Guarded Interaction Trees (GITrees)

• Guarded Interaction Trees (GITrees) are a formal framework defined via guarded recursion in Coq that models higher-order and effectful computations with modular reasoning.
• They leverage the later modality to enforce contractiveness while uniformly capturing a broad spectrum of effects including I/O, state, exceptions, and concurrency.
• GITrees integrate domain theory with separation logic to enable precise verification of advanced language features like continuations and cross-language interoperability.

Guarded Interaction Trees (GITrees) are a formal structure and framework for representing higher-order computations with higher-order effects in proof assistants such as Coq, building on ideas from domain theory, guarded recursion, and the semantics of interaction trees. GITrees provide a canonical “universal domain” for modeling potentially non-terminating, effectful computations—capable of uniformly capturing a broad spectrum of computational effects (including state, I/O, exceptions, continuations, and preemptive concurrency) and supporting formal reasoning via separation logic and logical relations. The framework is fully mechanized in Coq, leveraging the Iris logic for guarded type theory and effectful program verification (Frumin et al., 2023, Stepanenko et al., 12 Dec 2025).

1. Guarded and Coinductive Structure of GITrees

GITrees generalize the interaction trees (ITrees) of first-order computation by allowing higher-order computation and effect signatures—enabling the direct semantic treatment of higher-order functions, continuations, and closures. Technically, a GITree $\IT_E(A)$ for effect signature $E$ and result type $A$ is the unique solution to a guarded domain equation:

$\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$

Key constructors encapsulate:

• $\mathsf{Ret} : A \to \IT_E(A)$ (return value)
• $\mathsf{Err} : \Error \to \IT_E(A)$ (error)
• $\mathsf{Tau} : \latert \IT_E(A) \to \IT_E(A)$ (guarded tick)
• $\mathsf{Fun} : \latert(\IT_E(A) \to \IT_E(A)) \to \IT_E(A)$ (closure/recursion)
• $\mathsf{Vis}_i : \Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A)) \to \IT_E(A)$ (effectful observation, for each operation $i$ of $E$0)

The later modality $E$1 from Iris's guarded type theory is essential for enforcing productivity and contractiveness in recursive definitions. The GITree type arises as a guarded recursive (coinductive) solution, mechanized via a guarded fixpoint operator in Coq (Frumin et al., 2023, Stepanenko et al., 12 Dec 2025).

Effect signatures specify the set of effect operations, each with input and output functorial arities: $E$2.

2. Denotational Semantics and Domain-Theoretic Properties

GITrees have a precise denotational–domain-theoretic characterization. They are both the initial algebra and final coalgebra of a mixed-variance functor $E$3:

$E$4

Guards, enforced by the later modality, ensure contractiveness so that all recursive calls are well-founded. The semantic interpretation relates “finite truncations” of GITrees to approximations, and the type $E$5 is a projective limit: $E$6, supporting the domain-theoretic intuition in mechanized models (Frumin et al., 2023).

For languages, GITrees provide a compositional, modular domain for interpreting higher-order, effectful languages (including simply-typed PCF variants with recursion, I/O, state, and higher-order store).

3. Weakest-Precondition Separation Logic for GITrees

A custom weakest-precondition logic is defined for GITrees inside Iris, supporting reasoning about effectful, possibly nonterminating computations. The main predicate:

$E$7

where $E$8 denotes value forms ($E$9, $A$0). Key rules are:

• WP-VAL: Direct reduction to value.
• WP-TICK: $A$1
• WP-HOM: For effect-homomorphisms $A$2, summarizing compositionality.
• WP-REIFY: For operations $A$3, via reifier $A$4, producing delayed subtrees and new states.

Guardedness at the logic level enforces contractiveness of recursive specifications and supports Löb induction. Linear state ownership blocks refinement errors; all logical content is mechanized over Iris’s proof mode (Frumin et al., 2023).

With the extension to context-dependent effects (e.g., call/cc, shift/reset), the reifier interface is generalized to handle the current continuation $A$5 as an explicit argument: $A$6. This enables direct-style denotational semantics without a full program–level CPS transform, but entails that certain standard logical rules (notably the bind rule, “wp-hom”) become unsound and must be restricted to pure contexts (Stepanenko et al., 12 Dec 2025).

4. Modularity: Composition and Interoperability of Effects

GITrees enable modular effect combination. Given multiple effect signatures $A$7, the product signature $A$8 and product state space allow each reifier $A$9 to operate locally on corresponding effect operations and their fragments of the state. In the program logic, the global state assertion $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$0 is split into conjunctions of effect-local invariants, so that code, specification, and proofs for each effect remain fully modular (Frumin et al., 2023).

The modularity holds even for context-dependent effects. Multiple languages (e.g., I/O and higher-order store; delimited continuations and state) can have their denotational semantics embedded separately in the GITree universe, with type-level glue code expressed as conversions, and compatibility of logical relations established for cross-language interaction. A central compatibility lemma relates value-level conversions with logical relations, guaranteeing that the only possible cross-language runtime errors are those inherent in the source calculi (such as linearity violations when embedding non-affine into affine systems) (Frumin et al., 2023, Stepanenko et al., 12 Dec 2025).

Modular Extension	Mechanism	Logic/Proof Split
Multiple effects	Signature/product state	State assertions split
Cross-language interoperability	Type conversions/glue code	Logical relations by language

5. Context-Dependent Effects and Concurrency Extensions

Recent developments have extended GITrees to directly accommodate context-dependent effects (operations sensitive to their surrounding evaluation context), such as first-class continuations (call/cc) and delimited control (shift/reset). The technical innovation is to pass the current continuation explicitly to the reifier for every effect operation, thus maintaining the direct-style form of the denotational semantics. The operational rules are updated accordingly, and program logic rules for weakest-preconditions reflect the extra contextual parameter. The classical bind rule is localized to pure contexts—effectful computations carry their operational context along, precluding global compositionality in the presence of such effects (Stepanenko et al., 12 Dec 2025).

GITrees have also been extended to model preemptive concurrency. Thread pools become collections of GITrees, and fork/join operations are encoded as effects. A general atomic “CAS-like” effect supports verification of concurrent data structures (e.g., fetch-and-add, compare-and-swap), and invariants are maintained via custom resource assertions over the heap/state. The weakest-precondition logic adapts to concurrency via explicit thread-pool semantics and localized Hoare-style reasoning (Stepanenko et al., 12 Dec 2025).

6. Illustrative Examples and Applications

Numerous examples illustrate the expressiveness and practicality of GITrees:

• I/O tape effects: $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$1, modeled by tape-based state reifiers.
• Higher-order store: $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$2 for reference manipulation in $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$3.
• Recursive programs: e.g., factorial with explicit store allocation and recursion, proven correct via $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$4.
• Church-encoded pairs: Higher-order encodings up to ticks, e.g., $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$5.
• Iterators/iteration: $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$6 with logical specifications mentioning only persistent assumptions.
• Modular combinations: E.g., $\IT_E(A)\; \cong \; A\;+\;\mathsf{Error}\;+\;\latert \IT_E(A)\;+\;\latert(\IT_E(A)\to\IT_E(A))\;+\; \sum_{i\in I} \left(\Ins_i(\IT_E(A)) \times (\Outs_i(\IT_E(A)) \to \latert\IT_E(A))\right)$7, combining I/O and store.
• Affine/non-affine combinations: Embedding affine calculi by thunking variables, validating modular safety.
• Verified concurrent counter: Using fetch-and-add under the extended model, maintaining thread-local invariants and program-wide correctness under concurrency (Frumin et al., 2023, Stepanenko et al., 12 Dec 2025).

7. Formalization and Theoretical Significance

GITrees provide a unified, fully mechanized denotational and logical infrastructure for higher-order and higher-order-effect languages in Coq. The framework’s mixed-variance, required for higher-order constructs, is handled by the later modality and guarded fixpoints in Iris. Logical relations are fully internalized to prove computational adequacy with respect to operational semantics for rich source calculi. All effects—including I/O, state, exceptions, context-dependent control, and preemptive concurrency—are encapsulated in the GITree domain. Effects remain modular; composition via sum–product constructions and logic splitting ensures local reasoning.

A notable innovation is the explicit, context-parametric interface for effect reifiers, enabling modeling of advanced effects (continuations, delimited control) directly in the operational semantics and logic, without recourse to whole-program CPS transforms. This supports ongoing modular development in program verification, effect interoperability, and mechanized metatheory (Frumin et al., 2023, Stepanenko et al., 12 Dec 2025).