Deciding Satisfiability of Boolean Separation Logic with Inductive Predicates via Small Models

The authors present a novel decision procedure for a fragment of separation logic with arbitrary nesting of separating conjunctions, boolean conjunctions, disjunctions, and guarded negations, along with support for common variants of linked lists. The decision procedure is based on a model-based translation to SMT, with optimizations that bound the size of predicate instantiations within models, leading to an efficient translation.

The paper presents a decision procedure for a fragment of separation logic called boolean separation logic (BSL). BSL allows arbitrary nesting of separating conjunctions and boolean connectives of conjunction, disjunction, and guarded negation, along with support for common inductive predicates like singly-linked lists (SLL), doubly-linked lists (DLL), and nested singly-linked lists (NLL). The key contributions are: A small-model property that shows satisfiable BSL formulae have models of bounded size. A translation-based decision procedure that encodes BSL formulae into SMT, with optimizations to avoid expensive quantifier instantiations. The translation uses a model-based approach, where the heap is decomposed into "chunks" that can be efficiently encoded. For inductive predicates, the translation expresses reachability using bounded paths, avoiding unbounded quantification. Experimental evaluation showing the decision procedure is competitive with state-of-the-art approaches on the symbolic heap fragment, and can handle some formulae beyond their capabilities. A proof that adding guarded negations to the fragment makes the satisfiability problem PSPACE-hard. The decision procedure supports a richer boolean structure than previous approaches, which is useful in applications like symbolic execution and entailment checking. The authors demonstrate the usefulness of the supported features through several examples.

The location bound for a formula φ is defined as bound(φ) = 1 + ⌊P x∈vars(φ)||x||⌋, where ||xS|| = 2 if S ∈ {S, N} and ||xD|| = 1.5. The translation of a separating conjunction ψ1 ∗ψ2 uses an over-approximation of the footprints of ψ1 and ψ2, denoted as FP#(ψ1) and FP#(ψ2). The translation of inductive predicates π(x, y) uses a main path formula to express reachability from x to y, and additional invariants to ensure the correct shape of the data structure.

"To the best of our knowledge, no existing, practically applicable decision procedure supports a fragment with such a rich boolean structure and at least basic inductive predicates." "Our approach to deciding BSL formulae is inspired by previous works on translation of SL to SMT. The early works [26] and [27] translate SL to intermediate theories first. Our approach is closer to the more recent approach of [15], which builds on small-model properties and axiomatizes reachability through pointer links directly." "We further show that adding guarded negations to BSL makes its satisfiability problem PSPACE-hard."