A decidable class of verification conditions for programs with higher order store


Electronic Communications of the EASST
Volume 23 (2009)

Proceedings of the
Ninth International Workshop on

Automated Verification of Critical Systems
(AVOCS 2009)

A decidable class of verification conditions for programs with higher
order store

Nathaniel Charlton Bernhard Reus

17 pages

Guest Editor: Markus Roggenbach
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

A decidable class of verification conditions for programs with higher
order store

Nathaniel Charlton Bernhard Reus

n.a.charlton@sussex.ac.uk bernhard@sussex.ac.uk
School of Informatics
University of Sussex

Abstract: Recent years have seen a surge in techniques and tools for automatic
and semi-automatic static checking of imperative heap-manipulating programs. At
the heart of such tools are algorithms for automatic logical reasoning, using heap
description formalisms such as separation logic. In this paper we work towards
extending these static checking techniques to languages with procedures as first
class citizens. To do this, we first identify a class of entailment problems which
arise naturally as verification conditions during the static checking of higher order
heap-manipulating programs. We then present a decision procedure for this class
and prove its correctness. Entailments in our class combine simple symbolic heaps,
which are descriptions of the heap using a subset of separation logic, with (limited
use of) nested Hoare triples to specify properties of higher order procedures.

Keywords: higher order store, verification, nested triples, separation logic

1 Introduction

Program verification systems can be characterised according to the range and depth of properties
they prove about programs, and the degree of user assistance they require. Some systems are
designed for proving “full functional correctness”, that is, for proving that a program performs
exactly the function it is intended to. Proving full functional correctness involves a signifi-
cant annotation burden, and difficult verification conditions must be discharged interactively by
users due to the limitations of automated theorem proving. On the other hand systems such as
ESC/Java [FLL+02] check only a limited range of properties (e.g., memory safety), which en-
ables them to run automatically, using decision procedures or automated theorem provers. Such
systems have been termed lightweight, and behave much like enhanced type checkers.

Among the systems for lightweight verification are several successful tools which use sep-
aration logic [Rey02], an extension of classical logic which facilitates local reasoning about
heap-manipulating programs. These tools include Smallfoot [BCO05a] and its descendants and
HIP [NDQC07]. Separation logic provides two main ingredients: the separating conjunction ?
and the frame rule. The formula P ? Q describes heaps which can be split into two disjoint parts,
one part satisfying P and the other satisfying Q. Other new subformulae include emp, which
describes the empty heap, and the points-to formulae such as x 7→{| f1 : y, f2 : |} which describes
a heap containing exactly one object, pointed to by variable x; this object has at least the field f1,
with value y, and the field f2 which may have any value. The frame rule states that if a command

1 / 17 Volume 23 (2009)

mailto:n.a.charlton@sussex.ac.uk
mailto:bernhard@sussex.ac.uk


A decidable class of verification conditions for programs with higher order store

C satisfies the triple {P}C{Q}, and does not modify any variables free in R, then it also satisfies
{P ? R}C{Q ? R}. This embodies the idea that parts of the heap which the command does not
access (here described by R) remain unchanged.

We work towards extending these lightweight program checking tools to higher order lan-
guages, and in particular those with higher order store. A programming language is called
higher order if it treats procedures as first class values, so that procedures can be returned by
expressions, passed as parameters etc. and then invoked later when needed. Additionally, such a
language is said to have higher order store if procedures can be stored in updateable variables.
Higher order store presents a serious obstacle to verification: since the procedure referred to
by a particular name (e.g. stored in a particular variable) can change as the program executes,
it is no longer adequate to use a single static specification for each procedure. Nested triples
(e.g. [SBRY09, HYB05]) are a natural idea for reasoning about such procedure updates. In this
approach, specifications (Hoare triples) for procedures can appear as ordinary assertions about
program state, and hence triples can be nested inside other triples, in the pre- or post-conditions.

Our contribution in this paper is to give a decision procedure for a class of verification con-
ditions (VCs) which supports the combined use of the two logical features we have described,
separation logic and nested triples. By providing these features, our class includes VCs which
arise naturally during the verification of heap-manipulating imperative programs with higher or-
der store. We prove the correctness of our decision procedure, and illustrate by example the role
it plays within the static program checker we are developing. The class of VCs we decide is
strongly restricted; however the result we give is, to our knowledge, the first decidability result
for verification conditions involving nested triples.

1.1 Related work

We have already mentioned lightweight tools which check properties of programs specified using
separation logic. Decision procedures for fragments of separation logic are known, and used in
such tools; [BIP08] gives arguably the most general of these. None of the existing tools allow the
use of nested triples, however. Our aim is to use our decision procedure and its future extensions
to extend such tools to languages with higher order store.

Various works build verification systems on top of powerful theorem proving environments
such as Isabelle and Coq, which can be used for proving full functional correctness. [MN05]
uses higher order logic to reason about the heap, and formalises (imperative) programs and proofs
about them in Isabelle. [ZKR08] also uses higher order logic and Isabelle. We believe that these
two works could be extended to address higher order store. [NMB08] shows using Coq that
separation logic reasoning principles are admissible in Hoare Type Theory, an extension of a
dependently and polymorphically typed functional language (allowing higher order functions)
with Hoare-style specifications for state. We expect that our results, or adaptions thereof, can
also be usefully integrated with such systems: decision procedures can be used to automatically
discharge many proof obligations, leaving only the most involved proofs to be done interactively.

Several papers have investigated the theoretical aspects of adapting separation logic for use
with higher order programs. [SBRY09, BRSY08, RS06, HYB05] study programs with higher
order store and use logics with nested triples, while [BTY06, BY07, KAB+09] study higher order
procedures in the style of Idealised Algol and use a form of specification logic. This existing

Proc. AVOCS 2009 2 / 17



ECEASST

procedure MAIN GetEvent UserProcTemplate
new ctr;
ctr.cnt := 0;
SendToAll := INCR ctr;
new eventBuffer;
call GetEvent eventBuffer;
t := eventBuffer.eventType;

procedure INCR x y
n := x.cnt; x.cnt := n + 1

procedure APPLY2 F G a
call F a; call G a

while t 6= END do . This is the main event-handling loop
if t = TALK then . A connected user has typed a message

m := eventBuffer.message;
call SendToAll m

else if t = CONNECT then . A new user has joined the chatroom
u := eventBuffer.newUserInfo;
NewUserProc := UserProcTemplate u;
OldSend := SendToAll;
SendToAll := APPLY2 OldSend NewUserProc

call GetEvent eventBuffer;
t := eventBuffer.eventType

dispose eventBuffer;
dispose ctr

Figure 1: The (idealised) outline of a chatroom server, programmed using higher order store.

research does not discuss the issue of decidability i.e. the issue of which kinds of verification
conditions can be proved or falsified fully automatically.

2 An example verification problem with higher order store

Fig. 1 gives an imperative program which uses higher order store to implement (the idealised out-
line of) a server for a chatroom. In addition to three fixed procedures INCR, APPLY2 and MAIN,
the program uses dynamically created procedures as follows. Each connected user is encapsu-
lated in a procedure which, when invoked on a message argument m, sends m to the appropriate
user. The server maintains a procedure SendToAll which is run whenever a connected user types
a message (a ‘Talk’ event). SendToAll broadcasts its message argument to all connected users,
by invoking the procedure encapsulating each user, and also updates a counter which records the
number of messages sent. When a new user joins the chatroom (a ‘Connect’ event) the program
updates the procedure SendToAll, replacing it with one which additionally broadcasts to the new
user. The new SendToAll is built from the old one, the procedure encapsulating the new user, and
the higher order procedure APPLY2. Using procedures like APPLY2 in a Curried style provides
a useful way to dynamically generate new code; as in functional languages we write (partial)
application of (Curried) procedures simply as juxtaposition.

Using nested triples and separation logic we can reason naturally about the example program.

3 / 17 Volume 23 (2009)



A decidable class of verification conditions for programs with higher order store

Specifications
for fixed
procedures

∀x∀y {x 7→{|cnt : |}} INCR x y {x 7→{|cnt : |}}

∀F∀G∀a
{
∀x{Ψ} F x {Ψ} ∧ ∀x{Ψ} G x {Ψ} ∧ Ψ

}
APPLY2 F G a {Ψ}

∀ GetEvent ∀ UserProcTemplate {Φ} MAIN GetEvent UserProcTemplate {D}

Loop invariant
for loop in
MAIN (ΦINV)

∀x {D ? ctr 7→{|cnt : |}} SendToAll x {D ? ctr 7→{|cnt : |}}
∧ ∀a∀x {D} UserProcTemplate a x {D}
∧ ∀buf {D ? buf 7→{||}} GetEvent buf {D ? buf 7→{|eventType : , X|}}
∧ D ? eventBuffer 7→{|eventType : , X|} ? ctr 7→{|cnt : |}

State after
initialisation
section of MAIN
(ΦINIT)

∀x {ctr 7→{|cnt : |}} SendToAll x {ctr 7→{|cnt : |}}
∧ ∀a∀x {D} UserProcTemplate a x {D}
∧ ∀buf {D ? buf 7→{||}} GetEvent buf {D ? buf 7→{|eventType : , X|}}
∧ D ? eventBuffer 7→{|eventType : t, X|} ? ctr 7→{|cnt : |}

where X is the two entries “message : , newUserInfo : ”, Ψ is D ? ctr 7→{|cnt : |}, and Φ is

D ∧ ∀buf {D ? buf 7→{||}} GetEvent buf {D ? buf 7→{|eventType : , X|}}
∧ ∀u ∀msg {D} UserProcTemplate u msg {D}

Figure 2: Memory safety specifications for the fixed procedures in Fig. 1.

For instance, the initialisation statement “SendToAll := INCR ctr” in Fig. 1 satisfies the triple

∀x∀y{x 7→{|cnt : |}}

INCR x y
{x 7→{|cnt : |}}


 SendToAll :=INCR ctr



∀x∀y{x 7→{|cnt : |}}

INCR x y
{x 7→{|cnt : |}}

∧
∀y{ctr 7→{|cnt : |}}

SendToAll y
{ctr 7→{|cnt : |}}




Here the program variable ctr appears free in the triple for SendToAll, nested in the postcondition:
the value of ctr has been “hard-wired” into SendToAll via partial application of the Curried
procedure INCR. As explained earlier, the specification for INCR is lightweight: specifically, the
pre- and post-conditions say which objects should be in the heap at which addresses, and which
fields they should contain, but not what the values of the fields should be. We remark that with
higher order programs one can do almost no reasoning without using universal quantifiers, as
one needs to specify how procedures behave for all possible invocations.

Suppose we annotate our program with specifications for the three fixed procedures, plus an
invariant for the loop in MAIN, as in Fig. 2. We use the assertion variable D to stand for whatever
concrete data structure is used to store the necessary information about the connected users.
Our verification of the code in Fig. 1 will not need any assumptions about this data structure,
and so will be generic with respect to it; when one verifies implementations of GetEvent and
UserProcTemplate (which we shall not do here), however, one will instantiate D concretely.

Proc. AVOCS 2009 4 / 17



ECEASST

We want our specifications checked by machine. A standard technique is to cut up the code
into “straight-line” pieces, and from these and the annotations (specifications and loop invariant)
generate verification conditions in the form of logical entailments. The VC generation step is
not the subject of this paper: instead, we focus on the problem of how to automatically check the
VCs once they have been generated. We just mention that we use forward reasoning rules akin
to those of [BCO05b], rather than (backwards) weakest precondition rules.

The critical point is that for programs with higher order store the VCs contain (nested) triples.
For instance (as can be shown by forward reasoning rules), after the initialisation section of MAIN
the program state satisfies the formula ΦINIT in Fig. 2. Thus one of the VCs is ΦINIT � ΦINV,
which corresponds to checking that the loop invariant is correctly established. Both ΦINIT and
Φ

INV contain triples for SendToAll. For this particular entailment, the main task is to show

∀x {ctr 7→{|cnt : |}} SendToAll x {ctr 7→{|cnt : |}}
� ∀x {D ? ctr 7→{|cnt : |}} SendToAll x {D ? ctr 7→{|cnt : |}}

which can be done using a frame rule to add D on the left of �. Similarly, one must prove VCs
to show that the loop body preserves the invariant, e.g. one must prove that the new procedure
stored in SendToAll during (one branch of) the loop body still meets the appropriate specification,
which amounts to checking the following entailment (where Ψ is D ? ctr 7→{|cnt : |}).

∀x {Ψ} OldSend x {Ψ} ∧ ∀x {D} NewUserProc x {D}

∧ ∀a
{

∀x {Ψ} OldSend x {Ψ}
∧ ∀x {Ψ} NewUserProc x {Ψ} ∧ Ψ

}
SendToAll a {Ψ}

� ∀x {Ψ} SendToAll x {Ψ}

(1)

Intuitively the triple for SendToAll in the antecedent says that SendToAll works as required pro-
vided the procedures NewUserProc and OldSend, from which it was built, also behave properly.
The decidable class of VCs that we identify and solve contains (1) and similar entailments.

3 Formal foundations

In this section, we formalise a simple logic for reasoning about imperative programs with higher
order store, which includes nested triples and separation logic features. Our VCs will then be
entailment problems between formulae of this logic. In order to give formal semantics to the
logic, however, we first give an overview of the higher order programming language we work
with (we lack the space to give formal definitions for the language).

3.1 Overview of our programming language with higher order store

The language we work with is very similar to that used in Fig. 1: it is a while language with
heap manipulation statements, extended with higher order storable procedures with value param-
eters, and is interpreted within the solution to the following system of domain equations.

Heap = RecZ>0 (RecFieldN(Z)) Stack = (Var → Z)×(PVar → Proc)
State = Stack×Heap Cmd = State ⇀ (State +{fault})
Proc = VarList×Cmd

5 / 17 Volume 23 (2009)



A decidable class of verification conditions for programs with higher order store

Here RecS(A) is the set of records with fields from set S and values from domain A. Such a record
is written {| f1 = v1, . . . , fn = vn|} (where f1, . . . , fn ∈ S and v1, . . . , vn ∈ A). We overload the ?
symbol to mean the “union” of disjoint records: {| f1 = v1, . . . , fn = vn|}?{| f ′1 = v

′
1, . . . , f

′
m = v

′
m|}

is the record {| f1 = v1, . . . , fn = vn, f ′1 = v
′
1, . . . , f

′
m = v

′
m|} if { f1, . . . , fn}∩{ f ′1, . . . , f

′
m} = /0 and is

undefined otherwise. We write R[ f := v] for the record R updated (if f ∈ dom(R)) or extended
(if f /∈ dom(R)) with value v at field f (and overload this notation for updating functions too).
VarList is the set of finite lists of variables from Var or PVar, where x : xs is a list with head x
and tail xs, and [] is the empty list.

There are two kinds of values in our language: integers and procedures. We also distinguish
two kinds of program variables, integer variables in Var (written in lower case), and procedure
variables in PVar (written in upper case). Program states take the form (s,t, h) where s is the
integer part of the stack (or simply integer stack), mapping Vars to integer values, t is the pro-
cedure stack, mapping PVars to procedures, and h is the heap. Heap cells in our language are
similar to objects in e.g. JavaScript, in that they are essentially associative arrays, associating
integer values to field names. Thus, procedures can be stored on the stack but not on the heap.

Observe that the domain equations above are recursive to accommodate higher order store:
commands map states to states but states themselves contain commands, stored in procedure
variables. Commands can also produce the special value fault which indicates a low-level error
such as accessing or disposing a non-allocated heap address. Commands are deterministic; in
particular the language’s memory allocator is deterministic. Procedures comprise a list of vari-
ables (the parameters) and a command (the body); when invoked, procedures run in a new stack
with default values for all variables.

By JCK we denote the interpretation of a program statement C into Cmd. The interpretation of
an expression E in stack (s,t), which gives a value in Z + Proc +{fault}, is written JEKE(s,t). As
usual when separation logic is used, there is no expression for accessing the heap; rather, values
needed from the heap must first be read into variables using the statement form v := E. f which
reads field f at address E. The expression EP EA denotes the (partial) application of a (Curried)
procedure EP to an argument expression EA. This provides a useful way to dynamically generate
new procedures. For example, a statement “G := F a” copies the procedure stored in F into G,
additionally fixing the first parameter to the current value of a. Future changes to the variable a
will have no effect on the procedure stored in G, so programs cannot use the stack to dynamically
create new recursions as in Landin’s knot. The fixed procedures of a program, however, can be
(mutually) recursive.

Procedures can only be invoked if they are not expecting further parameters; otherwise fault
results. Inherent in our treatment of procedures is that all parameters behave as value parameters,
so that from the caller’s point of view procedure calls do not modify any stack variables. Integer
values can be returned via the heap but procedures cannot.

3.2 A simple logic with nested triples and separating conjunction

Fig. 3 gives the syntax and semantics of our logic. Let AVar be the set of assertion variables (in-
troduced on page 4) such as D; these are interpreted by an environment ρ : AVar → P(Heap).
Assertions are then interpreted w.r.t. a state (s,t, h) and such a ρ . When no assertion variables
are present we omit ρ . The following definition gives our total correctness, fault-avoiding in-

Proc. AVOCS 2009 6 / 17



ECEASST

Φ ::= E 7→{|N∗|} | emp | I | Φ ? Φ | Φ∧Φ | ∀v Φ | {Φ} E {Φ} N ::= f : E | f :

JΦ1∧Φ2Kρ = JΦ1Kρ ∩JΦ2Kρ JempK ={(s,t, h) | h ={||}} JIKρ ={(s,t, h) | h ∈ ρ(I)}

JΦ1 ? Φ2Kρ = {(s,t, h) | ∃h1, h2 s.t. h = h1 ? h2, (s,t, h1) ∈ JΦ1Kρ and (s,t, h2) ∈ JΦ2Kρ}

J∀v ΦKρ = {(s,t, h) | for all n ∈ Z, (s[v := n],t, h) ∈ JΦKρ}

JE 7→{|N1, . . . , Nk|}K =


(s,t, h)

∣∣∣∣∣∣∣
dom(h) = {JEKE(s,t)} and for each Ni = f : X
f ∈ dom(h(JEKE(s,t))) and if X is an expression
(i.e. not ) then (h(JEKE(s,t)))( f ) = JX K

E
(s,t)




For J{Φ1}E{Φ2}Kρ see Definition 1. E means any expression of the programming language.

Figure 3: Syntax and semantics for a simple logic with separating conjunction and nested triples.

terpretation of triples. This definition is non-standard in that it also requires the procedure E to
behave “locally”: any extra piece of heap hI must be left untouched by the procedure.

Definition 1 Semantics of nested triples. We define J{Φ1}E{Φ2}Kρ := S×Heap where S ⊆
Stack is all those stacks (s,t) such that:

1. JEKE(s,t) has the form ([], c) where c ∈ Cmd, and

2. for all disjoint heaps h, hI ∈ Heap, if (s,t, h) ∈ JΦ1Kρ then there exist a heap g and a stack
(sL,tL) such that c(s0,t 0, h ? hI ) = (sL,tL, g ? hI ) where (s,t, g) ∈ JΦ2Kρ .

Here the stack (s0,t 0) maps all Vars to the default value 0, and maps all PVars to ([], d), where
d ∈ Cmd always faults. The callee’s local stack (sL,tL) is thrown away when the procedure
returns and so, as stated earlier, procedure calls do not modify any of the caller’s variables.

The interpretation of the other connectives is standard. Because procedure calls do not change
the value of any variables, we can quantify program variables over nested triples, and do not
need a separate set of auxiliary variables. For a quantified formula Φ =∀x1 . . .∀xnΨ we will write
Φ(E1, . . . , En) for the instantiation Ψ[x1, . . . , xn\E1, . . . , En], where E1, . . . , En are any expressions.

Definition 2 Entailment between assertions. Let Φ1, Φ2 be assertions. We say that Φ1 entails
Φ2, and write Φ1 � Φ2, if: for all ρ : AVar → P(Heap), JΦ1Kρ ⊆ JΦ2Kρ .

We list the properties of entailment between triples that we will need in our proofs.

Frame property. {P}E{Q}�{P ? R}E{Q ? R}. Because our inner triples concern procedure
calls, and we use only value parameters, the usual side condition concerning variable mod-
ification [Rey02] is not needed. In our setting the frame property follows directly from the
semantics of Hoare triples: the heap hI in Definition 1 accounts for the added invariant R.
This approached is called “baking in” the frame property, and is borrowed from [BY07].

7 / 17 Volume 23 (2009)



A decidable class of verification conditions for programs with higher order store

AVar-substitution property. If T1 � T2 then T1[I\Φ] � T2[I\Φ]. This is a typical substitution
property. (Again no side condition concerning variable modification is needed.)

Consequence property. If P2 � P1 and Q1 � Q2 then {P1}E{Q1}�{P2}E{Q2}. This holds
in the same way that the consequence rule for basic Hoare logic holds.

Crossing Out property. If Θ does not depend on the heap and does not contain x1, . . . , xn
free, then Θ∧∀x1 . . . xn{Θ∧P}E{Q}�∀x1 . . . xn{P}E{Q}. This follows straightforwardly
from the axiom (e5) in [HYB05] which also holds in our setting. This axiom states that
Φ →{P}E{Q} is equivalent to {Φ∧P}E{Q} provided Φ does not depend on the heap.

3.3 Simple symbolic heaps (SSHs)

We next define a simple class of formulae that we will work with, inspired by the symbolic heaps
of [BCO05b], and set up some machinery for manipulating them.

Definition 3 Simple symbolic heaps. A simple symbolic heap (SSH) is a formula

I1 ? ···? Ik ?
n
F
i=1

vi 7→{| f 1i : v
1
i , . . . , f

mi
i : v

mi
i |}

where I1, . . . , Ik ∈ AVar are distinct, f 1i , . . . , f
mi
i ∈ FieldN are distinct for each i, v1, . . . , vn ∈ Var

are distinct and each v ji is either an integer variable or the special symbol . (Here we allow k = 0
and/or n = 0, leaving just emp in the appropriate part of the formula.) Each assertion variable or
points-to formula occurring in the formula is called a spatial conjunct.

Definition 4 “Ensures” relation. We define a relation ensures, between spatial conjuncts of
the kind found in SSHs, as follows.

• u 7→{| f 1 : u1, . . . , f N : uN|} ensures v 7→{|g1 : v1, . . . , gM : vM|} if u = v and for each entry
g j : v j there is an entry f l : ul with f l = g j and such that v j is either ul or .

• A formula I ∈ AVar ensures itself.

We say that an SSH Φ ensures an SSH Ψ if Φ, Ψ have the same number of spatial conjuncts, and
each spatial conjunct of Ψ is ensured by a spatial conjunct of Φ.

We write P =SSH Q when SSHs P and Q are syntactically equal (modulo the order of the spatial
conjuncts, and modulo the order of fields in the points-to subformulae). We lift the ? connective
to give an operator on SSHs in the obvious way; note that this lifted operator is partial (e.g.
A = x 7→ {| f : y|} is an SSH, but A ? A is not). Finally we define a partial subtraction operator:
A−SSH B is the SSH C (unique up to =SSH when it exists) such that for some SSH B′ we have
A =SSH B′ ? C and B′ ensures B. (Where convenient, we shall treat partial operations as though
they have an option type as in ML, that is, return either Some x or None.)

Lemma 1 Properties of SSHs.

1. The (syntactic) relation “ensures” exactly captures the (semantic) entailment relation be-
tween SSHs, i.e. Φ � Ψ iff Φ ensures Ψ.

Proc. AVOCS 2009 8 / 17



ECEASST

2. If P2 −SSH P1 = R then P2 � P1 ? R. (Implication in the other direction fails in general.)

3. If P is an SSH containing no assertion variables, and s : Var
∼=→ Z>0 (by which we mean

that the integer stack s is a bijection between Var and Z>0) then there exists a heap h such
that for all t, (s,t, h) ∈ JPK.

We will use stacks s : Var
∼=→ Z>0 frequently because, as noted in 3. above, they free us from

the concern that a formula such as x 7→{| f : |}? y 7→{| f : |} cannot be satisfied in any heap just
because x and y contain the same address (recall that ? partitions the heap into disjoint pieces).

3.4 SSH-triples and their properties

Next we define some classes of Hoare triples based on SSHs. These classes will be used to define
our decidable class of verification conditions.

Definition 5 Suitable pairs of SSHs. A pair (P, Q) of SSHs is suitable if, writing P and Q as

P = I1 ? ···? Ik ?
n
F
i=1

ui 7→ Xi Q = J1 ? ···? Jl ?
m
F
j=1

v j 7→Yj

each v j appears somewhere in u1, . . . , un, and I1 ? ···? Ik is equal (modulo order) to J1 ? ···? Jl .
(The role played by suitable SSH pairs will become clear later, when we discuss Theorem 1.)

Definition 6 SSH-triples.

• By a level 0 SSH-triple about procedure F we mean a triple ∀x1 . . . xn{P} F vs {Q} where
(P, Q) is a suitable pair of SSHs, F ∈PVar, vs∈VarList are integer variables and x1, . . . , xn ∈
Var occur in vs and are distinct.

• By a level 1 SSH-triple about F we mean a triple ∀x1 . . . xn {T1 ∧···∧Tk ∧ P} F vs {Q}
in which (P, Q) is a suitable pair of SSHs, F ∈ PVar, vs ∈ VarList are integer variables,
x1, . . . , xn ∈ vs are distinct and T1, . . . , Tk are level 0 SSH-triples about distinct procedures
not including F , in which x1, . . . , xn do not occur free.

At two points later we will reduce an entailment problem P1 to a simpler entailment problem
P2. As part of proving such a reduction correct, we will take a counterexample to the entailment
P2 and construct from it a counterexample to P1. To make this reasoning work smoothly, we will
work only with counterexamples that have a particular form, as per the following definition.

Definition 7 Convenient counterexamples. Consider a non-entailment T1 ∧···∧ Tk 6� T ,
where T1, . . . , Tk, T are level 1 SSH-triples containing assertion variables I1, . . . , In. We say that
the non-entailment has convenient counterexamples if, for any fresh variables a1, . . . , an, there ex-
ist formulae Φ1, . . . , Φn and a state (s,t, h) such that: each Φi is emp or ai 7→{||}, s : Var

∼=→ Z>0,
(s,t, h) ∈ J(T1 ∧···∧Tk)[I1, . . . , In\Φ1, . . . , Φn]K and (s,t, h) /∈ JT [I1, . . . , In\Φ1, . . . , Φn]K.

Convenient counterexamples (which really are counterexamples due to the AVar-instantiation
property) are convenient in two ways. Firstly they provide states where s : Var

∼=→ Z>0 which is

9 / 17 Volume 23 (2009)



A decidable class of verification conditions for programs with higher order store

useful as explained above, and secondly they provide counterexamples that contain only points-
to conjuncts, with assertion variables having been eliminated by substitution. In fact, because
we can eliminate assertion variables in this way, we will ignore them in our sketch proofs.

Now we come to our first theorem. We show that for any level 1 SSH-triple T about a pro-
cedure F , given any values for the integer variables and any interpretation of I, J, . . ., we can
construct a program for F that meets the specification T .

Theorem 1 Existence of models for level 1 SSH-triples. Let T be a level 1 SSH-triple about
F . For any s, ρ there exists t such that (s,t, h) ∈ JT Kρ for all h.

Sketch proof. Let s, ρ be arbitrary; T has the form ∀x1 . . . xn {T1 ∧···∧Tk ∧ P} F vs {Q}. Let
us write P and Q as in Definition 5. We build a program C1; . . . ;Cn where each Ci deals with the
subformula ui 7→ Xi in an appropriate way, to build a heap satisfying Q. If Q contains nothing
of the form ui 7→ X′ then Ci is the statement dispose ui which deallocates the cell at address ui.
Otherwise, some ui 7→ X′ is present in Q and Ci writes the appropriate values into the fields of
the cell at ui, e.g. if Q contains ui 7→{| f1 : y, f2 : z|} then Ci will be ui. f1 := y; ui. f2 := z. Putting
t(F) := (vs, JC1; . . . ;CnK) we get (s,t, h)∈J∀x1 . . . xn{P}F vs{Q}Kρ for all h, which suffices.

We will depend crucially on this theorem later, because to show non-entailments TA 6� TB
we generally begin with a model of TA and modify it in some way, so that it remains a model
of TA but is not a model of TB. Note that the restrictions in Definition 5 are carefully chosen
to make this theorem work: for instance, the triple {a 7→ {| f : |}} F vs {b 7→ {| f : |}}, in
which the pair of SSHs is not suitable, is not satisfiable with respect to every s, but only when
s(a) = s(b). Intuitively this is because if the program for F (which cannot change b) wishes
to allocate new heap cells, it must use whatever locations the allocator chooses, and cannot
demand to be allocated a particular address b. The suitability condition allows assertion variables
I ∈ AVar to be used only as invariants, which means that the program constructed in the proof of
Theorem 1 can simply leave alone the parts of the heap corresponding to assertion variables.

4 Three decidable entailment problems involving nested triples

In this, the main section of the paper, we give decision procedures for three classes of entailment
problem involving triples, and prove their correctness. The classes are of increasing difficulty
and each algorithm builds on the previous one.

4.1 Deciding entailments between quantifier-free level 0 SSH-triples

Fig. 4 gives a simple procedure DECIDE-ENT-QF-0 which, using the syntactic operators “en-
sures” and −SSH, decides entailment problems {PA} F vs {QA}�{PB} F vs {QB} between two
quantifier-free level 0 SSH-triples. The following lemma establishes the procedure’s correctness
in the case that it returns true. The proof is easy, using the Frame and Consequence properties.

Lemma 2 Let TA = {PA} F vs {QA} and TB = {PB} F vs {QB} be level 0 SSH-triples such that
PB −SSH PA = R and QA ? R ensures QB. Then TA � TB.

Proc. AVOCS 2009 10 / 17



ECEASST

procedure DECIDE-ENT-QF-0( {PA} F vs {QA}, {PB} F vs {QB} )
if PB −SSH PA = Some R then return (R ? QA ensures QB)
else return false

procedure DECIDE-ENT-0( ∀x1 . . . xn{PA} F ts {QA}, TB )
let {PB} F vs {QB} = FRESHEN(TB) in

if INSTANTIATE(∀x1 . . . xn{PA} F ts {QA}, vs) has the form Some {P} F vs {Q} then
return DECIDE-ENT-QF-0({P} F vs {Q}, {PB} F vs {QB})

else return false

procedure DECIDE-ENT-1( T1, . . . , Tk, T )
let {P2} F vs {Q2} = FRESHEN(T ) in

if exists i such that Ti is about F then
if INSTANTIATE(Ti, vs) has the form Some {T ′1 ∧···∧T

′
r ∧P1} F vs {Q1} then

if forall j DECIDE-ENT-1(T1, . . . , Tk, T ′j ) then
return DECIDE-ENT-QF-0({P1} F vs {Q1}, {P2} F vs {Q2})

else return false else return false else return false

Figure 4: Procedures for deciding three increasingly complex entailment problems involving
SSH-triples. For explanation of FRESHEN and INSTANTIATE see main text (pages 12 and 13).

Proof. Using the Frame property to add R, TA entails {PA ? R} F vs {QA ? R}. This entails TB by
the Consequence axiom, provided we have PB � PA ? R and QA ? R � QB. These two entailments
follow from the hypotheses by Lemma 1, using parts 2. and 1. respectively.

However, to justify our claim that DECIDE-ENT-QF-0 is a decision procedure, we must also
show that when false is returned, the entailment genuinely does not hold; to do this, we construct
a command for F that satisfies TA but not TB. It is in constructing such counterexample programs
that the main work of the present paper lies. The following lemmas prove the required non-
entailments and also show the existence of convenient counterexamples; these will be needed
later when we use DECIDE-ENT-QF-0 as a subroutine when solving entailments with quantifiers.

Lemma 3 Let TA = {PA} F vs {QA} and TB = {PB} F vs {QB} be level 0 SSH-triples such that
PB −SSH PA does not exist. Then TA 6� TB with convenient counterexamples.

Sketch proof. PB −SSH PA does not exist, so there is some v 7→{| f 1 : v1, . . . , f m : vm|} in PA that is
not ensured by any spatial conjunct of PB. By Theorem 1 there exists (s,t, h) such that s : Var

∼=→
Z>0 and (s,t, h) ∈ JTAK (and thus JF vsKE(s,t) = ([], c) for some c ∈ Cmd). We build a program
C which tests for the presence of the missing heap cell at v. Specifically, we define C to be
{var x; C1; . . . ;Cm} where each statement C j is constructed as follows.

C j :=

{
x := n. f j if v j is
x := n. f j; if x = n j then skip else dispose 0 otherwise

Here n is a literal integer constant with the value s(v), which we can use because we work w.r.t. a

11 / 17 Volume 23 (2009)



A decidable class of verification conditions for programs with higher order store

fixed s. Similarly each n j is the literal integer constant s(v j). Now we “prepend” our program C
to c: put t̂ := t[F := ([], c◦JCK)]. It suffices to show (s, t̂, h) ∈ JTAK and (s, t̂, h) /∈ JTBK. (s, t̂, h) ∈
JTAK follows from (s,t, h)∈JTAK because the precondition PA makes sure that everything “tested”
by C is in place; the call to F will behave as c. But (s, t̂, h) ∈ JTBK fails because we can choose a
heap h′ which satisfies PB but does not have the “tested” cell in place; C will fault on heap h′.

Lemma 4 Let TA = {PA} F vs {QA} and TB = {PB} F vs {QB} be level 0 SSH-triples such that
PB −SSH PA = R and R ? QA does not ensure QB. Then TA 6� TB with convenient counterexamples.

Sketch proof. R ? QA not ensuring QB can happen in several ways; we sketch the case where a
whole heap cell from QB is missing from R ? QA, i.e. QB contains some v 7→X but R ? QA contains
no v 7→ X′. (Other cases include e.g. when only a field, rather than a whole cell, is missing.)

By Theorem 1 there exists (s,t, h) such that s : Var
∼=→ Z>0 and (s,t, h) ∈ JTAK (and thus

JF vsKE(s,t) = ([], c) for some c ∈ Cmd). It suffices to show (s,t, h) /∈ JTBK. Since s : Var
∼=→ Z>0

there exists a heap h′ such that (s,t, h′) ∈ JPBK. From P2 −SSH P1 = R and Lemma 1 we have
P2 � P1 ? R, so there exist disjoint h1, h2 such that (s,t, h1) ∈ JPAK, (s,t, h2) ∈ JRK and h1 ? h2 = h′.
Now, c(s0,t 0, h′) = c(s0,t 0, h1 ? h2) = (sL,tL, h′′? h2) where (s,t, h′′)∈JQAK. Thus (s,t, h′′? h2)∈
JQA ? RK; since QA ? R contains no v 7→ X′ it follows that s(v) /∈ dom(h′′ ? h2). Suppose for a
contradiction that (s,t, h) ∈ JTBK. Then, since (s,t, h′) ∈ JPBK, we can use the triple TB to see
that c(s0,t 0, h′) = (sL,tL, g) where (s,t, g) ∈ JQBK. Thus s(v) ∈ dom(g). But g = h′′ ? h2, so
s(v) ∈ dom(h′′ ? h2) and we have a contradiction.

Corollary 1 Correctness of the procedure DECIDE-ENT-QF-0 (Fig. 4). The procedure DECIDE-
ENT-QF-0 decides TA � TB for quantifier-free level 0 SSH-triples TA, TB. Furthermore, when
TA 6� TB there are convenient counterexamples.

4.2 Deciding entailments between level 0 SSH-triples

We now extend our methods to decide entailments between pairs of level 0 SSH-triples. Univer-
sal quantifiers appearing on the right of � are unproblematic: one can use the standard technique
of replacing the quantified variables with fresh free variables. We will assume that this is done
by a procedure FRESHEN. This leaves an entailment problem TA � TB of the form

∀x1, . . . , xn{PA} F ts {QA} � {PB} F vs {QB} (2)

between level 0 SSH-triples. The universal quantifiers appearing on the left of � are more dif-
ficult. The standard way to use a universally quantified formula ∀xΦ in a proof is to instantiate
it i.e. choose an expression E and then make use of Φ[x\E]. In general, proving an entailment
∀xΦ � Ψ might need us to instantiate x with several different expressions, and even where one
instantiation suffices, finding the right E can be difficult.

However, recall that our use of quantifiers is quite restricted: as per Definition 6, each quanti-
fied variable x must appear as a parameter in the procedure call F ts. Thus the natural approach
is to choose instantiations, if any exist, which “unify” F ts with F vs. In our restricted setting,
this method turns out to suffice, as the following results show.

Proc. AVOCS 2009 12 / 17



ECEASST

Lemma 5 If there do not exist v1, . . . , vn ∈ Var such that ts[x1, . . . , xn\v1, . . . , vn] = vs, or if such
exist but TA(v1, . . . , vn) is not an SSH-triple, then (2) fails with convenient counterexamples.

Sketch proof. We sketch very briefly the case where no such v1, . . . , vn exist. Theorem 1 provides
an interpretation c for F which fulfils the antecedent of (2). Using this, we construct an interpre-
tation c′ which faults if the values of its parameters match vs, and otherwise behaves as c. Using
c′ in place of c clearly falsifies the consequent of (2), but crucially it also preserves the truth of
the antecedent; the non-existence of v1, . . . , vn is exactly what is required to show this.

Theorem 2 Let v1, . . . , vn ∈ Var be such that ts[x1, . . . , xn\v1, . . . , vn] = vs and TA(v1, . . . , vn) is
an SSH-triple. If TA(v1, . . . , vn) � TB fails with convenient counterexamples then so does TA � TB.

Sketch proof. We assume TA(v1, . . . , vn) 6�TB with convenient counterexamples and prove TA 6�TB
with convenient counterexamples, by constructing a program for F that satisfies TA but not TB.

Because TA(v1, . . . , vn) 6� TB with convenient counterexamples, there exists (s,t, h) such that
s : Var

∼=→ Z>0 and (s,t, h) ∈ JTA(v1, . . . , vn)K (and thus t(F) = ([p1, . . . , pm], c) for some c ∈
Cmd) but (s,t, h) /∈ JTBK. By Theorem 1 there also exists t′ such that (s,t′, h) ∈ JTAK where
t′(F) = ([p1, . . . , pm], c′) for some command c′ ∈ Cmd. Thus, we have two models: one for TA,
and another for TA(v1, . . . , vn)∧¬TB. Our idea is to merge these into a model for TA ∧¬TB. Here
it is crucial that Theorem 1 works for any integer stack: if the two models had different integer
stack components, the merging would not be possible. We define t̂ := t[F := ([], d)] where the
command d examines its parameters and decides whether to behave as c or as c′.

d(S, T, H) :=

{
c(S, T, H) if S(p1), . . . , S(pm) = s(v1), . . . , s(vm)
c′(S, T, H) otherwise

It suffices to show (s, t̂, h) ∈ JTAK but (s, t̂, h) /∈ JTBK. Firstly we explain why (s, t̂, h) ∈ JTAK.
If the parameters do not match s(v1), . . . , s(vm) then d behaves like c′ and the result follows
from (s,t′, h) ∈ JTAK; if the parameters do match, one combines p1 = s(v1), . . . , pm = s(vm) and
(s,t, h) ∈ JTA(v1, . . . , vm)K to obtain the required result. Secondly, (s, t̂, h) /∈ JTBK follows from
(s,t, h) /∈ JTBK because if the parameters match s(v1), . . . , s(vm) then d behaves like c.

The other direction, if TA(v1, . . . , vn) � TB then TA � TB, is obvious. Informally the preceding
theorem shows that when an instantiation is discovered, it is the correct instantiation. Identi-
fying the appropriate v1, . . . , vn is a straightforward unification problem, so let us assume that a
procedure INSTANTIATE does this, returning either Some T where T is the triple TA with the ap-
propriate instantiation already performed, or None. Armed with INSTANTIATE we can now give,
in Fig. 4, an algorithm DECIDE-ENT-0 which decides entailments between level 0 SSH-triples.

Corollary 2 Correctness of the procedure DECIDE-ENT-0 (Fig. 4). The procedure DECIDE-
ENT-0 decides TA � TB for level 0 SSH-triples TA, TB. Furthermore, when TA 6� TB there are
convenient counterexamples.

We emphasise that in general, computing instantiations in this way is insufficient. Given triples
T1 =∀x{true} F x {a 6= 1 ∨ x = 2} and T2 ={true} F b {a 6= 1 ∨ b 6= 2} we have T1 � T2, but the

13 / 17 Volume 23 (2009)



A decidable class of verification conditions for programs with higher order store

obvious instantiation T1(b) does not entail T2. Non-intuitively one does have T1(a)∧T1(b) � T2,
however. The existence of such cases is what makes Theorem 2 non-obvious and non-trivial.

On the other hand, the method used to prove Theorem 2 does extend to some more general
cases. Consider for instance entailment problems of the form ∀xy{x 7→{| f : y|}? PA} F x {QA}�
{a 7→{| f : b|}? PB} F a {QB}. Here y (resp. b) does not appear as a parameter, but the procedure
F can safely access y (resp. b) nevertheless, by looking into the heap at x (resp. a). Thus, we
can construct a body for F that tests y against a constant value, and the technique used to prove
Theorem 2 still works. Hence we can conclude that the only useful instantiation for y is b.

4.3 Deciding level 1 entailment problems

Finally we are in a position to address level 1 entailment problems, that is, entailments which
have the form T1 ∧···∧Tk � T where T1, . . . , Tk are level 1 SSH-triples about distinct procedures
and T is a level 0 SSH-triple. Suppose we wish to prove something of the following form:

∀x{R} G x {S} ∧
{
∀x{R′} G x {S′} ∧ P

}
F y {Q} � {P′} F y {Q′}

Here we need to prove that F y has some desired behaviour (unconditionally), but the spec-
ification we have available for F y (on the left of �) only applies provided G satisfies a par-
ticular specification ∀x{R′} G x {S′}. Our idea is to split our argument into subproofs: 1.
∀x{R} G x {S}�∀x{R′} G x {S′} and 2. {P} F y {Q}�{P′} F y {Q′}. If these two subproofs
can be done, then we can use the Crossing Out property to combine them into the required proof.

The algorithm DECIDE-ENT-1, given in Fig. 4, makes precise this idea. In general, part 1.
of the proof attempt can require further splitting, which leads to a recursive algorithm. The
following theorem shows that this approach is both sound when it succeeds, and complete, so
that when the approach fails, a counterexample to the entailment exists.

Theorem 3 Let ∀x1 . . . xn {T ′1 ∧···∧T
′

r ∧PA} F ts {QA} be a level 1 SSH-triple, let T1, . . . , Tk be
a list of level 1 SSH-triples for distinct procedures not including F and let {PB} F vs {QB} be a
level 0 SSH-triple. Consider the following entailment problems.

(A) T1∧···∧Tk � T ′1 ∧···∧T
′

r (B) ∀x1 . . . xn{PA} F ts {QA} � {PB} F vs {QB}

(C) T1 ∧···∧Tk ∧ ∀x1 . . . xn{T ′1 ∧···∧T
′

r ∧PA} F ts {QA} � {PB} F vs {QB}

Then: 1. If (A) fails with convenient counterexamples, then so does (C). 2. If (A) holds and (B)
fails with convenient counterexamples, then (C) fails with convenient counterexamples. 3. If (A)
and (B) hold then (C) holds.

Sketch proof. For 1.: There exists a witness (s,t, h), where s : Var
∼=→ Z>0, for the non-entailment

T1 ∧···∧Tk 6� T ′1 ∧···∧T
′

r . We make use of (s,t, h) to construct a countermodel in which the
antecedent of (C) is true but the consequent is false: specifically, our countermodel is (s, t̂, h)
where t̂ = t[F := (ts, Jdispose 0K)].

To see that the consequent triple is false in (s, t̂, h) observe that there exists a heap h′ such
that (s,t, h′) ∈ JPBK (this follows from s : Var

∼=→ Z>0), but running F always causes a fault. Now
we show that the antecedent is true in (s, t̂, h). The triples T1 ∧···∧Tk are not “about” F , so

Proc. AVOCS 2009 14 / 17



ECEASST

their truth is not broken by the “update” we have made at F . It remains to show that (s, t̂, h) ∈
J∀x1 . . . xn{T ′1 ∧···∧T

′
r ∧PA} F ts {QA}K; this follows from three facts: (s,t, h) /∈ JT ′1 ∧···∧T

′
r K,

T ′1 , . . . , T
′

r are not about F , and x1, . . . , xn do not appear free in T
′

1 , . . . , T
′

r .
For 2.: There exists a witness (s,t, h) for ∀x1 . . . xn{PA} F ts {QA} 6� {PB} F vs {QB} where

s : Var
∼=→ Z>0. Again we use (s,t, h) to construct a countermodel for the entailment (C). By iter-

ated application of the construction in the proof of Theorem 1 there exists t′, agreeing with t on F ,
such that (s,t′, h)∈JT1∧···∧TkK. Thus we have (s,t′, h)∈JT1∧···∧Tk ∧∀x1 . . . xn{PA}F vs{QA}K.
But we also have (s,t′, h) /∈ J{PB} F vs {QB}K and this suffices.

For 3.: We use the Crossing Out property to derive

T1 ∧···∧Tk ∧ ∀x1 . . . xn {T ′1 ∧···∧T
′

r ∧PA} F ts {QA}
� T ′1 ∧···∧T

′
r ∧ ∀x1 . . . xn {T

′
1 ∧···∧T

′
r ∧PA} F ts {QA}

� ∀x1 . . . xn {PA} F ts {QA} � {PB} F vs {QB}

Corollary 3 Correctness of the procedure DECIDE-ENT-1 (Fig. 4). The procedure DECIDE-
ENT-1 decides entailments T1∧···∧Tk � T where T1, . . . , Tk are level 1 SSH-triples about distinct
procedures and T is a level 0 SSH-triple.

Sketch proof. The first thing we must show is that T1∧···∧Tk �T iff T1∧···∧Tk � FRESHEN(T );
this is a standard result. Then we need to prove that the entailment fails (with convenient coun-
terexamples) if none of the triples T1, . . . , Tk is about F ; this is straightforward.

Next, we consider the call to INSTANTIATE. If this returns None, we can show that the entail-
ment fails: Lemma 5 supplies the main part of the argument. On the other hand if an instantiation
is returned we use Theorem 2 to show that it is the correct instantiation.

To finish, we use Theorem 3. If one of the calls to DECIDE-ENT-1 returns false, then part 1
of Theorem 3 applies; if all those calls return true, then parts 2 and 3 of Theorem 3 reduce the
problem to a level 0 entailment problem, which Corollary 2 tells us is correctly solved.

5 Conclusions

Revisiting our example. To demonstrate the working of our decision procedure, we revisit the
verification condition (1) (on page 5) which arose from the example program in our introduction.
Running on (1), DECIDE-ENT-1 first invokes FRESHEN which rewrites the desired conclusion to
{D ? ctr 7→ {|cnt : |}} SendToAll z {D ? ctr 7→ {|cnt : |}}. Then the third triple on the left of �
is chosen and INSTANTIATE determines that a should be instantiated with z. Now two recursive
calls are made to DECIDE-ENT-1, to check the two entailments

∀x {D ? ctr 7→{|cnt : |}} OldSend x {D ? ctr 7→{|cnt : |}}
� ∀x {D ? ctr 7→{|cnt : |}} OldSend x {D ? ctr 7→{|cnt : |}}

∀x {D} NewUserProc x {D}
� ∀x {D ? ctr 7→{|cnt : |}} NewUserProc z {D ? ctr 7→{|cnt : |}}

15 / 17 Volume 23 (2009)



A decidable class of verification conditions for programs with higher order store

We trace into the second of these which, after dealing with the quantifiers, makes a call

DECIDE-ENT-QF-0
(
{D} NewUserProc z {D},
{D ? ctr 7→{|cnt : |}} NewUserProc z {D ? ctr 7→{|cnt : |}}

)
Inside this call, R = D ? ctr 7→{|cnt : |} −SSH D is computed and found to be ctr 7→{|cnt : |}.
Then the algorithm checks that R ? D ensures D ? ctr 7→{|cnt : |} which is the case. Returning to
the outer call to DECIDE-ENT-1, the final check is

DECIDE-ENT-QF-0
(
{D ? ctr 7→{|cnt : |}} SendToAll z {D ? ctr 7→{|cnt : |}},
{D ? ctr 7→{|cnt : |}} SendToAll z {D ? ctr 7→{|cnt : |}}

)
Future work. A natural next step for this line of work is to investigate which of the restrictions
we have made are necessary to obtain decidability. For instance, it appears that our method
will generalise to arbitrary nesting depth if we can handle conjunctions T1 ∧···∧Tk containing
multiple triples about the same procedure. Of particular interest is to see whether one can allow,
without breaking decidability, a limited use of a universal quantifier ∀ over assertion variables,
which allows much more generic specifications. The specification we gave for APPLY2 in Fig. 2
is generic with respect to the parameters F , G and a, but not with respect to the invariant that F
and G must preserve, which is fixed as D ? ctr 7→{|cnt : |}. The assertion variable D represents
an arbitrary invariant, but it is the same arbitrary invariant as mentioned in the specification of
MAIN. This suffices for our example, but a better specification would be:

∀I∀F∀G∀a
{

I ∧ ∀x{I} F x {I} ∧ ∀x{I} G x {I}
}

APPLY2 F G a {I}

One sees here that ∀ supports reasoning akin to that provided by the hypothetical frame rule
described in [OYR04], but also goes beyond it: an even more general specification is

∀I∀J∀K∀F∀G∀a
{

I ∧ ∀x{I} F x {J} ∧ ∀x{J} G x {K}
}

APPLY2 F G a {K}

Universally quantified assertion variables can be instantiated with arbitrary formulae — we have
∀IΦ � Φ[I\Ψ] — but the issue is how one computes the “right” Ψ. Finally, we plan to extend
our work to treat programs where procedures are stored on the heap as well as on the stack.

Acknowledgements: This work was supported by EPSRC grant EP/G003173/1. We thank the
anonymous referees for their suggestions for improving the presentation.

Bibliography

[BCO05a] J. Berdine, C. Calcagno, P. W. O’Hearn. Smallfoot: Modular Automatic Assertion
Checking with Separation Logic. In FMCO. Pp. 115–137. 2005.

[BCO05b] J. Berdine, C. Calcagno, P. W. O’Hearn. Symbolic Execution with Separation Logic.
In APLAS. Pp. 52–68. 2005.

Proc. AVOCS 2009 16 / 17



ECEASST

[BIP08] M. Bozga, R. Iosif, S. Perarnau. Quantitative Separation Logic and Programs with
Lists. In IJCAR. Pp. 34–49. 2008.

[BRSY08] L. Birkedal, B. Reus, J. Schwinghammer, H. Yang. A Simple Model of Separation
Logic for Higher-Order Store. In ICALP (2). Pp. 348–360. 2008.

[BTY06] L. Birkedal, N. Torp-Smith, H. Yang. Semantics of Separation-Logic Typing and
Higher-order Frame Rules for Algol-like Languages. LMCS 2(5), 2006.

[BY07] L. Birkedal, H. Yang. Relational Parametricity and Separation Logic. In FoSSaCS.
Pp. 93–107. 2007.

[FLL+02] C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, R. Stata. Ex-
tended Static Checking for Java. In PLDI. Pp. 234–245. 2002.

[HYB05] K. Honda, N. Yoshida, M. Berger. An Observationally Complete Program Logic for
Imperative Higher-Order Functions. In LICS. Pp. 270–279. 2005.

[KAB+09] N. R. Krishnaswami, J. Aldrich, L. Birkedal, K. Svendsen, A. Buisse. Design pat-
terns in separation logic. In TLDI. Pp. 105–116. 2009.

[MN05] F. Mehta, T. Nipkow. Proving pointer programs in higher-order logic. Inf. Comput.
199(1-2):200–227, 2005.

[NDQC07] H. H. Nguyen, C. David, S. Qin, W.-N. Chin. Automated Verification of Shape and
Size Properties Via Separation Logic. In VMCAI. Pp. 251–266. 2007.

[NMB08] A. Nanevski, J. G. Morrisett, L. Birkedal. Hoare type theory, polymorphism and
separation. J. Funct. Program. 18(5-6):865–911, 2008.

[OYR04] P. W. O’Hearn, H. Yang, J. C. Reynolds. Separation and information hiding. In
POPL. Pp. 268–280. 2004.

[Rey02] J. C. Reynolds. Separation Logic: A Logic for Shared Mutable Data Structures. In
LICS. Pp. 55–74. 2002.

[RS06] B. Reus, J. Schwinghammer. Separation Logic for Higher-Order Store. In CSL.
Pp. 575–590. 2006.

[SBRY09] J. Schwinghammer, L. Birkedal, B. Reus, H. Yang. Nested Hoare Triples and Frame
Rules for Higher-Order Store. In CSL. Pp. 440–454. 2009.

[ZKR08] K. Zee, V. Kuncak, M. C. Rinard. Full functional verification of linked data struc-
tures. In PLDI. Pp. 349–361. 2008.

17 / 17 Volume 23 (2009)


	Introduction
	Related work

	An example verification problem with higher order store
	Formal foundations
	Overview of our programming language with higher order store
	A simple logic with nested triples and separating conjunction
	Simple symbolic heaps (SSHs)
	SSH-triples and their properties

	Three decidable entailment problems involving nested triples
	Deciding entailments between quantifier-free level 0 SSH-triples
	Deciding entailments between level 0 SSH-triples
	Deciding level 1 entailment problems

	Conclusions