The Bernays-Schönfinkel-Ramsey Class of Separation Logic on Arbitrary Domains

Abstract. This paper investigates the satisfiability problem for Separation Logic with k record fields, with unrestricted nesting of separating conjunctions and implications, for prenex formulae with quantifier prefix ∃*∀*. In analogy with first-order logic, we call this fragment Bernays-Schönfinkel-Ramsey Separation Logic [BSR(SL_k)]. In contrast to existing work in Separation Logic, in which the universe of possible locations is assumed to be infinite, both finite and infinite universes are considered. We show that, unlike in first-order logic, the (in)finite satisfiability problem is undecidable for BSR(SL_k). Then we define two non-trivial subsets thereof, that are decidable for finite and infinite satisfiability respectively, by controlling the occurrences of universally quantified variables within the scope of separating implications, as well as the polarity of the occurrences of the latter. Beside the theoretical interest, our work has natural applications in program verification, for checking that constraints on the shape of a data-structure are preserved by a sequence of transformations.


Introduction
Separation Logic [10,14], or SL, is a logical framework used in program verification to describe properties of the dynamically allocated memory, such as topologies of data structures (lists, trees), (un)reachability between pointers, etc. In a nutshell, given an integer k ≥ 1, the logic SL_k is obtained from the first-order theory of a finite partial function h : U ⇀ U^k called a heap, by adding two substructural connectives: (i) the separating conjunction φ_1 * φ_2, that asserts a split of the heap into disjoint heaps satisfying φ_1 and φ_2 respectively, and (ii) the separating implication or magic wand φ_1 −* φ_2, stating that each extension of the heap by a heap satisfying φ_1 must satisfy φ_2. Intuitively, U is the universe of possible memory locations (cells) and k is the number of record fields in each memory cell.
The separating connectives * and −* allow concise definitions of program semantics, via weakest precondition calculi [10] and easy-to-write specifications of recursive linked data structures (e.g. singly- and doubly-linked lists, trees with linked leaves and parent pointers, etc.), when higher-order inductive definitions are added [14]. Investigating the decidability and complexity of the satisfiability problem for fragments of SL is of theoretical and practical interest. In this paper, we consider prenex SL formulae with prefix ∃*∀*. In analogy with first-order logic with equality and uninterpreted predicates [12], we call this fragment Bernays-Schönfinkel-Ramsey SL [BSR(SL_k)].
As far as we are aware, all existing work on SL assumes that the universe (set of available locations) is countably infinite. This assumption is not necessarily realistic in practice since the available memory is usually finite, although the bound depends on the hardware and is not known in advance. The finite universe hypothesis is especially useful when dealing with bounded memory issues, for instance checking that the execution of a program satisfies its postcondition, provided that there are sufficiently many available memory cells. In this paper we consider both the finite and infinite satisfiability problems. We show that both problems are undecidable for BSR(SL_k) (unlike in first-order logic) and that they become PSPACE-complete under some additional restrictions, related to the occurrences of the magic wand and universal variables: 1. The infinite satisfiability problem is PSPACE-complete if the positive occurrences of −* (i.e., the occurrences of −* that are in the scope of an even number of negations) contain no universal variables. 2. The finite satisfiability problem is PSPACE-complete if there is no positive occurrence of −* (i.e., −* only occurs in the scope of an odd number of negations). Reasoning on finite domains is more difficult than on infinite ones, due to the possibility of asserting cardinality constraints on unallocated cells, which explains that the latter condition is more restrictive than the former one. Actually, the finite satisfiability problem is undecidable even if there is only one positive occurrence of a −* with no variable within the scope of −*. These results establish sharp decidability frontiers within BSR(SL_k).
Undecidability is shown by reduction from BSR first-order formulae with two monadic function symbols. To establish the decidability results, we first show that every quantifier-free SL formula can be transformed into an equivalent boolean combination of formulae of some specific patterns, called test formulae. This result is interesting in itself, since it provides a precise and intuitive characterization of the expressive power of SL: it shows that separating connectives can be confined to a small set of test formulae. Afterward, we show that such test formulae can be transformed into first-order formulae. If the above conditions (1) or (2) are satisfied, then the obtained first-order formulae are in the BSR class, which ensures decidability. The PSPACE upper-bound relies on a careful analysis of the maximal size of the test formulae. The analysis reveals that, although the boolean combination of test formulae is of exponential size, its components (e.g., the conjunctions in its dnf) are of polynomial size and can be enumerated in polynomial space. For space reasons, full details and proofs are given in a technical report [8].

Applications. Besides theoretical interest, our work has natural applications in program verification. Indeed, purely universal SL formulae are useful to express pre- or postconditions asserting "local" constraints on the shape of the data structures manipulated by a program. Consider the atomic proposition x → (y_1, ..., y_k) which states that the value of the heap at x is the tuple (y_1, ..., y_k) and there is no value, other than x, in the domain of h. With this in mind, the following formula describes a well-formed doubly-linked list: Such constraints could also be expressed by using inductively defined predicates; unfortunately, checking satisfiability of SL formulae, even of very simple fragments with no occurrence of −* in the presence of user-defined inductive predicates, is undecidable, unless some rather restrictive conditions are fulfilled [9]. In contrast, checking entailment between two universal formulae boils down to checking the satisfiability of a BSR(SL_k) formula, which can be done thanks to the decidability results in our paper. The separating implication (magic wand) seldom occurs in such shape constraints. However, it is useful to describe the dynamic transformations of the data structures, as in the following Hoare-style axiom, giving the weakest precondition of ∀u. ψ with respect to redirecting the i-th record field of x to z [10]: It is easy to check that the precondition is equivalent to the formula ∀u. x → (y_1, .

In contrast to first-order logic, for which the decision problem has been thoroughly investigated [1], only a few results are known for SL. For instance, the problem is undecidable in general and PSPACE-complete for quantifier-free formulae [4]. For k = 1, the problem is also undecidable, but it is PSPACE-complete if in addition there is only one quantified variable [6] and decidable but nonelementary if there is no magic wand [2]. In particular, we have also studied the prenex form of SL_1 [7] and found out that it is decidable and nonelementary, whereas BSR(SL_1) is PSPACE-complete. In contrast, in this paper we show that undecidability occurs for BSR(SL_k), for k ≥ 2.
Expressive completeness results exist for quantifier-free SL_1 [11,2] and for SL_1 with one and two quantified variables [5,6]. There, the existence of equivalent boolean combinations of test formulae is shown implicitly, using a finite enumeration of equivalence classes of models, instead of an effective transformation. Instead, here we present an explicit equivalence-preserving transformation of quantifier-free SL_k into boolean combinations of test formulae, and translate the latter into first-order logic. Further, we extend the expressive completeness result to finite universes, with additional test formulae asserting cardinality constraints on unallocated cells.
Another translation of quantifier-free SL_k into first-order logic with equality has been described in [3]. There, the small model property of quantifier-free SL_k [4] is used to bound the number of first-order variables to be considered and the separating connectives are interpreted as first-order quantifiers. The result is an equisatisfiable first-order formula. This translation scheme cannot, however, be directly applied to BSR(SL_k), which does not have a small model property, being moreover undecidable. Theory-parameterized versions of BSR(SL_k) have been shown to be undecidable, e.g. when integer linear arithmetic is used to reason about locations, and claimed to be PSPACE-complete for countably infinite and finite unbounded location sorts, with no relation other than equality [13]. In the present paper, we show that this claim is wrong, and draw a precise chart of decidability for both infinite and finite satisfiability of BSR(SL_k).

Preliminaries
Basic Definitions. Let Z_∞ = Z ∪ {∞} and N_∞ = N ∪ {∞}, where for each n ∈ Z we have n + ∞ = ∞ and n < ∞. For a countable set S we denote by ||S|| ∈ N_∞ the cardinality of S. Let Var be a countable set of variables, denoted as x, y, z, and U be a sort. Vectors of variables are denoted by x, y, etc. A function symbol f has #(f) ≥ 0 arguments of sort U and a sort σ(f), which is either the boolean sort Bool or U. If #(f) = 0, we call f a constant. We use ⊥ and ⊤ for the boolean constants false and true, respectively. First-order (FO) terms t and formulae ϕ are defined by the following grammar: where x ∈ Var, f and p are function symbols, σ(f) = U and σ(p) = Bool. We write ∀x. ϕ for ¬∃x. ¬ϕ. The size of a formula ϕ, denoted as size(ϕ), is the number of symbols needed to write it down. Let var(ϕ) be the set of variables that occur free in ϕ, i.e. not in the scope of a quantifier. A sentence ϕ is a formula where var(ϕ) = ∅. First-order formulae are interpreted over FO-structures (called structures, when no confusion arises) S = (U, s, i), where U is a countable set, called the universe, the elements of which are called locations, s : Var → U is a mapping of variables to locations, called a store, and i interprets each function symbol f by a function. A structure is finite when ||U|| ∈ N and infinite otherwise. We write S |= ϕ iff ϕ is true when interpreted in S. This relation is defined recursively on the structure of ϕ, as usual. When S |= ϕ, we say that S is a model of ϕ. A formula is [finitely] satisfiable when it has a [finite] model. We write ϕ_1 ≡ ϕ_2 when (U, s, i) |= ϕ_1 ⇔ (U, s, i) |= ϕ_2, for every structure (U, s, i).
The Bernays-Schönfinkel-Ramsey fragment of FO, denoted by BSR(FO), is the set of sentences ∃x_1 ... ∃x_n ∀y_1 ... ∀y_m. ϕ, where ϕ is a quantifier-free formula in which all function symbols f of arity #(f) > 0 have sort σ(f) = Bool.

Separation Logic. Let k be a strictly positive integer. The logic SL_k is the set of formulae generated by the grammar: where x, y, y_1, ..., y_k ∈ Var. The connectives * and −* are respectively called the separating conjunction and separating implication (magic wand). We write ϕ_1 −⊛ ϕ_2 for ¬(ϕ_1 −* ¬ϕ_2) (−⊛ is called septraction). The size and set of free variables of an SL_k formula ϕ are defined as for first-order formulae.
Given an SL_k formula φ and a subformula ψ of φ, we say that ψ occurs at polarity p ∈ {−1, 0, 1} iff one of the following holds: (i) φ = ψ and p = 1, (ii) φ = ¬φ_1 and ψ occurs at polarity −p in φ_1, (iii) φ = φ_1 ∧ φ_2 or φ = φ_1 * φ_2, and ψ occurs at polarity p in φ_i, for some i = 1, 2, or (iv) φ = φ_1 −* φ_2 and either ψ is a subformula of φ_1 and p = 0, or ψ occurs at polarity p in φ_2. A polarity of 1, 0 or −1 is also referred to as positive, neutral or negative, respectively. Note that our notion of polarity is slightly different than usual, because the antecedent of a separating implication is of neutral polarity while the antecedent of an implication is usually of negative polarity. This is meant to strengthen upcoming decidability results, see Remark 2.
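As an added example (not from the paper), the polarity definition above computed over a quantifier-free SL_k matrix encoded as nested tuples, together with checks of the two syntactic conditions stated in the Introduction (positive −* containing no universal variable, respectively no positive −* at all). The tuple encoding, the function names and the sample formulae are constructed here.

```python
# Formula encoding (constructed for this example, not the paper's notation):
#   ('emp',)                     emp
#   ('eq', x, y)                 x ≈ y
#   ('pto', x, (y1, ..., yk))    x → (y1, ..., yk)
#   ('not', f)  ('and', f, g)  ('star', f, g)  ('wand', f, g)
EMP, EQ, PTO, NOT, AND, STAR, WAND = 'emp', 'eq', 'pto', 'not', 'and', 'star', 'wand'


def free_vars(phi):
    """Variables of a quantifier-free formula (all of them are free)."""
    tag = phi[0]
    if tag == EMP:
        return frozenset()
    if tag == EQ:
        return frozenset(phi[1:])
    if tag == PTO:
        return frozenset((phi[1],) + tuple(phi[2]))
    if tag == NOT:
        return free_vars(phi[1])
    return free_vars(phi[1]) | free_vars(phi[2])      # and, star, wand


def occurrences(phi, polarity=1):
    """Yield (subformula, polarity) for every subformula occurrence of phi.

    Rule (i): phi itself is at polarity 1; (ii) negation flips the sign (0 stays 0);
    (iii) conjunction and * pass the polarity on; (iv) everything inside the
    antecedent of a magic wand is neutral (0), the consequent inherits the polarity.
    """
    yield phi, polarity
    tag = phi[0]
    if tag == NOT:
        yield from occurrences(phi[1], -polarity)
    elif tag in (AND, STAR):
        yield from occurrences(phi[1], polarity)
        yield from occurrences(phi[2], polarity)
    elif tag == WAND:
        yield from occurrences(phi[1], 0)
        yield from occurrences(phi[2], polarity)


def polarities(phi):
    """Map each subformula to the set of polarities at which it occurs in phi."""
    table = {}
    for sub, p in occurrences(phi):
        table.setdefault(sub, set()).add(p)
    return table


def positive_wands(phi):
    """Occurrences of -* at polarity 1 (neutral occurrences are not positive)."""
    return [sub for sub, p in occurrences(phi) if sub[0] == WAND and p == 1]


def satisfies_infinite_condition(universals, phi):
    """Condition 1 of the Introduction: no positive -* mentions a universal variable.

    `universals` is the set of variables bound by the ∀ prefix of the BSR sentence.
    """
    return all(free_vars(w).isdisjoint(universals) for w in positive_wands(phi))


def satisfies_finite_condition(phi):
    """Condition 2 of the Introduction: -* never occurs at positive polarity."""
    return not positive_wands(phi)


# Constructed matrices of sentences ∃x ∀y. φ (so the universal variable is y).
NEG_WAND = (NOT, (WAND, (PTO, 'y', ('x',)), (EMP,)))            # -* under one negation
POS_WAND_UNIV = (WAND, (PTO, 'y', ('x',)), (EMP,))              # positive -* mentioning y
POS_WAND_EXIST = (WAND, (PTO, 'x', ('x',)), (EMP,))             # positive -* without y
NESTED = (NOT, (WAND, (WAND, (PTO, 'y', ('x',)), (EMP,)), (EMP,)))  # inner -* is neutral
```

On NESTED the inner wand sits in the antecedent of a negative wand, so it is neutral and constrains neither condition, which is the point of Remark 2 later in the paper.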
SL_k formulae are interpreted over SL-structures I = (U, s, h), where U and s are as before and h : U ⇀_fin U^k is a finite partial mapping of locations to k-tuples of locations, called a heap. As before, a structure (U, s, h) is finite when ||U|| ∈ N and infinite otherwise. We denote by dom(h) the domain of the heap h and by ||h|| ∈ N the cardinality of dom(h). Two heaps h_1 and h_2 are disjoint iff dom(h_1) ∩ dom(h_2) = ∅, in which case h_1 ⊎ h_2 denotes their union. A heap h' is an extension of h by h'' iff h' = h ⊎ h''. The relation (U, s, h) |= ϕ is defined inductively, as follows: The semantics of equality, boolean and first-order connectives is the usual one. Satisfiability, entailment and equivalence are defined for SL_k as for FO formulae.
The Bernays-Schönfinkel-Ramsey fragment of SL_k, denoted by BSR(SL_k), is the set of sentences ∃x_1 ... ∃x_n ∀y_1 ... ∀y_m. φ, where φ is a quantifier-free SL_k formula. Since there is no function symbol of arity greater than zero in SL_k, there is no restriction, other than the form of the quantifier prefix, defining BSR(SL_k).

Test formulae for SL_k
We define a small set of SL_k patterns of formulae, possibly parameterized by a positive integer, called test formulae. These patterns capture properties related to allocation, points-to relations in the heap and cardinality constraints.
Definition 1. The following patterns are called test formulae: The semantics of test formulae is very natural: x ↦ y means that x points to vector y, alloc(x) means that x is allocated, and the arithmetic expressions are interpreted as usual, where |h| and |U| respectively denote the number of allocated cells and the number of locations (possibly ∞). Formally: Proposition 1. Given an SL-structure (U, s, h), the following equivalences hold, for all variables x, y_1, ..., y_k ∈ Var and integers n ∈ N: Not all atoms of SL_k are test formulae, for instance x → y and emp are not test formulae. However, by Proposition 1, we have the equivalences x → y ≡ x ↦ y ∧ ¬|h| ≥ 2 and emp ≡ ¬|h| ≥ 1. Note that, for any n ∈ N, the test formulae |U| ≥ n and |h| ≥ |U| − n are trivially true and false respectively, if the universe is infinite. We write t < u for ¬(t ≥ u).
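As an added example (not from the paper), a brute-force model checker for SL_k over a finite universe, implementing the semantics of the separating connectives from the Preliminaries and the test formulae of Definition 1. Because the universe is finite, a magic wand can be decided by enumerating every disjoint heap extension, which is exactly what the infinite case denies us; the tuple encoding, the function names and the sample structures are constructed here.

```python
from itertools import combinations, product


def heaps_disjoint_from(universe, heap, k):
    """Every heap h' over `universe` with dom(h') ∩ dom(heap) = ∅ (values are k-tuples)."""
    free = sorted(set(universe) - set(heap))
    choices = [None] + list(product(sorted(universe), repeat=k))   # None = left unallocated
    for assignment in product(choices, repeat=len(free)):
        yield {loc: val for loc, val in zip(free, assignment) if val is not None}


def sat(universe, store, heap, k, phi):
    """(U, s, h) |= phi. Formulas are nested tuples; the tag comments give the reading."""
    tag = phi[0]
    if tag == 'emp':                          # heap is empty
        return not heap
    if tag == 'eq':                           # x ≈ y
        return store[phi[1]] == store[phi[2]]
    if tag == 'pto':                          # test formula x ↦ y: h(s(x)) = s(y)
        return heap.get(store[phi[1]]) == tuple(store[v] for v in phi[2])
    if tag == 'pto1':                         # SL atom x → y: dom(h) = {s(x)} and h(s(x)) = s(y)
        return set(heap) == {store[phi[1]]} and sat(universe, store, heap, k, ('pto',) + phi[1:])
    if tag == 'alloc':                        # alloc(x): s(x) ∈ dom(h)
        return store[phi[1]] in heap
    if tag == 'h_ge':                         # |h| ≥ n
        return len(heap) >= phi[1]
    if tag == 'u_ge':                         # |U| ≥ n
        return len(universe) >= phi[1]
    if tag == 'h_ge_u_minus':                 # |h| ≥ |U| − n: at most n unallocated locations
        return len(heap) >= len(universe) - phi[1]
    if tag == 'not':
        return not sat(universe, store, heap, k, phi[1])
    if tag == 'and':
        return sat(universe, store, heap, k, phi[1]) and sat(universe, store, heap, k, phi[2])
    if tag == 'iff':
        return sat(universe, store, heap, k, phi[1]) == sat(universe, store, heap, k, phi[2])
    if tag == 'star':                         # some split h = h1 ⊎ h2 with h1 |= phi1, h2 |= phi2
        locs = sorted(heap)
        for r in range(len(locs) + 1):
            for left in combinations(locs, r):
                h1 = {l: heap[l] for l in left}
                h2 = {l: heap[l] for l in locs if l not in left}
                if sat(universe, store, h1, k, phi[1]) and sat(universe, store, h2, k, phi[2]):
                    return True
        return False
    if tag == 'wand':                         # every disjoint h' |= phi1 yields h ⊎ h' |= phi2
        return all(not sat(universe, store, h2, k, phi[1])
                   or sat(universe, store, {**heap, **h2}, k, phi[2])
                   for h2 in heaps_disjoint_from(universe, heap, k))
    if tag in ('exists', 'forall'):           # quantifiers range over the (finite) universe
        x, body = phi[1], phi[2]
        outcomes = [sat(universe, {**store, x: loc}, heap, k, body) for loc in sorted(universe)]
        return any(outcomes) if tag == 'exists' else all(outcomes)
    raise ValueError('unknown connective %r' % (tag,))


def valid_over(universe, variables, k, phi):
    """True iff phi holds in every structure (U, s, h) with this finite U and s defined on `variables`."""
    for heap in heaps_disjoint_from(universe, {}, k):
        for values in product(sorted(universe), repeat=len(variables)):
            if not sat(universe, dict(zip(variables, values)), heap, k, phi):
                return False
    return True


def check_proposition_1(universe=(0, 1, 2), k=1):
    """The two equivalences derived from Proposition 1, checked on a constructed 3-location universe."""
    x_to_y = ('iff', ('pto1', 'x', ('y',)),
              ('and', ('pto', 'x', ('y',)), ('not', ('h_ge', 2))))
    emp = ('iff', ('emp',), ('not', ('h_ge', 1)))
    return valid_over(universe, ['x', 'y'], k, x_to_y) and valid_over(universe, ['x', 'y'], k, emp)


def example_finite_universe():
    """Constructed structure: U = {0,1,2}, k = 1, h = {0 ↦ 1}, s(x) = 2, s(y) = 1.

    Returns the truth values of |h| ≥ |U| − 2, |h| ≥ |U| − 1, x ↦ y −* |h| ≥ 2 and
    x ↦ y −* |h| ≥ 3: the first pair bounds the unallocated cells, the second pair
    shows the wand ranging over the single possible extension {2 ↦ 1}.
    """
    U, s, h = (0, 1, 2), {'x': 2, 'y': 1}, {0: (1,)}
    return (sat(U, s, h, 1, ('h_ge_u_minus', 2)),
            sat(U, s, h, 1, ('h_ge_u_minus', 1)),
            sat(U, s, h, 1, ('wand', ('pto', 'x', ('y',)), ('h_ge', 2))),
            sat(U, s, h, 1, ('wand', ('pto', 'x', ('y',)), ('h_ge', 3))))
```

The checker is exponential in the heap size and the universe, so it is a reference semantics for small structures rather than a decision procedure.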
We need to introduce a few notations useful to describe upcoming transformations in a concise and precise way. A literal is a test formula or its negation. Unless stated otherwise, we view a conjunction T of literals as a set and we use the same symbol to denote both a set and the formula obtained by conjoining the elements of the set. The equivalence relation x ≈_T y is defined as T |= x ≈ y and we write x ≉_T y for T |= ¬x ≈ y. Observe that x ≉_T y is not the complement of x ≈_T y. For a set X of variables, |X|_T is the number of equivalence classes of ≈_T in X.
For a set T of literals, let: Intuitively, av(T) [nv(T)] is the set of variables that must be [are never] allocated in every [any] model of T, and fp_X(T) is the footprint of T relative to the set X ⊆ Var, i.e. the set of formulae describing allocation and points-to relations over variables from X. For example, if T = {x ≈ z, alloc(x), ¬alloc(y), ¬z ↦ y}, then av(T) = {x, z}, nv(T) = {y}, fp_a(T) = {alloc(x), ¬z ↦ y} and fp_nv(T)(T) = {¬alloc(y)}.
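As an added example (not from the paper), the notations av(T), nv(T), fp_X(T) and |X|_T computed for a conjunction T of test-formula literals, following the intuitive description above and reproducing the worked example. The literal encoding and function names are constructed here; as a simplifying assumption, x ≈_T y is approximated by the equivalence closure of the positive equality literals of T, which is sound but not complete for T |= x ≈ y in general (it ignores, e.g., equalities forced by functionality of the heap).

```python
# Literal encoding (constructed): ('eq', x, y) x ≈ y, ('neq', x, y) ¬x ≈ y,
# ('alloc', x), ('nalloc', x) ¬alloc(x), ('pto', x, ys) x ↦ ys, ('npto', x, ys) ¬x ↦ ys.


def variables_of(T):
    """All variables mentioned in the literal set T."""
    vs = set()
    for lit in T:
        vs.add(lit[1])
        if lit[0] in ('eq', 'neq'):
            vs.add(lit[2])
        elif lit[0] in ('pto', 'npto'):
            vs.update(lit[2])
    return vs


def classes_of(T, variables):
    """Partition `variables` into ≈_T-classes (union-find closure of the x ≈ y literals of T)."""
    parent = {v: v for v in variables}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for lit in T:
        if lit[0] == 'eq':
            parent[find(lit[1])] = find(lit[2])
    groups = {}
    for v in variables:
        groups.setdefault(find(v), set()).add(v)
    return list(groups.values())


def same_class(T, x, y):
    """x ≈_T y under the closure approximation described in the lead-in."""
    return any(x in c and y in c for c in classes_of(T, variables_of(T) | {x, y}))


def av(T):
    """Variables that must be allocated in every model of T (≈_T-equal to an alloc/points-to subject)."""
    allocated = {lit[1] for lit in T if lit[0] in ('alloc', 'pto')}
    return {x for x in variables_of(T) if any(same_class(T, x, y) for y in allocated)}


def nv(T):
    """Variables that are never allocated in any model of T (≈_T-equal to a ¬alloc subject)."""
    unallocated = {lit[1] for lit in T if lit[0] == 'nalloc'}
    return {x for x in variables_of(T) if any(same_class(T, x, y) for y in unallocated)}


def fp(T, X):
    """fp_X(T): allocation and points-to literals of T whose left-hand side variable is in X."""
    return {lit for lit in T if lit[0] in ('alloc', 'nalloc', 'pto', 'npto') and lit[1] in X}


def class_count(T, X):
    """|X|_T: number of ≈_T-equivalence classes among the variables of X."""
    return sum(1 for c in classes_of(T, variables_of(T) | set(X)) if c & set(X))


# The conjunction T = {x ≈ z, alloc(x), ¬alloc(y), ¬z ↦ y} from the example above.
T_EXAMPLE = {('eq', 'x', 'z'), ('alloc', 'x'), ('nalloc', 'y'), ('npto', 'z', ('y',))}
```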

From Test formulae to FO
The introduction of test formulae (Definition 1) is motivated by the reduction of the (in)finite satisfiability problem for quantified boolean combinations thereof to the same problem for FO. The reduction is devised in such a way that the obtained formula is in the BSR class, if possible. Given a quantified boolean combination of test formulae φ, the FO formula τ(φ) is defined by induction on the structure of φ: where p is a (k + 1)-ary function symbol of sort Bool and a_n, b_n and c_n are constants of sort Bool, for all n ∈ N. These function symbols are related by the following axioms, where u_n, v_n and w_n are constants of sort U, for all n > 0: Intuitively, p encodes the heap and a_n (resp. b_n) is true iff there are at least n cells in the domain of the heap (resp. in the universe), namely u_1, ..., u_n (resp. v_1, ..., v_n). If c_n is true, then there are at least n locations w_1, ..., w_n outside of the domain of the heap (free), but the converse does not hold. The C_n axioms do not state the equivalence of c_n with the existence of at least n free locations, because such an equivalence cannot be expressed in BSR(FO) as the set of axioms related to φ.
The relationship between φ and τ(φ) is stated below. Lemma 1. Let φ be a quantified boolean combination of test formulae. The following hold, for any universe U and any store s: The translation of alloc(x) introduces existential quantifiers depending on x. For instance, ∀x. alloc(x) is translated as ∀x ∃y_1 ... ∃y_k. p(x, y_1, ..., y_k), which lies outside of the BSR(FO) fragment. Because upcoming decidability results (Thm. 2) require that τ(φ) be in BSR(FO), we end this section by delimiting a fragment of SL_k whose translation falls into BSR(FO).
Lemma 2. Given an SL_k formula ϕ = ∀z_1 ... ∀z_m. φ, where φ is a boolean combination of test formulae containing no positive occurrence of alloc(z_i) for any i ∈ [1, m], τ(ϕ) is equivalent (up to transformation into prenex form) to a BSR(FO) formula with the same constants and free variables as τ(ϕ).
Intuitively, if a formula alloc(x) occurs negatively then the quantifiers ∃y_1 ... ∃y_k added when translating alloc(x) can be transformed into universal ones by transformation into nnf, and if x is not universal then they may be shifted to the root of the formula since y_1, ..., y_k depend only on x. In both cases, the quantifier prefix ∃*∀* is preserved.
From Quantifier-Free SL_k to Test Formulae

This section states the expressive completeness result of the paper, namely that any quantifier-free SL_k formula is equivalent, on both finite and infinite models, to a boolean combination of test formulae. Starting from a quantifier-free SL_k formula ϕ, we define a set µ(ϕ) of conjunctions of test formulae and their negations, called minterms, such that ϕ ≡ ⋁_{M∈µ(ϕ)} M. Although the number of minterms in µ(ϕ) is exponential in the size of ϕ, checking the membership of a given minterm M in µ(ϕ) can be done in PSPACE.
Together with the translation of minterms into FO (§3.1), this fact is used to prove PSPACE membership of the two decidable fragments of BSR(SL_k), defined next (§5.2).

Minterms

A minterm may be viewed as an abstract description of a heap. The conditions are for technical convenience only and are not restrictive. For instance, tautological test formulae of the form |h| ≥ 0 and/or |h| < ∞ may be added if needed so that the first condition holds. If M contains two literals t ≥ n_1 and t ≥ n_2 with n_1 < n_2 and t ∈ {|h|, |U|} then t ≥ n_1 is redundant and can be removed, and similarly if M contains literals |h| ≥ |U| − n_1 and |h| ≥ |U| − n_2. Heterogeneous constraints are merged by performing a case split on the value of |U|. For example, if M contains both |h| ≥ |U| − 4 and |h| ≥ 1, then the first condition prevails if |U| ≥ 5, yielding the equivalent disjunction:
Thus, in the following, we assume that any conjunction of literals can be transformed into a disjunction of minterms [8].
Definition 4. Given a minterm M, we define the sets: Thus, M = M_e ∪ M_u ∪ M_a ∪ M_p ∪ {|h| ≥ min_M, |h| < max_M}, for each minterm M. Given a set of variables X ⊆ Var, a minterm M is (1) E-complete for X iff for all x, y ∈ X exactly one of x ≈ y ∈ M, ¬x ≈ y ∈ M holds, and (2) A-complete for X iff for each x ∈ X exactly one of alloc(x) ∈ M, ¬alloc(x) ∈ M holds.
For a literal ℓ, we denote by ℓ̄ its complement, i.e. θ where δ_x(M) is the number of pairwise M-distinct tuples y for which there exists ¬x' ↦ y ∈ M such that x ≈_M x'. Intuitively, dc(M) asserts that min_M < max_M and that the domain contains enough elements to allocate all cells. Essentially, given a structure (U, s, h), if h(x) is known to be defined and distinct from n pairwise distinct vectors of locations v_1, ..., v_n, then necessarily at least n + 1 vectors must exist. Since there are ||U||^k vectors of length k, we must have For instance, if M = {¬x ↦ y_i, alloc(x), ¬y_i ≈ y_j | i, j ∈ [1, n], i ≠ j}, then it is clear that M is unsatisfiable if there are fewer than n locations, since x cannot be allocated in this case. Definition 5. A minterm M is footprint-consistent if for all x, x' ∈ Var and y, y' ∈ Var^k, such that x ≈_M x' and y_i ≈_M y'_i for all i ∈ [1, k], we have (1) if alloc(x) ∈ M then ¬alloc(x') ∉ M, and (2) if x ↦ y ∈ M then ¬alloc(x'), ¬x' ↦ y' ∉ M.
We are now ready to define a boolean combination of test formulae that is equivalent to M_1 * M_2, where M_1 and M_2 are minterms satisfying a number of additional conditions.
, y ∈ Var^k} be the set of negative points-to literals common to M_1 and M_2, involving left-hand side variables not allocated in either M_1 or M_2. Lemma 3. Let M_1, M_2 be two footprint-consistent minterms that are and E-complete for var(M_1 ∪ M_2), with cc(M and Intuitively, if M_1 and M_2 hold separately, then all heap-independent literals from M_1 ∪ M_2 must be satisfied (2), the variables allocated in M_1 and M_2 must be pairwise distinct and their footprints, relative to the allocated variables, jointly asserted (3). Moreover, unallocated variables on both sides must not be allocated and common negative points-to literals must be asserted (4). Since the heap satisfying elim_*(M_1, M_2) is the disjoint union of the heaps for M_1 and M_2, its bounds are the sum of the bounds on both sides (5) and, moreover, the variables that M_2 never allocates [nv(M_2)] may occur allocated in the heap of M_1 and vice versa, thus the constraints η_12 and η_21, respectively (6).
Next, we show a similar result for the separating implication. For technical convenience, we translate the septraction M_1 −⊛ M_2, instead of M_1 −* M_2, as an equivalent boolean combination of test formulae. This is without loss of generality, because Unlike with the case of the separating conjunction (Lemma 3), here the definition of the boolean combination of test formulae depends on whether the universe is finite or infinite.
If the complement of some literal ℓ ∈ fp_a(M_1) belongs to M_2 then no extension by a heap that satisfies M_1 may satisfy M_2. Therefore, as an additional simplifying assumption, we suppose that no complement of a literal in fp_a(M_1) belongs to M_2, so that M_1 −⊛ M_2 is not trivially unsatisfiable. We write φ ≡_fin ψ [φ ≡_inf ψ] if φ has the same truth value as ψ in all finite [infinite] structures.
Lemma 4. Let M_1 and M_2 be footprint-consistent minterms that are E-complete for , where: A heap satisfies M_1 −⊛ M_2 iff it has an extension, by a disjoint heap satisfying M_1, that satisfies M_2. Thus, elim_†(M_1, M_2) must entail the heap-independent literals of both M_1 and M_2 (7). Next, no variable allocated by M_1 must be allocated by elim_†(M_1, M_2), otherwise no extension by a heap satisfying M_1 is possible and, moreover, the footprint of M_2 relative to the unallocated variables of M_1 must be asserted (8). The heap's cardinality constraints depend on the bounds of M_1 and M_2 (9) and, if Y is a set of variables not allocated in the heap, these variables can be allocated in the extension (10). Actually, this is where the finite universe assumption first comes into play. If the universe is infinite, then there are enough locations outside the heap to be assigned to Y. However, if the universe is finite, then it is necessary to ensure that there are at least #_n(Y, M_1) free locations to be assigned to Y (10).

Translating Quantifier-free SL_k into Minterms
We prove next that each quantifier-free SL_k formula is equivalent to a finite disjunction of minterms: Lemma 5. Given a quantifier-free SL_k formula φ, there exist two sets of minterms µ_fin(φ) and µ_inf(φ) such that the following equivalences hold: (1) φ ≡_fin ⋁_{M∈µ_fin(φ)} M, and (2) φ ≡_inf ⋁_{M∈µ_inf(φ)} M. The formal definition of µ_fin(φ) and µ_inf(φ) is given in [8] and omitted for the sake of conciseness and readability. Intuitively, these sets are defined by induction on the structure of the formula. For base cases, the following equivalences are used: For formulae ¬ψ_1 or ψ_1 ∧ ψ_2, the transformation is first applied recursively on ψ_1 and ψ_2, then the obtained formula is transformed into dnf. For formulae ψ_1 * ψ_2 or ψ_1 −⊛ ψ_2, the transformation is applied on ψ_1 and ψ_2, then the following equivalences are used to shift * and −⊛ innermost in the formula: Afterwards, the operands of * and −⊛ are minterms, and the result is obtained using the equivalences in Lemmas 3 and 4, respectively (up to a transformation into dnf). The only difficulty is that these lemmas impose some additional conditions on the minterms (e.g., being E-complete, or A-complete). However, the conditions are easy to enforce by case splitting, as illustrated by the following example: To apply Lemma 4, we need to ensure that M_1 and M_2 are E-complete, which may be done by adding either x ≈ y or ¬x ≈ y to each minterm. We also have to ensure that M_1 is A-complete, thus for z ∈ {x, y}, we add either alloc(z) or ¬alloc(z) to M_1. Finally, we must have ), thus we add either y ↦ y or ¬y ↦ y to M_1. After removing redundancies, we get (among others) the minterms: As explained in Section 3.1, boolean combinations of minterms can only be transformed into sat-equivalent BSR(FO) formulae if there is no positive occurrence of test formulae |h| ≥ |U| − n or alloc(x) (see the conditions in Lemmas 1 (2) and 2). Consequently, we relate the polarity of these formulae in some minterm M ∈ µ_fin(φ) ∪ µ_inf(φ) with that of a separating implication within φ. The analysis depends on whether the universe is finite or infinite. Lemma 6. For any quantifier-free SL_k formula φ, the following properties hold: 1. For all M ∈ µ_inf(φ), 0 for some minterm M ∈ µ_fin(φ), then a formula ψ_1 −* ψ_2, such that x ∈ var(ψ_1) ∪ var(ψ_2), occurs in φ at some polarity p ∈ {−1, 1}. Moreover, alloc(x) occurs at a polarity −p only if alloc(x) is in the scope of a λ_fin subformula (10) of a formula elim_fin(M_1, M_2) used to compute ⋁_{M∈µ_fin(φ)} M.
Given a quantifier-free SL_k formula φ, the number of minterms occurring in µ_fin(φ) [µ_inf(φ)] is exponential in the size of φ, in the worst case. Therefore, an optimal decision procedure cannot generate and store these sets explicitly, but rather must enumerate minterms lazily. We show that (i) the size of the minterms in µ_fin(φ) ∪ µ_inf(φ) is bounded by a polynomial in the size of φ, and that (ii) the problem "given a minterm M, does M occur in µ_fin(φ) [resp. in µ_inf(φ)]?" is in PSPACE. To this aim, we define a measure on a quantifier-free formula φ, which bounds the size of the minterms in the sets µ_fin(φ) and µ_inf(φ), inductively on the structure of the formulae: A minterm M is M-bounded by a formula φ, if for each literal ℓ ∈ M, the following hold: The following lemma provides the desired result: The proof goes by a careful analysis of the test formulae introduced in Lemmas 3 and 4 or created by minterm transformations (see [8] for details). Since M(φ) is polynomially bounded by size(φ), this entails that it is possible to check whether M ∈ µ_fin(φ) [resp. µ_inf(φ)] using space bounded also by a polynomial in size(φ).
Lemma 8. Given a minterm M and an SL_k formula φ, the problems of checking whether M ∈ µ_fin(φ) and M ∈ µ_inf(φ) are in PSPACE.
Remark 1. Observe that the formulae elim_*(M_1, M_2) and elim_fin(M_1, M_2) in Lemmas 3 and 4 are of exponential size, because Y ranges over sets of variables. However these formulae do not need to be constructed explicitly. To check that M ∈ µ_fin(φ) or M ∈ µ_inf(φ), we only have to guess such sets Y. See [8] for details.
Bernays-Schönfinkel-Ramsey SL_k

This section gives the results concerning decidability of the (in)finite satisfiability problems within the BSR(SL_k) fragment. BSR(SL_k) is the set of sentences ∀y_1 ... ∀y_m. φ, where φ is a quantifier-free SL_k formula, with var(φ) = {x_1, ..., x_n, y_1, ..., y_m}, where the existentially quantified variables x_1, ..., x_n are left free. First, we show that, contrary to BSR(FO), the satisfiability of BSR(SL_k) is undecidable for k ≥ 2. Second, we carve two nontrivial fragments of BSR(SL_k), for which the infinite and finite satisfiability problems are both PSPACE-complete. These fragments are defined based on restrictions of (i) polarities of the occurrences of the separating implication, and (ii) occurrences of universally quantified variables in the scope of separating implications. These results draw a rather precise chart of decidability within the BSR(SL_k) fragment.

Undecidability of BSR(SL_k)
Theorem 1. The finite and infinite satisfiability problems are both undecidable for BSR(SL_k).
We provide a brief sketch of the proof, see [8] for details. We consider the finite satisfiability problem of the [∀, (0), (2)]_= fragment of FO, which consists of sentences of the form ∀x. φ(x), where φ is a quantifier-free boolean combination of atomic propositions t_1 ≈ t_2, and t_1, t_2 are terms built using two function symbols f and g, of arity one, the variable x and constant c. It is known (see e.g. [1, Theorem 4.1.8]) that finite satisfiability is undecidable for [∀, (0), (2)]_=. We reduce this problem to BSR(SL_k) satisfiability. The idea is to encode the value of f and g into the heap, in such a way that every element x points to (f(x), g(x)). Given a sentence ϕ = ∀x. φ(x) in [∀, (0), (2)]_=, we proceed by first flattening each term in φ consisting of nested applications of f and g. The result is an equivalent sentence ϕ_flat = ∀x_1 ... ∀x_n. φ_flat, in which the only terms are x_i, c, f x → (y, z) → alloc(y) ∧ alloc(z) and φ_sl is obtained from φ_flat by replacing each occurrence of c by x_c, each term f(c) [g(c)] by y_c [z_c] and each term f(x_i) [g(x_i)] by y_i [z_i]. Intuitively, α_fin asserts that the heap is a total function, and α_inf states that every referenced cell is allocated. It is easy to check that ϕ and ϕ_sl are equisatisfiable. The undecidability result still holds for finite satisfiability if a single occurrence of −* is allowed, in a (ground) formula |h| ≥ |U| − 0 (see the definition of α_fin above).
Remark 2. Because the polarity of the antecedent of a −* is neutral, Definition 7 imposes no constraint on the occurrences of separating implications at the left of a −*.
The decidability result of this paper is stated below: Theorem 2. For any integer k ≥ 1 not depending on the input, the infinite satisfiability problem for BSR inf (SL k ) and the finite satisfiability problem for BSR fin (SL k ) are both PSPACE-complete.
We provide a brief sketch of the proof (all details are available in [8]).In both cases, PSPACE-hardness is an immediate consequence of the fact that the quantifier-free fragment of SL k , without the separating implication, but with the separating conjunction and negation, is PSPACE-hard [4].For PSPACE-membership, consider a formula ϕ in BSR inf (SL k ), and its equivalent disjunction of minterms ϕ (of exponential size).Lemma 8 gives us an upper bound on the size of test formulae in ϕ , hence on the number of constant symbols occurring in τ(ϕ ).This, in turns, gives a bound on the cardinality of the model of τ(ϕ ).We may thus guess such an interpretation, and check that it is indeed a model of τ(ϕ ) by enumerating all the minterms in ϕ (this is feasible in polynomial space thanks to Lemma 8) and translating them on-the-fly into first-order formulae.The only subtle point is that the model obtained in this way is finite, whereas our aim is to test that the obtained formula has a infinite model.This difficulty can be overcome by adding an axiom ensuring that the domain contains more unallocated elements than the total number of constant symbols and variables in the formula.This is sufficient to prove that the obtained model -although finite -can be extended into an infinite model, obtained by creating infinitely many copies of these elements.
The proof for BSR_fin(SL_k) is similar, but far more involved. The problem is that, if the universe is finite, then alloc(x) test formulae may occur at a positive polarity, even if every φ_1 −∗ φ_2 subformula occurs at a negative polarity, due to the positive occurrences of alloc(x) within λ_fin (10) in the definition of elim_fin(M_1, M_2). As previously discussed, positive occurrences of alloc(x) hinder the translation into BSR(FO), because of the existential quantifiers that may occur in the scope of a universal quantifier. The solution is to distinguish a class of finite structures (U, s, h), the so-called α-controlled structures, for some α ∈ N, for which there are locations ℓ_1, ..., ℓ_α such that every location ℓ ∈ U is either some ℓ_i or points to a tuple from the set {ℓ_1, ..., ℓ_α, ℓ}. For such structures, the formulae alloc(x) can be eliminated in a straightforward way, because they are equivalent to ⋀_{i=1}^{α} (x ≈ ℓ_i → alloc(ℓ_i)). If the structure is not α-controlled, then we can show that there exist sufficiently many unallocated cells, so that all the cardinality constraints of the form |h| ≤ |U| − n or |U| ≥ n are always satisfied. This ensures that the truth values of the positive occurrences of alloc(x) are irrelevant, because they only occur in formulae λ_fin that are always true if all test formulae |h| ≤ |U| − n or |U| ≥ n are true (see the definition of λ_fin in Lemma 4).

Conclusions and Future Work
We have studied the decidability problem for SL formulae with quantifier prefix in the language ∃*∀*, denoted as BSR(SL_k). Although the fragment was found to be undecidable, we identified two non-trivial subfragments for which infinite and finite satisfiability, respectively, are PSPACE-complete. These fragments are defined by restricting the use of universally quantified variables within the scope of separating implications at positive polarity. The universal quantifiers and separating conjunctions are useful to express local constraints on the shape of the data structure, whereas the separating implications allow one to express dynamic transformations of these data structures. As a consequence, separating implications usually occur negatively in the formulae tested for satisfiability, and the decidable classes found in this work are of great practical interest. Future work involves formalizing and implementing an invariant checking algorithm based on the above ideas, and using the techniques for proving decidability (namely the translation of quantifier-free SL_k formulae into boolean combinations of test formulae) to solve other logical problems, such as frame inference, abduction and possibly interpolation.
the number of equivalence classes of ≈_T containing variables allocated in every model of T, and #_n(X, T) ≝ |X ∩ nv(T)|_T be the number of equivalence classes of ≈_T containing variables from X that are not allocated in any model of T. We also let fp_a(T) ≝ fp_{av(T)}(T).

Definition 3.
As a consequence, the transformation preserves sat-equivalence only if the formulae |h| ≥ |U| − n occur only at negative polarity (see Lemma 1, Point 2). If the domain is infinite then this problem does not arise, since the formulae |h| ≥ |U| − n are always false. For a quantified boolean combination of test formulae φ, we let N(φ) be the maximum integer n occurring in a test formula θ of the form |h| ≥ n, |U| ≥ n, or |h| ≥ |U| − n from φ, and define A(φ)

A minterm M is a set (conjunction) of literals containing: exactly one literal |h| ≥ min_M and one literal |h| < max_M, where min_M ∈ N ∪ {|U| − n | n ∈ N} and max_M ∈ N^∞ ∪ {|U| − n | n ∈ N}, and at most one literal of the form |U| ≥ n, respectively |U| < n.

The complement of a test formula θ is defined by θ̄ ≝ ¬θ, and the complement of ¬θ is θ. Let M̄ be the minterm obtained from M by replacing each literal with its complement. The complement closure of M is cc(M) ≝ M ∪ M̄. Two tuples y, y' ∈ Var^k are M-distinct if y_i ≉_M y'_i for some i ∈ [1, k]. Given a minterm M that is E-complete for var(M), its points-to closure is pc(M) ≝ ⊥ if there exist literals x → y, x' → y' ∈ M such that x ≈_M x' and y, y' are M-distinct, and pc(M) ≝ M otherwise. Intuitively, pc(M) is ⊥ iff M contradicts the fact that the heap is a partial function. The domain closure of M is dc(M) ≝ ⊥ if either min_M = n_1 and max_M = n_2 for some n_1, n_2 ∈ Z such that n_1 ≥ n_2, or min_M = |U| − n_1 and max_M = |U| − n_2, where n_2 ≥ n_1; and otherwise:
..., y_k) ∗ [x → (y_1, ..., y_{i−1}, z, y_{i+1}, ..., y_k) −∗ ψ], because, although hoisting universal quantifiers outside of the separating conjunction is unsound in general, this is possible here due to the special form of the left-hand side x → (y_1, ..., y_{i−1}, z, ..., y_k), which unambiguously defines a single heap cell. Therefore, checking that ∀u.ψ is an invariant of the program statement x.i := z amounts to checking that the formula ∀u.ψ ∧ ∃u.¬[x → (y_1, ..., y_k) ∗ (x → (y_1, ..., y_{i−1}, z, ..., y_k) −∗ ψ)] is unsatisfiable. Because the magic wand occurs negated, this formula falls into a decidable class defined in the present paper, for both finite and infinite satisfiability. The complete formalization of this deductive program verification technique and the characterization of the class of programs for which it is applicable are outside the scope of the paper and are left for future work.
Related Work.
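The following worked instance of the invariant check described above is an added illustration, not taken from the paper. It assumes k = 1 (each cell holds a single field, so x.1 := z rewrites that field), that a points-to atom describes exactly one heap cell (as the remark above about x → (...) "unambiguously" defining a single cell indicates), and that ⊤ abbreviates any valid formula; the invariant ψ, the precondition and the witness structure are constructed for this example.

```latex
% Candidate invariant (constructed): every cell points to an allocated location.
\psi(u,v) \;\equiv\; (u \mapsto v \ast \top) \rightarrow \mathit{alloc}(v),
\qquad \text{checked as } \forall u\,\forall v.\ \psi(u,v).

% Statement x.1 := z. The check from the text, together with the (assumed)
% precondition that x is allocated and currently holds y:
\Phi \;\equiv\; (x \mapsto y \ast \top)
   \;\wedge\; \forall u\,\forall v.\ \psi(u,v)
   \;\wedge\; \exists u\,\exists v.\ \neg\big[\, x \mapsto y \ast (x \mapsto z \;-\!\!\ast\; \psi(u,v)) \,\big].

% Prenex form: \exists x\,\exists y\,\exists z\,\exists u'\,\exists v'\,\forall u\,\forall v,
% i.e. a quantifier prefix in \exists^*\forall^*; the only magic wand is under a
% negation, so it occurs at negative polarity, as the text requires.

% (a) \Phi is satisfiable, so the invariant is NOT preserved in general.
% Witness (constructed): \ell_x, \ell_y, \ell_z \in U pairwise distinct,
%   s(x)=\ell_x,\ s(y)=\ell_y,\ s(z)=\ell_z,
%   h = \{\ell_x \mapsto \ell_y,\ \ell_y \mapsto \ell_y\},\ \ell_z \notin dom(h).
% \forall u\,\forall v.\psi(u,v) holds in h: both cells point to \ell_y \in dom(h).
% The only split with h_1 \models x \mapsto y is h_1 = \{\ell_x \mapsto \ell_y\},
% h_2 = \{\ell_y \mapsto \ell_y\}. The wand asks that h_2 \uplus h' \models \psi(u,v)
% for h' = \{\ell_x \mapsto \ell_z\}; with u := \ell_x,\ v := \ell_z the antecedent
% \ell_x \mapsto \ell_z \ast \top holds but alloc(\ell_z) fails, since
% dom(h_2 \uplus h') = \{\ell_x, \ell_y\}. So the wand fails, the star fails,
% and the negated conjunct is true: \Phi has a model.

% (b) Adding the test formula alloc(z) to the precondition makes \Phi unsatisfiable.
% In any model, h_1 = \{s(x) \mapsto s(y)\} exists by the precondition, and
% dom(h_2 \uplus h') = (dom(h) \setminus \{s(x)\}) \cup \{s(x)\} = dom(h).
% Every cell of h_2 \uplus h' is either the new cell s(x) \mapsto s(z), whose target
% is allocated because alloc(z) holds in h and dom(h) is unchanged, or a cell of h,
% whose target was allocated in h and therefore still is. Hence \psi(u,v) holds for
% all u, v, the wand and the star hold, and the existential conjunct is false in
% every model: \forall u\,\forall v.\psi is an invariant of x.1 := z given alloc(z).
```

The two cases show what the construction buys in practice: the satisfiable case yields a concrete counter-model (the target z is dangling), and the missing hypothesis it points to, alloc(z), is itself one of the paper's test formulae, so the strengthened check stays inside the same decidable fragment.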