Exact Separation Logic

Over-approximating (OX) program logics, such as separation logic, are used to verify properties of heap-manipulating programs: all terminating behaviour is characterised but the reported results and errors need not be reachable. OX function specifications are thus incompatible with true bug-finding supported by symbolic execution tools such as Pulse and Gillian. In contrast, under-approximating (UX) program logics, such as incorrectness separation logic, are used to find true results and bugs: reported results and errors are reachable, but not all behaviour can be characterised. UX function specifications thus cannot capture full verification. We introduce exact separation logic (ESL), which provides fully verified function specifications compatible with true bug finding: all terminating behaviour is characterised, and all reported results and errors are reachable. ESL requires subtle definitions of internal and external function specifications compared with the familiar definitions of OX logics. It supports reasoning about mutually recursive functions and non-termination. We prove frame-preserving soundness for ESL, demonstrating, for the first time, functional compositionality for a non-OX program logic. We investigate the expressivity of ESL and the role of abstraction in UX reasoning by verifying abstract ESL specifications of list algorithms. To show overall viability of exact verification for true bug-finding, we formalise a compositional symbolic execution semantics capable of using ESL specifications and characterise the conditions that these specifications must respect so that true bug-finding is preserved.