Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.

Published byClementine Clark Modified over 9 years ago

Similar presentations

Presentation on theme: "Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla."— Presentation transcript:

1 Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla

2 Outline Motivation Methodology Results and Future Work

3 Motivation How do we verify skiplist algorithms? Why? Why: Skiplists are important data structures, eg in databases, distributed systems Verifying is complicated because skiplists are multi-pointers structures There is no previous work that formally verify skiplists algorithms Our Motivation: Employ transitive closure logic to handle multi-pointers data structures Introduce a method to discover and verify quantified invariants for multi-pointers programs Apply such method to skiplist algorithms.

4 Skiplist Skiplist is a list with a number of sorted single linked lists, each linked list is located at a layer Properties: Every single linked list at any layer is sorted accorrding to node’s key values List at higer layer is a sublist of list at lower layer mmm ss -∞ 510 +∞ headtail

5 Example Add(8) mmm ss -∞ 510 +∞ headtail 8 m s m s sPred = mPred sSucc = mSucc

6 How to verify program invariants Assume that we have the invariant I of program P and we want to verify it. We need to: Annotate program P by computing assertions at program points and then verify I at all assertions

7 Program Assertion Assertion : Assertion at each program point is a conjunction of atomic predicates which are valid in that point and taken from abstract domain Example: P1: (x = y)  (y  * z)  (x  * t) Abstract Domain: Set of predicates P = { P 1, …, P n } given by users Each predicate describes relations between program variables

8 Example 1.int insert(x) Abstract Domain 2.{ head → * tail, head = pred head → * tail pred → * x, x → * tail 3. node* pred = head head = pred ˄ head → * tail 4. pred.next := x head = pred ˄ pred → * x 5. x.next := tail ? } How to get assertion for each program point?

9 Compute Post Assertion Let A’ is successor of program point A, then its assertion is obtained as below For each predicate P from the abstract domain If it is valid in A' that means if post(A,S)  P Add P to the assertion Here post(A,S) is post-condition which are program states reached from A when we execute the statement S

10 Example Abstract Domain head → * tail, head = pred pred → * x, x → * tail A.head = pred ˄ pred → * x x.next := tail A’.? } head = pred ok pred → * x: ok x → * tail: ok head → * tail: ok For each predicate P from the abstract domain If it is valid in A' that means that if post(A,S)  P Add P to the assertion For each predicate P from the abstract domain If it is valid in A' that means that if post(A,S)  P Add P to the assertion Post(head = pred ˄ pred → * x, x.next := tail ) = head = pred ˄ pred → * x ˄ x → tail Assertion : head = pred ˄ pred → * x ˄ x → * tail ˄ head → * tail

11 Assertion Template for Skiplists Invariant:  u,v  (P i (u,v)  e i (u,v)) Assertion form at each program point E   u,v  (P i (u,v)  e i (u,v)) Where ♦ E: conjunction of atomic predicates valid at that point ♦ e i (u,v): an atomic predicate of u and v ♦ P i (u,v): conjunction of atomic predicates of u and v global variables Example: E   u,v (u → m * v  u ≤ v)

12 Assertion Inferring Start with an empty list Run for a loop to insert and delete nodes randomlly For each loop iteration Generate environments for program points When the loop is terminated, take intersection of environments at the same program points. For each common environment: Find minimal conjunction P i (u,v) such that P i (u,v)  e i (u,v)

13 Example 1.int insert(x) 2.{ 3.find(x, mPred,sPred, mSucc,sSucc) head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc 4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc ˄ mPred = sPred ˄ mSucc = sSucc ˄ mPred → m* n ˄ n → m* mSucc ˄ sPred → s* n ˄ n → s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n < sSucc 9.return 0 10.} 1.int insert(x) 2.{ 3.find(x, mPred,sPred, mSucc,sSucc) head → m mPred ˄ head → s sPred ˄ mSucc → m tail ˄ sSucc → s tail 4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head  m mPred ˄ head  s sPred ˄ mSucc  m tail ˄ sSucc  s tail mPred = sPred ˄ mSucc = sSucc ˄ mPred → m* n ˄ n → m* mSucc ˄ sPred → s* n ˄ n → s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n < sSucc 9.return 0 10.}

14 Example (cont) Common environment at program point 9 head → m* mPred ˄ head → s* sPred ˄ mSucc → m* tail ˄ sSucc → s* tail ˄ mPred = sPred ˄ mSucc = sSucc ˄ mPred → m* n ˄ n → m* mSucc ˄ sPred → s* n ˄ n → s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n < sSucc Invariant : u → s* v  u → m* v

15 Inductive Assertion Inductive Assertion Assertion is inductive  Holds at initial program points  If it holds at a program point A, it also holds at A’s sucssesor

16 Assertion Verifing Is  u,v  (P i (u,v)  e i (u,v)) valid in A’ ? E   u,v  (P i (u,v)  e i (u,v)) E’  post(  u,v  (P i (u,v)  e i (u,v))) S A’ A

17 Assertion Verifing Check that: E’   u,v post(  (P i (u,v)  e i (u,v)))   u,v  (P i (u,v)  e i (u,v)) General Form: E’   X  (X)   X  (Y)

18 Quantifier Instantiation To prove: E’   X  (X)   X  (Y)  Using terms Y 1, Y 2,…., Y n that appear in E’  Expand as ψ (Y 1 )  …  ψ (Y n )  ψ (Y)   (Y) If unsatisfiable, then so is quantified formula The approach is sound, but incomplete

19 Example Assume that the invariant  u,v (x → s* y  x → m* y) holds in program point 8 of previous insert function. Then we will show how to prove that its preserved in program point 9 1.int insert(x) 2.{ 3.find(x, mPred,sPred,mSucc,sSucc) head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc 4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc ˄ mPred = sPred ˄ mSucc = sSucc ˄ mPred → m* n ˄ n → m* mSucc ˄ ˄ n < sSucc sPred → s* n ˄ n → s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n 9.return 0 10.}

20 Example(cont) Program point 8  = u → s* v  u → m* v = ˥ (u → s* v) ˅ u → m* v After statement: sPred.sNext := n E’ = sPred  m * n ˄...... Program point 9  = ˥ (u → s* v) ˅ (u → s* sPred ˄ n → s* v) ˅ u → m* v Prove : E’   u,y  (u,v)   u,v  (u,v) E’   u,y  (u,v) ˄ ˥  (u 1, v 1 ) is unsastifiable  (u 1,sPred) = ˥ (u 1 → s* sPred) ˅ u 1 → m* sPred  (n, v 1 ) = ˥ (n → s* v 1 ) ˅ n → m* v 1  (u 1, v 1 ) = ˥ (u 1 → s* v 1 ) ˅ (u 1 → s* sPred ˄ n → s* v 1 ) ˅ u → m* v 1 ˥  (u 1, v 1 ) = u 1 → s* v 1 ˄ ˥ (u 1 → m* v 1 ) E ˄  (u 1, v 1 ) ˄ ˥  (u 1, v 1 ) ˄  (u 1,sPred) ˄  (n, v 1 ) = u 1 → m* sPred ˄ sPred → m* n ˄ n → m* v 1 ˄ ˥ (u 1 → m* v 1 ) ˄ (u 1 → s* sPred ˄ n → s* v 1 ) contradiction

21 Results New method to infer and verify quantidied invariants of multi-pointers structures Apply such method to skiplist algorithms, manually infer and verify the invariant of the skiplist algorithm in the paper: A Simple Optimistic skip-list Algorithm http://www.cs.brown.edu/~levyossi/Pubs/LazySkipList.p df when we simplify it to two layers skiplist algorithm. http://www.cs.brown.edu/~levyossi/Pubs/LazySkipList.p df  x,y(x → s* y  x → m* y)  (x → m* y  x ≠ y  x< y) This algorithm is concurrent, so we use thread modular technique compute assertions but its not too important in this thesis

22 Future Work Implement the framework Develop methods to refine abstract domain automatically

23 Thank You

Download ppt "Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla."

Similar presentations

Chapter 22 Implementing lists: linked implementations.

Chapter 22 Implementing lists: linked implementations.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Copyright W. Howden1 Lecture 13: Programming by Contract.

Copyright W. Howden1 Lecture 13: Programming by Contract.
Discrete Mathematics Lecture 4 Harper Langston New York University.

Discrete Mathematics Lecture 4 Harper Langston New York University.

Similar presentations

Ads by Google