Proof container proof type #4358
Conversation
nwatson22
force-pushed
the
noah/multi-proof
branch
from
eed7978
to
66c49c1
Compare
|
Why does this need to be its own class? Doesn't |
@ehildenb The only real reason is that |
But e.g. In general, I see how having a |
|
I am also not understanding the gap between the current and the desired functionality. Any proof can have subproofs, and they needn't be the same type of proof as the superproof. We could structure the analysis process in Kontrol differently, so that |
@PetarMax We could and this would make some sense, but the idea is that, to be able to support proofs with branching |
@tothtamas28 Technically yes, but I'm trying to do this in a way that is clean and would be intuitive to the user. With the use case here there's no obvious single proof that is logically the superproof of everything else. We could make a dummy APRProof that fulfills the same "container" purpose, but that would have superfluous properties.
Subproofs can already be of mixed types/different types from the superproof. |
| """Thin concrete Proof class that has no execution logic of its own, but holds subproofs. The intended use | ||
| case for this is when we run kontrol proofs with setUp functions, to separate the proof into several | ||
| subproof APRProofs: one for the setUp function and one for the test function for each final configuration | ||
| of the setUp function. |
There was a problem hiding this comment.
(Continuing the discussion here to form a thread.)
What feature of a Proof does this class rely on, what makes it different from, say, a list[Proof]?
There was a problem hiding this comment.
It would be the logic in Proof.status which tracks the status of the subproofs to tell when the whole proof has been discharged, and the ability to save/load from disk.
| @@ -40,7 +40,7 @@ class Proof(Generic[PS, SR]): | |||
| :param SR: Step result: data produced by executing a PS with `Prover.step_proof` used to update the `Proof` | |||
| """ | |||
|
|
|||
| _PROOF_TYPES: Final = {'APRProof', 'EqualityProof', 'RefutationProof'} | |||
| _PROOF_TYPES: Final = {'APRProof', 'EqualityProof', 'RefutationProof', 'MultiProof'} | |||
There was a problem hiding this comment.
(forming a thread)
I would like to make the use case very precise. Imagine that we did have a branching setUp, with all of its final states, together with the proofs of the associated test for each of the branches. How are these connected in the MultiProof? How do I know which proof corresponds to which branch? Could you give an example - imagine setUp branches into 3 possibilities.
Also, from the test below, I see that subproof_ids are used, but I don't see a proof that's their superproof.
There was a problem hiding this comment.
I was thinking the constructor proof, setUp proof(s), and the main proof(s) could just go directly under one MultiProof.
To know which proof corresponds to each branch, we would probably set the proof ID of the test function subproofs to something which included the node ID of the setUp KCFG it copies its starting configuration from. So if the function is called my_test, and the setUp function branches into 3 and ends on nodes 10, 11, and 12, the subproof graph could look something like:
[MyContract.my_test (MultiProof)]-->(
[MyContract.setUp (APRProof)],
[MyContract.my_test_setup_config_10 (APRProof)],
[MyContract.my_test_setup_config_11 (APRProof)],
[MyContract.my_test_setup_config_12 (APRProof)],
)
And of course you can also inspect the initial configurations of the subproofs.
There was a problem hiding this comment.
Thoughts, @tothtamas28, @ehildenb?
There was a problem hiding this comment.
I guess the subproof abstraction cannot be used here because in kontrol these proof obligations are manually constructed from one another. i.e.
init -> constructor done
constructor done -> setup done
setup done -> target
------------------------------
init -> target
is done by hand (i.e. not by the prover backend).
I wonder, would it be possible to use subproofs if we changed the semantics? Because in a semantics where constructor and setup steps are handled internally, this sequential compositon can be handled by the backend.
There was a problem hiding this comment.
Example to better highlight the difference between subproofs and MultiProof as I understand it. Suppose we want to prove a -> c.
Subproof approach:
claim: a -> c
sub-claim: a -> b
If the proof passes, we know a -> c. The sub-claim might make proving more efficient, or might even be necessary for a -> c to pass.
MultiProof approach:
sub-claim: b -> c
sub-claim: a -> b
If the MultiProof passes, we know a -> c, but just because we constructed it so. The composition or the original calim a -> c is never machine-checked.
Adds
MultiProofproof type which is just a container to hold other proofs as subproofs. This is forkontrol, so instead of having proofs that aresetUpproofs, constructor proofs, and main test function proofs grafted together into a single CFG, we can have these as separate CFGs under a singleMultiProof.See: runtimeverification/kontrol#481 (comment)
Also fixes
Proof.subproofsproperty so that it does what it says in the docstring (updates the subproofs from disk if they changed). This uncovered a bug in one of the ImpliesProof tests occurring when converting anImpliesProofto aRefutationProofwhere we were adding antrue #Equals ...to#Topwhich got triggered when reloading theRefutationProoffrom disk.