Two for the Price of One: Lifting Separation Logic Assertions

Recently, data abstraction has been studied in the context of separation logic, with noticeable practical successes: the developed logics have enabled clean proofs of tricky challenging programs, such as subject-observer patterns, and they have become the basis of efficient verification tools for Java (jStar), C (VeriFast) and Hoare Type Theory (Ynot). In this paper, we give a new semantic analysis of such logic-based approaches using Reynolds's relational parametricity. The core of the analysis is our lifting theorems, which give a sound and complete condition for when a true implication between assertions in the standard interpretation entails that the same implication holds in a relational interpretation. Using these theorems, we provide an algorithm for identifying abstraction-respecting client-side proofs; the proofs ensure that clients cannot distinguish two appropriately-related module implementations.


Introduction
Data abstraction is one of the key design principles for building computer software, and it has been the focus of active research from the early days of computer science.Recently, data abstraction has been studied in the context of separation logic [26,7,22,27,12], with noticeable practical successes: the developed logics have enabled clean proofs of tricky challenging programs, such as the subject-observer pattern, and they have become the basis of efficient verification tools for Java (jStar [14]), C (VeriFast [18]) and Hoare Type Theory (Ynot [23]).
In this paper, we give a new semantic analysis of these logic-based approaches using Reynolds's relational parametricity.Our techniques can be used to prove representation independence, i.e., that clients cannot distinguish between related module implementations, a consequence that we would expect from using data abstraction, but (as we shall see) a consequence that only holds for certain good clients.

Interface Specification {1֒→ }init{a} {a}nxt{b} {b}fin{1֒→ } {a}inc{a} {b}dec{b}
Two Implementations of a Counter Logic-based Data Abstraction.The basic idea of the logic-based approaches is that the private states of modules are exposed to clients only abstractly using assertion variables [7], also known as abstract predicates [26] 1 .For concreteness, we consider a two-stage counter module and client programs in Figure 1.The module realizes a counter with increment and decrement operations, called inc and dec.An interesting feature is that the counter goes through two stages in its lifetime; in the first stage, it can perform only the increment operation, but in the second, it can only run the decrement.The interface specification in the figure formalizes this intended behavior of the counter using assertion variables a and b, where a means that the counter is in the first stage and b that the counter is in the second.The triple for init says that the initialization can turn the assertion 1֒→ , denoting heaps with cell 1, to the assertion variable a, which describes an abstract state where we can only call inc or nxt (since a is the precondition of only those operations).The abstract state a can be changed to b by calling nxt, says the triple for the nxt operation.In b we are allowed to run dec but not inc.Finally, fin can turn the abstract state b back to 1֒→ .Note that by using a and b, the interface specification does not expose the private state of the module to the client.It reveals only partial information about the private state of the module; here it is whether the private state is in the first or the second stage.The flexibility afforded by revealing partial information is very useful in applications; see the examples mentioned in the references above.In these logic-based approaches, proof attempts for clients of a module can succeed only when they are given with respect to the abstract interface specification, without making any further assumptions on assertion variables.For instance, the proof attempt on the bottom left of Figure 1 is successful, whereas the bottom right one is not, because the latter assumes that the assertion variable b entails the allocatedness of cell 1.This is not so, even when the entailment holds for an actual definition of b.
Representation Independence.In this paper, we give a condition on client-side proofs that ensure representation independence: take a client with a standard proof of correctness that satisfies this condition and two implementations of a module; if we can relate the heap-usage of the two modules in a way preserved by the module operations, then the client gives the same result with both modules.To relate the heap-usage, we need to give, for each assertion variable, a relation on heaps and verify that the module operations respect these relations -the coupling relations.
As an example, consider the left-hand side client in Figure 1.The proof of the specification {1֒→ } init; inc; nxt; dec; fin {1֒→ } satisfies the forthcoming condition on client-side proofs.Also, we have two implementations of the counter module that the client makes use of; both use cell 1 to represent their private states, but in different ways -the first stores the current value of the counter, but the second stores the current value or its negative version, depending on whether it is in the first stage or the second.Accordingly, we give the two coupling relations: It is easy to see that all module operations preserve these coupling relations.If, say, (h 1 , h 2 ) ∈ r b , then we have h 1 (1) = n and h 2 (1) = −n for some n and so (h 1 [1 → n − 1], h 2 [1 → −n + 1]) ∈ r b too; hence the decrement operations of the modules respect the coupling relation.By Theorem 6.1 we now get that the client specification is valid also in a binary reading: if we take any two heaps and run the client with one module in the first and with the other module in the second then we will end up with two heaps holding the same value in cell 1 -provided that we started out with two such.Indeed, the binary reading of the assertion 1֒→ is It is worthwhile to emphasize that this is not a consequence of the standard unary reading of the specification of the client: due to the existentially quantified content of cell 1, running with the one module could yield different contents of cell 1 than running with the other module, even if the contents are initially the same.On the other hand, it is the presence of this quantification that makes the binary reading worthwhile: if our client had a more exhaustive specification, say {1֒→0} init; inc; nxt; dec; fin {1֒→0}, then the standard unary reading suffices for representation independence and the binary reading would provide no news.Often, though, the more exhaustive specification will be harder to prove, in particular for verification tools.

Interface Specification
The Rule of Consequence and Lifting.In earlier work [10] we were able to prove such a representation independence result for a more restricted form of logical data abstraction, namely one given by frame rules rather than general assertion variables.Roughly speaking, frame rules use a restricted form of assertion variables that are not exposed to clients at all, as can be seen from some models of separation logic in which frame rules are modelled via quantification over semantic assertions [9].This means that the rules do not allow the exposure of even partial information about module internals.(On the other hand, frame rules implement information hiding, because they completely relieve clients of tracking the private state of a module, even in an abstracted form.)Our model in [10] exploited this restricted use of assertion variables, and gave relational meanings to Hoare triple specifications, which led to representation independence.
Removing this restriction and allowing assertion variables in client proofs turned out to be very challenging.The challenge is the use of the rule of consequence in client-side proofs; this has implications between assertions (possibly containing assertion variables) as hypotheses, and such do not always lift, i.e., they may hold in the standard, unary reading of assertion whilst failing in the binary reading.In this paper, we provide a sound and, in a certain sense, complete answer to when the lifting can be done.
For instance, consider the example in Figure 2. Our results let us conclude that the client-side proof on the left is good but the one on the right is bad; hence we expect to derive representation independence only from the former.The client on the left calls init and ends with the post-condition (1֒→ ∧ a * b).Since (1֒→ ∧ a * b) =⇒ 1֒→ is true in the standard interpretation, the rule of consequence can be applied to yield the precondition of fin, which can be called, ending up with the postcondition (1֒→ ).The key point here is the implication used in the rule of consequence.Our results imply that this implication can indeed be lifted to an implication between relational meanings of assertions (1֒→ ∧a * b) and 1֒→ (Theorem 4.5 in Section 4).They also entail that this lifting implies the representation independence theorem.The coupling relations are preserved by the modules: the relational meaning of 1֒→ * a ∨ 1֒→ * b is empty; note that separating conjunctions binds more tightly than conjunction and disjunction.Hence the client on the left should give the same result for both modules and, indeed, both init 1 ; fin 1 and init 2 ; fin 2 are the same skip command.
The client on the right also first calls init and then uses the rule of consequence.But this time our results say that a true implication (1֒→ ∧ a * b) =⇒ (1֒→ * a ∨ 1֒→ * b) in the rule of consequence does not lift to an implication between relational meanings of the assertions: the pair of heaps ([1 → 0], [1 → 0]) belong to the left hand side but possibly not to the right if the pair ([], [1 → 0]) is in the interpretation of a and the pair ([1 → 0], []) is in the interpretation of b; see Example 4.9 for details.Because of this failure, the proof of the client does not ensure representation independence.In fact, the client can indeed distinguish between the two module implementations -when the client is executed with the first module implementation, the final heap maps address 1 to 1, but when the client is executed with the second, the final heap maps address 1 to 2.
Note that we phrase the lifting only in terms of semantically true implications, without referring to how they are proved.By doing so, we make our results relevant to automatic tools that use the semantic model of separation logic to prove implications, such as the ones based on shallow embeddings of the assertion logic [23,16].
To sum up, the question of whether representation independence holds for a client with a proof comes down to whether, in the proof, the implications used in the rule of consequence can be lifted to a relational interpretation.In this paper, we give a sound and, in a certain sense, complete characterization of when that holds.
It is appropriate to remark already here, that although we extend our assertions with assertion variables we also restrict them to contain neither ordinary nor separating implication.And, in the end, we consider only a fragment of those.Details are given in Sections 2 and 4; here we just remark that the assertions we do study are not unlike the ones considered in the tools mentioned in the beginning of this introduction, in particular jStar.Also we use intuitionistic separation logic as we envision a language with garbage collection; this, too, is in line with the jStar tool.
The rest of the paper is organized as follows: Sections 2 and 3: give the meanings of assertions, both the standard and relational meanings.Indeed, we give, for any n ∈ PosInt, the n-ary meaning of assertions as n-ary relations on the set of heaps.These relations are intuitionistic, i.e., they are upward closed relations with respect to heap extension.Section 4: contain the main technical contributions of the paper.We give, for assertions of a particular form, a sound and, in a certain sense, complete answer to the question of when we may lift implications between assertions from the standard, unary meaning to the binary meaning.Section 5: has the curious spinoff result that an implication between assertions holds for arbitrary arity if and only if it holds for reasons of parametric polymorphism in a particular sense.
Section 6: returns to the main line of development; this is where we show that a clientside proof yields representation independence if it uses the rule of consequence only with implications that lift.Section 7: concludes the paper.
Proofs are found in the appendices, the main text only give details for a few examples.

Semantic Domain
In the following section we will define the meaning of an assertion to be an n-ary relation on heaps.To formalize this relational meaning, we need a semantic domain IRel n of relations, which we define and explain in this section.Let Heap be the set of finite partial functions from positive integers to integers (i.e., Heap def = PosInt → fin Int), ranged over by f, g, h.This is a commonly used set for modelling heaps in separation logic, and it has a partial commutative monoid structure ([], •), where [] is the empty heap and the • operator combines disjoint heaps: The operator • induces a partial order ⊑ on Heap, modelling heap extension, by f ⊑ g iff g = f • h for some h.
We also consider the + operator for combining possibly-overlapping but consistent heaps, and the − operator for subtracting one heap from another: We call an n-ary relation r ⊆ Heap n upward closed iff (f 1 , . . ., f n ) ∈ r∧(∀i.f i ⊑ g i ) =⇒ (g 1 , . . ., g n ) ∈ r.Definition 2.1.IRel n is the family of upward closed n-ary relations on heaps.
Note that IRel 1 consists of upward closed sets of heaps, which are frequently used to interpret assertions in separation logic for garbage-collected languages.We call elements of IRel 1 predicates and denote them by p, q.
For every n ≥ 1, domain IRel n has a complete lattice structure: join and meet are given by union and intersection, bottom is the empty relation, and top is Heap n .The domain also has a semantic separating conjunction connective defined by Here we use the component-wise extension of • for tuples.Intuitively, a tuple is related by r * s when it can be split into two disjoint tuples, one related by r and the other by s.
The domain IRel 1 of predicates is related to IRel n for every n, by the map ∆ n def = λp.{(f, . . ., f ) | f ∈ p} ↑ , where ↑ is the upward closure on relations.Note that each predicate is turned into an n-ary identity relation on p modulo the upward closure.This map behaves well with respect to the structures discussed on IRel 1 and IRel n , as expressed by the lemma below: Lemma 2.2.Function ∆ n preserves the complete lattice structure and the * operator.
For every n ≥ 1, the domain IRel n has further structure: it has standard, semantic separating implication and upwards-closed implication; as such, it is a complete BI algebra [8].Unfortunately, the above lemma fails for both implications.And that lemma is the pivot of the upcoming results; it is the basic link between the unary and binary (and n-ary) readings of assertions.This is why we leave out these connectives in our assertions in the next section; it is a fundamental limitation in our approach.

Assertions and Relational Semantics
Let Var and AVar be disjoint sets of normal variables x, y, ... and assertion variables a, b, ..., respectively.Our assertions ϕ are from separation logic, and they conform to the following grammar: In the grammar, E is a heap-independent expression, and P is a primitive predicate, which in the standard interpretation denotes an upward closed set of heaps.For instance, E֒→E ′ means heaps containing cell E with contents E ′ .The dots in the grammar indicate possible extensions of cases, such as multiplication for E and inductive predicates for P .We will use the abbreviation E֒→ for ∃y.E֒→y.
An assertion ϕ is given a meaning [[ϕ]] n η,ρ ∈ IRel n as an n-ary relation on heaps, where the arity n is a parameter of the interpretation.Here environment η maps normal variables in ϕ to integers, and ρ maps assertion variables in ϕ to n-ary relations in IRel n .When ϕ does not contain any assertion variables, we often omit ρ and write [[ϕ]] n η , because the meaning of ϕ does not depend on ρ.We will make use of unary and binary semantics most places, but in Section 5 we will explore higher arities as well.
We define the semantics of ϕ, using the complete lattice structure and the * operator of the domain IRel n ; see Figure 3.Note that the relational semantics of primitive predicates is defined by embedding their standard meanings via ∆ n .In fact, this embedding relationship holds for all assertions without assertion variables, because ∆ n preserves the semantic structures of the domains (Lemma 2.2): ] n η,ρ holds for all environments η, ρ.If n=1, this reduces to the standard semantics of assertions in separation logic.We will use the phrase "ϕ =⇒ ψ is n-ary valid" to mean that ϕ |= n ψ holds.In addition, we write ] n η,ρ holds for all environments ρ; we say that "ϕ =⇒ ψ is n-ary η-valid" if this is true.

Lifting Theorems and Completeness
We call an assertion ϕ simple if it is of the form ( I i=1 J j=1 ϕ (i,j) * a (i,j) ), where a (i,j) is a vector of assertion variables and ϕ i,j is an assertion not containing any assertion variables.We will consider the question of lifting an implication between simple assertions ϕ, ψ to a binary relational interpretation: when does ϕ |= 1 ψ imply that ϕ |= 2 ψ?
where P η is the standard semantics of P as an upward closed set of heaps, which satisfies: The simple assertions are a fragment of the assertions considered in the above section: simple assertions are not, in general, closed under separating conjunction as the latter does not distribute over conjunction, nor are quantified simple assertions necessarily simple.The divide, however, between simple and non-simple assertions is not deep.The forthcoming completeness result is intimately connected to the form of the assertions, but it is very possible that the basic ideas from lifting could be applied to a larger fragment.We have not considered that to any extent, however.It is worth mentioning that all assertions considered in Section 1 are simple.On the other hand, for assertions ϕ 1 , ϕ 2 and ϕ 3 with no assertion variables and assertion variables a 1 ,a 2 and a 3 , we do not, in general, have simplicity of an assertion like (ϕ 1 * a 1 ) ∧ (ϕ 2 * a 2 ) * ϕ 3 * a 3 .It should be noted, that simple assertions include most of the important aspects of the fragments of separation logic used by automatic program analysis tools.For instance, if we ignore so called primed variables (which correspond to existentially-quantified variables), the original SpaceInvader uses separation-logic formulas of the form I i=1 (P i,1 * . . .* P i,k i ) [13], and its most recent extension for handling a particular class of graph-like data structures uses J j=i I i=1 (P i,j,1 * . . .* P i,j,k i,j ) [19].Note that in both cases, either formulas are already simple or they can be easily transformed to equivalent simple formulas.The assertions used by the jStar tool [15] has neither ordinary implication, separating implication nor ordinary conjunction and only quite restricted use of quantifiers.Since proofs obtained from such tools are one target of our results, we argue that the restrictions imposed on assertions are not unreasonable in terms of usage.
The starting point of our analysis is to realize that it is sufficient to study implications of the form: where ϕ i 's and ψ j 's do not contain assertion variables, and no assertion variables occur only on the right hand side of the implication.

Lemma 4.1.
There is an algorithm taking simple assertions ϕ, ψ and returning finitely many implications {ϕ l =⇒ ψ l } l∈L , such that (a) ϕ l =⇒ ψ l has the form (4.1) for all l ∈ L, and (b) for any n ∈ {1, 2}, we have that ϕ |= n ψ holds iff ϕ l |= n ψ l holds for all l ∈ L.
The algorithm in the lemma is given in Appendix B. Thus, in this section, we will focus on lifting implications of the form (4.1).Specifically, we will give a complete answer to the following question: Given one such implication that is η-valid in the unary interpretation for some environment η, can we decide if the implication is η-valid in the binary interpretation merely by inspection of the layout of the assertion variables?The answer will come in two parts.The first part, in Section 4.3, provides three lifting theorems, each of which has a criterion on the variable layout that, if met, implies that η-validity may be lifted regardless of the ϕ i 's and ψ j 's.The second part, in Section 4.4, is a completeness theorem; it states that if the variables fail the criteria of all three lifting theorems then there are choices of ϕ i 's and ψ j 's with no variables such that we have unary but not binary validity.
This approach has pros and cons.Assume that we have an implication of the aforementioned form that is valid in the unary interpretation, and we would like to know if it is valid in the binary interpretation too.Trying out the layout of the variables against the criteria of the three lifting theorems is an easily decidable and purely syntactical process -and if it succeeds then we have binary validity.If it fails, however, we are at a loss; we know that there are ϕ i 's and ψ j 's with the same variable layout such that lifting fails but we do not learn anything about our concrete implication.There is, however, an alternate use of the theory below if the lifting criteria fail; we will elaborate on that in Section 6.
4.1.Notation.We need some notation that will accompany us throughout this section.Consider an implication of the form (4.1).Let V = M i=1 {a i,1 , . . ., a i,M i } be the set of all left hand side assertion variables, these include the right hand side assertion variables too by assumption.Define Π : {1, . . ., M } → Nat V and Ω : {1, . . ., N } → Nat V by the following: These functions give vectors of assertion variable counts for each conjunct and disjunct.For 1 ≤ i ≤ M and 1 ≤ j ≤ N we write Π(i) ≥ Ω(j) if we have Π(i)(c) ≥ Ω(j)(c) for each variable c ∈ V , i.e., if conjunct i has the same or a greater number of occurrences of all variables than disjunct j.We write Π(i) Ω(j) if this fails, i.e., if there is c ∈ V such that Π(i)(c) < Ω(j)(c).If a conjunct, say conjunct i, has no variables, i.e., if Π(i)(c) = 0 holds for all c ∈ V , then we say it is empty; the same goes for the disjuncts.
We shall write − to denote ∃n, m. n֒→m, meaning heaps with at least one cell.On the semantic side, we write [m] for m ∈ PosInt to denote the heap that stores 0 at location m and nothing else.For m 0 , ..., Finally we introduce a piece of sanity-preserving graphical notation.We depict an implication of the form (4.1) as a complete bipartite graph with the conjuncts lined up on the left hand side and the disjuncts on the right hand side.For any 1 ≤ i ≤ M and any 1 ≤ j ≤ N we draw a solid line from conjunct i to disjunct j if Π(i) ≥ Ω(j).We label that line with all the c ∈ V such that Π(i)(c) > Ω(j)(c) if indeed there are any such.If, on the other hand, Π(i) Ω(j) then we draw a dashed line instead and label it with all the c ∈ V such that Π(i)(c) < Ω(j)(c).Note that the drawing of edges depend solely on the layout of the variables; the ϕ i 's and ψ j 's have no say in the matter.As an example, the implication which we shall look into in Example 4.9, is depicted as follows: With a little experience, it is quite easy to check the conditions of the upcoming lifting theorems by looking at the corresponding graph; the graphs expose the structure of the assertions important to the proofs.4.2.Strategy.We give a brief strategic overview before the onslaught.Consider an implication of the form (4.1).If the layout of the variables satisfy (at least) one of three upcoming criteria then we know this: unary η-validity holds only if it holds for 'obvious reasons'.The latter is captured precisely in the Parametricity Condition but, loosely, it says that there are 1 ≤ i ≤ M and 1 ≤ j ≤ N such that φ i =⇒ ψ j is η-valid in the unary interpretation and such that Π(i) ≥ Ω(j).This is sufficiently parametric in the treatment of assertion variables that it immediately implies binary η-validity and even n-ary η-validity for any n.
The three criteria, as given in the next subsection, are rather technical; each is what it takes for proof idea of the corresponding lifting theorem to go through.They are complete, however: if the implication fails all three criteria then there are choices of ϕ i 's and ψ j 's such that unary η-validity holds for 'non-obvious reasons'; in particular such that binary η-validity fails.Non-obvious reasons comes down to exploiting the limited arity in different ways; we elaborate on that in Subsection 4.4.

Layouts that Lift.
The following is a first example of a layout of variables that ensure that for any choice of ϕ i 's and ψ j 's we get that unary η-validity of the implication yields binary η-validity.That it holds is a consequence of Theorem 4.5 but we have spelled out a concrete proof that will serve as a guide to the further development.
Example 4.2 (Shadow-Lift).For any four assertions ϕ 1 , ϕ 2 , ψ 1 , ψ 2 with no assertion variables and any appropriate environment η we have that unary η-validity of the following implication implies binary η-validity: Assume that we have unary η-validity.Before we go on to consider the binary case we derive a simple unary consequence that does not involve assertion variables: For any h ∈ Heap with subheaps h 1 ⊑ h and To prove this, let h, h 1 and h 2 be as assumed.We build ρ : {a, b} → IRel 1 by letting ρ(a) = Heap and letting ρ(b) be the following union of sets of heaps: and so by our assumption on the original implication it must lie in the interpretation on one of the disjuncts too.Suppose that we have , where the equality holds because ρ(a) = Heap is the unit for * .We then write h η and g 2 , g 3 ∈ ρ(b).But as g 2 and g 3 have disjoint domains we must have (h − h 2 ) • [n] ⊑ g 2 and [n + 1] ⊑ g 3 or the version with g 2 and g 3 swapped.In any case we have that dom(g η,ρ we proceed similarly.The above short proof is the crux of the example.It implies unary η-validity -this we knew already -but also the binary η-validity.To see this, we pick an arbitrary environment ρ : {a, b} → IRel 2 , we take arbitrary (h η,ρ and we aim to prove that (h η,ρ too.We split (h 1 , h 2 ) according to the conjuncts.Because of Lemma 3.1 and the upward closedness condition of IRel 2 , we can write 2 ) ∈ ρ(b).But now g 1 + f 1 with subheaps g 1 and f 1 meet the conditions of the unary consequence from above, and so we get η and the second splitting of (h 1 , h 2 ) shows that (h 1 , h 2 ) lie in the binary interpretation of the first or second disjunct, respectively.Notice that neither η would have worked since the first conjunct has too few variables, i.e., Π( 1) Ω(1) and Π( 1) Ω(2) The simple idea justifies the odd choice of name: we attach to each occurrence of b in the conjuncts a 'shadow' in such a way that any two shadows from different conjuncts overlap.This means that the two occurrences of b in, say, the first disjunction must correspond to occurrences of b in the same conjunct; in particular that conjunct must have at least two occurrences.We attach no shadow to a, instead we remove a by instantiating to Heap; this is because the second disjunct lacks an occurrence of a and hence we may fail to 'peel off' the entire shadow.Had a occurred as the single label of a dashed line, this removal would have 'introduced' a solid line and the approach would fail.
Generalizing the unary consequence that served as the crucial stepping stone in the above example we arrive at the following condition on our implications: Definition 4.3 (Parametricity Condition).Assume that we have an implication of the form (4.1) and an appropriate environment η.We say that the Parametricity Condition is satisfied if, for all h, h 1 , . . ., h M ∈ Heap with h i ⊑ h and h i ∈ [[ϕ i ]] 1 η for all 1 ≤ i ≤ M , it is is the case that one (or both) of the following conditions hold: (1) There are 1 η and the j-th disjunct is empty.Note that specializing the Parametricity Condition, henceforth just the PC, to an implication of the form treated in the above example yields the stated unary consequence because no disjuncts are empty.The second option in the PC will be motivated later.
We emphasize that the PC may hold or may fail for any given combination of an implication and environment η.But if it holds then we have binary η-validity; the proof in case of the first option of the PC is an easy generalization of the latter half of the above example: Proposition 4.4.The PC implies binary η-validity.
We arrive now at the first lifting theorem.It is a generalization of the former half of Example 4.2; the proof of the theorem has a lot more details to it than the example but the overall idea is the same.The theorem states a criterion on the layout of the variables that, if met, means that unary η-validity implies the PC and hence also binary η-validity.The criterion is, loosely, that we can remove all variables that occur as labels of solid lines without introducing new solid lines and without emptying any disjuncts: Theorem 4.5 (Shadow-Lift).Unary η-validity of an implication implies the PC if each dashed line is labeled with at least one variable which is not a label on a solid line and each disjunct has an occurrence of a variable that is not a label on a solid line.Spelling it out in symbols, we require, with As motivation for the next lifting theorem, we note that the variable layout criterion of the above theorem fails if one or more disjuncts are empty.Correspondingly, we never touch upon the second option of the PC.But there are variable layouts with empty disjuncts that ensure lifting: Example 4.6 (Balloon-Lift).For any four assertions ϕ 1 , ϕ 2 , ψ 1 , ψ 2 with no assertion variables and any appropriate environment η we have that unary η-validity of the following implication implies binary η-validity: Assume unary η-validity.As in Example 4.2 we derive a unary consequence as an intermediate result: For any h ∈ Heap with subheaps h 1 ⊑ h and To prove this, let h, h 1 and h 2 be as assumed.We construct ρ : {a, b} → IRel 1 by letting ρ(a) = Heap and ρ(b) = {h − h 2 } ↑ .We get that . This means that h must lie in the interpretation of one of the disjuncts.If it is the first, we inspect the interpretation and get that which implies that g 1 ⊑ h 2 and so If, on the other hand, h lies in the interpretation of the second disjunct then we are done immediately.Now we prove the claim of binary η-validity.We pick an arbitrary environment ρ : {a, b} → IRel 2 , we take arbitrary (h η,ρ and we must prove that η and (g 2 1 , g 2 2 ) ∈ ρ(a), and 2 ) ∈ ρ(b).But now g 1 + f 1 with subheaps g 1 and f 1 satisfies the above properties and so we get holds then the second splitting of (h 1 , h 2 ) shows that (h 1 , h 2 ) is in the interpretation of the first disjunct.If ] 1 η , we are done too, since we may write (h 1 , h 2 ) = (g 1 + f 1 , g 1 + f 1 ) • (e 1 , e 2 ) for some (e 1 , e 2 ) ∈ Heap 2 and so (h 1 , h 2 ) lies in the interpretation η ) of the second conjunct.Once again, the underlying idea is simple: we attach 'shadows' to occurrences of variables, but this time we stay within the the original heap.This is quite inhibitory as we may have to use the empty heap as shadow.Again we remove a variable (in general a set of variables) by instantiating to Heap but the remaining variable (in general the remaining set of variables) must satisfy quite restrictive demands.
Just as we did for Example 4.2 we may generalize the former half of this example yielding Theorem 4.7 below.The latter half of the example, on the other hand, constitutes an example of the approach of the proof of Proposition 4.4 in case we run into the second option of the PC.Note also that specializing the PC to an implication of the form considered in the example yields the stated unary consequence.Theorem 4.7 (Balloon-Lift).Unary η-validity of an implication implies the PC if there is a subset B ⊆ V with the following three properties.First, each conjunct has at most one occurrence of a variable from B, i.e., Second, each disjunct is empty or has exactly one occurrence of a variable from B, i.e., Third, each dashed line must have a label from B. That is, when One thing to note about the theorem is that if we have no empty disjuncts, none of the variables in the subset B ⊆ V can be labels of a solid line.In particular, the conditions of Theorem 4.5 are met, so the above theorem is really only useful if one or more disjuncts are empty.A simple but pleasing observation is that this theorem is applicable if all conjuncts and all disjuncts have at most a single occurrence of any assertion variable; in that case, we can just choose B = V above.
The final lifting theorem captures the oddities of the special case of just one conjunct: Theorem 4.8 (Lonely-Lift).Unary η-validity of an implication implies the PC if there is just one conjunct, i.e., M =1, and all lines are solid, i.e., Π(1) ≥ Ω(j) for all 1 ≤ j ≤ N .
But this line of argument breaks down if we change to binary reading.We have, e.g., ( [1], [1]) [1])} ↑ are empty.We can recast this as an implication that cannot be lifted: Example 4.9 (Fan-Counter).This implication is valid on the unary but not on the binary level: First we argue that the implication holds on the unary level.Let ρ : {a, b} → IRel 1 be an arbitrary environment of upwards closed sets of heaps to a and b.Let h ∈ Heap be arbitrary and assume that
An observation of similar nature is that for p ∈ IRel 1 we have either p = Heap or p Heap then it cannot contain the empty heap.On the binary level, however, we have One consequence is this: Example 4.10 (Bridge-Counter).This implication is valid on the unary but not on the binary level: First we argue that the implication holds on the unary level.Let ρ : {a, b} → IRel 1 be an arbitrary environment that assigns upwards closed sets of heaps to each of the two variables.We branch on the value of ρ(a).If ρ(a) = Heap then we have ρ(a) ⊆ [[−]] 1 η which again means that the first conjunct directly implies the second disjunct.If ρ(a) = Heap holds, we get that because Heap is the unit for * .Hence we get that the first conjunct implies the first disjunct and we have proved that the implication holds unarily.Now we prove that the implication fails on the binary level.Define an environment ρ : {a, b} → IRel 2 by ρ(a η,ρ too and so this pair of heaps lies in the interpretation of the left hand side.But it does not belong to the interpretation of either disjunct.An easy -if somewhat indirect -way of realizing this is to note that any pair of heaps in either [[−]] 2 η,ρ or in [[a * a]] 2 η,ρ must have a second component with nonempty domain.But then any pair of heaps in the interpretation of either disjunct must have a second component with a domain of at least two elements.In particular, neither can contain the pair ( [1,2], [2]).
In principle, the above two observations are all that we need to prove completeness.Or, phrased differently, assume that we have a layout of variables that fail the criteria of all three lifting theorems; by applying one of the two observations, we can then build a concrete implication with that variable layout and with unary but not binary validity.
Having said that, the territory to cover is huge; the full completeness proof is a lengthy and rather technical journey, the details of which do not provide much insight.We supply it as a series of lemmas in Appendix D; these include generalizations of Example 4.9 and Example 4.10 above.If one verifies the lemmas in the order listed and apply them as sketched then it is feasible, if not exactly easy, to prove the following: Theorem 4.11 (Completeness).If a variable layout meets none of the criteria in Theorems 4.5, 4.7 and 4.8, then there are choices of ϕ i 's and ψ j 's with no variables such we have unary but not binary validity.4.5.Future Work: Supported Assertions.By now, we have given a complete division of the possible layouts of variables into those that lift and those that do not.The divide is technical; without some understanding of the underlying proofs, it is hard to get an intuitive feel for it.
One way to simplify would be to consider supported assertions.A n-ary relation r ∈ IRel n is supported if, for every f ∈ Heap n , it holds that g 1 ⊑ f and g 2 ⊑ f and g 1 , g 2 ∈ r together implies the existence of g ∈ r with g ⊑ g 1 and g ⊑ g 2 .In an intuitionistic setting, the supported assertions play the role that the precise assertions do in a classical, non-intuitionistic setting: they validate reasoning about the resource invariant in the Hypothetical Frame Rule [25] and about shared resources in concurrent separation logic [11].The problems we face here appear reminiscent and a natural question is this: how about restricting assertion variables to supported assertions?
We have not investigated this in any detail, but initial findings suggest that this would simplify matters, maybe extensively so.The counter-example given in Example 4.9 still holds, so it is not the case that everything lifts, but the counter-example of Example 4.10 breaks.The central proof of Theorem 4.5 uses non-supported assertions; on the other hand, if r ∈ IRel n is supported then either r * r is empty or we have r = Heap n so maybe we could restrict to conjuncts with at most one occurrence of each assertion variable.
Along the same lines, it would be interesting to revisit the challenges in a classical, non-intuitionistic setting.This, too, is left for future work with the one comment that the counter-example given in Example 4.9 persists.

Higher Arities and Parametricity
We saw in Proposition 4.4 that the PC implies binary η-validity of an implication.It is easy to show that the PC also implies unary η-validity, either directly or by observing that binary implies unary.A natural question to ask is whether we can reverse this.Example 4.9 shows that unary validity does not entail the PC, because the latter fails for that concrete implication.But as binary validity fails too, we could hope that binary validity would enforce the PC.Unfortunately, this is not the case, as demonstrated by the implication Here the PC is the same as for Example 4.9 and hence still is not true, but we do have binary validity.We do not, however, have ternary validity but the example could easily be scaled: having n occurrences of a in the second conjunct means n-ary but not n + 1-ary validity for any n ≥ 1.In summary, we have seen that for any n ≥ 1 we can have n-ary validity whilst the PC fails.
What does hold, however, is the following: Theorem 5.1.For an implication of the form (4.1) and an appropriate environment η we have that n-ary η-validity implies the PC if n ≥ max{2, M 1 , . . ., M M }.
Notice how this fits nicely with the above example: with n occurrences of a we have n-ary validity but we need (n+1)-ary validity to prove the PC since there is also a single b.The proof is in Appendix E, and reuses techniques from the proofs of Theorems 4.5 and 4.7.
By an easy generalization of Proposition 4.4 we have the following corollary to the above theorem: Corollary 5.2.The PC holds iff we have n-ary η-validity for all n ≥ 1.This corollary can be read, loosely, as a coincidence between parametric polymorphism as introduced by Strachey [31] and relational parametricity as proposed by Reynolds [30]: The PC corresponds to Strachey parametricity in the loose sense that if it holds, then there is an approach, parametric in the assertion variables, that produce right hand side proofs of heap membership from the left hand side ones: Take a heap, split it along the conjuncts, apply the PC to the parts in the interpretations of the ϕ's and you are done, possibly after discarding some variables.This involves no branching or other intrinsic operations on the assertion variables, which we are free to discard by our intuitionistic setup.If, on the other hand, the implication is η-valid for arbitrary arity, then it is fair to call it relationally parametric.Note also that the Examples 4.9 and 4.10 branch on assertion variable values.
This result is analogous to the conjecture of coincidence between Strachey parametricity and n-ary relational parametricity for traditional type-based parametricity [29, Page 2].
Finally we note that as a consequence of the above corollary we have that the lifting theorems in the previous section really show that unary validity can be lifted to validity of arbitrary arity.In some sense, they are stronger than required for representation independence, for which binary validity suffices.The authors are unaware of any practical applications of this fact.

Representation Independence
In this section, we relate our lifting theorems to representation independence.We consider separation logic with assertion variables where the rule of consequence is restricted according to our lifting theorems, and we define a relational semantics of the logic, which gives a representation independence theorem: all proved clients cannot distinguish between appropriately related module implementations.
To keep the presentation simple, we omit while-loops and allocation from the language.Adding the former together with the standard proof rule is straightforward.Allocation, however, is non-trivial: the notion of having one client using two modules will be hardcoded into our relational reading of the logic, and allocation on part of the client must give the same address when run with either module.This fails with standard, non-deterministic allocation; it was resolved earlier, however, by Birkedal and Yang [10] using a combination of FM sets and continuations and that approach is applicable here too.
We consider commands C given by the grammar: Here B is a heap-independent boolean expression, such as x=0.Commands C are from the loop-free simple imperative language.They can call module operations k, and manipulate heap cells; command [x]:=E assigns E to the heap cell x, and this assigned value is read by let y=[x] in C, which also binds y to the read value and runs C under this binding.Properties of commands C are specified using Hoare triples Γ ⊢ {ϕ}C{ψ}, where the context Γ is a set of triples for module operations.Figure 4 shows rules for proving these properties.In the figure, we omit contexts, if the same context Γ is used for all the triples.
The rule of consequence deserves attention.Note that the rule uses semantic implications |= 1 in the standard unary interpretation, thus allowing the use of existing theorem provers for separation logic.The rule does not allow all semantic implications, but only those that pass our algorithm Chk, so as to ensure that the implications can lift to the Here err denotes a memory error, and η and u are environments that provide the meanings of, respectively, free ordinary variables and module operations.For instance, [[k]] η,u is u(k).
Our semantics of triples, on the other hand, is not standard, and uses the binary interpretation of assertions: (η, ρ, u) η,ρ * r.The environment ρ provides the meanings of assertion variables, and the 2-dimensional vector u gives the two meanings for module operations; intuitively, each u i corresponds to the i-th module implementation.The interpretation means that if two module implementations u are used by the same client C, then these combinations should result in the same computation, in the sense that they map ϕ-related input heaps to ψ-related outputs.The satisfaction of triples can be extended to (η, ρ, u) |= 2 Γ, by asking that all triples in Γ should hold wrt.(η, ρ, u).Using these satisfaction relations on triples and contexts, we define the notion of 2-validity of judgements: Γ ⊢ {ϕ}C{ψ} is 2-valid iff ∀(η, ρ, u).(η, ρ, u) |= 2 Γ =⇒ (η, ρ, u) |= 2 {ϕ}C{ψ}.Theorem 6.1.Every derivable Γ ⊢ {ϕ}C{ψ} is 2-valid. 2 Recall that the failure of the lifting theorems do not imply that a concrete implication cannot be lifted; consider, e.g., Example 4.9 and replace 1֒→ with true everywhere.One can sidestep the general lifting theorems and (try to) verify directly the Parametricity Condition from Definition 4.3 for all environments η.It is, however, a semantic condition and probably undecidable in general.
It is this theorem that we use to derive the representation independence results mentioned in the introduction.Consider again the example in Figure 1.Since the proof of the left hand side client C is derivable using the above rules in the context Γ = {1֒→ }init{a}, {a}inc{a}, {a}nxt{b}, {b}dec{b}, {b}fin{1֒→ }, we get 2-validity of Γ ⊢ {1֒→ }C{1֒→ }.Instantiating, in the definition of 2-validity, ρ with the given coupling relations and u with the module implementations gives us (∅, ρ, u) |= 2 {1֒→ }C{1֒→ }, since we already know that the different operations respect the coupling relations.Therefore, when we run the client C with the related module implementations, we find that C maps [[1֒→ ]] 2 -related heaps (i.e, heaps with the same value at cell 1) to [[1֒→ ]] 2 -related heaps again.

Conclusion and Discussion
In this paper, we have given a sound and, in a certain sense, complete characterization of when semantic implications in separation logic with assertion variables can be lifted to a relational interpretation.This characterization has, then, been used to identify proofs of clients that respect the abstraction of module internals, specified by means of assertion variables, and to show representation independence for clients with such proofs.We hope that our results provide a solid semantic basis for recent logic-based approaches to data abstraction.
In earlier work, Banerjee and Naumann [2] studied relational parametricity for dynamically allocated heap objects in a Java-like language.Later they extended their results to cover clients programs that are correct with respect to specifications following the "Boogie methodology" implemented in the Spec# verifier [3,4].In both works, Banerjee and Naumann made use of a non-trivial semantic notion of confinement to describe internal resources of a module; here instead we use separation logic with assertions variables to describe which resources are internal to the module.
Data abstraction and information hiding have been studied in logics and specification languages for pointer programs, other than separation logic.Good example projects are ESC-Modular-3 [20], ESC-Java [17] and Spec# [5], some of which use concepts analogous to abstract predicates, called abstract variables [21].It would be an interesting future direction to revisit the questions raised in the paper in the context of these logics and specification languages.
Relational interpretations have also been used to give models of programming languages with local state, which can validate representation independence results [24,28,6,1].These results typically rely on the module allocating the private state, whereas we use the power of separation logic and allow the ownership transfer of states from client to module.For instance, in the two-stage counter in the introduction, the ownership of the cell 1 is transferred from the client to the module upon calling init.Even with this ownership transfer, representation independence is guaranteed, because we consider only those clients having (good) proofs in separation logic.This contrasts with representation independence results in local state models, which consider not some but all well-typed clients.The work by Banerjee and Naumann [2] discussed above also permits ownership transfer.
Lemma 3.1.For all ϕ and η, ρ, ρ ′ , if ∆ n (ρ(a)) = ρ ′ (a) for every a ∈ AVar, we have that ] n η,ρ ′ .Proof.We prove by induction on the structure of ϕ.All the inductive cases and the cases of true and false follow from the preservation result of Lemma 2.2.Thus, it is sufficient to show the lemma when ϕ ≡ a or ϕ ≡ P .When ϕ ≡ a, the assumption of the lemma implies that Proof.Assume that we have an implication of the form (4.1) in Section 4 and an appropriate environment η, that the stated criterion on the variable layout holds and that we have unary η-validity.We must show that the PC holds.
According to Definition 4.3 we assume that we have heaps h, h 1 , . . ., h M ∈ Heap with h i ⊑ h and h i ∈ [[ϕ i ]]1 η for all 1 ≤ i ≤ M .The core of the proof is the construction of a particular environment ρ : V → IRel 1 .For that purpose we need some notation.For a subset M ⊆ PosInt we denote by [M ] the heap that has domain M and stores some fixed value, say 0, at all these locations.Let C ⊆ V be the set of assertion variables that do not occur as labels on solid edges, i.e., for a c ∈ V we have that c ∈ C iff For each 1 ≤ i ≤ M we let K i be the set of second indices of all variables in conjunct i that lie in C, i.e., we set We now define ρ(c) = Heap for c ∈ V \ C. For a variable c ∈ C we let ρ(c) be the union of where we have used K = max{M 1 , . . ., M M } and L = max(dom(h) ∪ {0}).For each 1 ≤ i ≤ M we can write h • [S M,K + L] as the following product which implies that we have h In summary, we have shown that h • [S M,K + L] lies in the unary interpretation of the left hand side in the environments η and ρ.By assumption, the same must hold for the right hand side and from this we aim to derive the PC.
We now know that h • [S M,K + L] lies in the interpretation of some disjunct, say disjunct j.This means that h where J = {1 ≤ k ≤ N j | b j,k ∈ C} is the set of second indices of variables of disjunct j that are in C. By the second assumption of the theorem we know that J = ∅.We write By the properties of segregating sets we get that there must be a common 1 ≤ i ≤ M such that for all k ∈ J there is i.e., the g k 's are all 'from the same conjunct'.But this implies Π(i)(c) ≥ Ω(j)(c) for all c ∈ C as the segregating sets are non-empty.But then Π(i)(c) ≥ Ω(j)(c) must hold for c ∈ V \ C too by the first assumption of the lemma and so Π(i) ≥ Ω(j).Also we must have Π(i)(c) = Ω(j)(c) for each c ∈ C by definition of C. By construction we have But then dom(g) ⊆ h i and so we have η too and we have proved the first option of the PC.Theorem 4.7 (Balloon-Lift).Unary η-validity of an implication implies the PC if there is a subset B ⊆ V with the following three properties.First, each conjunct has at most one occurrence of a variable from B, i.e., Second, each disjunct is empty or has exactly one occurrence of a variable from B, i.e., ∀1 ≤ j ≤ N.
Proof.Assume that we have an implication of the form (4.1) in Section 4 and an appropriate environment η, that the stated criterion on the variable layout holds and that we have unary η-validity.We must show that the PC holds.
According to Definition 4.3 we assume that we have heaps h, h 1 , . . ., h M ∈ Heap with h i ⊑ h and h i ∈ [[ϕ i ]] 1 η for all 1 ≤ i ≤ M .The core of the proof is the construction of a particular environment ρ : V → IRel 1 .We define ρ(c) = Heap for c ∈ V \ B. For a variable c ∈ B we let ρ(c) be the following union 1≤i≤M,1≤k≤M i ,a i,k ≡c {h − h i } ↑ .
For each 1 ≤ i ≤ M we can write h = h i •(h−h i ) and so we have by the first of the original assumptions on the set B. In summary, we have shown that h lies in the unary interpretation of the left hand side in the environments η and ρ.By assumption, the same must hold for the right hand side and from this we aim to derive the PC.
We now know that h lies in the interpretation of some disjunct, say disjunct j.If this disjunct is empty we have proved the second option of the PC.Otherwise we know that there is exactly one 1 ≤ k ≤ N j such that b j,k ∈ B. But then we have This lemma deals with the case of a variable layout with at least two conjuncts and no empty disjuncts but where the first condition of Theorem 4.5 fails.
Lemma D.4 (All-Out-Counter).Suppose that the layout of variables is as follows.There are at least two conjuncts, i.e., M ≥ 2, at least one non-empty disjunct and for each variable one of the following two holds: Either the variable occurs as a label on a solid line ending in a non-empty disjunct.Or it occurs at least twice in a conjunct and we have an empty disjunct.In symbols the variable condition is Then there are choices of ϕ i 's and ψ j 's ϕ i 's and ψ j 's with no variables such that the implication holds on the unary level but not on the binary level.
This lemma deals with two cases.The first is the case of a variable layout with at least two conjuncts and no empty disjuncts but where the second condition of Theorem 4.5 fails while the first holds.The second is the case of a variable layout with at least two conjuncts, at least one empty disjunct and no dashed lines for which Theorem 4.7 fails.
Appendix E. Higher Arities and Parametricity Theorem 5.1.For an implication of the form (4.1) and an appropriate environment η we have that n-ary η-validity implies the PC if n ≥ max{2, M 1 , . . ., M M }.
Proof.Assume that we have an implication of the form (4.1) in Section 4 and an appropriate environment η, that n ≥ max{2, M 1 , . . ., M M } and that we have n-ary η-validity.We must show that the PC holds.
According to Definition 4.3 we assume that we have heaps h, h 1 , . . ., h M ∈ Heap with h i ⊑ h and h i ∈ [[ϕ i ]] 1 η for all 1 ≤ i ≤ M .The core of the proof is the construction of a particular environment ρ : V → IRel n .For that purpose we need some notation.Define, for each 1 ≤ k ≤ n, a map γ k : Heap → Heap n by letting

. , []
for any h ∈ Heap, i.e., it returns the n-tuple that has h as the k-th entry and the empty heap everywhere else.Similarly, we define δ : Heap → Heap n by setting δ(h) = n h, . . ., h for any h ∈ Heap, i.e., it returns the n-tuple that has h as all entries.For a subset M ⊆ PosInt we denote by [M ] the heap that has domain M and stores some fixed value, say 0, at all these locations.
For a variable c ∈ V we now define ρ(c) to be the following union of relations in IRel n : 1≤i≤M,1≤k≤M i ,a (i,k) ≡c This is due to the correctness of Chk, which holds because all the transformations used in the first check of Chk are based on semantic equivalences holding in IRel 2 and the second lifting check is sound because of our lifting theorems.In order to prove the conclusion of the above implication, pick r ∈ IRel