Satisfiability Modulo Heap-Based Programs Quang Loc Le1(B) , Jun Sun1 , and Wei-Ngan Chin2 1 Singapore University of Technology and Design, Singapore, Singapore lequangloc@gmail.com 2 National University of Singapore, Singapore, Singapore Abstract. In this work, we present a semi-decision procedure for a fragment of separation logic with user-defined predicates and Presburger arithmetic. To check the satisfiability of a formula, our procedure iteratively unfolds the formula and examines the derived disjuncts. In each iteration, it searches for a proof of either satisfiability or unsatisfiability. Our procedure is further enhanced with automatically inferred invariants as well as detection of cyclic proof. We also identify a syntactically restricted fragment of the logic for which our procedure is terminating and thus complete. This decidable fragment is relatively expressive as it can capture a range of sophisticated data structures with non-trivial pure properties, such as size, sortedness and near-balanced. We have implemented the proposed solver and a new system for verifying heap-based programs. We have evaluated our system on benchmark programs from a software verification competition. Keywords: Decision procedures · Satisfiability Inductive predicates · Cyclic proofs 1 · Separation logic · Introduction Satisfiability solvers, particularly those based on Satisfiability Modulo Theory (SMT) technology [3,19], have made tremendous practical advances in the last decade to the point where they are now widely used in tools for applications as diverse as bug finding [27], program analyses [4] to automated verification [2]. However, current SMT solvers are based primarily on first-order logic, and do not yet cater to the needs of resource-oriented logics, such as separation logic [26,40]. Separation logic has recently established a solid reputation for reasoning about programs that manipulate heap-based data structures. One of its strengths is the ability to concisely and locally describe program states that hold in separate regions of heap memory. In particular, a spatial conjunction (i.e., κ1 ∗κ2 ) asserts that a given heap can be decomposed into two disjoint regions and the formulas, κ1 and κ2 , hold respectively and separately in the two memory regions. In this work, we investigate the problem of verifying heap-manipulating programs in the c Springer International Publishing Switzerland 2016  S. Chaudhuri and A. Farzan (Eds.): CAV 2016, Part I, LNCS 9779, pp. 382–404, 2016. DOI: 10.1007/978-3-319-41528-4 21 Satisfiability Modulo Heap-Based Programs 383 framework of SMT. We reduce this problem to solving verification conditions representing precise program semantics [9,10,22,44]. Developing an SMT solver supporting separation logic with inductive predicates and Presburger arithmetic is challenging as the satisfiability problem for this fragment is undecidable [30,31]. We focus on an expressive fragment which consists of spatial predicates expressing empty heap assertion (emp), points-to assertion (x→c(v̄)), and inductive predicate assertions (P(v̄)). Moreover, it may include pure constraints on data values and capture desired properties of structural heaps (such as size, height, sortedness and even near-balanced tree properties). We thus face the challenge of handling recursive predicates with pure properties, that are inherently infinite. Furthermore, we would like to support both satisfiability (SAT) and unsatisfiability (UNSAT) checks. There have been a number of preliminary attempts in this direction. For instance, early proposals fixed the set of shape predicates that may be used, for example, to linked lists (in SeLoger [17,23], and SLLB [34]) or trees (GRIT [36]). There are few approaches supporting user-defined predicates [14,25,39]. Brotherston et al. recently made an important contribution by introducing SLSAT, a decision procedure for a fragment of separation logic with arbitrary shape-only inductive predicates [12]. However, SLSAT is limited to the shape domain, whereas shape predicates extended with pure properties are often required for automated verification of functional correctness. In this paper, we start by proposing a new procedure, called S2SAT, which combines under-approximation and over-approximation for simultaneously checking SAT and UNSAT properties for a sound and complete theory augmented with inductive predicates. S2SAT takes a set of user-defined predicates and a logic formula as inputs. It iteratively constructs an unfolding tree by unfolding the formula in a breadth-first, flow- and context-sensitive manner until either a symbolic model, or a proof of unsatisfiability or a fixpoint (e.g., a cyclic proof) is identified. In each iteration, it searches over the leaves of the tree (the disjunction of which is equivalent to the input formula) to check whether there is a satisfiable leaf (which proves satisfiability) or whether all leaves are unsatisfiable. In particular, to prove SAT, it considers base disjuncts which are derived from base-case branches of the predicates. These disjuncts are under-approximations of the input formula and critical for satisfiability. Disjuncts which have no inductive predicates are precisely decided. To prove UNSAT, S2SAT over-approximates the leaves prior to prove UNSAT. Our procedure systematically enumerates all disjuncts derived from a given inductive formula, so it is terminating for SAT. However, it may not be terminating for UNSAT with those undecidable augmented logic. To facilitate termination, we propose an approach for fixpoint computation. This fixpoint computation is useful for domains with finite model semantics i.e., collecting semantics for a given formula of such domains is finite. In other words, the input formula is unsatisfiable when the unfolding goes on forever without uncovering any models. We have implemented one instantiation of the fixpoint detection for inductive proving based on cyclic proof [13] s.t. the soundness of the cyclic proof guarantees the well-foundedness of all reasoning. 384 Q.L. Le et al. Fig. 1. Motivating example. To explicitly handle heap-manipulating programs, we propose a separation logic instantiation of S2SAT, called S2SATSL . Our base theory is a combination of the aforementioned separation logic predicates except inductive predicates. We show that our decision procedure for this base theory is sound and complete. S2SATSL over-approximates formulas with soundly inferred predicate invariants. In addition, we describe some syntax restrictions such that S2SATSL is always able to construct a cyclic proof for a restricted formula so that our procedure is terminating and complete. To summarize, we make the following technical contributions in this work. – We introduce cyclic proof into a satisfiability procedure for a base theory augmented with inductive predicates (refer to Sect. 3). – We propose a satisfiability procedure for separation logic with user-defined predicates and Presburger arithmetic (Sect. 4). – We prove that S2SATSL is: (i) sound for SAT and UNSAT; (ii) and terminating (i.e., proposing a new decision procedure) for restricted fragments (Sect. 5). – We present a mechanism to automatically derive sound (over-approximated) invariants for user-defined predicates (Sect. 6). – We have implemented the satisfiability solver S2SATSL and the new verification system, called S2td . We evaluated S2SATSL and S2td with benchmarks from recent competitions. The experimental results show that our system is expressive, robust and efficient (Sect. 7). Proofs of Lemmas and Theorems presented in this paper are available in the companion technical report [30]. 2 Illustrative Example We illustrate how our approach works with the example shown in Fig. 1. Our verification system proves that this program is memory safe and function ERROR() (line 5) is never called. Our system uses symbolic execution in [6,14] and large-block encoding [8] to provide a semantic encoding of verification conditions. For safety, one of the generated verification conditions is: Δ0 ≡ ll(n,x)00 ∗test(x,r1 )10 ∧n≥0∧r1 =0. If Δ0 is unsatisfiable, function ERROR() is never called. In Δ0 , ll and test are Interprocedural Control Flow Graph (ICFG) Satisfiability Modulo Heap-Based Programs 385 of the functions ll and test. Our system eludes these ICFGs as inductive predicates. For each predicate, a parameter res is appended at the end to model the return value of the function; for instance, the variables x (in ll) and r1 (in test) of Δ0 are the actual parameters corresponding to res. Each inductive predicate instance is also labeled with a subscript for the unfolding number and a superscript for the sequence number, which are used to control the unfolding in a breadth-first and flow-sensitive manner. To discharge Δ0 , S2SATSL iteratively derives a series of unfolding trees Ti . An unfolding tree is a tree such that each node is labeled with an unfolded disjunct, corresponding to a path condition in the program. We say that a leaf of Ti is closed if it is unsatisfiable; otherwise it is open. During each iteration, S2SATSL either proves SAT by identifying a satisfiable leaf of Ti which contains no user-defined predicate instances or proves UNSAT by showing that an overapproximation of all leaves is unsatisfiable. Initially, T0 contains only one node Δ0 . As Δ0 contains inductive predicates, it is not considered for proving SAT. S2SATSL then over-approximates Δ0 to a first-order logic formula by substituting each predicate instance with its corresponding sound invariants in order to prove UNSAT. We assume that ll (resp. test) is annotated with invariant i≥0 (resp. 0≤res≤1). Hence, the over-approximation of Δ0 is computed as: π0 ≡n≥0∧0≤r1 ≤1∧n≥0∧r1 =0. Formula π0 is then passed to an SMT solver, such as Z3 [19], for unsatisfiable checking. As expected, π0 is not unsatisfiable. Next, S2SATSL selects an open leaf for unfolding to derive T1 . A leaf is selected in a breadth-first manner; furthermore a predicate instance of the selected leaf is selected for unfolding if its sequence number is the smallest. With Δ0 , the ll instance is selected. As so, T1 has two open leaves corresponding to two derived disjuncts: Δ11 ≡test(x,r1 )10 ∧n≥0∧r1 =0∧n=0∧x=null Δ12 ≡x→node(n,r2 )∗ll(n1 ,r2 )01 ∗test(x,r1 )10 ∧n≥0∧r1 =0∧n=0∧n1 =n−1 Since Δ11 and Δ12 include predicate instances, they are not considered for SAT. To prove UNSAT, S2SATSL computes their over-approximated invariants: π11 ≡0≤r1 ≤1∧n≥0∧r1 =0∧n=0∧x=null π12 ≡x=null∧n1 ≥0∧0≤r1 ≤1∧n≥0∧r1 =0∧n=0∧n1 =n−1 As neither π11 nor π12 is unsatisfiable, selects test of Δ11 for unfolding ∆0 to construct T2 . For efficiency, unfolding is performed in a context-sensitive manner. A ∆11 ∆12 branch is infeasible (and pruned in advance) if its invariant is inconsistent with the (over∆32 ∆33 approximated) context. For instance, the invariant of the then branch at line 12 of test is invtesto ≡p=null∧res=1. As invtesto (after Fig. 2. Unfolding tree T3 . proper renaming) is inconsistent with π11 , this branch is infeasible. Similarly, both else branches of test are infeasible. For T3 , S2SATSL 386 Q.L. Le et al. the remaining leaf Δ12 is selected for unfolding. As the test’s unfolding number is smaller than ll’s, test is selected. After the then branch is identified as infeasible and pruned, T3 is left with two open leaves as shown in Fig. 2, where infeasible leaves are dotted-lined. Δ32 and Δ33 are as below. ∆32 ≡x→node(n,r2 )∗ll(n1 ,r2 )01 ∧n≥0∧r1 =0∧n=0∧n1 =n−1∧x=null∧n<0∧r1 =0 ∆33 ≡x→node(n,r2 )∗ll(n1 ,r2 )01 ∗test(r2 ,r1 )11 ∧n≥0 ∧ r1 =0∧n=0∧n1 =n−1 ∧x=null∧n≥0 As Δ32 and Δ33 include inductive predicate instances, SAT checking is not applicable. For UNSAT checking, S2SATSL proves that Δ32 is unsatisfiable (its unsatisfiable cores are underlined as above); and shows that Δ33 can be linked back to Δ0 (i.e., subsumed by Δ0 ). The latter is shown based on some weakening and substitution principles (see Sect. 4.2). In particular: (i) Substituting Δ33 with θ=[n2 /n,x1 /x,n/n1 ,x/r2 ] such that predicate instances in the substituted formula, i.e., Δ33a , and Δ0 are identical; as such, Δ33a is computed as below. Δ33a ≡x1 →node(n2 ,x)∗ll(n,x)01 ∗test(x,r1 )11 ∧n2 ≥0∧r1 =0∧n2 =0∧n=n2 −1 ∧x1 =null∧n2 ≥0 (ii) subtracting identical inductive predicates between Δ33a and Δ0 ; (iii) weakening the remainder of Δ33a (i.e., x1 →node(n2 ,x) is eliminated); (iv) checking validity of the implication between pure of the remainder of Δ33a with the pure part of the remainder of Δ0 , i.e., n2 ≥0∧r1 =0∧n2 =0∧n=n2 −1∧ x1 =null∧n2 ≥0 =⇒ n≥0∧r1 =0. The back-link between Δ33 and Δ0 establishes a cyclic proof which then proves Δ0 is unsatisfiable. Algorithm 1. S2SAT Procedure. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 input : λind output: SAT or UNSAT i←0; T0 ←{λind } ; while true do (is sat,Ti ) ← UA test(Ti ) ; if is sat then return SAT ; else Ti ←OA test(Ti ) ; Ti ←link back(Ti ) ; if is closed(Ti ) then return UNSAT; else λind i ←choose bfs(Ti ) ; i←i+1 ; Ti ←unfold(λind i ); end end end /* initialize */ /* check SAT */ /* SAT */ /* prune UNSAT */ /* detect fixpoint */ /* UNSAT */ /* choose an open leaf */ Satisfiability Modulo Heap-Based Programs 3 S2SAT 387 Algorithm In this section, we present S2SAT, a procedure for checking satisfiability of formula with inductive predicates. We start by defining our target formulas. Let L be a base theory (logic) with the following properties: (i) L is closed under propositional combination and supports boolean variables; (ii) there exists a complete decision procedure for L. Let Lind be the extension of L with inductive predicate instances defined in a system with a set of predicates P={P1 , ..., Pk }. Each predicate may be annotated with a sound invariant. We use λ to denote a forind to denote a formula in the extended theory. Semantically, mula in nL and λ ind λ ≡ i=0 λi , n≥0. S2SAT is presented in Algorithm 1. S2SAT takes a formula λind as input, systematically enumerates disjuncts λi and can produce two possible outcomes if it terminates: SAT with a satisfiable formula λi or UNSAT with a proof. We remark that non-termination is classified as UNKNOWN. S2SAT maintains a set of open leaves of the unfolding tree Ti that is derived from λind . In each iteration, S2SAT selects and unfolds an open leaf so as either to include more reachable base formulas (with the hope to produce a SAT answer), or to refine inductive formulas (with the hope to produce an UNSAT answer). Specially, in each iteration, S2SAT checks whether the formula is SAT at line 3; whether it is UNSAT at line 6; whether a fixpoint can be established at line 7. Function UA test searches for a satisfiable base disjunct (i.e., is sat is set to true). Simultaneously, it marks all unsatisfiable base disjuncts closed. Next, function OA test uses predicate invariants to over-approximate open leaves of Ti , and marks those with an unsatisfiable over-approximation closed. After that, function link back attempts to link remaining open leaves back to interior nodes so as to form a fixpoint (i.e., a (partial) pre-proof for induction proving). The leaves which have been linked back are also marked as closed. Whenever all leaves are closed, S2SAT decides λind as UNSAT (line 8). Otherwise, the choose bfs (line 10) chooses an open leave in breadth-first manner for unfolding. Procedure link back takes the unfolding tree Ti as input and checks whether bud comp in Ti via each open leaf λind ∈Ti matches with one interior node λind a matching function ffix . ffix is based on weakening and substitution principles [13]. Intuitively, ffix detects the case of (i) the unfolding goes forever if bud bud comp has no model when λind has no we keep unfolding λind ; and (ii) λind bud ind comp bud model. If ffix (λ ,Δ )=true , Δ is marked closed. Our procedure systematically enumerates all disjuncts derived from a given inductive formula, so it is terminating for SAT. However, it may not be terminating for UNSAT with those undecidable augmented logic. In the next paragraph, we discuss the soundness of the algorithm. Soundness. When S2SAT terminates, there are the following three cases. – (case A) S2SAT produces SAT with a base satisfiable λind i ; 388 Q.L. Le et al. – (case B) S2SAT produces UNSAT with a proof that all leaves of Ti are unsatisfiable; – (case C) S2SAT produces UNSAT with a fixpoint: a proof that some leaves of Ti are unsatisfiable and the remaining leaves are linked back. Under the assumption that L is both sound and complete, case A can be shown to be sound straightforwardly. Soundness of case B immediately follows the soundness of OA test. In the following, we describe the cyclic proof instantiation of link back for fixpoint detection and prove the soundness of case C. We use CYCLIC to denote the cyclic proof for entailment procedure adapted from [13]. The following definitions are adapted from their analogues of CYCLIC. Definition 1 (Pre-Proof ). A pre-proof derived for a formula λind is a pair (Ti , L) where Ti is an unfolding tree whose root labelled by λind and L is a backlink function assigning every open leaf λind l of Ti to an interior node λind c = L(λind l ) such that there exists some substitution θ i.e., λind c = λind l [θ]. λind l is referred as a bud and λind c is referred as its companion. A path in a pre-proof is a sequence of nodes (λind i )i≥0 . Definition 2 (Trace). Let (λind i )i≥0 be a path in a pre-proof PP. A trace following (λind i )i≥0 is a sequence (αi )i≥0 such that, for all i≥0, αi is a predicate instance P(t̄) in the formula λind i , and either: 1. αi+1 is the subformula according to P(t̄) occurrence in λind i+1 , or 2. λind i [t̄/v̄] where λind i is branches of inductive predicate P(v̄). i is a progressing point of the trace. To ensure that pre-proofs correspond to sound proofs, a global soundness condition must be imposed on such pre-proofs as follows. Definition 3 (Cyclic Proof ). A pre-proof is a cyclic proof if, for every infinite path (λind i )i≥0 , there is a tail of the path p=(λind i )i≥n such that there is an infinitely progressing trace following p. Theorem 1 (Soundness). If there is a cyclic proof of λind 0 , λind 0 is UNSAT. Proof. We reduce our cyclic proof problem for satisfiability to the cyclic proof problem for entailment check, i.e., λind 0 ⊢ false of CYCLIC. Assume there is a cyclic proof PP of λind 0 . From PP we construct the pre-proof PP⊢ for the sequent λind 0 ⊢ false as follows. For each node (λind i )i≥0 in PP, we replace the formula λind i by the sequent λind i ⊢ false . Since PP is a cyclic proof, it follows that for every infinite path (λind i )i≥0 , there is a tail of the path, p=(λind i )i≥n , such that there is an infinitely progressing trace following p (Definition 3). Since formulas in [13] are only traced through the LHS of the sequent and not its RHS, it is implied that for every infinite path (λind i ⊢false )i≥0 , there is a tail of the path, p=(λind i ⊢ false )i≥n , such that there is an infinitely progressing trace following p. Thus, PP⊢ is a cyclic proof (Definition 3 of [13]). As such λind 0 |=false (Theorem 6 of [13]). In other words, λind 0 is UNSAT. ⊓ ⊔ Satisfiability Modulo Heap-Based Programs 389 To sum up, to implement a sound cyclic proof system besides the matching function, a global soundness condition must be established on pre-proofs to guarantee well-foundedness of all reasoning. 4 Separation Logic Instantiation of S2SAT In this section, to explicitly handle heap-manipulating programs, we propose a separation logic instantiation of S2SAT, called S2SATSL . We start by presenting SLPA, a fragment of separation logic with inductive predicates and arithmetic. 4.1 A Fragment of Separation Logic Syntax. The syntax of SLPA formulas is presented in Fig. 3. We use x̄ to denote a sequence (e.g., v̄ for sequence of variables), and xi to denote the ith element. Whenever possible, we discard fi of the points-to predicate and use its short form as x→c(vi ). Note that v1 =v2 and v =null are short forms for ¬(v1 =v2 ) and ¬(v=null), respectively. All free variables are implicitly universally quantified at the outermost level. To express different scenarios for shape predicates, the fragment supports disjunction Φ over formulas. Each predicate instance is of the form P(v̄)ou where o and u are labels used for context- and flow- sensitive unfolding. In particular, o captures the sequence number and u is the number of unfolding. For simplicity, we occasionally omit these two numbers if there is no ambiguity. A formula Δ is a base formula if it does not have any user-defined predicate instances. Otherwise, Δ is an inductive formula. User-Defined Predicate. A user-defined predicate P is of the following general form pred P(t̄) ≡ n  i=1 (∃w̄i · Δi | πib ) Fig. 3. Syntax. inv: π; 390 Q.L. Le et al. where P is predicate name; t̄ is a set of formal parameters; and ∃w̄i · Δi (i ∈ 1...n) is a branch. Each branch is optionally annotated with a sound invariant πib which is a pure formula that over-approximates the branch. π is an optionally sound predicate invariant. It must be a superset of all possible models of the predicate P via a pure constraint on stack. The default invariant of each inductive predicate is true . For efficiency, we infer more precise invariants automatically (see Sect. 6). Inductive branches may be recursive. We assume that the recursion is direct, i.e., a recursive branch of predicate P includes at least one predicate instance P. In each branch, we require that variables which are not formal parameters must be existentially quantified i.e., ∀i ∈ 1...n·FV(Δi )=t̄ and w̄i ∩t̄=∅ where FV(Δ) are all free variables in the formula Δ. In the following, we apply SLPA to model two data structures: sorted lists (sortll) without an annotated invariant and AVL trees (avl) with annotatedinvariant. pred sortll(root,n,m) ≡ root→node(m, null) ∧ n=1 ∨ ∃ q,n1 ,m1 ·root→node(m, q) ∗ sortll(q, n1 , m1 )∧n=n1 +1∧m≤m1 struct c2 { c2 left; c2 right; } // data structure declaration pred avl(root,n,h) ≡ emp ∧ root=null ∧ n=0 ∧ h=0 | root=null ∧ n=0 ∧ h=0 ∨ ∃ l, r, n1 , n2 , h1 , h2 ·root→c2 (l, r) ∗ avl(l, n1 , h1 ) ∗ avl(r, n2 , h2 )∧ n=n1 +n2 +1 ∧ h=max(h1 ,h2 )+1 ∧ −1≤h1 −h2 ≤1 | root=null ∧ n>0 ∧ h>0 inv: n≥0 ∧ h≥0 Semantics. In the following, we discuss the semantics of SLPA. Concrete heap models assume a fixed finite collection Node, a fixed finite collection Fields, a disjoint set Loc of locations (heap addresses), a set of non-address values Val , such that null ∈ Val and Val ∩ Loc = ∅. Further, we define: def Heaps = Loc⇀f in (Node → Fields → Val ∪ Loc) def Stacks = Var → Val ∪ Loc The semantics is given by a forcing relation: s,h |= Φ that forces the stack s and heap h to satisfy the constraint Φ where h ∈ Heaps, s ∈ Stacks, and Φ is a formula. The semantics is presented in Fig. 4. dom(f ) is the domain of function f ; h1 #h2 denotes that heaps h1 and h2 are disjoint, i.e., dom(h1 ) ∩ dom(h2 ) = ∅; and h1 ·h2 denotes the union of two disjoint heaps. Inductive predicates are interpreted using the least model semantics [42]. Semantics of pure formulas depend on stack valuations; it is straightforward and omitted in Fig. 4, for simplicity. 4.2 Implementation of Separation Logic Instantiation In the following, we describe how S2SATSL is realized. In particular, we show how the functions UA test, OA test, unfold, and link back are implemented. Satisfiability Modulo Heap-Based Programs 391 Fig. 4. Semantics. Deciding Separation Logic Formula. Given an SLPA formula, the functions UA test and OA test in S2SATSL work similarly, by reducing the formula to a first-order formula systematically and deciding the first-order formula. In the following, we define a function called eXPure, which transforms a separation logic formula into a first-order formula. eXPure is defined over the symbolic heap as follows:  x1 →c1 (v̄1 )∗...∗xn →cn (v̄n ) ∗ P1 (t̄1 )∗...∗Pm (t̄m ) ∧ π) ≡ ∃ w̄· {xi =null | i∈1...n} ∧ {xi =xj | i, j∈1...n and i=j} ∧  {inv(P, Pj , t¯j ) | j ∈ 1...m} ∧ π eXPure(∃w̄· where the reduction at the first line (after ≡) is for points-to predicates, and the second line is for user-defined predicates. The auxiliary function inv(P, P, v̄) returns the invariant of the predicate P with a proper renaming. Next, the auxiliary procedure satp (∃w̄· π) takes a quantified first-order formula as input. It preprocesses the formula and then invokes an SMT solver to solve it. The preprocessing consists of two steps. First, the existential quantifiers w̄ are eliminated through a projection Π(π, w̄). Second, remaining existential quantifiers are skolemized and null is substituted by special number (i.e., zero). The preprocessed formulas are of the form of linear arithmetic with free function symbols. These formulas may contain existential (∃) and universal (∀) quantifiers but no ∃∀ alternation. Hence, they are naively supported by SMT solvers. Deriving Unfolding Tree. Next, we describe how function unfold works in S2SATSL . Given a formula, unfold selects one predicate instance for unfolding as follows. Γi =unfoldP(P(v̄)ou , πc ) πc ≡eXPure(κ ∗ P(v̄) ∧ π) o unfold(∃w̄0 · κ∗P(v̄)u ∧π)  {∃w̄0 · κ∗Δi ∧π | Δi ∈Γi } Predicate instances in κ are sorted by a pair of unfolding number and ordering number where the former has higher priority. The instance P(v̄)ou is selected if u is 392 Q.L. Le et al. the smallest number of unfoldings and o is the smallest number among instances which have the same unfolding number u. The procedure unfold outputs a set of disjuncts which are combined from branches of the predicate P with the remainder κ∧π. At the middle, the predicate instance is unfolded by the procedure unfoldP. This auxiliary procedure unfoldP(P(t̄)ou , πc ) unfolds the user-defined predicate P with actual parameter t̄ under the context πc . It outputs branches of the predicate P that are not inconsistent with the context. It is formalized as follows.  b πcP ≡ Π(πc , v̄) ( m w̄i′ =fresh(w̄i ) i=1 (∃w̄i · κi ∧πi | πi ), t̄)=lookup(P, P) ∃ ′ /w̄ ] =[ w̄ ρp =[v¯′ /t̄] ρ∃ ρ =ρ (v¯′ , πeq )=freshEQ(v̄) p ◦ ρi i i i i o ′ P b unfoldP(P(v̄)u , πc )  {∃w̄i · [ρi ]κi ∧[ρi ]πi ∧πeq | satp (πc ∧[ρi ]πi ∧πeq )=unsat, i∈1...m} In the first line, the procedure looks up the definition of P and refreshes the existential quantifiers (using the function fresh(...)). In the second line, formal parameters are substituted by the corresponding actual arguments. Finally, the substituted definition is combined and pruned as shown in the RHS of . Function freshEQ(v̄) above refreshes the sequence of variables v̄ and produces the  equality constraints πeq between the old and new ones, i.e. πeq ≡ vi =vi′ . Let Q(t̄)ol denote a predicate instance of the derived κi , its unfolding number is set to u+1 if its corresponding branch Δi is recursive. Otherwise, it is u. Its sequence number is set to ol +o. The branch invariant is used as a necessary condition to unfold a branch. The formalism underlying the pruning process is as follows: given a context Δc with its over-approximation πc and a branch Δi with its over-approximation πib , if πc ∧πib is unsatisfiable, so is Δc ∗Δi . Similar to the specialization calculus [15], our unfolding mechanism also prunes infeasible disjuncts while unfolding user-defined predicates. However, the specialization calculus performs exhaustive pruning with multiple unfolding that may be highly costly and redundant compared with our one-step unfolding. Detecting Cyclic Proof. In the following, we implement the matching function fcyclic , an instantiation of ffix , to form a cyclic proof for fixpoint detection. fcyclic checks whether there exists a well-founded ordering relation R between Δcomp and Δbud so as to form an infinite path following the path between these two nodes. If Δbud matches with Δcomp , Δbud is marked as closed. For global infinitary soundness, fcyclic only considers those Δbud and Δcomp of the restricted form as: Δcomp ≡Δb1 ∗P1 (t̄1 )0m ∗...∗Pi (t¯i )im , and Δbud ≡Δb2 ∗P1 (t̄′1 )0n ∗...∗Pk (t¯′k )kn , where k≥i, n>m, Δb1 and Δb2 are base formulas. Like [13], fcyclic is implemented using the weakening and substitution principle. In particular, it looks for a substitution θ s.t. Δbud θ =⇒ Δcomp . fcyclic (Δbud ,Δcomp ) is formalized as the procedure Δbud ⊢lb Δcomp whose rules are presented in Fig. 5. These rules are applied as follows. – First, existential variables are refreshed ([EX−L], [EX−R] rules). Satisfiability Modulo Heap-Based Programs 393 Fig. 5. Rules for back-link. – Second, inductive variables in Δbud are substituted ([SUBST] rule). This substitution is based on well-ordering relations R. Let P(t)km be a predicate instance in Δcomp and its corresponding subformula in Δbud be R(s,t), then s, t are inductive variables. Two examples of well-founded relations R are structural induction for pointer types where R(s,t) iff s is a subterm of t and natural number induction on integers where R(s,t) iff 0<s<t. – Third, heaps are exhaustively matched ([PRED−MATCH] and [PTO−MATCH] rules) and weakened ([PRED−WEAKEN] and [PTO−WEAKEN] rules). Soundness of these rules directly follows from the frame rule [26,40]. – Last, back-link is decided via the implication between pure formulas ([PURE] rule). 5 Soundness and Termination of S2SATSL In the following, we establish the correctness of S2SATSL . 5.1 Soundness We show that (i) S2SATSL is sound and complete for base formulas; and (ii) the functions UA test, OA test and link back in S2SATSL are sound. These two tasks rely on soundness and completeness of the function eXPure over base formulas, soundness of eXPure over inductive formulas, and soundness of the function fcyclic . Lemma 1 (Equiv-Satisfiable Reduction). Let Δ≡∃w̄·x1 →c1 (v̄1 )∗... ∗xn →cn (v̄n )∧α∧φ be a base formula. Δ is satisfiable iff eXPure(Δ) is satisfiable. 394 Q.L. Le et al. The proof is based on structural induction on Δ. Lemma 2 (Over-Approximated Reduction). Given a formula Δ such that the invariants of user-defined predicates appearing in Δ are sound, then ∀s, h · s, h|=Δ =⇒ s|=eXPure(Δ) In the following lemma, we consider the case Γ ={} at line 8 of Algorithm 1. Lemma 3. Given a formula Δ0 and the matching function fcyclic as presented in the previous section, Δ0 is UNSAT if Γ ={} (line 8). To prove this Lemma, in [30] we show that there is a “trace manifold” which implies the global infinitary soundness (see [11], ch. 7) when a bud is linked back. Theorem 2 (Soundness). Given a formula Δ and a set of user-defined predicates P, – Δ is satisfiable if S2SATSL returns SAT. – if S2SATSL terminates and returns UNSAT, Δ is unsatisfiable. While the soundness of SAT queries follows Lemma 1, the soundness of UNSAT queries follows Lemmas 2 and 3. As satisfiability for SLPA is undecidable [30, 31], there is no guarantee that S2SATSL terminates on all inputs. In the next subsection, we show that S2SATSL terminates for satisfiable formulas in SLPA and with certain restrictions on the fragment, S2SATSL always terminates. 5.2 Termination Termination for SAT. In this paragraph, we show that S2SATSL always terminates when it decides a satisfiable formula. Given a satisfiable formula Δ≡∃w̄· x1 →c1 (v̄1 )∗...∗xn →cn (v̄n ) ∗P0 (t̄0 )00 ∗...∗Pn (t̄n )n0 ∧ π There exists a satisfiable base formula Δk such as: Δk ≡x1 →c1 (v̄1 )∗...∗xn →cn (v̄n ) ∗ ΔPk00 ∗...∗ΔPknn ∧ π where ΔP k (k≥0) denotes a base formula derived by unfolding the predicate P k times and then substituting all predicate instances P by P’s base branch. Let km be the maximal number among k0 ,..,kn . The breadth-first unfolding manner in the algorithm S2SAT ensures that S2SATSL identifies Δk before it encounters the following leaf: y1 →c1 (t̄1 )∗...∗yi →ci (t̄i ) ∗ P0 (t̄0 )km +1 ∗...∗Pj (t̄j )km +1 ∧ π We remark that the soundness of cyclic proof ensures that our link back function only considers infinitely many unfolding traces. Thus, it never links finite many unfolding traces, i.e., traces connecting the root to satisfiable base leaves, like Δk . Satisfiability Modulo Heap-Based Programs 395 Decidable Fragment. In the following, we describe universal SLPAind , a fragment of SLPA, for which we prove that S2SATSL always terminates. Compared to SLPA, universal SLPAind restricts the set of inductive predicates P as well as the inputs of S2SATSL . Definition 4 (SLPAind ). An inductive predicate pred P(t̄)≡Φ is well-founded SLPAind if it has one induction case with N occurrences of P, and it has the shape as follows. Φ ≡ Φ0 ∨ ∃w̄·x1 →c1 (v̄1 )∗...∗xn →cn (v̄n )∗P(w̄1 )∗...∗P(w̄N )∧π where Φ0 is disjunction of base formulas and the two following restrictions. 1. ∀n∈1...N w̄n ⊆w̄∪{null} and w̄n do not appear in the equalities of π, 2. if ti is a numerical parameter and there exists a well-ordering relation R such that R(s,ti ,w1i ,..,wmi ) (1≤m≤N ) is a subformula of π, the following conditions hold. – ti is constrained separately (i.e., there does not exist j =i and a subformula φ of π such that {ti , tj }⊆F V (φ) or {ti , wnj }⊆F V (φ) or {wmi , wnj }⊆F V (φ) ∀m,n∈1...N , and – ∀n∈1...N , π =⇒ ti >wni or π =⇒ ti <wni . – if ti ∈F V (Φ0 ) then Φ0 =⇒ ti =k, for some integer k ti is denoted as inductive parameters. Restriction 1 guarantees that fcyclic can soundly weaken the heap by discarding irrelevant points-to predicates and N −1 occurrences of P (when N ≥2) while it links back. Restriction 2 implies that ti >wi ≥k1 or ti <wi ≤k2 for some integer k1 , k2 . This ensures that leaf nodes of unfolding trees of an unsatisfiable input must be UNSAT or linked back. The above SLPAind fragment is expressive enough to describe a range of data structures, e.g. sorted lists sortll, lists/trees with size properties, or even AVL trees avl. Definition 5 (Universal SLPAind ). Given a separation logic formula Δ0 ≡x1 →c1 (v̄1 )∗...∗xn →cn (v̄n )∗P1 (t̄1 )∗...∗Pn (t̄n )∧φ0 Δ0 is universal SLPAind if all if all x̄ of free, arithmetical, conjunction of φ0,i where φ0,i xi ≥k1 for some integer k1 ; or Theorem 3 (Termination). formulas. predicates P1 ,..,Pn are well-founded SLPAind , and inductive variables, with x̄⊆(t̄1 ∪...∪t̄n ), φ0 is a is either of the following form: (i) true ; or (ii) (iii) xi ≤k2 for some integer k2 . S2SATSL terminates for universal SLPAind 396 6 Q.L. Le et al. Sound Invariant Inference In order to perform fully automatic verification without user-provided invariants, S2SATSL supports automatic invariant inference. In this section, we describe invariant inference from user-defined predicates and predicate branches. While the former is used for over-approximation, the latter is used for context-sensitive predicate unfolding. To infer invariants for a set of user-defined predicates, we first build a dependency graph among the predicates. After that, we process each group of mutual dependent predicates following a bottom-up manner. For simplicity, we present the inference for one directly recursive predicate. The inference for a group of mutual inductive predicates is similar. Inferring Predicate Invariant. Our invariant inference is based on the principle of second-order m abduction [28,45]. Given the predicate P defined by m branches as P(t̄) ≡ i=1 Δi , we assume a sound invariant of P as an unknown (secondorder) variable I(t̄). After that we prove the lemma P(v̄)⊢I(v̄) via induction; and simultaneously generate a set of pure relational assumptions using secondorder abduction. The steps to prove the above lemma and generate a set of m relational assumptions over I are as follows. 1. Unfold LHS of the lemma to generate a set of m subgoals i.e. Δi [v̄/t̄]⊢I(v̄) where i ∈ 1...m. The original lemma is taken as the induction hypothesis. 2. For each subgoal i, over-approximate its LHS to a pure formula πi and form an assumption relation πi =⇒ I(v̄). There are two cases to compute πi . – if Δi is a base formula, then πi ≡eXPure(Δi ). – if Δi includes k instances P such that Δi ≡Δresti ∗P(v¯1 )∗...∗P(v¯k ), then we compute πi0 ≡eXPure(Δresti ), πij ≡I(v¯j ), for all j ∈ 1...k, and k πi ≡ j=1 πik . 3. Our system applies a least fixed point analysis to the set of gathered relational assumptions. We use the analyzer LFP presented in [45] to compute these invariants. We illustrate this procedure to infer an invariant for sortll. First, our system introduces an unknown relation I(root,n,m). Second, it generates the below relational constraints. root=null∧n=1 =⇒ I(root,n,m) root=null∧I(Q,N1 ,M1 )∧n=N1 +1∧m≤M1 =⇒ I(root,n,m) Finally, it analyzes these two constraints and produces the following result: I(root,n,m)≡root=null∧n≥1 Lemma 4 (Sound Invariant Inference). Given a predicate P(t̄) ≡ Φ, and R be a set of relational assumptions generated by the steps above. If R has a solution, i.e., I(v̄)≡π, then we have ∀s, h · s, h |= P(v̄), s |=π. Proof Sketch: Soundness of Lemma 2 implies that for all i ∈ 1...m, πi is an over-approximated abstraction of Δi . As such, the soundness of this lemma immediately follows from the soundness of second-order abduction [28,45]. ⊓ ⊔ Satisfiability Modulo Heap-Based Programs 397 Table 1. Exponential time and space satisfiability checks. Succ-circuit (1–20) n Succ-rec (1–20) SLSAT S2SATSL n 1 1 ms 21 ms 11 SO 37.46 s 1 0 ms 25 ms 11 1796.4 s 410.92 s 2 2 ms 23 ms 12 SO 170.53 s 2 1 ms 30 ms 12 TO TO 3 27 ms 30 ms 13 SO 988.29 s 3 4 ms 33 ms 13 TO TO 4 867 ms 34 ms 14 SO TO 4 21 ms 39 ms 14 X TO 5 30 s 0.05 s 15 SO TO 5 134 ms 52 ms 15 X TO 6 30 s 0.09 s 16 SO TO 6 830 ms 76 ms 16 X TO 7 SO 0.20 s 17 SO TO 7 5.0 s 0.21 s 17 X TO 8 SO 0.61 s 18 SO TO 8 29.5 s 0.87 s 18 X TO 9 SO 2.21 s 19 SO TO 9 167.8 s 4.83 s 19 X TO 10 SO 8.49 s 20 SO TO 10 1065 s 20 X TO SLSAT S2SATSL n SLSAT S2SATSL n 45.28 s SLSAT S2SATSL Inferring mBranch Invariant. Given a predicate P defined by m branches as P(t̄) ≡ i=1 (∃w̄i · Δi ) inv: π, we compute invariants for each branch of P as Π(eXPure(Δi ), w̄i ) ∀ i=1...m. For example, with the invariant inferred for the predicate sortll as above, our system computes its branch invariants π1b for the base branch and π2b for the inductive branch as below. π1b ≡Π(eXPure(root→node(m, null) ∧ n=1), {})≡ root=null ∧ n=1 π2b ≡Π(eXPure(root→node(m, q) ∗ sortll(q, n1 , m1 )∧n=n1 +1∧m≤m1 ), {q,n1 ,m1 }) ≡ root=null ∧ n≥1 Soundness of branch. 7 eXPure implies that the branch invariant over-approximates its Implementation and Evaluation We have implemented the proposed solver S2SATSL and a new interprocedural (top-down) program verification tool, called S2td , which uses S2SATSL . We make use of Omega Calculator [38] to eliminate existential quantifiers, Z3 [19] as a back-end SMT solver, and FixCalc [37] to find closure form in inferring invariants for user-defined predicates. In the following, we evaluate S2SATSL and S2td ’s robustness and efficiency on a set of benchmarks from the software verification competition SV-COMP [7]. We also present an evaluation of S2SATSL in compositional (modular) program verification with the HIP/S2 system [14,28] for a range of data structures. 7.1 Robustness and Efficiency In [12], Brotherston et al. introduced a new and challenging set of satisfiability benchmarks discussed in Proposition 5.13 of [12]. In this Proposition, Brotherston et al. stated that there exists a family of predicates of size O(n) and 398 Q.L. Le et al. that SLSAT runs in Ω(2n ) time and space regardless of search strategies. Since SLSAT relies on bottom-up and context-insensitive fixed point computation, it has to explore all possible models before answering a query. Their approach is designed for computing invariants of shape predicates rather than satisfiability checks. In contrast, S2SATSL performs top-down and context-sensitive searches, as it is dedicated for satisfiability solving. Moreover, it prunes infeasible disjuncts, significantly reduces the search space, and provides better support for model discovery. We conducted an experiment on comparing SLSAT’s and S2SATSL ’s performance on this set of benchmarks. The results are shown in Table 1. The size n of succ−circuit∗ (succ−rec∗) benchmarks expresses the breadth (depth, resp.) of dependency. This set of benchmarks is a part of the User-Defined Predicate Satisfiability (UDB sat) suite of SL-COMP 2014 [41]. The output is either a definite answer (sat, unsat) with running time (in milliseconds (ms), or seconds (s)), or an error. In particular, SO denotes stack overflow; TO denotes timeout (i.e., tools run longer than 1800 s); and X denotes a fatal error. The experimental results show that S2SATSL is much more robust and also more efficient than SLSAT. While S2SATSL successfully solved 24 (out of 40) benchmarks, SLSAT was capable of handling 17 benchmarks. Furthermore, on 17 benchmarks that SLSAT discharged successfully, S2SATSL outperforms SLSAT, i.e., about 6.75 (3126 s/462 s) times faster. As shown in the table, S2SATSL ran with neither stack overflow nor fatal errors over all these challenging benchmarks. Table 2. Experimental results on complex data structures. Data structure (pure props) Singly llist (size) #Query #UNSAT #SAT Time 666 75 Even llist (size) 139 125 14 2.40 Sorted llist (size, sorted) 217 21 196 0.91 Doubly llist (size) 452 50 402 2.07 Complete tree (size, minheight) 387 33 354 143.98 Heap trees (size, maxelem) 467 67 400 13.87 AVL (height, size, near-balanced) 881 64 817 84.82 BST (height, size, sorted) 341 34 307 2.28 RBT (size, height, color) 1741 217 1524 65.54 55 6 49 0.34 rose-tree 591 1.25 TLL 128 13 115 0.24 Bubble (size, sorted) 300 20 280 1.09 Quick sort (size, sorted) 225 29 196 2.33 Satisfiability Modulo Heap-Based Programs 7.2 399 Modular Verification with S2SATSL In this subsection, we evaluate S2SATSL in the context of modular program verification. S2SATSL solver is integrated into the HIP/S2 [14,28,29] system to prune infeasible program paths in symbolic execution. Furthermore, S2SATSL is also used by the entailment procedure SLEEK to discharge verification conditions (VC) generated. In particular, when SLEEK deduces a VC to the following form: Δ ⊢ emp∧πr , the error calculus in SLEEK [29] invokes S2SATSL to discharge the following queries: Δ and Δ∧¬πr for safety and Δ∧πr for must errors. In experiments, we have extracted those VCs generated while HIP/S2 verified heapmanipulating programs. We have evaluated S2SATSL deciding the VCs discussed above. The experimental results are described in Table 2. Each line shows a test on one program. The first column lists data structures and their pure properties. rose-trees are trees with nodes that are allowed to have a variable number of children, stored as doubly-linked lists. TLL is a binary tree whose nodes point to their parents and all leaf nodes are linked as a singly-linked list. #Query is the number of satisfiability queries sent to S2SATSL for each data structure. The next two columns report the outputs from S2SATSL . The last column shows the time (in seconds) taken by the S2SATSL solver. In this experiment, S2SATSL terminated on all queries. Furthermore it exactly decided all SAT and UNSAT queries. These experimental results affirm the correctness of our algorithm S2SATSL . They also show that S2SATSL is expressive, effective, and can be integrated into program verification systems for discharging satisfiability problems of separation logic formulas. 7.3 Recursive Program Verification with S2SATSL We have evaluated and compared our verification system Table 3. Experimental results on recursive S2td with state-of-the-art ver- programs. √ √ Tool #s #e #unk #s✗ #e✗ Points Mins ification tools on a set of ESBMC [18] 38 40 21 0 3 20 53 SV-COMP benchmarks1 . The UAutomizer [24] 17 23 62 0 0 57 23 48 45 5 4 0 77 26 results are presented in Table 3. SeaHorn [22] CBMC [16] 33 39 29 1 0 89 90 There are 102 recursive/loop Smack-corral [1] 33 37 28 0 0 103 105 programs taken from Recursive S2td 41 45 16 0 0 127 25 and HeapReach sub-categories in the benchmark; timeout is set to 180 s. In each program, there is at least one user-supplied assertion to model safety properties. The first column identities the subset of verification systems which competed in both the above √ sub-categories. The next three columns count the instances of correct safe (s ), correct error √ (e ) and unknown (e.g., timeout). The next two columns capture the number of false positives (s✗) and false negatives (e✗). We rank these tools based on their √ points. Following the SV-COMP competition, we gave +2 for one s , +1 for one 1 http://sv-comp.sosy-lab.org/2016/. 400 Q.L. Le et al. √ e , 0 for unk, −16 for one s✗, and −32 for one e✗. The last column expresses the total time in minutes. The results show that the proposed verification approach is promising; indeed, our system is effective and efficient: it produces the best correctness with zero false answers within the nearly-shortest time. 8 Related Work Close to our work is the SeaHorn verification system [22]. While SeaHorn relies on Z3-PDR to handle inductive predicates on non-heap domains, it is unclear (to us) how SeaHorn supports induction reasoning for heap-based programs (which is one contribution of our present work). Our S2SAT satisfiability procedure is based on unfolding which is similar to the algorithm in the Leon system [43,44]. Leon, a verifier for functional programs, adds an unfolding mechanism for inductive predicates into complete theories. However, Leon only supports classic logic and not structural logic (i.e., separation logic). Neither does Leon support inductive reasoning. Furthermore, our system infers sound invariants for inductive predicates to facilitate over-approximation. Our work is related to work on developing satisfiability solvers in separation logic. In the following, we summarize the development in this area. Smallfoot [5] has the first implemented decision procedure for a fragment of separation logic. This solver was originally customized to work with spatial formulas over list segments. Based on a fixed equality (disequality) constraint branches of the list segment, the proposals presented by [17,32] further enhanced decision procedure for this fragment with equality reasoning. They provided normalization rules with a graph technique [17] and a superposition calculus [32] to infer (dis)equality constraints on pointers and used these constraints to prune infeasible branches of predicate instances during unfolding. Although these proposals can decide the formula of that fragment in polynomial time, it is not easy to extend them to a fragment with general inductive predicates (i.e., the fragment SLPA). Decision procedures in [33–36] support decidable fragments of separation logic with inter-reachable data structures using SMT. Our proposal extends these procedures to those fragments with general inductively-defined predicates. Indeed, our decidable fragment can include more complex data structures, such as AVL trees. S2SATSL is closely related to the satisfiability solvers [12,25] which are capable of handling separation logic formulas with general user-defined predicates. Decision procedures [12,25] are able to handle predicates without pure properties. The former described a decidable fragment of user-defined predicates with bounded tree width. The problem of deciding separation logic formulas is then reduced to monadic second-order logic over graphs. The latter, SLSAT, decides formulas with user-defined predicates via a equi-satisfiable fixed point calculation. The main disadvantage of SLSAT is that it is currently restricted to the domain of pointer equality and disequality, so that it cannot be used to support predicates with pure properties from infinite abstract domains. Using over-approximation in decision procedures is not new. For example, D’Silva et al. have recently made use of abstract domains inside satisfiability Satisfiability Modulo Heap-Based Programs 401 solvers [20,21]. In separation logic, satisfiability procedures in HIP/SLEEK [14] and Dryad [39] decide formulas via a sound reduction that over-approximates predicate instances. HIP/SLEEK and Dryad are capable of proving the validity of a wide range of expressive formulas with arbitrary predicates. However, expressivity comes with cost; as these procedures are incomplete, and they do not address the satisfiability problem. We believe that S2SAT can be integrated into these systems to improve upon these two shortcomings. 9 Conclusion and Future Work We have presented a satisfiability procedure for an expressive fragment of separation logic. Given a formula, our procedure examines both under-approximation (so as to prove SAT) and over-approximation (so as to prove UNSAT). Our procedure was strengthened with invariant generation and cyclic proof detection. We have also implemented a solver and a new verification system for heapmanipulating programs. We have evaluated them on a range of competition problems with either complex heap usage patterns or exponential complexity of time and space. For future work, we might investigate S2SAT-based decision procedures for other complete theories (i.e., Presburger, string, bag/set) augmented with inductive predicates. We would also study a more general decidable fragment of separation logic by relaxing the restrictions for termination. Finally, we would like to improve S2td for array, string and pointer arithmetic reasoning as well as witness generation for erroneous programs. Acknowledgements. We wish to thank Christopher M. Poskitt for his helpful comments on the manuscript. Quang Loc and Jun Sun are partially supported by NRF grant RGNRF1501 and Wei-Ngan by NRF grant NRF2014NCR-NCR001-040. References 1. Haran, A., Carter, M., Emmi, M., Lal, A., Qadeer, S., Rakamarić, Z.: SMACK+corral: a modular verifier. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 451–454. Springer, Heidelberg (2015) 2. Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., M. Leino, K.R.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006) 3. Barrett, C., Conway, C.L., Deters, M., Hadarean, L., Jovanović, D., King, T., Reynolds, A., Tinelli, C.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011) 4. Beckman, N.E., Nori, A.V., Rajamani, S.K., Simmons, R.J.: Proofs from tests. In: ISSTA, pp. 3–14. ACM, New York (2008) 5. Berdine, J., Calcagno, C., W.O’Hearn, P.: A decidable fragment of separation logic. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 97–109. Springer, Heidelberg (2004) 402 Q.L. Le et al. 6. Berdine, J., Calcagno, C., O’Hearn, P.W.: Symbolic execution with separation logic. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 52–68. Springer, Heidelberg (2005) 7. Beyer, D.: Reliable and reproducible competition results with benchexec and witnesses (report on SV-COMP 2016). In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 887–904. Springer, Heidelberg (2016). doi:10.1007/ 978-3-662-49674-9 55 8. Beyer, D., Cimatti, A., Griggio, A., Keremoglu, M.E., Sebastiani, R.: Software model checking via large-block encoding. In: Proceedings of 9th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2009, pp. 25–32 (2009) 9. Bjørner, N., Gurfinkel, A., McMillan, K., Rybalchenko, A.: Horn clause solvers for program verification. In: Blass, A., Dershowitz, N., Finkbeiner, B., Schulte, W., Beklemishev, L.D., Beklemishev, L.D. (eds.) Gurevich Festschrift II 2015. LNCS, vol. 9300, pp. 24–51. Springer, Heidelberg (2015). doi:10.1007/978-3-319-23534-9 2 10. Bjørner, N., McMillan, K.L., Rybalchenko, A.: Program verification as satisfiability modulo theories. In: SMT, pp. 3–11 (2012) 11. Brotherston. J.: Sequent calculus proof systems for inductive definitions. Ph.D. thesis, University of Edinburgh, November 2006 12. Brotherston, J., Fuhs, C., Pérez, J.A.N., Gorogiannis, N.: A decision procedure for satisfiability in separation logic with inductive predicates. In: CSL-LICS 2014, pp. 25:1–25:10. ACM, New York (2014) 13. Brotherston, J., Gorogiannis, N., Petersen, R.L.: A generic cyclic theorem prover. In: Jhala, R., Igarashi, A. (eds.) APLAS 2012. LNCS, vol. 7705, pp. 350–367. Springer, Heidelberg (2012) 14. Chin, W., David, C., Nguyen, H., Qin, S.: Automated verification of shape, size and bag properties via user-defined predicates in separation logic. SCP 77(9), 1006–1036 (2012) 15. Chin, W.-N., Gherghina, C., Voicu, R., Le, Q.L., Craciun, F., Qin, S.: A specialization calculus for pruning disjunctive predicates to support verification. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 293–309. Springer, Heidelberg (2011) 16. Clarke, E., Kroning, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004) 17. Cook, B., Haase, C., Ouaknine, J., Parkinson, M., Worrell, J.: Tractable reasoning in a fragment of separation logic. In: Katoen, J.-P., König, B. (eds.) CONCUR 2011. LNCS, vol. 6901, pp. 235–249. Springer, Heidelberg (2011) 18. Cordeiro, L., Fischer, B.: Verifying multi-threaded software using smt-based context-bounded model checking. In: Proceedings of the 33rd International Conference on Software Engineering, ICSE 2011, pp. 331–340. ACM, New York (2011) 19. de Moura, L., Bjørner, N.S.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008) 20. D’Silva, V., Haller, L., Kroening, D.: Satisfiability solvers are static analysers. In: Miné, A., Schmidt, D. (eds.) SAS 2012. LNCS, vol. 7460, pp. 317–333. Springer, Heidelberg (2012) 21. D’Silva, V., Haller, L., Kroening, D.: Abstract satisfaction. In: Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2014, pp. 139–150. ACM, New York (2014) Satisfiability Modulo Heap-Based Programs 403 22. Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.A.: The seahorn verification framework. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 343–361. Springer, Heidelberg (2015) 23. Haase, C., Ishtiaq, S., Ouaknine, J., Parkinson, M.J.: SeLoger: a tool for graphbased reasoning in separation logic. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 790–795. Springer, Heidelberg (2013) 24. Heizmann, M., Hoenicke, J., Podelski, A.: Software model checking for people who love automata. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 36–52. Springer, Heidelberg (2013) 25. Iosif, R., Rogalewicz, A., Simacek, J.: The tree width of separation logic with recursive definitions. In: Bonacina, M.P. (ed.) CADE 2013. LNCS, vol. 7898, pp. 21–38. Springer, Heidelberg (2013) 26. Ishtiaq, S., O’Hearn, P.: BI as an assertion language for mutable data structures. In: ACM POPL, pp. 14–26, London, January 2001 27. Jose, M., Majumdar, R.: Cause clue clauses: error localization using maximum satisfiability. In: PLDI, pp. 437–446. ACM, New York (2011) 28. Le, Q.L., Gherghina, C., Qin, S., Chin, W.-N.: Shape analysis via second-order biabduction. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 52–68. Springer, Heidelberg (2014) 29. Le, Q.L., Sharma, A., Craciun, F., Chin, W.-N.: Towards complete specifications with an error calculus. In: Brat, G., Rungta, N., Venet, A. (eds.) NFM 2013. LNCS, vol. 7871, pp. 291–306. Springer, Heidelberg (2013) 30. Le, Q.L., Sun, J., Chin, W.-N.: Satisfiability modula heap-based programs. Technical report (2016). http://loc.bitbucket.org/papers/satsl-cav16.pdf 31. Makoto, T., Le, Q.L., Chin, W.-N.: Presburger arithmetic and separation logic with inductive definitions. Technical report, May 2016 32. Navarro Pérez, J.A., Rybalchenko, A.: Separation logic + superposition calculus = heap theorem prover. In: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pp. 556–566 (2011) 33. Navarro Pérez, J.A., Rybalchenko, A.: Separation logic modulo theories. In: Shan, C. (ed.) APLAS 2013. LNCS, vol. 8301, pp. 90–106. Springer, Heidelberg (2013) 34. Piskac, R., Wies, T., Zufferey, D.: Automating separation logic using SMT. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 773–789. Springer, Heidelberg (2013) 35. Piskac, R., Wies, T., Zufferey, D.: Automating separation logic with trees and data. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 711–728. Springer, Heidelberg (2014) 36. Piskac, R., Wies, T., Zufferey, D., Piskac, R., Wies, T., Zufferey, D.: Automating separation logic with trees and data. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 711–728. Springer, Heidelberg (2014) 37. Popeea, C., Chin, W.-N.: Inferring disjunctive postconditions. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 331–345. Springer, Heidelberg (2008) 38. Pugh, W.: The omega test: a fast practical integer programming algorithm for dependence analysis. Commun. ACM 8, 102–114 (1992) 39. Qiu, X., Garg, P., Ştefănescu, A., Madhusudan, P.: Natural proofs for structure, data, and separation. In: PLDI, pp. 231–242. ACM, New York (2013) 40. Reynolds, J., Logic, S.: A logic for shared mutable data structures. In: Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science, pp. 55–74 (2002) 404 Q.L. Le et al. 41. Sighireanu, M., Cok, D.R.: Report on SL-COMP 2014. In: JSAT (2016) 42. Sims, É.-J.: Extending separation logic with fixpoints and postponed substitution. Theor. Comput. Sci. 351(2), 258–275 (2006) 43. Suter, P., Dotta, M., Kuncak, V.: Decision procedures for algebraic data types with abstractions. In: Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2010, pp. 199–210. ACM, New York (2010) 44. Suter, P., Köksal, A.S., Kuncak, V.: Satisfiability modulo recursive programs. In: Yahav, E. (ed.) Static Analysis. LNCS, vol. 6887, pp. 298–315. Springer, Heidelberg (2011) 45. Trinh, M.-T., Le, Q.L., David, C., Chin, W.-N.: Bi-abduction with pure properties for specification inference. In: Shan, C. (ed.) APLAS 2013. LNCS, vol. 8301, pp. 107–123. Springer, Heidelberg (2013)