Abstract
Automated deductive program synthesis promises to generate executable programs from concise specifications, along with proofs of correctness that can be independently verified using third-party tools. However, an attempt to exercise this promise using existing proof-certification frameworks reveals significant discrepancies in how proof derivations are structured for two different purposes: program synthesis and program verification. These discrepancies make it difficult to use certified verifiers to validate synthesis results, forcing one to write an ad-hoc translation procedure from synthesis proofs to correctness proofs for each verification backend.
In this work, we address this challenge in the context of the synthesis and verification of heap-manipulating programs. We present a technique for principled translation of deductive synthesis derivations (a.k.a. source proofs) into deductive target proofs about the synthesised programs in the logics of interactive program verifiers. We showcase our technique by implementing three different certifiers for programs generated via SuSLik, a Separation Logic-based tool for automated synthesis of programs with pointers, in foundational verification frameworks embedded in Coq: Hoare Type Theory (HTT), Iris, and Verified Software Toolchain (VST), producing concise and efficient machine-checkable proofs for characteristic synthesis benchmarks.
Supplemental Material
- Andrew W. Appel. 2001. Foundational Proof-Carrying Code. In LICS. IEEE Computer Society, 247–256. https://doi.org/10.1109/LICS.2001.932501 Google Scholar
Cross Ref
- Andrew W. Appel. 2011. Verified Software Toolchain - (Invited Talk). In ESOP (LNCS, Vol. 6602). Springer, 1–17. https://doi.org/10.1007/978-3-642-19718-5_1 Google Scholar
- Andrew W. Appel, Robert Dockins, Aquinas Hobor, Lennart Beringer, Josiah Dodds, Gordon Stewart, Sandrine Blazy, and Xavier Leroy. 2014. Program Logics for Certified Compilers. Cambridge University Press. isbn:978-1-10-704801-0 https://doi.org/10.1017/CBO9781107256552 Google Scholar
Cross Ref
- Gilles Barthe, David Pichardie, and Tamara Rezk. 2013. A certified lightweight non-interference Java bytecode verifier. Math. Struct. Comput. Sci., 23, 5 (2013), 1032–1081. https://doi.org/10.1017/S0960129512000850 Google Scholar
Cross Ref
- Josh Berdine, Cristiano Calcagno, and Peter W. O’Hearn. 2005. Symbolic Execution with Separation Logic. In APLAS (LNCS, Vol. 3780). Springer, 52–68. https://doi.org/10.1007/11575467_5 Google Scholar
Digital Library
- Josh Berdine, Cristiano Calcagno, and Peter W. O’Hearn. 2006. Smallfoot: Modular Automatic Assertion Checking with Separation Logic. In FMCO (LNCS, Vol. 4111). Springer, 115–137. https://doi.org/10.1007/11804192_6 Google Scholar
Digital Library
- Frédéric Besson, Thomas P. Jensen, and David Pichardie. 2006. Proof-carrying code from certified abstract interpretation and fixpoint compression. Theor. Comput. Sci., 364, 3 (2006), 273–291. https://doi.org/10.1016/j.tcs.2006.08.012 Google Scholar
Digital Library
- Frédéric Besson and Evgeny Makarov. 2020. Micromega: solvers for arithmetic goals over ordered rings. Online documentation available at https://coq.inria.fr/refman/addendum/micromega.htmlGoogle Scholar
- Qinxiang Cao, Lennart Beringer, Samuel Gruetter, Josiah Dodds, and Andrew W. Appel. 2018. VST-Floyd: A Separation Logic Tool to Verify Correctness of C Programs. J. Autom. Reason., 61, 1-4 (2018), 367–422. https://doi.org/10.1007/s10817-018-9457-5 Google Scholar
Digital Library
- Arthur Charguéraud. 2020. Separation logic for sequential programs (functional pearl). Proc. ACM Program. Lang., 4, ICFP (2020), 116:1–116:34. https://doi.org/10.1145/3408998 Google Scholar
Digital Library
- Juan Chen, Ravi Chugh, and Nikhil Swamy. 2010. Type-preserving compilation of end-to-end verification of security enforcement. In PLDI. ACM, 412–423. https://doi.org/10.1145/1806596.1806643 Google Scholar
Digital Library
- Wei-Ngan Chin, Cristina David, and Cristian Gherghina. 2011. A HIP and SLEEK verification system. In OOPSLA (Companion). ACM, 9–10. https://doi.org/10.1145/2048147.2048152 Google Scholar
Digital Library
- Adam Chlipala. 2011. Mostly-automated verification of low-level programs in computational separation logic. In PLDI. ACM, 234–245. https://doi.org/10.1145/1993498.1993526 Google Scholar
Digital Library
- Adam Chlipala, Benjamin Delaware, Samuel Duchovni, Jason Gross, Clément Pit-Claudel, Sorawit Suriyakarn, Peng Wang, and Katherine Ye. 2017. The End of History? Using a Proof Assistant to Replace Language Design with Library Design. In SNAPL (LIPIcs, Vol. 71). Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 3:1–3:15. https://doi.org/10.4230/LIPIcs.SNAPL.2017.3 Google Scholar
Cross Ref
- Claudio Sacerdoti Coen. 2004. A Semi-reflexive Tactic for (Sub-)Equational Reasoning. In TYPES (LNCS, Vol. 3839). Springer, 98–114. https://doi.org/10.1007/11617990_7 Google Scholar
Digital Library
- Lukasz Czajka and Cezary Kaliszyk. 2018. Hammer for Coq: Automation for Dependent Type Theory. J. Autom. Reason., 61, 1-4 (2018), 423–453. https://doi.org/10.1007/s10817-018-9458-4 Google Scholar
Digital Library
- David Delahaye. 2000. A Tactic Language for the System Coq. In LPAR (LNCS, Vol. 1955). Springer, 85–95. https://doi.org/10.1007/3-540-44404-1_7 Google Scholar
Cross Ref
- Benjamin Delaware, Clément Pit-Claudel, Jason Gross, and Adam Chlipala. 2015. Fiat: Deductive Synthesis of Abstract Data Types in a Proof Assistant. In POPL. ACM, 689–700. https://doi.org/10.1145/2676726.2677006 Google Scholar
Digital Library
- Burak Ekici, Alain Mebsout, Cesare Tinelli, Chantal Keller, Guy Katz, Andrew Reynolds, and Clark W. Barrett. 2017. SMTCoq: A Plug-In for Integrating SMT Solvers into Coq. In CAV (LNCS, Vol. 10427). Springer, 126–133. https://doi.org/10.1007/978-3-319-63390-9_7 Google Scholar
Cross Ref
- Georges Gonthier, Assia Mahboubi, and Enrico Tassi. 2009. A Small Scale Reflection Extension for the Coq system. Microsoft Research – Inria Joint Centre.Google Scholar
- Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan (Newman) Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels. In OSDI. USENIX Association, 653–669. https://www.usenix.org/conference/osdi16/technical-sessions/presentation/guGoogle Scholar
- Robert Harper, Furio Honsell, and Gordon D. Plotkin. 1993. A Framework for Defining Logics. J. ACM, 40, 1 (1993), 143–184. https://doi.org/10.1145/138027.138060 Google Scholar
Digital Library
- Jifeng He, C. A. R. Hoare, and Jeff W. Sanders. 1986. Data Refinement Refined. In ESOP (LNCS, Vol. 213). Springer, 187–196. https://doi.org/10.1007/3-540-16442-1_14 Google Scholar
Cross Ref
- Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George C. Necula, Grégoire Sutre, and Westley Weimer. 2002. Temporal-Safety Proofs for Systems Code. In CAV (LNCS, Vol. 2404). Springer, 526–538. https://doi.org/10.1007/3-540-45657-0_45 Google Scholar
Cross Ref
- Shachar Itzhaky, Hila Peleg, Nadia Polikarpova, Reuben Rowe, and Ilya Sergey. 2021. Cyclic Program Synthesis. In PLDI. ACM, 944–959. https://doi.org/10.1145/3453483.3454087 Google Scholar
Digital Library
- Bart Jacobs, Jan Smans, Pieter Philippaerts, Frédéric Vogels, Willem Penninckx, and Frank Piessens. 2011. VeriFast: A Powerful, Sound, Predictable, Fast Verifier for C and Java. In NASA Formal Methods (LNCS, Vol. 6617). Springer, 41–55. https://doi.org/10.1007/978-3-642-20398-5_4 Google Scholar
Cross Ref
- Ralf Jung. 2020. Understanding and Evolving the Rust Programming Language. Ph.D. Dissertation. Saarland University.Google Scholar
- Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In ICFP. ACM, 256–269. https://doi.org/10.1145/2951913.2951943 Google Scholar
Digital Library
- Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Program., 28 (2018), e20. https://doi.org/10.1017/S0956796818000151 Google Scholar
Cross Ref
- Etienne Kneuss, Ivan Kuraj, Viktor Kuncak, and Philippe Suter. 2013. Synthesis modulo recursive functions. In OOPSLA. ACM, 407–426. https://doi.org/10.1145/2509136.2509555 Google Scholar
Digital Library
- Robbert Krebbers, Amin Timany, and Lars Birkedal. 2017. Interactive Proofs in Higher-Order Concurrent Separation Logic. In POPL. ACM, 205–217. https://doi.org/10.1145/3009837.3009855 Google Scholar
Digital Library
- Ramana Kumar, Magnus O. Myreen, Michael Norrish, and Scott Owens. 2014. CakeML: a verified implementation of ML. In POPL. ACM, 179–192. https://doi.org/10.1145/2535838.2535841 Google Scholar
Digital Library
- Xavier Leroy. 2006. Formal certification of a compiler back-end or: programming a compiler with a proof assistant. In POPL. ACM, 42–54. https://doi.org/10.1145/1111037.1111042 Google Scholar
Digital Library
- Assia Mahboubi and Enrico Tassi. 2013. Canonical Structures for the Working Coq User. In ITP (LNCS, Vol. 7998). Springer, 19–34. https://doi.org/10.1007/978-3-642-39634-2_5 Google Scholar
Digital Library
- Assia Mahboubi and Enrico Tassi. 2021. Mathematical Components. https://doi.org/10.5281/zenodo.4457887 Available at Google Scholar
Cross Ref
- Zohar Manna and Richard J. Waldinger. 1980. A Deductive Approach to Program Synthesis. ACM Trans. Program. Lang. Syst., 2, 1 (1980), 90–121. https://doi.org/10.1145/357084.357090 Google Scholar
Digital Library
- Alberto Martelli and Ugo Montanari. 1973. Additive AND/OR Graphs. In IJCAI. William Kaufmann, 1–11.Google Scholar
- Peter Müller, Malte Schwerhoff, and Alexander J. Summers. 2016. Viper: A Verification Infrastructure for Permission-Based Reasoning. In VMCAI (LNCS, Vol. 9583). Springer, 41–62. https://doi.org/10.1007/978-3-662-49122-5_2 Google Scholar
Digital Library
- Aleksandar Nanevski, Greg Morrisett, Avi Shinnar, Paul Govereau, and Lars Birkedal. 2008. Ynot: Dependent Types for Imperative Programs. In ICFP. ACM, 229–240. https://doi.org/10.1145/1411204.1411237 Google Scholar
Digital Library
- Aleksandar Nanevski, Viktor Vafeiadis, and Josh Berdine. 2010. Structuring the verification of heap-manipulating programs. In POPL. ACM, 261–274. https://doi.org/10.1145/1706299.1706331 Google Scholar
Digital Library
- George C. Necula. 1997. Proof-Carrying Code. In POPL. ACM Press, 106–119. https://doi.org/10.1145/263699.263712 Google Scholar
Digital Library
- George C. Necula and Peter Lee. 1996. Safe Kernel Extensions Without Run-Time Checking. In OSDI. ACM, 229–243. https://doi.org/10.1145/238721.238781 Google Scholar
Digital Library
- George C. Necula and Peter Lee. 1998. The Design and Implementation of a Certifying Compiler. In PLDI. ACM, 333–344. https://doi.org/10.1145/277650.277752 Google Scholar
Digital Library
- Peter W. O’Hearn, John C. Reynolds, and Hongseok Yang. 2001. Local Reasoning about Programs that Alter Data Structures. In CSL (LNCS, Vol. 2142). Springer, 1–19. https://doi.org/10.1007/3-540-44802-0_1 Google Scholar
Cross Ref
- Clément Pit-Claudel, Peng Wang, Benjamin Delaware, Jason Gross, and Adam Chlipala. 2020. Extensible Extraction of Efficient Imperative Programs with Foreign Functions, Manually Managed Memory, and Proofs. In IJCAR (LNCS, Vol. 12167). Springer, 119–137. https://doi.org/10.1007/978-3-030-51054-1_7 Google Scholar
Digital Library
- Nadia Polikarpova and Ilya Sergey. 2019. Structuring the Synthesis of Heap-Manipulating Programs. PACMPL, 3, POPL (2019), 72:1–72:30. https://doi.org/10.1145/3290385 Google Scholar
Digital Library
- John C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In LICS. IEEE Computer Society, 55–74. https://doi.org/10.1109/LICS.2002.1029817 Google Scholar
- Reuben N. S. Rowe and James Brotherston. 2017. Automatic cyclic termination proofs for recursive procedures in separation logic. In CPP. ACM, 53–65. https://doi.org/10.1145/3018610.3018623 Google Scholar
Digital Library
- Ilya Sergey. 2014. Programs and Proofs: Mechanizing Mathematics with Dependent Types. https://doi.org/10.5281/zenodo.4996238 Lecture notes with exercises. Google Scholar
Cross Ref
- Christian Skalka, John Ring, David Darais, Minseok Kwon, Sahil Gupta, Kyle Diller, Steffen Smolka, and Nate Foster. 2019. Proof-Carrying Network Code. In CCS. ACM, 1115–1129. https://doi.org/10.1145/3319535.3363214 Google Scholar
Digital Library
- Matthieu Sozeau. 2009. A New Look at Generalized Rewriting in Type Theory. J. Formaliz. Reason., 2, 1 (2009), 41–62. https://doi.org/10.6092/issn.1972-5787/1574 Google Scholar
Cross Ref
- Yasunari Watanabe. 2021. A Framework for Certified Program Synthesis. Master’s thesis. National University of Singapore.Google Scholar
- Yasunari Watanabe, Kiran Gopinathan, George Pîrlea, Nadia Polikarpova, and Ilya Sergey. 2021. Certified (ICFP 2021 Artifact): Code and Benchmarks. https://doi.org/10.5281/zenodo.5005829 Google Scholar
Digital Library
- Eran Yahav. 2020. "A synthesizer is a compiler that doesn’t work". https://twitter.com/IsilDillig/status/1287125716761542656 Attributed to Eran Yahav by Işil Dillig in a tweet on July 26, 2020.Google Scholar
Index Terms
Certifying the synthesis of heap-manipulating programs
Recommendations
Cyclic program synthesis
PLDI 2021: Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and ImplementationWe describe the first approach to automatically synthesizing heap-manipulating programs with auxiliary recursive procedures. Such procedures occur routinely in data structure transformations (e.g., flattening a tree into a list) or traversals of ...
Structuring the synthesis of heap-manipulating programs
This paper describes a deductive approach to synthesizing imperative programs with pointers from declarative specifications expressed in Separation Logic. Our synthesis algorithm takes as input a pair of assertions—a pre- and a postcondition—which ...
Structuring the verification of heap-manipulating programs
POPL '10Most systems based on separation logic consider only restricted forms of implication or non-separating conjunction, as full support for these connectives requires a non-trivial notion of variable context, inherited from the logic of bunched implications ...






Comments