On the Complexity of Modal Separation Logics S. Demri (CNRS, LSV) - PowerPoint PPT Presentation

On the Complexity of Modal Separation Logics S. Demri (CNRS, LSV) & R. Fervari (FAMAF, CONICET) AiML, August 2018, Bern

Overview Separation logics in a nutshell Introduction to modal separation logics Optimal decision procedures Complexity lower bounds Results for variants

Updating models • Fascinating realm of (modal) logics updating models: – logics of public announcement [Lutz, AAMAS’06] – sabotage modal logics [van Benthem, 2002] – relation-changing modal logics [Fervari, PhD 2014] – separation logics [Reynolds, LICS’02] – modal separation logic DMBI [Courtault & Galmiche, JLC 2018] – etc. • This work: combining separation logics with modal logics, leading to new relation-changing modal logics.

Separation logic in a nutshell • Separation logic: extension of Hoare-Floyd logic for (concurrent) programs with mutable data structures. • Frame rule: { φ } C { ψ } { φ ∗ ψ ′ } C { ψ ∗ ψ ′ } where C does not mess with ψ ′ . • Entailment is a key decision problem. ϕ ⇒ ϕ ′ { ϕ ′ } C { ψ } ψ ⇒ ψ ′ strengthen / weaken { ϕ } C { ψ ′ }

Memory states with one record field • Program variables PVAR = { x 1 , x 2 , x 3 , . . . } . • Loc : countably infinite set of locations Val : countably infinite set of values with Loc ⊆ Val . • Memory state ( s , h ) : – Store s : PVAR → Val . – Heap h : Loc ⇀ fin Val (finite domain). (richer models, e.g. with h : Loc ⇀ fin Val k ) – In this talk, we assume Loc = Val = N . s ( x ) = l 1 s ( y ) = l 3 y x dom ( h ) = { l 1 , l 2 , l 3 } h ( l 1 ) = l 2 h ( l 2 ) = l 3 h ( l 3 ) = l 4

Graphical representation y x h 4111 411 411 41 4 2 3 31 311 42 1 421 422 11 12 121 122

Disjoint heaps • Disjoint heaps: dom ( h 1 ) ∩ dom ( h 2 ) = ∅ (noted h 1 ⊥ h 2 ). • When h 1 ⊥ h 2 , disjoint heap h 1 ⊎ h 2 . x 4 x 4 x 4 x 3 x 2 x 3 x 2 x 3 x 2 x 1 x 1 x 1 = ⊎

Motivations for modal separation logics • Modal separation logics: Kripke-style semantics with modal and separating connectives. • To design modal logics with separating connectives as an alternative to first-order separation logics. • To propose a uniform framework so that the logics can be understood either as modal logics or as separation logics. • To study the computational properties of the decision problems for such logics. • As a by-product, we introduce another notion of – hybrid separation logics [Brotherstone & Villard, POPL’14] – relation-changing modal logics [Fervari, PhD 2014]

Modal separation logic MSL • Formulae: φ ::= p | emp | ¬ φ | φ ∨ φ | ♦ φ | �� = � φ | φ ∗ φ | φ − ∗ φ • Models M = � N , R , V � : – R ⊆ N × N is finite and functional, – V : PROP → P ( N ) . • Disjoint unions M 1 ⊎ M 2 . • Alternative models: – Finite model: N replaced by an arbitrary finite set W . – General model: N replaced by an arbitrary countable set W and R ⊆ W × W is arbitrary.

Semantics def M , l | = p ⇔ l ∈ V ( p ) M , l ′ | = φ, for some l ′ ∈ N such that ( l , l ′ ) ∈ R def M , l | = ♦ φ ⇔ M , l ′ | = φ, for some l ′ ∈ N such that l ′ � = l def M , l | = �� = � φ ⇔ def M , l | ⇔ R = ∅ = emp def M , l | = φ 1 ∗ φ 2 ⇔ � N , R 1 , V � , l | = φ 1 and � N , R 2 , V � , l | = φ 2 , for some partition { R 1 , R 2 } of R for all M ′ = � N , R ′ , V � such that R ∪ R ′ is finite def M , l | = φ 1 − ∗ φ 2 ⇔ and functional, and R ∩ R ′ = ∅ , M ′ , l | = φ 1 implies � N , R ∪ R ′ , V � , l | = φ 2 .

Decision problems • Satisfiability problem for a logic L ⊆ MSL : input: a formula φ in L . output: 1 iff φ is satisfiable. • Model-checking problem for a logic L ⊆ MSL : input: a formula φ in L , a finite pointed model M , l . output: 1 iff M , l | = φ .

Relationships with propositional separation logic SL ( ∗ , − ∗ ) • Formulae: φ ::= x = y | x ֒ → y | emp | ¬ φ | φ ∧ φ | φ ∗ φ | φ − ∗ φ • Satisfaction relation: def ( s , h ) | ⇔ = x = y s ( x ) = s ( y ) def ( s , h ) | = emp ⇔ dom ( h ) = ∅ def ( s , h ) | = x ֒ → y ⇔ s ( x ) ∈ dom ( h ) and h ( s ( x )) = s ( y ) def ( s , h ) | = φ 1 ∗ φ 2 ⇔ there are h 1 and h 2 s.t. h 1 ⊎ h 2 = h , ( s , h 1 ) | = φ 1 and ( s , h 2 ) | = φ 2 def ( s , h ) | = φ 1 − ∗ φ 2 ⇔ for all h 1 , if (dom ( h 1 ) ∩ dom ( h ) = ∅ and ( s , h 1 ) | = φ 1 ), then ( s , h ⊎ h 1 ) | = φ 2 . • Encoding SL ( ∗ , − ∗ ) into MSL : x = y ≈ � U � ( x ∧ y ) → y ≈ � U � ( x ∧ ♦ y ) x ֒ (assuming that x and y are nominals in MSL )

Overview about satisfiability problems MSL = MSL ( ∗ , − ∗ , ♦ , �� = � ) , undec. SL ( ∗ , − ∗ , ls ) , undec. MSL ( ∗ , ♦ , ♦ − 1 , �� = � ) , in Tower MSL ( ∗ , ♦ , ♦ − 1 ) , ? MSL ( ∗ , ♦ , �� = � ) , Tower-C. MSL ( ∗ , ♦ ) , NP-C. MSL ( ∗ , �� = � ) , NP-C. SL ( ∗ , − ∗ ) , PSpace-C. • PSpace-C. of SL ( ∗ , − ∗ ) [Calcagno & Yang & O’Hearn, FSTTCS’01] • Undec. of SL ( ∗ , − ∗ , ls ) [Demri & Lozes & Mansutti, FOSSACS’18] • Complexity class Tower [Schmitz, ToCT 2016]

Tower upper bound for MSL ( ∗ , ♦ , �� = � ) def = φ ∧ T ( φ ) � � � � � � U � ( � ⊥ ∧ p ∧ ¬ p ∧ �� = � ( � ⊥ ∧ p ∧ ¬ p )) . X ⊆{ p 1 ,..., p n } p ∈ X p �∈ X p ∈ X p �∈ X � �� � ” 2 unallocated locations satisfy the same variables from { p 1 ,..., p n } ” ( φ built over { p 1 , . . . , p n } ) • φ is satisfiable in MSL ( ∗ , ♦ , �� = � ) iff T ( φ ) is satisfiable in MSL fin ( ∗ , ♦ , �� = � ) (finite models). • The satisfiability problem for MSL fin ( ∗ , ♦ , �� = � ) is in Tower. – Reduction from satisfiability for MSL fin ( ∗ , ♦ , �� = � ) into satisfiability for the weak MSO theory of � D , f , = � . – Internalisation of the semantics for MSL fin ( ∗ , ♦ , �� = � ) . – Theory decidable in Tower (from Rabin’s Theorem). [Borger & Grädel & Gurevich, Book 97]

Towards NP for MSL ( ∗ , ♦ ) ( = MSL ( ∗ , ♦ , �� = � ) minus �� = � ) • Given φ ∈ MSL ( ∗ , ♦ ) , φ is satisfiable iff φ is satisfiable in a finite and functional model with card ( R ) ≤ | φ | . • It remains to show that the model-checking problem for MSL fin ( ∗ , ♦ ) is in P. • The model-checking problem for propositional SL( ∗ ) (with x = y , x ֒ → y and emp ) is already PSpace-complete.

Abstract frames up to a precision s • Building abstract frames from concrete models: M , l ∈ W , s ≥ 0, �→ abst ( M , l , s ) = (( l 0 , . . . , l t ) , r ) . • Abstract frame up to s : F = (( l 0 , . . . , l t ) , r ) (truncation) t ∗ + r ≤ s and t ≤ s with t ∗ = card ( { ( l i , l i + 1 ) | i ∈ [ 0 , t − 1 ] } ) . (maximality) t < s implies there is no i < t such that l i = l t . (functionality) for all i < j < t , we have l i = l j implies t = s and l i + 1 = l j + 1 . • Abstract disjoint union F = F 1 ⊎ F 2 also defined.

Abstract disjoint union abstracts properly disjoint union • s = s 1 + s 2 with s , s 1 , s 2 ≥ 1, M = M 1 ⊎ M 2 . For all l ∈ W , we have abst ( M , l , s ) = abst ( M 1 , l , s 1 ) ⊎ abst ( M 2 , l , s 2 ) . • s = s 1 + s 2 with s , s 1 , s 2 ≥ 1, abst ( M , l , s ) = F 1 ⊎ F 2 . There are M 1 and M 2 s.t. M = M 1 ⊎ M 2 , F i = abst ( M i , l , s i ) .

Model-checking problem in P • Let s = s 1 + s 2 with s , s 1 , s 2 ≥ 1, F = (( l 0 , . . . , l t ) , r ) be an abstract frame up to s . card ( { ( F 1 , F 2 ) | F = F 1 ⊎F 2 , F i up to s i } ) ≤ 2 ( s + 1 )( s 1 + 1 )( s 2 + 1 ) • Design of a model-checking algorithm using abstract frames and abstract disjoint unions. (See the algorithm in the paper) • Upper bound in P thanks to dynamic programming and polynomial amount of disjoint unions. • Similar approach to show that – the model-checking problem for MSL ( ∗ , �� = � ) is in P, – the satisfiability problem for MSL ( ∗ , �� = � ) in NP.

Towards lower bounds: encoding linear structures • Linear model: . . . l 0 l 1 l n • Leaves: ⋆ ⋆ ⋆ l 2 l 4 • Pre-roots: ⋆ l 1 ⋆ l 0 l 4

Loops • Loop: l 1 l 0 l 2 • M is linear iff M is loop-free and has a unique leaf. def def • Loop = ⊤ ∗ (([ U ] �♦ ⊤ ) ∧ ¬ emp ) ( [ U ] φ = φ ∧ �� = � φ ) • M | = Loop iff M has at least one loop.

Auxiliary formulae def def � ! � φ = � U � ( φ ∧ [ � =] ¬ φ ) = ¬ emp ∧ ¬ ( ¬ emp ∗ ¬ emp )) size = 1 def PRoot = ♦� ⊥ def UniqTreePRoot = ¬ Loop ∧ (( ¬ ( ¬ emp ∗ ¬ emp )) ∨ � ! � PRoot ) def Leaf = ( ♦ ⊤∧ size = 1 ) ∨ ( ♦ ⊤∧¬ PRoot ∧ (( size = 1 ∧ ♦ ⊤ ) ∗ UniqTreePRoot )) • M , l | = UniqTreePRoot iff M is loop-free and either R is empty or ( M has at most one MCC and a unique pre-root). ⋆ • Assuming that M | = UniqTreePRoot, we have M , l | = Leaf iff l is a leaf.