Page 1
Program synthesis with Jennisys
K. Rustan M. Leino, Research in Software Engineering (RiSE), Microsoft Research, Redmond
Aleksandar Milicevic, MIT
IFIP Working Group 2.3 meeting, Winchester, UK, 22 September 2011
Page 2
Post-mortem verification
Timeline: Idea → Code → Test → Verification
Ouch! Need specifications
Forward-looking design
Page 3
More help during software design
More expressive languages
Refinement
Synthesis
…
Page 4
This is where programs begin
Jennisys
Page 5
Jennisys programs
Each type has: Public interface, Data model, Code
Page 6
Example: Public interface
```
interface ExtensibleArray[T] {
  var Contents: seq[T]
  constructor Init()
    Contents := []
  method Get(i) returns (t)
    requires 0 <= i && i < |Contents|
    t := Contents[i]
  method Set(i, t)
    requires 0 <= i && i < |Contents|
    Contents := Contents[i := t]
  method Append(t)
    Contents := Contents + [t]
}
```
Pages 7–11
ExtensibleArray data structure
(Figure, pages 7–11: an ExtensibleArray[T] object with fields .elements and .more, built up by repeated Append() calls; .more refers to an ExtensibleArray[array[T]].)
Page 12
Example: Data structure design
```
datamodel ExtensibleArray[T] {
  var elements: array[T]
  var more: ExtensibleArray[array[T]]
  frame elements, more, more.Contents[*]
  invariant
    elements.Length = 256
    256 < |Contents| ==> more != null
    more.Contents[*].Length = 256
    val M = if more = null then 0 else 256 * |more.Contents|
    Contents[i] = elements[i - M] where i in M <= i
    Contents[i] = more.Contents[i / 256][i % 256] where i in i < M
}
```
Page 13
Example: Data structure design
```
datamodel ExtensibleArray<T> {
  var elements: array<T>
  var more: ExtensibleArray<array<T>>?
  frame elements, more, more.Contents[*]
  invariant
    elements.Length = 256
    256 < |Contents| ==> more != null
    more.Contents[*].Length = 256
    val M = if more = null then 0 else 256 * |more.Contents|
    Contents[i] = elements[i - M] where i in M <= i
    Contents[i] = more.Contents[i / 256][i % 256] where i in i < M
}
```
Can all operations be implemented with this design?
Page 14
Example: Data structure design
```
datamodel ExtensibleArray<T> {
  var elements: array<T>
  var more: ExtensibleArray<array<T>>?
  frame elements, more, more.Contents[*]
  invariant
    elements.Length = 256
    256 < |Contents| ==> more != null
    more.Contents[*].Length = 256
    val M = if more = null then 0 else 256 * |more.Contents|
    Contents[i] = elements[i - M] where i in M <= i
    Contents[i] = more.Contents[i / 256][i % 256] where i in i < M
}
```
Is this good? |Contents| = 5, more ≠ null, |more.Contents| = 100
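As an added example (not the talk's or Jennisys' code), the data model of pages 12–14 written as an executable predicate in Python, so that the state page 14 asks about can be checked directly: the invariant accepts it, so nothing in it rules out allocating 100 blocks for 5 elements. Representing `more` by its abstract Contents (a list of arrays) rather than as a nested object is an assumption made here to keep the example short.

```python
BLOCK = 256  # elements.Length = 256 in the data model

def invariant(contents, elements, more):
    """The ExtensibleArray datamodel invariant as a predicate.
    contents: the abstract Contents (a list standing in for seq[T]);
    elements: the concrete array[T]; more: None, or (assumption) the abstract
    Contents of the nested ExtensibleArray[array[T]] as a list of arrays."""
    if len(elements) != BLOCK:                        # elements.Length = 256
        return False
    if len(contents) > BLOCK and more is None:        # 256 < |Contents| ==> more != null
        return False
    if more is not None and any(len(b) != BLOCK for b in more):  # more.Contents[*].Length = 256
        return False
    m = 0 if more is None else BLOCK * len(more)      # val M
    if len(contents) - m > BLOCK:                     # tail would index past elements
        return False
    tail_ok = all(contents[i] == elements[i - m] for i in range(m, len(contents)))
    head_ok = all(contents[i] == more[i // BLOCK][i % BLOCK]
                  for i in range(min(m, len(contents))))
    return tail_ok and head_ok

def natural_state():
    """300 elements: one full block in `more`, the remaining 44 in `elements`."""
    contents = list(range(300))
    more = [list(range(BLOCK))]
    elements = list(range(BLOCK, 300)) + [None] * (2 * BLOCK - 300)
    return invariant(contents, elements, more)

def slide_state():
    """The page-14 question: |Contents| = 5, more != null, |more.Contents| = 100."""
    contents = list(range(5))
    more = [list(range(BLOCK))] + [[None] * BLOCK for _ in range(99)]
    elements = [None] * BLOCK
    return invariant(contents, elements, more)

def missing_more_state():
    """301 elements with more = null violates 256 < |Contents| ==> more != null."""
    return invariant(list(range(301)), list(range(BLOCK)), None)
```

Both `natural_state()` and `slide_state()` return True, which is the point of the slide's question: the invariant is satisfiable by a wasteful representation, so the data model alone does not pin down what Append should build.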
Page 15
Example: Implementation
```
code ExtensibleArray[T] {
}
```
Code is generated from public interface and data model
Code generated automatically
Programmer supplies hints, e.g., “loop n”, “e[n] := t”
Programmer uses sketches, holes [Bodik, Solar-Lezama, …]
As last resort, code is written manually
Page 16
Jennisys, abstractly
```
interface T {
  var a
  constructor Init()
    S(a)
}
datamodel T {
  var c
  invariant R(a, c)
}
```
Page 17
Jennisys, abstractly
```
interface T {
  var a
  constructor Init()
    a := E
}
datamodel T {
  var c
  invariant R(a, c)
}
```
Page 18
Synthesis basics: Constraint solving
```
interface T {
  var a
  constructor Init()
    a := E
}
datamodel T {
  var c
  invariant R(a, c)
}
```
```
var a, c
a := E
c :[ R(a, c) ]
```
constraint solve to find feasible a, c here
Page 19
Synthesis basics: Constraint solving
```
interface T {
  var a
  constructor Init()
    a := E
}
datamodel T {
  var c
  invariant R(a, c)
}
```
```
var a, c
a := E
assume R(a, c)
assert false
```
attempt to verify and look at resulting counterexample model
Page 20
a := 0 with a = c
a := 0 with a = c+d
Demo
Page 21
Extrapolation
```
interface T {
  var a
  constructor Init(p)
    a := E(p)
}
datamodel T {
  var c
  invariant R(a, c)
}
```
Constraint solving gives possible values for a, p, c
From this, we want to extrapolate a value for c in terms of p
Page 22
Extrapolation: Example
```
interface T {
  var a
  constructor Init(p)
    a := p
}
datamodel T {
  var c
  invariant a = c
}
```
Sample values: a=7, p=7, c=7
Match up c with p
Page 23
Custom spec evaluation
```
interface T {
  var a
  constructor Init(p,q)
    a := {p + q}
}
datamodel T {
  var c
  invariant a = {c}
}
```
Partially evaluate spec with the sample values for non-parameters
Match things up: a={7}, p=3, q=4, c=7
{7} = {p+q}, {7} = {7}
Page 24
a := p+q with a = c
a := {p+q} with a = {c}
Demo
Page 25
Program extrapolation, so far
Constraint solving: get sample values
Partial evaluation: simplify spec using sample values
Unification: match things up
What if it doesn’t work?
Page 26
Inferring branch structure
Program extrapolation
Attempt to verify
If resulting program does not verify:
Infer the needed guard using custom spec evaluation
Repeat synthesis for remaining cases
Page 27
Branch structure: Example
```
interface T {
  var a
  constructor Init(p,q)
    a := {p, q}
}
datamodel T {
  var c, d
  invariant a = {c,d}
            c ≤ d
}
```
a={7}, p=3, q=4, c=3, d=4
Match c,d with p,q
Works only if p≤q
Generate if
Repeat assuming ¬(p≤q)
```
if (p≤q) {
  c,d := p,q
} else {
  c,d := q,p
}
```
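The loop of pages 25–27 (constraint solving for a sample, unification against the parameters, verification of the candidate, and guard inference by evaluating the spec on the candidate when it fails) as an added Python model of the page-27 example; this is not the talk's or Jennisys' code. The small brute-force integer domain standing in for the SMT solver and verifier, and the requirement that sampled parameters be distinct, are assumptions of this model.

```python
from itertools import product
# Added example, not the talk's code: a toy model of the Jennisys synthesis loop
# for the page-27 constructor Init(p, q): a := {p, q}, data-model fields c, d and
# invariant a = {c, d} && c <= d. Brute force over small ints replaces SMT/verifier.
DOMAIN = range(6)

def invariant(a, c, d):
    return a == {c, d} and c <= d

def solve(guard):
    """Constraint solving: one sample (p, q, c, d) satisfying the constructor
    body, the invariant and the current guard. Parameter values are required
    to be distinct so that unification is unambiguous (a simplification)."""
    for p, q, c, d in product(DOMAIN, repeat=4):
        if p != q and guard(p, q) and invariant({p, q}, c, d):
            return p, q, c, d
    raise ValueError("no feasible sample under this guard")

def unify(sample):
    """Unification: name each model field after the parameter that has the
    same sample value, e.g. c=3 and p=3 give c := p."""
    p, q, c, d = sample
    pick = lambda v: "p" if v == p else "q"
    return pick(c), pick(d)

def run(code, p, q):
    """Execute synthesized code 'c, d := <param>, <param>' on inputs p, q."""
    env = {"p": p, "q": q}
    return env[code[0]], env[code[1]]

def verifies(code, guard):
    """Verifier stand-in: the invariant must hold for every input under guard."""
    return all(invariant({p, q}, *run(code, p, q))
               for p, q in product(DOMAIN, repeat=2) if guard(p, q))

def synthesize():
    """Infer branch structure; returns [(guard_text, code), ...] as an if-chain."""
    branches, guard = [], (lambda p, q: True)
    while True:
        code = unify(solve(guard))
        if verifies(code, guard):
            branches.append(("else" if branches else "true", code))
            return branches
        # Custom spec evaluation: the invariant with this code plugged in is the
        # guard under which the branch is correct; a = {c, d} is discharged by
        # unification, so only c <= d remains, which the text below spells out.
        cond = lambda p, q, code=code: invariant({p, q}, *run(code, p, q))
        branches.append((f"{code[0]} <= {code[1]}", code))
        guard = lambda p, q, g=guard, c=cond: g(p, q) and not c(p, q)
```

`synthesize()` yields the two branches of the slide, `p <= q: c,d := p,q` and `else: c,d := q,p`, with the second sample found under the negated guard.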
Page 28
Objects
Each interface denotes an instantiable type, that is, a class of objects
A data model can also make use of objects
Page 29
SimpleCell
Demo
Page 30
Delegation
An interface has model fields: part of the specification, not part of compiled code
If type X uses objects of type Y, its code should:
not set Y’s model fields directly, but
use Y’s interface to call constructors and methods to achieve the desired result
Page 31
Conclusions
Synthesis by combination of: constraint solving, symbolic/concrete evaluation, unification
More to do: methods; formalization, better understand the technique; …
Reflection: Is this how we should be programming?