frap's People

Contributors

achlipala, al3623, andres-erbsen, bkushigian, bmsherman, cpitclaudel, cryslith, k4rtik, mdempsky, samuelgruetter, wangpengmit, ziyaowei

frap's Issues

Minor typo in section 2.5

In section 2.5, "Simplification and Rewriting", there is a minor typo. The sentence:

We may apply the defining equation to rewrite into a different formula, where we have essential pushed the definition of $\size{\cdot}$ through the $\mathsf{Plus}$.

should read:

We may apply the defining equation to rewrite into a different formula, where we have essentially pushed the definition of $\size{\cdot}$ through the $\mathsf{Plus}$.

More concise definition of absint_sound and absint_complete in AbstractInterpretation.v

I was reading AbstractInterpretation.v's definitions of absint_sound and absint_complete, and found them quite challenging to read because of the verbosity.

I thought I'd try rewriting it a bit to more closely match the book's statement of the algebraic laws, and I think it's a lot clearer:

Section absint_theorems.
  Variable A : absint.

  Infix "~" := A.(Represents) (at level 70, no associativity).
  Infix "⊔" := A.(Join) (at level 50).
  Notation "a ⊑ b" := (forall n, n ~ a -> n ~ b) (at level 70, no associativity).

  Infix "@+" := A.(Add) (at level 50).
  Infix "@-" := A.(Subtract) (at level 50).
  Infix "@*" := A.(Multiply) (at level 50).

  Record absint_sound : Prop := {
    TopSound   : forall n, n ~ A.(Top);
    ConstSound : forall n, n ~ A.(Constant) n;

    AddSound      : forall n m a b, n ~ a -> m ~ b -> (n + m) ~ (a @+ b);
    SubtractSound : forall n m a b, n ~ a -> m ~ b -> (n - m) ~ (a @- b);
    MultiplySound : forall n m a b, n ~ a -> m ~ b -> (n * m) ~ (a @* b);

    AddMonotone      : forall a b a' b', a ⊑ a' -> b ⊑ b' -> (a @+ b) ⊑ (a' @+ b');
    SubtractMonotone : forall a b a' b', a ⊑ a' -> b ⊑ b' -> (a @- b) ⊑ (a' @- b');
    MultiplyMonotone : forall a b a' b', a ⊑ a' -> b ⊑ b' -> (a @* b) ⊑ (a' @* b');

    JoinSoundLeft  : forall a b, a ⊑ (a ⊔ b);
    JoinSoundRight : forall a b, b ⊑ (a ⊔ b)
  }.

  (* Here's a "bonus" condition that we'll sometimes use and sometimes not:
   * [Join] gives a *least* upper bound of its two arguments, such that any other
   * upper bound is also at or above the join. *)
  Definition absint_complete := forall a b c, a ⊑ c -> b ⊑ c -> (a ⊔ b) ⊑ c.
End absint_theorems.

I wanted to use +^, -^, and *^ to more closely mimic the book's notation, but *^ is already used for transitive closures, and I couldn't figure out how to locally override that notation.

Notably, after rewriting it this way, I noticed that TopSound differs from the law stated on page 44 (forall a, a ⊑ A.(Top)). Though assuming ConstSound, the two statements are equivalent. That is, (forall n, n ~ A.(Constant) n) -> (forall n, n ~ A.(Top)) <-> (forall a, a ⊑ A.(Top)) is true. (Maybe this is obvious to others, but I found it at least worth formally proving.)

--

Of course, the statement could be further refactored; e.g., instead of adding helper notation for the operations, the soundness and monotone theorems could be abstracted like:

  Definition absop_sound natop absop := forall n m a b, n ~ a -> m ~ b -> (natop n m) ~ (absop a b).
  Definition absop_monotone absop := forall a b a' b', a ⊑ a' -> b ⊑ b' -> (absop a b) ⊑ (absop a' b').

--

Finally, I note that page 43 says 𝓒 and the abstract operations calculate the "most precise abstractions", but there's no formalization of this concept.

I believe the correct theorems are:

  Definition const_complete := forall n a, n ~ a -> A.(Constant) n ⊑ a.
  Definition absop_complete natop absop :=
    forall a b c, (forall n m, n ~ a -> m ~ b -> (natop n m) ~ c) -> (absop a b) ⊑ c.

None of the subsequent proofs actually rely on this, but for the purpose of proving an abstraction complete (e.g., #28), it might be worth including and then proving for at least parity_absint?

Edit: Also worth noting is that absop_sound and absop_complete together imply absop_monotone. (Again, probably expected, but I decided to formally verify.)

--

Happy to send a pull request for any of the above, but thought I'd file an issue first to check that it matches the intended direction.

Unable to run 'make' and 'make lib'

On Windows 10, I downloaded the code file and opened it in Visual Studio Code (vscoq version 0.3.7).

When I ran make in the terminal, I got the following error:

pdflatex frap_book
process_begin: CreateProcess(NULL, pdflatex frap_book, ...) failed.
make (e=2):
Makefile:6: recipe for target 'frap_book.pdf' failed
make: *** [frap_book.pdf] Error 2

Then I ran make lib, and I got the following error:

coq_makefile -f _CoqProject -o Makefile.coq
D:/Tool/MinGW/bin/make -f Makefile.coq Frap.vo AbstractInterpret.vo SepCancel.vo
'cut' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
make[1]: Entering directory 'C:/Users/Changmin/Desktop/Reading/3_formalReasoning/frap-master'
""'COQDEP VFILES'
make[1]: Leaving directory 'C:/Users/Changmin/Desktop/Reading/3_formalReasoning/frap-master'
'cut' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
make[1]: Entering directory 'C:/Users/Changmin/Desktop/Reading/3_formalReasoning/frap-master'
""COQC Sets.v
Error: More than one file to compile: '-undeclared-scope'

Makefile.coq:763: recipe for target 'Sets.vo' failed
make[1]: *** [Sets.vo] Error 1
make[1]: Leaving directory 'C:/Users/Changmin/Desktop/Reading/3_formalReasoning/frap-master'
Makefile:16: recipe for target 'lib' failed
make: *** [lib] Error 2

I'm new to Coq and I would really appreciate it if you could help me solve this problem. Thank you so much!

Inconsistent use of "most precise answer" on page 47

At the end of section 8.2, it's claimed that "n -> Top" is the most precise answer for analyzing the doubling code. This is true if we're talking about abstract states valid at any point during execution, as n can be odd within the loop. But at termination, n will always be 0, so the most precise answer would be "n -> Even".

On the other hand, section 8.3 opens talking about how "x -> Odd" is the most precise answer for "x <- 0; x <- 1". But this is only a sound answer if we're talking about analysis at termination, as opposed to any point during execution.

One way to resolve this inconsistency would be to qualify at the end of section 8.2 that flow-insensitive analysis "gives the most precise answer for x".

Cannot find library Frap in loadpath

With a fresh clone, on Windows 10, tested with Coq versions 8.4 and 8.10:

make -C frap lib # OK
make -C pset1 # Error

The error is:

make: Entering directory '/c/dev-other/frap/pset1'
coqc -q -R ../frap Frap Pset1Sig
File "C:\dev-other\frap\pset1/Pset1Sig.v", line 3, characters 0-20:
Error: Cannot find library Frap in loadpath
make: *** [Makefile:6: coq] Error 1
make: Leaving directory '/c/dev-other/frap/pset1'

Advice welcome! I'm really hoping to take a stab at these exercises.

What is the focus of the book?

Will it be talking about dependent types, or will it be leaning toward Hoare Logic/Separation Logic?
Will it assume prior Coq knowledge or start from scratch like most other Coq books?

Typo in Polymorphism.v

In lines 18-22 of Polymorphism.v there is a typo describing option. I'd do a PR but I'm not quite sure what it should say:

While Java and friends force all sorts of different types to include the special value [null],
in Coq we request that option explicitly [something here] by wrapping a type in [option].

Typo still exists in Chapter 2's code

Hi, you just fixed typos 1 day ago. However, a few lines below your fix another similar typo (line 171) still exists. I guess you did a copy-paste job when writing them. :)

Notation suggestion for § 4.2 "A Stack Machine"

Page 19 says "we write s1 ⋈ s2 for concatenation of two stacks s1 and s2." But notably, the next use of ⋈ is actually for concatenating instructions/programs.

There is a usage of ⋈ with stacks in Lemma 4.3 for the expression "⟦e⟧⋈s", but since (1) it's only pushing a single value onto the stack, and (2) it's the only apparent usage of ⋈ on stacks, it seems like it would be simpler to just stick to the already introduced ⊳ operator here, and instead introduce ⋈ as operating on programs.

Unable to run `make lib`

I am trying to use the Coq files of the textbook, and ran into an issue when I ran make lib.

Steps to reproduce:

  1. Clone repository
  2. Run make lib

I get this as the output to make lib:

bhargav@bhargav-kk:/mnt/c/bhargav/prog/coq/frap$ make lib
coq_makefile -f _CoqProject -o Makefile.coq
make -f Makefile.coq Frap.vo AbstractInterpret.vo SepCancel.vo
make[1]: Entering directory '/mnt/c/bhargav/prog/coq/frap'
COQDEP VFILES
COQC Sets.v
COQC Relations.v
COQC Map.v
File "./Map.v", line 143, characters 2-177:
Error: This command does not support this attribute: global.
[unsupported-attributes,parsing]

make[1]: *** [Makefile.coq:678: Map.vo] Error 1
make[1]: Leaving directory '/mnt/c/bhargav/prog/coq/frap'
make: *** [Makefile:16: lib] Error 2

Unable to unify - compile error

The Coq Proof Assistant, version 8.17.0
compiled with OCaml 4.14.0

macOS Big Sur
Version 11.5.2

At first, I was getting the following error

 The default value for hint locality is currently "global" outside
sections, but is scheduled to change to "export" in the next release (Coq
8.18). In Coq 8.17, not providing an explicit locality outside sections
triggers a fatal warning, to ensure that hint localities are made explicit
before the upcoming change in the default value. It is recommended to use
"export" whenever possible. Use the attributes #[local], #[global] and
#[export] depending on your choice. For example: "#[export] Hint Unfold foo :
bar." [deprecated-hint-without-locality,deprecated]

in both Relations.v (line 130) and Sets.v (line 134). I tried the #[global] and #[local] for locality, but they did not get me very far in the compilation process before erroring out. I tried #[export] and that seemed to have worked better, but then I got the following error:

File "./AbstractInterpret.v", line 478, characters 8-21:
Error:
In environment
a : absint
H : absint_sound a
s : astate a
c1, c2 : cmd
IHc1 : forall (wrap : cmd -> cmd) (ss : astates a),
       absint_step s c1 wrap = Some ss ->
       forall s' : astate a,
       subsumed s s' ->
       exists ss' : astates a,
         absint_step s' c1 wrap = Some ss' /\ subsumeds ss ss'
IHc2 : forall (wrap : cmd -> cmd) (ss : astates a),
       absint_step s c2 wrap = Some ss ->
       forall s' : astate a,
       subsumed s s' ->
       exists ss' : astates a,
         absint_step s' c2 wrap = Some ss' /\ subsumeds ss ss'
wrap : cmd -> cmd
ss : astates a
H0 : match absint_step s c1 (fun c : cmd => wrap (c;; c2)) with
     | Some a0 => Some a0
     | None => Some ($0 $+ (wrap c2, s))
     end = Some ss
s' : astate a
H1 : subsumed s s'
Unable to unify
 "forall (c : cmd) (s1 : astate ?M27986),
  (?M27987 $+ (?M27989, ?M27990)) $? c = Some s1 ->
  exists s2 : astate ?M27986,
    (?M27988 $+ (?M27989, ?M27991)) $? c = Some s2 /\ subsumed s1 s2" with
 "exists ss' : astates a,
    match absint_step s' c1 (fun c : cmd => wrap (c;; c2)) with
    | Some a0 => Some a0
    | None => Some ($0 $+ (wrap c2, s'))
    end = Some ss' /\ subsumeds ss ss'".

make[2]: *** [AbstractInterpret.vo] Error 1
make[1]: *** [all] Error 2
make: *** [coq] Error 2

Any help would be appreciated, thanks.

Insufficient tactic of `model_check_done` in FrapWithoutSets.v.

Hi, I am trying to solve pset5 (producer-consumer formal verification) of 6.887 with transition system abstraction and model checking.

Looks like the tactic model_check_done in FrapWithoutSets.v is insufficient to directly prove the abstracted transition system via model_check_infer.

I made some hacks to change the tactic

 Ltac model_check_done :=
    apply MscDone; eapply oneStepClosure_solve; [ closure | simplify; solve [ sets ] ].

into

 Ltac model_check_done :=
    apply MscDone; eapply oneStepClosure_solve; [ closure | simplify; apply sets_equal; simplify; propositional ].

And then model_check_infer could just work.

My Coq (8.6) code for pset5 is here (deleted to avoid cheating). It takes about 1 minute to execute. You can just focus on L210 to L213. If I use the above hacks, L211 to L213 can be omitted.

As I am really a Coq novice, I don't understand some details of your Coq Ltac magic; could you look into the details to check whether it is a bug? Thanks.

"make clean" deletes book source

On Mac OS X, the default filesystem is case-insensitive.
This is unfortunate.
Since Frap.v is present, make clean tries to delete Frap.tex, which results in deleting frap.tex.

"Further Reading" sections

Something of a feature request, but perhaps it might be nice to have a "Further Reading" section at the end of each chapter with links to some relevant papers/readings?

I've got a list of papers somewhere which I found/read/skimmed when I took 822 which I'll add to this (when I've found it) on the off chance that it's useful.

Error with make all

Hi, I'm trying to build the project as stated in the README, but make all fails with

make -f Makefile.coq
make[1]: Entering directory '/home/bedef/Projects/coq/frap'
/bin/sh: line 1: /snap/coq-prover/34/coq-platform/bin//coqc: No such file or directory
COQDEP VFILES
/bin/sh: line 1: /snap/coq-prover/34/coq-platform/bin//coqdep: No such file or directory
/bin/sh: line 1: /snap/coq-prover/34/coq-platform/bin//coqc: No such file or directory
COQDEP VFILES
/bin/sh: line 1: /snap/coq-prover/34/coq-platform/bin//coqdep: No such file or directory
W: This Makefile was generated by Coq 8.18.0
W: while the current Coq version is
/bin/sh: line 1: /snap/coq-prover/34/coq-platform/bin//coqc: No such file or directory
COQDEP VFILES
/bin/sh: line 1: /snap/coq-prover/34/coq-platform/bin//coqdep: No such file or directory
make[2]: *** No rule to make target '.Makefile.coq.d', needed by 'Map.vo'. Stop.
make[1]: *** [Makefile.coq:409: all] Error 2
make[1]: Leaving directory '/home/bedef/Projects/coq/frap'
make: *** [Makefile:13: coq] Error 2

I'm a beginner with coq and have installed it with the snap package as stated here https://coq.inria.fr/download. What am I missing?

Failing to compile Sets.v

Hi,

I tried to compile the library with make lib, but this failed at the following step:

coqc  -q  -R . Frap   Sets
File "/[...]/frap/Sets.v", line 312, characters 23-22:
Syntax error: [constr:operconstr] expected after '=' (in [constr:operconstr]).
Makefile.coq:245: recipe for target 'Sets.vo' failed
make[1]: *** [Sets.vo] Error 1
make[1]: Leaving directory '/[...]/frap'
Makefile:16: recipe for target 'lib' failed
make: *** [lib] Error 2

Could it be because this library requires a version of Coq newer than 8.4pl4? (This is the current version for Ubuntu, which does date back a bit.)
Thank you

Remi

Error when making off of fresh pull

Specifically, the last few lines when running make are

"coqc"  -q  -R "." Frap   Sets
"coqc"  -q  -R "." Frap   Map
"coqc"  -q  -R "." Frap   Var
"coqc"  -q  -R "." Frap   Relations
make[1]: *** No rule to make target `Invariant.vo', needed by `Frap.vo'.  Stop.
make: *** [coq] Error 2

If I manually execute

"coqc"  -q  -R "." Frap   Invariant

and then run make again, I get

"coqc"  -q  -R "." Frap   Frap
"coqc"  -q  -R "." Frap   BasicSyntax_template
     = 1
     : nat
     = 5
     : nat
     = 1
     : nat
     = 5
     : nat
File "./BasicSyntax_template.v", line 42, characters 0-4:
Error: Attempt to save a proof with given up goals. If this is really what
you want to do, use Admitted in place of Qed. (in proof depth_le_size)
make[1]: *** [BasicSyntax_template.vo] Error 1
make: *** [coq] Error 2

Can't build the project using a local opam switch

Disclaimer: I am a coq noob
Edit: resolved by using a global opam switch

As stated in the .tex sources I used coq 8.16.0 (I also tried with 8.15.0 to 8.19.0).
I installed coq through opam

coq:

> opam exec -- coqtop -v
The Coq Proof Assistant, version 8.16.0
compiled with OCaml 4.13.1

operating system:

> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal

I get an Error: Cannot find a physical path bound to logical path Prelude with prefix Coq. error when running the makefile. There is also a handful of warnings, but I do not know if that is normal, so here is the full output after opam exec -- make

make -f Makefile.coq Frap.vo AbstractInterpret.vo SepCancel.vo
make[1]: Entering directory '/home/lesenr1/work/frap'
COQC Sets.v
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Compat was previously
bound to Coq.Compat; it is remapped to Frap._opam.lib.coq.theories.Compat
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/derive was previously
bound to Coq.derive; it is remapped to Frap._opam.lib.coq.theories.derive
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Logic was previously
bound to Coq.Logic; it is remapped to Frap._opam.lib.coq.theories.Logic
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/QArith was previously
bound to Coq.QArith; it is remapped to Frap._opam.lib.coq.theories.QArith
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Relations was
previously bound to Coq.Relations; it is remapped to
Frap._opam.lib.coq.theories.Relations [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/rtauto was previously
bound to Coq.rtauto; it is remapped to Frap._opam.lib.coq.theories.rtauto
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/NArith was previously
bound to Coq.NArith; it is remapped to Frap._opam.lib.coq.theories.NArith
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/nsatz was previously
bound to Coq.nsatz; it is remapped to Frap._opam.lib.coq.theories.nsatz
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/FSets was previously
bound to Coq.FSets; it is remapped to Frap._opam.lib.coq.theories.FSets
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Sorting was
previously bound to Coq.Sorting; it is remapped to
Frap._opam.lib.coq.theories.Sorting [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Array was previously
bound to Coq.Array; it is remapped to Frap._opam.lib.coq.theories.Array
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Structures was
previously bound to Coq.Structures; it is remapped to
Frap._opam.lib.coq.theories.Structures [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/funind was previously
bound to Coq.funind; it is remapped to Frap._opam.lib.coq.theories.funind
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/micromega was
previously bound to Coq.micromega; it is remapped to
Frap._opam.lib.coq.theories.micromega [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Vectors was
previously bound to Coq.Vectors; it is remapped to
Frap._opam.lib.coq.theories.Vectors [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Setoids was
previously bound to Coq.Setoids; it is remapped to
Frap._opam.lib.coq.theories.Setoids [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/extraction was
previously bound to Coq.extraction; it is remapped to
Frap._opam.lib.coq.theories.extraction [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Init was previously
bound to Coq.Init; it is remapped to Frap._opam.lib.coq.theories.Init
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Sets was previously
bound to Coq.Sets; it is remapped to Frap._opam.lib.coq.theories.Sets
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/setoid_ring was
previously bound to Coq.setoid_ring; it is remapped to
Frap._opam.lib.coq.theories.setoid_ring
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/ssr was previously
bound to Coq.ssr; it is remapped to Frap._opam.lib.coq.theories.ssr
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/PArith was previously
bound to Coq.PArith; it is remapped to Frap._opam.lib.coq.theories.PArith
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/omega was previously
bound to Coq.omega; it is remapped to Frap._opam.lib.coq.theories.omega
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/btauto was previously
bound to Coq.btauto; it is remapped to Frap._opam.lib.coq.theories.btauto
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Reals/Abstract was
previously bound to Coq.Reals.Abstract; it is remapped to
Frap._opam.lib.coq.theories.Reals.Abstract
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Reals/Cauchy was
previously bound to Coq.Reals.Cauchy; it is remapped to
Frap._opam.lib.coq.theories.Reals.Cauchy
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Reals was previously
bound to Coq.Reals; it is remapped to Frap._opam.lib.coq.theories.Reals
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/ZArith was previously
bound to Coq.ZArith; it is remapped to Frap._opam.lib.coq.theories.ZArith
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Strings was
previously bound to Coq.Strings; it is remapped to
Frap._opam.lib.coq.theories.Strings [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Lists was previously
bound to Coq.Lists; it is remapped to Frap._opam.lib.coq.theories.Lists
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Classes was
previously bound to Coq.Classes; it is remapped to
Frap._opam.lib.coq.theories.Classes [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Wellfounded was
previously bound to Coq.Wellfounded; it is remapped to
Frap._opam.lib.coq.theories.Wellfounded
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Unicode was
previously bound to Coq.Unicode; it is remapped to
Frap._opam.lib.coq.theories.Unicode [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Floats was previously
bound to Coq.Floats; it is remapped to Frap._opam.lib.coq.theories.Floats
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/MSets was previously
bound to Coq.MSets; it is remapped to Frap._opam.lib.coq.theories.MSets
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Arith was previously
bound to Coq.Arith; it is remapped to Frap._opam.lib.coq.theories.Arith
[overriding-logical-loadpath,loadpath]
Warning:
/home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Cyclic/Abstract was
previously bound to Coq.Numbers.Cyclic.Abstract; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Cyclic.Abstract
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Cyclic/Int31
was previously bound to Coq.Numbers.Cyclic.Int31; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Cyclic.Int31
[overriding-logical-loadpath,loadpath]
Warning:
/home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Cyclic/ZModulo was
previously bound to Coq.Numbers.Cyclic.ZModulo; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Cyclic.ZModulo
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Cyclic/Int63
was previously bound to Coq.Numbers.Cyclic.Int63; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Cyclic.Int63
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Cyclic was
previously bound to Coq.Numbers.Cyclic; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Cyclic
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/NatInt was
previously bound to Coq.Numbers.NatInt; it is remapped to
Frap._opam.lib.coq.theories.Numbers.NatInt
[overriding-logical-loadpath,loadpath]
Warning:
/home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Integer/Binary was
previously bound to Coq.Numbers.Integer.Binary; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Integer.Binary
[overriding-logical-loadpath,loadpath]
Warning:
/home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Integer/Abstract was
previously bound to Coq.Numbers.Integer.Abstract; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Integer.Abstract
[overriding-logical-loadpath,loadpath]
Warning:
/home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Integer/NatPairs was
previously bound to Coq.Numbers.Integer.NatPairs; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Integer.NatPairs
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Integer was
previously bound to Coq.Numbers.Integer; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Integer
[overriding-logical-loadpath,loadpath]
Warning:
/home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Natural/Binary was
previously bound to Coq.Numbers.Natural.Binary; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Natural.Binary
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Natural/Peano
was previously bound to Coq.Numbers.Natural.Peano; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Natural.Peano
[overriding-logical-loadpath,loadpath]
Warning:
/home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Natural/Abstract was
previously bound to Coq.Numbers.Natural.Abstract; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Natural.Abstract
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers/Natural was
previously bound to Coq.Numbers.Natural; it is remapped to
Frap._opam.lib.coq.theories.Numbers.Natural
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Numbers was
previously bound to Coq.Numbers; it is remapped to
Frap._opam.lib.coq.theories.Numbers [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Program was
previously bound to Coq.Program; it is remapped to
Frap._opam.lib.coq.theories.Program [overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/Bool was previously
bound to Coq.Bool; it is remapped to Frap._opam.lib.coq.theories.Bool
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories/ssrmatching was
previously bound to Coq.ssrmatching; it is remapped to
Frap._opam.lib.coq.theories.ssrmatching
[overriding-logical-loadpath,loadpath]
Warning: /home/lesenr1/work/frap/_opam/lib/coq/theories was previously bound
to Coq; it is remapped to Frap._opam.lib.coq.theories
[overriding-logical-loadpath,loadpath]
Error: Cannot find a physical path bound to logical path
Prelude with prefix Coq.

make[1]: *** [Makefile.coq:793: Sets.vo] Error 1
make[1]: Leaving directory '/home/lesenr1/work/frap'
make: *** [Makefile:16: lib] Error 2

Incomplete odd/even abstraction rules in § 8 "Abstract Interpretation and Dataflow Analysis"

On page 44, there are rules for addition/subtraction/multiplication on odd/even/unknown values. However, the rules for "-" only give a precise answer for E - E, whereas it could use the same rules as "+" (i.e., giving precise answers for all of {E,O} x {E,O}).

The omission doesn't compromise the soundness of the abstraction, but it is at odds with the previous page describing the abstracted operators as "push[ing] abstraction through arithmetic operators, calculating their most precise abstractions."

It seems like either (1) the rules for "+" and "-" should match, or (2) the text could take the opportunity to point out that while "-" is less precise, it doesn't compromise its soundness.
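The algebraic laws proposed in the "More concise definition of absint_sound and absint_complete" issue above and the odd/even subtraction rules discussed in this issue can both be checked by brute force on the parity domain. The Python script below is an added example, not code from the FRAP repository. It assumes the three-element domain {E, O, Top} with constants abstracted by their parity, encodes the soundness, monotonicity, join and completeness laws exactly as the earlier issue states them, and compares three candidate subtraction tables: the conservative table as that issue describes the book's rule (precise only for E - E), the "same rules as +" table proposed here, and a third table of my own with O - O = E. Every law is checked exhaustively over the constructed range of concrete values 0..11, once against integer subtraction and once against Coq-style nat subtraction, which truncates at zero. The names `check_operator`, `check_domain_laws` and the table constants are all constructed for this example.

```python
"""Brute-force checker for the parity abstract domain (added example, not FRAP code)."""
from itertools import product

EVEN, ODD, TOP = "E", "O", "T"
DOMAIN = (EVEN, ODD, TOP)
NATS = range(12)   # constructed bound: concrete inputs range over 0..11


def represents(n, a):
    """n ~ a: abstract value a describes concrete value n (negative ints use Python's parity)."""
    return a == TOP or (a == EVEN) == (n % 2 == 0)


def constant(n):
    """C(n): the most precise abstraction of a constant."""
    return EVEN if n % 2 == 0 else ODD


def join(a, b):
    """a ⊔ b in the parity lattice."""
    return a if a == b else TOP


def below(a, b):
    """a ⊑ b, defined as in the issue: forall n, n ~ a -> n ~ b (checked over NATS)."""
    return all(represents(n, b) for n in NATS if represents(n, a))


def table(precise):
    """Build an (a, b) -> result table; every pair not listed maps to Top."""
    t = {(a, b): TOP for a, b in product(DOMAIN, repeat=2)}
    t.update(precise)
    return t


ADD = table({(EVEN, EVEN): EVEN, (EVEN, ODD): ODD, (ODD, EVEN): ODD, (ODD, ODD): EVEN})
MUL = table({(EVEN, EVEN): EVEN, (EVEN, ODD): EVEN, (ODD, EVEN): EVEN, (ODD, ODD): ODD,
             (EVEN, TOP): EVEN, (TOP, EVEN): EVEN})
SUB_CONSERVATIVE = table({(EVEN, EVEN): EVEN})      # precise only for E - E, as the issue describes
SUB_LIKE_ADD = ADD                                  # the "same rules as +" proposal
SUB_TRUNCATED = table({(EVEN, EVEN): EVEN, (ODD, ODD): EVEN})  # assumed most precise for nat subtraction


def nat_sub(n, m):
    """Coq-style nat subtraction, which truncates at zero."""
    return max(n - m, 0)


def int_sub(n, m):
    return n - m


def op_sound(natop, absop):
    """absop_sound: n ~ a -> m ~ b -> natop n m ~ absop a b."""
    return all(represents(natop(n, m), absop[a, b])
               for a, b in product(DOMAIN, repeat=2)
               for n, m in product(NATS, repeat=2)
               if represents(n, a) and represents(m, b))


def op_monotone(absop):
    """absop_monotone: a ⊑ a' -> b ⊑ b' -> absop a b ⊑ absop a' b'."""
    return all(below(absop[a, b], absop[a2, b2])
               for a, b, a2, b2 in product(DOMAIN, repeat=4)
               if below(a, a2) and below(b, b2))


def op_complete(natop, absop):
    """absop_complete: any c that soundly covers natop on a and b lies above absop a b."""
    def covers(a, b, c):
        return all(represents(natop(n, m), c)
                   for n, m in product(NATS, repeat=2)
                   if represents(n, a) and represents(m, b))
    return all(below(absop[a, b], c)
               for a, b, c in product(DOMAIN, repeat=3) if covers(a, b, c))


def check_operator(natop, absop):
    """Return (sound, monotone, complete) for one abstract operator against one concrete one."""
    return op_sound(natop, absop), op_monotone(absop), op_complete(natop, absop)


def check_domain_laws():
    """The remaining laws: TopSound in both forms, ConstSound, join laws, and const_complete."""
    pairs = list(product(DOMAIN, repeat=2))
    return {
        "TopSound": all(represents(n, TOP) for n in NATS),
        "TopSound_page44": all(below(a, TOP) for a in DOMAIN),
        "ConstSound": all(represents(n, constant(n)) for n in NATS),
        "JoinSound": all(below(a, join(a, b)) and below(b, join(a, b)) for a, b in pairs),
        "absint_complete": all(below(join(a, b), c) for (a, b), c in product(pairs, DOMAIN)
                               if below(a, c) and below(b, c)),
        "const_complete": all(below(constant(n), a) for n in NATS for a in DOMAIN
                              if represents(n, a)),
    }


if __name__ == "__main__":
    cases = [("+", lambda n, m: n + m, ADD), ("*", lambda n, m: n * m, MUL),
             ("nat -, conservative", nat_sub, SUB_CONSERVATIVE), ("nat -, like +", nat_sub, SUB_LIKE_ADD),
             ("nat -, O-O=E", nat_sub, SUB_TRUNCATED), ("int -, like +", int_sub, SUB_LIKE_ADD)]
    for name, natop, absop in cases:
        print(f"{name:22} sound/monotone/complete = {check_operator(natop, absop)}")
    print(check_domain_laws())
```

Running the script shows that the right subtraction table depends on the concrete semantics: against integer subtraction the "+" table is sound and complete, but against truncated nat subtraction it is unsound (2 - 3 = 0 is even, while E - O would claim odd), while the conservative table is sound yet incomplete, because O - O is always even under truncation. The same run confirms, for this domain, the remark in the earlier issue that an operator which is both sound and complete is also monotone.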

Feedback on Concurrent Separation Logic

In our study group session today, we discussed FRAP chapter 18. We spent a while discussing the HtPar rule, because we were wondering about "r" in the book's rendition vs tt in the Coq code. What occurred to us is because there's no way for Return tt || Return tt to take a step, the post condition for c1 || c2 doesn't end up mattering.

For example, a program like:

Example stuckJoin : cmd unit :=
  _ <- (Return tt; Return tt);
  Fail.

gets stuck without ever reaching Fail. It's possible to prove that notAboutToFail is an invariant of this program, but not with hoare_triple_sound because HtPar is too restrictive (it requires you to prove tt = tt -> False).

Two reasonable options we saw:

  1. Extend the operational semantics with a join operation, like step (h, l, Par (Return tt) (Return tt)) (h, l, Return tt). (Or even change Par's type and make it return a tuple of the results from its two subcommands.)

    Note: With this option, notAboutToFail is no longer an invariant of stuckJoin.

  2. Change HtPar's post condition to just [| False |]. With a slight tweak to invert_Par (just dropping /\ Q1 tt * Q2 tt ===> Q tt) and corresponding simplification to preservation, I was able to still prove the same final results.

However, this also got us wondering about notAboutToFail more broadly. Most of us initially assumed it served a role similar to the unstuck predicate from chapter 12 used for proving progress. But upon closer inspection, realized it's more limited than we thought. For example, it doesn't prevent reading/writing bad memory addresses, or unlocking locks that are already unlocked.

Again, two reasonable options:

  1. If a step rule is added for Par (Return v1) (Return v2), then use an unstuck invariant like in previous chapters. That is, prove there's always a step to take, or the command is Return v where v and the heap satisfy the Hoare triple post condition.

  2. Add Fail transitions for cases that shouldn't happen. For example:

    | StepUnlockFail : forall h l a,
      ~a \in l
      -> step (h, l, Unlock a) (h, l, Fail)
    

    These transitions might be interesting to add anyway. I imagine a bunch would just make the proofs tedious, but even one would probably be edifying.
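The stuck-join observation above can be reproduced by model checking a toy version of the command language. The Python below is an added example, not code from FRAP: it keeps only the control structure (Return, Fail, Bind, Par), leaves out heaps and locks, and explores every command reachable from the issue's stuckJoin, once with the semantics as described and once with the join rule proposed as option 1. The function names `analyze`, `then_fail`, `is_stuck` and the `with_join` flag are constructed for this example.

```python
"""Toy control-flow model of the stuck-join observation (added example, not FRAP code)."""
from collections import deque

# Constructed command syntax: Return v, Fail, Bind c k (x <- c; k x) and Par c1 c2 (c1 || c2).
# Heaps and locks are left out, since only the control structure matters for the observation.
FAIL = ("fail",)


def Return(v):
    return ("ret", v)


def Bind(c, k):
    return ("bind", c, k)   # k must be a module-level function so that states stay hashable


def Par(c1, c2):
    return ("par", c1, c2)


def step(c, with_join):
    """All one-step successors of command c under the small-step rules."""
    succ = []
    if c[0] == "bind":
        _, c1, k = c
        if c1[0] == "ret":
            succ.append(k(c1[1]))                       # Bind (Return v) k --> k v
        else:
            succ.extend(Bind(c1p, k) for c1p in step(c1, with_join))
    elif c[0] == "par":
        _, c1, c2 = c
        succ.extend(Par(c1p, c2) for c1p in step(c1, with_join))   # left side steps
        succ.extend(Par(c1, c2p) for c2p in step(c2, with_join))   # right side steps
        if with_join and c1[0] == "ret" and c2[0] == "ret":
            succ.append(Return(None))                   # option 1 from the issue: a join rule
    return succ


def reachable(c0, with_join):
    """Breadth-first exploration of every command reachable from c0 (a finite-state model check)."""
    seen, todo = {c0}, deque([c0])
    while todo:
        for n in step(todo.popleft(), with_join):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


def is_stuck(c, with_join):
    """Stuck means: not finished (Return), not failed, and no rule applies."""
    return c[0] not in ("ret", "fail") and not step(c, with_join)


def then_fail(_):
    return FAIL


# The issue's stuckJoin: _ <- (Return tt || Return tt); Fail, with tt modelled as None.
STUCK_JOIN = Bind(Par(Return(None), Return(None)), then_fail)


def analyze(with_join, prog=STUCK_JOIN):
    """Return (some reachable state is stuck, Fail is reachable); notAboutToFail holds iff the second is False."""
    states = reachable(prog, with_join)
    return any(is_stuck(s, with_join) for s in states), FAIL in states


if __name__ == "__main__":
    print("without join rule:", analyze(False))   # a stuck state, Fail never reached
    print("with join rule:   ", analyze(True))    # no stuck state, Fail reachable
```

Without the join rule the exploration finds exactly one reachable state, the original command, and it is stuck, so notAboutToFail holds vacuously; adding the join rule makes Fail reachable in two steps, which is the trade-off the issue notes for option 1.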

14.2. Assertion Logic: some arrows should be single-lined

Following the text:

We can also define natural comparison operators between assertions, overloading the usual notations for equivalence and implication of propositions.

I believe that the arrows on the right hand side of the equality should be single-lined arrows, not double, since they are implication and equivalence in the meta-language, not the object language, but I might be mistaken.

No index entry for `model_check` tactic

I'm not seeing an index entry for the model_check tactic. This is conceptually a simple enough tactic that it probably doesn't matter, but mentioning it in case this was an oversight.
