Separation Logic with First-Class Heaps and a New Frame Rule

Separation Logic brought an advance to program verification of data structures through its use of (recursively defined) predicates to implicitly represent heaps, and the separation operator to construct heaps from disjoint subheaps. While this facilitated local reasoning in program fragments, the consideration of subheaps that are disjoint meant that any form of sharing between predicates is problematic and often requires manual proofs whose complexity may outweigh the core benefits of Separation Logic itself. With this as background motivation, we present an assertion language in which subheaps may be explicitly defined within predicates, and the effect of separation obtained by specifying that certain heaps are disjoint. Predicates can then be conjoined in the traditional way. We then present a new frame rule that is conditioned upon the heap-update operations of a program fragment. Essentially, a predicate can be framed over the program fragment if its footprint is disjoint from the updates. The main contribution is to demonstrate that the induced program verification method now provides local reasoning on problems that so far have not been adequately solved: • structure sharing in data structures, such as in cyclic graphs, where different program fragments act on different parts on these data structures; • summaries of program fragments where there is a recursively defined relationship between the global heap at the entry and exit program points of the fragment; and • incremental updates to complex data structures. Typically different parts of a complex data structure is manipulated by different program fragments (and this depends on the stored values).