SEAL: Symbolic Execution with Separation Logic (Competition Contribution)

SEAL is a static analyser for the verification of programs that manipulate unbounded linked data structures. It is based on separation logic to represent abstract memory states and, unlike other separation-logic-based approaches, it employs a general-purpose separation logic solver Astral for satisfiability and entailment checking, which itself is based on translation to SMT. This design results in a modular architecture intended to be easier to extend and to combine with reasoning in other theories. Although still a prototype, SEAL achieved competitive results in the LinkedLists base category and was one of only four analysers capable of verifying programs with unbounded lists. We believe that the tool’s extensibility, combined with further development, can lead to significant improvements in future competitions.

💡 Research Summary

The paper presents SEAL, a static analysis tool designed to verify safety properties of C programs that manipulate heap‑allocated linked data structures. SEAL’s novelty lies in its use of separation logic (SL) as the abstract domain while delegating all SL satisfiability and entailment queries to a general‑purpose SL solver called Astral. Astral translates SL formulas into a bounded set of SMT queries (bit‑vectors and arrays) and solves them with the Bitwuzla solver. This architecture cleanly separates shape reasoning from other theories (e.g., integer arithmetic), making the tool highly modular and extensible.

In SEAL, an abstract state is represented as a symbolic heap of the form ∃x₁…xₘ. φ₁ ∗ … ∗ φₙ, where each φᵢ is either a pure equality/inequality, a points‑to atom, or an inductive predicate describing a list segment. The current prototype supports three kinds of linked structures: singly‑linked lists (SLL), doubly‑linked lists (DLL), and nested singly‑linked lists (NLL). All are assumed to be acyclic, though a limited cyclic representation is possible by combining multiple acyclic components.

Abstraction is performed by merging compatible points‑to atoms and list predicates into a single list‑segment predicate, provided the merged memory cell is not referenced by external pointers and the start and end of the segment are distinct. This “list‑segment abstraction” mirrors techniques used in other shape analysers such as PredatorHP and CPAchecker, but SEAL’s SL‑based representation allows seamless integration with function summaries. Each function is summarized by a pair of pre‑ and post‑conditions expressed as symbolic heaps; during interprocedural analysis, a call can be replaced by a matching summary without inlining.

Loop handling relies on a fix‑point computation: the analyzer checks whether the symbolic heap set S from the current iteration entails the set T from the previous iteration. Because full entailment is undecidable in practice, SEAL uses a heuristic that searches for, for each Sᵢ ∈ S, a Tⱼ ∈ T such that Sᵢ ⊨ Tⱼ, while also ensuring that the right‑hand side does not allocate more cells than the left. Redundant heaps are pruned using syntactic simplifications (equivalence‑class reduction, scope cleanup, duplicate removal).

Integer variables are tracked concretely within a default range of