Verification and Data Structures int kmp_search(char str[], char pat[]){ p = 0; s = 0; while (p<pat.length && s<str.length){ if (str[s] == pat[p]){s++; p++;} else if (p == 0){s++;} else{p = table[p-1] + 1;} } if (p >= plen) {return (s-plen)}; return (-1); } Need Universally Quantified Invariants 8 i: 0≤ i<table.length ) -1 ≤ table[i] Every element of table exceeds -1 Prove Access Within Array Bounds

Logic Types Precise data invariants Generalization, instantiation hard Coarse data structure invariants Generalization, instantiation easy Good SMT solvers available

Refinement Types Factor Invariant Into Logic x Type 8 i: 0 ≤ i < table.length ) -1 ≤ table[i] Logic Type table :: {v:int|-1 ≤ v} array (Refinement)

How To Retain Precision And Inference

table :: {v:int|-1 ≤ v} array Atoms Liquid Types Set of quantifier-free predicates -1 ≤ v0 < v0 < v v < 20 Refinements are conjunctions of atoms index :: {v:int|-1 ≤ v ∧ v < 20}

OCaml + Asserts Liquid Types Error Dsolve Atoms

Dsolve 1.Liquid Type Inference 2.Results 3.Demo

Liquid Type Inference program ML Type Inference int ! int int ! {v:int| X } x>0 ⊢ {v:int | v=x} <:{v:int |X } int ! {v:int|0 ≤ v} x>0 ∧ v=x ) X Liquid Type Templates Subtyping Implication Constraints Liquid Types

let rec ffor l u f = if l < u then ( f l; ffor (l+1) u f ) Type of f int ! unit Template of f {v:int| X } ! unit Liquid Type of f {v:int|l≤v ∧ v<u} ! unit l Flows Into Input of f {v:int | v=l} <: {v:int |X } l<u ⊢ l<u ∧ v=l ) X Solution X = l≤v ∧ v<u Reduces to

mapreduce (nearest dist ctra) (centroid plus) xs |> List.iter (fun (i,(x,sz)) -> ctra.(i)<- div x sz) Type of mapreduce (’a ! ’b * ’c list) !... ! ’b * ’c list Template of mapreduce (’a ! { X 1 } * ’a * { X 2 } list) !... ! { X 1 } * ’a * { X 2 } list Type Instantiation ’a with ’a ’b with int ’c with ’a * int Template Instantiation ’a with ’a ’b with {v:int| X 1 } ’c with ’a * {v:int| X 2 } Liquid Type of (nearest dist ctra) ’a ! {0≤ v<len ctra} * ’a * {0<v} list <: ’a ! { X 1 } * ’a * { X 2 } list Solution X 1 = 0≤v<len ctra X 2 = 0<v Reduces To 0 ≤ v <len ctra ) X 1 0<v ) X 2 Liquid Type of mapreduce Output {0≤ v<len ctra} * ’a * {0 < v} list

Dsolve 1.Liquid Type Inference 2.Results 3.Demo

Finite Maps 5: ‘cat’ 3: ‘cow’ 8: ‘tic’ 1: ‘doc’ 4: ‘hog’ 7: ‘ant’ 9: ‘emu’ From OCaml Standard Library Implemented as AVL Trees Rotate/Rebalance on Insert/Delete Verified Invariants Binary Search Ordered Height Balanced Keys Implement Set

Binary Decision Diagrams X1X1 X2X2 X2X2 X3X3 X4X4 X4X4 1 X 1  X 2  X 3  X 4 Verified Invariant Variables Ordered Along Each Path

ProgramVerified Invariants List-Based SortingSorted, Outputs Permutation of Input Finite Map (AVL)Balance, BST, Implements a Set Red-Black TreesBalance, BST, Color StablesortSorted Extensible VectorsBalance, Bounds Checking, … Binary HeapsHeap, Returns Min, Implements Set Splay HeapsBST, Returns Min, Implements Set MallocUsed and Free Lists Are Accurate BDDsVariable Order Union FindAcyclicity Bitvector UnificationAcyclicity

Dsolve 1.Liquid Type Inference 2.Results 3.Demo