Adversarial Examples Crack Program Synthesis
An adaptive attacker can drive a program-by-example system to zero accuracy.
The paper shows that when a bad actor can inspect the synthesizer and choose which examples to corrupt, the failure mode for finite program by example (PBE) tasks becomes decisively adversarial rather than random. The authors formalize fixed-set worst-case corruption, build exact-within-bounded-pool and heuristic corruption searches for a string transformation DSL, and propose version-space partition aggregation, or VPA, which tries to synthesize on disjoint example groups and vote by semantic signatures. The framing matters because it moves beyond the usual stochastic noise model and exposes a clear vulnerability even for systems that look robust under standard benchmarks.
Benchmarks indicate that low-margin PBE tasks are the ones most at risk. The team reports that a curated edit can flip all eight spike tasks, and that under corruption budgets like 200 trials of typo, DSL-pool, or distance-matched random controls, success rates land at 10.3, 11.0 and 16.7 percent respectively. In other words, small but deliberate perturbations can tilt outcomes dramatically. The study also finds that when margins stay semantically large, VPA can recover some tasks, but that recovery collapses as soon as the clean semantics do not guarantee a margins-based partition vote. This is a crucial constraint for engineers trying to harden PBE in real systems.
On public SyGuS benchmarks the situation is starker: the vote margin is near one, so an adaptive attacker can drive VPA accuracy down to zero. In short, the defense helps only under favorable margin conditions, and many practical tasks do not meet those conditions. The researchers emphasize that these findings are not just academic; they reflect real constraints in how PBE systems are used and tested today. The team reports that while VPA can provide a defense in some regimes, it does not universally fix the adversarial vulnerability, and its effectiveness hinges on the structure of the task space and the distribution of semantic signals.
For practitioners, the takeaway is practical and specific. First, the engineering constraint is that robustness work cannot rely on generic noise models alone; adversarial corruption requires testing under fixed-set, worst-case scenarios that mirror how an attacker might exploit the version space. Second, the tradeoff is clear: VPA introduces grouping and voting overhead, and its value depends on maintaining meaningful semantic partitions. If the task design yields tight margins, VPA may offer little protection. Third, failure modes are instructive: even modest adversarial budgets can degrade many tasks, so post-synthesis verification and cross-checks remain essential. Finally, the field should watch for methods that either strengthen margins directly, for example by designing tasks with clearer semantic separations, or blend VPA with complementary defenses such as redundancy in example selection or stronger formal specifications.
These results sharpen a core lesson for ML and software engineers: robustness is context dependent, not universal. The paper shows that what looks like a robust defense in one setting can evaporate under worst-case, adversarial scrutiny, underscoring the need for more nuanced, margin-aware design and evaluation in program synthesis pipelines.
- Fixed-Set Robustness in Programming by Example: Example Corruption and Semantic Partition RecoveryarXiv ML / Primary source / Published JUL 02, 2026 / Accessed JUL 03, 2026