Palamedes: Deductive Generator Synthesis in Lean

• Palamedes is an extensible Lean library that automatically synthesizes generators from constrained predicates, ensuring soundness and completeness.
• It employs deductive program synthesis with denotational semantics and recursion-scheme reasoning to eliminate runtime backtracking in property-based testing.
• The system integrates core Lean modules for synthesis, optimization, and proof extraction, demonstrating empirical efficiency over prior SMT-based and handwritten approaches.

Palamedes is an extensible library for the Lean theorem prover that provides an automated synthesis procedure for generating sound and complete random generators from constrained, functional predicates. It targets the constrained random generation problem in property-based testing (PBT): given a predicate φ on values of type α, synthesize a generator g that samples uniformly from the set of α satisfying φ, performing no backtracking or search at test execution time. Unlike prior approaches that rely on user sketches or on-the-fly SMT calls, Palamedes employs deductive program synthesis at the generator construction phase, leveraging denotational semantics and recursion-scheme reasoning for expressiveness and correctness (Goldstein et al., 15 Nov 2025).

1. Problem Definition and Conceptual Foundations

The constrained random generation problem arises in PBT where properties to be tested frequently include stringent preconditions, yielding valid inputs sparsely distributed within the ambient type. Rejection sampling becomes impractical under such sparsity due to catastrophic inefficiency. Palamedes formulates a stricter version: the constrained generator synthesis problem, which requires constructing, ahead-of-time, a generator that is sound (produces only valid examples) and complete (able to produce any valid example), with no dynamic search or SMT involvement.

This is achieved by viewing generators as programs in a monadic domain-specific language (DSL). The DSL's denotational semantics are formalized as the generator's "support": the set of values producible by the generator. The synthesis approach seeks, given a specification φ: α → Prop, a program g in this DSL such that:

$$\forall a.\; a\in\llbracket g\rrbracket \;\Longleftrightarrow\; φ(a)$$

Both the generator and its correctness proof are extracted from a single witnessed proof term in Lean.

2. Generator Representation and Semantics

Palamedes implements the generator DSL as the inductive type Gen α, with explicit support for infinite sets and parametric recursion:

inductive Gen (α : Type) : Type where pure : α → Gen α pick : Gen α → Gen α → Gen α bind : Gen α → (α → Gen β) → Gen β indexed : (ℕ → Gen (Option α)) → Gen α assume : Bool → (h : True ∨ False) → Gen α → Gen α

The denotational semantics (the "support" ⟦g⟧) is specified for each Gen constructor. For example:

• $\mathsf{pure}\;x$ yields only $x$,
• $\mathsf{pick}\;g_1\;g_2$ yields the union of supports,
• $\mathsf{bind}\;g\;f$ corresponds to relational composition,
• $\mathsf{indexed}\;F$ admits countable disjunction,
• $\mathsf{assume}\;b\;g$ yields support only if $b$ is true.

Generator correctness relative to a predicate φ requires:

• Soundness: $$\forall a.\ a \in \llbracket g \rrbracket \rightarrow φ(a)$$,
• Completeness: $$\forall a.\ φ(a) \rightarrow a \in \llbracket g \rrbracket$$.

3. Deductive Synthesis Rules and Recursive Predicate Handling

Palamedes synthesizes generators via backward proof search using inference rules tied to each constructor. Selected rules:

• S-Pure produces a generator for singletons.
• S-Pick constructs generators for disjunctions.
• S-Bind handles existential quantification and chaining.
• S-Convert allows conversion via Lean's simplifier.
• Additional rules support standard combinators (choose, elements, greaterThan, lessThan), along with introduction and case-split rules for tuples, Booleans, and natural numbers.

Handling recursive predicates exploits categorical recursion schemes:

• Fold: abstracts structural recursion (e.g., $\mathsf{List.fold}$).
• Optional fold: aborts in the presence of none (for partial predicates).
• Unfold: the dual, constructs outputs from seeds, e.g., $\mathsf{List.unfold}$.

The pivotal synthesis rule ($\mathsf{S}$-List-Unfold′) realizes generators for predicates expressible as invariants under a fold by constructing an anamorphism:

$\inferrule{ \Gamma \vdash g:(b:\beta)\rightarrow \mathsf{Gen}\left(\lambda\,\mathit{step}.\; (step=\text{none} \land z=b)\ \lor \ \exists x,b'.\ step=\text{some}(x,b') \land f(x,b')=b \right) }{ \Gamma \vdash \mathsf{List.unfold}\,g\,b: \mathsf{Gen}\left(\lambda\,\mathit{xs}.\; \mathsf{List.fold}\,f\,z\,\mathit{xs}=b\right) }$

Tupling techniques automate merging multiple invariants by folding over product collectors. The normalization pipeline simplifies φ, computes the necessary fold data, merges folds when needed, applies the unfolding construction, and synthesizes the corresponding generator recursively.

4. Practical Usage and Lean Integration

In Lean, Palamedes is invoked via the generator_search tactic:

def genBST (lo hi : Nat) : Gen (Tree Nat) := by generator_search (fun t => isBST t (lo,hi) = true)

This executes four stages:

1. Proof search: Best-first search (using Aesop) to construct a Gen term with evidence of correctness.
2. Optimization: Applies rewrite rules to streamline the generator AST, e.g., propagating assume guards.
3. Assume check: Verifies or warns if any assume-guarded backtracking remains.
4. Extraction: Delivers the generator, discarding proof wrappers.

Example constructed generators include:

• Arbitrary $\mathsf{Nat}$ via recursive indexed unfolding,
• Sorted lists via $\mathsf{greaterThan}$ and $\mathsf{List.unfold}$,
• Binary search trees via recursive $\mathsf{Tree.unfold}$ using range-splitting,
• Well-typed STLC terms synthesizable in under 3 s.

5. Implementation Architecture

The Palamedes system is realized as four main Lean modules:

• Core: The Gen type, support semantics, and correctness subtypes.
• Synthesis: Integration of all deductive rules (S-Pure, S-Pick, S-Bind, etc.) as Aesop proof rules.
• Fold/Unfold: Automated discovery of fold algebra, collector types, and definitions for folds/unfolds on lists, trees, and user-defined inductives.
• Optimizer: Metaprogram performing AST rewrites as per the six rewrite laws.
• User Interface: Exposes both generator_search and a suggestive insertion tactic generator_search?.

6. Empirical Evaluation

Evaluation across 32 benchmarks (covering Nat, List, Tree, Stack, Term) highlights Palamedes' performance and expressiveness:

Tool/Scenario	Solution Rate	Time to Solution	Notes
Palamedes vs. Cobb	~80 % <3 s	Up to 100× faster	Cobb requires sketches, times out often
Palamedes vs. QuickChick	Slower (0.05–50 s)	Higher cost	QuickChick needs inductive/manual merge
Handwritten vs. synthesized	Essentially equivalent	—	For BSTs, sorted lists, STLC; AVL issues

For certain AVL-tree benchmarks, synthesized generators must include an assume (i.e., backtracking), consistent with existing PBT implementations. The system matches expert-written generators except where domain-specific optimization (e.g., insertion-based AVL generation) is required.

7. Extensibility and Formal Guarantees

Adding new combinators (e.g., shuffle, permutation) is modular: the user provides a support lemma and registers an inference rule. Palamedes accommodates new inductive types through the definition of fold/unfold and accumulator operations, with further automation possible via algebraic datatype (ACF) or quotient polynomial functor (QPF) machinery. As foundational proof automation in Lean advances (via SMT or e-graph tactics), Palamedes can directly integrate better simplification and conversion capabilities.

All synthesis rules are internally proved; each ensures that the resulting generator is sound and complete if its premises are. The core fold–unfold inversion is proved once and reused, guaranteeing that any bug in synthesis logic can only cause failure to construct a generator, never the construction of a spurious one. Lean's proof checker enforces this by construction.

A plausible implication is that Palamedes serves as a blueprint for integrating deductive synthesis of functional generators into interactive theorem proving environments, with minimal trusted code and maximal reusability of formalized metatheory (Goldstein et al., 15 Nov 2025).