-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving pre-SMT reasoning capabilities #3861
Comments
I think we should have Because of that, I think we shouldn't need the
This can be a very specific reasoning module for just this case, only when dealing with side-conditions. |
Yes, |
That's fine, we can change the frontend to allow it for More important that the rule reads correctly. We don't need another way to say |
We have had an discussion of this proposal in yesterdays Kontrol<>HB meeting, here's the summary of what I recall:
The reason I am somewhat hostile to the idea of adding ad-hoc reasoning procedures as part of the requires clause check (or anywhere else) is that these are very difficult to maintain. We know that Kore has a number of such procedures that are essentially a black box for us as the backend developers. Deciphering and perhaps refactoring them is certainly possible, but would require significant resources. tl;drWe have the SMT solver for this sort of thing, both in Booster and in Kore. If we see examples where either Booster or Kore fails to apply simplifications due to unknown predicates, we should drill into why these are unknwon. There may be holes in Booster's SMT interface and hopes+historical baggage in Kore's. We should identify and fix those first, and only then extend K with additional rule types that hook into the backend. @goodlyrottenapple please add any points from the discussion that I have forgotten to mention. |
I understand the concern about ad-hoc reasoning modules, especially in the context of Kore history. I do believe that will not have the same issues if we document precisely what is being done and implement reasoning modules modularly, with the ability to be switched on and off. I think the question I would like to have an answer to is: is Z3 called in Booster when trying to determine if a condition of a |
This is not ad-hoc, it's very specific, and has come up as a soft ask several times over the years. Basically, what we want is existential binding against things that already exist in the side-conditions. It's easy to see how this reasoning works, and also easy for the backend to see when it should apply this reasoning (are there simplification rules with existentials in the I disagree fully with this being ad-hoc. Improving SMT translation is just making the backend better at "magic", but not giving the user more power here. |
The proposal has been refined and a new issue in the K repo has been opened. Let us use this issue to track the implementation of this feature in Booster. I have a question regarding what to do when we have multiple matches. Let's have a look at a happy-path scenario when we have two matches, but only one is actually non-False:
In order to apply rule
we need to prove
we match with the simplification
The question is: how do we pick the instantiation? In this particular case, it's relatively easy, as we only have two options and only one of them is valid: We can substitute
which the LLVM backbend will discharge as false, no Z3 needed. Or we can substitute
in this case, we get two clauses that are syntactically present in the constraints — we can apply The amount of matches will however grow exponentially with the amount of constraints, and we will likely start getting multiple non- How would we choose which one to use? |
I would apply first successful and would not cache - these simplifications should be instant. |
In the recent proofs, I have often observed the following pattern of reasoning:
C1: X <Int pow256
for a rule/simplification to fire;C2: X <Int pow96
, say, in the path constraints, soC1
holds;C1
holds, so rule/simplification does not get applied in Booster and then (I think?) we either fall back to Kore which uses Z3 (if we're dealing with a rule) or we do nothing (if we're dealing with a simplification).I believe that we could/should take care of these cases before they reach the SMT solver, and I would like to understand/discuss how this could be done modularly and where it should be done.
One way of doing this for this specific case would be to write simplifications in which I could tell the engine to syntactically match the path condition, rather than semantically, along the lines of:
where
match(C)
would mean 'match the path constraints syntactically to learnC
, possibly also specifying which conjunct of therequires
clause to use for the match (match(C, 1)
, for instance). In this example, we couldn't useC <=Int B
anyway because bothB
andC
are concrete, so that constraint would be fully resolved.The text was updated successfully, but these errors were encountered: