Post on 24-Feb-2016
description
Formal verification of skiplist algorithms
Student: Trinh Cong QuySupervisor: Bengt JonssonReviewer: Parosh Abdulla
Outline• Motivation• Methodology• Results and Future Work
MotivationHow do we verify skiplist algorithms? Why?
Why:• Skiplists are important data structures, eg in databases,
distributed systems• Verifying is complicated because skiplists are multi-pointers
structures• There is no previous work that formally verify skiplists algorithms
Our Motivation:• Employ transitive closure logic to handle multi-pointers data
structures• Introduce a method to discover and verify quantified invariants
for multi-pointers programs• Apply such method to skiplist algorithms.
Skiplist Skiplist is a list with a number of sorted single linked
lists, each linked list is located at a layer
Properties: Every single linked list at any layer is sorted
accorrding to node’s key values
List at higer layer is a sublist of list at lower layer
m m m
s s
-∞ 5 10 +∞
head tail
Example Add(8)
m m m
s s
-∞ 5 10 +∞
head tail8
m
s
m
s
sPred =
mPred
sSucc = mSucc
How to verify program invariants Assume that we have the invariant I of
program P and we want to verify it. We need to:
Annotate program P by computing assertions at program points and then verify I at all assertions
Program AssertionAssertion: Assertion at each program point is a conjunction of
atomic predicates which are valid in that point and taken from abstract domain
Example: P1: (x = y) (y * z) (x * t)
Abstract Domain: Set of predicates P = { P1, …, Pn } given by users Each predicate describes relations between program
variables
Example1.int insert(x) Abstract Domain2.{ head →* tail, head = pred
head →* tail pred →* x, x →* tail3. node* pred = head head = pred ˄ head →* tail4. pred.next := x head = pred ˄ pred →* x5. x.next := tail?}
How to get assertion for each program point?
Compute Post Assertion Let A’ is successor of program point A, then
its assertion is obtained as below
• For each predicate P from the abstract domain• If it is valid in A' that means if post(A,S) P• Add P to the assertion
Here post(A,S) is post-condition which are program states reached from A when we execute the statement S
ExampleAbstract Domainhead →* tail, head = pred pred →* x, x →* tailA.head = pred ˄ pred →* x x.next := tailA’.?}
head = pred ok pred →* x: okx →* tail: okhead →* tail: ok
For each predicate P from the abstract domain
If it is valid in A' that means that if post(A,S) P
Add P to the assertion
Post(head = pred ˄ pred →* x, x.next := tail ) = head = pred ˄ pred →* x ˄ x → tail
Assertion:
head = pred pred˄ →* x x˄ →* tail head˄ →* tail
Assertion Template for Skiplists• Invariant:
u,v (Pi (u,v) ei (u,v))• Assertion form at each program point
E u,v (Pi (u,v) ei (u,v)) Where ♦ E: conjunction of atomic predicates valid at that point ♦ ei(u,v): an atomic predicate of u and v ♦ Pi(u,v): conjunction of atomic predicates of u and v global variables Example: E u,v (u →m* v u ≤ v)
Assertion Inferring
• Start with an empty list• Run for a loop to insert and delete nodes randomlly • For each loop iteration Generate environments for program points• When the loop is terminated , take intersection of
environments at the same program points.• For each common environment: Find minimal conjunction Pi (u,v) such that Pi (u,v) ei (u,v)
Example1.int insert(x)2.{ 3.find(x, mPred,sPred, mSucc,sSucc) head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc 4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc ˄ mPred = sPred ˄ mSucc = sSucc ˄ mPred →m* n ˄ n →m* mSucc ˄ sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n < sSucc 9.return 010.}
1.int insert(x)2.{ 3.find(x, mPred,sPred, mSucc,sSucc) head →m mPred ˄ head →s sPred ˄ mSucc →m tail ˄ sSucc →s tail 4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head m mPred ˄ head s sPred ˄ mSucc m tail ˄ sSucc s tail mPred = sPred ˄ mSucc = sSucc ˄ mPred →m* n ˄ n →m* mSucc ˄ sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n < sSucc 9.return 010.}
Example (cont)Common environment at program point 9 head →m* mPred ˄ head →s* sPred ˄ mSucc →m* tail ˄ sSucc →s* tail ˄ mPred = sPred ˄ mSucc = sSucc ˄ mPred →m* n ˄ n →m* mSucc ˄ sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n <
sSucc
Invariant: u →s* v u →m* v
Inductive Assertion Assertion is inductive Holds at initial program points If it holds at a program point A, it also holds at A’s sucssesor
Assertion Verifing
• Is u,v (Pi (u,v) ei (u,v)) valid in A’ ?
E u,v (Pi (u,v) ei (u,v))
E’ post(u,v (Pi (u,v) ei (u,v)))
S
A’
A
Assertion Verifing• Check that:
E’ u,v post( (Pi (u,v) ei (u,v)))
u,v (Pi (u,v) ei (u,v))
General Form: E’ X (X) X (Y)
Quantifier Instantiation• To prove: E’ X (X) X (Y)
Using terms Y1, Y2,…., Yn that appear in E’ Expand as ψ (Y1) … ψ (Yn) ψ (Y) (Y)• If unsatisfiable, then so is quantified formula• The approach is sound, but incomplete
Example Assume that the invariant u,v (x →s* y x →m* y)
holds in program point 8 of previous insert function. Then we will show how to prove that its preserved
in program point 9
1.int insert(x)2.{ 3.find(x, mPred,sPred,mSucc,sSucc) head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc 4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc ˄ mPred = sPred ˄ mSucc = sSucc ˄ mPred →m* n ˄ n →m* mSucc ˄ ˄ n < sSucc sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n 9.return 010.}
Example(cont) Program point 8 = u →s* v u →m* v = ˥(u →s* v) ˅ u →m* v
After statement: sPred.sNext := n
E’ = sPred m* n ˄ ...... Program point 9 = ˥(u →s* v) ˅ (u →s* sPred ˄ n →s* v) ˅ u →m* v
Prove: E’ u,y (u,v) u,v (u,v) <-> E’ u,y (u,v) ˄ ˥(u1, v1) is unsastifiable
(u1,sPred) = ˥(u1 →s* sPred) ˅ u1 →m* sPred (n, v1) = ˥(n →s* v1) ˅ n →m* v1
(u1, v1) = ˥(u1 →s* v1) ˅ (u1 →s* sPred ˄ n →s* v1) ˅ u →m* v1
˥(u1, v1) = u1 →s* v1 ˄ ˥(u1 →m* v1)
E ˄ (u1, v1) ˄ ˥(u1, v1) ˄ (u1,sPred) ˄ (n, v1)= u1 →m* sPred ˄ sPred →m* n ˄ n →m* v1 ˄ ˥(u1 →m* v1) ˄ (u1 →s* sPred ˄ n →s* v1)
contradiction
Results• New method to infer and verify quantidied
invariants of multi-pointers structures• Apply such method to skiplist algorithms, manually
infer and verify the invariant of the skiplist algorithm in the paper:
A Simple Optimistic skip-list Algorithm http://www.cs.brown.edu/~levyossi/Pubs/LazySkipList.pdf when we simplify it to two layers skiplist algorithm.
x,y(x →s* y x →m* y) (x →m* y x ≠ y x< y) • This algorithm is concurrent, so we use thread
modular technique compute assertions but its not too important in this thesis
Future Work• Implement the framework• Develop methods to refine abstract domain
automatically
Thank You