Fixing Code that Explodes Under Symbolic Evaluation

Effective symbolic evaluation is key to building scalable verification and synthesis tools based on SMT solving. These tools use symbolic evaluators to reduce the semantics of all paths through a finite program to logical constraints, discharged with an SMT solver. Using an evaluator effectively requires tool developers to be able to identify and repair performance bottlenecks in code under all-path evaluation, a difficult task, even for experts. This paper presents a new method for repairing such bottlenecks automatically. The key idea is to formulate the symbolic performance repair problem as combinatorial search through a space of semantics-preserving transformations, or repairs, to find an equivalent program with minimal cost under symbolic evaluation. The key to realizing this idea is (1) defining a small set of generic repairs that can be combined to fix common bottlenecks, and (2) searching for combinations of these repairs to find good solutions quickly and best ones eventually. Our technique, SymFix, contributes repairs based on deforestation and symbolic reflection, and an efficient algorithm that uses symbolic profiling to guide the search for fixes. To evaluate SymFix, we implement it for the Rosette solver-aided language and symbolic evaluator. Applying SymFix to 18 published verification and synthesis tools built in Rosette, we find that it automatically improves the performance of 12 tools by a factor of 1.1×–91.7×, and 4 of these fixes match or outperform expert-written repairs. SymFix also finds 5 fixes that were missed by experts.
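The abstract describes three ingredients: a cost measured by a symbolic profiler, a set of semantics-preserving repairs (deforestation among them), and a search over combinations of those repairs. The following Python model is an added example written for this page, not SymFix or Rosette code. It assumes a toy all-path evaluator whose only symbolic input is a threshold `k`, a cost model that counts merge (`Ite`) terms the evaluator creates, a single hypothetical repair that fuses `length(filter(p, xs))` into a `count` fold, and a constructed program with two such pipelines. It shows why the intermediate list is the bottleneck (a symbolic predicate forks the evaluator on every element, so the filtered list is a decision tree with 2^n leaves), how the fused form stays linear, and how a search over subsets of repair sites picks the cheapest variant while rejecting any candidate that is not equivalent to the original on concrete inputs.

```python
"""Toy model of cost-guided symbolic performance repair (added example)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Sym:          # a symbolic integer input (here: the threshold k)
    name: str


@dataclass(frozen=True)
class Guard:        # symbolic boolean "x < k" for a concrete x
    x: int
    k: Sym


@dataclass(frozen=True)
class Ite:          # value merged from two paths under a symbolic guard
    guard: Guard
    then: object
    else_: object


@dataclass(frozen=True)
class Add:          # symbolic sum of two values
    left: object
    right: object


class Profiler:
    """Counts merge terms created during evaluation: the cost the search minimises."""
    def __init__(self):
        self.merges = 0

    def ite(self, g, a, b):
        self.merges += 1
        return Ite(g, a, b)


def sym_filter(pred, xs, prof):
    """All-path filter: the symbolic predicate forks on every element, so the
    result is a decision tree with 2**len(xs) concrete lists at its leaves."""
    def go(i, kept):
        if i == len(xs):
            return tuple(kept)
        return prof.ite(pred(xs[i]), go(i + 1, kept + [xs[i]]), go(i + 1, kept))
    return go(0, [])


def sym_length(v, prof):
    """length over a decision tree of lists must visit every leaf."""
    if isinstance(v, Ite):
        return prof.ite(v.guard, sym_length(v.then, prof), sym_length(v.else_, prof))
    return len(v)


def sym_count(pred, xs, prof):
    """Deforested length(filter(...)): fold straight to a sum, one merge per element."""
    acc = 0
    for x in xs:
        acc = Add(acc, prof.ite(pred(x), 1, 0))
    return acc


def evaluate(prog, prof):
    """Evaluate a tiny program AST written as nested tuples with a string head."""
    op = prog[0]
    if op == "filter":
        return sym_filter(prog[1], prog[2], prof)
    if op == "length":
        return sym_length(evaluate(prog[1], prof), prof)
    if op == "count":
        return sym_count(prog[1], prog[2], prof)
    if op == "add":
        return Add(evaluate(prog[1], prof), evaluate(prog[2], prof))
    raise ValueError(op)


def concretize(v, k):
    """Evaluate a symbolic value for a concrete k; used as the equivalence oracle."""
    if isinstance(v, Ite):
        return concretize(v.then, k) if v.guard.x < k else concretize(v.else_, k)
    if isinstance(v, Add):
        return concretize(v.left, k) + concretize(v.right, k)
    return v


def deforest_sites(prog, path=()):
    """Paths of every ('length', ('filter', p, xs)) node: one repair site each."""
    sites = []
    if prog[0] == "length" and isinstance(prog[1], tuple) and prog[1][0] == "filter":
        sites.append(path)
    for i, child in enumerate(prog[1:], start=1):
        if isinstance(child, tuple) and child and isinstance(child[0], str):
            sites.extend(deforest_sites(child, path + (i,)))
    return sites


def apply_repairs(prog, sites):
    """Rewrite the chosen sites into the fused 'count' form (semantics-preserving)."""
    if () in sites:
        return ("count", prog[1][1], prog[1][2])
    out = list(prog)
    for i, child in enumerate(prog[1:], start=1):
        sub = [s[1:] for s in sites if s and s[0] == i]
        if sub and isinstance(child, tuple):
            out[i] = apply_repairs(child, sub)
    return tuple(out)


def cost(prog):
    prof = Profiler()
    evaluate(prog, prof)
    return prof.merges


def search(prog, ks=range(0, 10)):
    """Try every combination of repair sites, smallest sets first, and keep the
    cheapest candidate that agrees with the original on all concrete k in ks."""
    sites = deforest_sites(prog)
    reference = [concretize(evaluate(prog, Profiler()), k) for k in ks]
    best = (cost(prog), prog, ())
    for r in range(1, len(sites) + 1):
        for chosen in combinations(sites, r):
            cand = apply_repairs(prog, list(chosen))
            if [concretize(evaluate(cand, Profiler()), k) for k in ks] != reference:
                continue                      # not semantics-preserving: reject
            c = cost(cand)
            if c < best[0]:
                best = (c, cand, chosen)
    return best


K = Sym("k")


def below_k(x):
    return Guard(x, K)


# Constructed example program: two independent filter-then-length pipelines.
PROGRAM = ("add",
           ("length", ("filter", below_k, [1, 2, 3, 4])),
           ("length", ("filter", below_k, [5, 6, 7])))

if __name__ == "__main__":
    print("original merges:", cost(PROGRAM))
    best_cost, fixed, chosen = search(PROGRAM)
    print("best merges:", best_cost, "after repairs at", chosen)
```

On the constructed program the original creates 44 merge terms (2·(2^4−1) for the four-element pipeline, 2·(2^3−1) for the three-element one), fusing only the first site gives 18, and fusing both gives 7, which the search returns. The exhaustive subset enumeration stands in for the paper's search algorithm; the point it makes is that per-site cost measurements plus an equivalence check are enough to rank combinations of repairs.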
