On Symbolic Heaps Modulo Permission Theories

We address the entailment problem for separation logic with symbolic heaps admitting list predicates and permissions for memory cells that are essential to express ownership of a heap region. In the permission-free case, the entailment problem is known to be in P. Herein, we design new decision procedures for solving the satisfiability and entailment problems that are parameterised by the permission theories. This permits the use of solvers dealing with the permission theory at hand, independently of the shape analysis. We also show that the entailment problem without list predicates is coNP-complete for several permission models, such as counting permissions and binary tree shares, but the problem is in P for fractional permissions. Furthermore, when list predicates are added, we prove that the entailment problem is coNP-complete when the entailment problem for permission formulae is in coNP, assuming the write permission can be split into as many read permissions as desired. Finally, we show that the entailment problem for any Boolean permission model with infinite width is coNP-complete.


Introduction
Separation logics with permissions. In program verification, proving properties of the memory is one of the most difficult tasks and separation logic has been devised for this goal [14]. Separation logic with permissions [4] can express that the ownership of a given heap region is shared with other threads. A permission can be thought of as a "quantity of ownership" associated to each cell of the heap. This quantity prescribes whether write accesses are allowed or not on this cell and how such a write access may be restored in the future. This abstract notion has led to many permission theories and separation logics, including fractional permissions [5], token-based permissions [4], combinations of the two, binary tree shares [7], and yet some other models. Separation logic with permissions is supported by several tools like VeriFast [12], Hip/Sleek [11], or Heap-Hop [16]. Usually, these tools support only one permission model and demand that permissions are explicit values. For instance, in a tool that supports fractional permissions, to express that a cell x is shared by two threads for read access, one may write x →_{0.3} y and x →_{0.7} y, making an arbitrary choice for the permissions (0.3 and 0.7), when a better approach would use x →_α y and x →_β y together with the constraint 1 = α + β (as is done in this paper). This hides the logical structure of the proof and ties it to a specific, arbitrary permission model.
Our motivations. We wish to get rid of the use of explicit permission models and to provide a separation logic with permissions which can use symbolic permission expressions such as 1 = α + β. Furthermore, we aim at lifting the results obtained so far for separation logic with lists but without permissions to separation logic with lists and symbolic permissions.
Our contributions. We devise a separation logic based on symbolic heaps with list predicates [3] modulo an unspecified permission theory (containing separation logic without permissions as an instance). As far as we know, a uniform treatment with both features is new. We give generic decision procedures modulo a permission theory P for the satisfiability problem SATSH(P) and for the entailment problem ENTSH(P). Then we simply instantiate the permission theory by the desired theory (fractional models, token model, binary tree-share model, . . .). This approach has many advantages: (a) the reasoning on the spatial part is separated from the reasoning on permissions, (b) the latter part can be discharged to a dedicated solver, for instance any SMT solver specialised in the relevant permission theory (see e.g. [1]; and also [13] for the fractional case), and (c) we obtain optimal worst-case complexity results (obviously, the whole complexity depends on the complexity of the permission theory of interest). Since our logic contains the constant , we can treat both the intuitionistic and the non-intuitionistic case of the entailment problem in a uniform setting, see e.g. [6, 10]. Let us detail more precisely the technical contributions as well as the plan of the paper.
Outline of the paper. Permissions and separation logic with lists and permissions are introduced in Section 2. In Section 3, we treat separation logic with permissions but without lists and we give PTime algorithms for SATSH(P) and ENTSH(P) using an oracle for the corresponding problems on permission theories. As a byproduct, SATSH(P_Boy) and ENTSH(P_Boy) without list predicates are in PTime for the fractional model P_Boy. In Section 4, we prove that SATSH(P) is NP-hard and that ENTSH(P) is coNP-hard even for a permission theory P which is in PTime, showing a complexity gap between the logic without permissions and the logic with permissions. At the end of Section 4, we design a non-deterministic polynomial-time procedure solving ENTSH(P) (fully parametrised by the entailment problem for the permission theory P). A key ingredient is the notion of SL-graphs that are used to abstract formulae, and several variants of homomorphisms between graphs used to prove the entailment property. This approach is clearly inspired by [6] but, on one hand, we can take advantage of nondeterminism since there is little hope for a PTime algorithm, and, on the other hand, permissions lead to technical complications (such as the need to respect the linearisation induced by an SL-graph). In Section 5, we give our results on permission theories: (i) the fractional model P_Boy has PTime satisfiability and entailment problems, (ii) we introduce the notion of Boolean permission models P_B that encompasses all classical permission models but the trivial one and P_Boy, and (iii) we prove that SAT(P_B) is NP-complete and ENT(P_B) is coNP-complete in Boolean permission models P_B that have an infinite width (which is the case for the aforementioned models). Section 6 concludes the paper.

Preliminaries
We introduce permission formulae and permission models which are the building blocks for defining symbolic heaps with permissions and their related decision problems.

Permission models
Permission formulae are defined by the grammar below: [...] where PVar = {α, β, . . .} is a countably infinite set of permission variables. Permission formulae are interpreted in permission models, defined below.

Definition 1.
A permission model is a tuple P = (P_P, 1_P, ⊕_P) such that P_P = {π, . . .} is a set of permissions, 1_P ∈ P_P is a distinguished permission called the write permission or the total permission, ⊕_P : P_P × P_P → P_P is a partial composition that is cancellative, commutative and associative [footnote 1], and the relation <_P = {(π, π') | π' = π ⊕_P π'' for some π''} is irreflexive and transitive, with maximum element 1_P. An example of permission model is Boyland's fractional model P_Boy = ((0, 1], 1, ⊕_{P_Boy}) [5], where π ⊕_{P_Boy} π' =def π + π' is defined when the sum is at most 1. The width of a permission model P is width(P) ∈ N ∪ {ω} such that width(P) [...]. Given P = (P_P, 1_P, ⊕_P), a P-interpretation is a map ι : PVar → P_P. The map ι is extended to a partial map from the set of permission terms to P_P so that ι([...]). For example, the permission formula α ⊕ α = 1 is satisfied by the P_Boy-interpretation ι defined by ι(α) = 0.5. We write ⊥ to denote 1 ⊕ 1 = 1. Observe that ι ⊭ ⊥ for all ι (by irreflexivity of <_P).

Separation logic with permissions
A symbolic heap with list predicates and symbolic permissions is a formula (Π, Σ) where Π is a pure formula and Σ a spatial formula according to the grammar below: [...] where LVAR = {x, y, . . .} is a countably infinite set of location/program variables. We write Π_pe and Π_pv to denote respectively the permission constraints and the program variable constraints that appear in Π, so that Π is logically equivalent to Π_pe ∧ Π_pv. We write LVAR(ϕ) [resp. PVar(ϕ)] to denote the set of location [resp. permission] variables occurring in ϕ.
Example 2. The following symbolic heaps are used throughout the paper. [...]
Let P = (P_P, 1_P, ⊕_P) be a fixed permission model and let Loc = { , . . .} be a countably infinite set of locations (by default, Loc = N). A P-memory state is a triple (s, h, ι) where: [...] Intuitively, h( ) = (π, ) holds if the cell at address  is allocated and points to the location , and the thread that owns  has permission π on the cell .

Footnote 1: in particular, whenever a sum π_1 ⊕_P π_2 ⊕_P . . . ⊕_P π_n is defined, each subsum π_{i_1} ⊕_P . . . ⊕_P π_{i_k} for each {i_1, . . ., i_k} ⊆ {1, . . ., n} is defined.

Before defining the semantics of symbolic heaps, we define the composition of P-heaps. The composition h_1 • h_2 of two P-heaps h_1 and h_2 is defined whenever there is no [...]. When it is defined, say equal to the P-heap h, it takes the unique value satisfying the conditions below: [...] The composition of heaps is partial, commutative, associative, and cancellative. We write h ⊑ h' if there is h'' so that h' = h • h'', and we also write h ⊏ h' whenever h ⊑ h' and h ≠ h'. The satisfaction relations s, h, ι |=_P Σ and s, h, ι |=_P Π are defined below: [...] p^ι is defined, and either (s(x) = s(y) and dom(h) [...]; s, h, ι |=_P Σ_1 * Σ_2 iff there are subheaps h_1, h_2 such that h = h_1 • h_2, s, h_1, ι |=_P Σ_1, and s, h_2, ι |=_P Σ_2.
Reasoning Modulo Permission Theories Without List Predicates

Normalising formulae
In Figure 2, we present a set R of rewrite rules that are used to normalise formulae. The reduction =⇒ is the rewrite relation associated to R and =⇒* is its reflexive and transitive closure. Note that if a rewrite sequence starts from a symbolic heap not containing an expression lseg_p(x, y), then the rule Mergelist never applies. We write |(Π, Σ)| to denote the size of the symbolic heap for some reasonably succinct encoding.
Lemma 3. The rewrite relation =⇒ has the following properties.
The proof of the first part is a direct analysis of the rules according to the semantics of symbolic heaps, and the termination proof is straightforward. Note that the rule Subst cannot be applied indefinitely because of its second side-condition. From now on, unless otherwise stated, normal form refers to a normal form with respect to =⇒.

Satisfiability and entailment for symbolic heaps without lists
We give our first results for symbolic heaps with permissions but without lists. In the rest of this section, we consider symbolic heaps without lists. Given a spatial formula Σ, we denote by defined(Σ) the conjunction of the formulae defined(p) for all p occurring in Σ.
Consequently, we can provide complexity upper bounds for SATSH(P).
Theorem 5. Let P be a permission model and C ⊇ PTime be a complexity class such that SAT(P) is in C. Then SATSH(P) restricted to symbolic heaps without list predicates is in C.
Let us now address the entailment problem (Π_l, Σ_l) |= (Π_r, Σ_r). First, we restrict our attention to instances of the form (Π_l, Σ_l) |= ( , Σ_r), where (Π_l, Σ_l) is in normal form. An entailment (Π_l, Σ_l) |= ( , Σ_r) holds if there is a map from the points-to predicates x →_p y that occur in Σ_r to the x →_p y that occur in Σ_l, such that the sum of all permission terms p mapped to a given x →_p y is less than or equal to p, with equality required if  does not occur in Σ_r. We represent (Π_l, Σ_l) |= ( , Σ_r) by a triple (Π_l, Σ_l, Σ_r), and we check the existence of such a map by means of the rewrite rules Align and Substract. In order to check an entailment (Π_l, Σ_l) |= (Π_r, Σ_r) where Π_r is not necessarily , we check on the one hand whether (Π_l, Σ_l) |= Π_r and, on the other hand, using the rules Align and Substract, whether (Π_l, Σ_l) |= Σ_r, which is implemented by the algorithm below. Using the results from Section 5, it follows that ENTSH(P_Boy) restricted to symbolic heaps without list predicates is in PTime.

Reasoning on Symbolic Heaps with Lists and Permissions
Below, we design algorithms for SATSH(P) and ENTSH(P) respectively, parameterised by decision problems for P. Assuming that Σ and Σ' are  -free and emp-free spatial formulae, we introduce the following subproblems of ENTSH(P): [...] (non-intuitionistic entailment). Below, we provide the developments for |=_NI only, but all our results can be adapted to the full problems SATSH(P) and ENTSH(P). In the permission model P_1, SATSH(P_1) and ENTSH(P_1) are in PTime [6], but intractability of SATSH(P) and ENTSH(P) arises quite quickly, even with the rather simple permission model P_Boy. A positive consequence of Theorem 9 is that we can use non-determinism to get optimal complexity bounds.

Lower bounds
In this short section, we explain how the combination of list predicates and permissions leads to NP/coNP-hardness. Let G = (V, E) be an instance of the three-colorability problem, known to be NP-complete. W.l.o.g., we can assume that V = {x_1, . . ., x_n} for some n ≥ 1 and E is a set of edges of the form {x_i, x_j} with i ≠ j. The hardness proof is by reduction from the three-colorability problem, following a similar treatment when conjunctions are added to spatial formulae in the standard symbolic heap fragment, see [6, Section 5]. The main difference below rests on the replacement of Boolean conjunctions by separating conjunctions. Let Π_G be the pure formula [...] where the α_i's and α'_i's are distinct permission variables.

Lemma 8. Assuming that width(P) = ω, G has a three-coloring iff (Π_G, Σ_G) is satisfiable.
Consequently, we get the following hardness results.

Theorem 9. If width(P) = ω then SATSH(P) is NP-hard and ENTSH(P) is coNP-hard.

SL-graphs and homomorphisms
We assume a fixed permission model P and a fixed set of variables {x_1, . . ., x_q} with its ordering x_1 < . . . < x_q. All the symbolic heaps are assumed to be built from {x_1, . . ., x_q}. Given ∅ ≠ X ⊆ {x_1, . . ., x_q}, min(X) denotes the variable in X with the minimal index. Below, we introduce a notion of SL-graph that can be understood as a graphical representation of a symbolic heap in which the permission part of the pure formula is encoded directly by a permission formula, and the location variable part of the pure formula is encoded by an inequality relation (↔_≠) and by a labelling (L). Besides, the atomic spatial formulae are encoded by the two relations → and ⇒. Such structures are quite convenient to characterise entailment between symbolic heaps via homomorphisms, as is done in the permission-free setting in [6]. Contrary to the developments in [6] that aim to reach a PTime upper bound, nondeterminism will be essential below since this is the best we can hope for, see Theorem 9.
An SL-graph G is either ⊥ or a tuple (A, V, →, ⇒, ↔_≠, L) such that A is a permission formula and V is a non-empty finite subset of N (the nodes). → and ⇒ are finite subsets of V × PT × V where PT is the set of permission terms. We also write [...]

[...] = min(vars(v)). As expected, the arrow v [...]
Our notion of SL-graph shares in spirit the one from [6] but there are essential differences (permission formulae and terms as well as slight simplifications). Figure 3 [...] An empty separating conjunction is understood as emp. If G = ⊥, then the corresponding symbolic heap is (x ≠ x, ). In the sequel, spatial(G) is also written * [...] where [...] (G_2^1 and G_2^2 are deterministic in Figure 3, unlike G_1 and G_2). A deterministic SL-graph can be viewed as a syntactic structure whose interpretation stands between the P-memory states (thanks to the determinism and the syntactic nature of the inequality relation) and the SL-graphs (no P-interpretation and no permission values are involved). Each deterministic SL-graph carries a lot of structural properties about the P-memory states that satisfy it, which explains why this is a crucial structure to consider (see also the dependency graphs in [8]).

Let G_1 and G_2 be two SL-graphs with G_2 being deterministic. We introduce below a notion of precise homomorphism that will admit a counterpart in terms of entailment, see e.g. Theorem 11. A map f : V_1 → V_2 is a precise homomorphism from G_1 to G_2 whenever the conditions below are satisfied: [...] Above, given a non-empty and finite multiset T = {{p_1, . . ., p_k}} of permission terms, we write ⊕T instead of p_1 ⊕ · · · ⊕ p_k (the ordering of the terms is irrelevant because ⊕ is AC). Precise homomorphisms could be defined between two arbitrary SL-graphs (as done in [6]) but the unicity of the path in condition (H5) would then no longer be guaranteed. We assume that G_2 is deterministic to have unicity, which also leads to the right upper bounds for the complexity. The existence of a precise homomorphism f implies that for every edge u →_p u' of G_1, we have A |= defined(p), which is partly justified by defined(p_1 ⊕ p_2) |=_P defined(p_1) ∧ defined(p_2). The dotted arrows in Figure 3 partly materialize two precise homomorphisms from G_1 to G_2^1 or to G_2^2 (assuming the permission formulae match). A precise homomorphism f is strongly precise [...] In Figure 3, there is a strongly precise homomorphism from G_2 to G_2^1 [resp. to G_2^2] with the adequate permission formulae. Notably, checking whether f : V_1 → V_2 is a [resp. strongly] precise homomorphism can be done in coNP [resp. PTime] when ENT(P) is in coNP, which is useful to establish the complexity upper bounds.

Relating memory states and deterministic SL-graphs
Given G_1 and G_2, we write f_{G_1,G_2} : [...] Without any further assumption, note that f_{G_1,G_2} is not necessarily a precise homomorphism. Below, we establish an equivalence between the existence of a precise homomorphism and the entailment |=_NI. A similar statement can be found in [6], but herein we deal with permissions and with deterministic SL-graphs. This is a key result at the heart of our whole enterprise. An auxiliary definition is needed. Given a deterministic SL-graph G' and a symbolic heap (Π, Σ), we write (pure(G'), spatial(G')) |=_lin (Π, Σ) iff for all P-memory states (s, h, ι) such that (s, h, ι) [...]

Lemma 11. Let G' be a deterministic SL-graph such that (pure(G'), spatial(G')) is satisfiable. For all SL-graphs G, the statements below are equivalent: [...] The map f_{G,G'} is a precise homomorphism from G to G'.

Decision procedures modulo permission theories
Let us characterise non-entailment between two symbolic heaps in the non-intuitionistic setting (leading to entailment of symbolic heaps from Figure 3 with [...]). This induces a nondeterministic algorithm by guessing the appropriate G' (see below). Such a guess could be formalised in a proof system, as done for a fragment in Section 3, but herein we focus on the characterisation. In Theorem 12 below, note the use of |=_NI (instead of |=_lin).

Note that in these two permission models a permission term α ⊕ α has no interpretation, since the partial function ⊕ is not defined for identical elements. As a consequence, it holds for instance that defined(α ⊕ α) is unsatisfiable and lseg_{α⊕α}(x, y) |=_{P_Tok} x ≠ x.
These two permission models are particular instances of what we call Boolean permission models, i.e. permission models defined on top of a given Boolean algebra, as explained below. Let B = (B_B, ∧_B, ∨_B, ⊤_B, ⊥_B, ¬_B) be a Boolean algebra. The permission model P_B associated to B is P_B =def (P_B, ⊕_B, ⊤_B) where P_B = B_B \ {⊥_B} and π ⊕_B π' is defined when π ∧_B π' = ⊥_B, and in that case π ⊕_B π' =def π ∨_B π'. A permission model is Boolean if it is isomorphic to P_B for some Boolean algebra B. Both P_Tok and P_Bin are Boolean, the first one through the Boolean algebra of finite or co-finite subsets of N, the second one through the Boolean algebra of open-closed sets of {0, 1}^ω, see e.g. [7]. As stated below, Boolean permission models are canonical in some sense.
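As an added illustration (not code from the paper) of Definition 1 and of the Boolean construction P_B above, the following Python implements Boyland's fractional model P_Boy and a Boolean permission model over the subsets of a finite set, and evaluates permission formulae under a P-interpretation; the tuple syntax for terms and atoms, the class names and the convention that an atom holds only when all its terms are defined are this example's own assumptions.

```python
# Added example, not the paper's code: P_Boy and P_B over subsets of {0..n-1},
# plus evaluation of permission formulae under a P-interpretation.
from fractions import Fraction
from itertools import product

# Permission terms: 1 (total permission), a string (variable), ("+", p, q) for p ⊕ q.
# Atomic formulae: ("=", p, q), ("<=", p, q), ("def", p); a formula is a list of atoms.

class Fractional:
    """P_Boy = ((0, 1], 1, +): pi ⊕ pi' = pi + pi', defined when the sum is <= 1."""
    one = Fraction(1)

    def plus(self, a, b):
        s = a + b
        return s if s <= 1 else None          # None encodes 'undefined'

    def le(self, a, b):                       # a <=_P b: a = b or b = a ⊕ c for some c
        return a <= b

class BooleanModel:
    """P_B for the Boolean algebra of subsets of {0..n-1}, stored as bitmasks.
    Bottom (0) is excluded; pi ⊕ pi' is defined iff pi ∧ pi' = ⊥, and then equals pi ∨ pi'."""
    def __init__(self, n):
        self.n = n
        self.one = (1 << n) - 1               # top of the algebra = total permission

    def plus(self, a, b):
        return a | b if a & b == 0 else None

    def le(self, a, b):                       # a ⊆ b, i.e. a ⊕ (b \ a) = b
        return a & b == a

    def elements(self):
        return range(1, 1 << self.n)          # every element except ⊥

def evaluate(model, term, iota):
    """Extend iota to a partial map on terms; None means the term is undefined."""
    if term == 1:
        return model.one
    if isinstance(term, str):
        return iota[term]
    _, p, q = term
    a, b = evaluate(model, p, iota), evaluate(model, q, iota)
    return None if a is None or b is None else model.plus(a, b)

def holds(model, atom, iota):
    """Assumption of this example: an atom holds only if all its terms are defined."""
    vals = [evaluate(model, t, iota) for t in atom[1:]]
    if any(v is None for v in vals):
        return False
    kind = atom[0]
    if kind == "def":
        return True
    if kind == "=":
        return vals[0] == vals[1]
    return model.le(vals[0], vals[1])

def satisfies(model, formula, iota):
    return all(holds(model, atom, iota) for atom in formula)

def fractional_check():
    """alpha ⊕ alpha = 1 holds in P_Boy under iota(alpha) = 1/2; ⊥ (1 ⊕ 1 = 1) never holds."""
    m, iota = Fractional(), {"alpha": Fraction(1, 2)}
    return (satisfies(m, [("=", ("+", "alpha", "alpha"), 1)], iota),
            satisfies(m, [("=", ("+", 1, 1), 1)], iota))

def boolean_sat(n, formula, variables):
    """Brute-force SAT(P_B) on the finite algebra with n atoms: a model of formula or None."""
    m = BooleanModel(n)
    for choice in product(m.elements(), repeat=len(variables)):
        iota = dict(zip(variables, choice))
        if satisfies(m, formula, iota):
            return iota
    return None
```

In the Boolean model alpha ⊕ alpha is never defined, so alpha ⊕ alpha = 1 has no model there, while a split 1 = alpha ⊕ beta is found as two disjoint non-empty subsets.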
Lemma 17. Let A_L, A_R be permission formulae. Let P be a Boolean permission model with at least two elements such that A_L |=_P A_R, and width(P) ≥ card(PVar(A_L)). Then for all Boolean permission models P', we have A_L |=_{P'} A_R.
Lemma 17 entails ENT(P_Tok) = ENT(P_Bin). The case card(P_P) = 1 cannot be added to Lemma 17 since |=_{P_1} α_1 = α_2 but ⊭_{P_Tok} α_1 = α_2 with α_1 different from α_2. Note also that if we could express the atomicity of a permission, the two models could be distinguished.
From now on, we consider an arbitrary Boolean permission model P_B associated to a Boolean algebra B such that width(P_B) = ω. Boolean permission models behave quite nicely, and below we establish that their decision problems are in coNP.
Theorem 19. Let P_B be a Boolean permission model such that width(P_B) = ω. SAT(P_B) is NP-complete and ENT(P_B) is coNP-complete.
A reduction from the NP-complete problem 1-in-3 SAT [15] gives the hardness result. We give below the proof idea for SAT(P_B) being in NP. Actually, we can consider only permission terms equal to 1 and of the form α_i, and atomic permission formulae of the form α_i = α_j, α_i ≤ α_j, α_i = 1 or defined(α_i), and we can assume that each A contains a conjunct defined(p) for each permission term p. Let A be a permission formula built on α_1, . . ., α_n. We introduce an arithmetical formula ψ_A such that A is satisfiable iff ψ_A is satisfiable. The Boolean/arithmetical variables of ψ_A, taking their values in {0, 1}, are precisely the X^i_j for i, j ∈ [1, n]. The formula ψ_A is a conjunction ψ_1 ∧ · · · ∧ ψ_n where each ψ_i is built on the variables X^i_1, . . ., X^i_n. For each i ∈ [1, n], we define t_i(α_j) =def X^i_j, and t_i(p) replaces each occurrence of α_j by t_i(α_j), each occurrence of ⊕ by +, and each occurrence of 1 by 1. Each ψ_i is a conjunction of constraints defined by: (a) for each p = p' [resp. p ≤ p'] in A, ψ_i contains t_i(p) ≤ t_i(p') ∧ t_i(p') ≤ t_i(p) [resp. t_i(p) ≤ t_i(p')], and (b) for each formula defined(p) in A, ψ_i contains t_i(p) ≤ 1; moreover, X^i_i = 1 belongs to ψ_i. The next lemma relates A and ψ_A.
Lemma 20. A is satisfiable iff ψ_A is satisfiable. This lemma entails that SAT(P_B) is in NP.
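The encoding ψ_A of the proof sketch, carried out in Python as an added example (not the paper's code): it builds each ψ_i from A over α_1, . . ., α_n exactly as in (a), (b) and X^i_i = 1, and decides ψ_A by brute force over {0, 1} assignments. It accepts arbitrary ⊕-terms rather than only the normalised atoms, adds the assumed defined(p) conjuncts itself, and its tuple syntax and helper names are this example's own.

```python
# Added example, not the paper's code: the arithmetical formula psi_A of Lemma 20
# for a permission formula A over a1..an, decided by enumerating the X^i_j in {0,1}.
from itertools import product

# Term syntax: 1, "a1".."an" (the alpha_j), ("+", p, q) for p ⊕ q.
# Atoms: ("=", p, q), ("<=", p, q), ("def", p); A is a list of atoms.

def terms_of(atom):
    """All permission terms (including subterms) occurring in an atom."""
    def walk(term):
        yield term
        if isinstance(term, tuple):
            yield from walk(term[1])
            yield from walk(term[2])
    for term in atom[1:]:
        yield from walk(term)

def t(i, term, X):
    """t_i(p): alpha_j -> X^i_j, 1 -> 1, ⊕ -> +, under the assignment X[(i, j)]."""
    if term == 1:
        return 1
    if isinstance(term, str):
        return X[(i, int(term[1:]))]
    return t(i, term[1], X) + t(i, term[2], X)

def psi_i_holds(i, A, X):
    """psi_i: constraints (a) and (b) of the text, plus X^i_i = 1."""
    if X[(i, i)] != 1:
        return False
    for atom in A:
        kind = atom[0]
        if kind == "=":
            l, r = t(i, atom[1], X), t(i, atom[2], X)
            if not (l <= r and r <= l):
                return False
        elif kind == "<=":
            if not t(i, atom[1], X) <= t(i, atom[2], X):
                return False
        elif kind == "def":
            if not t(i, atom[1], X) <= 1:
                return False
    return True

def with_definedness(A):
    """The text assumes a conjunct defined(p) for every term p of A; add the missing ones."""
    extra = []
    for atom in A:
        for p in terms_of(atom):
            if ("def", p) not in A and ("def", p) not in extra:
                extra.append(("def", p))
    return list(A) + extra

def psi_sat(A, n):
    """Return an assignment of the X^i_j satisfying psi_A, or None (Lemma 20: iff A is satisfiable in P_B)."""
    A = with_definedness(A)
    cells = [(i, j) for i in range(1, n + 1) for j in range(1, n + 1)]
    for bits in product((0, 1), repeat=len(cells)):
        X = dict(zip(cells, bits))
        if all(psi_i_holds(i, A, X) for i in range(1, n + 1)):
            # one reading of the result: X^i_j = 1 says the i-th atom of the algebra lies in alpha_j
            return X
    return None
```

The enumeration is exponential in n²; it serves to check the encoding on small formulae, whereas the NP membership argument only needs that a satisfying assignment can be guessed and verified in polynomial time.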

Conclusion
Our results provide optimal complexity results about several standard permission models and are summarized by the following table. The algorithms can be implemented using any checker following the standard viewpoint for SMT solvers [2] for reasoning on permissions. Besides, this work could be continued in several directions, for instance to consider enriched permission theories (e.g., adding inequalities between permission terms), permission models without infinite width, to allow existential quantifications, or to design sequent-style proof systems for checking entailment based on our characterisations.

S. Demri, E. Lozes and D. Lugiez

Intuitively, we remove each points-to predicate of Σ_r, one by one, until Σ_r is trivial. This new rewrite relation, denoted by =⇒_AS, terminates in at most |Σ_r| steps, and it preserves the entailment validity: if [...]

We require a functionality condition: v →_p v' implies the unicity of p and v'. ↔_≠ is an irreflexive and symmetric binary relation on V. L : {x_1, . . ., x_q} → V is a surjective labelling. Given v ∈ V, we write vars(v) to denote the (non-empty) set {x | L(x) = v} and var(v) =def [...] presents SL-graphs where dashed lines encode the inequality relation, thick arrows encode ⇒, normal arrows encode →, and the permission formulae are omitted. Below, we provide a semantics to the SL-graphs by defining a symbolic heap for each SL-graph. Given G = (A, V, →, ⇒, ↔_≠, L), (pure(G), spatial(G)) denotes the symbolic heap defined from G: [...] deterministic, there is a unique path satisfying the above condition (if any).

[...] each edge v →_p v' in G_2 contributes to at least one edge of G_1, and we have [...]; (H5') is equal to (H5) except that in the case f(v) = f(v') we do not require that A |= defined(p); (H6') each edge v →_p v' in G_2 contributes to at least one edge of G_1, and we have ⊕{{p' | the edge v →_{p'} v' of G_2 contributes to u →_p u' ∈ G_1}} equal to p modulo AC (implying (H6)).
Given a P-memory state (s, h, ι) and a deterministic SL-graph G = (A, V, →, ⇒, ↔_≠, L), we write (s, h, ι) ≈_lin G whenever for all v, v', v'' ∈ V, if there are non-empty paths from v to v' and from v to v'' in G, then for all variables x, x', x'' such that L(x) = v, L(x') = v' and L(x'') = v'', one of the conditions below holds: [...] Intuitively, (s, h, ι) ≈_lin G holds when (s, h, ι) respects the linearisation induced by the graphical part of G.