Higher-Order Verification With Liquid Types
Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)
Posted 22-Dec-2015
Transcript of the slides
![Page 1: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/1.jpg)
Higher-Order Verification With Liquid Types
Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)
![Page 2: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/2.jpg)
Part I: First-Order Verification
Part II: Higher-Order Verification
![Page 3: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/3.jpg)
```c
#include <stdlib.h>
char* rev_copy(char* a, int n) {
  int i = 0, j = n - 1; char* b = malloc(n);
  while (0 <= j) { b[i] = a[j]; i++; j--; }   /* copy a into b, reversed */
  return b;
}
```
First-Order Verification
![Page 4: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/4.jpg)
```c
#include <stdlib.h>
char* rev_copy(char* a, int n) {
  int i = 0, j = n - 1; char* b = malloc(n);
  while (0 <= j) { b[i] = a[j]; i++; j--; }   /* copy a into b, reversed */
  return b;
}
```
Example: Memory Safety
Access Within Array Bounds
![Page 5: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/5.jpg)
```c
#include <assert.h>
#include <stdlib.h>
char* rev_copy(char* a, int n) {
  int i = 0, j = n - 1; char* b = malloc(n);
  while (j >= 0) {
    assert(0 <= i && i < n);   /* access within array bounds */
    b[i] = a[j]; i++; j--;
  }
  return b;
}
```
How to prove the assert never fails?
Loop skeleton with labelled program locations 0, 1, 2, checking the bound i<n:
```
0: i = 0; j = n-1;
1: while (0 <= j) {
2:   assert(i < n);
     i = i+1; j = j-1;
   }
```
Access Within Array Bounds
![Page 6: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/6.jpg)
How to prove asserts? Invariants [Floyd-Hoare]
![Page 7: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/7.jpg)
Invariants
Predicate that is always true @ Program Location
```
0: i = 0; j = n-1;          invariant: true
1: while (0 <= j) {         invariant: i+j = n-1
2:   assert(i < n);         invariant: i+j = n-1 ∧ 0 ≤ j
     i = i+1; j = j-1;
   }
```
Invariant Proves Assert
![Page 8: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/8.jpg)
How to Prove Asserts? How to Find Invariants?
![Page 9: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/9.jpg)
What are Invariants?
```
0: i = 0; j = n-1;          invariant: ?
1: while (0 <= j) {         invariant: ?
2:   assert(i < n);         invariant: ?
     i = i+1; j = j-1;
   }
```
![Page 10: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/10.jpg)
What are Invariants?
Let Xi = Invariant @ location i
![Page 11: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/11.jpg)
What are Invariants?
```
0: i = 0; j = n-1;          invariant: X0
1: while (0 <= j) {         invariant: X1
2:   assert(i < n);         invariant: X2
     i = i+1; j = j-1;
   }
```
Properties of X0, X1, X2?
![Page 12: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/12.jpg)
What are Invariants?
```
0: i = 0; j = n-1;          invariant: X0
1: while (0 <= j) {         invariant: X1
2:   assert(i < n);         invariant: X2
     i = i+1; j = j-1;
   }
```
Initial Values Arbitrary: X0 = true
![Page 13: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/13.jpg)
What are Invariants?
```
0: i = 0; j = n-1;          invariant: X0 = true
1: while (0 <= j) {         invariant: X1
2:   assert(i < n);         invariant: X2
     i = i+1; j = j-1;
   }
```
Entering the loop from location 0 (where X0 = true): i=0 ∧ j=n-1 ⇒ X1
![Page 14: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/14.jpg)
What are Invariants?
```
0: i = 0; j = n-1;          invariant: X0 = true
1: while (0 <= j) {         invariant: X1
2:   assert(i < n);         invariant: X2
     i = i+1; j = j-1;
   }
```
Passing the loop test from location 1 to 2: 0≤j ∧ X1 ⇒ X2
![Page 15: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/15.jpg)
What are Invariants?
```
0: i = 0; j = n-1;          invariant: X0 = true
1: while (0 <= j) {         invariant: X1
2:   assert(i < n);         invariant: X2
     i = i+1; j = j-1;
   }
```
The assert at location 2: X2 ⇒ i<n
![Page 16: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/16.jpg)
What are Invariants?
```
0: i = 0; j = n-1;          invariant: X0 = true
1: while (0 <= j) {         invariant: X1
2:   assert(i < n);         invariant: X2
     i = i+1; j = j-1;
   }
```
Back edge from location 2 to 1 (io, jo are the old values of i, j): i=io+1 ∧ j=jo-1 ∧ [io/i][jo/j]X2 ⇒ X1
![Page 17: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/17.jpg)
What are Invariants?
Predicates X1, X2 s.t.
  i=0 ∧ j=n-1 ⇒ X1
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … ∧ [io/i][jo/j]X2 ⇒ X1
![Page 18: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/18.jpg)
What are Invariants?
Predicates X1, X2 s.t.
  i=0 ∧ j=n-1 ⇒ X1
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … ∧ [io/i][jo/j]X2 ⇒ X1
How to Infer Invariants? How to Solve for X1, X2? Idea: Lazy Abstraction
![Page 19: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/19.jpg)
Idea: Lazy Abstraction
Tree of executions over atomic predicates: i+j=n-1, 0≤j
Nodes: X1, X2
Edges: X1 ⇒ X2
![Page 20: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/20.jpg)
Lazy Predicate Abstraction
Constraints:
  i=0 ∧ j=n-1 ∧ X0 ⇒ X1
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … [io/i][jo/j]X2 ⇒ X1
Atoms: i+j=n-1, 0≤j
Tree Root: X0 = true (the root X, i.e. the one that never appears on a RHS)
![Page 21: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/21.jpg)
Lazy Predicate Abstraction
Tree so far: X0 = true → X1
Atoms: i+j=n-1, 0≤j
Tree Edge = "Unrolled" Implication: i=0 ∧ j=n-1 ∧ X0 ⇒ X1
Remaining constraints:
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … [io/i][jo/j]X2 ⇒ X1
![Page 22: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/22.jpg)
Lazy Predicate Abstraction
Tree so far: X0 = true → X1 = ?
Atoms: i+j=n-1, 0≤j
Unrolled implication: i=0 ∧ j=n-1 ∧ X0 ⇒ X1
Theorem Prover: i=0 ∧ j=n-1 ∧ true ⇒ i+j=n-1 ? Valid
![Page 23: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/23.jpg)
Lazy Predicate Abstraction
Tree so far: X0 = true → X1 = i+j=n-1
Atoms: i+j=n-1, 0≤j
Unrolled implication: i=0 ∧ j=n-1 ∧ X0 ⇒ X1
Theorem Prover: i=0 ∧ j=n-1 ∧ true ⇒ 0≤j ? Invalid
Remaining constraints:
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … [io/i][jo/j]X2 ⇒ X1
![Page 24: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/24.jpg)
Lazy Predicate Abstraction
Tree so far: X0 = true → X1 = i+j=n-1 → X2 = i+j=n-1 ∧ 0≤j ?
Atoms: i+j=n-1, 0≤j
Constraints:
  i=0 ∧ j=n-1 ∧ X0 ⇒ X1
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … [io/i][jo/j]X2 ⇒ X1
![Page 25: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/25.jpg)
Lazy Predicate Abstraction
Tree so far: X0 = true → X1 = i+j=n-1 → X2 = i+j=n-1 ∧ 0≤j, now checking the assert i<n
Atoms: i+j=n-1, 0≤j
Constraints:
  i=0 ∧ j=n-1 ∧ X0 ⇒ X1
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … [io/i][jo/j]X2 ⇒ X1
Theorem Prover: 0≤j ∧ i+j=n-1 ⇒ i<n ? Valid
![Page 26: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/26.jpg)
Lazy Predicate Abstraction
Tree so far: X0 = true → X1 = i+j=n-1 → X2 = i+j=n-1 ∧ 0≤j (i<n holds) → X1 = i+j=n-1 ? (unrolling the back edge)
Atoms: i+j=n-1, 0≤j
Constraints:
  i=0 ∧ j=n-1 ∧ X0 ⇒ X1
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … [io/i][jo/j]X2 ⇒ X1
![Page 27: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/27.jpg)
Lazy Predicate Abstraction
Tree: X0 = true → X1 = i+j=n-1 → X2 = i+j=n-1 ∧ 0≤j (i<n holds) → X1 = i+j=n-1, already covered by the earlier X1 node
Atoms: i+j=n-1, 0≤j
Constraints:
  i=0 ∧ j=n-1 ∧ X0 ⇒ X1
  0≤j ∧ X1 ⇒ X2
  X2 ⇒ i<n
  … [io/i][jo/j]X2 ⇒ X1
Fixpoint → Stop Unrolling → Inferred Invariants → Proved Asserts … Constraints Solved
…not so fast!
![Page 28: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/28.jpg)
C Program + Asserts → Lazy Abstraction [POPL 02] → Safety Invariants, with Atoms as the second input
How to get good atoms? e.g. i+j=n-1
If we have bad atoms... e.g. i=0, j=n-1, 0≤j
![Page 29: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/29.jpg)
Abstraction With Bad Atoms...
Tree:
  X0: true
  X1: i=0 ∧ j=n-1
  X2: i=0 ∧ j=n-1 ∧ 0≤j   (Assert Holds: i<n)
  X1: true   (Not a fixpoint: the back edge implies none of the atoms)
  X2: true   (Assert Fails)
…Yields Counterexample "Path": i:=0; j:=n-1 → 0<=j? → i:=i+1; j:=j-1 → 0<=j?
![Page 30: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/30.jpg)
Bad atoms yield counterexample paths
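The lazy predicate abstraction of the preceding slides in its fixpoint form, as an added example (not the talk's tool): the same loop skeleton, run once with the good atoms and once with the bad ones to reproduce both outcomes. A bounded brute-force check over small integers is an assumption standing in for the theorem prover; the atom names, the edge encoding and the enumeration range are mine.

```python
import itertools

# Atoms: candidate conjuncts for the invariants X1, X2 (X0 stays true).
GOOD_ATOMS = {
    "i+j=n-1": lambda s: s["i"] + s["j"] == s["n"] - 1,
    "0<=j":    lambda s: 0 <= s["j"],
}
BAD_ATOMS = {
    "i=0":   lambda s: s["i"] == 0,
    "j=n-1": lambda s: s["j"] == s["n"] - 1,
    "0<=j":  lambda s: 0 <= s["j"],
}

# Control-flow edges of the loop skeleton: (src, dst, guard, update).
# 0 -> 1: i = 0; j = n-1     1 -> 2: while (0 <= j)     2 -> 1: i = i+1; j = j-1
EDGES = [
    (0, 1, lambda s: True,        lambda s: {**s, "i": 0, "j": s["n"] - 1}),
    (1, 2, lambda s: 0 <= s["j"], lambda s: dict(s)),
    (2, 1, lambda s: True,        lambda s: {**s, "i": s["i"] + 1, "j": s["j"] - 1}),
]

VARS = ("i", "j", "n")
RANGE = range(-4, 9)   # assumption: the stand-in prover enumerates this box


def states():
    for vals in itertools.product(RANGE, repeat=len(VARS)):
        yield dict(zip(VARS, vals))


def valid(hyps, concl):
    """Stand-in theorem prover: (AND hyps) => concl on every enumerated state.
    A real lazy-abstraction tool asks an SMT solver here."""
    return all(concl(s) for s in states() if all(h(s) for h in hyps))


def abstract_post(atoms, src_conj, guard, update):
    """Strongest conjunction of atoms implied after the edge: atom a survives
    iff src_conj AND guard => a[update], the 'unrolled implication' of the slides."""
    return {name for name, a in atoms.items()
            if valid(src_conj + [guard], lambda s, a=a: a(update(s)))}


def infer_invariants(atoms):
    """Fixpoint over the conjunction-of-atoms domain: X0 = true; the other
    locations start unreached (all atoms) and are weakened edge by edge."""
    inv = {0: set(), 1: set(atoms), 2: set(atoms)}
    changed = True
    while changed:
        changed = False
        for src, dst, guard, update in EDGES:
            src_conj = [atoms[name] for name in inv[src]]
            new = inv[dst] & abstract_post(atoms, src_conj, guard, update)
            if new != inv[dst]:
                inv[dst], changed = new, True
    return inv


def proves_assert(atoms):
    """Does the inferred X2 discharge assert(i < n) at location 2?"""
    inv = infer_invariants(atoms)
    return valid([atoms[name] for name in inv[2]], lambda s: s["i"] < s["n"])


if __name__ == "__main__":
    for label, atoms in (("good atoms", GOOD_ATOMS), ("bad atoms", BAD_ATOMS)):
        inv = infer_invariants(atoms)
        print(label, "X1 =", inv[1] or {"true"}, "X2 =", inv[2] or {"true"},
              "assert proved:", proves_assert(atoms))
```

With the good atoms the fixpoint is X1 = i+j=n-1 and X2 = i+j=n-1 ∧ 0≤j, which proves the assert; with the bad atoms X1 collapses to true and X2 = 0≤j, which does not.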
![Page 31: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/31.jpg)
C Program + Asserts → Lazy Abstraction [POPL 02] → Safety Invariants
Unsafe Paths → Counterexample Analysis → Path Atoms → Atoms (fed back into Lazy Abstraction)
"Counterexample Guided Abstraction Refinement" [Kurshan 94, Clarke et al. 00, Ball & Rajamani 00]
![Page 32: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/32.jpg)
Path Atoms: Formula, Proof
Counterexample path through X0 → X1 → X2 → X1 → X2 (assert i<n): i:=0; j:=n-1 → 0<=j? → i:=i+1; j:=j-1 → 0<=j?
Good Atoms: Relationships from past prove safety of future
How to compute good atoms from paths?
![Page 33: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/33.jpg)
Path Atoms: Formula, Proof
Path X0 → X1 → X2 → X1 → X2: i:=0; j:=n-1 → 0<=j? → i:=i+1; j:=j-1 → 0<=j?
Path formula (Rename Variables (SSA), Negate Assert):
  i0 = 0 ∧ j0 = n-1 ∧ 0 ≤ j0 ∧ i1 = i0+1 ∧ j1 = j0-1 ∧ n ≤ i1 ∧ 0 ≤ j1
Formula Unsatisfiable iff Assert Holds
![Page 34: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/34.jpg)
Path Atoms: Formula, Proof
Path X0 → X1 → X2 → X1 → X2: i:=0; j:=n-1 → 0<=j? → i:=i+1; j:=j-1 → 0<=j?
Path formula: i0=0 ∧ j0=n-1 ∧ 0≤j0 ∧ i1=i0+1 ∧ j1=j0-1 ∧ n≤i1 ∧ 0≤j1
Proof of unsatisfiability (combining conjuncts):
  0≤j1 + j1=j0-1 → 0≤j0-1
  0≤j0-1 + j0=n-1 → 0≤n-2
  n≤i1 + i1=i0+1 → n≤i0+1
  n≤i0+1 + i0=0 → n≤1
  0≤n-2 + n≤1 → 0≤-1 → False
![Page 35: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/35.jpg)
Path Atoms: Formula, Proof
Proof of unsatisfiability:
  0≤j1 + j1=j0-1 → 0≤j0-1
  0≤j0-1 + j0=n-1 → 0≤n-2
  n≤i1 + i1=i0+1 → n≤i0+1
  n≤i0+1 + i0=0 → n≤1
  0≤n-2 + n≤1 → False
Good Atoms: Relationships from past prove safety of future: + i+j=n-1
![Page 36: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/36.jpg)
Atom = Craig Interpolant of Past, Future Formulas, extracted from the proof of path unsatisfiability
Inferred Good Atom: i+j=n-1
Path X0 → X1 → X2 → X1 → X2 (assert i<n): i:=0; j:=n-1 → 0<=j? → i:=i+1; j:=j-1 → 0<=j?
![Page 37: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/37.jpg)
Recap
How to verify safety? Compute invariants X1, X2, ...
How to solve for X1, X2, ...? Tree of executions over atoms
How to find good atoms? Interpolants of path formulas
![Page 38: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/38.jpg)
Recap
Safety → Invariants (X0, X1) → Implications (X0 ⇒ X1) → AI, PA, CEGAR, …
![Page 39: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/39.jpg)
Part I: First-Order (by Logic)
Part II: Higher-Order Verification
![Page 40: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/40.jpg)
Key Problem: Invariants for…
Collections? Closures? Polymorphism? Recursive Data?
![Page 41: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/41.jpg)
Idea: Logically Qualified Types: Factor Invariant into Logic × Type
Idea: Liquid Types
![Page 42: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/42.jpg)
Logic: Describes Individual Data
Type: Quantifies over Structure
![Page 43: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/43.jpg)
∀i. 0 ≤ i < table.length ⇒ -1 ≤ table[i]
factored into
table :: {v:int | -1 ≤ v} array   (Type: int array; Logic: -1 ≤ v)
![Page 44: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/44.jpg)
∀x. next*(root, x) ⇒ -1 ≤ x.data
factored into
root :: {v:int | -1 ≤ v} list   (Type: int list; Logic: -1 ≤ v)
![Page 45: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/45.jpg)
Functions: Array.get
Type: 'a array -> int -> 'a
Liquid type: x:'a array -> {v:int | 0 ≤ v < len x} -> 'a
Pre-Condition: the index refinement {v:int | 0 ≤ v < len x}; Post-Condition: the result type 'a
![Page 46: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/46.jpg)
Higher-Order: ffor
Type: int -> int -> (int -> unit) -> unit
Liquid type: lo:int -> hi:{int | lo ≤ v} -> ({v:int | lo ≤ v < hi} -> unit) -> unit
![Page 47: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/47.jpg)
Logic: Describes Individual Data
Type: Quantifies over Structure
Theorem Prover: Reasoning about Individual Data
Type System: Quantified Reasoning about Structure
![Page 48: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/48.jpg)
Demo: "Map-Reduce"
![Page 49: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/49.jpg)
"Map-Reduce"
map :: (e -> (k, v) list) -> e list -> (k, v) list
group :: (k, v) list -> (k, v list) table
reduce :: (v -> v -> v) -> (k, v list) table -> (k, v) table
![Page 50: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/50.jpg)
K-Means Clustering
![Page 51: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/51.jpg)
0. Choose K Centers Arbitrarily
![Page 52: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/52.jpg)
1. (Map) Points to Nearest Center
![Page 53: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/53.jpg)
2. (Group) Points by Center
![Page 54: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/54.jpg)
3. (Reduce) Centroids into New Centers
![Page 55: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/55.jpg)
Repeat 1,2,3 Until Convergence
![Page 56: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/56.jpg)
Demo: K-Means via Map-Reduce
![Page 57: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/57.jpg)
Base Types, Collections, Closures, Polymorphism, Recursive Data
![Page 58: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/58.jpg)
```ocaml
let rec ffor l u f =
  if l < u then (f l; ffor (l+1) u f)
```
Type of f: int → unit
Template of f: {v:int | X1} → unit
l Flows Into Input of f: l<u ⊢ {v:int | v=l} <: {v:int | X1}
Reduces to: l<u ∧ v=l ⇒ X1
Solution: X1 = l ≤ v ∧ v < u
Liquid Type of f: {v:int | l ≤ v ∧ v < u} → unit
![Page 59: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/59.jpg)
Base Types, Collections, Closures, Polymorphism, Recursive Data
![Page 60: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/60.jpg)
```ocaml
let nearest dist ctra x =
  let da = Array.map (dist x) ctra in
  [min_index da, (x, 1)]
```
Type of Output: int * 'b * int list
Template of Output: {v:int | X1} * 'b * {v:int | X2} list
Liquid Type of Array.map (used to build da): ('a → 'b) → x:'a array → {v:'b array | len x = len v}
Liquid Type of min_index: x:'a array → {v:int | 0 ≤ v ∧ v < len x}
Hence da : {v:'b array | len v = len ctra} and min_index da : {v:int | 0 ≤ v ∧ v < len da}
Subtyping: da:{len v = len ctra} ⊢ {0 ≤ v < len da} * 'b * {v=1} list <: {X1} * 'b * {X2} list
Reduces To:
  len da = len ctra ∧ 0 ≤ v < len da ⇒ X1
  len da = len ctra ∧ v=1 ⇒ X2
Solution: X1 = 0 ≤ v < len ctra, X2 = 0 < v
Liquid Type of Output: {v:int | 0 ≤ v < len ctra} * 'b * {v:int | 0 < v} list
![Page 61: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/61.jpg)
Base Types, Collections, Closures, Polymorphism, Recursive Data
![Page 62: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/62.jpg)
```ocaml
let min_index a =
  let min = ref 0 in
  ffor 0 (Array.length a) (fun i -> if a.(i) < a.(!min) then min := i);
  !min
```
Liquid Type of ffor: l:int → u:int → ({v:int | l ≤ v < u} → unit) → unit
Liquid Type of ffor 0: u:int → ({v:int | 0 ≤ v < u} → unit) → unit
Liquid Type of ffor 0 (len a): ({v:int | 0 ≤ v < len a} → unit) → unit
Template of (fun i -> ...): {v:int | Xi} → unit
Passing the closure to ffor 0 (len a) requires: {Xi} → unit <: {0 ≤ v < len a} → unit
Reduces To (function arguments are contravariant, so the argument side flips): {0 ≤ v < len a} <: {Xi} and unit <: unit, i.e. 0 ≤ v < len a ⇒ Xi
Solution: Xi = 0 ≤ v < len a
Liquid Type of (fun i -> ...): {v:int | 0 ≤ v < len a} → unit
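The "reduces to" steps of the ffor slide and the min_index slide, as an added example that is neither the talk's tool nor the Liquid Types implementation: refinement types as nested tuples, subtyping decomposed into implications (function arguments contravariant, results, tuples and lists covariant), and each unknown solved as the strongest conjunction of qualifiers that satisfies its implications. The qualifier sets, the variable name "len a" and the bounded brute-force stand-in for the theorem prover are assumptions.

```python
import itertools

RANGE = range(-3, 6)   # assumption: the stand-in prover enumerates this box


def valid(variables, hyps, concl):
    """Stand-in theorem prover: (AND hyps) => concl for every assignment of the
    named variables over RANGE; a real checker would call an SMT solver."""
    for vals in itertools.product(RANGE, repeat=len(variables)):
        s = dict(zip(variables, vals))
        if all(h(s) for h in hyps) and not concl(s):
            return False
    return True


# Refinement types: ("base", p) is {v:int | p} where p is a predicate over a
# state dict or the name of an unknown such as "X1"; ("fun", arg, res);
# ("list", elem); ("tuple", [t1, t2, ...]).  Unrefined types carry `true`.
TRUE = lambda s: True
UNIT = ("base", TRUE)


def subtype(env, t1, t2, out):
    """Decompose t1 <: t2 under env (a list of predicates) into base-level
    constraints (env, lhs, rhs), each meaning env AND lhs => rhs."""
    kind = t1[0]
    if kind == "base":
        out.append((env, t1[1], t2[1]))
    elif kind == "fun":                 # arguments contravariant, results covariant
        subtype(env, t2[1], t1[1], out)
        subtype(env, t1[2], t2[2], out)
    elif kind == "list":
        subtype(env, t1[1], t2[1], out)
    elif kind == "tuple":
        for a, b in zip(t1[1], t2[1]):
            subtype(env, a, b, out)
    return out


def solve(variables, qualifiers, constraints):
    """Liquid inference: each unknown starts as the conjunction of all
    qualifiers and is weakened until every constraint with an unknown on the
    right holds.  Returns (solution, whether the concrete constraints hold)."""
    names = {t for c in constraints for t in c[1:] if isinstance(t, str)}
    sol = {x: set(qualifiers) for x in names}

    def preds(side):                    # predicates currently standing for a side
        return [qualifiers[q] for q in sol[side]] if isinstance(side, str) else [side]

    changed = True
    while changed:
        changed = False
        for env, lhs, rhs in constraints:
            if isinstance(rhs, str):
                keep = {q for q in sol[rhs]
                        if valid(variables, env + preds(lhs), qualifiers[q])}
                if keep != sol[rhs]:
                    sol[rhs], changed = keep, True
    ok = all(valid(variables, env + preds(lhs), rhs)
             for env, lhs, rhs in constraints if not isinstance(rhs, str))
    return sol, ok


def infer_ffor():
    """ffor: in `if l < u then f l`, l flows into f's input, whose template is
    {v:int | X1}: under l<u, {v:int | v=l} <: {v:int | X1}."""
    quals = {"l<=v": lambda s: s["l"] <= s["v"], "v<u": lambda s: s["v"] < s["u"],
             "0<=v": lambda s: 0 <= s["v"],      "u<=v": lambda s: s["u"] <= s["v"]}
    cs = subtype([lambda s: s["l"] < s["u"]],
                 ("base", lambda s: s["v"] == s["l"]), ("base", "X1"), [])
    sol, ok = solve(("l", "u", "v"), quals, cs)
    return sol["X1"], ok


def infer_closure():
    """min_index: (fun i -> ...) with template {v:int | Xi} -> unit is passed to
    ffor 0 (len a) : ({v:int | 0<=v<len a} -> unit) -> unit, so the closure must
    satisfy {Xi} -> unit <: {0<=v<len a} -> unit; the argument side flips."""
    quals = {"0<=v": lambda s: 0 <= s["v"], "v<len a": lambda s: s["v"] < s["len a"],
             "v<0": lambda s: s["v"] < 0}
    bound = ("base", lambda s: 0 <= s["v"] < s["len a"])
    cs = subtype([], ("fun", ("base", "Xi"), UNIT), ("fun", bound, UNIT), [])
    sol, ok = solve(("v", "len a"), quals, cs)
    return sol["Xi"], ok


if __name__ == "__main__":
    print("ffor:    X1 =", *infer_ffor())
    print("closure: Xi =", *infer_closure())
```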
![Page 63: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/63.jpg)
Base Types, Collections, Closures, Polymorphism, Recursive Data
![Page 64: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/64.jpg)
```ocaml
mapreduce (nearest dist ctra) (centroid plus) xs
|> List.iter (fun (i, (x, sz)) -> ctra.(i) <- div x sz)
```
Type of mapreduce: ('a → 'b * 'c list) → ... → 'b * 'c list
Template of mapreduce: ('a → {X1} * 'a * {X2} list) → ... → {X1} * 'a * {X2} list
Type Instantiation: 'a with 'a, 'b with int, 'c with 'a * int
Template Instantiation: 'a with 'a, 'b with {v:int | X1}, 'c with 'a * {v:int | X2}
Liquid Type of (nearest dist ctra): 'a → {0 ≤ v < len ctra} * 'a * {0 < v} list
  <: 'a → {X1} * 'a * {X2} list
Reduces To:
  0 ≤ v < len ctra ⇒ X1
  0 < v ⇒ X2
Solution: X1 = 0 ≤ v < len ctra, X2 = 0 < v
Liquid Type of mapreduce Output: {0 ≤ v < len ctra} * 'a * {0 < v} list
![Page 65: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/65.jpg)
Polymorphism = “Meta” Invariants
![Page 66: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/66.jpg)
Polymorphism = "Meta Invariants"
foldl :: (a -> b -> a) -> a -> b list -> a
![Page 67: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/67.jpg)
Polymorphism = "Meta Invariants"
foldl :: (a -> b -> a) -> a -> b list -> a
Initial Value Satisfies a
![Page 68: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/68.jpg)
Polymorphism = "Meta Invariants"
foldl :: (a -> b -> a) -> a -> b list -> a
Each "Iteration" Preserves a
![Page 69: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/69.jpg)
Polymorphism = "Meta Invariants"
foldl :: (a -> b -> a) -> a -> b list -> a
Hence, Output Satisfies a
![Page 70: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/70.jpg)
Polymorphism = "Meta Invariants"
foldl :: (a -> b -> a) -> a -> b list -> a
At callsite instantiate a for invariant: Analysis oblivious to iterated structure
![Page 71: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/71.jpg)
Base Types, Collections, Closures, Polymorphism, Recursive Data
![Page 72: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/72.jpg)
Recursive Data Structures
![Page 73: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/73.jpg)
Data (Structure) Invariants
Piggyback Predicates On Types
![Page 74: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/74.jpg)
Representation
A list is [] or x:int :: (tail); {x:int | 0<x} list refines int list, and 0<x describes all elements
![Page 75: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/75.jpg)
Type Unfolding
List of positive integers ({x:int | 0<x} list) unfolds into Empty ([]) or Head h:int with 0<h :: Tail, where the positive property holds recursively for the tail
![Page 76: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/76.jpg)
Representation
A list is [] or x:int :: (tail); 0<x describes all elements, and x<v describes the tail elements (v ranges over the elements after x)
![Page 77: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/77.jpg)
Type Unfolding
List of sorted integers (each element x has tail elements with x<v) unfolds into Empty ([]) or Head h:int :: Tail, where the elements of the tail are larger than the head (h<v) and the property holds recursively
Push Edge Predicate Into Node, Rename Variable: h<v on the edge becomes h<x on each element x of the tail
![Page 78: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/78.jpg)
Piggyback Predicates On Types
Data (Structure) Invariants
![Page 79: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/79.jpg)
Quantifier Instantiation
match l with h::t, where l : sorted list
Instantiate (Unfold): h:int, t : sorted list & {h<x}
The x<v refinement on each node of l becomes h<x on the tail t
![Page 80: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/80.jpg)
Piggyback Predicates On Types
Data (Structure) Invariants
![Page 81: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/81.jpg)
Quantifier Generalization
let l = h::t in, where h:int and t : sorted list & {h<x}
Generalize (Fold): l : sorted list
The h<x refinement on the tail t becomes the x<v refinement on each node of l
![Page 82: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/82.jpg)
Demo: isort
![Page 83: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/83.jpg)
Recursive Data Structures
![Page 84: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/84.jpg)
Piggyback Predicates On Types
(Data) Structure Invariants
![Page 85: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/85.jpg)
```ocaml
measure len = | [] -> 0 | x::xs -> 1 + len xs
```
Representation: List Length
![Page 86: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/86.jpg)
Representation: List Length
∀l,x,xs. len([]) = 0 ∧ len(x::xs) = 1+len(xs)
![Page 87: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/87.jpg)
Piggyback Predicates On Types
(Data) Structure Invariants
![Page 88: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/88.jpg)
Quantifier Instantiation
∀l,x,xs. len([]) = 0 ∧ len(x::xs) = 1+len(xs)
match l with h::t, where l:'a list
Instantiate: h:'a, t:'a list, len(l) = 1+len(t)
![Page 89: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/89.jpg)
Piggyback Predicates On Types
(Data) Structure Invariants
![Page 90: Higher-Order Verification With Liquid Types Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d7e5503460f94a6167d/html5/thumbnails/90.jpg)
Quantifier Generalization
∀l,x,xs. len([]) = 0 ∧ len(x::xs) = 1+len(xs)
let l = h::t in, where h:'a and t:'a list
Generalize: l:'a list, len(l) = 1+len(t)
Page 91
Demo: msortb
Page 92
Recursive Data Structures: Piggyback Measures
Page 93
Height Balanced Tree

Tree: Leaf | Node(x, l, r), with l = left subtree and r = right subtree

measure H =
  | Leaf        = 0
  | Node(x,l,r) = 1 + max (H l) (H r)

H l = left subtree's height, H r = right subtree's height

Invariant: the height difference is bounded at each Node:  |H l - H r| < 2
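As an added example (not code from the talk and not Dsolve's own, and in Python rather than the OCaml that Dsolve checks), here the measure H and the refinement |H l - H r| < 2 from this slide are run as ordinary functions over sample trees: Dsolve proves the invariant statically for every tree, while this checker only confirms it on the trees it is given, but it makes concrete what the refinement says. The AVL insert is a standard one; `insert_unbalanced` is a hypothetical stand-in for a broken rebalance (it is not the Vec bug described later in the talk) so that the check has something to catch, and `bst_ordered` is the binary-search-ordering invariant verified for the finite-map case study. All names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    x: int
    l: "Optional[Node]"   # None plays the role of Leaf
    r: "Optional[Node]"


Tree = Optional[Node]


def H(t: Tree) -> int:
    """The measure from the slide, run as a function:
    H Leaf = 0, H (Node x l r) = 1 + max (H l) (H r)."""
    if t is None:
        return 0
    return 1 + max(H(t.l), H(t.r))


def height_balanced(t: Tree) -> bool:
    """The refinement |H l - H r| < 2, required at every node."""
    if t is None:
        return True
    return (abs(H(t.l) - H(t.r)) < 2
            and height_balanced(t.l) and height_balanced(t.r))


def max_imbalance(t: Tree) -> int:
    """Largest |H l - H r| over all nodes: how far off a violating tree is."""
    if t is None:
        return 0
    return max(abs(H(t.l) - H(t.r)), max_imbalance(t.l), max_imbalance(t.r))


def bst_ordered(t: Tree, lo: Optional[int] = None, hi: Optional[int] = None) -> bool:
    """Binary-search ordering: every key lies strictly between its bounds."""
    if t is None:
        return True
    if lo is not None and not lo < t.x:
        return False
    if hi is not None and not t.x < hi:
        return False
    return bst_ordered(t.l, lo, t.x) and bst_ordered(t.r, t.x, hi)


def size(t: Tree) -> int:
    return 0 if t is None else 1 + size(t.l) + size(t.r)


def rotate_right(t: Node) -> Node:
    a = t.l
    return Node(a.x, a.l, Node(t.x, a.r, t.r))


def rotate_left(t: Node) -> Node:
    b = t.r
    return Node(b.x, Node(t.x, t.l, b.l), b.r)


def rebalance(t: Node) -> Node:
    """Standard AVL rebalancing: restore |H l - H r| < 2 at this node."""
    bal = H(t.l) - H(t.r)
    if bal > 1:                       # left-heavy
        if H(t.l.l) < H(t.l.r):       # left-right case: double rotation
            t = Node(t.x, rotate_left(t.l), t.r)
        return rotate_right(t)
    if bal < -1:                      # right-heavy
        if H(t.r.r) < H(t.r.l):       # right-left case: double rotation
            t = Node(t.x, t.l, rotate_right(t.r))
        return rotate_left(t)
    return t


def insert(t: Tree, x: int) -> Node:
    """AVL insert: every node on the path back to the root is rebalanced."""
    if t is None:
        return Node(x, None, None)
    if x < t.x:
        return rebalance(Node(t.x, insert(t.l, x), t.r))
    if x > t.x:
        return rebalance(Node(t.x, t.l, insert(t.r, x)))
    return t


def insert_unbalanced(t: Tree, x: int) -> Node:
    """Plain BST insert with no rebalancing: a hypothetical stand-in for a
    broken rebalance, so the invariant check has a violation to report."""
    if t is None:
        return Node(x, None, None)
    if x < t.x:
        return Node(t.x, insert_unbalanced(t.l, x), t.r)
    if x > t.x:
        return Node(t.x, t.l, insert_unbalanced(t.r, x))
    return t


def build(keys, ins=insert) -> Tree:
    t: Tree = None
    for k in keys:
        t = ins(t, k)
    return t


if __name__ == "__main__":
    good = build(range(1, 101))
    print("AVL:", size(good), H(good), height_balanced(good), bst_ordered(good))
    bad = build([5, 4, 3, 2, 1], insert_unbalanced)
    print("chain:", H(bad), height_balanced(bad), "imbalance", max_imbalance(bad))
```

Running the module builds a 100-key AVL tree that satisfies both invariants and a five-key chain that is still search-ordered but fails the height refinement at the root by 4; the static check in Dsolve reports the same kind of fact (where and by how much the refinement fails) without ever running the code.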
Page 94
Demo: eval
Page 95
Automatic Liquid Type Inference By Predicate Abstraction
Page 96
Automatic Liquid Type Inference

(figure: a list type built from [] and ::, with x:int, atoms 0<x and x<v, and unknown refinements X1, X2 on its components)

Predicates determine the invariant. Let X1, X2, ... = unknown predicates.
Complex subtyping between data types
  reduces to simple implications between X1, X2, ...
  solved by predicate abstraction over atoms 0<x, x<v, ...
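As an added example (not part of the talk and not Dsolve's implementation), the fixpoint computation this slide describes, in Python: every unknown starts as the conjunction of all candidate atoms, and any atom that some implication constraint fails to justify is dropped until nothing changes, which yields the strongest solution over those atoms. The example program (`max` and `m + 1`), the qualifier set and the constraints are constructed for illustration. The one real simplification is labelled in the code: the implications are decided by exhaustively enumerating a small bounded integer domain instead of calling an SMT solver, which is adequate for these linear atoms but is not a decision procedure in general (an atom such as `v < 4` would be wrongly accepted).

```python
import itertools

# Program variables of the example; v is the value variable of every refinement.
VARS = ("x", "y", "m", "v")
# ASSUMPTION: exhaustive enumeration of a bounded integer domain stands in for
# the SMT solver that decides implications in the real tool.
DOMAIN = range(-3, 4)
VALUATIONS = [dict(zip(VARS, vals))
              for vals in itertools.product(DOMAIN, repeat=len(VARS))]
ALL = frozenset(range(len(VALUATIONS)))

# Candidate qualifiers (atoms) the unknown predicates may be built from.
QUALIFIERS = ["0 < v", "x < v", "y < v", "x <= v", "y <= v", "v == x", "v == y"]

# Subtyping constraints (constructed) for the program
#   let max x y = if x > y then x else y      (* result : {v | X1} *)
#   let m = max x y in m + 1                  (* result : {v | X2} *)
# A constraint is (antecedents, unknown): the conjunction of the antecedents
# must imply the unknown. An antecedent is a concrete predicate string, or a
# pair (unknown, var) meaning that unknown's current refinement with v := var.
CONSTRAINTS = [
    (["x > y", "v == x"], "X1"),          # then-branch value flows into X1
    (["not (x > y)", "v == y"], "X1"),    # else-branch value flows into X1
    ([("X1", "m"), "v == m + 1"], "X2"),  # m : {v | X1}; the result is m + 1
]

_models = {}


def models(pred, rename=None):
    """Indices of the valuations satisfying pred (after v := rename, if given)."""
    key = (pred, rename)
    if key not in _models:
        code = compile(pred, "<qualifier>", "eval")
        sat = set()
        for i, env in enumerate(VALUATIONS):
            e = env if rename is None else dict(env, v=env[rename])
            if eval(code, {"__builtins__": {}}, e):
                sat.add(i)
        _models[key] = frozenset(sat)
    return _models[key]


def antecedent_models(parts, solution):
    """Valuations satisfying the whole antecedent under the current solution."""
    s = ALL
    for p in parts:
        if isinstance(p, str):
            s &= models(p)
        else:
            name, var = p
            for q in solution[name]:
                s &= models(q, var)
    return s


def implied(parts, q, solution):
    """Does the antecedent imply qualifier q (on every valuation in DOMAIN)?"""
    return antecedent_models(parts, solution) <= models(q)


def liquid_infer(constraints=CONSTRAINTS, qualifiers=QUALIFIERS):
    """Predicate abstraction: start every unknown at the conjunction of all
    qualifiers and weaken it by dropping qualifiers some constraint fails to
    imply, until a fixpoint is reached. Weakening X1 can invalidate a
    qualifier kept in X2 earlier, which is why the outer loop repeats."""
    unknowns = {rhs for _, rhs in constraints}
    solution = {u: list(qualifiers) for u in unknowns}
    changed = True
    while changed:
        changed = False
        for parts, rhs in constraints:
            keep = [q for q in solution[rhs] if implied(parts, q, solution)]
            if len(keep) < len(solution[rhs]):
                solution[rhs] = keep
                changed = True
    return solution


if __name__ == "__main__":
    for name, qs in sorted(liquid_infer().items()):
        print(f"{name} = {{v | " + " && ".join(qs) + "}")
```

The inferred types are the ones a reader would write by hand: `max` returns `{v | x <= v && y <= v}`, and `m + 1` gets the strictly stronger `{v | x < v && y < v && x <= v && y <= v}`, which only becomes computable once X1 has been weakened to its final form.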
Page 97
Part I: First-Order (by Logic)
Part II: Higher-Order (by Types)
Page 98
Take Home Lessons

Why are HO programs difficult?   Complex "invariants"
How to represent invariants?     Factor into liquid types
How to compute liquid types?     AbsInt / Predicate Abstraction / ...
Page 99
Much Work Remains… "Back-End" Logic
  Constraint solving
  Rich decidable logics
  Qualifier discovery
  …
Page 100
Much Work Remains… "Front-End" Types
  Destructive update
  Concurrency
  Objects & classes
  Dynamic languages
  …
Page 101
Much Work Remains… User Interface
  The smarter your analysis, the harder to tell why it fails!
Page 102
http://goto.ucsd.edu/liquid (source, papers, demo, etc.)
Page 103
Finite Maps (ML)

(figure: AVL tree with root 5:'cat'; children 3:'cow' and 8:'tic'; leaves 1:'doc', 4:'hog', 7:'ant', 9:'emu')

From the OCaml standard library
Implemented as AVL trees: rotate/rebalance on insert/delete
Verified invariants:
  Binary search ordered
  Height balanced
  Keys implement set
Page 104
Binary Decision Diagrams (ML)

(figure: BDD for X1⇔X2 ∧ X3⇔X4, with nodes X1; X2, X2; X3; X4, X4; terminal 1)

Graph-based Boolean formulas [Bryant 86]
Efficient formula manipulation: memoizing results on subformulas
Verified invariant: variables ordered along each path
Page 105
Vec: Extensible Arrays (317 LOC)

"Python-style" extensible arrays for OCaml: find, insert, delete, join etc.
Efficiency via balanced trees
Balanced: height difference between siblings ≤ 2
Dsolve found a balance violation
Page 106
Recursive Rebalance: fatal off-by-one error
Page 107
Debugging via Inference

Using Dsolve we found
  where the imbalance occurred (specific path conditions)
  how the imbalance occurred (left tree off by up to 4)
leading to a test and a fix.