Being able to argue about the performance of self-adjusting data structures such as splay trees has been a main objective, when Sleator and Tarjan introduced the notion of amortised complexity.
Analysing these data structures requires sophisticated potential functions, which typically contain logarithmic expressions. Possibly for these reasons, and despite the recent progress in automated resource analysis, they have so far eluded automation. In this paper, we report on the first fully-automated amortised complexity analysis of self-adjusting data structures. Following earlier work, our analysis is based on potential function templates with unknown coefficients.
We make the following contributions: 1) We encode the search for concrete potential function coefficients as an optimisation problem over a suitable constraint system. Our target function steers the search towards coefficients that minimise the inferred amortised complexity. 2) Automation is achieved by using a linear constraint system in conjunction with suitable lemmata schemes that encapsulate the required non-linear facts about the logarithm. We discuss our choices that achieve a scalable analysis. 3) We present our tool \(\mathsf {ATLAS}\) and report on experimental results for splay trees, splay heaps and pairing heaps. We completely automatically infer complexity estimates that match previous results (obtained by sophisticated pen-and-paper proofs), and in some cases even infer better complexity estimates than previously published.
1 Introduction
Amortised analysis, as introduced by Sleator and Tarjan [47, 49], is a method for the worst-case cost analysis of data structures. The innovation of amortised analysis lies in considering the cost of a single data structure operation as part of a sequence of data structure operations. The methodology of amortised analysis allows one to assign a low (e.g., constant or logarithmic) amortised cost to a data structure operation even though the worst-case cost of a single operation might be high (e.g., linear, polynomial or worse). The setup of amortised analysis guarantees that for a sequence of data structure operations the worst-case cost is indeed the number of data structure operations times the amortised cost. In this way amortised cost analysis provides a methodology for worst-case cost analysis. Notably, the cost analysis of self-adjusting data structures, such as splay trees, has been a main objective already in the initial proposal of amortised analysis [47, 49]. Analysing these data structures requires sophisticated potential functions, which typically contain logarithmic expressions. Possibly for these reasons, and despite the recent progress in automated complexity analysis, they have so far eluded automation.
In this paper, we present the first fully-automated amortised cost analysis of self-adjusting data structures, that is, of splay trees, splay heaps and pairing heaps, which so far have only (semi-) manually been analysed in the literature. We implement and extend a recently proposed type-and-effect system for amortised resource analysis [26, 27]. This system belongs to a line of work (see [20, 22‐25, 28] and the references therein), where types are template potential functions with unknown coefficients and the type-and-effect system extracts constraints over these coefficients in a syntax directed way from the program under analysis. Our work improves over [26, 27] in three regards: 1) The approach of [26, 27] only supports type checking, i.e. verifying that a manually provided type is correct. In this paper, we add an optimisation layer to the set-up of [26, 27] in order to support type inference, i.e. our approach does not rely on manual annotations. Our target function steers the search towards coefficients that minimise the inferred amortised complexity. 2) The only case study of [26, 27] is partial, focusing on the zig-zig case of the splay tree function \(\mathtt {splay}\), while we report on the full analysis of the operations of several data structures. 3) [26, 27] does not report on a fully-automated analysis. Besides the requirement that the user needs to provide the resource annotation, the user also has to apply the structural rules of the type system manually. Our tool \(\mathsf {ATLAS}\) is able to analyse our benchmarks fully automatically. Achieving full automation required substantial implementation effort as the structural rules need to be applied carefully—as we learned during our experiments—in order to avoid a size explosion of the generated constraint system. We evaluate and discuss our design choices that lead to a scalable implementation.
Advertisement
With our implementation and the obtained experimental results we make two contributions to the complexity analysis of data structures:
1.) We automatically infer complexity estimates that match previous results (obtained by sophisticated pen-and-paper proofs), and in some cases even infer better complexity estimates than previously published. In Table 1, we state the complexity bounds computed by \(\mathsf {ATLAS}\) next to results from the literature. We match or improve the results from [37, 41, 42]. To the best of our knowledge, the bounds for splay trees and splay heaps represent the state-of-the-art. In particular, we improve the bound for the \(\mathtt {delete}\) function of splay trees and all bounds for the splay heap functions. For pairing heaps, Iacono [29, 30] has proven (using a more involved potential function) that \(\mathtt {insert}\) and \(\mathtt {merge}\) have constant amortised complexity, while the other data structure operations continue to have an amortised complexity of ; while we leave an automated analysis based on Iacono’s potential function for future work, we note that his coefficients k in the logarithmic terms are large, and that therefore the small coefficients in Table 1 are still of interest. We will detail below that we used a simpler potential function than [37, 41, 42] to obtain our results. Hence, also the new proofs of the confirmed complexity bounds can be considered a contribution.
Table 1.
Amortised complexity bounds for splay trees (module name SplayTree, abbrev. ST), splay heaps (SplayHeap, SH) and pairing heaps (PairingHeap, PH).
\(^\mathrm{a}\)[42] uses a different cost metric, i.e. the numbers of arithmetic comparisons, whereas we and [37] count the number of (recursive) function applications. We adapted the results of [42] to our cost metric to make the results easier to compare, i.e. the coefficients of the logarithmic terms are by a factor 2 smaller compared to [42].
\(^\mathrm{a}\)[42] uses a different cost metric, i.e. the numbers of arithmetic comparisons, whereas we and [37] count the number of (recursive) function applications. We adapted the results of [42] to our cost metric to make the results easier to compare, i.e. the coefficients of the logarithmic terms are by a factor 2 smaller compared to [42].
2.) We establish a new approach for the complexity analysis of data structures. Establishing the prior results in Table 1 required considerable effort. Schoenmakers studied in his PhD thesis [42] the best amortised complexity bounds that can be obtained using a parameterised potential function \(\phi (t)\), where t is a binary tree, defined by
and
, for real-valued parameters \(\alpha ,\beta > 0\). Carrying out a sophisticated optimisation with pen and paper, he concluded that the best bounds are obtained by setting \(\alpha = \root 3 \of {4}\) and \(\beta = \frac{1}{3}\) for splay trees, and by setting \(\alpha = \sqrt{2}\) and \(\beta = \frac{1}{2}\) for pairing heaps (splay heaps were proposed only some years later by Okasaki in [38]). Brinkop and Nipkow verify his complexity results for splay trees in the theorem prover Isabelle [37]. They note that manipulating the expressions corresponding to could only partly be automated1. For splay heaps, there is to the best of our knowledge no previous attempt to optimise the obtained complexity bounds, which might explain why our optimising analysis was able to improve all bounds. For pairing heaps, Brinkop and Nipkow did not use the optimal parameters reported by Schoenmakers—probably in order to avoid reasoning about polynomial inequalities—, which explains the worse complexity bounds. In contrast to the discussed approaches, we were able to verify and improve the previous results fully automatically. Our approach uses a variation of Schoenmakers’ potential function, where we roughly fix \(\alpha = 2\) and leave \(\beta \) as a parameter for the optimisation phase (see Sect. 2 for more details). Despite this choice, our approach was able to derive bounds that match and improve the previous results, which came as a surprise to us. Looking back at our experiments and interpreting the obtained results, we recognise that we might have been in luck with the particular choice of the potential function (because we can obtain the previous results despite fixing \(\alpha = 2\)). However, we would not have expected that an automated analysis is able to match and improve all previously reported coefficients, which shows the power of the optimisation phase. Thus, we believe that our results suggest a new approach for the complexity analysis of data structures. So far, self-adjusting data structures had to be analysed manually. This is possibly due to the use of sophisticated potential functions, which may contain logarithmic expressions. Both features are challenging for automated reasoning. Our results suggest that the following alternative (see Sects. 2 and 4.2 for more details): (i) Fix a parameterised potential function; (ii) derive a (linear) constraint system over the function parameters from the AST of the program; (iii) capture the required non-linear reasoning in lemmata, and use Farkas’ lemma to integrate the application of these lemmata into the constraint system (in our case two lemmata, one about an arithmetic property and one about the monotonicity of the logarithm, were sufficient for all of our benchmarks); and finally (iv) find values for the parameters by an (optimising) constraint solver. We believe that our approach will carry over to other data structures: one needs to adapt the potential functions and add suitable lemmata, but the overall setup will be the same. We compare the proposed methodology to program synthesis by sketching [48], where the synthesis engineer communicates her main insights to the synthesis engine (in our case the potential functions plus suitable lemmata), and a constraint solver then fills in the details. As conclusion from our benchmarking, we observe that an automated analysis of sophisticated data structures are possible without the need to (i) resort to user guidance; (ii) forfeit optimal results; or (iii) be bogged down in computation times. These results also show how dependencies on properties of functional correctness of the code can be circumvented.
Advertisement
Related Work. To the best of our knowledge the here presented automated amortised analysis of self-adjusting data-structures is novel and unparalleled in the literature. However, there is a vast amount of literature on (automated) resource analysis. Without hope for a completeness, we briefly mention [1‐7, 9‐11, 14, 15, 17, 18, 20, 22‐25, 39, 44‐46, 52] for an overview of the field. Logarithmic and sublinear bounds are typically not in the focus of the cited approaches, but can be inferred by some tools. In the recurrence relations based approach to cost analysis [1] refinements of linear ranking functions are combined with criteria for divide-and-conquer patterns; this allows the tool PUBS to recognise logarithmic bounds for some problems, but examples such as mergesort or splaying are beyond the scope of this approach. Logarithmic and exponential terms are integrated into the synthesis of ranking functions in [8], making use of an insightful adaption of Farkas’ and Handelman’s lemmas. The approach is able to handle examples such as mergesort, but again not suitable to handle self-balancing data structures. A type based approach to cost analysis for an ML-like language is presented in [50], which uses the Master Theorem to handle divide-and-conquer-like recurrences. Recently, support for the Master Theorem was also integrated for the analysis of rewriting systems [51], extending [4] on the modular resource analysis of rewriting to so-called logically constrained rewriting systems [12]. The resulting approach also supports the fully automated analysis of mergesort.
Structure. In Sects. 2 and 3 we review the type system of [26, 27]. We sketch the challenges to automation in Sect. 4 and present our contributions in Sects. 5 and 6. Finally, we conclude in Sect. 7.
2 Step by Step to an Automated Analysis of Splaying
In this and the next section we sketch the theory developed by Hofmann et al. in [27], in order to be able to present the contributions of this article in Sect. 4 and 5. For brevity, we restrict our exposition to those parts essential in the analysis of a particular program code. As motivating example consider splay trees, introduced by Sleator and Tarjan [47, 49]. Splaying is the most important operation on splay trees, which performs rotation. Consider Fig. 1, a depiction of the zig-zig case of
, which implements splaying.
The analysis of [27] (see also [26]) is formulated in terms of the physicist’s method of amortised analysis in the style of Sleator and Tarjan [47, 49]. The central idea of this approach is to assign a potential to the data structures of interest such that the difference in potential before and after executing a function is sufficient to pay for the actual cost of the function, i.e. one chooses potential functions \(\phi ,\psi \) such that \(\phi (v) \geqslant c_f(v) + \psi (f(v))\) holds for all inputs v to a function f, where \(c_f(v)\) denotes the worst-case cost of executing function f on v. This generalises the original formulation, which can be seen by setting , where \(a_f(v)\) denotes the amortised cost of f.
In order to be able to analyse self-adjusting data structures such as splay trees, one needs potential functions that can express logarithmic amortised cost. Hofmann et al. [26, 27] propose to make use of a variant of Schoenmakers’ potential, \(\mathsf {rk}(t)\) for a tree t, cf. [37, 41, 42], defined inductively by
where l, r are the left resp. right child of the tree
, denotes the size of a tree (defined as the number of leaves of the tree), and d is some data element that is ignored by the potential function. Besides Schoenmakers’ potential, further basic potential functions need to be added to the analysis: For a sequence of m trees and coefficients \(a_i,b \in {\mathbb {N}}\), the potential function
denotes the logarithm of a linear combination of the sizes of the tree.
Fig. 1.
Zig-zig case of the
function.
×
Following [37], we set the cost
of splaying a tree t to be the number of recursive calls to
. Splaying and all operations that depend on splaying can be done in \(O(\log _2 n)\) amortised cost. Employing the above introduced potential functions, the analysis of [27] is able verify the following cost annotation for splaying (the annotation needs to be provided by the user):
(1)
From this result, one directly reads off as bound on the amortised cost of splaying.2
Based on earlier work [6, 20, 22‐25, 27, 28] employs a type-and-effect system that uses template potential functions, i.e. functions of a fixed shape with indeterminate coefficients. The key challenge is to identify templates that are suitable for logarithmic analysis and that are closed under the basic operations of the considered programming language. For example, one introduces the coefficients \(q_*,q_{(1,0)},q_{(0,2)},q'_*,q'_{(1,0)},q'_{(0,2)}\) and introduces the potential function templates
for the input and output of the splay function. The type system then derives constraints on the template function coefficients, as indicated in the sequel. We take up further discussion of the constraint system, in particular how to maintain a scalable analysis, in Sect. 4.
We explain the use of the type system on the motivating example. For brevity, type judgements and the type rules are presented in a simplified form. In particular, we restrict our attention to tree types, denoted as \(\mathsf {T}\). This omission is inessential to the actual complexity analysis. For the full set of rules see [27].
Let e denote the body of the function definition of
, depicted in Fig. 1. Our automated analysis infers an annotated type of splaying, by verifying that the type judgement
is derivable. As above, types are decorated with annotations and —employed to express the potential carried by the arguments to
and its results.
The soundness theorem of the type system (Theorem 1) expresses that if the above type judgement is derivable, then the total cost
of splaying is bound by the difference between and
, i.e.
. In particular, Eq. 1 can be derived in this way.
We now provide an intuition on the type-and-effect system, stepping through the code of Fig. 1. The corresponding type derivation tree is depicted in Fig. 2. We note that the tree contains further annotations \(Q_1,Q_2,Q_3,Q_4\) (besides the annotations Q and \(Q'\)) which again represent the unknown coefficients of potential function templates. The goal of the type-and-effect system is to provide constraints for each programming construct that connect the annotations in subsequent derivation steps, e.g. \(Q_2\) and \(Q_3\). The type-and-effect system operates syntax-directed and formulates one rule per programming languages construct. We now discuss some of these rules for the partial derivation for
.
Fig. 2.
Partial typing derivation for the motivating example
.
×
The outermost command of e is a
statement, for which the following rule is applied:
Here \(e_1\) denotes the subexpression of e, which constitutes the nested pattern match. Primarily, this is a standard type rule for pattern matching. The novelty are the constraints on the annotations Q, \(Q'\) and \(Q_1\). More precisely, \((\mathsf {{match}})\) induces the constraints
which can be directly read-off the definition of . Similarly, the nested
command, starting expression \(e'_1\), is subject to the same rule; the resulting constraints amount to
Besides the rules for programming language constructs, the type-and-effect system contains structural rules, which operate on the type annotations themselves. The weakening rule allows a suitable adaptation of the coefficients of the potential function \(\varPhi ({\varGamma } {\mid } {Q_2})\) to obtain a new potential function \(\varPhi ({\varGamma } {\mid } {Q_3})\), where we use the shorthand :
The difficulty in applying the weakening rule, consists in discharging the constraint:
Note, that the comparison is to be performed symbolically, that is, abstracted from the concrete value of the variables. We emphasise that this step can neither be avoided, nor easily moved to the axioms of the derivation, as in related approaches in the literature [19, 21‐23, 28, 31, 35]. We use Farkas’ Lemma in conjunction with two facts about the logarithm to linearise this symbolic comparison, namely the monotonicity of the logarithm and the fact that \(2 + \log _2(x) + \log _2(y) \leqslant 2\log _2(x+y)\) for all \(x,y \geqslant 1\). For example, for the facts and , we use Farkas’ Lemma to generate the constraints
for some coefficients \(f,g \geqslant 0\) introduced by Farkas’ Lemma. We note that Farkas’ Lemma can be interpreted as systematically exploring all positive-linear combinations of the considered mathematical facts. This can be seen on the above example: one can combine g times the first fact with f times the second fact.
Next, we apply the rule for the
expression. This rule is the most involved typing rule in the system proposed by Hofmann et al. [27].
Ignoring the annotations and in particular the second premise for a moment, the type rule specifies a standard typing for a
expression. We note that, as required by the rule, all variables in the type context \(\varGamma \) occur at most once in the let-expression. \(\varGamma \) can then be split into contexts and . Here,
and \(e_3\) denotes the last
statement in e. The let-rule facilitates a splitting of the potential \(Q_3\) for the evaluation of \(e_2\) and \(e_3\) according to the type contexts \(\varDelta \) and \(\varTheta \). Abusing notation, the distribution of potentials facilitated by the let-rule can be stated very roughly as two “equalities”, that is, (i) “\(Q_3 = Q + R + P\)” and (ii) “\(Q_4 = (Q'-1) + R' + P\)”. (i) states that the potential \(Q_3\) pays for evaluating the
expression \(e_2\) (with and without costs, requiring the potential Q and R) and leaves the remainder potential P. (ii) states that the potential \(Q_4\) is constituted of the remainder potential P and of the potentials left after evaluating \(e_2\) (with and without costs, i.e. potentials \(Q'-1\) and \(R'\)). E.g. \(Q_4\) is given by the following constraints
where the coefficients \(q^3\) stem from the remainder potential of \(Q_3\), the coefficient \(q'_*\) from \(Q'-1\) and \({r'}_{(1,0)}\) from \(R'\).
The most original part of this type rule is the second premise
. Here, \(\vdash ^{\text {cf}}\) denotes the same kind of typing judgement as used in the overall typing derivation, but where all costs are set to zero (hence, the superscript cost-free). Let us assume \(R=[{r}_{(1,0)}]\), \(R'=[{r'}_{(1,0)}]\), and that \(\mathsf {ATLAS}\) was able to establish that
(4)
establishing the coefficients \({r}_{(1,0)} = 1\) and \({r'}_{(1,0)} =1\). (We note that cost-free typing derivations as in Eq. (4) constitute a size analysis that relates the sizes of input and output). Then, \(\mathsf {ATLAS}\) infers from (4), taking advantage of the monotonicity of \(\log \), that
This inequality expresses that if the summand is included in the potential \(\varPhi ({\varGamma } {\mid } {Q_3})\), then the summand may be included in the potential \(\varPhi ({{cr}{:}\!{\mathsf {T}},{br}{:}\!{\mathsf {T}},{s}{:}\!{\mathsf {T}}} {\mid } {Q_4})\). (The two logarithmic terms correspond to the coefficients \(q^3_{(1,1,1,0)}\) and \(q^4_{(1,1,1,0)}\) marked in red above.) Thus, the cost-free derivation allows the potential R to pass from \(Q_3\), via \(R'\), to \(Q_4\). This is crucial for being able to pay for the evaluation of \(e_3\).
The let-rule has the three premises \({\varDelta } {\mid } {Q} \vdash {e_2}{:}\!{\mathsf {T}} {\mid } {Q'-1}\), \({\varDelta } {\mid } {R} \vdash ^{\text {cf}} {e_2}{:}\!{\mathsf {T}} {\mid } {R'}\) and \({\varTheta } {\mid } {Q_4} \vdash {e_3}{:}\!{\mathsf {T}} {\mid } {Q'}\). We focus here on the first premise and do not state the derivations for the other two premises (such derivations can be found in [27]). The judgement
can be derived by the rule for function application, which states a cost of 1 with regard to the type signature of
, represented by decrementing the potential induced by the annotation \(Q'\).
The rule for function application is an axiom, and closes this branch of the typing derivation. This concludes the presentation of the partial type inference given in Fig. 2. Similarly to the above example of
, estimates for the amortised costs of insertion and deletion on splay trees can be automatically inferred by our tool \(\mathsf {ATLAS}\). Further, our analysis handles similar self-adjusting data structures like pairing heaps and splay heaps (see Sect. 6.1).
×
×
×
×
×
×
×
×
3 Technical Foundation
In this short section, we provide a more detailed account of the formal system underlying our tool \(\mathsf {ATLAS}\). We state the soundness of the system in Theorem 1.
A typing context is a mapping from variables \(\mathcal {V}\) to types; denoted by upper-case Greek letters. A program \(\mathsf {P}\) is a set of typed function definitions of the form , where the \(x_i\) are variables and e an expression. A substitution (or an environment) \(\sigma \) is a mapping from variables to values that respects types. Substitutions are denoted as sets of assignments: . We employ a simple cost-sensitive big-step semantics based on eager evaluation, dressed up with cost assertions. The judgement means that under environment \(\sigma \), expression e is evaluated to value v in exactly \(\ell \) steps. Here only rule applications emit (unit) costs. For brevity, the formal definition of the semantics is omitted but can be found in [27].
In Sect. 2, we introduced a variant of Schoenmakers’ potential function, denoted as \(\mathsf {rk}(t)\), and the additional potential functions , denoting the \(\log _2\) of a linear combination of tree sizes. \(\log _2\) denotes the logarithm to the base 2; throughout the paper we stipulate \(\log _2(0) := 0\) in order to avoid case distinctions. Note that the constant function 1 is representable: . We are now ready to state the resource annotation of a sequence of trees:
Definition 1
A resource annotation or simple annotation of length m is a sequence , vanishing almost everywhere. Let be a sequence of trees. Then, the potential of wrt. Q is given by
In case of an annotation of length 1, we sometimes write \(q_*\) instead of \(q_1\), as we already did above.
Example 1
Let t be a tree, then its potential could be defined as follows: . Wrt. the above definition this potential becomes representable by setting . Thus, .
\(\square \)
Let \(\sigma \) be a substitution, let \(\varGamma \) denote a typing context and let denote all tree types in \(\varGamma \). A resource annotation for\(\varGamma \) or simply annotation is an annotation for the sequence of trees . We define the potential of the annotated context \(\varGamma {\mid } Q\) wrt. a substitution \(\sigma \) as .
Definition 2
An annotated signature\(\mathcal {F}\) maps functions f to sets of pairs of the annotation type for the arguments and the annotation type of the result:
We suppose f takes n arguments of which m are trees; \(m \leqslant n\) by definition.
Instead of , we sometimes succinctly write . The cost-free signature, denoted as \(\mathcal {F}^{\text {cf}}\), is similarly defined.
Example 2
Consider the function
from above. Its signature is formally represented as \({\mathsf {B}\times \mathsf {T}} {\mid } {Q} \rightarrow {\mathsf {T}} {\mid } {Q'}\), where and . We leave it to the reader to specify the coefficients in Q, \(Q'\) so that the rule \((\mathsf {{app}})\) as depicted in Sect. 2 can indeed by employed to type the recursive call of
.
Let \(Q = [q_*] \cup [(q_{(a,b)})_{a,b \in {\mathbb {N}}}]\) be an annotation such that \(q_{(a,b)} > 0\). Then is defined as follows: \(Q' = [q_*] \cup [(q'_{(a,b)})_{a,b \in {\mathbb {N}}}]\), where and for all \((a,b) \not = (0,2)\). By definition the annotation coefficient \(q_{(0,2)}\) is the coefficient of the basic potential function , so the annotation \(Q-1\), decrements cost 1 from the potential induced by Q.
Type-and-Effect System. The typing system makes use of a cost-free semantics, which does not attribute any costs to the calculation. I.e. the rule \((\mathsf {{app}})\) (Sect. 2) is changed so that no cost is emitted. The cost-free application rule is denoted as \((\mathsf {{app:cf}})\). The cost-free typing judgement is written as \({\varGamma } {\mid } {Q} \vdash ^{\text {cf}} {e}{:}\!{\alpha } {\mid } {Q'}\). The judgement \({\varGamma } {\mid } {Q} \vdash {e}{:}\!{\alpha } {\mid } {Q'}\) is governed by a plethora of typing rules. We have illustrated several typing rules in Sect. 2 (the complete set of typing rules can be found in [27]).
A program \(\mathsf {P}\) is called well-typed if for any rule and any annotated signature , we have \({{x_1}{:}\!{\alpha _1},\dots ,{x_k}{:}\!{\alpha _k}} {\mid } {Q} \vdash {e}{:}\!{\beta } {\mid } {Q'}\). A program \(\mathsf {P}\) is called cost-free well-typed, if the cost-free typing relation is employed.
Hofmann et al. establish the following soundness result:3
Theorem 1 (Soundness Theorem)
Let \(\mathsf {P}\) be well-typed and let \(\sigma \) be an environment. Suppose \({\varGamma } {\mid } {Q} \vdash {e}{:}\!{\alpha } {\mid } {Q'}\) and . Then \(\varPhi ({\sigma };{\varGamma } {\mid } {Q}) - \varPhi ({v} {\mid } {Q'}) \geqslant \ell \). Further, if \({\varGamma } {\mid } {Q} \vdash ^{\text {cf}} {e}{:}\!{\alpha } {\mid } {Q'}\), then \(\varPhi ({\sigma };{\varGamma } {\mid } {Q}) \geqslant \varPhi ({v} {\mid } {Q'})\).
4 The Road to Automation, Continued
The above sketched type-and-effect system, originally proposed in [27], is only a first step towards full automation. Several challenges need to be overcome, which we detail in this section.
4.1 Type Checking
Comparison between logarithmic expressions, constitutes a first major challenge, as such a comparison cannot be directly encoded as a linear constraint problem. To achieve such linearisation, [27] makes use of the following: (i) a subtly and surprisingly effective variant of Schoenmakers potential (see Sect. 2); (ii) mathematical facts about the logarithm function—like Lemma 1 below—referred to as expert knowledge; and finally (iii) Farkas’ Lemma for turning the universally-quantified premise of the weakening rule into an existentially-quantified statement that can be added to the constraint system—see Lemma 2.
A simple mathematical fact that is employed by Hofmann et al.— following earlier pen-and-paper proofs in the literature [37, 38, 41]—states as follows:
Lemma 1
Let \(x, y \geqslant 1\). Then \(2 + \log _2(x) + \log _2(y) \leqslant 2\log _2(x+y)\).
We remark that our automated analysis shows that this lemma is not only crucial in the analysis of splaying, but also for the other data structures we have investigated. Further, Hofmann et al. state and prove the following variant of Farkas’ Lemma, which lies at the heart of an effective transformation of comparison demands like (3) into a linear constraint problem. Note that \(\vec {u}\) and \(\vec {f}\) denote column vectors of suitable length.
Lemma 2 (Farkas’ Lemma)
Suppose \(A\vec {x} \leqslant \vec {b}, \vec {x} \geqslant 0 \) is solvable. Then the following assertions are equivalent. (i) \(\forall \vec {x} \geqslant 0. \ A\vec {x} \leqslant \vec {b} \Rightarrow \vec {u}^T\vec {x} \leqslant \lambda \) and (ii) \(\exists \vec {f} \geqslant 0. \ \vec {u}^T \leqslant \vec {f}^T A \wedge \vec {f}^T \vec {b} \leqslant \lambda \).
The lemma allows the assumption of expert knowledge through the assumption \(A\vec {x} \leqslant \vec {b}\) for all \(\vec {x} \geqslant 0\). E.g., thus formalised expert knowledge is a clear point of departure for additional information. E.g. Hofmann et al. [27] propose the following potential extensions: (i) additional mathematical facts on the \(\log \) function; (ii) a dedicated size analysis; (iii) incorporation of basic static analysis techniques. The incorporation of Farkas’ Lemma with suitable expert knowledge is already essential for type checking, whenever the symbolic weakening rule (3) needs to be discharged.
\(\mathsf {ATLAS}\) incorporates two facts into the expert knowledge: Lemma 2 and the monotonicity of the logarithm (see Sect. 5). We found these two facts to be sufficient for handling our benchmarks, i.e. expert knowledge of form (ii) and (iii) was not needed. (We note though that we have experimented with adding a dedicated size analysis (ii), which interestingly increased the solver performance, despite generating a large constraint system).
We indicate how \(\mathsf {ATLAS}\) may be used to solve the constraints generated for the example in Sect. 2. We recall the crucial application of the weakening step between annotations \(Q_2\) and \(Q_3\). This weakening step can be automatically discharged using the monotonicity of logs and Lemma 1. (More precisely, \(\mathsf {ATLAS}\) employs the mode w{mono l2xy} see, Sect. 5.) For example, \(\mathsf {ATLAS}\) is able to verify the validity of the following concrete constants:
We extend the type-and-effect system of [27] from type checking to type inference. Further, we automate the application of structural rules like sharing or weakening, which have so far required user guidance.
The two central contributions of this paper, as delineated in the introduction, are based on significant improvement over the state-of-the-art as described above. Concretely, they came about by a novel (i) optimisation layer; (ii) a careful control of the structural rules; (iii) the generalisation of user-defined proof tactics into an overall strategy of type inference; and (iv) provision of an automated amortised analysis in the sense of Sleator and Tarjan. In the sequel of the section, we will discuss these stepping stones towards full automation in more details.
Optimisation Layer. We add an optimisation layer to the set-up, in order to support type inference. This allows for the inference of (optimal) type annotations based on user-defined type annotations. For example, assume the user-provided type annotation
can in principle be checked automatically. Then—instead of checking this annotation—\(\mathsf {ATLAS}\) automatically optimises the signature, by minimising the deduced coefficients. (In Sect. 5 we discuss how this optimisation step is performed.) That is, \(\mathsf {ATLAS}\) reports the following annotation
which yields the optimal amortised cost of splaying of . Optimality here means that no better bound has been obtained by earlier pen-and-paper verification methods (compare the discussion in Sect. 1).
Structural Rules. We observed that an unchecked application of the structural rules, that is of the sharing and the weakening rule, quickly leads to an explosion of the size of the constraint system and thus to de-facto unsolvable problems. To wit, an earlier version of our implementation ran continuously for 24/7 without being able to infer a type for the complete definition of the function
.4
The type-and-effect system proposed by Hofmann et al. is in principle linear, that is, variables occur at most once in the function body. For example, this is employed in the definition of the let-rule, cf. Sect. 2. However, a sharing rule is admissible, that allows to treat multiple occurrences of variables. Occurrences of non-linear variables are suitably renamed apart and the carried potential is shared among the variants. (See [27] for the details.) The number of variables strongly influences the size of the constraint problem. Hence, eager application of the sharing rule proved infeasible. Instead, we restricted its application to individual program traces. For the considered benchmark examples, this removed the need for sharing altogether.
With respect to weakening, a careful application of the weakening rule proved necessary for performance reasons: First, we apply weakening only selectively. Second, when applying weakening, we employ different levels of granularity. We may only perform a simple coefficient comparison, or we may apply monotonicity or Lemma 1 or both in conjunction with Farkas’ Lemma. We give the details in Sect. 5.
Fig. 3.
Tactic that matches the zig-zig case of
as shown in Fig. 1.
×
Proof Tactics. Hofmann et al. [27] already propose user-defined proof plans, so-called tactics, to improve the effectivity of type checking. In combination with our optimisation framework, tactics allow to significantly improve type annotations. To wit, \(\mathsf {ATLAS}\) can be invoked with user-defined resource annotations for the function
, representing its “standard” amortised complexity (e.g. copied from Okasaki’s book [38]) and an easily definable tactic, cf. Fig. 3. Then, \(\mathsf {ATLAS}\) automatically derives the optimal bound reported above. Still, for full-automation tactics are clearly not sufficient. In order to obtain type inference in general, we developed a generalisation of all the tactics that proved useful on our benchmark and incorporated this proof search strategy into the type inference algorithm. Using this, the aforementioned (unsuccessful) week-long quest for a type inference of splaying can now be successfully answered (in an optimal form) in mere minutes.
We’d like to argue that \(\mathsf {ATLAS}\) proof search strategy for full automation is free of bias towards the provided complexity analysis. As detailed in Sect. 5, the heuristics incorporates common design principles of the data structures analysed. Thus, we exploit recurring patterns in the input (destructuring of input trees, handling base/recursive cases, rotations) not in the solution. The situation is similar to the choice of the potential functions, which we expect to generalise to other data structures. Similarly, we expect generalisability of the current proof search strategy.
Automated Amortised Analysis. In Sect. 2, we provided a high-level introduction into the potential method and remarked that Sleator and Tarjan’s original formulation is re-obtained, if the corresponding potential functions are defined such that , see page 5. We now discuss how we can extract amortised complexities in the sense of Sleator and Tarjan from our approach. Suppose, we are interested in an amortised analysis of splay heaps. Then, it suffices to equate the right-hand sides of the annotated signatures of the splay heap functions. That is, we set
,
and
for some unknown resource annotations \(Q_1,Q_2,Q_3,Q'\). Note that we use the same annotation \(Q'\) for all signatures. We can then obtain a potential function from the annotation \(Q'\) in the sense of Sleator and Tarjan and deduce \(Q_i - Q'\) as an upper bound on the amortised complexity of the respective function. In Sect. 5, we discuss how to automatically optimise \(Q_i - Q'\) in order to minimise the amortised complexity bound. This automated minimisation is the second major contribution of our work. Our results suggest a new approach for the complexity analysis of data structures. On the one hand, we obtain novel insights into the automated worst-case runtime complexity analysis of involved programs. On the other hand, we provide a proof-of-concept of a computer-aided analysis of amortised complexities of data-structures that so far have only been analysed manually.
×
5 Implementation
In this section, we present our tool \(\mathsf {ATLAS}\), which implements type inference for the type system presented in Sects. 2 and 3. \(\mathsf {ATLAS}\) operates in three phases:
1.)
Preprocessing, \(\mathsf {ATLAS}\) parses and normalises the input program;
2.)
Generation of the Constraint System, \(\mathsf {ATLAS}\) extracts constraints from the normalised program according to the typing rules (as sketched in Sect. 2);
3.)
Solving, the derived constraint system is handed to an optimising constraint solver and the solver output is converted into a type annotation.
In terms of overall resource requirements, the bottleneck of the system is phase three. Preprocessing is both simple and fast. While the code implementing constraint generation might be complex, its execution is fast. All of the underlying complexity is shifted into the third phase. On modern machines with multiple gibibytes of main memory, \(\mathsf {ATLAS}\) is constrained by the CPU, and not by the available memory. In the remainder of this section, we first detail these phases of \(\mathsf {ATLAS}\). We then go into more details of the second phase. Finally, we elaborate the optimisation function which is the key enabler of type inference.
5.1 The Three Phases of \(\mathsf {ATLAS}\)
1.) Preprocessing. The parser used in the first phase is generated with ANTLR5 and transformation of the syntax is implemented in Java. The preprocessing performs two tasks: (i) Transformation of the input program into let-normal-form, which is the form of program input required by our type system. (ii) The unsharing conversion creates explicit copies for variables that are used multiple times. Making multiple uses of a variables explicit is required by the let-rule of the type system.
In order to satisfy the requirement of the let-rule, it is actually sufficient to track variable usage on the level of program paths. It turns out that in our benchmarks variables are only used multiple times in different branches of an if-statement, for which no unsharing conversion is needed. Hence, we do not discuss the unsharing conversion further in this paper and refer the interested reader to [27] for more details.
Let-Normal-Form Conversion. The let-normal-form conversion is performed recursively and rewrites composed expressions into simple expressions, where each operator is only applied to a variable or a constant. This conversion is achieved by introducing additional let-constructs. We exemplify let-normal-form conversion on a code snippet in Fig. 4.
Fig. 4.
Preprocessing: let normal forms.
×
2.) Generation of the Constraint System. After preprocessing, we apply the typing rules. Importantly, the application of all typing rules, except for the weakening rule, which we discuss in further detail below, is syntax-directed: This means that each node of the AST of the input program dictates which typing rule is to be applied. The weakening rule could in principle be applied at each AST node, giving the constraint solver more freedom to find a solution. This degree of freedom needs to be controlled by the tool designer. In addition, recall that the suggested implementation of the weakening rule (see Sect. 4.1) is to be parameterised by the expert knowledge, fed into the weakening rule. In our experiments we noticed that the weakening rule has to be applied sparingly in order to avoid an explosion of the resulting constraint system.
We summarise the degrees of freedom available to the tool designer, which can be specified as parameters to \(\mathsf {ATLAS}\) on source level. 1.) The selected template potential functions, i.e. the family of indices \(\vec {a}, b\) for which coefficients \(q_{(\vec {a}, b)}\) are generated (we assume not explicitly generated are set to zero). 2.) The number of annotated signatures (with costs and without costs) for each function. 3.) The policy for applying the (parameterised) weakening rule.
We detail our choices for instantiating the above degrees of freedom in Sect. 5.2.
3.) Solving. For solving the generated constraint system, we rely on the Z3 SMT solver. We employ Z3’s Java bindings, load Z3 as a shared library, and exchange constraints for solutions. \(\mathsf {ATLAS}\) forwards user-supplied configuration to Z3, which allows for flexible tuning of solver parameters. We also record Z3’s statistics, most importantly memory usage. During the implementation of \(\mathsf {ATLAS}\), Z3’s feature to extract unsatisfiable cores has proven valuable. It supplied us with many counterexamples, often directly pinpointing bugs in our implementation. The tool exports constraint systems in SMT-LIB format to the file system. This way, solutions could be cross-checked by re-computing them with other SMT solvers that support minimisation, such as OptiMathSAT [43].
5.2 Details on the Generation of the Constraint System
We now discuss our choices for the aforementioned degrees of freedom.
Potential Function Templates. Following [27], we create for each node in the AST of the considered input program, where n variables of tree-type are currently in context, the coefficients \(q_1, \ldots , q_n\) for the rank functions and the coefficients \(q_{(\vec {a}, b)}\) for the logarithmic terms, where \(\vec {a} \in \{0, 1\}^n\) and \(b \in \{0, 2\}\). This choice turned out to be sufficient in our experiments.
Number of Function Signatures. We fix the number of annotations for each function \(f : \alpha _1 \times \cdots \times \alpha _n | Q \rightarrow \beta | Q'\) to one regular and one cost-free signature. This was sufficient for our experiments.
Fig. 5.
Monotonicity Lattice for \(|Q| = 2\).
×
Weakening. We need to discharge symbolic comparisons of form \(\varPhi ({\varGamma } {\mid } {P}) \leqslant \varPhi ({\varGamma } {\mid } {Q})\). As indicated in Sect. 4, we employ Farkas’ Lemma to derive constraints for the weakening rule. For context \(\varGamma = t_1, \ldots , t_n\), we introduce variables \(x_{(\vec {a}, b)}\) where \(\vec {a} \in \{0, 1\}^n, b \in \{0, 2\}\), which represent the potential functions . Next, we explain how the monotonicity of \(\log _2\) and Lemma 1 can be used to derive inequalities on the variables \(x_{(\vec {a}, b)}\), which can then be used to instantiate matrix A in Farkas’ Lemma as stated in Sect. 4.
Monotonicity. We observe that if \(a_1 \leqslant a'_1, \ldots , a_n \leqslant a'_n\) and \(b \leqslant b'\). This allows us to obtain the lattice shown in Fig. 5. A path from \(x_{(\vec {a}', b')}\) to \(x_{(\vec {a}, b)}\) signifies \(x_{(\vec {a}, b)} \leqslant x_{(\vec {a}', b')}\) resp. \(x_{(\vec {a}, b)} - x_{(\vec {a}', b')} \leqslant 0\), represented by a row with coefficients 1 and \(-1\) in the corresponding columns of matrix A.
Mathematical Facts, Like Lemma1. For an annotated context of length 2, Lemma 1 can be stated by the inequality \(2 x_{(0, 0, 2)} + x_{(0, 1, 0)} + x_{(1, 0, 0)} - 2 x_{(1, 1, 0)} \leqslant 0\); we add a corresponding row with coefficients \(2, 1, 1, -2\) to the matrix A. Likewise, for contexts of length \(>2\), we add, for each subset of 2 variables, a row with coefficients \(2, 1, 1, -2\), setting the coefficients of all other variables to 0.
Sparse Expert Knowledge Matrix. We observe for both kinds of constraints that matrix A is sparse. We exploit this in our implementation and only store non-zero coefficients.
Parametrisation of Weakening. Each applications of the weakening rule is parameterised by the matrix A. In our tool, we instantiate A with either the constraints for (i) monotonicity, shortly referenced as w{mono}; (ii) Lemma 1 (w{l2xy}); (iii) both (w{mono l2xy}); or (iv) none of the constraints (w).
In the last case, Farkas’ Lemma is not needed because weakening defaults to point-wise comparison of the coefficients \(p_{(\vec {a}, b)}\), which can be implemented more directly. Each time we apply weakening, we need to choose how to instantiate matrix A. Our experiments demonstrate that we need to apply monotonicity and Lemma 1 sparingly in order to avoid blowing up the constraint system.
Tactics and Automation.\(\mathsf {ATLAS}\) supports manually applying the weakening rule—for this the user has to provide a tactic—and a fully-automated mode.
Naive Automation. Our first attempt to automation applied the weakening rule everywhere instantiated with the full amount of available expert knowledge. This approach did not scale.
Manual Mode via Tactics. A tactic is given as a text file that contains a tree of rule names corresponding to the AST nodes of the input program, into which the user can insert applications of the weakening rule, parameterised by the expert knowledge which should be applied. A simple tactic is depicted in Fig. 3. Tactics are distributed with \(\mathsf {ATLAS}\), see [32]. The user can name sub-trees for reference in the result of the analysis and include ML-style comments in the tactics text. We provide two special commands that allow the user to directly deal with a whole branch of the input program: The question mark (?) allows partial proofs; no constraints will be created for the part of the program thus marked. The underscore (_) switches to the naive automation of \(\mathsf {ATLAS}\) and will apply the weakening rule with full expert knowledge everywhere. Both, ? and _, were invaluable when developing and debugging the automated mode. We note that the manual mode still achieves solving times that are by a magnitude faster than the automated mode, which may be of interest to a user willing to hand-optimise solving times.
Automated Mode. For automation, we extracted common patterns from the tactics we developed manually: Weakening with mode w{mono} is applied before \((\mathsf {{var}})\) and \((\mathsf {{leaf}})\), w{mono l2xy} is applied only before \((\mathsf {{app}})\). (We recall that the full set of rules employed by our analysis can be found in [27].) Further, for AST subtrees that construct trees, i.e. which only consist of \((\mathsf {{node}})\), \((\mathsf {{var}})\) and \((\mathsf {{leaf}})\) rule applications, we apply w{mono} for each inner node, and w{l2xy} for each outermost node. For all other cases, no weakening is applied. This approach is sufficient to cover all benchmarks, with further improvements possible.
5.3 Optimisation
Given an annotated function , we want to find values for the coefficients of the resource annotations Q and \(Q'\) that minimise \(\varPhi ({\varGamma } {\mid } {Q}) \ - \ \varPhi ({\varGamma } {\mid } {Q'})\), since this difference is an upper bound on the amortised cost of f, cf. Sect. 4.2. However, as with weakening, we cannot directly express such a minimisation, and again resort to linearisation: We choose an optimisation function that directly maps from Q and \(Q'\) to \(\mathbb {Q}\). Our optimisation function combines four measures, three of which involve a difference between coefficients of Q and \(Q'\), and a fourth one that only involves coefficients from Q in order to minimise the absolute values of the discovered coefficients. We first present these measures for the special case of \(|Q| = 1\).
The first measure reflects our goal of preserving the coefficient for \(\mathsf {rk}\); note that for \(d_{1}(Q,Q') \ne 0\), the resulting complexity bound would be super-logarithmic. The second measure reflects the goal of achieving logarithmic bounds that are as small as possible. Weights are defined to penalise more complex terms, and to exclude constants. (Recall that 1 is representable as \(\log _2(0+2)\).) We set
The third measure reflects the goal of minimising constant cost. Lastly, we set in order to obtain small absolute numbers. The last measure does not influence bounds on the amortised cost, but leads to more beautiful solutions. These measures are then composed to the linear objective function \(\min \sum _{i = 1}^4 d_i(Q,Q') \cdot w_i\). In our implementation, we set \(w_i = [ 16127, 997, 97, 2 ]\); these weights are chosen (almost) arbitrary, we only noticed that \(w_1\) must be sufficiently large to guarantee its priority. (We note that these weights were sufficient for our experiments; we refer to the literature for more principled ways of choosing the weights of an aggregated cost function [34].)
Multiple Arguments. For \(|Q| > 1\), we set and . The required changes for \(d_3\) and \(d_4\) are straight-forward. In our benchmarks, there is only one function (
of pairing heaps) that requires this minimisation function.
6 Evaluation
We first describe the benchmark functions employed to evaluate \(\mathsf {ATLAS}\) and then detail this experimental evaluation, already depicted in Table 1.
6.1 Automated Analysis of Splaying et al.
Splay Trees. Introduced by Sleator and Tarjan [47, 49], splay trees are self-adjusting binary search trees with strictly increasing in-order traversal, but without an explicit balancing condition. Based on splaying, searching is performed by splaying with the sought element and comparing to the root of the result. Similarly, insertion and deletion are based on splaying. Above we used the zig-zig case of splaying, depicted in Fig. 1 as motivating code example. While the pen-and-paper analysis of this case is the most involved, type inference for this case alone did not directly yield the desired automation of the complete definition. Rather, full automation required substantial implementation effort, as detailed in Sect. 5. As already emphasised, it came as a surprise to us that our tool \(\mathsf {ATLAS}\) is able match up and partly improve upon the sophisticated optimisations performed by Schoenmakers [41, 42]. This seems to be evidence of the versatility of the employed potential functions. Further, we leverage the sophistication of our optimisation layer in conjunction with the current power of state-of-the-art constraint solvers, like Z3 [36].
Table 2.
Experimental results
Splay Heaps. To overcome deficiencies of splay trees when implemented functionally, Okasaki introduced splay heaps. Splay heaps are defined similarly to splay trees and their (manual) amortised cost analysis follows similar patterns as the one for splay trees. Due to the similarity in the definitions between splay heaps and splay trees, extension of our experimental results in this direction did not pose any problems. Notably, however, \(\mathsf {ATLAS}\) improves the known complexity bounds on the amortised complexity for the functions studied. We also remark that typical assumptions made in pen-and-paper proofs are automatically discharged by our approach: Schoenmakers [41, 42] as well as Nipkow and Brinkop [37] make use of the (obvious) fact that the size of the resulting tree \(t'\) or heap \(h'\) equals the size of the input. As discussed, this information is captured by a cost-free derivation, cf. Sect. 2.
Pairing Heaps. These are another implementation of heaps, which are represented as binary trees, subject to the invariant that they are either
, or the right child is
, respectively. The left child is conceivable as list of pairing heaps. Schoenmakers and Nipkow et al. provide a (semi-)manual analysis of pairing heaps, that \(\mathsf {ATLAS}\) can verify or even improve fully-automatically. We note that we analyse a single function
, whereas [37] breaks down the analysis and studies two functions
and
with
. All definitions can be found at [33].
6.2 Experimental Results
Our main results have already been stated in Table 1 of Sect. 1. Table 2a compares the differences between the “naive automation” and our actual automation (“automated mode”), see Sect. 5. Within the latter, we distinguish between a “selective” and a “full” mode. The “selective” mode is as described on page 18. The “full” mode employs weakening for the same rule applications as the “selective” mode, but always with option w{mono l2xy}. The same applies to the “full” manual mode. The naive automation does not support selection of expert knowledge. Thus the “selective” option is not available, denoted as “n/a”. Timeouts are denoted by “t/o”. As depicted in the table, the naive automation does not terminate within 24 h for the core operations of the three considered data structures, whereas the improved automated mode produces optimised results within minutes. In Table 2b, we compare the (improved) automated mode with the manual mode, and report on the sizes of the resulting constraint system and on the resources required to produce the same results. Observe that even though our automated mode achieves reasonable solving times, there is still a significant gap between the manually crafted tactics and the automated mode, which invites future work.
7 Conclusion
In this paper we have for the first time been able to automatically conduct an amortised analysis for self-adjusting data structures. Our analysis is based on the “sum of logarithms” potential function and we have been able to automate reasoning about these potential functions by using Farkas’ Lemma for the linear part of the calculations and adding necessary facts about the logarithm. Immediate future work is concerned with replacing the “sum of logarithms” potential function in order to analyse skew heaps and Fibonacci heaps [42]. In particular, the potential function for skew heaps, which counts “right heavy” nodes, is interesting, because it is also used as a building block by Iacono in his improved analysis of pairing heaps [29, 30]. Further, we envision to extend our analysis to related probabilistic settings such as priority queues [13] and skip lists [40].
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Nipkow et al. [37] state “The proofs in this subsection require highly nonlinear arithmetic. Only some of the polynomial inequalities can be automated with Harrison’s sum-of-squares method [16]”.
Note that soundness assumes a terminating execution of \(\mathsf {P}\). We point out that our analysis does not guarantee the termination of \(\mathsf {P}\) for all environments \(\sigma \).
; while we leave an automated analysis based on Iacono’s potential function for future work, we note that his coefficients k in the logarithmic terms are large, and that therefore the small coefficients in Table 1 are still of interest. We will detail below that we used a simpler potential function than [37, 41, 42] to obtain our results. Hence, also the new proofs of the confirmed complexity bounds can be considered a contribution.
and
, for real-valued parameters \(\alpha ,\beta > 0\). Carrying out a sophisticated optimisation with pen and paper, he concluded that the best bounds are obtained by setting \(\alpha = \root 3 \of {4}\) and \(\beta = \frac{1}{3}\) for splay trees, and by setting \(\alpha = \sqrt{2}\) and \(\beta = \frac{1}{2}\) for pairing heaps (splay heaps were proposed only some years later by Okasaki in [38]). Brinkop and Nipkow verify his complexity results for splay trees in the theorem prover Isabelle [37]. They note that manipulating the expressions corresponding to
could only partly be automated1. For splay heaps, there is to the best of our knowledge no previous attempt to optimise the obtained complexity bounds, which might explain why our optimising analysis was able to improve all bounds. For pairing heaps, Brinkop and Nipkow did not use the optimal parameters reported by Schoenmakers—probably in order to avoid reasoning about polynomial inequalities—, which explains the worse complexity bounds. In contrast to the discussed approaches, we were able to verify and improve the previous results fully automatically. Our approach uses a variation of Schoenmakers’ potential function, where we roughly fix \(\alpha = 2\) and leave \(\beta \) as a parameter for the optimisation phase (see Sect. 2 for more details). Despite this choice, our approach was able to derive bounds that match and improve the previous results, which came as a surprise to us. Looking back at our experiments and interpreting the obtained results, we recognise that we might have been in luck with the particular choice of the potential function (because we can obtain the previous results despite fixing \(\alpha = 2\)). However, we would not have expected that an automated analysis is able to match and improve all previously reported coefficients, which shows the power of the optimisation phase. Thus, we believe that our results suggest a new approach for the complexity analysis of data structures. So far, self-adjusting data structures had to be analysed manually. This is possibly due to the use of sophisticated potential functions, which may contain logarithmic expressions. Both features are challenging for automated reasoning. Our results suggest that the following alternative (see Sects. 2 and 4.2 for more details): (i) Fix a parameterised potential function; (ii) derive a (linear) constraint system over the function parameters from the AST of the program; (iii) capture the required non-linear reasoning in lemmata, and use Farkas’ lemma to integrate the application of these lemmata into the constraint system (in our case two lemmata, one about an arithmetic property and one about the monotonicity of the logarithm, were sufficient for all of our benchmarks); and finally (iv) find values for the parameters by an (optimising) constraint solver. We believe that our approach will carry over to other data structures: one needs to adapt the potential functions and add suitable lemmata, but the overall setup will be the same. We compare the proposed methodology to program synthesis by sketching [48], where the synthesis engineer communicates her main insights to the synthesis engine (in our case the potential functions plus suitable lemmata), and a constraint solver then fills in the details. As conclusion from our benchmarking, we observe that an automated analysis of sophisticated data structures are possible without the need to (i) resort to user guidance; (ii) forfeit optimal results; or (iii) be bogged down in computation times. These results also show how dependencies on properties of functional correctness of the code can be circumvented.
, which implements splaying.
, where \(a_f(v)\) denotes the amortised cost of f.
,
denotes the size of a tree (defined as the number of leaves of the tree), and d is some data element that is ignored by the potential function. Besides Schoenmakers’ potential, further basic potential functions need to be added to the analysis: For a sequence of m trees
and coefficients \(a_i,b \in {\mathbb {N}}\), the potential function
denotes the logarithm of a linear combination of the sizes of the tree.
function.
of splaying a tree t to be the number of recursive calls to
. Splaying and all operations that depend on splaying can be done in \(O(\log _2 n)\) amortised cost. Employing the above introduced potential functions, the analysis of [27] is able verify the following cost annotation for splaying (the annotation needs to be provided by the user):
From this result, one directly reads off
as bound on the amortised cost of splaying.2
, depicted in Fig. 1. Our automated analysis infers an annotated type of splaying, by verifying that the type judgementis derivable. As above, types are decorated with annotations
and
—employed to express the potential carried by the arguments to
and its results.
of splaying is bound by the difference between
and
, i.e.
. In particular, Eq. 1 can be derived in this way.
.
.
statement, for which the following rule is applied:
. Similarly, the nested
command, starting expression \(e'_1\), is subject to the same rule; the resulting constraints amount toBesides the rules for programming language constructs, the type-and-effect system contains structural rules, which operate on the type annotations themselves. The weakening rule allows a suitable adaptation of the coefficients of the potential function \(\varPhi ({\varGamma } {\mid } {Q_2})\) to obtain a new potential function \(\varPhi ({\varGamma } {\mid } {Q_3})\), where we use the shorthand
:
and
, we use Farkas’ Lemma to generate the constraints
expression. This rule is the most involved typing rule in the system proposed by Hofmann et al. [27].
expression. We note that, as required by the rule, all variables in the type context \(\varGamma \) occur at most once in the let-expression. \(\varGamma \) can then be split into contexts
and
. Here,
and \(e_3\) denotes the last
statement in e. The let-rule facilitates a splitting of the potential \(Q_3\) for the evaluation of \(e_2\) and \(e_3\) according to the type contexts \(\varDelta \) and \(\varTheta \). Abusing notation, the distribution of potentials facilitated by the let-rule can be stated very roughly as two “equalities”, that is, (i) “\(Q_3 = Q + R + P\)” and (ii) “\(Q_4 = (Q'-1) + R' + P\)”. (i) states that the potential \(Q_3\) pays for evaluating the
expression \(e_2\) (with and without costs, requiring the potential Q and R) and leaves the remainder potential P. (ii) states that the potential \(Q_4\) is constituted of the remainder potential P and of the potentials left after evaluating \(e_2\) (with and without costs, i.e. potentials \(Q'-1\) and \(R'\)). E.g. \(Q_4\) is given by the following constraints
. Here, \(\vdash ^{\text {cf}}\) denotes the same kind of typing judgement as used in the overall typing derivation, but where all costs are set to zero (hence, the superscript cost-free). Let us assume \(R=[{r}_{(1,0)}]\), \(R'=[{r'}_{(1,0)}]\), and that \(\mathsf {ATLAS}\) was able to establish that
establishing the coefficients \({r}_{(1,0)} = 1\) and \({r'}_{(1,0)} =1\). (We note that cost-free typing derivations as in Eq. (4) constitute a size analysis that relates the sizes of input and output). Then, \(\mathsf {ATLAS}\) infers from (4), taking advantage of the monotonicity of \(\log \), that
This inequality expresses that if the summand
is included in the potential \(\varPhi ({\varGamma } {\mid } {Q_3})\), then the summand
may be included in the potential \(\varPhi ({{cr}{:}\!{\mathsf {T}},{br}{:}\!{\mathsf {T}},{s}{:}\!{\mathsf {T}}} {\mid } {Q_4})\). (The two logarithmic terms correspond to the coefficients \(q^3_{(1,1,1,0)}\) and \(q^4_{(1,1,1,0)}\) marked in red above.) Thus, the cost-free derivation allows the potential R to pass from \(Q_3\), via \(R'\), to \(Q_4\). This is crucial for being able to pay for the evaluation of \(e_3\).
can be derived by the rule for function application, which states a cost of 1 with regard to the type signature of
, represented by decrementing the potential induced by the annotation \(Q'\).
, estimates for the amortised costs of insertion and deletion on splay trees can be automatically inferred by our tool \(\mathsf {ATLAS}\). Further, our analysis handles similar self-adjusting data structures like pairing heaps and splay heaps (see Sect. 6.1).
, where the \(x_i\) are variables and e an expression. A substitution (or an environment) \(\sigma \) is a mapping from variables to values that respects types. Substitutions are denoted as sets of assignments:
. We employ a simple cost-sensitive big-step semantics based on eager evaluation, dressed up with cost assertions. The judgement
means that under environment \(\sigma \), expression e is evaluated to value v in exactly \(\ell \) steps. Here only rule applications emit (unit) costs. For brevity, the formal definition of the semantics is omitted but can be found in [27].
, denoting the \(\log _2\) of a linear combination of tree sizes. \(\log _2\) denotes the logarithm to the base 2; throughout the paper we stipulate \(\log _2(0) := 0\) in order to avoid case distinctions. Note that the constant function 1 is representable:
. We are now ready to state the resource annotation of a sequence of trees:
, vanishing almost everywhere. Let
be a sequence of trees. Then, the potential of
wrt. Q is given by
. Wrt. the above definition this potential becomes representable by setting
. Thus,
.
denote all tree types in \(\varGamma \). A resource annotation for \(\varGamma \) or simply annotation is an annotation for the sequence of trees
. We define the potential of the annotated context \(\varGamma {\mid } Q\) wrt. a substitution \(\sigma \) as
.
We suppose f takes n arguments of which m are trees; \(m \leqslant n\) by definition.
, we sometimes succinctly write
. The cost-free signature, denoted as \(\mathcal {F}^{\text {cf}}\), is similarly defined.
from above. Its signature is formally represented as \({\mathsf {B}\times \mathsf {T}} {\mid } {Q} \rightarrow {\mathsf {T}} {\mid } {Q'}\), where
and
. We leave it to the reader to specify the coefficients in Q, \(Q'\) so that the rule \((\mathsf {{app}})\) as depicted in Sect. 2 can indeed by employed to type the recursive call of
.
is defined as follows: \(Q' = [q_*] \cup [(q'_{(a,b)})_{a,b \in {\mathbb {N}}}]\), where
and for all \((a,b) \not = (0,2)\)
. By definition the annotation coefficient \(q_{(0,2)}\) is the coefficient of the basic potential function
, so the annotation \(Q-1\), decrements cost 1 from the potential induced by Q.
and any annotated signature
, we have \({{x_1}{:}\!{\alpha _1},\dots ,{x_k}{:}\!{\alpha _k}} {\mid } {Q} \vdash {e}{:}\!{\beta } {\mid } {Q'}\). A program \(\mathsf {P}\) is called cost-free well-typed, if the cost-free typing relation is employed.
. Then \(\varPhi ({\sigma };{\varGamma } {\mid } {Q}) - \varPhi ({v} {\mid } {Q'}) \geqslant \ell \). Further, if \({\varGamma } {\mid } {Q} \vdash ^{\text {cf}} {e}{:}\!{\alpha } {\mid } {Q'}\), then \(\varPhi ({\sigma };{\varGamma } {\mid } {Q}) \geqslant \varPhi ({v} {\mid } {Q'})\).
can in principle be checked automatically. Then—instead of checking this annotation—\(\mathsf {ATLAS}\) automatically optimises the signature, by minimising the deduced coefficients. (In Sect. 5 we discuss how this optimisation step is performed.) That is, \(\mathsf {ATLAS}\) reports the following annotation
. Optimality here means that no better bound has been obtained by earlier pen-and-paper verification methods (compare the discussion in Sect. 1).
.4
as shown in Fig. 1.
, representing its “standard” amortised complexity (e.g. copied from Okasaki’s book [38]) and an easily definable tactic, cf. Fig. 3. Then, \(\mathsf {ATLAS}\) automatically derives the optimal bound reported above. Still, for full-automation tactics are clearly not sufficient. In order to obtain type inference in general, we developed a generalisation of all the tactics that proved useful on our benchmark and incorporated this proof search strategy into the type inference algorithm. Using this, the aforementioned (unsuccessful) week-long quest for a type inference of splaying can now be successfully answered (in an optimal form) in mere minutes.
, see page 5. We now discuss how we can extract amortised complexities in the sense of Sleator and Tarjan from our approach. Suppose, we are interested in an amortised analysis of splay heaps. Then, it suffices to equate the right-hand sides of the annotated signatures of the splay heap functions. That is, we set
,
and
for some unknown resource annotations \(Q_1,Q_2,Q_3,Q'\). Note that we use the same annotation \(Q'\) for all signatures. We can then obtain a potential function from the annotation \(Q'\) in the sense of Sleator and Tarjan and deduce \(Q_i - Q'\) as an upper bound on the amortised complexity of the respective function. In Sect. 5, we discuss how to automatically optimise \(Q_i - Q'\) in order to minimise the amortised complexity bound. This automated minimisation is the second major contribution of our work. Our results suggest a new approach for the complexity analysis of data structures. On the one hand, we obtain novel insights into the automated worst-case runtime complexity analysis of involved programs. On the other hand, we provide a proof-of-concept of a computer-aided analysis of amortised complexities of data-structures that so far have only been analysed manually.
. Next, we explain how the monotonicity of \(\log _2\) and Lemma 1 can be used to derive inequalities on the variables \(x_{(\vec {a}, b)}\), which can then be used to instantiate matrix A in Farkas’ Lemma as stated in Sect. 4.
if \(a_1 \leqslant a'_1, \ldots , a_n \leqslant a'_n\) and \(b \leqslant b'\). This allows us to obtain the lattice shown in Fig. 5. A path from \(x_{(\vec {a}', b')}\) to \(x_{(\vec {a}, b)}\) signifies \(x_{(\vec {a}, b)} \leqslant x_{(\vec {a}', b')}\) resp. \(x_{(\vec {a}, b)} - x_{(\vec {a}', b')} \leqslant 0\), represented by a row with coefficients 1 and \(-1\) in the corresponding columns of matrix A.
, we want to find values for the coefficients of the resource annotations Q and \(Q'\) that minimise \(\varPhi ({\varGamma } {\mid } {Q}) \ - \ \varPhi ({\varGamma } {\mid } {Q'})\), since this difference is an upper bound on the amortised cost of f, cf. Sect. 4.2. However, as with weakening, we cannot directly express such a minimisation, and again resort to linearisation: We choose an optimisation function that directly maps from Q and \(Q'\) to \(\mathbb {Q}\). Our optimisation function combines four measures, three of which involve a difference between coefficients of Q and \(Q'\), and a fourth one that only involves coefficients from Q in order to minimise the absolute values of the discovered coefficients. We first present these measures for the special case of \(|Q| = 1\).
reflects our goal of preserving the coefficient for \(\mathsf {rk}\); note that for \(d_{1}(Q,Q') \ne 0\), the resulting complexity bound would be super-logarithmic. The second measure
reflects the goal of achieving logarithmic bounds that are as small as possible. Weights are defined to penalise more complex terms, and to exclude constants. (Recall that 1 is representable as \(\log _2(0+2)\).) We set
The third measure
reflects the goal of minimising constant cost. Lastly, we set
in order to obtain small absolute numbers. The last measure does not influence bounds on the amortised cost, but leads to more beautiful solutions. These measures are then composed to the linear objective function \(\min \sum _{i = 1}^4 d_i(Q,Q') \cdot w_i\). In our implementation, we set \(w_i = [ 16127, 997, 97, 2 ]\); these weights are chosen (almost) arbitrary, we only noticed that \(w_1\) must be sufficiently large to guarantee its priority. (We note that these weights were sufficient for our experiments; we refer to the literature for more principled ways of choosing the weights of an aggregated cost function [34].)
and
. The required changes for \(d_3\) and \(d_4\) are straight-forward. In our benchmarks, there is only one function (
of pairing heaps) that requires this minimisation function.
, or the right child is
, respectively. The left child is conceivable as list of pairing heaps. Schoenmakers and Nipkow et al. provide a (semi-)manual analysis of pairing heaps, that \(\mathsf {ATLAS}\) can verify or even improve fully-automatically. We note that we analyse a single function
, whereas [37] breaks down the analysis and studies two functions
and
with
. All definitions can be found at [33].
for the resulting tree 
.