On the Expressive Completeness of Bernays-Schönfinkel-Ramsey Separation Logic

02/01/2018 ∙ by Mnacho Echenim, et al. ∙ 0

This paper investigates the satisfiability problem for Separation Logic, with unrestricted nesting of separating conjunctions and implications, for prenex formulae with quantifier prefix in the language ∃^*∀^*, in the cases where the universe of possible locations is either countably infinite or finite. In analogy with first-order logic with uninterpreted predicates and equality, we call this fragment Bernays-Schönfinkel-Ramsey Separation Logic [BSR(SLk)]. We show that, unlike in first-order logic, the (in)finite satisfiability problem is undecidable for BSR(SLk) and we define two non-trivial subsets thereof, that are decidable for finite and infinite satisfiability, respectively, by controlling the occurrences of universally quantified variables within the scope of separating implications, as well as the polarity of the occurrences of the latter. The decidability results are obtained by a controlled elimination of separating connectives, described as (i) an effective translation of a prenex form Separation Logic formula into a combination of a small number of test formulae, using only first-order connectives, followed by (ii) a translation of the latter into an equisatisfiable first-order formula.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Separation Logic [9, 14] is a logical framework used in program verification to describe properties of the dynamically allocated memory, such as topologies of data structures (lists, trees), (un)reachability between pointers, etc. The quest for automated push-button program verification methods motivates the need for understanding the decidability, complexity and expressive power of various dialects thereof, that are used as assertion languages in Hoare-style proofs [9], or logic-based abstract domains in static analysis [4].

In a nutshell, given an integer , the logic is obtained from the first-order theory of a finite functional relation of arity , called a heap111Intuitively, is the number of record fields in each memory cell., by adding two non-classical connectives:  (i) the separating conjunction , that asserts a split of the heap into disjoint heaps satisfying and respectively, and (ii) the separating implication or magic wand , stating that each extension of the heap by a heap satisfying must satisfy . The separating connectives and allow concise definitions of program semantics, via weakest precondition calculi [9] and easy-to-write specifications of recursive linked data structures (e.g. singly- and doubly-linked lists, trees with linked leaves and parent pointers, etc.), when higher-order inductive definitions are added [14].

A typical problem in verification, occurring as a subgoal in a Hoare-style proof of a program or in an inductive proof of inclusion between least fixed point models (sets of heaps) of higher-order predicates, is deciding the validity of entailments between existentially quantified formulae in the base assertion language. This problem is reduced to the (un)satisfiability of an formula with quantifier prefix in the language . In analogy with first-order logic with equality and uninterpreted predicates [11], we call this fragment Bernays-Schönfinkel-Ramsey Separation Logic [].

Unlike the Bernays-Schönfinkel-Ramsey fragment of first-order logic, is difficult to reason about, due to the unrestricted use of separating connectives. A way to circumvent this problem is to define a small set of patterns, called test formulae in the literature [10, 3, 7, 8], that are parametric in their arguments and some integer constants, and prove that every formula in the fragment is equivalent to a classical combination of instances of those patterns, bound only with first-order connectives.

These expressive completeness results are, in some sense, similar to the elimination of existential quantifiers in some interpreted theories of first-order logic, such as Presburger arithmetic. In fact, the existential quantifiers are not completely eliminated, but rather confined to a small set of modulo constraints, in which they occur in a controlled fashion. Similarly, in , it is possible to confine the separating conjunction and implication to a small set of test formulae and convert each formula from a certain fragment into an equivalent boolean combination of test formulae. As with Presburger arithmetic, this is an argument for showing decidability of the logical fragment under consideration.

Our contributions

The main contributions of this paper are:

  1. We show that the finite and infinite satisfiability problems are undecidable for the logic , interpreted over heaps with record fields. The main reason for undecidability lies in the presence of universally quantified variables within the scope of a separating implication, that occurs, moreover, under an even number of negations.

  2. By disallowing universally quantified variables in the scope of positive occurrences of separating implications, and even stronger, disallowing positive occurrences thereof, we define two non-trivial fragments and of , for which the infinite and finite satisfiability problems are PSPACE-complete, respectively. These results establish neat decidability frontiers within .

In contrast with the majority of the literature on Separation Logic, here the universe of available memory locations (besides the ones occurring in the heap, which is finite) is not automatically assumed to be infinite. In fact, we consider both cases in which the universe is countably infinite and finite. In particular, the finite universe hypothesis is useful when dealing with bounded memory issues, for instance checking that the execution of the program satisfies its postcondition, provided that there are enough many available memory cells.

Having different interpretations of the universe is also motivated by a recent integration of within a DPLL()-based SMT solver [13, 12], in which the theory is parameterized by the theory of locations, just like the theories of arrays and sets are parameterized by theories of values.

Surprisingly, when considering a finite universe, the separating connectives allow to define bounds also on the cardinality of the universe and on the number of free locations (not in the heap), besides specifying the shape and cardinality of the heap. As a result, the conditions needed for decidability within turn out to be stronger for finite universes than for infinite ones. The argument for decidability relies on (i) the definition of a restricted set of test formulae capturing all properties of heaps, that can be expressed in quantifier-free , together with (ii) an equivalence-preserving syntactic translation of a prenex form formula into a boolean combination of test formulae, with the same quantifier prefix. The latter formula is translated into first-order logic and decidability is established by tracking those formulae of that translate into the classical Bernays-Schönfinkel-Ramsey fragment of first-order logic [11].

Related Work.

Expressive completeness results exist for quantifier-free [10, 3] and for with one and two quantified variables [8, 7]. There, the existence of equivalent boolean combinations of test formulae is showed implicitly, using a finite enumeration of equivalence classes of models, instead of an effective transformation. Instead, here we present an explicit equivalence-preserving transformation of quantifier-free formulae over heaps with record fields into boolean combinations of test formulae, and translate the latter into first-order logic.

Another translation of quantifier-free into first-order logic with equality has been described in [5]. There, the small model property of quantifier-free [6] is used to bound the number of first-order variables to be considered and the separating connectives are interpreted as first-order quantifiers. The result is an equisatisfiable first-order formula whose satisfiability can be checked in PSPACE. This translation scheme cannot be, however, directly applied to , which does not have a small model property, and is, moreover, undecidable.

Existing decidability and complexity results for various fragments [6, 3, 8, 7] always assume the universe of heap locations to be countably infinite. In this paper we consider, in addition, the case where the universe is finite. Theory-parameterized versions of have been shown to be undecidable, e.g. when integer linear arithmetic is used to reason about locations, and wrongly claimed to be PSPACE-complete for countably infinite and finite unbounded location sorts, with no relation other than equality [12]. Here we correct the wrong claim of [12] and draw a precise chart of decidability for both infinite and finite satisfiability of .

2 Preliminaries

We denote by the set of integers and by the set of positive integers including zero. We define and , where for each we have and . For a countable set we denote by the cardinality of . A decision problem is in

if it can be decided by a (nondeterministic) Turing machine in space

and in PSPACE if it is in for some integer , independent of the input.

Let be a countable set of variables, denoted as and be a sort. A function symbol has arguments of sort and a sort , which is either the boolean sort or . If , we call a constant. We use and for the boolean constants false and true, respectively. First-order () terms and formulae are defined by the following grammar:

where , and are function symbols, and . We write for , for , for and for .

The size of a formula , denoted as , is the number of symbols needed to write it down. Let be the set of variables that occur free in , i.e. not in the scope of a quantifier. A sentence is a formula where . Given formulae , and , we write when is a subformula of and denote by the formula obtained by substituting for in .

First-order formulae are interpreted over -structures (called structures, when no confusion arises) , where is a countable set, called the universe, the elements of which are called locations, is a mapping of variables to locations, called a store and interprets each function symbol by a function , if and if . A structure is finite when and infinite otherwise.

We write iff is true when interpreted in . This relation is defined recursively on the structure of , as usual. When , we say that is a model of . A formula is satisfiable when it has a model. We write when every model of is also a model of and by we mean and . The (in)finite satisfiability problem asks, given a formula , whether a (in)finite model exists for this formula.

The Bernays-Schönfinkel-Ramsey fragment of , denoted by , is the set of sentences , where is a quantifier-free formula in which all function symbols of arity have sort . It is known that any satisfiable sentence has a finite model with at most locations, where is the length of the existential quantifier prefix222See, e.g., [2, Proposition 6.2.17]..

2.1 Separation Logic

Let be a strictly positive integer. The logic is the set of formulae generated by the grammar below:

where . The connectives and are respectively called the separating conjunction and separating implication (magic wand). We write for (also called septraction) and denote by , the tuples , respectively. The size of an formula , denoted , is the number of symbols needed to write it down.

Given an formula and a subformula of , we say that occurs at polarity iff one of the following holds: (i) and , (ii) and occurs at polarity in , (iii) or , and occurs at polarity in , for some , or (iv) and either is a subformula of and , or occurs at polarity in . A polarity of or is also referred to as positive, neutral or negative, respectively.

formulae are interpreted over -structures (called structures when no confusion arises) , where and are as before and is a finite partial mapping of locations to -tuples of locations, called a heap. As before, a structure is finite when and infinite otherwise. We denote by the domain of the heap and by the cardinality of . Two heaps and are disjoint iff , in which case denotes their union ( is undefined for non-disjoint heaps). A heap is an extension of iff , for some heap . The relation is defined inductively, as follows:

The semantics of equality, boolean and first-order connectives is the usual one. Satisfiability, entailment and equivalence are defined for as for formulae. The (in)finite satisfiability problem for asks whether a (in)finite model exists for a given formula. We write [] whenever holds for every finite [infinite] structure .

The Bernays-Schönfinkel-Ramsey fragment of , denoted by , is the set of sentences , where is a quantifier-free formula. Since there are no function symbols of arity greater than zero in , there are no restrictions, other than the form of the quantifier prefix, defining .

3 Test Formulae for

We define a small set of patterns of formulae, possibly parameterized by a positive integer, called test formulae. These patterns capture properties related to allocation, points-to relations in the heap and cardinality constraints.

Definition 1

The following patterns are called test formulae:

and , where , and is a positive integer or . A literal is either a test formula or its negation.

The intuitive semantics of test formulae is formally stated below:

Proposition 1

Given an -structure , we have:

for all variables and integers .

Proof: Let and, given a set of locations and a finite set , we will denote by the heap with domain , such that for all , . It is clear that .

Assume that . Then by definition, there exist disjoint heaps , such that , and . Thus and . Conversely, assume . Then is of the form , where is the restriction of to and is the restriction of to . It is straightforward to verify that and .

Assume that . Then there cannot be any heap disjoint from , such that . But for , we have , thus is not disjoint from and necessarily, . Conversely, assume , and let be a heap such that . Then cannot be disjoint from , which proves that .

Assume that . Then since has a finite domain, it is clear that if and that no such structure exists if . When , we prove the result by induction on . The case where is straightforward to prove. Otherwise, there exist disjoint heaps such that , and . By the induction hypothesis and by definition, , so that . Conversely, assume that . This always holds if and never holds if . Otherwise, we prove the result by induction on . Assume , so that . Consider and let and respectively denote the restrictions of to and to , so that . Since , by the induction hypothesis , and since , we have the result.

Assume that . Then there exists a heap disjoint from such that . This entails that and since , necessarily, . Conversely, if , then there exists a set such that and . Then , which proves that .

Assume that . Then there is no heap disjoint from with a domain of cardinality at least . In particular, if , then necessarily, . Since , we deduce that . Conversely, if then there is no heap disjoint from with a domain of cardinality at least , so that . ∎

Not all atoms of are test formulae, for instance and are not test formulae. However, by Proposition 1, we have the equivalences and . Moreover, for any , the test formulae and become trivially true and false, respectively, if we consider the universe to be infinite.

The integer parameter occurring in , and is assumed to be written in unary notation. We write for and for , where . For technical convenience, we also define the following linear combinations.

Definition 2

Given integers , where , let

Proposition 2

Given an -structure , we have iff , for all , .

Proof: We distinguish the four cases below:

  • If and then , never.

  • If and then , always.

  • If and , assume first that . Then thus , by Proposition 1. If then , which contradicts , by Proposition 1. Otherwise, we have , with . In this case , which implies , by Proposition 1. Conversely, assume that . Since necessarily , we obtain , i.e., and thus hence . Moreover, if then follows by Proposition 1.

  • If and , assume first that . If, moreover, , then , thus holds. Otherwise, and if , for some , we have , thus , by Proposition 1. Conversely, assume that and , for some integer . By Proposition 1, we have and , thus . ∎

Definition 3

A variable is allocated in an -structure iff . For a set of variables , let and . For a set of literals, we define:

We let be the number of equivalence classes of containing variables allocated in every model of and be the number of equivalence classes of containing variables from that are not allocated in any model of . We also let .

Intuitively, [] is the set of variables that must be [are never] allocated in every [any] model of and is the footprint of relative to the set , i.e. the set of formulae describing allocation and points-to relations over variables from . For example, if , then , , and .

Proposition 3

Given a set of test formulae and a structure , if , we have for any extension of .

Proof: By a case split on the form of the atom in , namely , with . For the case , since then for some variable such that , thus is unsatisfiable, contradicting the assumption that . ∎

3.1 From Test Formulae to

The introduction of test formulae (Definition 1) is motivated by the reduction of the (in)finite satisfiability problem for quantified boolean combinations thereof to the same problem for . Given a quantified boolean combination of test formulae , the formula is defined by induction on the structure of :

where is a -ary function symbol of sort and and are constants of sort , for all . These function symbols are related by the following axioms, where and are constants of sort , for all :


Intuitively, or are true iff there are at least locations in the domain of the heap and in the universe, respectively and . However, if is true, then there are at least locations outside of the domain of the heap (free), but the converse does not hold (remark 2). The following remarks motivate some of the restrictions that define decidable fragments of , by reduction to 5.2).

Remark 1

The translation of introduces existential quantifiers depending on . For instance, the formula is translated as , which lies outside of the fragment. Because upcoming results (Thm. 5.2) require that be in , we consider quantified boolean combinations of test formulae in which the formulae either occur at a negative polarity, or is not universally quantified. In both such cases, is in (Lemma 2).

Remark 2

The axioms do not state the equivalence of with the existence of at least free locations. Such an equivalence seems to be hard, if not impossible, to express in 333The converse of : is not in .. Note that if the domain is infinite then this problem does not arise since the formulae are always false.

Definition 4

Given a quantified boolean combination of test formulae , let be the maximum integer parameter occurring in a test formula from and let be the set of axioms related to .

The relationship between a boolean combination of test formulae and its translation into is stated below.

Lemma 1

Let be a quantified boolean combination of test formulae. The following hold, for any universe and any store :

  1. if , for a heap , then , for an interpretation , and

  2. if each test formula in occurs at negative polarity and , for an interpretation , such that , then , for a heap .

Proof: (1) Let be a model of . Considering an arbitrary interpretation and for the boolean constants true and false, we extend to the -ary function symbol , the constants of sort and of sort , for all and all , as follows. For all we set