
ACL2-Certified AVL Trees



Presentation Transcript


  1. ACL2-Certified AVL Trees
  Ryan Ralston, University of Oklahoma
  • NSF DUE-0633004
  • Integrating Mechanized Logic into the SE Curriculum
  • Collaborative Project with Matthias Felleisen, Northeastern University

  2. Formal Verification in Software Development Customer Specification Company Application Formal Verifier

  3. Related Work
  • The Isabelle implementation of verified AVL trees only verifies correctness of insertion and look-up for balance and order
  • Gamboa and Cowles verified properties of red-black trees

  4. Defining AVL Structure in ACL2
  • Single rotation (zig), using (defstructure avl key left right height):

      (defun easy-R (tr)
        (let* ((L (lf (lf tr)))
               (R (avl (key tr)
                       (rt (lf tr))
                       (rt tr)
                       (ht-incr (rt (lf tr)) (rt tr)))))
          (avl (key (lf tr)) L R (ht-incr L R))))

  • Double rotations (zig/zag) are defined similarly
  • Rebalancing operations select the appropriate rotations

  5. Insertion Maintains Correct Recorded Height
  [Proof-dependency diagram; lemmas shown: insert, rebal-L, rebal-R, rot-L, rot-R, easy-L, easy-R, hard-L, hard-R, ht-incr, hard-L-able->easy-L-able, hard-R-able->easy-R]

  6. Deletion Does, Too
  [Proof-dependency diagram; lemmas shown: delete, shrink, rebal-L, rebal-R, raise-sacrum, ht-incr]

  7. Deletion Preserves Keys (old keys stay in tree)
  [Proof-dependency diagram; lemmas shown: delete, shrink, shrink-not-key, rebal-L, rebal-R, ht-incr->ht=ht-meas, shrink->ht=ht-meas, delete->ht=ht-meas]

  8. Deletion Conserves Keys (new tree has no new keys)
  [Proof-dependency diagram; lemmas shown: delete, shrink, shrink-key, rebal-L, rebal-R, ht-incr->ht=ht-meas, shrink->ht=ht-meas, delete->ht=ht-meas]

  9. Insertion Does Not Decrease Max Key in Tree
  [Proof-dependency diagram; lemmas shown: insert, rebal-L, rebal-R, insert-is-tree, tree-max-bigger-than-all-keys, ht-incr->ht=ht-meas, insert->ht=ht-meas]

  10. Deletion Does Not Increase Max Key in Tree
  [Proof-dependency diagram; lemmas shown: delete, rebal-L, rebal-R, rebal-L-is-tree, rebal-R-is-tree, delete-lemma-lf, delete-lemma-rt, delete->ht=ht-meas, ht-incr->ht=ht-meas]

  11. Insert Preserves Order
  [Proof-dependency diagram; lemmas shown: insert, rebal-L, rebal-R, insert-is-tree, insert-lf, insert-rt, insert->max, insert->min, insert->ht=ht-meas, ht-incr->ht=ht-meas]

  12. Deletion Preserves Order
  [Proof-dependency diagram; lemmas shown: delete, rebal-L, rebal-R, raise-sacrum, delete-2-lemma-1, delete-2-lemma-2, delete-2-lemma-3, delete-3-lemma-1, delete-3-lemma-2, delete-3-lemma-3, delete-4-lemma-1, delete-4-lemma-2, delete-4-lemma-3, del->max, del->min, delete->ht=ht-meas, ht-incr->ht=ht-meas]

  13. Insertion Preserves Balance
  [Proof-dependency diagram; lemmas shown: insert, insert-empty, insert-root, insert-left, insert-right, insert-inc-at-most-1]

  14. Noteworthy Facts
  • Requires a significant amount of code because of the number of cases that need to be proven individually
  • The code does not build upon itself very well: the double-rotation theorems, for example, do not apply the single-rotation theorems
  • My “handwritten” proof overlooked a detail I considered trivial, but ACL2 didn’t

  15. Preservation/Conservation of Keys Theorems

      (defthm operation-preserves-and-conserves-keys
        (iff (in-tree? k tr)
             (in-tree? k (operation tr))))

      (defthm operation-preserves-keys
        (implies (in-tree? k tr)
                 (in-tree? k (operation tr))))

      (defthm operation-conserves-keys
        (implies (not (in-tree? k tr))
                 (not (in-tree? k (operation tr)))))
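The following is an added example, not part of the slides or the ACL2 development they describe: it models the avl record and easy-R rotation from slide 4 in Python and checks, on one constructed tree, the properties the theorems on slides 5 and 15 state (recorded height equals measured height, keys are preserved and conserved). The function names ht, ht_incr, easy_R, ht_meas and ht_eq_ht_meas mirror the slide names; avl, ordered, balanced, rotation_report and UNBALANCED are my own. This is an executable check on one input, not a proof.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Avl:                           # mirror of (defstructure avl key left right height)
    key: int
    left: Optional["Avl"]            # None is the empty tree
    right: Optional["Avl"]
    height: int                      # recorded height, stored in the node

def ht(tr):                          # recorded height; the empty tree has height 0
    return 0 if tr is None else tr.height
def ht_incr(l, r):                   # height of a node built over subtrees l and r
    return 1 + max(ht(l), ht(r))
def avl(key, l, r):                  # constructor (mine) that records the correct height
    return Avl(key, l, r, ht_incr(l, r))

def easy_R(tr):
    """Slide 4's single right rotation: the left child becomes the new root."""
    L = tr.left.left
    R = avl(tr.key, tr.left.right, tr.right)
    return avl(tr.left.key, L, R)

def ht_meas(tr):                     # height recomputed from the shape, ignoring records
    return 0 if tr is None else 1 + max(ht_meas(tr.left), ht_meas(tr.right))
def ht_eq_ht_meas(tr):               # ht=ht-meas?: every recorded height is the measured one
    return tr is None or (tr.height == ht_meas(tr)
                          and ht_eq_ht_meas(tr.left) and ht_eq_ht_meas(tr.right))
def keys(tr):                        # key set, so in-tree? becomes set membership
    return set() if tr is None else keys(tr.left) | {tr.key} | keys(tr.right)
def ordered(tr, lo=float("-inf"), hi=float("inf")):   # binary-search-tree order
    return tr is None or (lo < tr.key < hi and ordered(tr.left, lo, tr.key)
                          and ordered(tr.right, tr.key, hi))
def balanced(tr):                    # AVL invariant: sibling heights differ by at most 1
    return tr is None or (abs(ht_meas(tr.left) - ht_meas(tr.right)) <= 1
                          and balanced(tr.left) and balanced(tr.right))

def rotation_report(tr):
    """Check, on one tree, the properties the slides' theorems state for a rotation."""
    new = easy_R(tr)
    return {"same_keys": keys(new) == keys(tr),   # preserves and conserves keys
            "height_ok": ht_eq_ht_meas(new),      # recorded heights remain correct
            "ordered": ordered(new), "balanced": balanced(new), "root": new.key}

# Constructed left-heavy input: the left subtree is two levels taller than the right.
UNBALANCED = avl(30, avl(20, avl(10, avl(5, None, None), None), avl(25, None, None)),
                 avl(40, None, None))

if __name__ == "__main__":
    print(rotation_report(UNBALANCED))
```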

  16. Working Backwards
  • Areas of use include the tree max and min proofs on deletion
  • Almost no unnecessary lemmas proven
  • The approach will work but can produce results such as:

      (defthm del-tree-max
        (implies (ht=ht-meas? tr)
                 (decreasing-max-p (del k tr) tr))
        :hints (("Goal" :hands-off (rebal-L rebal-R ht-incr raise-sacrum decreasing-max-p))
                ("Subgoal *1/7" :use ((:instance del-tree-max-lemma-5)))
                ("Subgoal *1/5" :use ((:instance del-tree-max-lemma-4)))
                ("Subgoal *1/3" :use ((:instance raise-sacrum-tree-max)))
                ("Subgoal *1/2''" :use ((:instance avl-right-dec-max-p-tr)))
                ("Subgoal *1/1'" :use ((:instance empty-tr1-is-dec-max-p (tr1 tr) (tr2 tr))))))

  17. Questions?
