On the Complexity of Pointer Arithmetic in Separation Logic

Abstract: We investigate the complexity consequences of adding pointer arithmetic to separation logic. Specifically, we study extensions of the points-to fragment of symbolic-heap separation logic with various forms of Presburger arithmetic constraints. Most significantly, we find that, even in the minimal case when we allow only conjunctions of simple "difference constraints" x ′ ≤ x ± k (where k is an integer), polynomial-time decidability is already impossible: satisfiability becomes NP-complete, while quantifier-fre… Show more

“…Partitioning analysis: Based on the base-offset pointer analysis above, we define in Section 5.3 a new analysis that computes for each pointer expression an abstract location that collects a finite set of slices of symbolic blocks, i.e., the abstraction is a partial mapping from program's variables to sets of intervals representing offsets in the block. With this analysis, the abstract location computed for outArr+i (at line 39 of sort4, call in Figure 3 (b)) is more precise, i.e., {df → { [5,7], [0, 0]}}, and it allows to prove the post-condition for sort4. Notice that the analysis computes a finite set of slices in symbolic blocks whose concretizations (sets of locations) are pairwise disjoint.…”

“…. , df· [7]}. Given a cell-path c, we denote by r(c) the range of offsets (in bytes) that correspond to the path and which is computed using ABI.…”

“…For C programs with pointers, DV has been boosted by the usage of Separation Logic [29], which leads to compact proofs due to the local reasoning allowed by the separating conjunction operator. However, for programs with low-level operations on pointers (e.g., pointer arithmetics and casting), this approach is actually limited by the theoretical results on the fragment of separation logic employed [7] and on the availability of solvers. Therefore, this class of programs is most commonly dealt using classic approaches based on memory modelsà la Burstall-Bornat [9,6], which may be adapted to be sound in presence of low-level operations [31] and dynamic allocation [36].…”

Exploiting Pointer Analysis in Memory Models for Deductive Verification

“…Partitioning analysis: Based on the base-offset pointer analysis above, we define in Section 5.3 a new analysis that computes for each pointer expression an abstract location that collects a finite set of slices of symbolic blocks, i.e., the abstraction is a partial mapping from program's variables to sets of intervals representing offsets in the block. With this analysis, the abstract location computed for outArr+i (at line 39 of sort4, call in Figure 3 (b)) is more precise, i.e., {df → { [5,7], [0, 0]}}, and it allows to prove the post-condition for sort4. Notice that the analysis computes a finite set of slices in symbolic blocks whose concretizations (sets of locations) are pairwise disjoint.…”

“…. , df· [7]}. Given a cell-path c, we denote by r(c) the range of offsets (in bytes) that correspond to the path and which is computed using ABI.…”

“…For C programs with pointers, DV has been boosted by the usage of Separation Logic [29], which leads to compact proofs due to the local reasoning allowed by the separating conjunction operator. However, for programs with low-level operations on pointers (e.g., pointer arithmetics and casting), this approach is actually limited by the theoretical results on the fragment of separation logic employed [7] and on the availability of solvers. Therefore, this class of programs is most commonly dealt using classic approaches based on memory modelsà la Burstall-Bornat [9,6], which may be adapted to be sound in presence of low-level operations [31] and dynamic allocation [36].…”

Exploiting Pointer Analysis in Memory Models for Deductive Verification

“…Since the birth of separation logics, there has been a lot of interest in the study of decidability and computational complexity issues, see e.g. [3,10,11,7,15,31], and comparatively a bit less attention to the design of proof systems, and even less with the puristic approach that consists in discarding any external feature such as nominals or labels in the calculi. The well-known advantages of such an approach include an exhaustive understanding of the expressive power of the logic and discarding the use of any external artifact referring to semantical objects.…”

Internal Calculi for Separation Logics

Compositional Satisfiability Solving in Separation Logic