The Ramify Rule of Separation Logic Compositional Reasoning for - - PowerPoint PPT Presentation

The Ramify Rule of Separation Logic

Compositional Reasoning for Sharing Jules Villard1

Joint work with Aquinas Hobor2

1University College London 2National University of Singapore

Programs with Sharing in the Wild

Graphs Acyclic graphs (DAGs) Overlaid data structures (threaded tree)

Sharing ④

Programs with Sharing

✌ Everywhere ✌ Many variations over a few core principles (traversal, marking, copying, . . . ) ✌ Short programs, intricate reasoning ✌ Lots of pointer swinging (tree rotation, Schorr-Waite, . . . ) ✌ Challenge for compositionality

Sharing ④

Compositional Formal Verification

✌ Reasoning about a system by reasoning about its parts in isolation ✌ System = Program ✌ Parts = Functions ✌ Reasoning = tP✉ c tQ✉

Sharing ④

Compositionality for Pointer Programs

Success: Separation Logic

✌ The frame rule provides compositional reasoning: Frame tP✉ c tQ✉ tP ✎ F✉ c tQ ✎ F✉ t ✉ t ✉ t ✉ t ✉ ✏ ✌ Data structures without sharing (lists, trees, . . . ) ✌ Compositionality based on disjointness of memory accesses An answer to the frame problem: “Describing what does not change as a result of an action”

Sharing ④

Compositionality for Pointer Programs

Success: Separation Logic

✌ The frame rule provides compositional reasoning: Frame tP✉ c tQ✉ tP ✎ F✉ c tQ ✎ F✉ t ✉ c t ✉ t ✉ c t ✉ F ✏ ✌ Data structures without sharing (lists, trees, . . . ) ✌ Compositionality based on disjointness of memory accesses An answer to the frame problem: “Describing what does not change as a result of an action”

Sharing ④

Framing vs Data Structures with Sharing

Frame

t ✉ c t ✉ t ✉ c t ✉ F ✏ ✌ ✌ ✌

Sharing ④

Framing vs Data Structures with Sharing

Frame

t ✉ c t ✉ t ✉ c t ✉ F ✏ ✌ ✌ ✌

Sharing ④

Framing vs Data Structures with Sharing

Frame

t ✉ c t ✉ t ✉ c t ✉ F ✏

Previous Attempts

✌ Contrived predicates that circumvent the sharing ✌ Leads to compositional, but ad-hoc reasoning ✌ No general solution

Sharing ④

This Talk: Ramification

Ramification Problem in AI: “The ramification problem is concerned with indirect consequences of an action.”

Ramification Rule of Separation Logic

✌ Embrace sharing ✌ Concise, compositional proofs ✌ Expose and resolve global effects of local actions uniformly ✌ All within vanilla separation logic

Sharing ④

Separation, Frame, and Trees

The Frame Rule of Separation Logic

Frame tP✉ c tQ✉ tP ✎ F✉ c tQ ✎ F✉ ✌ σ1 ✌ σ2 is the disjoint union of σ1 and σ2 ✌ σ ✭ P1 ✎ P2 iff ❉σ1, σ2. σ ✏ σ1 ✌ σ2 & σ1 ✭ P1 & σ2 ✭ P2 P1 ✎ P2 ô P1 P2

Separation, Frame, and Trees ④

The Frame Rule of Separation Logic

Frame tP✉ c tQ✉ tP ✎ F✉ c tQ ✎ F✉ P

c

Q ✌ σ1 ✌ σ2 is the disjoint union of σ1 and σ2 ✌ σ ✭ P1 ✎ P2 iff ❉σ1, σ2. σ ✏ σ1 ✌ σ2 & σ1 ✭ P1 & σ2 ✭ P2 P1 ✎ P2 ô P1 P2

Separation, Frame, and Trees ④

The Frame Rule of Separation Logic

Frame tP✉ c tQ✉ tP ✎ F✉ c tQ ✎ F✉ P F

c

Q F ✌ σ1 ✌ σ2 is the disjoint union of σ1 and σ2 ✌ σ ✭ P1 ✎ P2 iff ❉σ1, σ2. σ ✏ σ1 ✌ σ2 & σ1 ✭ P1 & σ2 ✭ P2 P1 ✎ P2 ô P1 P2

Separation, Frame, and Trees ④

Binary Trees in SL

tree♣x, τq

def

✏ ♣x ✏ 0 ❫ emp ❫ τ ✏ ❍q ❍ ❴ ❉L, R, M, τL, τR. x ÞÑ m : M, ℓ : L, r : R ✎ tree♣L, τLq ✎ tree♣R, τRq ❫ τ ✏ node♣x, M, τL, τRq

Separation, Frame, and Trees ④

Marking a Tree

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴tr❡❡✭ str✉❝t ♥♦❞❡ ✯t✮ ④ ✴✴ ttree♣t, τq✉

4

✐❢ ✭✦t ⑤⑤ t✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ t✲❃❧✱ ✯r ❂ t✲❃r❀

6 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ q ✎ ♣r q ❫ ✏ ♣ q ✯

7

♠❛r❦❴tr❡❡✭❧✮❀

8 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r q ❫ ✏ ♣ q ✯

9

♠❛r❦❴tr❡❡✭r✮❀

10 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r ♣ qq ❫ ✏ ♣ q ✯

11

t✲❃♠ ❂ ✶❀

12 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r ♣ qq ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ ttree♣t, m♣τqq✉

Separation, Frame, and Trees ④

Marking a Tree

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴tr❡❡✭ str✉❝t ♥♦❞❡ ✯t✮ ④ ✴✴ ttree♣t, τq✉

4

✐❢ ✭✦t ⑤⑤ t✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ t✲❃❧✱ ✯r ❂ t✲❃r❀

6 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, τℓq ✎ tree♣r, τrq ❫ τ ✏ node♣0, τℓ, τrq ✯

7

♠❛r❦❴tr❡❡✭❧✮❀

8 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r q ❫ ✏ ♣ q ✯

9

♠❛r❦❴tr❡❡✭r✮❀

10 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r ♣ qq ❫ ✏ ♣ q ✯

11

t✲❃♠ ❂ ✶❀

12 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r ♣ qq ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ ttree♣t, m♣τqq✉

Separation, Frame, and Trees ④

Marking a Tree

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴tr❡❡✭ str✉❝t ♥♦❞❡ ✯t✮ ④ ✴✴ ttree♣t, τq✉

4

✐❢ ✭✦t ⑤⑤ t✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ t✲❃❧✱ ✯r ❂ t✲❃r❀

6 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, τℓq ✎ tree♣r, τrq ❫ τ ✏ node♣0, τℓ, τrq ✯

7

♠❛r❦❴tr❡❡✭❧✮❀

8 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, m♣τℓqq ✎ tree♣r, τrq ❫ τ ✏ node♣0, τℓ, τrq ✯

9

♠❛r❦❴tr❡❡✭r✮❀

10 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r ♣ qq ❫ ✏ ♣ q ✯

11

t✲❃♠ ❂ ✶❀

12 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r ♣ qq ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ ttree♣t, m♣τqq✉

Separation, Frame, and Trees ④

Marking a Tree

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴tr❡❡✭ str✉❝t ♥♦❞❡ ✯t✮ ④ ✴✴ ttree♣t, τq✉

4

✐❢ ✭✦t ⑤⑤ t✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ t✲❃❧✱ ✯r ❂ t✲❃r❀

6 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, τℓq ✎ tree♣r, τrq ❫ τ ✏ node♣0, τℓ, τrq ✯

7

♠❛r❦❴tr❡❡✭❧✮❀

8 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, m♣τℓqq ✎ tree♣r, τrq ❫ τ ✏ node♣0, τℓ, τrq ✯

9

♠❛r❦❴tr❡❡✭r✮❀

10 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, m♣τℓqq ✎ tree♣r, m♣τrqq ❫ τ ✏ node♣0, τℓ, τrq ✯

11

t✲❃♠ ❂ ✶❀

12 ✴✴

✧ t ÞÑ ♠ ❧ r r ✎ ♣❧ ♣ qq ✎ ♣r ♣ qq ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ ttree♣t, m♣τqq✉

Separation, Frame, and Trees ④

Marking a Tree

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴tr❡❡✭ str✉❝t ♥♦❞❡ ✯t✮ ④ ✴✴ ttree♣t, τq✉

4

✐❢ ✭✦t ⑤⑤ t✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ t✲❃❧✱ ✯r ❂ t✲❃r❀

6 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, τℓq ✎ tree♣r, τrq ❫ τ ✏ node♣0, τℓ, τrq ✯

7

♠❛r❦❴tr❡❡✭❧✮❀

8 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, m♣τℓqq ✎ tree♣r, τrq ❫ τ ✏ node♣0, τℓ, τrq ✯

9

♠❛r❦❴tr❡❡✭r✮❀

10 ✴✴

✧ t ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ tree♣❧, m♣τℓqq ✎ tree♣r, m♣τrqq ❫ τ ✏ node♣0, τℓ, τrq ✯

11

t✲❃♠ ❂ ✶❀

12 ✴✴

✧ t ÞÑ ♠ : 1, ℓ : ❧, r : r ✎ tree♣❧, m♣τℓqq ✎ tree♣r, m♣τrqq ❫ τ ✏ node♣0, τℓ, τrq ✯

13 ⑥ ✴✴ ttree♣t, m♣τqq✉

Separation, Frame, and Trees ④

Program Proofs without Sharing

• 1. Define inductive predicates for recursive data structures
• 2. Express pre- and post-conditions of the program
• 3. Apply logic rules to the program

Separation, Frame, and Trees ④

Overlap, Ramification, and DAGs

Describing DAGs in SL?

✌ DAG predicate: dag♣x, δq

def

✏ ♣x ✏ 0 ❫ ❡♠♣ ❫ δ ✏ ❍q ❴ ❉ℓ, r, m, δℓ, δr. x ÞÑ ℓ : ℓ, r : r, m : m ✎ ♣dag♣ℓ, δℓq ? dag♣r, δrqq ❫ δ ✏ node♣x, m, δℓ, δrq ✌ ✎ ✌ ❫ ✌ ❫ ✎ ✌

Overlap, Ramification, and DAGs ④

Describing DAGs in SL?

✌ DAG predicate: dag♣x, δq

def

✏ ♣x ✏ 0 ❫ ❡♠♣ ❫ δ ✏ ❍q ❴ ❉ℓ, r, m, δℓ, δr. x ÞÑ ℓ : ℓ, r : r, m : m ✎ ♣dag♣ℓ, δℓq ✎ dag♣r, δrqq ❫ δ ✏ node♣x, m, δℓ, δrq ✌ With “✎”: a tree ✌ ❫ ✌ ❫ ✎ ✌

Overlap, Ramification, and DAGs ④

Describing DAGs in SL?

✌ DAG predicate: dag♣x, δq

def

✏ ♣x ✏ 0 ❫ ❡♠♣ ❫ δ ✏ ❍q ❴ ❉ℓ, r, m, δℓ, δr. x ÞÑ ℓ : ℓ, r : r, m : m ✎ ♣dag♣ℓ, δℓq❫dag♣r, δrqq ❫ δ ✏ node♣x, m, δℓ, δrq ✌ With “✎”: a tree ✌ With “❫”: ✌ ❫ ✎ ✌

Overlap, Ramification, and DAGs ④

Describing DAGs in SL?

✌ DAG predicate: dag♣x, δq

def

✏ ♣x ✏ 0 ❫ ❡♠♣ ❫ δ ✏ ❍q ❴ ❉ℓ, r, m, δℓ, δr. x ÞÑ ℓ : ℓ, r : r, m : m ✎ ♣dag♣ℓ, δℓq❫dag♣r, δrqq ❫ δ ✏ node♣x, m, δℓ, δrq ✌ With “✎”: a tree ✌ With “❫”: a list ✌ ❫ ✎ ✌

Overlap, Ramification, and DAGs ④

Describing DAGs in SL?

✌ DAG predicate: dag♣x, δq

def

✏ ♣x ✏ 0 ❫ ❡♠♣ ❫ δ ✏ ❍q ❴ ❉ℓ, r, m, δℓ, δr. x ÞÑ ℓ : ℓ, r : r, m : m ✎ ♣♣dag♣ℓ, δℓq✎trueq❫♣dag♣r, δrq✎trueqq ❫ δ ✏ node♣x, m, δℓ, δrq ✌ With “✎”: a tree ✌ With “❫”: a list ✌ With “❫” and “ ✎ true”: a DAG + anything ✌

Overlap, Ramification, and DAGs ④

Describing DAGs in SL?

✌ DAG predicate: dag♣x, δq

def

✏ ♣x ✏ 0 ❫ ❡♠♣ ❫ δ ✏ ❍q ❴ ❉ℓ, r, m, δℓ, δr. x ÞÑ ℓ : ℓ, r : r, m : m ✎ ♣♣dag♣ℓ, δℓq✎trueq❫♣dag♣r, δrq✎trueqq ❫ δ ✏ node♣x, m, δℓ, δrq ✌ With “✎”: a tree ✌ With “❫”: a list ✌ With “❫” and “ ✎ true”: a DAG + anything ✌ We need something else. . .

Overlap, Ramification, and DAGs ④

Overlapping Conjunction

✌ Separating vs Overlapping conjunction: P1 ✎ P2 ô P1 P2 P1 ❨ ✎ P2 ô P1 P2 ✌ σ ✭ P1 ❨ ✎ P2 iff ❉σ1, σ2, σ3. σ ✏ σ1 ✌ σ2 ✌ σ3 & σ1 ✌ σ2 ✭ P1 & σ2 ✌ σ3 ✭ P2

Overlap, Ramification, and DAGs ④

Overlapping Conjunction

✌ Separating vs Overlapping conjunction: P1 ✎ P2 ô P1 P2 P1 ❨ ✎ P2 ô P1 P2 ✌ DAG predicate: dag♣x, δq

def

✏ ♣x ✏ 0 ❫ ❡♠♣ ❫ δ ✏ ❍q ❴ ❉ℓ, r, m, δℓ, δr. x ÞÑ ℓ : ℓ, r : r, m : m ✎ ♣dag♣ℓ, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣x, m, δℓ, δrq

Overlap, Ramification, and DAGs ④

A Failed Attempt at Framing

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ q ❨ ✎ ♣r qq ❫ ✏ ♣ q ✯

7 ✴✴

t ♣ q ✎ ✉

8

♠❛r❦❴❞❛❣✭❧✮❀

9 ✴✴ 10

♠❛r❦❴❞❛❣✭r✮❀

11 ✴✴ 12

❞✲❃♠ ❂ ✶❀

13 ✴✴ 14 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

A Failed Attempt at Framing

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣0, δℓ, δrq ✯

7 ✴✴

t ♣ q ✎ ✉

8

♠❛r❦❴❞❛❣✭❧✮❀

9 ✴✴ 10

♠❛r❦❴❞❛❣✭r✮❀

11 ✴✴ 12

❞✲❃♠ ❂ ✶❀

13 ✴✴ 14 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

A Failed Attempt at Framing

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣0, δℓ, δrq ✯

7 ✴✴ tdag♣l, δlq ✎ ???✉ 8

♠❛r❦❴❞❛❣✭❧✮❀

9 ✴✴ 10

♠❛r❦❴❞❛❣✭r✮❀

11 ✴✴ 12

❞✲❃♠ ❂ ✶❀

13 ✴✴ 14 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

A Failed Attempt at Framing

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣0, δℓ, δrq ✯

7 ✴✴ tdag♣l, δlq ✎ ???✉ 8

♠❛r❦❴❞❛❣✭❧✮❀

9 ✴✴ stuck! 10

♠❛r❦❴❞❛❣✭r✮❀

11 ✴✴ 12

❞✲❃♠ ❂ ✶❀

13 ✴✴ 14 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

The Ramify Rule of Separation Logic

Ramify tP✉ c tQ✉ ramify♣P Q, Rq ✏ R✶ tR✉ c tR✶✉ ✌ ramify♣P Q, Rq ✏ R✶

def

✏ R ✩ P ✎ ♣Q ✁ ✁ ✎ R✶q ✌ σ ✭ P1 ✁ ✁ ✎ P2 iff ❅σ✶ ✭ P1. σ ✌ σ✶ ✭ P2

Overlap, Ramification, and DAGs ④

Program Proofs with Sharing

• 1. Define inductive predicates for recursive data structures
• 2. Express pre- and post-conditions of the program
• 3. Apply logic rules to the program
• 4. Prove ramification conditions

Overlap, Ramification, and DAGs ④

Marking a DAG

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ q ❨ ✎ ♣r qq ❫ ✏ ♣ q ✯

7

♠❛r❦❴❞❛❣✭❧✮❀

8 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r

✶qq

❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

9

♠❛r❦❴❞❛❣✭r✮❀

10 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r ♣ ✶qqq ❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

11

❞✲❃♠ ❂ ✶❀

12 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r ♣ ✶qqq ❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

Marking a DAG

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣0, δℓ, δrq ✯

7

♠❛r❦❴❞❛❣✭❧✮❀

8 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r

✶qq

❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

9

♠❛r❦❴❞❛❣✭r✮❀

10 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r ♣ ✶qqq ❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

11

❞✲❃♠ ❂ ✶❀

12 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r ♣ ✶qqq ❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

Marking a DAG

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣0, δℓ, δrq ✯

7

♠❛r❦❴❞❛❣✭❧✮❀

8 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, m♣δℓqq ❨ ✎ dag♣r, δ✶

rqq

❫ m♣δrq ✏ m♣δ✶

rq ❫ δ ✏ node♣0, δℓ, δrq

✯

9

♠❛r❦❴❞❛❣✭r✮❀

10 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r ♣ ✶qqq ❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

11

❞✲❃♠ ❂ ✶❀

12 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r ♣ ✶qqq ❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

Marking a DAG

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣0, δℓ, δrq ✯

7

♠❛r❦❴❞❛❣✭❧✮❀

8 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, m♣δℓqq ❨ ✎ dag♣r, δ✶

rqq

❫ m♣δrq ✏ m♣δ✶

rq ❫ δ ✏ node♣0, δℓ, δrq

✯

9

♠❛r❦❴❞❛❣✭r✮❀

10 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, m♣δℓqq ❨ ✎ dag♣r, m♣δ✶

rqqq

❫ m♣δrq ✏ m♣δ✶

rq ❫ δ ✏ node♣0, δℓ, δrq

✯

11

❞✲❃♠ ❂ ✶❀

12 ✴✴

✧ ❞ ÞÑ ♠ ❧ r r ✎ ♣ ♣❧ ♣ qq ❨ ✎ ♣r ♣ ✶qqq ❫ ♣ q ✏ ♣ ✶q ❫ ✏ ♣ q ✯

13 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

Marking a DAG

1 str✉❝t

♥♦❞❡ ④s❤♦rt ♠❀ str✉❝t ♥♦❞❡ ✯❧✱✯r❀⑥❀

2 3 ✈♦✐❞

♠❛r❦❴❞❛❣✭str✉❝t ♥♦❞❡ ✯❞✮ ④ ✴✴ tdag♣❞, δq✉

4

✐❢ ✭✦❞ ⑤⑤ ❞✲❃♠✮ r❡t✉r♥❀

5

str✉❝t ♥♦❞❡ ✯❧ ❂ ❞✲❃❧✱ ✯r ❂ ❞✲❃r❀

6 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, δℓq ❨ ✎ dag♣r, δrqq ❫ δ ✏ node♣0, δℓ, δrq ✯

7

♠❛r❦❴❞❛❣✭❧✮❀

8 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, m♣δℓqq ❨ ✎ dag♣r, δ✶

rqq

❫ m♣δrq ✏ m♣δ✶

rq ❫ δ ✏ node♣0, δℓ, δrq

✯

9

♠❛r❦❴❞❛❣✭r✮❀

10 ✴✴

✧ ❞ ÞÑ ♠ : 0, ℓ : ❧, r : r ✎ ♣dag♣❧, m♣δℓqq ❨ ✎ dag♣r, m♣δ✶

rqqq

❫ m♣δrq ✏ m♣δ✶

rq ❫ δ ✏ node♣0, δℓ, δrq

✯

11

❞✲❃♠ ❂ ✶❀

12 ✴✴

✧ ❞ ÞÑ ♠ : 1, ℓ : ❧, r : r ✎ ♣dag♣❧, m♣δℓqq ❨ ✎ dag♣r, m♣δ✶

rqqq

❫ m♣δrq ✏ m♣δ✶

rq ❫ δ ✏ node♣0, δℓ, δrq

✯

13 ⑥ ✴✴ tdag♣❞, m♣δqq✉

Overlap, Ramification, and DAGs ④

Ramification Conditions

dag♣ℓ, δℓq ❨ ✎ dag♣r, δrq ✩ dag♣ℓ, δℓq ✎ ♣dag♣ℓ, m♣δℓqq ✁ ✁ ✎ dag♣ℓ, m♣δℓqq ❨ ✎ dag♣r, δ✶

rq ❫ m♣δrq ✏ m♣δ✶ rqq

(1) dag♣ℓ, δ✶

ℓq ❨

✎ dag♣r, δ✶

rq

✩ dag♣r, δ✶

rq ✎ ♣dag♣r, m♣δ✶ rqq ✁

✁ ✎ dag♣ℓ, δ✷

ℓ q ❨

✎ dag♣r, m♣δ✶

rqq ❫ m♣δ✶ ℓq ✏ m♣δ✷ ℓ qq

(2)

Overlap, Ramification, and DAGs ④

Overlaid Data Structures

Threaded Tree

list♣sq ❫ tree♣tq t s

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴

t♣❉ ÞÑ ❫ ✏ ✎ ♣ qq ❫ ♣ q✉

7

s ❂ s✲❃♥❡①t❀

8 ✴✴

t♣ ÞÑ ✎ ♣ qq ❫ ♣ q✉

9

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

10 ✴✴

t ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✁q✉

11

r❡t✉r♥ ❝❀

12 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With ttree♣tq✉ tree_remove(t,c) ttree♣retq ✎ c ÞÑ ✁, ✁, ✁✉

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴

t♣ ÞÑ ✎ ♣ qq ❫ ♣ q✉

9

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

10 ✴✴

t ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✁q✉

11

r❡t✉r♥ ❝❀

12 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With ttree♣tq✉ tree_remove(t,c) ttree♣retq ✎ c ÞÑ ✁, ✁, ✁✉

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ tree♣tq✉ 9

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

10 ✴✴

t ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✁q✉

11

r❡t✉r♥ ❝❀

12 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With ttree♣tq✉ tree_remove(t,c) ttree♣retq ✎ c ÞÑ ✁, ✁, ✁✉

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ tree♣tq✉ 9

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

10 ✴✴ t??? ❫ ♣tree♣tq ✎ c ÞÑ ✁, ✁, ✁q✉ 11

r❡t✉r♥ ❝❀

12 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With ttree♣tq✉ tree_remove(t,c) ttree♣retq ✎ c ÞÑ ✁, ✁, ✁✉

Overlaid Data Structures ④

Skeleton Trees and Lists

list♣sq ❫ tree♣tq t s

Overlaid Data Structures ④

Skeleton Trees and Lists

tree♣tq t s tree♣xq

def

✏ ♣x ✏ 0❫empq❴❉L, R, N. x ÞÑ L, R, N✎tree♣Lq✎tree♣Rq

Overlaid Data Structures ④

Skeleton Trees and Lists

sktree♣tq t s sktree♣xq

def

✏ ♣x ✏ 0❫empq❴❉L, R, N. x ÞÑ L, R✎sktree♣Lq✎sktree♣Rq

Overlaid Data Structures ④

Skeleton Trees and Lists

sklist♣sq t s sklist♣xq

def

✏ ♣x ✏ 0 ❫ empq ❴ ❉N. x 2 ÞÑ N ✎ sklist♣Nq

Overlaid Data Structures ④

Skeleton Trees and Lists

tree♣tq ô sktree♣t, πq ✎ sklist♣t, πq t s

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ tree♣tq✉ 9 ✴✴

t♣ ÞÑ ✎ ♣ qq ❫ ♣ ♣ ❩ t ✉q ✎ ♣ ❩ t ✉qq✉

10

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

11 ✴✴

t♣ ÞÑ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✎ ♣ ❩ t ✉qq✉

12 ✴✴

t♣ ÞÑ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✎ ♣ q ✎

• ÞÑ ✁q✉

13 ✴✴

t♣ ÞÑ ✁ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✁q✉

14

r❡t✉r♥ ❝❀

15 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With tsktree♣t, π ❩ tc✉q✉ tree_remove(t,c) tsktree♣ret, πq ✎ c ÞÑ ✁, ✁✉

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ tree♣tq✉ 9 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ ♣sktree♣t, π ❩ tc✉q ✎ sklist♣c, π ❩ tc✉qq✉ 10

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

11 ✴✴

t♣ ÞÑ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✎ ♣ ❩ t ✉qq✉

12 ✴✴

t♣ ÞÑ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✎ ♣ q ✎

• ÞÑ ✁q✉

13 ✴✴

t♣ ÞÑ ✁ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✁q✉

14

r❡t✉r♥ ❝❀

15 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With tsktree♣t, π ❩ tc✉q✉ tree_remove(t,c) tsktree♣ret, πq ✎ c ÞÑ ✁, ✁✉

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ tree♣tq✉ 9 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ ♣sktree♣t, π ❩ tc✉q ✎ sklist♣c, π ❩ tc✉qq✉ 10

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

11 ✴✴ t♣c ÞÑ ✁, ✁, s ✎ list♣sqq ❫ ♣sktree♣t, πq ✎ c ÞÑ ✁, ✁ ✎ sklist♣s, π ❩ tc✉qq✉ 12 ✴✴

t♣ ÞÑ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✎ ♣ q ✎

• ÞÑ ✁q✉

13 ✴✴

t♣ ÞÑ ✁ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✁q✉

14

r❡t✉r♥ ❝❀

15 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With tsktree♣t, π ❩ tc✉q✉ tree_remove(t,c) tsktree♣ret, πq ✎ c ÞÑ ✁, ✁✉

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ tree♣tq✉ 9 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ ♣sktree♣t, π ❩ tc✉q ✎ sklist♣c, π ❩ tc✉qq✉ 10

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

11 ✴✴ t♣c ÞÑ ✁, ✁, s ✎ list♣sqq ❫ ♣sktree♣t, πq ✎ c ÞÑ ✁, ✁ ✎ sklist♣s, π ❩ tc✉qq✉ 12 ✴✴ t♣c ÞÑ ✁, ✁, s ✎ list♣sqq ❫ ♣sktree♣t, πq ✎ c ÞÑ ✁, ✁ ✎ sklist♣s, πq ✎ c 2 ÞÑ ✁q✉ 13 ✴✴

t♣ ÞÑ ✁ ✁ ✁ ✎ ♣ qq ❫ ♣ ♣ q ✎ ÞÑ ✁ ✁ ✁q✉

14

r❡t✉r♥ ❝❀

15 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With tsktree♣t, π ❩ tc✉q✉ tree_remove(t,c) tsktree♣ret, πq ✎ c ÞÑ ✁, ✁✉

Overlaid Data Structures ④

Removal from a Threaded Tree

1 str✉❝t

♥♦❞❡ ④ str✉❝t ♥♦❞❡ ✯❧✱✯r❀

2

str✉❝t ♥♦❞❡ ✯♥❡①t❀ ⑥❀

3 str✉❝t

♥♦❞❡ ✯ ♣♦♣✭✈♦✐❞✮ ④ ✴✴ tlist♣sq ❫ tree♣tq✉

4

✐❢ ✭✦s✮ r❡t✉r♥ ✵❀

5

str✉❝t ♥♦❞❡ ✯ ❝ ❂ s❀

6 ✴✴ t♣❉n. s ÞÑ ℓ, r, n ❫ s ✏ c ✎ list♣nqq ❫ tree♣tq✉ 7

s ❂ s✲❃♥❡①t❀

8 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ tree♣tq✉ 9 ✴✴ t♣c ÞÑ ℓ, r, s ✎ list♣sqq ❫ ♣sktree♣t, π ❩ tc✉q ✎ sklist♣c, π ❩ tc✉qq✉ 10

t ❂ tr❡❡❴r❡♠♦✈❡✭t✱❝✮❀

11 ✴✴ t♣c ÞÑ ✁, ✁, s ✎ list♣sqq ❫ ♣sktree♣t, πq ✎ c ÞÑ ✁, ✁ ✎ sklist♣s, π ❩ tc✉qq✉ 12 ✴✴ t♣c ÞÑ ✁, ✁, s ✎ list♣sqq ❫ ♣sktree♣t, πq ✎ c ÞÑ ✁, ✁ ✎ sklist♣s, πq ✎ c 2 ÞÑ ✁q✉ 13 ✴✴ t♣c ÞÑ ✁, ✁, ✁ ✎ list♣sqq ❫ ♣tree♣tq ✎ c ÞÑ ✁, ✁, ✁q✉ 14

r❡t✉r♥ ❝❀

15 ⑥ ✴✴ t♣list♣sqq ❫ tree♣tqq ✎ r❡t ÞÑ ✁, ✁, ✁✉

With tsktree♣t, π ❩ tc✉q✉ tree_remove(t,c) tsktree♣ret, πq ✎ c ÞÑ ✁, ✁✉

Overlaid Data Structures ④

Ramification Conditions

♣c ÞÑ ℓ, r, n ✎ list♣sqq ❫ ♣sktree♣t, π ❩ tc✉q ✎ ptrs♣π ❩ tc✉qq ✩ sktree♣t, π ❩ tc✉q ✎ ♣sktree♣t✶, πq ✎ c ÞÑ ✁, ✁ ✁ ✁ ✎ ♣c ÞÑ ✁, ✁, n ✎ list♣sqq ❫ ♣sktree♣t✶, πq ✎ c ÞÑ ✁, ✁ ✎ ptrs♣πqq

Overlaid Data Structures ④

Towards Tool Support

Program Proofs with Ramification

✌ Meta-theory validated in Coq ✌ Programs proved by hand ✌ Ramification conditions proved in Coq (work in progress)

Towards Tool Support ④

Ramification Library

Collection of lemmas to simplify ramification conditions, e.g. ✌ ❅P, Q, R, R✶, F R ✩ P ✎ ♣Q ✁ ✁ ✎ R✶q R ✩ P ✎ F ✎ true F ✁ ✁

• ✎ R✶ ✩ F ✁

✁ ✎ R✶ R ✩ P ✎ F ✎ ♣Q ✎ F ✁ ✁ ✎ R✶q ✌ ❅P, Q, R, R✶, F precise♣Pq precise♣Qq P ❨ ✎ R ✩ P ✎ ♣Q ✁ ✁ ✎ Q ❨ ✎ R✶q ♣P ✎ Fq ❨ ✎ R ✩ P ✎ ♣Q ✁ ✁ ✎ ♣Q ✎ Fq ❨ ✎ R✶q ✌ ❅P, Q, R, R✶, F P ❨ ✎ R ✩ P ✎ ♣Q ✁ ✁ ✎ Q ❨ ✎ R✶q P ❨ ✎ ♣R ✎ Fq ✩ P ✎ ♣Q ✁ ✁ ✎ Q ❨ ✎ ♣R✶ ✎ Fqq

Towards Tool Support ④

Benchmark: Cheney’s GC

Cheney’s Copying Garbage Collector

1 ✈♦✐❞ ❝♦❧❧❡❝t✭✈♦✐❞ ✯✯r✮ ④ 2 ✈♦✐❞ ✯t♠♣ ❂ ❢r♦♠❙♣❛❝❡❀ 3 ❢r♦♠❙♣❛❝❡ ❂ t♦❙♣❛❝❡❀ 4 t♦❙♣❛❝❡ ❂ t♠♣❀ 5 ❢r❡❡ ❂ t♦❙♣❛❝❡❀ 6 s❝❛♥ ❂ ❢r❡❡❀ 7 ❝♦♣②❴r❡❢✭r✮❀ 8 ✇❤✐❧❡ ✭s❝❛♥ ✦❂ ❢r❡❡✮ ④ 9 ❝♦♣②❴r❡❢ ✭✭ ✈♦✐❞ ✯✯✮ s❝❛♥ ✮❀ 10 ❝♦♣②❴r❡❢ ✭✭ ✈♦✐❞ ✯✯✮✭ s❝❛♥ ✰ ✹✮✮❀ 11 s❝❛♥ ❂ s❝❛♥ ✰ ✽❀ 12 ⑥ 13 ⑥ 1 ✈♦✐❞ ❝♦♣②❴r❡❢✭✈♦✐❞ ✯✯♣✮ ④ 2 ✐❢ ✭♣ ✫✫ ✯♣✮ ④ 3 ✈♦✐❞ ✯♦❜❥ ❂ ✯♣❀ 4 ✐♥t ❢✇❞ ❂ ✯✭ ✐♥t ✯✮ ♦❜❥❀ 5 ✐❢ ✭❢✇❞ ✫✫ 6 t♦❙♣❛❝❡ ❁❂ ✭✈♦✐❞ ✯✮❢✇❞ ✫✫ 7 ✭✈♦✐❞ ✯✮ ❢✇❞ ❁ t♦❙♣❛❝❡✰s♣❛❝❡❙③ ✮④ 8 ✯✭ ✈♦✐❞ ✯✯✮♣ ❂ ✭✈♦✐❞ ✯✮ ❢✇❞❀ 9 ⑥ ❡❧s❡ ④ 10 ✈♦✐❞ ✯♥❡✇❖❜❥ ❂ ❢r❡❡❀ 11 ❢r❡❡ ❂ ❢r❡❡ ✰ ✽❀ 12 ✯✭✐♥t✯✮ ♥❡✇❖❜❥ ❂ ✯✭✐♥t✯✮ ♦❜❥❀ 13 ✯✭✐♥t ✯✮✭ ♥❡✇❖❜❥ ✰ ✹✮ ❂ 14 ✯✭ ✐♥t ✯✮✭ ♦❜❥ ✰ ✹✮❀ 15 ✯✭ ✈♦✐❞ ✯✯✮ ♦❜❥ ❂ ♥❡✇❖❜❥❀ 16 ✯✭ ✈♦✐❞ ✯✯✮♣ ❂ ♥❡✇❖❜❥❀ 17 ⑥ ⑥ ⑥

Benchmark: Cheney’s GC ④

With Framing

Loop Invariant

iso♣φ, FORW, BUSYq ❫ ♣ALIVE ✏ FORW ❨ UNFORWq ❫ Reachable♣head, tail, ALIVE, rootq❫♣ALIVE❑NEWq❫PtrRg♣head, ALIVEq❫ PtrRg♣tail, ALIVEq ❫ Tfun♣head, ALIVEq ❫ Tfun♣tail, ALIVEq ❫ ♣✼ALIVE ↕ ✼NEWq ❫ ♣root P FORWq ❫ ♣scan ↕ freeq ❫ Ptr♣freeq ❫ Ptr♣scanq ❫ Ptr♣offsetq ❫ Ptr♣maxFreeq ❫ ❅✎y P UNFORW.♣♣❉z. ♣y, zq P head ❫ y ÞÑ zq ✎ ♣❉z✶. ♣y, z✶q P tail ❫ y 4 ÞÑ zqq ✎ ❅✎y P FORW.♣❉z. ♣y, zq P φ ❫ y ÞÑ z, ✁q ✎ ❅✎y P UNFIN.♣♣❉z. ♣y, zq P head ✆ φ✿ ❫ y ÞÑ zq ✎ ♣❉z✶. ♣y, z✶q P tail ✆ φ✿ ❫ y 4 ÞÑ z✶qq ✎ ❅✎y P FIN.♣♣❉z. ♣y, zq P φ ✆ ♣head ✆ φ✿q ❫ y ÞÑ zq ✎ ♣❉z✶. ♣y, z✶q P φ ✆ ♣tail ✆ φ✿q ❫ y 4 ÞÑ z✶qq ✎ ❅✎y P FREE.y ÞÑ ✁, ✁

Benchmark: Cheney’s GC ④

With Ramification

Loop Invariant

to ↕ scan ↕ free ➔ to size❫ cheney♣✯to, scan, freeq ❨ ✎ cheney♣✯scan, scan, freeq

In-Copy Graph Predicate

cheney♣g, scan, freeq

def

✏ ♣g ✏ 0 ❫ ❡♠♣q ❴ ♣g ÞÑ a, b ❫ ♣to ↕ g ↕ scan ñ to ↕ a, b ↕ to sizeq❫ ♣scan ↕ g ↕ free ñ from ↕ a, b ↕ from sizeqq ❨ ✎ cheney♣a, scan, freeq ❨ ✎ cheney♣b, scan, freeq

Benchmark: Cheney’s GC ④

Conclusion

Summary

Ramify Rule

✌ Small and intricate programs with sharing ✌ Exposes the essence of the proofs ✌ Concise and compositional proofs ✌ Valid in any separation logic

Ramification Conditions R ✩ P ✎ ♣Q ✁ ✁ ✎ R✶q

✌ Beyond the reach of today’s automatic theorem provers ✌ Simplification lemmas provided for Coq ✌ Expressed as SL entailments ✌ ❨ ✎ is a useful connective!

Conclusion ④

Prospects for Automation

Current Tools

✌ Automatic shape analysis tools cannot deal with sharing ✌ Have separation baked in

Automatic Proofs of Programs with Sharing

✌ Extend classic shape domains to express sharing ✌ Automate checks of ramification conditions ✌ More proved programs to come!

Conclusion ④

The Ramify Rule of Separation Logic

Compositional Reasoning for Sharing Jules Villard1

Joint work with Aquinas Hobor2

1University College London 2National University of Singapore