diff --git a/CHANGELOG.md b/CHANGELOG.md
index 02c7978720449cee7ce22c7f1a497b9ef3bf9c6a..58c63d1e296ca3a6b6332abfb519002d3c290176 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,8 +14,6 @@ Changes in the theory of Iris itself:
 * Add weakest preconditions for total program correctness.
 * "(Potentially) stuck" weakest preconditions and the "plainly modality" are no
   longer considered experimental.
-* The adequacy statement for weakest preconditions now also involves the
-  final state.
 * Add the notion of an "observation" to the language interface, so that
   every reduction step can optionally be marked with an event, and an execution
   trace has a matching list of events.  Change WP so that it is told the entire
@@ -28,8 +26,10 @@ Changes in the theory of Iris itself:
 * Extend the state interpretation with a natural number that keeps track of
   the number of forked-off threads, and have a global fixed proposition that
   describes the postcondition of each forked-off thread (instead of it being
-  `True`). Additionally, there is a stronger variant of the adequacy theorem
-  that allows to make use of the postconditions of the forked-off threads.
+  `True`).
+* A stronger adequacy statement for weakest preconditions that involves
+  the final state, the post-condition of forked-off threads, and also applies if
+  the main-thread has not terminated.
 * The user-chosen functor used to instantiate the Iris logic now goes from
   COFEs to Cameras (it was OFEs to Cameras).
 
diff --git a/docs/program-logic.tex b/docs/program-logic.tex
index 7f1c6a59fe8cb1505b1704506b801938d9cb15b0..354dda8b2e66d410ce2f0848efd3e5e0cebc4f9c 100644
--- a/docs/program-logic.tex
+++ b/docs/program-logic.tex
@@ -250,48 +250,77 @@ This basically just copies the second branch (the non-value case) of the definit
 
 \paragraph{Adequacy of weakest precondition.}
 
+\newcommand\traceprop{\Sigma}
+
 The purpose of the adequacy statement is to show that our notion of weakest preconditions is \emph{realistic} in the sense that it actually has anything to do with the actual behavior of the program.
-There are two properties we are looking for: First of all, the postcondition should reflect actual properties of the values the program can terminate with.
-Second, a proof of a weakest precondition with any postcondition should imply that the program is \emph{safe}, \ie that it does not get stuck.
-
-\begin{defn}[Adequacy]
-  A program $\expr$ in some initial state $\state$ is \emph{adequate} for stuckness  $\stuckness$ and a set $V \subseteq \Val \times \State$ of legal return-value-final-state combinations (written $\expr, \state \vDash_\stuckness V$) if for all $\tpool', \state'$ such that $([\expr], \state) \tpsteps[\vec\obs] (\tpool', \state')$ we have
-\begin{enumerate}
-\item Safety: If $\stuckness = \NotStuck$, then for any $\expr' \in \tpool'$ we have that either $\expr'$ is a
-  value, or \(\red(\expr'_i,\state')\):
-  \[ \stuckness = \NotStuck \Ra \All\expr'\in\tpool'. \toval(\expr') \neq \bot \lor \red(\expr', \state') \]
-  Notice that this is stronger than saying that the thread pool can reduce; we actually assert that \emph{every} non-finished thread can take a step.
-\item Legal return value: If $\tpool'_1$ (the main thread) is a value $\val'$, then $\val' \in V$:
-  \[ \All \val',\tpool''. \tpool' = [\val'] \dplus \tpool'' \Ra (\val',\state') \in V \]
-\end{enumerate}
-\end{defn}
-
-To express the adequacy statement for functional correctness, we assume that the signature $\Sig$ adds a predicate $\pred$ to the logic:
-\[ \pred : \Val \times \State \to \Prop \in \SigFn \]
-Furthermore, we assume that the \emph{interpretation} $\Sem\pred$ of $\pred$ reflects some set $V$ of legal return values and final states into the logic (also see \Sref{sec:model}):
+The most general form of the adequacy statement is about proving properties of arbitrary program executions.
+That is, the goal is to prove a statement of the form
+\[
+\All \expr_0, \state_0, \vec\obs, \tpool_1, \state_1. ([\expr_0], \state_0) \tpsteps[\vec\obs] (\tpool_1, \state_1) \Ra (\expr_0, \state_0, \vec\obs, \tpool_1, \state_1) \in \traceprop
+\]
+for some \emph{meta-level} relation $\traceprop$ characterizing the ``trace property'' we are interested in.
+
+To state the adequacy theorem, we need a way to talk about $\traceprop$ inside Iris.
+To this end, we assume that the signature $\Sig$ contains some predicate $\hat{\traceprop}$:
+\[ \hat{\traceprop} : \Expr \times \State \times \List(\Obs) \times \List(\Expr) \times \State \to \Prop \in \SigFn \]
+Furthermore, we assume that the \emph{interpretation} $\Sem{\hat{\traceprop}}$ of $\hat{\traceprop}$ reflects $\traceprop$ (also see \Sref{sec:model}):
 \[\begin{array}{rMcMl}
-  \Sem\pred &:& \Sem{\Val\times\State\,} \nfn \Sem\Prop \\
-  \Sem\pred &\eqdef& \Lam (\val,\state). \Lam \any. \setComp{n}{(v,\state) \in V}
+  \Sem{\hat{\traceprop}} &:& \Sem{\Expr \times \State \times \List(\Obs) \times \List(\Expr) \times \State\,} \nfn \Sem\Prop \\
+  \Sem{\hat{\traceprop}} &\eqdef& \Lam (\expr_0, \state_0, \vec\obs, \tpool_1, \state_1). \Lam \any. \setComp{n}{(\expr_0, \state_0, \vec\obs, \tpool_1, \state_1) \in \traceprop}
 \end{array}\]
-The signature can of course state arbitrary additional properties of $\pred$, as long as they are proven sound.
+The signature can of course state arbitrary additional properties of $\hat{\traceprop}$, as long as they are proven sound.
+
 The adequacy statement now reads as follows:
 \begin{align*}
- &\All \mask, \expr, \state.
- \\&( \TRUE \proves \All\vec\obs. \pvs[\mask] \Exists \stateinterp, \pred_F. \stateinterp(\state,\vec\obs,0) * \wpre[\stateinterp;\pred_F]{\expr}[\stuckness;\mask]{x.\; \All \state, m. \stateinterp(\state', (), m) \vsW[\top][\emptyset] \pred(x,\state')}) \Ra
- \\&\expr, \state \vDash_\stuckness V
+ &\All \expr_0, \state_0, \vec\obs, \tpool_1, \state_1.\\
+ &( \TRUE \proves \pvs[\top] \Exists \stuckness, \stateinterp, \pred_F, \pred. {}\\
+ &\quad\stateinterp(\state_0,\vec\obs,0) * \wpre[\stateinterp;\pred_F]{\expr_0}[\stuckness;\top]{x.\; \pred(x)} * {}\\
+ &\quad(\All \expr_1, \tpool_1'. \tpool_1 = [\expr_1] \dplus \tpool_1' \wand {}\\
+ &\quad\quad (s = \NotStuck \Ra \All \expr \in \tpool_1. \toval(\expr) \neq \bot \lor \red(\expr, \state_1) ) \wand {}\\
+ &\quad\quad \stateinterp(\state_1, (), |\tpool_1'|) \wand{}\\
+ &\quad\quad (\toval(\expr_1) \ne \bot \wand \pred(\toval(\expr_1))) \wand{}\\
+ &\quad\quad (\Sep[\expr \in \tpool_1'] \toval(\expr) \ne \bot \wand \pred_F(\toval(\expr))) \wand{}\\
+ &\quad\quad \pvs[\top,\emptyset] \hat{\traceprop}(\expr_0, \state_0, \vec\obs, \tpool_1, \state_1) \\
+ &\quad ) \Ra{}\\
+ &([\expr_0], \state_0) \tpsteps[\vec\obs] (\tpool_1, \state_1) \Ra (\expr_0, \state_0, \vec\obs, \tpool_1, \state_1) \in \traceprop
 \end{align*}
-Notice that the state invariant $S$ used by the weakest precondition is chosen \emph{after} doing a fancy update, which allows it to depend on the names of ghost variables that are picked in that initial fancy update.
-Also, notice that the proof of $\expr$ must be performed with a universally quantified list of observations $\vec\obs$, but the \emph{entire} list is known to the proof from the beginning.
+In other words, to show that $\traceprop$ holds for all possible executions of the program, we have to prove an entailment in Iris that, starting from the empty context, proves that the initial state interpretation holds, proves a weakest precondition, \emph{and} proves that $\hat{\traceprop}$ holds under the following assumptions:
+\begin{itemize}
+\item The final thread-pool $\tpool_1$ contains the final state of the main thread $\expr_1$, and any number of additional threads in $\tpool_1'$.
+\item If this is a stuck-free weakest precondition, then all threads in the final thread-pool are either values or are reducible in the final state $\state_1$.
+\item The state interpretation holds for the final state.
+\item If the main thread reduced to a value, the post-condition $\pred$ of the weakest precondition holds for that value.
+\item If any other thread reduced to a value, the forked-thread post-condition $\pred_F$ holds for that value.
+\end{itemize}
+Notice also that the adequacy statement quantifies over the program trace only once, so it can be easily specialized to, say, some particular initial state $\state_0$.
+This lets us show properties that only hold for some executions.
+Furthermore, the state invariant $S$ used by the weakest precondition is chosen \emph{after} doing a fancy update, which allows it to depend on the names of ghost variables that are picked in that initial fancy update.
+
+As an example for how to use this adequacy theorem, let us say we wanted to prove that a program $\expr_0$ for which we derived a $\NotStuck$ weakest-precondition cannot get stuck.
+We would pick
+\[
+\traceprop(\expr_0, \state_0, \vec\obs, \tpool_1, \state_1) \eqdef \All \expr \in \tpool_1. \toval(\expr) \neq \bot \lor \red(\expr, \state_1)
+\]
+and we would show the following in Iris:
+\[
+\TRUE \proves \All \state_0, \vec\obs. \pvs[\top] \Exists \stateinterp, \pred_F, \pred. \stateinterp(\state_0,\vec\obs,0) * \wpre[\stateinterp;\pred_F]{\expr_0}[\NotStuck;\top]{x.\; \pred(x)}
+\]
+The adequacy theorem would then give us:
+\[
+\All \state_0, \vec\obs, \tpool_1, \state_1. ([\expr_0], \state_0) \tpsteps[\vec\obs] (\tpool_1, \state_1) \Ra \All \expr \in \tpool_1. \toval(\expr) \neq \bot \lor \red(\expr, \state_1)
+\]
 
-The following variant of adequacy also allows exploiting the second parameter of $\stateinterp$, the number of threads, but only applies when \emph{all} threads have reduced to a value:
+Similarly, if we wanted to show that the final value of the main thread is always in some set $V \subseteq \Val$, we could pick
+\[
+\traceprop(\expr_0, \state_0, \vec\obs, \tpool_1, \state_1) \eqdef \All\val_1, \tpool_1'. \tpool_1 = [\ofval(\val_1)] \dplus \tpool_1' \Ra \val_1 \in \Val
+\]
+and then we could derive the following from the main adequacy theorem:
 \begin{align*}
- &\All \mask, \expr, \state, \vec\obs, \val, \vec\val, \state'.
- \\&( \TRUE \proves \pvs[\mask] \Exists \stateinterp, \pred_F. \stateinterp(\state,\vec\obs,0) * \wpre[\stateinterp;\pred_F]{\expr}[\stuckness;\mask]%
-      {x.\; \stateinterp(\state',(),|\vec\val|) * \Sep_{y \in \vec\val} \pred_F(y) \vsW[\top][\emptyset]  \pred(x,\state')}) \Ra
- \\&([\expr], \state) \tpsteps[\vec\obs] (\val :: \vec\val, \state') \Ra
- \\&(\val,\state') \in V
+ &(\TRUE \proves \All\state_0, \vec\obs. \pvs[\top] \Exists \stuckness, \stateinterp, \pred_F. \stateinterp(\state_0,\vec\obs,0) * \wpre[\stateinterp;\pred_F]{\expr_0}[\stuckness;\top]{x.\; x \in V}) \Ra{}\\
+ &\All \state_0, \vec\obs, \val_1, \tpool_1, \state_1. ([\expr_0], \state_0) \tpsteps[\vec\obs] ([\ofval(\val_1)] \dplus \tpool_1, \state_1) \Ra \val_1 \in V
 \end{align*}
 
+
 \paragraph{Hoare triples.}
 It turns out that weakest precondition is actually quite convenient to work with, in particular when performing these proofs in Coq.
 Still, for a more traditional presentation, we can easily derive the notion of a Hoare triple:
diff --git a/theories/heap_lang/adequacy.v b/theories/heap_lang/adequacy.v
index 6f13fbb39562e7baac1dc133963f6bc09875a91f..d3b20324a43c4ab9fac2cb3fb95aeed67bf7be80 100644
--- a/theories/heap_lang/adequacy.v
+++ b/theories/heap_lang/adequacy.v
@@ -22,7 +22,8 @@ Proof.
   intros Hwp; eapply (wp_adequacy _ _); iIntros (??) "".
   iMod (gen_heap_init Ïƒ.(heap)) as (?) "Hh".
   iMod (proph_map_init Îºs Ïƒ.(used_proph_id)) as (?) "Hp".
-  iModIntro.
-  iExists (Î» Ïƒ Îºs, (gen_heap_ctx Ïƒ.(heap) âˆ— proph_map_ctx Îºs Ïƒ.(used_proph_id))%I). iFrame.
-  iApply (Hwp (HeapG _ _ _ _)).
+  iModIntro. iExists
+    (Î» Ïƒ Îºs, (gen_heap_ctx Ïƒ.(heap) âˆ— proph_map_ctx Îºs Ïƒ.(used_proph_id))%I),
+    (Î» _, True%I).
+  iFrame. iApply (Hwp (HeapG _ _ _ _)).
 Qed.
diff --git a/theories/program_logic/adequacy.v b/theories/program_logic/adequacy.v
index d6d1480172fb261009959ca23963e1e2f27782b5..3abd61aaa488ba3d9fc456a8664bc72b9461e5ed 100644
--- a/theories/program_logic/adequacy.v
+++ b/theories/program_logic/adequacy.v
@@ -1,4 +1,3 @@
-From stdpp Require Import namespaces.
 From iris.program_logic Require Export weakestpre.
 From iris.algebra Require Import gmap auth agree gset coPset.
 From iris.base_logic.lib Require Import wsat.
@@ -6,32 +5,8 @@ From iris.proofmode Require Import tactics.
 Set Default Proof Using "Type".
 Import uPred.
 
-(* Program logic adequacy *)
-Record adequate {Î›} (s : stuckness) (e1 : expr Î›) (Ïƒ1 : state Î›)
-    (Ï† : val Î› â†’ state Î› â†’ Prop) := {
-  adequate_result t2 Ïƒ2 v2 :
-   rtc erased_step ([e1], Ïƒ1) (of_val v2 :: t2, Ïƒ2) â†’ Ï† v2 Ïƒ2;
-  adequate_not_stuck t2 Ïƒ2 e2 :
-   s = NotStuck â†’
-   rtc erased_step ([e1], Ïƒ1) (t2, Ïƒ2) â†’
-   e2 âˆˆ t2 â†’ (is_Some (to_val e2) âˆ¨ reducible e2 Ïƒ2)
-}.
-
-Theorem adequate_tp_safe {Î›} (e1 : expr Î›) t2 Ïƒ1 Ïƒ2 Ï† :
-  adequate NotStuck e1 Ïƒ1 Ï† â†’
-  rtc erased_step ([e1], Ïƒ1) (t2, Ïƒ2) â†’
-  Forall (Î» e, is_Some (to_val e)) t2 âˆ¨ âˆƒ Îº t3 Ïƒ3, step (t2, Ïƒ2) Îº (t3, Ïƒ3).
-Proof.
-  intros Had ?.
-  destruct (decide (Forall (Î» e, is_Some (to_val e)) t2)) as [|Ht2]; [by left|].
-  apply (not_Forall_Exists _), Exists_exists in Ht2; destruct Ht2 as (e2&?&He2).
-  destruct (adequate_not_stuck NotStuck e1 Ïƒ1 Ï† Had t2 Ïƒ2 e2) as [?|(Îº&e3&Ïƒ3&efs&?)];
-    rewrite ?eq_None_not_Some; auto.
-  { exfalso. eauto. }
-  destruct (elem_of_list_split t2 e2) as (t2'&t2''&->); auto.
-  right; exists Îº, (t2' ++ e3 :: t2'' ++ efs), Ïƒ3; econstructor; eauto.
-Qed.
-
+(** This file contains the adequacy statements of the Iris program logic. First
+we prove a number of auxilary results. *)
 Section adequacy.
 Context `{!irisG Î› Î£}.
 Implicit Types e : expr Î›.
@@ -92,184 +67,163 @@ Proof.
   by iApply (IH with "HÏƒ He Ht").
 Qed.
 
-Lemma wptp_result Ï† Îºs' s n e1 t1 Îºs v2 t2 Ïƒ1 Ïƒ2  :
-  nsteps n (e1 :: t1, Ïƒ1) Îºs (of_val v2 :: t2, Ïƒ2) â†’
-  state_interp Ïƒ1 (Îºs ++ Îºs') (length t1) -âˆ—
-  WP e1 @ s; âŠ¤ {{ v, âˆ€ Ïƒ, state_interp Ïƒ Îºs' (length t2) ={âŠ¤,âˆ…}=âˆ— âŒœÏ† v ÏƒâŒ }} -âˆ—
-  wptp s t1 ={âŠ¤,âˆ…}â–·=âˆ—^(S n) âŒœÏ† v2 Ïƒ2âŒ.
-Proof.
-  iIntros (?) "HÏƒ He Ht". rewrite Nat_iter_S_r.
-  iDestruct (wptp_steps with "HÏƒ He Ht") as "H"; first done.
-  iApply (step_fupdN_wand with "H").
-  iDestruct 1 as (e2 t2' ?) "(HÏƒ & H & _)"; simplify_eq.
-  iMod (wp_value_inv' with "H") as "H".
-  iMod (fupd_plain_mask_empty _ âŒœÏ† v2 Ïƒ2âŒ%I with "[H HÏƒ]") as %?.
-  { by iMod ("H" with "HÏƒ") as "$". }
-  by iApply step_fupd_intro.
-Qed.
-
-Lemma wptp_all_result Ï† Îºs' s n e1 t1 Îºs v2 vs2 Ïƒ1 Ïƒ2 :
-  nsteps n (e1 :: t1, Ïƒ1) Îºs (of_val <$> v2 :: vs2, Ïƒ2) â†’
-  state_interp Ïƒ1 (Îºs ++ Îºs') (length t1) -âˆ—
-  WP e1 @ s; âŠ¤ {{ v,
-    state_interp Ïƒ2 Îºs' (length vs2) -âˆ—
-    ([âˆ— list] v âˆˆ vs2, fork_post v) ={âŠ¤,âˆ…}=âˆ— âŒœÏ† v âŒ }} -âˆ—
-  wptp s t1
-  ={âŠ¤,âˆ…}â–·=âˆ—^(S n) âŒœÏ† v2 âŒ.
-Proof.
-  iIntros (Hstep) "HÏƒ He Ht". rewrite Nat_iter_S_r.
-  iDestruct (wptp_steps with "HÏƒ He Ht") as "H"; first done.
-  iApply (step_fupdN_wand with "H").
-  iDestruct 1 as (e2 t2' ?) "(HÏƒ & H & Hvs)"; simplify_eq/=.
-  rewrite fmap_length. iMod (wp_value_inv' with "H") as "H".
-  iAssert ([âˆ— list] v âˆˆ vs2, fork_post v)%I with "[> Hvs]" as "Hm".
-  { clear Hstep. iInduction vs2 as [|v vs] "IH"; csimpl; first by iFrame.
-    iDestruct "Hvs" as "[Hv Hvs]".
-    iMod (wp_value_inv' with "Hv") as "$". by iApply "IH". }
-  iMod (fupd_plain_mask_empty _ âŒœÏ† v2âŒ%I with "[H Hm HÏƒ]") as %?.
-  { iApply ("H" with "HÏƒ Hm"). }
-  by iApply step_fupd_intro.
-Qed.
-
 Lemma wp_safe Îºs m e Ïƒ Î¦ :
   state_interp Ïƒ Îºs m -âˆ—
-  WP e {{ Î¦ }} ={âŠ¤,âˆ…}â–·=âˆ— âŒœis_Some (to_val e) âˆ¨ reducible e ÏƒâŒ.
+  WP e {{ Î¦ }} ={âŠ¤}=âˆ— âŒœis_Some (to_val e) âˆ¨ reducible e ÏƒâŒ.
 Proof.
   rewrite wp_unfold /wp_pre. iIntros "HÏƒ H".
-  destruct (to_val e) as [v|] eqn:?.
-  { iApply step_fupd_intro. set_solver. eauto. }
-  iMod (fupd_plain_mask_empty _ âŒœreducible e ÏƒâŒ%I with "[H HÏƒ]") as %?.
-  { by iMod ("H" $! Ïƒ [] Îºs with "HÏƒ") as "[$ H]". }
-  iApply step_fupd_intro; first by set_solver+. 
-  iIntros "!> !%". by right.
+  destruct (to_val e) as [v|] eqn:?; first by eauto.
+  iSpecialize ("H" $! Ïƒ [] Îºs with "HÏƒ"). rewrite sep_elim_l.
+  iMod (fupd_plain_mask with "H") as %?; eauto.
 Qed.
 
-Lemma wptp_safe Îºs' n e1 Îºs e2 t1 t2 Ïƒ1 Ïƒ2 Î¦ :
-  nsteps n (e1 :: t1, Ïƒ1) Îºs (t2, Ïƒ2) â†’ e2 âˆˆ t2 â†’
-  state_interp Ïƒ1 (Îºs ++ Îºs') (length t1) -âˆ— WP e1 {{ Î¦ }} -âˆ— wptp NotStuck t1
-  ={âŠ¤,âˆ…}â–·=âˆ—^(S n) âŒœis_Some (to_val e2) âˆ¨ reducible e2 Ïƒ2âŒ.
-Proof.
-  iIntros (? He2) "HÏƒ He Ht". rewrite Nat_iter_S_r.
-  iDestruct (wptp_steps  with "HÏƒ He Ht") as "H"; first done.
-  iApply (step_fupdN_wand with "H").
-  iDestruct 1 as (e2' t2' ?) "(HÏƒ & H & Ht)"; simplify_eq.
-  apply elem_of_cons in He2 as [<-|(t1''&t2''&->)%elem_of_list_split].
-  - iMod (wp_safe with "HÏƒ H") as "$"; auto.
-  - iDestruct "Ht" as "(_ & He2 & _)". by iMod (wp_safe with "HÏƒ He2").
-Qed.
-
-Lemma wptp_invariance Ï† s n e1 Îºs Îºs' t1 t2 Ïƒ1 Ïƒ2 Î¦ :
+Lemma wptp_strong_adequacy Î¦ Îºs' s n e1 t1 Îºs e2 t2 Ïƒ1 Ïƒ2 :
   nsteps n (e1 :: t1, Ïƒ1) Îºs (t2, Ïƒ2) â†’
-  (state_interp Ïƒ2 Îºs' (pred (length t2)) ={âŠ¤,âˆ…}=âˆ— âŒœÏ†âŒ) -âˆ—
   state_interp Ïƒ1 (Îºs ++ Îºs') (length t1) -âˆ—
-  WP e1 @ s; âŠ¤ {{ Î¦ }} -âˆ— wptp s t1
-  ={âŠ¤,âˆ…}â–·=âˆ—^(S n) âŒœÏ†âŒ.
+  WP e1 @ s; âŠ¤ {{ Î¦ }} -âˆ—
+  wptp s t1 ={âŠ¤,âˆ…}â–·=âˆ—^(S n) âˆƒ e2 t2',
+    âŒœ t2 = e2 :: t2' âŒ âˆ—
+    âŒœ âˆ€ e2, s = NotStuck â†’ e2 âˆˆ t2 â†’ (is_Some (to_val e2) âˆ¨ reducible e2 Ïƒ2) âŒ âˆ—
+    state_interp Ïƒ2 Îºs' (length t2') âˆ—
+    from_option Î¦ True (to_val e2) âˆ—
+    ([âˆ— list] v âˆˆ omap to_val t2', fork_post v).
 Proof.
-  iIntros (?) "HÏ† HÏƒ He Ht". rewrite Nat_iter_S_r.
-  iDestruct (wptp_steps _ n with "HÏƒ He Ht") as "H"; first done.
-  iApply (step_fupdN_wand with "H"). iDestruct 1 as (e2' t2' ->) "[HÏƒ _]".
-  iMod (fupd_plain_mask_empty _ âŒœÏ†âŒ%I with "(HÏ† HÏƒ)") as %?.
-  by iApply step_fupd_intro.
+  iIntros (Hstep) "HÏƒ He Ht". rewrite Nat_iter_S_r.
+  iDestruct (wptp_steps with "HÏƒ He Ht") as "Hwp"; first done.
+  iApply (step_fupdN_wand with "Hwp").
+  iDestruct 1 as (e2' t2' ?) "(HÏƒ & Hwp & Ht)"; simplify_eq/=.
+  iMod (fupd_plain_keep_l âŠ¤
+    âŒœ âˆ€ e2, s = NotStuck â†’ e2 âˆˆ (e2' :: t2') â†’ (is_Some (to_val e2) âˆ¨ reducible e2 Ïƒ2) âŒ%I
+    (state_interp Ïƒ2 Îºs' (length t2') âˆ— WP e2' @ s; âŠ¤ {{ v, Î¦ v }} âˆ— wptp s t2')%I
+    with "[$HÏƒ $Hwp $Ht]") as "(Hsafe&HÏƒ&Hwp&Hvs)".
+  { iIntros "(HÏƒ & Hwp & Ht)" (e' -> He').
+    apply elem_of_cons in He' as [<-|(t1''&t2''&->)%elem_of_list_split].
+    - iMod (wp_safe with "HÏƒ Hwp") as "$"; auto.
+    - iDestruct "Ht" as "(_ & He' & _)". by iMod (wp_safe with "HÏƒ He'"). }
+  iApply step_fupd_fupd. iApply step_fupd_intro; first done. iNext.
+  iExists _, _. iSplitL ""; first done. iFrame "Hsafe HÏƒ".
+  iSplitL "Hwp".
+  - destruct (to_val e2') as [v2|] eqn:He2'; last done.
+    apply of_to_val in He2' as <-. iApply (wp_value_inv' with "Hwp").
+  - clear Hstep. iInduction t2' as [|e t2'] "IH"; csimpl; first by iFrame.
+    iDestruct "Hvs" as "[Hv Hvs]". destruct (to_val e) as [v|] eqn:He.
+    + apply of_to_val in He as <-. iMod (wp_value_inv' with "Hv") as "$".
+      by iApply "IH".
+    + by iApply "IH".
 Qed.
 End adequacy.
 
-Theorem wp_strong_adequacy Î£ Î› `{!invPreG Î£} s e Ïƒ Ï† :
-  (âˆ€ `{Hinv : !invG Î£} Îºs,
+(** Iris's generic adequacy result *)
+Theorem wp_strong_adequacy Î£ Î› `{!invPreG Î£} s e Ïƒ1 n Îºs t2 Ïƒ2 Ï† :
+  (âˆ€ `{Hinv : !invG Î£},
      (|={âŠ¤}=> âˆƒ
          (stateI : state Î› â†’ list (observation Î›) â†’ nat â†’ iProp Î£)
-         (fork_post : val Î› â†’ iProp Î£),
+         (Î¦ fork_post : val Î› â†’ iProp Î£),
        let _ : irisG Î› Î£ := IrisG _ _ Hinv stateI fork_post in
-       (* This could be strengthened so that Ï† also talks about the number 
-       of forked-off threads *)
-       stateI Ïƒ Îºs 0 âˆ— WP e @ s; âŠ¤ {{ v, âˆ€ Ïƒ m, stateI Ïƒ [] m ={âŠ¤,âˆ…}=âˆ— âŒœÏ† v ÏƒâŒ }})%I) â†’
-  adequate s e Ïƒ Ï†.
+       stateI Ïƒ1 Îºs 0 âˆ—
+       WP e @ s; âŠ¤ {{ Î¦ }} âˆ—
+       (âˆ€ e2 t2',
+         (* e2 is the final state of the main thread, t2' the rest *)
+         âŒœ t2 = e2 :: t2' âŒ -âˆ—
+         (* If this is a stuck-free triple (i.e. [s = NotStuck]), then all
+         threads in [t2] are either done (a value) or reducible *)
+         âŒœ âˆ€ e2, s = NotStuck â†’ e2 âˆˆ t2 â†’ (is_Some (to_val e2) âˆ¨ reducible e2 Ïƒ2) âŒ -âˆ—
+         (* The state interpretation holds for [Ïƒ2] *)
+         stateI Ïƒ2 [] (length t2') -âˆ—
+         (* If the main thread is done, its post-condition [Î¦] holds *)
+         from_option Î¦ True (to_val e2) -âˆ—
+         (* For all threads that are done, their postcondition [fork_post] holds. *)
+         ([âˆ— list] v âˆˆ omap to_val t2', fork_post v) -âˆ—
+         (* Under all these assumptions, and while opening all invariants, we
+         can conclude [Ï†] in the logic. After opening all required invariants,
+         one can use [fupd_intro_mask'] or [fupd_mask_weaken] to introduce the
+         fancy update. *)
+         |={âŠ¤,âˆ…}=> âŒœ Ï† âŒ))%I) â†’
+  nsteps n ([e], Ïƒ1) Îºs (t2, Ïƒ2) â†’
+  (* Then we can conclude [Ï†] at the meta-level. *)
+  Ï†.
 Proof.
-  intros Hwp; split.
-  - intros t2 Ïƒ2 v2 [n [Îºs ?]]%erased_steps_nsteps.
-    eapply (step_fupdN_soundness' _ (S (S n)))=> Hinv. rewrite Nat_iter_S.
-    iMod (Hwp _ (Îºs ++ [])) as (stateI fork_post) "[HÏƒ Hwp]".
-    iApply step_fupd_intro; first done. iModIntro.
-    iApply (@wptp_result _ _ (IrisG _ _ Hinv stateI fork_post) with "[HÏƒ] [Hwp]"); eauto.
-    iApply (wp_wand with "Hwp"). iIntros (v) "H"; iIntros (Ïƒ'). iApply "H".
-  - destruct s; last done. intros t2 Ïƒ2 e2 _ [n [Îºs ?]]%erased_steps_nsteps ?.
-    eapply (step_fupdN_soundness' _ (S (S n)))=> Hinv. rewrite Nat_iter_S.
-    iMod (Hwp _ (Îºs ++ [])) as (stateI fork_post) "[HÏƒ Hwp]".
-    iApply step_fupd_intro; first done. iModIntro.
-    iApply (@wptp_safe _ _ (IrisG _ _ Hinv stateI fork_post) with "[HÏƒ] Hwp"); eauto.
+  intros Hwp ?.
+  eapply (step_fupdN_soundness' _ (S (S n)))=> Hinv. rewrite Nat_iter_S.
+  iMod Hwp as (stateI Î¦ fork_post) "(HÏƒ & Hwp & HÏ†)".
+  iApply step_fupd_intro; [done|]; iModIntro.
+  iApply step_fupdN_S_fupd. iApply (step_fupdN_wand with "[-HÏ†]").
+  { iApply (@wptp_strong_adequacy _ _ (IrisG _ _ Hinv stateI fork_post) _ []
+    with "[HÏƒ] Hwp"); eauto; by rewrite right_id_L. }
+  iIntros "Hpost". iDestruct "Hpost" as (e2 t2' ->) "(? & ? & ? & ?)".
+  iApply fupd_plain_mask_empty.
+  iMod ("HÏ†" with "[% //] [$] [$] [$] [$]"). done.
 Qed.
 
-Theorem wp_adequacy Î£ Î› `{!invPreG Î£} s e Ïƒ Ï† :
-  (âˆ€ `{Hinv : !invG Î£} Îºs,
-     (|={âŠ¤}=> âˆƒ stateI : state Î› â†’ list (observation Î›) â†’ iProp Î£,
-       let _ : irisG Î› Î£ := IrisG _ _ Hinv (Î» Ïƒ Îºs _, stateI Ïƒ Îºs) (Î» _, True%I) in
-       stateI Ïƒ Îºs âˆ— WP e @ s; âŠ¤ {{ v, âŒœÏ† vâŒ }})%I) â†’
-  adequate s e Ïƒ (Î» v _, Ï† v).
-Proof.
-  intros Hwp. apply (wp_strong_adequacy Î£ _)=> Hinv Îºs.
-  iMod Hwp as (stateI) "[HÏƒ H]". iExists (Î» Ïƒ Îºs _, stateI Ïƒ Îºs), (Î» _, True%I).
-  iIntros "{$HÏƒ} !>".
-  iApply (wp_wand with "H"). iIntros (v ? Ïƒ') "_".
-  iIntros "_". by iApply fupd_mask_weaken.
-Qed.
+(** Since the full adequacy statement is quite a mouthful, we prove some more
+intuitive and simpler corollaries. These lemmas are morover stated in terms of
+[rtc erased_step] so one does not have to provide the trace. *)
+Record adequate {Î›} (s : stuckness) (e1 : expr Î›) (Ïƒ1 : state Î›)
+    (Ï† : val Î› â†’ state Î› â†’ Prop) := {
+  adequate_result t2 Ïƒ2 v2 :
+   rtc erased_step ([e1], Ïƒ1) (of_val v2 :: t2, Ïƒ2) â†’ Ï† v2 Ïƒ2;
+  adequate_not_stuck t2 Ïƒ2 e2 :
+   s = NotStuck â†’
+   rtc erased_step ([e1], Ïƒ1) (t2, Ïƒ2) â†’
+   e2 âˆˆ t2 â†’ (is_Some (to_val e2) âˆ¨ reducible e2 Ïƒ2)
+}.
 
-(* Special adequacy for when *all threads* evaluate to a value.  Here we let the
-user pick the one list of observations for which the proof needs to apply.  If
-you just got an [rtc erased_step], use [erased_steps_nsteps]. *)
-Theorem wp_strong_all_adequacy Î£ Î› `{!invPreG Î£} s e Ïƒ1 n Îºs v vs Ïƒ2 Ï† :
-  (âˆ€ `{Hinv : !invG Î£},
-     (|={âŠ¤}=> âˆƒ
-         (stateI : state Î› â†’ list (observation Î›) â†’ nat â†’ iProp Î£)
-         (fork_post : val Î› â†’ iProp Î£),
-       let _ : irisG Î› Î£ := IrisG _ _ Hinv stateI fork_post in
-       stateI Ïƒ1 Îºs 0 âˆ— WP e @ s; âŠ¤ {{ v,
-         stateI Ïƒ2 [] (length vs) -âˆ—
-         ([âˆ— list] v âˆˆ vs, fork_post v) ={âŠ¤,âˆ…}=âˆ— âŒœ Ï† v âŒ }})%I) â†’
-  nsteps n ([e], Ïƒ1) Îºs (of_val <$> v :: vs, Ïƒ2) â†’
-  Ï† v.
+Lemma adequate_alt {Î›} s e1 Ïƒ1 (Ï† : val Î› â†’ state Î› â†’ Prop) :
+  adequate s e1 Ïƒ1 Ï† â†” âˆ€ t2 Ïƒ2,
+    rtc erased_step ([e1], Ïƒ1) (t2, Ïƒ2) â†’
+      (âˆ€ v2 t2', t2 = of_val v2 :: t2' â†’ Ï† v2 Ïƒ2) âˆ§
+      (âˆ€ e2, s = NotStuck â†’ e2 âˆˆ t2 â†’ (is_Some (to_val e2) âˆ¨ reducible e2 Ïƒ2)).
+Proof. split. intros []; naive_solver. constructor; naive_solver. Qed.
+
+Theorem adequate_tp_safe {Î›} (e1 : expr Î›) t2 Ïƒ1 Ïƒ2 Ï† :
+  adequate NotStuck e1 Ïƒ1 Ï† â†’
+  rtc erased_step ([e1], Ïƒ1) (t2, Ïƒ2) â†’
+  Forall (Î» e, is_Some (to_val e)) t2 âˆ¨ âˆƒ t3 Ïƒ3, erased_step (t2, Ïƒ2) (t3, Ïƒ3).
 Proof.
-  intros Hwp ?.
-  eapply (step_fupdN_soundness' _ (S (S n)))=> Hinv. rewrite Nat_iter_S.
-  iMod Hwp as (stateI fork_post) "[HÏƒ Hwp]".
-  iApply step_fupd_intro; first done. iModIntro.
-  iApply (@wptp_all_result _ _ (IrisG _ _ Hinv stateI fork_post)
-    with "[HÏƒ] [Hwp]"); eauto. by rewrite right_id_L.
+  intros Had ?.
+  destruct (decide (Forall (Î» e, is_Some (to_val e)) t2)) as [|Ht2]; [by left|].
+  apply (not_Forall_Exists _), Exists_exists in Ht2; destruct Ht2 as (e2&?&He2).
+  destruct (adequate_not_stuck NotStuck e1 Ïƒ1 Ï† Had t2 Ïƒ2 e2) as [?|(Îº&e3&Ïƒ3&efs&?)];
+    rewrite ?eq_None_not_Some; auto.
+  { exfalso. eauto. }
+  destruct (elem_of_list_split t2 e2) as (t2'&t2''&->); auto.
+  right; exists (t2' ++ e3 :: t2'' ++ efs), Ïƒ3, Îº; econstructor; eauto.
 Qed.
 
-Theorem wp_invariance Î£ Î› `{!invPreG Î£} s e Ïƒ1 t2 Ïƒ2 Ï† :
-  (âˆ€ `{Hinv : !invG Î£} Îºs Îºs',
+Corollary wp_adequacy Î£ Î› `{!invPreG Î£} s e Ïƒ Ï† :
+  (âˆ€ `{Hinv : !invG Î£} Îºs,
      (|={âŠ¤}=> âˆƒ
-         (stateI : state Î› â†’ list (observation Î›) â†’ nat â†’ iProp Î£)
+         (stateI : state Î› â†’ list (observation Î›) â†’ iProp Î£)
          (fork_post : val Î› â†’ iProp Î£),
-       let _ : irisG Î› Î£ := IrisG _ _ Hinv stateI fork_post in
-       stateI Ïƒ1 (Îºs ++ Îºs') 0 âˆ— WP e @ s; âŠ¤ {{ _, True }} âˆ—
-       (stateI Ïƒ2 Îºs' (pred (length t2)) ={âŠ¤,âˆ…}=âˆ— âŒœÏ†âŒ))%I) â†’
-  rtc erased_step ([e], Ïƒ1) (t2, Ïƒ2) â†’
-  Ï†.
+       let _ : irisG Î› Î£ := IrisG _ _ Hinv (Î» Ïƒ Îºs _, stateI Ïƒ Îºs) fork_post in
+       stateI Ïƒ Îºs âˆ— WP e @ s; âŠ¤ {{ v, âŒœÏ† vâŒ }})%I) â†’
+  adequate s e Ïƒ (Î» v _, Ï† v).
 Proof.
-  intros Hwp [n [Îºs ?]]%erased_steps_nsteps.
-  apply (step_fupdN_soundness' _ (S (S n)))=> Hinv. rewrite Nat_iter_S.
-  iMod (Hwp Hinv Îºs []) as (Istate fork_post) "(HÏƒ & Hwp & Hclose)".
-  iApply step_fupd_intro; first done.
-  iApply (@wptp_invariance _ _ (IrisG _ _ Hinv Istate fork_post)
-    with "Hclose [HÏƒ] [Hwp]"); eauto.
+  intros Hwp. apply adequate_alt; intros t2 Ïƒ2 [n [Îºs ?]]%erased_steps_nsteps.
+  eapply (wp_strong_adequacy Î£ _); [|done]=> ?.
+  iMod Hwp as (stateI fork_post) "[HÏƒ Hwp]".
+  iExists (Î» Ïƒ Îºs _, stateI Ïƒ Îºs), (Î» v, âŒœÏ† vâŒ%I), fork_post.
+  iIntros "{$HÏƒ $Hwp} !>" (e2 t2' -> ?) "_ H _".
+  iApply fupd_mask_weaken; [done|]. iSplit; [|done].
+  iIntros (v2 t2'' [= -> <-]). by rewrite to_of_val.
 Qed.
 
-(* An equivalent version that does not require finding [fupd_intro_mask'], but
-can be confusing to use. *)
-Corollary wp_invariance' Î£ Î› `{!invPreG Î£} s e Ïƒ1 t2 Ïƒ2 Ï† :
-  (âˆ€ `{Hinv : !invG Î£} Îºs Îºs',
+Corollary wp_invariance Î£ Î› `{!invPreG Î£} s e Ïƒ1 t2 Ïƒ2 Ï† :
+  (âˆ€ `{Hinv : !invG Î£} Îºs,
      (|={âŠ¤}=> âˆƒ
          (stateI : state Î› â†’ list (observation Î›) â†’ nat â†’ iProp Î£)
          (fork_post : val Î› â†’ iProp Î£),
        let _ : irisG Î› Î£ := IrisG _ _ Hinv stateI fork_post in
        stateI Ïƒ1 Îºs 0 âˆ— WP e @ s; âŠ¤ {{ _, True }} âˆ—
-       (stateI Ïƒ2 Îºs' (pred (length t2)) -âˆ— âˆƒ E, |={âŠ¤,E}=> âŒœÏ†âŒ))%I) â†’
+       (stateI Ïƒ2 [] (pred (length t2)) -âˆ— âˆƒ E, |={âŠ¤,E}=> âŒœÏ†âŒ))%I) â†’
   rtc erased_step ([e], Ïƒ1) (t2, Ïƒ2) â†’
   Ï†.
 Proof.
-  intros Hwp. eapply wp_invariance; first done.
-  intros Hinv Îºs Îºs'. iMod (Hwp Hinv) as (stateI fork_post) "(? & ? & HÏ†)".
-  iModIntro. iExists stateI, fork_post. iFrame. iIntros "HÏƒ".
+  intros Hwp [n [Îºs ?]]%erased_steps_nsteps.
+  eapply (wp_strong_adequacy Î£ _); [|done]=> ?.
+  iMod (Hwp _ Îºs) as (stateI fork_post) "(HÏƒ & Hwp & HÏ†)".
+  iExists stateI, (Î» _, True)%I, fork_post.
+  iIntros "{$HÏƒ $Hwp} !>" (e2 t2' -> _) "HÏƒ _ _ /=".
   iDestruct ("HÏ†" with "HÏƒ") as (E) ">HÏ†".
   by iApply fupd_mask_weaken; first set_solver.
 Qed.
diff --git a/theories/program_logic/ownp.v b/theories/program_logic/ownp.v
index c57af7bba3ca6202ef6cfddec5a0b6d710803990..a99eaa683aceed22b09865490f8bd8c06ec2952e 100644
--- a/theories/program_logic/ownp.v
+++ b/theories/program_logic/ownp.v
@@ -55,7 +55,7 @@ Proof.
   iIntros (? Îºs).
   iMod (own_alloc (â— (Excl' Ïƒ) â‹… â—¯ (Excl' Ïƒ))) as (Î³Ïƒ) "[HÏƒ HÏƒf]";
     first by apply auth_both_valid.
-  iModIntro. iExists (Î» Ïƒ Îºs, own Î³Ïƒ (â— (Excl' Ïƒ)))%I.
+  iModIntro. iExists (Î» Ïƒ Îºs, own Î³Ïƒ (â— (Excl' Ïƒ)))%I, (Î» _, True%I).
   iFrame "HÏƒ".
   iApply (Hwp (OwnPG _ _ _ _ Î³Ïƒ)). rewrite /ownP. iFrame.
 Qed.
@@ -68,14 +68,14 @@ Theorem ownP_invariance Î£ `{!ownPPreG Î› Î£} s e Ïƒ1 t2 Ïƒ2 Ï† :
   Ï† Ïƒ2.
 Proof.
   intros Hwp Hsteps. eapply (wp_invariance Î£ Î› s e Ïƒ1 t2 Ïƒ2 _)=> //.
-  iIntros (? Îºs Îºs').
+  iIntros (? Îºs).
   iMod (own_alloc (â— (Excl' Ïƒ1) â‹… â—¯ (Excl' Ïƒ1))) as (Î³Ïƒ) "[HÏƒ HÏƒf]";
     first by apply auth_both_valid.
   iExists (Î» Ïƒ Îºs' _, own Î³Ïƒ (â— (Excl' Ïƒ)))%I, (Î» _, True%I).
   iFrame "HÏƒ".
   iMod (Hwp (OwnPG _ _ _ _ Î³Ïƒ) with "[HÏƒf]") as "[$ H]";
     first by rewrite /ownP; iFrame.
-  iIntros "!> HÏƒ". iMod "H" as (Ïƒ2') "[HÏƒf %]". rewrite /ownP.
+  iIntros "!> HÏƒ". iExists âˆ…. iMod "H" as (Ïƒ2') "[HÏƒf %]". rewrite /ownP.
   iDestruct (own_valid_2 with "HÏƒ HÏƒf")
     as %[Hp%Excl_included _]%auth_both_valid; simplify_eq; auto.
 Qed.