4012 evaluate pattern pruning

[geo2a]

Fixes #4012
Subsumes #4013 and #4011

Summary of changes:

• The "simplify" endpoint in Booster, when given a pattern (term and predicate) now checks the predicate for SAT before attempting to evaluate the term, returning #Bottom if the constraints are UNSAT.
• the "execute" endpoint in Booster will now too check the constraints of the initial pattern for SAT before starting the rewriting loop. This initial check can be disabled by setting the execute request parameter "assume-defined" to false
• the kore-rpc-booster server will now effectively have --no-post-exec-simplify option enabled as default, i.e. no simplification will be done at the Proxy level. The old behavior can be recovered by passing --post-exec-simplify to kore-rpc-booster

[geo2a]

KEVM performance:

Test	4012-evaluate-pattern-prunin time	master-b6f880749 time	(4012-evaluate-pattern-prunin/master-b6f880749) time
examples/sum-to-n-foundry-spec.k	71.91	107.83	0.6668830566632662
mcd/cat-exhaustiveness-spec.k	96.23	135.94	0.7078858319846991
examples/sum-to-n-spec.k	64.51	90.15	0.7155851358846367
mcd/vow-fess-fail-rough-spec.k	100.64	137.85	0.7300689154878491
mcd/vow-flog-fail-rough-spec.k	117.93	154.24	0.7645876556016598
mcd/flopper-dent-guy-same-pass-rough-spec.k	752.98	957.37	0.7865088732673888
erc20/ds/transferFrom-failure-1-b-spec.k	117.83	145.47	0.8099951880112738
mcd/flopper-dent-guy-diff-tic-not-0-pass-rough-spec.k	860.15	1033.84	0.8319952797338079
erc20/ds/transfer-failure-1-b-spec.k	77.1	92.52	0.8333333333333333
mcd/dstoken-approve-fail-rough-spec.k	84.57	100.94	0.8378244501684168
erc20/ds/transferFrom-failure-2-b-spec.k	82.58	98.47	0.8386310551436986
mcd/flopper-tick-pass-rough-spec.k	186.65	222.55	0.8386879352954392
erc20/ds/transferFrom-failure-1-c-spec.k	96.69	115.05	0.8404172099087354
benchmarks/ecrecoverloop00-sig1-invalid-spec.k	93.53	109.01	0.8579946793872122
erc20/hkg/transferFrom-failure-1-spec.k	76.36	88.66	0.861267764493571
mcd/pot-join-pass-rough-spec.k	217.49	251.28	0.8655284941101561
examples/erc721-spec.md	149.67	171.23	0.8740874846697424
mcd/functional-spec.k	500.79	571.38	0.8764569988449019
erc20/hkg/transferFrom-failure-2-spec.k	75.76	86.39	0.8769533510823012
mcd/flopper-file-pass-rough-spec.k	408.61	462.37	0.8837294807189048
examples/solidity-code-spec.md	105.45	119.25	0.8842767295597485
erc20/hkg/transfer-failure-1-spec.k	58.21	65.67	0.8864017054971829
mcd/flapper-yank-pass-rough-spec.k	175.31	197.14	0.8892665111088567
erc20/hkg/transfer-failure-2-spec.k	58.91	65.57	0.8984291596766815
mcd/flopper-kick-pass-rough-spec.k	126.1	139.69	0.9027131505476412
kontrol/test-arithmetictest-test_wmul_weakly_increasing_positive-uint256-uint256-0-spec.k	67.15	74.22	0.9047426569657775
benchmarks/functional-spec.k	379.11	417.66	0.9077000430972562
erc20/ds/transferFrom-failure-1-a-spec.k	81.28	88.98	0.9134636997077995
mcd/end-subuu-pass-spec.k	56.81	61.71	0.9205963377086372
kontrol/test-owneruponlytest-testincrementasowner-0-spec.k	70.33	76.34	0.9212732512444327
erc20/ds/transfer-failure-2-a-spec.k	65.99	71.22	0.9265655714686886
kontrol/test-arithmetictest-test_wdiv_rounding-uint256-uint256-0-spec.k	55.78	59.87	0.9316853181894105
mcd/end-cash-pass-rough-spec.k	204.76	219.33	0.9335704190033283
erc20/ds/transfer-failure-1-a-spec.k	66.57	71.22	0.9347093513058129
kontrol/test-countertest-testincrement-0-spec.k	92.85	99.23	0.9357049279451778
kontrol/test-expectcalltest-testexpectregularcall-0-spec.k	50.69	53.79	0.9423684699758319
erc20/ds/transferFrom-failure-2-a-spec.k	70.38	74.66	0.9426734529868738
kontrol/test-expectreverttest-testfail_expectrevert_false-0-spec.k	67.93	70.6	0.9621813031161475
benchmarks/ecrecover00-siginvalid-spec.k	58.86	56.85	1.0353562005277044
benchmarks/ecrecoverloop02-sigs-valid-spec.k	118.28	113.98	1.0377259168275135
examples/storage-spec.md	94.35	90.67	1.0405867431344435
mcd/flipper-ttl-pass-spec.k	56.81	54.47	1.0429594272076372
erc20/ds/transferFrom-failure-1-d-spec.k	63.84	61.19	1.0433077300212454
benchmarks/overflow00-nooverflow-spec.k	50.33	48.06	1.0472326258843112
benchmarks/dynamicarray00-spec.k	51.79	49.41	1.0481683869662013
erc20/ds/approve-failure-spec.k	50.7	48.34	1.048820852296235
examples/erc20-spec.md	165.92	158.08	1.0495951417004048
benchmarks/ecrecoverloop02-sig0-invalid-spec.k	93.71	89.24	1.0500896458987001
mcd/dai-symbol-pass-spec.k	57.04	54.26	1.051234795429414
erc20/ds/balanceOf-spec.k	50.75	48.16	1.0537790697674418
erc20/hkg/allowance-spec.k	52.34	49.63	1.0546040701188797
erc20/ds/transfer-failure-2-b-spec.k	53.91	50.95	1.058096172718351
benchmarks/encodepacked-keccak01-spec.k	52.41	49.43	1.0602872749342505
erc20/ds/allowance-spec.k	55.93	52.45	1.0663489037178264
erc20/hkg/approve-spec.k	53.71	50.33	1.0671567653486986
benchmarks/staticloop00-a0lt10-spec.k	53.8	50.31	1.0693699065792088
benchmarks/structarg00-spec.k	55.13	51.48	1.070901320901321
erc20/hkg/transferFrom-success-2-spec.k	62.36	58.23	1.0709256397046196
benchmarks/encode-keccak00-spec.k	59.03	55.05	1.0722979109900093
erc20/hkg/transfer-success-2-spec.k	56.92	53.07	1.0725456943659317
benchmarks/ecrecoverloop00-sig0-invalid-spec.k	68.63	63.48	1.0811279143037178
erc20/ds/transfer-failure-1-c-spec.k	56.24	51.74	1.0869733281793583
benchmarks/staticarray00-spec.k	52.31	47.87	1.092751201169835
erc20/ds/approve-success-spec.k	61.08	55.59	1.0987587695628709
erc20/hkg/transferFrom-success-1-spec.k	68.92	62.65	1.1000798084596968
benchmarks/requires01-a0gt0-spec.k	51.81	47.04	1.1014030612244898
benchmarks/ecrecoverloop00-sigs-valid-spec.k	78.45	70.54	1.1121349588885738
erc20/hkg/transfer-success-1-spec.k	57.88	51.84	1.1165123456790123
erc20/ds/transferFrom-success-1-spec.k	81.0	70.97	1.1413273214034099
erc20/ds/transferFrom-success-2-spec.k	74.15	64.79	1.1444667386942429
erc20/ds/transfer-success-1-spec.k	68.42	59.67	1.1466398525222055
benchmarks/structarg01-spec.k	70.95	61.85	1.1471301535974132
erc20/ds/transfer-success-2-spec.k	68.3	58.98	1.1580196676839607
TOTAL	8411.65	9319.34	0.9026014717780445

[geo2a]

The strange changes to this the output of test-collectiontest were caused by the reuse of .json output file by both kore-rpc-booster and booster-dev runs of the test. Since Booster's result is stuck (no more rules), kore-rpc-booster will fallback to Kore and the result will contain Kore's preferred set ordering.

[geo2a]

this diff really does not make much sense.

What happened to test-diamond is: the differences between booster-dev and kore-rpc-booster are mostly eliminated, but some test results have to be special-cased for kore-rpc-dev.

[geo2a]

This response (and response-branch-after-one.json) are now branching. Kore's simplifier is necessary to prune the state after jumpi.false. It is still unclear what it going on here.

[jberthold]

I would maybe just leave --post-exec-simplify on for this test instead...

[jberthold]

This is a bit weird... the updated output does not have any "predicate" any more?

[PetarMax]

There is a major slowdown in engagement proofs as a result of this PR. A setUp function that was passing in 6m39s with master is passing in 15m17s with this branch.

I think that we might need to construct a more representative test suite.

[geo2a]

I've removed the data in this comment as I've been running with an incorrect branch, sorry for the spam.

[geo2a]

I've run the testkontrolEscrowLockUnlockTest.setUp with master and this branch combined with two other SMT-related PRs (#4040 and #4038), and the results are:

master, kore-rpc-booster	7m 29s
master, booster-dev	6m 24s
#4020 + #4040 + #4038, kore-rpc-booster	28m 32s
#4020 + #4040 + #4038, booster-dev	26m 55s

This proof seems to be special in the sense that it does not branch a single time and always stays in Booster, hence this change introduces a slowdown, as we start calling Z3 at the beginning of every execute request.

It is not clear to me at that point why the slowdown is so massive.

[geo2a]

With cdce88c the runtime of testkontrolEscrowLockUnlockTest.setUp is back to 7m 34s. The problem was that we were checking the constraints with Z3 after every rewrite step (in simplifyP).

[PetarMax]

Just in case this could be useful. For me, the SAT checking points are:

• for prelude, once, at the very beginning of the execution;
• for the path constraint:
  • at the very beginning of the execution; and
  • when ensures adds something to it.

I don't think there is a need to make additional checks at branching points, because there are already checks in place that Prelude /\ G /\ P and Prelude /\ G /\ !P are SAT. If those are SAT, then also G and Prelude are SAT, and if those are both Unsat, we signal vacuous anyway presumably.

Even if we cut both Prelude and G, if the cut is correct then the above reasoning still holds, because irrelevant extensions cannot make UNSAT what was SAT unless they make either the Prelude or G itself UNSAT, but our initial checks, ensures checks, and branching point checks would have eliminated those cases already.

[geo2a]

Test	4012-evaluate-pattern-prunin time	master-b9e677da4 time	(4012-evaluate-pattern-prunin/master-b9e677da4) time
examples/sum-to-n-foundry-spec.k	68.92	106.76	0.6455601348819783
mcd/cat-exhaustiveness-spec.k	83.43	127.99	0.6518478006094227
examples/sum-to-n-spec.k	62.34	89.29	0.698174487624594
mcd/vow-fess-fail-rough-spec.k	90.13	125.99	0.7153742360504802
mcd/flopper-dent-guy-same-pass-rough-spec.k	629.83	876.62	0.7184755082019576
erc20/ds/transferFrom-failure-1-b-spec.k	106.39	148.04	0.7186571196973791
mcd/vow-flog-fail-rough-spec.k	103.2	143.01	0.7216278581917349
erc20/ds/transfer-failure-1-b-spec.k	66.44	91.66	0.7248527165612044
mcd/pot-join-pass-rough-spec.k	172.37	236.65	0.7283752376927952
benchmarks/ecrecoverloop00-sig1-invalid-spec.k	79.87	109.11	0.7320135642929154
erc20/ds/transferFrom-failure-2-b-spec.k	69.48	94.21	0.7375013268230549
erc20/hkg/transferFrom-failure-2-spec.k	63.2	82.45	0.7665251667677381
erc20/ds/transferFrom-failure-1-c-spec.k	89.88	115.68	0.7769709543568464
mcd/flopper-tick-pass-rough-spec.k	161.69	207.69	0.778516057585825
examples/erc721-spec.md	130.34	166.53	0.7826817990752417
mcd/flopper-dent-guy-diff-tic-not-0-pass-rough-spec.k	751.97	958.95	0.784159758068721
erc20/hkg/transferFrom-failure-1-spec.k	70.57	89.63	0.7873479861653464
mcd/dstoken-approve-fail-rough-spec.k	75.19	94.87	0.7925582375882786
mcd/flapper-yank-pass-rough-spec.k	155.57	195.09	0.7974268286431903
mcd/end-cash-pass-rough-spec.k	179.77	219.71	0.8182149196668336
examples/solidity-code-spec.md	99.47	120.61	0.824724318049913
erc20/hkg/transfer-failure-1-spec.k	54.88	66.18	0.8292535509217286
erc20/ds/transferFrom-failure-2-a-spec.k	61.74	74.01	0.8342115930279692
erc20/ds/transfer-failure-1-a-spec.k	60.55	72.38	0.8365570599613152
erc20/hkg/transfer-failure-2-spec.k	53.12	63.3	0.8391785150078989
mcd/flopper-kick-pass-rough-spec.k	112.96	133.37	0.8469670840518857
erc20/ds/transfer-failure-2-a-spec.k	58.63	68.61	0.8545401544964292
erc20/ds/transferFrom-failure-1-a-spec.k	76.76	88.89	0.863539205759928
mcd/end-pack-pass-rough-spec.k	138.71	160.5	0.8642367601246106
benchmarks/ecrecoverloop02-sigs-valid-spec.k	95.6	110.37	0.8661774032798767
examples/erc20-spec.md	139.07	159.42	0.8723497679086689
mcd/flopper-file-pass-rough-spec.k	396.77	453.81	0.8743086313655494
mcd/functional-spec.k	500.15	570.95	0.8759961467729223
benchmarks/ecrecoverloop00-sigs-valid-spec.k	63.8	72.67	0.8779413788358331
benchmarks/ecrecoverloop02-sig1-invalid-spec.k	93.95	106.85	0.8792700046794573
kontrol/test-owneruponlytest-testincrementasowner-0-spec.k	68.6	77.42	0.8860759493670886
benchmarks/ecrecoverloop02-sig0-invalid-spec.k	78.8	87.6	0.8995433789954338
kontrol/test-arithmetictest-test_wmul_weakly_increasing_positive-uint256-uint256-0-spec.k	66.86	73.99	0.9036356264360049
benchmarks/functional-spec.k	377.08	417.02	0.9042252170159705
benchmarks/ecrecoverloop00-sig0-invalid-spec.k	58.75	64.93	0.9048205760049283
kontrol/test-countertest-testincrement-0-spec.k	89.76	99.16	0.9052037111738606
erc20/ds/transferFrom-success-1-spec.k	65.16	71.2	0.9151685393258426
kontrol/test-arithmetictest-test_wdiv_rounding-uint256-uint256-0-spec.k	54.86	59.72	0.9186202277294039
mcd/end-subuu-pass-spec.k	56.16	60.98	0.9209576910462447
mcd/flipper-bids-pass-rough-spec.k	80.74	87.57	0.9220052529405047
kontrol/test-expectreverttest-testfail_expectrevert_false-0-spec.k	65.65	71.19	0.9221800814721169
kontrol/test-emitcontracttest-testexpectemitdonotcheckdata-0-spec.k	49.61	53.58	0.9259051885031728
kontrol/test-emitcontracttest-testexpectemitcheckemitter-0-spec.k	49.14	52.94	0.9282206271250473
erc20/ds/transfer-success-2-spec.k	54.92	59.09	0.9294296835335928
kontrol/test-storetest-testaccesses-0-spec.k	48.48	52.11	0.9303396660909614
kontrol/test-allowchangestest-testfailallowcallstoaddress-0-spec.k	49.91	53.61	0.9309830255549337
kontrol/test-emitcontracttest-testexpectemit-0-spec.k	48.2	51.65	0.9332042594385287
erc20/ds/transfer-success-1-spec.k	56.96	60.9	0.9353037766830871
kontrol/test-allowchangestest-testfailallowchangestostorage-0-spec.k	70.26	75.09	0.9356771873751498
kontrol/test-expectreverttest-testfail_expectrevert_failandsuccess-0-spec.k	48.19	51.44	0.9368195956454122
benchmarks/ecrecover00-sigvalid-spec.k	55.03	58.71	0.9373190257196389
kontrol/test-expectreverttest-testfail_expectrevert_bytes4-0-spec.k	48.54	51.71	0.9386965770643976
erc20/ds/transferFrom-success-2-spec.k	62.22	66.26	0.9390280712345306
examples/storage-spec.md	86.05	91.49	0.9405399497212811
kontrol/test-allowchangestest-testallow_fail-0-spec.k	50.5	53.52	0.9435724962630792
benchmarks/storagevar00-spec.k	46.92	49.71	0.943874471937236
kontrol/test-expectcalltest-testexpectstaticcall-0-spec.k	49.37	52.21	0.9456042903658303
kontrol/test-arithmetictest-test_max1_broken-uint256-uint256-0-spec.k	47.43	50.1	0.9467065868263472
erc20/hkg/transferFrom-success-1-spec.k	59.99	63.36	0.9468118686868687
benchmarks/ecrecover00-siginvalid-spec.k	53.86	56.88	0.9469057665260197
kontrol/test-safetest-testwithdrawfuzz-uint96-0-spec.k	49.6	52.29	0.9485561292790209
kontrol/test-storetest-teststoreload-0-spec.k	48.77	51.36	0.9495716510903428
kontrol/test-expectreverttest-test_expectrevert_bytes4-0-spec.k	68.87	72.52	0.949669056811914
kontrol/test-expectcalltest-testexpectregularcall-0-spec.k	50.45	52.69	0.9574871892199659
erc20/hkg/transferFrom-success-2-spec.k	56.35	58.81	0.958170379187213
erc20/ds/balanceOf-spec.k	47.45	49.49	0.9587795514245302
mcd/flopper-cage-pass-spec.k	55.0	57.29	0.9600279280851807
kontrol/test-expectreverttest-test_expectrevert_message-0-spec.k	50.68	52.73	0.9611227005499716
benchmarks/structarg00-spec.k	49.8	51.81	0.9612044006948465
benchmarks/keccak00-spec.k	52.27	54.37	0.9613757586904544
mcd/dsvalue-read-pass-spec.k	59.64	61.9	0.9634894991922456
mcd/dsvalue-peek-pass-rough-spec.k	60.37	62.65	0.963607342378292
mcd/dsvalue-read-pass-summarize-spec.k	56.06	58.14	0.9642242862057104
TOTAL	8020.05	9613.039999999997	0.8342886329402565

[PetarMax]

To measure the effect of this PR, I am running:

export GHCRTS=-N16
GHCRTS='' kontrol build --require test/kontrol/lido-lemmas.k --module-import VetoSignallingTest:LIDO-LEMMAS --verbose --regen --rekompile
kontrol prove --verbose --smt-timeout 64000 --match-test "VetoSignallingTest.testVetoSignallingInvariantsArePreserved" --max-depth 100000 --max-iterations 10000 --smt-retry-limit 0 --max-frontier-parallel 6 --kore-rpc-command='kore-rpc-booster --no-post-exec-simplify' --no-log-rewrites --no-fail-fast --no-counterexample-information --maintenance-rate 64 --assume-defined

I am running using commit e951c3171e189d25fa45679d7a93700ecc55ae6a of Kontrol (this will be master tomorrow), which has K version 7.1.112 (master now).

With HB version 0.1.67, which comes with that version of K (it's a bit behind, isn't it?), the result is as follows:

APRProof: test%kontrol%VetoSignallingTest.testVetoSignallingInvariantsArePreserved(uint256,uint256,uint256):0
    status: ProofStatus.PASSED
    admitted: False
    nodes: 568
    pending: 0
    failing: 0
    vacuous: 24
    stuck: 0
    terminal: 28
    refuted: 0
    bounded: 0
    execution time: 17m 19s

which is actually a record-breaking time by ~4 minutes.

Using HB from this branch, commit 5862b7029a89774de786e0b098e8808386bf3338, the result is as follows:

APRProof: test%kontrol%VetoSignallingTest.testVetoSignallingInvariantsArePreserved(uint256,uint256,uint256):0
    status: ProofStatus.PASSED
    admitted: False
    nodes: 568
    pending: 0
    failing: 0
    vacuous: 24
    stuck: 0
    terminal: 28
    refuted: 0
    bounded: 0
    execution time: 48m 13s

and it is clear that having a SAT check at the start of each request causes a substantial overhead. Here, it means that ~560 extra checks were made with respect to the master version, and as the execution progressed, they got harder and harder, resulting in a 30m 54s overhead.

TL; DR: This does not look good for real-world proofs. I think we need to really understand do we want this at all, that is, what is the worst that could happen if we actually started a request from an UNSAT state in the booster.

[geo2a]

Thanks @PetarMax!

I'd like to re-iterate on the ask to upstream this test, perhaps partially, as to KEVM as a claim, so that we can run is as part of out performance measurement.

Regarding having an RPC parameter to turn the initial constraints check off: we actually already have one we could use. It is the "assume-state-defined" parameter of the "execute" endpoint which we introduced for Kore purposes and which is unused in Booster. We can skip the initial pattern check if this parameter is set by the client. @jberthold @goodlyrottenapple what do you guys think?

[jberthold]

LGTM, a few suggestions

[jberthold]

...another place where we should probably catch UndefinedTerm and return KJBottom...

[jberthold]

We should probably also catch UndefinedTerm here... (but for now the endpoint anyway returns errors when it is unsure)

[jberthold]

Was this file supposed to be renamed (to state-vacuous-not-rewritten) instead of deleted?
We have the renamed/new response files but no state- file for it

[jberthold]

Maybe add (which is generally assumed bykore-rpc-booster) after the last sentence?

Suggested change

The `assume-defined` flag defaults to `false`. The `assume-defined` flag has different meaning in Booster and Kore. If set to `true`, Booster will not check the constraints of the initial pattern for satisfiability. It is the responsibility of the caller to ensure that the pattern is not vacuous. In Kore, if `assume-defined` is set to `true`, then all sub-terms of `state` will be assumed to be defined before attempting rewrite rules.

The `assume-defined` flag defaults to `false`. The `assume-defined` flag has different meaning in `kore-rpc-booster` and `kore-rpc`. If set to `true`, Booster will not check the constraints of the initial pattern for satisfiability. It is the responsibility of the caller to ensure that the pattern is not vacuous. In Kore, if `assume-defined` is set to `true`, then all sub-terms of `state` will be assumed to be defined before attempting rewrite rules (which is generally assumed by `kore-rpc-booster`).