Amortised Resource Analysis with Separation Logic

Type-based amortised resource analysis following Hofmann and Jost—where resources are associated with individual elements of data structures and doled out to the programmer under a linear typing discipline—have been successful in providing concrete resource bounds for functional programs, with good support for inference. In this work we translate the idea of amortised resource analysis to imperative pointer-manipulating languages by embedding a logic of resources, based on the affine intuitionistic Logic of Bunched Implications, within Separation Logic. The Separation Logic component allows us to assert the presence and shape of mutable data structures on the heap, while the resource component allows us to state the consumable resources associated with each member of the structure. We present the logic on a small imperative language, based on Java bytecode, with procedures and mutable heap. We have formalised the logic and its soundness property within the Coq proof assistant and extracted a certified verification condition generator. We also describe an proof search procedure that allows generated verification conditions to be discharged while using linear programming to infer consumable resource annotations. We demonstrate the logic on some examples, including proving the termination of in-place list reversal on lists with cyclic tails.

💡 Research Summary

The paper presents a novel program logic that brings amortised resource analysis—originally developed for functional languages—into the realm of imperative, pointer‑manipulating programs. The authors achieve this by embedding a resource logic, based on the affine intuitionistic Logic of Bunched Implications (BI), inside Separation Logic. In this combined setting, the usual separating conjunction “*” describes the physical separation of heap fragments, while a second conjunction “⊗” (the monoidal product of the resource algebra) captures the combination of consumable resources such as credits or time units.

A program state is modelled as a pair (H, r) where H is the mutable heap and r is the amount of resource currently available to the program. Assertions can simultaneously talk about heap shape and resource distribution; for example the predicate lseg p R, x, y asserts that the segment from address x to y forms a linked list and that each node carries a unit of resource R. Because the resource algebra is assumed to be a commutative monoid, the total resource can be split and recombined in lock‑step with heap splitting, enabling local reasoning about mutations without having to track global counters.

The logic is formalised in the Coq proof assistant. The soundness theorem states that for every execution step the sum of resources already consumed and those still available never exceeds a pre‑specified bound. This guarantees that any program proved correct in the logic is resource‑bounded. The authors also define a restricted fragment of the assertion language that is amenable to automated proof search. Verification conditions (VCs) generated from Hoare triples are translated into a mixture of Separation‑Logic entailments (handled by a standard SL prover) and linear arithmetic constraints over resource variables. The arithmetic part is discharged by a linear programming (LP) solver, which simultaneously infers the numeric resource annotations that were left unspecified in the source code.

Two substantial case studies illustrate the approach. The first proves termination and a tight resource bound for in‑place list reversal even when the list contains a cyclic tail. By assigning one credit to each node at the outset, the reversal algorithm can consume exactly those credits as it rewrites pointers, and the logic automatically shows that no extra resources are needed. The second case study tackles the inner loop of an in‑place merge‑sort on linked lists. The method mergeInner processes the list in blocks of size k, merging two sub‑lists while counting swap operations. The authors encode the pre‑condition as a list segment annotated with an unknown amount of resource per element; the LP solver then discovers that each element must carry a credit equal to the cost of a potential swap, yielding a precise bound on the total number of swaps and, consequently, on the overall running time.

A further contribution is a variant of the logic that permits dynamic, possibly failing, resource acquisition (Section 3.6). By exploiting the affine nature of the resource algebra, the logic can model operations that may or may not succeed without breaking soundness.

In summary, the paper makes four key contributions: (1) a unified logical framework that simultaneously reasons about heap shape and consumable resources, (2) a machine‑checked formalisation and soundness proof in Coq, (3) an automated verification condition generator coupled with linear‑programming based resource inference, and (4) successful application to non‑trivial pointer‑intensive algorithms, including termination proofs for cyclic data structures. By internalising resources in the data structures themselves, the approach eliminates the need for auxiliary ghost counters, simplifies specifications, and paves the way for scalable, automated verification of resource‑aware imperative programs.