A denotationally-based program logic for higher-order store

Separation logic is used to reason locally about stateful programs. State of the art program logics for higher-order store are usually built on top of untyped operational semantics, in part because traditional denotational methods have struggled to simultaneously account for general references and parametric polymorphism. The recent discovery of simple denotational semantics for general references and polymorphism in synthetic guarded domain theory has enabled us to develop TULIP, a higher-order separation logic over the typed equational theory of higher-order store for a monadic version of System F{mu,ref}. The Tulip logic differs from operationally-based program logics in two ways: predicates range over the meanings of typed terms rather than over the raw code of untyped terms, and they are automatically invariant under the equational congruence of higher-order store, which applies even underneath a binder. As a result,"pure"proof steps that conventionally require focusing the Hoare triple on an operational redex are replaced by a simple equational rewrite in Tulip. We have evaluated Tulip against standard examples involving linked lists in the heap, comparing our abstract equational reasoning with more familiar operational-style reasoning. Our main result is the soundness of Tulip, which we establish by constructing a BI-hyperdoctrine over the denotational semantics of F{mu,ref} in an impredicative version of synthetic guarded domain theory.


Introduction
State of the art program logics such as Iris [30] and the Verified Software Toolchain [1] typically combine two design decisions: the basic sorts of the logic are generated by the raw, untyped terms of the programming language, and constructs of the program logic are defined in terms of operational semantics layered over this raw syntax.In contrast, the original program logic LCF [24,41,39,23] and successors like HOLCF [27] work in a more abstract way: predicates range over typed denotations rather than over untyped raw syntax.The difference in abstraction is substantial: whereas a predicate on raw syntax need not even be invariant under α-equivalence, a predicate on denotations is automatically invariant under the entire equational theory of the language.Nevertheless, denotationally-based program logics have fallen by the wayside in part because of the historic failure of denotational methods to provide simple enough answers to the questions posed by higher-order effectful programming, e.g. the combination of general references, polymorphism, and concurrency; as a result, the benefits of denotations are primarily reaped today in the first-order realm, as in the successful revival of coinductive resumption semantics by Xia et al .[47]. 1 Email: aagaard@cs.au.dk 2 Email: jsterling@cs.au.dk 3 Email: birkedal@cs.au.dkDenotational and algebraic approaches to program semantics have other benefits besides their abstractness: they are more modular, and they are more directly compatible with practical mathematical tools from category theory and topology, which have become increasingly relevant in light of recent interest in probabilistic and differentiable computing for the sciences.We therefore have ample motivation to bridge the gap between denotational methods and modern logics for reasoning about programs.

Denotational semantics of general references and polymorphism
Sterling et al .[46] have recently discovered a simple denotational semantics for general references and polymorphism, decomposing the problem of higher-order store with semantic worlds into two separate constructs that are easily combined: impredicativity and guarded recursion.At the heart of their development is Impredicative Guarded Dependent Type Theory (iGDTT), a type theoretic metalanguage for synthetic guarded domain theory [11] extended by an impredicative universe of sets.Although op.cit.have made promising strides in the denotational understanding of higher-order stateful programs, non-trivial reasoning about state requires more than equational logic.Operationally-based program logics like Iris employ guarded higher-order separation logic for this purpose; our contribution in this paper is to adapt these methods to the denotational semantics of Sterling et al .

Higher-order separation logic over denotational semantics
We extend the monadic equational theory of higher-order store for System F ref µ to a full higher-order separation logic called Tulip.In contrast to systems like Iris which layer the separation logic over an encoding of the raw syntax of the object language, predicates in Tulip range not over code but rather over the actual types of F ref µ , subject to the full equational congruence.In a conventional operationally-based program logic, equational reasoning is rather only applicable within the focus of a Hoare triple and is moreover limited to operational head reduction and cannot occur under binders, etc.
Our main contribution is the soundness of Tulip for reasoning about Sterling et al .'s denotational semantics of F ref µ , which we establish by constructing a suitable BI-hyperdoctrine [8].We have made pervasive use of type theoretic internal languages to facilitate this work: first, System F ref µ is intepreted in internal co-presheaves on a poset of semantic heap layouts W defined in iGDTT by solving a guarded recursive domain equation; then, our BI-hyperdoctrine is itself constructed in the type theoretic language of co-presheaves on W. Because iGDTT itself is sound [46], it follows that our logic is sound.

Structure of this paper
In Section 2 we describe the Tulip logic and its computational substrate F ref µ ; in Section 3, we illustrate the use of Tulip through a worked example involving linked lists in the heap.In Section 4.1, we recall the iGDTT metalanguage and the basics of synthetic guarded domain theory, which we use in Sections 4.2 and 4.3 to explain the denotational semantics of higher-order store and the interpretation of guarded higher-order separation logic over this model.In Section 4.4, we show that Tulip is sound with respect to this model and therefore consistent.
2 Tulip: an equational program logic for higher-order store In this section, we introduce a Tulip program logic that extends the monadic equational logic of System F ref µ with the connectives and rules of guarded higher-order separation logic [13], together with a built-in connective for weakest preconditions.The Tulip logic is related to System F ref µ in roughly the same way that LCF relates to PCF [41,44].
Tulip will have two kinds of types -"program types" and "logical types" -and to efficiently organize the formalism, we will define the typehood judgment schematically in a flag ι ∈ {p, ℓ}. 4 With this convention in hand, the forms of judgment of Tulip classify type contexts Ξ tctx , element contexts Ξ ⊢ Γ ctx , types Ξ ⊢ A type @ ι , program elements Ξ | Γ ⊢ a : A , propositions Ξ | Γ ⊢ ϕ prop , and entailments Ξ | Γ | ϕ ⊢ ψ .Every syntactic construct of Tulip is subject to a relation of judgmental equality (≡) which is respected by all judgments and preserved by all operations; for instance, we shall write Ξ | Γ ⊢ u ≡ v : A to mean that u and v are judgmentally equal elements of type A.
Notation 2.1 When specifying the rules of Tulip, we will often write entailments Ξ | Γ | ϕ ⊢ ψ as ϕ ⊢ ψ when the contexts do not change from premise to conclusion.

Rules for types and elements
Type contexts Ξ tctx contain variables α ranging over program types only.Element contexts Ξ ⊢ Γ ctx contain variables x : A ranging over elements of types Ξ ⊢ A type @ ι.Both program types and logical types are closed under function spaces, cartesian products, inductive types, and universal quantification over program types; program types are furthermore closed under a computational monad in the sense of Moggi [36], as well as existential and recursive types.The only subtlety is that the unfold destructor for recursive types is treated effectfully, confining recursion to the monad.Every program type is a logical type, and the inclusion of program types into logical types commutes up to isomorphism with function spaces, product types, and inductive types.We will treat these coercions silently as it causes no ambiguity.
For lack of space, we will not dwell on the product and function types except to comment that they satisfy the full universal properties of exponentials and cartesian products up to judgmental equality.Likewise, we do not present here the (quite standard) account of inductive types -except to note that we close both program and logical types under inductives, and structurally recursive functions into logical types on program-level data are permitted.

The computational monad
The universe of program types is closed under a computational monad T in the sense of Moggi [36] governing both state and general recursion.
We present the standard equational theory of monads in Appendix A. We defer our discussion of the monadic operations for general recursion and state to Section 2.1.2.

General recursion and general references
Program types are closed under both general recursive types and general reference types.As the rules for these are somewhat subtle in our monadic environment, we cover them in detail.First we describe the formation rules for types and terms, before introducing their equational theory.
The step constructor above is a "no-op" instruction witnessing the guarded or intensional nature of our denotational semantics; 5 this is reflected in the equational theory by the emission of step instructions with reads to the heap and the unfolding of recursive types.Our logic, as we explain later, will provide rules that allow these steps to be used as fuel for recursive deductions.We also have, but do not present, rules that commute step past all primitive effects.Remark 2.2 Observe that ours is a theory of higher-order global store rather than higher-order local store in the sense that allocations are not hidden but rather have a globally observable effect.The state of the art in denotational semantics for local store is currently restricted to references of ground type [31].

Universal and existential types
Our language contains both universal and existential types; it is common to "encode" the latter in terms of the former, but encodings of this form are not quite correct as they neglect the equational theory of existential types. 6We therefore include both connectives as primitives.
The equational theory of universals and existentials is presented in Appendix A.

Rules for the propositional fragment
The logical layer of Tulip is a form of guarded higher-order separation logic.We will treat each of these aspects modularly; in Sections 2.2.1 and 2.2.2 we recall the rules of intuitionistic higher-order equational logic, and in Section 2.2.3 we recall (affine) separation logic, and we finish in Section 2.2.4 with an overview of the later modality and its Löb induction principle, and how they interact with the rest of the logic.

Equational logic
So far the only form of equality that we have considered is judgmental or external equality in the sense of Jacobs [29, §3.2]; in order to facilitate equational reasoning in the logic, we add propositional equality and relate it to judgmental equality using the following rules: As Jacobs [29] explains, the Lawvere rule entails all important properties of equality, including congruence for all constructs of Tulip and its F ref µ substrate.The equality reflection rule above is needed to complete the relationship between (unconditional) judgmental equality and propositional equality without assumptions.7

Intuitionistic higher-order logic
We assume the usual rules of intuitionistic first-order logic over logical types; in particular, in addition to implications ⇒, conjunctions ∧, and disjunctions ∨, we may form universal and existential quantifications ∀(x : A).ϕ and ∃(x : A).ϕ when A is a logical type.The logic is made higher-order by introducing a logical type classifying all propositions.

Separation logic for local reasoning
We assume the standard rules for intuitionistic affine separation logic, in which we have a separating conjunction ϕ * ψ with unit ⊤, and separating implications given as right adjoints (− * ψ) ⊣ (ψ − * −).
In addition to the separating conjunction and implication, separation logic contains a coreflective sublogic of persistent propositions, which are to a first approximation those that are not sensitive to the state of the heap and can therefore be duplicated freely.In particular, we add an idempotent comonadic modality □ that takes a proposition to its "persistent core"; a proposition ϕ is then called persistent if the entailment ϕ ⊢ □ϕ holds.Persistent propositions in this sense are closed under all the connectives of intuitionistic first-order logic; we omit the rules that establish this and instead focus on the interaction between persistence and the connectives of separation logic: It follows from the above that the separating conjunction of persistent propositions is their conjunction.

The later modality and guarded recursion
In order to use Tulip as a logic to reason about general recursion (including recursion inherent in the heap), it is necessary to introduce the later modality ; as in prior works [2,21,30], the later modality abstracts away the onerous step-indices of more concrete accounts of higher-order store leaving only the essential logical structure of guarded-recursive reasoning.The abstract will meet the concrete, however, when we illustrate below the interaction between the later modality and the constructions of our programming language in the fold equality and step equality rules.
The Löb induction rule above is what makes (guarded) recursive reasoning possible in Tulip; the function of the fold equality and step equality rules is to provide "fuel" that can be used to discharge the later modality in the Löb induction hypothesis.This is the sense in which Tulip evinces an abstract form of step-indexing: operations that semantically involve unfolding a recursive domain equation leave behind abstract steps that can be used to advance in time in relation to the later modality.

Weakest preconditions
For reasoning about programs, we introduce a connective called the partial weakest precondition.Morally, the weakest precondition of a program and a predicate, as the name suggests, is the weakest proposition that guarantees the predicate shall hold of any return value of the program.Note, however, that, despite the name, we make no claim, neither in the logic nor in its semantics, that it is in fact the weakest such proposition; this is in line with the usage in Iris [30].
It is worth comparing the above rules to the rules in Iris [30,Fig.13].Our first four entailments are exactly the same as the corresponding rules in Iris; note that as in Iris, wp-wand implies the frame rule.Our rules for wp-set and wp-new rules differ slightly from those of Iris, which have an occurrence of the later modality in the antecedent that ours lack.This is because every operation in Iris takes a step, but in our semantics, only operations that semantically correspond to unfolding a recursive domain equation do.
Values in the heap are stored "one step in the future", so get must take a step before returning; consequently, the postcondition of get only needs to hold later.However, it is not an issue for set and new to send a value to the future without going there, implying the postcondition must be known now.This behaviour is reflected in the rules get-after-set and set-after-new, where the former shows that get takes a step, whilst ret does not, and the latter shows that set does not take a step.A second difference to point out is that whilst Iris has a rule for β-reduction of functions, we do not.This is because our programming language is subject to the β/η-equational theory of monadic λ-calculus, so rather than having a rule stating that wp (e[v/x]) {y.ϕ} ⊢ wp ((λx.e) v) {y.ϕ}, the two propositions are actually convertible.

Recursive Functions
As is standard, recursive types can be used to derive recursive terms via self-referential types (see e.g.Harper [25]).Using this approach, we obtain terms rec f (x) in e for recursive functions typed as follows: This derived form satisfies the equation (rec f (x) in e) x ≡ step; e[rec f (x) in e/f ].Löb induction implies the following weakest precondition rule, reminiscent of the corresponding Hoare triple rule in Iris [9]: 3 Case study: verifying the append function on linked lists In this section, we illustrate the use of Tulip by an elementary case study: linked lists in the heap and their append function.The proof is very similar to the one in Iris [9, §4.2], although some steps are perhaps slightly simpler as they use equational reasoning rather than explicit rules for reduction in weakest preconditions.We first define a recursive type of imperative linked lists on any type α: Our goal is to define the append function on imperative linked lists and prove that it is correct.This means, in particular, to show that it behaves the same as a pure reference implementation defined on functional lists.In order to say what it means for a function on imperative lists to behave like a function on linked lists, we must first introduce a formal correspondence between the two types [9,Sec.4.2].This can be done directly as a structurally recursive function in Tulip.(≈) : Note that whilst elements of type ilist α could potentially be cyclic, this is ruled out by the list invariant above: the separating conjunction consumes the location r so it cannot appear again, and furthermore, a cyclic list would be infinite and therefore cannot correspond to a functional list.Construction 3.2 (The append function) We define the append function on linked lists and its pure reference implementation on functional lists below.
); set r (a, l 3 ); ret (fold (inr r)) The function above is both impure and general recursive.By contrast, the reference implementation below is pure and structurally recursive.We can now prove that iap behaves according to the reference implementation (⊕).

Theorem 3.3
The following sequent is derivable in Tulip: , and let Q be the following predicate: Our goal is to prove Q iap; applying the wp-rec rule, it suffices to show that We proceed by cases on u 1 ; the only non-trivial case is the following: Rewriting by the defining clause of (≈), we may assume r : ref (A × ilist α) and s : ilist α to prove the following: Applying equational reasoning (including unfold-of-fold), we convert our goal to the following: x ≈ v :: (vs ⊕ u 2 )} Applying wp-step and the introduction rule for the later modality, it suffices to prove: ; set r (a, l 3 ); ret (fold (inr r))) {x.x ≈ v :: (vs ⊕ u 2 )} Repeatedly applying weakest precondition rules and other administrative rules, it suffices to prove: Next we use Q iap and wp-wand to reduce our goal as follows, fixing l 3 : ilist α: Applying wp-set, we arrive at the following goal: The above is immediate by definition of (≈) and instantiation of existential variables.

Denotational semantics of Tulip in impredicative guarded dependent type theory
The denotational semantics of Tulip is an extension of the model of System F ref µ previously constructed by Sterling, Gratzer, and Birkedal [46].For lack of space, we can only give a brief introduction to the latter, focusing on the main ideas.The main ingredient to our semantics is the use of impredicative guarded dependent type theory (iGDTT) as a sufficiently powerful metalanguage to admit both the synthetic solution of domain equations for recursively defined semantic worlds (which uses guarded recursion) and the definition of the store-passing monad (which uses impredicativity).In Section 4.1 we give a brief overview of iGDTT, and we proceed in Section 4.2 to explain the interpretation of higher-order store.

Impredicative guarded dependent type theory
Impredicative guarded dependent type theory or iGDTT is roughly the extension of extensional guarded dependent type theory [14,15] by additional (impredicative) universe structure.We first describe the universes in Section 4.1.1,and then briefly explain the basics of iGDTT's synthetic guarded domain theory in Sections 4.1.2and 4.1.3.Finally, we describe a simple recipe for constructing models of iGDTT in Section 4.1.4from which consistency immediately follows.

Impredicative universes
iGDTT adds to ordinary guarded dependent type theory the following additional universe structure: (i) We assume an ordinary hierarchy of predicative universes Type 0 : Type 1 : . ..; when it causes no confusion, we will write Type for any appropriate Type i .
(ii) We further assume a pair of impredicative universes Set, Prop : Type 0 of small types and proof-irrelevant propositions respectively, where the latter satisfies propositional extensionality. 8Finally, we assume that any element of Prop is also an element of Set.
The universe structure above is roughly that of the Set and Prop universes of Coq [16] underneath Type when the -impredicative-set option is activated.Impredicativity of Set means closure under dependent products ∀x:A B : Set of "large-indexed" families x : A ⊢ B : Set when A : Type, and likewise for Prop.The coherent impredicative encoding of Awodey, Frey, and Speight [6] ensures that the full internal subcategory determined by Set is reflective in Type, and so a genuine existential ∃x:A B : Set can be obtained by applying the reflection to the (large) dependent sum x:A B : Type.On Prop these are exactly the ordinary universal and existential quantifiers -as the reflection is the "bracket type" of Awodey and Bauer [5].
In what follows, we shall let U stand for any of the universes of iGDTT described here.

The later modality and guarded recursion
Every universe U is closed under a "later modality" ▶ : U → U facilitating guarded recursion.The later modality also satisfies a dependently typed version of the rules of an applicative functor.Although there are many ways to present this structure, we choose to follow prior work [14,15,46] by formulating them using delayed substitutions δ ∆ , which we describe simultaneously with the rules of the later modality: Then the ordinary later modality ▶ : U → U sends A : U to ▶[•].A via the empty delayed substitution; likewise, we shall write next a for next[•].a.From these rules, we may deduce that the later modality forms a well-pointed endofunctor ▶ : U → U in the sense of Kelly [32], and moreover preserves cartesian products.The later modality also comes equipped with a Löb recursor for defining guarded fixed points as specified below:

Basic synthetic guarded domain theory
Definition 4.1 A guarded domain in U is defined to be an algebra for the endofunctor ▶ : U → U, i.e. a type X : U equipped with a function ϑ X : ▶A → A. A homomorphism from X to Y is then given by a function f : X → Y that commutes with the algebra maps in the sense that ϑ Y • ▶f = f • ϑ X .We will write U ▶ for the category of guarded domains in U and their homomorphisms.

Example 4.2
The universe U is a guarded domain in any higher universe V as we may define ϑ U : ▶U → U to send A : ▶U to the delayed type ▶[Z ← A].Z using the unary delayed substitution (Z ← A) Z : U.
Following Birkedal and Møgelberg [10], the Löb recursor can be used to solve domain equations by computing fixed points on the universe U.The simplest example of a guarded domain equation is the one that defines the guarded lift functor L : U → U ▶ of Paviotti, Møgelberg, and Birkedal [40] which sends a type to the free guarded domain on that type, i.e. the left adjoint to the forgetful functor from guarded domains to types.The domain equation in question is LA = A + ▶LA, which we solve using the Löb recursor on the universe together with the latter's guarded domain structure: The algebra structure ϑ LA : ▶LA → LA is given by the right-hand coproduct injection; the left-hand injection then defines the unit map η : A → LA for the monad determined by the resulting adjunction between guarded domains and types.Construction 4.3 (Guarded domains are lift-algebras) Any guarded domain X is also an algebra for the monad L. As LX is the free ▶-algebra on X, there is a unique homomorphism of ▶-algebras α X : LX → X such that α X • η = id X which induces an L-algebra structure on X. Construction 4.4 (Family lifting for the guarded lift monad) Let U be a universe, and let A : Type be a type.We may lift a family Φ : A → U to a family Φ L : LA → U defined using the induced L-algebra structure on U, i.e.Φ L ≜ α U • LΦ.We will occasionally write u ⇓ Φ to mean Φ L u.

Consistency and models of iGDTT
A simple and modular recipe for constructing non-trivial models of iGDTT is provided by Sterling, Gratzer, and Birkedal [46], from which consistency is easily deduced.Theorem 4.5 (S., Gratzer, and B. [46]) Let (O, ≤, ≺) be a separated intuitionistic well-founded poset9 in a realizability topos S .Then internal presheaves [O op , S ] give a model of iGDTT in which: (i) the predicative universes Type are modeled by the Hofmann-Streicher liftings [26,4] of the universes of (small) assemblies [34] from S ; (ii) the impredicative universes Prop, Set : Type are modeled by the Hofmann-Streicher liftings of the universes of ¬¬-closed propositions and of modest sets in S respectively; (iii) the later modality ▶ is computed explicitly by the limit (▶A)u = lim ← −v≺u Av.
Example 4. 6 The simplest example of a model of iGDTT instantiating Theorem 4.5 is given by the standard order of the natural numbers object in Hyland's [28] effective topos Eff ; this is exactly the "topos of trees" [11] constructed internally to Eff .This model can be adjusted in two orthogonal directions, by varying the underlying partial combinatory algebra and by varying the internal well-founded order.

Denotational semantics of general store in iGDTT
We briefly recall the denotational semantics of general store in iGDTT via a presheaf model.We will first construct a preorder W of semantic worlds (representing heap layouts), and then we shall interpret program types as Set-valued co-presheaves on W and logical types as Type-valued co-presheaves on W.
Notation 4.8 When P is a partial order and p ≤ P q, we will write q * : Ep → Eq for the covariant functorial action of any functor E : P → E .

Recursively defined semantic worlds
In this section, we will define a partial order (W, ≤) of semantic worlds simultaneously with the collection of semantic types by solving a guarded domain equation in Type.We will ultimately define W to be a kind of finite mapping of locations to types, but we must be more careful than usual because notions like "finite subtype" are somewhat sensitive when Prop is not a true subobject classifier.
Definition 4.9 Let I be a totally ordered type; a finite subtype U ⊆ fin.I is an element |U | : N together with a monotone injective10 function σ U : N <|U | → I.We will often abuse notation by writing U to refer to the image of σ U in I.There is a (decidable) preorder on finite subtypes given by inclusion, which is in fact a partial order because of the monotonicity of σ U in the total order I.
Definition 4.10 Given a totally ordered type I, a finite mapping w : I ⇀ fin.T is given by a finite subtype |w| ⊆ fin.I called the support together with a function τ w : |w| → T called the labeling .Given i ∈ |w| we shall simply write wi : T for τ w i.There is a partial order on finite mappings w : I ⇀ fin.T given by inclusion of supports: we say that w ≤ w ′ when |w| ≤ |w ′ | and the restriction of τ w ′ to |w| is equal to τ w .Note that the partial order on finite mappings is not decidable unless T has decidable equality.
We can now use the notion of finite mapping to define a partial order of semantic worlds W simultaneously with the categories S p , S ℓ of semantic program types and semantic logical types respectively by solving the following guarded domain equation: In the above, we have defined a world to be a finite mapping from memory locations to delayed semantic program types, which are defined to be Set-valued co-presheaves on the poset of semantic worlds.Semantic logical types are defined similarly as Type-valued co-presheaves.The impredicativity of Set is essential for S p to be cartesian closed and therefore capable of modelling function types.This is because exponentials of co-presheaves are defined from natural transformations.In S p , these are W-indexed, and thus, since W is not Set-small, were it not for the impredicativity of Set, the homsets would also not be Set-small.The cartesian closure of S ℓ follows simply from W being Type-small.

Semantic heaplets; total heaps and partial heaps
The semantic notion of heap or memory can be specified in terms of the more general heaplet distributor on W. This is the distributor H : W op × W → Set that classifies heaps whose layout is governed by the contravariant parameter and whose values vary in the covariant parameter.
Using the notion of a heaplet, we can define partial heaps and total heaps and at a given world; the latter are used to interpret the state monad of F ref µ , whereas the former are used to interpret the program logic.Partial heaps will be functorial in worlds, whereas total heaps are a non-functorial derived form.Definition 4.12 A partial heap h at a world w is given by a finite subtype ∥h∥ ⊆ fin.|w| together with a heaplet η h : H(w ∥h∥ , w).We shall write |h| ≜ w ∥h∥ for the supporting world; given l ∈ ∥h∥ we shall write hl for η h l.Partial heaps are arranged into a functor pH : W → Set; the covariant functoriality in worlds w ≤ w ′ takes a partial heap h : pHw to w ′ * h ≜ (∥h∥, w ′ * η h ).
We do not have the space to display the operations of the monad; we note, however, that T is S p -enriched and therefore strong.It follows that the semantic type operations in this section can be used to interpret the types of F ref µ .We show how to interpret the getter and setter for reference types in the model: Note that set A returns immediately in the guarded lift monad via the unit η, whereas get A takes a single step via the ▶-algebra map ϑ; this is because the heap stores its elements under the later modality, so reading from memory takes one abstract step of computation in the guarded lift monad.This is also reflected in the rule wp-get, which allows an assumption to be under the later modality.

Semantics of logical types
We interpret the logical type of propositions prop as the internal poset B = [pH, Prop W ]. The interpretation of the remaining type connectives is standard.

Semantics of predicate connectives
We will impose enough structure on B such that the indexed partial order B • : S op ℓ → Poset Type has the structure of a BI-hyperdoctrine with appropriate modalities (□, ) and weakest preconditions.

A complete BI-algebra
We will argue that B forms a complete BI-algebra in S ℓ .Note that in this section, when we say that a partial order is complete, we mean that it is complete in the sense of internal category theory [29].We will use Day's convolution [19,20] to construct a BI-algebra structure on B = [pH, Prop W ]. Day's convolution product is most well-known for extending monoidal structures on small categories to presheaves, but we will need the full generality of his result: the categories involved are Prop W -enriched, and the structure on the base is promonoidal rather than monoidal.Construction 4.20 (Prop W -enriched promonoidal structure on a pcm) A partial commutative monoid M = (M, ∅, •) in S ℓ can be viewed as a Prop W -enriched category, because its extension order is valued in Prop W .As a Prop W -enriched category, M has a Prop W -enriched promonoidal structure in the sense of Day [19,20], which essentially encodes graph of the partial multiplication operation: (iii) The associativity and unit isomorphisms are defined using the associativity and unit laws for the partial multiplication operation.These constructions are explained in more detail for BI-algebras arising from partial commutative monoids by Bizjak and Birkedal [13].

Modalities: persistence and later
The persistence modality is interpreted as the map □ : B → B obtained by reindexing along the constant endomap h → ∅, sending ϕ : B to h → ϕ ∅.The later modality : B → B is given pointwise.

The points-to predicate
We interpret the points-to predicate in the generic case α | ℓ : ref A, a : A ⊢ [ℓ → a] prop .In particular, we must define for each program type A : S p a natural transformation [− → −] : ref A × A → B, which will turn out to be representable by a singleton heap, i.e. we may define h |= [ℓ → a] ⇐⇒ {l → next a} ≤ h.

Weakest preconditions
Finally we must interpret the weakest precondition connective, which we do in the generic case of α | ϕ : α → prop, u : Tα ⊢ wp u {x.ϕ x} prop .This amounts to constructing for each semantic program type A : S p a natural transformation wp A : B A × TA → B. As the denotation of the state monad is defined world-by-world, so must be the interpretation of h |= wp A u ϕ; to that end, we give the forcing clause for w ⊩ (h |= wp A u ϕ) in the external iGDTT language as follows, recalling the ⇓ notation for the predicate lifting of L from Construction 4.4: Although the definition is quite technical, the idea is simple.The denotation of a monadic program is a guarded-recursive process taking a heap and ultimately producing a return configuration at a larger world.In simple terms, the weakest precondition of a predicate ϕ should quantify over all frames for the starting heap and check that the process returns only configurations satisfying ϕ without disturbing the frame.

Explicit Kripke-Joyal translation
We have given the interpretation of our logic in a mostly abstract-categorical way; such an abstract presentation verifies all the "logical" rules of our system, but explicit computations are needed in order to verify the rules for weakest preconditions.In this section, we provide some tools to assist with these explicit computations; in Computation 4.22 we describe how to interpret each of the main connectives of the logic as a transformer of subobjects in the internal language of S ℓ .Computation 4.22 (Kripke-Joyal translation of the B logic) The action of each connective on B = [pH, Prop W ] can be computed explicitly as a forcing clause in the Kripke-Joyal translation [35].We omit the forcing clauses for ⊤, ⊥, ∧, ∨, ∃, because they are pointwise:

Soundness results
The following results are stated internally to iGDTT.5 Conclusions; related and future work

Comparison with operationally-based program logics
We have contributed a program logic Tulip over the equational theory of polymorphic, general recursive, higher-order stateful programs by building on the recent denotational semantics of general references and polymorphism of Sterling et al .[46], adapting many ideas that were first developed in the context of operationally based program logics.Prior works on the operational side such as Iris [30], the Verified Software Toolchain [1], and TaDA [18] have reached great heights of expressivity, incorporating constructs such as invariants and higher-order ghost state which are critical for reasoning about concurrent programs.
For the sake of simplicity, we have restricted our attention to a fixed notion of resource (partial heaps), but we hope in the future to adapt more sophisticated constructs including higher-order ghost state, etc. to reach parity with existing operationally-based program logics.

Other denotationally-based program logics for state
The model of Sterling et al . is not the only denotational semantics of state.First-order store, both local and global, is well-represented in the literature [37,36,42,45]; there is also Levy's model of non-polymorphic higher-order store [33], and notably, a model of local full ground store by Kammar et al .[31].Polzer and Goncharov [43] have constructed a BI-hyperdoctrine over the denotational semantics of Kammar et al ., and our own work is much in the spirit of theirs.However, there is an apparent mismatch between the semantics of local store and the model of bunched implications over it, which has impeded op.cit.from developing a full program logic with an interpretation of weakest preconditions.

Future perspectives
One of the methodological questions raised by our work is where, exactly, to draw the line between equational reasoning and logical reasoning.For instance, conventional operationally-based program logics do not use equational reasoning at all: our logic, in contrast, allows some equational reasoning but it is limited by the intensionality of Sterling et al .'s model.One possible direction for future work is to attempt to make the model itself less intensional, either by enhancing the semantic worlds [22] or by improving the interpretation of the state monad [31].
Another question is how Tulip can be implemented in a practical tool.Currently, definitional and logical equality coincide due to equality reflection, which leads the former to become undecidable.An implementation will therefore require a more refined account of the interaction between definitional and logical equality.
unfold-of-fold ⊢ unfold (fold u) ≡ step; ret u : T A[µα.A/α] fold-of-unfold ⊢ x ← unfold u; ret (fold x) ≡ step; ret u : T (µα.A) get-after-set ⊢ set u v; get u ≡ step; set u v; ret v : T A set-after-new ⊢ (x ← new u; set x v; w) ≡ (x ← new v; w) : T B set-after-set ⊢ set u v; set u w ≡ set u w : T A get-after-get ⊢ (x ← get u; y ← get v; w) ≡ (y ← get v; x ← get u; w) : T C set-after-get ⊢ (x ← get u; set u x; w) ≡ (x ← get u; w) : T B

Construction 3 . 1 (
The list invariant) We define a correspondence (≈) : ilist α → list α → prop in Tulip by structural recursion on the second argument.

Observation 4 . 11
Note that both S p and S ℓ are guarded domains in the sense of Definition 4.1: the structure map ϑ Sι sends A : ▶S ι to the co-presheaf w → ▶[Z ← A].Zw.

Lemma 4 .
18 Prop W is a complete Heyting algebra in S ℓ .Corollary 4.19 The internal poset B is a complete Heyting algebra in S ℓ .

Construction 4 . 21 (
BI algebra) We obtain a BI-algebra structure ( * , − * ) on B = [pH, Prop W ] by taking the Day convolution of the induced Prop W -enriched promonoidal structure (Construction 4.20) on the partial commutative monoid pH, such that the separating conjunction extends the partial multiplication operation on representables.In particular, if h#h ′ are two disjoint partial heaps, then yh * yh ′ = y(h • h ′ ).