From Verification to Synthesis Sumit Gulwani August 2013
advertisement
From Verification to Synthesis
Sumit Gulwani
sumitg@microsoft.com
Microsoft Research, Redmond
August 2013
Marktoberdorf Summer School Lectures: Part 1
Synthesis
Goal: Synthesize a computational concept in some underlying
language from user intent using some search technique.
Significance:
– Variety of computational devices, platforms, models.
• Difficult to remember/learn a new programming framework.
• Billions of non-experts have access to these!
– Enabling technology is now available.
• Better search algorithms
• Faster machines (good application for multi-cores)
State of the art: We can synthesize programs of size 10-20.
This is a revolutionary capability if we
• target the right set of application domains, and
• provide the right intent specification mechanism
1
Synthesis
Goal: Synthesize a computational concept in some underlying
language from user intent using some search technique.
Significance:
– Variety of computational devices, platforms, models.
• Difficult to remember/learn a new programming framework.
• Billions of non-experts have access to these!
– Enabling technology is now available.
• Better search algorithms
• Faster machines (good application for multi-cores)
State of the art: We can synthesize programs of size 10-20.
This is a revolutionary capability if we
• target the right set of application domains, and
• provide the right intent specification mechanism
2
Dimensions in Synthesis
• Language (Application)
– Programs
• Straight-line programs
– Automata
– Queries
• User Intent (Ambiguity)
– Logic, Natural Language
– Examples, Demonstrations/Traces
– Program
• Search Technique (Algorithm)
– SAT/SMT solvers (Formal Methods)
– A*-style goal-directed search (AI)
– Version space algebras (Machine Learning)
PPDP 2010: “Dimensions in Program Synthesis”, Gulwani.
3
Compilers vs. Synthesizers
Dimension
Compilers
Synthesizers
Concept
Language
Executable Program
Variety of concepts:
Program, Automata, Query,
Sequence
User Intent
Structured language Variety/mixed form of
constraints: logic, examples,
traces
Search
Technique
Syntax-directed
Uses some kind of search
translation (No new (Discovers new algorithmic
algorithmic insights) insights)
4
Outline
• Part 1: From verification to synthesis
–
–
–
–
–
Bitvector algorithms (PLDI 2011, ICSE 2012)
General loopy programs (POPL 2010)
SIMD algorithms (PPoPP 2013)
Program inverses (PLDI 2011)
Graph algorithms (OOPSLA 2010)
• Part 2: End-user Programming (Examples & Natural Language)
–
–
–
–
Syntactic string transformations: Flash Fill (POPL 2011)
Semantic string transformations (VLDB 2012)
Table layout transformations (PLDI 2011)
Smartphone scripts (MobiSys 2013)
• Part 3: Computer-aided Education
–
–
–
–
Problem Synthesis (AAAI 2012, CHI 2013)
Solution Synthesis (PLDI 2011, IJCAI 2013)
Feedback Synthesis (PLDI 2013, IJCAI 2013)
Content Authoring (CHI 2012)
5
From Verification to Synthesis
Application
Generating Synthesis Solving Synthesis
Constraint
Constraint
Bitvector
Loopy Alg.
SIMD
Location variables
CEGIS + SMT
Template-based
SMT
Relational verification CEGIS +
Reachability value graph
Template-based +
SMT
symbolic execution
Inverses
Graph Alg.
Already in constraint
form!
CEGIS +
Fact enumeration
6
From Verification to Synthesis
Application
Generating Synthesis Solving Synthesis
Constraint
Constraint
Bitvector
Loopy Alg.
SIMD
Location variables
CEGIS + SMT
Inverses
Graph Alg.
Reference:
Synthesis of Loop-free Programs,
PLDI 2011, Gulwani, Jha, Tiwari, Venkatesan
7
Dimensions in Synthesis
• Language
– Programs
• Straight-line programs
– Automata
– Queries
• User Intent
– Logic, Natural Language
– Examples, Demonstrations/Traces
– Program
• Search Technique
– SAT/SMT solvers (Formal Methods)
– A*-style goal-directed search (AI)
– Version space algebras (Machine Learning)
8
Bitvector Algorithms
Straight-line programs that use
– Arithmetic Operators: +,-,*,/
– Logical Operators: Bitwise and/or/not, Shift left/right
9
Examples of Bitvector Algorithms
Turn-off rightmost 1-bit
10101100
&
Z
10101000
Z & (Z-1)
10101100
Z
10101011
Z-1
10101000
Z & (Z-1)
10
Examples of Bitvector Algorithms
Turn-off rightmost contiguous sequence of 1-bits
10101100
10100000
Z
Z & (1 + (Z | (Z-1)))
Ceil of average of two integers without overflowing
(Y|Z) – ((Y©Z) >> 1)
11
Examples of Bitvector Algorithms
Round up to next
highest power of 2
o1 := sub(x,1);
o2 := shr(o1,1);
o3 := or(o1,o2);
o4 := shr(o3,2);
o5 := or(o3,o4);
o6 := shr(o5,4);
o7 := or(o5,o6);
o8 := shr(o7,8);
o9 := or(o7,o8);
o10 := shr(o9,16);
o11 := or(o9,o10);
res := add(o10,1);
Higher order half
of product of x and y
o1 := and(x,0xFFFF);
o2 := shr(x,16);
o3 := and(y,0xFFFF);
o4 := shr(y,16);
o5 := mul(o1,o3);
o6 := mul(o2,o3);
o7 := mul(o1,o4);
o8 := mul(o2,o4);
o9 := shr(o5,16);
o10 := add(o6,o9);
o11 := and(o10,0xFFFF);
o12 := shr(o10,16);
o13 := add(o7,o11);
o14 := shr(o13,16);
o15 := add(o14,o12);
res := add(o15,o8);
12
Problem Definition
Given:
• Specification
• Specification
of desired functionality
of library components
Synthesize a straight-line program
where
• Each variable in is either or some
•
is a permutation of 1...n
where k<j
that meets the desired specification.
Verification
Constraint
13
Problem Definition: Turn-off rightmost 1 bit
• Specification of desired functionality
• Specification of library components
14
Synthesis Constraint
Verification
Constraint
Synthesis
Constraint
15
Idea # 1: Reduce Second-order Quantification in
Synthesis Constraint to First Order
represents which component goes on which location
(line #) and from which location does it gets its input
arguments. We encode this by location variables L.
16
Example: Possible programs that use 2 components
and their Representation using Location Variables
17
Encoding Well-formedness of Programs
The following constraint ensures that L assignments
correspond to well-formed programs.
• Consistency Constraint: Every line in the program
should have at most one component.
• Acyclicity Constraint: A variable should be initialized
before being used.
18
Encoding data-flow
The following constraint describes connections
between inputs and outputs of various components.
19
Idea # 1: Reduce Second-order Quantification in
Synthesis Constraint to First Order
20
Idea # 2: Using CEGIS style procedure to
solve the Synthesis Constraint
Synthesis constraint is of the form: 9L 8Y F(L,Y)
Choose some values y1,..,yn for y
Finite Synthesis Step
9L F(L,y1) Æ … Æ F(L,yn)
No Solution
Failure
Solution L = S
Verification Step
Does 8Y F(S,Y) hold?
Or, equivalently 9Y :F(S,Y)
Solution Y = yn+1
No Solution
return S
21
Experiments: Comparison with Brute-force Search
Program
Brahma
AHA
time
Program
Name
lines iters time
P13
4
4
6
X
P14
4
4
60
X
P15
4
8
119
X
P16
4
5
62
X
P17
4
6
78
109
P18
6
5
46
X
P19
6
5
35
X
P20
7
6
108
X
P21
8
5
28
X
P22
8
8
279
X
P23
10
8
1668
X
P24
12
9
224
X
P25
16
11
2779 X
Name
lines iters
time
P1
2
2
3
0.1
P2
2
3
3
0.1
P3
2
3
1
0.1
P4
2
2
3
0.1
P5
2
3
2
0.1
P6
2
2
2
0.1
P7
3
2
1
2
P8
3
2
1
1
P9
3
2
6
7
P10
3
14
76
10
P11
3
7
57
9
P12
3
9
67
10
Brahma
AHA
time
22
Related Work: Program Sketching
Reference:
Program Synthesis by Sketching, Phd Thesis 2008,
Armando Solar-Lezama (Advisor: Ras Bodik @ UC-Berkeley)
• Key Ideas:
– Write an arbitrary program with holes, where each hole
takes values from a finite domain.
– Use CEGIS to generate SAT constraints on holes.
• Cons: Not as efficient as domain-specific synthesizers.
– (On bitvector benchmark, times out on 9/25 tasks, and on
the remaining it is slower by 20x on average).
• Pros:
– A very powerful formalism that can be used to model a
variety of synthesis problems.
– Sees synthesis as an interactive process.
23
Synthesizing Bitvector Algorithms
from Examples
Reference:
Oracle-Guided Component-Based Program Synthesis,
ICSE 2012, Jha, Gulwani, Seshia, Tiwari
Dimensions in Synthesis
• Language
– Programs
• Straight-line programs
– Automata
– Queries
• User Intent
– Logic, Natural Language
– Examples, Demonstrations/Traces
– Program
• Search Technique
– SAT/SMT solvers (Formal Methods)
– A*-style goal-directed search (AI)
– Version space algebras (Machine Learning)
25
Synthesis from Logical Specifications
Turn-off rightmost contiguous string of 1-bits
10101100
𝑥
10100000
𝑦 = 𝑥 & (1 + (𝑥 | (𝑥 − 1)))
26
Interactive Synthesis using Examples
Turn-off rightmost contiguous string of 1’s
User: I want a program that maps 01011 -> 01000
Tool: There exist at least two programs that match the spec
Program 1: (𝑥 + 1) & (𝑥 − 1)
Program 2: (𝑥 + 1) & 𝑥
But they differ on 00000 (Distinguishing Input)
What should 00000 be mapped to?
User: 00000 -> 00000
27
Interactive Synthesis using Examples
Turn-off rightmost contiguous string of 1’s
User: 01011 -> 01000
Tool: 00000 ?
User: 00000
Tool: 01111 ?
User: 00000
Tool: 00110 ?
User: 00000
Tool: 01100 ?
User: 00000
Tool: 01010 ?
User: 01000
Tool: Your program is
𝑥 & (1 + (𝑥 | (𝑥 − 1)))
28
Distinguishing Input Constraint
L is a program that on input 𝐼 returns output 𝑂.
L is consistent with the set E of examples.
∃ 𝑰, 𝑳, 𝑳′ ∶ 𝑩𝒆𝒉𝒂𝒗𝒆𝑬 𝑳 ∧ 𝑩𝒆𝒉𝒂𝒗𝒆𝑬 𝑳′ ∧
𝝓𝒇𝒖𝒏𝒄 (𝑳, 𝑰, 𝑶) ∧ 𝝓𝒇𝒖𝒏𝒄 𝑳′, 𝑰, 𝑶′ ∧ 𝑶 ≠ 𝑶′
29
Related Work: Smart Sampling
Reference:
Automated Synthesis of Symbolic Instruction Encodings
from I/O Samples
PLDI 2012, Patrice Godefroid, Ankur Taly
• Key Idea: Generate upfront a set of distinguishing
inputs for a given class of programs.
• Pros: Makes the process much more efficient that
distinguishing constraint generation at run-time.
• Cons: Domain-specific
30
From Verification to Synthesis
Application
Generating Synthesis Solving Synthesis
Constraint
Constraint
Bitvector
Loopy Alg.
SIMD
Location variables
Template-based
CEGIS + SMT
SMT
Inverses
Graph Alg.
Reference:
From Program Verification to Program Synthesis,
POPL 2011, Srivastava, Gulwani, Foster
31
Dimensions in Synthesis
• Language
– Programs
• Straight-line programs
– Automata
– Queries
• User Intent
– Logic, Natural Language
– Examples, Demonstrations/Traces
– Program
• Search Technique
– SAT/SMT solvers (Formal Methods)
– A*-style goal-directed search (AI)
– Version space algebras (Machine Learning)
32
Template-based Invariant Generation
• Goal-directed invariant generation for verification
of a Hoare triple (Pre, Program, Post)
Pre
I while (c)
S
Post
VCGen
Base Case
Pre ) I
9 I 8X I Æ :c ) Post Precision
(I Æ c)[S] ) I Inductive Case
Verification Constraint
(Second-order)
• Key Idea: Reduce the second-order verification constraint
to a first-order satisfiability constraint that can be solved
using off-the-shelf SAT/SMT solvers
– Choose a template for I (specific color/shade in some logic).
– Convert 8 into 9.
33
Key Idea in reducing 8 to 9 for various Domains
Trick for converting 8 to 9 is known for following domains:
• Linear Arithmetic
– Farkas Lemma
• Linear Arithmetic + Uninterpreted Fns.
– Farkas Lemma + Ackerman’s Reduction
• Non-linear Arithmetic
– Grobner Basis
• Predicate Abstraction
– Boolean indicator variables + Cover Algorithm (Abduction)
• Quantified Predicate Abstraction
– Boolean indicator variables + More general Abduction
34
Template-based Invariant Generation: References
• Linear Arithmetic
– Constraint-based Linear-relations analysis;
Sankaranarayanan, Sipma, Manna; SAS ’04
– Program analysis as constraint solving;
Gulwani, Srivastava, Venkatesan; PLDI ‘08
• Linear Arithmetic + Uninterpreted Fns.
– Invariant synthesis for combined theories;
Beyer, Henzinger, Majumdar, Rybalchenko; VMCAI ‘07
• Non-linear Arithmetic
– Non-linear loop invariant generation using Gröbner bases;
Sankaranarayanan, Sipma, Manna; POPL ’04
• Predicate Abstraction
– Constraint-based invariant inference over predicate abstraction;
Gulwani, Srivastava, Venkatesan; VMCAI ’09
• Quantified Predicate Abstraction
– Program verification using templates over predicate abstraction;
Srivastava, Gulwani; PLDI ‘09
35
Example: Bresenham’s Line Drawing Algorithm
[0<Y·X]
v1:=2Y-X; y:=0; x:=0;
while (x · X)
out[x] := y;
if (v1<0) v1:=v1+2Y;
else v1:=v1+2(Y-X); y++;
return out;
[8k (0·k·X ) |out[k]–(Y/X)k| · ½)]
Postcondition: The best fit line shouldn’t deviate more than
half a pixel from the real line, i.e., |y – (Y/X)x| · 1/2
36
Transition System Representation
[0<Y·X]
v1:=2Y-X; y:=0; x:=0;
while (x·X)
v1<0: out’=Update(out,x,y) Æ v’1=v1+2Y Æ y’=y Æ x’=x+1
v1¸0: out’=Update(out,x,y) Æ v1=v1+2(Y-X) Æ y’=y+1Æ x’=x+1
[8k (0·k·X ) |out[k]–(Y/X)k| · ½)]
Or, equivalently, [Pre]
sentry;
Where,
while (gloop)
gbody1: v1<0
gbody1: sbody1;
gbody2: v1¸0
gbody2: sbody2;
gloop: x·X
[Post]
sentry: v1’=2Y-X Æ y’=0 Æ x’=0
sbody1: out’=Update(out,x,y) Æ v’1=v1+2Y Æ x’=x+1 Æ y’=y
sbody2: out’=Update(out,x,y) Æ v’1=v1+2(Y-X) Æ x’=x+1 Æ y’=y+1 37
Verification Constraint Generation & Solution
Verification Constraint:
Pre Æ sentry ) I’
I Æ gloop Æ gbody1 Æ sbody1 ) I’
I Æ gloop Æ gbody2 Æ sbody2 ) I’
I Æ :gloop ) Post
Given Pre, Post, gloop, gbody1, gbody2, sbody1, sbody2, we can find
solution for I using constraint-based techniques.
I:
0<Y·X Æ v1=2(x+1)Y-(2y+1)X Æ 2(Y-X)·v1·2Y Æ
8k(0·k·x ) |out[k]–(Y/X)k| · ½)
38
From Verification to Synthesis
Verification Constraint:
Pre Æ sentry ) I’
I Æ gloop Æ gbody1 Æ sbody1 ) I’
I Æ gloop Æ gbody2 Æ sbody2 ) I’
I Æ :gloop ) Post
• What if we treat each g and s as unknowns like I?
• We get a solution that has gbody1 = gbody2 = false.
– This doesn’t correspond to a valid transition system.
– We can fix this by encoding gbody1 Ç gbody2 = true.
• We now get a solution that has gloop = true.
– This corresponds to a non-terminating loop.
– We can fix this by encoding existence of a ranking function.
• We now discover each g and s along with I.
– We have gone from Invariant Synthesis to Program Synthesis.
39
From Verification to Synthesis
Application
Generating Synthesis Solving Synthesis
Constraint
Constraint
Bitvector
Location variables
Loopy Alg.
SIMD
Template-based
SMT
Relational verification CEGIS +
Reachability value graph
CEGIS + SMT
Inverses
Graph Alg.
Reference:
From Relational Verification to SIMD Loop Synthesis,
PPoPP 2013 (Best Paper Award),
Barthe, Crespo, Gulwani, Kunz, Marron
40
Dimensions in Synthesis
• Language
– Programs
• Straight-line programs
– Automata
– Queries
• User Intent
– Logic, Natural Language
– Examples, Demonstrations/Traces
– Program
• Search Technique
– SAT/SMT solvers (Formal Methods)
– A*-style goal-directed search (AI)
– Version space algebras (Machine Learning)
41
Example (Exists Function)
struct { int tag; int score; } widget;
int exists(widget* vals, int len, int t, int s)
{
for(int i = 0; i < len; ++i)
{
int tagok = vals[i].tag == t;
int scoreok = vals[i].score > s;
int andok = tagok & scoreok;
if(andok) return 1;
}
return 0;
}
SIMD Example (Exists Function)
int exists_sse(widget* vals, int len, int t, int s) {
m128i vect = [t, t, t, t] ;
m128i vecs = [s, s, s, s] ;
for(int i=0; i < (len - 3); i=i+4)
{
]
m128i blck1 = [t
load_128(vals,
i);
i, si, ti+1, si+1
m128i blck2 = [t
load_128(vals,
i + 4);
i+2, si+2, ti+3, si+3]
m128i tagvs = [t
shuffle_i32(blck1,
i, ti+1, ti+2, ti+3] blck2, ORDER(0,2,0,2));
m128i scorevs = [s
shuffle_i32(blck1,
blck2, ORDER(1,3,1,3));
i, si+1, si+2, si+3]
…, si+3>s ? 0xF…F : 0x0]
m128i cmptag = [s
cmpeq_i32(vect,
tagvs);
i>s ? 0xF…F : 0x0,
0x0, …, ti+3==t ? 0xF…F : 0x0]
m128i cmpscore = [t
cmpgt_i32(vecs,
i==t ? 0xF…F : scorevs);
m128i cmpr = [cmptag
and_i128(cmptag,
cmpscore);
0 & cmpscore
0, …, cmptag3 & cmpscore3]
int match = (cmpr
!allzeros(cmpr);
0!=0 | cmpr1!=0 | cmpr2!=0 | cmpr3!=0)
if (match) return 1;
}
return 0;
}
Performance Impact
2.5
Speedup
2
1.5
1
0.5
4
8
16
32
64
128
Array Size
256
512 1024 2048
Verification Methodology
struct { int tag; int score; } widget;
int exists(widget* vals, int len, int t, int s)
{
for(int i = 0; i < len; ++i)
{
int tagok = vals[i].tag == t;
int scoreok = vals[i].score > s;
int andok = tagok & scoreok;
if(andok) return 1;
}
return 0;
}
Verification: Step 1 (Structural transformation of source)
struct { int tag; int score; } widget;
int exists(widget* vals, int len, int t, int s)
{
for(int i = 0; i < len-3; i=i+4)
{
int tagok0 = vals[i].tag == t;
int scoreok0 = vals[i].score > s;
int andok0 = tagok0 & scoreok0;
...
int tagok3 = vals[i+3].tag == t;
int scoreok3 = vals[i+3].score > s;
int andok3 = tagok3 & scoreok3;
match = andok3 | andok1 | andok2 | andok3
if(match) return 1;
}
return 0;
}
Verification: Step 2 (Simulation relation)
Simulation relation at start of loop bodies:
Rpre := i2=i1 ∧ t2=t2 ∧ s2=s1 ∧ vals2=vals1 ∧
vectv2 = <t1,t1,t1,t1> ∧ vecsv2 = <s1,s1,s1,s1>
Simulation relation at end of loop bodies:
Rpost := Epre ∧ match2=match1
Verification Condition: Rpre => WP(B2, WP(B1, Rpost)
47
Synthesis
Verification Condition: Rpre => WP(B2, WP(B1, Rpost)
Synthesis Condition: Find B2 such that the Hoare triple
<Rpre, B2, R’> holds, where R’ = WP(B1, Rpost).
Rpre and Rpost require guessing the vectorized versions of
variables in the source code.
There are two kinds of vectorized variables.
• Loop invariant expressions e1: v2 = <e1,, e1, e1, e1>
• Reduction variables r1: v2[1] + v2[2] + v2[3] + v2[4] = r1
48
Other Examples
Cyclic Hash
4
3.5
3
2.5
2
1.5
1
0.5
CountIf
4
3.5
3
2.5
2
1.5
1
0.5
Actual
Predicted
Actual
Predicted
49
From Verification to Synthesis
Application
Generating Synthesis Solving Synthesis
Constraint
Constraint
Bitvector
Loopy Alg.
SIMD
Location variables
CEGIS + SMT
Template-based
SMT
Relational verification CEGIS +
Reachability value graph
Template-based +
SMT
symbolic execution
Inverses
Graph Alg.
Reference:
Path-based Inductive Synthesis for Program Inversion,
PLDI 2011, Srivastava, Gulwani, Chaudhuri, Foster
50
Dimensions in Synthesis
• Language
– Programs
• Straight-line programs
– Automata
– Queries
• User Intent
– Logic, Natural Language
– Examples, Demonstrations/Traces
– Program
• Search Technique
– SAT/SMT solvers (Formal Methods)
– A*-style goal-directed search (AI)
– Version space algebras (Machine Learning)
51
Program Inversion: Example
In-place run-length encoding:
A = [1,1,1,0,0,2,2,2,2]
Encoder
A=[1,0,2]
N=[3,2,4]
Decoder
A’=[1,1,1,0,0,2,2,2,2]
IN(A,n); Assume (n >= 0)
i, m := 0, 0; // parallel assignment
while (i<n)
r := 1;
while (i+1<n && A[i]=A[i+1])
r, i := r+1, i+1;
A[m], N[m], m, i := A[i], r, m+1, i+1;
OUT(A,N,m);
IN(A,N,m)
i’, m’ := 0, 0;
while (m’ < m)
r’ := N[m’];
while (r’>0)
r’,i’, A’[i’] := r’-1, i’+1, A[m’];
m’ := m’+1;
OUT(A’,m’); assert(A’=A; m’=n);
52
Program Inversion as Synthesis Problem
In-place run-length encoding:
A = [1,1,1,0,0,2,2,2,2]
Encoder
A=[1,0,2]
N=[3,2,4]
Decoder
A’=[1,1,1,0,0,2,2,2,2]
E = { 0, 1, m’±1, r’±1, i’±1, A[i’],
A[m’], N[m’] }
P = { m’<m, r’>0, A’[i’]= A’[i’+1] }
IN(A,n); Assume (n >= 0)
i, m := 0, 0; // parallel assignment
while (i<n)
r := 1;
while (i+1<n && A[i]=A[i+1])
r, i := r+1, i+1;
A[m], N[m], m, i := A[i], r, m+1, i+1;
OUT(A,N,m);
IN(A,N,m)
i’, m’ := e1, e2; // ei ∈ E
while (p1)
// pi ∈ P
r’ := e3;
while (p2)
r’,i’, A’[e4] := e5, e6, e7;
m’ := e8;
OUT(A’,m’); Assert(A’=A; m’=n);
53
Synthesis Technique
• Inductive invariant required to establish correctness
are too sophisticated.
• We use symbolic execution to generate verification
condition for correctness on certain paths in the
original and the inverted program.
• This generates constraints of the form
∃ 𝑒𝑖 , 𝑝𝑖 ∀𝑉 (𝜙1 𝑉, 𝑒𝑖 , 𝑝𝑗 ∧ ⋯ ∧ 𝜙𝑘 𝑉, 𝑒𝑖 , 𝑝𝑗 )
which are solved using the template-based approach.
54
Other Program Inversion Examples
LZ77 Compressor
LZW Compressor
55
From Verification to Synthesis
Application
Generating Synthesis Solving Synthesis
Constraint
Constraint
Bitvector
Loopy Alg.
SIMD
Location variables
CEGIS + SMT
Template-based
SMT
Relational verification CEGIS +
Reachability value graph
Template-based +
SMT
symbolic execution
Inverses
Graph Alg.
Already in constraint
form!
CEGIS +
Fact enumeration
Reference:
A Simple Inductive Synthesis Methodology and its Applications,
56
OOPSLA 2010, Itzhaky, Gulwani, Immerman, Sagiv
Dimensions in Synthesis
• Language
– Programs
• Straight-line programs
– Automata
– Queries
• User Intent
– Logic, Natural Language
– Examples, Demonstrations/Traces
– Program
• Search Technique
– SAT/SMT solvers (Formal Methods)
– A*-style goal-directed search (AI)
– Version space algebras (Machine Learning)
57
Bipartite-ness
Specification: Second order logic
∃! 𝐶 ∀𝑢, 𝑣 𝐸 𝑢, 𝑣 → 𝐶 𝑢 ∧ ¬𝐶 𝑣
Synthesis Algorithm
Implementation: First order logic + Transitive Closure
𝐸 2∗ 𝑢 ∩ 𝐸 2∗ 𝐸 𝑢
=∅
58
Tree-ness
Specification: Second order logic
∃𝑟 ∀𝑢 ∃! 𝑃 (𝑟 →𝑃 𝑢)
𝑟 →𝑃 𝑢 ≡
∀𝑥, 𝑦 𝑃 𝑥, 𝑦 → 𝐸 𝑥, 𝑦 ∧
∀𝑥, 𝑦, 𝑧 𝑃 𝑥, 𝑦 ∧ 𝑃 𝑥, 𝑧 → 𝑦 = 𝑧 ∧
Synthesis
∀ 𝑥, 𝑦, 𝑧 𝑃 𝑥, 𝑦 ∧
𝑃 𝑧, 𝑦 →Algorithm
𝑥=𝑧∧
∀𝑥, 𝑦 𝑃 𝑥, 𝑦 → ∃𝑥 𝑃 𝑧, 𝑥 ↔ 𝑥 ≠ 𝑢 ∧
∀ 𝑥, 𝑦 𝑃 𝑥, 𝑦 → ∃𝑧 𝑃 𝑦, 𝑧 ↔ 𝑦 ≠ 𝑣 ∧
∃𝑥
𝑃 𝑢, 𝑥 ∧ ∃𝑦 𝑃(𝑦,
𝑣) order logic + Transitive Closure
Implementation:
First
Let 𝑓 𝑢 = 𝑢 ∈ 𝑉 𝐸 𝑣, 𝑢 } in
∀𝑢 𝑓 𝑢 ≤ 1
∧ ∃𝑟 𝑓 𝑟 = 0
∧ 𝐸∗ 𝑟 = 𝑉
59
Synthesis Algorithm
• Use CEGIS to generate models (where source
specification and target query don’t match).
• Generate the set S of clauses (from the target
query language) that are satisfied by each positive
model.
• Generate a minimal subset of S that rules out each
negative model.
60
From Verification to Synthesis
Application
Generating Synthesis Solving Synthesis
Constraint
Constraint
Bitvector
Loopy Alg.
SIMD
Location variables
CEGIS + SMT
Template-based
SMT
Relational verification CEGIS +
Reachability value graph
Template-based +
SMT
symbolic execution
Inverses
Graph Alg.
Already in constraint
form!
CEGIS +
Fact enumeration
61
