## From Program Verification to Program Synthesis


Citations: 54 (23 self-citations)

### BibTeX

```bibtex
@MISC{Srivastava_fromprogram,
  author = {Saurabh Srivastava and Sumit Gulwani and Jeffrey S. Foster},
  title  = {From Program Verification to Program Synthesis},
  year   = {}
}
```


### Abstract

This paper describes a novel technique for the synthesis of imperative programs. Automated program synthesis has the potential to make programming and the design of systems easier by allowing programs to be specified at a higher level than executable code. In our approach, which we call proof-theoretic synthesis, the user provides an input-output functional specification, a description of the atomic operations in the programming language, and a specification of the synthesized program’s looping structure, allowed stack space, and bound on usage of certain operations. Our technique synthesizes a program, if there exists one, that meets the input-output specification and uses only the given resources. The insight behind our approach is to interpret program synthesis as generalized program verification, which allows us to bring verification tools and techniques to program synthesis. Our synthesis

### Citations

- **Introduction to Algorithms** - Cormen, Leiserson, et al. (cited by 8843)
  > Citation context: ...S³AX, which we use as our solver. As in the previous section, since our tool does not currently infer predicates, we give it a candidate set. We choose all the textbook dynamic programming examples [8] and attempt to synthesize them from their functional specifications. The first hurdle (even for verification) for these algorithms is that the meaning of the computation is not easily specified. To a...

- **Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints** - Cousot, Cousot - 1977 (cited by 1958)
  > Citation context: ...owerful program verification tools now exist that can generate fixed-point solutions—inductive invariants such as τ—automatically using constraint-based techniques [6, 21, 32], abstract interpretation [9] or model checking [3]. There are also tools that can prove termination [7]—by inferring ranking functions such as ϕ—and together with the safety proof provide a proof for total correctness. The insig...

- **Design and Synthesis of Synchronization Skeletons using Branching Time Temporal Logic** - Clarke, Emerson - 1981 (cited by 825)
  > Citation context: ...cation tools now exist that can generate fixed-point solutions—inductive invariants such as τ—automatically using constraint-based techniques [6, 21, 32], abstract interpretation [9] or model checking [3]. There are also tools that can prove termination [7]—by inferring ranking functions such as ϕ—and together with the safety proof provide a proof for total correctness. The insight behind our paper is...

- **Interactive Theorem Proving and Program Development: Coq’Art: the Calculus of Inductive Constructions** - Bertot, Castéran - 2004 (cited by 492)
  > Citation context: ...rem induced by a program specification can be used to extract a program [27]. Using significant human input, theorems proved interactively in Coq have a computational analog that can be extracted [2]. The difficulty is that the theorem is of the whole program, and proves that an output exists for the specification. Such a theorem is much more difficult than the simple theorem proving queries gene...

- **The science of programming** - Gries (cited by 480)
  > Citation context: ...er new non-trivial programs that are difficult for programmers to build. In this paper, we present an approach to program synthesis that takes the correct-by-construction philosophy of program design [14, 18, 38] and shows how it can be automated. Program verification tools routinely synthesize program proofs in the form of inductive invariants for partial correctness and ranking functions for termination. We...

- **Guarded commands, nondeterminacy and formal derivation of programs** - Dijkstra - 1975 (cited by 430)
  > Citation context: ...e a tautology. The second term imposes this constraint. Notice that this construction does not constrain the guards to be disjoint (mutually exclusive). Disjointness is not required for correctness [11] because if multiple guards are triggered then arbitrarily choosing the body for any one suffices. Therefore, without loss of generality, the branches can be arbitrarily ordered (thus ensuring mutual...

- **On the synthesis of a reactive module** - Pnueli, Rosner - 1989 (cited by 343)
  > Citation context: ...eminal work on model checking [3] proposed synthesizing synchronization skeletons—a problem that has recently seen renewed interest [36, 37]. Synthesis from LTL specification has also been considered [28]. For the case of reactive systems, proposals exist that reduce the synthesis problem to a game between the environment and the synthesizer where the winning strategy corresponds to the synthesized pr...

- **Abstractions from proofs** - Henzinger, Jhala, et al. - 2004 (cited by 220)
  > Citation context: ..., which we use as our solver. The current version of our tool works with a user-supplied set of predicates. We are working on predicate inference techniques—in the style of CEGAR-based model checkers [23]—but for now, we give the tool a candidate set of predicates. The sortedness specification consists of the precondition Fpre = true and the postcondition Fpost = ∀k : 0 ≤ k < n ⇒ A[k] ≤ A[k + 1]. ...

- **Termination proofs for systems code** - Cook, Podelski, et al. - 2006 (cited by 139)
  > Citation context: ...olutions—inductive invariants such as τ—automatically using constraint-based techniques [6, 21, 32], abstract interpretation [9] or model checking [3]. There are also tools that can prove termination [7]—by inferring ranking functions such as ϕ—and together with the safety proof provide a proof for total correctness. The insight behind our paper is to ask the question, if we can infer τ in Eq. (1), t...

- **Back to the future: revisiting precise program verification using SMT solvers** - Lahiri, Qadeer - 2008 (cited by 68)
  > Citation context: ...call this augmented solver VS³QA. Axiomatization: Proposals exist for extending verification tools with axioms for theories they do not natively support, e.g., the theory of reachability for lists [26]. We take such axiomatization a step further and allow the user to specify axioms over uninterpreted symbols that define computations. We implement this in VS³PA to specify the meaning of dynamic pr...

- **Counterexample-guided abstraction refinement for symbolic model checking** - Clarke, Grumberg, Jha, Lu, Veith (cited by 53)
  > Citation context: ...e used to iteratively refine the set of predicates, akin to a manual run of CEGAR [4]. (Footnote 1: These timings are for separately (i) synthesizing the loop guards, and for (ii) synthesizing the acyclic fragments.) Aside from these avoidable incompleteness issues of verifiers, there are two major concerns for any synthesis system, namely scalability and relevance. Scalability: The synthesis conditions we genera...

- **A constructive approach to the problem of program correctness** - Dijkstra - 1968 (cited by 47)
  > Citation context: ...truction by manually developing the proof of correctness alongside the program. Because techniques for efficient invariant inference were unavailable in the past, synthesis was considered intractable [12]. Recently, scheme-guided synthesis [17] has been proposed but specialized to the arithmetic domain [5]. Categorizations of approaches as constructive/deductive synthesis, schema-guided synthesis and...

- **Toward Automatic Program Synthesis** - Manna, Waldinger - 1971 (cited by 38)
  > Citation context: ...e program terminates. To our knowledge, our approach is the first that automatically synthesizes programs and their proofs, while previous approaches have either used given proofs to extract programs [27] or made no attempt to generate the proof. Some approaches, while not generating proofs, do ensure correctness for a limited class of finitizable programs [29]. To illustrate our approach, we next sho...

- **Program repair as a game** - Jobstmann, Griesmayer, et al. - 2005 (cited by 36)
  > Citation context: ...thesis problem to a game between the environment and the synthesizer where the winning strategy corresponds to the synthesized program. Recently, this approach has also been applied to program repair [25, 19], which can be seen as restricted program synthesis. Despite optimizations [24], the practicality of these approaches for complete program synthesis remains unclear. 7. Conclusions: We have presented a...

- **Optimizations for LTL synthesis** - Jobstmann, Bloem - 2006 (cited by 35)
  > Citation context: ...ing strategy corresponds to the synthesized program. Recently, this approach has also been applied to program repair [25, 19], which can be seen as restricted program synthesis. Despite optimizations [24], the practicality of these approaches for complete program synthesis remains unclear. 7. Conclusions: We have presented a principled approach to synthesis that treats synthesis as a generalized verifi...

- **Flow graph reducibility** - Hecht, Ullman - 1972 (cited by 32)

- **Systematic Programming: An Introduction** - Wirth - 1973 (cited by 19)
  > Citation context: ...er new non-trivial programs that are difficult for programmers to build. In this paper, we present an approach to program synthesis that takes the correct-by-construction philosophy of program design [14, 18, 38] and shows how it can be automated. Program verification tools routinely synthesize program proofs in the form of inductive invariants for partial correctness and ranking functions for termination. We...

- **Repair of boolean programs with an application to C** (CAV) - Griesmayer, Bloem, et al. - 2006 (cited by 15)
  > Citation context: ...thesis problem to a game between the environment and the synthesizer where the winning strategy corresponds to the synthesized program. Recently, this approach has also been applied to program repair [25, 19], which can be seen as restricted program synthesis. Despite optimizations [24], the practicality of these approaches for complete program synthesis remains unclear. 7. Conclusions: We have presented a...

- **Program analysis as constraint solving** - Gulwani, Srivastava, Venkatesan - 2008 (cited by 13)
  > Citation context: ...ed using SMT solvers [10]. In fact, powerful program verification tools now exist that can generate fixed-point solutions—inductive invariants such as τ—automatically using constraint-based techniques [6, 21, 32], abstract interpretation [9] or model checking [3]. There are also tools that can prove termination [7]—by inferring ranking functions such as ϕ—and together with the safety proof provide a proof for...

- **Schema-guided synthesis of imperative programs by constraint solving** - Colón - 2004 (cited by 12)
  > Citation context: ...fficient invariant inference were unavailable in the past, synthesis was considered intractable [12]. Recently, scheme-guided synthesis [17] has been proposed but specialized to the arithmetic domain [5]. Categorizations of approaches as constructive/deductive synthesis, schema-guided synthesis and inductive synthesis are presented in a recent survey [1]. Our approach can be seen as midway between co...

- **Sketching stencils** - Solar-Lezama, Arnold, Tancau, Bodík, Saraswat, Seshia - 2007 (cited by 11)
  > Citation context: ...er used given proofs to extract programs [27] or made no attempt to generate the proof. Some approaches, while not generating proofs, do ensure correctness for a limited class of finitizable programs [29]. To illustrate our approach, we next show how to synthesize Bresenham’s line drawing algorithm. This example is an ideal candidate for automated synthesis because, while the program’s requirements ar...

- **VS3: SMT solvers for program verification** - Srivastava, Gulwani, et al. - 2009 (cited by 11)
  > Citation context: ...or this work, we used tools that are part of the VS³ project [33]. We used two tools: an arithmetic verification tool [21], which we call VS³LIA here; and a predicate abstraction verification tool [32, 34, 20], which we call VS³PA here. Capabilities: Both verification tools VS³LIA and VS³PA are based on the idea of reducing the problem of invariant generation to satisfiability solving. Each tool takes...

- **Linear invariant generation using non-linear constraint solving** - Colón, Sankaranarayanan, Sipma - 2003 (cited by 9)
  > Citation context: ...ed using SMT solvers [10]. In fact, powerful program verification tools now exist that can generate fixed-point solutions—inductive invariants such as τ—automatically using constraint-based techniques [6, 21, 32], abstract interpretation [9] or model checking [3]. There are also tools that can prove termination [7]—by inferring ranking functions such as ϕ—and together with the safety proof provide a proof for...

- **Sketching Concurrent Data Structures** - Solar-Lezama, Jones, Bodík - 2008 (cited by 9)
  > Citation context: ...re difficult than the simple theorem proving queries generated by the verification tool. Sketching: Instead of a declarative specification of the desired computation as we use, combinatorial sketching [29, 30, 31] uses an unoptimized program as the specification. A model checker eliminates invalid candidate programs that the synthesizer generates. Loops are handled in a novel but incomplete manner, by unrollin...

- **Program verification using templates over predicate abstraction** - Srivastava, Gulwani - 2009 (cited by 9)
  > Citation context: ...ed using SMT solvers [10]. In fact, powerful program verification tools now exist that can generate fixed-point solutions—inductive invariants such as τ—automatically using constraint-based techniques [6, 21, 32], abstract interpretation [9] or model checking [3]. There are also tools that can prove termination [7]—by inferring ranking functions such as ϕ—and together with the safety proof provide a proof for...

- **Synthesis of programs in computational logic** - Basin, Deville, et al. - 2004 (cited by 7)
  > Citation context: ...posed but specialized to the arithmetic domain [5]. Categorizations of approaches as constructive/deductive synthesis, schema-guided synthesis and inductive synthesis are presented in a recent survey [1]. Our approach can be seen as midway between constructive/deductive synthesis and schema-guided synthesis. Some researchers proposed heuristic techniques for automation, but they cater to a very limit...

- **Programming by sketching for bit-streaming programs** - Solar-Lezama, Rabbah, Bodík, Ebcioglu - 2005 (cited by 7)
  > Citation context: ...gment of the domain over the variables in V. Also, the set of operations in e_i is bounded by R_comp. The expansion has some similarities to the notion of a user-specified sketch in previous approaches [31, 29]. However, the unknowns in the expansion here are more expressive than the integer unknowns considered earlier, and this allows us to perform a lattice search as opposed to the combinatorial approache...

- **An abstract formalization of correct schemas for program synthesis** - Flener, Lau, et al. (cited by 4)
  > Citation context: ...f of correctness alongside the program. Because techniques for efficient invariant inference were unavailable in the past, synthesis was considered intractable [12]. Recently, scheme-guided synthesis [17] has been proposed but specialized to the arithmetic domain [5]. Categorizations of approaches as constructive/deductive synthesis, schema-guided synthesis and inductive synthesis are presented in a r...

- **Constraint-based invariant inference over predicate abstraction** - Gulwani, Srivastava, Venkatesan - 2009 (cited by 4)
  > Citation context: ...am verification that has been successfully used for difficult analyses [32]. In previous work, we designed efficient constraint-based verification tools for two popular domains, predicate abstraction [32, 20] and linear arithmetic [21]. The tools for both domains satisfy Requirement 1. Constraint-based verification tools reduce a verification condition vc (with invariant unknowns) to a boolean constraint...

- **Heuristics for program synthesis using loop invariants** - Duran - 1978 (cited by 3)
  > Citation context: ...ductive synthesis and schema-guided synthesis. Some researchers proposed heuristic techniques for automation, but they cater to a very limited schematic of programs and are limited in their applicability [15]. In this paper, we have shown that verification has reached a point where automatic synthesis is feasible. Extracting programs from proofs: The semantics of program loops is related to mathematical ind...

- **Using SMT solvers for deductive verification of C and Java programs** - Filliâtre (cited by 3)
  > Citation context: ...Bresenham’s Line Drawing Algorithm: Consider Bresenham’s line drawing algorithm, as we discussed in Section 1.1. For efficiency, the algorithm only uses linear updates, which are non-trivial to verify [16] or even understand (let alone discover from scratch). We specify the precondition Fpre = 0 < Y ≤ X. The postcondition can be written as a quantified assertion outside the loop or as a quantifier-fr...

- **Abstraction-guided synthesis of synchronization** - Vechev, Yahav, Yorsh - 2010 (cited by 3)
  > Citation context: ...program, and the proof. Model checking-based synthesis of automata: Seminal work on model checking [3] proposed synthesizing synchronization skeletons—a problem that has recently seen renewed interest [36, 37]. Synthesis from LTL specification has also been considered [28]. For the case of reactive systems, proposals exist that reduce the synthesis problem to a game between the environment and the synthesi...

- **Inferring synchronization under limited observability** - Vechev, Yahav, Yorsh - 2009 (cited by 2)
  > Citation context: ...program, and the proof. Model checking-based synthesis of automata: Seminal work on model checking [3] proposed synthesizing synchronization skeletons—a problem that has recently seen renewed interest [36, 37]. Synthesis from LTL specification has also been considered [28]. For the case of reactive systems, proposals exist that reduce the synthesis problem to a game between the environment and the synthesi...

- **Proof-theoretic program synthesis: From program verification to program synthesis** - Srivastava, Gulwani, et al. - 2009 (cited by 1)
  > Citation context: ...e summarize the capabilities of these tools and our extensions to them. The description here is necessarily brief due to lack of space, and more details can be found in the companion technical report [35]. We also describe a technique we use to simplify user input by expanding flowgraphs to be more expressive as required sometimes. Verification Tools: Our synthesis technique relies on an underlying pro...