-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[cse] Precondition Refinement #742
Comments
Results: These implementations will improve the performance in verifying all the test harnesses in |
Results: This will improve performance when verifying functions that use |
Which specific improvements do you see with respect to the specific initial state of The way to get tighter pre-conditions is through annotations, which I believe @palinatolmach is implementing. CSE should not use a The problems that are not allowing us to get
|
I just tried running |
Thank you for your comments, @PetarMax! Here are some of my thoughts. There are indeed some points I don't understand and am not familiar with. So if my explanations have any issues, please let me know.
Inputting a purely abstract initial state would generate more branches than expected and could lead to some unreachable states under a reasonable initial state. Therefore, we need to refine the initial state to a reasonable state set to make the proof pass. I believe this is why we need to execute Regarding Additionally, I want to integrate
Sorry, I'm not sure. I think it's some variables assumed in the
I think @palinatolmach addressed this question, but I'm not sure.
In fact, when I ran match-test
I also think it's a better approach, but it seems to take more time. Is there anything I can do to help, @palinatolmach? Since I cannot validate the correctness of
Yes. So I think we need to remove unrelated context from the generated rules. As I mentioned before, I believe
Ok, I understand. If we execute the mutable variable parts, the pre-state would be too concrete to be reused. But why are the results of match-testing
Sorry, I don't fully understand these points. Is there anything I can help with? |
Thank you, @palinatolmach! I'll give it a try! |
Background
Presently, the CSE initiates symbolic execution from the call graph's leaf nodes progressing towards the root (enabled by the
--cse
option). The contract execution commences either from the symbolic values of its parameters or from the state post-execution of theconstructor
(using--run-constructor
). This approach results in overly abstract initial states for the functions, making it exceedingly time-consuming to determine the final states of the functions. Consequently, this prevents us from synthesizing reusable function summaries.Running Example
Using
DualGovernance.activateNextState()
as an example, theActivateNextStateTest.testActivateNextStateTermination
serves as a test harness for this function. The current situation is as follows:kontrol prove ActivateNextStateTest.testActivateNextStateTermination
: The proof is successful. The process starts from the root of the call graph, executing the constructor andsetUp
before runningtestActivateNextStateTermination
, and finally invokingactivateNextState
.cse
withkontrol prove ActivateNextStateTest.testActivateNextStateTermination --cse
: The proof fails. This failure occurs becauseDualGovernance.activateNextState()
is symbolically executed without calling the constructor andsetUp
, resulting in a PROOF-FAILED outcome forDualGovernance.activateNextState()
. Consequently,ActivateNextStateTest.testActivateNextStateTermination
inherits this failure when it uses the summary, leading to its own failure. This indicates that we should not executeactivateNextState
from the most abstract state to obtain its summary, i.e.,kontrol prove DualGovernance.activateNextState
.--run-constructor
withkontrol prove DualGovernance.activateNextState
: Verification out-of-time or out-of-memory. While the function inputs are correctly configured by the constructor, the state includes improbable and unreasonable conditions that can arise during function calls. The excessive branching states prevent termination. Even if termination is achieved, the final state obtained throughminimize_proof
and node merging remains too abstract, causing the verification to fail.Solution
To address the above problem, precondition refinement is necessary: more reasonable constraints should be provided for the initial state of the function. The following approaches can be considered. Given the simplicity of the
activateNextState
example, the first approach should suffice to resolve the issue:--cse
option to run theconstructor
andsetUp
before executing functions from the leaf to the root of the call graph.Additionally, function summaries should do the following before being included as lemmas:
minimize_proof
and node merging.Result / Expected
Upon the successful implementation of
minimize_proof
with node merging (issue #703), all tests withinActivateNextStateTest
are expected to be verified within seconds or minutes.The text was updated successfully, but these errors were encountered: