# Artifact for Proof Automation for Linearizability in Separation Logic # Introduction This is the artifact accompanying 'Proof Automation for Linearizability in Separation Logic'. The paper describes new proof automation strategies for establishing linearizability, in two ways: by establishing logical atomicity, or contextual refinement. Proof automation strategies for both these goals are built by instantiating Diaframe 2.0, a proof automation framework for Iris's separation logic. (Iris itself is a separation logic framework in Coq.) The artifact is intended to back the claims made in the paper about the provided proof automation. To do so, the artifact contains the complete source code of Diaframe 2.0, its instantiations for logical atomicity and contextual refinement, and the examples on which the proof automation was benchmarked. The list of claims the artifact backs is as follows: 1. §2: Proof automation for contextual refinement is functional, and follows the procedure from §2.3. The rules in Fig. 4 hold. 2. §3: Proof automation for logical atomicity is functional, and follows the procedure from §3.3. AU-ACCESS-DIAFRAME holds. 3. §4: The description of Diaframe 2.0's proof automation framework is accurate. 4. §5.1: The comparison to Voila is accurate (Fig. 7) 5. §5.2: The comparison to interactive logical atomicity proofs is accurate (Fig. 8) 6. §5.4: The comparison to interactive proofs in ReLoC is accurate (Fig. 9) # Getting Started Guide The artifact contains the source-code of Diaframe 2.0 (`diaframe2-artifact-source.tgz`) as well as relevant dependencies. It also contains a virtual machine (`diaframe2-artifact-vm.ova`) where this source-code and dependencies have been pre-installed. Pick a version that suits you, then follow the corresponding instructions below. ## Use the virtual machine (`diaframe2-artifact-vm.ova`) To start the virtual machine, you need virtualization software. We recommend [Virtual Machine Manager](https://virt-manager.org/)(tested with version 2.2.1) or [VirtualBox](https://www.virtualbox.org/wiki/Downloads). VirtualBox can work with `.ova` files directly, to use Virtual Machine Manager one needs to convert this to a different format - see the end of this document. For the VM, we recommend at least 4 GB of RAM, although 2GB might also work. If you want to verify files in parallel we recommend 8GB of RAM. This VM contains all dependencies of Diaframe 2.0, as well as CoqIDE. To check that you have a functional installation, first open CoqIDE (third sidebar icon from the top, or press Start and type 'coq'). Now open (ctrl+O), for example, `atomic_spin_lock.v`, located in `~/Documents/paper-auto-iris-artifact/diaframe2-artifact-source/diaframe/supplements/diaframe_heap_lang_examples/logatom/`. Press Ctrl+End or the 'Go to end' arrow to run the verification. All (non-empty) lines should become green. To run this verification from the command line, open the terminal and navigate to `~/Documents/paper-auto-iris-artifact/diaframe2-artifact-source/diaframe`. First run ``` eval $(opam env) ``` to make opam functional. Then run ``` touch supplements/diaframe_heap_lang_examples/logatom/atomic_spinlock.v && make supplements/diaframe_heap_lang_examples/logatom/atomic_spinlock.vo ``` to force recompilation/reverification of the spin lock. This should at least print ``` COQC supplements/diaframe_heap_lang_examples/logatom/atomic_spin_lock.v ``` and terminate succesfully without printing errors. The user of the VM image is 'artifact' with password 'artifact'. To change the keyboard layout, press the cog/settings logo, go to 'Region & Language' and add your desired keyboard layout with the '+' button. ## Build locally from source (`diaframe2-artifact-source.tgz`) (Tested on 64-bits Ubuntu 20.04, and on a not very recent macbook) Building Diaframe from source requires a functioning (recent, i.e. >= 2.0.0) version of `opam`. To check whether this is the case, you can run `opam --version`. If you do not have a recent version of opam, follow [the instructions here](https://opam.ocaml.org/doc/Install.html). For macOS, we recommend installing the `gtime` command with `brew install gnu-time`. You can build the artifact by running the following commands: ``` tar xf diaframe2-artifact-source.tgz cd diaframe2-artifact-source ./build_artifact.sh ``` This will install all dependencies locally, compile Diaframe, and verify some of the examples listed in the paper. Depending on your system, `opam` might ask you to install additional system dependencies like `libgmp-dev`. Among other things, `./build_artifact.sh` creates a local opam switch in the current directory. To make opam able to use this local switch, run ``` eval $(opam env) ``` After this, you can check that Diaframe is functional by running ``` touch supplements/diaframe_heap_lang_examples/logatom/atomic_spinlock.v && make supplements/diaframe_heap_lang_examples/logatom/atomic_spinlock.vo ``` to force recompilation/reverification of the spin lock. This should at least print ``` COQC supplements/diaframe_heap_lang_examples/logatom/atomic_spinlock.v ``` and terminate succesfully without printing errors. ## Compilation targets Once you have a functioning `opam` with the proper dependencies, you can `make` Diaframe 2.0's various compilation targets. We list some relevant compliation targets here: - `diaframe`: core of Diaframe 2.0, not instantiated for a specific goal - `diaframe-heap-lang`: adds proof automation for weakest preconditions and logical atomicity for Iris's default language, HeapLang - `diaframe-reloc`: adds proof automation for ReLoC's contextual refinement - `logatom-voila`: compiles all logically atomic examples from Voila's benchmark - `logatom-other`: compiles all logically atomic examples for the comparison to interactive proofs - `reloc`: compiles all refinement examples to compare to ReLoC To get a report of compilation times, use `make pretty-timed TGTS="{your_target_here}" TIMING_INCLUDE_MEM=0` instead of `make {your_target_here}`. ## Directory structure The source code of the artifact can be found in the `diaframe` folder of the source code artifact, at `~/Documents/paper-auto-iris-artifact/diaframe2-artifact-source/diaframe` in the virtual machine artifact. This directory contains the following relevant subdirectories: - `diaframe` contains Diaframe's proof search procedure, not instantiated for a language or goal, and various hint libraries - `diaframe_heap_lang` contains an instantiation of Diaframe for weakest-preconditions on `heap_lang`, Iris's default language - `tutorial` contains five tutorial files with lots of comments, to get users started on using Diaframe - `tests` contains some files to test Diaframe's proof search, used for development - `supplements` contains verifications of various examples, and instantiations of Diaframe for ReLoC: - `supplements/diaframe_heap_lang_examples/comparison` contains all examples from the original benchmark of Diaframe 1.0 - `supplements/diaframe_heap_lang_examples/logatom` contains all logical atomicity verifications with Diaframe 2.0 - `supplements/diaframe_reloc/` contains the proof automation for ReLoC built with Diaframe 2.0 - `supplements/diaframe_reloc/examples` contains all ReLoC examples verified with above proof automation. - `utils` contains various scripts and other utilities, independent of the Coq formalization. For more information on the source code of Diaframe 2.0, see `diaframe/README.md`. To get started easily, we have included all Coq dependencies of Diaframe 2.0. These can be found in the `coq-stdpp`, `coq-iris`, `coq-iris-heap-lang`, `coq-reloc` and `coq-autosubst` folders, and are **not** part of the artifact. ## Using Diaframe 2.0 If you want to take a shot at using Diaframe 2.0 to verify linearizability of some program, these are the steps you need to take. They are discussed in more detail below. 1. Create a new file in `supplements/diaframe_heap_lang_examples` 2. Import heap_lang and Diaframe (+ hint libraries) 3. Define your program in Iris's default language, heap_lang 4. Write down specifications 5. Use the Diaframe tactics to (help) prove the specifications __We recommend checking out the tutorial-style files first__. These can be found in `diaframe/tutorial` and contain lots of comments to help you get started. It explains the general process of verifying examples, and also explains how to define your own hints. You can also look at the examples in `supplements/diaframe_heap_lang_examples/logatom` and `supplements/diaframe_reloc/examples`, although these are not commented on. For getting started on verifying contextual refinement, see `tutorial/ex3_xchg_refinements.v`. For getting started on verifying logical atomicity, see `tutorial/ex4_xchg_logatom.v`. #### 1. Create a new file We recommend using any Coq IDE (such as CoqIDE) to interact with Diaframe. Create a new file in a location where Coq can find Diaframe, such as `supplements/diaframe_heap_lang_examples`. #### 2. Import heap_lang and Diaframe Get access to heap_lang by adding `From iris.heap_lang Require Import proofmode.` This makes it possible to write down programs in the heap_lang language, and gives you access to some tactics that may be helpful when verifying heap_lang programs. Get access to Diaframe 2.0 for heap_lang by adding `From diaframe.heap_lang Require Import proof_automation.`. This gives you access to the `iStepS`, `iStepsS` and `iSmash` tactics. For more explanation on these tactics, see `diaframe/README.md`. #### 3. Write your program In this file, write down your program in the heap_lang language. heap_lang is a lambda-calculus with a heap, deeply embedded in Coq. An example function is: ``` Definition add_locs : val := λ: "l" "r", ! "l" + ! "r". ``` This defines a Coq-term `add_locs`, which has type `val`: a value in the heap_lang language. This value _is_ a function, and when applied to two locations, it returns the sum of their stored values. `add_locs` uses the `!` operation to load from a heap-location. Note that the binders in the function are strings (`"l"` and `"r"`), not regular Coq binders! Please also see the tutorial files in `diaframe/tutorial` for more examples and heap operations. You may also wish to consult [the heap_lang documentation](https://gitlab.mpi-sws.org/iris/iris/-/blob/master/docs/heap_lang.md). #### 4. Write down specifications for your program Please see the tutorial files for details and examples on writing specifications for programs. For getting started on verifying contextual refinement, see `tutorial/ex3_xchg_refinements.v`. For getting started on verifying logical atomicity, see `tutorial/ex4_xchg_logatom.v`. #### 5. Use Diaframe 2.0 to prove specifications. After writing the specification, enter the Coq proof mode with `Proof.` After at least a single whitespace, you can start using Diaframe tactics to construct a proof. Make Diaframe run a chunk of steps with the `iStepS` tactic. Run the automation until it finishes or gets stuck with the `iStepsS` tactic. If your goal/invariants contain disjunctions and you wish to use backtracking to choose a side, use the `iSmash` tactic. If the function you are verifying is not recursive, proofs usually only consist of `Proof. iStepsS. Qed.`, where one possibly needs to replace `iStepsS` with `iSmash`. It may be the case that Diaframe gets stuck. In this case you can try to manually prove the problematic part of the goal, then resume Diaframe's automation with `iStepsS`. Another option is to add appropriate hints, thereby teaching Diaframe to handle the problematic parts of the goal. See the tutorial files in `diaframe/tutorial` for examples. ## Extending or changing Diaframe 2.0 Please see `diaframe/README.md` for some pointers on extending or changing Diaframe 2.0. This file also contains more information on the directory structure and the function of each of the Coq source code files. # Step-by-Step Instructions To evaluate the artifact, we encourage you to check that the artifact supports the following list of claims made in the paper: 1. §2: Proof automation for contextual refinement is functional, and follows the procedure from §2.3. The rules in Fig. 4 hold. 2. §3: Proof automation for logical atomicity is functional, and follows the procedure from §3.3. AU-ACCESS-DIAFRAME holds. 3. §4: The description of Diaframe 2.0's proof automation framework is accurate. 4. §5.1: The comparison to Voila is accurate (Fig. 7) 5. §5.2: The comparison to interactive logical atomicity proofs is accurate (Fig. 8) 6. §5.4: The comparison to interactive proofs in ReLoC is accurate (Fig. 9) Each claim above comes with a subsection below, describing our suggestions to verify the claims. ## Claim 1 (§2): Proof automation for contextual refinement is functional, and follows the procedure from §2.3. The rules in Fig. 4 hold. The example contextual refinement from §2 can be found in `supplements/diaframe_reloc/examples/paper_example.v`. To establish that the proof automation is functional, verify this file using either a Coq IDE, or the command line. When using the command line, the procedure is: 1. Navigate to the `diaframe` folder (not `diaframe/diaframe`!). 2. Activate the correct opam switch with `eval $(opam env)` 3. Run: `touch supplements/diaframe_reloc/examples/paper_example.v && make supplements/diaframe_reloc/examples/paper_example.vo`. This will print some things to the console: the two assumed Axioms under which the proven refinement holds. These axioms all stem from dependencies of Diaframe 2.0. The first one is an admitted lemma in ReLoC, whose fix is yet to be merged. The second one is functional extensionality, which is assumed by `autosubst`, a dependency of ReLoC. To check that the proof automation works for other examples, see Claim 6: §5.4: The comparison to interactive proofs in ReLoC is accurate (Fig. 9). One can check that the proof automation follows the procedure from §2.3 by 'stepping' through the proof. That is, replace calls to the `iStepsS.` tactic with multiple `iStepS. ` and verify that each new goal is what you expect from §2.3. The rules in Figure 4 are proven in the separate file `supplements/diaframe_reloc/correspondence_figure_4.v`. This file only demonstrates that the shown rules hold, and is not used by the proof automation itself. The corresponding rules in the proof automation are more abstract and their correspondence is harder to see. For completeness, we list them below. - `refines_values_abduct` in `supplements/diaframe_reloc/proof_automation.v`, line 17-20 for both `val_Z` and `val_fun`. - `refinement_bind` in `supplements/diaframe_reloc/proof_automation.v`, line 102-106 for `reloc_apply`. This includes machinery to find appropriate evaluation contexts `K` automatically. - `left_execute_reduction_compat` in `supplements/diaframe_reloc/symb_exec.v`, line 244-246 contains the proof of `exec_l` in more generality. Its effect is that any specification for WPs can be used as a specification for a refinement, but this is quite difficult to see directly. - `left_execute_reduction_compat` in `supplements/diaframe_reloc/symb_exec.v`, line 244-246 contains the proof of `exec_l` in more generality. Its effect is that any specification for WPs can be used as a specification for a refinement, but this is quite difficult to see directly. - `right_execute_reduction_compat` in `supplements/diaframe_reloc/symb_exec.v`, line 96-98 contains the proof of `exec_r` in more generality. Its effect is like above, but for thread pool specifications. ## Claim 2 (§3): Proof automation for logical atomicity is functional, and follows the procedure from §3.3. `AU-ACCESS-DIAFRAME` holds. The example logically atomic triple from §3 can be found in `supplements/diaframe_reloc/examples/paper_example.v`. To establish that the proof automation is functional, verify this file using either a Coq IDE, or the command line. When using the command line, the procedure is: 1. Navigate to the `diaframe` folder (not `diaframe/diaframe`!). 2. Activate the correct opam switch with `eval $(opam env)` 3. Run: `touch supplements/diaframe_reloc/examples/paper_example.v && make supplements/diaframe_reloc/examples/paper_example.vo` Note that above file contains both the contextual refinement and the logically atomic triple. The logical atomicity part starts at line 65. To check that the proof automation works for other examples, see Claim 4 and Claim 5. One can check that the proof automation follows the procedure from §3.3 by 'stepping' through the proof. That is, replace calls to the `iStepsS.` tactic with multiple `iStepS. ` and verify that each new goal is what you expect from §3.3. The `AU-ACCESS-DIAFRAME` rule is called `atomic_update_access` and located in `diaframe/lib/atomic.v` at line 113-121. It states that an `atomic_update` entails the desired mask shift, although generalized somewhat. Unlike in the paper, the quantification variable `v` is a telescope (dependent list of variables) in the formalization. To avoid universe problems, we do not use an option type, and instead require that we can establish default inhabitants of the quantified type (`Inhabited TB`). Morally, the rule is precisely as described in the paper. There is an additional generalization on masks, since the `atomic_update`s in the formalization have an additional 'inner mask' parameter `Ei`, and an established `atomic_update` for some (outer) mask `Eo` can be used for any larger mask `E`. ## Claim 3 (§4): The description of Diaframe 2.0's proof automation framework is accurate. Abduction hints (§4.1) are defined in `diaframe/solve_defs.v`, line 113, transformer hints are defined in lines 162-166. The abduction hint definition in the artifact is also parametrized by a modality and existential quantification, although this feature is not used. The hypothesis transformer hint definition `TransformHyp` takes an additional boolean `p` to indicate whether the hypothesis is from the intuitionistic context. Notations for these hints are also defined in `diaframe/solve_defs.v`, from line 409-594. The notation is slightly different between paper and artifact: - Abduction hints, paper: H ∗ [G'] ⊫ G - Abduction hints, artifact: HINT1 H ✱ [G'] ⊫ [id]; G - Transformer hints, paper: H, T →\~\_{hyp} [T'] and Δ, T →\~\_{ctx} [G] - Transformer hints, artifact: TRANSFORM □⟨p H, T =[hyp]=> T' and TRANSFORM Δ, T =[ctx]=> G. ### The hints and strategies behave as described We have included a tutorial file to demonstrate building new proof automation with Diaframe 2.0. It is located in `tutorial/ex5_custom_proof_automation.v`, and builds some proof automation for `WP` from scratch. Following this file should allow you to get a feel for the behavior of the proof automation, and how one can extend and change it by adding hints. ### The hints and strategies are implemented as described The following steps will be quite technical and require experience and knowledge of Coq's typeclasses and Iris. We recommend checking just the behavior of the hints and strategies above, if one is less familiar with the setting. #### Equations in §4.1 The `abduct-wp-val` abduction hint is `collect_modal_wp_value` in `diaframe/symb_exec/weakestpre.v`, line 542-545. Both `abduct-wp-bind` and `abduct-sym-ex-logatom` are consequences of `abduct_from_execution` in `diaframe/symb_exec/weakestpre.v`, line 534-539. The `abduct_from_execution` abduction hint is quite abstract, so this is hard to see directly. The important part is on line 536, where (given some `WP e {{ Φ }}` as input), the hint tries to find `e = K[e_in']`, where we have any kind of specification for `e_in'` -- a `ReductionTemplateStep`. For `abduct-wp-bind`, this will be `reduction_step_from` in line 307-309. For `abduct-sym-ex-logatom`, this will be an instance of `AtomicReductionStep'`, defined in `diaframe/symb_exec/weakestpre_logatom.v`. Finally, the recursive hint rules like `abduct-wand` are found in `diaframe/hint_search/lemmas_abd.v`. `abduct_wand` can be found on line 144-149. #### Equations in §4.3 The `au-intro-pre` abduction hint is `abduct_aupd_as_gfp` in `diaframe/lib/atomic.v`, line 69. Note `AU_pre` is defined differently in the artifact, namely as `run_greatest_fixpoint (λ Ψ, atomic_acc' Eo Ei α Ψ β Φ)`. This reflects the definition of atomic updates in Iris. The transformer hint which corresponds to `au-intro-go` is `gfp_introduce_all_laterable` in `diaframe/lib/greatest_fixpoint.v`. #### Strategy in §4.4 The implementation of this strategy resides in the `diaframe/steps` folder. The strategy in 4.4 is a simplified representation, the implementation contains more details and cases. We list the correspondence of the top-level cases to the files in `diaframe/steps`: 1. `∀ x. G` is handled in `introduce_var.v` 2. `U -∗ G` is handled in `introduce_hyp.v` 3. `A` is handled in `solve_one.v` 4. `|={E1, E2}=> ∃ x. L ∗ G` is handled in `solve_sep.v` 5. `T` is handeld in `transform.v` ## Claim 4 (§5.1): The comparison to Voila is accurate (Fig. 7) To (re)verify all the files for the Voila comparison, navigate to the `diaframe` folder and run `make clean` and `rm time-of-build*`. Make sure your opam switch is functional with `eval $(opam env)`. Then run the following command: ``` make diaframe diaframe-heap-lang && make pretty-timed TGTS="logatom-voila" TIMING_INCLUDE_MEM=0 ``` to verify all of the examples listed in Fig. 7. On a single core, this should take about 5 minutes, depending on your hardware. Enable parallel verification by additionally supplying make with the `-j NUMBEROFJOBS` argument. Note that due to multi-threading, this will probably give slower times for each file. Once this is finished, `make` should print a table of verification times for each file. You may also wish to check that the contents of each `supplements/diaframe_heap_lang_examples/logatom/atomic_*` file correspond to real verifications of logically atomic triples, the same as those performed by Voila. ### Checking linenumbers of Diaframe Each row in figure 7 corresponds to a file in `supplements/diaframe_heap_lang_examples/logatom/`. Usually, the file name is `atomic_{name}.v`, where you should replace `{name}` with the `name` entry in the figure. The number for `total` is just the total lines in the file. The `time` entry refers to compilation/verification time, which can be obtained with above `make` call. The `impl` entry is obtained by counting all the lines that define the functions (`: val`) which we will verify. For example, for `atomic_ticketlock.v` this is line 24-41. The `proof` entry refers to any lines enclosed between `Proof.` and `Qed.`. For `atomic_ticketlock.v`, this is line 47-50. ### Checking linenumbers of Voila We have not run Voila on new benchmarks. The numbers for Voila were found by inspecting the source code, which is available here [here](https://github.com/viperproject/voila/tree/master/src/test/resources/voila_evaluation_examples/strong_spec/correct). The number for `total` is just the total lines in the file. The number for `proof` is a bit harder to construct. We went manually through each file, counting lines which constituted proof burden for the user. By 'constitute proof burden', we mean: - `inhale`/`exhale`/`fold` statements - `make_atomic using ... {`, which explicitly instructs Voila to prove the enclosed statement atomic - `open_region using` which explictly instructs Voila to open a region (akin to an invariant) - `update_region using` which explictly instructs Voila to update a region (akin to an invariant) - `assert`/`assume` statements - Proofs of `lemmas`, and explicit `use` of such lemmas ### Differences between generated table and Table 1 The table generated with the artifact and Table 1 in the submitted version of the paper differ in various places. We mention and comment on large differences below. - `bag_stack`: larger annotation and proof burden. We added an additional `is_list_skel` predicate and corresponding hints, making it longer, but this makes the proof (in our opinion) more elegant and faster to verify. This increased the total line count with 21 lines, and the proof burden with 10 lines. The old version of `bag_stack` still works, but takes about twice as long to verify. - `barrier_client`: smaller annotation and proof burden, due to fixes and improvements in Diaframe's implementation - `lclist`: smaller annotation and proof burden, due to fixes and improvements in Diaframe's implementation - `msc_queue`: smaller annotation and proof burden, due to fixes and improvements in Diaframe's implementation, and a small change to the used ghost state - `queue`: smaller annotation and proof burden, due to fixes and improvements in Diaframe's implementation, and a small change to the used ghost state - `rwlock_duolock`: smaller annotation and proof burden, due to fixes and improvements in Diaframe's implementation - `total`: The total numbers have changed, not just because of the changed numbers. The calculation of totals also turned out to be wrong in the submitted version (you can check this by manually adding, for example, all implementation line counts - the actual total does not match the listed total) An updated screenshot of Table 1 is included in this artifact as `table1_updated.png`. The takeaway from this updated table is that the actual numbers are slightly better than originally presented in the paper: averaged over all examples, Diaframe actually requires about 0.4 lines of proof work per line of implementation (321 lines of proof work for 823 lines of implementation), whereas in the paper we spoke of 0.5 lines of proof work per line of implementation. ## Claim 5 (§5.2): The comparison to interactive logical atomicity proofs is accurate (Fig. 8) The files for Fig. 8 also reside in `supplements/diaframe_heap_lang_examples/logatom/`. To (re)verify all the files for this comparison, navigate to the `diaframe` folder and run `make clean` and `rm time-of-build*`. Make sure your opam switch is functional with `eval $(opam env)`. Then run the following command: ``` make diaframe diaframe-heap-lang && make pretty-timed TGTS="logatom-other" TIMING_INCLUDE_MEM=0 ``` to verify all of the examples listed in Fig. 8. On a single core, this should take about 20 minutes, depending on your hardware. Enable parallel verification by additionally supplying `make` with the `-j NUMBEROFJOBS` argument. Note that due to multi-threading, this will probably give slower times for each file. Once this is finished, `make` should print a table of verification times for each file. You may also wish to check that the contents of each file correspond to real verifications of logically atomic triples. ### Checking linenumbers of Diaframe Each row in figure 8 corresponds to a file in `supplements/diaframe_heap_lang_examples/logatom/`. Usually, the file name is `{name}.v`, where you should replace `{name}` with the `name` entry in the figure. The number for `total` is just the total lines in the file. The `time` entry refers to compilation/verification time, which can be obtained with above `make` call. The `impl` entry is obtained by counting all the lines that define the functions (`: val`) which we will verify. For example, for `msc_queue_faithful.v` this is line 7-58. The `proof` entry refers to any lines enclosed between `Proof.` and `Qed.`. The numbers for the Michael Scott queue `msc_queue` are obtained by adding the results of multiple files: `msc_queue_faithful.v` and `queue_lib.v`. The `queue_lib.v` file defines some shared lemmas and hints for verifying simpler queues, which are also included in the artifact: `queue.v` and `msc_queue_simplified.v`. These queues do not need prophecy variables in their verification. ### Checking linenumbers of IPM proofs Both the RDCSS example aswell as the Elimination stack example were taken from the [Iris examples](https://gitlab.mpi-sws.org/iris/examples) repository: [rdcss](https://gitlab.mpi-sws.org/iris/examples/-/blob/master/theories/logatom/rdcss/rdcss.v) and [elimination_stack](https://gitlab.mpi-sws.org/iris/examples/-/blob/master/theories/logatom/elimination_stack/stack.v). The number for `total` is just the total lines in the file. The `proof` entry refers to any lines enclosed between `Proof.` and `Qed.`. ## Claim 6 (§5.4): The comparison to interactive proofs in ReLoC is accurate (Fig. 9) The files for Fig. 9 reside in `supplements/diaframe_reloc/examples/`. To (re)verify all the files for this comparison, navigate to the `diaframe` folder. Make sure your opam switch is functional with `eval $(opam env)`. We advise you not to `clean` if you have verified the `msc_queue_faithful.v` from Claim 5: this file will be required for this claim, and takes a while to recompile. Run the following command: ``` make diaframe-reloc && make pretty-timed TGTS="reloc" TIMING_INCLUDE_MEM=0 ``` to verify all of the examples listed in Fig. 8. On a single core, this should take about 10 minutes, depending on your hardware and assuming `msc_queue_faithful.v` has been compiled. Enable parallel verification by additionally supplying `make` with the `-j NUMBEROFJOBS` argument. Note that due to multi-threading, this will probably give slower times for each file. ### Checking linenumbers of ReLoC's interactive proofs. The ReLoC source code is included in the artifact: the `coq-reloc` folder in `diaframe2-artifact-source`. The examples are located at `coq-reloc/theories/examples/`. The number for `interactive total` is just the total lines in the file. The `interactive proof` entry refers to any lines enclosed between `Proof.` and `Qed.` in these files. ### Checking linenumbers of Diaframe Unlike the logical atomicity examples, we directly import and reverify the compiled examples of ReLoC. This is mainly for convenience, since we are importing ReLoC anyway. This makes calculating the line numbers a bit different from the previous examples. The `impl` entry is obtained by counting all the lines _in the corresponding ReLoC example file_ that define the functions (`: val`) which we will verify. The `proof` entry is obtained by counting any lines enclosed between `Proof.` and `Qed.` _in the Diaframe files_ located at `supplements/diaframe_reloc/examples/`. The `total` entry is then derived as `{interactive total} - {interactive proof} + {proof}`: if one would reverify from scratch, the longer interactive proofs would be replaced by the shorter more automated proofs. ### Logical atomicity of the Michael Scott queue implies contextual refinement (§5.3). In §5.3, the paper claims that logical atomicity is stronger and implies contextual refinement. We have worked out this fact for the Michael Scott queue, in the `supplements/diaframe_reloc/exampes/msc_queue_refinement.v` file. This imports the logically atomic specification of the Michael Scott queue, then directly proves contextual refinement using this fact. Specifically, it proves the Michael Scott queue contextually refines a coarse-grained queue implementation, with lemma `queue_refinement` in line 94. The coarse-grained queue `CG_queue` is fully defined in the current file. `MS_queue_original` is built with the `new_queue`, `dequeue` and `enqueue` methods imported from `msc_queue_faithful.v` # Troubleshooting ### Starting the virtual machine with KVM's Virtual Machine Manager If you want to use `virt-manager` (`virsh` and friends), you have to convert the `diaframe2-artifact-vm.ova` file to a `.qcow2` file. You can do this as follows. An `.ova` file is just a `tar` archive, extract it: ``` tar xvf diaframe2-artifact-vm.ova ``` This will print a list of extracted files (in the current directory). The `.vmdk` file can be converted to a `.qcow2` file, which is the format `virt-manager` prefers. Now create a new virtual machine, choose 'import existing disk image' and select the `.qcow2` file. You should now be able to run the artifacts virtual machine. ### make complains: `make: *** no rule to make target `. Ensure that you have run `eval $(opam env)`. If you haven't, `opam switch list` will warn you that your environment is not in sync with the current switch. If just running `eval $(opam env)` does not fix this, try first running `make clean` before retrying. ### make says: `Nothing to be done for ...`, while I have just `touch`ed the source See above.