Context
Schorr-Waite
BDD
Conclusion
FraDeCo(P)P 2012
Proofs of pointer algorithms by inductive representation of graphs
Mathieu Giorgino, Ralph Matthes, Martin Strecker
Université Paris-Est Créteil, 15/05/2012
Pointers / Graphs / Inductive
Mathieu Giorgino
1 / 24
Outline
1 Context: Introduction; Approach; Verification of graph transformations
2 Schorr-Waite: Demo; Description; Verification
3 BDD: Description; Verification
4 Conclusion
Introduction
First remark: most usual data structures are tree-shaped, with several kinds of additional pointers: sharing pointers, root pointers, father pointers, ...
For numerous algorithms, different views on the data structures can be used for the verification.
Approach
Verification objective: generate efficient and verified programs (with pointers and/or mutable structures) through safe code generation.
Abstract language: arborescent (tree-shaped) data structure + pointers; properties verified by induction.
Imperative language: efficient (sharing, mutability); same properties.
Approach
General frame
(Diagram: from a (meta-)model, an Isabelle/HOL theory and an Imperative HOL theory are obtained; Isabelle/HOL extraction produces Scala code, which is compatible with other classes (Scala/Java).)
Approach
Related work
Graph representation: nodes and edges; coinduction; trees + pointers: PALE [MS01], term-graph rewriting in Tom using relative positions [BB08], locally nameless encoding of lambda-terms [Cha09], B+ trees functional representation with pointers [MM10].
Verification: proofs on raw heap and pointers; Hoare (separation) logic [Rey02].
Verification
Case studies - overview
Schorr-Waite: arbitrary rooted graph (with outgoing arity ≤ 2); high mutability; proof by simulation; LOPSTR'2010 [GSMP10].
BDD: rooted acyclic graph (shared tree); reference comparisons; direct proof; TAAPSD'2010 [GS10], FoVeOOS'2011 [GS11].
Demo
Demo
Description
Algorithm features
Purpose: marking graphs without using more space (stack, ...); traversing a tree by tail recursion and without a stack.
Use: garbage collector, case study, ...
Principle: modification of the graph pointers to store the path to the root; 2 variables containing the pointers: t, to the current node; p, to the previously visited node.
Description
Steps: push, swing, pop
(Diagrams: each step shows the pointers p and t before and after the move, together with the left (L) and right (R) edges of the current node.)
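As an added example (not the authors' Isabelle/HOL theory nor the Scala code extracted from it), the following Python implementation of the three steps on binary nodes (outgoing arity ≤ 2) makes the pointer reversal concrete. The Node class, its marked and flag bits, and the sample graph EDGES are constructed for this example; the flag bit records whether the reversed back pointer currently sits in the left or the right field, which is what lets push, swing and pop work with only p and t and no stack. The check at the end compares the marked set against an explicit-stack traversal and verifies that every pointer is restored, the two properties any verification of the marking algorithm has to establish.

```python
class Node:
    """Binary graph node. The marked and flag bits are the only extra storage
    the algorithm needs per node (class constructed for this example)."""
    __slots__ = ("name", "left", "right", "marked", "flag")

    def __init__(self, name):
        self.name = name
        self.left = None
        self.right = None
        self.marked = False   # already visited?
        self.flag = False     # False: back pointer stored in left; True: in right


def schorr_waite(root):
    """Mark every node reachable from root by pointer reversal.
    p points to the previously visited node, t to the current one."""
    p, t = None, root
    while True:
        if t is not None and not t.marked:
            # push: enter t, reverse its left edge to remember the way back (p)
            t.marked = True
            t.flag = False
            q = t.left
            t.left = p
            p, t = t, q
        elif p is None:
            break                       # back at the root, nothing left to visit
        elif not p.flag:
            # swing: left subtree of p done; restore left, reverse right, go right
            p.flag = True
            back = p.left
            p.left = t
            t = p.right
            p.right = back
        else:
            # pop: right subtree of p done; restore right and climb back to p's parent
            back = p.right
            p.right = t
            p, t = back, p


def build_graph(edges):
    """edges maps a node name to (left name or None, right name or None)."""
    nodes = {n: Node(n) for n in edges}
    for n, (l, r) in edges.items():
        nodes[n].left = nodes[l] if l is not None else None
        nodes[n].right = nodes[r] if r is not None else None
    return nodes


def snapshot(nodes):
    """Pointer structure as plain data, to check that marking restores it."""
    return {n: (v.left.name if v.left else None, v.right.name if v.right else None)
            for n, v in nodes.items()}


def reachable(edges, root):
    """Reference traversal with an explicit stack (what Schorr-Waite avoids)."""
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n is None or n in seen:
            continue
        seen.add(n)
        stack.extend(edges[n])
    return seen


def mark_graph(edges, root):
    """Run the algorithm; return (set of marked names, structure restored?)."""
    nodes = build_graph(edges)
    before = snapshot(nodes)
    schorr_waite(nodes[root])
    marked = {n for n, v in nodes.items() if v.marked}
    return marked, snapshot(nodes) == before


# Constructed sample: cycles (b -> a, d -> d) and a node e unreachable from a.
EDGES = {
    "a": ("b", "c"),
    "b": (None, "a"),
    "c": ("d", None),
    "d": ("d", "b"),
    "e": ("a", None),
}

if __name__ == "__main__":
    print(mark_graph(EDGES, "a"))   # ({'a', 'b', 'c', 'd'}, True)
```

The sharing and cycles in EDGES are exactly what makes the graph differ from a tree: a node reached a second time is already marked, so the algorithm treats that edge like a leaf and never pushes through it, which is why termination and restoration still hold.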
Verification
Proof by simulation
(Diagram: the abstract transition sw-tr acts on configurations (p, t); the implementation transition sw-impl-tr acts on states (vs, s) as runST (sw-impl-tr vs) s; the relation config-alloc-in-state links each abstract configuration to the corresponding implementation state, so that the two transitions commute.)
Verification
Choosing the spanning tree: example with 2 possibilities
(Diagram: a small graph, with ⊥ marking absent children, admitting two candidate spanning trees.)
Verification
The wrong one! (Diagram: the first candidate spanning tree, with pointers p and t, followed through the steps push, push, swing, pop.)
The good one! (Diagram: the second candidate spanning tree, with pointers p and t, followed through the steps ..., swing, push, swing.)
Description
Demo
Description
Sharing
We add references to represent sharing. They also allow adding mutable content in the nodes.
(Diagram: a decision tree over the variables x, y, z with leaves 0, 1, ⊥ and ⊤, drawn first as a tree and then as a shared structure whose nodes are numbered references 0 to 5; the reference table records a counter nbrefs per entry: 0 for entries 0 to 3, 1 for entry 4, and unset for entry 5.)
Description
build

primrec build :: 'v expr ⇒ (bool, 'v) rtree Heap
where
  build (Var i) = do { cf ← constLeaf False; ct ← constLeaf True; mk i cf ct }
| build (Const b) = constLeaf b
| build (BExpr bop e1 e2) = do { n1 ← build e1; n2 ← build e2; app bop (n1, n2) }

(Diagram: build applied to E1 and E2 yields T1 and T2, which app combines with ∧.)
Description
app

function app :: (bool ⇒ bool ⇒ bool) ⇒ ((bool, 'v) rtree ∗ (bool, 'v) rtree) ⇒ (bool, 'v) rtree Heap
where
  app bop (n1, n2) = do {
    if tpair is-leaf (n1, n2)
    then constLeaf (bop (leaf-val n1) (leaf-val n2))
    else do {
      let ((l1, h1), (l2, h2)) = select split-lh dup (n1, n2);
      l ← app bop (l1, l2);
      h ← app bop (h1, h2);
      mk (varOfLev (min-level (n1, n2))) l h
    }
  }

(Diagram: for nodes on variable x with children l1, h1 and l2, h2, app ∧ recurses on (l1, l2) and (h1, h2) to obtain l and h, then mk builds the result node.)
Description
Memoization and garbage collection
Memoization: records previous computation results to reuse them; little change in functions and proofs.
Garbage collection: removes no longer used BDDs from the maximal sharing table; several reference counter mutations in functions and proofs; weakening of an invariant.
Verification
Main theorem & benchmarks
Equivalent expressions construct the same BDD:

lemma build-correct:
  [[ ∀ t ∈ trees s1 ∪ trees s2. robdd-refs t; wf-heap s1; effect (build e1) s1 s1' t1;
     wf-heap s2; effect (build e2) s2 s2' t2 ]]
  ⟹ (interp-expr e1 = interp-expr e2) ⟷ struct-equal (t1, t2)

(Plots: Pigeonhole benchmark, time (ms) against pigeon number from 8 to 12, and Urquhart benchmark, time (ms) against variable number from 0 to 2,000, both on a logarithmic time axis from 10^2 to 10^5 ms, comparing the code extracted from Isabelle to Scala, a Scala implementation, and JavaBDD with table sizes 10^6 and 5 × 10^6.)
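The build and app slides, the memoization slide and the build-correct lemma can all be exercised on one small model. The Python below is an added example, not the authors' Isabelle/HOL development nor its extracted Scala: the class BddHeap, its dict-based unique table standing in for the maximal sharing table, the memo dictionary for app, the convention that leaves sit below every variable, and the expression tuples are all assumptions of this example (names such as mk, app, build, is-leaf and leaf-val are borrowed from the slides; reference counters and garbage collection are not modelled). The final functions mirror the statement of build-correct: two expressions are semantically equal (checked by truth table) exactly when build returns the same node identifier, which is the struct-equal check when sharing is maximal.

```python
import itertools

# Binary operators available in expressions (constructed for this example).
OPS = {"and": lambda a, b: a and b,
       "or": lambda a, b: a or b,
       "xor": lambda a, b: a != b}


class BddHeap:
    """Node store with a unique table (maximal sharing) and an app memo table."""

    def __init__(self):
        self.nodes = [("leaf", False), ("leaf", True)]  # ids 0 and 1 are the constant leaves
        self.unique = {}   # (var, low, high) -> node id, ensures one node per triple
        self.memo = {}     # (op name, n1, n2) -> node id, the memoization of app

    def const_leaf(self, b):
        return 1 if b else 0

    def is_leaf(self, n):
        return self.nodes[n][0] == "leaf"

    def leaf_val(self, n):
        return self.nodes[n][1]

    def mk(self, var, low, high):
        """Hash-consing constructor: reuse an existing node, drop redundant tests."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(("node", var, low, high))
        return self.unique[key]

    def level(self, n):
        # Variable index is the level; leaves are below every variable (assumption).
        return float("inf") if self.is_leaf(n) else self.nodes[n][1]

    def split(self, n, var):
        """split-lh when n tests var, dup (same node on both sides) otherwise."""
        if not self.is_leaf(n) and self.nodes[n][1] == var:
            return self.nodes[n][2], self.nodes[n][3]
        return n, n

    def app(self, opname, bop, n1, n2):
        key = (opname, n1, n2)
        if key in self.memo:                       # memoization: reuse earlier result
            return self.memo[key]
        if self.is_leaf(n1) and self.is_leaf(n2):
            res = self.const_leaf(bop(self.leaf_val(n1), self.leaf_val(n2)))
        else:
            var = min(self.level(n1), self.level(n2))   # min-level of the pair
            l1, h1 = self.split(n1, var)
            l2, h2 = self.split(n2, var)
            res = self.mk(var, self.app(opname, bop, l1, l2),
                               self.app(opname, bop, h1, h2))
        self.memo[key] = res
        return res

    def build(self, e):
        if e[0] == "var":
            return self.mk(e[1], self.const_leaf(False), self.const_leaf(True))
        if e[0] == "const":
            return self.const_leaf(e[1])
        _, opname, e1, e2 = e
        return self.app(opname, OPS[opname], self.build(e1), self.build(e2))

    def evaluate(self, n, env):
        """Follow the decision path for a variable assignment env (var -> bool)."""
        while not self.is_leaf(n):
            _, var, low, high = self.nodes[n]
            n = high if env[var] else low
        return self.leaf_val(n)


def interp_expr(e, env):
    if e[0] == "var":
        return env[e[1]]
    if e[0] == "const":
        return e[1]
    _, opname, e1, e2 = e
    return OPS[opname](interp_expr(e1, env), interp_expr(e2, env))


def all_envs(nvars):
    return [dict(enumerate(bits)) for bits in itertools.product([False, True], repeat=nvars)]


def same_bdd(heap, e1, e2):
    """struct-equal side of build-correct: identical node ids under maximal sharing."""
    return heap.build(e1) == heap.build(e2)


def semantically_equal(e1, e2, nvars):
    """interp-expr side of build-correct, decided by exhaustive truth table."""
    return all(interp_expr(e1, env) == interp_expr(e2, env) for env in all_envs(nvars))


def bdd_agrees_with_expr(heap, e, nvars):
    n = heap.build(e)
    return all(heap.evaluate(n, env) == interp_expr(e, env) for env in all_envs(nvars))


# Constructed sample expressions over two variables.
X0, X1 = ("var", 0), ("var", 1)
E_AND = ("bop", "and", X0, X1)
E_AND_REV = ("bop", "and", X1, X0)
E_OR = ("bop", "or", X0, X1)
E_XOR_SELF = ("bop", "xor", X0, X0)
```

Because mk consults the unique table, building E_AND_REV after E_AND allocates no new node, and E_XOR_SELF collapses to the leaf 0 without ever creating a node for variable 0 in the result; both are visible in the size of heap.nodes.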
Conclusion
Approach: representing graphs as (trees + pointers) to verify transformations.
Schorr-Waite: arbitrary rooted graph (with outgoing arity ≤ 2); high mutability / proof by simulation.
BDD: rooted acyclic graph (shared tree); reference comparisons / direct proof.
Thanks for your attention
References
[BB08] Emilie Balland and Paul Brauner. Term-graph rewriting in Tom using relative positions. In Ian Mackie, editor, 4th International Workshop on Computing with Terms and Graphs (TERMGRAPH 2007), volume 203 of ENTCS, pages 3–17, Braga, Portugal, 2008. Elsevier.
[Cha09] Arthur Charguéraud. The locally nameless representation. Unpublished, http://arthur.chargueraud.org/research/2009/ln/, July 2009.
[GS10] Mathieu Giorgino and Martin Strecker. BDDs verified in a proof assistant (preliminary report). In A.V. Anisimov and M.S. Nikitchenko, editors, Proc. TAAPSD, Univ. Taras Shevchenko, Kiev, 2010.
[GS11] Mathieu Giorgino and Martin Strecker. Towards the verification of efficient BDD algorithms. In Formal Verification of Object-Oriented Software (FoVeOOS), 2011.
[GSMP10] Mathieu Giorgino, Martin Strecker, Ralph Matthes, and Marc Pantel. Verification of the Schorr-Waite algorithm – From trees to graphs. In Logic-Based Program Synthesis and Transformation (LOPSTR), 2010. http://www.irit.fr/~Mathieu.Giorgino/Publications/GiSt2010SchorrWaite.html
[MM10] J. Gregory Malecha and Greg Morrisett. Mechanized verification with sharing. In ICTAC, pages 245–259, 2010.
[MS01] Anders Møller and Michael I. Schwartzbach. The pointer assertion logic engine. In Proc. ACM PLDI, pages 221–231, 2001.
[Rey02] John C. Reynolds. Separation logic: A logic for shared mutable data structures. In LICS '02: Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science, pages 55–74, Washington, DC, USA, 2002. IEEE Computer Society.