• Home

  • Documents

  • KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair,...
72
K O DKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

  • Upload
    others

  • View
    8

  • Download
    0

Embed Size (px)

Citation preview

Page 1: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

KODKOD by example

code checking, data repair, debugging and synthesis in 20 minutes

emina torlak Dagstuhl · April 11, 2012

Page 2: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

alloy.mit.edu/kodkod

2

Page 3: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

some applications of kodkod

checking theorems & designs‣ Alloy4 (Alloy), Nitpick (Isabelle/HOL), ProB (B,

Event-B, Z and TLA+), ExUML (UML)

checking code & memory models‣ Forge, Karun, Miniatur, TACO, MemSAT

declarative programming, fault recovery & data structure repair‣ Squander, PBnJ, Tarmeem, Cobbler

declarative configuration‣ ConfigAssure (networks), Margrave (policies)

test-case generation‣ Kesit, Whispec

3

MemSAT

SQUANDER

Page 4: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

class List {Node head;

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;!!

}}

class Node {Node next;String data; }

example: reversing a linked list

4

?

Page 5: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

class List {Node head;

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;!!

}}

class Node {Node next;String data; }

example: reversing a linked list

4

Page 6: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant no ^next ∩ iden

invariants, pre and post conditions

5

class List {Node head;

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;!!

}}

class Node {Node next;String data;

}

Page 7: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@requires this.head != null && this.head.next != null

@invariant no ^next ∩ iden

invariants, pre and post conditions

5

class List {Node head;

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;!!

}}

class Node {Node next;String data;

}

Page 8: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@ensures this.head.*next = this.old(head).*old(next) &&

@requires this.head != null && this.head.next != null

@invariant no ^next ∩ iden

invariants, pre and post conditions

5

class List {Node head;

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;!!

}}

class Node {Node next;String data;

}

Page 9: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@ensures this.head.*next = this.old(head).*old(next) && let N = (this.head.*next − null), bound = N × N |

next ∩ bound = ~old(next) ∩ bound

@requires this.head != null && this.head.next != null

@invariant no ^next ∩ iden

invariants, pre and post conditions

5

class List {Node head;

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;!!

}}

class Node {Node next;String data;

}

Page 10: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@ensures this.head.*next = this.old(head).*old(next) && let N = (this.head.*next − null), bound = N × N |

next ∩ bound = ~old(next) ∩ bound

@requires this.head != null && this.head.next != null

@invariant no ^next ∩ iden

invariants, pre and post conditions

5

class List {Node head;

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;!!

}}

class Node {Node next;String data;

}

Inv(next)

Pre(this, head, next)

Post(this, old(head), head, old(next), next)

Page 11: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

a relational view of the heap

6

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

Page 12: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

a relational view of the heap

6

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

fields as binary relations

‣ head ≡ { <this, n2> }, next ≡ { <n2, n1>, … }

Page 13: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

a relational view of the heap

6

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

fields as binary relations

‣ head ≡ { <this, n2> }, next ≡ { <n2, n1>, … }

types as sets (unary relations)‣ List ≡ { <this> }, Node ≡ { <n0>, <n1>, <n2> }

Page 14: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

a relational view of the heap

6

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

fields as binary relations

‣ head ≡ { <this, n2> }, next ≡ { <n2, n1>, … }

types as sets (unary relations)‣ List ≡ { <this> }, Node ≡ { <n0>, <n1>, <n2> }

objects as scalars (singleton unary relations)‣ this ≡ { <this> }, null ≡ { <null> }

Page 15: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

a relational view of the heap

6

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

fields as binary relations

‣ head ≡ { <this, n2> }, next ≡ { <n2, n1>, … }

types as sets (unary relations)‣ List ≡ { <this> }, Node ≡ { <n0>, <n1>, <n2> }

objects as scalars (singleton unary relations)‣ this ≡ { <this> }, null ≡ { <null> }

field access as relational join (.)‣ this.head ≡ { <this> } . { <this, n2> } = { <n2> }

Page 16: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

a relational view of the heap

6

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

fields as binary relations

‣ head ≡ { <this, n2> }, next ≡ { <n2, n1>, … }

types as sets (unary relations)‣ List ≡ { <this> }, Node ≡ { <n0>, <n1>, <n2> }

objects as scalars (singleton unary relations)‣ this ≡ { <this> }, null ≡ { <null> }

field access as relational join (.)‣ this.head ≡ { <this> } . { <this, n2> } = { <n2> }

field update as relational override (++)

‣ this.head = null ≡ head ++ (this × null) = { <this, n2> } ++ { <this, null> } = { <this, null> }

Page 17: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

code checking with kodkod

7

Page 18: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

code checking with kodkod

finitize loops‣ e.g., unwind once

7

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;if (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}assume far == null;

mid.next = near;head = mid;! !

}

Page 19: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

code checking with kodkod

finitize loops‣ e.g., unwind once

convert to SSA‣ SSA for both locals and fields

7

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;if (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}assume far == null;

mid.next = near;head = mid;! !

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 20: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

code checking with kodkod

finitize loops‣ e.g., unwind once

convert to SSA‣ SSA for both locals and fields

encode program semantics in relational logic

7

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;if (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}assume far == null;

mid.next = near;head = mid;! !

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 21: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

code checking with kodkod

finitize loops‣ e.g., unwind once

convert to SSA‣ SSA for both locals and fields

encode program semantics in relational logic

specify analysis bounds

7

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;if (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}assume far == null;

mid.next = near;head = mid;! !

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 22: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

code checking with kodkod

finitize loops‣ e.g., unwind once

convert to SSA‣ SSA for both locals and fields

encode program semantics in relational logic

specify analysis bounds

for details see‣ Forge [Dennis, 2006, 2008]‣ Miniatur [Dolby et al., 2007]‣ MemSAT [Torlak et al., 2010]

7

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = far;if (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}assume far == null;

mid.next = near;head = mid;! !

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 23: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ ¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

translating code to relational logic

8

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

introduce a unary relation for each reference and type, and a binary relation for each field‣ constrain reference relations to be singletons‣ constrain field relations to be functions

encode the post-state relations in terms of the pre-state, using relational joins and overrides

use the pre- and post-state relations to encode invariants, preconditions, and negated postconditions

Page 24: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ ¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

translating code to relational logic

8

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

encode the post-state relations in terms of the pre-state, using relational joins and overrides

use the pre- and post-state relations to encode invariants, preconditions, and negated postconditions

Page 25: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ ¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

translating code to relational logic

8

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

head ⊆ List × (Node ∪ null) ∧(∀ l: List | one l.head)

encode the post-state relations in terms of the pre-state, using relational joins and overrides

use the pre- and post-state relations to encode invariants, preconditions, and negated postconditions

Page 26: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ ¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

translating code to relational logic

8

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 27: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one thishead ⊆ List → (Node ∪ null)next ⊆ Node → (Node ∪ null)data ⊆ Node → (String ∪ null)

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

{ this, n0, n1, n2, s0, s1, s2, null }

{ <null> } ⊆ null ⊆ { <null> }

{} ⊆ this ⊆ { < this > } {} ⊆ List ⊆ { < this > }{} ⊆ Node ⊆ { <n0>, <n1>, <n2> }{} ⊆ String ⊆ { <s0>, <s1>, <s2> }

{} ⊆ head ⊆ { this } × { n0, n1, n2, null }{} ⊆ next ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ data ⊆ { n0, n1, n2 } × { s0, s1, s2, null }

specifying analysis bounds

9

finite universe of uninterpreted elements‣ e.g., 1 List object, 3 of everything else

upper bound on each relation‣ set of tuples, drawn from the universe,

that the relation may contain

lower bound on each relation‣ set of tuples, drawn from the universe,

that the relation must contain

‣ lower bounds collectively form a partial model

Page 28: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one thishead ⊆ List → (Node ∪ null)next ⊆ Node → (Node ∪ null)data ⊆ Node → (String ∪ null)

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

{ this, n0, n1, n2, s0, s1, s2, null }

{ <null> } ⊆ null ⊆ { <null> }

{} ⊆ this ⊆ { < this > } {} ⊆ List ⊆ { < this > }{} ⊆ Node ⊆ { <n0>, <n1>, <n2> }{} ⊆ String ⊆ { <s0>, <s1>, <s2> }

{} ⊆ head ⊆ { this } × { n0, n1, n2, null }{} ⊆ next ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ data ⊆ { n0, n1, n2 } × { s0, s1, s2, null }

specifying analysis bounds

9

universe

Page 29: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one thishead ⊆ List → (Node ∪ null)next ⊆ Node → (Node ∪ null)data ⊆ Node → (String ∪ null)

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

{ this, n0, n1, n2, s0, s1, s2, null }

{ <null> } ⊆ null ⊆ { <null> }

{} ⊆ this ⊆ { < this > } {} ⊆ List ⊆ { < this > }{} ⊆ Node ⊆ { <n0>, <n1>, <n2> }{} ⊆ String ⊆ { <s0>, <s1>, <s2> }

{} ⊆ head ⊆ { this } × { n0, n1, n2, null }{} ⊆ next ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ data ⊆ { n0, n1, n2 } × { s0, s1, s2, null }

specifying analysis bounds

9

universe

upper bound

Page 30: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one thishead ⊆ List → (Node ∪ null)next ⊆ Node → (Node ∪ null)data ⊆ Node → (String ∪ null)

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

{ this, n0, n1, n2, s0, s1, s2, null }

{ <null> } ⊆ null ⊆ { <null> }

{} ⊆ this ⊆ { < this > } {} ⊆ List ⊆ { < this > }{} ⊆ Node ⊆ { <n0>, <n1>, <n2> }{} ⊆ String ⊆ { <s0>, <s1>, <s2> }

{} ⊆ head ⊆ { this } × { n0, n1, n2, null }{} ⊆ next ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ data ⊆ { n0, n1, n2 } × { s0, s1, s2, null }

specifying analysis bounds

9

universe

upper bound

lower bound

Page 31: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one thishead ⊆ List → (Node ∪ null)next ⊆ Node → (Node ∪ null)data ⊆ Node → (String ∪ null)

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

{ this, n0, n1, n2, s0, s1, s2, null }

{ <null> } ⊆ null ⊆ { <null> }

{} ⊆ this ⊆ { < this > } {} ⊆ List ⊆ { < this > }{} ⊆ Node ⊆ { <n0>, <n1>, <n2> }{} ⊆ String ⊆ { <s0>, <s1>, <s2> }

{} ⊆ head ⊆ { this } × { n0, n1, n2, null }{} ⊆ next ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ data ⊆ { n0, n1, n2 } × { s0, s1, s2, null }

specifying analysis bounds

9

universe

upper bound

lower bound

null = { <null> }

Page 32: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

code checking demo

10

Page 33: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

a bug! what to do about it?

11

Page 34: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

data repair: fallback to the specification

12

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 35: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

data repair: fallback to the specification

given a (valid) pre-state and a bad post-state at runtime, solve for a post-state that satisfies the specification and continue executing

12

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 36: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

data repair: fallback to the specification

given a (valid) pre-state and a bad post-state at runtime, solve for a post-state that satisfies the specification and continue executing

don’t solve for the pre-state; express it as a partial model

12

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 37: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

data repair: fallback to the specification

given a (valid) pre-state and a bad post-state at runtime, solve for a post-state that satisfies the specification and continue executing

don’t solve for the pre-state; express it as a partial model

for details see ‣ Cobbler [Zaeem et al., 2012]‣ Squander [Milicevic et al., 2011]‣ PBnJ [Samimi et al., 2010]‣ Tarmeem [Zaeem et al., 2010]

12

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 38: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

head0 ⊆ List → (Node ∪ null) ∧next3 ⊆ Node → (Node ∪ null) ∧

Inv(next) ∧ Pre(this, head, next) ∧Inv(next3) ∧ Post(this, head, head0, next, next3)

data repair using partial models

13

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }

this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

{} ⊆ head0 ⊆ { this } × { n0, n1, n2, null }{} ⊆ next3 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }

pre-state

Page 39: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

head0 ⊆ List → (Node ∪ null) ∧next3 ⊆ Node → (Node ∪ null) ∧

Inv(next) ∧ Pre(this, head, next) ∧Inv(next3) ∧ Post(this, head, head0, next, next3)

data repair using partial models

13

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }

this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

{} ⊆ head0 ⊆ { this } × { n0, n1, n2, null }{} ⊆ next3 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }

pre-state

encoding of the repair

Page 40: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

head0 ⊆ List → (Node ∪ null) ∧next3 ⊆ Node → (Node ∪ null) ∧

Inv(next) ∧ Pre(this, head, next) ∧Inv(next3) ∧ Post(this, head, head0, next, next3)

data repair using partial models

13

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }

this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

{} ⊆ head0 ⊆ { this } × { n0, n1, n2, null }{} ⊆ next3 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }

pre-state

encoding of the repair

post-state as variables

Page 41: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

head0 ⊆ List → (Node ∪ null) ∧next3 ⊆ Node → (Node ∪ null) ∧

Inv(next) ∧ Pre(this, head, next) ∧Inv(next3) ∧ Post(this, head, head0, next, next3)

data repair using partial models

13

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }

this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

{} ⊆ head0 ⊆ { this } × { n0, n1, n2, null }{} ⊆ next3 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }

pre-state

encoding of the repair

post-state as variables

pre-state as a partial model; solve for post-state only

Page 42: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

data repair demo

14

Page 43: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

but the bug is still lurking in the code …

15

Page 44: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

fault localization with minimal unsat cores

16

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 45: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

fault localization with minimal unsat cores

given a buggy program, a valid input and the expected output, find a minimal subset of program statements that prevents the execution on the given input from reaching the desired output state

16

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 46: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

fault localization with minimal unsat cores

given a buggy program, a valid input and the expected output, find a minimal subset of program statements that prevents the execution on the given input from reaching the desired output state

introduce additional “indicator” relations into the encoding

16

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 47: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

fault localization with minimal unsat cores

given a buggy program, a valid input and the expected output, find a minimal subset of program statements that prevents the execution on the given input from reaching the desired output state

introduce additional “indicator” relations into the encoding

the resulting formula, together with the input/output partial model, will be unsatisfiable

16

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 48: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

fault localization with minimal unsat cores

given a buggy program, a valid input and the expected output, find a minimal subset of program statements that prevents the execution on the given input from reaching the desired output state

introduce additional “indicator” relations into the encoding

the resulting formula, together with the input/output partial model, will be unsatisfiable

a minimal unsatisfiable core of this formula represents an irreducible cause of the program’s failure to meet the specification‣ there may be (and usually are) more than

one such core

‣ a fully fleshed out approach would take advantage of additional cores and cores from multiple failing input/output pairs

16

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 49: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ ¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

fault localization encoding

17

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

start with the encoding for validation

Page 50: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ ¬ (Inv(next3) ∧ Post(this, head, head0, next, next3))

fault localization encoding

17

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}Inv(next3) ∧ Post(this, head, head0, next, next3)

post-condition must hold

Page 51: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

fault localization encoding: indicator relations

18

introduce free variables for source-level expressions

Page 52: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);boolean guard = (far0 != null);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

fault localization encoding: indicator relations

18

introduce free variables for source-level expressions

Page 53: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

head0 = { <this, n0> }next3 = { <n0, n1>, <n1, n2>, <n2, null> }

{} ⊆ next0 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ next1 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ near0 ⊆ { n0, n1, n2, null }{} ⊆ near1 ⊆ { n0, n1, n2, null }{} ⊆ mid0 ⊆ { n0, n1, n2, null }{} ⊆ mid1 ⊆ { n0, n1, n2, null }{} ⊆ far0 ⊆ { n0, n1, n2, null }{} ⊆ far1 ⊆ { n0, n1, n2, null }

fault localization encoding: partial model

19

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

valid input state

desired output state

Page 54: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

head0 = { <this, n0> }next3 = { <n0, n1>, <n1, n2>, <n2, null> }

{} ⊆ next0 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ next1 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ near0 ⊆ { n0, n1, n2, null }{} ⊆ near1 ⊆ { n0, n1, n2, null }{} ⊆ mid0 ⊆ { n0, n1, n2, null }{} ⊆ mid1 ⊆ { n0, n1, n2, null }{} ⊆ far0 ⊆ { n0, n1, n2, null }{} ⊆ far1 ⊆ { n0, n1, n2, null }

fault localization encoding: partial model

19

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

Page 55: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

head0 = { <this, n0> }next3 = { <n0, n1>, <n1, n2>, <n2, null> }

{} ⊆ next0 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ next1 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ near0 ⊆ { n0, n1, n2, null }{} ⊆ near1 ⊆ { n0, n1, n2, null }{} ⊆ mid0 ⊆ { n0, n1, n2, null }{} ⊆ mid1 ⊆ { n0, n1, n2, null }{} ⊆ far0 ⊆ { n0, n1, n2, null }{} ⊆ far1 ⊆ { n0, n1, n2, null }

fault localization encoding: partial model

19

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

Page 56: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

head0 = { <this, n0> }next3 = { <n0, n1>, <n1, n2>, <n2, null> }

{} ⊆ next0 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ next1 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ near0 ⊆ { n0, n1, n2, null }{} ⊆ near1 ⊆ { n0, n1, n2, null }{} ⊆ mid0 ⊆ { n0, n1, n2, null }{} ⊆ mid1 ⊆ { n0, n1, n2, null }{} ⊆ far0 ⊆ { n0, n1, n2, null }{} ⊆ far1 ⊆ { n0, n1, n2, null }

fault localization encoding: partial model

19

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

Page 57: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

head0 = { <this, n0> }next3 = { <n0, n1>, <n1, n2>, <n2, null> }

{} ⊆ next0 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ next1 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ near0 ⊆ { n0, n1, n2, null }{} ⊆ near1 ⊆ { n0, n1, n2, null }{} ⊆ mid0 ⊆ { n0, n1, n2, null }{} ⊆ mid1 ⊆ { n0, n1, n2, null }{} ⊆ far0 ⊆ { n0, n1, n2, null }{} ⊆ far1 ⊆ { n0, n1, n2, null }

fault localization encoding: partial model

19

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

Page 58: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

fault localization demo

20

Page 59: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

minimal unsatisfiable core

21

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

{ this, n0, n1, n2, s0, s1, s2, null }

null = { <null> }this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

head0 = { <this, n0> }next3 = { <n0, n1>, <n1, n2>, <n2, null> }

{} ⊆ next0 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ next1 ⊆ { n0, n1, n2 } × { n0, n1, n2, null }{} ⊆ near0 ⊆ { n0, n1, n2, null }{} ⊆ near1 ⊆ { n0, n1, n2, null }{} ⊆ mid0 ⊆ { n0, n1, n2, null }{} ⊆ mid1 ⊆ { n0, n1, n2, null }{} ⊆ far0 ⊆ { n0, n1, n2, null }{} ⊆ far1 ⊆ { n0, n1, n2, null }

constraints that are UNSAT (with respect to bounds) but become SAT if any member is removed

Page 60: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

minimal unsatisfiable core

21

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

near0 = this.head ∧mid0 = near0.next ∧far0 = mid0.next ∧

next0 = next ++ (near0 × far0) ∧next1 = next0 ++ (mid0 × near0) ∧near1 = mid0 ∧mid1 = far0 ∧far1 = far0.next1 ∧

let guard = (far0 != null),near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0 |

next3 = next2 ++ (mid2 × near2) ∧head0 = head ++ (this × mid2) ∧ far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 61: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

synthesizing a sketch-like fix

22

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 62: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

synthesizing a sketch-like fix

drill a hole in one of the localized statements‣ e.g., at the earliest opportunity for a fix

22

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, ??);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 63: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

synthesizing a sketch-like fix

drill a hole in one of the localized statements‣ e.g., at the earliest opportunity for a fix

we want to replace the hole with an expression from a (small) grammar so that the program satisfies its spec on all inputs‣ e.g., [ variable | null ]

22

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, ??);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 64: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

synthesizing a sketch-like fix

drill a hole in one of the localized statements‣ e.g., at the earliest opportunity for a fix

we want to replace the hole with an expression from a (small) grammar so that the program satisfies its spec on all inputs‣ e.g., [ variable | null ]

encode the synthesis problem (for one input) using relations that represent syntax, together with a “meaning” expression connecting syntax to semantics

22

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, ??);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 65: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

synthesizing a sketch-like fix

drill a hole in one of the localized statements‣ e.g., at the earliest opportunity for a fix

we want to replace the hole with an expression from a (small) grammar so that the program satisfies its spec on all inputs‣ e.g., [ variable | null ]

encode the synthesis problem (for one input) using relations that represent syntax, together with a “meaning” expression connecting syntax to semantics

wrap into a CEGIS loop (not done here)

22

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, far0);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, ??);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

Page 66: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

synthesis encoding

23

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, ??);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

start with the first step of the repair encoding

Page 67: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

this ⊆ List ∧ one this ∧head ⊆ List → (Node ∪ null) ∧next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

next0 = next ++ (near0 × far0),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

synthesis encoding

23

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near0 = this.head;Node mid0 = near0.next;Node far0 = mid0.next;

next0 = update(next, near0, ??);next1 = update(next0, mid0, near0);near1 = mid0;mid1 = far0;far1 = far0.next1;

boolean guard = (far0 != null);near2 = phi(guard, near1, near0);mid2 = phi(guard, mid1, mid0);far2 = phi(guard, far1, far0);next2 = phi(guard, next1, next0); assume far2 == null;

next3 = update(next2, mid2, near2);head0 = update(head, this, mid2);

}

this ⊆ List ∧ one this ∧ one hole ∧head ⊆ List → (Node ∪ null) ∧ next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

meaning = (null × null) ∪ (“head” × this.head) ∪ (“near0” × near0) ∪ (“mid0” × mid0) ∪ (“far0” × far0)

next0 = next ++ (near0 × hole.meaning),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

encode the hole using syntax relations

Page 68: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

synthesis encoding: partial model

24

this ⊆ List ∧ one this ∧ one hole ∧head ⊆ List → (Node ∪ null) ∧ next ⊆ Node → (Node ∪ null) ∧data ⊆ Node → (String ∪ null) ∧

let near0 = this.head,mid0 = near0.next,far0 = mid0.next,

meaning = (null × null) ∪ (“head” × this.head) ∪ (“near0” × near0) ∪ (“mid0” × mid0) ∪ (“far0” × far0)

next0 = next ++ (near0 × hole.meaning),guard = (far0 != null),next1 = next0 ++ (mid0 × near0),near1 = mid0,mid1 = far0,far1 = far0.next1,

near2 = if guard then near1 else near0,mid2 = if guard then mid1 else mid0,far2 = if guard then far1 else far0,next2 = if guard then next1 else next0,next3 = next2 ++ (mid2 × near2)head0 = head ++ (this × mid2) |

far2 = null ∧ Inv(next) ∧ Pre(this, head, next) ∧ Inv(next3) ∧ Post(this, head, head0, next, next3)

{ this, n0, n1, n2, s0, s1, s2, null, “head”, “near0”, “mid0”, “far0” }

null = { <null> }this = { <this> } List = { <this> }Node = { <n0>, <n1>, <n2> }String = { <s1>, <s2> }

head = { <this, n2> }next = { <n2, n1>, <n1, n0>, <n0, null> }data = { <n2, s1>, <n1, s2>, <n0, null> }

“head” = { <“head”> }“near0” = { <“near0”> }“mid0” = { <“mid0”> }“far0” = { <“far0”> }

{} ⊆ hole ⊆ { <null>, <“head”>, <“near0”>, <“mid0”>, <“far0”> }

Page 69: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

synthesis demo

25

Page 70: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

patched list reversal

26

@invariant Inv(next)@requires Pre(this, head, next)@ensures Post(this, old(head), head, old(next), next)

void reverse() {Node near = head;Node mid = near.next;Node far = mid.next;

near.next = null;while (far != null) {

mid.next = near;near = mid;mid = far;far = far.next;

}

mid.next = near;head = mid;! !

}

Page 71: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

alloy.mit.edu/kodkod

27

questions?

Page 72: KODKOD by exampleemina/talks/kodkod.dagstuhl12.pdf · KODKOD by example code checking, data repair, debugging and synthesis in 20 minutes emina torlak Dagstuhl · April 11, 2012

alloy.mit.edu/kodkod

27

questions?


In Virtual Realities Dagstuhl Seminar

In Virtual Realities Dagstuhl Seminar

Documents
CSE 311 Lecture 01: Propositional Logic · CSE 311 Lecture 01: Propositional Logic Emina Torlak and Kevin Zatloukal 1. Topics About CSE 311 What you will learn and why! Course logistics

CSE 311 Lecture 01: Propositional Logic · CSE 311 Lecture 01: Propositional Logic Emina Torlak and Kevin Zatloukal 1. Topics About CSE 311 What you will learn and why! Course logistics

Documents
CSE 311 Lecture 26: Limitations of DFAs, NFAs, and Regular ...CSE 311 Lecture 26: Limitations of DFAs, NFAs, and Regular Expressions Emina Torlak and Kevin Zatloukal 1

CSE 311 Lecture 26: Limitations of DFAs, NFAs, and Regular ...CSE 311 Lecture 26: Limitations of DFAs, NFAs, and Regular Expressions Emina Torlak and Kevin Zatloukal 1

Documents
Effective Interprocedural Resource Leak Detection ICSE 10 Emina Torlak Satish Chandra IBM T.J. Watson Research Center, USA

Effective Interprocedural Resource Leak Detection ICSE 10 Emina Torlak Satish Chandra IBM T.J. Watson Research Center, USA

Documents
Dagstuhl-Seminar-Report 180

Dagstuhl-Seminar-Report 180

Documents
Scalable Test Data Generation from Multidimensional Models€¦ · Scalable Test Data Generation from Multidimensional Models Emina Torlak Electrical Engineering and Computer Sciences

Scalable Test Data Generation from Multidimensional Models€¦ · Scalable Test Data Generation from Multidimensional Models Emina Torlak Electrical Engineering and Computer Sciences

Documents
Multiple-valued Logic - Schloss Dagstuhl : Über Dagstuhl · Multiple-valued Logic Peter H. Schmitt Daniele Mundici (editors) Lotfi Zadeh Dagstuhl-Seminar-Report (Seminar 9744) 27.10.–31.10.1997

Multiple-valued Logic - Schloss Dagstuhl : Über Dagstuhl · Multiple-valued Logic Peter H. Schmitt Daniele Mundici (editors) Lotfi Zadeh Dagstuhl-Seminar-Report (Seminar 9744) 27.10.–31.10.1997

Documents
Path Loss - Laboratório de Comunicações e Sinaisablima/grad/tfm/slides/Torlak/...EE4367 Telecom. Switching & Transmission Prof. Murat Torlak Linear Path Loss Suppose s(t) of power

Path Loss - Laboratório de Comunicações e Sinaisablima/grad/tfm/slides/Torlak/...EE4367 Telecom. Switching & Transmission Prof. Murat Torlak Linear Path Loss Suppose s(t) of power

Documents
Hyperkernel: Push-Button Verification of an OS Kernel · Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang University of

Hyperkernel: Push-Button Verification of an OS Kernel · Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang University of

Documents
Generic Programming - Schloss Dagstuhl : œber Dagstuhl

Generic Programming - Schloss Dagstuhl : œber Dagstuhl

Documents
Emina Ribera del Duero

Emina Ribera del Duero

Documents
Abstractions and small languages in synthesis CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Abstractions and small languages in synthesis CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Documents
Cognitive Perspective Dagstuhl - MyWebPages

Cognitive Perspective Dagstuhl - MyWebPages

Documents
Report from Dagstuhl Seminar 13141

Report from Dagstuhl Seminar 13141

Documents
A Lightweight Symbolic Virtual Machine for Solver-Aided ...emina/pubs/rosette.pldi14.pdfA Lightweight Symbolic Virtual Machine for Solver-Aided Host Languages Emina Torlak Rastislav

A Lightweight Symbolic Virtual Machine for Solver-Aided ...emina/pubs/rosette.pldi14.pdfA Lightweight Symbolic Virtual Machine for Solver-Aided Host Languages Emina Torlak Rastislav

Documents
Aesthetic Computing - Dagstuhl · Aesthetic Computing Dagstuhl Seminar Nº 02291, ... Dagstuhl Seminar Report Nº 348 ... manufacturing system is playing at a modelling desk,

Aesthetic Computing - Dagstuhl · Aesthetic Computing Dagstuhl Seminar Nº 02291, ... Dagstuhl Seminar Report Nº 348 ... manufacturing system is playing at a modelling desk,

Documents
Synthesizing Programs with Constraint Solvers CAV 2012 invited tutorial Ras Bodik Emina Torlak Division of Computer Science University of California, Berkeley

Synthesizing Programs with Constraint Solvers CAV 2012 invited tutorial Ras Bodik Emina Torlak Division of Computer Science University of California, Berkeley

Documents
History of Software Engineering - Schloss Dagstuhl : œber Dagstuhl

History of Software Engineering - Schloss Dagstuhl : œber Dagstuhl

Documents
tiny stories BIG IMPACT: Emina Demiri at NetSquared London

tiny stories BIG IMPACT: Emina Demiri at NetSquared London

Education
From Kalman to Hodrick-Prescott filter - ubalt.edu Kalman to Hodrick-Prescott filter Theory and Application Emina Cardamone Economics 616 April 26, 2006 Emina Cardamone Economics

From Kalman to Hodrick-Prescott filter - ubalt.edu Kalman to Hodrick-Prescott filter Theory and Application Emina Cardamone Economics 616 April 26, 2006 Emina Cardamone Economics

Documents
CSE 311 Lecture 04: Boolean Algebra - University of Washington › courses › cse311 › 18au › doc › le… · CSE 311 Lecture 04: Boolean Algebra Emina Torlak and Kevin Zatloukal

CSE 311 Lecture 04: Boolean Algebra - University of Washington › courses › cse311 › 18au › doc › le… · CSE 311 Lecture 04: Boolean Algebra Emina Torlak and Kevin Zatloukal

Documents
Report from Dagstuhl Seminar 13452 Proxemics in Human …grouplab.cpsc.ucalgary.ca/.../2014-Dagstuhl-13452.pdf · 2014. 3. 9. · Report from Dagstuhl Seminar 13452 Proxemics in Human-Computer

Report from Dagstuhl Seminar 13452 Proxemics in Human …grouplab.cpsc.ucalgary.ca/.../2014-Dagstuhl-13452.pdf · 2014. 3. 9. · Report from Dagstuhl Seminar 13452 Proxemics in Human-Computer

Documents
Dagstuhl-Seminar-Report; 91 27.06.-01.07.94 (9426) · Dagstuhl-Seminar-Report; 91 27.06.-01.07.94 (9426) 1. Report of the First Dagstuhl Seminar on ... The seminar was intended to

Dagstuhl-Seminar-Report; 91 27.06.-01.07.94 (9426) · Dagstuhl-Seminar-Report; 91 27.06.-01.07.94 (9426) 1. Report of the First Dagstuhl Seminar on ... The seminar was intended to

Documents
Report from Dagstuhl Seminar 11172 ArtificialImmuneSystemsdrops.dagstuhl.de/volltexte/2011/3200/pdf/dagrep_v001_i004_p100_s... · Report from Dagstuhl Seminar 11172 ArtificialImmuneSystems

Report from Dagstuhl Seminar 11172 ArtificialImmuneSystemsdrops.dagstuhl.de/volltexte/2011/3200/pdf/dagrep_v001_i004_p100_s... · Report from Dagstuhl Seminar 11172 ArtificialImmuneSystems

Documents
HCIinMedicalVisualization - Dagstuhl

HCIinMedicalVisualization - Dagstuhl

Documents
Politički marketing Emina Hatunić

Politički marketing Emina Hatunić

Documents
Bodega Emina Rueda

Bodega Emina Rueda

Documents
Scalable Verification of Border Gateway Protocol ... · Scalable Verification of Border Gateway Protocol Configurations with an SMT Solver Konstantin Weitz Doug Woos Emina Torlak

Scalable Verification of Border Gateway Protocol ... · Scalable Verification of Border Gateway Protocol Configurations with an SMT Solver Konstantin Weitz Doug Woos Emina Torlak

Documents
Summary-Based Symbolic Evaluation for Smart Contractsemina/doc/solar.ase20.pdf · 2020. 9. 1. · ASE ’20, September 21–25, 2020, Virtual Event, Australia Yu Feng, Emina Torlak,

Summary-Based Symbolic Evaluation for Smart Contractsemina/doc/solar.ase20.pdf · 2020. 9. 1. · ASE ’20, September 21–25, 2020, Virtual Event, Australia Yu Feng, Emina Torlak,

Documents
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Documents