
CSE507 Computer-Aided Reasoning for Software: Solver-Aided Languages (lecture slides)

CSE507 Computer-Aided Reasoning for Software: Solver-Aided Languages
courses.cs.washington.edu/courses/cse507/14au/
Emina Torlak, emina@cs.washington.edu

Today
  Last lecture: program synthesis.
  Today: solver-aided languages.


  1. Layers of solver-aided languages
     Top layer: solver-aided domain-specific languages (SDSLs), each written as a library or interpreter on top of the host language: Chlorophyll (spatial programming), SynthCL (data-parallel programming), WebSynth (web scraping), IFC (secure stack machines).
     Middle layer: ROSETTE, the solver-aided host language [Torlak & Bodik, Onward'13, PLDI'14].
     Bottom layer: the symbolic virtual machine.

  2-10. SDSLs developed with ROSETTE
     [Bar chart: development time in weeks (axis 0 to 16) for Chlorophyll (first-year grad), SynthCL (expert), WebSynth (undergrad), IFC (expert); bar heights are not recoverable from the extracted text.]
     Chlorophyll: spatial programming for a low-power chip, the GreenArrays GA144, using synthesis to partition code and data across 144 tiny cores. Optimal partitioning is synthesized in minutes, while manual partitioning takes days [Phothilimthana et al., PLDI'14].
     SynthCL: verification and synthesis for data-parallel programming with OpenCL. Used by a novice to develop new vectorized kernels that are as fast as expert code.
     WebSynth: synthesis of web scraping scripts from examples (programming by example, PBE). Works on real web pages (e.g., iTunes) in seconds.
     IFC: verification for executable specifications of secure stack machines. Finds all bugs reported by a specialized tool [Hritcu et al., ICFP'13].

  11-12. Anatomy of a solver-aided host language
     Racket: a modern descendant of Scheme with macro-based metaprogramming.
     ROSETTE adds the solver-aided constructs:
       (define-symbolic id type)
       (assert expr)
       (verify expr)
       (debug [expr] expr)
       (solve expr)
       (synthesize [expr] expr)

  13-15. A tiny example SDSL
     A tiny assembly-like language for writing fast, low-level library functions:
       def bvmax(r0, r1) : BV :
         r2 = bvge(r0, r1)
         r3 = bvneg(r2)
         r4 = bvxor(r0, r2)
         r5 = bvand(r3, r4)
         r6 = bvxor(r1, r5)
         return r6
     (This version has a bug in r4, which the verify, debug and synthesize queries on the following slides expose and repair.)
     Around the language sit four tools: test, debug, verify, synth. Cost of building them on ROSETTE:
       1. interpreter [10 LOC]
       2. verifier [free]
       3. debugger [free]
       4. synthesizer [free]

  16-18. ROSETTE: parsing the example SDSL
     The surface program is parsed into a quoted Racket list, one statement per element, each of the form (out opcode in ...):
       (define bvmax
         `((2 bvge 0 1)
           (3 bvneg 2)
           (4 bvxor 0 2)
           (5 bvand 3 4)
           (6 bvxor 1 5)))
     Example call:
       > bvmax(-2, -1)

  19-27. ROSETTE: interpreting the example SDSL
     The inputs `(-2 -1) are loaded into registers 0 and 1, then each statement is executed in order:
       (define (interpret prog inputs)
         (make-registers prog inputs)
         (for ([stmt prog])
           (match stmt
             [(list out opcode in ...)
              (define op (eval opcode))
              (define args (map load in))
              (store out (apply op args))]))
         (load (last)))
     Register contents after running bvmax(-2, -1): r0 = -2, r1 = -1, r2 = 0, r3 = 0, r4 = -2, r5 = 0, r6 = -1, so
       > bvmax(-2, -1)
       -1
     The interpreter relies on ordinary Racket features: pattern matching, dynamic evaluation, first-class and higher-order procedures, and side effects.

  28-32. ROSETTE: the verify query
       (define-symbolic n0 n1 number?)
       (define inputs (list n0 n1))
       (verify
         (assert (= (interpret bvmax inputs)
                    (interpret max inputs))))
     define-symbolic creates two fresh symbolic constants of type number and binds them to the variables n0 and n1. Symbolic values can be used just like concrete values of the same type. (verify expr) searches for a concrete interpretation of the symbolic constants that causes expr to fail. Here it finds one:
       > verify(bvmax, max)
       (0, -2)
       > bvmax(0, -2)
       -1
     (the reference max(0, -2) is 0).

  33-34. ROSETTE: the debug query
     Given the failing input, (debug [input-register?] expr) localizes the failure to a minimal set of input-register operands, at least one of which must change for the assertion to hold:
       (define inputs (list 0 -2))
       (debug [input-register?]
         (assert (= (interpret bvmax inputs)
                    (interpret max inputs))))
       > debug(bvmax, max, (0, -2))
     The result highlights the suspect operands in the program, r0 and r2 in r4, r4 in r5, and r1 and r5 in r6:
       r4 = bvxor( r0 , r2 )
       r5 = bvand(r3,  r4 )
       r6 = bvxor( r1 , r5 )

  35-36. ROSETTE: the synthesize query
     The suspect operands are replaced with holes (??) and the synthesizer is asked for a completion that agrees with max on all inputs:
       def bvmax(r0, r1) :
         r2 = bvge(r0, r1)
         r3 = bvneg(r2)
         r4 = bvxor(??, ??)
         r5 = bvand(r3, ??)
         r6 = bvxor(??, ??)
         return r6

       (define-symbolic n0 n1 number?)
       (define inputs (list n0 n1))
       (synthesize [inputs]
         (assert (= (interpret bvmax inputs)
                    (interpret max inputs))))
       > synthesize(bvmax, max)
     Synthesized completion:
       r4 = bvxor(r0, r1)
       r5 = bvand(r3, r4)
       r6 = bvxor(r1, r5)
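The interpreter, the verify query and the synthesize query for bvmax, as one added example in Python. This is not Rosette code and not from the course materials: where Rosette hands symbolic inputs and holes to an SMT solver, this version enumerates every W-bit input pair and every hole assignment, which only works because the machine is tiny. The bit width W = 4, the signed semantics of bvge (returning 1 or 0), and the rule that a hole may name any register defined before its statement are assumptions the slides leave open.

```python
"""Concrete interpreter for the slides' tiny register language, plus a bounded
verify and a bounded synthesize (exhaustive enumeration instead of an SMT solver)."""
from itertools import product

W = 4                                           # bit width (assumption: the slides never fix one)
MASK = (1 << W) - 1
DOMAIN = range(-(1 << (W - 1)), 1 << (W - 1))   # every signed W-bit value


def to_signed(x):
    """Wrap an integer into the signed W-bit range (two's complement)."""
    x &= MASK
    return x - (1 << W) if x >= 1 << (W - 1) else x


OPS = {                                         # semantics of each opcode on signed W-bit values
    "bvge": lambda a, b: 1 if a >= b else 0,    # signed compare, result 1/0 (assumption)
    "bvneg": lambda a: to_signed(-a),
    "bvxor": lambda a, b: to_signed(a ^ b),
    "bvand": lambda a, b: to_signed(a & b),
}

# Statements are (out, opcode, in ...), mirroring the quoted lists on the slides.
BVMAX_BUGGY = [(2, "bvge", 0, 1), (3, "bvneg", 2), (4, "bvxor", 0, 2),
               (5, "bvand", 3, 4), (6, "bvxor", 1, 5)]
HOLE = "??"
BVMAX_SKETCH = [(2, "bvge", 0, 1), (3, "bvneg", 2), (4, "bvxor", HOLE, HOLE),
                (5, "bvand", 3, HOLE), (6, "bvxor", HOLE, HOLE)]


def interpret(prog, inputs):
    """Mirror of the Racket interpreter: make registers, load operands, apply, store."""
    regs = {i: to_signed(v) for i, v in enumerate(inputs)}
    for out, opcode, *ins in prog:
        regs[out] = OPS[opcode](*(regs[i] for i in ins))
    return regs[prog[-1][0]]                    # (load (last))


def spec_max(inputs):
    """Reference semantics that bvmax must match."""
    return max(to_signed(v) for v in inputs)


def verify(prog, spec):
    """Bounded stand-in for (verify ...): the first input pair on which prog and
    spec disagree, as (inputs, got, expected), or None if they agree everywhere."""
    for inputs in product(DOMAIN, repeat=2):
        got, expected = interpret(prog, inputs), spec(inputs)
        if got != expected:
            return inputs, got, expected
    return None


def synthesize(sketch, spec, n_inputs=2):
    """Bounded stand-in for (synthesize ...): fill each ?? with a register that is
    defined at that statement and return the first completion that passes verify."""
    slots, choices = [], []
    for i, stmt in enumerate(sketch):
        defined = list(range(n_inputs)) + [s[0] for s in sketch[:i]]
        for j, operand in enumerate(stmt[2:], start=2):
            if operand == HOLE:
                slots.append((i, j))
                choices.append(defined)
    for fill in product(*choices):
        prog = [list(stmt) for stmt in sketch]
        for (i, j), reg in zip(slots, fill):
            prog[i][j] = reg
        prog = [tuple(stmt) for stmt in prog]
        if verify(prog, spec) is None:
            return prog
    return None


if __name__ == "__main__":
    print(interpret(BVMAX_BUGGY, (-2, -1)))     # -1, as on the slide
    print(verify(BVMAX_BUGGY, spec_max))        # a counterexample such as ((0, -2), -1, 0)
    print(synthesize(BVMAX_SKETCH, spec_max))   # a completion that agrees with max
```

The enumeration in synthesize is the ∃ holes ∀ inputs search that Rosette delegates to the solver; with 5 holes and 4-bit inputs it is a few thousand candidates, each rejected as soon as one input disagrees.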

  37. Symbolic virtual machine (SVM)

  38-40. How it all works: a big picture view
     A program written in an SDSL, together with a query, is handled by ROSETTE [Torlak & Bodik, Onward'13], whose symbolic virtual machine [Torlak & Bodik, PLDI'14] translates it into constraints for the solver; the solver's answer flows back as the query result.
     The SVM has to handle the host-language features the SDSL interpreter uses: pattern matching, dynamic evaluation, first-class procedures, higher-order procedures, side effects, macros. On the solver side the constraints are expressed in the theory of bitvectors.

  41-44. Translation to constraints by example
       solve:
         ps = ()
         for v in vs:
           if v > 0:
             ps = insert(v, ps)
         assert len(ps) == len(vs)
     The loop reverses vs and filters it, keeping only the positive numbers. On the concrete input vs = (3, 1, -2) it produces ps = (1, 3). With the symbolic input vs = (a, b), the assertion that ps has the same length as vs translates to the constraint a > 0 ∧ b > 0 on the inputs.

  45-50. Design space of precise symbolic encodings
     Two precise encodings of the same program, with vs ↦ (a, b) and ps ↦ ( ) initially.
     Symbolic execution forks at every branch and carries one concrete state per path:
       a ≤ 0, b ≤ 0: ps ↦ ( )     len(ps) == 2 is false
       a ≤ 0, b > 0: ps ↦ (b)     false
       a > 0, b ≤ 0: ps ↦ (a)     false
       a > 0, b > 0: ps ↦ (b, a)  true
     The query is the disjunction of the path conditions under which the assertion holds, so only the last path survives; the number of paths doubles with every element of vs.
     Bounded model checking instead merges the states after each branch into one symbolic value and encodes the whole program as a single formula:
       ps0 = ite(a > 0, (a), ( ))
       ps1 = insert(b, ps0)
       ps2 = ite(b > 0, ps1, ps0)
       assert len(ps2) = 2

  51-52. A new design: type-driven state merging
     Same program, but the merging strategy is chosen by the type of the value being merged:
       primitive types: merged symbolically (into one ite term)
       immutable types: merged structurally (component by component)
       all other types: merged via unions (guarded alternatives)
     On this example the evaluation reaches the assertion in a single state whose constraint is a > 0 ∧ b > 0, i.e., true on exactly the one path that symbolic execution found.
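The two encodings from the preceding slides, forking symbolic execution versus a merged, union-based state, together with the assertion len(ps) == len(vs), as an added Python example. It is not Rosette and not course code: boolean terms are small tuple ASTs constructed here, `solve` is a brute-force model finder standing in for the SMT solver, and the input names a, b, c are assumptions. It generalizes the slides' two-element vs to any number of inputs, which is where the merged encoding's advantage shows: n + 1 union entries instead of 2^n paths.

```python
"""The slides' `ps` program (keep the positive elements of vs) evaluated
symbolically two ways: path-by-path, and with Rosette-style guarded unions
for the list-typed state, merging same-shaped lists structurally."""
from itertools import product


# Boolean term ASTs (constructed for this example):
#   True/False, ("gt0", name), ("not", t), ("and", t1, t2), ("or", t1, t2)
def And(p, q):
    if p is True: return q
    if q is True: return p
    if p is False or q is False: return False
    return ("and", p, q)


def Or(p, q):
    if p is False: return q
    if q is False: return p
    if p is True or q is True: return True
    return ("or", p, q)


def Not(p):
    return (not p) if isinstance(p, bool) else ("not", p)


def holds(term, env):
    """Evaluate a boolean term under a concrete assignment of the inputs."""
    if isinstance(term, bool):
        return term
    op, *args = term
    if op == "gt0": return env[args[0]] > 0
    if op == "not": return not holds(args[0], env)
    if op == "and": return holds(args[0], env) and holds(args[1], env)
    return holds(args[0], env) or holds(args[1], env)


def step(guard, ps, v):
    """One loop iteration `if v > 0: ps = insert(v, ps)` on a guarded state:
    the then-branch prepends v, the else-branch leaves ps unchanged."""
    c = ("gt0", v)
    return [(And(guard, c), (v,) + ps), (And(guard, Not(c)), ps)]


def symbolic_execution(names):
    """Fork at every branch: 2**len(names) (path condition, ps) pairs."""
    paths = [(True, ())]
    for v in names:
        paths = [s for guard, ps in paths for st in [step(guard, ps, v)] for s in st]
    return paths


def merged_execution(names):
    """Keep one guarded union for ps. Lists of equal length (same shape) are
    merged structurally, element-wise via ite, so the union never has more
    than len(names) + 1 entries."""
    union = [(True, ())]
    for v in names:
        by_len = {}
        for guard, ps in union:
            for g, lst in step(guard, ps, v):
                if len(lst) in by_len:
                    g0, lst0 = by_len[len(lst)]
                    lst = tuple(x if x == y else ("ite", g0, x, y) for x, y in zip(lst0, lst))
                    g = Or(g0, g)
                by_len[len(lst)] = (g, lst)
        union = list(by_len.values())
    return union


def length_is(states, n):
    """Encode `assert len(ps) == n` over either encoding: the disjunction of the
    guards under which ps has length n."""
    term = False
    for guard, ps in states:
        if len(ps) == n:
            term = Or(term, guard)
    return term


def solve(term, names, domain=range(-2, 3)):
    """Brute-force model finder: an assignment satisfying term, or None."""
    for vals in product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if holds(term, env):
            return env
    return None


if __name__ == "__main__":
    names = ("a", "b")
    print(len(symbolic_execution(names)), "paths vs", len(merged_execution(names)), "union entries")
    print(length_is(merged_execution(names), 2))   # ('and', ('gt0', 'a'), ('gt0', 'b'))
    print(solve(length_is(merged_execution(names), 2), names))
```

Both encodings yield the same assertion term and the same model; the difference is the size of the state the evaluator carries, which for the merged version grows linearly in the length of vs.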
