VerifyThis 2016: Binary Tree Traversal
solution to VerifyThis 2016 challenge 2
Auteurs: Martin Clochard
Catégories: Trees / Pointer Programs
Outils: Why3
Références: VerifyThis @ ETAPS 2016
VerifyThis @ ETAPS 2016 competition, Challenge 2: Binary Tree Traversal
The following is the original description of the verification task, reproduced verbatim from the competition web site
Challenge 2: Binary Tree Traversal Consider a binary tree: class Tree { Tree left, right, parent; bool mark; } We are given a binary tree with the following properties: It is well formed, in the sense that following a child pointer (left or right) and then following a parent pointer brings us to the original node. Moreover, the parent pointer of the root is null. It has at least one node, and each node has 0 or 2 children. We do not know the initial value of the mark fields. Our goal is to set all mark fields to true. The algorithm below (Morris 1979) works in time linear in the number of nodes, as usual, but uses only a constant amount of extra space. void markTree(Tree root) { Tree x, y; x = root; do { x.mark = true; if (x.left == null && x.right == null) { y = x.parent; } else { y = x.left; x.left = x.right; x.right = x.parent; x.parent = y; } x = y; } while (x != null); } Tasks. Prove that: upon termination of the algorithm, all mark fields are set the tree shape does not change the code does not crash, and the code terminates. As a bonus, prove that the nodes are visited in depth-first order
The following is a solution by Martin Clochard (Université Paris-Sud) who entered the competition.
module Memory
Component-as-array memory model with null pointers.
use map.Map
is the type of memory locations (e.g pointers)
type loc val predicate eq (x y:loc) ensures { result <-> x = y }
Kinds of pointer fields.
type kind = Parent | Left | Right
Convenience alias for a pointer field table.
type pmem = map kind (map loc loc) type memory = abstract { mutable accessor : pmem; mutable mark : map loc bool; }
represent memory.
val memo : memory
the memory model has a null
constant null : loc val null () : loc ensures { result = null } val is_null (l:loc) : bool ensures { result <-> l = null }
Memory getter & setters. non-null preconditions to check absence of null pointer access.
val get_mark (l:loc) : bool requires { l <> null } reads { memo } ensures { result = memo.mark[l] } val set_mark (l:loc) (b:bool) : unit requires { l <> null } writes { memo.mark } ensures { memo.mark = (old memo).mark[l <- b] } val get_acc (p:kind) (l:loc) : loc requires { l <> null } reads { memo } ensures { result = memo.accessor[p][l] } val set_acc (p:kind) (l d:loc) : unit requires { l <> null } writes { memo.accessor } ensures { memo.accessor = (old memo).accessor[p <- (old memo).accessor[p][l <- d]] }
Ghost global accessors. Those are technical tools to create ghost witnesses of past states.
val ghost get_all_accs () : pmem reads { memo } ensures { result = memo.accessor } val ghost get_all_marks () : map loc bool reads { memo } ensures { result = memo.mark } type non_det_magic type non_det = abstract { mutable non_det_field : non_det_magic } val non_det : non_det val anyloc () : loc writes { non_det }
Non-deterministic initialization. In the original alorithm, the variable y starts uninitialized.
end module TreeShape
In module TreeShape
we describe the correlation between
the memory and the binary tree model. We also gives
elements of the algorithm specification, and prove
some frame/separation properties.
use int.Int use set.Set use map.Map use bintree.Tree use bintree.Size use Memory type treel = tree loc
The described structure can be modeled as a tree of locations
predicate is_tree (memo:pmem) (t:treel) (c p:loc) = match t with | Empty -> c = null | Node l m r -> c <> null /\ c = m /\ memo[Parent][c] = p /\ let cl = memo[Left][c] in let cr = memo[Right][c] in (cl = null <-> cr = null) /\ is_tree memo l cl c /\ is_tree memo r cr c end
is_tree memo t c p
describe the fact that c
points to
a well-formed tree modeled by t
, whose root parent node is p
function footprint (t:treel) : set loc = match t with | Empty -> empty | Node l m r -> add m (union (footprint l) (footprint r)) end
footprint t
is the memory footprint of t
, e.g the set of
locations occuring in the tree.
predicate ext (s:set loc) (memo1 memo2:pmem) = forall k x. mem x s -> memo1[k][x] = memo2[k][x]
ext s memo1 memo2
mean that the pointer fields associated to
locations in set s
are identical in memo1 and memo2.
unchanged memo1 memo2
mean that all pointer fields in
and memo2
are identical.
predicate unchanged (memo1 memo2:pmem) = forall k x. memo1[k][x] = memo2[k][x]
was_marked t memo1 memo2
mean that memo2
is the update
of memo1
obtained by marking all elements in t
predicate was_marked (t:treel) (memo1 memo2:map loc bool) = (forall l. mem l (footprint t) -> memo2[l]) /\ (forall l. not mem l (footprint t) -> memo2[l] = memo1[l]) let rec ghost ext_set (s:set loc) (memo1 memo2:pmem) (t:treel) (c p:loc) : unit requires { ext s memo1 memo2 } requires { subset (footprint t) s } requires { is_tree memo1 t c p } ensures { is_tree memo2 t c p } variant { t } = let ghost rc = ext_set s memo1 memo2 in match t with | Empty -> () | Node l _ r -> rc l (memo1[Left][c]) c; rc r (memo1[Right][c]) c end
General extensionality property.
let ghost ext_cur (memo1:pmem) (t:treel) (c p:loc) : unit reads { memo } requires { ext (footprint t) memo1 memo.accessor } requires { is_tree memo1 t c p } ensures { is_tree memo.accessor t c p } = ext_set (footprint t) memo1 (get_all_accs ()) t c p
Specialized for our use case.
let rec ghost unicity (memo:pmem) (t1 t2:treel) (c p1 p2:loc) : unit requires { is_tree memo t1 c p1 /\ is_tree memo t2 c p2 } ensures { t1 = t2 } variant { t1 } = match t1, t2 with | Empty, Empty -> () | Empty, _ | _, Empty -> absurd | Node l1 _ r1, Node l2 _ r2 -> unicity memo l1 l2 (memo[Left][c]) c c; unicity memo r1 r2 (memo[Right][c]) c c end
The tree model corresponding to a given pointer is unique.
let ghost not_below (memo:pmem) (lf rg:treel) (c p:loc) : unit requires { is_tree memo (Node lf c rg) c p } ensures { not mem c (footprint lf) /\ not mem c (footprint rg) } = let t0 = Node lf c rg in let rec aux (t:treel) (c2 p2:loc) : unit requires { size t < size t0 } requires { is_tree memo t c2 p2 } ensures { not mem c (footprint t) } variant { t } = match t with | Empty -> () | Node l _ r -> if eq c2 c then (unicity memo t t0 c p2 p;absurd); aux l (memo[Left][c2]) c2; aux r (memo[Right][c2]) c2 end in aux lf (memo[Left][c]) c; aux rg (memo[Right][c]) c
In a non-empty well formed tree, the top pointer cannot occur in the child subtree. Otherwise, their would be an infinite branch in the tree, which is impossible in our inductive tree setting.
type phase = | GoLeft | GoRight | GoBack | Finish
Algorithm phases.
mean that the algorithm will try to explore the left
mean that the algorithm will explore the right subtree
mean that the algorithm will go back to the parent node
mean that the alogrithm will exit
function next_phase (ph:phase) : phase = match ph with | GoLeft -> GoRight | GoRight -> GoBack | GoBack -> GoLeft | Finish -> Finish end
rotated memo1 memo2 ph c
describe how c
is rotated in
with respect to its initial position in memo1
current phase ph
. In final phase, it is not rotated but
null instead.
predicate rotated (memo1 memo2:pmem) (ph:phase) (c:loc) = (forall k x. x <> c -> memo1[k][x] = memo2[k][x]) /\ (ph <> Finish -> c <> null) /\ match ph with | GoLeft -> unchanged memo1 memo2 | GoRight -> memo2[Left][c] = memo1[Right][c] /\ memo2[Right][c] = memo1[Parent][c] /\ memo2[Parent][c] = memo1[Left][c] | GoBack -> memo1[Left][c] = memo2[Right][c] /\ memo1[Right][c] = memo2[Parent][c] /\ memo1[Parent][c] = memo2[Left][c] | Finish -> c = null end end module Recursive
In this module, we prove the algorithm by modifying the code to put it in recursive form. We justify that our limited usage of recursion makes the code equivalent to the one proposed in the challenge.
use map.Map use bintree.Tree use ref.Ref use Memory use TreeShape
Recursion-based proof of the algorithm.
The principal idea is the following: in its recursive
fashion, the algorithm is a standard tree traversal
(which is easy to prove correct).
Hence we nest the algorithm inside a recursive procedure
to link it with its recursive version. However,
the obtained algorithm does not really need the call stack
to run. Here is how we achieve this:
- We create a non-recursive sub-routine bloc
corresponding to
one turn of the while loop in the challenge's code.
It uses an exception to simulate exit.
Also, this sub-routine does not have any non-ghost argument,
so calling bloc
really amounts to advancing in the loop execution.
- We forbids use of any side-effect in the recursive procedure
except those obtained by calling bloc
. Hence calling
the recursive procedure is equivalent to run a certain
amounts of turns in the loop execution.
Note that since we will prove that the recursive procedure
terminates, it might not run a finite amount of turns and diverges
- After the topmost call to the recursive procedure,
we add an infinite loop who only calls bloc
at every turns.
This call and the loop are enclosed in an exception catching
construction to detect loop termination.
Hence it is justifiable that the algorithm with
the recursive procedure is equivalent (in the sense that
they have the same side-effects) as an infinite loop of bloc
encapsulated in an exception catching expression. And this
algorithm is evidently equivalent to the original challenge code.
exception Stop let markTree (ghost t:treel) (root:loc) : unit (* Requires a well-formed non-empty tree *) requires { is_tree memo.accessor t root null /\ root <> null } writes { memo, non_det } (* Tree shape is unchanged *) ensures { is_tree memo.accessor t root null } ensures { unchanged (old memo).accessor memo.accessor } (* All nodes are marked. *) ensures { was_marked t (old memo).mark memo.mark } = let x = ref (anyloc ()) in (* ==> Tree x, y *) let y = ref (anyloc ()) in x := root; (* ==> x = root *) let entered = ref false in (* ^ Used to encode the do { .. } while() loop as a while() {..}. Iterations will set the flag. *) let ghost z = ref (null ()) in (* Store previously explored node. *) (* Loop body. `mem0` is memory state at start of recursive call, `ph` is phase. *) let bloc (ghost mem0:pmem) (ghost ph:phase) : unit (* current node `!x` is rotated correctly with respect to the phase. *) requires { rotated mem0 memo.accessor ph !x } requires { ph = Finish -> !entered } writes { memo, x, y, z, entered } (* Caracterise `x` and `z` reference updates. *) ensures { !z = !(old x) /\ !x = memo.accessor[Parent][!z] } (* `Finish` phase never ends normally *) ensures { ph <> Finish /\ !entered } (* Node is marked, and other nodes do not change. *) ensures { memo.mark[!z] } ensures { forall l. l <> !z -> memo.mark[l] = (old memo).mark[l] } (* Describe phase shift. *) ensures { if (old memo).accessor[Left][!z] = null = (old memo).accessor[Right][!z] then memo.accessor = (old memo).accessor else rotated mem0 memo.accessor (next_phase ph) !z } (* In `Finish` phase, the code throws `Stop` without changing anything. *) raises { Stop -> ph = Finish /\ memo = old memo } = if !entered && is_null !x then raise Stop; (* ==> do { BODY *) entered := true; (* } while (x != null); *) (ghost z := !x); set_mark !x true; (* ==> x.mark = true; *) if is_null (get_acc Left !x) && is_null (get_acc Right !x) (* ==> if (x.left = null && x.right == null) { *) then y := get_acc Parent !x (* ==> y = x.parent *) else begin (* ==> } else { *) y := get_acc Left !x; (* ==> y = x.left; *) set_acc Left !x (get_acc Right !x); (* ==> x.left = x.right; *) set_acc Right !x (get_acc Parent !x); (* ==> x.right = x.parent; *) set_acc Parent !x !y; (* ==> x.parent = y; *) end; (* ==> } *) x := !y (* ==> x = y; *) in (* 'Recursive proof', corresponding to the expected depth-first traversal. *) let rec aux (ghost t:treel) : unit requires { !x <> null } requires { is_tree memo.accessor t !x !z } writes { memo, x, y, z, entered } ensures { unchanged (old memo).accessor memo.accessor } ensures { !x = old !z /\ !z = old !x } ensures { was_marked t (old memo).mark memo.mark } ensures { !entered } raises { Stop -> false } variant { t } = let ghost mem0 = get_all_accs () in let ghost _c = !x in let _lf = get_acc Left !x in let _rg = get_acc Right !x in let lf, rg = ghost match t with | Empty -> absurd | Node l _ r -> l, r end in (ghost not_below mem0 lf rg _c !z); bloc mem0 GoLeft; let b = begin ensures { result <-> _lf = null /\ _rg = null } ensures { result -> lf = Empty /\ rg = Empty } is_null _lf && is_null _rg end in if not b then begin (ghost ext_cur mem0 lf _lf _c); aux lf; bloc mem0 GoRight; (ghost ext_cur mem0 rg _rg _c); aux rg; bloc mem0 GoBack end in let ghost mem0 = get_all_accs () in try aux t; label I in while true do invariant { memo = (memo at I) } invariant { rotated mem0 memo.accessor Finish !x /\ !entered } variant { 0 } bloc mem0 Finish done with Stop -> (ghost ext_cur mem0 t root (null ())); () end end module Iterative
In this module we provide a proof of the initial algorithm by derecursiving the previous one
use int.Int use map.Map use map.Const use bintree.Tree use bintree.Size use option.Option use ref.Ref use Memory use TreeShape type snap = { pointers : pmem; cursor : loc; parent : loc; marks : map loc bool; }
Snapshot of all relevant memory values in the program
type frame = { (* Memory & ghost argument at call site (pc>=0). *) memo0 : snap; tree : treel; (* right & left trees/pointers (pc>=1) *) tleft : treel; pleft : loc; tright : treel; pright : loc; (* Memory after first bloc call (pc>=2) *) memo1 : snap; (* Memory after first recursive call (pc >= 4) *) memo2 : snap; (* Memory after second bloc call (pc >= 5) *) memo3 : snap; (* Memory after second recursive call (pc >= 6) *) memo4 : snap; }
Stack frame in the recursive version. Fields are assigned as the code pointer increase.
function frame_memo (f:frame) (pc:int) : snap = if pc <= 0 then f.memo0 else if pc <= 1 then f.memo1 else if pc <= 2 then f.memo2 else if pc <= 3 then f.memo3 else f.memo4
Find out current memory state with respect to code pointer.
predicate bloc_rel (mem0:pmem) (ph:phase) (s1 s2:snap) = s2.parent = s1.cursor /\ s2.cursor = s2.pointers[Parent][s2.parent] /\ s2.marks[s2.parent] /\ (forall l. l <> s2.parent -> s2.marks[l] = s1.marks[l]) /\ if s1.pointers[Left][s1.cursor] = null = s1.pointers[Right][s1.cursor] then s2.pointers = s1.pointers else rotated mem0 s2.pointers (next_phase ph) s2.parent
Postcondition relation for bloc
predicate rec_rel (t:treel) (s1 s2:snap) = unchanged s1.pointers s2.pointers /\ s2.cursor = s1.parent /\ s2.parent = s1.cursor /\ was_marked t s1.marks s2.marks
postcondition relation for recursive (aux
) calls.
type stack = | Bottom | Running stack int frame | Done
Call stack
predicate is_stack (t:treel) (stop scur:snap) (s:stack) (calls:option treel) = match s with | Bottom -> stop = scur /\ calls = Some t | Running s pc f -> 0 <= pc <= 4 /\ (* Correctness of caller stack. *) let m0 = f.memo0 in is_stack t stop m0 s (Some f.tree) /\ (* Precondition for recursive call. *) m0.cursor <> null /\ is_tree m0.pointers f.tree m0.cursor m0.parent /\ (* Initially obtained pointers & subtrees. *) f.tree = Node f.tleft m0.cursor f.tright /\ f.pleft = m0.pointers[Left][m0.cursor] /\ f.pright = m0.pointers[Right][m0.cursor] /\ (* First bloc run, if completed normally. *) (pc >= 1 -> bloc_rel m0.pointers GoLeft m0 f.memo1 /\ f.pleft <> null /\ f.pright <> null) /\ (* First recursive call. *) (pc >= 2 -> rec_rel f.tleft f.memo1 f.memo2) /\ (* Second bloc run. *) (pc >= 3 -> bloc_rel m0.pointers GoRight f.memo2 f.memo3) /\ (* Second recursive call. *) (pc >= 4 -> rec_rel f.tright f.memo3 f.memo4) /\ (* Current memory state. *) frame_memo f pc = scur /\ match calls with | None -> pc <> 1 /\ pc <> 3 | Some u -> if pc = 1 then u = f.tleft else pc = 3 /\ u = f.tright end | Done -> rec_rel t stop scur /\ calls = None end
Describe a valid call stack. Mostly precise which relation between states holds. Note that in the previous version, Why3 did that part for us via the weakest precondition calculus.
constant large_enough : int = 100 function stack_size (st:stack) : int = match st with | Bottom -> 1 | Done -> 0 | Running s pc f -> stack_size s + (large_enough - pc) + if pc = 0 then large_enough * (size f.tleft + size f.tright) else if pc <= 2 then large_enough * size f.tright else 0 end
Termination argument. In fully general cases, we would need a lexicographic ordering but here an integer size suffice.
let rec lemma stack_size_pos (st:stack) : unit requires { exists t stop scur calls. is_stack t stop scur st calls } ensures { stack_size st >= 0 } variant { st } = match st with Running s _ _ -> stack_size_pos s | _ -> () end let ghost opening (t ct:treel) (stop scur:snap) (ghost st:ref stack) requires { is_stack t stop scur !st (Some ct) } requires { is_tree scur.pointers ct scur.cursor scur.parent } requires { scur.cursor <> null } writes { st } ensures { is_stack t stop scur !st None } ensures { stack_size !st <= stack_size !(old st) + large_enough * size ct } = match ct with | Empty -> absurd | Node lf _ rg -> let f = { memo0 = scur; tree = ct; tleft = lf; tright = rg; pleft = scur.pointers[Left][scur.cursor]; pright = scur.pointers[Right][scur.cursor]; memo1 = scur; memo2 = scur; memo3 = scur; memo4 = scur; } in st := Running !st 0 f end
Create a stack frame for a recursive call
let ghost closing (t ct:treel) (stop sprev scur:snap) (ghost st:ref stack) : unit requires { is_stack t stop sprev !st (Some ct) } requires { rec_rel ct sprev scur } writes { st } ensures { is_stack t stop scur !st None } ensures { stack_size !st < stack_size !(old st) } = match !st with | Bottom -> st := Done | Done -> absurd | Running s pc f -> let f = if pc = 1 then { f with memo2 = scur } else { f with memo4 = scur } in st := Running s (pc+1) f end
Remove a stack frame at end of recursive call simulation
let ghost continuing (t:treel) (stop sprev scur:snap) (ghost st:ref stack) requires { is_stack t stop sprev !st None } requires { match !st with | Bottom | Done -> false | Running _ pc f -> let ph = if pc = 0 then GoLeft else if pc = 2 then GoRight else GoBack in bloc_rel f.memo0.pointers ph sprev scur end } writes { st } ensures { is_stack t stop scur !st None } ensures { stack_size !st < stack_size !(old st) } = match !st with | Bottom | Done -> absurd | Running s pc f -> not_below f.memo0.pointers f.tleft f.tright f.memo0.cursor f.memo0.parent; if pc = 0 then if is_null f.pleft && is_null f.pright then begin st := s; assert { match f.tleft, f.tright with Empty, Empty -> true | _ -> false end }; closing t f.tree stop f.memo0 scur st end else begin let f = { f with memo1 = scur } in st := Running s (pc+1) f; ext_set (footprint f.tleft) f.memo0.pointers scur.pointers f.tleft f.pleft f.memo0.cursor; opening t f.tleft stop scur st; end else if pc = 2 then begin let f = { f with memo3 = scur } in st := Running s (pc+1) f; ext_set (footprint f.tright) f.memo0.pointers scur.pointers f.tright f.pright f.memo0.cursor; opening t f.tright stop scur st; end else if pc = 4 then begin st := s; assert { unchanged scur.pointers f.memo0.pointers }; closing t f.tree stop f.memo0 scur st end end
Advance code pointer when a bloc is run. Takes care to open/close new frame as needed.
let markTree (ghost t:treel) (root:loc) : unit (* Requires a well-formed non-empty tree *) requires { is_tree memo.accessor t root null /\ root <> null } writes { memo, non_det } (* Tree shape is unchanged *) ensures { is_tree memo.accessor t root null } ensures { unchanged (old memo).accessor memo.accessor } (* All nodes are marked. *) ensures { was_marked t (old memo).mark memo.mark } = let x = ref (anyloc ()) in (* ==> Tree x, y *) let y = ref (anyloc ()) in let ghost z = ref (null ()) in let ghost snapshot () : snap ensures { result.pointers = memo.accessor } ensures { result.cursor = !x } ensures { result.parent = !z } ensures { result.marks = memo.mark } = { pointers = get_all_accs (); cursor = !x; parent = !z; marks = get_all_marks () } in x := root; (* ==> x = root; *) let ghost stop = snapshot () in let ghost scur = ref stop in let ghost st = ref Bottom in ghost opening t t stop stop st; let entered = ref false in (* encode do-while loop. *) while not (begin ensures { result <-> !x = null } !entered && is_null !x end) do (* ==> do { BODY } while(x != null); *) invariant { !x = null -> !entered } invariant { !scur.pointers = memo.accessor } invariant { !scur.cursor = !x } invariant { !scur.parent = !z } invariant { !scur.marks = memo.mark } invariant { is_stack t stop !scur !st None } variant { stack_size !st } entered := true; (ghost z := !x); set_mark !x true; (* ==> x.mark = true; *) if is_null (get_acc Left !x) && is_null (get_acc Right !x) (* ==> if (x.left == null && x.right == null) { *) then begin y := get_acc Parent !x; (* ==> y = x.parent; *) end else begin (* ==> } else { *) y := get_acc Left !x; (* ==> y = x.left; *) set_acc Left !x (get_acc Right !x); (* ==> x.left = x.right; *) set_acc Right !x (get_acc Parent !x); (* ==> x.right = x.parent; *) set_acc Parent !x !y; (* ==> x.parent = y; *) end; (* ==> } *) x := !y; (* ==> x = y; *) let ghost sprev = !scur in ghost scur := snapshot (); ghost continuing t stop sprev !scur st; done; (* ==> end 'do while' *) ghost (match !st with Done -> () | _ -> absurd end); ghost ext_cur stop.pointers t root (null ())
The main algorithm.
