    A Software Toolchain for Physical System Description and Synthesis, and Applications to Microfluidic Design Automation

    Microfluidic circuits are currently designed by hand, using a combination of the designer’s domain knowledge and educated intuition to determine unknown design parameters. As no microfluidic circuit design software exists to assist designers, circuits are typically tested by physically constructing them in silico and performing another design iteration should the prototype fail to operate correctly. Similar to how electronic design automation tools revolutionized the digital circuit design process, so too do microfluidic design packages have the potential to increase productivity for microfluidic circuit designers and allow more complex devices to be designed. Two of the primary software engineering problems to be solved in this space relate to design entry and design synthesis. First, the circuit designer requires a programming language to describe the behaviour and properties of the device they wish to build, and a compiler toolchain to convert this description into a model that can then be processed by other software tools. Second, once such a model is constructed, the remaining portions of the design toolchain must be constructed. It is necessary to implement software that can find unknown design parameters automatically to relieve the designer of much of the complexity that goes into creating such a circuit. Furthermore, automated testing and verification tools must be used to simulate the device and check for correctness and safety requirements before the engineer can have confidence in their design. In this thesis I outline work that has been done towards both of these goals. First, I describe a new programming language that has been developed for the purpose of describing and modelling physical systems, including but not limited to microfluidic circuits. 
This programming language, called “Manifold”, has been implemented following principles and features of modern functional programming languages, as well as drawing inspiration from VHDL and Verilog, the two industry-standard programming languages for EDA. The Manifold high-level language compiler carries out the process of translating a system description into a domain-agnostic intermediate representation. This representation is then passed to a domain-specific backend compiler which can perform further operations on the design, such as creating simulations, performing verification, and generating appropriate output products. Second, I perform a case study with respect to the creation of such a domain-specific backend for the domain of multi-phase microfluidic circuits. The process involved in taking a circuit description from design entry to device specification has a number of significant steps. I discuss in detail these steps with respect to the design of a multi-way droplet generator circuit. Such a circuit is difficult to design because of the behaviour of the key design parameter, the volume of generated droplets. The design goal is for each droplet generator on the device to produce droplets of a certain specified volume. However, the equation relating the properties of a droplet generator to the predicted droplet volume is complex and contains several nonlinearities, making it very difficult to solve by traditional methods. Recent advances in constraint solvers which can reason about nonlinear equations over real-valued terms make it possible to solve this equation efficiently for a given set of design constraints and goals, and produce many feasible specifications for droplet generators that meet the requirements. Another difficulty in designing these circuits is due to interactions between droplet generators. 
As the produced droplets have a significant hydrodynamic resistance, they affect the behaviour of the circuit by causing perturbations in the flow rates into the droplet generators. This has the potential to alter the volume of droplets that are being produced. Therefore, a means of regulating or controlling the flow rates must be found. I describe a potential solution in the form of a passive element analogous to a capacitor in an electrical circuit. Once an appropriate value for the capacitor is chosen, it remains to verify that it operates correctly under manufacturing variances in fabrication of the device. To perform this verification, a bounded model checker for real-valued differential equations is employed to demonstrate correctness or discover robustness issues. Furthermore, a simulation file for the MapleSim numerical simulation engine is generated in order to perform whole-design tests for further validation. The sequence in which these steps are performed closely follows the concept of “abstraction refinement” in formal methods, in which successively more detailed models are checked and a failure in one step can invoke a previous step with new information, allowing errors to be caught early and introducing the ability to iterate on the design. I describe such a refinement loop in place in the microfluidics backend that integrates these three steps in a coherent design flow, able to synthesize and verify many specifications for a microfluidic circuit, thereby automating a significant portion of the design process. The combination of the Manifold high-level language and microfluidics backend introduces a new design automation toolchain that demonstrates the effectiveness of constraint solvers in the tasks of design synthesis and verification. 
Further enhancements to the performance and capabilities of these solvers, as well as to the high-level language and backend, will in the future produce a general-purpose design package for microfluidic circuits that will allow for new, complex designs to be created and checked with confidence.

    Z3str4: A Solver for Theories over Strings

    Satisfiability Modulo Theories (SMT) solvers supporting rich theories of strings have facilitated numerous industrial applications with the need to reason about string operations and predicates that are present in many popular programming languages. Constraints encountered in practical applications have immense value in inspiring new algorithms and heuristics that string solvers can take advantage of to tackle new, more difficult problems. This is especially relevant as the combinations of operators typically supported by string solvers, or that are encountered in program analysis constraints, quickly result in theories whose satisfiability problems are undecidable. I present a number of theoretical and practical contributions in the domain of string solving. On the theoretical side, I illustrate decidability and undecidability results related to different relevant theories which include strings. On the practical side, I describe a collection of algorithms and heuristics designed to address challenges encountered in applications of string solvers, culminating with the introduction of Z3str4, a state-of-the-art solver for theories over strings. Z3str4 incorporates many improvements over its predecessor Z3str3, including an algorithm selection architecture that takes advantage of multiple solving algorithms in order to leverage the strengths of diverse string solving procedures against formulas they are predicted to be able to solve efficiently. I also present a back-end model construction algorithm for Z3str4 which is a hybrid between word-based and unfolding-based algorithms. Furthermore, I showcase the power of Z3str4 against other state-of-the-art tools in an empirical evaluation over a large and diverse collection of benchmarks. Additionally, I describe algorithms and heuristics specific to solving regular expression constraints, and demonstrate their effectiveness in a detailed and focused empirical evaluation.

    Decision procedures for path feasibility of string-manipulating programs with complex operations

    The design and implementation of decision procedures for checking path feasibility in string-manipulating programs is an important problem, with such applications as symbolic execution of programs with strings and automated detection of cross-site scripting (XSS) vulnerabilities in web applications. A (symbolic) path is given as a finite sequence of assignments and assertions (i.e. without loops), and checking its feasibility amounts to determining the existence of inputs that yield a successful execution. Modern programming languages (e.g. JavaScript, PHP, and Python) support many complex string operations, and strings are also often implicitly modified during a computation in some intricate fashion (e.g. by some autoescaping mechanisms). In this paper we provide two general semantic conditions which together ensure the decidability of path feasibility: (1) each assertion admits regular monadic decomposition (i.e. is an effectively recognisable relation), and (2) each assignment uses a (possibly nondeterministic) function whose inverse relation preserves regularity. We show that the semantic conditions are expressive since they are satisfied by a multitude of string operations including concatenation, one-way and two-way finite-state transducers, replaceall functions (where the replacement string could contain variables), string-reverse functions, regular-expression matching, and some (restricted) forms of letter-counting/length functions. The semantic conditions also strictly subsume existing decidable string theories (e.g. straight-line fragments, and acyclic logics), and most existing benchmarks (e.g. most of Kaluza’s, and all of SLOG’s, Stranger’s, and SLOTH’s benchmarks). 
Our semantic conditions also yield a conceptually simple decision procedure, as well as an extensible architecture of a string solver in that a user may easily incorporate his/her own string functions into the solver by simply providing code for the pre-image computation without worrying about other parts of the solver. Despite these, the semantic conditions are unfortunately too general to provide a fast and complete decision procedure. We provide strong theoretical evidence for this in the form of complexity results. To rectify this problem, we propose two solutions. Our main solution is to allow only partial string functions (i.e., prohibit nondeterminism) in condition (2). This restriction is satisfied in many cases in practice, and yields decision procedures that are effective in both theory and practice. Whenever nondeterministic functions are still needed (e.g. the string function split), our second solution is to provide a syntactic fragment that provides a support of nondeterministic functions, and operations like one-way transducers, replaceall (with constant replacement string), the string-reverse function, concatenation, and regular-expression matching. We show that this fragment can be reduced to an existing solver SLOTH that exploits fast model checking algorithms like IC3. We provide an efficient implementation of our decision procedure (assuming our first solution above, i.e., deterministic partial string functions) in a new string solver OSTRICH. Our implementation provides built-in support for concatenation, reverse, functional transducers (FFT), and replaceall and provides a framework for extensibility to support further string functions. We demonstrate the efficacy of our new solver against other competitive solvers.

    An SMT solver for regular expressions and linear arithmetic over string length

    We present a novel length-aware solving algorithm for the quantifier-free first-order theory over regex membership predicate and linear arithmetic over string length. We implement and evaluate this algorithm and related heuristics in the Z3 theorem prover. A crucial insight that underpins our algorithm is that real-world regex and string formulas contain a wealth of information about upper and lower bounds on lengths of strings, and such information can be used very effectively to simplify operations on automata representing regular expressions. Additionally, we present a number of novel general heuristics, such as the prefix/suffix method, that can be used to make a variety of regex solving algorithms more efficient in practice. We showcase the power of our algorithm and heuristics via an extensive empirical evaluation over a large and diverse benchmark of 57256 regex-heavy instances, almost 75% of which are derived from industrial applications or contributed by other solver developers. Our solver outperforms five other state-of-the-art string solvers, namely, CVC4, OSTRICH, Z3seq, Z3str3, and Z3-Trau, over this benchmark, in particular achieving a speedup of 2.4× over CVC4, 4.4× over Z3seq, 6.4× over Z3-Trau, 9.1× over Z3str3, and 13× over OSTRICH.
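    The length-bound reasoning that the abstract above calls its crucial insight, shown as an added example; this is not code from the paper or from Z3. It extracts the minimum and maximum length of every regex in a formula of the shape "x in R1 and ... and x in Rn and a*len(x) + b <= c", intersects those intervals with the linear constraint, and refutes the formula when the window is empty, all before any automaton is built. The regex AST, the function names, and the constructed sample patterns (a 32-character token class, a pattern containing `<script`) are assumptions made for illustration, not the paper's benchmarks.

```python
"""Length-aware pre-check for regex membership plus linear arithmetic over len(x).

Added illustration, not code from the paper or from Z3: every name below is an
assumption of this example. An empty length window refutes the formula outright;
a non-empty one is the tightened window the automaton-based phase would explore.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Bounds = Tuple[int, Optional[int]]  # (min_len, max_len); max_len None means unbounded


class Regex:
    """Base class of the small regex AST used here (an assumption of this example)."""


@dataclass(frozen=True)
class Lit(Regex):
    s: str                      # literal string, e.g. Lit("<script")


@dataclass(frozen=True)
class AnyChar(Regex):
    pass                        # exactly one character from some class, e.g. [A-Za-z0-9] or .


@dataclass(frozen=True)
class Concat(Regex):
    left: Regex
    right: Regex


@dataclass(frozen=True)
class Union(Regex):
    left: Regex
    right: Regex


@dataclass(frozen=True)
class Repeat(Regex):
    body: Regex
    lo: int                     # r{lo,hi}; hi=None is unbounded, so r* is Repeat(r, 0, None)
    hi: Optional[int]


def length_bounds(r: Regex) -> Bounds:
    """Smallest and largest length of any string matching r."""
    if isinstance(r, Lit):
        return (len(r.s), len(r.s))
    if isinstance(r, AnyChar):
        return (1, 1)
    if isinstance(r, Concat):
        l1, h1 = length_bounds(r.left)
        l2, h2 = length_bounds(r.right)
        return (l1 + l2, None if h1 is None or h2 is None else h1 + h2)
    if isinstance(r, Union):
        l1, h1 = length_bounds(r.left)
        l2, h2 = length_bounds(r.right)
        return (min(l1, l2), None if h1 is None or h2 is None else max(h1, h2))
    if isinstance(r, Repeat):
        l, h = length_bounds(r.body)
        if r.hi is None:
            # Unbounded repetition stays bounded only when the body matches nothing but "".
            return (l * r.lo, 0 if h == 0 else None)
        return (l * r.lo, None if h is None else h * r.hi)
    raise TypeError(f"unknown regex node {r!r}")


def linear_bounds(a: int, b: int, c: int) -> Optional[Bounds]:
    """Bounds on len(x) implied by a*len(x) + b <= c (a != 0), with len(x) >= 0 always.
    Returns None when no non-negative length satisfies the inequality."""
    if a > 0:
        hi = (c - b) // a               # floor of (c - b) / a
        return None if hi < 0 else (0, hi)
    if a < 0:
        lo = -((c - b) // (-a))         # ceiling of (c - b) / a; dividing by a < 0 flips the sign
        return (max(lo, 0), None)
    raise ValueError("a must be non-zero")


def intersect(p: Bounds, q: Bounds) -> Optional[Bounds]:
    """Intersection of two length windows, or None when they are disjoint."""
    lo = max(p[0], q[0])
    if p[1] is None:
        hi = q[1]
    elif q[1] is None:
        hi = p[1]
    else:
        hi = min(p[1], q[1])
    return None if hi is not None and lo > hi else (lo, hi)


def precheck(memberships: List[Regex], length: Optional[Bounds] = (0, None)):
    """Decide as much as length reasoning alone can. Returns ('unsat', None) when the
    windows are disjoint, else ('unknown', window) for the automaton phase to finish."""
    window = length
    for r in memberships:
        if window is None:
            break
        window = intersect(window, length_bounds(r))
    return ("unsat", None) if window is None else ("unknown", window)


# Constructed sample patterns (assumptions of this example, not benchmarks from the paper).
TOKEN = Repeat(AnyChar(), 32, 32)                                   # [A-Za-z0-9]{32}
SCRIPT = Concat(Repeat(AnyChar(), 0, None),
                Concat(Lit("<script"), Repeat(AnyChar(), 0, None)))  # .*<script.*

if __name__ == "__main__":
    # x in [A-Za-z0-9]{32} and len(x) <= 16: refuted without building an automaton.
    print(precheck([TOKEN], linear_bounds(1, 0, 16)))
    # x in .*<script.* and 2*len(x) + 1 <= 13 (so len(x) <= 6): refuted, "<script" needs 7.
    print(precheck([SCRIPT], linear_bounds(2, 1, 13)))
    # x in .*<script.* and len(x) <= 7: not refuted, but the window collapses to length 7.
    print(precheck([SCRIPT], linear_bounds(1, 0, 7)))
```

    The third call shows the second half of the insight: even when the pre-check cannot refute the formula, the surviving window is what makes the later automaton operations cheap, because the solver only has to consider strings of exactly length 7 rather than the unbounded language of `.*<script.*`.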