# Modular Labelled Sequent Calculi for Abstract Separation Logics

Abstract separation logics are a family of extensions of Hoare logic for reasoning about programs that manipulate resources such as memory locations. These logics are "abstract" because they are independent of any particular concrete resource model. Their assertion languages, called propositional abstract separation logics (PASLs), extend the logic of (Boolean) Bunched Implications (BBI) in various ways. In particular, these logics contain the connectives * and -, denoting the composition and extension of resources respectively. This added expressive power comes at a price since the resulting logics are all undecidable. Given their wide applicability, even a semi-decision procedure for these logics is desirable. Although several PASLs and their relationships with BBI are discussed in the literature, the proof theory and automated reasoning for these logics were open problems solved by the conference version of this paper, which developed a modular proof theory for various PASLs using cut-free labelled sequent calculi. This paper non-trivially improves upon this previous work by giving a general framework of calculi on which any new axiom in the logic satisfying a certain form corresponds to an inference rule in our framework, and the completeness proof is generalised to consider such axioms. Our base calculus handles Calcagno et al.'s original logic of separation algebras by adding sound rules for partial-determinism and cancellativity, while preserving cut-elimination. We then show that many important properties in separation logic, such as indivisible unit, disjointness, splittability, and cross-split, can be expressed in our general axiom form. Thus our framework offers inference rules and completeness for these properties for free. Finally, we show how our calculi reduce to calculi with global label substitutions, enabling more efficient implementation.

There are no comments yet.

## Authors

• 6 publications
• 4 publications
• 5 publications
• 7 publications
02/14/2020

### Uniform labelled calculi for preferential conditional logics based on neighbourhood semantics

The preferential conditional logic PCL, introduced by Burgess, and its e...
02/23/2021

### Syntactic completeness of proper display calculi

A recent strand of research in structural proof theory aims at exploring...
10/11/2019

### Internal Calculi for Separation Logics

We present a general approach to axiomatise separation logics with heapl...
11/19/2019

### Local Reasoning for Global Graph Properties

Separation logics are widely used for verifying programs that manipulate...
06/09/2020

### A Complete Axiomatisation for Quantifier-Free Separation Logic

We present the first complete axiomatisation for quantifier-free separat...
09/20/2017

### An Algebraic Glimpse at Bunched Implications and Separation Logic

We overview the logic of Bunched Implications (BI) and Separation Logic ...
12/14/2021

### A note on calculi for non-deterministic many-valued logics

We present two deductively equivalent calculi for non-deterministic many...
##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1. Introduction

Reynolds’s Separation logic (SL) (Reynolds, 2002) is an extension of Hoare logic for reasoning about programs that explicitly mutate memory. Its assertion logic, also called separation logic, extends the usual (additive) connectives for conjunction , disjunction , implication , and the (additive) verum constant , with the multiplicative connectives separating conjunction , its unit (denoted by in some literature), and separating implication , also called magic wand, from the logic of Bunched Implications (BI) (O’Hearn and Pym, 1999). Moreover, the assertion language introduces the points-to predicate on expressions, along with the usual quantifiers and predicates of first-order logic with equality and arithmetic. The additive connectives may be either intuitionistic, as for BI, or classical, as for the logic of Boolean Bunched Implications (BBI). Classical additives are more expressive as they support reasoning about non-monotonic commands such as memory de-allocation, and assertions such as “the heap is empty” (Ishtiaq and O’Hearn, 2001). In this paper we consider classical additives only.

The concrete memory model for SL is given in terms of heaps, where a heap is a finite partial function from addresses to values. A heap satisfies iff it can be partitioned into heaps satisfying and respectively; it satisfies iff it is empty; it satisfies iff any extension with a heap that satisfies must then satisfy ; and it satisfies iff it is a singleton map sending the address specified by the expression to the value specified by the expression . While the predicate refers to the content of heaps, the BI connectives refer only to their structure. Some basic spatial properties of heaps include the following:

Empty heap:

There is a unique empty heap ;

Identity:

Combining heap with the empty heap gives the original heap ;

Commutativity:

Combining heap with heap is the same as combining with ;

Associativity:

Combining heap with heap and then combining the result with heap is the same as combining heap with the combination of heaps and .

These conditions define a non-deterministic monoid: giving algebraic models for BBI (Galmiche and Larchey-Wendling, 2006).

The idea of separation logic has proved fruitful for a range of memory (or, more generally, resource) models, some quite different from the original heap model. In this paper we will present examples drawn from (Boyland, 2003; Parkinson, 2005; Bornat et al., 2005; Calcagno et al., 2007a; Dockins et al., 2009; Villard et al., 2009; Jensen et al., 2013), but this list is far from exhaustive. Each such model has its own notion of separation and sharing of resources, and hence may formally give rise to a new logic with respect to the BI connectives, let alone any special-purpose predicates which might be added to the logic. As new variations of separation logic are introduced, their relation to prior logics is seldom developed formally, and so new metatheory and tool support must be substantially reconstructed for each case. This has led to a subgenre of papers highlighting the need for organisation and generalisation across these logics (Biering et al., 2007; Calcagno et al., 2007a; Parkinson, 2010; Jensen, 2013).

In this paper we take as a starting point Abstract Separation Logic (Calcagno et al., 2007a), which is intended to generalise the logics of many concrete models. In particular we set quantifiers aside to work with Propositional Abstract Separation Logic (PASL). This logic is defined via the abstract semantics of partial cancellative monoids, or separation algebras, which are non-deterministic monoids restricted by:

Partial-determinism:

The combination of heap with heap is either undefined, or a unique heap;

Cancellativity:

If combining and gives and combining heap and also gives , then .

Semantics in this style are reminiscent of the ternary algebraic semantics often used in connection with substructural logics (Anderson and Belnap, 1976), an observation we exploit in this paper. Separation algebras allow interpretation of , and , although the latter is not considered by (Calcagno et al., 2007a). The points-to () predicate is not a first class citizen of PASL; it may be introduced as a predicate only if an appropriate concrete separation algebra is fixed. PASL is appropriate to reasoning about the structure of memory, but not its content.

Precondition strengthening and postcondition weakening in Hoare-style logics require reasoning in the assertion logic, but proof search and structural proof theory for PASL have received little attention until recently. It is known that the added expressive power of the multiplicative connectives comes at a price, yielding a logic that is in general undecidable (Brotherston and Kanovich, 2014; Larchey-Wendling and Galmiche, 2010). Given the wide applicability of abstract separation logic, even a semi-decision procedure for PASL would assist program verification.

However the definition of separation algebras presented by (Calcagno et al., 2007a) is not necessarily canonical. Most notably (Dockins et al., 2009) suggested the following useful additional properties for spatial reasoning111Dockins et al. (Dockins et al., 2009) also suggested generalising separation algebras to have a set of units; it is an easy corollary of (Brotherston and Villard, 2014, Lemma 3.11) that single-unit and multiple-unit separation algebras satisfy the same set of formulae, and we do not pursue this generalisation in this paper.:

Indivisible unit:

If combining heap with heap gives the empty heap, then and must themselves be the empty heap;

Disjointness:

If the result of combining heap with itself is defined, then must be the empty heap;

Splittability:

Every non-empty heap can be split into two non-empty heaps and ;

Cross-split:

If a heap can be split in two different ways, then there should be heaps that constitute the intersections of these splittings.

Conversely, following (Gotsman et al., 2011) some authors have further generalised separation algebras by dropping cancellativity; we will present concrete examples from (Jensen and Birkedal, 2012; Vafeiadis and Narayan, 2013). These extensions and restrictions of PASL point to a need to present modular proof theory and proof search techniques which allow the axiomatic properties of the abstract models to be adjusted according to the needs of a particular application.

This paper is an extended journal version of the conference paper (Hóu et al., 2014). In that paper, we solved the open problems of presenting sound and complete structural proof theory, and gave a semi-decision procedure, along with an efficient implementation, for Propositional Abstract Separation Logic. We further showed that our methods could encompass the axiomatic extensions of (Dockins et al., 2009), and conversely that cancellativity and partial-determinism could be dropped, and so our proof theory was modular in the sense that it could be used for many neighbouring logics of PASL, including BBI. In this journal paper we make a major extension to the modularity of our approach by introducing a technique to synthesise proof rules from any spatial axiom in a certain format, general enough to encompass all axioms of (Dockins et al., 2009). The remainder of this introduction sketches the techniques used in this paper.

Because of the similarity between non-deterministic monoids, which provide semantics for BBI (Galmiche and Larchey-Wendling, 2006), and the separation algebras which provide semantics for PASL, it is natural to investigate whether techniques used successfully for BBI can be extended to PASL. This paper answers this question in the affirmative by extending the work on BBI of (Hóu et al., 2013, 2015b). In these papers, a sound and complete proof theory was provided for BBI in the style of labelled sequent calculus (Negri and von Plato, 2001), a proof style for modal and substructural logics with Kripke-style frame semantics in which statements about the elements of the frame are explicitly included in the context of sequents. This allows relational properties of the semantics to be explicitly represented as proof rules, which allows labelled sequent calculi to encompass a wide variety of logics in a modular style – the addition or subtraction of semantic properties corresponds exactly to the addition or subtraction of the corresponding proof rules.

This paper builds on (Hóu et al., 2015b) by presenting a labelled sequent calculus for a sublogic of BBI, which is of no intrinsic interest that we are aware of, but which does include all BI connectives. We then show that it can be extended to a labelled sequent calculus for BBI, for PASL, and for various neighbouring logics, by extending it with instances of a general structural rule synthesised from axioms on the semantics. This is possible so long as the axiom is in a certain format, which is sufficiently general to encompass, for example, the spatial properties identified by (Dockins et al., 2009). We call an axiom in this format a frame axiom. We then show that our sequent calculi can be used for effective backward proof search, thereby providing semi-decision procedures for a variety of logics. Our implementation, Separata222Available at http://users.cecs.anu.edu.au/~zhehou., is the first automated theorem prover for PASL and many of its neighbours. Separata differs from our previous implementation for BBI in two aspects: first, Separata can handle multiple abstract separation logics, including BBI, whereas is designed for BBI only; second, Separata is a semi-decision procedure, whereas

adopts a heuristic proof search which is incomplete.

In this work, we are interested in proof search procedures that are complete. In this setting, sequent calculi are amenable to backward proof-search only if the cut rule is redundant. This result follows much as for the calculus of (Hóu et al., 2015b). However completeness does not follow so easily; in (Hóu et al., 2015b) the completeness of was shown by mimicking derivations in the Hilbert axiomatisation of BBI. This avenue is no longer viable for PASL because partial-determinism and cancellativity are not axiomatisable in BBI (Brotherston and Villard, 2014). That is, there can be no Hilbert calculus in the language of BBI which is sound and complete with respect to separation algebras. We instead prove the cut-free completeness of our labelled sequent calculi via a counter-model construction procedure which shows that if a formula is not cut-free derivable in our sequent calculus then it is falsifiable in some PASL-model.

The calculi of this paper differ in style from because, in (Hóu et al., 2015b), explicit substitutions are used in the proof rules, whereas in this paper these are replaced by explicit equality assertions. These are easier for us to manage with respect to proving the modular completeness of our family of calculi, but the presentation with substitutions is more amenable to implementation. We hence show how equivalent new calculi can be defined, with substitutions replacing equalities, and show how this allows a semi-decision procedure to be implemented. Experimental results show that our prover is usually faster than other provers for BBI when tested against the same benchmarks of BBI formulae.

This paper improves upon all aspects of the presentation of results from its conference predecessor (Hóu et al., 2014), partly because of lesser limitations on space, but we here briefly summarise the more important differences between this paper and the earlier work:

• A new modular framework of calculi based on frame axioms and synthesised structural rules. The completeness of calculi in this framework can be obtained in one proof. In the previous work, each new calculus required a new proof;

• A new completeness proof by counter-model construction for a framework of calculi. This proof includes treatments for splittability and cross-split, which are not included in the previous work;

• A translation from the current calculi to previous calculi with global label substitutions;

• More comprehensive experiments with testing of randomly generated formulae;

• Many more examples of concrete separation algebras and their applications;

• Example derivations of various formulae; and a

• Discussion of applications of this work.

The remainder of this paper is structured as follows. Section 2 introduces Propositional Abstract Separation Logic via its separation algebra semantics, gives a number of concrete examples of these semantics, and defines the labelled sequent calculus for PASL. Fundamental results such as soundness and cut-elimination are also proved. Section 3 proves the completeness of our calculi framework by counter-model construction. Section 4 shows how our framework can encompass various neighbouring logics of PASL, based on models with different spatial properties, and discusses how these properties manifest in examples. Section 5 shows how to translate our calculi into a format that is more amenable to implementation, and presents some example derivations. Section 6 presents the implementation and experiments. Section 7 discusses applications and extensions of the calculi in this work. Finally, Section 8 discusses related work.

## 2. A labelled sequent calculus for Pasl

In this section we define the separation algebra semantics of Calcagno et al. (Calcagno et al., 2007a) for Propositional Abstract Separation Logic (PASL), present concrete examples of these semantics, and give the labelled sequent calculus for this logic. Soundness and cut-elimination are then demonstrated for .

### 2.1. Propositional abstract separation logic

The formulae of PASL are defined inductively as follows, where ranges over some set of propositional variables:

 A::= p∣⊤∣⊥∣¬A∣A∨A∣A∧A∣A→A∣⊤∗∣A∗A∣A−∗A

PASL-formulae will be interpreted via the following semantics:

###### Definition 2.1 ().

A separation algebra, or partial cancellative commutative monoid, is a triple where is a non-empty set, is a partial binary function written infix, and , satisfying the following conditions, where ‘’ is interpreted as “either, both sides are undefined, or, both sides are defined and equal”:

identity::

commutativity::

associativity::

cancellativity::

if and then

Note that the partial-determinism of the monoid is assumed since is a partial function: for any , if and then .

###### Example 2.2 ().

The paradigmatic example of a separation algebra is the set of heaps (Reynolds, 2002): finite partial functions from an infinite set of locations to a set of values. Then if have disjoint domains, and is undefined otherwise. is the empty function.

###### Example 2.3 ().

A partial commutative semigroup (Bornat et al., 2005), also known as a permission algebra333We prefer the former term, as many interesting examples have little to do with permissions, and the ‘permissions algebra’ terminology is not used consistently in the literature; compare (Calcagno et al., 2007a; Vafeiadis, 2007). (Calcagno et al., 2007a), is a set equipped with an associative commutative partial binary operator , written infix. In other words, it is a separation algebra without the requirement to have a unit, or to be cancellative.

Fixing such a , for which we will give some example definitions shortly, and given an infinite set of locations , we define two finite partial functions from to to be compatible iff for all in the intersection of their domains, is defined. We then define the binary operation on partial functions as undefined if they are not compatible. Where they are compatible, is defined as:

 (h1∘h2)(l)=⎧⎪ ⎪ ⎪⎨⎪ ⎪ ⎪⎩h1(l)⋆h2(l)l∈dom(h1)∩dom(h2)h1(l)l∈dom(h1)∖dom(h2)h2(l)l∈dom(h2)∖dom(h1)undefinedl∉dom(h1)∪dom(h2)

Setting as the empty function, many examples of concrete separation algebras have this form, with the operation, where defined, intuitively corresponding to some notion of sharing of resources. The following are some example definitions of such a construction:

• Heaps: let be the set of values, and be undefined everywhere.

• Fractional permissions (Boyland, 2003): let be the set of pairs of values (denoted by ) and (real or rational) numbers (denoted by ) in the interval , and

 (v,i)⋆(w,j)={(v,i+j)v=w and i+j≤1undefinedotherwise
• Named permissions (Parkinson, 2005): given a set of permission names, let be the set of pairs of values (denoted by ) and non-empty subsets (denoted by ) of , and

 (v,P)⋆(w,Q)={(v,P∪Q)v=w and P∩Q=∅undefinedotherwise
• Counting permissions (Bornat et al., 2005): let be the set of pairs of values (denoted by ) and integers (denoted by ). Here is interpreted as total permission, negative integers as read permissions, and positive integers as counters of the number of permissions taken. Let

 (v,i)⋆(w,j)=⎧⎨⎩(v,i+j)v=w and i<0 and j<0(v,i+j)v=w and i+j≥0 and (i<0 or j<0)undefinedotherwise
• Binary Tree Share Model (Dockins et al., 2009): Consider the set of finite non-empty binary trees whose leaves are labelled true () or false (), modulo the smallest congruence such that

Let (resp. ) be the pointwise disjunction (resp. conjunction) of representative trees of the same shape. Then let be the pairs of values (denoted by ) and equivalence classes of trees (denoted by ) so defined, and with defined as shown below, where is the equivalence class containing the tree whose only node contains :

 (v,t)⋆(w,u)={(v,t∨u)v=w and t∧u=[⊥]undefinedotherwise.

Note that the construction above with partial commutative semigroups does not in general guarantee cancellativity of the separation algebra; for this we need to require further that is cancellative and has no idempotent elements (satisfying ). As we will see later, some interesting concrete models fail this requirement, and so we will generalise the results of the paper to drop cancellativity in Section 4.

###### Example 2.4 ().

Other concrete separation algebras resemble the construction of Example 2.3 without fitting it precisely:

• Finite set of locations: The concrete memory model of a 32-bit machine (Jensen et al., 2013) has as its locations the set of integers .

• Total functions: Markings of Petri nets (Murata, 1989) without capacity constraints are simply multisets. They may be considered as separation algebras (Calcagno et al., 2007a) by taking to be and to be the set of natural numbers with addition, then considering the set of total functions , with defined as usual (hence, as multiset union), and as the constant function. If there is a global capacity constraint then we let be undefined if , and hence becomes undefined also in the usual way.

Note that this example can only be made to exactly fit the construction of Example 2.3 if we restrict ourselves to markings of infinite Petri nets with finite numbers of tokens. In this case we would consider a place without tokens to have an undefined map, rather than map to , and set to be the positive integers.

• Constraints on functions: The endpoint heaps of (Villard et al., 2009) are only those partial functions that are dual, irreflexive and injective (we refer to the citation for the definition of these properties). Similarly, if the places of a Petri net comes equipped with a capacity constraint function , we consider only those functions compatible with those constraints.

The examples above, which we do not claim to be exhaustive, justify the study of the abstract properties shared by these concrete semantics. We hence now turn to the logic PASL, which has semantics in any separation algebra (Definition 2.1). In this paper we prefer to express PASL semantics in the style of ternary relations, which are standard in substructural logic (Anderson and Belnap, 1976) and in harmony with the most important work preceding this paper (Hóu et al., 2015b). We give the ternary relations version of Definition 2.1, easily seen to be equivalent, as follows.

###### Definition 2.5 ().

A PASL Kripke relational frame is a triple , where is a non-empty set of worlds, , and , satisfying the following conditions for all in :

identity::

commutativity::

associativity::

cancellativity::

partial-determinism::

.

A PASL Kripke relational model is a tuple of a PASL Kripke relational frame and a valuation function (where is the power set of ). The forcing relation between a model and a formula is defined in Table 1, where we write for the negation of . Given a model , a formula is true at (world) iff . The formula is valid iff it is true at all worlds of all models.

### 2.2. The labelled sequent calculus LSPASL

Let be an infinite set of label variables, and let the set of labels be , where is a label constant not in ; here we overload the notation for the identity world in the semantics. Labels will be denoted by lower-case letters such as . A labelled formula is a pair of a label and formula . As usual in a labelled sequent calculus, one needs to incorporate Kripke relations explicitly into the sequents. This is achieved via the syntactic notion of relational atoms, which have the form of either (equality), (inequality), or a ternary relational atom standing for , where are labels. A sequent takes the form

 G;Γ⊢Δ

where is a set of relational atoms, and and are sets of labelled formulae. We also use the symbol “” inside , and to indicate set union: for example, is . Given , we denote by the set of equations occurring in .

We now abuse the sequent turnstile slightly to write , where is a (possibly infinite) set of equations, to denote an equality judgment under the assumption , defined inductively as follows:

 \AxiomC{(s=t)∈E} \UnaryInfC{E⊢s=t} \DisplayProof \AxiomC{} \UnaryInfC{E⊢s=s} \DisplayProof \AxiomC{E⊢s=t} \UnaryInfC{E⊢t=s} \DisplayProof \AxiomC{E⊢s=t} \AxiomC{E⊢t=u} \BinaryInfC{E⊢s=u} \DisplayProof

It is easy to see that iff for a finite subset of Note that an equality judgement is not a sequent but abuses the sequent turnstile to keep track of equalities.

As we shall soon see, working within a labelled sequent calculus framework allows us to synthesise, in a generic way, proof rules that correspond to a variety of different properties of separation algebras, and their extensions. However we first must introduce a core logic, a sublogic of BBI (and hence, of PASL) which we call , which consists only of identity, cut, logical rules and the structural rules and . The proof system for this sublogic is presented in Figure 1. The structural rule is essentially a form of cut on equality predicates. The rules and are admissible for and many of its extensions, but will be needed for some extensions, such as the extension of PASL with splittability. Note that the equality judgment is not a premise requiring proof, but rather a condition for the rule id. Therefore the rules , , , , are zero-premise rules. In the rules and , the respective principal formulae and also occur in the premises. This is to ensure that contraction is admissible, which is essential to obtain cut-elimination.

Given a relational frame , a function from labels to worlds is a label mapping iff it satisfies , mapping the label constant to the identity world . Intuitively, a labelled formula means that formula is true in world . Thus we define an extended PASL Kripke relational model as a model equipped with a label mapping.

###### Definition 2.6 (Sequent Falsifiability).

A sequent is falsifiable in an extended model if for every , , and for every , we have each of and and It is falsifiable if it is falsifiable in some extended model.

#### Synthesising structural rules from frame axioms

We now define extensions of the sublogic via first-order axioms that correspond to various semantic conditions used to define PASL and its variations. For this work, we consider only axioms that are closed formulae of the following general axiom form where are natural numbers:

 (1) ∀x1,…,xm.(s1=t1&⋯&sp=tp&S1&⋯&Sk⇒∃y1,…,yn.(T1&⋯&Tl))

Note that where , , or are , we assume the empty conjunction is . We further require the following conditions:

• each , for , is either a ternary relational atom or an inequality;

• each , for , is a relational atom;

• every label variable in occurs only once;

• if , for , is a ternary relational atom, then does not occur in .

We call axioms of this form frame axioms. A frame axiom can be given semantics in terms of Kripke frames, following the standard classical first-order interpretation (see e.g., (Fitting, 1996)). Recall that a first-order model is a pair of a non-empty domain and an interpretation function that associates each constant in the first-order language to a member of and every -ary relation symbol to an -ary relation over . When interpreting first-order formulae with free variables, we additionally need to specify the valuation of the free variables, i.e., a mapping of the free variables to elements of . The notion of truth of a first-order formula (under a model and a given valuation of its free variables) is standard and the reader is referred to, e.g., (Fitting, 1996) for details.

###### Definition 2.7 ().

A Kripke frame satisfies a frame axiom iff is true in the first order model , where is the interpretation function that associates the symbol to the label constant in the set , the predicate symbol to the relation , and the equality symbol to the identity relation over . A Kripke frame satisfies a set of frame axioms iff it satisfies every frame axiom in the set.

A frame axiom such as the one from Formula (1) induces the following general structural rule:

 G;S1;…;Sk;T1;…;Tl;Γ⊢Δ E(G)⊢s1=t1⋯E(G)⊢sp=tp G;S1;…;Sk;Γ⊢Δ

where the existential condition in Equation 1 becomes a side-condition that the existentially quantified variables must be fresh label variables not occurring in the conclusion of the rule.

###### Example 2.8 ().

The semantic clauses in Definition 2.5 can be captured by the following frame axioms:

identity 1::

identity 2::

commutativity::

associativity::

cancellativity::

partial-determinism::

.

These frame axioms are mostly a straightforward translation from the semantic clauses of Definition 2.5 into the syntactic form, replacing the relation with the predicate symbol It is trivial to show that the Kripke frames defined in Definition 2.5 satisfy the frame axioms above. However, notice that the syntactic form of the frame axioms does not allow more than one occurrence of a variable in the left hand side of the implications. Thus, for each semantic clause of Definition 2.5, we need to identify each world that occurs multiple (say, ) times on the left hand side of the implications, make distinct copies of that world, and add equalities relating them. If occurs in a ternary relational atom on the left hand side, we need to create a fresh (universally quantified) variable, e.g., , and add that .

Take the associativity axiom in Definition 2.5 as an example:

The world occurs twice on the left hand side, so we make two copies of it: and . The corresponding axiom in frame axiom form is then:

We may then synthesise the following structural rule for associativity:

with the “freshness” side-condition that does not appear in the conclusion.

Note that this rule is applicable on , as is trivial.

From the frame axioms in Example 2.8 above, we obtain the structural rules of Figure 2. The identity axiom, as it is a bi-implication, gives rise to two rules and . The commutativity axiom translates to rule , associativity to , cancellativity to and partial determinism to . The proof system is defined to be the rules of Figure 1 for the sublogic , plus the synthesised structural rules of Figure 2.

We remark here that it is not always obvious what the effect of each semantic property will be on the set of valid formulae; for example it was only recently discovered (Larchey-Wendling and Galmiche, 2014) that cancellativity does not affect validity in the presence of the other properties. This lends weight to the suggestion of (Gotsman et al., 2011) that cancellativity should be omitted from the definition of separation algebra; see also our examples of concrete separation algebras without cancellativity in Section 4.5. It is nonetheless harmless to include it in our rules, and may be useful for some extensions of PASL, as we discuss in Section 8.

It is easy to check that the following hold:

###### Theorem 2.9 (Soundness of the general structural rule).

Every synthesised instance of the general structural rule is sound with respect to the Kripke relational frames with the corresponding frame axiom.

###### Corollary 2.10 (Soundness of LSPASL).

For any formula , and for an arbitrary label , if the labelled sequent is derivable in then is valid.

Note that the soundness of has been formally verified via the interactive theorem prover Isabelle (Hóu et al., 2016).

We will give the name to the general proof system that extends the rules of Figure 1 with any set of structural rules synthesised from frame axioms. A proof system consisting of the rules in Figure 1 plus a finite number of instances of the general structural rule is called an instance of .

### 2.3. Cut-elimination for the general proof system LSG

In this section we see that the rule of Figure 1 is admissible in the general nested sequent calculus . Since cut-admissibility can be obtained indirectly from the cut-free completeness proof in the next section, we do not give full details here.

A label substitution is a mapping from label variables to labels. The domain of a substitution is the set . We restrict to substitutions with only finite domains. We use the notation to denote a substitution mapping variables to labels Application of a substitution to a term or a formula is written in a postfix notation, e.g., denotes a formula obtained by substituting for every free occurrence of in This notation generalises straightforwardly to applications of substitutions to (multi)sets of formulas, relational atoms and sequents.

We will first present a substitution lemma for instance systems of . This requires the following lemma.

###### Lemma 2.11 (Substitution in equality judgments).

Given any set of equality relational atoms, any labels , and , and any label variable , if , then , where every occurrence of is replaced with .

In the substitution lemma below we use to denote the height of the derivation .

###### Lemma 2.12 (Substitution for LSG).

In any instance system of , if is a derivation for the sequent , then there is a derivation of the sequent where every occurrence of label variable is replaced by label , such that .

Since does not involve explicit label substitutions in the rules anymore, the proof for the substitution lemma is actually simpler than the proof for  (Hóu et al., 2015b), to which we refer interested readers.

The admissibility of weakening for any instance system of can be proved by a simple induction on the length of the derivation. The invertibility of the inference rules in can be proved in a similar way as for  (Hóu et al., 2015b), which uses similar techniques as for  (Negri and von Plato, 2001). The proofs for the following lemmas are a straightforward adaptation of similar proofs from (Hóu et al., 2015b) so we omit details here.

###### Lemma 2.13 (Weakening admissibility of LSG).

If is derivable in any instance system of , then for any set of relational atoms, and any set and of labelled formulae, the sequent is derivable with the same height in that instance of .

###### Lemma 2.14 (Invertibility of rules in LSG).

In any instance system of , if is a cut-free derivation of the conclusion of a rule, then there is a cut-free derivation for each premise, with height at most .

Since the sequents in our definition consists of sets, the admissibility of contraction is trivial and we do not state it as a lemma here. The cut-elimination proof here is an adaptation of that of (Hóu et al., 2015b). The proof in our case is simpler, as our cut rule does not split context, and our inference rules do not involve explicit label substitutions. We hence state the theorem here without proof:

###### Theorem 2.15 (Cut-elimination for LSG).

For any instance of , if a formula is derivable in that instance, then it is derivable without using in that instance.

## 3. Counter-model construction for LSG

We now give a counter-model construction procedure that works for all finite instances (systems with finite rules) of the general proof system , and hence establishes their completeness.

As the counter-model construction involves infinite sets and sequents, we extend the definition of equality judgment:

###### Definition 3.1 ().

Given a (possibly infinite) set of relational atoms, the judgment holds iff holds for some finite .

Given a set of relational atoms, we define the relation as follows: iff . We next state a lemma which is an immediate result from our equality judgment rules and will be useful in our counter-model construction later:

###### Lemma 3.2 ().

Given a set of relational atoms, the relation is an equivalence relation on the set of labels.

The equivalence relation partitions into equivalence classes for each label :

 [a]G={a′∈L∣a=Ga′}.

The counter-model construction is essentially a procedure to saturate a sequent by applying all backward applicable rules repeatedly. The aim is to obtain an infinite saturated sequent from which a counter-model can be extracted. We first define a list of required conditions for such an infinite sequent which would allow the counter-model construction.

###### Definition 3.3 (General Hintikka sequent).

A labelled sequent is a general Hintikka sequent if it satisfies the following conditions for any formulae and any labels :

1. It is not the case that , and

2. and

3. If then

4. If then

5. If then and

6. If then or

7. If then or

8. If then and

9. If then s.t. , , and

10. If then if and then or

11. If then if and , then or

12. If then s.t. , , and

13. It is not the case that and .

14. Either or .

15. Given a frame axiom of the form

 ∀x1,…,xm.(s1=t1&⋯&sp=tp&S1&⋯&Sk⇒∃y1,…,yn.(T1&⋯&Tl))

for any labels and substitution , if and for , then there exist and substitution such that .

In condition 15, the variables and are schematic variables, i.e., symbols that belong to the metalanguage, and the substitutions and replace these schematic variables with labels. Since and have disjoint domains, we have that and . These will be useful in the proofs below.

We are often interested in some particular Hintikka sequents that correspond to certain frame axioms. Given a set of frame axioms, a -Hintikka sequent is an instance of the general Hintikka sequent where condition 15 holds for each frame axiom in . We say a Kripke frame satisfies when every frame axiom in is satisfied by the Kripke frame.

Next we show a parametric Hintikka lemma: a Hintikka sequent parameterised over a set of frame axioms gives a Kripke relational frame where the set of frame axioms are satisfied and the formulae in the right hand side of the sequent are false.

###### Lemma 3.4 ().

Given a set of frame axioms, every -Hintikka sequent is falsifiable in some Kripke frame satisfying

###### Proof.

Let be an arbitrary -Hintikka sequent. We construct an extended model as follows:

• iff s.t.