Proof development primitives #1637
Conversation
|
Here is a quick example of what this makes possible. Consider the following SAW script, and the following interaction. |
robdockins
force-pushed
the
rwd/dev-tools
branch
from
8c25b3d
to
9ed30cd
Compare
|
This is really neat! Some thoughts before looking at the code: I've been thinking a lot recently about to-disk serialization for We should also think about the Python story. I think a debugging tool like |
| Prover.writeSAIGInferLatches path1 t1 | ||
| Prover.writeSAIGInferLatches path2 t2 | ||
| io $ callCommand (abcDsec path1 path2) | ||
| write_t1 <- Prover.writeSAIGInferLatches t1 |
There was a problem hiding this comment.
I think these AIG-related changes might be unrelated work that was caught in the first commit.
There was a problem hiding this comment.
This is actually related, although the reason is pretty subtle. TopLevel no longer has a MonadMask instance, as continuation-based monads don't provide the necessary guarantees. However withSystemTempFile demands MonadMask in order to manage the temporary file lifetime. So, one solution is this, where we extract an IO action from the TopLevel and execute it later in an IO context.
This seems to be the only place that MonadMask instance was being used.
There was a problem hiding this comment.
Ah, makes sense. Thanks for the clarification.
src/SAWScript/Interpreter.hs
Outdated
| , prim "subshell" "() -> TopLevel ()" | ||
| (\_ _ -> toplevelSubshell) | ||
| Experimental | ||
| [] |
There was a problem hiding this comment.
We should make sure to include documentation for subshell before merging.
| @@ -203,13 +203,16 @@ writeSAIG file tt numLatches = do | |||
|
|
|||
| -- | Given a term a type '(i, s) -> (o, s)', call @writeSAIG@ on term | |||
| -- with latch bits set to '|s|', the width of 's'. | |||
| writeSAIGInferLatches :: FilePath -> TypedTerm -> TopLevel () | |||
| writeSAIGInferLatches file tt = do | |||
| writeSAIGInferLatches :: TypedTerm -> TopLevel (FilePath -> IO ()) | |||
There was a problem hiding this comment.
Maybe an unrelated change?
Agreed, these are all important and useful problems to be addressing, and should help with this kind of brokeness.
Also agreed. In some ways, I feel like the Python story is already ahead here, but the user-facing interaction needs some work. |
|
Is this what it looks like when we hit the CI memory limits? |
Most likely. I've seen the same error code (137) in the CI for #1563 as well. |
|
According to my local readings, the memory usage of this branch is only very slightly higher than for |
robdockins
force-pushed
the
rwd/dev-tools
branch
from
03045b8
to
ac2a910
Compare
robdockins
force-pushed
the
rwd/dev-tools
branch
2 times, most recently
from
89b408c
to
7f8f5ef
Compare
robdockins
force-pushed
the
rwd/dev-tools
branch
from
7f8f5ef
to
f15b8cd
Compare
|
FYI, the CI on this is not running due to a merge conflict (most likely with #1695). |
robdockins
force-pushed
the
rwd/dev-tools
branch
2 times, most recently
from
8c74519
to
1084357
Compare
|
Seems like this is now squeaking under the memory limits.... I'll work on getting this a little more polished up and see if we can get it merged. |
robdockins
force-pushed
the
rwd/dev-tools
branch
2 times, most recently
from
0907c55
to
9c451cb
Compare
|
Logs indicate some kind of failure downloading |
|
Whelp... looks like we're failing on memory limits again. |
StateContT transformer, which gives us the ability to capture continuations. This allows us to implement `callcc` as a saw-script command. Additionally, implement a "checkpoint" command that will capture the TopLevel monad state and allow it to be restored later. Also, rework some aspects of error handling. The previous method no longer worked properly with a continuation-based TopLevel monad.
When invoked from a batch file (or from an ongoing REPL session) starts a "subshell" REPL session. The intent here is to allow for exploration and experimentation in the middle of a larger run. For now, subshells are not very useful, as there isn't a good way to expose the local SAW environment to the shell.
of the TopLevel monad. This allows it to interact with primitive operations; in particular, we can start a subshell with local SAW script bindings in scope.
be leaving alone (async and exit exceptions).
`NameSeeds` value used internally by Cryptol to be carried forward
across checkpoints. This prevents internal nonce values from being
reused, which, in turn, avoids errors about registering duplicate
names.
It is unclear if this is the correct long-term fix, but it allows
checkpoint to work more reliably when importing Cryptol modules
or using `let {{ ... }}` constructs.
mutable state part of the TopLevel monad. This allows them to participate in the checkpoint/restore mechanism.
``` void saw_assert( uint32_t ); ``` This allows the program source to directly assert a proposition inline which is then assumed as part of the path condition. This can sometimes help the path sat checker by stating helpful lemmas whose proof can be deferred to the VC-checking phase. It can also be helpful for program/proof exploration, allowing the user to directly state inline hypotheses about program behavior, and then attempt to prove them.
allows the user to restore proof states.
robdockins
force-pushed
the
rwd/dev-tools
branch
from
9c451cb
to
6952456
Compare
|
After a rebase, this is back under memory limits... I think I'm going to go ahead and merge it, even though the CI seems a bit erratic. |
This PR reorganizes the execution internals of SAWScript and implements some additional experimental primitives that will hopefully yield quality-of-life improvements for proof development.
The two main new capabilities are a
callccprimitive, and asubshellprimitive. Thesubshellprimitive, when executed, will drop the user directly into a REPL session with the same context as the point wheresubshellwas called. This should allow the user to experiment, view internal state, etc. interactively.callcc, as typical, reifies the rest of the computation as a function that can be called. This is especially useful in combination withsubshell, as the user can experiment with state updates and see what effect that has on the remainder of the proof without having to rerun the proof from the beginning.There is additionally a new
checkpointprimitive that captures (some) of the mutable state of the system and allows it to be restored at a later time. This facility is highly experimental, and it is relatively easy to work yourself into broken states using it. Probably, we need a more comprehensive plan to deal with the general idea of checkpoint/resume in the entire SAW ecosystem to make this work more reliably.