A Formal Semantics for Isorecursive and Equirecursive State Abstractions

Most methodologies for static program verification support recursively-defined predicates in specifications, in order to reason about recursive data structures. Intuitively, a predicate instance represents the complete unrolling of its definition; this is the equirecursive interpretation. However, this semantics is unsuitable for static verification, when the recursion becomes unbounded. For this reason, most static verifiers supporting recursive definitions employ explicit folding and unfolding of recursive definitions (specified using ghost commands, or inferred). Such a semantics differentiates between, e.g., a predicate instance and its corresponding body, while providing a facility to map between the two; this is the isorecursive semantics. While this latter interpretation is usually implemented in practice, only the equirecursive semantics is typically treated in theoretical work. In this paper we provide both an isorecursive and an equirecursive formal semantics for recursive definitions in the context of Chalice, a verification methodology based on implicit dynamic frames. We extend these assertion semantics to appropriate Hoare Logics, and prove the soundness of our definitions. The development of such formalisations requires addressing several subtle issues, regarding both the possibility of infinitelyrecursive definitions and the need for the isorecursive semantics to correctly reflect the restrictions that make it readily implementable. These questions are made more challenging still in the context of implicit dynamic frames, where the use of heap-dependent expressions provides further pitfalls for a correct formal treatment.