The Effects of Adding Reachability Predicates in Propositional Separation Logic

The list segment predicate ls used in separation logic for verifying programs with pointers is well-suited to express properties on singly-linked lists. We study the effects of adding ls to the full propositional separation logic with the separating conjunction and implication, which is motivated by the recent design of new fragments in which all these ingredients are used indifferently and verification tools start to handle the magic wand connective. This is a very natural extension that has not been studied so far. We show that the restriction without the separating implication can be solved in polynomial space by using an appropriate abstraction for memory states whereas the full extension is shown undecidable by reduction from first-order separation logic. Many variants of the logic and fragments are also investigated from the computational point of view when ls is added, providing numerous results about adding reachability predicates to propositional separation logic.


INTRODUCTION
Separation logic [23,29,32] is a well-known assertion logic for reasoning about programs with dynamic data structures.Since the implementation of Smallfoot and the evidence that the method is scalable [3,38], many tools supporting separation logic as an assertion language have been developed [3,9,10,18,20,38].Even though the first tools could handle relatively limited fragments of separation logic, like symbolic heaps [13], there is a growing interest and demand to consider extensions with richer expressive power.We can point out three particular extensions of symbolic heaps (without list predicates) that have been proved decidable.
• Symbolic heaps with generalised inductive predicates, adding a fixpoint combinator to the language, is a convenient logic for specifying data structures that are more advanced than lists or trees.The entailment problem is known to be decidable by means of tree automata techniques for the bounded tree-width fragment [1,22], whereas satisfiability is ExpTimecomplete [7].Other related results can be found in [24].• List-free symbolic heaps with all classical Boolean connectives ∧ and ¬ (and with the separating conjunction * ), called herein SL( * ), is a convenient extension when combinations of results of various analysis need to be expressed, or when the analysis requires a complementation.This extension already is PSpace-complete [12].• Propositional separation logic with separating implication, a.k.a.magic wand (− * ), is a convenient fragment (called herein SL( * , − * )) with decidable frame inference and abduction, two problems that play an important role in static analysers and provers built on top of separation logic.SL( * , − * ) can be decided in PSpace thanks to a small model property [37].
A natural question is how to combine these extensions, and which separation logic fragment that allows Boolean connectives, magic wand and generalised recursive predicates can be decided with some adequate restrictions.As already advocated in [8,21,28,34,36], dealing with the separating implication − * is a desirable feature for program verification and several semi-automated or automated verification tools support it in some way, see e.g.[21,28,34,36].
Besides, allowing quantifications is another direction to extend the symbolic heap fragment: in [4], an extension of the symbolic heap fragment with quantification over locations and over arithmetic variables for list lengths is introduced and several fragments are shown decidable (the whole extension is undecidable).Such an extension combines shape and arithmetic specifications (see also [14] for a theory of singly-linked lists with length combining such features) and the decidability results are obtained by using so-called symbolic shape graphs that are finite representations of sets of heaps.In the current paper, we consider only shape analysis (since herein, the heaps are restricted to a single record field) but the separating implication is admitted.
Our contribution.In this paper, we address the question of combining the magic wand and inductive predicates in the extremely limited case where the only inductive predicate is the gentle list segment predicate ls.So the starting point of this work is this puzzling question: what is the complexity/decidability status of propositional separation logic SL( * , − * ) enriched with the list segment predicate ls (herein called SL( * , − * , ls))?More precisely, we study the decidability/complexity status of extensions of propositional separation logic SL( * , − * ) by adding one of the reachability predicates among ls (precise predicate as usual in separation logic), reach (existence of a path, possibly empty) and reach + (existence of a non-empty path).At this point, it is worth noting that in the presence of the separating conjunction * , ls and reach are interdefinable, and reach + can easily define ls and reach.Consequently, the complexity upper bounds will be stated with reach + and the complexity lower bounds or undecidability results are sharper with ls or reach.
First, we establish that the satisfiability problem for the propositional separation logic SL( * , − * , ls) is undecidable.Our proof is by reduction from the undecidability of first-order separation logic SL(∀, − * ) [6,15], using an encoding of the variables as heap cells (see Theorem 3.12).As a consequence, we also establish that SL( * , − * , ls) is not finitely axiomatisable.Moreover, our reduction requires a rather limited expressive power of the list segment predicate, and we can strengthen our undecidability results to some fragments of SL( * , − * , ls).For instance, surprisingly, the extension of SL( * , − * ) with the atomic formulae of the form reach(x, y) = 2 and reach(x, y) = 3 (existence of a path between x and y of respective length 2 or 3) is already undecidable, whereas the satisfiability problem for SL( * , − * , reach(x, y) = 2) is known to be in PSpace [16].
Second, we show that the satisfiability problem for SL( * , reach + ) is PSpace-complete, extending the well-known result on SL( * ).The PSpace upper bound relies on a small heap property based on the techniques of test formulae, see e.g.[5,16,25,26], and the PSpace-hardness of SL( * ) is inherited from [12].The PSpace upper bound can be extended to the fragment of SL( * , − * , reach + ) made of Boolean combinations of formulae from SL( * , reach + ) ∪ SL( * , − * ) (see the developments in Section 4).As a by-product of our proof technique, we obtain that the satisfiability problem for Boolean combinations of pure formulae and spatial formulae from the symbolic heap fragment, Bool(SHF), is NP-complete via a proof different from the one in [30].Figure 1 presents a summary of the main results of the paper.An unlabelled arrow between two logics means that there is a many-one reduction between the satisfiability problem of the first logic and the problem for the second one (sometimes, the reduction is the identity in the case of syntactic fragments).
This paper is an extended and completed version of [17].

PRELIMINARIES
2.1 Separation logic with the list segment predicate Let PVAR = {x, y, . ..} be a countably infinite set of program variables and LOC = {ℓ 0 , ℓ 1 , ℓ 2 , . ..} be a countable infinite set of locations.A memory state is a pair (s, h) such that s : PVAR → LOC is a variable valuation (known as the store) and h : LOC → fin LOC is a partial function with finite domain, known as the heap.We write dom(h) to denote its domain and ran(h) to denote its range.Given a heap h with dom(h) = {ℓ 1 , . . ., ℓ n }, we also write {ℓ 1 → h(ℓ 1 ), . . ., ℓ n → h(ℓ n )} to denote h.Each ℓ i → h(ℓ i ) is understood as a memory cell of h.
As usual, the heaps h 1 and h 2 are said to be disjoint, written h 1 ⊥ h 2 , if dom(h 1 ) ∩ dom(h 2 ) = ∅; when this holds, we write h 1 + h 2 to denote the heap corresponding to the disjoint union of the graphs of h 1 and h 2 , hence dom(h 1 + h 2 ) = dom(h 1 ) ⊎ dom(h 2 ).When the domains of h 1 and h 2 are not disjoint, the composition h 1 + h 2 is not defined.Moreover, we write h ′ ⊑ h to denote that dom(h ′ ) ⊆ dom(h) and for all locations ℓ ∈ dom(h ′ ), we have h ′ (ℓ) = h(ℓ).
Given a heap h, we define a family of heaps (h i ) i ∈N as follows understood that h i is obtained from i functional composition(s) of h.By definition, h 0 is the identity function on LOC, h 1 def = h and for all β ≥ 2 and ℓ ∈ LOC, we have h β (ℓ) def = h(h β −1 (ℓ)), assuming that h β −1 (ℓ) is defined and belongs to dom(h), otherwise h β (ℓ) is undefined.
The semantics for * , − * , →, ls and for all other ingredients is the usual one in separation logic and ls is the precise list segment predicate.
When the heap h is understood as its graph with a finite and functional edge relation, reach(x, y) corresponds to the standard reachability predicate (no need to be precise as for ls) and reach + (x, y) corresponds to the reachability predicate in at least one step.For instance, reach(x, x) always holds, whereas ls(x, x) holds only on the empty heap and reach + (x, x) holds on heaps such that there is i ≥ 1 with h i (s(x)) = s(x), i.e. there is a non-empty loop from s(x) to itself.
As ls(x, y) ≡ reach(x, y) ∧ ¬(¬emp * reach(x, y)) and reach(x, y) ≡ ⊤ * ls(x, y), the logics SL( * , − * , reach) and SL( * , − * , ls) have identical decidability status.As far as computational complexity is concerned, a similar analysis can be done as soon as * , ¬, ∧ and emp are parts of the fragments (the details are omitted here).Similarly, we have the following equivalences: So clearly, SL( * , reach) and SL( * , ls) can be viewed as fragments of SL( * , reach + ) and, SL( * , − * , ls) as a fragment of SL( * , − * , reach + ).It is therefore stronger to establish decidability or complexity upper bounds with reach + and to show undecidability or complexity lower bounds with ls or reach.Herein, we provide the optimal results.

Decision problems
Let L be a logic defined above.As usual, the satisfiability problem for L takes as input a formula φ from L and asks whether there is a memory state (s, h) such that (s, h) |= φ.The validity problem is also defined as usual.If L is not closed under negation, then it is also worth considering the entailment problem that takes as inputs two formulae φ, φ ′ and asks whether for all (s, h), we have The model-checking problem for L takes as input a formula φ from L, (s, h) and asks whether (s, h) |= φ (s is restricted to the variables occurring in φ and h is encoded as a finite and functional graph).Unless otherwise specified, the size of a formula φ is understood as its tree size, i.e. approximately its number of symbols.Below, we recall a few complexity results about well-known strict fragments of SL( * , − * , ls).
(III) The satisfiability problem for the fragment of SL( * , ls) restricted to formulae obtained by Boolean combinations of formulae from the symbolic heap fragment is NP-complete [13,30].
We refer the reader to [13] for a complete description of the symbolic heap fragment, or to Section 4.3 for its definition.The main purpose of this paper is to study the decidability/complexity status of SL( * , − * , ls), fragments and other variants.

UNDECIDABILITY OF SL( * , − * , ls)
In this section, we show that SL( * , − * , ls) has an undecidable satisfiability problem even though it does not admit explicitly first-order quantification.
Let SL(∀, − * ) be the first-order extension of SL(− * ) obtained by adding the universal quantifier ∀.In the versions of SL(∀, − * ) defined in [6,15], one distinguishes program variables from quantified variables (used with the quantifier ∀).This distinction made by the two sets of variables is not necessary herein and for the sake of simplicity, we adopt a version of SL(∀, − * ) with a unique type of variables.The formulae φ of SL(∀, − * ) are built from the grammars below: where x, y ∈ PVAR.Note that emp can be easily defined by ∀ x, x ′ ¬(x → x ′ ).Models of the logic SL(∀, − * ) are memory states and the satisfaction relation |= is defined as for SL(− * ) with the additional clause: Without any loss of generality, we can assume that the satisfiability (resp.validity) problem for SL(∀, − * ) is defined by taking as inputs closed formulae (i.e.without free occurrences of the variables).Proposition 3.1.[6,15] The satisfiability problem for SL(∀, − * ) is undecidable and the set of valid formulae for SL(∀, − * ) is not recursively enumerable.
We recall that the undecidability proof of SL(∀, − * ) makes extensive use of the − * operator, whereas a similar result can be achieved without − * if we interpret the logic on heaps having at least two record fields (i.e.h is of the form LOC → fin LOC k with k ≥ 2) [12].In a nutshell, we establish the undecidability of SL( * , − * , ls) by reduction from the satisfiability problem for SL(∀, − * ).The reduction is nicely decomposed in two intermediate steps: (1) the undecidability of SL( * , − * ) extended with a few atomic predicates, to be defined soon, and (2) a tour de force resulting in the encoding of these atomic predicates in SL( * , − * , ls).So, Section 3.1 explains how stores are encoded as subheaps and how this helps to mimic first-order quantification.Section 3.2 provides the formal presentation of the translation as well as its correctness.Finally, Section 3.3 establishes how the additional predicates can be indeed expressed in SL( * , − * , ls).

Encoding quantified variables as cells in the heap
In this section, we assume for a moment that we can express three atomic predicates that will be used in the translation and have the following semantics: ).The satisfaction of n(x) = n(y) corresponds to the existence of the following pattern in the memory state (s, h • (s, h) |= n(x) →n(y) holds iff {s(x), s(y)} ⊆ dom(h) and h 2 (s(x)) = h(s(y)).The satisfaction of n(x) →n(y) corresponds to the existence of the following pattern in the memory state (s, h): Let us first intuitively explain how the two last predicates will help encoding SL(∀, − * ).By definition, the satisfaction of the quantified formula ∀x ψ from SL(∀, − * ) requires the satisfaction of the formula ψ for all the values in LOC assigned to x.The principle of the encoding is to use a set L of locations initially not in the domain or range of the heap to mimic the store by modifying how they are allocated.In this way, a variable will be interpreted by a location in the heap and, instead of checking whether x → y (or x = y) holds, we will check if n(x) → n(y) (or n(x) = n(y)) holds, where x and y correspond, after the translation, to the locations in L that mimic the store for those variables.Let X be the finite set of variables needed for the translation.To properly encode the store, each location in L only mimics exactly one variable, i.e. there is a bijection between X and L, and cannot be reached by any location.As such, the formula ∀x ψ will be encoded by a formula of the form where Safe(X ) (formally defined below) checks whenever the locations in L still satisfy the auxiliary conditions just described, whereas T(ψ ) is the translation of ψ .Unfortunately, the formula ψ 1 − * ψ 2 cannot simply be translated into T(ψ 1 ) − * (Safe(X ) ⇒ T(ψ 2 )) because the evaluation of T(ψ 1 ) in a disjoint heap may need the values of free variables occurring in ψ 1 but our encoding of the variable valuations via the heap does not allow to preserve these values through disjoint heaps.In order to solve this problem, for each variable x in the formula, X will contain an auxiliary variable x, or alternatively we define on X an involution (.).If the translated formula has q variables then the set X of variables needed for the translation will have cardinality 2q.In the translation of a formula whose outermost connective is the magic wand, the locations corresponding to variables of the form x will be allocated on the left side of the magic wand, and checked to be equal to their non-bar versions on the right side of the magic wand.As such, the left side of the magic wand will be translated into where Z is the set of free variables in ψ 1 , whereas the right side will be The use of the separating conjunction before the formula T(ψ 2 ) separates the memory cells corresponding to x from the rest of the heap.By doing this, we can reuse x whenever a magic wand appears in T(ψ 2 ).
For technical convenience, we consider a slight alternative for the semantics of the logics SL(∀, − * ) and SL( * , − * , ls), which does not modify the notion of satisfiability/validity and such that the set of formulae and the definition of the satisfaction relation |= remain unchanged.
So far, the memory states are pairs of the form (s, h) with s : PVAR → LOC and h : LOC → fin LOC for a fixed countably infinite set of locations LOC, say LOC = N.Alternatively, the models for SL(∀, − * ) and SL( * , − * , ls) can be defined as triples (LOC 1 , s 1 , h 1 ) such that LOC 1 is a countable infinite set, s 1 : PVAR → LOC 1 and h 1 : LOC 1 → fin LOC 1 .As shown below, this does not change the notion of satisfiability and validity, but this generalisation will be handy in a few places.Most of the time, a generalised memory state (LOC 1 , s 1 , h 1 ) shall be written (s 1 , h 1 ) when no confusion is possible.Given a bijection f : LOC 1 → LOC 2 and a heap h 1 : LOC 1 → fin LOC 1 equal to {ℓ 1 → h 1 (ℓ 1 ), . . ., ℓ n → h 1 (ℓ n )}, we write f(h 1 ) to denote the heap h 2 : LOC 2 → fin LOC 2 with . Two generalised memory states (LOC 1 , s 1 , h 1 ) and (LOC 2 , s 2 , h 2 ) are said to be isomorphic with respect to X , written (LOC 1 , s 1 , h 1 ) ≈ X (LOC 2 , s 2 , h 2 ), if and only if there exists an X -isomorphism between them.
It is easy to check that ≈ X is an equivalence relation.A folklore result states that isomorphic memory states satisfy the same formulae since the logics SL(∀, − * ) and SL( * , − * , ls) can only perform equality tests.Below, we state the precise result we need in the sequel, the proof being by a standard induction on the formula structure.Lemma 3.3.Let (LOC 1 , s 1 , h 1 ), (LOC 2 , s 2 , h 2 ) be generalised memory states and X ⊆ PVAR be a finite set of variables such that (LOC 1 , s 1 , h 1 ) ≈ X (LOC 2 , s 2 , h 2 ).
(I) For all formulae φ in SL( * , − * , ls) built on variables among X , we have (LOC Proof.The proof is by induction on the tree structure of φ.Let X be a set of variables that includes the free variables from φ.To be more concise, this is done on formulae from SL(∀, * , − * , ls).Let f : LOC 1 → LOC 2 be a bijection defined as in Definition 3.2.We just show one direction of the proof.Indeed, it is easy to check that ≈ X is a symmetric relation and therefore these results also hold in the other direction by considering f −1 instead of f.We start by proving the base cases with the atomic formulae x = y, x → y and ls(x, y).
If dom(h 1 ) = ∅ and s 1 (x) = s 1 (y) then it also holds dom(h 2 ) = ∅, since f is a bijection between LOC 1 and LOC 2 such that a location in LOC 1 is in the domain of h 1 if and only if its image via f is in the domain of h 2 and reciprocally.Moreover, ), as shown in the picture below.
For negation and conjunction, the proof simply applies the induction hypothesis: the images of h ′ 1 and h ′′ 1 via f.Since f is an X -isomorphism between h 1 and h 2 it holds that: , since f is an X -isomorphism also between these structures.The same holds for h ′′ 1 and h ′′ 2 .Therefore, by the induction hypothesis, we get Fig. 2. A memory state and its encoding.
Then by the induction hypothesis, 2 )⊥h 1 since f is an X -isomorphism.We conclude that the memory state 2 ) + h 1 ) satisfies φ 2 and by the induction hypothesis Using the induction hypothesis, we conclude that As a direct consequence, satisfiability in SL( * , − * , ls) as defined in Section 2, is equivalent to satisfiability with generalised memory states, the same holds for SL(∀, − * ).Next, we define the encoding of a generalised memory state.This can be seen as the semantical counterpart of the syntactical translation process and, as such, formalises the intuition of using part of the heap to mimic the store.Definition 3.4.Let X = {x 1 , . . ., x 2q }, Y ⊆ {x 1 , . . ., x q } and, (LOC 1 , s 1 , h 1 ) and (LOC 2 , s 2 , h 2 ) be two (generalised) memory states.We say that , if the following conditions hold: Notice that the heap h 2 is equal to the heap h 1 augmented with the heap {s 2 (x) → s 1 (x) | x ∈ Y } that encodes the store s 1 .In Figure 2, we present a memory state (left) and its encoding (right), where Y = {x i , x j , x k }.From the encoding, we can retrieve the initial heap by removing the memory cells corresponding to x i , x j and x k .By way of example, the first memory state satisfies the formulae x i = x j , x i → x k and x k → x k whereas its encoding satisfies the formulae n(x i ) = n(x j ), n(x i ) → n(x k ) and n(x k ) → n(x k ).For the memory state on the right, the simple formula below is satisfied: which is written Safe({x i , x j , x k }) in the next section.This is essential for the forthcoming encoding.

The translation
We are now ready to define the translation of a first-order formula in propositional separation logic extended with the three predicates introduced at the beginning of the section.Let φ be a closed formula of SL(∀, − * ) with quantified variables {x 1 , . . ., x q }.Without loss of generality, we can assume that distinct quantifications involve distinct variables.Moreover, let X = {x 1 , . . ., x 2q } and (.) be the involution on X such that for all i ∈ [1, q] x i def = x i+q .We write Safe(X ) to denote the formula below Safe(X The translation function T has two arguments: the formula in SL(∀, − * ) to be recursively translated and the total set of variables potentially appearing in the target formula (useful to check that Safe(X ) holds on every heap involved in the satisfaction of the translated formula).Let us come back to the definition of T(ψ , X ) (homomorphic for Boolean connectives) with the assumption that the variables in ψ are among x 1 , . . ., x q .T( Lastly, the translation T(ψ 1 − * ψ 2 , X ) is defined as where Z ⊆ {x 1 , . . ., x q } is the set of free variables in ψ 1 .Above, T(ψ 1 , X )[z ← z] denotes the formula obtained from T(ψ 1 , X ) obtained by replacing simultaneously all the variables x i ∈ X by x i .
Example 3.5.Assuming that q = 2, and therefore is defined as the formula below: Here is the main result of this section, which is essential for the correctness of the formula T SAT (φ), defined below.Lemma 3.6.Let X = {x 1 , . . ., x 2q }, Y ⊆ {x 1 , . . ., x q }, ψ be a formula in SL(∀, − * ) with free variables among Y that does not contain any bound variable of ψ and Proof.The proof is by induction on the structure of ψ .We start by proving the two base cases with the atomic formulae x i = x j and x i → x j .Actually, we shall take advantage of the formulae n(x i ) = n(x j ) and n(x i ) → n(x j ).
(1) Let ψ be x i = x j .We have {x i , x j } ⊆ Y ⊆ X and T(ψ , X ) = n(x i ) = n(x j ).The following equivalences hold.
• By definition, (s 1 , h 1 ) |= x i = x j if and only if s 1 (x i ) = s 1 (x j ).
• From the third condition in Definition 3.4, s 1 (x i ) = s 1 (x j ) if and only if • Lastly, by definition, (2) Let ψ be (x i → x j ).We have {x i , x j } ⊆ Y ⊆ X and T(ψ , X ) = n(x i ) → n(x j ).The following equivalences hold.
• From the third condition in the definition of ▷ Y q , we have We now consider the inductive step and we distinguish the different cases depending on the outermost connective.In order to be precise, we assume that the induction hypothesis is the following (the obvious one): given Y ⊆ {x 1 , . . ., x q }, (LOC 1 , s 1 , h 1 ) ▷ Y q (LOC 2 , s 2 , h 2 ) and a formula ψ in SL(∀, − * ) of size ≤ N and with free variables among Y , and Y does not contain any bound variable of ψ , we have (s 1 , h 1 ) |= ψ iff (s 2 , h 2 ) |= T(ψ , X ).In the induction step, we take a formula ψ of size N + 1.
Before treating the different cases, let us introduce the binary relation ▶ Y q defined as a slight variant of ▷ Y q (just the last condition is modified as well as the set of indices for the variables in Y ).So, given Y ⊆ {x q+1 , . . ., x 2q } (the variable indices are different) and two generalised memory states when the conditions below are satisfied: ( for all x y ∈ X , s 2 (x) s 2 (y), Given a set of variables Z ⊆ {x 1 , . . ., x q }, let Z def = {y | y ∈ Z }.One can show that properties below are equivalent: , then from the last two conditions of their definition it holds that (s 2 , h 2 ) |= Safe(X ) and for all x ∈ (X \ Z ), we have 2 ) and a formula ψ in SL(∀, − * ) with free variables among Z of size ≤ N , and Z does not contain any bound variable of ψ , we have x] (therefore both equivalent to (s 1 , h 1 ) |= ψ ).Actually, the above property is equivalent to the induction hypothesis.
Let us start the induction step now.The proofs for negation and conjunction are straightforward as the translation is homomorphic for Boolean connectives.
(3) Let ψ = ¬φ.So φ and ψ share the same set of free variables.We can therefore apply the induction hypothesis as shown below: It holds that the free variables of φ 1 or φ 2 are a subset of the free variables of φ 1 ∧ φ 2 .We can therefore apply the induction hypothesis as shown below: We now prove the result for ∀x i φ and φ 1 − * φ 2 .
(5) Let ψ = ∀ x i φ with x i Y and therefore by definition By definition, (s 1 , h 1 ) |= ∀x i φ if and only if for all locations ℓ ∈ LOC 1 , (s Let us now consider the generalised memory state are satisfied.By application of the induction hypothesis, we get that for all ℓ ∈ LOC 1 , we have Indeed, if ℓ ∈ LOC 1 then Safe(X ) and T(φ, X ) are both satisfied (for Safe(X ), remember that all locations in {s 2 (y) | y ∈ X } ∩ dom(h 2 ) already point to elements of LOC 1 , due to the fulfilment of the conditions in ▷ Y q ), otherwise whenever ℓ ∈ LOC 2 \ LOC 1 the premise of the implication does not hold and therefore the formula is trivially satisfied.Observe that (s 2 , {s 2 (x i ) → ℓ}) satisfies alloc(x i ) ∧ size = 1.Then, the last formula can be written as: By definition of |=, this is equivalent to where Z is the set of free variables in φ 1 .
Let h ′ 2 a heap that satisfies the premises of the implication.Since (s 2 , This entails that h ′ 2 can be written as Observe that h Z has domain included in LOC 2 and codomain included in LOC 1 whereas h ′ 1 has domain and codomain included in LOC 1 .Therefore, it holds that holds because h ′ 1 has domain and codomain included in LOC 1 and is a subset of h ′ 2 which is disjoint from h 2 , we can use the induction hypothesis and obtain that (s 2 , h 2 + h ′ 1 ) |= T(φ 2 , X ).It remains to establish that where Z is the set of free variables in φ 1 .
Let us show how to prove that (s 1 , h 1 ) |= φ 1 − * φ 2 , which by definition holds whenever for all heaps Moreover, by the induction hypothesis, we get Besides this, h 2 can be written as 2 ) also satisfies Safe(X ) and therefore this entails that We have just seen that h 2 + h ′ 2 can be written as , we can use the induction hypothesis to conclude that (s, We define the translation T SAT (φ) in SL( * , − * , ls) where T(φ, X ) is defined recursively.
The first two conjuncts specify initial conditions, namely each variable x in X is interpreted by a location that is unallocated, it is not in the heap range and it is distinct from the interpretation of all other variables; in other words, the value for x is isolated.Similarly, let T VAL (φ) be the formula in SL( * , − * , ls) defined by As a consequence of Lemma 3.6, φ and T SAT (φ) are shown equisatisfiable, whereas φ and T VAL (φ) are shown equivalid.

Expressing the auxiliary atomic predicates
To complete the reduction, we explain how to express the formulae alloc −1 (x), n(x) = n(y) and n(x) → n(y) within SL( * , − * , ls).Let us introduce a few macros that shall be helpful.
• Given φ in SL( * , − * , reach + ) and γ ≥ 0, we write [φ] γ to denote the formula It is easy to show that for any memory state (s, h), (s, h) γ can be used to ensure that the minimum path between two locations interpreted by program variables is of length γ .• We write reach(x, y) = γ to denote the formula [ls(x, y)] γ , which is satisfied in any memory state (s, h) where h γ (s(x)) = s(y).Lastly, we write reach(x, y) ≤ γ to denote the formula 0≤γ ′ ≤γ reach(x, y) = γ ′ .In order to define the existence of a predecessor (i.e.alloc −1 (x)) in SL( * , − * , ls), we need to take advantage of an auxiliary variable y whose value is different from the one for x.Let alloc −1 y (x) be the formula (I) For all memory states (s, h) such that s(x) s(y), we have (s, h) |= alloc −1 y (x) iff s(x) ∈ ran(h).(II) In the translation, alloc −1 (x) (with x ∈ X ) can be replaced with alloc −1  x (x).As stated in Lemma 3.8(II), we can exploit the fact that in the translation of a formula with variables in {x 1 , . . ., x q }, we use 2q variables that correspond to 2q distinguished locations in the heap in order to retain the soundness of the translation while using alloc −1  x (x) as alloc −1 (x).Proof.We recall that alloc −1 y (x) is equal to the formula below: Otherwise, there exists a location ℓ such that h(ℓ) = s(x), s(x) ℓ and s(y) ℓ.Let h ′ ⊑ h be the one-memory-cell heap such that h ′ (ℓ) = s(x).From the previous assumptions, it must hold that y is not allocated in h ′ .Let h ′′ be the one-memorycell heap such that h ′′ (s(y)) = ℓ.It holds that (s, h ′′ ) |= alloc(y) ∧ ¬y → x ∧ size = 1 and (s, Conversely, suppose that (s, h) |= alloc −1 y (x) and s(x) s(y).If x → x or y → x, then obviously, s(x) ∈ ran(h).Otherwise, suppose that (s, h) |= [(alloc(y)∧¬y → x∧size = 1)− ⊛reach(y, x) = 2] 1 .Then there must exist a one-memory-cell heap h ′ ⊑ h such that (s, h ′ ) |= (alloc(y) ∧ ¬y → x ∧ size = 1) − ⊛ reach(y, x) = 2. Since (s, h ′ ) |= (alloc(y) ∧ ¬y → x ∧ size = 1) − ⊛ reach(y, x) = 2, there exists a one-memory-cell heap h ′′ that allocates y and such that h ′′ (s(y)) s(x).As such, alloc(y) does not hold in (s, h ′ ) (otherwise h ′′ cannot be disjoint from h ′ ).The following picture represents all the memory states with one memory cell that do not satisfy alloc(y) and such that s(x) s(y).
x y x y x y x y x y x y x y Notice how s(x) ∈ ran(h) holds only for the second and the last memory state, where the second memory state satisfies x → x.Therefore, we just need to express exactly the latter one.Again, from (s, Therefore, from h ′ , it must be possible to allocate only s(y) and obtain a heap that satisfies reach(y, x) = 2 without satisfying y → x.This can be only realised for the last memory state in the picture.For (II), since by definition, x and x are interpreted by different locations, they satisfy the additional hypothesis s(x) s(y) (where y = x).Therefore, we can use one of these two variables to check if the other is in ran(h).As such, instead of alloc −1 (x) we can use alloc −1  x (x) in the translation.□ Moreover, alloc −1 y (x) allows to express in SL( * , − * , ls) whenever a location corresponding to a program variable reaches itself in exactly two steps (we use this property in the definition of n(x) → n(y)).We write x → 2 y x to denote the formula Lemma 3.9.For any memory state (s, h) such that s(x) s(y), we have Proof.So, let (s, h) be a memory state such that s(x) is distinct from s(y).First, we assume that h 2 (s(x)) = s(x) and h(s(x)) s(x).So, there is a location ℓ distinct from s(x) such that h(s(x)) = ℓ and h(ℓ) = s(x).Obviously, (s, h) |= ¬(x → x) as ℓ is distinct from s(x).Below, we distinguish two cases.
x y x y The last part of the formula, ⊤ − * ¬(reach(x, y) = 2 ∧ reach(y, x) = 2) allows to differentiate these two cases by excluding the left heap.Indeed, that very formula holds on (s, h ′ ) if and only if there is no heap h ′′ such that h ′′ ⊥h ′ and (s, h ′ + h ′′ ) |= reach(x, y) = 2 ∧ reach(y, x) = 2.This property holds on the right heap, as already discussed in the first part of the proof, but not on the left one, as can be shown by defining h ′′ as {h ′ (s(x)) → s(y), h ′ (s(y)) → s(x)}.□ Similarly to alloc −1 (x), we can show that n(x) → n(y) is definable in SL( * , − * , ls) by using one additional variable z whose value is different from both x and y.Let φ → (x, y, z) be (n(x) = n(y) ∧ φ = → (x, y, z)) ∨ (n(x) n(y) ∧ φ → (x, y)) where φ = → (x, y, z) is defined as whereas φ → (x, y) is defined as Lemma 3.11.Let x, y, z ∈ PVAR.
If one of the three first disjuncts of φ = → (x, y, z) holds, we have immediately {s(x), s(y)} ⊆ dom(h) and h(h(s(x))) = h(s(y)).The remaining case is when none of the three first disjuncts holds and therefore (s, h) which leads to a contradiction).We can assume that ℓ is distinct from s(x) as the first disjunct of φ = → (x, y, z) does not hold.Similarly, we have (s, h ′ ) |= ¬(x → z) ∧ ¬(reach(x, z) = 2), otherwise this is in contradiction with (s, h ′ ) |= ⊤ − * ¬reach(x, z) ≤ 3. Consequently, we are left with of the forms below for the heap h ′ (we also exclude the cases when both s(x) and s(y) are allocated in h ′ and does not point to the same location): Only the second memory state satisfies ⊤ − * ¬reach(x, z) ≤ 3.For the four other memory states, it is always possible to add memory cells so that there is a path of length less than three between s(x) and s(z).Consequently, h(h(s(x))) = h(s(x)).Moreover, (s, h) |= n(x) = n(y) implies from Lemma 3.10 that h(s(x)) = h(s(y)).h(h(s(x))) = h(s(y)) and {s(x), s(y)} ⊆ dom(h) follows.Case 2: (s, h) |= ¬n(x) = n(y) ∧ φ → (x, y).This implies s(x) s(y).If one of the three first disjuncts of φ → (x, y) holds, we have immediately {s(x), s(y)} ⊆ dom(h) and h(h(s(x))) = h(s(y)).The remaining case is when none of the three first disjuncts holds and (s, h) satisfies the fourth one.So, there is a heap h ′ ⊑ h with card(dom(h ′ )) = 3 such that (s, h ′ ) satisfies )) Since (s, h) |= ¬n(x) = n(y), the only memory states with three memory cells satisfying alloc(x) ∧ alloc(y) ∧ ( z,z ′ ∈ {x,y} ¬z → z ′ ) are the following (up to isomorphism with respect to {x, y}): x y x y x y x y x y x y x y x y x y x y x y x y x y x y x y x y The formula (size x y) is satisfied on heaps where there exists a way of adding a one-memory-cell heap h ′′ with s(y) ∈ ran(h ′′ ) and (h ′ + h ′′ ) 3 (s(x)) = s(y).This rules out all the memory states of the figure but the first and last one of the last row: x y x y Typically, h ′′ can only take the value {h ′ (h ′ (s(x))) → s(y)}.However, only the second memory state is able to verify the condition (s, h ′ + h ′′ ) |= y → 2 x y.Then h ′ (s(y)) = h ′ (h ′ (s(x))) and we conclude that {s(x), s(y)} ⊆ dom(h) and h(h(s(x))) = h(s(y)).
(II) It is easy to show that n(x) → n(x) will never occur in the translation.Indeed, by always translating formulae with variables in {x 1 , . . ., x q } we can only have n(x i ) → n(x j ) or n(x i ) → n(x j ) (the latter case due to the renaming in the translation of the left side of the magic wand).As such, φ → (x, y, x) can be used to check whenever n(x) → n(y).□ As for alloc −1 y (x), the properties of the translation imply the equivalence between n(x) → n(y) and φ → (x, y, x) (as stated in Lemma 3.11(II)).By looking at the formulae herein defined, the predicate reach only appears bounded, i.e. in the form of reach(x, y) = 2 and reach(x, y) = 3.The three new predicates can therefore be defined in SL( * , − * ) enriched with reach(x, y) = 2 and reach(x, y) = 3.

Undecidability results and non-finite axiomatization
It is time to collect the fruits of all our efforts and to conclude this part about undecidability.As a direct consequence of Corollary 3.7 and the undecidability of SL(∀, − * ), here is one of the main results of the paper.Theorem 3.12.The satisfiability problem for SL( * , − * , ls) is undecidable.
As a by-product, we get the following (negative) result.Theorem 3.13.The set of valid formulae for SL( * , − * , ls) is not recursively enumerable.
Indeed, suppose that the set of valid formulae for SL( * , − * , ls) were recursively enumerable, then one can enumerate the valid formulae of the form T VAL (φ) as it is decidable in PTime whether ψ in SL( * , − * , ls) is syntactically equal to T VAL (φ) for some SL(∀, − * ) formula φ.This leads to a contradiction since this would allow the enumeration of valid formulae in SL(∀, − * ).
Below, the essential ingredients to establish the undecidability of SL( * , − * , ls) allow us to propose several refinements.For instance, the key property remains on the fact that the following properties n(x) = n(y), n(x) → n(y) and alloc −1 (x) are expressible in the logic.Corollary 3.14.SL( * , − * ) augmented with built-in formulae of the form n(x) = n(y), n(x) → n(y) and alloc −1 (x) admits an undecidable satisfiability problem.
Corollary 3.14 can be refined a bit further by noting in which context the reachability predicates ls and reach are used in the formulae.This allows us to get the result below.Corollary 3.15.SL( * , − * ) augmented with built-in formulae of the form reach(x, y) = 2 and reach(x, y) = 3 admits an undecidable satisfiability problem.This is the addition of reach(x, y) = 3 that is crucial for undecidability since the satisfiability problem for SL( * , − * , reach(x, y) = 2) is in PSpace [16].
(II) Consequence of (I), as n(x) → n(y) can be expressed with ls.
(III) Consequence of (I), as n(x) → n(y) can be expressed with two quantified variables.
(IV) It is shown in [15] that SL(∀, − * ) restricted to two quantified variables is undecidable.The translation provided in Section 3.2 assumes that distinct quantifications involve distinct variables.In order to translate SL(∀, − * ) restricted to two quantified variables, it is necessary to give up that assumption and to update the definition of T. Actually, only the clause for formulae of the form ∀x i ψ requires a change (i ∈ {1, 2} and the formulae to be translated contains at most two variables).Here is the new value for T(∀x i ψ , X ): The proof of Lemma 3.6 can be updated accordingly.

DECISION PROCEDURES IN PSPACE FOR SL( * , reach + ) AND VARIANTS
As already seen in Section 2, SL( * , ls) can be understood as a fragment of SL( * , reach + ) and therefore we can focus on SL( * , reach + ) below.We show that the satisfiability problem for SL( * , reach + ) can be solved in polynomial space.Refining the arguments used in our proof, we also show that it is possible to push further the PSpace upper bound to the formulae expressible as a Boolean combination of the two fragments SL( * , reach + ) and SL( * , − * ).The latter logic is shown to be PSpace-complete in [25,37].
Our proof relies on a small heap property: a formula φ is satisfiable if and only if it admits a model with a polynomial amount of memory cells.The PSpace upper bound then follows by establishing that the model-checking problem for SL( * , reach + ) is in PSpace too.To establish the small heap property, an equivalence relation on memory states with finite index is designed, following the standard approach in [11,37] and using test formulae as in [5,16,19,25,26].

Introduction to test formulae
Before presenting the test formulae for SL( * , reach + ), let us recall the standard result for SL( * , − * ), that will also be used later on (see Theorem 4.15).Proposition 4.1.[25,37] Any formula φ in SL( * , − * ) built over variables in x 1 , . . .,x q is logically equivalent to a Boolean combination of formulae among size ≥ β, alloc(x i ), x i → x j and x i = x j with β ≥ 0 and i, j ∈ [1, q].The formulae of the form size ≥ β and alloc(x i ) are introduced in Section 2 and alloc(x i ) holds when s(x i ) belongs to the heap domain and size ≥ β holds when the heap has at least β memory cells.By way of example, (¬emp * (( As a corollary of the proof of Proposition 4.1, in size ≥ β we can enforce that β ≤ 2 × |φ| (rough upper bound) where |φ| is the size of φ (seen as a tree).Consequently, for any satisfiable formula φ in SL( * , − * ), there is a memory state with less that 2 × |φ| memory cells that satisfies it.Similar results will be shown for SL( * , reach + ) and for some of its extensions.
In order to define a set of test formulae that captures the expressive power of SL( * , reach + ), we need to study which basic properties on memory states can be expressed by formulae in SL( * , reach + ).For example, consider the memory states from Figure 3.The memory states (s 1 , h 1 ) and (s 2 , h 2 ) can be distinguished by the formula Indeed, (s 1 , h 1 ) satisfies this formula by considering a subheap that does not contain a path from s(x k ) to s(x i ), whereas it is impossible to find a subheap for (s 2 , h 2 ) that retains the path from s(x i ) x k Fig. 3. Memory states (s 1 , h 1 ), . . ., (s 4 , h 4 ) (from left to right) to s(x j ), the one from s(x j ) to s(x k ) but where the path from s(x k ) to s(x i ) is lost.This suggests that SL( * , reach + ) can express whether, for example, any path from s(x i ) to s(x j ) also contains s(x k ).
We will introduce the test formula sees q (x i , x j ) ≥ β to capture this property.
Similarly, the memory states (s 3 , h 3 ) and (s 4 , h 4 ) can be distinguished by the formula The memory state (s 3 , h 3 ) satisfies this formula by separating {ℓ → ℓ ′ } from the rest of the heap, whereas the formula is not satisfied by (s 4 , h 4 ).Indeed, there is no way to break the loop from s(x k ) to itself by removing just one location from the heap while retaining the path from s(x j ) to s(x k ) and loosing the path from s(x i ) to s(x k ).This suggests that the two locations ℓ and ℓ ′ are particularly interesting since they are reachable from several locations corresponding to program variables.Therefore by separating them from the rest of the heap, several paths are lost.In order to capture this, we introduce the notion of meet-points.Now, let us introduce further notations.Let Terms q be the set {x 1 , . . ., x q } ∪ {m q (x i , x j ) | i, j ∈ [1, q]} understood as the set of terms that are either variables or expressions denoting a meetpoint.We write [[x i ]] q s,h to denote s(x i ) and [[m q (x i , x j )]] q s,h to denote (if it exists) the first location reachable from s(x i ) that is also reachable from s(x j ).Moreover we require that this location can reach another location corresponding to a program variable.Formally, [[m q (x i , x j )]] q s,h is defined as the unique location ℓ such that Proof.Let ℓ 1 and ℓ 2 be two locations that satisfy the conditions of [[m q (x i , x j )]] q s,h .Let L min = min{n | h n (s(x i )) ∈ {ℓ 1 , ℓ 2 }}.By way of example h L min (s(x i )) = ℓ 1 and for all L ≥ 0, h L (s(x i )) = ℓ 2 implies L > L min .As ℓ 2 satisfies the conditions of [[m q (x i , x j )]] q s,h , this leads to a contradiction by the second condition.□ The notion of meet-point is quite natural for studying fragments of separation logic with ls.For instance, a similar notion of cut point, although satisfying different conditions, is considered for the fragments studied in [4].Figure 4 provides a taxonomy of meet-points, where arrows labelled by '+' represent paths of non-zero length and zig-zag arrows any path (possibly of length zero).Symmetrical cases, obtained by swapping x i and x j , are omitted.Following Figure 4, the taxonomy with three distinct shapes depends on the following conditions on [[m q (x i , x j )]] q s,h and s(x k ):

Fig. 4. A taxonomy of meet-points
• s(x k ) is not inside a loop iff h witnesses the first shape of the taxonomy.
q s,h iff h witnesses the third shape.Notice how the asymmetrical definition of meet-points is captured in the third case.Consider the memory states from Figure 3, (s 3 , h 3 ) and (s 4 , h 4 ) can be seen as an instance of this case of the taxonomy and, as such, it holds that [[m q (x i , x j )]] We identify as special locations the s(x i )'s and the meet-points of the form [[m q (x i , x j )]] q s,h when it exists (i, j ∈ [1, q]).We call such locations, labelled locations and denote by Labels q s,h the set of labelled locations.The following lemma states an important property of labelled locations: taking subheaps can only reduce their set.Lemma 4.3.Let (s, h) be a memory state, h ′ ⊑ h and q ≥ 1.It holds that Labels q s,h ′ ⊆ Labels q s,h .
Proof.Let ℓ ∈ Labels q s,h ′ .We want to prove that ℓ ∈ Labels q s,h .The only interesting case is when as (s, h) and (s, h ′ ) shares the same store and therefore the result is trivial for locations that correspond to the interpretation of program variables.So, suppose that ℓ = [[m q (x i , x j )]] q s,h ′ for some i, j.We just need to prove that there exist i Then, it holds that there is k ∈ [1, q] and L such that h L (ℓ) = s(x k ).As such, we only need to prove that that there exist i ⋆ , j ⋆ ∈ [1, q] such that there are We consider the taxonomy of m q (x i , x j ) shown in Figure 4, where (i), (ii) and (iii) refers to the categories in Figure 4 (from left to right).Based on the classification, [[m q (x i , x j )]] q s,h ′ = ℓ entails that the heap h ′ witnesses one of the situations among (i)-(iii).
If the heap h ′ belongs to (ii) or (iii), the variables x i and x j eventually reach a loop and this property is also satisfied by h.Hence, in h, the location ℓ is still the first location reachable from x i that is also reachable from x j and therefore i ⋆ = i and j ⋆ = j.
Alternatively, if h ′ belongs to (i), the heap h may belong to any of the three situations (i)-(iii) as far as ℓ is concerned.It is easy to see that in h, either ℓ = [[m q (x i , x j )]] q s,h or ℓ = [[m q (x j , x i )]] q s,h , which guarantees that ℓ is a labelled location in h.Let us justify this claim.As (i) holds, in h ′ there is a location ℓ ′ reachable from s(x k ) that is not in dom(h ′ ).We now consider how h extends h ′ .
• If h belongs to (i), then ℓ = [[m q (x i , x j )]] q s,h = [[m q (x i , x j )]] q s,h ′ .The same holds true if h extends h ′ by introducing a loop so that h belongs to (ii).
• If h extends h ′ by adding a path from ℓ ′ to a location in the path between s(x j ) to ℓ (ℓ excluded), q s,h ′ and h belongs to (iii).• Lastly, if h extends h ′ by adding a path from ℓ ′ to a location in the path between s(x i ) to ℓ (ℓ excluded), then h belongs also to (iii).Unlike the previous case however, we have Test formulae primarily speak about relationships between labelled locations and specific shapes of the heap.In order to highlight the properties expressible with these formulae, we introduce the notion of support graphs.Definition 4.4.Let q ≥ 1 and (s, h) be a memory state.Its support graph SG q (s, h) is defined as the tuple (V, E, Alloc, TEq, Interior, Rem) such that: Informally, E(ℓ, ℓ ′ ) if and only if there is a non-empty path from ℓ to ℓ ′ whose intermediate locations are not labelled.
• TEq : V → P(Terms q ), for any labelled location ℓ ∈ V, is the (non-empty) set of terms corresponding to ℓ. Formally, TEq(ℓ • Interior : E → P(LOC), for any (ℓ, ℓ ′ ) ∈ E, is the set of intermediate locations of the shortest path beginning in ℓ and ending with ℓ ′ .Formally, and for all Despite the definition of E, we need to keep the condition "for all L ′′ ∈ [1, L], h L ′′ (ℓ) V " in the definition of Interior(ℓ, ℓ ′ ) in order to handle the case when ℓ and ℓ ′ belongs to the same cycle.
e. the set of memory cells that are not labelled locations or in a path between labelled locations.
One can think of the support graph SG q (s, h) simply as a selection of properties from (s, h).Indeed, from its definition it is straightforward to see that {Alloc, Given q, α ≥ 1, we write Test(q, α) to denote the following set of atomic test formulae: where v, v ′ ∈ Terms q and β ∈ [1, α].It is worth noting that the alloc(v)'s are not needed for the logic SL( * , reach + ) but it is required for extensions.The formal semantics for the test formulae, given in terms of the elements from the support graph (V, E, Alloc, TEq, Interior, Rem) of a memory state (s, h), is the following: The semantics is deliberately defined with the help of support graphs.For instance the formula sees q (m q (x i , x j ), x k ) ≥ 4 is satisfied whenever [[m q (x i , x j )]] q s,h is defined and there is a path of length at least 4 beginning in this location, ending in s(x k ) and whose intermediate locations are not labelled.Notice that there is no need for test formulae of the form sees q (v, v ′ ) ≥ 1 since it is equivalent to v → v ′ ∨ sees q (v, v ′ ) ≥ 2. In the sequel, occurrences of sees q (v, v ′ ) ≥ 1 as understood as abbreviations.One can check whether [[m q (x i , x j )]] q s,h is defined thanks to the formula m q (x i , x j ) = m q (x i , x j ).The satisfaction of sees q (v, v ′ ) ≥ β + 1 entails the exclusion of labelled locations in the witness path, which is reminiscent to atomic formulae of the form T in the logic GRASS [30].Indeed, by way of example, x 1 h\x 3 − − → x 2 states that there is a path in the graph of the heap h that connects x 1 and x 2 without passing via x 3 .In the case of the satisfaction of sees q (v, v ′ ) ≥ β + 1, obviously we exclude labelled locations strictly between the interpretation of the terms v and v ′ .Our test formulae are quite expressive since they capture the atomic formulae from SL( * , reach + ) and the test formulae for SL( * , − * ) (introduced in Proposition 4.1).Lemma 4.5.Let α, q ≥ 1, i, j ∈ [1, q].Any atomic formula among reach + (x i , x j ), emp and size ≥ β (with β ≤ α), is equivalent to a Boolean combination of test formulae from Test(q, α).
Proof.Let q, α ≥ 1 and consider the family of test formulae Test(q, α).Let (s, h) be a memory state and SG q (s, h) = (V, E, Alloc, TEq, Interior, Rem) be its support graph.
• The formula reach + (x i , x j ) can be shown equivalent to First, suppose (s, h) |= reach + (x i , x j ).Then, there exists L ≥ 1 such that h L (s(x i )) = s(x j ).
Let ℓ 1 = s(x i ), ℓ n = s(x j ) and let ℓ 2 , . . ., ℓ n−1 ∈ Labels q s,h be all labelled locations in the path witnessing (s, h) |= reach + (x i , x j ), such that h L δ (ℓ δ ) = ℓ δ +1 , where L δ ≥ 1, and there are no labelled locations between ℓ δ and ℓ δ +1 , 1 ≤ δ ≤ n − 1 ≤ card(Labels q s,h ).The path from s(x i ) to s(x j ) is therefore uniquely split into n − 1 subpaths starting and ending with a labelled location and without labelled locations in between.Let v 1 = x i , v n = x j and v 2 , . . ., v n−1 ∈ Terms q be such that Then, there are v 1 , . . ., From the semantics of sees, this implies that there are L 1 , . . ., , where δ L δ ≥ 1 and reach + (x i , x j ) is satisfied.
• Lastly, we define size ≥ β, where β ∈ [1, α], that holds when the heap has at least β memory cells.Notice that, as emp is shown definable by a Boolean combination of test formulae, from Theorem 4.10(II) we can already conclude that there is a Boolean combination of test formulae equivalent to size ≥ β.Nevertheless, we explicitly define size ≥ β.To do so, let us first define sizeV q (v) ≥ β, with v ∈ Terms q : sizeV q (v) ≥ 0 is always true, sizeV q (v) ≥ 1 holds in a memory state (s, h) if and only if (s, h) |= alloc(v), whereas sizeV q (v) ≥ β + 1 holds if and only if there exists v ′ ∈ Terms q such that (s, h) From the definition of sees and meet-points, it follows that the locations considered for the satisfaction of sizeV q (v) ≥ β do not play any role in the satisfaction of sizeV q (v ′ ) ≥ β ′ , where Similarly, the locations considered for the satisfaction of this formula are not in Rem and therefore (s, h) |= sizeV q (v) ≥ β ∧ sizeR q ≥ β ′ implies card(dom(h)) ≥ β + β ′ .We can then use this formula to define size ≥ β as follows, where we write sizeR q ≥ 0 instead of x 1 = x 1 (any tautological Boolean combination of test formulae would be fine).
Suppose that this formula is satisfied by (s, h).Then there exists a subset of terms q s,h also follows (from the last conjunct of the formula).From the property just stated about sizeV q (v) ≥ β, it must therefore hold that card(dom(h)) Conversely, suppose card(dom(h)) ≥ β.We can define a partition h R + ℓ ∈Labels q s,h h ℓ = h such that each subheap h ℓ of the partition will contain exactly the locations of dom(h) considered for the satisfaction of test formulae sizeV q (v) ≥ β ′ , β ′ ∈ [0, α + 1], for a specific labelled location ℓ = [[v]] q s,h , whereas h R contains all the locations considered for the satisfaction of sizeR q ≥ β ′ , β ′ ∈ [0, α].Consider a representative v ∈ Terms q for each subheap h ℓ , where From the definition of V , it immediately holds that (s, h) |= v v ′ ∈V v v ′ .Lastly, from their definition, it holds that (s, h) |= sizeR q ≥ β R and for all v ∈ V (s, h) |= sizeV q (v) ≥ β v .We conclude that the formula defining size ≥ β is satisfied.□
• Let us consider the test formula v = v ′ .The statements below are equivalent: • Let us consider the test formula alloc(v).The statements below are equivalent: (by definition of |= and SG q (s ′ , h ′ )).
• Let us consider the test formula sees q (v, v ′ ) ≥ β + 1.The statements below are equivalent: • Let us consider the test formula sizeR q ≥ β.The statements below are equivalent: - , (by definition of |= and SG q (s ′ , h ′ )).□ We now state the key intermediate result of the section that can be viewed as a distributivity lemma.The expressive power of the test formulae allows us to mimic the separation between two equivalent memory states with respect to the relation ≈ q α .Separating conjunctions can therefore be eliminated from the logic in favour of test formulae, which is essential in the proof of Theorem 4.10(I), Lemma 4.8.Let q, α, α 1 , α 2 ≥ 1 with α = α 1 + α 2 and (s, h), (s ′ , h ′ ) be memory states such that (s, h) . Proof.Let q, α, α 1 , α 2 , (s, h), (s ′ , h ′ ), h 1 and h 2 be defined as in the statement.Let SG q (s, h) = (V, E, Alloc, TEq, Interior, Rem) and SG q (s ′ , h ′ ) = (V ′ , E ′ , Alloc ′ , TEq ′ , Interior ′ , Rem ′ ) be the support graphs of (s, h) and (s ′ , h ′ ) respectively, with respect to q.As (s, h) ≈ q α (s ′ , h ′ ), let f : V → V ′ be a map satisfying (A1)-(A5) from Lemma 4.7.Below, for conciseness, let k ∈ {1, 2}.
The proof is rather long and can be summed up in the following steps: (1) We first define a strategy to split h ′ into h ′ 1 and h ′ 2 by closely following the way that h is split into h 1 and h 2 .To do this, we look at the support graphs.For instance, suppose that Rem is split into two sets R 1 ⊆ dom(h 1 ) and R 2 ⊆ dom(h 2 ).By definition, it is quite easy to see that R 1 ⊆ Rem 1 and R 2 ⊆ Rem 2 , where Rem k is the last set in SG q (s, h k ) (this will be better formalised later).Then, following Lemma 4.7, to obtain (s, . Indeed, otherwise the equisatisfaction of the test formulae of the form sizeR q ≥ β is not ensured.
(2) After defining h ′ 1 and h ′ 2 , we show that (s, To do so, again, we follow Lemma 4.7 and show that we can find suitable bijections form labelled locations of h k to the ones of h ′ k satisfying (A1)-(A5).

Let us define explicitly h ′
1 and h ′ 2 via an iterative process that consists in adding locations to dom(h ′ 1 ) or to dom(h ′ 2 ).Whenever we enforce that ℓ ∈ dom(h ′ k ), implicitly we have . Indeed, this result directly follows from the property (A4) satisfied by f.Moreover, this means that a path between two labelled locations ℓ, ℓ ′ ∈ Labels q s,h is preserved in h k (meaning that all of its locations are assigned to h k ) if and only if the path from f(ℓ . This result directly follows from the property (A5) satisfied by f.The proof (that can be applied also for the previous step of the construction), works as follows.First, suppose that the sets of remaining locations in the heap domain is small, i.e. min(α, card(Rem)) = min(α, card(Rem ′ )) < α 1 + α 2 .

This ends the construction of h ′
1 and h ′ 2 as any location in dom(h ′ ) has been assigned to one of the two heaps.
In the following, let Thanks to Lemma 4.7, we can show that (s, h 1 ) ≈ q α 1 (s ′ , h ′ 1 ) and (s, h 2 ) ≈ q α 2 (s, h ′ 2 ), by finding, for each k ∈ {1, 2}, a map f k : V k → V ′ k satisfying (A1)-(A5) between SG q (s, h k ) and SG q (s, h ′ k ).Now, we prove that for each k ∈ {1, 2}, f k can be defined as the restriction of f to V k and V ′ k .The proof is divided in three parts.
(P1) We prove that f restricted to V k satisfies (A2) and (A3).Thanks to Lemma 4.3, it holds that V k ⊆ V and V ′ k ⊆ V ′ .Therefore, for the vertices of the support graphs, we just need to prove that for all ℓ ∈ V it holds that ℓ ∈ k holds trivially from the first point of the construction.Therefore, we only need to show that for all ℓ ∈ V, the set of terms corresponding to ℓ and f(ℓ) are identical.This also implies that ℓ ∈ V k iff f(ℓ) ∈ V ′ k , since V k and V ′ k are defined as the sets of all labelled locations of (s, h k ) and (s ′ , h ′ k ) respectively.Let ℓ ∈ V and i ∈ [1, q].It holds that x i ∈ TEq k (ℓ) if and only if s(x i ) = ℓ, or equivalently x i ∈ TEq(ℓ) which, by Lemma 4.7, holds whenever x i ∈ TEq ′ (f(ℓ)).The latter is equivalent to s ′ (x i ) = f(ℓ), or equivalently x i ∈ TEq ′ k (f(ℓ)).Now, we show that, for all i, j ∈ [1, q], m q (x i , x j ) ∈ TEq k (ℓ) if and only if m q (x i , Let z i (resp.z j ) be the program variable in {x 1 , . . ., x q } such that s(z i ) is the first location corresponding to a program variable that is reachable from [[m q (x i , x j )]] q s,h (resp.[[m q (x j , x i )]] q s,h ), itself included.This property of a program variable can be captured with the formula firstvar(m q (x i , x j ), z i ) defined as the following boolean combination of test formulae: x k v m Indeed, this formula is satisfied only by memory states where there is a (possibly empty) path from the location corresponding to m q (x i , x j ) to the location ℓ corresponding to z i so that each labelled location in the path, apart from ℓ, does not correspond to any program variable.We now recall the taxonomy of meet-points, where the rightmost case from Figure 4 is split into three cases, highlighting z i and z j .
x i m q (x i ,x j ) m q (x j ,x i ) We refer to these structures (from left to right) as (i)-(v).Distinct structures satisfy different test formulae (however they all satisfy firstvar(m q (x i , x j ), z i ) ∧ firstvar(m q (x j , x i ), z j )).
For instance, (i) is the only formula not satisfying reach + (z i , z i ) (recall that this formula can be expressed as a combination of test formulae, as shown in Lemma 4.5), whereas (ii) can be distinguished as the only formula satisfying both reach + (z i , z i ) and m q (x i , x j ) = m q (x j , x i ).Moreover, the last structure is the only one satisfying z i z j whereas (iii) and (iv) can be distinguished with a formula, similar to firstvar(m q (x i , x j ), z i ), stating that from the location corresponding to z i it is possible to reach the location corresponding to m q (x i , x j ) without reaching the location corresponding to m q (x j , x i ): Differently from (iii), the structure (iv) does not satisfy this formula.Since (s, h) ≈ q α (s ′ , h ′ ), the heaps h and h ′ agree on the structure of every meet-point.Thanks to the property of the construction shown in (C2) and from Lemma 4.3, we are able to prove that the same holds for h k and h ′ k .This implies that for all i, j ∈ [1, q], for all ℓ ∈ V , we have m q (x i , x j ) ∈ TEq k (ℓ) if and only if m q (x i , x j ) ∈ TEq ′ k (f(ℓ)).For this result we need to proceed by cases, accordingly to the taxonomy.Suppose that h (and therefore h ′ ) witnesses (i), (ii) or (iv).One of the following holds: • The path from s(x i ) to s(z i ) and the path from s(x j ) to s(z j ) are both preserved in h k .
Then h ′ k witnesses (i) (ii) or (iv).From the property of the construction the same holds for h ′ k .In every case ((i), (ii) and (iv)), it holds that [[m q (x i , x j )]] q s,h )).• The path from s(x i ) to s(z i ) or the path from s(x j ) to s(z j ) are not preserved in h k .Then, by the property of the construction the same holds for h ′ k with respect to (s ′ , h ′ ).By definition of meet-points, both [[m q (x i , x j )]] q s,h k and [[m q (x i , x j )]] q s ′ ,h ′ k are not defined.
If instead h and h ′ witness (iii) then one of the following holds: • h k also witnesses (iii), meaning that the path from s(x i ) to [[m q (x j , x i )]] q s,h and the path from s(x j ) to [[m q (x i , x j )]] q s,h are both preserved in h k .Then by the property of the construction shown in (C2), the heap h ′ k also witnesses (iii).Then, [[m q (x i , x j )]] • The path from s(x i ) to s(z i ) and the path from s(x j ) to s(z i ) are preserved in h k , whereas the path from s(z i ) to [[m q (x i , x j )]] q s,h is not preserved in h k (i.e. at least one of its location is assigned to the other heap h 3−k ).Then h k witnesses (i) and by definition of meet-points it holds that By the property of the construction (shown in (C2)) h ′ k also witnesses (i).Then, Then, we conclude that • The path from s(x i ) to s(z i ) or the path from s(x j ) to s(z i ) are not preserved in h k .Then, by the property of the construction the same holds for h ′ k with respect to (s ′ , h ′ ).By definition of meet-points, both [[m q (x i , x j )]] Lastly, suppose now that h and h ′ witness (v).One of the following holds: • The path from s(x i ) to s(z i ) and the path from s(x j ) to s(z i ) are both preserved in h k .Then, depending on whether or not the path from s(z i ) to [[m q (x j , x i )]] q s,h is also preserved, h ′ k witnesses (i) or (v).From the property of the construction the same holds for h ′ k (where h ′ k witnesses (i) iff h k witnesses (i)).In both cases ((i) and (v)), it holds that [[m q (x i , x j )]] q s,h )).• The path from s(x i ) to s(z j ) and the path from s(x j ) to s(z j ) are preserved in h k , whereas the path from s(z j ) to [[m q (x i , x j )]] q s,h is not preserved in h k .Then h k witnesses (i) and by definition of meet-points it holds that By the property of the construction (shown in (C2)), the heap h ′ k also witnesses (i).Then, Then, we conclude that q s,h )).• The path from s(x i ) to s(z j ) and the path from s(x j ) to s(z j ) are both not preserved in h k .
Then, by the property of the construction the same holds for h ′ k with respect to (s ′ , h ′ ).By definition of meet-points, both [[m q (x i , x We conclude that for every ℓ ∈ V, m q (x i , x j ) ∈ TEq k (ℓ) if and only if m q (x i , x j ) ∈ TEq ′ k (f(ℓ)).(P2) We show that (A1) and (A4) holds, i.e. for any ℓ, ℓ P1) it holds that f −1 (ℓ ′′ ) ∈ V k and therefore there exists an intermediate location in V k between ℓ to ℓ ′ , which leads to a contradiction.This proves that Recall that, from Lemma 4.3, labelled locations are only lost after splitting a heap into two subheaps.Some of the locations in Interior k (ℓ, ℓ ′ ) could therefore be labelled w.r.t.(s, h) (but not for (s, h k )).More precisely, this location corresponds to meet-points of h.Let ℓ 0 = ℓ, ℓ n+1 = ℓ ′ and without any loss of generality, let {ℓ 1 , . . ., ℓ n } = Interior k (ℓ, ℓ ′ ) ∩ V such that for all i ∈ [0, n] (ℓ i , ℓ i+1 ) ∈ E. So, {ℓ 1 , . . ., ℓ n } is a set of locations in Interior k (ℓ, ℓ ′ ) that corresponds to meet-points of (s, h).From (P1), a location ℓ ∈ as each path from ℓ i to ℓ i+1 in h is also a path h k and each path from f(ℓ i ) to f(ℓ i+1 ) in h ′ is also a path in h ′ k , as represented by the picture below where the arrow between two locations ℓ i and ℓ i+1 labelled by E means that E(ℓ i , ℓ i+1 ).
and card(Interior k (ℓ, ℓ ′ )) and card(Interior ′ k (f k (ℓ), f k (ℓ ′ ))) can be written respectively as card(Interior k (ℓ, ℓ If there exists i ∈ [0, n] such that card(Interior(ℓ i , ℓ i+1 )) ≥ α, then by the properties of f, it also holds card( In both cases, we conclude that ).Indeed, in the first case, the equivalence holds since α > α k , whereas in the second case, card(Interior k (ℓ, ℓ ′ )) and card(Interior ′ k (f k (ℓ), f k (ℓ ′ ))) are equal.This concludes the proof that the restriction of f to V k and V ′ k is a graph isomorphism between (V k , E k ) and (V ′ k , E ′ k ) satisfying the condition (A4) from Lemma 4.7.(P3) Lastly, we prove that (A5) holds, i.e. min(α k , card(Rem k )) = min(α k , card(Rem ′ k )).We take advantage of three intermediate results.
• First, we prove that for all ℓ ∈ V, we have ℓ ∈ Rem k if and only if f(ℓ) ∈ Rem ′ k .Suppose ℓ ∈ V.By Definition 4.4, it holds that ℓ ∈ Rem k if and only if ℓ V k and there is no path between two labelled locations ℓ ′ , ℓ ′′ ∈ V k such that ℓ ∈ Interior k (ℓ ′ , ℓ ′′ ).From (P1) and (C2), this holds if and only if f(ℓ) V ′ k and there is no path between two labelled locations ℓ ′ , ℓ ′′ ∈ V ′ k such that f(ℓ) ∈ Interior ′ k (ℓ ′ , ℓ ′′ ).Again, by Definition 4.4, this result holds whenever f and since for all locations ℓ, we have ℓ ∈ Alloc if and only if f(ℓ) ∈ Alloc ′ , it also holds that card(Rem are not in V k .Moreover, for the same reason, h k does not contain any path between two locations ℓ 1 , ℓ 2 ∈ V k such that Interior(ℓ, ℓ ′ )∩dom(h k ) ⊆ Interior k (ℓ 1 , ℓ 2 ).By (P1) and (C2) it must hold that h ′ k does not contain any path between two locations ℓ . Indeed, if such a path exists then, for (C2) there would be a path from f −1 (ℓ ′ 1 ) to f −1 (ℓ ′ 2 ) in h k that contains all the locations in Interior(ℓ, ℓ ′ ) and therefore these locations would not be in Rem k .Hence, we conclude that Interior The converse follows by using a similar argument.
Indeed, this is immediate as, if a location in dom(h) is in Rem and in dom(h k ) then it cannot be in dom(h k ) \ Rem k , since h k ⊑ h and therefore will be in Rem k .The same holds true for Rem ′ , h ′ and h ′ k .We can now prove that min(α k , card(Rem k )) = min(α k , card(Rem ′ k )).First of all, the following properties can be easily shown from the definition of support graphs: Therefore, it is easy to show that Rem k and Rem ′ k can be decomposed respectively as follows Following the three previous intermediate results, (C2) and (C3), we show below that min(α k , card(Rem k )) = min(α k , card(Rem ′ k )).It is easy to show that the following set of equalities holds and the same can be done for min . This implies, for the second intermediate result, that I = I ′ .Furthermore, from (C3), it follows also that R ).This concludes the proof: for the support graphs of h k and h ′ k , f restricted to the domain V k and the codomain V ′ k satisfies all conditions of Lemma 4.7 with respect to α k .Therefore it holds that (s, h 1 ) ≈ q α 1 (s ′ , h ′ 1 ) and (s, h 2 ) ≈ q α 2 (s ′ , h ′ 2 ).□ Thanks to Lemma 4.8, we can now characterise every formula of SL( * , reach + ) by a Boolean combination of test formulae in Test(q, α), where α is related to the memory size msize(φ) of a formula φ in SL( * , reach + ) defined as follows (see also [37]): We have 1 ≤ msize(φ) ≤ |φ|, where |φ| is the tree size of φ.Below, we establish the characterisation of SL( * , reach + ) formulae in terms of test formulae.Theorem 4.9.Let φ be in SL( * , reach + ) built over the variables x 1 , . . ., x q .For all α ≥ msize(φ) and all memory states (s, h), (s ′ , h ′ ) such that (s, h) Proof.Assume that φ is a formula with msize(φ) ≤ α and (s, h) ≈ q α (s ′ , h ′ ).By structural induction we show that (s, h) |= φ iff (s ′ , h ′ ) |= φ.It is sufficient to establish one direction of the equivalence thanks to its symmetry.
The basic cases for the atomic formulae x i → x j and x i = x j are immediate since these are test formulae.For emp and reach + (x i , x j ) we use directly Lemma 4.5.Suppose ψ = emp.Then msize(ψ ) = 1 ≤ α and we can express emp with the Boolean combination of test formulae Similarly, suppose that ψ = reach + (x i , x j ).Then msize(ψ ) = 1 ≤ α and we can express ψ with the Boolean combination of test formulae: v 1 , ...,v n ∈Terms q , pairwise distinct v 1 , ...,v n−1 , x i =v 1 ,x j =v n δ ∈[1,n−1] sees q (v δ , v δ +1 ) ≥ 1.
Since Test(q, α) is a finite set, LIT(s, h) is finite too and let us consider the well-defined formula ψ ∈LIT(s,h) ψ .We have the following equivalence: The expression ψ ′ def = (s,h) |=φ ( ψ ∈LIT(s,h) ψ ) is equivalent to a Boolean combination φ ′ of formulae from Test(q, α) because LIT(s, h) ranges over the finite set of elements from Test(q, α) (just select a finite amount of disjuncts).By Theorem 4.9, the formula φ is logically equivalent to ψ ′ , which concludes the proof.Indeed, suppose that (s, h) |= φ.Obviously, we get (s, h) |= ψ ∈LIT(s,h) ψ and therefore (s, h) |= ψ ′ .Conversely, suppose that (s, h) |= ψ ′ .This means that there is a memory state (s ′ , h ′ ) such that (s ′ , h ′ ) |= φ and (s, h) |= ψ ∈LIT(s ′ ,h ′ ) ψ .Since (s, h) ≈ q α (s ′ , h ′ ), msize(φ) ≤ α and (s ′ , h ′ ) |= φ, by Theorem 4.9 we get (s, h) |= φ. □ It is now possible to establish a small heap property of SL( * , reach + ) by inheriting it from the small heap property for Boolean combinations of test formulae, which is analogous to the small model property for other theories of singly linked lists, see e.g.[14,31].Indeed, following Lemma 4.7, now it is straightforward to derive an upper bound on the size of a small model satisfying a formula in SL( * , reach + ).
Let P(q, n) be the polynomial (q 2 + q) • (n + 1) + n used in the sequel.
Proof.Let φ be a formula built over x 1 , . . ., x q with α = msize(φ) ≤ |φ| and let (s, h) be a memory state satisfying φ.Let (V, E, Alloc, TEq, Interior, Rem) be equal to SG q (s, h) with respect to q and ℓ * be an arbitrary location not in the domain of h.We construct a heap h ′ such that card(dom(h ′ )) ≤ P(q, |φ|) and (s, h ′ ) |= φ.
(1) Let R ⊆ Rem be a set of min(α, card(Rem)) locations.For all ℓ ∈ Rem, ℓ ∈ dom(h ′ ) def ⇔ ℓ ∈ R and for all ℓ ∈ R, we have h ′ (ℓ) def = ℓ * .As it will be soon clear, these locations in R will happen to be the only ones in Rem ′ (from h ′ ).In that way, (s, h) and (s, h ′ ) shall agree on all test formulae of the form sizeR q ≥ β with β ∈ [1, α].
(3) Lastly, for all ℓ ∈ Alloc, h ′ (ℓ) def = h(ℓ) and therefore ℓ ∈ dom(h ′ ).So, for all v ∈ Terms q (s, h ′ ) |= alloc(v) if and only if (s, h) |= alloc(v).After this step, this implies that the two memory states satisfy the same set of test formulae.Note that in the computation of the upper bound, there is no need to take into account the location introduced in this step, since the upper bound mentioned in the previous step already includes this case.It follows that h ′ is a heap such that card(dom(h ′ )) ≤ (q 2 + q) • (|φ| + 1) + |φ| and (s, h ′ ) |= φ. □
Proof.Let φ be a formula in SL( * , reach + ) built over x 1 , . . ., x q .By Theorem 4.11, φ is satisfiable if and only if there is a memory state satisfying φ with card(dom(h)) ≤ P(q, |φ|).The non-deterministic polynomial-space algorithm (leading to the PSpace upper bound by Savitch Theorem [33]) works as follows.First, guess a heap h with card(dom(h)) ≤ P(q, |φ|) and dom(h)∪ran(h) ≤ 2 × P(q, |φ|) and a store restricted to x 1 , . . ., x q such that ran(s) ≤ 2 × P(q, |φ|) + q (in the worst case all the variables have different values, and the memory cells have different values too).
Then, checking whether (s, h) |= φ can be done in polynomial-space as for the standard SL( * ) by using a recursive algorithm that internalises the semantics (see e.g.[12]): the recursive depth is linear and at each call, the algorithm uses at most linear space in the size of (s, h) and φ, which is polynomial in |φ|.We only need to guarantee that (s, h) |= reach + (x, y) can be checked in polynomial space, actually this can be done in polynomial time in the size of (s, h), that is therefore in polynomial space in |φ|.□ Besides, we may consider restricting the usage of Boolean connectives.Let us briefly define the symbolic heap fragment formulae φ as conjunctions Π ∧ Σ where Π is a pure formula and Σ is a spatial formula Σ: As usual, x i → x j is interpreted as the exact points-to relation.We write Bool(SHF) to denote the set of Boolean combinations of formulae from the symbolic heap fragment [2].A PTime upper bound for the entailment/satisfiability problem for the symbolic heap fragment is successfully solved in [13,20], whereas the satisfiability problem for a slight variant of Bool(SHF) is shown in NP in [30,Theorem 4].This NP upper bound can be obtained as a by-product of Theorem 4.11.
Proof.The NP-hardness is obtained thanks to the presence of equalities and Boolean connectives.As far as the complexity upper bound is concerned, let φ be a Boolean combination of pure or spatial formulae built over x 1 , . . ., x q .By Theorem 4.11, φ is satisfiable iff there is (s, h) satisfying φ with card(dom(h)) ≤ P(q, |ψ |), where ψ is the translation of φ where • every occurrences of x i → x j is rewritten as the equivalent formula x i → x j ∧ size = 1, and • every ls(x i , x j ) is rewritten as the equivalent formula (x i = x j ∧ emp) ∨ (x i x j ∧ reach + (x i , x j ) ∧ ¬(¬emp * reach + (x i , x j ))).
This technicality is introduced as Theorem 4.9 requires φ to be in SL( * , reach + ) and, as such, the formula ψ is not then used to check for satisfiability.The non-deterministic polynomial-time algorithm works as follows.Similarly to the proof of Theorem 4.12, guess a heap h with card(dom(h)) ≤ P(q, |ψ |), dom(h) ∪ ran(h) ≤ 2 × P(q, |ψ |) and a store restricted to x 1 , . . ., x q and such that ran(s) ≤ 2 × P(q, |ψ |) + q.Then, confirming that the valuation is correct can be done in PTime: checking whether a pure formula is satisfied by (s, h) can be done in linear time.Similarly, checking whether a spatial formula Σ is satisfied by (s, h) can be done in PTime [2, Lemma 1].So, the satisfiability problem for Boolean combinations of symbolic heap fragment formulae can be solved in NP. □ We have seen that we can take advantage of the small heap property to derive complexity results for fragments of SL( * , reach + ).However, it is also possible to push further the PSpace upper bound by allowing occurrences of − * in a controlled way (as unrestricted use of the magic wand leads to undecidability, see Theorem 3.12).The following result can be shown thanks to Proposition 4.1 and Lemma 4.5.Lemma 4.14.Let φ be in SL( * , − * ) built over x 1 , . . ., x q .The formula φ is logically equivalent to a Boolean combination of test formulae from Test(q, |φ|).
Proof.First, translate φ into a Boolean combination of formulae from as stated in Proposition 4.1.Then, rewrite every occurrences of size ≥ β into the equivalent Boolean combination of test formulae shown in Lemma 4.5.The resulting formula is in Test(q, |φ|).□ Let SL( * , reach + , q,α Test(q, α)) be the extension of SL( * , reach + ) augmented with the test formulae.The memory size function is extended as follows.