## PINS: Path-based Inductive Synthesis ∗

### BibTeX

@MISC{Srivastava_pins:path-based,

author = {Saurabh Srivastava and Sumit Gulwani and Swarat Chaudhuri and Jeffrey S. Foster},

title = {PINS: Path-based Inductive Synthesis ∗},

year = {}

}

### OpenURL

### Abstract

In this paper, we present a novel program synthesis approach that is inspired by symbolic testing. We symbolically execute an unknown template program and constrain the program’s behavior over each executed path. As more paths are explored the space of candidate programs narrows until only the valid ones remain. Instead of randomly picking paths, we find that is possible and more efficient to direct path exploration over the unknown template program using a novel technique that parameterizes the symbolic executor by the remaining candidate solutions. We call this approach Pathbased Inductive Synthesis (PINS). We apply PINS to the problem of automatic program inversion. The specification for inversion is implicit as the combination of the original program and the inverse is the identity transform. We observe that an inverse is typically related to the original program and so the space of possible inverses can be inferred by automatically mining the original program for expressions, predicates, and control flow. Using PINS, we show we can synthesize inverses for compressors (e.g., LZ77), packers (e.g., UUEncode), and arithmetic transformers (e.g., image rotations). PINS synthesizes these inverses in a median time of 40 seconds and an average time of 293 seconds, demonstrating the viability of our testing-inspired synthesis approach. 1.

### Citations

1221 | A universal algorithm for sequential data compression
- Ziv, Lempel
- 1977
(Show Context)
Citation Context ... point and two loops that are nested), the outer loop is annotated as ↓ to allow processing the stream in the direction it was encoded. Our second compression benchmark is the LZ77 encoding algorithm =-=[31]-=-, which is the basis of the Deflate algorithm used in gzip, zip, and PNG images. We have already discussed this benchmark in detail earlier. LZ77 compresses data by outputting pointers to identical se... |

648 | Construction of abstract state graphs with PVS
- Graf, Säıdi
- 1997
(Show Context)
Citation Context ...) that can be used to instantiate the ρ’s and ε’s, respectively. Such user-provided sets are standard, as in the previous approaches to synthesis [28, 24] and predicate abstraction-based verification =-=[12]-=-. We shall see later that for program inversion the sets can almost entirely be mined from the original program, alleviating the human effort involved in guessing these sets. Notice that the above fin... |

523 |
Symbolic execution and program testing
- King
- 1976
(Show Context)
Citation Context ...vailable. For instance, we target program inversion in this paper, and we are not aware of any usable inversion verifiers. On the other hand, testing, and in our case symbolic execution-based testing =-=[19]-=-, has been shown to be a good (approximate) verification strategy—perhaps the only one in the absence of formal verifiers— and therefore can potentially be employed for synthesis. Our technique, calle... |

498 |
The Science of Programming
- Gries
- 1981
(Show Context)
Citation Context ...vel mechanism that directs path exploration by parameterizing the symbolic executor with a solution from the space of candidate programs. • We apply PINS to the problem of automatic program inversion =-=[8, 13, 4, 9, 11]-=-. Specifically, we consider inverting an injective program by finding another program that is its left inverse. • The effectiveness of automatic program synthesis techniques is limited by the relevanc... |

458 | A technique for high performance data compression - Welch - 1984 |

167 | The Daikon system for dynamic detection of likely invariants
- Ernst, Perkins, et al.
- 2007
(Show Context)
Citation Context ... l is an unknown expression ηl on which we impose constraints for boundedness and strictly decreasing, and whose proof may require dynamic invariants—in the spirit of trace-based invariant generation =-=[10]-=-. Boundedness Under our assumption about the relation of the (unknown) loop guard ρl to the ranking function ηl, we impose the following constraints: bounded(l) . = ∀X : ρl ⇒ ηl ≥ 0 Note that here the... |

142 | Termination proofs for systems code
- Cook, Podelski, et al.
- 2006
(Show Context)
Citation Context ...nd the entire program terminates if all loops terminate. We discover limited classes of numeric ranking functions, and our approach is based on assumptions that have been shown reasonable in practice =-=[6, 5, 2]-=-. A recent proposal for proving the termination of heap-manipulating programs reduces the problem to proving the termination of a related numeric program [21], and we can employ a similar preprocessin... |

97 |
Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstraction
- Henzinger
- 2002
(Show Context)
Citation Context ...ur template, then PINS generates paths that eliminate all solutions. In this case, we examine the paths and change either Πe, Πp, or flowgraph. This is very similar to abstraction refinement in CEGAR =-=[16]-=-, and therefore we expect the process can be automated. On the other hand, if a valid inverse does exist in our template, then PINS eliminates all but the valid ones. Then we manually inspect each syn... |

54 | From program verification to program synthesis
- Srivastava, Gulwani, et al.
- 2010
(Show Context)
Citation Context .... A key feature of our symbolic executor, and consequently of PINS, is its extensibility by means of axioms. This extensibility is already built into the underlying satisfiabilitybased solver VS 3 AX =-=[28]-=- that we use (which itself is based on a previous verifier VS 3 PA [27]). For an ADT, we assert quantified axioms about its interface functions in the SMT solver. For instance, consider the String ADT... |

40 | Variance analyses from invariance analyses
- Berdine, Chawdhary, et al.
- 2007
(Show Context)
Citation Context ...nd the entire program terminates if all loops terminate. We discover limited classes of numeric ranking functions, and our approach is based on assumptions that have been shown reasonable in practice =-=[6, 5, 2]-=-. A recent proposal for proving the termination of heap-manipulating programs reduces the problem to proving the termination of a related numeric program [21], and we can employ a similar preprocessin... |

38 |
Toward Automatic Program Synthesis
- Manna, Waldinger
- 1971
(Show Context)
Citation Context ...ing [24] is an example that uses a modelchecker to generate counterexample traces which refine the space of candidates. Deductive synthesis, in contrast, refines a specification to derive the program =-=[22]-=-. While our approach is similar to inductive synthesis it has elements of deductive synthesis as well. Since we use symbolic paths and not concrete traces each additional path captures the behavior of... |

30 | Complete functional synthesis
- Kuncak, Mayer, et al.
- 2010
(Show Context)
Citation Context ...g analogous approximate guarantees. Our approach combines ideas from symbolic execution-based testing and satisfiability-based program analysis to synthesize programs. Unlike some previous approaches =-=[17, 20]-=-, our technique is not limited to acyclic fragments, but can synthesize programs with loops. ∗ This work was supported in part by NSF grants CCF-0346982, and CCF0953507. [Copyright notice will appear ... |

21 |
Program inversion
- Dijkstra
- 1978
(Show Context)
Citation Context ...vel mechanism that directs path exploration by parameterizing the symbolic executor with a solution from the space of candidate programs. • We apply PINS to the problem of automatic program inversion =-=[8, 13, 4, 9, 11]-=-. Specifically, we consider inverting an injective program by finding another program that is its left inverse. • The effectiveness of automatic program synthesis techniques is limited by the relevanc... |

14 |
Programming with angelic nondeterminism
- Bodı́k, Chandra, et al.
- 2010
(Show Context)
Citation Context ...ance) that are missing. Thus, failing runs of PINS are themselves debugging tools for synthesis, which is unlike previous approaches [28, 24]. This debugging process is similar to angelic programming =-=[3]-=-, except that the traces generated are already symbolic and the user does not need to perform any generalizations. In our experience, we have found it easy to generalize from these instances and add t... |

14 |
Ramarathnam Venkatesan. Program analysis as constraint solving
- Gulwani, Srivastava
(Show Context)
Citation Context ... the (∃I∀X : vc) constraint—with I being an unknown invariant and vc being the program verification condition—used for invariant inference. Therefore, we will be able to use invariant inference tools =-=[27, 15]-=-, suitably modified to handle variable versions, to infer expressions and predicates. We then define the safety constraint for the entire program as: safety(̂Prog, spec) . = ^ safepath(t, spec) t∈path... |

13 |
M.: A Method for Automatic Program Inversion Based on LR(0) Parsing
- Glück, Kawabe
- 2005
(Show Context)
Citation Context ...vel mechanism that directs path exploration by parameterizing the symbolic executor with a solution from the space of candidate programs. • We apply PINS to the problem of automatic program inversion =-=[8, 13, 4, 9, 11]-=-. Specifically, we consider inverting an injective program by finding another program that is its left inverse. • The effectiveness of automatic program synthesis techniques is limited by the relevanc... |

12 | A Heuristic Approach to Program Inversion
- Eppstein
- 1985
(Show Context)
Citation Context |

12 |
Attribute Grammar Inversion and Source-to-Source Translation
- Yellin
- 1988
(Show Context)
Citation Context ...strategies that leverage the fact that if the output of the original can be parsed using a deterministic grammar, then that approximates the original computation and can be used to derive the inverse =-=[11, 30]-=-. The limitation of this technique is that grammarbased approaches need to work with grammars for which it is decidable to evaluate if they are unambiguous, which for all but the most trivial benchmar... |

11 | Proving Program Termination
- Cook, Podelski, et al.
(Show Context)
Citation Context ...nd the entire program terminates if all loops terminate. We discover limited classes of numeric ranking functions, and our approach is based on assumptions that have been shown reasonable in practice =-=[6, 5, 2]-=-. A recent proposal for proving the termination of heap-manipulating programs reduces the problem to proving the termination of a related numeric program [21], and we can employ a similar preprocessin... |

11 |
Sumit Gulwani, Sanjit A Seshia, and Ashish Tiwari. Oracle-guided component-based program synthesis
- Jha
- 2010
(Show Context)
Citation Context ...g analogous approximate guarantees. Our approach combines ideas from symbolic execution-based testing and satisfiability-based program analysis to synthesize programs. Unlike some previous approaches =-=[17, 20]-=-, our technique is not limited to acyclic fragments, but can synthesize programs with loops. ∗ This work was supported in part by NSF grants CCF-0346982, and CCF0953507. [Copyright notice will appear ... |

11 |
Liviu Tancau, Rastislav Bodík, Vijay A. Saraswat, and Sanjit A. Seshia. Sketching stencils
- Solar-Lezama, Arnold
- 2007
(Show Context)
Citation Context ... [Copyright notice will appear here once ’preprint’ option is removed.] Previous techniques capable of synthesizing programs with arbitrary loops, such as proof-theoretic synthesis [28] and sketching =-=[24]-=-, relied on verifiers, but the approach presented here works even in the absence of a formal verifier. Formal verifiers are hard to build, and for particular domains verifiers may not be readily avail... |

9 |
Susmit Jha, Ashish Tiwari, and Ramarathnam Venkatesan. Synthesis of loop-free programs
- Gulwani
- 2011
(Show Context)
Citation Context ...MT reasoning to generate concise SAT instances that can be efficiently solved, as shown by our experiments, while sketching uses bit-blasting, which generates large formulas that may be hard to solve =-=[14]-=-. Lastly, the verification process in sketching can potentially be testing-based, but it would need to be exhaustive to find the counterexample. On the other hand, we only need to find one feasible pa... |

9 |
Rastislav Bodík. Sketching Concurrent Data Structures
- Solar-Lezama, Jones
- 2008
(Show Context)
Citation Context ...ive reinforcing examples or through negative counterexamples, we refine using both positive and negative example paths. Formal verifiers are critical to previous approaches, namely, sketching (CEGIS) =-=[24, 25]-=- and proof-theoretic synthesis [28]. Sketching uses a model checker to explain why invalid candidates are not correct and uses the counterexample generated to refine the space. Proof-theoretic synthes... |

9 |
and Sumit Gulwani. Program verification using templates over predicate abstraction
- Srivastava
- 2009
(Show Context)
Citation Context ...erate the constraints without needing complicated loop invariants. We reduce these constraints to SAT constraints using techniques that were previously proposed in the context of invariant generation =-=[27]-=-. We then solve the SAT instance to get candidate inverses. For instance, one path, through (Prog ; ̂Prog) is n ≥ 0; i := 0; j := 0; i ≥ n; 〈i ′ , j ′ := ε1, ε2〉; ¬ρ1. This path generates the safety c... |

7 |
Rodric Rabbah, Rastislav Bodík, and Kemal Ebcioglu. Programming by sketching for bit-streaming programs
- Solar-Lezama
- 2005
(Show Context)
Citation Context ...ategy, our technique differs from sketching in four key aspects. First, the SKETCH compiler uses novel domain specific reductions to finitize loops for stencil [24], concurrent [25], or bit-streaming =-=[26]-=- programs, and is engineered to solve the resulting loop-finitized problem. On the other hand, we finitize the solution space using templates but do not finitize loops. Second, we refine at the granul... |

6 |
Yih-Kuen Tsay. Automatic numeric abstractions for heap-manipulating programs
- Magill, Tsai, et al.
(Show Context)
Citation Context ...ve been shown reasonable in practice [6, 5, 2]. A recent proposal for proving the termination of heap-manipulating programs reduces the problem to proving the termination of a related numeric program =-=[21]-=-, and we can employ a similar preprocessing step to potentially handle heapmanipulating programs. First, we assume that the loop guard implies a (lower or upper) bound on the ranking function. For exa... |

5 |
A formal approach to program inversion
- Chen
- 1990
(Show Context)
Citation Context |

3 | Representation dependence testing using program inversion
- Kanade, Alur, et al.
- 2010
(Show Context)
Citation Context ...ffort in automation. For a limited class of programs, a technique based on local inversion, and limited reordering of statements, while leaving the control-flow unchanged, has been shown to be usable =-=[18]-=-. The second are grammar-based strategies that leverage the fact that if the output of the original can be parsed using a deterministic grammar, then that approximates the original computation and can... |