Automating Construction of Provably Correct Software Viktor Kuncak

Transcription

1 Your Wish is my Command Automating Construction of Provably Correct Software Viktor Kuncak EPFL School of Computer and Communication Sciences Laboratory for Automated Reasoning and Analysis

2 wish This Talk requirement formalization specification (constraint): C implementation (program): p conventional compilation How to automatically transform specifications into implementations? Command

3 Example Wish: Sorting input output > < < < Given a list of numbers, make this list sorted wish

4 Sorting Specification as a Program input output > < < < Given a list of numbers, make this list sorted wish def sort_spec(input : List, output : List) : Boolean = content(output)==content(input) /\ issorted(output) Specification (for us) is a program that checks, for a given input, whether the given output is acceptable

5 Specification vs Implementation def C(i : List, o : List) : Boolean = content(o)==content(i) /\ issorted(o) true / false constraint on the output more behaviors input specification U implementation output p C fewer behaviors function that computes the output def p(i : List) : List = sort i using a sorting algorithm and return the result

6 Synthesizing Sort in Leon System OOPSLA 2013: Synthesis Modulo Recursive Functions Etienne Kneuss Ivan Kuraj Philippe Suter

7 Example Results Techniques used: Leon s verification capabilities synthesis for theory of trees recursion schemas case splitting symbolic exploration of the space of programs synthesis based on type inhabitation fast falsification using previous counterexamples learning conditional expressions cost-based search over possible synthesis steps

8 Approaches and Their Guarantees both specification C and program p are given: a) Check assertion while program p runs: C(i,p(i)) only specification C is given: b) Verify whether program always meets the spec: i. C(i,p(i)) c) Constraint programming: once i is known, find o to satisfy a given constraint: find o such that C(i,o) run-time d) Synthesis: solve C symbolically to obtain program p that is correct by construction, for all inputs: find p such that i.c(i,p(i)) i.e. p C compile-time

9 Runtime Assertion Checking a) Check assertion while program p runs: C(i,p(i)) def p(i : List) : List = { sort i using a sorting algorithm and return the result } ensuring (o content(i)==content(o) && issorted(o)) def content(lst : List) = lst match { case Nil() Set.empty case Cons(x, xs) Set(x) ++ content(xs) } def issorted(lst : List) = lst match { case Nil() true case Cons(_, Nil()) true case Cons(x, Cons(y, ys)) } x < y && issorted(cons(y, ys)) Already works in Scala! Key design decision: constraints are programs Ongoing: high-level optimization of run-time checks Can we give stronger guarantees? prove postcondition always true

10 Static Verification in Leon b) Verify that program always meets spec: i. C(i,p(i)) def p(i : List) : List = { sort i using a sorting algorithm and return the result } ensuring (o content(i)==content(o) && issorted(o)) def content(lst : List) = lst match { case Nil() Set.empty case Cons(x, xs) Set(x) ++ content(xs) } def issorted(lst : List) = lst match { case Nil() true } case Cons(_, Nil()) true case Cons(x, Cons(y, ys)) x < y && issorted(cons(y, ys)) Type in a Scala program and spec, see it verified proof of i. C(i,p(i)) timeout input i such that not C (i,p(i))

11 Insertion Sort Verified as You Type It Web interface:

12 Reported Counterexample in Case of a Bug

13 Approaches and Their Guarantees both specification C and program p are given: a) Check assertion while program p runs: C(i,p(i)) only specification C is given: b) Verify that program always meets spec: i. C(i,p(i)) c) Constraint programming: once i is known, find o to satisfy a given constraint: find o such that C(i,o) run-time d) Synthesis: solve C symbolically to obtain program p that is correct by construction, for all inputs: find p such that i.c(i,p(i)) i.e. p C compile-time

14 Using Assertions to Compute what to do when assertion fail? presumably some values are wrong what to change (e.g. in repair) alternative: leave some variables unknown (logical variables); find their values to satisfy the assertions: constraint programming like CLP, but richer constraints new compilation techniques (synthesis) embedded in Scala, no Prolog with "cut"

15 Programming with Specifications c) Constraint programming: find a value that satisfies a given constraint: find o such that C(i,o) Method: use verification technology, try to prove that no such o exists, report counter-examples! Philippe Suter Ali Sinan Köksal Etienne Kneuss

16 Sorting a List Using Specifications def content(lst : List) = lst match { case Nil() Set.empty case Cons(x, xs) Set(x) ++ content(xs) } def issorted(lst : List) = lst match { case Nil() true case Cons(_, Nil()) true case Cons(x, Cons(y, ys)) x < y && issorted(cons(y,ys)) } ((l : List) issorted(lst) && content(lst) == Set(0, 1, -3)).solve > Cons(-3, Cons(0, Cons(1, Nil())))

17 Comparison: Date Conversion in C Knowing number of days since 1980, find current year and day BOOL ConvertDays(UINT32 days) { year = 1980; while (days > 365) { } if (IsLeapYear(year)) { if (days > 366) { } days -= 366; year += 1; } else { days -= 365; year += 1; }... Enter December 31, 2008 All music players (of a major brand) froze in the boot sequence.

18 Date Conversion using Specifications Knowing number of days since 1980, find current year and day val origin = 1980 // beginning of the universe def leapstill(y : Int) = (y-1)/4 - (y-1)/100 + (y-1)/400 val (year, day)=choose( (year:int, day:int) => { days == (year-origin)*365 + leapstill(year)-leapstill(origin) + day && 0 < day && day <= 366 }) // Choose year and day such that the property holds. We did not write how to compute year and day Instead, we gave a constraint they should satisfy We defined them implicitly, though this constraint More freedom (can still do it the old way, if needed) Correctness, termination simpler than with loop

19 Implementation: next 30 pages invariants - specification

20 Formalizing Tree Invariants (in Scala) sealed abstract class Tree case class Empty() extends Tree case class Node(color: Color, left: Tree, value: Int, right: Tree) extends Tree def blackbalanced(t : Tree) : Boolean = t match { case Node(_,l,_,r) => blackbalanced(l) && blackbalanced(r) && blackheight(l) ==blackheight(r) case Empty() => true } def blackheight(t : Tree) : Int = t match { case Empty() => 1 case Node(Black(), l, _, _) => blackheight(l) + 1 case Node(Red(), l, _, _) => blackheight(l) } def rb(t: Tree) : Boolean = t match { case Empty() => true case Node(Black(), l, _, r) => rb(l) && rb(r) case Node(Red(), l, _, r) => isblack(l) && isblack(r) && rb(l) && rb(r) }... def issorted(t:tree) =...

21 Define Abstraction as tree fold def content(t: Tree) : Set[Int] = t match { case Empty() => Set.empty case Node(_, l, v, r) => content(l) ++ Set(v) ++ content(r) } { 2, 4, 5, 7, 9 } 2 5

22 We can now define insertion def insert(x : Int, t : Tree) = choose(t1:tree => isrbt(t1) && content(t1) = content(t) ++ Set(x)) Objection: it took a lot of effort to write isrbt Answer: no more effort than implementation - wrote some functions these invariants is what drives data structure design this is how things are explained in a textbook it promotes reuse!

23 Evolving the Program Suppose we have a red-black tree implementation We only implemented insert and lookup Now we also need to implement remove

24 void RBDelete(rb_red_blk_tree* tree, rb_red_blk_node* z){ rb_red_blk_node* y; rb_red_blk_node* x; rb_red_blk_node* nil=tree->nil; rb_red_blk_node* root=tree->root; y= ((z->left == nil) (z->right == nil))? z : TreeSuccessor(tree,z); x= (y->left == nil)? y->right : y->left; if (root == (x->parent = y->parent)) { /* assignment of y->p to x->p is intentional */ root->left=x; } else { if (y == y->parent->left) { y->parent->left=x; } else { y->parent->right=x; } } if (y!= z) { /* y should not be nil in this case */ #ifdef DEBUG_ASSERT Assert( (y!=tree->nil),"y is nil in RBDelete\n"); #endif /* y is the node to splice out and x is its child */ if (!(y->red)) RBDeleteFixUp(tree,x); tree->destroykey(z->key); tree->destroyinfo(z->info); y->left=z->left; y->right=z->right; y->parent=z->parent; y->red=z->red; z->left->parent=z->right->parent=y; if (z == z->parent->left) { z->parent->left=y; } else { z->parent->right=y; } free(z); } else { tree->destroykey(y->key); tree->destroyinfo(y->info); if (!(y->red)) RBDeleteFixUp(tree,x); free(y); } #ifdef DEBUG_ASSERT Assert(!tree->nil->red,"nil not black in RBDelete"); #endif 140 lines of tricky C, even reusing existing functions void RBDeleteFixUp(rb_red_blk_tree* tree, rb_red_blk_node* x) { rb_red_blk_node* root=tree->root->left; rb_red_blk_node* w; while( (!x->red) && (root!= x)) { if (x == x->parent->left) { w=x->parent->right; if (w->red) { w->red=0; x->parent->red=1; LeftRotate(tree,x->parent); w=x->parent->right; } if ( (!w->right->red) && (!w->left->red) ) { w->red=1; x=x->parent; } else { if (!w->right->red) { w->left->red=0; w->red=1; RightRotate(tree,w); w=x->parent->right; } w->red=x->parent->red; x->parent->red=0; w->right->red=0; LeftRotate(tree,x->parent); x=root; /* this is to exit while loop */ } } else { /* the code below is has left and right switched from above */ w=x->parent->left; if (w->red) { w->red=0; x->parent->red=1; RightRotate(tree,x->parent); w=x->parent->left; } if ( (!w->right->red) && (!w->left->red) ) { w->red=1; x=x->parent; } else { if (!w->left->red) { w->right->red=0; w->red=1; LeftRotate(tree,w); w=x->parent->left; } w->red=x->parent->red; x->parent->red=0; w->left->red=0; RightRotate(tree,x->parent); x=root; /* this is to exit while loop */ } } } x->red=0; #ifdef DEBUG_ASSERT

25 remove using specifications: 2 lines def remove(x : Int, t : Tree) = choose(t1:tree => isrbt(t1) && content(t1)=content(t) Set(x)) The biggest expected payoff: properties are more reusable

26 Further Features Supported computing minimal / maximal solution of constraints value using binary search on-the-fly construction of constraints first-class constraints, like first-class functions but they can also be syntactically manipulated enumeration of all values that satisfy constraint application in automated test input generation can be used like Korat tool for test generation

27 Approaches and Their Guarantees both specification C and program p are given: a) Check assertion while program p runs: C(i,p(i)) c) Constraint programming: once i is known, find o to satisfy a given constraint: find o such that C(i,o) only specification C is given: run-time b) Verify that program always meets spec: i. C(i,p(i)) d) Synthesis: solve C symbolically to obtain program p that is correct by construction, for all inputs: find p such that i.c(i,p(i)) i.e. p C compile-time

28 Implicit Programming (ERC project) y o x specification (constraint) implicit x 2 + y 2 = 1 i is assignment for some vars of a propositional formula o is its completion to make formula true i synthesis U o U x implementation (function) explicit y = sqrt(1-x 2 ) compute missing part of a satisfying assignment (SAT) i

29 Synthesis for Linear Arithmetic def secondstotime(totalseconds: Int) : (Int, Int, Int) = choose((h: Int, m: Int, s: Int) ( h * m * 60 + s == totalseconds && h 0 && m 0 && m < 60 could infer from types && s 0 && s < 60 )) close to a wish def secondstotime(totalseconds: Int) : (Int, Int, Int) = val t1 = totalseconds div 3600 val t2 = totalseconds * t1 val t3 = t2 div 60 val t4 = totalseconds * t1-60 * t3 (t1, t3, t4)

30 Compile-time warnings def secondstotime(totalseconds: Int) : (Int, Int, Int) = choose((h: Int, m: Int, s: Int) ( h * m * 60 + s == totalseconds && h 0 && m 0 && m 60 && s 0 && s < 60 )) Warning: Synthesis predicate has multiple solutions for variable assignment: totalseconds = 60 Solution 1: h = 0, m = 0, s = 60 Solution 2: h = 0, m = 1, s = 0

31 Synthesis for sets (BAPA) def splitbalanced[t](s: Set[T]) : (Set[T], Set[T]) = choose((a: Set[T], b: Set[T]) ( a.size b.size 1 && balanced b.size a.size 1 && a union b == s && a intersect b == empty )) partition we can conjoin specs def splitbalanced[t](s: Set[T]) : (Set[T], Set[T]) = val k = ((s.size + 1)/2).floor val t1 = k val t2 = s.size k val s1 = take(t1, s) val s2 = take(t2, s minus s1) (s1, s2) s a Mikael Mayer Ruzica Piskac Philippe Suter b

32 Synthesis for Theories assert(i % 2 == 1) 3 i + 2 o = 13 o = (13 3 i)/2 Wanted: "Gaussian elimination" for programs for linear integer equations: extended Euclid s algorithm need to handle disjunctions, negations, more data types For every formula in e.g. Presburger arithmetic synthesis algorithm terminates produces the most general precondition (assertion characterizing when the result exists) generated code always terminates and gives correct result If there are multiple or no solutions for some input parameters, the algorithm identifies those inputs Works not only for arithmetic but also for e.g. sets with sizes and for trees Goal: lift everything done for SMT solvers to synthesizers

33 Decision & Synthesis Procedures For a well-defined class of formulas: Decision procedure Input: a formula Output: a model of the formula 5a + 7x = 31 a 2 x 3 (modelgenerating) a theorem prover that always succeeds Synthesis procedure a synthesizer that always succeeds Input: a formula, with input and output variables Output: a program to compute output values from input values Inputs: { a } outputs: { x } 5a + 7x = 31 x (31 5a) / 7 33

34 Framework: Transforming Relations a C 1 x a C 2 x Input variables Synthesis predicate Output variables a, x. C 2 C 1 Refinement a. ( x : C 1 ) ( x : C 2 ) Domain preservation 34

35 Programs as Relations a C x P T Input variables Output variables Precondition Program terms Represents the relation: P (x = T ) a. P C[x T ] Refinement a. ( x : C) P Domain preservation 35

36 Compare to Quantifier Elimination A problem of the form: Corresponds to constructively solving the quantifier elimination problem: In the solution, P corresponds to the result of Q.E. and T are witness terms. a C x x : C( a, x ) P T 36

37 Transforming Relations Equivalence a C 1 x P T C 1 C 2 a C 2 x P T Case-Split a C 1 x P 1 T 1 a C 2 x P 2 T 2 a C 1 C 2 x P 1 P 2 if(p 1 ) T 1 else T 2 One-Point a C[x 0 t] x P T x 0 vars(t) a x 0 = t C x 0 ;x P let x := T in t;x 37

38 Synthesis for Linear Integer Arithmetic a 7t a 5a 12t t 5a/12 3a/7 5a/12 a 5x + 7y = a 0 x x y x,y 5a/12 3a/7 let t = 5a/12 in (-7t+3a, 5t-2a) 5x + 7y = a One-dimensional solution space. x = -7t + 3a y = 5t 2a is a solution for any t. 7t a 5a 12t t is bound on both sides, and admits a solution whenever 5a/12 3a/7 38

39 And/Or Search for Rule Applications Synthesis problem Rule application 5 C F E Driven by cost - For rule applications: size of term contributed to program. - For (sub)problems: estimate based on variables and boolean structure. 4 D 1 A 2 3 G B 6 7 H J 39

40 Synthesis in Techniques used: Leon s verification capabilities synthesis for theory of trees recursion schemas case splitting symbolic exploration of the space of programs synthesis based on type inhabitation fast falsification using previous counterexamples learning conditional expressions cost-based search over possible synthesis steps

41 Generating Expression Terms What do we do with problems that: do not fall in a well-defined, synthesizable subset, do not get simplified by decomposition? Use counter-example guided inductive synthesis to search over small expressions Two algorithms use SMT solvers to enumerate terms and evaluate them to find new blocking clauses type-based enumeration (Gvero,Piskac,Kuraj) combined with discovery of preconditions 41

42 Approaches and Their Guarantees both specification C and program p are given: a) Check assertion while program p runs: C(i,p(i)) c) Constraint programming: once i is known, find o to satisfy a given constraint: find o such that C(i,o) only specification C is given: run-time b) Verify that program always meets spec: i. C(i,p(i)) d) Synthesis: solve C symbolically to obtain program p that is correct by construction, for all inputs: find p such that i.c(i,p(i)) i.e. p C compile-time

43 Synthesis and Constraint Solving If we did not find an expression that solves it in all cases, we emit a runtime call to solver Result: solver invoked only in some cases for some components of result for some conditions on inputs after timeout, close the remaining branches by inserting a C runtime solver call 1 A F E D G B 6 7 H J

44 Example Data Structure with Cache case class CTree(cache : Int, data : Tree) def inv(ct : CTree) : Boolean = isrbt(data) && (ct.data = Empty content(ct.data) contains ct.cache) def member(v : Int, ct : CTree) : Boolean = { require(inv(ct)) choose( (x:boolean) => x == (content(ct.data) contains v)) } ADT and equality split, one point rule, simplifications def member(v : Int, ct : CTree) : Boolean = { require(inv(ct)) ct.data match { case n:node => if (ct.cache == v) true else choose( (x:boolean) => x == (content(ct.data) contains v)) case Empty => false } Synthesis did not solve fully but optimized spec for 2 common cases

45 From In-Memory to External Sorting treefold[2 k ]([], unfoldr( funcpow[k](mrg)) in-memory sort external 2 k -way merge sort with blocking C implementation transformation rules for monad algebra of nested sequences exploration of equivalent algorithms through performance estimation w/ non-linear constraint solving Synthesis of Out-of-Core Algorithms (SIGMOD 2013) Ioannis Klonatos Christoph Koch Andres Nötzli Andrej Spielmann

46 Real-World Reasoning Gap between floating points and reality input measurement error floating-point round-off error numerical method error x<y need not mean x*<y* Automated verification tools to compute upper error bound generate code to match math Applied to code fragments for embedded systems (car,train) physics simulations OOPSLA'11,RV'12, EMSOFT'13, POPL'14 Eva Darulova

47 wish requirement formalization specification (constraint): C implementation (program): p conventional compilation Can we help with designing specification themselves, to make programming accessible to non-experts? Command

48 Programming by Demonstration Describe functionality by demonstrating and modifying behaviors while the program runs demonstrate desired actions by moving back in time and referring to past events system generalizes demonstrations into rules Try "Pong Designer" in Android Play Store Mikael Mayer and Lomig Mégard SPLASH Onward'13