Synthesis and Verification for All Emina Torlak

Transcription

1 Synthesis and Verification for All Emina Torlak University of Washington homes.cs.washington.edu/~emina/

2 Emina Racket

3 Racket a programmable programming language

4 Racket a programmable programming language

5 verification synthesis ROSETTE a programmable programming language

6 verification synthesis ROSETTE a programmable solver-aided programming language

7 vision a little programming for everyone

8 A little programming for everyone Every knowledge worker wants to program 8

9 A little programming for everyone Every knowledge worker wants to program spreadsheet data manipulation [Flashfill, POPL 11] social scientist 8

10 A little programming for everyone Every knowledge worker wants to program spreadsheet data manipulation [Flashfill, POPL 11] models of cell fates [SBL, POPL 13] biologist social scientist 8

11 A little programming for everyone Every knowledge worker wants to program spreadsheet data manipulation [Flashfill, POPL 11] models of cell fates [SBL, POPL 13] cache coherence protocols [Transit, PLDI 13] memory models [MemSAT, PLDI 10] hardware designer biologist social scientist 8

12 A little programming for everyone Every knowledge worker wants to program spreadsheet data manipulation [Flashfill, POPL 11] models of cell fates [SBL, POPL 13] cache coherence protocols [Transit, PLDI 13] memory models [MemSAT, PLDI 10] hardware designer biologist social scientist 8

13 A little programming for everyone Every knowledge worker wants to program spreadsheet data manipulation [Flashfill, POPL 11] models of cell fates [SBL, POPL 13] cache coherence protocols [Transit, PLDI 13] memory models [MemSAT, PLDI 10] expertise time hardware designer biologist social scientist 8

14 A little programming for everyone We all want to build programs spreadsheet data manipulation models of cell fates solver-aided languages cache coherence protocols memory models less time less expertise hardware designer biologist social scientist 9

15 outline solver-aided tools, languages and beyond

16 outline solver-aided tools tools, languages and beyond

17 outline solver-aided tools, tools, languages and beyond

18 outline solver-aided tools, tools, languages, and and applications beyond

19 solver-aided tools

20 Programming specification P(x) { } 12

21 Programming specification test case P(x) { } assert safe(p(2)) 12

22 Programming with a solver-aided tool? P(x) { } assert safe(p(2)) translator SAT/SMT solver 13

23 Programming with a solver-aided tool 42? verify P(x) { } assert safe(p(x)) Find an input on which the program fails. x. safe(p(x)) SAT/SMT solver CBMC [Kroening et al., DAC 03] Dafny [Leino, LPAR 10] Miniatur [Vaziri et al., FSE 07] Klee [Cadar et al., OSDI 08] 13

24 Programming with a solver-aided tool 42? verify debug P(x) { v = x + 2 } assert safe(p(x)) Find an input on which the program fails. Localize bad parts of the program. x = 42 safe(p(x)) SAT/SMT solver BugAssist [Jose & Majumdar, PLDI 11] 13

25 Programming with a solver-aided tool 42 40? verify debug solve P(x) { v = choose() } assert safe(p(x)) Find an input on which the program fails. Localize bad parts of the program. Find values that repair the failing run. v. safe(p(42, v)) SAT/SMT solver Kaplan [Koksal et al, POPL 12] PBnJ [Samimi et al., ECOOP 10] Squander [Milicevic et al., ICSE 11] 13

26 Programming with a solver-aided tool x 2? verify debug solve synth P(x) { v =?? } assert safe(p(x)) Find an input on which the program fails. Localize bad parts of the program. Find values that repair the failing run. Find code that repairs the program. e. x. safe(pe(x)) SAT/SMT solver Sketch [Solar-Lezama et al., ASPLOS 06] Comfusy [Kuncak et al., CAV 10] 13

27 The standard (hard) way to build a tool expertise in PL, FM, SE? verify debug solve synth P(x) { } assert safe(p(x)) translator SAT/SMT solver 14

28 A new, easy way to build tools programming? verify debug solve synth P(x) { } assert safe(p(x)) an interpreter or a library 15

29 A new, easy way to build tools? verify debug solve synth P(x) { } assert safe(p(x)) Implement a language for an application domain, get the tools for free! an interpreter or a library ROSETTE 15

30 A new, easy way to build tools? verify debug solve synth P(x) { } assert safe(p(x)) Implement a language for an application domain, get the tools for free! an interpreter or a library ROSETTE symbolic virtual machine 15

31 A new, easy way to build tools? verify debug solve synth P(x) { } assert safe(p(x)) Implement a language for an application domain, get the tools for free! an interpreter or a library ROSETTE symbolic virtual machine Hard technical challenge: how to efficiently translate a program and its interpreter? [Torlak & Bodik, PLDI 14, Onward 13] 15

32 design solver-aided languages

33 Layers of languages domain-specific language (DSL) A formal language that is specialized to a particular application domain and often limited in capability. library interpreter host language A high-level language for implementing DSLs, usually with meta-programming features. 17

34 Layers of languages domain-specific language (DSL) library interpreter artificial intelligence Church, BLOG databases SQL, Datalog hardware design Bluespec, Chisel, Verilog, VHDL math and statistics Eigen, Matlab, R layout and visualization LaTex, dot, dygraphs, D3 host language Scala, Racket, JavaScript 17

35 Layers of languages domain-specific language (DSL) C = A * B Eigen / Matlab [associativity] library interpreter C / Java host language for (i = 0; i < n; i++) for (j = 0; j < m; j++) for (k = 0; k < p; k++) C[i][k] += A[i][j] * B[j][k] 17

36 Layers of solver-aided languages solver-aided domain-specific language (SDSL) library interpreter solver-aided host language symbolic virtual machine 18

37 Layers of solver-aided languages solver-aided domain-specific language (SDSL) library interpreter solver-aided host language ROSETTE symbolic virtual machine [Torlak & Bodik, Onward 13, PLDI 14] 18

38 Layers of solver-aided languages solver-aided domain-specific language (SDSL) library interpreter solver-aided host language spatial programming Chlorophyll intelligent tutoring RuleSynth memory models MemSynth optimal synthesis Synapse radiotherapy controllers Neutrons BGP router configurations BagPipe symbolic virtual machine ROSETTE [Torlak & Bodik, Onward 13, PLDI 14] 18

39 Anatomy of a solver-aided host language Racket 19

40 Anatomy of a solver-aided host language (define-symbolic id type) (assert expr) (verify expr) (debug [expr] expr) (solve expr) (synthesize [expr] expr) ROSETTE 19

41 A tiny example SDSL def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 BV: A tiny assembly-like language for writing fast, lowlevel library functions. debug synth 20

42 A tiny example SDSL def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 BV: A tiny assembly-like language for writing fast, lowlevel library functions. test verify debug synth 20

43 A tiny example SDSL def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 BV: A tiny assembly-like language for writing fast, lowlevel library functions. 1. interpreter [10 LOC] test verify debug synth 2. verifier [free] 3. debugger [free] 4. synthesizer [free] 20

44 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > bvmax(-2, -1) 21

45 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 parse (define bvmax `((2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) 21

46 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 parse (define bvmax `((2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) (out opcode in...) 21

47 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) `(-2-1) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

48 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

49 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 (2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

50 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 (2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

51 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 (2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

52 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 (2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

53 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 (2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

54 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 (2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) > bvmax(-2, -1) -1 interpret (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 22

55 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 (define bvmax `((2 bvge 0 1) (3 bvneg 2) (4 bvxor 0 2) (5 bvand 3 4) (6 bvxor 1 5))) pattern matching dynamic evaluation first-class & higher-order procedures side effects > bvmax(-2, -1) -1 (define (interpret prog inputs) (make-registers prog inputs) (for ([stmt prog]) (match stmt [(list out opcode in...) (define op (eval opcode)) (define args (map load in)) (store out (apply op args))])) (load (last))) 23

56 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > verify(bvmax, max) (0, -2) > bvmax(0, -2) -1 query (define-symbolic n0 n1 integer?) (define inputs (list n0 n1)) (verify (assert (= (interpret bvmax inputs) (interpret max inputs)))) 24

57 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > verify(bvmax, max) (0, -2) > bvmax(0, -2) -1 query (define-symbolic n0 n1 integer?) (define inputs (list n0 n1)) (verify Creates two fresh symbolic constants of type number and binds them to variables n0 and n1. (assert (= (interpret bvmax inputs) (interpret max inputs)))) 24

58 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > verify(bvmax, max) (0, -2) > bvmax(0, -2) -1 query (define-symbolic n0 n1 integer?) (define inputs (list n0 n1)) (verify Symbolic values can be used just like concrete values of the same type. (assert (= (interpret bvmax inputs) (interpret max inputs)))) 24

59 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > verify(bvmax, max) (0, -2) > bvmax(0, -2) -1 query (define-symbolic n0 n1 integer?) (define inputs (list n0 n1)) (verify (assert (= (interpret bvmax inputs) (interpret max inputs)))) (verify expr) searches for a concrete interpretation of symbolic constants that causes expr to fail. 24

60 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > verify(bvmax, max) (0, -2) > bvmax(0, -2) -1 query (define-symbolic n0 n1 integer?) (define inputs (list n0 n1)) (verify (assert (= (interpret bvmax inputs) (interpret max inputs)))) 24

61 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > debug(bvmax, max, (0, -2)) query (define inputs (list 0-2)) (debug [input-register?] (assert (= (interpret bvmax inputs) (interpret max inputs)))) 25

62 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(r0, r2) r5 = bvand(r3, r4) r6 = bvxor(r1, r5) return r6 > debug(bvmax, max, (0, -2)) query (define inputs (list 0-2)) (debug [input-register?] (assert (= (interpret bvmax inputs) (interpret max inputs)))) 25

63 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(??,??) r5 = bvand(r3,??) r6 = bvxor(??,??) return r6 > synthesize(bvmax, max) query (define-symbolic n0 n1 integer?) (define inputs (list n0 n1)) (synthesize [inputs] (assert (= (interpret bvmax inputs) (interpret max inputs))))) 26

64 A tiny example SDSL: ROSETTE def bvmax(r0, r1) : r2 = bvge(r0, r1) r3 = bvneg(r2) r4 = bvxor(??, bvxor(r0,??) r1) r5 = bvand(r3,??) r4) r6 = bvxor(??, bvxor(r1,??) r5) return r6 > synthesize(bvmax, max) query (define-symbolic n0 n1 integer?) (define inputs (list n0 n1)) (synthesize [inputs] (assert (= (interpret bvmax inputs) (interpret max inputs))))) 26

65 tech symbolic virtual machine (SVM)

66 How it all works: a big picture view query program SDSL ROSETTE symbolic virtual machine solver [Torlak & Bodik, Onward 13] [Torlak & Bodik, PLDI 14] 28

67 How it all works: a big picture view result program SDSL ROSETTE symbolic virtual machine solver [Torlak & Bodik, Onward 13] [Torlak & Bodik, PLDI 14] 28

68 How it all works: a big picture view result program SDSL pattern matching dynamic evaluation first-class procedures higher-order procedures side effects macros theories of bitvectors, integers, reals, and uninterpreted functions ROSETTE symbolic virtual machine solver [Torlak & Bodik, Onward 13] [Torlak & Bodik, PLDI 14] 28

69 Translation to constraints by example solve: vs ps = () ps (3, 1, -2) for reverse v in and vs: filter, keeping only if positive v > 0: numbers (1, 3) ps = insert(v, ps) assert len(ps) == len(vs) 29

70 Translation to constraints by example solve: vs ps = () ps (3, 1, -2) for v in vs: if v > 0: (1, 3) ps = insert(v, ps) assert len(ps) == len(vs) 29

71 Translation to constraints by example vs solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) constraints ps 29

72 Translation to constraints by example vs (a, b) solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) constraints ps 29

73 Translation to constraints by example vs (a, b) solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) constraints ps a>0 b>0 29

74 Design space of precise symbolic encodings solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) bounded model checking symbolic execution 30

75 Design space of precise symbolic encodings solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) bounded model checking symbolic execution vs (a, b) ps ( ) a > 0 ps (a) b 0 ps (a) { a > 0 } b 0 false 30

76 Design space of precise symbolic encodings solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) bounded model checking b 0 ps ( ) { a 0 } b 0 false a 0 ps ( ) symbolic execution vs (a, b) ps ( ) a > 0 b > 0 b 0 b > 0 ps (b) ps (a) ps (b, a) { a 0 } { a > 0 } b > 0 b 0 false false true { a > 0 } ps (a) 30

77 Design space of precise symbolic encodings solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) b 0 ps ( ) { a 0 } b 0 false a 0 ps ( ) symbolic execution vs (a, b) ps ( ) a > 0 b > 0 b 0 b > 0 ps (b) ps (a) ps (b, a) { a 0 } { a > 0 } b > 0 b 0 false false true { a > 0 } ps (a) bounded model checking a 0 ps ( ) vs (a, b) ps ( ) ps ps0 a > 0 ps (a) ps0 = ite(a > 0, (a), ( )) ps1 = insert(b, ps0) ps2 = ite(b > 0, ps0, ps1) assert len(ps2) = 2 30

78 Design space of precise symbolic encodings solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) b 0 ps ( ) { a 0 } b 0 false a 0 ps ( ) symbolic execution vs (a, b) ps ( ) a > 0 b > 0 b 0 b > 0 ps (b) ps (a) ps (b, a) { a 0 } { a > 0 } b > 0 b 0 false false true { a > 0 } ps (a) bounded model checking a 0 ps ( ) vs (a, b) ps ( ) ps ps0 a > 0 ps (a) b > 0 ps ps1 ps0 = ite(a > 0, (a), ( )) ps1 = insert(b, ps0) ps2 = ite(b > 0, ps0, ps1) assert len(ps2) = 2 30

79 Design space of precise symbolic encodings solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) b 0 ps ( ) { a 0 } b 0 false a 0 ps ( ) symbolic execution vs (a, b) ps ( ) a > 0 b > 0 b 0 b > 0 ps (b) ps (a) ps (b, a) { a 0 } { a > 0 } b > 0 b 0 false false true { a > 0 } ps (a) bounded model checking a 0 ps ( ) b 0 ps ps0 vs (a, b) ps ( ) ps ps0 ps ps2 a > 0 ps (a) b > 0 ps ps1 ps0 = ite(a > 0, (a), ( )) ps1 = insert(b, ps0) ps2 = ite(b > 0, ps0, ps1) assert len(ps2) = 2 30

80 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) { a > 0 } b > 0 true 31

81 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) Merge values of primitive types: symbolically immutable types: structurally all other types: via unions { a > 0 } b > 0 true 31

82 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) g a g b Merge values of primitive types: symbolically immutable types: structurally all other types: via unions c { a > 0 } b > 0 true 31

83 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) Merge values of primitive types: symbolically immutable types: structurally all other types: via unions g (a, a b) (c, bd) (e, cf) g { a > 0 } b > 0 true 31

84 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) Merge values of primitive types: symbolically immutable types: structurally all other types: via unions g a (c, () bd) { g (e, a, cf) g () } g { a > 0 } b > 0 true 31

85 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) symbolic virtual machine 32

86 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) symbolic virtual machine a 0 ps ( ) vs (a, b) ps ( ) a > 0 ps (a) 32

87 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) Symbolic union: a set of guarded values, with disjoint guards. symbolic virtual machine g0 a 0 ps ( ) vs (a, b) ps ( ) ps { g0 (a), g0 ( ) } a > 0 g0 ps (a) g0 = a > 0 g1 = b > 0 g2 = g0 g1 g3 = (g0 g1) g4 = g0 g1 c = ite(g1, b, a) assert g2 32

88 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) symbolic virtual machine g0 a 0 ps ( ) vs (a, b) ps ( ) a > 0 g0 ps (a) Execute insert concretely on all lists in the union. ps { g0 (a), g0 ( ) } g1 g0 = a > 0 g1 = b > 0 g2 = g0 g1 g3 = (g0 g1) g4 = g0 g1 c = ite(g1, b, a) assert g2 ps { g0 (b, a), g0 (b) } 32

89 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) symbolic virtual machine g0 a 0 ps ( ) vs (a, b) ps ( ) a > 0 g0 ps (a) ps { g0 (a), g0 ( ) } g1 g1 g0 = a > 0 g1 = b > 0 g2 = g0 g1 g3 = (g0 g1) g4 = g0 g1 c = ite(g1, b, a) assert g2 ps { g0 (a), g0 ( ) } ps { g0 (b, a), g0 (b) } 32

90 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) symbolic virtual machine g0 a 0 ps ( ) vs (a, b) ps ( ) a > 0 g0 ps (a) ps { g0 (a), g0 ( ) } g1 g1 g0 = a > 0 g1 = b > 0 ps { g0 (a), g0 ( ) } ps { g0 (b, a), g0 (b) } g2 = g0 g1 g3 = (g0 g1) g4 = g0 g1 c = ite(g1, b, a) assert g2 ps { g2 (b, a), g3 (c), g4 ( ) } 32

91 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) symbolic virtual machine g0 a 0 ps ( ) vs (a, b) ps ( ) a > 0 g0 ps (a) Evaluate len concretely on all lists in the union; assertion true only on the list guarded by g2. g0 = a > 0 g1 = b > 0 g2 = g0 g1 g3 = (g0 g1) g4 = g0 g1 c = ite(g1, b, a) assert g2 g1 g1 ps { g0 (a), g0 ( ) } ps { g0 (a), g0 ( ) } ps { g2 (b, a), g3 (c), g4 ( ) } ps { g0 (b, a), g0 (b) } 32

92 A new design: type-driven state merging solve: ps = () for v in vs: if v > 0: ps = insert(v, ps) assert len(ps) == len(vs) symbolic virtual machine g0 a 0 ps ( ) vs (a, b) ps ( ) a > 0 g0 ps (a) polynomial encoding concrete evaluation g0 = a > 0 g1 = b > 0 g2 = g0 g1 g3 = (g0 g1) g4 = g0 g1 c = ite(g1, b, a) assert g2 ps { g0 (a), g0 ( ) } g1 g1 ps { g0 (a), g0 ( ) } ps { g2 (b, a), g3 (c), g4 ( ) } ps { g0 (b, a), g0 (b) } 32

93 apps solver-aided programming for everyone

94 Recent applications of ROSETTE Synthesizing Memory Models from Litmus Tests James Bornholt and Emina Torlak (under submission) Synthesizing Custom Tutoring Rules for Introductory Algebra Eric Butler, Emina Torlak, and Zoran Popovic (under submission) Scalable Verification of BGP Configurations (OOPSLA 16) Konstantin Weitz, Doug Woos, Emina Torlak, Michael D. Ernst, Arvind Krishnamurthy, and Zachary Tatlock Investigating Investigating Safety Safety of of a Radiotherapy Radiotherapy Machine Machine (CAV 16) (CAV 16) Stuart Stuart Pernsteiner, Pernsteiner, Calvin Calvin Loncaric, Loncaric, Emina Emina Torlak, Torlak, Zachary Zachary Tatlock, Tatlock, Xi Xi Wang, Michael Ernst, Wang, and Michael Jon Jacky Ernst, and Jon Jacky A Framework for Synthesis and Parameterized Design of Rule Systems Applied to Algebra (ITS 16) Eric Butler, Emina Torlak, and Zoran Popovic Specifying and Checking File System Crash-Consistency Models (ASPLOS 16) James Bornholt, Antoine Kaufmann, Jialin Li, Arvind Krishnamurthy, Emina Torlak, and Xi Wang. Scaling up Superoptimization (ASPLOS 16) Phitchaya Mangpo Phothilimthana, Aditya Thakur, Rastislav Bodík, and Dinakar Dhurjati. and Dinakar Dhurjati. Synapse: Optimizing Synthesis with Metasketches (POPL 16) James Bornholt, Emina Torlak, Dan Grossman, and Luis Ceze. 34

95 Recent applications of ROSETTE Investigating Safety of a Radiotherapy Machine (CAV 16) Stuart Pernsteiner, Calvin Loncaric, Emina Torlak, Zachary Tatlock, Xi Wang, Michael Ernst, and Jon Jacky Scaling up Superoptimization (ASPLOS 16) Phitchaya Mangpo Phothilimthana, Aditya Thakur, Rastislav Bodík, and Dinakar Dhurjati. 35

96 Recent applications of ROSETTE: Neutrons Investigating Safety of a Radiotherapy Machine (CAV 16) Stuart Pernsteiner, Calvin Loncaric, Emina Torlak, Zachary Tatlock, Xi Wang, Michael Ernst, and Jon Jacky Clinical Neutron Therapy System (CNTS) at UW Scaling up Superoptimization (ASPLOS 16) Phitchaya Mangpo Phothilimthana, Aditya Thakur, Rastislav Bodík, and Dinakar Dhurjati. Used Rosette to build a verifier for the EPICS DSL. Found safety-critical defects in a pre-release version of the therapy control software. Used by CNTS staff to verify changes to the control software. 36

97 Recent applications of ROSETTE: Enlearn Investigating Safety of a Radiotherapy Machine (CAV 16) Stuart Pernsteiner, Calvin Loncaric, Emina Torlak, Zachary Tatlock, Xi Wang, Michael Ernst, and Jon Jacky Scaling up Superoptimization (ASPLOS 16) Phitchaya Mangpo Phothilimthana, Aditya Thakur, Rastislav Bodík, and Dinakar Dhurjati. Education technology company founded by Zoran Popovic. Uses Rosette to develop educational math games, released to thousands (and eventually millions) of students. Building a Rosette-based DSL to enable educators to develop their own educational tools. 37

98 Recent applications of ROSETTE: Greenthumb Investigating Safety of a Radiotherapy Machine (CAV 16) Stuart Pernsteiner, Calvin Loncaric, Emina Torlak, Zachary Tatlock, Xi Wang, Michael Ernst, and Jon Jacky Scaling up Superoptimization (ASPLOS 16) Phitchaya Mangpo Phothilimthana, Aditya Thakur, Rastislav Bodík, and Dinakar Dhurjati. A Rosette-based framework for creating efficient superoptimizers for new ISAs. Requires only an emulator for the ISA and a few ISA-specific search utility functions! Hosts superoptimizers for ARM and GreenArrays (GA) ISA. Up to 82% speedup over gcc - O3 for ARM; within 19% of hand optimized code for GA. 38

99 thanks

100 your SDSL verify synthesize debug solve thanks ROSETTE symbolic virtual machine