 \section{Algebraic Structures}
 By upward-closedness, it suffices to show $\textsf{frame}(s, T_f) \ststrans \tex$. This follows by induction on the path $(s, T) \ststrans (s', T')$, and using the lemma proven above for each step.
\end{proof}

\clearpage \input{algebra}
\clearpage \input{constructions}
\clearpage \input{logic}
\clearpage \input{model}
\clearpage \input{derived}

\clearpage\printbibliography We moreover assume a value \textsf{fRet} (giving the intended return value of a fork), and we assume that
\begin{align*}
  \fork{\expr} &\notin \textdom{Val} \\
  \fork{\expr_1} = \fork{\expr_2} &\implies \expr_1 = \expr_2
\end{align*}
\item A set $\textdom{Ectx}$ of \emph{evaluation contexts} ($\ectx$) that includes the empty context $[\; ]$, a plugging operation $\ectx[\expr]$ that produces an expression, and context composition $\circ$ satisfying the following axioms:
\begin{align*}
  [\; ][ \expr ] &= \expr \\
  \ectx_1[\ectx_2[\expr]] &= (\ectx_1 \circ \ectx_2) [\expr] \\
  \ectx_1[\expr] = \ectx_2[\expr] &\implies \ectx_1 = \ectx_2 \\
  \ectx[\expr_1] = \ectx[\expr_2] &\implies \expr_1 = \expr_2 \\
  \ectx_1 \circ \ectx_2 = [\; ] &\implies \ectx_1 = \ectx_2 = [\; ] \\
  \ectx[\expr] \in \textdom{Val} &\implies \ectx = [\;] \\
  \ectx[\expr] = \fork{\expr'} &\implies \ectx = [\;]
\end{align*}
\item A set \textdom{State} of shared machine states (\eg heaps), metavariable $\state$.
\item A set \textdom{Obs} of observations, metavariable $\obs$,
and notions of an expression to be \emph{reducible} or \emph{stuck}, such that
\begin{align*}
  \textlog{reducible}(\expr) &\iff \Exists \state, \expr_2, \state_2. \cfg{\state}{\expr} \step \cfg{\state_2}{\expr_2} \\
  \textlog{stuck}(\expr) &\iff \All \ectx, \expr'. \expr = \ectx[\expr'] \implies
  \lnot \textlog{reducible}(\expr')
\end{align*}
and the following hold

Axioms $\prop \Ra \propB$ stand for judgments $\vctx \mid \cdot \proves \prop \Ra \propB$.

\subsection{Laws of intuitionistic higher-order logic with guarded recursion over a simply-typed lambda calculus}\label{sec:HOL}

Standard. This is entirely standard. Soundness follows from the theorem that ${\cal U}(\any, \textdom{Prop}) : {\cal U}^{\textrm{op}} \to \textrm{Poset}$ is a hyperdoctrine.

\elide{
\begin{mathpar}
  \infer[Asm]
  {\prop \in \pfctx}
  {\pfctx \proves \prop}
\and
  \infer[Subst]
  {\pfctx \proves \prop(\term) \\
   \pfctx \proves \term = \term'}
  {\pfctx \proves \prop(\term')}
\and
  \infer[$\wedge$I]
  {\pfctx \proves \prop \\
   \pfctx \proves \propB}
  {\pfctx \proves \prop \wedge \propB}
\and
  \infer[$\wedge$EL]
  {\pfctx \proves \prop \wedge \propB}
  {\pfctx \proves \prop}
\and
  \infer[$\wedge$ER]
  {\pfctx \proves \prop \wedge \propB}
  {\pfctx \proves \propB}
\and
  \infer[$\vee$E]
  {\pfctx \proves \prop \vee \propB \\
   \pfctx, \prop \proves \propC \\
   \pfctx, \propB \proves \propC}
  {\pfctx \proves \propC}
\and
  \infer[$\vee$IL]
  {\pfctx \proves \prop }
  {\pfctx \proves \prop \vee \propB}
\and
  \infer[$\vee$IR]
  {\pfctx \proves \propB}
  {\pfctx \proves \prop \vee \propB}
\and
  \infer[$\Ra$I]
  {\pfctx, \prop \proves \propB}
  {\pfctx \proves \prop \Ra \propB}
\and
  \infer[$\Ra$E]
  {\pfctx \proves \prop \Ra \propB \\
   \pfctx \proves \prop}
  {\pfctx \proves \propB}
\and
  \infer[$\forall_1$I]
  {\pfctx, x : \sort \proves \prop}
  {\pfctx \proves \forall x: \sort.\; \prop}
\and
  \infer[$\forall_1$E]
  {\pfctx \proves \forall X \in \sort.\; \prop \\
   \pfctx \proves \term: \sort}
  {\pfctx \proves \prop[\term/X]}
\and
  \infer[$\exists_1$E]
  {\pfctx \proves \exists X\in \sort.\; \prop \\
   \pfctx, X : \sort, \prop \proves \propB}
  {\pfctx \proves \propB}
\and
  \infer[$\exists_1$I]
  {\pfctx \proves \prop[\term/X] \\
   \pfctx \proves \term: \sort}
  {\pfctx \proves \exists X: \sort. \prop}
\and
  \infer[$\forall_2$I]
  {\pfctx, \pvar: \Pred(\sort) \proves \prop}
  {\pfctx \proves \forall \pvar\in \Pred(\sort).\; \prop}
\and
  \infer[$\forall_2$E]
  {\pfctx \proves \forall \pvar. \prop \\
   \pfctx \proves \propB: \Prop}
  {\pfctx \proves \prop[\propB/\pvar]}
\and
  \infer[$\exists_2$E]
  {\pfctx \proves \exists \pvar \in \Pred(\sort).\prop \\
   \pfctx, \pvar : \Pred(\sort), \prop \proves \propB}
  {\pfctx \proves \propB}
\and
  \infer[$\exists_2$I]
  {\pfctx \proves \prop[\propB/\pvar] \\
   \pfctx \proves \propB: \Prop}
  {\pfctx \proves \exists \pvar. \prop}
\and
  \inferB[Elem]
  {\pfctx \proves \term \in (X \in \sort). \prop}
  {\pfctx \proves \prop[\term/X]}
\and
  \inferB[Elem-$\mu$]
  {\pfctx \proves \term \in (\mu\pvar \in \Pred(\sort). \pred)}
  {\pfctx \proves \term \in \pred[\mu\pvar \in \Pred(\sort). \pred/\pvar]}
\end{mathpar}
}

\subsection{Axioms from the logic of (affine) bunched implications}

The following specializations cover all cases of a heap-manipulating lambda calculus. The first is restricted to deterministic pure reductions, like $\beta$-reduction. The second is suited to proving triples for (possibly non-deterministic) atomic expressions; for example, with $\expr \eqdef \;!\ell$ (dereferencing $\ell$) and $\state \eqdef h \mtimes \ell \mapsto \valB$ and $\pred(\val, \state') \eqdef \state' = (h \mtimes \ell \mapsto \valB) \land \val = \valB$, one obtains the axiom $\All h, \ell, \valB. \hoare{\ownPhys{h \mtimes \ell \mapsto \valB}}{!\ell}{\Ret\val. \val = \valB \land \ownPhys{h \mtimes \ell \mapsto \valB} }$.
 \textdom{Res} &\eqdef& \{\, \rs = (\pres, \ghostRes) \mid \pres \in \textdom{State} \uplus \{\munit\} \land \ghostRes \in \mcarp{\monoid} \,\}
\\[0.5em]
  (\pres, \ghostRes) \rtimes (\pres', \ghostRes') &\eqdef&
  \begin{cases}
    (\pres, \ghostRes \mtimes \ghostRes') & \mbox{if $\pres' = \munit$ and $\ghostRes \mtimes \ghostRes' \neq \mzero$} \\
    (\pres', \ghostRes \mtimes \ghostRes') & \mbox{if $\pres = \munit$ and $\ghostRes \mtimes \ghostRes' \neq \mzero$} \\
    \mzero & \mbox{otherwise}
  \end{cases}
\\[0.5em]
  \rs \leq \rs' & \eqdef &
  \Exists \rs''. \rs' = \rs \rtimes \rs''\\[1em]
  \UPred(\textdom{Res}) &\eqdef& \{\, p \subseteq \mathbb{N} \times \textdom{Res} \mid

For a set $X$, write $\Delta X$ for the discrete c.o.f.e.\ with $x \nequiv{n} x'$ iff $n = 0$ or $x = x'$
\[
\begin{array}[t]{@{}l@{\ }c@{\ }l@{}}
  \semSort{\textsort{Unit}} &\eqdef& \Delta \{ \star \} \\
  \semSort{\textsort{InvName}} &\eqdef& \Delta \mathbb{N} \\
  \semSort{\textsort{InvMask}} &\eqdef& \Delta \pset{\mathbb{N}} \\
  \semSort{\textsort{Monoid}} &\eqdef& \Delta |\monoid|

$\rho\nequiv{n} \rho'$ iff $n=0 \lor \bigl(\dom(\rho)=\dom(\rho') \land$

\begin{align*}
  \fullSat{\state}{\mask}{\rs}{W} &=
  \begin{aligned}[t]
    \{\, n + 1 \in \mathbb{N} \mid &\Exists \rsB:\mathbb{N} \fpfn \textdom{Res}. (\rs \rtimes \rsB).\pres = \state \land{}\\
    &\quad \All \iota \in \dom(W). \iota \in \dom(W) \leftrightarrow \iota \in \dom(\rsB) \land {}\\
    &\quad\quad \iota \in \mask \ra (n, \rsB(\iota)) \in \wIso^{-1}(W(\iota))(W) \,\} \cup \{ 0 \}
  \end{aligned}

\begin{aligned}[t]
    \{\, (n, \rs) &\mid \All W_F \geq W. \All \rs_F, \mask_F, \state. \All k \leq n.\\
    &\qquad k \in (\fullSat{\state}{\mask_1 \cup \mask_F}{\rs \rtimes \rs_F}{W_F}) \land k > 0 \land \mask_F \sep (\mask_1 \cup \mask_2) \implies{} \\
    &\qquad \Exists W' \geq W_F. \Exists \rs'. k \in (\fullSat{\state}{\mask_2 \cup \mask_F}{\rs' \rtimes \rs_F}{W'}) \land (k, \rs') \in q(W')
    \,\}
  \end{aligned}
\end{align*}

\begin{align*}
  \mathit{wp}_\mask(\expr, q) &\eqdef \Lam W.
  \begin{aligned}[t]
    \{\, (n, \rs) &\mid \All W_F \geq W; k \leq n; \rs_F; \state; \mask_F \sep \mask. k > 0 \land k \in (\fullSat{\state}{\mask \cup \mask_F}{\rs \rtimes \rs_F}{W_F}) \implies{}\\
    &\qquad (\expr \in \textdom{Val} \implies \Exists W' \geq W_F. \Exists \rs'. \\
    &\qquad\qquad k \in (\fullSat{\state}{\mask \cup \mask_F}{\rs' \rtimes \rs_F}{W'}) \land (k, \rs') \in q(\expr)(W'))~\land \\
    &\qquad (\All\ectx,\expr_0,\expr'_0,\state'. \expr = \ectx[\expr_0] \land \cfg{\state}{\expr_0} \step \cfg{\state'}{\expr'_0} \implies \Exists W' \geq W_F. \Exists \rs'. \\
    &\qquad\qquad k - 1 \in (\fullSat{\state'}{\mask \cup \mask
 ... ... @@ -52,6 +52,7 @@ \newcommand*{\axiomhref}[3]{\inferhref{#1}{#2}{}{#3}} \newcommand*{\axiomH}[2]{\inferH{#1}{}{#2}} \newcommand*{\inferhrefB}[4]{{\BIIMP\inferhref{#1}{#2}{#3}{#4}}} \newcommand*{\inferB}[3][]{{\BIIMP\infer[#1]{#2}{#3}}} \newcommand*{\inferHB}[3]{{\BIIMP\inferH{#1}{#2}{#3}}} \newcommand*{\taghref}[2]{\label{#2}\tag{\rulenamestyle{#1}}} \newcommand*{\tagH}[1]{\taghref{#1}{#1}} ... ...
