Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • robbert/cmra_valid_elim
  • ralf/separable
  • robbert/mono_Z
  • ralf/Z
  • ralf/bi-persistently-emp
  • ralf/mono_Z
  • ci/robbert/big_op_binder
  • robbert/no_native_compute
  • simon/parametric-index
  • ci/robbert/set_solver_eauto
  • ralf/make
  • ci/msammler/nb_state
  • robbert/add_sub
  • ci/general-contractive
  • ralf/has-lc
  • robbert/has_lc_if
  • robbert/bi_cofe
  • robbert/bi_wand_notation
  • robbert/level
  • iris-4.0.0
  • iris-3.6.0
  • iris-3.5.0
  • iris-3.4.0
  • iris-3.3.0
  • iris-3.2.0
  • iris-3.1.0
  • iris-3.0.0
  • iris-2.0
  • iris-2.0-rc2
  • iris-2.0-rc1
  • iris-1.1
  • iris-1.0
  • hope-2015-coq-1
  • appendix-1.0.0
  • appendix-1
36 results
Blame Permalink
Forked from Iris / Iris
2149 commits behind the upstream repository.
To find the state of this project's repository at the time of any of these versions, check out the tags.
CHANGELOG.md 47.80 KiB

In this changelog, we document "large-ish" changes to Iris that affect even the way the logic is used on paper. We also document changes in the Coq development; every API-breaking change should be listed, but not every new lemma.

Iris master

With this release, we dropped support for Coq 8.9.

Changes in algebra:

  • Rename agree_op_inv' to to_agree_op_inv, agree_op_invL' to to_agree_op_inv_L, and add to_agree_op_invN.
  • Rename auth_auth_frac_op_invL to auth_auth_frac_op_inv_L, excl_auth_agreeL to excl_auth_agree_L, frac_auth_agreeL to frac_auth_agree_L, and ufrac_auth_agreeL to ufrac_auth_agree_L.
  • Add constructions to define a camera through restriction of the validity predicate (iso_cmra_mixin_restrict) and through an isomorphism (iso_cmra_mixin).
  • Add a frac_agree library which encapsulates frac * agree A for some OFE A, and provides some useful lemmas.
  • Fix direction of auth_auth_validN to make it consistent with similar lemmas, e.g., auth_auth_valid. The direction is now ✓{n} (● a) ↔ ✓{n} a.
  • Rename auth_both_valid to auth_both_valid_discrete and auth_both_frac_valid to auth_both_frac_valid_discrete. The old name is used for new, stronger lemmas that do not assume discreteness.
  • Add the view camera view, which generalizes the authoritative camera auth by being parameterized by a relation that relates the authoritative element with the fragments.
  • Redefine the authoritative camera in terms of the view camera. As part of this change, we have removed lemmas that leaked implementation details. Hence, the only way to construct elements of auth is via the elements ●{q} a and ◯ b. The constructor Auth, and the projections auth_auth_proj and auth_frag_proj no longer exist. Lemmas that referred to these constructors have been removed, in particular: auth_equivI, auth_validI, auth_included, auth_valid_discrete, and auth_both_op. For validity, use auth_auth_valid*, auth_frag_valid*, or auth_both_valid* instead.
  • Rename auth_update_core_id into auth_update_frac_alloc.
  • Add the camera of discardable fractions dfrac. This is a generalization of the normal fractional camera. See theories/algebra/dfrac.v for further information.
  • Rename cmra_monotone_valid into cmra_morphism_valid (this rename was forgotten in !56).
  • Add gmap_view, a camera providing a "view of a gmap". The authoritative element is any gmap; the fragment provides fractional ownership of a single key, including support for persistent read-only ownership through dfrac. See theories/algebra/lib/gmap_view.v for further information. NOTE: The API surface for gmap_view is experimental and subject to change.
  • Move the *_validI and *_equivI lemmas to a new module, base_logic.algebra. That module is exported by base_logic.base_logic so it should usually be available everywhere without further changes.
  • The authoritative fragment ✓ (◯ b : auth A) is no longer definitionally equal to ✓ b.
  • Add mnat_auth, a wrapper for auth max_nat. The result is an authoritative nat where a fragment is a lower bound whose ownership is persistent.

Changes in proofmode:

  • The proofmode now preserves user-supplied names for existentials when using iDestruct ... as (?) "...". This is backwards-incompatible if you were relying on the previous automatic names (which were always "H", possibly freshened). It also requires some changes if you were implementing IntoExist yourself, since the typeclass now forwards names. If your instance transforms one IntoExist into another, you can generally just forward the name from the premise.
  • The proofmode also preserves user-supplied names in iIntros, for example with iIntros (?) and iIntros "%", as described for destructing existentials above. As part of this change, it now uses a base name of H for pure facts rather than the previous default of a. This also requires some changes if you were implementing FromForall, in order to forward names.
  • Make iFrame "less" smart w.r.t. clean up of modalities. It now consistently removes the modalities <affine>, <absorbing>, <persistent> and only if the result after framing is True or emp. In particular, it no longer removes <affine> if the result after framing is affine, and it no longer removes if the result after framing is intuitionistic.
  • Allow framing below an <affine> modality if the hypothesis that is framed is affine. (Previously, framing below <affine> was only possible if the hypothesis that is framed resides in the intuitionistic context.)
  • Remove the laws pure_forall_2 : (∀ a, ⌜ φ a ⌝) ⊢ ⌜ ∀ a, φ a ⌝ from the BI interface and factor it into a type class BiPureForall.
  • Add notation ¬ P for P → False to bi_scope.

Changes in the logic (base_logic, bi):

  • Add a ghost_var library that provides (fractional) ownership of a ghost variable of arbitrary Type.
  • Change type of some ghost state lemmas (mostly about allocation) to use instead of (consistent with our usual style). This affects the following lemmas: own_alloc_strong_dep, own_alloc_cofinite_dep, own_alloc_strong, own_alloc_cofinite, own_updateP, saved_anything_alloc_strong, saved_anything_alloc_cofinite, saved_prop_alloc_strong, saved_prop_alloc_cofinite, saved_pred_alloc_strong, saved_pred_alloc_cofinite, auth_alloc_strong, auth_alloc_cofinite, auth_alloc.
  • Change uPred_mono to only require inclusion at the smaller step-index.
  • Put iProp/iPreProp-isomorphism into the own construction. This affects clients that define higher-order ghost state constructions. Concretely, when defining an inG, the functor no longer needs to be applied to iPreProp, but should be applied to iProp. This avoids clients from having to push through the iProp/iPreProp-isomorphism themselves, which is now handled once and for all by the own construction.
  • Rename gen_heap_ctx to gen_heap_interp, since it is meant to be used in the state interpretation of WP and since _ctx is elsewhere used as a suffix indicating "this is a persistent assumption that clients should always have in their context". Likewise, rename proph_map_ctx to proph_map_interp.
  • Move uPred.prod_validI, uPred.option_validI, and uPred.discrete_fun_validI to the new base_logic.algebra module. That module is exported by base_logic.base_logic so these names are now usually available everywhere, and no longer inside the uPred module.
  • Add an mnat library on top of mnat_auth that supports ghost state which is an authoritative, monotonically-increasing nat with a proposition giving a persistent lower bound. See base_logic.lib.mnat for further details.
  • Add big op lemmas big_op{L,L2,M,M2,S}_intuitionistically_forall and big_sepL2_forall, big_sepMS_forall, big_sepMS_impl, and big_sepMS_dup.

Changes in program_logic:

  • wp_strong_adequacy now applies to an initial state with multiple threads instead of only a single thread. The derived adequacy lemmas are unchanged.

The following sed script helps adjust your code to the renaming (on macOS, replace sed by gsed, installed via e.g. brew install gnu-sed). Note that the script is not idempotent, do not run it twice.

sed -i -E -f- $(find theories -name "*.v") <<EOF
# agree and L suffix renames
s/\bagree_op_inv'/to_agree_op_inv/g
s/\bagree_op_invL'/to_agree_op_inv_L/g
s/\bauth_auth_frac_op_invL\b/auth_auth_frac_op_inv_L/g
s/\b(excl|frac|ufrac)_auth_agreeL/\1_auth_agree_L/g
# auth_both_valid
s/\bauth_both_valid\b/auth_both_valid_discrete/g
s/\bauth_both_frac_valid\b/auth_both_frac_valid_discrete/g
# gen_heap_ctx and proph_map_ctx
s/\bgen_heap_ctx\b/gen_heap_interp/g
s/\bproph_map_ctx\b/proph_map_interp/g
EOF

Iris 3.3.0 (released 2020-07-15)

This release does not have any outstanding highlights, but contains a large number of improvements all over the board. For instance:

  • heap_lang now supports deallocation as well as better reasoning about "invariant locations" (locations that perpetually satisfy some Coq-level invariant).
  • Invariants (inv N P) are more flexible, now also supporting splitting and merging of invariants with respect to separating conjunction.
  • Performance of the proofmode for BIs constructed on top of other BIs (e.g., monPred) was greatly improved, leading to up to 70% speedup in individual files. As part of this refactoring, the proofmode can now also be instantiated with entirely "logical" notion of BIs that do not have a (non-trivial) metric structure, and still support reasoning about ▷.
  • The proof mode now provides experimental support for naming pure facts in intro patterns. See iris/string-ident for details.
  • Iris now provides official ASCII notation. We still recommend using the Unicode notation for better consistency and interoperability with other Iris libraries, but provide ASCII notation for when Unicode is not an option.
  • We removed several coercions, fixing "ambiguous coercion path" warnings and solving some readability issues.
  • Coq 8.10, 8.11, and 8.12 are newly supported by this release, and Coq 8.7 and 8.8 are no longer supported.

Further details are given in the changelog below. We always first list the potentially breaking changes, then (some of) the additions.

This release of Iris received contributions by Abel Nieto, Amin Timany, Dan Frumin, Derek Dreyer, Dmitry Khalanskiy, Gregory Malecha, Jacques-Henri Jourdan, Jonas Kastberg, Jules Jacobs, Matthieu Sozeau, Maxime Dénès, Michael Sammler, Paolo G. Giarrusso, Ralf Jung, Robbert Krebbers, Simon Friis Vindum, Simon Spies, and Tej Chajed. Thanks a lot to everyone involved!

Changes in heap_lang:

  • Remove global Open Scope Z_scope from heap_lang.lang, and leave it up to reverse dependencies if they want to Open Scope Z_scope or not.

  • Fix all binary operators performing pointer arithmetic (instead of just the dedicated OffsetOp operator doing that).

  • Rename heap_lang.lifting to heap_lang.primitive_laws. There now also exists heap_lang.derived_laws.

  • Make lemma names for fill more consistent

    • Use the _inv suffix for the the backwards directions: reducible_fillreducible_fill_inv, reducible_no_obs_fillreducible_no_obs_fill_inv, not_stuck_fillnot_stuck_fill_inv.
    • Use the non-_inv names (that freed up) for the forwards directions: reducible_fill, reducible_no_obs_fill, irreducible_fill_inv.

  • Remove namespace N from is_lock.

  • Add support for deallocation of locations via the Free operation.

  • Add a fraction to the heap_lang array assertion.

  • Add lib.array module for deallocating, copying and cloning arrays.

  • Add TWP (total weakest-pre) lemmas for arrays.

  • Add a library for "invariant locations": heap locations that will not be deallocated (i.e., they are GC-managed) and satisfy some pure, Coq-level invariant. See iris.base_logic.lib.gen_inv_heap for details.

  • Add the ghost state for "invariant locations" to heapG. This affects the statement of heap_adequacy, which is now responsible for initializing the "invariant locations" invariant.

  • Add lemma mapsto_mapsto_ne : ¬ ✓(q1 + q2)%Qp → l1 ↦{q1} v1 -∗ l2 ↦{q2} v2 -∗ ⌜l1 ≠ l2⌝.

  • Add lemma is_lock_iff and show that is_lock is contractive.