
ACL2-Certified AVL Trees
Ryan Ralston
University of Oklahoma
NSF DUE-0633004
Integrating Mechanized Logic into the SE Curriculum
Collaborative Project with Matthias Felleisen, Northeastern University
Formal Verification in Software Development
(diagram: Formal Verifier, Company, Application, Customer, Specification)
Related Work
The Isabelle implementation of verified AVL trees verifies only the correctness of insertion and look-up with respect to balance and order
Gamboa and Cowles verified properties of red-black trees
Defining AVL Structure in ACL2

Single rotation (zig), using (defstructure avl key left right height):

(defun easy-R (tr)
  (let* ((L (lf (lf tr)))                      ; left-left grandchild becomes the new left subtree
         (R (avl (key tr)                      ; the old root becomes the new right subtree,
                 (rt (lf tr))                  ; adopting the left child's right subtree
                 (rt tr)
                 (ht-incr (rt (lf tr)) (rt tr)))))
    (avl (key (lf tr)) L R (ht-incr L R))))    ; the left child's key becomes the new root

Double rotations (zig-zag) are defined similarly.
Rebalancing operations select the appropriate rotation.
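An added worked example, not from the slides or the author's ACL2 development: it gives the mirror rotation easy-L, the double rotation hard-R, and a rebal-R that chooses between them, then states two theorems ACL2 proves without hints. It assumes the avl record is a plain four-element list instead of the defstructure, that ht-incr means one more than the taller child's recorded height, and it uses a constructed sample tree.

```lisp
;; Added example, not from the slides. Assumption: the avl record is a plain
;; list (key left right height) rather than the defstructure on the slide, so
;; the block loads in a bare ACL2 session; nil is the empty tree.
(defun avl (key left right height) (list key left right height))
(defun key (tr) (car tr))
(defun lf (tr) (cadr tr))
(defun rt (tr) (caddr tr))
(defun ht (tr) (if (consp tr) (cadddr tr) 0))   ; empty tree has height 0

;; Assumed meaning of ht-incr: recorded height of a node over subtrees l and r.
(defun ht-incr (l r) (+ 1 (max (ht l) (ht r))))

;; Single left rotation: mirror image of easy-R on the slide.
(defun easy-L (tr)
  (let* ((R (rt (rt tr)))
         (L (avl (key tr) (lf tr) (lf (rt tr))
                 (ht-incr (lf tr) (lf (rt tr))))))
    (avl (key (rt tr)) L R (ht-incr L R))))

;; Single right rotation from the slide, repeated so the block is self-contained.
(defun easy-R (tr)
  (let* ((L (lf (lf tr)))
         (R (avl (key tr) (rt (lf tr)) (rt tr)
                 (ht-incr (rt (lf tr)) (rt tr)))))
    (avl (key (lf tr)) L R (ht-incr L R))))

;; Double (zig-zag) right rotation: rotate the left child left, then the root
;; right. The height stored in the intermediate node is recomputed by easy-R.
(defun hard-R (tr)
  (easy-R (avl (key tr) (easy-L (lf tr)) (rt tr) (ht tr))))

;; Rebalance a node whose left subtree is at most two levels taller than its right.
(defun rebal-R (tr)
  (cond ((<= (ht (lf tr)) (+ 1 (ht (rt tr)))) tr)               ; already balanced
        ((>= (ht (lf (lf tr))) (ht (rt (lf tr)))) (easy-R tr))  ; left-left case
        (t (hard-R tr))))                                        ; left-right case

;; The new root of a double rotation is the left child's right child. ACL2 proves
;; this by opening the non-recursive definitions and simplifying car/cdr of cons.
(defthm hard-R-root-key
  (equal (key (hard-R tr)) (key (rt (lf tr)))))

;; Constructed left-right-heavy tree (30 over 10 over 20). ACL2 proves the ground
;; equality by evaluation: the result has 20 at the root, height 2, and is balanced.
(defconst *left-right-heavy* (avl 30 (avl 10 nil (avl 20 nil nil 1) 2) nil 3))
(defthm rebal-R-example
  (equal (rebal-R *left-right-heavy*)
         '(20 (10 nil nil 1) (30 nil nil 1) 2)))
```

The second theorem is the mechanized counterpart of checking a rotation by hand: the stored heights in the result are exactly what ht-incr recomputes, which is the "correct recorded height" property the following slides prove for insert and delete.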
Insertion Maintains Correct Recorded Height
(lemma dependency graph: insert, rebal-L, rebal-R, rot-L, rot-R, easy-L, easy-R, hard-L, hard-R, ht-incr, hard-L-able->easy-L-able, hard-R-able->easy-R)
Deletion Does, Too
(lemma dependency graph: delete, shrink, rebal-L, rebal-R, raise-sacrum, ht-incr)
Deletion Preserves Keys
(old keys stay in tree)
(lemma dependency graph: delete, shrink-not-key, rebal-L, rebal-R, ht-incr->ht=ht-meas, delete->ht=ht-meas, shrink->ht=ht-meas)
Deletion Conserves Keys
(new tree has no new keys)
(lemma dependency graph: delete, shrink, shrink-key, rebal-L, rebal-R, ht-incr->ht=ht-meas, delete->ht=ht-meas, shrink->ht=ht-meas)
Insertion Does Not Decrease Max Key in Tree
(lemma dependency graph: insert, rebal-L, rebal-R, insert-is-tree, tree-max-bigger-than-all-keys, ht-incr->ht=ht-meas, insert->ht=ht-meas)
Deletion Does Not Increase Max Key in Tree
(lemma dependency graph: delete, rebal-L, rebal-R, rebal-L-is-tree, rebal-R-is-tree, delete-lemma-lf, delete-lemma-rt, delete->ht=ht-meas, ht-incr->ht=ht-meas)
Insert Preserves Order
(lemma dependency graph: insert, insert-lf, insert-rt, rebal-L, rebal-R, insert-is-tree, insert->max, insert->min, insert->ht=ht-meas, ht-incr->ht=ht-meas)
Deletion Preserves Order
(lemma dependency graph: delete, rebal-L, rebal-R, raise-sacrum, del->max, del->min, delete-2lemma-1, delete-2lemma-2, delete-2lemma-3, delete-3lemma-1, delete-3lemma-2, delete-3lemma-3, delete-4lemma-1, delete-4lemma-2, delete-4lemma-3, ht-incr->ht=ht-meas, delete->ht=ht-meas)
Insertion Preserves Balance
(lemma dependency graph: insert, insert-empty, insert-root, insert-left, insert-right, insert-inc-atmost-1)
Noteworthy Facts
Requires a significant amount of code because of the number of cases that must be proven individually
The code does not build upon itself very well: the double-rotation theorems, for example, do not apply the single-rotation theorems
My “handwritten” proof overlooked a detail I considered trivial, but ACL2 didn’t
Preservation/Conservation of Keys Theorems

(defthm operation-preserves-and-conserves-keys
  (iff (in-tree? k tr)
       (in-tree? k (operation tr))))

(defthm operation-preserves-keys
  (implies (in-tree? k tr)
           (in-tree? k (operation tr))))

(defthm operation-conserves-keys
  (implies (not (in-tree? k tr))
           (not (in-tree? k (operation tr)))))
Working Backwards

Areas of use include the tree max and min proofs on deletion.
Almost no unnecessary lemmas proven
The approach will work but can produce results such as:

(defthm del-tree-max
  (implies (ht=ht-meas? tr)
           (decreasing-max-p (del k tr) tr))
  :hints (("Goal" :hands-off (rebal-L rebal-R ht-incr raise-sacrum decreasing-max-p))
          ("Subgoal *1/7" :use ((:instance del-tree-max-lemma-5)))
          ("Subgoal *1/5" :use ((:instance del-tree-max-lemma-4)))
          ("Subgoal *1/3" :use ((:instance raise-sacrum-tree-max)))
          ("Subgoal *1/2''" :use ((:instance avl-right-dec-max-p-tr)))
          ("Subgoal *1/1'" :use ((:instance empty-tr1-is-dec-max-p
                                            (tr1 tr)
                                            (tr2 tr))))))
Questions?