Guarded Interaction Trees

• Guarded Interaction Trees are a formal semantic framework that uses guarded recursion to represent higher-order computations and context-dependent effects.
• They enable direct-style semantics for languages with complex control operators such as call/cc, shift/reset, and algebraic effects, ensuring type soundness and computational adequacy.
• The framework supports mechanized proofs in Coq using Iris, facilitating formal verification of concurrency, exception handling, and cross-language interoperability.

Guarded Interaction Trees (GITs) are a fully formalized semantic framework for representing higher-order computations with higher-order effects, grounded in guarded type theory. This structure serves as an expressive and modular denotational domain enabling direct-style semantics and program logics for languages featuring complex control flow (e.g., call/cc, shift/reset), algebraic effects, and preemptive concurrency. Key advancements include the modeling of context-dependent effects, modular combination of disparate effect signatures, and mechanized proofs of computational adequacy and type soundness across interoperating languages (Stepanenko et al., 12 Dec 2025, Frumin et al., 2023).

1. Formal Definition and Core Structure

Guarded Interaction Trees formalize higher-order computation by the guarded recursive type: $$IT_{E}(A) \simeq \mu X. \;\text{Ret}:A\to X \oplus \text{Err}:Error\to X \oplus \text{Tau}:\square X \to X \oplus \text{Fun}:\square (IT_{E}(A)\to IT_{E}(A))\to X \oplus \text{Vis}_i:\prod_i (\text{Ins}_i(X)\times (\text{Outs}_i(X)\to \square X))\to X$$ where $\square$ denotes the “later” modality ensuring guarded recursion. The signature $E=(I,\text{Ins},\text{Outs})$ parametrizes the effect operations. The structure admits values, errors, silent ticks, higher-order functional nodes, and interaction nodes for effectful operations. The strict application and sequencing combinators (getval, getfun, getret, APP, Tick) underpin the execution semantics and define reduction as a union of Tau and Vis steps (Frumin et al., 2023).

2. Semantics for Higher-Order and Context-Dependent Effects

Denotational semantics for effectful languages are given in terms of GITs by assigning to each language construct a corresponding tree element. The framework particularly supports:

• Algebraic effects via modular effect signatures.
• Higher-order functions embedded compositionally.
• Context-dependent control effects (call/cc, shift, reset) by refining the reifier interface to accept the current continuation as a homomorphism parameter:

$$r_i : \text{Ins}_i(IT) \times \text{State} \times (\text{Outs}_i(IT) \to \square IT) \to \text{Option}(\square IT \times \text{State})$$

This allows correct modeling and reasoning of operational constructs whose semantics depend on evaluation context. The denotational model is extended to preserve adequacy w.r.t. operational semantics for such language features (Stepanenko et al., 12 Dec 2025).

In delimited control calculi, abstract stack frames and continuation-manipulating operations are encoded as effects; the framework’s direct-style semantics and program logic adapt to such context-dependent evaluation (Stepanenko et al., 12 Dec 2025).

3. Program Logic and Reasoning Principles

Reasoning for GITs is performed in Iris-style separation logic, augmented for guarded recursion. The central safety judgment is: $\vdash \text{WP}~\alpha~\{\Phi\}$ meaning "the tree $\alpha$ is safe and, upon returning $v$, the postcondition $\Phi(v)$ holds."

Selected wp-rules include (plain LaTeX):

• Standard reify:

$\inferrule[wp-reify] {\text{hasstate}(\sigma)~\text{reify}(\text{Vis}_i(x,k),\sigma)=(\text{Tick}(\beta),\sigma') \ \square (\text{hasstate}(\sigma') \wand \text{WP}~\beta~\{\Phi\}) } {\text{WP}~\text{Vis}_i(x,k)~\{\Phi\}}$

• Context-dependent reify (for effects inspecting continuations):

$\inferrule[wp-reify-ctx] {\text{hasstate}(\sigma)\ r_i(x,\sigma,k)=\Some(\text{Next}(\beta),\sigma') \ \square (\text{hasstate}(\sigma') \wand \text{WP}~\beta~\{\Phi\}) } {\text{WP}~\text{Vis}_i(x,k)~\{\Phi\}}$

• Homomorphism sequencing is generally unsound whenever effects are context-dependent and may invoke the ambient continuation.

These rules maintain modularity when effects do not inspect the continuation, simply splitting states and reifiers for different signatures (Stepanenko et al., 12 Dec 2025, Frumin et al., 2023).

4. Preemptive Concurrency and Atomicity

GITs model concurrent execution by generalizing the reifier to yield forked threads: $$r_i : \text{Ins}_i(IT) \times \text{State} \times (\text{Outs}_i(IT) \to \square IT) \to \text{Option}(\square IT \times \text{State} \times \text{List}(\square IT))$$ Two crucial primitives are introduced:

• Fork effect: creates new concurrent branches.
  • $$\text{FORK}(e) \equiv \text{Vis}_{fork}(\text{Next}(e),\lambda_.\text{Next}(\text{Ret}()))$$
• Atomic state modification effect: enables operations such as compare-and-exchange (CAS), fetch-and-add (FAA), and exchange (XCHG) by appropriate choice of state transformer $f$.

The logic supports threadpool extensions and atomic reasoning using invariants for heap references and fork counters, ensuring safety and atomicity of concurrent algorithms (Stepanenko et al., 12 Dec 2025).

5. Modularity, Type Soundness, and Adequacy

GITs allow effects to be combined modularly. States and reifiers for individual signatures are paired, and program logic for multiple effects merely splits the state ownership predicate: $$\text{hasstate}(\sigma) \leadsto \text{hasstate}(\sigma_1)\ast \text{hasstate}(\sigma_2)$$ For cross-language interoperability, type soundness is established by logical relations that are parametric in both store and control effects. Embedding mechanisms are precisely controlled (e.g., DELIM programs into STORE via RESET) and only answer-type-pure programs are allowed. Adequacy and soundness are proved: well-typed programs do not get stuck and all values have the desired shape, except for linearity violations in affine boundaries (Stepanenko et al., 12 Dec 2025, Frumin et al., 2023).

6. Applications and Case Studies

Extensive applications are described:

• Exception handlers: mode State as stack of (exception, handler, continuation) triples. Effects for registration, popping, and throwing model conventional exception semantics; logic follows immediately from context-dependent wp-rules.
• Control operators (call/cc, throw, shift, reset): semantics and program logic adapt to ambient continuation-passing, with computational adequacy proven w.r.t. CEK-style abstract machines using biorthogonal logical relations.
• Cross-language FFI: programs from delimited control languages safely interoperate with store-based languages, protected by type conversion rules and glue functions.
• Concurrency in affine calculi: atomic exchange primitives are realized from generic atomic effects; reasoning in Iris employs heap and fork invariants.

Table: Examples of GIT Applications

Area	Effect Mechanics	Reasoning Principle
Exceptions	Handlers stack, register/pop/throw effects	wp-reify-ctx
Call/cc	Continuation parameterized reifiers	Context-dependent wp-rules
Delimited	Reset/shift/pop/appcont effects	Logical relation adequacy
FFI	DELIM embedding into STORE, type conversion	context-local WP
Concurrency	Fork, atomic, derived XCHG/CAS/FAA effects	Invariants, atomic WP

7. Mechanization and Formal Verification

All definitions and proofs are mechanized in Coq using Iris over guarded type theory. Constructors, recursors, and logical relations are encoded as Coq objects and combinators:

Definition itree : Type := fix IT : Type := A + later (IT -> IT) + Error + later IT + { i : I E & Ins E i (later IT) * (Outs E i (later IT) -> later IT) }.

The framework supports rigorous mechanized proofs of soundness, adequacy, modularity, and cross-language safety theorems (Frumin et al., 2023).

---

Guarded Interaction Trees provide a conservative, modular, and general-purpose foundation for semantics and verification of higher-order effectful computation, enabling direct-style reasoning about context-dependent effects, concurrent programs, and safe cross-language interaction (Stepanenko et al., 12 Dec 2025, Frumin et al., 2023).