This project is the companion Rocq development of the paper "A Separation Logic for Parallel Time Complexity with Work and Span Credits".
See INSTALL.md.
Rocq files are located in the src/ directory.
- directory
langcontains the syntax and semantics of the language we study:- syntax is in
syntax.vandsyntax_instances.v - the head reduction relation is in
head_semantics.v - the scheduler and main reduction relation are in
semantics.v
- syntax is in
- directory
logiccontains the program logic:wpg.vdefines the general weakest preconditionwpgand its structural ruleswp.vdefines the single-thread WPwpas a special case ofwpgwp_logatom.vdefines logically atomic WP triplesinterp.vdefines the ghost state, the state interpretation predicate, and the work/span credit assertionsadequacy.vcontains the soundness theorem
- directory
examplescontains the case studies - directory
utilscontains utility functions and lemmas
Rocq files are located in the src/ directory.
Work credits are called wcredits and span credits scredits.
-
Figures 1 and 4 (the small example): in
examples/small.v -
Figure 2 (Reasoning rules for credits, and for the tick and the parallel primitives):
- Tick:
wp_tickinlogic/wp.v - Transfer:
wp_transferinlogic/wp.v - Par:
wp_parinlogic/wp.v
- Tick:
-
The WorkSplit and SpanSplit rules (inline in Section 2, not in a figure):
- WorkSplit:
wcredits_splitinlogic/interp.v - SpanSplit:
scredits_splitinlogic/interp.v
- WorkSplit:
-
Figure 5 (Syntax of ParLang):
- values and expressions are defined in
lang/syntax.v, typesvalandexpr - evaluation contexts are in
lang/syntax.v, typectx
- values and expressions are defined in
-
Figure 6 (Head reduction relation):
- the head reduction relation is defined in
lang/head_semantics.v
- the head reduction relation is defined in
-
Figure 7 (Reduction under a context and parallelism):
- the task tree is defined in
lang/semantics.v, typetask_tree - the computation graph fork and join operations are
graph_forkandgraph_joininlang/semantics.v - the scheduler step relation is
sched_stepinlang/semantics.v - the main step relation is
stepinlang/semantics.v
- the task tree is defined in
-
Figure 8 (Reasoning rules for base constructs), in
logic/wp.v -
Figure 9 (Reasoning principles for the Transfer rule):
- the
transferablerelation is defined inlogic/transferable.v isforkandisjoinare defined inlogic/interp.v- GenerateTransferable:
wp_transferableinlogic/wp.v - PrimitiveTransfer:
wp_primitive_transferinlogic/wp.v - End:
wp_endinlogic/wp.v
- the
-
Figure 10 (Definitions of the WorkBound and SpanBound predicates):
work_boundedinlogic/adequacy.vpath(inductive definition of a weighted path) inlogic/adequacy.vspan_boundedinlogic/adequacy.v
-
Figure 11 (Reducibility and safety of a configuration):
reducibleis defined inlang/reducible.v- Safe is called
adequatedefined inlogic/adequacy.v
-
Theorem 4.1 (Soundness of the program logic):
- stated and proved as
wp_adequacyinlogic/adequacy.v
- stated and proved as
-
Figure 12 (Definition of the weakest precondition):
- the general WP
wpgis defined as the fixpoint ofwpg_preinlogic/wpg.v - the single-thread WP
wpis defined inlogic/wp.v
- the general WP
-
Figure 13 (Definition of the state interpretation predicate):
- the state interpretation predicate is
interpinlogic/interp.v winterp(coupling ofpureinvandinterp) is inlogic/wpg.v
- the state interpretation predicate is
-
Figure 14 (Definition of pure invariants):
- the compatibility predicate
comptreeis defined inductively inlogic/pureinv.v - the pure invariant
pureinvis defined as a record inlogic/pureinv.v
- the compatibility predicate
-
Figures 15 and 16 (Ghost state for work credits, and ghost state for span credits): in
logic/interp.v. -
Figure 17 (The parallel for loop and its specification): in
examples/parfor.v -
Figure 18 (The tabulate primitive, the scan function, and their specifications):
tabulateinexamples/tabulate.vscaninexamples/scan.v
-
Figure 19 (The parallel merge operation and its specification):
- slices in
examples/slice.v - sequential merge in
examples/merge_seq.v - binary search in
examples/binsearch.v - parallel merge in
examples/merge.v. The closed forms are inexamples/merge_closed.v.
- slices in
-
Figure 20 (The parallel merge sort and its specification): in
examples/merge_sort.v. -
Figure 21 (Code and specifications for Treiber's stack): in
examples/stack.v. Atomic triples are defined asatomic_wpand theATRIPLEnotation inlogic/wp_logatom.v
Users can check that all files compile and that no Admitted or Axiom
remains. It suffices to open the file src/noaxioms.v and play with it
interactively.
If the Rocq command Print Assumptions xxx prints "Closed under the
global context", it indicates that xxx has no dependencies (reference).
Some case studies suppose the axiom functional_extensionality_dep due to the Equations plugin.
Users can also open some selected .v files inside RocqIDE or Proof
General and evaluate the whole file to check that no errors occur and
to verify that the objects and statements mentioned in the claims are
what they are supposed to be.
NB: There is a hack to work with ProofGeneral.
We have a dumb src/_CoqProject which makes visible the files
produced by dune.
See issue: ProofGeneral/PG#477