diff --git a/LICENSE b/LICENSE
index 4aed1f5521030b679c66b001b4f8f1af755dc924..1f85999fb2575996d980ef1629737c5929d89466 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,5 +1,5 @@
-All files in this development are distributed under the terms of the BSD
-license, included below.
+All files in this development, excluding those in docs/, are distributed
+under the terms of the BSD license, included below.
 
 ------------------------------------------------------------------------------
 
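Review bot: The reworded opening sentence removes docs/ from the BSD grant but does not say which terms apply to it instead, so as written the files under docs/ have no stated licence. Anyone redistributing or packaging the tree cannot tell what they are allowed to do with that directory. I would name the terms right here, for example `Files in docs/ are distributed under <LICENCE NAME PLACEHOLDER>; see docs/LICENSE.`, and add that file in the same commit. No docs/LICENSE appears in the part of the diff visible here, though the diff continues past this view, so this may already be covered further down.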
diff --git a/docs/.gitignore b/docs/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..b0c520f6f1f62474548cbe8f27ad3630551ea5a0
--- /dev/null
+++ b/docs/.gitignore
@@ -0,0 +1,12 @@
+*.pdf
+*.aux
+*.log
+*.out
+*.synctex.gz
+*.txss
+*.thm
+*.toc
+*.bbl
+*.blg
+*.bcf
+*.run.xml
diff --git a/docs/bib.bib b/docs/bib.bib
new file mode 100644
index 0000000000000000000000000000000000000000..03e1cd6a463713c43f545a2bf59154bfbf181cf3
--- /dev/null
+++ b/docs/bib.bib
@@ -0,0 +1,3579 @@
+
+
+@inproceedings{liang-feng,
+ author = {Liang, Hongjin and Feng, Xinyu},
+ title = {Modular Verification of Linearizability with Non-fixed Linearization Points},
+ booktitle = {PLDI},
+ year = {2013}
+} 
+
+@INPROCEEDINGS{hlrg,
+    author = {Ming Fu and Yong Li and Xinyu Feng and Zhong Shao and Yu Zhang},
+    title = {Reasoning about optimistic concurrency using a program logic for history},
+    booktitle = {CONCUR},
+    year = {2010}
+}
+
+@Book{Milner1999,
+	author={Robin Milner},
+	title={Communicating and Mobile Systems: the $\pi$-Calculus},
+	publisher={Cambridge University Press},
+	year={1999},
+}
+
+@article{Walker:IC1995,
+	Author = {David Walker},
+	Journal = {Inf. Comput.},
+	Number = {2},
+	Pages = {253--271},
+	Title = {Objects in the pi-Calculus},
+	Volume = {116},
+	Year = {1995}}
+
+@inproceedings{jensen-fsl,
+ author = {Jensen, Jonas Braband and Birkedal, Lars},
+ title = {Fictional Separation Logic},
+ booktitle = {ESOP},
+ year = {2012},
+} 
+
+@article{America-Rutten:JCSS89,
+	Author = {Pierre America and Jan Rutten},
+	Journal = {J. Comput. Syst. Sci.},
+	Number = {3},
+	Pages = {343--375},
+	Title = {Solving Reflexive Domain Equations in a Category of Complete Metric Spaces},
+	Volume = {39},
+	Year = {1989}}
+
+@Misc{Sieczkowski+:tutorial14,
+  author = 	 {Filip Sieczkowski and Ale\v{s} Bizjak and Yannick Zakowski and Lars Birkedal},
+  title = 	 {Modular Reasoning about Concurrent Higher-Order Imperative Programs: a {Coq} Tutorial},
+  howpublished = {\url{http://users-cs.au.dk/birke/modures/tutorial/index.html}},
+  year = 	 2014
+}
+
+@inproceedings{birkedal:popl11,
+ author    = "Lars Birkedal and Bernhard Reus and Jan Schwinghammer and Kristian St{\o}vring and Jacob Thamsborg and Hongseok Yang",
+ title     = "Step-Indexed {Kripke} Models over Recursive Worlds",
+ booktitle = "POPL",
+ year = 2011,
+}
+                  
+@inproceedings{parkinson+:popl08,
+ author    = "Matthew Parkinson and Gavin Bierman",
+ title     = "Separation Logic, Abstraction and Inheritance",
+ booktitle = "POPL",
+ year = 2008,
+}
+
+@Unpublished{mogelberg:2009,
+  author = 	 {Rasmus E. M{\o}gelberg},
+  title = 	 {A Nominal Relational Model for Local Variables},
+  note = 	 {Manuscript},
+  month = 	 {may},
+  year = 	 2009,
+  annote = 	 {Available at: \url{http://www.itu.dk/people/mogel/papers/nom-rel-model.pdf}}
+}
+
+@InProceedings{mogelberg-simpson:07,
+  author = 	 {Rasmus E. M{\o}gelberg and Alex Simpson},
+  title = 	 {Relational Parametricity for Computational Effects},
+  booktitle = {LICS},
+  year = 	 2007}
+
+@inproceedings{parkinson05,
+ author = {M. J. Parkinson and  G. M. Bierman},
+ title = {Separation logic and abstraction},
+ booktitle = {POPL},
+ year = {2005},
+ pages = {247--258},
+}
+
+@phdthesis{parkinson_thesis,
+ author    = "Matthew Parkinson",
+ title     = "Local Reasoning for Java",
+ school    = "University of Cambridge",
+ month     = "November",
+ year      = "2005"
+}
+
+
+@Article{honsell+:variable-typed,
+  author = 	 {Furio Honsell and Ian A. Mason and Scott Smith and Carolyn Talcott},
+  title = 	 {A Variable Typed Logic of Effects},
+  journal = 	 {Inf. Comput.},
+  year = 	 {1995},
+  volume = 	 {119},
+  number = 	 {1},
+  pages = 	 {55--90},
+}
+
+@article{sumii-pierce:jacm,
+ author = {Eijiro Sumii and Benjamin Pierce},
+ title = {A Bisimulation for Type Abstraction and Recursion},
+ journal = {JACM},
+ volume = 54,
+ number = 5,
+ year = 2007,
+ pages = {1--43},
+}
+
+@inproceedings{banerjee-naumann:ecoop05,
+  author = "Anindya Banerjee and David A. Naumann",
+  title = "State based ownership, reentrance, and encapsulation",
+  booktitle = {ECOOP},
+  year = 2005,
+}
+
+@InProceedings{koutavas-wand:popl06,
+  author = 	 {Vasileios Koutavas and Mitchell Wand},
+  title = 	 {Small Bisimulations for Reasoning About Higher-Order Imperative Programs},
+  booktitle = 	 {POPL},
+  year = 	 {2006},
+}
+
+@Misc{appendix,
+  title = 	 {Appendix and {Coq} development},
+  note = 	 {\url{http://plv.mpi-sws.org/iris}},
+}
+
+
+@inproceedings{dreyer+:icfp10,
+  author = 	 {Derek Dreyer and Georg Neis and Lars Birkedal},
+  title = 	 {The Impact of Higher-Order State and Control Effects on Local Relational Reasoning},
+  year = 2010,
+  booktitle = {ICFP},
+}
+
+@InProceedings{thamsborg+:icfp11,
+  author = 	 {Jacob Thamsborg and Lars Birkedal},
+  title = 	 {A {Kripke} Logical Relation for Effect-Based Program Transformations},
+  booktitle = {ICFP},
+  year = 2011,
+}
+
+@inproceedings{hur+:popl11,
+  author =       {Chung-Kil Hur and Derek Dreyer},
+  title = 	 {A {Kripke} Logical Relation Between {ML} and Assembly},
+  year = 	 {2011},
+  booktitle = {POPL},
+}
+
+@inproceedings{nakano:lics00,
+  author = "Hiroshi Nakano",
+  title = {A modality for recursion},
+  booktitle = {LICS},
+  year = "2000",
+}
+
+
+
+@InProceedings{birkedal+:fossacs09,
+  author = 	 {Lars Birkedal and Kristian St\o{}vring and Jacob Thamsborg},
+  title = 	 {Realizability Semantics of Parametric Polymorphism, General References, and Recursive Types},
+  booktitle = {FOSSACS},
+  year = 	 {2009},
+}
+
+@inproceedings{plotkin-abadi,
+    AUTHOR = {Gordon Plotkin and Mart\'in Abadi},
+     TITLE = {A logic for parametric polymorphism},
+ BOOKTITLE = {TLCA},
+     year = 1993,
+}
+
+@InCollection{pitts:attapl,
+  author =	 {Andrew Pitts},
+  title =	 {Typed Operational Reasoning},
+  booktitle =	 {Advanced Topics in Types and Programming Languages},
+  year =	 2005,
+  publisher =    {MIT Press},
+  chapter =      {7},
+  editor =	 {B. C. Pierce},
+}
+
+                  
+
+@Article{yoshida+:lmcs08,
+  author = 	 {Nobuko Yoshida and Kohei Honda and Martin Berger},
+  title = 	 {Logical Reasoning for Higher-Order Functions with Local State},
+  journal = 	 {LMCS},
+  year = 	 {2008},
+  volume = 	 {4},
+  number = 	 {4:2},
+}
+
+@Article{BirkedalL:semslt-lmcs,
+  author = 	 {L. Birkedal and N. Torp-Smith and H. Yang},
+  title = 	 {Semantics of Separation-logic Typing and Higher-order Frame Rules for {Algol}-like Languages},
+  journal =      {LMCS},
+  volume =          {2},
+  number =       {5:1},
+  year = 	 2006,
+}
+                  @Article{BirkedalL:parsepl-journal,
+  author = 	 {L. Birkedal and H. Yang},
+  title = 	 {Relational Parametricity and Separation Logic},
+  journal = 	 {Logical Methods in Computer Science},
+  year = 	 2008,
+  volume = 	 4,
+  number = 	 {2:6},
+  pages = 	 {1--27},
+  month = 	 {may}}
+
+
+
+@InProceedings{BirkedalL:bihsl,
+  author = 	 {B. Biering and L. Birkedal and N. Torp-Smith},
+  title = 	 {BI Hyperdoctrines and Higher-order Separation Logic},
+  booktitle =	 {ESOP},
+  year =	 2005,
+}
+
+@InProceedings{Schwinghammer-nested-triples-conf,
+  author = 	 {J. Schwinghammer and L. Birkedal and B. Reus and H. Yang},
+  title = 	 {Nested {H}oare Triples and Frame Rules for Higher-order Store},
+  booktitle =    {CSL},
+  year = 	 2009,
+}
+
+@inproceedings{krishnaswami-tldi09,
+  author    = {Neelakantan R. Krishnaswami and
+               Jonathan Aldrich and
+               Lars Birkedal and
+               Kasper Svendsen and
+               Alexandre Buisse},
+  title     = {Design patterns in separation logic},
+  booktitle = {TLDI},
+  year      = {2009},
+}
+
+@inproceedings{nanevski+:esop07,
+  author    = {Aleksandar Nanevski and
+               Amal Ahmed and
+               Greg Morrisett and
+               Lars Birkedal},
+  title     = {Abstract Predicates and Mutable {ADTs in Hoare Type Theory}},
+  booktitle = {ESOP},
+  year      = {2007},
+}
+
+@inproceedings{petersen-htt,
+  author    = {Rasmus Lerchedahl Petersen and
+               Lars Birkedal and
+               Aleksandar Nanevski and
+               Greg Morrisett},
+  title     = {A Realizability Model for Impredicative {H}oare Type Theory},
+  booktitle = {ESOP},
+  year      = {2008},
+}
+
+@InProceedings{ohearn+:popl04,
+  author =	"Peter W. O'Hearn and Hongseok Yang and John C.
+		 Reynolds",
+  title =	"Separation and Information Hiding",
+  booktitle =	"POPL",
+  year = 	"2004",
+}
+
+@InProceedings{Birkedal:Reus:Schwinghammer:Yang:08,
+  author =	"Lars Birkedal and Bernhard Reus and Jan Schwinghammer and Hongseok Yang",
+  title =	"A Simple Model of Separation Logic for Higher-order Store",
+  booktitle = "{ICALP'08}",
+  pages =	"348--360",
+  year = "2008"
+}
+
+@InProceedings{Banerjee:Naumann:Rosenberg:08,
+  author =	"Anindya Banerjee and David Naumann and Stan Rosenberg",
+  title =	"Regional Logic for Local Reasoning about Global Invariants",
+  booktitle =	"ECOOP",
+  year = 	"2008",
+  url =	"\url{http://www.cs.stevens.edu/~naumann/publications/node2.html}",
+}
+
+
+
+@Article{yang:relational,
+  title =	"Relational Separation Logic",
+  author =	"Hongseok Yang",
+  journal =	"TCS",
+  year = 	"2007",
+  number =	"1--3",
+  volume =	"375",
+  pages =	"308--334",
+}
+
+@IProceedings{birkedal+:ho-frame-rules,
+  author = 	 {Lars Birkedal and Noah Torp-Smith and Hongseok Yang},
+  title = 	 {Semantics of Separation-logic Typing and
+                  Higher-order Frame Rules},
+  booktitle =    {Proc. of LICS'05},
+  year = 	 {2005},
+  pages =        {260-269}
+}
+
+@InProceedings{aydemir+:popl08,
+  author = 	 {Brian Aydemir and Arthur Chargu\'{e}raud and Benjamin C. Pierce and Randy Pollack and Stephanie Weirich},
+  title = 	 {Engineering Formal Metatheory},
+  booktitle = "POPL",
+  year = 2008
+}
+
+@Article{birkedal+:lmcs06,
+  author = 	 {Lars Birkedal and Noah Torp-Smith and Hongseok Yang},
+  title = 	 {Semantics of Separation-logic Typing and
+                  Higher-order Frame Rules},
+  journal = 	 {LMCS},
+  year = 	 {2006},
+  volume = 	 {2},
+  number = 	 {5:1},
+}
+
+@Article{birkedal-yang,
+  author = 	 {Lars Birkedal and Hongseok Yang},
+  title = 	 {Relational Parametricity and Separation Logic},
+  journal = 	 {LMCS},
+  year = 	 {2008},
+  volume = 	 {4},
+  number = 	 {2:6},
+}
+
+@Article{reynolds:types,
+  author =   {John C. Reynolds},
+  title =    {Types, Abstraction, and Parametric Polymorphism},
+  journal =      {Information Processing},
+  year =     1983,
+}
+
+@inproceedings{reynolds:separation,
+  author = "John C. Reynolds",
+  title = "Separation logic: A logic for shared mutable data structures",
+  booktitle = "LICS",
+  year = "2002",
+}
+
+@InProceedings{birkedal-yang-fossacs,
+  title =	"Relational Parametricity and Separation Logic",
+  author =	"Lars Birkedal and Hongseok Yang",
+  year = 	"2007",
+  booktitle =	"FOSSACS",
+  pages =	"",
+  volume =	"4423",
+  series =	"Lecture Notes in Computer Science",
+  editor =	"Helmut Seidl",
+}
+
+@InProceedings{reus-schwinghammer:csl06,
+  author = 	 {Bernhard Reus and Jan Schwinghammer},
+  title = 	 {Separation Logic for Higher-order Store},
+  booktitle =	 {CSL},
+  year =	 "2006",
+}
+
+@InProceedings{Birkedal:Torp-Smith:Reynolds:04,
+  author =	"Lars Birkedal and Noah Torp-Smith and John C.
+		 Reynolds",
+  title =	"Local Reasoning about a Copying Garbage Collector",
+  booktitle =	"Conference Record of the 31st Annual {ACM}
+		 Symposium on Principles of Programming Languages",
+  publisher =	"ACM Press",
+  year = 	2004,
+  series =	"ACM SIGPLAN Notices",
+  pages =	"220--231",
+}
+
+@InProceedings{Thielecke:06,
+  author =	"Hayo Thielecke",
+  title =	"Frame rules from answer types for code pointers",
+  booktitle =    "Conference Record of the 33rd Annual ACM Symposium on
+                 Principles of Programming Languages",
+  publisher =	"ACM Press",
+  pages =	"309--319",
+  year = 	2006,
+}
+
+
+@Article{Reus:Schwinghammer:MSCS,
+  author = 	 {Bernhard Reus and Jan Schwinghammer},
+  title = 	 {Denotational Semantics for a Program Logic of Objects},
+  journal = 	 {Mathematical Structures in Computer Science},
+  year = 	 2006,
+  volume =	 16,
+  number =	 2,
+  pages =	 {313--358},
+  month =	 {April},
+}
+
+@InProceedings{Reus:Streicher:05,
+  author = 	 {Bernhard Reus and Thomas Streicher},
+  title = 	 {About {Hoare} Logics for Higher-Order Store},
+  booktitle =	 {International Colloquium on Automata,
+		 Languages and Programming (ICALP'05)},
+pages =	"1337--1348",
+  year =	 2005,
+  series =	 {Lecture Notes in Computer Science},
+  publisher =	 {Springer}
+}
+
+@InProceedings{Reddy:88,
+  author =       "Uday S. Reddy",
+  title =	"Objects as Closures: Abstract Semantics of
+		 Object-oriented Languages",
+  pages =	"289--297",
+  editor =       "Jerome Chailloux",
+  booktitle =    "Proceedings of the {ACM} Conference on {LISP} and
+		 Functional Programming",
+  month =	jul,
+  year =	 1988,
+  publisher =    "ACM Press",
+}
+
+@InCollection{OHearn:Tennent:92,
+  author =	"Peter W. O'Hearn and Robert D. Tennent",
+  title =	"Semantics of Local Variables",
+  pages =	"217--238",
+  booktitle =	"Applications of Categories in Computer Science",
+  editor =	"M. P. Fourman and P. T. Johnstone and A. M. Pitts",
+  year = 	"1992",
+  publisher =	"Cambridge University Press",
+  series =	"London Mathematical Society Lecture Note Series",
+  volume =	"177",
+}
+
+@InProceedings{Morrisett:Ahmed:Fluet,
+  author = 	 {Greg Morrisett and Amal Ahmed and Matthew Fluet},
+  title = 	 {L3: A Linear Language with Locations},
+  booktitle =	 {Proceedings of the 7th International Conference on Typed Lambda Calculi and Applications (TLCA '05)},
+  year =	 2005,
+  volume =	 3461,
+  series =	 {Lecture Notes in Computer Science},
+  publisher =	 {Springer}
+}
+
+@InProceedings{Ahmed:Fluet:Morrisett:05,
+  author = 	 {Amal Ahmed and Matthew Fluet and Greg Morrisett},
+  title = 	 {A Step-Indexed Model of Substructural State},
+  booktitle =	 {Proceedings of the 10th ACM SIGPLAN International Conference on Functional Programming (ICFP '05)},
+  year =	 2005,
+  note =	 {To appear}
+}
+
+@TechReport{Aboul-Hosn:Kozen:05,
+  author = 	 {Kamal Aboul-Hosn and Dexter Kozen},
+  title = 	 {Relational Semantics of Local Variable Scoping},
+  institution =  {Computer Science Department, Cornell University},
+  year = 	 2005,
+  number =	 {2005-2000},
+  month =	 jul,
+}
+
+@Article{Abadi:Cardelli:95,
+  author =       "Mart{\'\i}n Abadi and Luca Cardelli",
+  title =        "A theory of primitive objects: Second-order systems",
+  journal =      "Science of Computer Programming",
+  volume =       "25",
+  number =       "2-3",
+  pages =        "81--116",
+  month =        dec,
+  year =         "1995",
+}
+
+@Book{Davey:Priestley:02,
+  author =       "Brian A. Davey and Hilary A. Priestley",
+  publisher =    "Cambridge University Press",
+  title =        "Introduction to Lattices and Order",
+  edition =      "Second",
+  year =         2002,
+}
+
+@Article{Mason:Smith:Talcott:96,
+  author =       "Ian A. Mason and Scott F. Smith and Carolyn L.
+                 Talcott",
+  title =        "From Operational Semantics to Domain Theory",
+  journal =      "Information and Computation",
+  volume =       "128",
+  number =       "1",
+  year =         "1996",
+  pages =        "26--47",
+}
+
+@InCollection{Talcott:98,
+  author =       "Carolyn L. Talcott",
+  title =        "Reasoning about Functions with Effects",
+  pages =        "347--390",
+  editor =       "Andrew D. Gordon and Andrew M. Pitts",
+  booktitle =    "Higher Order Operational Techniques in Semantics",
+  publisher =    "Cambridge University Press",
+  series =       "Publications of the Newton Institute",
+  year =         "1998",
+}
+
+
+@Book{Abadi:Cardelli:96,
+  author =       "Mart{\'\i}n Abadi and Luca Cardelli",
+  title =        "A Theory of Objects",
+  publisher =    "Springer",
+  year =         "1996",
+}
+
+@Article{Abadi:Cardelli:96a,
+  title =        "A Theory of Primitive Objects: Untyped and First-Order
+                 Systems",
+  author =       "Mart{\'\i}n Abadi and Luca Cardelli",
+  pages =        "78--102",
+  journal =      "Information and Computation",
+  month =        mar,
+  year =         "1996",
+  volume =       "125",
+  number =       "2",
+}
+
+@InProceedings{Mitchell:84,
+  author =       "John C. Mitchell",
+  title =        "Coercion and type inference",
+  booktitle =    "Conference Record of the 11th Annual ACM Symposium on
+                 Principles of Programming Languages",
+  pages =        "175--185",
+  publisher = "ACM Press",
+  month =        jan,
+  year =         1984,
+}
+
+
+@InProceedings{Reynolds:80,
+  author =       "John C. Reynolds",
+  title =        "Using category theory to design implicit conversions
+                 and generic operators",
+  booktitle =    "Proceedings of the Aarhus Workshop on
+                 Semantics-Directed Compiler Generation",
+  editor =       "Neil D. Jones",
+  month =        jan,
+  year =         1980,
+  publisher =    "Springer",
+  series =       "Lecture Notes in Computer Science",
+  number =       94,
+  pages = "211--258",
+}
+
+@Article{OHearn:Reynolds:00,
+  author =       "Peter W. O'Hearn and John C. Reynolds",
+  title =        "From Algol to Polymorphic Linear Lambda-calculus",
+  journal =      "Journal of the  ACM",
+  volume =       "47",
+  number =       "1",
+  pages =        "167--223",
+  month =        jan,
+  year =         "2000",
+}
+
+
+@InProceedings{Abadi:Cardelli:Curien:93,
+  author =       "Mart\'{\i}n Abadi and Luca Cardelli and Pierre-Louis Curien",
+  title =        "Formal Parametric Polymorphism",
+  booktitle =    "Conference Record of the 20th Annual ACM
+                 SIGPLAN-SIGACT Symposium on Principles of Programming
+                 Languages",
+  pages =        "157--170",
+  year =         "1993",
+}
+
+@InProceedings{Abadi:Cardelli:Plotkin:94,
+  author =       "Gordon D. Plotkin and Mart\'{\i}n Abadi and Luca
+                 Cardelli",
+  title =        "Subtyping and Parametricity",
+  booktitle =    "Proceedings of 9th Annual IEEE Symposium on Logic in Computer
+                 Science",
+  pages =        "310--319",
+  month =        jul,
+  year =         "1994",
+  publisher = {IEEE Computer Society Press},
+}
+
+@InProceedings{Abadi:Cardelli:Viswanathan:96,
+  author =       "Mart{\'\i}n Abadi and Luca Cardelli and Ramesh
+                 Viswanathan",
+  title =        "An interpretation of objects and object types",
+  booktitle =    "Conference record of the 23rd Symposium on Principles of Programming Languages",
+  year =         "1996",
+  pages =        "396--409",
+  publisher = {{ACM} Press},
+}
+
+
+
+
+
+
+@InProceedings{Abadi:Leino:97,
+  author = 	 {Mart{\'\i}n Abadi and K.~R.~M.~Leino},
+  title = 	 {A Logic of Object-oriented Programs},
+  booktitle = 	 {Proceedings of Theory and Practice of Software Development},
+  pages = 	 {682--696},
+  year = 	 {1997},
+  editor = 	 {Michel Bidoit and Max Dauchet},
+  volume = 	 {1214},
+  series = 	 {Lecture Notes in Computer Science},
+  publisher = {Springer},
+}
+
+@InProceedings{Abadi:Pierce:Plotkin:89,
+  author =       "Mart\'{\i}n Abadi and Benjamin C. Pierce and Gordon D. Plotkin",
+  title =        "Faithful Ideal Models for Recursive Polymorphic Types",
+  booktitle =    "Proceedings of 4th Annual IEEE Symposium on Logic in Computer Science",
+  pages =        "216--225",
+  month =        jun,
+  year =         "1989",
+  publisher = {IEEE Computer Society Press},
+}
+
+
+@InProceedings{Abadi:Plotkin:90,
+  author = 	 {Mart\'{\i}n Abadi and Gordon D. Plotkin},
+  title = 	 {A PER Model of Polymorphism and Recursive Types},
+  booktitle = {Proceedings of 5th Annual IEEE  Symposium on Logic in Computer Science},
+  pages = 	 {355--365},
+  year = 	 {1990},
+  publisher = {IEEE Computer Society Press},
+}
+
+@InProceedings{Abadi:Plotkin:93,
+  author =       "Gordon D. Plotkin and Mart\'{\i}n Abadi",
+  title =        "A logic for parametric polymorphism",
+  booktitle =    "International Conference on Typed Lambda Calculi and
+                 Applications",
+  year =         "1993",
+  editor =       "M. Bezem and J. F. Groote",
+  series =       "Lecture Notes in Computer Science",
+  number =       "664",
+  pages =        "361--375",
+  month =        mar,
+}
+
+
+
+@InProceedings{Abramsky:Ghica:Murawski:Ong:Stark:04,
+  author =       {Samson Abramsky and Dan Ghica and Andrzej Murawski and
+                  Luke Ong and Ian Stark},
+  title =        {Nominal Games and Full Abstraction for the
+                  Nu-Calculus},
+  booktitle =    {Proceedings of the 19th Annual IEEE Symposium on
+                  Logic in Computer Science},
+  pages =        {150--159}, 
+  year =         2004,
+  publisher =    {IEEE Computer Society Press},
+}
+
+
+
+@InCollection{Abramsky:Jung:94,
+  author =      {Samson Abramsky and Achim Jung},
+  booktitle =   {Handbook of Logic in Computer Science},
+  title =       {Domain Theory},
+  publisher =   {Clarendon Press},
+  pages =       {1--168},
+  year =        1994,
+  editor =      {S. Abramsky and D. M. Gabbay and T. S. E. Maibaum},
+  volume =      3
+}
+
+@InProceedings{Abramsky:McCusker:97,
+  author = 	 {Samson Abramsky and Guy McCusker},
+  title = 	 {Game Semantics},
+  booktitle = {Logic and Computation. Proceedings of the 1997 Marktoberdorf Summer School},
+  year = 	 {1998},
+  editor = 	 {H. Schwichtenberg and U. Berger},
+  publisher = {Springer},
+}
+
+@InProceedings{Abramsky:McCusker:Honda:98,
+  title =        "A Fully Abstract Game Semantics for General
+                 References",
+  author =       "Samson Abramsky and Kohei Honda and Guy {McCusker}",
+  booktitle =    "Proceedings 13th Annual IEEE Symposium on Logic
+                 in Computer Science",
+  publisher = "IEEE Computer Society Press",
+pages = {334--344},
+  year =         "1998",
+}
+
+@inproceedings{Aceto:Huettel:Ingolfsdottir:Kleist:00,
+    author = {Luca Aceto and  Hans H{\"u}ttel and Anna Ing{\'o}lfsd{\'o}ttir and Josva Kleist},
+    title = {Relating semantic models for the object calculus},
+    booktitle = {Electronic Notes in Theoretical Computer Science},
+    volume = {7},
+    editor = {C. Palamidessi and J. Parrow},
+    year = {2000}
+}
+
+@InProceedings{Ahmed:Appel:Virga:02,
+  author = 	 {Amal J. Ahmed and Andrew W. Appel and Roberto Virga},
+  title = 	 {A Stratified Semantics of General References Embeddable in Higher-Order Logic},
+  booktitle = {Proceedings of 17th Annual IEEE Symposium Logic in Computer Science},
+  publisher = "IEEE Computer Society Press",
+  pages = 	 {75--86},
+  year = 	 {2002},
+}
+
+
+@Unpublished{Ahmed:Appel:Virga:03,
+  author = 	 {Amal J. Ahmed and Andrew W. Appel and Roberto Virga},
+  title = 	 {An Indexed Model of Impredicative Polymorphism and Mutable References},
+  note = 	 {Princeton University},
+  month = 	 {January},
+  year = 	 {2003},
+}
+
+
+@Article{Amadio:91,
+  author =       "R. M. Amadio",
+  title =        "Recursion over realizability structures",
+  journal =      "Information and Computation",
+  volume =       "91",
+  number =       "1",
+  pages =        "55--86",
+  year =         "1991",
+}
+
+@InProceedings{Amadio:Cardelli:91,
+  author =       "Roberto M. Amadio and Luca Cardelli",
+  title =        "Subtyping Recursive Types",
+  pages =        "104--118",
+  booktitle =    "Conference Record of the 18th Annual {ACM} Symposium
+                 on Principles of Programming Languages",
+  month =        jan,
+  year =         "1991",
+  note =         "Journal version in \cite{Amadio:Cardelli:93}",
+}
+
+
+@Article{Amadio:Cardelli:93,
+  author =       "Roberto M. Amadio and Luca Cardelli",
+  title =        "Subtyping Recursive Types",
+  journal =      "ACM Transactions on Programming Languages and
+                 Systems",
+  volume =       "15",
+  number =       "4",
+  pages =        "575--631",
+  year =         "1993",
+}
+
+
+@inProceedings{Andersen:Pedersen:Huettel:Kleist:97,
+  author = "Dan S. Andersen and Lars H. Pedersen and Hans H{\"u}ttel and Josva Kleist",
+  title = "Objects, Types and Modal Logics",
+  booktitle = "Proceedings of {FOOL4}",
+  year = "1997",
+  month = nov,
+  url = "citeseer.nj.nec.com/andersen96objects.html", 
+}
+
+@inproceedings{mellies-vouillon,
+  author = "Paul-Andr{\'e} Melli{\`e}s and J{\'e}r{\^o}me Vouillon",
+  title = {Recursive polymorphic types and parametricity in an operational framework},
+  booktitle = {LICS},
+  year = "2005",
+}
+
+
+@Article{appel-mcallester,
+  author = 	 {Andrew Appel and David McAllester},
+  title = 	 {An Indexed Model of Recursive Types for Foundational Proof-Carrying Code},
+  journal = 	 {TOPLAS},
+  year = 	 {2001},
+  volume = 	 {23},
+  number = 	 {5},
+  pages = 	 {657--683},
+}
+
+@InProceedings{appel+:vmm,
+  author = 	 {Andrew Appel and Paul-Andr{\'e} Melli{\`e}s and Christopher Richards and J{\'e}r{\^o}me Vouillon},
+  title = 	 {A Very Modal Model of a Modern, Major, General Type System},
+  booktitle = {POPL},
+  year = 	 2007
+}
+
+@InProceedings{dockins+:mfps08,
+  author = 	 {Robert Dockins and Andrew W. Appel and Aquinas Hobor},
+  title = 	 {Multimodal Separation Logic for Reasoning About Operational Semantics},
+  booktitle = {MFPS},
+  year = 	 {2008},
+}
+
+@Article{Apt:Plotkin:86,
+  title =	"Countable Nondeterminism and Random Assignment",
+  author =	"Krzysztof R. Apt and Gordon D. Plotkin",
+  area = 	"Programming Languages and Systems",
+  pages =	"724--767",
+  journal =	"Journal of the ACM",
+  month =	oct,
+  year = 	"1986",
+  volume =	"33",
+  number =	"4",
+}
+
+@Article{DiGianantonio:Honsell:Plotkin:95,
+  title =	"Uncountable Limits and the lambda Calculus",
+  author =	"Pietro {di Gianantonio} and Furio Honsell and Gordon D.
+		 Plotkin",
+  journal =	"Nordic Journal of Computing",
+  year = 	1995,
+  number =	2,
+  volume =	2,
+  pages =	"126--145",
+}
+
+@Article{Apt:81,
+  author =       "Krzysztof R. Apt",
+  title =        "Ten Years of {Hoare}'s Logic: {A} Survey --- Part
+                 {I}",
+  journal =      "ACM Transactions on Programming Languages and
+                 Systems",
+  volume =       "3",
+  number =       "4",
+  pages =        "431--483",
+  month =        oct,
+  year =         "1981",
+}
+
+@Book{Arnold:Gosling:Holmes:00,
+  author =       "Ken Arnold and James Gosling and David Holmes",
+  key =          "Arnold \& Gosling",
+  title =        "The {Java} Programming Language",
+  publisher =    "Addison-Wesley",
+  year =         "2000",
+  edition =      "Third",
+}
+
+@InProceedings{Banerjee:Naumann:02,
+  author =       "Anindya Banerjee and David A. Naumann",
+  title =        "Representation independence, confinement and access
+                 control",
+  pages =        "166--177",
+  month =        jan,
+  year =         "2002",
+  booktitle =       "Proceedings of the 29th ACM SIGPLAN-SIGACT symposium
+                 on Principles of Programming Languages",
+  publisher = "IEEE Computer Society Press",
+}
+
+
+@InCollection{Barendregt:92,
+  author = 	 {Henk P. Barendregt},
+  title = 	 {Lambda Calculi with Types},
+  booktitle = 	 {Handbook of Logic in Computer Science},
+  pages =	 {117--309},
+  publisher =	 {Oxford University Press},
+  year =	 1992,
+  editor =	 {Samson Abramsky and Dov Gabbay and T.~S.~E. Maibaum},
+  volume =	 2,
+  chapter =	 2
+}
+
+
+
+
+@InProceedings{ahmed:esop06,
+  author = 	 {Amal Ahmed},
+  title = 	 {Step-Indexed Syntactic Logical Relations for Recursive and Quantified Types},
+  booktitle = {ESOP},
+  year = 2006,
+}
+
+@InProceedings{ahmed+:popl09,
+  author = 	 {Amal Ahmed and Derek Dreyer and Andreas Rossberg},
+  title = 	 {State-Dependent Representation Independence},
+  booktitle = {POPL},
+  year = 	 {2009},
+}
+
+@InProceedings{dreyer+:lics09,
+  author = 	 {Derek Dreyer and Amal Ahmed and Lars Birkedal},
+  title = 	 {Logical Step-Indexed Logical Relations},
+  booktitle = {LICS},
+  year = 	 {2009},
+}
+
+@InProceedings{benton:popl04,
+  author = 	 {Nick Benton},
+  title = 	 {Simple Relational Correctness Proofs for Static Analyses and Program Transformations},
+  booktitle = {POPL},
+  year = 	 {2004},
+}
+
+@InProceedings{benton-leperchey,
+  author = 	 {Nick Benton and Benjamin Leperchey},
+  title = 	 {Relational Reasoning in a Nominal Semantics for Storage},
+  booktitle = {TLCA},
+  year = 	 {2005},
+}
+
+@Article{Birkedal:Harper:99,
+  author =       "Lars Birkedal and Robert W. Harper",
+  title =        "Constructing interpretations of recursive types in an
+                 operational setting",
+  journal =      "Information and Computation",
+  year =         "1999",
+  volume =       "155",
+  pages =        "3--63",
+}
+
+@Article{Blass:Gurevich:00,
+  author =       "Andreas  Blass and Yuri Gurevich",
+  title =        "The Underlying Logic of {Hoare} Logic",
+  journal =      "Bulletin of the European Association for Theoretical
+                 Computer Science",
+  volume =       "70",
+  pages =        "82--110",
+  month =        feb,
+  year =         "2000",
+  url =          "\url{http://research.microsoft.com/~gurevich/Opera/142.ps}",
+}
+
+@InProceedings{Bodirsky:Gaertner:Oertzen:Schwinghammer:01, 
+author = {Manuel Bodirsky and Tobias G\"artner and Timo von Oertzen and Jan Schwinghammer}, 
+title  = {Computing the Density of Regular Languages}, 
+pages  = {23--35},
+month   = aug,
+address   = {Helsinki},
+booktitle = {Proceedings of the Student Session of the European Summer School in Logic, Language, and Information},
+year = {2001},
+}
+
+@Misc{Bodirsky:Gaertner:Oertzen:Schwinghammer:LongRun,
+  author = {Manuel Bodirsky and Tobias G\"artner and Timo von Oertzen and Jan Schwinghammer}, 
+  year = {2002}, 
+  title  = {Long-run properties of periodic probabilistic systems}, 
+  howpublished = {Manuscript},
+}
+
+
+@Misc{Bodirsky:Gaertner:Oertzen:Schwinghammer:Periods,
+  author = {Manuel Bodirsky and Tobias G\"artner  and  Timo von Oertzen and Jan Schwinghammer},  
+  title  = {Periodic Sequences of Group Elements},
+  year   = {2002},
+  howpublished = {Manuscript},
+}
+
+@InProceedings{Bono:Bugliesi:99,
+  author = 	 {Viviana Bono and Michele Bugliesi},
+  title = 	 {Interpretations of Extensible Objects and Types},
+  booktitle = {Proceedings of the 12th Int. Symposium on Fundamentals of Computing},
+  pages = 	 {112--123},
+  year = 	 {1999},
+  volume = 	 {1684},
+  series = 	 {Lecture Notes in Computer Science},
+  publisher = {Springer},
+}
+
+
+@InProceedings{Bono:Patel:Shmatikov:Mitchell:99,
+  author =       "Viviana Bono and Amit J. Patel and Vitaly Shmatikov
+                 and John C. Mitchell",
+  title =        "A Core Calculus of Classes and Objects",
+  booktitle =    "15th Conference on the Mathematical Foundations
+                 of Programming Semantics",
+  series =       "Electronic Notes in Computer Science",
+  volume =       "20",
+  year =         "1999",
+  month =        apr,
+}
+
+@Article{Boudol:04,
+  author = 	 {G{\'}erard Boudol},
+  title = 	 {The recursive record semantics of objects revisited},
+  journal = 	 {Journal of Functional Programming},
+  year = 	 {2004},
+  volume = 	 {14},
+  number = 	 {3},
+  pages = 	 {263-315},
+  month = 	 may,
+}
+
+@Article{Bracha:Odersky:Stoutamire:Wadler:98,
+  author =       "Gilad Bracha and Martin Odersky and David Stoutamire
+                 and Philip Wadler",
+  title =        "Making the Future Safe for the Past: Adding Genericity
+                 to the {Java} Programming Language",
+  journal =      "ACM SIG{\-}PLAN Notices",
+  volume =       "33",
+  number =       "10",
+  pages =        "183--200",
+  month =        oct,
+  year =         "1998",
+}
+
+
+ 
+@InProceedings{Bracha:Ungar:04,
+  author = 	 {Gilad Bracha and David Ungar},
+  title = 	 {Mirrors: Design Principles for Meta-level Facilities of Object-Oriented Programming Languages},
+  booktitle = {Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages and Applications},
+  year = 	 {2004},
+  month = 	 oct,
+  publisher = {ACM Press},
+}
+
+
+@Article{Breazu-Tannen:EtAl:91,
+  author =       "Val {Breazu-Tannen} and Thierry Coquand and Gunter
+                 Gunter and Andre Scedrov",
+  title =        "Inheritance as Implicit Coercion",
+  journal =      "Information and Computation",
+  month =        jul,
+  year =         "1991",
+  number =       "1",
+  volume =       "93",
+  pages =        "172--221",
+}
+
+
+@Book{Bruce:02,
+  author =       "Kim B. Bruce",
+  title =        "Foundations of Object-Oriented Languages: Types and
+                 Semantics",
+  publisher =    "MIT Press",
+  year =         "2002",
+}
+
+
+
+@Article{Bruce:94,
+  author =       "Kim B. Bruce",
+  title =        "A Paradigmatic Object-Oriented Programming Language:
+                 Design, Static Typing and Semantics",
+  journal =      "Journal of Functional Programming",
+  volume =       "4",
+  number =       "2",
+  month =        apr,
+  pages =        "127--206",
+  year =         "1994",
+}
+
+@article         {Bruce:Cardelli:Pierce:99,
+author       =   "Kim B. Bruce and Luca Cardelli and Benjamin C. Pierce",
+title        =   "Comparing Object Encodings",
+journal      =   "Information and Computation",
+year         =   1999,
+month        =   nov,
+volume       =   155,
+number       =   "1/2",
+pages        =   "108--133",
+}
+
+@Article{Bruce:etal:95,
+  author =       "Kim B. Bruce and Luca Cardelli and Giuseppe Castagna
+                 and {The Hopkins Objects Group} and Gary T. Leavens and
+                 Benjamin Pierce",
+  title =        "On Binary Methods",
+  journal =      "Theory and Practice of Object Systems",
+  publisher =    "John Wiley and Sons, Inc.",
+  year =         "1995",
+  pages =        "221--242",
+  volume =       "1",
+  number =       "3",
+}
+
+@Book{Castagna:97,
+  author =       "Giuseppe Castagna",
+  title =	"Object-Oriented Programming: {A} Unified Foundation",
+  publisher =    "Birkhauser",
+  year =	 1997,
+  series =       "Progress in Theoretical Computer Science",
+}
+
+@Article{Bugliesi:Delzanno:Liquori:Martelli:00,
+ author   = "Michele Bugliesi and Giorgio Delzanno and Luigi Liquori and Maurizio Martelli",  
+ title    = "Object Calculi in Linear Logic",
+ journal  = "Journal of Logic and Computation",
+ volume   = 10,
+ number   = 1,
+ pages    = "75 --104",
+ month    = feb, 
+ year     = "2000",
+}
+
+@InProceedings{Calcagno+:lics09,
+	author={Cristiano Calcagno and Peter W. O'Hearn and Hongseok Yang},
+	title={Local Action and Abstract Separation Logic},
+	booktitle={LICS},
+	year={2007},
+}
+
+@InProceedings{Calcagno:Ishtiaq:OHearn:00,
+  author =       "Cristiano Calcagno and Samin Ishtiaq and Peter W.
+                 O'Hearn",
+  title =        "Semantic Analysis of Pointer Aliasing, Allocation and
+                 Disposal in {H}oare Logic",
+  booktitle =    "Proceedings of 2nd International Conference on Principles and
+                 Practice of Declarative Programming",
+  year =         "2000",
+   pages =        "190--201",
+ editor =       "Maurizio Gabbrielli and Frank Pfenning",
+  series =       "Lecture Notes in Computer Science",
+publisher = {Springer},
+}
+
+@InProceedings{Canning:Cook:Hill:Olthoff:Mitchell:89,
+  author =       "P. Canning and W. Cook and W. Hill and W. Olthoff and
+                 J. Mitchell",
+  title =        "{F}-bounded polymorphism for object-oriented
+                 programming",
+  booktitle =    "Proceedings 4th International Conference on Functional Programming Languages and Computer
+                 Architecture",
+  year =         "1989",
+  publisher =    "ACM Press",
+  pages =        "273--280",
+}
+
+@InCollection{Cardelli:84,
+  author =       "Luca Cardelli",
+  title =        "A Semantics of Multiple Inheritance",
+  booktitle =    "Semantics of Data Types",
+  editor =       "Gilles Kahn and David MacQueen and Gordon Plotkin",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "173",
+  pages =        "51--67",
+  year =         "1984",
+  month =        jun,
+  publisher =    "Springer",
+  abstract-url = "http://www.luca.demon.co.uk/Papers.html#Inheritance",
+  note =         "Full version in \cite{Cardelli:88}"
+}
+
+
+
+@Article{Cardelli:88,
+  author =       "Luca Cardelli",
+  title =        "A Semantics of Multiple Inheritance",
+  journal =      "Information and Computation",
+  volume =       "76",
+  number =       "2/3",
+  month =        feb,
+  year =         "1988",
+  pages =        "138--164",
+}
+
+@Article{Cardelli:Martini:Mitchell:Scedrov:94,
+  author =       "Luca Cardelli and Simone Martini and John C. Mitchell
+                 and Andre Scedrov",
+  title =        "An Extension of {S}ystem {F} with Subtyping",
+  journal =      "Information and Computation",
+  volume =       "109",
+  number =       "1--2",
+  pages =        "4--56",
+  year =         "1994",
+}
+
+@Article{Cardelli:Wegner:85,
+  author =       "Luca Cardelli and Peter Wegner",
+  title =        "On Understanding Types, Data Abstraction, and
+                 Polymorphism",
+  journal =      "ACM Computing Surveys",
+  volume =       "17",
+  number =       "4",
+  pages =        "471--522",
+  month =        dec,
+  year =         "1985",
+}
+
+@InProceedings{Cardone:89,
+  title =        "Relational Semantics for Recursive Types and Bounded
+                 Quantification",
+  author =       "Felice Cardone",
+  editor =       "Giorgio Ausiello and Mariangiola Dezani-Ciancaglini
+                 and Simona Ronchi Della Rocca",
+  booktitle =    "16th International Colloquium Automata, Languages and Programming",
+  month =        jul,
+  year =         "1989",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "372",
+  publisher =    "Springer",
+  pages =        "164--178",
+}
+
+@Article{Clarke:79,
+  author =       "E. M. Clarke",
+  year =         "1979",
+  title =        "Programming Language Constructs for which it it
+                 Impossible to obtain good {Hoare} Axiom Systems",
+  journal =      "Journal of the ACM",
+  volume =       "26",
+  number =       "1",
+  pages =        "129--147",
+}
+
+@Article{Cook:78,
+  author = 	 {Stephen A. Cook},
+  title = 	 {Soundness and Completeness of an Axiom System for Program Verification},
+  journal = 	 {{SIAM} Journal on Computing},
+  year = 	 {1978},
+  volume = 	 {7},
+  number = 	 {1},
+  pages = 	 {70--90},
+}
+
+
+@PhdThesis{Cook:89,
+  author =       "William R. Cook",
+  title =        "A Denotational Semantics of Inheritance",
+  school =       "Department of Computer Science, Brown University",
+  type =         "Ph.{D}. Thesis",
+  month =        may,
+  year =         "1989",
+}
+
+
+@Article{Cook:Palsberg:94,
+  author =       "William Cook and Jens Palsberg",
+  title =        "A Denotational Semantics of Inheritance and its
+                 Correctness",
+  journal =      "Information and Computation",
+  pages =        "329--350",
+  year =         "1994",
+month = nov,
+  number =       "2",
+  volume =       "114",
+}
+
+@article{Coquand:Gunter:Winskel:89,
+    author = "Thierry Coquand and Carl A. Gunter and Glynn Winskel",
+    title = "Domain Theoretic Models of Polymorphism",
+    journal = "Information and Computation",
+    volume = "81",
+    number = "2",
+    pages = "123--167",
+    year = "1989",
+    url = "citeseer.nj.nec.com/coquand89domain.html" 
+}
+
+
+@incollection{Cousot:90,
+   author =    {Patrick Cousot},
+   title =     {Methods and Logics for Proving Programs},
+   pages =     {843--993},
+   editor =    {Jan {van Leeuwen}},
+   chapter =   15,
+   booktitle = {Formal Models and Semantics},
+   volume =    {B},
+   series =    {Handbook of Theoretical Computer Science},
+   publisher = {Elsevier},
+   year =      1990,
+}
+
+@TechReport{Crary:99,
+  author = 	 {Karl Crary},
+  title = 	 {Simple, Efficient Object Encoding using Intersection Types},
+  institution =  {Carnegie Mellon University},
+  year = 	 {1999},
+  month =        jan,
+  number = 	 {CMU-CS-99-100},
+}
+
+
+@InCollection{Curien:Ghelli:94,
+  author =       "Pierre-Louis Curien and Giorgio Ghelli",
+  title =        "Coherence of Subsumption, Minimum Subtyping and
+                 Type-Checking in ${F}_{\leq}$",
+  editor =       "Carl A. Gunter and John C. Mitchell",
+  booktitle =    "Theoretical Aspects of Object-Oriented Programming:
+                 Types, Semantics, and Language Design",
+  series =       "Foundations of Computing Series",
+  pages =        "247--292",
+  publisher =    "MIT Press",
+  year =         "1994",
+}
+
+
+@InProceedings{Eifrig:Smith:Trifonov:95,
+  author =       "Jonathan Eifrig and Scott Smith and Valery Trifonov",
+  title =        "Type Inference for Recursively Constrained Types and
+                 its Application to {OOP}",
+  booktitle =    "Proceedings of the 1995 Mathematical Foundations of
+                 Programming Semantics Conference",
+  series =       "Electronic Notes in Theoretical Computer Science",
+  publisher =    "Elsevier",
+  volume =       "1",
+  year =         "1995",
+  fullurl =      "http://www.elsevier.nl/locate/entcs/volume1.html",
+}
+
+@Article{Eifrig:Smith:Trifonov:Zwarico:95,
+  author =       "Jonathan Eifrig and Scott Smith and Valery Trifonov
+                 and Amy Zwarico",
+  title =        "An Interpretation of Typed {OOP} in a Language with
+                 State",
+  journal =      "Lisp and Symbolic Computation",
+  volume =       8,
+  number =       4,
+  pages =        "357--397",
+  month =        dec,
+  year =         1995,
+}
+
+@Article{Erkok:Launchbury:00,
+  author =       "Levent Erk{\"o}k and John Launchbury",
+  title =        "Recursive monadic bindings",
+  journal =      "ACM SIG{\-}PLAN Notices",
+  volume =       "35",
+  number =       "9",
+  pages =        "174--185",
+  month =        sep,
+  year =         "2000",
+}
+
+@MastersThesis{Fecher:99,
+  author = 	 {Harald Fecher},
+  title = 	 {Denotational Semantics of Untyped Object-Based Programming Languages},
+  school = 	 {Technische Universit{\"a}t Darmstadt},
+  year = 	 {1999},
+}
+
+@Article{Filinski:94,
+  author =       "Andrzej Filinski",
+  title =        "Recursion from Iteration",
+  journal =      "{LISP} and Symbolic Computation",
+  volume =       "7",
+  number =       "1",
+  pages =        "11--37",
+  month =        jan,
+  year =         "1994",
+}
+
+@InProceedings{Findler:Felleisen:01,
+  author =       "Robert Bruce Findler and Matthias Felleisen",
+  title =        "Contract Soundness for Object-Oriented Languages",
+  booktitle =    "OOPSLA '01 Conference Proceedings",
+  year =         "2001",
+  month =        oct,
+  pages =        "1--15",
+}
+
+
+@InProceedings{Findler:Felleisen:02,
+  author = 	 {Robert Bruce Findler and Matthias Felleisen},
+  title = 	 {Contracts for Higher-Order Functions},
+  booktitle =    {Proceedings of the 2002 International Conference on Functional Programming},
+  OPTpages = 	 {},
+  year = 	 {2002},
+  OPTseries = 	 {},
+  month = 	 oct,
+}
+
+
+
+@Article{felleisen-hieb,
+  author = 	 {Matthias Felleisen and Robert Hieb},
+  title = 	 {The revised report on the syntactic theories of sequential control and state},
+  journal = 	 {TCS},
+  year = 	 {1992},
+  volume = 	 {103},
+  number = 	 {2},
+  pages = 	 {235--271},
+}
+
+@PhdThesis{Fiore:94,
+  author = 	 {Marcelo P. Fiore},
+  title = 	 {Axiomatic Domain Theory in Categories of Partial Maps},
+  school = 	 {University of Edinburgh},
+  year = 	 {1994},
+  note = 	 {LFCS report ECS-LFCS-94-307},
+}
+
+
+@Book{Fiore:96,
+  author =	 {Marcelo P. Fiore},
+  title = 	 {Axiomatic Domain Theory in Categories of Partial Maps},
+  publisher = 	 {Cambridge University Press},
+  year = 	 1996,
+  series = 	 {Distinguished Dissertations in Computer Science}
+} 
+
+@Article{FioreEtAl:96,
+  author =       "Marcelo Fiore and Achim Jung and Eugenio Moggi and
+                 Peter O'Hearn and Jon Riecke and Giuseppe Rosolini and
+                 Ian Stark",
+  title =        "Domains and Denotational Semantics: History,
+                 Accomplishments and Open Problems",
+  journal =      "Bulletin of the European Association for Theoretical
+                 Computer Science",
+  volume =       "59",
+  pages =        "227--256",
+  month =        jun,
+  year =         "1996",
+}
+
+@Article{Fisher:Honsell:Mitchell:94,
+  author =       "Kathleen Fisher and Furio Honsell and John C.
+                 Mitchell",
+  title =        "A lambda calculus of objects and method
+                 specialization",
+  journal =      "Nordic Journal of Computing",
+  year =         "1994",
+  volume =       "1",
+  pages =        "3--37",
+}
+
+
+@Article{Fisher:Mitchell95,
+  title =        "The Development of Type Systems for Object-Oriented
+                 Languages",
+  author =       "Kathleen Fisher and John C. Mitchell",
+  journal =      "Theory and Practice of Object Sytems",
+  pages =        "189--220",
+  year =         "1995",
+  volume =       "1",
+  number =       "3",
+}
+
+@InProceedings{Fisher:Mitchell:95,
+  author =       "Kathleen Fisher and John C. Mitchell",
+  title =        "A Delegation-based Object Calculus with Subtyping",
+  booktitle =    "Fundamentals of Computation Theory (FCT'95)",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "965",
+  pages =        "42--61",
+  year =         "1995",
+publisher = {Springer},
+}
+
+@Article{Fisher:Mitchell:98,
+  author =       "Kathleen Fisher and John C. Mitchell",
+  title =        "On the Relationship Between Classes, Objects and Data
+                 Abstraction",
+  journal =      "Theory and Practice of Object Systems",
+  year =         "1998",
+  volume =       "4",
+  number =       "1",
+  pages =        "3--25",
+}
+
+@InProceedings{Floyd:67,
+  author =       "Robert W. Floyd",
+  title =        "Assigning Meanings to Programs",
+  booktitle =    "Proceedings of Mathematical Aspects of Computer Science",
+  month =        apr,
+  year =         "1967",
+  pages =        "19--32",
+  editor =       "Jacob T. Schwartz",
+  volume =       "19",
+  series =       "Proceedings of Symposia in Applied Mathematics",
+  publisher =    "American Mathematical Society",
+}
+
+
+@InProceedings{Freyd:91,
+  author =       "Peter J. Freyd",
+  title =        "Algebraically Complete Categories",
+  editor =       "A. Carboni and M. C. Pedicchio and G. Rosolini",
+  booktitle =    "Proceedings of 1990 Como Category Theory Conference",
+  series =       "Lecture Notes in Mathematics",
+  volume =       "1488",
+  pages =        "95--104",
+  publisher =    "Springer",
+  year =         "1991",
+}
+
+@Article{Freyd:Rosolini:Mulry:Scott:92,
+  author =       "Peter Freyd  and Giuseppe Rosolini and Philip Mulry and
+                 Dana Scott",
+  title =        "Extensional {PERs}",
+  journal =      "Information and Computation",
+  volume =       "98",
+  number =       "2",
+  special =      "Selected Papers from 5th Ann.\ IEEE Symp.\ on Logic in
+                 Computer Science, LICS'90, Philadelphia, PA, USA, 4--7
+                 June 1990",
+  pages =        "211--227",
+  year =         "1992",
+}
+
+
+@Book{GangOfFourBook,
+  author =       "Erich Gamma and Richard Helm and Ralph Johnson and
+                 John Vlissides",
+  title =        "Design Patterns: Elements of Reusable Object-Oriented
+                 Software",
+  publisher =    "Addison Wesley",
+  year =         "1995",
+}
+
+
+@Article{Gapeyev:Levin:Pierce:00,
+  author =       "Vladimir Gapeyev and Michael Y. Levin and Benjamin C.
+                 Pierce",
+  title =        "Recursive subtyping revealed (functional pearl)",
+  journal =      "ACM SIG{\-}PLAN Notices",
+  volume =       "35",
+  number =       "9",
+  pages =        "221--231",
+  month =        sep,
+  year =         "2000",
+  url =          "http://www.acm.org/pubs/citations/proceedings/fp/351240/p221-gapeyev/",
+}
+
+ @InCollection{Abadi:Leino:04,
+  author = 	 {Mart{\'\i}n Abadi and K.~R.~M.~Leino},
+  title = 	 {A Logic of Object-Oriented Programs},
+  booktitle = 	 {Verification: Theory and Practice. Essays Dedicated to Zohar Manna on the Occasion of His 64th Birthday
+ },
+  pages = 	 {11--41},
+  publisher =    {Springer},
+series = {Lecture Notes in Computer Science},
+volumne = {2772},
+  year = 	 {2004},
+  editor = 	 {Nachum Dershowitz},
+}
+
+@Book{Girard:Lafont:Taylor:89,
+  author =       "Jean-Yves Girard and Yves Lafont and Paul Taylor",
+  title =        "Proofs and Types",
+  publisher =    "Cambridge University Press",
+  series =       "Cambridge Tracts in Theoretical Computer Science",
+  year =         "1989",
+  volume =       "7",
+}
+
+@Misc{Glimming:05,
+  author = 	 {Johan Glimming},
+  title = 	 {\emph{Dialgebraic Semantics of Typed Object Calculi}},
+  year = 	 2005,
+  month =	 {May},
+  howpublished = {Licentiate thesis, Stockholm University}
+}
+
+@inproceedings{Glimming:Ghani:04,
+    author =     {Johan Glimming and Neil Ghani},
+    title =      {Difunctorial Semantics of Object Calculus},
+    booktitle =  {Proceedings {WOOD} '04: Workshop on Object-Oriented Developments},
+    series = {Electronic Notes in Theoretical Computer Science},
+    publisher =  {Elsevier},
+    year =       2004,
+    note = {To appear},
+}
+
+@InProceedings{Goerdt:88,
+  title =        "Hoare Calculi for Higher-Type Control Structures and
+                 Their Completeness in the Sense of~{Cook}",
+  author =       "Andreas Goerdt",
+  booktitle =    "Mathematical Foundations of Computer Science 1988",
+  editor =       "Michael P. Chytil and Ladislav Janiga and V{\'a}clav
+                 Koubek",
+  month =        sep,
+  year =         "1988",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "324",
+  publisher =    "Springer",
+  pages =        "329--338",
+}
+
+
+@InCollection{Gordon:98,
+  author = 	 {Andrew~D.~Gordon},
+  title = 	 {Operational equivalences for untyped and polymorphic object calculi},
+  booktitle = 	 {\cite{Gordon:Pitts:98}},
+  pages = 	 {9--54},
+  year = 	 {1998},
+}
+
+
+@inproceedings{Gordon:Hankin:00,
+    author = {Andrew D. Gordon and Paul D. Hankin},
+    title = {A Concurrent Object Calculus: Reduction and Typing},
+    booktitle = {Proceedings {HLCL}'98},
+    series = {Electronic Notes in Theoretical Computer Science},
+     publisher =  {Elsevier},
+   volume = {16},
+    issue = {3},
+    editor = {Uwe Nestmann and Benjamin C. Pierce},
+    year = {2000}
+}
+
+@InProceedings{Gordon:Hankin:Lassen:97,
+  author =       "Andrew D. Gordon and Paul D. Hankin and S{\o}ren. B. Lassen",
+  title =        "Compilation and Equivalence of Imperative Objects",
+  booktitle =    "Proceedings of FST+TCS'97",
+  series =       "Lecture Notes in Computer Science",
+  pages = {74--87},
+  volume = {1346},
+  month =        dec,
+  year =         "1997",
+}
+
+
+@book{Gordon:Pitts:98,
+   editor =    {Andrew D. Gordon and Andrew M. Pitts},
+   title =     {Higher Order Operational Techniques in Semantics},
+   publisher = {Cambridge University Press},
+   series =    {Publications of the Newton Institute},
+   year =      1998,
+}
+
+@InProceedings{Gordon:Rees:96,
+  author = 	 {Andrew~D.~Gordon and Gareth~D.~Rees},
+  title = 	 {Bisimilarity for a First-Order Calculus of Objects with Subtyping},
+  booktitle = 	 {Conference Record of the 23rd Symposium on Principles of Programming Languages},
+  pages = 	 {386--395},
+  year = 	 {1996},
+  month = 	 jan,
+}
+
+
+@Book{Gosling:Joy:Steele:Bracha:04,
+  author = 	 {James Gosling and Bill Joy and Guy Steele and Gilad Bracha},
+  title = 	 {The Java Language Specification},
+  publisher = 	 {Addison-Wesley},
+  year = 	 {2004},
+  edition = 	 {Third},
+}
+
+
+
+@InProceedings{Goubault-Larrecq:Lasota:Nowak:02,
+  author =       "Jean {Goubault-Larrecq} and Slawomir Lasota and David
+                 Nowak",
+  title =        "Logical Relations for Monadic Types",
+  booktitle =    "Proc.\ 16th Int.\ Workshop Computer Science Logic (CSL
+                 2002)", 
+  volume =       "2471",
+  pages =        "553--568",
+  series =       "Lecture Notes in Computer Science",
+  year =         "2002",
+  publisher =    "Springer",
+}
+
+@InProceedings{Goubault-Larrecq:Lasota:Nowak:Zhang:04,
+  author =       "Jean {Goubault-Larrecq} and Slawomir Lasota and David Nowak and
+                 Yu Zhang",
+  title =        "Complete Lax Logical Relations for Cryptographic
+                 Lambda-Calculi",
+  booktitle =    "Proc.\ 18th Int.\ Workshop Computer Science Logic (CSL
+                 2004)",
+  volume =       "3210",
+  series =       "Lecture Notes in Computer Science",
+  pages =        "400--414",
+  year =         "2004",
+  publisher =    "Springer",
+}
+
+
+@InProceedings{Halpern:84,
+  author =       "Joseph Y. Halpern",
+  title =        "A Good {H}oare Axiom System for an {A}lgol-Like
+                 Language",
+  booktitle =    "Conference Record of the Eleventh Annual {ACM}
+                 Symposium on Principles of Programming Languages",
+  publisher =    "ACM Press",
+  month =        jan,
+  year =         "1984",
+  pages =        "262--271",
+}
+
+
+@Article{Hasegawa:94,
+  title =        "Categorical data types in parametric polymorphism",
+  author =       "Ryu Hasegawa",
+  pages =        "71--109",
+  journal =      "Mathematical Structures in Computer Science",
+  month =        mar,
+  year =         "1994",
+  volume =       "4",
+  number =       "1",
+}
+
+
+@Book{Haskell98,
+editor = {Simon {Peyton Jones}}, 
+title = {Haskell 98 Language and Libraries. The Revised Report},
+publisher = {Cambridge University Press},
+year = {2003},
+OPTmonth = {April},
+}
+
+@InProceedings{Hensel:Huismann:Jacobs:Tews:98,
+  title =        "Reasoning about Classes in Object-Oriented Languages:
+                 Logical Models and Tools",
+  author =       "Ulrich Hensel and Marieke Huisman and Bart Jacobs and
+                 Hendrik Tews",
+  booktitle =    "Programming Languages and Systems---{ESOP}'98, 7th
+                 European Symposium on Programming",
+  editor =       "Chris Hankin",
+  month =        mar,
+  year =         "1998",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "1381",
+  pages =        "105--121",
+    publisher =  {Springer},
+}
+
+@Article{Hoare:69,
+  author =       "C. A. R. Hoare",
+  title =        "{An Axiomatic Basis of Computer Programming}",
+  journal =      "Communications of the ACM",
+  year =         "1969",
+  volume =       "12",
+  pages =        "576--580",
+  publisher = "ACM Press",
+}
+
+@Article{Hofmann:Pierce:94,
+  author =       "Martin Hofmann and Benjamin Pierce",
+  title =        "A Unifying Type-Theoretic Framework for Objects",
+  journal =      "Journal of Functional Programming",
+  volume =       "5",
+  number =       "4",
+  pages =        "593--635",
+  month =        oct,
+  year =         "1995",
+}
+
+@Article{Hofmann:Pierce:95,
+  author =       "Martin Hofmann and Benjamin C. Pierce",
+  title =        "A Unifying Type-Theoretic Framework for Objects",
+  journal =      "Journal of Functional Programming",
+  month =        oct,
+  year =         "1995",
+  volume =       "5",
+  number =       "4",
+  pages =        "593--635",
+}
+
+
+@Article{Hofmann:Pierce:96,
+  author = 	 {Martin Hofmann and Benjamin Pierce},
+  title = 	 {Positive Subtyping},
+  journal = 	 {Information and Computation},
+  year = 	 {1996},
+  volume = 	 {126},
+  number = 	 {1},
+  pages = 	 {11--33},
+}
+
+@Misc{Hofmann:Tang:02,
+  author = 	 {Francis Tang and Martin Hofmann},
+  title = 	 {Generation of Verification Conditions for {Abadi} and {Leino}'s Logic of Objects},
+  howpublished = {Presented at 9th International Workshop on Foundations of Object-Oriented Languages},
+  month = 	 jan,
+  year = 	 {2002},
+}
+
+@InProceedings{Berger:Honda:Yoshida:05,
+  author =       "Martin Berger and Kohei Honda and Nobuko Yoshida",
+  title =        "A Logical Analysis of Aliasing in Imperative
+                 Higher-Order Functions",
+  booktitle =    "Proceedings of the 10th {ACM} {SIGPLAN} International
+                 Conference on Functional Programming ({ICFP} '05)",
+  publisher =    "ACM Press",
+  year =         "2005",
+  notes =        "To appear",
+}
+
+@InProceedings{Honda:Yoshida:Berger:05,
+  author = 	 {Kohei Honda  and Nobuko Yoshida and Martin Berger},
+  title = 	 {An Observationally Complete Program Logic for Imperative Higher-Order Functions},
+  booktitle =	 {{LICS'05}},
+  pages =         {270--279},
+  year =	 2005,
+}
+
+@Article{Honda:04,
+  author =       "Kohei Honda",
+  title =        "From process logic to program logic",
+  journal =      "ACM SIG{\-}PLAN Notices",
+  volume =       "39",
+  number =       "9",
+  pages =        "163--174",
+  month =        sep,
+  year =         "2004",
+}
+
+@Article{Honsell:Pravato:Rocca:98,
+  title =        "{Structured Operational Semantics} of a fragment of
+                 the language {Scheme}",
+  author =       "Furio Honsell and Alberto Pravato and Simona Ronchi
+                 Della Rocca",
+  pages =        "335--365",
+  journal =      "Journal of Functional Programming",
+  month =        jul,
+  year =         "1998",
+  volume =       "8",
+  number =       "4",
+}
+
+@InProceedings{Igarashi:Pierce:00,
+  author = 	 {Atsushi Igarashi and Benjamin C. Pierce},
+  title = 	 {On inner Classes},
+  booktitle =    {Proceedings of the European Conference on Object-Oriented Programming},
+  pages = 	 {129--153},
+  year = 	 {2000},
+  volume = 	 {1850},
+  series = 	 {Lecture Notes in Computer Science},
+    publisher =  {Springer},
+}
+
+@Article{Ishtiaq:OHearn:01,
+  author =       "Samin S. Ishtiaq and Peter W. O'Hearn",
+  title =        "{BI} as an Assertion Language for Mutable Data
+                 Structures",
+  journal =      "ACM SIG{\-}PLAN Notices",
+  volume =       "36",
+  number =       "3",
+  pages =        "14--26",
+  month =        mar,
+  year =         "2001",
+}
+
+@inproceedings{Jacobs:00,
+    author = {Bart Jacobs},
+    title = {Subtypes and bounded quantification from a fibred perspective},
+    booktitle = {Electronic Notes in Theoretical Computer Science},
+    volume = {1},
+    editor = {S. Brookes, M. Main, A. Melton and M. Mislove},
+    year = {2000},
+    publisher =  {Elsevier},
+}
+
+@InCollection{Jacobs:96,
+  author =       "Bart P. F. Jacobs",
+  title =        "Objects and classes, coalgebraically",
+  editor =       "B. Freitag and C. B. Jones and C. Lengauer and H. J.
+                 Schek",
+  booktitle =    "Object-Orientation with Parallelism and Persistence",
+  pages =        "83--103",
+  publisher =    "Kluwer Academic Publishers",
+  year =         "1996",
+  url =          "http://www.cwi.nl/pub/CWIreports/AP/CS-R9536.ps.Z",
+}
+
+@InProceedings{Jacobs:Poll:01,
+  author =       "Bart Jacobs and Erik Poll",
+  title =        "A Logic for the {Java} Modeling Language {JML}",
+  series =      "Lecture Notes in Computer Science",
+  volume =       "2029",
+  pages =        "284--299",
+  year =         "2001",
+  booktitle =    "Fundamental Approaches to Software Engineering
+                 (FASE'2001)",
+  publisher =    "Springer",
+}
+
+@Article{Jacobs:Poll:03,
+  author =       "Bart Jacobs and Erik Poll",
+  title =	"Coalgebras and monads in the semantics of {Java}",
+  journal =      "Theoretical Computer Science",
+  volume =       "291",
+  number =       "3",
+  pages =	"329--349",
+  year =	 "2003",
+}
+
+@Article{Jacobs:Rutten:97,
+  author =       "Bart Jacobs and Jan Rutten",
+  title =        "A Tutorial on (Co)Algebras and (Co)Induction",
+  journal =      "Bulletin of the European Association for Theoretical
+                 Computer Science",
+  volume =       "62",
+  pages =        "222--259",
+  month =        jun,
+  year =         "1997",
+}
+
+@inproceedings{Jeffrey:Rathke:02,
+author = {Alan Jeffrey and Julian Rathke},
+year = {2002},
+title = {A fully abstract may testing semantics for concurrent objects},
+booktitle = {Proceedings  $17^{th}$ Annual Symposium on Logic in Computer Science},
+publisher = {IEEE Computer Society Press},
+pages = {101--112}
+}
+
+@inproceedings{Jeffrey:Rathke:99,
+  author	= {Alan Jeffrey and Julian Rathke},
+  title		= {Towards a theory of bisimulation for local names},
+  booktitle	= {Proc. LICS'99, 14th Annual Symposium on Logic in Computer Science},
+  year		= {1999},
+  publisher	= {IEEE Computer Society Press},
+  pages		= {56--66},
+}
+
+@InCollection{Kamin:Reddy:94,
+  author =       "Samuel N. Kamin and Uday S. Reddy",
+  title =        "Two Semantic Models of Object-Oriented Languages",
+  booktitle =    "Theoretical Aspects of Object-Oriented Programming:
+                 Types, Semantics, and Language Design",
+  editor =       "Carl A. Gunter and John C. Mitchell",
+  publisher =    "MIT Press",
+  pages =        "464--495",
+  year =         "1994",
+}
+
+@Book{Kernighan:Ritchie:88,
+  author = 	 {Brian Kernighan and Dennis Ritchie},
+  title = 	 {The {C} Programming Language},
+  publisher = 	 {Prentice-Hall},
+  year = 	 {1988},
+  edition = 	 {Second},
+}
+
+
+
+@InProceedings{Kleist:Sangiorgi:98,
+  author =       "Josva Kleist and Davide Sangiorgi",
+  title =        "Imperative Objects and Mobile Processes",
+  pages =        "285--303",
+  booktitle =    "Programming Concepts and Methods",
+  year =         "1998",
+  editor =       "David Gries and Willem-Paul {de Roever}",
+}
+
+@article{Kleymann:99,
+    author = "Thomas Kleymann",
+    title = "Hoare Logic and Auxiliary Variables",
+    journal = "Formal Aspects of Computing",
+    volume = "11",
+    number = "5",
+    pages = "541--566",
+    year = "1999",
+month = dec,
+}
+
+@InProceedings{Laeufer:95,
+  author = 	 "L{\"{a}}ufer, K.",
+  title = 	 "A Framework for Higher-Order Functions in {C}++",
+  booktitle =	 "Proceedings of Conference on Object-Oriented Technologies",
+  year =	 1995,
+  address =	 "Monterey, CA",
+  month =	 jun,
+  pages =        "103--116",
+}
+
+@InProceedings{Laird:02,
+  author = 	 {James Laird},
+  title = 	 {A Categorical Semantics of Higher-Order Store},
+  booktitle = {Proceedings of the 9th Conference on Category Theory and Computer Science, CTCS '02},
+  pages = 	 {1--18},
+  year = 	 {2003},
+  editor = 	 {Rick Blute and Peter Selinger},
+  volume = 	 {69},
+  series = 	 {Electronic notes in Theoretical Computer Science},
+  publisher = {Elsevier},
+}
+
+@Article{Landin:64,
+  author =       "Peter J. Landin",
+  title =        "The Mechanical Evaluation of Expressions",
+  journal =      "Computer Journal",
+  volume =       "6",
+  number =       "4",
+  month =        jan,
+  year =         "1964",
+  pages =        "308--320",
+}
+
+
+@InProceedings{Leino:98,
+  title =        "Recursive Object Types in a Logic of Object-Oriented
+                 Programs",
+  author =       "K. Rustan M. Leino",
+  booktitle =    "7th  European Symposium on Programming",
+  editor =       "Chris Hankin",
+  month =         mar,
+  year =         "1998",
+  series =       "Lecture Notes in Computer Science",
+publisher = {Springer},
+  volume =       "1381",
+  pages =        "170--184",
+}
+
+
+@InProceedings{Levy:02,
+  author =       "Paul Blain Levy",
+  title =        "Possible World Semantics for General Storage in
+                 Call-By-Value",
+  booktitle =    "CSL: 16th Workshop on Computer Science Logic",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "2471",
+  editor = "Julian Bradfield",
+  publisher =    "Springer",
+  year =         "2002",
+}
+
+
+@Book{Levy:04,
+  author = 	 {Paul Blain Levy},
+  title = 	 {Call-By-Push-Value. A Functional/Imperative Synthesis},
+  publisher = 	 {Kluwer},
+  year = 	 {2004},
+  volume = 	 {2},
+  series = 	 {Semantic Structures in Computation},
+}
+
+@Article{Liang:Bracha:98,
+  author =       "Sheng Liang and Gilad Bracha",
+  title =        "Dynamic Class Loading in the {Java Virtual Machine}",
+  pages =        "36--44",
+  booktitle =    "Proceedings of the 13th Conference on Object-Oriented
+                 Programming, Systems, Languages, and Applications",
+  month =        oct,
+  journal =       "ACM SIGPLAN Notices",
+  volume =       "33",
+number = "10",
+  publisher =    "ACM Press",
+  year =         "1998",
+}
+
+
+@Article{Liskov:Wing:94,
+  author =       "Barbara H. Liskov and Jeannette M. Wing",
+  title =        "A Behavioral Notion of Subtyping",
+  journal =      "ACM Transactions on Programming Languages and
+                 Systems",
+  volume =       "16",
+  number =       "6",
+  pages =        "1811--1841",
+  month =        nov,
+  year =         "1994",
+}
+
+@PhdThesis{Longley:95,
+  author =       "John Longley",
+  title =        "Realizability toposes and language semantics",
+  school =       "University of Edinburgh",
+  year =         "1995",
+}
+
+@Article{Longo:Moggi:91,
+  author =       "Giuseppe Longo and Eugenio Moggi",
+  title =        "Constructive Natural Deduction and its `$\omega$-set'
+                 Interpretation",
+  journal =      "Mathematical Structures in Computer Science",
+  pages =        "215--254",
+  volume =       "1",
+  number =       "2",
+  month =        jul,
+  year =         "1991",
+}
+
+
+@InProceedings{Ma:Reynolds:92,
+  author =       "QingMing Ma and John C. Reynolds",
+  title =        "Types, Abstraction, and Parametric Polymorphism, Part
+                 2",
+  booktitle =    "Proceedings 7th International Conference on Mathematical Foundations of Programming Semantics",
+  editor =       "Stephen Brookes and Michael Main and Austin Melton and
+                 Michael Mislove and David A. Schmidt",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "598",
+  publisher =    "Springer",
+  year =         "1992",
+  pages =        "1--40",
+}
+
+@Book{MacLane:97,
+  author = 	 {Saunders {Mac Lane}},
+  title = 	 {Categories for the Working Mathematician},
+  series =       {Graduate Texts in Mathematics},
+  volume =       {5},
+  publisher = 	 {Springer},
+  year = 	 {1997},
+}
+
+
+@Article{MacQueen:Plotkin:Sethi:86,
+  author =       "David B. MacQueen and Gordon D. Plotkin and Ravi
+                 Sethi",
+  title =        "An Ideal Model for Recursive Polymorphic Types",
+  journal =      "Information and Control",
+  month =        oct,
+  volume =       "71",
+  number =       "1--2",
+  year =         "1986",
+  pages =        "95--130",
+}
+
+@InProceedings{Meyer:Sieber:88,
+  author =       "Albert R. Meyer and K. Sieber",
+  title =        "Towards Fully Abstract Semantics for Local Variables:
+                 Preliminary Report",
+  pages =        "191--203",
+  booktitle =    "Conference Record of the Fifteenth Annual {ACM}
+                 Symposium on Principles of Programming Languages",
+  year =         "1988",
+  publisher =    "ACM Press",
+  month =        jan,
+}
+
+
+@Article{Milner:78,
+  author =       "Robin Milner",
+  journal =      "Journal of Computer and System Science",
+  pages =        "348--375",
+  title =        "A Theory of Type Polymorphism in Programming
+                 Languages",
+  volume =       "17",
+  number =       "3",
+  year =         "1978",
+}
+
+@InProceedings{Mitchell:90,
+  author =       "John C. Mitchell",
+  title =        "Toward a Typed Foundation for Method Specialization
+                 and Inheritance",
+  booktitle =    "Conference Record of the 17th Annual {ACM}
+                 Symposium on Principles of Programming
+                 Languages",
+publisher = {ACM Press},
+  year =         "1990",
+  pages =        "109--124",
+  month =        jan,
+}
+
+@InCollection{Mitchell:91,
+  author =       "John C. Mitchell",
+  title =        "On the Equivalence of Data Representations",
+  editor =       "V. Lifschitz",
+  booktitle =    "Artificial Intelligence and Mathematical Theory of
+                 Computation: Papers in Honor of {John McCarthy}",
+  publisher =    "Academic Press",
+  pages =        "305--330",
+  year =         "1991",
+}
+
+@Book{Mitchell:96,
+  author =       "John C. Mitchell",
+  title =        "Foundations for Programming Languages",
+  publisher =    "MIT Press",
+  year =         "1996",
+} 
+
+@Article{Mitchell:Moggi:91,
+  author =       "John C. Mitchell and Eugenio Moggi",
+  title =        "{K}ripke-Style Models for Typed Lambda Calculus",
+  journal =      "Annals of Pure and Applied Logic",
+  volume =       "51",
+  number =       "1--2",
+  pages =        "99--124",
+  year =         "1991",
+}
+
+@Article{Mitchell:Plotkin:88,
+  author =       "John C. Mitchell and Gordon D. Plotkin",
+  title =        "Abstract Types Have Existential Type",
+  journal =      "ACM Transactions on Programming Languages and
+                 Systems",
+  volume =       "10",
+  number =       "3",
+  pages =        "470--502",
+  month =        jul,
+  year =         "1988",
+}
+
+@InProceedings{Mitchell:Scedrov:93,
+  author =       "John C. Mitchell and Andre Scedrov",
+  title =        "Notes on Sconing and Relators",
+  publisher =    "Springer",
+  series =       "Lecture Notes in Computer Science",
+  volume =       "702",
+  pages =        "352--378",
+  year =         "1993",
+  booktitle =    "Computer Science Logic '92, Selected Papers",
+  editor    = {Egon B{\"o}rger and
+               Gerhard J{\"a}ger and
+               Hans Kleine B{\"u}ning and
+               Simone Martini and
+               Michael M. Richter},
+}
+
+
+@InProceedings{Mitchell:Viswanathan:96,
+  title =        "Effective Models of Polymorphism, Subtyping and
+                 Recursion (Extended Abstract)",
+  author =       "John C. Mitchell and Ramesh Viswanathan",
+  editor =       "Friedhelm {Meyer auf der Heide} and Burkhard Monien",
+  booktitle =    "23rd International Colloquium on Automata, Languages and Programming",
+  month =        jul,
+  year =         "1996",
+  series =       "Lecture Notes in Computer Science",
+  publisher =    "Springer",
+  volume =       "1099",
+  pages =        "170--181",
+}
+
+@Article{Moggi:Sabry:04,
+  author =       "Eugenio Moggi and Amr Sabry",
+  title =        "An Abstract Monadic Semantics for Value Recursion",
+  journal =      "Theoretical Informatics and Applications",
+  volume =       "38",
+  number =       "4",
+  special =      "Selected Papers from 5th Int.\ Wksh.\ on Fixed Points
+                 in Comp.\ Sci., FICS 2003, Warsaw, Poland, 12--13 Apr.\
+                 2003",
+  pages =        "375--400",
+  year =         "2004",
+}
+
+
+@Misc{Niehren:Schwinghammer:Smolka:Futures,
+  author = 	 {Joachim Niehren and Jan Schwinghammer and Gert Smolka},
+  title = 	 {Concurrent Computation in a Lambda Calculus with Futures},
+  year = {2003},
+  howpublished = {Draft},  
+}
+
+@inproceedings{Nipkow:Oheimb:02,
+author={David von Oheimb  and Tobias Nipkow},
+title={Hoare Logic for {NanoJava}: Auxiliary Variables, Side Effects and
+Virtual Methods Revisited},
+booktitle={Formal Methods Europe (FME 2002)},
+editor={L.-H. Eriksson and P. Lindsay},
+publisher={Springer},
+series={LNCS},
+volume=2391,
+pages={89-105},
+year={2002},
+}
+
+@Article{OHearn:03,
+  author = 	 {Peter W. O'Hearn},
+  title = 	 {On Bunched Typing},
+  journal = 	 {Journal of Functional Programming},
+  year = 	 {2003},
+  pages = {747--796},
+volume = {13},
+  number =       "4",
+} 
+
+@Article{OHearn:98,
+  author = 	 {Peter W. O'Hearn},
+  title = 	 {Polymorphism, Objects and Abstract Types},
+  journal = 	 {{SIGACT} News},
+  year = 	 {1998},
+  volume = 	 {29},
+  number = 	 {4},
+  pages = 	 {39--50},
+  month = 	 dec,
+}
+ 
+@Article{OHearn:Pym:99,
+  author = 	 {Peter W. O'Hearn and David J. Pym},
+  title = 	 {The Logic of Bunched Implications},
+  journal = 	 {Bulletin of Symbolic Logic},
+  year = 	 {1999},
+  volume = 	 {5},
+  number = 	 {2},
+  pages = 	 {215--244},
+  month = jun,
+}
+
+@Article{OHearn:Reddy:99,
+  author = 	 {Peter W. O'Hearn and Uday S. Reddy},
+  title = 	 {Objects, interference and the Yoneda embedding},
+  journal = 	 {Theoretical Computer Science},
+  year = 	 {1999},
+  volume = 	 {228},
+  number = 	 {1--2},
+  pages = 	 {253--282},
+}
+
+
+@InProceedings{OHearn:Reynolds:Yang:01,
+  author = 	 {Peter W. O'Hearn and John C. Reynolds and Hongseok Yang},
+  title = 	 {Local Reasoning about Programs that Alter Data Structures},
+  booktitle = {Proceedings  Computer Science Logic (CSL'01)},
+  pages = 	 {1--18},
+  year = 	 {2001},
+  editor = 	 {L. Fribourg},
+  volume = 	 {2142},
+  series = 	 {Lecture Notes in Computer Science},
+  publisher = {Springer},
+}
+
+@Article{OHearn:Tennent:95,
+  title =        "Parametricity and Local Variables",
+  author =       "Peter W. O'Hearn and Robert D. Tennent",
+  pages =        "658--709",
+  journal =      "Journal of the ACM",
+  month =        may,
+  year =         "1995",
+  volume =       "42",
+  number =       "3",
+}
+
+
+@Book{OHearn:Tennent:97,
+  editor =       "Peter W. O'Hearn and Robert D. Tennent",
+  title =        "{{A}lgol-Like Languages, Vols {I} and {II}}",
+  publisher =    "Birkhauser",
+  year =         "1997",
+  series =       "Progress in Theoretical Computer Science",
+}
+
+@Article{Ohori:Buneman:89,
+  key =          "Ohori \& Buneman",
+  author =       "Atsushi Ohori and Peter Buneman",
+  title =        "Static Type Inference for Parametric Classes",
+  journal =      "ACM SIGPLAN Notices",
+  volume =       "24",
+  number =       "10",
+  month =        oct,
+  year =         "1989",
+  pages =        "445--456",
+editor = "Norman Meyerowitz",
+  note =         "OOPSLA '89 Conference Proceedings",
+}
+
+
+@PhdThesis{Oles:82,
+  title =        "A Category-theoretic approach to the semantics of
+                 programming languages",
+  author =       "Frank Joseph Oles",
+  year =         "1982",
+  school =       "Syracuse University",
+}
+
+@Article{Palsberg:95,
+  title =        "Efficient Inference of Object Types",
+  author =       "Jens Palsberg",
+  pages =        "198--209",
+  journal =      "Information and Computation",
+  month =        dec,
+  year =         "1995",
+  volume =       "123",
+  number =       "2",
+}
+
+@Book{Paulson:87,
+  author =       "Larry C. Paulson",
+  title =        "Logic and Computation : Interactive proof with
+                 Cambridge {LCF}",
+  series =       "Cambridge Tracts in Theoretical Computer Science",
+  volume =       "2",
+  year =         "1987",
+publisher = "Cambridge University Press",
+}
+
+@TechReport{Phoa:92,
+  author =       "Wesley  Phoa",
+  title =        "An Introduction to Fibrations, Topos Theory, the
+                 Effective Topos and Modest Sets",
+  number =       "ECS-LFCS-92-208",
+  institution =  "Department of Computer Science, University of
+                 Edinburgh",
+  year =         "1992",
+}
+
+@Book{Pierce:02,
+  author =       "Benjamin C. Pierce",
+  title =        "Types and Programming Languages",
+  publisher =    "The MIT Press",
+  year =         "2002",
+}
+
+
+@Book{Pierce:91,
+  author =       "Benjamin C. Pierce",
+  title =        "Basic Category Theory for Computer Scientists",
+  publisher =    "MIT Press",
+  year =         "1991",
+}
+
+@Article{Pierce:Turner:94,
+  author =       "Benjamin C. Pierce and David N. Turner",
+  title =        "Simple Type-Theoretic Foundations for Object-Oriented
+                 Programming",
+  journal =      "Journal of Functional Programming",
+  volume =       "4",
+  number =       "2",
+  pages =        "207--247",
+  year =         "1994",
+}
+
+@Article{Pierik:deBoer:05,
+  author = 	 {Cees Pierik and Frank S. de Boer},
+  title = 	 {A Proof Outline Logic for Object-Oriented Programming},
+  journal = 	 {Theoretical Computer Science},
+  year = 	 {2005},
+  note = 	 {To appear},
+}
+
+@InProceedings{Pitts:87,
+  author =       "Andrew M. Pitts",
+  title =        "Polymorphism is Set Theoretic, Constructively",
+  booktitle =    "Category Theory and Computer Science",
+  editor =       "D. H. Pitt and A. Poign\'{e} and David E. Rydeheard",
+  series =       "Lecture Notes in Computer Science",
+  publisher = "Springer",
+  volume =       "283",
+  year =         "1987",
+}
+
+
+@ARTICLE{pitts:relational,
+ AUTHOR={Andrew M. Pitts},
+ TITLE={Relational Properties of Domains},
+ JOURNAL={Information and Computation},
+ VOLUME=127,
+ YEAR=1996,
+ PAGES={66--90},
+}
+
+@InProceedings{Pitts:Stark:93,
+  author =       "Andrew M. Pitts and Ian D. B. Stark",
+  title =        "Observable Properties of Higher Order Functions That
+                 Dynamically Create Local Names, or: What's new?",
+  booktitle =    "Proceedings 18th International Symposium on Mathematical Foundations of                Computer Science",
+ editor =       "Andrzej M. Borzyszkowski and Stefan Sokolowski",
+   series =       "Lecture Notes in Computer Science",
+  volume =       "711",
+  publisher =    "Springer",
+  year =         "1993",
+  pages =        "122--141",
+}
+
+@InProceedings{pitts-stark:state,
+  author =       "Andrew Pitts and Ian Stark",
+  title =        "Operational Reasoning for Functions with Local State",
+  booktitle =    "HOOTS",
+  year =         "1998",
+}
+
+
+
+
+
+@InProceedings{chin+:popl08,
+  author = 	 {Wei-Ngan Chin and Cristina David and Huu Hai Nguyen and Shengchao Qin},
+  title = 	 {Enhancing Modular {OO} Verification with Separation Logic},
+  booktitle = "POPL",
+  year = 2008,
+}
+
+@Unpublished{Plotkin:83,
+  author = 	 {Gordon D. Plotkin},
+  title = 	 {Domain Theory},
+note = "Pisa notes",
+  year = 	 {1983},
+}
+
+@Article{Plotkin:Smyth:82,
+  author =       "Michael B. Smyth and Gordon D. Plotkin",
+  title =        "The Category-theoretic Solution of Recursive Domain
+                 Equations",
+  journal =      "SIAM J. Comput.",
+  volume =       "11",
+  number =       "4",
+  pages =        "761--783",
+  year =         "1982",
+}
+
+@InProceedings{Poetzsch-Heffter:Mueller:98,
+  author =       "Arnd Poetzsch-Heffter and Peter M{\"u}ller",
+  title =        "Logical Foundations for Typed Object-Oriented
+                 Languages",
+  editor =       "David Gries and Willem-Paul {De~Roever}",
+  booktitle =    "Proceedings {IFIP} Working Conference on Programming
+                 Concepts and Methods",
+  year =         "1998",
+  publisher =    "Chapman \& Hall",
+}
+
+
+@InProceedings{Poetzsch-Heffter:Mueller:99,
+  key =          "Poetzsch-Heffter \& M{\"u}ller",
+  author =       "Arnd Poetzsch-Heffter and Peter M{\"u}ller",
+  title =        "A Programming Logic for Sequential {J}ava",
+  booktitle =    "European Symposium on Programming",
+  editor =       "S. D. Swierstra",
+  series =       "Lecture Notes in Computer Science",
+  publisher = "Springer",
+  volume =       "1576",
+  pages =        "162--176",
+  year =         "1999",
+}
+
+@Article{Pym:OHearn:Yang:04,
+  author =       "David J. Pym and  Peter W. O'Hearn and Hongseok
+                 Yang",
+  title =        "Possible worlds and resources: the semantics of {BI}",
+  journal =      "Theoretical Computer Science",
+  volume =       "315",
+  number =       "1",
+  pages =        "257--305",
+  day =          "5",
+  month =        may,
+  year =         "2004",
+}
+
+@Article{Reddy:02,
+  author = 	 {Uday S.~Reddy},
+  title = 	 {Objects and classes in Algol-like languages},
+  journal = 	 {Information and Computation},
+  year = 	 {2002},
+  volume = 	 {172},
+  number = 	 {1},
+  pages = 	 {63--97},
+  month = 	 {January},
+}
+
+@Article{Reddy:96,
+  author =       "Uday S. Reddy",
+  title =        "Global State Considered Unnecessary: An Introduction
+                 to Object-Based Semantics",
+  journal =      "{LISP} and Symbolic Computation",
+  volume =       "9",
+  number =       "1",
+  pages =        "7--76",
+  month =        feb,
+  year =         "1996",
+}
+
+@Misc{Reddy:98,
+  author = 	 {Uday S. Reddy},
+  title = 	 {Objects and Classes in {Algol}-like Languages},
+  year = 	 {1998},
+  note = 	 {Presented at {FOOL} 5 workshop},
+}
+
+
+@Article{Reddy:Yang:04,
+  author = 	 {Uday S. Reddy and Hongseok Yang},
+  title = 	 {Correctness of Data Representations Involving Heap
+                 Data Structures},
+  journal = 	 {Science of Computer Programming},
+  year = 	 {2004},
+  volume = 	 {50},
+  number = 	 {1--3},
+  pages = 	 {129--160},
+  month = 	 {March},
+}
+
+
+@Article{Remy:Vouillon:98,
+author     = "Didier R{\'e}my and J{\'e}r{\^o}me Vouillon",
+  title =        "Objective {ML}: 
+                  An effective object-oriented extension to {ML}",
+  journal =      "Theory And Practice of Object Systems",
+  year =         1998,
+  volume =    "4",
+  number =    "1",
+  pages =     "27--50",
+}
+
+
+@InProceedings{Reus:02,
+  author = 	 {Bernhard Reus},
+  title = 	 {Class-based versus Object-based: A Denotational Comparison},
+  booktitle = 	 {Proceedings of 9th International Conference on Algebraic Methodology And Software
+Technology},
+  series =       "Lecture Notes in Computer Science",
+ publisher = "Springer",
+editor = {H{\'}el{\`}ene Kirchner and Christophe Ringeissen},
+  volume =       {2422},
+  pages =        {473--488},
+  year =         {2002},
+}
+
+@INPROCEEDINGS{Reus:03,
+ author = {B.~Reus},
+ title = {Modular Semantics and Logics of Classes},
+ booktitle = "Computer Science Logic",
+ pages = "456--469",
+ editor = "Matthias Baatz and Johann A.~Makowsky",
+ publisher = "Springer",
+ Series = "Lecture Notes in Computer Science",
+ volume = "2803",
+ year = "2003"
+}
+
+
+@Unpublished{Reus:99,
+  author = 	 {Bernhard Reus},
+  title = 	 {Realizability Models for Type Theories},
+  note = 	 {Draft of a Tutorial for the {R}ealizability {W}orkshop'99 in {T}rento},
+  month =        nov,
+  year = 	 {2000},
+}
+
+
+
+@TechReport{Reus:Schwinghammer:04,
+  author = 	 {Bernhard Reus and Jan Schwinghammer},
+  title = 	 {Denotational Semantics for {Abadi} and {Leino}'s Logic of Objects},
+  institution =  {Informatics, University of Sussex},
+  year = 	 {2004},
+  number = 	 {2004:03},
+}
+
+@InProceedings{Reus:Schwinghammer:05,
+  author = 	 {Bernhard Reus and Jan Schwinghammer},
+  title = 	 {Denotational Semantics for {Abadi} and {Leino}'s Logic of Objects},
+  booktitle = {Proceedings of the European Symposium on Programming},
+  year = 	 {2005},
+pages = {264--279},
+  editor = 	 {Mooly Sagiv},
+  series = 	 {Lecture Notes in Computer Science},
+volume = {3444},
+  publisher =    {Springer},
+}
+
+@InProceedings{Reus:Streicher:02,
+  author = 	 {Bernhard Reus and Thomas Streicher},
+  title = 	 {Semantics and Logic of Object Calculi},
+  booktitle = 	 {Proceedings of 17th Annual IEEE Symposium Logic in Computer Science},
+  publisher	= {IEEE Computer Society Press},
+  year =         {2002},
+  pages =        {113--124},
+}
+
+
+@Article{Reus:Streicher:04,
+  author = 	 {Bernhard Reus and Thomas Streicher},
+  title = 	 {Semantics and Logic of Object Calculi},
+  journal = 	 {Theoretical Computer Science},
+  year = 	 {2004},
+  volume = 	 {316},
+  publisher =    "Elsevier",
+  pages = 	 {191--213},
+}
+
+@INPROCEEDINGS{Reus:Wirsing:Hennicker:01,
+ Author = "B.~Reus and M.~Wirsing and R.~Hennicker",
+ Title = "{A Hoare-Calculus for Verifying Java Realizations of OCL-Constrained Design Models}",
+ Booktitle = "FASE 2001",
+ Year = 2001,
+Editor = "Heinrich Hussmann",
+ Publisher = "Springer",
+ Volume = 2029,
+ Pages = "300--317",
+ Series = "Lecture Notes in Computer Science",
+}
+
+@incollection{Reynolds:02a,
+author = "Reynolds, John C.",
+title = "What do Types Mean? --- {From} Intrinsic to Extrinsic Semantics",
+booktitle = "Essays on Programming Methodology",
+editor = "Annabelle McIver and Carroll Morgan",
+publisher = "Springer",
+year = "2002",
+}
+
+@InProceedings{Reynolds:02,
+  author =       "John C. Reynolds",
+  title =        "Separation Logic: {A} Logic for Shared Mutable Data
+                 Structures",
+  pages =        "55--74",
+  booktitle =    "LICS'02",
+  year =         "2002"
+}
+
+@InProceedings{hobor+:esop08,
+  author = 	 {Aquinas Hobor and Andrew Appel and Francesco {Zappa Nardelli}},
+  title = 	 {Oracle Semantics for Concurrent Separation Logic},
+  booktitle = {ESOP},
+  year = 	 {2008},
+}
+
+@InProceedings{stovring+:popl07,
+  author = 	 {Kristian St\o{}vring and Soren Lassen},
+  title = 	 {A Complete, Co-Inductive Syntactic Theory of Sequential Control and State},
+  booktitle = {POPL},
+  year = 	 {2007},
+}
+
+@InProceedings{lassen+:lics08,
+  author = 	 {Soren B. Lassen and Paul Blain Levy},
+  title = 	 {Typed Normal Form Bisimulation for Parametric Polymorphism},
+  booktitle = {LICS},
+  year = 	 {2008},
+}
+
+@inproceedings{meyer-sieber-1988,
+  author = "Albert R. Meyer and Kurt Sieber",
+  title = "Towards fully abstract semantics for local variables",
+  booktitle = {POPL},
+  year = 1988,
+}
+
+@InProceedings{pottier:lics08,
+  author = 	 {Fran\c{c}ois Pottier},
+  title = 	 {Hiding local state in direct style: a higher-order anti-frame rule},
+  booktitle = {LICS},
+  year = 	 {2008},
+}
+
+@InProceedings{hobor+:popl10,
+  author = 	 {Aquinas Hobor and Robert Dockins and Andrew Appel},
+  title = 	 {A Theory of Indirection via Approximation},
+  booktitle = {POPL},
+  year = 	 {2010},
+}
+
+@InProceedings{Dockins+:aplas09,
+	author={Robert Dockins and Aquinas Hobor and Andrew W. Appel},
+	title={A Fresh Look at Separation Algebras and Share Accounting},
+	booktitle={APLAS},
+	year={2009},
+}
+
+@InProceedings{Balabonski+:flops14,
+	author={Thibaut Balabonski and Fran\c{c}ois Pottier and Jonathan Protzenko},
+	title={Type Soundness and Race Freedom for {M}ezzo},
+	booktitle={FLOPS},
+	year={2014},
+}
+
+@Article{Pottier:jfp13,
+	author={Fran\c{c}ois Pottier},
+	title={Syntactic soundness proof of a type-and-capability system with hidden state},
+	journal={JFP},
+	volume={23},
+	number={1},
+	pages={38--144},
+	year={2013},
+}
+
+@Unpublished{pottier:generalized,
+  author = 	 {Fran\c{c}ois Pottier},
+  title = 	 {Generalizing the higher-order frame and anti-frame rules},
+  note = {Unpublished},
+  year = 	 {2009},
+  mon = jul,
+}
+
+@inproceedings{pilkiewicz+:monotonic,
+  author = 	 {Alexandre Pilkiewicz and Fran\c{c}ois Pottier},
+  title = 	 {The Essence of Monotonic State},
+  booktitle = {TLDI},
+  year =         2011,
+}
+
+@InProceedings{schwinghammer+:antiframe,
+  author = 	 {Jan Schwinghammer and Hongseok Yang and Lars Birkedal and Fran\c{c}ois Pottier and Bernhard Reus},
+  title = 	 {A Semantic Foundation for Hidden State},
+  booktitle =         {FOSSACS},
+  year = 	 2010,
+}
+
+@InProceedings{chargueraud+:icfp08,
+  author = 	 {Arthur Chargu\'eraud and Fran\c{c}ois Pottier},
+  title = 	 {Functional translation of a calculus of capabilities},
+  booktitle = {ICFP},
+  year = 	 {2008},
+}
+
+@InProceedings{benton+:tldi09,
+  author = 	 {Nick Benton and Nicolas Tabareau},
+  title = 	 {Compiling functional types to relational specifications for low level imperative code},
+  booktitle = {TLDI},
+  year = 	 {2009},
+}
+
+@InProceedings{benton+:icfp09,
+  author = 	 {Nick Benton and Chung-Kil Hur},
+  title = 	 {Biorthogonality, Step-Indexing and Compiler Correctness},
+  booktitle = {ICFP},
+  year = 	 2009}
+
+
+@InProceedings{benton-tabareau-tldi2009,
+  author = 	 {Nick Benton and Nicolas Tabareau},
+  title = 	 {Compiling Functional Types to Relational Specifications for Low Level Imperative Code},
+  booktitle = {TLDI},
+  year = 	 {2009},
+}
+
+@article{DBLP:journals/iandc/AbramskyJM00,
+  author    = {Samson Abramsky and
+               Radha Jagadeesan and
+               Pasquale Malacaria},
+  title     = {Full Abstraction for PCF},
+  journal   = {Inf. Comput.},
+  volume    = {163},
+  number    = {2},
+  year      = {2000},
+  pages     = {409-470},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@article{DBLP:journals/iandc/HylandO00,
+  author    = {J. M. E. Hyland and
+               C.-H. Luke Ong},
+  title     = {On Full Abstraction for PCF: I, II, and III},
+  journal   = {Inf. Comput.},
+  volume    = {163},
+  number    = {2},
+  year      = {2000},
+  pages     = {285-408},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+
+@Unpublished{koutavas-lassen,
+  author = 	 {V. Koutavas and S. Lassen},
+  title = 	 {Fun with Fully Abstract Operational Game Semantics for General References},
+  note = 	 {Unpublished},
+  month = 	 feb,
+  year = 	 2008
+}
+
+
+
+@InProceedings{murawski+:lics11,
+  author = 	 {Andrzej S. Murawski and Nikos Tzevelekos},
+  title = 	 {Game semantics for good general references},
+  booktitle = {LICS},
+  year = 	 {2011},
+}
+
+@inproceedings{laird:icalp07,
+  author    = {James Laird},
+  title     = {A Fully Abstract Trace Semantics for General References},
+  booktitle = {ICALP},
+  year      = {2007}
+}
+
+@inproceedings{DBLP:conf/fossacs/Laird04,
+  author    = {James Laird},
+  title     = {A Game Semantics of Local Names and Good Variables},
+  booktitle = {Foundations of Software Science and Computation Structures,
+               7th International Conference, FOSSACS 2004, Held as Part
+               of the Joint European Conferences on Theory and Practice
+               of Software, ETAPS 2004, Barcelona, Spain, March 29 - April
+               2, 2004, Proceedings},
+  year      = {2004},
+  publisher = {Springer},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {2987},
+  pages     = {289-303},
+  ee        = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=2987{\&}spage=289},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+
+@inproceedings{lassen+:csl07,
+  author    = {Soren B. Lassen and
+               Paul Blain Levy},
+  title     = {Typed Normal Form Bisimulation},
+  booktitle     = {CSL},
+  year      = {2007}
+}
+
+
+
+@inproceedings{DBLP:conf/fossacs/MurawskiT09,
+  author    = {Andrzej S. Murawski and
+               Nikos Tzevelekos},
+  title     = {Full Abstraction for Reduced ML},
+  booktitle     = {FOSSACS},
+  year      = {2009}
+}
+
+
+@article{DBLP:journals/tcs/MurawskiW08,
+  author    = {Andrzej S. Murawski and
+               Igor Walukiewicz},
+  title     = {Third-order {Idealized Algol} with iteration is decidable},
+  journal   = {TCS},
+  volume    = {390},
+  number    = {2--3},
+  year      = {2008},
+  pages     = {214--229}
+}
+
+@inproceedings{DBLP:conf/icalp/GhicaM00,
+  author    = {Dan R. Ghica and
+               Guy McCusker},
+  title     = {Reasoning about {Idealized Algol} Using Regular Languages},
+  booktitle     = {ICALP},
+  year      = {2000}
+}
+
+@inproceedings{DBLP:conf/galop/Murawski05,
+  author    = {Andrzej S. Murawski},
+  title     = {Functions with local state: from regularity to undecidability},
+  booktitle     = {GALOP},
+  year      = {2005}
+}
+
+@inproceedings{DBLP:conf/icalp/MurawskiOW05,
+  author    = {Andrzej S. Murawski and
+               C.-H. Luke Ong and
+               Igor Walukiewicz},
+  title     = {{Idealized Algol} with Ground Recursion, and DPDA Equivalence},
+  booktitle     = {ICALP 2005},
+  year      = 2005
+}
+
+@article{murawski-rml-badvars,
+  author    = {Andrzej S. Murawski},
+  title     = {Functions with local state: regularity and undecidability},
+  journal   = {TCS},
+  volume    = {338},
+  number    = {1--3},
+  year      = {2005},
+  pages     = {315--349}
+}
+
+@inproceedings{DBLP:conf/lics/McCusker96,
+  author    = {Guy McCusker},
+  title     = {Games and Full Abstraction for FPC},
+  booktitle = {LICS},
+  year      = {1996},
+  pages     = {174-183},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{DBLP:conf/fossacs/AbramskyJ03,
+  author    = {Samson Abramsky and
+               Radha Jagadeesan},
+  title     = {A Game Semantics for Generic Polymorphism},
+  booktitle     = {Foundations of Software Science and Computational Structures,
+               6th International Conference, FOSSACS 2003 Held as Part
+               of the Joint European Conference on Theory and Practice
+               of Software, ETAPS 2003, Warsaw, Poland, April 7-11, 2003,
+               Proceedings},
+  publisher = {Springer},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {2620},
+  year      = {2003},
+  pages     = {1-22},
+  ee        = {http://link.springer.de/link/service/series/0558/bibs/2620/26200001.htm},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{DBLP:conf/lics/LongoMS93,
+  author    = {Giuseppe Longo and
+               Kathleen Milsted and
+               Sergei Soloviev},
+  title     = {The Genericity Theorem and the Notion of Parametricity in
+               the Polymorphic lambda-calculus (Extended Abstract)},
+  booktitle     = {LICS},
+  year      = {1993}
+}
+
+@inproceedings{DBLP:conf/lics/AbramskyHM98,
+  author    = {Samson Abramsky and
+               Kohei Honda and
+               Guy McCusker},
+  title     = {A Fully Abstract Game Semantics for General References},
+  booktitle = {LICS},
+  year      = {1998},
+}
+
+@inproceedings{abramsky-mccusker-lecturenotes,
+  author    = {Samson Abramsky and
+               Guy McCusker},
+  title     = {Game Semantics},
+  booktitle = {Proceedings of the 1997 Marktoberdorf Summer School},
+  year      = {1998}
+}
+
+@inproceedings{DBLP:conf/lics/Hughes97,
+  author    = {Dominic J. D. Hughes},
+  title     = {Games and Definability for System F},
+  booktitle = {LICS},
+  year      = {1997}
+}
+
+@Unpublished{laird:icalpsubmission,
+  author = 	 {James Laird},
+   title = 	 {Game Semantics for Call-by-Value Polymorphism},
+  note = 	 {Manuscript},
+  month = 	 {March},
+  year = 	 2010
+}
+
+
+
+@article{DBLP:journals/entcs/AbramskyM96,
+  author    = {Samson Abramsky and
+               Guy McCusker},
+  title     = {Linearity, Sharing and State: a fully abstract game semantics
+               for {Idealized Algol} with active expressions},
+  journal   = {Electr. Notes Theor. Comput. Sci.},
+  volume    = {3},
+  year      = {1996}
+}
+
+@InProceedings{ohearn-reddy-95,
+  author = 	 {Peter O'Hearn and Uday Reddy},
+  title = 	 {Objects, Interference, and the {Y}oneda Embedding},
+  booktitle = {MFPS},
+  year = 	 1995}
+
+
+@InProceedings{pitts:96,
+  author = 	 {Andrew M. Pitts},
+  title = 	 {Reasoning about Local Variables with Operationally-Based Logical Relations},
+  booktitle = {LICS},
+  year = 	 1996}
+
+
+
+@InProceedings{sumii:csl09,
+  author = 	 {Eijiro Sumii},
+  title = 	 {A Complete Characterization of Observational Equivalence in Polymorphic $\lambda$-Calculus with General References},
+  booktitle = {CSL},
+  year = 	 2009}
+
+@inproceedings{sangiorgi+:lics07,
+  title = {Environmental Bisimulations for Higher-Order Languages},
+  author = {Davide Sangiorgi and Naoki Kobayashi and Eijiro Sumii},
+  booktitle = {LICS},
+  year = 2007,
+}
+                  
+@inproceedings{bohr-birkedal-2006,
+  author = "Nina Bohr and Lars Birkedal",
+  title = {Relational reasoning for recursive types and references},
+  booktitle = {APLAS},
+  year = 2006,
+}
+@PhdThesis{bohr:thesis,
+  author = 	 {Nina Bohr},
+  title = 	 {Advances in Reasoning Principles for Contextual Equivalence and Termination},
+  school = 	 {IT University of Copenhagen},
+  year = 	 {2007},
+}
+@article{sumii-pierce-jacm,
+ author = {Eijiro Sumii and Benjamin Pierce},
+ title = {A Bisimulation for Type Abstraction and Recursion},
+ journal = {Journal of the ACM},
+ volume = 54,
+ number = 5,
+ year = 2007,
+ pages = {1--43},
+}
+
+@inproceedings{koutavas-wand-2006,
+ author = {Vasileios Koutavas and Mitchell Wand},
+ title = {Small Bisimulations for Reasoning About Higher-Order Imperative Programs},
+ booktitle = {POPL},
+ year = {2006},
+}
+
+
+@PhDthesis{ahmed:thesis,
+  title = {Semantics of Types for Mutable State},
+  author = "Amal Ahmed",
+  school = "Princeton University",
+  year = 2004
+}
+
+@Article{johann+:impact,
+  author = 	 {Patricia Johann and Janis Voigtl\"ander},
+  title = 	 {The Impact of \emph{seq} on Free Theorems-Based Program Transformations},
+  journal = 	 {Fundamenta Informaticae},
+  year = 	 {2006},
+  volume = 	 {69},
+  number =       {1--2},
+  pages = 	 {63--102},
+}
+
+@InProceedings{johann+:lics10,
+  author = 	 {Patricia Johann and Alex Simpson and Janis Voigtl\"ander},
+  title = 	 {A Generic Operational Metatheory for Algebraic Effects},
+  booktitle =    {LICS},
+  year = 	 {2010},
+}
+
+@InProceedings{laird:lics97,
+  author = 	 {James Laird},
+  title = 	 {Full Abstraction for Functional Languages with Control},
+  booktitle = {LICS},
+  year = 	 {1997},
+}
+
+@Article{krivine:realize,
+  author = 	 {Jean-Louis Krivine},
+  title = 	 {Classical logic, storage operators and second-order lambda-calculus},
+  journal = 	 {Annals of Pure and Applied Logic},
+  year = 	 {1994},
+  volume = 	 {68},
+  pages = 	 {53--78},
+}
+
+@InProceedings{friedman-haynes,
+  author = 	 {Daniel Friedman and Christopher Haynes},
+  title = 	 {Constraining control},
+  booktitle = {POPL},
+  year = 	 {1985},
+}
+
+@InProceedings{dreyer+:popl10,
+  author = 	 {Derek Dreyer and Georg Neis and Andreas Rossberg and Lars Birkedal},
+  title = 	 {A Relational Modal Logic for Higher-Order Stateful {ADTs}},
+  booktitle = {POPL},
+  year = 	 {2010},
+}
+
+@Article{mason-talcott,
+  author = 	 {Ian Mason and Carolyn Talcott},
+  title = 	 {Equivalence in functional languages with effects},
+  journal = 	 {JFP},
+  year = 	 {1991},
+  volume = 	 {1},
+  number = 	 {3},
+  pages = 	 {287--327},
+}
+
+@InProceedings{thielecke:esop00,
+  author = 	 {Hayo Thielecke},
+  title = 	 {On Exceptions versus Continuations in the Presence of State},
+  booktitle = {ESOP},
+  year = 	 {2000},
+}
+
+
+@Article{johann:shortcut,
+  author = 	 {Patricia Johann},
+  title = 	 {Short Cut Fusion is Correct},
+  journal = 	 {JFP},
+  year = 	 {2003},
+  volume = 	 {13},
+  number = 	 {4},
+  pages = 	 {797--814},
+}
+
+@InProceedings{neis+:icfp09,
+  author = 	 {Georg Neis and Derek Dreyer and Andreas Rossberg},
+  title = 	 {Non-Parametric Parametricity},
+  booktitle = {ICFP},
+  year = 	 {2009},
+}
+
+@Article{neis+:jfp11,
+  author = 	 {Georg Neis and Derek Dreyer and Andreas Rossberg},
+  title = 	 {Non-Parametric Parametricity},
+  journal = 	 {JFP},
+  year = 	 {2011},
+  volume = 	 {21},
+  number = 	 {4\&5},
+  pages = 	 {497--562},
+}
+
+@Article{dreyer+:lmcs11,
+  author = 	 {Derek Dreyer and Amal Ahmed and Lars Birkedal},
+  title = 	 {Logical Step-Indexed Logical Relations},
+  journal = 	 {LMCS},
+  year = 	 {2011},
+  volume = 	 {7},
+  number = 	 {2:16},
+  pages = 	 {1--37},
+  month = jun,
+}
+
+@InProceedings{lassen:lics05,
+  author = 	 {Soren Lassen},
+  title = 	 {Eager Normal Form Bisimulation},
+  booktitle = {LICS},
+  year = 	 {2005},
+}
+
+@inproceedings{reynolds-1983,
+  author        = "John C. Reynolds",
+  title         = "Types, abstraction and parametric polymorphism",
+  booktitle     = "Information Processing",
+  year          = 1983,
+}
+
+@Article{pierce-sangiorgi,
+  author = 	 {Benjamin C. Pierce and Davide Sangiorgi},
+  title = 	 {Behavioral Equivalence in the Polymorphic Pi-Calculus},
+  journal = 	 {Journal of the ACM},
+  year = 	 {2000},
+  volume = 	 {47},
+  number = 	 {3},
+  pages = 	 {531--586},
+}
+
+@InProceedings{gotsman+:aplas07,
+  author = 	 {Alexey Gotsman and Josh Berdine and Byron Cook and Noam Rinetzky and Mooly Sagiv},
+  title = 	 {Local Reasoning About Storable Locks and Threads},
+  booktitle = {APLAS},
+  year = 	 {2007},
+}
+
+@InProceedings{buisse+:mfps11,
+  author = 	 {Alexandre Buisse and Lars Birkedal and Kristian St\o{}vring},
+  title = 	 {A Step-Indexed {Kripke} Model of Separation Logic for Storable Locks},
+  booktitle = {MFPS},
+  year = 	 {2011},
+}
+
+@Article{sangiorgi:lazy-lambda,
+  author = 	 {Davide Sangiorgi},
+  title = 	 {The Lazy Lambda Calculus in a Concurrency Scenario},
+  journal = 	 {Information and Computation},
+  year = 	 {1994},
+  volume = 	 {111},
+  number = 	 {1},
+  pages = 	 {120--153},
+}
+
+@inproceedings{wadler:free-theorems,
+  author	= "Philip Wadler",
+  title		= "Theorems for free!",
+  booktitle	= {FPCA},
+  year		= 1989,
+}
+
+@InProceedings{birkedal+:lics11,
+  author = 	 {Lars Birkedal and Rasmus Ejlers M\o{}gelberg and Jan Schwinghammer and Kristian St\o{}vring},
+  title = 	 {First steps in synthetic guarded domain theory: step-indexing in the topos of trees},
+  booktitle = {LICS},
+  year = 	 {2011},
+
+
+}
+
+@InProceedings{ahmed+:icfp11,
+  author = 	 {Amal Ahmed and Matthias Blume},
+  title = 	 {An Equivalence-Preserving {CPS} Translation via Multi-Language Semantics},
+  booktitle = {ICFP},
+  year = 2011,
+}
+
+
+@Article{uustalu+:njc99,
+  author = 	 {Tarmo Uustalu and Varmo Vene},
+  title = 	 {Mendler-style Inductive Types, Categorically},
+  journal = 	 {Nordic Journal of Computing},
+  year = 	 {1999},
+  volume = 	 {6},
+  number = 	 {3},
+  pages = 	 {343--361},
+}
+
+
+@Article{mendler:pal91,
+  author = 	 {Nax P. Mendler},
+  title = 	 {Inductive Types and Type Constraints in the Second-Order Lambda-Calculus},
+  journal = 	 {Annals of Pure and Applied Logic},
+  year = 	 {1991},
+  volume = 	 {51},
+  number = 	 {1--2},
+  pages = 	 {159--172},
+}
+
+
+@InProceedings{koutavas+:mfps11,
+  author = 	 {Vasileios Koutavas and Paul Blain Levy and Eijiro Sumii},
+  title = 	 {From Applicative to Environmental Bisimulation},
+  booktitle = {MFPS},
+  year = 2011,
+}
+
+
+@InCollection{abramsky:applicative,
+  author = 	 {Samson Abramsky},
+  title = 	 {The Lazy Lambda Calculus},
+  booktitle = 	 {Research Topics in Functional Programming},
+  pages = 	 {65--117},
+  editor = 	 {D. A. Turner},
+  year = 1990,
+}
+
+
+@InProceedings{vafeiadis:mfps11,
+  author = 	 {Viktor Vafeiadis},
+  title = 	 {Concurrent separation logic and operational semantics},
+  booktitle = {MFPS},
+  year = 2011,
+}
+
+
+
+@InProceedings{hur+:popl12,
+  author = 	 {Chung-Kil Hur and Derek Dreyer and Georg Neis and Viktor Vafeiadis},
+  title = 	 {The Marriage of Bisimulations and {Kripke} Logical Relations},
+  booktitle = {POPL},
+  year = 	 {2012},
+}
+
+
+@InProceedings{le+:pldi14,
+  author = 	 {Vu Le and Mehrdad Afshari and Zhengdong Su},
+  title = 	 {Compiler Validation via Equivalence Modulo Inputs},
+  booktitle = {PLDI},
+  year = 	 {2014},
+}
+
+
+@Article{leroy:compcert,
+  author = 	 {Xavier Leroy},
+  title = 	 {A formally verified compiler back-end},
+  journal = 	 {Journal of Automated Reasoning},
+  year = 	 {2009},
+  volume = 	 {43},
+  number = 	 {4},
+  pages = 	 {363--446},
+}
+
+
+@InProceedings{perconti+:esop14,
+  author = 	 {James T. Perconti and Amal Ahmed},
+  title = 	 {Verifying an Open Compiler Using Multi-Language Semantics},
+  booktitle = {ESOP},
+  year = 	 {2014},
+}
+
+
+@InProceedings{matthews+:popl07,
+  author = 	 {Jacob Matthews and Robert Bruce Findler},
+  title = 	 {Operational Semantics for Multi-Language Programs},
+  booktitle = {POPL},
+  year = 	 {2007},
+}
+
+
+@InProceedings{beringer+:esop14,
+  author = 	 {Lennart Beringer and Gordon Stewart and Robert Dockins and Andrew W. Appel},
+  title = 	 {Verified Compilation for Shared-Memory {C}},
+  booktitle = {ESOP},
+  year = 	 {2014},
+}
+
+@inproceedings{caresl,
+  title={Unifying refinement and {Hoare}-style reasoning in a logic for higher-order concurrency},
+  author={Aaron Turon and Derek Dreyer and Lars Birkedal},
+  booktitle={ICFP},
+  year={2013},
+}
+@InProceedings{fcsl,
+  author =   {Aleksandar Nanevski and Ruy Ley-Wild and Ilya Sergey and Germ\'an Andr\'es Delbianco},
+  title =    {Communicating State Transition Systems for Fine-Grained Concurrent Resources},
+  booktitle = {ESOP},
+  year =   {2014},
+}
+@InProceedings{tada,
+  author =   {Pedro {da Rocha Pinto} and Thomas Dinsdale-Young and Philippa Gardner},
+  title =    {{TaDA}: A Logic for Time and Data Abstraction},
+  booktitle = {ECOOP},
+  year =   {2014},
+}
+@InProceedings{icap,
+  author =   {Kasper Svendsen and Lars Birkedal},
+  title =    {Impredicative Concurrent Abstract Predicates},
+  booktitle = {ESOP},
+  year =   {2014},
+}
+
+@InProceedings{krishnaswami+:icfp12,
+  author =       {Neelakantan R. Krishnaswami and Aaron Turon and Derek Dreyer and Deepak Garg},
+  title =    {Superficially substructural types},
+  booktitle =    {ICFP},
+  year =   {2012},
+}
+@inproceedings{cap,
+  title={Concurrent abstract predicates},
+  author={Dinsdale-Young, T. and Dodds, M. and Gardner, P. and Parkinson, M.
+          and Vafeiadis, V.},
+  booktitle={ECOOP},
+  year={2010},
+}
+@inproceedings{scsl,
+author = {Ley-Wild, Ruy and Nanevski, Aleksandar},
+booktitle = {POPL},
+title = {Subjective Auxiliary State for Coarse-Grained Concurrency},
+year = {2013}
+}
+
+@InProceedings{views,
+  author =   {Thomas Dinsdale-Young and Lars Birkedal and Philippa Gardner and Matthew J. Parkinson and Hongseok Yang},
+  title =    {Views: Compositional reasoning for concurrent programs},
+  booktitle = {POPL},
+  year =   {2013},
+}
+
+@article{rg,
+ author = {Jones, C. B.},
+ title = {Tentative steps toward a development method for interfering programs},
+ journal = {TOPLAS},
+ volume = {5},
+ number = {4},
+ year = {1983},
+ pages = {596--619},
+ publisher = {ACM},
+ }
+
+@inproceedings{lrg,
+ author = {Feng, Xinyu},
+ title = {Local rely-guarantee reasoning},
+ booktitle = {POPL},
+ year = {2009}
+ }
+
+@inproceedings{rgsep,
+  title={A marriage of rely/guarantee and separation logic},
+  author={Vafeiadis, V. and Parkinson, M.},
+  booktitle={CONCUR},
+  year={2007},
+}
+
+@InProceedings{Parkinson+:popl07,
+	author={Matthew J. Parkinson and Richard Bornat and Peter W. O'Hearn},
+	title={Modular verification of a non-blocking stack},
+	booktitle={POPL},
+	year={2007},
+}
+
+@article{ohearn:csl,
+  title={Resources, concurrency, and local reasoning},
+  author={O'Hearn, P.W.},
+  journal={TCS},
+  volume={375},
+  number={1},
+  pages={271--307},
+  year={2007},
+}
+
+@InProceedings{Elmas+:tacas10,
+	author={Tayfun Elmas and Shaz Qadeer and Ali Sezgin and Omer Subasi and Serdar Tasiran},
+	title={Simplifying Linearizability Proofs with Reduction and Abstraction},
+	booktitle={TACAS},
+	year={2010},
+}
+
+@InProceedings{Elmas+:popl09,
+	author={Tayfun Elmas and Shaz Qadeer and Serdar Tasiran},
+	title={A calculus of atomic actions},
+	booktitle={POPL},
+	year={2009},
+}
+
+@article{linearizability,
+ author = {Herlihy, Maurice P. and Wing, Jeannette M.},
+ title = {Linearizability: a correctness condition for concurrent objects},
+ journal = {TOPLAS},
+ volume = {12},
+ number = {3},
+ year = {1990},
+ pages = {463--492},
+ publisher = {ACM},
+ }
+
+@inproceedings{blaming,
+ title = {Blaming the client: On data refinement in the presence of pointers},
+ author = {Filipovi\'{c}, Ivana and O’Hearn, Peter and Torp-Smith, Noah and Yang, Hongseok},
+ year = 2009,
+ booktitle = {FACS},
+}
+
+@InProceedings{jacobs-piessens,
+  author = 	 {Bart Jacobs and Frank Piessens},
+  title = 	 {Expressive modular fine-grained concurrency specification},
+  booktitle = {POPL},
+  year = 	 2011,
+}
+
+@Misc{Jacobs:personalcommunication2014,
+  author = 	 {Bart Jacobs},
+  title = 	 {Personal communication},
+  year = 	 {2014},
+}
+
+@InProceedings{turon+:popl13,
+  author =       {Aaron Turon and Jacob Thamsborg and Amal Ahmed and Lars Birkedal and Derek Dreyer},
+  title = 	 {Logical relations for fine-grained concurrency},
+  booktitle =    {POPL},
+  year = 	 {2013},
+}
+
+@InProceedings{elimination-stack,
+  author = 	 {D. Hendler and N. Shavit and L. Yerushalmi},
+  title = 	 {A Scalable Lock-Free Stack Algorithm},
+  booktitle = {SPAA},
+  year = 	 2004
+}
+
+@Article{lamport:sc,
+	author={Leslie Lamport},
+	title={How to Make a Multiprocessor Computer That Correctly Executes Multiprocess Programs},
+	journal={IEEE Trans.\ Comput.},
+	year={1979},
+	volume={28},
+	number={9},
+	pages={690--691},
+}
+
+@InProceedings{sagl,
+  author = 	 {Xinyu Feng and Rodrigo Ferreira and Zhong Shao},
+  title = 	 {On the relationship between concurrent separation logic and assume-guarantee reasoning},
+  booktitle = {ESOP},
+  year = 	 {2007},
+}
+
+
+@Article{owicki-gries:ghost-state,
+  author = 	 {Susan Owicki and David Gries},
+  title = 	 {Verifying Properties of Parallel Programs: An Axiomatic Approach},
+  journal = 	 {CACM},
+  year = 	 {1976},
+  volume = 	 {19},
+  number = 	 {5},
+  pages = 	 {279--285},
+}
+
+@InProceedings{cohen+:imr,
+	author = {Cohen, Ernie and Alkassar, Eyad and Boyarinov, Vladimir and Dahlweid, Markus and Degenbaev, Ulan and Hillebrand, Mark and Langenstein, Bruno and Leinenbach, Dirk and Moskal, Micha\l and Obua, Steven and Paul, Wolfgang and Pentchev, Hristo and Petrova, Elena and Santen, Thomas and Schirmer, Norbert and Schmaltz, Sabine and Schulte, Wolfram and Shadrin, Andrey and Tobies, Stephan and Tsyban, Alexandra and Tverdyshev, Sergey},
+  title = 	 {Invariants, Modularity, and Rights},
+  booktitle = {PSI},
+  year = 	 {2009},
+}
+
+@Article{ashcroft:invariants,
+  author = 	 {Edward A. Ashcroft},
+  title = 	 {Proving assertions about parallel programs},
+  journal = 	 {J. Comput. Syst. Sci.},
+  year = 	 {1975},
+  volume = 	 {10},
+  number = 	 {1},
+  pages = 	 {110--135},
+}
+
+@PhdThesis{vafeiadis-thesis,
+  author = 	 {Viktor Vafeiadis},
+  title = 	 {Modular fine-grained concurrency verification},
+  school = 	 {University of Cambridge},
+  year = 	 {2007},
+}
+
+@article{abadi+:speculation,
+  author    = {Mart{\'{\i}}n Abadi and
+               Leslie Lamport},
+  title     = {The Existence of Refinement Mappings},
+  journal   = {TCS},
+  year      = {1991},
+  volume    = {82},
+  number    = {2},
+  pages     = {253--284},
+  url       = {http://dx.doi.org/10.1016/0304-3975(91)90224-P},
+  doi       = {10.1016/0304-3975(91)90224-P},
+  timestamp = {Wed, 29 Oct 2014 20:04:49 +0100},
+  biburl    = {http://dblp.uni-trier.de/rec/bib/journals/tcs/AbadiL91},
+  bibsource = {dblp computer science bibliography, http://dblp.org}
+}
+
+@inproceedings{hocap,
+  author    = {Kasper Svendsen and
+               Lars Birkedal and
+               Matthew J. Parkinson},
+  title     = {Modular Reasoning about Separation of Concurrent Data Structures},
+  booktitle = {{ESOP}},
+  pages     = {169--188},
+  year      = {2013},
+  timestamp = {Mon, 18 Feb 2013 15:03:29 +0100},
+  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/esop/SvendsenBP13},
+  bibsource = {dblp computer science bibliography, http://dblp.org}
+}
+
+@report{catlogic,
+	author    = {Lars Birkedal and Ale\v{s} Bizjak},
+	title     = {A Taste of Categorical Logic --- Tutorial Notes},
+	month = oct,
+	year = {2014},
+	note       = {Available at \url{http://users-cs.au.dk/birke/modures/tutorial/categorical-logic-tutorial-notes.pdf}}
+}
+
diff --git a/docs/iris/algebra.tex b/docs/iris/algebra.tex
new file mode 100644
index 0000000000000000000000000000000000000000..6d8717504f5794c355409c1f63a02adea3ccdf03
--- /dev/null
+++ b/docs/iris/algebra.tex
@@ -0,0 +1 @@
+\section{Algebraic Structures}
diff --git a/docs/iris/bib.bib b/docs/iris/bib.bib
new file mode 120000
index 0000000000000000000000000000000000000000..8b7cbf87be88dfca92040a7222aa88e397178620
--- /dev/null
+++ b/docs/iris/bib.bib
@@ -0,0 +1 @@
+../bib.bib
\ No newline at end of file
diff --git a/docs/iris/constructions.tex b/docs/iris/constructions.tex
new file mode 100644
index 0000000000000000000000000000000000000000..af4e73cdbf7dd95e2ed3097a8712e141ff63a7e0
--- /dev/null
+++ b/docs/iris/constructions.tex
@@ -0,0 +1,381 @@
+% !TEX root = ./appendix.tex
+
+\section{Monoid constructions}
+
+We will use the notation $\mcarp{M} \eqdef |M| \setminus \{\mzero_M\}$ for the carrier of monoid $M$ without zero. When we define a carrier, a zero element is always implicitly added (we do not explicitly give it), and all cases of multiplication that are not defined (including those involving a zero element) go to that element.
+
+To disambiguate which monoid an element is part of, we use the notation $a : M$ to denote an $a$ s.t.\ $a \in |M|$.
+
+When defining a monoid, we will show some \emph{frame-preserving updates} $\melt \mupd \meltsB$ that it supports.
+Remember that
+\[
+	\melt \mupd \meltsB \eqdef \always\All \melt_f. \melt \sep \melt_f \Ra \Exists \meltB \in \meltsB. \meltB \sep \melt_f.
+\]
+The rule \ruleref{FpUpd} (and, later, \ruleref{GhostUpd}) allows us to use such updates in Hoare proofs.
+The following principles generally hold for frame-preserving updates.
+\begin{mathpar}
+	\infer{
+		\melt \mupd \meltsB
+	}{
+		\melt \mupd \meltsB \cup \meltsB'
+	}
+	\and
+	\infer{
+		\melt \mupd \meltsB
+	}{
+		\melt \mtimes \melt_f \mupd \{ \meltB \mtimes \melt_f \mid \meltB \in \meltsB \}
+	}
+\end{mathpar}
+
+Some of our constructions require or preserve \emph{cancellativity}:
+\[
+	\text{$\monoid$ cancellative} \eqdef
+	\All \melt_f, \melt, \meltB \in \mcar{\monoid}. \melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero \Ra \melt = \meltB
+\]
+
+
+\subsection{Exclusive monoid}
+
+Given a set $X$, we define a monoid such that at most one $x \in X$ can be owned.
+Let $\exm{X}$ be the monoid with carrier $X \uplus \{ \munit \}$ and multiplication
+\[
+\melt \cdot \meltB \;\eqdef\;
+\begin{cases}
+  \melt & \mbox{if } \meltB = \munit \\
+  \meltB & \mbox{if } \melt = \munit
+\end{cases}
+\]
+
+The frame-preserving update
+\begin{mathpar}
+\inferH{ExUpd}
+  {x \in X}
+  {x \mupd \melt}
+\end{mathpar}
+is easily shown, as the only possible frame for $x$ is $\munit$.
+
+Exclusive monoids are cancellative.
+\begin{proof}[Proof of cancellativity]
+If $\melt_f = \munit$, then the statement is trivial.
+If $\melt_f \neq \munit$, then we must have $\melt = \meltB = \munit$, as otherwise one of the two products would be $\mzero$.
+\end{proof}
+
+\subsection{Agreement monoid}
+
+Given a set $X$, we define a monoid such that everybody agrees on which $x \in X$ has been chosen.
+Let $\agm{X}$ be the monoid with carrier $X \uplus \{ \munit \}$ and multiplication
+\[
+\melt \cdot \meltB \;\eqdef\;
+\begin{cases}
+\melt & \mbox{if } \meltB = \munit \lor \melt = \meltB \\
+\meltB & \mbox{if } \melt = \munit
+\end{cases}
+\]
+
+Agreement monoids are cancellative.
+\begin{proof}[Proof of cancellativity]
+	If $\melt_f = \munit$, then the statement is trivial.
+	If $\melt_f \neq \munit$, then if $\melt = \munit$, we must have $\meltB = \munit$ and we are done.
+	Similar so for $\meltB = \munit$.
+	So let $\melt \neq \munit \neq \meltB$ and $\melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero$.
+	It follows immediately that $\melt = \melt_f = \meltB$.
+\end{proof}
+
+\subsection{Finite Powerset Monoid}
+
+Given an infinite set $X$, we define a monoid $\textmon{PowFin}$ with carrier $\mathcal{P}^{\textrm{fin}}(X)$ as follows:
+\[
+\melt \cdot \meltB \;\eqdef\; \melt \cup \meltB \quad \mbox{if } \melt \cap \meltB = \emptyset
+\]
+
+We obtain:
+\begin{mathpar}
+	\inferH{PowFinUpd}{}
+		{\emptyset \mupd \{ \{x\} \mid x \in X  \}}
+\end{mathpar}
+
+\begin{proof}[Proof of \ruleref{PowFinUpd}]
+	Assume some frame $\melt_f \sep \emptyset$. Since $\melt_f$ is finite and $X$ is infinite, there exists an $x \notin \melt_f$.
+	Pick that for the result.
+\end{proof}
+
+The powerset monoids is cancellative.
+\begin{proof}[Proof of cancellativity]
+	Let $\melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero$.
+	So we have $\melt_f \sep \melt$ and $\melt_f \sep \meltB$, and we have to show $\melt = \meltB$.
+	Assume $x \in \melt$. Hence $x \in \melt_f \mtimes \melt$ and thus $x \in \melt_f \mtimes \meltB$.
+	By disjointness, $x \notin \melt_f$ and hence $x \in meltB$.
+	The other direction works the same way.
+\end{proof}
+
+\subsection{Product monoid}
+\label{sec:prodm}
+
+Given a family $(M_i)_{i \in I}$ of monoids ($I$ countable), we construct a product monoid.
+Let $\prod_{i \in I} M_i$ be the monoid with carrier $\prod_{i \in I} \mcarp{M_i}$ and point-wise multiplication, non-zero when \emph{all} individual multiplications are non-zero.
+For $f \in \prod_{i \in I} \mcarp{M_i}$, we write $f[i \mapsto a]$ for the disjoint union $f \uplus [i \mapsto a]$.
+
+Frame-preserving updates on the $M_i$ lift to the product:
+\begin{mathpar}
+  \inferH{ProdUpd}
+  {a \mupd_{M_i} B}
+  {f[i \mapsto a] \mupd \{ f[i \mapsto b] \mid b \in B\}}
+\end{mathpar}
+\begin{proof}[Proof of \ruleref{ProdUpd}]
+Assume some frame $g$ and let $c \eqdef g(i)$.
+Since $f[i \mapsto a] \sep g$, we get $f \sep g$ and $a \sep_{M_i} c$.
+Thus there exists $b \in B$ such that $b \sep_{M_i} c$.
+It suffices to show $f[i \mapsto b] \sep g$.
+Since multiplication is defined pointwise, this is the case if all components are compatible.
+For $i$, we know this from $b \sep_{M_i} c$.
+For all the other components, from $f \sep g$.
+\end{proof}
+
+If every $M_i$ is cancellative, then so is $\prod_{i \in I} M_i$.
+\begin{proof}[Proof of cancellativity]
+Let $\melt, \meltB, \melt_f \in \prod_{i \in I} \mcarp{M_i}$, and assume $\melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero$.
+By the definition of multiplication, this means that for all $i \in I$ we have $\melt_f(i) \mtimes \melt(i) = \melt_f(i) \mtimes \meltB(i) \neq \mzero_{M_i}$.
+As all base monoids are cancellative, we obtain $\forall i \in I.\; \melt(i) = \meltB(i)$ from which we immediately get $\melt = \meltB$.
+\end{proof}
+
+\subsection{Fractional monoid}
+\label{sec:fracm}
+
+Given a monoid $M$, we define a monoid representing fractional ownership of some piece $\melt \in M$.
+The idea is to preserve all the frame-preserving update that $M$ could have, while additionally being able to do \emph{any} update if we own the full state (as determined by the fraction being $1$).
+Let $\fracm{M}$ be the monoid with carrier $(((0, 1] \cap \mathbb{Q}) \times M) \uplus \{\munit\}$ and multiplication
+\begin{align*}
+ (q, a) \mtimes (q', a') &\eqdef (q + q', a \mtimes a') \qquad \mbox{if $q+q'\le 1$} \\
+ (q, a) \mtimes \munit &\eqdef (q,a) \\
+ \munit \mtimes (q,a) &\eqdef (q,a).
+\end{align*}
+
+We get the following frame-preserving update.
+\begin{mathpar}
+	\inferH{FracUpdFull}
+		{a, b \in M}
+		{(1, a) \mupd (1, b)}
+  \and\inferH{FracUpdLocal}
+	  {a \mupd_M B}
+	  {(q, a) \mupd \{q\} \times B}
+\end{mathpar}
+
+\begin{proof}[Proof of \ruleref{FracUpdFull}]
+Assume some $f \sep (1, a)$. This can only be $f = \munit$, so showing $f \sep (1, b)$ is trivial.
+\end{proof}
+
+\begin{proof}[Proof of \ruleref{FracUpdLocal}]
+	Assume some $f \sep (q, a)$. If $f = \munit$, then $f \sep (q, b)$ is trivial for any $b \in B$. Just pick the one we obtain by choosing $\munit_M$ as the frame for $a$.
+	
+	In the interesting case, we have $f = (q_f, a_f)$.
+	Obtain $b$ such that $b \in B \land b \sep a_f$.
+	Then $(q, b) \sep f$, and we are done.
+\end{proof}
+
+$\fracm{M}$ is cancellative if $M$ is cancellative.
+\begin{proof}[Proof of cancellativitiy]
+If $\melt_f = \munit$, we are trivially done.
+So let $\melt_f = (q_f, \melt_f')$.
+If $\melt = \munit$, then $\meltB = \munit$ as otherwise the fractions could not match up.
+Again, we are trivially done.
+Similar so for $\meltB = \munit$.
+So let $\melt = (q_a, \melt')$ and $\meltB = (q_b, \meltB')$.
+We have $(q_f + q_a, \melt_f' \mtimes \melt') = (q_f + q_b, \melt_f' \mtimes \meltB')$.
+We have to show $q_a = q_b$ and $\melt' = \meltB'$.
+The first is trivial, the second follows from cancellativitiy of $M$.
+\end{proof}
+
+\subsection{Finite partial function monoid}
+\label{sec:fpfunm}
+
+Given a countable set $X$ and a monoid $M$, we construct a monoid representing finite partial functions from $X$ to (non-unit, non-zero elements of) $M$.
+Let $\fpfunm{X}{M}$ be the product monoid $\prod_{x \in X} M$, as defined in \secref{sec:prodm} but restricting the carrier to functions $f$ where the set $\dom(f) \eqdef \{ x \mid f(x) \neq \munit_M \}$ is finite.
+This is well-defined as the set of these $f$ contains the unit and is closed under multiplication.
+(We identify finite partial functions from $X$ to $\mcarp{M}\setminus\{\munit_M\}$ and total functions from $X$ to $\mcarp{M}$ with finite $\munit_M$-support.)
+
+We use two frame-preserving updates:
+\begin{mathpar}
+  \inferH{FpFunAlloc}
+  {a \in \mcarp{M}}
+  {f \mupd \{ f[x \mapsto a] \mid x \notin \dom(f) \}}
+  \and
+  \inferH{FpFunUpd}
+  {a \mupd_M B}
+  {f[i \mapsto a] \mupd \{ f[i \mapsto b] \mid b \in B\}}
+\end{mathpar}
+Rule \ruleref{FpFunUpd} simply restates \ruleref{ProdUpd}.
+
+\begin{proof}[Proof of \ruleref{FpFunAlloc}]
+  Assume some $g \sep f$. Since $\dom(f \mtimes g)$ is finite, there will be some undefined element $x \notin \dom(f \mtimes g)$. Let $f' \eqdef f[x \mapsto a]$. This is compatible with $g$, so we are done.
+\end{proof}
+
+We write $[x \mapsto a]$ for the function mapping $x$ to $a$ and everything else in $X$ to $\munit$.
+
+%\subsection{Disposable monoid}
+%
+%Given a monoid $M$, we construct a monoid where, having full ownership of an element $\melt$ of $M$, one can throw it away, transitioning to a dead element.
+%Let \dispm{M} be the monoid with carrier $\mcarp{M} \uplus \{ \disposed \}$ and multiplication
+%% The previous unit must remain the unit of the new monoid, as is is always duplicable and hence we could not transition to \disposed if it were not composable with \disposed
+%\begin{align*}
+%  \melt \mtimes \meltB &\eqdef \melt \mtimes_M \meltB & \IF \melt \sep[M] \meltB \\
+%  \disposed \mtimes \disposed &\eqdef \disposed \\
+%  \munit_M \mtimes \disposed &\eqdef \disposed \mtimes \munit_M \eqdef \disposed
+%\end{align*}
+%The unit is the same as in $M$.
+%
+%The frame-preserving updates are
+%\begin{mathpar}
+% \inferH{DispUpd}
+%   {a \in \mcarp{M} \setminus \{\munit_M\} \and a \mupd_M B}
+%   {a \mupd B}
+% \and
+% \inferH{Dispose}
+%  {a \in \mcarp{M} \setminus \{\munit_M\} \and \All b \in \mcarp{M}. a \sep b \Ra b = \munit_M}
+%  {a \mupd \disposed}
+%\end{mathpar}
+%
+%\begin{proof}[Proof of \ruleref{DispUpd}]
+%Assume a frame $f$. If $f = \disposed$, then $a = \munit_M$, which is a contradiction.
+%Thus $f \in \mcarp{M}$ and we can use $a \mupd_M B$.
+%\end{proof}
+%
+%\begin{proof}[Proof of \ruleref{Dispose}]
+%The second premiss says that $a$ has no non-trivial frame in $M$. To show the update, assume a frame $f$ in $\dispm{M}$. Like above, we get $f \in \mcarp{M}$, and thus $f = \munit_M$. But $\disposed \sep \munit_M$ is trivial, so we are done.
+%\end{proof}
+
+\subsection{Authoritative monoid}\label{sec:auth}
+
+Given a monoid $M$, we construct a monoid modeling someone owning an \emph{authoritative} element $x$ of $M$, and others potentially owning fragments $\melt \le_M x$ of $x$.
+(If $M$ is an exclusive monoid, the construction is very similar to a half-ownership monoid with two asymmetric halves.)
+Let $\auth{M}$ be the monoid with carrier
+\[
+	\SET{ (x, \melt) }{ x \in \mcarp{\exm{\mcarp{M}}} \land \melt \in \mcarp{M} \land (x = \munit_{\exm{\mcarp{M}}} \lor \melt \leq_M x) }
+\]
+and multiplication
+\[
+(x, \melt) \mtimes (y, \meltB) \eqdef
+     (x \mtimes y, \melt \mtimes \meltB) \quad \mbox{if } x \sep y \land \melt \sep \meltB \land (x \mtimes y = \munit_{\exm{\mcarp{M}}} \lor \melt \mtimes \meltB \leq_M x \mtimes y)
+\]
+Note that $(\munit_{\exm{\mcarp{M}}}, \munit_M)$ is the unit and asserts no ownership whatsoever, but $(\munit_{M}, \munit_M)$ asserts that the authoritative element is $\munit_M$.
+
+Let $x, \melt \in \mcarp M$.
+We write $\authfull x$ for full ownership $(x, \munit_M):\auth{M}$ and $\authfrag \melt$ for fragmental ownership $(\munit_{\exm{\mcarp{M}}}, \melt)$ and $\authfull x , \authfrag \melt$ for combined ownership $(x, \melt)$.
+If $x$ or $a$ is $\mzero_{M}$, then the sugar denotes $\mzero_{\auth{M}}$.
+
+\ralf{This needs syncing with the Coq development.}
+The frame-preserving update involves a rather unwieldy side-condition:
+\begin{mathpar}
+	\inferH{AuthUpd}{
+		\All\melt_f\in\mcar{\monoid}. \melt\sep\meltB \land \melt\mtimes\melt_f \le \meltB\mtimes\melt_f \Ra \melt'\mtimes\melt_f \le \melt'\mtimes\meltB \and
+		\melt' \sep \meltB
+	}{
+		\authfull \melt \mtimes \meltB, \authfrag \melt \mupd \authfull \melt' \mtimes \meltB, \authfrag \melt'
+	}
+\end{mathpar}
+We therefore derive two special cases.
+
+\paragraph{Local frame-preserving updates.}
+
+\newcommand\authupd{f}%
+Following~\cite{scsl}, we say that $\authupd: \mcar{M} \ra \mcar{M}$ is \emph{local} if
+\[
+	\All a, b \in \mcar{M}. a \sep b \land \authupd(a) \neq \mzero \Ra \authupd(a \mtimes b) = \authupd(a) \mtimes b
+\]
+Then,
+\begin{mathpar}
+	\inferH{AuthUpdLocal}
+	{\text{$\authupd$ local} \and \authupd(\melt)\sep\meltB}
+	{\authfull \melt \mtimes \meltB, \authfrag \melt \mupd \authfull \authupd(\melt) \mtimes \meltB, \authfrag \authupd(\melt)}
+\end{mathpar}
+
+\paragraph{Frame-preserving updates on cancellative monoids.}
+
+Frame-preserving updates are also possible if we assume $M$ cancellative:
+\begin{mathpar}
+ \inferH{AuthUpdCancel}
+  {\text{$M$ cancellative} \and \melt'\sep\meltB}
+  {\authfull \melt \mtimes \meltB, \authfrag \melt \mupd \authfull \melt' \mtimes \meltB, \authfrag \melt'}
+\end{mathpar}
+
+\subsection{Fractional heap monoid}
+\label{sec:fheapm}
+
+By combining the fractional, finite partial function, and authoritative monoids, we construct two flavors of heaps with fractional permissions and mention their important frame-preserving updates.
+Hereinafter, we assume the set $\textdom{Val}$ of values is countable.
+
+Given a set $Y$, define $\FHeap(Y) \eqdef \fpfunm{\textdom{Val}}{\fracm{Y}}$ representing a fractional heap with codomain $Y$.
+From \S\S\ref{sec:fracm} and~\ref{sec:fpfunm} we obtain the following frame-preserving updates as well as the fact that $\FHeap(Y)$ is cancellative.
+\begin{mathpar}
+	\axiomH{FHeapUpd}{h[x \mapsto (1, y)] \mupd h[x \mapsto (1, y')]} \and
+	\axiomH{FHeapAlloc}{h \mupd \{\, h[x \mapsto (1, y)] \mid x \in \textdom{Val} \,\}}
+\end{mathpar}
+We will write $qh$ with $h : \textsort{Val} \fpfn Y$ for the function in $\FHeap(Y)$ mapping every $x \in \dom(h)$ to $(q, h(x))$, and everything else to $\munit$.
+
+Define $\AFHeap(Y) \eqdef \auth{\FHeap(Y)}$ representing an authoritative fractional heap with codomain $Y$.
+We easily obtain the following frame-preserving updates.
+\begin{mathpar}
+	\axiomH{AFHeapUpd}{
+		(\authfull h[x \mapsto (1, y)], \authfrag [x \mapsto (1, y)]) \mupd (\authfull h[x \mapsto (1, y')], \authfrag [x \mapsto (1, y')])
+	}
+	\and
+	\inferH{AFHeapAdd}{
+		x \notin \dom(h)
+	}{
+		\authfull h \mupd (\authfull h[x \mapsto (q, y)], \authfrag [x \mapsto (q, y)])
+	}
+	\and
+	\axiomH{AFHeapRemove}{
+		(\authfull h[x \mapsto (q, y)], \authfrag [x \mapsto (q, y)]) \mupd \authfull h
+	}
+\end{mathpar}
+
+\subsection{STS with tokens monoid}
+\label{sec:stsmon}
+
+\ralf{This needs syncing with the Coq development.}
+
+Given a state-transition system~(STS) $(\STSS, \ra)$, a set of tokens $\STSS$, and a labeling $\STSL: \STSS \ra \mathcal{P}(\STST)$ of \emph{protocol-owned} tokens for each state, we construct a monoid modeling an authoritative current state and permitting transitions given a \emph{bound} on the current state and a set of \emph{locally-owned} tokens.
+
+The construction follows the idea of STSs as described in CaReSL \cite{caresl}.
+We first lift the transition relation to $\STSS \times \mathcal{P}(\STST)$ (implementing a \emph{law of token conservation}) and define upwards closure:
+\begin{align*}
+ (s, T) \ra (s', T') \eqdef&\, s \ra s' \land \STSL(s) \uplus T = \STSL(s') \uplus T' \\
+ \textsf{frame}(s, T) \eqdef&\, (s, \STST \setminus (\STSL(s) \uplus T)) \\
+ \upclose(S, T) \eqdef&\, \SET{ s' \in \STSS}{\exists s \in S.\; \textsf{frame}(s, T) \ststrans \textsf{frame}(s', T) }
+\end{align*}
+
+\noindent
+We have
+\begin{quote}
+	If $(s, T) \ra (s', T')$\\
+	and $T_f \sep (T \uplus \STSL(s))$,\\
+	then $\textsf{frame}(s, T_f) \ra \textsf{frame}(s', T_f)$.
+\end{quote}
+\begin{proof}
+This follows directly by framing the tokens in $\STST \setminus (T_f \uplus T \uplus \STSL(s))$ around the given transition, which yields $(s, \STST \setminus (T_f \uplus \STSL{T}(s))) \ra (s', T' \uplus (\STST \setminus (T_f \uplus T \uplus \STSL{T}(s))))$.
+This is exactly what we have to show, since we know $\STSL(s) \uplus T = \STSL(s') \uplus T'$.
+\end{proof}
+
+Let $\STSMon{\STSS}$ be the monoid with carrier
+\[
+	\SET{ (s, S, T) \in \exm{\STSS} \times \mathcal{P}(\STSS) \times \mathcal{P}(\STST) }{ \begin{aligned} &(s = \munit \lor s \in S) \land \upclose(S, T) = S   \land{} \\& S \neq \emptyset \land \All s \in S. \STSL(s) \sep T  \end{aligned} }
+\]
+and multiplication
+\[
+	(s, S, T) \mtimes (s', S', T') \eqdef (s'' \eqdef s \mtimes_{\exm{\STSS}} s', S'' \eqdef S \cap S', T'' \eqdef T \cup T') \quad \text{if }\begin{aligned}[t] &(s = \munit \lor s' = \munit) \land T \sep T' \land{} \\& S'' \neq \emptyset \land (s'' \neq \munit \Ra s'' \in S'') \end{aligned}
+\]
+
+Some sugar makes it more convenient to assert being at least in a certain state and owning some tokens: $(s, T) : \STSMon{\STSS} \eqdef (\munit, \upclose(\{s\}, T), T) : \STSMon{\STSS}$, and
+$s : \STSMon{\STSS} \eqdef (s, \emptyset) : \STSMon{\STSS}$.
+
+We will need the following frame-preserving update.
+\begin{mathpar}
+	\inferH{StsStep}{(s, T) \ststrans (s', T')}
+	 {(s, S, T) \mupd (s', \upclose(\{s'\}, T'), T')}
+\end{mathpar}
+\begin{proof}[Proof of \ruleref{StsStep}]
+Assume some upwards-closed $S_f, T_f$ (the frame cannot be authoritative) s.t.\ $s \in S_f$ and $T_f \sep (T \uplus \STSL(s))$. We have to show that this frame combines with our final monoid element, which is the case if $s' \in S_f$ and $T_f \sep T'$.
+By upward-closedness, it suffices to show $\textsf{frame}(s, T_f) \ststrans \textsf{frame}(s', T_f)$.
+This follows by induction on the path $(s, T) \ststrans (s', T')$, and using the lemma proven above for each step.
+\end{proof}
+
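Review bot: In the "STS with tokens monoid" subsection the token set is introduced with the state-set symbol, `a set of tokens $\STSS$`, while the labeling and every later use refer to `\STST`; it should read `a set of tokens $\STST$`. In the cancellativity proof for the finite powerset monoid, `$x \in meltB$` is missing its backslash and should be `$x \in \meltB$`. The framing-lemma proof writes `\STSL{T}(s)` twice where the rest of the section writes `\STSL(s)`; the macro definition is not in this hunk, but if `\STSL` takes no argument this typesets a stray T inside the formula. The two `\ralf{This needs syncing with the Coq development.}` markers sit on AuthUpd and on the STS monoid, so it would help to say in the text that these rules as written have not yet been checked against the mechanized proofs.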
diff --git a/docs/iris/derived.tex b/docs/iris/derived.tex
new file mode 100644
index 0000000000000000000000000000000000000000..10b2cffd51d9dc9647798aed21a46f6f8ec5b358
--- /dev/null
+++ b/docs/iris/derived.tex
@@ -0,0 +1,187 @@
+\section{Derived constructions}
+
+In this section we describe some constructions that we will use throughout the rest of the appendix.
+
+\subsection{Global monoid}
+
+Hereinafter we assume the global monoid (served up as a parameter to Iris) is obtained from a family of monoids $(M_i)_{i \in I}$ by first applying the construction for finite partial functions to each~(\Sref{sec:fpfunm}), and then applying the product construction~(\Sref{sec:prodm}):
+\[ M \eqdef \prod_{i \in I} \fpfunm{\textdom{GhName}}{M_i} \]
+We don't care so much about what concretely $\textdom{GhName}$ is, as long as it is countable and infinite.
+We write $\ownGhost{\gname}{\melt : M_i}$ (or just $\ownGhost{\gname}{\melt}$ if $M_i$ is clear from the context) for $\ownGGhost{[i \mapsto [\gname \mapsto \melt]]}$ when $\melt \in \mcarp {M_i}$, and for $\FALSE$ when $\melt = \mzero_{M_i}$.
+In other words, $\ownGhost{\gname}{\melt : M_i}$ asserts that in the current state of monoid $M_i$, the name $\gname$ is allocated and has at least value $\melt$.
+
+From~\ruleref{FpUpd} and the multiplications and frame-preserving updates in~\Sref{sec:prodm} and~\Sref{sec:fpfunm}, we have the following derived rules.
+\begin{mathpar}
+	\axiomH{NewGhost}{
+		\TRUE \vs \Exists\gname. \ownGhost\gname{\melt : M_i}
+	}
+	\and
+	\inferH{GhostUpd}
+    {\melt \mupd_{M_i} B}
+    {\ownGhost\gname{\melt : M_i} \vs \Exists \meltB\in B. \ownGhost\gname{\meltB : M_i}}
+  \and
+  \axiomH{GhostEq}
+    {\ownGhost\gname{\melt : M_i} * \ownGhost\gname{\meltB : M_i} \Lra \ownGhost\gname{\melt\mtimes\meltB : M_i}}
+
+  \axiomH{GhostUnit}
+    {\TRUE \Ra \ownGhost{\gname}{\munit : M_i}}
+
+  \axiomH{GhostZero}
+    {\ownGhost\gname{\mzero : M_i} \Ra \FALSE}
+
+  \axiomH{GhostTimeless}
+    {\timeless{\ownGhost\gname{\melt : M_i}}}
+\end{mathpar}
+
+\subsection{STSs with interpretation}\label{sec:stsinterp}
+
+Building on \Sref{sec:stsmon}, after constructing the monoid $\STSMon{\STSS}$ for a particular STS, we can use an invariant to tie an interpretation, $\pred : \STSS \to \Prop$, to the STS's current state, recovering CaReSL-style reasoning~\cite{caresl}.
+
+An STS invariant asserts authoritative ownership of an STS's current state and that state's interpretation:
+\begin{align*}
+  \STSInv(\STSS, \pred, \gname) \eqdef{}& \Exists s \in \STSS. \ownGhost{\gname}{(s, \STSS, \emptyset):\STSMon{\STSS}} * \pred(s) \\
+  \STS(\STSS, \pred, \gname, \iname) \eqdef{}& \knowInv{\iname}{\STSInv(\STSS, \pred, \gname)}
+\end{align*}
+
+We can specialize \ruleref{NewInv}, \ruleref{InvOpen}, and \ruleref{InvClose} to STS invariants:
+\begin{mathpar}
+ \inferH{NewSts}
+  {\infinite(\mask)}
+  {\later\pred(s) \vs[\mask] \Exists \iname \in \mask, \gname.   \STS(\STSS, \pred, \gname, \iname) * \ownGhost{\gname}{(s, \STST \setminus \STSL(s)) : \STSMon{\STSS}}}
+ \and
+ \axiomH{StsOpen}
+  {  \STS(\STSS, \pred, \gname, \iname) \vdash \ownGhost{\gname}{(s_0, T) : \STSMon{\STSS}} \vsE[\{\iname\}][\emptyset] \Exists s\in \upclose(\{s_0\}, T). \later\pred(s) * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T):\STSMon{\STSS}}}
+ \and
+ \axiomH{StsClose}
+  {  \STS(\STSS, \pred, \gname, \iname), (s, T) \ststrans (s', T')  \proves \later\pred(s') * \ownGhost{\gname}{(s, S, T):\STSMon{\STSS}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{(s', T') : \STSMon{\STSS}} }
+\end{mathpar}
+\begin{proof}
+\ruleref{NewSts} uses \ruleref{NewGhost} to allocate $\ownGhost{\gname}{(s, \upclose(s, T), T) : \STSMon{\STSS}}$ where $T \eqdef \STST \setminus \STSL(s)$, and \ruleref{NewInv}.
+
+\ruleref{StsOpen} just uses \ruleref{InvOpen} and \ruleref{InvClose} on $\iname$, and the monoid equality $(s, \upclose(\{s_0\}, T), T) = (s, \STSS, \emptyset) \mtimes (\munit, \upclose(\{s_0\}, T), T)$.
+
+\ruleref{StsClose} applies \ruleref{StsStep} and \ruleref{InvClose}.
+\end{proof}
+
+Using these view shifts, we can prove STS variants of the invariant rules \ruleref{Inv} and \ruleref{VSInv}~(compare the former to CaReSL's island update rule~\cite{caresl}):
+\begin{mathpar}
+ \inferH{Sts}
+  {\All s \in \upclose(\{s_0\}, T). \hoare{\later\pred(s) * P}{\expr}{\Ret \val. \Exists s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * Q}[\mask]
+   \and \physatomic{\expr}}
+  {  \STS(\STSS, \pred, \gname, \iname) \vdash \hoare{\ownGhost{\gname}{(s_0, T):\STSMon{\STSS}} * P}{\expr}{\Ret \val. \Exists s', T'. \ownGhost{\gname}{(s', T'):\STSMon{\STSS}} * Q}[\mask \uplus \{\iname\}]}
+ \and
+ \inferH{VSSts}
+  {\forall s \in \upclose(\{s_0\}, T).\; \later\pred(s) * P \vs[\mask_1][\mask_2] \exists s', T'.\; (s, T) \ststrans (s', T') * \later\pred(s') * Q}
+  {  \STS(\STSS, \pred, \gname, \iname) \vdash \ownGhost{\gname}{(s_0, T):\STSMon{\STSS}} * P \vs[\mask_1 \uplus \{\iname\}][\mask_2 \uplus \{\iname\}] \Exists s', T'. \ownGhost{\gname}{(s', T'):\STSMon{\STSS}} * Q}
+\end{mathpar}
+
+\begin{proof}[Proof of \ruleref{Sts}]\label{pf:sts}
+ We have to show
+ \[\hoare{\ownGhost{\gname}{(s_0, T):\STSMon{\STSS}} * P}{\expr}{\Ret \val. \Exists s', T'. \ownGhost{\gname}{(s', T'):\STSMon{\STSS}} * Q}[\mask \uplus \{\iname\}]\]
+ where $\val$, $s'$, $T'$ are free in $Q$.
+ 
+ First, by \ruleref{ACsq} with \ruleref{StsOpen} and \ruleref{StsClose} (after moving $(s, T) \ststrans (s', T')$ into the view shift using \ruleref{VSBoxOut}), it suffices to show
+ \[\hoareV{\Exists s\in \upclose(\{s_0\}, T). \later\pred(s) * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)} * P}{\expr}{\Ret \val. \Exists s, T, S, s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * \ownGhost{\gname}{(s, S, T):\STSMon{\STSS}} * Q(\val, s', T')}[\mask]\]
+
+ Now, use \ruleref{Exist} to move the $s$ from the precondition into the context and use \ruleref{Csq} to (i)~fix the $s$ and $T$ in the postcondition to be the same as in the precondition, and (ii)~fix $S \eqdef \upclose(\{s_0\}, T)$.
+ It remains to show:
+ \[\hoareV{s\in \upclose(\{s_0\}, T) * \later\pred(s) * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)} * P}{\expr}{\Ret \val. \Exists s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)} * Q(\val, s', T')}[\mask]\]
+ 
+ Finally, use \ruleref{BoxOut} to move $s\in \upclose(\{s_0\}, T)$ into the context, and \ruleref{Frame} on $\ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)}$:
+ \[s\in \upclose(\{s_0\}, T) \vdash \hoare{\later\pred(s) * P}{\expr}{\Ret \val. \Exists s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * Q(\val, s', T')}[\mask]\]
+ 
+ This holds by our premise.
+\end{proof}
+
+\begin{proof}[Proof of \ruleref{VSSts}]
+This is similar to above, so we only give the proof in short notation:
+
+\hproof{%
+	Context: $\knowInv\iname{\STSInv(\STSS, \pred, \gname)}$ \\
+	\pline[\mask_1 \uplus \{\iname\}]{
+		\ownGhost\gname{(s_0, T)} * P
+	} \\
+	\pline[\mask_1]{%
+		\Exists s. \later\pred(s) * \ownGhost\gname{(s, S, T)} * P
+	} \qquad by \ruleref{StsOpen} \\
+	Context: $s \in S \eqdef \upclose(\{s_0\}, T)$ \\
+	\pline[\mask_2]{%
+		 \Exists s', T'. \later\pred(s') * Q(s', T') * \ownGhost\gname{(s, S, T)}
+	} \qquad by premiss \\
+	Context: $(s, T) \ststrans (s', T')$ \\
+	\pline[\mask_2 \uplus \{\iname\}]{
+		\ownGhost\gname{(s', T')} * Q(s', T')
+	} \qquad by \ruleref{StsClose}
+}
+\end{proof}
+
+\subsection{Authoritative monoids with interpretation}\label{sec:authinterp}
+
+Building on \Sref{sec:auth}, after constructing the monoid $\auth{M}$ for a cancellative monoid $M$, we can tie an interpretation, $\pred : \mcarp{M} \to \Prop$, to the authoritative element of $M$, recovering reasoning that is close to the sharing rule in~\cite{krishnaswami+:icfp12}.
+
+Let $\pred_\bot$ be the extension of $\pred$ to $\mcar{M}$ with $\pred_\bot(\mzero) = \FALSE$.
+Now define
+\begin{align*}
+  \AuthInv(M, \pred, \gname) \eqdef{}& \exists \melt \in \mcar{M}.\; \ownGhost{\gname}{\authfull \melt:\auth{M}} * \pred_\bot(\melt) \\
+  \Auth(M, \pred, \gname, \iname) \eqdef{}& M~\textlog{cancellative} \land \knowInv{\iname}{\AuthInv(M, \pred, \gname)}
+\end{align*}
+
+The frame-preserving updates for $\auth{M}$ gives rise to the following view shifts:
+\begin{mathpar}
+ \inferH{NewAuth}
+  {\infinite(\mask) \and M~\textlog{cancellative}}
+  {\later\pred_\bot(a) \vs[\mask] \exists \iname \in \mask, \gname.\; \Auth(M, \pred, \gname, \iname) * \ownGhost{\gname}{\authfrag a : \auth{M}}}
+ \and
+ \axiomH{AuthOpen}
+  {\Auth(M, \pred, \gname, \iname) \vdash \ownGhost{\gname}{\authfrag \melt : \auth{M}} \vsE[\{\iname\}][\emptyset] \exists \melt_f.\; \later\pred_\bot(\melt \mtimes \melt_f) * \ownGhost{\gname}{\authfull \melt \mtimes \melt_f, \authfrag a:\auth{M}}}
+ \and
+ \axiomH{AuthClose}
+  {\Auth(M, \pred, \gname, \iname) \vdash \later\pred_\bot(\meltB \mtimes \melt_f) * \ownGhost{\gname}{\authfull a \mtimes \melt_f, \authfrag a:\auth{M}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{\authfrag \meltB : \auth{M}} }
+\end{mathpar}
+
+These view shifts in turn can be used to prove variants of the invariant rules:
+\begin{mathpar}
+ \inferH{Auth}
+  {\forall \melt_f.\; \hoare{\later\pred_\bot(a \mtimes \melt_f) * P}{\expr}{\Ret\val. \exists \meltB.\; \later\pred_\bot(\meltB\mtimes \melt_f) * Q}[\mask]
+   \and \physatomic{\expr}}
+  {\Auth(M, \pred, \gname, \iname) \vdash \hoare{\ownGhost{\gname}{\authfrag a:\auth{M}} * P}{\expr}{\Ret\val. \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q}[\mask \uplus \{\iname\}]}
+ \and
+ \inferH{VSAuth}
+  {\forall \melt_f.\; \later\pred_\bot(a \mtimes \melt_f) * P \vs[\mask_1][\mask_2] \exists \meltB.\; \later\pred_\bot(\meltB \mtimes \melt_f) * Q(\meltB)}
+  {\Auth(M, \pred, \gname, \iname) \vdash
+   \ownGhost{\gname}{\authfrag a:\auth{M}} * P \vs[\mask_1 \uplus \{\iname\}][\mask_2 \uplus \{\iname\}]
+   \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q(\meltB)}
+\end{mathpar}
+
+
+\subsection{Ghost heap}
+\label{sec:ghostheap}%
+
+We define a simple ghost heap with fractional permissions.
+Some modules require a few ghost names per module instance to properly manage ghost state, but would like to expose to clients a single logical name (avoiding clutter).
+In such cases we use these ghost heaps.
+
+We seek to implement the following interface:
+\newcommand{\GRefspecmaps}{\textsf{GMapsTo}}%
+\begin{align*}
+ \exists& {\fgmapsto[]} : \textsort{Val} \times \mathbb{Q}_{>} \times \textsort{Val} \ra \textsort{Prop}.\;\\
+  & \All x, q, v. x \fgmapsto[q] v \Ra x \fgmapsto[q] v \land q \in (0, 1] \\
+  &\forall x, q_1, q_2, v, w.\; x \fgmapsto[q_1] v * x \fgmapsto[q_2] w \Leftrightarrow x \fgmapsto[q_1 + q_2] v * v = w\\
+  & \forall v.\; \TRUE \vs[\emptyset] \exists x.\; x \fgmapsto[1] v \\
+  & \forall x, v, w.\; x \fgmapsto[1] v \vs[\emptyset] x \fgmapsto[1] w
+\end{align*}
+We write $x \fgmapsto v$ for $\exists q.\; x \fgmapsto[q] v$ and $x \gmapsto v$ for $x \fgmapsto[1] v$.
+Note that $x \fgmapsto v$ is duplicable but cannot be boxed (as it depends on resources); \ie we have $x \fgmapsto v \Lra x \fgmapsto v * x \fgmapsto v$ but not $x \fgmapsto v \Ra \always x \fgmapsto v$.
+
+To implement this interface, allocate an instance $\gname_G$ of $\FHeap(\textdom{Val})$ and define
+\[
+	x \fgmapsto[q] v \eqdef
+	  \begin{cases}
+    	\ownGhost{\gname_G}{x \mapsto (q, v)} & \text{if $q \in (0, 1]$} \\
+    	\FALSE & \text{otherwise}
+    \end{cases}
+\]
+The view shifts in the specification follow immediately from \ruleref{GhostUpd} and the frame-preserving updates in~\Sref{sec:fheapm}.
+The first implication is immediate from the definition.
+The second implication follows by case distinction on $q_1 + q_2 \in (0, 1]$.
+
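Review bot: In the proof that follows the NewSts/StsOpen/StsClose rules, `\upclose(s, T)` is applied to a single state, whereas every other use in this file passes a set of states (`\upclose(\{s_0\}, T)`), so the line should read `\upclose(\{s\}, T)`. In AuthOpen the fragment is `\authfrag \melt` in the premise but `\authfrag a` in the conclusion; unless `\melt` expands to `a` (its definition is not in this hunk), the conclusion names an unbound element, and `\authfrag \melt` on both sides avoids depending on the macro. This whole section, including `\label{sec:stsinterp}`, is added a second time in docs/iris/encodings.tex later in the commit; if both files end up in the same document, LaTeX will report the label as multiply defined, so keeping one copy seems safer.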
diff --git a/docs/iris/encodings.tex b/docs/iris/encodings.tex
new file mode 100644
index 0000000000000000000000000000000000000000..06b00d3193eed5131f110ad8b00943e872a91a8a
--- /dev/null
+++ b/docs/iris/encodings.tex
@@ -0,0 +1,568 @@
+% !TEX root = ./appendix.tex
+
+\section{Monoid constructions}
+
+We will use the notation $\mcarp{M} \eqdef |M| \setminus \{\mzero_M\}$ for the carrier of monoid $M$ without zero. When we define a carrier, a zero element is always implicitly added (we do not explicitly give it), and all cases of multiplication that are not defined (including those involving a zero element) go to that element.
+
+To disambiguate which monoid an element is part of, we use the notation $a : M$ to denote an $a$ s.t.\ $a \in |M|$.
+
+When defining a monoid, we will show some \emph{frame-preserving updates} $\melt \mupd \meltsB$ that it supports.
+Remember that
+\[
+	\melt \mupd \meltsB \eqdef \always\All \melt_f. \melt \sep \melt_f \Ra \Exists \meltB \in \meltsB. \meltB \sep \melt_f.
+\]
+The rule \ruleref{FpUpd} (and, later, \ruleref{GhostUpd}) allows us to use such updates in Hoare proofs.
+The following principles generally hold for frame-preserving updates.
+\begin{mathpar}
+	\infer{
+		\melt \mupd \meltsB
+	}{
+		\melt \mupd \meltsB \cup \meltsB'
+	}
+	\and
+	\infer{
+		\melt \mupd \meltsB
+	}{
+		\melt \mtimes \melt_f \mupd \{ \meltB \mtimes \melt_f \mid \meltB \in \meltsB \}
+	}
+\end{mathpar}
+
+Some of our constructions require or preserve \emph{cancellativity}:
+\[
+	\text{$\monoid$ cancellative} \eqdef
+	\All \melt_f, \melt, \meltB \in \mcar{\monoid}. \melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero \Ra \melt = \meltB
+\]
+
+
+\subsection{Exclusive monoid}
+
+Given a set $X$, we define a monoid such that at most one $x \in X$ can be owned.
+Let $\exm{X}$ be the monoid with carrier $X \uplus \{ \munit \}$ and multiplication
+\[
+\melt \cdot \meltB \;\eqdef\;
+\begin{cases}
+  \melt & \mbox{if } \meltB = \munit \\
+  \meltB & \mbox{if } \melt = \munit
+\end{cases}
+\]
+
+The frame-preserving update
+\begin{mathpar}
+\inferH{ExUpd}
+  {x \in X}
+  {x \mupd \melt}
+\end{mathpar}
+is easily shown, as the only possible frame for $x$ is $\munit$.
+
+Exclusive monoids are cancellative.
+\begin{proof}[Proof of cancellativity]
+If $\melt_f = \munit$, then the statement is trivial.
+If $\melt_f \neq \munit$, then we must have $\melt = \meltB = \munit$, as otherwise one of the two products would be $\mzero$.
+\end{proof}
+
+\subsection{Agreement monoid}
+
+Given a set $X$, we define a monoid such that everybody agrees on which $x \in X$ has been chosen.
+Let $\agm{X}$ be the monoid with carrier $X \uplus \{ \munit \}$ and multiplication
+\[
+\melt \cdot \meltB \;\eqdef\;
+\begin{cases}
+\melt & \mbox{if } \meltB = \munit \lor \melt = \meltB \\
+\meltB & \mbox{if } \melt = \munit
+\end{cases}
+\]
+
+Agreement monoids are cancellative.
+\begin{proof}[Proof of cancellativity]
+	If $\melt_f = \munit$, then the statement is trivial.
+	If $\melt_f \neq \munit$, then if $\melt = \munit$, we must have $\meltB = \munit$ and we are done.
+	Similar so for $\meltB = \munit$.
+	So let $\melt \neq \munit \neq \meltB$ and $\melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero$.
+	It follows immediately that $\melt = \melt_f = \meltB$.
+\end{proof}
+
+\subsection{Finite Powerset Monoid}
+
+Given an infinite set $X$, we define a monoid $\textmon{PowFin}$ with carrier $\mathcal{P}^{\textrm{fin}}(X)$ as follows:
+\[
+\melt \cdot \meltB \;\eqdef\; \melt \cup \meltB \quad \mbox{if } \melt \cap \meltB = \emptyset
+\]
+
+We obtain:
+\begin{mathpar}
+	\inferH{PowFinUpd}{}
+		{\emptyset \mupd \{ \{x\} \mid x \in X  \}}
+\end{mathpar}
+
+\begin{proof}[Proof of \ruleref{PowFinUpd}]
+	Assume some frame $\melt_f \sep \emptyset$. Since $\melt_f$ is finite and $X$ is infinite, there exists an $x \notin \melt_f$.
+	Pick that for the result.
+\end{proof}
+
+The powerset monoids is cancellative.
+\begin{proof}[Proof of cancellativity]
+	Let $\melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero$.
+	So we have $\melt_f \sep \melt$ and $\melt_f \sep \meltB$, and we have to show $\melt = \meltB$.
+	Assume $x \in \melt$. Hence $x \in \melt_f \mtimes \melt$ and thus $x \in \melt_f \mtimes \meltB$.
+	By disjointness, $x \notin \melt_f$ and hence $x \in meltB$.
+	The other direction works the same way.
+\end{proof}
+
+\subsection{Product monoid}
+\label{sec:prodm}
+
+Given a family $(M_i)_{i \in I}$ of monoids ($I$ countable), we construct a product monoid.
+Let $\prod_{i \in I} M_i$ be the monoid with carrier $\prod_{i \in I} \mcarp{M_i}$ and point-wise multiplication, non-zero when \emph{all} individual multiplications are non-zero.
+For $f \in \prod_{i \in I} \mcarp{M_i}$, we write $f[i \mapsto a]$ for the disjoint union $f \uplus [i \mapsto a]$.
+
+Frame-preserving updates on the $M_i$ lift to the product:
+\begin{mathpar}
+  \inferH{ProdUpd}
+  {a \mupd_{M_i} B}
+  {f[i \mapsto a] \mupd \{ f[i \mapsto b] \mid b \in B\}}
+\end{mathpar}
+\begin{proof}[Proof of \ruleref{ProdUpd}]
+Assume some frame $g$ and let $c \eqdef g(i)$.
+Since $f[i \mapsto a] \sep g$, we get $f \sep g$ and $a \sep_{M_i} c$.
+Thus there exists $b \in B$ such that $b \sep_{M_i} c$.
+It suffices to show $f[i \mapsto b] \sep g$.
+Since multiplication is defined pointwise, this is the case if all components are compatible.
+For $i$, we know this from $b \sep_{M_i} c$.
+For all the other components, from $f \sep g$.
+\end{proof}
+
+If every $M_i$ is cancellative, then so is $\prod_{i \in I} M_i$.
+\begin{proof}[Proof of cancellativity]
+Let $\melt, \meltB, \melt_f \in \prod_{i \in I} \mcarp{M_i}$, and assume $\melt_f \mtimes \melt = \melt_f \mtimes \meltB \neq \mzero$.
+By the definition of multiplication, this means that for all $i \in I$ we have $\melt_f(i) \mtimes \melt(i) = \melt_f(i) \mtimes \meltB(i) \neq \mzero_{M_i}$.
+As all base monoids are cancellative, we obtain $\forall i \in I.\; \melt(i) = \meltB(i)$ from which we immediately get $\melt = \meltB$.
+\end{proof}
+
+\subsection{Fractional monoid}
+\label{sec:fracm}
+
+Given a monoid $M$, we define a monoid representing fractional ownership of some piece $\melt \in M$.
+The idea is to preserve all the frame-preserving update that $M$ could have, while additionally being able to do \emph{any} update if we own the full state (as determined by the fraction being $1$).
+Let $\fracm{M}$ be the monoid with carrier $(((0, 1] \cap \mathbb{Q}) \times M) \uplus \{\munit\}$ and multiplication
+\begin{align*}
+ (q, a) \mtimes (q', a') &\eqdef (q + q', a \mtimes a') \qquad \mbox{if $q+q'\le 1$} \\
+ (q, a) \mtimes \munit &\eqdef (q,a) \\
+ \munit \mtimes (q,a) &\eqdef (q,a).
+\end{align*}
+
+We get the following frame-preserving update.
+\begin{mathpar}
+	\inferH{FracUpdFull}
+		{a, b \in M}
+		{(1, a) \mupd (1, b)}
+  \and\inferH{FracUpdLocal}
+	  {a \mupd_M B}
+	  {(q, a) \mupd \{q\} \times B}
+\end{mathpar}
+
+\begin{proof}[Proof of \ruleref{FracUpdFull}]
+Assume some $f \sep (1, a)$. This can only be $f = \munit$, so showing $f \sep (1, b)$ is trivial.
+\end{proof}
+
+\begin{proof}[Proof of \ruleref{FracUpdLocal}]
+	Assume some $f \sep (q, a)$. If $f = \munit$, then $f \sep (q, b)$ is trivial for any $b \in B$. Just pick the one we obtain by choosing $\munit_M$ as the frame for $a$.
+	
+	In the interesting case, we have $f = (q_f, a_f)$.
+	Obtain $b$ such that $b \in B \land b \sep a_f$.
+	Then $(q, b) \sep f$, and we are done.
+\end{proof}
+
+$\fracm{M}$ is cancellative if $M$ is cancellative.
+\begin{proof}[Proof of cancellativitiy]
+If $\melt_f = \munit$, we are trivially done.
+So let $\melt_f = (q_f, \melt_f')$.
+If $\melt = \munit$, then $\meltB = \munit$ as otherwise the fractions could not match up.
+Again, we are trivially done.
+Similar so for $\meltB = \munit$.
+So let $\melt = (q_a, \melt')$ and $\meltB = (q_b, \meltB')$.
+We have $(q_f + q_a, \melt_f' \mtimes \melt') = (q_f + q_b, \melt_f' \mtimes \meltB')$.
+We have to show $q_a = q_b$ and $\melt' = \meltB'$.
+The first is trivial, the second follows from cancellativitiy of $M$.
+\end{proof}
+
+\subsection{Finite partial function monoid}
+\label{sec:fpfunm}
+
+Given a countable set $X$ and a monoid $M$, we construct a monoid representing finite partial functions from $X$ to (non-unit, non-zero elements of) $M$.
+Let $\fpfunm{X}{M}$ be the product monoid $\prod_{x \in X} M$, as defined in \secref{sec:prodm} but restricting the carrier to functions $f$ where the set $\dom(f) \eqdef \{ x \mid f(x) \neq \munit_M \}$ is finite.
+This is well-defined as the set of these $f$ contains the unit and is closed under multiplication.
+(We identify finite partial functions from $X$ to $\mcarp{M}\setminus\{\munit_M\}$ and total functions from $X$ to $\mcarp{M}$ with finite $\munit_M$-support.)
+
+We use two frame-preserving updates:
+\begin{mathpar}
+  \inferH{FpFunAlloc}
+  {a \in \mcarp{M}}
+  {f \mupd \{ f[x \mapsto a] \mid x \notin \dom(f) \}}
+  \and
+  \inferH{FpFunUpd}
+  {a \mupd_M B}
+  {f[i \mapsto a] \mupd \{ f[i \mapsto b] \mid b \in B\}}
+\end{mathpar}
+Rule \ruleref{FpFunUpd} simply restates \ruleref{ProdUpd}.
+
+\begin{proof}[Proof of \ruleref{FpFunAlloc}]
+  Assume some $g \sep f$. Since $\dom(f \mtimes g)$ is finite, there will be some undefined element $x \notin \dom(f \mtimes g)$. Let $f' \eqdef f[x \mapsto a]$. This is compatible with $g$, so we are done.
+\end{proof}
+
+We write $[x \mapsto a]$ for the function mapping $x$ to $a$ and everything else in $X$ to $\munit$.
+
+%\subsection{Disposable monoid}
+%
+%Given a monoid $M$, we construct a monoid where, having full ownership of an element $\melt$ of $M$, one can throw it away, transitioning to a dead element.
+%Let \dispm{M} be the monoid with carrier $\mcarp{M} \uplus \{ \disposed \}$ and multiplication
+%% The previous unit must remain the unit of the new monoid, as is is always duplicable and hence we could not transition to \disposed if it were not composable with \disposed
+%\begin{align*}
+%  \melt \mtimes \meltB &\eqdef \melt \mtimes_M \meltB & \IF \melt \sep[M] \meltB \\
+%  \disposed \mtimes \disposed &\eqdef \disposed \\
+%  \munit_M \mtimes \disposed &\eqdef \disposed \mtimes \munit_M \eqdef \disposed
+%\end{align*}
+%The unit is the same as in $M$.
+%
+%The frame-preserving updates are
+%\begin{mathpar}
+% \inferH{DispUpd}
+%   {a \in \mcarp{M} \setminus \{\munit_M\} \and a \mupd_M B}
+%   {a \mupd B}
+% \and
+% \inferH{Dispose}
+%  {a \in \mcarp{M} \setminus \{\munit_M\} \and \All b \in \mcarp{M}. a \sep b \Ra b = \munit_M}
+%  {a \mupd \disposed}
+%\end{mathpar}
+%
+%\begin{proof}[Proof of \ruleref{DispUpd}]
+%Assume a frame $f$. If $f = \disposed$, then $a = \munit_M$, which is a contradiction.
+%Thus $f \in \mcarp{M}$ and we can use $a \mupd_M B$.
+%\end{proof}
+%
+%\begin{proof}[Proof of \ruleref{Dispose}]
+%The second premiss says that $a$ has no non-trivial frame in $M$. To show the update, assume a frame $f$ in $\dispm{M}$. Like above, we get $f \in \mcarp{M}$, and thus $f = \munit_M$. But $\disposed \sep \munit_M$ is trivial, so we are done.
+%\end{proof}
+
+\subsection{Authoritative monoid}\label{sec:auth}
+
+Given a monoid $M$, we construct a monoid modeling someone owning an \emph{authoritative} element $x$ of $M$, and others potentially owning fragments $\melt \le_M x$ of $x$.
+(If $M$ is an exclusive monoid, the construction is very similar to a half-ownership monoid with two asymmetric halves.)
+Let $\auth{M}$ be the monoid with carrier
+\[
+	\SET{ (x, \melt) }{ x \in \mcarp{\exm{\mcarp{M}}} \land \melt \in \mcarp{M} \land (x = \munit_{\exm{\mcarp{M}}} \lor \melt \leq_M x) }
+\]
+and multiplication
+\[
+(x, \melt) \mtimes (y, \meltB) \eqdef
+     (x \mtimes y, \melt \mtimes \meltB) \quad \mbox{if } x \sep y \land \melt \sep \meltB \land (x \mtimes y = \munit_{\exm{\mcarp{M}}} \lor \melt \mtimes \meltB \leq_M x \mtimes y)
+\]
+Note that $(\munit_{\exm{\mcarp{M}}}, \munit_M)$ is the unit and asserts no ownership whatsoever, but $(\munit_{M}, \munit_M)$ asserts that the authoritative element is $\munit_M$.
+
+Let $x, \melt \in \mcarp M$.
+We write $\authfull x$ for full ownership $(x, \munit_M):\auth{M}$ and $\authfrag \melt$ for fragmental ownership $(\munit_{\exm{\mcarp{M}}}, \melt)$ and $\authfull x , \authfrag \melt$ for combined ownership $(x, \melt)$.
+If $x$ or $a$ is $\mzero_{M}$, then the sugar denotes $\mzero_{\auth{M}}$.
+
+\ralf{This needs syncing with the Coq development.}
+The frame-preserving update involves a rather unwieldy side-condition:
+\begin{mathpar}
+	\inferH{AuthUpd}{
+		\All\melt_f\in\mcar{\monoid}. \melt\sep\meltB \land \melt\mtimes\melt_f \le \meltB\mtimes\melt_f \Ra \melt'\mtimes\melt_f \le \melt'\mtimes\meltB \and
+		\melt' \sep \meltB
+	}{
+		\authfull \melt \mtimes \meltB, \authfrag \melt \mupd \authfull \melt' \mtimes \meltB, \authfrag \melt'
+	}
+\end{mathpar}
+We therefore derive two special cases.
+
+\paragraph{Local frame-preserving updates.}
+
+\newcommand\authupd{f}%
+Following~\cite{scsl}, we say that $\authupd: \mcar{M} \ra \mcar{M}$ is \emph{local} if
+\[
+	\All a, b \in \mcar{M}. a \sep b \land \authupd(a) \neq \mzero \Ra \authupd(a \mtimes b) = \authupd(a) \mtimes b
+\]
+Then,
+\begin{mathpar}
+	\inferH{AuthUpdLocal}
+	{\text{$\authupd$ local} \and \authupd(\melt)\sep\meltB}
+	{\authfull \melt \mtimes \meltB, \authfrag \melt \mupd \authfull \authupd(\melt) \mtimes \meltB, \authfrag \authupd(\melt)}
+\end{mathpar}
+
+\paragraph{Frame-preserving updates on cancellative monoids.}
+
+Frame-preserving updates are also possible if we assume $M$ cancellative:
+\begin{mathpar}
+ \inferH{AuthUpdCancel}
+  {\text{$M$ cancellative} \and \melt'\sep\meltB}
+  {\authfull \melt \mtimes \meltB, \authfrag \melt \mupd \authfull \melt' \mtimes \meltB, \authfrag \melt'}
+\end{mathpar}
+
+\subsection{Fractional heap monoid}
+\label{sec:fheapm}
+
+By combining the fractional, finite partial function, and authoritative monoids, we construct two flavors of heaps with fractional permissions and mention their important frame-preserving updates.
+Hereinafter, we assume the set $\textdom{Val}$ of values is countable.
+
+Given a set $Y$, define $\FHeap(Y) \eqdef \fpfunm{\textdom{Val}}{\fracm{Y}}$ representing a fractional heap with codomain $Y$.
+From \S\S\ref{sec:fracm} and~\ref{sec:fpfunm} we obtain the following frame-preserving updates as well as the fact that $\FHeap(Y)$ is cancellative.
+\begin{mathpar}
+	\axiomH{FHeapUpd}{h[x \mapsto (1, y)] \mupd h[x \mapsto (1, y')]} \and
+	\axiomH{FHeapAlloc}{h \mupd \{\, h[x \mapsto (1, y)] \mid x \in \textdom{Val} \,\}}
+\end{mathpar}
+We will write $qh$ with $h : \textsort{Val} \fpfn Y$ for the function in $\FHeap(Y)$ mapping every $x \in \dom(h)$ to $(q, h(x))$, and everything else to $\munit$.
+
+Define $\AFHeap(Y) \eqdef \auth{\FHeap(Y)}$ representing an authoritative fractional heap with codomain $Y$.
+We easily obtain the following frame-preserving updates.
+\begin{mathpar}
+	\axiomH{AFHeapUpd}{
+		(\authfull h[x \mapsto (1, y)], \authfrag [x \mapsto (1, y)]) \mupd (\authfull h[x \mapsto (1, y')], \authfrag [x \mapsto (1, y')])
+	}
+	\and
+	\inferH{AFHeapAdd}{
+		x \notin \dom(h)
+	}{
+		\authfull h \mupd (\authfull h[x \mapsto (q, y)], \authfrag [x \mapsto (q, y)])
+	}
+	\and
+	\axiomH{AFHeapRemove}{
+		(\authfull h[x \mapsto (q, y)], \authfrag [x \mapsto (q, y)]) \mupd \authfull h
+	}
+\end{mathpar}
+
+\subsection{STS with tokens monoid}
+\label{sec:stsmon}
+
+\ralf{This needs syncing with the Coq development.}
+
+Given a state-transition system~(STS) $(\STSS, \ra)$, a set of tokens $\STSS$, and a labeling $\STSL: \STSS \ra \mathcal{P}(\STST)$ of \emph{protocol-owned} tokens for each state, we construct a monoid modeling an authoritative current state and permitting transitions given a \emph{bound} on the current state and a set of \emph{locally-owned} tokens.
+
+The construction follows the idea of STSs as described in CaReSL \cite{caresl}.
+We first lift the transition relation to $\STSS \times \mathcal{P}(\STST)$ (implementing a \emph{law of token conservation}) and define upwards closure:
+\begin{align*}
+ (s, T) \ra (s', T') \eqdef&\, s \ra s' \land \STSL(s) \uplus T = \STSL(s') \uplus T' \\
+ \textsf{frame}(s, T) \eqdef&\, (s, \STST \setminus (\STSL(s) \uplus T)) \\
+ \upclose(S, T) \eqdef&\, \SET{ s' \in \STSS}{\exists s \in S.\; \textsf{frame}(s, T) \ststrans \textsf{frame}(s', T) }
+\end{align*}
+
+\noindent
+We have
+\begin{quote}
+	If $(s, T) \ra (s', T')$\\
+	and $T_f \sep (T \uplus \STSL(s))$,\\
+	then $\textsf{frame}(s, T_f) \ra \textsf{frame}(s', T_f)$.
+\end{quote}
+\begin{proof}
+This follows directly by framing the tokens in $\STST \setminus (T_f \uplus T \uplus \STSL(s))$ around the given transition, which yields $(s, \STST \setminus (T_f \uplus \STSL{T}(s))) \ra (s', T' \uplus (\STST \setminus (T_f \uplus T \uplus \STSL{T}(s))))$.
+This is exactly what we have to show, since we know $\STSL(s) \uplus T = \STSL(s') \uplus T'$.
+\end{proof}
+
+Let $\STSMon{\STSS}$ be the monoid with carrier
+\[
+	\SET{ (s, S, T) \in \exm{\STSS} \times \mathcal{P}(\STSS) \times \mathcal{P}(\STST) }{ \begin{aligned} &(s = \munit \lor s \in S) \land \upclose(S, T) = S   \land{} \\& S \neq \emptyset \land \All s \in S. \STSL(s) \sep T  \end{aligned} }
+\]
+and multiplication
+\[
+	(s, S, T) \mtimes (s', S', T') \eqdef (s'' \eqdef s \mtimes_{\exm{\STSS}} s', S'' \eqdef S \cap S', T'' \eqdef T \cup T') \quad \text{if }\begin{aligned}[t] &(s = \munit \lor s' = \munit) \land T \sep T' \land{} \\& S'' \neq \emptyset \land (s'' \neq \munit \Ra s'' \in S'') \end{aligned}
+\]
+
+Some sugar makes it more convenient to assert being at least in a certain state and owning some tokens: $(s, T) : \STSMon{\STSS} \eqdef (\munit, \upclose(\{s\}, T), T) : \STSMon{\STSS}$, and
+$s : \STSMon{\STSS} \eqdef (s, \emptyset) : \STSMon{\STSS}$.
+
+We will need the following frame-preserving update.
+\begin{mathpar}
+	\inferH{StsStep}{(s, T) \ststrans (s', T')}
+	 {(s, S, T) \mupd (s', \upclose(\{s'\}, T'), T')}
+\end{mathpar}
+\begin{proof}[Proof of \ruleref{StsStep}]
+Assume some upwards-closed $S_f, T_f$ (the frame cannot be authoritative) s.t.\ $s \in S_f$ and $T_f \sep (T \uplus \STSL(s))$. We have to show that this frame combines with our final monoid element, which is the case if $s' \in S_f$ and $T_f \sep T'$.
+By upward-closedness, it suffices to show $\textsf{frame}(s, T_f) \ststrans \textsf{frame}(s', T_f)$.
+This follows by induction on the path $(s, T) \ststrans (s', T')$, and using the lemma proven above for each step.
+\end{proof}
+
+\section{Derived constructions}
+
+In this section we describe some constructions that we will use throughout the rest of the appendix.
+
+\subsection{Global monoid}
+
+Hereinafter we assume the global monoid (served up as a parameter to Iris) is obtained from a family of monoids $(M_i)_{i \in I}$ by first applying the construction for finite partial functions to each~(\Sref{sec:fpfunm}), and then applying the product construction~(\Sref{sec:prodm}):
+\[ M \eqdef \prod_{i \in I} \fpfunm{\textdom{GhName}}{M_i} \]
+We don't care so much about what concretely $\textdom{GhName}$ is, as long as it is countable and infinite.
+We write $\ownGhost{\gname}{\melt : M_i}$ (or just $\ownGhost{\gname}{\melt}$ if $M_i$ is clear from the context) for $\ownGGhost{[i \mapsto [\gname \mapsto \melt]]}$ when $\melt \in \mcarp {M_i}$, and for $\FALSE$ when $\melt = \mzero_{M_i}$.
+In other words, $\ownGhost{\gname}{\melt : M_i}$ asserts that in the current state of monoid $M_i$, the name $\gname$ is allocated and has at least value $\melt$.
+
+From~\ruleref{FpUpd} and the multiplications and frame-preserving updates in~\Sref{sec:prodm} and~\Sref{sec:fpfunm}, we have the following derived rules.
+\begin{mathpar}
+	\axiomH{NewGhost}{
+		\TRUE \vs \Exists\gname. \ownGhost\gname{\melt : M_i}
+	}
+	\and
+	\inferH{GhostUpd}
+    {\melt \mupd_{M_i} B}
+    {\ownGhost\gname{\melt : M_i} \vs \Exists \meltB\in B. \ownGhost\gname{\meltB : M_i}}
+  \and
+  \axiomH{GhostEq}
+    {\ownGhost\gname{\melt : M_i} * \ownGhost\gname{\meltB : M_i} \Lra \ownGhost\gname{\melt\mtimes\meltB : M_i}}
+
+  \axiomH{GhostUnit}
+    {\TRUE \Ra \ownGhost{\gname}{\munit : M_i}}
+
+  \axiomH{GhostZero}
+    {\ownGhost\gname{\mzero : M_i} \Ra \FALSE}
+
+  \axiomH{GhostTimeless}
+    {\timeless{\ownGhost\gname{\melt : M_i}}}
+\end{mathpar}
+
+\subsection{STSs with interpretation}\label{sec:stsinterp}
+
+Building on \Sref{sec:stsmon}, after constructing the monoid $\STSMon{\STSS}$ for a particular STS, we can use an invariant to tie an interpretation, $\pred : \STSS \to \Prop$, to the STS's current state, recovering CaReSL-style reasoning~\cite{caresl}.
+
+An STS invariant asserts authoritative ownership of an STS's current state and that state's interpretation:
+\begin{align*}
+  \STSInv(\STSS, \pred, \gname) \eqdef{}& \Exists s \in \STSS. \ownGhost{\gname}{(s, \STSS, \emptyset):\STSMon{\STSS}} * \pred(s) \\
+  \STS(\STSS, \pred, \gname, \iname) \eqdef{}& \knowInv{\iname}{\STSInv(\STSS, \pred, \gname)}
+\end{align*}
+
+We can specialize \ruleref{NewInv}, \ruleref{InvOpen}, and \ruleref{InvClose} to STS invariants:
+\begin{mathpar}
+ \inferH{NewSts}
+  {\infinite(\mask)}
+  {\later\pred(s) \vs[\mask] \Exists \iname \in \mask, \gname.   \STS(\STSS, \pred, \gname, \iname) * \ownGhost{\gname}{(s, \STST \setminus \STSL(s)) : \STSMon{\STSS}}}
+ \and
+ \axiomH{StsOpen}
+  {  \STS(\STSS, \pred, \gname, \iname) \vdash \ownGhost{\gname}{(s_0, T) : \STSMon{\STSS}} \vsE[\{\iname\}][\emptyset] \Exists s\in \upclose(\{s_0\}, T). \later\pred(s) * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T):\STSMon{\STSS}}}
+ \and
+ \axiomH{StsClose}
+  {  \STS(\STSS, \pred, \gname, \iname), (s, T) \ststrans (s', T')  \proves \later\pred(s') * \ownGhost{\gname}{(s, S, T):\STSMon{\STSS}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{(s', T') : \STSMon{\STSS}} }
+\end{mathpar}
+\begin{proof}
+\ruleref{NewSts} uses \ruleref{NewGhost} to allocate $\ownGhost{\gname}{(s, \upclose(s, T), T) : \STSMon{\STSS}}$ where $T \eqdef \STST \setminus \STSL(s)$, and \ruleref{NewInv}.
+
+\ruleref{StsOpen} just uses \ruleref{InvOpen} and \ruleref{InvClose} on $\iname$, and the monoid equality $(s, \upclose(\{s_0\}, T), T) = (s, \STSS, \emptyset) \mtimes (\munit, \upclose(\{s_0\}, T), T)$.
+
+\ruleref{StsClose} applies \ruleref{StsStep} and \ruleref{InvClose}.
+\end{proof}
+
+Using these view shifts, we can prove STS variants of the invariant rules \ruleref{Inv} and \ruleref{VSInv}~(compare the former to CaReSL's island update rule~\cite{caresl}):
+\begin{mathpar}
+ \inferH{Sts}
+  {\All s \in \upclose(\{s_0\}, T). \hoare{\later\pred(s) * P}{\expr}{\Ret \val. \Exists s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * Q}[\mask]
+   \and \physatomic{\expr}}
+  {  \STS(\STSS, \pred, \gname, \iname) \vdash \hoare{\ownGhost{\gname}{(s_0, T):\STSMon{\STSS}} * P}{\expr}{\Ret \val. \Exists s', T'. \ownGhost{\gname}{(s', T'):\STSMon{\STSS}} * Q}[\mask \uplus \{\iname\}]}
+ \and
+ \inferH{VSSts}
+  {\forall s \in \upclose(\{s_0\}, T).\; \later\pred(s) * P \vs[\mask_1][\mask_2] \exists s', T'.\; (s, T) \ststrans (s', T') * \later\pred(s') * Q}
+  {  \STS(\STSS, \pred, \gname, \iname) \vdash \ownGhost{\gname}{(s_0, T):\STSMon{\STSS}} * P \vs[\mask_1 \uplus \{\iname\}][\mask_2 \uplus \{\iname\}] \Exists s', T'. \ownGhost{\gname}{(s', T'):\STSMon{\STSS}} * Q}
+\end{mathpar}
+
+\begin{proof}[Proof of \ruleref{Sts}]\label{pf:sts}
+ We have to show
+ \[\hoare{\ownGhost{\gname}{(s_0, T):\STSMon{\STSS}} * P}{\expr}{\Ret \val. \Exists s', T'. \ownGhost{\gname}{(s', T'):\STSMon{\STSS}} * Q}[\mask \uplus \{\iname\}]\]
+ where $\val$, $s'$, $T'$ are free in $Q$.
+ 
+ First, by \ruleref{ACsq} with \ruleref{StsOpen} and \ruleref{StsClose} (after moving $(s, T) \ststrans (s', T')$ into the view shift using \ruleref{VSBoxOut}), it suffices to show
+ \[\hoareV{\Exists s\in \upclose(\{s_0\}, T). \later\pred(s) * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)} * P}{\expr}{\Ret \val. \Exists s, T, S, s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * \ownGhost{\gname}{(s, S, T):\STSMon{\STSS}} * Q(\val, s', T')}[\mask]\]
+
+ Now, use \ruleref{Exist} to move the $s$ from the precondition into the context and use \ruleref{Csq} to (i)~fix the $s$ and $T$ in the postcondition to be the same as in the precondition, and (ii)~fix $S \eqdef \upclose(\{s_0\}, T)$.
+ It remains to show:
+ \[\hoareV{s\in \upclose(\{s_0\}, T) * \later\pred(s) * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)} * P}{\expr}{\Ret \val. \Exists s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * \ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)} * Q(\val, s', T')}[\mask]\]
+ 
+ Finally, use \ruleref{BoxOut} to move $s\in \upclose(\{s_0\}, T)$ into the context, and \ruleref{Frame} on $\ownGhost{\gname}{(s, \upclose(\{s_0\}, T), T)}$:
+ \[s\in \upclose(\{s_0\}, T) \vdash \hoare{\later\pred(s) * P}{\expr}{\Ret \val. \Exists s', T'. (s, T) \ststrans (s', T') * \later\pred(s') * Q(\val, s', T')}[\mask]\]
+ 
+ This holds by our premise.
+\end{proof}
+
+\begin{proof}[Proof of \ruleref{VSSts}]
+This is similar to above, so we only give the proof in short notation:
+
+\hproof{%
+	Context: $\knowInv\iname{\STSInv(\STSS, \pred, \gname)}$ \\
+	\pline[\mask_1 \uplus \{\iname\}]{
+		\ownGhost\gname{(s_0, T)} * P
+	} \\
+	\pline[\mask_1]{%
+		\Exists s. \later\pred(s) * \ownGhost\gname{(s, S, T)} * P
+	} \qquad by \ruleref{StsOpen} \\
+	Context: $s \in S \eqdef \upclose(\{s_0\}, T)$ \\
+	\pline[\mask_2]{%
+		 \Exists s', T'. \later\pred(s') * Q(s', T') * \ownGhost\gname{(s, S, T)}
+	} \qquad by premiss \\
+	Context: $(s, T) \ststrans (s', T')$ \\
+	\pline[\mask_2 \uplus \{\iname\}]{
+		\ownGhost\gname{(s', T')} * Q(s', T')
+	} \qquad by \ruleref{StsClose}
+}
+\end{proof}
+
+\subsection{Authoritative monoids with interpretation}\label{sec:authinterp}
+
+Building on \Sref{sec:auth}, after constructing the monoid $\auth{M}$ for a cancellative monoid $M$, we can tie an interpretation, $\pred : \mcarp{M} \to \Prop$, to the authoritative element of $M$, recovering reasoning that is close to the sharing rule in~\cite{krishnaswami+:icfp12}.
+
+Let $\pred_\bot$ be the extension of $\pred$ to $\mcar{M}$ with $\pred_\bot(\mzero) = \FALSE$.
+Now define
+\begin{align*}
+  \AuthInv(M, \pred, \gname) \eqdef{}& \exists \melt \in \mcar{M}.\; \ownGhost{\gname}{\authfull \melt:\auth{M}} * \pred_\bot(\melt) \\
+  \Auth(M, \pred, \gname, \iname) \eqdef{}& M~\textlog{cancellative} \land \knowInv{\iname}{\AuthInv(M, \pred, \gname)}
+\end{align*}
+
+The frame-preserving updates for $\auth{M}$ gives rise to the following view shifts:
+\begin{mathpar}
+ \inferH{NewAuth}
+  {\infinite(\mask) \and M~\textlog{cancellative}}
+  {\later\pred_\bot(a) \vs[\mask] \exists \iname \in \mask, \gname.\; \Auth(M, \pred, \gname, \iname) * \ownGhost{\gname}{\authfrag a : \auth{M}}}
+ \and
+ \axiomH{AuthOpen}
+  {\Auth(M, \pred, \gname, \iname) \vdash \ownGhost{\gname}{\authfrag \melt : \auth{M}} \vsE[\{\iname\}][\emptyset] \exists \melt_f.\; \later\pred_\bot(\melt \mtimes \melt_f) * \ownGhost{\gname}{\authfull \melt \mtimes \melt_f, \authfrag a:\auth{M}}}
+ \and
+ \axiomH{AuthClose}
+  {\Auth(M, \pred, \gname, \iname) \vdash \later\pred_\bot(\meltB \mtimes \melt_f) * \ownGhost{\gname}{\authfull a \mtimes \melt_f, \authfrag a:\auth{M}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{\authfrag \meltB : \auth{M}} }
+\end{mathpar}
+
+These view shifts in turn can be used to prove variants of the invariant rules:
+\begin{mathpar}
+ \inferH{Auth}
+  {\forall \melt_f.\; \hoare{\later\pred_\bot(a \mtimes \melt_f) * P}{\expr}{\Ret\val. \exists \meltB.\; \later\pred_\bot(\meltB\mtimes \melt_f) * Q}[\mask]
+   \and \physatomic{\expr}}
+  {\Auth(M, \pred, \gname, \iname) \vdash \hoare{\ownGhost{\gname}{\authfrag a:\auth{M}} * P}{\expr}{\Ret\val. \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q}[\mask \uplus \{\iname\}]}
+ \and
+ \inferH{VSAuth}
+  {\forall \melt_f.\; \later\pred_\bot(a \mtimes \melt_f) * P \vs[\mask_1][\mask_2] \exists \meltB.\; \later\pred_\bot(\meltB \mtimes \melt_f) * Q(\meltB)}
+  {\Auth(M, \pred, \gname, \iname) \vdash
+   \ownGhost{\gname}{\authfrag a:\auth{M}} * P \vs[\mask_1 \uplus \{\iname\}][\mask_2 \uplus \{\iname\}]
+   \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q(\meltB)}
+\end{mathpar}
+
+
+\subsection{Ghost heap}
+\label{sec:ghostheap}%
+
+We define a simple ghost heap with fractional permissions.
+Some modules require a few ghost names per module instance to properly manage ghost state, but would like to expose to clients a single logical name (avoiding clutter).
+In such cases (\eg \Sref{sec:mcas}), we use these ghost heaps.
+
+We seek to implement the following interface:
+\newcommand{\GRefspecmaps}{\textsf{GMapsTo}}%
+\begin{align*}
+ \exists& {\fgmapsto[]} : \textsort{Val} \times \mathbb{Q}_{>} \times \textsort{Val} \ra \textsort{Prop}.\;\\
+  & \All x, q, v. x \fgmapsto[q] v \Ra x \fgmapsto[q] v \land q \in (0, 1] \\
+  &\forall x, q_1, q_2, v, w.\; x \fgmapsto[q_1] v * x \fgmapsto[q_2] w \Leftrightarrow x \fgmapsto[q_1 + q_2] v * v = w\\
+  & \forall v.\; \TRUE \vs[\emptyset] \exists x.\; x \fgmapsto[1] v \\
+  & \forall x, v, w.\; x \fgmapsto[1] v \vs[\emptyset] x \fgmapsto[1] w
+\end{align*}
+We write $x \fgmapsto v$ for $\exists q.\; x \fgmapsto[q] v$ and $x \gmapsto v$ for $x \fgmapsto[1] v$.
+Note that $x \fgmapsto v$ is duplicable but cannot be boxed (as it depends on resources); \ie we have $x \fgmapsto v \Lra x \fgmapsto v * x \fgmapsto v$ but not $x \fgmapsto v \Ra \always x \fgmapsto v$.
+
+To implement this interface, allocate an instance $\gname_G$ of $\FHeap(\textdom{Val})$ and define
+\[
+	x \fgmapsto[q] v \eqdef
+	  \begin{cases}
+    	\ownGhost{\gname_G}{x \mapsto (q, v)} & \text{if $q \in (0, 1]$} \\
+    	\FALSE & \text{otherwise}
+    \end{cases}
+\]
+The view shifts in the specification follow immediately from \ruleref{GhostUpd} and the frame-preserving updates in~\Sref{sec:fheapm}.
+The first implication is immediate from the definition.
+The second implication follows by case distinction on $q_1 + q_2 \in (0, 1]$.
+
diff --git a/docs/iris/iris.tex b/docs/iris/iris.tex
new file mode 100644
index 0000000000000000000000000000000000000000..a692d984f1ada584bdbbd2ce3e44d9564371a916
--- /dev/null
+++ b/docs/iris/iris.tex
@@ -0,0 +1,49 @@
+\documentclass[10pt]{article}
+\usepackage{lmodern}
+\usepackage[T1]{fontenc}
+\usepackage[utf8]{inputenc}
+
+\newif\ifslow\slowfalse %\slowtrue
+\ifslow
+	\usepackage[english]{babel}
+	\usepackage[babel=true]{microtype}
+\fi
+\usepackage[top=1in, bottom=1in, left=1.25in, right=1.25in]{geometry}
+
+\usepackage[backend=biber]{biblatex}
+\bibliography{bib}
+
+\input{setup}
+
+\begin{document}
+
+\title{\bfseries The Iris Documentation}
+
+%FIXME any better way to do this?
+\author{%
+ Ralf Jung \\ MPI-SWS \& Saarland University \\ jung@mpi-sws.org \and
+ David Swasey \\ MPI-SWS \\ swasey@mpi-sws.org \andcr
+ Filip Sieczkowski \\ Aarhus University \\ filips@cs.au.dk \and
+ Kasper Svendsen \\ Aarhus University \\ ksvendsen@cs.au.dk \and
+ Aaron Turon \\ Mozilla Research \\ aturon@mozilla.com \andcr
+ Lars Birkedal \\ Aarhus University \\ birkedal@cs.au.dk \and
+ Derek Dreyer \\ MPI-SWS \\ dreyer@mpi-sws.org}
+
+\def\andcr{\end{tabular}\\\begin{tabular}[t]{c}}% see \@maketitle in article.cls and \and in latex.ltx
+\maketitle
+\let\andcr\relax%
+
+\thispagestyle{empty}
+
+%\clearpage
+\tableofcontents
+
+\clearpage\input{algebra}
+\clearpage\input{constructions}
+\clearpage\input{logic}
+\clearpage\input{model}
+\clearpage\input{derived}
+
+\clearpage\printbibliography	% If we want biblatex
+
+\end{document}
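Review bot: `\bibliography{bib}` on the line after `\usepackage[backend=biber]{biblatex}` is biblatex's legacy form; the package documents `\addbibresource{bib.bib}` (extension included) as its replacement. The diff adds the database as docs/bib.bib while this file is docs/iris/iris.tex, so unless a link like the one added for listproc.sty exists outside the visible hunks, the resource may not resolve when building from docs/iris/. The `%FIXME` above `\author` would also be more useful if it said what is being worked around, e.g. `% \andcr splits the author table into rows; it is defined just before \maketitle`.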
diff --git a/docs/iris/listproc.sty b/docs/iris/listproc.sty
new file mode 120000
index 0000000000000000000000000000000000000000..7c5b7f009564ed54ac2302e55e70730bda96e97c
--- /dev/null
+++ b/docs/iris/listproc.sty
@@ -0,0 +1 @@
+../listproc.sty
\ No newline at end of file
diff --git a/docs/iris/logic.tex b/docs/iris/logic.tex
new file mode 100644
index 0000000000000000000000000000000000000000..cf9e26dd662a3aa7c0b3e4ef9cd60d7c8f0617bc
--- /dev/null
+++ b/docs/iris/logic.tex
@@ -0,0 +1,809 @@
+% CONVENTION:
+%	Use \Ra/Lra for the logic and \implies/\iff for the metalogic.
+
+% This short (for now) note lays out a \emph{generic} separation logic which
+% manages sharing through invariants and ownership through (partial commutative)
+% monoids.  The logic is generic in that the actual language it applies to is
+% taken as a parameter, giving in particular the atomic (per-thread) reduction
+% relation.  Over this, we layer concurrency (by giving a semantics to \kw{fork}
+% and lifting to thread pools).  The generic logic provides numerous logical
+% connectives and the semantics of Hoare triples and view shifts, together with a
+% large portion of the proof theory---including, in particular, the structural
+% rules for Hoare logic.  Ultimately, these are proved sound relative to some
+% simple assumptions about the language.  It should be possible, moreover, to give
+% a generic adequacy proof for Hoare triples as applied to the lifted thread-pool
+% semantics.
+
+\section{Parameters to the logic}
+
+\begin{itemize}
+\item A set \textdom{Exp} of \emph{expressions} (metavariable $\expr$) with a
+  subset \textdom{Val} of values ($\val$).  We assume that if $\expr$ is an
+  expression then so is $\fork{\expr}$.  We moreover assume a value
+  \textsf{fRet} (giving the intended return value of a fork), and we assume that
+  \begin{align*}
+   \fork{\expr} &\notin \textdom{Val} \\
+   \fork{\expr_1} = \fork{\expr_2} &\implies \expr_1 = \expr_2
+  \end{align*}
+\item A set $\textdom{Ectx}$ of \emph{evaluation contexts} ($\ectx$) that includes the empty context $[\; ]$,
+  a plugging operation $\ectx[\expr]$ that produces an expression, and context composition $\circ$
+  satisfying the following axioms:
+  \begin{align*}
+   [\; ][ \expr ] &= \expr \\
+   \ectx_1[\ectx_2[\expr]] &= (\ectx_1 \circ \ectx_2) [\expr] \\
+   \ectx_1[\expr] = \ectx_2[\expr] &\implies \ectx_1 = \ectx_2 \\
+   \ectx[\expr_1] = \ectx[\expr_2] &\implies \expr_1 = \expr_2 \\
+   \ectx_1 \circ \ectx_2 = [\; ] &\implies \ectx_1 = \ectx_2 = [\; ] \\
+   \ectx[\expr] \in \textdom{Val} &\implies \ectx = [\;] \\
+   \ectx[\expr] = \fork{\expr'} &\implies \ectx = [\;]
+  \end{align*}
+
+\item A set \textdom{State} of shared machine states (\eg heaps), metavariable $\state$.
+\item An \emph{atomic stepping relation} \[
+  (- \step -) \subseteq (\textdom{State} \times \textdom{Exp}) \times (\textdom{State} \times \textdom{Exp})
+\]
+and notions of an expression to be \emph{reducible} or \emph{stuck}, such that
+\begin{align*}
+  \textlog{reducible}(\expr) &\iff \Exists \state, \expr_2, \state_2. \cfg{\state}{\expr} \step \cfg{\state_2}{\expr_2} \\
+  \textlog{stuck}(\expr) &\iff \All \ectx, \expr'. \expr = \ectx[\expr'] \implies
+   \lnot \textlog{reducible}(\expr')
+\end{align*}
+and the following hold
+\begin{align*}
+&\textlog{stuck}(\fork{\expr})& \\
+ &\textlog{stuck}(\val)&\\
+ &\ectx[\expr] = \ectx'[\expr'] \implies \textlog{reducible}(\expr') \implies
+  \expr \notin \textdom{Val} \implies \Exists \ectx''. \ectx' = \ectx \circ \ectx'' &\mbox{(step-by-value)} \\
+ &\ectx[\expr] = \ectx'[\fork{\expr'}] \implies
+  \expr \notin \textdom{Val} \implies \Exists \ectx''. \ectx' = \ectx \circ \ectx'' &\mbox{(fork-by-value)} \\
+\end{align*}
+
+\item A predicate \textlog{atomic} on expressions satisfying
+  \begin{align*}
+   &\textlog{atomic}(\expr) \implies \textlog{reducible}(\expr) &\\
+   &\textlog{atomic}(\expr) \implies \cfg{\state}{\expr} \step \cfg{\state_2}{\expr_2} \implies \expr_2 \in \textdom{Val} &\mbox{(atomic-step)}
+  \end{align*}
+
+
+\item A commutative monoid with zero, $M$.
+That is, a set $\mcar{M}$ with two distinguished elements $\mzero$ (zero, undefined) and $\munit$ (one, unit) and an operation $\mtimes$ (times, combine) such that
+\begin{align*}
+ \melt \mtimes \meltB &= \meltB \mtimes \melt \\
+ \munit \mtimes \melt &= \melt \\
+ (\melt \mtimes \meltB) \mtimes \meltC &= \melt \mtimes (\meltB \mtimes \meltC) \\
+ \mzero \mtimes \melt &= \mzero \\
+ \mzero &\neq \munit
+\end{align*}
+Let $\mcarp{M} \eqdef |\monoid| \setminus \{\mzero\}$.
+
+\item Arbitrary additional types and terms.
+\end{itemize}
+
+\section{The concurrent language}
+
+\paragraph{Machine syntax}
+\[
+	\tpool \in \textdom{ThreadPool} \eqdef \mathbb{N} \fpfn \textdom{Exp}
+\]
+
+\judgment{Machine reduction} {\cfg{\state}{\tpool} \step
+  \cfg{\state'}{\tpool'}}
+\begin{mathpar}
+\infer
+  {\cfg{\state}{\expr} \step \cfg{\state'}{\expr'}}
+  {\cfg{\state}{\tpool [i \mapsto \ectx[\expr]]} \step
+     \cfg{\state'}{\tpool [i \mapsto \ectx[\expr']]}}
+\and
+\infer
+  {}
+  {\cfg{\state}{\tpool [i \mapsto \ectx[\fork{\expr}]]} \step
+    \cfg{\state}{\tpool [i \mapsto \ectx[\textsf{fRet}]] [j \mapsto \expr]}}
+\end{mathpar}
+
+\section{Syntax}
+
+\subsection{Grammar}\label{sec:grammar}
+
+\paragraph{Signatures.}
+We use a signature to account syntactically for the logic's parameters.
+A \emph{signature} $\SigNat = (\SigType, \SigFn)$ comprises a set
+\[
+	\SigType \supseteq \{ \textsort{Val}, \textsort{Exp}, \textsort{Ectx}, \textsort{State}, \textsort{Monoid}, \textsort{InvName}, \textsort{InvMask}, \Prop \}
+\]
+of base types (or base \emph{sorts}) and a set $\SigFn$ of typed function symbols.
+This means that each function symbol has an associated \emph{arity} comprising a natural number $n$ and an ordered list of $n+1$ base types.
+We write
+\[
+	\sigfn : \type_1, \dots, \type_n \to \type_{n+1} \in \SigFn
+\]
+to express that $\sigfn$ is a function symbol with the indicated arity.
+\dave{Say something not-too-shabby about adequacy: We don't spell out what it means.}
+
+\paragraph{Syntax.}
+Iris syntax is built up from a signature $\SigNat$ and a countably infinite set $\textdom{Var}$ of variables (ranged over by metavariables $x$, $y$, $z$, and $\pvar$):
+\newcommand{\unitterm}{()}%
+\newcommand{\unitsort}{1}%	\unit is bold.
+\begin{align*}
+  \term, \prop, \pred ::={}&
+      x \mid
+      \sigfn(\term_1, \dots, \term_n) \mid
+      \unitterm \mid
+      (\term, \term) \mid
+      \pi_i\; \term \mid
+      \Lam x.\term \mid
+      \term\;\term  \mid
+      \mzero \mid
+      \munit \mid
+      \term \mtimes \term \mid
+\\&
+    \FALSE \mid
+    \TRUE \mid
+    \term =_\sort \term \mid
+    \prop \Ra \prop \mid
+    \prop \land \prop \mid
+    \prop \lor \prop \mid
+    \prop * \prop \mid
+    \prop \wand \prop \mid
+\\&
+    \MU \pvar. \pred  \mid
+    \Exists x:\sort. \prop \mid
+    \All x:\sort. \prop \mid
+\\&
+    \knowInv{\term}{\prop} \mid
+    \ownGGhost{\term} \mid
+    \ownPhys{\term} \mid
+    \always\prop \mid
+    {\later\prop} \mid
+    \pvsA{\prop}{\term}{\term} \mid
+    \dynA{\term}{\pred}{\term} \mid
+    \timeless{\prop}
+\\[0.4em]
+  \sort ::={}&
+      \type \mid
+      \unitsort \mid
+      \sort \times \sort \mid
+      \sort \to \sort
+\end{align*}
+Recursive predicates must be \emph{guarded}: in $\MU \pvar. \pred$, the variable $\pvar$ can only appear under the later $\later$ modality.
+
+\paragraph{Metavariable conventions.}
+We introduce additional metavariables ranging over terms and generally let the choice of metavariable indicate the term's sort:
+\[
+\begin{array}{r|l}
+ \text{metavariable} & \text{sort} \\\hline
+  \term, \termB & \text{arbitrary} \\
+  \val, \valB & \textsort{Val} \\
+  \expr & \textsort{Exp} \\
+  \ectx & \textsort{Ectx} \\
+  \state & \textsort{State} \\
+\end{array}
+\qquad\qquad
+\begin{array}{r|l}
+ \text{metavariable} & \text{sort} \\\hline
+  \iname & \textsort{InvName} \\
+  \mask & \textsort{InvMask} \\
+  \melt, \meltB & \textsort{Monoid} \\
+  \prop, \propB, \propC & \Prop \\
+  \pred, \predB, \predC & \sort\to\Prop \text{ (when $\sort$ is clear from context)} \\
+\end{array}
+\]
+
+\paragraph{Variable conventions.}
+We often abuse notation, using the preceding \emph{term} metavariables to range over (bound) \emph{variables}.
+We omit type annotations in binders, when the type is clear from context.
+
+
+\subsection{Types}\label{sec:types}
+
+Iris terms are simply-typed.
+The judgment $\vctx \proves_\SigNat \wtt{\term}{\sort}$ expresses that, in signature $\SigNat$ and variable context $\vctx$, the term $\term$ has sort $\sort$.
+In giving the rules for this judgment, we omit the signature (which does not change).
+
+A variable context, $\vctx = x_1:\sort_1, \dots, x_n:\sort_n$, declares a list of variables and their sorts.
+In writing $\vctx, x:\sort$, we presuppose that $x$ is not already declared in $\vctx$.
+
+\judgment{Well-typed terms}{\vctx \proves_\SigNat \wtt{\term}{\sort}}
+\begin{mathparpagebreakable}
+%%% variables and function symbols
+	\axiom{x : \sort \proves \wtt{x}{\sort}}
+\and
+	\infer{\vctx \proves \wtt{\term}{\sort}}
+		{\vctx, x:\sort' \proves \wtt{\term}{\sort}}
+\and
+	\infer{\vctx, x:\sort', y:\sort' \proves \wtt{\term}{\sort}}
+		{\vctx, x:\sort' \proves \wtt{\term[x/y]}{\sort}}
+\and
+	\infer{\vctx_1, x:\sort', y:\sort'', \vctx_2 \proves \wtt{\term}{\sort}}
+		{\vctx_1, x:\sort'', y:\sort', \vctx_2 \proves \wtt{\term[y/x,x/y]}{\sort}}
+\and
+	\infer{
+		\vctx \proves \wtt{\term_1}{\type_1} \and
+		\cdots \and
+		\vctx \proves \wtt{\term_n}{\type_n} \and
+		\sigfn : \type_1, \dots, \type_n \to \type_{n+1} \in \SigFn
+	}{
+		\vctx \proves \wtt {\sigfn(\term_1, \dots, \term_n)} {\type_{n+1}}
+	}
+%%% products
+\and
+	\axiom{\vctx \proves \wtt{\unitterm}{\unitsort}}
+\and
+	\infer{\vctx \proves \wtt{\term}{\sort_1} \and \vctx \proves \wtt{\termB}{\sort_2}}
+		{\vctx \proves \wtt{(\term,\termB)}{\sort_1 \times \sort_2}}
+\and
+	\infer{\vctx \proves \wtt{\term}{\sort_1 \times \sort_2} \and i \in \{1, 2\}}
+		{\vctx \proves \wtt{\pi_i\,\term}{\sort_i}}
+%%% functions
+\and
+	\infer{\vctx, x:\sort \proves \wtt{\term}{\sort'}}
+		{\vctx \proves \wtt{\Lam x. \term}{\sort \to \sort'}}
+\and
+	\infer
+	{\vctx \proves \wtt{\term}{\sort \to \sort'} \and \wtt{\termB}{\sort}}
+	{\vctx \proves \wtt{\term\;\termB}{\sort'}}
+%%% monoids
+\and
+	\axiom{\vctx \proves \wtt{\mzero}{\textsort{Monoid}}}
+\and
+	\axiom{\vctx \proves \wtt{\munit}{\textsort{Monoid}}}
+\and
+	\infer{\vctx \proves \wtt{\melt}{\textsort{Monoid}} \and \vctx \proves \wtt{\meltB}{\textsort{Monoid}}}
+		{\vctx \proves \wtt{\melt \mtimes \meltB}{\textsort{Monoid}}}
+%%% props and predicates
+\\
+	\axiom{\vctx \proves \wtt{\FALSE}{\Prop}}
+\and
+	\axiom{\vctx \proves \wtt{\TRUE}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\term}{\sort} \and \vctx \proves \wtt{\termB}{\sort}}
+		{\vctx \proves \wtt{\term =_\sort \termB}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\prop}{\Prop} \and \vctx \proves \wtt{\propB}{\Prop}}
+		{\vctx \proves \wtt{\prop \Ra \propB}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\prop}{\Prop} \and \vctx \proves \wtt{\propB}{\Prop}}
+		{\vctx \proves \wtt{\prop \land \propB}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\prop}{\Prop} \and \vctx \proves \wtt{\propB}{\Prop}}
+		{\vctx \proves \wtt{\prop \lor \propB}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\prop}{\Prop} \and \vctx \proves \wtt{\propB}{\Prop}}
+		{\vctx \proves \wtt{\prop * \propB}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\prop}{\Prop} \and \vctx \proves \wtt{\propB}{\Prop}}
+		{\vctx \proves \wtt{\prop \wand \propB}{\Prop}}
+\and
+	\infer{
+		\vctx, \pvar:\sort\to\Prop \proves \wtt{\pred}{\sort\to\Prop} \and
+		\text{$\pvar$ is guarded in $\pred$}
+	}{
+		\vctx \proves \wtt{\MU \pvar. \pred}{\sort\to\Prop}
+	}
+\and
+	\infer{\vctx, x:\sort \proves \wtt{\prop}{\Prop}}
+		{\vctx \proves \wtt{\Exists x:\sort. \prop}{\Prop}}
+\and
+	\infer{\vctx, x:\sort \proves \wtt{\prop}{\Prop}}
+		{\vctx \proves \wtt{\All x:\sort. \prop}{\Prop}}
+\and
+	\infer{
+		\vctx \proves \wtt{\prop}{\Prop} \and
+		\vctx \proves \wtt{\iname}{\textsort{InvName}}
+	}{
+		\vctx \proves \wtt{\knowInv{\iname}{\prop}}{\Prop}
+	}
+\and
+	\infer{\vctx \proves \wtt{\melt}{\textsort{Monoid}}}
+		{\vctx \proves \wtt{\ownGGhost{\melt}}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\state}{\textsort{State}}}
+		{\vctx \proves \wtt{\ownPhys{\state}}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\prop}{\Prop}}
+		{\vctx \proves \wtt{\always\prop}{\Prop}}
+\and
+	\infer{\vctx \proves \wtt{\prop}{\Prop}}
+		{\vctx \proves \wtt{\later\prop}{\Prop}}
+\and
+	\infer{
+		\vctx \proves \wtt{\prop}{\Prop} \and
+		\vctx \proves \wtt{\mask}{\textsort{InvMask}} \and
+		\vctx \proves \wtt{\mask'}{\textsort{InvMask}}
+	}{
+		\vctx \proves \wtt{\pvsA{\prop}{\mask}{\mask'}}{\Prop}
+	}
+\and
+	\infer{
+		\vctx \proves \wtt{\expr}{\textsort{Exp}} \and
+		\vctx \proves \wtt{\pred}{\textsort{Val} \to \Prop} \and
+		\vctx \proves \wtt{\mask}{\textsort{InvMask}}
+	}{
+		\vctx \proves \wtt{\dynA{\expr}{\pred}{\mask}}{\Prop}
+	}
+\and
+	\infer{
+		\vctx \proves \wtt{\prop}{\Prop}
+	}{
+		\vctx \proves \wtt{\timeless{\prop}}{\Prop}
+	}
+\end{mathparpagebreakable}
+
+
+\section{Base logic}
+
+The judgment $\vctx \mid \pfctx \proves \prop$ says that with free variables $\vctx$, proposition $\prop$ holds whenever all assumptions $\pfctx$ hold.
+We implicitly assume that an arbitrary variable context, $\vctx$, is added to every constituent of the rules.
+Axioms $\prop \Ra \propB$ stand for judgments $\vctx \mid \cdot \proves \prop \Ra \propB$ with no assumptions.
+(Bi-implications are analogous.)
+
+% \subsubsection{Judgments}
+% 
+% Proof rules implicitly assume well-sortedness.  
+
+\subsection{Laws of intuitionistic higher-order logic with guarded recursion over a simply-typed lambda calculus}\label{sec:HOL}
+
+Standard.
+
+Soundness follows from the theorem that ${\cal U}(\any, \textdom{Prop})
+: {\cal U}^\textrm{op} \to \textrm{Poset}$ is a hyperdoctrine. 
+
+\elide{
+\begin{mathpar}
+\inferH{Asm}
+  {\prop \in \pfctx}
+  {\pfctx \proves \prop}
+\and
+\inferH{Eq}
+  {\pfctx \proves \prop(\term) \\ \pfctx \proves \term = \term'}
+  {\pfctx \proves \prop(\term')}
+\and
+\inferH{$\wedge$I}
+  {\pfctx \proves \prop \\ \pfctx \proves \propB}
+  {\pfctx \proves \prop \wedge \propB}
+\and
+\inferH{$\wedge$EL}
+  {\pfctx \proves \prop \wedge \propB}
+  {\pfctx \proves \prop}
+\and
+\inferH{$\wedge$ER}
+  {\pfctx \proves \prop \wedge \propB}
+  {\pfctx \proves \propB}
+\and
+\inferH{$\vee$E}
+  {\pfctx \proves \prop \vee \propB \\
+   \pfctx, \prop \proves \propC \\
+   \pfctx, \propB \proves \propC}
+  {\pfctx \proves \propC}
+\and
+\inferH{$\vee$IL}
+  {\pfctx \proves \prop }
+  {\pfctx \proves \prop \vee \propB}
+\and
+\inferH{$\vee$IR}
+  {\pfctx \proves \propB}
+  {\pfctx \proves \prop \vee \propB}
+\and
+\inferH{$\Ra$I}
+  {\pfctx, \prop \proves \propB}
+  {\pfctx \proves \prop \Ra \propB}
+\and
+\inferH{$\Ra$E}
+  {\pfctx \proves \prop \Ra \propB \\ \pfctx \proves \prop}
+  {\pfctx \proves \propB}
+\and
+\inferH{$\forall_1$I}
+  {\pfctx, x : \sort \proves \prop}
+  {\pfctx \proves \forall x: \sort.\; \prop}
+\and
+\inferH{$\forall_1$E}
+  {\pfctx \proves \forall X \in \sort.\; \prop \\
+   \pfctx \proves \term: \sort}
+  {\pfctx \proves \prop[\term/X]}
+\and
+\inferH{$\exists_1$E}
+  {\pfctx \proves \exists X\in \sort.\; \prop \\
+   \pfctx, X : \sort, \prop \proves \propB}
+  {\pfctx \proves \propB}
+\and
+\inferH{$\exists_1$I}
+  {\pfctx \proves \prop[\term/X] \\
+   \pfctx \proves \term: \sort}
+  {\pfctx \proves \exists X: \sort. \prop}
+\and
+\inferH{$\forall_2$I}
+  {\pfctx, \pvar: \Pred(\sort) \proves \prop}
+  {\pfctx \proves \forall \pvar\in \Pred(\sort).\; \prop}
+\and
+\inferH{$\forall_2$E}
+  {\pfctx \proves \forall \pvar. \prop \\
+   \pfctx \proves \propB: \Prop}
+  {\pfctx \proves \prop[\propB/\pvar]}
+\and
+\inferH{$\exists_2$E}
+  {\pfctx \proves \exists \pvar \in \Pred(\sort).\prop \\
+   \pfctx, \pvar : \Pred(\sort), \prop \proves \propB}
+  {\pfctx \proves \propB}
+\and
+\inferH{$\exists_2$I}
+  {\pfctx \proves \prop[\propB/\pvar] \\
+   \pfctx \proves \propB: \Prop}
+  {\pfctx \proves \exists \pvar. \prop}
+\and
+\inferHB{Elem}
+  {\pfctx \proves \term \in (X \in \sort). \prop}
+  {\pfctx \proves \prop[\term/X]}
+\and
+\inferHB{Elem-$\mu$}
+  {\pfctx \proves \term \in (\mu\pvar \in \Pred(\sort). \pred)}
+  {\pfctx \proves \term \in \pred[\mu\pvar \in \Pred(\sort). \pred/\pvar]}
+\end{mathpar}
+}
+
+\subsection{Axioms from the logic of (affine) bunched implications}
+\begin{mathpar}
+\begin{array}{rMcMl}
+  \prop * \propB &\Lra& \propB * \prop \\
+  (\prop * \propB) * \propC &\Lra& \prop * (\propB * \propC) \\
+  \prop * \propB &\Ra& \prop
+\end{array}
+\and
+\begin{array}{rMcMl}
+  (\prop \vee \propB) * \propC &\Lra& 
+    (\prop * \propC) \vee (\propB * \propC)  \\
+  (\prop \wedge \propB) * \propC &\Ra& 
+    (\prop * \propC) \wedge (\propB * \propC)  \\
+  (\Exists x. \prop) * \propB &\Lra& \Exists x. (\prop * \propB) \\
+  (\All x. \prop) * \propB &\Ra& \All x. (\prop * \propB) 
+\end{array}
+\and
+\infer
+  {\pfctx, \prop_1 \proves \propB_1 \and
+   \pfctx, \prop_2 \proves \propB_2}
+  {\pfctx, \prop_1 * \prop_2 \proves \propB_1 * \propB_2}
+\and
+\infer
+  {\pfctx, \prop * \propB \proves \propC}
+  {\pfctx, \prop \proves \propB \wand \propC}
+\and
+\infer
+  {\pfctx, \prop \proves \propB \wand \propC}
+  {\pfctx, \prop * \propB \proves \propC}
+\end{mathpar}
+
+\subsection{Laws for ghosts and physical resources}
+
+\begin{mathpar}
+\begin{array}{rMcMl}
+\ownGGhost{\melt} * \ownGGhost{\meltB} &\Lra&  \ownGGhost{\melt \mtimes \meltB} \\
+\TRUE &\Ra&  \ownGGhost{\munit}\\
+\ownGGhost{\mzero} &\Ra& \FALSE\\
+\multicolumn{3}{c}{\timeless{\ownGGhost{\melt}}}
+\end{array}
+\and
+\begin{array}{c}
+\ownPhys{\state} * \ownPhys{\state'} \Ra \FALSE \\
+\timeless{\ownPhys{\state}}
+\end{array}
+\end{mathpar}
+
+\subsection{Laws for the later modality}\label{sec:later}
+
+\begin{mathpar}
+\inferH{Mono}
+  {\pfctx \proves \prop}
+  {\pfctx \proves \later{\prop}}
+\and
+\inferhref{L{\"o}b}{Loeb}
+  {\pfctx, \later{\prop} \proves \prop}
+  {\pfctx \proves \prop}
+\and
+\begin{array}[b]{rMcMl}
+  \later{\always{\prop}} &\Lra& \always{\later{\prop}} \\
+  \later{(\prop \wedge \propB)} &\Lra& \later{\prop} \wedge \later{\propB}  \\
+  \later{(\prop \vee \propB)} &\Lra& \later{\prop} \vee \later{\propB} \\
+\end{array}
+\and
+\begin{array}[b]{rMcMl}
+  \later{\All x.\prop} &\Lra& \All x. \later\prop \\
+  \later{\Exists x.\prop} &\Lra& \Exists x. \later\prop \\
+  \later{(\prop * \propB)} &\Lra& \later\prop * \later\propB
+\end{array}
+\end{mathpar}
+
+\subsection{Laws for the always modality}\label{sec:always}
+
+\begin{mathpar}
+\axiomH{Necessity}
+  {\always{\prop} \Ra \prop}
+\and
+\inferhref{$\always$I}{AlwaysIntro}
+  {\always{\pfctx} \proves \prop}
+  {\always{\pfctx} \proves \always{\prop}}
+\and
+\begin{array}[b]{rMcMl}
+  \always(\term =_\sort \termB) &\Lra& \term=_\sort \termB \\
+  \always{\prop} * \propB &\Lra& \always{\prop} \land \propB \\
+  \always{(\prop \Ra \propB)} &\Ra& \always{\prop} \Ra \always{\propB} \\
+\end{array}
+\and
+\begin{array}[b]{rMcMl}
+  \always{(\prop \land \propB)} &\Lra& \always{\prop} \land \always{\propB} \\
+  \always{(\prop \lor \propB)} &\Lra& \always{\prop} \lor \always{\propB} \\
+  \always{\All x. \prop} &\Lra& \All x. \always{\prop} \\
+  \always{\Exists x. \prop} &\Lra& \Exists x. \always{\prop} \\
+\end{array}
+\end{mathpar}
+Note that $\always$ binds more tightly than $*$, $\land$, $\lor$, and $\Ra$.
+
+\section{Program logic}\label{sec:proglog}
+
+Hoare triples and view shifts are syntactic sugar for weakest (liberal) preconditions and primitive view shifts, respectively:
+\[
+\hoare{\prop}{\expr}{\Ret\val.\propB}[\mask] \eqdef \always{(\prop \Ra \dynA{\expr}{\lambda\Ret\val.\propB}{\mask})}
+\qquad\qquad
+\begin{aligned}
+\prop \vs[\mask_1][\mask_2] \propB &\eqdef \always{(\prop \Ra \pvsA{\propB}{\mask_1}{\mask_2})} \\
+\prop \vsE[\mask_1][\mask_2] \propB &\eqdef \prop \vs[\mask_1][\mask_2] \propB \land \propB \vs[\mask2][\mask_1] \prop
+\end{aligned}
+\]
+We write just one mask for a view shift when $\mask_1 = \mask_2$.
+The convention for omitted masks is generous:
+An omitted $\mask$ is $\top$ for Hoare triples and $\emptyset$ for view shifts.
+
+% PDS: We're repeating ourselves. We gave Γ conventions and we're about to give Θ conventions. Also, the scope of "Below" is unclear.
+% Below, we implicitly assume the same context for all judgements which don't have an explicit context at \emph{all} pre-conditions \emph{and} the conclusion.
+
+Henceforward, we implicitly assume a proof context, $\pfctx$, is added to every constituent of the rules.
+Generally, this is an arbitrary proof context.
+We write $\provesalways$ to denote judgments that can only be extended with a boxed proof context.
+
+\ralf{Give the actual base rules from the Coq development instead}
+
+\subsection{Hoare triples}
+\begin{mathpar}
+\inferH{Ret}
+  {}
+  {\hoare{\TRUE}{\valB}{\Ret\val. \val = \valB}[\mask]}
+\and
+\inferH{Bind}
+  {\hoare{\prop}{\expr}{\Ret\val. \propB}[\mask] \\
+   \All \val. \hoare{\propB}{K[\val]}{\Ret\valB.\propC}[\mask]}
+  {\hoare{\prop}{K[\expr]}{\Ret\valB.\propC}[\mask]}
+\and
+\inferH{Csq}
+  {\prop \vs \prop' \\
+    \hoare{\prop'}{\expr}{\Ret\val.\propB'}[\mask] \\   
+   \All \val. \propB' \vs \propB}
+  {\hoare{\prop}{\expr}{\Ret\val.\propB}[\mask]}
+\and
+\inferH{Frame}
+  {\hoare{\prop}{\expr}{\Ret\val. \propB}[\mask]}
+  {\hoare{\prop * \propC}{\expr}{\Ret\val. \propB * \propC}[\mask \uplus \mask']}
+\and
+\inferH{AFrame}
+  {\hoare{\prop}{\expr}{\Ret\val. \propB}[\mask] \and \text{$\expr$ not a value}
+  }
+  {\hoare{\prop * \later\propC}{\expr}{\Ret\val. \propB * \propC}[\mask \uplus \mask']}
+\and
+\inferH{Fork}
+  {\hoare{\prop}{\expr}{\Ret\any. \TRUE}[\top]}
+  {\hoare{\later\prop * \later\propB}{\fork{\expr}}{\Ret\val. \val = \textsf{fRet} \land \propB}[\mask]}
+\and
+\inferH{ACsq}
+  {\prop \vs[\mask \uplus \mask'][\mask] \prop' \\
+    \hoare{\prop'}{\expr}{\Ret\val.\propB'}[\mask] \\   
+   \All\val. \propB' \vs[\mask][\mask \uplus \mask'] \propB \\
+   \physatomic{\expr}
+  }
+  {\hoare{\prop}{\expr}{\Ret\val.\propB}[\mask \uplus \mask']}
+\end{mathpar}
+
+\subsection{View shifts}
+
+\begin{mathpar}
+\inferH{NewInv}
+  {\infinite(\mask)}
+  {\later{\prop} \vs[\mask] \exists \iname\in\mask.\; \knowInv{\iname}{\prop}}
+\and
+\inferH{FpUpd}
+  {\melt \mupd \meltsB}
+  {\ownGGhost{\melt} \vs \exists \meltB \in \meltsB.\; \ownGGhost{\meltB}}
+\and
+\inferH{VSTrans}
+  {\prop \vs[\mask_1][\mask_2] \propB \and \propB \vs[\mask_2][\mask_3] \propC \and \mask_2 \subseteq \mask_1 \cup \mask_3}
+  {\prop \vs[\mask_1][\mask_3] \propC}
+\and
+\inferH{VSImp}
+  {\always{(\prop \Ra \propB)}}
+  {\prop \vs[\emptyset] \propB}
+\and
+\inferH{VSFrame}
+  {\prop \vs[\mask_1][\mask_2] \propB}
+  {\prop * \propC \vs[\mask_1 \uplus \mask'][\mask_2 \uplus \mask'] \propB * \propC}
+\and
+\inferH{VSTimeless}
+  {\timeless{\prop}}
+  {\later \prop \vs \prop}
+\and
+\axiomH{InvOpen}
+  {\knowInv{\iname}{\prop} \proves \TRUE \vs[\{ \iname \} ][\emptyset] \later \prop}
+\and
+\axiomH{InvClose}
+  {\knowInv{\iname}{\prop} \proves \later \prop \vs[\emptyset][\{ \iname \} ] \TRUE }
+\end{mathpar}
+
+\vspace{5pt}
+Note that $\timeless{\prop}$ means that $\prop$ does not depend on the step index.
+Furthermore, $$\melt \mupd \meltsB \eqdef \always{\All \melt_f. \melt \sep \melt_f \Ra \Exists \meltB \in \meltsB. \meltB \sep \melt_f}$$
+
+\subsection{Derived rules}
+
+\paragraph{Derived structural rules.}
+The following are easily derived by unfolding the sugar for Hoare triples and view shifts.
+\begin{mathpar}
+\inferHB{Disj}
+  {\hoare{\prop}{\expr}{\Ret\val.\propC}[\mask] \and \hoare{\propB}{\expr}{\Ret\val.\propC}[\mask]}
+  {\hoare{\prop \lor \propB}{\expr}{\Ret\val.\propC}[\mask]}
+\and
+\inferHB{VSDisj}
+  {\prop \vs[\mask_1][\mask_2] \propC \and \propB \vs[\mask_1][\mask_2] \propC}
+  {\prop \lor \propB \vs[\mask_1][\mask_2] \propC}
+\and
+\inferHB{Exist}
+  {\All \var. \hoare{\prop}{\expr}{\Ret\val.\propB}[\mask]}
+  {\hoare{\Exists \var. \prop}{\expr}{\Ret\val.\propB}[\mask]}
+\and
+\inferHB{VSExist}
+  {\All \var. (\prop \vs[\mask_1][\mask_2] \propB)}
+  {(\Exists \var. \prop) \vs[\mask_1][\mask_2] \propB}
+\and
+\inferHB{BoxOut}
+  {\always\propB \provesalways \hoare{\prop}{\expr}{\Ret\val.\propC}[\mask]}
+  {\hoare{\prop \land \always{\propB}}{\expr}{\Ret\val.\propC}[\mask]}
+\and
+\inferHB{VSBoxOut}
+  {\always\propB \provesalways \prop \vs[\mask_1][\mask_2] \propC}
+  {\prop \land \always{\propB} \vs[\mask_1][\mask_2] \propC}
+ \and
+\inferH{False}
+  {}
+  {\hoare{\FALSE}{\expr}{\Ret \val. \prop}[\mask]}
+\and
+\inferH{VSFalse}
+  {}
+  {\FALSE \vs[\mask_1][\mask_2] \prop }
+\end{mathpar}
+The proofs all follow the same pattern, so we only show two of them in detail.
+\begin{proof}[Proof of \ruleref{Exist}]
+	After unfolding the syntactic sugar for Hoare triples and removing the boxes from premise and conclusion, our goal becomes
+	\[
+		(\Exists \var. \prop(\var)) \Ra \dynA{\expr}{\Lam\val. \propB}{\mask}
+	\]
+	(remember that $\var$ is free in $\prop$) and the premise reads
+	\[
+		\All \var. \prop(\var) \Ra \dynA{\expr}{\Lam\val. \propB}{\mask}.
+	\]
+	Let $\var$ be given and assume $\prop(\var)$.
+	To show $\dynA{\expr}{\Lam\val. \propB}{\mask}$, apply the premise to $\var$ and $\prop(\var)$.
+ 
+	For the other direction, assume
+	\[
+		\hoare{\Exists \var. \prop(\var)}{\expr}{\Ret\val. \propB}[\mask]
+	\]
+	and let $\var$ be given.
+	We have to show $\hoare{\prop(\var)}{\expr}{\Ret\val. \propB}[\mask]$.
+	This trivially follows from \ruleref{Csq} with $\prop(\var) \Ra \Exists \var. \prop(\var)$.
+\end{proof}
+
+\begin{proof}[Proof of \ruleref{BoxOut}]
+  After unfolding the syntactic sugar for Hoare triples, our goal becomes
+  \begin{equation}\label{eq:boxin:goal}
+    \always\pfctx \proves \always\bigl(\prop\land\always \propB \Ra \dynA{\expr}{\Lam\val. \propC}{\mask}\bigr)
+  \end{equation}
+  while our premise reads
+  \begin{equation}\label{eq:boxin:as}
+    \always\pfctx, \always\propB \proves \always(\prop \Ra \dynA{\expr}{\Lam\val. \propC}{\mask})
+  \end{equation}
+  By the introduction rules for $\always$ and implication, it suffices to show
+  \[  (\always\pfctx), \prop,\always \propB \proves \dynA{\expr}{\Lam\val. \propC}{\mask} \]
+  By modus ponens and \ruleref{Necessity}, it suffices to show~\eqref{eq:boxin:as}, which is exactly our assumption.
+  
+  For the other direction, assume~\eqref{eq:boxin:goal}. We have to show~\eqref{eq:boxin:as}. By \ruleref{AlwaysIntro} and implication introduction, it suffices to show
+  \[  (\always\pfctx), \prop,\always \propB \proves \dynA{\expr}{\Lam\val. \propC}{\mask} \]
+  which easily follows from~\eqref{eq:boxin:goal}.
+\end{proof}
+
+\paragraph{Derived rules for invariants.}
+Invariants can be opened around atomic expressions and view shifts.
+
+\begin{mathpar}
+\inferH{Inv}
+  {\hoare{\later{\propC} * \prop }
+          {\expr}
+          {\Ret\val. \later{\propC} * \propB }[\mask]
+          \and \physatomic{\expr}
+  }
+  {\knowInv{\iname}{\propC} \proves \hoare{\prop}
+          {\expr}
+          {\Ret\val. \propB}[\mask \uplus \{ \iname \}]
+  }
+\and
+\inferH{VSInv}
+  {\later{\prop} * \propB \vs[\mask_1][\mask_2] \later{\prop} * \propC}
+  {\knowInv{\iname}{\prop} \proves \propB \vs[\mask_1 \uplus \{ \iname \}][\mask_2 \uplus \{ \iname \}] \propC}
+\end{mathpar}
+
+\begin{proof}[Proof of \ruleref{Inv}]
+  Use \ruleref{ACsq} with $\mask_1 \eqdef \mask \cup \{\iname\}$, $\mask_2 \eqdef \mask$.
+  The view shifts are obtained by \ruleref{InvOpen} and \ruleref{InvClose} with framing of $\mask$ and $\prop$ or $\propB$, respectively.
+\end{proof}
+
+\begin{proof}[Proof of \ruleref{VSInv}]
+Analogous to the proof of \ruleref{Inv}, using \ruleref{VSTrans} instead of \ruleref{ACsq}.
+\end{proof}
+
+\subsubsection{Unsound rules}
+
+Some rule suggestions (or rather, wishes) keep coming up, which are unsound. We collect them here.
+\begin{mathpar}
+	\infer
+	{P \vs Q}
+	{\later P \vs \later Q}
+	\and
+	\infer
+	{\later(P \vs Q)}
+	{\later P \vs \later Q}
+\end{mathpar}
+
+Of course, the second rule implies the first, so let's focus on that.
+Since implications work under $\later$, from $\later P$ we can get $\later \pvs{Q}$.
+If we now try to prove $\pvs{\later Q}$, we will be unable to establish world satisfaction in the new world:
+We have no choice but to use $\later \pvs{Q}$ at one step index below what we are operating on (because we have it under a $\later$).
+We can easily get world satisfaction for that lower step-index (by downwards-closedness of step-indexed predicates).
+We can, however, not make much use of the world satisfaction that we get out, becaase it is one step-index too low.
+
+\subsection{Adequacy}
+
+The adequacy statement reads as follows:
+\begin{align*}
+ &\All \mask, \expr, \val, \pred, i, \state, \state', \tpool'.
+ \\&( \proves \hoare{\ownPhys\state}{\expr}{x.\; \pred(x)}[\mask]) \implies
+ \\&\cfg{\state}{[i \mapsto \expr]} \step^\ast
+     \cfg{\state'}{[i \mapsto \val] \uplus \tpool'} \implies
+     \\&\pred(\val)
+\end{align*}
+where $\pred$ can mention neither resources nor invariants.
+
+\subsection{Axiom lifting}\label{sec:lifting}
+
+The following lemmas help in proving axioms for a particular language.
+The first applies to expressions with side-effects, and the second to side-effect-free expressions.
+\dave{Update the others, and the example, wrt the new treatment of $\predB$.}
+\begin{align*}
+ &\All \expr, \state, \pred, \prop, \propB, \mask. \\
+ &\textlog{reducible}(e) \implies \\
+ &(\All \expr', \state'. \cfg{\state}{\expr} \step \cfg{\state'}{\expr'} \implies \pred(\expr', \state')) \implies \\
+ &{} \proves \bigl( (\All \expr', \state'. \pred (\expr', \state') \Ra \hoare{\prop}{\expr'}{\Ret\val. \propB}[\mask]) \Ra \hoare{ \later \prop * \ownPhys{\state} }{\expr}{\Ret\val. \propB}[\mask] \bigr) \\
+ \quad\\
+ &\All \expr, \pred, \prop, \propB, \mask. \\
+ &\textlog{reducible}(e) \implies \\
+ &(\All \state, \expr_2, \state_2. \cfg{\state}{\expr} \step \cfg{\state_2}{\expr_2} \implies \state_2 = \state \land \pred(\expr_2)) \implies \\
+ &{} \proves \bigl( (\All \expr'. \pred(\expr') \Ra \hoare{\prop}{\expr'}{\Ret\val. \propB}[\mask]) \Ra \hoare{\later\prop}{\expr}{\Ret\val. \propB}[\mask] \bigr)
+\end{align*}
+Note that $\pred$ is a meta-logic predicate---it does not depend on any world or resources being owned.
+
+The following specializations cover all cases of a heap-manipulating lambda calculus like $F_{\mu!}$.
+\begin{align*}
+ &\All \expr, \expr', \prop, \propB, \mask. \\
+ &\textlog{reducible}(e) \implies \\
+ &(\All \state, \expr_2, \state_2. \cfg{\state}{\expr} \step \cfg{\state_2}{\expr_2} \implies \state_2 = \state \land \expr_2 = \expr') \implies \\
+ &{} \proves (\hoare{\prop}{\expr'}{\Ret\val. \propB}[\mask] \Ra \hoare{\later\prop}{\expr}{\Ret\val. \propB}[\mask] ) \\
+ \quad \\
+ &\All \expr, \state, \pred, \mask. \\
+ &\textlog{atomic}(e) \implies \\
+ &\bigl(\All \expr_2, \state_2. \cfg{\state}{\expr} \step \cfg{\state_2}{\expr_2} \implies \pred(\expr_2, \state_2)\bigr) \implies \\
+ &{} \proves (\hoare{ \ownPhys{\state} }{\expr}{\Ret\val. \Exists\state'. \ownPhys{\state'} \land \pred(\val, \state') }[\mask] )
+\end{align*}
+The first is restricted to deterministic pure reductions, like $\beta$-reduction.
+The second is suited to proving triples for (possibly non-deterministic) atomic expressions; for example, with $\expr \eqdef \;!\ell$ (dereferencing $\ell$) and $\state \eqdef h \mtimes \ell \mapsto \valB$ and $\pred(\val, \state') \eqdef \state' = (h \mtimes \ell \mapsto \valB) \land \val = \valB$, one obtains the axiom $\All h, \ell, \valB. \hoare{\ownPhys{h \mtimes \ell \mapsto \valB}}{!\ell}{\Ret\val. \val = \valB \land \ownPhys{h \mtimes \ell \mapsto \valB} }$.
+%Axioms for CAS-like operations can be obtained by first deriving rules for the two possible cases, and then using the disjunction rule.
diff --git a/docs/iris/mathpartir.sty b/docs/iris/mathpartir.sty
new file mode 120000
index 0000000000000000000000000000000000000000..882eef9e39db25828dccb87e6f655b55d290f2ae
--- /dev/null
+++ b/docs/iris/mathpartir.sty
@@ -0,0 +1 @@
+../mathpartir.sty
\ No newline at end of file
diff --git a/docs/iris/model.tex b/docs/iris/model.tex
new file mode 100644
index 0000000000000000000000000000000000000000..df990558829da968d9f5ddc0512ca036876b2291
--- /dev/null
+++ b/docs/iris/model.tex
@@ -0,0 +1,522 @@
+\section{Model and semantics}
+
+The semantics closely follows the ideas laid out in~\cite{catlogic}.
+We just repeat some of the most important definitions here.
+
+An \emph{ordered family of equivalence relations} (o.f.e.\@) is a pair
+$(X,(\nequiv{n})_{n\in\mathbb{N}})$, with $X$ a set, and each $\nequiv{n}$ 
+an equivalence relation over $X$ satisfying
+\begin{itemize}
+	\item $\All x,x'. x \nequiv{0} x',$
+	\item $\All x,x',n. x \nequiv{n+1} x' \implies x \nequiv{n} x',$
+	\item $\All x,x'. (\All n. x\nequiv{n} x') \implies x = x'.$
+\end{itemize}
+
+Let $(X,(\nequivset{n}{X})_{n\in\mathbb{N}})$ and
+$(Y,(\nequivset{n}{Y})_{n\in\mathbb{N}})$ be o.f.e.'s. A function $f:
+X\to Y$ is \emph{non-expansive} if,   for all $x$, $x'$ and $n$,
+\[
+x \nequivset{n}{X} x' \implies 
+fx \nequivset{n}{Y} f x'.
+\]
+Let $(X,(\nequiv{n})_{n\in\mathbb{N}})$ be an o.f.e.
+A sequence $(x_i)_{i\in\mathbb{N}}$ of elements in $X$ is a
+\emph{chain} (aka \emph{Cauchy sequence}) if
+\[
+\All k. \Exists n. \All i,j\geq n. x_i \nequiv{k} x_j.
+\]
+A \emph{limit} of a chain $(x_i)_{i\in\mathbb{N}}$ is an element
+$x\in X$ such that
+\[
+\All n. \Exists k. \All i\geq k. x_i \nequiv{n} x.
+\]
+An o.f.e.\ $(X,(\nequiv{n})_{n\in\mathbb{N}})$ is \emph{complete} 
+if all chains have a limit.
+A complete o.f.e.\ is called a c.o.f.e.\ (pronounced ``coffee'').
+When the family of equivalence relations is clear from context we
+simply
+write $X$ for a c.o.f.e.\ $(X,(\nequiv{n})_{n\in\mathbb{N}})$.
+
+
+Let $\cal U$ be the category of c.o.f.e.'s and nonexpansive maps.
+
+Products and function spaces are defined as follows.
+For c.o.f.e.'s $(X,(\nequivset{n}{X})_{n\in\mathbb{N}})$ and
+$(Y,(\nequivset{n}{Y})_{n\in\mathbb{N}})$, their product 
+is 
+$(X\times Y, (\nequiv{n})_{n\in\mathbb{N}}),$
+where
+\[
+(x,y) \nequiv{n} (x',y') \iff
+x \nequiv{n} x' \land
+y \nequiv{n} y'.
+\]
+The function space is
+\[
+(\{\, f : X\to Y \mid f \text{ is non-expansive}\,\}, (\nequiv{n})_{n\in\mathbb{N}}),
+\]
+where
+\[
+f \nequiv{n} g \iff
+\All x. f(x)  \nequiv{n}  g(x).
+\]
+
+For a c.o.f.e.\ $(X,(\nequiv{n}_{n\in\mathbb{N}}))$, 
+$\latert (X,(\nequiv{n}_{n\in\mathbb{N}}))$ is the c.o.f.e.\@
+$(X,(\nequivB{n}_{n\in\mathbb{N}}))$,  where
+\[
+x \nequivB{n} x' \iff \begin{cases}
+\top	&\IF n=0 \\
+x \nequiv{n-1} x' &\IF n>0
+\end{cases}
+\]
+
+(Sidenote: $\latert$ extends to a functor on $\cal U$ by the identity
+action on morphisms).
+
+
+\subsection{Semantic structures: propositions}
+\ralf{This needs to be synced with the Coq development again.}
+
+\[
+\begin{array}[t]{rcl}
+%  \protStatus &::=& \enabled \ALT \disabled \\[0.4em]
+\textdom{Res} &\eqdef&
+\{\, \res = (\pres, \ghostRes) \mid
+\pres \in \textdom{State} \uplus \{\munit\} \land \ghostRes \in \mcarp{\monoid} \,\} \\[0.5em]
+(\pres, \ghostRes) \rsplit
+(\pres', \ghostRes') &\eqdef&
+\begin{cases}
+(\pres, \ghostRes \mtimes \ghostRes')  & \mbox{if $\pres' = \munit$ and $\ghostRes \mtimes \ghostRes' \neq \mzero$} \\
+(\pres', \ghostRes \mtimes \ghostRes') & \mbox{if $\pres = \munit$ and $\ghostRes \mtimes \ghostRes' \neq \mzero$}
+\end{cases}
+\\[0.5em]
+%
+\res \leq \res' & \eqdef &
+\Exists \res''. \res' = \res \rsplit \res''\\[1em]
+%
+\UPred(\textdom{Res}) &\eqdef& 
+\{\, p \subseteq \mathbb{N} \times \textdom{Res} \mid
+\All (k,\res) \in p.
+\All j\leq k.
+\All \res' \geq \res.
+(j,\res')\in p \,\}\\[0.5em]
+\restr{p}{k} &\eqdef& 
+\{\, (j, \res) \in p \mid j < k \,\}\\[0.5em]
+p \nequiv{n} q & \eqdef & \restr{p}{n} = \restr{q}{n}\\[1em]
+%
+\textdom{PreProp} & \cong  &
+\latert\big( \textdom{World} \monra \UPred(\textdom{Res})
+\big)\\[0.5em]
+%
+\textdom{World} & \eqdef &
+\mathbb{N} \fpfn \textdom{PreProp}\\[0.5em]
+%
+w \nequiv{n} w' & \eqdef & 
+n = 0 \lor
+\bigl(\dom(w) = \dom(w') \land \All i\in\dom(w). w(i) \nequiv{n} w'(i)\bigr)
+\\[0.5em]
+%
+w \leq w' & \eqdef & 
+\dom(w) \subseteq \dom(w') \land \All i \in \dom(w). w(i) = w'(i) 
+\\[0.5em]
+%
+\textdom{Prop} & \eqdef & \textdom{World} \monra \UPred(\textdom{Res})
+\end{array}
+\]
+
+For $p,q\in\UPred(\textdom{Res})$ with $p \nequiv{n} q$ defined
+as above, $\UPred(\textdom{Res})$ is a 
+c.o.f.e.
+
+$\textdom{Prop}$ is a c.o.f.e., which exists by America and Rutten's theorem~\cite{America-Rutten:JCSS89}.
+We do not need to consider how the object is constructed. 
+We only need the isomorphism, given by maps
+\begin{align*}
+	\wIso &: \latert \bigl(World \monra \UPred(\textdom{Res})\bigr) \to \textdom{PreProp} \\
+	\wIso^{-1} &: \textdom{PreProp} \to \latert \bigl(World \monra \UPred(\textdom{Res})\bigr)
+\end{align*}
+which are inverses to each other. 
+Note: this is an isomorphism in $\cal U$, i.e., $\wIso$ and
+$\wIso^{-1}$ are both non-expansive.
+
+$\textdom{World}$ is a c.o.f.e.\ with the family of equivalence
+relations defined as shown above.
+
+\subsection{Semantic structures: types and environments}
+
+For a set $X$, write $\Delta X$ for the discrete c.o.f.e.\ with $x \nequiv{n}
+x'$ iff $n = 0$ or $x = x'$
+\[
+\begin{array}[t]{@{}l@{\ }c@{\ }l@{}}
+\semSort{\unit} &\eqdef& \Delta \{ \star \} \\
+\semSort{\textsort{InvName}} &\eqdef& \Delta \mathbb{N}  \\
+\semSort{\textsort{InvMask}} &\eqdef& \Delta \pset{\mathbb{N}} \\
+\semSort{\textsort{Monoid}} &\eqdef& \Delta |\monoid|
+\end{array}
+\qquad\qquad
+\begin{array}[t]{@{}l@{\ }c@{\ }l@{}}
+\semSort{\textsort{Val}} &\eqdef& \Delta \textdom{Val} \\
+\semSort{\textsort{Exp}} &\eqdef& \Delta \textdom{Exp} \\
+\semSort{\textsort{Ectx}} &\eqdef& \Delta \textdom{Ectx} \\
+\semSort{\textsort{State}} &\eqdef& \Delta \textdom{State} \\
+\end{array}
+\qquad\qquad
+\begin{array}[t]{@{}l@{\ }c@{\ }l@{}}
+\semSort{\sort \times \sort'} &\eqdef& \semSort{\sort} \times \semSort{\sort} \\
+\semSort{\sort \to \sort'} &\eqdef& \semSort{\sort} \to \semSort{\sort} \\
+\semSort{\Prop} &\eqdef& \textdom{Prop} \\
+\end{array}
+\]
+
+The balance of our signature $\SigNat$ is interpreted as follows.
+For each base type $\type$ not covered by the preceding table, we pick an object $X_\type$ in $\cal U$ and define
+\[
+\semSort{\type} \eqdef X_\type
+\]
+For each function symbol $\sigfn : \type_1, \dots, \type_n \to \type_{n+1} \in \SigFn$, we pick an arrow $\Sem{\sigfn} : \semSort{\type_1} \times \dots \times \semSort{\type_n} \to \semSort{\type_{n+1}}$ in $\cal U$.
+
+An environment $\vctx$ is interpreted as the set of
+maps $\rho$, with $\dom(\rho) = \dom(\vctx)$ and
+$\rho(x)\in\semSort{\vctx(x)}$,
+and 
+$\rho\nequiv{n} \rho' \iff n=0 \lor \bigl(\dom(\rho)=\dom(\rho') \land
+\All x\in\dom(\rho). \rho(x) \nequiv{n} \rho'(x)\bigr)$.
+
+\ralf{Re-check all the following definitions with the Coq development.}
+%\typedsection{Validity}{valid : \pset{\textdom{Prop}} \in Sets}
+%
+%\begin{align*}
+%valid(p) &\iff \All n \in \mathbb{N}. \All \res \in \textdom{Res}. \All W \in \textdom{World}. (n, \res) \in p(W)
+%\end{align*}
+
+\typedsection{Later modality}{\later : \textdom{Prop} \to \textdom{Prop} \in {\cal U}}
+
+\begin{align*}
+	\later p &\eqdef \Lam W. \{\, (n + 1, r) \mid (n, r) \in p(W) \,\} \cup \{\, (0, r) \mid r \in \textdom{Res} \,\}
+\end{align*}
+\begin{lem}
+	$\later{}$ is well-defined: $\later {p}$ is a valid proposition (this amounts to showing non-expansiveness), and $\later{}$ itself is a \emph{contractive} map.
+\end{lem}
+
+\typedsection{Always modality}{\always{} : \textdom{Prop} \to \textdom{Prop} \in {\cal U}}
+
+\begin{align*}
+	\always{p} \eqdef \Lam W. \{\, (n, r) \mid (n, \munit) \in p(W) \,\}
+\end{align*}
+\begin{lem}
+	$\always{}$ is well-defined: $\always{p}$ is a valid proposition (this amounts to showing non-expansiveness), and $\always{}$ itself is a non-expansive map.
+\end{lem}
+
+% PDS: p \Rightarrow q not defined.
+%\begin{lem}\label{lem:always-impl-valid}
+%\begin{align*}
+%&\forall p, q \in \textdom{Prop}.~\\
+%&\qquad
+%  (\forall n \in \mathbb{N}.~\forall \res \in \textdom{Res}.~\forall W \in \textdom{World}.~(n, \res) \in p(W) \Rightarrow (n, \res) \in q(W)) \Leftrightarrow~valid(\always{(p \Rightarrow q)})
+%\end{align*}
+%\end{lem}
+
+\typedsection{Invariant definition}{inv : \Delta(\mathbb{N}) \times \textdom{Prop} \to \textdom{Prop} \in {\cal U}}
+\begin{align*}
+	\mathit{inv}(\iota, p) &\eqdef \Lam W. \{\, (n, r) \mid \iota\in\dom(W) \land W(\iota) \nequiv{n+1}_{\textdom{PreProp}} \wIso(p) \,\}
+\end{align*}
+\begin{lem}
+	$\mathit{inv}$ is well-defined: $\mathit{inv}(\iota, p)$ is a valid proposition (this amounts to showing non-expansiveness), and $\mathit{inv}$ itself is a non-expansive map.
+\end{lem}
+
+\typedsection{World satisfaction}{\fullSat{-}{-}{-}{-} : 
+	\textdom{State} \times
+	\pset{\mathbb{N}} \times
+	\textdom{Res} \times
+	\textdom{World} \to \psetdown{\mathbb{N}} \in {\cal U}}
+\ralf{Make this Dave-compatible: Explicitly compose all the things in $s$}
+\begin{align*}
+	\fullSat{\state}{\mask}{\res}{W} &=
+	\begin{aligned}[t]
+		\{\, n + 1 \in \mathbb{N} \mid &\Exists  \resB:\mathbb{N} \fpfn \textdom{Res}. (\res \rsplit \resB).\pres = \state \land{}\\
+		&\quad \All \iota \in \dom(W). \iota \in \dom(W) \leftrightarrow \iota \in \dom(\resB) \land {}\\
+		&\quad\quad \iota \in \mask \ra (n, \resB(\iota)) \in \wIso^{-1}(W(\iota))(W) \,\} \cup \{ 0 \}
+	\end{aligned}
+\end{align*}
+\begin{lem}\label{lem:fullsat-nonexpansive}
+	$\fullSat{-}{-}{-}{-}$ is well-defined: It maps into $\psetdown{\mathbb{N}}$. (There is no need for it to be a non-expansive map, it doesn't itself live in $\cal U$.)
+\end{lem}
+
+\begin{lem}\label{lem:fullsat-weaken-mask}
+	\begin{align*}
+		\MoveEqLeft
+		\All \state \in \Delta(\textdom{State}).
+		\All \mask_1, \mask_2 \in \Delta(\pset{\mathbb{N}}).
+		\All \res, \resB \in \Delta(\textdom{Res}).
+		\All W \in \textdom{World}. \\&
+		\mask_1 \subseteq \mask_2 \implies (\fullSat{\state}{\mask_2}{\res}{W}) \subseteq (\fullSat{\state}{\mask_1}{\res}{W})
+	\end{align*}
+\end{lem}
+
+\begin{lem}\label{lem:nequal_ext_world}
+	\begin{align*}
+		&
+		\All n \in \mathbb{N}.
+		\All W_1, W_1', W_2 \in \textdom{World}.
+		W_1 \nequiv{n} W_2 \land W_1 \leq W_1' \implies \Exists W_2' \in \textdom{World}. W_1' \nequiv{n} W_2' \land W_2 \leq W_2'
+	\end{align*}
+\end{lem}
+
+\typedsection{Timeless}{\textit{timeless} : \textdom{Prop} \to \textdom{Prop}}
+
+\begin{align*}
+	\textit{timeless}(p) \eqdef 
+	\begin{aligned}[t]
+		\Lam W.
+		\{\, (n, r) &\mid \All W' \geq W. \All k \leq n. \All r' \in \textdom{Res}. \\
+		&\qquad
+		k > 0 \land (k - 1, r') \in p(W') \implies (k, r') \in p(W') \,\}
+	\end{aligned}
+\end{align*}
+
+\begin{lem}
+	\textit{timeless} is well-defined: \textit{timeless}(p) is a valid proposition, and \textit{timeless} itself is a non-expansive map.
+\end{lem}
+
+% PDS: \Ra undefined.
+%\begin{lem}
+%\begin{align*}
+%&
+%  \All p \in \textdom{Prop}.
+%  \All \mask \in \pset{\mathbb{N}}.
+%valid(\textit{timeless}(p) \Ra (\later p \vs[\mask][\mask] p))
+%\end{align*}
+%\end{lem}
+
+\typedsection{View-shift}{\mathit{vs} : \Delta(\pset{\mathbb{N}}) \times \Delta(\pset{\mathbb{N}}) \times \textdom{Prop} \to \textdom{Prop} \in {\cal U}}
+\begin{align*}
+	\mathit{vs}_{\mask_1}^{\mask_2}(q) &= \Lam W.
+	\begin{aligned}[t]
+		\{\, (n, \res) &\mid \All W_F \geq W. \All \res_F, \mask_F, \state. \All k \leq n.\\
+		&\qquad 
+		k \in (\fullSat{\state}{\mask_1 \cup \mask_F}{\res \rsplit \res_F}{W_F}) \land k > 0 \land \mask_F \sep (\mask_1 \cup \mask_2) \implies{} \\
+		&\qquad
+		\Exists W' \geq W_F. \Exists \res'. k \in (\fullSat{\state}{\mask_2 \cup \mask_F}{\res' \rsplit \res_F}{W'}) \land (k, \res') \in q(W')
+		\,\}
+	\end{aligned}
+\end{align*}
+\begin{lem}
+	$\mathit{vs}$ is well-defined: $\mathit{vs}_{\mask_1}^{\mask_2}(q)$ is a valid proposition, and $\mathit{vs}$ is a non-expansive map.
+\end{lem}
+
+
+%\begin{lem}\label{lem:prim_view_shift_trans}
+%\begin{align*}
+%\MoveEqLeft
+%  \All \mask_1, \mask_2, \mask_3 \in \Delta(\pset{\mathbb{N}}).
+%  \All p, q \in \textdom{Prop}. \All W \in \textdom{World}.
+%  \All n \in \mathbb{N}.\\
+%&
+%  \mask_2 \subseteq \mask_1 \cup \mask_3 \land
+%  \bigl(\All W' \geq W. \All r \in \textdom{Res}. \All k \leq n. (k, r) \in p(W') \implies (k, r) \in vs_{\mask_2}^{\mask_3}(q)(W')\bigr) \\
+%&\qquad
+%  {}\implies \All r \in \textdom{Res}. (n, r) \in vs_{\mask_1}^{\mask_2}(p)(W) \implies (n, r) \in vs_{\mask_1}^{\mask_3}(q)(W)
+%\end{align*}
+%\end{lem}
+
+% PDS: E_1 ==>> E_2 undefined.
+%\begin{lem}
+%\begin{align*}
+%&
+%  \forall \mask_1, \mask_2, \mask_3 \in \Delta(\pset{\mathbb{N}}).~
+%  \forall p_1, p_2, p_3 \in \textdom{Prop}.~\\
+%&\qquad
+%  \mask_2 \subseteq \mask_1 \cup \mask_3 \Rightarrow
+%  valid(((p_1 \vs[\mask_1][\mask_2] p_2) \land (p_2 \vs[\mask_2][\mask_3] p_3)) \Rightarrow (p_1 \vs[\mask_1][\mask_3] p_3))
+%\end{align*}
+%\end{lem}
+
+%\begin{lem}
+%\begin{align*}
+%\MoveEqLeft
+%  \All \iota \in \mathbb{N}.
+%  \All p \in \textdom{Prop}.
+%  \All W \in \textdom{World}.
+%  \All \res \in \textdom{Res}.
+%  \All n \in \mathbb{N}. \\
+%&
+%  (n, \res) \in inv(\iota, p)(W) \implies (n, \res) \in vs_{\{ \iota \}}^{\emptyset}(\later p)(W)
+%\end{align*}
+%\end{lem}
+
+% PDS: * undefined.
+%\begin{lem}
+%\begin{align*}
+%&
+%  \forall \iota \in \mathbb{N}.~
+%  \forall p \in \textdom{Prop}.~
+%  \forall W \in \textdom{World}.~
+%  \forall \res \in \textdom{Res}.~
+%  \forall n \in \mathbb{N}.~\\
+%&\qquad
+%  (n, \res) \in (inv(\iota, p) * \later p)(W) \Rightarrow (n, \res) \in vs^{\{ \iota \}}_{\emptyset}(\top)(W)
+%\end{align*}
+%\end{lem}
+
+% \begin{lem}
+% \begin{align*}
+% &
+%   \forall \mask_1, \mask_2 \in \Delta(\pset{\mathbb{N}}).~
+%   valid(\bot \vs[\mask_1][\mask_2] \bot)
+% \end{align*}
+% \end{lem}
+
+% PDS: E_1 ==>> E_2 undefined.
+%\begin{lem}
+%\begin{align*}
+%&
+%  \forall p, q \in \textdom{Prop}.~
+%  \forall \mask \in \pset{\mathbb{N}}.~
+%valid(\always{(p \Rightarrow q)} \Rightarrow (p \vs[\mask][\mask] q))
+%\end{align*}
+%\end{lem}
+
+% PDS: E # E' and E_1 ==>> E_2 undefined.
+%\begin{lem}
+%\begin{align*}
+%&
+%  \forall p_1, p_2, p_3 \in \textdom{Prop}.~
+%  \forall \mask_1, \mask_2, \mask \in \pset{\mathbb{N}}.~
+%valid(\mask \sep \mask_1 \Ra \mask \sep \mask_2 \Ra (p_1 \vs[\mask_1][\mask_2] p_2) \Rightarrow (p_1 * p_3 \vs[\mask_1 \cup \mask][\mask_2 \cup \mask] p_2 * p_3))
+%\end{align*}
+%\end{lem}
+
+\typedsection{Weakest precondition}{\mathit{wp} : \Delta(\pset{\mathbb{N}}) \times \Delta(\textdom{Exp}) \times (\Delta(\textdom{Val}) \to \textdom{Prop}) \to \textdom{Prop} \in {\cal U}}
+
+\begin{align*}
+	\mathit{wp}_\mask(\expr, q) &\eqdef \Lam W.
+	\begin{aligned}[t]
+		\{\, (n, \res) &\mid \All W_F \geq W; k \leq n; \res_F; \state; \mask_F \sep \mask. k > 0 \land k \in (\fullSat{\state}{\mask \cup \mask_F}{\res \rsplit \res_F}{W_F}) \implies{}\\
+		&\qquad
+		(\expr \in \textdom{Val} \implies \Exists W' \geq W_F. \Exists \res'. \\
+		&\qquad\qquad
+		k \in (\fullSat{\state}{\mask \cup \mask_F}{\res' \rsplit \res_F}{W'}) \land (k, \res') \in q(\expr)(W'))~\land \\
+		&\qquad
+		(\All\ectx,\expr_0,\expr'_0,\state'. \expr = \ectx[\expr_0] \land \cfg{\state}{\expr_0} \step \cfg{\state'}{\expr'_0} \implies \Exists W' \geq W_F. \Exists \res'. \\
+		&\qquad\qquad
+		k - 1 \in (\fullSat{\state'}{\mask \cup \mask_F}{\res' \rsplit \res_F}{W'}) \land (k-1, \res') \in wp_\mask(\ectx[\expr_0'], q)(W'))~\land \\
+		&\qquad
+		(\All\ectx,\expr'. \expr = \ectx[\fork{\expr'}] \implies \Exists W' \geq W_F. \Exists \res', \res_1', \res_2'. \\
+		&\qquad\qquad
+		k - 1 \in (\fullSat{\state}{\mask \cup \mask_F}{\res' \rsplit \res_F}{W'}) \land \res' = \res_1' \rsplit \res_2'~\land \\
+		&\qquad\qquad
+		(k-1, \res_1') \in \mathit{wp}_\mask(\ectx[\textsf{fRet}], q)(W') \land
+		(k-1, \res_2') \in \mathit{wp}_\top(\expr', \Lam\any. \top)(W'))
+		\,\}
+	\end{aligned}
+\end{align*}
+\begin{lem}
+	$\mathit{wp}$ is well-defined: $\mathit{wp}_{\mask}(\expr, q)$ is a valid proposition, and $\mathit{wp}$ is a non-expansive map. Besides, the dependency on the recursive occurrence is contractive, so $\mathit{wp}$ has a fixed-point.
+\end{lem}
+
+\begin{lem}
+	$\mathit{wp}$ on values and non-mask-changing $\mathit{vs}$ agree:
+	\[ \mathit{wp}_\mask(\val, q) = \mathit{vs}_{\mask}^{\mask}(q \: \val)  \]
+\end{lem}
+
+\typedsection{Interpretation of terms}{\Sem{\vctx \proves \term : \sort} : \Sem{\vctx} \to \semSort{\sort} \in {\cal U}}
+
+%A term $\vctx \proves \term : \sort$ is interpreted as a non-expansive map from $\Sem{\vctx}$ to $\semSort{\sort}$.
+
+\begin{align*}
+	\semTerm{\vctx \proves x : \sort}_\gamma &= \gamma(x) \\
+	\semTerm{\vctx \proves \sigfn(\term_1, \dots, \term_n) : \type_{n+1}}_\gamma &= \Sem{\sigfn}(\semTerm{\vctx \proves \term_1 : \type_1}_\gamma, \dots, \semTerm{\vctx \proves \term_n : \type_n}_\gamma) \ \WHEN \sigfn : \type_1, \dots, \type_n \to \type_{n+1} \in \SigFn \\
+	\semTerm{\vctx \proves \Lam x. \term : \sort \to \sort'}_\gamma &=
+	\Lam v : \semSort{\sort}. \semTerm{\vctx, x : \sort \proves \term : \sort'}_{\gamma[x \mapsto v]} \\
+	\semTerm{\vctx \proves \term~\termB : \sort'}_\gamma &=
+	\semTerm{\vctx \proves \term : \sort \to \sort'}_\gamma(\semTerm{\vctx \proves \termB : \sort}_\gamma) \\
+	\semTerm{\vctx \proves \unitterm : \unitsort}_\gamma &= \star \\
+	\semTerm{\vctx \proves (\term_1, \term_2) : \sort_1 \times \sort_2}_\gamma &= (\semTerm{\vctx \proves \term_1 : \sort_1}_\gamma, \semTerm{\vctx \proves \term_2 : \sort_2}_\gamma) \\
+	\semTerm{\vctx \proves \pi_i~\term : \sort_1}_\gamma &= \pi_i(\semTerm{\vctx \proves \term : \sort_1 \times \sort_2}_\gamma)
+\end{align*}
+%
+\begin{align*}
+	\semTerm{\vctx \proves \mzero : \textsort{Monoid}}_\gamma &= \mzero \\
+	\semTerm{\vctx \proves \munit : \textsort{Monoid}}_\gamma &= \munit \\
+	\semTerm{\vctx \proves \melt \mtimes \meltB : \textsort{Monoid}}_\gamma &=
+	\semTerm{\vctx \proves \melt : \textsort{Monoid}}_\gamma \mtimes \semTerm{\vctx \proves \meltB : \textsort{Monoid}}_\gamma
+\end{align*}
+%
+\begin{align*}
+	\semTerm{\vctx \proves t =_\sort u : \Prop}_\gamma &=
+	\Lam W. \{\, (n, r) \mid \semTerm{\vctx \proves t : \sort}_\gamma \nequiv{n+1} \semTerm{\vctx \proves u : \sort}_\gamma \,\} \\
+	\semTerm{\vctx \proves \FALSE : \Prop}_\gamma &= \Lam W. \emptyset \\
+	\semTerm{\vctx \proves \TRUE : \Prop}_\gamma &= \Lam W. \mathbb{N} \times \textdom{Res} \\
+	\semTerm{\vctx \proves P \land Q : \Prop}_\gamma &=
+	\Lam W. \semTerm{\vctx \proves P : \Prop}_\gamma(W) \cap \semTerm{\vctx \proves Q : \Prop}_\gamma(W) \\
+	\semTerm{\vctx \proves P \lor Q : \Prop}_\gamma &=
+	\Lam W. \semTerm{\vctx \proves P : \Prop}_\gamma(W) \cup \semTerm{\vctx \proves Q : \Prop}_\gamma(W) \\
+	\semTerm{\vctx \proves P \Ra Q : \Prop}_\gamma &=
+	\Lam W. \begin{aligned}[t]
+		\{\, (n, r) &\mid \All n' \leq n. \All W' \geq W. \All r' \geq r. \\
+		&\qquad
+		(n', r') \in \semTerm{\vctx \proves P : \Prop}_\gamma(W')~ \\
+		&\qquad 
+		\implies (n', r') \in \semTerm{\vctx \proves Q : \Prop}_\gamma(W') \,\}
+	\end{aligned} \\
+	\semTerm{\vctx \proves \All x : \sort. P : \Prop}_\gamma &=
+	\Lam W. \{\, (n, r) \mid \All v \in \semSort{\sort}. (n, r) \in \semTerm{\vctx, x : \sort \proves P : \Prop}_{\gamma[x \mapsto v]}(W) \,\} \\
+	\semTerm{\vctx \proves \Exists x : \sort. P : \Prop}_\gamma &=
+	\Lam W. \{\, (n, r) \mid \Exists v \in \semSort{\sort}. (n, r) \in \semTerm{\vctx, x : \sort \proves P : \Prop}_{\gamma[x \mapsto v]}(W) \,\}
+\end{align*}
+%
+\begin{align*}
+	\semTerm{\vctx \proves \always{\prop} : \Prop}_\gamma &= \always{\semTerm{\vctx \proves \prop : \Prop}_\gamma} \\
+	\semTerm{\vctx \proves \later{\prop} : \Prop}_\gamma &= \later \semTerm{\vctx \proves \prop : \Prop}_\gamma\\
+	\semTerm{\vctx \proves \MU x. \pred : \sort \to \Prop}_\gamma &=
+	\mathit{fix}(\Lam v : \semSort{\sort \to \Prop}. \semTerm{\vctx, x : \sort \to \Prop \proves \pred : \sort \to \Prop}_{\gamma[x \mapsto v]}) \\
+	\semTerm{\vctx \proves \prop * \propB : \Prop}_\gamma &=
+	\begin{aligned}[t]
+		\Lam W. \{\, (n, r) &\mid \Exists r_1, r_2. r = r_1 \bullet r_2 \land{} \\
+		&\qquad
+		(n, r_1) \in \semTerm{\vctx \proves \prop : \Prop}_\gamma \land{} \\
+		&\qquad
+		(n, r_2) \in \semTerm{\vctx \proves \propB : \Prop}_\gamma \,\}
+	\end{aligned} \\
+	\semTerm{\vctx \proves \prop \wand \propB : \Prop}_\gamma &=
+	\begin{aligned}[t]
+		\Lam W. \{\, (n, r) &\mid \All n' \leq n. \All W' \geq W. \All r'. \\
+		&\qquad
+		(n', r') \in \semTerm{\vctx \proves \prop : \Prop}_\gamma(W') \land r \sep r' \\
+		&\qquad
+		\implies (n', r \bullet r') \in \semTerm{\vctx \proves \propB : \Prop}_\gamma(W')
+		\}
+	\end{aligned} \\
+	\semTerm{\vctx \proves \knowInv{\iname}{\prop} : \Prop}_\gamma &=
+	inv(\semTerm{\vctx \proves \iname : \textsort{InvName}}_\gamma, \semTerm{\vctx \proves \prop : \Prop}_\gamma) \\
+	\semTerm{\vctx \proves \ownGGhost{\melt} : \Prop}_\gamma &=
+	\Lam W. \{\, (n, \res) \mid \res.\ghostRes \geq \semTerm{\vctx \proves \melt : \textsort{Monoid}}_\gamma \,\} \\
+	\semTerm{\vctx \proves \ownPhys{\state} : \Prop}_\gamma &=
+	\Lam W. \{\, (n, \res) \mid \res.\pres = \semTerm{\vctx \proves \state : \textsort{State}}_\gamma \,\}
+\end{align*}
+%
+\begin{align*}
+	\semTerm{\vctx \proves \pvsA{\prop}{\mask_1}{\mask_2} : \Prop}_\gamma &=
+	\textdom{vs}^{\semTerm{\vctx \proves \mask_2 : \textsort{InvMask}}_\gamma}_{\semTerm{\vctx \proves \mask_1 : \textsort{InvMask}}_\gamma}(\semTerm{\vctx \proves \prop : \Prop}_\gamma) \\
+	\semTerm{\vctx \proves \dynA{\expr}{\pred}{\mask} : \Prop}_\gamma &=
+	\textdom{wp}_{\semTerm{\vctx \proves \mask : \textsort{InvMask}}_\gamma}(\semTerm{\vctx \proves \expr : \textsort{Exp}}_\gamma, \semTerm{\vctx \proves \pred : \textsort{Val} \to \Prop}_\gamma) \\
+	\semTerm{\vctx \proves \wtt{\timeless{\prop}}{\Prop}}_\gamma &=
+	\textdom{timeless}(\semTerm{\vctx \proves \prop : \Prop}_\gamma)
+\end{align*}
+
+\typedsection{Interpretation of entailment}{\Sem{\vctx \mid \pfctx \proves \prop} : 2 \in \mathit{Sets}}
+
+\[
+\Sem{\vctx \mid \pfctx \proves \propB} \eqdef
+\begin{aligned}[t]
+\MoveEqLeft
+\forall n \in \mathbb{N}.\;
+\forall W \in \textdom{World}.\;
+\forall \res \in \textdom{Res}.\; 
+\forall \gamma \in \semSort{\vctx},\;
+\\&
+\bigl(\All \propB \in \pfctx. (n, \res) \in \semTerm{\vctx \proves \propB : \Prop}_\gamma(W)\bigr)
+\implies (n, \res) \in \semTerm{\vctx \proves \prop : \Prop}_\gamma(W)
+\end{aligned}
+\]
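Review bot: In the sort table under "Semantic structures: types and environments", the product and function sorts both interpret their second component as `\semSort{\sort}`, so `\sort'` never appears on the right-hand side. The lines should read `\semSort{\sort \times \sort'} &\eqdef& \semSort{\sort} \times \semSort{\sort'} \\` and `\semSort{\sort \to \sort'} &\eqdef& \semSort{\sort} \to \semSort{\sort'} \\`. A similar slip is in the projection case of the term interpretation, which types `\pi_i~\term` at `\sort_1` rather than `\sort_i`. The closing entailment definition names `\propB` on its left-hand side while the body concludes `\prop` and binds `\propB` over `\pfctx`; the left-hand side should be `\Sem{\vctx \mid \pfctx \proves \prop}`, matching the `\typedsection` heading above it. The `\ralf` notes in this hunk already mark these definitions for a re-check against the Coq development, so the corrections can go in the same pass.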
diff --git a/docs/iris/pfsteps.sty b/docs/iris/pfsteps.sty
new file mode 120000
index 0000000000000000000000000000000000000000..958ef7a1484b06f1f647ab5344ee3025a063a7bd
--- /dev/null
+++ b/docs/iris/pfsteps.sty
@@ -0,0 +1 @@
+../pfsteps.sty
\ No newline at end of file
diff --git a/docs/iris/setup.tex b/docs/iris/setup.tex
new file mode 120000
index 0000000000000000000000000000000000000000..7a0f2491cb5a519dc1909df6ef55a74fd0a1b039
--- /dev/null
+++ b/docs/iris/setup.tex
@@ -0,0 +1 @@
+../setup.tex
\ No newline at end of file
diff --git a/docs/listproc.sty b/docs/listproc.sty
new file mode 100644
index 0000000000000000000000000000000000000000..1e3b167e8ae6779580cbc4454ec1a49435f23639
--- /dev/null
+++ b/docs/listproc.sty
@@ -0,0 +1,349 @@
+%%
+%% This is file `listproc.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% listproc.dtx  (with options: `package')
+%% 
+%% Copyright (C) 2011 by Jesse A. Tov
+%% 
+%% This file may be distributed and/or modified under the conditions of the
+%% LaTeX Project Public License, either version 1.2 of this license or (at
+%% your option) any later version. The latest version of this license is
+%% in:
+%% 
+%%    http://www.latex-project.org/lppl.txt
+%% 
+%% and version 1.2 or later is part of all distributions of LaTeX
+%% version 1999/12/01 or later.
+%% 
+\NeedsTeXFormat{LaTeX2e}[1999/12/01]
+\ProvidesPackage{listproc}[2011/03/26 v0.1 (list processing)]
+\newcommand\newlist{\@lstp@def{}\newcommand}
+\newcommand\renewlist{\@lstp@def{}\renewcommand}
+\newcommand\deflist{\@lstp@def{}\def}
+\newcommand\gdeflist{\@lstp@def\global\def}
+\newcommand\@lstp@def[4]{%
+  #2#3{}%
+  \@for\lstp@def@temp:=#4\do{%
+    \eSnocTo\lstp@def@temp#3%
+  }%
+  #1\let#3#3%
+  \let\lstp@def@temp\@undefined
+}
+\newtoks\lstp@ta
+\newtoks\lstp@tb
+\newcommand\ConsTo{\@lstp@ConsTo\relax\def}
+\newcommand\gConsTo{\@lstp@ConsTo\global\def}
+\newcommand\eConsTo{\@lstp@ConsTo\relax\edef}
+\newcommand\xConsTo{\@lstp@ConsTo\global\edef}
+\newcommand\@lstp@ConsTo[4]{%
+  \long#2\lstp@temp{#3}%
+  \lstp@ta=\expandafter{\expandafter\listitem\expandafter{\lstp@temp}}%
+  \lstp@tb=\expandafter{#4}%
+  #1\edef#4{\the\lstp@ta\the\lstp@tb}%
+}
+\newcommand\SnocTo{\@lstp@SnocTo\relax\def}
+\newcommand\gSnocTo{\@lstp@SnocTo\global\def}
+\newcommand\eSnocTo{\@lstp@SnocTo\relax\edef}
+\newcommand\xSnocTo{\@lstp@SnocTo\global\edef}
+\newcommand\@lstp@SnocTo[4]{%
+  \long#2\lstp@temp{#3}%
+  \lstp@ta=\expandafter{\expandafter\listitem\expandafter{\lstp@temp}}%
+  \lstp@tb=\expandafter{#4}%
+  #1\edef#4{\the\lstp@tb\the\lstp@ta}%
+}
+\newcommand\AppendTo{\@lstp@AppendTo\relax}
+\newcommand\gAppendTo{\@lstp@AppendTo\global}
+\newcommand\@lstp@AppendTo[3]{%
+  \lstp@ta=\expandafter{#2}%
+  \lstp@tb=\expandafter{#3}%
+  #1\edef#3{\the\lstp@ta\the\lstp@tb}%
+}
+\long\def\@LopOff\listitem#1#2\@LopOff#3#4{%
+  #3{#1}%
+  #4{#2}%
+}
+\newcommand\@lstp@LopTo[4]{\expandafter\@LopOff#3\@LopOff{#1\def#4}{#2\def#3}}
+\newcommand\@lstp@RestTo[3]{\expandafter\@LopOff#2\@LopOff{\@gobble}{#1\def#3}}
+\newcommand\LopTo{\@lstp@LopTo\relax\relax}
+\newcommand\gLopTo{\@lstp@LopTo\global\global}
+\newcommand\glLopTo{\@lstp@LopTo\global\relax}
+\newcommand\lgLopTo{\@lstp@LopTo\relax\global}
+\newcommand\FirstTo{\@lstp@LopTo\relax\@gobblethree}
+\newcommand\gFirstTo{\@lstp@LopTo\global\@gobblethree}
+\newcommand\RestTo{\@lstp@RestTo\relax}
+\newcommand\gRestTo{\@lstp@RestTo\global}
+\newcommand*\IfList[1]{%
+  {%
+  \expandafter\@IfList#1\@IfList
+  }%
+}
+\def\@IfList#1#2\@IfList{%
+  \ifx\listitem#1\relax
+    \aftergroup\@firstoftwo
+  \else
+    \aftergroup\@secondoftwo
+  \fi
+}
+\def\@forList#1:=#2\do#3{%
+  \long\def\lstp@for@listitem##1{%
+    \long\def#1{##1}%
+    #3%
+    \let\listitem\lstp@for@listitem%
+  }%
+  \let\listitem\lstp@for@listitem%
+  #2%
+  \let\listitem\@undefined%
+}
+\newcommand\SetToListLength[2]{%
+  \lstp@length{#2}{\value{#1}}%
+}
+\newcommand\lstp@length[2]{%
+  #2=0 %
+  \long\def\listitem##1{\advance#2 by1 }%
+  #1\let\listitem\@undefined%
+}
+\newcommand\MapListTo{\@lstp@MapListTo\relax}
+\newcommand\gMapListTo{\@lstp@MapListTo\global}
+\newcommand\MapAndAppendTo{\@lstp@MapAndAppendTo\relax}
+\newcommand\gMapAndAppendTo{\@lstp@MapAndAppendTo\global}
+\newcommand\@lstp@MapListTo[4]{%
+  \let\lstp@map@temp#3%
+  #1\let#4\empty%
+  \@lstp@MapAndAppendTo{#1}{#2}\lstp@map@temp#4%
+  \let\lstp@map@temp\@undefined%
+}
+\newcommand\@lstp@MapAndAppendTo[4]{%
+  \long\def\listitem##1{\@lstp@SnocTo{#1}\def{#2}{#4}}%
+  #3%
+  \let\listitem\@undefined%
+}
+\newcommand\lstp@insert[3]{%
+  \edef\lstp@insert@temp@a{#2{#1}}%
+  \let\lstp@insert@temp@i#3%
+  \let#3\empty
+  \long\def\lstp@insert@listitem##1{%
+    \edef\lstp@insert@temp@b{#2{##1}}%
+    \ifnum\lstp@insert@temp@a<\lstp@insert@temp@b
+      \SnocTo{#1}{#3}%
+      \let\listitem\lstp@insert@listitem@done
+    \else
+      \let\listitem\lstp@insert@listitem
+    \fi
+    \SnocTo{##1}{#3}%
+  }%
+  \long\def\lstp@insert@listitem@done##1{\SnocTo{##1}{#3}}%
+  \let\listitem\lstp@insert@listitem
+  \lstp@insert@temp@i%
+  \ifx\listitem\lstp@insert@listitem%
+    \SnocTo{#1}{#3}%
+  \fi%
+  \let\lstp@insert@temp@i\@undefined%
+  \let\listitem\@undefined%
+}
+\providecommand\@apply@group[2]{#1#2}
+\newcommand\SortList[2][\@apply@group{}]{%
+  \let\lstp@sort@temp@i#2%
+  \let#2\empty
+  \long\def\lstp@sort@listitem##1{%
+    \lstp@insert{##1}{#1}{#2}%
+    \let\listitem\lstp@sort@listitem
+  }%
+  \let\listitem\lstp@sort@listitem
+  \lstp@sort@temp@i
+  \let\lstp@sort@temp@i\@undefined
+  \let\listitem\@undefined
+}
+\newcounter{lstp@ifsucc}
+\newcommand\lstp@ifsucc[2]{%
+  \setcounter{lstp@ifsucc}{#1}%
+  \addtocounter{lstp@ifsucc}{1}%
+  \ifnum#2=\value{lstp@ifsucc}%
+    \let\@lstp@ifsucc@kont\@firstoftwo
+  \else
+    \let\@lstp@ifsucc@kont\@secondoftwo
+  \fi
+  \@lstp@ifsucc@kont
+}
+\newcommand\CompressList[2][\@apply@group{}]{%
+  \let\lstp@compress@temp@i#2%
+  \let#2\empty
+  \def\lstp@compress@add@single{%
+    \expandafter\SnocTo\expandafter
+    {\expandafter\@single\expandafter{\lstp@compress@temp@a}}{#2}%
+  }%
+  \def\lstp@compress@add@range{%
+    \expandafter\expandafter\expandafter\SnocTo
+    \expandafter\expandafter\expandafter{%
+    \expandafter\expandafter\expandafter\@range
+    \expandafter\expandafter\expandafter{%
+    \expandafter\lstp@compress@temp@a\expandafter}%
+    \expandafter{\lstp@compress@temp@b}}#2%
+  }%
+  \long\def\lstp@compress@listitem@start##1{%
+    \def\lstp@compress@temp@a{##1}%
+    \edef\lstp@compress@temp@a@key{#1{##1}}%
+    \let\listitem\lstp@compress@listitem@single
+  }%
+  \long\def\lstp@compress@listitem@single##1{%
+    \def\lstp@compress@temp@b{##1}%
+    \edef\lstp@compress@temp@b@key{#1{##1}}%
+    \ifnum\lstp@compress@temp@a@key=\lstp@compress@temp@b@key
+      \let\listitem\lstp@compress@listitem@single
+    \else
+      \lstp@ifsucc{\lstp@compress@temp@a@key}{\lstp@compress@temp@b@key}
+        {\let\listitem\lstp@compress@listitem@range}
+        {\lstp@compress@add@single
+         \let\lstp@compress@temp@a\lstp@compress@temp@b
+         \let\lstp@compress@temp@a@key\lstp@compress@temp@b@key
+         \let\listitem\lstp@compress@listitem@single}%
+    \fi
+  }%
+  \long\def\lstp@compress@listitem@range##1{%
+    \def\lstp@compress@temp@c{##1}%
+    \edef\lstp@compress@temp@c@key{#1{##1}}%
+    \ifnum\lstp@compress@temp@b@key=\lstp@compress@temp@c@key
+      \let\listitem\lstp@compress@listitem@range
+    \else
+      \lstp@ifsucc{\lstp@compress@temp@b@key}{\lstp@compress@temp@c@key}
+        {%
+          \let\lstp@compress@temp@b\lstp@compress@temp@c
+          \let\lstp@compress@temp@b@key\lstp@compress@temp@c@key
+          \let\listitem\lstp@compress@listitem@range
+        }
+        {%
+          \lstp@compress@add@range
+          \let\lstp@compress@temp@a\lstp@compress@temp@c
+          \let\lstp@compress@temp@a@key\lstp@compress@temp@c@key
+          \let\listitem\lstp@compress@listitem@single
+        }%
+    \fi
+  }%
+  \let\listitem\lstp@compress@listitem@start
+  \lstp@compress@temp@i
+  \ifx\listitem\lstp@compress@listitem@single
+    \lstp@compress@add@single
+  \else
+    \ifx\listitem\lstp@compress@listitem@range
+      \lstp@compress@add@range
+    \fi
+  \fi
+  \let\lstp@compress@temp@a\@undefined
+  \let\lstp@compress@temp@b\@undefined
+  \let\lstp@compress@temp@c\@undefined
+  \let\lstp@compress@temp@a@key\@undefined
+  \let\lstp@compress@temp@b@key\@undefined
+  \let\lstp@compress@temp@c@key\@undefined
+  \let\lstp@compress@temp@i\@undefined
+  \let\listitem\@undefined
+}
+\newcommand\FormatListSepTwo{ and }
+\newcommand\FormatListSepMore{, }
+\newcommand\FormatListSepLast{, and }
+\newcounter{lstp@FormatList@length}
+\newcounter{lstp@FormatList@posn}
+\newcommand\FormatList[4]{{%
+  \deflist\lstp@FormatList@list{#4}%
+  \SetToListLength{lstp@FormatList@length}\lstp@FormatList@list%
+  \setcounter{lstp@FormatList@posn}{0}%
+  \ifnum\value{lstp@FormatList@length}=1%
+    #1%
+  \else%
+    #2%
+  \fi%
+  \def\listitem##1{%
+    \addtocounter{lstp@FormatList@posn}{1}%
+    \ifnum1<\value{lstp@FormatList@posn}%
+      \ifnum2=\value{lstp@FormatList@length}%
+        \FormatListSepTwo
+      \else
+        \ifnum\value{lstp@FormatList@length}=\value{lstp@FormatList@posn}%
+          \FormatListSepLast
+        \else
+          \FormatListSepMore
+        \fi
+      \fi
+    \fi
+    #3{##1}%
+  }%
+  \lstp@FormatList@list
+}}
+\newcommand\ListExpr[1]{\@lstp@ListExpr{#1}\relax}
+\newcommand\ListExprTo[2]{\@lstp@ListExpr{#1}{\def#2}}
+\newcommand\gListExprTo[2]{\@lstp@ListExpr{#1}{\gdef#2}}
+\newcommand\@lstp@defbinop[2]{%
+  \newcommand#1[2]{%
+    \Eval{##1}\let\@lstp@tmp\@lstp@acc
+    {\Eval{##2}}%
+    #2\@lstp@tmp\@lstp@acc
+  }%
+}
+\newcommand\@lstp@defunop[2]{%
+  \newcommand#1[1]{%
+    \Eval{##1}%
+    #2\@lstp@acc\@lstp@acc
+  }%
+}
+\newcommand\@lstp@definplaceunopopt[3][]{%
+  \newcommand#2[2][#1]{%
+    \Eval{##2}%
+    #3[##1]\@lstp@acc
+    \global\let\@lstp@acc\@lstp@acc
+  }%
+}
+\newcommand\@lstp@ListExpr[2]{%
+  {%
+    \gdef\@lstp@acc{}%
+    \def\Eval##1{%
+      \IfList{##1}{%
+        \global\let\@lstp@acc##1%
+      }{%
+        \@lstp@ifListOp##1\@lstp@ifListOp{%
+          ##1%
+        }{%
+          \xdef\@lstp@acc{##1}%
+        }%
+      }%
+    }%
+    \def\Q##1{\gdef\@lstp@acc{##1}}%
+    \def\Nil{\global\let\@lstp@acc\empty}%
+    \def\List##1{\gdeflist\@lstp@acc{##1}}%
+    \@lstp@defbinop\Cons\xConsTo
+    \@lstp@defbinop\Snoc\xSnocTo
+    \@lstp@defunop\First\gFirstTo
+    \@lstp@defunop\Rest\gRestTo
+    \@lstp@defbinop\Append\gAppendTo
+    \@lstp@definplaceunopopt[\@apply@group{}]\Sort\SortList
+    \@lstp@definplaceunopopt[\@apply@group{}]\Compress\CompressList
+    \newcommand\Map[2]{%
+      \Eval{##2}%
+      \gMapListTo{##1}\@lstp@acc\@lstp@acc
+    }%
+    \Eval{#1}%
+  }%
+  \def\@lstp@finish##1{#2{##1}}%
+  \expandafter\@lstp@finish\expandafter{\@lstp@acc}%
+}
+\def\@lstp@ifListOp#1#2\@lstp@ifListOp{%
+  \@lstp@ifInToks#1{
+    \Q\Nil\List\Cons\Snoc\Append
+    \First\Rest\Sort\Compress\Map
+  }
+}
+\newcommand\@lstp@ifInToks[2]{%
+  {%
+    \def\@tester##1#1##2\@tester{%
+      \ifx\@notfound##2\relax
+        \aftergroup\@secondoftwo
+      \else
+        \aftergroup\@firstoftwo
+      \fi
+    }%
+    \@tester#2\@lstp@ifInToks#1\@notfound\@tester
+  }%
+}
+\endinput
+%%
+%% End of file `listproc.sty'.
diff --git a/docs/mathpartir.sty b/docs/mathpartir.sty
new file mode 100644
index 0000000000000000000000000000000000000000..a39595a5977867ce837c5c37f143c70cbbedc254
--- /dev/null
+++ b/docs/mathpartir.sty
@@ -0,0 +1,446 @@
+%  Mathpartir --- Math Paragraph for Typesetting Inference Rules
+%
+%  Copyright (C) 2001, 2002, 2003, 2004, 2005 Didier Rémy
+%
+%  Author         : Didier Remy 
+%  Version        : 1.2.0
+%  Bug Reports    : to author
+%  Web Site       : http://pauillac.inria.fr/~remy/latex/
+% 
+%  Mathpartir is free software; you can redistribute it and/or modify
+%  it under the terms of the GNU General Public License as published by
+%  the Free Software Foundation; either version 2, or (at your option)
+%  any later version.
+%  
+%  Mathpartir is distributed in the hope that it will be useful,
+%  but WITHOUT ANY WARRANTY; without even the implied warranty of
+%  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+%  GNU General Public License for more details 
+%  (http://pauillac.inria.fr/~remy/license/GPL).
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%  File mathpartir.sty (LaTeX macros)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{mathpartir}
+    [2005/12/20 version 1.2.0 Math Paragraph for Typesetting Inference Rules]
+
+%%
+
+%% Identification
+%% Preliminary declarations
+
+\RequirePackage {keyval}
+
+%% Options
+%% More declarations
+
+%% PART I: Typesetting maths in paragraphe mode
+
+%% \newdimen \mpr@tmpdim
+%% Dimens are a precious ressource. Uses seems to be local.
+\let \mpr@tmpdim \@tempdima
+
+% To ensure hevea \hva compatibility, \hva should expands to nothing 
+% in mathpar or in inferrule
+\let \mpr@hva \empty
+
+%% normal paragraph parametters, should rather be taken dynamically
+\def \mpr@savepar {%
+  \edef \MathparNormalpar
+     {\noexpand \lineskiplimit \the\lineskiplimit
+      \noexpand \lineskip \the\lineskip}%
+  }
+
+\def \mpr@rulelineskip {\lineskiplimit=0.3em\lineskip=0.2em plus 0.1em}
+\def \mpr@lesslineskip {\lineskiplimit=0.6em\lineskip=0.5em plus 0.2em}
+\def \mpr@lineskip  {\lineskiplimit=1.2em\lineskip=1.2em plus 0.2em}
+\let \MathparLineskip \mpr@lineskip
+\def \mpr@paroptions {\MathparLineskip}
+\let \mpr@prebindings \relax
+
+\newskip \mpr@andskip \mpr@andskip 2em plus 0.5fil minus 0.5em
+
+\def \mpr@goodbreakand
+   {\hskip -\mpr@andskip  \penalty -1000\hskip \mpr@andskip}
+\def \mpr@and {\hskip \mpr@andskip}
+\def \mpr@andcr {\penalty 50\mpr@and}
+\def \mpr@cr {\penalty -10000\mpr@and}
+\def \mpr@eqno #1{\mpr@andcr #1\hskip 0em plus -1fil \penalty 10}
+
+\def \mpr@bindings {%
+  \let \and \mpr@andcr
+  \let \par \mpr@andcr
+  \let \\\mpr@cr
+  \let \eqno \mpr@eqno
+  \let \hva \mpr@hva
+  } 
+\let \MathparBindings \mpr@bindings
+
+% \@ifundefined {ignorespacesafterend}
+%    {\def \ignorespacesafterend {\aftergroup \ignorespaces}
+
+\newenvironment{mathpar}[1][]
+  {$$\mpr@savepar \parskip 0em \hsize \linewidth \centering
+     \vbox \bgroup \mpr@prebindings \mpr@paroptions #1\ifmmode $\else
+     \noindent $\displaystyle\fi
+     \MathparBindings}
+  {\unskip \ifmmode $\fi\egroup $$\ignorespacesafterend}
+
+\newenvironment{mathparpagebreakable}[1][]
+  {\begingroup 
+   \par
+   \mpr@savepar \parskip 0em \hsize \linewidth \centering
+      \mpr@prebindings \mpr@paroptions #1%
+      \vskip \abovedisplayskip \vskip -\lineskip%
+     \ifmmode  \else  $\displaystyle\fi
+     \MathparBindings
+  }
+  {\unskip
+   \ifmmode $\fi \par\endgroup
+   \vskip \belowdisplayskip
+   \noindent
+  \ignorespacesafterend}
+
+% \def \math@mathpar #1{\setbox0 \hbox {$\displaystyle #1$}\ifnum
+%     \wd0 < \hsize  $$\box0$$\else \bmathpar #1\emathpar \fi}
+
+%%% HOV BOXES
+
+\def \mathvbox@ #1{\hbox \bgroup \mpr@normallineskip 
+  \vbox \bgroup \tabskip 0em \let \\ \cr
+  \halign \bgroup \hfil $##$\hfil\cr #1\crcr \egroup \egroup
+  \egroup}
+
+\def \mathhvbox@ #1{\setbox0 \hbox {\let \\\qquad $#1$}\ifnum \wd0 < \hsize
+      \box0\else \mathvbox {#1}\fi}
+
+
+%% Part II -- operations on lists
+
+\newtoks \mpr@lista
+\newtoks \mpr@listb
+
+\long \def\mpr@cons #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@lista \the \mpr@listb}}
+
+\long \def\mpr@snoc #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@listb\the\mpr@lista}}
+
+\long \def \mpr@concat#1=#2\mpr@to#3{\mpr@lista \expandafter {#2}\mpr@listb
+\expandafter {#3}\edef #1{\the \mpr@listb\the\mpr@lista}}
+
+\def \mpr@head #1\mpr@to #2{\expandafter \mpr@head@ #1\mpr@head@ #1#2}
+\long \def \mpr@head@ #1#2\mpr@head@ #3#4{\def #4{#1}\def#3{#2}}
+
+\def \mpr@flatten #1\mpr@to #2{\expandafter \mpr@flatten@ #1\mpr@flatten@ #1#2}
+\long \def \mpr@flatten@ \\#1\\#2\mpr@flatten@ #3#4{\def #4{#1}\def #3{\\#2}}
+
+\def \mpr@makelist #1\mpr@to #2{\def \mpr@all {#1}%
+   \mpr@lista {\\}\mpr@listb \expandafter {\mpr@all}\edef \mpr@all {\the
+   \mpr@lista \the \mpr@listb \the \mpr@lista}\let #2\empty 
+   \def \mpr@stripof ##1##2\mpr@stripend{\def \mpr@stripped{##2}}\loop
+     \mpr@flatten \mpr@all \mpr@to \mpr@one
+     \expandafter \mpr@snoc \mpr@one \mpr@to #2\expandafter \mpr@stripof
+     \mpr@all \mpr@stripend  
+     \ifx \mpr@stripped \empty \let \mpr@isempty 0\else \let \mpr@isempty 1\fi
+     \ifx 1\mpr@isempty
+   \repeat
+}
+
+\def \mpr@rev #1\mpr@to #2{\let \mpr@tmp \empty
+   \def \\##1{\mpr@cons ##1\mpr@to \mpr@tmp}#1\let #2\mpr@tmp}
+
+%% Part III -- Type inference rules
+
+\newif \if@premisse
+\newbox \mpr@hlist
+\newbox \mpr@vlist
+\newif \ifmpr@center \mpr@centertrue
+\def \mpr@htovlist {%
+   \setbox \mpr@hlist
+      \hbox {\strut
+             \ifmpr@center \hskip -0.5\wd\mpr@hlist\fi
+             \unhbox \mpr@hlist}%
+   \setbox \mpr@vlist
+      \vbox {\if@premisse  \box \mpr@hlist \unvbox \mpr@vlist
+             \else \unvbox \mpr@vlist \box \mpr@hlist
+             \fi}%
+}
+% OLD version
+% \def \mpr@htovlist {%
+%    \setbox \mpr@hlist
+%       \hbox {\strut \hskip -0.5\wd\mpr@hlist \unhbox \mpr@hlist}%
+%    \setbox \mpr@vlist
+%       \vbox {\if@premisse  \box \mpr@hlist \unvbox \mpr@vlist
+%              \else \unvbox \mpr@vlist \box \mpr@hlist
+%              \fi}%
+% }
+
+\def \mpr@item #1{$\displaystyle #1$}
+\def \mpr@sep{2em}
+\def \mpr@blank { }
+\def \mpr@hovbox #1#2{\hbox
+  \bgroup
+  \ifx #1T\@premissetrue
+  \else \ifx #1B\@premissefalse
+  \else
+     \PackageError{mathpartir}
+       {Premisse orientation should either be T or B}
+       {Fatal error in Package}%
+  \fi \fi
+  \def \@test {#2}\ifx \@test \mpr@blank\else
+  \setbox \mpr@hlist \hbox {}%
+  \setbox \mpr@vlist \vbox {}%
+  \if@premisse \let \snoc \mpr@cons \else \let \snoc \mpr@snoc \fi
+  \let \@hvlist \empty \let \@rev \empty
+  \mpr@tmpdim 0em
+  \expandafter \mpr@makelist #2\mpr@to \mpr@flat
+  \if@premisse \mpr@rev \mpr@flat \mpr@to \@rev \else \let \@rev \mpr@flat \fi
+  \def \\##1{%
+     \def \@test {##1}\ifx \@test \empty
+        \mpr@htovlist
+        \mpr@tmpdim 0em %%% last bug fix not extensively checked
+     \else
+      \setbox0 \hbox{\mpr@item {##1}}\relax
+      \advance \mpr@tmpdim by \wd0
+      %\mpr@tmpdim 1.02\mpr@tmpdim
+      \ifnum \mpr@tmpdim < \hsize
+         \ifnum \wd\mpr@hlist > 0
+           \if@premisse
+             \setbox \mpr@hlist 
+                \hbox {\unhbox0 \hskip \mpr@sep \unhbox \mpr@hlist}%
+           \else
+             \setbox \mpr@hlist
+                \hbox {\unhbox \mpr@hlist  \hskip \mpr@sep \unhbox0}%
+           \fi
+         \else 
+         \setbox \mpr@hlist \hbox {\unhbox0}%
+         \fi
+      \else
+         \ifnum \wd \mpr@hlist > 0
+            \mpr@htovlist 
+            \mpr@tmpdim \wd0
+         \fi
+         \setbox \mpr@hlist \hbox {\unhbox0}%
+      \fi
+      \advance \mpr@tmpdim by \mpr@sep
+   \fi
+   }%
+   \@rev
+   \mpr@htovlist
+   \ifmpr@center \hskip \wd\mpr@vlist\fi \box \mpr@vlist
+   \fi
+   \egroup
+}
+
+%%% INFERENCE RULES
+
+\@ifundefined{@@over}{%
+    \let\@@over\over % fallback if amsmath is not loaded
+    \let\@@overwithdelims\overwithdelims
+    \let\@@atop\atop \let\@@atopwithdelims\atopwithdelims
+    \let\@@above\above \let\@@abovewithdelims\abovewithdelims
+  }{}
+
+%% The default
+
+\def \mpr@@fraction #1#2{\hbox {\advance \hsize by -0.5em
+    $\displaystyle {#1\mpr@over #2}$}}
+\def \mpr@@nofraction #1#2{\hbox {\advance \hsize by -0.5em
+    $\displaystyle {#1\@@atop #2}$}}
+
+\let \mpr@fraction \mpr@@fraction
+
+%% A generic solution to arrow
+
+\def \mpr@make@fraction #1#2#3#4#5{\hbox {%
+     \def \mpr@tail{#1}%
+     \def \mpr@body{#2}%
+     \def \mpr@head{#3}%
+     \setbox1=\hbox{$#4$}\setbox2=\hbox{$#5$}%
+     \setbox3=\hbox{$\mkern -3mu\mpr@body\mkern -3mu$}%
+     \setbox3=\hbox{$\mkern -3mu \mpr@body\mkern -3mu$}%
+     \dimen0=\dp1\advance\dimen0 by \ht3\relax\dp1\dimen0\relax
+     \dimen0=\ht2\advance\dimen0 by \dp3\relax\ht2\dimen0\relax
+     \setbox0=\hbox {$\box1 \@@atop \box2$}%
+     \dimen0=\wd0\box0
+     \box0 \hskip -\dimen0\relax
+     \hbox to \dimen0 {$%
+       \mathrel{\mpr@tail}\joinrel
+       \xleaders\hbox{\copy3}\hfil\joinrel\mathrel{\mpr@head}%
+     $}}}
+
+%% Old stuff should be removed in next version
+\def \mpr@@nothing #1#2
+    {$\lower 0.01pt \mpr@@nofraction {#1}{#2}$}
+\def \mpr@@reduce #1#2{\hbox
+    {$\lower 0.01pt \mpr@@fraction {#1}{#2}\mkern -15mu\rightarrow$}}
+\def \mpr@@rewrite #1#2#3{\hbox
+    {$\lower 0.01pt \mpr@@fraction {#2}{#3}\mkern -8mu#1$}}
+\def \mpr@infercenter #1{\vcenter {\mpr@hovbox{T}{#1}}}
+
+\def \mpr@empty {}
+\def \mpr@inferrule
+  {\bgroup
+     \ifnum \linewidth<\hsize \hsize \linewidth\fi
+     \mpr@rulelineskip
+     \let \and \qquad
+     \let \hva \mpr@hva
+     \let \@rulename \mpr@empty
+     \let \@rule@options \mpr@empty
+     \let \mpr@over \@@over
+     \mpr@inferrule@}
+\newcommand {\mpr@inferrule@}[3][]
+  {\everymath={\displaystyle}%       
+   \def \@test {#2}\ifx \empty \@test
+      \setbox0 \hbox {$\vcenter {\mpr@hovbox{B}{#3}}$}%
+   \else 
+   \def \@test {#3}\ifx \empty \@test
+      \setbox0 \hbox {$\vcenter {\mpr@hovbox{T}{#2}}$}%
+   \else
+   \setbox0 \mpr@fraction {\mpr@hovbox{T}{#2}}{\mpr@hovbox{B}{#3}}%
+   \fi \fi
+   \def \@test {#1}\ifx \@test\empty \box0
+   \else \vbox 
+%%% Suggestion de Francois pour les etiquettes longues
+%%%   {\hbox to \wd0 {\RefTirName {#1}\hfil}\box0}\fi
+      {\hbox {\RefTirName {#1}}\box0}\fi
+   \egroup}
+
+\def \mpr@vdotfil #1{\vbox to #1{\leaders \hbox{$\cdot$} \vfil}}
+
+% They are two forms
+% \inferrule [label]{[premisses}{conclusions}
+% or
+% \inferrule* [options]{[premisses}{conclusions}
+%
+% Premisses and conclusions are lists of elements separated by \\
+% Each \\ produces a break, attempting horizontal breaks if possible, 
+% and  vertical breaks if needed. 
+% 
+% An empty element obtained by \\\\ produces a vertical break in all cases. 
+%
+% The former rule is aligned on the fraction bar. 
+% The optional label appears on top of the rule
+% The second form to be used in a derivation tree is aligned on the last
+% line of its conclusion
+% 
+% The second form can be parameterized, using the key=val interface. The
+% folloiwng keys are recognized:
+%       
+%  width                set the width of the rule to val
+%  narrower             set the width of the rule to val\hsize
+%  before               execute val at the beginning/left
+%  lab                  put a label [Val] on top of the rule
+%  lskip                add negative skip on the right
+%  left                 put a left label [Val]
+%  Left                 put a left label [Val],  ignoring its width 
+%  right                put a right label [Val]
+%  Right                put a right label [Val], ignoring its width
+%  leftskip             skip negative space on the left-hand side
+%  rightskip            skip negative space on the right-hand side
+%  vdots                lift the rule by val and fill vertical space with dots
+%  after                execute val at the end/right
+%  
+%  Note that most options must come in this order to avoid strange
+%  typesetting (in particular  leftskip must preceed left and Left and
+%  rightskip must follow Right or right; vdots must come last 
+%  or be only followed by rightskip. 
+%  
+
+%% Keys that make sence in all kinds of rules
+\def \mprset #1{\setkeys{mprset}{#1}}
+\define@key {mprset}{andskip}[]{\mpr@andskip=#1}
+\define@key {mprset}{lineskip}[]{\lineskip=#1}
+\define@key {mprset}{flushleft}[]{\mpr@centerfalse}
+\define@key {mprset}{center}[]{\mpr@centertrue}
+\define@key {mprset}{rewrite}[]{\let \mpr@fraction \mpr@@rewrite}
+\define@key {mprset}{atop}[]{\let \mpr@fraction \mpr@@nofraction}
+\define@key {mprset}{myfraction}[]{\let \mpr@fraction #1}
+\define@key {mprset}{fraction}[]{\def \mpr@fraction {\mpr@make@fraction #1}}
+\define@key {mprset}{sep}{\def\mpr@sep{#1}}
+
+\newbox \mpr@right
+\define@key {mpr}{flushleft}[]{\mpr@centerfalse}
+\define@key {mpr}{center}[]{\mpr@centertrue}
+\define@key {mpr}{rewrite}[]{\let \mpr@fraction \mpr@@rewrite}
+\define@key {mpr}{myfraction}[]{\let \mpr@fraction #1}
+\define@key {mpr}{fraction}[]{\def \mpr@fraction {\mpr@make@fraction #1}}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+     \advance \hsize by -\wd0\box0}
+\define@key {mpr}{width}{\hsize #1}
+\define@key {mpr}{sep}{\def\mpr@sep{#1}}
+\define@key {mpr}{before}{#1}
+\define@key {mpr}{lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{Lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{narrower}{\hsize #1\hsize}
+\define@key {mpr}{leftskip}{\hskip -#1}
+\define@key {mpr}{reduce}[]{\let \mpr@fraction \mpr@@reduce}
+\define@key {mpr}{rightskip}
+  {\setbox \mpr@right \hbox {\unhbox \mpr@right \hskip -#1}}
+\define@key {mpr}{LEFT}{\setbox0 \hbox {$#1$}\relax
+     \advance \hsize by -\wd0\box0}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+     \advance \hsize by -\wd0\box0}
+\define@key {mpr}{Left}{\llap{$\TirName {#1}\;$}}
+\define@key {mpr}{right}
+  {\setbox0 \hbox {$\;\TirName {#1}$}\relax \advance \hsize by -\wd0
+   \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{RIGHT}
+  {\setbox0 \hbox {$#1$}\relax \advance \hsize by -\wd0
+   \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{Right}
+  {\setbox \mpr@right \hbox {\unhbox \mpr@right \rlap {$\;\TirName {#1}$}}}
+\define@key {mpr}{vdots}{\def \mpr@vdots {\@@atop \mpr@vdotfil{#1}}}
+\define@key {mpr}{after}{\edef \mpr@after {\mpr@after #1}}
+
+\newcommand \mpr@inferstar@ [3][]{\setbox0
+  \hbox {\let \mpr@rulename \mpr@empty \let \mpr@vdots \relax
+         \setbox \mpr@right \hbox{}%
+         $\setkeys{mpr}{#1}%
+          \ifx \mpr@rulename \mpr@empty \mpr@inferrule {#2}{#3}\else
+          \mpr@inferrule [{\mpr@rulename}]{#2}{#3}\fi
+          \box \mpr@right \mpr@vdots$}
+  \setbox1 \hbox {\strut}
+  \@tempdima \dp0 \advance \@tempdima by -\dp1
+  \raise \@tempdima \box0}
+
+\def \mpr@infer {\@ifnextchar *{\mpr@inferstar}{\mpr@inferrule}}
+\newcommand \mpr@err@skipargs[3][]{}
+\def \mpr@inferstar*{\ifmmode 
+    \let \@do \mpr@inferstar@
+  \else 
+    \let \@do \mpr@err@skipargs
+    \PackageError {mathpartir}
+      {\string\inferrule* can only be used in math mode}{}%
+  \fi \@do}
+
+
+%%% Exports
+
+% Envirnonment mathpar
+
+\let \inferrule \mpr@infer
+
+% make a short name \infer is not already defined
+\@ifundefined {infer}{\let \infer \mpr@infer}{}
+
+\def \TirNameStyle #1{\small \textsc{#1}}
+\def \tir@name #1{\hbox {\small \TirNameStyle{#1}}}
+\let \TirName \tir@name
+\let \DefTirName \TirName
+\let \RefTirName \TirName
+
+%%% Other Exports
+
+% \let \listcons \mpr@cons
+% \let \listsnoc \mpr@snoc
+% \let \listhead \mpr@head
+% \let \listmake \mpr@makelist
+
+
+
+
+\endinput
diff --git a/docs/pfsteps.sty b/docs/pfsteps.sty
new file mode 100644
index 0000000000000000000000000000000000000000..203ab154313f3a6f21067ceb1516d8588cc905b3
--- /dev/null
+++ b/docs/pfsteps.sty
@@ -0,0 +1,279 @@
+%%
+%% This is file `pfsteps.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% pfsteps.dtx  (with options: `package')
+%% 
+%% Copyright (C) 2011 by Jesse A. Tov
+%% 
+%% This file may be distributed and/or modified under the conditions of the
+%% LaTeX Project Public License, either version 1.2 of this license or (at
+%% your option) any later version. The latest version of this license is
+%% in:
+%% 
+%%    http://www.latex-project.org/lppl.txt
+%% 
+%% and version 1.2 or later is part of all distributions of LaTeX
+%% version 1999/12/01 or later.
+%% 
+\NeedsTeXFormat{LaTeX2e}[1999/12/01]
+\ProvidesPackage{pfsteps}
+ [2011/04/04 v0.4 proof tools]
+\RequirePackage{listproc}
+\newcommand*\pfsteps@set[3][]{
+  \expandafter\let\csname #1pfsteps@#2\endcsname#3
+}
+\newcommand*\pfsteps@option[2][\iffalse]{
+  \pfsteps@set[if]{#2}#1
+  \pfsteps@set[if]{#2@set}\iffalse
+  \DeclareOption{#2}{
+    \pfsteps@set[if]{#2}\iftrue
+    \pfsteps@set[if]{#2@set}\iftrue
+  }
+  \DeclareOption{no#2}{
+    \pfsteps@set[if]{#2}\iffalse
+    \pfsteps@set[if]{#2@set}\iftrue
+  }
+}
+\pfsteps@option[\iftrue]{atsign}
+\pfsteps@option[\iftrue]{hyperref}
+\pfsteps@option[\iftrue]{loadunicode}
+\pfsteps@option[\iftrue]{mathpartir}
+\pfsteps@option{unicode}
+\ProcessOptions
+\ifpfsteps@unicode
+  \ifpfsteps@loadunicode
+    \RequirePackage{ucs}
+    \RequirePackage[utf8x]{inputenc}
+  \fi
+\fi
+\ifpfsteps@mathpartir
+  \ifpfsteps@mathpartir@set
+    \RequirePackage{mathpartir}
+  \fi
+\fi
+\ifpfsteps@hyperref
+  \ifpfsteps@hyperref@set
+    \RequirePackage{hyperref}
+  \fi
+\fi
+\newcommand{\pfcounteranchor}[1]{(#1)}
+\newcommand{\pfcounterref}[1]{(#1)}
+\newcounter{pfsteps@pfc@global}
+\newcounter{pfsteps@pfc@local}
+\newcommand{\resetpfcounter}[1][0]
+  {\stepcounter{pfsteps@pfc@global}\setcounter{pfsteps@pfc@local}{#1}}
+\newcommand{\thepfcounter}
+  {\the\value{pfsteps@pfc@local}}
+\newcommand{\thepfsectioncounter}
+  {\the\value{pfsteps@pfc@global}}
+\newcommand{\steppfcounter}[1][\relax]{%
+  \addtocounter{pfsteps@pfc@local}{1}%
+   \ifx\relax#1\relax\else
+     \pflabel{#1}%
+   \fi
+}
+\newcommand{\usepfcounter}[1][\relax]{%
+  \steppfcounter[#1]%
+  \pfsteps@hypertarget{pfc:\thepfsectioncounter:\thepfcounter}{%
+    \pfcounteranchor{\thepfcounter}%
+  }%
+}
+\newcommand{\pfsteps@pfc@cs}[1]
+  {\csname\pfsteps@pfc@{\pfsteps@strip#1 \@empty}\endcsname}
+\newcommand{\pfsteps@pfc@}[1]
+  {pfsteps@pfc@\pfsteps@strip#1 \@empty @\thepfsectioncounter}
+\def\pfsteps@strip#1 #2{%
+  #1%
+  \ifx#2\@empty\else\expandafter\pfsteps@strip\fi
+  #2}
+\newcommand{\pflabel}[1]
+  {\expandafter\ifx\csname\pfsteps@pfc@{#1}@thisrun\endcsname\relax
+     \expandafter\xdef\csname\pfsteps@pfc@{#1}\endcsname
+       {\thepfcounter}%
+     \expandafter\gdef\csname\pfsteps@pfc@{#1}@thisrun\endcsname
+       {}%
+     \immediate\write\@auxout{
+       \noexpand\pfsteps@def@label
+         {#1}{\thepfsectioncounter}{\thepfcounter}
+     }%
+   \else
+     \PackageWarning{pfsteps}
+        {Proof step (#1) already defined in this section}%
+   \fi}
+\newcommand*{\pfsteps@def@label}[3]{
+  \expandafter\gdef
+    \csname pfsteps@pfc@#1@#2\endcsname
+    {#3}
+}
+\newcommand*{\pfref}[1]
+{{\ListExprTo
+    {\Compress[\@apply@group\@firstoftwo]
+     {\Sort[\@apply@group\@firstoftwo]
+      {\Map
+       {%
+        {\@ifundefined{\pfsteps@pfc@{##1}}
+           {-1}
+           {\csname\pfsteps@pfc@{##1}\endcsname}}%
+        {\@ifundefined{\pfsteps@pfc@{##1}}
+           {\PackageWarning{pfsteps}
+              {Proof step (##1) not yet defined in this section}%
+            \textbf{?}}
+           {\pfsteps@hyperlink
+             {pfc:\thepfsectioncounter:\pfsteps@pfc@cs{##1}}
+             {\pfsteps@pfc@cs{##1}}}}}
+       {\List{#1}}}}}
+    \pfsteps@pfref@list
+  \let\listitem\pfsteps@pfref@listitem@first
+  \def\@single##1{\@secondoftwo##1}%
+  \def\@range##1##2{\@secondoftwo##1--\@secondoftwo##2}%
+  \pfcounterref{\pfsteps@pfref@list}%
+}}
+\newcommand\pfsteps@pfref@listitem@first[1]{%
+  #1\let\listitem\pfsteps@pfref@listitem@rest
+}
+\newcommand\pfsteps@pfref@listitem@rest[1]{%
+  , #1\let\listitem\pfsteps@pfref@listitem@rest
+}
+\newcommand\pfsteps@hypertarget[2]{#2}
+\newcommand\pfsteps@hyperlink[2]{#2}
+\ifpfsteps@hyperref
+  \AtBeginDocument{
+    \ifcsname hypertarget\endcsname
+      \let\pfsteps@hypertarget=\hypertarget
+      \let\pfsteps@hyperlink=\hyperlink
+    \fi
+  }
+\fi
+\newlength{\proofleftskip}
+\newlength{\proofrightwidth}
+\setlength{\proofleftskip}{2pc}
+\setlength{\proofrightwidth}{0.3\linewidth}
+\newenvironment{pfsteps}
+        {\begin{pfsteps@with}$}
+        {\end{pfsteps@with}}
+\newenvironment{pfsteps*}
+        {\begin{pfsteps@with}{}}
+        {\end{pfsteps@with}}
+\newenvironment{pfsteps@with}[1]
+{
+  \leavevmode\begingroup
+  \setlength{\parskip}{0pt}%
+  \trivlist
+  \raggedright
+  \setlength{\leftskip}{1.5\proofleftskip}
+  \let\pfstepsSavedItem\item
+  \let\pfstepsSavedLabel\label
+  \let\pfstepsSavedQedhere\qedhere
+  \newcommand\AND[1][and]{\mathrel{\mbox{##1}}}
+  \newcommand\BY[2][by]
+    {\pfsteps@unmath{\penalty-1 \mbox{~}\hfill%
+     \begin{minipage}[t]{\proofrightwidth}%
+       \raggedright##1 ##2%
+     \end{minipage}}}
+  \def\pfstepsItem{%
+    \pfsteps@stopmath
+    \pfstepsSavedItem\mbox{}\kern-1.25\proofleftskip
+    \makebox[\proofleftskip]{\hfill\usepfcounter}\kern0.25\proofleftskip
+    #1\relax}
+  \def\pfstepsQedhere{\pfsteps@unmath{\pfstepsSavedQedhere}}
+  \let\item\pfstepsItem
+  \let\label\pflabel
+  \let\qedhere\pfstepsQedhere
+  \ifpfsteps@atsign
+    \pfsteps@setup@atsign
+  \fi
+  \relax
+}
+{
+  \pfsteps@stopmath
+  \endtrivlist\endgroup
+  \noindent\ignorespaces
+}
+\newcommand\pfsteps@stopmath{\ifmmode$\fi}
+\newcommand\pfsteps@unmath[1]{\ifmmode$\relax#1\relax$\else\relax#1\relax\fi}
+{
+  \def\atsign{@}
+  \catcode`\@=\active\relax
+  \expandafter\gdef\csname pfsteps\atsign setup\atsign atsign\endcsname{
+    \catcode`\@=\active\relax
+    \gdef@##1 {\pflabel{##1}}
+  }
+}
+\newcommand\pfstepsmathmode{\def\pfsteps@unicode@arg{$}}
+\newcommand\pfstepstextmode{\def\pfsteps@unicode@arg{\relax}}
+\newcommand\pfstepsSetupUnicode[3]{
+  \DeclareUnicodeCharacter{#1}{\pfsteps@unicode@startpfsteps}
+  \DeclareUnicodeCharacter{#3}{\pfsteps@unicode@item}
+  \def\pfsteps@unicode@startpfsteps
+    {\begingroup
+     \ifpfsteps@atsign\catcode`\@=\active\relax\fi
+     \pfsteps@unicode@startpfsteps@kont}
+  \def\pfsteps@unicode@startpfsteps@kont##1#2
+    {\begin{pfsteps@with}\pfsteps@unicode@arg\item##1\end{pfsteps@with}%
+     \endgroup}
+  \def\pfsteps@unicode@item{\item}
+  \pfstepsmathmode
+}
+\ifpfsteps@unicode
+  \pfstepsSetupUnicode{171}{»}{8226} % « » •
+\fi
+\newcommand\byCasesEveryCase{\resetpfcounter}
+\newcommand\byCasesEveryOtherwise{\byCasesEveryCase}
+\providecommand{\byCasesOtherwiseTemplate}{\textbf{Otherwise:}}
+\providecommand{\byCasesCaseTemplate}[1]{\textbf{Case\ \ \fbox{#1}}}
+\providecommand{\byCasesWhereTemplate}{\textbf{where}}
+\newenvironment{byCases}
+  {%
+    \begingroup
+    \let\case\byCases@case
+    \let\otherwise\byCases@otherwise
+    \ifpfsteps@mathpartir
+      \ifcsname inferrule\endcsname\let\icase\byCases@icase\fi
+    \fi
+    \list{}{\labelwidth\z@ \itemindent-\leftmargin
+            \let\makelabel\byCases@label}%
+  }
+  {%
+    \endlist
+    \endgroup
+  }
+\newcommand*\byCases@label[1]{%
+  \hspace\labelsep
+  \normalfont~\strut
+  \expandafter\ifx#1\relax\relax
+    \byCasesOtherwiseTemplate
+  \else
+    \byCasesCaseTemplate{\normalfont${#1}$}%
+  \fi
+}
+\newcommand*\byCases@case[2][\byCasesEveryCase]
+  {\item[{\let\AND\byCases@and #2}]\strut#1\pfsteps@reallynopagebreak}
+\newcommand*\byCases@otherwise[1][\byCasesEveryOtherwise]
+  {\item[]\strut#1\pfsteps@reallynopagebreak}
+\newcommand\pfsteps@reallynopagebreak{\par\nopagebreak\@nobreaktrue}
+\newcommand\byCases@and[1][and]{\mathrel{\mbox{\textbf{#1}}}}
+\newcommand*\byCases@icase{
+  \@ifnextchar* \byCases@icase@star \byCases@icase@nostar
+}
+\def\byCases@icase@nostar{\byCases@icase@i{\inferrule}}
+\def\byCases@icase@star*{\byCases@icase@i{\inferrule*}}
+\newcommand*\byCases@icase@i[1]{
+  \@ifnextchar [{\byCases@icase@opts{#1}}{\byCases@icase@noopts{#1}}
+}
+\def\byCases@icase@opts#1[#2]{\byCases@icase@ii{#1[#2]}}
+\def\byCases@icase@noopts#1{\byCases@icase@ii{#1}}
+\newcommand*\byCases@icase@ii[3]{
+  \@ifnextchar [
+    {\byCases@icase@where{#1}{#2}{#3}}
+    {\byCases@icase@nowhere{#1}{#2}{#3}}
+}
+\def\byCases@icase@where#1#2#3[#4]{
+  \case{#1{#2}{#3}\AND[\byCasesWhereTemplate]#4}%
+}
+\def\byCases@icase@nowhere#1#2#3{\case{#1{#2}{#3}}}
+\endinput
+%%
+%% End of file `pfsteps.sty'.
diff --git a/docs/setup.tex b/docs/setup.tex
new file mode 100644
index 0000000000000000000000000000000000000000..50500d946afd567f68313d24c3e3a5969cb016f4
--- /dev/null
+++ b/docs/setup.tex
@@ -0,0 +1,1395 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% PACKAGES
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\usepackage{mathtools}
+%\usepackage{amsmath}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amssymb}
+\usepackage{stmaryrd}
+\SetSymbolFont{stmry}{bold}{U}{stmry}{m}{n} % this fixes warnings when \boldsymbol is used with stmaryrd included
+
+\usepackage{mathpartir}
+
+\usepackage{array}\extrarowheight=\jot	% else, arrays are scrunched compared to, say, aligned
+\newcolumntype{.}{@{}}
+% Array {rMcMl} modifies array {rcl}, putting mathrel-style spacing
+% around the centered column. (We used this, for example, in laying
+% out some of Iris' axioms. Generally, aligned is simpler but aligned
+% does not work in mathpar because \\ inherits mathpar's 2em vskip.)
+% The capital M stands for THICKMuskip. The smaller medmuskip would be
+% right for mathbin-style spacing.
+\newcolumntype{M}{@{\mskip\thickmuskip}}
+\usepackage{tabu}%\tabulinesep=_0pt^\jot
+
+\usepackage{dashbox}
+%\usepackage{arydshln}
+%\setlength{\dashlinegap}{1pt}
+%\setlength{\dashlinedash}{3pt}
+
+% \biimp above below
+% The double lines obtained by the simpler
+% "\mprset{fraction={===}}" overlap the conclusion (e.g., the
+% mask E_M in an atomic triple).
+\newcommand*{\biimp}[2]{%
+	\hbox{%
+		\ooalign{%
+			$\genfrac{}{}{1.6pt}1{#1}{#2}$\cr%
+			$\color{white}\genfrac{}{}{.8pt}1{\phantom{#1}}{\phantom{#2}}$%
+		}%
+	}%
+}
+\newcommand{\BIIMP}{\mprset{myfraction=\biimp}}
+\newcommand{\infern}[3]{\inferrule[#1]{#2}{#3}}
+\newcommand{\infernB}[3]{{\BIIMP\inferrule*[right={#1}]{#2}{#3}}}
+\newcommand{\inferB}[2]{{\BIIMP\infer{#1}{#2}}}
+
+%% inferH is infern with hyperlinks.
+% \savelabel lab text: Arrange for \ref{lab} to print text and to link to the current spot.
+\makeatletter
+	\newcommand*{\savelabel}[2]{%
+		% Think @currentlabel : text ref.
+		\edef\@currentlabel{#2}% Save text
+		\phantomsection% Correct hyper reference link
+		\label{#1}% Print text and store name↦text.
+	}
+\makeatother
+% \textlabel label text: Print and label text.
+\newcommand*{\textlabel}[2]{{#2}\savelabel{#1}{#2}}
+% \rulenamestyle visible
+\newcommand*{\rulenamestyle}[1]{{\TirNameStyle{#1}}}	% From mathpartir.sty.
+% \ruleref [discharged] lab
+\def\optionaldischarge#1{%
+	\if\relax\detokenize{#1}\relax\else\ensuremath{^{#1}}\fi}
+\newcommand*{\ruleref}[2][]{\rulenamestyle{\ref{#2}}\optionaldischarge{#1}}
+\newcommand*{\fakeruleref}[2][]{\rulenamestyle{#2}\optionaldischarge{#1}}
+% \rulename label
+\newcommand*{\rulename}[1]{\rulenamestyle{\textlabel{#1}{#1}}}
+% \inferhref name lab premise conclusion
+\newcommand*{\inferhref}[4]{%
+	\inferrule*[lab=\textlabel{#2}{#1}]{#3}{#4}%
+}
+% \infernH name premise conclusion, if name a valid label.
+\newcommand*{\inferH}[3]{\inferhref{#1}{#1}{#2}{#3}}
+\newcommand*{\axiom}[1]{\infer{}{#1}}
+\newcommand*{\axiomhref}[3]{\inferhref{#1}{#2}{}{#3}}
+\newcommand*{\axiomH}[2]{\inferH{#1}{}{#2}}
+\newcommand*{\inferhrefB}[4]{{\BIIMP\inferhref{#1}{#2}{#3}{#4}}}
+\newcommand*{\inferHB}[3]{{\BIIMP\inferH{#1}{#2}{#3}}}
+
+\usepackage{hyperref}
+\hypersetup{%
+  linktocpage=true, pdfstartview=FitV,
+  breaklinks=true, pageanchor=true, pdfpagemode=UseOutlines,
+  plainpages=false, bookmarksnumbered, bookmarksopen=true, bookmarksopenlevel=3,
+  hypertexnames=true, pdfhighlight=/O,
+  colorlinks=true,linkcolor=LinkColor,citecolor=CiteColor,
+  urlcolor=LinkColor
+}
+
+\newcommand*{\Sref}[1]{\hyperref[#1]{\S\ref*{#1}}}
+\newcommand*{\secref}[1]{\hyperref[#1]{Section~\ref*{#1}}}
+\newcommand*{\lemref}[1]{\hyperref[#1]{Lemma~\ref*{#1}}}
+\newcommand{\corref}[1]{\hyperref[#1]{Cor.~\ref*{#1}}}
+\newcommand*{\defref}[1]{\hyperref[#1]{Definition~\ref*{#1}}}
+\newcommand*{\egref}[1]{\hyperref[#1]{Example~\ref*{#1}}}
+\newcommand*{\appendixref}[1]{\hyperref[#1]{Appendix~\ref*{#1}}}
+\newcommand*{\figref}[1]{\hyperref[#1]{Figure~\ref*{#1}}}
+\newcommand*{\tabref}[1]{\hyperref[#1]{Table~\ref*{#1}}}
+
+\usepackage{multicol}
+
+%\usepackage{pfsteps}
+%\newcommand*{\pflab}[1]{\steppfcounter[#1](\thepfcounter)}
+%\newcommand*{\pftag}[1]{\steppfcounter[#1]\tag{\thepfcounter}}
+%\renewcommand\byCasesEveryCase{}  % turn off counter reset on cases
+%\renewcommand\byCasesEveryOtherwise{}
+
+%\usepackage[monochrome]{color}  % for print version
+\usepackage{xcolor}  % for print version
+
+\usepackage{graphicx}
+
+\definecolor{StringRed}{rgb}{.637,0.082,0.082}
+\definecolor{CommentGreen}{rgb}{0.0,0.55,0.3}
+\definecolor{KeywordBlue}{rgb}{0.0,0.3,0.55}
+\definecolor{LinkColor}{rgb}{0.55,0.0,0.3}
+\definecolor{CiteColor}{rgb}{0.55,0.0,0.3}
+\definecolor{HighlightColor}{rgb}{0.0,0.0,0.0}
+
+\usepackage{tikz}
+\usetikzlibrary{shapes}
+%\usetikzlibrary{snakes}
+\usetikzlibrary{arrows}
+\usetikzlibrary{calc}
+\usetikzlibrary{arrows.meta}
+\tikzstyle{state}=[circle, draw, minimum size=1.2cm, align=center]
+\tikzstyle{trans}=[arrows={->[scale=1.4]}]
+
+\tikzstyle{layer}=[rounded corners=2pt, thin, align=center, draw, minimum width=4.2cm,minimum height=0.8cm]
+
+\definecolor{grey}{rgb}{0.5,0.5,0.5}
+\definecolor{red}{rgb}{1,0,0}
+%\renewcommand{\pfcounteranchor}[1]
+%  {{\scriptsize#1\color{grey}.}\ \ }
+%  {{\scriptsize{\color{grey}(}#1{\color{grey})}}\ \ }
+
+% \usepackage[all,cmtip]{xy}
+% \usepackage{diagxy}
+
+%\theoremstyle{definition}
+%\newtheorem{prop}{Prop}
+\newtheorem{defn}{Definition}
+\newtheorem{cor}{Corollary}
+\newtheorem{conj}{Conj}
+\newtheorem{lem}{Lemma}
+\newtheorem{thm}{Theorem}
+
+\newtheorem{exercise}{Exercise}
+
+\usepackage{rotating}
+\usepackage{xparse}
+\usepackage{xstring}
+\usepackage{semantic}
+\usepackage{csquotes}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% MACROS
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\newcommand{\changes}{{\bf\color{red}{Changes}}}
+\newcommand{\TODO}{\vskip 4pt {\color{red}\bf TODO}}
+
+%\newcommand{\bigast}{\scalebox{3}{\raisebox{-0.3ex}{$\ast$}}}
+%\newcommand{\bigtimes}{\scalebox{2.5}{\raisebox{-0.3ex}{$\times$}}}
+\DeclareMathOperator*{\Sep}{\scalerel*{\ast}{\sum}}
+\newcommand{\bigast}{\Sep}
+
+\newcommand*{\sep}[1][]{\mathrel{\#_{#1}}}	% bad name; it's a different "sep"
+
+\newcommand{\kw}[1]{\textbf{\textsf{#1}}}
+\newcommand{\ALT}{\ |\ }
+
+\newenvironment{pf}
+  {\resetpfcounter\begin{proof}}
+  {\end{proof}}
+
+% superscript to the left
+\def\presuper#1#2%
+  {\mathop{}%
+   \mathopen{\vphantom{#2}}^{#1}%
+   \kern-\scriptspace%
+   #2}
+
+
+\newcommand{\upclose}{\mathord{\uparrow}}
+   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% METAVARIABLES
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newcommand{\aexpr}{a}
+\newcommand{\expr}{e}
+\newcommand{\type}{\tau}
+\newcommand{\htype}{\sigma}
+\newcommand{\ctype}{\sigma}
+\newcommand{\heap}{h}
+\newcommand{\tyvar}{\alpha}
+\newcommand{\tyvarB}{\beta}
+\newcommand{\val}{v}
+\newcommand{\valB}{w}
+\newcommand{\hval}{u}
+\newcommand{\tls}{L}
+\newcommand{\tlsVar}{L}
+
+\newcommand{\cenv}{\Omega}
+\newcommand{\tenv}{\Gamma}
+\newcommand{\tvenv}{\Delta}
+
+%\newcommand{\vctx}{\mathcal{X}}
+\newcommand{\pvar}{p}
+\newcommand{\pvarB}{q}
+%\newcommand{\pvarC}{r}
+
+\newcommand{\ectx}{K}
+\newcommand{\tpool}{T}
+
+% \newcommand{\progexpr}{p}
+% \newcommand{\progctx}{D}
+
+\newcommand{\subst}{\gamma}
+
+\newcommand{\island}{I}
+\newcommand{\sisland}{\iota}
+%\newcommand{\islands}{\omega}
+\newcommand{\islands}{\mathbf{\island}}
+
+\newcommand{\predinterp}{\PRED}
+\newcommand{\propinterp}{\mathcal{P}}
+
+\newcommand{\PROP}{\mathcal{P}}
+\newcommand{\PROPB}{\mathcal{Q}}
+
+\newcommand{\interp}{\textrm{interp}}
+\newcommand{\interps}{\textrm{interpAll}}
+
+\newcommand{\restype}{\theta}
+\newcommand{\restypes}{\boldsymbol{\theta}}
+
+
+\newcommand{\aprop}{{\color{red}A}}
+
+\newcommand{\prop}{P}
+\newcommand{\propB}{Q}
+\newcommand{\propC}{R}
+
+\newcommand{\pred}{\varphi}
+\newcommand{\predB}{\psi}
+\newcommand{\predC}{\zeta}
+
+\newcommand{\Prop}{\textlog{Prop}}
+\newcommand{\Pred}{\textlog{Pred}}
+
+\newcommand{\PropDom}{\textit{Prop}}
+\newcommand{\PredDom}{\textit{Pred}}
+
+% \newcommand{\Prop}{\mathbb{B}}
+% \newcommand{\Pred}{\mathbb{P}}
+
+\newcommand{\res}{r}
+\newcommand{\resB}{s}
+
+%\newcommand{\propSet}{\mathcal{P}}
+%\newcommand{\apropSet}{\mathcal{A}}
+%\newcommand{\pfctx}{\mathcal{C}}
+\newcommand{\vctx}{\Gamma}
+\newcommand{\pfctx}{\Theta}
+
+\newcommand{\PCLCTX}{Prop context}
+\newcommand{\PCVARS}{Variables}
+
+\newcommand{\PContextStyle}[1]{\fbox{\extrasepB{0.5pt}\color{CommentGreen}$#1$}}
+%\newcommand{\PContextStyle}[1]{\ensuremath{\color{CommentGreen}\left[#1\right]}}
+\newcommand{\PContext}[1]{\PContextStyle{\begin{array}{@{}l@{}}\textbf{\PCLCTX: }\\#1\end{array}}}
+\newcommand{\PContextB}[2]{\PContextStyle{\begin{array}{@{}l@{}}
+    \textbf{\PCLCTX: }\hspace{\stretch{1}}\textbf{\PCVARS: }{#1}
+    \\#2
+  \end{array}}}
+\newcommand{\PContextC}[2]{\PContextStyle{\begin{array}{@{}l@{}}
+    \textbf{\PCLCTX: }\qquad\textbf{\PCVARS: }{#1}
+    \\#2
+  \end{array}}}
+\newcommand{\PContextD}[2]{\PContextStyle{
+    \textbf{\PCLCTX: }{#2}\qquad\textbf{\PCVARS: }{#1}}}
+\newcommand{\PContextE}[1]{\PContextStyle{\textbf{\PCVARS: }{#1}}}
+
+\newcommand{\assert}{\varphi}
+\newcommand{\assertB}{\psi}
+
+\newcommand{\PRED}{\Phi}
+
+%% \newcommand{\pname}{\pi}
+%% \newcommand{\prot}{\pi}
+%% \newcommand{\prots}{\boldsymbol{\pi}}
+%% \newcommand{\protSet}{\mathcal{N}}
+
+\newcommand{\iname}{\iota}
+\newcommand{\inameB}{\iota'}
+\newcommand{\inv}{I}
+\newcommand{\invs}{\mathcal{I}}
+\newcommand{\mask}{\mathcal{E}}
+\newcommand{\consistent}{\textsf{consistent}}
+
+\newcommand{\fullSat}[4]{#1 \models_{#2} #3; #4}
+\newcommand{\fullNSat}[6]{#2 \models_{#3}^{#1} #4; #5; #6}
+
+\newcommand{\state}{\varsigma}
+\newcommand{\prescar}{\Pi}
+\newcommand{\pres}{\pi}
+
+\newcommand{\erasestate}[1]{|#1|_\state}
+\newcommand{\eraseexp}[1]{|#1|_\expr}
+
+\newcommand{\var}{x}
+\newcommand{\varB}{y}
+\newcommand{\varC}{z}
+%\newcommand{\VAL}{d}
+\newcommand{\ectxVar}{\kappa}
+
+\newcommand{\term}{t}
+\newcommand{\termB}{u}
+\newcommand{\termVal}{V}
+
+\newcommand{\sort}{\sigma}
+
+\newcommand{\SigNat}{\Sigma}
+\newcommand{\SigType}{\mathcal{T}}
+\newcommand{\SigFn}{\mathcal{F}}
+\newcommand{\sigfn}{F}
+
+\newcommand{\tmap}{B}
+\newcommand{\ttokSet}{I}
+
+\newcommand{\monoid}{M}
+\newcommand{\mcar}[1]{|#1|}
+\newcommand{\mcarp}[1]{\mcar{#1}^{+}}
+\newcommand{\mzero}{\bot}
+\newcommand{\munit}{\mathord{\varepsilon}}
+\newcommand{\mtimes}{\mathbin{\cdot}}
+%\newcommand{\mvar}{a}
+%\newcommand{\mvarB}{b}
+\newcommand{\melt}{a}
+\newcommand{\meltB}{b}
+\newcommand{\meltC}{c}
+\newcommand{\melts}{A}
+\newcommand{\meltsB}{B}
+\newcommand{\ghostRes}{g}
+\newcommand{\gtimes}{\bullet}
+\newcommand{\monoids}{\textrm{ProdMonoid}}
+\newcommand{\gname}{\gamma}
+\newcommand{\valid}{\textsf{valid}}
+\newcommand{\textmon}[1]{\textsc{#1}}
+
+
+\newcommand{\textstate}[1]{\textsf{#1}}
+\newcommand{\texttok}[1]{\textsc{#1}}
+
+\newcommand{\atlas}{A}
+
+
+\newcommand{\chmap}{C}
+\newcommand{\bag}{M}
+\newcommand{\chan}{c}
+\newcommand{\chanmaps}{\Yleft}
+\newcommand{\fchanmaps}[1][-]{\stackrel{#1}{\chanmaps}}
+
+
+\newcommand{\msg}{m}
+\newcommand{\dest}{d}
+\let\mkbag=\bag
+\newcommand{\bagB}{N}
+\newcommand{\emptybag}{\emptyset}
+\newcommand{\MASK}{InvMask}
+\newcommand{\CHAN}{Chan}
+\newcommand{\VAR}{Var}
+\newcommand{\VAL}{Val}
+\newcommand{\EXP}{Exp}
+\newcommand{\ECTX}{Ctx}
+\newcommand{\hole}{[]}
+\newcommand{\BAG}{Bag}
+\newcommand{\STATE}{State}
+\newcommand{\rvar}{r}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% SYNTAX
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\All #1.{\forall #1.\;}%
+\def\Exists #1.{\exists #1.\;}%
+\def\Absp #1.{({#1}).\;}
+\def\Ret #1.{#1.\;}%
+\def\Lam #1.{\lambda #1.\;}%
+\def\MU #1.{\mu #1.\;}%
+\newcommand{\any}{{\rule[-.2ex]{1ex}{.4pt}}}%
+\newcommand{\unitval}{()}%
+
+%\newcommand{\emptytenv}{\bullet}
+%\newcommand{\fn}[2]{\lambda {#1}. {#2}}
+%\newcommand{\app}[2]{{#1}\;{#2}}
+%\newcommand{\pair}[1]{\llparenthesis #1 \rrparenthesis}
+%\newcommand{\true}{\kw{true}}
+%\newcommand{\false}{\kw{false}}
+%\newcommand{\ite}[3]{\kw{if}\ #1\ \kw{then}\ #2\ \kw{else}\ #3}
+%\newcommand{\new}{\kw{new}\;}
+%\newcommand{\deref}[1]{\kw{get}\;{#1}}
+%\newcommand{\assign}[2]{{#1}\;:=\;{#2}}
+%\newcommand{\cas}{\kw{CAS}}
+%\newcommand{\unfold}{\kw{unfold}\ }
+%\newcommand{\fold}{\kw{fold}\ }
+%\newcommand{\unroll}{\kw{unroll}\ }
+%\newcommand{\roll}{\kw{roll}\ }
+%\newcommand{\rec}[2]{\kw{rec}\; {#1}.{#2}}
+%\newcommand{\recf}[3]{\kw{rec}\;{#1}({#2}).{#3}}
+%\newcommand{\recf}[3]{\mu{#1}({#2}).{#3}}
+%\newcommand{\fix}[2]{\kw{fix}\ {#1}.{#2}}
+%\newcommand{\pack}[1]{\kw{pack}\;{#1}}
+%\newcommand{\unpack}[3]{\kw{unpack}\ #1\ \kw{as}\ #2\ \kw{in}\ #3}
+%\newcommand{\atomic}[1]{\kw{atomic}\;{#1}}
+%\newcommand{\inatomic}[1]{\kw{inatomic}\;{#1}}
+%\newcommand{\bind}[2]{\kw{let}\;{#1}\;\kw{in}\;{#2}}
+%
+%\newcommand{\lnew}{\kw{newLcl}}
+%\newcommand{\lderef}[1]{\kw{getLcl}({#1})}
+%\newcommand{\lassign}[2]{\kw{setLcl}({#1},{#2})}
+%
+%\newcommand{\makeAtomic}{\textsf{mkAtomic}}
+%\newcommand{\withLock}{\textsf{withLock}}
+
+\newcommand{\inj}[2]{\kw{inj}_{#1}\;#2}
+\newcommand{\inl}[1]{\inj{1}{#1}}
+\newcommand{\inr}[1]{\inj{2}{#1}}
+
+\newcommand{\prj}[2]{\kw{prj}_{#1}\;#2}
+\newcommand{\prl}[1]{\prj{1}{#1}}
+\newcommand{\prr}[1]{\prj{2}{#1}}
+
+%% \newcommand{\match}[5]{\kw{case}\;{#1}\;\kw{of}\;
+%%         \inl{#2} \Rightarrow {#3}\;|\;
+%%         \inr{#4} \Rightarrow {#5}}
+\newcommand{\match}[5]{
+  \kw{case}({#1}, #2 \Rightarrow {#3}, {#4} \Rightarrow {#5})}
+\newcommand{\tabs}[1]{\Lambda. {#1}}
+\newcommand{\tapp}[1]{{#1}\;\any}
+\newcommand{\fork}[1]{\kw{fork}\;{#1}}
+\newcommand{\forkid}[1]{\textsf{forkID}\;{#1}}
+\newcommand{\join}[1]{\textsf{join}\;{#1}}
+\newcommand{\tryAcq}{\textsf{tryAcq}}
+\newcommand{\acq}{\textsf{acq}}
+\newcommand{\rel}{\textsf{rel}}
+%\newcommand{\sync}[2]{\textsf{sync}(#1)\;\{\;{#2}\;\}}
+\newcommand{\sync}{\textsf{sync}}
+\newcommand{\mkSync}{\textsf{mkSync}}
+
+\definecolor{Erased}{rgb}{0.35,0.35,0.35}
+\definecolor{ErasedLight}{rgb}{0.5,0.5,0.5}
+\newcommand{\erased}[1]{{\color{ErasedLight}[}{\color{Erased}#1}{\color{ErasedLight}]}}
+%\newcommand{\erased}[1]{\underline{#1}}
+
+\newcommand{\bool}{\kw{B}}
+\newcommand{\nat}{\kw{N}}
+\newcommand{\unit}{\kw{1}}
+%% \newcommand{\b\ool}{\kw{bool}}
+%% \newcommand{\nat}{\kw{nat}}
+%% \newcommand{\unit}{\kw{unit}}
+%\newcommand{\refTy}[1]{\kw{ref}\;{#1}}
+%\newcommand{\lrefTy}[1]{\kw{refLcl}\;{#1}}
+
+%\newcommand{\optrefTy}[1]{\kw{ref}_{?}({#1})}
+%\newcommand{\optTy}[1]{{#1}_{?}}
+%\newcommand{\none}{\textsf{none}}
+%\newcommand{\some}{\textsf{some}}
+
+%\newcommand{\threadTy}[1]{\kw{thread}\;{#1}}
+%\newcommand{\all}[2]{\forall {#1}.{#2}}
+%\newcommand{\ex}[2]{\exists {#1}.{#2}}
+%\newcommand{\recTy}[2]{\mu {#1}.{#2}}
+%\newcommand{\thread}[1]{\kw{thread}\;{#1}}
+%
+%\newcommand{\derefi}[2]{\kw{get}({#1}[{#2}])}
+%\newcommand{\assigni}[3]{{#1}[#2]\;:=\;{#3}}
+%\newcommand{\casi}[4]{\cas({#1}[{#2}], #3, #4)}
+%
+%\newcommand{\casF}[3]{\cas({#1}, #2, #3)}
+
+%% \newcommand{\mpair}[2]{#1 \otimes #2}
+%% \newcommand{\assignL}[2]{{#1}\;:=_1\;{#2}}
+%% \newcommand{\assignR}[2]{{#1}\;:=_2\;{#2}}
+
+\newcommand{\emptyivar}{\bot}
+
+\newcommand{\cfg}[2]{{#1};{#2}}
+\newcommand{\acfg}[3]{{#1};\;{#2};\;{#3}}
+\newcommand{\enables}[2]{#1\mbox{ enables }#2}
+
+\newcommand{\R}[1]{\mbox{$\{\;\begin{array}[t]{@{}l@{}}{#1}\;\}\end{array}$}}
+
+\newcommand{\id}{\bot}
+
+\newcommand{\isvar}{N}
+\newcommand{\iset}{N}
+
+
+%\newcommand*\kwd[1]{\textup{\textbf{\texttt{#1}}}}
+\let\kwd\kw
+\newcommand*\dform[1]{\textsf{#1}}
+\newcommand*{\ide}[1]{\mathit{#1}}
+
+\reservestyle{\keyword}{\kw}
+\reservestyle{\langop}{\mathrm}
+\reservestyle{\derivedform}{\dform}
+\reservestyle{\identifier}{\ide}
+
+\keyword{let[let\:],let*[let],in[\:in\:],if[if\:],then[\:then\:],else[\:else\:],skip,skip*[skip]}
+\keyword{case[case\:],of[\:of\:]}%
+\keyword{rec[rec\:],rec*[rec]}
+\def\Rec #1.{\<rec>{#1}.\;}
+\keyword{fork[fork\:],newch,newch*[newch],send,send*[send],tryrecv[tryrecv\:],tryrecv*[tryrecv]}%
+\derivedform{recv[recv\:],recv*[recv]}%
+\derivedform{cas,cas*[cas],ref[ref\:],ref*[ref]}
+%\newcommand{\cas}{\<cas*>}%	override setup's \kw{CAS}
+\langop{!,:=}
+\derivedform{true,false}
+\derivedform{Some,None}
+\derivedform{null}
+\identifier{reply}%
+\derivedform{srv,rpc,rpc*[rpc],Get,Set,Cas}%
+\derivedform{spawn,join}
+
+\newcommand\parcomp{\mathrel{||}}
+
+\identifier{loop}%
+\newcommand*{\Esend}[2]{\<send>(#1, #2)}
+\newcommand{\Eref}{\mask_\textsf{ref}}
+\newcommand*{\refmaps}{\mapsto}
+\newcommand{\Echan}{\mask_\mathsf{chan}}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% ASSERTIONS
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\newcommand{\protAt}[3]{\mbox{$
+		\begin{array}{|@{}l@{}|@{}l@{}|}
+		\firsthline \;#1 : #2\;\; & \;#3\;\; \\
+		\lasthline
+		\end{array}$}}
+\newcommand{\protAtB}[2]{\mbox{$
+		\begin{array}{|@{}l@{}|}
+		\firsthline \;#1 : #2\;\; \\
+		\lasthline
+		\end{array}$}}
+
+% PDS: The baseline of the boxed contents of
+% \oldKnowInv and \oldOwnGGhost and \oldOwnGhost isn't right:
+% It can be lower than the surrounding formula.
+%\newcommand{\oldKnowInv}[2]{\mbox{$
+%  \begin{array}{|@{\;}c@{\;}|}
+%     \firsthline #2 \\
+%     \lasthline
+%  \end{array}$}{}^{\,#1}}
+
+%% \newcommand{\ownGhost}[2]{{\dbox{$#1 : #2$}}}
+%% \newcommand{\ownGhostB}[3]{\dbox{$#1 : #2$}{}_{#3}}
+
+% \newcommand{\ownGhost}[3]{\mbox{$
+%   \begin{array}{:@{}l@{}:@{}l@{}:}
+%      \firsthdashline \;#1 : #2\;\; & \;#3\;\; \\
+%      \lasthdashline
+%   \end{array}$}}
+%\newcommand{\oldOwnGhost}[2]{\mbox{$  
+%  \begin{array}{:@{\;}c@{\;}:}
+%     \firsthdashline #2 \\
+%     \lasthdashline
+%  \end{array}$}{}^{\,#1}}
+%\newcommand{\oldOwnGGhost}[1]{\mbox{$  
+%  \begin{array}{:@{\;}c@{\;}:}
+%     \firsthdashline #1 \\
+%     \lasthdashline
+%  \end{array}$}}
+
+% PDS: Was 0pt inner, 2pt outer.
+% \boxedassert [tikzoptions] contents [name]
+\tikzstyle{boxedassert_border} = [sharp corners,line width=0.2pt]
+\NewDocumentCommand \boxedassert {O{} m o}{%
+	\tikz[baseline=(m.base)]{
+		%	  \node[rectangle, draw,inner sep=0.8pt,anchor=base,#1] (m) {${#2}\mathstrut$};
+		\node[rectangle,inner sep=0.8pt,outer sep=0.2pt,anchor=base] (m) {${#2}\mathstrut$};
+		\draw[#1,boxedassert_border] ($(m.south west) + (0,0.65pt)$) rectangle ($(m.north east) + (0, 0.7pt)$);
+	}\IfNoValueF{#3}{^{\,#3}}%
+}
+\newcommand*{\knowInv}[2]{\boxedassert{#2}[#1]}
+\newcommand*{\ownGhost}[2]{\boxedassert[densely dashed]{#2}[#1]}
+\newcommand*{\ownGGhost}[1]{\boxedassert[densely dashed]{#1}}
+
+\newcommand{\ownPhys}[1]{\lfloor#1\rfloor}
+
+\newcommand{\supported}[1]{\left[ #1 \right]}
+
+
+%\newcommand*{\know}[2]{\knowInv{#1}{#2}}%
+%\newcommand*{\own}[2]{\ownGhost{#1}{#2}}%
+
+%\newcommand{\varset}{\mathcal{X}}
+
+\newcommand{\simpl}{\textsc{i}}
+\newcommand{\sspec}{\textsc{s}}
+\newcommand{\IMSP}{\simpl\sspec}
+
+\newcommand{\pointsto}{\hookrightarrow}
+\newcommand{\wand}{\;{{\mbox{---}}\!\!{*}}\;}
+%\newcommand{\gm}{\Rrightarrow}
+
+\NewDocumentCommand \vsGen {O{} m O{}}%
+  {\mathrel{%
+    \ifthenelse{\equal{#3}{}}{%
+      % Just one mask, or none
+      {#2}_{#1}%
+    }{%
+      % Two masks
+      \presuper{#1}{#2}^{#3}
+    }%
+  }}%
+\NewDocumentCommand \vs {O{} O{}} {\vsGen[#1]{\Rrightarrow}[#2]}
+\NewDocumentCommand \vsL {O{} O{}} {\vsGen[#1]{\Lleftarrow}[#2]}
+\NewDocumentCommand \vsE {O{} O{}} %
+  {\vsGen[#1]{\Lleftarrow\!\!\!\Rrightarrow}[#2]}
+
+\newcommand{\mupd}{\rightsquigarrow}
+
+\newcommand{\heapmaps}[1]{\hookrightarrow_{#1}}
+\newcommand{\codemaps}[1]{\Mapsto_{#1}}
+
+\newcommand{\implmaps}{\heapmaps{\IM}}
+\newcommand{\implmapscode}{\codemaps{\IM}}
+
+\newcommand{\specmaps}{\heapmaps{\SP}}
+\newcommand{\specmapscode}{\codemaps{\SP}}
+
+\newcommand{\IM}{\simpl}
+\newcommand{\SP}{\sspec}
+
+%\newcommand{\tRole}[1]{\texttok{Tid}(#1)}
+\newcommand{\bij}[2]{{#1} \bowtie {#2}}
+
+\newcommand{\iassert}[3]{\fbox{$#1$}{}^{#2}_{#3}}
+
+%\newcommand{\mown}[2]{\textsf{own}(#1, #2)}
+\newcommand{\mown}[3]{\fbox{$#1$}^{#2}_{#3}}
+\newcommand{\minterp}[2]{\textsf{interp}(#1) = #2}
+\newcommand{\mdisable}[2]{\delta_{#1}(#2)}
+
+\newcommand{\TRUE}{\textlog{True}}
+\newcommand{\FALSE}{\textlog{False}}
+\newcommand{\emp}{\textsf{emp}}
+
+\newcommand{\const}{\textlog{Inv}}
+
+\newcommand{\infinite}{\textlog{infinite}}
+
+\newcommand{\tokPure}{\textlog{TokPure}}
+\newcommand{\timeless}[1]{\textlog{timeless}(#1)}
+
+\newcommand{\physatomic}[1]{\text{$#1$ phys.\ atomic}}
+
+\newcommand{\unlimRely}[1]{\cdot \geqRely {#1}}
+
+\newcommand{\fmapsto}[1][-]{\stackrel{#1}{\mapsto}}
+\newcommand{\gmapsto}{\hookrightarrow}%
+\newcommand{\fgmapsto}[1][-]{\stackrel{#1}{\gmapsto}}%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% EXAMPLES
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newcommand{\onemany}[3]{
+  \draw[thick,->] (#1) to node [swap] {#2} (#3)
+%  \draw[-,thick] (#1) to node [swap] {#2} (#3)
+}
+\newcommand{\onemanyB}[3]{
+  \draw[thick,->] (#1) to node {#2} (#3)
+%  \draw[-,thick] (#1) to node [swap] {#2} (#3)
+}
+\newcommand{\onemanyabove}[3]{
+  \draw[thick,->] (#1) to [out=90,in=90] node [swap] {#2} (#3)
+%  \draw[-,thick] (#1) to [out=90,in=90] node [swap] {#2}  (#3)
+}
+
+\newcommand{\ret}{\textsf{ret}}
+
+\newcommand{\try}{\textsf{try}}
+
+%\newcommand{\lock}{\textsf{lock}}
+%\newcommand{\unlock}{\textsf{unlock}}
+%\newcommand{\newlock}{\textsf{newlock}}
+\newcommand{\head}{\textsf{hd}}
+
+\newcommand{\optionTy}{\textsf{option}}
+
+\newcommand{\extract}[1]{\textsf{getVal}(#1)}
+
+\newcommand{\listTy}{\textsf{list}}
+\newcommand{\cons}{\textsf{cons}}
+\newcommand{\nil}{\textsf{nil}}
+\newcommand{\nullv}{\textsf{null}}
+%\newcommand{\nil}{\none}
+\newcommand{\setNext}{\textsf{setNext}}
+
+\newcommand{\consAtI}[3]{{#1} \propto_\simpl \cons({#2}, {#3})}
+\newcommand{\consAtS}[3]{{#1} \propto_\sspec \cons({#2}, {#3})}
+
+%\newcommand{\consAt}[3]{\cons({#1}, {#2})@{#3}}
+
+\newcommand{\enq}{\textsf{enq}}
+%\newcommand{\tryDeq}{\textsf{tryDeq}}
+\newcommand{\deq}{\textsf{deq}}
+
+\newcommand{\live}{\textsf{Live}}
+\newcommand{\dead}{\textsf{Dead}}
+\newcommand{\sentinel}{\textsf{Sentinel}}
+
+\newcommand{\link}{\textlog{Link}}
+
+%\newcommand{\lateChoice}{\textsf{lateChoice}}
+%\newcommand{\earlyChoice}{\textsf{earlyChoice}}
+%\newcommand{\rand}{\textsf{rand}}
+
+%\newcommand{\redFlag}{\textsf{redFlag}}
+%\newcommand{\blueFlag}{\textsf{blueFlag}}
+%\newcommand{\flag}{\textit{flag}}
+%\newcommand{\chan}{\textit{chan}}
+%\newcommand{\flip}{\textsf{flip}}
+%\newcommand{\flipBody}{\textsf{flipBody}}
+%\newcommand{\read}{\textsf{read}}
+
+%\newcommand{\install}{\textsf{install}}
+%\newcommand{\commit}{\textsf{commit}}
+%\newcommand{\abort}{\textsf{abort}}
+%\newcommand{\complete}{\textsf{complete}}
+
+\newcommand{\undecided}{\textsf{U}}
+\newcommand{\committed}{\textsf{C}}
+\newcommand{\aborted}{\textsf{A}}
+
+\newcommand{\descriptor}{\textsf{descriptor}}
+
+\newcommand{\ccas}{\widehat{\textsf{ccas}}}
+\newcommand{\ccasCAS}{\widehat{\textsf{cas}}}
+\newcommand{\ccasRead}{\widehat{\textsf{read}}}
+
+\newcommand{\Empty}{\textsf{Empty}}
+\newcommand{\Offered}{\textsf{Offered}}
+\newcommand{\Accepted}{\textsf{Accepted}}
+
+\newcommand{\counter}{\textsf{counter}}
+\newcommand{\fun}{\textsf{fun}}
+\newcommand{\get}{\textsf{get}}
+\newcommand{\complete}{\textsf{complete}}
+\newcommand{\setFlag}{\textsf{setFlag}}
+\newcommand{\condInc}{\textsf{cinc}}
+
+\newcommand{\Signaled}{\textsf{Signaled}}
+\newcommand{\Speculated}{\textsf{Speculated}}
+\newcommand{\Completed}{\textsf{Done}}
+\newcommand{\Withdrawn}{\textsf{Gone}}
+
+\newcommand{\Upd}{\textsf{Upd}}
+\newcommand{\Const}{\textsf{Const}}
+
+\newcommand{\reach}{\textsf{reach}}
+
+\newcommand{\ann}[1]{
+  {\color{KeywordBlue}\ensuremath{
+  \{
+    \begin{array}[t]{@{}l@{}}
+      #1 
+    \end{array}
+  \}}}
+}
+
+\newcommand{\annB}[1]{
+  {\color{KeywordBlue}\ensuremath{
+  \left\{
+    \begin{array}{@{}l@{}}
+      #1 
+    \end{array}
+  \right\}}}
+}
+
+\newcommand{\aann}[1]{
+  {\color{KeywordBlue}
+   \begin{array}{@{}l@{}}
+     \llparenthesis #1 \rrparenthesis
+   \end{array}}
+}
+
+\newcommand{\sortOf}{\textlog{sort}}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% JUDGMENTS
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\newcommand{\wfte}[1]{{#1}\;\mbox{tyenv}}
+\newcommand{\wtt}[2]{#1 : #2}
+\newcommand{\wt}[3]{#1 \proves #2 : #3}
+\newcommand{\wtd}[4]{#1; #2 \proves #3 : #4}
+
+\newcommand{\judgment}[2]{\paragraph{#1}\hspace{\stretch{1}}\fbox{$#2$}}
+\newcommand{\judgmentB}[2]{\paragraph{#1}\hspace{\stretch{1}}{$#2$}}
+\newcommand{\judgmentC}[2]{{\normalsize\textbf{\emph{#1}}}\hspace{\stretch{1}}{\fbox{$#2$}}}
+\newcommand{\judgmentD}[2]{{\normalsize\textbf{\emph{#1}}}\quad{\fbox{$#2$}}}
+
+\newcommand{\isAtomic}[2]{\cfg{#1}{#2}\ \textrm{atomic}}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% MATH
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\newcommand{\pabs}{\lambda}
+
+\newcommand{\textdom}[1]{\textit{#1}}
+%\newcommand{\texttok}[1]{\textit{#1}}
+\newcommand{\textlog}[1]{\textsf{#1}}
+\newcommand{\textsort}[1]{\textlog{#1}}
+\newcommand{\textvar}[1]{\textit{#1}}
+
+\newcommand{\erase}[1]{\lfloor #1 \rfloor}
+\newcommand{\UNLIMITED}{\textdom{UWorld}}
+
+\newcommand{\sat}[3]{(#1,#2) : {#3}}
+\newcommand{\satw}[3]{#1, #2 : #3}
+\newcommand{\satwi}[4]{#1, #2 : #3, #4}
+\newcommand{\satwiB}[3]{#1 : #2, #3}
+
+\newcommand{\satall}[5]{#1, #2 \models_{#3} #4, #5}
+
+\newcommand{\ftv}[1]{\mathrm{ftv}(#1)}
+\newcommand{\tv}[1]{\mathrm{tyvars}(#1)}
+\newcommand{\vars}[1]{\mathrm{vars}(#1)}
+\newcommand{\threads}[1]{\mathrm{threads}(#1)}
+\newcommand{\spec}[2]{\mathrm{spec}(#1,#2)}
+
+\newcommand{\refisland}[2]{\mathrm{ref}(#1, #2)}
+\newcommand{\hvalisland}[2]{\mathrm{hval}(#1, #2)}
+\newcommand{\halloc}[2]{\mathrm{halloc}\left(#1, #2\right)}
+
+\newcommand{\withIsland}{\blacktriangleleft}
+\newcommand{\withIslands}{\blacktriangleleft}
+\newcommand{\wimplspecextend}[2]{#1 \blacktriangleleft #2}
+\newcommand{\whvalalloc}[3]{#1 \blacktriangleleft_{#2} #3}
+
+\newcommand{\wok}[1]{{#1}\;\mbox{valid}}  % ``World OK''
+
+\newcommand{\pfn}{\rightharpoonup}
+\newcommand{\fpfn}{\stackrel{\textrm{fin}}{\rightharpoonup}}
+\newcommand{\ra}{\rightarrow}
+\newcommand{\Ra}{\Rightarrow}
+\newcommand{\Lra}{\Leftrightarrow}
+\newcommand{\monra}{\stackrel{\textrm{mon}}{\rightarrow}}
+%\newcommand{\res}{\upharpoonright}
+
+\newcommand{\restr}[2]{\lfloor #1 \rfloor_{#2}}
+
+\newcommand{\zipTo}{\upharpoonright}
+
+\newcommand{\OLDPRIMSTEP}[1]{{\color{red}\hookrightarrow}}
+
+\newcommand{\reachable}{\diamond}
+\newcommand{\cstep}{\rightrightarrows}
+\newcommand{\primstep}[1]{\stackrel{#1}{\rightarrow}}
+\newcommand{\purestep}{\stackrel{\textrm{pure}}{\rightarrow}}%
+\newcommand{\step}{\ra}
+\newcommand{\lstep}[1]{\stackrel{#1}{\step}}
+\newcommand{\starstep}{\step^{*}}
+\newcommand{\stepstar}{\starstep}
+\newcommand{\resstep}[3]{#1 \vdash #2 \step #3}
+\newcommand{\lresstep}[4]{#1 \vdash #2 \lstep{#4} #3}
+
+\newcommand{\heapOf}{\textrm{heap}}
+
+\newcommand{\mstep}[1]{\stackrel{#1}{\leadsto}}
+
+\newcommand{\exclusive}[1]{\textrm{ex}(#1)}
+\newcommand{\tpalg}[1]{\overline{\wp}(#1)}
+\newcommand{\optional}[1]{{#1}_\id}
+\newcommand{\tsys}[1]{\textrm{trans}(#1)}
+
+\newcommand{\pstep}{\leadsto}
+\newcommand{\lpstep}[1]{\stackrel{#1}{\pstep}}
+\newcommand{\downto}{\searrow}
+
+\newcommand{\wstep}[5]{\langle#1, #2\rangle \stackrel{#3}{\rightarrow} \langle#4, #5\rangle}
+
+\newcommand{\wsplit}{\bullet}
+\newcommand{\rsplit}{\bullet}
+
+\newcommand{\issplit}{\otimes}
+\newcommand{\ssplit}{\otimes}
+\newcommand{\orspec}{\oplus}
+\newcommand{\withCtx}{\triangleleft}
+
+\newcommand{\protStatus}{E}
+\newcommand{\disabled}{\textsf{disabled}}
+\newcommand{\enabled}{\textsf{enabled}}
+
+%\newcommand{\monora}{\stackrel{\textrm{mono}}{\longrightarrow}}
+\newcommand{\monora}{\Rightarrow}
+
+% LB
+\newcommand{\nequiv}[1]{\ensuremath{\mathrel{\stackrel{#1}{=}}}}
+\newcommand{\notnequiv}[1]{\ensuremath{\mathrel{\stackrel{#1}{\neq}}}}
+\newcommand{\nequivset}[2]{\ensuremath{\mathrel{\stackrel{#1}{=}_{#2}}}}
+\newcommand{\nequivB}[1]{\ensuremath{\mathrel{\stackrel{#1}{\equiv}}}}
+\newcommand{\UPred}{\textdom{UPred}}
+\newcommand{\SPred}{\textdom{SPred}}
+\newcommand{\latert}{\mathord{\blacktriangleright}}
+
+%\newcommand{\emp}{1}
+% \newcommand{\lget}{\textrm{get}}
+% \newcommand{\lput}{\textrm{put}}
+% \newcommand{\trans}{\textrm{trans}}
+
+\newcommand{\lift}[1]{\lfloor {#1} \rfloor}
+
+\newcommand{\Sem}[1]{\llbracket #1 \rrbracket}
+
+\newcommand{\semSort}[1]{\Sem{#1}}
+\newcommand{\semTerm}[1]{\Sem{#1}}
+\newcommand{\semVCtx}[1]{\Sem{#1}}
+\newcommand{\semProtSet}[1]{\Sem{#1}}
+\newcommand{\semAProp}[1]{\Sem{#1}}
+
+%\newcommand{\semProp}[3]{#1 \models^{#2} #3}
+\newcommand{\semProp}[3]{#1 \in \llbracket #3 \rrbracket^{#2}}
+\newcommand{\semPropB}[2]{\llbracket #2 \rrbracket^{#1}}
+\newcommand{\semPred}[2]{\llbracket{#1}\rrbracket^{#2}}
+
+\newcommand{\Interp}[1]{\mathcal{I}\llbracket #1 \rrbracket}
+\newcommand{\Val}[1]{\llbracket #1 \rrbracket}
+\newcommand{\ValB}{\mathbb{V}}
+\newcommand{\LiftVal}[1]{\widehat{\mathcal{V}}\llbracket #1 \rrbracket}
+\newcommand{\Exp}[1]{\mathcal{E}\llbracket #1 \rrbracket}
+\newcommand{\LiftExp}[1]{\widehat{\mathcal{E}}\llbracket #1 \rrbracket}
+
+\newcommand{\expPred}[3]{(#1, #2) \downarrow #3}
+\newcommand{\expPredPure}[3]{(#1, #2) \downarrow^{\textrm{pure}} #3}
+
+\newcommand{\Store}[1]{\mathcal{H}\llbracket #1 \rrbracket}
+\newcommand{\Heap}[1]{\mathcal{H}\llbracket #1 \rrbracket}
+\newcommand{\Env}[1]{\mathcal{G}\llbracket #1 \rrbracket}
+\newcommand{\TEnv}[1]{\mathcal{D}\llbracket #1 \rrbracket}
+\newcommand{\Ctx}[1]{\mathcal{K}\llbracket #1 \rrbracket}
+% \newcommand{\Thread}[1]{\mathcal{T}\llbracket #1 \rrbracket}
+% \newcommand{\ThreadRel}[3]{\mathcal{T}(#1,#2,#3)}
+% \newcommand{\TRel}[4]{\mathcal{T}(#1,#2,#3,#4)}
+% \newcommand{\TRelD}[1]{\mathcal{T}\llbracket{#1}\rrbracket}
+\newcommand{\HVal}[1]{\mathcal{H}\llbracket #1 \rrbracket}
+\newcommand{\Obs}[1]{\mathcal{O}(#1)}
+
+\newcommand{\dyn}[2]{\textlog{wp}({#1}, {#2})}
+\newcommand{\adyn}[2]{{#1}\;\llparenthesis{#2}\rrparenthesis}
+\newcommand{\dynpred}[2]{\textdom{wp}({#1}, {#2})}
+\newcommand{\dynA}[3]{\textlog{wp}_{#3}({#1}, {#2})}
+\newcommand{\pvs}[1]{\textlog{vs}({#1})}
+\newcommand{\pvsA}[3]{\textlog{vs}_{#2}^{#3}({#1})}
+
+
+\usepackage{scalerel}
+% \hoaresizebox pre post
+% \hoarescalebox char sizebox
+\newcommand*{\hoaresizebox}[1]{%
+  \hbox{$\mathsurround=0pt{#1}\mathstrut$}}
+\newcommand*{\hoarescalebox}[2]{%
+  \hbox{\scalerel*[1ex]{#1}{#2}}}
+\newcommand{\triple}[5]{%
+  \setbox0=\hoaresizebox{{#3}{#5}}%
+  \setbox1=\hoarescalebox{#1}{\copy0}%
+  \setbox2=\hoarescalebox{#2}{\copy0}%
+  \copy1{#3}\copy2%
+  \;{#4}\;%
+  \copy1{#5}\copy2}
+\NewDocumentCommand \hoare {m m m O{}}{
+	\triple\{\}{#1}{#2}{#3}%
+	_{#4}%
+}
+
+\newcommand{\bracket}[4][]{%
+  \setbox0=\hbox{$\mathsurround=0pt{#1}{#4}\mathstrut$}%
+  \scalerel*[1ex]{#2}{\copy0}%
+  {#4}%
+  \scalerel*[1ex]{#3}{\copy0}}
+% \curlybracket[other] x
+\newcommand{\curlybracket}[2][]{\bracket[{#1}]\{\}{#2}}
+\newcommand{\anglebracket}[2][]{\bracket[{#1}]\langle\rangle{#2}}
+% \hoareV[t] pre c post [mask]
+\NewDocumentCommand \hoareV {O{c} m m m O{}}{
+		{\begin{aligned}[#1]
+		&\curlybracket{#2} \\
+		&\quad{#3} \\
+		&{\curlybracket{#4}}_{#5}
+		\end{aligned}}%
+}
+% \hoareHV[t] pre c post [mask]
+\NewDocumentCommand \hoareHV {O{c} m m m O{}}{
+	{\begin{aligned}[#1]
+	&\curlybracket{#2} \; {#3} \\
+	&{\curlybracket{#4}}_{#5}
+	\end{aligned}}%
+}
+
+\newcommand{\ttrip}[4]{
+  \semPropB{#1}{\rho}{\safe(#2, #3, #4)}
+}
+%% \newcommand{\ttrip}[4]{
+%%   #1 \models^\rho 
+%%     {#2}@{#3}\; 
+%%   \big\{ #4 \big\}
+%% }
+\newcommand{\halfttrip}[3]{
+    {#1}@{#2}\; 
+  \big\{ #3 \big\}
+}
+
+\newcommand{\rewriteSpec}{\ra_\SP}
+
+%\newcommand{\dyn}[2]{{#1}\;\{{#2}\}}
+
+\newcommand{\safe}{\textsf{safe}}
+
+\newcommand{\mthread}{m}
+\newcommand{\absent}{\textsf{none}}
+
+\newcommand{\PROG}[1]{\textrm{prog}\llbracket #1 \rrbracket}
+\newcommand{\PRES}[1]{\textrm{pres}\llbracket #1 \rrbracket}
+
+\newcommand{\pset}[1]{\wp(#1)}
+\newcommand{\pmset}[1]{\wp_{m}(#1)}
+\newcommand{\psetup}[1]{\wp^\uparrow(#1)}
+\newcommand{\psetdown}[1]{\wp^\downarrow(#1)}
+\newcommand{\fpset}[1]{\wp_{\textrm{fin}}(#1)}
+\newcommand{\mset}[1]{\mathrm{bag}(#1)}
+%\newcommand{\bag}[1]{\Lbag #1 \Rbag}
+\newcommand{\eqdef}{\triangleq}
+
+\newcommand{\extendseq}{\sqsupseteq}
+\newcommand{\extends}{\sqsupset}
+\newcommand{\beforeeq}{\sqsubseteq}
+\newcommand{\extby}{\sqsubseteq}
+%\newcommand{\ntime}{\triangleright}
+\newcommand{\later}{\mathord{\triangleright}}
+%\newcommand{\always}[1]{\Box{#1}}
+\newcommand{\always}{\Box{}}
+\newcommand{\dup}[1]{\textrm{dup}({#1})}
+\newcommand{\restrict}[2]{\lfloor #1 \rfloor_{#2}}
+
+\newcommand{\extendseqCtx}{\stackrel{\textrm{ctx}}{\sqsupseteq}}
+\newcommand{\extbyCtx}{\stackrel{\textrm{ctx}}{\sqsubseteq}}
+
+\newcommand{\leqWT}{\sqsubseteq}
+\newcommand{\geqWT}{\sqsubseteq}
+\newcommand{\lubWT}{\sqcup}
+
+\newcommand{\leqRes}{\leq}
+\newcommand{\geqRes}{\geq}
+
+\newcommand{\geqIS}{\sqsupseteq}
+
+\newcommand{\relyguar}{\textrm{rg}}
+\newcommand{\leqRG}{\stackrel{\relyguar}{\sqsubseteq}}
+\newcommand{\leqRGB}[1]{\stackrel{\textrm{rg}}{\sqsubseteq_{#1}}}
+
+\newcommand{\geqAll}{\sqsupseteq}
+\newcommand{\geqRely}{\stackrel{\textrm{rely}}{\sqsupseteq}}
+\newcommand{\geqRelyB}[1]{\stackrel{\textrm{rely}}{\sqsupseteq_{#1}}}
+\newcommand{\geqRelyC}[1]{\sqsupseteq^{\textrm{rely}}_{#1}}
+\newcommand{\geqGuar}{\stackrel{\textrm{guar}}{\sqsupseteq}}
+\newcommand{\geqGuarB}[1]{\stackrel{\textrm{guar}}{\sqsupseteq_{#1}}}
+\newcommand{\geqGuarC}[1]{\sqsupseteq^{\textrm{guar}}_{#1}}
+
+\newcommand{\leqRely}{\stackrel{\textrm{rely}}{\sqsubseteq}}
+\newcommand{\leqRelyB}[1]{\stackrel{\textrm{rely}}{\sqsubseteq_{#1}}}
+\newcommand{\leqRelyC}[1]{\sqsubseteq^{\textrm{rely}}_{#1}}
+\newcommand{\leqGuar}{\stackrel{\textrm{guar}}{\sqsubseteq}}
+\newcommand{\leqGuarB}[1]{\stackrel{\textrm{guar}}{\sqsubseteq_{#1}}}
+\newcommand{\leqGuarC}[1]{\sqsubseteq^{\textrm{guar}}_{#1}}
+
+\newcommand{\intleq}{\stackrel{\textrm{int}}{\sqsubseteq}}
+\newcommand{\extleq}{\stackrel{\textrm{ext}}{\sqsubseteq}}
+\newcommand{\intgeq}{\stackrel{\textrm{int}}{\sqsupseteq}}
+\newcommand{\extgeq}{\stackrel{\textrm{ext}}{\sqsupseteq}}
+
+\newcommand{\withframe}{\ \mbox{${<}\!\!*$}\ }
+
+\newcommand{\proves}{\vdash}
+\newcommand{\provesalways}{\vdash_{\!\!\boxempty}}
+\newcommand{\refines}{\leq}
+\newcommand{\pbrk}{\mbox{\phantom{.}}}
+
+\newcommand{\hasHVal}[3]{#1 \Ra \textrm{hval}(#2, #3)}
+
+\newcommand{\multi}[1]{\!\!\!\begin{array}[t]{l}
+#1
+\end{array}
+}
+\newcommand{\multic}[1]{\!\!\!\begin{array}[c]{l}
+#1
+\end{array}
+}
+
+\newcommand{\pureleq}{\preceq_{\textrm{pure}}}
+\newcommand{\logleq}[4]{#1 \proves #2 \preceq #3 : #4}
+\newcommand{\semleq}[4]{#1 \models #2 \preceq #3 : #4}
+
+\newcommand{\hypleq}[6]{{#1}; {#2} \models {#3} \proves {#4} \preceq {#5} : {#6}}
+
+\newcommand{\progleq}[4]{#1 \models #2 \stackrel{\textrm{prog}}{\preceq} #3 : #4}
+\newcommand{\specleq}[4]{#1 \models #2 \stackrel{\textrm{spec}}{\preceq} #3 : #4}
+\newcommand{\mixleq}[4]{#1 \models #2 \stackrel{\textrm{mix}}{\preceq} #3 : #4}
+
+\newcommand{\result}[2]{\pbrk
+\begin{quotation}
+\hskip -0.25in
+$\begin{array}{@{}ll}
+   \textrm{If} & #1 \\
+   \textrm{then} & #2
+ \end{array}$
+\end{quotation}
+}
+\newcommand{\resrule}[2]{\pbrk
+\begin{quotation}
+\hskip -0.25in
+$\infer{#1}{#2}$
+\end{quotation}
+}
+%\newcommand{\rand}{\\&}
+\newcommand{\randB}{\qquad}
+
+%\renewcommand{\labelitemi}{$\bullet$}
+%\renewcommand{\labelitemii}{$\bullet$}
+%\renewcommand{\labelitemiii}{$\bullet$}
+%\renewcommand{\labelitemiv}{$\bullet$}
+
+\newcommand{\mc}[1]{\multicolumn{2}{@{}l}{#1}}
+\newcommand{\mcl}[2]{\multicolumn{#1}{@{}l}{#2}}
+
+\newcommand{\citem}[1]{\item\textit{Case: } \fbox{$#1$}\quad}
+\newcommand{\cand}{\textrm{ and }}
+
+\newcommand{\claim}[1]{\vskip 5pt \noindent \mbox{\textit{Claim: } \fbox{$#1$}}\quad}
+\newcommand{\case}[1]{\vskip 5pt \noindent \textit{Case: } \fbox{$#1$}\quad}
+\newcommand{\casec}[1]{\vskip 5pt \noindent \mbox{\textit{Case \textsc{#1}}: \ }}
+\newcommand{\subcase}[1]{\vskip 5pt \textit{Subcase: } \fbox{$#1$}\ }
+\newcommand{\subcasec}[1]{\vskip 5pt \noindent \qquad \mbox{\textit{Subcase \textsc{#1}}: \ }}
+\newcommand{\subcasen}{\vskip 5pt \noindent \qquad \mbox{\textit{Subcase: } \ }}
+
+\newcommand{\have}[1]{$\begin{array}[t]{@{}l} #1 \end{array}$}
+
+\newcommand{\TIME}{\textrm{time}}
+\newcommand{\MAP}{\textrm{map}}
+
+\newcommand{\dom}{\textrm{dom}}
+\newcommand{\rng}{\textrm{rng}}
+\newcommand{\cod}{\textrm{cod}}
+
+\newcommand{\elide}[1]{}
+
+\newcommand{\ov}[1]{\overline{#1}}
+\newcommand{\CR}{\mathcal{R}}
+\newcommand{\CS}{\mathcal{S}}
+
+\newcommand{\IF}{\mathrel{\text{if}}}
+\newcommand{\OW}{\text{otherwise}}	% not a relation
+\newcommand{\WHEN}{\textrm{when }}
+\newcommand{\FIX}{\textrm{Fix }}
+\newcommand{\LET}{\textrm{Let }}
+\newcommand{\IN}{\textrm{ in }}
+\newcommand{\SUPPOSE}{\textrm{Suppose }}
+\newcommand{\HAVE}{\textrm{Have }}
+\newcommand{\RAND}{\textrm{ and }}
+\newcommand{\WHERE}{\mathrel{\text{where}}}
+\newcommand{\ASSUMPTION}{\textrm{assumption}}
+\newcommand{\THEN}{\textrm{Then }}
+\newcommand{\WRITE}{\textrm{Write }}
+\newcommand{\PICK}{\textrm{Pick }}
+\newcommand{\WITH}{\textrm{ with }}
+\newcommand{\WLOG}{\textrm{ WLOG}}
+%newcommand{\STS}{\textrm{Suffices to show }}
+
+\newcommand{\extrasep}{\setlength{\extrarowheight}{1.5pt}}
+\newcommand{\extrasepB}[1]{\setlength{\extrarowheight}{#1}}
+\newcommand{\medextrasep}{\setlength{\extrarowheight}{2pt}}
+\newcommand{\bigextrasep}{\setlength{\extrarowheight}{3pt}}
+\newcommand{\hugeextrasep}{\setlength{\extrarowheight}{5pt}}
+\newcommand{\noextrasep}{\setlength{\extrarowheight}{0pt}}
+
+\newcommand{\iffrule}{\mprset{fraction={===}}}
+
+\newcommand{\ie}{\emph{i.e.,} }
+\newcommand{\eg}{\emph{e.g.,} }
+\newcommand{\etal}{\emph{et~al.}}
+\newcommand{\wrt}{w.r.t.~}
+\newcommand{\deadfootnote}[1]{}
+
+\newcommand{\idisl}[2]{{#1} \mapsto {#2}}
+
+%\newcommand{\region}[4]
+
+\newcommand{\SET}[2]{
+\left\{%
+#1%
+\;\middle|\;%
+#2%
+\right\}
+}
+\newcommand{\SETB}[1]{
+\left\{%
+#1%
+\right\}
+}
+\newcommand{\SETC}[2]{#1 & #2}
+
+\newcommand{\SPACER}{\;\;\;}
+
+\newcommand{\wIso}{\xi}
+
+\newcommand{\sembox}[1]{\hfill \normalfont \mbox{\fbox{\(#1\)}}}
+\newcommand{\typedsection}[2]{\subsubsection*{\rm\em #1 \sembox{#2}}}
+
+% what are we calling the manuscript?
+\newcommand{\book}{book}
+
+\newcommand{\aaron}[1]{{\color{red}\textbf{AT: #1}}}
+\newcommand{\derek}[1]{{\color{red}\textbf{DD: #1}}}
+\newcommand{\lars}[1]{{\color{red}\textbf{LB: #1}}}
+\newcommand{\kasper}[1]{{\color{red}\textbf{KS: #1}}}
+\newcommand{\ralf}[1]{{\color{red}\textbf{RJ: #1}}}
+\newcommand{\dave}[1]{{\color{red}\textbf{PDS: #1}}}
+\newcommand{\hush}[1]{}
+\newcommand{\relaxguys}{%
+	\let\aaron\hush%
+	\let\derek\hush%
+	\let\lars\hush%
+	\let\kasper\hush%
+	\let\ralf\hush%
+	\let\dave\hush%
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% ATOMIC SHIFTS
+
+\newcommand{\funnyforall}{\boldsymbol\forall}
+\newcommand{\funnyexists}{\boldsymbol\exists}
+
+\newcommand{\aspre}{P}
+\newcommand{\asfrom}{\alpha}
+\newcommand{\asto}{\beta}
+\newcommand{\aspost}{Q}
+%\newcommand{\asprop}{\aspost}
+%\newcommand{\aspred}{\aspost}
+\newcommand{\asframe}{R}
+\newcommand{\asfmask}{\mask_{\asframe}}
+\newcommand\nomask{\,\!}% to avoid \as defaults. It ain't empty, but it looks empty.
+
+% we need 10 arguments, so use some magic to get that...
+\newcommand\ascore[1]{%
+    \def\tempflags{#1}%
+    \ascoreContinued%
+}
+\newcommand{\ascoreContinued}[9]{
+  {\stretchleftright[450]{\langle}{ %
+  \IfSubStr{\tempflags}{l}{ \begin{inbox} }{} %
+  #2
+  \IfSubStr{\tempflags}{b}{\vsE}{\vs} %
+  \IfSubStr{\tempflags}{a}{ #1.\;}{} %
+  #3 %
+  \IfSubStr{\tempflags}{x}{ \mid #4}{} %
+  \IfSubStr{\tempflags}{f}{ %
+    \mid %
+    \IfSubStr{\tempflags}{l}{  \\ }{} %
+    \IfSubStr{\tempflags}{e}{ #5.\;}{} %
+    #6 \vs #7 %
+  }{} %
+  \IfSubStr{\tempflags}{l}{ \end{inbox} }{} %
+  }{\rangle}}_{#9}^{#8} %
+}
+\NewDocumentCommand \as {d() m m o d() m m O{\top} O{}}
+ { \ascore{ %
+     \IfNoValueF{#1}{a} % universal quantifier
+     b                  % arrow back to start
+     \IfNoValueF{#4}{x} % explicit R and E
+     f                  % add forwards shift to final state
+     \IfNoValueF{#5}{e} % existential quantifier
+   }{#1}{#2}{#3}{#4}{#5}{#6}{#7}{#8}{#9} %
+ }
+\NewDocumentCommand \asl {d() m m o d() m m O{\top} O{}}
+ { \ascore{ %
+     l                  % use multiple lines
+     \IfNoValueF{#1}{a} % universal quantifier
+     b                  % arrow back to start
+     \IfNoValueF{#4}{x} % explicit R and E
+     f                  % add forwards shift to final state
+     \IfNoValueF{#5}{e} % existential quantifier
+   }{#1}{#2}{#3}{#4}{#5}{#6}{#7}{#8}{#9} %
+ }
+% \NewDocumentCommand \am {d() m m o m}
+%  { \ascore{ %
+%      \IfNoValueF{#1}{a} % universal quantifier
+%      b                  % arrow back to start
+%      \IfNoValueF{#4}{x} % explicit R and E
+%    }{#1}{#2}{#3}{#4}{#5}{}{}{} %
+%  }
+
+%%% Atomic triples
+
+\NewDocumentCommand \ahoare {m m m O{} O{}}{
+	\triple\langle\rangle{#1}{#2}{#3}%
+	_{#5}^{#4}%
+}
+
+\NewDocumentCommand \ahoareV {O{c} m m m O{} O{}}{
+		{\begin{aligned}[#1]
+		&\anglebracket{#2} \\
+		&\quad{#3} \\
+		&{\anglebracket{#4}}_{#6}^{#5}
+		\end{aligned}}%
+}
+
+\NewDocumentCommand \ahoareHV {O{c} m m m O{} O{}}{
+	{\begin{aligned}[#1]
+	&\anglebracket{#2}\;\;\; {#3} \\
+	&{\anglebracket{#4}}_{#6}^{#5}
+	\end{aligned}}%
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% hoare proof typesetting
+
+\newenvironment{inbox}[1][]{
+  \begin{array}[#1]{@{}l@{}}
+}{
+  \end{array}
+}
+
+\newcommand{\tabubox}[2][]{%
+  \begin{tabu}{@{#1}X[1,l,m]@{}}%
+    #2 %
+  \end{tabu}%
+}
+\newcommand{\hproofnospace}[1]{\noindent\parbox{\linewidth}{#1}} %
+\newcommand{\hproof}[1]{\vspace{0.5em}\hproofnospace{#1}\vspace{0.5em}} %
+\newcommand\psub[2]{%
+  \begin{tabu}{ m{0.9em} | X[1,l,m] }%
+    \begin{sideways}#1\end{sideways} &%
+    \tabubox{#2}%
+  \end{tabu}%
+}%
+
+\newcommand\pind[1]{\tabubox[\hspace{1em}]{#1}}
+\newcommand{\pline}[2][\empty]{\ensuremath{\left\{{#2\mathstrut}\right\}_{#1}}}
+\newcommand{\pmline}[2][\empty]{\ensuremath{\left\{\begin{inbox}#2\end{inbox}\right\}_{#1}}}
+\newcommand{\aline}[2][\empty]{\ensuremath{{\stretchleftright[450]{\langle}{#2\mathstrut}{\rangle}}_{#1}}}
+\newcommand{\amline}[2][\empty]{\ensuremath{{\stretchleftright[450]{\langle}{\begin{inbox}#2\end{inbox}}{\rangle}}_{#1}}}
+\definecolor{code_color}{rgb}{0, 0, 0.6}
+\newcommand{\cdline}[1]{\ensuremath{\color{code_color}#1}}
+
+\definecolor{interp_p_backgr}{rgb}{0.8, 0.8, 1.0}
+\definecolor{interp_q_backgr}{rgb}{0.8, 1.0, 0.8}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% Monoid and other constructions
+
+\newcommand{\FHeap}{\textsc{FHeap}}
+\newcommand{\AFHeap}{\textsc{AFHeap}}
+
+\newcommand{\auth}[1]{\ensuremath{\textsc{Auth}(#1)}}
+\newcommand{\authfull}{\mathord{\bullet}\,}
+\newcommand{\authfrag}{\mathord{\circ}\,}
+
+\newcommand{\fpfunm}[2]{\ensuremath{\textsc{FpFun}(#1, #2)}}
+\newcommand{\fracm}[1]{\ensuremath{\textsc{Frac}(#1)}}
+\newcommand{\exm}[1]{\ensuremath{\textsc{Ex}(#1)}}
+\newcommand{\agm}[1]{\ensuremath{\textsc{Ag}(#1)}}
+
+%\newcommand{\dispm}[1]{\ensuremath{\textsc{Disp}(#1)}}
+%\newcommand{\disposed}{\mathord{\dagger}}
+
+
+\newcommand{\STSMon}[1]{\textsc{Sts}_{#1}}
+\newcommand{\STSInv}{\textsf{STSInv}}
+\newcommand{\STS}{\textsf{STS}}
+\newcommand{\STSS}{\mathcal{S}} % states
+\newcommand{\STST}{\mathcal{T}} % tokens
+\newcommand{\STSL}{\mathcal{L}} % labels
+\newcommand{\ststrans}{\ra^{*}}%	the relation relevant to the STS rules
+
+\newcommand{\AuthInv}{\textsf{AuthInv}}
+\newcommand{\Auth}{\textsf{Auth}}