Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade toolchain to nightly-2023-01-23 #2149

Merged
merged 5 commits into from
Mar 8, 2023

Conversation

celinval
Copy link
Contributor

@celinval celinval commented Jan 24, 2023

Description of changes:

Upgrade our toolchain to nightly-2023-01-23. The changes here are related to the following changes:

Resolved issues:

Resolves #2113

Related RFC:

Optional #ISSUE-NUMBER.

Call-outs:

I initially upgraded the toolchain to nightly-2023-01-16 as planned in #2113. However, the AsyncAwait tests were failing due to wrong monomorphization. To fix that, I decided to upgrade to nightly-2023-01-23 instead to include the changes related to rust-lang/rust#105977. That fixed the regression.

Note: We should consider prioritizing #1365 to stop having to amend the function abi code.

I had to disable the rust logs temporarily after the merge. The issue was already fixed on newer versions of rustc (rust-lang/rust#107761). So I added a note to the next toolchain upgrade issue to re-enable this.

Testing:

  • How is this change tested?

  • Is this a refactor change?

Checklist

  • Each commit message has a non-empty body, explaining why the change was made
  • Methods or procedures are documented
  • Regression or unit tests are included, or existing tests cover the modified code
  • My PR is restricted to a single feature or bugfix

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

to overcome an issue with async generators. Updated the
codegen_generator to follow the new logic implemented in
rust-lang/rust#105977
@celinval celinval requested a review from a team as a code owner January 24, 2023 03:00
@zhassan-aws
Copy link
Contributor

Weird: one s2n-quic perf harness is failing.

@celinval
Copy link
Contributor Author

Weird: one s2n-quic perf harness is failing.

I'm trying to find out what's going on here. CBMC detects a non-existing loop inside Option<>::ok_or(). This is an example of test that is failing:

#[kani::proof]
#[kani::unwind(2)]
fn check_ok_or() {
    let opt : Option<bool> = kani::any();
    let val_or = opt.ok_or(());
    assert!(val_or.is_ok());
}

Without the changes from this PR, CBMC still detects a loop, but it only fails for --unwind 1.

@zhassan-aws
Copy link
Contributor

This is an example of test that is failing:

Does it pass with a larger unwind value?

@celinval
Copy link
Contributor Author

Does it pass with a larger unwind value?

Yes. It does. It also passes if I don't specify a bound. But why there is a loop here in the first place is a mystery. Let me see if I can reproduce this in C.

@celinval
Copy link
Contributor Author

I did some digging and created a tiny C example that triggers the same issue: diffblue/cbmc#7506.

@tedinski
Copy link
Contributor

Is the decision to block this, waiting on a CBMC fix and release? From that CBMC issue's discussion it wasn't clear this was going to be fixed soon...

@celinval
Copy link
Contributor Author

celinval commented Jan 27, 2023

Is the decision to block this, waiting on a CBMC fix and release? From that CBMC issue's discussion it wasn't clear this was going to be fixed soon...

That's a great question. I don't think we have decided it yet. I don't think this change is urgent, so I think we can wait a few more days to see if CBMC can scope out the fix. Once we have an idea of when this can be resolved, we can decide if a work around is granted. I rather delay this update for a week or two than push a work around to our users code.

Let me know if that makes sense or if you feel like we should just move ahead.

@tautschnig
Copy link
Member

Is the decision to block this, waiting on a CBMC fix and release? From that CBMC issue's discussion it wasn't clear this was going to be fixed soon...

That's a great question. I don't think we have decided it yet. I don't think this change is urgent, so I think we can wait a few more days to see if CBMC can scope out the fix. Once we have an idea of when this can be resolved, we can decide if a work around is granted. I rather delay this update for a week or two than push a work around to our users code.

Let me know if that makes sense or if you feel like we should just move ahead.

Given the discussion we had in a meeting yesterday, a fix may be several weeks out. @martin-cs has a much more complete view of the concept of "loops" and their challenges, and tells me there are a lot of possible pitfalls. So I don't question that we need to find a way to address this for our customers, but it may well be worth upgrading with a workaround right now and then keeping open an issue to track reverting this workaround once a fix has been implemented.

@martin-cs
Copy link

On a previous project I learnt, to my cost, that there are a lot of weird loop configurations that turn up if you analyse a large enough code base. Either A. you play whack-a-mole and continuously tweak your loop handling or B. you need a dedicated loop normalisation pass. An A solution to this would be pretty quick but it will not be the last, a B solution to this will take longer but will benefit many other users ( @remi-delmas-3000 for one ).

At the moment I don't have the time allocation to solve the whole problem myself but am happy to meet with / share experience and benchmarks with anyone who does.

@celinval
Copy link
Contributor Author

On a previous project I learnt, to my cost, that there are a lot of weird loop configurations that turn up if you analyse a large enough code base. Either A. you play whack-a-mole and continuously tweak your loop handling or B. you need a dedicated loop normalisation pass. An A solution to this would be pretty quick but it will not be the last, a B solution to this will take longer but will benefit many other users ( @remi-delmas-3000 for one ).

At the moment I don't have the time allocation to solve the whole problem myself but am happy to meet with / share experience and benchmarks with anyone who does.

I would love to hear more about it @martin-cs but in this case there is no loop. A simple DFS in the CFG should be enough to at least rule out false positives in the loop detection.

@martin-cs
Copy link

@celinval I completely agree with your point that it will solve this specific problem. My experience with this and other loop-related weirdness is that "We just need a small tweak to deal with this one" is a very long road of spiralling complexity and increasing fragility of the algorithms. Although it might be a little more work initially, I would strongly recommend a robust loop normalisation pass and robust loop detection algorithms because the list of "just one more tweak" seems to never end.

@celinval
Copy link
Contributor Author

celinval commented Feb 2, 2023

@celinval I completely agree with your point that it will solve this specific problem. My experience with this and other loop-related weirdness is that "We just need a small tweak to deal with this one" is a very long road of spiralling complexity and increasing fragility of the algorithms. Although it might be a little more work initially, I would strongly recommend a robust loop normalisation pass and robust loop detection algorithms because the list of "just one more tweak" seems to never end.

I get your point. We might try doing a topological sort on our side to see if we overcome the current issues we are facing.

Rust doesn't support goto statements, so I am hoping that the weird cases you are talking about won't be a problem here.

@celinval
Copy link
Contributor Author

celinval commented Feb 3, 2023

It looks like #2181 fixed the s2n-quic regression, but another performance test may be running out of memory. 🤦‍♀️

@martin-cs
Copy link

martin-cs commented Feb 3, 2023 via email

@celinval
Copy link
Contributor Author

celinval commented Feb 3, 2023

Rust doesn't support goto statements, so I am hoping that the weird cases you are talking about won't be a problem here.
Unfortunately ... you can still cause chaos without goto. Once you have inlining then returns start to behave a lot like localised gotos. Also sensible normalisations like "if you have a GOTO instruction who's target is an unconditional GOTO then you can jump directly to the second target" can create some surprisingly anomalous situations like loops with multiple back edges.

Interesting. Do you have any examples for these cases? Shouldn't the return statements behave like break statements at that point?

@celinval
Copy link
Contributor Author

celinval commented Feb 4, 2023

Running the failing test in my local machine with cargo kani, I got the following:

Configuration Time Memory
main (CBMC 5.75) 5.74s 165MB
this PR (CBMC 5.75) 206s 16GB
main (CBMC 5.70) 200.s 16GB

Note that the time in this PR is very similar to the one I obtained when running main with an older CBMC version (before diffblue/cbmc#7230).

I wonder if whatever has changed neutralized the optimization that @tautschnig introduced. 😕

@celinval
Copy link
Contributor Author

celinval commented Feb 6, 2023

I created #2191 to track the performance regression. This PR is blocked till we have a better picture of what's going on.

Conflicts:
    - kani-compiler/src/kani_middle/stubbing/annotations.rs
    - kani-compiler/src/session.rs (logger initialization issue)
and enable them to be executed as part of CBMC nightly
Added --no-fail-fast to the script
@celinval
Copy link
Contributor Author

celinval commented Mar 8, 2023

Since the fix has already been merged to CBMC and we should update the CBMC version before the release, we decided to mark the performance regression tests as ignored. In the mean time, the CBMC latest workflow will run the ignored tests.

I manually triggered the job in my fork to see if it works: https://github.com/celinval/kani-dev/actions/runs/4368456571

@celinval celinval enabled auto-merge (squash) March 8, 2023 23:06
@celinval celinval merged commit 5195423 into model-checking:main Mar 8, 2023
@tautschnig tautschnig mentioned this pull request Mar 17, 2023
3 tasks
tautschnig added a commit to tautschnig/kani that referenced this pull request Mar 17, 2023
- Re-enable tests that had to be disabled with the toolchain upgrade in
  model-checking#2149. Fixes model-checking#2286, fixes model-checking#2191.
- Do not generate non-NULL pointer constants. Together with the CBMC
  version update this avoids the need for an unwinding annotation in the
  mir-linker test. Fixes model-checking#1978.
- CBMC 5.79.0 ships simplifier improvements that enable constant
  propagation to avoid slow-down with the Display trait. Fixes model-checking#1996.
- CBMC 5.79.0 ships SMT back-end fixes. Fixes model-checking#2002.

Co-authored-by: Zyad Hassan <88045115+zhassan-aws@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Update rust toolchain version for Kani 0.20
5 participants