A stratified heap with two universes, enabling storing "small" heap predicates in the larger heap #19
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…e second layer of the heap; not yet connected to PulseCore.Memory though
|
Note, this commit gives a sense of the changes incurred in the Pulse checker and libraries for a universe bump: It's relatively small. If F* had a way to declare top-level universe constants, e.g., |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR enriches the memory model of Pulse to use PulseCore.TwoLevelHeap
The underlying memory now contains the following:
A pair of a small heap and a large heap is called a TwoLevelHeap, or H2.heap.
The core Pulse.Lib.Core.vprop is now an affine H2.heap -> prop, where
vprop : Type u#3(We also have an invariant store in PulseCore.Memory, storing
slpropas invariants, this is mostly unchanged, except for a universe level increase, and some other cleanup, notably, directly using PulseCore.MonotonicStateMonad in a universe-polymorphic way, rather than using FStar.MSTTotal, which fixes the state to be in universe 1.)We also have two functions
down : vprop -> small_slpropandup: small_slprop -> vprop, wheresmall_slprop : Type u#2And a predicate
is_small (p:vprop) = up (down p) == pThat is,
vpropvalidatingis_smallcan be coerced to small_slprops without loss of information, and then coerced back.Most familiar predicates are small, e.g,
emp,pure,pts_to,ghost_pts_toetc.The connectives ** and exists* form small vprops if their arguments are also small.
But, we now also have
Pulse.Lib.BigReference.pts_to (#a:Type u#2) (x:ref a) (#p:perm) (v:a) : vpropthat allows storing terms in universe 2 in the heap, including, notablysmall_slprop.An example PulseExample.UseBigRef shows how it works, storing list of closures packed with small vprops denoting their pre and postconditions.
Note, we also have Pulse.Lib.BigGhostReference, for a ghost variant of a reference to store a universe 2 term.
I plan to add one more level to the heap, this one to turn any slprop into a resourceful invariant---so, expect one more universe bump.