A Decidable Logic for Tree Data-Structures with Measurements
Xiaokang Qiu and Yanjun Wang, Purdue University. September 14, 2021. 1
Reasoning about trees: Compiler Optimization, Program Verification, Web Browsers (figure: tree nodes annotated with key, prt, sz and ht fields) 2
Measurements for Trees • Height • Size • Black Height for Red-Black Trees • etc. Optimization 3
Challenges • Aggregate functions determined by the whole tree • Tangled with data properties (e.g., sortedness) and shape properties (e.g., balancedness) “An AVL tree is a self-balancing binary search tree… In an AVL tree, the heights of the two child subtrees of any node differ by at most one…” Strand [POPL’11, SAS’11]: decidable, but cannot describe this. Dryad [POPL’12, PLDI’13, PLDI’14, OOPSLA’17]: can, but undecidable. 4
Our Work: Dryaddec. A decidable logic that can solve a wide variety of problems requiring flexible combination of measure-related, data-related and shape-related properties for trees. Dryad + Syntactic restrictions (refined templates for recursive definitions) = Decidable Dryaddec (based on small model property). Applications of Dryaddec: Program verification, Traversal fusion, Program synthesis. 5
Dryad + Syntactic restrictions = Decidable Dryaddec 6
Dryad is expressive • Dryad 7
Dryad • Base case • Recursive case 8
Dryad is expressive (figure: Dryaddec vs. Dryad) 9
Dryad + Syntactic restrictions = Decidable Dryaddec 10
Deciding Satisfiability: Small Model Property (figure: a large satisfying tree with subtrees l, l’, r, r’ next to the satisfying tailored tree) 11
Decision procedure (figure: satisfying tailored tree with nodes root, n1, n2, n3, n4 and subtrees l’, r’) 12
Dryad + Syntactic restrictions = Decidable Dryaddec 13
Dryaddec: a decidable subset of Dryad. Refines the general template to seven templates: Non-Measure Functions (Increasing Int Function, Decreasing Int Function, Increasing IntSet Function); Measure Functions (Max-based Function, Sum-based Function); General Predicate; Measure-Related Predicates 14
Non-Measure Functions. Three classes of non-measure functions (min, max, keys, etc.): • Increasing Int functions (local Int term) • Decreasing Int functions • Increasing IntSet functions 15
Why increasing/decreasing? 16
Lemma 1: monotonically increasing/decreasing 17
An Argument for Small Model Property (figure) 18
Lemma 2: a witness node is sufficient to preserve the value 20
An Argument for Small Model Property (figure, continued) 21
Bound for Non-Measure Functions 22
Dryaddec: a decidable subset of Dryad (outline slide revisited: Measure Functions) 23
Measure Functions • Measure functions are first-class citizens • Local constraints • Max-based (height) functions • Sum-based (size) functions 24
An Argument for Small Model Property (figure) 25
There is NO witness node for measure functions (because they are aggregate functions). 27
Idea: Preserve the difference (figure: subtrees x and y whose measure difference is 1) 28
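To make the distinction on these slides concrete, here is an added Python illustration (not code from the Qiu/Wang deck or from Dryad): the non-measure functions (max, min, keys) and the measure functions (height as max-based, size as sum-based, black height for red-black trees) written as recursive definitions over an explicit binary tree, the sortedness and AVL-balance properties stated with them, and a check that tailoring a tree down to the path reaching one witness node preserves the non-measure value but not the aggregate measures. The Node class, the function names and the sample tree are assumptions constructed for this example.

```python
# Added illustration for the slides (not the authors' code): non-measure vs.
# measure functions on an explicit tree, and why only the former have a
# single witness node. Node, the function names and SAMPLE are constructed.
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Node:
    key: int
    l: Optional["Node"] = None
    r: Optional["Node"] = None
    red: bool = False  # node colour; only meaningful for red-black trees


Tree = Optional[Node]


# ---- non-measure functions: increasing Int / decreasing Int / increasing IntSet
def tmax(t: Tree) -> Optional[int]:
    """Increasing Int function: the local key combined with the children's maxima."""
    if t is None:
        return None
    return max(v for v in (t.key, tmax(t.l), tmax(t.r)) if v is not None)


def tmin(t: Tree) -> Optional[int]:
    """Decreasing Int function: adding nodes can only lower the minimum."""
    if t is None:
        return None
    return min(v for v in (t.key, tmin(t.l), tmin(t.r)) if v is not None)


def keys(t: Tree) -> FrozenSet[int]:
    """Increasing IntSet function: the key set only grows with the tree."""
    if t is None:
        return frozenset()
    return keys(t.l) | keys(t.r) | {t.key}


# ---- measure functions: aggregates determined by the whole tree
def height(t: Tree) -> int:
    """Max-based measure: 1 + max over the children."""
    return 0 if t is None else 1 + max(height(t.l), height(t.r))


def size(t: Tree) -> int:
    """Sum-based measure: 1 + sum over the children."""
    return 0 if t is None else 1 + size(t.l) + size(t.r)


def black_height(t: Tree) -> Optional[int]:
    """Black nodes on every root-to-nil path (nil counts 0); None when the two
    children disagree, i.e. the red-black black-height invariant is violated."""
    if t is None:
        return 0
    bl, br = black_height(t.l), black_height(t.r)
    if bl is None or br is None or bl != br:
        return None
    return bl + (0 if t.red else 1)


# ---- the data and shape properties the deck says get tangled together
def is_bst(t: Tree) -> bool:
    """Data property (sortedness), stated with the non-measure functions."""
    if t is None:
        return True
    left_ok = tmax(t.l) is None or tmax(t.l) < t.key
    right_ok = tmin(t.r) is None or tmin(t.r) > t.key
    return left_ok and right_ok and is_bst(t.l) and is_bst(t.r)


def is_avl(t: Tree) -> bool:
    """Shape property: child heights differ by at most one at every node."""
    if t is None:
        return True
    return abs(height(t.l) - height(t.r)) <= 1 and is_avl(t.l) and is_avl(t.r)


# ---- tailoring a tree down to the path that reaches one witness node
def path_to(t: Tree, key: int) -> Optional[List[Node]]:
    """Root-to-node path ending at the first node (DFS order) holding `key`."""
    if t is None:
        return None
    if t.key == key:
        return [t]
    for child in (t.l, t.r):
        rest = path_to(child, key)
        if rest is not None:
            return [t] + rest
    return None


def keep_path(t: Tree, path: List[Node]) -> Tree:
    """Drop every node not on `path` (compared by identity), keeping the chain."""
    if t is None or not any(t is p for p in path):
        return None
    return Node(t.key, keep_path(t.l, path), keep_path(t.r, path), t.red)


def witness_check(t: Tree) -> dict:
    """Tailor t to the path reaching the node attaining tmax(t) and report which
    values survive: the non-measure value does, the aggregate measures do not."""
    if t is None:
        return {}
    tailored = keep_path(t, path_to(t, tmax(t)))
    return {
        "max_preserved": tmax(tailored) == tmax(t),
        "height_preserved": height(tailored) == height(t),
        "size_preserved": size(tailored) == size(t),
        "tailored_size": size(tailored),
    }


# Constructed sample: a sorted, AVL-balanced tree of eight keys.
SAMPLE = Node(50,
              Node(30, Node(20, Node(10)), Node(40)),
              Node(70, Node(60), Node(80)))

if __name__ == "__main__":
    print(height(SAMPLE), size(SAMPLE), tmax(SAMPLE), tmin(SAMPLE))
    print(is_bst(SAMPLE), is_avl(SAMPLE), witness_check(SAMPLE))
```

On SAMPLE the witness path for the maximum is 50 → 70 → 80; the tailored three-node chain still has maximum 80, but its height drops from 4 to 3 and its size from 8 to 3, which is exactly why the deck needs a different argument (preserving differences) for measure functions.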
Dryaddec: a decidable subset of Dryad (outline slide revisited: Predicates) 30
General Predicate • May involve many general predicates and non-measure functions • max occurs only on the LHS • min occurs only on the RHS 31
Measure-related Predicate • May involve one Max-based measure function and many non-measure functions 32
Dryaddec: a decidable subset of Dryad (outline slide revisited: proof of decidability) 33
Sketch of proof: a long-enough path 34
Bound for Max-based measure functions • witness nodes One can tailor to such that 35
Bound for Sum-based measure functions • One can tailor to such that 37
Decidability of Dryaddec • 38
Bound refinement • Refinement based on BST mutation • Refinement based on Treap mutation • Refinement based on AVL, RBT mutation (worst case; not common) 39
Experimental Results 40
Applications Dryaddec Program verification Traversal fusion Program synthesis 41
Program verification
Category                      #Formulae  Dryaddec size  Bound (unrefined)  Z3 size (KB)  Time (s) (unrefined)  Sat?
BST_insert                        5      <=48           5 (11)             <=161                               N
BST_insert (buggy)                       48             5 (11)             161           0.3 (100.5)           Y
Treap_insert                      7      <=108          7 (17)             <=1696                              N
Treap_insert (buggy)                     88             7 (17)             1172          0.7 (89.8)            Y
AVL_insert (balanced)            11      <=197          7 (10)             <=399         <1 (<6)               N
AVL_insert (balanced, buggy)             197            7 (10)             399           2.7 (63.2)            Y
RBT_insert (balanced)            13      <=150          7 (10)             <=464         <1 (<6)               N
RBT_insert (balanced, buggy)             142            7 (10)             279           0.4 (9.4)             Y
AVL_insert (sorted)               9      <=134          5 (11)             <=271                               N
RBT_insert (sorted)              13      <=136          5 (11)             <=271                               N
42
Traversal fusion
A(n):     if (n == nil) return; A(n.l); A(n.r); SA;
B(n):     if (n == nil) return; SB; B(n.l); B(n.r);
Fused(n): if (n == nil) return; Fused(n.l); Fused(n.r); SA; SB;
Categories: Fusion (post_pre), Fusion (mult_rec)
#Formulae  Dryaddec size  Bound  Z3 size (KB)  Time (s)  Sat?
2          4              5      84            <1        N
2          4              5      84            <1        Y
20         4              6      <=216         <1        Y
4          4              7      604           <3        N
20         4              9      <=3304        <7        Y
Checking the fusibility of mutually recursive traversals cannot be handled by any state-of-the-art checker. 43
Program synthesis (figure: CEGIS loop between the SyGuS synthesizer and the Dryaddec decision procedure: candidate → verifier → counterexample)
Columns: Category; Formulae Name (solved in #iteration); Dryaddec size; Time (s)
Multiple functions: fg_fivefuncs, fg_sixfuncs, fg_sevenfuncs, fg_eightfuncs, fg_ninefuncs, fg_tenfunc1, fg_tenfunc2 (3) <279 <1
Polynomial: fg_polynomial1, fg_polynomial2, fg_polynomial3 (3) <1; fg_polynomial4 (4) <60
Other CLIA: fg_max2 (7) <2227 <1; <936 <1
INV: fg_VC22_a (17), ex11-new (18), ex11 (17), vsend4 (4), ex14_simp, ex14_vars, treax1, trex1_vars (3), formula22, formula25, formula27 (1) 44
Conclusion. Dryad + Syntactic restrictions (refined templates for recursive definitions) = Decidable Dryaddec (based on small model property). Applications of Dryaddec: Program verification, Traversal fusion, Program synthesis. Thank you! 45