The Logic of Separation Logic: Models and Proofs

Abstract. The standard semantics of separation logic is restricted to finite heaps. This restriction already gives rise to a logic which does not satisfy compactness, hence it does not allow for an effective, sound and complete axiomatization. In this paper we therefore study both the general model theory and proof theory of the separation logic of finite and infinite heaps over arbitrary (first-order) models. We show that we can express in the resulting logic finiteness of the models and the existence of both countably infinite and uncountable models. We further show that a sound and complete sequent calculus can still be obtained by restricting the second-order quantification over heaps to first-order definable heaps.


Introduction
Separation logic [Rey02], in the sequel also referred to as SL, extends first-order logic with the separating connectives of conjunction and implication for reasoning about programs which feature the dynamic allocation of variables that are stored at locations of that part of the memory called the 'heap'. The separating conjunction allows one to specify properties of a partition of the heap into two disjoint sub-heaps. The separating implication (also called 'the magic wand') allows one to express properties of disjoint extensions of the heap. Both separating connectives involve a second-order quantification over heaps (which are represented by binary relations).
In this paper we study both the model theory and the proof theory of SL. The standard model of SL (as introduced in [Rey02]) extends the standard model of arithmetic with the so-called 'points-to' relation, which provides a formalization of the heap in terms of the graph of a finitely-based partial function. This function assigns to each location of the heap its stored value, or is undefined if the location is not allocated. In the standard semantics of SL (here also called weak SL), the domains of heaps are finite, that is, only finitely many locations are allocated. Reasoning about finite heaps however requires an infinitary logic, because the logic of finite heaps, and that of finite model theory in general, does not satisfy the compactness property: it is straightforward to express for each natural number n that the domain of the heap contains at least n elements. It follows that every finite subset of this infinite set of sentences is satisfiable, but clearly no finite heap satisfies the entire set.
To study the general model and proof theory of full SL we (1) extend its semantics to arbitrary first-order models and (2) generalize the notion of a heap to a partial function on the underlying domain of the given (first-order) model: no restrictions are imposed on the cardinality of the domain of the heap, in contrast to weak SL, which restricts to finite heaps. Our main model-theoretic results are that in this general setting we can express: (1) finiteness of models, (2) well-foundedness of the points-to relation, and (3) existence of countably infinite and uncountable models. As a consequence, full SL satisfies neither compactness nor the downward and upward Löwenheim-Skolem theorems (see [CK13]). Non-compactness implies that there does not exist an effective, sound and complete proof theory for SL. In fact, we will show that the well-foundedness of the points-to relation can already be expressed in full SL using only separating conjunction. Consequently, full SL without separating implication is already non-compact. For full SL without separating implication but in which separating conjunction only occurs positively, the fragment which we call separation logic light (SLL), we do have compactness of satisfiability, but its semantic consequence relation is not compact and therefore it also does not allow for an effective, sound and complete proof theory.
The question thus arises whether there exists an alternative interpretation of SL that does allow for an effective, sound and complete proof theory. Clearly, the main complexity of SL stems from the (second-order) quantification over heaps (or sub-heaps, as in the case of the separating conjunction). For second-order logic a sound and complete axiomatization can be obtained by generalizing its semantics by means of so-called general models. Such models extend first-order models with a set of possible interpretations of the second-order variables. For example, instead of interpreting a monadic predicate over all possible subsets of the given first-order domain, a general model restricts its interpretation to a given set of such subsets. This generalization of the semantics of second-order logic allows for a sound and complete axiomatization by restricting to so-called Henkin models. A Henkin model is a general model for second-order logic which additionally satisfies the comprehension axiom ∃R∀x_1, ..., x_n(R(x_1, ..., x_n) ↔ φ(x_1, ..., x_n)) for any second-order formula φ(x_1, ..., x_n) which does not contain the n-ary relation symbol R. In the arithmetic comprehension axiom φ(x_1, ..., x_n) is first-order.
Generalizing the semantics of SL accordingly in ter
ms of a given set of possible heaps, which does not necessarily contain all heaps, we can formulate in SL the following version of the arithmetic comprehension axiom, ◇∀x, y((x → y) ↔ φ(x, y)), which expresses the existence of a heap such that its graph, as denoted by the points-to relation →, satisfies the 'pure' first-order formula φ(x, y) (i.e., φ does not involve the separating connectives and the points-to relation). The ◇ modality (formally defined in Sect. 3) expresses the existence of a heap which satisfies the associated formula. Such an instance of the arithmetic comprehension axiom holds if there exists a heap which is characterized by the formula φ(x, y). We cannot generalize this axiom to arbitrary SL formulas because it is not obvious how to avoid contradictions like ◇(∀x, y((x → y) ↔ ¬(x → y))). Simply requiring that the points-to relation does not occur in φ(x, y) does not work because the separating connectives implicitly refer to it. Therefore, we introduce a new interpretation of SL that restricts the (second-order) quantification to first-order definable heaps. For this new interpretation we introduce a sequent calculus which is sound and complete. The completeness proof is based on the construction of a model for a consistent theory (a theory from which false is not derivable), following [Hen49]. From the completeness proof we further derive that this new interpretation satisfies both compactness and the downward Löwenheim-Skolem theorem. By the seminal theorem of Lindström we then infer that this new interpretation is as expressive as first-order logic.
Related Work. The model theory of SL has been focused mainly on finite heaps. For example, the computability and complexity results in [CYO01] depend on this assumption. Surprisingly, in [BDL12] the authors show that weak SL is as expressive as weak second-order logic [Man96], which is a semantics of second-order logic where quantification is restricted to finite relations. In [DD16] this result is further refined by the restriction to two variables and the separating implication (no separating conjunction), which still is as expressive as weak second-order logic. In [EIP20] the satisfiability problem for SL with k record fields has been studied for finite heaps, but over arbitrary first-order models. A tableaux method for a propositional fragment of SL has been developed in [GM10] which has been proven sound and complete. Extensions to first-order SL are discussed assuming finite heaps. In fact, the tableaux method introduced is based on a labelling mechanism for encoding finite heap structures.
In contrast, when investigating complete proof systems for SL the assumption of the finiteness of heaps has to be dropped, thus allowing for infinite heaps, because, as already observed above, finiteness leads to non-compactness. Our general model theory shows that this generalization of SL, full SL, is also non-compact, and therefore does not allow for a finitary sound and complete logic either. Consequently, to obtain such a logic one either has to syntactically restrict SL or further abstract or generalize its semantics. In [DLM21], for example, a sound and complete sequent calculus is described for a quantifier-free subset of SL. On the other hand, examples of further abstractions and generalizations are [HT16] and [Pym02], and both describe a finitary logic which is sound and complete. In [Pym02], models are based on very general preordered commutative monoids and there is no points-to relation. In [HT16], special commutative monoids called separation algebras are used to give semantics to the separating connectives. The elements of such separation algebras represent heaps as relations on the underlying (first-order) domain. This allows for a standard set-theoretic interpretation of the points-to relation. However, the semantics of separating conjunction is defined in terms of the abstract monoid, and as such is decoupled from the set-theoretic interpretation of the points-to relation. For example, a first-order specification (using plain conjunction) of an enumeration of the elements of the domain of a (finite) heap as a set does not in general correspond with an enumeration using separating conjunction.
A sound and complete axiomatization of the points-to relation in the general context of first-order SL respecting its standard set-theoretic interpretation thus remains a main challenge.
Second-order logic allows for a straightforward translation of the (weak or full) semantics of SL, and one can use second-order logic to reason about validity in SL. This approach is followed for example by the Iris project [JKJ+18], which formalizes the semantics of weak SL in the higher-order logic of Coq [HH14]. By restricting the semantics of the separating connectives to (first-order) definable heaps, our approach instead transforms a compositional second-order logical description of the semantics of SL into corresponding rules of a standard first-order sequent calculus. The resulting calculus allows us to reason, in a natural manner, in first-order logic about the (hierarchical) heap structures generated by the rules for the separating connectives. As such it does not involve the additional tree structures of the so-called bunched contexts of the sequent calculi of [HT16] and [Pym02]. Also [Kri08] avoids the use of bunched contexts in a modal sequent calculus for propositional SL, which is proven sound. However, it is incomplete because it provides limited support for equational reasoning about the modal contexts (so-called 'worlds') associated with the SL formulas.
Plan of the Paper. In the next section we introduce the syntax and semantics of full SL. In Sect. 3 we investigate the expressiveness of full SL. Section 4 introduces a restriction of the semantics to definable heaps. In Sect. 5 we introduce the sequent calculus, and discuss soundness and completeness. Finally, in the conclusion section we wrap up, and discuss some future work.

Separation Logic
In this section we introduce the syntax of SL and define its classical semantics with respect to arbitrary first-order models. For an intuitive introduction to separation logic, see [Rey05]. Given a first-order signature of function and predicate symbols (we allow for a countably infinite set of such symbols) and a countably infinite set of first-order variables x, y, z, ..., the first-order terms of this signature are denoted by t, t', ....
We have the following inductive definition of formulas of separation logic.
Definition 1 (Syntax of SL). We define
where R is an n-ary relation symbol. As a special case we have the binary 'points-to' relation symbol → (also called the weak/loose points-to).
Let M = (D, I) denote a first-order model, where D denotes the non-empty domain and I provides an interpretation of the function and predicate symbols as functions and relations over D. A valuation s assigns elements of the domain D of M to the first-order variables x, y, z, .... We omit the standard inductive definition of the value I_s(t) of a term t. Given a model M = (D, I), we denote by M, h, s |= p that p holds in the model M, under the interpretation h ⊆ D × D of the binary relation symbol →, where h denotes a so-called heap, represented as the graph of a partial function with finite domain.
Definition 2 (Semantics of SL). We have the following main cases:
M, h, s |= t → t' if and only if ⟨I_s(t), I_s(t')⟩ ∈ h;
M, h, s |= emp if and only if h = ∅;
M, h, s |= p * q if and only if there exist h_1 ⊥ h_2 with h = h_1 ∪ h_2 such that M, h_1, s |= p and M, h_2, s |= q;
M, h, s |= p −* q if and only if for every h' ⊥ h with M, h', s |= p we have M, h ∪ h', s |= q.
Other cases are the Tarski-style semantics of classical logic [Yan01, Table 5.2].
In the above definition we use the set-theoretic operation of union of binary relations as sets of pairs. On the other hand, by h_1 ⊥ h_2 we denote that the domains of the relations h_1 and h_2 are disjoint. As such, we can introduce the strict/tight points-to relation of SL, which we write t ↦ t' and which is defined by M, h, s |= t ↦ t' if and only if h = {⟨I_s(t), I_s(t')⟩}, as a derived concept: it can be expressed by (t → t') ∧ ∀x, y((x → y) → (x = t ∧ y = t')). The concept emp of the empty relation can also be expressed by ∀x, y ¬(x → y). Intuitionistic SL only allows for the weak/loose points-to relation. The strict version cannot be expressed in intuitionistic SL because of its monotonicity property that the truth of a formula is preserved by extensions of the domain of the heap [Rey00]. In this article we focus on classical separation logic only. Let (x_i → −) abbreviate ∃y(x_i → y). The sentences φ_n defined by ∃x_1, ..., x_n((x_1 → −) * ... * (x_n → −)) then state that there exist at least n allocated elements of the underlying domain of the given first-order model. Note that the semantics of the separating conjunction implies that x_i ≠ x_j for i ≠ j. It is also possible to formulate the same property using propositional conjunction instead of separating conjunction by explicitly stating this fact, that the variables are not aliases. Now collect all φ_n in a set. Clearly, every finite subset of this set of sentences is satisfied by a finite heap, but there does not exist a finite heap satisfying all these sentences.
This simple counterexample to compactness provides the basic motivation to study the above semantics of SL extended to unbounded heaps, i.e. heaps which potentially have an infinite domain.
Further, for technical convenience only, we generalize the semantics to arbitrary binary relations. For an arbitrary (binary) relation R ⊆ D × D on the underlying domain D of the given first-order model, we define M, R, s |= p as above, where the interpretation of the separating connectives ranges over arbitrary subsets of D × D. In fact, in this generalized semantics, which we call relational SL, we can model the restriction to heaps simply by syntactically restricting the separating implication to assertions of the form (p ∧ fun) −* q, where fun denotes the assertion ∀x, y, z((x → y ∧ x → z) → y = z). Let p' denote the result of restricting syntactically all occurrences of the separating implication in p to heaps (as described above). It follows that the evaluation of p' ∧ fun is restricted to heaps.
It is worthwhile to observe here that there exists a straightforward formalization of relational SL in second-order logic. For any formula p as defined above we define inductively the second-order formula p(R), where R is a binary relation variable.

Definition 3 (Logical formalization of relational SL).
We have the following main cases.
Here we denote by R = R_1 ⊎ R_2, for any binary relation symbols R, R_1, R_2, the conjunction of the formulas ∀x, y(R(x, y) ↔ (R_1(x, y) ∨ R_2(x, y))) and ∀x, y, z(¬R_1(x, y) ∨ ¬R_2(x, z)). We denote by M, s |= φ the standard truth definition of a second-order formula φ, where the valuation s additionally interprets the second-order variables. Correctness of this translation, that is, M, R, s |= p if and only if M, s[R := R] |= p(R) (where s[R := R] denotes the update of s which assigns to the binary variable R the relation R), can be established by a straightforward induction on p.

Model Theory: Compactness and Countability
To explore the general model theory of SL we introduce two modalities. The first, □p, abbreviates true * (emp ∧ (true −* p)): the separating conjunction splits off the empty relation, and the separating implication then ranges over all relations extending it, so □p states that p holds for every interpretation of →, independently of the current one. Its dual ◇p abbreviates ¬□¬p and states that some interpretation of → satisfies p. The second modality, ¬(true * ¬p), states that p holds for every sub-relation of the current interpretation of →.
Characterizing Finite Models. The above □-modality allows one to express that the domain D of a model M = (D, I) is finite, by asserting that every injective function f : D → D is a surjection: let inj be the conjunction of the formulas fun (as defined above), ∀x, y, z((x → z ∧ y → z) → x = y), and ∀x∃y(x → y). We have that M, R, s |= inj if and only if R : D → D is an injective function (note that the domain of R is D because M, R, s |= ∀x∃y(x → y)). And so M, R, s |= □(inj → ∀x∃y(y → x)) if and only if D is finite. Note that the occurrences of → in the scope of the □-modality are universally bound, and the interpretation of → thus ranges over all R ⊆ D × D.
Characterizing Countable Infinity. We next show that countability of the underlying domain of a model can be expressed, using the above two modalities. We will be working with chains related by →, and in that sense we speak of a predecessor of x, being any y such that (y → x), and a successor of x, being any y such that (x → y). Let enum be the conjunction of the following formulas:
- the above formula inj,
- the formula ∃!x∀y ¬(y → x), which states the existence of a unique minimal element (that is, an element that has no predecessor),
- the formula ¬(true * ¬(emp ∨ ∃x((x → −) ∧ ∀y((y → −) → ¬(y → x))))), which expresses that the points-to relation → is well-founded: every non-empty sub-relation has an allocated element without a predecessor in that sub-relation.
We thus have that M, R, s |= ◇enum implies that the domain of M is countably infinite. The formula ◇enum further abstracts from the current interpretation of the points-to relation →, so that if the domain of M is countably infinite then M, R, s |= ◇enum, for arbitrary R (and s).

Note that a relation
The class of uncountable models is characterized by ¬(◇enum ∨ fin), where fin denotes the above formula □(inj → ∀x∃y(y → x)), which characterizes the class of finite models.
Summarizing, the logic of full SL is neither compact nor does it satisfy the Löwenheim-Skolem theorem, because it can distinguish between countable and uncountable models. Further, we observe that the above expressiveness results do not depend on the interpretation of the points-to relation as an arbitrary relation. That is, these results also hold for the semantics restricted to (infinite) heaps.
Interestingly, since we can express that the points-to relation → is well-founded (see above), even restricting to the separating conjunction gives rise to non-compactness: given a countably infinite set of individual constants c_n, n ≥ 0, let Γ consist of the above well-foundedness formula ¬(true * ¬(emp ∨ ∃x((x → −) ∧ ∀y((y → −) → ¬(y → x))))) and the formulas c_{n+1} → c_n, n ≥ 0. Clearly, every finite subset of Γ is satisfiable but Γ itself is not. Note that we do not need to require that c_i ≠ c_j for every i ≠ j, because in case the formulas c_{n+1} → c_n, n ≥ 0, are satisfied and additionally c_i = c_j holds for some i ≠ j, we have a loop in the interpretation of →, which already violates well-foundedness. Further, SL restricted to separating conjunction also does not satisfy the upward Löwenheim-Skolem theorem, because, as argued above, M, R, s |= enum implies that the domain of M is countably infinite.
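The following Python script is an added example (it is not part of the paper or its authors' work). It evaluates relational SL over a constructed three-element model by brute force, enumerating the partitions required by * and the disjoint extensions required by −*, exactly as in the relational semantics of Sect. 2. It then checks, over all 512 relations, the derived strict points-to and the sentences φ_n of Sect. 2, the finiteness formula □(inj → ∀x∃y(y → x)), the well-foundedness formula ¬(true * ¬(emp ∨ ...)) on a chain, a cycle and a self-loop, and that enum has no model on a finite domain (so ◇enum is false there). The domain D = {0, 1, 2}, the tuple encoding of formulas and all function names are assumptions of the example.

```python
from itertools import product

D = (0, 1, 2)   # assumed domain; with '=' and -> as the only symbols there are 2^9 = 512 relations

def disjoint(R1, R2):            # R1 ⊥ R2: the domains are disjoint
    return not ({a for a, _ in R1} & {a for a, _ in R2})

def relations():                 # all binary relations on D, as frozensets of pairs
    pairs = [(a, b) for a in D for b in D]
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(p for p, bit in zip(pairs, bits) if bit)

def subrelations(R):
    pairs = sorted(R)
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(p for p, bit in zip(pairs, bits) if bit)

def sat(R, s, p):
    """M, R, s |= p, for p encoded as nested tuples, e.g. ('sep', A, B) for A * B; terms are variables."""
    if p == 'true':
        return True
    if p == 'emp':
        return not R
    op, a = p[0], p[1:]
    if op == 'pt':               # weak points-to t -> t'
        return (s[a[0]], s[a[1]]) in R
    if op == 'eq':
        return s[a[0]] == s[a[1]]
    if op == 'not':
        return not sat(R, s, a[0])
    if op == 'and':
        return sat(R, s, a[0]) and sat(R, s, a[1])
    if op == 'or':
        return sat(R, s, a[0]) or sat(R, s, a[1])
    if op == 'imp':
        return not sat(R, s, a[0]) or sat(R, s, a[1])
    if op == 'ex':
        return any(sat(R, {**s, a[0]: d}, a[1]) for d in D)
    if op == 'all':
        return all(sat(R, {**s, a[0]: d}, a[1]) for d in D)
    if op == 'sep':              # some partition R = R1 ∪ R2 with R1 ⊥ R2
        return any(sat(R1, s, a[0]) and sat(R - R1, s, a[1])
                   for R1 in subrelations(R) if disjoint(R1, R - R1))
    if op == 'wand':             # every R' ⊥ R satisfying a[0] extends R to a model of a[1]
        return all(not sat(R2, s, a[0]) or sat(R | R2, s, a[1])
                   for R2 in relations() if disjoint(R2, R))
    raise ValueError(op)

# Derived notation of Sections 2 and 3; variables prefixed with '_' are fresh.
def alloc(x):                    # (x -> -) abbreviates ∃y(x -> y)
    return ('ex', '_y', ('pt', x, '_y'))
def strict_pt(t, u):             # tight points-to: the relation is exactly {(t, u)}
    only = ('imp', ('pt', '_a', '_b'), ('and', ('eq', '_a', t), ('eq', '_b', u)))
    return ('and', ('pt', t, u), ('all', '_a', ('all', '_b', only)))
def box(p):                      # □p := true * (emp ∧ (true -* p)): p holds for every relation
    return ('sep', 'true', ('and', 'emp', ('wand', 'true', p)))
def subbox(p):                   # ¬(true * ¬p): p holds in every sub-relation of the current one
    return ('not', ('sep', 'true', ('not', p)))
def nopred(x):                   # ∀y ¬(y -> x): x has no predecessor
    return ('all', '_p', ('not', ('pt', '_p', x)))
def forall3(body):               # ∀x, y, z(body)
    return ('all', 'x', ('all', 'y', ('all', 'z', body)))
def phi(n):                      # φ_n = ∃x1, ..., xn((x1 -> -) * ... * (xn -> -))
    xs = ['x%d' % i for i in range(n)]
    body = alloc(xs[-1])
    for x in reversed(xs[:-1]):
        body = ('sep', alloc(x), body)
    for x in reversed(xs):
        body = ('ex', x, body)
    return body

FUN = forall3(('imp', ('and', ('pt', 'x', 'y'), ('pt', 'x', 'z')), ('eq', 'y', 'z')))
INJ = ('and', FUN, ('and', forall3(('imp', ('and', ('pt', 'x', 'z'), ('pt', 'y', 'z')), ('eq', 'x', 'y'))),
                    ('all', 'x', alloc('x'))))
SURJ = ('all', 'x', ('ex', 'y', ('pt', 'y', 'x')))
FIN = box(('imp', INJ, SURJ))    # □(inj → ∀x∃y(y -> x)): the domain is finite
WF = subbox(('or', 'emp', ('ex', 'x', ('and', alloc('x'),
            ('all', 'y', ('imp', alloc('y'), ('not', ('pt', 'y', 'x'))))))))
UNIQUE_MIN = ('ex', 'x', ('and', nopred('x'), ('all', 'z', ('imp', nopred('z'), ('eq', 'z', 'x')))))
ENUM = ('and', INJ, ('and', UNIQUE_MIN, WF))

def heaps():                     # the relations that are graphs of partial functions
    return [R for R in relations() if sat(R, {}, FUN)]
def strict_matches_definition():
    return all(sat(R, {'x': a, 'y': b}, strict_pt('x', 'y')) == (R == frozenset({(a, b)}))
               for R in relations() for a in D for b in D)
def phi_counts_allocated_cells(n):
    return all(sat(R, {}, phi(n)) == (len({a for a, _ in R}) >= n) for R in heaps())
def injective_relations():       # inj picks out the total injective functions: the 3! permutations
    return [R for R in relations() if sat(R, {}, INJ)]
def finite_model_formula_holds():
    return sat(frozenset(), {}, FIN)   # the current relation is irrelevant to □
def well_founded(R):
    return sat(frozenset(R), {}, WF)
def enum_is_satisfiable():       # ◇enum on this model; a finite domain admits no such relation
    return any(sat(R, {}, ENUM) for R in relations())
```

The conjunctions are ordered so that the cheap first-order parts (fun, inj) are evaluated before the separating connectives; evaluation of −* is exponential in |D|², which is why the example stays at three elements.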
Separation Logic Light. What about further restricting to positive occurrences of the separating conjunction? Since we then can push negation inside, this restriction can be formally defined by the following syntax describing SLL ('separation logic light'): Here R denotes either an n-ary relation symbol or the points-to relation →. Thus, in this version of SL, negation can only be applied to atomic formulas. To show that the notion of satisfiability of SLL is compact, we introduce the following first-order translation p@R, where R is a binary predicate different from →, • denotes conjunction/disjunction, and Q denotes the existential/universal quantifier.
The binary relation symbols R_1 and R_2 are 'fresh'. It follows that p is satisfiable if and only if p@R is satisfiable. More precisely, M, R, s |= p if and only if there exists a (first-order) model M' such that M', s |= p@R. Consequently, compactness of first-order logic implies compactness of SLL: let Γ be an infinite set of formulas of SLL and Γ' = {p@R | p ∈ Γ}, for some binary relation symbol R. If every finite subset of Γ is satisfiable, so is every finite subset of Γ'. By the compactness of first-order logic Γ' is satisfiable, and so is Γ. Along the same lines it follows that if Γ is satisfiable then there exists a model M = (D, I) such that D is countable and M, R, s |= p, for every p ∈ Γ. Note however that compactness of the satisfiability relation does not imply that the (semantic) consequence relation is compact. In fact, non-compactness of the consequence relation for SLL follows directly from the above argument involving well-founded relations: let Γ denote the set of formulas c_{n+1} → c_n, n ≥ 0. It follows that Γ |= true * (¬emp ∧ ∀x((x → −) → ∃y(y → x))). But clearly, there does not exist a finite subset Γ_0 of Γ such that Γ_0 |= true * (¬emp ∧ ∀x((x → −) → ∃y(y → x))).
Some Open Problems. The question remains whether restricting to separating conjunction satisfies the downward Löwenheim-Skolem theorem. A counterexample to the downward Löwenheim-Skolem theorem would be the expressibility of uncountable models. This seems to require the ◇ modality (and thus the separating implication).
Another interesting question is whether we can express finiteness of the domain of the current interpretation of the points-to relation, that is, does there exist a formula p in SL such that M, R, s |= p if and only if the domain of the relation R is finite?
A main open problem is a formalization of the relation between full SL and second-order logic. Intuitively, one of the main differences is the local perspective of SL, which is determined by the current heap. Remarkably, as already mentioned in the introduction, [BDL12] presents a rather intricate encoding of (dyadic) weak second-order logic into weak SL. Apparently this restriction to finite heaps allows one to break the local perspective. Our conjecture however is that full SL is strictly less expressive than (dyadic) second-order logic. To illustrate how subtle this difference may be, consider the following extension of separation logic with a binding operator ↓R(p) which binds the binary variable R in the evaluation of p to the current interpretation of the points-to relation. In other words, it corresponds to a bounded (second-order) quantification ∃R((R = →) ∧ p), where R = → abbreviates the first-order formula ∀x, y(R(x, y) ↔ (x → y)). Alternatively, we can directly define M, R, s |= ↓R(p) if and only if M, R, s[R := R] |= p. This definition thus assumes an extension of the valuation s to (binary) second-order variables. The expressive power of this binding operator lies in that it allows one to 'break the spell' of the local perspective, since the bound binary variable allows one, in the local context of the current interpretation of the points-to relation, to refer to those 'outer' ones that have generated it (by the separating connectives). This extension of SL allows for a simple, compositional translation of (dyadic) second-order logic. We have the following main case, which translates ∃R(φ), where φ is a dyadic second-order formula (which is assumed not to contain occurrences of the points-to relation of SL), into the SL formula ◇(↓R(p)), where p denotes the translation of φ.

Separation Logic of Definable Binary Relations
In this section we restrict the interpretation of the separating connectives to first-order definable binary relations. By φ we now denote a first-order formula which does not contain occurrences of the points-to relation → of SL. We omit the standard inductive truth definition M, s |= φ of a first-order formula φ.
By φ(x_1, ..., x_n) we denote that the free (first-order) variables of φ are among the distinct variables x_1, ..., x_n. A formula φ(x, y) is called a binary formula.
A binary formula is also simply denoted by φ, omitting its free variables x and y. Given a model M = (D, I) and a first-order formula φ(x, y), we denote by Rel_M(φ) the relation {⟨s(x), s(y)⟩ | M, s |= φ} ⊆ D × D. Note that the evaluation of φ(x, y) only depends on the values of its free variables x and y, that is, M, s |= φ if and only if M, s' |= φ, whenever s(x) = s'(x) and s(y) = s'(y). By φ(t, t') we denote the result of replacing in φ(x, y) the variables x and y by t and t', respectively (if necessary renaming bound variables to ensure that the variables of t and t' do not become bound).
Definition 4 (First-order definability). Given a model M = (D, I), a relation R ⊆ D × D is first-order definable if R = Rel_M(φ), for some binary formula φ(x, y).
Note that, given a model M = (D, I), I(R) = Rel_M(R(x, y)), that is, for any binary relation symbol R its interpretation I(R) is trivially a first-order definable relation. We generalize the definition of R = R_1 ⊎ R_2 to arbitrary binary formulas: we denote by φ = φ_1 ⊎ φ_2 that the binary formulas φ_1(x, y) and φ_2(x, y) represent a partition of the binary formula φ(x, y), which is expressed by the conjunction of ∀x, y(φ(x, y) ↔ (φ_1(x, y) ∨ φ_2(x, y))) and ∀x, y, z(¬φ_1(x, y) ∨ ¬φ_2(x, z)). The latter formula, which states that the domains of the binary relations represented by φ_1(x, y) and φ_2(x, y) are disjoint, we abbreviate by φ_1 ⊥ φ_2.
In the sequel we denote by M, R, s |= p the restriction of the relational semantics of full SL (Definition 2 extended to binary relations) such that, instead of quantifying over arbitrary binary relations, the separating connectives involve quantification over first-order definable binary relations. It is worthwhile to observe here that, as for Henkin models of second-order logic [Hen50], the implicit second-order quantification depends on the underlying signature of function and relation symbols. Extending or restricting the signature affects the semantics of formulas of the 'old' signature.

Sequent Calculus
To reason about the implicit quantification over definable (binary) relations, we introduce rooted assertions of the form p@φ, where φ denotes a binary formula and p is a formula of SL (see Definition 1). We define M, s |= p@φ if and only if M, R, s |= p, where R = Rel_M(φ). The variables x and y of the binary formula φ(x, y) are thus implicitly bound by the @-operator, that is, M, s |= p@φ if and only if M, s' |= p@φ, for any s and s' such that s(z) = s'(z) for any free variable z occurring in p.
We now develop a calculus for sequents A_1, ..., A_n ⇒ B_1, ..., B_m, where each A_i, i = 1, ..., n, and B_j, j = 1, ..., m, is constructed from first-order formulas and rooted assertions, which can be further composed using propositional connectives and quantification of first-order variables. This calculus is an extension of the standard first-order sequent calculus (including cut), where the standard rules are applicable with respect to top-level propositional connectives and quantifiers. Figure 1 shows the left and right rules for separating conjunction and implication. These rules closely follow the translation in Definition 3 of SL into second-order logic, eliminating the explicit second-order quantification by applying the standard proof rules for second-order quantification (which themselves are straightforward generalizations of the rules for first-order quantification, instantiating the second-order variables by formulas). The binary relation symbols R_1, R_2 and R introduced in the rules L* and R−* are 'fresh' binary relation symbols, that is, they must not appear in the formulas of the conclusion of the rules.
In the so-called 'points-to' rules of Fig. 1 the formula p does not involve occurrences of the separating connectives. Such a formula of SL we call basic. Note that it differs from pure first-order formulas in that basic formulas additionally may involve the points-to relation. For such formulas we denote by p[φ/→], for any binary formula φ(x, y), the result of replacing every atomic assertion (t → t') in p by φ(t, t'), which is a pure first-order formula. It follows that M, s |= p[φ/→] if and only if M, Rel_M(φ), s |= p, for any basic formula p.

Example Proofs
As a first example of the use of the sequent calculus, above we have a derivation of the sequent ⇒ ((p * (p −* q)) → q)@R, which represents the validity of (p * (p −* q)) → q. This derivation essentially consists of an application of the rule L* followed by an application of the rule L−*. In this derivation Γ denotes the formulas R = R_1 ⊎ R_2, p@R_1 generated by the application of rule L*. The second premise of the application of the rule L−* is derivable from an instance of the axiom Γ, A ⇒ A, Δ. Note that ψ (in the L−* rule) is instantiated with R_1. The first and third premises follow from the fact that
Next we show how to use the calculus in reasoning about the equivalence of weakest preconditions that arise in the practice of verifying the correctness of heap manipulating programs. Let p denote the weakest precondition (u → −) ∧ (z = 0 ◁ u = v ▷ v → z) of the heap update [u] := 0, which ensures the postcondition v → z after assigning the value 0 to the location denoted by the variable u (here φ ◁ b ▷ ψ abbreviates (b ∧ φ) ∨ (¬b ∧ ψ)); in [dBHdG23] a dynamic logic extension of SL is introduced which generates this weakest precondition. The standard rule for backwards reasoning in [Rey02] gives the weakest precondition (u → −) * (u ↦ 0 −* v → z), which we denote by p'. These preconditions are equivalent because both are the weakest.
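As an added example (not from the paper), the equivalence of p and p' can be confirmed semantically by brute force before any proof is attempted: over a constructed three-element domain, the Python script below enumerates every heap (partial function) and every valuation of u, v and z, evaluates p directly, evaluates p' by enumerating the partitions required by * and the single extension {u ↦ 0} over which −* quantifies, and reports all disagreements. It also compares p with the variant (u → −) ∧ (v → z) that ignores aliasing of u and v, which is exactly the case the conditional in p handles. The domain and all function names are assumptions of the example.

```python
from itertools import product

D = (0, 1, 2)   # assumed domain; heaps are partial functions D -> D, represented as dicts

def heaps():
    """Every partial function on D, i.e. every heap of Section 2 over this domain."""
    for image in product(list(D) + [None], repeat=len(D)):
        yield {a: b for a, b in zip(D, image) if b is not None}

def partitions(h):
    """All splits h = h1 ∪ h2 with h1 ⊥ h2 (disjoint domains)."""
    cells = list(h)
    for bits in product((0, 1), repeat=len(cells)):
        yield ({c: h[c] for c, b in zip(cells, bits) if b},
               {c: h[c] for c, b in zip(cells, bits) if not b})

def p(h, u, v, z):
    """(u -> -) ∧ (z = 0 ◁ u = v ▷ v -> z): the dynamic-logic precondition."""
    return u in h and ((z == 0) if u == v else h.get(v) == z)

def p_prime(h, u, v, z):
    """(u -> -) * (u ↦ 0 -* v -> z): the backward-reasoning precondition of [Rey02]."""
    for h1, h2 in partitions(h):
        if u not in h1:                      # h1 |= u -> -
            continue
        # h2 |= (u ↦ 0) -* (v -> z): the only heap satisfying the strict u ↦ 0 is {u: 0},
        # so the magic wand quantifies over that single candidate extension h'.
        ext = {u: 0}
        if ext.keys() & h2.keys():           # no h' ⊥ h2 exists: the wand holds vacuously
            return True
        if {**h2, **ext}.get(v) == z:        # h2 ∪ h' |= v -> z
            return True
    return False

def p_naive(h, u, v, z):
    """(u -> -) ∧ (v -> z): what one gets by forgetting that u and v may alias."""
    return u in h and h.get(v) == z

def disagreements(f, g):
    """Heaps and valuations on which two preconditions differ."""
    return [(h, u, v, z) for h in heaps() for u, v, z in product(D, repeat=3)
            if f(h, u, v, z) != g(h, u, v, z)]
```

`disagreements(p, p_prime)` is empty, while `disagreements(p, p_naive)` contains, for instance, the heap {0: 1} with u = v = 0 and z = 0, where p holds because the update overwrites the aliased cell but the naive precondition demands the old value.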
Surprisingly, a proof of the implication p' → p however exceeds the capability of all the automatic SL provers in the benchmark competition for SL [SNPR+19].
In particular, of the automatic provers, only the CVC4-SL tool [RISK16] supports the fragment of SL that includes the separating implication connective. However, from our own experiments with that tool, we found that it produces an incorrect counter-example and reported this as a bug to one of the maintainers of the project (Andrew Reynolds). In fact, the latest version, CVC5-SL, reports the same input as 'unknown', indicating that the tool is incomplete. In the case of (semi) interactive SL provers (such as Iris [JKJ+18], and VerCors [AH21, MRH22] that uses Viper [MSS16] as a back-end) we sought out expertise and collaborated in our search for a tool-supported proof of the above equivalence. Even after personally visiting the Iris team in Nijmegen (led by Robbert Krebbers) and the VerCors team in Twente (led by Marieke Huisman), we were unable to guide the tools to produce a proof of p' → p. The problem here seems similar to that of [HT16], in that their semantics of separating connectives, which are formalized in terms of abstract monoids, are not compatible with the set-theoretic interpretation of the points-to relation.
In fact, the equivalence between the above two formulas can be expressed in quantifier-free separation logic, for which a complete axiomatization of all valid formulas has been given in [DLM21]. In the sequent calculus we can express the equivalence of p and p' in terms of the sequent fun(R) ⇒ (p ↔ p')@R. Here R is an arbitrary binary relation symbol used to represent the current interpretation of the points-to relation. We abbreviate ∀x, y, z((R(x, y) ∧ R(x, z)) → y = z) by fun(R). A proof of the above sequent amounts to proving the sequents fun(R), p'@R ⇒ p@R and fun(R), p@R ⇒ p'@R. Below we present a high-level proof of the first sequent, abstracting from some basic first-order reasoning in the calculus.
By an application of L* to derive the sequent fun(R), p'@R ⇒ p@R it suffices to derive for some fresh R_1 and R_2. Let ψ(x, y) denote the binary formula x = u ∧ y = 0. Further, let Γ denote the set of formulas fun(R), R = R_1 ⊎ R_2, (u → −)@R_1. By an application of the rule L−* it then suffices to prove the following sequents (from Γ ⇒ Δ we can derive Γ ⇒ A, Δ by right-weakening). First we prove Γ ⇒ R_2 ∩ ψ = ∅: by the points-to rules the rooted assertion (u (the forall-part of the formula is due to the 'strict' points-to, which states that the domain contains u as its only location). Further, R_2 ∩ ψ = ∅ logically boils down to ¬∃x, y(R_2(x, y) ∧ (x = u ∧ y = 0)), that is, ¬R_2(u, 0), which in basic first-order logic follows from ∃zR_1(u, z) and the assumptions R = R_1 ⊎ R_2 and fun(R).
Second, we prove Γ ⇒ (u → 0)@ψ: by the points-to rules (u → 0)@ψ (using the expanded definition φ of u → 0 and the definition of the substitution And, finally, we prove Γ, (v → z)@(R₂ ∨ ψ) ⇒ p@R: first note that (again, by the points-to rules) The assertion ∃z R(u, z) clearly follows from the assumptions R = R₁ R₂ and (u → −)@R₁ in Γ. To prove z = 0 u = v R(v, z), we first reduce the assump- So we have that z = 0. Otherwise, we have R₂(v, z), and thus

Soundness and Completeness

We denote by Γ ⇒ Δ that there exists a proof of the sequent Γ ⇒ Δ. In the soundness proof below we use these substitutions to instantiate the fresh binary relation symbols introduced in the rules L∗ and R−∗. Note that updating the interpretation of these symbols (as provided by M) would affect the semantics of the separating connectives if binary formulas could refer to these fresh binary relation symbols (note that they are only required not to appear in the formulas of the conclusion of the rules L∗ and R−∗).
Proof. We prove that the rules for the separating connectives preserve validity. The points-to rules are sound because $M, \mathrm{Rel}_M(\varphi), s \models p$ if and only if $M, s \models p[\varphi/{\to}]$, for any basic formula p (note that p[φ/→] is a pure first-order formula, which does not depend on the heap).
As a corollary we obtain that Γ Δ implies Γ |= Δ. Following the completeness proof of first-order logic as described in [Hen49], it suffices to show that every consistent set of formulas is satisfiable (the so-called 'model existence theorem'). A set of formulas Γ is consistent if Γ ∅. We first show that every consistent set of formulas can be extended to a maximal consistent set. To this end we assume an infinite set of 'fresh' binary relation symbols R that do not appear in Γ. We construct for any consistent set Γ a maximal consistent extension $\Gamma_\infty$, assuming an enumeration of all formulas A (which also covers all first-order formulas). We define Γ₀ = Γ, and Γₙ₊₁ satisfies the general rule: Additionally, in case Aₙ is added and Aₙ is of the form ∃xA or a rooted assertion (p ∗ q)@φ or ¬(p −∗ q)@φ, we also include corresponding witnesses in Γₙ₊₁:
- If Aₙ is of the form ∃xA we additionally add A(y), where A(y) results from replacing all free occurrences of x in A by a fresh variable y which does not appear in Γₙ. Note that A(y) can indeed be added consistently because from Γₙ, A(y) ∅ we would derive Γₙ, ∃xA ∅, which contradicts the assumption that Γₙ, ∃xA ∅.
- If Aₙ is of the form (p ∗ q)@φ we additionally add the formulas φ = R₁ R₂, R₁ ⊥ R₂, p@R₁, and q@R₂, where R₁ and R₂ are fresh (i.e., not appearing in Γₙ). Note that these formulas can indeed be added consistently because from φ (which is equivalent to ¬((p −∗ q)@φ)) we additionally add the formulas R ⊥ φ, p@R(x, y), and ¬q@(φ ∨ R), where R is fresh (i.e., not appearing in Γₙ). Note that these formulas can indeed be added consistently because from Γₙ, R ⊥ φ, p@R(x, y), ¬q@(φ ∨ R) ∅ we would derive Γₙ (p −∗ q)@φ (by rule R−∗), which contradicts the assumption that Γₙ, ¬(p −∗ q)@φ ∅.

We define Γ
The above interpretation of the function and relation symbols is well-defined because its definition does not depend on the choice of the representatives (this follows from the equality axioms).
Given a maximal consistent set of formulas Γ and the model $M_\Gamma$ = (D, I), a corresponding valuation s assigns to every variable x an equivalence class [t]. However, in the sequel we represent such a valuation by a substitution s which simply assigns to each variable a term. The value Iₛ(x) of a variable x is then given by the equivalence class [s(x)] of the term s(x).
Given a substitution s, for any term t and formula A (of the sequent calculus) we denote by ts and As the result of replacing every free occurrence of a (first-order) variable x in t and A by s(x). Note that (p@φ)s = ps@φ, because the meaning of p@φ does not depend on the free variables x and y of the binary formula φ(x, y).
Given a maximal consistent set of formulas Γ and the model $M_\Gamma$ = (D, I), it follows that Iₛ(t) = [ts], for every term t and substitution s.

Proof. The proof proceeds by induction on the following well-founded ordering A < B on formulas of the sequent calculus. Let #A = (n, m), where n denotes the number of occurrences of the separating connectives and the @-binding operator in A, and m denotes the number of occurrences of the (standard) first-order logical operations in A. Then A < B if #A < #B, where the latter denotes the lexicographic ordering on ℕ × ℕ (with respect to the standard 'smaller than' ordering on the natural numbers). We treat the following main cases (for notational convenience M denotes the model $M_\Gamma$).
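As an added illustration (not part of the paper's proof) of how this measure decreases in the two witness cases of the Γₙ construction, write #p = (n_p, m_p) and #q = (n_q, m_q), and let m_φ count the first-order operators of the binary formula φ (assumed here to be counted in m, as the definition reads); then

$$
\begin{aligned}
\#\big((p * q)@\varphi\big) &= (n_p + n_q + 2,\; m_p + m_q + m_\varphi), \\
\#\big(p@R_1\big) &= (n_p + 1,\; m_p) \;<\; \#\big((p * q)@\varphi\big), \\[4pt]
\#\big(\neg (p \mathrel{-\!*} q)@\varphi\big) &= (n_p + n_q + 2,\; m_p + m_q + m_\varphi + 1), \\
\#\big(\neg q@(\varphi \vee R)\big) &= (n_q + 1,\; m_q + m_\varphi + 2) \;<\; \#\big(\neg (p \mathrel{-\!*} q)@\varphi\big).
\end{aligned}
$$

In the magic-wand case the first component drops from n_p + n_q + 2 to n_q + 1 while the second component may grow (it does whenever m_p = 0), which is why the ordering is the lexicographic one on ℕ × ℕ rather than a single count of all operators.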
We The downward Löwenheim-Skolem property follows. It should be noted that we cannot remove from the constructed model the binary relation symbols which are introduced as witnesses, as these determine the notion of first-order definability.
Compactness follows. We thus derive (by Lindström's theorem [Vää10]) that this version of SL is as expressive as first-order logic.

Conclusion
We investigated the expressiveness of full SL over arbitrary first-order models. We have shown that restricting the quantification to first-order definable heaps gives rise to a semantic consequence relation that can be captured by a sound and complete extension of the standard sequent calculus for first-order logic.
The main open question is the exact relationship between full SL, which allows for infinite heaps, and second-order logic. In [KR04] a translation is given of general second-order logic into a first-order logic with spatial conjunction. Spatial conjunction (as defined in [KR04]) allows one to split a global set of arbitrary relations. As such it goes beyond the local scope of separating conjunction, which is restricted to the points-to relation. We conjecture that second-order logic is strictly more expressive than full SL.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
R is well-founded iff every (non-empty) sub-relation of R has a minimal element (with respect to that sub-relation). This fact can be expressed by the use of the formula enum. Let M, R, s |= enum. We show that R encodes an enumeration ⟨dₙ⟩ₙ of D (still we have M = (D, I)). We define the sequence ⟨dₙ⟩ₙ by induction on n: for d₀ we take the (unique) minimal element, and for dₙ₊₁ we take the unique element d ∈ D such that ⟨dₙ, d⟩ ∈ R. Note that inj implies that every element of D has a unique 'successor' and that dₙ₊₁ ∉ {d₀, …, dₙ}. Well-foundedness ensures that every element of D appears in the enumeration ⟨dₙ⟩ₙ, because otherwise we could construct an infinite descending chain of elements not appearing in the enumeration ⟨dₙ⟩ₙ (since d₀ denotes the unique minimal element with respect to the functional interpretation R of →, it follows that for any d ∈ D which does not appear in the enumeration ⟨dₙ⟩ₙ there exists a d′ ∈ D which also does not appear in the enumeration ⟨dₙ⟩ₙ and ⟨d′, d⟩ ∈ R).

Fig. 1. Sequent calculus. The binary relation symbols R₁, R₂ and R introduced in the rules L∗ and R−∗ are 'fresh'. In the points-to rules p denotes a basic formula (which does not contain occurrences of the separating connectives).
By construction $\Gamma_\infty$ is maximal consistent. Given a maximal consistent set of formulas Γ, let $M_\Gamma$ = (D, I), where D is the set of equivalence classes [t] = {t′ | t = t′ ∈ Γ}. For any function symbol f and relation symbol R (excluding the points-to relation →) we define -

Lemma 2. Given a maximal consistent set of formulas Γ and the model $M_\Gamma$ = (D, I), we have M, s |= A if and only if As ∈ Γ, for every formula A and substitution s.