Solving Computations. Viktor Kuncak. PhD MIT,

Transcription

1 Solving Computations Viktor Kuncak PhD MIT, 2007 School of Computer and Communication Sciences Laboratory for Automated Reasoning and Analysis 1

2 GOAL Help people construct software that does what they expect. My methodology is to develop mathematical models and theorems (theory) algorithms based on the theory tools for computer-aided software construction 2

3 Software is everywhere. But does it do what we expect? For more examples, see Lecture 1 of my M.Sc. course Synthesis, Analysis, and Verification

4 Computer-Aided Software Construction Software verification (Jahob, Udita, Phantm, Leon) specification software verifier correctness constraint constraint solver solutions are counterexamples Software synthesis (Comfusy, Regsy, Kaplan) correct error input specification constraint solver software solutions are programs (or program outputs) 4

5 Underlying technique: Constraint Solving Constraint C(x,y) e.g. x + y > 2 x < y a computable mathematical function (program) with discrete domain (e.g. pair of integers) returns 0 (false) or 1 (true) C : N 2 {0,1} Given x,y we can directly compute C(x,y). But, given x, how to find y such that C(x,y) holds? Wanted: "Gaussian elimination" for programs. 5

6 Constraint solving algorithms enable: Checking assertions while program runs: C(x,y) Verifying that program meets spec: x y. C(x,y) Falsifying: producing a counterexample when verification fails: find x,y such that C(x,y) Computing: find any (or, least) value that satisfies a given constraint: find y such that C(x,y) Generating tests to exercise program behavior: enumerate/sample y such that C(x,y) Synthesis: solving symbolically for all inputs to obtain program that is correct by construction find f such that x. C(x,f(x)) 6

7 Highlights 1) Constraints on multisets and sizes: Optimal complexity through sparse encoding into disjunctive integer linear programs (JAR 06, CADE 07, VMCAI 08, CAV 08, VMCAI 10,CSL'10,VMCAI 11) 2) Constraints with recursive functions on trees Decidable extensions of term algebra (POPL 10, SAS 11, POPL 12) 3) Complete Functional Synthesis Constructive quantifier elimination techniques (PLDI'10,FMCAD'10,CACM'12,POPL'12,IJCAR'12) 7

8 Constraints on Multisets def removeduplicates(i: Bag): Bag = var W = I // Working bag var duplicateexists = false var R = empty // Resulting bag invariant (duplicateexists W R I) W R I while (W empty) val elem = selectone(w) W = W - {elem} if (elem R) duplicateexists = true else R = R {elem} assert duplicateexists R < I R Verification constraint: W R I W R I R < I Solutions to its negation indicate errors, proof of their absence - correctness. Multiset m is a function m: E {0,1,2,...} E unknown (infinite space) (m 1 m 2 )(e)= m 1 (e) + m 2 (e) m = Σe E m(e) Gave optimal constraint solving algorithm. Techniques used: - introduced extension of integer linear arithmetic (LIA*) - reduced MAPA to this extension - semilinear set characterization of solution space of PA formulas - bounds on solution sizes - sparsity theorems by Eisenbrand 8

9 Calculus of Data Structures (VMCAI'10) tree multiset elements treesize 7 msetsize setsize 3 setof Supports operations on data types and homomorphisms between them. Showed decidability, optimal complexity, gave algorithm, implemented. Adding maps - decidable; injective ones - undecidable (Hilbert's 10th) set

10 Verification Using Constraints with Recursive Functions (POPL'10, SAS'11) Adding arbitrary recursive functions yields Turing-complete, unsolvable constraints We identified a useful sub-class of recursive functions preserves decidability Implemented a verification tool: Found and corrected errors during code development Proved automatically that, for all inputs red-black tree implements a set and maintains height invariants associative list has correct read-over-write property insertion sort returns sorted list, of identical content amortized queue implements balanced queue Benchmark LoC #Funs. #VCs. Time (s) ListOperations AssociativeList InsertionSort RedBlackTrees PropLogic AmortizedQueue VSComp

11 program and properties in Scala (accessible) we find counterexamples and proofs fast

12 Use in industry Filtering highly confidential information: In the context of a project to reason about a domain specific language called Guardol for XML message processing applications [ the] procedure has allowed us to prove a number of interesting things [ ], so I'm extremely grateful for it. Michael Whalen Rockwell Collins 12

13 Step beyond: Executing Specifications (POPL'12) def insert(x : Int, t : Tree) = choose(t1:tree => balanced(t1) && content(t1) = content(t) ++ Set(x)) def remove(x : Int, t : Tree) = choose(t1:tree => balanced(t1) && content(t1) = content(t) Set(x)) The biggest expected payoff: declarative knowledge is more reusable Received interest to use such language in research (UCLA) and teaching (Rice University).

14 Faster code: Software synthesis def secondstotime (totalseconds : Int) : Int = choose((h: Int, m: Int, s: Int) ( h * m * 60 + s == totalseconds && h 0 && m 0 && m < 60 && s 0 && s < 60)).find def secondstotime (totalseconds : Int) : Int = t1 = totalseconds div 3600 t2 = totalseconds * t1 t3 = t2 div 60 t4 = totalseconds * t1-60 * t3 (t1, t3, t4) This approach could have avoided e.g. freeze bug in Microsoft Zune. 14

15 Properties of Synthesis Algorithm For every formula in linear integer arithmetic synthesis algorithm terminates produces the most general precondition (assertion saying when result exists) generated code always gives correct values whenever correct values exist; reports when they do not exist If there are multiple or no solutions for some parameters, the algorithm detects this Extended to arithmetic pattern matching Extended to sets with cardinalities Handling bitwise operations (FMCAD'10, IJCAR'12) 15

16 Foreword to the Research Highlights Article in the Communications of the ACM I predict that as we identify more such restricted languages and integrate them into generalpurpose (Turing-complete) languages, we will make programming more productive and programs more reliable. Rastislav Bodik Associate Professor, UC Berkeley 16

17 certified moon computations found security bugs in web applications found bugs in Java compilers and IDEs

18 Doctoral Students Eva Darulová Tihomir Gvero Hossein Hojjat Etienne Kneuss Giuliano Losa (w/ Rachid Guerraoui) Andrej Spielmann (w/ Christoph Koch) Philippe Suter graduating in 2012, joining IBM Research, NY Ruzica Piskac, graduated 2011, now tenure-track faculty member at the Max-Planck Institute 18

19 Future Work Implicit Programming As announced in early June 2012 this research is funded with a million EUR Starting ERC grant from the European Research Council (Remark: total funding of around 3.8 million CHF so far) 19

20 Problem: Programming is hard, because computation is given explicitly (how) Claim: We can make it easier, if we support implicit computation (what) 20

21 human intentions Implicit Programming GAP 21

22 human intentions IMPRO 22

23 1) Synthesis Procedures = compiler for specifications constraint between inputs and outputs (from a decidable class) computable function from inputs to outputs Numeric domains: linear integers, reals (PLDI 10, OOPSLA 11) Symbolic domains: Calculus of Data Structures (VMCAI 10,CSL 10) 23

24 2) Empowering Users Application customization: modify an application through feedback on its behavior, e.g. Change layout/text/parameters Change the order of actions Programming by demonstration: learning Development assistance tools Synthesis of code snippets: Ambiguous input handling Programs that are almost correct (repair) Specifications written in natural language Prototype language under development Revisit a combination of NLP and PL techniques 24

25 Interactive Synthesis within an IDE 25

26 Interactive Synthesis within an IDE - working on technology transfer to Typesafe startup of Martin Odersky

27 Implicit Programming Human-friendly and verification-friendly computation Programming with implicit specifications Synthesis procedures: compile implicit specs into code Build on advances in SAT and decision procedures SMT Quantifier elimination, partial evaluation, modularity Deploy specifications into programming languages Just-in-time synthesis for efficiency Strengthening specifications using static analysis Validation of code containing implicit computation Help developers construct specifications Run-time application customization and manipulation Programming assistance tools Ambiguous inputs as specification source 27

28 Related Efforts April 2012: U.S. National Science Foundation awarded 10 million USD Expedition grant: Computer-Augmented Program Engineering Leader: Rajeev Alur from UPenn Participanting universities: Cornell, MIT, Rice, Berkeley, UCLA, UIUC, Maryland, Michigan, UPenn COST (Networking) Action IC0901 that I am chairing is one of few activities in Europe supporting this area countries 6% acceptance rate in 2009 when it was approved Established work groups on: standardization of languages, decision procedures, verification, and synthesis Supported and co-organized 1 st summer school on synthesis 28

29 Further Activities at EPFL Member of doctoral admissions committee Participated in two NNCR pre-proposals Member of EcoCloud center (Babak Falsafi) Teaching, last median student evaluation: Compiler Construction (BSc, 5.0) Synthesis, Analysis, and Verification (MSc, 6.0) Automated grading infrastructure relevant for online courses CTI Projects and tech transfer planned 29

30 Conclusions Theory, algorithms, and tools for software construction Communications of the ACM Research Highlight; Best papers Working with 7 doctoral students Graduated one doctoral student, Ruzica Piskac she is now tenure-track faculty at a peer institution Philippe Suter graduating, joining top research lab (IBM, US) Raised 3.8 million, including 1.7 million CHF ERC starting grant Released tools that help construct reliable software Technology transfer with Typesafe startup of Martin Odersky Also collaborations with Guerraoui, Koch; Atienza, Eisenbrand Teaching at BSc, MSc, PhD level (future: online courses) Chair of COST Action gathering 20 countries, PC chair, keynotes