Weimer Gradpl Reach Synth - University of Michigan
Program Synthesis “is” Program Reachability
Westley Weimer 2
One-Slide Summary
● The template-based program synthesis problem asks if values can be found for template parameters such that the instantiated program passes all tests.
● The program reachability problem asks if values can be found for a set of program variables such that program execution reaches a given label.
● There is a constructive, polytime reduction between synthesis and reachability.
Program Repair via Synthesis
● Suppose we have a buggy program
  – It passes some tests and fails others
● Suppose we have localized the bug
  – We know which line is buggy
● Suppose we have a repair template
  – The fix is of the form “x = □ + □(y, □);”
● Can we fill in the template so that the program passes all of the tests?
Templated Program Syntax
cmd  ::= skip
      |  cmd1 ; cmd2
      |  v := aexp
      |  …
aexp ::= aexp1 + aexp2
      |  aexp1 – aexp2
      |  ci          (ci is called a template parameter)
      |  …
Template Instantiation
● Given a templated program with template parameters c1 … cn, and given template values v = v1 … vn (expressions or constants), we can instantiate, yielding a non-templated program.
● inst(skip, v) → skip
● inst(cmd1 ; cmd2, v) → inst(cmd1, v) ; inst(cmd2, v)
● inst(x = aexp, v) → x = inst(aexp, v)
● inst(ci, v) → vi
Template-Based Program Synthesis
● Given a templated program P with template parameters c1 … cn, and a set T of input-output pairs (tests), do there exist template values v = v1 … vn such that for all <input, output> pairs in T, (inst(P, v))(input) = output?
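The instantiation rules and the synthesis predicate on the two slides above, as an added example (not code from the slides or from any of the tools they mention). It models the templated language as a small Python AST in which a hole is a `Param(i)` node, implements `inst` one case per syntactic form, checks the "passes all tests" condition, and then enumerates a bounded domain of template values to show how each additional test shrinks the set of consistent values. The template, the tests and the enumeration domain are constructed for the example; the enumeration is a stand-in for a real synthesizer, not a description of one.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class Const:
    value: int


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Param:
    index: int          # template parameter c_i (the hole)


@dataclass(frozen=True)
class BinOp:
    op: str             # "+", "-" or "*" (the grammar's "..." covers "*")
    left: "Aexp"
    right: "Aexp"


Aexp = Union[Const, Var, Param, BinOp]


@dataclass(frozen=True)
class Skip:
    pass


@dataclass(frozen=True)
class Assign:
    var: str
    expr: Aexp


@dataclass(frozen=True)
class Seq:
    first: "Cmd"
    second: "Cmd"


Cmd = Union[Skip, Assign, Seq]
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}


def inst_aexp(e: Aexp, v: Sequence[Aexp]) -> Aexp:
    """inst(ci, v) -> vi; other expression forms are rebuilt from their parts."""
    if isinstance(e, Param):
        return v[e.index]
    if isinstance(e, BinOp):
        return BinOp(e.op, inst_aexp(e.left, v), inst_aexp(e.right, v))
    return e


def inst(c: Cmd, v: Sequence[Aexp]) -> Cmd:
    """The inst(cmd, v) rules from the slide, one case per syntactic form."""
    if isinstance(c, Skip):
        return c                                        # inst(skip, v) -> skip
    if isinstance(c, Seq):                              # inst(cmd1 ; cmd2, v)
        return Seq(inst(c.first, v), inst(c.second, v))
    return Assign(c.var, inst_aexp(c.expr, v))          # inst(x = aexp, v)


def eval_aexp(e: Aexp, state: Dict[str, int]) -> int:
    if isinstance(e, Const):
        return e.value
    if isinstance(e, Var):
        return state[e.name]
    if isinstance(e, BinOp):
        return OPS[e.op](eval_aexp(e.left, state), eval_aexp(e.right, state))
    raise ValueError("program still contains template parameter c%d" % e.index)


def run(c: Cmd, state: Dict[str, int]) -> Dict[str, int]:
    """Execute a non-templated command; returns the final state."""
    if isinstance(c, Assign):
        return {**state, c.var: eval_aexp(c.expr, state)}
    if isinstance(c, Seq):
        return run(c.second, run(c.first, state))
    return dict(state)


Test = Tuple[Dict[str, int], int]     # (<input state>, expected `result`)


def passes_all_tests(p: Cmd, v: Sequence[int], tests: Sequence[Test]) -> bool:
    """For all <input, output> in T: (inst(P, v))(input) = output."""
    q = inst(p, [Const(x) for x in v])
    return all(run(q, inp)["result"] == out for inp, out in tests)


def consistent_values(p: Cmd, n: int, tests: Sequence[Test],
                      domain: Sequence[int]) -> List[Tuple[int, ...]]:
    """Toy synthesis oracle (assumption: bounded enumeration, not a real solver)."""
    return [v for v in product(domain, repeat=n) if passes_all_tests(p, v, tests)]


# Constructed instance: the template   t := c1 * x ; result := t + c0
TEMPLATE = Seq(Assign("t", BinOp("*", Param(1), Var("x"))),
               Assign("result", BinOp("+", Var("t"), Param(0))))
TESTS: List[Test] = [({"x": 0}, 3), ({"x": 1}, 5), ({"x": 4}, 11)]


def solutions_after(k: int) -> List[Tuple[int, ...]]:
    """Candidate (c0, c1) pairs in -5..5 that pass the first k tests."""
    return consistent_values(TEMPLATE, 2, TESTS[:k], range(-5, 6))


if __name__ == "__main__":
    for k in range(1, 4):
        print(k, "test(s):", solutions_after(k))
```

With one test (x = 0) only c0 is pinned down and eleven candidate pairs survive; the second test fixes c1 and leaves the single pair (3, 2), which the third test merely confirms. That shrinking candidate set is the "each new test makes it harder to find a single consistent set of values" point in concrete form.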
Analysis
● How hard is it to solve program synthesis in general?
  – “Can you find values for these template variables such that this program passes all of its tests?”
Tools Exist: sketch
Armando Solar-Lezama: The Sketching Approach to Program Synthesis. APLAS 2009: 4-13.
Program Synthesis as Repair
● A program synthesis algorithm can be used to solve program repair
● Conceptually: replace the buggy line with a hole (□)
  – If you can synthesize XYZ to fill in that hole, the patch is “delete that line and replace it with XYZ”
● In practice, the template is: □ = □ + □*a + □*b + □*c;
  – where a, b, c are all in-scope variables
  – cf. Linear Regression. cf. Daikon.
Program Repair Example
c0 = 100, c1 = 0, c2 = 0, c3 = 1, c4 = 0, giving “bias = up + 100;”
Program Reachability
● Given a program P, a set of program variables x1 … xn, and a program label L, do there exist values c1 … cn such that P with each xi set to ci reaches label L in finite time?
● This is what SLAM and BLAST do (repeatedly).
  – L is the error label, ci is the counterexample.
● This is what H5 does (repeatedly).
  – L is the end of a path, ci is the test input.
Reachability Example
x = -20, y = -40
Reachability Analysis
● How hard is it to solve reachability in general?
  – “Can you find values for these variables such that this program reaches this label?”
● Many tools exist, including some that are quite mature:
  – DART, KLEE, SLAM, BLAST, PEX, CREST, CUTE, AUSTIN, “tigen”
Comparative Analysis
● Program synthesis and program reachability are both undecidable in general
● The “heart” of reachability is solving all path constraints
  – Each “if” makes it harder to find a single consistent set of values
● The “heart” of synthesis is handling all tests
  – Each new test makes it harder to find a single consistent set of values
Reductions
● Problem A is reducible to Problem B if an efficient algorithm for B could be used as a subroutine to solve A efficiently.
● A gadget is a subset of a problem instance that simulates the behavior of one of the fundamental units of a different problem.
  – Gadgets are hard to come up with the first time (e.g., when you are doing your Algo homework)
  – Gadgets often look simple once presented
Reduction Recipe
● Given an instance I of problem X
● Assume an oracle that can solve Y
● Transform I into f(I); verify f is polytime
● Let J = Y(f(I))
● Transform J into g(J); verify g is polytime
● Verify g(J) = X(I)
● Return g(J)
Gadget Example
● Use Graph 3-Colorability to solve 3-SAT
● Instance shown: (x || y || !z) && (!x || !y || z)
● A satisfying assignment: x = true, y = false, z = true
Trivia
● The this-Howard Isomorphism establishes a direct relationship between computer programs and proofs. It shows a correspondence between proof calculi and type systems for models of computation.
| Logic side | Programming side |
|---|---|
| axiom | variable |
| introduction rule | constructor |
| elimination rule | destructor |
| normal deduction | normal form |
| normalisation of deductions | weak normalisation |
| provability | type inhabitation problem |
| intuitionistic tautology | inhabited type |
Physics
● This 1909 experiment involved tiny charged droplets of a fluid falling between two horizontal electrodes. With the electrodes uncharged, the drops reach terminal velocity while falling. By varying the voltage in the electrode plates and inducing an electromagnetic field, the drops could be perfectly suspended (electric force = gravitational force). Using the mass of the drops and the voltage, they solved for the electric charge, finding it to be always a small integer multiple of a basic constant (1.6 * 10^-19 C): the charge of a single electron. Name the experimenter or the fluid.
Reducing Synthesis To Reachability
● Given an instance of a synthesis (repair) problem, and assuming we have an oracle that can solve reachability, let us convert the synthesis instance into a reachability instance.
● If we can do this efficiently, any existing reachability tool (e.g., DART, KLEE, SLAM) could be used to repair programs.
“Heart” insights:
Multiple tests make Synthesis difficult.
Multiple path conditions make Reachability difficult.
Convert
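The conversion shown in the figure, as an added example (not the slides' code and not CETI's implementation). The templated method is held as Python source with holes named c0, c1, c2; the gadget makes each hole an ordinary input of `main` and places the single label L behind the conjunction of all test checks, so L is reachable exactly when every test passes. A toy reachability oracle then searches for inputs that reach L, and the inputs it finds are read back as the patch. The method, the tests, and the bounded enumeration that stands in for a real reachability tool (KLEE, DART, an SMT solver) are all assumptions of this example; the intended fix here is `bias = up + 10` rather than the slide's `up + 100`, only to keep the search domain small. This is the convert-then-call-the-oracle step that the CETI algorithm later repeats for each buggy line and template.

```python
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

Test = Tuple[Tuple[int, ...], int]     # (arguments of f, expected return value)

# Constructed repair instance in the spirit of the earlier repair example:
# the buggy line of f has been replaced by the template  bias = c0 + c1*up + c2*down
TEMPLATED_METHOD = """\
def f(up, down):
    bias = c0 + c1*up + c2*down
    return bias - down
"""
# Constructed tests; the intended fix is bias = up + 10.
TESTS: List[Test] = [((0, 0), 10), ((5, 0), 15), ((5, 3), 12), ((-4, 9), -3)]


def gadget(method_src: str, n_holes: int, tests: Sequence[Test]) -> str:
    """Synthesis instance -> reachability instance.

    The holes c0..c(n-1) become ordinary inputs of main, and the only label L
    sits behind `if f(input1) == output1 and ... : [L]`, so L is reachable
    exactly when every test passes (the shape used in Lemma 2)."""
    params = ", ".join("c%d" % i for i in range(n_holes))
    checks = " and ".join("f%r == %d" % (args, out) for args, out in tests)
    body = "\n".join("    " + line for line in method_src.splitlines())
    return (
        "def main(%s):\n%s\n" % (params, body)    # f closes over c0..c(n-1)
        + "    if %s:\n" % checks
        + "        return 'L'      # reached the label\n"
        + "    return None\n"
    )


def reach_oracle(program_src: str, n_inputs: int,
                 domain: Sequence[int]) -> Optional[Tuple[int, ...]]:
    """Toy reachability tool: inputs to main that reach L, or None.

    Assumption: bounded enumeration over `domain` stands in for a real tool
    (KLEE, DART, an SMT solver) that would search the inputs symbolically."""
    ns: Dict[str, object] = {}
    exec(program_src, ns)          # the source was generated above, not user input
    main = ns["main"]
    for cand in product(domain, repeat=n_inputs):
        if main(*cand) == "L":
            return cand
    return None


def repair(method_src: str, n_holes: int, tests: Sequence[Test],
           domain: Sequence[int]) -> Optional[Tuple[Tuple[int, ...], str]]:
    """Convert, call the oracle, and read the reaching inputs back as the patch."""
    values = reach_oracle(gadget(method_src, n_holes, tests), n_holes, domain)
    if values is None:
        return None
    patched = method_src
    for i, v in enumerate(values):           # inst(Q, c): fill each hole
        patched = patched.replace("c%d" % i, str(v))
    return values, patched


def solve_repair() -> Optional[Tuple[Tuple[int, ...], str]]:
    return repair(TEMPLATED_METHOD, 3, TESTS, range(-12, 13))


if __name__ == "__main__":
    print(gadget(TEMPLATED_METHOD, 3, TESTS))
    print(solve_repair())
```

Because `f` is nested inside `main`, the holes are plain variables of the reachability program while the instantiated method has constants in their place; that is exactly the "agree on all non-template variables" relationship the proof below relies on. If the tests contradict each other, the guard can never be true, L is unreachable, and the oracle correctly reports that no patch exists.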
Proving Correctness
● We must show that the constructed reachability instance is solvable (with values c1 … cn) iff the original synthesis instance is solvable (with values c1 … cn).
● The reachability instance is solved if those values cause execution to reach L.
● The synthesis instance is solved if those values cause every test to pass.
High-Level Proof Structure
● Lemma 1. The reachability instance method and the synthesis instance method agree on all (non-template) variables.
● Lemma 2. If the reachability instance reaches L from a state S (with values c1 … cn), then that state and values model the weakest precondition of the synthesis instance method passing each test.
● Theorem 1. The synthesis instance is solvable iff the reachability instance is solvable (with the same values).
Lemma 1: “Method Executions Agree On Variables”
Lemma 2: “Reaching L Corresponds To Passing All Tests”
Lemma 1 (Agree on Vars)
● Let Q be the input synthesis instance method with template variables v1 … vn.
● Let P = Gadget(Q) be the reachability instance corresponding to method Q.
● For all states σ1, σ2, σ3, all values c1 … cn, and all input values x, it holds that:
● If σ1(vi) = ci, then <P(x), σ1> ↓ σ2 iff <inst(Q, c), σ1> ↓ σ3, and for all y ≠ vi, σ2(y) = σ3(y).
Lemma 1 Proof
● If σ1(vi) = ci, then <P(x), σ1> ↓ σ2 iff <inst(Q, c), σ1> ↓ σ3, and for all y ≠ vi, σ2(y) = σ3(y).
● How shall we prove it? What proof technique should we use?
Lemma 1 Proof
● If σ1(vi) = ci, then D1 :: <P(x), σ1> ↓ σ2 iff D2 :: <inst(Q, c), σ1> ↓ σ3, and for all y ≠ vi, σ2(y) = σ3(y).
● The proof proceeds by induction on the structure of the operational semantics derivation D1. By inversion, the structure of D1 corresponds exactly to the structure of D2, except for template variables.
Lemma 1 Case: Template Variable
● Case. Suppose D1 (reachability instance) is:
      σ2 = σ1[a → σ1(vi)]
    ————————————————————
     <a := vi, σ1> ↓ σ2
● By inversion and the construction of P, D2 is:
      σ3 = σ1[a → ci]
    ————————————————————
     <a := exp, σ1> ↓ σ3
● where exp = inst(ci, c) = ci
Lemma 1 Case: Template Variable
● Have: σ2 = σ1[a → σ1(vi)]
● Have: σ3 = σ1[a → ci]
● To show: “for all y ≠ vi, σ2(y) = σ3(y)”
● Sub-Case 1. y ≠ a. Neither update touches y, so σ2(y) = σ1(y) = σ3(y).
● Sub-Case 2. y = a. To show: σ1(vi) = ci. This was actually one of the assumptions in the statement of the lemma. (Intuitively, it means the reachability analysis assigned ci to each variable vi to reach the label L.)
Lemma 2 (Reach L = Pass Tests)
● Let Q be the input synthesis instance method with template variables v1 … vn and tests <input1, output1> … <inputn, outputn>.
● Let P = Gadget(Q) be the reachability instance method main.
● The execution of P reaches L starting from state σ1 iff
  σ1 |= wp(result = inst(Q, c)(input1), result = output1) && … && wp(result = inst(Q, c)(inputn), result = outputn)
  where σ1(vi) = ci.
Lemma 2 Proof
● By gadget construction there is only one label L in P, “if e then [L]”, where e is of the form f(input1) = output1 && … && f(inputn) = outputn.
● By the standard weakest precondition definitions for if, conjunction, equality and function calls, L is reachable iff σ1 |= wp(result = f(input1), result = output1) && … && wp(result = f(inputn), result = outputn).
Lemma 2 Proof
● Have: L is reachable iff σ1 |= wp(result = f(input1), result = output1) && … && wp(result = f(inputn), result = outputn).
● Want: L is reachable iff σ1 |= wp(result = inst(Q, c)(input1), result = output1) && … && wp(result = inst(Q, c)(inputn), result = outputn).
● To show: σ1 |= wp(result = f(inputi), result = outputi) iff σ1 |= wp(result = inst(Q, c)(inputi), result = outputi).
Lemma 2 Proof
● To show: σ1 |= wp(result = f(inputi), result = outputi) iff σ1 |= wp(result = inst(Q, c)(inputi), result = outputi), where f is the method from Gadget(Q).
● By the soundness and completeness of weakest preconditions with respect to operational semantics, we have <result = f(inputi), σ1> ↓ σ2 iff σ2 |= result = outputi.
Lemma 2 Proof
● Have: <result = f(inputi), σ1> ↓ σ2 iff σ2 |= result = outputi.
● By Lemma 1, we have <result = inst(Q, c)(inputi), σ1> ↓ σ3 with σ2(y) = σ3(y) for all y ≠ vi.
● Since “result” ≠ vi, σ3(result) = σ2(result) = outputi.
● So running the template program Q instantiated with ci = vi on a test input produces the required output.
Correctness Theorem
● Let Q be the input synthesis instance method with template variables v1 … vn and tests <input1, output1> … <inputn, outputn>.
● Let P = Gadget(Q) be the reachability instance method main.
● There exist parameter values ci such that for all <input, output>, inst(Q, c)(input) = output iff there exist input values ti such that the execution of P with vi → ti reaches L.
● Proof: From Lemma 2 with ti = ci.
Reducing Reachability To Synthesis
● We can also carry out a constructive reduction going the other direction.
● Suppose we are given an instance of program reachability. Can we convert it into a program synthesis instance to solve it?
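The reverse gadget, as an added example that is not the slides' code and not a description of CETI's implementation. Given a reachability program `main(x, y)` with a single label L, each program input becomes a template parameter ci, the label becomes `return True`, every other exit becomes `return False`, and the synthesis instance carries exactly one test demanding True; filling the holes so that test passes is the same as finding inputs that reach L. The program (chosen so that only x = -20, y = -40 reach L, echoing the earlier reachability example), the search domain, and the enumeration that stands in for a real synthesizer are assumptions of this example.

```python
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

Test = Tuple[Tuple[int, ...], object]  # (arguments of f, expected return value)

# Constructed reachability instance (the slides' own example program is only
# shown as a figure): inputs x, y; the label L is reached only for x=-20, y=-40.
REACH_PROGRAM = """\
def main(x, y):
    if x + y == -60:
        if 2 * x == y:
            return 'L'        # the label L
    return None
"""


def gadget_reach_to_synth(program_src: str,
                          inputs: Sequence[str]) -> Tuple[str, List[Test]]:
    """Reachability instance -> synthesis instance.

    Each program input becomes a template parameter (hole) ci, the label L
    becomes `return True`, every other exit becomes `return False`, and the
    single test demands True. Filling the holes so the test passes is the same
    as finding inputs that reach L."""
    lines = program_src.splitlines()
    if not lines[0].startswith("def main("):
        raise ValueError("expected a program of the form def main(...):")
    holes = ", ".join("c%d" % i for i in range(len(inputs)))
    out = ["def f():",
           "    %s = %s" % (", ".join(inputs), holes)]   # inputs := holes
    for line in lines[1:]:
        out.append(line.replace("return 'L'", "return True")
                       .replace("return None", "return False"))
    return "\n".join(out) + "\n", [((), True)]


def synth_oracle(templated_src: str, n_holes: int, tests: Sequence[Test],
                 domain: Sequence[int]) -> Optional[Tuple[int, ...]]:
    """Toy synthesis tool: hole values for which f passes every test.

    Assumption: bounded enumeration over `domain` stands in for a real
    synthesizer (e.g. sketch); instantiation is done by binding c0..c(n-1)
    in the namespace the templated source is executed in."""
    code = compile(templated_src, "<templated>", "exec")
    for cand in product(domain, repeat=n_holes):
        ns: Dict[str, object] = {"c%d" % i: v for i, v in enumerate(cand)}
        exec(code, ns)             # inst(Q, cand): the holes now have values
        f = ns["f"]
        if all(f(*args) == out for args, out in tests):
            return cand
    return None


def reaches_label(program_src: str, *args: int) -> bool:
    """Run the original reachability program on concrete inputs."""
    ns: Dict[str, object] = {}
    exec(program_src, ns)
    return ns["main"](*args) == "L"


def solve_reachability() -> Optional[Tuple[int, ...]]:
    """Reduce, synthesize, and hand the hole values back as the reaching inputs."""
    templated, tests = gadget_reach_to_synth(REACH_PROGRAM, ["x", "y"])
    return synth_oracle(templated, 2, tests, range(-50, 51))


if __name__ == "__main__":
    values = solve_reachability()
    print("inputs reaching L:", values)
    print("confirmed by running main:", reaches_label(REACH_PROGRAM, *values))
```

The two transformations are each other's mirror image: in one direction template holes become free inputs guarded by the test conjunction, in the other free inputs become template holes tested by a single expected outcome, which is why the same off-the-shelf solver can serve both problems.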
Reachability to Synthesis Example
Convert
Implications
● Program reachability tools are much more mature than program repair tools.
● CETI Program Repair Algorithm
  – For each buggy line, in ranked order
    – For every repair template, in ranked order
      ● Convert the repair instance to a reachability instance
      ● Call an off-the-shelf reachability tool (e.g., SMT solver / KLEE)
      ● If reachable, return the parameters as the patch
Prototype CETI Evaluation
● Considered 41 bugs and simple one-line templates
● Fixed 100% of bugs admitting one-line fixes
● 22 seconds each, average
● Debroy & Wong (random mutation): 9 repairs
● GenProg: 11 repairs
● Forensic (concolic execution): 23 repairs
● CETI: 26 repairs
Concluding Thoughts
● PL Theory almost always translates into useful PL Practice (just with an X-year lag time)
● There is plenty of scope for insight and creativity (cf. whence these gadgets?)
● Techniques like structural induction, SMT solving, fault localization, substitution, axiomatic semantics, etc., remain relevant!
● HW0 (BLAST), HW5 (tigen), FlashFill (Gulwani, Excel) and GenProg (last lecture) are all “secretly the same thing” = “statically reason about dynamic execution”