\mathlig

—-¿↦ \mathlig-‘⇀ \mathlig ¿↝ \mathlig=¿⇒ \mathlig—=⊨ \mathlig ∼ \mathlig¿=≥ \mathlig¡=≤ \mathlig¡=¿⇔ \mathlig-*\sepimp \mathlig-¿→ \mathlig—[⟦ \mathlig—]⟧ \mathlig!=≠

A separation logic for sequences
in pointer programs and its decidability

Tianyue Cao1, Bowen Zhang1, Zhao Jin3, Yongzhi Cao1 and Hanpin Wang12 1 Key Laboratory of High Confidence Software Technologies (MOE),
School of Computer Science, Peking University, Beijing, China 2 School of Computer Science and Cyber Engineering,
Guangzhou University, Guangzhou, China 3 School of Computer and Artificial Intelligence,
Zhengzhou University, Zhengzhou, China tycao@stu.pku.edu.cn, zhangbowen@pku.edu.cn,
jinzhao@zzu.edu.cn, caoyz@pku.edu.cn, whpxhy@pku.edu.cn

Abstract

Separation logic and its variants can describe various properties on pointer programs. However, when it comes to properties on sequences, one may find it hard to formalize. To deal with properties on variable-length sequences and multilevel data structures, we propose sequence-heap separation logic which integrates sequences into logical reasoning on heap-manipulated programs. Quantifiers over sequence variables and singleton heap storing sequence (sequence singleton heap) are new members in our logic. Further, we study the satisfiability problem of two fragments. The propositional fragment of sequence-heap separation logic is decidable, and the fragment with 2 alternations on program variables and 1 alternation on sequence variables is undecidable. In addition, we explore boundaries between decidable and undecidable fragments of the logic with prenex normal form.

Index Terms:

separation logic, predicate logic, higher-order, sequence, decidability

I Introduction

The classical separation logic proposed by Reynolds[1] is widely used to describe and verify various properties on heap-manipulated programs. It has evolved in many versions: object-oriented separation logic[2], quantitative separation logic [3], higher-order separation logic[4], separation logic with inductive predicates[5], etc. Its separating conjunction $*$ and separating implication $-*$ provides much succincter expressions on mutable data structures.

Sequences are also widely used in programs. Many data structures can be abstracted to sequences, including $\mathtt{vector}$ in C++, and $\mathtt{ArrayList}$ in Java. There are many string solvers on sequences, such as CVC4[6] and Z3str3[7]. Sequence predicate logic[8] introduces sequence variables and sequence functions, and allows quantifiers over sequence variables. With sequence variables, sort function can be defined elegantly.

However, to our best knowledge, there is no integral formal systems on logical reasoning of programs with both heap and sequence. The example proposed in [1] provides a way to formally verify whether a program implements list reversal. The program aims to reverse the sequence $\alpha_{0}$ in $x$ and put it into $y$ . The invariant of this program is written as follows:

\displaystyle\exists\alpha\exists\beta.\;\bigl{(}(\mathtt{ls}(x,\alpha)*\mathtt{ls}(y,\beta))\land\alpha_{0}^{{\dagger}}==\alpha^{{\dagger}}\circ\beta\bigr{)},

(1)

where $\alpha^{{\dagger}}$ denotes reversal of the sequence $\alpha$ , and the term $\alpha\circ\beta$ denotes the concatenation of the two sequences $\alpha$ and $\beta$ . The predicate $\mathtt{ls}(x,\alpha)$ denotes a singly-linked list starting from $x$ , which can be inductively defined as follows:

	$\displaystyle\mathtt{ls}(x,\varepsilon)$	$\displaystyle\quad\overset{\triangle}{=}\quad x=\mathbf{nil},$		(2)
	$\displaystyle\mathtt{ls}(x,n\circ\alpha)$	$\displaystyle\quad\overset{\triangle}{=}\quad\exists y.\;x\|->y\circ n*\mathtt{ls}(y,\alpha).$		(2)

The property defined in Equation 1 can be attributed to properties on variable-length sequences in pointer programs. These properties can be found in many commonly-used mutable data structures, such as in stacks, queues, and graphs. Besides, variable-length sequences also appear in multilevel data structures, such as paging on operating systems, and file systems. It is necessary to introduce a logic to describe and verify these kind of properties.

In this paper, we aim to establish a logical foundation for variable-length sequences and multilevel data structures in pointer programs, especially on definition, expressiveness and decidability. We propose sequence-heap separation logic to integrate sequences into logical reasoning in pointer programs. The logic is an extension of both classical separation logic proposed in [1], and sequence predicate logic proposed in [8].

Sequence-heap separation logic can be seen as a fragment of higher-order separation logic proposed in [4]. Quantifiers over sequences can be reduced to those over predicates (or over sets). Sequence-heap separation logic is less expressive than higher-order separation logic, but can be used in many scenarios on sequences in pointer programs, and has better deciability results.

In terms of definition for sequence-heap separation logic, we define the heap model as a finite partial mapping from locations to sequences, which is similar to the block model $\mathrm{Heap}_{B}$ defined in [9]. The model can be written as $h:\text{Loc}\overset{\mathrm{fin}}{\rightharpoonup}(\text{Loc}\cup\text{Val})^{*}$ , compared to the model $h:\text{Loc}\overset{\mathrm{fin}}{\rightharpoonup}\text{Loc}\cup\text{Val}$ defined in the classical separation logic.

We also define sequence singleton heap as the term $x|->\alpha$ to adapt more scenarios on variable-length sequences. The term can be used to denote stack, queue, variadic arguments, trees with variable-length branches, graphs with unbounded out-degree, etc. We take stack as an example.

In the classical separation logic, one has to describe stack with the inductive predicate $\mathtt{ls}(x,\alpha)$ defined in Equation 2, where $x$ and $\alpha$ denote the top pointer and contents of the stack respectively. However, with sequence singleton heap $x|->\alpha$ defined in sequence-heap separation logic, one can use this formula to denote stack without inductive predicate.

The definition of sequence singleton heap can help us to get a decidable result. We prove that the $\Sigma_{1}$ fragment with sequence singleton heap is decidable, compared to the undecidable result on $\Sigma_{1}$ fragment in [10] where the list predicate $\mathtt{ls}(x,y)$ , separating conjunctions, and separating implications are defined.

Besides, properly defining the form of $\alpha$ can help the logic to describe multilevel data structures. For example, if $\alpha$ is of the form $\alpha\#\beta$ (where $\alpha$ denotes the sequence of locations, $\beta$ denotes the sequence of contents, and $\#$ separates these two sequences), one can describe two-tier data structures[9] in block-based cloud storage systems in the following way.

\displaystyle(x|->\alpha\#\varepsilon)*\forall y\exists\beta.\;\bigl{(}y\overline{\in}\alpha=>(y\hookrightarrow\varepsilon\#\beta)\bigr{)},

(3)

where $x$ denotes the block location, $\alpha$ denotes the sequence of content location, and $\beta$ denotes contents in each location of $\alpha$ . The term $y\overline{\in}\alpha$ denotes $y$ appears in $\alpha$ , which is defined as follows:

\displaystyle y\overline{\in}\alpha\overset{\triangle}{=}\exists\alpha_{1}\exists\alpha_{2}.\;\alpha==\alpha_{1}\circ y\circ\alpha_{2}.

Equation 3 can be illustrated by Fig. (1).

Refer to caption — Figure 1: Representation of two-tier data structure

We notice that sequence predicate logic proposed in [8] is also capable of describing various properties on variable-length sequences. However, the logic cannot be directly used to describe sequences in pointer programs. sequence-heap separation logic is more than just the combination of sequence predicate logic and separation logic. The logic enriches the composition of the two.

We also notice that the model of sequence-heap separation logic is similar to that of block-based separation logic proposed in [9]. However, the sequence singleton heap and quantifiers over sequences in sequence-heap separation logic provide more abstraction, and can be used for wider application scenarios, not just for block-based cloud storage systems.

For example, the combined logic can simplify expressions on describing stack. Besides, sequence predicate logic and separation logic alone cannot describe multilevel data structures shown in Equation 3, but the combined one can do this.

We also study decidability problems of sequence-heap separation logic fragments. This can help us to find algorithms for decidable fragments, as well as to understand expressiveness of the logic intensively. We get the following two main fragments on satisfiability problems. One is a decidable fragment which lays between $\Sigma_{1}$ fragment of the classical separation logic, and the logic involving list predicate. The other is an undecidable fragment where there are two alternations on quantifiers over program variables, and one alternation on quantifiers over sequence variables.

The paper is organized as follows. In Section \@slowromancapii@, we introduce some basic concepts of separation logic and sequence predicate logic. In Section \@slowromancapiii@, we define sequence-heap separation logic and explore its expressiveness. In Section \@slowromancapiv@, we prove that the satisfiability problem of $\Sigma_{1}$ fragment is decidable. In Section \@slowromancapv@, we prove that the satisfiability problem of the fragment with the prenex normal form $\forall_{x}^{*}\forall_{\alpha}^{*}\cap\forall_{x}^{*}\exists_{x}^{*}\exists_{\alpha}^{*}$ is undecidable. In addition, we explore boundaries between decidable and undecidable fragments. In Section \@slowromancapvi@, we conclude our work, and propose future work on sequence-heap separation logic.

Related work. Separation logic can express properties on heaps, such as dangling pointers, non-circularity, and memory leakages.[11] However, the logic itself is proved to be undecidable[12]. We investigate the following two categories of fragments: basic fragments without inductive predicates and $\Sigma_{1}$ fragments with inductive predicates.

In basic fragments, there are no user-defined predicates or hard-corded predicates. It is known that the validity problem of $\Pi_{1}$ fragment $\mathrm{SL}(*,-*)$ is decidable[13], and that of basic fragment $\mathrm{SL}(\forall,\hookrightarrow)$ with quantifiers and no separation implications is undecidable[13]. If we restrict the size of the heap satisfying $\varphi_{1}$ in the formulae $\varphi_{1}-*\varphi_{2}$ to be bounded (namely $n$ ), then we can get a decidable basic fragment $\mathrm{SL}(*,-*^{n},\exists)$ [12]. To get decidable fragments, one can either restrict quantifier alternations in the formulae of prenex normal form, or number of quantified variables. For quantifier alternations, the fragment $\mathrm{SL}(\exists^{*}\forall^{*})$ with 2 quantifier alternations is decidable[14], while the fragment $\mathrm{SL}(\exists^{*}\forall^{*}\exists^{*})$ with 3 is undecidable[14]. For quantified variables, the fragment $1\mathrm{SL}1$ with 1 quantified variable is decidable [15], while the fragment $1\mathrm{SL}2$ with 2 quantified variables is undecidable [16].

In $\Sigma_{1}$ fragments, it contains separation implications (or its variants) and inductive predicates describing data structures. One basic result is that the satisfiability problem of $\Sigma_{1}$ fragment $\mathrm{SL}(*,-*,\mathtt{ls})$ with lists is undecidable[10]. However, if list predicates are restricted to the list with length at most 2, one can get a decidable fragment $\mathrm{SL}(*,-*,\mathtt{reach}_{2})$ [10]. Besides, if we further restrict heap unions in separation model, one can get strong-separation logic[17]. It is proved that the strong-separation fragment $\mathrm{SSL}(*,\mathrel{\sepimp\mkern-15.0mu^{\lnot}},\mathtt{ls})$ with list predicates is decidable.

All fragments mentioned above can be found in TABLE I.

Table I: Decidability of separation logic fragments

Fragment	Model	Key connectives and predicates	Decidability
$\mathrm{SL}(,-)$	separation model	$\lnot,\|->,,-$	decidable
$\mathrm{SL}(\forall,\hookrightarrow)$		$\lnot,\forall,\hookrightarrow$	undecidable
$\mathrm{SL}(,-^{n},\exists)$		$\lnot,,-^{n},\exists$	decidable
$\mathrm{SL}(\exists^{}\forall^{})$		prenex $\exists^{}\forall^{}$	decidable
$\mathrm{SL}(\exists^{}\forall^{}\exists^{*})$		prenex $\exists^{}\forall^{}\exists^{*}$	undecidable
$1\mathrm{SL}1$		1 quantified variable	decidable
$1\mathrm{SL}2$		2 quantified variables	undecidable
$\mathrm{SL}(,-,\mathtt{ls})$	separation model	$\lnot,,-,\mathtt{ls}(x,y)$	undecidable
$\mathrm{SL}(,-,\mathtt{reach}_{2})$	separation model	$\lnot,,-,\mathtt{reach}_{2}(x,y)$	decidable
$\mathrm{SSL}(*,\mathrel{\sepimp\mkern-15.0mu^{\lnot}},\mathtt{ls})$	strong-separation model	$\lnot,*,\mathrel{\sepimp\mkern-15.0mu^{\lnot}},\mathtt{ls}$	decidable

Sequence predicate logic is an extension of word equation. Specifically, word equations are $\Sigma_{1}$ fragment or $\Pi_{1}$ fragment of sequence predicate logic, where there are only quantifiers over sequence variables. It can express many properties on sequences, such as conjugates, and lexicographic ordering on words[18]. On the other hand, it cannot express properties such as ”the primitiveness” and ”the equal length”. It is shown that every Boolean combinations of word equations on free semigroup can be reduced to a single word equation[19].

Different from the classical predicate logic, sequence variables, sequence predicates and sequence functions are defined in sequence predicate logic[8]. The problem of whether there is a solution for word equation is decidable[19]. Namely, the truth of $\Sigma_{1}$ fragment of sequence predicate logic is decidable. Further researches show that the truth of positive formulae (where there is no negations or inequalities) which is of the form $\forall^{*}\exists^{*}$ [20], $\exists^{*}\forall^{*}$ [21] or $\exists^{*}\forall^{*}\exists^{*}$ [22] is shown to be undecidable. To get a decidable fragment, one can restrict the formulae of the form $\exists^{*}\forall^{*}$ to the positive one[22].

There are some works which combine separation logic and sequences. When formalizing cloud storage systems, one can construct a modeling language IMDSS[23], and a proof system based on separation logic[9]. These papers define values of heaps as finite sequences, and describe properties on blocks without using sequence singleton heap. Coq-based proof assistant[24] is implemented based on the logic defined in [9].

II Preliminaries

In this section, we introduce some basic concepts on separation logic and sequence predicate logic.

II-A Separation logic

In this subsection, we mainly focus on definitions and expressiveness of separation logic.

Definition II.1 (Definition of separation logic)

The syntax of separation logic[25] with 1 records is defined as follows:

	$\displaystyle t\quad::=$	$\displaystyle\quad\mathbf{nil}\mid n\mid x\mid\mathtt{f}^{n}(t,\dots,t)$
	$\displaystyle p\quad::=$	$\displaystyle\quad t=t\mid\mathbf{emp}\mid t\|->t\mid\mathtt{P}^{n}(t,\dots,t)$
	$\displaystyle\varphi\quad::=$	$\displaystyle\quad p\mid\lnot\varphi\mid\varphi\land\varphi\mid\varphi\lor\varphi\mid\varphi=>\varphi\mid\varphi\varphi\mid\varphi-\varphi\mid\exists x.\varphi,$

where $n$ denotes constants, $x$ denotes variables, $\mathtt{f}^{n}$ denotes $n$ -ary functions mapping $\mathbb{N}^{n}$ to $\mathbb{N}$ , and $\mathtt{P}^{n}$ denotes $n$ -ary predicates mapping $\mathbb{N}^{n}$ to $\{0,1\}$ .

The underlying model $\sigma=(s,h)$ of separation logic consists of a stack $s$ and a heap $h$ . The set $\mathrm{Loc}$ comprises locations excluding $\mathbf{nil}$ . The set $\mathrm{Var}$ comprises symbols of variables, including $x,y,z,\dots$ . The set $\mathrm{Val}$ comprises integer values. The model is defined as follows:

$\text{Loc},\text{Val}\subseteq\mathbb{N}$	$\mathbf{nil}\in\text{Atoms}$
$s:\text{Var}->\text{Loc}\cup\text{Val}$	$h:\text{Loc}\overset{\mathrm{fin}}{\rightharpoonup}(\text{Loc}\cup\text{Val})^{*}$ .

The semantics of the term $\mathtt{f}^{n}(t_{1},\dots,t_{n})$ can be defined as follows, where $\mathtt{f}_{\sigma}^{n}$ is the interpretation of $\mathtt{f}^{n}$ .

\displaystyle|[\mathtt{f}^{n}(t_{1},\dots,t_{n})|]\sigma=\mathtt{f}_{\sigma}^{n}(|[t_{1}|]\sigma,\dots,|[t_{n}|]\sigma).

The semantics of formulae is inductively defined as follows:

$\displaystyle\sigma\|=t_{1}=t_{2}$	iff	$\displaystyle\quad\|[t_{1}\|]\sigma=\|[t_{2}\|]\sigma.$
$\displaystyle\sigma\|=\mathbf{emp}$	iff	$\displaystyle\quad\mathtt{dom}(h)=\varnothing.$
$\displaystyle\sigma\|=t_{1}\|->t_{2}$	iff	$\displaystyle\quad\|[t_{1}\|]\sigma!=\mathbf{nil}\text{ and }\mathtt{dom}(h)=\{\|[t_{1}\|]\sigma\}$
$\displaystyle\quad\text{ and }h(\|[t_{1}\|]\sigma)=\|[t_{2}\|]\sigma.$
$\displaystyle\sigma\|=\mathtt{P}^{n}(t_{1},\dots,t_{n})$	iff	$\displaystyle\quad\mathtt{P}_{\sigma}^{n}(\|[t_{1}\|]\sigma,\dots,\|[t_{n}\|]\sigma)\text{ holds.}$
$\displaystyle\sigma\|=\lnot\varphi$	iff	$\displaystyle\quad\sigma\nvDash\varphi.$
$\displaystyle\sigma\|=\varphi_{1}\land\varphi_{2}$	iff	$\displaystyle\quad\sigma\|=\varphi_{1}\text{ and }\sigma\|=\varphi_{2}.$
$\displaystyle\sigma\|=\varphi_{1}\lor\varphi_{2}$	iff	$\displaystyle\quad\sigma\|=\varphi_{1}\text{ or }\sigma\|=\varphi_{2}.$
$\displaystyle\sigma\|=\varphi_{1}=>\varphi_{2}$	iff	$\displaystyle\quad\text{if }\sigma\|=\varphi_{1}\text{, then }\sigma\|=\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}*\varphi_{2}$	iff	$\displaystyle\quad\text{there exists heap }h_{1}\text{ and }h_{2},$
$\displaystyle\quad\text{such that }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h_{2})=\varnothing,$
$\displaystyle\quad\text{and }h=h_{1}\uplus h_{2},\text{ and }(s,h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{and }(s,h_{2})\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}-*\varphi_{2}$	iff	$\displaystyle\quad\text{for all heaps }h_{1},$
$\displaystyle\quad\text{if }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h)=\varnothing\text{,}$
$\displaystyle\quad\text{and }(s,h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{then }(s,h_{1}\uplus h)\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\exists x.\varphi$	iff	$\displaystyle\quad\text{there exists }x_{0}\text{ in Loc}\cup\text{Val,}$
$\displaystyle\quad\text{such that }(s[x->x_{0}],h)\;\|=\;\varphi,$

where $\mathtt{P}_{\sigma}^{n}$ denotes the interpretation of $\mathtt{P}^{n}$ .

For convenience, we have the following notation[25] denoting that $t$ points to $t_{1},\dots,t_{n}$ with some fixed $n$ .

\displaystyle t|->t_{1},\dots,t_{n}\overset{\triangle}{=}(t|->t_{1})*\dots*(t+n-1|->t_{n}).

(4)

In some fragments of separation logic, the heap model is defined as $h:\text{Loc}\overset{\text{fin}}{\rightharpoonup}\text{Val}^{n}$ with some fixed $n$ [25][26]. In this case, Equation 4 will no longer hold. The semantics of the notation is defined as follows:

	$\displaystyle\sigma\|=t\|->t_{1},\dots,t_{n}$	iff	$\displaystyle\|[t\|]\sigma!=\mathbf{nil}\text{ and }\mathtt{dom}(h)=\{\|[t\|]\sigma\},$
	$\displaystyle\text{ and }h(\|[t\|]\sigma)=(\|[t_{1}\|]\sigma,\dots,\|[t_{n}\|]\sigma).$

We notice that in either separation logic or one of its fragments (symbolic heap[11][26], strong-separation logic[17], etc.), the singleton heap is defined with some fixed number $n$ . It may not be suitable for describing properties on blocks, or graphs where each node is of unbounded out-degrees.

The paper [9] introduces sequence into separation logic to describe properties on block-based cloud storage systems. The model of the logic is defined as a quintuple of the form $(s_{F},s_{B},s_{V},h_{B},h_{V})$ , where $s_{F},s_{B},s_{V}$ are assignments of file variables, block variables and location variables respectively, $h_{B},h_{V}$ are heaps of blocks and heaps of values respectively. The file stack $s_{F}$ is a mapping from file variables to a sequence of block addresses, which is denoted as $s_{F}\overset{\triangle}{=}\text{FVar}->\text{BLoc}^{*}$ , and $h_{B}$ is a finite partial mapping from blocks to sequences of locations, which is denoted as $h_{B}\overset{\triangle}{=}\text{BLoc}\overset{\text{fin}}{\rightharpoonup}\text{Loc}^{*}$ . Although $s_{F}$ and $h_{B}$ both range over sequences, the logic does not introduce sequence variables, sequence functions, or sequence singleton heap. The logic visits these sequences by existential quantifiers on block variables, and by equality over values of block variables.

II-B Word equations and sequence predicate logic

Word equation can be seen as a special case of sequence predicate logic. It can be defined as follows:

Definition II.2 (Word equation)

Suppose $X^{*}$ is a free semigroup satisfying $X=\{n_{1},\dots,n_{k}\}$ with unknowns $\alpha_{1},\dots,\alpha_{m}\in X^{*}$ , where $n_{1},\dots,n_{k}$ are generators. Word equation is an equality of the form:

\displaystyle U(n_{1},\dots,n_{k},\alpha_{1},\dots,\alpha_{m})==V(n_{1},\dots,n_{k},\alpha_{1},\dots,\alpha_{m}),

where $==$ is the equality between two concatenations of sequences. If there is a solution for $U==V$ , then the word equation is satisfied.

The definition of word equation can be enhanced with Boolean combination, as is shown in Definition II.3.

Definition II.3 (Boolean combination of word equations)

Boolean combination of word equations is defined as follows:

	$\displaystyle t$	$\displaystyle\quad::=\quad n\mid\alpha\mid t\circ t$
	$\displaystyle\varphi$	$\displaystyle\quad::=\quad t==t\mid\lnot\varphi\mid\varphi\land\varphi\mid\varphi\lor\varphi,$

where $n$ denotes constants, $\alpha$ denotes sequence variables, and $t_{1}\circ t_{2}$ denotes the concatentation of two sequences $t_{1}$ and $t_{2}$ .

Word equation is capable of describing many properties on sequences. Every Boolean combinations of word equations can be reduced to a single word equation followed by Theorem II.1[18].

Theorem II.1

For every Boolean combinations $\varphi$ defined above, there exists a single word equation $T(\varphi)\overset{\triangle}{=}U==V$ , which is equivalent to $\varphi$ . The proof sketch of the theorem can be found in Appendix.

If word equation is enhanced with sequence function, and quantifiers over variables and sequences, then one can get the following definition of sequence predicate logic.

Definition II.4 (Sequence predicate logic)

The syntax of sequence predicate logic[8] can be defined as follows:

$\displaystyle t$	$\displaystyle\quad::=$	$\displaystyle n\mid x\mid\alpha\mid t\circ t\mid\mathtt{f}(t,\dots,t)\mid\overline{\mathtt{f}}(t,\dots,t)$
$\displaystyle\varphi$	$\displaystyle\quad::=$	$\displaystyle t==t\mid\mathtt{P}(t,\dots,t)\mid\lnot\varphi\mid\varphi\land\varphi\mid\varphi\lor\varphi$
$\displaystyle\mid\varphi=>\varphi\mid\exists x.\varphi\mid\exists\alpha.\varphi.$

The variable $x$ denotes individual variables, and $\alpha$ denotes sequence variables. The arity of $\mathtt{f}$ , $\overline{\mathtt{f}}$ , and $\mathtt{P}$ can be either fixed or flexible. When it is fixed, there is no sequence variables on parameters. When it is flexible, it may contain sequence variables.

The structure of the logic is defined as $(\mathrm{Val},I)$ , where $\mathrm{Val}$ is the domain, and $I$ is the interpretation on individual and sequence constants, functions and predicates. The assignment of the logic can be defined as $(s_{x},s_{\alpha})$ , where $s_{x}:\mathrm{IVar}->\mathrm{Val}$ , $s_{\alpha}:\mathrm{SVar}->\mathrm{Val}^{*}$ , and $\mathrm{IVar}=\{x,y,z,\dots\}$ , $\mathrm{SVar}=\{\alpha,\beta,\gamma,\dots\}$ .

In sequence predicate logic, $t_{1}\circ t_{2}$ denotes the concatenation between two sequences $t_{1}$ and $t_{2}$ , $t_{1}==t_{2}$ denotes that two equations $t_{1}$ and $t_{2}$ are equal. Due to space limitations, we do not list the semantics of the logic. The details can be found in [8][27].

II-C Expressiveness of sequence predicate logic

We recall properties which can be expressed by sequence predicate logic. They are useful for describing properties with sequence-heap separation logic.

Length. Sequence predicate logic can be used to get the length of a sequence. The function $\mathtt{length}(\alpha)$ denotes the length of the sequence $\alpha$ , which can be inductively defined as follows:

	$\displaystyle\mathtt{length}$	$\displaystyle(\varepsilon)\overset{\triangle}{=}0$
	$\displaystyle\mathtt{length}$	$\displaystyle(n\circ\alpha)\overset{\triangle}{=}1+\mathtt{length}(\alpha).$

For convenience, we define $|\alpha|$ to denote $\mathtt{length}(\alpha)$ .

Statistics. Sequence predicate logic can be used to get occurrences of specific terms. The function $\mathtt{find}(\alpha,x)$ denotes the occurrences of $x$ in sequence $\alpha$ , which can be inductively defined as follows:

$\displaystyle\mathtt{find}$	$\displaystyle(\varepsilon,x)\overset{\triangle}{=}0$
$\displaystyle\mathtt{find}$	$\displaystyle(n\circ\alpha,x)\overset{\triangle}{=}1+\mathtt{find}(\alpha,x),$	$\displaystyle n=x$
$\displaystyle\mathtt{find}$	$\displaystyle(n\circ\alpha,x)\overset{\triangle}{=}\mathtt{find}(\alpha,x),$	$\displaystyle n\neq x$

For convenience, we define $|\alpha|_{x}$ to denote $\mathtt{find}(\alpha,x)$ .

Lookups. The predicate $\mathtt{eq}(x_{1},\alpha,x_{2})$ denotes the $x_{2}$ -th item of sequence $\alpha$ is $x_{1}$ , which can be expressed as follows:

\displaystyle\mathtt{eq}(x_{1},\alpha,x_{2})\overset{\triangle}{=}\exists\alpha_{1}\exists\alpha_{2}.\;\alpha==\alpha_{1}\circ x_{1}\circ\alpha_{2}\land|\alpha_{1}\circ x_{1}|=x_{2}.

Note that $\alpha(x)$ does not appear as a term in Definition II.4. If so, consider the case where $x$ exceeds the length of sequence $\alpha$ . A new value $\perp$ should be introduced to denote illegal term, which may complicate the logic. We take $x_{1}=\alpha(x_{2})$ to denote $\mathtt{eq}(x_{1},\alpha,x_{2})$ for convenience:

\displaystyle x_{1}=\alpha(x_{2})\overset{\triangle}{=}\mathtt{eq}(x_{1},\alpha,x_{2}).

Other properties can be expressed with lookups. We list some of them below.

The relationships between items and sequences can be defined as $x\;\bar{\in}\;\alpha$ , which means $x$ can be found in the sequence $\alpha$ :

\displaystyle x\;\bar{\in}\;\alpha\overset{\triangle}{=}\exists x_{1}.\;x=\alpha(x_{1}).

The $x_{1}$ -th item of the sequence $\alpha_{1}$ is equal to the $x_{2}$ -th item of the sequence $\alpha_{2}$ :

\mathtt{eq}(\alpha_{1},x_{1},\alpha_{2},x_{2})\overset{\triangle}{=}\exists x_{3}.\;x_{3}=\alpha_{1}(x_{1})\land x_{3}=\alpha_{2}(x_{2}).

Unary property. All items in the sequence $\alpha$ satisfies the unary property $\mathtt{P}^{1}(x)$ :

\displaystyle\forall x\forall\alpha_{1}\forall\alpha_{2}.\;\alpha==\alpha_{1}\circ x\circ\alpha_{2}=>\mathtt{P}^{1}(x).

Binary property. Each two items with different indices in the sequence $\alpha$ satisfies the binary property $\mathtt{P}^{2}(x_{1},x_{2})$ :

	$\displaystyle\forall x_{1}\forall x_{2}\forall\alpha_{1}\forall\alpha_{2}\forall\alpha_{3}.\;$	$\displaystyle\alpha==\alpha_{1}\circ x_{1}\circ\alpha_{1}\circ x_{2}\circ\alpha_{3}$
		$\displaystyle=>\mathtt{P}^{2}(x_{1},x_{2}).$

Increment and set-like defined bellow are binary properties.

Increment. The sequence $\alpha$ is strictly increasing:

	$\displaystyle\mathtt{Inc}(\alpha)\overset{\triangle}{=}\;$	$\displaystyle\forall x_{1}\forall x_{2}\forall\alpha_{1}\forall\alpha_{2}\forall\alpha_{3}.$
		$\displaystyle\alpha==\alpha_{1}\circ x_{1}\circ\alpha_{2}\circ x_{2}\circ\alpha_{3}=>x_{1}<x_{2}.$

Set-like. Each two items in sequence $\alpha$ are distinct:

	$\displaystyle\mathtt{Diff}(\alpha)\overset{\triangle}{=}\;$	$\displaystyle\forall x_{1}\forall x_{2}\forall\alpha_{1}\forall\alpha_{2}\forall\alpha_{3}.$
		$\displaystyle\alpha==\alpha_{1}\circ x_{1}\circ\alpha_{1}\circ x_{2}\circ\alpha_{3}=>x_{1}!=x_{2}.$

Segment. The sequence $\alpha_{2}$ is the consecutive sub-sequence of $\alpha_{1}$ :

\alpha_{2}\;\in\;\mathtt{Seg}(\alpha_{1})\overset{\triangle}{=}\exists\alpha_{3}\exists\alpha_{4}.\\ \alpha_{1}==\alpha_{3}\circ\alpha_{2}\circ\alpha_{4}.

Truncation. The sequence $\alpha_{2}$ is the consecutive sub-sequence of $\alpha_{1}$ with indices ranging over $[x_{1},x_{2})$ :

		$\displaystyle\alpha_{2}==\;\mathtt{Trunc}(\alpha_{1},x_{1},x_{2})$
	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle\exists\alpha_{3}\exists\alpha_{4}.\;\alpha_{1}==\alpha_{3}\circ\alpha_{2}\circ\alpha_{4}$
		$\displaystyle\hskip 40.00006pt\land\|\alpha_{3}\|=x_{1}-1\land\|\alpha_{3}\circ\alpha_{2}\|=x_{2}-1.$

III sequence-heap separation logic

sequence-heap separation logic is an extension of both classical separation logic and sequence predicate logic. It can describe properties on variable-length sequences, and multilevel data structures. Some properties cannot be expressed easily by the classical separation logic or sequence predicate logic alone.

In this section, we present the definition and expressiveness of sequence-heap separation logic (SeqSL).

III-A Definition of sequence-heap separation logic

Definition III.1 (Syntax of sequence-heap separation logic)

The syntax of the logic can be defined as follows:

	$\displaystyle t_{x}$	$\displaystyle\quad::=\quad\mathbf{nil}\mid\#\mid n\mid x$
	$\displaystyle t_{\alpha}$	$\displaystyle\quad::=\quad\varepsilon\mid t_{x}\mid\alpha\mid t_{\alpha}\circ t_{\alpha}$
	$\displaystyle\varphi$	$\displaystyle\quad::=\quad t_{x}=t_{x}\mid t_{\alpha}==t_{\alpha}\mid\lnot\varphi\mid\varphi\land\varphi\mid\varphi\lor\varphi\mid\varphi=>\varphi$
		$\displaystyle\hskip 35.00005pt\mid\mathbf{emp}\mid t_{x}\|->t_{\alpha}\mid\varphi\varphi\mid\varphi-\varphi\mid\exists_{x}x.\varphi\mid\exists_{\alpha}\alpha.\varphi.$

Note that other functions and predicates can be defined in SeqSL following the definition in [8], such as comparison between sequence, and picking up an item from a sequence. Most commonly-used predicates and functions can be expressed by the logic defined above.

Definition III.2 (Model of sequence-heap separation logic)

There are three types of variables in the signature of SeqSL: program variables $\text{PVar}=\{x,y,z,\dots\}$ , sequence variables $\text{SVar}=\{\alpha,\beta,\gamma,\dots\}$ . These sets are all countable. The model $\sigma=(s_{x},s_{\alpha},h)$ can be defined as follows:

$\text{Loc},\text{Val}\subseteq\mathbb{N}$	$\mathbf{nil},\#\in\text{Atoms}$
$\text{Loc}\cap\text{Atoms}=\varnothing$	$s_{x}:\text{PVar}->\text{Loc}\cup\text{Val}$
$s_{\alpha}:\text{SVar}->(\text{Loc}\cup\text{Val})^{*}$	$h:\text{Loc}\overset{\text{fin}}{\rightharpoonup}(\text{Loc}\cup\text{Val})^{*}$ ,

where Loc is the set of locations, Val is the set of values, Atoms is the set of reserved words, $s_{x}$ denotes the stack, $s_{\alpha}$ denotes the assignment on sequence variables, and $h$ denotes the heap which stores sequence of locations, values, or atoms.

Definition III.3 (Semantics of terms)

The symbol $t_{x}$ denotes individual term, whose value ranges over Val. The denotational semantics of the term can be inductively defined as follows:

	$\displaystyle\|[$	$\displaystyle\mathbf{nil}\|]\sigma=\mathbf{nil}$	$\displaystyle\|[$	$\displaystyle\#\|]\sigma=\#$
	$\displaystyle\|[$	$\displaystyle n\|]\sigma=n$	$\displaystyle\|[$	$\displaystyle x\|]\sigma=s_{x}(x),$

where $\mathbf{nil},\#$ in Atoms cannot be used as a location, and $\#$ is used to describe multilevel data structures.

The symbol $t_{\alpha}$ denotes sequence term, whose value ranges over $(\text{Loc}\cup\text{Val})^{*}$ . The denotational semantics of the term can be inductively defined as follows:

	$\displaystyle\|[$	$\displaystyle\varepsilon\|]\sigma=\varepsilon$	$\displaystyle\|[$	$\displaystyle t_{x}\|]\sigma\text{ is defined above}$
	$\displaystyle\|[$	$\displaystyle\alpha\|]\sigma=s_{\alpha}(\alpha)$	$\displaystyle\|[$	$\displaystyle t_{\alpha_{1}}\circ t_{\alpha_{2}}\|]\sigma=\|[t_{\alpha_{1}}\|]\sigma\circ\|[t_{\alpha_{2}}\|]\sigma,$

where $|[t_{\alpha_{1}}|]\sigma\circ|[t_{\alpha_{2}}|]\sigma$ denotes the concatenation of two sequences $|[t_{\alpha_{1}}|]\sigma$ and $|[t_{\alpha_{2}}|]\sigma$ .

Definition III.4 (Semantics of sequence-heap separation logic)

In SeqSL, the indices of sequence items start from 1. We set $\text{Values}=\text{Val}\;\cup\;\text{Loc}$ for convenience. The semantics of SeqSL can be defined as follows:

$\displaystyle\sigma\;\|=\;t_{x_{1}}=t_{x_{2}}$	iff	$\displaystyle\quad\|[t_{x_{1}}\|]\sigma=\|[t_{x_{2}}\|]\sigma.$
$\displaystyle\sigma\;\|=\;t_{\alpha_{1}}==t_{\alpha_{2}}$	iff	$\displaystyle\quad\|[t_{\alpha_{1}}\|]\sigma==\|[t_{\alpha_{2}}\|]\sigma.$
$\displaystyle\sigma\;\|=\;\lnot\varphi$	iff	$\displaystyle\quad\sigma\;\nvDash\;\varphi.$
$\displaystyle\sigma\;\|=\;\varphi_{1}\land\varphi_{2}$	iff	$\displaystyle\quad\sigma\;\|=\;\varphi_{1}\text{, and }\sigma\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}\lor\varphi_{2}$	iff	$\displaystyle\quad\sigma\;\|=\;\varphi_{1}\text{, or }\sigma\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}=>\varphi_{2}$	iff	$\displaystyle\quad\text{if }\sigma\;\|=\;\varphi_{1}\text{, then }\sigma\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\textbf{emp}$	iff	$\displaystyle\quad\mathtt{dom}(h)=\varnothing.$
$\displaystyle\sigma\;\|=\;t_{x}\|->t_{\alpha}$	iff	$\displaystyle\quad\|[t_{x}\|]\sigma\notin\mathrm{Atom},\;\mathtt{dom}(h)=\{\|[t_{x}\|]\sigma\},$
$\displaystyle\quad\text{ and }h(\|[t_{x}\|]\sigma)=\|[t_{\alpha}\|]\sigma$
$\displaystyle\sigma\;\|=\;\varphi_{1}*\varphi_{2}$	iff	$\displaystyle\quad\text{there exist heap }h_{1}\text{ and }h_{2},$
$\displaystyle\quad\text{such that }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h_{2})=\varnothing\;,$
$\displaystyle\quad\text{and }h=h_{1}\uplus h_{2},\;(s_{x},s_{\alpha},h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{and }(s_{x},s_{\alpha},h_{2})\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}-*\varphi_{2}$	iff	$\displaystyle\quad\text{for all heaps }h_{1},$
$\displaystyle\quad\text{if }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h)=\varnothing\text{ ,}$
$\displaystyle\quad\text{and }(s_{x},s_{\alpha},h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{then }(s_{x},s_{\alpha},h_{1}\uplus h)\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\exists_{x}x.\varphi$	iff	$\displaystyle\quad\text{there exists }x_{0}\text{ in Values,}$
$\displaystyle\quad\text{such that }(s_{x}[x->x_{0}],s_{\alpha},h)\;\|=\;\varphi.$
$\displaystyle\sigma\;\|=\;\exists_{\alpha}\alpha.\varphi$	iff	$\displaystyle\quad\text{there exists }\alpha_{0}\text{ in Values}^{*},$
$\displaystyle\quad\text{such that }(s_{x},s_{\alpha}[\alpha->\alpha_{0}],h)\;\|=\;\varphi,$

where $s_{x}[x->x_{0}]$ and $s_{\alpha}[\alpha->\alpha_{0}]$ denote substitution of program variable and sequence variable respectively. They are defined as follows.

\displaystyle s_{x}[x->x_{0}](x^{\prime})=\begin{cases}s_{x}(x_{0}),&x^{\prime}=x\\ s_{x}(x),&\text{otherwise}\end{cases}

\displaystyle s_{\alpha}[\alpha->\alpha_{0}](\alpha^{\prime})=\begin{cases}s_{\alpha}(\alpha_{0}),&\alpha^{\prime}==\alpha\\ s_{\alpha}(\alpha),&\text{otherwise}\end{cases}

For convenience, we write $\exists x.\varphi$ to denote $\exists_{x}x.\varphi$ , and $\exists\alpha.\varphi$ to denote $\exists_{\alpha}\alpha.\varphi$ .

SeqSL can express properties which is widely used in logic reasoning on pointer programs. We list some of them. These notations will be used in this paper.

	septraction	$\displaystyle\quad\varphi_{1}\mathrel{\sepimp\mkern-15.0mu^{\lnot}}\varphi_{2}\overset{\triangle}{=}\lnot(\varphi_{1}-*\lnot\varphi_{2})$
	universal quantifier	$\displaystyle\quad\forall\alpha.\varphi\overset{\triangle}{=}\lnot\exists\alpha.\;\lnot\varphi$
	$\displaystyle\alpha\text{ is stored in }x$	$\displaystyle\quad x\hookrightarrow\alpha\overset{\triangle}{=}x\|->\alpha*\mathbf{true}$
	$\displaystyle x\text{ has been allocated }$	$\displaystyle\quad\mathtt{alloc}(x)\overset{\triangle}{=}\exists\alpha.\;x\hookrightarrow\alpha$
	$\displaystyle\alpha_{2}\text{ is stored in }\alpha_{1}(x_{1})$	$\displaystyle\quad\alpha(x_{1})\hookrightarrow\alpha_{2}$
		$\displaystyle\hskip-5.0pt\overset{\triangle}{=}\;\exists x.\;x=\alpha_{1}(x_{1})\land x\hookrightarrow\alpha_{2}.$

III-B Expressiveness of sequence-heap separation logic

In this subsection, we list few examples to show expressiveness of SeqSL. We divide examples into 2 categories: properties on variable-length sequence in programs, and properties on multilevel data structures.

Similar to the classical separation logic, sequence-heap separation logic does not make differences between locations and values in formulae. To adjust more scenarios in practice, we use the atom $\#$ to manually separate locations and values. The sequence singleton heap can thus be written as $x|->\alpha_{l}\circ\#\circ\alpha_{x}$ , where $\alpha_{l}$ denotes sequence of locations, and $\alpha_{x}$ denotes sequence of values.

III-B1 Properties on variable-length sequences in programs

we list some properties on graphs to show the expressiveness of SeqSL on describing variable-length sequences in programs. These properties include: out-degree and reachability.

Out-degree. The out-degree of node $x$ can be denoted as $\mathtt{Outdeg}(x)$ . The formula $\mathtt{Outdeg}(x)=n$ means the out-degree of node $x$ is $n_{x}$ . It is defined as follows:

		$\displaystyle\mathtt{Outdeg}(x)=n_{x}$		(5)
	$\displaystyle\overset{\triangle}{=}$	$\displaystyle\exists\alpha_{l}\exists\alpha_{x}.\;x\hookrightarrow\alpha_{l}\circ\#\circ\alpha_{x}\land\|\alpha_{l}\|=n_{x}.$		(5)

Note that the reserved word nil might be in $\alpha_{l}$ . It does not affect the truth of the definition, because nil can be viewed as location 0. Its out-degree is 0, and in-degree is not necessarily be 0.

Reachability. First, we define one-step reachability $x_{1}\leadsto x_{2}$ , which means there exists an edge from $x_{1}$ to $x_{2}$ .

x_{1}\leadsto x_{2}\overset{\triangle}{=}\exists\alpha_{l_{1}}\exists\alpha_{l_{2}}\exists\alpha_{x}.\;l_{1}\hookrightarrow\alpha_{l_{1}}\circ l_{2}\circ\alpha_{l_{2}}\circ\#\circ\alpha_{x}.

Then we define $\mathtt{reach}^{n}(x_{1},x_{2})$ , which means there exists a path from $x_{1}$ to $x_{2}$ . The length of the path is $n$ ( $n>=0$ ).

	$\displaystyle\mathtt{reach}^{0}(x_{1},x_{2})$	$\displaystyle\quad\overset{\triangle}{=}\quad x_{1}=x_{2}$
	$\displaystyle\mathtt{reach}^{n+1}(x_{1},x_{2})$	$\displaystyle\quad\overset{\triangle}{=}\quad\exists x_{3}.\;x_{1}\leadsto x_{3}*\mathtt{reach}^{n}(x_{3},x_{2})$

Finally we define $\mathtt{reach}(x_{1},x_{2})$ , which means there exists a path from $x_{1}$ to $x_{2}$ , whose length is larger or equal than 0.

\displaystyle\mathtt{reach}(x_{1},x_{2})\overset{\triangle}{=}\exists n.\;n>=0\land\mathtt{reach}^{n}(x_{1},x_{2}).

Note that $\mathtt{reach}(x_{1},x_{2})$ defined in SeqSL is different from $\mathtt{ls}(x_{1},x_{2})$ defined in the separation logic fragments on shape analysis. The former can describe reachability on graphs without restrictions on out-degree of each nodes, while the latter can only describe reachability on linked lists.

III-B2 Properties on multilevel data structures

we list some properties on two kinds of storage systems to show expressiveness of SeqSL on describing multilevel data structures.

Different from SeqSL, the model $\sigma=(s_{x},s_{\alpha},h)$ of SeqSL describing storage systems should be interpreted in disk, not in memory.

Properties on Windows storage systems. The structure of Windows storage systems based on trees can be expressed by SeqSL. The indices $\alpha_{l}$ of files are stored in the location $l$ . The file $\alpha_{x}$ is stored in the location $l_{1}$ .

		$\displaystyle l\hookrightarrow\alpha_{l}\circ\#\circ\varepsilon\;*$		(6)
		$\displaystyle\forall l_{1}\exists\alpha_{x}.\;(l_{1}\overline{\in}\alpha_{l}=>l_{1}\hookrightarrow\varepsilon\circ\#\circ\alpha_{x}).$		(6)

Note that the sub-formula $\forall l_{1}\exists\alpha_{x}.\;(l_{1}\overline{\in}\alpha_{l}=>l_{1}\hookrightarrow\varepsilon\circ\#\circ\alpha_{x})$ can not be replaced by $\forall x.\;\alpha_{l}(x)\hookrightarrow\varepsilon\circ\#\circ\alpha_{x}$ . The reason is that, $\alpha_{l}$ is a finite sequence. When $x$ exceeds the length of $\alpha_{l}$ , it falsifies $\forall x.\;\alpha_{l}(x)\hookrightarrow\varepsilon\circ\#\circ\alpha_{x}$ . So we have to restrict $l_{1}$ with $l_{1}\overline{\in}\alpha_{l}$ .

We apply $\#$ in Equation 6 to describe two-tier data structures. The first tier merely stores locations $\alpha_{l}$ , while the second tier merely stores data $\alpha_{x}$ . These two different forms of contents prevent the location $l_{1}$ in the second tier from pointing to the location $l$ in the first tier.

With Equation 6 in hand, we can describe properties of files. We list two of them.

A file can be found by its index $x_{1}$ :

\displaystyle\exists\alpha_{x}.\;\alpha_{l}(x_{1})\hookrightarrow\varepsilon\circ\#\circ\alpha_{x}.

The content $x_{1}$ can be found in the file $\alpha_{x}$ :

\displaystyle\exists x_{2}.\;x_{1}=\alpha_{x}(x_{2}).

In addition, we can apply $x|->\alpha_{l}\circ\#^{n}\circ\alpha_{x}$ to describe n-th tier of multilevel data structure. This is useful for describing multilevel pointers in C++, multilevel paging, multilevel addressing, etc.

Properties on block-based cloud storage systems. SeqSL can be used to describe blocks in cloud storage systems. Generally speaking, the sequence $\alpha$ in the formula $x\hookrightarrow\alpha$ can be viewed as a block. With a relative address $l$ , the content $\alpha(l)$ can be found.

For convenience, we define the predicate $\mathtt{IncIndex}(\alpha_{0},n)$ , which means $\alpha_{0}$ with length $n+1$ is strictly increasing. The first item of $\alpha$ is 1, and the last is $n+1$ .

	$\displaystyle\mathtt{IncIndex}(\alpha_{0},n)\;\overset{\triangle}{=}\;$	$\displaystyle\mathtt{Inc}(\alpha_{0})\land\|\alpha_{0}\|=n+1$
		$\displaystyle\land 1=\alpha_{0}(1)\land n+1=\alpha_{0}(n+1).$

A big file $\alpha$ stored in location $l$ is divided into $n$ smaller blocks and is stored in disk. The indices $\alpha_{l}$ of the file are stored in location $l$ . The function $\mathtt{Trunc}(\alpha,x_{1},x_{2})$ can be used to locate these blocks. The sequence variable $\alpha_{0}$ in the following formula represents the sequence of division points, which should make the predicate $\mathtt{IncIndex}(\alpha_{l},n)$ to be true. The length of each block $\alpha_{x}$ can be additionally fixed to 64 by tahe formula $|\alpha_{x}|=64$ .

	$\displaystyle\exists\alpha_{0}.\;\Bigl{(}\mathtt{IncIndex}(\alpha_{l},n)\land l\hookrightarrow\alpha_{l}\circ\#\circ\varepsilon$
	$\displaystyle*\bigl{(}\forall l_{1}\exists x.\;(l_{1}=\alpha_{l}(x)\land\alpha_{x}==\mathtt{Trunc}(\alpha,\alpha_{0}(x),\alpha_{0}(x+1)))$
	$\displaystyle=>l_{1}\hookrightarrow\varepsilon\circ\#\circ\alpha_{x}\Bigr{)}.$

The formula defined above can be illustrated by Fig. (2).

IV Decidable fragments

In this section, we consider a decidable $\Sigma_{1}$ fragment of SeqSL. It contains sequence singleton heap, separating conjunction, separating implication, equality and concatenation on sequences. We present the following main result of this section.

Theorem IV.1 (Decidable fragment of SeqSL)

The satisfiability problem of the language is decidable when it is restricted as follows:

	$\displaystyle t_{x}\quad::=$	$\displaystyle\quad\mathbf{nil}\mid\#\mid x$
	$\displaystyle t_{\alpha}\quad::=$	$\displaystyle\quad\varepsilon\mid t_{x}\mid\alpha\mid t_{\alpha}\circ t_{\alpha}$
	$\displaystyle\varphi\quad::=$	$\displaystyle\quad t_{x}=t_{x}\mid t_{\alpha}==t_{\alpha}\mid\mathbf{false}\mid\varphi=>\varphi\mid\mathbf{emp}$
		$\displaystyle\quad\mid x\|->t_{\alpha}\mid\varphi\varphi\mid\varphi-\varphi.$

The model of the fragment is the same as that of SeqSL, which is defined in Definition III.2.

We call the above fragment the $\Sigma_{1}$ fragment of separation logic (PSeqSL, where the alphabet ’P’ means propositional). PSeqSL is a non-trivial fragment for the following reasons:

•

The expressiveness of PSeqSL is stronger than that of the $\Sigma_{1}$ fragment of the classical separation logic proposed in [1], because the former can express properties on variable-length sequences and on multilevel data structures.
•

The heap stores variable-length sequences in PSeqSL. The models of a formula in PSeqSL may have more possibilities than that of a formula in the classical separation logic.
•

Sequences and heap operations in the fragment are not independent. Their satisfiability may affect each other. For instance, to decide whether the formula $x_{1}|->\alpha_{1}\land x_{1}|->\alpha_{2}$ is true, we need to consider both conditions on heap, and the implicit condition $\alpha_{1}==\alpha_{2}$ on sequences. To decide whether the formula $(x_{1}|->\alpha_{1}*x_{2}|->\alpha_{2})\land(x_{1}|->\alpha_{3}*x_{2}|->\alpha_{4})\land x_{1}!=x_{2}$ is true, we need to consider the implicit condition $\alpha_{1}==\alpha_{3}\land\alpha_{2}==\alpha_{4}$ .
•

PSeqSL can describe some of the formulae consisting of existential quantifiers in SeqSL. The property $\mathtt{alloc}(x)\overset{\triangle}{=}\exists\alpha.\;x\hookrightarrow\alpha$ in SeqSL can be expressed in PSeqSL as:

$\displaystyle\mathtt{alloc}(x)\overset{\triangle}{=}(x|->\mathbf{nil})-*\mathbf{false}.$

We prove Theorem IV.1 following these three steps:

1.

prove the following problem is decidable: given the formula $\varphi$ in PSeqSL, and a part of the model $s_{x},h$ , decide whether there exists $s_{\alpha}$ , such that $(s_{x},s_{\alpha},h)|=\varphi$ .
2.

prove the following problem is decidable: given the formula $\varphi$ in PSeqSL, and a part of the model $s_{x}$ , decide whether there exists $s_{\alpha},h$ , such that $(s_{x},s_{\alpha},h)|=\varphi$ .
3.

prove the following problem is decidable: given the formula $\varphi$ in PSeqSL, decide whether there exists $s_{x},s_{\alpha},h$ , such that $(s_{x},s_{\alpha},h)|=\varphi$ . (Theorem IV.1)

The first step is the main part of the proof. The result on the fragment without separating implications is trivial, because the finiteness of $h$ leads to finite possibilities of models satisfying the formula $\varphi$ .

Similar to the paper [13], we define the size of the formula $\varphi$ as $\mathtt{sz}(\varphi)$ to represent the maximum heap size for deciding whether the formula $\varphi$ is true or its negation is true.

Definition IV.1 (Size of formula)

The size of the formula $\varphi$ , $\mathtt{sz}(\varphi)$ can be inductively defined as follows:

$\mathtt{sz}(t_{x_{1}}=t_{x_{2}})=0$	$\mathtt{sz}(t_{\alpha_{1}}==t_{\alpha_{2}})=0$
$\mathtt{sz}(\mathbf{false})=0$	$\mathtt{sz}(\mathbf{emp})=1$
$\mathtt{sz}(x\|->t_{\alpha})=1$	$\mathtt{sz}(\varphi_{1}-*\varphi_{2})=\mathtt{sz}(\varphi_{2})$
$\mathtt{sz}(\varphi_{1}=>\varphi_{2})=\mathtt{max}(\mathtt{sz}(\varphi_{1}),\mathtt{sz}(\varphi_{2}))$
$\mathtt{sz}(\varphi_{1}*\varphi_{2})=\mathtt{sz}(\varphi_{1})+\mathtt{sz}(\varphi_{2})$ .

We define free program variables as follows.

Definition IV.2 (Free program variables in PSeqSL)

In PSeqSL, free program variables $\mathrm{FV}_{t,x}(t_{x})$ in the term $t_{x}$ and free program variables $\mathrm{FV}_{t,x}(t_{\alpha})$ in the term $t_{\alpha}$ can be inductively defined as follows:

$\mathrm{FV}_{t,x}(\mathbf{nil})=\{\}$	$\mathrm{FV}_{t,x}(\#)=\{\}$	$\mathrm{FV}_{t,x}(x)=\{x\}$
$\mathrm{FV}_{t,x}(\alpha)=\{\}$	$\mathrm{FV}_{t,x}(\varepsilon)=\{\}$
$\mathrm{FV}_{t,x}(t_{\alpha_{x_{1}}}\circ t_{\alpha_{x_{2}}})=\mathrm{FV}_{t,x}(t_{\alpha_{x_{1}}})\cup\mathrm{FV}_{t,x}(t_{\alpha_{x_{2}}})$ .

Free program variables $\mathrm{FV}_{x}(\varphi)$ in the formula $\varphi$ can be inductively defined as follows:

	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(t_{x_{1}}=t_{x_{2}})=\mathrm{FV}_{t,x}(t_{x_{1}})\cup\mathrm{FV}_{t,x}(t_{x_{2}})$
	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(t_{\alpha_{1}}==t_{\alpha_{2}})=\mathrm{FV}_{t,x}(t_{\alpha_{1}})\cup\mathrm{FV}_{t,x}(t_{\alpha_{2}})$
	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(\mathbf{false})=\{\}$
	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(\varphi_{1}=>\varphi_{2})=\mathrm{FV}_{x}(\varphi_{1})\cup\mathrm{FV}_{x}(\varphi_{2})$
	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(\mathbf{emp})=\{\}$
	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(x\|->t_{\alpha})=\{x\}\cup\mathrm{FV}_{t,x}(t_{\alpha})$
	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(\varphi_{1}*\varphi_{2})=\mathrm{FV}_{x}(\varphi_{1})\cup\mathrm{FV}_{x}(\varphi_{2})$
	$\displaystyle\mathrm{FV}_{x}$	$\displaystyle(\varphi_{1}-*\varphi_{2})=\mathrm{FV}_{x}(\varphi_{1})\cup\mathrm{FV}_{x}(\varphi_{2}).$

We define the set of sequence terms to collect the terms appearing in the formula. It helps us to get a finite set of all possible heap models which may satisfy the formula.

Definition IV.3 (Set of sequence terms)

The set of sequence terms $\mathtt{SeqTerms}(\varphi)$ appearing in the formula $\varphi$ can be inductively defined as:

	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(t_{l_{1}}=t_{l_{2}})=\{t_{l_{1}},t_{l_{2}}\}$
	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(t_{\alpha_{1}}==t_{\alpha_{2}})=\{t_{\alpha_{1}},t_{\alpha_{2}}\}$
	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(\mathbf{false})=\{\}$
	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(\mathbf{emp})=\{\}$
	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(x\|->t_{\alpha})=\{x,t_{\alpha}\}$
	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(\varphi_{1}=>\varphi_{2})=\mathtt{SeqTerms}(\varphi_{1})\cup\mathtt{SeqTerms}(\varphi_{2})$
	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(\varphi_{1}*\varphi_{2})=\mathtt{SeqTerms}(\varphi_{1})\cup\mathtt{SeqTerms}(\varphi_{2})$
	$\displaystyle\mathtt{SeqTerms}$	$\displaystyle(\varphi_{1}-*\varphi_{2})=\mathtt{SeqTerms}(\varphi_{1})\cup\mathtt{SeqTerms}(\varphi_{2}).$

Separating implication involves universal quantifiers over heaps. The paper [13] presents a solution on searching all possible models of the formula in the classical $\Sigma_{1}$ separation logic fragment. They restrict the domain and the range of the heap $h$ to finite sets. To deal with sequences, we come up with a different restriction on the range of $h$ . The range of $h$ involves the set of all sequence terms appearing in the formula, empty sequence $\varepsilon$ , and a fresh sequence term whose value is different from all sequence terms in the formula. Thus, universal quantifiers over heaps can be reduced to those over finite heaps. The reduction preserves satisfiability.

We present the following lemma to show small model property on the formula $\varphi_{1}-*\varphi_{2}$ .

Lemma IV.1

Given the model $\sigma=(s_{x},s_{\alpha},h)$ and formulae $\varphi,\;\varphi_{1}\text{ and }\varphi_{2}$ satisfying $\varphi=\varphi_{1}-*\varphi_{2}$ , the set $L=\mathrm{FV}_{x}(\varphi_{1})\cup\mathrm{FV}_{x}(\varphi_{2})$ , the set $B$ which contains the first $\mathtt{max}(\mathtt{sz}(\varphi_{1}),\mathtt{sz}(\varphi_{2}))$ values in $\mathrm{Loc}\setminus(\mathtt{dom}(h)\cup s(L))$ , the fresh sequence variable $\overline{\beta}$ satisfying $|[\overline{\beta}|]\sigma^{\prime}\notin\{|[t_{\alpha}|]\sigma^{\prime}\mid t_{\alpha}\in\mathtt{SeqTerms}(\alpha)\}$ . We define $\sigma^{\prime}=(s_{x},s_{\alpha}^{\prime},h)$ where $s_{\alpha}^{\prime}$ contains a new assignment for $\overline{\beta}$ . Let $\mathcal{D}=B\cup s(L)$ , and $\mathcal{R}=\{|[t_{\alpha}|]\sigma^{\prime}\mid t_{\alpha}\in\mathtt{SeqTerms}(\varphi)\}\cup\{\varepsilon,|[\overline{\beta}|]\sigma^{\prime}\}$ . Then, $(s_{x},s_{\alpha},h)|=\varphi_{1}-*\varphi_{2}$ holds, if and only if for all $h^{\prime}$ satisfying:

•

$\mathtt{dom}(h^{\prime})\cap\mathtt{dom}(h)=\varnothing$ and $(s_{x},s_{\alpha}^{\prime},h^{\prime})|=\varphi_{1}$ ,
•

$\mathtt{dom}(h^{\prime})\subseteq\mathcal{D}$ ,
•

$\mathtt{rng}(h^{\prime})\subseteq\mathcal{R}$ ,

the proposition $(s_{x},s_{\alpha}^{\prime},h\uplus h^{\prime})|=\varphi_{2}$ holds, where $\mathtt{rng}(h^{\prime})$ denotes the range of $h^{\prime}$ .

According to Lemma IV.1, we define the reduction function as follows.

Definition IV.4

The reduction function $T(s_{x},h,\varphi)$ is a mapping from stack $s_{x}$ , heap $h$ , and the PSeqSL formula $\varphi$ , to the formula in $\Sigma_{1}$ sequence predicate logic. The reduction can be inductively defined in Fig. (3), \stripsep+2pt

	$\displaystyle T(s_{x},h,t_{x_{1}}=t_{x_{2}})$	$\displaystyle\quad\overset{\triangle}{=}\quad t_{x_{1}}==t_{x_{2}}$
	$\displaystyle T(s_{x},h,t_{\alpha_{1}}==t_{\alpha_{2}})$	$\displaystyle\quad\overset{\triangle}{=}\quad t_{\alpha_{1}}==t_{\alpha_{2}}$
	$\displaystyle T(s_{x},h,\mathbf{false})$	$\displaystyle\quad\overset{\triangle}{=}\quad\mathbf{false}$
	$\displaystyle T(s_{x},h,\varphi_{1}=>\varphi_{2})$	$\displaystyle\quad\overset{\triangle}{=}\quad T(s_{x},h,\varphi_{1})=>T(s_{x},h,\varphi_{2})$
	$\displaystyle T(s_{x},h,\mathbf{emp})$	$\displaystyle\quad\overset{\triangle}{=}\quad\mathtt{dom}(h)=\varnothing$
	$\displaystyle T(s_{x},h,x\|->t_{\alpha})$	$\displaystyle\quad\overset{\triangle}{=}\quad\mathtt{dom}(h)=\{s_{x}(x)\}\land s_{x}(x)\notin\mathrm{Atom}\land h(s_{x}(x))==t_{\alpha}$
	$\displaystyle T(s_{x},h,\varphi_{1}*\varphi_{2})$	$\displaystyle\quad\overset{\triangle}{=}\quad\bigvee_{h=h_{1}\uplus h_{2}}(T(s_{x},h_{1},\varphi_{1})\land T(s_{x},h_{2},\varphi_{2}))$
	$\displaystyle T(s_{x},h,\varphi_{1}-*\varphi_{2})$	$\displaystyle\quad\overset{\triangle}{=}\quad\bigwedge_{\mbox{ \tiny$\begin{array}[]{c}\mathtt{dom}(h_{\varphi})\cap\mathtt{dom}(h)=\varnothing\\ \mathtt{dom}(h_{\varphi})\subseteq\mathcal{D}\\ \mathtt{rng}(h_{\varphi})\subseteq\mathcal{R}\end{array}$ }}(T(s_{x},h_{\varphi},\varphi_{1})=>T(s_{x},h_{\varphi}\uplus h,\varphi_{2})),$

Figure 3: The reduction function

T(s_{x},h,\varphi)

where $\varphi=\varphi_{1}-*\varphi_{2}$ .

Given $s_{x}$ and $h$ , the formula $T(s_{x},h,\varphi_{1}*\varphi_{2})$ consists of finitely many terms of the form $T(s_{x},h,\varphi)$ , because the implicit existential quantifier in separating conjunction does not create new heaps. The formula $T(s_{x},h,\varphi_{1}-*\varphi_{2})$ also consists of finitely many terms of the form $T(s_{x},h,\varphi)$ according to Lemma IV.1. Moreover, the truth values of the following three formulae $\mathtt{dom}(h)=\varnothing$ , $\mathtt{dom}(h)={s_{x}(x)}$ , and $s_{x}(x)\notin\mathrm{Atom}$ can be determined, as well as the value of $h(s_{x}(x))$ (which is a sequence). So $T(s_{x},h,\varphi)$ consists of only $t_{\alpha_{1}}==t_{\alpha_{2}}$ and its conjunctions, disjunctions and negations. It can be further reduced to a single word equation followed by Theorem II.1. PSeqSL is thus reduced to the satisfiability problem of $\Sigma_{1}$ sequence predicate logic. The $\Sigma_{1}$ fragment of sequence predicate logic is shown to be decidable in [19].

Lemma IV.2

Given stack $s_{x}$ and heap $h$ . For all assignment $s_{\alpha}$ and formula $\varphi$ , the proposition $(s_{x},s_{\alpha},h)|=\varphi$ holds if and only if there exist assignments $(s_{x}^{\prime},s_{\alpha}^{\prime})$ , such that $(s_{x}^{\prime},s_{\alpha}^{\prime})|=T(s_{x},h,\varphi)$ holds, where $s_{x}^{\prime}$ and $s_{\alpha}^{\prime}$ are assignments of program variables and sequence variables respectively, $T(s_{x},h,\varphi)$ is the reduction from PSeqSL to $\Sigma_{1}$ sequence predicate logic defined by Definition IV.4.

Note that after doing reductions in Definition IV.4 and applying Theorem II.1, one can get a single word equation $U==V$ with constants ( $k$ contents for example) and sequence variables ( $k^{\prime}$ variables for example). It is easy to show the following fact: there is a solution for $U==V$ if and only if there is a solution for $U==V$ on the free monoid with $k+k^{\prime}$ generators, where the first $k$ generators coincide with $k$ constants, and the other $k^{\prime}$ generators are fresh in $\mathbb{N}$ .

To give readers some intuitions for Lemma IV.2, we list two examples below.

Example IV.1

Consider whether the formula $\varphi=(x_{1}|->\alpha_{1}\circ x_{3})*\big{(}(x_{1}|->\alpha_{1}\lor x_{1}|->\alpha_{2})-*(x_{1}|->\alpha_{2}*x_{2}|->\alpha_{3})\big{)}$ can be satisfied, given the stack satisfying $\{(x_{1},n_{1}),(x_{2},n_{2}),(x_{3},n_{3})\}\subseteq s$ where $n_{1},n_{2}$ and $n_{3}$ are distinct integer numbers and the heap $h=\{(n_{1},n_{1}\circ n_{3}),(n_{2},n_{2}\circ n_{3})\}$ . The assignment $s_{\alpha}$ is pending.

Suppose $\varphi=\varphi_{1}*\varphi_{2}$ , where $\varphi_{1}=x_{1}|->\alpha_{1}\circ x_{3}$ , $\varphi_{2}=(x_{1}|->\alpha_{1}\lor x_{1}|->\alpha_{2})-*(x_{1}|->\alpha_{2}*x_{2}|->\alpha_{3})$ . We have the formula in Fig. (4).

\stripsep

+0.5em

	$\displaystyle T(s_{x},h,\varphi)\quad=\quad$	$\displaystyle\bigvee_{h=h_{1}\uplus h_{2}}(T(s_{x},h_{1},\varphi_{1})\land T(s_{x},h_{2},\varphi_{2}))$
	$\displaystyle\quad=\quad$	$\displaystyle\;\big{(}T(s_{x},\{\},\varphi_{1})\land T(s_{x},\{(n_{1},n_{1}\circ n_{3}),(n_{2},n_{2}\circ n_{3})\},\varphi_{2})\big{)}$
		$\displaystyle\lor\big{(}T(s_{x},\{(n_{1},n_{1}\circ n_{3})\},\varphi_{1})\land T(s_{x},\{(n_{2},n_{2}\circ n_{3})\},\varphi_{2})\big{)}$
		$\displaystyle\lor\big{(}T(s_{x},\{(n_{2},n_{2}\circ n_{3})\},\varphi_{1})\land T(s_{x},\{(n_{1},n_{1}\circ n_{3})\},\varphi_{2})\big{)}$
		$\displaystyle\lor\big{(}T(s_{x},\{(n_{1},n_{1}\circ n_{3}),(n_{2},n_{2}\circ n_{3})\},\varphi_{1})\land T(s_{x},\{\},\varphi_{2})\big{)}$
	$\displaystyle\quad=\quad$	$\displaystyle\;T(s_{x},\{(n_{1},n_{1}\circ n_{3})\},\varphi_{1})\land T(s_{x},\{(n_{2},n_{2}\circ n_{3})\},\varphi_{2}).$

Figure 4: Construction in Example 1

Suppose $\varphi_{2}=\varphi_{21}-*\varphi_{22}$ , where $\varphi_{21}=x_{1}|->\alpha_{1}\lor x_{1}|->\alpha_{2}$ , and $\varphi_{22}=x_{1}|->\alpha_{2}*x_{2}|->\alpha_{3}$ . We have:

		$\displaystyle T(s_{x},\{(n_{2},n_{2}\circ n_{3})\},\varphi_{2})$
	$\displaystyle=$	$\displaystyle\bigwedge_{\mbox{ \tiny$\begin{array}[]{c}\mathtt{dom}(h_{\varphi_{2}})\cap\{n_{2}\}=\varnothing\\ \mathtt{dom}(h_{\varphi_{2}})\subseteq\mathcal{D}\\ \mathtt{rng}(h_{\varphi_{2}})\subseteq\mathcal{R}\end{array}$ }}\bigl{(}T(s_{x},h_{\varphi_{2}},\varphi_{21})$
		$\displaystyle=>T(s_{x},h_{\varphi_{2}}\uplus\{(n_{2},n_{2}\circ n_{3})\},\varphi_{22})\bigr{)},$

where

	$\displaystyle\mathcal{D}$	$\displaystyle=B\;\cup\;\{n_{1},n_{2},n_{3}\},\quad B=\{m_{1},m_{2},m_{3}\},$
	$\displaystyle\mathcal{R}$	$\displaystyle=\{\|[\alpha_{1}\circ x_{3}\|]\sigma^{\prime},\|[\alpha_{1}\|]\sigma^{\prime},\|[\alpha_{2}\|]\sigma^{\prime},\|[\alpha_{3}\|]\sigma^{\prime}\}\cup\{\varepsilon,\|[\overline{\beta}\|]\sigma^{\prime}\},$

and $m_{1},m_{2},m_{3}$ are the first three values in $\mathrm{Loc}\setminus(\mathtt{dom}(h)\cup s(L))$ , the term $\overline{\beta}$ satisfies:

\displaystyle|[\overline{\beta}|]\sigma^{\prime}\notin\{|[\alpha_{1}\circ x_{3}|]\sigma^{\prime},|[\alpha_{1}|]\sigma^{\prime},|[\alpha_{2}|]\sigma^{\prime},|[\alpha_{3}|]\sigma^{\prime}\}.

The domain $\mathtt{dom}(h_{\varphi_{2}})$ consists of many finite possibilities. However, there are only two possibilities $h_{\varphi_{2}}=\{(n_{1},s_{\alpha}^{\prime}(\alpha_{1}))\}$ and $h_{\varphi_{2}}=\{(n_{1},s_{\alpha}^{\prime}(\alpha_{2}))\}$ which may satisfy the formula. So,

		$\displaystyle T(s_{x},\{(n_{2},n_{2}\circ n_{3})\},\varphi_{2})$
	$\displaystyle=$	$\displaystyle\;(T(s_{x},\{(n_{1},s_{\alpha}^{\prime}(\alpha_{1})\},\varphi_{21})$
		$\displaystyle=>T(s_{x},\{(n_{1},s_{\alpha}^{\prime}(\alpha_{1})),(n_{2},n_{2}\circ n_{3})\},\varphi_{22}))$
		$\displaystyle\land(T(s_{x},\{(n_{1},n_{2}\circ n_{3})\},\varphi_{21})$
		$\displaystyle=>T(s_{x},\{(n_{1},n_{2}\circ n_{3}),(n_{2},n_{2}\circ n_{3})\},\varphi_{22}))$
	$\displaystyle=$	$\displaystyle\;T(s_{x},\{(n_{1},s_{\alpha}^{\prime}(\alpha_{1})),(n_{2},n_{2}\circ n_{3})\},\varphi_{22})$
		$\displaystyle\land T(s_{x},\{(n_{1},n_{2}\circ n_{3}),(n_{2},n_{2}\circ n_{3})\},\varphi_{22}).$

Similarly, we discuss possibilities of models satisfying the formula $\varphi_{22}$ . Then we have:

		$\displaystyle T(s_{x},\{(n_{1},s_{\alpha}^{\prime}(\alpha_{1})),(n_{2},n_{2}\circ n_{3})\},\varphi_{22})$
	$\displaystyle=\quad$	$\displaystyle\alpha_{1}==\alpha_{2}\land n_{2}\circ n_{3}==\alpha_{3},$
		$\displaystyle T(s_{x},\{(n_{1},n_{2}\circ n_{3}),(n_{2},n_{2}\circ n_{3})\},\varphi_{22})$
	$\displaystyle=\quad$	$\displaystyle\alpha_{2}==\alpha_{2}\land n_{2}\circ n_{3}==\alpha_{3}.$

So,

		$\displaystyle T(s_{x},h,\varphi)$
	$\displaystyle=\quad$	$\displaystyle(n_{1}\circ n_{3}==\alpha_{1}\circ n_{3})\land(\alpha_{1}==\alpha_{2}\land n_{2}\circ n_{3}==\alpha_{3})$
		$\displaystyle\land(\alpha_{2}==\alpha_{2}\land n_{2}\circ n_{3}==\alpha_{3}).$

We observe that $T(s_{x},h,\varphi)$ can be satisfied. Hence given $s_{x},h$ , there exists $s_{\alpha}$ such that $(s_{x},s_{\alpha},h)|=\varphi$ holds.

Example IV.2

Consider whether the formula $\varphi=x_{1}|->\alpha_{1}\circ x_{3}\land\big{(}(x_{2}|->\alpha_{1}\lor x_{2}|->\alpha_{2})-*(x_{1}|->\alpha_{1}*x_{2}|->\alpha_{3})\big{)}$ can be satisfied, given $s=\{(x_{1},n_{1}),(x_{2},n_{2}),(x_{3},n_{3})\},h=\{(x_{1},n_{1}\circ n_{3})\}$ .

Following definition Definition 4.4, we have:

		$\displaystyle T(s_{x},h,\varphi)$
	$\displaystyle=\quad$	$\displaystyle n_{1}\circ n_{3}==\alpha_{1}\circ n_{3}\land\big{(}(\alpha_{1}==\alpha_{3}\land\alpha_{1}==n_{1}\circ n_{3})$
		$\displaystyle\land(\alpha_{2}==\alpha_{3}\land\alpha_{1}==n_{1}\circ n_{3})\big{)}.$

We observe that $T(s_{x},h,\varphi)$ cannot be satisified. Hence given $s_{x},h$ , there does not exist $s_{\alpha}$ such that $(s_{x},s_{\alpha},h)|=\varphi$ holds. We omit the details here.

For the second step of the proof, heap $h$ is not given beforehand. The satisfiability problem of the formula in PSeqSL can be reduced to the problem in the first step by the following lemma.

Lemma IV.3

Given stack $s_{x}$ and the PSeqSL formula $\varphi$ , the following problem is decidable: whether there exists $s_{\alpha}$ and $h$ such that $(s_{x},s_{\alpha},h)|=\varphi$ .

The above problem is equivalent to the following problem: given $s_{x}$ , whether there exists $s_{\alpha}$ such that $(s_{x},s_{\alpha},\{\})|=\varphi\mathrel{\sepimp\mkern-15.0mu^{\lnot}}\mathbf{true}$ holds. Thus we can conclude Lemma IV.3.

For the third step, stack $s_{x}$ is not given. Similar to the paper[13], we need to figure out a finite range of $s_{x}$ , such that the formula is true on the range if and only if the formula is true on infinite range of $s_{x}$ .

Definition IV.5

Given two models $(s_{x},s_{\alpha},h),(s_{x}^{\prime},s_{\alpha}^{\prime},h^{\prime})$ , the set $P\subseteq\mathrm{PVar}$ , and the set $S\subseteq\mathrm{SVar}$ . The relation $(s_{x},s_{\alpha},h)\approx_{P}(s_{x}^{\prime},s_{\alpha}^{\prime},h^{\prime})$ holds, if and only if there exists an isomorphism $r:\;(\mathrm{Loc}^{*},\circ)->(\mathrm{Loc}^{*},\circ)$ , such that the following conditions are satisfied:

•

for each $\alpha_{1},\alpha_{2}\in S$ , we have $r(s_{\alpha}(\alpha_{1})\circ s_{\alpha}(\alpha_{2}))=r(s_{\alpha}(\alpha_{1}))\circ r(s_{\alpha}(\alpha_{2}))$ ,
•

$r(\mathbf{nil})=\mathbf{nil}$ , $r(\#)=\#$ , and for each $x\in P$ , we have $r(s_{x}(x))=s_{x}^{\prime}(x)$ ,
•

for each $x\in P$ , we have $r(h(x))=h^{\prime}(r(x))$ ,
•

for each $\alpha\in S$ , we have $r(s_{\alpha}(\alpha))=s_{\alpha}^{\prime}(\alpha)$ .

Proposition IV.1

Given two models $(s_{x},s_{\alpha},h),(s_{x}^{\prime},s_{\alpha}^{\prime},h^{\prime})$ , and the formula $\varphi$ satisfying $(s_{x},s_{\alpha},h)\approx_{\mathrm{FV}_{x}(\varphi)}(s_{x}^{\prime},s_{\alpha}^{\prime},h^{\prime})$ . If $(s_{x},s_{\alpha},h)|=\varphi$ , then $(s_{x}^{\prime},s_{\alpha}^{\prime},h^{\prime})|=\varphi$ .

Lemma IV.4

Given the model $(s_{x},s_{\alpha},h)$ and the formula $\varphi$ . Let $B$ be the first $|\mathrm{FV}_{x}(\varphi)|$ locations in $\mathrm{Loc}$ . There exists $(s_{x}^{\prime},s_{\alpha}^{\prime},h^{\prime})$ such that $s_{x}^{\prime}(\mathrm{PVar}\setminus\mathrm{FV}_{x}(\varphi))\subseteq\{\mathbf{nil},\#\},s_{x}^{\prime}(\mathrm{FV}_{x}(\varphi))\subseteq B\cup\{\mathbf{nil},\#\}$ , and $(s_{x},s_{\alpha},h)\approx_{\mathrm{FV}_{x}(\varphi)}(s_{x}^{\prime},s_{\alpha}^{\prime},h^{\prime})$ .

With Lemmas IV.2, IV.3 and IV.4, we can conclude that the satisfiability problem of PSeqSL is decidable, that is Theorem IV.1 holds.

As we know, the truth of $\Sigma_{1}$ fragment of sequence predicate logic is decidable[19]. As the fragment consists of negations without any restrictions, there is a one-to-one mapping from instances in $\Sigma_{1}$ fragment of sequence predicate logic and those in $\Pi_{1}$ fragment of sequence predicate logic. Thus we have Corollary IV.1.

Corollary IV.1

The theory of $\Pi_{1}$ fragment of sequence predicate logic is decidable.

The proof of Theorem IV.1 shows that PSeqSL has small model property. The satisfiability of a formula in PseqSL can be reduced to that of the formula with finite length in $\Sigma_{1}$ fragment sequence logic. According to small model property of PSeqSL and Corollary IV.1, we have Corollary IV.2.

Corollary IV.2

The satisfiability and validity problem of $\Pi_{1}$ fragment of PSeqSL is decidable, where $\Pi_{1}$ fragment of PSeqSL is of the form $\forall_{x}^{*}\forall_{\alpha}^{*}.\varphi$ , and $\varphi$ is quantifier-free.

V Undecidable fragments

In this section, we mainly focus on an undecidable fragment of the form $(\forall_{x}^{*}\forall_{\alpha}^{*}\cap\forall_{x}^{*}\exists_{x}^{*}\exists_{\alpha}^{*})\text{SeqSL}(*)$ . It is the conjunction of formula in $(\forall_{x}^{*}\forall_{\alpha}^{*})\text{SeqSL}(*)$ and formula $(\forall_{x}^{*}\exists_{x}^{*}\exists_{\alpha}^{*})\text{SeqSL}(*)$ , where $\exists_{\alpha}^{*}$ denotes there are 0 or more existential quantifiers over sequence variables, and $\exists_{x}^{*}$ denotes there are 0 or more existential quantifiers over program variables. The meaning of $\forall_{\alpha}^{*}$ and $\forall_{\alpha}^{*}$ are similar. We present the following main result of this section.

Theorem V.1 (Undecidable fragment of SeqSL)

The satisfiability problem of the language is undecidable when it is restricted as follows:

	$\displaystyle t_{x}\quad::=\quad$	$\displaystyle\mathbf{nil}\mid\#\mid x$
	$\displaystyle t_{\alpha}\quad::=\quad$	$\displaystyle\varepsilon\mid t_{x}\mid\alpha\mid t_{\alpha}\circ t_{\alpha}$
	$\displaystyle\psi\quad::=\quad$	$\displaystyle t_{x}=t_{x}\mid t_{\alpha}==t_{\alpha}\mid x\hookrightarrow t_{\alpha}\mid\mathbf{false}\mid\psi=>\psi$
		$\displaystyle\mid\mathbf{emp}\mid\psi*\psi$
	$\displaystyle\varphi\quad::=\quad$	$\displaystyle\forall_{x}^{}\forall_{\alpha}^{}.\psi\land\forall_{x}^{}\exists_{x}^{}\exists_{\alpha}^{*}.\psi,$

where $\varphi$ is a sentence.

The model of the fragment is defined in Definition III.2.

We reduce the problem from halting problem of two-counter Minsky machine. Before getting into details of the reduction, we recall the definition of two-counter Minsky machine.

Definition V.1 (Two-counter Minsky machine)

Let $M$ be a Minsky machine with $n>=1$ instructions. The machine $M$ has two counters $C_{1}$ and $C_{2}$ . The instructions are defined as follows:

1.

$I:\;C_{j}:=C_{j}+1;$ goto $k$ ,
2.

$I:$ if $C_{j}=0$ , then goto $k_{1}$ , else ( $C_{j}:=C_{j}-1$ ; goto $k_{2}$ ),
3.

$n:$ halt,

where $j\in[1,2],\;I\in[1,n-1],$ and $k,k_{1},k_{2}\in[1,n]$ . Machine $M$ halts if there is a run of the form

\displaystyle(I_{0},c_{0}^{1},c_{0}^{2}),\;(I_{1},c_{1}^{1},c_{1}^{2}),\dots,(I_{m},c_{m}^{1},c_{m}^{2}),

such that $(I_{i},c_{i}^{1},c_{i}^{2})\in[1,n]\times\mathbb{N}^{2}\;(i\in[1,m])$ , $I_{0}=1,\;I_{m}=n$ , and $c_{0}^{1}=c_{0}^{2}=0$ . The run follows the instructions defined above.

The set of instructions with type 1 (denoted by $\mathcal{I}_{1}$ ) consists of tuples $(k_{0},c_{j},c_{j}^{\prime},k)$ , and those with type 2 (denoted by $\mathcal{I}_{2}$ ) consists of tuples $(k_{0},c_{j},c_{j}^{\prime},k_{1},k_{2})$ , where $k_{0}$ denotes the current pointer, $c_{j},c_{j}^{\prime}\in[1,2]$ denote two counters ( $c_{j}!=c_{j}^{\prime}$ ), and $k,k_{1},k_{2}$ denote the next pointers.

The problem of deciding whether a machine $M$ halts is known to be undecidable[28].

We first show the undecidable fragment defined in Theorem V.1 is not that easy to get. In general, decidability results of both sequence logic fragments and separation logic fragments restrict the form of undecidable fragments of SeqSL.

Decidability results in free semigroup show that, the theory of $\Sigma_{2}$ fragment[21], the positive theory of $\Pi_{2}$ fragment[20] and $\Sigma_{3}$ fragment[20] of word equations are undecidable. The results in separation logic show that, the satisfiability problem of $\Sigma_{3}$ fragment of separation logic is undecidable. In this case, We can get V.1.

Fact V.1

In the fragment of SeqSL with prenex normal form, if there are 3 or more alternations of quantifiers over program variables, or 2 or more over sequence variables, then the satisfiability problems of resulting fragments are undecidable. For instance, the satisfiability problems of $(\exists_{x}^{*}\exists_{\alpha}^{*}\forall_{\alpha}^{*})\mathrm{SeqSL}$ , $(\exists_{x}^{*}\forall_{\alpha}^{*}\exists_{x}^{*})\mathrm{SeqSL}$ , $(\exists_{x}^{*}\forall_{x}^{*}\forall_{\alpha}^{*}\exists_{x}^{*})\mathrm{SeqSL}$ are undecidable.

In order to get a non-trivial undecidable fragment of SeqSL with negations, we have to restrict the alternations of quantifiers over program variables to be less than 3, and those over sequence variables to be less than 2.

To prove Theorem V.1, we first discuss the encoding of the reduction. The general structure is sapling, which is shown in Fig. (5).

We consider the encoding for sapling. Sapling is a fishbone-like structure with ’bones’ going in opposite directions. Sapling consists of a master branch and several slave branches attached to nodes in the master branch. The depth of each slave branch is 1, and the end points of them does not point to any nodes in master branch. Similar to the encoding for the list $x\overset{\circlearrowleft}{\longrightarrow}^{+}y$ defined in [12] and fishbone heap defined in [16], we encode the sapling in the following ways:

1.

There are smaller or equal than 1 predecessor of each node. It is denoted by the formula $\varPsi_{1}$ ,
2.

There is no predecessor on the first master node. It is denoted by the formula $\varPsi_{2}$ ,
3.

The first master node is allocated, and the last node does not point to the next master node. It is denoted by the formula $\varPsi_{3}$ (it is not necessary to make the predecessor of the last node to be 1),
4.

For each node except for the last node, there is another allocated node which follows the node. It is denoted by the formula $\varPsi_{4}$ .

The sapling from node $x_{0}$ to node $x_{0}^{\prime}$ (assume here that $x_{0}!=x_{0}^{\prime}$ ) can be expressed by

\displaystyle\mathtt{sapling}(x_{0},x_{0}^{\prime})

\displaystyle\overset{\triangle}{=}\varPsi_{1}\land\varPsi_{2}\land\varPsi_{3}\land\varPsi_{4}.

(7)

where $\varPsi_{1},\varPsi_{2},\varPsi_{3}$ , and $\varPsi_{4}$ are defined in Fig. (4).

\stripsep

+0.5em

	$\displaystyle\varPsi_{1}$	$\displaystyle\quad\overset{\triangle}{=}\quad\forall_{x}x_{1}\forall_{x}x_{2}\forall_{x}x_{3}\forall_{x}x_{4}\forall_{\alpha}\alpha_{1}\forall_{\alpha}\alpha_{2}.\;(x_{1}\hookrightarrow x_{3}\circ\alpha_{1}*x_{2}\hookrightarrow x_{4}\circ\alpha_{2}=>x_{3}!=x_{4})$
	$\displaystyle\varPsi_{2}$	$\displaystyle\quad\overset{\triangle}{=}\quad\forall_{x}x_{1}\forall_{\alpha}\alpha.\;\lnot(x_{1}\hookrightarrow x_{0}\circ\alpha)$
	$\displaystyle\varPsi_{3}$	$\displaystyle\quad\overset{\triangle}{=}\quad(\exists_{x}x_{1}.\;x_{0}\hookrightarrow x_{1}\circ\varepsilon)\land(\exists_{\alpha}\alpha.\;x_{0}^{\prime}\hookrightarrow\varepsilon\circ\alpha)$
	$\displaystyle\varPsi_{4}$	$\displaystyle\quad\overset{\triangle}{=}\quad\forall_{x}x_{1}\forall_{x}x_{2}\exists_{x}x_{3}\exists_{\alpha}\alpha_{1}\exists_{\alpha}\alpha_{2}.\;\bigl{(}(x_{1}\hookrightarrow x_{2}\circ\alpha_{1}\land x_{2}!=x_{0}^{\prime})=>x_{2}\hookrightarrow x_{3}\circ\alpha_{2}\bigr{)}.$

Figure 6: Definition of

\varPsi_{1},\varPsi_{2},\varPsi_{3}

, and

\varPsi_{4}

It can be easily shown that the predicate $\mathtt{sapling}(x_{0},x_{0}^{\prime})$ is of the form $(\forall_{x}^{*}\forall_{\alpha}^{*}\cap\forall_{x}^{*}\exists_{x}^{*}\exists_{\alpha}^{*})\varPsi$ .

Note that the encoding in Equation 7 is just a general idea. It does not prevent contents in slave nodes from pointing to other nodes. However, this does not have impacts on the main result, because these contents only consist of $\mathbf{nil}$ which will be shown in Equation 8.

Note also that the predicate $\mathtt{Sapling}$ not only encodes the graph consisting of only one sapling, but also graphs consisting of both one sapling and circles. It is not necessary to remove all these circles, because it does not have impacts on correctness of the reduction. It is shown in Lemma V.1.

Lemma V.1

Given the predicate $\mathtt{sapling}(x_{0},x_{0}^{\prime})$ defined in Equation 7, it can be satisfied by a model $\sigma$ if and only if there exists a model $\sigma^{\prime}$ that satisfies $\mathtt{sapling}(x_{0},x_{0}^{\prime})$ , and there are no circles in $\sigma^{\prime}$ .

The proof of Lemma V.1 can be found in Appendix. Now we prove Theorem V.1.

Proof:

We go into details of the reduction, which is shown in Fig. (7).

The master branch is the longest path from the beginning master node to the end master node. Each master node points to 0 or more slave nodes $\mathbf{nil}^{*}$ . The master nodes have the period of 4. Each period represents a state of the run. In the $i$ -th period ( $1<=i<=m$ ), the first master node represents a deliminator which separates each state of the run. There is no slave node attached to it. The second to the fourth master nodes represent the $i$ -th triple $(I,C_{1},C_{2})$ satisfying $I=k_{i},\;C_{1}=c_{i}^{1}+1,\text{ and }C_{2}=c_{i}^{2}+1$ . The slave nodes pointed from these 3 nodes are $\mathbf{nil}^{k_{i}},\;\mathbf{nil}^{c_{i}^{1}+1},\text{ and }\mathbf{nil}^{c_{i}^{2}+1}$ respectively. The first period represents the initial state, while the last represents the final state.

We observe that the values of two counters in the sapling are greater than the real values of the counters in the run by 1. It is because we need to distinguish these nodes from the first node of each period, to which there is no slave nodes attached.

In general, The reduction formula consists of the following three parts.

1.

Construct the basic structure of sapling, which is denoted by the formula $\varPhi_{1}=\forall_{x}^{*}\forall_{\alpha}^{*}.\varPhi_{1}^{\prime}$ .
2.

Initialize the initial and the final state, which is denoted by the formula $\varPhi_{2}=\exists_{x}^{*}\exists_{\alpha}^{*}.\varPhi_{2}^{\prime}$ .
3.

Encode the transition from one state to the other following the current instruction, which is denoted by the formula $\varPhi_{3}=\forall_{x}^{*}\exists_{x}^{*}\exists_{\alpha}^{*}.\varPhi_{3}^{\prime}$ .

The formula is of the form

	$\displaystyle\varPhi\quad=$	$\displaystyle\varPhi_{1}\land\varPhi_{2}\land\varPhi_{3}$		(8)
	$\displaystyle\quad=$	$\displaystyle\forall_{x}^{}\forall_{\alpha}^{}.\varPhi_{1}^{\prime}\land\exists_{x}^{}\exists_{\alpha}^{}.\varPhi_{2}^{\prime}\land\forall_{x}^{}\exists_{x}^{}\exists_{\alpha}^{*}.\varPhi_{3}^{\prime},$		(8)

\displaystyle\varPhi\quad=\quad\forall_{x}^{*}\forall_{\alpha}^{*}.\varPhi_{1}^{\prime}\land\forall_{x}^{*}\exists_{x}^{*}\exists_{\alpha}^{*}.(\varPhi_{2}^{\prime}\land\varPhi_{3}^{\prime}).

The detailed construction can be found in Appendix.

For each two-counter Minsky machine M, let $\varPhi$ be the formula of the form defined in Equation 8. If the machine M halts, then there is a finite run. It can be easily shown that there is a finite sapling from the first period encoding the first state to the final one encoding the final state, and each state except for the final state can be transformed to the next state by the corresponding instruction.

For the other side of the proof, we suppose that the formula $\varPhi$ of the form defined in Equation 8 is satisfied. The model $\sigma$ of $\varPhi$ may consist of circles. We can get a model $\sigma^{\prime}$ satisfying $\varPhi$ in which there is no circles according to Lemma V.1. ∎

VI Conclusion

In this paper, we propose sequence-heap separation logic which combines sequence predicate logic and separation logic. It is capable of describing the following properties which sequence predicate logic or separation logic alone cannot describe or cannot easily describe.

•

sequence operations in programs, such as list reversal, and lookups.
•

properties corresponding to variable-length sequences in programs, such as stack, queue, and graphs with unbounded out-degree.
•

multilevel data structures in programs, such as data structure in Windows storage systems, and in block-based cloud storage systems.

Besides, we find a boundary between decidable and undecidable SeqSL fragments, which are both of the prenex normal form. We prove the following two decidable results: the satisfiability problem of $\Sigma_{1}$ fragment and $\Pi_{1}$ fragment is decidable, and that of $(\forall_{x}^{*}\forall_{\alpha}^{*}\cap\forall_{x}^{*}\exists_{x}^{*}\exists_{\alpha}^{*})\text{SeqSL}(*)$ is undecidable. As corollaries, fragments with either 3 quantifier alternations over program variables or 2 quantifier alternations over sequence variables are undecidable.

We will do the following work in the future.

•

Find other boundaries between decidable and undecidable fragments of sequence-heap separation logic, such as boundaries on numbers of quantified variables, and on inductive predicates.
•

Investigate deeply on expressiveness of sequence-heap separation logic.
•

Construct a proof system for sequence-heap separation logic.
•

Implement formal verification tools for sequence-heap separation logic fragments.

References

[1] J. C. Reynolds, “Separation logic: A logic for shared mutable data structures,” in Proceedings 17th Annual IEEE Symposium on Logic in Computer Science (LICS). IEEE, 2002, pp. 55–74.
[2] M. J. Parkinson and G. M. Bierman, “Separation logic, abstraction and inheritance,” ACM SIGPLAN Notices, vol. 43, no. 1, pp. 75–86, 2008.
[3] K. Batz, B. L. Kaminski, J.-P. Katoen, C. Matheja, and T. Noll, “Quantitative separation logic: a logic for reasoning about probabilistic pointer programs,” Proceedings of the ACM on Programming Languages (POPL), vol. 3, no. POPL, pp. 1–29, 2019.
[4] B. Biering, L. Birkedal, and N. Torp-Smith, “Bi-hyperdoctrines, higher-order separation logic, and abstraction,” ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 29, no. 5, pp. 24–es, 2007.
[5] J. Brotherston, C. Fuhs, J. A. N. Pérez, and N. Gorogiannis, “A decision procedure for satisfiability in separation logic with inductive predicates,” in Proceedings of the Joint Meeting of the Twenty-Third EACSL Annual Conference on Computer Science Logic (CSL) and the Twenty-Ninth Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), 2014, pp. 1–10.
[6] C. Barrett, C. L. Conway, M. Deters, L. Hadarean, D. Jovanović, T. King, A. Reynolds, and C. Tinelli, “Cvc4,” in International Conference on Computer Aided Verification (CAV). Springer, 2011, pp. 171–177.
[7] M. Berzish, V. Ganesh, and Y. Zheng, “Z3str3: A string solver with theory-aware heuristics,” in 2017 Formal Methods in Computer Aided Design (FMCAD). IEEE, 2017, pp. 55–59.
[8] T. Kutsia and B. Buchberger, “Predicate logic with sequence variables and sequence function symbols,” in International Conference on Mathematical Knowledge Management (MKM). Springer, 2004, pp. 205–219.
[9] Z. Jin, B. Zhang, T. Cao, Y. Cao, and H. Wang, “Reasoning about block-based cloud storage systems via separation logic,” Theoretical Computer Science (TCS), vol. 936, pp. 43–76, 2022.
[10] S. Demri, É. Lozes, and A. Mansutti, “The effects of adding reachability predicates in propositional separation logic,” in International Conference on Foundations of Software Science and Computation Structures (FoSSaCS). Springer, 2018, pp. 476–493.
[11] J. Berdine, C. Calcagno, and P. W. O’hearn, “A decidable fragment of separation logic,” in International Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS). Springer, 2004, pp. 97–109.
[12] R. Brochenin, S. Demri, and E. Lozes, “On the almighty wand,” Information and Computation (IANDC), vol. 211, pp. 106–137, 2012.
[13] C. Calcagno, H. Yang, and P. W. O’hearn, “Computability and complexity results for a spatial assertion language for data structures,” in International Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS). Springer, 2001, pp. 108–119.
[14] A. Reynolds, R. Iosif, and C. Serban, “Reasoning in the bernays-schönfinkel-ramsey fragment of separation logic,” in International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI). Springer, 2017, pp. 462–482.
[15] S. Demri, D. Galmiche, D. Larchey-Wendling, and D. Méry, “Separation logic with one quantified variable,” Theory of Computing Systems, vol. 61, no. 2, pp. 371–461, 2017.
[16] S. Demri and M. Deters, “Two-variable separation logic and its inner circle,” ACM Transactions on Computational Logic (TOCL), vol. 16, no. 2, pp. 1–36, 2015.
[17] J. Pagel and F. Zuleger, “Strong-separation logic,” ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 44, no. 3, pp. 1–40, 2022.
[18] J. Karhumäki, F. Mignosi, and W. Plandowski, “The expressibility of languages and relations by word equations,” Journal of the ACM (JACM), vol. 47, no. 3, pp. 483–505, 2000.
[19] G. S. Makanin, “The problem of solvability of equations in a free semigroup,” Matematicheskii Sbornik, vol. 145, no. 2, pp. 147–236, 1977.
[20] V. G. Durnev, “Undecidability of the positive $\forall$ $\exists$ 3-theory of a free semigroup,” Siberian Mathematical Journal, vol. 36, no. 5, pp. 917–929, 1995.
[21] J. D. Day, V. Ganesh, P. He, F. Manea, and D. Nowotka, “The satisfiability of word equations: Decidable and undecidable theories,” in International Conference on Reachability Problems (RP). Springer, 2018, pp. 15–29.
[22] J. M. Važenin and B. V. Rozenblat, “Decidability of the positive theory of a free countably generated semigroup,” Mathematics of the USSR-Sbornik, vol. 44, no. 1, p. 109, 1983.
[23] Y. Jing, H. Wang, Y. Huang, L. Zhang, J. Xu, and Y. Cao, “A modeling language to describe massive data storage management in cyber-physical systems,” Journal of Parallel and Distributed Computing (JPDC), vol. 103, pp. 113–120, 2017.
[24] B. Zhang, Z. Jin, H. Wang, and Y. Cao, “Tool for verifying cloud block storage based on separation logic,” Journal of Software, vol. 33, no. 6, pp. 2264–2287, 2022.
[25] J. C. Reynolds, “Intuitionistic reasoning about shared mutable data structure,” Millennial perspectives in computer science, vol. 2, no. 1, pp. 303–321, 2000.
[26] J. Berdine, C. Calcagno, and P. W. O’hearn, “Symbolic execution with separation logic,” in Asian Symposium on Programming Languages and Systems (APLAS). Springer, 2005, pp. 52–68.
[27] T. Kutsia, “Solving equations with sequence variables and sequence functions,” Journal of Symbolic Computation (JSC), vol. 42, no. 3, pp. 352–388, 2007.
[28] M. Minsky, Computation: Finite and Infinite Machines. JSTOR, 1968.

Appendix

Proof sketch of Theorem II.1: For every Boolean combinations $\varphi$ defined in Definition II.3, there exists a single word equation $T(\varphi)\overset{\triangle}{=}U==V$ , which is equivalent to $\varphi$ in the following inductive way:

$\displaystyle T$	$\displaystyle(t_{1}==t_{2})$	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle t_{1}==t_{2}$
$\displaystyle T$	$\displaystyle(t_{1}==t_{2}\land t_{1}^{\prime}==t_{2}^{\prime})$	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle F(t_{1},t_{2})==F(t_{1}^{\prime},t_{2}^{\prime})$
$\displaystyle T$	$\displaystyle(t_{1}==t_{2}\lor t_{1}^{\prime}==t_{2}^{\prime})$	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle T_{0}(t_{1}\circ t_{2}^{\prime}==t_{2}\circ t_{2}^{\prime}\lor t_{2}\circ t_{1}^{\prime}==t_{2}\circ t_{2}^{\prime})$
$\displaystyle T$	$\displaystyle(\lnot\;t_{1}==t_{2})$	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle\exists\beta\exists\beta^{\prime}\exists\beta^{\prime\prime}.(\bigvee_{n\in\Sigma}t_{1}==t_{2}\circ n\circ\beta)\lor(\bigvee_{n\in\Sigma}t_{2}==t_{1}\circ n\circ\beta)$
	$\displaystyle\lor(\bigvee_{\mbox{\scriptsize$\begin{array}[]{c}n,n^{\prime}\in\Sigma\\ n!=n^{\prime}\end{array}$ }}t_{1}==\beta\circ n\circ\beta^{\prime}\land t_{2}==\beta\circ n^{\prime}\circ\beta^{\prime\prime})$
$\displaystyle T$	${}_{0}(u==v\lor u^{\prime}==v)$	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle\exists\beta\exists\beta^{\prime}.X==\beta\circ Y\circ\beta^{\prime},$

where $\Sigma$ is generator set, and

$\displaystyle X$	$\displaystyle\quad=\quad G(u\circ u^{\prime})^{2}\circ u\circ G(u\circ u^{\prime})^{2}\circ u^{\prime}\circ G(u\circ u^{\prime})^{2}$
$\displaystyle Y$	$\displaystyle\quad=\quad G(u\circ u^{\prime})^{2}\circ v\circ G(u\circ u^{\prime})^{2}$
$\displaystyle F(t_{1},t_{2})$	$\displaystyle\quad=\quad t_{1}\circ n\circ t_{2}\circ t_{1}\circ n^{\prime}\circ t_{2},\;$	$\displaystyle n!=n^{\prime}$
$\displaystyle G(t)$	$\displaystyle\quad=\quad t\circ n\circ t\circ n^{\prime},\;$	$\displaystyle n!=n^{\prime}$

$\hfill\square$

Proof sketch of Lemma V.1: The ’if’ part of the lemma is straightforward. For the ’only if’ part, we suppose that $\sigma|=\mathtt{sapling}(x_{0},x_{0}^{\prime})$ . It is sufficient to show the following two facts.

•

It is impossible that all connected components in $\sigma$ are circles,
•

If there are one or more circles in $\sigma$ , then let $\sigma^{\prime}$ be the model with only one sapling in $\sigma$ and without circles. We can get $\sigma^{\prime}|=\mathtt{sapling}(x_{0},x_{0}^{\prime})$ .

First we prove the first fact. We suppose that all connected components in $\sigma$ are circles. We can imply that each master node has one predecessor. It contradicts $\varPsi_{2}$ which claims there are no predecessors on the first node $x_{0}$ .

Then we prove the second fact. According to the first fact, there exists one sapling in $\sigma$ . The sapling does not intersect with other circles according to $\varPsi_{1}$ which claims that each master node has no more than 2 predecessors. Let $\sigma^{\prime}$ be the sapling in $\sigma$ , and $\sigma^{\prime\prime}$ be all circles in $\sigma$ . We can have $\sigma=\sigma^{\prime}\uplus\sigma^{\prime\prime}$ . So, the proposition $\sigma^{\prime}|=\mathtt{sapling}(x_{0},x_{0}^{\prime})$ is true, because removing circles does not affect the truth of $\varPsi_{1},\varPsi_{2},\varPsi_{3}$ , and $\varPsi_{4}$ . $\square$

Construction in Theorem 5.1. The formula $\varPhi_{1}$ in part 1 is exactly of the form $\varPsi_{1}\land\varPsi_{2}$ defined in eq. 7. It can be written in the following way:

\displaystyle\varPhi_{1}\;=

\displaystyle\;\forall_{x}x_{1}\forall_{x}x_{2}\forall_{x}x_{3}\forall_{x}x_{4}\forall_{\alpha}\alpha_{1}\forall_{\alpha}\alpha_{2}.\;(x_{1}\hookrightarrow x_{3}\circ\alpha_{1}*x_{2}\hookrightarrow x_{4}\circ\alpha_{2}=>x_{3}!=x_{4})\land\forall_{x}x_{1}\forall_{\alpha}\alpha.\;\lnot(x_{1}\hookrightarrow x\circ\alpha).

(9)

The formula $\varPhi_{2}$ in part 2 can be written in the following way.

	$\displaystyle\varPhi_{2}\quad=$	$\displaystyle\exists_{x}x_{0}\exists_{x}x_{k}\exists_{x}x_{c^{1}}\exists_{x}x_{c^{2}}\exists_{x}x_{1}\exists_{x}x_{0}^{\prime}\exists_{x}x_{k}^{\prime}\exists_{x}x_{c^{1}}^{\prime}\exists_{x}x_{c^{2}}^{\prime}\exists_{\alpha}\alpha_{c^{1}}^{\prime}\exists_{\alpha}\alpha_{c^{2}}^{\prime}.$		(10)
		$\displaystyle\mathtt{InitState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},x_{1})*\mathtt{FinState}(x_{0}^{\prime},x_{k}^{\prime},x_{c^{1}}^{\prime},x_{c^{2}}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime}).$		(10)

The predicate $\mathtt{InitState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},x_{1})$ encodes the initial state $(I_{0},c_{0}^{1},c_{0}^{2})=(1,0,0)$ (which corresponds to slave nodes on three master nodes $x_{k},x_{c^{1}},x_{c^{2}}$ in Fig. (7) ), and
$\mathtt{FinState}(x_{0}^{\prime},x_{k}^{\prime},x_{c^{1}}^{\prime},x_{c^{2}}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime})$ encodes the final state $(n,c_{m}^{1},c_{m}^{2})$ . The state $(n,c_{m}^{1},c_{m}^{2})$ corresponds to slave nodes on three master nodes $x_{k}^{\prime},x_{c^{1}}^{\prime},x_{c^{2}}^{\prime}$ in Fig. (7). These two predicates are defined as follows:

	$\displaystyle\mathtt{InitState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},x_{1})$	(11)
$\displaystyle\overset{\triangle}{=}$	$\displaystyle x_{0}\hookrightarrow x_{k}\circ\varepsilonx_{k}\hookrightarrow x_{c^{1}}\circ\mathbf{nil}x_{c^{1}}\hookrightarrow x_{c^{2}}\circ\mathbf{nil}*x_{c^{2}}\hookrightarrow x_{1}\circ\mathbf{nil},$

	$\displaystyle\mathtt{FinState}(x_{0}^{\prime},x_{k}^{\prime},x_{c^{1}}^{\prime},x_{c^{2}}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime})$
$\displaystyle\overset{\triangle}{=}$	$\displaystyle x_{0}^{\prime}\hookrightarrow x_{k}^{\prime}\circ\varepsilonx_{k}^{\prime}\hookrightarrow x_{c^{1}}^{\prime}\circ\mathbf{nil}^{n}x_{c^{1}}^{\prime}\hookrightarrow x_{c^{2}}^{\prime}\circ\alpha_{c^{1}}^{\prime}\circ\mathbf{nil}*x_{c^{2}}^{\prime}\hookrightarrow\varepsilon\circ\alpha_{c^{2}}^{\prime}\circ\mathbf{nil}.$

Note that $n$ is fixed when the two-counter Minsky machine is given.

Before constructing the formula $\varPhi_{3}$ , we need to formalize some additional properties shown below.

The sequence $\alpha$ is of the form $\mathbf{nil}^{*}$ :

\displaystyle\mathtt{ini}(\alpha)\overset{\triangle}{=}\mathbf{nil}\circ\alpha==\alpha\circ\mathbf{nil}.

(12)

The sequence $\alpha_{1}$ of the form $\mathbf{nil}^{*}$ is one element longer than sequence $\alpha_{2}$ of the same form:

\displaystyle\alpha_{1}==\alpha_{2}\circ\mathbf{nil}.

With the idea in $\varPsi_{4}$ , we can construct $\varPhi_{3}$ as follows:

$\displaystyle\varPhi_{3}\quad=$	$\displaystyle\forall_{x}x_{0}\forall_{x}x_{k}\forall_{x}x_{c^{1}}\forall_{x}x_{c^{2}}\forall_{x}x_{0}^{\prime}.\;\exists_{x}x_{k}^{\prime}\exists_{x}x_{c^{1}}^{\prime}\exists_{x}x_{c^{2}}^{\prime}\exists x_{1}^{\prime}\exists_{\alpha}\alpha_{k}\exists_{\alpha}\alpha_{c^{1}}\exists_{\alpha}\alpha_{c^{2}}\exists_{\alpha}\alpha_{k}^{\prime}\exists_{\alpha}\alpha_{c^{1}}^{\prime}\exists_{\alpha}\alpha_{c^{2}}^{\prime}.$	(13)
	$\displaystyle\bigl{(}\mathtt{CurrState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},x_{0}^{\prime},\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}})\land\lnot\mathtt{FinState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},\alpha_{c^{1}},\alpha_{c^{2}})\bigr{)}$
	$\displaystyle=>\mathtt{NextState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},x_{0}^{\prime},x_{k}^{\prime},x_{c^{1}}^{\prime},x_{c^{2}}^{\prime},x_{0}^{\prime\prime},\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}},\alpha_{k}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime}).$

In $\varPhi_{3}$ , the predicate $\mathtt{CurrState}$ represents the current state beginning from the master node which has no slave nodes, $\mathtt{FinState}$ represents the final state which has been defined in Equation 11, and $\mathtt{NextState}$ represents the transition from one state to the other. The formula $\varPhi_{3}$ encodes the following fact: for each current state except for the final state, there exists a next state which can be transitioned from the current state. The predicates $\mathtt{CurrState}$ and $\mathtt{NextState}$ are defined as follows:

		$\displaystyle\mathtt{CurrState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},x_{0}^{\prime},\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}})$
	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle x_{0}\hookrightarrow x_{k}\circ\varepsilonx_{k}\hookrightarrow x_{c^{1}}\circ\alpha_{k}x_{c^{1}}\hookrightarrow x_{c^{2}}\circ\alpha_{c^{1}}\circ\mathbf{nil}*x_{c^{2}}\hookrightarrow x_{0}^{\prime}\circ\alpha_{c^{2}}\circ\mathbf{nil},$
		$\displaystyle\mathtt{NextState}(x_{0},x_{k},x_{c^{1}},x_{c^{2}},x_{0}^{\prime},x_{k}^{\prime},x_{c^{1}}^{\prime},x_{c^{2}}^{\prime},x_{0}^{\prime\prime},\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}},\alpha_{k}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime})$
	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle\mathtt{Init}(\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}},\alpha_{k}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime})\land\mathtt{CurrState}(x_{0}^{\prime},x_{k}^{\prime},x_{c^{1}}^{\prime},x_{c^{2}}^{\prime},x_{0}^{\prime\prime},\alpha_{k}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime})\land\mathtt{Next}(\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}},\alpha_{k}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime}),$

where the predicate $\mathtt{Init}$ is defined as follows. The predicate $\mathtt{ini}$ has been defined in Equation 12.

		$\displaystyle\mathtt{Init}(\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}},\alpha_{k}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime})$
	$\displaystyle\quad\overset{\triangle}{=}\quad$	$\displaystyle\mathtt{ini}(\alpha_{k})\land\mathtt{ini}(\alpha_{c^{1}})\land\mathtt{ini}(\alpha_{c^{2}})\land\mathtt{ini}(\alpha_{k}^{\prime})\land\mathtt{ini}(\alpha_{c^{1}}^{\prime})\land\mathtt{ini}(\alpha_{c^{2}}^{\prime}).$

The predicate $\mathtt{Next}$ is defined as follows:

		$\displaystyle\mathtt{Next}(\alpha_{k},\alpha_{c^{1}},\alpha_{c^{2}},\alpha_{k}^{\prime},\alpha_{c^{1}}^{\prime},\alpha_{c^{2}}^{\prime})$
	$\displaystyle\overset{\triangle}{=}\quad$	$\displaystyle\bigwedge_{(k_{0},c_{j},c_{j}^{\prime},k)\in\mathcal{I}_{1}}\Bigl{(}\alpha_{k}==\mathbf{nil}^{k_{0}}\land\alpha_{c^{j}}^{\prime}==\alpha_{c^{j}}\circ\mathbf{nil}\land\alpha_{c^{j^{\prime}}}^{\prime}==\alpha_{c^{j^{\prime}}}\land\alpha_{k}^{\prime}==\mathbf{nil}^{k}\Bigr{)}$
	$\displaystyle\land$	$\displaystyle\;\bigwedge_{(k_{0},c_{j},c_{j}^{\prime},k_{1},k_{2})\in\mathcal{I}_{2}}\Bigl{(}\alpha_{k}==\mathbf{nil}^{k_{0}}\;\land\bigl{(}\alpha_{c^{j}}==\mathbf{nil}=>(\alpha_{c^{1}}^{\prime}==\alpha_{c^{1}}\land\alpha_{c^{2}}^{\prime}==\alpha_{c^{2}}\land\alpha_{k}^{\prime}==\mathbf{nil}^{k_{1}})\bigr{)}$
		$\displaystyle\hskip 80.00012pt\land\bigl{(}\lnot(\alpha_{c^{j}}==\mathbf{nil})=>(\alpha_{c^{j}}^{\prime}\circ\mathbf{nil}==\alpha_{c^{j}}\land\alpha_{c^{j^{\prime}}}^{\prime}==\alpha_{c^{j^{\prime}}}\land\alpha_{k}^{\prime}==\mathbf{nil}^{k_{2}})\bigr{)}\Bigr{)}.$

In the formula $\mathtt{Next}$ , the set $\mathcal{I}_{1}$ and $\mathcal{I}_{2}$ have been defined in Definition V.1. The reduction can be done following Equations 8, 9, 10 and 13. $\hfill\square$

$\displaystyle\sigma\|=t_{1}=t_{2}$	iff	$\displaystyle\quad\|[t_{1}\|]\sigma=\|[t_{2}\|]\sigma.$
$\displaystyle\sigma\|=\mathbf{emp}$	iff	$\displaystyle\quad\mathtt{dom}(h)=\varnothing.$
$\displaystyle\sigma\|=t_{1}\|->t_{2}$	iff	$\displaystyle\quad\|[t_{1}\|]\sigma!=\mathbf{nil}\text{ and }\mathtt{dom}(h)=\{\|[t_{1}\|]\sigma\}$
$\displaystyle\quad\text{ and }h(\|[t_{1}\|]\sigma)=\|[t_{2}\|]\sigma.$
$\displaystyle\sigma\|=\mathtt{P}^{n}(t_{1},\dots,t_{n})$	iff	$\displaystyle\quad\mathtt{P}_{\sigma}^{n}(\|[t_{1}\|]\sigma,\dots,\|[t_{n}\|]\sigma)\text{ holds.}$
$\displaystyle\sigma\|=\lnot\varphi$	iff	$\displaystyle\quad\sigma\nvDash\varphi.$
$\displaystyle\sigma\|=\varphi_{1}\land\varphi_{2}$	iff	$\displaystyle\quad\sigma\|=\varphi_{1}\text{ and }\sigma\|=\varphi_{2}.$
$\displaystyle\sigma\|=\varphi_{1}\lor\varphi_{2}$	iff	$\displaystyle\quad\sigma\|=\varphi_{1}\text{ or }\sigma\|=\varphi_{2}.$
$\displaystyle\sigma\|=\varphi_{1}=>\varphi_{2}$	iff	$\displaystyle\quad\text{if }\sigma\|=\varphi_{1}\text{, then }\sigma\|=\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}*\varphi_{2}$	iff	$\displaystyle\quad\text{there exists heap }h_{1}\text{ and }h_{2},$
$\displaystyle\quad\text{such that }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h_{2})=\varnothing,$
$\displaystyle\quad\text{and }h=h_{1}\uplus h_{2},\text{ and }(s,h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{and }(s,h_{2})\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}-*\varphi_{2}$	iff	$\displaystyle\quad\text{for all heaps }h_{1},$
$\displaystyle\quad\text{if }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h)=\varnothing\text{,}$
$\displaystyle\quad\text{and }(s,h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{then }(s,h_{1}\uplus h)\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\exists x.\varphi$	iff	$\displaystyle\quad\text{there exists }x_{0}\text{ in Loc}\cup\text{Val,}$
$\displaystyle\quad\text{such that }(s[x->x_{0}],h)\;\|=\;\varphi,$

	$\displaystyle\sigma\|=t\|->t_{1},\dots,t_{n}$	iff	$\displaystyle\|[t\|]\sigma!=\mathbf{nil}\text{ and }\mathtt{dom}(h)=\{\|[t\|]\sigma\},$
	$\displaystyle\text{ and }h(\|[t\|]\sigma)=(\|[t_{1}\|]\sigma,\dots,\|[t_{n}\|]\sigma).$

	$\displaystyle\|[$	$\displaystyle\mathbf{nil}\|]\sigma=\mathbf{nil}$	$\displaystyle\|[$	$\displaystyle\#\|]\sigma=\#$
	$\displaystyle\|[$	$\displaystyle n\|]\sigma=n$	$\displaystyle\|[$	$\displaystyle x\|]\sigma=s_{x}(x),$

	$\displaystyle\|[$	$\displaystyle\varepsilon\|]\sigma=\varepsilon$	$\displaystyle\|[$	$\displaystyle t_{x}\|]\sigma\text{ is defined above}$
	$\displaystyle\|[$	$\displaystyle\alpha\|]\sigma=s_{\alpha}(\alpha)$	$\displaystyle\|[$	$\displaystyle t_{\alpha_{1}}\circ t_{\alpha_{2}}\|]\sigma=\|[t_{\alpha_{1}}\|]\sigma\circ\|[t_{\alpha_{2}}\|]\sigma,$

$\displaystyle\sigma\;\|=\;t_{x_{1}}=t_{x_{2}}$	iff	$\displaystyle\quad\|[t_{x_{1}}\|]\sigma=\|[t_{x_{2}}\|]\sigma.$
$\displaystyle\sigma\;\|=\;t_{\alpha_{1}}==t_{\alpha_{2}}$	iff	$\displaystyle\quad\|[t_{\alpha_{1}}\|]\sigma==\|[t_{\alpha_{2}}\|]\sigma.$
$\displaystyle\sigma\;\|=\;\lnot\varphi$	iff	$\displaystyle\quad\sigma\;\nvDash\;\varphi.$
$\displaystyle\sigma\;\|=\;\varphi_{1}\land\varphi_{2}$	iff	$\displaystyle\quad\sigma\;\|=\;\varphi_{1}\text{, and }\sigma\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}\lor\varphi_{2}$	iff	$\displaystyle\quad\sigma\;\|=\;\varphi_{1}\text{, or }\sigma\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}=>\varphi_{2}$	iff	$\displaystyle\quad\text{if }\sigma\;\|=\;\varphi_{1}\text{, then }\sigma\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\textbf{emp}$	iff	$\displaystyle\quad\mathtt{dom}(h)=\varnothing.$
$\displaystyle\sigma\;\|=\;t_{x}\|->t_{\alpha}$	iff	$\displaystyle\quad\|[t_{x}\|]\sigma\notin\mathrm{Atom},\;\mathtt{dom}(h)=\{\|[t_{x}\|]\sigma\},$
$\displaystyle\quad\text{ and }h(\|[t_{x}\|]\sigma)=\|[t_{\alpha}\|]\sigma$
$\displaystyle\sigma\;\|=\;\varphi_{1}*\varphi_{2}$	iff	$\displaystyle\quad\text{there exist heap }h_{1}\text{ and }h_{2},$
$\displaystyle\quad\text{such that }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h_{2})=\varnothing\;,$
$\displaystyle\quad\text{and }h=h_{1}\uplus h_{2},\;(s_{x},s_{\alpha},h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{and }(s_{x},s_{\alpha},h_{2})\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\varphi_{1}-*\varphi_{2}$	iff	$\displaystyle\quad\text{for all heaps }h_{1},$
$\displaystyle\quad\text{if }\mathtt{dom}(h_{1})\cap\mathtt{dom}(h)=\varnothing\text{ ,}$
$\displaystyle\quad\text{and }(s_{x},s_{\alpha},h_{1})\;\|=\;\varphi_{1},$
$\displaystyle\quad\text{then }(s_{x},s_{\alpha},h_{1}\uplus h)\;\|=\;\varphi_{2}.$
$\displaystyle\sigma\;\|=\;\exists_{x}x.\varphi$	iff	$\displaystyle\quad\text{there exists }x_{0}\text{ in Values,}$
$\displaystyle\quad\text{such that }(s_{x}[x->x_{0}],s_{\alpha},h)\;\|=\;\varphi.$
$\displaystyle\sigma\;\|=\;\exists_{\alpha}\alpha.\varphi$	iff	$\displaystyle\quad\text{there exists }\alpha_{0}\text{ in Values}^{*},$
$\displaystyle\quad\text{such that }(s_{x},s_{\alpha}[\alpha->\alpha_{0}],h)\;\|=\;\varphi,$

A separation logic for sequences in pointer programs and its decidability