CHANGELOG.md

In this changelog, we document "large-ish" changes to Iris that affect even the way the logic is used on paper. We also document changes in the Coq development; every API-breaking change should be listed, but not every new lemma.

Iris master

With this release, we dropped support for Coq 8.9 and Coq 8.10.

We also split Iris into multiple opam packages: coq-iris no longer contains HeapLang, which is now in a separate package coq-iris-heap-lang.

Changes in algebra:

• Rename agree_op_inv' to to_agree_op_inv, agree_op_invL' to to_agree_op_inv_L, and add to_agree_op_invN.
• Rename auth_auth_frac_op_invL to auth_auth_frac_op_inv_L, excl_auth_agreeL to excl_auth_agree_L, frac_auth_agreeL to frac_auth_agree_L, and ufrac_auth_agreeL to ufrac_auth_agree_L.
• Add constructions to define a camera through restriction of the validity predicate (iso_cmra_mixin_restrict) and through an isomorphism (iso_cmra_mixin).
• Add a frac_agree library which encapsulates frac * agree A for some OFE A, and provides some useful lemmas.
• Fix direction of auth_auth_validN to make it consistent with similar lemmas, e.g., auth_auth_valid. The direction is now ✓{n} (● a) ↔ ✓{n} a.
• Rename auth_both_valid to auth_both_valid_discrete and auth_both_frac_valid to auth_both_frac_valid_discrete. The old name is used for new, stronger lemmas that do not assume discreteness.
• Add the view camera view, which generalizes the authoritative camera auth by being parameterized by a relation that relates the authoritative element with the fragments.
• Redefine the authoritative camera in terms of the view camera. As part of this change, we have removed lemmas that leaked implementation details. Hence, the only way to construct elements of auth is via the elements ●{q} a and ◯ b. The constructor Auth, and the projections auth_auth_proj and auth_frag_proj no longer exist. Lemmas that referred to these constructors have been removed, in particular: auth_equivI, auth_validI, auth_included, auth_valid_discrete, and auth_both_op. For validity, use auth_auth_valid*, auth_frag_valid*, or auth_both_valid* instead.
• Rename auth_update_core_id into auth_update_frac_alloc.
• Add the camera of discardable fractions dfrac. This is a generalization of the normal fractional camera. See algebra.dfrac for further information.
• Rename cmra_monotone_valid into cmra_morphism_valid (this rename was forgotten in !56).
• Add gmap_view, a camera providing a "view of a gmap". The authoritative element is any gmap; the fragment provides fractional ownership of a single key, including support for persistent read-only ownership through dfrac. See algebra.lib.gmap_view for further information. NOTE: The API surface for gmap_view is experimental and subject to change.
• Move the *_validI and *_equivI lemmas to a new module, base_logic.algebra. That module is exported by base_logic.base_logic so it should usually be available everywhere without further changes.
• The authoritative fragment ✓ (◯ b : auth A) is no longer definitionally equal to ✓ b.
• Add mono_nat, a wrapper for auth max_nat. The result is an authoritative nat where a fragment is a lower bound whose ownership is persistent. See algebra.lib.mono_nat for further information.
• Add the gset_bij resource algebra for monotone partial bijections. See algebra.lib.gset_bij for further information.
• Change *_valid lemma statements involving fractions to use Qp addition and inequality instead of RA composition and validity (also in base_logic and the higher layers).
• Move algebra.base module to prelude.prelude.
• Strengthen cmra_op_discrete to assume only ✓{0} (x1 ⋅ x2) instead of ✓ (x1 ⋅ x2).
• Rename the types ofeT→ofe, cmraT→cmra, ucmraT→ucmra, and the constructors OfeT→Ofe, CmraT→Cmra, and UcmraT→Ucmra since the T suffix is not needed. This change makes these names consistent with bi, which also does not have a T suffix.
• Rename typeclass instances of CMRA operational typeclasses (Op, Core, PCore, Valid, ValidN, Unit) to have a _instance suffix, so that their original names are available to use as lemma names.
• Rename frac_valid'→frac_valid, frac_op'→frac_op, ufrac_op'→ufrac_op, coPset_op_union → coPset_op, coPset_core_self → coPset_core, gset_op_union → gset_op, gset_core_self → gset_core, gmultiset_op_disj_union → gmultiset_op, gmultiset_core_empty → gmultiset_core, nat_op_plus → nat_op, max_nat_op_max → max_nat_op. Those names were previously blocked by typeclass instances.

Changes in bi:

• Add big op lemmas big_op{L,L2,M,M2,S}_intuitionistically_forall and big_sepL2_forall, big_sepMS_forall, big_sepMS_impl, and big_sepMS_dup.
• Remove bi.tactics with tactics that predate the proofmode (and that have not been working properly for quite some time).
• Strengthen persistent_sep_dup to support propositions that are persistent and either affine or absorbing.
• Fix the statement of the lemma fupd_plainly_laterN; the old lemma was a duplicate of fupd_plain_laterN.
• Strengthen big_sepL2_app_inv by weakening a premise (it is sufficient for one of the two pairs of lists to have equal length).
• Add lemmas to big-ops that provide ownership of a single element and permit changing the quantified-over predicate when re-assembling the big-op: big_sepL_lookup_acc_impl, big_sepL2_lookup_acc_impl, big_sepM_lookup_acc_impl, big_sepM2_lookup_acc_impl, big_sepS_elem_of_acc_impl, big_sepMS_elem_of_acc_impl.
• Add lemmas big_sepM_filter' and big_sepM_filter matching the corresponding big_sepS lemmas.
• Add lemmas for big-ops of magic wands: big_sepL_wand, big_sepL2_wand, big_sepM_wand, big_sepM2_wand, big_sepS_wand, big_sepMS_wand.
• Rename equiv_entails → equiv_entails_1_1, equiv_entails_sym → equiv_entails_1_2, and equiv_spec → equiv_entails.
• Remove the laws pure_forall_2 : (∀ a, ⌜ φ a ⌝) ⊢ ⌜ ∀ a, φ a ⌝ from the BI interface and factor it into a type class BiPureForall.
• Add notation ¬ P for P → False to bi_scope.

Changes in proofmode:

• The proofmode now preserves user-supplied names for existentials when using iDestruct ... as (?) "...". This is backwards-incompatible if you were relying on the previous automatic names (which were always "H", possibly freshened). It also requires some changes if you were implementing IntoExist yourself, since the typeclass now forwards names. If your instance transforms one IntoExist into another, you can generally just forward the name from the premise.
• The proofmode also preserves user-supplied names in iIntros, for example with iIntros (?) and iIntros "%", as described for destructing existentials above. As part of this change, it now uses a base name of H for pure facts rather than the previous default of a. This also requires some changes if you were implementing FromForall, in order to forward names.
• Make iFrame "less" smart w.r.t. clean up of modalities. It now consistently removes the modalities <affine>, <absorbing>, <persistent> and □ only if the result after framing is True or emp. In particular, it no longer removes <affine> if the result after framing is affine, and it no longer removes □ if the result after framing is intuitionistic.
• Allow framing below an <affine> modality if the hypothesis that is framed is affine. (Previously, framing below <affine> was only possible if the hypothesis that is framed resides in the intuitionistic context.)
• Add Coq side-condition φ to class ElimAcc (similar to what we already had for ElimInv and ElimModal).
• Add a tactic iSelect pat tac (similar to select in std++) which runs the tactic tac H with the name H of the last hypothesis of the intuitionistic or spatial context matching pat. The tactic iSelect is used to implement:
  • iRename select (pat)%I into name which renames the matching hypothesis,
  • iDestruct select (pat)%I as ... which destructs the matching hypothesis,
  • iClear select (pat)%I which clears the matching hypothesis,
  • iRevert select (pat)%I which reverts the matching hypothesis,
  • iFrame select (pat)%I which cancels the matching hypothesis.