Relational Parametricity and Separation Logic

Separation logic is a recent extension of Hoare logic for reasoning about programs with references to shared mutable data structures. In this paper, we provide a new interpretation of the logic for a programming language with higher types. Our interpretation is based on Reynolds’s relational parametricity, and it provides a formal connection between separation logic and data abstraction.

💡 Research Summary

The paper “Relational Parametricity and Separation Logic” presents a novel semantic framework that unifies separation logic with Reynolds’s relational parametricity, targeting a higher‑order language with mutable heap structures. Traditional separation logic excels at local reasoning through the separating conjunction and frame rule, but its standard models treat heap locations as observable identifiers. Consequently, allocation of fresh cells is not parametric: the concrete address of a newly allocated cell can be distinguished, breaking the abstraction guarantees one would expect from data‑abstraction principles.

To overcome this, the authors construct a relational model based on FM‑domain theory (the “finite‑memory” model of Benton and Leperchey) and a continuation‑passing style (CPS) semantics. In this model, heaps are not merely sets of cells; instead, the semantic world is a Kripke structure whose points are relations on heaps. A world R relates two heaps h₀ and h₁, expressing how the internal resources of two module implementations correspond. The Kripke ordering captures the “framing‑in” of resources: moving to a larger world means more resources are available for framing, and the monotonicity condition guarantees that logical assertions remain true when additional resources are added.

The key conceptual shift is to read Hoare triples {P} c {Q} as relations between two executions of the same program under two different module implementations (or two environments η₀, η₁). The triple now asserts that, given related initial heaps (according to the current world R), the execution of c in both environments yields related final heaps and preserves R. Logical connectives, including the separating conjunction, are lifted pointwise to relations, so that P∗Q holds in a world R precisely when the heap can be split into two disjoint parts that are related separately.

Higher‑order frame rules, which in earlier work were presented as implicit quantifications over internal resources, become explicit in this setting. The authors introduce a universal quantifier over resources in the definition of triples, effectively quantifying over all possible internal invariants that could be framed. This yields a generalized frame rule: if {P} c {Q} holds in all worlds extending a given world, then {P∗I} c {Q∗I} holds for any invariant I, where I itself is a relational assertion. The rule is validated by the Kripke monotonicity of the semantics.

The paper illustrates the theory with a counter module example. Two implementations are given: one stores the integer directly, the other stores its negation. The relation R maps a heap containing a cell i with value v to a heap where the same cell holds –v. The operations inc and read preserve R in both implementations. A client program b that uses inc and read is shown to satisfy the relational triple {P} b {Q} under R, meaning the client cannot distinguish the two implementations. Existing non‑parametric models of separation logic cannot prove this; the new relational model does so directly.

Technical challenges addressed include: (1) non‑parametric allocation, solved by using FM‑cpos where locations can be named but not observed; (2) defining a Kripke structure of heap relations rather than predicates, enabling relational parametricity; (3) validating a broad class of higher‑order frame rules via the monotonicity property. The authors also relate their relational semantics to the standard “direct‑style” semantics of separation logic through an observation closure operation (–)⊥⊥, showing that both interpretations agree on the truth of assertions.

Finally, the paper proves an abstraction theorem: if a client program is provable in separation logic using only the abstract specification of a module (i.e., without referring to its internal resource invariant), then the program behaves uniformly across all implementations related by the appropriate heap relation. This theorem formalizes the intuition that separation logic, when interpreted relationally, enforces data abstraction in the same spirit as Reynolds’s parametricity for polymorphic types.

In summary, the contribution is a rigorous, relationally parametric model of separation logic that (a) handles fresh allocation without breaking abstraction, (b) supports higher‑order frame rules, (c) provides a clean semantic justification for modular reasoning about mutable abstract data types, and (d) bridges the gap between separation logic and relational parametricity, opening avenues for further integration of program logics with type‑theoretic abstraction principles.