-
Notifications
You must be signed in to change notification settings - Fork 660
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Sketch Z3 custom tactic #659
Conversation
Hmm
Seems to break the I think this is exposing a bug the in CounterExampleCache somewhere. If I pass When using I also took at the queries Z3 was receiving with |
Note. Might also be related to tactic option for
|
b6e6b2e
to
aa7da2f
Compare
count other Z3 data types.
improved performance (we need to run experiments to check this). The custom tactic implemented is the one sketched at klee#653 (comment) The tactic is off by default but can be activated by passing `-z3-custom-tactic=array_ackermannize_to_qfbv` on the command line.
aa7da2f
to
e03c38e
Compare
@ccadar @andreamattavelli @MartinNowack
|
Cool. I guess there might be an argument here for performing "ackermannization" in KLEE directly. |
I'm not completely convinced that there is. What we are seeing here is the internal implementation details of Z3 manifesting as performance differences. The array ackermannization we are performing here is reducing the QF_ABV problem to QF_BV problem which lets Z3 use its faster SAT solver. For QF_ABV queries Z3 I think Z3 uses its slower Even though we implemented "array ackermannization" in our fork of KLEE that added floating point support it's not as sophisticated as what Z3's tactic does here. My implementation of "array ackermannization" in our fork of KLEE can only ackermannize arrays if all reads are performed at constant indices and there are no symbolic writes performed to array being read. Z3's tactic seems to be able to handle the non-symbolic case too (see Z3Prover/z3#1150 (comment) ). My implementation in our fork of KLEE is also crude and only works with Z3 anyway. This is because KLEE's expression language doesn't have bitvector variables (it only supports arrays) I am forced to do the expression transformation at the level of Z3 expressions. I'd also argue that what this PR doing is exactly what Z3's tactic interface was built for: customising Z3's strategy for solving queries for a particular use case. I'd like to see something resembling this PR merged in the not to distant future but there are a few things to do.
|
@andreamattavelli Any chance you could benchmark this PR using your infrastructure? Configuration
If you do this please use a very recent Z3 build (i.e. |
@delcypher yes, I can. I can not promise I will do it this week, sorry. (The problem is that the infrastructure runs STP only, so I also need to modify the build scripts. It is not an impossible job, it is just time-consuming) |
Okay thanks. I was hoping for this week because I'm giving a talk about Z3 tactics on Thursday and a performance win/loss would be interesting to discuss but it's not that important :) |
I'll try to update and run everything, but I'm not 100% sure to finish by Thursday. |
Given the age of the PR, I will close it, but place it in the Extensions project at https://github.com/klee/klee/projects/4, so that others can build up on it if there is interest. |
This depends on #658 EDIT: Now merged
This PR sketches implementing a custom tactic for using Z3 which I suspect will give us a performance boost. The tactic is the one sketched in #653 .
The implementation isn't really ideal
Z3TacticHandle
a "fluent" API so we write things liket.then(x).then(y).then(z)
.What we need to do now is benchmark this. I'd like to know
-z3-custom-tactic=array_ackermannize_to_qfbv
vs-z3-custom-tactic=none
.@MartinNowack / @andreamattavelli : Seeing as you have the infrastructure for this when you have time would you be able to conduct these experiments?
Please use a recent version of Z3 for this ( 2834fea9b3977f2988c528e221ff51fa12bfbe52 ). I suspect the one we use in TravisCI is too old