[stack] Finish the stack module refinement

d6237350 · Dan Frumin · a8c7557d · d6237350 · d6237350 · d6237350
Commit d6237350 authored Sep 13, 2017 by Dan Frumin
4 changed files
--- a/_CoqProject
+++ b/_CoqProject
@@ -33,6 +33,7 @@ theories/examples/stack/stack_rules.v
 theories/examples/stack/CG_stack.v
 theories/examples/stack/FG_stack.v
 theories/examples/stack/refinement.v
+theories/examples/stack/module_refinement.v
 theories/examples/stack/mailbox.v
 theories/examples/stack/helping.v
 theories/tests/typetest.v

--- a/theories/examples/stack/module_refinement.v
+++ b/theories/examples/stack/module_refinement.v
@@ -4,17 +4,17 @@ From iris_logrel.examples.stack Require Import
  CG_stack FG_stack stack_rules refinement.

 Section Mod_refinement.
-  Context `{logrelG Σ, stackG Σ}.
+  Context `{HLR : logrelG Σ}.
  Notation D := (prodC valC valC -n> iProp Σ).
  Implicit Types Δ : listC D.
  Import lang.

-  Program Definition sint `{logrelG Σ, stackG Σ} τi : prodC valC valC -n> iProp Σ := λne vv,
-    (∃ (l stk stk' : loc), ⌜(vv.2) = (# stk', # l)%V⌝ ∗ ⌜(vv.1) = #stk⌝
-      ∗ inv stackN (sinv τi stk stk' l))%I.
-  Next Obligation. solve_proper. Qed.
+  Program Definition sint {LG : logrelG Σ} {Z : stackPreG Σ} τi : prodC valC valC -n> iProp Σ := λne vv,
+    (∃ γ (l stk stk' : loc), ⌜(vv.2) = (#stk', #l)%V⌝ ∗ ⌜(vv.1) = #stk⌝
+      ∗ inv (stackN .@ (stk,stk')) (sinv' γ τi stk stk' l))%I.
+  Solve Obligations with solve_proper.

-  Instance sint_persistent τi vv : PersistentP (sint τi vv).
+  Instance sint_persistent `{logrelG Σ, stackPreG Σ} τi vv : PersistentP (sint τi vv).
  Proof. apply _. Qed.

  Lemma interp_subst_up_2 Δ1 Δ2 τ τi :
@@ -60,7 +60,7 @@ Section Mod_refinement.
    by rewrite -interp_subst_2.
  Qed.
  
-  Lemma module_refinmenet Δ Γ :
+  Lemma module_refinement `{SPG : stackPreG Σ} Δ Γ :
    {⊤,⊤;Δ;Γ} ⊨ FG_stack.stackmod ≤log≤ CG_stack.stackmod : TForall $ TExists $ TProd (TProd
                                                 (TArrow TUnit (TVar 0))
                                                 (TArrow (TVar 0) (TSum TUnit (TVar 1))))
@@ -79,13 +79,29 @@ Section Mod_refinement.
      rel_seq_r.
      rel_alloc_l as istk "Histk". simpl.
      rel_alloc_l as stk "Hstk".
-      rel_alloc_r as stl' "Hstk'".
+      rel_alloc_r as stk' "Hstk'".
      rel_alloc_r as l "Hl".
      rel_vals.
-      admit.
+      rewrite -persistentP.
+      iMod (own_alloc (● (∅ : stackUR))) as (γ) "Hemp"; first done.
+      pose (SG := StackG Σ _ γ).
+      iAssert (prestack_owns γ ∅) with "[Hemp]" as "Hoe".
+      { rewrite /prestack_owns big_sepM_empty fmap_empty.
+        iFrame "Hemp". }
+      iMod (stack_owns_alloc with "[$Hoe $Histk]") as "[Hoe #Histk]".
+      iAssert (preStackLink γ τi (#istk, FoldV (InjLV (LitV Unit)))) with "[Histk]" as "#HLK".
+      { rewrite preStackLink_unfold.
+        iExists _, _. iSplitR; simpl; trivial.
+        iFrame "Histk". iLeft. iSplit; trivial. }
+      iAssert (sinv' γ τi stk stk' l) with "[Hoe Hstk Hstk' HLK Hl]" as "Hinv".
+      { iExists _, _, _. by iFrame. }
+      iMod (inv_alloc (stackN.@(stk,stk')) with "[Hinv]") as "#Hinv".
+      { iNext. iExact "Hinv". }
+      iModIntro.
+      iExists γ, l, stk, stk'. eauto.
    - iApply bin_log_related_arrow_val; eauto.
      iAlways. iIntros (? ?) "#Hvv /=".
-      iDestruct "Hvv" as (l stk stk') "(% & % & #Hinv)".
+      iDestruct "Hvv" as (γ l stk stk') "(% & % & #Hinv)".
      simplify_eq/=.
      rel_let_l.
      rel_let_r.
@@ -100,11 +116,15 @@ Section Mod_refinement.
      replace (TSum TUnit (TVar 1))
      with (TSum TUnit (TVar 0)).[ren (+1)] by done.
      iApply bin_log_weaken_2.
-      by iApply FG_CG_pop_refinement'.
+      pose (SG := StackG Σ _ γ).
+      change γ with stack_name.
+      iApply (FG_CG_pop_refinement' (stackN.@(stk,stk'))).
+      { solve_ndisj. }
+      by rewrite sinv_unfold.
    - iApply bin_log_related_arrow_val; eauto.
      { unlock FG_push. done. }
      iAlways. iIntros (? ?) "#Hvv /=".
-      iDestruct "Hvv" as (l stk stk') "(% & % & #Hinv)".
+      iDestruct "Hvv" as (γ l stk stk') "(% & % & #Hinv)".
      simplify_eq/=.
      rel_let_r.
      Transparent FG_push.
@@ -121,7 +141,22 @@ Section Mod_refinement.
        with ((CG_locked_push $/ LitV stk' $/ LitV l) v')%E; last first.
      { unlock CG_locked_push. simpl_subst/=. done. }
      change TUnit with (TUnit.[ren (+1)]).
-      iApply (FG_CG_push_refinement with "Hinv Hτi").
-  Admitted.
-
+      pose (SG := StackG Σ _ γ).
+      change γ with stack_name.
+      iApply (FG_CG_push_refinement (stackN.@(stk,stk')) with "[Hinv] Hτi").
+      { solve_ndisj. }
+      by rewrite sinv_unfold.
+  Qed.
 End Mod_refinement.
+
+Theorem module_ctx_refinement :
+  ∅ ⊨ FG_stack.stackmod ≤ctx≤ CG_stack.stackmod :
+    TForall $ TExists $ TProd (TProd
+                                 (TArrow TUnit (TVar 0))
+                                 (TArrow (TVar 0) (TSum TUnit (TVar 1))))
+                                 (TArrow (TVar 0) (TArrow (TVar 1) TUnit)).
+Proof.
+  set (Σ := #[logrelΣ; GFunctor (authR stackUR)]).
+  eapply (logrel_ctxequiv Σ); [solve_closed.. | intros ].
+  apply module_refinement.
+Qed.
--- a/theories/examples/stack/refinement.v
+++ b/theories/examples/stack/refinement.v
@@ -6,40 +6,52 @@ From iris_logrel.examples.stack Require Import
 Definition stackN : namespace := nroot .@ "stack".

 Section Stack_refinement.
-  Context `{logrelG Σ, stackG Σ}.
+  Context `{logrelG Σ}.
  Notation D := (prodC valC valC -n> iProp Σ).
  Implicit Types Δ : listC D.
  Import lang.

-  Definition sinv τi stk stk' l' {SH: stackG Σ} : iProp Σ :=
+  Definition sinv' {SPG : authG Σ stackUR} γ τi stk stk' l' : iProp Σ :=
+    (∃ (istk : loc) v h, (prestack_owns γ h)
+        ∗ stk' ↦ₛ v
+        ∗ stk ↦ᵢ (FoldV #istk)
+        ∗ preStackLink γ τi (#istk, v)
+        ∗ l' ↦ₛ #false)%I.
+
+  Context `{stackG Σ}.
+  Definition sinv τi stk stk' l : iProp Σ := 
    (∃ (istk : loc) v h, (stack_owns h)
        ∗ stk' ↦ₛ v
        ∗ stk ↦ᵢ (FoldV #istk)
        ∗ StackLink τi (#istk, v)
-        ∗ l' ↦ₛ #false)%I.
+        ∗ l ↦ₛ #false)%I.
+  Lemma sinv_unfold τi stk stk' l :
+    sinv τi stk stk' l = sinv' stack_name τi stk stk' l.
+  Proof. reflexivity. Qed.

  Ltac close_sinv Hcl asn :=
    iMod (Hcl with asn) as "_";
    [iNext; rewrite /sinv; iExists _,_,_; by iFrame |]; try iModIntro.

-  Lemma FG_CG_push_refinement st st' (τi : D) (v v' : val) l {τP : ∀ ww, PersistentP (τi ww)} Γ :
-    inv stackN (sinv τi st st' l) -∗ τi (v,v') -∗
+  Lemma FG_CG_push_refinement N st st' (τi : D) (v v' : val) l {τP : ∀ ww, PersistentP (τi ww)} Γ :
+    N ⊥ logrelN →
+    inv N (sinv τi st st' l) -∗ τi (v,v') -∗
    Γ ⊨ (FG_push $/ (LitV (Loc st))) v ≤log≤ (CG_locked_push $/ (LitV (Loc st')) $/ (LitV (Loc l))) v' : TUnit.
  Proof.
-    iIntros "#Hinv #Hvv'" (Δ).
+    iIntros (?) "#Hinv #Hvv'". iIntros (Δ).
    Transparent FG_push.
    unfold FG_push. unlock. simpl_subst/=.
    iLöb as "IH".
    rel_rec_l.
    rel_load_l_atomic.
-    iInv stackN as (istk w h) "[Hoe [>Hst' [Hst [HLK >Hl]]]]" "Hclose".
+    iInv N as (istk w h) "[Hoe [>Hst' [Hst [HLK >Hl]]]]" "Hclose".
    iExists (FoldV #istk). iFrame.
    iModIntro. iNext. iIntros "Hst".
    close_sinv "Hclose" "[Hst Hoe Hst' Hl HLK]". clear w h.
    rel_rec_l.
    rel_alloc_l as nstk "Hnstk". simpl.
    rel_cas_l_atomic.
-    iInv stackN as (istk' w h) "[Hoe [>Hst' [Hst [HLK >Hl]]]]" "Hclose".
+    iInv N as (istk' w h) "[Hoe [>Hst' [Hst [HLK >Hl]]]]" "Hclose".
    iExists (FoldV #istk'). iFrame.
    iModIntro.
    destruct (decide (istk' = istk)) as [e | nestk]; subst.
@@ -70,12 +82,13 @@ Section Stack_refinement.
      by iApply "IH".
  Qed.

-  Lemma FG_CG_pop_refinement' st st' (τi : D) l {τP : ∀ ww, PersistentP (τi ww)} Δ Γ :
-    inv stackN (sinv τi st st' l) -∗
+  Lemma FG_CG_pop_refinement' N st st' (τi : D) l {τP : ∀ ww, PersistentP (τi ww)} Δ Γ :
+    N ⊥ logrelN →
+    inv N (sinv τi st st' l) -∗
    {⊤,⊤;τi::Δ;Γ} ⊨ (FG_pop $/ LitV (Loc st)) #() ≤log≤ (CG_locked_pop $/ LitV (Loc st') $/ LitV (Loc l)) #() : TSum TUnit (TVar 0).
  Proof.
 Transparent CG_locked_pop FG_pop CG_pop.
-    iIntros "#Hinv".
+    iIntros (?) "#Hinv".
    iLöb as "IH".
    rewrite {2}/FG_pop. unlock.  simpl_subst/=.

@@ -91,7 +104,7 @@ replace ((rec: "pop" "st" <> :=

    rel_rec_l.
    rel_load_l_atomic.
-    iInv stackN as (istk v h) "[Hoe [Hst' [Hst [#HLK Hl]]]]" "Hclose".
+    iInv N as (istk v h) "[Hoe [Hst' [Hst [#HLK Hl]]]]" "Hclose".
    iExists _. iFrame.
    iModIntro. iNext. iIntros "Hst /=".
    rel_rec_l.
@@ -107,7 +120,7 @@ replace ((rec: "pop" "st" <> :=
      iIntros "Hst' Hl".
      close_sinv "Hclose" "[Hoe Hst' Hst Hl HLK']". clear h. iClear "HLK'".
      rel_load_l_atomic.
-      iInv stackN as (istk v h) "[Hoe [Hst' [Hst [#HLK Hl]]]]" "Hclose".
+      iInv N as (istk v h) "[Hoe [Hst' [Hst [#HLK Hl]]]]" "Hclose".
      iDestruct (stack_owns_later_open_close with "Hoe Histk") as "[Histk_i Hoe]".
      iExists _. iFrame "Histk_i".
      iModIntro. iNext. iIntros "Histk_i /=".
@@ -123,7 +136,7 @@ replace ((rec: "pop" "st" <> :=
      iDestruct "HLK" as (y1 z1 y2 z2) "(% & % & Hτ & HLK_tail)"; simplify_eq/=.
      close_sinv "Hclose" "[Hoe Hst' Hst Hl HLK']". clear h.
      rel_load_l_atomic.
-      iInv stackN as (istk v h) "[Hoe [Hst' [Hst [HLK Hl]]]]" "Hclose".
+      iInv N as (istk v h) "[Hoe [Hst' [Hst [HLK Hl]]]]" "Hclose".
      iDestruct (stack_owns_later_open_close with "Hoe Histk") as "[Histk_i Hoe]".
      iExists _. iFrame.
      iModIntro. iNext. iIntros "Histk_i /=".
@@ -134,7 +147,7 @@ replace ((rec: "pop" "st" <> :=
      do 2 (rel_proj_l; rel_rec_l).
      close_sinv "Hclose" "[Hoe Hst' Hst Hl HLK]". clear h istk v.
      rel_cas_l_atomic.
-      iInv stackN as (istk v h) "[Hoe [Hst' [Hst [HLK2 Hl]]]]" "Hclose".
+      iInv N as (istk v h) "[Hoe [Hst' [Hst [HLK2 Hl]]]]" "Hclose".
      iExists _. iFrame.
      iModIntro.
      destruct (decide (istk = istk2)) as [? |NE]; simplify_eq/=.
@@ -179,10 +192,11 @@ replace ((rec: "pop" "st" <> :=
    { unlock FG_pop CG_locked_pop. simpl_subst/=. solve_closed. }
    { unlock FG_pop CG_locked_pop. simpl_subst/=. solve_closed. }
    iAlways. iIntros (? ?) "[% %]". simplify_eq/=.
-    by iApply FG_CG_pop_refinement'.
+    iApply (FG_CG_pop_refinement' stackN); eauto.
+    { solve_ndisj. }
  Qed.

-  Lemma FG_CG_iter_refinement st st' (τi : D) l Δ {τP : ∀ ww, PersistentP (τi ww)} {SH : stackG Σ} Γ:
+  Lemma FG_CG_iter_refinement st st' (τi : D) l Δ {τP : ∀ ww, PersistentP (τi ww)} Γ:
    inv stackN (sinv τi st st' l) -∗
    {⊤,⊤;τi::Δ;Γ} ⊨ FG_read_iter $/ LitV (Loc st) ≤log≤ CG_snap_iter $/ LitV (Loc st') $/ LitV (Loc l) : TArrow (TArrow (TVar 0) TUnit) TUnit.
  Proof.
@@ -234,7 +248,7 @@ replace ((rec: "pop" "st" <> :=
      rel_rec_r.

      rel_load_l_atomic.
-      iInv stackN as (istk v h) "[Hoe [Hst' [Hst [#HLK Hl]]]]" "Hclose".
+      iInv stackN as (istk v h) "[Hoe [Hst' [Hst [#HLK Hl]]]]" "Hclose".      
      iDestruct (stack_owns_later_open_close with "Hoe Histk") as "[Histk_i Hoe]".
      iExists _. iFrame "Histk_i".
      iModIntro. iNext. iIntros "Histk_i /=".
@@ -299,7 +313,7 @@ Section Full_refinement.
    end.

  (* ∀ α. (α → Unit) * (Unit → Unit + α) * ((α → Unit) → Unit) *)
-  Lemma FG_CG_stack_refinement `{stackPreG Σ, logrelG Σ} Δ Γ :
+  Lemma FG_CG_stack_refinement `{SPG: stackPreG Σ, logrelG Σ} Δ Γ :
     {⊤,⊤;Δ;Γ} ⊨ FG_stack ≤log≤ CG_stack : TForall (TProd (TProd
           (TArrow (TVar 0) TUnit)
           (TArrow TUnit (TSum TUnit (TVar 0))))
@@ -330,10 +344,10 @@ Section Full_refinement.
    iMod (own_alloc (● (∅ : stackUR))) as (γ) "Hemp"; first done.
    set (istkG := StackG _ _ γ).
    change γ with (@stack_name _ istkG).
-    change (@stack_pre_inG _ H) with (@stack_inG _ istkG).
-    clearbody istkG. clear γ H1.
+    change (@stack_pre_inG _ SPG) with (@stack_inG _ istkG).
+    clearbody istkG. clear γ SPG.
    iAssert (@stack_owns _ istkG _ ∅) with "[Hemp]" as "Hoe".
-    { rewrite /stack_owns big_sepM_empty fmap_empty.
+    { rewrite /stack_owns /prestack_owns big_sepM_empty fmap_empty.
      iFrame "Hemp". }
    iMod (stack_owns_alloc with "[$Hoe $Histk]") as "[Hoe #Histk]".
    iAssert (StackLink τi (#istk, FoldV (InjLV (LitV Unit)))) with "[Histk]" as "#HLK".
@@ -368,6 +382,7 @@ Section Full_refinement.
      replace_r ((CG_locked_push $/ LitV (Loc st') $/ LitV (Loc l)) v2)%E.
      { unlock CG_locked_push. simpl_subst/=. reflexivity. }
      iApply (FG_CG_push_refinement with "Hinv Hτ").
+      { solve_ndisj. }
    - replace_l (FG_pop $/ LitV (Loc st))%E.
      { unlock FG_pop. by simpl_subst/=. }
      replace_r (CG_locked_pop $/ LitV (Loc st') $/ LitV (Loc l))%E.

--- a/theories/examples/stack/stack_rules.v
+++ b/theories/examples/stack/stack_rules.v
@@ -12,67 +12,72 @@ Class stackPreG Σ := StackPreG { stack_pre_inG :> authG Σ stackUR }.
 Definition stackΣ : gFunctors := #[authΣ stackUR].
 Instance subG_stackPreG {Σ} : subG stackΣ Σ → stackPreG Σ.
 Proof. solve_inG. Qed.
+(* Instance stackG_stackPreG {Σ} : stackG Σ → stackPreG Σ. *)
+(* Proof. intros [S ?]. by constructor. Qed. *)

-Definition stack_mapsto `{stackG Σ} (l : loc) (v : val) : iProp Σ :=
-  own stack_name (◯ {[ l := to_agree v ]}).
+Definition prestack_mapsto `{authG Σ stackUR} (γ : gname) (l : loc) (v : val) : iProp Σ :=
+  own γ (◯ {[ l := to_agree v ]}).
+
+Definition stack_mapsto `{stackG Σ} l v : iProp Σ := prestack_mapsto stack_name l v.

 Notation "l ↦ˢᵗᵏ v" := (stack_mapsto l v) (at level 20) : uPred_scope.

-Section Rules.
-  Context `{stackG Σ}.
+Section Rules_pre.
+  Context `{authG Σ stackUR}.
+  Variable (γ : gname).
  Notation D := (prodC valC valC -n> iProp Σ).
+  Notation "l ↦ˢᵗᵏ v" := (prestack_mapsto γ l v) (at level 20) : uPred_scope.

  Global Instance stack_mapsto_persistent l v : PersistentP (l ↦ˢᵗᵏ v).
  Proof. apply _. Qed.
  
-  (* TODO:this is bad*)
-  Lemma stack_mapstos_agree_uncurried l v w : l ↦ˢᵗᵏ v ∗ l ↦ˢᵗᵏ w ⊢ ⌜v = w⌝.
+  Lemma prestack_mapstos_agree_uncurried l v w : l ↦ˢᵗᵏ v ∗ l ↦ˢᵗᵏ w ⊢ ⌜v = w⌝.
  Proof.
    rewrite -own_op -auth_frag_op op_singleton.
-    change (own stack_name (◯ {[l := to_agree v ⋅ to_agree w]}))
-      with (auth_own stack_name {[l := to_agree v ⋅ to_agree w]}).
+    change (own γ (◯ {[l := to_agree v ⋅ to_agree w]}))
+      with (auth_own γ {[l := to_agree v ⋅ to_agree w]}).
    rewrite auth_own_valid. iIntros "Hvalid". iDestruct "Hvalid" as %Hvalid.
    rewrite singleton_valid in Hvalid *.
    intros Hagree. by rewrite (agree_op_inv' v w Hagree).
  Qed.

-  Lemma stack_mapstos_agree l v w : l ↦ˢᵗᵏ v -∗ l ↦ˢᵗᵏ w -∗ ⌜v = w⌝.
+  Lemma prestack_mapstos_agree l v w : l ↦ˢᵗᵏ v -∗ l ↦ˢᵗᵏ w -∗ ⌜v = w⌝.
  Proof.
    iIntros "??".
-    iApply stack_mapstos_agree_uncurried. by iFrame.
+    iApply prestack_mapstos_agree_uncurried. by iFrame.
  Qed.
  
  (* stacklink Q := {((Loc l), nil) ∣ l ↦ˢᵗᵏ (InjL #()) }
          ∪  {((Loc l), cons y2 z2) ∣ ∃ y1 z1, l ↦ˢᵗᵏ (y1, z1) 
                                    ∗ (y1, y2) ∈ Q
                                    ∗ ▷ stacklink Q (z1, z2) }*)
-  Program Definition StackLink_pre (Q : D) : D -n> D := λne P v,
+  Program Definition preStackLink_pre (Q : D) : D -n> D := λne P v,
    (∃ (l : loc) w, ⌜v.1 = # l⌝ ∗ l ↦ˢᵗᵏ w ∗
            ((⌜w = InjLV #()⌝ ∧ ⌜v.2 = FoldV (InjLV #())⌝) ∨
            (∃ y1 z1 y2 z2, ⌜w = InjRV (PairV y1 (FoldV z1))⌝ ∗
              ⌜v.2 = FoldV (InjRV (PairV y2 z2))⌝ ∗ Q (y1, y2) ∗ ▷ P(z1, z2))))%I.
  Solve Obligations with solve_proper.

-  Global Instance StackLink_pre_contractive Q : Contractive (StackLink_pre Q).
+  Global Instance StackLink_pre_contractive Q : Contractive (preStackLink_pre Q).
  Proof. solve_contractive. Qed.

-  Definition StackLink (Q : D) : D := fixpoint (StackLink_pre Q).
+  Definition preStackLink (Q : D) : D := fixpoint (preStackLink_pre Q).

-  Lemma StackLink_unfold Q v :
-    StackLink Q v ≡ (∃ (l : loc) w,
+  Lemma preStackLink_unfold Q v :
+    preStackLink Q v ≡ (∃ (l : loc) w,
      ⌜v.1 = # l⌝ ∗ l ↦ˢᵗᵏ w ∗
      ((⌜w = InjLV #()⌝ ∧ ⌜v.2 = FoldV (InjLV #())⌝) ∨
      (∃ y1 z1 y2 z2, ⌜w = InjRV (PairV y1 (FoldV z1))⌝
                      ∗ ⌜v.2 = FoldV (InjRV (PairV y2 z2))⌝
-                      ∗ Q (y1, y2) ∗ ▷ StackLink Q (z1, z2))))%I.
-  Proof. by rewrite {1}/StackLink fixpoint_unfold. Qed.
+                      ∗ Q (y1, y2) ∗ ▷ preStackLink Q (z1, z2))))%I.
+  Proof. by rewrite {1}/preStackLink fixpoint_unfold. Qed.

-  Global Opaque StackLink. (* So that we can only use the unfold above. *)
+  Global Opaque preStackLink. (* So that we can only use the unfold above. *)

-  Global Instance StackLink_persistent (Q : D) v `{∀ vw, PersistentP (Q vw)} :
-    PersistentP (StackLink Q v).
+  Global Instance preStackLink_persistent (Q : D) v `{∀ vw, PersistentP (Q vw)} :
+    PersistentP (preStackLink Q v).
  Proof. 
-    iIntros "H". iLöb as "IH" forall (v). rewrite StackLink_unfold.
+    iIntros "H". iLöb as "IH" forall (v). rewrite preStackLink_unfold.
    iDestruct "H" as (l w) "[% [#Hl [[% %]|Hr]]]"; subst.
    { iExists l, _; iAlways; eauto. }
    iDestruct "Hr" as (y1 z1 y2 z2) "[% [% [#HQ Hrec]]]"; subst.    
@@ -87,14 +92,12 @@ Section Rules.
    h !! i = None → ● h ~~> ● (<[i := to_agree v]> h) ⋅ ◯ {[i := to_agree v]}.
  Proof. intros. by apply auth_update_alloc, alloc_singleton_local_update. Qed.

-  Context `{logrelG Σ}.
-
-  Definition stack_owns (h : gmap loc val) : iProp Σ :=
-    (own stack_name (● (to_agree <$> h : stackUR))
+  Definition prestack_owns `{logrelG Σ} (h : gmap loc val) : iProp Σ :=
+    (own γ (● (to_agree <$> h : stackUR))
        ∗ [∗ map] l ↦ v ∈ h, l ↦ᵢ v)%I.

-  Lemma stack_owns_alloc h l v :
-    stack_owns h ∗ l ↦ᵢ v ==∗ stack_owns (<[l := v]> h) ∗ l ↦ˢᵗᵏ v.
+  Lemma prestack_owns_alloc `{logrelG Σ} h l v :
+    prestack_owns h ∗ l ↦ᵢ v ==∗ prestack_owns (<[l := v]> h) ∗ l ↦ˢᵗᵏ v.
  Proof.
    iIntros "[[Hown Hall] Hl]".
    iDestruct (own_valid with "Hown") as %Hvalid.
@@ -107,14 +110,14 @@ Section Rules.
      eapply (alloc_singleton_local_update _ l (to_agree v)).
      - rewrite lookup_fmap Hhl. by compute.
      - by compute.
-      - iModIntro. rewrite /stack_owns. rewrite fmap_insert.
+      - iModIntro. rewrite /prestack_owns. rewrite fmap_insert.
        iFrame "Hown Hl'".
        iApply big_sepM_insert; eauto.
        by iFrame. }
  Qed.

-  Lemma stack_owns_open_close h l v :
-    stack_owns h -∗ l ↦ˢᵗᵏ v -∗ l ↦ᵢ v ∗ (l ↦ᵢ v -∗ stack_owns h).
+  Lemma prestack_owns_open_close `{logrelG Σ} h l v :
+    prestack_owns h -∗ l ↦ˢᵗᵏ v -∗ l ↦ᵢ v ∗ (l ↦ᵢ v -∗ prestack_owns h).
  Proof.
    iIntros "[Howns Hls] Hl".
    iDestruct (own_valid_2 with "Howns Hl") 
@@ -125,10 +128,48 @@ Section Rules.
    move=> [v' [Hl Hav]]; subst.
    apply to_agree_included in Hav'; setoid_subst.
    iDestruct (big_sepM_lookup_acc with "Hls") as "[$ Hclose]"; first done.
-    iIntros "Hl'". rewrite /stack_owns. iFrame "Howns". by iApply "Hclose".
+    iIntros "Hl'". rewrite /prestack_owns. iFrame "Howns". by iApply "Hclose".
  Qed.

-  Lemma stack_owns_later_open_close h l v :
+  Lemma prestack_owns_later_open_close `{logrelG Σ} h l v :
+    ▷ prestack_owns h -∗ l ↦ˢᵗᵏ v -∗ ▷ (l ↦ᵢ v ∗ (l ↦ᵢ v -∗ prestack_owns h)).
+  Proof. iIntros "H1 H2". iNext; by iApply (prestack_owns_open_close with "H1"). Qed.
+End Rules_pre.
+
+Section Rules.
+  Context `{stackG Σ}.
+  Notation D := (prodC valC valC -n> iProp Σ).
+
+  Definition stack_owns `{logrelG Σ} := prestack_owns stack_name.
+
+  Lemma stack_mapstos_agree l v w : l ↦ˢᵗᵏ v -∗ l ↦ˢᵗᵏ w -∗ ⌜v = w⌝.
+  Proof. apply prestack_mapstos_agree. Qed.
+
+  Lemma stack_owns_alloc `{logrelG Σ} h l v :
+    stack_owns h ∗ l ↦ᵢ v ==∗ stack_owns (<[l := v]> h) ∗ l ↦ˢᵗᵏ v.
+  Proof. apply prestack_owns_alloc. Qed.
+
+  Lemma stack_owns_open_close `{logrelG Σ} h l v :
+    stack_owns h -∗ l ↦ˢᵗᵏ v -∗ l ↦ᵢ v ∗ (l ↦ᵢ v -∗ stack_owns h).
+  Proof. apply prestack_owns_open_close. Qed.
+
+  Lemma stack_owns_later_open_close `{logrelG Σ} h l v :
    ▷ stack_owns h -∗ l ↦ˢᵗᵏ v -∗ ▷ (l ↦ᵢ v ∗ (l ↦ᵢ v -∗ stack_owns h)).
-  Proof. iIntros "H1 H2". iNext; by iApply (stack_owns_open_close with "H1"). Qed.
+  Proof. apply prestack_owns_later_open_close. Qed.
+
+  Definition StackLink Q v := preStackLink stack_name Q v.
+  Lemma StackLink_unfold Q v :
+    StackLink Q v ≡ (∃ (l : loc) w,
+      ⌜v.1 = # l⌝ ∗ l ↦ˢᵗᵏ w ∗
+      ((⌜w = InjLV #()⌝ ∧ ⌜v.2 = FoldV (InjLV #())⌝) ∨
+      (∃ y1 z1 y2 z2, ⌜w = InjRV (PairV y1 (FoldV z1))⌝
+                      ∗ ⌜v.2 = FoldV (InjRV (PairV y2 z2))⌝
+                      ∗ Q (y1, y2) ∗ ▷ StackLink Q (z1, z2))))%I.
+  Proof. by rewrite /StackLink preStackLink_unfold. Qed.
+
+  Global Instance StackLink_persistent (Q : D) v `{∀ vw, PersistentP (Q vw)} :
+    PersistentP (StackLink Q v).
+  Proof. apply _. Qed.
+  Global Opaque StackLink.
+
 End Rules.