Nested Hoare Triples and Frame Rules for Higher-order Store

Separation logic is a Hoare-style logic for reasoning about programs with heap-allocated mutable data structures. As a step toward extending separation logic to high-level languages with ML-style general (higher-order) storage, we investigate the compatibility of nested Hoare triples with several variations of higher-order frame rules. The interaction of nested triples and frame rules can be subtle, and the inclusion of certain frame rules is in fact unsound. A particular combination of rules can be shown consistent by means of a Kripke model where worlds live in a recursively defined ultrametric space. The resulting logic allows us to elegantly prove programs involving stored code. In particular, using recursively defined assertions, it leads to natural specifications and proofs of invariants required for dealing with recursion through the store.

💡 Research Summary

The paper addresses a fundamental gap in the application of separation logic to languages that support higher‑order store, i.e., the ability to store code values in the heap and later invoke them. Traditional separation logic is well‑suited for reasoning about first‑order heap data, but it lacks mechanisms for abstractly specifying the behavior of stored code. To fill this gap, the authors introduce nested Hoare triples as first‑class assertions: a Hoare triple {P} e {Q} can appear inside any logical formula, allowing one to describe the pre‑ and post‑conditions of code that may be stored in a heap cell.

A naïve combination of such nested triples with the standard frame rule, however, turns out to be unsound. The problem, illustrated by concrete counter‑examples, is that a “deep” frame rule can extend the surrounding heap while silently breaking the invariants assumed by the inner triples. In other words, the frame may add or split heap resources that are referenced inside a nested triple, violating the triple’s assumed isolation.

To obtain a sound system the authors propose two complementary technical devices. First, they define an invariant‑extension operator ⊗ and a derived operator ◦. Given a formula P and an invariant R, P ⊗ R augments every Hoare triple occurring inside P with R on both sides, using the separating conjunction *. The operator ◦ is defined as (P ⊗ R) * R and is used to lift an invariant to the outermost pre‑ and post‑conditions of a triple. A collection of distribution axioms (Figure 2) shows how ⊗ pushes through logical connectives, quantifiers, and the separating conjunction, guaranteeing that any frame added to a judgment automatically propagates to all nested triples.

Second, the authors give a Kripke semantics in which worlds are points of a recursively defined ultrametric space. Worlds consist of a heap together with a “distance” that measures how much the heap may change. The crucial property is that the ⊗ operation is contractive with respect to this distance; consequently, the Banach fixed‑point theorem ensures the existence of unique fixed points for recursive assertions of the form µX.P. This semantic foundation validates the use of recursively defined specifications, which are essential for reasoning about programs that invoke stored code recursively (recursion through the store).

The paper’s concrete language includes integer expressions, immutable variables, a quoting construct 'C' for code values, heap write `