Modular Tableaux Calculi for Separation Theories

In recent years, the key principles behind Separation Logic have been generalized to generate formalisms for a number of verification tasks in program analysis via the formulation of 'non-standard' models utilizing notions of separation distinct from heap disjointness. These models can typically be characterized by a separation theory, a collection of first-order axioms in the signature of the model's underlying ordered monoid. While all separation theories are interpreted by models that instantiate a common mathematical structure, many are undefinable in Separation Logic and determine different classes of valid formulae, leading to incompleteness for existing proof systems. Generalizing systems utilized in the proof theory of bunched logics, we propose a framework of tableaux calculi that are generically extendable by rules that correspond to separation theories axiomatized by coherent formulas. This class covers all separation theories in the literature—for both classical and intuitionistic Separation Logic—as well as axioms for a number of related formalisms appropriate for reasoning about complex systems, security, and concurrency. Parametric soundness and completeness of the framework is proved by a novel representation of tableaux systems as coherent theories, suggesting a strategy for implementation and a tentative first step towards a new logical framework for non-classical logics.


Introduction
Separation Logic [44], introduced by Ishtiaq & O'Hearn [36], Reynolds [50] and Yang & O'Hearn [55], is a Hoare-style program logic suitable for reasoning about programs that mutate data structures. In its original formulation, the assertion language of Separation Logic is based on a model of O'Hearn & Pym's logic of bunched implications [45] formulated by considering heaps as possible worlds with internal structure that allows their decomposition into separate pieces of memory. This decomposition is witnessed in the logic by the separating conjunction *, with φ * ψ informally read as 'the heap can be split into separate parts; one satisfying φ and the other satisfying ψ'. Calcagno, O'Hearn & Yang [14] abstract the details of the heap model to a structure called a separation algebra, a partial-deterministic and cancellative monoid model of the Boolean logic of bunched implications (BBI), which can be used to generate bespoke separation logics suitable for program analysis tasks beyond that of the original formalism. Conflicting definitions of separation algebra have since been given by adding/removing first-order properties or strengthening/weakening the monoid properties [11,15,23,26]. These mutually exclusive definitions can be encompassed in a framework of separation theories [11], collections of first-order axioms (separation properties) common to separation logic models by which the definition of (B)BI model can be extended. All separation logics in the literature can be seen to be models of separation theories, while the frameworks Views [23] and Iris [38] explicitly implement the idea of generating program logics parametrically by separation theory.

Recent work has revealed an expressivity gap between the logic of bunched implications and common separation theories in the literature, however. Brotherston & Villard [11] and Larchey-Wendling & Galmiche [41] have shown that separation properties like indivisibility of units and partial deterministic composition determine distinct sets of valid BBI formulae, leading to the incompleteness of standard proof systems with respect to typical classes of memory models. To make matters worse, Brotherston & Villard additionally show that many separation properties (among them partial determinism) are undefinable in BBI, and thus cannot be axiomatized by the logic. Similar arguments can be made for BI [48], the intuitionistic logic of bunched implications. This is an increasingly relevant issue given the growing number of intuitionistic separation logics, most prominent amongst them Iris, a framework that utilizes a 'later' modality [42] that can only be nontrivially defined in intuitionistic systems.
This expressivity gap is a significant problem for Separation Logic. A theorem prover for deriving assertions satisfied by the underlying model is a necessary component of any implementation of a separation logic, with the deployable proof theory of the standard formalism crucial for its scalability to large code bases [13,55]. Standard implementations are model-specific, however, and only suitable for the heap model. In order to account for the large numbers of bespoke separation logics, as well as Views/Iris-style frameworks, we require tools that support parametrization by separation theory.
Technical Approach. The present work generalizes methods pioneered on tableaux systems for a range of logics including and related to BI and BBI [21,22,24,29,31,39] to specify modular tableaux calculi for the breadth of classical and intuitionistic separation theories in the literature, proved sound and complete uniformly and parametrically in the choice of separation theory. While previous systems implicitly implement a systematic method for constructing tableaux proof theory for bunched logics, subtle but significant changes must be made to additionally capture separation theories. Past systems can be formulated as particular instances of our framework, thus making the systematic method explicit.
First, we specify tableaux proof systems for BI and BBI, the propositional basis for Separation Logic. The key difference between our calculi and tableaux systems previously given in the literature is that we do not outsource any part of the derivation of proofs to an algebra of labels or an auxiliary proof system for constraints. Instead, we utilize frame expansion rules that are of the same form as the standard logical expansion rules of the system. These rules capture the same structural properties (and more) but can also be added/removed in a modular fashion. Crucially, this ensures separation properties - for example, partial determinism - are not hard-coded into the basic systems via the structure of labels, and facilitates the parametricity of our completeness theorem.
We extend these systems with a rule schema for separation properties axiomatized by coherent formulae, a subset of first-order formulae with a special syntactic form. This set contains every separation property that can be found in the literature and is expressive enough to include virtually any axiom that might be utilized in future. The strength of this statement can be justified by a folklore result recently reconstructed by Dyckhoff & Negri [27] that shows that every first-order axiom can be reconstructed as an equivalent system of coherent formulae. We thus obtain a modular framework of (B)BI + Σ-tableaux systems, where Σ is an arbitrary collection of coherent axioms.
In order to prove soundness and completeness of the system, we utilize a novel representation of labelled tableaux systems as theories of coherent logic. The key insight here is that the translation of coherent formulae into tableaux rules is not one way: tableaux rules can naturally be seen as coherent formulae in a signature augmented with special predicate symbols. The parametric soundness and completeness of the framework can then be reduced to proving the soundness and completeness of Tarskian truth for coherent logic with respect to a metatableaux method, a problem positively resolved by Bezem & Coquand [4]. To our knowledge, the application of this technique to labelled tableaux is new, although, in the aforementioned work, Bezem & Coquand show how to encode the tableaux method for first-order classical logic as a coherent theory, and trace the idea of abbreviating formulae with predicate symbols to Skolem [52].
Contributions. We identify three principal contributions.
1. An exhaustive, sound and complete proof theory for the full breadth of separation theories in the literature. Notably, this includes intuitionistic separation theories that have never been considered proof theoretically.
2. A new technique for constructing proof systems for essentially any logic interpreted on Kripke structures that are axiomatized by coherent theories.
3. The identification of tableaux systems with theories of coherent logic.
On points 2 and 3, we believe many prefixed/labelled tableaux systems in the literature (e.g., [28]) are subsumed by this method, with their respective 'Hintikka set' completeness proofs actually localized instances of the parametric completeness theorem given here. This suggests coherent logic is a natural mathematical foundation for Kripke semantics and opens up the possibility of a logical framework for non-classical logics via the representation of tableaux systems as coherent theories. As Bezem & Coquand [4] mention, reasoning in coherent logic is constructive and proof objects can easily be produced from derivations. We discuss these possibilities in more detail in Section 6.
Related Work. While much work has been done on the proof theory of BI and BBI [9,31,34,46], as well as proof systems for the concrete heap model of Separation Logic [5,30,33], very little exists for separation theories. A key exception to this is Hóu et al.'s [35] labelled sequent calculi for propositional abstract separation logic. There, a labelled sequent calculus for BBI is extended with rules corresponding to the most common separation properties - partial determinism, cancellativity, indivisible unit and disjointness - and completeness and cut elimination are proved. In Hóu's PhD dissertation [32] the properties cross-split and splittability are additionally handled, although completeness for these new rules requires 'non-trivial changes' to the previous proofs.
The classes of model captured by our systems strictly extend those of Hóu et al. - in particular, by additionally considering classes of BI models that are appropriate for intuitionistic separation logics - and our calculi are proved complete uniformly. Our systems are also generically extendable according to a rule schema, meaning the framework should be suitable for new separation theories devised in the future. A deficiency of our approach with respect to Hóu et al.'s is a lack of implementation, though we note that the representation of our systems as theories of coherent logic suggests off-the-shelf coherent logic provers could be used to give naive implementations of our framework.
Brotherston & Villard [11] deal with the undefinability of separation theories by defining a conservative extension of BBI called HyBBI, extending the syntax with nominals, satisfaction operators and binders. This extra expressivity leads to the axiomatizability of the undefinable separation properties. This work is not specifically concerned with proof theory, giving only a Hilbert-style system for HyBBI, and has the defect of requiring modifications to the syntax of Separation Logic. In addition, a significant theoretical reformulation would be required to capture intuitionistic separation theories this way. In contrast, in our work the necessary machinery is internalized within the proof system and both Boolean and intuitionistic cases are taken care of uniformly.
Finally, we connect our work to a recent line of research in proof theory investigating the generation of proof rules from coherent theories. Simpson [51] and Braüner [8] have used this technique to produce natural deduction rules, while Negri [43] has extensively developed it to generate systems of labelled sequent rules from frame conditions axiomatized by generalized coherent formulae. To our knowledge the present work is the first application of these ideas to the tableaux method. In addition, we believe the encoding of the proof systems themselves as coherent theories is novel.

Preliminaries
The Logics of Bunched Implications. We first recall O'Hearn & Pym's logics of bunched implications BI and BBI [45], the propositional basis of Separation Logic's assertion language. BI and BBI are archetypal examples of bunched logics: systems given by combining the standard additives of classical or intuitionistic propositional logic with the multiplicatives of a substructural logic. This idea has been developed to give logics for reasoning about concurrency [25] and the layering structure of complex systems [18,19,24], Hennessy-Milner-style process logics for reasoning about security and systems modelling [1], and modal and epistemic systems for reasoning about reachability/knowledge subject to the availability of resources [22,29]. Let Prop be a set of atomic propositions, ranged over by p. The set of all formulae of (B)BI is generated by the following grammar: For BI, the standard connectives are interpreted intuitionistically; in BBI, classically. Negation is defined by ¬φ := φ → ⊥. Figure 1 gives Hilbert rules for the multiplicative fragment of the logics.
A BI frame is given by a tuple X = (X, ≤, •, E), where (X, ≤) is a partial order, • : X² → P(X) a binary composition (where P(X) denotes the power set of X) and E ⊆ X a unary relation. This structure must satisfy the following axioms, where the outermost universal quantification is left implicit: The axioms formalize intuitive ideas about the composition of generic resources: for example, that the composition satisfies a generalized associativity that is compatible with the comparison order. This analysis is known as resource semantics.
A sound interpretation of BI is given by extending the standard poset semantics for propositional intuitionistic logic. This requires a persistent valuation: a map V : Prop → P(X) such that x ∈ V(p) and x ≤ y entail y ∈ V(p). We call a BI frame X together with a persistent valuation V a Kripke BI model. The satisfaction relation ⊨_V is given in Fig. 2. As standard for intuitionistic logics, persistence extends to all formulae of BI. Kripke BBI models and their associated semantics are given by the special case of the definitions for BI when the partial order ≤ is equality.
Fig. 2. Satisfaction for (B)BI (clauses for the multiplicative connectives): r ⊨ φ * ψ iff there exist r', s, t such that r ≥ r' ∈ s • t, s ⊨ φ and t ⊨ ψ; r ⊨ φ −* ψ iff for all r', s, t such that r ≤ r', t ∈ r' • s, s ⊨ φ implies t ⊨ ψ. BBI is the case where ≤ is substituted with =.

Coherent Logic. Coherent logic is the fragment of first-order logic consisting of formulae of the form for n, m ≥ 0, where each A_i is an atomic formula involving only variables from the vector x⃗, and each B_i is a conjunction of atomic formulae involving only variables from the vectors x⃗ and y⃗_i. In a coherent formula, the variables x⃗ are implicitly universally quantified (with scope the whole formula) and both x⃗ and y⃗_i may be empty. The case n = 0 is a consequent that is always true. The case m = 1 with empty y⃗_1 gives the Horn clause fragment of first-order logic utilized in logic programming and first-order theorem provers based on the resolution method.

We call a set of coherent formulae Φ a coherent theory. Models of coherent theories are given in a way standard for first-order logic: a Tarskian model of Φ is a non-empty set X together with an interpretation I, which assigns to every n-ary relation symbol R in the signature a set R^I ⊆ X^n such that for each coherent formula in Φ, for all x⃗ ∈ X, the consequent

Many common mathematical structures are axiomatized by coherent theories. For example, algebraic structures like groups, rings, lattices and fields, as well as total, partial, and linear orders. Further examples are found in the theory of confluence for term rewriting systems [4,53]. Of interest for our purposes, (B)BI frames are axiomatized by coherent theories. As we will see, virtually every separation property in the literature is given directly as a coherent axiom.

Modular Tableaux Calculi for Separation Theories
The Base Tableaux Systems. We begin with tableaux systems designed for the semantics of (B)BI as outlined in Section 2. As is standard for tableaux systems, derivations in our calculi are implicit attempts to construct a countermodel for the formula φ to be proved. This is done via the derivation of syntactic expressions that give partial specifications of a (B)BI model that can be realized as a real model if the formula is invalid. If every possible countermodel construction (i.e., every branch of a tableau) results in a contradiction, then we may conclude that no countermodel exists and call such a tableau a proof of φ.
A labelled formula Sφ : x is given by a sign S ∈ {T, F} together with a (B)BI formula φ and a label x ∈ {c_i | i ∈ N}. A labelled formula states that a (B)BI formula φ is true (T) or false (F) at the state represented by the label x. A constraint is a syntactic expression of the form x ∼ y, R* xyz or Ex, where x, y, z ∈ {c_i | i ∈ N}. Constraints are partial specifications of the structure of a (B)BI frame corresponding to a partial order ≤, composition •, or unit set E respectively. Unlike other bunched logic tableaux systems, we only utilize atomic labels, as opposed to a monoidal algebra of labels that encodes properties of the multiplicative connectives. New constraints are derived only by frame expansion rules, rather than by using the properties of the algebra of labels and a separate proof system for constraints. A constrained set of statements (CSS) is a pair ⟨F, C⟩, where F is a set of labelled formulae and C is a set of constraints. It is finite if F and C are.

Fig. 3. Shared rules for the tableaux systems: logical expansion rules, and frame expansion rules with c_i a fresh label and Expr(x) any expression in which x occurs.
Informally, tableaux are trees annotated with finite CSSs. Each branch determines a CSS ⟨F, C⟩ where F (respectively C) is the union of the formula (constraint) sets that occur on the branch. Figures 3 and 4 give rules dictating the expansion of tableaux: Figure 3 gives rules shared by both the BI and BBI systems, while Figure 4 gives rules specific to each system. While c_i, c_j, c_k denote concrete fresh labels, x, y, z etc. are label variables. An instance of a rule is triggered for a branch CSS when a concrete substitution instance of the premiss holds of it, and the same label substitutions carry through to the (branching) CSS(s) that the conclusion dictates are added to the tree. We now define (B)BI tableaux formally, with ⊕ giving concatenation of lists.
Definition 1 (Tableau). A (B)BI tableau for a finite CSS ⟨F_0, C_0⟩ is a list of CSSs, called branches, built inductively according to the following rules:

We note that we could simply add T¬, F¬, and Sym to the BI system and obtain one for BBI. However, this causes a significant amount of redundancy in the production of labels and constraints while requiring many more derivation steps in proofs, something that does not arise with the BBI rules given.
Extension with Coherent Axioms. Figure 5 gives a number of separation properties taken from across the Separation Logic literature [11,14,15,26]. A separation theory is a collection Σ of axioms from Figure 5. All of the separation properties given are axiomatized as coherent formulae and we now show how to translate them into tableaux expansion rules and closure conditions. First, each first-order atomic formula is translated into constraints: Then, for a coherent formula with n, m > 0, we obtain the frame expansion rule where each C_i is the set of constraints translated from the conjuncts of B_i, using fresh labels c_i in place of the previously quantified y⃗_i. For example, the separation properties Cross-Split and Non-Branching are translated to the rules where c_i, c_j, c_k, c_l are fresh labels. The special case n = 0 gives a rule with premiss Expr_1(x_1), …, Expr_p(x_p) ∈ F ∪ C, where each Expr_i(x_i) is any expression in which x_i occurs and the x_i are the universally quantified variables in the original formula. The case m = 0 gives a new closure condition consisting of the conjunction of constraints translated from the antecedent of the original formula. Note that the property Splittability is defined by a system of coherent axioms. This axiomatization additionally requires a new type of constraint to be added to the tableaux system for their translated rules: Ē, for the complement of E.
Given a separation theory Σ, a (B)BI + Σ-tableau/proof is defined in the same way as Definitions 1 and 2, except that a tableau can also be expanded by translated Σ-rules, and any new closure properties obtained from Σ can factor into the closure of a tableau and thus into proofs.
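As an added illustration, not taken from the paper, the schema just described is worked for two separation properties: the general coherent shape from Section 2 is written out, and two axioms are pushed through the translation into frame expansion rules. Figure 5 is not reproduced here, so the formulations of Partial Determinism and Total below are assumptions, stated in the BBI reading where ∼ is equality; the rule notation (premiss over the CSS that replaces the branch) is likewise only a rendering of the prose.

```latex
% General shape of a coherent formula (n, m \geq 0; \vec{x} is universally
% quantified over the whole formula, each \vec{y}_i existentially in its disjunct):
A_1(\vec{x}) \wedge \cdots \wedge A_n(\vec{x})
  \;\rightarrow\;
  \exists \vec{y}_1\, B_1(\vec{x},\vec{y}_1) \;\vee\; \cdots \;\vee\; \exists \vec{y}_m\, B_m(\vec{x},\vec{y}_m)

% Partial Determinism, assumed formulation (n = 2, m = 1, \vec{y}_1 empty):
R_* x y z \;\wedge\; R_* x y z' \;\rightarrow\; z \sim z'
% Its frame expansion rule: no fresh label is needed, the single conclusion
% adds the translated consequent to the branch's constraint set.
\frac{R_* x y z,\; R_* x y z' \in C}{\langle F,\; C \cup \{\, z \sim z' \,\}\rangle}

% Total, assumed formulation (n = 0, m = 1, \vec{y}_1 = z):
\top \;\rightarrow\; \exists z\, R_* x y z
% Its rule uses the n = 0 premiss shape (any expressions mentioning x and y)
% and a fresh label c_i for the existentially quantified z:
\frac{\mathrm{Expr}_1(x),\; \mathrm{Expr}_2(y) \in F \cup C}{\langle F,\; C \cup \{\, R_* x y c_i \,\}\rangle}

% An axiom with m = 0 adds nothing: its translated antecedent becomes a closure
% condition, so a branch containing all of those constraints is closed.
```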
and using ⊗ to denote closed branches - shows that the tableaux system for BBI + Total proves it. The left-hand branch is closed because FI : c_0, TI : c_0 and c_0 ∼ c_0 all occur, while the right is closed because T⊥ : c_1 occurs.

Applications to Separation Logics
The construction principles guiding the wide variety of separation logics in the literature are described in Jensen [37]: a separation logic is determined by a programming language, an assertion logic to describe machine state - a first-order theory of (B)BI generated by validity in a concrete model of (B)BI + Σ for some separation theory Σ - and a specification logic to describe computations - typically a logic of Hoare triples {φ}C{ψ}, where φ and ψ are formulas of the assertion language and C a program. Soundness of the frame rule, where χ does not include any free variables modified by the program C, witnesses the coherence of these different aspects, and facilitates Separation Logic's characteristic 'local reasoning', which allows conclusions about a program's effect on the global state to be derived from reasoning on just the resource it accesses.
To demonstrate the wide applicability of our framework we now give a number of separation logic models satisfying separation theories captured by our tableaux systems. Because of space constraints this selection is demonstrative rather than exhaustive. Other examples include Petri nets [14]; step-indexed models for storable locks [12] and the Iris framework [38]; separation logics incorporating named [47] and fractional [7] permissions; and separation logics designed for message passing [54] and amortized resource analysis [3].

Heaps. Our first example is given by the standard memory models of Separation Logic [36]. A heap is a partial function h : N → Z, representing an allocation of memory addresses to values. Given heaps h, h', h#h' denotes that dom(h) ∩ dom(h') = ∅; h•h' denotes the union of functions with disjoint domains, which is defined iff h#h'. The empty heap, [], is defined nowhere.
Let H denote the set of all heaps. Then Heap_BBI = (H, BI frame. These frames generate the standard classical and intuitionistic models of Separation Logic. Heap_BBI satisfies Partial Determinism, Cancellativity, Single Unit, Indivisible Units, Cross-Split and Unit Self Joining; Heap_BI additionally satisfies Splittability, Upwards-Closed, Downwards-Closed, Increasing and Normal Increasing while dropping Single Unit and Unit Self Joining. One of the key properties distinguishing the standard memory models is that weakening for * (i.e., φ * ψ → ψ) is valid in the intuitionistic heap model but not the classical. Cao et al. [15] show that this corresponds to the separation property Increasing. Figure 7 - again, written using the traditional representation of tableaux - shows a single-branch tableau proof of φ * ψ → ψ for BI + Increasing, closed because Tψ : c_4, Fψ : c_1 and c_4 ∼ c_1 occur.
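The following Python, added for this page and not code from the paper or from Cao et al., makes the heap model concrete: heaps are dicts, • is union of disjoint maps, and the two orders (extension for Heap_BI, equality for Heap_BBI) are checked against a small constructed universe of all heaps over two addresses, so each check is exhaustive rather than sampled. The formulations of Cancellativity, Indivisible Units, Cross-Split and Increasing used here are assumptions, since Figure 5 is not reproduced; the last check shows why Increasing, and with it weakening for *, holds for the intuitionistic order but fails for the classical one.

```python
from itertools import product

# Constructed finite universe: partial maps from two addresses into two values,
# 3^2 = 9 heaps in all, so every property below is checked over all tuples.
ADDRS = (0, 1)
VALS = (0, 1)
EMPTY = {}          # the empty heap [], the only element of the unit set E


def all_heaps():
    """Every partial map ADDRS -> VALS, as a dict."""
    return [{a: v for a, v in zip(ADDRS, vs) if v is not None}
            for vs in product((None,) + VALS, repeat=len(ADDRS))]


def compose(h1, h2):
    """h1 • h2: union of heaps with disjoint domains; None when h1 # h2 fails."""
    return {**h1, **h2} if not (h1.keys() & h2.keys()) else None


def leq_bi(h1, h2):
    """Extension order of the intuitionistic heap model: h1 ≤ h2 iff h1 ⊆ h2."""
    return h1.items() <= h2.items()


def leq_bbi(h1, h2):
    """The classical model takes ≤ to be equality."""
    return h1 == h2


def cancellative(heaps):
    """z ∈ x • y and z ∈ x • y' imply y = y' (assumed formulation)."""
    for x, y, y2 in product(heaps, repeat=3):
        z = compose(x, y)
        if z is not None and z == compose(x, y2) and y != y2:
            return False
    return True


def indivisible_units(heaps):
    """A unit splits only into units (assumed formulation)."""
    return all(compose(x, y) != EMPTY or (x == EMPTY and y == EMPTY)
               for x, y in product(heaps, repeat=2))


def restrict(h, dom):
    return {k: v for k, v in h.items() if k in dom}


def cross_split(heaps):
    """a • b = c • d implies a, b, c, d split pairwise (assumed formulation);
    for heaps the witnesses are restrictions of a and b to dom(c) and dom(d)."""
    for a, b, c, d in product(heaps, repeat=4):
        ab, cd = compose(a, b), compose(c, d)
        if ab is None or ab != cd:
            continue
        ac, ad = restrict(a, c), restrict(a, d)
        bc, bd = restrict(b, c), restrict(b, d)
        if not (compose(ac, ad) == a and compose(bc, bd) == b
                and compose(ac, bc) == c and compose(ad, bd) == d):
            return False
    return True


def increasing(heaps, leq):
    """z ∈ x • y implies x ≤ z (assumed formulation): the property Cao et al.
    tie to weakening for *, so it depends on which order ≤ the frame carries."""
    return all(compose(x, y) is None or leq(x, compose(x, y))
               for x, y in product(heaps, repeat=2))


def separation_profile(heaps=None):
    """Which of the checked properties the constructed heap universe satisfies."""
    heaps = all_heaps() if heaps is None else heaps
    return {'Cancellativity': cancellative(heaps),
            'Indivisible Units': indivisible_units(heaps),
            'Cross-Split': cross_split(heaps),
            'Increasing (BI order)': increasing(heaps, leq_bi),
            'Increasing (BBI order)': increasing(heaps, leq_bbi)}


if __name__ == '__main__':
    for name, ok in separation_profile().items():
        print('%-24s %s' % (name, ok))
```

Partial Determinism is built into the representation (compose returns at most one heap), which is why it is not listed as a check; the interesting line is the pair of Increasing results, which differ only in the order passed in.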
Permissions. Permissions are incorporated into variants of separation logics that are designed to reason about certain kinds of concurrent algorithms and more fine-grained notions of memory disjointness: for example, disjointness modulo shared read permission. Hóu [32] reports a schema of Clouston that encompasses many such models: we recall it, with two concrete instances.
Let V be a set of values and : V² → V an associative and commutative partial function. Denote by H_V the set of V-valued heaps h : ) is a BBI frame, where • is defined by Hóu defines Bornat et al.'s [6] counting permissions model with V = Z² and This frame satisfies Partial Determinism, Cancellativity, Indivisible Units, Single Unit, Cross-Split and Unit Self Joining. Hóu defines Dockins et al.'s [26] binary tree model by considering the set T of non-empty binary trees with leaves labelled ⊤ or ⊥ that are quotiented by the smallest congruence that identifies any subtree in which all leaves have the same label with a single leaf carrying that label. Then V = Z × T, and is defined, where ∨ (∧) denotes pointwise disjunction (conjunction) of equivalent trees, by This frame satisfies Partial Determinism, Cancellativity, Single Unit, Indivisible Units, Disjointness, Splittability, Cross-Split and Unit Self Joining.

Crash Hoare Logic. Chen et al. [17] use a separation logic to verify that the FSCQ file system meets its specification and secures its data under any sequence of crashes. Cao et al. [15] give the underlying model as the following BI frame. Let V⁺ be the set of non-empty lists over a set V and the empty list. Buffer heaps are defined to be heaps h : N → V⁺. Let H_buff be the set of all buffer heaps. Then Heap_buff = (H_buff, ≤, •, {[]}) is a BI frame, where • is the usual heap composition, and . This frame satisfies Partial Determinism, Cancellativity, Single Unit, Indivisible Units, Cross-Split, Upwards-Closed, Downwards-Closed, Always-Joins, Non-Branching, Unit Self Joining, and Normal Increasing.
Typed Heaps. Cao et al. [15] give an example derived from the handling of multibyte locks in Appel's [2] Verified System Toolchain separation logic for CompCert C. Let a typed heap be a partial map h : N → {char, short_1, short_2} such that h(n) = short_1 implies h(n + 1) = short_2. Let H_typ denote the set of all typed heaps. Then Heap_Typ = (H_typ, ≤, •, H_typ) is a BI frame, where h_1 ≤ h_2 iff, for all n ∈ dom(h_1), either n ∈ dom(h_2) and h This frame satisfies Indivisible Units, Disjointness, Splittability, Cross-Split, Upwards-Closed, Downwards-Closed, Non-Branching, Increasing, and Normal Increasing.

Metatheory
Tableaux Systems as Coherent Theories. Just as coherent formulae yield tableaux rules, tableaux rules yield coherent formulae, allowing a complete specification of our calculi as coherent theories. Our framework determines a first-order signature: for each formula φ of (B)BI, we have unary relation symbols Tφ and Fφ, together with the unary relation symbol E, the binary relation symbol ∼ and the ternary relation symbol R*.
Given a rule premiss 'Sφ : x ∈ F and A_1 x^1_1 … x^1_{k_1}, …, A_m x^m_1 … x^m_{k_m} ∈ C' we obtain the coherent antecedent C(x⃗) ≡ Sφ(x) ∧ ⋀_i A_i x^i_1 … x^i_{k_i}. For the j-th conclusion ⟨F_j, C_j⟩ of the rule we obtain ∃y⃗_j C_j(x⃗, y⃗_j), where C_j is the conjunction of atomic formulae translated from the constraints in F_j ∪ C_j, with any fresh labels c that occurred substituted with y⃗_j. The translated rule is thus C(x⃗) → ⋁_j ∃y⃗_j C_j(x⃗, y⃗_j). For example, the instance of the BI rule F−* for φ −* ψ becomes Fφ−*ψ(x) → ∃y_1, y_2, y_3 (Tφ(y_2) ∧ Fψ(y_3) ∧ x ∼ y_1 ∧ R* y_1 y_2 y_3).
There are some special cases to pay attention to. For tableaux rules with premiss Expr(x) ∈ F ∪ C the antecedent of the translated coherent formula is . This is not the case for rules with premiss Expr(x) ∈ C: these must be translated into a separate rule for each of the finitely many ways x can occur in each constraint. Finally, each closure condition 'S_1φ_1 : x_1, …, S_nφ_n : x_n, A_1 y^1_1 … y^1_{k_1}, …, and A_m y^m_1 … y^m_{k_m}' gives ⋀_i S_iφ_i(x_i) ∧ ⋀_i A_i y^i_1 … y^i_{k_i} → ⊥. Given a (B)BI formula φ, the finite coherent theory Φ^{(B)BI+Σ}_φ is given by the translated (B)BI + Σ-frame expansion rules, the translated closure conditions and the instances of translated logical expansion rules for subformulae of φ. We note that we could specify the whole tableaux system for (B)BI + Σ as an infinite coherent theory (similar to the axiomatization of a Hintikka set in standard tableaux completeness proofs), but finiteness is required for our argument.
Soundness and Completeness. We now prove soundness and completeness of the tableaux method via an analogous result for the Tarskian semantics of coherent logic. First, we show that the existence of a Kripke (B)BI + Σ-model with a state that doesn't satisfy φ is equivalent to the existence of a Tarskian model of

The induced Kripke frame is a well-defined structure because of the frame tableaux rules, with [−] forming equivalence classes and ≤_M, •_M, and E_M independent from the choice of representatives due to Cong. The (B)BI + Σ-frame properties for the induced frame follow from their corresponding rules in the tableaux, and the valuation V_M is independent of the choice of representative and persistent for induced Kripke BI + Σ-models.
We can also induce Tarskian models from Kripke models. Let (X, V) be a Kripke (B)BI + Σ-model. We define the induced Tarskian model by taking X to be the carrier, and defining the interpretation I by

We now connect the existence of a closed tableau to Bezem & Coquand's [4] breadth-first forward reasoning proof system for coherent logic. In their system, judgments of the form X ⊢_Φ D are derived, where X is a set of atomic first-order sentences, Φ a finite coherent theory and D a closed coherent disjunction: a first-order sentence with the same syntactic shape as the consequent of a coherent formula. The derivation of the judgment X ⊢_Φ D is defined inductively:
1. (Base) X ⊢_Φ D holds if for one of the disjuncts ∃y⃗.C of D, there are constants a⃗ such that all conjuncts of C[y⃗ := a⃗] occur in X;
2. (Inductive Step) Consider all closed instances C_i → D_i of Φ-axioms such that the conjuncts of C_i occur in X but the conjuncts of no disjunct C_{i,j} of D_i do. There exist finitely many, with their consequents thus enumerated D_0, …, D_n. Let ∃y⃗_{i,j}.C_{i,j} denote the j-th of the m_i disjuncts of D_i, and denote by C_{i,j} the substitution of y⃗_{i,j} with fresh constants. Infer X ⊢_Φ D from ∀j_0 ∈ {1, …, m_0}, …, ∀j_n ∈ {1, …, m_n} (X, C_{0,j_0}, …, C_{n,j_n} ⊢_Φ D). Importantly, if a D_i is ⊥, then m_i = 0, and X ⊢_Φ D is trivially inferred.
A derivation can be seen as a kind of tableau, branching at each stage by adding every possible consequence of Φ obtainable from the atomic first-order sentences at the current node. A semi-decidable procedure is given to systematically search for a derivation of X ⊢_Φ D. First check the base case. If it doesn't hold, apply the inductive step to any Φ-axioms fireable from X. If there are none, X forms an Herbrand countermodel of Φ against D. If the inductive step can be applied, apply the search procedure recursively to all premisses. Bezem & Coquand show that successful termination corresponds to Tarskian truth.

Theorem 1 ([4]). X ⊢_Φ D is derivable iff the search procedure successfully terminates for X ⊢_Φ D iff D is true in all Tarskian models of X, Φ.
It is straightforward that the search procedure for {Fφ(a)} ⊢_{Φ^{(B)BI+Σ}_φ} ⊥ corresponds precisely to an exhaustive search for a closed tableau for φ.
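The following Python, added for this page and not code from the paper or from Bezem & Coquand, implements the search procedure just described (base case, the set of fireable closed instances, one branch per choice of a disjunct for every fireable instance, fresh constants for the existentials, and an instance with consequent ⊥ closing the branch) and runs it on a translated tableau theory in the sense of the previous subsection, so that {Fφ(a)} ⊢ ⊥ is decided by the same search as a closed tableau for φ. The rule shapes for →, * and atomic closure are assumptions read off the Fig. 2 clauses in the BBI reading (≤ is equality), with R* y z x standing for x ∈ y • z as in the F−* example above; the unit and other frame rules are left out because the two formulas checked do not need them. The depth bound is there only because the procedure is semi-decidable.

```python
from itertools import product

# Atoms are tuples (predicate, arg, ...): arguments starting with '?' are
# variables, anything else is a constant. An axiom is (antecedent, consequent):
# antecedent a tuple of atoms, consequent a tuple of disjuncts
# (existential_vars, atoms); the empty consequent () is ⊥.


def match(pattern, fact, subst):
    """Extend subst so that pattern instantiates to fact; None if impossible."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern[1:], fact[1:]):
        if p.startswith('?'):
            if s.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return s


def instances(atoms, facts, subst=None):
    """Every substitution extending subst under which all atoms occur in facts."""
    subst = {} if subst is None else subst
    if not atoms:
        yield subst
        return
    for fact in facts:
        s = match(atoms[0], fact, subst)
        if s is not None:
            yield from instances(atoms[1:], facts, s)


def holds(disjunct, facts, subst):
    """Does some closed instance of the existential disjunct already occur in facts?"""
    return next(instances(disjunct[1], facts, subst), None) is not None


def derive(facts, theory, goal=(), depth=10, fresh=None):
    """Breadth-first forward search for X ⊢_Φ D. Returns True (derivable),
    False (Herbrand countermodel: facts closed under Φ with D failing), or
    None when the depth bound runs out."""
    fresh = [0] if fresh is None else fresh
    facts = frozenset(facts)
    if any(holds(d, facts, {}) for d in goal):            # base case
        return True
    fireable = [(s, cons) for ante, cons in theory        # inductive step
                for s in instances(ante, facts)
                if not any(holds(d, facts, s) for d in cons)]
    if not fireable:
        return False
    if depth == 0:
        return None
    results = []
    # one branch per choice of a disjunct for each fireable instance; a ⊥
    # consequent offers no choice, so the product is empty and nothing remains
    for choice in product(*[range(len(cons)) for _, cons in fireable]):
        new = set(facts)
        for (s, cons), j in zip(fireable, choice):
            exvars, atoms = cons[j]
            s = dict(s)
            for v in exvars:                              # fresh constant per existential
                s[v] = 'k%d' % fresh[0]
                fresh[0] += 1
            new.update((a[0],) + tuple(s.get(t, t) for t in a[1:]) for a in atoms)
        results.append(derive(new, theory, goal, depth - 1, fresh))
    if any(r is False for r in results):
        return False
    return True if all(r is True for r in results) else None


# Translated tableau rules (assumed shapes, BBI reading of Fig. 2).
R = 'R*'                    # R* y z x  reads  x ∈ y • z


def T(f): return 'T' + f
def F(f): return 'F' + f


def implication_rule(phi, psi):
    """F(φ→ψ):x yields Tφ:x and Fψ:x (classical →)."""
    s = '(%s->%s)' % (phi, psi)
    return ((F(s), '?x'),), (((), ((T(phi), '?x'), (F(psi), '?x'))),)


def star_rules(phi, psi):
    """T(φ*ψ):x yields fresh y, z with R*yzx, Tφ:y, Tψ:z;
    F(φ*ψ):x together with R*yzx in C branches into Fφ:y | Fψ:z."""
    s = '(%s*%s)' % (phi, psi)
    return [(((T(s), '?x'),),
             ((('?y', '?z'), ((R, '?y', '?z', '?x'), (T(phi), '?y'), (T(psi), '?z'))),)),
            (((F(s), '?x'), (R, '?y', '?z', '?x')),
             (((), ((F(phi), '?y'),)), ((), ((F(psi), '?z'),))))]


SYM = (((R, '?x', '?y', '?z'),), (((), ((R, '?y', '?x', '?z'),)),))   # Sym: • commutes


def closure(p):
    """Tp:x and Fp:x on one branch close it: consequent ⊥."""
    return (((T(p), '?x'), (F(p), '?x')), ())


def proves_star_commutativity():
    """(p*q) -> (q*p): every branch closes, i.e. {Fφ(a)} ⊢ ⊥."""
    theory = [implication_rule('(p*q)', '(q*p)'), *star_rules('p', 'q'),
              *star_rules('q', 'p'), SYM, closure('p'), closure('q')]
    return derive({(F('((p*q)->(q*p))'), 'a')}, theory)


def countermodel_for_star_weakening():
    """p -> (p*p) is not BBI-valid: the search halts on a branch closed under Φ."""
    theory = [implication_rule('p', '(p*p)'), *star_rules('p', 'p'), SYM, closure('p')]
    return derive({(F('(p->(p*p))'), 'a')}, theory)


if __name__ == '__main__':
    print(proves_star_commutativity(), countermodel_for_star_weakening())
```

The first run passes through five levels of the inductive step: F→ fires, then T* introduces two fresh labels and an R* constraint, then Sym and F* fire together, and the remaining F* instance branches into cases that each meet a closure condition. The second run stops at the first level with no fireable instance, which is exactly the open branch a tableau would leave for the invalid formula.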

Conclusions and Further Work
We have given a framework of tableaux systems that exhaustively captures the breadth of separation theories in the literature. Our framework is proven sound and complete parametrically by a novel representation of tableaux systems as coherent theories that allows us to apply existing theory from coherent logic. This resolves the expressivity gap between the logics of bunched implications and the separation logics defined upon them, and provides proof theory for the assertion languages of a wide array of program logics.
The completeness of tableaux systems is usually proved by defining a notion of a Hintikka set: a saturated set of (labelled) formulae (and possibly constraints) that can be transformed into a term model of the logic. It is then shown that the uncloseability of a tableau generates a Hintikka set that can be used as a countermodel, thus entailing invalidity of any formula without a tableau proof. Our method can be seen as a generalization of this idea, implemented parametrically by choice of tableaux system. While we have focused on Separation Logic, this technique is adaptable to virtually any logic interpreted on relational structures, including the breadth of bunched and modal logics. That this can all be performed in the setting of coherent logic suggests the significance of the fragment extends beyond the generation of proof rules for frame conditions. We aim to investigate the possibility of using coherent logic as a logical framework for non-classical logics more generally in work to be presented.
The implementation of our systems is of principal importance for future work. Our tableaux representation suggests existing coherent logic provers (see [49] for a survey) may already be suitable, though tactics designed specifically for tableaux coherent theories may have to be developed to make this efficient. A closely related goal is the development of Separation Logic implementations that utilize our systems as assertion language provers; if such an implementation could be done parametrically it would be very powerful indeed. Finally, our results suggest interesting theoretical work. Coherent logic has close connections to topos theory, and Caramello [16] has developed techniques to transfer results between mathematical fields via bridges between the classifying topoi of coherent theories. We wish to investigate if any results of logical interest can be found by utilizing the representation of tableaux as coherent theories.

Lemma 1. Given a Tarskian model M of Φ^{(B)BI+Σ}_φ, the induced Kripke model X_M is a Kripke (B)BI + Σ-model.

The significance of this model is that satisfiability of subformulae ψ of φ is determined by the interpretation of the relation symbols Sψ in the original Tarskian model. A simple proof by induction yields the next lemma.

Lemma 2. Let M be a Tarskian model of the coherent theory Φ