Update for hp-revisited.

* Iris 4.3.0

* Bunch of improvements

* Proof of lock-free, robust version of HP + Harris.

Author: Lee-Janggun

README.md

@@ -8,7 +8,7 @@ This repository contains the proofs of the following paper, mechanized in Coq wi
 
 ## Build
 This version is known to compile with
-Coq 8.17.1 and
+Coq 8.19.0 and
 development versions of [Iris](https://gitlab.mpi-sws.org/iris/iris) and [Diaframe][]
 as specified in [smr-verification.opam](smr-verification.opam).
 
@@ -20,7 +20,7 @@ opam switch create \
   --no-install \
   --repositories=default,coq-released=https://coq.inria.fr/opam/released,iris-dev=git+https://gitlab.mpi-sws.org/iris/opam.git \
   . ocaml-base-compiler.4.14.1
-opam pin add -n -y coq 8.17.1
+opam pin add -n -y coq 8.19.0
 
 make builddep
 # hit "y" for all prompts, if any
@@ -34,7 +34,7 @@ Some proofs in theories/diaframe/examples may raise warning like this:
 Too many intro patterns were supplied!
 Dropping the following intro patterns:   γ_h1 n1
 Too many IPM names were supplied!
-Please remove "Info_h1", "M_h1", "Nodes", 
+Please remove "Info_h1", "M_h1", "Nodes",
 Subgoal 2 naming problems:
 Too little intro patterns were supplied! Please supply a name for:
   x0 : bool
@@ -67,7 +67,7 @@ and statistics will be saved in [`line_count.tsv`](line_count.tsv) (tab separate
 * [`spec_hazptr.v`](theories/hazptr/spec_hazptr.v): specifications of hazard pointers. (Fig. 5,10, and Appendix A).
 
   | Paper                           | Coq                          |
-  |---------------------------------|------------------------------|
+  | ------------------------------- | ---------------------------- |
   | HPInv                           | `IsHazardDomainT`            |
   | Managed                         | `ManagedT`                   |
   | HPSlot & Protected              | `ShieldT`                    |

_CoqProject

@@ -4,9 +4,6 @@
 # Cannot use non-canonical projections as it causes massive unification failures
 # (https://github.com/coq/coq/issues/6294).
 -arg -w -arg -redundant-canonical-projection
-# Disabling warnings about future coercion syntax that requires Coq 8.17
-# (https://github.com/coq/coq/pull/16230)
--arg -w -arg -future-coercion-class-field
 
 
 # Modified version of heap_lang, with block memory model, tagging, and integers extended with infinity
@@ -110,6 +107,7 @@ theories/hazptr/code_rdcss.v
 theories/hazptr/code_cldeque.v
 theories/hazptr/code_harris_operations.v
 theories/hazptr/code_harris_michael_find.v
+theories/hazptr/code_harris_find.v
 
 ## Specs
 theories/hazptr/spec_hazptr.v
@@ -133,6 +131,7 @@ theories/hazptr/proof_rdcss.v
 theories/hazptr/proof_cldeque.v
 theories/hazptr/proof_harris_operations.v
 theories/hazptr/proof_harris_michael_find.v
+theories/hazptr/proof_harris_find.v
 
 theories/hazptr/closed_proofs.v
 theories/hazptr/client.v
@@ -186,22 +185,22 @@ theories/ebr/client.v
 
 
 ## Diaframe Basis
-theories/diaframe/lang/specs.v
-theories/diaframe/lang/proof_automation.v
-theories/diaframe/lang/base_hints.v
-theories/diaframe/lang/wp_auto_lob.v
-theories/diaframe/lang/atomic_specs.v
-theories/diaframe/lang/smr_weakestpre.v
-theories/diaframe/lang/smr_weakestpre_logatom.v
-theories/diaframe/lang/atom_spec_notation.v
+# theories/diaframe/lang/specs.v
+# theories/diaframe/lang/proof_automation.v
+# theories/diaframe/lang/base_hints.v
+# theories/diaframe/lang/wp_auto_lob.v
+# theories/diaframe/lang/atomic_specs.v
+# theories/diaframe/lang/smr_weakestpre.v
+# theories/diaframe/lang/smr_weakestpre_logatom.v
+# theories/diaframe/lang/atom_spec_notation.v
 
 ## Diaframe Hints
-theories/diaframe/hints/ghost_var_hints.v
-theories/diaframe/hints/array_hints.v
-theories/diaframe/hints/hazptr_hints.v
-theories/diaframe/hints/rcu_hints.v
+# theories/diaframe/hints/ghost_var_hints.v
+# theories/diaframe/hints/array_hints.v
+# theories/diaframe/hints/hazptr_hints.v
+# theories/diaframe/hints/rcu_hints.v
 
 ## Example: treiber stack on HP and RCU
-theories/diaframe/examples/proof_treiber_no_recl.v
-theories/diaframe/examples/proof_treiber_hazptr.v
-theories/diaframe/examples/proof_treiber_rcu.v
+# theories/diaframe/examples/proof_treiber_no_recl.v
+# theories/diaframe/examples/proof_treiber_hazptr.v
+# theories/diaframe/examples/proof_treiber_rcu.v

count_lines.py

@@ -17,11 +17,6 @@ def count_coqwc_lines(ds_file):
     res_proof = []
 
     for recl in ["no_recl", "hazptr", "ebr"]:
-        if ds_file["name"] == "Harris Set" and recl == "hazptr":
-            res_code += [0]
-            res_proof += [0]
-            continue
-
         code_count = 0
         for code in ds_file["code"]:
             lines = subprocess.check_output(
@@ -131,19 +126,12 @@ def count_coqwc_lines(ds_file):
         with open("line_count.tsv", "a") as f:
             f.write(ds_file["name"] + "\t" + "\t".join(res) + "\n")
 
-    (harris_code, harris_proof) = count_coqwc_lines(harris_files)
     total_code_str = list(map(format_com, total_code))
     total_proof_str = list(map(format_com, total_proof))
 
     total_code_str[2] += str_ratio(2, total_code)
     total_proof_str[2] += str_ratio(2, total_proof)
 
-    total_code[0] -= harris_code[0]
-    total_proof[0] -= harris_proof[0]
-
-    total_code_str[0] = f"{total_code[0]:,}" + " " + total_code_str[0]
-    total_proof_str[0] = f"{total_proof[0]:,}" + " " + total_proof_str[0]
-
     total_code_str[1] += str_ratio(1, total_code)
     total_proof_str[1] += str_ratio(1, total_proof)
 

line_count.tsv

@@ -1,11 +1,11 @@
 Data Structure	NR Code	HP Code	RCU Code	NR Proof	HP Proof	RCU Proof
-Counter	23	30 (30.4%)	30 (30.4%)	140	175 (25.0%)	168 (20.0%)
-Treiber Stack	38	52 (36.8%)	51 (34.2%)	199	248 (24.6%)	233 (17.1%)
-Elimination Stack	54	71 (31.5%)	70 (29.6%)	297	404 (36.0%)	384 (29.3%)
-Michael-Scott Queue	55	76 (38.2%)	68 (23.6%)	464	620 (33.6%)	578 (24.6%)
-DGLM Queue	55	76 (38.2%)	68 (23.6%)	463	775 (67.4%)	731 (57.9%)
-Harris Set	113	0 (-100.0%)	144 (27.4%)	1,389	0 (-100.0%)	1,805 (29.9%)
-Harris-Michael Set	96	146 (52.1%)	119 (24.0%)	1,171	1,278 (9.1%)	1,473 (25.8%)
-Chase-Lev Deque	82	90 (9.8%)	89 (8.5%)	1,113	1,293 (16.2%)	1,284 (15.4%)
-RDCSS	52	75 (44.2%)	68 (30.8%)	400	530 (32.5%)	467 (16.8%)
-total	455 568	616 (35.4%)	707 (24.5%)	4,247 5,636	5,323 (25.3%)	7,123 (26.4%)
+Counter	23	30 (30.4%)	30 (30.4%)	138	175 (26.8%)	168 (21.7%)
+Treiber Stack	38	52 (36.8%)	51 (34.2%)	198	248 (25.3%)	233 (17.7%)
+Elimination Stack	54	71 (31.5%)	70 (29.6%)	283	399 (41.0%)	381 (34.6%)
+Michael-Scott Queue	55	72 (30.9%)	68 (23.6%)	463	604 (30.5%)	578 (24.8%)
+DGLM Queue	55	76 (38.2%)	68 (23.6%)	462	775 (67.7%)	731 (58.2%)
+Harris Set	106	206 (94.3%)	138 (30.2%)	1,339	1,927 (43.9%)	1,762 (31.6%)
+Harris-Michael Set	93	144 (54.8%)	116 (24.7%)	1,137	1,260 (10.8%)	1,452 (27.7%)
+Chase-Lev Deque	82	90 (9.8%)	89 (8.5%)	1,111	1,289 (16.0%)	1,279 (15.1%)
+RDCSS	52	75 (44.2%)	68 (30.8%)	398	528 (32.7%)	466 (17.1%)
+total	558	816 (46.2%)	698 (25.1%)	5,529	7,205 (30.3%)	7,050 (27.5%)

smr-verification.opam

@@ -15,8 +15,7 @@ bug-reports: "https://cp-git.kaist.ac.kr/verification/smr/issues"
 dev-repo: "git+https://cp-git.kaist.ac.kr/verification/smr.git"
 
 depends: [
-  "coq-iris"  { = "dev.2023-06-14.0.f0e415b6" }
-  "coq-diaframe" { = "dev.2023-06-15.0.1c3b5549" }
+  "coq-iris"  { = "4.3.0" }
 ]
 
 build: [make "-j%{jobs}%" ]

theories/algebra/gset.v

@@ -197,7 +197,7 @@ Section gneset_disj.
   (*   GNESetDisj X ~~>: Q. *)
   (* Proof. *)
   (*   intros Hfresh HQ. *)
-  (*   apply cmra_discrete_updateP=> ? /gneset_disj_valid_inv_l [Y [->?]]. *)
+  (*   apply cmra_discrete_total_updateP=> ? /gneset_disj_valid_inv_l [Y [->?]]. *)
   (*   destruct (Hfresh (X ∪ Y)) as (i&?&?); first set_solver. *)
   (*   exists (GNESetDisj ({[ i ]} ∪ X)); split. *)
   (*   - apply HQ; set_solver by eauto. *)

theories/base_logic/lib/coP_cancellable_invariants.v

@@ -4,14 +4,15 @@ From iris.base_logic.lib Require Export invariants.
 From iris.prelude Require Import options.
 Import uPred.
 
-Class coP_cinvG Σ := coP_cinv_inG :> inG Σ coPneset_disjR.
+Class coP_cinvG Σ := { #[local] coP_cinv_inG :: inG Σ coPneset_disjR }.
+
 Definition coP_cinvΣ : gFunctors := #[GFunctor coPneset_disjR].
 
 Global Instance subG_coP_cinvΣ {Σ} : subG coP_cinvΣ Σ → coP_cinvG Σ.
 Proof. solve_inG. Qed.
 
 Section defs.
-  Context `{!invGS Σ, !coP_cinvG Σ}.
+  Context `{!invGS_gen hlc Σ, !coP_cinvG Σ}.
 
   Definition coP_cinv_own (γ : gname) (t : coPneset) : iProp Σ :=
     own γ (CoPNESetDisj t).
@@ -23,7 +24,7 @@ End defs.
 Global Instance: Params (@coP_cinv) 5 := {}.
 
 Section proofs.
-  Context `{!invGS Σ, !coP_cinvG Σ}.
+  Context `{!invGS_gen hlc Σ, !coP_cinvG Σ}.
 
   Global Instance coP_cinv_own_timeless γ p : Timeless (coP_cinv_own γ p).
   Proof. rewrite /coP_cinv_own; apply _. Qed.

theories/base_logic/lib/coP_ghost_map.v

@@ -8,8 +8,9 @@ From iris.prelude Require Import options.
 (** like ghost_map, but using coP_gmap_view instead of gmap_view *)
 
 Class coP_ghost_mapG Σ (K V : Type) `{Countable K} := CoPGhostMapG {
-  coP_ghost_map_inG :> inG Σ (coP_gmap_viewR K (leibnizO V));
+  #[local] coP_ghost_map_inG :: inG Σ (coP_gmap_viewR K (leibnizO V));
 }.
+
 Definition coP_ghost_mapΣ (K V : Type) `{Countable K} : gFunctors :=
   #[ GFunctor (coP_gmap_viewR K (leibnizO V)) ].
 

theories/base_logic/lib/ghost_var.v

@@ -1,34 +1,11 @@
 (* Modified version supporting persistent ghost vars. *)
 
-(** A simple "ghost variable" of arbitrary type with fractional ownership.
-Can be mutated when fully owned. *)
-From iris.algebra Require Import dfrac dfrac_agree.
-From iris.bi.lib Require Import fractional.
+From iris.algebra Require Import dfrac_agree.
 From iris.proofmode Require Import proofmode.
-From iris.base_logic.lib Require Export own.
+From iris.base_logic.lib Require Export own ghost_var.
 From iris.prelude Require Import options.
 
-(** The CMRA we need. *)
-Class ghost_varG Σ (A : Type) := GhostVarG {
-  ghost_var_inG : inG Σ (dfrac_agreeR $ leibnizO A);
-}.
 Local Existing Instance ghost_var_inG.
-Global Hint Mode ghost_varG - ! : typeclass_instances.
-
-Definition ghost_varΣ (A : Type) : gFunctors :=
-  #[ GFunctor (dfrac_agreeR $ leibnizO A) ].
-
-Global Instance subG_ghost_varΣ Σ A : subG (ghost_varΣ A) Σ → ghost_varG Σ A.
-Proof. solve_inG. Qed.
-
-Local Definition ghost_var_def `{!ghost_varG Σ A}
-    (γ : gname) (q : Qp) (a : A) : iProp Σ :=
-  own γ (to_frac_agree (A:=leibnizO A) q a).
-Local Definition ghost_var_aux : seal (@ghost_var_def). Proof. by eexists. Qed.
-Definition ghost_var := ghost_var_aux.(unseal).
-Local Definition ghost_var_unseal :
-  @ghost_var = @ghost_var_def := ghost_var_aux.(seal_eq).
-Global Arguments ghost_var {Σ A _} γ q a.
 
 Local Definition persistent_ghost_var_def `{!ghost_varG Σ A}
     (γ : gname) (a : A) : iProp Σ :=
@@ -39,88 +16,46 @@ Local Definition persistent_ghost_var_unseal :
   @persistent_ghost_var = @persistent_ghost_var_def := persistent_ghost_var_aux.(seal_eq).
 Global Arguments persistent_ghost_var {Σ A _} γ a.
 
-Local Ltac unseal := rewrite ?ghost_var_unseal /ghost_var_def ?persistent_ghost_var_unseal /persistent_ghost_var_def.
+Local Ltac unseal := rewrite
+  ?ghost_var.ghost_var_unseal /ghost_var.ghost_var_def
+  ?persistent_ghost_var_unseal /persistent_ghost_var_def.
 
 Section lemmas.
   Context `{!ghost_varG Σ A}.
   Implicit Types (a b : A) (q : Qp).
 
-  Global Instance ghost_var_timeless γ q a : Timeless (ghost_var γ q a).
-  Proof. unseal. apply _. Qed.
-
-  Global Instance ghost_var_fractional γ a : Fractional (λ q, ghost_var γ q a).
-  Proof. intros q1 q2. unseal. rewrite -own_op -frac_agree_op //. Qed.
-  Global Instance ghost_var_as_fractional γ a q :
-    AsFractional (ghost_var γ q a) (λ q, ghost_var γ q a) q.
-  Proof. split; [done|]. apply _. Qed.
-
   Global Instance persistent_ghost_var_timeless γ a : Timeless (persistent_ghost_var γ a).
   Proof. unseal. apply _. Qed.
   Global Instance persistent_ghost_var_persistent γ a : Persistent (persistent_ghost_var γ a).
   Proof. unseal. apply _. Qed.
 
-  Lemma ghost_var_alloc_strong a (P : gname → Prop) :
-    pred_infinite P →
-    ⊢ |==> ∃ γ, ⌜P γ⌝ ∗ ghost_var γ 1 a.
-  Proof. unseal. intros. iApply own_alloc_strong; done. Qed.
-  Lemma ghost_var_alloc a :
-    ⊢ |==> ∃ γ, ghost_var γ 1 a.
-  Proof. unseal. iApply own_alloc. done. Qed.
+  (** Persistent ghost var rules *)
+  Lemma ghost_var_persist γ q a :
+    ghost_var γ q a ==∗ persistent_ghost_var γ a.
+  Proof. unseal. iApply own_update. apply dfrac_agree_persist. Qed.
 
-  Lemma ghost_var_valid_2 γ a1 q1 a2 q2 :
-    ghost_var γ q1 a1 -∗ ghost_var γ q2 a2 -∗ ⌜(q1 + q2 ≤ 1)%Qp ∧ a1 = a2⌝.
+  Lemma persistent_ghost_var_valid_2 γ a1 a2 q2 :
+    persistent_ghost_var γ a1 -∗ ghost_var γ q2 a2 -∗ ⌜(q2 < 1)%Qp ∧ a1 = a2⌝.
   Proof.
     unseal. iIntros "Hvar1 Hvar2".
-    by iCombine "Hvar1 Hvar2" gives %?%frac_agree_op_valid.
+    iCombine "Hvar1 Hvar2" gives %[Hq Ha]%dfrac_agree_op_valid_L.
+    done.
   Qed.
   (** Almost all the time, this is all you really need. *)
-  Lemma ghost_var_agree γ a1 q1 a2 q2 :
-    ghost_var γ q1 a1 -∗ ghost_var γ q2 a2 -∗ ⌜a1 = a2⌝.
+  Lemma persistent_ghost_var_agree γ a1 a2 q2 :
+    persistent_ghost_var γ a1 -∗ ghost_var γ q2 a2 -∗ ⌜a1 = a2⌝.
   Proof.
     iIntros "Hvar1 Hvar2".
-    iDestruct (ghost_var_valid_2 with "Hvar1 Hvar2") as %[_ ?]. done.
+    iDestruct (persistent_ghost_var_valid_2 with "Hvar1 Hvar2") as %[_ ?]. done.
   Qed.
 
-  (** This is just an instance of fractionality above, but that can be hard to find. *)
-  Lemma ghost_var_split γ a q1 q2 :
-    ghost_var γ (q1 + q2) a -∗ ghost_var γ q1 a ∗ ghost_var γ q2 a.
-  Proof. iIntros "[$$]". Qed.
-
-  (** Update the ghost variable to new value [b]. *)
-  Lemma ghost_var_update b γ a :
-    ghost_var γ 1 a ==∗ ghost_var γ 1 b.
+  Global Instance ghost_var_combine_gives γ a1 a2 q2 :
+    CombineSepGives (persistent_ghost_var γ a1) (ghost_var γ q2 a2)
+      ⌜(q2 < 1)%Qp ∧ a1 = a2⌝.
   Proof.
-    unseal. iApply own_update. apply cmra_update_exclusive. done.
+    rewrite /CombineSepGives. iIntros "[H1 H2]".
+    iDestruct (persistent_ghost_var_valid_2 with "H1 H2") as %[H1 H2].
+    eauto.
   Qed.
-  Lemma ghost_var_update_2 b γ a1 q1 a2 q2 :
-    (q1 + q2 = 1)%Qp →
-    ghost_var γ q1 a1 -∗ ghost_var γ q2 a2 ==∗ ghost_var γ q1 b ∗ ghost_var γ q2 b.
-  Proof.
-    intros Hq. unseal. rewrite -own_op. iApply own_update_2.
-    apply frac_agree_update_2. done.
-  Qed.
-  Lemma ghost_var_update_halves b γ a1 a2 :
-    ghost_var γ (1/2) a1 -∗
-    ghost_var γ (1/2) a2 ==∗
-    ghost_var γ (1/2) b ∗ ghost_var γ (1/2) b.
-  Proof. iApply ghost_var_update_2. apply Qp.half_half. Qed.
-
-  (** Framing support *)
-  Global Instance frame_ghost_var p γ a q1 q2 q :
-    FrameFractionalQp q1 q2 q →
-    Frame p (ghost_var γ q1 a) (ghost_var γ q2 a) (ghost_var γ q a) | 5.
-  Proof. apply: frame_fractional. Qed.
-
-  (** Persistent ghost var rules *)
-  Lemma ghost_var_persist γ q a :
-    ghost_var γ q a ==∗ persistent_ghost_var γ a.
-  Proof. unseal. iApply own_update. apply dfrac_agree_persist. Qed.
 
-  Lemma persistent_ghost_var_agree γ a1 a2 q2 :
-    persistent_ghost_var γ a1 -∗ ghost_var γ q2 a2 -∗ ⌜a1 = a2⌝.
-  Proof.
-    unseal. iIntros "Hvar1 Hvar2".
-    by iCombine "Hvar1 Hvar2" gives %[? ?]%dfrac_agree_op_valid_L.
-  Qed.
 End lemmas.
-