type-driven program synthesis

Nadia Polikarpova

2

my goal: automate programming

example: insert into a sorted list

Input:

Output:

3

1 2 7 8

5

xs

x

1 2 7 85ys

insert in a functional language

4

insert x xs =match xs with

Nil →Cons x Nil

Cons h t →if x ≤ h

then Cons x xselse Cons h (insert x t)

5

875 9

5

5

insert x xs =match xs with

Nil →Cons x Nil

Cons h t →if x ≤ h

then Cons x xselse Cons h (insert x t)

void insert(node *xs, int x) {node *new;node *temp;node *prev;

new = (node *)malloc(sizeof(node));if(new == NULL) {printf("Insufficient memory.");return;

}new->val = x;new->next = NULL;if (xs == NULL) {xs = new;

} else if(x < xs->val) {new->next = xs;xs = new;

} else { prev = xs;temp = xs->next;while(temp != NULL && x > temp->val) {

prev = temp;temp = temp->next;

}if(temp == NULL) {

prev->next = new;} else {

new->next = temp;prev->next = new;

}}

}

automatespointer manipulation &memory management

C Haskell

what’s next?

6

void insert(node *xs, int x) {node *new;node *temp;node *prev;

new = (node *)malloc(sizeof(node)); if(new == NULL) {printf("Insufficient memory.");return;

} new->val = x;new->next = NULL;if (xs == NULL) {xs = new;

} else if(x < xs->val) {new->next = xs;xs = new;

} else { prev = xs;temp = xs->next;while(temp != NULL && x > temp->val) {prev = temp;temp = temp->next;

}if(temp == NULL) {prev->next = new;

} else {new->next = temp;prev->next = new;

}}

}

insert x xs =match xs withNil → Cons x NilCons h t →if x ≤ hthen Cons x xselse Cons h (insert x t)

append:push ebpmov ebp, esppush eaxpush ebxpush lencall mallocmov ebx, [ebp + 12]mov [eax + info], ebxmov dword [eax + next], 0mov ebx, [ebp + 8]cmp dword [ebx], 0je null_pointermov ebx, [ebx]

next_element:cmp dword [ebx + next], 0je found_lastmov ebx, [ebx + next]jmp next_element

found_last:push eaxpush addMescall putsadd esp, 4pop eaxmov [ebx + next], eax

go_out:pop ebxpop eaxmov esp, ebppop ebpret 8

null_pointer:push eaxpush nullMescall putsadd esp, 4pop eaxmov [ebx], eaxjmp go_out

Assembly C Haskell

?future

automatesargument passing& memory access

this talk

I. specificationsare the new cool language feature

II. program synthesisis the way to make it happen

III. synthesis-aided programmingis the the future

7

this talk

I. specifications

II. program synthesis

III. synthesis-aided programming

8

this talk

I. specifications

9

how do I tell the machine what I want?

specification for insert

10

Input:

x

xs: sorted list

Output:

ys: sorted list

elems ys = elems xs ∪ {x}

easy to write ☺

hard to execute

specification code

program synthesis

11

match xs withNil → Cons x NilCons h t →if x ≤ hthen Cons x xselse Cons h (insert x t)

in: x, sorted xsout: sorted ys

elems ys = elemsxs ∪ {x}

Synquidspecification code

program synthesis

12

match xs withNil → Cons x NilCons h t →if x ≤ hthen Cons x xselse Cons h (insert x t)

in: x, sorted xsout: sorted ys

elems ys = elemsxs ∪ {x}

Synquid

Synquidspecification code

program synthesis

13

match xs withNil → Cons x NilCons h t →if x ≤ hthen Cons x xselse Cons h (insert x t)

in: x, sorted xsout: sorted ys

elems ys = elemsxs ∪ {x}

formalize this

types are specifications

14

insert :: a → List a → List a

types are specifications

15

insert :: a → List a → List a

ordinary types are insufficient!

refinement types

16

{ v:Int | 0 ≤ v }

shape refinement

data SList a whereNil :: SList aCons :: h:a →

t:SList {v:a | h ≤ v} →SList a

from lists to sorted lists

17

List aList a

List aSList a →List a →

data SList a whereNil :: SList aCons :: h:a →

t:SList {v:a | h ≤ v} →SList a

from lists to sorted lists

18

7 82

all you need is one simple predicate!

insert :: x:a → xs:SList a →{v:SList a | elems v = elems xs ∪ {x}}

insert in Synquid

19

Synquid generates correct code in under a second!

this talk

20

I. specifications

II.program synthesis

III. synthesis-aided programming

this talk

21

I. specifications

II.program synthesis

how do we get from specification to code?

type-driven program synthesis

22

match xs withNil → Cons x NilCons h t →if x ≤ hthen Cons x xselse Cons h (insert x t)

? insert :: x:a →xs:SList a →{v:SList a | elems v =elems xs ∪ {x}}

specification code

synthesis as search

23

...

insert :: x:a →xs:SList a →{v:SList a | elems v =elems xs ∪ {x}}

Nil, Cons, ≤, …

specification

components

code

synthesis as search

24

...

too many270

insert :: x:a →xs:SList a →{v:SList a | elems v =elems xs ∪ {x}}

Nil, Cons, ≤, …

specification

components

code

25

synthesis as search

26

synthesis as search

27

synthesis as search

28

key idea: reject hopeless programs early

synthesis as search

reject hopeless programs early

29

insert :: x:a →xs:SList a →{v:SList a | elems v =elems xs ∪ {x}}

specification

reject hopeless programs early

30

insert :: x:a →xs:SList a →{v:SList a | elems v =elems xs ∪ {x}}

specification

reject hopeless programs early

31

insert :: x:a →xs:SList a →{v:SList a | elems v =elems xs ∪ {x}}

specification

x:a → xs:SList a →{v:SList a | elems v = elems xs ∪ {x}}

insert x xs =match xs with

Nil → NilCons h t → ??

reject hopeless programs early

32

x:a → xs:SList a →{v:SList a | elems v = elems xs ∪ {x}}

insert x xs =match xs with

Nil → NilCons h t → ??

reject hopeless programs early

33

250

x:a → xs:SList a →{v:SList a | elems v = elems xs ∪ {x}}

insert x xs =match xs with

Nil → NilCons h t → ??

insert x xs =match xs with

Nil → NilCons h t → ??

{v:SList a | elems v = elems xs ∪ {x}}

reject hopeless programs early

34

x:a → xs:SList a →{v:SList a | elems v = elems xs ∪ {x}}

insert x xs =match xs with

Nil → NilCons h t → ??

insert x xs =match xs with

Nil → NilCons h t → ??

insert x xs =match xs with

Nil → NilCons h t → ??

{v:SList a | elems v = elems xs ∪ {x}}{v:SList a | elems v = {x}}

reject hopeless programs early

35

x:a → xs:SList a →{v:SList a | elems v = elems xs ∪ {x}}

insert x xs =match xs with

Nil → NilCons h t → ??

insert x xs =match xs with

Nil → NilCons h t → ??

insert x xs =match xs with

Nil → NilCons h t → ??

{v:SList a | elems v = elems xs ∪ {x}}{v:SList a | elems v = {x}}

reject hopeless programs early

36

Expected {v:SList a | elems v = {x}}and got {v:SList a | elems v = {}}

synquid

37

match xs withNil → Cons x NilCons h t →if x ≤ hthen Cons x xselse Cons h (insert x t)

insert :: x:a →xs:SList a →{v:SList a | elems v =elems xs ∪ {x}}

specification code

components

experiments

38

0

10

20

30

40

50

60

70

Lis

t-N

ull

Lis

t-E

lem

Lis

t-S

tutt

er

Lis

t-R

ep

lica

teLis

t-A

pp

en

dLis

t-C

on

cat

Lis

t-Ta

keLis

t-D

rop

Lis

t-D

ele

teLis

t-M

ap

Lis

t-Z

ipLis

t-Z

ipW

ith

Lis

t-P

rod

uct

Lis

t-It

hLis

t-E

lem

Ind

ex

Lis

t-S

no

cLis

t-R

eve

rse

Lis

t-Fo

ldr

Lis

t-Fo

ld-L

en

gth

Lis

t-Fo

ld-A

pp

en

dU

niq

ue

Lis

t-In

sert

Un

iqu

eLis

t-D

ele

teLis

t-N

ub

Lis

t-C

om

pre

ssU

niq

ue

Lis

t-R

an

ge

Str

ictI

ncL

ist-

Inse

rtS

tric

tIn

cLis

t-D

ele

teS

tric

tIn

cLis

t-In

ters

ect

IncL

ist-

Inse

rtLis

t-In

sert

So

rtLis

t-Fo

ld-S

ort

Lis

t-E

xtra

ctM

inLis

t-S

ele

ctS

ort

Lis

t-S

plit

IncL

ist-

Me

rge

Lis

t-M

erg

eS

ort

Lis

t-P

art

itio

nIn

cLis

t-P

ivo

tAp

pe

nd

Lis

t-Q

uic

kSo

rtT

ree

-Ele

mT

ree

-Co

un

tT

ree

-To

Lis

tB

ST

-Me

mb

er

BS

T-I

nse

rtB

ST

-De

lete

BS

T-S

ort

AV

L-R

ota

teL

AV

L-R

ota

teR

AV

L-B

ala

nce

AV

L-I

nse

rtA

VL-E

xtr

act

Min

AV

L-D

ele

teR

BT

-Ba

lan

ceL

RB

T-B

ala

nce

RR

BT

-In

sert

Ru

nLe

n-E

nco

de

Ru

nLe

n-D

eco

de

AS

T-D

esu

ga

rBo

ol

AS

T-D

esu

ga

rBo

ol2

AS

T-N

NF

AS

T-N

NFL

itB

DD

-Ma

keB

DD

-An

dB

DD

-Or

sec

lists sorting BSTAVL /

red-blackcustom

data types

¬(a ⇒ b ∨ c)¬(a ⇒ b ∨ c)¬(a ⇒ b ∨ c)

case study: negation normal form

39

1. only ¬, ∧, ∨

2. ¬ only at variables

¬(a ⇒ b ∨ c)¬(a ⇒ b ∨ c)¬(a ⇒ b ∨ c)

case study: negation normal form

40

a ∧ (¬b ∨ ¬c)

1. only ¬, ∧, ∨

2. ¬ only at variables

¬(¬a ∨ (b ∨ c))

¬¬a ∧ ¬(b ∨ c)

a ∧ ¬(b ∨ c)

⇒ def.

De Morgan

double-neg

De Morgan

nnf: data types

41

data Fml whereVar :: String → FmlNot :: Fml → FmlAnd :: Fml → Fml → FmlOr :: Fml → Fml → FmlImp :: Fml → Fml → Fml

data NNF whereNAtom :: String → Bool

→ NNFNAnd :: NNF → NNF → NNFNOr :: NNF → NNF → NNF

negated?

nnf: specification

42

data Fml whereVar :: String → FmlNot :: Fml → FmlAnd :: Fml → Fml → FmlOr :: Fml → Fml → FmlImp :: Fml → Fml → Fml

data NNF whereNAtom :: String → Bool

→ NNFNAnd :: NNF → NNF → NNFNOr :: NNF → NNF → NNF

measure eval :: Fml → Bool whereVar v → env vNot f → !(eval f)And l r → eval l && eval rOr l r → eval l || eval rImp l r → eval l ==> eval r

measure nEval :: NNF → Bool whereNAtom neg v → if neg then env v

else !(env v)NAnd l r → nEval l && nEval rNOr l r → nEval l || nEval r

nnf: specification

43

nnf :: f:Fml → {v:NNF | nEval v = eval f}

nnf: synthesized code

44

nnf :: f:Fml → {v:NNF | nEval v = eval f}nnf p = match p with

BoolLiteral x2 → if x2then NOr (NAtom dummy x2) (NAtom dummy False)else NAnd (NAtom dummy x2) (NAtom dummy True)

Var x16 → NAtom x16 FalseNot x20 → match x20 withBoolLiteral x22 → if x22then nnf (BoolLiteral False)else nnf (BoolLiteral True)

Var x28 → NAtom x28 TrueNot x32 → nnf x32And x36 x37 → NOr (nnf (Not x36)) (nnf (Not x37))Or x46 x47 → NAnd (nnf (Not x46)) (nnf (Not x47))Implies x56 x57 → NAnd (nnf x56) (nnf (Not x57))

And x65 x66 → NAnd (nnf x65) (nnf x66)Or x73 x74 → NOr (nnf x73) (nnf x74)Imp x81 x82 → NOr (nnf x82) (nnf (Not x81)) ⇒ def.

double-neg

De Morgan

this talk

45

I. specifications

II. program synthesis

III. synthesis-aided programming

this talk

46

I. specifications

II. program synthesis

III. synthesis-aided programming

how can synthesis help us build software?

the future of programming

47

Let there be Instagram!

the future of programming

48

Let there be Instagram!

(not)

orthogonal concerns

49

functional requirements

datainvariants

security policies

resource constraints

I worry about all concerns together

synthesis-aided programming

50

functional requirements

datainvariants

security policies

resource constraints

I worry about one concern at a time ☺

specification

synthesis weaves them together

synthesis-aided programming

51

functional requirements

security policies

specification

information leaks

52

electronic health records social networks e-commerce

information leaks

53

social networks

policy checks

information leaks

54

social networks

James ComeyBrian Comey

Ashley Feinberg

information security with Lifty

55

program with checks

securitypolicies

program

Lifty

synthesis-aided programming

56

functional requirements

resource constraints

specification

timing attacks

57

password

attempt

execution time reveals length!

Compare the lengths of two strings:

resource-aware programming with ReSyn

58

password

attempt

compare :: pass:List a → att:List a →{v:Bool | v = (len key = len guess)}

unit resource per element

1 1 1 11

{a || 1} →

synthesis-aided programming

59

60

http://comcom.csail.mit.edu