Programming with Specifications THÈSE NO 5581 (2012) PRÉSENTÉE LE 7 DÉCEMBRE 2012 À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS LABORATOIRE D'ANALYSE ET DE RAISONNEMENT AUTOMATISÉS PROGRAMME DOCTORAL EN INFORMATIQUE, COMMUNICATIONS ET INFORMATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Philippe Paul Henri SUTER acceptée sur proposition du jury: Prof. C. Koch, président du jury Prof. V. Kuncak, directeur de thèse Dr N. Bjørner, rapporteur Prof. T. Henzinger, rapporteur Prof. M. Odersky, rapporteur Suisse 2012 Acknowledgements I would like to thank for advisor Viktor Kuncak for five years of guidance throughout my graduate studies. The enthusiasm and energy Viktor devotes to research are particularly contagious. I cannot say with certainty that I would have pursued a PhD, had I not met him in 2007. To this day, I am still equally impressed by his knowledge and humility. It was a real pleasure being his student. I am grateful to Nikolaj Bjørner, Tom Henzinger, Christoph Koch, and Martin Odersky for taking the time to serve on my thesis committee, for their advice on this dissertation, and for their excellent questions during the defense. Without my co-authors, parts of this dissertation would not exist : I thank Ruzica Piskac and Mikaël Mayer for initiating the research on synthesis procedures, and Swen Jacobs for his contribution to reduction-based synthesis. The combination of these efforts forms the basis of Chapter6. I thank Ali Sinan Köksal for his help with the development and evaluation of Leon, presented in Chapter3. I also thank him for the many fruitful discussions on the design of Kaplan, described in Chapter5, and for his work on the implementation. I thank Robin Steiger for his collaboration on the decision procedure presented in Chapter4. My studies gave me the chance to interact with experts from around the world. For their help and inspiration, I thank Sergio Antoy, Nikolaj Bjørner, Rupak Majumdar, Pete Manolios, David Monniaux, J. Strother Moore, and Leonardo de Moura. I owe a particular thank you to Mike Whalen for his detailed feedback on technical aspects of chapters2 and3. I thank the members of the LARA group, past or present, who made my work more enjoyable in many different ways : Ali, Andrej, Etienne, Eva, Filip, Giuliano, Hossein, Mikaël, Mirco, Ravi, Ruzica, Régis, Swen, Tihomir, and Utkarsh. I thank the members of the LAMP group, including Adriaan, Alex, Gilles, Ingo, Iulian, Lukas, Miguel, and Philipp, for their help in taming Scala and its compiler, and for the stimulating conversations at the coffee machine. I thank Danielle Chamberlain and Yvette Gallay for their mastery of the bureaucratic ways, and in particular for their patience when dealing with me. I thank Fabien Salvi for keeping our technical infrastructure running, and for rescuing me whenever my urge to switch to the latest technology proved damaging. I thank my parents for their continuous support. In particular, my father introducing me to programming on his HP-85 some twenty years ago most certainly has something to do with where I am now. Finally of course, I thank Violaine. Lausanne, November 2012 P.S. iii Preface Formal specifications have at some point acquired a bad reputation as being heavy-weight and hardly cost effective. However, new generations of constraint solving and verification tools emerging in recent years are rapidly changing this view. This thesis provides an outlook into the near future where developers will no longer question the usefulness of specifications in software validation. This is not merely a matter of educating programmers, but comes through fundamental improvements to the usability of tools. First of all, the specifications considered here are not in a notation foreign to programmers, but are written in a programming language itself, making it easy for developers to write. Like in model checking for finite-state systems, the tool gives concrete counterexamples in cases of wrong code or wrong specifications. As a result, the specifications and code are guided by each other and help the developer navigate the space of reasonable programs much more effectively. Unlike heuristic bug-finding tools, these approaches can also establish rigorous proofs of correctness, using symbolic reasoning to replace an infinite number of test cases. In particular, a roadblock to reasoning about software correctness is induction. This thesis shows that seemingly inductive properties do not always require explicit induction with heuristically chosen inductive steps to be solved, but can be tackled using systematic approaches of decision procedures. Rarely do we find results that are non-obvious, but end up having very elegant solutions that work well in practice. Such results can be discovered by opportunistically pursuing natural problems that we do not understand yet and building tools that validate the algorithmic and theoretical ideas. What sets this thesis apart is a remarkable interplay between motivation from concrete programming tasks, theoretical ideas that apply broadly, and experimental validation that shows the algorithms and theory make a real difference in practice. Once we accept that specifications and programs are merely different pieces in describing the same object —the intended functionality, the desirability of executing and compiling specifica- tions becomes a natural goal. The thesis makes exciting steps into this direction, first showing what expressive constraint programming becomes in the age of modern SMT (satisfiability modulo theory) solvers integrated into high-productivity languages like Scala. The work on the constraint programming system, Kaplan, establishes a bar in what we should expect today : a language that does not compromise on types, higher-order features, interoperability, and a constraint solving technology that leverages advances such as conflict-driven clause learning and domain-specific reasoning in e.g. integer linear programming and reasoning about finitely generated data structures. v Preface As a way to point to the future, one can consider bridging the gap between the formal require- ments and efficient code by compiling input/output relations into computable functions that realize them, through the process termed complete functional synthesis. The gap between specifications and efficient code will perhaps never be fully automated, but each aspect of its automation can bring huge savings in software development efforts. The agenda of going from specifications to executable code is as relevant as ever before, and the tools at our disposal to solve it are starting to be up to the task. This dissertation shows the results that make this feasible. Lausanne, November 2012 Viktor Kuncak vi Abstract This thesis explores the use of specifications for the construction of correct programs. We go beyond their standard use as run-time assertions, and present algorithms, techniques and implementations for the tasks of 1) program verification, 2) declarative programming and 3) software synthesis. These results are made possible by our advances in the domains of decision procedure design and implementation. In the first part of this thesis, we present a decidability result for a class of logics that support user-defined recursive function definitions. Constraints in this class can encode expressive properties of recursive data structures, such as sortedness of a list, or balancing of a search tree. As a result, complex verification conditions can be stated concisely and solved entirely automatically. We also present a new decision procedure for a logic to reason about sets and constraints over their cardinalities. The key insight lies in a technique to decompose con- straints according to mutual dependencies. Compared to previous techniques, our algorithm brings significant improvements in running times, and for the first time integrates reasoning about cardinalities within the popular DPLL(T ) setting. We integrated our algorithmic ad- vances into Leon, a static analyzer for functional programs. Leon can reason about constraints involving arbitrary recursive function definitions, and has the desirable theoretical property that it will always find counter-examples to assertions that do not hold. We illustrate the flexibility and efficiency of Leon through experimental evaluation, where we used it to prove detailed correctness properties of data structure implementations. We then illustrate how program specifications can be used as a high-level programming construct ; we present Kaplan, an extension of Scala with first-class logical constraints. Kaplan allows programmers to create, manipulate and combine constraints as they would any other data structure. Our implementation of Kaplan illustrates how declarative programming can be incorporated into an existing mainstream programming language. Moreover, we examine techniques to transform, at compile-time, program specifications into efficient executable code. This approach of software synthesis combines the correctness benefits of declarative programming with the efficiency of imperative or functional programming. Keywords : constraint solving, decision procedures, software verification, declarative pro- gramming, software synthesis, synthesis procedures. vii Résumé La présente thèse est consacrée à la construction de programmes corrects. Nous allons au-delà de l’utilisation standard de spécifications en tant qu’assertions, et présentons des techniques, des algorithmes et leurs implémentations pour les questions de 1) la vérification