Decision Problems in a Logic for Reasoning About Reconfigurable Distributed Systems

Abstract

We consider a logic used to describe sets of configurations of distributed systems, whose network topologies can be changed at runtime, by reconfiguration programs. The logic uses inductive definitions to describe networks with an unbounded number of components and interactions, written using a multiplicative conjunction, reminiscent of Bunched Implications [37] and Separation Logic [39]. We study the complexity of the satisfiability and entailment problems for the configuration logic under consideration. Additionally, we consider the robustness property of degree boundedness (is every component involved in a bounded number of interactions?), an ingredient for decidability of entailments.

1 Introduction

Distributed systems are increasingly used as critical parts of the infrastructure of our digital society, as in e.g., datacenters, e-banking and social networking. In order to address maintenance (e.g., replacement of faulty and obsolete network nodes by new ones) and data traffic issues (e.g., managing the traffic inside a datacenter [35]), the distributed systems community has recently put massive effort in designing algorithms for reconfigurable systems, whose network topologies change at runtime [23]. However, dynamic reconfiguration in the form of software or network upgrades has been recognized as one of the most important sources of cloud service outage [25].

This paper contributes to a logical framework that addresses the timely problems of formal modeling and verification of reconfigurable distributed systems. The basic building blocks of this framework are (i) a Hoare-style program proof calculus [1] used to write formal proofs of correctness of reconfiguration programs, and (ii) an invariant synthesis method [6] that proves the safety (i.e., absence of reachable error configurations) of the configurations defined by the assertions that annotate a reconfiguration program. These methods are combined to prove that an initially correct distributed system cannot reach an error state, following the execution of a given reconfiguration sequence.

The assertions of the proof calculus are written in a logic that defines infinite sets of configurations, consisting of components (i.e., processes running on different nodes of the network) connected by interactions (i.e., multi-party channels alongside which messages between components are transfered). Systems that share the same architectural style (e.g., pipeline, ring, star, tree, etc.) and differ by the number of components and interactions are described using inductively defined predicates. Such configurations can be modified either by (a) adding or removing components and interactions (reconfiguration), or (b) changing the local states of components, by firing interactions.

The assertion logic views components and interactions as resources, that can be created or deleted, in the spirit of resource logics à la Bunched Implications [37], or Separation Logic [39]. The main advantage of using resource logics is their support for local reasoning [12]: reconfiguration actions are specified by pre- and postconditions mentioning only the resources involved, while framing out the rest of the configuration.

The price to pay for this expressive power is the difficulty of automating the reasoning in these logics. This paper makes several contributions in the direction of proof automation, by studying the complexity of the satisfiability and entailment problems, for the configuration logic under consideration. Additionally, we study the complexity of a robustness property [27], namely degree boundedness (is every component involved in a bounded number of interactions?). In particular, the latter problem is used as a prerequisite for defining a fragment with a decidable entailment problem. For space reasons, the proofs of the technical results are given in [5].

1.1 Motivating Example

The logic studied in this paper is motivated by the need for an assertion language that supports reasoning about dynamic reconfigurations in a distributed system. For instance, consider a distributed system consisting of a finite (but unknown) number of components (processes) placed in a ring, executing the same finite-state program and communicating via interactions that connect the out port of a component to the in port of its right neighbour, in a round-robin fashion, as in Fig. 1(a). The behavior of a component is a machine with two states, \(\mathsf {T}\) and \(\mathsf {H}\), denoting whether the component has a token (\(\mathsf {T}\)) or not (\(\mathsf {H}\)). A component \(c_i\) without a token may receive one, by executing a transition \(\mathsf {H}\xrightarrow {{\scriptstyle in }}_{{\scriptstyle }} \mathsf {T}\), simultaneously with its left neighbour \(c_j\), that executes the transition \(\mathsf {T}\xrightarrow {{\scriptstyle out }}_{{\scriptstyle }} \mathsf {H}\). Then, we say that the interaction \((c_j, out , c_i, in )\) has fired, moving a token one position to the right in the ring. Note that there can be more than one token, moving independently in the system, as long as no token overtakes another token.

The token ring system is formally specified by the following inductive rules:

$$\begin{aligned} \mathsf {ring}_{{h},{t}}(x)&\leftarrow \exists y \exists z ~.~ {[{x}]}@{q} * \langle {{x}. out ,\,{z}. in } \rangle * \mathsf {chain}_{{h'},{t'}}(z,y) * \langle {{y}. out ,\,{x}. in } \rangle \\ \mathsf {chain}_{{h},{t}}(x,\,y)&\leftarrow \exists z.~{[{x}]}@{q} * \langle {{x}.{ out },\,{z}.{ in }} \rangle * \mathsf {chain}_{{h'},{t'}}(z,y) \\ \mathsf {chain}_{{0},{1}}(x,\,x)&\leftarrow {[{x}]}@{\mathsf {T}} \mathsf {chain}_{{1},{0}}(x,\,x) \leftarrow {[{x}]}@{\mathsf {H}} \mathsf {chain}_{{0},{0}}(x,\,x) \leftarrow [{x}] \\ \text {where } h'&{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\left\{ \begin{array}{ll} \max (h-1,0) &{} \text {, if } q = \mathsf {H}\\ h &{} \text {, if } q = \mathsf {T}\end{array}\right. \text { and } t' {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\left\{ \begin{array}{ll} \max (t-1,0) &{} \text {, if } q = \mathsf {T}\\ t &{} \text {, if } q = \mathsf {H}\end{array}\right. \end{aligned}$$

The predicate \(\mathsf {ring}_{{h},{t}}(x)\) describes a ring with at least two components, such that at least h (resp. t) components are in state \(\mathsf {H}\) (resp. \(\mathsf {T}\)). The ring consists of a component x in state q, described by the formula \({[{x}]}@{q}\), an interaction from the \( out \) port of x to the \( in \) port of another component z, described as \(\langle {{x}. out ,\,{z}. in } \rangle \), a separate chain of components stretching from z to y (\(\mathsf {chain}_{{h'},{t'}}(z,y)\)), and an interaction connecting the \( out \) port of component y to the \( in \) port of component x (\(\langle {{y}. out ,\,{x}. in } \rangle \)). Inductively, a chain consists of a component \({[{x}]}@{q}\), an interaction \(\langle {{x}. out ,\,{z}. in } \rangle \) and a separate \(\mathsf {chain}_{{h'},{t'}}(z,y)\). Figure 1(b) depicts the unfolding of the inductive definition of the token ring, with the existentially quantified variables z from the above rules \(\alpha \)-renamed to \(z^1, z^2, \ldots \) to avoid confusion.

Fig. 1.

Inductive Specification and Reconfiguration of a Token Ring

A reconfiguration program takes as input a mapping of program variables to components and executes a sequence of basic operations i.e., component/interaction creation/deletion, involving the components and interactions denoted by these variables. For instance, the reconfiguration program in Fig. 1(c) takes as input three adjacent components, mapped to the variables \(\mathtt {x}\), \(\mathtt {y}\) and \(\mathtt {z}\), respectively, removes the component \(\mathtt {y}\) together with its left and right interactions and reconnects \(\mathtt {x}\) directly with \(\mathtt {z}\). Programming reconfigurations is error-prone, because the interleaving between reconfiguration actions and interactions in a distributed system may lead to bugs that are hard to trace. For instance, if a reconfiguration program removes the last component in state \(\mathsf {T}\) (resp. \(\mathsf {H}\)) from the system, no token transfer interaction may fire and the system deadlocks.

We prove absence of such errors using a Hoare-style proof system [1], based on the logic introduced above as assertion language. For instance, the proof from Fig. 1(c) shows that the reconfiguration sequence applied to a component \(\mathtt {y}\) in state \(\mathsf {H}\) (i.e., \({[{y}]}@{\mathsf {H}}\)) in a ring with at least \(h\ge 2\) components in state \(\mathsf {H}\) and at least \(t\ge 1\) components in state \(\mathsf {T}\) leads to a ring with at least \(h-1\) components in state \(\mathsf {H}\) and at least t in state \(\mathsf {T}\); note that the states of the components may change during the execution of the reconfiguration program, as tokens are moved by interactions.

The proof in Fig. 1(c) uses local axioms specifying, for each basic operation, only those components and interactions required to avoid faulting, with a frame rule ; for readability, the frame formulæ (from the preconditions of the conclusion of the frame rule applications) are enclosed in boxes.

The proof also uses the consequence rule \(\{ {\phi } \} ~\mathsf {P}~ \{ {\psi } \} \Rightarrow \{ {\phi '} \} ~\mathsf {P}~ \{ {\psi '} \}\) that applies if \(\phi '\) is stronger than \(\phi \) and \(\psi '\) is weaker than \(\psi \). The side conditions of the consequence rule require checking the validity of the entailments \(\mathsf {ring}_{{h},{t}}(y) \models \exists x \exists z ~.~ \langle {{x}.{ out },\,{y}.{ in }} \rangle * {[{y}]}@{\mathsf {H}} * \langle {{y}.{ out },\,{z}.{ in }} \rangle * \mathsf {chain}_{{h-1},{t}}(z,x)\) and \(\mathsf {chain}_{{h-1},{t}}(z,\,x) * \langle {{x}.{ out },\,{z}.{ in }} \rangle \models \mathsf {ring}_{{h-1},{t}}(z)\), for all \(h\ge 2\) and \(t\ge 1\). These side conditions can be automatically discharged using the results on the decidability of entailments given in this paper. Additionally, checking the satisfiability of a precondition is used to detect trivially valid Hoare triples.

1.2 Related Work

Formal modeling coordinating architectures of component-based systems has received lots of attention, with the development of architecture description languages (ADL), such as BIP [3] or REO [2]. Many such ADLs have extensions that describe programmed reconfiguration, e.g., [19, 30], classified according to the underlying formalism used to define their operational semantics: process algebras [13, 33], graph rewriting [32, 41, 44], chemical reactions [43] (see the surveys [7, 11]). Unfortunately, only few ADLs support formal verification, mainly in the flavour of runtime verification [10, 17, 20, 31] or finite-state model checking [14].

Parameterized verification of unbounded networks of distributed processes uses mostly hard-coded coordinating architectures (see [4] for a survey). A first attempt at specifying architectures by logic is the interaction logic of Konnov et al. [29], a combination of Presburger arithmetic with monadic uninterpreted function symbols, that can describe cliques, stars and rings. More structured architectures (pipelines and trees) can be described using a second-order extension [34]. However, these interaction logics are undecidable and lack support for automated reasoning.

Specifying parameterized component-based systems by inductive definitions is not new. Network grammars [26, 32, 40] use context-free grammar rules to describe systems with linear (pipeline, token-ring) architectures obtained by composition of an unbounded number of processes. In contrast, we use predicates of unrestricted arities to describe architectural styles that are, in general, more complex than trees. Moreover, we write inductive definitions using a resource logic, suitable also for writing Hoare logic proofs of reconfiguration programs, based on local reasoning [12].

Local reasoning about concurrent programs has been traditionally the focus of Concurrent Separation Logic (CSL), based on a parallel composition rule [36], initially with a non-interfering (race-free) semantics [8] and later combining ideas of assume- and rely-guarantee [28, 38] with local reasoning [22, 42] and abstract notions of framing [15, 16, 21]. However, the body of work on CSL deals almost entirely with shared-memory multithreading programs, instead of distributed systems, which is the aim of our work. In contrast, we develop a resource logic in which the processes do not just share and own resources, but become mutable resources themselves.

The techniques developed in this paper are inspired by existing techniques for similar problems in the context of Separation Logic (SL) [39]. For instance, we use an abstract domain similar to the one defined by Brotherston et al. [9] for checking satisfiability of symbolic heaps in SL and reduce a fragment of the entailment problem in our logic to SL entailment [18]. In particular, the use of existing automated reasoning techniques for SL has pointed out several differences between the expressiveness of our logic and that of SL. First, the configuration logic describes hypergraph structures, in which edges are \(\ell \)-tuples for \(\ell \ge 2\), instead of directed graphs as in SL, where \(\ell \) is a parameter of the problem: considering \(\ell \) to be a constant strictly decreases the complexity of the problem. Second, the degree (number of hyperedges containing a given vertex) is unbounded, unlike in SL, where the degree of heaps is constant. Therefore, we dedicate an entire section (Sect. 4) to the problem of deciding the existence of a bound (and computing a cut-off) on the degree of the models of a formula, used as a prerequisite for the encoding of the entailment problems from the configuration logic as SL entailments.

2 Definitions

We denote by \(\mathbb {N}\) the set of positive integers including zero. For a set A, we define \(A^1 {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}A\), \(A^{i+1} {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}A^i \times A\), for all \(i \ge 1\), and \(A^+ = \bigcup _{i\ge 1} A^i\), where \(\times \) denotes the Cartesian product. We denote by \(\text {pow}({A})\) the powerset of A and by \(\mathrm {mpow}({A})\) the power-multiset (set of multisets) of A. The cardinality of a finite set A is denoted as \(|\!| {A} |\!|\). By writing \(A \subseteq _{ fin }B\) we mean that A is a finite subset of B. Given integers i and j, we write \([{i},{j}]\) for the set \(\{ {i,i+1,\ldots ,j} \}\), assumed to be empty if \(i>j\). For a tuple \(\mathbf{t }= \langle {t_1, \ldots , t_n} \rangle \), we define \(|{\mathbf{t}}| {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}n\), and . By writing \(x= poly (y)\), for given \(x,y\in \mathbb {N}\), we mean that there exists a polynomial function \(f : \mathbb {N}\rightarrow \mathbb {N}\), such that \(x \le f(y)\).

2.1 Configurations

We model distributed systems as hypergraphs, whose vertices are components (i.e., the nodes of the network) and hyperedges are interactions (i.e., describing the way the components communicate with each other). The components are taken from a countably infinite set \(\mathbb {C}\), called the universe. We consider that each component executes its own copy of the same behavior, represented as a finite-state machine \(\mathbb {B}=(\mathcal {P},\mathcal {Q},\xrightarrow {{\scriptstyle }}_{{\scriptstyle }})\), where \(\mathcal {P}\) is a finite set of ports, \(\mathcal {Q}\) is a finite set of states and \(\xrightarrow {{\scriptstyle }}_{{\scriptstyle }} \subseteq \mathcal {Q}\times \mathcal {P}\times \mathcal {Q}\) is a transition relation. Intuitively, each transition \(q \xrightarrow {{\scriptstyle p}}_{{\scriptstyle }} q'\) of the behavior is triggerred by a visible event, represented by the port p. For instance, the behavior of the components of the token ring system from Fig. 1(a) is \(\mathbb {B}=(\{ { in , out } \}, \{ {\mathsf {H},\mathsf {T}} \}, \{ {\mathsf {H}\xrightarrow {{\scriptstyle in }}_{{\scriptstyle }}\mathsf {T}, \mathsf {T}\xrightarrow {{\scriptstyle out }}_{{\scriptstyle }}\mathsf {H}} \})\). The universe \(\mathbb {C}\) and the behavior \(\mathbb {B}=(\mathcal {P},\mathcal {Q},\xrightarrow {{\scriptstyle }}_{{\scriptstyle }})\) are fixed in the rest of this paper.

We introduce a logic for describing infinite sets of configurations of distributed systems with unboundedly many components and interactions. A configuration is a snapshot of the system, describing the topology of the network (i.e., the set of present components and interactions) together with the local state of each component:

Definition 1

A configuration is a tuple \(\gamma = (\mathcal {C},\mathcal {I}, \varrho )\), where:

• \(\mathcal {C}\subseteq _{ fin }\mathbb {C}\) is a finite set of components, that are present in the configuration,

• \(\mathcal {I}\subseteq _{ fin }(\mathbb {C}\times \mathcal {P})^+\) is a finite set of interactions, where each interaction is a sequence \((c_1, p_1, \ldots , c_n, p_n) \in (\mathbb {C}\times \mathcal {P})^n\) that binds together the ports \(p_1, \ldots , p_n\) of the pairwise distinct components \(c_1, \ldots , c_n\), respectively.

• \(\varrho : \mathbb {C}\rightarrow \mathcal {Q}\) is a state map associating each (possibly absent) component, a state of the behavior \(\mathbb {B}\), such that the set \(\{ {c \in \mathbb {C}\mid \varrho (c) = q} \}\) is infinite, for each \(q \in \mathcal {Q}\).

The last condition requires that there is an infinite pool of components in each state \(q \in \mathcal {Q}\); since \(\mathbb {C}\) is infinite and \(\mathcal {Q}\) is finite, this condition is feasible. For example, the configurations of the token ring from Fig. 1(a) are \((\{c_1, \ldots , c_n\}, \{(c_i, out ,c_{(i ~\mathrm {mod}~n) + 1}, in ) \mid i \in [{1},{n}]\}, \varrho )\), where \(\varrho :\mathbb {C}\rightarrow \{ {\mathsf {H},\mathsf {T}} \}\) is a state map. The ring topology is described by the set of components \(\{c_1, \ldots , c_n\}\) and interactions \(\{(c_i, out , c_{(i ~\mathrm {mod}~n) + 1}, in ) \mid i \in [{1},{n}]\}\).

Intuitively, an interaction \((c_1, p_1, \ldots , c_n, p_n)\) synchronizes transitions labeled by the ports \(p_1, \ldots , p_n\) from the behaviors (i.e., replicas of the state machine \(\mathbb {B}\)) of \(c_1, \ldots , c_n\), respectively. Note that the components \(c_i\) are not necessary part of the configuration. The interactions are classified according to their sequence of ports, called the interaction type and let \(\mathsf {Inter}{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\mathcal {P}^+\) be the set of interaction types; an interaction type models, for instance, the passing of a certain kind of message (e.g., request, acknowledgement, etc.). From an operational point of view, two interactions that differ by a permutation of indices e.g., \((c_1, p_1, \ldots , c_n, p_n)\) and \((c_{i_1}, p_{i_1}, \ldots , c_{i_n}, p_{i_n})\) such that \(\{ {i_1, \ldots , i_n} \} = [{1},{n}]\), are equivalent, since the set of transitions is the same; nevertheless, we chose to distinguish them in the following, exclusively for reasons of simplicity.

Below we define the composition of configurations, as the union of disjoint sets of components and interactions:

Definition 2

The composition of two configurations \(\gamma _i = (\mathcal {C}_i, \mathcal {I}_i, \varrho )\), for \(i = 1,2\), such that \(\mathcal {C}_1 \cap \mathcal {C}_2 = \emptyset \) and \(\mathcal {I}_1 \cap \mathcal {I}_2 = \emptyset \), is defined as \(\gamma _1 \bullet \gamma _2 {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}(\mathcal {C}_1 \cup \mathcal {C}_2, \mathcal {I}_1 \cup \mathcal {I}_2, \varrho )\). The composition \(\gamma _1 \bullet \gamma _2\) is undefined if \(\mathcal {C}_1 \cap \mathcal {C}_2 \ne \emptyset \) or \(\mathcal {I}_1 \cap \mathcal {I}_2 \ne \emptyset \).

In analogy with graphs, the degree of a configuration is the maximum number of interactions from the configuration that involve a (possibly absent) component:

Definition 3

The degree of a configuration \(\gamma = (\mathcal {C}, \mathcal {I}, \varrho )\) is defined as \(\delta _{}({\gamma }) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\max _{c\in \mathbb {C}} \delta _{c}({\gamma })\), where \(\delta _{c}({\gamma }) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}|\!| {\{(c_1, p_1, \ldots , c_n, p_n) \in \mathcal {I}\mid c = c_i,~ i \in [{1},{n}]\}} |\!|\).

For instance, the configuration of the system from Fig. 1(a) has degree two.

2.2 Configuration Logic

Let \(\mathbb {V}\) and \(\mathbb {A}\) be countably infinite sets of variables and predicates, respectively. For each predicate \(\mathsf {A}\in \mathbb {A}\), we denote its arity by \(\#{\mathsf {A}}\). The formulæ of the Configuration Logic (CL) are described inductively by the following syntax:

$$\phi := \mathsf {emp}\mid [{x}] \mid \langle {{x_1}. p_1 , \ldots , {x_n}. p_n } \rangle \mid {x}@{q} \mid x=y \mid x\ne y \mid \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \mid \phi * \phi \mid \exists x ~.~ \phi $$

where \(x, y, x_1, \ldots \in \mathbb {V}\), \(q \in \mathcal {Q}\) and \(\mathsf {A}\in \mathbb {A}\). A formula \([{x}]\), \(\langle {{x_1}. p_1 , \ldots , {x_n}. p_n } \rangle \), \({x}@{q}\) and \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) is called a component, interaction, state and predicate atom, respectively. These formulæ are also referred to as atoms. The connective \(*\) is called the separating conjunction. We use the shorthand \({[{x}]}@{q} {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}[{x}] \,*\, {x}@{q}\). For instance, the formula \({[{x}]}@{q} \,*\, {[{y}]}@{q'} \,*\, \langle {{x}. out ,\,{y}. in } \rangle \,*\, \langle {{x}. in ,\,{y}. out } \rangle \) describes a configuration consisting of two distinct components, denoted by the values of x and y, in states q and \(q'\), respectively, and two interactions binding the \( out \) port of one to the \( in \) port of the other component.

A formula is said to be pure if and only if it is a separating conjunction of state atoms, equalities and disequalities. A formula with no occurrences of predicate atoms (resp. existential quantifiers) is called predicate-free (resp. quantifier-free). A variable is free if it does not occur within the scope of an existential quantifier ; we note \(\mathrm {fv}({\phi })\) the set of free variables of \(\phi \). A sentence is a formula with no free variables. A substitution \(\phi [x_1/y_1 \ldots x_n/y_n]\) replaces simultaneously every free occurrence of \(x_i\) by \(y_i\) in \(\phi \), for all \(i \in [{1},{n}]\). Before defining the semantics of CL formulæ, we introduce the set of inductive definitions that assigns meaning to predicates:

Definition 4

A set of inductive definitions (SID) \(\Delta \) consists of rules \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \), where \(x_1, \ldots , x_{\#{\mathsf {A}}}\) are pairwise distinct variables, called parameters, such that \(\mathrm {fv}({\phi }) \subseteq \{ {x_1, \ldots , x_{\#{\mathsf {A}}}} \}\). The rule \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \) defines \(\mathsf {A}\) and we denote by \(\mathrm {def}_{\Delta }({\mathsf {A}})\) the set of rules from \(\Delta \) that define \(\mathsf {A}\).

Note that having distinct parameters in a rule is without loss of generality, as e.g., a rule \(\mathsf {A}(x_1, x_1) \leftarrow \phi \) can be equivalently written as \(\mathsf {A}(x_1, x_2) \leftarrow x_1 = x_2 * \phi \). As a convention, we shall always use the names \(x_1, \ldots , x_{\#{\mathsf {A}}}\) for the parameters of a rule that defines \(\mathsf {A}\).

The semantics of CL formulæ is defined by a satisfaction relation \(\gamma \models ^\nu _\Delta \phi \) between configurations and formulæ. This relation is parameterized by a store \(\nu : \mathbb {V}\rightarrow \mathbb {C}\) mapping the free variables of a formula into components from the universe (possibly absent from \(\gamma \)) and an SID \(\Delta \). We write \(\nu [x \leftarrow c]\) for the store that maps x into c and agrees with \(\nu \) on all variables other than x. The definition of the satisfaction relation is by induction on the structure of formulæ, where \(\gamma = (\mathcal {C}, \mathcal {I}, \varrho )\) is a configuration (Definition 1):

$$\begin{array}{rclcl} \gamma &{} \models ^\nu _\Delta &{} \mathsf {emp}&{} \iff &{} \mathcal {C}= \emptyset \text { and } \mathcal {I}= \emptyset \\ \gamma &{} \models ^\nu _\Delta &{} [{x}] &{} \iff &{} \mathcal {C}= \{ {\nu (x)} \} \text { and } \mathcal {I}= \emptyset \\ \gamma &{} \models ^\nu _\Delta &{} \langle {{x_1}. p_1 , \ldots , {x_n}. p_n } \rangle &{} \iff &{} \mathcal {C}= \emptyset \text { and } \mathcal {I}= \{ {(\nu (x_1), p_1, \ldots , \nu (x_n), p_n)} \} \\ \gamma &{} \models ^\nu _\Delta &{} {x}@{q} &{} \iff &{} \gamma \models ^\nu _\Delta \mathsf {emp}\text { and } \varrho (\nu (x)) = q \\ \gamma &{} \models ^\nu _\Delta &{} x \sim y &{} \iff &{} \gamma \models ^\nu _\Delta \mathsf {emp}\text { and } \nu (x)\sim \nu (y) \text {, for all } \sim \in \{ {=,\ne } \} \\ \gamma &{} \models ^\nu _\Delta &{} \mathsf {A}(y_1, \ldots , y_{\#{\mathsf {A}}}) &{} \iff &{} \gamma \models ^\nu _\Delta \phi [x_1/y_1, \ldots , x_{\#{\mathsf {A}}}/y_{\#{\mathsf {A}}}] \text {, for some rule } \\ &{}&{}&{}&{} \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \text { from } \Delta \\ \gamma &{} \models ^\nu _\Delta &{} \phi _1 * \phi _2 &{} \iff &{} \text {exist } \gamma _1, \gamma _2 \text {, such that } \gamma = \gamma _1 \bullet \gamma _2 \text { and } \gamma _i \models ^\nu _\Delta \phi _i \text {, for } i = 1,2 \\ \gamma &{} \models ^\nu _\Delta &{} \exists x ~.~ \phi &{} \iff &{} \gamma \models ^{\nu [x \leftarrow c]}_\Delta \phi \text {, for some } c \in \mathbb {C}\end{array}$$

If \(\phi \) is a sentence, the satisfaction relation \(\gamma \models ^\nu _\Delta \phi \) does not depend on the store, written \(\gamma \models _\Delta \phi \), in which case we say that \(\gamma \) is a model of \(\phi \). If \(\phi \) is a predicate-free formula, the satisfaction relation does not depend on the SID, written \(\gamma \models ^\nu \phi \). A formula \(\phi \) is satisfiable if and only if the sentence \(\exists x_1 \ldots \exists x_n ~.~ \phi \) has a model, where \(\mathrm {fv}({\phi }) = \{ {x_1, \ldots , x_n} \}\). A formula \(\phi \) entails a formula \(\psi \), written \(\phi \models _\Delta \psi \) if and only if, for any configuration \(\gamma \) and store \(\nu \), we have \(\gamma \models ^\nu _\Delta \phi \) only if \(\gamma \models ^\nu _\Delta \psi \).

2.3 Separation Logic

Separation Logic (SL) [39] will be used in the following to prove several technical results concerning the decidability and complexity of certain decision problems for CL. For self-containment reasons, we define SL below. The syntax of SL formulæ is described by the following grammar:

$$\phi := \mathsf {emp}\mid x_0 \mapsto (x_1, \ldots , x_\mathfrak {K}) \mid x = y \mid x \ne y \mid \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \mid \phi * \phi \mid \exists x ~.~ \phi $$

where \(x, y, x_0, x_1, \ldots \in \mathbb {V}\), \(\mathsf {A}\in \mathbb {A}\) and \(\mathfrak {K}\ge 1\) is an integer constant. Formulæ of SL are interpreted over finite partial functions \(\mathsf {h}: \mathbb {C}\rightharpoonup _{\scriptscriptstyle fin }\mathbb {C}^\mathfrak {K}\), called heaps¹, by a satisfaction relation \(\mathsf {h}\Vdash ^\nu \phi \), defined inductively as follows:

$$\begin{array}{rclcl} \mathsf {h}&{} \Vdash ^\nu _\Delta &{} \mathsf {emp}&{} \iff &{} \mathsf {h}= \emptyset \\ \mathsf {h}&{} \Vdash ^\nu _\Delta &{} x_0 \mapsto (x_1,\ldots ,x_\mathfrak {K}) &{} \iff &{} \mathrm {dom}({\mathsf {h}}) = \{ {\nu (x_0)} \} \text { and } \mathsf {h}(\nu (x_0)) = \langle {\nu (x_1), \ldots , \nu (x_\mathfrak {K})} \rangle \\ \mathsf {h}&{} \Vdash ^\nu &{} \phi _1 * \phi _2 &{} \iff &{} \text {there exist } \mathsf {h}_1, \mathsf {h}_2 \text { such that } \mathrm {dom}({\mathsf {h}_1}) \cap \mathrm {dom}({\mathsf {h}_2}) = \emptyset , \\ &{}&{}&{}&{} \mathsf {h}= \mathsf {h}_1 \cup \mathsf {h}_2 \text { and } \mathsf {h}_i \Vdash ^\nu _\Delta \phi _i \text {, for both } i = 1,2 \\ \end{array}$$

where \(\mathrm {dom}({\mathsf {h}}) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\{ {c \in \mathbb {C}\mid \mathsf {h}(c) \text { is defined}} \}\) is the domain of the heap and (dis-) equalities, predicate atoms and existential quantifiers are defined same as for CL.

2.4 Decision Problems

We define the decision problems that are the focus of the upcoming sections. As usual, a decision problem is a class of yes/no queries that differ only in their input. In our case, the input consists of an SID and one or two predicates, written between square brackets.

Definition 5

We consider the following problems, for a SID \(\Delta \) and predicates \(\mathsf {A}, \mathsf {B}\in \mathbb {A}\):

1. 1.

   \(\mathsf {Sat}[{\Delta },{\mathsf {A}}]\): is the sentence \(\exists x_1 \ldots \exists x_{\#{\mathsf {A}}} ~.~ \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) satisfiable for \(\Delta \)?

2. 2.

   \(\mathsf {Bnd}[{\Delta },{\mathsf {A}}]\): is the set \(\{ {\delta _{}({\gamma }) \mid \gamma \models _\Delta \exists x_1 \ldots \exists x_{\#{\mathsf {A}}} ~.~ \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})} \}\) finite?

3. 3.

   \(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\): does \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \models _\Delta \exists x_{\#{\mathsf {B}}+1} \ldots \exists x_{\#{\mathsf {A}}} ~.~ \mathsf {B}(x_1, \ldots , x_{\#{\mathsf {B}}})\) hold?

The size of a formula \(\phi \) is the total number of occurrences of symbols needed to write it down, denoted by \(\mathrm {size}({\phi })\). The size of a SID \(\Delta \) is \(\mathrm {size}({\Delta }) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\sum _{\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \in \Delta } \mathrm {size}({\phi }) + \#{\mathsf {A}} + 1\). Other parameters of a SID \(\Delta \) are:

• \(\mathrm {arity}({\Delta }) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\max \{ {\#{\mathsf {A}} \mid \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \in \Delta } \}\),

• \(\mathrm {width}({\Delta }) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\max \{ {\mathrm {size}({\phi }) \mid \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \in \Delta } \}\),

• \(\mathrm {intersize}({\Delta }) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\max \{n \mid \langle {{x_1}. p_1 , \ldots , {x_n}. p_n } \rangle \text { occurs in } \phi , \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \in \Delta \}\).

For a decision problem \(\mathsf {P}[{\Delta },{\mathsf {A},\mathsf {B}}]\), we consider its \((k,\ell )\)-bounded versions \(\mathsf {P}^{({k}, {\ell })}[{\Delta }, {\mathsf {A},\mathsf {B}}]\), obtained by restricting the predicates and interaction atoms occurring \(\Delta \) to \(\mathrm {arity}({\Delta }) \le k\) and \(\mathrm {intersize}({\Delta }) \le \ell \), respectively, where k and \(\ell \) are either positive integers or infinity. We consider, for each \(\mathsf {P}[{\Delta },{\mathsf {A},\mathsf {B}}]\), the subproblems \(\mathsf {P}^{({k}, {\ell })}[{\Delta }, {\mathsf {A},\mathsf {B}}]\) corresponding to the three cases (1) \(k<\infty \) and \(\ell =\infty \), (2) \(k=\infty \) and \(\ell <\infty \), and (3) \(k=\infty \) and \(\ell =\infty \). As we explain next, this is because, for the decision problems considered (Definition 5), the complexity for the case \(k<\infty , \ell <\infty \) matches the one for the case \(k<\infty , \ell =\infty \).

Satisfiability (1) and entailment (3) arise naturally during verification of reconfiguration programs. For instance, \(\mathsf {Sat}[{\Delta },{\phi }]\) asks whether a specification \(\phi \) of a set configurations (e.g., a pre-, post-condition, or a loop invariant) is empty or not (e.g., an empty precondition typically denotes a vacuous verification condition), whereas \(\mathsf {Entl}[{\Delta },{\phi },{\psi }]\) is used as a side condition for the Hoare rule of consequence, as in e.g., the proof from Fig. 1(c). Moreover, entailments must be proved when checking inductiveness of a user-provided loop invariant.

The \(\mathsf {Bnd}[{\Delta },{\phi }]\) problem is used to check a necessary condition for the decidability of entailments i.e., \(\mathsf {Entl}[{\Delta },{\phi },{\psi }]\). If \(\mathsf {Bnd}[{\Delta },{\phi }]\) has a positive answer, we can reduce the problem \(\mathsf {Entl}[{\Delta },{\phi },{\psi }]\) to an entailment problem for SL, which is always interpreted over heaps of bounded degree [18]. Otherwise, the decidability status of the entailment problem is open, for configurations of unbounded degree, such as the one described by the example below.

Example 1

The following SID describes star topologies with a central controller connected to an unbounded number of workers stations:

$$\begin{aligned} Controller (x) \leftarrow&[{x}] * Worker (x) \\ Worker (x) \leftarrow&\exists y ~.~ \langle {{x}. out ,\,{y}. in } \rangle * [{y}] * Worker (x) \qquad Worker (x) \leftarrow&\mathsf {emp}\quad \blacksquare \end{aligned}$$

3 Satisfiability

We show that the satisfiability problem (Definition 5, point 1) is decidable, using a method similar to the one pioneered by Brotherston et al. [9], for checking satisfiability of inductively defined symbolic heaps in SL. We recall that a formula \(\pi \) is pure if and only if it is a separating conjunction of equalities, disequalities and state atoms. In the following, the order of terms in (dis-)equalities is not important i.e., we consider \(x=y\) (resp. \(x\ne y\)) and \(y=x\) (resp. \(y\ne x\)) to be the same formula.

Definition 6

The closure \(\mathrm {cl}({\pi })\) of a pure formula \(\pi \) is the limit of the sequence \(\pi ^0, \pi ^1, \pi ^2, \ldots \) such that \(\pi ^0 = \pi \) and, for each \(i \ge 0\), \(\pi ^{i+1}\) is obtained by joining (with \(*\)) all of the following formulæ to \(\pi ^i\):

• \(x = z\), where x and z are the same variable, or \(x = y\) and \(y = z\) both occur in \(\pi ^i\),

• \(x \ne z\), where \(x = y\) and \(y \ne z\) both occur in \(\pi ^i\), or

• \({y}@{q}\), where \({x}@{q}\) and \(x = y\) both occur in \(\pi ^i\).

Because only finitely many such formulæ can be added, the sequence of pure formulæ from Definition 6 is bound to stabilize after polynomially many steps. A pure formula is satisfiable if and only if its closure does not contain contradictory literals i.e., \(x = y\) and \(x \ne y\), or \({x}@{q}\) and \({x}@{q'}\), for \(q \ne q' \in \mathcal {Q}\). We write \(x \approx _{\pi } y\) (resp. \(x ~{\not \approx }_{\pi } y\)) if and only if \(x = y\) (resp. \(x \ne y\)) occurs in \(\mathrm {cl}({\pi })\) and \(\mathrm {not}(x \approx _{\pi } y)\) (resp. \(\mathrm {not}(x ~{\not \approx }_{\pi } y)\)) whenever \(x \approx _{\pi } y\) (resp. \(x {\not \approx }_{\pi } y\)) does not hold. Note that e.g., \(\mathrm {not}(x \approx _{\pi } y)\) is not the same as \(x ~{\not \approx }_{\pi } y\).

Base tuples constitute the abstract domain used by the algorithms for checking satisfiability (point 1 of Definition 5) and boundedness (point 2 of Definition 5), defined as follows:

Definition 7

A base tuple is a triple \(\mathfrak {t}= (\mathcal {C}^\sharp , \mathcal {I}^\sharp , \pi )\), where:

• \(\mathcal {C}^\sharp \in \text {mpow}{\mathbb {V}}\) is a multiset of variables denoting present components,

• \(\mathcal {I}^\sharp : \mathsf {Inter}\rightarrow \text {mpow}{\mathbb {V}^+}\) maps each interaction type \(\tau \in \mathsf {Inter}\) into a multiset of tuples of variables of length \(|{\tau }|\) each, and

• \(\pi \) is a pure formula.

A base tuple is called satisfiable if and only if \(\pi \) is satisfiable and the following hold:

1. 1.

   for all \(x,y \in \mathcal {C}^\sharp \), \(\mathrm {not}(x \approx _{\pi } y)\),

2. 2.

   for all \(\tau \in \mathsf {Inter}\), \(\langle {x_1, \ldots , x_{|{\tau }|}} \rangle , \langle {y_1, \ldots , y_{|{\tau }|}} \rangle \in \mathcal {I}^\sharp (\tau )\), there exists \(i \in [{1},{|{\tau }|}]\) such that \(\mathrm {not}(x_i \approx _{\pi } y_i)\),

3. 3.

   for all \(\tau \in \mathsf {Inter}\), \(\langle {x_1, \ldots , x_{\#{\tau }}} \rangle \in \mathcal {I}^\sharp (\tau )\) and \(1 \le i < j \le |{\tau }|\), we have \(\mathrm {not}(x_i \approx _{\pi } x_j)\).

We denote by \(\mathsf {SatBase}\) the set of satisfiable base tuples.

Intuitively, a base tuple is an abstract representation of a configuration, where components (resp. interactions) are represented by variables (resp. tuples of variables). Note that a base tuple \((\mathcal {C}^\sharp , \mathcal {I}^\sharp , \pi )\) is unsatisfiable if \(\mathcal {C}^\sharp \) (\(\mathcal {I}^\sharp \)) contains the same variable (tuple of variables) twice (for the same interaction type), hence the use of multisets in the definition of base tuples. It is easy to see that checking the satisfiability of a given base tuple \((\mathcal {C}^\sharp , \mathcal {I}^\sharp , \pi )\) can be done in time \( poly (|\!| {\mathcal {C}^\sharp } |\!|+\sum _{\tau \in \mathsf {Inter}} |\!| {\mathcal {I}^\sharp (\tau )} |\!|+\mathrm {size}({\pi }))\).

We define a partial composition operation on satisfiable base tuples, as follows:

$$ (\mathcal {C}^\sharp _1, \mathcal {I}^\sharp _1, \pi _1) \otimes (\mathcal {C}^\sharp _2, \mathcal {I}^\sharp _2, \pi _2) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}(\mathcal {C}^\sharp _1 \cup \mathcal {C}^\sharp _2, \mathcal {I}^\sharp _1 \cup \mathcal {I}^\sharp _2, \pi _1 * \pi _2) $$

where the union of multisets is lifted to functions \(\mathsf {Inter}\rightarrow \text {mpow}({\mathbb {V}^+})\) in the usual way. The composition operation \(\otimes \) is undefined if \((\mathcal {C}^\sharp _1, \mathcal {I}^\sharp _1, \pi _1) \otimes (\mathcal {C}^\sharp _2, \mathcal {I}^\sharp _2, \pi _2)\) is not satisfiable e.g., if \(\mathcal {C}^\sharp _1 \cap \mathcal {C}^\sharp _2 \ne \emptyset \), \(\mathcal {I}^\sharp _1(\tau ) \cap \mathcal {I}^\sharp _2(\tau ) \ne \emptyset \), for some \(\tau \in \mathsf {Inter}\), or \(\pi _1 * \pi _2\) is not satisfiable.

Given a pure formula \(\pi \) and a set of variables X, the projection \({\pi }\!\!\downarrow _{\scriptscriptstyle {X}}\) removes from \(\pi \) all atoms \(\alpha \), such that \(\mathrm {fv}({\alpha }) \not \subseteq X\). The projection of a base tuple \((\mathcal {C}^\sharp ,\mathcal {I}^\sharp ,\pi )\) on a variable set X is formally defined below:

The substitution operation \((\mathcal {C}^\sharp , \mathcal {I}^\sharp , \pi )[x_1/y_1, \ldots , x_n/y_n]\) replaces simultaneously each \(x_i\) with \(y_i\) in \(\mathcal {C}^\sharp \), \(\mathcal {I}^\sharp \) and \(\pi \), respectively. We lift the composition, projection and substitution operations to sets of satisfiable base tuples, as usual.

Next, we define the base tuple corresponding to a quantifier- and predicate-free formula \(\phi = \psi \,*\, \pi \), where \(\psi \) consists of component and interaction atoms and \(\pi \) is pure. Since, moreover, we are interested in those components and interactions that are visible through a given indexed set of parameters \(X = \{ {x_1, \ldots , x_n} \}\), for a variable y, we denote by \({\{\!\!\{{y}\}\!\!\}}^{\scriptscriptstyle {X}}_{\pi }\) the parameter \(x_i\) with the least index, such that \(y \approx _{\pi } x_i\), or y itself, if no such parameter exists. We define the following sets of formulæ:

$$\begin{array}{rcl} \mathsf {Base}({\phi },{X}) &{} {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}&{} \left\{ \begin{array}{ll} \{ {(\mathcal {C}^\sharp , \mathcal {I}^\sharp , \pi )} \} &{} \text {, if } (\mathcal {C}^\sharp , \mathcal {I}^\sharp , \pi ) \text { is satisfiable} \\ \emptyset &{} \text {, otherwise} \end{array}\right. \\ \text {where } \mathcal {C}^\sharp &{} {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}&{} \{ {{\{\!\!\{{x}\}\!\!\}}^{\scriptscriptstyle {X}}_{\pi } \mid [{x}] \text { occurs in } \psi } \} \\ \mathcal {I}^\sharp &{} {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}&{} \lambda \langle {p_1, \ldots , p_s} \rangle . \left\{ {\left\langle {{\{\!\!\{{y_1}\}\!\!\}}^{\scriptscriptstyle {X}}_{\pi }, \ldots , {\{\!\!\{{y_s}\}\!\!\}}^{\scriptscriptstyle {X}}_{\pi }} \right\rangle \mid \langle {{y_1}. p_1 , \ldots , {y_s}. p_s } \rangle \text { occurs in } \psi } \right\} \end{array}$$

We consider a tuple of variables \(\overrightarrow{\mathcal {X}}\), having a variable \(\mathcal {X}({\mathsf {A}})\) ranging over \(\text {pow}({\mathsf {SatBase}})\), for each predicate \(\mathsf {A}\) that occurs in \(\Delta \). With these definitions, each rule of \(\Delta \):

$$\begin{aligned} \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \exists y_1 \ldots \exists y_m ~.~ \phi * \mathsf {B}_1(z^1_1, \ldots , z^1_{\#{\mathsf {B}_1}}) * \ldots * \mathsf {B}_h(z^h_1, \ldots , z^h_{\#{\mathsf {B}_h}}) \end{aligned}$$

where \(\phi \) is a quantifier- and predicate-free formula, induces the constraint:

$$\begin{aligned} \mathcal {X}({\mathsf {A}}) \supseteq {\big (\mathsf {Base}({\phi },{\{ {x_1, \ldots , x_{\#{\mathsf {A}}}} \}}) \otimes \bigotimes _{\ell =1}^h \mathcal {X}({\mathsf {B}_\ell })[x_1/z^\ell _1, \ldots , x_{\#{\mathsf {B}_\ell }}/z^\ell _{\#{\mathsf {B}_\ell }}]\big )}\!\!\downarrow _{\scriptscriptstyle {x_1, \ldots , x_{\#{\mathsf {A}}}}} \end{aligned}$$

(1)

Let \(\Delta ^\sharp \) be the set of such constraints, corresponding to the rules in \(\Delta \) and let \(\mu \overrightarrow{\mathcal {X}}.\Delta ^\sharp \) be the tuple of least solutions of the constraint system generated from \(\Delta \), indexed by the tuple of predicates that occur in \(\Delta \), such that \(\mu \overrightarrow{\mathcal {X}}.\Delta ^\sharp ({\mathsf {A}})\) denotes the entry of \(\mu \overrightarrow{\mathcal {X}}.\Delta ^\sharp \) correponding to \(\mathsf {A}\). Since the composition and projection are monotonic operations, such a least solution exists and is unique. Since \(\mathsf {SatBase}\) is finite, the least solution can be attained in a finite number of steps, using a Kleene iteration (see Fig. 2).

Fig. 2.

Algorithm for the Computation of the Least Solution

We state below the main result leading to an elementary recursive algorithm for the satisfiability problem (Theorem 1). The intuition is that, if \(\mu \overrightarrow{\mathcal {X}}.\Delta ^\sharp ({\mathsf {A}})\) is not empty, then it contains only satisfiable base tuples, from which a model of \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) can be built.

Lemma 1

\(\mathsf {Sat}[{\Delta },{\mathsf {A}}]\) has a positive answer if and only if \(\mu \overrightarrow{\mathcal {X}}.\Delta ^\sharp ({\mathsf {A}}) \ne \emptyset \).

If the maximal arity of the predicates occurring in \(\Delta \) is bound by a constant k, no satisfiable base tuple \((\mathcal {C}^\sharp , \mathcal {I}^\sharp , \pi )\) can have a tuple \(\langle {y_1, \ldots , y_{|{\tau }|}} \rangle \in \mathcal {I}^\sharp (\tau )\), for some \(\tau \in \mathsf {Inter}\), such that \(|{\tau }| > k\), since all variables \(y_1, \ldots , y_{|{\tau }|}\) are parameters denoting distinct components (point 3 of Definition 7). Hence, the upper bound on the size of a satisfiable base tuple is constant, in both the \(k<\infty , \ell <\infty \) and \(k<\infty , \ell =\infty \) cases, which are, moreover indistinguishable complexity-wise (i.e., both are \(\mathsf {NP}\)-complete). In contrast, in the cases \(k=\infty , \ell <\infty \) and \(k=\infty , \ell =\infty \), the upper bound on the size of satisfiable base tuples is polynomial and simply exponential in \(\mathrm {size}({\Delta })\), incurring a complexity gap of one and two exponentials, respectively. The theorem below states the main result of this section:

Theorem 1

\(\mathsf {Sat}^{({k},{\infty })}[{\Delta },{\mathsf {A}}]\) is \(\mathsf {NP}\)-complete for \(k\ge 4\), \(\mathsf {Sat}^{({\infty },{\ell })}[{\Delta },{\mathsf {A}}]\) is \(\mathsf {EXP}\)-complete and \(\mathsf {Sat}[{\Delta },{\mathsf {A}}]\) is in \(2\mathsf {EXP}\).

The upper bounds are consequences of the fact that the size of a satisfiable base tuple is bounded by a simple exponential in the \(\min (\mathrm {arity}({\Delta }),\mathrm {intersize}({\Delta }))\), hence the number of such tuples is doubly exponential in \(\min (\mathrm {arity}({\Delta }),\mathrm {intersize}({\Delta }))\). The lower bounds are by a polynomial reduction from the satisfiability problem for SL [9].

Example 2

The doubly-exponential upper bound for the algorithm computing the least solution of a system of constraints of the form (1) is necessary, in general, as illustrated by the following worst-case example. Let n be a fixed parameter and consider the n-arity predicates \(A_1,\ldots ,A_n\) defined by the following SID:

where, for a list of variables \(x_i,\ldots ,x_n\) and an integer \(j\ge 0\), we write \([x_i,\ldots ,x_n]^j\) for the list rotated to the left j times (e.g., \([x_1,x_2,x_3,x_4,x_5]^2=x_3,x_4,x_5,x_1,x_2\)). In this example, when starting with \(A_1(x_1,\ldots ,x_n)\) one eventually obtains predicate atoms \(A_n(x_{i_1},\ldots ,x_{i_n})\), for any permutation \(x_{i_1},\ldots ,x_{i_n}\) of \(x_1,\ldots ,x_n\). Since \(A_n\) may choose to create or not an interaction with that permutation of variables, the total number of base tuples generated for \(A_1\) is \(2^{n!}\). That is, the fixpoint iteration generates \(2^{2^{\mathcal {O}(n \log n)}}\) base tuples, whereas the size of the input of \(\mathsf {Sat}[{\Delta },{\mathsf {A}}]\) is \( poly (n)\). \(\blacksquare \)

4 Degree Boundedness

The boundedness problem (Definition 5, point 2) asks for the existence of a bound on the degree (Definition 3) of the models of a sentence \(\exists x_1 \ldots \exists x_{\#{\mathsf {A}}} ~.~\mathsf {A}(x_1,\ldots ,x_{\#{\mathsf {A}}})\). Intuitively, the \(\mathsf {Bnd}[{\Delta },{\mathsf {A}}]\) problem has a negative answer if and only if there are increasingly large unfoldings (i.e., expansions of a formula by replacement of a predicate atom with one of its definitions) of \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) repeating a rule that contains an interaction atom involving a parameter of the rule, which is always bound to the same component. We formalize the notion of unfolding below:

Definition 8

Given a predicate \(\mathsf {A}\) and a sequence \((\mathsf {r}_1, i_1), \ldots , (\mathsf {r}_n, i_n) \in \left( \Delta \times \mathbb {N}\right) ^+\), where \(\mathsf {r}_1 : \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \in \Delta \), the unfolding is inductively defined as (1) \(\psi = \phi \) if \(n=1\), and (2) \(\psi \) is obtained from \(\phi \) by replacing its \(i_1\)-th predicate atom \(\mathsf {B}(y_1, \ldots , y_{\#{\mathsf {B}}})\) with \(\psi _1[x_1/y_1, \ldots , x_{\#{\mathsf {B}}}/y_{\#{\mathsf {B}}}]\), where is an unfolding, if \(n>1\).

We show that the \(\mathsf {Bnd}[{\Delta },{\mathsf {A}}]\) problem can be reduced to the existence of increasingly large unfoldings or, equivalently, a cycle in a finite directed graph, built by a variant of the least fixpoint iteration algorithm used to solve the satisfiability problem (Fig. 3).

Definition 9

Given satisfiable base pairs \(\mathfrak {t},\mathfrak {u}\in \mathsf {SatBase}\) and a rule from \(\Delta \):

$$\mathsf {r}~:~ \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \exists y_1 \ldots \exists y_m ~.~ \phi * \mathsf {B}_1(z^1_1, \ldots , z^1_{\#{\mathsf {B}_1}}) * \ldots * \mathsf {B}_h(z^h_1, \ldots , z^h_{\#{\mathsf {B}_h}})$$

where \(\phi \) is a quantifier- and predicate-free formula, we write if and only if \(\mathsf {B}= \mathsf {B}_i\) and there exist satisfiable base tuples \(\mathfrak {t}_1, \ldots , \mathfrak {u}= \mathfrak {t}_i, \ldots , \mathfrak {t}_h \in \mathsf {SatBase}\), such that \(\mathfrak {t}\in {\big (\mathsf {Base}({\phi },{\{ {x_1, \ldots , x_{\#{\mathsf {A}}}} \}}) \otimes \bigotimes _{\ell =1}^h \mathfrak {t}_\ell [x_1/z^\ell _1, \ldots , x_{\#{\mathsf {B}_\ell }}/z^\ell _{\#{\mathsf {B}_\ell }}]\big )}\!\!\downarrow _{\scriptscriptstyle {x_1, \ldots , x_{\#{\mathsf {A}}}}}\). We define the directed graph with edges labeled by pairs \((\mathsf {r},i) \in \Delta \times \mathbb {N}\):

Fig. 3.

Algorithm for the Construction of \(\mathcal {G}({\Delta })\)

The graph \(\mathcal {G}({\Delta })\) is built by the algorithm in Fig. 3, a slight variation of the classical Kleene iteration algorithm for the computation of the least solution of the constraints of the form (1). A path in \(\mathcal {G}({\Delta })\) induces a unique unfolding (Definition 8). Since the vertices of \(\mathcal {G}({\Delta })\) are pairs \((\mathsf {A},\mathfrak {t})\), where \(\mathfrak {t}\) is a satisfiable base tuple and the edges of \(\mathcal {G}({\Delta })\) reflect the construction of the base tuples from the least solution of the constraints (1), the outcome \(\phi \) of this unfolding is always a satisfiable formula.

An elementary cycle of \(\mathcal {G}({\Delta })\) is a path from some vertex \((\mathsf {B},\mathfrak {u})\) back to itself, such that \((\mathsf {B},\mathfrak {u})\) does not occur on the path, except at its endpoints. The cycle is, moreover, reachable from \((\mathsf {A},\mathfrak {t})\) if and only if there exists a path in \(\mathcal {G}({\Delta })\). We reduce the complement of the \(\mathsf {Bnd}[{\Delta },{\mathsf {A}}]\) problem, namely the existence of an infinite set of models of \(\exists x_1 \ldots \exists x_{\#{\mathsf {A}}} ~.~ \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) of unbounded degree, to the existence of a reachable elementary cycle in \(\mathcal {G}({\Delta '})\), where \(\Delta '\) is obtained from \(\Delta \), as described in the following.

First, we consider, for each predicate \(\mathsf {B}\in \mathrm {def}({\Delta })\), a predicate \(\mathsf {B}'\), of arity \(\#{\mathsf {B}}+1\), not in \(\mathrm {def}({\Delta })\) i.e., the set of predicates for which there exists a rule in \(\Delta \). Second, for each rule , where \(\phi \) is a quantifier- and predicate-free formula and \(\mathrm {iv}({\phi }) \subseteq \mathrm {fv}({\phi })\) denotes the subset of variables occurring in interaction atoms in \(\phi \), the SID \(\Delta '\) has the following rules:

(2)

(3)

There exists a family of models (with respect to \(\Delta \)) of \(\exists x_1 \ldots \exists x_{\#{\mathsf {A}}} ~.~ \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) of unbounded degree if and only if these are models of \(\exists x_1 \ldots \exists x_{\#{\mathsf {A}}+1} ~.~ \mathsf {A}'(x_1, \ldots , x_{\#{\mathsf {A}}+1})\) (with respect to \(\Delta '\)) and the last parameter of each predicate \(\mathsf {B}' \in \mathrm {def}({\Delta '})\) can be mapped, in each of the these models, to a component that occurs in unboundedly many interactions. The latter condition is equivalent to the existence of an elementary cycle, containing a rule of the form (3), that it, moreover, reachable from some vertex \((\mathsf {A}',\mathfrak {t})\) of \(\mathcal {G}({\Delta '})\), for some \(\mathfrak {t}\in \mathsf {SatBase}\). This reduction is formalized below:

Lemma 2

There exists an infinite sequence of configurations \(\gamma _1, \gamma _2, \ldots \) such that \(\gamma _i \models _\Delta \exists x_1 \ldots \exists x_{\#{\mathsf {A}}} ~.~ \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) and \(\delta _{}({\gamma _i}) < \delta _{}({\gamma _{i+1}})\), for all \(i\ge 1\) if and only if \(\mathcal {G}({\Delta '})\) has an elementary cycle containing a rule (3), reachable from a node \((\mathsf {A}',\mathfrak {t})\), for \(\mathfrak {t}\in \mathsf {SatBase}\).

The complexity result below uses a similar argument on the maximal size of (hence the number of) base tuples as in Theorem 1, leading to similar complexity gaps:

Theorem 2

\(\mathsf {Bnd}^{({k},{\infty })}[{\Delta },{\mathsf {A}}]\) is in \(\mathsf {co}\)-\(\mathsf {NP}\), \(\mathsf {Bnd}^{({\infty },{\ell })}[{\Delta },{\mathsf {A}}]\) is in \(\mathsf {EXP}\), \(\mathsf {Bnd}[{\Delta },{\mathsf {A}}]\) is in \(2\mathsf {EXP}\).

Moreover, the construction of \(\mathcal {G}({\Delta '})\) allows to prove the following cut-off result:

Proposition 1

Let \(\gamma \) be a configuration and \(\nu \) be a store, such that \(\gamma \models _\Delta ^\nu \mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\). If \(\mathsf {Bnd}^{({k},{\ell })}[{\Delta },{\mathsf {A}}]\) then (1) \(\delta _{}({\gamma })= poly (\mathrm {size}({\Delta }))\) if \(k<\infty \), \(\ell =\infty \), (2) \(\delta _{}({\gamma })=2^{ poly (\mathrm {size}({\Delta }))}\) if \(k=\infty \), \(\ell < \infty \) and (3) \(\delta _{}({\gamma })=2^{2^{ poly (\mathrm {size}({\Delta }))}}\) if \(k=\infty \), \(\ell =\infty \).

5 Entailment

This section is concerned with the entailment problem \(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\), that asks whether \(\gamma \models ^\nu _\Delta \exists x_{\#{\mathsf {A}}+1} \ldots \exists x_{\#{\mathsf {B}}} ~.~ \mathsf {B}(x_1,\ldots ,x_{\#{\mathsf {B}}})\), for every configuration \(\gamma \) and store \(\nu \), such that \(\gamma \models ^\nu _\Delta \mathsf {A}(x_1,\ldots ,x_{\#{\mathsf {A}}})\). For instance, the proof from Fig. 1(c) relies on the following entailments, that occur as the side conditions of the Hoare logic rule of consequence:

$$\begin{array}{l} \mathsf {ring}_{{h},{t}}(y) \models _\Delta \exists x \exists z . {[{y}]}@{\mathsf {H}} * \langle {{y}.{ out },\,{z}.{ in }} \rangle * \mathsf {chain}_{{h-1},{t}}(z,x) * \langle {{x}.{ out },\,{y}.{ in }} \rangle \\ {[{z}]}@{\mathsf {H}} * \langle {{z}.{ out },\,{x}.{ in }} \rangle * \mathsf {chain}_{{h-1},{t}}(x,y) * \langle {{y}.{ out },\,{z}.{ in }} \rangle \models _\Delta \mathsf {ring}_{{h},{t}}(z) \end{array}$$

By introducing two fresh predicates \(\mathsf {A}_1\) and \(\mathsf {A}_2\), defined by the rules:

$$\begin{aligned} \mathsf {A}_1(x_1)&\leftarrow \exists y \exists z . {[{x_1}]}@{\mathsf {H}} \!*\! \langle {{x_1}.{ out },\,{z}.{ in }} \rangle * \mathsf {chain}_{{h-1},{t}}(z,y) \!*\! \langle {{y}.{ out },\,{x_1}.{ in }} \rangle \end{aligned}$$

(4)

$$\begin{aligned} \mathsf {A}_2(x_1,x_2)&\leftarrow \exists z . {[{x_1}]}@{\mathsf {H}} * \langle {{x_1}.{ out },\,{z}.{ in }} \rangle * \mathsf {chain}_{{h-1},{t}}(z,x_2) * \langle {{x_2}.{ out },\,{x_1}.{ in }} \rangle \end{aligned}$$

(5)

the above entailments are equivalent to \(\mathsf {Entl}[{\Delta },{\mathsf {ring}_{{h},{t}}},{\mathsf {A}_1}]\) and \(\mathsf {Entl}[{\Delta },{\mathsf {A}_2},{\mathsf {ring}_{{h},{t}}}]\), respectively, where \(\Delta \) consists of the rules (4) and (5), together with the rules that define the \(\mathsf {ring}_{{h},{t}}\) and \(\mathsf {chain}_{{h},{t}}\) predicates (Sect. 1.1).

We show that the entailment problem is undecidable, in general (Thm. 3), and recover a decidable fragment, by means of three syntactic conditions, typically met in our examples. These conditions use the following notion of profile:

Definition 10

The profile of a SID \(\Delta \) is the pointwise greatest function \(\lambda _{\scriptscriptstyle \Delta } : \mathbb {A}\rightarrow \text {pow}({\mathbb {N}})\), mapping each predicate \(\mathsf {A}\) into a subset of \([{1},{\#{\mathsf {A}}}]\), such that, for each rule \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}}) \leftarrow \phi \) from \(\Delta \), each atom \(\mathsf {B}(y_1, \ldots , y_{\#{\mathsf {B}}})\) from \(\phi \) and each \(i \in \lambda _{\scriptscriptstyle \Delta }(\mathsf {B})\), there exists \(j \in \lambda _{\scriptscriptstyle \Delta }(\mathsf {A})\), such that \(x_j\) and \(y_i\) are the same variable.

The profile identifies the parameters of a predicate that are always replaced by a variable \(x_1, \ldots , x_{\#{\mathsf {A}}}\) in each unfolding of \(\mathsf {A}(x_1,\ldots ,x_{\#{\mathsf {A}}})\), according to the rules in \(\Delta \); it is computed by a greatest fixpoint iteration, in time \( poly (\mathrm {size}({\Delta }))\).

Definition 11

A rule , where \(\phi \) is a quantifier- and predicate-free formula, is said to be:

1. 1.

   progressing if and only if \(\phi = [{x_1}] * \psi \), where \(\psi \) consists of interaction atoms involving \(x_1\) and (dis-)equalities, such that \(\bigcup _{\ell =1}^h \{ {z^\ell _1, \ldots , z^\ell _{\#{\mathsf {B}_\ell }}} \} = \{ {x_2, \ldots , x_{\#{\mathsf {A}}}} \} \cup \{ {y_1, \ldots , y_m} \}\),

2. 2.

   connected if and only if, for each \(\ell \in [{1},{h}]\) there exists an interaction atom in \(\psi \) that contains both \(z^\ell _1\) and a variable from \(\{ {x_1} \} \cup \{ {x_i \mid i \in \lambda _{\scriptscriptstyle \Delta }(\mathsf {A})} \}\),

3. 3.

   equationally-restricted (e-restricted) if and only if, for every disequation \(x \ne y\) from \(\phi \), we have \(\{ {x,y} \} \cap \{ {x_i \mid i \in \lambda _{\scriptscriptstyle \Delta }(\mathsf {A})} \} \ne \emptyset \).

A SID \(\Delta \) is progressing, connected and e-restricted if and only if each rule in \(\Delta \) is progressing, connected and e-restricted, respectively.

For example, the SID consisting of the rules from Sect. 1.1, together with rules (4) and (5) is progressing, connected and e-restricted.

We recall that \(\mathrm {def}_{\Delta }({\mathsf {A}})\) is the set of rules from \(\Delta \) that define \(\mathsf {A}\) and denote by \(\mathrm {def}^*_{\Delta }({\mathsf {A}})\) the least superset of \(\mathrm {def}_{\Delta }({\mathsf {A}})\) containing the rules that define a predicate from a rule in \(\mathrm {def}^*_{\Delta }({\mathsf {A}})\). The following result shows that the entailment problem becomes undecidable as soon as the connectivity condition is even slightly lifted:

Theorem 3

\(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) is undecidable, even when \(\Delta \) is progressing and e-restricted, and only the rules in \(\mathrm {def}^*_{\Delta }({\mathsf {A}})\) are connected (the rules in \(\mathrm {def}^*_{\Delta }({\mathsf {B}})\) may be disconnected).

On the positive side, we prove that \(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) is decidable, if \(\Delta \) is progressing, connected and e-restricted, assuming further that \(\mathsf {Bnd}[{\Delta },{\mathsf {A}}]\) has a positive answer. In this case, the bound on the degree of the models of \(\mathsf {A}(x_1, \ldots , x_{\#{\mathsf {A}}})\) is effectively computable, using the algorithm from Fig. 3 (see Proposition 1 for a cut-off result) and denote by \(\mathfrak {B}\) this bound, throughout this section.

The proof uses a reduction of \(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) to a similar problem for SL, showed to be decidable [18]. We recall the definition of SL, interpreted over heaps \(\mathsf {h}: \mathbb {C}\rightharpoonup _{\scriptscriptstyle fin }\mathbb {C}^\mathfrak {K}\), introduced in Sect. 2.3. SL rules are denoted as \(\overline{\mathsf {A}}^{}_{}(x_1, \ldots , x_{\#(\overline{\mathsf {A}}^{}_{})}) \leftarrow \phi \), where \(\phi \) is a SL formula, such that \(\mathrm {fv}({\phi }) \subseteq \{ {x_1, \ldots , x_{\#(\overline{\mathsf {A}}^{}_{})}} \}\) and SL SIDs are denoted as \({\overline{\Delta }}\). The profile \(\lambda _{\scriptscriptstyle {\overline{\Delta }}}\) is defined for SL same as for CL (Definition 10).

Definition 12

A SL rule \(\overline{\mathsf {A}}^{}_{}(x_1, \ldots , x_{\#(\overline{\mathsf {A}}^{}_{})}) \leftarrow \phi \) from a SID \({\overline{\Delta }}\) is said to be:

1. 1.

   progressing if and only if \(\phi = \exists t_1 \ldots \exists t_m ~.~ x_1 \mapsto (y_1, \ldots , y_\mathfrak {K}) * \psi \), where \(\psi \) contains only predicate and equality atoms,

2. 2.

   connected if and only if \(z_1 \in \{ {x_i \mid i \in \lambda _{\scriptscriptstyle {\overline{\Delta }}}(\overline{\mathsf {A}}^{}_{})} \} \cup \{ {y_1, \ldots , y_\mathfrak {K}} \}\), for every predicate atom \(\overline{\mathsf {B}}^{}_{}(z_1,\ldots ,z_{\#(\overline{\mathsf {B}}^{}_{})})\) from \(\phi \).

Note that the definitions of progressing and connected rules are different for SL, compared to CL (Definition 11); in the rest of this section, we rely on the context to distinguish progressing (connected) SL rules from progressing (connected) CL rules. Moreover, e-restricted rules are defined in the same way for CL and SL (point 3 of Definition 11). A tight upper bound on the complexity of the entailment problem between SL formulæ, interpreted by progressing, connected and e-restricted SIDs, is given below:

Theorem 4

([18]). The SL entailment problem is in \(2^{2^{ poly (\mathrm {width}({{\overline{\Delta }}}) \cdot \log \mathrm {size}({{\overline{\Delta }}}))}}\), for progressing, connected and e-restricted SIDs.

The reduction of \(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) to SL entailments is based on the idea of viewing a configuration as a logical structure (hypergraph), represented by a undirected Gaifman graph, in which every tuple from a relation (hyperedge) becomes a clique [24]. In a similar vein, we encode a configuration, of degree at most \(\mathfrak {B}\), by a heap of degree \(\mathfrak {K}\) (Definition 13), such that \(\mathfrak {K}\) is defined using the following integer function:

$$\mathrm {pos}({i},{j},{k}) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}1 + \mathfrak {B}\cdot \sum _{\ell =1}^{j-1} |{\tau _\ell }| + i \cdot |{\tau _j}| + k$$

where \(\mathsf {Inter}{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\{ {\tau _1, \ldots , \tau _M} \}\) is the set of interaction types and \(\mathcal {Q}{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\{ {q_1, \ldots , q_N} \}\) is the set of states of the behavior \(\mathbb {B}=(\mathcal {P},\mathcal {Q},\xrightarrow {{\scriptstyle }}_{{\scriptstyle }})\) (Sect. 2). Here \(i \in [{0},{\mathfrak {B}-1}]\) denotes an interaction of type \(j \in [{1},{M}]\) and \(k \in [{0},{N-1}]\) denotes a state. We use M and N throughout the rest of this section, to denote the number of interaction types and states, respectively.

For a set \(\mathcal {I}\) of interactions, let \(\mathsf {Tuples}_{\mathcal {I}}^{j}({c}) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\{\langle {c_1, \ldots , c_n} \rangle \mid (c_1,p_1, \ldots , c_n,p_n) \in \mathcal {I},~ \tau _j = \langle {p_1, \ldots , p_n} \rangle ,~ c \in \{ {c_1,\ldots ,c_n} \}\}\) be the tuples of components from an interaction of type \(\tau _j\) from \(\mathcal {I}\), that contain a given component c.

Definition 13

Given a configuration \(\gamma = (\mathcal {C},\mathcal {I},\varrho )\), such that \(\delta _{}({\gamma }) \le \mathfrak {B}\), a Gaifman heap for \(\gamma \) is a heap \(\mathsf {h}: \mathbb {C}\rightharpoonup _{\scriptscriptstyle fin }\mathbb {C}^\mathfrak {K}\), where \(\mathfrak {K}{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\mathrm {pos}({0},{M+1},{N})\), \(\mathrm {dom}({\mathsf {h}}) = \mathrm {nodes}({\gamma })\) and, for all \(c_0 \in \mathrm {dom}({\mathsf {h}})\), such that \(\mathsf {h}(c_0) = \langle {c_1,\ldots ,c_\mathfrak {K}} \rangle \), the following hold:

1. 1.

   \(c_1 = c_0\) if and only if \(c_0 \in \mathcal {C}\),

2. 2.

   for all \(j \in [{1},{M}]\), \(\mathsf {Tuples}_{\mathcal {I}}^{j}({c}) = \{ {\mathbf{c}_1, \ldots , \mathbf{c}_s} \}\) if and only if there exist integers \(0 \le k_1< \ldots< k_s < \mathfrak {B}\), such that \(\langle {\mathsf {h}(c_0)} \rangle _{{\mathrm {inter}}({k_i},{j})} = \mathbf{c}_i\), for all \(i \in [{1},{s}]\), where \({\mathrm {inter}}({i},{j}) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}[{\mathrm {pos}({i-1},{j},{0})},{\mathrm {pos}({i},{j},{0})}]\) are the entries of the i-th interaction of type \(\tau _j\) in \(\mathsf {h}(c_0)\),

3. 3.

   for all \(k \in [{1},{N}]\), we have \(\langle {\mathsf {h}(c_0)} \rangle _{{\mathrm {state}}({k})} = c_0\) if and only if \(\varrho (c_0) = q_k\), where the entry \({\mathrm {state}}({k}) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\mathrm {pos}({0},{M+1},{k-1})\) in \(\mathsf {h}(c_0)\) corresponds to the state \(q_k \in \mathcal {Q}\).

We denote by \(\mathbb {G}({\gamma })\) the set of Gaifman heaps for \(\gamma \).

Intuitively, if \(\mathsf {h}\) is a Gaifman heap for \(\gamma \) and \(c_0 \in \mathrm {dom}({\mathsf {h}})\), then the first entry of \(\mathsf {h}(c_0)\) indicates whether \(c_0\) is present (condition 1 of Definition 13), the next \(\mathfrak {B}\cdot \sum _{j=1}^M |{\tau _j}|\) entries are used to encode the interactions of each type \(\tau _j\) (condition 2 of Definition 13), whereas the last N entries are used to represent the state of the component (condition 3 of Definition 13). Note that the encoding of configurations by Gaifman heaps is not unique: two Gaifman heaps for the same configuration may differ in the order of the tuples from the encoding of an interaction type and the choice of the unconstrained entries from \(\mathsf {h}(c_0)\), for each \(c_0 \in \mathrm {dom}({\mathsf {h}})\). On the other hand, if two configurations have the same Gaifman heap encoding, they must be the same configuration.

Fig. 4.

Gaifman Heap for a Chain Configuration

Example 3

Figure 4(b) shows a Gaifman heap for the configuration in Fig. 4(a), where each component belongs to at most 2 interactions of type \(\langle { out , in } \rangle \). \(\blacksquare \)

We build a SL SID \({\overline{\Delta }}\) that generates the Gaifman heaps of the models of the predicate atoms occurring in a progressing CL SID \(\Delta \). The construction associates to each variable x, that occurs free or bound in a rule from \(\Delta \), a unique \(\mathfrak {K}\)-tuple of variables \(\eta ({x}) \in \mathbb {V}^\mathfrak {K}\), that represents the image of the store value \(\nu (x)\) in a Gaifman heap \(\mathsf {h}\) i.e., \(\mathsf {h}(\nu (x)) = \nu (\eta ({x}))\). Moreover, we consider, for each predicate symbol \(\mathsf {A}\in \mathrm {def}({\Delta })\), an annotated predicate symbol \(\overline{\mathsf {A}}^{}_{\iota ^{}}\) of arity \(\#{\overline{\mathsf {A}}^{}_{\iota ^{}}} = (\mathfrak {K}+1)\cdot \#{\mathsf {A}}\), where \(\iota : [{1},{\#{\mathsf {A}}}] \times [{1},{M}] \rightarrow 2^{[{0},{\mathfrak {B}-1}]}\) is a map associating each parameter \(i \in [{1},{\#{\mathsf {A}}}]\) and each interaction type \(\tau _j\), for \(j \in [{1},{M}]\), a set of integers \(\iota (i,j)\) denoting the positions of the encodings of the interactions of type \(\tau _j\), involving the value of \(x_i\), in the models of \(\overline{\mathsf {A}}^{}_{\iota ^{}}(x_1, \ldots , x_{\#{\mathsf {A}}}, \eta ({x_1}), \ldots , \eta ({x_{\#{\mathsf {A}}}}))\) (point 2 of Definition 13). Then \({\overline{\Delta }}\) contains rules of the form:

(6)

for which \(\Delta \) has a stem rule , where \(\psi *\pi \) is a quantifier- and predicate-free formula and \(\pi \) is the conjunction of equalities and disequalities from \(\psi *\pi \). However, not all rules (6) are considered in \({\overline{\Delta }}\), but only the ones meeting the following condition:

Definition 14

A rule of the form (6) is well-formed if and only if, for each \(i \in [{1},{\#{\mathsf {A}}}]\) and each \(j \in [{1},{M}]\), there exists a set of integers \(Y_{i,j} \subseteq [{0},{\mathfrak {B}-1}]\), such that:

• \(|\!| {Y_{i,j}} |\!| = |\!| {\mathcal {I}_{\psi ,\pi }^{j}({x_i})} |\!|\), where \(\mathcal {I}_{\psi ,\pi }^{j}({x})\) is the set of interaction atoms \(\langle {{z_1}. p_1 , \ldots , {z_n}. p_n } \rangle \) from \(\psi \) of type \(\tau _j = \langle {p_1, \ldots , p_n} \rangle \), such that \(z_s \approx _{\pi } x\), for some \(s \in [{1},{n}]\),

• \(Y_{i,j} \subseteq \iota (i,j)\) and \(\iota (i,j) {\setminus } Y_{i,j} = \mathcal {Z}_{j}({x_i})\), where \(\mathcal {Z}_{j}({x}) {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\bigcup _{\ell =1}^h \bigcup _{k=1}^{\#{\mathsf {B}^\ell }} \{ {\iota ^\ell (k,j) \mid x \approx _{\pi } z^\ell _k} \}\) is the set of positions used to encode the interactions of type \(\tau _j\) involving the store value of the parameter x, in the sub-configuration corresponding to an atom \(\mathsf {B}_\ell (z^\ell _1, \ldots , z^\ell _{\#(\mathsf {B}^\ell )})\), for some \(\ell \in [{1},{h}]\).

We denote by \({\overline{\Delta }}\) the set of well-formed rules (6), such that, moreover:

Here for two tuples of variables \(\mathbf{x} = \langle {x_1, \ldots , x_k} \rangle \) and \(\mathbf{y} = \langle {y_1, \ldots , y_k} \rangle \), we denote by \(\mathbf{x}=\mathbf{y}\) the formula . Intuitively, the SL formula \(\mathsf {CompStates}_{\psi }({x})\) realizes the encoding of the component and state atoms from \(\psi \), in the sense of points (1) and (3) from Definition 13, whereas the formula \(\mathsf {InterAtoms}_{\psi }({x_i})\) realizes the encodings of the interactions involving a parameter \(x_i\) in the stem rule (point 2 of Definition 13). In particular, the definition of \(\mathsf {InterAtoms}_{\psi }({x_i})\) uses the fact that the rule is well-formed.

We state below the main result of this section on the complexity of the entailment problem. The upper bounds follow from a many-one reduction of \(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) to the SL entailment \(\overline{\mathsf {A}}^{}_{\iota }(x_1,\ldots ,x_{\#{\mathsf {A}}}, \eta ({x_1}), \ldots ,\eta ({x_{\#{\mathsf {A}}}})) \Vdash _{\scriptscriptstyle {\overline{\Delta }}}\exists x_{\#{\mathsf {B}}+1} \ldots \exists x_{\#{\mathsf {B}}}\) \( \exists \eta ({x_{\#{\mathsf {B}}+1}}) \ldots \exists \eta ({x_{\#{\mathsf {B}}}}) ~.~ \overline{\mathsf {B}}^{}_{\iota '}(x_1,\ldots ,x_{\#{\mathsf {B}}}, \eta ({x_1}),\ldots ,\eta ({x_{\#{\mathsf {B}}}}))\), in combination with the upper bound provided by Theorem 4, for SL entailments. If \(k < \infty \), the complexity is tight for CL, whereas gaps occur for \(k=\infty , \ell <\infty \) and \(k=\infty , \ell =\infty \), due to the cut-off on the degree bound (Proposition 1), which impacts the size of \({\overline{\Delta }}\) and time needed to generate it from \(\Delta \).

Theorem 5

If \(\Delta \) is progressing, connected and e-restricted and, moreover, \(\mathsf {Bnd}[{\Delta },{\mathsf {A}}]\) has a positive answer, \(\mathsf {Entl}^{{k},{\ell }}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) is in \(2\mathsf {EXP}\), \(\mathsf {Entl}^{{\infty },{\ell }}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) is in \(3\mathsf {EXP}\) \(\cap \) \(2\mathsf {EXP}\)-hard, and \(\mathsf {Entl}[{\Delta },{\mathsf {A}},{\mathsf {B}}]\) is in \(4\mathsf {EXP}\) \(\cap \) \(2\mathsf {EXP}\)-hard.

6 Conclusions and Future Work

We study the satisfiability and entailment problems in a logic used to write proofs of correctness for dynamically reconfigurable distributed systems. The logic views the components and interactions from the network as resources and reasons also about the local states of the components. We reuse existing techniques for Separation Logic [39], showing that our configuration logic is more expressive than SL, fact which is confirmed by a number of complexity gaps. Closing up these gaps and finding tight complexity classes in the more general cases is considered for future work. In particular, we aim at lifting the boundedness assumption on the degree of the configurations that must be considered to check the validity of entailments.