FO-Complete Program Verification

• FO-complete program verification is a methodology that employs first-order logic to automatically prove properties of recursive and heap-manipulating programs under arbitrary fixpoint semantics.
• It uses specialized logics such as Frame Logic (FL) and a separation logic variant (SL-FL) to generate verification conditions that are transformed into quantifier-free formulas for SMT solving.
• Empirical evaluations demonstrate that this approach reliably generates sound and complete verification conditions, ensuring efficient analysis of diverse data structures and recursive programs.

FO-complete program verification refers to verification methodologies and logics that ensure the (recursively enumerable) completeness of first-order reasoning over program properties, specifically with respect to recursively defined predicates interpreted under arbitrary fixpoint semantics. In this context, a verification engine is “FO-complete” if every property valid for all first-order (not just least) fixpoints can in principle be automatically established by the engine. This property has particular relevance for verification of heap-manipulating and recursive programs, where the expressiveness and automation potential of first-order logic (FO) are exploited to their full theoretical limit, subject only to the inherent undecidability of the underlying semantic class. Recent developments yield logics and toolchains that are FO-complete for practical program verification tasks, notably in heap logics, frame logic, and related domains (Murali et al., 10 Jan 2026).

1. Formal Definition of FO-Completeness

FO-completeness, in the context of program verification with recursive definitions, distinguishes between two semantic regimes:

• Least-fixpoint semantics (lfp): Recursive definitions $R(\bar x) =_{\mathrm{lfp}} \rho_R(\bar x)$ are interpreted as the least set of tuples satisfying the defining equation.
• Arbitrary-fixpoint (FO) semantics: The predicate $R$ is interpreted as any fixpoint (not necessarily least) of the equation $R(\bar x) \iff \rho_R(\bar x)$, with no minimality constraint.

A program verification logic or tool is FO-complete if:

• Soundness: Whenever it proves a formula $\varphi$ valid, this $\varphi$ is valid under least-fixpoint semantics.
• Completeness: If $\varphi$ is valid under arbitrary-fixpoint semantics (i.e., in all FO models), it is eventually proved (recursively enumerable).

In verification, this means that any property of programs expressible in FO (possibly with recursive definitions as fixpoints) that is true for all fixpoints can be established by the system, subject to the practical limitations of proof search and unavoidably undecidable cases. The approach is strictly more general than only verifying properties true in the least-fixpoint sense, providing a “superset” guarantee at the cost of potential incompleteness relative to stronger (second-order) specification classes (Murali et al., 10 Jan 2026).

2. FO-Complete Heap Logics and Their Semantics

Recent advances provide the first two heap logics with implicit heaplets and FO-complete program verification: a frame logic (FL) and a separation logic variant (SL-FL) (Murali et al., 10 Jan 2026). These logics are tailored to bridge the gap between expressive heap reasoning and first-order completeness.

Frame Logic (FL)

• Extends first-order logic with recursive definitions (FORD) by introducing a support operator $Sp(\varphi)$, returning the unique subset of heap locations (“heaplet”) on which $\varphi$ depends.
• Introduces a cloud operator $[\varphi]$ (semantically $[\varphi]$ holds iff $\varphi$ holds and $Sp([\varphi]) = \emptyset$), used to eliminate existentials such as $\exists y. y=f(x):\varphi(y)$.
• Well-formed formulas ensure recursive definitions and supports do not occur in quantifier guards.

The operational semantics of $Sp(\varphi)$ is carefully formalized to ensure that every formula with a satisfying heaplet has a unique such heaplet, enabling translation to quantifier-free FO after suitable transformation (Murali et al., 10 Jan 2026).

Separation Logic SL-FL

• Modifies traditional separation logic by enforcing determined (unique) heaplets for each formula, sidestepping the non-determinism and second-order complexities of standard SL.
• Syntax includes pure pointer equality/disequality, atomic field accesses, separating conjunction ($\ast$), and existential “heaplet” quantification, with support-based semantics.

A key feature is the translation $\Pi$ from SL-FL to FL, ensuring FO-complete reasoning is preserved for separation-style specifications by reducing SL-FL formulas to FO-expressible FL formulas, with heaplet supports explicitly encoded (Murali et al., 10 Jan 2026).

3. FO-Complete Verification Condition Generation

The FO-complete pipeline leverages the expressiveness of FL to enable tractable VC generation grounded in FO reasoning:

• Program code is split into basic blocks, generating VCs of the form

$$(\wedge Fr \wedge T) \Longrightarrow (\beta \wedge Sp(\beta)=A)$$

or, for relaxed postconditions, $$(\dots) \Rightarrow (\beta \wedge Sp(\beta) \subseteq A)$$.

• $T$ encodes the strongest postcondition; $A$ tracks allocated sets; $Fr$ are frame axioms capturing heaplet locality, and $RD$ lists updated recursive definitions.

VCs are constructed such that their FO validity (after transformations) precisely mirrors validity in the operational or logical semantics of the program, modulo the well-formedness requirements (Murali et al., 10 Jan 2026).

This methodology is complete in the sense that, in the absence of procedure calls (for which modular reasoning requires further invariants), all lfp-valid Hoare triples produce VCs whose FO validity can be established by FO-complete proof methods.

4. FO-Complete Proof Search via Quantifier Instantiation

After VCs are formulated in FL (or after SL-FL to FL translation), they are reduced to quantifier-free FO using natural proof strategies:

1. Fixpoint-to-FO flattening: Recursive predicates are replaced with uninterpreted symbols, and fold (unrolling) axioms are introduced: $\forall \bar x.\;R(\bar x) = \rho(\bar x, R)$, which express the fixpoint condition in FO.
2. Quantifier Instantiation: These fold axioms are instantiated for ground terms up to increasing depth, incrementally unrolling recursive definitions.
3. SMT Solving: The resulting quantifier-free FO conjunction is dispatched to SMT solvers (e.g., Z3). If unsatisfiability is detected, the proof succeeds.
4. Loop: If necessary, the instantiation depth is increased iteratively.

The FO-completeness property of this procedure (as shown by [loding18]) guarantees every FO-valid VC (i.e., valid in all fixpoint models) will be discovered at some finite level of unrolling. The pipeline's design ensures soundness with respect to lfp semantics, so only correct program properties are ever proved in the intended sense (Murali et al., 10 Jan 2026).

5. Empirical Evaluation and Implementation

The methodology underpins two tool implementations: FLV for Frame Logic and SLFLV for SL-FL specifications (which first translates to FL). Optimization techniques include memoization and elision of trivial support-disjointness checks for improved efficiency.

Benchmarks:

• Covered 29 programs manipulating lists, trees, BSTs, treaps, and red-black trees, each annotated with quantifier-free functional contracts with recursive heap predicates.
• An additional 85 inductive lemmas (e.g., data structure invariants) were automatically proven.
• Performance: All program proofs were completed with per-routine times of 100–200 ms (FLV), with batch verification of all benchmarks within ∼1–2 minutes (with/without optimization, M2 Pro, 16GB RAM).

The specifications remain succinct (30–200 LOC including annotations). No interactive guidance beyond lemma provisioning was needed for successful verification (Murali et al., 10 Jan 2026).

6. Broader Context and Relationship to Other FO-Completeness Results

FO-completeness is also achieved for other program verification and logic systems under certain constraints:

• First-order abstract separation logic (FOASL): Sound and complete (in the FO sense) for abstract heap separation operators, with concrete heap models approximated via FO theories (Hou et al., 2016).
• First-order temporal logics over context-free structures: The logic POTL attains FO-completeness (precise correspondence with one-variable FO) for operator-precedence languages, extending the reach of FO-complete verification to broader classes of procedural languages (Chiari et al., 2021).
• Locally tight program verification: For answer set programs with no infinite dependency cycles at the ground-atom level, completion methods allow reduction of answer-set semantics to first-order logic, enabling verification through FO-complete theorem proving pipelines (Fandinno et al., 2022).

A plausible implication is that FO-completeness, while subject to the limitations of first-order reasoning (notably, incompleteness for least-fixpoint semantics and inability to capture certain strictly second-order properties), provides a maximally expressive, automatable, and tool-friendly verification frontier for recursively defined program properties within first-order logic.

7. Theoretical and Practical Significance

FO-complete program verification frameworks provide an effective compromise between expressiveness and automatable reasoning:

• They guarantee the eventual proof of all FO-valid program properties under arbitrary fixpoint semantics, enabling robust verification for large classes of recursive and heap-manipulating programs.
• The translation strategies ensure that heap separation, support reasoning, and recursive definitions remain tractable for SMT-style proof engines.
• The methodologies sidestep non–recursively enumerable and second-order barriers that undermine completeness in classical (concrete) separation logic and related systems.

These characteristics render FO-complete verification a linchpin in modern practical verification for heap-manipulating and recursively structured programs, with demonstrable efficiency and expressiveness in empirical analysis (Murali et al., 10 Jan 2026, Hou et al., 2016).