A Relational Model for Confined Separation Logic

Wang Shuling
LMAM and Department of Informatics, School of Mathematical Sciences, Peking University, Beijing, China
joycy@math.pku.edu.cn

L. S. Barbosa and J. N. Oliveira
CCTC and Department of Informatics, Minho University, Portugal
{lsb,jno}@di.uminho.pt

Abstract

Confined separation logic is a new extension to separation logic designed to deal with problems involving dangling references within shared mutable structures. In particular, it allows for reasoning about confinement in object-oriented programs. In this paper, we discuss the semantics of such an extension by defining a relational model for the overall logic, parametric on the shapes of both the store and the heap. This model provides a simple and elegant interpretation of the new confinement connectives and helps in seeking for duals. A number of properties of this logic are proved calculationally.

1. Introduction

Reference aliasing is a well known problem in object-oriented programming, where shared mutable structures are pervasive and access to a particular object may break another's integrity or leak sensitive information of the whole system^1. In this domain, the extensive body of research on encapsulation mechanisms to support data abstraction is of limited help, because usually such mechanisms correspond directly to language constructs, and such is not the case in reference-based programs.

Confinement of objects to specific partitions of the global reference space has become, therefore, a major research issue in object-orientation. Static access modifiers found in current languages (such as the private and protected tags in JAVA) restrict only the visibility of methods, attributes, or variables, but do not constrain object references. Confined types [7], ownership [16] and universes [15] are fine-grained notions of confinement for aliasing control by enforcing static scoping of dynamic object references. However, they are either incomplete or too restrictive. This entails the need for a formal approach to confinement independent of syntactic restrictions and enabling one to assess different confinement schemes.

^1 Reference [28] reports on how the possibility of forging cryptographic authentication in a particular system arose as an unexpected consequence of a leaked reference to an internal data structure.

An interesting attempt in this direction is [4], which resorts to denotational semantics. The approach formalises type-based full encapsulation, but only to address object representation independence. Moreover, a number of strong syntactic restrictions are imposed which exclude useful program idioms.

Our own contribution, partly presented in this paper, goes in a similar direction, but adopts a different approach. Our starting point is separation logic [24], an extension of Hoare Logic where formulae are interpreted over suitable models of stores and heaps. In particular, it introduces a new form of conjunction, the separating conjunction denoted p ∗ q, which asserts that p and q hold for disjoint parts of the heap.

Separation logic has been extensively used to reason about pointer-based programs [24, 23, 8], fine-grained concurrency [17], and object orientation [21, 13, 14]. It can guarantee domain disjointness of object heaps and, therefore, prevent aliasing between objects lying in separated heaps. However, no attention is paid to the behaviour of outgoing dangling references of separated heaps, which may introduce subtle forms of indirect aliasing. As an illustration consider the following Hoare triple

    {p} x := new C(...); {p ∗ x ↦ {...}}

where {...} denotes the object created. C may be, for example, a node type used as an element of a linked stack. Then, the purpose of this piece of code is to allocate a node and use it as a link to a stack. Note, however, that such an object could not be put into a protection domain, because the post-condition of new does not assert the absence of any reference from the part of the heap which validates p to the new object.

The point is that, besides the domain separation of two heaps, we often need to express the restrictions upon outgoing references from heaps. In the example above, in fact we have more information about the relationship between
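The distinction drawn above, between what the separating conjunction guarantees (disjoint heap domains) and what it leaves unsaid (references crossing from one part into the other), can be made concrete with a small executable model. The following Python is an added example written for this page; it is not the paper's relational model nor code from the authors. It assumes a heap is a dictionary from integer addresses to objects, an object is a dictionary from field names to values, and a reference is wrapped in a constructed `Ref` type so that plain integers such as a node's payload are never mistaken for addresses. The stack, node and addresses in `demo()` are constructed sample data.

```python
"""Toy model of separated heaps and cross-heap references (added example).

Assumptions (not from the paper): heap = {address: object}, object =
{field: value}, and a value is a reference only if it is a Ref.  Ref(None)
models a null pointer.
"""
from collections import namedtuple

Ref = namedtuple("Ref", "addr")  # constructed wrapper for a heap address


def separate(h1, h2):
    """What p * q guarantees about the two sub-heaps: dom(h1) and dom(h2) are disjoint."""
    return not (set(h1) & set(h2))


def references_from(h):
    """All non-null references in h as (source address, field, target address) triples."""
    return {(addr, field, val.addr)
            for addr, obj in h.items()
            for field, val in obj.items()
            if isinstance(val, Ref) and val.addr is not None}


def outgoing_refs(h_from, h_to):
    """References leaving h_from whose target lies in dom(h_to).

    The separating conjunction says nothing about these; asserting their
    absence is what a confinement connective has to add.
    """
    return {r for r in references_from(h_from) if r[2] in h_to}


def dangling_refs(h):
    """References in h whose target is outside dom(h) (dangling with respect to h)."""
    return {r for r in references_from(h) if r[2] not in h}


def allocate(h, obj):
    """Model 'x := new C(...)': a fresh address and the one-cell heap x |-> {...}."""
    fresh = max(h, default=0) + 1  # fresh by construction, so disjoint from h
    return fresh, {fresh: dict(obj)}


def demo():
    # Constructed heap validating p: a stack object at 10 whose top is node 1.
    stack_heap = {
        10: {"top": Ref(1)},
        1: {"val": 7, "next": Ref(None)},
    }
    # x := new Node(...): the new node links into the existing stack.
    x, node_heap = allocate(stack_heap, {"val": 3, "next": Ref(1)})

    # p * x |-> {...} holds: the two domains are disjoint...
    disjoint_before = separate(stack_heap, node_heap)
    # ...yet * is silent about references crossing the boundary in either direction.
    into_new_before = outgoing_refs(stack_heap, node_heap)
    out_of_new = outgoing_refs(node_heap, stack_heap)
    node_dangling = dangling_refs(node_heap)

    # Push: redirect the stack's top to the new node.  The domains are still
    # disjoint, so p * x |-> {...} still holds, but now a reference from the
    # p-part points into the new object: exactly the situation * cannot exclude.
    stack_heap[10]["top"] = Ref(x)
    into_new_after = outgoing_refs(stack_heap, node_heap)

    return {
        "x": x,
        "disjoint_before": disjoint_before,
        "disjoint_after": separate(stack_heap, node_heap),
        "into_new_before": into_new_before,
        "into_new_after": into_new_after,
        "out_of_new": out_of_new,
        "node_dangling": node_dangling,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows `separate` returning True both before and after the push, while `outgoing_refs(stack_heap, node_heap)` changes from empty to a single reference into the new node: the separating conjunction is satisfied in both states, so a confinement property has to be stated with an additional connective rather than with ∗ alone.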