Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automating Separation Logic with Trees and Data Ruzica Piskac Yale University Thomas Wies New York University Damien Zufferey MIT CSAIL CAV, 22.07.2014,

Published byCamron Logan Modified over 9 years ago

Similar presentations

Presentation on theme: "Automating Separation Logic with Trees and Data Ruzica Piskac Yale University Thomas Wies New York University Damien Zufferey MIT CSAIL CAV, 22.07.2014,"— Presentation transcript:

1 Automating Separation Logic with Trees and Data Ruzica Piskac Yale University Thomas Wies New York University Damien Zufferey MIT CSAIL CAV, 22.07.2014, Vienna 1

2 Motivation: extracting max element in a BST procedure extract_max(root: Node, pr: Node) returns (new_root: Node, max: Node) { var c, m: Node; if (root.right != null) { c, m := extract_max(root.right, root); root.right := c; return root, m; } else { c := root.left; root.parent := null; if (c != null) c.parent := pr; return c, root; }} 0 6 0 6 2

3 Motivation: extracting max element in a BST procedure extract_max(root: Node, pr: Node) returns (new_root: Node, max: Node) { var c, m: Node; if (root.right != null) { c, m := extract_max(root.right, root); root.right := c; return root, m; } else { c := root.left; root.parent := null; if (c != null) c.parent := pr; return c, root; }} m p r 3

4 Motivation: extracting max element in a BST procedure extract_max(root: Node, pr: Node) returns (new_root: Node, max: Node) { var c, m: Node; if (root.right != null) { c, m := extract_max(root.right, root); root.right := c; return root, m; } else { c := root.left; root.parent := null; if (c != null) c.parent := pr; return c, root; }} p r 4

5 Motivation: extracting max element in a BST procedure extract_max(root: Node, pr: Node) returns (new_root: Node, max: Node) { var c, m: Node; if (root.right != null) { c, m := extract_max(root.right, root); root.right := c; return root, m; } else { c := root.left; root.parent := null; if (c != null) c.parent := pr; return c, root; }} 0 6 5 Memory safety Preserve shape of trees Functional correctness Preserve frame

6 Trees in SL x l r 6 Allocated (access) Separating conjunction

7 Motivation: extracting max element in a BST Non-empty binary search tree Binary search tree and a single node 7

8 Motivation: extracting max element in a BST 8

9 Existing approaches to reasoning about SL with trees Unrolling inductive definitions [Nguyen et al. 07, Qiu et al. 13] Advantages: conceptually simple and efficient Limitation: incompleteness Reduction to MSOL [Iosif et al. 13] Advantage: complete Limitations: high complexity, non trivial extensions with data Other approaches not targeting SL Limitations: global assumptions about structure of the heap 9

10 Limitation of unfolding based methods procedure contains(root: Node, val: Int) returns (res: Bool) requires tree(root); ensures tree(root); { var curr: Node := root; while (curr != null && curr.data != val) invariant ???; { if (curr.data < val) { curr := curr.left; } else if (curr.data > val) { curr := curr.right; } } if (curr != null) return true; else return false; } root curr 10

11 Contributions A decision procedure for a fragment of SL with trees and data Complete “Low” complexity (NP-complete) SMT-based (allows for combination with other theories) Implemented in the GRASShopper tool Functional correctness of tree based data structure 11

12 Limitation of unfolding based methods procedure contains(root: Node, val: Int) returns (res: Bool) requires tree(root); ensures tree(root); { var curr: Node := root; while (curr != null && curr.data != val) invariant tree(curr) -** tree(root); { if (curr.data < val) { curr := curr.left; } else if (curr.data > val) { curr := curr.right; } } if (curr != null) return true; else return false; } root curr “Russian dolls” operator 12

13 Reducing SL to First Order Logic 13

14 SL to First Order Logic [Piskac et al. 13] formula structurefootprint SL FOL For entailment queries: negate only reachabilitysets precise fragment 14 decidable fragment We provide a target logic, called GRIT, for SL of trees

15 Example of the Translation 15

16 Decision Procedure 16

17 Backward Reachability t1t1 t2t2 l l l r r r ( l,r ) * t1t1 t2t2 p pp p p p p*p* Reasoning using backward reachability [Balaban et al. 07] Allows us to use work on reachability logics [Rakamaric et al. 07, Lahiri & Qadeer 08] Axiomatization of Tree in terms of reachability predicates, based on [Wies et al. 11] 17

18 Axioms: definition of the footprint root x null p*p* 18

19 Axioms: p inverse of l x lp*p* 19

20 Axioms: l and r descendants y x p*p* y x l p*p* y x p*p* r x,y 20

21 Underlying Principle Based on local theory extensions [Sofronie-Stokkermans, CADE’05] Reasoning done on partial models p* p l,r 21

22 Extensions with Data 22

23 Monadic predicates 23 Apply the axioms to each term in the formula 21 3 3 2 1

24 Binary predicates Needs to be transitive (generalize to reachability) Sorted trees are ok Trees with height are not 24 01 2 3 03 Reasoning on partial model

25 Set projection 25 2 03 null

26 Experiments GRASShopper https://cs.nyu.edu/wies/software/grasshopper/ Tested on tree data structures: binary search trees skew heaps union-find (inverted trees) Show memory safety and functional correctness for basic operations Operations: from 8 to 77 LOC, spec from 3 to 7 lines Solving time: median=3s, average = 33s, max = 361s Detailed results in the paper 26

27 Contributions In this paper, we introduced: An NP-decision procedure for a fragment of SL with trees and data SMT-based decision procedure allows for combination with other theories Implemented in the GRASShopper tool https://cs.nyu.edu/wies/software/grasshopper/ 27

28 Related Work SL inductive definitions of bounded tree-width [Iosif et al. 13] MSOL [Thatcher & Wright 68, Klarlund & Møller 01] Reachability and data: [Bouajjani et al. 09, Madhusudan et al. 11] Tools for proving functional correctness of linked data structures: Bedrock [Chlipala 13], Dafny [Leino 13], Jahob [Zee et al. 08], HIP/SLEEK [Nguyen et al. 07], and VeriFast [Jacobs et al. 11]. … 28

29 Axioms: no non-trivial cycles x y x,y p*p* 29

30 Axioms: nothing between parent and child x l p*p* y x y l x,y lp*p*p*p* 30

31 Axioms: children distinct x l,r x null l,r 31

32 First Common Ancestor Needed to make sure we can build trees from partial models x y x y fca(p,x,y) 32

33 GRASShopper: experimental results 1 Data structureProcedure# LOC# L spec# L ghost#VCsTime in s Set as binary tree Functional correctness Contains173393 Destroy82271 Extract_max1453920 Insert24231561 Remove3321135117 Rotate (l,r)8341115 Set as sorted list Functional correctness Contains157641 Delete2676812 Difference20311513 Insert2576869 Union203115 33

34 GRASShopper: experimental results 2 Data structureProcedure# LOC# L spec# L ghost#VCsTime in s Union-find (tree view) Functional correctness Find122140.2 Union103140.3 Create113030.1 Union-find (list view) Path compression Find123140.1 Union97143 Create101030.1 Skew heap Shape, heap property Insert172270.3 Union11241235 Extract_max921116 34 And some more examples using loops …

35 Axiomatization of GRIT 35

36 First-Order Axioms for B(etween) 36

37 Graph Reachability and Inverted Trees (GRIT) 37

38 Frontend / SpecificationBackend / Solver SL + succinct + intuitive - tailor-made solvers - difficult to extend + local reasoning (frame inference) FOL + flexible - complex + standardized solvers (SMT-LIB) + extensible (e.g. Nelson-Oppen) Motivation for SMT-based SL reasoning Strong theoretical guarantees: sound, complete, tractable complexity (NP) Mixed specs: escape hatch when SL is not suitable. 38

Download ppt "Automating Separation Logic with Trees and Data Ruzica Piskac Yale University Thomas Wies New York University Damien Zufferey MIT CSAIL CAV, 22.07.2014,"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
§6 Leftist Heaps CHAPTER 5 Graph Algorithms  Heap: Structure Property + Order Property Target : Speed up merging in O(N). Leftist Heap: Order Property.

§6 Leftist Heaps CHAPTER 5 Graph Algorithms  Heap: Structure Property + Order Property Target : Speed up merging in O(N). Leftist Heap: Order Property.
Comp 122, Spring 2004 Binary Search Trees. btrees - 2 Comp 122, Spring 2004 Binary Trees  Recursive definition 1.An empty tree is a binary tree 2.A node.

Comp 122, Spring 2004 Binary Search Trees. btrees - 2 Comp 122, Spring 2004 Binary Trees  Recursive definition 1.An empty tree is a binary tree 2.A node.
Binary Trees, Binary Search Trees CMPS 2133 Spring 2008.

Binary Trees, Binary Search Trees CMPS 2133 Spring 2008.
1 Chapter 6 Priority Queues (Heaps) General ideas of priority queues (Insert & DeleteMin) Efficient implementation of priority queue Uses of priority queues.

1 Chapter 6 Priority Queues (Heaps) General ideas of priority queues (Insert & DeleteMin) Efficient implementation of priority queue Uses of priority queues.
CS 315 March 24 Goals: Heap (Chapter 6) priority queue definition of a heap Algorithms for Insert DeleteMin percolate-down Build-heap.

CS 315 March 24 Goals: Heap (Chapter 6) priority queue definition of a heap Algorithms for Insert DeleteMin percolate-down Build-heap.
Combining Theories Sharing Set Operations Thomas Wies joint work with Ruzica Piskac and Viktor Kuncak TexPoint fonts used in EMF. Read the TexPoint manual.

Combining Theories Sharing Set Operations Thomas Wies joint work with Ruzica Piskac and Viktor Kuncak TexPoint fonts used in EMF. Read the TexPoint manual.
1 Trees. 2 Outline –Tree Structures –Tree Node Level and Path Length –Binary Tree Definition –Binary Tree Nodes –Binary Search Trees.

1 Trees. 2 Outline –Tree Structures –Tree Node Level and Path Length –Binary Tree Definition –Binary Tree Nodes –Binary Search Trees.
Chapter 9 contd. Binary Search Trees Anshuman Razdan Div of Computing Studies

Chapter 9 contd. Binary Search Trees Anshuman Razdan Div of Computing Studies
1 BST Trees 5 38 149. 2 A binary search tree is a binary tree in which every node satisfies the following: the key of every node in the left subtree is.

1 BST Trees A binary search tree is a binary tree in which every node satisfies the following: the key of every node in the left subtree is.
CSCE 3110 Data Structures & Algorithm Analysis Binary Search Trees Reading: Chap. 4 (4.3) Weiss.

CSCE 3110 Data Structures & Algorithm Analysis Binary Search Trees Reading: Chap. 4 (4.3) Weiss.
CPS 100 9.1 Balanced Search Trees l BST: efficient lookup, insertion, deletion  Average case: O(log n) for all operations since find is O(log n) [complexity.

CPS Balanced Search Trees l BST: efficient lookup, insertion, deletion  Average case: O(log n) for all operations since find is O(log n) [complexity.
1 Trees A tree is a data structure used to represent different kinds of data and help solve a number of algorithmic problems Game trees (i.e., chess ),

1 Trees A tree is a data structure used to represent different kinds of data and help solve a number of algorithmic problems Game trees (i.e., chess ),
Verifying Properties of Well-Founded Linked Lists Verifying Properties of Well-Founded Linked Lists Shuvendu K. Lahiri Shaz Qadeer Software Reliability.

Verifying Properties of Well-Founded Linked Lists Verifying Properties of Well-Founded Linked Lists Shuvendu K. Lahiri Shaz Qadeer Software Reliability.
Binary Trees, Binary Search Trees RIZWAN REHMAN CENTRE FOR COMPUTER STUDIES DIBRUGARH UNIVERSITY.

Binary Trees, Binary Search Trees RIZWAN REHMAN CENTRE FOR COMPUTER STUDIES DIBRUGARH UNIVERSITY.

Similar presentations

Ads by Google