1 / 23

From Program Verification to Program Synthesis

From Program Verification to Program Synthesis. Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft Research, Redmond. Program Synthesis. Goal: Automatically generate program Important benefits of program synthesis

johana
Download Presentation

From Program Verification to Program Synthesis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. From Program Verification to Program Synthesis Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft Research, Redmond

  2. Program Synthesis • Goal: Automatically generate program • Important benefits of program synthesis • Reduced programmer burden • Potential to generate novel algorithms • Objective: Automatic program synthesis, given • Pre/post condition (functional specification) • Some hints about the form of the program • Ideally: program is automatically proved correct • Synthesized programs can be complicated scaffold

  3. Proof-theoretic synthesis Our approach: Synthesize program and proof simultaneously Benefits: • Pruning invalid proofs prunes invalid programs • E.g., A program that manipulates a ordered list • Ordered list invariant has to hold, preventing any program that would violate it • View synthesis as generalized verification • Reuse existing verification tools and technology • Tool synthesizes: linear arithmetic programs, sorting, dynamic programming programs

  4. Discrete Line Drawing Input (X,Y) 0<Y≤X (12,7) (10,6) (11,6) (8,5) (9,5) (6,4) (7,4) (5,3) Output values |y-(Y/X)x| ≤ 1/2 (3,2) (4,2) (0,0) Using only linear operations: Bresenham’s line drawing algorithm (2,1) (1,1) (0,0)

  5. Scaffold(1): Functional Specification • Precondition Fpre • Formal specification of possible valid inputs • E.g., 0<Y≤X • Output PostconditionFpost • Formal specification that outputs need to meet • E.g., |y-(Y/X)x| ≤ 1/2

  6. Scaffold(2): Resource Constraints • Hints about the form of the desired program • Looping structure R loop • Acyclic fragments (*), loops (), sequencing (;) • Grammar: L ::= * | (L) | L;L • E.g., R loop = *;(*) • Acyclic fragment followed by a loop with an acyclic fragment inside • Stack R stack • Maximum number of local variables permitted • E.g., R stack = 1 • Only one extra local variable is available • Hints about the form of the desired program • Looping structure R loop • Acyclic fragments (*), loops (), sequencing (;) • Grammar: L ::= * | (L) | L;L • E.g., R loop = *;(*) • Acyclic fragment followed by a loop with an acyclic fragment inside • Stack R stack • Maximum number of local variables permitted • E.g., R stack = 1 • Only one extra local variable is available *  *

  7. Scaffold(3): Domains • Domains for program elements • Expressions Dexp • Guards Dgrd • E.g. • linear or quadratic expression over program variables • predicates with array lookups • Domain for invariants Dprf • Choice of solver • E.g., linear arithmetic • Invariant form: ⋀iaix+biy+ci≥ 0 • Linear arithmetic fixed-point computation tool, i.e., verifier

  8. Outline Input: Scaffold Approach: Synthesis conditions Experiments

  9. Modeling Basic Blocks as Transitions • Task: • Model statements in a manner that a solver can reason about • State update and ordering problematic Basic Block as input->output transition inputs: v,x,Y v := v + 2Y; x++; outputs: v’,x’ transition : ⋀i(output vari = fn(inputvars)) v’ = v + 2Y ⋀x’ = x + 1; Sbody:

  10. Synthesis Task *;(*) expand Sinit while ( Gloop ) { output (x,y) []Gcond1 → Sbody1 []Gcond2 → Sbody2 } • 0<Y≤X • Sinit • while ( Gloop ) { • |y-(Y/X)x| ≤ 1/2 • []Gcond1 → Sbody1 • []Gcond2 → Sbody2 • } Generate values for unknown Sinit/body1/body2,Gloop/cond • Generate proof (invariants)

  11. VC - Safety Constraints Verification condition (VC) output I entry • 0<Y≤X⋀Sinit⇒ I’ • 0<Y≤X • Sinit • while ( Gloop ) { • |y-(Y/X)x| ≤ 1/2 • []Gcond1 → Sbody1 • []Gcond2 → Sbody2 • } entry: • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 output: • I⋀Gcond1⋀Sbody1 ⇒ I’ induct: • I⋀Gcond2⋀Sbody2 ⇒ I’ induct

  12. Fixed point solutions, i.e., invariants verifier Verification condition (VC) ik, i.e., invariant I • 0<Y≤X⋀Sinit⇒ I’ entry: SAT solver • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 output: • I⋀Gcond1⋀Sbody1 ⇒ I’ Assume a form for I,e.g., i1x+i2y+i3≥0 for I (given the domains) induct: • I⋀Gcond2⋀Sbody2 ⇒ I’ boolean clauses Gcond2 Sbody2 Domain specific reducer i1x+i2y+i3≥0⋀ g1x+g2y+g3≥0 ⋀ x’=s1x+s2y+s3 ⋀ y’=…⇒ i1x’+i2y’+i3≥0 • linear arithmetic Linear arithmetic tricks ∃ik: integer SAT instance • linear arithmetic [PLDI’08] • predicate abstraction [PLDI’09]

  13. Fixed point solutions, i.e., invariants verifier Verification condition (VC) ik, i.e., invariant I • 0<Y≤X⋀Sinit⇒ I’ entry: SAT solver • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 output: • I⋀Gcond1⋀Sbody1 ⇒ I’ Assume a form for I,e.g., i1x+i2y+i3≥0 for I (given the domains) induct: • I⋀Gcond2⋀Sbody2 ⇒ I’ boolean clauses Gcond2 Sbody2 Domain specific reducer i1x+i2y+i3≥0⋀ g1x+g2y+g3≥0 ⋀ x’=s1x+s2y+s3 ⋀ y’=…⇒ i1x’+i2y’+i3≥0 • linear arithmetic Linear arithmetic tricks ∃ik: integer SAT instance • linear arithmetic [PLDI’08] • predicate abstraction [PLDI’09]

  14. Unknown statements and guards verifier Synthesize statements and guards! Verification condition (VC) ik, i.e., invariant I • 0<Y≤X⋀Sinit⇒ I’ entry: SAT solver • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 output: • I⋀Gcond1⋀Sbody1 ⇒ I’ Assume a form for I, Gcond2,Sbody2,e.g., i1x+i2y+i3≥0 for I (given the domains) induct: • I⋀Gcond2⋀Sbody2 ⇒ I’ boolean clauses Domain specific reducer i1x+i2y+i3≥0⋀ g1x+g2y+g3≥0⋀ x’=s1x+s2y+s3 ⋀ y’=…⇒ i1x’+i2y’+i3≥0 gk and sk guards/ statements • linear arithmetic Linear arithmetic tricks ∃ik,gk,sk: integer SAT instance • linear arithmetic [PLDI’08] • predicate abstraction [PLDI’09]

  15. Statements unknown Statements unknown: Trivial soln: false false false Ask solver false false false • 0<Y≤X⋀Sinit⇒ I’ • 0<Y≤X⋀Sinit⇒ I’ false false false • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 But transitions, i.e., Sinit,Sbody1,Sbody2, cannot imply false • I⋀Gcond1⋀Sbody1⇒ I’ • I⋀Gcond1⋀Sbody1⇒ I’ • Issue: Well-formedness not ensured • Statements • Conditional Guards • I⋀Gcond2⋀Sbody2⇒ I’ • I⋀Gcond2⋀Sbody2⇒ I’ • Remember, • statement unknowns: transition • ⋀i(output vari = fn(inputvars)) • E.g., v’ = v + 2Y ⋀x’ = x + 1 • Can never imply false • Infer I and Sinit,Sbody1,Sbody2

  16. Additional Constraints • Outputs reachable/termination constraints: • Exists ranking function r • r bounded from below • r decreases in each iteration Safety • 0<Y≤X⋀Sinit⇒ I’ • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 Termination Issue: Termination constraints • I⋀Gcond1⋀Sbody1⇒ I’ • Issue: Well-formedness not ensured • Statements • Conditional Guards Well-formedness • I⋀Gcond2⋀Sbody2⇒ I’ • Well-formedness constraints: • Statement unknowns are not false • Conditional guards form tautologies • Infer I and Sinit,Sbody1,Sbody2,Gloop,Gcond

  17. Additional Constraints Safety User input: Scaffold User input: Program Synthesis Conditions VCGen SCGen • 0<Y≤X⋀Sinit⇒ I’ • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2 Synthesis Conditions Verification Conditions Termination • I⋀Gcond1⋀Sbody1⇒ I’ Fixed-pt Solver Fixed-pt Solver Well-formedness • I⋀Gcond2⋀Sbody2⇒ I’ Synthesized Program+ Proof Verified Program + Proof • Infer I and Sinit,Sbody1,Sbody2,Gloop,Gcond Synthesis (Invariant + Program inference) Verification (Invariant inference) • Solving synthesis conditions does yield valid programs

  18. Example: Discrete Line Drawing Scaffold Fpre Program: v := 2Y-X; y := 0; x := 0; while ( x≤X ) { print (x,y) if ( v<0 ) { v := v + 2Y; x++; } else { v := v + 2(Y-X); y++; x++; } } : 0<Y≤X Fpost : 2|y-(Y/X)x| ≤ 1 R loop : *;(*) R stack Synthesis Conditions : one extra variable Program and Proof Dexp Constraint-based verifier : • Dgrd linear arithmetic Invariant: 0<Y≤X v = 2(x+1)Y-(2y+1)X 2(Y-X) ≤ v ≤ 2Y constraint-based linear arithmetic+ verifier Dprf : Solution strategy (verifier) Ranking function: X-x User Input

  19. Outline Input: Scaffold Approach: Synthesis conditions Experiments

  20. Experiments: Linear Arithmetic • LIA verifier from previous work [PLDI’08] • Benchmarks • Strassen’s 2x2 matrix multiplication • R loop = * and Rstack = 7 --- for holding the seven intermediate results • Swapping two integers without a temporary • R loop = * and Rstack = 0 • Computing the integral square root • Linear search • R loop = *;(*) and R stack = 1 • Binary search • R loop = *;(*) and R stack = 2 • Discrete line drawing • R loop = *;(*) and Rstack = 1

  21. Experiments: Predicate Abstraction • Predicate abstraction verifier from previous work [PLDI’09] • Benchmarks: Sorting • Requires quantified specification and invariants • E.g., All major sorting programs • Specification: sortedness • Vary resource constraints • Nested loop, 0 extra variables: bubble sort, insertion sort • Nested loop, 1 extra variable: selection sort • Recursive, 0 extra variables: merge sort • Recursive, 1 extra variable: quick sort • Benchmarks: Dynamic Programming • Iterative program from its recursive specification • E.g., Fibonacci • Specification f(0)=1, f(1)=1, ∀k>2: f(k)=f(k-1)+f(k-2) • R loop = *;(*) and R stack = 2 • Generated program maintains sliding window (of size 2) and computes f(n)

  22. Experiments: Synthesis times • 1 around 10,000 seconds • 8 under 1000 seconds • 8 under 10 seconds seconds (log scale) 0.1 0.01 0.001 Sorting Prg 1 Sorting Prg 2 Sorting Prg 5 Sorting Prg 4 Sorting Prg 3 All pairs SP (loop) All pairs SP (body) LIA verifier Predicate abstraction verifier

  23. Summary: Proof-theoretic synthesis • Proof-theoretic synthesis • Synthesize programs and proof simultaneously • Treat synthesis as generalized verification • Principled approach to solving for programs using verification • User input: scaffold • Functional specification • Space of desired program • Domains of guards and statements • Resource constraints • Approach: One-shot synthesis, i.e., no iteration • Constraints, synthesis conditions, encode the desired program • Safety, termination, and well-formedness • Solve using existing constraint-based verifiers • Possible to synthesize wide variety of programs

More Related