Initial commit.

.gitignore

+*.vo
+*.vio
+*.v.d
+.coqdeps.d
+*.glob
+*.cache
+*.aux
+\#*\#
+.\#*
+*~
+*.bak
+.coqdeps.d
+.coq-native/
+build-dep/
+Makefile.coq
+Makefile.coq.conf
+*.crashcoqide

LICENSE

+All files in this development are distributed under the terms of the BSD
+license, included below.
+
+------------------------------------------------------------------------------
+
+                            BSD LICENCE
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

+# Forward most targets to Coq makefile (with some trick to make this phony)
+%: Makefile.coq phony
+	+@make -f Makefile.coq $@
+
+all: Makefile.coq
+	+@make -f Makefile.coq all
+.PHONY: all
+
+clean: Makefile.coq
+	+@make -f Makefile.coq clean
+	find theories $$(test -d tests && echo tests) \( -name "*.d" -o -name "*.vo" -o -name "*.aux" -o -name "*.cache" -o -name "*.glob" -o -name "*.vio" \) -print -delete
+	rm -f Makefile.coq
+.PHONY: clean
+
+# Create Coq Makefile. POSIX awk can't do in-place editing, but coq_makefile wants the real
+# filename, so we do some file gymnastics.
+Makefile.coq: _CoqProject Makefile awk.Makefile
+	"$(COQBIN)coq_makefile" -f _CoqProject -o Makefile.coq
+	mv Makefile.coq Makefile.coq.tmp && awk -f awk.Makefile Makefile.coq.tmp > Makefile.coq && rm Makefile.coq.tmp
+
+# Install build-dependencies
+build-dep/opam: opam Makefile
+	@echo "# Creating build-dep package."
+	@mkdir -p build-dep
+	@sed <opam -E 's/^(build|install|remove):.*/\1: []/; s/^name: *"(.*)" */name: "\1-builddep"/' >build-dep/opam
+	@fgrep builddep build-dep/opam >/dev/null || (echo "sed failed to fix the package name" && exit 1) # sanity check
+
+build-dep: build-dep/opam phony
+	@# We want opam to not just instal the build-deps now, but to also keep satisfying these
+	@# constraints.  Otherwise, `opam upgrade` may well update some packages to versions
+	@# that are incompatible with our build requirements.
+	@# To achieve this, we create a fake opam package that has our build-dependencies as
+	@# dependencies, but does not actually install anything.
+	@# Reinstalling is needed with opam 1 in case the pin already exists, but the builddep
+	@# package changed.
+	@BUILD_DEP_PACKAGE="$$(egrep "^name:" build-dep/opam | sed 's/^name: *"\(.*\)" */\1/')" && \
+	  echo "# Pinning build-dep package." && \
+	  opam pin add -k path $(OPAMFLAGS) "$$BUILD_DEP_PACKAGE".dev build-dep && \
+	  ((! opam --version | grep "^1\." > /dev/null) || ( \
+	    echo "# Reinstalling build-dep package." && \
+	    opam reinstall $(OPAMFLAGS) "$$BUILD_DEP_PACKAGE" \
+	  ))
+
+# Some files that do *not* need to be forwarded to Makefile.coq
+Makefile: ;
+_CoqProject: ;
+awk.Makefile: ;
+opam: ;
+
+# Phony wildcard targets
+phony: ;
+.PHONY: phony

README.md

+# Iron: Managing Obligations in Higher-Order Concurrent Separation Logic
+
+This repository contains the Iron logic, as described in the POPL'19 paper
+"Iron: Managing Obligations in Higher-Order Concurrent Separation Logic" by
+Aleš Bizjak, Daniel Gratzer, Robbert Krebbers, and Lars Birkedal.
+
+## Building Iris
+
+Iron has been built and tested with the following dependencies
+
+ - Coq 8.7.1 / 8.7.2 / 8.8.0
+ - A development version of [std++](https://gitlab.mpi-sws.org/robbertkrebbers/coq-stdpp)
+
+## Directory Structure
+
+- In `theories/algebra` two new cameras are defined.
+  1. Improper fractions as a camera without identity with addition as
+     the operation are defined in `theories/algebra/vfrac.v`.
+  2. The fractional authoritative camera described in Section 5 built
+     with improper fractions is defined in
+     `theories/algebra/vfrac_auth.v`.
+
+- The semantics of the connectives of the lifted logic are given in
+  `theories/bi/fracpred.v`.
+
+    This file does not contain a description of the lifted program
+  logic but instead contains the definitions of ∧, ∗, ∀, and other
+  the other connectives. It also contains all the rules of the
+  specific to this logic that are used later.
+
+- The machinery for connecting the generalized proofmode from
+ `iris-coq` to fractional predicates is contained in
+ `theories/proofmode`.
+
+- In `theories/iron_logic` much of the core Iron logic discussed
+  in Section 2 is defined.
+
+  * Uniformity with respect to fractions is defined in
+    `theories/iron_logic/iron.v` as `Uniform` and
+    several closure properties of it are proved.
+  * Trackable invariants as discussed in Section 2.1 are formalized
+    in `theories/iron_logic/fcinv.v`.
+  * The definition of weakest preconditions from Section 4 is in
+   `theories/iron_logic/weakestpre.v`.
+
+- The formalization specific to the λref,conc is in
+  `theories/heap_lang`.
+
+  * The definition of the heap in terms of ghost state from Section
+    5 is in `theories/heap_lang/heap.v` as `heapG`. So too are
+    the definitions of ↦ and e (in the formalization called `perm`).
+  * The theorems stated in Section 5 about updates to the heap ghost
+    state are proven in `theories/heap_lang/heap.v`.
+  * The state interpretation from Section 5 is defined in
+    `theories/heap_lang/heap.v` as `heap_ctx`.
+  * Theorems 2.1, 2.2, 4.1, and 4.2 are proven in
+    `theories/heap_lang/adequacy.v`.
+  * The operational semantics from Figure 4 are defined in
+    `theories/heap_lang/lang.v`.
+  * The rules from Figures 1, 2, 3, and 5 are proven in
+    `theories/heap_lang/lifting.v`.
+
+- All of the examples of the paper are formalized and may be found in
+  `theories/heap_lang/lib/`. All of the examples are formalized
+  purely within the lifted logic. There is no fraction accounting in
+  the proofs and no significant bookkeeping beyond what is found in
+  vanilla Iris.
+ 
+    As mentioned in the paper, a small portion of `par` cannot be
+  formalized in the lifted logic but in the formalization this is
+  factored out into `spawn` in `theories/heap_lang/lib/spawn.v`.
+
+  * The example from 3.1 is in `theories/heap_lang/lib/resource_transfer_par.v`.
+  * The example from 3.2 is in `theories/heap_lang/lib/resource_transfer_fork.v`.
+  * The example from 3.3 is in `theories/heap_lang/lib/message_passing.v`.
+  * The example from 3.4 is in `theories/heap_lang/lib/message_passing_example.v`.
+  * The example from 3.5 is in `theories/heap_lang/lib/par.v`.
+
+    Note that `spawn.v`, `resource_transfer_par.v`, and `resource_transfer_fork.v`
+  use the same state transition system (from Figure 3). This is formalized in
+  `theories/heap_lang/lib/transfer_resource_sts.v`.
+   
+## Differences Between the Formalization and The Paper
+
+There are a number of small differences between the paper presentation
+of Iron and the formalization in Coq. We briefly discuss them here.
+
+### Weakest Preconditions and Texan Triples
+
+In the paper we have worked with Hoare triples in
+specifying theorems and rules. In the Iris formalization we have used
+weakest preconditions. Weakest preconditions are used for the
+definition of Hoare triples (see Section 5) but in the formalization
+we also work with them throughout the proofs and in some
+specifications. They are often easier more convenient to work with in
+Coq because they allow us to use the Iris proofmode context and native
+Coq context for manipulating preconditions.
+
+More than this, in the paper we define Hoare triples as follows:
+
+    {P} e {v. Q(v)} ≜ □ (P -∗ wp e {v. Q(v)})
+
+In the Coq formalization this proves to be often unwieldy. Generally
+when we has a Hoare triple `{P} e {v.Q(v)}` we use it by applying it to a
+goal of the form `wp e {v. Q'(v')}`. With this definition, we must
+first apply a lemma about the monotonicity of Hoare triples to obtain
+`{P} e {Q'(v)}` from `∀ v. Q(v) -∗ Q'(v)` and then we may apply
+this. In Coq we *bake in this cut* with so called Texan Triples,
+defined as follows:
+
+    {P} e {v. Q(v)} ≜
+      □ ∀ Φ : Val → iProp. P -∗ ▷ (∀ v. Q(v) -∗ Φ(v)) -∗ wp e {v. Φ(v)}
+
+With this formulation we can apply `{P} e {v. Q(v)}` to any goal of the
+form `wp e {v. Q'(v)}`, saving a step. Additionally, the fact that we
+only need to prove the implication for post-conditions under a ▷ is
+a strictly more general requirement.
+
+### Invariant Rules
+
+In the paper all of the invariant rules are stated in terms of Hoare
+triples. In Coq this is a needless entangling and a more flexible
+collection of invariant rules is used instead.
+Specifically, rather than proving rules such as
+`LTINV-OPEN` which specify how to open an invariant with a Hoare
+triple, we have rules specifying invariants in terms of the fancy
+update modality.
+
+This modality was briefly discussed in the paper. It is defined in
+`iris-coq/theories/base_logic/lib/fancy_update.v` (as `fupd_def`) and
+its adaption to for the the lifted logic is defined in
+`theories/iron_logic/iron.v` (as `iron_fupd_def`). Briefly, it's
+a frame-preserving update which also allows for the use of invariants.
+
+Since weakest preconditions (and by extension Hoare triples) are
+defined with fancy updates the invariant rules written in terms of fancy
+updates lift easily to the ones described in the paper.
+The paper rules are less flexible though because they only
+apply when the goal is a weakest precondition or Hoare triple rather
+than any goal with fancy updates.
+
+Instead of the Hoare rule for invariant allocation, for instance, in
+the formalization we have `fcinv_alloc_named` from
+`theories/iron_logic/fcinv.v` which states that the following
+holds:
+
+    ▷ (∀ γ. Ψ γ) -∗
+      |={E}=> ∃ γ. fcinv_own γ 1 ∗ fcinv_cancel_own γ 1 ∗ fcinv N γ (Ψ γ)
+
+This can be used to derive `LINV-ALLOC` when used in conjunction with
+`HOARE-CONS`. The latter rule is called `ht_vs` in
+`iris-coq/theories/program_logic/hoare.v`.
+
+There is a correspondence between the invariant rules presented in the
+paper with Hoare triples and those in the formalization.
+
+ - `TINV-ALLOC` and `LTINV-ALLOC` follow from `fcinv_alloc_named`.
+ - `TINV-OPEN` and `LTINV-OPEN` follow from `fcinv_open`.
+ - `TINV-DEALLOC` and `LTINV-DEALLOC` follow from `fcinv_cancel`.
+
+All of these theorems are proven in `theories/iron_logic/fcinv.v`.
+
+The rules governing normal Iris invariants, such as those for `INV-OPEN`,
+are also defined using the fancy update modality. They may be found in
+`iris-coq/theories/base_logic/lib/invariants.v`.
+
+## A Correspondence of Theorems, Definitions, and Examples in the Paper to the Formalization
+
+While the correspondence between the contents of the paper and the
+formalization is discussed above, we have provided an explicit table
+for convenience.
+
+The format of the table is as follows: Name of
+Theorem/Rule/Definition/Proposition, the name in the formalization,
+and the file in the formalization.
+
+ - The language definition in Section 2, `expr`, `theories/heap_lang/lang.v`
+ - `e` and `↦`, `perm` and `↦`, `theories/heap_lang/heap.v`
+ - Trackable invariants, `fcinv`, `theories/iron_logic/fcinv.v`
+ - `OPerm(-, -)`, `fcinv_own`, `theories/iron_logic/fcinv.v`
+ - `DPerm(-, -)`, `fcinv_cancel_own`, `theories/iron_logic/fcinv.v`
+ - `HOARE-FRAME`, `hoare_frame_r`, `iris-coq/theories/program_logic/hoare.v`
+ - `HOARE-VAL`, `ht_val`, `iris-coq/theories/program_logic/hoare.v`
+ - `HOARE-λ`, `pure_rec`, `theories/heap_lang/lifting.v`
+ - `HOARE-BIND`, `ht_bind`, `iris-coq/theories/program_logic/hoare.v`
+ - `EMP-SPLIT`, `perm_split`, `theories/heap_lang/heap.v`
+ - `PT-SPLIT`, `mapsto_uniform`, `theories/heap_lang/heap.v`
+ - `PT-DISJ`, `mapsto_valid_2`, `theories/heap_lang/heap.v`
+ - `HOARE-ALLOC`, `wp_alloc`, `theories/heap_lang/lifting.v`
+ - `HOARE-FREE`, `wp_free`, `theories/heap_lang/lifting.v`
+ - `HOARE-LOAD`, `wp_load`, `theories/heap_lang/lifting.v`
+ - `HOARE-STORE`, `wp_store`, `theories/heap_lang/lifting.v`
+ - `HOARE-FORK-EMP`/`HOARE-FORK-TRUE`, `wp_fork`, `theories/heap_lang/lifting.v`
+ - `INV-DUP`, `inv_persistent`, `theories/heap_lang/lifting.v`
+ - `INV-ALLOC`, `inv_alloc`, `iris-coq/theories/base_logic/lib/invariants.v`
+ - `INV-OPEN`, `inv_open`, `iris-coq/theories/base_logic/lib/invariants.v`
+ - `TINV-SPLIT`, `fcinv_own_fractional`, `theories/iron_logic/fcinv.v`
+ - `TINV-DUP`, `fcinv_persistent`, `theories/iron_logic/fcinv.v`
+ - `TINV-ALLOC`, `fcinv_alloc_named`, `theories/iron_logic/fcinv.v`
+ - `TINV-OPEN`, `fcinv_open`, `theories/iron_logic/fcinv.v`
+ - `TINV-DEALLOC`, `fcinv_cancel`, `theories/iron_logic/fcinv.v`
+ - Uniform with respect to fractions, `Uniform`, `theories/iron_logic/iron.v`
+ - `HOARE-CONS`, `ht_vs`, `iris-coq/theories/program_logic/hoare.v`
+ - The rules from Figure 4, `head_step`, `theories/heap_lang/lang.v`
+ - Theorem 2.1, `heap_adequacy`, `theories/heap_lang/adequacy.v`
+ - Theorem 2.2, `heap_strong_adequacy`, `theories/heap_lang/adequacy.v`
+ - `HOARE-PAR`, `par_spec`, `theories/heap_lang/lib/par.v`
+ - The example from 3.1, `transfer_works1`, `theories/heap_lang/lib/resource_tranfer_par.v`
+ - The example from 3.2, `transfer_works1`, `theories/heap_lang/lib/resource_tranfer_fork.v`
+ - The example from 3.3, Several theorems, `theories/heap_lang/lib/message_passing.v`
+ - The example from 3.4, `program_spec`, `theories/heap_lang/lib/message_passing_example.v`
+ - The example from 3.5, Several theorems, `theories/heap_lang/lib/{spawn, par}.v`
+ - Definitions of lifted connectives, Several definitions, `theories/bi/fracpred.v`
+ - Definition of lifted `↦`, `↦`, `theories/heap_lang/heap.v`
+ - `LHOARE-FRAME`, `iron_wp_frame_r`, `iris-coq/theories/program_logic/hoare.v`
+ - `LHOARE-VAL`, `iron_wp_val`, `iris-coq/theories/program_logic/hoare.v`
+ - `LHOARE-λ`, `pure_rec`, `theories/heap_lang/lifting.v`
+ - `LHOARE-BIND`, `iron_wp_bind`, `iris-coq/theories/program_logic/hoare.v`
+ - `LPT-DISJ`, `mapsto_valid_2`, `theories/heap_lang/heap.v`
+ - `LHOARE-ALLOC`, `iron_wp_alloc`, `theories/heap_lang/lifting.v`
+ - `LHOARE-FREE`, `iron_wp_free`, `theories/heap_lang/lifting.v`
+ - `LHOARE-LOAD`, `iron_wp_load`, `theories/heap_lang/lifting.v`
+ - `LHOARE-STORE`, `iron_wp_store`, `theories/heap_lang/lifting.v`
+ - `LHOARE-FORK`, `iron_wp_fork`, `theories/heap_lang/lifting.v`
+ - `LTINV-SPLIT`, `fcinv_own_fractional`, `theories/iron_logic/fcinv.v`
+ - `LTINV-DUP`, `fcinv_persistent`, `theories/iron_logic/fcinv.v`
+ - `LTINV-ALLOC`, `fcinv_alloc_named`, `theories/iron_logic/fcinv.v`
+ - `LTINV-OPEN`, `fcinv_open`, `theories/iron_logic/fcinv.v`
+ - `LTINV-DEALLOC`, `fcinv_cancel`, `theories/iron_logic/fcinv.v`
+ - Definition of Hoare triples, `iron_wp`, `theories/iron_logic/weakestpre.v`
+ - Theorem 4.1, `heap_adequacy`, `theories/heap_lang/adequacy.v`
+ - Theorem 4.2, `heap_strong_adequacy`, `theories/heap_lang/adequacy.v`
+ - Definition of WP in Section 5, `wp_def`, `iris-coq/theories/program_logic/weakestpre.v`
+ - Definition of state interp from Section 5, `heap_ctx`, `theories/heap_lang/heap.v`
+ - Theorem 5.1, `wp_strong_all_adequacy`, `iris-coq/theories/program_logic/adequacy.v`
+

_CoqProject

+-Q theories iron
+-arg -w -arg -notation-overridden,-redundant-canonical-projection,-several-object-files
+theories/algebra/vfrac.v
+theories/algebra/vfrac_auth.v
+theories/bi/fracpred.v
+theories/proofmode/fracpred.v
+theories/iron_logic/iron.v
+theories/iron_logic/fcinv.v
+theories/iron_logic/weakestpre.v
+theories/iron_logic/adequacy.v
+theories/iron_logic/lifting.v
+theories/heap_lang/lang.v
+theories/heap_lang/heap.v
+theories/heap_lang/tactics.v
+theories/heap_lang/lifting.v
+theories/heap_lang/notation.v
+theories/heap_lang/adequacy.v
+theories/heap_lang/proofmode.v
+theories/heap_lang/lib/spawn.v
+theories/heap_lang/lib/par.v
+theories/heap_lang/lib/spin_lock.v
+theories/heap_lang/lib/spin_lock_track.v
+theories/heap_lang/lib/resource_transfer_par.v
+theories/heap_lang/lib/resource_transfer_fork.v
+theories/heap_lang/lib/resource_transfer_sts.v
+theories/heap_lang/lib/list.v
+theories/heap_lang/lib/bag.v
+theories/heap_lang/lib/queue.v
+theories/heap_lang/lib/message_passing.v
+theories/heap_lang/lib/message_passing_example.v

awk.Makefile

+# awk program that patches the Makefile generated by Coq.
+
+# Detect the name this project will be installed under.
+/\$\(COQLIBINSTALL\)\/.*\/\$\$i/ {
+# Wow, POSIX awk is really broken.  I mean, isn't it supposed to be a text processing language?
+# And there is not even a way to access the matched groups of a regexp...?!? Lucky enough,
+# we can just split the string at '/' here.
+	split($0, PIECES, /\//);
+	PROJECT=PIECES[2];
+}
+
+# Patch the uninstall target to work properly, and to also uninstall stale files.
+# Also see <https://coq.inria.fr/bugs/show_bug.cgi?id=4907>.
+# This (and the section above) can be removed once we no longer support Coq 8.6.
+/^uninstall: / {
+	print "uninstall:";
+	print "\tif [ -d \"$(DSTROOT)\"$(COQLIBINSTALL)/"PROJECT"/ ]; then find \"$(DSTROOT)\"$(COQLIBINSTALL)/"PROJECT"/ \\( -name \"*.vo\" -o -name \"*.v\" -o -name \"*.glob\" -o \\( -type d -empty \\) \\) -print -delete; fi";
+	getline;
+	next
+}
+
+# This forwards all unchanged lines
+1

theories/algebra/vfrac.v

+(** This file provides a version of the fractional camera whose elements can be
+between (not including) 0 and infinity. This differs from the standard
+fractional camera in [algebra/frac] in the Iris repository, whose elements
+be [≤ 1]. Fractions [> 1] are mainly useful in combination with the fractional
+authoritative cameras, as in the file [vfrac_auth].
+
+This file is much the same as the one in the Iris repository. The main
+difference is that the validity predicate is changed (it is [True] instead of
+[≤ 1]). To avoid ambiguity in the canonical structure search, we wrap the
+type of fractions [vfrac] in a definition instead of a notation. *)
+From Coq.QArith Require Import Qcanon.
+From iris.algebra Require Export cmra.
+From iris.algebra Require Import proofmode_classes.
+Set Default Proof Using "Type".
+
+Definition vfrac := Qp.
+
+Section vfrac.
+Canonical Structure vfracC := leibnizC vfrac.
+
+Instance vfrac_valid : Valid vfrac := λ x, True.
+Instance vfrac_pcore : PCore vfrac := λ _, None.
+Instance vfrac_op : Op vfrac := λ x y, (x + y)%Qp.
+
+Lemma vfrac_included (x y : vfrac) : x ≼ y ↔ (x < y)%Qc.
+Proof. by rewrite Qp_lt_sum. Qed.
+
+Corollary vfrac_included_weak (x y : vfrac) : x ≼ y → (x ≤ y)%Qc.
+Proof. intros ?%vfrac_included. auto using Qclt_le_weak. Qed.
+
+Definition vfrac_ra_mixin : RAMixin vfrac.
+Proof. split; try apply _; try done. Qed.
+Canonical Structure vfracR := discreteR vfrac vfrac_ra_mixin.
+
+Global Instance vfrac_cmra_discrete : CmraDiscrete vfracR.
+Proof. apply discrete_cmra_discrete. Qed.
+End vfrac.
+
+Global Instance vfrac_cancelable (q : vfrac) : Cancelable q.
+Proof. intros ?????. by apply Qp_eq, (inj (Qcplus q)), (Qp_eq (q+y) (q+z))%Qp. Qed.
+
+Global Instance vfrac_id_free (q : vfrac) : IdFree q.
+Proof.
+  intros [q0 Hq0] ? EQ%Qp_eq. rewrite -{1}(Qcplus_0_r q) in EQ.
+  eapply Qclt_not_eq; first done. by apply (inj (Qcplus q)).
+Qed.
+
+Lemma vfrac_op' (q p : vfrac) : (p ⋅ q) = (p + q)%Qp.
+Proof. done. Qed.
+
+Global Instance is_op_vfrac (q : vfrac) : IsOp' q (q/2)%Qp (q/2)%Qp.
+Proof. by rewrite /IsOp' /IsOp vfrac_op' Qp_div_2. Qed.

theories/algebra/vfrac_auth.v

+(** This file provides a version of the fractional authoritative camera that
+can be used with fractions [> 1]. This is useful in the state interpretation of
+Iron (see the file [heap_lang/heap]), where we want to keep track of a surplus
+of fragmental elements by forked-off threads.
+
+Much of the reasoning principles for this version of the fractional
+authoritative cameras are the same as for the original version. There are two
+difference:
+
+- We get the additional rule:
+
+  <<<
+  ✓ (a ⋅ b) → ●?{p} a ~~> ●?{p + q} (a ⋅ b) ⋅ ◯?{q} b
+  >>>
+
+  That can be used to allocate a surplus.
+- We no longer have the [◯?{1} a] is the exclusive fragmental element (cf.
+  [frac_auth_frag_validN_op_1_l] in Iris).
+*)
+From iris.algebra Require Export auth frac.
+From iron.algebra Require Import vfrac.
+From iris.algebra Require Export updates local_updates.
+From iris.algebra Require Import proofmode_classes.
+From Coq Require Import QArith Qcanon.
+
+Definition vfrac_authR (A : cmraT) : cmraT :=
+  authR (optionUR (prodR vfracR A)).
+Definition vfrac_authUR (A : cmraT) : ucmraT :=
+  authUR (optionUR (prodR vfracR A)).
+
+Definition vfrac_auth_auth {A : cmraT} (q : Qp) (x : A) : vfrac_authR A :=
+  ● (Some (q,x)).
+Definition vfrac_auth_frag {A : cmraT} (q : Qp) (x : A) : vfrac_authR A :=
+  ◯ (Some (q,x)).
+
+Typeclasses Opaque vfrac_auth_auth vfrac_auth_frag.
+
+Instance: Params (@vfrac_auth_auth) 2.
+Instance: Params (@vfrac_auth_frag) 2.
+
+Notation "●?{ q } a" := (vfrac_auth_auth q a) (at level 10, format "●?{ q }  a").
+Notation "◯?{ q } a" := (vfrac_auth_frag q a) (at level 10, format "◯?{ q }  a").
+
+Section vfrac_auth.
+  Context {A : cmraT}.
+  Implicit Types a b : A.
+
+  Global Instance vfrac_auth_auth_ne q : NonExpansive (@vfrac_auth_auth A q).
+  Proof. solve_proper. Qed.
+  Global Instance vfrac_auth_auth_proper q : Proper ((≡) ==> (≡)) (@vfrac_auth_auth A q).
+  Proof. solve_proper. Qed.
+  Global Instance vfrac_auth_frag_ne q : NonExpansive (@vfrac_auth_frag A q).
+  Proof. solve_proper. Qed.
+  Global Instance vfrac_auth_frag_proper q : Proper ((≡) ==> (≡)) (@vfrac_auth_frag A q).
+  Proof. solve_proper. Qed.
+
+  Global Instance vfrac_auth_auth_discrete a : Discrete a → Discrete (●?{q} a).
+  Proof. intros; apply Auth_discrete; apply _. Qed.
+  Global Instance vfrac_auth_frag_discrete a : Discrete a → Discrete (◯?{q} a).
+  Proof. intros; apply Auth_discrete, Some_discrete; apply _. Qed.
+
+  Lemma vfrac_auth_validN n a p : ✓{n} a → ✓{n} (●?{p} a ⋅ ◯?{p} a).
+  Proof. done. Qed.
+
+  Lemma vfrac_auth_valid p a : ✓ a → ✓ (●?{p} a ⋅ ◯?{p} a).
+  Proof. done. Qed.
+
+  Lemma vfrac_auth_agreeN n p a b : ✓{n} (●?{p} a ⋅ ◯?{p} b) → a ≡{n}≡ b.
+  Proof.
+    rewrite auth_validN_eq /= => -[Hincl Hvalid].
+    move: Hincl=> /Some_includedN=> -[[_ ? //]|[[[p' ?] ?] [/=]]].
+    move=> /discrete_iff /leibniz_equiv_iff; rewrite vfrac_op'=> [/Qp_eq/=].
+    rewrite -{1}(Qcplus_0_r p)=> /(inj (Qcplus p))=> ?; by subst.
+  Qed.
+  Lemma vfrac_auth_agree p a b : ✓ (●?{p} a ⋅ ◯?{p} b) → a ≡ b.
+  Proof.
+    intros. apply equiv_dist=> n. by eapply vfrac_auth_agreeN, cmra_valid_validN.
+  Qed.
+  Lemma vfrac_auth_agreeL `{!LeibnizEquiv A} p a b : ✓ (●?{p} a ⋅ ◯?{p} b) → a = b.
+  Proof. intros. by eapply leibniz_equiv, vfrac_auth_agree. Qed.
+
+  Lemma vfrac_auth_includedN n p q a b : ✓{n} (●?{p} a ⋅ ◯?{q} b) → Some b ≼{n} Some a.
+  Proof. by rewrite auth_validN_eq /= => -[/Some_pair_includedN [_ ?] _]. Qed.
+  Lemma vfrac_auth_included `{CmraDiscrete A} q p a b :
+    ✓ (●?{p} a ⋅ ◯?{q} b) → Some b ≼ Some a.
+  Proof. rewrite auth_valid_discrete /= => -[/Some_pair_included [_ ?] _] //. Qed.
+  Lemma vfrac_auth_includedN_total `{CmraTotal A} n q p a b :
+    ✓{n} (●?{p} a ⋅ ◯?{q} b) → b ≼{n} a.
+  Proof. intros. by eapply Some_includedN_total, vfrac_auth_includedN. Qed.
+  Lemma vfrac_auth_included_total `{CmraDiscrete A, CmraTotal A} q p a b :
+    ✓ (●?{p} a ⋅ ◯?{q} b) → b ≼ a.
+  Proof. intros. by eapply Some_included_total, vfrac_auth_included. Qed.
+
+  Lemma vfrac_auth_auth_validN n q a : ✓{n} (●?{q} a) ↔ ✓{n} a.
+  Proof.
+    split; [by intros [_ [??]]|].
+    repeat split; simpl; by try apply: ucmra_unit_leastN.
+  Qed.
+  Lemma vfrac_auth_auth_valid q a : ✓ (●?{q} a) ↔ ✓ a.
+  Proof. rewrite !cmra_valid_validN. by setoid_rewrite vfrac_auth_auth_validN. Qed.
+
+  Lemma vfrac_auth_frag_validN n q a : ✓{n} (◯?{q} a) ↔ ✓{n} a.
+  Proof. split. by intros [??]. by split. Qed.
+  Lemma vfrac_auth_frag_valid q a : ✓ (◯?{q} a) ↔ ✓ a.
+  Proof. split. by intros [??]. by split. Qed.
+
+  Lemma vfrac_auth_frag_op q1 q2 a1 a2 : ◯?{q1+q2} (a1 ⋅ a2) ≡ ◯?{q1} a1 ⋅ ◯?{q2} a2.
+  Proof. done. Qed.
+
+  Global Instance is_op_vfrac_auth q q1 q2 a a1 a2 :
+    IsOp q q1 q2 → IsOp a a1 a2 → IsOp' (◯?{q} a) (◯?{q1} a1) (◯?{q2} a2).
+  Proof. by rewrite /IsOp' /IsOp=> /leibniz_equiv_iff -> ->. Qed.
+
+  Global Instance is_op_vfrac_auth_core_id q q1 q2 a :
+    CoreId a → IsOp q q1 q2 → IsOp' (◯?{q} a) (◯?{q1} a) (◯?{q2} a).
+  Proof.
+    rewrite /IsOp' /IsOp=> ? /leibniz_equiv_iff ->.
+    by rewrite -vfrac_auth_frag_op -core_id_dup.
+  Qed.
+
+  Lemma vfrac_auth_update p q a b a' b' :
+    (a,b) ~l~> (a',b') → ●?{p} a ⋅ ◯?{q} b ~~> ●?{p} a' ⋅ ◯?{q} b'.
+  Proof.
+    intros. apply: auth_update.
+    apply: option_local_update. by apply: prod_local_update_2.
+  Qed.
+
+  Lemma vfrac_auth_update' p q a b :
+   ✓ (a ⋅ b) → ●?{p} a ~~> ●?{p + q} (a ⋅ b) ⋅ ◯?{q} b.
+  Proof.
+    intros Hconsistent. apply: auth_update_alloc.
+    intros n m; simpl; intros [Hvalid1 Hvalid2] Heq.
+    split.
+    - split; by apply cmra_valid_validN.
+    - rewrite -pair_op Some_op Heq comm.
+      destruct m; simpl; [rewrite left_id | rewrite right_id]; done.
+  Qed.
+End vfrac_auth.

theories/heap_lang/adequacy.v

+(** This file proves the basic and correct usage of resources adequacy
+statements for [heap_lang]. It does do so by appealing to the generic results
+in [iron_logic/adequacy].
+
+Note, we only state adequacy for the lifted logic, because in the Coq
+formalization we state all specifications in terms of the lifted logic. *)
+From iris.algebra Require Import big_op gmap.
+From iron.iron_logic Require Export weakestpre adequacy.
+From iron.algebra Require Import vfrac_auth vfrac.
+From iron.heap_lang Require Import heap.
+From iris.proofmode Require Import tactics.
+Set Default Proof Using "Type".
+
+Class heapPreG Σ := HeapPreG {
+  heap_preG_iris :> ironInvPreG Σ;
+  heap_preG_inG :> inG Σ (vfrac_authR heapUR);