CHANGELOG.md 59.1 KB
 Ralf Jung committed Jul 25, 2016 1 ``````In this changelog, we document "large-ish" changes to Iris that affect even the `````` Ralf Jung committed Jul 14, 2020 2 3 4 ``````way the logic is used on paper. We also document changes in the Coq development; every API-breaking change should be listed, but not every new lemma. `````` Ralf Jung committed Aug 08, 2016 5 `````` `````` Ralf Jung committed Feb 16, 2021 6 ``````## Iris 3.4.0 `````` Tej Chajed committed Jul 21, 2020 7 `````` `````` Ralf Jung committed Feb 16, 2021 8 9 10 11 12 13 14 15 16 ``````The highlights and most notable changes of this release are as follows: * Coq 8.13 is now supported; the old Coq 8.9 and Coq 8.10 are not supported any more. * The new `view` RA construction generalizes `auth` to user-defined abstraction relations. * The new `dfrac` RA extends `frac` (fractions `0 < q ≤ 1`) with support for "discarding" some part of the fraction in exchange for a persistent witness that discarding has happened. This can be used to easily generalize fractional permissions with support for persistently owning "any part" of the resource. `````` Ralf Jung committed Feb 16, 2021 17 `````` (by Simon Friis Vindum) `````` Ralf Jung committed Feb 16, 2021 18 19 20 21 22 23 24 25 26 27 ``````* The new `gmap_view` RA provides convenient lemma for ghost ownership of heap-like structures with an "authoritative" view. Thanks to `dfrac`, it supports both exclusive (mutable) and persistent (immutable) ownership of individual map elements. * With this release we are beginning to provide logic-level abstractions for ghost state, which have the advantage that the user does not have to directly interact with RAs to use them. - `ghost_var` provides a logic-level abstraction of ghost variables: a mutable "variable" with fractional ownership. - `mono_nat` provides a "monotone counter" with persistent witnesses `````` Ralf Jung committed Feb 16, 2021 28 `````` representing a lower bound of the current counter value. (by Tej Chajed) `````` Ralf Jung committed Feb 16, 2021 29 30 31 32 `````` - `gset_bij` provides a monotonically growing partial bijection; this is useful in particular when building binary logical relations for languages with a heap. * HeapLang provides a persistent read-only points-to assertion `l ↦□ v`. `````` Ralf Jung committed Feb 16, 2021 33 `````` (by Simon Friis Vindum) `````` Ralf Jung committed Feb 16, 2021 34 35 36 37 38 39 40 41 ``````* We split Iris into multiple opam packages: `coq-iris` no longer contains HeapLang, which is now in a separate package `coq-iris-heap-lang`. The two packages `coq-iris-deprecated` (for old modules that we eventually plan to remove entirely) and `coq-iris-staging` (for new modules that are not yet ready for prime time) exist only as development version, so they are not part of this release. * The proofmode now does a better job at picking reasonable names when moving variables into the Coq context without a name being explicitly given by the `````` Ralf Jung committed Feb 16, 2021 42 `````` user. However, the exact variable names remain unspecified. (by Tej Chajed) `````` Ralf Jung committed Sep 14, 2020 43 `````` `````` Ralf Jung committed Feb 16, 2021 44 45 ``````Further details are given in the changelog below. `````` Ralf Jung committed Feb 16, 2021 46 47 48 49 ``````This release of Iris was managed by Ralf Jung and Robbert Krebbers, with contributions by Arthur Azevedo de Amorim, Dan Frumin, Enrico Tassi, Hai Dang, Michael Sammler, Paolo G. Giarrusso, Rodolphe Lepigre, Simon Friis Vindum, Tej Chajed, and Yusuke Matsushita. Thanks a lot to everyone involved! `````` Ralf Jung committed Nov 11, 2020 50 `````` `````` Ralf Jung committed Sep 14, 2020 51 52 ``````**Changes in `algebra`:** `````` Ralf Jung committed Sep 15, 2020 53 ``````* Add constructions to define a camera through restriction of the validity predicate `````` Robbert Krebbers committed Sep 27, 2020 54 `````` (`iso_cmra_mixin_restrict`) and through an isomorphism (`iso_cmra_mixin`). `````` Ralf Jung committed Sep 15, 2020 55 56 ``````* Add a `frac_agree` library which encapsulates `frac * agree A` for some OFE `A`, and provides some useful lemmas. `````` Ralf Jung committed Feb 16, 2021 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 ``````* Add the view camera `view`, which generalizes the authoritative camera `auth` by being parameterized by a relation that relates the authoritative element with the fragments. * Add the camera of discardable fractions `dfrac`. This is a generalization of the normal fractional camera. See [algebra.dfrac](iris/algebra/dfrac.v) for further information. * Add `gmap_view`, a camera providing a "view of a `gmap`". The authoritative element is any `gmap`; the fragment provides fractional ownership of a single key, including support for persistent read-only ownership through `dfrac`. See [algebra.lib.gmap_view](iris/algebra/lib/gmap_view.v) for further information. * Add `mono_nat`, a wrapper for `auth max_nat`. The result is an authoritative `nat` where a fragment is a lower bound whose ownership is persistent. See [algebra.lib.mono_nat](iris/algebra/lib/mono_nat.v) for further information. * Add the `gset_bij` resource algebra for monotone partial bijections. See [algebra.lib.gset_bij](iris/algebra/lib/gset_bij.v) for further information. * Rename `agree_op_inv'` → `to_agree_op_inv`, `agree_op_invL'` → `to_agree_op_inv_L`, and add `to_agree_op_invN`. * Rename `auth_auth_frac_op_invL` → `auth_auth_frac_op_inv_L`, `excl_auth_agreeL` → `excl_auth_agree_L`, `frac_auth_agreeL` → `frac_auth_agree_L`, and `ufrac_auth_agreeL` → `ufrac_auth_agree_L`. `````` Robbert Krebbers committed Sep 27, 2020 78 79 ``````* Fix direction of `auth_auth_validN` to make it consistent with similar lemmas, e.g., `auth_auth_valid`. The direction is now `✓{n} (● a) ↔ ✓{n} a`. `````` Ralf Jung committed Sep 29, 2020 80 81 82 ``````* Rename `auth_both_valid` to `auth_both_valid_discrete` and `auth_both_frac_valid` to `auth_both_frac_valid_discrete`. The old name is used for new, stronger lemmas that do not assume discreteness. `````` Robbert Krebbers committed Oct 01, 2020 83 84 85 86 87 ``````* Redefine the authoritative camera in terms of the view camera. As part of this change, we have removed lemmas that leaked implementation details. Hence, the only way to construct elements of `auth` is via the elements `●{q} a` and `◯ b`. The constructor `Auth`, and the projections `auth_auth_proj` and `auth_frag_proj` no longer exist. Lemmas that referred to these constructors `````` Ralf Jung committed Oct 03, 2020 88 89 90 `````` have been removed, in particular: `auth_equivI`, `auth_validI`, `auth_included`, `auth_valid_discrete`, and `auth_both_op`. For validity, use `auth_auth_valid*`, `auth_frag_valid*`, or `auth_both_valid*` instead. `````` Robbert Krebbers committed Oct 06, 2020 91 ``````* Rename `auth_update_core_id` into `auth_update_frac_alloc`. `````` Robbert Krebbers committed Oct 04, 2020 92 93 ``````* Rename `cmra_monotone_valid` into `cmra_morphism_valid` (this rename was forgotten in !56). `````` Ralf Jung committed Oct 20, 2020 94 95 96 ``````* Move the `*_validI` and `*_equivI` lemmas to a new module, `base_logic.algebra`. That module is exported by `base_logic.base_logic` so it should usually be available everywhere without further changes. `````` Robbert Krebbers committed Oct 20, 2020 97 98 ``````* The authoritative fragment `✓ (◯ b : auth A)` is no longer definitionally equal to `✓ b`. `````` Ralf Jung committed Nov 05, 2020 99 ``````* Change `*_valid` lemma statements involving fractions to use `Qp` addition and `````` 100 101 `````` inequality instead of RA composition and validity (also in `base_logic` and the higher layers). `````` Ralf Jung committed Nov 12, 2020 102 ``````* Move `algebra.base` module to `prelude.prelude`. `````` Ralf Jung committed Jan 15, 2021 103 104 ``````* Strengthen `cmra_op_discrete` to assume only `✓{0} (x1 ⋅ x2)` instead of `✓ (x1 ⋅ x2)`. `````` Robbert Krebbers committed Jan 19, 2021 105 ``````* Rename the types `ofeT`→`ofe`, `cmraT`→`cmra`, `ucmraT`→`ucmra`, and the `````` Robbert Krebbers committed Jan 25, 2021 106 107 108 `````` constructors `OfeT`→`Ofe`, `CmraT`→`Cmra`, and `UcmraT`→`Ucmra` since the `T` suffix is not needed. This change makes these names consistent with `bi`, which also does not have a `T` suffix. `````` Ralf Jung committed Feb 01, 2021 109 110 111 ``````* Rename typeclass instances of CMRA operational typeclasses (`Op`, `Core`, `PCore`, `Valid`, `ValidN`, `Unit`) to have a `_instance` suffix, so that their original names are available to use as lemma names. `````` Ralf Jung committed Feb 10, 2021 112 ``````* Rename `frac_valid'`→`frac_valid`, `frac_op'`→`frac_op`, `````` Ralf Jung committed Feb 10, 2021 113 114 115 116 117 `````` `ufrac_op'`→`ufrac_op`, `coPset_op_union` → `coPset_op`, `coPset_core_self` → `coPset_core`, `gset_op_union` → `gset_op`, `gset_core_self` → `gset_core`, `gmultiset_op_disj_union` → `gmultiset_op`, `gmultiset_core_empty` → `gmultiset_core`, `nat_op_plus` → `nat_op`, `max_nat_op_max` → `max_nat_op`. Those names were previously blocked by typeclass instances. `````` Ralf Jung committed Sep 14, 2020 118 `````` `````` Ralf Jung committed Nov 04, 2020 119 120 121 122 ``````**Changes in `bi`:** * Add big op lemmas `big_op{L,L2,M,M2,S}_intuitionistically_forall` and `big_sepL2_forall`, `big_sepMS_forall`, `big_sepMS_impl`, and `big_sepMS_dup`. `````` Ralf Jung committed Jan 26, 2021 123 124 125 126 127 ``````* Add lemmas to big-ops that provide ownership of a single element and permit changing the quantified-over predicate when re-assembling the big-op: `big_sepL_lookup_acc_impl`, `big_sepL2_lookup_acc_impl`, `big_sepM_lookup_acc_impl`, `big_sepM2_lookup_acc_impl`, `big_sepS_elem_of_acc_impl`, `big_sepMS_elem_of_acc_impl`. `````` Ralf Jung committed Jan 29, 2021 128 129 ``````* Add lemmas `big_sepM_filter'` and `big_sepM_filter` matching the corresponding `big_sepS` lemmas. `````` Ralf Jung committed Jan 29, 2021 130 131 ``````* Add lemmas for big-ops of magic wands: `big_sepL_wand`, `big_sepL2_wand`, `big_sepM_wand`, `big_sepM2_wand`, `big_sepS_wand`, `big_sepMS_wand`. `````` Ralf Jung committed Feb 16, 2021 132 ``````* Add notation `¬ P` for `P → False` to `bi_scope`. `````` Ralf Jung committed Feb 16, 2021 133 134 135 136 137 138 139 140 141 142 143 144 145 ``````* Add `fupd_mask_intro` which can be conveniently `iApply`ed to goals of the form `|={E1,E2}=>` to get rid of the `fupd` in the goal if `E2 ⊆ E1`. The lemma `fupd_mask_weaken Enew` can be `iApply`ed to shrink the first mask to `Enew` without getting rid of the modality; the same effect can also be obtained slightly more conveniently by using `iMod` with `fupd_mask_subseteq Enew`. To make the new names work, rename some existing lemmas: `fupd_intro_mask` → `fupd_mask_intro_subseteq`, `fupd_intro_mask'` → `fupd_mask_subseteq` (implicit arguments also changed here), `fupd_mask_weaken` → `fupd_mask_intro_discard`. Remove `fupd_mask_same` since it was unused and obscure. In the `BiFUpd` axiomatization, rename `bi_fupd_mixin_fupd_intro_mask` to `bi_fupd_mixin_fupd_mask_subseteq` and weaken the lemma to be specifically about `emp` (the stronger version can be derived). `````` Ralf Jung committed Feb 16, 2021 146 147 148 149 150 151 152 153 154 155 156 157 ``````* Remove `bi.tactics` with tactics that predate the proofmode (and that have not been working properly for quite some time). * Strengthen `persistent_sep_dup` to support propositions that are persistent and either affine or absorbing. * Fix the statement of the lemma `fupd_plainly_laterN`; the old lemma was a duplicate of `fupd_plain_laterN`. * Strengthen `big_sepL2_app_inv` by weakening a premise (it is sufficient for one of the two pairs of lists to have equal length). * Rename `equiv_entails` → `equiv_entails_1_1`, `equiv_entails_sym` → `equiv_entails_1_2`, and `equiv_spec` → `equiv_entails`. * Remove the laws `pure_forall_2 : (∀ a, ⌜ φ a ⌝) ⊢ ⌜ ∀ a, φ a ⌝` from the BI interface and factor it into a type class `BiPureForall`. `````` Ralf Jung committed Feb 16, 2021 158 `````` `````` Tej Chajed committed Jul 21, 2020 159 160 161 162 163 164 165 166 167 ``````**Changes in `proofmode`:** * The proofmode now preserves user-supplied names for existentials when using `iDestruct ... as (?) "..."`. This is backwards-incompatible if you were relying on the previous automatic names (which were always "H", possibly freshened). It also requires some changes if you were implementing `IntoExist` yourself, since the typeclass now forwards names. If your instance transforms one `IntoExist` into another, you can generally just forward the name from the premise. `````` Tej Chajed committed Jul 21, 2020 168 169 170 171 172 ``````* The proofmode also preserves user-supplied names in `iIntros`, for example with `iIntros (?)` and `iIntros "%"`, as described for destructing existentials above. As part of this change, it now uses a base name of `H` for pure facts rather than the previous default of `a`. This also requires some changes if you were implementing `FromForall`, in order to forward names. `````` Robbert Krebbers committed Sep 29, 2020 173 174 175 176 177 ``````* Make `iFrame` "less" smart w.r.t. clean up of modalities. It now consistently removes the modalities ``, ``, `` and `□` only if the result after framing is `True` or `emp`. In particular, it no longer removes `` if the result after framing is affine, and it no longer removes `□` if the result after framing is intuitionistic. `````` Robbert Krebbers committed Sep 29, 2020 178 179 180 ``````* Allow framing below an `` modality if the hypothesis that is framed is affine. (Previously, framing below `` was only possible if the hypothesis that is framed resides in the intuitionistic context.) `````` Robbert Krebbers committed Jan 07, 2021 181 182 ``````* Add Coq side-condition `φ` to class `ElimAcc` (similar to what we already had for `ElimInv` and `ElimModal`). `````` Rodolphe Lepigre committed Jan 27, 2021 183 184 ``````* Add a tactic `iSelect pat tac` (similar to `select` in std++) which runs the tactic `tac H` with the name `H` of the last hypothesis of the intuitionistic `````` Robbert Krebbers committed Feb 15, 2021 185 `````` or spatial context matching `pat`. The tactic `iSelect` is used to implement: `````` Rodolphe Lepigre committed Jan 27, 2021 186 187 188 189 190 `````` + `iRename select (pat)%I into name` which renames the matching hypothesis, + `iDestruct select (pat)%I as ...` which destructs the matching hypothesis, + `iClear select (pat)%I` which clears the matching hypothesis, + `iRevert select (pat)%I` which reverts the matching hypothesis, + `iFrame select (pat)%I` which cancels the matching hypothesis. `````` Tej Chajed committed Jul 21, 2020 191 `````` `````` Ralf Jung committed Sep 15, 2020 192 193 194 195 ``````**Changes in `base_logic`:** * Add a `ghost_var` library that provides (fractional) ownership of a ghost variable of arbitrary `Type`. `````` Ralf Jung committed Feb 16, 2021 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 ``````* Define a ghost state library on top of the `mono_nat` resource algebra. See [base_logic.lib.mono_nat](iris/base_logic/lib/mono_nat.v) for further information. * Define a ghost state library on top of the `gset_bij` resource algebra. See [base_logic.lib.gset_bij](iris/base_logic/lib/gset_bij.v) for further information. * Extend the `gen_heap` library with read-only points-to assertions using [discardable fractions](iris/algebra/dfrac.v). + The `mapsto` connective now takes a `dfrac` rather than a `frac` (i.e., positive rational number `Qp`). + The notation `l ↦{ dq } v` is generalized to discardable fractions `dq : dfrac`. + The new notation `l ↦{# q} v` is used for a concrete fraction `q : frac` (e.g., to enable writing `l ↦{# 1/2} v`). + The new notation `l ↦□ v` is used for the discarded fraction. This persistent proposition provides read-only access to `l`. + The lemma `mapsto_persist : l ↦{dq} v ==∗ l ↦□ v` is used for making the location `l` read-only. + See the [changes to HeapLang](https://gitlab.mpi-sws.org/iris/iris/-/merge_requests/554) for an indication on how to adapt your language. + See the [changes to iris-examples](https://gitlab.mpi-sws.org/iris/examples/-/commit/a8425b708ec51d918d5cf6eb3ab6fde88f4e2c2a) for an indication on how to adapt your development. In particular, instead of `∃ q, l ↦{q} v` you likely want to use `l ↦□ v`, which has the advantage of being persistent (rather than just duplicable). `````` Ralf Jung committed Sep 16, 2020 220 221 222 223 224 225 226 227 ``````* Change type of some ghost state lemmas (mostly about allocation) to use `∗` instead of `∧` (consistent with our usual style). This affects the following lemmas: `own_alloc_strong_dep`, `own_alloc_cofinite_dep`, `own_alloc_strong`, `own_alloc_cofinite`, `own_updateP`, `saved_anything_alloc_strong`, `saved_anything_alloc_cofinite`, `saved_prop_alloc_strong`, `saved_prop_alloc_cofinite`, `saved_pred_alloc_strong`, `saved_pred_alloc_cofinite`, `auth_alloc_strong`, `auth_alloc_cofinite`, `auth_alloc`. `````` Ralf Jung committed Sep 29, 2020 228 ``````* Change `uPred_mono` to only require inclusion at the smaller step-index. `````` Robbert Krebbers committed Oct 05, 2020 229 230 231 232 233 234 ``````* Put `iProp`/`iPreProp`-isomorphism into the `own` construction. This affects clients that define higher-order ghost state constructions. Concretely, when defining an `inG`, the functor no longer needs to be applied to `iPreProp`, but should be applied to `iProp`. This avoids clients from having to push through the `iProp`/`iPreProp`-isomorphism themselves, which is now handled once and for all by the `own` construction. `````` Ralf Jung committed Oct 13, 2020 235 236 237 238 ``````* Rename `gen_heap_ctx` to `gen_heap_interp`, since it is meant to be used in the state interpretation of WP and since `_ctx` is elsewhere used as a suffix indicating "this is a persistent assumption that clients should always have in their context". Likewise, rename `proph_map_ctx` to `proph_map_interp`. `````` Ralf Jung committed Oct 20, 2020 239 240 241 242 ``````* Move `uPred.prod_validI`, `uPred.option_validI`, and `uPred.discrete_fun_validI` to the new `base_logic.algebra` module. That module is exported by `base_logic.base_logic` so these names are now usually available everywhere, and no longer inside the `uPred` module. `````` Ralf Jung committed Nov 03, 2020 243 244 245 246 ``````* Remove the `gen_heap` notations `l ↦ -` and `l ↦{q} -`. They were barely used and looked very confusing in context: `l ↦ - ∗ P` looks like a magic wand. * Change `gen_inv_heap` notation `l ↦□ I` to `l ↦_I □`, so that `↦□` can be used by `gen_heap`. `````` Ralf Jung committed Nov 03, 2020 247 248 ``````* Strengthen `mapsto_valid_2` conclusion from `✓ (q1 + q2)%Qp` to `⌜✓ (q1 + q2)%Qp ∧ v1 = v2⌝`. `````` Ralf Jung committed Nov 10, 2020 249 250 ``````* Change `gen_heap_init` to also return ownership of the points-to facts for the initial heap. `````` Ralf Jung committed Nov 10, 2020 251 252 ``````* Rename `mapsto_mapsto_ne` to `mapsto_frac_ne`, and add a simpler `mapsto_ne` that does not require reasoning about fractions. `````` Ralf Jung committed Feb 16, 2021 253 254 255 256 257 258 259 ``````* Deprecate the `auth` and `sts` modules. These were logic-level wrappers around the underlying RAs; as far as we know, they are unused since they were not flexible enough for practical use. * Deprecate the `viewshift` module, which defined a binary view-shift connective with an implicit persistence modality. It was unused and too easily confused with `={_}=∗`, the binary view-shift (fancy update) *without* a persistence modality. `````` Ralf Jung committed Sep 15, 2020 260 `````` `````` Michael Sammler committed Oct 01, 2020 261 262 263 264 265 ``````**Changes in `program_logic`:** * `wp_strong_adequacy` now applies to an initial state with multiple threads instead of only a single thread. The derived adequacy lemmas are unchanged. `````` Ralf Jung committed Nov 27, 2020 266 267 ``````* `pure_exec_fill` is no longer registered as an instance for `PureExec`, to avoid TC search attempting to apply this instance all the time. `````` Ralf Jung committed Dec 04, 2020 268 ``````* Merge `wp_value_inv`/`wp_value_inv'` into `wp_value_fupd`/`wp_value_fupd'` by `````` Ralf Jung committed Feb 16, 2021 269 `````` making the lemmas bidirectional. `````` Robbert Krebbers committed Dec 18, 2020 270 271 272 ``````* Generalize HeapLang's `mapsto` (`↦`), `array` (`↦∗`), and atomic heap connectives to discardable fractions. See the CHANGELOG entry in the category `base_logic` for more information. `````` Robbert Krebbers committed Jan 07, 2021 273 ``````* Opening an invariant or eliminating a mask-changing update modality around a `````` Robbert Krebbers committed Jan 07, 2021 274 275 `````` non-atomic weakest precondition creates a side-condition `Atomic ...`. Before, this would fail with the unspecific error "iMod: cannot eliminate `````` Robbert Krebbers committed Jan 07, 2021 276 `````` modality (|={E1,E2}=> ...) in (WP ...)". `````` Ralf Jung committed Feb 05, 2021 277 278 ``````* In `Ectx_step` and `step_atomic`, mark the parameters that are determined by the goal as implicit. `````` Ralf Jung committed Feb 16, 2021 279 280 ``````* Deprecate the `hoare` module to prevent accidental usage; the recommended way to write Hoare-style specifications is to use Texan triples. `````` Michael Sammler committed Oct 01, 2020 281 `````` `````` Ralf Jung committed Nov 10, 2020 282 283 284 ``````**Changes in `heap_lang`:** * `wp_pures` now turns goals of the form `WP v {{ Φ }}` into `Φ v`. `````` Ralf Jung committed Nov 10, 2020 285 286 ``````* Fix `wp_bind` in case of a NOP (i.e., when the given expression pattern is already at the top level). `````` Ralf Jung committed Dec 04, 2020 287 288 ``````* The `wp_` tactics now preserve the possibility of doing a fancy update when the expression reduces to a value. `````` Robbert Krebbers committed Jan 04, 2021 289 290 291 292 ``````* Move `IntoVal`, `AsVal`, `Atomic`, `AsRecV`, and `PureExec` instances to their own file [heap_lang.class_instances](iris_heap_lang/class_instances.v). * Move `inv_head_step` tactic and `head_step` auto hints (now part of new hint database `head_step`) to [heap_lang.tactics](iris_heap_lang/tactics.v). `````` Robbert Krebbers committed Jan 17, 2021 293 294 295 ``````* The tactic `wp_apply` no longer performs `wp_pures` before applying the given lemma. The new tactic `wp_smart_apply` repeatedly performs single `wp_pure` steps until the lemma matches the goal. `````` Ralf Jung committed Nov 10, 2020 296 `````` `````` Ralf Jung committed Sep 14, 2020 297 298 299 300 301 302 ``````The following `sed` script helps adjust your code to the renaming (on macOS, replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`). Note that the script is not idempotent, do not run it twice. ``` sed -i -E -f- \$(find theories -name "*.v") < ■ (P -∗ Q) -∗ coreP P -∗ coreP Q`. * Remove notation for 3-mask step-taking updates, and made 2-mask notation less confusing by distinguishing it better from mask-changing updates. Old: `|={Eo,Ei}▷=> P`. New: `|={Eo}[Ei]▷=> P`. Here, `Eo` is the "outer mask" (used at the beginning and end) and `Ei` the "inner mask" (used around the ▷ in the middle). As part of this, the lemmas about the 3-mask variant were changed to be about the 2-mask variant instead, and `step_fupd_mask_mono` now also has a more consistent argument order for its masks. * Add a counterexample showing that sufficiently powerful cancellable invariants with a linear token subvert the linearity guarantee (see `bi.lib.counterexmples` for details). * Redefine invariants as "semantic invariants" so that they support splitting and other forms of weakening. * Add lemmas `inv_combine` and `inv_combine_dup_l` for combining invariants. * Add the type `siProp` of "plain" step-indexed propositions, together with basic proofmode support. `````` Ralf Jung committed Jul 14, 2020 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 ``````* New ASCII versions of Iris notations. These are marked parsing only and can be made available using `Require Import iris.bi.ascii`. The new notations are (notations marked [†] are disambiguated using notation scopes): - entailment: `|-` for `⊢` and `-|-` for `⊣⊢` - logic[†]: `->` for `→`, `/\\` for `∧`, `\\/` for `∨`, and `<->` for `↔` - quantifiers[†]: `forall` for `∀` and `exists` for `∃` - separation logic: `**` for `∗`, `-*` for `-∗`, and `*-*` for `∗-∗` - step indexing: `|>` for `▷` - modalities: `<#>` for `□` and `` for `◇` - most derived notations can be computed from previous notations using the substitutions above, e.g. replace `∗` with `*` and `▷` with `|>`. Examples include the following: - `|={E1,E2}=* P` for `|={E1,E2}=∗` - `P ={E}=* Q` for `P ={E}=∗ Q` - `P ={E1,E2}=* Q` for `P ={E1,E2}=∗ Q` `````` Ralf Jung committed Jul 15, 2020 499 `````` - `|={E1}[E2]|>=> Q` for `|={E1}[E2]▷=> Q` `````` Ralf Jung committed Jul 14, 2020 500 501 502 503 504 `````` The full list can be found in [theories/bi/ascii.v](theories/bi/ascii.v), where the ASCII notations are defined in terms of the unicode notations. * Add affine, absorbing, persistent and timeless instances for telescopes. * Add a construction `bi_rtc` to create reflexive transitive closures of PROP-level binary relations. `````` Simon Friis Vindum committed Jul 02, 2020 505 506 507 508 ``````* Slightly strengthen the lemmas `big_sepL_nil'`, `big_sepL2_nil'`, `big_sepM_nil'` `big_sepM2_empty'`, `big_sepS_empty'`, and `big_sepMS_empty'`. They now only require that the argument `P` is affine instead of the whole BI being affine. `````` Ralf Jung committed Jul 14, 2020 509 510 511 512 513 514 ``````* Add `big_sepL_insert_acc`, a variant of `big_sepL_lookup_acc` which allows updating the value. * Add many missing `Proper`/non-expansiveness lemmas for big-ops. * Add `big_*_insert_delete` lemmas to split a `<[i:=x]> m` map into `i` and the rest. * Seal the definitions of `big_opS`, `big_opMS`, `big_opM` and `big_sepM2` to prevent undesired simplification. `````` Ralf Jung committed Jul 14, 2020 515 ``````* Fix `big_sepM2_fmap*` only working for `nat` keys. `````` Ralf Jung committed Jul 14, 2020 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 `````` **Changes in `proofmode`:** * Make use of `notypeclasses refine` in the implementation of `iPoseProof` and `iAssumption`, see . This has two consequences: 1. Coq's "new" unification algorithm (the one in `refine`, not the "old" one in `apply`) is used more often by the proof mode tactics. 2. Due to the use of `notypeclasses refine`, TC constraints are solved less eagerly, see . In order to port your development, it is often needed to instantiate evars explicitly (since TC search is performed less eagerly), and in few cases it is needed to unfold definitions explicitly (due to new unification algorithm behaving differently). * Strengthen the tactics `iDestruct`, `iPoseProof`, and `iAssert`: - They succeed in certain cases where they used to fail. - They keep certain hypotheses in the intuitionistic context, where they were moved to the spatial context before. The latter can lead to stronger proof mode contexts, and therefore to backwards incompatibility. This can usually be fixed by manually clearing some hypotheses. A more detailed description of the changes can be found in . `````` Ralf Jung committed Jul 15, 2020 538 539 540 541 542 543 ``````* Remove the long-deprecated `cofeT` alias (for `ofeT`) and `dec_agree` RA (use `agree` instead). * Add `auto` hint for `∗-∗`. * Add new tactic `iStopProof` to turn the proof mode entailment into an ordinary Coq goal `big star of context ⊢ proof mode goal`. `````` Ralf Jung committed Jul 14, 2020 544 545 546 547 548 549 550 551 552 553 ``````* Add new introduction pattern `-# pat` that moves a hypothesis from the intuitionistic context to the spatial context. * The tactic `iAssumption` also recognizes assumptions `⊢ P` in the Coq context. * Better support for telescopes in the proof mode, i.e., all tactics should recognize and distribute telescopes now. * The proof mode now supports names for pure facts in intro patterns. Support requires implementing `string_to_ident`. Without this tactic such patterns will fail. We provide one implementation using Ltac2 which works with Coq 8.11 and can be installed with opam; see [iris/string-ident](https://gitlab.mpi-sws.org/iris/string-ident) for details. `````` Ralf Jung committed Apr 07, 2020 554 `````` `````` Ralf Jung committed Jul 14, 2020 555 556 557 558 559 560 ``````**Changes in `algebra`:** * Remove `Core` type class for defining the total core; it is now always defined in terms of the partial core. The only user of this type class was the STS RA. * The functions `{o,r,ur}Functor_diag` are no longer coercions, and renamed into `````` Ralf Jung committed Jul 14, 2020 561 562 `````` `{o,r,ur}Functor_apply` to better match their intent. This fixes "ambiguous coercion path" warnings. `````` Ralf Jung committed Jul 14, 2020 563 564 ``````* Rename `{o,r,ur}Functor_{ne,id,compose,contractive}` into `{o,r,ur}Functor_map_{ne,id,compose,contractive}`. `````` Ralf Jung committed Jul 14, 2020 565 566 ``````* Move derived camera constructions (`frac_auth` and `ufrac_auth`) to the folder `algebra/lib`. `````` Ralf Jung committed Jul 14, 2020 567 568 569 570 571 572 573 574 575 576 577 578 579 580 ``````* Rename `mnat` to `max_nat` and "box" it by creating a separate type for it. * Move the RAs for `nat` and `positive` and the `mnat` RA into a separate module. They must now be imported from `From iris.algebra Require Import numbers`. * Make names of `f_op`/`f_core` rewrite lemmas more consistent by always making `_core`/`_op` the suffix: `op_singleton` → `singleton_op`, `core_singleton` → `singleton_core`, `discrete_fun_op_singleton` → `discrete_fun_singleton_op`, `discrete_fun_core_singleton` → `discrete_fun_singleton_core`, `list_core_singletonM` → `list_singleton_core`, `list_op_singletonM` → `list_singleton_op`, `sts_op_auth_frag` → `sts_auth_frag_op`, `sts_op_auth_frag_up` → `sts_auth_frag_up_op`, `sts_op_frag` → `sts_frag_op`, `````` Ralf Jung committed Jul 14, 2020 581 582 583 584 585 586 587 588 589 590 591 `````` `list_op_length` → `list_length_op`, `list_core_singletonM` → `list_singletonM_core`, `list_op_singletonM` → `list_singletonM_op`. * All list "map singleton" lemmas consistently use `singletonM` in their name: `list_singleton_valid` → `list_singletonM_valid`, `list_singleton_core_id` → `list_singletonM_core_id`, `list_singleton_snoc` → `list_singletonM_snoc`, `list_singleton_updateP` → `list_singletonM_updateP`, `list_singleton_updateP'` → `list_singletonM_updateP'`, `list_singleton_update` → `list_singletonM_update`, `list_alloc_singleton_local_update` → `list_alloc_singletonM_local_update`. `````` Ralf Jung committed Jul 14, 2020 592 ``````* Remove `auth_both_op` and rename `auth_both_frac_op` into `auth_both_op`. `````` Ralf Jung committed Jul 14, 2020 593 594 ``````* Add lemma `singleton_included : {[ i := x ]} ≼ ({[ i := y ]} ↔ x ≡ y ∨ x ≼ y`, and rename existing asymmetric lemmas (with a singleton on just the LHS): `````` Ralf Jung committed Jul 14, 2020 595 596 597 `````` `singleton_includedN` → `singleton_includedN_l`, `singleton_included` → `singleton_included_l`, `singleton_included_exclusive` → `singleton_included_exclusive_l`. `````` Ralf Jung committed Jul 15, 2020 598 599 600 601 602 603 604 605 606 `````` * Add notion `ofe_iso A B` that states that OFEs `A` and `B` are isomorphic. This is used in the COFE solver. * Add `{o,r,ur}Functor_oFunctor_compose` for composition of functors. * Add `pair_op_1` and `pair_op_2` to split a pair where one component is the unit. * Add derived camera construction `excl_auth A` for `auth (option (excl A))`. * Make lemma `Excl_included` a bi-implication. * Make `auth_update_core_id` work with any fraction of the authoritative element. `````` Yusuke Matsushita committed Oct 31, 2020 607 ``````* Add `min_nat`, an RA for natural numbers with `min` as the operation. `````` Ralf Jung committed Jul 14, 2020 608 ``````* Add many missing `Proper`/non-expansiveness lemmas for maps and lists. `````` Ralf Jung committed Jul 15, 2020 609 610 611 612 ``````* Add `list_singletonM_included` and `list_lookup_singletonM_{lt,gt}` lemmas about singletons in the list RA. * Add `list_core_id'`, a stronger version of `list_core_id` which only talks about elements that are actually in the list. `````` Ralf Jung committed Jul 14, 2020 613 `````` `````` Ralf Jung committed Jul 14, 2020 614 615 616 ``````The following `sed` script helps adjust your code to the renaming (on macOS, replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`). Note that the script is not idempotent, do not run it twice. `````` Ralf Jung committed Apr 07, 2020 617 618 ````````` sed -i -E ' `````` Ralf Jung committed Jul 14, 2020 619 620 621 622 623 624 ``````# functor renames s/\b(o|r|ur)Functor_(ne|id|compose|contractive)\b/\1Functor_map_\2/g # singleton_included renames s/\bsingleton_includedN\b/singleton_includedN_l/g s/\bsingleton_included\b/singleton_included_l/g s/\bsingleton_included_exclusive\b/singleton_included_exclusive_l/g `````` Ralf Jung committed Apr 07, 2020 625 626 627 628 ``````# f_op/f_core renames s/\b(op|core)_singleton\b/singleton_\1/g s/\bdiscrete_fun_(op|core)_singleton\b/discrete_fun_singleton_\1/g s/\bsts_op_(auth_frag|auth_frag_up|frag)\b/sts_\1_op/g `````` Ralf Jung committed Jul 14, 2020 629 ``````s/\blist_(op|core)_singletonM\b/list_singletonM_\1/g `````` Ralf Jung committed Apr 07, 2020 630 ``````s/\blist_op_length\b/list_length_op/g `````` Ralf Jung committed Jul 14, 2020 631 632 633 634 635 636 637 ``````# list "singleton map" renames s/\blist_singleton_valid\b/list_singletonM_valid/g s/\blist_singleton_core_id\b/list_singletonM_core_id/g s/\blist_singleton_snoc\b/list_singletonM_snoc/g s/\blist_singleton_updateP\b/list_singletonM_updateP/g s/\blist_singleton_update\b/list_singletonM_update/g s/\blist_alloc_singleton_local_update\b/list_alloc_singletonM_local_update/g `````` Ralf Jung committed Jul 14, 2020 638 639 640 641 642 643 644 ``````# inv renames s/\binv_sep(|_1|_2)\b/inv_split\1/g s/\binv_acc\b/inv_alter/g s/\binv_open(|_strong|_timeless)\b/inv_acc\1/g s/\bcinv_open(|_strong)\b/cinv_acc\1/g s/\b(na_inv|auth|sts)_open\b/\1_acc/g # miscellaneous `````` Simon Friis Vindum committed Apr 23, 2020 645 ``````s/\bauth_both_frac_op\b/auth_both_op/g `````` Simon Friis Vindum committed Jun 17, 2020 646 ``````s/\bmnat\b/max_nat/g `````` Ralf Jung committed Jul 14, 2020 647 ``````s/\bcoreP_wand\b/coreP_entails/g `````` Ralf Jung committed Apr 07, 2020 648 649 650 ``````' \$(find theories -name "*.v") ``` `````` Ralf Jung committed Aug 29, 2019 651 ``````## Iris 3.2.0 (released 2019-08-29) `````` Ralf Jung committed Aug 28, 2019 652 `````` `````` Ralf Jung committed Aug 28, 2019 653 654 655 ``````The highlight of this release is the completely re-engineered interactive proof mode. Not only did many tactics become more powerful; the entire proof mode can now be used not just for Iris but also for other separation logics satisfying `````` Ralf Jung committed Aug 28, 2019 656 657 658 659 660 661 ``````the proof mode interface (e.g., [Iron] and [GPFSL]). Also see the [accompanying paper][MoSeL]. [Iron]: https://iris-project.org/iron/ [GPFSL]: https://gitlab.mpi-sws.org/iris/gpfsl/ [MoSeL]: https://iris-project.org/mosel/ `````` Ralf Jung committed Aug 28, 2019 662 663 664 665 666 667 668 669 670 671 672 673 674 675 `````` Beyond that, the Iris program logic gained the ability to reason about potentially stuck programs, and a significantly strengthened adequacy theorem that unifies the three previously separately presented theorems. There are now also Hoare triples for total program correctness (but with very limited support for invariants) and logical atomicity. And finally, our example language HeapLang was made more realistic (Compare-and-set got replaced by compare-exchange and limited to only compare values that can actually be compared atomically) and more powerful, with added support for arrays and prophecy variables. Further details are given in the changelog below. `````` Ralf Jung committed Aug 29, 2019 676 677 678 679 680 681 682 683 ``````This release of Iris received contributions by Aleš Bizjak, Amin Timany, Dan Frumin, Glen Mével, Hai Dang, Hugo Herbelin, Jacques-Henri Jourdan, Jan Menz, Jan-Oliver Kaiser, Jonas Kastberg Hinrichsen, Joseph Tassarotti, Mackie Loeffel, Marianna Rapoport, Maxime Dénès, Michael Sammler, Paolo G. Giarrusso, Pierre-Marie Pédrot, Ralf Jung, Robbert Krebbers, Rodolphe Lepigre, and Tej Chajed. Thanks a lot to everyone involved! **Changes in the theory of Iris itself:** `````` Ralf Jung committed Jan 24, 2018 684 `````` `````` Ralf Jung committed Jun 05, 2019 685 ``````* Change in the definition of WP, so that there is a fancy update between `````` Jacques-Henri Jourdan committed Jun 14, 2018 686 687 `````` the quantification over the next states and the later modality. This makes it possible to prove more powerful lifting lemmas: The new versions feature an `````` Ralf Jung committed Jun 14, 2018 688 `````` "update that takes a step". `````` Ralf Jung committed Jun 05, 2019 689 690 691 ``````* Add weakest preconditions for total program correctness. * "(Potentially) stuck" weakest preconditions and the "plainly modality" are no longer considered experimental. `````` Ralf Jung committed Jun 06, 2019 692 ``````* Add the notion of an "observation" to the language interface, so that `````` Ralf Jung committed Oct 05, 2018 693 694 `````` every reduction step can optionally be marked with an event, and an execution trace has a matching list of events. Change WP so that it is told the entire `````` Ralf Jung committed Jun 06, 2019 695 `````` future trace of observations from the beginning. `````` Ralf Jung committed Jun 05, 2019 696 ``````* The Löb rule is now a derived rule; it follows from later-intro, later `````` Ralf Jung committed Jul 06, 2018 697 698 `````` being contractive and the fact that we can take fixpoints of contractive functions. `````` Ralf Jung committed Jun 05, 2019 699 ``````* Add atomic updates and logically atomic triples, including tactic support. `````` Ralf Jung committed Jul 13, 2018 700 `````` See `heap_lang/lib/increment.v` for an example. `````` Ralf Jung committed Jun 06, 2019 701 702 703 ``````* Extend the state interpretation with a natural number that keeps track of the number of forked-off threads, and have a global fixed proposition that describes the postcondition of each forked-off thread (instead of it being `````` Robbert Krebbers committed Jun 12, 2019 704 `````` `True`). `````` Ralf Jung committed Jun 12, 2019 705 706 707 ``````* A stronger adequacy statement for weakest preconditions that involves the final state, the post-condition of forked-off threads, and also applies if the main-thread has not terminated. `````` Ralf Jung committed Jun 06, 2019 708 709 710 ``````* The user-chosen functor used to instantiate the Iris logic now goes from COFEs to Cameras (it was OFEs to Cameras). `````` Ralf Jung committed Aug 29, 2019 711 ``````**Changes in heap_lang:** `````` Ralf Jung committed Jun 06, 2019 712 `````` `````` Ralf Jung committed Jun 24, 2019 713 714 715 716 717 718 719 720 ``````* CAS (compare-and-set) got replaced by CmpXchg (compare-exchange). The difference is that CmpXchg returns a pair consisting of the old value and a boolean indicating whether the comparison was successful and hence the exchange happened. CAS can be obtained by simply projecting to the second component, but also providing the old value more closely models the primitive typically provided in systems languages (C, C++, Rust). The comparison by this operation also got weakened to be efficiently implementable: CmpXchg may only be used to compare "unboxed" values that can `````` Ralf Jung committed Jul 12, 2019 721 722 723 724 725 `````` be represented in a single machine word. It is sufficient if one of the two compared values is unboxed. * For consistency, the restrictions CmpXchg imposes on comparison also apply to the `=` binary operator. This also fixes the long-standing problem that that operator allowed compared closures with each other. `````` Ralf Jung committed Jul 13, 2019 726 727 ``````* Implement prophecy variables using the new support for "observations". The erasure theorem (showing that prophecy variables do not alter program `````` Ralf Jung committed Aug 28, 2019 728 `````` behavior) can be found [in the iris/examples repository][prophecy-erasure]. `````` Ralf Jung committed Jun 06, 2019 729 ``````* heap_lang now uses right-to-left evaluation order. This makes it `````` Ralf Jung committed Oct 05, 2018 730 `````` significantly easier to write specifications of curried functions. `````` Ralf Jung committed Jun 06, 2019 731 ``````* heap_lang values are now injected in heap_lang expressions via a specific `````` Jacques-Henri Jourdan committed Oct 31, 2018 732 733 `````` constructor of the expr inductive type. This simplifies much the tactical infrastructure around the language. In particular, this allow us to get rid `````` Robbert Krebbers committed Oct 31, 2018 734 `````` the reflection mechanism that was needed for proving closedness, atomicity and `````` Jacques-Henri Jourdan committed Oct 31, 2018 735 736 `````` "valueness" of a term. The price to pay is the addition of new "administrative" reductions in the operational semantics of the language. `````` Ralf Jung committed Jun 06, 2019 737 738 ``````* heap_lang now has support for allocating, accessing and reasoning about arrays (continuously allocated regions of memory). `````` Robbert Krebbers committed Jun 10, 2019 739 ``````* One can now assign "meta" data to heap_lang locations. `````` Ralf Jung committed Jan 24, 2018 740 `````` `````` Ralf Jung committed Aug 28, 2019 741 742 ``````[prophecy-erasure]: https://gitlab.mpi-sws.org/iris/examples/blob/3f33781fe6e19cfdb25259c8194d34403f1134d5/theories/logatom/proph_erasure.v `````` Ralf Jung committed Aug 29, 2019 743 ``````**Changes in Coq:** `````` Robbert Krebbers committed Jan 03, 2018 744 `````` `````` Ralf Jung committed Aug 28, 2019 745 ``````* An all-new generalized proof mode that abstracts away from Iris! Major new `````` Ralf Jung committed Jul 09, 2018 746 747 748 749 750 751 `````` features: - The proof mode can now be used with logics derived from Iris (like iGPS), with non-step-indexed logics and even with non-affine (i.e., linear) logics. - `iModIntro` is more flexible and more powerful, it now also subsumes `iNext` and `iAlways`. - General infrastructure for deriving a logic for monotone predicates over `````` Ralf Jung committed Aug 28, 2019 752 `````` an existing logic (see the paper for more details). `````` Ralf Jung committed Jul 09, 2018 753 `````` Developments instantiating the proof mode typeclasses may need significant `````` Robbert Krebbers committed May 02, 2019 754 755 `````` changes. For developments just using the proof mode tactics, porting should not be too much effort. Notable things to port are: `````` Ralf Jung committed Jul 02, 2018 756 757 758 759 760 `````` - All the BI laws moved from the `uPred` module to the `bi` module. For example, `uPred.later_equivI` became `bi.later_equivI`. - Big-ops are automatically imported, imports of `iris.base_logic.big_op` have to be removed. - The ⊢ notation can sometimes infer different (but convertible) terms when `````` Robbert Krebbers committed Dec 14, 2018 761 `````` searching for the BI to use, which (due to Coq limitations) can lead to `````` Ralf Jung committed Jul 02, 2018 762 763 764 765 `````` failing rewrites, in particular when rewriting at function types. * The `iInv` tactic can now be used without the second argument (the name for the closing update). It will then instead add the obligation to close the invariant to the goal. `````` Ralf Jung committed May 21, 2019 766 767 ``````* The new `iEval` tactic can be used to execute a simplification or rewriting tactic on some specific part(s) of the proofmode goal. `````` Ralf Jung committed Jul 04, 2018 768 769 ``````* Added support for defining derived connectives involving n-ary binders using telescopes. `````` Ralf Jung committed Jul 06, 2018 770 771 772 ``````* The proof mode now more consistently "prettifies" the goal after each tactic. Prettification also simplifies some BI connectives, like conditional modalities and telescope quantifiers. `````` Ralf Jung committed Jul 02, 2018 773 ``````* Improved pretty-printing of Iris connectives (in particular WP and fancy `````` Ralf Jung committed Jul 06, 2018 774 775 776 `````` updates) when Coq has to line-wrap the output. This goes hand-in-hand with an improved test suite that also tests pretty-printing. * Added a `gmultiset` RA. `````` Ralf Jung committed Jul 14, 2020 777 ``````* Rename `timelessP` → `timeless` (projection of the `Timeless` class) `````` Ralf Jung committed Feb 20, 2018 778 779 ``````* The CMRA axiom `cmra_extend` is now stated in `Type`, using `sigT` instead of in `Prop` using `exists`. This makes it possible to define the function space `````` Jacques-Henri Jourdan committed Feb 20, 2018 780 `````` CMRA even for an infinite domain. `````` Robbert Krebbers committed Feb 20, 2018 781 782 783 784 785 ``````* Rename proof mode type classes for laters: - `IntoLaterN` → `MaybeIntoLaterN` (this one _may_ strip a later) - `IntoLaterN'` → `IntoLaterN` (this one _should_ strip a later) - `IntoLaterNEnv` → `MaybeIntoLaterNEnv` - `IntoLaterNEnvs` → `MaybeIntoLaterNEnvs` `````` 786 787 ``````* Rename: - `frag_auth_op` → `frac_auth_frag_op` `````` 788 789 790 `````` - `cmra_opM_assoc` → `cmra_op_opM_assoc` - `cmra_opM_assoc_L` → `cmra_op_opM_assoc_L` - `cmra_opM_assoc'` → `cmra_opM_opM_assoc` `````` Robbert Krebbers committed Feb 21, 2018 791 ``````* `namespaces` has been moved to std++. `````` Ralf Jung committed Jun 18, 2018 792 793 ``````* Changed `IntoVal` to be directly usable for rewriting `e` into `of_val v`, and changed `AsVal` to be usable for rewriting via the `[v <-]` destruct pattern. `````` Ralf Jung committed Oct 05, 2018 794 ``````* `wp_fork` is now written in curried form. `````` Robbert Krebbers committed Oct 05, 2018 795 ``````* `PureExec`/`wp_pure` now supports taking multiple steps at once. `````` Jacques-Henri Jourdan committed Oct 31, 2018 796 797 798 ``````* A new tactic, `wp_pures`, executes as many pure steps as possible, excluding steps that would require unlocking subterms. Every impure wp_ tactic executes this tactic before doing anything else. `````` Dan Frumin committed Feb 03, 2019 799 ``````* Add `big_sepM_insert_acc`. `````` Dan Frumin committed Apr 07, 2019 800 801 802 803 ``````* Add big separating conjunctions that operate on pairs of lists (`big_sepL2`) and on pairs of maps (`big_sepM2`). In the former case the lists are required to have the same length, and in the latter case the maps are required to have the same domains. `````` Dan Frumin committed Mar 06, 2019 804 805 806 ``````* The `_strong` lemmas (e.g. `own_alloc_strong`) work for all infinite sets, instead of just for cofinite sets. The versions with cofinite sets have been renamed to use the `_cofinite` suffix. `````` Robbert Krebbers committed Mar 14, 2019 807 808 809 ``````* Remove locked value lambdas. The value scope notations `rec: f x := e` and `(λ: x, e)` no longer add a `locked`. Instead, we made the `wp_` tactics smarter to no longer unfold lambdas/recs that occur behind definitions. `````` Ralf Jung committed May 21, 2019 810 ``````* Export the fact that `iPreProp` is a COFE. `````` Hai Dang committed May 23, 2019 811 812 813 814 815 816 817 ``````* The CMRA `auth` now can have fractional authoritative parts. So now `auth` has 3 types of elements: the fractional authoritative `●{q} a`, the full authoritative `● a ≡ ●{1} a`, and the non-authoritative `◯ a`. Updates are only possible with the full authoritative element `● a`, while fractional authoritative elements have agreement: `✓ (●{p} a ⋅ ●{q} b) ⇒ a ≡ b`. As a consequence, `auth` is no longer a COFE and does not preserve Leibniz equality. `````` Ralf Jung committed Jun 24, 2019 818 819 ``````* Add a COFE construction (and functor) on dependent pairs `sigTO`, dual to `discrete_funO`. `````` Hai Dang committed May 24, 2019 820 821 822 823 824 825 ``````* Rename in `auth`: - Use `auth_auth_proj`/`auth_frag_proj` for the projections of `auth`: `authoritative` → `auth_auth_proj` and `auth_own` → `auth_frag_proj`. - Use `auth_auth` and `auth_frag` for the injections into authoritative elements and non-authoritative elements respectively. - Lemmas for the projections and injections are renamed accordingly. `````` Hai Dang committed May 24, 2019 826 827 828 829 830 `````` For examples: + `authoritative_validN` → `auth_auth_proj_validN` + `auth_own_validN` → `auth_frag_proj_validN` + `auth_auth_valid` was not renamed because it was already used for the authoritative injection. `````` Hai Dang committed May 24, 2019 831 832 `````` - `auth_both_valid` → `auth_both_valid_2` - `auth_valid_discrete_2` → `auth_both_valid` `````` Robbert Krebbers committed Jun 11, 2019 833 834 835 ``````* Add the camera `ufrac` for unbounded fractions (i.e. without fractions that can be `> 1`) and the camera `ufrac_auth` for a variant of the authoritative fractional camera (`frac_auth`) with unbounded fractions. `````` Ralf Jung committed Jun 11, 2019 836 837 ``````* Changed `frac_auth` notation from `●!`/`◯!` to `●F`/`◯F`. sed script: `s/◯!/◯F/g; s/●!/●F/g;`. `````` Paolo G. Giarrusso committed Aug 08, 2019 838 839 ``````* Lemma `prop_ext` works in both directions; its default direction is the opposite of what it used to be. `````` Paolo G. Giarrusso committed Aug 13, 2019 840 ``````* Make direction of `f_op` rewrite lemmas more consistent: Flip `pair_op`, `````` Paolo G. Giarrusso committed Aug 13, 2019 841 842 `````` `Cinl_op`, `Cinr_op`, `cmra_morphism_op`, `cmra_morphism_pcore`, `cmra_morphism_core`. `````` Robbert Krebbers committed Aug 24, 2019 843 844 ``````* Rename lemmas `fupd_big_sep{L,M,S,MS}` into `big_sep{L,M,S,MS}_fupd` to be consistent with other such big op lemmas. Also add such lemmas for `bupd`. `````` Robbert Krebbers committed Jun 18, 2019 845 ``````* Rename `C` suffixes into `O` since we no longer use COFEs but OFEs. Also `````` Ralf Jung committed Jun 18, 2019 846 `````` rename `ofe_fun` into `discrete_fun` and the corresponding notation `-c>` into `````` Ralf Jung committed Apr 02, 2020 847 848 `````` `-d>`. The renaming can be automatically done using the following script (on macOS, replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`): `````` Robbert Krebbers committed Jun 18, 2019 849 ````````` `````` Paolo G. Giarrusso committed Jun 21, 2019 850 ``````sed -i ' `````` Robbert Krebbers committed Jun 18, 2019 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 ``````s/\bCofeMor/OfeMor/g; s/\-c>/\-d>/g; s/\bcFunctor/oFunctor/g; s/\bCFunctor/OFunctor/g; s/\b\%CF/\%OF/g; s/\bconstCF/constOF/g; s/\bidCF/idOF/g s/\bdiscreteC/discreteO/g; s/\bleibnizC/leibnizO/g; s/\bunitC/unitO/g; s/\bprodC/prodO/g; s/\bsumC/sumO/g; s/\bboolC/boolO/g; s/\bnatC/natO/g; s/\bpositiveC/positiveO/g; s/\bNC/NO/g; s/\bZC/ZO/g; s/\boptionC/optionO/g; s/\blaterC/laterO/g; s/\bofe\_fun/discrete\_fun/g; s/\bdiscrete\_funC/discrete\_funO/g; s/\bofe\_morC/ofe\_morO/g; s/\bsigC/sigO/g; s/\buPredC/uPredO/g; s/\bcsumC/csumO/g; s/\bagreeC/agreeO/g; s/\bauthC/authO/g; s/\bnamespace_mapC/namespace\_mapO/g; s/\bcmra\_ofeC/cmra\_ofeO/g; s/\bucmra\_ofeC/ucmra\_ofeO/g; s/\bexclC/exclO/g; s/\bgmapC/gmapO/g; s/\blistC/listO/g; s/\bvecC/vecO/g; s/\bgsetC/gsetO/g; s/\bgset\_disjC/gset\_disjO/g; s/\bcoPsetC/coPsetO/g; s/\bgmultisetC/gmultisetO/g; s/\bufracC/ufracO/g s/\bfracC/fracO/g; s/\bvalidityC/validityO/g; s/\bbi\_ofeC/bi\_ofeO/g; s/\bsbi\_ofeC/sbi\_ofeO/g; s/\bmonPredC/monPredO/g; s/\bstateC/stateO/g; s/\bvalC/valO/g; s/\bexprC/exprO/g; s/\blocC/locO/g; s/\bdec\_agreeC/dec\_agreeO/g; s/\bgnameC/gnameO/g; s/\bcoPset\_disjC/coPset\_disjO/g; `````` Paolo G. Giarrusso committed Jun 21, 2019 902 ``````' \$(find theories -name "*.v") `````` Robbert Krebbers committed Jun 18, 2019 903 ````````` `````` Hai Dang committed May 24, 2019 904 `````` `````` Ralf Jung committed Dec 19, 2017 905 ``````## Iris 3.1.0 (released 2017-12-19) `````` Ralf Jung committed Apr 12, 2017 906 `````` `````` Ralf Jung committed Aug 29, 2019 907 ``````**Changes in and extensions of the theory:** `````` Ralf Jung committed Oct 26, 2017 908 `````` `````` Ralf Jung committed Dec 11, 2017 909 ``````* Define `uPred` as a quotient on monotone predicates `M -> SProp`. `````` Ralf Jung committed Dec 13, 2017 910 911 ``````* Get rid of some primitive laws; they can be derived: `True ⊢ □ True` and `□ (P ∧ Q) ⊢ □ (P ∗ Q)` `````` Ralf Jung committed Nov 23, 2017 912 ``````* Camera morphisms have to be homomorphisms, not just monotone functions. `````` Ralf Jung committed Oct 28, 2017 913 ``````* Add a proof that `f` has a fixed point if `f^k` is contractive. `````` Robbert Krebbers committed Oct 26, 2017 914 915 ``````* Constructions for least and greatest fixed points over monotone predicates (defined in the logic of Iris using impredicative quantification). `````` Ralf Jung committed Oct 28, 2017 916 ``````* Add a proof of the inverse of `wp_bind`. `````` Ralf Jung committed Dec 13, 2017 917 ``````* [Experimental feature] Add new modality: ■ ("plainly"). `````` Ralf Jung committed Dec 11, 2017 918 919 920 921 922 923 924 925 ``````* [Experimental feature] Support verifying code that might get stuck by distinguishing "non-stuck" vs. "(potentially) stuck" weakest preconditions. (See [Swasey et al., OOPSLA '17] for examples.) The non-stuck `WP e @ E {{ Φ }}` ensures that, as `e` runs, it does not get stuck. The stuck `WP e @ E ?{{ Φ }}` ensures that, as usual, all invariants are preserved while `e` runs, but it permits execution to get stuck. The former implies the latter. The full judgment is `WP e @ s; E {{ Φ }}`, where non-stuck WP uses *stuckness bit* `s = NotStuck` while stuck WP uses `s = MaybeStuck`. `````` Ralf Jung committed Oct 26, 2017 926 `````` `````` Ralf Jung committed Aug 29, 2019 927 ``````**Changes in Coq:** `````` Ralf Jung committed Oct 26, 2017 928 `````` `````` Robbert Krebbers committed Dec 14, 2017 929 930 ``````* Move the `prelude` folder to its own project: [coq-std++](https://gitlab.mpi-sws.org/robbertkrebbers/coq-stdpp) `````` Ralf Jung committed Dec 13, 2017 931 932 933 934 935 936 937 938 939 940 941 ``````* Some extensions/improvements of heap_lang: - Improve handling of pure (non-state-dependent) reductions. - Add fetch-and-add (`FAA`) operation. - Add syntax for all Coq's binary operations on `Z`. * Generalize `saved_prop` to let the user choose the location of the type-level later. Rename the general form to `saved_anything`. Provide `saved_prop` and `saved_pred` as special cases. * Improved big operators: + They are no longer tied to cameras, but work on any monoid + The version of big operations over lists was redefined so that it enjoys more definitional equalities. `````` Ralf Jung committed Oct 28, 2017 942 ``````* Rename some things and change notation: `````` Robbert Krebbers committed Oct 26, 2017 943 `````` - The unit of a camera: `empty` -> `unit`, `∅` -> `ε` `````` Ralf Jung committed Oct 29, 2017 944 `````` - Disjointness: `⊥` -> `##` `````` Ralf Jung committed Oct 28, 2017 945 `````` - A proof mode type class `IntoOp` -> `IsOp` `````` Robbert Krebbers committed Oct 26, 2017 946 947 948 949 950 951 `````` - OFEs with all elements being discrete: `Discrete` -> `OfeDiscrete` - OFE elements whose equality is discrete: `Timeless` -> `Discrete` - Timeless propositions: `TimelessP` -> `Timeless` - Camera elements such that `core x = x`: `Persistent` -> `CoreId` - Persistent propositions: `PersistentP` -> `Persistent` - The persistent modality: `always` -> `persistently` `````` Ralf Jung committed Dec 07, 2017 952 `````` - Adequacy for non-stuck weakestpre: `adequate_safe` -> `adequate_not_stuck` `````` Ralf Jung committed Oct 26, 2017 953 `````` - Consistently SnakeCase identifiers: `````` Robbert Krebbers committed Oct 26, 2017 954 955 956 957 958 959 960 961 962 963 `````` + `CMRAMixin` -> `CmraMixin` + `CMRAT` -> `CmraT` + `CMRATotal` -> `CmraTotal` + `CMRAMorphism` -> `CmraMorphism` + `CMRADiscrete` -> `CmraDiscrete` + `UCMRAMixin` -> `UcmraMixin` + `UCMRAT` -> `UcmraT` + `DRAMixin` -> `DraMixin` + `DRAT` -> `DraT` + `STS` -> `Sts` `````` Ralf Jung committed Oct 28, 2017 964 965 `````` - Many lemmas also changed their name. `always_*` became `persistently_*`, and furthermore: (the following list is not complete) `````` Robbert Krebbers committed Oct 26, 2017 966 967 968 969 970 971 972 973 974 975 `````` + `impl_wand` -> `impl_wand_1` (it only involves one direction of the equivalent) + `always_impl_wand` -> `impl_wand` + `always_and_sep_l` -> `and_sep_l` + `always_and_sep_r` -> `and_sep_r` + `always_sep_dup` -> `sep_dup` + `wand_impl_always` -> `impl_wand_persistently` (additionally, the direction of this equivalence got swapped for consistency's sake) + `always_wand_impl` -> `persistently_impl_wand` (additionally, the direction of this equivalence got swapped for consistency's sake) `````` Ralf Jung committed Jun 12, 2019 976 `````` The following `sed` snippet should get you most of the way (on macOS you will `````` Paolo G. Giarrusso committed Jun 21, 2019 977 `````` have to replace `sed` by `gsed`, installed via e.g. `brew install gnu-sed`): `````` Ralf Jung committed Oct 26, 2017 978 ````````` `````` Paolo G. Giarrusso committed Jun 21, 2019 979 ``````sed -i 's/\bPersistentP\b/Persistent/g; s/\bTimelessP\b/Timeless/g; s/\bCMRADiscrete\b/CmraDiscrete/g; s/\bCMRAT\b/CmraT/g; s/\bCMRAMixin\b/CmraMixin/g; s/\bUCMRAT\b/UcmraT/g; s/\bUCMRAMixin\b/UcmraMixin/g; s/\bSTS\b/Sts/g' \$(find -name "*.v") `````` Ralf Jung committed Oct 26, 2017 980 ````````` `````` Ralf Jung committed Dec 13, 2017 981 982 ``````* `PersistentL` and `TimelessL` (persistence and timelessness of lists of propositions) are replaces by `TCForall` from std++. `````` Ralf Jung committed Oct 26, 2017 983 984 ``````* Fix a bunch of consistency issues in the proof mode, and make it overall more usable. In particular: `````` Robbert Krebbers committed Oct 26, 2017 985 986 987 988 989 990 991 992 993 994 `````` - All proof mode tactics start the proof mode if necessary; `iStartProof` is no longer needed and should only be used for building custom proof mode tactics. - Change in the grammar of specialization patterns: `>[...]` -> `[> ...]` - Various new specification patterns for `done` and framing. - There is common machinery for symbolic execution of pure reductions. This is provided by the type classes `PureExec` and `IntoVal`. - There is a new connective `tc_opaque`, which can be used to make definitions opaque for type classes, and thus opaque for most tactics of the proof mode. `````` Ralf Jung committed Oct 28, 2017 995 996 997 998 999 1000 1001 1002 `````` - Define Many missing type class instances for distributing connectives. - Implement the tactics `iIntros (?)` and `iIntros "!#"` (i.e. `iAlways`) using type classes. This makes them more generic, e.g., `iIntros (?)` also works when the universal quantifier is below a modality, and `iAlways` also works for the plainness modality. A breaking change, however, is that these tactics now no longer work when the universal quantifier or modality is behind a type class opaque definition. Furthermore, this can change the name of anonymous identifiers introduced with the "%" pattern. `````` Ralf Jung committed Nov 24, 2017 1003 ``````* Make `ofe_fun` dependently typed, subsuming `iprod`. The latter got removed. `````` Ralf Jung committed Oct 28, 2017 1004 1005 1006 ``````* Define the generic `fill` operation of the `ectxi_language` construct in terms of a left fold instead of a right fold. This gives rise to more definitional equalities. `````` Robbert Krebbers committed Nov 23, 2017 1007 1008 1009 1010 1011 ``````* The language hierarchy (`language`, `ectx_language`, `ectxi_language`) is now fully formalized using canonical structures instead of using a mixture of type classes and canonical structures. Also, it now uses explicit mixins. The file `program_logic/ectxi_language` contains some documentation on how to setup Iris for your language. `````` Ralf Jung committed Dec 13, 2017 1012 1013 ``````* Restore the original, stronger notion of atomicity alongside the weaker notion. These are `Atomic a e` where the stuckness bit `s` indicates whether `````` Robbert Krebbers committed Dec 14, 2017 1014 1015 `````` expression `e` is weakly (`a = WeaklyAtomic`) or strongly (`a = StronglyAtomic`) atomic. `````` Robbert Krebbers committed Oct 26, 2017 1016 1017 1018 1019 ``````* Various improvements to `solve_ndisj`. * Use `Hint Mode` to prevent Coq from making arbitrary guesses in the presence of evars, which often led to divergence. There are a few places where type annotations are now needed. `````` Robbert Krebbers committed Oct 29, 2017 1020 ``````* The rules `internal_eq_rewrite` and `internal_eq_rewrite_contractive` are now `````` Ralf Jung committed Dec 13, 2017 1021 `````` stated in the logic, i.e., they are `iApply`-friendly. `````` Ralf Jung committed Apr 12, 2017 1022 `````` `````` Ralf Jung committed Jan 11, 2017 1023 ``````## Iris 3.0.0 (released 2017-01-11) `````` Ralf Jung committed Aug 08, 2016 1024 `````` `````` Ralf Jung committed Dec 12, 2016 1025 1026 1027 ``````* There now is a deprecation process. The modules `*.deprecated` contain deprecated notations and definitions that are provided for backwards compatibility and will be removed in a future version of Iris. `````` Ralf Jung committed Oct 10, 2016 1028 ``````* View shifts are radically simplified to just internalize frame-preserving `````` Ralf Jung committed Aug 08, 2016 1029 `````` updates. Weakestpre is defined inside the logic, and invariants and view `````` Ralf Jung committed Dec 09, 2016 1030 `````` shifts with masks are also coded up inside Iris. Adequacy of weakestpre is `````` Ralf Jung committed Dec 12, 2016 1031 `````` proven in the logic. The old ownership of the entire physical state is `````` Ralf Jung committed Dec 09, 2016 1032 1033 `````` replaced by a user-selected predicate over physical state that is maintained by weakestpre. `````` Ralf Jung committed Dec 05, 2016 1034 ``````* Use OFEs instead of COFEs everywhere. COFEs are only used for solving the `````` Ralf Jung committed Dec 12, 2016 1035 1036 `````` recursive domain equation. As a consequence, CMRAs no longer need a proof of completeness. (The old `cofeT` is provided by `algebra.deprecated`.) `````` Ralf Jung committed Dec 05, 2016 1037 ``````* Implement a new agreement construction. Unlike the old one, this one `````` Ralf Jung committed Dec 13, 2016 1038 1039 `````` preserves discreteness. dec_agree is thus no longer needed and has been moved to algebra.deprecated. `````` Ralf Jung committed Dec 12, 2016 1040 1041 1042 ``````* Renaming and moving things around: uPred and the rest of the base logic are in `base_logic`, while `program_logic` is for everything involving the general Iris notion of a language. `````` Ralf Jung committed Jan 11, 2017 1043 1044 1045 1046 ``````* Renaming in prelude.list: Rename `prefix_of` -> `prefix` and `suffix_of` -> `suffix` in lemma names, but keep notation ``l1 `prefix_of` l2`` and ``l1 `suffix_of` l2``. `` l1 `sublist` l2`` becomes ``l1 `sublist_of` l2``. Rename `contains` -> `submseteq` and change `` l1 `contains` l2`` to ``l1 ⊆+ l2``. `````` Ralf Jung committed Dec 12, 2016 1047 1048 1049 ``````* Slightly weaker notion of atomicity: an expression is atomic if it reduces in one step to something that does not reduce further. * Changed notation for embedding Coq assertions into Iris. The new notation is `````` Ralf Jung committed Oct 29, 2017 1050 `````` ⌜φ⌝. Also removed `=` and `⊥` from the Iris scope. (The old notations are `````` Ralf Jung committed Dec 12, 2016 1051 `````` provided in `base_logic.deprecated`.) `````` Ralf Jung committed Nov 22, 2016 1052 ``````* Up-closure of namespaces is now a notation (↑) instead of a coercion. `````` Ralf Jung committed Dec 12, 2016 1053 1054 ``````* With invariants and the physical state being handled in the logic, there is no longer any reason to demand the CMRA unit to be discrete. `````` Ralf Jung committed Oct 10, 2016 1055 ``````* The language can now fork off multiple threads at once. `````` Ralf Jung committed Dec 12, 2016 1056 1057 ``````* Local Updates (for the authoritative monoid) are now a 4-way relation with syntax-directed lemmas proving them. `````` Ralf Jung committed Jul 25, 2016 1058 1059 1060 `````` ## Iris 2.0 `````` Ralf Jung committed Jul 25, 2016 1061 1062 1063 1064 ``````* [heap_lang] No longer use dependent types for expressions. Instead, values carry a proof of closedness. Substitution, closedness and value-ness proofs are performed by computation after reflecting into a term langauge that knows about values and closed expressions. `````` Ralf Jung committed Jul 25, 2016 1065 1066 ``````* [program_logic/language] The language does not define its own "atomic" predicate. Instead, atomicity is defined as reducing in one step to a value. `````` Ralf Jung committed Aug 09, 2016 1067 1068 1069 1070 1071 ``````* [program_logic] Due to a lack of maintenance and usefulness, lifting lemmas for Hoare triples are removed. ## Iris 2.0-rc2 `````` Ralf Jung committed Dec 12, 2016 1072 ``````This version matches the final ICFP 2016 paper. `````` Ralf Jung committed Aug 09, 2016 1073 1074 `````` * [algebra] Make the core of an RA or CMRA a partial function. `````` Ralf Jung committed Jul 27, 2016 1075 ``````* [program_logic/lifting] Lifting lemmas no longer round-trip through a `````` Ralf Jung committed Jul 27, 2016 1076 1077 1078 `````` user-chosen predicate to define the configurations we can reduce to; they directly relate to the operational semantics. This is equivalent and much simpler to read. `````` Ralf Jung committed Jul 25, 2016 1079 1080 1081 `````` ## Iris 2.0-rc1 `````` Ralf Jung committed Dec 12, 2016 1082 ``This is the Coq development and Iris Documentation as submitted to ICFP 2016.``