Mt.Task.Validation

def Mt.TaskM.instIsReservationReservation {spec : Mt.Spec} :

Equations

Mt.TaskM.instIsReservationReservation = spec.is_reservation

def Mt.TaskM.valid {spec : Mt.Spec} {T : Type} (p : Mt.TaskM spec T) (r : spec.Reservation) (assuming : spec.State → Bool) (motive : T → spec.Reservation → Prop) :

Prop

Validation primitive for reasoning for composable tasks.

Validation may assume assuming and must ensure the following:

The task has to behave conform to the specification at all times
The task never panics
Finally, motive holds after the task completes

Proving `valid` #

The definition is rather cumbersome to work with. You should use helper theorems like valid_pure, valid_bind, valid_rmr, ...

They are designed to be used with the apply tactic.

Blocking predicate: `assuming` #

When validating our task, we can assume assuming state = true. However, in most cases we have assuming = λ _ => true, i.e. our hypothesis does not provide anything useful.

There is one important exception: Blocking threads. If a thread waits for a certain condition before it continues its task, we can safely assume that this condition holds when the task is excuting.

Final goal: `motive` #

A valid thread must drop its reservations in the end. Therefore, the final goal on those tasks is λ _ r => r = IsReservation.empty. However, intermediate tasks (i.e. single operations) do not need to share this goal.

In fact, they usally do not. If one operation prepares the next operation, it usually creates some reservation to ensure that no other thread undos this preparation. In this example, the motive should encode that the preparation has been made.

motive is the only way to pass facts from one iteration to the next. See valid_bind for more information.

Equations

One or more equations did not get rendered due to their size.

source

ink

theorem Mt.TaskM.valid_pure {spec : Mt.Spec} {T : Type} {t : T} {r : spec.Reservation} {assuming : spec.State → Bool} {motive : T → spec.Reservation → Prop} (is_valid : motive t r) :

Mt.TaskM.valid (pure t) r assuming motive

To prove that pure t is valid you need to prove that the motive holds

source

ink

theorem Mt.TaskM.valid_bind {spec : Mt.Spec} {U : Type} {V : Type} {mu : Mt.TaskM spec U} {f : U → Mt.TaskM spec V} {r : spec.Reservation} {assuming : spec.State → Bool} {motive : V → spec.Reservation → Prop} (motive_u : U → spec.Reservation → Prop) (mu_valid : Mt.TaskM.valid mu r assuming motive_u) (f_valid : ∀ (r' : spec.Reservation) (u : U), motive_u u r' → Mt.TaskM.valid (f u) r' (fun x => true) motive) :

Mt.TaskM.valid (mu >>= f) r assuming motive

To prove that a >>= f is valid you need to prove that both a and f u for all results u are valid.

In many cases, a does something to prepare f u. Since only f u needs to fulfil the final motive, we can choose an arbitrary motive to validate a as "intermediate goal".

To validate f u with the original motive, we can use the fact that the intermediate goal motive_u has been ensured by a. Motives use only results and reservations, which cannot be changed by other threads. Therefore, they stay valid even if other threads become active between a and f u.

source

ink

theorem Mt.TaskM.valid_rmr {spec : Mt.Spec} {T : Type} {f : spec.State → T × spec.State} {r : spec.Reservation} {assuming : spec.State → Bool} {motive : T → spec.Reservation → Prop} (f_valid : ∀ (env_r : spec.Reservation) (s : spec.State), assuming s = true → Mt.Spec.validate spec (env_r + r) s → ∃ r', let _discr := f s; match f s with | (t, s') => Mt.Spec.validate spec (env_r + r') s' ∧ motive t r') :

Mt.TaskM.valid (Mt.TaskM.atomic_read_modify_read f) r assuming motive

source

ink

theorem Mt.TaskM.valid_rm {spec : Mt.Spec} {f : spec.State → spec.State} {r : spec.Reservation} {assuming : spec.State → Bool} {motive : Unit → spec.Reservation → Prop} (f_valid : ∀ (env_r : spec.Reservation) (s : spec.State), assuming s = true → Mt.Spec.validate spec (env_r + r) s → ∃ r', let s' := f s; Mt.Spec.validate spec (env_r + r') s' ∧ motive PUnit.unit r') :

Mt.TaskM.valid (Mt.TaskM.atomic_read_modify f) r assuming motive

source

ink

theorem Mt.TaskM.valid_read {spec : Mt.Spec} {T : Type} {f : spec.State → T} {r : spec.Reservation} {assuming : spec.State → Bool} {motive : T → spec.Reservation → Prop} (f_valid : ∀ (env_r : spec.Reservation) (s : spec.State), assuming s = true → Mt.Spec.validate spec (env_r + r) s → ∃ r', let t := f s; Mt.Spec.validate spec (env_r + r') s ∧ motive t r') :

Mt.TaskM.valid (Mt.TaskM.atomic_read f) r assuming motive

source

ink

theorem Mt.TaskM.valid_assert {spec : Mt.Spec} {cond : spec.State → Bool} {r : spec.Reservation} {assuming : spec.State → Bool} {motive : Unit → spec.Reservation → Prop} (motive_holds : motive PUnit.unit r) (assertion_succeeds : ∀ (env_r : spec.Reservation) (s : spec.State), assuming s = true → Mt.Spec.validate spec (env_r + r) s → cond s = true) :

Mt.TaskM.valid (Mt.TaskM.atomic_assert cond) r assuming motive

source

ink

theorem Mt.TaskM.valid_blocking_rmr {spec : Mt.Spec} {T : Type} {block_until : spec.State → Bool} {f : spec.State → T × spec.State} {r : spec.Reservation} {assuming : spec.State → Bool} {motive : T → spec.Reservation → Prop} (f_valid : ∀ (env_r : spec.Reservation) (s : spec.State), block_until s = true → Mt.Spec.validate spec (env_r + r) s → ∃ r', let _discr := f s; match f s with | (t, s') => Mt.Spec.validate spec (env_r + r') s' ∧ motive t r') :

Mt.TaskM.valid (Mt.TaskM.atomic_blocking_rmr block_until f) r assuming motive

Proving valid #

Blocking predicate: assuming #

Final goal: motive #

Proving `valid` #

Blocking predicate: `assuming` #

Final goal: `motive` #