Zohar Manna1 Henny B. Sipma1 Ting Zhang2theory.stanford.edu/~tingz/talks/lfcs07_talk.pdf · VERIFYING BALANCED TREES VERIFYING BALANCED TREES Zohar Manna1 Henny B. Sipma1 Ting Zhang2

VERIFYING BALANCED TREES


Zohar Manna1 Henny B. Sipma1 Ting Zhang2

1Department of Computer ScienceStanford University

2Theory GroupMicrosoft Research Asia

Logical Foundations of Computer ScienceJune 5, 2007


OUTLINE

OUTLINE

1 INTRODUCTIONMotivationOur ContributionsRelated Work and Comparison

2 MAIN TALKDecidable Logic of R-B TreesAnalyze Algorithms on R-B Trees

3 CONCLUSIONOur ContributionsFuture Work


INTRODUCTION

MOTIVATION

OUTLINE





INTRODUCTION

MOTIVATION

VERIFYING HIGH-LEVEL DATA STRUCTURES

+ What?Complex data structure: Trees . . .High-level properties: Being Balanced . . .Intricate Operations: Self-balancing . . .

+ Why?Ubiquitous in advanced programming languagesBut hard to get it right

+ Difficulty?Lost in Translation

+ Approach?Develop decidable logics to model them directly

Get High, Stay High ,


INTRODUCTION

MOTIVATION








INTRODUCTION

MOTIVATION








INTRODUCTION

MOTIVATION








INTRODUCTION

MOTIVATION








INTRODUCTION

OUR CONTRIBUTIONS

OUTLINE





INTRODUCTION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS

+ Develop a first-order theory of red-black trees using thetheory of term algebras augmented with Presburgerarithmetic

+ Show how to use this theory to represent the transitionrelations of the tree operations directly from the programstatements, and how to use them to construct Hoare triples

+ Provide a decision procedure for automatically checkingvalidity of the resulting verification conditions

+ Generalizable to model other balanced tree structures,such as AVL trees and B-trees


INTRODUCTION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS






INTRODUCTION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS






INTRODUCTION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS






INTRODUCTION

RELATED WORK AND COMPARISON

OUTLINE





INTRODUCTION


RELATED WORK

+ Quantitative Shape Analysis [Rugina 04]ABSTRACT INTERPRETATION Performs forward propagationin an abstract heap

+ Tree Automata with Size Constraints [Habermehl et al 06]AUTOMATA TRANSFORMATION Encodes transition relations,pre- and post-conditions as tree languages

+ Hypergraph Rewriting [Baldan et al 05]REWRITING TECHNIQUES Uses approximate unfolding tocompute the reachable states of a graph rewriting system

+ Context Logic [Calcagno et al 05]DEDUCTIVE SYSTEM Proved sound and complete


INTRODUCTION


RELATED WORK






INTRODUCTION


RELATED WORK






INTRODUCTION


RELATED WORK






INTRODUCTION


COMPARISON

RELATED WORK

4 Express updates at an arbitrary pointed location8 Verification of Hoare triples is not fully automatic8 Lack of intuitive connections between low level program

statements and the high level formalism

OUR WORK

8 Cannot express updates at an arbitrary pointed locationResort to induction

4 Verification of Hoare triples is fully automatic4 Clear connections between low level program statements

and the high level formalism


INTRODUCTION


COMPARISON

RELATED WORK

4 Express updates at an arbitrary pointed location8 Verification of Hoare triples is not fully automatic8 Lack of intuitive connections between low level program

statements and the high level formalism

OUR WORK

8 Cannot express updates at an arbitrary pointed locationResort to induction

4 Verification of Hoare triples is fully automatic4 Clear connections between low level program statements

and the high level formalism


MAIN TALK

DECIDABLE LOGIC OF R-B TREES

OUTLINE





MAIN TALK


RED-BLACK TREES

DEFINITION (RED-BLACK TREES)

A binary tree with the following coloring properties:1 Every node is either red or black.2 Every leaf node is black.3 The root is black.4 Every red node has two black children.5 All paths from the root to leaf nodes contain the same

number of black nodes.


MAIN TALK


EXAMPLE: RED-BLACK TREES

7

2

1 5

4 nil

11

8 14

nil 15


MAIN TALK


COLOR FLIPPING

11

2

1 7

5

4 nil

8

14

nil 15

w

11

2

1 7

5

4 nil

8

14

nil 15


MAIN TALK


COLOR FLIPPING

11

2

1 7

5

4 nil

8

14

nil 15 w

11

2

1 7

5

4 nil

8

14

nil 15


MAIN TALK


COLOR FLIPPING

11

2

1 7

5

4 nil

8

14

nil 15 w

11

2

1 7

5

4 nil

8

14

nil 15


MAIN TALK


LEFT ROTATION

11

2

1 7

5

4 nil

8

14

nil 15

w

11

7

2

1 5

4 nil

8

14

nil 15


MAIN TALK


LEFT ROTATION

11

2

1 7

5

4 nil

8

14

nil 15 w

11

7

2

1 5

4 nil

8

14

nil 15


MAIN TALK


LEFT ROTATION

11

2

1 7

5

4 nil

8

14

nil 15 w

11

7

2

1 5

4 nil

8

14

nil 15


MAIN TALK


RIGHT ROTATION

11

7

2

1 5

4 nil

8

14

nil 15

w

7

2

1 5

4 nil

11

8 14

nil 15


MAIN TALK


RIGHT ROTATION

11

7

2

1 5

4 nil

8

14

nil 15 w

7

2

1 5

4 nil

11

8 14

nil 15


MAIN TALK


RIGHT ROTATION

11

7

2

1 5

4 nil

8

14

nil 15 w

7

2

1 5

4 nil

11

8 14

nil 15


MAIN TALK


TERM ALGEBRAS

DEFINITION (TERM ALGEBRAS)

A term algebra TA : 〈T; C,A,S, T 〉 consists of1 T: The term domain called C-terms2 C: A set of constructors: α, β, γ, . . .3 A: A set of constants: a, b, c, . . . We require A 6= ∅ andA ⊆ C.

4 S: A set of selectors. For a constructor α with arity k > 0,there are k selectors sα1 , . . . , s

αk in S.

5 T : A set of testers. For each constructor α there is acorresponding tester Isα.


MAIN TALK


COLORED TREES

RB = 〈 Trb; {red, black, nil}, {nil},{carred, cdrred, carblack, cdrblack}, {Isred, Isblack, Isnil} 〉 ,

where+ Trb denotes the domain+ nil denotes a leaf,+ red and black are binary constructors+ car] and cdr] are the left and the right ]-selectors

(] ∈ {red, black}).


MAIN TALK


RED-BLACK TREES

RBZ = 〈RB; PA; | · |max, | · |min : Trb → N 〉

with

| · |max : length of maxiaml black path| · |min : length of mimimal black path


MAIN TALK


MAXIMAL BLACK PATH

|x|max =

1 if x is nil

0 if x has two consecutive rednodes

max(|x1|max, |x2|max) + 1 if x is a well-formed black tree

max(|x1|max, |x2|max) if x is a well-formed red tree


MAIN TALK


MINIMAL BLACK PATH

|x|min =

1 if x is nil

0 if x has two consecutive rednodes

min(|x1|min, |x2|min) + 1 if x is a well-formed black tree

min(|x1|min, |x2|min) if x is a well-formed red tree


MAIN TALK


PREDICATES FOR WELL-FORMED TREES

x IS A WELL-FORMED BLACK TREE:

GB(x, x1, x2) def== x = black(x1, x2) ∧ |x1|max 6= 0 ∧ |x2|max 6= 0

x IS A WELL-FORMED RED TREE:

GR(x, x1, x2) def== x = red(x1, x2) ∧ |x1|max 6= 0 ∧ |x2|max 6= 0

x HAS TWO CONSECUTIVE RED NODES:

Vio(x) def== x 6= nil ∧ ∀x1∀x2(¬GB(x, x1, x2) ∨ ¬GR(x, x1, x2)

)


MAIN TALK


RED-BLACK PROPERTIES

x IS A RED BLACK TREE IF

ϕ1 : |x|max = |x|minany maximal path of x contains the samenumber of black nodes

ϕ2 : |x|max > 0 any red node of x must have two blackchildren

ϕ3 : Isblack(x) the root of x is black


MAIN TALK


RED-BLACK PROPERTIES

SUBDOMAIN PREDICATE:

ϕRB(x) def== ϕ1 ∧ ϕ2 ∧ ϕ3

THEORY OF THE SUBDOMAIN OBTAINED BY RELATIVIZATION:

∀x (ϕRB(x)→ Φ(x)) for universal properties∃x (ϕRB(x) ∧ Φ(x)) for existential properties


MAIN TALK


DECIDABILITY OF RBZ

THEOREM (DECIDABILITY OF RBZ)

1 Th∃(RBZ) is NP-complete.2 Th(RBZ) is decidable and admits quantifier elimination.

PROOF SKETCH.1 Reduce term constraints to integer constraints2 Reduce term quantifiers to integer quantifiers


MAIN TALK

ANALYZE ALGORITHMS ON R-B TREES

OUTLINE





MAIN TALK


TRANSITION RELATION

NOTATION

+ v̄: variables in the current state+ v̄′: the corresponding variables in the next state.+ ρq(v̄, v̄′): transition relation of a statement q

+ post(q, ϕ): post-condition of ϕ(v̄) after executing astatement q

COMPOSITION

The transition relation of the composite statement 〈q; r〉 is

(∃v̄1)(ρq(v̄, v̄1) ∧ ρr(v̄1, v̄′)

)


MAIN TALK


VERIFICATION CONDITIONS

HOARE TRIPLES

+ {ϕ}q{ψ}: state ψ reached after executing q at state ϕ+ {ϕ}q{ψ}: equivalent to post(q, ϕ)→ ψ

PROVING HOARE TRIPLES

post(q, ϕ) def== (∃v̄0)(ρq(v̄0, v̄) ∧ ϕ(v̄0)

){ϕ}q{ψ} def== (∃v̄0)

(ρq(v̄0, v̄) ∧ ϕ(v̄0)

)→ ψ(v̄)


MAIN TALK


COLOR FLIPPING: STEP 1

11

2

1 7x2

5x1

4x nil

8

14

nil 15

w

11

2

1 7x2

5x1

4x nil

8

14

nil 15

T ′[x− 1].tree = cdr(T ′[x− 2])= black(car(T[x− 1].tree), cdr(T[x− 1].tree))


MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15

w

11

2

1 7x2

5x1

4x nil

8

14

nil 15

car(T ′[x− 2]) = T ′[x− 1] = black(car(T[x− 1]), cdr(T[x− 1]))


MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15

w

11

2

1 7x2

5x1

4x nil

8

14

nil 15

T ′[x− 2] = red(car(T[x− 2]), cdr(T[x− 2]))


MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK



11

2

1 7x2

5x1

4x nil

8

14

nil 15 w

11

2

1 7x2

5x1

4x nil

8

14

nil 15



MAIN TALK


LEFT ROTATION: STEP 1

11

2x1

1 7x

5x1

4 nil

8

14

nil 15

w

11

7x1

8 2x

5x1

4 nil

1

14

nil 15

cdr(T ′[x− 1]) = T ′[x]∧ (T ′[x + 1].tree = cdr(T ′[x]) = T[x].tree)∧ (T ′[x].tree = car(T ′[x− 1]) = T[x + 1].tree)


MAIN TALK



11

2x1

1 7x

5x1

4 nil

8

14

nil 15 w

11

7x1

8 2x

5x1

4 nil

1

14

nil 15



MAIN TALK



11

2x1

1 7x

5x1

4 nil

8

14

nil 15 w

11

7x1

8 2x

5x1

4 nil

1

14

nil 15



MAIN TALK



11

2x1

1 7x

5x1

4 nil

8

14

nil 15 w

11

7x1

8 2x

5x1

4 nil

1

14

nil 15



MAIN TALK



11

7x1

8 2x

5x1

4 nil

1

14

nil 15

w

11

7x1

2x

5x1

4 nil

1

8

14

nil 15

T ′[x].dir = right ∧ T ′[x− 1] = red(cdr(T[x− 1]), car(T[x− 1]))


MAIN TALK



11

7x1

8 2x

5x1

4 nil

1

14

nil 15 w

11

7x1

2x

5x1

4 nil

1

8

14

nil 15



MAIN TALK



11

7x1

8 2x

5x1

4 nil

1

14

nil 15 w

11

7x1

2x

5x1

4 nil

1

8

14

nil 15



MAIN TALK



11

7x1

8 2x

5x1

4 nil

1

14

nil 15 w

11

7x1

2x

5x1

4 nil

1

8

14

nil 15



MAIN TALK



11

7x1

2x

5x1

4 nil

1

8

14

nil 15

w

11

7x1

2x

1 5 x1

4 nil

8

14

nil 15

T ′[x + 1].dir = left ∧ car(T ′[x− 1]) = T ′[x]∧ T ′[x] = red(cdr(T[x]), car(T[x]))


MAIN TALK



11

7x1

2x

5x1

4 nil

1

8

14

nil 15 w

11

7x1

2x

1 5 x1

4 nil

8

14

nil 15



MAIN TALK



11

7x1

2x

5x1

4 nil

1

8

14

nil 15 w

11

7x1

2x

1 5 x1

4 nil

8

14

nil 15



MAIN TALK



11

7x1

2x

5x1

4 nil

1

8

14

nil 15 w

11

7x1

2x

1 5 x1

4 nil

8

14

nil 15



CONCLUSION

OUR CONTRIBUTIONS

OUTLINE





CONCLUSION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS






CONCLUSION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS






CONCLUSION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS






CONCLUSION

OUR CONTRIBUTIONS

OUR CONTRIBUTIONS






CONCLUSION

FUTURE WORK

OUTLINE





CONCLUSION

FUTURE WORK

FUTURE WORK

+ Express more properties:Tree Orderings

+ Model Destructive Updates:Decidable Logic with Extraction and Assignment

T[p] def== the subtree of T at position p

T ⊕p T ′ def== the tree obtained from T by substituting T ′

for the subtree of T at position p


CONCLUSION

FUTURE WORK

FUTURE WORK

+ Express more properties:Tree Orderings

+ Model Destructive Updates:Decidable Logic with Extraction and Assignment

T[p] def== the subtree of T at position p

T ⊕p T ′ def== the tree obtained from T by substituting T ′

for the subtree of T at position p


CONCLUSION

FUTURE WORK

Thank You!

Documents

Zohar Manna1 Henny B. Sipma1 Ting Zhang2theory.stanford.edu/~tingz/talks/lfcs07_talk.pdf · VERIFYING BALANCED TREES VERIFYING BALANCED TREES Zohar Manna1 Henny B. Sipma1 Ting Zhang2