liquid resource types for verification and synthesisnpolikarpova/talks/lrt-chalmers...checking...

liquid resource typesfor verification and synthesis

Nadia Polikarpovawith Tristan Knoth, Di Wang, and Jan Hoffmann

program synthesis

2

code

specification

components

type-driven program synthesis

3

code

specification

components

type-driven program synthesis

4

code

specification

components

liquid types

synquid

example: compress a list

5


input:

5

2 3 32 3 2


input:

output:

5

2 3 32 3 2

2 3 2


6

2 3 32 3 2


6

2 3 32 3 2

22 3 2


6

2 3 32 3 2

2 3 2

22 3 2

synthesizing compress

7

code

??specification

components

compress :: xs: List a → {v:CList a | elems v = elems xs}

compress: specification

8

CList aList a



8

CList a

compressed list(no adjacent duplicates)



8

same set of elements

synthesizing compress

9

codecompress ::xs:List a →{v:CList a |elems v = elems xs}

synquid

specification

components

(==), List, CList

19

http://comcom.csail.mit.edu/demos/#compress

http://comcom.csail.mit.edu/demos/#compress

compress: generated solution

10

compress xs =match xs with

Nil → NilCons y ys →

match compress ys withNil → Cons y NilCons z zs → if z == y

then compress yselse Cons y (Cons z zs)

compress: generated solution

10




then compress yselse Cons y (Cons z zs)

Cons z zs

11

specification code

compress a listO(2|xs|)

synthesizing efficient programs

11

specification code

compress a list

compress a listin linear time O(|xs|)

O(2|xs|)


12



specification code

12



specification code

liquidresource

types

12



specification code

liquidresource

types

resyn

this talk

1. liquid types + resource bounds

13

this talk


2. type checking

13

this talk


2. type checking

3. non-linear bounds

13

this talk


2. type checking


4. value-dependent bounds

13

this talk


2. type checking



13

[PLDI’19]

this talk


2. type checking



13

[PLDI’19]

[ICFP’20 ?]

this talk


2. type checking



14

types + refinements

15

{ v:Int | 0 ≤ v }

types + refinements

15

{ v:Int | 0 ≤ v }

refinement

types + refinements

15

{ v:Int | 0 ≤ v }

natural numbers

types + refinements

15

{ v:Int | 0 ≤ v }List

lists of nats

types + refinements + resources

16

{ v:Int | 0 ≤ v | 1 }}

refinement


16

{ v:Int | 0 ≤ v | 1 }

refinement potential


16

{ v:Int | 0 ≤ v | 1 }List

refinement potential


16

{ v:Int | 0 ≤ v | 1 }List

lists of nats with length units of potential


17

code

specification

components

resyn


17

code

specification

components

resyn

cost model


17

code

specification

components

resyn

cost model

resource bound


17

code

specification

components

resyn

cost model

(==) :: x:a → y:{a| |1} →{v:Bool | v = (x == y)}

compress: cost model

18

y:a →

(==) :: x:a → y:{a| |1} →{v:Bool | v = (x == y)}

compress: cost model

18


19

code

specification

components

resynresource bound

compress :: xs:List {a | | 1} →{v:CList a | elems v = elems xs}

compress: resource bound

20

xs:List a

compress :: xs:List {a | | 1} →{v:CList a | elems v = elems xs}

compress: resource bound

20

synthesizing linear compress

21

code

specification

components

(==) :: x:a → y:{a | | 1}→ {v:Bool | …}

resyn

O(|xs|)

compress ::xs:List {a | | 1} →{v:CList a | …}

54

http://comcom.csail.mit.edu/demos/#compress_linear

http://comcom.csail.mit.edu/demos/#compress_linear

this talk


2. type checking



22

checking compress (exponential)

23

compress :: List {a||1} → List a


23

compress :: List {a||1} → List a




then compress yselse …


24

List a

compress xs = match xs with




xs: List {a||1}

compress: List {a||1} → List a

Context:


24

List a





xs: List {a||1}


Context:

idea: generate constraints that have a solution if


24

List a





we can partition resources in context

xs: List {a||1}


Context:



24

List a





we can partition resources in context

between terms that require potential

xs: List {a||1}


Context:



25

List a





:

xs: List {a||1}


Context:


25

List a





xs: List {a||???}

compress: …

xs: List {a||???}

compress: …

+

:

xs: List {a||1}


Context:


26

List a





xs: List {a||1}

compress: … compress: …

+ xs: List {a||0}

xs: List {a||1}


Context:


27

List a

compress xs = match xs :: List {a||1} with




xs: List {a||1}

compress: …


27

List a

compress xs = match xs :: List {a||1} with




destructing yieldsys: List {a||1}y: {a||1}

xs: List {a||1}

compress: …


28

List a





ys: List {a||1}


y: {a||1}

Context:


29

List a





ys: List {a||1}


y: {a||1}

Context:


29

List a





ys: List {a||p} ys: List {a||q}+

ys: List {a||1}


y: {a||1}

Context:


30

List a



match compress (ys :: List {a||p}) withNil → Cons y NilCons z zs → if z == y

then compress (ys :: List {a||q})else …

ys: List {a||1}


y: {a||1}

Context:

ys: List {a||1}


y: {a||1}

Context:


31

List a





Constraints: ∃p,q:

1 = p + q

1. total potential must be partitioned

ys: List {a||1}


y: {a||1}

Context:


32

List a






1 = p + q

p ≥ 12. p must be enough to call compress

ys: List {a||1}


y: {a||1}

Context:


33

List a






1 = p + q

p ≥ 13. q must be enough to call compress

q ≥ 1

ys: List {a||1}


y: {a||1}

Context:


34

List a






1 = p + q

p ≥ 1

q ≥ 1

checking compress (linear)

35

List a



match compress (ys :: List {a||1}) withNil → Cons y NilCons z zs → if z == (y :: {a||1})

then Cons z zselse Cons y (Cons z zs)

ys: List {a||1}


y: {a||1}

Context:


35

List a





all potential in ysgoes here

ys: List {a||1}


y: {a||1}

Context:


35

List a






pays for comparison

ys: List {a||1}


y: {a||1}

Context:


35

List a






pays for comparison

no potential consumed here

ys: List {a||1}


y: {a||1}

Context:

formally: context sharing

36

Γ = Γ1 + Γ2Γ1 ⊢ 𝑒 ∷ List 𝑇′Γ2 ⊢ 𝑒1 ∷ 𝑇

Γ2, 𝑥: 𝑇′, 𝑥𝑠: List 𝑇′ ⊢ 𝑒1 ∷ 𝑇

Γ ⊢ match 𝑒 with 𝑒1; 𝜆𝑥 𝑥𝑠. 𝑒2 ∷ 𝑇

formally: subtyping

37

Γ ⇒ 𝑟 ⇒ 𝑟′ Γ ⇒ 𝑝 ≥ 𝑝′

Γ ⊢ 𝐵 𝑟 𝑝

this talk


2. type checking



38

example: insertion sort

39

input: 5 28 3


39

8 35

input:

2

5 28 3


39

8 35

5

input:

2

5 28 3

2 83


39

8 35

5

input:

2

output:

5 28 3

2 83

2 3 85


39

8 35

5

input:

2

output:

5 28 3

2 83

2 3 85

how many comparisons does insertion sort make?


40

sort xs =match xs withNil → NilCons y ys →

insert y (sort ys)


40

insert x xs =match xs withNil → Cons x NilCons y ys →

if x ≤ ythen Cons x xselse Cons y (insert x ys)


insert y (sort ys)


40




insert y (sort ys)

(≤) :: x:a → y:{a | | 1} → Bool


40




insert y (sort ys)

insert :: a → List {a| |1} → List a

(≤) :: x:a → y:{a | | 1} → Bool


40




insert y (sort ys)


(≤) :: x:a → y:{a | | 1} → Bool

sort :: ???


40




insert y (sort ys)


(≤) :: x:a → y:{a | | 1} → Bool

sort :: ???

how can we assign more potential to the tail of list than the head?

data QList a whereNil :: QList aCons :: a →

QList {a | | 1} →QList aList a →

41

inductive potentials

List aList a

List a


QList {a | | 1} →QList aList a →

41


List aList a

List a

idea: annotate the datatypewith distribution of potential!


QList {a | | 1} →QList aQList a →

41




QList {a | | 1} →QList a

41





41



one more unit of potential than a has



41



5 28 3 :: QList {Int | | 1}




41



5 28 3 :: QList {Int | | 1}1




41



5 28 3 :: QList {Int | | 1}1 2




41



5 28 3 :: QList {Int | | 1}1 2 3




41



5 28 3 :: QList {Int | | 1}1 2 3 4




41



5 28 3 :: QList {Int | | 1}1 2 3 4 𝑛(𝑛 + 1)

2


checking sort

42

sort :: QList {a | | 1} → List a

sort xs =match xs with


insert y (sort ys)

checking sort

43

List a

sort xs = match xs with


insert y (sort ys)

xs: QList {a||1}

sort: QList {c||1} → List c

Context:

insert: b → List {b||1} → List b

checking sort

44

List a

sort xs = match xs :: QList {a||1} with


insert y (sort ys)

xs: QList {a||1}


Context:


checking sort

44

List a



insert y (sort ys)

xs: QList {a||1}


Context:


data QList t whereNil :: QList tCons :: t → QList {t||1} → QList t

checking sort

44

List a



insert y (sort ys)

xs: QList {a||1}


Context:


so destructing yields

ys: QList {a||2}y: {a||1}

data QList t whereNil :: QList tCons :: t → QList {t||1} → QList t

t = {a||1}

checking sort

45

List a



insert y (sort ys)


Context:



checking sort

46

List a



insert y(sort (ys::QList{a||2}))


Context:



checking sort

47

List a



insert y((sort::QList{a||2} → List {a||1}) (ys::QList{a||2}))


Context:


ys: QList {a||2}y: {a||1}polymorphic

recursion withc = {a||1}

checking sort

48

List a



insert y((sort ys) :: List {a||1})


Context:


ys: QList {a||2}y: {a||1}polymorphic

recursion withc = {a||1}

checking sort

49

List a



insert y ((sort ys) :: List {a||1})


Context:



enough linear potential to pay for insertwith b = a

quadratic insertion sort

50




insert y (sort ys)

insert :: a → List {a| |1} → List asort :: QList {a| |1} → List a

128

http://comcom.csail.mit.edu/demos/#insertion_sort_coarse

http://comcom.csail.mit.edu/demos/#insertion_sort_coarse

this talk


2. type checking



51

insertion sort: fine-grained bound

52




insert y (sort ys)

sort :: QList {a| |1} → List a insert :: a → List {a| |1} → List a


52

makes one comparison per element < x




insert y (sort ys)



52


makes one comparison per decreasing pair of elements




insert y (sort ys)



52


makes one comparison per decreasing pair of elements




insert y (sort ys)

sort :: QList {a| |1} → List a insert :: a → List {a| |1} → List asort :: ??? insert :: ???

value-dependent potential

53

{ v:Int | 0 ≤ v | v }| 1 }


53

{ v:Int | 0 ≤ v | v }


53

{ v:Int | 0 ≤ v | v }

nat with potential equal to its value

insert: fine-grained bound

54

insert x xs =match xs with

Nil → Cons x NilCons y ys →


insert :: a → List {a | | 1} → List a



55




insert :: {a||1} → List {a||ite (v < x) 1 0} → List a


55




insert :: {a||1} → List {a||ite (v < x) 1 0} → List a

only assign potential to elements < x

checking insert

56

List a

insert x xs = match xs with



Context:

ys: List {a||ite (v < x) 1 0}

y: {a||ite (v < x) 1 0}

x: {a||1}

insert:{a||1}→ List {a||ite (v < x) 1 0} → List a

checking insert

56

List a




Context:


y: {a||ite (v < x) 1 0}

x: {a||1}

pays for comparison


checking insert

57

List a



if x ≤ ythen Cons x xselse Cons y (insert (x::{a||1}) ys)

Context:



y: {a||ite (v < x) 1 0}

x: {a||0}

checking insert

57

List a



if x ≤ ythen Cons x xselse Cons y (insert (x::{a||1}) ys)

Context:



y: {a||ite (v < x) 1 0}

x: {a||0}

equivalent to {a||1}in this branch

y < x


58




insert y (sort ys)

sort :: QList {a| |1} → List a

insert :: {a||1} →List {a||ite (v < x) 1 0} → List asort :: ???

sort: fine-grained bound

59



insert y (sort ys)

sort :: ISList {a||1} → List a

sort: fine-grained bound

59



insert y (sort ys)

sort :: ISList {a||1} → List a

data ISList a whereNil :: ISList aCons :: x:a →

ISList {a||ite (v < x) 1 0} →ISList t

abstract potentials

60

data List a whereNil :: List aCons :: h:a →

t:List a →List a

abstract potentials

60


t:List a →List a

idea: parameterize the datatypeby a potential function!

abstract potentials

60


t:List a →List a


List a where

abstract potentials

60


t:List a →List a


List a whereList a

List a List {a||q h v} →


61




insert y (sort ys)


61




insert y (sort ys)

insert :: {a||1}→ List {a||ite (v < x) 1 0} → List a


61




insert y (sort ys)

insert :: {a||1}→ List {a||ite (v < x) 1 0} → List a

sort :: List a → List a

157

http://comcom.csail.mit.edu/demos/#insertion_sort

http://comcom.csail.mit.edu/demos/#insertion_sort

liquid resource types


2. type checking



62

[PLDI’19]

[ICFP’20 ?]

liquid resource types for verification and synthesisnpolikarpova/talks/lrt-chalmers...checking...

Documents

Transcript of liquid resource types for verification and synthesisnpolikarpova/talks/lrt-chalmers...checking...