Unifying Decidable Entailments in Separation Logic with Inductive Definitions

The entailment problem ϕ |= ψ in Separation Logic [12,15], between separated conjunctions of equational (x ≈ y and x ≉ y), spatial (x ↦ (y₁, ..., y_κ)) and predicate (p(x₁, ..., xₙ)) atoms, interpreted by a finite set of inductive rules, is undecidable in general. Certain restrictions on the set of inductive definitions lead to decidable classes of entailment problems. Currently, there are two such decidable classes, based on two restrictions, called establishment [10,13,14] and restrictedness [8], respectively. Both classes are shown to be in 2EXPTIME by the independent proofs from [14] and [8], respectively, and a many-one reduction of established to restricted entailment problems has been given [8]. In this paper, we strictly generalize the restricted class, by distinguishing the conditions that apply only to the left- (ϕ) and the right- (ψ) hand side of entailments, respectively. We provide a many-one reduction of this generalized class, called safe, to the established class. Together with the reduction of established to restricted entailment problems, this new reduction closes the loop and shows that the three classes of entailment problems (respectively established, restricted and safe) form a single, unified, 2EXPTIME-complete class.


Introduction
Separation Logic [12,15] (SL) was primarily introduced for writing concise Hoare logic proofs of programs that handle pointer-linked recursive data structures (lists, trees, etc.). Over time, SL has evolved into a powerful logical framework that constitutes the basis of several industrial-scale static program analyzers [3,2,5], which perform scalable compositional analyses based on the principle of local reasoning: describing the behavior of a program statement with respect only to the small (local) set of memory locations that are changed by that statement, with no concern for the rest of the program's state.
Given a set of memory locations (e.g., addresses), SL formulae describe heaps, that are finite partial functions mapping finitely many locations to records of locations. A location is allocated if it occurs in the domain of the heap. An atom x ↦ (y₁, ..., y_κ) states that there is only one allocated location, associated with x, that moreover refers to the tuple of locations associated with (y₁, ..., y_κ), respectively. The separating conjunction φ ∗ ψ states that the heap can split into two parts, with disjoint domains, that make φ and ψ true, respectively. The separating conjunction is instrumental in supporting local reasoning, because the disjointness between the (domains of the) models of its arguments ensures that no update of one heap can actually affect the other.
Reasoning about recursive data structures of unbounded sizes (lists, trees, etc.) is possible via the use of predicate symbols, whose interpretation is specified by a user-provided set of inductive definitions (SID) of the form p(x₁, ..., xₙ) ⇐ π, where p is a predicate symbol of arity n and the free variables of the formula π are among the parameters x₁, ..., xₙ of the rule. Here the separating conjunction ensures that each unfolding of the rules, which substitutes some predicate atom p(y₁, ..., yₙ) by a formula π[x₁/y₁, ..., xₙ/yₙ], corresponds to a way of building the recursive data structure. For instance, a list is either empty, in which case its head equals its tail pointer, or is built by first allocating the head, followed by all elements up to but not including the tail, as stated by the inductive definitions ls(x, y) ⇐ x ≈ y and ls(x, y) ⇐ ∃z. x ↦ (z) ∗ ls(z, y).
An important problem in program verification, arising during the construction of Hoare-style correctness proofs of programs, is the discharge of verification conditions of the form φ |= ψ, where φ and ψ are SL formulae, asking whether every model of φ is also a model of ψ. These problems, called entailments, are, in general, undecidable in the presence of inductively defined predicates [11,1].
A first decidable class of entailments, described in [10], involves three restrictions on the SID rules: progress, connectivity and establishment. Intuitively, the progress (P) condition states that every rule allocates exactly one location, the connectivity (C) condition states that the set of allocated locations has a tree-shaped structure, and the establishment (E) condition states that every existentially quantified variable from a rule defining a predicate is (eventually) allocated in every unfolding of that predicate. A 2EXPTIME algorithm was proposed for testing the validity of PCE entailments [13,14] and a matching 2EXPTIME-hardness lower bound was provided shortly after [6].
Later work relaxes the establishment condition, necessary for decidability [7], by proving that the entailment problem is still in 2EXPTIME if the establishment condition is replaced by the restrictedness (R) condition, which requires that every disequality (x ≉ y) involves at least one free variable from the left-hand side of the entailment, propagated through the unfoldings of the inductive system [8]. Interestingly, the rules of a progressive, connected and restricted (PCR) entailment may generate data structures with "dangling" (i.e. existentially quantified but not allocated) pointers, which was not possible with PCE entailments.
In this paper, we generalize PCR entailments further, by showing that the connectivity and restrictedness conditions are needed only on the right-hand side of the entailment, whereas the only condition required on the left-hand side is progress (which can usually be enforced by folding or unfolding definitions). Our results thus allow for "asymmetric" entailments, i.e., one can test whether the structures described by inductive rules that are (almost) arbitrary fulfill some restricted formula. Although the class of data structures that can be described is much larger, we show that this new class of entailments, called safe, is also 2EXPTIME-complete, by a many-one reduction of the validity of safe entailments to the validity of PCE entailments. A second contribution of the paper is the cross-certification of the two independent proofs of the 2EXPTIME upper bounds, for the PCE [6,14,8] and PCR [8] classes of entailments, respectively, by closing the loop. Namely, the reduction given in this paper enables the translation of any of the three entailment problems into an equivalent problem in any other class, while preserving the 2EXPTIME upper bound. This is because all the reductions are polynomial in the overall size of the SID and singly-exponential in the maximum size of the rules in the SID. The theoretical interest of the reduction is that it makes the proof of decidability and of the complexity class much shorter and clearer. It also has some practical advantages, since it allows one to re-use existing implementations designed for established systems instead of having to develop entirely new automated reasoning systems. Due to space restrictions, some of the proofs are omitted. All proofs can be found in [9].

Definitions
For a (partial) function f : A → B, we denote by dom(f) and rng(f) its domain and range, respectively. For a relation R ⊆ A × A, we denote by R* the reflexive and transitive closure of R.
Let κ be a fixed natural number throughout this paper and let P be a countably infinite set of predicate symbols. Each predicate symbol p ∈ P is associated a unique arity, denoted ar(p). Let V be a countably infinite set of variables. For technical convenience, we also consider a special constant ⊥, which will be used to denote "empty" record fields. Formulae are built inductively, according to the following syntax: where p ∈ P is a predicate symbol of arity n = ar(p), x, x′, x₁, ..., xₙ ∈ V are variables and y₁, ..., y_κ ∈ V ∪ {⊥} are terms, i.e. either variables or ⊥.
The set of variables freely occurring in a formula φ is denoted by fv(φ); we assume by α-equivalence that the same variable cannot occur both free and bound in the same formula φ, and that distinct quantifiers bind distinct variables. The size |φ| of a formula φ is the number of occurrences of symbols in φ. A formula x ≈ x′ or x ≉ x′ is an equational atom, x ↦ (y₁, ..., y_κ) is a points-to atom, whereas p(x₁, ..., xₙ) is a predicate atom. Note that ⊥ cannot occur in an equational or in a predicate atom. A formula is predicate-less if no predicate atom occurs in it. A symbolic heap is a formula of the form ∃x⃗. ∗_{i=1}^{m} αᵢ, where each αᵢ is an atom and x⃗ is a possibly empty vector of variables.
A substitution is a partial function mapping variables to variables. If σ is a substitution and φ is a formula, a variable or a tuple, then φσ denotes the formula, the variable or the tuple obtained from φ by replacing every free occurrence of a variable x ∈ dom(σ) by σ(x). We denote by {⟨xᵢ, yᵢ⟩ | i ∈ 1, n} the substitution with domain {x₁, ..., xₙ} that maps xᵢ to yᵢ, for each i ∈ 1, n.
A set of inductive definitions (SID) R is a finite set of implications (or rules) of the form p(x₁, ..., xₙ) ⇐ π, where p ∈ P, n = ar(p), x₁, ..., xₙ are pairwise distinct variables and π is a quantifier-free symbolic heap. The predicate atom p(x₁, ..., xₙ) is the head of the rule and R(p) denotes the subset of R consisting of rules with head p(x₁, ..., xₙ) (the choice of x₁, ..., xₙ is not important). The variables in fv(π) \ {x₁, ..., xₙ} are called the existential variables of the rule. Note that, by definition, these variables are not explicitly quantified inside π, which is quantifier-free. For simplicity, we write p(x₁, ..., xₙ) ⇐_R π for the fact that the rule p(x₁, ..., xₙ) ⇐ π belongs to R. The size of R is defined as |R| ≝ Σ_{p(x₁,...,xₙ) ⇐_R π} (|π| + n) and its width as w(R) ≝ max_{p(x₁,...,xₙ) ⇐_R π} (|π| + n).
We write p R q, for p, q ∈ P, iff R contains a rule of the form p(x₁, ..., xₙ) ⇐ π and q occurs in π. We say that p depends on q if p R* q. For a formula φ, we denote by P(φ) the set of predicate symbols q such that p R* q for some predicate p occurring in φ. Given formulae φ and ψ, we write φ ⇐_R ψ if ψ is obtained from φ by replacing an atom p(u₁, ..., uₙ) by π{⟨x₁, u₁⟩, ..., ⟨xₙ, uₙ⟩}, where R contains a rule p(x₁, ..., xₙ) ⇐ π. We assume, by a renaming of existential variables, that the set (fv(π) \ {x₁, ..., xₙ}) ∩ fv(φ) is empty. We call ψ an unfolding of φ iff φ ⇐_R* ψ.
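The unfolding step just defined, applied to the list-segment definition ls from the introduction, as an added Python example (not code from the paper): rules are encoded as data, the existential variables of a rule are renamed apart from fv(φ) before the rule body is substituted in, and the predicate-less unfoldings of ls(a, b) are enumerated up to a given number of rule applications. The tuple encoding of atoms, the z_i naming scheme for fresh variables and the depth bound are choices made here, not notation from the paper.

```python
from dataclasses import dataclass
from itertools import count
from typing import List, Tuple

# Constructed, simplified encoding of the atoms of a quantifier-free symbolic heap:
#   ("eq", x, y)               x ≈ y
#   ("neq", x, y)              x ≉ y
#   ("pto", x, (t1, ..., tk))  x ↦ (t1, ..., tk); terms are variables or "⊥"
#   ("pred", p, (x1, ..., xn)) p(x1, ..., xn)
Atom = tuple


@dataclass(frozen=True)
class Rule:
    """A rule p(x1, ..., xn) ⇐ π of an SID; the existential variables of the
    rule are the variables of π that are not among the parameters."""
    head: str
    params: Tuple[str, ...]
    body: Tuple[Atom, ...]

    def existentials(self) -> List[str]:
        return sorted(v for v in free_vars(self.body) if v not in self.params)


def free_vars(atoms) -> set:
    """fv(φ) of a quantifier-free formula; the constant ⊥ is not a variable."""
    vs = set()
    for a in atoms:
        if a[0] in ("eq", "neq"):
            vs.update((a[1], a[2]))
        elif a[0] == "pto":
            vs.add(a[1])
            vs.update(t for t in a[2] if t != "⊥")
        else:  # "pred"
            vs.update(a[2])
    return vs


def subst(atom: Atom, sigma: dict) -> Atom:
    """Apply a substitution (variable -> variable) to one atom."""
    s = lambda v: sigma.get(v, v)
    kind = atom[0]
    if kind in ("eq", "neq"):
        return (kind, s(atom[1]), s(atom[2]))
    if kind == "pto":
        return (kind, s(atom[1]), tuple(s(t) for t in atom[2]))
    return (kind, atom[1], tuple(s(t) for t in atom[2]))


def fresh_var(avoid: set) -> str:
    """Smallest z_i not in `avoid`; used to rename the existential variables of a
    rule apart from fv(φ), as the definition of unfolding requires."""
    for i in count(1):
        v = f"z_{i}"
        if v not in avoid:
            return v


def unfold_once(atoms: List[Atom], index: int, rule: Rule) -> List[Atom]:
    """One step φ ⇐_R ψ: the predicate atom at `index` is replaced by the rule
    body, with parameters replaced by the atom's arguments and existentials renamed."""
    kind, p, args = atoms[index]
    assert kind == "pred" and p == rule.head and len(args) == len(rule.params)
    sigma = dict(zip(rule.params, args))
    avoid = free_vars(atoms) | set(rule.params)
    for z in rule.existentials():
        sigma[z] = fresh_var(avoid)
        avoid.add(sigma[z])
    return atoms[:index] + [subst(a, sigma) for a in rule.body] + atoms[index + 1:]


def predicate_less_unfoldings(atoms, sid, max_steps: int) -> List[Tuple[Atom, ...]]:
    """All predicate-less unfoldings of φ reachable with at most `max_steps` rule
    applications (a recursive predicate has infinitely many, hence the cut-off)."""
    results, frontier = [], [(list(atoms), 0)]
    while frontier:
        phi, steps = frontier.pop()
        idx = next((i for i, a in enumerate(phi) if a[0] == "pred"), None)
        if idx is None:          # no predicate atom left: a predicate-less unfolding
            results.append(tuple(phi))
        elif steps < max_steps:  # otherwise unfold the first predicate atom with every rule for it
            for rule in sid:
                if rule.head == phi[idx][1]:
                    frontier.append((unfold_once(phi, idx, rule), steps + 1))
    return results


# The list-segment definition from the paper (κ = 1):
#   ls(x, y) ⇐ x ≈ y      and      ls(x, y) ⇐ ∃z. x ↦ (z) ∗ ls(z, y)
SID_LS = [
    Rule("ls", ("x", "y"), (("eq", "x", "y"),)),
    Rule("ls", ("x", "y"), (("pto", "x", ("z",)), ("pred", "ls", ("z", "y")))),
]

if __name__ == "__main__":
    for phi in predicate_less_unfoldings([("pred", "ls", ("a", "b"))], SID_LS, 3):
        print(" ∗ ".join(f"{a[1]} ≈ {a[2]}" if a[0] == "eq" else f"{a[1]} ↦ {a[2]}" for a in phi))
```

Each predicate-less unfolding of ls(a, b) is a chain a ↦ (z_1) ∗ z_1 ↦ (z_2) ∗ ... ending in an equality with b; the renaming in unfold_once is what keeps the z_i distinct across successive applications of the second rule.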
We now define the semantics of SL. Let L be a countably infinite set of locations containing, in particular, a special location ‚. A structure is a pair (s, h), where s is a partial function from V ∪ {⊥} to L, called a store, such that ⊥ ∈ dom(s), and h : L → L^κ is a finite partial function, called a heap, such that ‚ ∉ dom(h). If x₁, ..., xₙ are pairwise distinct variables and ℓ₁, ..., ℓₙ ∈ L are locations, we write s′ for the store that maps each xᵢ to ℓᵢ, for i ∈ 1, n, and such that s′(y) = s(y) otherwise. If x₁, ..., xₙ ∉ dom(s), then the store s′ is called an extension of s to {x₁, ..., xₙ}.
Given a heap h, we define ref . Two heaps h₁ and h₂ are disjoint iff dom(h₁) ∩ dom(h₂) = ∅, in which case their union h₁ h₂ is defined; it is undefined whenever h₁ and h₂ are not disjoint.
Given an SID R, (s, h) |=_R φ is the least relation between structures and formulae such that, whenever (s, h) |=_R φ, we have fv(φ) ⊆ dom(s) and the following hold: We omit the subscript R whenever these relations hold for any SID. It is easy to check that, for all formulae Consequently, each formula can be transformed into an equivalent finite disjunction of symbolic heaps.

Decidable Entailment Problems
The class of general entailment problems is undecidable, see Theorem 5 below for a refinement of the initial undecidability proofs [11,1]. A first attempt to define a natural decidable class of entailment problems is described in [10] and involves three restrictions on the SID rules, formally defined below: C, E) for φ (resp. ψ). An entailment problem is P (resp. C, E) iff it is both left-and right-P (resp. C, E).
The decidability of progressing, connected and left-established entailment problems is an immediate consequence of the result of [10]. Moreover, an analysis of the proof in [10] leads to an elementary recursive complexity upper bound, which has recently been tightened to 2EXPTIME-complete [14,8,6]. In the following, we refer to Table 1 for a recap of the complexity results for the entailment problem. The last line is the main result of the paper and corresponds to the most general (known) decidable class of entailment problems (Definition 8). The following theorem is an easy consequence of previous results [6].
Theorem 4. The progressing, connected and left-established entailment problem is 2EXPTIME-complete. Moreover, there exists a decision procedure that runs in time for every instance P of this problem.
A natural question arises in this context: which of the restrictions from the above theorem can be relaxed and what is the price, in terms of computational complexity, of relaxing (some of) them? In the light of Theorem 5 below, the connectivity restriction cannot be completely dropped. Further, if we drop the establishment condition, the problem becomes undecidable [7, Theorem 6], even if both the left/right progress and connectivity conditions apply.
Theorem 5. The progressing, left-connected and established entailment problem is undecidable.
The second decidable class of entailment problems [8] relaxes the connectivity condition and replaces establishment with a syntactic condition (checkable in polynomial time in the size of the SID), while remaining 2EXPTIME-complete. Informally, the definition forbids (dis)equations between existential variables in symbolic heaps or rules: the only allowed (dis)equations are of the form x ≈ y or x ≉ y, where x is a free variable (viewed as a constant in [8]). The definition given below is essentially equivalent to that of [8], but avoids any reference to constants; instead it uses a notion of R-positional functions, which helps to identify existential variables that are always replaced by a free variable from the initial formula during unfolding.
An R-positional function maps every n-ary predicate symbol p occurring in R to a subset of 1, n. Given an R-positional function λ and a formula φ, we denote by V_λ(φ) the set of variables xᵢ such that φ contains a predicate atom p(x₁, ..., xₙ) with i ∈ λ(p). Note that V_λ is stable under substitutions, i.e. V_λ(φσ) = (V_λ(φ))σ, for each formula φ and each substitution σ.
Definition 6. Let ψ be a formula and R be an SID. The fv-profile of the pair (ψ, R) is the R-positional function λ such that the sets λ(p), for p ∈ P, are the maximal sets satisfying the following conditions: 2. For all predicate symbols p ∈ P(ψ), all rules p(x₁, ..., xₙ) ⇐ π in R, all predicate atoms q(y₁, ..., yₘ) in π and all i ∈ λ(q), there exists j ∈ λ(p) such that xⱼ = yᵢ.
The fv-profile of (ψ, R) is denoted by λ^ψ_R.
Intuitively, given a predicate p ∈ P, the set λ^ψ_R(p) denotes the formal parameters of p that, in every unfolding of ψ, will always be substituted by variables occurring freely in ψ. It is easy to check that λ^ψ_R can be computed in polynomial time w.r.t. |ψ| + |R|, using a straightforward greatest fixpoint algorithm. The algorithm starts with a function mapping every predicate p of arity n to 1, n and repeatedly removes elements from the sets λ(p) to ensure that the above conditions hold. In the worst case, we may eventually have λ(p) = ∅ for all predicate symbols p.
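The greatest fixpoint computation of the fv-profile described above, together with the disequation condition on formulas (item 1 of Definition 7 below), as an added Python example that is not code from the paper. Two points are assumptions made here because the page does not reproduce them: the condition imposed on the predicate atoms of ψ itself (item 1 of Definition 6 is not on the page; it is implemented as "an index stays in λ(p) only if the corresponding argument of every atom p(...) of ψ is a free variable of ψ", following the intuition stated above), and, when the disequation check is applied to a rule body, the choice of V as the parameters of the rule's head that belong to λ(head). The SID with the predicates nels and bad is constructed for the example; ls is the paper's list segment.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed, simplified encoding of atoms. Only two kinds are interpreted below,
# every other atom ("eq", "pto", ...) is carried along but ignored:
#   ("neq", y, z)              y ≉ z
#   ("pred", p, (x1, ..., xn)) p(x1, ..., xn)
Atom = tuple


@dataclass(frozen=True)
class Rule:
    head: str                # p
    params: Tuple[str, ...]  # x1, ..., xn (pairwise distinct)
    body: Tuple[Atom, ...]   # π


def pred_atoms(atoms) -> List[Atom]:
    return [a for a in atoms if a[0] == "pred"]


def dependent_predicates(atoms, sid: List[Rule]) -> Set[str]:
    """P(ψ): every predicate symbol q on which a predicate of ψ depends (q itself included)."""
    todo = [a[1] for a in pred_atoms(atoms)]
    seen: Set[str] = set()
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            for r in sid:
                if r.head == p:
                    todo.extend(q[1] for q in pred_atoms(r.body))
    return seen


def fv_profile(psi_atoms, fv_psi: Set[str], sid: List[Rule]) -> Dict[str, FrozenSet[int]]:
    """Greatest fixpoint computation of λ^ψ_R: start with λ(p) = {1..n} for every
    p ∈ P(ψ) and remove indices until the conditions hold. fv_psi is fv(ψ), i.e.
    the variables of psi_atoms that are not existentially quantified in ψ."""
    arity = {r.head: len(r.params) for r in sid}
    for _, p, args in pred_atoms(psi_atoms):
        arity.setdefault(p, len(args))
    lam = {p: set(range(1, arity[p] + 1)) for p in dependent_predicates(psi_atoms, sid)}
    changed = True
    while changed:
        changed = False
        # Condition on the atoms of ψ itself (assumed here, see the lead-in): a
        # profiled parameter must be instantiated by a free variable of ψ.
        for _, p, args in pred_atoms(psi_atoms):
            for i in sorted(lam[p]):
                if args[i - 1] not in fv_psi:
                    lam[p].discard(i)
                    changed = True
        # Condition 2 of Definition 6: for every rule p(x) ⇐ π, atom q(y) of π and
        # i ∈ λ(q), some j ∈ λ(p) must satisfy x_j = y_i; otherwise i leaves λ(q).
        for r in sid:
            if r.head not in lam:
                continue
            for _, q, ys in pred_atoms(r.body):
                for i in sorted(lam[q]):
                    if not any(r.params[j - 1] == ys[i - 1] for j in lam[r.head]):
                        lam[q].discard(i)
                        changed = True
    return {p: frozenset(s) for p, s in lam.items()}


def v_lambda(lam, atoms) -> Set[str]:
    """V_λ(φ): the variables x_i of predicate atoms p(x1, ..., xn) of φ with i ∈ λ(p)."""
    return {args[i - 1] for _, p, args in pred_atoms(atoms) for i in lam.get(p, ())}


def disequations_restricted(atoms, V: Set[str]) -> bool:
    """Item 1 of Definition 7: every disequation y ≉ z of the formula mentions a variable of V."""
    return all(y in V or z in V for kind, y, z in atoms if kind == "neq")


def rule_disequations_restricted(rule: Rule, lam) -> bool:
    """The same check on a rule body, with V taken as the head parameters that the
    profile guarantees to be free in every unfolding (an assumed reading, see the lead-in)."""
    V = {rule.params[j - 1] for j in lam.get(rule.head, ())}
    return disequations_restricted(rule.body, V)


# Constructed SID (κ = 1): the paper's ls, a non-empty segment nels whose disequation
# involves its two parameters, and a rule bad that compares two existential variables.
SID = [
    Rule("ls", ("x", "y"), (("eq", "x", "y"),)),
    Rule("ls", ("x", "y"), (("pto", "x", ("z",)), ("pred", "ls", ("z", "y")))),
    Rule("nels", ("x", "y"), (("neq", "x", "y"), ("pto", "x", ("z",)), ("pred", "ls", ("z", "y")))),
    Rule("bad", ("x",), (("pto", "x", ("z",)), ("pred", "ls", ("z", "u")), ("neq", "z", "u"))),
]

if __name__ == "__main__":
    # ψ = ∃x. ls(x, y): only the second parameter of ls is always a free variable of ψ.
    print(fv_profile([("pred", "ls", ("x", "y"))], {"y"}, SID))
    lam = fv_profile([("pred", "bad", ("x",))], {"x"}, SID)
    print(lam, rule_disequations_restricted(SID[3], lam))
```

For ψ = ∃x. ls(x, y) the profile of ls is {2}: the first argument z of the recursive call is existential, so index 1 is removed, while y is passed through unchanged. For ψ = bad(x) the profile of ls collapses to ∅ (the call ls(z, u) passes two existentials) and the disequation z ≉ u is rejected, which is exactly the kind of comparison between existential variables that restrictedness forbids.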
Definition 7. Let λ be an R-positional function and V be a set of variables. A formula φ is λ-restricted (λ-R) w.r.t. V iff the following hold: 1. for every disequation y ≉ z in φ, we have {y, z} ∩ V ≠ ∅, and where λ is considered to be λ^φ_R (λ^ψ_R). An entailment problem is λ-C (λ-R) iff it is both left- and right-λ-C (λ-R).
The class of progressing, λ-connected and λ-restricted entailment problems has been shown to be a generalization of the class of progressing, connected and left-established problems, because the latter can be reduced to the former by a many-one reduction [8, Theorem 13] that runs in time |P| · 2^{O(w(P)²)} on input P (Figure 1) and preserves the problem's width asymptotically. In the rest of this paper we close the loop by defining a syntactic extension of progressing, λ-connected and λ-restricted entailment problems and by showing that this extension can be reduced to the class of progressing, connected and left-established entailment problems by a many-one reduction. The new fragment is defined as follows: 3. all the rules from ∪_{p ∈ P(ψ)} R(p) are λ-connected and λ-restricted.
Note that there is no condition on the formula φ, or on the rules defining the predicates occurring only in φ, other than the progress condition. The conditions in Definition 8 ensure that all the disequations occurring in any unfolding of ψ involve at least one variable that is free in φ. Further, the heaps of the models of ψ must be forests, i.e. unions of trees, the roots of which are associated with the first argument of the predicate atoms in ψ or with free variables from φ.
A typical yet very simple example of such an entailment is the so-called "reversed list" problem, which consists in checking that any list segment revls(z, y) defined in the reverse direction (from the tail to the head) is a list segment ls(x, y) in the usual sense (defined inductively from head to tail). This corresponds to the entailment problem revls(z, y) |=_R ∃x. ls(x, y), where R contains the following rules: This problem is considered challenging for proof search-based automated reasoning procedures (see, e.g., [4,16]). The antecedent does not fulfill the connectivity condition, but the consequent does, hence the entailment is safe. Similar, more complex examples can be defined; for instance, a list can be constructed by interleaving elements at odd or even positions. Another example is the case of a data structure containing an unbounded number of acyclic lists (e.g., a list of acyclic lists). Such a data structure does not fulfill the restrictedness condition, since one needs to compare the pointers occurring along each list to the pointer at the end. Checking, for instance, that the concatenation of two lists of acyclic lists is again a list of (possibly cyclic) lists is a problem that fits into the safe class and can thus be effectively checked by our algorithm. We refer the reader to Figure 1 for a general picture of the entailment problems considered so far and of the many-one reductions between them, where the reduction corresponding to the dashed arrow is the concern of the next section. Importantly, since all reductions are many-one, taking time polynomial in the size and exponential in the width of the input problem, while preserving its width asymptotically, the three classes from Figure 1 can be unified into a single (2EXPTIME-complete) class of entailments.

Reducing Safe to Established Entailments
In a model of a safe SID (Definition 8), the existential variables introduced by the replacement of predicate atoms with the corresponding rule bodies are not required to be allocated. This is because safe SIDs are more liberal than established SIDs and allow heap structures with an unbounded number of dangling pointers. As observed in [8], checking the validity of an entailment (w.r.t. a restricted SID) can be done by considering only those structures in which the dangling pointers point to pairwise distinct locations. The main idea of the reduction of safe to established entailment problems given here is that any such structure can be extended by allocating all dangling pointers separately and, moreover, that the extended structures can be defined by an established SID.
In what follows, we fix an arbitrary instance P = φ |=_R ψ of the safe entailment problem (Definition 8) and denote by λ ≝ λ^ψ_R the fv-profile of (ψ, R) (Definition 6). Let w⃗ ≝ (w₁, ..., w_ν) be the vector of free variables from φ and ψ, where the order of variables is not important, and assume w.l.o.g. that ν > 0. Let P_l ≝ P(φ) and P_r ≝ P(ψ) be the sets of predicate symbols that depend on the predicate symbols occurring in the left- and right-hand side of the entailment, respectively. We assume that φ and ψ contain no points-to atoms and that P_l ∩ P_r = ∅. Again, these assumptions lose no generality, because a points-to atom u ↦ (v₁, ..., v_κ) can be replaced by a predicate atom p(u, v₁, ..., v_κ), where p is a fresh predicate symbol associated with the rule p(x, y₁, ..., y_κ) ⇐ x ↦ (y₁, ..., y_κ). Moreover, the condition P_l ∩ P_r = ∅ may be enforced by considering two copies of each predicate, one for the left-hand side and one for the right-hand side. Finally, we assume that every rule contains exactly µ existential variables, for some fixed µ ∈ ℕ; this condition can be enforced by adding dummy literals x ≈ x if needed.
We describe a reduction of P to an equivalent progressing, connected and left-established entailment problem. The reduction extends heaps by adding ν + µ record fields. We shall therefore often consider heaps and points-to atoms having κ + ν + µ record fields, where the formal definitions are similar to those given previously; such formulae and heaps will usually be written with a prime. These additional record fields will be used to ensure that the constructed system is connected, by adding all the existential variables of a given rule (as well as the variables w₁, ..., w_ν) into the image of the location allocated by the considered rule. Furthermore, the left-establishment condition will be enforced by adding predicates and rules in order to allocate all the locations that correspond to existential quantifiers and that are not already allocated, making such locations point to a dummy vector ⊥⃗ ≝ (⊥, ..., ⊥), of length κ + ν + µ, where ⊥ is the special constant denoting empty heap entries. To this aim, we shall use a predicate symbol ⊥⃗ associated with the rule ⊥⃗(x) ⇐ x ↦ ⊥⃗. Note that allocating all these locations entails (by definition of the separating conjunction) that they are distinct, thus the addition of such predicates and rules reduces the number of satisfiable unfoldings. However, due to the restrictions on the use of disequations, we shall see that this does not change the status of the entailment problem.
The following lemma identifies conditions ensuring that the application of a mapping to a structure (Definition 9) preserves the truth value of a formula.
Lemma 10. Given a set of variables V, let α be a formula that is λ-restricted w.r.t. V, such that P(α) ⊆ P_r, and let (s, h) be an R-model of α. For every mapping γ :
If γ is, moreover, injective, then the result of Lemma 10 holds for any formula:
Lemma 11. Let α be a formula and let (s, h) be an R-model of α. For every injective mapping γ : L → L, we have (γ(s), γ(h)) |=_R α.

Expansions and Truncations
We introduce a so-called expansion relation on structures, as well as a truncation operation on heaps. Intuitively, the expansion of a structure is a structure with the same store and whose heap is augmented with new allocated locations (each pointing to ⊥) and additional record fields, referring in particular to all the newly added allocated locations. These locations are introduced to accommodate all the existential variables of the predicate-less unfolding of the left-hand side of the entailment (to ensure that the obtained entailment is left-established). Conversely, the truncation of a heap is the heap obtained by removing these extra locations. We also introduce the notion of a γ-expansion, which is a structure whose image by γ is an expansion. We recall that, throughout this and the next sections, w⃗ = (w₁, ..., w_ν) denotes the vector of free variables occurring in the problem, which is assumed to be fixed throughout this section, and that {w₁, ..., w_ν, ⊥} ⊆ dom(s), for every store s considered here.
Moreover, we assume w.l.o.g. that w₁, ..., w_ν do not occur in the considered SID R and denote by µ the number of existential variables in each rule of R. We refer to Figure 2 for an illustration of the definition below: Let (s, h′) be a γ-expansion of (s, h) and let ℓ ∈ dom(main(h′)) be a location. Since ν > 0 and, for all i ∈ 1, ν, s(wᵢ) occurs in h′(ℓ), and since we assume that s(wᵢ) ≠ ‚ = s(⊥) for every i ∈ 1, ν, necessarily main(h′)(ℓ) ≠ (‚, ..., ‚). This entails that the decomposition of h′ into main(h′) and aux(h′) is unique: main(h′) and aux(h′) are the restrictions of h′ to the locations ℓ ∈ dom(h′) such that h′(ℓ) ≠ (‚, ..., ‚) and h′(ℓ) = (‚, ..., ‚), respectively. In the following, we shall thus freely use the notations aux(h′) and main(h′), for arbitrary heaps h′.
Definition 13. Given a heap h′, we denote by trunc(h′) the heap h defined as follows:
Note that, if h = trunc(h′), then h : L → L^κ and h′ : L → L^{κ+µ+ν} are heaps of different out-degrees. In the following, we silently assume this fact, to avoid cluttering the notation by explicitly specifying the out-degree of a heap.

Transforming the Consequent
We first describe the transformation for the right-hand side of the entailment problem, as this transformation is simpler.
Definition 17. We associate each n-ary predicate p ∈ P_r with a new predicate p̄ of arity n + ν. We denote by ᾱ the formula obtained from α by replacing every predicate atom p(x₁, ..., xₙ) by p̄(x₁, ..., xₙ, w⃗), where w⃗ = (w₁, ..., w_ν).
Note that the free variables w⃗ are added as parameters in the rules above, instead of some arbitrary tuple ω⃗ of fresh variables of the same length as w⃗. This is for the sake of conciseness, since such parameters ω⃗ would be systematically mapped to w⃗.
We now relate the SIDs R and R_r by the following result:
Lemma 20. Let α be a formula that is λ-restricted w.r.t. {w₁, ..., w_ν} and contains no points-to atoms, with P(α) ⊆ P_r. Given a store s and two heaps h and h′ such that (s, h′) is an id-expansion of (s, h), we have (s, h′) |=_{R_r} ᾱ if and only if (s, h) |=_R α.

Transforming the Antecedent
We now describe the transformation operating on the left-hand side of the entailment problem. For technical convenience, we make the following assumption:
Assumption 21. We assume that, for every predicate p ∈ P_l, every rule of the form p(x₁, ..., xₙ) ⇐ π in R and every atom q(x′₁, ..., x′ₘ) occurring in π, x′₁ ∉ {x₁, ..., xₙ}. This is without loss of generality, because every variable x′₁ ∈ {x₁, ..., xₙ} can be replaced by a fresh variable z, while conjoining the equational atom z ≈ x′₁ to π. Note that the obtained SID may no longer be connected, but this is not problematic, because the left-hand side of the entailment is not required to be connected anyway.
Definition 22. We associate each pair (p, X), where p ∈ P_l, ar(p) = n and X ⊆ 1, n, with a fresh predicate symbol p_X, such that ar(p_X) = n + ν. A decoration of a formula α containing no points-to atoms, such that P(α) ⊆ P_l, is a formula obtained by replacing each predicate atom β ≝ q(y₁, ..., yₘ) in α by an atom of the form q_{X_β}(y₁, ..., yₘ, w⃗), with X_β ⊆ 1, m. The set of decorations of a formula α is denoted by D(α).
The role of the set X in a predicate atom p_X(x₁, ..., xₙ, w⃗) will be explained below. Note that the set of decorations of a formula α is always finite.
Definition 23. We denote by D(R) the set of rules of the form p_X(x₁, ..., xₙ, w⃗) ⇐ x₁ ↦ (y₁, ..., y_κ, w⃗, z₁, ..., z_µ)σ ∗ ρ ∗ ∗_{i∈I} ⊥⃗(zᵢ), where: p(x₁, ..., xₙ) ⇐ x₁ ↦ (y₁, ..., y_κ) ∗ ρ is a rule in R and X ⊆ 1, n;
At this point, the set X for predicate symbol p_X is of little interest: atoms are simply decorated with arbitrary sets. However, we shall restrict the considered rules in such a way that for every model (s, h) of an atom p_X(x₁, ..., x_{n+ν}), with n = ar(p), the set X denotes a set of indices i ∈ 1, n such that s(xᵢ) ∈ dom(h). In other words, X will denote a set of formal parameters of p_X that are allocated in every model of p_X.
Note that, in contrast with Definition 1, we do not consider that x ∈ Alloc(α), for those variables x related to a variable from Alloc(α) by equalities.
We denote by R_l the set of well-defined rules in D(R).
We first state an important property of R_l.
Lemma 27. Every rule in R l is progressing, connected and established.
We now relate the systems R and R_l by the following result.
Definition 28. A store s is quasi-injective if, for all x, y ∈ dom(s), the implication s(x) = s(y) ⇒ x = y holds whenever {x, y} ⊄ {w₁, ..., w_ν}.
Lemma 29. Let L′ be an infinite subset of L. Consider a formula α containing no points-to atom, with P(α) ⊆ P_l, and let (s, h) be an R-model of α, where s is quasi-injective and (rng(s) ∪ loc(h)) ∩ L′ = ∅. There exists a decoration α′ of α, a heap h′ and a mapping γ : L → L such that:

Transforming Entailments
We define R′ ≝ R_l ∪ R_r. We show that the instance φ |=_R ψ of the safe entailment problem can be solved by considering entailment problems on R′ involving the elements of D(φ) (see Definition 22). Note that the rules from R_l are progressing, connected and established, by Lemma 27, whereas the rules from R_r are progressing and connected, by Definition 18. Hence, each entailment problem φ′ |=_{R′} ψ̄, where φ′ ∈ D(φ), is progressing, connected and left-established.
Proof. "⇒" Assume that φ |=_R ψ, let φ′ ∈ D(φ) be a formula, let (s, h′) be an R′-model of φ′ and consider a location ℓ ∈ dom(h′). By definition, ℓ must be allocated by some rule in R_l. If ℓ is allocated by a rule of the form given in Definition 23, then necessarily h′(ℓ) is of the form (ℓ₁, ..., ℓ_κ, s(w⃗), ℓ′₁, ..., ℓ′_µ) and ℓ ∈ D₁. Otherwise, ℓ is allocated by the predicate ⊥⃗ and we must have ℓ ∈ D₂, by definition of the only rule for ⊥⃗. Since this predicate must occur within a rule of the form given in Definition 23, necessarily ℓ occurs in the µ last components of the image of a location in D₁, hence ℓ admits a connection in h′. Consequently, by Lemma 16, (s, h′) is an id-expansion of (s, h), and by Lemma 24, (s, h) |=_R φ. Thus (s, h) |=_R ψ, and by Lemma 20, (s, h′) |=_{R_r} ψ̄, hence (s, h′) |=_{R′} ψ̄.
"⇐" Assume that φ′ |=_{R′} ψ̄ for every φ′ ∈ D(φ), and let (s, h) be an R-model of φ. Since the truth values of φ and ψ depend only on the variables in fv(φ) ∪ fv(ψ), we may assume, w.l.o.g., that s is quasi-injective. Consider an infinite set L′ ⊆ L such that (rng(s) ∪
This leads to the main result of this paper:
Theorem 31. The safe entailment problem is 2EXPTIME-complete.
Proof. The 2EXPTIME-hard lower bound follows from [8, Theorem 32], as the class of progressing, λ-connected and λ-restricted entailment problems is a subset of the safe entailment class. For the 2EXPTIME membership, Lemma 30 describes a many-one reduction to the progressing, connected and established class, shown to be in 2EXPTIME by Theorem 4. Considering an instance P = φ |=_R ψ of the safe class, Lemma 30 reduces it to checking the validity of |D(φ)| instances of the form φ′ |=_{R′} ψ̄, which are all progressing, connected and established, by Lemma 27. Since a formula φ′ ∈ D(φ) is obtained by replacing each predicate atom p(x₁, ..., xₙ) of φ by p_X(x₁, ..., xₙ, w⃗) and there are at most 2ⁿ such predicate atoms, it follows that |D(φ)| = 2^{O(w(P))}. To obtain 2EXPTIME-membership of the problem, it is sufficient to show that each of the progressing, connected and established instances φ′ |=_{R′} ψ̄ can be built in time |P| · 2^{O(w(P) · log w(P))}. First, for each φ′ ∈ D(φ), by Definition 22, we have |φ′| ≤ |φ| · (1 + ν) ≤ |φ| · (1 + w(P)) = |φ| · 2^{O(log w(P))}. By Definition 17, we have |ψ̄| ≤ |ψ| · (1 + ν) = |ψ| · 2^{O(log w(P))}. By Definition 23, D(R) can be obtained by enumeration in time linear in |D(R)| ≤ |R| · 2^µ · (n + ν + µ)^ν ≤ |R| · 2^{w(P) + w(P) · log w(P)} = |P| · 2^{O(w(P))}. This is because the number of intervals I is bounded by 2^µ and the number of substitutions σ by (n + ν + µ)^ν, in Definition 23. By Definition 25, checking whether a rule is well-defined can be done in polynomial time in the size of the rule, hence in 2^{O(w(P))}, so the construction of R_l takes time |P| · 2^{O(w(P) · log w(P))}. Similarly, by Definition 23, the set R̄ is constructed in time |R̄| ≤ |R| · 2^µ · w(P)^ν ≤ |R| · 2^{w(P)} · 2^{w(P) · log w(P)} = |P| · 2^{O(w(P))}. Moreover, checking that a rule in R̄ is connected can be done in time polynomial in the size of the rule, hence the construction of R_r takes time 2^{O(w(P) · log w(P))}.
Then the entire reduction takes time 2^{O(w(P) · log w(P))}, which proves the 2EXPTIME upper bound for the safe class of entailments.

Conclusion and Future Work
Together with the results of [10,14,6,8], Theorem 31 draws a clear and complete picture concerning the decidability and complexity of the entailment problem in Separation Logic with inductive definitions. The room for improvement in this direction is probably very limited, since Theorem 31 pushes the frontier quite far. Moreover, virtually any further relaxation of the conditions leads to undecidability.
A possible line of future research which could be relevant for applications would be to consider inductive rules constructing simultaneously several data structures, which could be useful for instance to handle predicates comparing two structures, but it is clear that very strong conditions would be required to ensure decidability. We are also interested in defining effective, goal-directed, proof procedures (i.e., sequent or tableaux calculi) for testing the validity of entailment problems. Thanks to the reduction devised in the present paper, it is sufficient to focus on systems that are progressing, connected and left-established. We are also trying to extend the results to entailments with formulae involving data with infinite domains, either by considering a theory of locations (e.g., arithmetic on addresses), or, more realistically, by considering additional sorts for data.