port gmap_auth to view CMRA

_CoqProject

@@ -39,7 +39,7 @@ theories/algebra/lib/excl_auth.v
 theories/algebra/lib/frac_auth.v
 theories/algebra/lib/ufrac_auth.v
 theories/algebra/lib/frac_agree.v
-theories/algebra/lib/gmap_auth.v
+theories/algebra/lib/gmap_view.v
 theories/si_logic/siprop.v
 theories/si_logic/bi.v
 theories/bi/notation.v

theories/algebra/cmra.v

@@ -1433,6 +1433,12 @@ Section option.
   Proof. destruct ma, mb; naive_solver. Qed.
   Lemma op_is_Some ma mb : is_Some (ma ⋅ mb) ↔ is_Some ma ∨ is_Some mb.
   Proof. rewrite -!not_eq_None_Some op_None. destruct ma, mb; naive_solver. Qed.
+  (* When the goal is already of the form [None ⋅ x], the [LeftId] instance for
+     [ε] does not fire. *)
+  Global Instance op_None_left_id : LeftId (=) None (@op (option A) _).
+  Proof. intros [a|]; done. Qed.
+  Global Instance op_None_right_id : RightId (=) None (@op (option A) _).
+  Proof. intros [a|]; done. Qed.
 
   Lemma cmra_opM_opM_assoc a mb mc : a ⋅? mb ⋅? mc ≡ a ⋅? (mb ⋅ mc).
   Proof. destruct mb, mc; by rewrite /= -?assoc. Qed.

theories/algebra/gmap.v

@@ -175,6 +175,24 @@ Proof. by apply lookup_merge. Qed.
 Lemma lookup_core m i : core m !! i = core (m !! i).
 Proof. by apply lookup_omap. Qed.
 
+Lemma lookup_includedN n (m1 m2 : gmap K A) : m1 ≼{n} m2 ↔ ∀ i, m1 !! i ≼{n} m2 !! i.
+Proof.
+  split; [by intros [m Hm] i; exists (m !! i); rewrite -lookup_op Hm|].
+  revert m2. induction m1 as [|i x m Hi IH] using map_ind=> m2 Hm.
+  { exists m2. by rewrite left_id. }
+  destruct (IH (delete i m2)) as [m2' Hm2'].
+  { intros j. move: (Hm j); destruct (decide (i = j)) as [->|].
+    - intros _. rewrite Hi. apply: ucmra_unit_leastN.
+    - rewrite lookup_insert_ne // lookup_delete_ne //. }
+  destruct (Hm i) as [my Hi']; simplify_map_eq.
+  exists (partial_alter (λ _, my) i m2')=>j; destruct (decide (i = j)) as [->|].
+  - by rewrite Hi' lookup_op lookup_insert lookup_partial_alter.
+  - move: (Hm2' j). by rewrite !lookup_op lookup_delete_ne //
+      lookup_insert_ne // lookup_partial_alter_ne.
+Qed.
+
+(* [m1 ≼ m2] is not equivalent to [∀ n, m1 ≼{n} m2],
+so there is no good way to reuse the above proof. *)
 Lemma lookup_included (m1 m2 : gmap K A) : m1 ≼ m2 ↔ ∀ i, m1 !! i ≼ m2 !! i.
 Proof.
   split; [by intros [m Hm] i; exists (m !! i); rewrite -lookup_op Hm|].
@@ -238,6 +256,15 @@ Canonical Structure gmapUR := UcmraT (gmap K A) gmap_ucmra_mixin.
 (** Internalized properties *)
 Lemma gmap_validI {M} m : ✓ m ⊣⊢@{uPredI M} ∀ i, ✓ (m !! i).
 Proof. by uPred.unseal. Qed.
+Lemma singleton_validI {M} i x : ✓ {[ i := x ]} ⊣⊢@{uPredI M} ✓ x.
+Proof.
+  rewrite gmap_validI. apply: anti_symm.
+  - rewrite (bi.forall_elim i) lookup_singleton uPred.option_validI. done.
+  - apply bi.forall_intro=>j. destruct (decide (i = j)) as [<-|Hne].
+    + rewrite lookup_singleton uPred.option_validI. done.
+    + rewrite lookup_singleton_ne // uPred.option_validI.
+      apply bi.True_intro.
+Qed.
 End cmra.
 
 Arguments gmapR _ {_ _} _.

theories/algebra/lib/gmap_auth.v

-From iris.proofmode Require Import tactics.
-From iris.algebra Require Export auth gmap updates csum.
-From iris.algebra Require Import local_updates proofmode_classes.
-From iris.base_logic Require Import base_logic.
-From iris Require Import options.
-
-(** * Authoritative CMRA over a map.
-The elements of the map are of type [(frac * agree T) + agree T].
-"Right" elements (on the [agree] side) are immutable and their (fragment) ownership is persistent.
-"Left" elements behave like the usual separation logic heap with fractional permissions.
-
-This representation and the types of [gmap_auth_auth] and [gmap_auth_frag] are
-considered unstable and will change in a future version of Iris. However,
-the [mut]/[ro] variants should be unaffected by that change. *)
-
-Local Definition mapUR (K : Type) `{Countable K} (V : ofeT) : ucmraT :=
-  gmapUR K (csumR (prodR fracR (agreeR V)) (agreeR V)).
-Definition gmap_authR (K : Type) `{Countable K} (V : ofeT) : cmraT :=
-  authR (mapUR K V).
-Definition gmap_authUR (K : Type) `{Countable K} (V : ofeT) : ucmraT :=
-  authUR (mapUR K V).
-
-(** The abstract state of the authoritative map is given by a [gmap K (V*bool)],
-where the [bool] indicates if the element is still mutable ([false] = "left
-element") or already read-only ([true] = "right element"). *)
-
-Section definitions.
-  Context {K : Type} `{Countable K} {V : ofeT}.
-
-  Local Definition to_auth_elem (q : frac) (e : bool * V) :
-      csumR (prodR fracR (agreeR V)) (agreeR V) :=
-    if e.1 then Cinr (to_agree e.2) else Cinl (q, to_agree e.2).
-  Local Definition to_auth_map (m : gmap K (bool * V)) : mapUR K V :=
-    to_auth_elem 1 <$> m.
-  Local Definition to_frag_elem (mq : option Qp) (v : V) :
-      csumR (prodR fracR (agreeR V)) (agreeR V) :=
-    match mq with
-    | Some q => Cinl (q, to_agree v)
-    | None => Cinr (to_agree v)
-    end.
-
-  Definition gmap_auth_auth (m : gmap K (bool * V)) : gmap_authUR K V :=
-    ● (to_auth_map m).
-  (* [(false,.)] is [λ v, (false, v)]. *)
-  Definition gmap_auth_auth_mut (m : gmap K V) : gmap_authUR K V :=
-    gmap_auth_auth ((false,.) <$> m).
-  Definition gmap_auth_auth_ro (m : gmap K V) : gmap_authUR K V :=
-    gmap_auth_auth ((true,.) <$> m).
-
-  Definition gmap_auth_frag (k : K) (mq : option Qp) (v : V) : gmap_authUR K V :=
-    ◯ {[k := to_frag_elem mq v]}.
-  Definition gmap_auth_frag_mut (k : K) (q : Qp) (v : V) : gmap_authUR K V :=
-    gmap_auth_frag k (Some q) v.
-  Definition gmap_auth_frag_ro (k : K) (v : V) : gmap_authUR K V :=
-    gmap_auth_frag k None v.
-End definitions.
-
-Section lemmas.
-  Context {K : Type} `{Countable K} {V : ofeT}.
-  Implicit Types (m : gmap K (bool * V)) (k : K) (q : Qp) (v : V) (ro : bool) (e : bool * V).
-
-  Local Instance to_auth_elem_ne q : NonExpansive (to_auth_elem (V:=V) q).
-  Proof. intros n [v1 ro1] [v2 ro2] [??]. simpl in *. solve_proper. Qed.
-  Global Instance gmap_auth_auth_ne : NonExpansive (gmap_auth_auth (K:=K) (V:=V)).
-  Proof. solve_proper. Qed.
-  Global Instance gmap_auth_auth_mut_ne : NonExpansive (gmap_auth_auth_mut (K:=K) (V:=V)).
-  Proof. solve_proper. Qed.
-  Global Instance gmap_auth_auth_ro_ne : NonExpansive (gmap_auth_auth_ro (K:=K) (V:=V)).
-  Proof. solve_proper. Qed.
-
-  Local Instance to_frag_elem_ne oq : NonExpansive (to_frag_elem (V:=V) oq).
-  Proof. solve_proper. Qed.
-  Global Instance gmap_auth_frag_ne k oq : NonExpansive (gmap_auth_frag (V:=V) k oq).
-  Proof. solve_proper. Qed.
-  Global Instance gmap_auth_frag_mut_ne k q : NonExpansive (gmap_auth_frag_mut (V:=V) k q).
-  Proof. solve_proper. Qed.
-  Global Instance gmap_auth_frag_ro_ne k : NonExpansive (gmap_auth_frag_ro (V:=V) k).
-  Proof. solve_proper. Qed.
-
-  (** Map operations *)
-  Local Lemma to_auth_map_insert k e m :
-    to_auth_map (<[k:=e]> m) = <[k:=to_auth_elem 1 e]> (to_auth_map m).
-  Proof. by rewrite /to_auth_map fmap_insert. Qed.
-  Local Lemma to_auth_map_singleton_includedN qe n m k e :
-    {[k := to_auth_elem qe e]} ≼{n} to_auth_map m → m !! k ≡{n}≡ Some e.
-  Proof.
-    rewrite singleton_includedN_l => -[auth_e []].
-    rewrite /to_auth_map lookup_fmap fmap_Some_dist => -[e' [-> ->]] {m}.
-    rewrite Some_csum_includedN. intros [Hbot|[Hleft|Hright]].
-    - exfalso. destruct e' as [[] ?]; done.
-    - destruct Hleft as ([q v] & [q' v'] & He & He' & Hincl).
-      destruct e as [[] ev]; first done.
-      destruct e' as [[] ev']; first done.
-      f_equiv. f_equiv.
-      rewrite /to_auth_elem /= in He He'.
-      move:He He'=> [_ Heq] [_ Heq']. simplify_eq.
-      move:Hincl=> /Some_pair_includedN_total_2 [_] /to_agree_includedN. done.
-    - destruct Hright as (v & v' & He & He' & Hincl).
-      destruct e as [[] ev]; last done.
-      destruct e' as [[] ev']; last done.
-      f_equiv. f_equiv.
-      rewrite /to_auth_elem /= in He He'.
-      move:He He'=> [Heq] [Heq']. simplify_eq.
-      move:Hincl=> /Some_includedN [|].
-      * move /to_agree_injN. done.
-      * move /to_agree_includedN. done.
-  Qed.
-  Local Lemma to_auth_map_singleton_included qe m k e :
-    (∀ n, {[k := to_auth_elem qe e]} ≼{n} to_auth_map m) → m !! k ≡ Some e.
-  Proof.
-    intros Hincl. apply equiv_dist=>n.
-    by eapply to_auth_map_singleton_includedN.
-  Qed.
-  Local Lemma to_auth_map_singleton_includedI qe M m c k e :
-    to_auth_map m ≡ {[k := to_auth_elem qe e]} ⋅ c ⊢@{uPredI M} m !! k ≡ Some e.
-  Proof.
-    apply uPred.internal_eq_entails=>n Heq.
-    eapply to_auth_map_singleton_includedN.
-    by exists c.
-  Qed.
-
-  (** Composition and validity *)
-  Local Lemma to_auth_elem_valid e : ✓ to_auth_elem 1 e.
-  Proof. destruct e as [ro v]. by destruct ro. Qed.
-
-  Lemma gmap_auth_auth_valid m : ✓ gmap_auth_auth m.
-  Proof.
-    rewrite auth_auth_valid. intros l. rewrite lookup_fmap. case (m !! l); last done.
-    apply to_auth_elem_valid.
-  Qed.
-  Lemma gmap_auth_auth_mut_valid (m : gmap K V) : ✓ gmap_auth_auth_mut m.
-  Proof. apply gmap_auth_auth_valid. Qed.
-  Lemma gmap_auth_auth_ro_valid (m : gmap K V) : ✓ gmap_auth_auth_ro m.
-  Proof. apply gmap_auth_auth_valid. Qed.
-
-  Lemma gmap_auth_frag_valid k mq v : ✓ gmap_auth_frag k mq v ↔ ✓ mq.
-  Proof.
-    rewrite auth_frag_valid singleton_valid. split.
-    - destruct mq; last done. intros [??]. done.
-    - intros ?. destruct mq; split; done.
-  Qed.
-  Lemma gmap_auth_frag_mut_valid k q v : ✓ gmap_auth_frag_mut k q v ↔ ✓ q.
-  Proof. apply gmap_auth_frag_valid. Qed.
-  Lemma gmap_auth_frag_ro_valid k v : ✓ gmap_auth_frag_ro k v.
-  Proof. apply gmap_auth_frag_valid. done. Qed.
-
-  Lemma gmap_auth_frag_mut_frac_op k q1 q2 v :
-    gmap_auth_frag_mut k (q1 + q2)%Qp v ≡ gmap_auth_frag_mut k q1 v ⋅ gmap_auth_frag_mut k q2 v.
-  Proof. rewrite -auth_frag_op singleton_op -Cinl_op -pair_op agree_idemp //. Qed.
-  Lemma gmap_auth_frag_mut_op_valid k q1 q2 v1 v2 :
-    ✓ (gmap_auth_frag_mut k q1 v1 ⋅ gmap_auth_frag_mut k q2 v2) → ✓ (q1 + q2)%Qp ∧ v1 ≡ v2.
-  Proof.
-    rewrite auth_frag_valid singleton_op singleton_valid -Cinl_op -pair_op.
-    intros [? ?]. split; first done. apply to_agree_op_inv. done.
-  Qed.
-  Lemma gmap_auth_frag_mut_op_valid_L `{!LeibnizEquiv V} k q1 q2 v1 v2 :
-    ✓ (gmap_auth_frag_mut k q1 v1 ⋅ gmap_auth_frag_mut k q2 v2) → ✓ (q1 + q2)%Qp ∧ v1 = v2.
-  Proof.
-    unfold_leibniz. apply gmap_auth_frag_mut_op_valid.
-  Qed.
-
-  Lemma gmap_auth_frag_ro_op_mut_op_valid k q1 v1 v2 :
-    ¬ ✓ (gmap_auth_frag_mut k q1 v1 ⋅ gmap_auth_frag_ro k v2).
-  Proof. rewrite auth_frag_valid singleton_op singleton_valid. intros []. Qed.
-
-  Lemma gmap_auth_frag_ro_idemp k v :
-    gmap_auth_frag_ro k v ≡ gmap_auth_frag_ro k v ⋅ gmap_auth_frag_ro k v.
-  Proof. rewrite -auth_frag_op singleton_op -Cinr_op agree_idemp. done. Qed.
-
-  Lemma gmap_auth_frag_ro_op_valid k v1 v2 :
-    ✓ (gmap_auth_frag_ro k v1 ⋅ gmap_auth_frag_ro k v2) → v1 ≡ v2.
-  Proof.
-    rewrite auth_frag_valid singleton_op singleton_valid -Cinr_op.
-    apply to_agree_op_inv.
-  Qed.
-  Lemma gmap_auth_frag_ro_op_valid_L `{!LeibnizEquiv V} k v1 v2 :
-    ✓ (gmap_auth_frag_ro k v1 ⋅ gmap_auth_frag_ro k v2) → v1 = v2.
-  Proof.
-    unfold_leibniz. apply gmap_auth_frag_ro_op_valid.
-  Qed.
-
-  Lemma gmap_auth_auth_frag_valid m k mq v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag k mq v) →
-    m !! k ≡ Some (if mq is None then true else false, v).
-  Proof.
-    rewrite /gmap_auth_auth /gmap_auth_frag.
-    intros [Hlk _]%auth_both_valid.
-    set (q := default 1%Qp mq).
-    eapply (to_auth_map_singleton_included q).
-    rewrite /to_auth_elem /to_frag_elem /= in Hlk *.
-    destruct mq; done.
-  Qed.
-
-  Lemma gmap_auth_auth_frag_mut_valid m k q v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag_mut k q v) → m !! k ≡ Some (false, v).
-  Proof. apply gmap_auth_auth_frag_valid. Qed.
-  Lemma gmap_auth_auth_frag_mut_valid_L `{!LeibnizEquiv V} m k q v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag_mut k q v) → m !! k = Some (false, v).
-  Proof. unfold_leibniz. apply gmap_auth_auth_frag_mut_valid. Qed.
-  Lemma gmap_auth_auth_mut_frag_mut_valid (m : gmap K V) k q v :
-    ✓ (gmap_auth_auth_mut m ⋅ gmap_auth_frag_mut k q v) → m !! k ≡ Some v.
-  Proof.
-    rewrite /gmap_auth_auth_mut. move /gmap_auth_auth_frag_mut_valid.
-    rewrite lookup_fmap /= fmap_Some_equiv => -[e [-> [/= _ ?]]]. by f_equiv.
-  Qed.
-  Lemma gmap_auth_auth_mut_frag_mut_valid_L `{!LeibnizEquiv V} (m : gmap K V) k q v :
-    ✓ (gmap_auth_auth_mut m ⋅ gmap_auth_frag_mut k q v) → m !! k = Some v.
-  Proof. unfold_leibniz. apply gmap_auth_auth_mut_frag_mut_valid. Qed.
-
-  Lemma gmap_auth_auth_frag_ro_valid m k v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag_ro k v) → m !! k ≡ Some (true, v).
-  Proof. apply gmap_auth_auth_frag_valid. Qed.
-  Lemma gmap_auth_auth_frag_ro_valid_L `{!LeibnizEquiv V} m k v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag_ro k v) → m !! k = Some (true, v).
-  Proof. unfold_leibniz. apply gmap_auth_auth_frag_ro_valid. Qed.
-  Lemma gmap_auth_auth_ro_frag_ro_valid (m : gmap K V) k v :
-    ✓ (gmap_auth_auth_ro m ⋅ gmap_auth_frag_ro k v) → m !! k ≡ Some v.
-  Proof.
-    rewrite /gmap_auth_auth_mut. move /gmap_auth_auth_frag_ro_valid.
-    rewrite lookup_fmap /= fmap_Some_equiv => -[e [-> [/= _ ?]]]. by f_equiv.
-  Qed.
-  Lemma gmap_auth_auth_ro_frag_ro_valid_L `{!LeibnizEquiv V} (m : gmap K V) k v :
-    ✓ (gmap_auth_auth_ro m ⋅ gmap_auth_frag_ro k v) → m !! k = Some v.
-  Proof. unfold_leibniz. apply gmap_auth_auth_ro_frag_ro_valid. Qed.
-
-  (** Frame-preserving updates *)
-  Lemma gmap_auth_alloc m k v ro :
-    m !! k = None →
-    gmap_auth_auth m ~~>
-      gmap_auth_auth (<[k := (ro, v)]> m) ⋅
-        gmap_auth_frag k (if ro then None else Some 1%Qp) v.
-  Proof.
-    intros Hfresh. etrans.
-    - eapply auth_update_alloc.
-      eapply (alloc_singleton_local_update _ k (to_auth_elem _ (ro, v)))=> //.
-      + rewrite lookup_fmap Hfresh. done.
-      + apply to_auth_elem_valid.
-    - apply reflexive_eq. f_equal.
-      + rewrite /gmap_auth_auth to_auth_map_insert. done.
-      + destruct ro; done.
-  Qed.
-  Lemma gmap_auth_mut_alloc (m : gmap K V) k v :
-    m !! k = None →
-    gmap_auth_auth_mut m ~~>
-      gmap_auth_auth_mut (<[k := v]> m) ⋅ gmap_auth_frag_mut k 1%Qp v.
-  Proof.
-    intros Hfresh.
-    etrans; first apply (gmap_auth_alloc _ k v false).
-    - rewrite lookup_fmap Hfresh //.
-    - apply reflexive_eq. f_equal. rewrite /gmap_auth_auth_mut fmap_insert //.
-  Qed.
-  Lemma gmap_auth_ro_alloc (m : gmap K V) k v :
-    m !! k = None →
-    gmap_auth_auth_ro m ~~> gmap_auth_auth_ro (<[k := v]> m) ⋅ gmap_auth_frag_ro k v.
-  Proof.
-    intros Hfresh.
-    etrans; first apply (gmap_auth_alloc _ k v true).
-    - rewrite lookup_fmap Hfresh //.
-    - apply reflexive_eq. f_equal. rewrite /gmap_auth_auth_ro fmap_insert //.
-  Qed.
-
-  Lemma gmap_auth_update m k v v' ro :
-    gmap_auth_auth m ⋅ gmap_auth_frag_mut k 1%Qp v ~~>
-      gmap_auth_auth (<[k := (ro, v')]> m) ⋅
-        gmap_auth_frag k (if ro then None else Some 1%Qp) v'.
-  Proof.
-    etrans.
-    - apply cmra_update_valid0=>Hval.
-      eapply auth_update, singleton_local_update_any=>??.
-      eapply (exclusive_local_update _ (to_auth_elem _ (ro, v'))).
-      apply to_auth_elem_valid.
-    - apply reflexive_eq. f_equal.
-      + rewrite /gmap_auth_auth to_auth_map_insert. done.
-      + destruct ro; done.
-  Qed.
-  Lemma gmap_auth_freeze m k v :
-    gmap_auth_auth m ⋅ gmap_auth_frag_mut k 1%Qp v ~~>
-      gmap_auth_auth (<[k := (true, v)]> m) ⋅ gmap_auth_frag_ro k v.
-  Proof.
-    etrans; first apply gmap_auth_update with (ro:=true).
-    apply reflexive_eq. f_equal.
-  Qed.
-  Lemma gmap_auth_mut_update (m : gmap K V) k v v' :
-    gmap_auth_auth_mut m ⋅ gmap_auth_frag_mut k 1%Qp v ~~>
-      gmap_auth_auth_mut (<[k := v']> m) ⋅ gmap_auth_frag_mut k 1%Qp v'.
-  Proof.
-    etrans; first apply gmap_auth_update with (ro:=false).
-    apply reflexive_eq. rewrite /gmap_auth_auth_mut fmap_insert.
-    f_equal.
-  Qed.
-
-  (** Typeclass instances
-  (These overlap up to conversion, but the functions are made TC-opaque below.) *)
-  Global Instance gmap_auth_frag_core_id k v :
-    CoreId (gmap_auth_frag k None v).
-  Proof. apply _. Qed.
-  Global Instance gmap_auth_frag_ro_core_id k v :
-    CoreId (gmap_auth_frag_ro k v).
-  Proof. apply _. Qed.
-
-  Global Instance gmap_auth_frag_mut_is_op q q1 q2 k v :
-    IsOp q q1 q2 →
-    IsOp' (gmap_auth_frag_mut k q v) (gmap_auth_frag_mut k q1 v) (gmap_auth_frag_mut k q2 v).
-  Proof. rewrite /IsOp' /IsOp => ->. apply gmap_auth_frag_mut_frac_op. Qed.
-
-  (** Internalized properties *)
-  Lemma gmap_auth_auth_frag_validI M m k mq v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag k mq v) ⊢@{uPredI M}
-    m !! k ≡ Some (if mq is None then true else false, v).
-  Proof.
-    rewrite /gmap_auth_auth /gmap_auth_frag_mut.
-    rewrite auth_both_validI. iIntros "[Hmap Hval]".
-    iDestruct "Hmap" as (c) "Hmap".
-    set (q := default 1%Qp mq).
-    iApply (to_auth_map_singleton_includedI q).
-    destruct mq; try done.
-  Qed.
-
-  Lemma gmap_auth_auth_frag_mut_validI M m k q v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag_mut k q v) ⊢@{uPredI M} m !! k ≡ Some (false, v).
-  Proof. apply gmap_auth_auth_frag_validI. Qed.
-  Lemma gmap_auth_auth_ro_frag_mut_validI M (m : gmap K V) k q v :
-    ✓ (gmap_auth_auth_mut m ⋅ gmap_auth_frag_mut k q v) ⊢@{uPredI M} m !! k ≡ Some v.
-  Proof.
-    rewrite /gmap_auth_auth_mut gmap_auth_auth_frag_mut_validI lookup_fmap /=.
-    rewrite !option_equivI. destruct (m !! k); simpl; last done.
-    rewrite prod_equivI /=. iIntros "[_ Heq]". done.
-  Qed.
-  Lemma gmap_auth_auth_frag_ro_validI M m k v :
-    ✓ (gmap_auth_auth m ⋅ gmap_auth_frag_ro k v) ⊢@{uPredI M} m !! k ≡ Some (true, v).
-  Proof. apply gmap_auth_auth_frag_validI. Qed.
-  Lemma gmap_auth_auth_ro_frag_ro_validI M (m : gmap K V) k v :
-    ✓ (gmap_auth_auth_ro m ⋅ gmap_auth_frag_ro k v) ⊢@{uPredI M} m !! k ≡ Some v.
-  Proof.
-    rewrite /gmap_auth_auth_ro gmap_auth_auth_frag_ro_validI lookup_fmap /=.
-    rewrite !option_equivI. destruct (m !! k); simpl; last done.
-    rewrite prod_equivI /=. iIntros "[_ Heq]". done.
-  Qed.
-
-End lemmas.
-
-(** Functor *)
-Definition gmap_authRF (K : Type) `{Countable K} (F : oFunctor) : rFunctor :=
-  authRF (gmapURF K (csumRF (prodRF fracR (agreeRF F)) (agreeRF F))).
-Instance gmap_authRF_contractive {K : Type} `{Countable K} (F : oFunctor) :
-  oFunctorContractive F → rFunctorContractive (gmap_authRF K F).
-Proof. apply _. Qed.
-
-Definition gmap_authURF (K : Type) `{Countable K} (F : oFunctor) : urFunctor :=
-  authURF (gmapURF K (csumRF (prodRF fracR (agreeRF F)) (agreeRF F))).
-Instance gmap_authURF_contractive {K : Type} `{Countable K} (F : oFunctor) :
-  oFunctorContractive F → urFunctorContractive (gmap_authURF K F).
-Proof. apply _. Qed.
-
-Typeclasses Opaque gmap_auth_auth gmap_auth_auth_mut gmap_auth_auth_ro
-  gmap_auth_frag gmap_auth_frag_mut gmap_auth_frag_ro gmap_authRF gmap_authURF.

theories/algebra/lib/gmap_view.v

+From Coq.QArith Require Import Qcanon.
+From iris.proofmode Require Import tactics.
+From iris.algebra Require Import view updates dfrac.
+From iris.algebra Require Export gmap dfrac.
+From iris.algebra Require Import local_updates proofmode_classes.
+From iris.base_logic Require Import base_logic.
+From iris Require Import options.
+
+(** * Authoritative CMRA over a map.
+The elements of the map are of type [dfrac * agree T]. *)
+
+Local Definition gmap_view_fragUR (K : Type) `{Countable K} (V : ofeT) : ucmraT :=
+  gmapUR K (prodR dfracR (agreeR V)).
+
+(** View relation. *)
+Section rel.
+  Context (K : Type) `{Countable K} (V : ofeT).
+  Implicit Types (m : gmap K V) (k : K) (v : V) (n : nat) (f : gmap_view_fragUR K V).
+
+  Local Definition gmap_view_rel_raw n m f : Prop :=
+    map_Forall (λ k dv, ∃ v, dv.2 ≡{n}≡ to_agree v ∧ ✓ dv.1 ∧ m !! k = Some v) f.
+
+  Local Lemma gmap_view_rel_raw_mono n1 n2 m1 m2 f1 f2 :
+    gmap_view_rel_raw n1 m1 f1 →
+    m1 ≡{n2}≡ m2 →
+    f2 ≼{n2} f1 →
+    n2 ≤ n1 →
+    gmap_view_rel_raw n2 m2 f2.
+  Proof.
+    intros Hrel Hm Hf Hn k [q va] Hk.
+    (* For some reason applying the lemma in [Hf] does not work... *)
+    destruct (lookup_includedN n2 f2 f1) as [Hf' _]. specialize (Hf' Hf). clear Hf.
+    specialize (Hf' k). rewrite Hk in Hf'.
+    apply option_includedN in Hf'.
+    destruct Hf' as [[=]|(? & [q' va'] & [= <-] & Hf1 & Hincl)].
+    specialize (Hrel _ _ Hf1) as (v & Hagree & Hdval & Hm1). simpl in *.
+    specialize (Hm k).
+    edestruct (dist_Some_inv_l _ _ _ _ Hm Hm1) as (v' & Hm2 & Hv).
+    exists v'. rewrite assoc. split; last done.
+    rewrite -Hv.
+    destruct Hincl as [[Heqq Heqva]|[Hinclq Hinclva]%pair_includedN].
+    - simpl in *. split.
+      + rewrite Heqva. eapply dist_le; last eassumption. done.
+      + rewrite <-discrete_iff in Heqq; last by apply _.
+        fold_leibniz. subst q'. done.
+    - split.
+      + etrans; last first.
+        { eapply dist_le; last eassumption. done. }
+        eapply agree_valid_includedN; last done.
+        eapply cmra_validN_le; last eassumption.
+        rewrite Hagree. done.
+      + rewrite <-cmra_discrete_included_iff in Hinclq.
+        eapply cmra_valid_included; done.
+  Qed.
+
+  Local Lemma gmap_view_rel_raw_valid n m f :
+    gmap_view_rel_raw n m f → ✓{n} f.
+  Proof.
+    intros Hrel k. destruct (f !! k) as [[q va]|] eqn:Hf; rewrite Hf; last done.
+    specialize (Hrel _ _ Hf) as (v & Hagree & Hdval & Hm1). simpl in *.
+    split; simpl.
+    - apply cmra_discrete_valid_iff. done.
+    - rewrite Hagree. done.
+  Qed.
+
+  Local Canonical Structure gmap_view_rel : view_rel (gmapO K V) (gmap_view_fragUR K V) :=
+    ViewRel gmap_view_rel_raw gmap_view_rel_raw_mono gmap_view_rel_raw_valid.
+
+  Local Lemma gmap_view_rel_discrete :
+    OfeDiscrete V → ViewRelDiscrete gmap_view_rel.
+  Proof.
+    intros ? n m f Hrel k [df va] Hk.
+    destruct (Hrel _ _ Hk) as (v & Hagree & Hdval & Hm).
+    exists v. split; last by auto.
+    eapply discrete_iff; first by apply _.
+    eapply discrete_iff; first by apply _.
+    done.
+  Qed.
+End rel.
+
+Local Existing Instance gmap_view_rel_discrete.
+
+Definition gmap_viewUR (K : Type) `{Countable K} (V : ofeT) : ucmraT :=
+  viewUR (gmap_view_rel K V).
+Definition gmap_viewR (K : Type) `{Countable K} (V : ofeT) : cmraT :=
+  viewR (gmap_view_rel K V).
+Definition gmap_viewO (K : Type) `{Countable K} (V : ofeT) : ofeT :=
+  viewO (gmap_view_rel K V).
+
+Section definitions.
+  Context {K : Type} `{Countable K} {V : ofeT}.
+
+  Definition gmap_view_auth (m : gmap K V) : gmap_viewR K V :=
+    ●V m.
+  Definition gmap_view_frag (k : K) (dq : dfrac) (v : V) : gmap_viewR K V :=
+    ◯V {[k := (dq, to_agree v)]}.
+End definitions.
+
+Section lemmas.
+  Context {K : Type} `{Countable K} {V : ofeT}.
+  Implicit Types (m : gmap K V) (k : K) (q : Qp) (dq : dfrac) (v : V).
+
+  Global Instance : Params (@gmap_view_auth) 4 := {}.
+  Global Instance gmap_view_auth_ne : NonExpansive (gmap_view_auth (K:=K) (V:=V)).
+  Proof. solve_proper. Qed.
+  Global Instance gmap_view_auth_proper : Proper ((≡) ==> (≡)) (gmap_view_auth (K:=K) (V:=V)).
+  Proof. apply ne_proper, _. Qed.
+
+  Global Instance : Params (@gmap_view_frag) 6 := {}.
+  Global Instance gmap_view_frag_ne k oq : NonExpansive (gmap_view_frag (V:=V) k oq).
+  Proof. solve_proper. Qed.
+  Global Instance gmap_view_frag_proper k oq : Proper ((≡) ==> (≡)) (gmap_view_frag (V:=V) k oq).
+  Proof. apply ne_proper, _. Qed.
+
+  (* Helper lemmas *)
+  Local Lemma gmap_view_rel_lookup n m k dq v :
+    gmap_view_rel K V n m {[k := (dq, to_agree v)]} ↔ ✓ dq ∧ m !! k ≡{n}≡ Some v.
+  Proof.
+    split.
+    - intros Hrel.
+      edestruct (Hrel k) as (v' & Hagree & Hval & ->).
+      { rewrite lookup_singleton. done. }
+      simpl in *. apply (inj _) in Hagree. rewrite Hagree.
+      done.
+    - intros [Hval (v' & Hm & Hv')%dist_Some_inv_r'] j [df va].
+      destruct (decide (k = j)) as [<-|Hne]; last by rewrite lookup_singleton_ne.
+      rewrite lookup_singleton. intros [= <- <-]. simpl.
+      exists v'. split_and!; by rewrite ?Hv'.
+  Qed.
+
+  (** Composition and validity *)
+  Lemma gmap_view_auth_valid m : ✓ gmap_view_auth m.
+  Proof.
+    apply view_auth_valid. intros n l ? Hl. rewrite lookup_empty in Hl. done.
+  Qed.
+
+  Lemma gmap_view_frag_validN n k dq v : ✓{n} gmap_view_frag k dq v ↔ ✓ dq.
+  Proof.
+    rewrite view_frag_validN singleton_validN. split.
+    - intros [??]. done.
+    - intros ?. split; done.
+  Qed.
+  Lemma gmap_view_frag_valid k dq v : ✓ gmap_view_frag k dq v ↔ ✓ dq.
+  Proof.
+    rewrite view_frag_valid singleton_valid. split.
+    - intros [??]. done.
+    - intros ?. split; done.
+  Qed.
+
+  Lemma gmap_view_frag_op k dq1 dq2 v :
+    gmap_view_frag k (dq1 ⋅ dq2) v ≡ gmap_view_frag k dq1 v ⋅ gmap_view_frag k dq2 v.
+  Proof. rewrite -view_frag_op singleton_op -pair_op agree_idemp //. Qed.
+  Lemma gmap_view_frag_plus k q1 q2 v :
+    gmap_view_frag k (DfracOwn (q1 + q2)) v ≡
+      gmap_view_frag k (DfracOwn q1) v ⋅ gmap_view_frag k (DfracOwn q2) v.
+  Proof. rewrite -gmap_view_frag_op. done. Qed.
+
+  Lemma gmap_view_frag_op_validN n k dq1 dq2 v1 v2 :
+    ✓{n} (gmap_view_frag k dq1 v1 ⋅ gmap_view_frag k dq2 v2) ↔
+      ✓ (dq1 ⋅ dq2) ∧ v1 ≡{n}≡ v2.
+  Proof.
+    rewrite view_frag_validN singleton_op singleton_validN -pair_op.
+    split; intros [Hfrac Hagree]; (split; first done); simpl in *.
+    - apply to_agree_op_invN. done.
+    - rewrite Hagree agree_idemp. done.
+  Qed.
+  Lemma gmap_view_frag_op_valid k dq1 dq2 v1 v2 :
+    ✓ (gmap_view_frag k dq1 v1 ⋅ gmap_view_frag k dq2 v2) ↔ ✓ (dq1 ⋅ dq2) ∧ v1 ≡ v2.
+  Proof.
+    rewrite view_frag_valid singleton_op singleton_valid -pair_op.
+    split; intros [Hfrac Hagree]; (split; first done); simpl in *.
+    - apply to_agree_op_inv. done.
+    - rewrite Hagree agree_idemp. done.
+  Qed.
+  Lemma gmap_view_frag_op_valid_L `{!LeibnizEquiv V} k dq1 dq2 v1 v2 :
+    ✓ (gmap_view_frag k dq1 v1 ⋅ gmap_view_frag k dq2 v2) ↔ ✓ (dq1 ⋅ dq2) ∧ v1 = v2.
+  Proof. unfold_leibniz. apply gmap_view_frag_op_valid. Qed.
+
+  Lemma gmap_view_both_validN n m k dq v :
+    ✓{n} (gmap_view_auth m ⋅ gmap_view_frag k dq v) ↔
+      ✓ dq ∧ m !! k ≡{n}≡ Some v.
+  Proof.
+    rewrite /gmap_view_auth /gmap_view_frag.
+    rewrite view_both_validN.
+    apply gmap_view_rel_lookup.
+  Qed.
+  Lemma gmap_view_both_valid m k dq v :
+    ✓ (gmap_view_auth m ⋅ gmap_view_frag k dq v) ↔
+    ✓ dq ∧ m !! k ≡ Some v.
+  Proof.
+    rewrite /gmap_view_auth /gmap_view_frag.
+    rewrite view_both_valid. setoid_rewrite gmap_view_rel_lookup.
+    split; intros Hm; split.
+    - apply (Hm 0).
+    - apply equiv_dist=>n. apply Hm.
+    - apply Hm.
+    - revert n. apply equiv_dist. apply Hm.
+  Qed.
+  Lemma gmap_view_both_valid_L `{!LeibnizEquiv V} m k dq v :
+    ✓ (gmap_view_auth m ⋅ gmap_view_frag k dq v) ↔
+    ✓ dq ∧ m !! k = Some v.
+  Proof. unfold_leibniz. apply gmap_view_both_valid. Qed.
+
+  (** Frame-preserving updates *)
+  Lemma gmap_view_alloc m k dq v :
+    m !! k = None →
+    ✓ dq →
+    gmap_view_auth m ~~> gmap_view_auth (<[k := v]> m) ⋅ gmap_view_frag k dq v.
+  Proof.
+    intros Hfresh Hdq. apply view_update_alloc=>n bf Hrel j [df va] /=.
+    rewrite lookup_op. destruct (decide (j = k)) as [->|Hne].
+    - assert (bf !! k = None) as Hbf.
+      { destruct (bf !! k) as [[df' va']|] eqn:Hbf; last done.
+        specialize (Hrel _ _ Hbf). destruct Hrel as (v' & _ & _ & Hm).
+        exfalso. rewrite Hm in Hfresh. done. }
+      rewrite lookup_singleton Hbf right_id.
+      intros [= <- <-]. eexists. do 2 (split; first done).
+      rewrite lookup_insert. done.
+    - rewrite lookup_singleton_ne; last done.
+      rewrite left_id=>Hbf.
+      specialize (Hrel _ _ Hbf). destruct Hrel as (v' & ? & ? & Hm).
+      eexists. do 2 (split; first done).
+      rewrite lookup_insert_ne //.
+  Qed.
+
+  Lemma gmap_view_update m k v v' :
+    gmap_view_auth m ⋅ gmap_view_frag k (DfracOwn 1) v ~~>
+      gmap_view_auth (<[k := v']> m) ⋅ gmap_view_frag k (DfracOwn 1) v'.
+  Proof.
+    apply view_update=>n bf Hrel j [df va] /=.
+    rewrite lookup_op. destruct (decide (j = k)) as [->|Hne].
+    - assert (bf !! k = None) as Hbf.
+      { move: Hrel =>/view_rel_validN /(_ k).
+        rewrite lookup_op lookup_singleton.
+        destruct (bf !! k) as [[df' va']|] eqn:Hbf; last done.
+        rewrite Hbf. clear Hbf.
+        rewrite -Some_op -pair_op.
+        move=>[/= /dfrac_full_exclusive Hdf _]. done. }
+      rewrite Hbf right_id lookup_singleton. clear Hbf.
+      intros [= <- <-].
+      eexists. do 2 (split; first done).
+      rewrite lookup_insert. done.
+    - rewrite lookup_singleton_ne; last done.
+      rewrite left_id=>Hbf.
+      edestruct (Hrel j) as (v'' & ? & ? & Hm).
+      { rewrite lookup_op lookup_singleton_ne // left_id. done. }
+      simpl in *. eexists. do 2 (split; first done).
+      rewrite lookup_insert_ne //.
+  Qed.
+
+  Lemma gmap_view_freeze k q v :
+    gmap_view_frag k (DfracOwn q) v ~~> gmap_view_frag k DfracDiscarded v.
+  Proof.
+    apply view_update_frag; last first.
+    { eapply singleton_update, prod_update; simpl; last done.
+      apply dfrac_discard_update. }
+    move=>m n bf Hrel j [df va] /=.
+    rewrite lookup_op. destruct (decide (j = k)) as [->|Hne].
+    - rewrite lookup_singleton.
+      edestruct (Hrel k ((DfracOwn q, to_agree v) ⋅? bf !! k)) as (v' & Hdf & Hva & Hm).
+      { rewrite lookup_op lookup_singleton.
+        destruct (bf !! k) eqn:Hbf; by rewrite Hbf. }
+      rewrite Some_op_opM. intros [= Hbf].
+      exists v'. rewrite assoc; split; last done.
+      destruct (bf !! k) as [[df' va']|] eqn:Hbfk; rewrite Hbfk in Hbf; clear Hbfk.
+      + simpl in *. rewrite -pair_op in Hbf.
+        move:Hbf=>[= <- <-]. split; first done.
+        eapply cmra_discrete_valid.
+        eapply (dfrac_discard_update _ _ (Some df')).
+        apply cmra_discrete_valid_iff. done.
+      + simpl in *. move:Hbf=>[= <- <-]. split; done.
+    - rewrite lookup_singleton_ne //.
+      rewrite left_id=>Hbf.
+      edestruct (Hrel j) as (v'' & ? & ? & Hm).
+      { rewrite lookup_op lookup_singleton_ne // left_id. done. }
+      simpl in *. eexists. do 2 (split; first done). done.
+  Qed.
+
+  (** Typeclass instances *)
+  Global Instance gmap_view_frag_core_id k v : CoreId (gmap_view_frag k DfracDiscarded v).
+  Proof. apply _. Qed.
+
+  Global Instance gmap_view_cmra_discrete : OfeDiscrete V → CmraDiscrete (gmap_viewR K V).
+  Proof. apply _. Qed.
+
+  Global Instance gmap_view_frag_mut_is_op dq dq1 dq2 k v :
+    IsOp dq dq1 dq2 →
+    IsOp' (gmap_view_frag k dq v) (gmap_view_frag k dq1 v) (gmap_view_frag k dq2 v).
+  Proof. rewrite /IsOp' /IsOp => ->. apply gmap_view_frag_op. Qed.
+
+  (** Internalized properties *)
+  Lemma gmap_view_both_validI M m k dq v :
+    ✓ (gmap_view_auth m ⋅ gmap_view_frag k dq v) ⊢@{uPredI M}
+    ✓ dq ∧ m !! k ≡ Some v.
+  Proof.
+    rewrite /gmap_view_auth /gmap_view_frag. apply view_both_validI_1.
+    intros n a. uPred.unseal. apply gmap_view_rel_lookup.
+  Qed.
+
+  Lemma gmap_view_frag_op_validI M k dq1 dq2 v1 v2 :
+    ✓ (gmap_view_frag k dq1 v1 ⋅ gmap_view_frag k dq2 v2) ⊢@{uPredI M}
+      ✓ (dq1 ⋅ dq2) ∧ v1 ≡ v2.
+  Proof.
+    rewrite /gmap_view_frag -view_frag_op view_frag_validI.
+    rewrite singleton_op singleton_validI -pair_op uPred.prod_validI /=.
+    apply bi.and_mono; first done.
+    rewrite agree_validI agree_equivI. done.
+  Qed.
+
+End lemmas.
+
+(** Functor *)
+Program Definition gmap_viewURF (K : Type) `{Countable K} (F : oFunctor) : urFunctor := {|
+  urFunctor_car A _ B _ := gmap_viewUR K (oFunctor_car F A B);
+  urFunctor_map A1 _ A2 _ B1 _ B2 _ fg :=
+    viewO_map (rel:=gmap_view_rel K (oFunctor_car F A1 B1))
+              (rel':=gmap_view_rel K (oFunctor_car F A2 B2))
+              (gmapO_map (K:=K) (oFunctor_map F fg))
+              (gmapO_map (K:=K) (prodO_map cid (agreeO_map (oFunctor_map F fg))))
+|}.
+Next Obligation.
+  intros K ?? F A1 ? A2 ? B1 ? B2 ? n f g Hfg.
+  apply viewO_map_ne.
+  - apply gmapO_map_ne, oFunctor_map_ne. done.
+  - apply gmapO_map_ne. apply prodO_map_ne; first done.
+    apply agreeO_map_ne, oFunctor_map_ne. done.
+Qed.
+Next Obligation.
+  intros K ?? F A ? B ? x; simpl in *. rewrite -{2}(view_map_id x).
+  apply (view_map_ext _ _ _ _)=> y.
+  - rewrite /= -{2}(map_fmap_id y).
+    apply map_fmap_equiv_ext=>k ??.
+    apply oFunctor_map_id.
+  - rewrite /= -{2}(map_fmap_id y).
+    apply map_fmap_equiv_ext=>k [df va] ?.
+    split; first done. simpl.
+    rewrite -{2}(agree_map_id va).
+    eapply agree_map_ext; first by apply _.
+    apply oFunctor_map_id.
+Qed.
+Next Obligation.
+  intros K ?? F A1 ? A2 ? A3 ? B1 ? B2 ? B3 ? f g f' g' x; simpl in *.
+  rewrite -view_map_compose.
+  apply (view_map_ext _ _ _ _)=> y.
+  - rewrite /= -map_fmap_compose.
+    apply map_fmap_equiv_ext=>k ??.
+    apply oFunctor_map_compose.
+  - rewrite /= -map_fmap_compose.
+    apply map_fmap_equiv_ext=>k [df va] ?.
+    split; first done. simpl.
+    rewrite -agree_map_compose.
+    eapply agree_map_ext; first by apply _.
+    apply oFunctor_map_compose.
+Qed.
+Next Obligation.
+  intros K ?? F A1 ? A2 ? B1 ? B2 ? fg; simpl.
+  (* [apply] does not work, probably the usual unification probem (Coq #6294) *)
+  apply: view_map_cmra_morphism; [apply _..|]=> n m f.
+  intros Hrel k [df va] Hf. move: Hf.
+  rewrite !lookup_fmap.
+  destruct (f !! k) as [[df' va']|] eqn:Hfk; rewrite Hfk; last done.
+  simpl=>[= <- <-].
+  specialize (Hrel _ _ Hfk). simpl in Hrel. destruct Hrel as (v & Hagree & Hdval & Hm).
+  exists (oFunctor_map F fg v).
+  rewrite Hm. split; last by auto.
+  rewrite Hagree. rewrite agree_map_to_agree. done.
+Qed.
+
+Instance gmap_viewURF_contractive (K : Type) `{Countable K} F :
+  oFunctorContractive F → urFunctorContractive (gmap_viewURF K F).
+Proof.
+  intros ? A1 ? A2 ? B1 ? B2 ? n f g Hfg.
+  apply viewO_map_ne.
+  - apply gmapO_map_ne. apply oFunctor_map_contractive. done.
+  - apply gmapO_map_ne. apply prodO_map_ne; first done.
+    apply agreeO_map_ne, oFunctor_map_contractive. done.
+Qed.
+
+Program Definition gmap_viewRF (K : Type) `{Countable K} (F : oFunctor) : rFunctor := {|
+  rFunctor_car A _ B _ := gmap_viewR K (oFunctor_car F A B);
+  rFunctor_map A1 _ A2 _ B1 _ B2 _ fg :=
+    viewO_map (rel:=gmap_view_rel K (oFunctor_car F A1 B1))
+              (rel':=gmap_view_rel K (oFunctor_car F A2 B2))
+              (gmapO_map (K:=K) (oFunctor_map F fg))
+              (gmapO_map (K:=K) (prodO_map cid (agreeO_map (oFunctor_map F fg))))
+|}.
+Solve Obligations with apply gmap_viewURF.
+
+Instance gmap_viewRF_contractive (K : Type) `{Countable K} F :
+  oFunctorContractive F → rFunctorContractive (gmap_viewRF K F).
+Proof. apply gmap_viewURF_contractive. Qed.
+
+Typeclasses Opaque gmap_view_auth gmap_view_frag.

theories/base_logic/lib/gen_heap.v

 From stdpp Require Export namespaces.
 From iris.bi.lib Require Import fractional.
 From iris.proofmode Require Import tactics.
-From iris.algebra Require Import gmap_auth namespace_map.
+From iris.algebra Require Import gmap_view namespace_map agree frac.
 From iris.base_logic.lib Require Export own.
 From iris Require Import options.
 Import uPred.
@@ -59,8 +59,8 @@ this RA would be quite inconvenient to deal with. *)
 
 (** The CMRA we need. *)
 Class gen_heapG (L V : Type) (Σ : gFunctors) `{Countable L} := GenHeapG {
-  gen_heap_inG :> inG Σ (gmap_authR L (leibnizO V));
-  gen_meta_inG :> inG Σ (gmap_authR L gnameO);
+  gen_heap_inG :> inG Σ (gmap_viewR L (leibnizO V));
+  gen_meta_inG :> inG Σ (gmap_viewR L gnameO);
   gen_meta_data_inG :> inG Σ (namespace_mapR (agreeR positiveO));
   gen_heap_name : gname;
   gen_meta_name : gname
@@ -69,14 +69,14 @@ Arguments gen_heap_name {L V Σ _ _} _ : assert.
 Arguments gen_meta_name {L V Σ _ _} _ : assert.
 
 Class gen_heapPreG (L V : Type) (Σ : gFunctors) `{Countable L} := {
-  gen_heap_preG_inG :> inG Σ (gmap_authR L (leibnizO V));
-  gen_meta_preG_inG :> inG Σ (gmap_authR L gnameO);
+  gen_heap_preG_inG :> inG Σ (gmap_viewR L (leibnizO V));
+  gen_meta_preG_inG :> inG Σ (gmap_viewR L gnameO);
   gen_meta_data_preG_inG :> inG Σ (namespace_mapR (agreeR positiveO));
 }.
 
 Definition gen_heapΣ (L V : Type) `{Countable L} : gFunctors := #[
-  GFunctor (gmap_authR L (leibnizO V));
-  GFunctor (gmap_authR L gnameO);
+  GFunctor (gmap_viewR L (leibnizO V));
+  GFunctor (gmap_viewR L gnameO);
   GFunctor (namespace_mapR (agreeR positiveO))
 ].
 
@@ -91,24 +91,24 @@ Section definitions.
     (* The [⊆] is used to avoid assigning ghost information to the locations in
     the initial heap (see [gen_heap_init]). *)
     ⌜ dom _ m ⊆ dom (gset L) σ ⌝ ∧
-    own (gen_heap_name hG) (gmap_auth_auth_mut (σ : gmap L (leibnizO V))) ∗
-    own (gen_meta_name hG) (gmap_auth_auth_ro (m : gmap L gnameO)).
+    own (gen_heap_name hG) (gmap_view_auth (σ : gmap L (leibnizO V))) ∗
+    own (gen_meta_name hG) (gmap_view_auth (m : gmap L gnameO)).
 
   Definition mapsto_def (l : L) (q : Qp) (v: V) : iProp Σ :=
-    own (gen_heap_name hG) (gmap_auth_frag_mut l q (v : leibnizO V)).
+    own (gen_heap_name hG) (gmap_view_frag l (DfracOwn q) (v : leibnizO V)).
   Definition mapsto_aux : seal (@mapsto_def). Proof. by eexists. Qed.
   Definition mapsto := mapsto_aux.(unseal).
   Definition mapsto_eq : @mapsto = @mapsto_def := mapsto_aux.(seal_eq).
 
   Definition meta_token_def (l : L) (E : coPset) : iProp Σ :=
-    ∃ γm, own (gen_meta_name hG) (gmap_auth_frag_ro l γm) ∗
+    ∃ γm, own (gen_meta_name hG) (gmap_view_frag l DfracDiscarded γm) ∗
           own γm (namespace_map_token E).
   Definition meta_token_aux : seal (@meta_token_def). Proof. by eexists. Qed.
   Definition meta_token := meta_token_aux.(unseal).
   Definition meta_token_eq : @meta_token = @meta_token_def := meta_token_aux.(seal_eq).
 
   Definition meta_def `{Countable A} (l : L) (N : namespace) (x : A) : iProp Σ :=
-    ∃ γm, own (gen_meta_name hG) (gmap_auth_frag_ro l γm) ∗
+    ∃ γm, own (gen_meta_name hG) (gmap_view_frag l DfracDiscarded γm) ∗
           own γm (namespace_map_data N (to_agree (encode x))).
   Definition meta_aux : seal (@meta_def). Proof. by eexists. Qed.
   Definition meta := meta_aux.(unseal).
@@ -127,10 +127,10 @@ Local Notation "l ↦ -" := (l ↦{1} -)%I (at level 20) : bi_scope.
 Lemma gen_heap_init `{Countable L, !gen_heapPreG L V Σ} σ :
   ⊢ |==> ∃ _ : gen_heapG L V Σ, gen_heap_ctx σ.
 Proof.
-  iMod (own_alloc (gmap_auth_auth_mut (σ : gmap L (leibnizO V)))) as (γh) "Hh".
-  { exact: gmap_auth_auth_mut_valid. }
-  iMod (own_alloc (gmap_auth_auth_ro (∅ : gmap L gnameO))) as (γm) "Hm".
-  { exact: gmap_auth_auth_ro_valid. }
+  iMod (own_alloc (gmap_view_auth (σ : gmap L (leibnizO V)))) as (γh) "Hh".
+  { exact: gmap_view_auth_valid. }
+  iMod (own_alloc (gmap_view_auth (∅ : gmap L gnameO))) as (γm) "Hm".
+  { exact: gmap_view_auth_valid. }
   iModIntro. iExists (GenHeapG L V Σ _ _ _ _ _ γh γm).
   iExists ∅; simpl. iFrame "Hh Hm". by rewrite dom_empty_L.
 Qed.
@@ -149,7 +149,7 @@ Section gen_heap.
   Proof. rewrite mapsto_eq /mapsto_def. apply _. Qed.
   Global Instance mapsto_fractional l v : Fractional (λ q, l ↦{q} v)%I.
   Proof.
-    intros p q. rewrite mapsto_eq /mapsto_def -own_op gmap_auth_frag_mut_frac_op //.
+    intros p q. rewrite mapsto_eq /mapsto_def -own_op gmap_view_frag_plus //.
   Qed.
   Global Instance mapsto_as_fractional l q v :
     AsFractional (l ↦{q} v) (λ q, l ↦{q} v)%I q.
@@ -159,7 +159,7 @@ Section gen_heap.
   Proof.
     apply wand_intro_r.
     rewrite mapsto_eq /mapsto_def -own_op own_valid discrete_valid.
-    apply pure_mono. intros [_ ?]%gmap_auth_frag_mut_op_valid_L. done.
+    apply pure_mono. intros [_ ?]%gmap_view_frag_op_valid_L. done.
   Qed.
 
   Lemma mapsto_combine l q1 q2 v1 v2 :
@@ -183,7 +183,7 @@ Section gen_heap.
   Lemma mapsto_valid l q v : l ↦{q} v -∗ ✓ q.
   Proof.
     rewrite mapsto_eq /mapsto_def own_valid !discrete_valid.
-    rewrite gmap_auth_frag_mut_valid //.
+    rewrite gmap_view_frag_valid //.
   Qed.
   Lemma mapsto_valid_2 l q1 q2 v1 v2 : l ↦{q1} v1 -∗ l ↦{q2} v2 -∗ ✓ (q1 + q2)%Qp.
   Proof.
@@ -218,7 +218,7 @@ Section gen_heap.
   Proof.
     rewrite meta_token_eq /meta_token_def.
     iDestruct 1 as (γm1) "[#Hγm1 Hm1]". iDestruct 1 as (γm2) "[#Hγm2 Hm2]".
-    iDestruct (own_valid_2 with "Hγm1 Hγm2") as %->%gmap_auth_frag_ro_op_valid_L.
+    iDestruct (own_valid_2 with "Hγm1 Hγm2") as %[_ ->]%gmap_view_frag_op_valid_L.
     iDestruct (own_valid_2 with "Hm1 Hm2") as %?%namespace_map_token_valid_op.
     iExists γm2. iFrame "Hγm2". rewrite namespace_map_token_union //. by iSplitL "Hm1".
   Qed.
@@ -241,7 +241,7 @@ Section gen_heap.
   Proof.
     rewrite meta_eq /meta_def.
     iDestruct 1 as (γm1) "[Hγm1 Hm1]"; iDestruct 1 as (γm2) "[Hγm2 Hm2]".
-    iDestruct (own_valid_2 with "Hγm1 Hγm2") as %->%gmap_auth_frag_ro_op_valid_L.
+    iDestruct (own_valid_2 with "Hγm1 Hγm2") as %[_ ->]%gmap_view_frag_op_valid_L.
     iDestruct (own_valid_2 with "Hm1 Hm2") as %Hγ; iPureIntro.
     move: Hγ. rewrite -namespace_map_data_op namespace_map_data_valid.
     move=> /to_agree_op_inv_L. naive_solver.
@@ -262,11 +262,11 @@ Section gen_heap.
     iIntros (Hσl). rewrite /gen_heap_ctx mapsto_eq /mapsto_def meta_token_eq /meta_token_def /=.
     iDestruct 1 as (m Hσm) "[Hσ Hm]".
     iMod (own_update with "Hσ") as "[Hσ Hl]".
-    { eapply (gmap_auth_mut_alloc _ l). done. }
+    { eapply (gmap_view_alloc _ l (DfracOwn 1)); done. }
     iMod (own_alloc (namespace_map_token ⊤)) as (γm) "Hγm".
     { apply namespace_map_token_valid. }
     iMod (own_update with "Hm") as "[Hm Hlm]".
-    { eapply (gmap_auth_ro_alloc _ l). 
+    { eapply (gmap_view_alloc _ l DfracDiscarded); last done.
       move: Hσl. rewrite -!(not_elem_of_dom (D:=gset L)). set_solver. }
     iModIntro. iFrame "Hl". iSplitL "Hσ Hm"; last by eauto with iFrame.
     iExists (<[l:=γm]> m). iFrame. iPureIntro.
@@ -291,8 +291,8 @@ Section gen_heap.
   Proof.
     iDestruct 1 as (m Hσm) "[Hσ _]". iIntros "Hl".
     rewrite /gen_heap_ctx mapsto_eq /mapsto_def.
-    iDestruct (own_valid_2 with "Hσ Hl") as %?%gmap_auth_auth_mut_frag_mut_valid.
-    iPureIntro. fold_leibniz. done.
+    iDestruct (own_valid_2 with "Hσ Hl") as %[??]%gmap_view_both_valid_L.
+    iPureIntro. done.
   Qed.
 
   Lemma gen_heap_update σ l v1 v2 :
@@ -300,9 +300,9 @@ Section gen_heap.
   Proof.
     iDestruct 1 as (m Hσm) "[Hσ Hm]".
     iIntros "Hl". rewrite /gen_heap_ctx mapsto_eq /mapsto_def.
-    iDestruct (own_valid_2 with "Hσ Hl") as %Hl%gmap_auth_auth_mut_frag_mut_valid_L.
+    iDestruct (own_valid_2 with "Hσ Hl") as %[_ Hl]%gmap_view_both_valid_L.
     iMod (own_update_2 with "Hσ Hl") as "[Hσ Hl]".
-    { eapply gmap_auth_mut_update. }
+    { eapply gmap_view_update. }
     iModIntro. iFrame "Hl". iExists m. iFrame.
     iPureIntro. apply (elem_of_dom_2 (D:=gset L)) in Hl.
     rewrite dom_insert_L. set_solver.

theories/base_logic/lib/own.v

@@ -106,7 +106,7 @@ Local Lemma iRes_singleton_validI γ a : ✓ (iRes_singleton γ a) ⊢@{iPropI
 Proof.
   rewrite /iRes_singleton.
   rewrite discrete_fun_validI (forall_elim (inG_id i)) discrete_fun_lookup_singleton.
-  rewrite gmap_validI (forall_elim γ) lookup_singleton option_validI.
+  rewrite singleton_validI.
   trans (✓ cmra_transport inG_prf a : iProp Σ)%I; last by destruct inG_prf.
   apply valid_entails=> n. apply inG_unfold_validN.
 Qed.

theories/base_logic/lib/proph_map.v

 From iris.proofmode Require Import tactics.
-From iris.algebra Require Import gmap_auth list.
+From iris.algebra Require Import gmap_view list.
 From iris.base_logic.lib Require Export own.
 From iris Require Import options.
 Import uPred.
@@ -9,16 +9,16 @@ Definition proph_val_list (P V : Type) := list (P * V).
 
 (** The CMRA we need. *)
 Class proph_mapG (P V : Type) (Σ : gFunctors) `{Countable P} := ProphMapG {
-  proph_map_inG :> inG Σ (gmap_authR P (listO (leibnizO V)));
+  proph_map_inG :> inG Σ (gmap_viewR P (listO $ leibnizO V));
   proph_map_name : gname
 }.
 Arguments proph_map_name {_ _ _ _ _} _ : assert.
 
 Class proph_mapPreG (P V : Type) (Σ : gFunctors) `{Countable P} :=
-  { proph_map_preG_inG :> inG Σ (gmap_authR P (listO $ leibnizO V)) }.
+  { proph_map_preG_inG :> inG Σ (gmap_viewR P (listO $ leibnizO V)) }.
 
 Definition proph_mapΣ (P V : Type) `{Countable P} : gFunctors :=
-  #[GFunctor (gmap_authR P (listO $ leibnizO V))].
+  #[GFunctor (gmap_viewR P (listO $ leibnizO V))].
 
 Instance subG_proph_mapPreG {Σ P V} `{Countable P} :
   subG (proph_mapΣ P V) Σ → proph_mapPreG P V Σ.
@@ -44,10 +44,10 @@ Section definitions.
   Definition proph_map_ctx pvs (ps : gset P) : iProp Σ :=
     (∃ R, ⌜proph_resolves_in_list R pvs ∧
           dom (gset _) R ⊆ ps⌝ ∗
-          own (proph_map_name pG) (gmap_auth_auth_mut (V:=listO $ leibnizO V) R))%I.
+          own (proph_map_name pG) (gmap_view_auth (V:=listO $ leibnizO V) R))%I.
 
   Definition proph_def (p : P) (vs : list V) : iProp Σ :=
-    own (proph_map_name pG) (gmap_auth_frag_mut (V:=listO $ leibnizO V) p 1 vs).
+    own (proph_map_name pG) (gmap_view_frag (V:=listO $ leibnizO V) p (DfracOwn 1) vs).
 
   Definition proph_aux : seal (@proph_def). Proof. by eexists. Qed.
   Definition proph := proph_aux.(unseal).
@@ -75,8 +75,8 @@ End list_resolves.
 Lemma proph_map_init `{Countable P, !proph_mapPreG P V PVS} pvs ps :
   ⊢ |==> ∃ _ : proph_mapG P V PVS, proph_map_ctx pvs ps.
 Proof.
-  iMod (own_alloc (gmap_auth_auth_mut ∅)) as (γ) "Hh".
-  { apply gmap_auth_auth_mut_valid. }
+  iMod (own_alloc (gmap_view_auth ∅)) as (γ) "Hh".
+  { apply gmap_view_auth_valid. }
   iModIntro. iExists (ProphMapG P V PVS _ _ _ γ), ∅. iSplit; last by iFrame.
   iPureIntro. done.
 Qed.
@@ -98,7 +98,7 @@ Section proph_map.
   Proof.
     rewrite proph_eq /proph_def. iIntros "Hp1 Hp2".
     iCombine "Hp1 Hp2" as "Hp".
-    iDestruct (own_valid with "Hp") as %[Hp _]%gmap_auth_frag_mut_op_valid_L.
+    iDestruct (own_valid with "Hp") as %[Hp _]%gmap_view_frag_op_valid_L.
     done.
   Qed.
 
@@ -110,7 +110,7 @@ Section proph_map.
     iIntros (Hp) "HR". iDestruct "HR" as (R) "[[% %] H●]".
     rewrite proph_eq /proph_def.
     iMod (own_update with "H●") as "[H● H◯]".
-    { eapply (gmap_auth_mut_alloc _ p).
+    { eapply (gmap_view_alloc _ p (DfracOwn 1)); last done.
       apply (not_elem_of_dom (D:=gset P)). set_solver. }
     iModIntro. iFrame.
     iExists (<[p := proph_list_resolves pvs p]> R).
@@ -125,11 +125,11 @@ Section proph_map.
   Proof.
     iIntros "[HR Hp]". iDestruct "HR" as (R) "[HP H●]". iDestruct "HP" as %[Hres Hdom].
     rewrite /proph_map_ctx proph_eq /proph_def.
-    iDestruct (own_valid_2 with "H● Hp") as %HR%gmap_auth_auth_mut_frag_mut_valid_L.
+    iDestruct (own_valid_2 with "H● Hp") as %[_ HR]%gmap_view_both_valid_L.
     assert (vs = v :: proph_list_resolves pvs p) as ->.
     { rewrite (Hres p vs HR). simpl. by rewrite decide_True. }
     iMod (own_update_2 with "H● Hp") as "[H● H◯]".
-    { eapply gmap_auth_mut_update. }
+    { eapply gmap_view_update. }
     iModIntro. iExists (proph_list_resolves pvs p). iFrame. iSplitR.
     - iPureIntro. done.
     - iExists _. iFrame. iPureIntro. split.

theories/base_logic/lib/wsat.v

 From stdpp Require Export coPset.
 From iris.proofmode Require Import tactics.
-From iris.algebra Require Import gmap_auth gset coPset.
+From iris.algebra Require Import gmap_view gset coPset.
 From iris.base_logic.lib Require Export own.
 From iris Require Import options.
 
@@ -9,7 +9,7 @@ exception of what's in the [invG] module. The module [invG] is thus exported in
 [fancy_updates], which [wsat] is only imported. *)
 Module invG.
   Class invG (Σ : gFunctors) : Set := WsatG {
-    inv_inG :> inG Σ (gmap_authR positive (laterO (iPropO Σ)));
+    inv_inG :> inG Σ (gmap_viewR positive (laterO (iPropO Σ)));
     enabled_inG :> inG Σ coPset_disjR;
     disabled_inG :> inG Σ (gset_disjR positive);
     invariant_name : gname;
@@ -18,12 +18,12 @@ Module invG.
   }.
 
   Definition invΣ : gFunctors :=
-    #[GFunctor (gmap_authRF positive (laterOF idOF));
+    #[GFunctor (gmap_viewRF positive (laterOF idOF));
       GFunctor coPset_disjUR;
       GFunctor (gset_disjUR positive)].
 
   Class invPreG (Σ : gFunctors) : Set := WsatPreG {
-    inv_inPreG :> inG Σ (gmap_authR positive (laterO (iPropO Σ)));
+    inv_inPreG :> inG Σ (gmap_viewR positive (laterO (iPropO Σ)));
     enabled_inPreG :> inG Σ coPset_disjR;
     disabled_inPreG :> inG Σ (gset_disjR positive);
   }.
@@ -36,7 +36,7 @@ Import invG.
 Definition invariant_unfold {Σ} (P : iProp Σ) : later (iProp Σ) :=
   Next P.
 Definition ownI `{!invG Σ} (i : positive) (P : iProp Σ) : iProp Σ :=
-  own invariant_name (gmap_auth_frag_ro i (invariant_unfold P)).
+  own invariant_name (gmap_view_frag i DfracDiscarded (invariant_unfold P)).
 Arguments ownI {_ _} _ _%I.
 Typeclasses Opaque ownI.
 Instance: Params (@invariant_unfold) 1 := {}.
@@ -54,7 +54,7 @@ Instance: Params (@ownD) 3 := {}.
 
 Definition wsat `{!invG Σ} : iProp Σ :=
   locked (∃ I : gmap positive (iProp Σ),
-    own invariant_name (gmap_auth_auth_ro (invariant_unfold <$> I)) ∗
+    own invariant_name (gmap_view_auth (invariant_unfold <$> I)) ∗
     [∗ map] i ↦ Q ∈ I, ▷ Q ∗ ownD {[i]} ∨ ownE {[i]})%I.
 
 Section wsat.
@@ -106,11 +106,11 @@ Lemma ownD_singleton_twice i : ownD {[i]} ∗ ownD {[i]} ⊢ False.
 Proof. rewrite ownD_disjoint. iIntros (?); set_solver. Qed.
 
 Lemma invariant_lookup (I : gmap positive (iProp Σ)) i P :
-  own invariant_name (gmap_auth_auth_ro (invariant_unfold <$> I)) ∗
-  own invariant_name (gmap_auth_frag_ro i (invariant_unfold P)) ⊢
+  own invariant_name (gmap_view_auth (invariant_unfold <$> I)) ∗
+  own invariant_name (gmap_view_frag i DfracDiscarded (invariant_unfold P)) ⊢
   ∃ Q, ⌜I !! i = Some Q⌝ ∗ ▷ (Q ≡ P).
 Proof.
-  rewrite -own_op own_valid gmap_auth_auth_ro_frag_ro_validI.
+  rewrite -own_op own_valid gmap_view_both_validI bi.and_elim_r.
   rewrite lookup_fmap option_equivI.
   case: (I !! i)=> [Q|] /=; last by eauto.
   iIntros "?". iExists Q; iSplit; first done.
@@ -152,7 +152,8 @@ Proof.
       as (i & [? HIi%not_elem_of_dom]%not_elem_of_union & ?); eauto. }
   iDestruct "HE" as (X) "[Hi HE]"; iDestruct "Hi" as %(i & -> & HIi & ?).
   iMod (own_update with "Hw") as "[Hw HiP]".
-  { eapply (gmap_auth_ro_alloc _ i). by rewrite /= lookup_fmap HIi. }
+  { eapply (gmap_view_alloc _ i DfracDiscarded); last done.
+    by rewrite /= lookup_fmap HIi. }
   iModIntro; iExists i;  iSplit; [done|]. rewrite /ownI; iFrame "HiP".
   iExists (<[i:=P]>I); iSplitL "Hw".
   { by rewrite fmap_insert. }
@@ -172,7 +173,8 @@ Proof.
       as (i & [? HIi%not_elem_of_dom]%not_elem_of_union & ?); eauto. }
   iDestruct "HD" as (X) "[Hi HD]"; iDestruct "Hi" as %(i & -> & HIi & ?).
   iMod (own_update with "Hw") as "[Hw HiP]".
-  { eapply (gmap_auth_ro_alloc _ i). by rewrite /= lookup_fmap HIi. }
+  { eapply (gmap_view_alloc _ i DfracDiscarded); last done.
+    by rewrite /= lookup_fmap HIi. }
   iModIntro; iExists i;  iSplit; [done|]. rewrite /ownI; iFrame "HiP".
   rewrite -/(ownD _). iFrame "HD".
   iIntros "HE". iExists (<[i:=P]>I); iSplitL "Hw".
@@ -186,8 +188,8 @@ End wsat.
 Lemma wsat_alloc `{!invPreG Σ} : ⊢ |==> ∃ _ : invG Σ, wsat ∗ ownE ⊤.
 Proof.
   iIntros.
-  iMod (own_alloc (gmap_auth_auth_ro ∅)) as (γI) "HI";
-    first by apply gmap_auth_auth_ro_valid.
+  iMod (own_alloc (gmap_view_auth ∅)) as (γI) "HI";
+    first by apply gmap_view_auth_valid.
   iMod (own_alloc (CoPset ⊤)) as (γE) "HE"; first done.
   iMod (own_alloc (GSet ∅)) as (γD) "HD"; first done.
   iModIntro; iExists (WsatG _ _ _ _ γI γE γD).