Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson...
-
Upload
clementine-clark -
Category
Documents
-
view
213 -
download
1
Transcript of Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson...
![Page 1: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/1.jpg)
Formal verification of skiplist algorithms
Student: Trinh Cong QuySupervisor: Bengt JonssonReviewer: Parosh Abdulla
![Page 2: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/2.jpg)
Outline• Motivation• Methodology• Results and Future Work
![Page 3: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/3.jpg)
MotivationHow do we verify skiplist algorithms? Why?
Why:• Skiplists are important data structures, eg in databases,
distributed systems• Verifying is complicated because skiplists are multi-pointers
structures• There is no previous work that formally verify skiplists algorithms
Our Motivation:• Employ transitive closure logic to handle multi-pointers data
structures• Introduce a method to discover and verify quantified invariants
for multi-pointers programs• Apply such method to skiplist algorithms.
![Page 4: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/4.jpg)
Skiplist Skiplist is a list with a number of sorted single linked
lists, each linked list is located at a layer
Properties: Every single linked list at any layer is sorted
accorrding to node’s key values
List at higer layer is a sublist of list at lower layer
m m m
s s
-∞ 5 10 +∞
head tail
![Page 5: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/5.jpg)
Example Add(8)
m m m
s s
-∞ 5 10 +∞
head tail8
m
s
m
s
sPred =
mPred
sSucc = mSucc
![Page 6: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/6.jpg)
How to verify program invariants Assume that we have the invariant I of
program P and we want to verify it. We need to:
Annotate program P by computing assertions at program points and then verify I at all assertions
![Page 7: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/7.jpg)
Program Assertion
Assertion: Assertion at each program point is a conjunction of
atomic predicates which are valid in that point and taken from abstract domain
Example: P1: (x = y) (y * z) (x * t)
Abstract Domain: Set of predicates P = { P1, …, Pn } given by users Each predicate describes relations between program
variables
![Page 8: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/8.jpg)
Example1.int insert(x) Abstract Domain2.{ head →* tail, head = pred
head →* tail pred →* x, x →* tail3. node* pred = head head = pred ˄ head →* tail4. pred.next := x head = pred ˄ pred →* x5. x.next := tail?}
How to get assertion for each program point?
![Page 9: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/9.jpg)
Compute Post Assertion Let A’ is successor of program point A, then
its assertion is obtained as below
• For each predicate P from the abstract domain• If it is valid in A' that means if post(A,S) P• Add P to the assertion
Here post(A,S) is post-condition which are program states reached from A when we execute the statement S
![Page 10: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/10.jpg)
ExampleAbstract Domainhead →* tail, head = pred pred →* x, x →* tailA.head = pred ˄ pred →* x x.next := tailA’.?}
head = pred ok pred →* x: okx →* tail: okhead →* tail: ok
For each predicate P from the abstract domain
If it is valid in A' that means that if post(A,S) P
Add P to the assertion
Post(head = pred ˄ pred →* x, x.next := tail ) = head = pred ˄ pred →* x ˄ x → tail
Assertion:
head = pred pred˄ →* x x˄ →* tail
head˄ →* tail
![Page 11: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/11.jpg)
Assertion Template for Skiplists• Invariant:
u,v (Pi (u,v) ei (u,v))• Assertion form at each program point
E u,v (Pi (u,v) ei (u,v))
Where
♦ E: conjunction of atomic predicates valid at that point
♦ ei(u,v): an atomic predicate of u and v
♦ Pi(u,v): conjunction of atomic predicates of u and v
global variables
Example: E u,v (u →m* v u ≤ v)
![Page 12: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/12.jpg)
Assertion Inferring
• Start with an empty list• Run for a loop to insert and delete nodes randomlly • For each loop iteration Generate environments for program points• When the loop is terminated , take intersection of
environments at the same program points.• For each common environment: Find minimal conjunction Pi (u,v) such that
Pi (u,v) ei (u,v)
![Page 13: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/13.jpg)
Example1.int insert(x)2.{ 3.find(x, mPred,sPred, mSucc,sSucc) head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc
4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc ˄ mPred = sPred ˄ mSucc = sSucc ˄
mPred →m* n ˄ n →m* mSucc ˄
sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n < sSucc
9.return 010.}
1.int insert(x)2.{ 3.find(x, mPred,sPred, mSucc,sSucc) head →m mPred ˄ head →s sPred ˄ mSucc →m tail ˄ sSucc →s tail
4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n head m mPred ˄ head s sPred ˄ mSucc m tail ˄ sSucc s tail mPred = sPred ˄ mSucc = sSucc ˄ mPred →m* n ˄ n →m* mSucc ˄ sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n < sSucc
9.return 010.}
![Page 14: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/14.jpg)
Example (cont)Common environment at program point 9 head →m* mPred ˄ head →s* sPred ˄ mSucc →m* tail ˄ sSucc →s* tail ˄ mPred = sPred ˄ mSucc = sSucc ˄ mPred →m* n ˄ n →m* mSucc ˄ sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n ˄ n <
sSucc
Invariant: u →s* v u →m* v
![Page 15: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/15.jpg)
Inductive Assertion Assertion is inductive Holds at initial program points If it holds at a program point A, it also holds at A’s sucssesor
![Page 16: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/16.jpg)
Assertion Verifing
• Is u,v (Pi (u,v) ei (u,v)) valid in A’ ?
E u,v (Pi (u,v) ei (u,v))
E’ post(u,v (Pi (u,v) ei (u,v)))
S
A’
A
![Page 17: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/17.jpg)
Assertion Verifing• Check that:
E’ u,v post( (Pi (u,v) ei (u,v)))
u,v (Pi (u,v) ei (u,v))
General Form: E’ X (X) X (Y)
![Page 18: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/18.jpg)
Quantifier Instantiation• To prove: E’ X (X) X (Y)
Using terms Y1, Y2,…., Yn that appear in E’
Expand as ψ (Y1) … ψ (Yn) ψ (Y) (Y)• If unsatisfiable, then so is quantified formula• The approach is sound, but incomplete
![Page 19: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/19.jpg)
Example Assume that the invariant u,v (x →s* y x →m* y)
holds in program point 8 of previous insert function. Then we will show how to prove that its preserved
in program point 9
1.int insert(x)2.{ 3.find(x, mPred,sPred,mSucc,sSucc)
head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc 4.node* n := Node(x,2) 5.n.mNext = mPred 6.mPred.mNext := n 7.n.sNext = sPred 8.mPred.mNext := n
head = mPred ˄ head = sPred ˄ tail = mSucc ˄ tail = sSucc ˄
mPred = sPred ˄ mSucc = sSucc ˄ mPred →m* n ˄ n →m* mSucc ˄ ˄ n < sSucc
sPred →s* n ˄ n →s* sSucc ˄ mPred < n ˄ n < mSucc ˄ sPred < n
9.return 010.}
![Page 20: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/20.jpg)
Example(cont) Program point 8 = u →s* v u →m* v = ˥(u →s* v) ˅ u →m* v
After statement: sPred.sNext := n
E’ = sPred m* n ˄ ...... Program point 9 = ˥(u →s* v) ˅ (u →s* sPred ˄ n →s* v) ˅ u →m* v
Prove: E’ u,y (u,v) u,v (u,v) <-> E’ u,y (u,v) ˄ ˥(u1, v1) is unsastifiable
(u1,sPred) = ˥(u1 →s* sPred) ˅ u1 →m* sPred
(n, v1) = ˥(n →s* v1) ˅ n →m* v1
(u1, v1) = ˥(u1 →s* v1) ˅ (u1 →s* sPred ˄ n →s* v1) ˅ u →m* v1
˥(u1, v1) = u1 →s* v1 ˄ ˥(u1 →m* v1)
E ˄ (u1, v1) ˄ ˥(u1, v1) ˄ (u1,sPred) ˄ (n, v1)
= u1 →m* sPred ˄ sPred →m* n ˄ n →m* v1 ˄ ˥(u1 →m* v1) ˄ (u1 →s* sPred ˄ n →s* v1)
contradiction
![Page 21: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/21.jpg)
Results• New method to infer and verify quantidied
invariants of multi-pointers structures• Apply such method to skiplist algorithms, manually
infer and verify the invariant of the skiplist algorithm in the paper:
A Simple Optimistic skip-list Algorithm http://www.cs.brown.edu/~levyossi/Pubs/LazySkipList.pdf when we simplify it to two layers skiplist algorithm.
x,y(x →s* y x →m* y) (x →m* y x ≠ y x< y) • This algorithm is concurrent, so we use thread
modular technique compute assertions but its not too important in this thesis
![Page 22: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/22.jpg)
Future Work• Implement the framework• Develop methods to refine abstract domain
automatically
![Page 23: Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f345503460f94c525e2/html5/thumbnails/23.jpg)
Thank You