Move to a relational approach to encode map

yunshengtw · yunshengtw · commit e3274872cc71 · 2024-11-25T21:39:16.000-05:00
diff --git a/external/Goose/github_com/mit_pdos/tulip/util.v b/external/Goose/github_com/mit_pdos/tulip/util.v
@@ -51,39 +51,34 @@ Definition CountBoolMap: val :=
 
 Definition EncodeString: val :=
   rec: "EncodeString" "bs" "str" :=
-    let: "data" := ref_to (slice.T byteT) "bs" in
-    "data" <-[slice.T byteT] (marshal.WriteInt (![slice.T byteT] "data") (StringLength "str"));;
-    "data" <-[slice.T byteT] (marshal.WriteBytes (![slice.T byteT] "data") (StringToBytes "str"));;
-    ![slice.T byteT] "data".
+    let: "bs1" := marshal.WriteInt "bs" (StringLength "str") in
+    let: "data" := marshal.WriteBytes "bs1" (StringToBytes "str") in
+    "data".
 
 Definition EncodeStrings: val :=
   rec: "EncodeStrings" "bs" "strs" :=
-    let: "data" := ref_to (slice.T byteT) "bs" in
-    "data" <-[slice.T byteT] (marshal.WriteInt (![slice.T byteT] "data") (slice.len "strs"));;
+    let: "data" := ref_to (slice.T byteT) (marshal.WriteInt "bs" (slice.len "strs")) in
     ForSlice stringT <> "s" "strs"
       ("data" <-[slice.T byteT] (EncodeString (![slice.T byteT] "data") "s"));;
     ![slice.T byteT] "data".
 
 Definition DecodeString: val :=
   rec: "DecodeString" "bs" :=
-    let: "data" := ref_to (slice.T byteT) "bs" in
-    let: ("sz", "data") := marshal.ReadInt (![slice.T byteT] "data") in
-    let: ("bsr", "data") := marshal.ReadBytes (![slice.T byteT] "data") "sz" in
-    (StringFromBytes "bsr", ![slice.T byteT] "data").
+    let: ("sz", "bs1") := marshal.ReadInt "bs" in
+    let: ("bsr", "data") := marshal.ReadBytes "bs1" "sz" in
+    (StringFromBytes "bsr", "data").
 
 Definition DecodeStrings: val :=
   rec: "DecodeStrings" "bs" :=
-    let: "data" := ref_to (slice.T byteT) "bs" in
-    let: ("n", "data") := marshal.ReadInt (![slice.T byteT] "data") in
+    let: ("n", "bs1") := marshal.ReadInt "bs" in
+    let: "data" := ref_to (slice.T byteT) "bs1" in
     let: "ents" := ref_to (slice.T stringT) (NewSliceWithCap stringT #0 "n") in
     let: "i" := ref_to uint64T #0 in
-    let: "s" := ref (zero_val stringT) in
     Skip;;
     (for: (λ: <>, (![uint64T] "i") < "n"); (λ: <>, Skip) := λ: <>,
-      let: ("0_ret", "1_ret") := DecodeString (![slice.T byteT] "data") in
-      "s" <-[stringT] "0_ret";;
-      "data" <-[slice.T byteT] "1_ret";;
-      "ents" <-[slice.T stringT] (SliceAppend stringT (![slice.T stringT] "ents") (![stringT] "s"));;
+      let: ("s", "bsloop") := DecodeString (![slice.T byteT] "data") in
+      "ents" <-[slice.T stringT] (SliceAppend stringT (![slice.T stringT] "ents") "s");;
+      "data" <-[slice.T byteT] "bsloop";;
       "i" <-[uint64T] ((![uint64T] "i") + #1);;
       Continue);;
     (![slice.T stringT] "ents", ![slice.T byteT] "data").
diff --git a/src/program_proof/tulip/base.v b/src/program_proof/tulip/base.v
@@ -251,68 +251,3 @@ Class tulip_ghostG (Σ : gFunctors).
 
 Record tulip_names := {}.
 Record replica_names := {}.
-
-Section msg.
-
-  Inductive txnreq :=
-  | ReadReq        (ts : u64) (key : string)
-  | FastPrepareReq (ts : u64) (pwrs : dbmap)
-  | ValidateReq    (ts : u64) (rank : u64) (pwrs : dbmap)
-  | PrepareReq     (ts : u64) (rank : u64)
-  | UnprepareReq   (ts : u64) (rank : u64)
-  | QueryReq       (ts : u64) (rank : u64)
-  | RefreshReq     (ts : u64) (rank : u64)
-  | CommitReq      (ts : u64) (pwrs : dbmap)
-  | AbortReq       (ts : u64).
-
-  #[global]
-  Instance txnreq_eq_decision :
-    EqDecision txnreq.
-  Proof. solve_decision. Qed.
-
-  #[global]
-  Instance txnreq_countable :
-    Countable txnreq.
-  Admitted.
-
-  Definition encode_txnreq (req : txnreq) : list u8.
-  Admitted.
-
-  Inductive rpres :=
-  | ReplicaOK
-  | ReplicaCommittedTxn
-  | ReplicaAbortedTxn
-  | ReplicaStaleCoordinator
-  | ReplicaFailedValidation
-  | ReplicaInvalidRank
-  | ReplicaWrongLeader.
-
-  #[global]
-  Instance rpres_eq_decision :
-    EqDecision rpres.
-  Proof. solve_decision. Qed.
-
-  Inductive txnresp :=
-  | ReadResp        (ts : u64) (rid : u64) (key : string) (ver : dbpver) (slow : bool)
-  | FastPrepareResp (ts : u64) (rid : u64) (res : rpres)
-  | ValidateResp    (ts : u64) (rid : u64) (res : rpres)
-  | PrepareResp     (ts : u64) (rank : u64) (rid : u64) (res : rpres)
-  | UnprepareResp   (ts : u64) (rank : u64) (rid : u64) (res : rpres)
-  | QueryResp       (ts : u64) (res : rpres)
-  | CommitResp      (ts : u64) (res : rpres)
-  | AbortResp       (ts : u64) (res : rpres).
-
-  #[global]
-  Instance txnresp_eq_decision :
-    EqDecision txnresp.
-  Proof. solve_decision. Qed.
-
-  #[global]
-  Instance txnresp_countable :
-    Countable txnresp.
-  Admitted.
-
-  Definition encode_txnresp (resp : txnresp) : list u8.
-  Admitted.
-
-End msg.
diff --git a/src/program_proof/tulip/encode.v b/src/program_proof/tulip/encode.v
@@ -0,0 +1,84 @@
+From Perennial.program_proof Require Import grove_prelude.
+From Perennial.program_proof.tulip Require Import base.
+
+Definition encode_string (x : string) : list u8 :=
+  let bs := string_to_bytes x in
+  u64_le (U64 (length bs)) ++ bs.
+
+Opaque encode_string.
+
+Definition encode_strings_step (bs : list u8) (x : string) : list u8 :=
+  bs ++ encode_string x.
+
+Definition encode_strings_xlen (xs : list string) : list u8 :=
+  foldl encode_strings_step [] xs.
+
+Definition encode_strings (xs : list string) : list u8 :=
+  u64_le (U64 (length xs)) ++ encode_strings_xlen xs.
+
+Lemma encode_strings_xlen_snoc xs x :
+  encode_strings_xlen (xs ++ [x]) = encode_strings_xlen xs ++ encode_string x.
+Proof.
+  by rewrite /encode_strings_xlen foldl_snoc /encode_strings_step.
+Qed.
+
+Lemma foldl_encode_strings_step_app (bs : list u8) (xs : list string) :
+  foldl encode_strings_step bs xs = bs ++ foldl encode_strings_step [] xs.
+Proof.
+  generalize dependent bs.
+  induction xs as [| x xs IH]; intros bs.
+  { by rewrite /= app_nil_r. }
+  rewrite /= (IH (encode_strings_step bs x)) (IH (encode_strings_step [] x)).
+  rewrite {1 3}/encode_strings_step.
+  by rewrite app_nil_l app_assoc.
+Qed.
+
+Lemma encode_strings_xlen_cons xs x :
+  encode_strings_xlen (x :: xs) = encode_string x ++ encode_strings_xlen xs.
+Proof.
+  rewrite /encode_strings_xlen /= foldl_encode_strings_step_app.
+  by rewrite {1}/encode_strings_step app_nil_l.
+Qed.
+
+Lemma encode_strings_xlen_length_inv xs n :
+  (length (encode_strings_xlen xs) ≤ n)%nat ->
+  (length xs ≤ n)%nat.
+Proof.
+  generalize dependent n.
+  induction xs as [| x xs IH]; intros n; first done.
+  rewrite encode_strings_xlen_cons length_app /=.
+  assert (length (encode_string x) ≠ O).
+  { by destruct (nil_or_length_pos (encode_string x)). }
+  intros Hlen.
+  assert (Hlenxs : (length xs ≤ pred n)%nat).
+  { apply IH. lia. }
+  lia.
+Qed.
+
+Lemma encode_strings_length_inv xs n :
+  (length (encode_strings xs) ≤ n)%nat ->
+  (length xs ≤ n)%nat.
+Proof.
+  rewrite /encode_strings length_app.
+  intros Hn.
+  pose proof (encode_strings_xlen_length_inv xs n) as Hlen.
+  lia.
+Qed.
+
+Definition encode_dbval (x : dbval) : list u8 :=
+  match x with
+  | Some v => [U8 0] ++ encode_string v
+  | None => [U8 1]
+  end.
+
+Definition encode_dbmod (x : dbmod) : list u8 :=
+  encode_string x.1 ++ encode_dbval x.2.
+
+Fixpoint encode_dbmods (xs : list dbmod) : list u8 :=
+  match xs with
+  | x :: tail => encode_dbmod x ++ encode_dbmods tail
+  | _ => []
+  end.
+
+Definition encode_dbmap (m : dbmap) (data : list u8) :=
+  ∃ xs, data = u64_le (size m) ++ encode_dbmods xs ∧ xs ≡ₚ map_to_list m.
diff --git a/src/program_proof/tulip/inv.v b/src/program_proof/tulip/inv.v
@@ -1,7 +1,7 @@
 From Perennial.program_proof Require Import grove_prelude.
 From Perennial.program_proof.rsm Require Import big_sep.
 From Perennial.program_proof.rsm.pure Require Import vslice extend quorum fin_maps.
-From Perennial.program_proof.tulip Require Import base res cmd.
+From Perennial.program_proof.tulip Require Import base res cmd msg.
 From Perennial.program_proof.tulip Require Export inv_txnsys inv_key inv_group inv_replica.
 
 Section inv.
@@ -222,7 +222,7 @@ Section inv_network.
       (* senders are always reachable *)
       "#Hsender" ∷ ([∗ set] trml ∈ set_map msg_sender ms, is_terminal γ gid trml) ∗
       "#Hreqs"   ∷ ([∗ set] req ∈ reqs, safe_txnreq γ gid req) ∗
-      "%Henc"    ∷ ⌜(set_map msg_data ms : gset (list u8)) ⊆ set_map encode_txnreq reqs⌝.
+      "%Henc"    ∷ ⌜set_Forall (λ x, ∃ req, req ∈ reqs ∧ encode_txnreq req (msg_data x)) ms⌝.
 
   Definition connect_inv (trml : chan) (ms : gset message) gid γ : iProp Σ :=
     ∃ (resps : gset txnresp),
diff --git a/src/program_proof/tulip/msg.v b/src/program_proof/tulip/msg.v
@@ -0,0 +1,69 @@
+From Perennial.program_proof Require Import grove_prelude.
+From Perennial.program_proof.tulip Require Import base encode.
+
+Inductive txnreq :=
+| ReadReq        (ts : u64) (key : string)
+| FastPrepareReq (ts : u64) (pwrs : dbmap)
+| ValidateReq    (ts : u64) (rank : u64) (pwrs : dbmap)
+| PrepareReq     (ts : u64) (rank : u64)
+| UnprepareReq   (ts : u64) (rank : u64)
+| QueryReq       (ts : u64) (rank : u64)
+| RefreshReq     (ts : u64) (rank : u64)
+| CommitReq      (ts : u64) (pwrs : dbmap)
+| AbortReq       (ts : u64).
+
+#[global]
+Instance txnreq_eq_decision :
+  EqDecision txnreq.
+Proof. solve_decision. Qed.
+
+#[global]
+Instance txnreq_countable :
+  Countable txnreq.
+Admitted.
+
+Definition encode_fast_prepare_req (ts : u64) (pwrs : dbmap) (data : list u8) :=
+  ∃ datapwrs, data = u64_le (U64 201) ++ u64_le ts ++ datapwrs ∧ encode_dbmap pwrs datapwrs.
+
+Definition encode_txnreq (req : txnreq) (data : list u8) :=
+  match req with
+  | FastPrepareReq ts pwrs => encode_fast_prepare_req ts pwrs data
+  | _ => True
+  end.
+
+Inductive rpres :=
+| ReplicaOK
+| ReplicaCommittedTxn
+| ReplicaAbortedTxn
+| ReplicaStaleCoordinator
+| ReplicaFailedValidation
+| ReplicaInvalidRank
+| ReplicaWrongLeader.
+
+#[global]
+  Instance rpres_eq_decision :
+  EqDecision rpres.
+Proof. solve_decision. Qed.
+
+Inductive txnresp :=
+| ReadResp        (ts : u64) (rid : u64) (key : string) (ver : dbpver) (slow : bool)
+| FastPrepareResp (ts : u64) (rid : u64) (res : rpres)
+| ValidateResp    (ts : u64) (rid : u64) (res : rpres)
+| PrepareResp     (ts : u64) (rank : u64) (rid : u64) (res : rpres)
+| UnprepareResp   (ts : u64) (rank : u64) (rid : u64) (res : rpres)
+| QueryResp       (ts : u64) (res : rpres)
+| CommitResp      (ts : u64) (res : rpres)
+| AbortResp       (ts : u64) (res : rpres).
+
+#[global]
+  Instance txnresp_eq_decision :
+  EqDecision txnresp.
+Proof. solve_decision. Qed.
+
+#[global]
+  Instance txnresp_countable :
+  Countable txnresp.
+Admitted.
+
+Definition encode_txnresp (resp : txnresp) : list u8.
+Admitted.
diff --git a/src/program_proof/tulip/prelude.v b/src/program_proof/tulip/prelude.v
@@ -5,4 +5,4 @@ From Perennial.program_proof.rsm.pure Require Export
   dual_lookup extend fin_maps fin_maps_list fin_sets largest_before list misc nat
   nonexpanding_merge sets vslice word quorum.
 From Perennial.program_proof.tulip Require Export
-  action base cmd res inv stability.
+  action base cmd encode res msg inv stability.
diff --git a/src/program_proof/tulip/program/gcoord/gcoord_send.v b/src/program_proof/tulip/program/gcoord/gcoord_send.v
@@ -10,7 +10,7 @@ Section encode.
       EncodeTxnReadRequest #ts #(LitString key)
     {{{ (dataP : Slice.t) (data : list u8), RET (to_val dataP);
         own_slice dataP byteT (DfracOwn 1) data ∗
-        ⌜data = encode_txnreq (ReadReq ts key)⌝
+        ⌜encode_txnreq (ReadReq ts key) data⌝
     }}}.
   Proof.
   Admitted.
@@ -146,8 +146,12 @@ Section program.
       iSplit.
       { iApply big_sepS_insert_2; [done | done]. }
       iPureIntro.
-      rewrite 2!set_map_union_L 2!set_map_singleton_L /= -Hdataenc.
-      set_solver.
+      apply set_Forall_union; last first.
+      { apply (set_Forall_impl _ _ _ Henc). intros m Hm. clear -Hm. set_solver. }
+      rewrite set_Forall_singleton.
+      exists req.
+      split; first set_solver.
+      done.
     }
     rewrite insert_delete_insert.
     iMod "Hmask" as "_".
diff --git a/src/program_proof/tulip/program/replica/replica_request_session.v b/src/program_proof/tulip/program/replica/replica_request_session.v
@@ -39,7 +39,7 @@ Section decode.
   Context `{!heapGS Σ, !tulip_ghostG Σ}.
 
   Theorem wp_DecodeTxnRequest (dataP : Slice.t) (data : list u8) (req : txnreq) :
-    data = encode_txnreq req ->
+    encode_txnreq req data ->
     {{{ own_slice dataP byteT (DfracOwn 1) data }}}
       DecodeTxnRequest (to_val dataP)
     {{{ (pwrsP : Slice.t), RET (txnreq_to_val req pwrsP);
@@ -209,12 +209,14 @@ Section program.
     destruct err; wp_pures.
     { by iApply "HΦ". }
     iDestruct "Herr" as "%Hmsg".
-    assert (∃ req, retdata = encode_txnreq req ∧ req ∈ reqs) as (req & Hreq & Hinreqs).
-    { specialize (Henc retdata).
-      apply (elem_of_map_2 msg_data (D := gset (list u8))) in Hmsg.
-      specialize (Henc Hmsg).
-      by rewrite elem_of_map in Henc.
-    }
+    apply Henc in Hmsg as Hreq.
+    destruct Hreq as (req & Hinreqs & Hreq). simpl in Hreq.
+    (* assert (∃ req, retdata = encode_txnreq req ∧ req ∈ reqs) as (req & Hreq & Hinreqs). *)
+    (* { specialize (Henc retdata). *)
+    (*   apply (elem_of_map_2 msg_data (D := gset (list u8))) in Hmsg. *)
+    (*   specialize (Henc Hmsg). *)
+    (*   by rewrite elem_of_map in Henc. *)
+    (* } *)
 
     (*@         req  := message.DecodeTxnRequest(ret.Data)                      @*)
     (*@         kind := req.Kind                                                @*)
diff --git a/src/program_proof/tulip/program/util/encode_string.v b/src/program_proof/tulip/program/util/encode_string.v
