Home | Blog | Wiki | About

https://plv.mpi-sws.org/coqdoc/iris/index.html https://plv.mpi-sws.org/semantics-course/

Iris

• https://iris-project.org/tutorial-material.html
• https://iris-project.org/tutorial-pdfs/iris-lecture-notes.pdf
• Setting up editor: https://gitlab.mpi-sws.org/iris/iris/-/blob/master/docs/editor.md
  • Many iris operators needs special characters.

—

• Seperation logic

  • Notion of resource ownership
  • Facts + resource ownership

• Concurrent seperation logic

• PCM: Partial Commutative Monoids

  • User defined resources modeled as PCM ??

• WP: Weakest Precondition

• Resource algebras

• OFE: Ordered Families of Equivalences

  • Corresponds to sets but in step-indexed settings ??

• COFE: Complete OFE

• FAA: Fetch-and-add

• ▶P: later

  • advances the step indexing ??
  • P holds but only from next step onwards ??
  • Kind of like liveness in LTL

• μr.P

  • P always holds ??
  • Kind of like safety/global in LTL

• Points-to connective (l ↦ v)

  • l ↦ v says that l points to value v
  • Also indicates exclusive ownership of l by the expression under consideration

• Separation conjunction (P ∗ Q)

  • State is made up of disjoint parts P and Q

• Adequacy

• Löb induction principle

• Ghost state

  • Camera
  • OFEs to cameras ??
  • heapGS: type class providing some cameras ˡ

• Ghost variables

  • A way to avoid loss of information due to existential quantification
  • They come in 'entangled' pairs
    • Authoritative: curved arrow with black circle
    • Fragment: curved arrow with white circle

• View shift

  • Related to ghost variables

• {P} e {v.Q}_ε

  • P is pre-condition
  • e is an expression resulting in a value v
  • Q is a post-condition that is a predicate which holds for v
  • Currently active invariant is written as subscript

• l ↦ v: 'points-to' predicate

  • Think of them as heap fragments
  • asserts ownership of a singleton heap mapping l to v.

• iProp Σ: Type of propositions

  • where Σ: gFunctors indicates available resources that is part of current context
  • gFunctors: a global list of resource algebras

• ∗ is not idempotent

  • ie, P ⊢ P * P needn't be true
  • NOTE: This is not asterisk ('*')

• iSplitL H: H is given to left subgoal, rest to the right subgoal

  • Vice-versa for iSplitR

• -∗: 'magic wand' operator

  • aka 'wand'
  • P -∗ Q is equivalent to P ⊢ Q
  • NOTE: the ∗ is NOT asterisk!

• ⊣⊢: bi-entailment

  • Like 'iff'
  • P ⊣⊢ Q means (P -∗ Q) ∧ (Q -∗ P)

• P ∗ Q: P and Q are disjoint components that make up the state

  • We can split off P and Q
  • x ↦ v1 ∗ y ↦ v2: we can be sure that x and y are not pointing to same location
    • ∵ we need to be able to split P and Q

• ⌜ p ⌝ turns a coq propositions p into an iris proposition

• [⊢ p] turns an iris proposition p into a coq proposition

• # can be used to convert a literal to a val

  • Quite useful because val coerces to expr
  • Useful to convert a coq term to a heaplang term

• iIntros "(Hx & Hy & Hz)" can be used instead of iIntros "[Hx [Hy Hz]]"

NONEV and SOMEV

• Both are val values.
• val counterparts of SOME and NONE

Notation NONEV := (InjLV #())
Notation SOMEV x := (InjRV x)

InjLV itself is a constructor of val type:

Inductive expr : Set :=
    Val : val → expr
  | Var : string → expr
  | Rec : binder → binder → expr → expr
  | App : expr → expr → expr
  | UnOp : un_op → expr → expr
  | BinOp : bin_op → expr → expr → expr
  | If : expr → expr → expr → expr
  | Pair : expr → expr → expr
  | Fst : expr → expr
  | Snd : expr → expr
  | InjL : expr → expr
  | InjR : expr → expr
  | Case : expr → expr → expr → expr
  | AllocN : expr → expr → expr
  | Free : expr → expr
  | Load : expr → expr
  | Store : expr → expr → expr
  | CmpXchg : expr → expr → expr → expr
  | Xchg : expr → expr → expr
  | FAA : expr → expr → expr
  | Fork : expr → expr
  | NewProph : expr
  | Resolve : expr → expr → expr → expr
  with val : Set :=
    LitV : base_lit → val
  | RecV : binder → binder → expr → val
  | PairV : val → val → val
  | InjLV : val → val
  | InjRV : val → val.

Concurrency

• Fork e: create a new thread to run e
  • e is run only for its side effects. Its return value cannot be used
  • Fork is the only primitive for concurrency in HeapLang
• spawn: takes a thunk that will be executed in a new thread
  • A handle to the return value of this execution is returned
  • This handle can be awaited upon with spawn.join
• par: Run two threads in parallel
  • Needs From iris.heap_lang Require Import lib.par
  • Defined in terms of spawn ??
  • e1 ||| e2 is notation for par e1 e2
  • Result will be a pair, consisting of return values from running e1 and e2

Iris Proof Mode (IPM)

https://gitlab.mpi-sws.org/iris/iris/blob/master/docs/proof_mode.md

• Involves an extra context named spatial context
  • This is in addition to the 'normal' context, called non-spatial context in iris.
• iris tactics tailored to work also with spatial context start with i
  • Eg: iIntros "H" instead of intros H
  • Eg: iApply "H" instead of apply H
• Start IPM: iStartProof
  • Many iris tactics will automatically start IPM though.
• https://github.com/izgzhen/iris-coq/blob/master/ProofMode.md

Rules

P1 ⊢ Q1      P2 ⊢ Q2
----------------------
  P1 ∗ P2 ⊢ Q1 ∗ Q2

–

  {P} e {w. Q}
---------------- Frame rule
{P*R} e {w. Q*R}


------------------ Val
{True} v {w. w==v}


---------------------- Alloc
{True} ref(v) {l. l↦v}


------------------------ Load
{l↦v} !l {w. w==v * l↦v}


--------------- Store
{l↦v} l←w {l↦w}

Relevance of frame rule:

• It says that if a computation proceeded without involvement of a resource, it will still go correctly with its involvement.
• Helps us to compose disjoint computations together.

HeapLang

HeapLang: an ML-like language that comes with iris.

• Values are prefixed by #
  • Eg: #4, #true
• Natively supported by HeapLang
  • Integers
  • Booleans
  • Tuples: Fst, Snd
  • Option: SOME, NONE
• Is untyped ??
  • Eg: if: #true then #() else #false is vaild
• Variables are strings

Types

• val
  • Scope: %V
• expr
  • Scope: %E
• loc

Functions

Non-recursive:

(* add5 := λx. x+5 *)
λ: "x", "x" + #5 

(* compose := λx. x+5 *)
λ: "f" "g", (λ: "x", "g" ("f" "x"))

Recursive:

References

• 'Handles' for dynamically allocated values.
• A ref use does this:
  1. A location in heap is found for the value
  2. Value is stored in this location
  3. This location is returned
• Dereference value at a location l: !l
• Update value at location l with another value v: l <- v

let "v" := ref (#0) in
"v"

Evaluate an expr

• Use eval with a fuel parameter
• Eg: eval 10 expvar where 10 is the fuel
• inl _ if result could be obtained. Otherwise inr _

let expressions

Not native, but available by means of notations that desugars to lambda abstractions.

Example:

let: "a" := #4 in
let: "b" := #2 in
"a" + "b".

Tactics

• iModIntro: related to ghost variables
• iFrame
  • https://gitlab.mpi-sws.org/iris/iris/-/blob/master/docs/proof_mode.md?ref_type=heads#separation-logic-specific-tactics
  • 'pairs up hypotheses with pieces of separation sequence'
• iStartProof
• iNext: advance to next step in the step-index relation
• iLöb
• iApply, iIntro, iIntros, iDestruct, iExists, iInduction
• iPureIntro

WP

WP e {{ v, Φ v }} is the weakest precondition such that

• all executions of the expression e would produce a value v such that Φ v is true
• φ is a proposition
• The {{ v, Φ v }} is the post condition

Example from here:

Section Proof.         
  Context `{heapGS Σ}.

Section list.                                     
  Context `{heapGS Σ}.                            

  Example arith : expr := #1 + #2 + #3 + #4 + #5. 

  Lemma arith_spec : ⊢ WP arith {{ v, ⌜v = #15⌝ }}. 
  Proof.                                            
    unfold arith.                                   
    by wp_pures.                                    
  Qed.                                              
End Proof.

---

{{{ P }}} e {{{ RET v, Q }}}

desugars to

∀ Φ, P -∗ (Q -∗ Φ v) -∗ WP e {{ v, Φ v }}

This is logically equivalent to

P -∗ WP e {{ x, x = v ∗ Q }}

WP tactics

https://gitlab.mpi-sws.org/iris/iris/-/blob/master/docs/heap_lang.md#tactics

These tactics work when goal is like WP e @ E {{ Q }} ??

• wp_lam: removes λ:
  • Does application. ie, beta-reduction
• wp_rec: similar to wp_lam, but for recursive function
• wp_let: zeta-reduction (ie, substitutes let var with its definition)
• wp_load: substitute !x with v if there is a x ↦ v in assumption
• wp_store: move a p <- v to context as p ↦ v
• wp_seq: reduce a sequential composition
• wp_alloc
• wp_pair
• wp_fork
• wp_apply
• wp_smartapply
• wp_bind
• wp_pures
• wp_cmpxchgsuc, wp_cmpxchgfail
• wp_faa
• wp_proj
• wp_inj
• wp_match, wp_case
• wp_unop, wp_binop, wp_op: reduce unary, binary or other arithmetic operation
• wp_pure: kind of like 'auto' for wp_ tactics
• wp_pures: do wp_pure as many times as possible

1. wp_lam

   "Hx" : x ↦ v1
   "Hy" : y ↦ v2
   "Post" : ▷ (x ↦ v2 ∗ y ↦ v1 -∗ Φ #())
   --------------------------------------∗
   WP (λ: "x" "y", let: "tmp" := ! "x" in "x" <- "y";; "y" <- "tmp")%V #x #y
   {{ v, Φ v }}
   

   becomes

   "Hx" : x ↦ v1
   "Hy" : y ↦ v2
   "Post" : x ↦ v2 ∗ y ↦ v1 -∗ Φ #()
   --------------------------------------∗
   WP let: "y" := #y in let: "tmp" := ! #x in #x <- "y";; "y" <- "tmp"
   {{ v, Φ v }}
   

2. wp_store

   --------------------------------------□
   "Hp" : p ↦ (#x, v)
   "Hl" : is_list l v
   "Post" : (∃ p0 : loc, ⌜InjRV #p = InjRV #p0⌝ ∗
               ∃ v' : val, p0 ↦ (#(n + x), v') ∗ is_list (map (Z.add n) l) v') -∗
            Φ #()
   --------------------------------------∗
   WP #p <- (#x + #n, v);; inc_list #n v {{ v, Φ v }}
   

   becomes

   --------------------------------------□
   "Hp" : p ↦ (#(x + n), v)
   "Hl" : is_list l v
   "Post" : (∃ p0 : loc, ⌜InjRV #p = InjRV #p0⌝ ∗
               ∃ v' : val, p0 ↦ (#(n + x), v') ∗ is_list (map (Z.add n) l) v') -∗
            Φ #()
   --------------------------------------∗
   WP inc_list #n v {{ v, Φ v }}
   

Interpreter (experimental)

• A heaplang interpreter is available as part of the iris_unstable package.
  • This package contains iris stuff that is not considered ready for release.
• This interpreter is only development version and is not part of standard release.
• Use via exec function with a fuel parameter:
  • Eg: Compute (exec 10 exprn)

Misc

• Both of these are same:
  • iIntros "%Φ [Hx Hy] Post".
  • iIntros (Φ) "[Hx Hy] Post"
• The name 'Texan triple' for the triple curly brace notation
  • It's a lot of curly braces. As in big braces
  • Texas is the biggest state in US, so Texan.

Doubts

• Meaning of %->
• Meaning of |={⊤}=>

Seperation Logic

• l ↦ v being a precondition for e means that e has ownership of l.

• Concurrency:

  • By means of invariants

Dbt

• Is there an iCheck to see types of terms?