Synthesis in Uclid5 by Mora, Federico et al.
arXiv:2007.06760v1 [cs.PL] 14 Jul 2020
Synthesis in Uclid5
Federico Mora
University of California, Berkeley
Kevin Cheang
University of California, Berkeley
Elizabeth Polgreen
University of California, Berkeley
Sanjit A. Seshia
University of California, Berkeley
Abstract
We describe an integration of program synthesis into Uclid5, a formal modelling and verification tool. To the best of our knowledge, the new version of Uclid5 is the only tool that supports program synthesis with bounded model checking, k-induction, sequential program verification, and hyperproperty verification. We use the integration to generate 25 program synthesis benchmarks with simple, known solutions that are out of reach of current synthesis engines, and we release the benchmarks to the community.
ACM Reference Format:
Federico Mora, Kevin Cheang, Elizabeth Polgreen, and Sanjit A. Seshia. 2020. Synthesis in Uclid5. In Proceedings of SYNT '20: 9th Workshop on Synthesis (SYNT '20). ACM, New York, NY, USA, 4 pages.
1 Introduction
Formal verification can be a time-consuming task that requires significant manual effort. Especially for complex systems, users often need to manually provide, for example, loop invariants, function summaries, or environment models. Synthesis has the potential to alleviate some of this manual burden [16]. For example, prior work has used synthesis to reason about program loops [5], and to automate program repair [9]. We believe this is a promising direction, but, for it to make a real impact, verification tools need to offer flexible synthesis integration, generic support for proof procedures, and a capable synthesis engine back-end.
In this work, we primarily address the first two requirements. Specifically, we integrate program synthesis into the Uclid5 [14] formal modelling and verification tool by allowing users to declare functions to synthesize and to use these functions freely. While Uclid5 has previously supported use of synthesis, it only supported invariant synthesis through a special command that was independent of verification. We use the new synthesis integration to generate 25 benchmarks from existing verification tasks. These benchmarks have small solutions, but are out of reach for current synthesis engines. We hope that they will help the synthesis engine development effort, particularly for syntax-guided synthesis [1].
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
SYNT '20, July 19, 2020, Los Angeles, CA, USA
© 2020 Copyright held by the owner/author(s).
Illustrative Example. Consider the Uclid5 model in Fig. 1, which represents a Fibonacci sequence. The (hypothetical) user wants to prove by induction that the invariant a_le_b at line 12 always holds. Unfortunately, the proof fails because the invariant is not inductive: a state such as a = -1, b = 0 satisfies a <= b, but its successor a' = 0, b' = -1 does not. Without synthesis, the user would need to manually strengthen the invariant until it became inductive. However, the user can ask Uclid5 to do this automatically. Fig. 1 demonstrates this on lines 15, 16 and 17. Specifically, the user declares a function to synthesize called h at lines 15 and 16, and then uses h at line 17 to strengthen the existing set of invariants. Given this input, Uclid5, using e.g. cvc4 [2] as a synthesis engine, will automatically generate the function h(x, y) = x >= 0, which completes the inductive proof: with a >= 0 and a <= b, the successor satisfies a' = b >= 0 and a' = b <= a + b = b'.
In this example, the function to synthesize represents an inductive invariant. However, functions to synthesize are treated exactly like any interpreted function in Uclid5: the user could have called h anywhere in the code. Furthermore, this example uses induction and a global invariant, but the user could also have used a linear temporal logic (LTL) specification and bounded model checking (BMC). In this sense, our integration is fully flexible and generic.
Contributions. We present an integration of synthesis into the verification tool Uclid5, allowing users to generate program synthesis queries for unknown parts of a system they wish to verify. The integration is a natural extension of the existing Uclid5 language, and to the best of our knowledge, is the first to support program synthesis with bounded model checking, k-induction, sequential program verification, and hyperproperty verification. The synthesis queries Uclid5 generates are in the standard sygus-if [12] specification language. We use this tool to generate 25 sygus-if synthesis benchmarks from existing verification queries and release these benchmarks to the community.
1  module main {
2    // Part 1: System Description.
3    var a, b : integer;
4    init {
5      a, b = 0, 1;
6    }
7    next {
8      a', b' = b, a + b;
9    }
10
11   // Part 2: System Specification.
12   invariant a_le_b: a <= b;
13
14   // Part 3: (NEW) Synthesis Integration.
15   synthesis function
16     h(x : integer, y : integer) : boolean;
17   invariant hole: h(a, b);
18
19   // Part 4: Proof Script.
20   control {
21     induction;
22     check;
23     print_results;
24   }
25 }
Figure 1. Uclid5 Fibonacci model. Part 3 shows the new synthesis syntax, and how to find an auxiliary invariant.
2 Related work
Program sketching [17] synthesizes expressions to fill holes in programs, and has subsequently been applied to program repair [8, 9]. Uclid5 aims to be more flexible than this work, allowing users to declare unknown functions even in the
verification annotations, as well as supporting multiple verification algorithms and types of properties. Rosette [18] provides support for synthesis and verification, but the synthesis is limited to bounded specifications of sequential programs, whereas Uclid5 can also synthesize programs that satisfy unbounded specifications, by using proof procedures like induction. Formal synthesis algorithms have been used to assist in verification tasks, such as safety and termination of loops [5], and generating invariants [7, 19], but none of this work to date integrates program synthesis fully into an existing verification tool. Before this new synthesis integration, Uclid5 supported only synthesis of inductive invariants. The key insight of this work is to generalize the synthesis support, and to unify all synthesis tasks in Uclid5 by reusing the verification back-end.
3 From Verification to Program Synthesis
In this section, we give the necessary background on program synthesis and on the existing verification techniques inside Uclid5. We then describe how we combine the two to realize synthesis in Uclid5.
3.1 Program Synthesis
The program synthesis problem corresponds to the second-order query $\exists f\, \forall \vec{x}\; \sigma(f, \vec{x})$, where $f$ is the function to synthesize, $\vec{x}$ ranges over all possible inputs, and $\sigma$ is the specification to be satisfied.
3.2 Verification in Uclid5
At a high level, Uclid5 takes in a model, generates a set of verification conditions, asks a satisfiability modulo theories (SMT) solver [4] to check the verification conditions, and then returns the results to the user. This process is the same regardless of the proof procedure used. The important point is that Uclid5 encodes the violation of each independent verification condition as a separate smt-lib query.
Let $P_i(\vec{x})$ encode the $i$th verification condition, where $P_i$ has no free variables other than $\vec{x}$, and take the $i$th smt-lib query to be checking the validity of $\exists \vec{x}\, \neg P_i(\vec{x})$ (that is, the satisfiability of $\neg P_i(\vec{x})$). We say that there is a counterexample to the $i$th verification query if the query $\exists \vec{x}\, \neg P_i(\vec{x})$ is valid. Verification of a model with verification conditions $P_0, \dots, P_n$ succeeds iff there are no counterexamples:
$$\forall \vec{x} \bigwedge_{i=0}^{n} P_i(\vec{x}).$$
3.3 Synthesis Encoding in Uclid5
Given a Uclid5 model in which the user has declared a function to synthesize, $f$, we wish to construct a synthesis query that is satisfied iff there is an $f$ for which all the verification conditions pass for all possible inputs. We build this synthesis query by taking the conjunction of the negations of all the verification queries. Specifically, we check the validity of
$$\exists f\, \forall \vec{x} \bigwedge_{i=0}^{n} P_i(f, \vec{x}),$$
where each $P_i$ encodes a verification condition that may refer to the function to synthesize, $f$. Note the similarity between this query and the standard program synthesis formulation: the specification for synthesis, $\sigma$, from the equation in Sec. 3.1, is now replaced with the conjunction of all the verification conditions. With this observation, to enable synthesis for any verification procedure in Uclid5, all we do is let users declare and use functions to synthesize.
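What the synthesis query of this section asks, shown as an added example that is not code from the paper or from Uclid5: a Python enumerate-and-check synthesiser for the Fibonacci model of Fig. 1. The verification conditions (initial state and inductive step) and the candidate set for h are constructed here, and "for all inputs" is bounded to a small integer range so the check runs offline; it illustrates the meaning of $\exists f\, \forall \vec{x} \bigwedge_i P_i(f, \vec{x})$ rather than replacing the SMT or SyGuS engine the tool calls.

```python
"""Added example, not code from the paper or from Uclid5: an enumerate-and-check
synthesiser for the Fibonacci model of Fig. 1.

Following Sec. 3.3, each verification condition P_i is a predicate over the
model's state, the synthesis specification is the conjunction of all P_i, and a
candidate h is a solution iff that conjunction holds for every input.  Here
"every input" is bounded to integers in [-BOUND, BOUND] (an assumption made so
the check runs offline); the real tool hands the query to an SMT/SyGuS engine.
"""
from __future__ import annotations

from itertools import product
from typing import Callable, Optional

BOUND = 8  # constructed search range, not part of the paper

Pred = Callable[[int, int], bool]

# Fig. 1, Part 1: init assigns a, b = 0, 1 and next assigns a', b' = b, a + b
INIT_A, INIT_B = 0, 1


def next_state(a: int, b: int) -> tuple[int, int]:
    return b, a + b


def invariant(a: int, b: int, h: Pred) -> bool:
    """Fig. 1, Parts 2 and 3: a_le_b conjoined with the hole h(a, b)."""
    return a <= b and h(a, b)


def vc_init(h: Pred) -> bool:
    """P_0: the invariants hold in the initial state."""
    return invariant(INIT_A, INIT_B, h)


def vc_step(h: Pred, a: int, b: int) -> bool:
    """P_1(a, b): if the invariants hold in (a, b), they hold in next(a, b)."""
    if not invariant(a, b, h):
        return True  # vacuous: induction only assumes states satisfying the invariant
    return invariant(*next_state(a, b), h)


def counterexample(h: Pred) -> Optional[tuple[int, int]]:
    """A state violating some P_i, or None if every P_i holds on the bounded range."""
    if not vc_init(h):
        return (INIT_A, INIT_B)
    for a, b in product(range(-BOUND, BOUND + 1), repeat=2):
        if not vc_step(h, a, b):
            return (a, b)
    return None


# Constructed candidate set for h, standing in for the optional sygus-if grammar.
# Insertion order is the enumeration order.
CANDIDATES: dict[str, Pred] = {
    "true": lambda x, y: True,            # equivalent to a_le_b alone
    "x <= y": lambda x, y: x <= y,
    "x > 0": lambda x, y: x > 0,
    "y >= 0": lambda x, y: y >= 0,
    "x >= 0": lambda x, y: x >= 0,        # the solution cvc4 finds for Fig. 1
    "x + y >= 0": lambda x, y: x + y >= 0,
}


def synthesize() -> Optional[str]:
    """Return the first candidate h for which no verification condition fails."""
    for name, h in CANDIDATES.items():
        if counterexample(h) is None:
            return name
    return None


if __name__ == "__main__":
    print("a_le_b alone, counterexample to induction:", counterexample(CANDIDATES["true"]))
    print("synthesised h(x, y) =", synthesize())
```

With a_le_b alone the step condition fails at the first enumerated state with a < 0 (any such state satisfies a <= b but its successor has b' = a + b < b = a'), while "x > 0" is rejected by the initial-state condition since h(0, 1) is false; the first candidate surviving both conditions is x >= 0, the auxiliary invariant the paper obtains from cvc4.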
4 Implementation
The Uclid5 verification tool is constructed as shown in Fig-
ure 2. An input Uclid5 model is parsed by the front-end
into an abstract syntax tree. From this abstract syntax tree,
a symbolic simulator generates an assertion stack that con-
tains an assertion for each verification condition. Prior to
our work, assertions were then passed to an smt-lib inter-
face which converted the assertions to smt-lib and called
a solver. The new Uclid5 instead uses a new intermediate
representation, synth-lib, that is easily passed to either an
SMT solver or a synthesis engine. This architecture allows
us to use the same code that generates verification queries
for synthesis.
Figure 2. Overview of synthesis in Uclid5. The pipeline is: front-end, symbolic simulator, synth-lib interface, and then either the smt-lib interface or the sygus-if interface. Dashed blocks indicate blocks introduced for the new synthesis integration.
1  (synth-blocking-fun h ((x Int) (y Int)) Bool)
2  ;(define-fun h ((x Int) (y Int)) Bool (>= x 0))
3  (declare-fun initial_b () Int)
4  (declare-fun initial_a () Int)
5  (declare-fun new_a () Int)
6  (declare-fun new_b () Int)
7  (assert (or
8    (not (and (<= initial_a initial_b) (h 0 1)))
9    (and
10     (and (<= initial_a initial_b) (h initial_a initial_b))
11     (= new_a initial_b)
12     (= new_b (+ initial_a initial_b))
13     (not (and (<= new_a new_b) (h new_a new_b))))))
14 (check-sat)
Figure 3. synth-lib induction query of Fig. 1.
The synth-lib representation is smt-lib [3], but with one extra command borrowed from sygus-if [12]. The syntax
for the new command is
(synth-blocking-fun 〈fname〉 ((〈argname〉 〈argsort〉)*) 〈rsort〉 〈grammar〉?),
where 〈fname〉 is the name of the function, 〈argname〉 is the name of an argument, 〈argsort〉 is the sort of the corresponding argument, there are zero or more arguments, 〈rsort〉 is the sort returned by the function, and 〈grammar〉 is an optional syntactic specification for the function body. Intuitively, a synth-lib query with a single synth-blocking-fun declaration asks "is there a function that makes this underlying smt-lib query unsatisfiable?"
Fig. 3 shows the synth-lib query corresponding to the Fibonacci model in Fig. 1. A synthesis engine might solve the query in Fig. 3 by finding the function h(x, y) = x >= 0. This is a correct solution because the corresponding smt-lib query, which we can get by commenting out line 1 of Fig. 3 and uncommenting line 2, is unsatisfiable.
The semantics of synth-lib is exactly that of smt-lib when no function to synthesize is on the assertion stack, and assertions are passed directly to the SMT solver. When the assertion stack contains a function to synthesize, Uclid5 applies the following four rewrite rules to convert synth-lib into sygus-if:
1. (assert a) → (constraint (not a))
2. (declare-fun a (s0 ... sn−1) sn) → (declare-var a s0 -> ... -> sn)
3. (synth-blocking-fun ...) → (synth-fun ...)
4. (check-sat) → (check-synth)
The first rewrite rule is the most important: it implements the equivalence
$$\exists f\, \neg \exists \vec{x} \bigvee_{i=0}^{n} \neg P_i(f, \vec{x}) \;\equiv\; \exists f\, \forall \vec{x} \bigwedge_{i=0}^{n} P_i(f, \vec{x}),$$
where the left hand side is the form of queries in synth-lib (an smt-lib query that must become unsatisfiable), and the right hand side is the corresponding query in sygus-if. The source code for Uclid5 is available online [15].
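The four rewrite rules applied mechanically, as an added example that is not Uclid5's own code: a Python converter that parses the synth-lib query of Fig. 3 into s-expressions and emits the corresponding sygus-if commands. The rules are the paper's; the parser, the printer, and the decision to reject a declare-fun with arguments (rule 2 for n > 0 would produce a function-sorted variable this converter does not handle) are assumptions made here.

```python
"""Added example, not Uclid5's own code: apply the four synth-lib -> sygus-if
rewrite rules of Sec. 4 to the query of Fig. 3 with a small s-expression parser.
The rules come from the paper; the parser, printer and the treatment of
declare-fun with arguments are assumptions of this example."""
from typing import Union

SExpr = Union[str, list]


def parse(text: str) -> list:
    """Parse a sequence of s-expressions into nested lists; ';' comments are dropped."""
    tokens: list[str] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        tokens += line.replace("(", " ( ").replace(")", " ) ").split()
    stack: list = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def unparse(e: SExpr) -> str:
    return e if isinstance(e, str) else "(" + " ".join(unparse(x) for x in e) + ")"


def to_sygus(cmd: list) -> list:
    """Rewrite one synth-lib command into its sygus-if form (rules 1-4 of Sec. 4)."""
    head = cmd[0]
    if head == "assert":                 # rule 1: (assert a) -> (constraint (not a))
        return ["constraint", ["not", cmd[1]]]
    if head == "declare-fun":            # rule 2: a free constant becomes a universal var
        name, args, rsort = cmd[1], cmd[2], cmd[3]
        if args:                         # assumption: function-sorted vars not handled here
            raise ValueError(f"declare-fun {name} with arguments is not supported")
        return ["declare-var", name, rsort]
    if head == "synth-blocking-fun":     # rule 3: keep name, arguments, sort and grammar
        return ["synth-fun"] + cmd[1:]
    if head == "check-sat":              # rule 4
        return ["check-synth"]
    return cmd                           # anything else (e.g. set-logic) passes through


def convert(synth_lib: str) -> str:
    return "\n".join(unparse(to_sygus(c)) for c in parse(synth_lib))


# The query of Fig. 3, reproduced here as the sample input.
FIG3 = """
(synth-blocking-fun h ((x Int) (y Int)) Bool)
;(define-fun h ((x Int) (y Int)) Bool (>= x 0))
(declare-fun initial_b () Int)
(declare-fun initial_a () Int)
(declare-fun new_a () Int)
(declare-fun new_b () Int)
(assert (or
  (not (and (<= initial_a initial_b) (h 0 1)))
  (and
    (and (<= initial_a initial_b) (h initial_a initial_b))
    (= new_a initial_b)
    (= new_b (+ initial_a initial_b))
    (not (and (<= new_a new_b) (h new_a new_b))))))
(check-sat)
"""

if __name__ == "__main__":
    print(convert(FIG3))
```

The commented-out define-fun on line 2 of Fig. 3 is discarded by the parser, so the output has one sygus-if command per remaining input command: the synth-fun declaration, four declare-var commands, a single (constraint (not (or ...))) line, and check-synth. That constraint is the left-hand side of the equivalence above with the outer existential handed to the synthesis engine: it must find an h making the whole disjunction false for every choice of initial_a, initial_b, new_a and new_b.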
5 Benchmark Suite
The integration of synthesis into Uclid5 allows us to generate synthesis benchmarks from any Uclid5 verification task. We thus present a set of 25 benchmarks with known, small solutions that are out of reach of existing synthesis solvers. These benchmarks use induction, BMC, LTL specifications, and sequential code. To conform to the sygus-if language, we limited ourselves to bit-vector, integer, array, and boolean data-types, and did not use verification tasks that required quantifiers. All benchmarks are available online [11].
The benchmarks come from four different sources. Four benchmarks come from a simplified model of the Two Phase Commit protocol, written in P [6]; three benchmarks come from Sahai et al.'s [13] work on hyperproperty verification; six benchmarks come from Uclid5's documentation; and the remaining 12 benchmarks come from models used in UC Berkeley's EECS 219C course. In all cases, we constructed the benchmarks by replacing small parts of either auxiliary invariants or parts of existing code with functions to synthesize. 12 benchmarks come from models that use induction, and 13 from models that use LTL specifications and BMC. All 25 benchmarks are difficult for existing state-of-the-art engines but, because each has a small known solution, they are a reasonable target for future synthesis engines.
6 Conclusions and Future Work
We have presented an integration of synthesis into the Uclid5 verification tool, allowing users to generate synthesis queries for unknown parts of a system they wish to verify. This integration is compatible with all verification algorithms currently supported by Uclid5, and generates synthesis queries in the standard sygus-if format.
In the future, we intend to apply synthesis in Uclid5 to the verification of distributed systems written in P. Prior work has been successful in finding invariants for bounded distributed systems, and then generalizing the invariants to the unbounded setting [10]. We plan to explore these approaches with Uclid5 now that we can easily switch between synthesis using e.g. BMC and k-induction.
Acknowledgments
This work was supported in part by NSF grants 1739816 and
1837132, a gift from Intel under the SCAP program, SRC
Task 2867.001, and the iCyPhy center.
References
[1] Rajeev Alur, Rastislav Bodik, Garvit Juniwal, Milo M. K. Martin,
Mukund Raghothaman, Sanjit A. Seshia, Rishabh Singh, Armando
Solar-Lezama, Emina Torlak, and Abhishek Udupa. 2013. Syntax-
Guided Synthesis. In FMCAD. 1–17.
[2] Clark Barrett, Christopher L. Conway, Morgan Deters, Liana
Hadarean, Dejan Jovanovic, Tim King, Andrew Reynolds, and Cesare
Tinelli. 2011. CVC4. In CAV. 171–177.
[3] Clark Barrett, Pascal Fontaine, and Cesare Tinelli. 2016. The Satisfia-
bility Modulo Theories Library (SMT-LIB). www.SMT-LIB.org.
[4] Clark Barrett, Roberto Sebastiani, Sanjit A. Seshia, and Cesare Tinelli.
2009. Satisfiability Modulo Theories. In Handbook of Satisfiability,
Armin Biere, Hans van Maaren, and Toby Walsh (Eds.). Vol. 4. IOS
Press, Chapter 8.
[5] Cristina David, Daniel Kroening, and Matt Lewis. 2015. Using Pro-
gram Synthesis for Program Analysis. In LPAR. Springer, 483–498.
[6] Ankush Desai, Vivek Gupta, Ethan Jackson, Shaz Qadeer, Sriram Raja-
mani, and Damien Zufferey. 2013. P: safe asynchronous event-driven
programming. PLDI (2013), 321–332.
[7] Grigory Fedyukovich and Rastislav Bodík. 2018. Accelerating Syntax-
Guided Invariant Synthesis. In TACAS (1). Springer, 251–269.
[8] Jinru Hua, Mengshi Zhang, Kaiyuan Wang, and Sarfraz Khurshid.
2018. Towards practical program repair with on-demand candidate
generation. In ICSE. ACM, 12–23.
[9] Xuan-Bach D. Le, Duc-Hiep Chu, David Lo, Claire Le Goues, and
Willem Visser. 2017. S3: syntax- and semantic-guided repair synthesis
via programming by examples. In ESEC/SIGSOFT FSE. ACM, 593–604.
[10] Haojun Ma, Aman Goel, Jean-Baptiste Jeannin, Manos Kapritsos,
Baris Kasikci, and Karem A. Sakallah. 2019. I4: incremental infer-
ence of inductive invariants for verification of distributed protocols.
In OSDI. ACM, 370–384.
[11] Federico Mora. 2020. UCLID5 Synthesis Benchmarks.
hps://github.com/FedericoAureliano/synthesis-benchmarks
[12] Mukund Raghothaman and Abhishek Udupa. 2014. Lan-
guage to Specify Syntax-Guided Synthesis Problems.
https://sygus.org/assets/pdf/SyGuS-IF.pdf.
[13] Shubham Sahai, Rohit Sinha, and Pramod Subramanyan. 2020. Ver-
ification of Quantitative Hyperproperties Using Trace Enumeration
Relations. In CAV.
[14] Sanjit Seshia and Pramod Subramanyan. 2018. UCLID5: Integrating
modeling, verification, synthesis, and learning. In MEMOCODE.
[15] Sanjit Seshia and Pramod Subramanyan. 2020. UCLID5: A system
for modeling, verification, and synthesis of computational systems.
hps://github.com/uclid-org/uclid
[16] Sanjit A. Seshia. [n.d.]. Combining Induction, Deduction, and Struc-
ture for Verification and Synthesis. IEEE.
[17] Armando Solar-Lezama. 2009. The sketching approach to program
synthesis. In Asian Symposium on Programming Languages and Sys-
tems. Springer, 4–13.
[18] Emina Torlak and Rastislav Bodík. 2013. Growing solver-aided lan-
guages with rosette. In Onward! ACM, 135–152.
[19] Hongce Zhang, Weikun Yang, Grigory Fedyukovich, Aarti Gupta, and
Sharad Malik. 2020. Synthesizing Environment Invariants for Modu-
lar Hardware Verification. In VMCAI. Springer, 202–225.
