Context-Dependent Effects and Concurrency in Guarded Interaction Trees (2512.11577v1)

Abstract: Guarded Interaction Trees are a structure and a fully formalized framework for representing higher-order computations with higher-order effects in Rocq. We present an extension of Guarded Interaction Trees to support formal reasoning about context-dependent effects. That is, effects whose behaviors depend on the evaluation context, e.g., call/cc, shift and reset. Using and reasoning about such effects is challenging since certain compositionality principles no longer hold in the presence of such effects. For example, the so-called ``bind rule'' in modern program logics is no longer valid. The goal of our extension is to support representation and reasoning about context-dependent effects in the most painless way possible. To that end, our extension is conservative: the reasoning principles for context-independent effects remain the same. We use it to give direct-style denotational semantics for higher-order programming languages with call/cc and with delimited continuations. We extend the program logic for Guarded Interaction Trees to account for context-dependent effects, and we use the program logic to prove that the denotational semantics is adequate with respect to the operational semantics. Additionally, we retain the ability to combine multiple effects in a modular way, which we demonstrate by showing type soundness for safe interoperability of a programming language with delimited continuations and a programming language with higher-order store. Furthermore, as another contribution, in addition to context-dependent effects, we show how to extend Guarded Interaction Trees with preemptive concurrency. To support implementation and verification of concurrent data structures and algorithms in the presence of preemptive concurrency one requires atomic state modification operations, e.g., compare-and-exchange.

• The paper introduces a conservative extension of Guarded Interaction Trees, enabling reifiers to access current continuations for advanced control effects.
• It establishes direct-style denotational semantics and tailored program logics for higher-order control operators, such as call/cc, exceptions, and delimited continuations.
• The work incorporates preemptive concurrency with generic atomic operations, proving soundness and type safety via mechanized logical relations in Rocq/Iris.

Context-Dependent and Concurrent Effects in Guarded Interaction Trees

Introduction

The paper "Context-Dependent Effects and Concurrency in Guarded Interaction Trees" (2512.11577) presents a comprehensive extension of the Guarded Interaction Trees (GITrees) framework to enable formal, modular reasoning about context-dependent effects and preemptive concurrency in higher-order effectful programs. The work is formalized in Rocq and builds upon the Iris separation logic and guarded type theory. It addresses longstanding barriers in giving direct-style denotational semantics and compositional program logic for higher-order control operators—such as call/cc, shift/reset, and exceptions—without global transformations (e.g., CPS translation) and extends the GITrees methodology to handle data races via generic atomic operations in concurrent settings.

Context-Dependent Effects and the GITrees Extension

Traditional GITrees, following the earlier ITrees paradigm, support higher-order effects and modular semantic models for a broad class of context-independent effects (such as IO and mutable state). However, they were not adequate for context-dependent control effects that interact non-trivially with their evaluation context by capturing, reifying, or reinstating continuations—examples include call/cc, delimited continuations, exceptions, and effect handlers. In the presence of such effects, canonical compositional reasoning principles—specifically, the homomorphism-based bind rule employed in program logics for GITrees—become unsound.

This paper generalizes the notion of effect reifiers in GITrees to be context-dependent by equipping each reifier with access to the current continuation at each effect site. Effect signatures no longer merely provide input/output arities: they allow reification operations to receive continuations as first-class arguments, effectively enabling full, extensible manipulation of the ambient control context as demanded by modern control operators. Importantly, this is a conservative extension: compositionality and reasoning for context-independent effects are completely preserved when the program does not use the new effects.

To demonstrate the expressiveness and soundness of this extension, the paper provides direct-style denotational semantics—without recourse to CPS transformation—for a rich $\lambda$-calculus extended with first-class continuations (call/cc, throw), exceptions, and delimited control (shift, reset). For each, the authors derive bespoke program logics, operational and denotational adequacy theorems, and mechanized logical relations relating syntax and denotations implemented in Rocq.

Semantics and Program Logic for Exceptions and Delimited Continuations

The methodology for context-dependent effects follows a principled, operationally driven design:

1. Effect Signature Decomposition: For features such as exceptions and delimited continuations, the operational behavior (handler stack manipulation, continuation delimiting, etc.) is distilled into effect signatures and associated state update protocols.
2. Contextual Reification: Reifiers manipulate both the effect state (handler stacks, metacontinuation stacks) and continuations, enabling correct dynamic dispatch and scope-based unwinding of control.
3. Direct-Style Semantics: Constructs such as catch/throw, shift/reset, and appcont are each mapped to corresponding generic effects, with state and control manipulation specified at the signature/reifier level, preserving modularity.
4. Program Logic Rules: The weakest precondition (WP) rules are specialized per effect. These rules account for both effectful computation and the ambient context, enabling modular soundness proofs and direct handling of context-dependent behavior.

Crucial numerical results include soundness and computational adequacy proofs for each extension, as well as type soundness and logical relations theorems validating the approach for complex combinations of effects.

Preemptive Concurrency and Atomic State Modification

The extension to concurrency introduces a thread pool semantics by lifting the step relation to lists of GITrees, allowing multiple threads to execute in parallel. Key to reasoning about concurrent state manipulation is the introduction of generic, parameterizable atomic operations, most notably compare-and-exchange (CAS) and fetch-and-add (FAA). The innovation is that, by allowing effects to take lambda functions as parameters, the atomic effect is expressed as a single, general state modification operation. From this, common concurrency primitives (XCHG, CAS, FAA) are derived.

The program logic extends WP rules to account for atomicity, resource separation, and persistence via Iris invariants. The fundamental lemma and type safety theorem for the affine, concurrent language with state are proved in this setting, demonstrating that verification scales to rich, concurrent effectful programs.

Language Interoperability and Modularity

A significant practical implication is the seamless, type-safe interoperability between languages featuring different effects. The paper formalizes an embedding of a language with delimited control (delimlang) into one with higher-order mutable state (embedstlang). The embedding is proved type-safe via logical relations, with effect system restrictions ensuring that control effects in embedded code do not interfere with the host context. The combined language thus supports compositional, modular reasoning about effectful interactions—an increasingly important requirement for verified systems and multi-language modules.

Theoretical and Practical Implications

Theoretical Implications:

• The context-dependent extension to GITrees provides a robust foundation for denotational models of control effects, matching or exceeding classical domain-theoretic approaches but now accessible in mechanized frameworks.
• The work demonstrates the viability of program logics and logical relations for languages with rich combinations of effects, including those not previously supported (e.g., unrestricted delimited continuations and concurrency).
• Homomorphism-based compositionality is preserved in context-independent cases, and precisely delimited in the presence of control effects.

Practical Implications:

• The modularity of effect signatures and reifiers supports extensible implementation of new language features and program logics within mechanized proof assistants (Rocq/Iris).
• The approach to atomic concurrency primitives via higher-order effects offers a blueprint for verified concurrent libraries and systems software.
• The methodology provides a scalable path for building formally verified, multi-effect, multi-language systems with complex effect interactions.

Speculation on Future Developments:

• Adapting the GITrees methodology to fully general algebraic effect handlers and effect polymorphism.
• Investigating finer-grained logical relations, step-indexed models, and modular program logics for more advanced forms of resource and synchronization protocols.
• Broad adoption of context-dependent GITrees in certified compilers, program verification tools, and mechanized meta-theory for next-generation programming languages.

Conclusion

This work marks a substantial advancement in the modular, direct-style semantic modeling and verification of complex effectful languages. By generalizing GITrees to context-dependent reifiers and generic concurrency, this framework supports practical, formal reasoning about higher-order control, effect handlers, and concurrent state—all mechanized in Rocq/Iris, with machine-checked adequacy and logical relations. The extension harmonizes powerful effectful programming idioms with the needs of compositional verification, confirming the significance of context-dependent GITrees as a foundation for future research in programming languages and formal methods.