Theory Reference: Separation Logic
cvc5 supports a syntax for separation logic as an extension of the SMT-LIB 2.6 language.
Signature
Given a (decidable) base theory \(T\) , cvc5 implements a decision procedure for quantifier-free \(SL(T)_{Loc,Data}\) formulas [ RISK16 ] , where \(Loc\) and \(Data\) are any sort belonging to \(T\) .
A \(SL(T)_{Loc,Data}\) formula is one from the following grammar:
F : L | sep.emp | (pto t u) | (sep F1 ... Fn) | (wand F1 F2) | ~F1 | F1 op ... op Fn
where
op
is any classical Boolean connective,
t
and
u
are terms
built from symbols in the signature of
\(T\)
of sort
\(Loc\)
and
\(Data\)
respectively, and
\(L\)
is a
\(T\)
-literal.
The operator
sep.emp
denotes the empty heap constraint, the operator
pto
denotes the points-to predicate, the operator
sep
denotes separation start
and is variadic, and the operator
wand
denote magic wand.
Semantics
A satisfiability relation \(I,h \models_{SL} \varphi\) is defined for \(SL(T)_{Loc,Data}\) formulas \(\varphi\) , where \(I\) is an interpretation, and \(h\) is a heap.
The semantics of separation logic operators are as follows:
\(I,h \models_{SL} L\) |
Iff |
\(I \models L\) , if \(L\) is a \(T\) -literal |
\(I,h \models_{SL}\) (emp \(t \ u\) ) |
Iff |
\(h = \emptyset\) |
\(I,h \models_{SL}\) (pto \(t \ u\) ) |
Iff |
\(h = \{(t^I,u^I)\} \text{ and } t^I\not=nil^I\) |
\(I,h \models_{SL}\) (sep \(\phi_1 \ldots \phi_n)\) |
Iff |
there exist heaps \(h_1,\ldots,h_n\) s.t. \(h=h_1\uplus \ldots \uplus h_n\) and \(I,h_i \models_{SL} \phi_i, i = 1,\ldots,n\) |
\(I,h \models_{SL}\) (wand \(\phi_1 \ \phi_2\) ) |
Iff |
for all heaps \(h'\) if \(h'\#h\) and \(I,h' \models_{SL} \phi_1\) then \(I,h'\uplus h \models_{SL} \phi_2\) |
where \(h_1 \uplus \ldots \uplus h_n\) denotes the disjoint union of heaps \(h_1, \ldots, h_n\) and \(h'\#h\) denotes that heaps \(h'\) and \(h\) are disjoint, and \(nil\) is a distinguished variable of sort \(Loc\) . All classical Boolean connectives are interpreted as expected.
Syntax
Separation logic in cvc5 requires the
QF_ALL
logic, and for the types of the heap to be declared via the
declare-heap
command:
(declare-heap (T1 T2))
This command must be executed when the solver is in its Start mode (see page 52 of the SMT-LIB 2.6 standard [ BFT17 ] ). This command sets the location type of the heap \(Loc\) to \(T1\) and the data type \(Data\) to \(T2\) , where \(T1\) and \(T2\) are any defined types. This command can only be executed once in any context, and is reset only via a reset command.
The syntax for the operators of separation logic is summarized in the following
table. For the C++ API examples in this table, we assume that we have created
a
cvc5::Solver
object.
SMTLIB language |
C++ API |
|
Logic String |
|
|
Empty Heap |
|
where
|
Points-To |
|
|
Separation Star |
|
|
Magic Wand |
|
|
Nil Element |
|
|
Examples
The following input on heaps
Int
->
Int
is unsatisfiable:
(set-logic QF_ALL)
(declare-heap (Int Int))
(set-info :status unsat)
(declare-const x Int)
(declare-const a Int)
(declare-const b Int)
(assert (and (pto x a) (pto x b)))
(assert (not (= a b)))
(check-sat)
The following input on heaps
U
->
Int
is satisfiable. Notice that the
formula
(not
sep.emp)
is satisfied by heaps
U
->
Int
whose domain is
non-empty.
(set-logic QF_ALL)
(set-info :status sat)
(declare-sort U 0)
(declare-heap (U Int))
(declare-const x U)
(declare-const a Int)
(assert (and (not sep.emp) (pto x a)))
(check-sat)
The following input on heaps
Int
->
Node
is satisfiable, where
Node
denotes a user-defined inductive
Theory Reference: Datatypes
.
(set-logic QF_ALL)
(set-info :status sat)
(declare-const x Int)
(declare-const y Int)
(declare-const z Int)
(declare-datatype Node ((node (data Int) (left Int) (right Int))))
(declare-heap (Int Node))
(assert (pto x (node 0 y z)))
(check-sat)
Note
Given a separation logic input, the sorts \(Loc\) and \(Data\) declared via the declare-heap command must match all separation logic predicates in the input. cvc5 does not accept an input such as:
(set-logic QF_ALL)
(declare-sort U 0)
(declare-heap (U Int))
(declare-const x U)
(assert (and (pto x 0) (pto 1 2)))
(check-sat)
since the second points-to predicate uses Int for its location type.