Presentation is loading. Please wait.

Presentation is loading. Please wait.

From Program Verification to Program Synthesis Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft.

Published byKelley Owens Modified over 8 years ago

Similar presentations

Presentation on theme: "From Program Verification to Program Synthesis Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft."— Presentation transcript:

1 From Program Verification to Program Synthesis Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft Research, Redmond

2 Program Synthesis Goal: Automatically generate program Important benefits of program synthesis – Reduced programmer burden – Potential to generate novel algorithms Objective: Automatic program synthesis, given – Pre/post condition (functional specification) – Some hints about the form of the program Ideally: program is automatically proved correct – Synthesized programs can be complicated scaffold

3 Proof-theoretic synthesis Our approach: Synthesize program and proof simultaneously Benefits: Pruning invalid proofs prunes invalid programs – E.g., A program that manipulates a ordered list Ordered list invariant has to hold, preventing any program that would violate it View synthesis as generalized verification – Reuse existing verification tools and technology Tool synthesizes: linear arithmetic programs, sorting, dynamic programming programs

4 Discrete Line Drawing (0,0) (X,Y) |y-(Y/X)x| ≤ 1/2 Output values Input (0,0) (1,1) (2,1) (3,2)(4,2) (5,3) (6,4)(7,4) (8,5)(9,5) (10,6)(11,6) (12,7) 0<Y≤X Using only linear operations: Bresenham’s line drawing algorithm Using only linear operations: Bresenham’s line drawing algorithm

5 Scaffold(1): Functional Specification Precondition F pre – Formal specification of possible valid inputs – E.g., 0<Y≤X Output Postcondition F post – Formal specification that outputs need to meet – E.g., |y-(Y/X)x| ≤ 1/2

6 Hints about the form of the desired program Looping structure R loop – Acyclic fragments (*), loops (  ), sequencing (;) – Grammar: L ::= * |  (L) | L;L – E.g., R loop = *;  (*) Acyclic fragment followed by a loop with an acyclic fragment inside Stack R stack – Maximum number of local variables permitted – E.g., R stack = 1 Only one extra local variable is available Hints about the form of the desired program Looping structure R loop – Acyclic fragments (*), loops (  ), sequencing (;) – Grammar: L ::= * |  (L) | L;L – E.g., R loop = *;  (*) Acyclic fragment followed by a loop with an acyclic fragment inside Stack R stack – Maximum number of local variables permitted – E.g., R stack = 1 Only one extra local variable is available Scaffold(2): Resource Constraints  * *

7 Scaffold(3): Domains Domains for program elements – Expressions D exp – Guards D grd – E.g. linear or quadratic expression over program variables predicates with array lookups Domain for invariants D prf – Choice of solver – E.g., linear arithmetic Invariant form: ⋀ i a i x+b i y+c i ≥ 0 Linear arithmetic fixed-point computation tool, i.e., verifier

8 Outline Input: Scaffold Approach: Synthesis conditions Experiments

9 Modeling Basic Blocks as Transitions v := v + 2Y; x++; Basic Block as input->output transition inputs: v,x,Y outputs: v’,x’ S body : v’ = v + 2Y ⋀ x’ = x + 1; transition : ⋀ i ( output var i = fn(input vars) ) Task: Model statements in a manner that a solver can reason about State update and ordering problematic Task: Model statements in a manner that a solver can reason about State update and ordering problematic

10 S init while ( G loop ) { output (x,y) []G cond1 → S body1 []G cond2 → S body2 } S init while ( G loop ) { output (x,y) []G cond1 → S body1 []G cond2 → S body2 } expand 0<Y≤X S init while ( G loop ) { |y-(Y/X)x| ≤ 1/2 []G cond1 → S body1 []G cond2 → S body2 } 0<Y≤X S init while ( G loop ) { |y-(Y/X)x| ≤ 1/2 []G cond1 → S body1 []G cond2 → S body2 } Synthesis Task Generate values for unknown S init/body1/body2, G loop/cond Generate values for unknown S init/body1/body2, G loop/cond Generate proof (invariants) *;  (*)

11 0<Y≤X S init while ( G loop ) { |y-(Y/X)x| ≤ 1/2 []G cond1 → S body1 []G cond2 → S body2 } 0<Y≤X S init while ( G loop ) { |y-(Y/X)x| ≤ 1/2 []G cond1 → S body1 []G cond2 → S body2 } Verification condition (VC) VC - Safety Constraints entry output induct induct: entry: output: 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ I

12 linear arithmetic verifier Verification condition (VC) Fixed point solutions, i.e., invariants induct: entry: output: 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ i k, i.e., invariant I SAT solver boolean clauses Domain specific reducer linear arithmetic [PLDI’08] predicate abstraction [PLDI’09] ∃ik:∃ik: ∃ik:∃ik: integer SAT instance Linear arithmetic tricks i 1 x+i 2 y+i 3 ≥0 ⋀ g 1 x+g 2 y+g 3 ≥0 ⋀ x’=s 1 x+s 2 y+s 3 ⋀ y’=… ⇒ i 1 x’+i 2 y’+i 3 ≥0 Assume a form for I, e.g., i 1 x+i 2 y+i 3 ≥0 for I (given the domains) G cond2 S body2

13 linear arithmetic verifier Verification condition (VC) Fixed point solutions, i.e., invariants induct: entry: output: 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ i k, i.e., invariant I SAT solver boolean clauses Domain specific reducer linear arithmetic [PLDI’08] predicate abstraction [PLDI’09] ∃ik:∃ik: ∃ik:∃ik: integer SAT instance Linear arithmetic tricks i 1 x+i 2 y+i 3 ≥0 ⋀ g 1 x+g 2 y+g 3 ≥0 ⋀ x’=s 1 x+s 2 y+s 3 ⋀ y’=… ⇒ i 1 x’+i 2 y’+i 3 ≥0 Assume a form for I, e.g., i 1 x+i 2 y+i 3 ≥0 for I (given the domains) G cond2 S body2

14 linear arithmetic verifier Verification condition (VC) Unknown statements and guards induct: entry: output: 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ i k, i.e., invariant I SAT solver boolean clauses Domain specific reducer linear arithmetic [PLDI’08] predicate abstraction [PLDI’09] ∃ i k,g k,s k : integer SAT instance Linear arithmetic tricks i 1 x+i 2 y+i 3 ≥0 ⋀ g 1 x+g 2 y+g 3 ≥0 ⋀ x’=s 1 x+s 2 y+s 3 ⋀ y’=… ⇒ i 1 x’+i 2 y’+i 3 ≥0 Assume a form for I, G cond2, S body2, e.g., i 1 x+i 2 y+i 3 ≥0 for I (given the domains) g k and s k Synthesize statements and guards! guards/ statements

15 Statements unknown Infer I and S init,S body1,S body2 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ false Trivial soln: Statements unknown: Ask solver Issue: Well-formedness not ensured Statements Conditional Guards Issue: Well-formedness not ensured Statements Conditional Guards But transitions, i.e., S init,S body1,S body2, cannot imply false Remember, statement unknowns: transition ⋀ i ( output var i = fn(input vars) ) E.g., v’ = v + 2Y ⋀ x’ = x + 1 Can never imply false

16 Infer I and S init,S body1,S body2,G loop,G cond Additional Constraints 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ Well-formedness constraints: Statement unknowns are not false Conditional guards form tautologies Well-formedness constraints: Statement unknowns are not false Conditional guards form tautologies Outputs reachable/termination constraints: Exists ranking function r r bounded from below r decreases in each iteration Outputs reachable/termination constraints: Exists ranking function r r bounded from below r decreases in each iteration Safety Termination Well-formedness Issue: Termination constraints Issue: Well-formedness not ensured Statements Conditional Guards Issue: Well-formedness not ensured Statements Conditional Guards

17 Infer I and S init,S body1,S body2,G loop,G cond Additional Constraints 0<Y≤X ⋀ S init ⇒ I’ I ⋀ G loop ⇒ |y-(Y/X)x| ≤ 1/2 I ⋀ G cond1 ⋀ S body1 ⇒ I’ I ⋀ G cond2 ⋀ S body2 ⇒ I’ Solving synthesis conditions does yield valid programs Synthesis Conditions Synthesis Conditions Safety Termination Well-formedness User input: Program VCGen User input: Scaffold SCGen Verification Conditions Verified Program + Proof Fixed-pt Solver Verification (Invariant inference) Synthesized Program+ Proof Fixed-pt Solver Synthesis (Invariant + Program inference) Synthesis Conditions

18 User Input linear arithmetic : one extra variable : *;  (*) : 2|y-(Y/X)x| ≤ 1 : 0<Y≤X : : constraint-based linear arithmetic + verifier Program and Proof Solution strategy (verifier) Solution strategy (verifier) Example: Discrete Line Drawing F pre F post R loop R stack D exp Program: v := 2Y-X; y := 0; x := 0; while ( x≤X ) { print (x,y) if ( v<0 ) { v := v + 2Y; x++; } else { v := v + 2(Y-X); y++; x++; } Program: v := 2Y-X; y := 0; x := 0; while ( x≤X ) { print (x,y) if ( v<0 ) { v := v + 2Y; x++; } else { v := v + 2(Y-X); y++; x++; } Invariant: 0<Y≤X v = 2(x+1)Y-(2y+1)X 2(Y-X) ≤ v ≤ 2Y Invariant: 0<Y≤X v = 2(x+1)Y-(2y+1)X 2(Y-X) ≤ v ≤ 2Y Ranking function: X-x Ranking function: X-x D grd D prf Scaffol d Constraint- based verifier

19 Outline Input: Scaffold Approach: Synthesis conditions Experiments

20 Experiments: Linear Arithmetic LIA verifier from previous work [PLDI’08] Benchmarks – Strassen’s 2x2 matrix multiplication R loop = * and R stack = 7 --- for holding the seven intermediate results – Swapping two integers without a temporary R loop = * and R stack = 0 – Computing the integral square root Linear search – R loop = *;  (*) and R stack = 1 Binary search – R loop = *;  (*) and R stack = 2 – Discrete line drawing R loop = *;  (*) and R stack = 1

21 Experiments: Predicate Abstraction Predicate abstraction verifier from previous work [PLDI’09] Benchmarks: Sorting – Requires quantified specification and invariants – E.g., All major sorting programs Specification: sortedness Vary resource constraints – Nested loop, 0 extra variables: bubble sort, insertion sort – Nested loop, 1 extra variable: selection sort – Recursive, 0 extra variables: merge sort – Recursive, 1 extra variable: quick sort Benchmarks: Dynamic Programming – Iterative program from its recursive specification – E.g., Fibonacci Specification f(0)=1, f(1)=1, ∀ k>2: f(k)=f(k-1)+f(k-2) R loop = *;  (*) and R stack = 2 Generated program maintains sliding window (of size 2) and computes f(n)

22 1 around 10,000 seconds 8 under 1000 seconds 8 under 10 seconds Experiments: Synthesis times 0.1 0.01 0.001 seconds (log scale) Predicate abstraction verifierLIA verifier Sorting Prg 1 Sorting Prg 2 Sorting Prg 3 Sorting Prg 4 Sorting Prg 5 All pairs SP (loop) All pairs SP (body)

23 Summary: Proof-theoretic synthesis Proof-theoretic synthesis – Synthesize programs and proof simultaneously – Treat synthesis as generalized verification Principled approach to solving for programs using verification User input: scaffold – Functional specification – Space of desired program Domains of guards and statements Resource constraints Approach: One-shot synthesis, i.e., no iteration – Constraints, synthesis conditions, encode the desired program Safety, termination, and well-formedness – Solve using existing constraint-based verifiers – Possible to synthesize wide variety of programs

Download ppt "From Program Verification to Program Synthesis Saurabh Srivastava * Sumit Gulwani ♯ Jeffrey S. Foster * * University of Maryland, College Park ♯ Microsoft."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University.

Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
HST 952 Computing for Biomedical Scientists Lecture 10.

HST 952 Computing for Biomedical Scientists Lecture 10.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
CS 355 – Programming Languages

CS 355 – Programming Languages
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.

Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.
Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.

Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.
VS 3 : Verification and Synthesis using SMT Solvers SMT Solvers for Program Verification Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University.

VS 3 : Verification and Synthesis using SMT Solvers SMT Solvers for Program Verification Saurabh Srivastava * Sumit Gulwani ** Jeffrey S. Foster * * University.
Program Verification using Templates over Predicate Abstraction Saurabh Srivastava University of Maryland, College Park Sumit Gulwani Microsoft Research,

Program Verification using Templates over Predicate Abstraction Saurabh Srivastava University of Maryland, College Park Sumit Gulwani Microsoft Research,

Similar presentations

Ads by Google