Strong-Separation Logic

Most automated verifiers for separation logic target the symbolic-heap fragment, disallowing both the magic-wand operator and the application of classical Boolean operators to spatial formulas. This is not surprising, as support for the magic wand quickly leads to undecidability, especially when combined with inductive predicates for reasoning about data structures. To circumvent these undecidability results, we propose to assign a more restrictive semantics to the separating conjunction. We argue that the resulting logic, strong-separation logic, can be used for compositional program verification and bi-abductive static analysis just like"standard"separation logic, while remaining decidable even in the presence of both the magic wand and the list-segment predicate---a combination of features that leads to undecidability assuming the standard semantics.


Introduction
Separation logic [37] is one of the most successful formalisms for the analysis and verification of programs making use of dynamic resources such as heap memory and access permissions [5,7,9,10,17,24,30]. At the heart of the success of separation logic (SL) is the separating conjunction, * , which supports concise statements about the disjointness of resources. In this article, we will focus on separation logic for describing the heap in single-threaded heap-manipulating programs. In this setting, the formula φ * ψ can be read as "the heap can be split into two disjoint parts, such that φ holds for one part and ψ for the other. " Our article starts from the following observation: The standard semantics of * allows splitting a heap into two arbitrary sub-heaps. The magic-wand operator − * , which is the adjoint of * , then allows adding arbitrary heaps. This arbitrary splitting and adding of heaps makes reasoning about SL formulas difficult, and quickly renders separation logic undecidable when inductive predicates for data structures are considered. For example, Demri et al. recently showed that adding only the singly-linked list-segment predicate to propositional separation logic (i.e., with * , − * and classical connectives ∧, ∨, ¬) leads to undecidability [16].
Most SL specifications used in automated verification do, however, not make use of arbitrary heap compositions. For example, the widely used symbolic-heap fragments of separation logic considered, e.g., in [3,4,13,21,22], have the following property. To show that a model of a symbolic heap satisfies a separating conjunction, it is always sufficient to split the model at program variables (for quantifier-free symbolic heaps) and logical variables (for existentially-quantified symbolic heaps).
Motivated by this observation, we propose a more restrictive separating conjunction that allows splitting the heap only at locations pointed to by variables. We call the resulting logic strong-separation logic. Strong-separation logic (SSL) shares many properties with standard separation-logic semantics; for example, the models of our logic form a separation algebra. Because the frame rule and other standard SL inference rules continue to hold for SSL, SSL is suitable for deductive Hoare-style verification à la [23,37], symbolic execution [4], as well as Infer-style bi-abductive analyses [9,10]. At the same time, SSL has much better computational properties than standard SL-especially when formulas contain expressive features such as the magic wand, − * , or negation.
We now give a more detailed introduction to the contributions of this article.
The standard semantics of the separating conjunction.
To be able to justify our changed semantics of * , we need to introduce a bit of terminology. As standard in separation logic, we interpret SL formulas over stack-heap pairs. A stack is a mapping of the program variables to memory locations. A heap is a finite partial function between memory locations; if a memory location l is mapped to location l ′ , we say the heap contains a pointer from l to l ′ . A memory location l is allocated if there is a pointer of the heap from l to some location l ′ . We call a location dangling if it is the target of a pointer but not allocated; a pointer is dangling if its target location is dangling.
Dangling pointers arise naturally in compositional specifications, i.e., in formulas that employ the separating conjunction * : In the standard semantics of separation logic, a stack-heap pair (s, h) satisfies a formula φ * ψ , if it is possible to split the heap h into two disjoint parts h 1 and h 2 such that (s, h 1 ) satisfies φ and (s, h 2 ) satisfies ψ . Here, disjoint means that the allocated locations of h 1 and h 2 are disjoint; however, the targets of the pointers of h 1 and h 2 do not have to be disjoint. Hence, all shared locations of h 1 and h 2 are necessarily dangling in (at least) one of the sub-heaps.
We illustrate this in Fig. 1a, where we show a graphical representation of a stack-heap pair (s, h) that satisfies the formula ls(x, ) * ls( , nil). Here, ls denotes the listsegment predicate. As shown in Fig. 1a, h can be split into two disjoint parts h 1 and h 2 such that (s, h 1 ) is a model of ls(x, ) and (s, h 2 ) is a model of ls( , nil). Now, the subheap h 1 has a dangling pointer with target s( ) (displayed (a) A model of ls(x, ) * ls( , nil) in both the standard semantics and our semantics.
x nil = x nil + (b) A model of ls(x, nil) * t in the standard semantics. Figure 1. Two models and their decomposition into disjoint submodels. We use an orange background to highlight the dangling pointers of submodels.
with an orange background), while no pointer is dangling in the heap h.
In what sense is the standard semantics too permissive?
The standard semantics of * allows splitting a heap into two arbitrary sub-heaps, which may result in the introduction of arbitrary dangling pointers into the sub-heaps. We note, however, that the introduction of dangling pointers is not arbitrary when splitting the models of ls(x, ) * ls( , nil); there is only one way of splitting the models of this formula, namely at the location of program variable . The formula ls(x, ) * ls( , nil) belongs to a certain variant of the symbolic-heap fragment of separation logic, and all formulas of this fragment have the property that their models can only be split at variables. Standard SL semantics also allows the introduction of dangling pointers without the use of variables. Fig. 1b shows a model of ls(x, nil) * t-assuming the standard semantics. Here, the formula t (for true) stands for any arbitrary heap. In particular, this includes heaps with arbitrary dangling pointers into the list segment ls(x, nil). This power of introducing arbitrary dangling pointers is what is used by Demri et al. for their undecidability proof of propositional separation logic with the singly-linked list-segment predicate [16].
Strong-separation logic. In this article, we want to explicitly disallow the implicit sharing of dangling locations when composing heaps with the separating conjunction. We propose to parameterize the separating conjunction by the stack, where-as discussed above-the stack is the current mapping of the program variables to memory locations. We restrict the separating conjunction to exclusively allow the union of heaps that only share locations that are pointed to by the stack. For example, the model in Fig. 1b is not a model of ls(x, nil) * t in our semantics because of the dangling pointers in the sub-heap that satisfies t. Strong-separation logic (SSL) is the logic resulting from this restricted definition of the separating conjunction.
Why should I care? We argue that strong-separation logic is a promising proposal for automated program verification: 1) We show that the memory models of strong-separation logic form a separation algebra [11], which guarantees the soundness of the standard frame rule of separation logic [37]. Consequently, SSL can be used instead of standard SL in a wide variety of (semi-)automated analyzers and verifiers, including Hoare-style verification [37], symbolic execution [4], and bi-abductive shape analysis [10].
2) To date, most automated reasoners for separation logic have been developed for symbolic-heap separation logic [3,4,10,21,22,26]. In these fragments of separation logic, assertions about the heap can exclusively be combined via * ; neither the magic wand − * nor classical Boolean connectives are permitted. We show that the semantics of strongseparation logic agrees with the standard semantics on symbolic heaps. For this reason, many SL specifications remain unchanged when switching to strong-separation logic.
3) We establish that the satisfiability problem for full propositional separation logic with the singly-linked list-segment predicate is decidable in our semantics (in PS )-in stark contrast to the aforementioned undecidability result obtained by Demri et al. [16] assuming the standard semantics. The decidability result makes SSL a very promising formalism for automating Hoare-style verification, as we can automatically discharge the verification conditions (VC) generated by strongest-postcondition and weakest-precondition calculi. This is in contrast to standard SL; to quote from [2, p. 131]: "VC-generators do not work especially well with separation logic, as they introduce magic-wand − * operators which are difficult to eliminate. " 4) The shape analysis in Facebook's Infer analyzer [9], builds on bi-abductive reasoning for achieving a scalable and fully-automated analysis of heap-manipulating programs [10]. We show that the decidability result of strong-separation logic extends to abduction, frame inference and bi-abduction. Furthermore, we argue that we can automatically find the most precise solutions to these problems, the solutions with the smallest memory footprint, as well as all symbolic-heap solutions. As such, our results generalize the only known complete algorithms for abduction and bi-abduction [10,19].
Contributions. Our main contributions are as follows.
1. We propose and motivate strong-separataion logic, a new semantics for separation logic. 2. We present a PS decision procedure for strongseparation logic with points-to assertions, the list-segment predicate ls(x, ), and spatial and classical operators, i.e., * , − * , ∧, ∨, ¬-a logic that is undecidable when assuming the standard semantics [16]. 3. We present decision procedures for abduction, frame inference and bi-abduction for strong-separation logic, showing both how to obtain optimal solutions and how to obtain symbolic-heap solutions. We strongly believe that these results motivate further research on strong-separation logic (e.g., going beyond the singly-linked list-segment predicate and the integration into fully-automated analyzers).
Related work. The undecidability of separation logic was established already in [12]. Since then, decision problems for a large number of fragments and variants of separation logic have been studied. Most of this work has been on symbolicheap separation logic or other variants of the logic that neither support the magic wand nor the use of negation below the * operator. While entailment in the symbolic-heap fragment with inductive definitions is undecidable in general [1], there are decision procedures for variants with builtin lists and/or trees [3,13,[31][32][33], support for defining variants of linear structures [20] or tree structures [22,39] or graphs of bounded tree width [21,26]. The expressive heap logics S [29] and D [34] also have decidable fragments, as have some other separation logics that allow combining shape and data constraints. Besides the already mentioned work [32,33], these include [25,28].
Among the aforementioned works, the graph-based decision procedures of [13] and [25] are most closely related to our approach. Note however, that neither of these works supports reasoning about magic wands or negation below the separating conjunction.
In contrast to symbolic-heap SL, separation logics with the magic wand quickly become undecidable. Propositional separation logic with the magic wand, but without inductive data structures, was shown to be decidable in PS in the early days of SL research [12]. Support for this fragment was added to CVC4 a few years ago [36]. Some tools have "lightweight" support for the magic wand involving heuristics and user annotations, in part motivated by the unavailability of decision procedures [6,38].
There is a significant body of work studying first-order SL with the magic wand and unary points-to assertions, but without a list predicate. This logic was first shown to be undecidable in [8]; a result that has since been refined, showing e.g. that while satisfiability is still in PS if we allow one quantified variable [15], two variables already lead to undecidability, even without the separating conjunction [14]. Echenim et al. [18] have recently addressed the satisfiability problem of SL with ∃ * ∀ * quantifier prefix, separating conjunction, magic wand, and full Boolean closure, but no inductive definitions. The logic was shown to be undecidable in general (contradicting an earlier claim [35]), but decidable in PS under certain restrictions. Most closely related to our paper, and in fact to a large extent motivating our work, is the undecidability result of Demri et al. [16] for the logic with list segments, * , − * and classical operators: We will prove the decidability of this fragment assuming our strong-separation semantics.
Outline. In Section 2, we introduce two semantics of propositional separation logic, the standard semantics and our new strong-separation semantics. We also discuss key differences and similarities between the two semantics. We show the decidability of the satisfiability and entailment problems of strong-separation logic with lists in Section 3. We extend the decidability result to abduction, frame inference and biabduction in Section 4. We conclude in Section 5.
2 Strong-and Weak-Separation Logic

Preliminaries
We denote by |X | the cardinality of the set X . Let f be a (partial) function. Then dom(f ) and img(f ) denote the domain and image of f , respectively. We write | f | := |dom(f )|. We frequently use set notation to define and reason about partial functions. For example, f := {x 1 → 1 , . . . , x k → k } is the partial function that maps x i to i , 1 ≤ i ≤ k, and is undefined on all other values; f ∪ is the union of partial functions f and ; and f ⊆ holds if dom(f ) ⊆ dom( ) and f (a) = (a) for all a ∈ dom(f ).
Sets and ordered sequences are denoted in boldface, e.g., x. To list the elements of a sequence, we write x 1 , . . . , x k .
We assume a linearly-ordered infinite set of variables Var with nil ∈ Var and denote by max(v) the maximal variable among a finite set of variables v according to this order.
In Fig. 2, we define the syntax of the separation-logic fragment we study in this article. The atomic formulas of our logic are the empty-heap predicate emp, points-to assertions x → , the list-segment predicate ls(x, ), and equalities x = ; in all these cases, x, ∈ Var. Formulas are closed under the classical Boolean operators ∧, ∨, ¬ as well as under the separating conjunction * and the existential magic wand, − ⊛ (see e.g. [8]). We collect the set of all SL formulas in SL.

Two Semantics of Separation Logic
Memory model. Loc is an infinite set of heap locations. A stack is a partial function s : Var ⇀ Loc. A heap is a partial function h : Loc ⇀ Loc. A model is a stack-heap pair (s, h) with nil ∈ dom(s) and s(nil) dom(h). We let locs(h) := dom(h) ∪ img(h). A location ℓ is dangling if ℓ ∈ img(h) \ dom(h). We write S for the set of all stacks and H for the set of all heaps.
Two notions of disjoint union of heaps. We write h 1 +h 2 for the union of disjoint heaps, i.e., This standard notion of disjoint union is commonly used to assign semantics to the separating conjunction and magic wand. It requires that h 1 and h 2 are domain-disjoint, but does not impose any restrictions on the images of the heaps.
In particular, the dangling pointers of h 1 may alias arbitrarily with the domain and image of h 2 and vice-versa. Let s be a stack. We write h 1 ⊎ s h 2 for the disjoint union of h 1 and h 2 that restricts aliasing of dangling pointers to the locations in stack s. This yields an infinite family of union operators: One for each stack. Formally, Intuitively, h 1 ⊎ s h 2 is the (disjoint) union of heaps that share only locations that are in the image of the stack s. Note that if h 1 ⊎ s h 2 is defined then h 1 + h 2 is defined, but not viceversa. Just like the standard disjoint union +, the operator ⊎ s gives rise to a separation algebra, i.e., a cancellative, commutative partial monoid [11]. Proof. Trivially, the operation ⊎ s is commutative and associative with unit u.
Since the domain h is disjoint from both the domain of h 1 and the domain of h 2 , it follows that for all x, h 1 (x) = h 2 (x) and thus h 1 = h 2 . As h 1 and h 2 were chosen arbitrarily, we obtain that the function h ⊎ s (·) is injective. Consequently, the monoid is cancellative.
Weak-and strong-separation logic. Both + and ⊎ s can be used to give a semantics to the separating conjunction and septraction. We denote the corresponding model relations wk |= and st |= and define them in Fig. 3. Where the two semantics agree, we simply write |=.
In both semantics, x = holds in all models that interpret x and by the same location and emp only holds in the empty heap. Points-to assertions x → are precise, i.e., only hold in singleton heaps. (It is, of course, possible to express intuitionistic points-to assertions by x → * t.) The list segment predicate ls(x, ) holds in possibly-empty lists of pointers from s(x) to s( ). Note that our list semantics implies that ls(x, x) is only satisfied by empty lists, not by cyclic lists. This is in line with, for example, the work by Demri et al. [16]. All results in this article can be easily adapted to a semantics that allows cyclic list segments.
The semantics of Boolean connectives are standard. The semantics of the separating conjunction, * , and septraction, − ⊛, differ based on the choice of + vs. ⊎ s for combining disjoint heaps. In the former case, denoted wk |=, we get the standard semantics of separation logic (cf. [37]). In the latter case, denoted st |=, we get a semantics that imposes stronger requirements on sub-heap composition: Sub-heaps may only overlap at locations that are stored in the stack.
Because the semantics st |= imposes stronger constraints, we will refer to the standard semantics wk |= as the weak semantics of separation logic and to the semantics st |= as the strong semantics of separation logic. Moreover, we use the terms weak-separation logic (WSL) and strong-separation logic (SSL) to distinguish between SL with the semantics wk |= and st |=.
In Fig. 4, we show two models of φ. On the left, we assume that a, b are the only program variables, whereas on the right, we assume that there is a third program variable c.
Note that the latter model, where the two lists overlap, is possible in SSL only because the lists come together at the location labeled by c. If we removed the variable c from the stack, the model would no longer satisfy φ according to the strong semantics, because ⊎ s would no longer allow splitting the heap at that location. Conversely, the model would still satisfy φ according to the standard semantics. This is a feature rather than a bug of SSL: By demanding that the user of SSL specify aliasing explicitly-for example by using the specification ls(a, c) * ls(b, c) * ls(c, nil) ∧ c nil-we rule out unintended aliasing effects. △ Isomorphism. SL formulas cannot distinguish isomorphic models.
Proof. We prove the claim by induction on the structure of the formula φ. Clearly, the claim holds for the base cases emp, x → , ls(x, ) and x = . Further, the claim immediately follows from the induction assumption for the cases φ 1 ∧ φ 2 , φ 1 ∨ φ 2 and ¬φ. It remains to consider the cases φ 1 * φ 2 and φ 1 − * φ 2 . Let (s, h) and (s ′ , h ′ ) be two stack-heap pairs with (s, h) (s ′ , h ′ ).
We will show that (s, h) We consider the bijection σ that witnesses the isomorphism between (s, h) and Hence, we can apply the induction assumption and get that ( the other direction is completely symmetric. We assume that We consider the bijection σ that witnesses the isomorphism between (s, h) and (s ′ , h ′ ). Let L ⊆ Loc be some subset of locations with L ∩ (locs(h) ∪ img(s)) = ∅ and |L| = locs(h ′ 0 ) \(locs(h ′ ) ∪img(s ′ )). We can extend σ to some bijective function σ ′ : Semantic consequence. We denote by φ

Correspondence of Strong and Weak Separation on Positive Formulas
We call an SL formula φ positive if it does not contain ¬. Note that, in particular, this implies that φ does not contain the magic wand − * or the atom t.
In models of positive formulas, all dangling locations are labeled by variables.
Proof. By a straightforward structural induction on φ As every location that is shared between heaps h 1 + h 2 is dangling either in h 1 or in h 2 (or both), the union operations + and ⊎ s coincide on models of positive formulas.
Since the semantics coincide on atomic formulas by definition and on * by Lemma 2.5, we can easily show that they coincide on all positive formulas.
Lemma 2.7. Let φ be a positive formula and let (s, h) be a model.
Proof. We proceed by structural induction on φ. If φ is atomic, there is nothing to show. For φ = φ 1 * φ 2 and φ = φ 1 − ⊛φ 2 , the claim follows from the induction hypotheses and Lemma 2.6.
By negating Lemma 2.7, we thus have that implies that φ contains negation, either explicitly or, for example, in the form of a magic wand or t. In particular, Lemma 2.7 implies that the two semantics coincide on the popular symbolicheap fragment of separation logic. 2

Deciding the SSL Satisfiability Problem
The goal of this section is to develop a decision procedure for SSL. Specifically, we will prove the following theorem. Note the parameterization on x that reflects that our semantics changes as we increase the stack size.
Our approach is based on the following two insights. 1. The union ⊎ s induces a unique decomposition of the heap into at most |s | minimal chunks of memory that cannot be further decomposed.

To decide whether (s, h)
st |= φ, it is sufficient to know for each chunk of h (1) which atomic formulas the chunk satisfies and (2) which variables are allocated in the chunk. We proceed as follows. In Sec 3.1, we make precise the notion of memory chunks. In Sec. 3.2, we define abstract memory states (AMS), an abstraction of models that retains for every chunk precisely the information from point 2 above. We show how to map every SSL formula to the AMS of its models in Sec. 3.3 through Sec. 3.5. In Secs. 3.6 and 3.7, we use these results to develop a procedure for deciding satisfiability of SSL formulas by means of AMS computation. Finally, we prove the PS -completeness result in Sec. 3.8.

Memory Chunks
We will abstract stack-heap pairs by abstracting every chunk of memory in the heap. For our purposes, a chunk of h is a minimal nonempty sub-heap of h that can be split off of h according to the strong-separation semantics.
there exists a heap h 0 such that h = h 1 ⊎ s h 0 , and 2 Strictly speaking, Lemma 2.7 implies this only for the symbolic-heap fragment of the separation logic studied in this paper, i.e., with the list predicate but no other data structures. The result can, however, easily be generalized to symbolic heaps with trees (as studied e.g. in [22,40]) or symbolic heaps of bounded treewidth as proposed in [21].

for all
Proof. We will prove the claim by providing a graph-theoretic representation of the chunks of (s, h). We consider the di- . G contains all the edges of the heap h except for the edges that end in a location which is pointed to by a variable. Let C 1 , . . . , C n be the connected components of G. We note that connected components may consist of a single location and no edges. We now consider the induced sub-heaps h 1 , . . . , h n of h, where we define h i to be the heap h restricted to the locations of C i . We now prove that h 1 , . . . , h n are indeed the chunks of h: We consider two heaps S and T such that S ⊎ s T = h. Then we have that each sub-heap h i is fully contained in either S or T because only edges that end in a location can be used to connect the two heaps S and T . Further, for all i j, the locations in locs(h i ) ∩ locs(h j ) are pointed to by stack variables, i.e., locs(h i ) ∩ locs(h j ) ⊆ img(s), because these locations are the targets of the removed edges and thus in img(s) by construction. Consequently, h 1 ⊎ s h 2 ⊎ s · · ·⊎ s h n is defined. Moreover, every location in dom(h) is contained in some connected componentC i and thus in some sub-heap h i . Hence, h = h 1 ⊎ s h 2 ⊎ s · · · ⊎ s h n .   (2) there exists an l with preds h (l) = ∅. h c is a cycle iff preds h (l) = 1 for all l ∈ locs(h). △ Note that not every chunk falls into the above categories, as a single chunk may consist of a cycles overlaid with an acyclic heap. We define a couple of operations on chunks.
Since heap locations can have arbitrarily many predecessors, roots(h c ) can be arbitrarily large.  Intuitively, every path chunk corresponds to a points-to assertion or a nonempty list segment in (s, h) that is delimited by stack variables (because it has both root and sink variables). Conversely, malformed chunks can be classified into four (not mutually-exclusive) categories: 1. A cyclic list of length at least two. 3 2. Overlaid lists that cannot be separated via ⊎ s (because they are joined at locations that are not in img(s)). 3. Garbage, i.e., memory inaccessible via stack variables. 4. Lists that end in a dangling pointer that cannot be made non-dangling via composition (because the dangling location is not in img(s)).
For example, the chunk h 3 from Ex. 3.3 can be viewed as two overlaid list segments (from 4 to 3 and 5 to 3), and it contains garbage, namely the location 4 that cannot be reached via stack variables; and the chunk h 4 ends in a dangling pointer that is not in img(s). Every path chunk satisfies at least one atomic formula (a points-to assertion, a list predicate, or both), whereas malformed chunks do not satisfy any positive SSL formula.

Abstract Memory States
Our goal is to abstract the heap by abstracting every chunk in the heap in such a way that (1) we retain enough information to determine which atomic formulas the chunks satisfy and (2) we keep track of which variables are allocated within each chunk. To this end, we map every model to an abstract memory state defined as follows.   The reverse also holds: Every AMS is the induced AMS of at least one model; in fact, even of a model of linear size. Proof. For simplicity, we assume Loc = N; this allows us to add locations. Let x := V ∪ ρ be the set of variables that occur in A and n := |x|. Furthermore, let ν : V → {0, . . . , |x|} be an injective function from nodes to natural numbers. We define s := ∈V { → ν ( ) | ∈ } and h as the (disjoint) union of: We abstract SL formulas by the set of AMS of their models.  Proof. Let A ∈ α s (φ). Then there exists a heap h such that ams(s, h) = A and (s, h) The other direction is proved analogously.
Consequently, we have |α x (φ)| = B |x | if B k denotes the k-th Bell number, i.e., the number of partitions of a set with k elements.
In Secs. 3.3 through 3.5, we will derive the sets α s (φ) for all formulas φ. We will then show how to effectively compute a finite representation of these sets in Secs. 3.6 to 3.8.

Abstract Memory States of Atomic Formulas
We begin by deriving α s (φ) for atomic φ. In the remainder of this subsection, let s be an arbitrary but fixed stack.
The empty-heap predicate emp is only satisfied by the empty heap, i.e., by a heap that consists of zero chunks. Consequently, A points-to assertion x → is satisfied only in the heap that consists of a single path chunk of size one mapping s(x) to s( ). Therefore, Intuitively, the list segment ls(x, ) is satisfied by models that consist of zero or more path chunks, corresponding to a (possibly empty) list from s(x) to s( ) via (zero or more) intermediate stack-referenced locations s( 1 ), . . . , s( n ). Let us make this precise. Let z 1 , . . . , z n be variables. We call Then A ∈ α s (ls(x, )) iff A is an abstract list w.r.t. s.
Proof. Assume A ∈ α s (ls(x, )). Then there eixsts a heap h with (s, h) st |= ls(x, ). By the semantics, there exist locations l 1 , . . . , l n , n ≥ 1, with s(x) = l 1 , s( ) = l n and h(l i ) = l i +1 . Let j 1 , . . . , j k those indices among 1, . . . , n with l j i ∈ img(s). (In particular, j 1 = 1 and j k = n.) Then for each j i , the restriction of h to l j i , l j i +1 , . . . , l j i +1 −1 is a path chunk. Moreover, the sink variables of the i-th path chunk are the root variables of the (i + 1)-st path chunk. Consequently, A is an abstract list w.r.t. s.
The proof of the other direction is similar.
Finally, the atom x = is independent of the heap; its truth value depends only on the aliasing between x and in the stack. Consequently, α s (x = ) either contains every AMS or no AMS with V = cls = (s).

Abstract Memory States of Boolean Operators
Having defined the sets of AMS of all atomic SSL formulas, we next turn to the Boolean operators. Not surprisingly, the sets of AMS of the Boolean operators ∧, ∨ and ¬ can be expressed in terms of intersection, union, and complement.

Composing Abstract Memory States
Our next goal is to lift the * and − ⊛ operators to (sets of values from) the abstract domain AMS: We will define operators • and − • with Together with Sections 3.3 and Sections 3.4, we thus obtain a full characterization of the function α.
We will first define • for pairs of AMS and then lift the operation to sets of AMS to obtain the above homomorphisms. AMS composition is a partial operation defined only on compatible AMS. Compatibility enforces (1) that there is no double allocation and (2) that the AMS were obtained for equivalent stacks (i.e., for stacks s, s ′ with cls = (s) = cls = (s ′ )).

Definition 3.26. Two AMS
AMS composition is defined in a point-wise manner on compatible AMS and undefined otherwise.
The composition of A 1 , A 2 is then given by We lift composition to sets of AMS A 1 , A 2 and define Note that ams(s, h 1 ) and ams(s, h 2 ) are compatible if (s, h 1 )⊎ s (s, h 2 ) is defined.

Garbage Equivalence
Over the course of the previous subsections, we have seen how to compute the set α s (φ) for every formula φ. There is no direct implementation of this approach, however: While α s (φ) is finite if φ is a spatial atom, the set is infinite in general; see α s (¬φ), α s (φ 1 − ⊛φ 2 ), and α s (x = ).
As every node in V and every set in ρ has to contain at least one stack variable, there are for every fixed stack s only finitely many ways to pick the nodes V , the edges E and the malformed-allocation constraint ρ. The garbage-chunk count can, however, be an arbitrary natural number. Fortunately, to decide the satisfiability of any fixed formula φ, it is not necessary to keep track of arbitrarily large garbagechunk counts.
We introduce a notion of chunk size of formula φ, ⌈φ⌉, that provides an upper bound on the number of chunks that may be necessary to satisfy and/or falsify the formula; ⌈φ⌉ is defined as follows.
We generalize Lemma 3.32 to models whose AMS differ in their garbage-chunk count, provided both garbage-chunk counts exceed the chunk size of the formula. Lemma 3.36. Let φ be a formula with ⌈φ⌉ = k. Let m ≥ k, n ≥ k and let (s, h 1 ), (s, h 2 ) be models with ams(s, Proof. If m = n, the result follows from Lemma 3.32. If m n, assume w.l.o.g. that m < n. We proceed by structural induction on φ. We only prove one implication, as the proof of the other direction is very similar. it follows that, either m 1 ≥ ⌈φ 1 ⌉ or m 2 ≥ ⌈φ 2 ⌉ (or both). Assume w.l.o.g. that m 1 ≥ ⌈m⌉ and let A ′ 1 := V 1 , E 1 , ρ 1 , n − m 2 . Observe that ams(s, h 2 ) = A ′ 1 • A 2 . There thus exist by Lemma 3.31 heaps h 2, 1 , h 2, 2 such that (s, h 2 ) = h 2, 1 ⊎ s h 2, 2 , ams(s, h 2, 1 ) = A ′ 1 and ams(s, h 2, 1 ) = A 2 . As both m 1 ≥ ⌈φ 1 ⌉ and n − m 2 > m − m 2 = m 1 ≥ ⌈φ 1 ⌉, we have by the induction hypothesis for φ 1 that (s, h 2, 1 ) st |= φ 1 . Additionally, we have h 2, 2 st |= φ 2 by Lemma 3.32. Consequently, . Trivially, m +m 2 ≥ m = ⌈φ 2 ⌉ and n + m 2 ≥ n > m = ⌈φ 2 ⌉. It thus follows from the induction hypothesis for In other words, φ is satisfiable over stack s iff φ is satisfiable by a heap that contains at most ⌈φ⌉ garbage chunks. Conversely, if φ is not satisfiable over s it is, not satisfied by any heap; in particular, it is not satisfied by heaps with garbage-chunk count of at most k.
As all sets that occur in the definition of abst s (φ) are finite, the function is computable. To decide whether φ is satisfiable in a stack of size n, we can thus proceed as follows. We pick a set of variables x ⊇ fvs(φ). By Lemma 3.17, there are only finitely many stacks over x that have different abstractions. For each of these stacks, we can decide the nonemptiness of α s by Lemma 3.39 and Cor. 3.40. The formula is satisfiable iff α s is nonempty for any of the stacks.
Theorem 3.41. It is decidable whether φ is satisfiable in a stack of size at most n.
Proof. Observe that φ is satisfiable in a stack of size at most n iff φ is satisfiable in a stack s with dom(s) ⊆ {fvs(φ)} ∪ a 1 , . . . , a n− |fvs(φ)| ( †), where we assume w.l.o.g. that a i fvs(φ) for all i. Observe that C := {cls = (s) | dom(s) ⊆ x} is finite; and that all stacks s, s ′ with cls = (s) = cls = (s ′ ) have the same abstraction by Lemma 3.17. Consequently, we can compute the set R := {abst s (φ) | dom(s) ⊆ x} by picking for each element X ∈ C one stack s with cls = (s) = X and computing abst s (φ) for this stack. Moreover, by Cor. 3.40, abst s (φ) is computable for every such stack. By Lemma 3.39 and Cor. 3.37, φ is satisfiable over stack s iff abst s (φ) is nonempty. Putting all this together, we obtain φ is satisfiable in stacks of size n if and only if any of finitely many computable sets abst s (φ) is nonempty.
As our logic is closed under negation, we can, of course, also decide the entailment problem for SSL formulas. Proof. φ st |= x ψ iff φ ∧ ¬ψ is unsatisfiable over stacks of size |x|, which is decidable by Theorem 3.41.

Complexity of the SSL Satisfiability Problem
It is easy to see that the algorithm abst s (φ) runs in exponential time. We conclude this section with a proof that SSL satisfiability and entailment are actually PS -complete. Figure 7. Translation qbf_to_sl(F ) from closed QBF formula F (in negation normal form) to an SSL formula that is satisfiable iff F is true.

PS
-hardness. An easy reduction from quantified Boolean formulas (QBF) shows that the SSL satisfiability problem is PS -hard. The reduction is presented in Fig. 7. We encode positive literals x by (x → nil) * t (the heap contains the pointer x → nil) and negative literals by (x → nil)− ⊛t (it is possible to extend the heap with a pointer x → nil, implying that the heap does not contain the pointer x → nil). The magic wand is used to simulate universals (i.e., to enforce that we consider both the case x → nil and the case emp, thus setting x both to true and to false). Analogously, septraction is used to simulate existentials. Similar reductions can already be found (for standard SL) in [12].
Lemma 3.43. The SSL satisfiability problem is PS -hard.
Note that this reduction simultaneously proves the PS hardness of SSL model checking: If F is a QBF formula over variables x 1 , . . . , x k , then qbf_to_sl(F ) is satisfiable iff

PS
-membership. For every stack s and every bound on the garbage-chunk count of the AMS we consider, it is possible to encode every AMS by a string of polynomial length.
Proof. Let A = V , E, ρ, γ ∈ AMS k,s . Each of the |s | ≤ n variables that occur in A can be encoded by a logarithmic number of bits.
Observe that | V | ≤ |s |, so V can be encoded by at most O(n log(n) + n) symbols (using a constant-length delimiter between the nodes). Each of the at most |V | edges can be encoded by O(log(n)) bits, encoding the position of the source and target nodes in the encoding of V by O(log(n)) bits each and expending another bit to differentiate between = 1 and ≥ 2 edges. ρ can be encoded like V . Since γ ≤ k ≤ n, γ can    x (φ,ψ * t)) and ζ 2 := formof ⌈φ ⌉+ ⌈ψ ⌉ x (frame bounded x (φ,ψ )). The pair ζ 1 , ζ 2 is a minimal bi-abduction solution for φ and ψ .

Symbolic-Heap Anti-Frames
While Theorem 4.5 allows us to compute optimal solutions to abduction, frame inference and bi-abduction, these optimal solutions have a complicated Boolean structure and may thus be unsuitable for some program analyses. For example, the bi-abduction-based analysis in Infer [9] uses the symbolic-heap fragment as abstract domain for symbolic execution, as do many other SL-based analyzers. A symbolic heap is a formula of the form τ 1 * · · · * τ k ∧ Π, where the τ i are spatial atoms (in our case, emp, x → , ls(x, )) and Π is a conjunction of equalities x = and disequalities x .
We can systematically obtain symbolic-heap solutions for the abduction problem by our method as follows. First, we add to SSL a new spatial atom ls ≥2 (x, ) with the following semantics. ls ≥2 (x, ) holds in a model iff the model is a list segment of length at least 2 from x to . We can then simplify the formula graph(A) in formof x (A) by translating edges E( ) = ( ′ , ≥ 2) edges to the atom ls ≥2 (max( ), max( ′ )). We denote the resulting translation function by formof ′ x (A). We then have that formof ′ x ( V , E, ρ, γ ) is a symbolic heap iff ρ = ∅ and γ = 0.

Conclusion
We showed that the satisfiability problem for strong-separation logic with lists is in the same complexity class as the satisfiability problem for standard "weak" separation logic without any data structures: PS -complete. This is in stark contrast to the undecidability result standard (weak) SL semantics, as shown in [16]. Additionally, we showed how to solve abduction, frame inference and bi-abduction for strong-separation logic. This constitutes the first work that addresses (bi-)abduction and frame inference for a separation logic closed under Boolean operators and the magic wand and generalizes the results of [10,19].
We consider this work just a first step in examining strongseparation logic, motivated by the desire to circumvent the undecidability result of [16]. Our immediate future work is concerned with the practical evaluation of our decision procedures. We have already implemented the decision procedures and are currently working on the integration of our solver both into a deductive verification framework and into a bi-abductive shape analysis. Moreover, we are convinced that our results can be generalized to much richer separation logics; for example, we believe that it possible to extend our decision procedure to SL with trees, SL with nested data structures or SL with limited support for arithmetic reasoning like in [25]-claims we plan to substantiate in future work.