1. Introduction to Satisfiability Modulo Theories (SMT) Clark Barrett, NYU Sanjit A. Seshia, UC Berkeley ICCAD Tutorial November 2, 2009

2. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) Ç Æ : Ç Æ Ç......  p2p2 p1p1 pnpn Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates to 1?

3. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 3 Satisfiability Modulo Theories Ç Æ : Ç Æ Ç......  p2p2 p1p1 pnpn Is there an assignment to the x,y,z,w variables s.t.  evaluates to 1? x + 2 z ¸ 1 x % 26 = v w & 0xFFFF = x x = y

4. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 4 Satisfiability Modulo Theories Given a formula in first-order logic, with associated background theories, is the formula satisfiable? –Yes: return a satisfying solution –No [generate a proof of unsatisfiability]

5. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 5 Applications of SMT Hardware verification at higher levels of abstraction (RTL and above) Verification of analog/mixed-signal circuits Verification of hybrid systems Software model checking Software testing Security: Finding vulnerabilities, verifying electronic voting machines, … Program synthesis …

6. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 6 References Satisfiability Modulo Theories Clark Barrett, Roberto Sebastiani, Sanjit A. Seshia, and Cesare Tinelli. Chapter 8 in the Handbook of Satisfiability, Armin Biere, Hans van Maaren, and Toby Walsh, editors, IOS Press, 2009. (available from our webpages) SMTLIB: A repository for SMT formulas (common format) and tools SMTCOMP: An annual competition of SMT solvers

7. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 7 Roadmap for this Tutorial Background and Notation Survey of Theories Theory Solvers Approaches to SMT Solving –Lazy Encoding to SAT –Eager Encoding to SAT Conclusion

8. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 8 Roadmap for this Tutorial  Background and Notation Survey of Theories Theory Solvers Approaches to SMT Solving –Lazy Encoding to SAT –Eager Encoding to SAT Conclusion

9. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 9 First-Order Logic A formal notation for mathematics, with expressions involving –Propositional symbols –Predicates –Functions and constant symbols –Quantifiers In contrast, propositional (Boolean) logic only involves propositional symbols and operators

10. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 10 First-Order Logic: Syntax As with propositional logic, expressions in first-order logic are made up of sequences of symbols. Symbols are divided into logical symbols and non-logical symbols or parameters. Example: (x = y) Æ (y = z) Æ (f(z) ¸ f(x)+1)

11. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 11 First-Order Logic: Syntax Logical Symbols –Propositional connectives: Ç, Æ, :, !, $ –Variables: v1, v2,... –Quantifiers: 8, 9 Non-logical symbols/Parameters –Equality: = –Functions: +, -, %, bit-wise &, f(), concat, … –Predicates: ·, is_substring, … –Constant symbols: 0, 1.0, null, …

12. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 12 Quantifier-free Subset We will largely restrict ourselves to formulas without quantifiers ( 8, 9 ) This is called the quantifier-free subset/fragment of first-order logic with the relevant theory

13. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 13 Logical Theory Defines a set of parameters (non-logical symbols) and their meanings This definition is called a signature. Example of a signature: Theory of linear arithmetic over integers Signature is (0,1,+,-, · ) interpreted over Z

14. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 14 Roadmap for this Tutorial  Background and Notation  Survey of Theories Theory Solvers Two Approaches to SMT Solving –Lazy Encoding to SAT –Eager Encoding to SAT Conclusion

15. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 15 Some Useful Theories Equality (with uninterpreted functions) Linear arithmetic (over Q or Z ) Difference logic (over Q or Z ) Finite-precision bit-vectors –integer or floating-point Arrays / memories Misc.: Non-linear arithmetic, strings, inductive datatypes (e.g. lists), sets, …

16. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 16 Theory of Equality and Uninterpreted Functions (EUF) Also called the “free theory” –Because function symbols can take any meaning –Only property required is congruence: that these symbols map identical arguments to identical values i.e., x = y ) f(x) = f(y) SMTLIB name: QF_UF

17. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 17 x0x0 x1x1 x2x2 x n-1 Data and Function Abstraction with EUF ALUALU x  f  Bit-vectors to Abstract Domain (e.g. Z ) Functional units to Uninterpreted Functions a = x Æ b = y ) f(a,b) = f(x,y) Common Operations 1010 x y p ITE(p, x, y) If-then-else x y x = y = Test for equality …

18. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 18 Hardware Abstraction with EUF For any Block that Transforms or Evaluates Data: –Replace with generic, unspecified function –Also view instruction memory as function Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control F2F2 F1F1 F3F3

19. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 19 Example QF_UF (EUF) Formula (x = y) Æ (y = z) Æ (f(x)  f(z)) Transitivity: (x = y) Æ (y = z) ) (x = z) Congruence: (x = z) ) (f(x) = f(z))

20. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 20 Equivalence Checking of Program Fragments int fun1(int y) { int x, z; z = y; y = x; x = z; return x*x; } int fun2(int y) { return y*y; } What if we use SAT to check equivalence? SMT formula  Satisfiable iff programs non-equivalent ( z = y Æ y1 = x Æ x1 = z Æ ret1 = x1*x1) Æ ( ret2 = y*y ) Æ ( ret1  ret2 )

21. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 21 Equivalence Checking of Program Fragments int fun1(int y) { int x, z; z = y; y = x; x = z; return x*x; } int fun2(int y) { return y*y; } SMT formula  Satisfiable iff programs non-equivalent ( z = y Æ y1 = x Æ x1 = z Æ ret1 = x1*x1) Æ ( ret2 = y*y ) Æ ( ret1  ret2 ) Using SAT to check equivalence (w/ Minisat) 32 bits for y: Did not finish in over 5 hours 16 bits for y: 37 sec. 8 bits for y: 0.5 sec.

22. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 22 Equivalence Checking of Program Fragments int fun1(int y) { int x, z; z = y; y = x; x = z; return x*x; } int fun2(int y) { return y*y; } SMT formula  ’ ( z = y Æ y1 = x Æ x1 = z Æ ret1 = sq(x1) ) Æ ( ret2 = sq(y) ) Æ ( ret1  ret2 ) Using EUF solver: 0.01 sec

23. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 23 Equivalence Checking of Program Fragments int fun1(int y) { int x; x = x ^ y; y = x ^ y; x = x ^ y; return x*x; } int fun2(int y) { return y*y; } Does EUF still work? No! Must reason about bit-wise XOR. Need a solver for bit-vector arithmetic. Solvable in less than a sec. with a current bit-vector solver.

24. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 24 Finite-Precision Bit-Vector Arithmetic (QF_BV) –Fixed width data words Can model int, short, long, etc. –Arithmetic operations E.g., add/subtract/multiply/divide & comparisons Two’s complement and unsigned operations –Bit-wise logical operations E.g., and/or/xor, shift/extract and equality –Boolean connectives

25. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 25 Linear Arithmetic (QF_LRA, QF_LIA) Boolean combination of linear constraints of the form (a 1 x 1 + a 2 x 2 + … + a n x n » b) x i ’s could be in Q or Z, » 2 { ¸,>, ·,<,=} Many applications, including: –Verification of analog circuits –Software verification, e.g., of array bounds

26. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 26 Difference Logic (QF_IDL, QF_RDL) Boolean combination of linear constraints of the form x i - x j » c ij or x i » c i » 2 { ¸,>, ·,<,=}, x i ’s in Q or Z Applications: –Software verification (most linear constraints are of this form) –Processor datapath verification –Job shop scheduling / real-time systems –Timing verification for circuits

27. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 27 Arrays/Memories SMT solvers can also be very effective in modeling data structures in software and hardware –Arrays in programs –Memories in hardware designs: e.g. instruction and data memories, CAMs, etc.

28. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 28 Theory of Arrays (QF_AX) Select and Store Two interpreted functions: select and store –select(A,i) Read from A at index i –store(A,i,d) Write d to A at index i Two main axioms: –select(store(A,i,d), i) = d –select(store(A,i,d), j) = select(A,j) for i  j One other axiom: –( 8 i. select(A,i) = select(B,i)) ) A = B

29. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 29 Equivalence Checking of Program Fragments int fun1(int y) { int x[2]; x[0] = y; y = x[1]; x[1] = x[0]; return x[1]*x[1]; } int fun2(int y) { return y*y; } SMT formula  ’’ [ x1 = store(x,0,y) Æ y1 = select(x1,1) Æ x2 = store(x1,1,select(x1,0)) Æ ret1 = sq(select(x2,1)) ] Æ ( ret2 = sq(y) ) Æ ( ret1  ret2 )

30. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 30 Roadmap for this Tutorial  Background and Notation  Survey of Theories  Theory Solvers Two Approaches to SMT Solving –Lazy Encoding to SAT –Eager Encoding to SAT Conclusion

31. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 31 Over to Clark…

32. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 32 Roadmap for this Tutorial  Background and Notation  Survey of Theories  Theory Solvers Approaches to SMT Solving –Lazy Encoding to SAT  Eager Encoding to SAT Conclusion

33. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 33 Eager Approach to SMT Key Ideas: Small-domain encoding –Constrain model search Rewrite rules Abstraction-based methods (eager + lazy) Example Solvers: UCLID, STP, Spear, Boolector, Beaver, … Input Formula Boolean Formula satisfiable unsatisfiable Satisfiability-preserving Boolean Encoder SAT Solver EAGER ENCODING SAT Solver involved in Theory Reasoning

34. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 34 Theories Eager Encoding Methods have been demonstrated for the following Theories: –Equality & Uninterpreted Functions –Integer Linear Arithmetic –Restricted Lambda expressions Arrays, memories, etc. –Finite-precision Bit-Vector Arithmetic –Strings

35. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 35 UCLID Operation Operation Operation –Series of transformations leading to Boolean formula –Each step is validity (satisfiability) preserving –Each step performs optimizations Lambda Expansion for Arrays Encoding Arithmetic Boolean Satisfiability Input Formula -free Formula Linear/ Bitvector ArithmeticFormula Boolean Formula Function & Predicate Elimination http://uclid.eecs.berkeley.edu

36. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 36 Rewrites: Eliminating Function Applications –Two applications of an uninterpreted function f in a formula –f( x 1 ) and f( x 2 )Ackermann’sEncoding f( x 1 ) vf 1 f( x 2 ) vf 2 x 1 = x 2 vf 1 = vf 2 x 1 = x 2  vf 1 = vf 2 Bryant, German, Velev’s Encoding f( x 1 ) vf 1 f( x 2 ) ITE( x 1 = x 2, vf 1, vf 2 )

37. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 37 Small-Domain Encoding Consider an SMT formula  (x 1, x 2, …, x n ) where x i 2 D i Small-domain encoding/Finite instantiation: Derive finite set S i ½ D i s.t. | S i | ¿ | D i | –In some cases, S i is finite where D i is infinite Encode each x i to take values only in S i –Could be done by encoding to SAT Example: Integer Linear Arithmetic (QF_LIA)

38. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 38 Solving QF_LIA is NP-complete In NP: –If a satisfying solution exists, then one exists within a bound d log d is polynomial in input size –Expression for d [Papadimitriou, ‘82] (n+m) ¢ (b max  +1) ¢ ( m ¢ a max ) 2m+3 –Input size: m – # constraints n – # variables b max  – largest constant (absolute value) a max  – largest coefficient (absolute value)

39. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 39 Small-domain encoding / Finite Instantiation: Naïve approach Steps –Calculate the solution bound d –Encode each integer variable with d log d e bits & translate to Boolean formula –Run SAT solver Problem: For QF_LIA, d is  ( m m ) –  ( m log m ) bits per variable Solution: Exploit special-cases and domain- specific structure

40. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 40 Special Case 1: Equality Logic Linear constraints are equalities x i = x j Result: d = n x 1  x 2 Æ x 2  x 3 Æ x 1  x 3 3-valued domain is needed: {1, 2, 3} x 1  x 2 Æ x 2  x 3 Æ x 1  x 3 Can find solution with domain {1, 2} [Pnueli et al., Information and Computation, 2002]

41. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 41 Special Case 2: Difference Logic Boolean combination of difference-bound constraints – x i ¸ x j + b, § x i ¸ b Result: d = n ¢ (b max + 1) [Bryant, Lahiri, Seshia, CAV’02] Proof sketch: satisfying solution corresponds to shortest path in constraint graph –Longest such path has length · n ¢ (b max + 1) Tighter formula-specific bounds possible

42. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 42 Special Case 3: Generalized 2SAT Generalized 2SAT constraints – x i + x j ¸ b, - x i - x j ¸ b, x i - x j ¸ b, x i ¸ b d = 2 ¢ n ¢ (b max + 1) [Seshia, Subramani, Bryant,’04]

43. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 43 Full Integer Linear Arithmetic Can we avoid the m m blow-up? In fact, yes. The idea is to derive a new parameterized solution bound d –Formalize parameters that the bound really depends on –Parameters characterize sparse structure Occurs especially in software verification; also in many high-level hardware models –[Seshia & Bryant, LICS’04, LMCS’05]

44. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 44 Structure of Linear Constraints in Software Verification Characteristics of studied benchmarks –Mostly difference constraints Only 3% of constraints were NOT difference constraints –Non-difference constraints are sparse At most 6 variables per constraint (total number of variables in 1000s) Some similar observations: Pratt’77, ESC/Java- Simplify-TR’03

45. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 45 Parameterized Solution Bound m#constraints n#variables b max max |constant| a max max |coefficient| New parameters: New parameters: – k non-difference constraints, – w variables per constraint (width) Our solution bound: Our solution bound: n ¢ (b max  +1) ¢ ( w ¢ a max ) k n ¢ (b max  +1) ¢ ( w ¢ a max ) kPrevious: (n+m) ¢ (b max  +1) ¢ ( m ¢ a max ) 2m+3 (n+m) ¢ (b max  +1) ¢ ( m ¢ a max ) 2m+3 Direct dependence on m eliminated Direct dependence on m eliminated (and k ¿ m ) (and k ¿ m )

46. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 46 Example x 1 - x 2 ¸ 1 Ç Æ : Ç x 1 + 2 x 2 + x 3 > - 3 x 2 – x 4 ¸ 0 m #constraints 3 k #non-difference 1 n #variables 4 w width 3 b max max |constant| 3 a max max |coefficient| 2 d = 96 Previous d = 282,175,488 = 282,175,488

47. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 47 Summary of d Values LogicSolution Bound d Equality logic n Difference logic n ¢ ( b max + 1 ) Generalized 2SAT logic 2 ¢ n ¢ ( b max + 1 ) Full Integer Linear Arithmetic n ¢ (b max + 1) ¢ ( a max k ¢ w k )

48. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 48 Abstraction-Based Methods For some logics, one cannot easily compute a closed-form expression for the small domain Example: Bit-Vector Arithmetic In such cases, an abstraction-refinement approach can be used to compute formula-specific small domains

49. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 49 Bit-Vector Arithmetic: Some History B.C. (Before Chaff) –String operations (concatenate, field extraction) –Linear arithmetic with bounds checking –Modular arithmetic SAT-Based “Bit Blasting” –Generate Boolean circuit based on bit-level behavior of operations Handles arbitrary operations –Check with best available SAT solver –Effective in many applications CBMC [Clarke, Kroening, Lerda, TACAS ’04] Microsoft Cogent + SLAM [Cook, Kroening, Sharygina, CAV ’05]

50. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 50 Research Challenge Is there a better way than bit blasting? Requirements –Provide same functionality as with bit blasting Must support all bit-vector operators –Exploit word-level structure –Improve on performance of bit blasting Current Approaches based on two core ideas: 1.Simplification: Simplify input formula using word-level rewrite rules and solvers 2.Abstraction: Can use automatic abstraction-refinement to solve simplified formula

51. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 51 Bit-Vector SMT Solvers, circa Spr.’2009 Current Techniques with Sample Tools –Proof-based abstraction-refinement – UCLID [Bryant et al., TACAS ’07] –Solver for linear modular arithmetic to simplify the formula – STP [Ganesh & Dill, CAV’07] –Automatic parameter tuning for SAT– Spear [Hutter et al., FMCAD ’07] –Rewrites, underapproximation, efficient SAT engine – Boolector [Brummayer & Biere, TACAS’09] –Equality/constant propagation, logic optimization, special rules for non-linear ops - Beaver [Jha et al., CAV’09] –DPLL(T) framework: Layered approach, rewriting – CVC3 [Barrett et al.], MathSAT [Bruttomesso et al], Yices [Dutertre et al.], Z3 [de Moura et al]

52. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 52 Abstraction-Refinement Deciding Bit-Vector Arithmetic with Abstraction [Bryant et al., TACAS ’07, STTT ’09] –Use bit blasting as core technique –Apply to simplified versions of formula: under and over approximations –Generate successive approximations until a solution is found or formula shown unsatisfiable –Inspired by McMillan & Amla’s proof-based abstraction for finite-state model checking Small Motivating Example: (x + y  y + x) Æ (x * y  y * x) –Sufficient to prove the left-hand conjunct unsat

53. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 53 Approximations to Formula Example Approximation Techniques –Underapproximating Restrict word-level variables to smaller ranges of values –Overapproximating Replace subformula with Boolean variable  Original Formula   +  + Overapproximation ++ More solutions: If unsatisfiable, then so is  Underapproximation  −   −− Fewer solutions: Satisfying solution also satisfies 

54. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 54 Starting Iterations Initial Underapproximation –(Greatly) restrict ranges of word-level variables –Intuition: Satisfiable formula often has small-domain solution  1−1−

55. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 55 First Half of Iteration SAT Result for  1 − –Satisfiable Then have found solution for  –Unsatisfiable Use UNSAT proof to generate overapproximation  1 +  1−1− If SAT, then done 1+1+ UNSAT proof: generate overapproximation

56. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 56 Second Half of Iteration SAT Result for  1 + –Unsatisfiable: then have shown  unsatisfiable –Satisfiable: solution indicates variable ranges that must be expanded Generate refined underapproximation  1−1− If UNSAT, then done 1+1+ SAT: Use solution to generate refined underapproximation 2−2−

57. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 57 Example  := ( x = y+2 ) Æ ( x 2 > y 2 )  1 − := ( x [1] = y [1] +2) Æ ( x [1] 2 > y [1] 2 )  2 − := ( x [2] = y [2] +2) Æ ( x [2] 2 > y [2] 2 )  1 + := ( x = y +2) SAT, done. UNSAT Look at proof SAT x = 2, y = 0

58. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 58 Iterative Behavior Underapproximations –Successively more precise abstractions of  –Allow wider variable ranges Overapproximations –No predictable relation –UNSAT proof not unique  1−1− 1+1+ 2−2−      k−k− 2+2+ k+k+     

59. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 59 Overall Effect Soundness –Only terminate with solution on underapproximation –Only terminate as UNSAT on overapproximation Completeness –Successive underapproximations approach  –Finite variable ranges guarantee termination In worst case, get  k −   SAT UNSAT  1−1− 1+1+ 2−2−      k−k− 2+2+ k+k+     

60. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 60 Roadmap for this Tutorial  Background and Notation  Survey of Theories  Theory Solvers  Approaches to SMT Solving –Lazy Encoding to SAT –Eager Encoding to SAT  Conclusion

61. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 61 Summary of Ideas: Modeling Philosophy: Model systems in first-order logic + suitable theories Widely-used theories: –Equality and uninterpreted functions –Linear arithmetic –Bit-vector arithmetic –Arrays

62. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 62C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 62 Summary of Ideas: Lazy Methods Philosophy: Extend DPLL framework from SAT to SMT Literals assigned by SAT are sent to Theory Solver Theory Solver determines if literals are satisfiable in the theory Key optimizations: small explanations, early conflict detection, theory propagation

63. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 63 Summary of Ideas: Eager Methods Philosophy: Constrain solution space with logic-specific methods Small-domain encoding –Compute bounds that work for any formula in the logic Abstraction-refinement of domains –Compute formula-specific small domains Rewrite rules: high level and bit level –Simplify formula before and after bit-blasting

64. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 64 Challenges and Opportunities Solvers for new theories –Strings –Non-linear arithmetic –Can we exploit domain-specific structure? Parallel SMT Better support for quantifiers Better proof/interpolant generation

65. C. Barrett & S. A. Seshia ICCAD 2009 Tutorial 65 Join the SMT Community We need your new, exciting applications! Contribute to SMT-LIB Create new solvers, compete in SMTCOMP Slides and book chapter available on our websites: Clark: http://cs.nyu.edu/~barrett Sanjit: http://www.eecs.berkeley.edu/~sseshiahttp://www.eecs.berkeley.edu/~sseshia