From program verification to program synthesis
Download
1 / 23

from program verification to program synthesis - PowerPoint PPT Presentation


  • 315 Views
  • Updated On :

From Program Verification to Program Synthesis. Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft Research, Redmond. Program Synthesis. Goal: Automatically generate program Important benefits of program synthesis

Related searches for from program verification to program synthesis

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'from program verification to program synthesis' - johana


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
From program verification to program synthesis l.jpg

From Program Verification to Program Synthesis

Saurabh Srivastava *

Sumit Gulwani ♯

Jeffrey S. Foster *

* University of Maryland, College Park

♯ Microsoft Research, Redmond


Program synthesis l.jpg
Program Synthesis

  • Goal: Automatically generate program

  • Important benefits of program synthesis

    • Reduced programmer burden

    • Potential to generate novel algorithms

    • Objective: Automatic program synthesis, given

    • Pre/post condition (functional specification)

    • Some hints about the form of the program

  • Ideally: program is automatically proved correct

    • Synthesized programs can be complicated

scaffold


Proof theoretic synthesis l.jpg
Proof-theoretic synthesis

Our approach:

Synthesize program and proof simultaneously

Benefits:

  • Pruning invalid proofs prunes invalid programs

    • E.g., A program that manipulates a ordered list

      • Ordered list invariant has to hold, preventing any program that would violate it

  • View synthesis as generalized verification

    • Reuse existing verification tools and technology

  • Tool synthesizes: linear arithmetic programs, sorting, dynamic programming programs


Discrete line drawing l.jpg
Discrete Line Drawing

Input

(X,Y)

0<Y≤X

(12,7)

(10,6)

(11,6)

(8,5)

(9,5)

(6,4)

(7,4)

(5,3)

Output values

|y-(Y/X)x| ≤ 1/2

(3,2)

(4,2)

(0,0)

Using only linear operations:

Bresenham’s line drawing algorithm

(2,1)

(1,1)

(0,0)


Scaffold 1 functional specification l.jpg
Scaffold(1): Functional Specification

  • Precondition Fpre

    • Formal specification of possible valid inputs

    • E.g., 0<Y≤X

  • Output PostconditionFpost

    • Formal specification that outputs need to meet

    • E.g., |y-(Y/X)x| ≤ 1/2


Scaffold 2 resource constraints l.jpg
Scaffold(2): Resource Constraints

  • Hints about the form of the desired program

  • Looping structure R loop

    • Acyclic fragments (*), loops (), sequencing (;)

    • Grammar: L ::= * | (L) | L;L

    • E.g., R loop = *;(*)

      • Acyclic fragment followed by a loop with an acyclic fragment inside

  • Stack R stack

    • Maximum number of local variables permitted

    • E.g., R stack = 1

      • Only one extra local variable is available

  • Hints about the form of the desired program

  • Looping structure R loop

    • Acyclic fragments (*), loops (), sequencing (;)

    • Grammar: L ::= * | (L) | L;L

    • E.g., R loop = *;(*)

      • Acyclic fragment followed by a loop with an acyclic fragment inside

  • Stack R stack

    • Maximum number of local variables permitted

    • E.g., R stack = 1

      • Only one extra local variable is available

*

*


Scaffold 3 domains l.jpg
Scaffold(3): Domains

  • Domains for program elements

    • Expressions Dexp

    • Guards Dgrd

    • E.g.

      • linear or quadratic expression over program variables

      • predicates with array lookups

  • Domain for invariants Dprf

    • Choice of solver

    • E.g., linear arithmetic

      • Invariant form: ⋀iaix+biy+ci≥ 0

      • Linear arithmetic fixed-point computation tool, i.e., verifier


Outline l.jpg
Outline

Input: Scaffold

Approach: Synthesis conditions

Experiments


Modeling basic blocks as transitions l.jpg
Modeling Basic Blocks as Transitions

  • Task:

  • Model statements in a manner that a solver can reason about

  • State update and ordering problematic

Basic Block as input->output transition

inputs: v,x,Y

v := v + 2Y; x++;

outputs: v’,x’

transition : ⋀i(output vari = fn(inputvars))

v’ = v + 2Y ⋀x’ = x + 1;

Sbody:


Synthesis task l.jpg
Synthesis Task

*;(*)

expand

Sinit

while ( Gloop ) {

output (x,y)

[]Gcond1 → Sbody1

[]Gcond2 → Sbody2

}

  • 0<Y≤X

  • Sinit

  • while ( Gloop ) {

  • |y-(Y/X)x| ≤ 1/2

  • []Gcond1 → Sbody1

  • []Gcond2 → Sbody2

  • }

Generate values for

unknown Sinit/body1/body2,Gloop/cond

  • Generate proof (invariants)


Vc safety constraints l.jpg
VC - Safety Constraints

Verification condition (VC)

output

I

entry

  • 0<Y≤X⋀Sinit⇒ I’

  • 0<Y≤X

  • Sinit

  • while ( Gloop ) {

  • |y-(Y/X)x| ≤ 1/2

  • []Gcond1 → Sbody1

  • []Gcond2 → Sbody2

  • }

entry:

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

output:

  • I⋀Gcond1⋀Sbody1 ⇒ I’

induct:

  • I⋀Gcond2⋀Sbody2 ⇒ I’

induct


Fixed point solutions i e invariants l.jpg
Fixed point solutions, i.e., invariants

verifier

Verification condition (VC)

ik, i.e., invariant I

  • 0<Y≤X⋀Sinit⇒ I’

entry:

SAT solver

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

output:

  • I⋀Gcond1⋀Sbody1 ⇒ I’

Assume a form for I,e.g.,

i1x+i2y+i3≥0 for I (given the domains)

induct:

  • I⋀Gcond2⋀Sbody2 ⇒ I’

boolean clauses

Gcond2

Sbody2

Domain specific reducer

i1x+i2y+i3≥0⋀ g1x+g2y+g3≥0 ⋀ x’=s1x+s2y+s3 ⋀ y’=…⇒ i1x’+i2y’+i3≥0

  • linear arithmetic

Linear arithmetic tricks

∃ik:

integer SAT instance

  • linear arithmetic [PLDI’08]

  • predicate abstraction [PLDI’09]


Fixed point solutions i e invariants13 l.jpg
Fixed point solutions, i.e., invariants

verifier

Verification condition (VC)

ik, i.e., invariant I

  • 0<Y≤X⋀Sinit⇒ I’

entry:

SAT solver

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

output:

  • I⋀Gcond1⋀Sbody1 ⇒ I’

Assume a form for I,e.g.,

i1x+i2y+i3≥0 for I (given the domains)

induct:

  • I⋀Gcond2⋀Sbody2 ⇒ I’

boolean clauses

Gcond2

Sbody2

Domain specific reducer

i1x+i2y+i3≥0⋀ g1x+g2y+g3≥0 ⋀ x’=s1x+s2y+s3 ⋀ y’=…⇒ i1x’+i2y’+i3≥0

  • linear arithmetic

Linear arithmetic tricks

∃ik:

integer SAT instance

  • linear arithmetic [PLDI’08]

  • predicate abstraction [PLDI’09]


Unknown statements and guards l.jpg
Unknown statements and guards

verifier

Synthesize statements and guards!

Verification condition (VC)

ik, i.e., invariant I

  • 0<Y≤X⋀Sinit⇒ I’

entry:

SAT solver

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

output:

  • I⋀Gcond1⋀Sbody1 ⇒ I’

Assume a form for I, Gcond2,Sbody2,e.g.,

i1x+i2y+i3≥0 for I (given the domains)

induct:

  • I⋀Gcond2⋀Sbody2 ⇒ I’

boolean clauses

Domain specific reducer

i1x+i2y+i3≥0⋀ g1x+g2y+g3≥0⋀ x’=s1x+s2y+s3 ⋀ y’=…⇒ i1x’+i2y’+i3≥0

gk and sk

guards/

statements

  • linear arithmetic

Linear arithmetic tricks

∃ik,gk,sk:

integer SAT instance

  • linear arithmetic [PLDI’08]

  • predicate abstraction [PLDI’09]


Statements unknown l.jpg
Statements unknown

Statements

unknown:

Trivial soln:

false

false

false

Ask

solver

false

false

false

  • 0<Y≤X⋀Sinit⇒ I’

  • 0<Y≤X⋀Sinit⇒ I’

false

false

false

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

But transitions, i.e., Sinit,Sbody1,Sbody2, cannot imply false

  • I⋀Gcond1⋀Sbody1⇒ I’

  • I⋀Gcond1⋀Sbody1⇒ I’

  • Issue: Well-formedness not ensured

  • Statements

  • Conditional Guards

  • I⋀Gcond2⋀Sbody2⇒ I’

  • I⋀Gcond2⋀Sbody2⇒ I’

  • Remember,

  • statement unknowns: transition

    • ⋀i(output vari = fn(inputvars))

    • E.g., v’ = v + 2Y ⋀x’ = x + 1

  • Can never imply false

  • Infer I and Sinit,Sbody1,Sbody2


Additional constraints l.jpg
Additional Constraints

  • Outputs reachable/termination constraints:

  • Exists ranking function r

  • r bounded from below

  • r decreases in each iteration

Safety

  • 0<Y≤X⋀Sinit⇒ I’

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

Termination

Issue: Termination constraints

  • I⋀Gcond1⋀Sbody1⇒ I’

  • Issue: Well-formedness not ensured

  • Statements

  • Conditional Guards

Well-formedness

  • I⋀Gcond2⋀Sbody2⇒ I’

  • Well-formedness constraints:

  • Statement unknowns are not false

  • Conditional guards form tautologies

  • Infer I and Sinit,Sbody1,Sbody2,Gloop,Gcond


Additional constraints17 l.jpg
Additional Constraints

Safety

User input: Scaffold

User input: Program

Synthesis

Conditions

VCGen

SCGen

  • 0<Y≤X⋀Sinit⇒ I’

  • I⋀Gloop⇒ |y-(Y/X)x| ≤ 1/2

Synthesis Conditions

Verification Conditions

Termination

  • I⋀Gcond1⋀Sbody1⇒ I’

Fixed-pt Solver

Fixed-pt Solver

Well-formedness

  • I⋀Gcond2⋀Sbody2⇒ I’

Synthesized Program+ Proof

Verified Program + Proof

  • Infer I and Sinit,Sbody1,Sbody2,Gloop,Gcond

Synthesis

(Invariant + Program inference)

Verification

(Invariant inference)

  • Solving synthesis conditions does yield valid programs


Example discrete line drawing l.jpg
Example: Discrete Line Drawing

Scaffold

Fpre

Program:

v := 2Y-X; y := 0; x := 0;

while ( x≤X ) {

print (x,y)

if ( v<0 ) {

v := v + 2Y; x++;

} else {

v := v + 2(Y-X); y++; x++;

}

}

: 0<Y≤X

Fpost

: 2|y-(Y/X)x| ≤ 1

R loop

: *;(*)

R stack

Synthesis Conditions

: one extra variable

Program and Proof

Dexp

Constraint-based verifier

:

  • Dgrd

linear arithmetic

Invariant:

0<Y≤X

v = 2(x+1)Y-(2y+1)X

2(Y-X) ≤ v ≤ 2Y

constraint-based

linear arithmetic+

verifier

Dprf

:

Solution

strategy

(verifier)

Ranking function:

X-x

User Input


Outline19 l.jpg
Outline

Input: Scaffold

Approach: Synthesis conditions

Experiments


Experiments linear arithmetic l.jpg
Experiments: Linear Arithmetic

  • LIA verifier from previous work [PLDI’08]

  • Benchmarks

    • Strassen’s 2x2 matrix multiplication

      • R loop = * and Rstack = 7 --- for holding the seven intermediate results

    • Swapping two integers without a temporary

      • R loop = * and Rstack = 0

    • Computing the integral square root

      • Linear search

        • R loop = *;(*) and R stack = 1

      • Binary search

        • R loop = *;(*) and R stack = 2

    • Discrete line drawing

      • R loop = *;(*) and Rstack = 1


Experiments predicate abstraction l.jpg
Experiments: Predicate Abstraction

  • Predicate abstraction verifier from previous work [PLDI’09]

  • Benchmarks: Sorting

    • Requires quantified specification and invariants

    • E.g., All major sorting programs

      • Specification: sortedness

      • Vary resource constraints

        • Nested loop, 0 extra variables: bubble sort, insertion sort

        • Nested loop, 1 extra variable: selection sort

        • Recursive, 0 extra variables: merge sort

        • Recursive, 1 extra variable: quick sort

  • Benchmarks: Dynamic Programming

    • Iterative program from its recursive specification

    • E.g., Fibonacci

      • Specification f(0)=1, f(1)=1, ∀k>2: f(k)=f(k-1)+f(k-2)

      • R loop = *;(*) and R stack = 2

      • Generated program maintains sliding window (of size 2) and computes f(n)


Experiments synthesis times l.jpg
Experiments: Synthesis times

  • 1 around 10,000 seconds

  • 8 under 1000 seconds

  • 8 under 10 seconds

seconds (log scale)

0.1

0.01

0.001

Sorting Prg 1

Sorting Prg 2

Sorting Prg 5

Sorting Prg 4

Sorting Prg 3

All pairs SP (loop)

All pairs SP (body)

LIA verifier

Predicate abstraction verifier


Summary proof theoretic synthesis l.jpg
Summary: Proof-theoretic synthesis

  • Proof-theoretic synthesis

    • Synthesize programs and proof simultaneously

    • Treat synthesis as generalized verification

      • Principled approach to solving for programs using verification

  • User input: scaffold

    • Functional specification

    • Space of desired program

      • Domains of guards and statements

      • Resource constraints

  • Approach: One-shot synthesis, i.e., no iteration

    • Constraints, synthesis conditions, encode the desired program

      • Safety, termination, and well-formedness

    • Solve using existing constraint-based verifiers

    • Possible to synthesize wide variety of programs


ad