
Formal Verification of AVL Trees using ACL2 in Software Engineering Education

This project, part of an NSF grant, integrates mechanized logic and formal verification of AVL trees into the software engineering curriculum. It showcases the use of ACL2 to define AVL tree structures and verify operations like insertion and deletion, ensuring properties like order and balance are maintained. The project highlights collaborative efforts with Matthias Felleisen at Northeastern University, as well as challenges in verifying complex tree structures. It emphasizes the importance of preserving keys during operations and presents methodologies for dealing with tree max and min proofs.



Presentation Transcript


  1. ACL2-Certified AVL Trees
  Ryan Ralston, University of Oklahoma
  • NSF DUE-0633004
  • Integrating Mechanized Logic into the SE Curriculum
  • Collaborative Project with Matthias Felleisen, Northeastern University

  2. Formal Verification in Software Development
  (diagram; boxes labelled: Customer, Specification, Company, Application, Formal Verifier)

  3. Related Work
  • The Isabelle implementation of verified AVL trees only verifies correctness of insertion and look-up for balance and order
  • Gamboa and Cowles verified properties of red-black trees

  4. Defining AVL Structure in ACL2
  • Single rotation (zig), using (defstructure avl key left right height):

    ;; easy-R: single right rotation. The left child becomes the new root;
    ;; the old root moves down to the right, taking the left child's right
    ;; subtree with it. ht-incr computes the recorded height from the children.
    (defun easy-R (tr)
      (let* ((L (lf (lf tr)))
             (R (avl (key tr)
                     (rt (lf tr))
                     (rt tr)
                     (ht-incr (rt (lf tr)) (rt tr)))))
        (avl (key (lf tr)) L R (ht-incr L R))))

  • Double rotations (zig/zag) are defined similarly
  • Rebalancing operations select the appropriate rotation

  5. Insertion Maintains Correct Recorded Height
  (proof-dependency diagram; lemmas named: easy-L, easy-R, rebal-L, rot-L, hard-L, ht-incr, insert, hard-L-able->easy-L-able, rebal-R, rot-R, hard-R, hard-R-able->easy-R)

  6. Deletion Does, Too
  (proof-dependency diagram; lemmas named: rebal-L, rebal-R, shrink, raise-sacrum, ht-incr, delete)

  7. Deletion Preserves Keys (old keys stay in tree)
  (proof-dependency diagram; lemmas named: rebal-L, rebal-R, ht-incr->ht=ht-meas, shrink-not-key, shrink->ht=ht-meas, delete->ht=ht-meas, delete)

  8. Deletion Conserves Keys (new tree has no new keys)
  (proof-dependency diagram; lemmas named: rebal-L, rebal-R, shrink, shrink-key, ht-incr->ht=ht-meas, shrink->ht=ht-meas, delete->ht=ht-meas, delete)

  9. Insertion Does Not Decrease Max Key in Tree
  (proof-dependency diagram; lemmas named: ht-incr->ht=ht-meas, insert->ht=ht-meas, rebal-L, rebal-R, tree-max-bigger-than-all-keys, insert-is-tree, insert)

  10. Deletion Does Not Increase Max Key in Tree
  (proof-dependency diagram; lemmas named: delete->ht=ht-meas, ht-incr->ht=ht-meas, delete-lemma-lf, delete-lemma-rt, rebal-L-is-tree, rebal-R-is-tree, rebal-L, rebal-R, delete)

  11. Insert Preserves Order
  (proof-dependency diagram; lemmas named: ht-incr->ht=ht-meas, insert->ht=ht-meas, insert-is-tree, insert-lf, insert-rt, insert->max, insert->min, rebal-L, rebal-R, insert)

  12. Deletion Preserves Order
  (proof-dependency diagram; lemmas named: delete-2-lemma-1, delete-2-lemma-2, delete-2-lemma-3, delete-3-lemma-1, delete-3-lemma-2, delete-3-lemma-3, delete-4-lemma-1, delete-4-lemma-2, delete-4-lemma-3, ht-incr->ht=ht-meas, delete->ht=ht-meas, del->max, del->min, rebal-L, rebal-R, raise-sacrum, delete)

  13. Insertion Preserves Balance
  (proof-dependency diagram; lemmas named: insert-empty, insert-root, insert-left, insert-right, insert-inc-at-most-1, insert)

  14. Noteworthy Facts
  • Requires a significant amount of code because of the number of cases that must be proven individually
  • The code does not build upon itself very well: the double-rotation theorems, for example, do not apply the single-rotation theorems
  • My “handwritten” proof overlooked a detail I considered trivial, but ACL2 didn’t

  15. Preservation/Conservation of Keys Theorems
  (operation is a placeholder for the tree operation being verified; in-tree? tests whether key k occurs in tree tr)

    ;; Preservation and conservation together: k is in the result exactly
    ;; when it was in the input.
    (defthm operation-preserves-and-conserves-keys
      (iff (in-tree? k tr)
           (in-tree? k (operation tr))))

    ;; Preservation: old keys stay in the tree.
    (defthm operation-preserves-keys
      (implies (in-tree? k tr)
               (in-tree? k (operation tr))))

    ;; Conservation: the new tree has no new keys.
    (defthm operation-conserves-keys
      (implies (not (in-tree? k tr))
               (not (in-tree? k (operation tr)))))

  16. Working Backwards
  • Areas of use include the tree-max and tree-min proofs for deletion
  • Almost no unnecessary lemmas proven
  • The approach will work, but can produce results such as:

    ;; Deleting k never increases the tree's maximum key, provided the
    ;; recorded heights are correct. :hands-off stops ACL2 from expanding
    ;; the named functions; each subgoal is then discharged by :use of a
    ;; previously proven lemma.
    (defthm del-tree-max
      (implies (ht=ht-meas? tr)
               (decreasing-max-p (del k tr) tr))
      :hints (("Goal" :hands-off (rebal-L rebal-R ht-incr raise-sacrum decreasing-max-p))
              ("Subgoal *1/7" :use ((:instance del-tree-max-lemma-5)))
              ("Subgoal *1/5" :use ((:instance del-tree-max-lemma-4)))
              ("Subgoal *1/3" :use ((:instance raise-sacrum-tree-max)))
              ("Subgoal *1/2''" :use ((:instance avl-right-dec-max-p-tr)))
              ("Subgoal *1/1'" :use ((:instance empty-tr1-is-dec-max-p (tr1 tr) (tr2 tr))))))
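The structure and rotations of slide 4, the preserve/conserve-keys theorems of slide 15, and the recorded-height, order, balance and tree-max properties of slides 5 through 13 and 16, as an added Python example; this is not the talk's ACL2 code. The names ht_incr, easy_r, easy_l, rebal, shrink, in_tree, ht_eq_ht_meas and tree_max are assumed stand-ins for the slides' ACL2 names, and the choice to delete a two-child node by promoting the maximum of its left subtree (the shrink helper here) is an assumption about how the slides' shrink step works.

```python
# Added example (Python, not the presentation's ACL2): an AVL tree with a
# recorded height field like the slide's (avl key left right height), plus
# executable checks of the properties the slides state as theorems.
# All helper names below are assumed stand-ins for the slides' ACL2 names.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Avl:
    key: int
    left: Optional["Avl"]
    right: Optional["Avl"]
    height: int           # recorded at construction, never recomputed


def ht(tr):               # height of a possibly empty subtree
    return 0 if tr is None else tr.height

def ht_incr(l, r):        # recorded height of a node whose children are l and r
    return 1 + max(ht(l), ht(r))

def avl(key, l, r):
    return Avl(key, l, r, ht_incr(l, r))

def easy_r(tr):           # single right rotation, as in slide 4's easy-R
    return avl(tr.left.key, tr.left.left, avl(tr.key, tr.left.right, tr.right))

def easy_l(tr):           # mirror image (easy-L)
    return avl(tr.right.key, avl(tr.key, tr.left, tr.right.left), tr.right.right)

def rebal(tr):
    """Pick a single or double rotation so the children's heights differ by at most 1."""
    if ht(tr.left) - ht(tr.right) > 1:
        if ht(tr.left.left) < ht(tr.left.right):   # "hard" case: first make it easy-R-able
            tr = avl(tr.key, easy_l(tr.left), tr.right)
        return easy_r(tr)
    if ht(tr.right) - ht(tr.left) > 1:
        if ht(tr.right.right) < ht(tr.right.left):
            tr = avl(tr.key, tr.left, easy_r(tr.right))
        return easy_l(tr)
    return tr

def insert(k, tr):
    if tr is None:
        return avl(k, None, None)
    if k < tr.key:
        return rebal(avl(tr.key, insert(k, tr.left), tr.right))
    if k > tr.key:
        return rebal(avl(tr.key, tr.left, insert(k, tr.right)))
    return tr

def shrink(tr):
    """Assumed helper: remove the maximum key of a non-empty tree, returning (key, rest)."""
    if tr.right is None:
        return tr.key, tr.left
    m, r = shrink(tr.right)
    return m, rebal(avl(tr.key, tr.left, r))

def delete(k, tr):
    if tr is None:
        return None
    if k < tr.key:
        return rebal(avl(tr.key, delete(k, tr.left), tr.right))
    if k > tr.key:
        return rebal(avl(tr.key, tr.left, delete(k, tr.right)))
    if tr.left is None:
        return tr.right
    m, l = shrink(tr.left)                           # promote the left subtree's maximum
    return rebal(avl(m, l, tr.right))


# --- the slides' theorem statements as executable checks -------------------
def in_tree(k, tr):       # the slide's in-tree?
    return tr is not None and (k == tr.key or in_tree(k, tr.left if k < tr.key else tr.right))

def keys(tr):             # in-order key list
    return [] if tr is None else keys(tr.left) + [tr.key] + keys(tr.right)

def ht_meas(tr):          # height measured from the shape alone
    return 0 if tr is None else 1 + max(ht_meas(tr.left), ht_meas(tr.right))

def ht_eq_ht_meas(tr):    # the slide's ht=ht-meas?: every recorded height is the measured one
    return tr is None or (tr.height == ht_meas(tr)
                          and ht_eq_ht_meas(tr.left) and ht_eq_ht_meas(tr.right))

def ordered(tr, lo=None, hi=None):
    if tr is None:
        return True
    if (lo is not None and tr.key <= lo) or (hi is not None and tr.key >= hi):
        return False
    return ordered(tr.left, lo, tr.key) and ordered(tr.right, tr.key, hi)

def balanced(tr):
    return tr is None or (abs(ht(tr.left) - ht(tr.right)) <= 1
                          and balanced(tr.left) and balanced(tr.right))

def tree_max(tr):
    return tr.key if tr.right is None else tree_max(tr.right)

def check_properties(ks):
    """Insert the keys in order, then delete them in order, checking each slide's property."""
    tr = None
    for k in ks:
        new = insert(k, tr)
        assert ht_eq_ht_meas(new) and ordered(new) and balanced(new)       # slides 5, 11, 13
        assert in_tree(k, new) and all(in_tree(j, new) for j in keys(tr))  # old keys preserved
        assert all(j == k or in_tree(j, tr) for j in keys(new))            # no other new keys
        assert tr is None or tree_max(new) >= tree_max(tr)                 # slide 9
        tr = new
    for k in ks:
        new = delete(k, tr)
        assert ht_eq_ht_meas(new) and ordered(new) and balanced(new)       # slides 6, 12
        assert not in_tree(k, new) and all(j == k or in_tree(j, new) for j in keys(tr))  # slide 7
        assert all(in_tree(j, tr) for j in keys(new))                      # slide 8
        assert new is None or tree_max(new) <= tree_max(tr)                # slide 10, del-tree-max
        tr = new
    return True
```

Running check_properties on a few constructed key sequences exercises every theorem statement on concrete trees, which is useful for catching the kind of "trivial" detail slide 14 mentions before attempting the ACL2 proof; the ACL2 defthm forms are what establish the properties for all trees, and the height-equals-measured-height hypothesis (ht=ht-meas? on slide 16) is exactly the invariant ht_eq_ht_meas checks here.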

  17. Questions?
