Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updates to infinite gas abstraction #945

Merged
merged 30 commits into from
Dec 14, 2020
Merged

Updates to infinite gas abstraction #945

merged 30 commits into from
Dec 14, 2020

Conversation

ehildenb
Copy link
Member

@ehildenb ehildenb commented Dec 9, 2020
edited
Loading

  • Adds lemmas for reasoning about #gas around different constructs (eg. Cmem, minInt, /Int).
  • Makes separate modules for Haskell/Java lemmas about infinite gas which requires the concrete attribute.
  • Adds tests of the infinite gas abstraction (inspired by making the end-pack-pass-rough and pot-join-pass-rough proofs pass).
  • Adds the end-pack-pass-rough proof.
  • #gas abstraction now counts gas down, instead of up.
  • #gas should behave like a proper positive infinity now.

@ehildenb
tests/specs/mcd: rule => claim
d89ca90
@ehildenb
tests/specs/infinite-gas: add converse rule for #gas +Int
3fe63fd
@ehildenb
tests/specs/mcd/*-spec.k: switch to infinite gas abstraction
3ff3095
@ehildenb
tests/specs/mcd/verification: organize gas simplification
92187c3
@ehildenb
tests/specs/mcd/verification: more gas simplification lemmas
d60c3cc
@ehildenb
tests/specs/mcd/verification: add gas simplification rule for flopper…
204d003 
…-cage-pass
@ehildenb
tests/specs/mcd/end-pack-pass-rough: add failing test
3aa2eea
@ehildenb
tests/specs/mcd/concrete-rules: allow evaluating rule for Cgascap
6ebc600
@ehildenb
tests/specs/infinite-gas.k: separate concrete lemmas for java/haskell
180e974
@ehildenb
tests/specs/infinite-gas: rule for minint with #gas abstraction
708275b
@ehildenb
tests/specs/mcd/verification: lemmas for end-pack-pass-rough
98399b0
@ehildenb
tests/specs/infinite-gas: corrections to lemmas about <=
76601c4
@ehildenb
tests/specs/infinite-gas: corrections to make #gas behave like positi…
869062d 
…ve inf
@ehildenb
tests/specs/infinite-gas: lemma for simplifying addition
6f33308
@ehildenb
tests/specs/{infinite-gas,mcd/verification}: promote gas simplificati…
107436b 
…on lemmas
@ehildenb
tests/specs/functional/infinite-gas-specs: simplifications that need …
15edf25 
…to happen
@ehildenb
tests/failing-symbolic.haskell: add failing proof
2e20e27
@ehildenb
tests/specs/mcd: gas counts down, not up
ea9c028
@ehildenb
tests/specs/mcd/verification: organize gas simplification lemmas
20d53c7
@ehildenb ehildenb mentioned this pull request Dec 9, 2020
Open
denis-bogdanas
denis-bogdanas reviewed Dec 12, 2020
View reviewed changes
tests/specs/functional/infinite-gas-spec.k
Comment on lines +46 to +47
claim <k> runLemma(#gas(G) <Int #gas(G' +Int 700)) => doneLemma(false) ... </k>
claim <k> runLemma(#gas(G' +Int 700) <=Int #gas(G)) => doneLemma(true) ... </k>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How these 2 can be true? We don't know the value difference between G and G'

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #945 (comment)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The values under the #gas do not matter, they are only used for tracking the gas usage as metadata. #gas(_) with any argument is the same positive infinity as any other #gas(_)

tests/specs/functional/infinite-gas-spec.k
Comment on lines +55 to +59
claim <k> runLemma(#if _:Int ==Int 0 #then #gas(VGas -Int Csstore(_, _, _,_)) #else #gas(VGas +Int -344) #fi <Int 8) => doneLemma(false) ... </k>
claim <k> runLemma(8 <=Int #if _:Int ==Int 0 #then #gas(VGas -Int Csstore(_, _, _,_)) #else #gas(VGas +Int -344) #fi) => doneLemma(true) ... </k>

claim <k> runLemma(#if _:Int ==Int 0 #then #gas(VGas -Int Csstore(_, _, _,_)) #else #gas(VGas +Int -344) #fi <Int minInt(#if _ #then #gas(_) #else #gas(_) #fi, #gas(_))) => doneLemma(false) ... </k>
claim <k> runLemma(minInt(#if _ #then #gas(_) #else #gas(_) #fi, #gas(_)) <=Int #if _:Int ==Int 0 #then #gas(VGas -Int Csstore(_, _, _,_)) #else #gas(VGas +Int -344) #fi) => doneLemma(true) ... </k>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, I don't understand how these lemmas can be proved. The if _ == 0 must be undecided.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If both branches of the #if are +Inf gas, then the entire expression will always be infinite gas. Same with minInt.

We have to make sure that #gas always "bubbles up" to the top of the expression in the <gas> cell, so that when we compare any particular value to it during execution we never run out of gas.

tests/specs/infinite-gas.k
Comment on lines +85 to +86
rule #gas(_) <Int #gas(_) => false [simplification]
rule #gas(_) <=Int #gas(_) => true [simplification]
Copy link
Contributor

@denis-bogdanas denis-bogdanas Dec 12, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rationale behind these lemmas is unclear to me. Can you add a comment explaining them?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, in what kind of scenarios are they useful?

Copy link
Member Author

@ehildenb ehildenb Dec 12, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#gas represents positive infinite: +Inf. We have that +Inf <Int +Inf => false and +Inf <=Int +Inf => true

They are used when you make a CALL, because you end up with a comparison between the current gas (which is some #gas(_) expression), and the gas allocated for the call (which is another #gas(_)) expression..

These are setup so that we never fail due to OOG.

Copy link
Contributor

@denis-bogdanas denis-bogdanas Dec 14, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! All makes sense now. I think it's useful to add your explanation as comment in k file, as this is non-obvious.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a comment with this explanation to the documentation at the top of the file.

@rv-jenkins rv-jenkins merged commit 6a352b3 into master Dec 14, 2020
@rv-jenkins rv-jenkins deleted the infinite-gas branch December 14, 2020 18:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@denis-bogdanas denis-bogdanas denis-bogdanas approved these changes

@kmbarry1 kmbarry1 Awaiting requested review from kmbarry1

@daejunpark daejunpark Awaiting requested review from daejunpark

Assignees
No one assigned
Labels
automerge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ehildenb @denis-bogdanas @rv-jenkins