On the Complexity of Modal Separation Logics S. Demri (CNRS, LSV) - - PowerPoint PPT Presentation



SLIDE 1

On the Complexity of Modal Separation Logics

  • S. Demri (CNRS, LSV) & R. Fervari (FAMAF, CONICET)

AiML, August 2018, Bern

SLIDE 2

Overview

  • Separation logics in a nutshell
  • Introduction to modal separation logics
  • Optimal decision procedures
  • Complexity lower bounds
  • Results for variants

SLIDE 3

Updating models

  • Fascinating realm of (modal) logics updating models:

– logics of public announcement [Lutz, AAMAS’06]
– sabotage modal logics [van Benthem, 2002]
– relation-changing modal logics [Fervari, PhD 2014]
– separation logics [Reynolds, LICS’02]
– modal separation logic DMBI [Courtault & Galmiche, JLC 2018]
– etc.

  • This work: combining separation logics with modal logics, leading to new relation-changing modal logics.

SLIDE 4

Separation logic in a nutshell

  • Separation logic: extension of Hoare-Floyd logic for (concurrent) programs with mutable data structures.

  • Frame rule (ψ′ describes the part of the heap that C leaves untouched):

           {φ} C {ψ}
    ──────────────────────    where C does not modify any variable free in ψ′
     {φ ∗ ψ′} C {ψ ∗ ψ′}

  • Entailment is a key decision problem: it is exactly what the rule of consequence (strengthen the precondition / weaken the postcondition) asks for.

     ϕ ⇒ ϕ′     {ϕ′} C {ψ}     ψ ⇒ ψ′
    ───────────────────────────────────
                {ϕ} C {ψ′}

SLIDE 5

Memory states with one record field

  • Program variables PVAR = {x1, x2, x3, . . .}.
  • Loc: countably infinite set of locations; Val: countably infinite set of values with Loc ⊆ Val.
  • Memory state (s, h):

– Store s : PVAR → Val.
– Heap h : Loc ⇀fin Val (finite domain). (Richer models exist, e.g. with h : Loc ⇀fin Val^k for k record fields.)
– In this talk, we assume Loc = Val = N.

  • Example (figure): s(x) = l1, s(y) = l3, dom(h) = {l1, l2, l3}, h(l1) = l2, h(l2) = l3, h(l3) = l4 (so l4 is a value that is not allocated).

SLIDE 6

Graphical representation

[Figure: graphical representation of a heap h as a forest of locations, with the program variables x and y pointing into it.]

SLIDE 7

Disjoint heaps

  • Disjoint heaps: dom(h1) ∩ dom(h2) = ∅ (noted h1 ⊥ h2).
  • When h1 ⊥ h2, the disjoint union h1 ⊎ h2 is the heap with domain dom(h1) ∪ dom(h2) that agrees with h1 on dom(h1) and with h2 on dom(h2).

[Figure: a heap reachable from x1, x2, x3, x4 split as h = h1 ⊎ h2, both parts drawn with the same variables x1, . . . , x4.]

SLIDE 8

Motivations for modal separation logics

  • Modal separation logics: Kripke-style semantics with modal and separating connectives.

  • To design modal logics with separating connectives as an alternative to first-order separation logics.

  • To propose a uniform framework so that the logics can be understood either as modal logics or as separation logics.

  • To study the computational properties of the decision problems for such logics.

  • As a by-product, we introduce another notion of

– hybrid separation logics [Brotherston & Villard, POPL’14]
– relation-changing modal logics [Fervari, PhD 2014]

SLIDE 9

Modal separation logic MSL

  • Formulae:

φ ::= p | emp | ¬φ | φ ∨ φ | ♦φ | ⟨≠⟩φ | φ ∗ φ | φ −∗ φ

  • Models M = ⟨N, R, V⟩:

– R ⊆ N × N is finite and functional (each location has at most one R-successor).
– V : PROP → P(N).

  • Disjoint unions M1 ⊎ M2 (same N and V, disjoint relations R1 ⊎ R2).
  • Alternative models:

– Finite model: N replaced by an arbitrary finite set W.
– General model: N replaced by an arbitrary countable set W and R ⊆ W × W is arbitrary.

SLIDE 10

Semantics

M, l ⊨ p            iff  l ∈ V(p)
M, l ⊨ ♦φ           iff  M, l′ ⊨ φ for some l′ ∈ N such that (l, l′) ∈ R
M, l ⊨ ⟨≠⟩φ         iff  M, l′ ⊨ φ for some l′ ∈ N such that l′ ≠ l
M, l ⊨ emp          iff  R = ∅
M, l ⊨ φ1 ∗ φ2      iff  ⟨N, R1, V⟩, l ⊨ φ1 and ⟨N, R2, V⟩, l ⊨ φ2 for some partition {R1, R2} of R
                         (R1 ∪ R2 = R, R1 ∩ R2 = ∅; either part may be empty)
M, l ⊨ φ1 −∗ φ2     iff  for all M′ = ⟨N, R′, V⟩ such that R ∪ R′ is finite and functional and R ∩ R′ = ∅,
                         M′, l ⊨ φ1 implies ⟨N, R ∪ R′, V⟩, l ⊨ φ2

SLIDE 11

Decision problems

  • Satisfiability problem for a logic L ⊆ MSL:

input: a formula φ in L.
output: 1 iff φ is satisfiable.

  • Model-checking problem for a logic L ⊆ MSL:

input: a formula φ in L, a finite pointed model M, l.
output: 1 iff M, l ⊨ φ.

SLIDE 12

Relationships with propositional separation logic SL(∗, −∗)

  • Formulae:

φ ::= x = y | x ↪ y | emp | ¬φ | φ ∧ φ | φ ∗ φ | φ −∗ φ

  • Satisfaction relation:

(s, h) ⊨ x = y       iff  s(x) = s(y)
(s, h) ⊨ emp         iff  dom(h) = ∅
(s, h) ⊨ x ↪ y       iff  s(x) ∈ dom(h) and h(s(x)) = s(y)
(s, h) ⊨ φ1 ∗ φ2     iff  there are h1 and h2 s.t. h1 ⊎ h2 = h, (s, h1) ⊨ φ1 and (s, h2) ⊨ φ2
(s, h) ⊨ φ1 −∗ φ2    iff  for all h1, if dom(h1) ∩ dom(h) = ∅ and (s, h1) ⊨ φ1, then (s, h ⊎ h1) ⊨ φ2

  • Encoding SL(∗, −∗) into MSL, assuming that x and y are nominals in MSL (propositional variables true at exactly one location):

x = y ≈ ⟨U⟩(x ∧ y)        x ↪ y ≈ ⟨U⟩(x ∧ ♦y)        (⟨U⟩φ def= φ ∨ ⟨≠⟩φ: φ holds somewhere)

SLIDE 13

Overview about satisfiability problems

MSL = MSL(∗, −∗, ♦, ⟨≠⟩)      undecidable
MSL(∗, ♦, ⟨≠⟩)                Tower-complete
MSL(∗, ♦, ♦⁻¹, ⟨≠⟩)           in Tower
MSL(∗, ♦, ♦⁻¹)                ?
MSL(∗, ♦)                     NP-complete
MSL(∗, ⟨≠⟩)                   NP-complete
SL(∗, −∗)                     PSpace-complete
SL(∗, −∗, ls)                 undecidable

  • PSpace-completeness of SL(∗, −∗) [Calcagno & Yang & O’Hearn, FSTTCS’01]
  • Undecidability of SL(∗, −∗, ls) [Demri & Lozes & Mansutti, FOSSACS’18]
  • Complexity class Tower [Schmitz, ToCT 2016]

SLIDE 14

Tower upper bound for MSL(∗, ♦, =)

T(φ) def= φ ∧ ⋀_{X ⊆ {p1,...,pn}} ⟨U⟩( ¬♦⊤ ∧ ⋀_{p∈X} p ∧ ⋀_{p∉X} ¬p ∧ ⟨≠⟩( ¬♦⊤ ∧ ⋀_{p∈X} p ∧ ⋀_{p∉X} ¬p ) )

  • Each conjunct says: ”2 unallocated locations satisfy the same variables from {p1,...,pn}” (φ built over {p1, . . . , pn}; ¬♦⊤ means ”unallocated”, i.e. no R-successor).

  • φ is satisfiable in MSL(∗, ♦, ⟨≠⟩) iff T(φ) is satisfiable in MSLfin(∗, ♦, ⟨≠⟩) (finite models).

  • The satisfiability problem for MSLfin(∗, ♦, ⟨≠⟩) is in Tower.

– Reduction from satisfiability for MSLfin(∗, ♦, ⟨≠⟩) into satisfiability for the weak MSO theory of ⟨D, f, =⟩ (a domain with one unary function).
– Internalisation of the semantics for MSLfin(∗, ♦, ⟨≠⟩).
– Theory decidable in Tower (from Rabin’s Theorem). [Börger & Grädel & Gurevich, 1997]

SLIDE 15

Towards NP for MSL(∗, ♦) (= MSL(∗, ♦, ⟨≠⟩) minus ⟨≠⟩)

  • Given φ ∈ MSL(∗, ♦), φ is satisfiable iff φ is satisfiable in a finite and functional model with card(R) ≤ |φ|. (So a candidate model of polynomial size can be guessed; NP follows once model checking is in P.)

  • It remains to show that the model-checking problem for MSLfin(∗, ♦) is in P.

  • This is not obvious: the model-checking problem for propositional SL(∗) (with x = y, x ↪ y and emp) is already PSpace-complete.

SLIDE 16

Abstract frames up to a precision s

  • Building abstract frames from concrete models:

M, l ∈ W, s ≥ 0  ↦  abst(M, l, s) = ((l0, . . . , lt), r).

  • Abstract frame up to s: F = ((l0, . . . , lt), r), where l0 = l and the sequence follows R, satisfying

– (truncation) t∗ + r ≤ s and t ≤ s, with t∗ = card({(li, li+1) | i ∈ [0, t − 1]}).
– (maximality) t < s implies there is no i < t such that li = lt.
– (functionality) for all i < j < t, li = lj implies t = s and li+1 = lj+1.

  • Abstract disjoint union F = F1 ⊎ F2 is also defined.
SLIDE 17

Abstract disjoint union abstracts properly disjoint union

  • Let s = s1 + s2 with s, s1, s2 ≥ 1 and M = M1 ⊎ M2. For all l ∈ W, we have abst(M, l, s) = abst(M1, l, s1) ⊎ abst(M2, l, s2).

  • Let s = s1 + s2 with s, s1, s2 ≥ 1 and abst(M, l, s) = F1 ⊎ F2. Then there are M1 and M2 s.t. M = M1 ⊎ M2 and Fi = abst(Mi, l, si).

SLIDE 18

Model-checking problem in P

  • Let s = s1 + s2 with s, s1, s2 ≥ 1 and F = ((l0, . . . , lt), r) be an abstract frame up to s. Then

card({(F1, F2) | F = F1 ⊎ F2, Fi up to si}) ≤ 2(s+1)(s1+1)(s2+1)

  • Design of a model-checking algorithm using abstract frames and abstract disjoint unions. (See the algorithm in the paper.)

  • Upper bound in P thanks to dynamic programming and the polynomial number of abstract disjoint unions to consider.

  • Similar approach to show that

– the model-checking problem for MSL(∗, ⟨≠⟩) is in P,
– the satisfiability problem for MSL(∗, ⟨≠⟩) is in NP.

SLIDE 19

Towards lower bounds: encoding linear structures

  • Linear model: l0 → l1 → · · · → ln (a single R-path).

  • Leaves: allocated locations without any predecessor (marked ⋆ in the figure).

  • Pre-roots: allocated locations whose successor is unallocated (marked ⋆ in the figure).

SLIDE 20

Loops

  • Loop (figure): a cycle through l0, l1, l2.

  • M is linear iff M is loop-free and has a unique leaf.

  • Loop def= ⊤ ∗ ([U](♦⊤ ⇒ ♦♦⊤) ∧ ¬emp), with [U]φ def= φ ∧ [≠]φ (φ holds everywhere): some non-empty sub-relation of R in which every allocated location has an allocated successor.

  • M ⊨ Loop iff M has at least one loop (such a sub-relation is finite and closed under successors, hence contains a cycle; conversely, a cycle is such a sub-relation).

SLIDE 21

Auxiliary formulae

∃!φ             def= ⟨U⟩(φ ∧ [≠]¬φ)                 (φ holds at exactly one location)
size = 1        def= ¬emp ∧ ¬(¬emp ∗ ¬emp)
PRoot           def= ♦¬♦⊤                            (the successor is unallocated)
UniqTreePRoot   def= ¬Loop ∧ (¬(¬emp ∗ ¬emp) ∨ ∃!PRoot)
Leaf            def= (♦⊤ ∧ size = 1) ∨ (♦⊤ ∧ ¬PRoot ∧ ((size = 1 ∧ ♦⊤) ∗ UniqTreePRoot))

  • M, l ⊨ UniqTreePRoot iff M is loop-free and either R is empty or (M has at most one maximal connected component (MCC) and a unique pre-root).

  • Assuming that M ⊨ UniqTreePRoot, we have M, l ⊨ Leaf iff l is a leaf (the single edge leaving l can be separated off without creating a second pre-root, so l has no predecessor).

SLIDE 22

Characterisation of linear structures

  • φ∃ls def= emp ∨ (UniqTreePRoot ∧ ∃!Leaf).

  • M ⊨ φ∃ls iff M is linear.

  • ls(x, y) from the symbolic heap fragment can be encoded by

φls(x,y) def= φ∃ls ∧ ((emp ∧ ⟨U⟩(x ∧ y)) ∨ (⟨U⟩(x ∧ Leaf) ∧ ⟨U⟩(PRoot ∧ ♦y)))

  • As a by-product, SL(∗, −∗, ls) can be encoded in MSL:
– x = y ≈ ⟨U⟩(x ∧ y)
– x ↪ y ≈ ⟨U⟩(x ∧ ♦y)

  • Satisfiability for SL(∗, −∗, ls) is undecidable. [Demri & Lozes & Mansutti, FOSSACS’18]

  • So, the MSL satisfiability problem is undecidable.
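The semantics of slide 10, the encoding of x = y and x ↪ y from slide 12, the small-model search suggested by slide 15 and the derived formulae Loop, size = 1, PRoot, UniqTreePRoot, Leaf and φ∃ls of slides 20 to 22 can all be exercised with the following model checker. It is an added example written for this page, not code from the paper or its authors. It evaluates MSL(∗, ♦, ⟨≠⟩) on finite models by enumerating the 2^card(R) partitions of R for ∗ (so it is exponential, unlike the polynomial abstract-frame algorithm of slide 18); −∗ is left out because its semantics quantifies over all disjoint extensions of R. The models LINEAR, CYCLE and FORK, the bound k = 3 and the nominals x, y, z are constructed for the example.

```python
"""Model checker for MSL(*, <>, <≠>) on finite models, plus the derived formulae
Loop, size = 1, PRoot, UniqTreePRoot, Leaf, φ∃ls and ls(x, y) from the slides.
Added example for this page, not code from the paper; the magic wand -* is
omitted because its semantics quantifies over all disjoint extensions of R."""
from itertools import combinations, product

# A model is (W, R, V): W a finite set of locations, R a dict encoding a finite
# functional relation (R[l] is the unique successor of l, absent if l is
# unallocated), V maps propositional variables to sets of locations.
# Formulae are nested tuples whose first component is the connective.

def sat(M, l, f):
    """M, l |= f, following the clauses of slide 10."""
    W, R, V = M
    op = f[0]
    if op == 'top':  return True
    if op == 'p':    return l in V.get(f[1], set())
    if op == 'emp':  return not R
    if op == 'not':  return not sat(M, l, f[1])
    if op == 'or':   return sat(M, l, f[1]) or sat(M, l, f[2])
    if op == 'dia':  return l in R and sat(M, R[l], f[1])             # (l, l') in R
    if op == 'neq':  return any(sat(M, m, f[1]) for m in W if m != l)  # <≠>: some l' != l
    if op == 'star':                       # some partition {R1, R2} of R (either part may be empty)
        edges = list(R.items())
        for k in range(len(edges) + 1):
            for part in combinations(edges, k):
                R1 = dict(part)
                R2 = {a: b for a, b in edges if a not in R1}
                if sat((W, R1, V), l, f[1]) and sat((W, R2, V), l, f[2]):
                    return True
        return False
    raise ValueError(op)

# Constructors and derived connectives (definitions taken from slides 20 and 21).
TOP, EMP = ('top',), ('emp',)
def p(x):       return ('p', x)
def neg(f):     return ('not', f)
def lor(f, g):  return ('or', f, g)
def land(f, g): return neg(lor(neg(f), neg(g)))
def imp(f, g):  return lor(neg(f), g)
def dia(f):     return ('dia', f)
def neq(f):     return ('neq', f)                      # <≠>f
def boxneq(f):  return neg(neq(neg(f)))                # [≠]f
def star(f, g): return ('star', f, g)
def some(f):    return lor(f, neq(f))                  # <U>f : f holds somewhere
def every(f):   return land(f, boxneq(f))              # [U]f : f holds everywhere
def one(f):     return some(land(f, boxneq(neg(f))))   # ∃!f : f holds at exactly one location

ALLOC = dia(TOP)                                       # l has a successor
# Loop: a non-empty sub-relation in which every allocated location has an allocated successor.
LOOP = star(TOP, land(every(imp(ALLOC, dia(ALLOC))), neg(EMP)))
SIZE1 = land(neg(EMP), neg(star(neg(EMP), neg(EMP))))
PROOT = dia(neg(ALLOC))                                # the successor of l is unallocated
UNIQ_TREE_PROOT = land(neg(LOOP), lor(neg(star(neg(EMP), neg(EMP))), one(PROOT)))
LEAF = lor(land(ALLOC, SIZE1),
           land(ALLOC, land(neg(PROOT), star(land(SIZE1, ALLOC), UNIQ_TREE_PROOT))))
EXISTS_LS = lor(EMP, land(UNIQ_TREE_PROOT, one(LEAF)))  # φ∃ls: the model is linear

def ls(x, y):   # ls(x, y) of the symbolic-heap fragment (slide 22); x, y are nominals
    return land(EXISTS_LS, lor(land(EMP, some(land(p(x), p(y)))),
                               land(some(land(p(x), LEAF)), some(land(PROOT, dia(p(y)))))))
def eq(x, y):        return some(land(p(x), p(y)))       # x = y  ≈ <U>(x ∧ y)   (slide 12)
def points_to(x, y): return some(land(p(x), dia(p(y))))  # x ↪ y  ≈ <U>(x ∧ <>y)

def satisfiable(f, props=(), k=3):
    """Brute-force search for a model of f over W = {0, ..., k}: every finite functional R
    and every valuation of `props`.  By slide 15 this is complete for MSL(*, <>) when
    k is at least the size of f; k = 3 is just a bound chosen for this example."""
    W = list(range(k + 1))
    for succ in product([None] + W, repeat=len(W)):
        R = {a: b for a, b in zip(W, succ) if b is not None}
        for bits in product([False, True], repeat=len(W) * len(props)):
            V = {q: {w for i, w in enumerate(W) if bits[j * len(W) + i]}
                 for j, q in enumerate(props)}
            if sat((set(W), R, V), 0, f):
                return R, V
    return None

# Constructed sample models (not from the paper); nominals x, y, z have singleton valuations.
W = {0, 1, 2, 3}
LINEAR = (W, {0: 1, 1: 2, 2: 3}, {'x': {0}, 'z': {1}, 'y': {3}})  # 0 -> 1 -> 2 -> 3
CYCLE = (W, {0: 1, 1: 2, 2: 0}, {})                               # 0 -> 1 -> 2 -> 0
FORK = (W, {0: 2, 1: 2, 2: 3}, {})                                # leaves 0 and 1 both point to 2

def has_loop(M):  return sat(M, 0, LOOP)        # global formulae: the point does not matter
def is_linear(M): return sat(M, 0, EXISTS_LS)
def leaves(M):    return {l for l in M[0] if sat(M, l, LEAF)}  # meaningful only if M |= UniqTreePRoot

if __name__ == '__main__':
    for name, M in [('LINEAR', LINEAR), ('CYCLE', CYCLE), ('FORK', FORK)]:
        print(name, 'loop:', has_loop(M), 'linear:', is_linear(M), 'leaves:', leaves(M))
    print('ls(x, y):', sat(LINEAR, 0, ls('x', 'y')), ' x ↪ z:', sat(LINEAR, 0, points_to('x', 'z')))
    print('size = 1 ∧ Loop is satisfied by', satisfiable(land(SIZE1, LOOP)))
```

FORK is the model that separates the two conjuncts of φ∃ls: it satisfies UniqTreePRoot (no loop, one pre-root) but has two leaves, so ∃!Leaf fails and the model is correctly rejected as non-linear. On CYCLE, Leaf holds at every location, which is why the slide only reads Leaf under the assumption M ⊨ UniqTreePRoot.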
SLIDE 23

Nonemptiness problem for star-free expressions

  • Star-free expressions:

e ::= a | ε | e ∪ e | ee | ∼e

  • Nonemptiness problem is Tower-complete. [Meyer & Stockmeyer, STOC’73; Schmitz, ToCT 2016]

  • Encoding words by linear models: the i-th letter of the word is the propositional variable true at the i-th location after the leaf.

Example (figure): the word a1 a2 a1 is encoded by the linear model l0 → l1 → l2 → l3 with l1 ∈ V(p1), l2 ∈ V(p2), l3 ∈ V(p1); formulae are evaluated at the leaf l0.

SLIDE 24

Tower-hardness of MSL(∗, ♦, =)

a_i         def= p_i ∧ ⋀_{j≠i} ¬p_j

T(e)        def= ([U] ⋁_i a_i) ∧ φ∃ls ∧ ((emp ∧ t(e)) ∨ (¬emp ∧ Leaf ∧ t(e)))        (evaluation done on the leaf)

t(ε)        def= emp
t(a_i)      def= ♦a_i ∧ size = 1
t(∼e)       def= ¬t(e)
t(e1 ∪ e2)  def= t(e1) ∨ t(e2)
t(e1 e2)    def= ψ1 ∨ ψ2 ∨ ψ3 ∨ ψ4, where

  ψ1 def= emp ∧ t(e1) ∧ t(e2)
  ψ2 def= (t(e1) ∧ emp) ∗ t(e2)
  ψ3 def= t(e1) ∗ (t(e2) ∧ emp)
  ψ4 def= (φ∃ls ∧ ¬emp ∧ t(e1)) ∗ (φ∃ls ∧ ¬emp ∧ ⟨U⟩(Leaf ∧ t(e2)))

SLIDE 25

Adding the converse modality

  • M, l ⊨ ♦⁻¹φ iff M, l′ ⊨ φ for some l′ ∈ N s.t. (l′, l) ∈ R.

  • MSL(∗, ♦⁻¹) is very close to MSL(∗, ♦) on finite trees, which itself can be encoded in QCTL restricted to ♦.

  • The satisfiability problem for MSL(∗, ♦⁻¹) is PSpace-hard, as is the model-checking problem for MSLfin(∗, ♦⁻¹).

  • The satisfiability problem for MSL(∗, ♦, ♦⁻¹, ⟨≠⟩) is in Tower.

  • The exact complexity characterisation for MSL(∗, ♦⁻¹), MSL(∗, ♦⁻¹, ♦) or MSL(∗, ♦⁻¹, ⟨≠⟩) is open.
SLIDE 26

Global sabotage modal logic

  • M, l ⊨ ⟨gsb⟩φ iff for some (l′, l′′) ∈ R, M⁻_{l′,l′′}, l ⊨ φ, where M⁻_{l′,l′′} = ⟨W, R \ {(l′, l′′)}, V⟩ (one edge of R is deleted).

  • General model M = ⟨W, R, V⟩: W is an arbitrary countable set, R ⊆ W × W and V : PROP → P(W).

  • The satisfiability problem of MSLg(♦, gsb) is undecidable. [Areces & Fervari & Hoffmann & Martel, JLC]

  • MSLg(∗, ♦) is also undecidable, since ⟨gsb⟩φ ≈ size = 1 ∗ φ (deleting one edge is separating off a one-edge sub-relation).
SLIDE 27

Conclusion

Logic                          Model checking      Satisfiability (with finite models)
MSL(∗, ♦), MSL(∗, ⟨≠⟩)         P                   NP-complete
MSL(∗, ♦, ⟨≠⟩)                 PSpace-complete     Tower-complete
MSL                            PSpace-complete     Undecidable
MSLg(∗, ♦)                                         Undecidable
MSL(∗, ♦⁻¹)                    PSpace-complete     PSpace-hard, in Tower
MSL(♦, gsb)                    P                   NP-complete

  • Tower-hardness for MSL(∗, ♦, U)?
  • Complexity of the satisfiability problem for MSL(∗, ♦−1)?
  • Proof systems for modal separation logics?
  • Characterization of the expressive power of such logics?