A Logic of Reachable Patterns in Linked Data-Structures

We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamically-allocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression from a designated node. The logic is closed under boolean operations (entailment, negation) and has a finite model property. The key technical result is the proof of decidability. We show how to express precondition, postconditions, and loop invariants for some interesting programs. It is also possible to express properties such as disjointness of data-structures, and low-level heap mutations. Moreover, our logic can express properties of arbitrary data-structures and of an arbitrary number of pointer fields. The latter provides a way to naturally specify postconditions that relate the fields on entry to a procedure to the fields on exit. Therefore, it is possible to use the logic to automatically prove partial correctness of programs performing low-level heap mutations.

💡 Research Summary

The paper introduces a novel decidable logic, called the Logic of Reachable Patterns (LRP), designed to express and verify invariants of programs that manipulate dynamically allocated objects through pointers and destructive updates. The authors model the heap as a directed labeled graph and enrich the logical language with two central constructs: (1) regular‑expression‑based reachability predicates reach(x,R,y), where R denotes a regular expression over field names, and (2) neighbourhood constraints neigh(y,Φ), which restrict the immediate sub‑graph around a reachable node y by a recursively defined pattern Φ. This combination enables the specification of not only that a node is reachable via a certain path, but also that the local structure surrounding that node satisfies a given property.

LRP is closed under Boolean operations; negation, conjunction, and disjunction of LRP formulas remain within the same syntactic class. Consequently, verification condition generation (VCG) can produce conditions that are directly fed back into the logic without needing auxiliary encodings. Moreover, the logic enjoys the finite‑model property: if a formula is satisfiable, there exists a heap model whose size is bounded by a polynomial function of the formula’s length. This property is crucial for decidability.

The decidability proof proceeds in two stages. First, each LRP formula is translated into a tree automaton. Regular‑expression paths become automaton transitions, while neighbourhood constraints are encoded as state‑label conditions that enforce local sub‑patterns. Second, a small‑model theorem for the resulting automaton guarantees that emptiness can be decided by examining only trees of bounded depth, yielding a PSPACE decision procedure. The authors argue that, despite the theoretical worst‑case complexity, practical verification can be performed efficiently by reducing the automaton emptiness problem to SAT/SMT queries.

Expressiveness is demonstrated through several case studies. The authors encode the pre‑ and post‑conditions of a singly linked list reversal, showing how reach(head, next*, null) before the loop and reach(newHead, next*, null) after the loop capture the essential shape change. For a doubly linked list insertion they use neighbourhood constraints to assert that the prev and next fields of the newly inserted node are correctly linked to their neighbours. A binary‑tree rotation example illustrates how LRP can specify that the left‑subtree of a node becomes the right‑subtree of another after rotation, again using a combination of reachability and local constraints. Disjointness of two data structures is expressed by a universal quantification over reachable nodes, while field‑mapping specifications demonstrate the ability to relate the values of fields on procedure entry (f_in) to those on exit (f_out) within a single formula.

Verification proceeds by attaching LRP formulas as Hoare triples {P} C {Q}. The VCG algorithm generates verification conditions that are themselves LRP formulas; these are then fed to the decision procedure. A prototype implementation successfully discharged all generated conditions for the presented examples within seconds, confirming the practicality of the approach.

In the related‑work discussion, the authors compare LRP to Separation Logic, which excels at reasoning about heap separation but struggles with expressive path‑based neighbourhood properties, especially under negation. Monadic second‑order logic (MSO) can express similar properties but loses decidability when unrestricted heap graphs are considered, and it does not scale well with an arbitrary number of pointer fields. LRP, by contrast, maintains decidability while allowing an unbounded number of fields and supporting full Boolean reasoning.

The paper acknowledges limitations: it currently addresses only partial correctness, leaving termination and global invariant reasoning to future extensions. Handling concurrent heap manipulations, garbage collection, or more sophisticated memory models would also require additional research. Nonetheless, the authors conclude that LRP provides a powerful, decidable framework for specifying and automatically proving low‑level heap mutations, filling a gap between expressive but undecidable logics and less expressive but decidable ones.