A Complete Axiomatisation for Quantifier-Free Separation Logic
Stéphane Demri, Étienne Lozes, and Alessio Mansutti
LSV, CNRS, ENS Paris-Saclay, 4 avenue des Sciences, 91190 Gif-sur-Yvette. E-mail address: [email protected]
Les Algorithmes, Bâtiment Euclide B, 2000 route des Lucioles, 06900 Sophia Antipolis. E-mail address: [email protected]
LSV, CNRS, ENS Paris-Saclay, 4 avenue des Sciences, 91190 Gif-sur-Yvette. E-mail address: [email protected]
Abstract.
We present the first complete axiomatisation for quantifier-free separation logic. The logic is equipped with the standard concrete heaplet semantics and the proof system has no external feature such as nominals/labels. It is not possible to rely completely on proof systems for Boolean BI, as the concrete semantics needs to be taken into account. Therefore, we present the first internal Hilbert-style axiomatisation for quantifier-free separation logic. The calculus is divided in three parts: the axiomatisation of core formulae, where Boolean combinations of core formulae capture the expressivity of the whole logic; axioms and inference rules to simulate a bottom-up elimination of the separating connectives; and finally structural axioms and inference rules from propositional calculus and Boolean BI with the magic wand.

1. Introduction
The virtue of axiomatising program logics.
Designing a Hilbert-style axiomatisation for your favourite logic is usually quite challenging. This does not necessarily lead to optimal decision procedures, but the completeness proof usually provides essential insights to better understand the logic at hand. That is why many logics related to program verification have been axiomatised, often requiring non-trivial completeness proofs. By way of example, there are axiomatisations for the linear-time $\mu$-calculus [Kai95, Dou17], the modal $\mu$-calculus [Wal00], the alternating-time temporal logic ATL [GvD06], the full computation tree logic CTL$^\ast$ [Rey01], probabilistic extensions of the $\mu$-calculus [LMX16] and a coalgebraic generalisation [SV18]. Concerning the separation logics that extend Hoare-Floyd logic to verify programs with mutable data structures (see e.g. [OP99, Rey02, IO01, O'H12, PSO18]), a Hilbert-style axiomatisation of Boolean BI has been introduced in [GLW06], but it remained at the abstract level of Boolean BI. More recently, HyBBI [BV14], a hybrid version of Boolean BI, has been introduced in order to axiomatise various classes of abstract separation logics; HyBBI naturally considers classes of abstract models (typically preordered partial monoids) but it does not fit exactly the heaplet semantics of separation logics. Furthermore, the addition of nominals (in the sense of hybrid modal logics, see e.g. [ABM01]) extends substantially the object language. Other frameworks to axiomatise classes of abstract separation logics can be found in [DP18, Doc19] and in [HCGT18], respectively with labelled tableaux calculi and with sequent-style proof systems.

Key words and phrases: separation logic, internal calculus, adjunct/quantifier elimination.
This is the long version of the first part of [DLM20].
Preprint submitted to Logical Methods in Computer Science.
© S. Demri, E. Lozes, and A. Mansutti, Creative Commons.
Our motivations.
Since the birth of separation logics, there has been a lot of interest in the study of decidability and computational complexity issues, see e.g. [COY01, BDL09, BIP10, CHO+11, DGLWM17, BK18, DLM18a, Man18], and comparatively less attention to the design of proof systems, and even less with the puristic approach that consists in discarding any external feature such as nominals or labels in the calculi. The well-known advantages of such an approach include an exhaustive understanding of the expressive power of the logic and discarding the use of any external artifact referring to semantical objects. For instance, a tableaux calculus with labels for quantifier-free separation logic is designed in [GM10], whereas Hilbert-style calculi for abstract separation logics with nominals are defined in [BV14]. Similarly, display calculi for bunched logics are provided in [Bro12], but such calculi extend Gentzen-style proof systems by allowing new structural connectives, which provides an elegant means to simulate labels. In this paper, we advocate a puristic approach and aim at designing a Hilbert-style proof system for quantifier-free separation logic $\mathsf{SL}(\ast,-\!\ast)$ (which includes the separating conjunction $\ast$ and the separating implication $-\!\ast$, as well as all Boolean connectives) and more generally for other separation logics, while remaining within the very logical language (see the second part of [DLM20]). Consequently, in this work we only focus on axiomatising separation logics, and we make no claim for practical applications in the field of program verification with separation logics. Aiming at internal calculi is a non-trivial task, as the general frameworks for abstract separation logics make use of labels, see e.g. [DP18, HCGT18]. We cannot rely on label-free calculi for BI, see e.g. [Pym02, GLW06], as separation logics are usually understood as Boolean BI interpreted on models of heap memory and therefore require calculi that cannot abstract as much as is the case for Boolean BI. Finally, there are many translations from separation logics into logics or theories, see e.g. [CGH05, PWZ13, BDL12, RISK16]. However, completeness cannot in general be inherited by sublogics, as the proof system should only use the sublogic, and therefore the axiomatisation of sublogics may lead to different methods. A more detailed discussion about the related work can be found in Section 7.
Our contribution.
We propose a modular axiomatisation of quantifier-free separation logic, starting with a complete axiomatisation of a Boolean algebra of core formulae, and incrementally adding support for the spatial connectives: the separating conjunction and the separating implication (a.k.a. the magic wand). The same approach could be followed for other fragments of separation logic, as we did in the conference version of this paper [DLM20] (see also a similar approach in [DFM19]). Thus, our approach can be considered from the broader perspective of a generic method for axiomatising separation logics. Let us be a bit more precise.

We aim at defining internal calculi according to the terminology from the Workshop on External and Internal Calculi for Non-Classical Logics, FLOC'18, Oxford, http://weic2018.loria.fr.
In Section 3, we present the first Hilbert-style proof system for $\mathsf{SL}(\ast,-\!\ast)$ that uses axiom schemas and rules involving only formulae of this logic. We mainly introduce our approach and present the notations that are used throughout the paper. Each formula of $\mathsf{SL}(\ast,-\!\ast)$ is equivalent to a Boolean combination of core formulae: simple formulae of the logic expressing elementary properties about the models [Loz04b]. Though core formulae (also called test formulae) have been handy on several occasions for establishing complexity results for separation logics, see e.g. [BDL09, DLM18a, Man18, EIP19], in the present paper these formulae are instrumental for the axiomatisation. Indeed, the axiomatisation of $\mathsf{SL}(\ast,-\!\ast)$ is designed starting from an axiomatisation of Boolean combinations of core formulae (introduced in Section 4), and adding axioms and rules that allow to syntactically transform every formula of $\mathsf{SL}(\ast,-\!\ast)$ into such Boolean combinations. This transformation is introduced in Section 5 and in Section 6: the former section shows how to eliminate the separating conjunction $\ast$, whereas the latter one treats the separating implication $-\!\ast$. Schematically, for a valid formula $\varphi$, we conclude $\vdash\varphi$ from $\vdash\varphi'$ and $\vdash\varphi\Leftrightarrow\varphi'$, where $\varphi'$ is a Boolean combination of core formulae. Our methodology leads to a calculus that is divided in three parts: (1) the axiomatisation of Boolean combinations of core formulae, (2) axioms and inference rules to simulate a bottom-up elimination of the separating conjunction, and (3) axioms and inference rules to simulate a bottom-up elimination of the magic wand. Such an approach, that consists in first axiomatising a syntactic fragment of the whole logic (in our case, the core formulae), is best described in [Dou17] (see also [Wal00, vB11, WC13, Lüc18, DFM19]). Section 7 compares works from the literature with our contribution, either for separation logics (abstract versions, fragments, etc.) or for knowledge logics for which the axiomatisation has been performed by using a reduction to a strict syntactic fragment, though expressively complete.
This paper is the complete version of the first part of [DLM20], dedicated to quantifier-free separation logic $\mathsf{SL}(\ast,-\!\ast)$. The complete version of the second part of [DLM20], dedicated to the new separation logic $\mathsf{SL}(\ast,\exists{:}\leadsto)$, is too long to be included in the present document.

2. Preliminaries
2.1. Quantifier-free separation logic.
We present the quantifier-free separation logic $\mathsf{SL}(\ast,-\!\ast)$, which includes standard features such as the separating conjunction $\ast$, the separating implication $-\!\ast$ and closure under Boolean connectives. Let $\mathsf{VAR}=\{\mathsf{x},\mathsf{y},\dots\}$ be a countably infinite set of program variables. The formulae $\varphi$ of $\mathsf{SL}(\ast,-\!\ast)$ and its atomic formulae $\pi$ are built from the grammars below, where $\mathsf{x},\mathsf{y}\in\mathsf{VAR}$.
$$\pi ::= \mathsf{x}=\mathsf{y} \mid \mathsf{x}\hookrightarrow\mathsf{y} \mid \mathsf{emp} \qquad\qquad \varphi ::= \pi \mid \neg\varphi \mid \varphi\wedge\varphi \mid \varphi\ast\varphi \mid \varphi-\!\ast\varphi.$$
The connectives $\Rightarrow$, $\Leftrightarrow$ and $\vee$ are defined as usual. In the heaplet semantics, the formulae of $\mathsf{SL}(\ast,-\!\ast)$ are interpreted on memory states that are pairs $(s,h)$ where $s:\mathsf{VAR}\to\mathsf{LOC}$ is a variable valuation (the store) from the set of program variables to a countably infinite set of locations $\mathsf{LOC}=\{\ell_0,\ell_1,\ell_2,\dots\}$, whereas $h:\mathsf{LOC}\to_{\mathrm{fin}}\mathsf{LOC}$ is a partial function with finite domain (the heap). We write $\mathrm{dom}(h)$ to denote its domain and $\mathrm{ran}(h)$ to denote its range. A memory cell of $h$ is understood as a pair of locations $(\ell,\ell')$ such that $\ell\in\mathrm{dom}(h)$ and $\ell'=h(\ell)$. As usual, the heaps $h_1$ and $h_2$ are said to be disjoint, written $h_1\perp h_2$, if $\mathrm{dom}(h_1)\cap\mathrm{dom}(h_2)=\emptyset$; when this holds, we write $h_1+h_2$ to denote the heap corresponding to the disjoint union of the graphs of $h_1$ and $h_2$, hence $\mathrm{dom}(h_1+h_2)=\mathrm{dom}(h_1)\uplus\mathrm{dom}(h_2)$. When the domains of $h_1$ and $h_2$ are not disjoint, the composition $h_1+h_2$ is not defined. Moreover, we write $h'\subseteq h$ to denote that $\mathrm{dom}(h')\subseteq\mathrm{dom}(h)$ and for all locations $\ell\in\mathrm{dom}(h')$, we have $h'(\ell)=h(\ell)$. If $h'\subseteq h$ then $h'$ is said to be a subheap of $h$. The satisfaction relation $\models$ is defined as follows (we omit the standard clauses for the Boolean connectives $\neg$ and $\wedge$):
$(s,h)\models\mathsf{x}=\mathsf{y}$ iff $s(\mathsf{x})=s(\mathsf{y})$,
$(s,h)\models\mathsf{emp}$ iff $\mathrm{dom}(h)=\emptyset$,
$(s,h)\models\mathsf{x}\hookrightarrow\mathsf{y}$ iff $s(\mathsf{x})\in\mathrm{dom}(h)$ and $h(s(\mathsf{x}))=s(\mathsf{y})$,
$(s,h)\models\varphi_1\ast\varphi_2$ iff there are $h_1,h_2$ such that $h_1\perp h_2$, $h_1+h_2=h$, $(s,h_1)\models\varphi_1$ and $(s,h_2)\models\varphi_2$,
$(s,h)\models\varphi_1-\!\ast\varphi_2$ iff for all $h'$ such that $h'\perp h$ and $(s,h')\models\varphi_1$, we have $(s,h+h')\models\varphi_2$.
We denote with $\bot$ the contradiction $\mathsf{x}\neq\mathsf{x}$, and with $\top$ its negation $\neg\bot$. The septraction operator $\mathbin{-\!\circledast}$ (a kind of dual of $-\!\ast$), defined by $\varphi\mathbin{-\!\circledast}\psi\stackrel{\mathrm{def}}{=}\neg(\varphi-\!\ast\neg\psi)$, has the following semantics:
$(s,h)\models\varphi\mathbin{-\!\circledast}\psi$ iff there is a heap $h'$ such that $h'\perp h$, $(s,h')\models\varphi$, and $(s,h+h')\models\psi$.
We adopt the standard precedence between classical connectives, and extend it to the connectives of separation logic as follows: $\{\neg,\exists\}>\{\wedge,\vee,\ast\}>\{\Rightarrow,-\!\ast,\mathbin{-\!\circledast}\}$. Notice that the separating conjunction $\ast$ has a higher precedence than the separating implication $-\!\ast$, and it has the same precedence as the (classical) conjunction $\wedge$. For instance, $\varphi\ast\psi\Rightarrow\chi$ and $\neg\varphi-\!\ast\psi\ast\psi$ stand for $(\varphi\ast\psi)\Rightarrow\chi$ and $(\neg\varphi)-\!\ast(\psi\ast\psi)$, respectively.
A formula $\varphi$ is valid if $(s,h)\models\varphi$ for all memory states $(s,h)$ (and we write $\models\varphi$). For a complete description of separation logic, see e.g. [Rey02]. Given a set of formulae $\Gamma$, we write $\Gamma\models\varphi$ (semantical entailment) whenever $(s,h)\models\varphi$ holds for every memory state $(s,h)$ satisfying every formula in $\Gamma$.
It is worth noting that the quantifier-free logic $\mathsf{SL}(\ast,-\!\ast)$ axiomatised in this paper admits a PSpace-complete validity problem, see e.g. [COY01], and should not be confused with propositional separation logic with stack-heap models, shown undecidable in [BK14, Corollary 5.1] (see also [DD15, Section 4]), in which there are propositional variables interpreted by sets of memory states.
2.2. Core formulae.
We introduce the following well-known shortcuts, which play an important role in the sequel. Let $\mathsf{x}\in\mathsf{VAR}$ and $\beta\in\mathbb{N}$.
Shortcut $\mathsf{alloc}(\mathsf{x})$. Definition: $\mathsf{alloc}(\mathsf{x})\stackrel{\mathrm{def}}{=}(\mathsf{x}\hookrightarrow\mathsf{x})-\!\ast\bot$. Semantics: $(s,h)\models\mathsf{alloc}(\mathsf{x})$ iff $s(\mathsf{x})\in\mathrm{dom}(h)$.
Shortcut $\mathsf{size}\geq\beta$. Definition: $\mathsf{size}\geq\beta\stackrel{\mathrm{def}}{=}\begin{cases}\top & \text{if }\beta=0\\ \neg\mathsf{emp} & \text{if }\beta=1\\ \neg\mathsf{emp}\ast\mathsf{size}\geq\beta-1 & \text{otherwise}\end{cases}$. Semantics: $(s,h)\models\mathsf{size}\geq\beta$ iff $\mathrm{card}(\mathrm{dom}(h))\geq\beta$.
We use $\mathsf{size}=\beta$ as a shorthand for $\mathsf{size}\geq\beta\wedge\neg\mathsf{size}\geq\beta+1$.
The core formulae are expressions of the form $\mathsf{x}=\mathsf{y}$, $\mathsf{alloc}(\mathsf{x})$, $\mathsf{x}\hookrightarrow\mathsf{y}$ and $\mathsf{size}\geq\beta$, where $\mathsf{x},\mathsf{y}\in\mathsf{VAR}$ and $\beta\in\mathbb{N}$. As we can see, the core formulae are simple $\mathsf{SL}(\ast,-\!\ast)$ formulae. It is well-known, see e.g. [Yan01, Loz04a], that these formulae capture essential properties of the memory states. In particular, every formula of $\mathsf{SL}(\ast,-\!\ast)$ is logically equivalent to a Boolean combination of core formulae [Loz04a].
As a simple but crucial insight, since the core formulae are formulae of $\mathsf{SL}(\ast,-\!\ast)$, we can freely use them to help us define the proof system for $\mathsf{SL}(\ast,-\!\ast)$ without going outside the original language. With this in mind, the resulting proof system is Hilbert-style and completely internal (the formal definition of these types of systems is recalled below).
Given $X\subseteq_{\mathrm{fin}}\mathsf{VAR}$ and $\alpha\in\mathbb{N}$, we define $\mathsf{Core}(X,\alpha)$ as the set
$$\{\mathsf{x}=\mathsf{y},\ \mathsf{alloc}(\mathsf{x}),\ \mathsf{x}\hookrightarrow\mathsf{y},\ \mathsf{size}\geq\beta \mid \mathsf{x},\mathsf{y}\in X,\ \beta\in[1,\alpha]\}.$$
$\mathsf{Bool}(\mathsf{Core}(X,\alpha))$ is defined as the set of Boolean combinations of formulae from $\mathsf{Core}(X,\alpha)$, whereas $\mathsf{Conj}(\mathsf{Core}(X,\alpha))$ is the set of conjunctions of literals built upon $\mathsf{Core}(X,\alpha)$. As usual, a literal is understood as a core formula or its negation. Let $\varphi=L_1\wedge\dots\wedge L_n\in\mathsf{Conj}(\mathsf{Core}(X,\alpha))$ be a conjunction of literals $L_1,\dots,L_n$. We write $\mathsf{Lt}(\varphi)$ to denote $\{L_1,\dots,L_n\}$. In forthcoming developments, we are interested in the maximum $\beta$ (if any) of the formulae of the form $\mathsf{size}\geq\beta$ occurring positively in a conjunction of literals. For this reason, we write $\mathsf{max}_{\mathsf{size}}(\varphi)$ for $\max(\{\beta\in\mathbb{N}\mid\mathsf{size}\geq\beta\in\mathsf{Lt}(\varphi)\}\cup\{0\})$. For instance, given $\varphi=\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}\geq 2\wedge\neg\mathsf{size}\geq 4$, we have $\mathsf{Lt}(\varphi)=\{\mathsf{alloc}(\mathsf{x}),\mathsf{size}\geq 2,\neg\mathsf{size}\geq 4\}$ and $\mathsf{max}_{\mathsf{size}}(\varphi)=2$. Given two conjunctions of literals $\varphi,\psi\in\mathsf{Conj}(\mathsf{Core}(X,\alpha))$, $\psi\subseteq_{\mathsf{Lt}}\varphi$ stands for $\mathsf{Lt}(\psi)\subseteq\mathsf{Lt}(\varphi)$. Finally, we introduce a few more shortcuts and we write
– $\chi\subseteq_{\mathsf{Lt}}\{\varphi\mid\psi\}$ for "$\chi\subseteq_{\mathsf{Lt}}\varphi$ or $\chi\subseteq_{\mathsf{Lt}}\psi$";
– $\{\varphi\mid\psi\}\subseteq_{\mathsf{Lt}}\chi$ for "$\varphi\subseteq_{\mathsf{Lt}}\chi$ or $\psi\subseteq_{\mathsf{Lt}}\chi$";
– $\chi\subseteq_{\mathsf{Lt}}\{\varphi;\psi\}$ for "$\chi\subseteq_{\mathsf{Lt}}\varphi$ and $\chi\subseteq_{\mathsf{Lt}}\psi$".
Given a finite set of formulae $\Gamma=\{\varphi_1,\dots,\varphi_n\}$, we write $\bigwedge\Gamma$ as a shorthand for $\varphi_1\wedge\dots\wedge\varphi_n$. Similarly, $\ast\Gamma$ stands for $\varphi_1\ast\dots\ast\varphi_n$. It is important to notice that, similarly to the classical conjunction, the separating conjunction $\ast$ is associative and commutative (see the first two $(\mathrm{A}^{\ast})$ axioms in Figure 1), and therefore the semantics of $\ast\Gamma$ is uniquely defined, regardless of the choice of ordering for $\varphi_1,\dots,\varphi_n$.

2.3. Hilbert-style proof systems.
A Hilbert-style proof system $\mathcal{H}$ is defined as a set of tuples $((\Phi_1,\dots,\Phi_n),\Psi)$ with $n\geq 0$, where $\Phi_1,\dots,\Phi_n,\Psi$ are formula schemata (a.k.a. axiom schemata). When $n\geq 1$, $((\Phi_1,\dots,\Phi_n),\Psi)$ is called an inference rule, otherwise it is an axiom. As usual, formula schemata generalise the notion of formulae by allowing metavariables for formulae (typically $\varphi,\psi,\chi$), for program variables (typically $\mathsf{x},\mathsf{y},\mathsf{z}$) or for any type of syntactic objects in formulae, depending on the context. The set of formulae derivable from $\mathcal{H}$ is the least set $S$ such that for all $((\Phi_1,\dots,\Phi_n),\Psi)\in\mathcal{H}$ and for all substitutions $\sigma$, if $\Phi_1\sigma,\dots,\Phi_n\sigma\in S$ then $\Psi\sigma\in S$. We write $\vdash_{\mathcal{H}}\varphi$ if $\varphi$ is derivable from $\mathcal{H}$. A proof system $\mathcal{H}$ is sound if all derivable formulae are valid. $\mathcal{H}$ is complete if all valid formulae are derivable. We say that $\mathcal{H}$ is adequate whenever it is both sound and complete. Lastly, $\mathcal{H}$ is strongly complete whenever for all sets of formulae $\Gamma$ and formulae $\varphi$, we have $\Gamma\models\varphi$ (semantical entailment) if and only if $\vdash_{\mathcal{H}\cup\Gamma}\varphi$.
Interestingly enough, there is no strongly complete proof system for $\mathsf{SL}(\ast,-\!\ast)$, as strong completeness implies compactness and separation logic is not compact. Indeed, $\{\mathsf{size}\geq\beta\mid\beta\in\mathbb{N}\}$ is unsatisfiable, as heaps have finite domains, but all its finite subsets are satisfiable.

Figure 1: The proof system $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ (axioms and modus ponens from propositional calculus are omitted).
$(\mathrm{A}^{\mathrm{C}})$ $\mathsf{x}=\mathsf{x}$
$(\mathrm{A}^{\mathrm{C}})$ $\varphi\wedge\mathsf{x}=\mathsf{y}\Rightarrow\varphi[\mathsf{y}\leftarrow\mathsf{x}]$
$(\mathrm{A}^{\mathrm{C}})$ $\mathsf{x}\hookrightarrow\mathsf{y}\Rightarrow\mathsf{alloc}(\mathsf{x})$
$(\mathrm{A}^{\mathrm{C}})$ $\mathsf{x}\hookrightarrow\mathsf{y}\wedge\mathsf{x}\hookrightarrow\mathsf{z}\Rightarrow\mathsf{y}=\mathsf{z}$
$(\mathrm{A}^{\ast})$ $(\varphi\ast\psi)\Leftrightarrow(\psi\ast\varphi)$
$(\mathrm{A}^{\ast})$ $(\varphi\ast\psi)\ast\chi\Leftrightarrow\varphi\ast(\psi\ast\chi)$
$(\mathrm{A}^{\ast})$ $\varphi\Leftrightarrow\varphi\ast\mathsf{emp}$
$(\mathrm{A}^{\ast})$ $(\mathsf{alloc}(\mathsf{x})\ast\mathsf{alloc}(\mathsf{x}))\Leftrightarrow\bot$
$(\mathrm{A}^{\ast})$ $e\ast\top\Rightarrow e\ \triangleleft\ [e\in\{\neg\mathsf{emp},\ \mathsf{x}=\mathsf{y},\ \mathsf{x}\neq\mathsf{y},\ \mathsf{x}\hookrightarrow\mathsf{y}\}]$
$(\mathrm{A}^{\ast})$ $\neg\mathsf{alloc}(\mathsf{x})\ast\neg\mathsf{alloc}(\mathsf{x})\Rightarrow\neg\mathsf{alloc}(\mathsf{x})$
$(\mathrm{A}^{\ast})$ $(\mathsf{alloc}(\mathsf{x})\wedge\neg\mathsf{x}\hookrightarrow\mathsf{y})\ast\top\Rightarrow\neg\mathsf{x}\hookrightarrow\mathsf{y}$
$(\mathrm{A}^{\ast})$ $\mathsf{alloc}(\mathsf{x})\Rightarrow(\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)\ast\top$
$(\mathrm{A}^{\ast})$ $\neg\mathsf{emp}\Rightarrow\mathsf{size}=1\ast\top$
$(\mathrm{A}^{\ast})$ $\neg\mathsf{size}\geq\beta_1\ast\neg\mathsf{size}\geq\beta_2\Rightarrow\neg\mathsf{size}\geq\beta_1+\beta_2\mathbin{\dot-}1$
$(\mathrm{A}^{\ast})$ $\mathsf{alloc}(\mathsf{x})\wedge\mathsf{alloc}(\mathsf{y})\wedge\mathsf{x}\neq\mathsf{y}\Rightarrow\mathsf{size}\geq 2$
$(\mathrm{A}^{-\!\ast})$ $(\mathsf{size}=1\wedge\bigwedge_{\mathsf{x}\in X}\neg\mathsf{alloc}(\mathsf{x}))\mathbin{-\!\circledast}\top\ \triangleleft\ [X\subseteq_{\mathrm{fin}}\mathsf{VAR}]$
$(\mathrm{A}^{-\!\ast})$ $\neg\mathsf{alloc}(\mathsf{x})\Rightarrow((\mathsf{x}\hookrightarrow\mathsf{y}\wedge\mathsf{size}=1)\mathbin{-\!\circledast}\top)$
$(\mathrm{A}^{-\!\ast})$ $\neg\mathsf{alloc}(\mathsf{x})\Rightarrow((\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1\wedge\bigwedge_{\mathsf{y}\in X}\neg\mathsf{x}\hookrightarrow\mathsf{y})\mathbin{-\!\circledast}\top)\ \triangleleft\ [X\subseteq_{\mathrm{fin}}\mathsf{VAR}]$
$\ast$-Intro: $\dfrac{\varphi\Rightarrow\chi}{\varphi\ast\psi\Rightarrow\chi\ast\psi}$
$\ast$-Adj: $\dfrac{\varphi\ast\psi\Rightarrow\chi}{\varphi\Rightarrow(\psi-\!\ast\chi)}$
$-\!\ast$-Adj: $\dfrac{\varphi\Rightarrow(\psi-\!\ast\chi)}{\varphi\ast\psi\Rightarrow\chi}$

Even for the weaker notion of completeness, deriving a Hilbert-style axiomatisation for $\mathsf{SL}(\ast,-\!\ast)$ remains challenging. Indeed, the satisfiability problem for $\mathsf{SL}(\ast,-\!\ast)$ reduces to its validity problem, making $\mathsf{SL}(\ast,-\!\ast)$ an unusual logic from a proof-theoretical point of view. Let us develop this point a bit further.
Let $\varphi$ be a formula built over program variables in $X\subseteq_{\mathrm{fin}}\mathsf{VAR}$, and let $\approx$ be an equivalence relation on $X$. The formula
$$\psi_{\approx}\stackrel{\mathrm{def}}{=}\Big(\mathsf{emp}\wedge\bigwedge_{\mathsf{x}\approx\mathsf{y}}\mathsf{x}=\mathsf{y}\wedge\bigwedge_{\mathsf{x}\not\approx\mathsf{y}}\mathsf{x}\neq\mathsf{y}\Big)\Rightarrow(\varphi\mathbin{-\!\circledast}\top)$$
can be shown to be valid iff for every store $s$ agreeing on $\approx$, there is a heap $h$ such that $(s,h)\models\varphi$. It is known that for all stores $s,s'$ agreeing on $\approx$, and every heap $h$, the memory states $(s,h)$ and $(s',h)$ satisfy the same set of formulae having variables from $X$. Since the antecedent of $\psi_{\approx}$ is satisfiable, we conclude that $\psi_{\approx}$ is valid iff there are a store $s$ agreeing on $\approx$ and a heap $h$ such that $(s,h)\models\varphi$. To check whether $\varphi$ is satisfiable, it is sufficient to find an equivalence relation $\approx$ on $X$ such that $\psi_{\approx}$ is valid. As the number of equivalence relations on $X$ is finite, we obtain a Turing reduction from satisfiability to validity. Consequently, it is not possible to define sound and complete axiom systems for any extension of $\mathsf{SL}(\ast,-\!\ast)$ admitting an undecidable validity problem (as long as there is a reduction from satisfiability to validity, as above).
A good example is the logic $\mathsf{SL}(\ast,-\!\ast,\mathsf{ls})$ [DLM18b] (the extension of $\mathsf{SL}(\ast,-\!\ast)$ with the well-known list-segment predicate $\mathsf{ls}$); see also the first-order separation logic in [BDL12]. Indeed, to obtain a sound and complete axiom system, the validity problem has to be recursively enumerable (r.e.). However, this would imply that the satisfiability problem is also r.e. As a formula $\varphi$ is not valid if and only if $\neg\varphi$ is satisfiable, we then conclude that the set of valid formulae is recursive, hence decidable, a contradiction.

3. Hilbert-style proof system for $\mathsf{SL}(\ast,-\!\ast)$

In Figure 1, we present the proof system $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ that shall be shown to be sound and complete for quantifier-free separation logic $\mathsf{SL}(\ast,-\!\ast)$. $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ and all the subsequent fragments of $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ contain the axiom schemata and modus ponens for the propositional calculus (we omit these rules in the presentation). In the axiom $(\mathrm{A}^{\ast})$ of the form $e\ast\top\Rightarrow e$ and in the two axioms $(\mathrm{A}^{-\!\ast})$ parameterised by a set $X$, the notation $\varphi\triangleleft[B]$ refers to the axiom schema $\varphi$ assuming that the Boolean condition $B$ holds. We highlight the fact that, in these three axioms, $B$ is a simple syntactical condition. In the axiom $(\mathrm{A}^{\ast})$ about $\mathsf{size}$, $a\mathbin{\dot-}b$, where $a,b\in\mathbb{N}$, stands for $\max(0,a-b)$.
Though the full proof system $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ is presented quite early in the paper, its final design remains the outcome of a refined analysis of the principles behind $\mathsf{SL}(\ast,-\!\ast)$ tautologies. Fortunately, we do not start from scratch, as the calculus must contain the axioms and rules from the Hilbert-style proof system for Boolean BI [GLW06]. At first glance the system $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ may seem quite arbitrary, but the role of the different axioms shall become clearer during the paper. In designing the system, we tried to define axioms that are as simple as possible, which helps highlighting the most fundamental properties of $\mathsf{SL}(\ast,-\!\ast)$.
At this stage, it is probably easier to appreciate the simplicity of the axioms for the readers already familiar with the essential properties of $\mathsf{SL}(\ast,-\!\ast)$. We insist: the core formulae in $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ should be understood as mere abbreviations, which makes all the axioms in Figure 1 belong to the original language of $\mathsf{SL}(\ast,-\!\ast)$. In order to show completeness of $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$, we first establish completeness for subsystems of $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$, with respect to syntactical fragments of $\mathsf{SL}(\ast,-\!\ast)$. In particular, we consider
• $\mathcal{H}_{\mathrm{C}}$: an adequate proof system for the propositional logic of core formulae (see Figure 4);
• $\mathcal{H}_{\mathrm{C}}(\ast)$: an extension of $\mathcal{H}_{\mathrm{C}}$ that is adequate for the logic $\mathsf{SL}(\ast,\mathsf{alloc})$, i.e. the logic obtained from $\mathsf{SL}(\ast,-\!\ast)$ by removing the separating implication $-\!\ast$ at the price of adding the formula $\mathsf{alloc}(\mathsf{x})$ (see Figure 5);
• the full $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$, which can be seen as an extension of $\mathcal{H}_{\mathrm{C}}(\ast)$ that allows to reason about the separating implication (see Figure 7).
For the completeness of $\mathcal{H}_{\mathrm{C}}$ and $\mathcal{H}_{\mathrm{C}}(\ast)$, we add intermediate axioms that turn out to be useless when the full proof system $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ is considered, as they become derivable. By convention, the axioms whose name is of the form $\mathrm{A}^{?}_{i}$ are axioms that remain in $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ (see Figure 1), whereas those named $\mathrm{I}^{?}_{i}$ are intermediate axioms that are instrumental for the proof of completeness of a subsystem among $\mathcal{H}_{\mathrm{C}}$ and $\mathcal{H}_{\mathrm{C}}(\ast)$ (and therefore none of them occurs in Figure 1). The numbering of the axioms in Figure 1 is not consecutive, as intermediate axioms shall be placed within the holes. It is worth noting that one of the axioms $(\mathrm{A}^{\ast})$ had an intermediate status in [DLM20], but we realised that this axiom does need to be considered as a first-class axiom in the proof system $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$. The choice of introducing $\mathcal{H}_{\mathrm{C}}$ and $\mathcal{H}_{\mathrm{C}}(\ast)$ naturally follows from the main steps required for the completeness of $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$.
In particular, the main "task" of $\mathcal{H}_{\mathrm{C}}(\ast)$ is to produce a bottom-up elimination of the separating conjunction $\ast$, at the price of introducing Boolean combinations of core formulae, which can be proved valid thanks to $\mathcal{H}_{\mathrm{C}}$. Similarly, the axioms and rules added to $\mathcal{H}_{\mathrm{C}}(\ast)$ to define $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ are dedicated to performing a bottom-up elimination of the separating implication. A merit of this methodology is that only the completeness of the calculus $\mathcal{H}_{\mathrm{C}}$ is proved using the standard countermodel method. The additional steps required to prove the completeness of $\mathcal{H}_{\mathrm{C}}(\ast)$ and $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ are (almost) completely syntactical. For instance, to show the completeness of $\mathcal{H}_{\mathrm{C}}(\ast)$, we consider arbitrary Boolean combinations of core formulae $\varphi$ and $\psi$, and exhibit a Boolean combination of core formulae $\chi$ such that $\varphi\ast\psi\Leftrightarrow\chi$ is valid. We show that this validity can be syntactically proved within $\mathcal{H}_{\mathrm{C}}(\ast)$, and then rely on the fact that $\mathcal{H}_{\mathrm{C}}$ is complete for Boolean combinations of core formulae to deduce that $\mathcal{H}_{\mathrm{C}}(\ast)$ is complete for $\mathsf{SL}(\ast,\mathsf{alloc})$.
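As an added example that is not part of the paper, the following Python code implements the heaplet semantics of Section 2 for the fragment of $\mathsf{SL}(\ast,-\!\ast)$ without the separating implication (the core formulae $\mathsf{alloc}(\mathsf{x})$ and $\mathsf{size}\geq\beta$ are taken as primitives with the semantics of the shortcut table) and uses it to search for countermodels to instances of the $\ast$-axioms of Figure 1 over every memory state with two variables and four locations. The nested-tuple encoding of formulae and the axiom instances chosen are this example's own assumptions.

```python
"""Heaplet semantics of quantifier-free separation logic without the magic
wand, with the core formulae alloc(x) and size >= beta taken as primitives,
and a bounded soundness check of the *-axioms of Figure 1.
Added example: the tuple encoding below is this code's own convention."""
from itertools import combinations, product

# Constructed AST:  ('eq', x, y)  x = y        ('pto', x, y)  x points to y
#   ('emp',)   ('not', f)   ('and', f, g)   ('star', f, g)
#   ('alloc', x)  alloc(x)                   ('size_ge', b)  size >= b


def sat(s, h, f):
    """(s, h) |= f for a store s: dict var -> loc and a heap h: dict loc -> loc
    (a finite partial function), following the satisfaction relation of Sect. 2."""
    tag = f[0]
    if tag == 'eq':
        return s[f[1]] == s[f[2]]
    if tag == 'pto':
        return s[f[1]] in h and h[s[f[1]]] == s[f[2]]
    if tag == 'emp':
        return len(h) == 0
    if tag == 'not':
        return not sat(s, h, f[1])
    if tag == 'and':
        return sat(s, h, f[1]) and sat(s, h, f[2])
    if tag == 'alloc':          # (s,h) |= alloc(x) iff s(x) in dom(h)
        return s[f[1]] in h
    if tag == 'size_ge':        # (s,h) |= size >= b iff card(dom(h)) >= b
        return len(h) >= f[1]
    if tag == 'star':
        # h = h1 + h2 for disjoint h1, h2: try every split of dom(h)
        dom = list(h)
        for r in range(len(dom) + 1):
            for d1 in combinations(dom, r):
                h1 = {l: h[l] for l in d1}
                h2 = {l: h[l] for l in dom if l not in d1}
                if sat(s, h1, f[1]) and sat(s, h2, f[2]):
                    return True
        return False
    raise ValueError(f"unknown connective {tag!r}")


# Derived connectives and the shortcuts of Section 2.2 (bottom is x != x).
def implies(f, g): return ('not', ('and', f, ('not', g)))
def iff(f, g): return ('and', implies(f, g), implies(g, f))
def size_eq(b): return ('and', ('size_ge', b), ('not', ('size_ge', b + 1)))
BOT = ('not', ('eq', 'x', 'x'))
TOP = ('not', BOT)


def memory_states(variables, locs):
    """All stores over `variables` and all heaps with domain and range in locs."""
    for vals in product(locs, repeat=len(variables)):
        s = dict(zip(variables, vals))
        for r in range(len(locs) + 1):
            for dom in combinations(locs, r):
                for rng in product(locs, repeat=r):
                    yield s, dict(zip(dom, rng))


def bounded_valid(f, variables=('x', 'y'), locs=range(4)):
    """True iff no countermodel exists among the memory states over `locs`.
    LOC is infinite in the paper, so this is a bounded check, not a proof."""
    return all(sat(s, h, f) for s, h in memory_states(variables, locs))


A, P, NA = ('alloc', 'x'), ('pto', 'x', 'y'), ('not', ('alloc', 'x'))
STAR_AXIOMS = {
    'commutativity': iff(('star', A, P), ('star', P, A)),
    'emp is a unit': iff(P, ('star', P, ('emp',))),
    'alloc * alloc is bot': iff(('star', A, A), BOT),
    'not alloc * not alloc': implies(('star', NA, NA), NA),
    'x->y * top => x->y': implies(('star', P, TOP), P),
    '(alloc & not x->y) * top': implies(('star', ('and', A, ('not', P)), TOP), ('not', P)),
    'alloc => (alloc & size=1) * top': implies(A, ('star', ('and', A, size_eq(1)), TOP)),
    # beta1 = 2, beta2 = 3: the conclusion is not size >= (2 + 3 .- 1) = 4
    'not size>=2 * not size>=3': implies(
        ('star', ('not', ('size_ge', 2)), ('not', ('size_ge', 3))), ('not', ('size_ge', 4))),
    'two distinct cells': implies(
        ('and', ('and', A, ('alloc', 'y')), ('not', ('eq', 'x', 'y'))), ('size_ge', 2)),
}


def check_star_axioms():
    """Map each axiom instance to whether it survives the bounded check."""
    return {name: bounded_valid(f) for name, f in STAR_AXIOMS.items()}


if __name__ == '__main__':
    for name, ok in check_star_axioms().items():
        print(f"{name:35s} {'no countermodel' if ok else 'COUNTERMODEL'}")
```

Weakening the size axiom to $\neg\mathsf{size}\geq 2\ast\neg\mathsf{size}\geq 2\Rightarrow\neg\mathsf{size}\geq 2$ makes `bounded_valid` return `False`, since two one-cell heaps compose into a two-cell heap.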
Throughout the paper, we shall have the opportunity to explain the intuition behind the axioms and rules. Below, we provide a few hints. The axioms $(\mathrm{A}^{\mathrm{C}})$ deal with the core formulae and are quite immediate to grasp. More interestingly, whereas the first three axioms $(\mathrm{A}^{\ast})$ (commutativity, associativity and the unit law for $\mathsf{emp}$) are quite general about the separating conjunction and are inherited from Boolean BI, the remaining axioms $(\mathrm{A}^{\ast})$ state how the separating conjunction behaves with the core formulae. As for the Boolean combinations of core formulae involved in the axioms $(\mathrm{A}^{\mathrm{C}})$, these axioms $(\mathrm{A}^{\ast})$ are also not difficult to understand. Besides, the inference rules $\ast$-Adj and $-\!\ast$-Adj simply reflect that the separating conjunction and the separating implication are adjoint operators, and are taken from Boolean BI, see e.g. [GLW06]. The axioms $(\mathrm{A}^{-\!\ast})$, dedicated to the interaction between the separating implication and the core formulae, are expressed with the help of the septraction operator $\mathbin{-\!\circledast}$ to ease the understanding, but, as is well-known, septraction is defined with the help of the separating implication and Boolean negation. For instance, the first axiom $(\mathrm{A}^{-\!\ast})$ states that it is always possible to add some one-memory-cell heap $h'$ to some heap $h$ while none of the variables from a finite set $X$ is allocated in $h'$. This natural property in our framework would not hold in general if $\mathsf{LOC}$ were not infinite. Obviously, the septraction $\mathbin{-\!\circledast}$ is also understood as an abbreviation.
As a sanity check, we show that the proof system $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ is sound with respect to $\mathsf{SL}(\ast,-\!\ast)$. The proof does not pose any specific difficulty (as usual with most soundness proofs), but this is the opportunity for the reader to further get familiar with the axioms and rules of $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$.

Lemma 3.1. $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$ is sound.

Proof. The validity of the four axioms $(\mathrm{A}^{\mathrm{C}})$ is straightforward. Moreover, the validity of the first three axioms $(\mathrm{A}^{\ast})$ (commutativity, associativity and the unit law for $\mathsf{emp}$) and of the three rules ($\ast$-Intro, $\ast$-Adj and $-\!\ast$-Adj) is inherited from Boolean BI (see [BV14] and [GLW06, Section 2]).
Validity of $(\mathrm{A}^{\ast})$: $(\mathsf{alloc}(\mathsf{x})\ast\mathsf{alloc}(\mathsf{x}))\Leftrightarrow\bot$. Let us show that $\mathsf{alloc}(\mathsf{x})\ast\mathsf{alloc}(\mathsf{x})$ is not satisfiable. Ad absurdum, suppose there is a memory state $(s,h)$ such that $(s,h)\models\mathsf{alloc}(\mathsf{x})\ast\mathsf{alloc}(\mathsf{x})$. By definition of $\models$, there are $h_1,h_2$ such that $h_1\perp h_2$, $h_1+h_2=h$, $(s,h_1)\models\mathsf{alloc}(\mathsf{x})$ and $(s,h_2)\models\mathsf{alloc}(\mathsf{x})$. Thus, $s(\mathsf{x})\in\mathrm{dom}(h_1)$ and $s(\mathsf{x})\in\mathrm{dom}(h_2)$, which contradicts $h_1\perp h_2$.
Validity of $(\mathrm{A}^{\ast})$: $e\ast\top\Rightarrow e$. The proof of the validity of every instantiation is similar (and quite easy), therefore we only show the case $\mathsf{x}\hookrightarrow\mathsf{y}\ast\top\Rightarrow\mathsf{x}\hookrightarrow\mathsf{y}$. Suppose $(s,h)\models\mathsf{x}\hookrightarrow\mathsf{y}\ast\top$. Then, there is a subheap $h'\subseteq h$ such that $(s,h')\models\mathsf{x}\hookrightarrow\mathsf{y}$. Hence, $h'(s(\mathsf{x}))=s(\mathsf{y})$. As $h'\subseteq h$, we obtain $h(s(\mathsf{x}))=s(\mathsf{y})$, which by definition implies $(s,h)\models\mathsf{x}\hookrightarrow\mathsf{y}$.
Validity of $(\mathrm{A}^{\ast})$: $\neg\mathsf{alloc}(\mathsf{x})\ast\neg\mathsf{alloc}(\mathsf{x})\Rightarrow\neg\mathsf{alloc}(\mathsf{x})$. Suppose $(s,h)\models\neg\mathsf{alloc}(\mathsf{x})\ast\neg\mathsf{alloc}(\mathsf{x})$. Then, there are two disjoint heaps $h_1,h_2$ such that $h=h_1+h_2$, $(s,h_1)\models\neg\mathsf{alloc}(\mathsf{x})$ and $(s,h_2)\models\neg\mathsf{alloc}(\mathsf{x})$. Then $s(\mathsf{x})\notin\mathrm{dom}(h_1)$ and $s(\mathsf{x})\notin\mathrm{dom}(h_2)$. Since $h=h_1+h_2$, $\mathrm{dom}(h)=\mathrm{dom}(h_1)\cup\mathrm{dom}(h_2)$ and therefore $s(\mathsf{x})\notin\mathrm{dom}(h)$. We conclude that $(s,h)\models\neg\mathsf{alloc}(\mathsf{x})$.
Validity of $(\mathrm{A}^{\ast})$: $(\mathsf{alloc}(\mathsf{x})\wedge\neg\mathsf{x}\hookrightarrow\mathsf{y})\ast\top\Rightarrow\neg\mathsf{x}\hookrightarrow\mathsf{y}$. Suppose $(s,h)\models(\mathsf{alloc}(\mathsf{x})\wedge\neg\mathsf{x}\hookrightarrow\mathsf{y})\ast\top$. Then there is a subheap $h'\subseteq h$ such that $(s,h')\models\mathsf{alloc}(\mathsf{x})\wedge\neg\mathsf{x}\hookrightarrow\mathsf{y}$. Hence, $s(\mathsf{x})\in\mathrm{dom}(h')$ and $h'(s(\mathsf{x}))\neq s(\mathsf{y})$. As $h'\subseteq h$, we obtain $s(\mathsf{x})\in\mathrm{dom}(h)$ and $h(s(\mathsf{x}))\neq s(\mathsf{y})$, which by definition implies $(s,h)\models\neg\mathsf{x}\hookrightarrow\mathsf{y}$.
Validity of $(\mathrm{A}^{\ast})$: $\mathsf{alloc}(\mathsf{x})\Rightarrow(\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)\ast\top$. Suppose $(s,h)\models\mathsf{alloc}(\mathsf{x})$. Then $s(\mathsf{x})\in\mathrm{dom}(h)$. Let $h_1\stackrel{\mathrm{def}}{=}\{s(\mathsf{x})\mapsto h(s(\mathsf{x}))\}$. Trivially, $h_1\subseteq h$ and $(s,h_1)\models\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1$. We define $h_2$ as the unique heap such that $h_1+h_2=h$. Trivially, $(s,h_2)\models\top$. Hence, $(s,h)\models(\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)\ast\top$. The proof of the validity of the axiom $\neg\mathsf{emp}\Rightarrow\mathsf{size}=1\ast\top$ is similar, and therefore omitted herein.
Validity of $(\mathrm{A}^{\ast})$: $\neg\mathsf{size}\geq\beta_1\ast\neg\mathsf{size}\geq\beta_2\Rightarrow\neg\mathsf{size}\geq\beta_1+\beta_2\mathbin{\dot-}1$. Let $\beta_1,\beta_2\geq 0$. Suppose $(s,h)\models\neg\mathsf{size}\geq\beta_1\ast\neg\mathsf{size}\geq\beta_2$. Since $\mathsf{size}\geq 0$ is $\top$, the antecedent is unsatisfiable when $\beta_1=0$ or $\beta_2=0$; hence, the axiom is trivially valid in that case. In the sequel, $\beta_1,\beta_2\geq 1$. Then, there are two disjoint heaps $h_1,h_2$ such that $h_1+h_2=h$, $(s,h_1)\models\neg\mathsf{size}\geq\beta_1$ and $(s,h_2)\models\neg\mathsf{size}\geq\beta_2$. By definition of $\mathsf{size}$, $\mathrm{card}(\mathrm{dom}(h_1))\leq\beta_1-1$ and $\mathrm{card}(\mathrm{dom}(h_2))\leq\beta_2-1$. Since $\mathrm{dom}(h)=\mathrm{dom}(h_1)\cup\mathrm{dom}(h_2)$, we obtain $\mathrm{card}(\mathrm{dom}(h))\leq\beta_1+\beta_2-2$, which implies $(s,h)\models\neg\mathsf{size}\geq\beta_1+\beta_2\mathbin{\dot-}1$.
Validity of $(\mathrm{A}^{\ast})$: $\mathsf{alloc}(\mathsf{x})\wedge\mathsf{alloc}(\mathsf{y})\wedge\mathsf{x}\neq\mathsf{y}\Rightarrow\mathsf{size}\geq 2$. Suppose $(s,h)\models\mathsf{alloc}(\mathsf{x})\wedge\mathsf{alloc}(\mathsf{y})\wedge\mathsf{x}\neq\mathsf{y}$. By definition, $s(\mathsf{x})\neq s(\mathsf{y})$ and both $s(\mathsf{x})$ and $s(\mathsf{y})$ are in $\mathrm{dom}(h)$. Hence $\mathrm{card}(\mathrm{dom}(h))\geq 2$, which implies $(s,h)\models\mathsf{size}\geq 2$.
Validity of $(\mathrm{A}^{-\!\ast})$: $(\mathsf{size}=1\wedge\bigwedge_{\mathsf{x}\in X}\neg\mathsf{alloc}(\mathsf{x}))\mathbin{-\!\circledast}\top$. Let $X\subseteq_{\mathrm{fin}}\mathsf{VAR}$ and $(s,h)$ be a memory state. We write $s(X)$ to denote the set $\{s(\mathsf{x})\mid\mathsf{x}\in X\}$. Let $h'$ be a heap of size one such that $h'(\ell)=\ell$ for some $\ell\notin\mathrm{dom}(h)\cup s(X)$. Trivially $(s,h')\models\mathsf{size}=1\wedge\bigwedge_{\mathsf{x}\in X}\neg\mathsf{alloc}(\mathsf{x})$. Moreover $h\perp h'$ holds, hence $h+h'$ is defined and $(s,h+h')\models\top$. Then, $(s,h)\models(\mathsf{size}=1\wedge\bigwedge_{\mathsf{x}\in X}\neg\mathsf{alloc}(\mathsf{x}))\mathbin{-\!\circledast}\top$.
Validity of $(\mathrm{A}^{-\!\ast})$: $\neg\mathsf{alloc}(\mathsf{x})\Rightarrow((\mathsf{x}\hookrightarrow\mathsf{y}\wedge\mathsf{size}=1)\mathbin{-\!\circledast}\top)$. Suppose $(s,h)\models\neg\mathsf{alloc}(\mathsf{x})$. Let $h'$ be the heap of size one such that $h'(s(\mathsf{x}))=s(\mathsf{y})$. Trivially, $(s,h')\models\mathsf{x}\hookrightarrow\mathsf{y}\wedge\mathsf{size}=1$. Moreover, as $s(\mathsf{x})\notin\mathrm{dom}(h)$, $h\perp h'$ holds, hence $h+h'$ is defined and $(s,h+h')\models\top$. Then, $(s,h)\models(\mathsf{x}\hookrightarrow\mathsf{y}\wedge\mathsf{size}=1)\mathbin{-\!\circledast}\top$.
Validity of $(\mathrm{A}^{-\!\ast})$: $\neg\mathsf{alloc}(\mathsf{x})\Rightarrow((\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1\wedge\bigwedge_{\mathsf{y}\in X}\neg\mathsf{x}\hookrightarrow\mathsf{y})\mathbin{-\!\circledast}\top)$. Let $X\subseteq_{\mathrm{fin}}\mathsf{VAR}$ and suppose $(s,h)\models\neg\mathsf{alloc}(\mathsf{x})$. Let $h'$ be the heap of size one such that $h'(s(\mathsf{x}))=\ell$ where $\ell\notin s(X)$. Trivially, $(s,h')\models\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1\wedge\bigwedge_{\mathsf{y}\in X}\neg\mathsf{x}\hookrightarrow\mathsf{y}$. Moreover, as $s(\mathsf{x})\notin\mathrm{dom}(h)$, $h\perp h'$ holds, hence $h+h'$ is defined and $(s,h+h')\models\top$. Then, $(s,h)\models(\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1\wedge\bigwedge_{\mathsf{y}\in X}\neg\mathsf{x}\hookrightarrow\mathsf{y})\mathbin{-\!\circledast}\top$.

Figure 2: A proof of $\mathsf{emp}\Rightarrow\big((\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)-\!\ast\neg\mathsf{size}\geq 2\big)$.
1 $\mathsf{emp}\Rightarrow\neg\mathsf{size}\geq 1$   ($\neg\neg$I) and def. of $\mathsf{size}\geq 1$
2 $\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1\Rightarrow\neg\mathsf{size}\geq 2$   ($\wedge$Er)
3 $\mathsf{emp}\ast(\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)\Rightarrow\neg\mathsf{size}\geq 1\ast\neg\mathsf{size}\geq 2$   $\ast$-Ilr, 1, 2
4 $\neg\mathsf{size}\geq 1\ast\neg\mathsf{size}\geq 2\Rightarrow\neg\mathsf{size}\geq 2$   $(\mathrm{A}^{\ast})$
5 $\mathsf{emp}\ast(\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)\Rightarrow\neg\mathsf{size}\geq 2$   $\Rightarrow$-Tr, 3, 4
6 $\mathsf{emp}\Rightarrow\big((\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)-\!\ast\neg\mathsf{size}\geq 2\big)$   $\ast$-Adj, 5

Example 3.2.
To further familiarise with the axioms and the rules of $\mathcal{H}_{\mathrm{C}}(\ast,-\!\ast)$, in Figure 2 we present a proof of $\mathsf{emp}\Rightarrow\big((\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)-\!\ast\neg\mathsf{size}\geq 2\big)$. In the proof, a line "$j \mid \chi \quad A,\, i_1,\dots,i_k$" states that $\chi$ is a theorem denoted by the index $j$ and derivable by the axiom or the rule $A$. If $A$ is a rule, the indices $i_1,\dots,i_k<j$ denote the theorems used as premises in order to derive $\chi$. When a formula is obtained as a propositional tautology or by propositional reasoning from other formulae, we may write "PC" (short for Propositional Calculus). Similarly, we provide any useful piece of information justifying the derivation, such as "Ind. hypothesis", "See ..." or "Previously derived". In the example, we use the rule $\ast$-Adj, which together with the rule $-\!\ast$-Adj states that the connectives $\ast$ and $-\!\ast$ are adjoint operators, as well as the axiom $(\mathrm{A}^{\ast})$ about $\mathsf{size}$, stating that $\mathrm{card}(\mathrm{dom}(h))\leq\beta_1+\beta_2$ holds whenever a heap $h$ can be split into two subheaps whose domains have less than $\beta_1+\beta_2+\ldots$
The proof also uses the following theorems and rules:
($\wedge$Er) $\psi\wedge\varphi\Rightarrow\varphi$
($\neg\neg$I) $\varphi\Rightarrow\neg\neg\varphi$
$\Rightarrow$-Tr: $\dfrac{\varphi\Rightarrow\chi\qquad\chi\Rightarrow\psi}{\varphi\Rightarrow\psi}$
$\ast$-Ilr: $\dfrac{\varphi\Rightarrow\varphi'\qquad\psi\Rightarrow\psi'}{\varphi\ast\psi\Rightarrow\varphi'\ast\psi'}$
The first two theorems and the first rule are derivable by pure propositional reasoning. By way of example, we show that the inference rule $\ast$-Ilr is admissible.
1 $\varphi\Rightarrow\varphi'$   Hypothesis
2 $\psi\Rightarrow\psi'$   Hypothesis
3 $\varphi\ast\psi\Rightarrow\varphi'\ast\psi$   $\ast$-Intro, 1
4 $\psi\ast\varphi'\Rightarrow\psi'\ast\varphi'$   $\ast$-Intro, 2
5 $\varphi'\ast\psi\Rightarrow\psi\ast\varphi'$   $(\mathrm{A}^{\ast})$
6 $\psi'\ast\varphi'\Rightarrow\varphi'\ast\psi'$   $(\mathrm{A}^{\ast})$
7 $\varphi\ast\psi\Rightarrow\psi\ast\varphi'$   $\Rightarrow$-Tr, 3, 5
8 $\varphi\ast\psi\Rightarrow\varphi'\ast\psi'$   $\Rightarrow$-Tr twice, 7, 4, 6

Remark 3.3.
Note that an alternative proof of theorem 5 in Figure 2 consists in applying $\Rightarrow$-Tr to theorem 2 and $\mathsf{emp}\ast(\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1)\Rightarrow\mathsf{alloc}(\mathsf{x})\wedge\mathsf{size}=1$, which holds by the commutativity and $\mathsf{emp}$-unit axioms $(\mathrm{A}^{\ast})$.

Example 3.4.
In Figure 3, we develop the proof of $\mathrm{emp} \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} = \ )$ as a more complete example. We use the following theorems and rules:
$(-\!\ast\wedge\text{-DistrL})\ (\phi -\!\ast \psi) \wedge (\phi -\!\ast \chi) \Rightarrow (\phi -\!\ast \psi \wedge \chi)$
$(\wedge\top\mathrm{IL})\ \phi \Rightarrow \top \wedge \phi$
$\wedge$-InfL: from $\phi \Rightarrow \chi$ derive $\phi \wedge \psi \Rightarrow \chi \wedge \psi$
The rightmost axiom and the only rule are derivable by propositional reasoning. We show the admissibility of the axiom $(-\!\ast\wedge\text{-DistrL})$.
1 $\phi -\!\circledast (\psi \vee \chi) \Rightarrow (\phi -\!\circledast \psi) \vee (\phi -\!\circledast \chi)$ $(\mathrm{I}^{-\!\ast})$, Lemma 6.3
2 $\neg(\phi -\!\ast \neg(\psi \vee \chi)) \Rightarrow \neg(\phi -\!\ast \neg\psi) \vee \neg(\phi -\!\ast \neg\chi)$ Def. $-\!\circledast$, 1
3 $\neg(\phi -\!\ast \psi \wedge \chi) \Rightarrow \neg(\phi -\!\ast \psi) \vee \neg(\phi -\!\ast \chi)$ Replacement of equivalents, 2
4 $(\phi -\!\ast \psi) \wedge (\phi -\!\ast \chi) \Rightarrow (\phi -\!\ast \psi \wedge \chi)$ PC, 3
Main ingredients of the method.
Before showing completeness of $\mathcal{H}_C(\ast,-\!\ast)$, let us recall the key ingredients of the method we follow, not only to provide a vade mecum for axiomatising other separation logics (which, in the second part of [DLM20], we illustrate on the newly introduced logic $\mathrm{SL}(\ast, \exists{:}\text{ù})$), but also to identify the essential features and where variations are still possible. The Hilbert-style axiomatisation of $\mathrm{SL}(\ast,-\!\ast)$ shall culminate with Theorem 6.6, which states the adequateness of the proof system $\mathcal{H}_C(\ast,-\!\ast)$. In order to axiomatise $\mathrm{SL}(\ast,-\!\ast)$ internally, as already emphasised several times, the core formulae play an essential role. The main property of these formulae is that their Boolean combinations capture the full logic $\mathrm{SL}(\ast,-\!\ast)$ [Loz04a] and all the core formulae can be expressed in $\mathrm{SL}(\ast,-\!\ast)$.

1 $\top \ast (\mathrm{alloc}(x) \wedge \mathrm{size} = 1) \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1) \ast \top$ $(\mathrm{A}^{\ast})$
2 $\mathrm{alloc}(x) \wedge \mathrm{size} = 1 \Rightarrow \mathrm{size} \geq \ $ $(\wedge\mathrm{Er})$
3 $(\mathrm{alloc}(x) \wedge \mathrm{size} = 1) \ast \top \Rightarrow \mathrm{size} \geq \ \ast \top$ $\ast$-Intro, 2
4 $\mathrm{size} \geq \ \ast \top \Rightarrow \mathrm{size} \geq \ $ $(\mathrm{A}^{\ast})$ ($\mathrm{size} \geq \ \stackrel{\text{def}}{=} \mathrm{emp}$)
5 $\top \ast (\mathrm{alloc}(x) \wedge \mathrm{size} = 1) \Rightarrow \mathrm{size} \geq \ $ $\Rightarrow$-Tr twice, 1, 3, 4
6 $\top \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ )$ $\ast$-Adj, 5
7 $\mathrm{emp} \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ )$ See Example 3.2
8 $(\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ ) \Rightarrow \top \wedge (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ )$ $(\wedge\top\mathrm{IL})$
9 $\top \wedge (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ ) \Rightarrow \big((\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ ) \wedge (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ )\big)$ $\wedge$-InfL, 6
10 $\big((\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ ) \wedge (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ )\big) \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} = \ )$ $(-\!\ast\wedge\text{-DistrL})$ + Def. $\mathrm{size}$
11 $(\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} \geq \ ) \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} = \ )$ $\Rightarrow$-Tr twice, 8, 9, 10
12 $\mathrm{emp} \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} = \ )$ $\Rightarrow$-Tr, 7, 11
(recall that $\mathrm{size} = \beta$ is a shortcut for $\mathrm{size} \geq \beta \wedge \neg(\mathrm{size} \geq \beta + 1)$)
Figure 3: A proof of $\mathrm{emp} \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1 -\!\ast\ \mathrm{size} = \ )$.
Generally speaking, our axiom system naturally leads to a form of constructive completeness, as advocated in [Dou17, Lüc18]: the axiomatisation provides proof-theoretical means to transform any formula into an equivalent Boolean combination of core formulae, and it also contains a part dedicated to the derivation of valid Boolean combinations of core formulae (understood as a syntactical fragment of $\mathrm{SL}(\ast,-\!\ast)$). What is specific to each logic is the design of the set of core formulae and, in the case of $\mathrm{SL}(\ast,-\!\ast)$, this was already known since [Loz04a]. Derivations in the proof system $\mathcal{H}_C(\ast,-\!\ast)$ shall simulate the bottom-up elimination of separating connectives (see forthcoming Lemmata 5.5 and 6.2) when the arguments are two Boolean combinations of core formulae. To do so, $\mathcal{H}_C(\ast,-\!\ast)$ contains axiom schemas that perform such an elimination in multiple “small-step” derivations, e.g. by deriving a single $\mathrm{alloc}(x)$ predicate from $\mathrm{alloc}(x) \ast \top$ (with forthcoming intermediate axiom $(\mathrm{I}^{\ast})$). Alternatively, it would have been possible to include “big-step” axiom schemas that, given the two Boolean combinations of core formulae, derive the equivalent formula in one single derivation step (see e.g. [EIP19]). The main difference is that small-step axioms provide a simpler understanding of the key properties of the logic.

$(\mathrm{A}^{C})\ x = x$
$(\mathrm{A}^{C})\ \phi \wedge x = y \Rightarrow \phi[y \leftarrow x]$
$(\mathrm{A}^{C})\ x \hookrightarrow y \Rightarrow \mathrm{alloc}(x)$
$(\mathrm{A}^{C})\ x \hookrightarrow y \wedge x \hookrightarrow z \Rightarrow y = z$
$(\mathrm{I}^{C})\ \mathrm{size} \geq \beta + 1 \Rightarrow \mathrm{size} \geq \beta$
$(\mathrm{I}^{C})\ \bigwedge_{x \in X}\big(\mathrm{alloc}(x) \wedge \bigwedge_{y \in X \setminus \{x\}} x \neq y\big) \Rightarrow \mathrm{size} \geq \mathrm{card}(X)$
Figure 4: Proof system $\mathcal{H}_C$ for Boolean combinations of core formulae.

4. A simple calculus for the core formulae
To axiomatise $\mathrm{SL}(\ast,-\!\ast)$, we start by introducing the proof system $\mathcal{H}_C$ dedicated to Boolean combinations of core formulae, see Figure 4. As explained earlier, it also contains the axiom schemata and modus ponens for the propositional calculus. Moreover, the axioms whose name is of the form $\mathrm{A}^{C}_i$ are axioms that remain in the global system for $\mathrm{SL}(\ast,-\!\ast)$, whereas those named $\mathrm{I}^{C}_i$ are intermediate axioms that are removed when considering the axioms dealing with the separating connectives. As explained before, the intermediate axioms are handy to establish results about the axiomatisation of Boolean combinations of core formulae but are not needed when all the axioms and rules of $\mathcal{H}_C(\ast,-\!\ast)$ are considered. In the axiom $(\mathrm{A}^{C})$, $\phi[y \leftarrow x]$ stands for the formula obtained from $\phi$ by replacing with the variable $x$ every occurrence of $y$. Let $(s,h)$ be a memory state. The axioms state that $=$ is an equivalence relation (first two axioms), that $h(s(x)) = s(y)$ implies $s(x) \in \mathrm{dom}(h)$ (axiom $(\mathrm{A}^{C})$) and that $h$ is a (partial) function (axiom $(\mathrm{A}^{C})$). Furthermore, there are two intermediate axioms about size formulae: $(\mathrm{I}^{C})$ states that if $\mathrm{dom}(h)$ has at least $\beta + 1$ elements then it has at least $\beta$ elements, whereas $(\mathrm{I}^{C})$ states instead that if there are $\beta$ distinct memory cells corresponding to program variables, then indeed $\mathrm{card}(\mathrm{dom}(h)) \geq \beta$. It is easy to check that $\mathcal{H}_C$ is sound (see also Lemma 3.1). In order to establish its completeness with respect to Boolean combinations of core formulae, we first show that $\mathcal{H}_C$ is complete for a subclass of Boolean combinations of core formulae, namely for the core types defined below. Then, we show that every formula in $\mathrm{Bool}(\mathrm{Core}(X,\alpha))$ is provably equivalent to a disjunction of core types (Lemma 4.3). Introduction to core types.
Let $X \subseteq_{\mathrm{fin}} \mathrm{VAR}$ and $\alpha \in \mathbb{N}^{+}$. We write $\mathrm{CoreTypes}(X,\alpha)$ to denote the set of core types defined by
$\{\phi \in \mathrm{Conj}(\mathrm{Core}(X,\alpha)) \mid \text{for all } \psi \in \mathrm{Core}(X,\alpha),\ \{\psi \mid \neg\psi\} \subseteq_{\mathrm{Lt}} \phi \text{ and not } (\psi \wedge \neg\psi) \subseteq_{\mathrm{Lt}} \phi\}$.
Note that if $\phi \in \mathrm{CoreTypes}(X,\alpha)$, then $\phi$ is a conjunction such that for every $\psi \in \mathrm{Core}(X,\alpha)$ there is exactly one literal in $\phi$ built upon $\psi$.
Lemma 4.1 (Refutational completeness). Let $\phi \in \mathrm{CoreTypes}(X,\alpha)$ with $\alpha \geq \mathrm{card}(X)$. We have: $\neg\phi$ is valid iff $\vdash_{\mathcal{H}_C} \neg\phi$.
Proof. We show that $\phi$ is unsatisfiable if and only if $\vdash_{\mathcal{H}_C} \neg\phi$. The “only if” part follows from the soundness of $\mathcal{H}_C$, so we prove the “if” part. Let $\phi \in \mathrm{CoreTypes}(X,\alpha)$ be such that $\nvdash_{\mathcal{H}_C} \phi \Rightarrow \bot$, and let us prove that $\phi$ is satisfiable. By the axioms $(\mathrm{A}^{C})$ and $(\mathrm{A}^{C})$, there is an equivalence relation $\approx$ on $X$ such that $x \approx y$ iff $x = y$ occurs positively in $\phi$. We write $[x]$ to denote the equivalence class of $x$ with respect to $\approx$. By the axioms $(\mathrm{A}^{C})$ and $(\mathrm{A}^{C})$, there is a partial map $f : (X/{\approx}) \to (X/{\approx})$ on equivalence classes such that $x \hookrightarrow y$ occurs positively iff $f([x])$ is defined and $f([x]) = [y]$. Let $D = \{[x] \mid \mathrm{alloc}(x) \text{ occurs positively in } \phi\}$. By the axiom $(\mathrm{A}^{C})$, $\mathrm{dom}(f) \subseteq D$. Let $n = \mathrm{maxsize}(\phi)$. We recall that, by definition of $\mathrm{maxsize}(.)$, $n$ is the greatest $\beta$ such that $\mathrm{size} \geq \beta$ occurs positively in $\phi$.
Let us show that $n \geq \mathrm{card}(D)$. Ad absurdum, suppose that $n < \mathrm{card}(D)$. By the axiom $(\mathrm{I}^{C})$, $\vdash_{\mathcal{H}_C} \phi \Rightarrow \mathrm{size} \geq \mathrm{card}(D)$ and, by definition of $n$ and the fact that $\alpha \geq \mathrm{card}(X) \geq \mathrm{card}(D)$, $\vdash_{\mathcal{H}_C} \phi \Rightarrow \mathrm{size} \geq n$ and $\vdash_{\mathcal{H}_C} \phi \Rightarrow \neg(\mathrm{size} \geq (n+1))$, since both $\mathrm{size} \geq n$ and $(\mathrm{size} \geq (n+1))$ (possibly negated) occur in $\phi$ as $\alpha \geq \mathrm{card}(X)$. By using the axiom $(\mathrm{I}^{C})$ and propositional reasoning, we can get that $\vdash_{\mathcal{H}_C} \phi \Rightarrow \neg(\mathrm{size} \geq \mathrm{card}(D))$ since $\vdash_{\mathcal{H}_C} \phi \Rightarrow \neg(\mathrm{size} \geq (n+1))$, which leads to a contradiction. Consequently, we have $n \geq \mathrm{card}(D)$. Let $\ell_0, \ell_1, \ldots, \ell_n \in \mathrm{LOC}$ be $n+1$ locations and let $C_1, \ldots, C_{\mathrm{card}(D)}$ be an enumeration on the equivalence classes of $\approx$. Let $(s,h)$ be defined by
• $s(x) \stackrel{\text{def}}{=} \ell_i$ if $[x]$ is the $i$th equivalence class $C_i$,
• $h(\ell_i) \stackrel{\text{def}}{=} \ell_j$ if $0 < i \leq \mathrm{card}(D)$ and the $i$th equivalence class is mapped to the $j$th one by $f$,
• $h(\ell_i) \stackrel{\text{def}}{=} \ell_0$ if either $0 < i \leq \mathrm{card}(D)$ and the $i$th equivalence class is not in the domain of $f$, or $i > \mathrm{card}(D)$.
Then, by construction, $(s,h)$ satisfies all positive literals of the form $x = y$ or $x \hookrightarrow y$ or $\mathrm{alloc}(x)$ that occur positively in $\phi$, and all negative literals that occur in $\phi$. It also satisfies $\mathrm{size} \geq n$, falsifies $\mathrm{size} \geq n+1$ ($n+1 \leq \alpha$), and by the axiom $(\mathrm{I}^{C})$ it satisfies all size literals in $\phi$.
By classical reasoning, one can show that every $\phi \in \mathrm{Bool}(\mathrm{Core}(X,\alpha))$ is provably equivalent to a disjunction of core types. Together with Lemma 4.1, this implies that $\mathcal{H}_C$ is adequate with respect to the propositional logic of core formulae.
Theorem 4.2 (Adequacy). A Boolean combination of core formulae $\phi$ is valid iff $\vdash_{\mathcal{H}_C} \phi$.
In order to prove Theorem 4.2, let us first establish the following simple lemma.
Lemma 4.3 (Core Types Lemma). Let $\phi \in \mathrm{Bool}(\mathrm{Core}(X,\alpha))$. There is a disjunction $\psi = \psi_1 \vee \ldots \vee \psi_n$ with $\psi_i \in \mathrm{CoreTypes}(X, \max(\mathrm{card}(X), \alpha))$ for all $i$ such that $\vdash_{\mathcal{H}_C} \phi \Leftrightarrow \psi$.
Proof. Let $\psi_1 \vee \ldots \vee \psi_n$ be a formula in disjunctive normal form logically equivalent to $\phi$. If $\psi_i$ is not a core type in $\mathrm{CoreTypes}(X, \max(\mathrm{card}(X), \alpha))$, there is a core formula $\chi \in \mathrm{Core}(X, \max(\mathrm{card}(X), \alpha))$ that occurs neither positively nor negatively in $\psi_i$. Replacing $\psi_i$ with $(\psi_i \wedge \chi) \vee (\psi_i \wedge \neg\chi)$, and repeating this for all missing core formulae and for all $i$, we obtain a disjunction of core types of the expected form. Since all equivalences follow from pure propositional reasoning, the equivalence between $\phi$ and the obtained formula can be proved in $\mathcal{H}_C$.
Proof. (Theorem 4.2) Let $\phi$ be a Boolean combination of core formulae in $\mathrm{CoreTypes}(X,\alpha)$ for some $X$ and $\alpha$. As all the axioms are valid (Lemma 3.1), $\vdash_{\mathcal{H}_C} \phi$ implies that $\phi$ is valid. Let us assume that $\phi$ is valid, and let us prove that $\vdash_{\mathcal{H}_C} \phi$. By Lemma 4.3, there is a disjunction $\psi = \phi_1 \vee \ldots \vee \phi_n$ of core types in $\mathrm{CoreTypes}(X, \max(\mathrm{card}(X), \alpha))$ such that $\vdash_{\mathcal{H}_C} (\neg\phi) \Leftrightarrow \psi$. As $\phi$ is valid, the formulae $\neg\phi$, $\psi$ and all the $\phi_i$'s are unsatisfiable. By Lemma 4.1, $\vdash_{\mathcal{H}_C} \phi_i \Rightarrow \bot$ for all $i$. By propositional reasoning, $\vdash_{\mathcal{H}_C} \phi$.

$(\mathrm{A}^{\ast})\ (\phi \ast \psi) \Leftrightarrow (\psi \ast \phi)$
$(\mathrm{A}^{\ast})\ (\phi \ast \psi) \ast \chi \Leftrightarrow \phi \ast (\psi \ast \chi)$
$(\mathrm{I}^{\ast})\ (\phi \vee \psi) \ast \chi \Rightarrow (\phi \ast \chi) \vee (\psi \ast \chi)$
$(\mathrm{I}^{\ast})\ (\bot \ast \phi) \Leftrightarrow \bot$
$(\mathrm{A}^{\ast})\ \phi \Leftrightarrow \phi \ast \mathrm{emp}$
$(\mathrm{I}^{\ast})\ \mathrm{alloc}(x) \ast \top \Rightarrow \mathrm{alloc}(x)$
$(\mathrm{A}^{\ast})\ (\mathrm{alloc}(x) \ast \mathrm{alloc}(x)) \Leftrightarrow \bot$
$\ast$-Intro: from $\phi \Rightarrow \chi$ derive $\phi \ast \psi \Rightarrow \chi \ast \psi$
$(\mathrm{A}^{\ast})\ e \ast \top \Rightarrow e$ where $e \in \{\neg\mathrm{emp},\ x = y,\ x \neq y,\ x \hookrightarrow y\}$
$(\mathrm{A}^{\ast})\ \neg\mathrm{alloc}(x) \ast \neg\mathrm{alloc}(x) \Rightarrow \neg\mathrm{alloc}(x)$
$(\mathrm{A}^{\ast})\ (\mathrm{alloc}(x) \wedge \neg x \hookrightarrow y) \ast \top \Rightarrow \neg x \hookrightarrow y$
$(\mathrm{A}^{\ast})\ \mathrm{alloc}(x) \Rightarrow (\mathrm{alloc}(x) \wedge \mathrm{size} = 1) \ast \top$
$(\mathrm{A}^{\ast})\ \neg\mathrm{emp} \Rightarrow \mathrm{size} = 1 \ast \top$
$(\mathrm{A}^{\ast})\ \mathrm{size} \geq \beta_1 \ast \mathrm{size} \geq \beta_2 \Rightarrow \mathrm{size} \geq \beta_1 + \beta_2$
$(\mathrm{A}^{\ast})\ \neg\mathrm{size} \geq \beta_1 \ast \neg\mathrm{size} \geq \beta_2 \Rightarrow \neg\mathrm{size} \geq \beta_1 + \beta_2 \mathbin{\dot{-}} 1$
$(\mathrm{A}^{\ast})\ \mathrm{alloc}(x) \wedge \mathrm{alloc}(y) \wedge x \neq y \Rightarrow \mathrm{size} \geq 2$
(where $a \mathbin{\dot{-}} b = \max(0, a - b)$)
Figure 5: Additional axioms and rule for $\mathcal{H}_C(\ast)$.

5. Axiomatisation for $\mathrm{SL}(\ast,\mathrm{alloc})$
We write $\mathrm{SL}(\ast,\mathrm{alloc})$ to denote the fragment of $\mathrm{SL}(\ast,-\!\ast)$ in which the separating implication is removed at the price of adding the atomic formulae of the form $\mathrm{alloc}(x)$. We define a Hilbert-style axiomatisation for $\mathrm{SL}(\ast,\mathrm{alloc})$, obtained by enriching $\mathcal{H}_C$ with axioms and one inference rule that handle the separating conjunction $\ast$, leading to the proof system $\mathcal{H}_C(\ast)$. Fundamentally, as we now work within $\mathrm{SL}(\ast,\mathrm{alloc})$, the core formula $\mathrm{size} \geq \beta$ can be encoded in the logic. According to its definition, given in Section 2.2, we have $\mathrm{size} \geq 0 \stackrel{\text{def}}{=} \top$, $\mathrm{size} \geq 1 \stackrel{\text{def}}{=} \neg\mathrm{emp}$ and $\mathrm{size} \geq \beta + 1 \stackrel{\text{def}}{=} \neg\mathrm{emp} \ast \mathrm{size} \geq \beta$. The schemata added to $\mathcal{H}_C$ in order to define $\mathcal{H}_C(\ast)$ are presented in Figure 5. Their soundness has been proved in Lemma 3.1, with the exception of the three intermediate axioms $(\mathrm{I}^{\ast})$, $(\mathrm{I}^{\ast})$ and $(\mathrm{I}^{\ast})$, which are used for the completeness of $\mathcal{H}_C(\ast)$ with respect to $\mathrm{SL}(\ast,\mathrm{alloc})$, but are discharged from the proof system for $\mathrm{SL}(\ast,-\!\ast)$ (Figure 1), as they become derivable (Lemma 6.1).
Lemma 5.1. $\mathcal{H}_C(\ast)$ is sound.
Proof. The axioms $(\mathrm{I}^{\ast})$ and $(\mathrm{I}^{\ast})$ are inherited from Boolean BI (see [BV14] and [GLW06, Section 2]). The soundness of $(\mathrm{I}^{\ast})$ is straightforward. Indeed, suppose $(s,h) \models \mathrm{alloc}(x) \ast \top$. So, there is $h' \subseteq h$ such that $(s,h') \models \mathrm{alloc}(x)$. By definition of $\mathrm{alloc}(x)$, $s(x) \in \mathrm{dom}(h')$. By $h' \subseteq h$, $s(x) \in \mathrm{dom}(h)$. We conclude that $(s,h) \models \mathrm{alloc}(x)$.
Let us look further at the axioms in Figure 5. The axioms deal with the commutative monoid properties of $(\ast, \mathrm{emp})$ and its distributivity over $\vee$ (as for Boolean BI, see e.g. [GLW06]). The rule $\ast$-Intro, sometimes called “frame rule” by analogy with the rule of the same name in program logic, states that logical equivalence is a congruence for $\ast$. $\mathcal{H}_C(\ast)$ is designed with the idea of being as simple as possible. On one side, this helps understanding the key ingredients of $\mathrm{SL}(\ast,\mathrm{alloc})$. On the other side, this makes the proof of completeness of $\mathcal{H}_C(\ast)$ more challenging. To work towards this proof while familiarising with the new axioms, we first show a set of intermediate theorems. Lemma 5.2.
The following rules and axioms are admissible in H C p˚q : (I ˚ . . ) Given „P t“ , ‰u , x „ y ^ p ϕ ˚ ψ q ñ p ϕ ^ x „ y q ˚ ψ . (I ˚ . . ) x “ y ^ pp ϕ ^ alloc p x qq ˚ ψ q ñ p ϕ ^ alloc p y qq ˚ ψ . (I ˚ . . ) p ϕ ^ alloc p x qq ˚ ψ ñ ϕ ˚ p ψ ^ alloc p x qq . XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 15 (I ˚ . . ) alloc p x q ^ p ϕ ˚ ψ q ñ p ϕ ^ alloc p x qq ˚ ψ . (I ˚ . . ) alloc p x q ^ p ϕ ˚ p alloc p x q ^ ψ qq ñ p ϕ ^ alloc p x qq ˚ p alloc p x q ^ ψ q (I ˚ . . ) x ã Ñ y ^ pp ϕ ^ alloc p x qq ˚ ψ q ñ p ϕ ^ x ã Ñ y q ˚ ψ . (I ˚ . . ) x ã Ñ y ^ p ϕ ˚ ψ q ñ p ϕ ^ x ã Ñ y q ˚ ψ .Proof of ( I ˚ . . ) . ϕ ñ p ϕ ^ x „ y q _ p ϕ ^ x „ y q PC2 ϕ ˚ ψ ñ pp ϕ ^ x „ y q _ p ϕ ^ x „ y qq ˚ ψ ˚ -Intro , 13 pp ϕ ^ x „ y q_ p ϕ ^ x „ y qq ˚ ψ ñ pp ϕ ^ x „ y q ˚ ψ q_pp ϕ ^ x „ y q ˚ ψ q (I ˚ ) ϕ ^ x „ y ñ x „ y PC5 ψ ñ J PC6 p ϕ ^ x „ y q ˚ ψ ñ p x „ y q ˚ J ˚ -Ilr , 4, 57 p x „ y q ˚ J ñ x „ y (A ˚ ) p ϕ ^ x „ y q ˚ ψ ñ x „ y ñ -Tr , 6, 79 pp ϕ ^ x „ y q ˚ ψ q _ pp ϕ ^ x „ y q ˚ ψ q ñ pp ϕ ^ x „ y q ˚ ψ q _ x „ y
8, PC10 ϕ ˚ ψ ñ pp ϕ ^ x „ y q ˚ ψ q _ x „ y ñ -Tr , 2, 3, 911 x „ y ^ p ϕ ˚ ψ q ñ p ϕ ^ x „ y q ˚ ψ
10, PC
Proof of ( I ˚ . . ) . alloc p x q ^ x “ y ñ alloc p y q (A C ) x “ y ^ pp ϕ ^ alloc p x qq ˚ ψ q ñ pp ϕ ^ alloc p x q ^ x “ y q ˚ ψ q (I ˚ . . ) p ϕ ^ alloc p x q ^ x “ y q ˚ ψ ñ p ϕ ^ alloc p y qq ˚ ψ PC, ˚ -Intro , 14 x “ y ^ pp ϕ ^ alloc p x qq ˚ ψ q ñ p ϕ ^ alloc p y qq ˚ ψ ñ -Tr , 2, 3 Proof of ( I ˚ . . ) . ψ ñ p ψ ^ alloc p x qq _ p ψ ^ alloc p x qq PC2 p ϕ ^ alloc p x qq ˚ ψ ñp ϕ ^ alloc p x qq ˚ pp ψ ^ alloc p x qq _ p ψ ^ alloc p x qqq (A ˚ ) , ˚ -Intro , 13 p ϕ ^ alloc p x qq ˚ pp ψ ^ alloc p x qq _ p ψ ^ alloc p x qqq ñpp ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qqq _ pp ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qqq (A ˚ ) , (I ˚ ) , 24 χ ^ alloc p x q ñ alloc p x q p χ P t ϕ, ψ uq , PC5 p ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qq ñ alloc p x q ˚ alloc p x q ˚ -Ilr , 46 alloc p x q ˚ alloc p x q ñK (A ˚ ) p ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qq ñK ñ -Tr , 5, 6 p ϕ ^ alloc p x qq ˚ ψ ñ K _pp ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qqq PC, 2, 3, 79 p ϕ ^ alloc p x qq ˚ ψ ñ p ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qq PC, 810 ϕ ^ alloc p x q ñ ϕ PC11 p ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qq ñ ϕ ˚ p ψ ^ alloc p x qq ˚ -Intro , 1012 p ϕ ^ alloc p x qq ˚ ψ ñ ϕ ˚ p ψ ^ alloc p x qq ñ -Tr , 9, 11 Proof of ( I ˚ . . ) . ϕ ñ p ϕ ^ alloc p x qq _ p ϕ ^ alloc p x qq PC2 ϕ ˚ ψ ñ ` p ϕ ^ alloc p x qq _ p ϕ ^ alloc p x qq ˘ ˚ ψ ˚ -Intro , 13 ` p ϕ ^ alloc p x qq _ p ϕ ^ alloc p x qq ˘ ˚ ψ ñpp ϕ ^ alloc p x qq ˚ ψ q _ pp ϕ ^ alloc p x qq ˚ ψ q (I ˚ ) ϕ ^ alloc p x q ñ alloc p x q PC5 ψ ñ J PC6 p ϕ ^ alloc p x qq ˚ ψ ñ p alloc p x q ˚ Jq ˚ -Ilr , 4, 57 alloc p x q ˚ J ñ alloc p x q (I ˚ ) ϕ ˚ ψ ñ alloc p x q _ pp ϕ ^ alloc p x qq ˚ ψ q PC, 2, 3, 6, 79 alloc p x q ^ p ϕ ˚ ϕ q ñ p ϕ ^ alloc p x qq ˚ ψ PC, 8
Proof of ( I ˚ . . ) . ϕ ñ p ϕ ^ alloc p x qq _ p ϕ ^ alloc p x qq PC2 ϕ ˚ p alloc p x q ^ ψ q ñpp ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qqq _ pp ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qqq ˚ -Intro , 1, (I ˚ ) χ ^ alloc p x q ñ alloc p x q p χ P t ϕ, ψ uq , PC4 p ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qq ñ alloc p x q ˚ alloc p x q PC, ˚ -Ilr , 35 alloc p x q ˚ alloc p x q ñ alloc p x q (A ˚ ) ϕ ˚ p alloc p x q ^ ψ q ñ pp ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qqq _ alloc p x q PC, 2, 4, 57 alloc p x q ^ p ϕ ˚ p alloc p x q ^ ψ qq ñ p ϕ ^ alloc p x qq ˚ p ψ ^ alloc p x qq PC, 6
Proof of ( I ˚ . . ) . ϕ ^ alloc p x q ñ p ϕ ^ alloc p x q ^ x ã Ñ y q _ p ϕ ^ alloc p x q ^ x ã Ñ y q PC2 p ϕ ^ alloc p x qq ˚ ψ ñ ` p ϕ ^ alloc p x q ^ x ã Ñ y q _ p ϕ ^ alloc p x q ^ x ã Ñ y q ˘ ˚ ψ ˚ -Intro , 13 p ϕ ^ alloc p x qq ˚ ψ ñpp ϕ ^ alloc p x q ^ x ã Ñ y q ˚ ψ q _ pp ϕ ^ alloc p x q ^ x ã Ñ y q ˚ ψ q (I ˚ ) , ñ -Tr , 2 XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 17 ϕ ^ alloc p x q ^ x ã Ñ y ñ alloc p x q ^ x ã Ñ y PC5 ψ ñ J PC6 p ϕ ^ alloc p x q ^ x ã Ñ y q ˚ ψ ñ p alloc p x q ^ x ã Ñ y q ˚ J ˚ -Ilr p alloc p x q ^ x ã Ñ y q ˚ J ñ x ã Ñ y (A ˚ ) p ϕ ^ alloc p x qq ˚ ψ ñ pp ϕ ^ alloc p x q ^ x ã Ñ y q ˚ ψ q _ x ã Ñ y PC, 3, 6, 79 x ã Ñ y ^ pp alloc p x q ^ ϕ q ˚ ψ q ñ p ϕ ^ alloc p x q ^ x ã Ñ y q ˚ ψ PC, 810 ϕ ^ alloc p x q ^ x ã Ñ y ñ ϕ ^ x ã Ñ y PC11 p ϕ ^ alloc p x q ^ x ã Ñ y q ˚ ψ ñ p ϕ ^ x ã Ñ y q ˚ ψ ˚ -Intro , 1012 x ã Ñ y ^ pp alloc p x q ^ ϕ q ˚ ψ q ñ p ϕ ^ x ã Ñ y q ˚ ψ ñ -Tr , 9, 11 Proof of ( I ˚ . . ) . Similar to the proof of (I ˚ . . ) , by replacing alloc p x q with x ã Ñ y . ϕ ñ p ϕ ^ x ã Ñ y q _ p ϕ ^ x ã Ñ y q PC2 ϕ ˚ ψ ñ pp ϕ ^ x ã Ñ y q ˚ ψ q _ pp ϕ ^ x ã Ñ y q ˚ ψ q ˚ -Intro , 1, (I ˚ ) ϕ ^ x ã Ñ y ñ x ã Ñ y PC4 ψ ñ J PC5 p ϕ ^ x ã Ñ y q ˚ ψ ñ p x ã Ñ y ˚ Jq ˚ -Ilr , 3, 46 x ã Ñ y ˚ J ñ x ã Ñ y (A ˚ ) ϕ ˚ ψ ñ x ã Ñ y _ pp ϕ ^ x ã Ñ y q ˚ ψ q PC, 2, 5, 68 x ã Ñ y ^ p ϕ ˚ ψ q ñ p ϕ ^ x ã Ñ y q ˚ ψ PC, 7 In H C p˚q , the axioms (I C ) and (I C ) of H C are superfluous and can be removed. Indeed,notice that both axioms do not appear in the proof system H C p˚ , ´˚q given in Figure 1. Lemma 5.3.
The axioms ( I C ) and ( I C ) are derivable in H C p˚q .Proof of ( I C ) . The proof is by induction on β . base case: β “ : The instance of the axiom (I C ) with β “ size ě ñ size ě
0. By definition size ě “ emp and size ě “ J , andtherefore, by propositional reasoning, $ H C p˚q size ě ñ size ě induction step: β ą : By induction hypothesis, assume $ H C p˚q size ě β ñ size ě β ´
1. The formula size ě β ` ñ size ě β is derived as follows: size ě β ñ size ě β ´ p size ě β q ˚ emp ñ p size ě β ´ q ˚ emp ˚ -Intro , 13 size ě β ` ñ size ě β
2, def. of size
Before proving (I C ) , we derive the following intermediate theorem. Let X Ď fin VAR . (I ´˚ . . ) Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñ p ˚ x P X p alloc p x q ^ size “ qq ˚ J Proof of ( I ´˚ . . ) . The proof is by induction on the size of X . We distinguish two base cases,for card p X q “ p X q “ base case: card p X q “ : In this case, (I ´˚ . . ) is J ñ J ˚ J . emp ñ J PC2
J ñ J ˚ emp (A ˚ ) J ˚ emp ñ emp ˚ J (A ˚ ) emp ˚ J ñ J ˚ J ˚ -Intro , 15 J ñ J ˚ J ñ -Tr , 2, 3, 4 base case: card p X q “ : In this case, (I ´˚ . . ) is exactly (A ˚ ) . induction step: card p X q ě : Let z P X . By induction hypothesis, $ H C p˚q Ź u P X zt z u p alloc p x q ^ Ź v P X zt u , z u u ‰ v q ñ p ˚ u P X zt z u p alloc p u q ^ size “ qq ˚ J . We write χ for the premise Ź u P X zt z u p alloc p x q ^ Ź v P X zt u , z u u ‰ v q above. Below, we aimfor a proof of $ H C p˚q Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñ p alloc p z q ^ size “ q ˚ χ. In this way, the provability of (I ´˚ . . ) follows directly by induction hypothesis togetherwith (A ˚ ) and ˚ -Intro . We have Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñ p alloc p z q ^ size “ q ˚ J (A ˚ ) and PC2 J ñ χ _ χ PC3 p alloc p z q ^ size “ q ˚ J ñ p alloc p z q ^ size “ q ˚ p χ _ χ q ˚ -Intro , (A ˚ ) , 24 p alloc p z q ^ size “ q ˚ p χ _ χ q ñpp alloc p z q ^ size “ q ˚ χ q _ pp alloc p z q ^ size “ q ˚ χ q (A ˚ ) and (I ˚ ) Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñpp alloc p z q ^ size “ q ˚ χ q _ pp alloc p z q ^ size “ q ˚ χ q ñ -Tr
1, 3, 4
By propositional reasoning, χ is propositionally equivalent to Ž u P X zt z u p alloc p x q _ Ž v P X zt u , z u u “ v q . Due to the complexity of this formula, we proceed now rather infor-mally, but our arguments entail the existence of a proper derivation. We aim at showingthat $ H C p˚q ľ x P X p alloc p x q ^ ľ y P X zt x u x ‰ y q ^ pp alloc p z q ^ size “ q ˚ χ q ñK . ( : )By propositional calculus and (I ˚ ) , we can distribute conjunctions and separating con-junctions over disjunctions. We derive: $ H C p˚q ľ x P X p alloc p x q ^ ľ y P X zt x u x ‰ y q ^ pp alloc p z q ^ size “ q ˚ χ q ñ γ _ γ , XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 19 where γ and γ are defined, respectively, as Ž u P X zt z u ´Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ^ pp alloc p z q ^ size “ q ˚ alloc p u qq ¯ , Ž u P X zt z u v P X zt z , u u ´ Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ^ pp alloc p z q ^ size “ q ˚ u “ v q ¯ . In order to deduce ( : ) it is sufficient to prove, in H C p˚q , that every disjunct of γ and γ implies K . Clearly, if γ and γ do not have any disjunct, i.e. when X zt z u is empty, thenthe formula is propositionally equivalent to K , which allows us to conclude ( : ). Otherwise,let us consider each disjunct in γ and γ (separately), and prove their inconsistency. case: γ : Let u P X zt z u . We show the inconsistency of γ def “ Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ^ pp alloc p z q ^ size “ q ˚ alloc p u qq . Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñ alloc p u q ^ u ‰ z PC7 γ ñ alloc p u q ^ u ‰ z ^ pp alloc p z q ^ size “ q ˚ alloc p u qq PC8 alloc p u q ^ pp alloc p z q ^ size “ q ˚ alloc p u qq ñpp alloc p z q ^ size “ ^ alloc p u qq ˚ alloc p u qq (I ˚ . . ) u ‰ z ^ pp alloc p z q ^ size “ ^ alloc p u qq ˚ alloc p u qq ñpp alloc p z q ^ size “ ^ alloc p u q ^ u ‰ z q ˚ alloc p u qq (I ˚ . . 
) alloc p z q ^ alloc p u q ^ u ‰ z ñ size ě (A ˚ ) size “ ñ size ě alloc p z q ^ size “ ^ alloc p u q ^ u ‰ z ñK ñ -Tr , PC, 10, 1113 γ ñ p alloc p z q ^ size “ ^ alloc p u q ^ u ‰ z q ˚ alloc p u q PC, 7, 8, 914 p alloc p z q ^ size “ ^ alloc p u q ^ u ‰ z q ˚ alloc p u q ñ K ˚ alloc p u q ˚ -Intro , 1215 K ˚ alloc p u q ñK (I ˚ ) , 1416 γ ñK PC, 13, 15
Since γ is an arbitrary disjunct appearing in γ , we conclude that $ H C p˚q γ ñK . case: γ : Let u P X zt z u and v P X zt z , v u . Notice that if u or v do not exist, then γ isdefined as K and so the proof is complete. Otherwise, we show the inconsistency of p γ def “ Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ^ pp alloc p z q ^ size “ q ˚ u “ v q . Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñ u ‰ v PC18 alloc p z q ^ size “ ñ J PC19 p alloc p z q ^ size “ q ˚ u “ v ñ u “ v ˚ J ˚ -Intro , 18, (A ˚ ) u “ v ˚ J ñ u “ v (A ˚ ) pp alloc p z q ^ size “ q ˚ u “ v q ñ u “ v ñ -Tr , 19, 20 ľ x „ y Ď Lt t ϕ | ψ u ˇˇ „P t“ , ‰u ( ^ ľ t alloc p x q Ď Lt t ϕ | ψ uu ^ ľ t alloc p x q Ď Lt t ϕ ; ψ uu ^ ľ x ã Ñ y ˇˇ alloc p x q ^ x ã Ñ y Ď Lt t ϕ | ψ u ( ^ ľ x ‰ x ˇˇ alloc p x q Ď Lt t ϕ ; ψ u ( ^ ľ " size ě β ` β ˇˇˇˇ size ě β Ď Lt ϕ size ě β Ď Lt ψ * ^ ľ t x ã Ñ y Ď Lt t ϕ | ψ uu ^ ľ " size ě β ` β . ´ ˇˇˇˇ size ě β Ď Lt ϕ size ě β Ď Lt ψ * Figure 6: The formula x˚yp ϕ, ψ q . p γ ñK PC, 17, 22
Since p γ is an arbitrary disjunct appearing in γ , we conclude that $ H C p˚q γ ñK .From $ H C p˚q γ ñK and $ H C p˚q γ ñK we conclude that ( : ) holds. From the theorem5 derived in this proof, this allows us to conclude that $ H C p˚q Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñ p alloc p z q ^ size “ q ˚ χ, which concludes the proof, as explained at the beginning of the induction step.Let us move to the derivation of (I C ) . Proof of ( I C ) . Let X Ď fin VAR . If X “ H , then the instance of the axiom (I C ) becomes J ñ size ě
0, i.e.
J ñ J , by definition of size ě
0. Below, assume X ‰ H and fix z P X . Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñp ˚ x P X p alloc p x q ^ size “ qq ˚ J (I ´˚ . . ) alloc p x q ^ size “ ñ size ě size “ p ˚ x P X p alloc p x q ^ size “ qq ˚ J ñ p ˚ x P X size ě q ˚ J . multiple applications of ˚ -Intro , 2, (A ˚ ) and ñ -Tr p ˚ x P X size ě q ˚ J ñ p size ě ˚ Jq ˚ p ˚ x P X zt z u size ě q (A ˚ ) , (A ˚ ) , def. of z size ě ˚ J ñ size ě (A ˚ ) , def. of size ě p size ě ˚ Jq ˚ p ˚ x P X zt z u size ě q ñ p ˚ x P X size ě q ˚ -Intro p ˚ x P X size ě q ñ size ě card p X q (A ˚ ) , def. of size ě card p X q Ź x P X p alloc p x q ^ Ź y P X zt x u x ‰ y q ñ size ě card p X q ñ -Tr , 1, 3, 4, 6, 7 From now on, we understand H C p˚q as the proof system obtained from H C by addingall schemata from Figure 5 but by removing (I C ) and (I C ) . We show that H C p˚q enjoysthe ˚ elimination property when the argument formulae are core types. That is, given twosatisfiable core types ϕ and ψ , in CoreTypes p X , α q , we show that the formula ϕ ˚ ψ is provablyequivalent to the formula x˚yp ϕ, ψ q in Conj p Core p X , α qq , defined in Figure 6. Lemma 5.4.
Let $X \subseteq_{\mathrm{fin}} \mathrm{VAR}$ and $\alpha \geq \mathrm{card}(X)$. If $\phi$ and $\psi$ are two satisfiable core types in $\mathrm{CoreTypes}(X,\alpha)$, then $\vdash_{\mathcal{H}_C(\ast)} \phi \ast \psi \Leftrightarrow \langle\ast\rangle(\phi,\psi)$.
The equivalence $\phi \ast \psi \Leftrightarrow \langle\ast\rangle(\phi,\psi)$ is reminiscent of the one in [EIP19, Lemma 3], which is proved semantically. In a way, because $\mathcal{H}_C(\ast)$ will turn out to be complete, the restriction of the proof of [EIP19, Lemma 3] to $\mathrm{SL}(\ast,\mathrm{alloc})$ can actually be replayed completely syntactically within $\mathcal{H}_C(\ast)$. Proof.
First of all, let us briefly explain what is the rationale for having literals of the form x ‰ x in the definition of x˚yp ϕ, ψ q . Recall that alloc p x q Ď Lt t ϕ ; ψ u is a shortcut to statethat alloc p x q occurs in the core type ϕ and alloc p x q also occurs in the core type ψ . Since p alloc p x q ^ ϕ q ˚ p alloc p x q ^ ψ q is unsatisfiable, alloc p x q Ď Lt t ϕ ; ψ u entails that x˚yp ϕ, ψ q should be unsatisfiable. That is why, if alloc p x q Ď Lt t ϕ ; ψ u , then x ‰ x is part of x˚yp ϕ, ψ q .( ñ ): Let us show that $ H C p˚q ϕ ˚ ψ ñ x˚yp ϕ, ψ q . We establish that $ H C p˚q ϕ ˚ ψ ñ L holdsfor every literal L of x˚yp ϕ, ψ q . We reason by a case analysis on L Ď Lt x˚yp ϕ, ψ q . case: L is an (in)equality or L “ x ã Ñ y : For all the equalities and inequalities in ϕ or ψ , as well as all the literals of the form x ã Ñ y , $ H C p˚q ϕ ˚ ψ ñ L follow from therule ˚ -Intro and the axiom (A ˚ ) . Let us provide below the proper derivation when L is a literal in ϕ that is an equality, an inequality or of the form x ã Ñ y . ϕ ñ L PC2 ψ ñ J PC3 ϕ ˚ ψ ñ L ˚ J ˚ -Ilr , 1, 2 4 L ˚ J ñ L (A ˚ ) ϕ ˚ ψ ñ L ñ -Tr , 3, 4 Assume there is a literal x ‰ x that occurs in x˚yp ϕ, ψ q . As both ϕ and ψ are satisfiable,and thanks to (A C ) , this is necessarily due to alloc p x q occurring both in ϕ and ψ . ϕ ñ alloc p x q PC2 ψ ñ alloc p x q PC3 ϕ ˚ ψ ñ alloc p x q ˚ alloc p x q ˚ -Ilr , 1, 2 4 alloc p x q ˚ alloc p x q ñK (A ˚ ) Kñ x ‰ x PC6 ϕ ˚ ψ ñ x ‰ x ñ -Tr , 4, 5 case: L “ alloc p x q : Follows from (I ˚ ) and ˚ -Intro . case: L “ alloc p x q : Follows from (A ˚ ) and ˚ -Intro . case: L “ x ã Ñ y : Let x ã Ñ y be a literal occurring in x˚yp ϕ, ψ q . So, alloc p x q ^ x ã Ñ y occurs in ϕ or ψ , say in ϕ (the other case is equivalent, due to (A ˚ ) ). 
ϕ ñ alloc p x q ^ x ã Ñ y PC2 ψ ñ J PC3 ϕ ˚ ψ ñ p alloc p x q ^ x ã Ñ y q ˚ J ˚ -Ilr , 1, 24 p alloc p x q ^ x ã Ñ y q ˚ J ñ x ã Ñ y (A ˚ ) ϕ ˚ ψ ñ x ã Ñ y ñ -Tr , 3, 4 case : L “ size ě β ` β , where size ě β Ď Lt ϕ and size ě β Ď Lt ψ : ϕ ñ size ě β PC2 ψ ñ size ě β PC3 ϕ ˚ ψ ñ size ě β ˚ size ě β ˚ -Ilr , 1, 2 ϕ ˚ ψ ñ size ě p β ` β q Def. size
Notice that, as ϕ and ψ are satisfiable core types, size ě x˚yp ϕ, ψ q . case: L “ size ě β ` β . ´ , where size ě β Ď Lt ϕ and size ě β Ď Lt ψ : ϕ ñ size ě β PC2 ψ ñ size ě β PC3 ϕ ˚ ψ ñ size ě β ˚ size ě β ˚ -Ilr , 1, 24 size ě β ˚ size ě β ñ size ě β ` β . ´ (A ˚ ) ϕ ˚ ψ ñ size ě β ` β . ´ ñ -Tr , 3, 4 ( ð ): Let us show that $ H C p˚q x˚yp ϕ, ψ q ñ ϕ ˚ ψ . If x˚yp ϕ, ψ q is unsatisfiable, then bycompleteness of H C (Theorem 4.2), $ H C x˚yp ϕ, ψ q ñK , and thus $ H C x˚yp ϕ, ψ q ñ ϕ ˚ ψ .Since H C p˚q includes H C , we conclude that $ H C p˚q x˚yp ϕ, ψ q ñ ϕ ˚ ψ . Otherwise, below, weassume x˚yp ϕ, ψ q to be satisfiable. In particular, this implies that no literals of the form x ‰ x or size ě x˚yp ϕ, ψ q . Moreover, by definition of x˚yp ϕ, ψ q , this implies that ϕ , ψ and x˚yp ϕ, ψ q agree on the satisfaction of the core formulae x “ y , i.e. ϕ , ψ and x˚yp ϕ, ψ q contain exactly the same (in)equalities. Since ϕ is satisfiable, these equalities define anequivalence relation. Let x , . . . x n be a maximal enumeration of representatives of theequivalence classes (one per equivalence class) such that alloc p x i q occurs in x˚yp ϕ, ψ q . Asit is maximal, for every alloc p x q Ď Lt x˚yp ϕ, ψ q there is i P r , n s such that x i is syntacticallyequal to x . Consequently, from the definition of x˚yp ϕ, ψ q , if alloc p x q occurs in ϕ or in ψ ,then there is some x i such that x “ x i occurs in ϕ (and therefore also in ψ and in x˚yp ϕ, ψ q ).Let us define the formula ALLOC below:
ALLOC def “ ` alloc p x q ^ size “ ˘ ˚ ¨ ¨ ¨ ˚ ` alloc p x n q ^ size “ ˘ . We have, x˚yp ϕ, ψ q ñ Ź i Pr ,n s p alloc p x i q ^ Ź j Pr ,n szt i u x i ‰ x j q PC, def. of x , . . . , x n Ź i Pr ,n s p alloc p x i q ^ Ź j Pr ,n szt i u x i ‰ x j q ñ ALLOC ˚ J (I ´˚ . . ) x˚yp ϕ, ψ q ñ ALLOC ˚ J ñ -Tr , 1, 2
Moreover, we show that $ H C p˚q ALLOC ñ size ě n and $ H C p˚q ALLOC ñ size ě n ` $ H C p˚q ALLOC ñ size “ n . χ ^ size “ ñ size ě size “ χ ^ size “ ñ size ě size “ ALLOC ñ ˚ i Pr ,n s size ě ˚ -Intro , 1, (A ˚ ) and ñ -Tr ALLOC ñ size ě n
3, def. of size ě n ALLOC ñ ˚ i Pr ,n s size ě XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 23 ˚ -Intro , 2, (A ˚ ) and ñ -Tr ˚ i Pr ,n s size ě ñ size ě n ` n applications of (A ˚ ) and ˚ -Intro ALLOC ñ size ě n ` ñ -Tr , 5, 68 ALLOC ñ size “ n PC, 4, 7, def. of size “ n After deriving $ H C p˚q x˚yp ϕ, ψ q ñ ALLOC ˚ J and $ H C p˚q ALLOC ñ size “ n , the proof isdivided in three steps: (1) we isolate the allocated cells and the garbage, (2) we distributethe alloc and size literals according to the goal ϕ ˚ ψ and (3) we add the missing literals. Step 1, isolating allocated cells and garbage . Since x˚yp ϕ, ψ q is a conjunction of literalsbuilt from core formulae, we can rely on max size px˚yp ϕ, ψ qq , i.e. the maximum β amongthe formulae size ě β appearing positively in x˚yp ϕ, ψ q . First, we show some importantproperties of x˚yp ϕ, ψ q , related to max size px˚yp ϕ, ψ qq .A. max size px˚yp ϕ, ψ qq “ max size p ϕ q ` max size p ψ q ,B. If there is β P N such that size ě β Ď Lt x˚yp ϕ, ψ q , then size ě max size p ϕ q ` Ď Lt ϕ , size ě max size p ψ q ` Ď Lt ψ .C. If there is β P N such that size ě β Ď Lt x˚yp ϕ, ψ q , then size ě max size px˚yp ϕ, ψ qq ` Ď Lt x˚yp ϕ, ψ q . Proof of (A) . By definition of max size p . q , we know that size ě max size p ϕ q Ď Lt ϕ and size ě max size p ψ q Ď Lt ψ . B definition of x˚yp ϕ, ψ q , this allows us to conclude that size ě max size p ϕ q` max size p ψ q Ď Lt x˚yp ϕ, ψ q . Ad absurdum , suppose that max size p ϕ q` max size p ψ q ‰ max size px˚yp ϕ, ψ qq and thus, by definition of max size p . q , there is β ą max size p ϕ q ` max size p ψ q such that size ě β Ď Lt x˚yp ϕ, ψ q . By definition of x˚yp ϕ, ψ q ,we conclude that there are β and β such that β ` β “ β , size ě β Ď Lt ϕ and size ě β Ď Lt ψ . As β ` β ą max size p ϕ q ` max size p ψ q , either β ą max size p ϕ q or β ą max size p ψ q . Let us assume β ą max size p ϕ q (the other case is analogous). We have size ě β Ď Lt ϕ . 
However, this is contradictory, since by definition of max size p . q for all β ą max size p ϕ q , size ě β Ď Lt ϕ . Thus, max size p ϕ q ` max size p ψ q “ max size px˚yp ϕ, ψ qq . Proof of (B) . Let β P N such that size ě β Ď Lt x˚yp ϕ, ψ q . By definition of x˚yp ϕ, ψ q ,this implies that there are β , β P r , α s such that β “ β ` β . ´ size ě β Ď Lt ϕ and size ě β Ď Lt ψ . Since ϕ and ψ are satisfiable, by definition of max size p . q , wederive that β ą max size p ϕ q and β ą max size p ψ q . This implies that the core formula size ě max size p ϕ q ` Core p X , α q and, analogously, that the core formula size ě max size p ψ q ` Core p X , α q . Since ϕ is in CoreTypes p X , α q , this impliesthat size ě max size p ϕ q ` ϕ . By definition ofmax size p ϕ q , the formula cannot appear positively, i.e. size ě max size p ϕ q ` Ď Lt ϕ .Analogously, ψ is in CoreTypes p X , α q , which leads to size ě max size p ψ q ` Ď Lt ψ . Proof of (C) . Directly from (A) and (B). Indeed, by definition of x˚yp ϕ, ψ q , we know that forevery size ě β Ď Lt ϕ and every size ě β Ď Lt ψ , size ě β ` β . ´ Ď Lt x˚yp ϕ, ψ q .Now, let us consider β g “ max size px˚yp ϕ, ψ qq . ´ n . We define the formula GARB below:
GARB def “ size “ β g if size ě β Ď Lt x˚yp ϕ, ψ q , for some β size ě β g otherwise , where we recall that size “ β g stands for size ě β g ^ p size ě β g ` q . Notice that GARB is a conjunction of literals where at least one size ě β occurs positively (i.e. size ě $ H C p˚q x˚yp ϕ, ψ q ñ ALLOC ˚ GARB . First,we focus on the positive part of
GARB , and prove $ H C p˚q x˚yp ϕ, ψ q ñ ALLOC ˚ size ě β g . If β g “ size ě β g “ J and we have already shown $ H C p˚q x˚yp ϕ, ψ q ñ ALLOC ˚ J . So,let us assume that β g ą
1. Notice that then max size px˚yp ϕ, ψ qq . ´ n “ max size px˚yp ϕ, ψ qq´ n .We have J ñ size ě β g _ size ě β g PC2
ALLOC ˚ J ñ
ALLOC ˚ p size ě β g _ size ě β g q ˚ -Intro , (A ˚ ) , 13 ALLOC ˚ p size ě β g _ size ě β g q ñp ALLOC ˚ size ě β g q _ p ALLOC ˚ size ě β g q (I ˚ ) , (A ˚ ) ALLOC ñ size ě n ` ALLOC ˚ size ě β g ñ p size ě n ` q ˚ size ě β g ˚ -Intro , 46 p size ě n ` q ˚ size ě β g ñ size ě max size px˚yp ϕ, ψ qq (A ˚ ) , def. of β g ALLOC ˚ J ñ p
ALLOC ˚ size ě β g q _ size ě max size px˚yp ϕ, ψ qq PC, 2, 3, 5, 68 x˚yp ϕ, ψ q ñ size ě max size px˚yp ϕ, ψ qq PC, def. of max size p . q x˚yp ϕ, ψ q ñ ALLOC ˚ J
Previously derived10 x˚yp ϕ, ψ q ñ p
ALLOC ˚ size ě β g q _ size ě max size px˚yp ϕ, ψ qq ñ -Tr , 7, 911 x˚yp ϕ, ψ q ñ ALLOC ˚ size ě β g PC, 8, 10
If for every β , size ě β Ď Lt x˚yp ϕ, ψ q , then by definition of GARB we conclude that $ H C p˚q x˚yp ϕ, ψ q ñ ALLOC ˚ GARB . Otherwise, suppose that there is β such that size ě β Ď Lt x˚yp ϕ, ψ q . So, GARB is de-fined as size ě β g ^ p size ě β g ` q . Directly from (C), we know that size ě max size px˚yp ϕ, ψ qq ` Ď Lt x˚yp ϕ, ψ q . By propositional reasoning, $ H C p˚q x˚yp ϕ, ψ q ñ size ě max size px˚yp ϕ, ψ qq ` . Then, x˚yp ϕ, ψ q ñ
ALLOC ˚ GARB is derived as follows: size ě β g ñ p size ě β g ^ size ě β g ` q _ size “ β g PC, def. of size “ β g ALLOC ˚ size ě β g ñ ALLOC ˚ ` p size ě β g ^ size ě β g ` q _ size “ β g ˘ ˚ -Intro , (A ˚ ) , 13 ALLOC ˚ ` p size ě β g ^ size ě β g ` q _ size “ β g ˘ ñ ` ALLOC ˚ p size ě β g ^ size ě β g ` q ˘ _ ` ALLOC ˚ size “ β g ˘ (I ˚ ) , (A ˚ ) size ě β g ^ size ě β g ` ñ size ě β g ` ALLOC ñ size ě n Previously derived6
ALLOC ˚ p size ě β g ^ size ě β g ` q ñ size ě n ˚ size ě β g ` ˚ -Ilr , 4, 57 size ě n ˚ size ě β g ` ñ size ě max size px˚yp ϕ, ψ qq ` (A ˚ ) , def. of size ě β ALLOC ˚ size ě β g ñ size ě max size px˚yp ϕ, ψ qq ` _ ` ALLOC ˚ size “ β g ˘ PC, 2, 3, 6, 79 x˚yp ϕ, ψ q ñ
ALLOC ˚ size ě β g Previously derived10 x˚yp ϕ, ψ q ñ size ě max size px˚yp ϕ, ψ qq ` _ ` ALLOC ˚ size “ β g ˘ ñ -Tr , 8, 911 x˚yp ϕ, ψ q ñ size ě max size px˚yp ϕ, ψ qq ` x˚yp ϕ, ψ q ñ ` ALLOC ˚ size “ β g loooomoooon GARB ˘ PC, 10, 11
Step 2, distributing alloc and size literals . In this step, we aim at showing that $ H C p˚q ALLOC ˚ GARB ñ ϕ p q ˚ ψ p q where ϕ p q and ψ p q are two formulae defined as follows: ϕ p q def “ size “ max size p ϕ q ^ Ź t alloc p x i q Ď Lt ϕ | i P r , n su if max size p ϕ q ă α size ě max size p ϕ q ^ Ź t alloc p x i q Ď Lt ϕ | i P r , n su otherwise ψ p q def “ size “ max size p ψ q ^ Ź t alloc p x i q Ď Lt ψ | i P r , n su if max size p ψ q ă α size ě max size p ψ q ^ Ź t alloc p x i q Ď Lt ψ | i P r , n su otherwiseBefore tackling this derivation, a few more steps are required. First of all, notice that, ifthere is a formula alloc p x q occurring both in ϕ and ψ , then, by definition of x˚yp ϕ, ψ q , x ‰ x occurs in x˚yp ϕ, ψ q . This contradicts fact that x˚yp ϕ, ψ q is satisfiable. Therefore, we derivethat the set of variables x , . . . , x n can be split into two disjoint subsets, the one “allocated”in ϕ , and the others in ψ . Let n ϕ (resp. n ψ ) denote the number of equivalence classesof variables allocated in ϕ (resp. ψ ). Clearly, n “ n ϕ ` n ψ . Moreover, since ϕ and ψ aresatisfiable core types in CoreTypes p X , α q , where α ě card p X q , we must have n ϕ ď max size p ϕ q and n ψ ď max size p ψ q (see axiom (I C ) ). By (A), we conclude that n ď max size px˚yp ϕ, ψ qq .We define the following formulae ALLOC p ϕ q def “ ˚ t alloc p x i q ^ size “ | alloc p x i q Ď Lt ϕ, i P r , n su GARB p ϕ q def “ size “ max size p ϕ q ´ n ϕ if max size p ϕ q ă α size ě max size p ϕ q ´ n ϕ otherwiseNotice that, since max size p ϕ q ě n ϕ , the formula GARB p ϕ q is well-defined. The formu-lae ALLOC p ψ q and GARB p ψ q are defined accordingly. Obviously, ALLOC is equal to
ALLOC p ϕ q˚ ALLOC p ψ q modulo associativity and commutativity for the separating conjunction ˚ . Hence,by taking advantage of the axioms (A ˚ ) and (A ˚ ) , we have $ H C p˚q ALLOC ô ALLOC p ϕ q ˚ ALLOC p ψ q . Let us now look at
GARB p ϕ q and GARB p ψ q . We aim at deriving $ H C p˚q GARB ñ GARB p ϕ q ˚ GARB p ψ q . Since, ϕ is a core type, we know that if max size p ϕ q ă α then, by definition of max size p ϕ q , size ě max size p ϕ q ` Ď Lt ϕ . A similar analysis can be done for ψ , which leads to thetwo following equivalences, by definition of GARB p ϕ q and GARB p ψ q : ‚ size ě max size p ϕ q ` Ď Lt ϕ if and only if GARB p ϕ q “ p size “ max size p ϕ q´ n ϕ q , ‚ size ě max size p ψ q ` Ď Lt ψ if and only if GARB p ψ q “ p size “ max size p ψ q´ n ψ q .By definition of GARB , (B) and (C), we know that
GARB “ p size “ max size px˚yp ϕ, ψ qq . ´ n q holds if and only if size ě max size p ϕ q ` Ď Lt ϕ and size ě max size p ϕ q ` Ď Lt ψ .From n ď max size px˚yp ϕ, ψ qq and and by relying on the previous two equivalences, thisallows us to conclude that:D. GARB p ϕ q “ p size “ max size p ϕ q´ n ϕ q and GARB p ψ q “ p size “ max size p ψ q´ n ψ q if andonly if GARB “ p size “ max size px˚yp ϕ, ψ qq ´ n q .To show $ H C p˚q GARB ñ p
GARB p ϕ q ˚ GARB p ψ qq , we split the proof depending on whether GARB p ϕ q “ p size “ max size p ϕ q´ n ϕ q and GARB p ψ q “ p size “ max size p ψ q´ n ψ q hold. case: GARB p ϕ q ‰ p size “ max size p ϕ q´ n ϕ q and GARB p ψ q ‰ p size “ max size p ψ q´ n ψ q : We have
GARB p ϕ q “ p size ě max size p ϕ q´ n ϕ q and GARB p ψ q “ p size ě max size p ψ q´ n ψ q .By definition of GARB and (D),
GARB “ p size ě max size px˚yp ϕ, ψ qq ´ n q . By n “ n ϕ ` n ψ and (A), max size px˚yp ϕ, ψ qq ´ n “ p max size p ϕ q´ n ϕ q ` p max size p ψ q´ n ψ q . Bydefinition of the core formula size ě β , GARB is already equivalent to
GARB p ϕ q ˚ GARB p ψ q , modulo associativity and commutativity for the separating conjunction ˚ .Hence, by taking advantage of the axioms (A ˚ ) and (A ˚ ) , we have $ H C p˚q GARB ñ GARB p ϕ q ˚ GARB p ψ q . case: GARB p ϕ q “ p size “ max size p ϕ q´ n ϕ q and GARB p ψ q ‰ p size “ max size p ψ q´ n ψ q : We have
GARB p ψ q “ p size ě max size p ψ q´ n ψ q and, by definition of GARB and (D), to-gether with n “ n ϕ ` n ψ and (A), GARB “ p size ě p max size p ϕ q´ n ϕ q`p max size p ψ q´ n ψ qq .In this case, GARB ñ GARB p ϕ q ˚ GARB p ψ q is an instantiation of the following valid for-mula with β “ max size p ϕ q´ n ϕ and β “ max size p ψ q ´ n ψ : size ě β ` β ñ size “ β ˚ size ě β . The derivability of this formula in H C p˚q is proven by induction on β . The derivationfor the base case β “ size ě β ñ emp ˚ size ě β (A ˚ ) emp ñ size ě ^ size ě size ě emp ˚ size ě β ñ size “ ˚ size ě β ˚ -Intro , 2, def. of size “ size ě β ñ size “ ˚ size ě β ñ -Tr , 1, 3 For the induction step, let us suppose the formula to be derivable for a certain β , andlet us prove that it is also derivable for β ` size ě β ` ` β ñ size ě ˚ size ě β ` β def. of size ě β , (A ˚ ) , (A ˚ ) size ě ñ size “ ˚ J (A ˚ ) , def. of size ě size ě ˚ size ě β ` β ñp size “ ˚ Jq ˚ size ě β ` β ˚ -Intro , 24 p size “ ˚ Jq ˚ size ě β ` β ñ size “ ˚ size ě β ` β PC, (A ˚ ) , (A ˚ ) , (A ˚ ) size ě β ` β ñ size “ β ˚ size ě β Induction Hypothesis
size “ ˚ size ě β ` β ñp size “ ˚ size “ β q ˚ size ě β (A ˚ ) , ˚ -Intro , (A ˚ ) size “ r β ñ size ě r β PC, def. of size “ r β size “ r β ñ size ě r β ` size “ r β size “ ˚ size “ β ñ size ě ˚ size ě β ˚ -Ilr , 710 size “ ˚ size “ β ñ size ě ˚ size ě β ` ˚ -Ilr , 811 size ě ˚ size ě β ñ size ě β ` size ě β , (A ˚ ) , (A ˚ ) size ě ˚ size ě β ` ñ size ě β ` (A ˚ ) size “ ˚ size “ β ñ size “ β ` size “ β p size “ ˚ size “ β q ˚ size ě β ñ size “ β ` ˚ size ě β ˚ -Intro , 1315 size ě β ` ` β ñ size “ β ` ˚ size ě β ñ -Tr , , , , , case: GARB p ϕ q ‰ p size “ max size p ϕ q´ n ϕ q and GARB p ψ q “ p size “ max size p ψ q´ n ψ q : Analogously to the previous case, we have
GARB p ϕ q “ p size ě max size p ϕ q´ n ϕ q and GARB “ p size ě p max size p ϕ q´ n ϕ q ` p max size p ψ q´ n ψ qq . We instantiate the theorem size ě β ` β ñ size “ β ˚ size ě β , shown derivable in the previous case of the proof, with β “ max size p ψ q´ n ψ and β “ max size p ϕ q ´ n ϕ . This corresponds to GARB ñ GARB p ψ q ˚ GARB p ϕ q . Afterwards, bycommutativity of the separating conjunction (axiom (A ˚ ) ) and propositional reasoning,we conclude that $ H C p˚q GARB ñ GARB p ϕ q ˚ GARB p ψ q . case: GARB p ϕ q “ p size “ max size p ϕ q´ n ϕ q and GARB p ψ q “ p size “ max size p ψ q´ n ψ q : By (D), n “ n ϕ ` n ψ and (A), GARB “ p size “ p max size p ϕ q´ n ϕ q ` p max size p ψ q´ n ψ qq .In this case, GARB ñ GARB p ϕ q ˚ GARB p ψ q is an instantiation of the following validformula, with β “ max size p ϕ q´ n ϕ and β “ max size p ψ q ´ n ψ : size “ β ` β ñ size “ β ˚ size “ β . Here is the derivation of this formula: size “ β ` β ñ size ě β ` β PC, def. of size “ β size ě β ` β ñ size “ β ˚ size ě β Previously derived3 size ě β ñ p size ě β ^ size ě β ` q _ size “ β PC, def. of size “ β size “ β ˚ size ě β ñ size “ β ˚ pp size ě β ^ size ě β ` q _ size “ β q (A ˚ ) , ˚ -Intro , 35 size “ β ˚ pp size ě β ^ size ě β ` q _ size “ β q ñp size “ β ˚ p size ě β ^ size ě β ` qq_p size “ β ˚ size “ β q (A ˚ ) , (I ˚ ) size ě r β ^ χ ñ size ě r β PC7 size “ β ˚ p size ě β ^ size ě β ` q ñ size ě β ˚ size ě β ` ˚ -Ilr , 68 size ě β ˚ size ě β ` ñ size ě β ` β ` (A ˚ ) , (A ˚ ) size “ β ˚ p size ě β ^ size ě β ` q ñ size ě β ` β ` ñ -Tr , 7, 810 size “ β ˚ pp size ě β ^ size ě β ` q _ size “ β q ñ size ě β ` β ` _p size “ β ˚ size “ β q PC, 5, 911 size “ β ` β ñ size ě β ` β ` _p size “ β ˚ size “ β q ñ -Tr , 1, 2, 4, 1012 size “ β ` β ñ size ě β ` β ` size “ β size “ β ` β ñ size “ β ˚ size “ β PC, 11, 12
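The two valid formulae instantiated in the case analysis above (size ≥ β₁+β₂ ⇒ size = β₁ ★ size ≥ β₂, and size = β₁+β₂ ⇒ size = β₁ ★ size = β₂) can be sanity-checked against the concrete heaplet semantics by exhaustive enumeration of small heaps. The following is an added example, not code from the paper; the formula encoding, the helper names, the store {x ↦ 1, y ↦ 2} and the location bound 1..4 are this example's own assumptions. It also checks the earlier ALLOC ⇒ size = n lemma (for n = 2) and the axiom alloc(x) ★ ⊤ ⇒ alloc(x), and exhibits a counterexample to the tempting but invalid strengthening size ≥ β₁+β₂ ⇒ size = β₁ ★ size = β₂.

```python
"""Bounded semantic checker for the star fragment of quantifier-free SL.
Heaps are finite partial maps loc -> loc; the store maps variables to locs."""
from itertools import combinations, product

# Constructed formula encoding (this example's own convention):
#   ('size_ge', b)  size >= b      ('emp',)       empty heap
#   ('alloc', x)    alloc(x)       ('pto', x, y)  x points to y
#   ('eq', x, y) / ('neq', x, y)   store (in)equality
#   ('not', f) ('and', f, g) ('or', f, g) ('imp', f, g)
#   ('star', f, g)  separating conjunction f * g
TOP = ('size_ge', 0)   # size >= 0 holds on every heap
BOT = ('not', TOP)

def size_ge(b):
    return ('size_ge', b)

def size_eq(b):
    # size = b abbreviates size >= b and not (size >= b + 1), as in the paper
    return ('and', size_ge(b), ('not', size_ge(b + 1)))

def splits(heap):
    """Every (h1, h2) with disjoint domains whose union is `heap`."""
    locs = sorted(heap)
    for k in range(len(locs) + 1):
        for dom1 in combinations(locs, k):
            h1 = {l: heap[l] for l in dom1}
            h2 = {l: v for l, v in heap.items() if l not in dom1}
            yield h1, h2

def sat(store, heap, f):
    """(store, heap) |= f under the concrete heaplet semantics."""
    tag = f[0]
    if tag == 'size_ge':
        return len(heap) >= f[1]
    if tag == 'emp':
        return not heap
    if tag == 'alloc':
        return store[f[1]] in heap
    if tag == 'pto':
        return heap.get(store[f[1]]) == store[f[2]]
    if tag == 'eq':
        return store[f[1]] == store[f[2]]
    if tag == 'neq':
        return store[f[1]] != store[f[2]]
    if tag == 'not':
        return not sat(store, heap, f[1])
    if tag == 'and':
        return sat(store, heap, f[1]) and sat(store, heap, f[2])
    if tag == 'or':
        return sat(store, heap, f[1]) or sat(store, heap, f[2])
    if tag == 'imp':
        return (not sat(store, heap, f[1])) or sat(store, heap, f[2])
    if tag == 'star':
        return any(sat(store, h1, f[1]) and sat(store, h2, f[2])
                   for h1, h2 in splits(heap))
    raise ValueError(f'unknown connective {tag!r}')

def heaps(locs):
    """All heaps whose domain and values are drawn from `locs`."""
    locs = sorted(locs)
    for k in range(len(locs) + 1):
        for dom in combinations(locs, k):
            for vals in product(locs, repeat=k):
                yield dict(zip(dom, vals))

def counterexample(f, store, locs):
    """A heap over `locs` falsifying f, or None.  Bounded check only: it says
    nothing about heaps that use locations outside `locs`."""
    for h in heaps(locs):
        if not sat(store, h, f):
            return h
    return None

STORE = {'x': 1, 'y': 2}   # constructed store: x and y name distinct cells
LOCS = range(1, 5)         # locations 1..4, so heap sizes 0..4 are all covered

def check_size_theorems(max_beta=2):
    """size >= b1+b2 => size = b1 * size >= b2  and
       size  = b1+b2 => size = b1 * size  = b2  for all b1, b2 <= max_beta."""
    for b1, b2 in product(range(max_beta + 1), repeat=2):
        ge_thm = ('imp', size_ge(b1 + b2), ('star', size_eq(b1), size_ge(b2)))
        eq_thm = ('imp', size_eq(b1 + b2), ('star', size_eq(b1), size_eq(b2)))
        if counterexample(ge_thm, STORE, LOCS) or counterexample(eq_thm, STORE, LOCS):
            return False
    return True

def check_alloc_lemma():
    """(alloc(x) ^ size = 1) * (alloc(y) ^ size = 1) => size = 2, i.e. the
    ALLOC => size = n lemma for n = 2, plus the axiom alloc(x) * T => alloc(x)."""
    alloc = ('star', ('and', ('alloc', 'x'), size_eq(1)),
                     ('and', ('alloc', 'y'), size_eq(1)))
    lemma = ('imp', alloc, size_eq(2))
    axiom = ('imp', ('star', ('alloc', 'x'), TOP), ('alloc', 'x'))
    return (counterexample(lemma, STORE, LOCS) is None
            and counterexample(axiom, STORE, LOCS) is None)

def wrong_generalisation():
    """size >= 2 => size = 1 * size = 1 is NOT valid: the garbage part must
    keep a lower bound, not an exact size.  Returns the first falsifying heap."""
    bad = ('imp', size_ge(2), ('star', size_eq(1), size_eq(1)))
    return counterexample(bad, STORE, LOCS)

if __name__ == '__main__':
    print('size theorems hold on heaps up to 4 cells:', check_size_theorems())
    print('ALLOC lemma and alloc(x) * T => alloc(x):', check_alloc_lemma())
    print('counterexample to the invalid strengthening:', wrong_generalisation())
```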
Thanks to the case analysis above, we conclude that $ H C p˚q GARB ñ GARB p ϕ q ˚ GARB p ψ q .Thus, $ H C p˚q ALLOC ˚ GARB ñ p
ALLOC p ϕ q ˚ GARB p ϕ qq ˚ p ALLOC p ψ q ˚ GARB p ψ qq . Indeed, ALLOC ñ ALLOC p ϕ q ˚ ALLOC p ψ q Previously derived2
GARB ñ GARB p ϕ q ˚ GARB p ψ q Previously derived3
ALLOC ˚ GARB ñ p
ALLOC p ϕ q ˚ ALLOC p ψ qq ˚ p GARB p ϕ q ˚ GARB p ψ qq ˚ -Ilr , 1, 24 p ALLOC p ϕ q ˚ ALLOC p ψ qq ˚ p GARB p ϕ q ˚ GARB p ψ qq ñp ALLOC p ϕ q ˚ GARB p ϕ qq ˚ p ALLOC p ψ q ˚ GARB p ψ qq (A ˚ ) , (A ˚ ) ALLOC ˚ GARB ñ p
ALLOC p ϕ q ˚ GARB p ϕ qq ˚ p ALLOC p ψ q ˚ GARB p ψ qq ñ -Tr , 3, 4 To conclude this step of the proof, it is sufficient to show $ H C p˚q ALLOC p ϕ q ˚ GARB p ϕ q ñ ϕ p q and $ H C p˚q ALLOC p ψ q ˚ GARB p ψ q ñ ψ p q . Indeed, by relying on the rule ˚ -Ilr , we thenobtain $ H C p˚q ALLOC ˚ GARB ñ ϕ p q ˚ ψ p q . Below, we show $ H C p˚q ALLOC p ϕ q ˚ GARB p ϕ q ñ ϕ p q . The developments of $ H C p˚q ALLOC p ψ q ˚ GARB p ψ q ñ ψ p q are analogous. We recallthat the formula ALLOC p ϕ q is defined as ALLOC p ϕ q “ ˚ t alloc p x i q ^ size “ | alloc p x i q Ď Lt ϕ u . First of all, let us show that $ H C p˚q ALLOC p ϕ q ˚ J ñ Ź t alloc p x i q Ď Lt ϕ | i P r , n su . Theproof is divided in three cases: case: t alloc p x i q ^ size “ | alloc p x i q Ď Lt ϕ u “ H : In this case, the formula we want toderive syntactically equal to is
J ˚ J ñ J , which is derivable by propositional reasoning. case: card pt alloc p x i q ^ size “ | alloc p x i q Ď Lt ϕ uq “ : In this case, the formula we wantto derive is syntactically equal to p alloc p x q ^ size “ q ˚ J ñ alloc p x q . Therefore, itis derivable in H C p˚q by (I ˚ ) and ˚ -Intro . case: card pt alloc p x i q ^ size “ | alloc p x i q Ď Lt ϕ uqě : In the derivation below, we write
ALLOC p ϕ q ´ i for ˚ t alloc p x j q ^ size “ | j P r , n szt i u , alloc p x j q Ď Lt ϕ u . Roughlyspeaking, ALLOC p ϕ q ´ i is obtained from ALLOC p ϕ q by removing the subformula alloc p x i q^ size “
1. Since card pt alloc p x i q ^ size “ | alloc p x i q Ď Lt ϕ uqě
2, the formula
ALLOC p ϕ q ´ i is different from J . We have, ALLOC p ϕ q ˚ J ñp alloc p x i q ^ size “ q ˚ p ALLOC p ϕ q ´ i ˚ Jq (A ˚ ) , (A ˚ ) , def. of ALLOC p ϕ q where alloc p x i q Ď Lt ϕ and i P r , n s ALLOC p ϕ q ´ i ˚ J ñ J PC XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 29 alloc p x i q ^ size “ ñ alloc p x i q PC4 p alloc p x i q ^ size “ q ˚ p ALLOC p ϕ q ´ i ˚ Jq ñ alloc p x i q ˚ J ˚ -Ilr , 2, 35 alloc p x i q ˚ J ñ alloc p x i q (I ˚ ) ALLOC p ϕ q ˚ J ñ alloc p x i q ñ -Tr , 1, 4, 57 ALLOC p ϕ q ˚ J ñ Ź t alloc p x i q Ď Lt ϕ | i P r , n su PC, repeating 6for all i P r , n s such that alloc p x i q Ď Lt ϕ So, we have $ H C p˚q ALLOC p ϕ q ˚ J ñ Ź t alloc p x i q Ď Lt ϕ | i P r , n su .Now, recall that card pt i P r , n s | alloc p x i q Ď Lt ϕ uq “ n ϕ . At the beginning of the proof,we have shown a derivation of $ H C p˚q ALLOC ñ size “ n , where ALLOC is defined as ˚ t alloc p x i q ^ size “ | i P r , n su . Replacing ALLOC by ALLOC p ϕ q and n by n ϕ in thederivation of ALLOC ñ size “ n leads to a derivation in H C p˚q of ALLOC p ϕ q ñ size “ n ϕ .To show $ H C p˚q ALLOC p ϕ q ˚ GARB p ϕ q ñ ϕ p q , we split the proof in two cases: case: max size p ϕ q “ α : By definition of ϕ p q and GARB p ϕ q , we have: ‚ ϕ p q “ size ě max size p ϕ q ^ Ź t alloc p x i q Ď Lt ϕ | i P r , n su , ‚ GARB p ϕ q “ size ě max size p ϕ q ´ n ϕ ,Then, ALLOC p ϕ q ˚ J ñ Ź t alloc p x i q Ď Lt ϕ | i P r , n su Previously derived2
GARB p ϕ q ñ J PC3
ALLOC p ϕ q ˚ GARB p ϕ q ñ ALLOC p ϕ q ˚ J ˚ -Intro , (A ˚ ) , 24 ALLOC p ϕ q ˚ GARB p ϕ q ñ Ź t alloc p x i q Ď Lt ϕ | i P r , n su ñ -Tr , 1, 35 ALLOC p ϕ q ñ size “ n ϕ See above6 size “ n ϕ ñ size ě n ϕ PC, def. of size “ n ϕ ALLOC p ϕ q ñ size ě n ϕ GARB p ϕ q ñ size ě max size p ϕ q ´ n ϕ PC, def. of
GARB p ϕ q ALLOC p ϕ q˚ GARB p ϕ q ñ size ě n ϕ ˚ size ě max size p ϕ q´ n ϕ ˚ -Ilr , 7, 810 size ě n ϕ ˚ size ě max size p ϕ q ´ n ϕ ñ size ě max size p ϕ q (A ˚ ) , (A ˚ ) , def. of size ě β ALLOC p ϕ q ˚ GARB p ϕ q ñ size ě max size p ϕ q ñ -Tr , 9, 1012 ALLOC p ϕ q ˚ GARB p ϕ q ñ ϕ p q PC, 4, 11, def. of ϕ p q case: max size p ϕ q ‰ α : In this case, max size p ϕ q ă α and so we have: ‚ ϕ p q “ size “ max size p ϕ q ^ Ź t alloc p x i q Ď Lt ϕ | i P r , n su , ‚ GARB p ϕ q “ size “ max size p ϕ q ´ n ϕ ,We can rely on the previous case of the proof in order to show that $ H C p˚q ALLOC p ϕ q ˚ GARB p ϕ q ñ size ě max size p ϕ q ^ ľ t alloc p x i q Ď Lt ϕ | i P r , n su . By propositional reasoning, we can derive $ H C p˚q ALLOC p ϕ q ˚ GARB p ϕ q ñ ϕ p q as soonas we show that $ H C p˚q ALLOC p ϕ q ˚ GARB p ϕ q ñ size ě max size p ϕ q `
1, as we donow: ALLOC p ϕ q ñ size “ n ϕ Already discussed above2 size “ n ϕ ñ size ě n ϕ ` size “ n ϕ ALLOC p ϕ q ñ size “ n ϕ ` ñ -Tr , 1, 24 GARB ϕ ñ size ě max size p ϕ q ´ n ϕ ` size “ β ALLOC p ϕ q ˚ GARB p ϕ q ñ size ě n ϕ ` ˚ size ě max size p ϕ q ´ n ϕ ` ˚ -Ilr , 3, 46 size ě n ϕ ` ˚ size ě max size p ϕ q ´ n ϕ ` ñ size ě max size p ϕ q ` (A ˚ ) ALLOC p ϕ q ˚ GARB p ϕ q ñ size ě max size p ϕ q ` ñ -Tr , 5, 6 This concludes the proof of $ H C p˚q ALLOC p ϕ q ˚ GARB p ϕ q ñ ϕ p q . As already stated, onecan analogously show that $ H C p˚q ALLOC p ψ q ˚ GARB p ψ q ñ ψ p q . Afterwards, by ˚ -Ilr andfrom $ H C p˚q ALLOC ˚ GARB ñ p
ALLOC p ϕ q˚ GARB p ϕ qq˚p ALLOC p ψ q˚ GARB p ψ qq , we concludethat $ H C p˚q ALLOC ˚ GARB ñ ϕ p q ˚ ψ p q . Step 3, add the missing literals . From the first and second step of the proof, and bypropositional reasoning, $ H C p˚q x˚yp ϕ, ψ q ñ ϕ p q ˚ ψ p q . We now rely on x˚yp ϕ, ψ q to add to ϕ p q and ψ p q missing literals from ϕ and ψ , respectively. We add the literals progressively,building a sequence of formulae ϕ p q ˚ ψ p q , ϕ p q ˚ ψ p q , . . . , ϕ p k q ˚ ψ p k q , where for all i P r , k s , ϕ p i q and ψ p i q are conjunctions of core formulae such that $ H C p˚q x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q ,and for all j P r , i s , ϕ p j q Ď Lt ϕ p i q and ψ p j q Ď Lt ψ p i q . Fundamentally, we obtain ϕ “ ϕ p k q and ψ “ ψ p k q (modulo associativity and commutativity of the classical conjunction), whichallows us to derive $ H C p˚q x˚yp ϕ, ψ q ñ ϕ ˚ ψ , ending the proof. Below, we focus on theformula ϕ p i q and ϕ . Since x˚yp ϕ, ψ q is equal to x˚yp ψ, ϕ q (by definition) and the separatingconjunction is commutative (axiom (A ˚ ) ), a similar analysis can be done for ψ p i q and ψ .Thus, we assume that $ H C p˚q x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q holds, where in particular ϕ p q Ď Lt ϕ p i q and ψ p q Ď Lt ψ p i q , and that there is a literal L Ď Lt ϕ that does not appear in ϕ p i q . Byrelying on the theorems in Lemma 5.2, we show that $ H C p˚q x˚yp ϕ, ψ q ñ p ϕ p i q ^ L q ˚ ψ p i q by a case analysis on L . case: L “ x „ y , where „P t“ , ‰u : By definition of x˚yp ϕ, ψ q , x „ y Ď Lt x˚yp ϕ, ψ q . x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis2 x˚yp ϕ, ψ q ñ x „ y PC, def. of x˚yp ϕ, ψ q , see above3 x˚yp ϕ, ψ q ñ x „ y ^ p ϕ p i q ˚ ψ p i q q PC, 1, 24 x „ y ^ p ϕ p i q ˚ ψ p i q q ñ p ϕ p i q ^ x „ y q ˚ ψ p i q (I ˚ . . ) x˚yp ϕ, ψ q ñ p ϕ p i q ^ x „ y q ˚ ψ p i q ñ -Tr , 3, 4 XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 31 case: L “ alloc p x q : Since alloc p x q Ď Lt ϕ , by definition, alloc p x q Ď Lt x˚yp ϕ, ψ q . Bydefinition of x , . . . 
, x n , there is j P r , n s such that x j “ x Ď Lt x˚yp ϕ, ψ q . Since ϕ is acore type, alloc p x j q Ď Lt ϕ . By definition of ϕ p q , alloc p x j q Ď Lt ϕ p q . From ϕ p q Ď Lt ϕ p i q ,we have alloc p x j q Ď Lt ϕ p i q . Afterwards, ϕ p i q ñ ϕ p i q ^ alloc p x j q PC, see above2 x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis3 ϕ p i q ˚ ψ p i q ñ p ϕ p i q ^ alloc p x j qq ˚ ψ p i q ˚ -Intro , 14 x˚yp ϕ, ψ q ñ x j “ x PC, see above5 x˚yp ϕ, ψ q ñ x j “ x ^ pp ϕ p i q ^ alloc p x j qq ˚ ψ p i q q PC, 2, 3, 46 x j “ x ^ pp ϕ p i q ^ alloc p x j qq ˚ ψ p i q q ñ p ϕ p i q ^ alloc p x qq ˚ ψ p i q (I ˚ . . ) x˚yp ϕ, ψ q ñ pp ϕ p i q ^ alloc p x qq ˚ ψ p i q q ñ -Tr , 5, 6 Without loss of generality, thanks to the derivation above dealing with alloc p x q literals, wenow assume that for all alloc p x q Ď Lt ϕ and all alloc p y q Ď Lt ψ , we have alloc p x q Ď Lt ϕ p i q and alloc p y q Ď Lt ψ p i q . case: L “ alloc p x q : We distinguish two main subcases. ‚ First, assume alloc p x q Ď Lt ψ . By definition of x˚yp ϕ, ψ q , alloc p x q Ď Lt x˚yp ϕ, ψ q . x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis2 x˚yp ϕ, ψ q ñ alloc p x q PC, def. of x˚yp ϕ, ψ q , see above3 x˚yp ϕ, ψ q ñ alloc p x q ^ p ϕ p i q ˚ ψ p i q q PC, 1, 24 alloc p x q ^ p ϕ p i q ˚ ψ p i q q ñ p ϕ p i q ^ alloc p x qq ˚ ψ p i q (I ˚ . . ) x˚yp ϕ, ψ q ñ p ϕ p i q ^ alloc p x qq ˚ ψ p i q ñ -Tr , 3, 4 ‚ Otherwise, alloc p x q Ď Lt ψ . By assumption, alloc p x q Ď Lt ψ p i q . ψ p i q ñ ψ p i q ^ alloc p x q PC, see above2 x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis3 ϕ p i q ˚ ψ p i q ñ p ψ p i q ^ alloc p x qq ˚ ϕ p i q (A ˚ ) , ˚ -Intro , 14 p ψ p i q ^ alloc p x qq ˚ ϕ p i q ñ ψ p i q ˚ p ϕ p i q ^ alloc p x qq (I ˚ . . ) ψ p i q ˚ p ϕ p i q ^ alloc p x qq ñ p ϕ p i q ^ alloc p x qq ˚ ψ p i q (A ˚ ) x˚yp ϕ, ψ q ñ p ϕ p i q ^ alloc p x qq ˚ ψ p i q ñ -Tr , 2, 3, 4, 5 case: L “ x ã Ñ y : Similar to the case L “ alloc p x q . Since ϕ is a satisfiable core type,we have alloc p x q Ď Lt ϕ (see axiom (A C ) ). 
By assumption, alloc p x q Ď Lt ϕ p i q . Bydefinition of x˚yp ϕ, ψ q , we have x ã Ñ y Ď Lt x˚yp ϕ, ψ q . ϕ p i q ñ ϕ p i q ^ alloc p x q PC, see above2 x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis x˚yp ϕ, ψ q ñ x ã Ñ y PC, see above4 ϕ p i q ˚ ψ p i q ñ p ϕ p i q ^ alloc p x qq ˚ ψ p i q ˚ -Intro , 15 x˚yp ϕ, ψ q ñ x ã Ñ y ^ pp ϕ p i q ^ alloc p x qq ˚ ψ p i q q PC, 3, 46 x ã Ñ y ^ pp ϕ p i q ^ alloc p x qq ˚ ψ p i q q ñ p ϕ p i q ^ x ã Ñ y q ˚ ψ p i q (I ˚ . . ) x˚yp ϕ, ψ q ñ p ϕ p i q ^ x ã Ñ y q ˚ ψ p i q ˚ -Intro , 5, 6 Without loss of generality, thanks to the previous cases dealing with alloc p x q literals,below we assume that for every alloc p x q Ď Lt ϕ and every alloc p y q Ď Lt ψ , we have alloc p x q Ď Lt ϕ p i q and alloc p y q Ď Lt ψ p i q . case: L “ x ã Ñ y : We distinguish two main subcases ‚ First, suppose alloc p x q Ď Lt ϕ . In this case, by definition of x˚yp ϕ, ψ q , we have x ã Ñ y Ď Lt x˚yp ϕ, ψ q . Therefore, x˚yp ϕ, ψ q ñ x ã Ñ y PC, see above2 x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis3 x˚yp ϕ, ψ q ñ x ã Ñ y ^ p ϕ p i q ˚ ψ p i q q PC, 1, 24 x ã Ñ y ^ p ϕ p i q ˚ ψ p i q q ñ p ϕ p i q ^ x ã Ñ y q ˚ ψ p i q (I ˚ . . ) ‚ Otherwise, we have alloc p x q Ď Lt ϕ . By assumption, alloc p x q Ď Lt ϕ p i q , and thus ϕ p i q ñ alloc p x q PC, see above2 alloc p x q ñ x ã Ñ y (A C ) , PC3 ϕ p i q ñ x ã Ñ y ñ -Tr , 1, 24 ϕ p i q ñ ϕ p i q ^ x ã Ñ y PC, 35 x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis6 ϕ p i q ˚ ψ p i q ñ p ϕ p i q ^ x ã Ñ y q ˚ ψ p i q ˚ -Intro , 47 x˚yp ϕ, ψ q ñ p ϕ p i q ^ x ã Ñ y q ˚ ψ p i q ñ -Tr , 5, 6 case: L “ size ě β : By definition of max size p . q , β ď max size p ϕ q . By definition of ϕ p q , size ě max size p ϕ q Ď Lt ϕ p q . From ϕ p q Ď Lt ϕ p i q , we get size ě max size p ϕ q Ď Lt ϕ p i q . 
ϕ p i q ñ size ě max size p ϕ q PC, see above2 size ě max size p ϕ q ñ size ě β repeated (I C ) , PC, as β ď max size p ϕ q ϕ p i q ñ ϕ p i q ^ size ě β PC, 1, 24 x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis5 ϕ p i q ˚ ψ p i q ñ p ϕ p i q ^ size ě β q ˚ ψ p i q ˚ -Intro , 36 x˚yp ϕ, ψ q ñ p ϕ p i q ^ size ě β q ˚ ψ p i q ñ -Tr , 4, 5 XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 33 case: L “ size ě β : In this case, max size p ϕ q ă α . Since ϕ is a satisfiable core type, wehave β ą max size p ϕ q . Moreover, by definition of ϕ p q , size ě max size p ϕ q ` Ď Lt ϕ p q .From ϕ p q Ď Lt ϕ p i q , we have size ě max size p ϕ q ` Ď Lt ϕ p i q . ϕ p i q ñ size ě max size p ϕ q` size ě max size p ϕ q` ñ size ě β repeated (I C ) , PC, as β ą max size p ϕ q by PC, the contrapositive of (I C ) is derivable3 ϕ p i q ñ ϕ p i q ^ size ě β PC, 1, 24 x˚yp ϕ, ψ q ñ ϕ p i q ˚ ψ p i q Hypothesis5 ϕ p i q ˚ ψ p i q ñ p ϕ p i q ^ size ě β q ˚ ψ p i q ˚ -Intro , 36 x˚yp ϕ, ψ q ñ p ϕ p i q ^ size ě β q ˚ ψ p i q ñ -Tr , 4, 5 Corollary 5.5 (Star elimination) . Let X Ď fin VAR and α ě card p X q . Let ϕ and ψ in CoreTypes p X , α q . There is χ in Conj p Core p X , α qq such that $ H C p˚q ϕ ˚ ψ ô χ .Proof. If both ϕ and ψ are satisfiable, the results holds directly by Lemma 5.4, as x˚yp ϕ, ψ q is in Conj p Core p X , α ` α qq . Otherwise, let us treat the case where one of the two formulas isunsatisfiable. For instance, assume that ϕ is unsatisfiable. Then $ H C ϕ ñ K by complete-ness of H C (Lemma 4.1) and, ad H C p˚q includes H C , $ H C p˚q ϕ ñ K . By the rule ˚ -Intro and by the axiom (I ˚ ) , we get $ H C p˚q ϕ ˚ ψ ñ K . Thus χ can take the value p x “ x q .The case where ψ is not satisfiable is analogous, thanks to (A ˚ ) .By the distributivity axiom (I ˚ ) , Corollary 5.5 is extended from core types to arbitraryBoolean combinations of core formulae. H C p˚q is therefore complete for SL p˚ , alloc q . 
Inorder to derive a valid formula ϕ P SL p˚ , alloc q , we repeatedly apply the elimination of ˚ in a bottom-up fashion, starting from the leaves of ϕ (which are Boolean combinations ofcore formulae) and obtaining a Boolean combination of core formulae ψ that is equivalentto ϕ . Then, we rely on the completeness of H C (Theorem 4.2) to prove that ψ is derivable. Theorem 5.6.
A formula ϕ in SL p˚ , alloc q is valid iff $ H C p˚q ϕ .Proof. Soundness of the proof system H C p˚q has been already established earlier.As far as the completeness proof is concerned, we need to show that for every formula ϕ in SL p˚ , alloc q , there is a Boolean combination of core formulae ψ such that $ H C p˚q ϕ ô ψ .In order to conclude the proof, when ϕ is valid for SL p˚ , alloc q , by soundness of H C p˚q , weobtain that ψ is valid too and therefore $ H C p˚q ψ as H C is a subsystem of H C p˚q and H C iscomplete by Theorem 4.2. By propositional reasoning, we get that $ H C p˚q ϕ .To show that every formula ϕ has a provably equivalent Boolean combination of coreformulae, we heavily rely on Corollary 5.5. The proof is by simple induction on the numberof occurrences of ˚ in ϕ that are not involved in the definition of some core formula of theform size ě β . For the base case, when ϕ has no occurrence of the separating conjunction, x “ y and x ã Ñ y are already core formulae, and emp is logically equivalent to size ě H C p˚q , the replacement ofprovably equivalent formulae holds true, which is stated as follows: R0 Let ϕ, ϕ and ψ be formulae of SL p˚ , alloc q such that $ H C p˚q ϕ ô ϕ . Then, $ H C p˚q ψ r ϕ s ρ ñ ψ r ϕ s ρ Above, ψ r ϕ s ρ refers to the formula ψ in which the subformula at the occurrence ρ (in thestandard sense) is replaced by ϕ . ( ϕ and ϕ are therefore placed at the same occurrence.)To prove R0 , we first note that the following rules can be shown admissible in H C p˚q : ϕ ô ϕ ϕ ô ϕ ϕ ô ϕ ϕ _ ψ ô ϕ _ ψ ϕ ô ϕ ϕ ^ ψ ô ϕ ^ ψ Admissibility of such rules is a direct consequence of the presence of axioms and modusponens for the propositional calculus. 
As a consequence of the presence of the rule ˚ -Intro in H C p˚q , the rule below is also admissible: ϕ ô ϕ ϕ ˚ ψ ô ϕ ˚ ψ Consequently, by structural induction on ψ , one can conclude that $ H C p˚q ϕ ô ϕ implies $ H C p˚q ψ r ϕ s ρ ñ ψ r ϕ s ρ (the axiom (A ˚ ) needs to be used here).Assume that ϕ is a formula in SL p˚ , alloc q with n ` size ě β ( n ě ψ be a subformulaof ϕ (at the occurrence ρ ) of the form ψ ˚ ψ such that ψ and ψ are Boolean combinations ofcore formulae, in Bool p Core p X , α qq and Bool p Core p X , α qq . By pure propositional reasoning,one can show that there are formulae in disjunctive normal form ψ _ ¨ ¨ ¨ _ ψ n and ψ _¨ ¨ ¨ _ ψ n such that $ H C ψ i ô ψ i _ ¨ ¨ ¨ _ ψ n i i for i P t , u and moreover, all the ψ ji ’s arecore types in CoreTypes p X , max p card p X q , α , α qq . Again, by using propositional reasoningbut this time using also the axiom (I ˚ ) for distributivity, we have $ H C p˚q ψ ˚ ψ ô ł j Pr ,n s ,j Pr ,n s ψ j ˚ ψ j . We now rely on Corollary 5.5 and derive that there is a conjunction of core formulae ψ j ,j in Conj p Core p X , p card p X q , α , α qqq such that $ H C p˚q ψ ˚ ψ ô ψ j ,j . By propositionalreasoning, we get $ H C p˚q ψ ˚ ψ ô ł j Pr ,n s ,j Pr ,n s ψ j ,j . Consequently (thanks to the property R0 ), we obtain $ H C p˚q ϕ ô ϕ r ł j Pr ,n s ,j Pr ,n s ψ j ,j s ρ Note that the right-hand side formula has n occurrences of the separating conjunction thatare not involved in the definition of some core formula of the form size ě β . The inductionhypothesis applies, which concludes the proof.6. A constructive elimination of ´˚ leading to full completeness In order to obtain the final proof system H C p˚ , ´˚q , we add the axioms and rules fromFigure 7 to the proof system H C p˚q . These new axioms are rules and dedicated to the sep-arating implication. 
The axioms involving ´ f (kind of dual of ´˚ , introduced in Section 2)express that it is always possible to extend a given heap with an extra cell, and that theaddress and the content of this cell can be fixed arbitrarily (provided it is not already allo-cated). The adjunction rules ˚ -Adj and ´˚ -Adj are from the Hilbert-style axiomatisation of XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 35 (A ´˚ ) p size “ ^ Ź x P X alloc p x qq ´ f J đ r X Ď fin VAR s (A ´˚ ) alloc p x q ñ pp x ã Ñ y ^ size “ q ´ f Jq (A ´˚ ) alloc p x q ñ pp alloc p x q ^ size “ ^ Ź y P X x ã Ñ y q ´ f Jq đ r X Ď fin VAR s˚ -Adj : ϕ ˚ ψ ñ χϕ ñ p ψ ´˚ χ q ´˚ -Adj : ϕ ñ p ψ ´˚ χ q ϕ ˚ ψ ñ χ Figure 7: Additional axioms and rules for handling the separating implication.Boolean BI [GLW06, Section 2]. One can observe that, in H C p˚ , ´˚q , the axioms (I ˚ ) , (I ˚ ) and (I ˚ ) of H C p˚q are derivable. Lemma 6.1.
The axioms ( I ˚ ) , ( I ˚ ) and ( I ˚ ) are derivable in H C p˚ , ´˚q . As the whole enterprise of this section is to establish completeness of the proof sys-tem H C p˚ , ´˚q , as usual, we shall provide below the derivations in the calculus. Proof of ( I ˚ ) . p ϕ ˚ χ q ñ p ϕ ˚ χ q _ p ψ ˚ χ q PC2 p ψ ˚ χ q ñ p ϕ ˚ χ q _ p ψ ˚ χ q PC3 ϕ ñ p χ ´˚ pp ϕ ˚ χ q _ p ψ ˚ χ qqq ˚ -Adj , 14 ψ ñ p χ ´˚ pp ϕ ˚ χ q _ p ψ ˚ χ qqq ˚ -Adj , 25 ϕ _ ψ ñ p χ ´˚ pp ϕ ˚ χ q _ ψ ˚ χ qq PC, 3, 46 p ϕ _ ψ q ˚ χ ñ p ϕ ˚ χ q _ p ψ ˚ χ q ´˚ -Adj , 5 Proof of ( I ˚ ) . The axiom (I ˚ ) is provable by ˚ -Adj . Indeed, proving pK ˚ ϕ q ñK reducesto proving Kñ p ϕ ´˚ Kq . The latter is a tautology by propositional reasoning. Proof of ( I ˚ ) . K ˚J ñK (I ˚ ) p x ã Ñ x ´˚ Kq ñ p x ã Ñ x ´˚ Kq PC3 p x ã Ñ x ´˚ Kq ˚ x ã Ñ x ñK ´˚ -Adj , 24 x ã Ñ x ˚ p x ã Ñ x ´˚ Kq ñ p x ã Ñ x ´˚ Kq ˚ x ã Ñ x (A ˚ ) x ã Ñ x ˚ p x ã Ñ x ´˚ Kq ñK ñ -Tr , 4, 36 p x ã Ñ x ˚ p x ã Ñ x ´˚ Kqq ˚ J ñK ˚J ˚ -Intro , 57 pp x ã Ñ x ´˚ Kq ˚ Jq ˚ p x ã Ñ x q ñ p x ã Ñ x ˚ p x ã Ñ x ´˚ Kqq ˚ J (A ˚ ) , (A ˚ ) pp x ã Ñ x ´˚ Kq ˚ Jq ˚ p x ã Ñ x q ñK ñ -Tr , 7, 6, 19 p x ã Ñ x ´˚ Kq ˚ J ñ p x ã Ñ x ´˚ Kq ˚ -Adj , 810 alloc p x q ˚ J ñ alloc p x q Def. alloc p x q , 9 Fundamentally, H C p˚ , ´˚q enjoys the ´˚ elimination property, as shown below. Actually,we state the property with the help of ´ f as we find the related statements and developmentsmore intuitive. Lemma 6.2.
Let X Ď fin VAR and α ě card p X q . Let ϕ and ψ in CoreTypes p X , α q . There is aconjunction χ P Conj p Core p X , α qq such that $ H C p˚ , ´˚q p ϕ ´ f ψ q ô χ . In the proof of Lemma 6.2, the formula χ is explicitly constructed from ϕ and ψ , followinga pattern analogous to the construction of x˚yp . , . q in Figure 6. The derivation of theequivalence p ϕ ´ f ψ q ô χ is shown as follows. First, the formulae χ ˚ ϕ ñ ψ and χ ˚ ϕ ñ ψ are shown valid (by using semantical means). As H C p˚q is complete for SL p˚ , alloc q , it isa subsystem of H C p˚ , ´˚q , and the formulae ϕ , ψ and χ are Boolean combinations of core formulae, we get $ H C p˚ , ´˚q χ ˚ ϕ ñ ψ and $ H C p˚ , ´˚q χ ˚ ϕ ñ ψ . The latter theoremleads to $ H C p˚ , ´˚q p ϕ ´ f ψ q ñ χ by using the definition of ´ f and the rule ˚ -Adj . In orderto show that $ H C p˚ , ´˚q χ ñ p ϕ ´ f ψ q holds, we take advantage of the admissibility of thetheorem (I ´˚ . . ) (see Lemma 6.3) for which an instance is p ϕ ´ f Jq^p ϕ ´˚ ψ q ñ p ϕ ´ f pJ^ ψ qq .From $ H C p˚ , ´˚q χ ˚ ϕ ñ ψ and by ˚ -Adj we have $ H C p˚ , ´˚q χ ñ p ϕ ´˚ ψ q . Therefore, themain technical development lies in the proof of $ H C p˚ , ´˚q χ ñ p ϕ ´ f Jq , which allows us totake advantage of (I ´˚ . . ) , and leads to $ H C p˚ , ´˚q χ ñ p ϕ ´ f ψ q by propositional reasoning.In order to formalise the proof of Lemma 6.2 sketched above, we start by establishingseveral admissible axioms and rules (Lemma 6.3). Afterwards, we define the formula χ andshow the validity of χ ˚ ϕ ñ ψ and χ ˚ ϕ ñ ψ (Lemma 6.4). Then, come the final bitsof the proof of Lemma 6.2. Lemma 6.3.
The following rules and axioms are admissible in H C p˚ , ´˚q : (I ´˚ . . ) K ´ f ϕ ñ K (I ´˚ . . ) ϕ ´ f K ñ K (I ´˚ . . ) ϕ ˚ p ϕ ´˚ ψ q ñ ψ (I ´˚ . . ) ϕ ñ ψϕ ´ f χ ñ ψ ´ f χ (I ´˚ . . ) ϕ ñ ψχ ´ f ϕ ñ χ ´ f ψ (I ´˚ . . ) p ϕ _ ψ q ´ f χ ô ϕ ´ f χ _ ψ ´ f χ (I ´˚ . . ) χ ´ f p ϕ _ ψ q ô χ ´ f ϕ _ χ ´ f ψ (I ´˚ . . ) ϕ ´ f p ψ ´ f χ q ô p ϕ ˚ ψ q ´ f χ (I ´˚ . . ) p ϕ ´ f ψ q ^ p ϕ ´˚ χ q ñ ` ϕ ´ f p ψ ^ χ q ˘ (I ´˚ . . ) x “ y ^ ϕ ´ f ψ ñ p ϕ ^ x “ y q ´ f ψ . (I ´˚ . . ) x ‰ y ^ ϕ ´ f ψ ñ p ϕ ^ x ‰ y q ´ f ψ .Proof of ( I ´˚ . . ) . K ˚J ñK (I ˚ ) Kñ ϕ PC3
K ˚J ñ ϕ ñ -Tr , 1, 2 4 J ñ pK ´˚ ϕ q (A ˚ ) , ˚ -Adj J ñ pK ´ f ϕ q Def. ´ f , PC6 pK ´ f ϕ q ñK
5, PC
Proof of ( I ´˚ . . ) . J ˚ ϕ ñ J PC2
J ñ p ϕ ´˚ Jq ˚ -Adj p ϕ ´˚ Jq ñK PC, 24 p ϕ ´ f Kq ñK
Def. ´ f , PC Note that implicitly, we have assumed that we can replace J by K in the scope of ´ f or ´˚ , which is possible as the replacement of equivalents holds in the calculus H C p˚ , ´˚q (seee.g. the proof of Theorem 6.6). Proof of ( I ´˚ . . ) . p ϕ ´˚ ψ q ñ p ϕ ´˚ ψ q PC2 p ϕ ´˚ ψ q ˚ ϕ ñ ψ ´˚ -Adj , 13 p ϕ ˚ p ϕ ´˚ ψ qq ñ pp ϕ ´˚ ψ q ˚ ϕ q (A ˚ ) ϕ ˚ p ϕ ´˚ ψ q ñ ψ ñ -Tr , 3, 2 Proof of ( I ´˚ . . ) . XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 37 ϕ ñ ψ Hypothesis2 ψ ˚ p ψ ´˚ χ q ñ χ (I ´˚ . . ) p ψ ´˚ χ q ˚ ϕ ñ ϕ ˚ p ψ ´˚ χ q (A ˚ ) ϕ ˚ p ψ ´˚ χ q ñ ψ ˚ p ψ ´˚ χ q ˚ -Intro , 15 ϕ ˚ p ψ ´˚ χ q ñ χ ñ -Tr , 2, 46 p ψ ´˚ χ q ˚ ϕ ñ χ ñ -Tr , 3, 57 ψ ´˚ χ ñ ϕ ´˚ χ ˚ -Adj , 68 p ϕ ´˚ χ q ñ p ψ ´˚ χ q PC, 79 ϕ ´ f χ ñ ψ ´ f χ Def. ´ f , 8 Proof of ( I ´˚ . . ) . ϕ ñ ψ Hypothesis2 ψ ñ ϕ PC, 13 χ ˚ p χ ´˚ ψ q ñ ψ (I ´˚ . . ) χ ˚ p χ ´˚ ψ q ñ ϕ ñ -Tr , 3, 25 p χ ´˚ ψ q ˚ χ ñ χ ˚ p χ ´˚ ψ q (A ˚ ) p χ ´˚ ψ q ˚ χ ñ ϕ ñ -Tr , 4, 57 p χ ´˚ ψ q ñ p χ ´˚ ϕ q ˚ -Adj , 68 p χ ´˚ ϕ q ñ p χ ´˚ ψ q PC, 79 χ ´ f ϕ ñ χ ´ f ψ Def. ´ f Proof of ( I ´˚ . . ) . We derive each implication separately. ϕ ´˚ χ ^ ψ ´˚ χ ñ ψ ´˚ χ PC2 ψ ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q ñ ψ ˚ p ψ ´˚ χ q ˚ -Ilr , 13 ϕ ´˚ χ ^ ψ ´˚ χ ñ ϕ ´˚ χ PC4 ϕ ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q ñ ϕ ˚ p ϕ ´˚ χ q ˚ -Ilr , 35 ϕ ˚ p ϕ ´˚ χ q ñ χ (I ´˚ . . ) ψ ˚ p ψ ´˚ χ q ñ χ (I ´˚ . . ) ψ ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q ñ χ ñ -Tr , 2, 68 ϕ ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q ñ χ ñ -Tr , 4, 59 p ϕ _ ψ q ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q ñ ϕ ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q _ ψ ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q (I ˚ ) p ϕ _ ψ q ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q ñ χ PC, 7, 8, 911 p ϕ ´˚ χ ^ ψ ´˚ χ q ˚ p ϕ _ ψ q ñ p ϕ _ ψ q ˚ p ϕ ´˚ χ ^ ψ ´˚ χ q (A ˚ ) p ϕ ´˚ χ ^ ψ ´˚ χ q ˚ p ϕ _ ψ q ñ χ ñ -Tr , 12, 1013 p ϕ ´˚ χ ^ ψ ´˚ χ q ñ pp ϕ _ ψ q ´˚ χ q ˚ -Adj , 1214 pp ϕ _ ψ q ´˚ χ q ñ p ϕ ´˚ χ q _ p ψ ´˚ χ q PC, 1315 p ϕ _ ψ q ´ f χ ñ p ϕ ´ f χ q _ p ψ ´ f χ q Def. ´ f , 14 The derivation of the other implication can be found below. ϕ ñ ϕ _ ψ PC2 ψ ñ ϕ _ ψ PC3 ϕ ´ f χ ñ p ϕ _ ψ ´ f χ q (I ´˚ . . 
) , 14 ψ ´ f χ ñ p ϕ _ ψ ´ f χ q (I ´˚ . . ) , 25 pp ψ ´ f χ q _ p ϕ ´ f χ qq ñ p ϕ _ ψ ´ f χ q PC, 3, 4
Proof of ( I ´˚ . . ) . We handle each implication separately, and we follow a pattern similarto the one used in the proof of (I ´˚ . . ) . χ ˚ p χ ´˚ ϕ q ñ ϕ (I ´˚ . . ) p χ ´˚ ϕ ^ χ ´˚ ψ q ñ χ ´˚ ϕ PC3 χ ˚ p χ ´˚ ϕ ^ χ ´˚ ψ q ñ χ ˚ p χ ´˚ ϕ q ˚ -Ilr ,24 χ ˚ p χ ´˚ ϕ ^ χ ´˚ ψ q ñ ϕ ñ -Tr , 3, 15 χ ˚ p χ ´˚ ψ q ñ ψ (I ´˚ . . ) p χ ´˚ ϕ ^ χ ´˚ ψ q ñ χ ´˚ ψ PC7 χ ˚ p χ ´˚ ϕ ^ χ ´˚ ψ q ñ χ ˚ p χ ´˚ ψ q ˚ -Ilr ,68 χ ˚ p χ ´˚ ϕ ^ χ ´˚ ψ q ñ ψ ñ -Tr , 7, 59 χ ˚ p χ ´˚ ϕ ^ χ ´˚ ψ q ñ p ϕ _ ψ q PC, 4, 810 p χ ´˚ ϕ ^ χ ´˚ ψ q ˚ χ ñ p ϕ _ ψ q (A ˚ ) + ñ -Tr , 911 p χ ´˚ ϕ ^ χ ´˚ ψ q ñ p χ ´˚ p ϕ _ ψ q ˚ -Adj , 1012 p χ ´˚ p ϕ _ ψ qq ñ p χ ´˚ ϕ q _ p χ ´˚ ψ q PC, 1113 χ ´ f p ϕ _ ψ q ñ p χ ´ f ϕ q _ p χ ´ f ψ q Def. ´ f , 12 The derivation of the other implication can be found below. ϕ ñ ϕ _ ψ PC2 ψ ñ ϕ _ ψ PC3 χ ´ f ϕ ñ p χ ´ f ϕ _ ψ q (I ´˚ . . ) , 14 χ ´ f ψ ñ p χ ´ f ϕ _ ψ q (I ´˚ . . ) , 25 pp χ ´ f ϕ q _ p χ ´ f ψ qq ñ p χ ´ f ϕ _ ψ q PC, 3, 4
Proof of (I−∗ . . ). By definition of the septraction operator −⊛, (I−∗ . . ) is equivalent to ϕ −∗ (ψ −∗ χ) ⇔ (ϕ ∗ ψ) −∗ χ. This equivalence is provable in H_C(∗, −∗), thanks to the adjunction rules.

1. (ϕ ∗ ψ) ∗ ((ϕ ∗ ψ) −∗ χ) ⇒ χ   (I−∗ . . )
2. ψ ∗ (ϕ ∗ ((ϕ ∗ ψ) −∗ χ)) ⇒ χ   (A∗), (A∗), 1
3. ϕ ∗ ((ϕ ∗ ψ) −∗ χ) ⇒ ψ −∗ χ   ∗-Adj, 2
4. (ϕ ∗ ψ) −∗ χ ⇒ ϕ −∗ (ψ −∗ χ)   ∗-Adj, 3, (A∗)
5. ϕ ∗ (ϕ −∗ (ψ −∗ χ)) ⇒ ψ −∗ χ   (I−∗ . . )
6. ψ ∗ ϕ ∗ (ϕ −∗ (ψ −∗ χ)) ⇒ χ   −∗-Adj, 5, (A∗), (A∗)
7. (ϕ ∗ ψ) ∗ (ϕ −∗ (ψ −∗ χ)) ⇒ χ   (A∗), (A∗), 6
8. ϕ −∗ (ψ −∗ χ) ⇒ (ϕ ∗ ψ) −∗ χ   ∗-Adj, 7
9. ϕ −∗ (ψ −∗ χ) ⇔ (ϕ ∗ ψ) −∗ χ   PC, 4, 8
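As an added worked illustration, not part of the paper's own derivation, the following is the semantic reading behind the adjunction equivalence proved above. It uses the standard heaplet semantics of the magic wand, under which (s, h) ⊨ ϕ −∗ ψ holds iff for every heap h' disjoint from h with (s, h') ⊨ ϕ, (s, h + h') ⊨ ψ; the names h', h_1 and h_2 for the disjoint heaps are assumed here and are not the paper's notation.

\[
\begin{aligned}
(s,h) \models \varphi \mathrel{-\!\!*} (\psi \mathrel{-\!\!*} \chi)
&\iff \forall h_1 \perp h.\;\; (s,h_1)\models\varphi \;\Rightarrow\; \forall h_2 \perp (h+h_1).\;\; (s,h_2)\models\psi \;\Rightarrow\; (s,h+h_1+h_2)\models\chi \\
&\iff \forall h' \perp h.\;\; \big(\exists h_1,h_2.\; h'=h_1+h_2 \wedge (s,h_1)\models\varphi \wedge (s,h_2)\models\psi\big) \;\Rightarrow\; (s,h+h')\models\chi \\
&\iff \forall h' \perp h.\;\; (s,h')\models \varphi*\psi \;\Rightarrow\; (s,h+h')\models\chi \\
&\iff (s,h)\models (\varphi*\psi) \mathrel{-\!\!*} \chi
\end{aligned}
\]

The second line uses the fact that h' ⊥ h with h' = h_1 + h_2 holds exactly when h_1 ⊥ h and h_2 ⊥ (h + h_1). Dualising with the definition of septraction, ϕ −⊛ ψ ≝ ¬(ϕ −∗ ¬ψ), gives (s, h) ⊨ ϕ −⊛ ψ iff there is h' ⊥ h with (s, h') ⊨ ϕ and (s, h + h') ⊨ ψ, so the same chain with ∀ and ⇒ replaced by ∃ and ∧ yields

\[
\varphi \mathrel{-\!\!\circledast} (\psi \mathrel{-\!\!\circledast} \chi) \;\iff\; (\varphi * \psi) \mathrel{-\!\!\circledast} \chi ,
\]

which is the septraction form of the axiom schema whose derivation is given above.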
Proof of ( I ´˚ . . ) . ϕ ˚ p ϕ ´˚ χ q ñ χ (I ´˚ . . ) ϕ ˚ p ϕ ´˚ p ψ ^ χ qq ñ p ψ ^ χ q (I ´˚ . . ) ϕ ˚ p ϕ ´˚ χ q ^ ϕ ˚ p ϕ ´˚ p ψ ^ χ qq ñ ψ PC, 1, 24 ϕ ˚ pp ϕ ´˚ χ q ^ p ϕ ´˚ p ψ ^ χ qqq ñ ϕ ˚ p ϕ ´˚ χ q ^ ϕ ˚ p ϕ ´˚ p ψ ^ χ qq ˚ -Ilr , PC5 ϕ ˚ pp ϕ ´˚ χ q ^ p ϕ ´˚ p ψ ^ χ qqq ñ ψ ñ -Tr , 46 p ϕ ´˚ χ q ^ p ϕ ´˚ p ψ ^ χ qq ñ p ϕ ´˚ ψ q (A ˚ ) , ˚ -Adj , 57 p ϕ ´˚ χ q ^ p ϕ ´ f ψ q ñ p ϕ ´˚ p ψ ^ χ qq PC8 p ϕ ´˚ χ q ^ p ϕ ´ f ψ q ñ p ϕ ´ f p ψ ^ χ qq Def. ´ f , 7 Proof of ( I ´˚ . . ) and ( I ´˚ . . ) . Below, we provide the derivation for the admissible axiomschema (I ´˚ . . ) (the derivation for (I ´˚ . . ) is very similar and is thus omitted). ϕ ñ p ϕ ^ x “ y q _ p ϕ ^ x ‰ y q PC2 ϕ ´ f J ñ pp ϕ ^ x “ y q _ p ϕ ^ x ‰ y qq ´ f J (I ´˚ . . ) , 13 ϕ ´ f J ñ p ϕ ^ x “ y q ´ f J _ p ϕ ^ x ‰ y q ´ f J (I ´˚ . . ) , ñ -Tr , 24 x “ y ˚ x ‰ y ñ x “ y (A ˚ ) , ˚ -Ilr x ‰ y ˚ x “ y ñ x ‰ y (A ˚ ) , ˚ -Ilr x “ y ˚ x ‰ y ñ x “ y ^ x ‰ y (A ˚ ) , ñ -Tr , PC, 4, 57 x “ y ˚ x ‰ y ñ J PC, 68 x “ y ñ p x ‰ y ´˚ Jq ˚ -Adj , 7 Ź x „ y Ď Lt t ϕ | ψ u ˇˇ „P t“ , ‰u ( ^ Ź " alloc p x q ˇˇˇˇ alloc p x q Ď Lt ϕ alloc p x q Ď Lt ψ * ^ Ź t alloc p x q Ď Lt ψ u ^ Ź alloc p x q ˇˇ alloc p x q Ď Lt ϕ ( ^ Ź t x ã Ñ y Ď Lt ψ u ^ Ź " x ã Ñ y ˇˇˇˇ alloc p x q Ď Lt ϕ x ã Ñ y Ď Lt ψ * ^ Ź " x ‰ x ˇˇˇˇ alloc p x q ^ x ã Ñ y Ď Lt ϕ x ã Ñ y Ď Lt ψ * ^ Ź " size ě β ` ´ β ˇˇˇˇ size ě β Ď Lt ϕ size ě β Ď Lt ψ * ^ Ź " x ‰ x ˇˇˇˇ x ã Ñ y Ď Lt ϕ x ã Ñ y Ď Lt ψ * ^ Ź " size ě β . ´ β ˇˇˇˇ size ě β Ď Lt ϕ size ě β Ď Lt ψ * ^ Ź " x ‰ x ˇˇˇˇ alloc p x q Ď Lt ϕ alloc p x q Ď Lt ψ * Figure 8: The formula x´ f yp ϕ, ψ q . p x ‰ y ´˚ Jq ñ x ‰ y PC, 810 p x ‰ y ´ f Jq ñ x ‰ y Def. ´ f , 911 ϕ ^ x ‰ y ñ x ‰ y PC12 p ϕ ^ x ‰ y q ´ f J ñ x ‰ y ´ f J (I ´˚ . . ) , 1113 p ϕ ^ x ‰ y q ´ f J ñ x ‰ y ñ -Tr , 10, 1214 p x “ y ^ ϕ ´ f Jq ñ p ϕ ^ x “ y q ´ f J _ x ‰ y PC, 3, 1315 p x “ y ^ ϕ ´ f Jq ñ p ϕ ^ x “ y q ´ f J PC, 14
Let ϕ and ψ be two satisfiable core types in Conj(Core(X, α)). Following the developments of Section 5, we define a formula ⟨−⊛⟩(ϕ, ψ) in Conj(Core(X, α)), for which we show that ϕ −⊛ ψ ⇔ ⟨−⊛⟩(ϕ, ψ) is provable in H_C(∗, −∗). The formula ⟨−⊛⟩(ϕ, ψ) is defined in Figure 8.

Lemma 6.4.
Let X Ď fin VAR , α ě card p X q and ϕ , ψ be satisfiable core types in CoreTypes p X , α q .The formulae x´ f yp ϕ, ψ q ˚ ϕ ñ ψ and p x´ f yp ϕ, ψ qq ˚ ϕ ñ ψ are valid. Since we aim at proving the derivability of ϕ ´ f ψ ô x´ f yp ϕ, ψ q in H C p˚ , ´˚q , the validity ofthe formula p x´ f yp ϕ, ψ qq ˚ ϕ ñ ψ should not surprise the reader. Indeed, by replacing x´ f yp ϕ, ψ q with ϕ ´ f ψ we obtain p p ϕ ´ f ψ qq ˚ ϕ ñ ψ which, unfolding the definition of ´ f ,is equivalent to the valid formula p ϕ ´˚ ψ q ˚ ϕ ñ ψ (see (I ´˚ . . ) ). On the other hand, thefact that x´ f yp ϕ, ψ q ˚ ϕ ñ ψ is valid can be puzzling at first, as the formula p ϕ ´ f ψ q ˚ ϕ ñ ψ is not valid (in general). In its essence, Lemma 6.4 shows that p ϕ ´ f ψ q ˚ ϕ ñ ψ is validwhenever ϕ and ψ are restricted to core types. Proof.
Notice that the proof of the lemma requires essentially semantical arguments. Since ϕ, ψ and ⟨−⊛⟩(ϕ, ψ) are conjunctions of literals built from core formulae, derivability of these two tautologies in H_C(∗, −∗) follows from the completeness of H_C(∗) (Theorem 5.6).
Validity of x´ f yp ϕ, ψ q ˚ ϕ ñ ψ . If x´ f yp ϕ, ψ q ˚ ϕ is inconsistent, then x´ f yp ϕ, ψ q ˚ ϕ ñ ψ is straightforwardly valid. Below, we assume that x´ f yp ϕ, ψ q ˚ ϕ is satisfiable. In particular,none of the conditions depicted in Figure 8 that result in x´ f yp ϕ, ψ q having a literal x ‰ x applies. Let p s, h q |ù x´ f yp ϕ, ψ q ˚ ϕ . Therefore, there are two disjoint heaps h and h suchthat h “ h ` h , p s, h q |ù x´ f yp ϕ, ψ q and p s, h q |ù ϕ . We show that p s, h q satisfies eachliteral L in ψ . We perform a simple case analysis on the shape of L . Notice that, below, wehave x , y P X and β P r , α s , as ψ is a core type in CoreTypes p X , α q . case: L “ x „ y , where „P t“ , ‰u : By definition of x´ f yp ϕ, ψ q , x „ y Ď Lt x´ f yp ϕ, ψ q and so p s, h q |ù x „ y . We conclude that s p x q „ s p y q , and thus p s, h q |ù x „ y . case: L “ alloc p x q : If alloc p x q Ď Lt ϕ , then p s, h q |ù alloc p x q , which implies s p x q P dom p h q directly from h Ď h . Thus, p s, h q |ù alloc p x q . Otherwise, if alloc p x q Ď Lt ϕ then, since ϕ is a core type in CoreTypes p X , α q , we have alloc p x q Ď Lt ϕ . By definitionof x´ f yp ϕ, ψ q , we derive that alloc p x q Ď Lt x´ f yp ϕ, ψ q . So, p s, h q |ù alloc p x q and thus,by h Ď h , s p x q P dom p h q . We conclude that p s, h q |ù alloc p x q . case: L “ alloc p x q : In this case, by definition of x´ f yp ϕ, ψ q , we have alloc p x q Ď Lt x´ f yp ϕ, ψ q , which implies p s, h q |ù alloc p x q . Ad absurdum , suppose p s, h q |ù alloc p x q .Since ϕ is a core type in CoreTypes p X , α q , we conclude that alloc p x q Ď Lt ϕ . However, bydefinition of x´ f yp ϕ, ψ q , this implies x ‰ x Ď Lt x´ f yp ϕ, ψ q , which contradicts the fact that x´ f yp ϕ, ψ q is satisfiable. Thus, p s, h q |ù alloc p x q , which implies s p x q R dom p h q . From h “ h ` h and s p x q R dom p h q we conclude that s p x q R dom p h q . So, p s, h q |ù alloc p x q . 
case: L “ x ã Ñ y : If alloc p x q Ď Lt ϕ , then x ã Ñ y Ď Lt x´ f yp ϕ, ψ q holds by definition of x´ f yp ϕ, ψ q . So, h p s p x qq “ s p y q and, from h Ď h we conclude that p s, h q |ù x ã Ñ y .Otherwise, let us assume that alloc p x q Ď Lt ϕ . Ad absurdum , suppose x ã Ñ y Ď Lt ϕ . Then, by definition of x´ f yp ϕ, ψ q , we derive x ‰ x Ď Lt x´ f yp ϕ, ψ q . However, thiscontradicts the satisfiability of x´ f yp ϕ, ψ q . Therefore, x ã Ñ y Ď Lt ϕ . Since ϕ is a coretype, this implies x ã Ñ y Ď Lt ϕ , and therefore h p s p x qq “ s p y q . From h Ď h we concludethat p s, h q |ù x ã Ñ y . case: L “ x ã Ñ y : By definition of x´ f yp x , y q , we have x ã Ñ y Ď Lt x´ f yp x , y q , whichimplies that if s p x q P dom p h q then h p s p x qq ‰ s p y q . Ad absurdum , suppose x ã Ñ y Ď Lt ϕ . Then, by definition of x´ f yp ϕ, ψ q , we derive x ‰ x Ď Lt x´ f yp ϕ, ψ q . However, thiscontradicts the satisfiability of x´ f yp ϕ, ψ q . Therefore x ã Ñ y Ď Lt ϕ and, since ϕ is a coretype, x ã Ñ y Ď Lt ϕ . So, if s p x q P dom p h q then h p s p x qq ‰ s p y q . By h “ h ` h andthe fact that h p s p x qq ‰ s p y q , we conclude that p s, h q |ù x ã Ñ y . case: L “ size ě β : If size ě α Ď Lt ϕ , then card p dom p h qq ě card p dom p h qq ě α , by h Ď h . As β P r , α s , this implies p s, h q |ù size ě β . Otherwise, assume size ě α Ď Lt ϕ . In particular, since ϕ is in CoreTypes p X , α q , this implies that max size p ϕ q ă α and size ě max size p ϕ q ^ size ě max size p ϕ q ` Ď Lt ϕ. We have card p dom p h qq “ max size p ϕ q . If max size p ϕ q ě β , then from h Ď h we con-clude that p s, h q |ù size ě β . Otherwise, let us assume β ą max size p ϕ q . By definitionof x´ f yp ϕ, ψ q , we conclude that size ě β ` ´ p max size p ϕ q ` q Ď Lt x´ f yp ϕ, ψ q . To-gether with β ą max size p ϕ q , this implies card p dom p h qq ě β ´ max size p ϕ q . Withcard p dom p h qq “ max size p ϕ q and h “ h ` h , this implies p s, h q |ù size ě β . 
case: L “ size ě β : Ad absurdum , suppose that size ě α Ď Lt ϕ . Then, by definitionof x´ f yp ϕ, ψ q we have size ě β . ´ α Ď Lt x´ f yp ϕ, ψ q . However, since β P r , α s , thismeans that size ě Ď Lt x´ f yp ϕ, ψ q , which contradicts the satisfiability of x´ f yp ϕ, ψ q . Therefore, size ě α Ď Lt ϕ . As ϕ is in CoreTypes p X , α q , we derive max size p ϕ q ă α and size ě max size p ϕ q ^ size ě max size p ϕ q ` Ď Lt ϕ. We conclude that card p dom p h qq ď max size p ϕ q . From size ě max size p ϕ q Ď Lt ϕ and bydefinition of x´ f yp ϕ, ψ q , we conclude that size ě β . ´ max size p ϕ q Ď Lt x´ f yp ϕ, ψ q . If β ď max size p ϕ q , then size ě Ď Lt x´ f yp ϕ, ψ q , which contradicts the satisfiabilityof x´ f yp ϕ, ψ q . Therefore, β ą max size p ϕ q . So, card p dom p h qq ă β ´ max size p ϕ q . To-gether with card p dom p h qq ď max size p ϕ q and h “ h ` h , we conclude that card p dom p h qq ă β , and thus p s, h q |ù size ě β . Validity of p x´ f yp ϕ, ψ qq ˚ ϕ ñ ψ . Let us assume p s, h q |ù p x´ f yp ϕ, ψ qq ˚ ϕ . Conse-quently, there is a literal L of x´ f yp ϕ, ψ q such that p s, h q |ù p L q ˚ ϕ holds. We show that p s, h q |ù ψ . Let h and h be two disjoint heaps such that h “ h ` h , p s, h q |ù L and p s, h q |ù ϕ . We perform a case analysis on the shape of L . As in the previous part of theproof, recall that x , y P X and β , β P r , α s . case: L “ x ‰ x : Since ϕ and ψ are satisfiable, by definition of x´ f yp ϕ, ψ q , the fact that x ‰ x Ď Lt x´ f yp ϕ, ψ q implies that one of the following three cases holds:1: alloc p x q ^ x ã Ñ y Ď Lt ϕ and x ã Ñ y Ď Lt ψ .From alloc p x q ^ x ã Ñ y Ď Lt ϕ and h Ď h , we have s p x q P dom p h q and h p s p x qq ‰ s p y q .Thus p s, h q |ù x ã Ñ y , and so, by x ã Ñ y Ď Lt ψ , p s, h q |ù ψ .2: x ã Ñ y Ď Lt ϕ and x ã Ñ y Ď Lt ψ .From x ã Ñ y Ď Lt ϕ and h Ď h , h p s p x qq “ s p y q . 
Thus p s, h q |ù x ã Ñ y and so, by x ã Ñ y Ď Lt ψ , p s, h q |ù ψ .3: alloc p x q Ď Lt ϕ and alloc p x q Ď Lt ψ .From alloc p x q Ď Lt ϕ and h Ď h , s p x q P dom p h q . Thus p s, h q |ù alloc p x q and so, by alloc p x q Ď Lt ψ , p s, h q |ù ψ . case: L “ x „ y , where „P t“ , ‰u : In this case, since p s, h q |ù L , then we have p s, h q |ù L . Now, it cannot be that L Ď Lt ϕ , as it would imply p s, h q |ù L , whichis contradictory. Therefore, by definition of x´ f yp ϕ, ψ q , we must have L Ď Lt ψ . Thisimplies p s, h q |ù ψ . case: L “ alloc p x q : By definition of x´ f yp ϕ, ψ q , alloc p x q Ď Lt ϕ and alloc p x q Ď Lt ψ .From p s, h q |ù alloc p x q we conclude that s p x q R dom p h q . By alloc p x q Ď Lt ϕ , s p x q R dom p h q . By h “ h ` h , s p x q R dom p h q . As alloc p x q Ď Lt ψ , p s, h q |ù ψ . case: L “ alloc p x q : As p s, h q |ù L , we have s p x q P dom p h q . According to the defi-nition of x´ f yp ϕ, ψ q , either alloc p x q Ď Lt ϕ or alloc p x q Ď Lt ψ . The first case cannothold, as it implies s p x q P dom p h q which contradicts the fact that h and h are disjoint.In the second case, from s p x q P dom p h q and h Ď h , we have p s, h q |ù alloc p x q . So, p s, h q |ù ψ . case: L “ x ã Ñ y : Then by definition of x´ f yp ϕ, ψ q , alloc p x q Ď Lt ϕ and x ã Ñ y Ď Lt ψ .From p s, h q |ù L , if s p x q P dom p h q then h p s p x qq ‰ s p y q . As alloc p x q Ď Lt ϕ , s p x q R dom p h q and therefore, by h “ h ` h , h p s p x qq ‰ s p y q . From x ã Ñ y Ď Lt ψ , weconclude that p s, h q |ù ψ . case: L “ x ã Ñ y : Then, by definition of x´ f yp ϕ, ψ q , x ã Ñ y Ď Lt ψ . From p s, h q |ù L and h Ď h , we derive h p s p x qq “ s p y q . From x ã Ñ y Ď Lt ψ , we derive p s, h q |ù ψ . XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 43 case: L “ size ě β ` . ´ β , where size ě β Ď Lt ψ and size ě β Ď Lt ϕ : Since itholds that p s, h q |ù L and p s, h q |ù ϕ , we derive (respectively) card p dom p h qq ď β . 
´ β and card p dom p h qq ă β . From h “ h ` h , we conclude that card p dom p h qq ă β .From size ě β Ď Lt ψ , we derive p s, h q |ù ψ . case: L “ size ě β . ´ β , where size ě β Ď Lt ψ and size ě β Ď Lt ϕ : Since wehave p s, h q |ù L and p s, h q |ù ϕ , we conclude that card p dom p h qq ě β . ´ β andcard p dom p h qq ě β . So, h “ h ` h implies card p dom p h qq ě β . By size ě β Ď Lt ψ ,we derive p s, h q |ù ψ .Before providing the proof for Lemma 6.2, we establish the existence of further derivations. Lemma 6.5.
Let X Ď fin VAR and let ϕ size be a satisfiable conjunction of literals of the form size ě β or size ě β . The following axiom schema is admissible in H C p˚ , ´˚q : (I ´˚ . . ) p ϕ size ^ Ź x P X alloc p x qq ´ f J .Proof. Notice that, since ϕ size is satisfiable, for every β , β P N such that size ě β ^ size ě β Ď Lt ϕ , we must have β ă β . Moreover, thanks to (I C ) and (I ´˚ . . ) , withoutloss of generality, we can restrict ourselves to ϕ size of the form:(1) ϕ size “ size ě β for some β ě ϕ size “ p size ě β q for some β ą ϕ size “ size ě β ^ p size ě β q for some β ą β .Indeed, given an arbitrary ϕ size , every positive literal size ě β such that β ă max size p ϕ size q can be derived starting from size ě max size p ϕ size q , by repeated applications of (I C ) . Simi-larly, let β be the smallest natural number such that size ě β Ď Lt ϕ , if any. Every literal size ě β Ď Lt ϕ with β ě β can be derived from size ě β , by repeated applicationsof the axiom (I C ) (taken in contrapositive form i.e. size ě β ñ size ě β `
1, which isderivable in H C by propositional reasoning).We write U p X q to denote the conjunction Ź x P X alloc p x q . Below, given β P N , we aimat deriving the formula p size “ β ^ U p X qq ´ f J . Notice that this implies that (I ´˚ . . ) isderivable in its instances (1)–(3): case (1): Let ϕ size “ size ě β . p size “ β ^ U p X qq ´ f J Hypothesis2 size “ β ^ U p X q ñ size ě β ^ U p X q PC, def. of size “ β p size “ β ^ U p X qq ´ f J ñ p size ě β ^ U p X qq ´ f J (I ´˚ . . ) , 24 p size ě β ^ U p X qq ´ f J Modus Ponens, 1, 3 case (2):
Let ϕ size “ size ě β . Since ϕ size is satisfiable, we have β ě p size “ β ´ ^ U p X qq ´ f J Hypothesis2 size “ β ´ ^ U p X q ñ size ě β ^ U p X q PC, def. of size “ β ´ ` p size “ β ´ ^ U p X qq ´ f J ˘ ñ ` p size ě β ^ U p X qq ´ f J ˘ (I ´˚ . . ) , 24 p size ě β ^ U p X qq ´ f J Modus Ponens, 1, 3 case (3):
Let ϕ size “ size ě β ^ size ě β . Since ϕ size is satisfiable, β ą β . p size “ β ´ ^ U p X qq ´ f J Hypothesis2 size “ β ´ ñ size ě β repeated (I C ) , as β ą β size “ β ´ ñ size ě β PC, def. of size “ β ´ size “ β ´ ^ U p X q ñ size ě β ^ size ě β ^ U p X q PC, 2, 35 ` p size “ β ´ ^ U p X qq ´ f J ˘ ñ ` p size ě β ^ size ě β ^ U p X qq ´ f J ˘ (I ´˚ . . ) , 46 p size ě β ^ size ě β ^ U p X qq ´ f J Modus Ponens, 1, 5
To conclude the proof, let us show that p size “ β ^ U p X qq ´ f J is derivable in H C p˚ , ´˚q .The proof is by induction on β , with two base cases, for β “ β “ base case: β “ : In this case, size “ “ size ě ^ size ě
1. We have, emp ´˚ Kñ emp ˚ p emp ´˚ Kq (A ˚ ) emp ˚ p emp ´˚ Kq ñK (I ´˚ . . ) emp ´˚ KñK ñ -Tr , 1, 24 emp ´ f J PC, 3, def. of ´ f alloc p x q ñ size ě (I C ) emp ñ alloc p x q PC, 5, as size ě “ emp emp ñ U p X q PC, 6 used for all x P X emp ñ size ě ^ p size ě q PC, def. of size ě β emp ñ size ě ^ p size ě q ^ U p X q PC, 7, 810 p emp ´ f Jq ñ ` p size ě ^ p size ě q ^ U p X qq ´ f J ˘ (I ´˚ . . ) , 911 p size ě ^ p size ě q ^ U p X qq ´ f J Modus Ponens, 4, 10 base case: β “ : This case corresponds exactly to the axiom (A ´˚ ) . induction step: β ě : First of all, we notice that the following formula is valid: p size “ ^ U p X qq ˚ p size “ β ´ ^ U p X qq ñ size “ β ^ U p X q . ( : )Indeed, let p s, h q be a memory state satisfying the antecedent of the implication above.So, there are disjoint heaps h and h such that h “ h ` h , card p dom p h qq “ p dom p h qq “ β ´
1, and for every x P X , s p x q R dom p h q and s p x q R dom p h q . By h “ h ` h , card p dom p h qq “ card p dom p h qq ` card p dom p h qq “ β , and for every x P X , s p x q R dom p h q . Thus, p s, h q |ù size “ β ^ U p X q .As ( : ) can be seen as a formula in SL p˚ , alloc q , by Theorem 5.6 it is derivable in H C p˚q and thus in H C p˚ , ´˚q . Let us derive p size “ β ^ U p X qq ´ f J . Let us consider asinduction hypothesis the derivability of p size “ β ´ ^ U p X qq ´ f J . Therefore, p size “ β ´ ^ U p X qq ´ f J Induction Hypothesis2 p size “ ^ U p X qq ˚ p size “ β ´ ^ U p X qq ñ size “ β ^ U p X q ( : ), see above3 p size “ ^ U p X qq ´ f J (A ´˚ ) XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 45 J ñ ` p size “ β ´ ^ U p X qq ´ f J ˘ PC, 15 ` p size “ ^ U p X qq ´ f J ˘ ñ ` p size “ ^ U p X qq ´ f pp size “ β ´ ^ U p X qq ´ f Jq ˘ (I ´˚ . . ) , 46 ` p size “ ^ U p X qq ´ f pp size “ β ´ ^ U p X qq ´ f Jq ˘ ñ ` pp size “ ^ U p X qq ˚ p size “ β ´ ^ U p X qqq ´ f J ˘ (I ´˚ . . ) ` pp size “ ^ U p X qq ˚ p size “ β ´ ^ U p X qqq ´ f J ˘ ñ ` p size “ β ^ U p X qq ´ f J ˘ (I ´˚ . . ) , 28 ` p size “ ^ U p X qq ´ f J ˘ ñ ` p size “ β ^ U p X qq ´ f J ˘ ñ -Tr , 5, 6, 79 p size “ β ^ U p X qq ´ f J Modus Ponens, 3, 8
Proof. (of Lemma 6.2) As in the statement of the lemma, let us consider X Ď fin VAR and α ě card p X q , and two core types ϕ and ψ in CoreTypes p X , α q . We want to show that thereis a conjunction χ P Conj p Core p X , α qq such that $ H C p˚ , ´˚q p ϕ ´ f ψ q ô χ .First of all, if ϕ or ψ is unsatisfiable, then $ H C p˚ , ´˚q ϕ ´ f ψ ñ K by using Lemma 4.1and the admissible axioms (I ´˚ . . ) and (I ´˚ . . ) from Lemma 6.3. Therefore, in this case,it is enough to take χ equal to x “ x to complete the proof. Otherwise, let us assumethat ϕ and ψ are satisfiable. We consider χ def “ x´ f yp ϕ, ψ q (see Figure 8), and show that $ H C p˚ , ´˚q p ϕ ´ f ψ q ô x´ f yp ϕ, ψ q . We derive each implication separately.( ñ ): Given Lemma 6.4, the proof of $ H C p˚ , ´˚q ϕ ´ f ψ ñ x´ f yp ϕ, ψ q is straightforward: x´ f yp ϕ, ψ q ˚ ϕ ñ ψ Lemma 6.4, Theorem 5.62 x´ f yp ϕ, ψ q ñ p ϕ ´˚ ψ q ˚ -Adj , 13 p ϕ ´˚ ψ q ñ x´ f yp ϕ, ψ q PC, 24 p ϕ ´ f ψ q ñ x´ f yp ϕ, ψ q Def. of ´ f , 3 ( ð ): Let us now show that $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñ ϕ ´ f ψ . First, let us note that, since x´ f yp ϕ, ψ q ˚ ϕ ñ ψ is valid (Lemma 6.4), it is derivable in H C p˚q (Theorem 5.6), andtherefore, by the rule ˚ -Adj , $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñ ϕ ´˚ ψ . From that, it follows thatit is enough to show that x´ f yp ϕ, ψ q ñ ϕ ´ f J is derivable in H C p˚ , ´˚q . Indeed, from x´ f yp ϕ, ψ q ñ ϕ ´ f J and x´ f yp ϕ, ψ q ñ ϕ ´˚ ψ , we get, by (I ´˚ . . ) , that x´ f yp ϕ, ψ q ñ ϕ ´ f ψ is derivable too.Thus, let us prove that x´ f yp ϕ, ψ q ñ ϕ ´ f J is derivable. If x´ f yp ϕ, ψ q is unsatisfiable,then from the completeness of H C with respect to Boolean combinations of core formulae(Theorem 4.2), we conclude that $ H C x´ f yp ϕ, ψ q ñK . Since H C p˚ , ´˚q extends H C , wehave $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñK . By propositional reasoning, $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñ ϕ ´ f J .Otherwise, let us assume that x´ f yp ϕ, ψ q is satisfiable. 
Directly from the definition of x´ f yp ϕ, ψ q , the following simple facts hold.1. ϕ , ψ and x´ f yp ϕ, ψ q have exactly the same equalities and inequalities.2. size ě x´ f yp ϕ, ψ q , and therefore, following the definition of x´ f yp ϕ, ψ q ,there are no size ě β Ď Lt ϕ and size ě β Ď Lt ψ with β ě β . x ‰ x does not belong to x´ f yp ϕ, ψ q . In particular, by definition of x´ f yp ϕ, ψ q , none ofthe following conditions apply: – there is x P X such that alloc p x q Ď Lt ϕ and alloc p x q Ď Lt ψ , – there are x , y P X such that x ã Ñ y P ϕ and x ã Ñ y Ď Lt ψ , – there are x , y P X such that alloc p x q ^ x ã Ñ y Ď Lt ϕ and x ã Ñ y Ď Lt ψ .From (1), we know that x´ f yp ϕ, ψ q and ϕ satisfy the same (in)equalities. Similarly tothe proof of Lemma 5.4, let x , . . . x n be a maximal enumeration of representatives of theequivalence classes (one per equivalence class) such that alloc p x i q occurs in ϕ . As it ismaximal, for every alloc p x q in Lt p ϕ q there is i P r , n s such that x i is syntactically equalto x . Moreover, by definition of x´ f yp ϕ, ψ q , for every i P r , n s , alloc p x i q Ď Lt x´ f yp ϕ, ψ q .The proof of $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñ ϕ ´ f J is by induction on the number j of variables x P X for which alloc p x q Ď Lt ϕ holds. base case: j “ : In the base case, no formula alloc p x q occurs positively in ϕ . Since ϕ is a core type, this implies that for every x P X , alloc p x q Ď Lt ϕ . Moreover, since ϕ issatisfiable, for every x , y P X , x ã Ñ y Ď Lt ϕ (see (A C ) ). Therefore, the core type ϕ issyntactically equivalent (up to associativity and commutativity of conjunction) to theformula ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq , where ‚ ϕ size def “ Ź ` t size ě β Ď Lt ϕ u Y t size ě β Ď Lt ϕ u ˘ , ‚ ϕ alloc def “ Ź x P X alloc p x q , ‚ ϕ ã Ñ def “ Ź x , y P X x ã Ñ y , ‚ ϕ (in)eq def “ Ź t x „ y Ď Lt ϕ |„P t“ , ‰uu .Since ϕ is satisfiable, so is ϕ size . 
We show that $ H C p˚ , ´˚q p ϕ size ^ ϕ alloc ^ ϕ ã Ñ q´ f J : p ϕ size ^ ϕ alloc q ´ f J (I ´˚ . . ) alloc p x q ñ x ã Ñ y (A C ) , PC3 ϕ alloc ñ ϕ ã Ñ PC, repeated 24 ϕ size ^ ϕ alloc ñ ϕ size ^ ϕ alloc ^ ϕ ã Ñ PC, 35 ` p ϕ size ^ ϕ alloc q ´ f J ˘ ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ q ´ f J ˘ (I ´˚ . . ) , 46 p ϕ size ^ ϕ alloc ^ ϕ ã Ñ q ´ f J Modus Ponens, 1, 5
Now, let us treat the formula ϕ (in)eq . From the definition of x´ f yp ϕ, ψ q , we have ϕ (in)eq Ď Lt x´ f yp ϕ, ψ q , and so by propositional reasoning, $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñ ϕ (in)eq .This allows us to conclude that $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq q ´ f J ˘ , ( : )by induction on the number of literals x „ y appearing in ϕ (in)eq , and by relying on thetwo theorems (I ´˚ . . ) and (I ´˚ . . ) . In the base case, ϕ (in)eq “ J , and so ϕ size ^ ϕ alloc ^ ϕ ã Ñ ñ ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq PC8 ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ q ´ f J ˘ ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq q ´ f J ˘ (I ´˚ . . ) , 79 p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq q ´ f J Modus Ponens, 6, 810 x´ f yp ϕ, ψ q ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq q ´ f J ˘ PC, 9
In the induction step, let ϕ (in)eq “ ϕ (in)eq ^ x „ y , where x „ y Ď Lt ϕ (in)eq . We have, x´ f yp ϕ, ψ q ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq q ´ f J ˘ Induction Hypothesis2 x´ f yp ϕ, ψ q ñ x „ y PC, as ϕ (in)eq Ď Lt x´ f yp ϕ, ψ q x „ y ^ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq q ´ f J ˘ ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq ^ x „ y q ´ f J ˘ (I ´˚ . . ) / (I ´˚ . . ) x´ f yp ϕ, ψ q ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq ^ x „ y q ´ f J ˘ PC, 1, 2, 35 x´ f yp ϕ, ψ q ñ ` p ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq q ´ f J ˘ Def. of ϕ (in)eq , 4 Since ϕ size ^ ϕ alloc ^ ϕ ã Ñ ^ ϕ (in)eq is equivalent to ϕ , from ( : ) and by (I ´˚ . . ) , weconclude that $ H C p˚ , ´˚q x´ f yp ϕ, ψ q ñ ϕ ´ f J . induction step: j ě : In this case, let i P r , n s such that alloc p x i q Ď Lt ϕ and thus, bydefinition of x´ f yp ϕ, ψ q , alloc p x i q Ď Lt x´ f yp ϕ, ψ q . We define the formula: ATOM p x i q def “ x i ã Ñ y ^ size “ x i ã Ñ y Ď Lt ϕ, for some y P Xalloc p x i q ^ size “ ^ Ź y P X x i ã Ñ y otherwiseNotice that, if there is y P X such that x i ã Ñ y Ď Lt ϕ , then the axiom schema (A ´˚ ) canbe instantiated to alloc p x i q ñ p ATOM p x i q´ f Jq . Otherwise (for all y P X , x i ã Ñ y Ď Lt ϕ )this formula is an instantiation of the axiom schema (A ´˚ ) . This allows us to show thefollowing theorem: x´ f yp ϕ, ψ q ñ ` ATOM p x i q ´ f px´ f yp ϕ, ψ q ˚ ATOM p x i qq ˘ ( ; ) alloc p x i q ñ p ATOM p x i q ´ f Jq (A ´˚ ) / (A ´˚ ) x´ f yp ϕ, ψ q ñ alloc p x i q Def. of x´ f yp ϕ, ψ q , PC3 x´ f yp ϕ, ψ q ñ p ATOM p x i q ´ f Jq ñ -Tr , 1, 24 x´ f yp ϕ, ψ q ˚ ATOM p x i q ñ x´ f yp ϕ, ψ q ˚ ATOM p x i q PC5 x´ f yp ϕ, ψ q ñ ` ATOM p x i q ´˚ px´ f yp ϕ, ψ q ˚ ATOM p x i qq ˘ ˚ -Adj , 46 x´ f yp ϕ, ψ q ñ ` ATOM p x i q ´ f px´ f yp ϕ, ψ q ˚ ATOM p x i qq ˘ (I ´˚ . . ) , 3, 5, PC From the hypothesis card p X q ď α , together with alloc p x i q Ď Lt ϕ and the fact that ϕ is satisfiable, we have max size p ϕ q ě (I C ) , instantiated with X “ t x i u ). 
In orderto show that $ H C ˚ , ´˚ x´ f yp ϕ, ψ q ñ p ϕ ´ f Jq , we split the proof depending on whethermax size p ϕ q ă α holds. case: max size p ϕ q ă α : Since ϕ is a satisfiable core type in CoreTypes p X , α q , by definitionof max size p . q , we have size ě max size p ϕ q ^ size ě max size p ϕ q ` Ď Lt ϕ . Below,we consider the formula ϕ obtained from ϕ by: ‚ replacing size ě max size p ϕ q Ď Lt ϕ with size ě max size p ϕ q , ‚ for every x P X such that x “ x i Ď Lt ϕ , replacing every literal alloc p x q Ď Lt ϕ with alloc p x q , and every literal x ã Ñ y Ď Lt ϕ with x ã Ñ y , where y P X . Explicitly, ϕ def “ ľ t x „ y Ď Lt ϕ |„P t“ , ‰uu ^ ľ t alloc p x q Ď Lt ϕ | x ‰ x i Ď Lt ϕ u^ ľ t alloc p x q Ď Lt ϕ u ^ ľ t alloc p x q | x “ x i Ď Lt ϕ u ^ ľ t x ã Ñ y Ď Lt ϕ | x ‰ x i Ď Lt ϕ u^ ľ t x ã Ñ y Ď Lt ϕ u ^ ľ t x ã Ñ y | x “ x i ^ x ã Ñ y Ď Lt ϕ u ^ size ě max size p ϕ q^ ľ t size ě β Ď Lt ϕ | β ă max size p ϕ qu ^ ľ t size ě β Ď Lt ϕ u . The formula ϕ enjoys the two following properties:A. ϕ is a satisfiable core type in CoreTypes p X , α q .B. p ATOM p x i q ˚ ϕ q ñ ϕ is valid. Proof of (A) . Since ϕ is obtained from ϕ simply by changing the polarity of some ofthe literals in Lt p ϕ q , clearly ϕ is in CoreTypes p X , α q . To show that ϕ is satisfiable,we rely on the fact that ϕ is satisfiable. Let p s, h q be a memory state satisfying ϕ .Since alloc p x i q Ď Lt ϕ , we conclude that s p x i q P dom p h q . Let us consider thedisjoint heaps h and h such that h “ h ` h and dom p h q “ t s p x i qu . We showthat p s, h q |ù ϕ by considering every L P Lt p ϕ q and showing that p s, h q |ù L . case: L “ x „ y , where „P t“ , ‰u : By definition of ϕ , p s, h q |ù L and therefore s p x q „ s p y q . Thus, p s, h q |ù L . case: L “ alloc p x q : If x “ x i Ď Lt ϕ then s p x q P dom p h q , and therefore, by h K h , s p x q R dom p h q . So, p s, h q |ù alloc p x q . Otherwise ( x ‰ x i Ď Lt ϕ ), bydefinition of ϕ , we have alloc p x q Ď Lt ϕ . 
So s p x q R dom p h q and, from h Ď h ,we conclude that p s, h q |ù alloc p x q . case: L “ x ã Ñ y : Similar to the previous case. Briefly, if x “ x i Ď Lt ϕ then,by definition of ATOM p x i q , p s, h q |ù alloc p x q , which implies p s, h q |ù x ã Ñ y .Otherwise, by definition of ϕ , x ã Ñ y Ď Lt ϕ and thus p s, h q |ù x ã Ñ y . From h Ď h , we conclude that p s, h q |ù x ã Ñ y . case: L “ alloc p x q : By definition of ϕ , alloc p x q ^ x ‰ x i Ď Lt ϕ . Therefore s p x q P dom p h q and, by definition of ATOM p x i q , s p x q R dom p h q . Since h “ h ` h , we conclude that p s, h q |ù alloc p x q . case: L “ x ã Ñ y : Similar to the previous case. By definition of ϕ , we have x ã Ñ y ^ x ‰ x i Ď Lt ϕ . Thus, h p s p x qq “ s p y q . By definition of ATOM p x i q , s p x q P dom p h q and thus h p s p x qq “ s p y q . So, p s, h q |ù x ã Ñ y . case: L “ size ě β : By definition of ϕ , β ă max size p ϕ q . Since p s, h q |ù ϕ ,we have card p dom p h qq ě max size p ϕ q . By definition of ATOM p x i q and from h “ h ` h , we have card p dom p h qq “ card p dom p h qq´ ě max size p ϕ q´ ě β .Therefore, p s, h q |ù size ě β . case: L “ size ě β : By definition of ϕ , size ě β Ď Lt ϕ or β “ max size p ϕ q .In the former case, since ϕ is satisfiable, we know that β ą max size p ϕ q . There-fore, in both cases we have β ě max size p ϕ q . Moreover, as p s, h q |ù ϕ and size ě max size p ϕ q ` Ď Lt ϕ , we have card p dom p h qq ď max size p ϕ q . Sincecard p dom p h qq “
1, by h “ h ` h we conclude that card p dom p h qq ă max size p ϕ q ď β . Therefore, p s, h q |ù size ě β . Proof of (B) . Let p s, h q |ù ATOM p x i q˚ ϕ . So, there are h and h such that h “ h ` h , p s, h q |ù ATOM p x i q and p s, h q |ù ϕ . By definition of ATOM p x i q , dom p h q “ t s p x i qu .In order to prove (B), we show that p s, h q |ù L , for every literal L P Lt p ϕ q . XIOMATISATION FOR QUANTIFIER-FREE SEPARATION LOGIC 49 Ź x „ y Ď Lt t ϕ | ψ u ˇˇ „P t“ , ‰u ( ^ Ź " alloc p x q ˇˇˇˇ alloc p x q Ď Lt ϕ alloc p x q Ď Lt ψ * ^ Ź t alloc p x q Ď Lt ψ u ^ Ź alloc p x q ˇˇ alloc p x q Ď Lt ϕ ( ^ Ź t x ã Ñ y Ď Lt ψ u ^ Ź " x ã Ñ y ˇˇˇˇ alloc p x q Ď Lt ϕ x ã Ñ y Ď Lt ψ * ^ Ź " x ‰ x ˇˇˇˇ alloc p x q ^ x ã Ñ y Ď Lt ϕ x ã Ñ y Ď Lt ψ * ^ Ź " size ě β ` ´ β ˇˇˇˇ size ě β Ď Lt ϕ size ě β Ď Lt ψ * ^ Ź " x ‰ x ˇˇˇˇ x ã Ñ y Ď Lt ϕ x ã Ñ y Ď Lt ψ * ^ Ź " size ě β . ´ β ˇˇˇˇ size ě β Ď Lt ϕ size ě β Ď Lt ψ * ^ Ź " x ‰ x ˇˇˇˇ alloc p x q Ď Lt ϕ alloc p x q Ď Lt ψ * Figure 9: The formula x´ f yp ϕ , ψ q . case: L “ x „ y , where „P t“ , ‰u : By definition of ϕ , p s, h q |ù L and so s p x q „ s p y q . Thus, p s, h q |ù L . case: L “ alloc p x q : By definition of
ATOM p x i q , alloc p x i q Ď Lt ϕ and therefore s p x q R dom p h q . By definition of ϕ , for every y P X , alloc p y q Ď Lt ϕ implies alloc p y q Ď Lt ϕ . Therefore, s p x q R dom p h q . We conclude that s p x q R dom p h q ,and so p s, h q |ù alloc p x q . case: L “ x ã Ñ y : Similar to the previous case. Briefly, by definition of
ATOM p x i q , p s, h q |ù x ã Ñ y . By definition of ϕ , p s, h q |ù x ã Ñ y . So, p s, h q |ù x ã Ñ y . case: L “ alloc p x q : If x “ x i Ď Lt ϕ , then s p x q “ s p x i q (first case of the proof),and by definition of ATOM p x i q , s p x q P dom p h q . As h Ď h , we conclude that p s, h q |ù alloc p x q . Otherwise, if x ‰ x i Ď Lt ϕ , then by definition of ϕ wehave alloc p x q Ď Lt ϕ . This implies that s p x q P dom p h q and so, from h Ď h , weconclude that p s, h q |ù alloc p x q . case: L “ x ã Ñ y : Similar to the previous case. Briefly, if x “ x i Ď Lt ϕ then, bydefinition of ATOM p x i q , p s, h q |ù x ã Ñ y and so p s, h q |ù x ã Ñ y . Otherwise ( x ‰ x i Ď Lt ϕ ), x ã Ñ y Ď Lt ϕ and therefore p s, h q |ù x ã Ñ y . So, p s, h q |ù x ã Ñ y . case: L “ size ě β : If β ă max size p ϕ q , then directly by definition of ϕ , wehave p s, h q |ù size ě β . From h Ď h , we conclude that p s, h q |ù size ě β .Otherwise, β “ max size p ϕ q . Recall that max size p ϕ q ě ϕ , size ě max size p ϕ q ´ Ď Lt ϕ . Thus, card p dom p h qq ě max size p ϕ q ´ ATOM p x i q we have card p dom p h qq “
1. As h “ h ` h , weconclude that p s, h q |ù size ě max size p ϕ q . case: L “ size ě β : As ϕ is satisfiable, β ą max size p ϕ q . By definition of ϕ , size ě max size p ϕ q Ď Lt ϕ , and so card p dom p h qq ă max size p ϕ q . Sincecard p dom p h qq “
1, card p dom p h qq ď max size p ϕ q ă β . So, p s, h q |ù size ě β .The property (A) allows us to consider the formula x´ f yp ϕ , ψ q , and show thatC. px´ f yp ϕ, ψ q ˚ ATOM p x i qq ñ x´ f yp ϕ , ψ q is valid. Proof of (C) . Figure 9 recalls the definition of x´ f yp ϕ , ψ q . First of all, notice thatit cannot be that there is x P X such that x ‰ x Ď Lt x´ f yp ϕ , ψ q . Indeed, adabsurdum , suppose the opposite. By definition of x´ f yp ϕ , ψ q , this implies that (1) alloc p x q ^ x ã Ñ y Ď Lt ϕ and x ã Ñ y Ď Lt ψ , (2) x ã Ñ y Ď Lt ϕ and x ã Ñ y Ď Lt ψ , or (3) alloc p x q Ď Lt ϕ and alloc p x q Ď Lt ψ . By definition of ϕ , this implies that(1) alloc p x q ^ x ã Ñ y Ď Lt ϕ , (2) x ã Ñ y Ď Lt ϕ or (3) alloc p x q Ď Lt ϕ . However,by definition of x´ f yp ϕ, ψ q , this implies that x ‰ x Ď Lt x´ f yp ϕ, ψ q , in contradictionwith the satisfiability of x´ f yp ϕ, ψ q . Therefore, below we assume that for all x P X , x ‰ x Ď Lt x´ f yp ϕ , ψ q .Let p s, h q |ù x´ f yp ϕ, ψ q ˚ ATOM p x i q . There are h and h such that h “ h ` h , p s, h q |ù x´ f yp ϕ, ψ q and p s, h q |ù ATOM p x i q . By definition of ATOM p x i q , dom p h q “t s p x i qu . To prove (C), we show that p s, h q |ù L , for every literal L P Lt px´ f yp ϕ , ψ qq . case: L “ x „ y , where „P t“ , ‰u : By definition of x´ f yp ϕ , ψ q , L Ď Lt t ϕ | ψ u and so, by definition of ϕ , L Ď Lt t ϕ | ψ u . By definition of x´ f yp ϕ, ψ q , L Ď Lt x´ f yp ϕ, ψ q . From p s, h q |ù x´ f yp ϕ, ψ q we derive s p x q „ s p y q . So, p s, h q |ù L . case: L “ alloc p x q : By definition of x´ f yp ϕ , ψ q , either alloc p x q Ď Lt ψ or alloc p x q Ď Lt ϕ . In the first case, by definition of x´ f yp ϕ, ψ q , alloc p x q Ď Lt x´ f yp ϕ, ψ q , and therefore s p x q R dom p h q . Moreover, since x´ f yp ϕ, ψ q is sat-isfiable, alloc p x q Ď Lt ϕ (otherwise we would have x ‰ x Ď Lt x´ f yp ϕ, ψ q ).Therefore, by definition of ATOM p x i q , we conclude that s p x q R dom p h q . 
From h = h + h, we derive s(x) ∉ dom(h), and thus (s, h) ⊨ alloc(x). In the second case (alloc(x) ⊆_Lt ϕ), by definition of ϕ we have alloc(x) ⊆_Lt ϕ and x ≠ x_i ⊆_Lt ϕ. By definition of ATOM(x_i), s(x) ∉ dom(h). By definition of ⟨−⊛⟩(ϕ, ψ), alloc(x) ⊆_Lt ⟨−⊛⟩(ϕ, ψ), and therefore s(x) ∉ dom(h). Again, by h = h + h, we have (s, h) ⊨ alloc(x).

case: L = x ↪ y: Following the definition of ⟨−⊛⟩(ϕ, ψ), x ↪ y ⊆_Lt ψ and therefore x ↪ y ⊆_Lt ⟨−⊛⟩(ϕ, ψ). Therefore, (s, h) ⊨ x ↪ y. Since ⟨−⊛⟩(ϕ, ψ) is satisfiable, x ↪ y ⊆_Lt ϕ. By definition of ATOM(x_i), we derive (s, h) ⊨ x ↪ y. From h = h + h, (s, h) ⊨ x ↪ y.

case: L = alloc(x): By definition of ⟨−⊛⟩(ϕ, ψ), we have alloc(x) ⊆_Lt ϕ and alloc(x) ⊆_Lt ψ. First, let us suppose alloc(x) ⊆_Lt ϕ. By definition of ϕ, x = x_i ⊆_Lt ϕ and so, by definition of ATOM(x_i), s(x) ∈ dom(h). From h ⊆ h, (s, h) ⊨ alloc(x). Otherwise (alloc(x) ⊆_Lt ϕ), by definition of ⟨−⊛⟩(ϕ, ψ), alloc(x) ⊆_Lt ⟨−⊛⟩(ϕ, ψ). So, s(x) ∈ dom(h), and by h ⊆ h, (s, h) ⊨ alloc(x).

case: L = x ↪ y: Similar to the previous case. By definition of ⟨−⊛⟩(ϕ, ψ), alloc(x) ⊆_Lt ϕ and x ↪ y ⊆_Lt ψ. First, let us assume alloc(x) ⊆_Lt ϕ. By definition of ϕ, x = x_i ⊆_Lt ϕ. By definition of ATOM(x_i), s(x) ∈ dom(h). Ad absurdum, suppose h(s(x)) ≠ s(y). By definition of ATOM(x_i), we have that alloc(x) ∧ x ↪ y ⊆_Lt ϕ. However, from x ↪ y ⊆_Lt ψ, this implies x ≠ x ⊆_Lt ⟨−⊛⟩(ϕ, ψ), which contradicts the satisfiability of ⟨−⊛⟩(ϕ, ψ). Therefore, h(s(x)) = s(y) and, from h ⊆ h, we conclude that (s, h) ⊨ x ↪ y. Otherwise (alloc(x) ⊆_Lt ϕ), by definition of ⟨−⊛⟩(ϕ, ψ), x ↪ y ⊆_Lt ⟨−⊛⟩(ϕ, ψ). So, h(s(x)) = s(y), and by h ⊆ h, we derive (s, h) ⊨ x ↪ y.

case: L = size ≥ β + ∸ β, where size ≥ β ⊆_Lt ϕ and size ≥ β ⊆_Lt ψ: By definition of ϕ, size ≥ β ⊆_Lt ϕ, and so β > maxsize(ϕ), since ϕ is satisfiable. By definition of ⟨−⊛⟩(ϕ, ψ) and as size ≥ maxsize(ϕ) + ⊆_Lt ϕ, we have size ≥ β + − (maxsize(ϕ) + ) ⊆_Lt ⟨−⊛⟩(ϕ, ψ), which in turn implies card(dom(h)) ≥ β ∸ maxsize(ϕ). By definition of ATOM(x_i), card(dom(h)) ≥ 1. By h = h + h, card(dom(h)) ≥ (β ∸ maxsize(ϕ)) + ≥ (β + ) ∸ maxsize(ϕ). As β > maxsize(ϕ), (s, h) ⊨ size ≥ β + − β.

case: L = size ≥ β ∸ β, where size ≥ β ⊆_Lt ϕ and size ≥ β ⊆_Lt ψ: By definition of ϕ, β < maxsize(ϕ). By definition of ⟨−⊛⟩(ϕ, ψ), we have size ≥ β ∸ maxsize(ϕ) ⊆_Lt ⟨−⊛⟩(ϕ, ψ). Notice that, since ⟨−⊛⟩(ϕ, ψ) is satisfiable, β > maxsize(ϕ). Thus, card(dom(h)) < β − maxsize(ϕ). By definition of ATOM(x_i), card(dom(h)) ≤ 1. From h = h + h, we conclude that card(dom(h)) < (β − maxsize(ϕ)) + 1. As β < maxsize(ϕ), we have β − maxsize(ϕ) + ≤ β ∸ β. Therefore, (s, h) ⊨ size ≥ β ∸ β.

We are now ready to prove that ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤). Notice that, by completeness of HC(∗) (Theorem 5.6), we conclude that the tautologies in (B) and (C) are derivable in HC(∗, −∗). Moreover, notice that alloc(x_i) ⊆_Lt ϕ and, for every y ∈ X, alloc(y) ⊆_Lt ϕ implies alloc(y) ⊆_Lt ϕ. This allows us to rely on the induction hypothesis, and conclude that ⊢_{HC(∗,−∗)} ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤). The derivation of ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤) is given below:

1  ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤)   Induction hypothesis
2  (ATOM(x_i) ∗ ϕ) ⇒ ϕ   (B), Theorem 5.6
3  (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)) ⇒ ⟨−⊛⟩(ϕ, ψ)   (C), Theorem 5.6
4  (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)) ⇒ (ϕ −⊛ ⊤)   ⇒-Tr, 1, 3
5  ⟨−⊛⟩(ϕ, ψ) ⇒ (ATOM(x_i) −⊛ (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)))   ( ; )
6  (ATOM(x_i) −⊛ (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i))) ⇒ (ATOM(x_i) −⊛ (ϕ −⊛ ⊤))   (I−∗ . . ), 4
7  (ATOM(x_i) −⊛ (ϕ −⊛ ⊤)) ⇒ ((ATOM(x_i) ∗ ϕ) −⊛ ⊤)   (I−∗ . . )
8  ((ATOM(x_i) ∗ ϕ) −⊛ ⊤) ⇒ (ϕ −⊛ ⊤)   (I−∗ . . ), 2
9  ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤)   ⇒-Tr, 5, 6, 7, 8

case: maxsize(ϕ) = α: In this case, we have size ≥ α ⊆_Lt ϕ, where we recall that α = maxsize(ϕ) ≥ 1. Following the developments of the previous case, we would like to define a formula ϕ for which the formula ϕ ∗ ATOM(x_i) ⇔ ϕ is valid. However, since ϕ is in CoreTypes(X, α), we cannot hope for ϕ to be a core type in CoreTypes(X, α). Indeed, because of size ≥ α ⊆_Lt ϕ, in order to achieve the valid formula above we must differentiate between the case where ϕ is satisfied by a memory state (s, h) such that card(dom(h)) > α, and the case where card(dom(h)) = α. Therefore, below we introduce two core types ϕ_α and ϕ_{α−1}, and define ϕ as ϕ_α ∨ ϕ_{α−1}. Since the separating conjunction distributes over disjunctions, after defining these two core types, we can easily adapt the arguments of the previous case to prove that ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤). The formula ϕ_α is obtained from ϕ by replacing, for every x ∈ X such that x = x_i ⊆_Lt ϕ, every literal alloc(x) ⊆_Lt ϕ with alloc(x), and every x ↪ y ⊆_Lt ϕ with x ↪ y, where y ∈ X. Notice that ϕ_α is defined similarly to ϕ (in the previous case of the proof), with the exception that we do not modify the polarity of size literals. Explicitly, ϕ_α is defined as follows.

ϕ_α ≝ ⋀{x ∼ y ⊆_Lt ϕ | ∼ ∈ {=, ≠}} ∧ ⋀{alloc(x) ⊆_Lt ϕ | x ≠ x_i ⊆_Lt ϕ} ∧ ⋀{alloc(x) ⊆_Lt ϕ} ∧ ⋀{alloc(x) | x = x_i ⊆_Lt ϕ} ∧ ⋀{x ↪ y ⊆_Lt ϕ | x ≠ x_i ⊆_Lt ϕ} ∧ ⋀{x ↪ y ⊆_Lt ϕ} ∧ ⋀{x ↪ y | x = x_i ∧ x ↪ y ⊆_Lt ϕ} ∧ ⋀{size ≥ β | β ∈ [ , α − 1]} ∧ size ≥ α.

The formula ϕ_{α−1} is obtained from ϕ_α by replacing size ≥ α (highlighted in the definition of ϕ_α above) by size ≥ α. The two following properties are satisfied:

D. ϕ_α and ϕ_{α−1} are satisfiable core types in CoreTypes(X, α),
E. (ATOM(x_i) ∗ (ϕ_α ∨ ϕ_{α−1})) ⇒ ϕ is valid.

Proof of (D). The proof is very similar to the one of the property (A). Here, we pinpoint the main differences.
First of all, since both ϕ_α and ϕ_{α−1} are obtained from ϕ by changing the polarity of some of the literals in Lt(ϕ), they are both in CoreTypes(X, α). To show that ϕ_α and ϕ_{α−1} are satisfiable, we rely on the fact that ϕ is satisfiable. Let (s, h) be a memory state satisfying ϕ. Since size ≥ α ⊆_Lt ϕ, card(dom(h)) ≥ α. Without loss of generality, we can assume card(dom(h)) > α. Indeed, if card(dom(h)) = α it is sufficient to add a memory cell (ℓ, ℓ) to h, such that ℓ does not correspond to a program variable x ∈ X. It is straightforward to check that the resulting memory state still satisfies ϕ. We introduce a second heap h. Let L = dom(h) ∩ {s(x) | x ∈ X} be the set of locations in dom(h) that correspond to variables in X. Since card(X) ≤ α, card(L) ≤ α. Let h ⊆ h such that L ⊆ dom(h) and card(dom(h)) = α. Again, it is straightforward to see that (s, h) satisfies ϕ. Intuitively, we rely on (s, h) to show that ϕ_α is satisfiable, and on (s, h) to show that ϕ_{α−1} is satisfiable. As alloc(x_i) ⊆_Lt ϕ, we have s(x) ∈ dom(h) and s(x) ∈ dom(h). We consider heaps h and h such that h = h + h and dom(h) = {s(x_i)}. Similarly, we consider heaps h and h such that h = h + h and dom(h) = {s(x_i)}. We show that (s, h) ⊨ ϕ_α and (s, h) ⊨ ϕ_{α−1}. Let us first discuss the former result. Let L ∈ Lt(ϕ_α). If L is not of the form size ≥ β or size ≥ β, then (s, h) ⊨ L follows exactly as in the proof of (A). Otherwise,

case: L = size ≥ β: By definition of h, card(dom(h)) = card(dom(h)) − 1 ≥ α. Since β ≤ α (as ϕ_α is in CoreTypes(X, α)), we conclude that (s, h) ⊨ size ≥ β.

case: L = size ≥ β: By definition of ϕ_α, there are no literals of the form size ≥ β in Lt(ϕ_α). Therefore, this case does not occur.

This concludes the proof of (s, h) ⊨ ϕ_α. For the proof of (s, h) ⊨ ϕ_{α−1}, let us consider L ∈ Lt(ϕ_{α−1}).
Again, if L is not of the form size ≥ β or size ≥ α, then (s, h) ⊨ L follows exactly as in the proof of (A) (replacing h by h and h by h). Otherwise,

case: L = size ≥ β: By definition of ϕ_{α−1}, we have β < α. By definition of h, card(dom(h)) = card(dom(h)) − 1 = α − 1. Therefore, (s, h) ⊨ size ≥ β.

case: L = size ≥ β: By definition of ϕ_{α−1}, β = α. Since card(dom(h)) = α − 1, we conclude that (s, h) ⊨ size ≥ β.

Proof of (E). The proof is very similar to the one of the property (B). We show that (ATOM(x_i) ∗ ϕ_α) ⇒ ϕ and (ATOM(x_i) ∗ ϕ_{α−1}) ⇒ ϕ. Then, (E) follows as the separating conjunction distributes over disjunction. First, let us consider (ATOM(x_i) ∗ ϕ_α) ⇒ ϕ, and a memory state (s, h) satisfying ATOM(x_i) ∗ ϕ_α. There are h and h such that h = h + h, (s, h) ⊨ ATOM(x_i) and (s, h) ⊨ ϕ_α. Let L ∈ Lt(ϕ). Notice that ϕ does not contain negated size ≥ β literals. If L is not size ≥ β, for some β ∈ [ , α], then (s, h) ⊨ L follows exactly as it is shown in the proof of (B). Otherwise, suppose L = size ≥ β, where β ∈ [ , α]. By definition of ϕ_α, size ≥ α ⊆_Lt ϕ_α. Therefore, card(dom(h)) ≥ α and, from h ⊆ h, we conclude that (s, h) ⊨ size ≥ β. So, (s, h) ⊨ ϕ.
Let us now consider (ATOM(x_i) ∗ ϕ_{α−1}) ⇒ ϕ and a memory state (s, h) satisfying ATOM(x_i) ∗ ϕ_{α−1}. There are h and h such that h = h + h, (s, h) ⊨ ATOM(x_i) and (s, h) ⊨ ϕ_{α−1}. Let L ∈ Lt(ϕ). Again, ϕ does not contain negated size ≥ β literals, and if L is not size ≥ β, for some β ∈ [ , α], then (s, h) ⊨ L follows exactly as is shown in the proof of (B). Otherwise, suppose L = size ≥ β, where β ∈ [ , α]. By definition of ϕ_{α−1}, size ≥ α ∸ ⊆_Lt ϕ_{α−1}. Therefore, card(dom(h)) ≥ α − 1. By definition of ATOM(x_i), card(dom(h)) = 1. From h = h + h, we conclude that card(dom(h)) ≥ α and thus (s, h) ⊨ size ≥ β. Therefore, (s, h) ⊨ ϕ.

As in the previous case of the proof, (D) allows us to consider the formulae ⟨−⊛⟩(ϕ_α, ψ) and ⟨−⊛⟩(ϕ_{α−1}, ψ) and show that

F. (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)) ⇒ ⟨−⊛⟩(ϕ_α, ψ) ∨ ⟨−⊛⟩(ϕ_{α−1}, ψ) is valid.

Proof of (F). We recall that ⟨−⊛⟩(ϕ, ψ) is satisfiable. In particular, from its definition together with size ≥ α ⊆_Lt ϕ, this implies that size ≥ α ⊆_Lt ψ, as otherwise we would have size ≥ ⊆_Lt ⟨−⊛⟩(ϕ, ψ). So, as ψ is a satisfiable core type in CoreTypes(X, α), for all β ∈ [ , α], size ≥ β ⊆_Lt ψ. Alternatively, ψ does not contain size ≥ β literals. We look at the definitions of ⟨−⊛⟩(ϕ_α, ψ) and ⟨−⊛⟩(ϕ_{α−1}, ψ).

a. Since for all β ∈ [ , α], size ≥ β ⊆_Lt ϕ_α and size ≥ β ⊆_Lt ψ, we derive that ⟨−⊛⟩(ϕ_α, ψ) does not contain size ≥ β nor size ≥ β literals (for all β ∈ [ , α]). This holds directly by definition of ⟨−⊛⟩(ϕ_α, ψ), which can be retrieved by substituting ϕ by ϕ_α in Figure 9.

b. Analogously, we know that size ≥ α ⊆_Lt ϕ_{α−1} whereas for every β ∈ [ , α − 1], size ≥ β ⊆_Lt ϕ_{α−1}, and therefore among all the literals size ≥ β or size ≥ β (β ∈ [ , α]), ⟨−⊛⟩(ϕ_{α−1}, ψ) only contains size ≥ size ≥ α (occurring positively in ϕ_α and negatively in ϕ_{α−1}), the two core types ϕ_{α−1} and ϕ_α are equal.

Directly by definition of ⟨−⊛⟩(ϕ_α, ψ) and ⟨−⊛⟩(ϕ_{α−1}, ψ), together with (a) and (b), this implies that ⟨−⊛⟩(ϕ_{α−1}, ψ) is syntactically equal to ⟨−⊛⟩(ϕ_α, ψ) ∧ size ≥ ⟨−⊛⟩(ϕ_{α−1}, ψ) ⇒ ⟨−⊛⟩(ϕ_α, ψ) is valid, and suggests us that, in order to show (F), we can simply establish that (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)) ⇒ ⟨−⊛⟩(ϕ_α, ψ) is valid. As we already stated, ϕ_α is defined as ϕ (in the previous step of the proof), with the exception that we do not modify the polarity of size ≥ β literals. Because of this, we can rely on the proof of (C). Briefly, we consider a memory state (s, h) satisfying ⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i). There are h and h such that h = h + h, (s, h) ⊨ ⟨−⊛⟩(ϕ, ψ) and (s, h) ⊨ ATOM(x_i). Let L ∈ Lt(⟨−⊛⟩(ϕ_{α−1}, ψ)). By (a), L is neither of the form size ≥ β nor of the form size ≥ β. Therefore, (s, h) ⊨ L follows exactly as shown in the proof of (C).

We are now ready to prove that ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤). By Theorem 5.6, the tautologies in (D) and (F) are derivable in HC(∗, −∗). Moreover, since alloc(x_i) ⊆_Lt {ϕ_α ; ϕ_{α−1}} and, for every y ∈ X, alloc(y) ⊆_Lt ϕ implies alloc(y) ⊆_Lt {ϕ_α ; ϕ_{α−1}}, we rely on the induction hypothesis to derive

⊢_{HC(∗,−∗)} ⟨−⊛⟩(ϕ_α, ψ) ⇒ (ϕ_α −⊛ ⊤),   ⊢_{HC(∗,−∗)} ⟨−⊛⟩(ϕ_{α−1}, ψ) ⇒ (ϕ_{α−1} −⊛ ⊤).

We are ready to derive ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤), concluding the proof:

1  ⟨−⊛⟩(ϕ_α, ψ) ⇒ (ϕ_α −⊛ ⊤)   Induction hypothesis
2  ⟨−⊛⟩(ϕ_{α−1}, ψ) ⇒ (ϕ_{α−1} −⊛ ⊤)   Induction hypothesis
3  (ATOM(x_i) ∗ (ϕ_α ∨ ϕ_{α−1})) ⇒ ϕ   (E), Theorem 5.6
4  (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)) ⇒ ⟨−⊛⟩(ϕ_α, ψ) ∨ ⟨−⊛⟩(ϕ_{α−1}, ψ)   (F), Theorem 5.6
5  ⟨−⊛⟩(ϕ_α, ψ) ∨ ⟨−⊛⟩(ϕ_{α−1}, ψ) ⇒ (ϕ_α −⊛ ⊤) ∨ (ϕ_{α−1} −⊛ ⊤)   PC, 1, 2
6  (ϕ_α −⊛ ⊤) ∨ (ϕ_{α−1} −⊛ ⊤) ⇒ ((ϕ_α ∨ ϕ_{α−1}) −⊛ ⊤)   (I−∗ . . )
7  (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)) ⇒ ((ϕ_α ∨ ϕ_{α−1}) −⊛ ⊤)   ⇒-Tr, 4, 5, 6
8  ⟨−⊛⟩(ϕ, ψ) ⇒ (ATOM(x_i) −⊛ (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i)))   ( ; )
9  (ATOM(x_i) −⊛ (⟨−⊛⟩(ϕ, ψ) ∗ ATOM(x_i))) ⇒ (ATOM(x_i) −⊛ ((ϕ_α ∨ ϕ_{α−1}) −⊛ ⊤))   (I−∗ . . ), 4
10  (ATOM(x_i) −⊛ ((ϕ_α ∨ ϕ_{α−1}) −⊛ ⊤)) ⇒ ((ATOM(x_i) ∗ (ϕ_α ∨ ϕ_{α−1})) −⊛ ⊤)   (I−∗ . . )
11  ((ATOM(x_i) ∗ (ϕ_α ∨ ϕ_{α−1})) −⊛ ⊤) ⇒ (ϕ −⊛ ⊤)   (I−∗ . . ), 3
12  ⟨−⊛⟩(ϕ, ψ) ⇒ (ϕ −⊛ ⊤)   ⇒-Tr, 8, 9, 10, 11
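Step 6 of the derivation above, and the disjunctive normal form step in the proof of Theorem 6.6 where −⊛ is pushed through the disjuncts of both of its arguments, both rest on −⊛ distributing over ∨. The following semantic check is an added worked example, not part of the paper; it assumes the standard heaplet reading of septraction as ϕ −⊛ ψ ≡ ¬(ϕ −∗ ¬ψ), i.e. (s, h) ⊨ ϕ −⊛ ψ iff some heap h' disjoint from h satisfies (s, h') ⊨ ϕ and (s, h + h') ⊨ ψ (the paper's own definition is not reproduced on this page):

```latex
% Added worked check (not from the paper). Assumed semantics of septraction:
%   (s,h) |= phi -(*) psi   iff   exists h'. h _|_ h' and (s,h') |= phi and (s,h+h') |= psi
\newcommand{\sep}{\mathbin{-\!\!\circledast}}
\begin{align*}
(s,h) \models (\varphi_1 \lor \varphi_2) \sep \psi
  &\iff \exists h'.\ h \perp h' \wedge (s,h') \models \varphi_1 \lor \varphi_2 \wedge (s,h+h') \models \psi \\
  &\iff \exists h'.\ \big(h \perp h' \wedge (s,h') \models \varphi_1 \wedge (s,h+h') \models \psi\big)
        \ \vee\ \big(h \perp h' \wedge (s,h') \models \varphi_2 \wedge (s,h+h') \models \psi\big) \\
  &\iff (s,h) \models \varphi_1 \sep \psi \ \text{ or }\ (s,h) \models \varphi_2 \sep \psi
  \qquad \text{($\exists$ commutes with $\vee$)} \\[4pt]
(s,h) \models \varphi \sep (\psi_1 \lor \psi_2)
  &\iff \exists h'.\ h \perp h' \wedge (s,h') \models \varphi \wedge
        \big((s,h+h') \models \psi_1 \vee (s,h+h') \models \psi_2\big) \\
  &\iff (s,h) \models \varphi \sep \psi_1 \ \text{ or }\ (s,h) \models \varphi \sep \psi_2 .
\end{align*}
% Hence  (phi_1 v phi_2) -(*) psi  <=>  (phi_1 -(*) psi) v (phi_2 -(*) psi)
% and    phi -(*) (psi_1 v psi_2)  <=>  (phi -(*) psi_1) v (phi -(*) psi_2)  are valid.
% Applying both to two DNFs  psi_1 = V_j psi_1^j  and  psi_2 = V_k psi_2^k  yields the
% double disjunction  V_{j,k} (psi_1^j -(*) psi_2^k)  used in the completeness proof.
% Dually, -* is universal on h': it distributes over /\ on the right, and a disjunction
% on its left becomes a conjunction:  (phi_1 v phi_2) -* psi  <=>  (phi_1 -* psi) /\ (phi_2 -* psi).
```

The implication at step 6 is the right-to-left direction of the first equivalence, instantiated with ϕ_α, ϕ_{α−1} and ψ = ⊤. The derivation above obtains it syntactically from the rule cited there; this block only records why the underlying tautology holds under the assumed semantics, which is what Theorem 5.6 is invoked for elsewhere in the proof.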
Lemma 6.2 for core types can be extended to arbitrary Boolean combinations of core formulae, as we show that the distributivity of −⊛ over disjunctions is provable in HC(∗, −∗). As a consequence of this development, we achieve the main result of the paper.

Theorem 6.6. HC(∗, −∗) is sound and complete for SL(∗, −∗).

Proof. Soundness of the proof system HC(∗, −∗) has been already established earlier, see Lemma 3.1. As far as the completeness proof is concerned, its structure is very similar to the proof of Theorem 5.6 except that we have to be able to handle the separating implication. In order to be self-contained, we reproduce some of its arguments albeit adapted to HC(∗, −∗). We need to show that for every formula ϕ in SL(∗, −∗), there is a Boolean combination of core formulae ψ such that ⊢_{HC(∗,−∗)} ϕ ⇔ ψ. In order to conclude the proof, when ϕ is valid for SL(∗, −∗), by soundness of HC(∗, −∗), we obtain that ψ is valid too and therefore ⊢_{HC(∗,−∗)} ψ as HC is a subsystem of HC(∗, −∗) and HC is complete by Theorem 4.2. By propositional reasoning, we get that ⊢_{HC(∗,−∗)} ϕ.

In order to show that every formula ϕ has a provably equivalent Boolean combination of core formulae, we heavily rely on Corollary 5.5 and on Lemma 6.2. The proof is by simple induction on the number of occurrences of ∗ or −∗ in ϕ that are not involved in the definition of some core formula of the form size ≥ β or alloc(x). For the base case, when ϕ has no occurrence of the separating connectives, x = y and x ↪ y are already core formulae, whereas emp is logically equivalent to size ≥ HC(∗, −∗), the replacement of provably equivalent formulae holds true, which is stated as follows:

R1 Let ϕ, ϕ and ψ be formulae of SL(∗, −∗) such that ⊢_{HC(∗,−∗)} ϕ ⇔ ϕ. Then, ⊢_{HC(∗,−∗)} ψ[ϕ]_ρ ⇒ ψ[ϕ]_ρ.

In order to prove R1, we are almost done as we have already shown R0 in the proof of Theorem 5.6 and the same properties hold for SL(∗, −∗) though the language is richer.
As a direct consequence of the admissibility of the rules (I−∗ . . ) and (I−∗ . . ) from Lemma 6.3, the rules below are also admissible:

ϕ ⇔ ϕ
―――――――――――――――――――
ϕ −∗ ψ ⇔ ϕ −∗ ψ

ϕ ⇔ ϕ
―――――――――――――――――――
ψ −∗ ϕ ⇔ ψ −∗ ϕ

We need the two rules as −∗ is not commutative. Consequently, by structural induction on ψ, one can conclude that ⊢_{HC(∗,−∗)} ϕ ⇔ ϕ implies ⊢_{HC(∗,−∗)} ψ[ϕ]_ρ ⇒ ψ[ϕ]_ρ.

Now, assume ϕ is a formula in SL(∗, −∗). Without loss of generality, we can assume that the separating connectives in ϕ are restricted to ∗ and −⊛ for the occurrences that are not related to abbreviations for core formulae. Indeed, ψ −⊛ ψ is a shortcut for (ψ −∗ ψ) and therefore one can replace every occurrence of ψ −∗ ψ by (ψ −⊛ ψ), assuming that ψ and ψ are already of the appropriate shape. Such a replacement is possible thanks to R1. Assume that ϕ is a formula in SL(∗, −⊛) with n + occurrences of ∗ or −⊛ not involved in the definition of core formulae. Let ψ be a subformula of ϕ (at the occurrence ρ) of the form ψ −⊛ ψ such that ψ and ψ are in Bool(Core(X, α)) and Bool(Core(X, α)), respectively. By propositional reasoning, one can show that there are formulae in disjunctive normal form ψ ∨ ··· ∨ ψ^n and ψ ∨ ··· ∨ ψ^n such that ⊢_HC ψ_i ⇔ ψ_i ∨ ··· ∨ ψ_i^{n_i} for i ∈ { , }, and moreover every ψ_i^j is a core type in CoreTypes(X, max(card(X), α, α)). Again, by using propositional reasoning but this time establishing also distributivity of ∨ over −⊛, we have

⊢_{HC(∗,−∗)} ψ −⊛ ψ ⇔ ⋁_{j ∈ [ , n], j ∈ [ , n]} ψ^j −⊛ ψ^j.

We rely on Lemma 6.2, and conclude that there is a conjunction of core formulae ψ_{j,j} in Conj(Core(X, max(card(X), α, α))) such that ⊢_{HC(∗,−∗)} ψ −⊛ ψ ⇔ ψ_{j,j}. By propositional reasoning, we get

⊢_{HC(∗,−∗)} ψ −⊛ ψ ⇔ ⋁_{j ∈ [ , n], j ∈ [ , n]} ψ_{j,j}.

Consequently (thanks to the property R1), we obtain

⊢_{HC(∗,−∗)} ϕ ⇔ ϕ[⋁_{j ∈ [ , n], j ∈ [ , n]} ψ_{j,j}]_ρ.

Note that the right-hand side formula has n occurrences of the separating connectives that are not involved in the definition of some core formula. The induction hypothesis applies, which concludes the proof. The case when ψ is a subformula of ϕ (at the occurrence ρ) of the form ψ ∗ ψ is treated as in the proof of Theorem 5.6 and therefore is omitted herein.

7. Related work
In this section, we briefly compare our Hilbert-style proof system HC(∗, −∗) with existing proof systems for SL(∗, −∗), fragments or extensions, and we recall a few landmark works proposing proof systems for abstract separation logics or for logics that are variants of Boolean BI. Those latter proof systems are not necessarily Hilbert-style and may contain labels or other similar machinery. So, this section completes the presentation of the context from Section 1 while pinpointing the main original features of our calculus. Finally, we also evoke several works that use the idea of axiomatising a fragment of a logic and of providing in the proof system means to transform any formula into an equivalent formula from that fragment. This is clearly similar to the approach we have followed, but we aim at picking examples from outside the realm of spatial and resource logics. In order to keep the length of this section reasonable, we limit ourselves to the main bibliographical entries, but additional relevant works can be found in the cited materials.

Proof systems for quantifier-free separation logic. Surprisingly, as far as we know, sound and complete proof systems for SL(∗, −∗) are very rare and the only system we are aware of is a tableaux-based calculus from [GM10] with labelled formulae (each formula is enriched with a label to be interpreted by some heap) and with resource graphs to encode symbolically constraints between heap expressions (i.e. labels). Of course, translations from separation logics into logics or theories have been designed, see e.g. [CGH05, RISK16], but the finding of proof systems for SL(∗, −∗) with all Boolean connectives and the separating connectives ∗ and −∗ has been quite challenging. Unlike [GM10], HC(∗, −∗) uses only SL(∗, −∗) formulae and therefore can be viewed as a quite orthodox Hilbert-style calculus with no extra syntactic objects. In particular, HC(∗, −∗) has no syntactic machinery to refer to heaps or to other semantical objects related to SL(∗, −∗). In [GM10], the resource graphs attached to the tableaux are designed to reason about heap constraints, and to provide control for designing strategies that lead to termination. Interestingly, the calculus in [GM10] is intended to be helpful to synthesize countermodels (which is a standard feature for labelled deduction systems [Gab96]) or to be extended to the first-order case, which is partly done in [GM10] but we know that completeness is theoretically impossible. Besides, a sound labelled sequent calculus for the first-order extension of SL(∗, −∗) is presented in [HGT15] but completeness for the sublogic SL(∗, −∗) is not established. The calculus in [HGT15] also has labels, which differs from our puristic approach. A complete sequent-style calculus for the symbolic heap fragment has been designed quite early in [BCO04] but does not deal with full SL(∗, −∗) (in particular it is not closed under Boolean connectives and does not contain the separating implication). A complexity-wise optimal decision procedure for the symbolic heap fragment is designed in [CHO+11] based on a characterisation in terms of homomorphisms.
Frameworks for abstract separation logics. Bunched logics, such as the original bunched logic BI in [OP99], are known to be closely related to separation logics, which can be viewed as concretisations of (Boolean) BI with models made of memory states, see e.g. [Pym02, Rey02, GM05, PSO18]. Actually, bunched logics come with different flavours, Boolean BI being considered as the genuine abstract version of SL(∗, −∗). Though Boolean BI has been shown undecidable in [LG13, BK14], a Hilbert-style axiomatisation can be found in [GLW06]. Our proof system HC(∗, −∗) inherits all the axiom schemas and inference rules for Boolean BI from [GLW06], which is expected as SL(∗, −∗) can be viewed as Boolean BI on concrete heaps but with the notable difference of having built-in atomic formulae x = y and x ↪ y. Bunched logics, such as Boolean BI, can be defined in several ways, for instance assuming classical or intuitionistic connectives, and in [Bro12], a unified proof theory based on display calculi [Bel82] is designed for a variety of four bunched logics, including Boolean BI (see also the nested sequent calculus for Boolean BI in [PSP13]). In display calculi, structural connectives enrich the sequent-style structures, providing a family of structural connectives accompanying the standard comma from sequent-style calculi. The main results in [Bro12] include cut-elimination, soundness and completeness. So, compared to our calculus HC(∗, −∗), the calculi in [Bro12] are designed for logics with more abstract semantical structures and own a proof-theoretical machinery that does not include labels but instead complex structured sequents.

The quest for designing frameworks dedicated to classes of abstract separation logics has been pursued in several directions. For instance, models for Boolean BI are typically relational commutative monoids but properties can be added leading to a separation theory. In [BV14], a hybrid version of Boolean BI is introduced, called HyBBI, in which nominals (in the sense of hybrid modal logics, see e.g. [ABM01]) are added in order to be able to express rich standard properties in separation theory, such as cancellativity. Not only is a Hilbert-style proof system provided for HyBBI [BV14], but a parametric completeness result is also shown. More precisely, any extension of the proof system for HyBBI with a set of specific axioms is actually complete with respect to the class of models that satisfy the axioms. This provides a very general means to axiomatise variants of Boolean BI but at the cost of having the extra machinery for nominals. Moreover, as HyBBI and its extensions are abstract separation logics with no atomic formulae of the form x = y or x ↪ y, the tools developed in [BV14] are of no help to design a Hilbert-style proof system for SL(∗, −∗) (except that its part dealing with Boolean BI is precisely borrowed from [GLW06] too). Besides, in [HCGT18] labelled sequent calculi are designed for several abstract separation logics by considering different sets of properties. The sequents contain labelled formulae (a formula prefixed by a label to be interpreted as an abstract heap) as well as relational atoms to express relationships between abstract heaps. Though the framework in [HCGT18] is modular and very general to handle abstract separation logics, it is not tailored to separation logics with concrete semantics, see [HCGT18, Section 7] for possible future directions. In contrast, as explained already, the paper [HGT15] deals with first-order separation logic with concrete semantics and presents a sound labelled sequent calculus for it. Of course, the calculus cannot be complete but, more importantly in the context of the current paper, completeness is not established for the quantifier-free fragment. In [HGT15], the sequents contain labelled formulae and relational atoms, similarly to [HCGT18] (see also [Hóu15]). Hence, this does not meet our requirements to have a pure axiomatisation in which only logical formulae from quantifier-free separation logic are allowed.

Modularity of the approaches from [Bro12, BV14, HCGT18] is further developed in the recent work [DP18, Doc19] by proposing a framework for labelled tableaux systems parametrised by the choice of separation theories (in the very sense of [BV14]). It is remarkable that the developments in [DP18, Doc19] are very general as they can handle separation theories that can be expressed in the rich class of so-called coherent first-order formulae, included in the first-order fragment Π. The first-order axioms are directly translated into inference rules. The calculi use labelled formulae (every formula is decorated by a sign and by a label) as well as constraints enforcing properties between worlds/resources. Unlike [GM10], the reasoning about labels is not outsourced but handled directly by the calculus. As several works mentioned above, the framework in [DP18, Doc19] does not provide for free a proof system for SL(∗, −∗) (which might have been a close cousin of the one in [GM10]). More importantly, similarly to the works [GM10, BV14, HCGT18], the labelled tableaux systems handle syntactic objects referring to semantical concepts related to the abstract separation logics that go beyond the only presence of formulae. In a way, modularity of the approach prevents from having a puristic calculus for SL(∗, −∗), apart from the fact that SL(∗, −∗) is not part of the logics handled in [DP18].

Axiomatising knowledge logics with reduction axioms.
In order to conclude this section, let us recall that the derivations in HC(∗, −∗) are able to simulate the bottom-up elimination of separating connectives, leading to Boolean combinations of core formulae for which the system HC(∗, −∗) is also complete. As the core formulae are (simple) formulae in SL(∗, −∗), the axiomatisation provided by HC(∗, −∗) uses only SL(∗, −∗) formulae and is complete for the full logic SL(∗, −∗) (and not only for Boolean combinations of core formulae). Note that as a by-product of our completeness proof for SL(∗, −∗), we get expressive completeness of SL(∗, −∗) with respect to Boolean combinations of core formulae, with a proof different from the developments in [Loz04a, BDL09, EIP19].

The general principle described above is familiar for axiomatising dynamic epistemic logics, in which dynamic connectives might be eliminated with the help of so-called reduction axioms, see e.g. standard examples in [vDvdHK08, vB11, WC13, FVQ19]. In a nutshell, every formula containing a dynamic operator is provably reduced to a formula without such an operator. Completeness is then established thanks to the completeness of the underlying ‘basic’ language. A similar approach for the linear µ-calculus is recently presented in [Dou17], for which a form of constructive completeness is advocated, see also [Lüc18]. Hilbert-style axiomatisations following similar high-level principles for the modal separation logics MSL(∗, ♦) and MSL(∗, ⟨≠⟩) introduced in [DF18] have been designed in [DFM19].

8. Conclusion

We presented a method to axiomatise internally quantifier-free separation logic SL(∗, −∗) based on the axiomatisation of Boolean combinations of core formulae (and even more precisely, based on the restricted fragment of core types). We designed the first proof system for SL(∗, −∗) that is completely internal and highlights the essential ingredients of the heaplet semantics. The fact that the calculus is internal simply means that the axioms and inference rules involve schemas instantiated by formulae in SL(∗, −∗) (no use of nominals, labels or other syntactic objects that are not SL(∗, −∗) formulae). Obviously, the Hilbert-style proof system presented in the paper is of theoretical interest, at least to grasp what the essential features of SL(∗, −∗) are. Still, it remains to be seen whether applications are possible for designing decision procedures, for instance to feed provers with appropriate axiom instances to accelerate the proof search.

To provide further evidence that our method is robust, it is desirable to apply it to axiomatise other separation logics, for instance by adding the list segment predicate ls [BCO04] (or more generally user-defined inductive predicates) or by adding first-order quantification. A key step in our approach is first to show that the logic admits a characterisation in terms of core formulae, and such formulae need to be designed adequately. Of course, it is required that the set of valid formulae is recursively enumerable, which discards any attempt with SL(∗, −∗, ls) or with the first-order version of SL(∗, −∗) [DLM18a, BDL12]. The second part of the paper [DLM20] introduces an extension of SL(∗, ls) and presents an axiomatisation with our method. More separation logics could be axiomatised that way; other good candidates are the version of separation logic with one individual variable studied in [DGLWM17] as well as the quantifier-free separation logic with general universes from [EIP19].
References

[ABM01] C. Areces, P. Blackburn, and M. Marx. Hybrid logics: characterization, interpolation and complexity. The Journal of Symbolic Logic, 66(3):977–1010, 2001.
[BCO04] J. Berdine, C. Calcagno, and P.W. O'Hearn. A decidable fragment of separation logic. In FST&TCS'04, volume 3328 of LNCS, pages 97–109. Springer, 2004.
[BDL09] R. Brochenin, S. Demri, and É. Lozes. Reasoning about sequences of memory states. Annals of Pure and Applied Logic, 161(3):305–323, 2009.
[BDL12] R. Brochenin, S. Demri, and É. Lozes. On the almighty wand. Information and Computation, 211:106–137, 2012.
[Bel82] N. Belnap. Display logic. Journal of Philosophical Logic, 11:375–417, 1982.
[BIP10] M. Bozga, R. Iosif, and S. Perarnau. Quantitative separation logic and programs with lists. Journal of Automated Reasoning, 45(2):131–156, 2010.
[BK14] J. Brotherston and M. Kanovich. Undecidability of propositional separation logic and its neighbours. Journal of the Association for Computing Machinery, 61(2), 2014.
[BK18] J. Brotherston and M. Kanovich. On the complexity of pointer arithmetic in separation logic. In APLAS'18, volume 11275 of LNCS, pages 329–349. Springer, 2018.
[Bro12] J. Brotherston. Bunched logics displayed. Studia Logica, 100(6):1223–1254, 2012.
[BV14] J. Brotherston and J. Villard. Parametric completeness for separation theories. In POPL'14, pages 453–464. ACM, 2014.
[CGH05] C. Calcagno, Ph. Gardner, and M. Hague. From separation logic to first-order logic. In FoSSaCS'05, volume 3441 of LNCS, pages 395–409. Springer, 2005.
[CHO+11] B. Cook, C. Haase, J. Ouaknine, M. Parkinson, and J. Worrell. Tractable reasoning in a fragment of separation logic. In CONCUR'11, volume 6901 of LNCS, pages 235–249. Springer, 2011.
[COY01] C. Calcagno, P.W. O'Hearn, and H. Yang. Computability and complexity results for a spatial assertion language for data structures. In FST&TCS'01, volume 2245 of LNCS, pages 108–119. Springer, 2001.
[DD15] S. Demri and M. Deters. Separation logics and modalities: A survey. Journal of Applied Non-Classical Logics, 25(1):50–99, 2015.
[DF18] S. Demri and R. Fervari. On the complexity of modal separation logics. In AiML'18, pages 179–198. College Publications, 2018.
[DFM19] S. Demri, R. Fervari, and A. Mansutti. Axiomatising logics with separating conjunction and modalities. In JELIA'19, volume 11468 of LNAI, pages 692–708. Springer, 2019.
[DGLWM17] S. Demri, D. Galmiche, D. Larchey-Wendling, and D. Mery. Separation logic with one quantified variable. Theory of Computing Systems, 61:371–461, 2017.
[DLM18a] S. Demri, É. Lozes, and A. Mansutti. The effects of adding reachability predicates in propositional separation logic. In FoSSaCS'18, volume 10803 of LNCS, pages 476–493. Springer, 2018.
[DLM18b] S. Demri, É. Lozes, and A. Mansutti. The effects of adding reachability predicates in propositional separation logic. arXiv:1810.05410, October 2018. 44 pages. Long version of [DLM18a].
[DLM20] S. Demri, É. Lozes, and A. Mansutti. Internal calculi for separation logics. In CSL'20, Leibniz International Proceedings in Informatics, pages 19:1–19:18. Leibniz-Zentrum für Informatik, 2020.
[Doc19] S. Docherty. Bunched logics: a uniform approach. PhD thesis, University College London, 2019.
[Dou17] A. Doumane. Constructive completeness for the linear-time µ-calculus. In LiCS'17, pages 1–12. IEEE Computer Society, 2017.
[DP18] S. Docherty and D. Pym. Modular tableaux calculi for separation theories. In FoSSaCS'18, volume 10803 of LNCS, pages 441–458. Springer, 2018.
[EIP19] M. Echenim, R. Iosif, and N. Peltier. The Bernays-Schönfinkel-Ramsey class of separation logic on arbitrary domains. In FoSSaCS'19, volume 11425 of LNCS, pages 242–259. Springer, 2019.
[FVQ19] R. Fervari and F. R. Velázquez-Quesada. Introspection as an action in relational models. Journal of Logical and Algebraic Methods in Programming, 108:1–23, 2019.
[Gab96] D. Gabbay. Labelled Deductive Systems. Oxford University Press, 1996.
[GLW06] D. Galmiche and D. Larchey-Wendling. Expressivity properties of boolean BI through relational models. In FST&TCS'06, volume 4337 of LNCS, pages 358–369. Springer, 2006.
[GM05] D. Galmiche and D. Mery. Characterizing provability in BI's pointer logic through resource graphs. In LPAR'05, volume 3835 of LNCS, pages 459–473. Springer, 2005.
[GM10] D. Galmiche and D. Méry. Tableaux and resource graphs for separation logic. Journal of Logic and Computation, 20(1):189–231, 2010.
[GvD06] V. Goranko and G. van Drimmelen. Complete axiomatization and decidability of alternating-time temporal logic. Theoretical Computer Science, 353(1-3):93–117, 2006.
[HCGT18] Z. Hóu, R. Clouston, R. Goré, and A. Tiu. Modular labelled sequent calculi for abstract separation logics. ACM Transactions on Computational Logic, 19(2):13:1–13:35, 2018.
[HGT15] Z. Hóu, R. Goré, and A. Tiu. Automated theorem proving for assertions in separation logic with all connectives. In CADE'15, volume 9195 of LNCS, pages 501–516. Springer, 2015.
[Hóu15] Z. Hóu. Labelled sequent calculi and automated reasoning for assertions in separation logic. PhD thesis, Australian National University, November 2015.
[IO01] S. Ishtiaq and P.W. O'Hearn. BI as an assertion language for mutable data structures. In POPL'01, pages 14–26. ACM, 2001.
[Kai95] R. Kaivola. Axiomatising linear time mu-calculus. In CONCUR'95, volume 962 of LNCS, pages 423–437. Springer, 1995.
[LG13] D. Larchey-Wendling and D. Galmiche. Nondeterministic phase semantics and the undecidability of Boolean BI. ACM Transactions on Computational Logic, 14(1), 2013.
[LMX16] K.G. Larsen, R. Mardare, and B. Xue. Probabilistic mu-calculus: Decidability and complete axiomatization. In FST&TCS'16, volume 65 of LIPIcs, pages 25:1–25:18. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2016.
[Loz04a] É. Lozes. Expressivité des Logiques Spatiales. PhD thesis, ENS Lyon, 2004.
[Loz04b] É. Lozes. Separation logic preserves the expressive power of classical logic. In SPACE'04, 2004.
[Lüc18] M. Lück. Axiomatizations of team logics. Annals of Pure and Applied Logic, 169(9):928–969, 2018.
[Man18] A. Mansutti. Extending propositional separation logic for robustness properties. In FST&TCS'18, volume 122 of LIPIcs, pages 42:1–42:23. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2018.
[O'H12] P.W. O'Hearn. A primer on separation logic. In Software Safety and Security: Tools for Analysis and Verification, volume 33 of NATO Science for Peace and Security Series, pages 286–318, 2012.
[OP99] P.W. O'Hearn and D. Pym. The logic of bunched implications. Bulletin of Symbolic Logic, 5(2):215–244, 1999.
[PSO18] D. Pym, J. Spring, and P.W. O'Hearn. Why separation logic works. Philosophy & Technology, pages 1–34, 2018.
[PSP13] J. Park, J. Seo, and S. Park. A theorem prover for Boolean BI. In POPL'13, pages 219–232. ACM, 2013.
[PWZ13] R. Piskać, Th. Wies, and D. Zufferey. Automating separation logic using SMT. In CAV'13, volume 8044 of LNCS, pages 773–789. Springer, 2013.
[Pym02] D. Pym. The Semantics and Proof Theory of the Logic of Bunched Implications, volume 26 of Applied Logic. Kluwer Academic Publishers, 2002.
[Rey01] M. Reynolds. An axiomatization of full computation tree logic. The Journal of Symbolic Logic, 66(3):1011–1057, 2001.
[Rey02] J.C. Reynolds. Separation logic: a logic for shared mutable data structures. In LiCS'02, pages 55–74. IEEE, 2002.
[RISK16] A. Reynolds, R. Iosif, C. Serban, and T. King. A decision procedure for separation logic in SMT. In ATVA'16, volume 9938 of LNCS, pages 244–261, 2016.
[SV18] L. Schröder and Y. Venema. Completeness of flat coalgebraic fixpoint logics. ACM Transactions on Computational Logic, 19(1):4:1–4:34, 2018.
[vB11] J. van Benthem. Logical Dynamics of Information and Interaction. Cambridge University Press, 2011.
[vDvdHK08] H. van Ditmarsch, W. van der Hoek, and B. Kooi. Dynamic Epistemic Logic, volume 337 of Synthese Library Series. Springer, Dordrecht, 2008.
[Wal00] I. Walukiewicz. Completeness of Kozen's axiomatisation of the propositional µ-calculus. Information and Computation, 157(1–2):142–182, 2000.
[WC13] Y. Wang and Q. Cao. On axiomatizations of public announcement logic. Synthese, 190(Supplement-1):103–134, 2013.
[Yan01] H. Yang. Local Reasoning for Stateful Programs. PhD thesis, University of Illinois, Urbana-Champaign, 2001.
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/