Footprints in Local Reasoning

Local reasoning about programs exploits the natural local behaviour common in programs by focussing on the footprint - that part of the resource accessed by the program. We address the problem of formally characterising and analysing the footprint notion for abstract local functions introduced by Calcagno, O Hearn and Yang. With our definition, we prove that the footprints are the only essential elements required for a complete specification of a local function. We formalise the notion of small specifications in local reasoning and show that for well-founded resource models, a smallest specification always exists that only includes the footprints, and also present results for the non-well-founded case. Finally, we use this theory of footprints to investigate the conditions under which the footprints correspond to the smallest safe states. We present a new model of RAM in which, unlike the standard model, the footprints of every program correspond to the smallest safe states, and we also identify a general condition on the primitive commands of a programming language which guarantees this property for arbitrary models.


INTRODUCTION
Local reasoning about programs focusses on the collection of resources directly acted upon by the program.It has recently been introduced and used to substantial effect in local Hoare reasoning about memory update.Researchers previously used Hoare reasoning based on First-order Logic to specify how programs interacted with the whole memory.O'Hearn, Reynolds and Yang instead introduced local Hoare reasoning based on Separation Logic [14,11].The idea is to reason only about the local parts of the memory-the footprints-that are accessed by a program.Intuitively, the footprints form the pre-conditions of the small axioms, which provide the smallest complete specification of the program.All the true Hoare triples are derivable from the small axioms and the general Hoare rules.In particular, the frame rule extends the reasoning to properties about the rest of the heap which has not been changed by the command.
O'Hearn, Reynolds and Yang originally introduced Separation Logic to solve the problem of how to reason about the mutation of data structures in memory.They have applied their reasoning to several memory models, including heaps based on pointer arithmetic [14], heaps with permissions [4], and the combination of heaps with variable stacks which views variables as resource [5,17].In each case, the basic soundness and completeness results for local Hoare reasoning are essentially the same.For this reason, Calcagno, O'Hearn and Yang [9] recently introduced abstract local functions over abstract resource models which they call separation algebras.They generalised their specific examples of local imperative commands and memory models in this abstract framework.They introduced Abstract Separation Logic to provide local Hoare reasoning about such functions, and give general soundness and completeness results.
We believe that the general concept of a local function is a fundamental step towards establishing the theoretical foundations of local reasoning, and Abstract Separation Logic is an important generalisation of the local Hoare reasoning systems now widely studied in the literature.However, Calcagno, O'Hearn and Yang do not characterise the footprints and small axioms in this general theory, which is a significant omission.O'Hearn, Reynolds and Yang, in one of their first papers on the subject [14], state the local reasoning viewpoint as: 'to understand how a program works, it should be possible for reasoning and specification to be confined to the cells that the program actually accesses.The value of any other cell will automatically remain unchanged.'A complete understanding of the foundations of local Hoare reasoning therefore requires a formal characterisation of the footprint notion.O'Hearn tried to formalise footprints in his work on Separation Logic (personal communication with O'Hearn).His intuition was that the footprints should be the smallest states on which the program is safe -the safety footprint, and that the small axioms arising from these footprints should give rise to a complete specification using the general rules for local Hoare reasoning.However, Yang discovered that this notion of footprint does not work, since it does not always yield a complete specification for the program.Consider the program 1AD ::= x := new(); dispose(x) This allocate-deallocate program allocates a new cell, stores its address value in the stack variable x, and then deallocates the cell.It is local because all its atomic constituents are local.This tiny example captures the essence of a common type of program; there are many programs which, for example, create a list, work on the list, and then destroy the list.
The smallest heap on which the AD program is safe is the empty heap emp.The specification using this pre-condition is: We can extend our reasoning to larger heaps by applying the frame rule: for example, extending to a one-cell heap with arbitrary address l and value v gives However, axiom (1) does not give the complete specification of the AD program.In fact, it captures very little of the spirit of allocation followed by de-allocation.For example, the following triple is also true: This triple (3) is true because, if l is already allocated, then the new address cannot be l and hence x cannot be l.It cannot be derived from (1).However, the combination of axiom (1) and axiom (3) for arbitrary one-cell heaps does provide the smallest complete specification.This example illustrates that O'Hearn's intuitive view of the footprints as the minimal safe states just does not work for common imperative programs.
In this paper, we introduce the formal definition of the footprint of a local function that does yield a complete specification for the function.For our AD example, our definition identifies emp and the arbitrary one-cell heaps l → v as footprints, as expected.We prove the general result that, for any local function, the footprints are the only elements which are essential to specify completely the behaviour of this function.
We then investigate the question of sufficiency.For well-founded resource, we show that the footprints are also always sufficient: that is, a complete specification always exists that only uses the footprints.We also explore results for the non-well-founded case, which depend on the presence of negativity.A resource has negativity if it is possible to combine two non-unit elements to get the unit, which is like taking two non-empty pieces of resource and joining them to get nothing.For non-well-founded models without negativity, such as heaps with infinitely divisible fractional permissions, either the footprints are sufficient (such as for the write command in the permissions model) or there is no smallest complete specification (such as for the read command in the permissions model).For models with negativity, such as the integers under addition, we show that there do exist smallest complete specifications based on elements that are not essential and hence not footprints.
In the final section, we apply our theory of footprints to the issue of regaining the safety footprints.We address a question that arose from discussions with O'Hearn and Yang, which is whether there is an alternative model of RAM in which the safety footprint does correspond to the actual footprint, yielding complete specifications.We present such a model based on an examination of the cause of the AD problem in the original model.We prove that in this new model the footprint of every program, including AD, does correspond to the safety footprint.Moreover, we identify a general condition on the primitive commands of a programming language which ensures that this property holds in arbitrary models.
A preliminary version of this paper was presented at the FOSSACS 2008 conference.The final section reports on work that is new to this journal version.This paper also contains the proofs which were excluded from the conference paper.

BACKGROUND
The discussion in this paper is based on the framework introduced in [9], where the approach of local reasoning about programs with separation logic was generalised to local reasoning about local functions that act on an abstract model of resource.Our objective in this work is to investigate the notion of footprint in this abstract setting, and this section gives a description of the underlying framework.

Separation Algebras and Local
Functions.We begin by describing separation algebras, which provide a model of resource which generalises over the specific heap models used in separation logic works.Informally, a separation algebra models resource as a set of elements that can be 'glued' together to create larger elements.The 'glueing' operator satisfies properties in accordance with this resource intuition, such as commutativity and associativity, as well as the cancellation property which requires that, if we are given an element and a subelement, then 'ungluing' that subelement gives us a unique element.

Definition 2.1 (Separation Algebra).
A separation algebra is a cancellative, partial commutative monoid (Σ, •, u), where Σ is a set and • is a partial binary operator with unit u.The operator satisfies the familiar axioms of associativity, commutativity and unit, using a partial equality on Σ where either both sides are defined and equal, or both are undefined.It also satisfies the cancellative property stating that, for each σ ∈ Σ, the partial function σ • (•) : Σ → Σ is injective.
We shall sometimes overload notation, using Σ to denote the separation algebra (Σ, •, u).Examples of separation algebras include multisets with union and unit ∅, the natural numbers with addition and unit 0, heaps as finite partial functions from locations to values ( [9] and example 2.8), heaps with permissions [9,4], and the combination of heaps and variable stacks enabling us to model programs with variables as local functions ( [9], [17] and example 2.8).These examples all have an intuition of resource, with σ 1 • σ 2 intuitively giving more resource than just σ 1 and σ 2 for σ 1 , σ 2 = u.However, notice that the general notion of a separation algebra also permits examples which may not have this resource intuition, such as {a, u} with a • a = u.Since our aim is to investigate general properties of local reasoning, our inclination is to impose minimal restrictions on what counts as resource and to work with a simple definition of a separation algebra.Definition 2.2 (Separateness and substate).Given a separation algebra (Σ, •, u), the separateness (#) relation between two states σ 0 , σ 1 ∈ Σ is given by σ Proof.Existence follows by definition of .For uniqueness, assume there exist σ and thus by the cancellation property we have σ ′ = σ ′′ .
We consider functions on separation algebras that generalise imperative programs operating on heaps.Such programs can behave non-deterministically, and can also fault.To model nondeterminism, we consider functions from a separation algebra Σ to its powerset P(Σ).To model faulting, we add a special top element ⊤ to the powerset.We therefore consider total functions of the form f : Σ → P(Σ) ⊤ .On any element of Σ, the function can either map to a set of elements, which models safe execution with non-deterministic outcomes, or to ⊤, which models a faulting execution.Mapping to the empty set represents divergence (non-termination).
Definition 2.4.The standard subset relation on the powerset is extended to P(Σ) ⊤ by defining p ⊑ ⊤ for all p ∈ P(Σ) ⊤ .The binary operator * on P(Σ) ⊤ is given by ⊤ is a total commutative monoid under * with unit {u}.
Definition 2.5 (Function ordering).For functions f, g : We shall only consider functions that are well-behaved in the sense that they act locally with respect to resource.For imperative commands on the heap model, the locality conditions were first characterised in [21], where a soundness proof for local reasoning with separation logic was demonstrated for the specific heap model.The conditions identified were • Safety monotonicity: if the command is safe on some heap, then it is safe on any larger heap.
• Frame property: if the command is safe on some heap, then in any outcome of applying the command on a larger heap, the additional heap portion will remain unchanged by the command.
In [9], these two properties were amalgamated and formulated for abstract functions on arbitrary separation algebras.

Definition 2.6 (Local Function
).A local function on Σ is a total function f : Σ → P(Σ) ⊤ which satisfies the locality condition: We let LocF unc be the set of local functions on Σ.
Intuitively, we think of a command to be local if, whenever the command executes safely on any resource element, then the command will not 'touch' any additional resource that may be added.Safety monotonicity follows from the above definition because, if f is safe on σ (f (σ) ⊏ ⊤), then it is safe on any larger state, since f (σ The frame property follows by the fact that the additional state σ ′ is preserved in the output of f (σ ′ • σ).Note, however, that the ⊑ ordering allows for reduced non-determinism on larger states.This, for example, is the case for the AD command from the introduction which allocates a cell, assigns its address to stack variable x, and then deallocates the cell.On the empty heap, its result would allow all possible values for variable x.However, on the larger heap where cell 1 is already allocated, its result would allow all values for x except 1, and we therefore have a more deterministic outcome on this larger state.Lemma 2.7.Locality is preserved under sequential composition, non-deterministic choice and Kleene-star, which are defined as Example 2.8 (Separation algebras and local functions).
(1) Plain heap model.A simple example is the separation algebra of heaps (H, •, u H ), where H = L ⇀ fin V al are finite partial functions from a set of locations L to a set of values V al with L ⊆ V al, the partial operator • is the union of partial functions with disjoint domains, and the unit u H is the function with the empty domain.For h ∈ H, let dom(h) be the domain of h.We write l → v for the partial function with domain {l} that maps l to v.For . An example of a local function is the dispose[l] command that deletes the cell at location l: (2) Heap and stack.There are two approaches to modelling the stack in the literature.One is to treat the stack as a total function from variables to values, and only combine two heap and stack pairs if the stacks are the same.The other approach, which we use here, is to allow splitting of the variable stack and treat it as part of the resource.We can incorporate the variable stack into the heap model by using the set H = L ∪ V ar ⇀ fin V al, where L and V al are as before and V ar is the set of stack variables {x, y, z, ...}.The • operator combines heap and stack portions with disjoint domains, and is undefined otherwise.The unit u H is the function with the empty domain which represents the empty heap and empty stack.Although this approach is limited to disjoint reference to stack variables, this constraint can be lifted by enriching the separation algebra with permissions [4].However, this added complexity using permissions can be avoided for the discussion in this paper.For a state h ∈ H, we let loc(h) and var(h) denote the set of heap locations and stack variables in the domain of h respectively.In this model we can define the allocation and deallocation commands as Commands for heap mutation and lookup can be defined as The AD command described in the introduction, which is the composition new[x]; dispose[x], corresponds to the following local function Note that in all cases, any stack variables that the command refers to should be in the stack in order for the command to execute safely, otherwise the command will be acting non-locally.(3) Integers.The integers form a separation algebra under addition with identity 0. In this case we have that any 'adding' function f (x) = {x + c} that adds a constant c is local, while a function that multiplies by a constant c, f (x) = {cx}, is non-local in general.However, the integers under multiplication also form a separation algebra with identity 1, and in this case every multiplying function is local but not every adding function.This illustrates the point that the notion of locality of commands depends on the notion of separation of resource that is being used.

Predicates, Specifications and Local Hoare
Reasoning.We now present the local reasoning framework for local functions on separation algebras.This is an adaptation of Abstract Separation Logic [9], with some minor changes in formulation for the purposes of this paper.Predicates over separation algebras are treated simply as subsets of the separation algebra.
Definition 2.9.A predicate p over Σ is an element of the powerset P(Σ).
Note that the top element ⊤ is not a predicate and that the * operator, although defined on P(Σ) ⊤ × P(Σ) ⊤ → P(Σ) ⊤ , acts as a binary connective on predicates.We have the distributive law for union that, for any X ⊆ P(Σ), The same is not true for intersection in general, but does hold for precise predicates.A predicate is precise if, for any state, there is at most a single substate that satisfies the predicate.Definition 2.10 (Precise predicate).A predicate p ∈ P(Σ) is precise iff, for every σ ∈ Σ, there exists at most one σ p ∈ p such that σ p σ.
Thus, with precise predicates, there is at most a unique way to break a state to get a substate that satisfies the predicate.Any singleton predicate {σ} is precise.Another example of a precise predicate is {l → v | v ∈ V al} for some l, while {l → v | l ∈ L} for some v is not precise.

Lemma 2.11 (Precision characterization).
A predicate p is precise iff, for all X ⊆ P(Σ), ( X) * p = {x * p | x ∈ X} Proof.We first show the left to right direction.Assume p is precise.We have to show that for all Thus we have σ 2 ∈ x for all x ∈ X, and so σ 2 ∈ X. Hence we have σ ∈ ( X) * p.
For the other direction, we assume that p is not precise and show that there exists an X such that ( X) * p = {x * p | x ∈ X}.Since p is not precise, there exists σ ∈ Σ such that, for two distinct σ 1 , σ 2 ∈ p, we have σ 1 σ and However, because of the cancellation property, we also have that σ ′ 1 = σ ′ 2 , and so ( X) * p = ∅ * p = ∅.Hence, σ ∈ ( X) * p, and we therefore have Our Hoare reasoning framework is formulated with tuples of pre-and post-conditions, rather than the usual Hoare triples that include the function as in [9].In our case the standard triple shall be expressed as a function f satisfying a tuple (p, q), written f |= (p, q).The reason for this is that we shall be examining the properties that a pre-and post-condition tuple may have with respect to a given function, such as whether a given tuple is complete for a given function.This approach is very similar to the notion of the specification statement (a Hoare triple with a 'hole') introduced in [12], which is used in refinement calculi, and was also used to prove completeness of a local reasoning system in [21].Definition 2.12 (Specification).Let Σ be a separation algebra.A statement on Σ is a tuple (p, q), where p, q ∈ P(Σ) are predicates.A specification φ on Σ is a set of statements.We let Φ Σ = P(P(Σ) × P(Σ)) denote the set of all specifications on Σ.We shall exclude the subscript when it is clear from the context.The domain of a specification is defined as Thus the domain is the union of the preconditions of all the statements in the specification.It is one possible measure of size: how much of Σ the specification is referring to.We also adapt the notion of precise predicates to specifications.Definition 2.13.A specification is precise iff its domain is precise.

Definition 2.14 (Satisfaction). A local function
Definition 2.15 (Semantic consequence).Let p, q, r, s ∈ P(Σ) and φ, ψ ∈ Φ.Each judgement (p, q) |= (r, s), φ |= (p, q), (p, q) |= φ, and φ |= ψ holds iff all local functions that satisfy the left hand side also satisfy the right hand side.Proposition 2.16 (Order Characterization).f ⊑ g iff, for all p, q ∈ P(Σ), g |= (p, q) implies f |= (p, q).For every specification φ, there is a 'best' local function satisfying φ (lemma 2.18), in the sense that all statements that the best local function satisfies are satisfied by any local function that satisfies φ.For example, in the heap and stack separation algebra of example 2.8.2, consider the specification There are many local functions that satisfy this specification.Trivially, the local function that always diverges satisfies it.Another example is the local function that assigns the value w of the newly allocated cell to be 0, rather than any non-deterministically chosen value.However, the best local function for this specification is the new[x] function described in example 2.8.2, as it can be checked that for any local function f satisfying φ new , we have f ⊑ new[x].The notion of the best local function shall be used when addressing questions about completeness of specifications.It is adapted from [9], except that we generalise to the best local function of a specification rather than a single pre-and post-condition pair.

Definition 2.17 (Best local function). For a specification
As an example, it can be checked that the best local function bla[φ new ] of the specification φ new given above is indeed the function new[x] described in example 2.8.2.The following lemma presents the important properties which characterise the best local function.
To show that bla[φ] satisfies φ, consider (p, q) ∈ φ and σ ∈ p. Then bla[φ](σ) ⊑ {u} * q = q.For the last point, suppose f is local and f |= φ.Then, for any In the case that there do not exist (by definition 2.15).
The inference rules of the proof system are given in figure 1. Consequence, union and intersection are adaptations of standard rules of Hoare logic.The frame rule is what permits local reasoning, as it codifies the fact that, since all functions are local, any assertion about a separate part of resource will continue to hold for that part after the application of the function.We omit the standard rules for basic constructs such as sequential composition, non-deterministic choice, and Kleene-star which can be found in [9].Definition 2.20 (Proof-theoretic consequence).For predicates p, q, r, s and specifications φ, ψ, each of the judgements (p, q) ⊢ (r, s), φ ⊢ (p, q), (p, q) ⊢ φ, and φ ⊢ ψ holds iff the right-hand side is derivable from the left-hand side by the rules in figure 1.
The proof system of figure 1 is sound and complete with respect to the satisfaction relation.Proof.Soundness can be checked by checking each of the proof rules in figure 1.The frame rule is sound by the locality condition, and the others are easy to check.
For completeness, assume we are given φ |= (p, q).By lemma 2.19, we have bla[φ] |= (p, q).So for all σ ∈ p, bla[φ](σ) ⊑ q, which implies Now we have the following derivation: The last step in the proof is by ( * ) and the rule of consequence.Note that the intersection rule can be safely applied because the argument of the intersection is necessarily non-empty (if it were empty then bla[φ](σ) = ⊤, which contradicts bla[φ](σ) ⊑ q).

PROPERTIES OF SPECIFICATIONS
We discuss certain properties of specifications as a prerequisite for our main discussion on footprints in Section 4. We introduce the notion of a complete specification for a local function, which is a specification from which follows every property that holds for the function.However, a function may have many complete specifications, so we introduce a canonical form for specifications.We show that of all the complete specifications of a local function, there exists a unique canonical complete specification for every domain.As discussed in the introduction, an important notion of local reasoning is the small specification which completely describes the behaviour of a local function by mentioning only the footprint.Thus, as a prerequisite to investigating their existence, we formalise small specifications as complete specifications with the smallest possible domain.Similarly, we define big specifications as complete specifications with the biggest domain.Definition 3.1 (Complete Specification).A specification φ ∈ Φ is a complete specification for f , written complete(φ, f ), iff, for all p, q ∈ P(Σ),f |= (p, q) ⇔ φ |= (p, q).Let Φ comp(f ) be the set of all complete specifications of f. φ is complete for f whenever the tuples that hold for f are exactly the tuples that follow from φ.This also means that any two complete specfications φ and ψ for a local function are semantically equivalent, that is, φ ψ.The following proposition illustrates how the notions of best local action and complete specification are closely related.Proposition 3.2.For all φ ∈ Φ and local functions f , complete(φ, f Then, by lemma 2.19, we have that φ is a complete specification for f . For the converse, assume complete(φ, f ).We shall show that for any σ ∈ Σ, Any specification is therefore only complete for a unique local function, which is its best local action.However, a local function may have lots of complete specifications.For example, if φ is a complete specification for f and (p, q) ∈ φ, then φ ∪ {(p, q ′ )} is also complete for f if q ⊆ q ′ .For this reason it will be useful to have a canonical form for specifications.Definition 3.3 (Canonicalisation).The canonicalisation of a specification φ is defined as Notice that a given local function does not necessarily have a unique canonical complete specification.For example, both {({u}, {u})} and {({u}, {u}), ({σ}, {σ})}, for some σ ∈ Σ, are canonical complete specifications for the identity function.Proof.We first show φ φ can .For any (p, q) ∈ φ can , (p, q) is of the form ({σ}, bla[φ](σ)) for some σ ∈ D(φ).So we have bla[φ] |= (p, q), and so φ |= (p, q) by lemma 2.19.We now show φ can φ.For any (p, q) ∈ φ, we have bla[φ] |= (p, q).So for all σ ∈ p, bla[φ](σ) ⊑ q, which implies Now we have the following derivation: The last step is by ( * ) and consequence.So we have φ can ⊢ φ, and by soundness φ can |= φ.
Thus, the canonicalisation of a specification is logically equivalent to the specification.The following corollary shows that all complete specifications that have the same domain have a unique canonical form, and specifications of different domains have different canonical forms.
Proof.By proposition 3.2, all complete specifications for f have the same best local action, which is f itself.So by the definition of canonicalisation, it can be seen that complete specifications with different domains have different canonicalisations, and complete specifications with the same domain have the same canonicalisation.This shows that the mapping is well-defined and injective.Every canonical complete specification φ is also complete, and [φ]∼ =D maps to φ can = φ, so the mapping is surjective.Definition 3.6 (Small and Big specifications).φ is a small specification for f iff φ ∈ Φ comp(f ) and there is no ψ ∈ Φ comp(f ) such that D(ψ) ⊏ D(φ).A big specification is defined similarly.
Small and big specifications are thus the specifications with the smallest and biggest domains respectively.The question is if/when small and big specifications exist.The following result shows that a canonical big specification exists for every local function.

Proposition 3.7 (Big Specification). For any local function f , the canonical big specification for f is given by
Proof.f |= φ big(f ) is trivial to check.To show complete(φ big(f ) , f ), assume f |= (p, q) for some p, q ∈ P(Σ).Note that, for any σ ∈ p, f (σ) ⊑ q and so σ∈p f (σ) ⊑ q.We then have the derivation By soundness we get φ big(f ) |= (p, q).φ big(f ) has the biggest domain because f would fault on any element not included in φ big(f ) .
The notion of a small specification has until now been used in an informal sense in local reasoning papers [14,4,7] as specifications that completely specify the behaviour of an update command by only describing the command's behaviour on the part of the resource that it affects.Although these papers present examples of such specifications for specific commands, the notion has so far not received a formal treatment in the general case.The question of the existence of small specifications is strongly related to the concept of footprints, since finding a small specification is about finding a complete specification with the smallest possible domain, and therefore enquiring about which elements of Σ are essential and sufficient for a complete specification.This requires a formal characterisation of the footprint notion, which we shall now present.

FOOTPRINTS
In the introduction we discussed how the AD program demonstrates that the footprints of a local function do not correspond simply to the smallest safe states, as these states alone do not always yield complete specifications.In this section we introduce the definition of footprint that does yield complete specifications.In order to understand what the footprint of a local function should be, we begin by analysing the definition of locality.Recall that the definition of locality (definition 2.6) says that the action on a certain state σ 1 imposes a limit on the action on a bigger state Another way of viewing this definition is that for any state σ, the action of the function on that state has to be within the limit imposed by every substate In the case where σ ′ = σ, this condition is trivially satisfied for any function (local or non-local).The distinguishing characteristic of local functions is that this condition is also satisfied by every strict substate of σ, and thus we have We define this overall constraint imposed on σ by all of its strict substates as the local limit of f on σ, and show that the locality definition is equivalent to satisfying the local limit constraint.Definition 4.1 (Local limit).For a local function f on Σ and σ ∈ Σ, the local limit of f on σ is defined as is therefore smaller than the intersection of all these sets, which is L f (σ).
For the converse, assume the rhs and that Thus for any local function f acting on a certain state σ, the local limit determines a smallest upper bound on the possible outcomes on σ, based on the outcomes on all smaller states.If this smallest upper bound does correspond exactly to the set of all possible outcomes on σ, then σ is 'large enough' that just the action of f on smaller states and the locality of f determines the complete behaviour of f on σ.In this case we will not think of σ as a footprint of f , as smaller states are sufficient to determine the action of f on σ.With this observation, we define footprints as those states on which the outcomes cannot be determined only by the smaller states, that is, the set of outcomes is a strict subset of the local limit.

Definition 4.3 (Footprint). For a local function f and σ
We denote the set of footprints of f by F (f ).
Note that an element σ is therefore not a footprint if and only if the action of f on σ is at the local limit, that is f (σ) = L f (σ).Proof.Let σ be a smallest safe state for f .Then for any σ ′ ≺ σ, f (σ ′ ) = ⊤.Therefore L f (σ) = ⊤ and so f (σ) ⊏ L f (σ).
However, the smallest safe states are not always the only footprints.An example is the AD command discussed in the introduction.The empty heap is a footprint as it is the smallest safe heap, but the heap cell l → v is also a footprint.
Example 4.5 (Dispose).The footprints of the dispose[l] command in the plain heap model (example 2.8.1) are the cells at location l.We check this by considering the following cases (1) The empty heap, u H , is not a footprint since By proposition 4.2, we have The intuition is that σ does not characterise any 'new' behaviour of the function: its action on σ is just a consequence of its action on the cells at location l and the locality property of the function.
(4) Every state σ such that σ ≻ (l → v) for some v is not a footprint Example 4.6 (AD command).The AD (Allocate-Deallocate) command was defined on the heap and stack model in example 2.8.2.We have the following cases for σ.
Our footprint definition therefore works properly for these specific examples.Now we give the formal general result which captures the underlying intuition of local reasoning, that the footprints of a local function are the only essential elements for a complete specification of the function.

Theorem 4.7 (Essentiality). The footprints of a local function are the essential domain elements for any complete specification of that function, that is,
Proof.Assume some fixed f and σ.We establish the following equivalent statement : We first show the right to left implication.So assume φ is a complete specification of f such that σ ∈ D(φ).Since complete(φ, f ), by proposition 3.2, we have Now for any set {σ − σ 1 } * q in the above intersection, we have that σ 1 ∈ p, and (p, q) ∈ φ for some p.Since σ 1 ∈ p, we have f (σ 1 ) ⊑ q, and therefore {σ − σ 1 } * f (σ 1 ) ⊑ {σ − σ 1 } * q.Also, σ 1 = σ, because otherwise we would have σ ∈ p, which would contradict the assumption that σ / ∈ D(φ).So σ 1 ≺ σ and we have So the local limit is smaller than each set {σ − σ 1 } * q in the intersection, and therefore it is smaller than the intersection itself: L f (σ) ⊑ f (σ).We know from proposition 4.2 that f (σ) ⊑ L f (σ), so we get f (σ) = L f (σ) and therefore ¬F f (σ).
We now show the left to right implication.Assume that σ is not a footprint of f .We shall use the big specification, φ big(f ) , to construct a complete specification of f which does not contain σ in its domain.If f (σ) = ⊤ then the big specification itself is such a specification, and we are done.Otherwise assume f (σ) ⊏ ⊤.Let φ = φ big(f ) /{({σ}, f (σ))}.It can be seen that σ / ∈ D(φ).Now we need to show that φ is complete for f .For this it is sufficient to show φ ⊣⊢ φ big(f ) because we know that φ big(f ) is complete for f .The right to left direction, φ ⊣ φ big(f ) , is trivial.
For φ ⊢ φ big(f ) , we just need to show φ ⊢ ({σ}, f (σ)).We have the following derivation: The intersection rule can be safely applied as there is at least one σ ′ ≺ σ such that f (σ ′ ) ⊏ ⊤.This is because f (σ) ⊏ ⊤, so if there were no such σ ′ then σ would be a footprint, which is a contradiction.Note that the last step uses the fact that because adding the top element to an intersection does not change its value.Since σ is not a footprint, f (σ) = L f (σ), and so φ ⊢ ({σ}, f (σ)).

SUFFICIENCY AND SMALL SPECIFICATIONS
We know that the footprints are the only elements that are essential for a complete specification of a local function in the sense that every complete specification must include them.Now we ask when a set of elements is sufficient for a complete specification of a local function, in the sense that there exists a complete specification of the function that only includes these elements.In particular, we wish to know if the footprints alone are sufficient.To study this, we begin by identifying the notion of the basis of a local function.

5.1.
Bases.In the last section we defined the local limit of a function f on a state σ as the constraint imposed on f by all the strict substates of σ.This was used to identify the footprints as those states on which the action of f cannot be determined by just its action on the smaller states.We are now addressing the question of when a set of states is sufficient to determine the behaviour of f on any state.We shall do this by identifying a fixed set of states, which we call a basis for f , such that the action of f on any state σ can be determined by just the substates of σ taken from this set (rather than all the strict substates of σ).Thus we first generalise the local limit definition to consider the constraint imposed by only the substates taken from a given set.Definition 5.1 (Local limit imposed by a set).For a subset A of a separation algebra Σ, the local limit imposed by A on the action of f on σ is defined by Sometimes, the local limit imposed by A is enough to completely determine f .In this case, we call A a basis for f .Definition 5.2 (Basis).A ⊑ Σ is a basis for f , written basis(A, f ), iff L A,f = f .This means that, when given the action of f on elements in A alone, we can determine the action of f on any element in Σ by just using the locality property of f .Every local function has at least one basis, namely the trivial basis Σ itself.We next show the correspondence between the bases and complete specifications of a local function.
Proof.We have L A,f = bla[φ A,f ] by definition.The result follows by proposition 3.2 and the definition of basis.
For every canonical complete specification φ ∈ Φ can(f ) , we have φ = φ D(φ),f .By the previous lemma it follows that D(φ) forms a basis for f .The lemma therefore shows that every basis determines a complete canonical specification, and vice versa.This correspondence also carries over to all complete specifications for f by the fact that every domain-equivalent class of complete specifications for f is represented by the canonical complete specification with that domain (corollary 3.5).By the essentiality of footprints (theorem 4.7), it follows that the footprints are present in every basis of a local function.
Lemma 5.4.The footprints of f are included in every basis of f.Proof.Every basis A of f determines a complete specification for f the domain of which is a subset of A. By the essentiality theorem (4.7), the domain includes the footprints.
The question of sufficiency is about how small the basis can get.Given a local function, we wish to know if it has a smallest basis.

5.2.
Well-founded Resource.We know that every basis must contain the footprints.Thus if the footprints alone form a basis, then the function will have a smallest complete specification whose domain are just the footprints.We find that, for well-founded resource models, this is indeed the case.

Theorem 5.5 (Sufficiency I). If a separation algebra Σ is well-founded under the relation, then the footprints of any local function form a basis for it, that is
Proof.Assume that Σ is well-founded under .We shall show by induction that case 1: Assume σ is a footprint of f .We have f (σ) = {u} * f (σ) is in the intersection in the definition of L F (f ),f (σ), and so L F (f ),f (σ) ⊑ f (σ).We have by locality that f (σ) ⊑ L F (f ),f (σ), and so f (σ) = L F (f ),f (σ).case 2: Assume σ is not a footprint of f .We have In section 3, the notions of big and small specifications were introduced (definition 3.6), and the existence of a big specification was shown (proposition 3.7).We are now in a position to show the existence of the small specification for well-founded resource.If Σ is well-founded, then every local function has a small specification whose domain is the footprints of the function.

Corollary 5.6 (Small specification).
For well-founded separation algebras, every local function has a small specification given by φ F (f ),f .Proof.φ F (f ),f is complete by theorem 5.5 and lemma 5.3.It has the smallest domain by the essentiality theorem.
Thus, for well-founded resource, the footprints are always essential and sufficient, and specifications need not consider any other elements.In practice, small specifications may not always be in canonical form even though they always have the same domain as the canonical form.For example, the heap dispose command can have the specification In practical examples it is usually the case that resource is well-founded.A notable exception is the fractional permissions model [4] in which the resource includes 'permissions to access', which can be indefinitely divided.We next investigate the non-well-founded case.

Non-well-founded Resource.
If a separation algebra is non-well-founded under the relation, then there is some infinite descending chain of elements σ 1 ≻ σ 2 ≻ σ 3 .... From a resourceoriented point of view, there are two distinct ways in which this could happen.One way is when it is possible to remove non-empty pieces of resource from a state indefinitely, as in the separation algebra of non-negative real numbers under addition.In this case any infinite descending chain does not have more than one occurrence of any element.Another way is when an infinite chain may exist because of repeated occurrences of some elements.This happens when there is negativity present in the resource: some elements have inverses in the sense that adding two non-unit elements together may give the unit.An example is the separation algebra of integers under addition, where 1 + (−1) = 0, so adding -1 to 1 is like adding negative resource.Also, since 1 = 0 + 1, we have that 1 ≻ 0 ≻ 1... forms an infinite chain.Definition 5.7 (Negativity).A separation algebra Σ has negativity iff there exists a non-unit element σ ∈ Σ that has an inverse; that is, σ = u and σ • σ ′ = u for some σ ′ ∈ Σ.We say that Σ is non-negative if no such element exists.
All separation algebras with negativity are non-well-founded because, for elements σ and σ ′ such that σ • σ ′ = u, the set {σ, u} forms an infinite descending chain (there is no least element).All well-founded models are therefore non-negative.For the general non-negative case, we find that either the footprints form a basis, or there is no smallest basis.Theorem 5.8 (Sufficiceny II).If Σ is non-negative then, for any local f , either the footprints form a smallest basis or there is no smallest basis for f.Proof.Let A be a basis for f (we know there is at least one, which is the trivial basis Σ itself).If A is the set of footprints then we are done.So assume A contains some non-footprint µ.We shall show that there exists a smaller basis for f , which is A/{µ}.So it suffices to show f (σ) = L A/{µ},f (σ) for all σ ∈ Σ. case 1: µ σ.We have as desired case 2: µ σ.This implies It remains to show that the right hand side of this intersection contains the left hand side: Corollary 5.9 (Small Specification).If Σ is non-negative, then every local function either has a small specification given by φ F (f ),f or there is no smallest complete specification for that function.
Example 5.10 (Permissions).The fractional permissions model [4] is non-well-founded and nonnegative.It can be represented by the separation algebra HPerm = L ⇀ fin V al × P where L and V al are as in example 2.8, and P is the interval (0, 1] of rational numbers.Elements of P represent 'permissions' to access a heap cell.A permission of 1 for a cell means both read and write access, while any permission less than 1 is read-only access.The operator • joins disjoint heaps and adds the permissions together for any cells that are present in both heaps only if the resulting permission for each heap cell does not exceed 1; the operation is undefined otherwise.In this case, the write function that updates the value at a location requires a permission of at least 1 and faults on any smaller permission.It therefore has a small specification with precondition being the cell with permission 1.The read function, however, can execute safely on any positive permission, no matter how small.Thus, this function can be completely specified with a specification that has a precondition given by the cell with permission z, for all 0 < z ≤ 1.However, this is not a smallest specification, as a smaller one can be given by further restricting 0 < z ≤ 0.5.We can therefore always find a smaller specification by reducing the value of z but keeping it positive. For resource with negativity, we find that it is possible to have small specifications that include non-essential elements (which by theorem 4.7 are not footprints).These elements are non-essential in the sense that complete specifications exist that do not include them, but there is no complete specification that includes only essential elements.
Example 5.11 (Integers).An example of a model with negativity is the separation algebra of integers (Z, +, 0).In this case there can be local functions which can have small specifications that contain non-footprints.Let f : Z → P(Z) ⊤ be defined as f (n) = {n + c} for some constant c, as in example 2.8.f is local, but it has no footprints.This is because for any n, f (n) = 1 + f (n − 1), and so n is not a footprint of f .However, f does have small specifications, for example, {({0}, {c})}, {({5}, {5 + c})}, or indeed {({n}, {n + c})} for any n ∈ Z.So although every element is nonessential, some element is required to give a complete specification.

REGAINING SAFETY FOOTPRINTS
In the introduction we discussed how the notion of footprints as the smallest safe states -the safety footprint-is inadequate for giving complete specifications, as illustrated by the AD example.For this reason, so far in this paper we have investigated the general notion of footprint for arbitrary local functions on arbitrary separation algebras.Equipped with this general theory, we now investigate how the regaining of safety footprints may be achieved with different resource modelling choices.We start by presenting an alternative model of RAM, based on an investigation of why the AD phenomenon occurs in the standard model.We then demonstrate that the footprints of the AD command in this new model do correspond to the safety footprints.In the final section we identify, for arbitrary separation algebras, a condition on local functions which guarantees the equivalence of the safety footprint and the actual footprint.We then show that if this condition is met by all the primitive commands of a programming language then the safety footprints are regained for every program in the language, and finally show that this is indeed the case in our new RAM model.

6.
1.An alternative model.In this section we explore an alternative heap model in which the safety footprints do correspond to the actual footprints.We begin by taking a closer look at why the AD anomaly occurs in the standard heap and stack model described in example 2.8.2.Consider an application of the allocation command in this model: The intuition of locality is that the initial state 42 → v • x → w is only describing a local region of the heap and the stack, rather than the whole global state.In this case it says that the address 42 is initially allocated, and the definition of the allocation command is that the resulting state will have a new cell, the address of which can be anything other than 42.However, we notice that the initial state is in fact not just describing only its local region of the heap.It does state that 42 is allocated, but it also implicitly states a very global property: that all other addresses are not allocated.This is why the allocation command can choose to allocate any location that is not 42.Thus in this model, every local state implicitly contains some global allocation information which is used by the allocation command.In contrast, a command such as mutate does not require this global 'knowledge' of the allocation status of any other cell that it is not affecting.Now the global information of which cells are free changes as more resource is added to the initial state, so this can lead to program behaviour being sensitive to the addition of more resource to the initial state, and this sensitivity is apparant in the case of the AD program.
Based on this observation, we consider an alternative model.As before, a state l → v will represent a local allocated region of the heap at address l with value v.However, unlike before, this state will say nothing about the allocation status any locations other than l.This information about the allocation status of other locations will be represented explicitly in a free set, which will contain every location that is not allocated in the global heap.The model can be interpreted from an ownership point of view, where the free set is to be thought of as a unique, atomic piece of resource, ownership of which needs to be obtained by a command if it wants to do allocation or deallocation.An analogy is with the permissions model: a command that wants to read or write to a cell needs ownership of the appropriate permission on that cell.In the same way, in our new model, a command that wants to do allocation or deallocation needs to have ownership of the free set: the 'permission' to see which cells are free in the global heap so that it can choose one of them to allocate, or update the free set with the address that it deallocates.On the other hand, commands that only read or write to cells shall not require ownership of the free set.Example 6.1 (Heap model with free set).Formally, we work with a separation algebra (H, •, u H ). Let L, V ar and V al be locations, variables and values, as before.States h ∈ H are given by the grammar: ar and F ∈ P(L).The operator • is undefined for states with overlapping locations or variables.Let loc(h) and var(h) be the set of locations and variables in state h respectively.The set F carries the information of which locations are free.Thus we allow at most one free set in a state, and the free set must be disjoint from all locations in the state.So h • F is only defined when loc(h) ∩ F = ∅ and h = h ′ • F ′ for any h ′ and F ′ .We assume • is associative and commutative with unit u H .
In this model, the allocation command requires ownership of the free set for safe execution, since it chooses the location to allocate from this set.It removes the chosen address from the free set as it allocates the cell.It is defined as Note that the output states h ′ • x → l • l → w • F \{l} are defined, since we have l ∈ F \{l} and the input state The deallocation command also requires the free set, as it updates the set with the address of the cell that it deletes: Again, the output states are defined, since the input state implies that loc(h ′ )∪{l} is disjoint from F , and so loc(h ′ ) is disjoint from F ∪{l}.Notice that in this model, only the allocation and deallocation commands require ownership of the free set, since commands such as mutation and lookup are completely independent of the allocation status of other cells, and they are defined exactly as in example 2.8.2:Proof.Let f = new[x] and assume h ′ #h.We want to show f (h x, l, v and F , because otherwise f (h) = ⊤ and we are done.So we have The other functions can be checked in a similar way.
The smallest safe states are given by the set {x → v • F | v ∈ V al, F ∈ P(L)}.By lemma 4.4, these smallest safe states are footprints.However, unlike before, in this model these are the only footprints of the AD command.To see this, consider a larger state h • x → v • F for non-empty h.
We have Thus the footprints of AD in this model do not include any non-empty heaps.By corollary 5.6, in this model the AD command has a smallest complete specification in which the pre-condition only describes the empty heap.This specification is Intuitively, it says that if initially the heap is empty, the variable x is present in the stack, and we know which cells are free in the global heap, then after the execution, the heap will still be empty, exactly the same cells will still be free, and x will point to one of those free cells.This completely describes the behaviour of the command for all larger states using the frame rule.For example, we get the complete specification on the larger state in which 42 is allocated: In the pre-condition, the presence of location 42 in the heap means that 42 is not in the free set F (by definition of * ).Therefore, in the post-condition, x cannot point to 42.
Notice that in order to check that we have 'regained' safety footprints, we only needed to check that the footprint definition (definition 4.3) corresponds to the smallest safe states.The desired properties such as essentiality, sufficiency, and small specifications then follow by the results established in previous sections.6.3.Safety footprints for arbitrary programs.Now that we have regained the safety footprints for AD in the new model, we want to know if this is generally the case for any program.We consider the abstract imperative programming language given in [9]: where c ranges over an arbitrary collection of primitive commands, + is nondeterministic choice, ; is sequential composition, and (•) ⋆ is Kleene-star (iterated ;).As discussed in [9], conditionals and while loops can be encoded using + and (•) ⋆ and assume statements.The denotational semantics of commands is given in Figure 2.
Taking the primitive commands to be new[x], dispose[x], mutate[x, v], and lookup[x, y], our original aim was to show that, for every command C, the footprints of C in the new model are the smallest safe states.However, in attempting to do this, we identified a general condition on primitive commands under which the result holds for arbitrary separation algebras.
Let f be a local function on a separation algebra Σ. If, for A ∈ P(Σ), we define f (A) = σ∈A f (σ), then the locality condition (definition 2.6) can be restated as The ⊑ ordering in this definition allows local functions to be more deterministic on larger states.This sensitivity of determinism to larger states is apparant in the AD command in the standard model from example 2.8.2.On the empty heap, the command produces an empty heap, and reassigns variable x to any value, while on the singleton cell 1, it disallows the possibility that x = 1 afterwards.In the new model, the AD command does not have this sensitivity of determinism in the output states.In this case, the presence or absence of the cell 1 does not affect the outcomes of the AD command, since the command can only assign x to a value chosen from the free set, which does not change no matter what additional cells may be framed in.With this observation, we consider the general class of local functions in which this sensitivity of determinism is not present.Definition 6.3 (Determinism Constancy).Let f be a local function and safe(f ) the set of states on which f does not fault.f has the determinism constancy property iff, for every σ ∈ safe(f ), Notice that the determinism constancy property by itself implies that the function is local, and it can therefore be thought of as a form of 'strong locality'.Firstly, we find that local functions that have determinism constancy always have footprints given by the smallest safe states.Lemma 6.4.If a local function f has determinism constancy then its footprints are the smallest safe states.
Proof.Let min(f ) be the smallest safe states of f .These are footprints by lemma 4.4.For any larger state σ ′ • σ where σ ∈ min(f ), σ ′ ∈ Σ and σ is non-empty, we have We now demonstrate that the determinism constancy property is preserved by all the constructs of our programming language.This implies that if all the primitive commands of the programming language have determinism constancy, then the footprints of every program are the smallest safe states.Theorem 6.5.If all the primitive commands of the programming language have determinism constancy, then the footprint of every program is given by the smallest safe states.
Proof.Assuming all primitive commands have determinism constancy, we shall show by induction that every composite command has determinism constancy and the result follows by lemma 6.4.So for commands C 1 and C 2 , let f = C 1 and g = C 2 and assume f and g have determinism constancy.For sequential composition we have, for σ ∈ safe(f ; g) and σ ′ ∈ Σ, {σ ′ } * g(σ 1 ) (g has determinism constancy and For non-deterministic choice, we have for σ ∈ safe(f + g) and σ ′ ∈ Σ, (f and g have determinism constancy and σ ∈ safe(f ) and σ ∈ safe(g) since σ ∈ safe(f + g)) For Kleene-star, we have for σ ∈ safe(f ⋆ ) and σ ′ ∈ Σ, Now that we have shown the general result, it remains to check that all the primitive commands in the new model of section 6.1 do have determinism constancy.Proof.We give the proofs for the new and dispose commands in the two models, and the cases for mutate and lookup can be checked in a similar way.For dispose[x] in H 1 , the following counterexample shows that it does not have determinism constancy.
For new[x] in H 1 , any safe state is of the form h • x → v.For any h ′ ∈ H 1 , we have is undefined then h ′ shares locations with loc(h) or variables with var(h)∪{x}.This means that the RHS in † is the empty set.We have new is undefined then either h ′ contains a free set or it contains locations in loc(h) ∪ {l} or variables in var(h) ∪ {x}.If h ′ contains a free set or it contains locations in loc(h) or variables in var(h) ∪ {x}, then the RHS in † † is the empty set.If h ′ contains the location l then also the RHS in † † is the empty set since the free set F ∪ {l} also contains l.Thus in both cases the RHS in † † is the empty set, and we have dispose For new[x] in H 2 , any safe state is of the form h • x → v • F .Let h ′ ∈ H 2 .We have is undefined then either h ′ contains a free set or it contains locations in loc(h) or variables in var(h) ∪ {x}.In all these cases the RHS in † † † is the empty set, and so we have new Thus theorem 6.5 and proposition 6.6 tell us that using the alternative model of example 6.1, the footprint of every program is given by the smallest safe states, and hence we have regained safety footprints for all programs.In fact, the same is true for the original model of example 2.8.2 if we do not include the dispose command as a primitive command, since all the other primitive commands have determinism constancy.This, for example, would be the case when modelling a garbage collected language [16].

CONCLUSIONS
We have developed a general theory of footprints in the abstract setting of local functions that act on separation algebras.Although central and intuitive concepts in local reasoning, the notion of footprints and small specifications had evaded a formal general treatment until now.The main obstacle was presented by the AD problem, which demonstrated the inadequacy of the safety footprint notion in yielding complete specifications.In addressing this issue, we first investigated the notion of footprint which does not suffer from this inadequacy.Based on an analysis of the definition of locality, we introduced the definition of the footprint of a local function, and demonstrated that, according to this definition, the footprints are the only essential elements necessary to obtain a complete specification of the function.For well-founded resource models, we showed that the footprints are also sufficient, and we also presented results for non-well-founded models.
Having established the footprint definition, we then explored the conditions under which the safety footprint does correspond to the actual footprint.We introduced an alternative heap model in which safety footprints are regained for every program, including AD.We also presented a general condition on local functions in arbitrary models under which safety footprints are regained, and showed that if this condition is met by all the primitive commands of the programming language, then safety footprints are regained for every program.The theory of footprints has proven very useful in exploring the situations in which safety footprints could be regained, as one only needs to check that the smallest safe states correspond to the footprint definition 4.3.This automatically gives the required properties such as essentiality and sufficiency, which, without the footprint definition and theorems, would need to be explicitly checked in the different cases.
Finally, we comment on some related work.The discussion in this paper has been based on the static notion of footprints as states of the resource on which a program acts.A different notion of footprint has recently been described in [10], where footprints are viewed as traces of execution of a computation.O'Hearn has described how the AD problem is avoided in this more elaborate semantics, as the allocation of cells in an execution prevents the framing of those cells.Interestingly, however, the heap model from example 6.1 illustrates that it is not essential to move to this more elaborate setting and incorporate dynamic, execution-specific information into the footprint in order to resolve the AD problem.Instead, with the explicit representation of free cells in states, one can remain in an extensional semantics and have a purely static, resource-based (rather than executionbased) view of footprints.

Lemma 4 . 4 .
For any local function f , the smallest safe states of f are footprints of f .

6. 2 .
Safety footprints for AD.We consider the footprint of the AD command in the new model.In this model the sequential composition new[x]; dispose[x] gives the function

Figure 2 :
Figure 2: Denotational semantics for the imperative programming language

otherwise
Lemma 6.2.The functions new[x], dispose[x], mutate[x, v] and lookup[x, y] are all local in the separation algebra (H, •, u H ) from example 6.1.