Implicit Types

First Pass

In the previous chapter, we have introduced the key heap predicate operators, and we have defined the notion of Separation Logic triple. Before we can state and prove reasoning rules for establishing triples, we need to introduce the "entailment relation". This relation, written H₁ ==> H₂, asserts that any heap that satisfies H₁ also satisfies H₂. We also need to extend the entailment relation to postconditions. We write Q₁ ===> Q₂ to asserts that, for any result value v, the entailment Q₁ v ==> Q₂ v holds. The two entailment relations appear in the statement of the rule of consequence, which admits the same statement in Separation Logic as in Hoare logic. It asserts that precondition can be strengthened and postcondition can be weakened in a specification triple.
    Lemma triple_conseq : ∀ t H Q H' Q',
      triple t H' Q' →
      H ==> H' →
      Q' ===> Q →
      triple t H Q. This chapter presents:

• the formal definition of the entailment relations,
• the fundamental properties of the Separation Logic operators: these properties are expressed either as entailments, or as equalities, which denote symmetric entailments,
• the 4 structural rules of Separation Logic: the rule of consequence, the frame rule (which can be combined with the rule of consequence), and the extractions rules for pure facts and for quantifiers,
• the tactics xsimpl and xchange that are critically useful for manipulating entailments in practice,
• (optional) details on how to prove the fundamental properties and the structural rules.

Definition of Entailment

The "entailment relationship" H₁ ==> H₂ asserts that any heap h that satisfies the heap predicate H₁ also satisfies the heap predicate H₂.

H₁ ==> H₂ captures the fact that H₁ is a stronger precondition than H₂, in the sense that it is more restrictive. As we show next, the entailment relation is reflexive, transitive, and antisymmetric. It thus forms an order relation on heap predicates.

Exercise: 1 star, standard, especially useful (himpl_antisym)

Prove the antisymmetry of entailment result shown below using extensionality for heap predicates, as captured by lemma predicate_extensionality (or lemma hprop_eq) introduced in the previous chapter (Hprop).

Remark: as the proof scripts show, the fact that entailment on hprop constitutes an order relation is a direct consequence of the fact that implication on Prop, that is, →, is an order relation on Prop (when assuming the propositional extensionality axiom). The lemma himpl_antisym may, for example, be used to establish commutativity of separating conjunction: (H₁ \* H₂) = (H₂ \* H₁) by proving that each side entails the other side, that is, by proving (H₁ \* H₂) ==> (H₂ \* H₁) and (H₂ \* H₁) ==> (H₁ \* H₂).

Entailment for Postconditions

The entailment ==> relates heap predicates. It is used to capture that a precondition "entails" another one. We need a similar judgment to assert that a postcondition "entails" another one. For that purpose, we introduce Q₁ ===> Q₂, which asserts that for any value v, the heap predicate Q₁ v entails Q₂ v.

Remark: equivalently, Q₁ ===> Q₂ holds if for any value v and any heap h, the proposition Q₁ v h implies Q₂ v h. Entailment on postconditions also forms an order relation: it is reflexive, transitive, and antisymmetric.

Fundamental Properties of Separation Logic Operators

The 5 fundamental properties of Separation Logic operators are described next. Many other properties are derivable from those. (1) The star operator is associative.

(2) The star operator is commutative.

(3) The empty heap predicate is a neutral for the star. Because star is commutative, it is equivalent to state that hempty is a left or a right neutral for hstar. We chose, arbitrarily, to state the left-neutral property.

(4) Existentials can be "extruded" out of stars, that is: (\∃ x, J x) \* H is equivalent to \∃ x, (J x \* H).

(5) The star operator is "monotone" with respect to entailment, meaning that if H₁ ==> H₁' then (H₁ \* H₂) ==> (H₁' \* H₂). Viewed the other way around, if we have to prove the entailment relation (H₁ \* H₂) ==> (H₁' \* H₂), we can "cancel out" H₂ on both sides. In this view, the monotonicity property is a sort of "frame rule for the entailment relation". Here again, due to commutativity of star, it only suffices to state the left version of the monotonicity property.

Exercise: 1 star, standard, especially useful (hstar_comm_assoc)

The commutativity and associativity results combine into one result that is sometimes convenient to exploit in proofs.

Exercise: 1 star, standard, especially useful (himpl_frame_r)

Prove himpl_frame_r, which is the symmetric of himpl_frame_l.

Exercise: 1 star, standard, especially useful (himpl_frame_lr)

The monotonicity property of the star operator w.r.t. entailment can also be stated in a symmetric fashion, as shown next. Prove this result. Hint: exploit the transitivity of entailment (himpl_trans) and the asymmetric monotonicity result (himpl_frame_l).

Introduction and Elimination Rules w.r.t. Entailments

The rules for introducing and eliminating pure facts and existential quantifiers in entailments are essential. They are presented next. Consider an entailment of the form H ==> (\[P] \* H'). To establish this entailment, one must prove that P is true, and that H entails H'.

Exercise: 2 stars, standard, especially useful (himpl_hstar_hpure_r).

Prove the rule himpl_hstar_hpure_r. Hint: recall from Hprop the lemma hstar_hpure_l, which asserts the equality (\[P] \* H) h = (P ∧ H h).

Reciprocally, consider an entailment of the form (\[P] \* H) ==> H'. To establish this entailment, one must prove that H entails H' under the assumption that P is true. The "extraction rule for pure facts in the left of an entailment" captures the property that the pure fact \[P] can be extracted into the Coq context. It is stated as follows.

Exercise: 2 stars, standard, especially useful (himpl_hstar_hpure_l).

Prove the rule himpl_hstar_hpure_l.

Consider an entailment of the form H ==> (\∃ x, J x), where x has some type A and J has type A→hprop. To establish this entailment, one must exhibit a value for x for which H entails J x.

Exercise: 2 stars, standard, especially useful (himpl_hexists_r).

Prove the rule himpl_hexists_r.

Reciprocally, consider an entailment (\∃ x, (J x)) ==> H. To establish this entailment, one has to prove that, whatever the value of x, the predicate J x entails H. Indeed the former proposition asserts that if a heap h satisfies J x for some x, then h satisfies H', while the latter asserts that if, for some x, the predicate h satisfies J x, then h satisfies H'. Observe how the existential quantifier on the left of the entailment becomes an universal quantifier outside of the arrow. The "extraction rule for existentials in the left of an entailment" captures the property that existentials can be extracted into the Coq context. It is stated as follows.

Exercise: 2 stars, standard, especially useful (himpl_hexists_l).

Prove the rule himpl_hexists_l.

Extracting Information from Heap Predicates

We next present an example showing how entailments can be used to state lemmas allowing to extract information from particular heap predicates. We show that from a heap predicate of the form (p ~~> v₁) \* (p ~~> v₂) describes two "disjoint" cells that are both "at location p", one can extract a contradiction. Indeed, such a state cannot exist. The underlying contraction is formally captured by the following entailment relation, which concludes False.

The proof of this result exploits a result on finite maps. Essentially, the domain of a single singleton map that binds a location p to some value is the singleton set \{p}, thus such a singleton map cannot be disjoint from another singleton map that binds the same location p.
    Check disjoint_single_single_same_inv : ∀ (p:loc) (v₁ v₂:val),
      Fmap.disjoint (Fmap.single p v₁) (Fmap.single p v₂) →
      False. Using this lemma, we can prove hstar_hsingle_same_loc by unfolding the definition of hstar to reveal the contradiction on the disjointness assumption.

More generally, a heap predicate of the form H \* H is generally suspicious in Separation Logic. In (the simplest variant of) Separation Logic, such a predicate can only be satisfied if H covers no memory cell at all, that is, if H is a pure predicate of the form \[P] for some proposition P.

Consequence, Frame, and their Combination

The rule of consequence in Separation Logic is similar to that in Hoare logic.

Recall the frame rule introduced in the previous chapter.

Observe that, stated as such, it is very unlikely for the frame rule to be applicable in practice, because the precondition must be exactly of the form H \* H' and the postcondition exactly of the form Q \*+ H', for some H'. For example, the frame rule would not apply to a proof obligation of the form triple t (H' \* H) (Q \*+ H'), simply because H' \* H does not match H \* H'. This limitation of the frame rule can be addressed by combining the frame rule with the rule of consequence into a single rule, called the "consequence-frame rule". This rule, shown below, enables deriving a triple from another triple, without any restriction on the exact shape of the precondition and postcondition of the two triples involved.

Exercise: 1 star, standard, especially useful (triple_conseq_frame)

Prove the combined consequence-frame rule.

The Extraction Rules for Triples

A judgment of the form triple t (\[P] \* H) Q is equivalent to P → triple t H Q. This structural rule is called triple_hpure and formalized as shown below. It captures the extraction of the pure facts out of the precondition of a triple, in a similar way as himpl_hstar_hpure_l for entailments.

A judgment of the form triple t (\∃ x, J x) Q is equivalent to ∀ x, triple t (J x) Q. This structural rule is called triple_hexists and formalized as shown below. It captures the extraction of an existential quantifier out of the precondition of a triple, in a similar way as himpl_hexists_l for entailments.

More Details

Identifying True and False Entailments

Quiz: For each entailment relation, indicate (without a Coq proof) whether it is true or false. Solutions appear further on.

The answers to the quiz are as follows. 1. True, by commutativity. 2. False, because one cell does not entail two cells. 3. False, because one cell does not entail two cells. 4. False, because one cell does not entail two cells. 5. True, because \False entails anything. 6. False, because a satisfiable heap predicate does not entail \False. 7. True, because a cell cannot be starred with itself. 8. True, because a cell cannot be starred with itself. 9. True, by instantiating n with 3. 10. False, because n could be something else than 3. 11. True, by instantiating n in RHS with n+1 for the n of the LHS. 12. True, by instantiating n with 3. 13. True, because it is equivalent to \[False] ==> \[False]. Proofs for the true results appear below.

Proving Entailments by Hand

Proving an entailment by hand is generally a tedious task. This is why most Separation Logic based framework include an automated tactic for simplifying entailments. In this course, the relevant tactic is named xsimpl. Further in this chapter, we describe by means of examples the behavior of this tactic. But in order to best appreciate what the tactic provides and best understand how it works, it is very useful to complete a few proofs by hand.

Exercise: 3 stars, standard, optional (himpl_example_1)

Prove the example entailment below. Hint: exploit hstar_comm, hstar_assoc, or hstar_comm_assoc which combines the two, and exploit himpl_frame_l or himpl_frame_r to cancel out matching pieces.

Exercise: 3 stars, standard, optional (himpl_example_2)

Prove the example entailment below. Hint: use himpl_hstar_hpure_l to extract pure facts, once they appear at the head of the left-hand side of the entailment. For arithmetic inequalities, use the math tactic.

Exercise: 3 stars, standard, optional (himpl_example_3)

Prove the example entailment below. Hint: use lemmas among himpl_hexists_r, himpl_hexists_l, himpl_hstar_hpure_r and himpl_hstar_hpure_r to deal with pure facts and quantifiers.

The xsimpl Tactic

Performing manual simplifications of entailments by hand is an extremely tedious task. Fortunately, it can be automated using specialized Coq tactic. This tactic, called xsimpl, applies to an entailment and implements a 3-step process: 1. extract pure facts and existential quantifiers from the LHS, 2. cancel out equal predicates occurring both in the LHS and RHS, 3. generate subgoals for the pure facts occurring in the RHS, and instantiate the existential quantifiers from the RHS (using either unification variables or user-provided hints). These steps are detailed and illustrated next. The tactic xpull is a degraded version of xsimpl that only performs the first step. We will also illustrate its usage.

xsimpl to Extract Pure Facts and Quantifiers in LHS

The first feature of xsimpl is its ability to extract the pure facts and the existential quantifiers from the left-hand side out into the Coq context. In the example below, the pure fact n > 0 appears in the LHS. After calling xsimpl, this pure fact is turned into an hypothesis, which may be introduced with a name into the Coq context.

In case the LHS includes a contradiction, such as the pure fact False, the goal gets solved immediately by xsimpl.

The xsimpl tactic also extracts existential quantifier from the LHS. It turns them into universally quantified variables outside of the entailment relation, as illustrated through the following example.

A call to xsimpl, or to its degraded version xpull, extract at once all the pure facts and quantifiers from the LHS, as illustrated next.

xsimpl to Cancel Out Heap Predicates from LHS and RHS

The second feature of xsimpl is its ability to cancel out similar heap predicates that occur on both sides of an entailment. In the example below, H₂ occurs on both sides, so it is canceled out by xsimpl.

xsimpl actually cancels out at once all the heap predicates that it can spot appearing on both sides. In the example below, H₂, H₃, and H₄ are canceled out.

If all the pieces of heap predicate get canceled out, the remaining proof obligation is \[] ==> \[]. In this case, xsimpl automatically solves the goal by invoking the reflexivity property of entailment.

xsimpl to Instantiate Pure Facts and Quantifiers in RHS

The third feature of xsimpl is its ability to extract pure facts from the RHS as separate subgoals, and to instantiate existential quantifiers from the RHS. Let us first illustrate how it deals with pure facts. In the example below, the fact n > 0 gets spawned in a separated subgoal.

When it encounters an existential quantifier in the RHS, the xsimpl tactic introduces a unification variable denoted by a question mark, that is, an "evar", in Coq terminology. In the example below, the xsimpl tactic turns \∃ n, .. p ~~> n .. into .. p ~~> ?x ...

The "evar" often gets subsequently instantiated as a result of a cancellation step. For example, in the example below, xsimpl instantiates the existentially quantified variable n as ?x, then cancels out p ~~> ?x from the LHS against p ~~> 3 on the right-hand-side, thereby unifying ?x with 3.

The instantiation of the evar ?x can be observed if there is another occurrence of the same variable in the entailment. In the next example, which refines the previous one, observe how n > 0 becomes 3 > 0.

(Advanced.) In some cases, it is desirable to provide an explicit value for instantiating an existential quantifier that occurs in the RHS. The xsimpl tactic accepts arguments, which will be used to instantiate the existentials (on a first-match basis). The syntax is xsimpl v₁ .. vn, or xsimpl (>> v₁ .. vn) in the case n > 3.

(Advanced.) If two existential quantifiers quantify variables of the same type, it is possible to provide a value for only the second quantifier by passing as first argument to xsimpl the special value __. The following example shows how, on LHS of the form \∃ n m, ..., the tactic xsimpl __ 4 instantiates m with 4 while leaving n as an unresolved evar.

xsimpl on Entailments Between Postconditions

The tactic xsimpl also applies on goals of the form Q₁ ===> Q₂. For such goals, it unfolds the definition of ===> to reveal an entailment of the form ==>, then invokes the xsimpl tactic.

Example of Entailment Proofs using xsimpl

The xchange Tactic

The tactic xchange is to entailment what rewrite is to equality. Assume an entailment goal of the form H₁ \* H₂ \* H₃ ==> H₄. Assume an entailment assumption M, say H₂ ==> H₂'. Then xchange M turns the goal into H₁ \* H₂' \* H₃ ==> H₄, effectively replacing H₂ with H₂'.

The tactic xchange can also take as argument equalities. The tactic xchange M exploits the left-to-right direction of an equality M, whereas xchange <- M exploits the right-to-left direction .

The tactic xchange M does accept a lemma or hypothesis M featuring universal quantifiers, as long as its conclusion is an equality or an entailment. In such case, xchange M instantiates M before attemting to perform a replacement.

How does the xchange tactic work? Consider a goal of the form H ==> H' and assume xchange is invoked with an hypothesis of type H₁ ==> H₁' as argument. The tactic xchange should attempt to decompose H as the star of H₁ and the rest of H, call it H₂. If it succeeds, then the goal H ==> H' can be rewritten as H₁ \* H₂ ==> H'. To exploit the hypothesis H₁ ==> H₁', the tactic should replace the goal with the entailment H₁' \* H₂ ==> H'. The lemma shown below captures this piece of reasoning implemented by the tactic xchange.

Exercise: 2 stars, standard, especially useful (xchange_lemma)

Prove, without using the tactic xchange, the following lemma which captures the internal working of xchange.

Optional Material

Proofs for the Separation Algebra

We next show the details of the proofs establishing the fundamental properties of the Separation Logic operators. Note that all these results must be proved without help of the tactic xsimpl, because the implementation of the tactic xsimpl itself depends on these fundamental properties. We begin with the frame property, which is the simplest to prove.

Exercise: 1 star, standard, especially useful (himpl_frame_l)

Prove the frame property for entailment. Hint: unfold the definition of hstar.

Exercise: 1 star, standard, especially useful (himpl_frame_r)

Prove the lemma himpl_frame_r, symmetric to himpl_frame_l.

The second simplest result is the extrusion property for existentials. To begin with, we exploit the antisymmetry of entailment to turn the equality into a conjunction of two entailments. Then, it is simply a matter of unfolding the definitions of hexists, hstar and ==>. By default, Coq does not display any of the parentheses written in the statement below, making the proof obligation somewhat confusing. This is a small price to pay in exchange for maximal flexibility in allowing the parsing of unparenthesized expressions such as H₁ \* \∃ x, H₂ and \∃ x, H₁ \* H₂. As a result, for this proof and the subsequent ones form this section, you should consider activating the display of parentheses. In CoqIDE, use the "View" menu, check "Display Parentheses". Alternatively, use the command "Set Printing Parentheses", or even "Set Printing All".

There remains to establish the commutativity and associativity of the star operator, and the fact that the empty heap predicate is its neutral element. To establish these properties, we need to exploit a few basic facts about finite maps. We introduce them as we go along. To prove the commutativity of the star operator, i.e. H₁ \* H₂ = H₂ \* H₁, it is sufficient to prove the entailement in one direction, e.g., H₁ \* H₂ ==> H₂ \* H₁. Indeed, the other other direction is symmetrical. The symmetry argument is captured by the following lemma, which we will exploit in the proof of hstar_comm.

To prove commutativity of star, we need to exploit the fact that the union of two finite maps with disjoint domains commutes. This fact is captured by the following lemma.
    Check Fmap.union_comm_of_disjoint : ∀ h₁ h₂,
      Fmap.disjoint h₁ h₂ →
      h₁ \u h₂ = h₂ \u h₁. The commutativity result is then proved as follows. Observe the use of the lemma hprop_op_comm, which allows establishing the entailment in only one of the two directions.

Exercise: 3 stars, standard, especially useful (hstar_hempty_l)

Prove that the empty heap predicate is a neutral element for the star. You will need to exploit the fact that the union with an empty map is the identity, as captured by lemma Fmap.union_empty_l.
  Check Fmap.union_empty_l : ∀ h,
    Fmap.empty \u h = h.

The lemma showing that hempty is a right neutral can be derived from the previous result (hempty is a left neutral) and commutativity.

Associativity of star is the most tedious result to derive. We need to exploit the associativity of union on finite maps, as well as lemmas about the disjointness of a map with the result of the union of two maps.
  Check Fmap.union_assoc : ∀ h₁ h₂ h₃,
    (h₁ \u h₂) \u h₃ = h₁ \u (h₂ \u h₃).

  Check Fmap.disjoint_union_eq_l : ∀ h₁ h₂ h₃,
      Fmap.disjoint (h₂ \u h₃) h₁
    = (Fmap.disjoint h₁ h₂ ∧ Fmap.disjoint h₁ h₃).

  Check Fmap.disjoint_union_eq_r : ∀ h₁ h₂ h₃,
     Fmap.disjoint h₁ (h₂ \u h₃)
   = (Fmap.disjoint h₁ h₂ ∧ Fmap.disjoint h₁ h₃).

Exercise: 1 star, standard, optional (hstar_assoc)

Complete the right-to-left part of the proof of associativity of the star operator.

Proof of the Consequence Rule

Recall the statement of the rule of consequence.

A direct proof of triple_conseq goes through the low-level interpretation of Separation Logic triples in terms of heaps.

An alternative proof leverages the consequence rule for the hoare judgment, namely lemma hoare_conseq.

Exercise: 2 stars, standard, especially useful (triple_conseq)

Prove the consequence rule by leveraging the lemma hoare_conseq. Hint: unfold the definition of triple, apply the lemma hoare_conseq with the appropriate arguments, then exploit himpl_frame_l to prove the entailment relations.

Proof of the Extraction Rules for Triples

Recall the extraction rule for pure facts.

To prove this lemma, we first the establish corresponding result on hoare, then derive its version for triple.

Similarly, the extraction rule for existentials for triple can be derived from that for hoare.

Exercise: 2 stars, standard, especially useful (triple_hexists)

Prove the extraction rule triple_hexists. Hint: start by stating and proving The corresponding lemma for hoare triples, named hoare_hexists.

Remark: the rules for extracting existentials out of entailments and out of preconditions can be stated in a slightly more concise way by exploiting the combinator hexists rather than its associated notation \∃ x, H, which stands for hexists (fun x ⇒ H). These formulation, shown below, tend to behave slightly better with respect to Coq unification, hence we use them in the CFML framework.

Remark: in chapter Hprop, we observed that \[P] can be encoded as \∃ (p:P), \[]. When this encoding is used, the rule triple_hpure turns out to be a particular instance of the rule triple_hexists, as we prove next.

Rules for Naming Heaps

Thereafter, we write = h for fun h' ⇒ h' = h, that is, the heap predicate that only accepts heaps exactly equal to h.

Exercise: 3 stars, standard, optional (hexists_named_eq)

Prove that a heap predicate H is equivalent to the heap predicate which asserts that the heap is, for a heap h such that H h, exactly equal to H. Hint: use hstar_hpure_l and hexists_intro, as well as the extraction rules himpl_hexists_l and himpl_hstar_hpure_l.

Exercise: 1 star, standard, optional (hoare_named_heap)

Prove that the proposition hoare t H Q is equivalent to: for any heap h satisfying the precondition H, the Hoare triple whose precondition requires the input heap to be exactly equal to h, and whose postcondition is Q holds.

Exercise: 3 stars, standard, optional (triple_named_heap)

Prove the counterpart of hoare_named_heap for Separation Logic triples. It is possible to exploit the lemma hoare_named_heap, yet there exists a simpler, more direct proof that exploits the lemma hexists_name_eq, which is stated above.

Alternative Structural Rule for Existentials

Traditional papers on Separation Logic do not include triple_hexists, but instead a rule called triple_hexists2 that includes an existential quantifier both in the precondition and the postcondition. As we show next, in the presence of the consequence rule, the two rules are equivalent. The formulation of triple_hexists is not only more concise, it is also better suited for practical applications.

Historical Notes

Nearly every project that aims for practical program verification using Separation Logic features, in one way or another, some amount of tooling for automatically simplifying Separation Logic assertion. The tactic used here, xsimpl, was developed for the CFML tool. Its specification may be found in Appendix K from the paper: http://www.chargueraud.org/research/2020/seq_seplogic/seq_seplogic.pdf though it makes sense to wait until chapter Wand for reading it.