CHANGELOG.md

In this changelog, we document "large-ish" changes to Iris that affect even the
way the logic is used on paper.  We also document changes in the Coq
development; every API-breaking change should be listed, but not every new
lemma.

## Iris master

**Changes in `bi`:**

* Generalize `big_op` lemmas that were previously assuming `Absorbing`ness of
  some assertion: they now take any of (`TCOr`) an `Affine` instance or an
  `Absorbing` instance. This breaks uses where an `Absorbing` instance was
  provided without relying on TC search (e.g. in `by apply ...`; a possible fix
  is `by apply: ...`). (by Glen Mével, Bedrock Systems)

**Changes in `proofmode`:**

* `iAssumption` no longer instantiates evar premises with `False`. This used
   to occur when the conclusion contains variables that are not in scope of the
   evar, thus blocking the default behavior of instantiating the premise with
   the conclusion. The old behavior can be emulated with`iExFalso. iExact "H".`
* `iInduction` now supports induction schemes that involve `Forall` and
  `Forall2` (for example, for trees with finite branching).
* `iRevert` of a pure hypothesis generates a wand instead of an implication.

**Changes in `base_logic`:**

* Make the `inG` instances for `libG` fields local, so they are only used inside
  the library that defines the `libG`.

**Changes in `iris_heap_lang`:**

* Changed the `num_laters_per_step` of `heap_lang` to `λ n, n`, signifying that
  each step of the weakest precondition strips `n` laters, where `n` is the
  number of steps taken so far. This number is tied to ghost state in the state
  interpretation, which is exposed, updated, and used with new lemmas
  `wp_lb_init`, `wp_lb_update`, and `wp_step_fupdN_lb`. (by Jonas Kastberg Hinrichsen)

## Iris 3.6.0 (2022-01-22)

The highlights and most notable changes of this release are:

* Coq 8.15 is now supported, while Coq 8.13 and Coq 8.14 remain supported.
  Coq 8.12 is no longer supported.
* Support for discardable fractions (`dfrac`) has been added to `gmap_view`
  authoritative elements, and to the `mono_nat` library. See below for other
  `dfrac`-related changes.
* A new `mono_list` algebra provides monotonically growing lists with an
  exclusive authoritative element and persistent prefix witnesses. See
  `iris/algebra/lib/mono_list.v` for details. An experimental logic-level
  library wrapping the algebra is available at
  `iris_staging/base_logic/mono_list.v`; if you use it, please give feedback on
  the tracking issue
  [iris/iris#439](https://gitlab.mpi-sws.org/iris/iris/-/issues/439).

This release was managed by Ralf Jung, Robbert Krebbers, and Tej Chajed, with
contributions from Dan Frumin, Jonas Kastberg Hinrichsen, Lennard Gäher,
Matthieu Sozeau, Michael Sammler, Paolo G. Giarrusso, Ralf Jung, Robbert
Krebbers, Simon Friis Vindum, Tej Chajed, and Vincent Siles. Thanks a lot to
everyone involved!

**Changes in `algebra`**

* Define non-expansive instance for `dom`. This, in particular, makes it
  possible to `iRewrite` below `dom` (even if the `dom` appears in `⌜ _ ⌝`).
* Generalize the authorative elements of `gmap_view` to be parameterized by a
  [discardable fraction](iris/algebra/dfrac.v) (`dfrac`) instead of a fraction
  (`frac`). Lemmas affected by this have been renamed such that the "frac" in
  their name has been changed into "dfrac". (by Simon Friis Vindum)
* Change `ufrac_auth` notation to not use curly braces, since these fractions do
  not behave like regular fractions (and cannot be made `dfrac`).
  Old: `●U{q} a`, `◯U{q} b`; new: `●U_q a`, `◯U_q b`.
* Equip `frac_agree` with support for `dfrac` and rename it to `dfrac_agree`.
  The old `to_frac_agree` and its lemmas still exist, except that the
  `frac_agree_op_valid` lemmas are made bi-directional.
* Rename typeclass instance `Later_inj` -> `Next_inj`.
* Remove `view_auth_frac_op`, `auth_auth_frac_op`, `gmap_view_auth_frac_op`; the
  corresponding `dfrac` lemmas can be used instead (together with `dfrac_op_own`
  if needed).
* Equip `mono_nat` algebra with support for `dfrac`, make API more consistent,
  and add notation for algebra elements. See `iris/algebra/lib/mono_nat.v` for
  details. This affects some existing terms and lemmas:
  - `mono_nat_auth` now takes a `dfrac`, but the recommendation is to port to the notation.
  - `mono_nat_lb_op`: direction of equality is swapped.
  - `mono_nat_auth_frac_op`, `mono_nat_auth_frac_op_valid`,
    `mono_nat_auth_frac_valid`, `mono_nat_both_frac_valid`: use `dfrac` variant
    instead.
* Add `mono_list` algebra for monotonically growing lists with an exclusive
  authoritative element and persistent prefix witnesses. See
  `iris/algebra/lib/mono_list.v` for details.

**Changes in `bi`:**

* Rename `least_fixpoint_ind` into `least_fixpoint_iter`,
  rename `greatest_fixpoint_coind` into `greatest_fixpoint_coiter`,
  rename `least_fixpoint_strong_ind` into `least_fixpoint_ind`,
  add lemmas `least_fixpoint_{ind_wf, ne', strong_mono}`, and
  add lemmas `greatest_fixpoint_{coind, paco, ne', strong_mono}`.
* Move `persistently_forall_2` (`∀ <pers> ⊢ <pers> ∀`) out of the BI interface
  into a new typeclass, `BiPersistentlyForall`. The BI interface instead just
  demands the equivalent property for conjunction (`(<pers> P) ∧ (<pers> Q) ⊢
  <pers> (P ∧ Q)`). This enables the IPM to support logics where the
  persistently modality is defined with an existential quantifier. This also
  necessitates removing `persistently_impl_plainly` from `BiPlainly` into a new
  typeclass `BiPersistentlyImplPlainly`.
  Proofs that are generic in `PROP` might have to add those new classes as
  assumptions to remain compatible, and code that instantiates the BI interface
  needs to provide instances for the new classes.
* Make `frame_fractional` not an instance any more; instead fractional
  propositions that want to support framing are expected to register an
  appropriate instance themselves. HeapLang and gen_heap `↦` still support
  framing, but the other fractional propositions in Iris do not.

**Changes in `heap_lang`:**

* The `is_closed_expr` predicate is formulated in terms of a
  set of binders (as opposed to a list of binders).

The following `sed` script helps adjust your code to the renaming (on macOS,
replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`).
Note that the script is not idempotent, do not run it twice.
```
sed -i -E -f- $(find theories -name "*.v") <<EOF
# least/greatest fixpoint renames
s/\bleast_fixpoint_ind\b/least_fixpoint_iter/g
s/\bgreatest_fixpoint_coind\b/greatest_fixpoint_coiter/g
s/\bleast_fixpoint_strong_ind\b/least_fixpoint_ind/g
# gmap_view renames from frac to dfrac
s/\bgmap_view_(auth|both)_frac_(op_invN|op_inv|op_inv_L|valid|op_validN|op_valid|op_valid_L)\b/gmap_view_\1_dfrac_\2/g
s/\bgmap_view_persist\b/gmap_view_frag_persist/g
# frac_agree with dfrac
s/\bfrac_agreeR\b/dfrac_agreeR/g
EOF
```

## Iris 3.5.0 (2021-11-05)

The highlights and most notable changes of this release are:

* Coq 8.14 is now supported, while Coq 8.12 and Coq 8.13 remain supported.
* The proof mode now has native support for pure names `%H` in intro patterns,
  without installing
  [iris/string-ident](https://gitlab.mpi-sws.org/iris/string-ident). If you had
  the plugin installed, to migrate simply uninstall the plugin and stop
  importing it.
* The proof mode now supports destructing existentials with the `"[%x ...]"`
  pattern.
* `iMod` and `iModIntro` now report an error message for mask mismatches.
* Performance improvements for the proof mode in `iFrame` in non-affine
  logics, `iPoseProof`, and `iDestruct` (by Paolo G. Giarrusso, Bedrock Systems,
  and Armaël Guéneau).
* The new `ghost_map` logic-level library supports a ghost `gmap K V` with an
  authoritative view and per-element points-to facts written `k ↪[γ] w`.
* Weakest preconditions now support a flexible number of laters per
  physical step of the operational semantics. See merge request
  [!585](https://gitlab.mpi-sws.org/iris/iris/-/merge_requests/595) (by
  Jacques-Henri Jourdan and Yusuke Matsushita).
* HeapLang now has an atomic `Xchg` (exchange) operation (by Simon Hudon,
  Google).

This release was managed by Ralf Jung, Robbert Krebbers, and Tej Chajed, with
contributions from Amin Timany, Armaël Guéneau, Dan Frumin, Dmitry Khalanskiy,
Hoang-Hai Dang, Jacques-Henri Jourdan, Lennard Gäher, Michael Sammler, Paolo G.
Giarrusso, Ralf Jung, Robbert Krebbers, Simon Friis Vindum, Simon Hudon, Tej
Chajed, and Yusuke Matsushita. Thanks a lot to everyone involved!

**Changes in `algebra`:**

* Generalize the authorative elements of the `view`, `auth` and `gset_bij`
  cameras to be parameterized by a [discardable fraction](iris/algebra/dfrac.v)
  (`dfrac`) instead of a fraction (`frac`). Normal fractions are now denoted
  `●{#q} a` and `●V{#q} a`. Lemmas affected by this have been renamed such that
  the "frac" in their name has been changed into "dfrac". (by Simon Friis Vindum)
* Generalize `namespace_map` to `reservation_map` which enhances `gmap positive
  A` with a notion of 'tokens' that enable allocating a particular name in the
  map. See [algebra.reservation_map](iris/algebra/reservation_map.v) for further
  information.
* Add `dyn_reservation_map` which further extends `reservation_map` with the
  ability to dynamically allocate an infinite set of tokens. This is useful to
  perform synchronized allocation of the same name in two maps/APIs without
  dedicated support from one of the involved maps/APIs. See
  [algebra.dyn_reservation_map](iris/algebra/dyn_reservation_map.v) for further
  information.
* Demote the Camera structure on `list` to `iris_staging` since its composition
  is not very well-behaved.
* Extend `gmap_view` with lemmas for "big" operations on maps.
* Typeclasses instances triggering a canonical structure search such as `Equiv`,
  `Dist`, `Op`, `Valid`, `ValidN`, `Unit`, `PCore` now use an `Hint Extern`
  based on `refine` instead of `apply`, in order to use Coq's newer unification
  algorithm.
* Set `Hint Mode` for the classes `OfeDiscrete`, `Dist`, `Unit`, `CmraMorphism`,
  `rFunctorContractive`, `urFunctorContractive`.
* Set `Hint Mode` for the stdpp class `Equiv`. This might require few spurious
  type annotations until
  [Coq bug #14441](https://github.com/coq/coq/issues/14441) is fixed.
* Add `max_prefix_list` RA on lists whose composition is only defined when one
  operand is a prefix of the other. The result is the longer list.
* Add `NonExpansive` instances for `curry` and friends.

**Changes in `bi`:**

* Add new lemmas `big_sepM2_delete_l` and `big_sepM2_delete_r`.
* Rename `big_sepM2_lookup_1` → `big_sepM2_lookup_l` and
  `big_sepM2_lookup_2` → `big_sepM2_lookup_r`.
* Add lemmas for swapping nested big-ops: `big_sep{L,M,S,MS}_sep{L,M,S,MS}`.
* Rename `big_sep{L,L2,M,M2,S}_intuitionistically_forall` →
  `big_sep{L,L2,M,M2,S}_intro`, and `big_orL_lookup` → `big_orL_intro`.
* Rename `bupd_forall` to `bupd_plain_forall`, and add
  `{bupd,fupd}_{and,or,forall,exist}`.
* Decouple `Wp` and `Twp` typeclasses from the `program_logic.language`
  interface. The typeclasses are now parameterized over an expression and a
  value type, instead of a language. This requires extra type annotations or
  explicit coercions in a few cases, in particular `WP v {{ Φ }}` must now be
  written `WP (of_val v) {{ Φ }}`.
* Improve `make_laterable`:
  - Adjust definition such that `Laterable P` iff `P ⊢ make_laterable P`.
    As a consequence, `make_laterable_elim` got weaker: elimination now requires
    an except-0 modality (`make_laterable P -∗ ◇ P`).
  - Add `iModIntro` support for `make_laterable`.
* Improvements to `BiMonoPred`:
  - Use `□`/`-∗` instead of `<pers>`/`→`.
  - Strengthen to ensure that functions for recursive calls are non-expansive.
* Add `big_andM` (big conjunction on finite maps) with lemmas similar to `big_andL`.
* Add transitive embedding that constructs an embedding of `PROP1` into `PROP3`
  by combining the embeddings of `PROP1` into `PROP2` and `PROP2` into `PROP3`.
  This construct is *not* declared as an instance to avoid TC search divergence.
  (by Hai Dang, BedRock Systems)
* Improve notation printing around magic wands, view shifts, `WP`, Texan
  triples, and logically atomic triples.
* Slight change to the `AACC` notation for atomic accessors (which is usually
  only printed, not parsed): added a `,` before `ABORT`, for consistency with `COMM`.
* Add the lemmas `big_sepM_impl_strong` and `big_sepM_impl_dom_subseteq` that
  generalize the existing `big_sepM_impl` lemma. (by Simon Friis Vindum)
* Add new instance `fractional_big_sepL2`. (by Paolo G. Giarrusso, BedRock Systems)

**Changes in `proofmode`:**

* Add support for pure names `%H` in intro patterns. This is now natively
  supported whereas the previous experimental support required installing
  https://gitlab.mpi-sws.org/iris/string-ident. (by Tej Chajed)
* Add support for destructing existentials with the intro pattern `[%x ...]`.
  (by Tej Chajed)
* `iMod`/`iModIntro` show proper error messages when they fail due to mask
  mismatches. To support this, the proofmode typeclass `FromModal` now takes an
  additional pure precondition.
* Fix performance of `iFrame` in logics without `BiAffine`.
  To adjust your code if you use such logics and define `Frame` instances,
  ensure these instances to have priority at least 2: they should have either at
  least 2 (non-dependent) premises, or an explicit priority.
  References: docs for `frame_here_absorbing` in
  [iris/proofmode/frame_instances.v](iris/proofmode/frame_instances.v) and
  https://coq.inria.fr/refman/addendum/type-classes.html#coq:cmd.Instance. (by
  Paolo G. Giarrusso, BedRock Systems)
* Rename the main entry point module for the proofmode from
  `iris.proofmode.tactics` to `iris.proofmode.proofmode`. Under normal
  circumstances, this should be the only proofmode file you need to import.
* Improve performance of the `iIntoEmpValid` tactic used by `iPoseProof`,
  especially in the case of large goals and lemmas with many forall quantifiers.
  (by Armaël Guéneau)
* Improve performance of the `iDestruct` tactic, by using user-provided names
  more eagerly in order to avoid later calls to `iRename`.
  (by Armaël Guéneau)

**Changes in `bi`:**

* Add lemmas characterizing big-ops over pure predicates (`big_sep*_pure*`).
* Move `BiAffine`, `BiPositive`, `BiLöb`, and `BiPureForall` from
  `bi.derived_connectives` to `bi.extensions`.
* Strengthen `persistent_fractional` to support propositions that are persistent
  and either affine or absorbing. (by Paolo G. Giarrusso, BedRock Systems)

**Changes in `base_logic`:**

* Add `ghost_map`, a logic-level library for a `gmap K V` with an authoritative
  view and per-element points-to facts written `k ↪[γ] w`.
* Generalize the soundness lemma of the base logic `step_fupdN_soundness`.
  It applies even if invariants stay open accross an arbitrary number of laters.
  (by Jacques-Henri Jourdan)
* Rename those `*G` typeclasses that must be global singletons to `*GS`, and
  their corresponding `preG` class to `GpreS`. Affects `invG`, `irisG`,
  `gen_heapG`, `inv_heapG`, `proph_mapG`, `ownPG`, `heapG`.

**Changes in `program_logic`:**

* Change definition of weakest precondition to use a variable number of laters
  (i.e., logical steps) for each physical step of the operational semantics,
  depending on the number of physical steps executed since the begining of the
  execution of the program. See merge request [!595](https://gitlab.mpi-sws.org/iris/iris/-/merge_requests/595).
  This implies several API-breaking changes, which can be easily fixed in client
  formalizations in a backward compatible manner as follows:
   - Ignore the new parameter `ns` in the state interpretation, which
     corresponds to a step counter.
   - Use the constant function "0" for the new field `num_laters_per_step` of
     `irisG`.
   - Use `fupd_intro _ _` for the new field `state_interp_mono` of `irisG`.
   - Some proofs using lifting lemmas and adequacy theorems need to be adapted
     to ignore the new step counter.
  (by Jacques-Henri Jourdan)
* Remove `wp_frame_wand_l`; add `wp_frame_wand` as more symmetric replacement.
* Swap the polarity of the mask in logically atomic triples, so that it matches
  regular `WP` masks.
* Rename `iris_invG` to `iris_invGS`.

**Changes in `heap_lang`:**

* Rename `Build_loc` constructor for `loc` type to `Loc`.
* Add atomic `Xchg` ("exchange"/"swap") operation. (by Simon Hudon, Google LLC)

The following `sed` script helps adjust your code to the renaming (on macOS,
replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`).
Note that the script is not idempotent, do not run it twice.
```
sed -i -E -f- $(find theories -name "*.v") <<EOF
# auth and view renames from frac to dfrac
s/\b(auth|view)_(auth|both|update)_frac_(is_op|op_invN|op_inv|inv_L|validN|op_validN|valid|op_valid|valid_2|valid_discrete|includedN|included|alloc|validI|validI_2|validI_1|validI|)\b/\1_\2_dfrac_\3/g
s/\bgset_bij_auth_frac_(\w*)\b/gset_bij_auth_dfrac_\1/g
s/\bgset_bij_auth_empty_frac_valid\b/gset_bij_auth_empty_dfrac_valid/g
s/\bbij_both_frac_valid\b/bij_both_dfrac_valid/g
# big_sepM renames
s/\bbig_sepM2_lookup_1\b/big_sepM2_lookup_l/g
s/\bbig_sepM2_lookup_2\b/big_sepM2_lookup_r/g
# big_*_intro
s/\bbig_sep(L|L2|M|M2|S)_intuitionistically_forall\b/big_sep\1_intro/g
s/\bbig_orL_lookup\b/big_orL_intro/g
s/\bbupd_forall\b/bupd_plain_forall/g
# "global singleton" rename
s/\b(inv|iris|(gen|inv)_heap|(Gen|Inv)Heap|proph_map|ProphMap|[oO]wnP|[hH]eap)G\b/\1GS/g
s/\b([iI]nv|iris|(gen|inv)_heap|(Gen|Inv)Heap|proph_map|ProphMap|[oO]wnP|[hH]eap)PreG\b/\1GpreS/g
# iris.proofmode.tactics → iris.proofmode.proofmode
s/\bproofmode\.tactics\b/proofmode.proofmode/
s/(From +iris\.proofmode +Require +(Import|Export).*)\btactics\b/\1proofmode/
# iris_invG → iris_invGS
s/\biris_invG\b/iris_invGS/g
EOF
```

## Iris 3.4.0 (released 2021-02-16)

The highlights and most notable changes of this release are as follows:
* Coq 8.13 is now supported; the old Coq 8.9 and Coq 8.10 are not supported any
  more.
* The new `view` RA construction generalizes `auth` to user-defined abstraction
  relations. (thanks to Gregory Malecha for the inspiration)
* The new `dfrac` RA extends `frac` (fractions `0 < q ≤ 1`) with support for
  "discarding" some part of the fraction in exchange for a persistent witness
  that discarding has happened. This can be used to easily generalize fractional
  permissions with support for persistently owning "any part" of the resource.
  (by Simon Friis Vindum)
* The new `gmap_view` RA provides convenient lemmas for ghost ownership
  of heap-like structures with an "authoritative" view. Thanks to `dfrac`, it
  supports both exclusive (mutable) and persistent (immutable) ownership of
  individual map elements.
* With this release we are beginning to provide logic-level abstractions for
  ghost state, which have the advantage that the user does not have to directly
  interact with RAs to use them.
  - `ghost_var` provides a logic-level abstraction of ghost variables: a mutable
    "variable" with fractional ownership.
  - `mono_nat` provides a "monotone counter" with a persistent witnesses
    representing a lower bound of the current counter value. (by Tej Chajed)
  - `gset_bij` provides a monotonically growing partial bijection; this is
    useful in particular when building binary logical relations for languages
    with a heap.
* HeapLang provides a persistent read-only points-to assertion `l ↦□ v`.
  (by Simon Friis Vindum)
* We split Iris into multiple opam packages: `coq-iris` no longer contains
  HeapLang, which is now in a separate package `coq-iris-heap-lang`. The two
  packages `coq-iris-deprecated` (for old modules that we eventually plan to
  remove entirely) and `coq-iris-staging` (for new modules that are not yet
  ready for prime time) exist only as development versions, so they are not part
  of this release.
* The proofmode now does a better job at picking reasonable names when moving
  variables into the Coq context without a name being explicitly given by the
  user. However, the exact variable names remain unspecified. (by Tej Chajed)

Further details are given in the changelog below.

This release of Iris was managed by Ralf Jung and Robbert Krebbers, with
contributions by Arthur Azevedo de Amorim, Dan Frumin, Enrico Tassi, Hai Dang,
Michael Sammler, Paolo G. Giarrusso, Rodolphe Lepigre, Simon Friis Vindum, Tej
Chajed, and Yusuke Matsushita.  Thanks a lot to everyone involved!

**Changes in `algebra`:**

* Add constructions to define a camera through restriction of the validity predicate
  (`iso_cmra_mixin_restrict`) and through an isomorphism (`iso_cmra_mixin`).
* Add a `frac_agree` library which encapsulates `frac * agree A` for some OFE
  `A`, and provides some useful lemmas.
* Add the view camera `view`, which generalizes the authoritative camera
  `auth` by being parameterized by a relation that relates the authoritative
  element with the fragments.
* Add the camera of discardable fractions `dfrac`. This is a generalization of
  the normal fractional camera.
  See [algebra.dfrac](iris/algebra/dfrac.v) for further information.
* Add `gmap_view`, a camera providing a "view of a `gmap`". The authoritative
  element is any `gmap`; the fragment provides fractional ownership of a single
  key, including support for persistent read-only ownership through `dfrac`.
  See [algebra.lib.gmap_view](iris/algebra/lib/gmap_view.v) for further information.
* Add `mono_nat`, a wrapper for `auth max_nat`. The result is an authoritative
  `nat` where a fragment is a lower bound whose ownership is persistent.
  See [algebra.lib.mono_nat](iris/algebra/lib/mono_nat.v) for further information.
* Add the `gset_bij` resource algebra for monotone partial bijections.
  See [algebra.lib.gset_bij](iris/algebra/lib/gset_bij.v) for further information.
* Rename `agree_op_inv'` → `to_agree_op_inv`,
  `agree_op_invL'` → `to_agree_op_inv_L`, and add `to_agree_op_invN`.
* Rename `auth_auth_frac_op_invL` → `auth_auth_frac_op_inv_L`,
  `excl_auth_agreeL` → `excl_auth_agree_L`,
  `frac_auth_agreeL` → `frac_auth_agree_L`, and
  `ufrac_auth_agreeL` → `ufrac_auth_agree_L`.
* Fix direction of `auth_auth_validN` to make it consistent with similar lemmas,
  e.g., `auth_auth_valid`. The direction is now `✓{n} (● a) ↔ ✓{n} a`.
* Rename `auth_both_valid` to `auth_both_valid_discrete` and
  `auth_both_frac_valid` to `auth_both_frac_valid_discrete`. The old name is
  used for new, stronger lemmas that do not assume discreteness.
* Redefine the authoritative camera in terms of the view camera. As part of this
  change, we have removed lemmas that leaked implementation details. Hence, the
  only way to construct elements of `auth` is via the elements `●{q} a` and
  `◯ b`. The constructor `Auth`, and the projections `auth_auth_proj` and
  `auth_frag_proj` no longer exist. Lemmas that referred to these constructors
  have been removed, in particular: `auth_equivI`, `auth_validI`,
  `auth_included`, `auth_valid_discrete`, and `auth_both_op`.  For validity, use
  `auth_auth_valid*`, `auth_frag_valid*`, or `auth_both_valid*` instead.
* Rename `auth_update_core_id` into `auth_update_frac_alloc`.
* Rename `cmra_monotone_valid` into `cmra_morphism_valid` (this rename was
  forgotten in !56).
* Move the `*_validI` and `*_equivI` lemmas to a new module, `base_logic.algebra`.
  That module is exported by `base_logic.base_logic` so it should usually be
  available everywhere without further changes.
* The authoritative fragment `✓ (◯ b : auth A)` is no longer definitionally
  equal to `✓ b`.
* Change `*_valid` lemma statements involving fractions to use `Qp` addition and
  inequality instead of RA composition and validity (also in `base_logic` and
  the higher layers).
* Move `algebra.base` module to `prelude.prelude`.
* Strengthen `cmra_op_discrete` to assume only `✓{0} (x1 ⋅ x2)` instead of `✓
  (x1 ⋅ x2)`.
* Rename the types `ofeT`→`ofe`, `cmraT`→`cmra`, `ucmraT`→`ucmra`, and the
  constructors `OfeT`→`Ofe`, `CmraT`→`Cmra`, and `UcmraT`→`Ucmra` since the `T`
  suffix is not needed. This change makes these names consistent with `bi`,
  which also does not have a `T` suffix.
* Rename typeclass instances of CMRA operational typeclasses (`Op`, `Core`,
  `PCore`, `Valid`, `ValidN`, `Unit`) to have a `_instance` suffix, so that
  their original names are available to use as lemma names.
* Rename `frac_valid'`→`frac_valid`, `frac_op'`→`frac_op`,
  `ufrac_op'`→`ufrac_op`, `coPset_op_union` → `coPset_op`, `coPset_core_self` →
  `coPset_core`, `gset_op_union` → `gset_op`, `gset_core_self` → `gset_core`,
  `gmultiset_op_disj_union` → `gmultiset_op`, `gmultiset_core_empty` →
  `gmultiset_core`, `nat_op_plus` → `nat_op`, `max_nat_op_max` →
  `max_nat_op`. Those names were previously blocked by typeclass instances.

**Changes in `bi`:**

* Add big op lemmas `big_op{L,L2,M,M2,S}_intuitionistically_forall` and
  `big_sepL2_forall`, `big_sepMS_forall`, `big_sepMS_impl`, and `big_sepMS_dup`.
* Add lemmas to big-ops that provide ownership of a single element and permit
  changing the quantified-over predicate when re-assembling the big-op:
  `big_sepL_lookup_acc_impl`, `big_sepL2_lookup_acc_impl`,
  `big_sepM_lookup_acc_impl`, `big_sepM2_lookup_acc_impl`,
  `big_sepS_elem_of_acc_impl`, `big_sepMS_elem_of_acc_impl`.
* Add lemmas `big_sepM_filter'` and `big_sepM_filter` matching the corresponding
  `big_sepS` lemmas.
* Add lemmas for big-ops of magic wands: `big_sepL_wand`, `big_sepL2_wand`,
  `big_sepM_wand`, `big_sepM2_wand`, `big_sepS_wand`, `big_sepMS_wand`.
* Add notation `¬ P` for `P → False` to `bi_scope`.
* Add `fupd_mask_intro` which can be conveniently `iApply`ed to goals of the
  form `|={E1,E2}=>` to get rid of the `fupd` in the goal if `E2 ⊆ E1`. The
  lemma `fupd_mask_weaken Enew` can be `iApply`ed to shrink the first mask to
  `Enew` without getting rid of the modality; the same effect can also be
  obtained slightly more conveniently by using `iMod` with `fupd_mask_subseteq
  Enew`. To make the new names work, rename some existing lemmas:
  `fupd_intro_mask` → `fupd_mask_intro_subseteq`,
  `fupd_intro_mask'` → `fupd_mask_subseteq` (implicit arguments also changed
  here), `fupd_mask_weaken` → `fupd_mask_intro_discard`. Remove `fupd_mask_same`
  since it was unused and obscure.  In the `BiFUpd` axiomatization, rename
  `bi_fupd_mixin_fupd_intro_mask` to `bi_fupd_mixin_fupd_mask_subseteq` and
  weaken the lemma to be specifically about `emp` (the stronger version can be
  derived).
* Remove `bi.tactics` with tactics that predate the proofmode (and that have not
  been working properly for quite some time).
* Strengthen `persistent_sep_dup` to support propositions that are persistent
  and either affine or absorbing.
* Fix the statement of the lemma `fupd_plainly_laterN`; the old lemma was a
  duplicate of `fupd_plain_laterN`.
* Strengthen `big_sepL2_app_inv` by weakening a premise (it is sufficient for
  one of the two pairs of lists to have equal length).
* Rename `equiv_entails` → `equiv_entails_1_1`,
  `equiv_entails_sym` → `equiv_entails_1_2`, and `equiv_spec` → `equiv_entails`.
* Remove the laws `pure_forall_2 : (∀ a, ⌜ φ a ⌝) ⊢ ⌜ ∀ a, φ a ⌝` from the BI
  interface and factor it into a type class `BiPureForall`.

**Changes in `proofmode`:**

* The proofmode now preserves user-supplied names for existentials when using
  `iDestruct ... as (?) "..."`. This is backwards-incompatible if you were
  relying on the previous automatic names (which were always "H", possibly
  freshened). It also requires some changes if you were implementing `IntoExist`
  yourself, since the typeclass now forwards names. If your instance transforms
  one `IntoExist` into another, you can generally just forward the name from the
  premise.
* The proofmode also preserves user-supplied names in `iIntros`, for example
  with `iIntros (?)` and `iIntros "%"`, as described for destructing
  existentials above. As part of this change, it now uses a base name of `H` for
  pure facts rather than the previous default of `a`. This also requires some
  changes if you were implementing `FromForall`, in order to forward names.
* Make `iFrame` "less" smart w.r.t. clean up of modalities. It now consistently
  removes the modalities `<affine>`, `<absorbing>`, `<persistent>` and `□` only
  if the result after framing is `True` or `emp`. In particular, it no longer
  removes `<affine>` if the result after framing is affine, and it no longer
  removes `□` if the result after framing is intuitionistic.
* Allow framing below an `<affine>` modality if the hypothesis that is framed is
  affine. (Previously, framing below `<affine>` was only possible if the
  hypothesis that is framed resides in the intuitionistic context.)
* Add Coq side-condition `φ` to class `ElimAcc` (similar to what we already had
  for `ElimInv` and `ElimModal`).
* Add a tactic `iSelect pat tac` (similar to `select` in std++) which runs the
  tactic `tac H` with the name `H` of the last hypothesis of the intuitionistic
  or spatial context matching `pat`. The tactic `iSelect` is used to implement:
  + `iRename select (pat)%I into name` which renames the matching hypothesis,
  + `iDestruct select (pat)%I as ...` which destructs the matching hypothesis,
  + `iClear select (pat)%I` which clears the matching hypothesis,
  + `iRevert select (pat)%I` which reverts the matching hypothesis,
  + `iFrame select (pat)%I` which cancels the matching hypothesis.

**Changes in `base_logic`:**

* Add a `ghost_var` library that provides (fractional) ownership of a ghost
  variable of arbitrary `Type`.
* Define a ghost state library on top of the `mono_nat` resource algebra.
  See [base_logic.lib.mono_nat](iris/base_logic/lib/mono_nat.v) for further
  information.
* Define a ghost state library on top of the `gset_bij` resource algebra.
  See [base_logic.lib.gset_bij](iris/base_logic/lib/gset_bij.v) for further
  information.
* Extend the `gen_heap` library with read-only points-to assertions using
  [discardable fractions](iris/algebra/dfrac.v).
  + The `mapsto` connective now takes a `dfrac` rather than a `frac` (i.e.,
    positive rational number `Qp`).
  + The notation `l ↦{ dq } v` is generalized to discardable fractions
    `dq : dfrac`.
  + The new notation `l ↦{# q} v` is used for a concrete fraction `q : frac`
    (e.g., to enable writing `l ↦{# 1/2} v`).
  + The new notation `l ↦□ v` is used for the discarded fraction. This
    persistent proposition provides read-only access to `l`.
  + The lemma `mapsto_persist : l ↦{dq} v ==∗ l ↦□ v` is used for making the
    location `l` read-only.
  + See the [changes to HeapLang](https://gitlab.mpi-sws.org/iris/iris/-/merge_requests/554)
    for an indication on how to adapt your language.
  + See the [changes to iris-examples](https://gitlab.mpi-sws.org/iris/examples/-/commit/a8425b708ec51d918d5cf6eb3ab6fde88f4e2c2a)
    for an indication on how to adapt your development. In particular, instead
    of `∃ q, l ↦{q} v` you likely want to use `l ↦□ v`, which has the advantage
    of being persistent (rather than just duplicable).
* Change type of some ghost state lemmas (mostly about allocation) to use `∗`
  instead of `∧` (consistent with our usual style).  This affects the following
  lemmas: `own_alloc_strong_dep`, `own_alloc_cofinite_dep`, `own_alloc_strong`,
  `own_alloc_cofinite`, `own_updateP`, `saved_anything_alloc_strong`,
  `saved_anything_alloc_cofinite`, `saved_prop_alloc_strong`,
  `saved_prop_alloc_cofinite`, `saved_pred_alloc_strong`,
  `saved_pred_alloc_cofinite`, `auth_alloc_strong`, `auth_alloc_cofinite`,
  `auth_alloc`.
* Change `uPred_mono` to only require inclusion at the smaller step-index.
* Put `iProp`/`iPreProp`-isomorphism into the `own` construction. This affects
  clients that define higher-order ghost state constructions. Concretely, when
  defining an `inG`, the functor no longer needs to be applied to `iPreProp`,
  but should be applied to `iProp`. This avoids clients from having to push
  through the `iProp`/`iPreProp`-isomorphism themselves, which is now handled
  once and for all by the `own` construction.
* Rename `gen_heap_ctx` to `gen_heap_interp`, since it is meant to be used in
  the state interpretation of WP and since `_ctx` is elsewhere used as a suffix
  indicating "this is a persistent assumption that clients should always have in
  their context". Likewise, rename `proph_map_ctx` to `proph_map_interp`.
* Move `uPred.prod_validI`, `uPred.option_validI`, and
  `uPred.discrete_fun_validI` to the new `base_logic.algebra` module. That
  module is exported by `base_logic.base_logic` so these names are now usually
  available everywhere, and no longer inside the `uPred` module.
* Remove the `gen_heap` notations `l ↦ -` and `l ↦{q} -`. They were barely used
  and looked very confusing in context: `l ↦ - ∗ P` looks like a magic wand.
* Change `gen_inv_heap` notation `l ↦□ I` to `l ↦_I □`, so that `↦□` can be used
  by `gen_heap`.
* Strengthen `mapsto_valid_2` conclusion from `✓ (q1 + q2)%Qp` to
  `⌜✓ (q1 + q2)%Qp ∧ v1 = v2⌝`.
* Change `gen_heap_init` to also return ownership of the points-to facts for the
  initial heap.
* Rename `mapsto_mapsto_ne` to `mapsto_frac_ne`, and add a simpler
  `mapsto_ne` that does not require reasoning about fractions.
* Deprecate the `auth` and `sts` modules. These were logic-level wrappers around
  the underlying RAs; as far as we know, they are unused since they were not
  flexible enough for practical use.
* Deprecate the `viewshift` module, which defined a binary view-shift connective
  with an implicit persistence modality. It was unused and too easily confused
  with `={_}=∗`, the binary view-shift (fancy update) *without* a persistence
  modality.

**Changes in `program_logic`:**

* `wp_strong_adequacy` now applies to an initial state with multiple
  threads instead of only a single thread. The derived adequacy lemmas
  are unchanged.
* `pure_exec_fill` is no longer registered as an instance for `PureExec`, to
  avoid TC search attempting to apply this instance all the time.
* Merge `wp_value_inv`/`wp_value_inv'` into `wp_value_fupd`/`wp_value_fupd'` by
  making the lemmas bidirectional.
* Generalize HeapLang's `mapsto` (`↦`), `array` (`↦∗`), and atomic heap
  connectives to discardable fractions. See the CHANGELOG entry in the category
  `base_logic` for more information.
* Opening an invariant or eliminating a mask-changing update modality around a
  non-atomic weakest precondition creates a side-condition `Atomic ...`.
  Before, this would fail with the unspecific error "iMod: cannot eliminate
  modality (|={E1,E2}=> ...) in (WP ...)".
* In `Ectx_step` and `step_atomic`, mark the parameters that are determined by
  the goal as implicit.
* Deprecate the `hoare` module to prevent accidental usage; the recommended way
  to write Hoare-style specifications is to use Texan triples.

**Changes in `heap_lang`:**

* `wp_pures` now turns goals of the form `WP v {{ Φ }}` into `Φ v`.
* Fix `wp_bind` in case of a NOP (i.e., when the given expression pattern is
  already at the top level).
* The `wp_` tactics now preserve the possibility of doing a fancy update when
  the expression reduces to a value.
* Move `IntoVal`, `AsVal`, `Atomic`, `AsRecV`, and `PureExec` instances to their
  own file [heap_lang.class_instances](iris_heap_lang/class_instances.v).
* Move `inv_head_step` tactic and `head_step` auto hints (now part of new hint
  database `head_step`) to [heap_lang.tactics](iris_heap_lang/tactics.v).
* The tactic `wp_apply` no longer performs `wp_pures` before applying the given
  lemma. The new tactic `wp_smart_apply` repeatedly performs single `wp_pure`
  steps until the lemma matches the goal.

The following `sed` script helps adjust your code to the renaming (on macOS,
replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`).
Note that the script is not idempotent, do not run it twice.
```
sed -i -E -f- $(find theories -name "*.v") <<EOF
# agree and L suffix renames
s/\bagree_op_inv'/to_agree_op_inv/g
s/\bagree_op_invL'/to_agree_op_inv_L/g
s/\bauth_auth_frac_op_invL\b/auth_auth_frac_op_inv_L/g
s/\b(excl|frac|ufrac)_auth_agreeL/\1_auth_agree_L/g
# auth_both_valid
s/\bauth_both_valid\b/auth_both_valid_discrete/g
s/\bauth_both_frac_valid\b/auth_both_frac_valid_discrete/g
# gen_heap_ctx and proph_map_ctx
s/\bgen_heap_ctx\b/gen_heap_interp/g
s/\bproph_map_ctx\b/proph_map_interp/g
# other gen_heap changes
s/\bmapsto_mapsto_ne\b/mapsto_frac_ne/g
# remove Ts in algebra
s/\bofeT\b/ofe/g
s/\bOfeT\b/Ofe/g
s/\bcmraT\b/cmra/g
s/\bCmraT\b/Cmra/g
s/\bucmraT\b/ucmra/g
s/\bUcmraT\b/Ucmra/g
# _op/valid/core lemmas
s/\b(u?frac_(op|valid))'/\1/g
s/\b((coPset|gset)_op)_union\b/\1/g
s/\b((coPset|gset)_core)_self\b/\1/g
s/\b(gmultiset_op)_disj_union\b/\1/g
s/\b(gmultiset_core)_empty\b/\1/g
s/\b(nat_op)_plus\b/\1/g
s/\b(max_nat_op)_max\b/\1/g
# equiv_spec
s/\bequiv_entails\b/equiv_entails_1_1/g
s/\bequiv_entails_sym\b/equiv_entails_1_2/g
s/\bequiv_spec\b/equiv_entails/g
EOF
```

## Iris 3.3.0 (released 2020-07-15)

This release does not have any outstanding highlights, but contains a large
number of improvements all over the board.  For instance:

* `heap_lang` now supports deallocation as well as better reasoning about
  "invariant locations" (locations that perpetually satisfy some Coq-level
  invariant).
* Invariants (`inv N P`) are more flexible, now also supporting splitting
  and merging of invariants with respect to separating conjunction.
* Performance of the proofmode for BIs constructed on top of other BIs (e.g.,
  `monPred`) was greatly improved, leading to up to 70% speedup in individual
  files. As part of this refactoring, the proofmode can now also be instantiated
  with entirely "logical" notion of BIs that do not have a (non-trivial) metric
  structure, and still support reasoning about ▷.
* The proof mode now provides experimental support for naming pure facts in
  intro patterns.  See
  [iris/string-ident](https://gitlab.mpi-sws.org/iris/string-ident) for details.
* Iris now provides official ASCII notation. We still recommend using the
  Unicode notation for better consistency and interoperability with other Iris
  libraries, but provide ASCII notation for when Unicode is not an option.
* We removed several coercions, fixing "ambiguous coercion path" warnings and
  solving some readability issues.
* Coq 8.10, 8.11, and 8.12 are newly supported by this release, and Coq 8.7 and
  8.8 are no longer supported.

Further details are given in the changelog below. We always first list the
potentially breaking changes, then (some of) the additions.

This release of Iris received contributions by Abel Nieto, Amin Timany, Dan
Frumin, Derek Dreyer, Dmitry Khalanskiy, Gregory Malecha, Jacques-Henri Jourdan,
Jonas Kastberg, Jules Jacobs, Matthieu Sozeau, Maxime Dénès, Michael Sammler,
Paolo G. Giarrusso, Ralf Jung, Robbert Krebbers, Simon Friis Vindum, Simon
Spies, and Tej Chajed.  Thanks a lot to everyone involved!

**Changes in `heap_lang`:**

* Remove global `Open Scope Z_scope` from `heap_lang.lang`, and leave it up to
  reverse dependencies if they want to `Open Scope Z_scope` or not.
* Fix all binary operators performing pointer arithmetic (instead of just the
  dedicated `OffsetOp` operator doing that).
* Rename `heap_lang.lifting` to `heap_lang.primitive_laws`. There now also
  exists `heap_lang.derived_laws`.
* Make lemma names for `fill` more consistent
  - Use the `_inv` suffix for the the backwards directions:
   `reducible_fill` → `reducible_fill_inv`,
   `reducible_no_obs_fill` → `reducible_no_obs_fill_inv`,
   `not_stuck_fill` → `not_stuck_fill_inv`.
  - Use the non-`_inv` names (that freed up) for the forwards directions:
   `reducible_fill`, `reducible_no_obs_fill`, `irreducible_fill_inv`.
* Remove namespace `N` from `is_lock`.

* Add support for deallocation of locations via the `Free` operation.
* Add a fraction to the heap_lang `array` assertion.
* Add `lib.array` module for deallocating, copying and cloning arrays.
* Add TWP (total weakest-pre) lemmas for arrays.
* Add a library for "invariant locations": heap locations that will not be
  deallocated (i.e., they are GC-managed) and satisfy some pure, Coq-level
  invariant.  See `iris.base_logic.lib.gen_inv_heap` for details.
* Add the ghost state for "invariant locations" to `heapG`.  This affects the
  statement of `heap_adequacy`, which is now responsible for initializing the
  "invariant locations" invariant.
* Add lemma `mapsto_mapsto_ne : ¬ ✓(q1 + q2)%Qp → l1 ↦{q1} v1 -∗ l2 ↦{q2} v2 -∗ ⌜l1 ≠ l2⌝`.
* Add lemma `is_lock_iff` and show that `is_lock` is contractive.

**Changes in `program_logic`:**

* In the axiomatization of ectx languages, replace the axiom of positivity of
  context composition with an axiom that says if `fill K e` takes a head step,
  then either `K` is the empty evaluation context or `e` is a value.

**Changes in the logic (`base_logic`, `bi`):**

* Rename some accessor-style lemmas to consistently use the suffix `_acc`
  instead of `_open`:
  `inv_open` → `inv_acc`, `inv_open_strong` → `inv_acc_strong`,
  `inv_open_timeless` → `inv_acc_timeless`, `na_inv_open` → `na_inv_acc`,
  `cinv_open` → `cinv_acc`, `cinv_open_strong` → `cinv_acc_strong`,
  `auth_open` → `auth_acc`, `sts_open` → `sts_acc`.
  To make this work, also rename `inv_acc` → `inv_alter`.
  (Most developments should be unaffected as the typical way to invoke these
  lemmas is through `iInv`, and that does not change.)
* Change `inv_iff`, `cinv_iff` and `na_inv_iff` to make order of arguments
  consistent and more convenient for `iApply`. They are now of the form
  `inv N P -∗ ▷ □ (P ↔ Q) -∗ inv N Q` and (similar for `na_inv_iff` and
  `cinv_iff`), following e.g., `inv_alter` and `wp_wand`.
* Rename `inv_sep_1` → `inv_split_1`, `inv_sep_2` → `inv_split_2`, and
  `inv_sep` → `inv_split` to be consistent with the naming convention in boxes.
* Update the strong variant of the accessor lemma for cancellable invariants to
  match that of regular invariants, where you can pick the mask at a later time.
  (The other part that makes it strong is that you get back the token for the
  invariant immediately, not just when the invariant is closed again.)
* Rename `iProp`/`iPreProp` to `iPropO`/`iPrePropO` since they are `ofeT`s.
  Introduce `iProp` for the `Type` carrier of `iPropO`.
* Flatten the BI hierarchy by merging the `bi` and `sbi` canonical structures.
  This gives significant performance benefits on developments that construct BIs
  from BIs (e.g., use `monPred`). For, example it gives a performance gain of 37%
  overall on lambdarust-weak, with improvements for individual files up to 72%,
  see Iris issue #303. The concrete changes are as follows:
  + The `sbi` canonical structure has been removed.
  + The `bi` canonical structure contains the later modality. It does not
    require the later modality to be contractive or to satisfy the Löb rule, so
    we provide a smart constructor `bi_later_mixin_id` to get the later axioms
    "for free" if later is defined to be the identity function.
  + There is a separate class `BiLöb`, and a "free" instance of that class if
    the later modality is contractive. A `BiLöb` instance is required for the
    `iLöb` tactic, and for timeless instances of implication and wand.
  + There is a separate type class `BiInternalEq` for BIs with a notion of
    internal equality (internal equality was part of `sbi`). An instance of this
    class is needed for the `iRewrite` tactic, and the various lemmas about
    internal equality.
  + The class `SbiEmbed` has been removed and been replaced by classes
    `BiEmbedLater` and `BiEmbedInternalEq`.
  + The class `BiPlainly` has been generalized to BIs without internal equality.
    As a consequence, there is a separate class `BiPropExt` for BIs with
    propositional extensionality (i.e., `■ (P ∗-∗ Q) ⊢ P ≡ Q`).
  + The class `BiEmbedPlainly` is a bi-entailment (i.e., `⎡■ P⎤ ⊣⊢ ■ ⎡P⎤`
    instead of `■ ⎡P⎤ ⊢ ⎡■ P⎤`) as it has been generalized to BIs without a
    internal equality. In the past, the left-to-right direction was obtained for
    "free" using the rules of internal equality.
* Remove coercion from `iProp` (and other MoSeL propositions) to `Prop`.
  Instead, use the new unary notation `⊢ P`, or `⊢@{PROP} P` if the proposition
  type cannot be inferred. This also means that `%I` should not be necessary any
  more when stating lemmas, as `P` above is automatically parsed in scope `%I`.
* Some improvements to the `bi/lib/core` construction:
  + Rename `coreP_wand` into `coreP_entails` since it does not involve wands.
  + Generalize `coreP_entails` to non-affine BIs, and prove more convenient
    version `coreP_entails'` for `coreP P` with `P` affine.
  + Add instance `coreP_affine P : Affine P → Affine (coreP P)` and
    lemma `coreP_wand P Q : <affine> ■ (P -∗ Q) -∗ coreP P -∗ coreP Q`.
* Remove notation for 3-mask step-taking updates, and made 2-mask notation less
  confusing by distinguishing it better from mask-changing updates.
  Old: `|={Eo,Ei}▷=> P`. New: `|={Eo}[Ei]▷=> P`.
  Here, `Eo` is the "outer mask" (used at the beginning and end) and `Ei` the
  "inner mask" (used around the ▷ in the middle).
  As part of this, the lemmas about the 3-mask variant were changed to be about
  the 2-mask variant instead, and `step_fupd_mask_mono` now also has a more
  consistent argument order for its masks.

* Add a counterexample showing that sufficiently powerful cancellable invariants
  with a linear token subvert the linearity guarantee (see
  `bi.lib.counterexmples` for details).
* Redefine invariants as "semantic invariants" so that they support
  splitting and other forms of weakening.
* Add lemmas `inv_combine` and `inv_combine_dup_l` for combining invariants.
* Add the type `siProp` of "plain" step-indexed propositions, together with
  basic proofmode support.
* New ASCII versions of Iris notations. These are marked parsing only and
  can be made available using `Require Import iris.bi.ascii`. The new
  notations are (notations marked [†] are disambiguated using notation scopes):
  - entailment: `|-` for `⊢` and `-|-` for `⊣⊢`
  - logic[†]: `->` for `→`, `/\\` for `∧`, `\\/` for `∨`, and `<->` for `↔`
  - quantifiers[†]: `forall` for `∀` and `exists` for `∃`
  - separation logic: `**` for `∗`, `-*` for `-∗`, and `*-*` for `∗-∗`
  - step indexing: `|>` for `▷`
  - modalities: `<#>` for `□` and `<except_0>` for `◇`
  - most derived notations can be computed from previous notations using the
    substitutions above, e.g. replace `∗` with `*` and `▷` with `|>`. Examples
    include the following:
    - `|={E1,E2}=* P` for `|={E1,E2}=∗`
    - `P ={E}=* Q` for `P ={E}=∗ Q`
    - `P ={E1,E2}=* Q` for `P ={E1,E2}=∗ Q`
    - `|={E1}[E2]|>=> Q` for `|={E1}[E2]▷=> Q`
    The full list can be found in [theories/bi/ascii.v](theories/bi/ascii.v),
    where the ASCII notations are defined in terms of the unicode notations.
* Add affine, absorbing, persistent and timeless instances for telescopes.
* Add a construction `bi_rtc` to create reflexive transitive closures of
  PROP-level binary relations.
* Slightly strengthen the lemmas `big_sepL_nil'`, `big_sepL2_nil'`,
  `big_sepM_nil'` `big_sepM2_empty'`, `big_sepS_empty'`, and `big_sepMS_empty'`.
  They now only require that the argument `P` is affine instead of the whole BI
  being affine.
* Add `big_sepL_insert_acc`, a variant of `big_sepL_lookup_acc` which allows
  updating the value.
* Add many missing `Proper`/non-expansiveness lemmas for big-ops.
* Add `big_*_insert_delete` lemmas to split a `<[i:=x]> m` map into `i` and the rest.
* Seal the definitions of `big_opS`, `big_opMS`, `big_opM` and `big_sepM2`
  to prevent undesired simplification.
* Fix `big_sepM2_fmap*` only working for `nat` keys.

**Changes in `proofmode`:**

* Make use of `notypeclasses refine` in the implementation of `iPoseProof` and
  `iAssumption`, see <https://gitlab.mpi-sws.org/iris/iris/merge_requests/329>.
  This has two consequences:
  1. Coq's "new" unification algorithm (the one in `refine`, not the "old" one
     in `apply`) is used more often by the proof mode tactics.
  2. Due to the use of `notypeclasses refine`, TC constraints are solved less
     eagerly, see <https://github.com/coq/coq/issues/6583>.
  In order to port your development, it is often needed to instantiate evars
  explicitly (since TC search is performed less eagerly), and in few cases it is
  needed to unfold definitions explicitly (due to new unification algorithm
  behaving differently).
* Strengthen the tactics `iDestruct`, `iPoseProof`, and `iAssert`:
  - They succeed in certain cases where they used to fail.
  - They keep certain hypotheses in the intuitionistic context, where they were
    moved to the spatial context before.
  The latter can lead to stronger proof mode contexts, and therefore to
  backwards incompatibility. This can usually be fixed by manually clearing some
  hypotheses. A more detailed description of the changes can be found in
  <https://gitlab.mpi-sws.org/iris/iris/merge_requests/341>.
* Remove the long-deprecated `cofeT` alias (for `ofeT`) and `dec_agree` RA (use
  `agree` instead).

* Add `auto` hint for `∗-∗`.
* Add new tactic `iStopProof` to turn the proof mode entailment into an ordinary
  Coq goal `big star of context ⊢ proof mode goal`.
* Add new introduction pattern `-# pat` that moves a hypothesis from the
  intuitionistic context to the spatial context.
* The tactic `iAssumption` also recognizes assumptions `⊢ P` in the Coq context.
* Better support for telescopes in the proof mode, i.e., all tactics should
  recognize and distribute telescopes now.
* The proof mode now supports names for pure facts in intro patterns. Support
  requires implementing `string_to_ident`. Without this tactic such patterns
  will fail. We provide one implementation using Ltac2 which works with Coq 8.11
  and can be installed with opam; see
  [iris/string-ident](https://gitlab.mpi-sws.org/iris/string-ident) for details.

**Changes in `algebra`:**

* Remove `Core` type class for defining the total core; it is now always
  defined in terms of the partial core. The only user of this type class was the
  STS RA.
* The functions `{o,r,ur}Functor_diag` are no longer coercions, and renamed into
  `{o,r,ur}Functor_apply` to better match their intent. This fixes "ambiguous
  coercion path" warnings.
* Rename `{o,r,ur}Functor_{ne,id,compose,contractive}` into
  `{o,r,ur}Functor_map_{ne,id,compose,contractive}`.
* Move derived camera constructions (`frac_auth` and `ufrac_auth`) to the folder
  `algebra/lib`.
* Rename `mnat` to `max_nat` and "box" it by creating a separate type for it.
* Move the RAs for `nat` and `positive` and the `mnat` RA into a separate
  module. They must now be imported from `From iris.algebra Require Import
  numbers`.
* Make names of `f_op`/`f_core` rewrite lemmas more consistent by always making
  `_core`/`_op` the suffix:
  `op_singleton` → `singleton_op`, `core_singleton` → `singleton_core`,
  `discrete_fun_op_singleton` → `discrete_fun_singleton_op`,
  `discrete_fun_core_singleton` → `discrete_fun_singleton_core`,
  `list_core_singletonM` → `list_singleton_core`,
  `list_op_singletonM` → `list_singleton_op`,
  `sts_op_auth_frag` → `sts_auth_frag_op`,
  `sts_op_auth_frag_up` → `sts_auth_frag_up_op`,
  `sts_op_frag` → `sts_frag_op`,
  `list_op_length` → `list_length_op`,
  `list_core_singletonM` → `list_singletonM_core`,
  `list_op_singletonM` → `list_singletonM_op`.
* All list "map singleton" lemmas consistently use `singletonM` in their name:
  `list_singleton_valid` → `list_singletonM_valid`,
  `list_singleton_core_id` → `list_singletonM_core_id`,
  `list_singleton_snoc` → `list_singletonM_snoc`,
  `list_singleton_updateP` → `list_singletonM_updateP`,
  `list_singleton_updateP'` → `list_singletonM_updateP'`,
  `list_singleton_update` → `list_singletonM_update`,
  `list_alloc_singleton_local_update` → `list_alloc_singletonM_local_update`.
* Remove `auth_both_op` and rename `auth_both_frac_op` into `auth_both_op`.
* Add lemma `singleton_included : {[ i := x ]} ≼ ({[ i := y ]} ↔ x ≡ y ∨ x ≼ y`,
  and rename existing asymmetric lemmas (with a singleton on just the LHS):
  `singleton_includedN` → `singleton_includedN_l`,
  `singleton_included` → `singleton_included_l`,
  `singleton_included_exclusive` → `singleton_included_exclusive_l`.

* Add notion `ofe_iso A B` that states that OFEs `A` and `B` are
  isomorphic. This is used in the COFE solver.
* Add `{o,r,ur}Functor_oFunctor_compose` for composition of functors.
* Add `pair_op_1` and `pair_op_2` to split a pair where one component is the unit.
* Add derived camera construction `excl_auth A` for `auth (option (excl A))`.
* Make lemma `Excl_included` a bi-implication.
* Make `auth_update_core_id` work with any fraction of the authoritative
  element.
* Add `min_nat`, an RA for natural numbers with `min` as the operation.
* Add many missing `Proper`/non-expansiveness lemmas for maps and lists.
* Add `list_singletonM_included` and `list_lookup_singletonM_{lt,gt}` lemmas
  about singletons in the list RA.
* Add `list_core_id'`, a stronger version of `list_core_id` which only talks
  about elements that are actually in the list.

The following `sed` script helps adjust your code to the renaming (on macOS,
replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`).
Note that the script is not idempotent, do not run it twice.
```
sed -i -E '
# functor renames
s/\b(o|r|ur)Functor_(ne|id|compose|contractive)\b/\1Functor_map_\2/g
# singleton_included renames
s/\bsingleton_includedN\b/singleton_includedN_l/g
s/\bsingleton_included\b/singleton_included_l/g
s/\bsingleton_included_exclusive\b/singleton_included_exclusive_l/g
# f_op/f_core renames
s/\b(op|core)_singleton\b/singleton_\1/g
s/\bdiscrete_fun_(op|core)_singleton\b/discrete_fun_singleton_\1/g
s/\bsts_op_(auth_frag|auth_frag_up|frag)\b/sts_\1_op/g
s/\blist_(op|core)_singletonM\b/list_singletonM_\1/g
s/\blist_op_length\b/list_length_op/g
# list "singleton map" renames
s/\blist_singleton_valid\b/list_singletonM_valid/g
s/\blist_singleton_core_id\b/list_singletonM_core_id/g
s/\blist_singleton_snoc\b/list_singletonM_snoc/g
s/\blist_singleton_updateP\b/list_singletonM_updateP/g
s/\blist_singleton_update\b/list_singletonM_update/g
s/\blist_alloc_singleton_local_update\b/list_alloc_singletonM_local_update/g
# inv renames
s/\binv_sep(|_1|_2)\b/inv_split\1/g
s/\binv_acc\b/inv_alter/g
s/\binv_open(|_strong|_timeless)\b/inv_acc\1/g
s/\bcinv_open(|_strong)\b/cinv_acc\1/g
s/\b(na_inv|auth|sts)_open\b/\1_acc/g
# miscellaneous
s/\bauth_both_frac_op\b/auth_both_op/g
s/\bmnat\b/max_nat/g
s/\bcoreP_wand\b/coreP_entails/g
' $(find theories -name "*.v")
```

## Iris 3.2.0 (released 2019-08-29)

The highlight of this release is the completely re-engineered interactive proof
mode.  Not only did many tactics become more powerful; the entire proof mode can
now be used not just for Iris but also for other separation logics satisfying
the proof mode interface (e.g., [Iron] and [GPFSL]). Also see the
[accompanying paper][MoSeL].

[Iron]: https://iris-project.org/iron/
[GPFSL]: https://gitlab.mpi-sws.org/iris/gpfsl/
[MoSeL]: https://iris-project.org/mosel/

Beyond that, the Iris program logic gained the ability to reason about
potentially stuck programs, and a significantly strengthened adequacy theorem
that unifies the three previously separately presented theorems.  There are now
also Hoare triples for total program correctness (but with very limited support
for invariants) and logical atomicity.

And finally, our example language HeapLang was made more realistic