├── .gitattributes ├── .github ├── dependabot.yml └── workflows │ ├── ci.yml │ ├── dependabot-automerge.yml │ ├── mailbot.yml │ └── update-tested.yml ├── .gitignore ├── .gitmodules ├── LICENSE ├── Makefile ├── README.md ├── _CoqProject ├── etc ├── ci-goose-check.py ├── ci-grackle-check.py ├── coqc.py ├── disable-qed.sh ├── mixcode │ ├── README.md │ ├── mixcode.el │ └── screenshot.png ├── mkvok ├── popl21-supplement │ ├── Makefile │ ├── README.md │ └── prepare.sh ├── release.sh ├── test_coqc.py ├── test_coqc │ ├── Abstract.v │ ├── Abstract.v.out │ ├── infinite.v │ ├── infinite.v.out │ ├── test.v │ └── test.v.out ├── timing-report.py ├── update-goose.py └── update-grackle.sh ├── external └── Goose │ └── github_com │ ├── goose_lang │ ├── goose │ │ ├── channel.v │ │ └── internal │ │ │ └── examples │ │ │ ├── append_log.v │ │ │ ├── async.v │ │ │ ├── comments.v │ │ │ ├── logging2.v │ │ │ ├── rfc1813.v │ │ │ ├── semantics.v │ │ │ ├── simpledb.v │ │ │ ├── trust_import.v │ │ │ ├── trust_import │ │ │ └── trusted_example.v │ │ │ ├── unittest.v │ │ │ ├── unittest │ │ │ └── generic.v │ │ │ └── wal.v │ ├── std.v │ └── std │ │ └── std_core.v │ ├── mit_pdos │ ├── go_journal │ │ ├── addr.v │ │ ├── alloc.v │ │ ├── buf.v │ │ ├── common.v │ │ ├── jrnl.v │ │ ├── jrnl_replication.v │ │ ├── lockmap.v │ │ ├── obj.v │ │ ├── txn.v │ │ ├── util.v │ │ └── wal.v │ ├── go_nfsd │ │ ├── fh.v │ │ ├── kvs.v │ │ ├── nfstypes.v │ │ ├── simple.v │ │ └── super.v │ ├── gokv │ │ ├── aof.v │ │ ├── asyncfile.v │ │ ├── bank.v │ │ ├── cachekv.v │ │ ├── connman.v │ │ ├── ctrexample │ │ │ ├── client.v │ │ │ └── server.v │ │ ├── dmvcc │ │ │ ├── example.v │ │ │ ├── index.v │ │ │ ├── prophname.v │ │ │ ├── txn.v │ │ │ ├── txncoordinator.v │ │ │ └── txnmgr.v │ │ ├── erpc.v │ │ ├── fencing │ │ │ ├── client.v │ │ │ ├── config.v │ │ │ ├── ctr.v │ │ │ ├── frontend.v │ │ │ └── loopclient.v │ │ ├── kv.v │ │ ├── lockservice.v │ │ ├── map_marshal.v │ │ ├── map_string_marshal.v │ │ ├── memkv.v │ │ ├── memkv │ │ │ ├── bank.v │ │ │ └── lockservice.v │ │ ├── minlease.v │ │ ├── paxi │ │ │ ├── reconf.v │ │ │ └── single.v │ │ ├── reconnectclient.v │ │ ├── tutorial.v │ │ ├── tutorial │ │ │ ├── basics.v │ │ │ ├── kvservice.v │ │ │ ├── kvservice │ │ │ │ ├── conditionalput_gk.v │ │ │ │ ├── get_gk.v │ │ │ │ └── put_gk.v │ │ │ ├── lockservice.v │ │ │ ├── lockservice │ │ │ │ └── lockrequest_gk.v │ │ │ ├── objectstore │ │ │ │ ├── chunk.v │ │ │ │ ├── chunk │ │ │ │ │ └── writechunk_gk.v │ │ │ │ ├── client.v │ │ │ │ ├── dir.v │ │ │ │ └── dir │ │ │ │ │ ├── chunkhandle_gk.v │ │ │ │ │ ├── finishwrite_gk.v │ │ │ │ │ └── recordchunk_gk.v │ │ │ └── queue.v │ │ ├── urpc.v │ │ └── vrsm │ │ │ ├── apps │ │ │ ├── closed.v │ │ │ ├── exactlyonce.v │ │ │ └── vkv.v │ │ │ ├── clerk.v │ │ │ ├── configservice.v │ │ │ ├── e.v │ │ │ ├── paxos.v │ │ │ ├── reconfig.v │ │ │ ├── replica.v │ │ │ └── storage.v │ ├── lockservice │ │ ├── grove_common.v │ │ └── lockservice.v │ ├── pav │ │ ├── advrpc.v │ │ ├── alicebob.v │ │ ├── cryptoffi.v │ │ ├── cryptoutil.v │ │ ├── kt.v │ │ ├── marshalutil.v │ │ ├── merkle.v │ │ └── netffi.v │ ├── perennial_examples │ │ ├── alloc.v │ │ ├── async_durable_alloc.v │ │ ├── async_durable_alloc_inode.v │ │ ├── async_inode.v │ │ ├── async_mem_alloc_dir.v │ │ ├── async_mem_alloc_inode.v │ │ ├── async_toy.v │ │ ├── dir.v │ │ ├── dynamic_dir.v │ │ ├── indirect_inode.v │ │ ├── inode.v │ │ ├── replicated_block.v │ │ ├── single_async_inode.v │ │ ├── single_inode.v │ │ └── toy.v │ ├── rsm │ │ ├── distx.v │ │ ├── mpaxos.v │ │ ├── pcr.v │ │ ├── spaxos.v │ │ └── tpl.v │ ├── tulip │ │ ├── backup.v │ │ ├── gcoord.v │ │ ├── index.v │ │ ├── message.v │ │ ├── params.v │ │ ├── paxos.v │ │ ├── quorum.v │ │ ├── replica.v │ │ ├── tulip.v │ │ ├── tuple.v │ │ ├── txn.v │ │ ├── txnlog.v │ │ └── util.v │ └── vmvcc │ │ ├── common.v │ │ ├── config.v │ │ ├── examples.v │ │ ├── examples │ │ └── strnum.v │ │ ├── index.v │ │ ├── tid.v │ │ ├── tuple.v │ │ ├── txnsite.v │ │ ├── vmvcc.v │ │ └── wrbuf.v │ └── tchajed │ └── marshal.v ├── flake.lock ├── flake.nix ├── new ├── atomic_fupd.v ├── code │ ├── bytes.v │ ├── bytes.v.toml │ ├── context.v │ ├── context.v.toml │ ├── crypto │ │ ├── rand.v │ │ └── rand.v.toml │ ├── errors.v │ ├── errors.v.toml │ ├── fmt.v │ ├── fmt.v.toml │ ├── github_com │ │ ├── goose_lang │ │ │ ├── goose │ │ │ │ ├── model │ │ │ │ │ └── channel.v │ │ │ │ └── testdata │ │ │ │ │ └── examples │ │ │ │ │ ├── append_log.v │ │ │ │ │ ├── channel.v │ │ │ │ │ ├── semantics.v │ │ │ │ │ ├── unittest.v │ │ │ │ │ └── unittest │ │ │ │ │ └── generics.v │ │ │ ├── primitive.v │ │ │ ├── primitive.v.toml │ │ │ ├── primitive │ │ │ │ ├── disk.v │ │ │ │ └── disk.v.toml │ │ │ ├── std.v │ │ │ └── std │ │ │ │ ├── std_core.v │ │ │ │ └── std_core.v.toml │ │ ├── mit_pdos │ │ │ ├── go_journal │ │ │ │ ├── addr.v │ │ │ │ ├── alloc.v │ │ │ │ ├── buf.v │ │ │ │ ├── common.v │ │ │ │ ├── jrnl.v │ │ │ │ ├── jrnl_replication.v │ │ │ │ ├── lockmap.v │ │ │ │ ├── obj.v │ │ │ │ ├── txn.v │ │ │ │ ├── util.v │ │ │ │ └── wal.v │ │ │ ├── gokv │ │ │ │ ├── aof.v │ │ │ │ ├── asyncfile.v │ │ │ │ ├── bank.v │ │ │ │ ├── cachekv.v │ │ │ │ ├── globals_test.v │ │ │ │ ├── grove_ffi.v │ │ │ │ ├── grove_ffi.v.toml │ │ │ │ ├── kv.v │ │ │ │ ├── lockservice.v │ │ │ │ ├── map_marshal.v │ │ │ │ ├── map_string_marshal.v │ │ │ │ ├── partialapp.v │ │ │ │ ├── reconnectclient.v │ │ │ │ ├── trusted_proph.v │ │ │ │ ├── trusted_proph.v.toml │ │ │ │ ├── urpc.v │ │ │ │ └── vrsm │ │ │ │ │ ├── apps │ │ │ │ │ ├── closed.v │ │ │ │ │ ├── exactlyonce.v │ │ │ │ │ └── vkv.v │ │ │ │ │ ├── clerk.v │ │ │ │ │ ├── configservice.v │ │ │ │ │ ├── e.v │ │ │ │ │ ├── paxos.v │ │ │ │ │ ├── reconfig.v │ │ │ │ │ ├── replica.v │ │ │ │ │ └── storage.v │ │ │ ├── pav │ │ │ │ ├── cryptoffi.v.toml │ │ │ │ └── netffi.v.toml │ │ │ └── tulip │ │ │ │ ├── trusted_proph.v.toml │ │ │ │ └── trusted_time.v.toml │ │ ├── stretchr │ │ │ └── testify │ │ │ │ ├── assert.v │ │ │ │ └── assert.v.toml │ │ └── tchajed │ │ │ ├── marshal.v │ │ │ └── marshal.v.toml │ ├── go_etcd_io │ │ ├── etcd │ │ │ ├── api │ │ │ │ └── v3 │ │ │ │ │ ├── etcdserverpb.v │ │ │ │ │ ├── etcdserverpb.v.toml │ │ │ │ │ ├── mvccpb.v │ │ │ │ │ ├── mvccpb.v.toml │ │ │ │ │ └── v3rpc │ │ │ │ │ └── rpctypes.v │ │ │ └── client │ │ │ │ ├── v3.v │ │ │ │ ├── v3.v.toml │ │ │ │ └── v3 │ │ │ │ ├── concurrency.v │ │ │ │ └── leasing.v │ │ └── raft │ │ │ ├── v3.v │ │ │ └── v3 │ │ │ ├── confchange.v │ │ │ ├── confchange.v.toml │ │ │ ├── quorum.v │ │ │ ├── quorum │ │ │ ├── slices.v │ │ │ └── slices.v.toml │ │ │ ├── raftpb.v │ │ │ ├── raftpb.v.toml │ │ │ └── tracker.v │ ├── go_uber_org │ │ ├── zap.v │ │ ├── zap.v.toml │ │ └── zap │ │ │ ├── zapcore.v │ │ │ └── zapcore.v.toml │ ├── google_golang_org │ │ ├── grpc.v │ │ ├── grpc.v.toml │ │ └── grpc │ │ │ ├── codes.v │ │ │ ├── codes.v.toml │ │ │ ├── status.v │ │ │ └── status.v.toml │ ├── internal │ │ ├── race.v │ │ └── race.v.toml │ ├── io.v │ ├── io.v.toml │ ├── log.v │ ├── log.v.toml │ ├── math.v │ ├── math.v.toml │ ├── math │ │ ├── big.v │ │ ├── big.v.toml │ │ ├── rand.v │ │ └── rand.v.toml │ ├── os.v │ ├── os.v.toml │ ├── slices.v │ ├── slices.v.toml │ ├── sort.v │ ├── sort.v.toml │ ├── strconv.v │ ├── strconv.v.toml │ ├── strings.v │ ├── strings.v.toml │ ├── sync.v │ ├── sync.v.toml │ ├── sync │ │ ├── atomic.v │ │ └── atomic.v.toml │ ├── testing.v │ ├── testing.v.toml │ ├── time.v │ └── time.v.toml ├── disk_prelude.v ├── etc │ └── update-goose-new.py ├── experiments │ ├── all_scmra.v │ ├── all_ucmra.v │ ├── checker.v │ ├── glob.v │ ├── inG.v │ ├── lang.v │ ├── records.v │ ├── store.v │ ├── type.v │ └── unsound.v ├── generatedproof │ ├── bytes.v │ ├── context.v │ ├── crypto │ │ └── rand.v │ ├── errors.v │ ├── fmt.v │ ├── github_com │ │ ├── goose_lang │ │ │ ├── goose │ │ │ │ ├── model │ │ │ │ │ └── channel.v │ │ │ │ └── testdata │ │ │ │ │ └── examples │ │ │ │ │ ├── append_log.v │ │ │ │ │ ├── channel.v │ │ │ │ │ ├── semantics.v │ │ │ │ │ ├── unittest.v │ │ │ │ │ └── unittest │ │ │ │ │ └── generics.v │ │ │ ├── primitive.v │ │ │ ├── primitive │ │ │ │ └── disk.v │ │ │ ├── std.v │ │ │ └── std │ │ │ │ └── std_core.v │ │ ├── mit_pdos │ │ │ ├── go_journal │ │ │ │ ├── addr.v │ │ │ │ ├── alloc.v │ │ │ │ ├── buf.v │ │ │ │ ├── common.v │ │ │ │ ├── jrnl.v │ │ │ │ ├── jrnl_replication.v │ │ │ │ ├── lockmap.v │ │ │ │ ├── obj.v │ │ │ │ ├── txn.v │ │ │ │ ├── util.v │ │ │ │ └── wal.v │ │ │ └── gokv │ │ │ │ ├── aof.v │ │ │ │ ├── asyncfile.v │ │ │ │ ├── bank.v │ │ │ │ ├── cachekv.v │ │ │ │ ├── globals_test.v │ │ │ │ ├── grove_ffi.v │ │ │ │ ├── kv.v │ │ │ │ ├── lockservice.v │ │ │ │ ├── map_marshal.v │ │ │ │ ├── map_string_marshal.v │ │ │ │ ├── partialapp.v │ │ │ │ ├── reconnectclient.v │ │ │ │ ├── trusted_proph.v │ │ │ │ ├── urpc.v │ │ │ │ └── vrsm │ │ │ │ ├── apps │ │ │ │ ├── closed.v │ │ │ │ ├── exactlyonce.v │ │ │ │ └── vkv.v │ │ │ │ ├── clerk.v │ │ │ │ ├── configservice.v │ │ │ │ ├── e.v │ │ │ │ ├── paxos.v │ │ │ │ ├── reconfig.v │ │ │ │ ├── replica.v │ │ │ │ └── storage.v │ │ ├── stretchr │ │ │ └── testify │ │ │ │ └── assert.v │ │ └── tchajed │ │ │ └── marshal.v │ ├── go_etcd_io │ │ ├── etcd │ │ │ ├── api │ │ │ │ └── v3 │ │ │ │ │ ├── etcdserverpb.v │ │ │ │ │ ├── mvccpb.v │ │ │ │ │ └── v3rpc │ │ │ │ │ └── rpctypes.v │ │ │ └── client │ │ │ │ ├── v3.v │ │ │ │ └── v3 │ │ │ │ ├── concurrency.v │ │ │ │ └── leasing.v │ │ └── raft │ │ │ ├── v3.v │ │ │ └── v3 │ │ │ ├── confchange.v │ │ │ ├── quorum.v │ │ │ ├── quorum │ │ │ └── slices.v │ │ │ ├── raftpb.v │ │ │ └── tracker.v │ ├── go_uber_org │ │ ├── zap.v │ │ └── zap │ │ │ └── zapcore.v │ ├── google_golang_org │ │ ├── grpc.v │ │ └── grpc │ │ │ ├── codes.v │ │ │ └── status.v │ ├── internal │ │ └── race.v │ ├── io.v │ ├── log.v │ ├── math.v │ ├── math │ │ ├── big.v │ │ └── rand.v │ ├── os.v │ ├── slices.v │ ├── sort.v │ ├── strconv.v │ ├── strings.v │ ├── sync.v │ ├── sync │ │ └── atomic.v │ ├── testing.v │ └── time.v ├── golang │ ├── README.md │ ├── defn.v │ ├── defn │ │ ├── array.v │ │ ├── assume.v │ │ ├── builtin.v │ │ ├── chan.v │ │ ├── core.v │ │ ├── defer.v │ │ ├── dynamic_typing.v │ │ ├── exception.v │ │ ├── globals.v │ │ ├── interface.v │ │ ├── list.v │ │ ├── loop.v │ │ ├── map.v │ │ ├── mem.v │ │ ├── notation.v │ │ ├── pkg.v │ │ ├── slice.v │ │ ├── static_mem.v │ │ ├── string.v │ │ ├── struct.v │ │ └── typing.v │ ├── theory.v │ └── theory │ │ ├── assume.v │ │ ├── auto.v │ │ ├── builtin.v │ │ ├── chan.v │ │ ├── defer.v │ │ ├── dynamic_typing.v │ │ ├── exception.v │ │ ├── globals.v │ │ ├── interface.v │ │ ├── list.v │ │ ├── loop.v │ │ ├── map.v │ │ ├── mem.v │ │ ├── pkg.v │ │ ├── primitive.v │ │ ├── proofmode.v │ │ ├── proofmode_tests.v │ │ ├── slice.v │ │ ├── static_mem.v │ │ ├── struct.v │ │ ├── typed_pointsto.v │ │ └── typing.v ├── grove_prelude.v ├── manualproof │ ├── fmt.v │ ├── github_com │ │ ├── goose_lang │ │ │ ├── primitive.v │ │ │ └── primitive │ │ │ │ └── disk.v │ │ └── mit_pdos │ │ │ └── gokv │ │ │ ├── grove_ffi.v │ │ │ └── trusted_proph.v │ ├── log.v │ ├── sync.v │ └── sync │ │ └── atomic.v ├── proof │ ├── chan.v │ ├── chan_proof │ │ ├── closeable.v │ │ └── onetimebarrier.v │ ├── context.v │ ├── disk_prelude.v │ ├── fmt.v │ ├── github_com │ │ ├── goose_lang │ │ │ ├── goose │ │ │ │ └── testdata │ │ │ │ │ └── examples │ │ │ │ │ ├── unittest.v │ │ │ │ │ └── unittest │ │ │ │ │ └── generics.v │ │ │ ├── primitive.v │ │ │ ├── primitive │ │ │ │ └── disk.v │ │ │ ├── std.v │ │ │ └── std │ │ │ │ └── std_core.v │ │ ├── mit_pdos │ │ │ ├── go_journal │ │ │ │ ├── addr.v │ │ │ │ ├── alloc.v │ │ │ │ ├── buf.v │ │ │ │ ├── buf_proof │ │ │ │ │ ├── buf_proof.v │ │ │ │ │ └── defs.v │ │ │ │ ├── common.v │ │ │ │ ├── lockmap.v │ │ │ │ ├── util.v │ │ │ │ ├── wal.v │ │ │ │ └── wal_proof │ │ │ │ │ ├── abstraction.v │ │ │ │ │ ├── highest.v │ │ │ │ │ ├── thread_owned.v │ │ │ │ │ ├── transitions.v │ │ │ │ │ └── txns_ctx.v │ │ │ └── gokv │ │ │ │ ├── aof.v │ │ │ │ ├── asyncfile.v │ │ │ │ ├── bank.v │ │ │ │ ├── bug_wp_ncatomic.v │ │ │ │ ├── cachekv.v │ │ │ │ ├── globals_test.v │ │ │ │ ├── grove_ffi.v │ │ │ │ ├── kv.v │ │ │ │ ├── lockservice.v │ │ │ │ ├── partialapp.v │ │ │ │ ├── reconnectclient.v │ │ │ │ ├── urpc.v │ │ │ │ ├── urpc │ │ │ │ ├── urpc_proof.v │ │ │ │ └── urpc_spec.v │ │ │ │ └── vrsm │ │ │ │ ├── apps │ │ │ │ ├── closed.v │ │ │ │ ├── closed_proof │ │ │ │ │ ├── closed_proof.v │ │ │ │ │ ├── closed_wpcs.v │ │ │ │ │ └── print_assumptions.v │ │ │ │ ├── exactlyonce.v │ │ │ │ ├── exactlyonce_proof │ │ │ │ │ ├── log.v │ │ │ │ │ ├── proof.v │ │ │ │ │ └── vsm.v │ │ │ │ ├── vkv.v │ │ │ │ └── vkv_proof │ │ │ │ │ ├── clerkpool_proof.v │ │ │ │ │ ├── kv_proof.v │ │ │ │ │ └── kv_vsm_proof.v │ │ │ │ ├── clerk.v │ │ │ │ ├── clerk_proof │ │ │ │ ├── clerk_int_proof.v │ │ │ │ └── clerk_proof.v │ │ │ │ ├── configservice.v │ │ │ │ ├── configservice_proof │ │ │ │ ├── config_marshal_proof.v │ │ │ │ └── config_proof.v │ │ │ │ ├── e.v │ │ │ │ ├── paxos.v │ │ │ │ ├── paxos_proof │ │ │ │ ├── applyasfollower_proof.v │ │ │ │ ├── becomeleader_proof.v │ │ │ │ ├── clerk_proof.v │ │ │ │ ├── definitions.v │ │ │ │ ├── enternewepoch_proof.v │ │ │ │ ├── init_proof.v │ │ │ │ ├── marshal_proof.v │ │ │ │ ├── protocol_proof.v │ │ │ │ ├── start_proof.v │ │ │ │ ├── tryacquire_proof.v │ │ │ │ ├── weakread_proof.v │ │ │ │ └── withlock_proof.v │ │ │ │ ├── reconfig.v │ │ │ │ ├── replica.v │ │ │ │ ├── replica_proof │ │ │ │ ├── apply_proof.v │ │ │ │ ├── applybackup_proof.v │ │ │ │ ├── becomeprimary_proof.v │ │ │ │ ├── config_protocol_proof.v │ │ │ │ ├── definitions.v │ │ │ │ ├── getstate_proof.v │ │ │ │ ├── increasecommit_proof.v │ │ │ │ ├── init_proof.v │ │ │ │ ├── leaserenewal_proof.v │ │ │ │ ├── makeclerk_proof.v │ │ │ │ ├── marshal_proof.v │ │ │ │ ├── preread_protocol.v │ │ │ │ ├── primary_protocol.v │ │ │ │ ├── protocol.v │ │ │ │ ├── roapply_proof.v │ │ │ │ ├── sendcommitthread_proof.v │ │ │ │ ├── setstate_proof.v │ │ │ │ └── start_proof.v │ │ │ │ └── storage.v │ │ └── tchajed │ │ │ └── marshal.v │ ├── go_etcd_io │ │ └── etcd │ │ │ ├── client │ │ │ ├── v3.v │ │ │ └── v3 │ │ │ │ ├── concurrency.v │ │ │ │ └── leasing.v │ │ │ └── raft │ │ │ └── v3.v │ ├── grove_prelude.v │ ├── inG_problem.v │ ├── log.v │ ├── own_crash.v │ ├── proof_prelude.v │ ├── sync.v │ ├── sync │ │ └── atomic.v │ ├── sync_proof │ │ ├── base.v │ │ ├── cond.v │ │ ├── mutex.v │ │ ├── rwmutex.v │ │ ├── rwmutex_guard.v │ │ ├── sema.v │ │ └── waitgroup.v │ ├── tok_set.v │ └── vrsm │ │ └── paxos │ │ └── definitions.v ├── should_build.v └── trusted_code │ ├── fmt.v │ ├── github_com │ ├── goose_lang │ │ ├── primitive.v │ │ └── primitive │ │ │ └── disk.v │ └── mit_pdos │ │ └── gokv │ │ ├── grove_ffi.v │ │ └── trusted_proph.v │ ├── log.v │ ├── sync.v │ └── sync │ └── atomic.v ├── pyproject.toml └── src ├── Helpers ├── BigOp.v ├── ByteString.v ├── CountableTactics.v ├── Fractional.v ├── Integers.v ├── List.v ├── ListLen.v ├── ListSolver.v ├── ListSplice.v ├── ListSubset.v ├── ListZ.v ├── LittleEndian.v ├── Map.v ├── ModArith.v ├── NamedProps.v ├── NatDivMod.v ├── ProofCaching.v ├── PropRestore.v ├── Qextra.v ├── Tactics.v ├── Transitions.v ├── Word │ ├── Automation.v │ ├── Integers.v │ ├── LittleEndian.v │ ├── MulOverflow.v │ └── Properties.v ├── byte_explode.v ├── bytes.v ├── finite.v ├── gmap_algebra.v ├── gset.v ├── ipm.v ├── iris.v └── range_set.v ├── LiteBuild.v ├── ShouldBuild.v ├── algebra ├── abs_laterable.v ├── append_list.v ├── async.v ├── atleast.v ├── auth_frac.v ├── auth_map.v ├── big_op.v ├── big_op │ ├── big_sepL.v │ ├── big_sepM.v │ ├── big_sepML.v │ └── big_sepS.v ├── blocks.v ├── fmlist_map.v ├── frac_count.v ├── gen_dir.v ├── gen_heap_names.v ├── ghost_async_map.v ├── ghost_var.v ├── gmap_rel_view.v ├── laterN.v ├── liftable.v ├── log_heap.v ├── map.v ├── mlist.v ├── mono_nat.v ├── na_heap.v ├── own_discrete.v └── partition.v ├── base.v ├── base_logic ├── base_logic.v └── lib │ ├── ae_invariants.v │ ├── cancelable_invariants.v │ ├── crash_token.v │ ├── fancy_updates.v │ ├── fancy_updates2.v │ ├── frac_coPset.v │ ├── fupd_level.v │ ├── gen_heap.v │ ├── ghost_map.v │ ├── ghost_var.v │ ├── gmap_own.v │ ├── invariants.v │ ├── iprop.v │ ├── later_credits.v │ ├── mono_list.v │ ├── mono_nat.v │ ├── ncfupd.v │ ├── own.v │ ├── proph_map.v │ ├── saved_prop.v │ ├── saved_spec.v │ └── wsat.v ├── goose_lang ├── adequacy.v ├── array.v ├── automation │ └── extra_tactics.v ├── base_prelude.v ├── crash_borrow.v ├── crash_modality.v ├── dist_adequacy.v ├── dist_lifting.v ├── examples │ └── nfs_spec │ │ ├── NFS3API.v │ │ ├── README.md │ │ └── symtest │ │ ├── NFS3API.json │ │ ├── NFS3API.ml │ │ ├── filename.smt2 │ │ ├── json_eval.py │ │ ├── json_sym.py │ │ ├── nfs.pcap │ │ ├── nfs_trace.py │ │ ├── rfc1057 │ │ ├── __init__.py │ │ ├── client.py │ │ ├── const.py │ │ ├── pack.py │ │ ├── server.py │ │ └── types.py │ │ ├── rfc1813 │ │ ├── __init__.py │ │ ├── client.py │ │ ├── const.py │ │ ├── pack.py │ │ ├── server.py │ │ └── types.py │ │ ├── rpc │ │ ├── __init__.py │ │ ├── rpc.py │ │ ├── rpc_const.py │ │ ├── rpc_pack.py │ │ ├── rpc_type.py │ │ └── rpcsec │ │ │ ├── __init__.py │ │ │ ├── base.py │ │ │ ├── sec_auth_gss.py │ │ │ ├── sec_auth_none.py │ │ │ └── sec_auth_sys.py │ │ ├── symbolic_json.py │ │ └── symrun.py ├── ffi │ ├── append_log_ffi.v │ ├── async_disk.v │ ├── async_disk_equiv.v │ ├── async_disk_prelude.v │ ├── async_disk_proph.v │ ├── async_disk_syntax.v │ ├── atomic_refinement.v │ ├── disk.v │ ├── disk_ffi │ │ ├── adequacy.v │ │ ├── impl.v │ │ ├── specs.v │ │ ├── typed_impl.v │ │ └── typed_specs.v │ ├── disk_prelude.v │ ├── grove_ffi │ │ ├── adequacy.v │ │ ├── grove_ffi.v │ │ ├── grove_ffi_typed.v │ │ ├── impl.v │ │ └── typed_impl.v │ ├── grove_prelude.v │ ├── jrnl_ffi.v │ ├── jrnl_ffi_facts.v │ ├── jrnl_ffi_spec.v │ └── kvs_ffi.v ├── interpreter │ ├── disk_interpreter.v │ ├── generated_test.v │ ├── interpret_types.v │ ├── interpreter.v │ ├── pretty_types.v │ └── test_config.v ├── ipersist.v ├── lang.v ├── lib │ ├── atomic │ │ ├── atomic.v │ │ └── impl.v │ ├── barrier │ │ ├── barrier.v │ │ └── impl.v │ ├── channel │ │ ├── channel.v │ │ └── impl.v │ ├── control │ │ ├── control.v │ │ └── impl.v │ ├── encoding │ │ ├── encoding.v │ │ └── impl.v │ ├── into_val.v │ ├── list │ │ ├── impl.v │ │ ├── list.v │ │ └── list_slice.v │ ├── lock │ │ ├── crash_lock.v │ │ ├── impl.v │ │ └── lock.v │ ├── loop │ │ ├── impl.v │ │ └── loop.v │ ├── map │ │ ├── impl.v │ │ ├── map.v │ │ └── typed_map.v │ ├── persistent_readonly.v │ ├── proph │ │ ├── impl.v │ │ └── proph.v │ ├── rand │ │ ├── impl.v │ │ └── rand.v │ ├── rwlock │ │ ├── impl.v │ │ ├── rwlock.v │ │ ├── rwlock_derived.v │ │ └── rwlock_noncrash.v │ ├── slice │ │ ├── crash_slice.v │ │ ├── impl.v │ │ ├── pred_slice.v │ │ ├── slice.v │ │ └── typed_slice.v │ ├── string │ │ ├── impl.v │ │ └── string.v │ ├── struct │ │ ├── impl.v │ │ └── struct.v │ ├── time │ │ ├── impl.v │ │ └── time.v │ ├── typed_mem │ │ ├── impl.v │ │ └── typed_mem.v │ ├── waitgroup │ │ ├── impl.v │ │ └── waitgroup.v │ └── wp_store.v ├── lifting.v ├── locations.v ├── logical_reln_adeq.v ├── logical_reln_defns.v ├── logical_reln_fund.v ├── metatheory.v ├── mono_nat.v ├── notation.v ├── popl_submission_proofs.v ├── prelude.v ├── proofmode.v ├── recovery_adequacy.v ├── recovery_lifting.v ├── refinement.v ├── refinement_adequacy.v ├── spec_assert.v ├── tactics.v ├── trusted │ └── github_com │ │ ├── goose_lang │ │ └── goose │ │ │ └── internal │ │ │ └── examples │ │ │ └── trust_import │ │ │ └── trusted_example.v │ │ └── mit_pdos │ │ ├── gokv │ │ ├── trusted_hash.v │ │ └── trusted_proph.v │ │ ├── tulip │ │ ├── trusted_proph.v │ │ └── trusted_time.v │ │ └── vmvcc │ │ └── trusted_proph.v ├── typed_translate.v ├── typing.v └── wpc_proofmode.v ├── iris_lib ├── conflicting.v └── dfractional.v ├── program_logic ├── ae_invariants_mutable.v ├── atomic.v ├── atomic_fupd.v ├── cfupd.v ├── crash_adequacy.v ├── crash_lang.v ├── crash_weakestpre.v ├── dist_adequacy.v ├── dist_lang.v ├── dist_weakestpre.v ├── ectx_language.v ├── ectx_lifting.v ├── ectxi_language.v ├── init_cancel.v ├── invariants_mutable.v ├── language.v ├── language_ctx.v ├── later_res.v ├── lifting.v ├── na_crash_inv.v ├── ncinv.v ├── own_crash_inv.v ├── post_expr.v ├── private_invariants.v ├── recovery_adequacy.v ├── recovery_weakestpre.v ├── simulation.v ├── spec_assert.v ├── staged_invariant.v ├── staged_invariant_alt.v ├── staged_invariant_init.v ├── staged_invariant_use_cancel.v ├── staged_invariant_use_idle.v ├── staged_invariant_use_inuse.v ├── staged_invariant_use_inuse2.v ├── staged_invariant_wp_nval.v ├── staged_invariant_wpc_nval.v ├── step_fupd_extra.v ├── weakestpre.v ├── wp_nval.v └── wpc_nval.v ├── program_proof ├── addr │ └── addr_proof.v ├── alloc │ └── alloc_proof.v ├── aof │ └── proof.v ├── append_log_hocap.v ├── append_log_proof.v ├── append_log_refinement.v ├── append_log_refinement_triples.v ├── async_disk_lib.v ├── async_disk_prelude.v ├── async_marshal_block.v ├── asyncfile │ └── proof.v ├── bad_nil_slice.v ├── bad_zero_func.v ├── bank │ └── bank_proof.v ├── buf │ ├── buf_proof.v │ ├── bufmap_proof.v │ └── defs.v ├── cachekv │ └── proof.v ├── callcc │ └── callcc.v ├── crash_example.v ├── crash_lockmap_proof.v ├── ctrexample │ ├── client.v │ ├── closed.v │ ├── interface.v │ ├── server.v │ └── wpc_proofmode.v ├── disk_lib.v ├── disk_prelude.v ├── examples │ ├── all_examples.v │ ├── alloc_addrset.v │ ├── alloc_crash_proof.v │ ├── alloc_proof.v │ ├── alloc_proof_simple.v │ ├── async_inode_proof.v │ ├── async_mem_alloc_dir_proof.v │ ├── async_mem_alloc_inode_proof.v │ ├── dir_proof.v │ ├── indirect_inode_append_proof.v │ ├── indirect_inode_proof.v │ ├── inode_proof.v │ ├── print_assumptions.v │ ├── replicated_block_proof.v │ ├── single_async_inode_proof.v │ ├── single_inode_proof.v │ └── toy_proof.v ├── fencing │ ├── client_proof.v │ ├── config_proof.v │ ├── ctr_proof.v │ ├── frontend_proof.v │ ├── loopclient_proof.v │ └── notes.txt ├── grove_prelude.v ├── grove_shared │ ├── erpc_lib.v │ ├── erpc_proof.v │ ├── fmcounter_map.v │ ├── monotonic_pred.v │ ├── urpc_proof.v │ └── urpc_spec.v ├── jrnl │ ├── jrnl_proof.v │ ├── sep_jrnl_invariant.v │ ├── sep_jrnl_ops.v │ ├── sep_jrnl_proof.v │ └── sep_jrnl_recovery_proof.v ├── jrnl_replication │ └── jrnl_replication_proof.v ├── kv │ └── interface.v ├── kvs │ └── specs.v ├── lock │ └── lock_proof.v ├── lockmap_proof.v ├── lockservice │ ├── aof_proof.v │ ├── bank_proof.v │ ├── common_proof.v │ ├── grove_ffi.v │ ├── grove_prelude.v │ ├── incr_proof.v │ ├── incr_proxy_proof.v │ ├── kv_durable.v │ ├── kv_logatom.v │ ├── kv_proof.v │ ├── lockservice_nocrash.v │ ├── lockservice_proof.v │ ├── movers.v │ ├── nondet.v │ ├── rpc_durable_proof.v │ ├── rpc_logatom.v │ ├── rpc_logatom_proof.v │ ├── rpc_proof.v │ ├── scratch.v │ ├── two_pc_example.v │ └── wpc_proofmode.v ├── map_marshal_proof.v ├── map_string_marshal_proof.v ├── marshal_block.v ├── marshal_proof.v ├── marshal_stateless_proof.v ├── memkv │ ├── bank_proof.v │ ├── closed.v │ ├── common_proof.v │ ├── connman_proof.v │ ├── lockservice_proof.v │ ├── memkv_clerk_proof.v │ ├── memkv_conditional_put_proof.v │ ├── memkv_coord_clerk_proof.v │ ├── memkv_coord_definitions.v │ ├── memkv_coord_ghost_init.v │ ├── memkv_coord_make_proof.v │ ├── memkv_coord_start_proof.v │ ├── memkv_get_proof.v │ ├── memkv_getcid_proof.v │ ├── memkv_ghost.v │ ├── memkv_install_shard_proof.v │ ├── memkv_marshal_conditional_put_proof.v │ ├── memkv_marshal_get_proof.v │ ├── memkv_marshal_getcid_proof.v │ ├── memkv_marshal_install_shard_proof.v │ ├── memkv_marshal_move_shard_proof.v │ ├── memkv_marshal_put_proof.v │ ├── memkv_move_shard_proof.v │ ├── memkv_put_proof.v │ ├── memkv_seq_clerk_proof.v │ ├── memkv_shard_clerk_proof.v │ ├── memkv_shard_definitions.v │ ├── memkv_shard_ghost_init.v │ ├── memkv_shard_make_proof.v │ ├── memkv_shard_start_proof.v │ └── print_assumptions.v ├── minlease │ └── proof.v ├── mvcc │ ├── db_activate_gc.v │ ├── db_get_safe_ts.v │ ├── db_mk.v │ ├── db_new_txn.v │ ├── db_repr.v │ ├── db_run.v │ ├── examples_hello.v │ ├── examples_xfer.v │ ├── goose.sh │ ├── grepv.sh │ ├── index_proof.v │ ├── loc.sh │ ├── mvcc_action.v │ ├── mvcc_ghost.v │ ├── mvcc_inv.v │ ├── mvcc_misc.v │ ├── mvcc_prelude.v │ ├── mvcc_proof.v │ ├── mvcc_tuplext.v │ ├── print_assumptions.v │ ├── proph_proof.v │ ├── strnum.v │ ├── tid_proof.v │ ├── tuple_append_version.v │ ├── tuple_free.v │ ├── tuple_kill_version.v │ ├── tuple_mk.v │ ├── tuple_own.v │ ├── tuple_prelude.v │ ├── tuple_read_version.v │ ├── tuple_remove_versions.v │ ├── tuple_repr.v │ ├── tuple_write_lock.v │ ├── txn_abort.v │ ├── txn_acquire.v │ ├── txn_begin.v │ ├── txn_commit.v │ ├── txn_delete.v │ ├── txn_prelude.v │ ├── txn_read.v │ ├── txn_repr.v │ ├── txn_run.v │ ├── txn_write.v │ ├── txnsite_activate.v │ ├── txnsite_deactivate.v │ ├── txnsite_get_safe_ts.v │ ├── txnsite_mk.v │ ├── txnsite_prelude.v │ ├── txnsite_repr.v │ ├── vok.sh │ ├── vos.sh │ ├── wrbuf_open_tuples.v │ ├── wrbuf_prelude.v │ ├── wrbuf_proof.v │ ├── wrbuf_repr.v │ ├── wrbuf_sort_ents_by_key.v │ └── wrbuf_update_tuples.v ├── obj │ ├── commit_proof.v │ ├── invariant.v │ ├── load_proof.v │ ├── map_helpers.v │ ├── obj_proof.v │ └── recovery_proof.v ├── pav │ ├── advrpc.v │ ├── alicebob.v │ ├── alicebob_helpers.v │ ├── auditor.v │ ├── classes.v │ ├── client.v │ ├── client_hist.v │ ├── core.v │ ├── crypto_model.v │ ├── cryptoffi.v │ ├── cryptoutil.v │ ├── evidence.v │ ├── get_agreement.v │ ├── logical_audit.v │ ├── logical_hist.v │ ├── marshalutil.v │ ├── merkle.v │ ├── misc.v │ ├── msv.v │ ├── phys_hist.v │ ├── prelude.v │ ├── rpc.v │ ├── serde.v │ ├── server.v │ ├── server2.v │ ├── should_build.v │ └── workq.v ├── proof_prelude.v ├── reconf │ └── ghost_proof.v ├── reconnectclient │ └── proof.v ├── rsm │ ├── big_sep.v │ ├── distx │ │ ├── action.v │ │ ├── base.v │ │ ├── cmd.v │ │ ├── inv.v │ │ ├── inv_group.v │ │ ├── inv_key.v │ │ ├── inv_txnsys.v │ │ ├── invariance │ │ │ ├── abort.v │ │ │ ├── cancel.v │ │ │ ├── commit.v │ │ │ ├── learn.v │ │ │ ├── learn_abort.v │ │ │ ├── learn_commit.v │ │ │ ├── learn_prepare.v │ │ │ ├── learn_read.v │ │ │ ├── linearize.v │ │ │ ├── preprepare.v │ │ │ ├── read.v │ │ │ └── submit.v │ │ ├── prelude.v │ │ ├── program │ │ │ ├── index.v │ │ │ ├── replica.v │ │ │ ├── replica_group.v │ │ │ ├── tuple.v │ │ │ ├── txn.v │ │ │ └── txnlog.v │ │ └── res.v │ ├── fpaxos_inv.v │ ├── fpaxos_top.v │ ├── goose.sh │ ├── mpaxos_proof.v │ ├── pure │ │ ├── dual_lookup.v │ │ ├── extend.v │ │ ├── fin_maps.v │ │ ├── fin_maps_list.v │ │ ├── fin_sets.v │ │ ├── largest_before.v │ │ ├── list.v │ │ ├── misc.v │ │ ├── nat.v │ │ ├── nonexpanding_merge.v │ │ ├── quorum.v │ │ ├── serialize.v │ │ ├── sets.v │ │ ├── vslice.v │ │ └── word.v │ ├── rsm_proof.v │ ├── spaxos_examples.v │ ├── spaxos_ghost.v │ ├── spaxos_inv.v │ ├── spaxos_prelude.v │ ├── spaxos_propose.v │ ├── spaxos_top.v │ ├── vok.sh │ └── vos.sh ├── simple │ ├── common.v │ ├── example.v │ ├── getattr.v │ ├── invariant.v │ ├── iread.v │ ├── iwrite.v │ ├── print_assumptions.v │ ├── proofs.v │ ├── read.v │ ├── recovery.v │ ├── setattr.v │ ├── spec.v │ └── write.v ├── single │ ├── election.v │ ├── replica_proof.v │ ├── single_proof.v │ └── try_decide_proof.v ├── spellchecker │ └── proof.v ├── std_proof.v ├── tpcc │ ├── examples_counter.v │ ├── examples_rsvkey.v │ ├── tpcc_customer.v │ └── tpcc_prelude.v ├── tulip │ ├── action.v │ ├── admit.sh │ ├── base.v │ ├── big_sep.v │ ├── cloc.sh │ ├── cmd.v │ ├── encode.v │ ├── goose.sh │ ├── inv.v │ ├── inv_group.v │ ├── inv_key.v │ ├── inv_replica.v │ ├── inv_txnlog.v │ ├── inv_txnsys.v │ ├── invariance │ │ ├── abort.v │ │ ├── accept.v │ │ ├── advance.v │ │ ├── cancel.v │ │ ├── cmd.v │ │ ├── commit.v │ │ ├── execute.v │ │ ├── execute_abort.v │ │ ├── execute_commit.v │ │ ├── execute_common.v │ │ ├── learn.v │ │ ├── learn_abort.v │ │ ├── learn_commit.v │ │ ├── linearize.v │ │ ├── local_read.v │ │ ├── prepare.v │ │ ├── preprepare.v │ │ ├── propose.v │ │ ├── read.v │ │ ├── submit.v │ │ ├── unprepare.v │ │ └── validate.v │ ├── msg.v │ ├── paxos │ │ ├── base.v │ │ ├── consistency.v │ │ ├── inv.v │ │ ├── invariance │ │ │ ├── accept.v │ │ │ ├── advance.v │ │ │ ├── append.v │ │ │ ├── ascend.v │ │ │ ├── commit.v │ │ │ ├── expand.v │ │ │ ├── extend.v │ │ │ └── prepare.v │ │ ├── msg.v │ │ ├── prelude.v │ │ ├── program │ │ │ ├── decode_request.v │ │ │ ├── decode_response.v │ │ │ ├── encode_accept_request.v │ │ │ ├── encode_accept_response.v │ │ │ ├── encode_prepare_request.v │ │ │ ├── encode_prepare_response.v │ │ │ ├── mk_paxos.v │ │ │ ├── paxos_accept.v │ │ │ ├── paxos_ascend.v │ │ │ ├── paxos_collect.v │ │ │ ├── paxos_commit.v │ │ │ ├── paxos_connect.v │ │ │ ├── paxos_cquorum.v │ │ │ ├── paxos_election_session.v │ │ │ ├── paxos_forward.v │ │ │ ├── paxos_get_connection.v │ │ │ ├── paxos_getlsnc.v │ │ │ ├── paxos_gettermc.v │ │ │ ├── paxos_gttermc.v │ │ │ ├── paxos_heartbeat.v │ │ │ ├── paxos_heartbeat_session.v │ │ │ ├── paxos_heartbeated.v │ │ │ ├── paxos_latest.v │ │ │ ├── paxos_leader_session.v │ │ │ ├── paxos_leading.v │ │ │ ├── paxos_learn.v │ │ │ ├── paxos_log.v │ │ │ ├── paxos_lookup.v │ │ │ ├── paxos_lttermc.v │ │ │ ├── paxos_nominate.v │ │ │ ├── paxos_nominated.v │ │ │ ├── paxos_obtain.v │ │ │ ├── paxos_prepare.v │ │ │ ├── paxos_push.v │ │ │ ├── paxos_receive.v │ │ │ ├── paxos_request_session.v │ │ │ ├── paxos_resethb.v │ │ │ ├── paxos_response_session.v │ │ │ ├── paxos_send.v │ │ │ ├── paxos_serve.v │ │ │ ├── paxos_stepdown.v │ │ │ ├── paxos_submit.v │ │ │ ├── paxos_wait_until_safe.v │ │ │ ├── repr.v │ │ │ ├── resume.v │ │ │ └── start.v │ │ ├── recovery.v │ │ ├── res.v │ │ └── res_network.v │ ├── prelude.v │ ├── print_assumptions.v │ ├── program │ │ ├── backup │ │ │ ├── bgcoord_abort.v │ │ │ ├── bgcoord_change_leader.v │ │ │ ├── bgcoord_commit.v │ │ │ ├── bgcoord_connect.v │ │ │ ├── bgcoord_finalized.v │ │ │ ├── bgcoord_get_connection.v │ │ │ ├── bgcoord_get_leader.v │ │ │ ├── bgcoord_get_pwrs.v │ │ │ ├── bgcoord_next_prepare_action.v │ │ │ ├── bgcoord_prepare.v │ │ │ ├── bgcoord_prepare_session.v │ │ │ ├── bgcoord_receive.v │ │ │ ├── bgcoord_repr.v │ │ │ ├── bgcoord_response_session.v │ │ │ ├── bgcoord_send.v │ │ │ ├── bgcoord_wait_until_prepare_done.v │ │ │ ├── bgpreparer_accept.v │ │ │ ├── bgpreparer_accepted.v │ │ │ ├── bgpreparer_action.v │ │ │ ├── bgpreparer_become_preparing.v │ │ │ ├── bgpreparer_become_unpreparing.v │ │ │ ├── bgpreparer_collect_proposal.v │ │ │ ├── bgpreparer_count_fast_proposals.v │ │ │ ├── bgpreparer_count_proposals.v │ │ │ ├── bgpreparer_cquorum.v │ │ │ ├── bgpreparer_finalized.v │ │ │ ├── bgpreparer_get_phase.v │ │ │ ├── bgpreparer_get_pwrs.v │ │ │ ├── bgpreparer_hcquorum.v │ │ │ ├── bgpreparer_in.v │ │ │ ├── bgpreparer_inquired.v │ │ │ ├── bgpreparer_latest_proposal.v │ │ │ ├── bgpreparer_process_finalization_result.v │ │ │ ├── bgpreparer_process_inquire_result.v │ │ │ ├── bgpreparer_process_prepare_result.v │ │ │ ├── bgpreparer_process_query_result.v │ │ │ ├── bgpreparer_process_unprepare_result.v │ │ │ ├── bgpreparer_process_validate_result.v │ │ │ ├── bgpreparer_quorum_accepted.v │ │ │ ├── bgpreparer_quorum_validated.v │ │ │ ├── bgpreparer_ready.v │ │ │ ├── bgpreparer_repr.v │ │ │ ├── bgpreparer_set_pwrs.v │ │ │ ├── bgpreparer_stop.v │ │ │ ├── bgpreparer_try_resign.v │ │ │ ├── bgpreparer_try_validate.v │ │ │ ├── bgpreparer_validate.v │ │ │ ├── bgpreparer_validated.v │ │ │ ├── btcoord_abort.v │ │ │ ├── btcoord_commit.v │ │ │ ├── btcoord_finalize.v │ │ │ ├── btcoord_repr.v │ │ │ ├── btcoord_resolve.v │ │ │ ├── btcoord_stabilize.v │ │ │ ├── mk_bgcoord.v │ │ │ ├── mk_bgpreparer.v │ │ │ ├── start.v │ │ │ └── start_bgcoord.v │ │ ├── gcoord │ │ │ ├── decode.v │ │ │ ├── encode.v │ │ │ ├── gcoord_abort.v │ │ │ ├── gcoord_attach.v │ │ │ ├── gcoord_attached_with.v │ │ │ ├── gcoord_change_leader.v │ │ │ ├── gcoord_commit.v │ │ │ ├── gcoord_connect.v │ │ │ ├── gcoord_finalized.v │ │ │ ├── gcoord_get_connection.v │ │ │ ├── gcoord_get_leader.v │ │ │ ├── gcoord_next_prepare_action.v │ │ │ ├── gcoord_prepare.v │ │ │ ├── gcoord_prepare_session.v │ │ │ ├── gcoord_process_finalization_result.v │ │ │ ├── gcoord_read.v │ │ │ ├── gcoord_read_session.v │ │ │ ├── gcoord_receive.v │ │ │ ├── gcoord_register_finalization.v │ │ │ ├── gcoord_repr.v │ │ │ ├── gcoord_resend_session.v │ │ │ ├── gcoord_response_session.v │ │ │ ├── gcoord_send.v │ │ │ ├── gcoord_value_responded.v │ │ │ ├── gcoord_wait_until_prepare_done.v │ │ │ ├── gcoord_wait_until_value_ready.v │ │ │ ├── gpreparer_action.v │ │ │ ├── gpreparer_attach.v │ │ │ ├── gpreparer_collect_fast_decision.v │ │ │ ├── gpreparer_collect_validation.v │ │ │ ├── gpreparer_cquorum.v │ │ │ ├── gpreparer_fquorum.v │ │ │ ├── gpreparer_get_phase.v │ │ │ ├── gpreparer_hcquorum.v │ │ │ ├── gpreparer_in.v │ │ │ ├── gpreparer_process_fast_prepare_result.v │ │ │ ├── gpreparer_process_prepare_result.v │ │ │ ├── gpreparer_process_query_result.v │ │ │ ├── gpreparer_process_unprepare_result.v │ │ │ ├── gpreparer_process_validate_result.v │ │ │ ├── gpreparer_ready.v │ │ │ ├── gpreparer_repr.v │ │ │ ├── gpreparer_try_become_preparing.v │ │ │ ├── gpreparer_try_become_unpreparing.v │ │ │ ├── gpreparer_try_fast_abort.v │ │ │ ├── gpreparer_try_fast_prepare.v │ │ │ ├── gpreparer_try_resign.v │ │ │ ├── greader_clear_versions.v │ │ │ ├── greader_cquorum.v │ │ │ ├── greader_pick_latest_value.v │ │ │ ├── greader_process_read_result.v │ │ │ ├── greader_read.v │ │ │ ├── greader_repr.v │ │ │ ├── greader_reset.v │ │ │ ├── greader_responded.v │ │ │ ├── mk_gcoord.v │ │ │ ├── mk_gpreparer.v │ │ │ ├── mk_greader.v │ │ │ └── start.v │ │ ├── index │ │ │ └── index.v │ │ ├── prelude.v │ │ ├── quorum.v │ │ ├── replica │ │ │ ├── decode.v │ │ │ ├── encode.v │ │ │ ├── replica_abort.v │ │ │ ├── replica_accept.v │ │ │ ├── replica_acquire.v │ │ │ ├── replica_acquire_key.v │ │ │ ├── replica_advance.v │ │ │ ├── replica_applier.v │ │ │ ├── replica_apply.v │ │ │ ├── replica_apply_abort.v │ │ │ ├── replica_apply_commit.v │ │ │ ├── replica_backup.v │ │ │ ├── replica_bump_key.v │ │ │ ├── replica_commit.v │ │ │ ├── replica_erase.v │ │ │ ├── replica_fast_prepare.v │ │ │ ├── replica_finalized.v │ │ │ ├── replica_inquire.v │ │ │ ├── replica_intervene.v │ │ │ ├── replica_last_proposal.v │ │ │ ├── replica_log.v │ │ │ ├── replica_lowest_rank.v │ │ │ ├── replica_memorize.v │ │ │ ├── replica_multiwrite.v │ │ │ ├── replica_prepare.v │ │ │ ├── replica_query.v │ │ │ ├── replica_read.v │ │ │ ├── replica_readable_key.v │ │ │ ├── replica_refresh.v │ │ │ ├── replica_release.v │ │ │ ├── replica_release_key.v │ │ │ ├── replica_repr.v │ │ │ ├── replica_request_session.v │ │ │ ├── replica_resume.v │ │ │ ├── replica_serve.v │ │ │ ├── replica_terminated.v │ │ │ ├── replica_try_accept.v │ │ │ ├── replica_try_acquire.v │ │ │ ├── replica_unprepare.v │ │ │ ├── replica_validate.v │ │ │ ├── replica_validated.v │ │ │ ├── replica_writable_key.v │ │ │ └── start.v │ │ ├── tuple │ │ │ ├── res.v │ │ │ └── tuple.v │ │ ├── txn │ │ │ ├── mk_txn.v │ │ │ ├── proph.v │ │ │ ├── res.v │ │ │ ├── txn_abort.v │ │ │ ├── txn_attach.v │ │ │ ├── txn_begin.v │ │ │ ├── txn_cancel.v │ │ │ ├── txn_commit.v │ │ │ ├── txn_delete.v │ │ │ ├── txn_getwrs.v │ │ │ ├── txn_key_to_group.v │ │ │ ├── txn_prepare.v │ │ │ ├── txn_read.v │ │ │ ├── txn_repr.v │ │ │ ├── txn_reset.v │ │ │ ├── txn_resetwrs.v │ │ │ ├── txn_run.v │ │ │ ├── txn_setptgs.v │ │ │ ├── txn_setwrs.v │ │ │ └── txn_write.v │ │ ├── txnlog │ │ │ └── txnlog.v │ │ └── util │ │ │ ├── count_bool_map.v │ │ │ ├── decode_ints.v │ │ │ ├── decode_kvmap.v │ │ │ ├── decode_kvmap_into_slice.v │ │ │ ├── decode_prepare_proposal.v │ │ │ ├── decode_string.v │ │ │ ├── decode_strings.v │ │ │ ├── decode_value.v │ │ │ ├── decode_version.v │ │ │ ├── decode_write_entry.v │ │ │ ├── encode_ints.v │ │ │ ├── encode_kvmap.v │ │ │ ├── encode_kvmap_from_slice.v │ │ │ ├── encode_prepare_proposal.v │ │ │ ├── encode_string.v │ │ │ ├── encode_strings.v │ │ │ ├── encode_value.v │ │ │ ├── encode_version.v │ │ │ ├── encode_write_entry.v │ │ │ ├── next_aligned.v │ │ │ └── sort.v │ ├── res.v │ ├── res_group.v │ ├── res_network.v │ ├── res_replica.v │ ├── res_txnsys.v │ ├── stability.v │ ├── tulip_proof.v │ ├── vok.sh │ └── vos.sh ├── tutorial │ ├── .gitattributes │ ├── basics │ │ ├── full_proof.v │ │ └── proof.v │ ├── kvservice │ │ ├── conditionalput_proof_gk.v │ │ ├── full_proof.v │ │ ├── get_proof_gk.v │ │ ├── proof.v │ │ └── put_proof_gk.v │ ├── lockservice │ │ ├── lockrequest_proof_gk.v │ │ └── proof.v │ ├── objectstore │ │ ├── chunk │ │ │ └── writechunk_proof_gk.v │ │ └── dir │ │ │ ├── chunkhandle_proof_gk.v │ │ │ ├── finishwrite_proof_gk.v │ │ │ └── recordchunk_proof_gk.v │ └── queue │ │ └── proof.v ├── txn │ ├── README.md │ ├── op_wrappers.v │ ├── twophase_refinement_defs.v │ ├── twophase_refinement_proof.v │ ├── twophase_refinement_thm.v │ ├── twophase_sub_logical_reln_defs.v │ ├── txn_proof.v │ ├── typed_translate.v │ ├── typed_translate_facts.v │ ├── wrapper_init_proof.v │ └── wrapper_proof.v ├── unittest.v ├── util_proof.v ├── verus │ ├── inv.v │ ├── typecast_nontermination.v │ ├── ucmra_cmra_adjunction.v │ ├── wpc_transformer.v │ ├── wrs.v │ └── wrsmulti.v ├── vrsm │ ├── apps │ │ ├── closed_proof.v │ │ ├── closed_wpcs.v │ │ ├── exactlyonce │ │ │ ├── log.v │ │ │ ├── proof.v │ │ │ └── vsm.v │ │ ├── print_assumptions.v │ │ └── vkv │ │ │ ├── clerkpool_proof.v │ │ │ ├── kv_proof.v │ │ │ └── kv_vsm_proof.v │ ├── clerk │ │ ├── clerk_int_proof.v │ │ └── clerk_proof.v │ ├── configservice │ │ ├── config_marshal_proof.v │ │ └── config_proof.v │ ├── marshal_template.txt │ ├── notes.txt │ ├── paxos │ │ ├── applyasfollower_proof.v │ │ ├── becomeleader_proof.v │ │ ├── clerk_proof.v │ │ ├── definitions.v │ │ ├── enternewepoch_proof.v │ │ ├── init_proof.v │ │ ├── marshal_proof.v │ │ ├── protocol_proof.v │ │ ├── start_proof.v │ │ ├── tryacquire_proof.v │ │ ├── weakread_proof.v │ │ └── withlock_proof.v │ ├── proph_proof.v │ ├── reconfig │ │ └── proof.v │ ├── renewable_lease.v │ ├── replica │ │ ├── apply_proof.v │ │ ├── applybackup_proof.v │ │ ├── becomeprimary_proof.v │ │ ├── config_protocol_proof.v │ │ ├── definitions.v │ │ ├── getstate_proof.v │ │ ├── increasecommit_proof.v │ │ ├── init_proof.v │ │ ├── leaserenewal_proof.v │ │ ├── makeclerk_proof.v │ │ ├── marshal_proof.v │ │ ├── preread_protocol.v │ │ ├── primary_protocol.v │ │ ├── protocol.v │ │ ├── roapply_proof.v │ │ ├── sendcommitthread_proof.v │ │ ├── setstate_proof.v │ │ └── start_proof.v │ └── storage │ │ └── proof.v ├── wal │ ├── abstraction.v │ ├── boundaries.v │ ├── circ_proof.v │ ├── circ_proof_crash.v │ ├── common_proof.v │ ├── flush_proof.v │ ├── heapspec.v │ ├── heapspec_lib.v │ ├── heapspec_list.v │ ├── highest.v │ ├── installer_proof.v │ ├── invariant.v │ ├── lib.v │ ├── logger_proof.v │ ├── proof.v │ ├── read_proof.v │ ├── recovery_proof.v │ ├── sliding.v │ ├── sliding_proof.v │ ├── specs.v │ ├── thread_owned.v │ ├── transitions.v │ ├── txns_ctx.v │ └── write_proof.v ├── wp_auto │ └── experiments.v └── wp_to_wpc.v └── tutorial ├── ipm_extensions.org └── ipm_extensions.v /.gitattributes: -------------------------------------------------------------------------------- 1 | external/Goose/** linguist-generated 2 | new/code/**/*.v linguist-generated 3 | new/generatedproof/**/*.v linguist-generated 4 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | updates: 4 | - package-ecosystem: "gitsubmodule" 5 | directory: "/" 6 | schedule: 7 | interval: "daily" 8 | time: "04:00" 9 | timezone: "US/Eastern" 10 | 11 | - package-ecosystem: "github-actions" 12 | directory: "/" 13 | schedule: 14 | interval: "monthly" 15 | time: "04:00" 16 | timezone: "US/Eastern" 17 | 18 | - package-ecosystem: "pip" 19 | directory: "/" 20 | schedule: 21 | interval: "monthly" 22 | time: "04:00" 23 | timezone: "US/Eastern" 24 | -------------------------------------------------------------------------------- /.github/workflows/dependabot-automerge.yml: -------------------------------------------------------------------------------- 1 | name: Dependabot auto-merge 2 | on: pull_request 3 | 4 | permissions: 5 | contents: write 6 | pull-requests: write 7 | 8 | jobs: 9 | dependabot-automerge: 10 | runs-on: ubuntu-latest 11 | if: ${{ github.actor == 'dependabot[bot]' }} 12 | env: 13 | PR_URL: ${{ github.event.pull_request.html_url }} 14 | GH_TOKEN: ${{ github.token }} 15 | steps: 16 | - name: merge 17 | # a separate repo-wide ruleset ensures that dependabot PRs only merge 18 | # after CI passes. 19 | run: gh pr merge --auto --merge --delete-branch "$PR_URL" 20 | -------------------------------------------------------------------------------- /.github/workflows/mailbot.yml: -------------------------------------------------------------------------------- 1 | name: Commit mailbot 2 | on: push 3 | 4 | jobs: 5 | mailbot: 6 | if: github.actor != 'dependabot[bot]' 7 | uses: sanjit-bhat/github-mailbot/.github/workflows/mailbot.yml@main 8 | with: 9 | host: smtp.gmail.com 10 | port: 587 11 | from: mit.pdos.mailbot@gmail.com 12 | to: chajed@wisc.edu,kaashoek@mit.edu,nickolai@csail.mit.edu,jt4767@nyu.edu,sanjit.bhat@gmail.com,upamanyu@mit.edu,schwennesen@cs.wisc.edu 13 | secrets: 14 | password: ${{ secrets.MAILBOT_PASSWORD }} 15 | -------------------------------------------------------------------------------- /.github/workflows/update-tested.yml: -------------------------------------------------------------------------------- 1 | # mostly stolen from 2 | # https://github.com/mit-plv/bedrock2/blob/720023ddce9ba114f451cf3f0ebc8f9ee3002893/.github/workflows/main.yml 3 | 4 | name: Update coq/tested 5 | 6 | on: 7 | schedule: 8 | # run at 06:59 UTC (3am eastern) each day 9 | - cron: "59 6 * * *" 10 | # allow running action manually. 11 | workflow_dispatch: 12 | 13 | jobs: 14 | update_branch: 15 | runs-on: ubuntu-latest 16 | name: Update coq/tested 17 | steps: 18 | - uses: actions/checkout@v4 19 | with: 20 | fetch-depth: 0 21 | # this branch is protected so the push will fail if CI hasn't succeeded on 22 | # this commit 23 | - name: Push to coq/tested 24 | uses: ad-m/github-push-action@v0.8.0 25 | with: 26 | github_token: ${{ secrets.GITHUB_TOKEN }} 27 | branch: "coq/tested" 28 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | /bin 3 | /doc 4 | *.lia.cache 5 | *.nia.cache 6 | *.nra.cache 7 | 8 | # emacs 9 | *.aux 10 | *.*~ 11 | 12 | # vim 13 | *.swp 14 | 15 | # vscode 16 | /.vscode 17 | 18 | # CoqIDE files 19 | \#*# 20 | 21 | # Coq compiled files 22 | *.vo 23 | *.vos 24 | *.vok 25 | *.v.d 26 | *.glob 27 | .coqdeps.d 28 | 29 | /.timing.sqlite3 30 | 31 | # Python 32 | __pycache__ 33 | .mypy_cache 34 | *.pyc 35 | 36 | # Compiled code supplement 37 | /peony-code.zip 38 | 39 | # direnv 40 | .direnv 41 | .envrc 42 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "external/stdpp"] 2 | path = external/stdpp 3 | url = https://gitlab.mpi-sws.org/iris/stdpp.git 4 | [submodule "external/coqutil"] 5 | path = external/coqutil 6 | url = https://github.com/mit-plv/coqutil 7 | [submodule "external/record-update"] 8 | path = external/record-update 9 | url = https://github.com/tchajed/coq-record-update 10 | [submodule "external/iris"] 11 | path = external/iris 12 | url = https://gitlab.mpi-sws.org/iris/iris.git 13 | branch = master 14 | [submodule "external/coq-tactical"] 15 | path = external/coq-tactical 16 | url = https://github.com/tchajed/coq-tactical 17 | [submodule "external/iris-named-props"] 18 | path = external/iris-named-props 19 | url = https://github.com/tchajed/iris-named-props 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /etc/disable-qed.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Toggle between Qed and Admitted in source code. 3 | # To be safer than Admitted, we actually add some extra commands that ensure 4 | # there are no remaining goals. 5 | 6 | set -eu 7 | 8 | SED="sed" 9 | 10 | if command -v gsed >/dev/null ; then 11 | SED=gsed 12 | fi 13 | 14 | inplace_edit() { 15 | $SED -r -i~ "$@" 16 | } 17 | 18 | forward_repl() { 19 | local search='([[:space:]]*)(Time )?Qed\.' 20 | local repl="\1Unshelve. Fail idtac. \2Admitted." 21 | inplace_edit "s/^${search}$/${repl}/" "$@" 22 | } 23 | 24 | backward_repl() { 25 | local search="([[:space:]]*)" 26 | search="${search}Unshelve\. Fail idtac\. " 27 | search="${search}(Time )?Admitted\.$" 28 | local repl='\1\2Qed.' 29 | inplace_edit "s/^${search}$/${repl}/" "$@" 30 | } 31 | 32 | 33 | reverse=false 34 | 35 | usage() { 36 | echo "Usage: disable-qed.sh [--undo] " 37 | } 38 | 39 | case "$1" in 40 | "--undo" ) 41 | reverse=true 42 | shift 43 | ;; 44 | esac 45 | 46 | if [ $reverse = true ]; then 47 | backward_repl "$@" 48 | else 49 | forward_repl "$@" 50 | fi 51 | -------------------------------------------------------------------------------- /etc/mixcode/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/etc/mixcode/screenshot.png -------------------------------------------------------------------------------- /etc/mkvok: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage: ./etc/mkvok $MAKE_ARGS 3 | # Environment variables: 4 | # FILE: Which file to build all dependencies of. Default: "src/ShouldBuild.v". 5 | # FOLDER: Only .vok files in this folder will be built. Default: "src/". 6 | 7 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 8 | cd "$DIR/.." 9 | 10 | if test -z "$FILE"; then 11 | FILE=src/ShouldBuild.v 12 | fi 13 | 14 | #if test -z ${FOLDER+x}; then 15 | if test -z "$FOLDER"; then 16 | FOLDER=src/ 17 | fi 18 | 19 | FILES=$(make -n "$FILE"o | egrep '^echo "COQC '"$FOLDER" | sed -E 's/^.*"COQC (.*)"$/\1ok/') 20 | if test -z "$FILES"; then 21 | echo "Nothing found to build in $FOLDER" 22 | exit 1 23 | fi 24 | 25 | make $FILES "$@" 26 | -------------------------------------------------------------------------------- /etc/release.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Prepare a release tarball 4 | 5 | set -e 6 | 7 | src="$1" 8 | output_dir=/tmp/perennial 9 | 10 | if [ -z "$src" ]; then 11 | echo "Usage: $0 " 12 | exit 1 13 | fi 14 | 15 | rm -rf "$output_dir" 16 | mkdir "$output_dir" 17 | cp -r "$src/" "$output_dir/" 18 | 19 | rm "$output_dir/.travis.yml" 20 | rm -r "$output_dir/etc/ci" 21 | rm -r "$output_dir/.github" 22 | rm "$output_dir/src/.dir-locals.el" 23 | 24 | # clean build outputs and untracked files 25 | make -C "$output_dir" clean-all 26 | git -C "$output_dir" clean -ffxd 27 | 28 | # remove git repo 29 | rm -rf $(find "$output_dir" -name '.git') 30 | rm "$output_dir/.gitmodules" 31 | find "$output_dir" -name '.gitignore' -exec rm {} \; 32 | 33 | # package 34 | find "$output_dir" -type f -name '._*' -delete 35 | tar -czvf perennial.tar.gz -C "$(dirname "$output_dir")" "$(basename "$output_dir")" 36 | rm -r "$output_dir" 37 | -------------------------------------------------------------------------------- /etc/test_coqc/Abstract.v: -------------------------------------------------------------------------------- 1 | Local Lemma abstract_away_helper {A} (P: A -> Prop) (x y:A) : 2 | P y -> y = x -> P x. 3 | Proof. 4 | intros; subst; auto. 5 | Qed. 6 | 7 | Ltac abstract_term t := 8 | match goal with 9 | | |- ?g => let p := eval pattern t in g in 10 | match p with 11 | | ?P ?x => eapply (abstract_away_helper P) 12 | end 13 | end. 14 | -------------------------------------------------------------------------------- /etc/test_coqc/Abstract.v.out: -------------------------------------------------------------------------------- 1 | Chars 0 - 84 [#[local]~Lemma~abstract_away_h...] 0. secs (0.u,0.s) 2 | Chars 85 - 91 [Proof.] 0. secs (0.u,0.s) 3 | Chars 94 - 114 [(intros;~subst;~auto).] 0. secs (0.u,0.s) 4 | Chars 115 - 119 [Qed.] 0. secs (0.u,0.s) 5 | Chars 121 - 319 [Ltac~~abstract_term~t~:=~~~mat...] 0. secs (0.u,0.s) 6 | -------------------------------------------------------------------------------- /etc/test_coqc/test.v: -------------------------------------------------------------------------------- 1 | Require Import Utf8. 2 | Definition σ : forall (x:nat), x + 1000 = x + 1000 := 3 | fun x => eq_refl (x + (500+500)). 4 | Print σ. 5 | Local Theorem thm : True. 6 | Proof. 7 | idtac "some output". 8 | exact I. 9 | Qed. 10 | 11 | Lemma helpful : True. 12 | Proof. 13 | pose proof (eq_refl : 600 + 600 = 1200). 14 | debug auto. 15 | Qed. 16 | 17 | Global Theorem thm' : True. 18 | Proof. 19 | auto. 20 | Qed. 21 | -------------------------------------------------------------------------------- /etc/test_coqc/test.v.out: -------------------------------------------------------------------------------- 1 | Chars 0 - 20 [Require~Import~Utf8.] 0. secs (0.u,0.s) 2 | Chars 21 - 111 [Definition~σ~:~forall~x~:~nat,...] 0.043 secs (0.029u,0.014s) 3 | σ = λ x : nat, eq_refl 4 | : ∀ x : nat, x + 1000 = x + 1000 5 | 6 | Argument scope is [nat_scope] 7 | Chars 112 - 121 [Print~σ.] 0.009 secs (0.006u,0.002s) 8 | Chars 122 - 147 [#[local]Theorem~thm~:~True.] 0. secs (0.u,0.s) 9 | Chars 148 - 154 [Proof.] 0. secs (0.u,0.s) 10 | some output 11 | Chars 157 - 177 [idtac~"some~output".] 0. secs (0.u,0.s) 12 | Chars 180 - 188 [exact~I.] 0. secs (0.u,0.s) 13 | Chars 189 - 193 [Qed.] 0. secs (0.u,0.s) 14 | Chars 195 - 216 [Lemma~helpful~:~True.] 0. secs (0.u,0.s) 15 | Chars 217 - 223 [Proof.] 0. secs (0.u,0.s) 16 | Chars 226 - 266 [(pose~proof~(eq_refl~:~600~+~6...] 0.029 secs (0.018u,0.009s) 17 | Debug: (* debug auto: *) 18 | Debug: * assumption. (*fail*) 19 | Debug: * intro. (*fail*) 20 | Debug: * exact I (in core). (*success*) 21 | Chars 269 - 280 [debug~auto.] 0.001 secs (0.u,0.s) 22 | Chars 281 - 285 [Qed.] 0.037 secs (0.025u,0.011s) 23 | Chars 287 - 314 [#[global]Theorem~thm'~:~True.] 0. secs (0.u,0.s) 24 | Chars 315 - 321 [Proof.] 0. secs (0.u,0.s) 25 | Chars 324 - 329 [auto.] 0. secs (0.u,0.s) 26 | Chars 330 - 334 [Qed.] 0. secs (0.u,0.s) 27 | -------------------------------------------------------------------------------- /external/Goose/github_com/goose_lang/goose/internal/examples/async.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/goose-lang/goose/internal/examples/async *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | From Perennial.goose_lang Require Import ffi.async_disk_prelude. 5 | 6 | (* async just uses the async disk FFI *) 7 | 8 | Definition TakesDisk: val := 9 | rec: "TakesDisk" "d" := 10 | #(). 11 | 12 | Definition UseDisk: val := 13 | rec: "UseDisk" "d" := 14 | let: "v" := NewSlice byteT #4096 in 15 | disk.Write #0 "v";; 16 | disk.Barrier #();; 17 | #(). 18 | -------------------------------------------------------------------------------- /external/Goose/github_com/goose_lang/goose/internal/examples/comments.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/goose-lang/goose/internal/examples/comments *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | (* 0consts.go *) 8 | 9 | Definition ONE : expr := #1. 10 | 11 | Definition TWO : expr := #2. 12 | 13 | (* 1doc.go *) 14 | 15 | (* comments tests package comments, like this one 16 | 17 | it has multiple files *) 18 | 19 | Definition Foo := struct.decl [ 20 | "a" :: boolT 21 | ]. 22 | 23 | End code. 24 | -------------------------------------------------------------------------------- /external/Goose/github_com/goose_lang/goose/internal/examples/trust_import.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/goose-lang/goose/internal/examples/trust_import *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Perennial.goose_lang.trusted Require Import github_com.goose_lang.goose.internal.examples.trust_import.trusted_example. 4 | 5 | Section code. 6 | Context `{ext_ty: ext_types}. 7 | 8 | Definition Bar: val := 9 | rec: "Bar" <> := 10 | trusted_example.Foo #();; 11 | #(). 12 | 13 | End code. 14 | -------------------------------------------------------------------------------- /external/Goose/github_com/goose_lang/goose/internal/examples/trust_import/trusted_example.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/goose-lang/goose/internal/examples/trust_import/trusted_example *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition Foo: val := 8 | rec: "Foo" <> := 9 | (* fmt.Println("Blah") *) 10 | #(). 11 | 12 | End code. 13 | -------------------------------------------------------------------------------- /external/Goose/github_com/goose_lang/goose/internal/examples/unittest/generic.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/goose-lang/goose/internal/examples/unittest/generic *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition SliceMap (T:ty) (U:ty): val := 8 | rec: "SliceMap" "f" "s" := 9 | let: "newSlice" := ref (zero_val (slice.T U)) in 10 | ForSlice T <> "x" "s" 11 | ("newSlice" <-[slice.T U] (SliceAppend U (![slice.T U] "newSlice") ("f" "x")));; 12 | ![slice.T U] "newSlice". 13 | 14 | Definition Id (T:ty): val := 15 | rec: "Id" "x" := 16 | "x". 17 | 18 | Definition MapLen (V:ty): val := 19 | rec: "MapLen" "m" := 20 | MapLen "m". 21 | 22 | End code. 23 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/go_journal/common.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/go-journal/common *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | From Perennial.goose_lang Require Import ffi.disk_prelude. 5 | 6 | (* on-disk size *) 7 | Definition INODESZ : expr := #128. 8 | 9 | Definition NBITBLOCK : expr := disk.BlockSize * #8. 10 | 11 | Definition INODEBLK : expr := disk.BlockSize `quot` INODESZ. 12 | 13 | Definition NINODEBITMAP : expr := #1. 14 | 15 | (* space for the end position *) 16 | Definition HDRMETA : expr := #8. 17 | 18 | Definition HDRADDRS : expr := (disk.BlockSize - HDRMETA) `quot` #8. 19 | 20 | (* 2 for log header *) 21 | Definition LOGSIZE : expr := HDRADDRS + #2. 22 | 23 | Notation Inum := uint64T (only parsing). 24 | 25 | Notation Bnum := uint64T (only parsing). 26 | 27 | Definition NULLINUM : expr := #0. 28 | 29 | Definition ROOTINUM : expr := #1. 30 | 31 | Definition NULLBNUM : expr := #0. 32 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/go_journal/util.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/go-journal/util *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition Debug : expr := #0. 8 | 9 | Definition DPrintf: val := 10 | rec: "DPrintf" "level" "format" "a" := 11 | (if: "level" ≤ Debug 12 | then 13 | (* log.Printf(format, a...) *) 14 | #() 15 | else #()). 16 | 17 | Definition RoundUp: val := 18 | rec: "RoundUp" "n" "sz" := 19 | (("n" + "sz") - #1) `quot` "sz". 20 | 21 | Definition Min: val := 22 | rec: "Min" "n" "m" := 23 | (if: "n" < "m" 24 | then "n" 25 | else "m"). 26 | 27 | (* returns n+m>=2^64 (if it were computed at infinite precision) *) 28 | Definition SumOverflows: val := 29 | rec: "SumOverflows" "n" "m" := 30 | ("n" + "m") < "n". 31 | 32 | Definition SumOverflows32: val := 33 | rec: "SumOverflows32" "n" "m" := 34 | ("n" + "m") < "n". 35 | 36 | Definition CloneByteSlice: val := 37 | rec: "CloneByteSlice" "s" := 38 | let: "s2" := NewSlice byteT (slice.len "s") in 39 | SliceCopy byteT "s2" "s";; 40 | "s2". 41 | 42 | End code. 43 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/ctrexample/client.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/ctrexample/client *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.mit_pdos.gokv.urpc. 4 | From Goose Require github_com.tchajed.marshal. 5 | 6 | From Perennial.goose_lang Require Import ffi.grove_prelude. 7 | 8 | Definition FAI_OP : expr := #0. 9 | 10 | (* the boot/main() function for the server *) 11 | Definition main: val := 12 | rec: "main" <> := 13 | let: "cl" := urpc.MakeClient #53021371269120 in 14 | let: "localBound" := ref_to uint64T #0 in 15 | Skip;; 16 | (for: (λ: <>, #true); (λ: <>, Skip) := λ: <>, 17 | let: "rep" := ref (zero_val (slice.T byteT)) in 18 | let: "err" := urpc.Client__Call "cl" FAI_OP (NewSlice byteT #0) "rep" #100 in 19 | (if: "err" ≠ #0 20 | then Continue 21 | else 22 | let: "dec" := marshal.NewDec (![slice.T byteT] "rep") in 23 | let: "v" := marshal.Dec__GetInt "dec" in 24 | control.impl.Assert ("v" ≥ (![uint64T] "localBound"));; 25 | "localBound" <-[uint64T] "v";; 26 | (* fmt.Println("One") *) 27 | Continue));; 28 | #(). 29 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/dmvcc/prophname.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/dmvcc/prophname *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition Get: val := 8 | rec: "Get" <> := 9 | NewProph #(). 10 | 11 | End code. 12 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/dmvcc/txnmgr.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/dmvcc/txnmgr *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | (* clerk.go *) 8 | 9 | Definition Clerk := struct.decl [ 10 | ]. 11 | 12 | (* server.go *) 13 | 14 | Definition Server := struct.decl [ 15 | "mu" :: ptrT; 16 | "p" :: ProphIdT; 17 | "nextTid" :: uint64T 18 | ]. 19 | 20 | Definition MakeServer: val := 21 | rec: "MakeServer" <> := 22 | let: "p" := NewProph #() in 23 | let: "txnMgr" := struct.new Server [ 24 | "p" ::= "p"; 25 | "nextTid" ::= #1 26 | ] in 27 | struct.storeF Server "mu" "txnMgr" (newMutex #());; 28 | "txnMgr". 29 | 30 | Definition Server__New: val := 31 | rec: "Server__New" "txnMgr" := 32 | Mutex__Lock (struct.loadF Server "mu" "txnMgr");; 33 | let: "tid" := struct.loadF Server "nextTid" "txnMgr" in 34 | struct.storeF Server "nextTid" "txnMgr" ((struct.loadF Server "nextTid" "txnMgr") + #1);; 35 | Mutex__Unlock (struct.loadF Server "mu" "txnMgr");; 36 | "tid". 37 | 38 | End code. 39 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/fencing/loopclient.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/fencing/loopclient *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.mit_pdos.gokv.fencing.client. 4 | 5 | From Perennial.goose_lang Require Import ffi.grove_prelude. 6 | 7 | Definition LoopOnKey: val := 8 | rec: "LoopOnKey" "key" "config" := 9 | let: "ck" := client.MakeClerk "config" in 10 | let: "lowerBound" := ref_to uint64T (client.Clerk__FetchAndIncrement "ck" "key") in 11 | Skip;; 12 | (for: (λ: <>, #true); (λ: <>, Skip) := λ: <>, 13 | let: "v" := client.Clerk__FetchAndIncrement "ck" "key" in 14 | control.impl.Assert ("v" > (![uint64T] "lowerBound"));; 15 | (if: ("v" `rem` #1000) = #0 16 | then 17 | (* log.Printf("reached %d >= %d", key, v) *) 18 | #() 19 | else #());; 20 | "lowerBound" <-[uint64T] "v";; 21 | Continue);; 22 | #(). 23 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/kv.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/kv *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition Kv := struct.decl [ 8 | "Put" :: (stringT -> stringT -> unitT)%ht; 9 | "Get" :: (stringT -> stringT)%ht; 10 | "ConditionalPut" :: (stringT -> stringT -> stringT -> stringT)%ht 11 | ]. 12 | 13 | End code. 14 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/lockservice.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/lockservice *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.mit_pdos.gokv.kv. 4 | 5 | Section code. 6 | Context `{ext_ty: ext_types}. 7 | 8 | Definition LockClerk := struct.decl [ 9 | "kv" :: ptrT 10 | ]. 11 | 12 | Definition LockClerk__Lock: val := 13 | rec: "LockClerk__Lock" "ck" "key" := 14 | Skip;; 15 | (for: (λ: <>, ((struct.loadF kv.Kv "ConditionalPut" (struct.loadF LockClerk "kv" "ck")) "key" #(str"") #(str"1")) ≠ #(str"ok")); (λ: <>, Skip) := λ: <>, 16 | Continue);; 17 | #(). 18 | 19 | Definition LockClerk__Unlock: val := 20 | rec: "LockClerk__Unlock" "ck" "key" := 21 | (struct.loadF kv.Kv "Put" (struct.loadF LockClerk "kv" "ck")) "key" #(str"");; 22 | #(). 23 | 24 | Definition MakeLockClerk: val := 25 | rec: "MakeLockClerk" "kv" := 26 | struct.new LockClerk [ 27 | "kv" ::= "kv" 28 | ]. 29 | 30 | End code. 31 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/memkv/lockservice.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/memkv/lockservice *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.mit_pdos.gokv.connman. 4 | From Goose Require github_com.mit_pdos.gokv.memkv. 5 | 6 | From Perennial.goose_lang Require Import ffi.grove_prelude. 7 | 8 | Definition LockClerk := struct.decl [ 9 | "kv" :: ptrT 10 | ]. 11 | 12 | Definition LockClerk__Lock: val := 13 | rec: "LockClerk__Lock" "ck" "key" := 14 | Skip;; 15 | (for: (λ: <>, (~ (memkv.KVClerk__ConditionalPut (struct.loadF LockClerk "kv" "ck") "key" (NewSlice byteT #0) (NewSlice byteT #1)))); (λ: <>, Skip) := λ: <>, 16 | Continue);; 17 | #(). 18 | 19 | Definition LockClerk__Unlock: val := 20 | rec: "LockClerk__Unlock" "ck" "key" := 21 | memkv.KVClerk__Put (struct.loadF LockClerk "kv" "ck") "key" (NewSlice byteT #0);; 22 | #(). 23 | 24 | Definition MakeLockClerk: val := 25 | rec: "MakeLockClerk" "lockhost" "cm" := 26 | struct.new LockClerk [ 27 | "kv" ::= memkv.MakeKVClerk "lockhost" "cm" 28 | ]. 29 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/tutorial/lockservice/lockrequest_gk.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/tutorial/lockservice/lockrequest_gk *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.tchajed.marshal. 4 | 5 | Section code. 6 | Context `{ext_ty: ext_types}. 7 | 8 | Definition S := struct.decl [ 9 | "Id" :: uint64T 10 | ]. 11 | 12 | Definition Marshal: val := 13 | rec: "Marshal" "prefix" "l" := 14 | let: "enc" := ref_to (slice.T byteT) "prefix" in 15 | "enc" <-[slice.T byteT] (marshal.WriteInt (![slice.T byteT] "enc") (struct.get S "Id" "l"));; 16 | ![slice.T byteT] "enc". 17 | 18 | Definition Unmarshal: val := 19 | rec: "Unmarshal" "s" := 20 | let: "enc" := ref_to (slice.T byteT) "s" in 21 | let: "id" := ref (zero_val uint64T) in 22 | let: ("0_ret", "1_ret") := marshal.ReadInt (![slice.T byteT] "enc") in 23 | "id" <-[uint64T] "0_ret";; 24 | "enc" <-[slice.T byteT] "1_ret";; 25 | (struct.mk S [ 26 | "Id" ::= ![uint64T] "id" 27 | ], ![slice.T byteT] "enc"). 28 | 29 | End code. 30 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/gokv/vrsm/e.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/vrsm/e *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.tchajed.marshal. 4 | 5 | Section code. 6 | Context `{ext_ty: ext_types}. 7 | 8 | Notation Error := uint64T (only parsing). 9 | 10 | Definition None : expr := #0. 11 | 12 | Definition Stale : expr := #1. 13 | 14 | Definition OutOfOrder : expr := #2. 15 | 16 | Definition Timeout : expr := #3. 17 | 18 | Definition EmptyConfig : expr := #4. 19 | 20 | Definition NotLeader : expr := #5. 21 | 22 | Definition Sealed : expr := #6. 23 | 24 | Definition LeaseExpired : expr := #7. 25 | 26 | Definition Leased : expr := #8. 27 | 28 | Definition EncodeError: val := 29 | rec: "EncodeError" "err" := 30 | marshal.WriteInt (NewSliceWithCap byteT #0 #8) "err". 31 | 32 | Definition DecodeError: val := 33 | rec: "DecodeError" "enc" := 34 | let: ("err", <>) := marshal.ReadInt "enc" in 35 | "err". 36 | 37 | End code. 38 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/lockservice/grove_common.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from grove_common *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Perennial.goose_lang Require Import ffi.disk_prelude. 4 | 5 | Module RawRPCRequest. 6 | Definition S := struct.decl [ 7 | "RpcId" :: uint64T; 8 | "Data" :: slice.T byteT 9 | ]. 10 | End RawRPCRequest. 11 | 12 | Module RawRPCReply. 13 | Definition S := struct.decl [ 14 | "Data" :: slice.T byteT 15 | ]. 16 | End RawRPCReply. 17 | 18 | Definition RawRpcFunc: ty := (slice.T byteT -> refT (slice.T byteT) -> unitT)%ht. 19 | 20 | Module RPCVals. 21 | Definition S := struct.decl [ 22 | "U64_1" :: uint64T; 23 | "U64_2" :: uint64T 24 | ]. 25 | End RPCVals. 26 | 27 | Module RPCRequest. 28 | Definition S := struct.decl [ 29 | "CID" :: uint64T; 30 | "Seq" :: uint64T; 31 | "Args" :: struct.t RPCVals.S 32 | ]. 33 | End RPCRequest. 34 | 35 | Module RPCReply. 36 | Definition S := struct.decl [ 37 | "Stale" :: boolT; 38 | "Ret" :: uint64T 39 | ]. 40 | End RPCReply. 41 | 42 | Definition RpcFunc: ty := (struct.ptrT RPCRequest.S -> struct.ptrT RPCReply.S -> unitT)%ht. 43 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/pav/cryptoutil.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/pav/cryptoutil *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.mit_pdos.pav.cryptoffi. 4 | 5 | Section code. 6 | Context `{ext_ty: ext_types}. 7 | 8 | Definition Hash: val := 9 | rec: "Hash" "b" := 10 | let: "hr" := cryptoffi.NewHasher #() in 11 | cryptoffi.Hasher__Write "hr" "b";; 12 | cryptoffi.Hasher__Sum "hr" slice.nil. 13 | 14 | End code. 15 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/pav/netffi.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import prelude. 2 | 3 | Section code. 4 | Context `{ext_ty: ext_types}. 5 | 6 | Definition Conn: ty. Admitted. 7 | 8 | Definition Dial: val := 9 | rec: "Dial" "addr" := 10 | Panic "ffi";; 11 | #(). 12 | 13 | Definition Conn__Send: val := 14 | rec: "Conn__Send" "data" := 15 | Panic "ffi";; 16 | #(). 17 | 18 | Definition Conn__Receive: val := 19 | rec: "Conn__Receive" <> := 20 | Panic "ffi";; 21 | #(). 22 | 23 | Definition Listener: ty. Admitted. 24 | 25 | Definition Listen: val := 26 | rec: "Listen" "addr" := 27 | Panic "ffi";; 28 | #(). 29 | 30 | Definition Listener__Accept: val := 31 | rec: "Listener__Accept" <> := 32 | Panic "ffi";; 33 | #(). 34 | 35 | End code. 36 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/tulip/index.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/tulip/index *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.mit_pdos.tulip.tuple. 4 | 5 | From Perennial.goose_lang Require Import ffi.grove_prelude. 6 | 7 | Definition Index := struct.decl [ 8 | "mu" :: ptrT; 9 | "tplm" :: mapT ptrT 10 | ]. 11 | 12 | Definition Index__GetTuple: val := 13 | rec: "Index__GetTuple" "idx" "key" := 14 | Mutex__Lock (struct.loadF Index "mu" "idx");; 15 | let: ("tpl", "ok") := MapGet (struct.loadF Index "tplm" "idx") "key" in 16 | (if: "ok" 17 | then 18 | Mutex__Unlock (struct.loadF Index "mu" "idx");; 19 | "tpl" 20 | else 21 | let: "tplnew" := tuple.MkTuple #() in 22 | MapInsert (struct.loadF Index "tplm" "idx") "key" "tplnew";; 23 | Mutex__Unlock (struct.loadF Index "mu" "idx");; 24 | "tplnew"). 25 | 26 | Definition MkIndex: val := 27 | rec: "MkIndex" <> := 28 | let: "idx" := struct.alloc Index (zero_val (struct.t Index)) in 29 | struct.storeF Index "mu" "idx" (newMutex #());; 30 | struct.storeF Index "tplm" "idx" (NewMap stringT ptrT #());; 31 | "idx". 32 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/tulip/params.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/tulip/params *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition N_SHARDS : expr := #2. 8 | 9 | Definition NS_RECONNECT : expr := #100000000. 10 | 11 | Definition NS_RESEND_PREPARE : expr := #500000000. 12 | 13 | Definition NS_RESEND_READ : expr := #400000000. 14 | 15 | Definition NS_RESEND_COMMIT : expr := #400000000. 16 | 17 | Definition NS_RESEND_ABORT : expr := #400000000. 18 | 19 | Definition NS_SPAWN_BACKUP_BASE : expr := #5000000000. 20 | 21 | Definition NS_SPAWN_BACKUP_DELTA : expr := #1000000000. 22 | 23 | Definition NS_SEND_REFRESH : expr := #4000000000. 24 | 25 | Definition NS_BACKUP_INTERVAL : expr := #5000000000. 26 | 27 | Definition NS_BATCH_INTERVAL : expr := #300000000. 28 | 29 | Definition NS_HEARTBEAT_INTERVAL : expr := #1000000000. 30 | 31 | Definition NS_ELECTION_TIMEOUT_BASE : expr := #2000000000. 32 | 33 | Definition NS_ELECTION_TIMEOUT_DELTA : expr := #1000000000. 34 | 35 | Definition N_RETRY_REPLICATED : expr := #500. 36 | 37 | Definition NS_REPLICATED_INTERVAL : expr := #10000. 38 | 39 | Definition N_TXN_SITES : expr := #1024. 40 | 41 | End code. 42 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/tulip/quorum.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/tulip/quorum *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition FastQuorum: val := 8 | rec: "FastQuorum" "n" := 9 | ((#3 * "n") + #3) `quot` #4. 10 | 11 | Definition ClassicQuorum: val := 12 | rec: "ClassicQuorum" "n" := 13 | ("n" `quot` #2) + #1. 14 | 15 | Definition Half: val := 16 | rec: "Half" "n" := 17 | ("n" + #1) `quot` #2. 18 | 19 | End code. 20 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/vmvcc/common.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/vmvcc/common *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition RET_SUCCESS : expr := #0. 8 | 9 | Definition RET_NONEXIST : expr := #1. 10 | 11 | Definition RET_RETRY : expr := #200. 12 | 13 | Definition RET_UNSERIALIZABLE : expr := #400. 14 | 15 | End code. 16 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/vmvcc/config.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/vmvcc/config *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Definition N_TXN_SITES : expr := #32. 8 | 9 | Definition N_IDX_BUCKET : expr := #8192. 10 | 11 | Definition TID_SENTINEL : expr := #18446744073709551615. 12 | 13 | End code. 14 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/vmvcc/examples/strnum.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/vmvcc/examples/strnum *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | (* / This package converts between strings and numbers. Currently Goose has 8 | / limited support for manipulating string, so this package is trusted. *) 9 | 10 | Definition StringToU64: val := 11 | rec: "StringToU64" "s" := 12 | UInt64Get (StringToBytes "s"). 13 | 14 | Definition U64ToString: val := 15 | rec: "U64ToString" "n" := 16 | let: "buf" := NewSlice byteT #8 in 17 | UInt64Put "buf" "n";; 18 | StringFromBytes "buf". 19 | 20 | End code. 21 | -------------------------------------------------------------------------------- /external/Goose/github_com/mit_pdos/vmvcc/tid.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/vmvcc/tid *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Goose Require github_com.goose_lang.std. 4 | From Goose Require github_com.mit_pdos.vmvcc.config. 5 | 6 | From Perennial.goose_lang Require Import ffi.grove_prelude. 7 | 8 | Definition GenTID: val := 9 | rec: "GenTID" "sid" := 10 | let: "tid" := ref (zero_val uint64T) in 11 | "tid" <-[uint64T] (grove_ffi.GetTSC #());; 12 | "tid" <-[uint64T] ((((std.SumAssumeNoOverflow (![uint64T] "tid") config.N_TXN_SITES) `quot` config.N_TXN_SITES) * config.N_TXN_SITES) + "sid");; 13 | Skip;; 14 | (for: (λ: <>, (grove_ffi.GetTSC #()) ≤ (![uint64T] "tid")); (λ: <>, Skip) := λ: <>, 15 | Continue);; 16 | ![uint64T] "tid". 17 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "A Flake for Perennial development, with Goose and Grackle"; 3 | 4 | inputs = { 5 | nixpkgs.url = "nixpkgs"; 6 | flake-utils.url = "github:numtide/flake-utils"; 7 | grackle.url = "github:mjschwenne/grackle"; 8 | }; 9 | 10 | outputs = { 11 | nixpkgs, 12 | flake-utils, 13 | grackle, 14 | ... 15 | }: 16 | flake-utils.lib.eachDefaultSystem ( 17 | system: let 18 | pkgs = import nixpkgs { 19 | inherit system; 20 | }; 21 | in { 22 | devShells.default = with pkgs; 23 | mkShell { 24 | buildInputs = [ 25 | coq 26 | coqPackages.stdlib 27 | 28 | go 29 | grackle.packages.${system}.default 30 | grackle.packages.${system}.goose 31 | protobuf 32 | 33 | # nix helpers 34 | nix-prefetch-git 35 | nix-prefetch-github 36 | nix-prefetch 37 | ]; 38 | 39 | shellHook = '' 40 | unset COQPATH 41 | ''; 42 | }; 43 | } 44 | ); 45 | } 46 | -------------------------------------------------------------------------------- /new/code/bytes.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from bytes *) 2 | From New.golang Require Import defn. 3 | 4 | Definition bytes : go_string := "bytes". 5 | 6 | Module bytes. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Axiom Buffer : go_type. 12 | 13 | Axiom ErrTooLarge'init : val. 14 | 15 | Axiom errNegativeRead'init : val. 16 | 17 | Axiom errUnreadByte'init : val. 18 | 19 | Axiom asciiSpace'init : val. 20 | 21 | Definition vars' : list (go_string * go_type) := []. 22 | 23 | Definition functions' : list (go_string * val) := []. 24 | 25 | Definition msets' : list (go_string * (list (go_string * val))) := []. 26 | 27 | #[global] Instance info' : PkgInfo bytes.bytes := 28 | {| 29 | pkg_vars := vars'; 30 | pkg_functions := functions'; 31 | pkg_msets := msets'; 32 | pkg_imported_pkgs := []; 33 | |}. 34 | 35 | Axiom _'init : val. 36 | 37 | Definition initialize' : val := 38 | rec: "initialize'" <> := 39 | globals.package_init bytes.bytes (λ: <>, 40 | exception_do (do: (ErrTooLarge'init #());;; 41 | do: (errNegativeRead'init #());;; 42 | do: (errUnreadByte'init #());;; 43 | do: (asciiSpace'init #())) 44 | ). 45 | 46 | End code. 47 | End bytes. 48 | -------------------------------------------------------------------------------- /new/code/bytes.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | axiomatize = [ 8 | "Buffer", 9 | ] 10 | -------------------------------------------------------------------------------- /new/code/context.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Context", 3 | "CancelFunc", 4 | ] 5 | imports = [ 6 | "!*" 7 | ] 8 | -------------------------------------------------------------------------------- /new/code/crypto/rand.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from crypto/rand *) 2 | From New.golang Require Import defn. 3 | 4 | Definition rand : go_string := "crypto/rand". 5 | 6 | Module rand. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition vars' : list (go_string * go_type) := []. 12 | 13 | Definition functions' : list (go_string * val) := []. 14 | 15 | Definition msets' : list (go_string * (list (go_string * val))) := []. 16 | 17 | #[global] Instance info' : PkgInfo rand.rand := 18 | {| 19 | pkg_vars := vars'; 20 | pkg_functions := functions'; 21 | pkg_msets := msets'; 22 | pkg_imported_pkgs := []; 23 | |}. 24 | 25 | Axiom _'init : val. 26 | 27 | Definition initialize' : val := 28 | rec: "initialize'" <> := 29 | globals.package_init rand.rand (λ: <>, 30 | exception_do (do: #()) 31 | ). 32 | 33 | End code. 34 | End rand. 35 | -------------------------------------------------------------------------------- /new/code/crypto/rand.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/errors.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from errors *) 2 | From New.golang Require Import defn. 3 | 4 | Definition errors : go_string := "errors". 5 | 6 | Module errors. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Axiom ErrUnsupported'init : val. 12 | 13 | Axiom errorType'init : val. 14 | 15 | Definition vars' : list (go_string * go_type) := []. 16 | 17 | Definition functions' : list (go_string * val) := []. 18 | 19 | Definition msets' : list (go_string * (list (go_string * val))) := []. 20 | 21 | #[global] Instance info' : PkgInfo errors.errors := 22 | {| 23 | pkg_vars := vars'; 24 | pkg_functions := functions'; 25 | pkg_msets := msets'; 26 | pkg_imported_pkgs := []; 27 | |}. 28 | 29 | Axiom _'init : val. 30 | 31 | Definition initialize' : val := 32 | rec: "initialize'" <> := 33 | globals.package_init errors.errors (λ: <>, 34 | exception_do (do: (ErrUnsupported'init #());;; 35 | do: (errorType'init #())) 36 | ). 37 | 38 | End code. 39 | End errors. 40 | -------------------------------------------------------------------------------- /new/code/errors.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/fmt.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | trusted = [ 8 | "Print", 9 | "Printf" 10 | ] 11 | -------------------------------------------------------------------------------- /new/code/github_com/goose_lang/primitive.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/goose-lang/primitive *) 2 | From New.golang Require Import defn. 3 | 4 | Require Export New.trusted_code.github_com.goose_lang.primitive. 5 | Import primitive. 6 | Definition primitive : go_string := "github.com/goose-lang/primitive". 7 | 8 | Module primitive. 9 | Section code. 10 | Context `{ffi_syntax}. 11 | 12 | 13 | Definition vars' : list (go_string * go_type) := []. 14 | 15 | Definition functions' : list (go_string * val) := [("UInt64Put"%go, UInt64Put); ("RandomUint64"%go, RandomUint64); ("Assume"%go, Assume)]. 16 | 17 | Definition msets' : list (go_string * (list (go_string * val))) := []. 18 | 19 | #[global] Instance info' : PkgInfo primitive.primitive := 20 | {| 21 | pkg_vars := vars'; 22 | pkg_functions := functions'; 23 | pkg_msets := msets'; 24 | pkg_imported_pkgs := []; 25 | |}. 26 | 27 | Axiom _'init : val. 28 | 29 | Definition initialize' : val := 30 | rec: "initialize'" <> := 31 | globals.package_init primitive.primitive (λ: <>, 32 | exception_do (do: #()) 33 | ). 34 | 35 | End code. 36 | End primitive. 37 | -------------------------------------------------------------------------------- /new/code/github_com/goose_lang/primitive.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | trusted = [ 8 | "UInt64Put", 9 | "Assume", 10 | "RandomUint64", 11 | # FIXME: add remaining functions 12 | ] 13 | -------------------------------------------------------------------------------- /new/code/github_com/goose_lang/primitive/disk.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/goose-lang/primitive/disk *) 2 | From New.golang Require Import defn. 3 | 4 | Require Export New.trusted_code.github_com.goose_lang.primitive.disk. 5 | Import disk. 6 | Definition disk : go_string := "github.com/goose-lang/primitive/disk". 7 | 8 | From New Require Import disk_prelude. 9 | Module disk. 10 | Section code. 11 | 12 | 13 | Definition vars' : list (go_string * go_type) := []. 14 | 15 | Definition functions' : list (go_string * val) := [("Get"%go, Get); ("Read"%go, Read); ("Write"%go, Write); ("Size"%go, Size); ("Barrier"%go, Barrier)]. 16 | 17 | Definition msets' : list (go_string * (list (go_string * val))) := []. 18 | 19 | #[global] Instance info' : PkgInfo disk.disk := 20 | {| 21 | pkg_vars := vars'; 22 | pkg_functions := functions'; 23 | pkg_msets := msets'; 24 | pkg_imported_pkgs := []; 25 | |}. 26 | 27 | Axiom _'init : val. 28 | 29 | Definition initialize' : val := 30 | rec: "initialize'" <> := 31 | globals.package_init disk.disk (λ: <>, 32 | exception_do (do: (_'init #());;; 33 | do: (_'init #())) 34 | ). 35 | 36 | End code. 37 | End disk. 38 | -------------------------------------------------------------------------------- /new/code/github_com/goose_lang/primitive/disk.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | trusted = [ 8 | "Disk", 9 | "BlockSize", 10 | "Get", 11 | "Read", 12 | "ReadTo", 13 | "Write", 14 | "Barrier", 15 | "Size", 16 | ] 17 | -------------------------------------------------------------------------------- /new/code/github_com/goose_lang/std/std_core.v.toml: -------------------------------------------------------------------------------- 1 | [bootstrap] 2 | enabled = true 3 | prelude = [ 4 | "From New.golang.defn Require Export slice.", 5 | ] 6 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/gokv/grove_ffi.v.toml: -------------------------------------------------------------------------------- 1 | trusted = [ 2 | "Listener", 3 | "Connection", 4 | "Address", 5 | "ConnectRet", 6 | "ReceiveRet", 7 | 8 | "Listen", 9 | "Connect", 10 | "Accept", 11 | "Send", 12 | "Receive", 13 | 14 | "FileRead", 15 | "FileWrite", 16 | "FileAppend", 17 | 18 | "GetTSC", 19 | "GetTimeRange", 20 | ] 21 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/gokv/kv.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/kv *) 2 | From New.golang Require Import defn. 3 | 4 | Definition kv : go_string := "github.com/mit-pdos/gokv/kv". 5 | 6 | Module kv. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition Kv : go_type := interfaceT. 12 | 13 | Definition KvCput : go_type := interfaceT. 14 | 15 | Definition vars' : list (go_string * go_type) := []. 16 | 17 | Definition functions' : list (go_string * val) := []. 18 | 19 | Definition msets' : list (go_string * (list (go_string * val))) := []. 20 | 21 | #[global] Instance info' : PkgInfo kv.kv := 22 | {| 23 | pkg_vars := vars'; 24 | pkg_functions := functions'; 25 | pkg_msets := msets'; 26 | pkg_imported_pkgs := []; 27 | |}. 28 | 29 | Definition initialize' : val := 30 | rec: "initialize'" <> := 31 | globals.package_init kv.kv (λ: <>, 32 | exception_do (do: #()) 33 | ). 34 | 35 | End code. 36 | End kv. 37 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/gokv/trusted_proph.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from github.com/mit-pdos/gokv/trusted_proph *) 2 | From New.golang Require Import defn. 3 | 4 | Require Export New.trusted_code.github_com.mit_pdos.gokv.trusted_proph. 5 | Import trusted_proph. 6 | Definition trusted_proph : go_string := "github.com/mit-pdos/gokv/trusted_proph". 7 | 8 | Module trusted_proph. 9 | Section code. 10 | Context `{ffi_syntax}. 11 | 12 | 13 | Definition ProphId : go_type := ptrT. 14 | 15 | Definition vars' : list (go_string * go_type) := []. 16 | 17 | Definition functions' : list (go_string * val) := [("NewProph"%go, NewProph); ("ResolveBytes"%go, ResolveBytes)]. 18 | 19 | Definition msets' : list (go_string * (list (go_string * val))) := []. 20 | 21 | #[global] Instance info' : PkgInfo trusted_proph.trusted_proph := 22 | {| 23 | pkg_vars := vars'; 24 | pkg_functions := functions'; 25 | pkg_msets := msets'; 26 | pkg_imported_pkgs := []; 27 | |}. 28 | 29 | Axiom _'init : val. 30 | 31 | Definition initialize' : val := 32 | rec: "initialize'" <> := 33 | globals.package_init trusted_proph.trusted_proph (λ: <>, 34 | exception_do (do: #()) 35 | ). 36 | 37 | End code. 38 | End trusted_proph. 39 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/gokv/trusted_proph.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "ProphId", 3 | ] 4 | 5 | trusted = [ 6 | "ResolveBytes", 7 | "NewProph", 8 | ] 9 | 10 | imports = [ 11 | "!*", 12 | ] 13 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/pav/cryptoffi.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "HashLen" 3 | ] 4 | axiomatize = [ 5 | "Hasher", 6 | "NewHasher", 7 | "Hasher.Write", 8 | "Hasher.Sum", 9 | 10 | "SigPrivateKey", 11 | "SigGenerateKey", 12 | "SigPrivateKey.Sign", 13 | "SigGenerateKey", 14 | "SigPublicKey", 15 | "SigPublicKey.Verify", 16 | 17 | "VrfPrivateKey", 18 | "VrfPublicKey", 19 | "VrfGenerateKey", 20 | "VrfPrivateKey.Prove", 21 | "VrfPublicKey.Verify", 22 | "VrfPublicKeyEncode", 23 | "VrfPublicKeyDecode", 24 | 25 | "RandBytes", 26 | ] 27 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/pav/netffi.v.toml: -------------------------------------------------------------------------------- 1 | axiomatize = [ 2 | "Conn", 3 | "Dial", 4 | "Conn.Send", 5 | "Conn.Receive", 6 | "Listener", 7 | "Listen", 8 | "Listen.Accept", 9 | ] 10 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/tulip/trusted_proph.v.toml: -------------------------------------------------------------------------------- 1 | ## TODO: these have intended models (from old goose) and shouldn't just be 2 | ## axiomatized 3 | axiomatize = [ 4 | "ActReadId", 5 | "ActAbortId", 6 | "ActCommitId", 7 | "NewProph", 8 | "ResolveRead", 9 | "ResolveAbort", 10 | "WrsToVal", 11 | "ResolveCommit", 12 | ] 13 | -------------------------------------------------------------------------------- /new/code/github_com/mit_pdos/tulip/trusted_time.v.toml: -------------------------------------------------------------------------------- 1 | ## TODO: these have intended models 2 | axiomatize = [ 3 | "GetTime", 4 | ] 5 | -------------------------------------------------------------------------------- /new/code/github_com/stretchr/testify/assert.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/github_com/tchajed/marshal.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "compute_new_cap", "reserve", 3 | "ReadInt", "ReadInt32", "ReadBytes", "ReadBytesCopy", "ReadBool", "ReadLenPrefixeBytes", 4 | "WriteInt", "WriteInt32", "WriteBytes", "WriteBool", "WriteLenPrefixedBytes", 5 | "ReadSlice", "ReadSliceLenPrefix", "WriteSlice", "WriteSliceLenPrefix", 6 | "Dec", "Enc", 7 | ] 8 | imports = [ 9 | "github.com/goose-lang/primitive", 10 | "github.com/goose-lang/std", 11 | ] 12 | -------------------------------------------------------------------------------- /new/code/go_etcd_io/etcd/api/v3/etcdserverpb.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Compare_CompareResult", 3 | "Compare_CompareTarget", 4 | "isCompare_TargetUnion", 5 | "Compare", 6 | "TxnResponse", 7 | "RangeResponse", 8 | "ResponseHeader", 9 | 10 | "PutResponse", 11 | "RangeResponse", 12 | "DeleteRangeResponse", 13 | 14 | "ResponseOp", 15 | "isResponseOp_Response", 16 | "ResponseOp_ResponseRange", 17 | "ResponseOp_ResponseRange", 18 | "ResponseOp_ResponsePut", 19 | "ResponseOp_ResponseDeleteRange", 20 | "ResponseOp_ResponseTxn", 21 | 22 | 23 | "Compare_VERSION", 24 | "Compare_CREATE", 25 | "Compare_MOD", 26 | "Compare_VALUE", 27 | "Compare_LEASE", 28 | 29 | 30 | "Compare_EQUAL", 31 | "Compare_GREATER", 32 | "Compare_LESS", 33 | "Compare_NOT_EQUAL", 34 | 35 | "Compare_Version", 36 | "Compare_CreateRevision", 37 | "Compare_ModRevision", 38 | "Compare_Value", 39 | "Compare_Lease", 40 | 41 | ] 42 | 43 | imports = [ 44 | "!*", 45 | ] 46 | -------------------------------------------------------------------------------- /new/code/go_etcd_io/etcd/api/v3/mvccpb.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "KeyValue", 3 | "Event_EventType", 4 | "PUT", 5 | "DELETE", 6 | "Event", 7 | ] 8 | 9 | imports = [ 10 | "!*", 11 | ] 12 | -------------------------------------------------------------------------------- /new/code/go_etcd_io/etcd/client/v3.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "LeaseID", 3 | "Txn", 4 | "Cmp", 5 | "KV", 6 | "OpOption", 7 | "TxnResponse", 8 | "Cluster", 9 | "GetResponse", 10 | "WatchResponse", 11 | "WatchChan", 12 | "Event", 13 | "Watcher", 14 | "Lease", 15 | "NoLease", 16 | "LeaseGrantResponse", 17 | "OpResponse", 18 | "EventTypeDelete", 19 | 20 | "PutResponse", 21 | "RangeResponse", 22 | "DeleteResponse", 23 | ] 24 | 25 | axiomatize = [ 26 | "Client", 27 | "Op", 28 | ] 29 | 30 | imports = [ 31 | "go.etcd.io/etcd/api/v3/etcdserverpb", 32 | "go.etcd.io/etcd/api/v3/mvccpb", 33 | ] 34 | -------------------------------------------------------------------------------- /new/code/go_etcd_io/raft/v3/confchange.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from go.etcd.io/raft/v3/confchange *) 2 | From New.golang Require Import defn. 3 | Require Export New.code.go_etcd_io.raft.v3.tracker. 4 | 5 | Definition confchange : go_string := "go.etcd.io/raft/v3/confchange". 6 | 7 | Module confchange. 8 | Section code. 9 | Context `{ffi_syntax}. 10 | 11 | 12 | Definition Changer : go_type := structT [ 13 | "Tracker" :: tracker.ProgressTracker; 14 | "LastIndex" :: uint64T 15 | ]. 16 | 17 | Definition vars' : list (go_string * go_type) := []. 18 | 19 | Definition functions' : list (go_string * val) := []. 20 | 21 | Definition msets' : list (go_string * (list (go_string * val))) := [("Changer"%go, []); ("Changer'ptr"%go, [])]. 22 | 23 | #[global] Instance info' : PkgInfo confchange.confchange := 24 | {| 25 | pkg_vars := vars'; 26 | pkg_functions := functions'; 27 | pkg_msets := msets'; 28 | pkg_imported_pkgs := [tracker.tracker]; 29 | |}. 30 | 31 | Axiom _'init : val. 32 | 33 | Definition initialize' : val := 34 | rec: "initialize'" <> := 35 | globals.package_init confchange.confchange (λ: <>, 36 | exception_do (do: tracker.initialize') 37 | ). 38 | 39 | End code. 40 | End confchange. 41 | -------------------------------------------------------------------------------- /new/code/go_etcd_io/raft/v3/confchange.v.toml: -------------------------------------------------------------------------------- 1 | imports = [ 2 | "go.etcd.io/raft/v3/tracker", 3 | ] 4 | 5 | translate = [ 6 | "Changer", 7 | ] 8 | -------------------------------------------------------------------------------- /new/code/go_etcd_io/raft/v3/quorum/slices.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from go.etcd.io/raft/v3/quorum/slices *) 2 | From New.golang Require Import defn. 3 | 4 | Definition slices : go_string := "go.etcd.io/raft/v3/quorum/slices". 5 | 6 | Module slices. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition Tup : go_type := structT [ 12 | "ID" :: uint64T; 13 | "Idx" :: uint64T; 14 | "Ok" :: boolT; 15 | "Bar" :: intT 16 | ]. 17 | 18 | Definition vars' : list (go_string * go_type) := []. 19 | 20 | Definition functions' : list (go_string * val) := []. 21 | 22 | Definition msets' : list (go_string * (list (go_string * val))) := [("Tup"%go, []); ("Tup'ptr"%go, [])]. 23 | 24 | #[global] Instance info' : PkgInfo slices.slices := 25 | {| 26 | pkg_vars := vars'; 27 | pkg_functions := functions'; 28 | pkg_msets := msets'; 29 | pkg_imported_pkgs := []; 30 | |}. 31 | 32 | Axiom _'init : val. 33 | 34 | Definition initialize' : val := 35 | rec: "initialize'" <> := 36 | globals.package_init slices.slices (λ: <>, 37 | exception_do (do: #()) 38 | ). 39 | 40 | End code. 41 | End slices. 42 | -------------------------------------------------------------------------------- /new/code/go_etcd_io/raft/v3/quorum/slices.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Tup", 3 | ] 4 | 5 | imports = [ 6 | "!*", 7 | ] 8 | -------------------------------------------------------------------------------- /new/code/go_uber_org/zap.v.toml: -------------------------------------------------------------------------------- 1 | imports = [ 2 | "go.uber.org/zap/zapcore", 3 | ] 4 | translate = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/go_uber_org/zap/zapcore.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Field", 3 | "FieldType", 4 | ] 5 | imports = [ 6 | "!*", 7 | ] 8 | -------------------------------------------------------------------------------- /new/code/google_golang_org/grpc.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/google_golang_org/grpc/codes.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Code", 3 | "Canceled", 4 | "DataLoss", 5 | "DeadlineExceeded", 6 | "FailedPrecondition", 7 | "InvalidArgument", 8 | "NotFound", 9 | "OutOfRange", 10 | "PermissionDenied", 11 | "ResourceExhausted", 12 | "Unauthenticated", 13 | "Unavailable", 14 | ] 15 | imports = [ 16 | "!*" 17 | ] 18 | -------------------------------------------------------------------------------- /new/code/google_golang_org/grpc/status.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from google.golang.org/grpc/status *) 2 | From New.golang Require Import defn. 3 | 4 | Definition status : go_string := "google.golang.org/grpc/status". 5 | 6 | Module status. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition vars' : list (go_string * go_type) := []. 12 | 13 | Definition functions' : list (go_string * val) := []. 14 | 15 | Definition msets' : list (go_string * (list (go_string * val))) := []. 16 | 17 | #[global] Instance info' : PkgInfo status.status := 18 | {| 19 | pkg_vars := vars'; 20 | pkg_functions := functions'; 21 | pkg_msets := msets'; 22 | pkg_imported_pkgs := []; 23 | |}. 24 | 25 | Axiom _'init : val. 26 | 27 | Definition initialize' : val := 28 | rec: "initialize'" <> := 29 | globals.package_init status.status (λ: <>, 30 | exception_do (do: #()) 31 | ). 32 | 33 | End code. 34 | End status. 35 | -------------------------------------------------------------------------------- /new/code/google_golang_org/grpc/status.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/internal/race.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from internal/race *) 2 | From New.golang Require Import defn. 3 | 4 | Definition race : go_string := "internal/race". 5 | 6 | Module race. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition Enabled : expr := #false. 12 | 13 | Definition vars' : list (go_string * go_type) := []. 14 | 15 | Definition functions' : list (go_string * val) := []. 16 | 17 | Definition msets' : list (go_string * (list (go_string * val))) := []. 18 | 19 | #[global] Instance info' : PkgInfo race.race := 20 | {| 21 | pkg_vars := vars'; 22 | pkg_functions := functions'; 23 | pkg_msets := msets'; 24 | pkg_imported_pkgs := []; 25 | |}. 26 | 27 | Axiom _'init : val. 28 | 29 | Definition initialize' : val := 30 | rec: "initialize'" <> := 31 | globals.package_init race.race (λ: <>, 32 | exception_do (do: #()) 33 | ). 34 | 35 | End code. 36 | End race. 37 | -------------------------------------------------------------------------------- /new/code/internal/race.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Enabled", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/io.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Reader", 3 | "Writer", 4 | ] 5 | imports = [ 6 | "!*" 7 | ] 8 | -------------------------------------------------------------------------------- /new/code/log.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Ldate", 3 | "Ltime", 4 | "LstdFlags", 5 | ] 6 | 7 | trusted = [ 8 | "Printf", 9 | "Println", 10 | ] 11 | 12 | imports = [ 13 | "!*" 14 | ] 15 | -------------------------------------------------------------------------------- /new/code/math.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "MaxUint64", 3 | "MaxInt64", 4 | ] 5 | 6 | imports = [ 7 | "!*" 8 | ] 9 | -------------------------------------------------------------------------------- /new/code/math/big.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/math/rand.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/os.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/slices.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from slices *) 2 | From New.golang Require Import defn. 3 | 4 | Definition slices : go_string := "slices". 5 | 6 | Module slices. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition vars' : list (go_string * go_type) := []. 12 | 13 | Definition functions' : list (go_string * val) := []. 14 | 15 | Definition msets' : list (go_string * (list (go_string * val))) := []. 16 | 17 | #[global] Instance info' : PkgInfo slices.slices := 18 | {| 19 | pkg_vars := vars'; 20 | pkg_functions := functions'; 21 | pkg_msets := msets'; 22 | pkg_imported_pkgs := []; 23 | |}. 24 | 25 | Axiom _'init : val. 26 | 27 | Definition initialize' : val := 28 | rec: "initialize'" <> := 29 | globals.package_init slices.slices (λ: <>, 30 | exception_do (do: #()) 31 | ). 32 | 33 | End code. 34 | End slices. 35 | -------------------------------------------------------------------------------- /new/code/slices.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/sort.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from sort *) 2 | From New.golang Require Import defn. 3 | 4 | Definition sort : go_string := "sort". 5 | 6 | Module sort. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition vars' : list (go_string * go_type) := []. 12 | 13 | Definition functions' : list (go_string * val) := []. 14 | 15 | Definition msets' : list (go_string * (list (go_string * val))) := []. 16 | 17 | #[global] Instance info' : PkgInfo sort.sort := 18 | {| 19 | pkg_vars := vars'; 20 | pkg_functions := functions'; 21 | pkg_msets := msets'; 22 | pkg_imported_pkgs := []; 23 | |}. 24 | 25 | Axiom _'init : val. 26 | 27 | Definition initialize' : val := 28 | rec: "initialize'" <> := 29 | globals.package_init sort.sort (λ: <>, 30 | exception_do (do: #()) 31 | ). 32 | 33 | End code. 34 | End sort. 35 | -------------------------------------------------------------------------------- /new/code/sort.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/strconv.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | ] 4 | imports = [ 5 | "!*", 6 | ] 7 | -------------------------------------------------------------------------------- /new/code/strings.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from strings *) 2 | From New.golang Require Import defn. 3 | 4 | Definition strings : go_string := "strings". 5 | 6 | Module strings. 7 | Section code. 8 | Context `{ffi_syntax}. 9 | 10 | 11 | Definition Builder : go_type := structT [ 12 | "addr" :: ptrT; 13 | "buf" :: sliceT 14 | ]. 15 | 16 | Axiom asciiSpace'init : val. 17 | 18 | Definition vars' : list (go_string * go_type) := []. 19 | 20 | Definition functions' : list (go_string * val) := []. 21 | 22 | Definition msets' : list (go_string * (list (go_string * val))) := [("Builder"%go, []); ("Builder'ptr"%go, [])]. 23 | 24 | #[global] Instance info' : PkgInfo strings.strings := 25 | {| 26 | pkg_vars := vars'; 27 | pkg_functions := functions'; 28 | pkg_msets := msets'; 29 | pkg_imported_pkgs := []; 30 | |}. 31 | 32 | Axiom _'init : val. 33 | 34 | Definition initialize' : val := 35 | rec: "initialize'" <> := 36 | globals.package_init strings.strings (λ: <>, 37 | exception_do (do: (asciiSpace'init #())) 38 | ). 39 | 40 | End code. 41 | End strings. 42 | -------------------------------------------------------------------------------- /new/code/strings.v.toml: -------------------------------------------------------------------------------- 1 | translate = ["Builder"] 2 | axiomatize = ["Builder"] 3 | imports = [ 4 | "!*" 5 | ] 6 | -------------------------------------------------------------------------------- /new/code/sync.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "!*", 3 | "rwmutexMaxReaders", 4 | "RWMutex", 5 | "RWMutex.*", 6 | 7 | "WaitGroup", 8 | "WaitGroup.*", 9 | "noCopy", 10 | ] 11 | 12 | imports = [ 13 | "sync/atomic", 14 | "internal/race", 15 | ] 16 | 17 | axiomatize = [ 18 | ] 19 | 20 | trusted = [ 21 | # Unlike WaitGroup, one cannot translate and verify Mutex methods because they 22 | # actually have data races (and the race detector is explicitly disabled on 23 | # the sync package for these reasons). 24 | # E.g. in Mutex.Lock: 25 | # https://github.com/golang/go/blob/ff27d270c9f95178f9749bc8e1f15957b1c1d5b3/src/internal/sync/mutex.go#L100 26 | "Mutex", 27 | "Mutex.*", 28 | 29 | "Cond", 30 | "Cond.*", 31 | "NewCond", 32 | 33 | "runtime_Semacquire", 34 | "runtime_SemacquireWaitGroup", 35 | "runtime_SemacquireRWMutexR", 36 | "runtime_SemacquireRWMutex", 37 | "runtime_Semrelease", 38 | ] 39 | -------------------------------------------------------------------------------- /new/code/sync/atomic.v.toml: -------------------------------------------------------------------------------- 1 | translate = [ 2 | "Uint64", 3 | "Uint64.Load", 4 | "Uint64.Store", 5 | "Uint64.Add", 6 | "Uint64.CompareAndSwap", 7 | 8 | "Int32", 9 | "Int32.Load", 10 | "Int32.Store", 11 | "Int32.Add", 12 | "Int32.CompareAndSwap", 13 | 14 | "noCopy", 15 | "align64", 16 | ] 17 | 18 | trusted = [ 19 | "LoadUint64", 20 | "StoreUint64", 21 | "AddUint64", 22 | "CompareAndSwapUint64", 23 | "LoadInt32", 24 | "StoreInt32", 25 | "AddInt32", 26 | "CompareAndSwapInt32", 27 | ] 28 | 29 | imports = [ 30 | "!*", 31 | ] 32 | -------------------------------------------------------------------------------- /new/code/testing.v.toml: -------------------------------------------------------------------------------- 1 | axiomatize = [ 2 | "T", 3 | ] 4 | translate = [ 5 | "!*", 6 | ] 7 | imports = [ 8 | "!*", 9 | ] 10 | -------------------------------------------------------------------------------- /new/code/time.v.toml: -------------------------------------------------------------------------------- 1 | imports = [ 2 | "!*", 3 | ] 4 | translate = [ 5 | "Time", 6 | "Second", 7 | "Millisecond", 8 | "Microsecond", 9 | "Nanosecond", 10 | ] 11 | -------------------------------------------------------------------------------- /new/disk_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation. 2 | From New.golang Require Import defn. 3 | From Perennial.goose_lang Require Export ffi.disk_ffi.impl. 4 | #[global] 5 | Existing Instances disk_op disk_model. 6 | -------------------------------------------------------------------------------- /new/generatedproof/bytes.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.bytes. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module bytes. 10 | 11 | (* type bytes.Buffer *) 12 | Module Buffer. 13 | Section def. 14 | Context `{ffi_syntax}. 15 | Axiom t : Type. 16 | End def. 17 | End Buffer. 18 | 19 | Global Instance bounded_size_Buffer : BoundedTypeSize bytes.Buffer. 20 | Admitted. 21 | 22 | Global Instance into_val_Buffer `{ffi_syntax} : IntoVal Buffer.t. 23 | Admitted. 24 | 25 | Global Instance into_val_typed_Buffer `{ffi_syntax} : IntoValTyped Buffer.t bytes.Buffer. 26 | Admitted. 27 | 28 | Section names. 29 | 30 | Class GlobalAddrs := 31 | { 32 | }. 33 | 34 | Context `{!GlobalAddrs}. 35 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 36 | Context `{!goGlobalsGS Σ}. 37 | 38 | Definition var_addrs : list (go_string * loc) := [ 39 | ]. 40 | 41 | Global Instance is_pkg_defined_instance : IsPkgDefined bytes := 42 | {| 43 | is_pkg_defined := is_global_definitions bytes var_addrs; 44 | |}. 45 | 46 | Definition own_allocated : iProp Σ := 47 | True. 48 | 49 | End names. 50 | End bytes. 51 | -------------------------------------------------------------------------------- /new/generatedproof/context.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.context. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module context. 10 | 11 | (* type context.Context *) 12 | Module Context. 13 | Section def. 14 | Context `{ffi_syntax}. 15 | Definition t := interface.t. 16 | End def. 17 | End Context. 18 | 19 | (* type context.CancelFunc *) 20 | Module CancelFunc. 21 | Section def. 22 | Context `{ffi_syntax}. 23 | Definition t := func.t. 24 | End def. 25 | End CancelFunc. 26 | 27 | Section names. 28 | 29 | Class GlobalAddrs := 30 | { 31 | }. 32 | 33 | Context `{!GlobalAddrs}. 34 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 35 | Context `{!goGlobalsGS Σ}. 36 | 37 | Definition var_addrs : list (go_string * loc) := [ 38 | ]. 39 | 40 | Global Instance is_pkg_defined_instance : IsPkgDefined context := 41 | {| 42 | is_pkg_defined := is_global_definitions context var_addrs; 43 | |}. 44 | 45 | Definition own_allocated : iProp Σ := 46 | True. 47 | 48 | End names. 49 | End context. 50 | -------------------------------------------------------------------------------- /new/generatedproof/crypto/rand.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.crypto.rand. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module rand. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined rand := 25 | {| 26 | is_pkg_defined := is_global_definitions rand var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End rand. 34 | -------------------------------------------------------------------------------- /new/generatedproof/errors.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.errors. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module errors. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined errors := 25 | {| 26 | is_pkg_defined := is_global_definitions errors var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End errors. 34 | -------------------------------------------------------------------------------- /new/generatedproof/fmt.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.manualproof.fmt. 4 | Require Export New.golang.theory. 5 | 6 | Require Export New.code.fmt. 7 | 8 | Set Default Proof Using "Type". 9 | 10 | Module fmt. 11 | 12 | Section names. 13 | 14 | Class GlobalAddrs := 15 | { 16 | }. 17 | 18 | Context `{!GlobalAddrs}. 19 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 20 | Context `{!goGlobalsGS Σ}. 21 | 22 | Definition var_addrs : list (go_string * loc) := [ 23 | ]. 24 | 25 | Global Instance is_pkg_defined_instance : IsPkgDefined fmt := 26 | {| 27 | is_pkg_defined := is_global_definitions fmt var_addrs; 28 | |}. 29 | 30 | Definition own_allocated : iProp Σ := 31 | True. 32 | 33 | Global Instance wp_func_call_Printf : 34 | WpFuncCall fmt "Printf" _ (is_pkg_defined fmt) := 35 | ltac:(apply wp_func_call'; reflexivity). 36 | 37 | Global Instance wp_func_call_Print : 38 | WpFuncCall fmt "Print" _ (is_pkg_defined fmt) := 39 | ltac:(apply wp_func_call'; reflexivity). 40 | 41 | End names. 42 | End fmt. 43 | -------------------------------------------------------------------------------- /new/generatedproof/github_com/mit_pdos/go_journal/common.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.disk_prelude. 3 | Require Export New.generatedproof.github_com.goose_lang.primitive.disk. 4 | Require Export New.golang.theory. 5 | 6 | Require Export New.code.github_com.mit_pdos.go_journal.common. 7 | 8 | Set Default Proof Using "Type". 9 | 10 | Module common. 11 | 12 | (* type common.Inum *) 13 | Module Inum. 14 | Section def. 15 | Context `{ffi_syntax}. 16 | Definition t := w64. 17 | End def. 18 | End Inum. 19 | 20 | (* type common.Bnum *) 21 | Module Bnum. 22 | Section def. 23 | Context `{ffi_syntax}. 24 | Definition t := w64. 25 | End def. 26 | End Bnum. 27 | 28 | Section names. 29 | 30 | Class GlobalAddrs := 31 | { 32 | }. 33 | 34 | Context `{!GlobalAddrs}. 35 | Context `{!heapGS Σ}. 36 | Context `{!goGlobalsGS Σ}. 37 | 38 | Definition var_addrs : list (go_string * loc) := [ 39 | ]. 40 | 41 | Global Instance is_pkg_defined_instance : IsPkgDefined common := 42 | {| 43 | is_pkg_defined := is_global_definitions common var_addrs; 44 | |}. 45 | 46 | Definition own_allocated : iProp Σ := 47 | True. 48 | 49 | End names. 50 | End common. 51 | -------------------------------------------------------------------------------- /new/generatedproof/github_com/mit_pdos/gokv/kv.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.github_com.mit_pdos.gokv.kv. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module kv. 10 | 11 | (* type kv.Kv *) 12 | Module Kv. 13 | Section def. 14 | Context `{ffi_syntax}. 15 | Definition t := interface.t. 16 | End def. 17 | End Kv. 18 | 19 | (* type kv.KvCput *) 20 | Module KvCput. 21 | Section def. 22 | Context `{ffi_syntax}. 23 | Definition t := interface.t. 24 | End def. 25 | End KvCput. 26 | 27 | Section names. 28 | 29 | Class GlobalAddrs := 30 | { 31 | }. 32 | 33 | Context `{!GlobalAddrs}. 34 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 35 | Context `{!goGlobalsGS Σ}. 36 | 37 | Definition var_addrs : list (go_string * loc) := [ 38 | ]. 39 | 40 | Global Instance is_pkg_defined_instance : IsPkgDefined kv := 41 | {| 42 | is_pkg_defined := is_global_definitions kv var_addrs; 43 | |}. 44 | 45 | Definition own_allocated : iProp Σ := 46 | True. 47 | 48 | End names. 49 | End kv. 50 | -------------------------------------------------------------------------------- /new/generatedproof/github_com/stretchr/testify/assert.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.github_com.stretchr.testify.assert. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module assert. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined assert := 25 | {| 26 | is_pkg_defined := is_global_definitions assert var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End assert. 34 | -------------------------------------------------------------------------------- /new/generatedproof/go_uber_org/zap.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.generatedproof.go_uber_org.zap.zapcore. 4 | Require Export New.golang.theory. 5 | 6 | Require Export New.code.go_uber_org.zap. 7 | 8 | Set Default Proof Using "Type". 9 | 10 | Module zap. 11 | 12 | Section names. 13 | 14 | Class GlobalAddrs := 15 | { 16 | }. 17 | 18 | Context `{!GlobalAddrs}. 19 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 20 | Context `{!goGlobalsGS Σ}. 21 | 22 | Definition var_addrs : list (go_string * loc) := [ 23 | ]. 24 | 25 | Global Instance is_pkg_defined_instance : IsPkgDefined zap := 26 | {| 27 | is_pkg_defined := is_global_definitions zap var_addrs; 28 | |}. 29 | 30 | Definition own_allocated : iProp Σ := 31 | True. 32 | 33 | End names. 34 | End zap. 35 | -------------------------------------------------------------------------------- /new/generatedproof/google_golang_org/grpc.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.google_golang_org.grpc. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module grpc. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined grpc := 25 | {| 26 | is_pkg_defined := is_global_definitions grpc var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End grpc. 34 | -------------------------------------------------------------------------------- /new/generatedproof/google_golang_org/grpc/codes.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.google_golang_org.grpc.codes. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module codes. 10 | 11 | (* type codes.Code *) 12 | Module Code. 13 | Section def. 14 | Context `{ffi_syntax}. 15 | Definition t := w32. 16 | End def. 17 | End Code. 18 | 19 | Section names. 20 | 21 | Class GlobalAddrs := 22 | { 23 | }. 24 | 25 | Context `{!GlobalAddrs}. 26 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 27 | Context `{!goGlobalsGS Σ}. 28 | 29 | Definition var_addrs : list (go_string * loc) := [ 30 | ]. 31 | 32 | Global Instance is_pkg_defined_instance : IsPkgDefined codes := 33 | {| 34 | is_pkg_defined := is_global_definitions codes var_addrs; 35 | |}. 36 | 37 | Definition own_allocated : iProp Σ := 38 | True. 39 | 40 | End names. 41 | End codes. 42 | -------------------------------------------------------------------------------- /new/generatedproof/google_golang_org/grpc/status.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.google_golang_org.grpc.status. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module status. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined status := 25 | {| 26 | is_pkg_defined := is_global_definitions status var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End status. 34 | -------------------------------------------------------------------------------- /new/generatedproof/internal/race.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.internal.race. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module race. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined race := 25 | {| 26 | is_pkg_defined := is_global_definitions race var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End race. 34 | -------------------------------------------------------------------------------- /new/generatedproof/io.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.io. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module io. 10 | 11 | (* type io.Reader *) 12 | Module Reader. 13 | Section def. 14 | Context `{ffi_syntax}. 15 | Definition t := interface.t. 16 | End def. 17 | End Reader. 18 | 19 | (* type io.Writer *) 20 | Module Writer. 21 | Section def. 22 | Context `{ffi_syntax}. 23 | Definition t := interface.t. 24 | End def. 25 | End Writer. 26 | 27 | Section names. 28 | 29 | Class GlobalAddrs := 30 | { 31 | }. 32 | 33 | Context `{!GlobalAddrs}. 34 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 35 | Context `{!goGlobalsGS Σ}. 36 | 37 | Definition var_addrs : list (go_string * loc) := [ 38 | ]. 39 | 40 | Global Instance is_pkg_defined_instance : IsPkgDefined io := 41 | {| 42 | is_pkg_defined := is_global_definitions io var_addrs; 43 | |}. 44 | 45 | Definition own_allocated : iProp Σ := 46 | True. 47 | 48 | End names. 49 | End io. 50 | -------------------------------------------------------------------------------- /new/generatedproof/log.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.manualproof.log. 4 | Require Export New.golang.theory. 5 | 6 | Require Export New.code.log. 7 | 8 | Set Default Proof Using "Type". 9 | 10 | Module log. 11 | 12 | Section names. 13 | 14 | Class GlobalAddrs := 15 | { 16 | }. 17 | 18 | Context `{!GlobalAddrs}. 19 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 20 | Context `{!goGlobalsGS Σ}. 21 | 22 | Definition var_addrs : list (go_string * loc) := [ 23 | ]. 24 | 25 | Global Instance is_pkg_defined_instance : IsPkgDefined log := 26 | {| 27 | is_pkg_defined := is_global_definitions log var_addrs; 28 | |}. 29 | 30 | Definition own_allocated : iProp Σ := 31 | True. 32 | 33 | Global Instance wp_func_call_Printf : 34 | WpFuncCall log "Printf" _ (is_pkg_defined log) := 35 | ltac:(apply wp_func_call'; reflexivity). 36 | 37 | Global Instance wp_func_call_Println : 38 | WpFuncCall log "Println" _ (is_pkg_defined log) := 39 | ltac:(apply wp_func_call'; reflexivity). 40 | 41 | End names. 42 | End log. 43 | -------------------------------------------------------------------------------- /new/generatedproof/math.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.math. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module math. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined math := 25 | {| 26 | is_pkg_defined := is_global_definitions math var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End math. 34 | -------------------------------------------------------------------------------- /new/generatedproof/math/big.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.math.big. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module big. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined big := 25 | {| 26 | is_pkg_defined := is_global_definitions big var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End big. 34 | -------------------------------------------------------------------------------- /new/generatedproof/math/rand.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.math.rand. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module rand. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined rand := 25 | {| 26 | is_pkg_defined := is_global_definitions rand var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End rand. 34 | -------------------------------------------------------------------------------- /new/generatedproof/os.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.os. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module os. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined os := 25 | {| 26 | is_pkg_defined := is_global_definitions os var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End os. 34 | -------------------------------------------------------------------------------- /new/generatedproof/slices.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.slices. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module slices. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined slices := 25 | {| 26 | is_pkg_defined := is_global_definitions slices var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End slices. 34 | -------------------------------------------------------------------------------- /new/generatedproof/sort.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.sort. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module sort. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined sort := 25 | {| 26 | is_pkg_defined := is_global_definitions sort var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End sort. 34 | -------------------------------------------------------------------------------- /new/generatedproof/strconv.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.strconv. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module strconv. 10 | 11 | Section names. 12 | 13 | Class GlobalAddrs := 14 | { 15 | }. 16 | 17 | Context `{!GlobalAddrs}. 18 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 19 | Context `{!goGlobalsGS Σ}. 20 | 21 | Definition var_addrs : list (go_string * loc) := [ 22 | ]. 23 | 24 | Global Instance is_pkg_defined_instance : IsPkgDefined strconv := 25 | {| 26 | is_pkg_defined := is_global_definitions strconv var_addrs; 27 | |}. 28 | 29 | Definition own_allocated : iProp Σ := 30 | True. 31 | 32 | End names. 33 | End strconv. 34 | -------------------------------------------------------------------------------- /new/generatedproof/testing.v: -------------------------------------------------------------------------------- 1 | (* autogenerated by goose proofgen; do not modify *) 2 | Require Export New.proof.proof_prelude. 3 | Require Export New.golang.theory. 4 | 5 | Require Export New.code.testing. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Module testing. 10 | 11 | (* type testing.T *) 12 | Module T. 13 | Section def. 14 | Context `{ffi_syntax}. 15 | Axiom t : Type. 16 | End def. 17 | End T. 18 | 19 | Global Instance bounded_size_T : BoundedTypeSize testing.T. 20 | Admitted. 21 | 22 | Global Instance into_val_T `{ffi_syntax} : IntoVal T.t. 23 | Admitted. 24 | 25 | Global Instance into_val_typed_T `{ffi_syntax} : IntoValTyped T.t testing.T. 26 | Admitted. 27 | 28 | Section names. 29 | 30 | Class GlobalAddrs := 31 | { 32 | }. 33 | 34 | Context `{!GlobalAddrs}. 35 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 36 | Context `{!goGlobalsGS Σ}. 37 | 38 | Definition var_addrs : list (go_string * loc) := [ 39 | ]. 40 | 41 | Global Instance is_pkg_defined_instance : IsPkgDefined testing := 42 | {| 43 | is_pkg_defined := is_global_definitions testing var_addrs; 44 | |}. 45 | 46 | Definition own_allocated : iProp Σ := 47 | True. 48 | 49 | End names. 50 | End testing. 51 | -------------------------------------------------------------------------------- /new/golang/README.md: -------------------------------------------------------------------------------- 1 | # Golang for Iris 2 | 3 | The `./defn` directory contains trusted definitions. It specifically 4 | defines the semantics of types, control flow like early return and for loops, and 5 | built-in Go objects such as maps, slices, etc. It is built on top of the minimal 6 | and untyped GooseLang. 7 | 8 | The `./theory` directory contains theorems about the Go concepts defined here. 9 | This theory need not be trusted for the most part, since it consists of lemmas 10 | for other libraries to prove higher-level theorems. Parts may be trusted with 11 | respect to a particular top-level theorem if definitions from the theory are 12 | used in the statement of that theorem. 13 | -------------------------------------------------------------------------------- /new/golang/defn.v: -------------------------------------------------------------------------------- 1 | From New.golang.defn Require Export core. 2 | From New.golang.defn Require Export 3 | slice array map string interface defer chan builtin. 4 | -------------------------------------------------------------------------------- /new/golang/defn/array.v: -------------------------------------------------------------------------------- 1 | From New Require Import notation. 2 | From New.golang.defn Require Import typing list. 3 | 4 | (** Fixed-size arrays. 5 | 6 | NOTE: this library is incomplete, even the signatures here could be wrong. 7 | *) 8 | 9 | Module array. 10 | Section defn. 11 | Context `{ffi_syntax}. 12 | 13 | Definition elem_ref : val := 14 | λ: "et" "a" "i", Panic "todo". 15 | 16 | Definition elem_get : val := 17 | λ: "et" "a" "i", Panic "todo". 18 | 19 | (* t here is the array type, not the element type *) 20 | Definition len : val := 21 | λ: "t", Panic "todo". 22 | 23 | (* t here is the array type, not the element type *) 24 | Definition cap : val := 25 | λ: "t", len "t". 26 | 27 | Definition slice : val := 28 | λ: "t" "a", Panic "todo". 29 | 30 | (* takes a list as input, and makes an array value *) 31 | Definition literal : val := 32 | rec: "literal" "len" "elems" := 33 | list.Match "elems" (λ: <>, #()) (λ: "hd" "tl", ("hd", "literal" "tl")). 34 | End defn. 35 | End array. 36 | -------------------------------------------------------------------------------- /new/golang/defn/assume.v: -------------------------------------------------------------------------------- 1 | From New Require Import notation. 2 | From New.golang.defn Require Import exception. 3 | From Perennial Require Import base. 4 | 5 | Section defn. 6 | 7 | Context `{!ffi_syntax}. 8 | 9 | (** [assume e] goes into an infinite loop if e does not hold *) 10 | Definition assume : val := 11 | λ: "cond", if: "cond" then #() else 12 | (rec: "infloop" <> := "infloop" #()) #(). 13 | 14 | (** Assume "a" + "b" doesn't overflow. *) 15 | Definition assume_sum_no_overflow : val := 16 | λ: "a" "b", assume ("a" ≤ #(W64 (2^64-1)) - "b");; #(). 17 | 18 | (** Assume "a" + "b" doesn't overflow and return the sum. *) 19 | Definition sum_assume_no_overflow : val := 20 | λ: "a" "b", assume_sum_no_overflow "a" "b";; 21 | "a" + "b". 22 | 23 | Definition mul_overflows : val := 24 | λ: "a" "b", if: ("a" = #(W64 0)) || ("b" = #(W64 0)) then #false 25 | else "a" > #(W64 (2^64-1)) `quot` "b". 26 | 27 | (** Assume "a" * "b" doesn't overflow (as unsigned 64-bit integers) *) 28 | Definition assume_mul_no_overflow : val := 29 | λ: "a" "b", assume (~ mul_overflows "a" "b"). 30 | 31 | End defn. 32 | -------------------------------------------------------------------------------- /new/golang/defn/chan.v: -------------------------------------------------------------------------------- 1 | From New.golang.defn Require Import mem loop typing. 2 | 3 | Module chan. 4 | Section defns. 5 | Context `{ffi_syntax}. 6 | 7 | (* takes type as first argument *) 8 | Axiom make : val. 9 | Axiom receive : val. 10 | Axiom send : val. 11 | Axiom select : val. 12 | Axiom close : val. 13 | Axiom len : val. 14 | Axiom cap : val. 15 | Axiom for_range : val. 16 | 17 | (* FIXME: seal these functions *) 18 | Definition select_no_default : val := 19 | InjLV #(). 20 | 21 | Definition select_default : val := 22 | λ: "f", InjR "f". 23 | 24 | Definition select_send : val := 25 | λ: "v" "ch" "f", InjL ("v", "ch", "f"). 26 | 27 | Definition select_receive : val := 28 | λ: "ch" "f", InjR ("ch", "f"). 29 | 30 | End defns. 31 | End chan. 32 | -------------------------------------------------------------------------------- /new/golang/defn/core.v: -------------------------------------------------------------------------------- 1 | (* a set of "core" libraries for goose code, intended to bootstrap models that 2 | are written in Go and translated with goose *) 3 | From Perennial.goose_lang Require Export lang notation. 4 | From New.golang.defn Require Export 5 | typing dynamic_typing globals exception 6 | mem struct pkg loop list. 7 | Open Scope struct_scope. 8 | -------------------------------------------------------------------------------- /new/golang/defn/defer.v: -------------------------------------------------------------------------------- 1 | From New.golang.defn Require Import exception mem. 2 | From Perennial Require Import base. 3 | 4 | Section defn. 5 | Context `{!ffi_syntax}. 6 | 7 | Definition wrap_defer : val := 8 | λ: "body", 9 | let: "$defer" := (alloc #(func.mk <> <> #())) in 10 | let: "$func_ret" := exception_do ("body" "$defer") in 11 | (![#funcT] "$defer") #();; 12 | "$func_ret". 13 | 14 | End defn. 15 | 16 | Global Notation "with_defer: e" := (wrap_defer (λ: "$defer", e%E)%E) 17 | (at level 90, e at level 85, format "with_defer: '[' e ']'") : expr_scope. 18 | 19 | Global Notation "with_defer': e" := (wrap_defer (λ: "$defer", e%E)%V) 20 | (at level 90, e at level 85, format "with_defer': '[' e ']'") : expr_scope. 21 | -------------------------------------------------------------------------------- /new/golang/defn/notation.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Export lang notation. 2 | From Perennial Require Export base. 3 | -------------------------------------------------------------------------------- /new/golang/defn/pkg.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import notation. 2 | From New.golang.defn Require Export typing. 3 | 4 | (** [PkgInfo] associates a pkg_name to its static information. *) 5 | Class PkgInfo (pkg_name: go_string) `{ffi_syntax} := { 6 | pkg_vars : list (go_string * go_type); 7 | pkg_functions : list (go_string * val); 8 | pkg_msets : list (go_string * (list (go_string * val))); 9 | pkg_imported_pkgs : list go_string; 10 | }. 11 | 12 | Arguments pkg_vars (pkg_name) {_ _}. 13 | Arguments pkg_functions (pkg_name) {_ _}. 14 | Arguments pkg_msets (pkg_name) {_ _}. 15 | Arguments pkg_imported_pkgs (pkg_name) {_ _}. 16 | -------------------------------------------------------------------------------- /new/golang/theory.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Export lang. 2 | From New.golang Require Export defn. 3 | From New.golang.theory Require Export exception list typing dynamic_typing loop struct 4 | slice map interface defer typing builtin primitive chan pkg auto globals. 5 | From New.golang.theory Require Export typed_pointsto mem. 6 | From Perennial Require Export base. 7 | 8 | Export uPred. (* XXX: inherited from proof_prelude.v; not sure why it's here. *) 9 | Global Set Default Proof Using "Type". 10 | Global Set Printing Projections. 11 | -------------------------------------------------------------------------------- /new/golang/theory/defer.v: -------------------------------------------------------------------------------- 1 | From New.golang.theory Require Import exception mem. 2 | From New.golang.defn Require Export defer. 3 | 4 | Section proof. 5 | Context `{ffi_sem: ffi_semantics} `{!ffi_interp ffi} `{!heapGS Σ}. 6 | 7 | Lemma wp_with_defer e Φ : 8 | (∀ (defer : loc), 9 | defer ↦ (func.mk <> <> #())%V -∗ 10 | WP (let: "$func_ret" := exception_do (subst "$defer" #defer e) in ![#funcT] #defer #();; "$func_ret") 11 | {{ Φ }}) -∗ 12 | WP (wrap_defer #(func.mk <> ("$defer" : string) e)) {{ Φ }}. 13 | Proof. 14 | iIntros "Hwp". 15 | wp_call. 16 | wp_apply wp_alloc. iIntros (defer) "Hdefer". wp_pures. 17 | iApply "Hwp". iFrame. 18 | Qed. 19 | 20 | End proof. 21 | -------------------------------------------------------------------------------- /new/golang/theory/primitive.v: -------------------------------------------------------------------------------- 1 | From New Require Export notation. 2 | From New.golang.theory Require Import typing proofmode. 3 | From Perennial Require Import base. 4 | 5 | Set Default Proof Using "Type". 6 | 7 | Section wps. 8 | 9 | Context `{sem: ffi_semantics} `{!ffi_interp ffi} `{!heapGS Σ}. 10 | 11 | (* use new goose's to_val for the return value *) 12 | Lemma wp_fork s E e Φ : 13 | ▷ WP e @ s; ⊤ {{ _, True }} -∗ ▷ Φ #() -∗ WP Fork e @ s; E {{ Φ }}. 14 | Proof. 15 | iIntros "Hwp HΦ". 16 | wp_apply (lifting.wp_fork with "[$Hwp]"). 17 | replace (LitV LitUnit) with #(). 18 | { iFrame "HΦ". } 19 | rewrite to_val_unseal //. 20 | Qed. 21 | 22 | (* use new goose's to_val for the return value *) 23 | Lemma wp_ArbitraryInt s E Φ : 24 | ▷ (∀ (x: w64), Φ #x) -∗ WP ArbitraryInt @ s; E {{ Φ }}. 25 | Proof. 26 | iIntros "HΦ". 27 | wp_apply (lifting.wp_ArbitraryInt). 28 | iIntros (x) "_". 29 | replace (LitV x) with #x. 30 | { iApply "HΦ". } 31 | rewrite to_val_unseal //. 32 | Qed. 33 | 34 | End wps. 35 | -------------------------------------------------------------------------------- /new/golang/theory/proofmode_tests.v: -------------------------------------------------------------------------------- 1 | From New.golang Require Import theory. 2 | 3 | Section mem. 4 | 5 | Context `{ffi_sem: ffi_semantics} `{!ffi_interp ffi} `{!heapGS Σ}. 6 | 7 | Lemma failing_wp_load_error_message (x y : loc) Φ : 8 | y ↦ (W64 0) -∗ 9 | WP (do: load_ty uint64T #x ;;; load_ty uint64T #y) {{ Φ }}. 10 | Proof. 11 | iIntros "Hy". 12 | Fail wp_load. 13 | (* 14 | Init.Tactic_failure (Init.Some message:(wp_load: could not find a points-to in context covering the address)) 15 | *) 16 | Abort. 17 | 18 | End mem. 19 | -------------------------------------------------------------------------------- /new/grove_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang. 2 | From Perennial.goose_lang Require Import ffi.grove_ffi.impl. 3 | #[global] 4 | Existing Instances grove_op grove_model. 5 | -------------------------------------------------------------------------------- /new/manualproof/fmt.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/manualproof/fmt.v -------------------------------------------------------------------------------- /new/manualproof/github_com/goose_lang/primitive.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/manualproof/github_com/goose_lang/primitive.v -------------------------------------------------------------------------------- /new/manualproof/github_com/goose_lang/primitive/disk.v: -------------------------------------------------------------------------------- 1 | Require Export New.proof.disk_prelude. 2 | Require Export New.golang.theory. 3 | 4 | Require Export New.code.github_com.goose_lang.primitive.disk. 5 | Module disk. 6 | Module Disk. 7 | Definition t := loc. 8 | End Disk. 9 | 10 | Section instances. 11 | 12 | Global Instance : IntoVal Disk.t := _. 13 | Global Program Instance into_val_typed_Disk : IntoValTyped Disk.t disk.Disk := _. 14 | 15 | End instances. 16 | 17 | End disk. 18 | -------------------------------------------------------------------------------- /new/manualproof/github_com/mit_pdos/gokv/grove_ffi.v: -------------------------------------------------------------------------------- 1 | Require Export New.proof.proof_prelude. 2 | Require Export New.golang.theory. 3 | 4 | Module grove_ffi. 5 | Module Connection. 6 | Definition t := loc. 7 | End Connection. 8 | End grove_ffi. 9 | -------------------------------------------------------------------------------- /new/manualproof/github_com/mit_pdos/gokv/trusted_proph.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/manualproof/github_com/mit_pdos/gokv/trusted_proph.v -------------------------------------------------------------------------------- /new/manualproof/log.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/manualproof/log.v -------------------------------------------------------------------------------- /new/manualproof/sync/atomic.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/manualproof/sync/atomic.v -------------------------------------------------------------------------------- /new/proof/chan.v: -------------------------------------------------------------------------------- 1 | (** This provides more specialized specs for some common channel patterns. *) 2 | From New.proof.chan_proof Require Export closeable onetimebarrier. 3 | -------------------------------------------------------------------------------- /new/proof/disk_prelude.v: -------------------------------------------------------------------------------- 1 | From New.proof Require Export proof_prelude. 2 | From Perennial.program_logic Require Export atomic_fupd. 3 | From New Require Import disk_prelude. 4 | From Perennial.goose_lang.ffi Require Import disk_prelude. 5 | 6 | #[global] 7 | Existing Instances disk_semantics disk_interp. 8 | #[global] 9 | Existing Instances goose_diskGS. 10 | 11 | (* Make sure Z_scope is open. *) 12 | Local Lemma Z_scope_test : (0%Z) + (0%Z) = 0%Z. 13 | Proof. done. Qed. 14 | -------------------------------------------------------------------------------- /new/proof/fmt.v: -------------------------------------------------------------------------------- 1 | From New.generatedproof Require Import fmt. 2 | From New.proof Require Import proof_prelude. 3 | 4 | Section proof. 5 | Context `{hG: heapGS Σ, !ffi_semantics _ _} `{!goGlobalsGS Σ}. 6 | 7 | #[global] Program Instance : IsPkgInit fmt := ltac2:(build_pkg_init ()). 8 | 9 | End proof. 10 | -------------------------------------------------------------------------------- /new/proof/github_com/goose_lang/primitive.v: -------------------------------------------------------------------------------- 1 | From New.proof Require Import proof_prelude. 2 | Require Import New.code.github_com.goose_lang.primitive. 3 | Require Import New.generatedproof.github_com.goose_lang.primitive. 4 | 5 | Section wps. 6 | Context `{hG: heapGS Σ, !ffi_semantics _ _}. 7 | Context `{!goGlobalsGS Σ}. 8 | 9 | #[global] 10 | Program Instance is_pkg_init_inst : IsPkgInit (PROP:=iProp Σ) primitive := 11 | ltac2:(build_pkg_init ()). 12 | 13 | Lemma wp_Assume (cond : bool) : 14 | {{{ is_pkg_init primitive }}} 15 | primitive@"Assume" #cond 16 | {{{ RET #(); ⌜ cond = true ⌝ }}} 17 | . 18 | Proof. 19 | wp_start as "#Hdef". 20 | destruct cond; wp_auto. 21 | - iApply ("HΦ" with "[//]"). 22 | - iLöb as "IH". wp_auto. 23 | wp_apply ("IH" with "[$]"). 24 | Qed. 25 | 26 | Lemma wp_RandomUint64 : 27 | {{{ is_pkg_init primitive }}} 28 | primitive@"RandomUint64" #() 29 | {{{ (x: w64), RET #x; True }}} 30 | . 31 | Proof. 32 | wp_start as "_". 33 | wp_apply wp_ArbitraryInt. 34 | iIntros (x). 35 | iApply "HΦ". 36 | done. 37 | Qed. 38 | 39 | End wps. 40 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/go_journal/buf.v: -------------------------------------------------------------------------------- 1 | From New.proof.github_com.mit_pdos.go_journal.buf_proof Require Export 2 | defs buf_proof. 3 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/go_journal/common.v: -------------------------------------------------------------------------------- 1 | Require Import New.generatedproof.github_com.mit_pdos.go_journal.common. 2 | Require Import New.proof.proof_prelude. 3 | Require Import New.proof.github_com.goose_lang.primitive.disk. 4 | 5 | Section proof. 6 | Context `{!heapGS Σ} `{!goGlobalsGS Σ}. 7 | 8 | #[global] 9 | Program Instance : IsPkgInit common := ltac2:(build_pkg_init ()). 10 | 11 | End proof. 12 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/go_journal/wal.v: -------------------------------------------------------------------------------- 1 | (* Temporarily Require intermediate files, 2 | * since we don't have top-level theorems yet. 3 | *) 4 | Require Import New.generatedproof.github_com.mit_pdos.go_journal.wal. 5 | From New.proof.github_com.mit_pdos.go_journal.wal_proof Require Export 6 | abstraction transitions txns_ctx thread_owned. 7 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/urpc.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/urpc.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/apps/closed.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/apps/closed.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/apps/closed_proof/print_assumptions.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.vrsm Require kv_proof closed_proof config_proof reconfig.proof. 2 | From Perennial.program_proof.cachekv Require proof. 3 | 4 | Definition lemmas := 5 | (@config_proof.wp_StartServer, 6 | @reconfig.proof.wp_Reconfig, 7 | @kv_proof.wp_Start, 8 | @kv_proof.wp_MakeClerk, 9 | @kv_proof.wp_Clerk__Put, 10 | @kv_proof.wp_Clerk__Get, 11 | @kv_proof.wp_Clerk__CondPut, 12 | @cachekv.proof.wp_CacheKv__Get, 13 | @cachekv.proof.wp_CacheKv__GetAndCache, 14 | @cachekv.proof.wp_CacheKv__Put 15 | ). 16 | 17 | Print Assumptions lemmas. 18 | 19 | Print Assumptions closed_proof.closed.closed_bank. 20 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/apps/exactlyonce.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/apps/exactlyonce.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/apps/exactlyonce_proof/log.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From iris.algebra Require Export mono_list. 3 | Section log_defn. 4 | 5 | Context `{!inG Σ (mono_listR (leibnizO A))}. 6 | Definition own_log γ l := own γ (●ML{#1/2} l). 7 | 8 | End log_defn. 9 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/apps/vkv.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/apps/vkv.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/clerk.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/clerk.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/configservice.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/configservice.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/e.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/e.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/paxos.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/paxos.v -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/paxos_proof/clerk_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From Goose.github_com.mit_pdos.gokv Require paxos. 3 | From Perennial.program_proof.reconnectclient Require Import proof. 4 | From Perennial Require Export paxos.definitions. 5 | 6 | Section clerk_proof. 7 | Context `{!heapGS Σ}. 8 | Context `{!paxosG Σ}. 9 | Context `{Hparams:!paxosParams.t Σ}. 10 | Import paxosParams. 11 | 12 | Lemma wp_makeSingleClerk (host:u64) γ γsrv : 13 | {{{ 14 | is_paxos_host host γ γsrv 15 | }}} 16 | MakeSingleClerk #host 17 | {{{ 18 | ck, RET #ck; is_singleClerk ck γ γsrv 19 | }}} 20 | . 21 | Proof. 22 | iIntros (?) "#Hhost HΦ". 23 | wp_rec. 24 | wp_apply wp_MakeReconnectingClient. 25 | iIntros (?) "#Hcl". 26 | wp_apply (wp_allocStruct); first by val_ty. 27 | iIntros (?) "Hs". iDestruct (struct_fields_split with "Hs") as "HH". 28 | iNamed "HH". 29 | iMod (readonly_alloc_1 with "cl") as "#cl". 30 | wp_pures. iModIntro. iApply "HΦ". 31 | repeat iExists _; iFrame "#". 32 | Qed. 33 | 34 | End clerk_proof. 35 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/paxos_proof/weakread_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From Goose.github_com.mit_pdos.gokv.vrsm Require paxos. 3 | From Perennial Require Export paxos.definitions. 4 | 5 | Section weakread_proof. 6 | 7 | Context `{!heapGS Σ}. 8 | Context `{Hparams:!paxosParams.t Σ}. 9 | Import paxosParams. 10 | Context `{!paxosG Σ}. 11 | 12 | Lemma wp_Server__WeakRead s γ γsrv : 13 | {{{ 14 | is_Server s γ γsrv 15 | }}} 16 | Server__WeakRead #s 17 | {{{ 18 | (state:list u8) sl, RET (slice_val sl); 19 | readonly (own_slice_small sl byteT (DfracOwn 1) state) ∗ 20 | Pwf state 21 | }}}. 22 | Proof. 23 | iIntros (Φ) "#Hsrv HΦ". 24 | wp_rec. wp_pures. 25 | iNamed "Hsrv". 26 | wp_loadField. 27 | wp_apply (wp_Mutex__Lock with "[$]"). 28 | iIntros "[Hlocked Hown]". 29 | iNamed "Hown". 30 | iNamed "Hvol". 31 | wp_loadField. 32 | wp_loadField. 33 | wp_loadField. 34 | wp_apply (wp_Mutex__Unlock with "[-HΦ]"). 35 | { 36 | do 2 iFrame "∗#%". 37 | } 38 | wp_pures. 39 | iModIntro. 40 | iApply "HΦ". 41 | iFrame "∗#". 42 | Qed. 43 | 44 | End weakread_proof. 45 | -------------------------------------------------------------------------------- /new/proof/github_com/mit_pdos/gokv/vrsm/replica.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/new/proof/github_com/mit_pdos/gokv/vrsm/replica.v -------------------------------------------------------------------------------- /new/proof/go_etcd_io/etcd/raft/v3.v: -------------------------------------------------------------------------------- 1 | From New.code.go_etcd_io.raft Require Import v3. 2 | Require Import New.generatedproof.go_etcd_io.raft.v3 3 | New.generatedproof.go_etcd_io.raft.v3.raftpb. 4 | From New.proof Require Import grove_prelude. 5 | 6 | Section proof. 7 | Context `{!heapGS Σ}. 8 | 9 | End proof. 10 | -------------------------------------------------------------------------------- /new/proof/grove_prelude.v: -------------------------------------------------------------------------------- 1 | From New.proof Require Export proof_prelude. 2 | From New Require Export atomic_fupd. 3 | From New Require Export grove_prelude. 4 | From Perennial.goose_lang.ffi.grove_ffi Require Import grove_ffi. 5 | 6 | #[global] 7 | Existing Instances grove_semantics grove_interp. 8 | #[global] 9 | Existing Instances goose_groveGS goose_groveNodeGS. 10 | 11 | (* Make sure Z_scope is open. *) 12 | Local Lemma Z_scope_test : (0%Z) + (0%Z) = 0%Z. 13 | Proof. done. Qed. 14 | -------------------------------------------------------------------------------- /new/proof/log.v: -------------------------------------------------------------------------------- 1 | Require Import New.code.log. 2 | Require Import New.generatedproof.log. 3 | Require Import New.proof.proof_prelude. 4 | 5 | Section heap. 6 | Context `{heapGS Σ, !ffi_semantics _ _}. 7 | Context `{!goGlobalsGS Σ}. 8 | 9 | #[global] 10 | Program Instance : IsPkgInit log := ltac2:(build_pkg_init ()). 11 | 12 | Theorem wp_Printf (msg: go_string) (arg: slice.t) : 13 | {{{ is_pkg_init log }}} 14 | log@"Printf" #msg #arg 15 | {{{ RET #(); True }}}. 16 | Proof. 17 | wp_start as "_". iApply "HΦ". done. 18 | Qed. 19 | 20 | End heap. 21 | -------------------------------------------------------------------------------- /new/proof/proof_prelude.v: -------------------------------------------------------------------------------- 1 | From iris.algebra Require Export auth gmap frac agree excl vector. 2 | From Perennial.algebra Require Export big_op. 3 | From Perennial.Helpers Require Export 4 | Tactics List ListLen BigOp Transitions ModArith iris ipm. 5 | From Perennial.base_logic Require Export ghost_var. 6 | From Perennial.program_logic Require Export ncinv. 7 | From New.golang Require Export theory. 8 | From Perennial Require Export base. 9 | Export uPred. 10 | 11 | Global Set Default Proof Using "Type". 12 | Global Set Printing Projections. 13 | -------------------------------------------------------------------------------- /new/proof/sync.v: -------------------------------------------------------------------------------- 1 | From New.proof.sync_proof Require Export 2 | base cond mutex rwmutex_guard waitgroup. 3 | -------------------------------------------------------------------------------- /new/should_build.v: -------------------------------------------------------------------------------- 1 | From New.generatedproof.github_com.goose_lang.goose.testdata.examples 2 | Require unittest semantics. 3 | (* required just to make sure this demo works *) 4 | From New.golang.theory Require static_mem. 5 | From New.proof Require go_etcd_io.etcd.raft.v3. 6 | From New.proof.github_com.mit_pdos.gokv Require partialapp asyncfile lockservice globals_test. 7 | From New.proof.github_com.goose_lang.goose.testdata.examples 8 | Require unittest unittest.generics. 9 | (* TODO: change to importing the proof once that works *) 10 | From New.generatedproof.github_com.goose_lang.goose.testdata.examples 11 | Require channel. 12 | 13 | From New.proof Require go_etcd_io.etcd.client.v3.leasing. 14 | From New.proof Require Import chan context. 15 | 16 | Require New.generatedproof.github_com.mit_pdos.gokv.vrsm.apps.closed. 17 | 18 | From New.proof.github_com.mit_pdos.go_journal Require 19 | common addr util lockmap alloc buf wal. 20 | 21 | From New.proof Require Import inG_problem. 22 | -------------------------------------------------------------------------------- /new/trusted_code/fmt.v: -------------------------------------------------------------------------------- 1 | From New.golang Require Export defn. 2 | (* From New.code_axioms Require Import fmt. *) 3 | 4 | Section code. 5 | Context `{ffi_syntax}. 6 | 7 | (* FIXME: Returns some stuff *) 8 | Definition Print : val := 9 | λ: "format" "a", 10 | Panic "unimplemented". 11 | 12 | (* FIXME: Returns some stuff *) 13 | Definition Printf : val := 14 | λ: "a", 15 | Panic "unimplemented". 16 | 17 | End code. 18 | -------------------------------------------------------------------------------- /new/trusted_code/github_com/goose_lang/primitive/disk.v: -------------------------------------------------------------------------------- 1 | (* TODO: this isn't correct, the new translation needs certain go_type definitions *) 2 | From Perennial.goose_lang.ffi Require Export disk_ffi.impl. 3 | From New.golang Require Import defn. 4 | 5 | #[global] 6 | Existing Instances disk_op disk_model. 7 | Section disk. 8 | 9 | Definition Disk : go_type := ptrT. 10 | 11 | Definition BlockSize := 12 | #(W64 4096). 13 | 14 | Definition Get: val := 15 | λ: <>, ExtV (). 16 | 17 | Definition Read: val := 18 | λ: "a", 19 | let: "p" := ExternalOp ReadOp (Var "a") in 20 | (InjL (Var "p", #(W64 4096), #(W64 4096))). 21 | 22 | Definition ReadTo: val := 23 | λ: "a" "buf", 24 | let: "p" := ExternalOp ReadOp (Var "a") in 25 | slice.copy #byteT (Var "buf") (Var "p", #(W64 4096), #(W64 4096)). 26 | 27 | Definition Write: val := 28 | λ: "a" "b", 29 | ExternalOp WriteOp (Var "a", slice.ptr (Var "b")). 30 | 31 | Definition Barrier: val := 32 | λ: <>, #(). 33 | 34 | Definition Size: val := 35 | λ: "v", 36 | ExternalOp SizeOp (Var "v"). 37 | 38 | End disk. 39 | -------------------------------------------------------------------------------- /new/trusted_code/github_com/mit_pdos/gokv/trusted_proph.v: -------------------------------------------------------------------------------- 1 | From New.golang Require Import defn. 2 | 3 | Section defs. 4 | Context `{ffi_syntax}. 5 | 6 | Definition NewProph : val := 7 | λ: <>, goose_lang.NewProph. 8 | 9 | Definition BytesToVal : val := 10 | λ: "sl", 11 | let: "res" := ref list.Nil in 12 | slice.for_range #byteT "slice" (λ: "idx" "val", 13 | "res" <- list.Cons "val" (!"res") 14 | ) "slice";;; 15 | !"res". 16 | 17 | Definition ResolveBytes : val := 18 | λ: "p" "slice", 19 | let: "bytesval" := BytesToVal "slice" in 20 | goose_lang.ResolveProph "p" "bytesval". 21 | 22 | End defs. 23 | -------------------------------------------------------------------------------- /new/trusted_code/log.v: -------------------------------------------------------------------------------- 1 | From New.golang Require Import defn. 2 | 3 | Section code. 4 | Context `{ffi_syntax}. 5 | 6 | Definition Printf : val := 7 | λ: "format" "vs", #(). 8 | Definition Println : val := 9 | λ: "vs", #(). 10 | 11 | End code. 12 | -------------------------------------------------------------------------------- /new/trusted_code/sync/atomic.v: -------------------------------------------------------------------------------- 1 | From New.golang Require Import defn. 2 | 3 | Module atomic. 4 | Section code. 5 | Context `{ffi_syntax}. 6 | 7 | Definition LoadUint64 : val := 8 | λ: "addr", Load "addr". 9 | 10 | Definition StoreUint64 : val := 11 | λ: "addr" "val", AtomicStore "addr" "val". 12 | 13 | Definition AddUint64 : val := 14 | λ: "addr" "val", AtomicOp PlusOp "addr" "val". 15 | 16 | Definition CompareAndSwapUint64 : val := 17 | λ: "addr" "old" "new", 18 | Snd (CmpXchg "addr" "old" "new"). 19 | 20 | Definition LoadInt32 : val := 21 | λ: "addr", Load "addr". 22 | 23 | Definition StoreInt32 : val := 24 | λ: "addr" "val", AtomicStore "addr" "val". 25 | 26 | Definition AddInt32 : val := 27 | λ: "addr" "val", AtomicOp PlusOp "addr" "val". 28 | 29 | Definition CompareAndSwapInt32 : val := 30 | λ: "addr" "old" "new", 31 | Snd (CmpXchg "addr" "old" "new"). 32 | 33 | End code. 34 | End atomic. 35 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [project] 2 | name = "perennial" 3 | version = "2024.0.0" 4 | dependencies = [ 5 | "ruff==0.11.12", 6 | ] 7 | 8 | [tool.ruff] 9 | exclude = [ 10 | "src/goose_lang/examples/nfs_spec", 11 | "external", 12 | ] 13 | -------------------------------------------------------------------------------- /src/Helpers/BigOp.v: -------------------------------------------------------------------------------- 1 | From iris.algebra Require Import gmap. 2 | From iris.proofmode Require Import tactics. 3 | From Perennial.base_logic.lib Require Import iprop. 4 | From Perennial.algebra Require Import big_op. 5 | From Perennial.goose_lang Require Import lang. 6 | 7 | Theorem heap_array_to_list {Σ} {A} l0 (vs: list A) (P: loc -> A -> iProp Σ) : 8 | ([∗ map] l↦v ∈ heap_array l0 vs, P l v) ⊣⊢ 9 | ([∗ list] i↦v ∈ vs, P (l0 +ₗ i) v). 10 | Proof. 11 | (iInduction (vs) as [| v vs] "IH" forall (l0)). 12 | - simpl. 13 | rewrite big_sepM_empty. 14 | auto. 15 | - simpl. 16 | rewrite loc_add_0. 17 | rewrite big_sepM_union. 18 | { rewrite big_sepM_singleton. 19 | setoid_rewrite loc_add_Sn. 20 | iSpecialize ("IH" $! (l0 +ₗ 1)). 21 | iSplit. 22 | + iIntros "($&Hm)". 23 | iApply ("IH" with "Hm"). 24 | + iIntros "($&Hl)". 25 | iApply ("IH" with "Hl"). 26 | } 27 | symmetry. 28 | apply heap_array_map_disjoint; intros. 29 | apply (not_elem_of_dom (D := gset loc)). 30 | rewrite dom_singleton elem_of_singleton addr_plus_plus. 31 | intros ?%loc_add_ne; auto; lia. 32 | Qed. 33 | -------------------------------------------------------------------------------- /src/Helpers/Fractional.v: -------------------------------------------------------------------------------- 1 | From iris.algebra Require Import gmap. 2 | From iris.proofmode Require Import tactics. 3 | From iris.bi.lib Require Import fractional. 4 | From Perennial.base_logic.lib Require Import iprop. 5 | From Perennial.Helpers Require Import Qextra. 6 | 7 | Section bi. 8 | Context {PROP:bi} `{!BiAffine PROP}. 9 | Set Default Proof Using "All". 10 | 11 | Implicit Types (P:PROP) (Φ: Qp → PROP) (q: Qp). 12 | 13 | Theorem fractional_weaken Φ `{fractional.Fractional _ Φ} q1 q2 : 14 | (q1 ≤ q2)%Qp -> 15 | Φ q2 -∗ Φ q1. 16 | Proof. 17 | iIntros ([Hlt%Qp_split_lt|<-]%Qp.le_lteq) "H". 18 | - destruct Hlt as [? <-]. 19 | rewrite fractional. 20 | iDestruct "H" as "[$ _]". 21 | - done. 22 | Qed. 23 | 24 | Theorem as_fractional_weaken `{!fractional.AsFractional P Φ q2} q1 : 25 | (q1 ≤ q2)%Qp → 26 | P -∗ Φ q1. 27 | Proof. 28 | iIntros (?) "HP". 29 | iDestruct (as_fractional (Φ:=Φ) with "HP") as "HΦ". 30 | iApply fractional_weaken; eauto. 31 | by destruct H. 32 | Qed. 33 | 34 | End bi. 35 | -------------------------------------------------------------------------------- /src/Helpers/Integers.v: -------------------------------------------------------------------------------- 1 | From coqutil.Word Require Export Interface Properties. 2 | From Perennial.Helpers.Word 3 | Require Export Integers Properties MulOverflow LittleEndian Automation. 4 | -------------------------------------------------------------------------------- /src/Helpers/ModArith.v: -------------------------------------------------------------------------------- 1 | From Coq Require Import ZArith. 2 | From Coq Require Import ssreflect. 3 | From stdpp Require Import base numbers. 4 | From Perennial.Helpers Require Import Integers. 5 | 6 | Open Scope Z_scope. 7 | Set Default Goal Selector "!". 8 | Set Default Proof Using "Type". 9 | 10 | Theorem sum_overflow_check (x y: u64) : 11 | uint.Z (word.add x y) < uint.Z x <-> uint.Z x + uint.Z y >= 2^64. 12 | Proof. word. Qed. 13 | 14 | Lemma sum_nooverflow_l (x y : u64) : 15 | uint.Z x ≤ uint.Z (word.add x y) → 16 | uint.Z (word.add x y) = (uint.Z x) + (uint.Z y). 17 | Proof. word. Qed. 18 | 19 | Lemma word_add_comm (x y : u64) : 20 | word.add x y = word.add y x. 21 | Proof. word. Qed. 22 | 23 | Lemma sum_nooverflow_r (x y : u64) : 24 | uint.Z y ≤ uint.Z (word.add x y) → 25 | uint.Z (word.add x y) = (uint.Z x) + (uint.Z y). 26 | Proof. word. Qed. 27 | 28 | Theorem word_add1_neq (x: u64) : 29 | uint.Z x ≠ uint.Z (word.add x (W64 1)). 30 | Proof. word. Qed. 31 | -------------------------------------------------------------------------------- /src/Helpers/NamedProps.v: -------------------------------------------------------------------------------- 1 | (* Named propositions are implemented externally at 2 | https://github.com/tchajed/iris-named-props 3 | 4 | This file is only here for backwards-compatibility (to avoid changing many 5 | imports). *) 6 | From iris_named_props Require Export named_props. 7 | -------------------------------------------------------------------------------- /src/Helpers/NatDivMod.v: -------------------------------------------------------------------------------- 1 | (* import ZifyNat to bring some Zify instances into scope *) 2 | Require Import ZArith ZifyInst ZifyNat Lia. 3 | 4 | (* the user should probably also use this - we don't (yet) enable it globally in 5 | Perennial *) 6 | #[local] Ltac Zify.zify_post_hook ::= Z.div_mod_to_equations. 7 | 8 | Goal forall (n:nat), 2 * n mod 2 = 0. 9 | Proof. 10 | intros. 11 | lia. 12 | Qed. 13 | -------------------------------------------------------------------------------- /src/Helpers/Tactics.v: -------------------------------------------------------------------------------- 1 | From stdpp Require Import base option fin_maps. 2 | From Perennial.Helpers Require Import Integers. 3 | 4 | Ltac solve_inhabited := 5 | lazymatch goal with 6 | | [ |- Inhabited _ ] => apply populate; constructor; apply inhabitant 7 | end. 8 | 9 | Notation "'populate!'" := (ltac:(solve_inhabited)) (at level 0, only parsing). 10 | 11 | Tactic Notation "fmap_Some" "in" hyp(H) "as" simple_intropattern(x) := 12 | try lazymatch type of H with 13 | | @lookup _ _ (list _) _ _ (fmap _ _) = _ => 14 | rewrite list_lookup_fmap in H 15 | | lookup _ (fmap _ _) = _ => 16 | rewrite lookup_fmap in H 17 | end ; 18 | lazymatch type of H with 19 | | fmap _ _ = Some ?v => 20 | let Heq := fresh "Heq" in 21 | apply fmap_Some_1 in H as [x [H Heq]]; 22 | try (is_var v; subst v) 23 | | _ => fail 1 "fmap_Some:" H "is not an fmap equality" 24 | end. 25 | 26 | Tactic Notation "fmap_Some" "in" hyp(H) := fmap_Some in H as ?. 27 | -------------------------------------------------------------------------------- /src/Helpers/Word/Properties.v: -------------------------------------------------------------------------------- 1 | From stdpp Require Import prelude. 2 | From coqutil.Word Require Import Interface Properties. 3 | From Perennial.Helpers.Word Require Import Integers Automation. 4 | 5 | (* should maybe convert this into an explicit match on ints at some point *) 6 | Definition u8_to_ascii (x:byte) : Ascii.ascii := Ascii.ascii_of_nat (uint.nat x). 7 | 8 | (* conversion to string *) 9 | Definition u8_to_string (x:byte) : String.string := String.String (u8_to_ascii x) String.EmptyString. 10 | 11 | Definition u64_round_up (x div : u64) := let x' := word.add x div in word.mul (word.divu x' div) div. 12 | 13 | Lemma seq_U64_NoDup (m len : Z) : 14 | 0 ≤ m → 15 | m+len < 2^64 → 16 | NoDup (W64 <$> seqZ m len). 17 | Proof. 18 | intros Hlb Hub. apply NoDup_fmap_2_strong. 19 | 2:{ apply NoDup_seqZ. } 20 | setoid_rewrite elem_of_seqZ. intros; word. 21 | Qed. 22 | 23 | Lemma w64_to_nat_id x : W64 (Z.of_nat (uint.nat x)) = x. 24 | Proof. word. Qed. 25 | 26 | (* FIXME:(stdpp) These are missing from stdpp numbers.v *) 27 | Global Instance Nat_ge_dec : RelDecision ge := ge_dec. 28 | Global Instance Nat_gt_dec : RelDecision gt := gt_dec. 29 | -------------------------------------------------------------------------------- /src/Helpers/gset.v: -------------------------------------------------------------------------------- 1 | From stdpp Require Import gmap. 2 | From Coq Require Import ssreflect. 3 | 4 | Lemma gset_elem_is_empty `{Countable A} (c:gset A) : 5 | (forall x, x ∉ c) → 6 | c = ∅. 7 | Proof. 8 | intros Hnoelem. 9 | apply set_eq; intros. 10 | split; intros Helem. 11 | - contradiction (Hnoelem x). 12 | - contradiction (not_elem_of_empty (C:=gset A) x). 13 | Qed. 14 | 15 | Lemma set_split_element `{!EqDecision L, !Countable L} (d: gset L) a : 16 | a ∈ d → 17 | d = {[a]} ∪ (d ∖ {[a]}). 18 | Proof. 19 | intros. 20 | apply set_eq; intros a'. 21 | destruct (decide (a = a')); set_solver. 22 | Qed. 23 | -------------------------------------------------------------------------------- /src/LiteBuild.v: -------------------------------------------------------------------------------- 1 | (** LiteBuild depends on a subset of Perennial that is relatively fast to check, 2 | for use in Coq's CI. *) 3 | 4 | (* Some key theorems *) 5 | From Perennial.goose_lang Require 6 | recovery_adequacy dist_adequacy. 7 | (* Some core libraries *) 8 | From Perennial.base_logic Require 9 | gmap_own. 10 | (* Prelude and shared files *) 11 | From Perennial.program_proof Require 12 | proof_prelude disk_prelude grove_prelude 13 | marshal_proof marshal_stateless_proof std_proof. 14 | 15 | From Perennial.goose_lang Require 16 | adequacy recovery_adequacy dist_adequacy 17 | crash_lock 18 | rwlock. 19 | 20 | (* a couple program proofs that are pretty interesting on their own and include 21 | the wpc infrastructure *) 22 | From Perennial.program_proof Require 23 | wal.circ_proof_crash. 24 | 25 | (* Goose tests: goose_unittest has the syntactic tests while generated_test 26 | includes running all the semantics tests *) 27 | From Perennial.program_proof Require unittest. 28 | From Perennial.goose_lang.interpreter Require 29 | generated_test. 30 | -------------------------------------------------------------------------------- /src/algebra/big_op.v: -------------------------------------------------------------------------------- 1 | From Perennial.algebra.big_op Require Export 2 | big_sepS big_sepL big_sepM big_sepML. 3 | -------------------------------------------------------------------------------- /src/algebra/big_op/big_sepS.v: -------------------------------------------------------------------------------- 1 | From iris.algebra Require Export big_op. 2 | From iris.proofmode Require Import tactics. 3 | From Perennial.base_logic Require Import ncfupd. 4 | From Perennial.algebra Require Import big_op.big_sepL. 5 | -------------------------------------------------------------------------------- /src/algebra/mono_nat.v: -------------------------------------------------------------------------------- 1 | From Perennial.base_logic.lib Require Export mono_nat. 2 | From Perennial.algebra Require Import own_discrete. 3 | 4 | Global Instance mono_nat_own_auth_discretizable Σ `{mono_natG Σ} γ q n 5 | : Discretizable (mono_nat_auth_own γ q n). 6 | Proof. 7 | rewrite mono_nat.mono_nat_auth_own_unseal. 8 | apply _. 9 | Qed. 10 | 11 | Global Instance mono_nat_lb_own_discretizable Σ `{mono_natG Σ} γ n 12 | : Discretizable (mono_nat_lb_own γ n). 13 | Proof. 14 | rewrite mono_nat.mono_nat_lb_own_unseal. 15 | apply _. 16 | Qed. 17 | -------------------------------------------------------------------------------- /src/base.v: -------------------------------------------------------------------------------- 1 | (* Common setup for all of Perennial. Similar to stdpp and iris's options.v 2 | files. *) 3 | 4 | From Coq Require Import ZArith. 5 | From stdpp Require Export base tactics. 6 | 7 | Notation "'sealed' x" := (unseal (_ : seal x)) (at level 200, only parsing). 8 | 9 | (** Override stdpp's setting of Program's Obligation Tactic to [id]. *) 10 | (* this Ltac is here to support rebinding, if needed *) 11 | Ltac obligation_tac := 12 | try 13 | match goal with 14 | | |- seal _ => eexists; reflexivity 15 | | _ => solve [ apply _ ] 16 | end. 17 | 18 | #[global] 19 | Obligation Tactic := obligation_tac. 20 | 21 | Module test_obligation_tactic. 22 | Definition foo_def := 3. 23 | Program Definition foo := sealed foo_def. 24 | (* should not create any obligations *) 25 | Definition foo_unseal : foo = _ := seal_eq _. 26 | End test_obligation_tactic. 27 | 28 | #[export] Set Default Goal Selector "!". 29 | (* cannot be export *) 30 | #[global] Open Scope Z_scope. 31 | -------------------------------------------------------------------------------- /src/base_logic/base_logic.v: -------------------------------------------------------------------------------- 1 | (* Just reexport Iris base_logic *) 2 | From iris.base_logic Require Export base_logic. 3 | -------------------------------------------------------------------------------- /src/base_logic/lib/iprop.v: -------------------------------------------------------------------------------- 1 | (* Just reexport Iris mdoule *) 2 | From iris.base_logic Require Export lib.iprop. 3 | -------------------------------------------------------------------------------- /src/base_logic/lib/later_credits.v: -------------------------------------------------------------------------------- 1 | (* Just reexport Iris mdoule *) 2 | From iris.base_logic Require Export lib.later_credits. 3 | -------------------------------------------------------------------------------- /src/base_logic/lib/mono_nat.v: -------------------------------------------------------------------------------- 1 | From iris.base_logic Require Export lib.mono_nat. 2 | 3 | (* Add some Perennial-specific stuff *) 4 | From iris.proofmode Require Import tactics. 5 | From Perennial.algebra Require Import own_discrete atleast. 6 | 7 | Section iris. 8 | Context `{mono_natG Σ}. 9 | 10 | Global Instance mono_nat_auth_own_discretizable (γ: gname) q n : 11 | Discretizable (mono_nat_auth_own γ q n). 12 | Proof. rewrite mono_nat.mono_nat_auth_own_unseal. apply _. Qed. 13 | 14 | Global Instance mono_nat_lb_own_discretizable (γ: gname) n : 15 | Discretizable (mono_nat_lb_own γ n). 16 | Proof. rewrite mono_nat.mono_nat_lb_own_unseal. apply _. Qed. 17 | 18 | End iris. 19 | -------------------------------------------------------------------------------- /src/base_logic/lib/own.v: -------------------------------------------------------------------------------- 1 | (* Just reexport Iris mdoule *) 2 | From iris.base_logic Require Export lib.own. 3 | -------------------------------------------------------------------------------- /src/base_logic/lib/proph_map.v: -------------------------------------------------------------------------------- 1 | (* Just reexport Iris mdoule *) 2 | From iris.base_logic Require Export lib.proph_map. 3 | -------------------------------------------------------------------------------- /src/base_logic/lib/saved_prop.v: -------------------------------------------------------------------------------- 1 | (* Just reexport Iris mdoule *) 2 | From iris.base_logic Require Export lib.saved_prop. 3 | -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/README.md: -------------------------------------------------------------------------------- 1 | ## NSF SERVER/CLIENT SETUP 2 | 3 | Add to `/etc/exports`: 4 | ```/ localhost(rw,sync,insecure,no_root_squash)``` 5 | 6 | Run an NFS server on Ubuntu: 7 | 8 | ``` 9 | sudo apt install nfs-kernel-server 10 | sudo apt install nfs-common // for client 11 | systemctl start nfs-server 12 | ``` 13 | 14 | Create an nfs trace to analyze with our NFS spec (requires sudo): 15 | ``` 16 | mount localhost:/ /mnt/x -o vers=3 17 | tcpdump -w /tmp/nfs.pcap -s 1600 -i lo port 2049 18 | (ls -ld /proc/self/fd/5; ls -ld /proc/self/fd/5) 5< /mnt/x/etc/timezone 19 | ``` 20 | 21 | ## Run the Symbolic NFS3API Interpreter 22 | Install python packages (via pip for python2): 23 | * z3-solver==4.8.7 24 | * dpkt 25 | 26 | Run the Coq/Gallina spec in `NFS3API.v` 27 | to extract to `NFS3API.json` 28 | 29 | Extract to z3 expressions and solve for valid trace responses (requires that an nfs trace is in /tmp/nfs.pcap): `python symrun.py` 30 | -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/filename.smt2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/src/goose_lang/examples/nfs_spec/symtest/filename.smt2 -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/nfs.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/src/goose_lang/examples/nfs_spec/symtest/nfs.pcap -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/rfc1057/__init__.py: -------------------------------------------------------------------------------- 1 | import const 2 | import types 3 | import pack 4 | import client 5 | import server 6 | -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/rfc1813/__init__.py: -------------------------------------------------------------------------------- 1 | import const 2 | import types 3 | import pack 4 | import client 5 | import server 6 | -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/rpc/__init__.py: -------------------------------------------------------------------------------- 1 | from rpc import * 2 | 3 | __all__ = ['rpcsec', 'rpc_const.py', 'rpc_type.py'] 4 | -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/rpc/rpcsec/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/rpc/rpcsec/sec_auth_none.py: -------------------------------------------------------------------------------- 1 | from base import SecFlavor 2 | 3 | class SecAuthNone(SecFlavor): 4 | pass 5 | -------------------------------------------------------------------------------- /src/goose_lang/examples/nfs_spec/symtest/rpc/rpcsec/sec_auth_sys.py: -------------------------------------------------------------------------------- 1 | from base import SecFlavor, SecError 2 | from rpc.rpc_const import AUTH_SYS 3 | from rpc.rpc_type import opaque_auth 4 | from xdrlib import Packer, Error 5 | 6 | class SecAuthSys(SecFlavor): 7 | def __init__(self, stamp, machinename, uid, gid, gids): 8 | if len(machinename) > 255: 9 | raise SecError("machinename %s is too long" % machinename) 10 | if len(gids) > 16: 11 | raise SecError("gid array too long: %s" % str(gids)) 12 | try: 13 | p = Packer() 14 | p.pack_int(stamp) 15 | p.pack_string(machinename) 16 | p.pack_uint(uid) 17 | p.pack_uint(gid) 18 | p.pack_array(gids, p.pack_uint) 19 | self.cred = p.get_buffer() 20 | except Error, e: 21 | raise SecError("Packing error: %s", str(e)) 22 | self.uid = uid 23 | self.gid = gid 24 | 25 | def make_cred(self): 26 | return opaque_auth(AUTH_SYS, self.cred), None 27 | 28 | def get_owner(self): 29 | return self.uid 30 | 31 | def get_group(self): 32 | return self.gid 33 | -------------------------------------------------------------------------------- /src/goose_lang/ffi/async_disk_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang. 2 | From Perennial.goose_lang Require Export ffi.async_disk_proph. 3 | #[global] 4 | Existing Instances async_disk_syntax.disk_op async_disk_proph.disk_model async_disk_syntax.disk_ty. 5 | #[global] 6 | Existing Instances async_disk_proph.disk_semantics async_disk_proph.disk_interp. 7 | #[global] 8 | Existing Instance goose_diskGS. 9 | 10 | 11 | Module disk. 12 | Notation Disk := async_disk_syntax.Disk. 13 | Notation Write := async_disk_proph.Write. 14 | Notation Read := async_disk_proph.Read. 15 | Notation ReadTo := async_disk_proph.ReadTo. 16 | Notation Barrier := async_disk_proph.Barrier. 17 | Notation Size := async_disk_proph.Size. 18 | End disk. 19 | 20 | Module async_disk. 21 | Notation BlockSize := async_disk_syntax.BlockSize. 22 | Notation Write := async_disk_proph.Write. 23 | Notation Read := async_disk_proph.Read. 24 | Notation ReadTo := async_disk_proph.ReadTo. 25 | Notation Barrier := async_disk_proph.Barrier. 26 | Notation Size := async_disk_proph.Size. 27 | End async_disk. 28 | -------------------------------------------------------------------------------- /src/goose_lang/ffi/disk.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang.ffi.disk_ffi Require Export impl specs adequacy. 2 | -------------------------------------------------------------------------------- /src/goose_lang/ffi/disk_ffi/typed_specs.v: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mit-pdos/perennial/1b3c3a252411ced0f142c1080573d023d13853a5/src/goose_lang/ffi/disk_ffi/typed_specs.v -------------------------------------------------------------------------------- /src/goose_lang/ffi/disk_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang typing. 2 | From Perennial.goose_lang Require Export ffi.disk_ffi.typed_impl. 3 | From Perennial.goose_lang Require Export ffi.disk. 4 | #[global] 5 | Existing Instances disk_op disk_model disk_ty. 6 | #[global] 7 | Existing Instances disk_semantics disk_interp. 8 | #[global] 9 | Existing Instance goose_diskGS. 10 | Export disk. 11 | -------------------------------------------------------------------------------- /src/goose_lang/ffi/grove_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang. 2 | From Perennial.goose_lang Require Export ffi.grove_ffi.grove_ffi_typed. 3 | #[global] 4 | Existing Instances grove_op grove_model. 5 | #[global] 6 | Existing Instances grove_semantics grove_interp. 7 | #[global] 8 | Existing Instances goose_groveGS goose_groveNodeGS. 9 | -------------------------------------------------------------------------------- /src/goose_lang/ffi/jrnl_ffi.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Export ffi.jrnl_ffi_spec ffi.jrnl_ffi_facts. 2 | -------------------------------------------------------------------------------- /src/goose_lang/lib/atomic/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import notation typing typed_mem.impl. 2 | 3 | (* this code is intended to be used qualified with the atomic module *) 4 | Module atomic. 5 | Section goose_lang. 6 | Context {ext:ffi_syntax} {ext_ty: ext_types ext}. 7 | 8 | (* these are not values so that they are Atomic *) 9 | 10 | Definition LoadUint64 : expr → expr := Load. 11 | Definition LoadUint32 : expr → expr := LoadUint64. 12 | Definition StoreUint64 : expr → expr → expr := AtomicStore. 13 | Definition StoreUint32 : expr → expr → expr := StoreUint64. 14 | Definition CompareAndSwapUint64 : expr → expr → expr → expr := CmpXchg. 15 | Definition CompareAndSwapUint32 : expr → expr → expr → expr := CompareAndSwapUint64. 16 | 17 | (* the type arguments to these functions are passed since that's the GooseLang 18 | calling convention. They are not needed in the model, since these operations 19 | only load pointers, and we don't need to know what the shape of the referenced 20 | data is to write the model. *) 21 | Definition Pointer__Load (_: ty) : expr → expr := Load. 22 | Definition Pointer__Store (_: ty) : expr → expr → expr := AtomicStore. 23 | 24 | End goose_lang. 25 | End atomic. 26 | -------------------------------------------------------------------------------- /src/goose_lang/lib/barrier/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Export notation typing. 2 | 3 | Module barrier. 4 | Section goose_lang. 5 | Context {ext:ffi_syntax}. 6 | Definition newbarrier : val := λ: <>, ref #false. 7 | Definition signal : val := λ: "x", CAS "x" #false #true. 8 | Definition wait : val := 9 | rec: "wait" "x" := if: !"x" then #() else "wait" "x". 10 | End goose_lang. 11 | End barrier. 12 | -------------------------------------------------------------------------------- /src/goose_lang/lib/control/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation. 2 | 3 | Section goose_lang. 4 | Context {ext: ffi_syntax}. 5 | 6 | (** [Assume c] goes into an endless loop if [c] does not hold. So proofs can 7 | assume that it holds. *) 8 | Definition Assume: val := 9 | λ: "cond", if: "cond" then #() 10 | else (rec: "loop" <> := "loop" #()) #(). 11 | 12 | (** [Assert c] raises UB (program gets stuck via [Panic]) if [c] does not 13 | hold. So proofs have to show it always holds. *) 14 | Definition Assert: val := 15 | λ: "cond", if: "cond" then #() 16 | else Panic "assert failed". 17 | 18 | (** [Exit n] is supposed to exit the process. We cannot directly model 19 | this in GooseLang, so we just loop. *) 20 | Definition Exit: val := 21 | λ: <>, (rec: "loop" <> := "loop" #()) #(). 22 | 23 | End goose_lang. 24 | -------------------------------------------------------------------------------- /src/goose_lang/lib/list/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation. 2 | 3 | Notation ListConsV hd tl := (InjRV (PairV hd tl)). 4 | Notation ListNilV := (InjLV (LitV LitUnit)). 5 | Notation ListCons hd tl := (InjR (Pair hd tl)). 6 | 7 | Section goose_lang. 8 | Context {ext:ffi_syntax}. 9 | 10 | Definition ListMatch : val := 11 | λ: "l" "nilfun" "consfun", 12 | (match: "l" with 13 | InjL "nil" => "nilfun" #() 14 | | InjR "p" => "consfun" "p" 15 | end). 16 | 17 | End goose_lang. 18 | -------------------------------------------------------------------------------- /src/goose_lang/lib/list/list.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import coq_tactics reduction. 2 | From Perennial.goose_lang Require Import notation proofmode. 3 | From Perennial.goose_lang.lib Require Import typed_mem. 4 | From Perennial.goose_lang.lib Require Export list.impl. 5 | Import uPred. 6 | 7 | Set Default Proof Using "Type". 8 | 9 | Section heap. 10 | Context `{ffi_sem: ffi_semantics} `{!ffi_interp ffi} `{!heapGS Σ}. 11 | Context {ext_ty: ext_types ext}. 12 | Implicit Types v : val. 13 | 14 | Fixpoint val_of_list (l: list val) : val := 15 | match l with 16 | | nil => InjLV (LitV LitUnit) 17 | | v :: l => InjRV (PairV v (val_of_list l)) 18 | end. 19 | 20 | End heap. 21 | -------------------------------------------------------------------------------- /src/goose_lang/lib/list/list_slice.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation typing. 2 | From Perennial.goose_lang.lib Require Import typed_mem.impl. 3 | From Perennial.goose_lang Require Import slice.impl list.impl. 4 | 5 | Section goose_lang. 6 | Context `{ffi_sem: ffi_semantics}. 7 | Context {ext_ty:ext_types ext}. 8 | 9 | Definition SliceToListFrom t : val := 10 | rec: "loop" "s" "i" := 11 | let: "len" := slice.len "s" in 12 | if: ("i" < "len") then 13 | let: "x" := SliceGet t "s" "i" in 14 | ListCons "x" ("loop" "s" ("i" + #1)) 15 | else ListNilV. 16 | 17 | Definition SliceToList t : val := 18 | λ: "s", 19 | SliceToListFrom t "s" #0%nat. 20 | 21 | Definition ListToSliceApp t : val := 22 | rec: "loop" "l" "s" := 23 | ListMatch "l" 24 | (λ: "x", "s") 25 | (λ: "p", 26 | "loop" (Snd "p") (SliceAppend t "s" (Fst "p")) 27 | ). 28 | 29 | Definition ListToSlice t : val := 30 | λ: "l", 31 | ListToSliceApp t "l" (NewSlice t #0). 32 | 33 | End goose_lang. 34 | -------------------------------------------------------------------------------- /src/goose_lang/lib/loop/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation. 2 | 3 | Section goose_lang. 4 | Context {ext: ffi_syntax}. 5 | 6 | (* idiomatic wrappers for loop control flow *) 7 | Definition Continue: val := #true. 8 | Definition Break: val := #false. 9 | 10 | Definition For: val := 11 | λ: "cond" "body" "post", 12 | (rec: "loop" <> := 13 | let: "continue" := 14 | (if: "cond" #() 15 | then "body" #() 16 | else #false) in 17 | if: "continue" 18 | then "post" #();; "loop" #() 19 | else #()) #(). 20 | 21 | Definition Loop: val := 22 | λ: "body", 23 | (rec: "loop" <> := 24 | let: "continue" := "body" #() in 25 | if: "continue" 26 | then "loop" #() 27 | else #()) #(). 28 | 29 | End goose_lang. 30 | 31 | Notation "'for:' cond ; post := e" := (For cond%E e%E post%E) 32 | (at level 200, cond, post at level 1, e at level 200, 33 | format "'[' 'for:' cond ; post := '/ ' e ']'") : expr_scope. 34 | 35 | Notation "'for:' := e" := (Loop (LamV BAnon e%E)) 36 | (at level 200, e at level 200, 37 | format "'[' 'for:' := '/ ' e ']'") : expr_scope. 38 | -------------------------------------------------------------------------------- /src/goose_lang/lib/proph/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation typing. 2 | 3 | Definition ProphIdT {ext} {ext_ty: ext_types ext} := prophT. 4 | 5 | Section goose_lang. 6 | Context {ext: ffi_syntax}. 7 | 8 | Definition NewProph : val := 9 | λ: <>, NewProph. 10 | 11 | Definition ResolveProph : val := 12 | λ: "p" "val", ResolveProph (Var "p") (Var "val"). 13 | 14 | End goose_lang. 15 | 16 | -------------------------------------------------------------------------------- /src/goose_lang/lib/rand/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import notation typing. 2 | 3 | Module rand. 4 | Section goose_lang. 5 | Context {ext:ffi_syntax}. 6 | 7 | Definition RandomUint64: val := λ: <>, ArbitraryInt. 8 | End goose_lang. 9 | End rand. 10 | -------------------------------------------------------------------------------- /src/goose_lang/lib/rand/rand.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import proofmode. 2 | From Perennial.goose_lang.lib Require Export rand.impl. 3 | 4 | Set Default Proof Using "Type". 5 | 6 | Section goose_lang. 7 | Context `{ffi_sem: ffi_semantics} `{!ffi_interp ffi} `{!heapGS Σ}. 8 | 9 | Theorem wp_RandomUint64 s E : 10 | {{{ True }}} 11 | rand.RandomUint64 #() @ s; E 12 | {{{ (r: u64), RET #r; True }}}. 13 | Proof. 14 | iIntros (Φ) "Hpre HΦ". 15 | wp_rec. wp_pures. 16 | wp_apply wp_ArbitraryInt. 17 | done. 18 | Qed. 19 | 20 | End goose_lang. 21 | -------------------------------------------------------------------------------- /src/goose_lang/lib/string/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang slice notation typing. 2 | From Perennial.goose_lang.lib Require Import control.impl. 3 | 4 | Section goose_lang. 5 | Context {ext:ffi_syntax}. 6 | Context {ext_ty:ext_types ext}. (* need this to use slice *) 7 | 8 | Definition StringFromBytes : val := 9 | (rec: "StringFromBytes" "b" := 10 | if: (slice.len "b") = #0 11 | then (Val #str "") 12 | else (to_string (SliceGet byteT "b" #0)) + 13 | ("StringFromBytes" (SliceSubslice byteT "b" #1 (slice.len "b")))). 14 | 15 | Definition stringToBytes : val := 16 | (rec: "stringToBytes" "i" "s" := 17 | if: (Var "i") = #0 18 | then slice.nil 19 | else 20 | let: "j" := "i" - #1 in 21 | (SliceAppend byteT ("stringToBytes" "j" "s") (StringGet "s" "j"))) 22 | . 23 | 24 | Definition StringToBytes : val := 25 | λ: "s", 26 | Assume (IsNoStringOverflow "s") ;; 27 | stringToBytes (StringLength "s") "s" 28 | . 29 | 30 | End goose_lang. 31 | -------------------------------------------------------------------------------- /src/goose_lang/lib/time/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import notation typing. 2 | 3 | Definition timerRefT {ext} {ext_ty: ext_types ext} := refT (arrowT unitT unitT). 4 | 5 | Module time. 6 | Section goose_lang. 7 | Context {ext:ffi_syntax}. 8 | 9 | Definition Millisecond: val := #1000000. 10 | Definition Second: val := #1000000000. 11 | Definition Sleep: val := λ: "duration", #(). 12 | Definition TimeNow: val := λ: <>, #0. (* FIXME make it actually nondet *) 13 | Definition AfterFunc: val := λ: "duration" "f", Fork "f" ;; ref "f". 14 | Definition Timer__Reset: val := λ: "timer", !"timer" #(). (* FIXME: this could rerun f *) 15 | End goose_lang. 16 | End time. 17 | -------------------------------------------------------------------------------- /src/goose_lang/lib/time/time.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import proofmode. 2 | From Perennial.goose_lang.lib Require Export time.impl. 3 | 4 | Set Default Proof Using "Type". 5 | 6 | Section goose_lang. 7 | Context `{ffi_sem: ffi_semantics} `{!ffi_interp ffi} `{!heapGS Σ}. 8 | 9 | Theorem wp_Sleep (duration : u64) : 10 | {{{ True }}} 11 | time.Sleep #duration 12 | {{{ RET #(); True }}}. 13 | Proof. 14 | iIntros (Φ) "_ HΦ". 15 | wp_rec. wp_pures. 16 | by iApply "HΦ". 17 | Qed. 18 | 19 | Theorem wp_TimeNow : 20 | {{{ True }}} 21 | time.TimeNow #() 22 | {{{ (t : u64), RET #t; True }}}. 23 | Proof. 24 | iIntros (Φ) "_ HΦ". 25 | wp_rec. wp_pures. 26 | by iApply "HΦ". 27 | Qed. 28 | 29 | End goose_lang. 30 | -------------------------------------------------------------------------------- /src/goose_lang/lib/waitgroup/impl.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import notation typing. 2 | From Perennial.goose_lang.lib.lock Require Import impl. 3 | From Perennial.goose_lang.lib.typed_mem Require Import impl. 4 | 5 | Module waitgroup. 6 | Section goose_lang. 7 | Context {ext:ffi_syntax}. 8 | Context {ext_tys: ext_types ext}. 9 | 10 | Definition New: val := λ: <>, (lock.new #(), ref_to uint64T #0). 11 | Definition Add: val := λ: "wg" "delta", 12 | let: ("mu", "v") := "wg" in 13 | lock.acquire "mu" ;; 14 | "v" <-[uint64T] ("delta" + (![uint64T] "v")) ;; 15 | lock.release "mu" 16 | . 17 | 18 | Definition Done: val := 19 | λ: "wg", 20 | let: ("mu", "v") := "wg" in 21 | lock.acquire "mu" ;; 22 | "v" <-[uint64T] ((![uint64T] "v") - #1) ;; 23 | lock.release "mu" 24 | . 25 | 26 | Definition Wait: val := 27 | rec: "Wait" "wg" := 28 | let: ("mu", "vptr") := "wg" in 29 | lock.acquire "mu" ;; 30 | let: "v" := (![uint64T] "vptr") in 31 | lock.release "mu" ;; 32 | if: "v" = #0 then #() 33 | else "Wait" "wg". 34 | End goose_lang. 35 | 36 | End waitgroup. 37 | -------------------------------------------------------------------------------- /src/goose_lang/mono_nat.v: -------------------------------------------------------------------------------- 1 | (** Crash instances for mono_nat. *) 2 | From iris.proofmode Require Import base tactics classes. 3 | From Perennial.base_logic.lib Require Export mono_nat. 4 | From Perennial.goose_lang Require Import crash_modality lifting. 5 | 6 | Set Default Proof Using "Type". 7 | 8 | Section instances. 9 | Context `{ffi_sem: ffi_semantics}. 10 | Context `{!ffi_interp ffi}. 11 | Context `{!mono_natG Σ, !heapGS Σ}. 12 | 13 | Global Instance mono_nat_lb_own_durable γ n: 14 | IntoCrash (mono_nat_lb_own γ n) (λ _, mono_nat_lb_own γ n). 15 | Proof. rewrite /IntoCrash. iApply post_crash_nodep. Qed. 16 | 17 | Global Instance mono_nat_auth_own_durable γ q n: 18 | IntoCrash (mono_nat_auth_own γ q n) (λ _, mono_nat_auth_own γ q n). 19 | Proof. rewrite /IntoCrash. iApply post_crash_nodep. Qed. 20 | End instances. 21 | -------------------------------------------------------------------------------- /src/goose_lang/prelude.v: -------------------------------------------------------------------------------- 1 | (* Gooselang dependencies included in every translated Goose file. *) 2 | From Perennial.goose_lang Require Export base_prelude. 3 | (* Gooselang dependencies that are generated from features modeled as Goose 4 | compatible Go code, such as the channel model, which is implemented as 5 | a Go generic struct. *) 6 | From Goose.github_com.goose_lang.goose 7 | Require Export channel 8 | . -------------------------------------------------------------------------------- /src/goose_lang/trusted/github_com/goose_lang/goose/internal/examples/trust_import/trusted_example.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import notation typing. 2 | 3 | Module trusted_example. 4 | Section goose_lang. 5 | Context {ext:ffi_syntax}. 6 | Context {ext_tys: ext_types ext}. 7 | 8 | Definition Foo: val := λ: <>, #(). 9 | End goose_lang. 10 | End trusted_example. 11 | -------------------------------------------------------------------------------- /src/goose_lang/trusted/github_com/mit_pdos/gokv/trusted_hash.v: -------------------------------------------------------------------------------- 1 | (* TODO: implement this *) 2 | From Perennial.goose_lang Require Import prelude. 3 | 4 | Section code. 5 | Context `{ext_ty: ext_types}. 6 | 7 | Axiom Hash: val. 8 | 9 | End code. 10 | -------------------------------------------------------------------------------- /src/goose_lang/trusted/github_com/mit_pdos/gokv/trusted_proph.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation prelude. 2 | 3 | Section goose_lang. 4 | Context `{ffi_sem: ffi_semantics}. 5 | Context {ext_ty:ext_types ext}. 6 | 7 | Definition ActReadId : Z := 0. 8 | Definition ActAbortId : Z := 1. 9 | Definition ActCommitId : Z := 2. 10 | 11 | Definition NewProph : val := 12 | λ: <>, goose_lang.NewProph. 13 | 14 | Definition BytesToVal : val := 15 | λ: "slice", 16 | (* Goose alloc lemmas are very wonky, and directly allocating a #() does not work. 17 | So we allocate a 0 and then store #() in it... *) 18 | let: "res" := ref #0 in 19 | "res" <- #();; 20 | forSlice (byteT) (λ: "idx" "val", 21 | "res" <- ("val", !"res") 22 | ) "slice";; 23 | !"res". 24 | 25 | Definition ResolveBytes : val := 26 | λ: "p" "slice", 27 | let: "bytesval" := BytesToVal "slice" in 28 | goose_lang.ResolveProph "p" "bytesval". 29 | 30 | End goose_lang. 31 | -------------------------------------------------------------------------------- /src/goose_lang/trusted/github_com/mit_pdos/tulip/trusted_proph.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import lang notation prelude. 2 | 3 | Section goose_lang. 4 | Context `{ffi_sem: ffi_semantics}. 5 | Context {ext_ty:ext_types ext}. 6 | 7 | Definition ActReadId : Z := 0. 8 | Definition ActAbortId : Z := 1. 9 | Definition ActCommitId : Z := 2. 10 | 11 | Definition NewProph : val := 12 | λ: <>, goose_lang.NewProph. 13 | 14 | Definition ResolveRead : val := 15 | λ: "p" "tid" "key", goose_lang.ResolveProph "p" (#ActReadId, ("tid", "key")). 16 | 17 | Definition ResolveAbort : val := 18 | λ: "p" "tid", goose_lang.ResolveProph "p" (#ActAbortId, "tid"). 19 | 20 | (* TODO *) 21 | Definition WrsToVal : val := 22 | λ: "mref", (!"mref"). 23 | 24 | Definition ResolveCommit : val := 25 | λ: "p" "tid" "wrbuf", 26 | let: "wrsval" := WrsToVal "wrbuf" in 27 | goose_lang.ResolveProph "p" (#ActCommitId, ("tid", "wrsval")). 28 | 29 | End goose_lang. 30 | -------------------------------------------------------------------------------- /src/goose_lang/trusted/github_com/mit_pdos/tulip/trusted_time.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import prelude. 2 | From Perennial.goose_lang.ffi Require Import grove_prelude. 3 | 4 | Section goose_lang. 5 | 6 | Definition GetTime : val := 7 | λ: <>, grove_ffi.GetTSC #(). 8 | 9 | End goose_lang. 10 | -------------------------------------------------------------------------------- /src/program_logic/dist_weakestpre.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import tactics. 2 | From iris.algebra Require Import gmap auth agree gset coPset. 3 | From Perennial.base_logic.lib Require Import wsat. 4 | From Perennial.program_logic Require Export weakestpre. 5 | From Perennial.program_logic Require Export crash_lang dist_lang crash_weakestpre recovery_weakestpre. 6 | Import uPred. 7 | 8 | Set Default Proof Using "Type". 9 | 10 | (*** Distributed WP ***) 11 | 12 | Section wpd. 13 | Context `{HI: !irisGS Λ Σ}. 14 | 15 | Definition wpd CS (E: coPset) (ers: list node_init_cfg) := 16 | ([∗ list] i↦σ ∈ ers, ∀ `(Hc: !crashGS Σ), 17 | |={⊤}=> ∃ (stateI : state Λ → nat → iProp Σ) (* for the initial generation *) Φ Φrx Φinv, 18 | let HG := GenerationGS Λ Σ Hc stateI in 19 | stateI σ.(init_local_state) 0 ∗ 20 | wpr CS NotStuck HG E σ.(init_thread) σ.(init_restart) Φ Φinv Φrx)%I. 21 | 22 | Lemma wpd_compose CS E ers1 ers2 : 23 | wpd CS E ers1 -∗ 24 | wpd CS E ers2 -∗ 25 | wpd CS E (ers1 ++ ers2). 26 | Proof. rewrite /wpd big_sepL_app. iIntros "$ $". Qed. 27 | 28 | End wpd. 29 | -------------------------------------------------------------------------------- /src/program_logic/staged_invariant.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_logic Require Export staged_invariant_alt. 2 | From Perennial.program_logic Require Export staged_invariant_init. 3 | From Perennial.program_logic Require Export staged_invariant_use_cancel. 4 | From Perennial.program_logic Require Export staged_invariant_use_idle. 5 | From Perennial.program_logic Require Export staged_invariant_use_inuse. 6 | From Perennial.program_logic Require Export staged_invariant_use_inuse2. 7 | From Perennial.program_logic Require Export staged_invariant_wpc_nval. 8 | From Perennial.program_logic Require Export staged_invariant_wp_nval. 9 | -------------------------------------------------------------------------------- /src/program_proof/async_disk_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_logic Require Export atomic. 2 | From Perennial.program_proof Require Export proof_prelude. 3 | (* For backwards compat, make untyped slice lib take precedence. *) 4 | From Perennial.goose_lang.lib Require Export slice. 5 | 6 | From Perennial.goose_lang Require Export ffi.async_disk_prelude. 7 | 8 | (* Make sure Z_scope is open. *) 9 | Local Lemma Z_scope_test : (0%Z) + (0%Z) = 0%Z. 10 | Proof. done. Qed. 11 | 12 | 13 | -------------------------------------------------------------------------------- /src/program_proof/bad_nil_slice.v: -------------------------------------------------------------------------------- 1 | (* 2 | package test 3 | 4 | import ( 5 | "github.com/goose-lang/goose/machine" 6 | ) 7 | 8 | func test() { 9 | slEmpt := make([]byte, 0) 10 | machine.Assert((slEmpt == nil) == true) 11 | } 12 | *) 13 | (* autogenerated from test *) 14 | From Perennial.goose_lang Require Import prelude. 15 | 16 | Section code. 17 | Context `{ext_ty: ext_types}. 18 | 19 | (* FIXME: should not be possible to prove this assert *) 20 | Definition test: val := 21 | rec: "test" <> := 22 | let: "slEmpt" := NewSlice byteT #0 in 23 | control.impl.Assert (("slEmpt" = slice.nil) = #true);; 24 | #(). 25 | 26 | End code. 27 | 28 | From Perennial.program_proof Require Import grove_prelude. 29 | From Perennial.goose_lang.lib Require Import slice. 30 | Section proof. 31 | Context `{!heapGS Σ}. 32 | Lemma wp_test : 33 | {{{ 34 | True 35 | }}} 36 | test #() 37 | {{{ 38 | RET #(); True 39 | }}} 40 | . 41 | Proof. 42 | iIntros (Φ) "_ HΦ". 43 | wp_rec. wp_pures. 44 | rewrite /NewSlice. 45 | rewrite /slice.nil. 46 | wp_pures. 47 | wp_pure. 48 | { done. } 49 | wp_apply wp_Assert. 50 | 2:{ wp_pures; by iApply "HΦ". } 51 | done. 52 | Qed. 53 | 54 | End proof. 55 | -------------------------------------------------------------------------------- /src/program_proof/disk_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_logic Require Export atomic. 2 | From Perennial.program_proof Require Export proof_prelude. 3 | (* For backwards compat, make untyped slice lib take precedence. *) 4 | From Perennial.goose_lang Require Export typing lib.slice.slice. 5 | 6 | From Perennial.goose_lang Require Export ffi.disk. 7 | From Perennial.goose_lang Require Export ffi.disk_prelude. 8 | 9 | (* Make sure Z_scope is open. *) 10 | Local Lemma Z_scope_test : (0%Z) + (0%Z) = 0%Z. 11 | Proof. done. Qed. 12 | -------------------------------------------------------------------------------- /src/program_proof/examples/all_examples.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.examples Require 2 | dir_proof 3 | async_mem_alloc_dir_proof 4 | alloc_proof_simple 5 | single_inode_proof 6 | (* async_inode_proof *) 7 | (* single_async_inode_proof *) 8 | alloc_crash_proof 9 | (* indirect_inode_proof *) 10 | (* indirect_inode_append_proof *) 11 | replicated_block_proof 12 | toy_proof. 13 | -------------------------------------------------------------------------------- /src/program_proof/grove_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_logic Require Export atomic_fupd. 2 | From Perennial.program_proof Require Export proof_prelude. 3 | From Perennial.goose_lang Require Export ffi.grove_prelude. 4 | 5 | (* Make sure Z_scope is open. *) 6 | Local Lemma Z_scope_test : (0%Z) + (0%Z) = 0%Z. 7 | Proof. done. Qed. 8 | -------------------------------------------------------------------------------- /src/program_proof/jrnl/sep_jrnl_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.jrnl Require Export 2 | sep_jrnl_invariant sep_jrnl_ops sep_jrnl_recovery_proof. 3 | -------------------------------------------------------------------------------- /src/program_proof/lockservice/grove_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.goose_lang Require Import prelude. 2 | From Perennial.goose_lang Require Export ffi.disk_prelude. 3 | From Perennial.program_proof.lockservice Require Import grove_ffi. 4 | -------------------------------------------------------------------------------- /src/program_proof/lockservice/nondet.v: -------------------------------------------------------------------------------- 1 | (* autogenerated from lockservice *) 2 | From Perennial.goose_lang Require Import prelude. 3 | From Perennial.goose_lang Require Import ffi.disk_prelude. 4 | 5 | (* nondet.go *) 6 | 7 | Definition nondet: val := 8 | rec: "nondet" <> := 9 | #true. 10 | -------------------------------------------------------------------------------- /src/program_proof/memkv/common_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From Goose.github_com.mit_pdos.gokv Require Import memkv. 3 | 4 | Section common_proof. 5 | 6 | Context `{!heapGS Σ}. 7 | 8 | Definition uNSHARD : Z := 65536%Z. 9 | 10 | Definition shardOfC (key:u64) : u64 := (word.modu key uNSHARD). 11 | 12 | Lemma shardOfC_bound k : uint.Z (shardOfC k) < uNSHARD. 13 | Proof. 14 | rewrite /shardOfC /uNSHARD. 15 | rewrite word.unsigned_modu_nowrap //. 16 | apply Z.mod_pos_bound. done. 17 | Qed. 18 | 19 | Lemma wp_shardOf key : 20 | {{{ 21 | True 22 | }}} 23 | shardOf #key 24 | {{{ 25 | RET #(shardOfC key); True 26 | }}}. 27 | Proof. 28 | iIntros (?) "_ HΦ". 29 | wp_rec. 30 | wp_pures. 31 | by iApply "HΦ". 32 | Qed. 33 | 34 | Lemma wp_shardOf_bound (key:u64) : 35 | {{{ 36 | True 37 | }}} 38 | shardOf #key 39 | {{{ 40 | (s:u64), RET #s; ⌜uint.Z s < uNSHARD⌝ 41 | }}}. 42 | Proof. 43 | iIntros (Φ) "_ HΦ". 44 | iApply wp_shardOf; first done. 45 | iIntros "!> _". iApply "HΦ". 46 | iPureIntro. apply shardOfC_bound. 47 | Qed. 48 | 49 | End common_proof. 50 | -------------------------------------------------------------------------------- /src/program_proof/memkv/memkv_getcid_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.Helpers Require Import ModArith. 2 | From Perennial.program_proof Require Import grove_prelude std_proof. 3 | From Goose.github_com.mit_pdos.gokv Require Import memkv. 4 | From Perennial.program_proof.memkv Require Export memkv_shard_definitions memkv_marshal_getcid_proof memkv_shard_clerk_proof. 5 | 6 | Section memkv_getcid_proof. 7 | 8 | Context `{!heapGS Σ, erpcG Σ, urpcregG Σ, kvMapG Σ}. 9 | 10 | Lemma wp_GetCIDRPC (s:loc) γ : 11 | is_KVShardServer s γ -∗ 12 | {{{ 13 | True 14 | }}} 15 | KVShardServer__GetCIDRPC #s 16 | {{{ 17 | cid, RET #cid; erpc_make_client_pre γ.(erpc_gn) cid 18 | }}} 19 | . 20 | Proof. 21 | iIntros "#Hmemkv !#" (Φ) "_ HΦ". 22 | wp_rec. 23 | iNamed "Hmemkv". 24 | wp_loadField. 25 | wp_apply wp_erpc_GetFreshCID; first done. 26 | done. 27 | Qed. 28 | 29 | End memkv_getcid_proof. 30 | -------------------------------------------------------------------------------- /src/program_proof/memkv/print_assumptions.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import proof_prelude. 2 | From Perennial.program_proof.memkv Require Import closed memkv_clerk_proof. 3 | 4 | (* Client function wps *) 5 | Definition client_theorems := (@wp_KVClerk__Get, @wp_KVClerk__MGet, @wp_KVClerk__Put, @wp_KVClerk__ConditionalPut). 6 | Print Assumptions client_theorems. 7 | 8 | (* Closed proof for shard + coord server *) 9 | Print Assumptions closed1.shard_coord_boot. 10 | 11 | (* Closed proof for bank boot *) 12 | Print Assumptions closed2.bank_boot. 13 | 14 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/goose.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cd ../../../ 4 | ./etc/update-goose.py --compile --goose ../goose/ --mvcc ../vmvcc/ 5 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/grepv.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | grep ${1} -r ${2} --include \*.v 4 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/loc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "Tuple:" 4 | wc -l tuple*.v 5 | 6 | echo "Transaction:" 7 | wc -l txn*.v wrbuf*.v 8 | 9 | echo "Index:" 10 | wc -l index*.v 11 | 12 | echo "Timestamp generation:" 13 | wc -l tid*.v 14 | 15 | echo "Misc:" 16 | wc -l mvcc_prelude.v mvcc_misc.v 17 | 18 | echo "Ghost states:" 19 | wc -l mvcc_ghost.v 20 | 21 | echo "Global invariants:" 22 | wc -l mvcc_inv.v mvcc_action.v mvcc_tuplext.v proph_proof.v 23 | 24 | echo "Not counted: mvcc_proof.v examples_proof.v print_assumptions.v" 25 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/mvcc_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Export grove_prelude. 2 | From Perennial.program_logic Require Export atomic. (* prefer the ncfupd atomics *) 3 | (* Prefer untyped slices. *) 4 | Export Perennial.goose_lang.lib.slice.slice. 5 | 6 | Definition dbval := option byte_string. 7 | Canonical Structure dbvalO := leibnizO dbval. 8 | Notation Nil := (None : dbval). 9 | Notation Value x := (Some x : dbval). 10 | 11 | Definition to_dbval (b : bool) (v : byte_string) := 12 | if b then Value v else Nil. 13 | 14 | Definition dbmap := gmap u64 dbval. 15 | 16 | Notation N_TXN_SITES := 32. 17 | 18 | Definition keys_all : gset u64 := fin_to_set u64. 19 | Definition sids_all : list u64 := W64 <$> seqZ 0 N_TXN_SITES. 20 | 21 | (* Invariant namespaces. *) 22 | Definition mvccN := nroot .@ "mvcc". 23 | Definition mvccNSST := mvccN .@ "sst". 24 | Definition mvccNGC := mvccN .@ "gc". 25 | Definition mvccNTID := mvccN .@ "tid". 26 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/mvcc_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.mvcc Require Export 2 | mvcc_misc mvcc_action mvcc_tuplext mvcc_ghost mvcc_inv 3 | proph_proof 4 | index_proof 5 | tid_proof 6 | (* db *) 7 | db_repr db_mk db_new_txn db_activate_gc db_get_safe_ts 8 | (* txnsite *) 9 | txnsite_activate txnsite_deactivate txnsite_get_safe_ts 10 | (* txn *) 11 | txn_repr txn_begin txn_commit txn_acquire 12 | txn_read txn_write txn_delete txn_run 13 | (* tuple *) 14 | tuple_prelude tuple_repr 15 | tuple_append_version tuple_kill_version tuple_read_version 16 | tuple_remove_versions tuple_own tuple_free tuple_write_lock 17 | (* examples *) 18 | (* examples_rsvkey examples_counter *) 19 | . 20 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/print_assumptions.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import proof_prelude. 2 | From Perennial.program_proof.mvcc Require Import mvcc_proof examples_hello. 3 | 4 | (* Core Txn machinery *) 5 | Definition mvcc_theorems := ( 6 | @wp_txn__Run, @wp_txn__Read, @wp_txn__Write, @wp_txn__Delete, 7 | @wp_MkDB, @wp_DB__NewTxn, @wp_DB__ActivateGC 8 | ). 9 | Print Assumptions mvcc_theorems. 10 | 11 | (* Closed proofs *) 12 | Print Assumptions closed_proof.hello_adequate. 13 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/strnum.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From Goose.github_com.mit_pdos.vmvcc.examples Require Export strnum. 3 | 4 | Section program. 5 | Context `{!heapGS Σ}. 6 | 7 | Definition u64_to_string (n : u64) : string. 8 | Admitted. 9 | 10 | Lemma u64_to_string_inj n1 n2 : 11 | u64_to_string n1 = u64_to_string n2 -> 12 | n1 = n2. 13 | Admitted. 14 | 15 | Theorem wp_StringToU64 (s : byte_string) (n : u64) : 16 | {{{ ⌜u64_to_string n = s⌝ }}} 17 | StringToU64 #(LitString s) 18 | {{{ (n : u64), RET #n; ⌜u64_to_string n = s⌝ }}}. 19 | Admitted. 20 | 21 | Theorem wp_U64ToString (n : u64) : 22 | {{{ True }}} 23 | U64ToString #n 24 | {{{ (s : byte_string), RET #(LitString s); ⌜u64_to_string n = s⌝ }}}. 25 | Admitted. 26 | 27 | End program. 28 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/txn_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.mvcc Require Export 2 | mvcc_prelude mvcc_misc mvcc_action mvcc_tuplext mvcc_ghost mvcc_inv. 3 | From Goose.github_com.mit_pdos.vmvcc Require Export vmvcc. 4 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/txnsite_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.mvcc Require Export mvcc_prelude mvcc_ghost mvcc_inv mvcc_misc. 2 | From Goose.github_com.mit_pdos.vmvcc Require Export txnsite. 3 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/vok.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | dir='./src/program_proof/mvcc' 4 | 5 | cd ../../../ 6 | files=`find ${dir} -name "${1}*.v" ! -name "print_assumptions.v" | sed "s/\.v/\.vok/"` 7 | if [[ -z ${files} ]]; then 8 | echo "No target files." 9 | exit 1 10 | fi 11 | 12 | echo "Checking:" 13 | echo "`basename ${files}`" 14 | make --ignore-errors -j8 ${files} 15 | -------------------------------------------------------------------------------- /src/program_proof/mvcc/vos.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | dir='./src/program_proof/mvcc' 4 | 5 | cd ../../../ 6 | files=`find ${dir} -name "${1}*.v" ! -name "print_assumptions.v" | sed "s/\.v/\.vos/"` 7 | if [[ -z ${files} ]]; then 8 | echo "No target files." 9 | exit 1 10 | fi 11 | 12 | echo "Checking:" 13 | echo "`basename ${files}`" 14 | make -j8 ${files} 15 | -------------------------------------------------------------------------------- /src/program_proof/obj/obj_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.obj Require Export 2 | invariant load_proof commit_proof recovery_proof. 3 | -------------------------------------------------------------------------------- /src/program_proof/pav/advrpc.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.pav Require Import prelude. 2 | 3 | From Goose.github_com.mit_pdos.pav Require Import advrpc. 4 | 5 | Module Server. 6 | Definition t : Type. Admitted. 7 | 8 | Section defs. 9 | Context `{!heapGS Σ}. 10 | Definition own (ptr : loc) (obj : t) : iProp Σ. Admitted. 11 | End defs. 12 | End Server. 13 | 14 | Section specs. 15 | Context `{!heapGS Σ}. 16 | 17 | Lemma wp_NewServer (handlers : loc) : 18 | {{{ True }}} 19 | NewServer #handlers 20 | {{{ 21 | ptr_serv serv, RET #ptr_serv; 22 | "Hown_serv" ∷ Server.own ptr_serv serv 23 | }}}. 24 | Proof. Admitted. 25 | 26 | Lemma wp_Server__Serve ptr_serv serv (addr : w64) : 27 | {{{ 28 | "Hown_serv" ∷ Server.own ptr_serv serv 29 | }}} 30 | Server__Serve #ptr_serv #addr 31 | {{{ RET #(); True }}}. 32 | Proof. Admitted. 33 | 34 | Definition own_Client (ptr : loc) (addr : w64) (is_good : bool) : iProp Σ. Admitted. 35 | 36 | Lemma wp_Dial (addr : w64) (is_good : bool) : 37 | {{{ True }}} 38 | Dial #addr 39 | {{{ 40 | ptr_cli, RET #ptr_cli; 41 | "Hrpc_cli" ∷ own_Client ptr_cli addr is_good 42 | }}}. 43 | Proof. Admitted. 44 | 45 | End specs. 46 | -------------------------------------------------------------------------------- /src/program_proof/pav/cryptoutil.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.pav Require Import prelude. 2 | From Goose.github_com.mit_pdos.pav Require Import cryptoutil. 3 | 4 | From Perennial.program_proof.pav Require Import cryptoffi. 5 | 6 | Section proof. 7 | Context `{!heapGS Σ}. 8 | 9 | Lemma wp_Hash sl_b b d0 : 10 | {{{ 11 | "Hsl_b" ∷ own_slice_small sl_b byteT d0 b 12 | }}} 13 | Hash (slice_val sl_b) 14 | {{{ 15 | sl_hash hash, RET (slice_val sl_hash); 16 | "Hsl_b" ∷ own_slice_small sl_b byteT d0 b ∗ 17 | "Hsl_hash" ∷ own_slice sl_hash byteT (DfracOwn 1) hash ∗ 18 | "#His_hash" ∷ is_hash b hash 19 | }}}. 20 | Proof. 21 | iIntros (Φ) "H HΦ". wp_rec. iNamed "H". 22 | wp_apply wp_NewHasher. iIntros (?). iNamed 1. 23 | wp_apply (wp_Hasher__Write with "[$]"). iNamed 1. 24 | wp_apply (wp_Hasher__Sum Slice.nil with "[$Hown_hr]"). 25 | { iApply own_slice_zero. } 26 | iIntros (??). iNamed 1. 27 | iApply "HΦ". iFrame "∗#". 28 | Qed. 29 | 30 | End proof. 31 | -------------------------------------------------------------------------------- /src/program_proof/pav/prelude.v: -------------------------------------------------------------------------------- 1 | From iris.base_logic.lib Require Export mono_nat ghost_map. 2 | From Perennial.base_logic Require Export mono_list. 3 | From RecordUpdate Require Export RecordSet. 4 | From Perennial.program_proof Require Export grove_prelude. 5 | -------------------------------------------------------------------------------- /src/program_proof/pav/should_build.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.pav Require 2 | crypto_model 3 | alicebob. 4 | -------------------------------------------------------------------------------- /src/program_proof/proof_prelude.v: -------------------------------------------------------------------------------- 1 | From iris.algebra Require Export auth gmap frac agree excl vector. 2 | 3 | From Perennial.algebra Require Export big_op. 4 | 5 | From Perennial.Helpers Require Export Tactics List ListLen BigOp Transitions iris ipm. 6 | 7 | From Perennial.base_logic Require Export ghost_var. 8 | From Perennial.program_logic Require Export ncinv. 9 | From Perennial.goose_lang Require Export proofmode wpc_proofmode array. 10 | From Perennial.goose_lang Require Export into_val. 11 | From Perennial.goose_lang.lib Require Export 12 | persistent_readonly slice slice.typed_slice struct loop lock control map.typed_map time proph rand string. 13 | 14 | Export uPred. 15 | 16 | Global Set Default Proof Using "Type". 17 | Global Set Printing Projections. 18 | 19 | Global Opaque load_ty store_ty. 20 | -------------------------------------------------------------------------------- /src/program_proof/rsm/distx/inv.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From Perennial.program_proof.rsm.distx Require Import base. 3 | From Perennial.program_proof.rsm.distx Require Export inv_txnsys inv_key inv_group. 4 | 5 | Section inv. 6 | Context `{!heapGS Σ, !distx_ghostG Σ}. 7 | (* TODO: remove this once we have real defintions for resources. *) 8 | Implicit Type (γ : distx_names). 9 | 10 | Definition sysNS := nroot .@ "sys". 11 | Definition distxNS := sysNS .@ "distx". 12 | Definition tsNS := sysNS .@ "ts". 13 | 14 | Definition distx_inv γ p : iProp Σ := 15 | (* txn invariants *) 16 | "Htxnsys" ∷ txnsys_inv γ p ∗ 17 | (* keys invariants *) 18 | "Hkeys" ∷ ([∗ set] key ∈ keys_all, key_inv γ key) ∗ 19 | (* groups invariants *) 20 | "Hgroups" ∷ ([∗ set] gid ∈ gids_all, group_inv γ gid). 21 | 22 | #[global] 23 | Instance distx_inv_timeless γ p : 24 | Timeless (distx_inv γ p). 25 | Admitted. 26 | 27 | Definition know_distx_inv γ p : iProp Σ := 28 | inv distxNS (distx_inv γ p). 29 | 30 | End inv. 31 | -------------------------------------------------------------------------------- /src/program_proof/rsm/distx/invariance/preprepare.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.rsm.distx Require Import prelude. 2 | 3 | Section inv. 4 | Context `{!distx_ghostG Σ}. 5 | 6 | Lemma txnsys_inv_preprepare γ p Qr tid wrs : 7 | valid_ts tid -> 8 | valid_wrs wrs -> 9 | Qr wrs -> 10 | txnpost_receipt γ tid Qr -∗ 11 | txnwrs_excl γ tid -∗ 12 | txnsys_inv γ p ==∗ 13 | txnsys_inv γ p ∗ 14 | txnwrs_receipt γ tid wrs. 15 | Proof. 16 | iIntros (Hvts Hvwrs HQ) "#HQ Hexclwrs Htxn". 17 | iNamed "Htxn". 18 | iDestruct (txnwrs_excl_elem_of with "Hexclwrs Hwrsm") as %Hin. 19 | iMod (txnwrs_set _ _ _ wrs with "Hexclwrs Hwrsm") as "[Hwrsm #Hwrs]". 20 | iFrame "∗ # %". 21 | rewrite wrsm_dbmap_insert_Some. 22 | iModIntro. 23 | iSplit. 24 | { iApply big_sepM_insert_2; [iFrame "# %" | done]. } 25 | iPureIntro. 26 | split; first set_solver. 27 | by apply map_Forall_insert_2. 28 | Qed. 29 | 30 | End inv. 31 | -------------------------------------------------------------------------------- /src/program_proof/rsm/distx/invariance/submit.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.rsm.distx Require Import prelude. 2 | 3 | Section inv. 4 | Context `{!distx_ghostG Σ}. 5 | 6 | Lemma group_inv_submit γ gid cpool c : 7 | safe_submit γ gid c -∗ 8 | group_inv_no_cpool γ gid cpool -∗ 9 | group_inv_no_cpool γ gid ({[c]} ∪ cpool). 10 | Proof. 11 | iIntros "Hsafe Hgroup". 12 | do 2 iNamed "Hgroup". 13 | iDestruct (big_sepS_insert_2 with "Hsafe Hvc") as "Hvc'". 14 | iFrame "∗ # %". 15 | Qed. 16 | 17 | End inv. 18 | -------------------------------------------------------------------------------- /src/program_proof/rsm/distx/prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Export grove_prelude. 2 | From Perennial.program_logic Require Export atomic. (* prefer the ncfupd atomics *) 3 | From Perennial.program_proof.rsm Require Export big_sep. 4 | From Perennial.program_proof.rsm.pure Require Export 5 | dual_lookup extend fin_maps largest_before list misc nat nonexpanding_merge sets vslice word. 6 | From Perennial.program_proof.rsm.distx Require Export 7 | action base cmd res inv. 8 | -------------------------------------------------------------------------------- /src/program_proof/rsm/distx/program/index.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.rsm.distx Require Import prelude. 2 | From Perennial.program_proof.rsm.distx.program Require Import tuple. 3 | From Goose.github_com.mit_pdos.rsm Require Import distx. 4 | 5 | Section program. 6 | Context `{!heapGS Σ, !distx_ghostG Σ}. 7 | 8 | Definition is_index (idx : loc) (α : replica_names) : iProp Σ. 9 | Admitted. 10 | 11 | #[global] 12 | Instance is_index_persistent idx α : 13 | Persistent (is_index idx α). 14 | Admitted. 15 | 16 | Theorem wp_Index__GetTuple (idx : loc) (key : byte_string) α : 17 | key ∈ keys_all -> 18 | is_index idx α -∗ 19 | {{{ True }}} 20 | Index__GetTuple #idx #(LitString key) 21 | {{{ (tpl : loc), RET #tpl; is_tuple tpl key α }}}. 22 | Proof. 23 | (*@ func (idx *Index) GetTuple(key string) *Tuple { @*) 24 | (*@ // TODO @*) 25 | (*@ return &Tuple{} @*) 26 | (*@ } @*) 27 | Admitted. 28 | 29 | End program. 30 | -------------------------------------------------------------------------------- /src/program_proof/rsm/fpaxos_top.v: -------------------------------------------------------------------------------- 1 | (** 2 | * Common definitions used by every part of this project. Minimize this file. 3 | *) 4 | From Perennial.program_proof Require Export grove_prelude. 5 | 6 | Inductive proposal : Type := 7 | | Any 8 | | Proposed (v : byte_string). 9 | Definition proposals := gmap nat proposal. 10 | 11 | Inductive vote : Type := 12 | | Reject 13 | | CAccept 14 | | FAccept (v : byte_string). 15 | Definition ballot := list vote. 16 | 17 | #[global] 18 | Instance vote_eq_decision : 19 | EqDecision vote. 20 | Proof. solve_decision. Qed. 21 | 22 | Inductive consensus : Type := 23 | | Chosen (v : byte_string) 24 | | Free. 25 | 26 | Definition prefixes `{Countable A} {B : Type} (lbs ls : gmap A (list B)) := 27 | ∀ x lb l, lbs !! x = Some lb -> ls !! x = Some l -> prefix lb l. 28 | -------------------------------------------------------------------------------- /src/program_proof/rsm/goose.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cd ../../../ 4 | ./etc/update-goose.py --compile --goose ../goose/ --rsm ../rsm/ 5 | -------------------------------------------------------------------------------- /src/program_proof/rsm/pure/dual_lookup.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import proofmode. 2 | 3 | Definition dual_lookup `{Countable K1} `{Countable K2} {V} 4 | (m : gmap K1 (gmap K2 V)) (k1 : K1) (k2 : K2) := 5 | match m !! k1 with 6 | | Some im => im !! k2 7 | | None => None 8 | end. 9 | 10 | Definition dual_lookup_consistent `{Countable K1} `{Countable K2} {V} 11 | (m1 : gmap K1 (gmap K2 V)) (m2 : gmap K2 (gmap K1 V)) := 12 | ∀ k1 k2, dual_lookup m1 k1 k2 = dual_lookup m2 k2 k1. 13 | 14 | Section props. 15 | Context `{Countable K1} `{Countable K2} {V : Type}. 16 | 17 | 18 | End props. 19 | -------------------------------------------------------------------------------- /src/program_proof/rsm/pure/fin_maps_list.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import proofmode. 2 | From Perennial.program_proof.rsm.pure Require Import list. 3 | 4 | Section lemmas. 5 | Context `{FinMap K M}. 6 | 7 | Lemma map_to_list_not_elem_of_take_key {A} {m : M A} l i k v : 8 | map_to_list m ≡ₚ l -> 9 | l !! i = Some (k, v) -> 10 | k ∉ (take i l).*1. 11 | Proof. 12 | intros Hl Hkv. 13 | pose proof (NoDup_fst_map_to_list m) as Hnd. 14 | rewrite Hl in Hnd. 15 | pose proof (list_lookup_fmap fst l i) as Hi. 16 | rewrite Hkv in Hi. 17 | pose proof (not_elem_of_take _ _ _ Hnd Hi) as Htake. 18 | by rewrite -fmap_take in Htake. 19 | Qed. 20 | 21 | End lemmas. 22 | -------------------------------------------------------------------------------- /src/program_proof/rsm/pure/fin_sets.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import proofmode. 2 | 3 | Section fin_set. 4 | Context `{FinSet A C}. 5 | Implicit Types X Y : C. 6 | 7 | Lemma size_empty_iff_L `{!LeibnizEquiv C} X : size X = 0 ↔ X = ∅. 8 | Proof. unfold_leibniz. apply size_empty_iff. Qed. 9 | 10 | Lemma size_non_empty_iff_L `{!LeibnizEquiv C} X : size X ≠ 0 ↔ X ≠ ∅. 11 | Proof. unfold_leibniz. apply size_non_empty_iff. Qed. 12 | 13 | Lemma filter_subseteq_impl X (P Q : A → Prop) `{!∀ x, Decision (P x)} `{!∀ x, Decision (Q x)} : 14 | (∀ x, P x -> Q x) -> 15 | filter P X ⊆ filter Q X. 16 | Proof. set_solver. Qed. 17 | 18 | Lemma filter_subseteq_mono X Y (P : A -> Prop) `{!∀ x, Decision (P x)} : 19 | X ⊆ Y -> 20 | filter P X ⊆ filter P Y. 21 | Proof. set_solver. Qed. 22 | 23 | End fin_set. 24 | -------------------------------------------------------------------------------- /src/program_proof/rsm/pure/misc.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import proofmode. 2 | 3 | Lemma set_Forall_Forall_subsume `{Countable A} (l : list A) (s : gset A) P : 4 | set_Forall P s -> 5 | Forall (λ x, x ∈ s) l -> 6 | Forall P l. 7 | Proof. do 2 rewrite Forall_forall. intros HP Hl x Hin. by auto. Qed. 8 | 9 | Lemma gset_to_gmap_same_union `{Countable K} {A} (X Y : gset K) (x : A) : 10 | gset_to_gmap x (X ∪ Y) = gset_to_gmap x X ∪ gset_to_gmap x Y. 11 | Proof. 12 | apply map_eq. 13 | intros i. 14 | rewrite lookup_union 3!lookup_gset_to_gmap. 15 | destruct (decide (i ∈ X)) as [Hinx | Hnotinx]. 16 | { rewrite option_guard_True. 17 | { rewrite option_guard_True; last done. 18 | by rewrite union_Some_l. 19 | } 20 | set_solver. 21 | } 22 | rewrite (option_guard_False (i ∈ X)); last done. 23 | rewrite option_union_left_id. 24 | destruct (decide (i ∈ Y)) as [Hiny | Hnotiny]. 25 | { rewrite option_guard_True. 26 | { by rewrite option_guard_True. } 27 | set_solver. 28 | } 29 | { rewrite option_guard_False. 30 | { by rewrite option_guard_False. } 31 | set_solver. 32 | } 33 | Qed. 34 | -------------------------------------------------------------------------------- /src/program_proof/rsm/pure/sets.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import proofmode. 2 | 3 | Section lemmas. 4 | Context `{SemiSet A C}. 5 | 6 | Lemma set_Forall_subseteq (P : A -> Prop) (X Y : C) : 7 | X ⊆ Y -> 8 | set_Forall P Y -> 9 | set_Forall P X. 10 | Proof. intros Hsubseteq HY x Hx. apply HY. set_solver. Qed. 11 | 12 | End lemmas. 13 | -------------------------------------------------------------------------------- /src/program_proof/rsm/pure/word.v: -------------------------------------------------------------------------------- 1 | From iris.proofmode Require Import proofmode. 2 | From Perennial.Helpers Require Import Integers. 3 | 4 | Lemma uint_nat_W64_0 : 5 | uint.nat (W64 0) = O. 6 | Proof. word. Qed. 7 | 8 | Lemma uint_nat_W64_of_nat (n : nat) : 9 | n < 2 ^ 64 -> 10 | uint.nat (W64 n) = n. 11 | Proof. intros H. word. Qed. 12 | 13 | Lemma uint_nat_word_add_S (x : u64) : 14 | uint.Z x < 2 ^ 64 - 1 -> 15 | (uint.nat (word.add x (W64 1))) = S (uint.nat x). 16 | Proof. intros H. word. Qed. 17 | 18 | Lemma uint_nat_u64_inj (x y : u64) : 19 | uint.nat x = uint.nat y -> 20 | x = y. 21 | Proof. intros H. word. Qed. 22 | -------------------------------------------------------------------------------- /src/program_proof/rsm/rsm_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.rsm Require Export 2 | big_sep 3 | spaxos_examples spaxos_ghost spaxos_inv spaxos_prelude 4 | spaxos_propose spaxos_top 5 | fpaxos_inv fpaxos_top 6 | mpaxos_proof. 7 | 8 | (* pure theorems *) 9 | From Perennial.program_proof.rsm.pure Require Export 10 | dual_lookup extend fin_maps fin_sets largest_before list misc 11 | nat nonexpanding_merge quorum sets vslice word. 12 | 13 | (* distx *) 14 | From Perennial.program_proof.rsm.distx.program Require Export 15 | tuple index txnlog replica replica_group txn. 16 | -------------------------------------------------------------------------------- /src/program_proof/rsm/spaxos_prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.rsm Require Export 2 | spaxos_top spaxos_ghost spaxos_inv. 3 | From Goose.github_com.mit_pdos.rsm Require Export spaxos. 4 | -------------------------------------------------------------------------------- /src/program_proof/rsm/spaxos_top.v: -------------------------------------------------------------------------------- 1 | (** 2 | * Common definitions used by every part of this project. Minimize this file. 3 | *) 4 | From Perennial.program_proof Require Export grove_prelude. 5 | From Perennial.program_logic Require Export atomic. (* prefer the ncfupd atomics *) 6 | 7 | Definition proposals := gmap nat byte_string. 8 | Definition ballot := list bool. 9 | Inductive consensus : Type := 10 | | Chosen (v : byte_string) 11 | | Free. 12 | 13 | Definition prefixes `{Countable A} {B : Type} (lbs ls : gmap A (list B)) := 14 | ∀ x lb l, lbs !! x = Some lb -> ls !! x = Some l -> prefix lb l. 15 | -------------------------------------------------------------------------------- /src/program_proof/rsm/vok.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | dir='./src/program_proof/rsm' 4 | 5 | cd ../../../ 6 | files=`find ${dir} -name "${1}*.v" ! -name "print_assumptions.v" | sed "s/\.v/\.vok/"` 7 | if [[ -z ${files} ]]; then 8 | echo "No target files." 9 | exit 1 10 | fi 11 | 12 | echo "Checking:" 13 | echo "`basename ${files}`" 14 | make --ignore-errors -j8 ${files} 15 | -------------------------------------------------------------------------------- /src/program_proof/rsm/vos.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | dir='./src/program_proof/rsm' 4 | 5 | cd "$(dirname $0)"/../../../ 6 | files=`find ${dir} -name "${1}*.v" ! -name "print_assumptions.v" | sed "s/\.v/\.vos/"` 7 | if [[ -z ${files} ]]; then 8 | echo "No target files." 9 | exit 1 10 | fi 11 | 12 | echo "Checking:" 13 | echo "`basename ${files}`" 14 | make -j8 ${files} 15 | -------------------------------------------------------------------------------- /src/program_proof/simple/print_assumptions.v: -------------------------------------------------------------------------------- 1 | From Perennial Require Import program_proof.simple.example. 2 | 3 | Print Assumptions wpr_RecoverExample. 4 | -------------------------------------------------------------------------------- /src/program_proof/simple/proofs.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.simple Require Export 2 | common read write getattr setattr recovery. 3 | -------------------------------------------------------------------------------- /src/program_proof/tulip/admit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | grep Admitted --include "*.v" -r . 4 | -------------------------------------------------------------------------------- /src/program_proof/tulip/cloc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | CLOC="cloc --include-lang=Coq --quiet" 4 | 5 | $CLOC . ../rsm/pure ../rsm/big_sep.v 6 | 7 | echo "Transaction:" 8 | $CLOC --not-match-f='(encode|decode)' ./program/txn ./program/gcoord 9 | 10 | echo "Backup coordinator:" 11 | $CLOC ./program/backup 12 | 13 | echo "Replica:" 14 | $CLOC --not-match-f='(encode|decode)' ./program/replica 15 | 16 | echo "Transaction log:" 17 | $CLOC ./program/txnlog 18 | 19 | echo "Paxos:" 20 | $CLOC ./paxos 21 | 22 | echo "Tuple:" 23 | $CLOC ./program/tuple ./program/index 24 | 25 | echo "Message:" 26 | $CLOC --match-f='(encode|decode)' ./program/gcoord ./program/replica 27 | 28 | echo "Misc:" 29 | $CLOC ./program/prelude.v ./program/quorum.v ./program/util 30 | 31 | echo "Invariance proofs:" 32 | $CLOC ./invariance 33 | 34 | echo "Invariant/resource definitions:" 35 | $CLOC ./*.v 36 | 37 | echo "General lemmas:" 38 | $CLOC ../rsm/pure ../rsm/big_sep.v 39 | -------------------------------------------------------------------------------- /src/program_proof/tulip/goose.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cd "$(dirname $0)"/../../../ 4 | ./etc/update-goose.py --compile --goose ../goose/ --tulip ../tulip/ 5 | -------------------------------------------------------------------------------- /src/program_proof/tulip/invariance/execute_common.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip Require Import prelude. 2 | 3 | Lemma prepared_impl_locked_inv_release cpm ptsm ts pwrs : 4 | cpm !! ts = Some pwrs -> 5 | prepared_impl_locked_cpm cpm ptsm -> 6 | prepared_impl_locked_cpm (delete ts cpm) (release pwrs ptsm). 7 | Proof. 8 | intros Hpwrs Hpil t w k Hw Hk. 9 | destruct (decide (t = ts)) as [-> | Hne]; first by rewrite lookup_delete in Hw. 10 | rewrite lookup_delete_ne in Hw; last done. 11 | rewrite release_unmodified; last first. 12 | { apply not_elem_of_dom. 13 | pose proof (prepared_impl_locked_disjoint _ _ _ _ _ _ Hne Hw Hpwrs Hpil) as Hdisj. 14 | set_solver. 15 | } 16 | by specialize (Hpil _ _ _ Hw Hk). 17 | Qed. 18 | -------------------------------------------------------------------------------- /src/program_proof/tulip/invariance/preprepare.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip Require Import prelude. 2 | 3 | Section inv. 4 | Context `{!heapGS Σ}. 5 | Context `{!tulip_ghostG Σ}. 6 | 7 | Lemma txnsys_inv_preprepare γ p Qr tid wrs : 8 | valid_ts tid -> 9 | valid_wrs wrs -> 10 | Qr wrs -> 11 | is_txn_postcond γ tid Qr -∗ 12 | own_txn_reserved_wrs γ tid -∗ 13 | txnsys_inv γ p ==∗ 14 | txnsys_inv γ p ∗ 15 | is_txn_wrs γ tid wrs. 16 | Proof. 17 | iIntros (Hvts Hvwrs HQ) "#HQ Hexclwrs Htxnsys". 18 | do 2 iNamed "Htxnsys". 19 | iDestruct (txn_oneshot_wrs_elem_of with "Hexclwrs Hwrsm") as %Hin. 20 | iMod (txn_oneshot_wrs_update _ _ _ wrs with "Hexclwrs Hwrsm") as "[Hwrsm #Hwrs]". 21 | iFrame "∗ # %". 22 | rewrite wrsm_dbmap_insert_Some. 23 | iModIntro. 24 | iSplit. 25 | { iApply big_sepM_insert_2; [iFrame "# %" | done]. } 26 | iPureIntro. 27 | split; first set_solver. 28 | by apply map_Forall_insert_2. 29 | Qed. 30 | 31 | End inv. 32 | -------------------------------------------------------------------------------- /src/program_proof/tulip/invariance/submit.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip Require Import prelude. 2 | 3 | Section inv. 4 | Context `{!tulip_ghostG Σ}. 5 | 6 | Lemma group_inv_submit {γ gid cpool} c : 7 | safe_submit γ gid c -∗ 8 | group_inv_no_cpool γ gid cpool -∗ 9 | group_inv_no_cpool γ gid ({[c]} ∪ cpool). 10 | Proof. 11 | iIntros "Hsafe Hgroup". 12 | do 2 iNamed "Hgroup". 13 | iDestruct (big_sepS_insert_2 with "Hsafe Hsafecp") as "Hsafecp'". 14 | iFrame "∗ # %". 15 | iPureIntro. 16 | rewrite /txn_cpool_subsume_log. 17 | apply (Forall_impl _ _ _ Hcscincl). 18 | set_solver. 19 | Qed. 20 | 21 | End inv. 22 | -------------------------------------------------------------------------------- /src/program_proof/tulip/paxos/prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Export grove_prelude. 2 | From Perennial.program_logic Require Export atomic. (* prefer the ncfupd atomics *) 3 | From Perennial.program_logic Require Export own_crash_inv. (* import [own_crash_ex] *) 4 | From Perennial.program_proof.rsm Require Export big_sep. 5 | From Perennial.program_proof.rsm.pure Require Export 6 | extend fin_maps fin_sets list misc nat sets word quorum. 7 | From Perennial.program_proof.tulip.paxos Require Export 8 | base consistency msg inv res recovery. 9 | -------------------------------------------------------------------------------- /src/program_proof/tulip/paxos/program/paxos_heartbeated.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.paxos Require Import prelude. 2 | From Perennial.program_proof.tulip.paxos.program Require Import repr. 3 | From Goose.github_com.mit_pdos.tulip Require Import paxos. 4 | 5 | Section heartbeated. 6 | Context `{!heapGS Σ, !paxos_ghostG Σ}. 7 | 8 | Theorem wp_Paxos__heartbeated (px : loc) nidme nids γ : 9 | {{{ own_paxos px nidme nids γ }}} 10 | Paxos__heartbeated #px 11 | {{{ (hb : bool), RET #hb; own_paxos px nidme nids γ }}}. 12 | Proof. 13 | iIntros (Φ) "Hpx HΦ". 14 | wp_rec. 15 | 16 | (*@ func (px *Paxos) heartbeated() bool { @*) 17 | (*@ return px.hb @*) 18 | (*@ } @*) 19 | do 2 iNamed "Hpx". 20 | wp_loadField. 21 | iApply "HΦ". 22 | iFrame "Hcand Hleader". 23 | by iFrame "∗ # %". 24 | Qed. 25 | 26 | End heartbeated. 27 | -------------------------------------------------------------------------------- /src/program_proof/tulip/paxos/program/paxos_nominated.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.paxos Require Import prelude. 2 | From Perennial.program_proof.tulip.paxos.program Require Import repr. 3 | From Goose.github_com.mit_pdos.tulip Require Import paxos. 4 | 5 | Section nominated. 6 | Context `{!heapGS Σ, !paxos_ghostG Σ}. 7 | 8 | Theorem wp_Paxos__nominated (px : loc) nidme termc nids γ : 9 | {{{ own_paxos_with_termc px nidme termc nids γ }}} 10 | Paxos__nominated #px 11 | {{{ (iscand : bool), RET #iscand; 12 | if iscand 13 | then own_paxos_nominated_with_termc px nidme termc nids γ 14 | else own_paxos_with_termc px nidme termc nids γ 15 | }}}. 16 | Proof. 17 | iIntros (Φ) "Hpx HΦ". 18 | wp_rec. 19 | 20 | (*@ func (px *Paxos) nominated() bool { @*) 21 | (*@ return px.iscand @*) 22 | (*@ } @*) 23 | iNamed "Hpx". iNamed "Hcand". 24 | wp_loadField. 25 | iApply "HΦ". 26 | destruct iscand; iFrame. 27 | Qed. 28 | 29 | End nominated. 30 | -------------------------------------------------------------------------------- /src/program_proof/tulip/paxos/program/paxos_resethb.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.paxos Require Import prelude. 2 | From Perennial.program_proof.tulip.paxos.program Require Import repr. 3 | From Goose.github_com.mit_pdos.tulip Require Import paxos. 4 | 5 | Section resethb. 6 | Context `{!heapGS Σ, !paxos_ghostG Σ}. 7 | 8 | Theorem wp_Paxos__resethb (px : loc) nidme nids γ : 9 | {{{ own_paxos px nidme nids γ }}} 10 | Paxos__resethb #px 11 | {{{ RET #(); own_paxos px nidme nids γ }}}. 12 | Proof. 13 | iIntros (Φ) "Hpx HΦ". 14 | wp_rec. 15 | 16 | (*@ func (px *Paxos) resethb() { @*) 17 | (*@ px.hb = false @*) 18 | (*@ } @*) 19 | do 2 iNamed "Hpx". 20 | wp_storeField. 21 | iApply "HΦ". 22 | iFrame "Hcand Hleader". 23 | by iFrame "∗ # %". 24 | Qed. 25 | 26 | End resethb. 27 | -------------------------------------------------------------------------------- /src/program_proof/tulip/prelude.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Export grove_prelude. 2 | From Perennial.program_logic Require Export atomic. (* prefer the ncfupd atomics *) 3 | From Perennial.program_logic Require Export own_crash_inv. (* import [own_crash_ex] *) 4 | From Perennial.program_proof.rsm Require Export big_sep. 5 | From Perennial.program_proof.rsm.pure Require Export 6 | dual_lookup extend fin_maps fin_maps_list fin_sets largest_before list misc nat 7 | nonexpanding_merge sets vslice word quorum. 8 | From Perennial.program_proof.tulip Require Export 9 | action base cmd encode res msg inv inv_txnlog stability. 10 | -------------------------------------------------------------------------------- /src/program_proof/tulip/print_assumptions.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip Require Import tulip_proof. 2 | 3 | (* Interface of tulip *) 4 | Definition tulip_theorems := ( 5 | @wp_mkTxn, @wp_Txn__Run, @wp_Txn__Read, @wp_Txn__Write, @wp_Txn__Delete, 6 | @wp_start 7 | ). 8 | Print Assumptions tulip_theorems. 9 | 10 | (* Closed proofs *) 11 | (* Print Assumptions closed_proof.hello_adequate. *) 12 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/backup/bgpreparer_count_proposals.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.backup Require Import bgpreparer_repr. 3 | 4 | Section program. 5 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 6 | 7 | Theorem wp_BackupGroupPreparer__countProposals (gpp : loc) pps rk ts cid gid γ : 8 | {{{ own_backup_gpreparer_pps gpp pps rk ts cid gid γ }}} 9 | BackupGroupPreparer__countProposals #gpp 10 | {{{ (n : u64), RET #n; 11 | own_backup_gpreparer_pps gpp pps rk ts cid gid γ ∗ 12 | ⌜uint.nat n = size pps⌝ 13 | }}}. 14 | Proof. 15 | iIntros (Φ) "Hpps HΦ". 16 | wp_rec. 17 | 18 | (*@ func (gpp *BackupGroupPreparer) countProposals() uint64 { @*) 19 | (*@ return uint64(len(gpp.pps)) @*) 20 | (*@ } @*) 21 | iNamed "Hpps". 22 | wp_loadField. 23 | wp_apply (wp_MapLen with "Hpps"). 24 | iIntros "[%Hsz Hpps]". 25 | iApply "HΦ". 26 | iFrame "∗ # %". 27 | word. 28 | Qed. 29 | 30 | End program. 31 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/backup/bgpreparer_finalized.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.backup Require Import bgpreparer_repr. 3 | 4 | Section program. 5 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 6 | 7 | (* A weak spec since its use is not related to safety *) 8 | Theorem wp_BackupGroupPreparer__finalized gpp rk ts cid gid γ : 9 | {{{ own_backup_gpreparer gpp rk ts cid gid γ }}} 10 | BackupGroupPreparer__finalized #gpp 11 | {{{ (finalized : bool), RET #finalized; own_backup_gpreparer gpp rk ts cid gid γ }}}. 12 | Proof. 13 | iIntros (Φ) "Hgpp HΦ". 14 | wp_rec. 15 | 16 | (*@ func (gpp *BackupGroupPreparer) finalized() bool { @*) 17 | (*@ return BGPP_COMMITTED <= gpp.phase @*) 18 | (*@ } @*) 19 | do 2 iNamed "Hgpp". iNamed "Hphase". 20 | wp_loadField. 21 | wp_pures. 22 | iApply "HΦ". 23 | by iFrame "∗ # %". 24 | Qed. 25 | 26 | 27 | End program. 28 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/backup/bgpreparer_get_phase.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.backup Require Import bgpreparer_repr. 3 | 4 | Section program. 5 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 6 | 7 | Theorem wp_BackupGroupPreparer__getPhase (gpp : loc) phase rk ts cid gid γ : 8 | {{{ own_backup_gpreparer_with_phase gpp phase rk ts cid gid γ }}} 9 | BackupGroupPreparer__getPhase #gpp 10 | {{{ RET #(bgppphase_to_u64 phase); 11 | own_backup_gpreparer_with_phase gpp phase rk ts cid gid γ ∗ 12 | safe_backup_gpreparer_phase γ ts cid gid rk phase 13 | }}}. 14 | Proof. 15 | iIntros (Φ) "Hgpp HΦ". 16 | wp_rec. 17 | 18 | (*@ func (gpp *BackupGroupPreparer) getPhase() uint64 { @*) 19 | (*@ return gpp.phase @*) 20 | (*@ } @*) 21 | iNamed "Hgpp". iNamed "Hphase". 22 | wp_loadField. 23 | rewrite Hphase. 24 | iApply "HΦ". 25 | by iFrame "∗ # %". 26 | Qed. 27 | 28 | End program. 29 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/backup/bgpreparer_set_pwrs.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.backup Require Import bgpreparer_repr. 3 | 4 | Section program. 5 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 6 | 7 | Theorem wp_BackupGroupPreparer__setPwrs (gpp : loc) (pwrsP : loc) (pwrs : dbmap) ts gid γ : 8 | own_map pwrsP DfracDiscarded pwrs -∗ 9 | safe_txn_pwrs γ gid ts pwrs -∗ 10 | {{{ own_backup_gpreparer_pwrs gpp ts gid γ }}} 11 | BackupGroupPreparer__setPwrs #gpp #pwrsP 12 | {{{ RET #(); own_backup_gpreparer_pwrs gpp ts gid γ }}}. 13 | Proof. 14 | iIntros "#Hm #Hsafe" (Φ) "!> Hpwrs HΦ". 15 | wp_rec. 16 | 17 | (*@ func (gpp *BackupGroupPreparer) setPwrs(pwrs tulip.KVMap) { @*) 18 | (*@ gpp.pwrsok = true @*) 19 | (*@ gpp.pwrs = pwrs @*) 20 | (*@ } @*) 21 | iNamed "Hpwrs". 22 | do 2 wp_storeField. 23 | iApply "HΦ". 24 | by iFrame "∗ #". 25 | Qed. 26 | 27 | End program. 28 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/backup/bgpreparer_stop.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.backup Require Import bgpreparer_repr. 3 | 4 | Section program. 5 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 6 | 7 | Theorem wp_BackupGroupPreparer__stop (gpp : loc) phase : 8 | {{{ own_backup_gpreparer_phase gpp phase }}} 9 | BackupGroupPreparer__stop #gpp 10 | {{{ RET #(); own_backup_gpreparer_phase gpp BGPPStopped }}}. 11 | Proof. 12 | iIntros (Φ) "Hphase HΦ". 13 | wp_rec. 14 | 15 | (*@ func (gpp *BackupGroupPreparer) stop() { @*) 16 | (*@ gpp.phase = BGPP_STOPPED @*) 17 | (*@ } @*) 18 | iNamed "Hphase". 19 | wp_storeField. 20 | iApply "HΦ". 21 | by iFrame. 22 | Qed. 23 | 24 | End program. 25 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/gcoord/gpreparer_get_phase.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.gcoord Require Import gpreparer_repr. 3 | 4 | Section program. 5 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 6 | 7 | Theorem wp_GroupPreparer__getPhase (gpp : loc) phase ts gid γ : 8 | {{{ own_gpreparer_with_phase gpp phase ts gid γ }}} 9 | GroupPreparer__getPhase #gpp 10 | {{{ RET #(gppphase_to_u64 phase); 11 | own_gpreparer_with_phase gpp phase ts gid γ ∗ 12 | safe_gpreparer_phase γ ts gid phase 13 | }}}. 14 | Proof. 15 | iIntros (Φ) "Hgpp HΦ". 16 | wp_rec. 17 | 18 | (*@ func (gpp *GroupPreparer) getPhase() uint64 { @*) 19 | (*@ return gpp.phase @*) 20 | (*@ } @*) 21 | iNamed "Hgpp". iNamed "Hphase". 22 | wp_loadField. 23 | rewrite Hphase. 24 | iApply "HΦ". 25 | by iFrame "∗ # %". 26 | Qed. 27 | 28 | End program. 29 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/replica/replica_refresh.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.replica Require Import 3 | replica_repr replica_finalized replica_last_proposal replica_acquire 4 | replica_accept replica_log. 5 | 6 | Section program. 7 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 8 | 9 | Theorem wp_Replica__refresh (rp : loc) (ts : u64) (rank : u64) gid rid γ α : 10 | {{{ own_replica rp gid rid γ α }}} 11 | Replica__refresh #rp #ts #rank 12 | {{{ RET #(); own_replica rp gid rid γ α }}}. 13 | Proof. 14 | iIntros (Φ) "Hrp HΦ". 15 | wp_rec. wp_pures. by iApply "HΦ". 16 | (*@ func (rp *Replica) refresh(ts uint64, rank uint64) { @*) 17 | (*@ // TODO @*) 18 | (*@ } @*) 19 | Qed. 20 | 21 | End program. 22 | -------------------------------------------------------------------------------- /src/program_proof/tulip/program/txn/txn_reset.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.tulip.program Require Import prelude. 2 | From Perennial.program_proof.tulip.program.txn Require Import txn_repr txn_resetwrs. 3 | 4 | Section program. 5 | Context `{!heapGS Σ, !tulip_ghostG Σ}. 6 | 7 | Theorem wp_Txn__reset (txn : loc) wrs q : 8 | {{{ own_txn_wrs txn q wrs }}} 9 | Txn__reset #txn 10 | {{{ RET #(); own_txn_wrs txn (DfracOwn 1) ∅ }}}. 11 | Proof. 12 | iIntros (Φ) "Hwrs HΦ". 13 | wp_rec. 14 | 15 | (*@ func (txn *Txn) reset() { @*) 16 | (*@ txn.resetwrs() @*) 17 | (*@ } @*) 18 | wp_apply (wp_Txn__resetwrs with "Hwrs"). 19 | iIntros "Hwrs". 20 | wp_pures. 21 | iApply "HΦ". 22 | by iFrame. 23 | Qed. 24 | 25 | End program. 26 | -------------------------------------------------------------------------------- /src/program_proof/tulip/tulip_proof.v: -------------------------------------------------------------------------------- 1 | (* paxos *) 2 | From Perennial.program_proof.tulip.paxos.program Require Export 3 | start paxos_submit paxos_lookup. 4 | (* tulip *) 5 | From Perennial.program_proof.tulip.program.replica Require Export 6 | start. 7 | From Perennial.program_proof.tulip.program.txn Require Export 8 | mk_txn txn_run txn_read txn_write txn_delete. 9 | -------------------------------------------------------------------------------- /src/program_proof/tulip/vok.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | basedir='./src/program_proof/tulip' 4 | dir='' 5 | prefix='' 6 | 7 | while getopts ":d:p:" option; do 8 | case $option in 9 | d) dir=${OPTARG};; 10 | p) prefix=${OPTARG};; 11 | \?) echo "Error: Invalid option" 12 | exit;; 13 | esac 14 | done 15 | 16 | echo "Checking files in: ${dir}" 17 | echo "Matching files with prefix: ${prefix}" 18 | 19 | # On macOS, install 'gfind' with `brew install findutils` 20 | cd "$(dirname $0)"/../../../ 21 | files=`gfind ${basedir}/${dir} -name "${prefix}*.v" ! -name "print_assumptions.v" | sed "s/\.v/\.vok/"` 22 | if [[ -z ${files} ]]; then 23 | echo "No target files." 24 | exit 1 25 | fi 26 | 27 | echo "Checking:" 28 | echo "`basename ${files}`" 29 | make --ignore-errors -j8 ${files} 30 | -------------------------------------------------------------------------------- /src/program_proof/tulip/vos.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | basedir='./src/program_proof/tulip' 4 | dir='' 5 | prefix='' 6 | 7 | while getopts ":d:p:" option; do 8 | case $option in 9 | d) dir=${OPTARG};; 10 | p) prefix=${OPTARG};; 11 | \?) echo "Error: Invalid option" 12 | exit;; 13 | esac 14 | done 15 | 16 | echo "Checking files in: ${dir}" 17 | echo "Matching files with prefix: ${prefix}" 18 | 19 | # On macOS, install 'gfind' with `brew install findutils` 20 | cd "$(dirname $0)"/../../../ 21 | files=`gfind ${basedir}/${dir} -name "${prefix}*.v" ! -name "print_assumptions.v" | sed "s/\.v/\.vos/"` 22 | if [[ -z ${files} ]]; then 23 | echo "No target files." 24 | exit 1 25 | fi 26 | 27 | echo "Checking:" 28 | echo "`basename ${files}`" 29 | make --ignore-errors -j8 ${files} 30 | -------------------------------------------------------------------------------- /src/program_proof/tutorial/.gitattributes: -------------------------------------------------------------------------------- 1 | kvservice/get_proof.v linguist-generated 2 | kvservice/put_proof.v linguist-generated 3 | kvservice/conditionalput_proof.v linguist-generated 4 | objectstore/**/**_proof.v linguist-generated 5 | -------------------------------------------------------------------------------- /src/program_proof/unittest.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import disk_prelude. 2 | From Goose.github_com.goose_lang.goose Require Import unittest. 3 | 4 | Section proof. 5 | Context `{!heapGS Σ}. 6 | 7 | Lemma proph_test : ⊢ WP unittest.Oracle #() {{ _, True }}. 8 | Proof. 9 | iStartProof. wp_rec. 10 | wp_apply wp_NewProph_list. 11 | iIntros (p pvs1) "Hp". 12 | wp_apply (wp_ResolveProph_list with "Hp"). 13 | iIntros (pvs2) "[_ Hp]". 14 | wp_apply (wp_ResolveProph_list with "Hp"). 15 | iIntros (pvs3) "[_ Hp]". 16 | wp_pures. auto. 17 | Qed. 18 | 19 | End proof. 20 | -------------------------------------------------------------------------------- /src/program_proof/verus/inv.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | 3 | Section proof. 4 | 5 | Context `{!heapGS Σ}. 6 | (* This is to justify the inv_acc rule with lc in Verus *) 7 | Lemma inv_acc N P : 8 | inv N P -∗ 9 | ∀ E, 10 | ⌜ ↑N ⊆ E ⌝ -∗ £ 1 -∗ 11 | |={E, E∖↑N}=> (P ∗ (P -∗ |={E∖↑N,E}=> True)). 12 | Proof. 13 | iIntros "Hinv". 14 | iIntros (??) "Hlc". 15 | iInv "Hinv" as "Hi" "Hclose". 16 | iMod (lc_fupd_elim_later with "Hlc Hi") as "Hi". 17 | iModIntro. 18 | iFrame "Hi". iIntros. 19 | iApply "Hclose". iFrame. 20 | Qed. 21 | 22 | End proof. 23 | -------------------------------------------------------------------------------- /src/program_proof/vrsm/apps/exactlyonce/log.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From iris.algebra Require Export mono_list. 3 | Section log_defn. 4 | 5 | Context `{!inG Σ (mono_listR (leibnizO A))}. 6 | Definition own_log γ l := own γ (●ML{#1/2} l). 7 | 8 | End log_defn. 9 | -------------------------------------------------------------------------------- /src/program_proof/vrsm/apps/print_assumptions.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof.vrsm Require kv_proof closed_proof config_proof reconfig.proof. 2 | From Perennial.program_proof.cachekv Require proof. 3 | 4 | Definition lemmas := 5 | (@config_proof.wp_StartServer, 6 | @reconfig.proof.wp_Reconfig, 7 | @kv_proof.wp_Start, 8 | @kv_proof.wp_MakeClerk, 9 | @kv_proof.wp_Clerk__Put, 10 | @kv_proof.wp_Clerk__Get, 11 | @kv_proof.wp_Clerk__CondPut, 12 | @cachekv.proof.wp_CacheKv__Get, 13 | @cachekv.proof.wp_CacheKv__GetAndCache, 14 | @cachekv.proof.wp_CacheKv__Put 15 | ). 16 | 17 | Print Assumptions lemmas. 18 | 19 | Print Assumptions closed_proof.closed.closed_bank. 20 | -------------------------------------------------------------------------------- /src/program_proof/vrsm/marshal_template.txt: -------------------------------------------------------------------------------- 1 | Definition has_encoding (encoded:list u8) (args:C) : Prop := 2 | encoded = (u64_le args.(epoch)) ++ args.(state). 3 | 4 | Context `{!heapGS Σ}. 5 | 6 | Definition own args_ptr args : iProp Σ := 7 | ∃ state_sl, 8 | "Hargs_epoch" ∷ args_ptr ↦[pb.ApplyArgs :: "epoch"] #args.(epoch) ∗ 9 | "Hargs_state" ∷ args_ptr ↦[pb.ApplyArgs :: "op"] (slice_val state_sl) ∗ 10 | "Hargs_state_sl" ∷ own_slice_small state_sl byteT 1 args.(state) 11 | . 12 | 13 | Lemma wp_Encode (args_ptr:loc) (args:C) : 14 | {{{ 15 | own args_ptr args 16 | }}} 17 | pb.EncodeSetStateArgs #args_ptr 18 | {{{ 19 | enc enc_sl, RET (slice_val enc_sl); 20 | ⌜has_encoding enc args⌝ ∗ 21 | own_slice enc_sl byteT 1 enc 22 | }}}. 23 | Admitted. 24 | 25 | Lemma wp_Decode enc enc_sl (args:C) : 26 | {{{ 27 | ⌜has_encoding enc args⌝ ∗ 28 | own_slice enc_sl byteT 1 enc 29 | }}} 30 | pb.DecodeSetStateArgs (slice_val enc_sl) 31 | {{{ 32 | args_ptr, RET #args_ptr; own args_ptr args 33 | }}}. 34 | Admitted. 35 | -------------------------------------------------------------------------------- /src/program_proof/vrsm/notes.txt: -------------------------------------------------------------------------------- 1 | Would be nice to improve: 2 | * slice library, specifically splitting ownership of a slice across threads 3 | * if statements with && and || 4 | * when locking and unlocking multiple times in a single function, the context 5 | gets polluted and the proofs do big `iClear`s. 6 | -------------------------------------------------------------------------------- /src/program_proof/vrsm/paxos/clerk_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From Goose.github_com.mit_pdos.gokv Require paxos. 3 | From Perennial.program_proof.reconnectclient Require Import proof. 4 | From Perennial Require Export paxos.definitions. 5 | 6 | Section clerk_proof. 7 | Context `{!heapGS Σ}. 8 | Context `{!paxosG Σ}. 9 | Context `{Hparams:!paxosParams.t Σ}. 10 | Import paxosParams. 11 | 12 | Lemma wp_makeSingleClerk (host:u64) γ γsrv : 13 | {{{ 14 | is_paxos_host host γ γsrv 15 | }}} 16 | MakeSingleClerk #host 17 | {{{ 18 | ck, RET #ck; is_singleClerk ck γ γsrv 19 | }}} 20 | . 21 | Proof. 22 | iIntros (?) "#Hhost HΦ". 23 | wp_rec. 24 | wp_apply wp_MakeReconnectingClient. 25 | iIntros (?) "#Hcl". 26 | wp_apply (wp_allocStruct); first by val_ty. 27 | iIntros (?) "Hs". iDestruct (struct_fields_split with "Hs") as "HH". 28 | iNamed "HH". 29 | iMod (readonly_alloc_1 with "cl") as "#cl". 30 | wp_pures. iModIntro. iApply "HΦ". 31 | repeat iExists _; iFrame "#". 32 | Qed. 33 | 34 | End clerk_proof. 35 | -------------------------------------------------------------------------------- /src/program_proof/vrsm/paxos/weakread_proof.v: -------------------------------------------------------------------------------- 1 | From Perennial.program_proof Require Import grove_prelude. 2 | From Goose.github_com.mit_pdos.gokv.vrsm Require paxos. 3 | From Perennial Require Export paxos.definitions. 4 | 5 | Section weakread_proof. 6 | 7 | Context `{!heapGS Σ}. 8 | Context `{Hparams:!paxosParams.t Σ}. 9 | Import paxosParams. 10 | Context `{!paxosG Σ}. 11 | 12 | Lemma wp_Server__WeakRead s γ γsrv : 13 | {{{ 14 | is_Server s γ γsrv 15 | }}} 16 | Server__WeakRead #s 17 | {{{ 18 | (state:list u8) sl, RET (slice_val sl); 19 | readonly (own_slice_small sl byteT (DfracOwn 1) state) ∗ 20 | Pwf state 21 | }}}. 22 | Proof. 23 | iIntros (Φ) "#Hsrv HΦ". 24 | wp_rec. wp_pures. 25 | iNamed "Hsrv". 26 | wp_loadField. 27 | wp_apply (wp_Mutex__Lock with "[$]"). 28 | iIntros "[Hlocked Hown]". 29 | iNamed "Hown". 30 | iNamed "Hvol". 31 | wp_loadField. 32 | wp_loadField. 33 | wp_loadField. 34 | wp_apply (wp_Mutex__Unlock with "[-HΦ]"). 35 | { 36 | do 2 iFrame "∗#%". 37 | } 38 | wp_pures. 39 | iModIntro. 40 | iApply "HΦ". 41 | iFrame "∗#". 42 | Qed. 43 | 44 | End weakread_proof. 45 | -------------------------------------------------------------------------------- /src/program_proof/wal/proof.v: -------------------------------------------------------------------------------- 1 | (* for now this file just depends on the rest of the proofs, but eventually we 2 | need to compose some things together *) 3 | From Perennial.program_proof.wal Require 4 | flush_proof 5 | read_proof 6 | write_proof 7 | logger_proof 8 | installer_proof 9 | recovery_proof. 10 | 11 | From Perennial.program_proof.wal Require highest. 12 | -------------------------------------------------------------------------------- /src/program_proof/wal/specs.v: -------------------------------------------------------------------------------- 1 | From RecordUpdate Require Import RecordSet. 2 | Import RecordSetNotations. 3 | 4 | From Goose.github_com.mit_pdos.go_journal Require Import wal. 5 | 6 | From Perennial.program_proof Require util_proof. 7 | From Perennial.program_proof Require Import disk_prelude disk_lib. 8 | From Perennial.program_proof Require Import wal.lib. 9 | From Perennial.program_proof Require Export wal.transitions. 10 | From Perennial.program_proof Require Export wal.invariant. 11 | From Perennial.program_proof Require Export wal.circ_proof. 12 | From Perennial.program_proof Require Export wal.flush_proof. 13 | From Perennial.program_proof Require Export wal.installer_proof. 14 | From Perennial.program_proof Require Export wal.logger_proof. 15 | From Perennial.program_proof Require Export wal.read_proof. 16 | From Perennial.program_proof Require Export wal.recovery_proof. 17 | From Perennial.program_proof Require Export wal.write_proof. 18 | --------------------------------------------------------------------------------