Add k-induction for SmtModelCheckers #713
Conversation
Reused much of the BMC code. - Perform BMC for cycles [0..k-1] - Asserted constraints for cycles [n..n + k] - Asserted assumptions for cycles [n..n + k-1] - Checked the negation of the assertions for cycle n + k
Gallagator
force-pushed
the
smtlib_KInd
branch
from
7faa6a6 to
6770f9d
Compare
|
Hi @ekiwi, it seems one of the tests in I'd also like to get some advice on the As a little backstory, I initially tried supporting k-induction through btormc but I was unable to get a |
Yes, should be spurious. I am rerunning the jobs. |
You should not have to remove any constraints. However, when you do the induction check, you need to remove all initial values. The way that the reset constraint works is that it creates a state which is initialized to a concrete value in order to denote the first cycle of execution. We then use this state to formulate a constraint that says that reset has to be active in the first cycle. Now when you do the induction check, you are not starting from the first, but from an arbitrary step. Thus you need to make sure that none of the states have an initial value. To do so you have two options:
|
In doing so there is no need to filter out the _resetActive constraint.
Gallagator
force-pushed
the
smtlib_KInd
branch
from
18d0539 to
c6ee282
Compare
| val writeVcd = annos.contains(WriteVcdAnnotation) | ||
| if (writeVcd) { | ||
| val sim = new TransitionSystemSimulator(sysInfo.sys) | ||
| sim.run(witness, vcdFileName = Some((targetDir / s"${circuit.main}.${vcdSuffix}.vcd").toString)) |
There was a problem hiding this comment.
When the simulator is run, the _resetActive constraint is violated in the induction case as we start from an arbitrary step. The message ERROR: Constraint #_resetActive was violated! will be printed every time an induction check fails. I suppose this ok, but I'm not sure we can prevent it from noticing the constraints are violated unless we remove the _resetActive constraint. Maybe it could be classed as something entirely different.
|
Hi @ekiwi, any chance I could get a review on this? I think the verilator checks timed out again but I think everything else is fine. I understand you're very busy so no rush! |
|
Thanks for the reminder! I will try to have a look at the PR tomorrow. Please ping me again if I do not respond by Thursday. Thanks and sorry I haven't responded sooner |
|
Happy to have helped! |
Reused much of the BMC code.
I think I've done much of the initial work to support k-induction for SmtModelCheckers. I believe I initially said I'd support it for btormc first but I was unable to generate a witness for my counter test I introduced which should fail. I have verified that the counter test creates a reasonable witness.
One thing I'm not too sure on is the filtering out of the
_resetActiveconstraint during the inductive step because it does seem like a reasonable constraint that someone could write them self. That said, if the constraint were present, the search space would be far too limited. Have I made the correct choice?There are a few things I'd like to do before this unmarking this as a draft
_resetActiveconstraint by hardcoding its name - I don't think this is great. The other is that there is some code that shares common functionality.As a final note, this repo has been a joy to work with and thanks for the guidance so far!