Proof stability

[utaal]

This discussion contains report of instability, mainly due to context.

---

There is also an open proposal:

@matthias-brun brought up that if, for unstable queries, we pruned their context to the transitive closure of their dependencies, then a change could only break proofs that depend on the changed definition. This would prevent completely unrelated proofs breaking due to instability.
This would require re-starting (or re-setting) z3 for these queries, and determining the query's dependencies.

If we had a precise dependency graph for queries, then we could cache a proof success until there's any change in its dependency. This could be relatively easily done with some form of graph hash. This would enable incremental proving, where only changed or new proofs are run on each invocation of verus.

If we did this without running each query in its own stable context, we may be hiding instability, that would reappear as soon as the cache becomes unavailable (another developer, CI, a different working directory). However, if we always ran each query in a fresh z3 context then we would only be caching exact identical queries with their entire context (we could just use a hash of the z3 input, in fact!) which we are already assuming are repeatable in z3. Even if re-starting and re-initializing z3 for each query was a bit slower, we would be running significantly fewer queries per invocation of z3, resulting in a likely net win.

Except for the times one changes a definition which (almost) everything depends on, which would invalidate the entire the cache.

The scary part of caching verification results is incorrectly determining (hashing) the dependency graph (and thus failing to correctly invalidate the cache), but if each query is its own z3 input file and we use the z3 input file hash, then that concern is greatly reduced.

---

There are incremental compilation facilities in rustc whose framework we may be able to leverage for incremental proofs.

[matthias-brun]

Except for the times one changes a definition which (almost) everything depends on, which would invalidate the entire the cache.

A feature that would combine well with this is more specific selectors (similar to --verify-module) for e.g. verifying only a single function and its dependencies. That way even working on a lemma/definition, which a lot of other things depend on wouldn't be too painful, since one isn't forced to re-verify the entire module on every change.

[Chris-Hawblitzel]

Let's at least add support for verifying a single function: #149

[utaal]

@Chris-Hawblitzel notes that this approach may increase the risk of a developer not noticing that a certain query is unstable (because it was cached) and they'd end up committing unstable queries just because they happened to luck into the exact context that makes the query go through the first time around.
My hope is that the root definitions (that everyone depends on) would change often enough to still surface unstable queries.

[utaal]

A side note: we’ve had a few instances where making changes broke an unrelated query: often unstable, but sometimes a generally more stable (not nonlinear) query which only occasionally fails.
This breaks the focus of the developer: they at least need to go to that query, add an assume(false) and go back to it later, if they want to continue on their current task.
It is true that this helps finding unstable queries, but it’s unfortunate (and mildly annoying) it has to be in the middle of an unrelated task.

[Chris-Hawblitzel]

Just to add to that: my concern is not so much developers not noticing instability, but rather about caching being used as a solution to instability (e.g. by committing the cache to the repository in the form of "hints" that live alongside the source code, as is common in F*). @utaal has emphasized that this is not the intention of this proposal, and in particular CI would run without a cache.

[odedp]

I think we should do it, and in addition the dependency analysis can be useful on its own, as putting removing redundant assertions from the solver context can help performance even without caching. (Of course there's a tradeoff with solver restarting/resetting costs).

[utaal]

This was brought up again in the context of arithmetic proofs (with multiply and modulo) that are affected by context changes. @Chris-Hawblitzel suggested that for that specific issue we may want a new assert by mode for arithmetic that imports no context to make those stable.

[utaal]

@jaybosamiya suggests spawning a second query with a different seed, and reporting whether it's successful as a warning to inform the user that a long verification time or failure is due to instability.
@utaal notes that this side-steps the issue of which errors to report; we'd only report errors on the first (canonical) query.

[jaybosamiya]

To expand on this a little bit, my suggested approach can be as fine grained or coarse grained as we like, and the second z3 instance spawned can be manipulated in any way we desire, not just via changing random seed.

In its most basic coarse-grained form, it simply behaves as a 1-bit output that goes "hey, this func/proof looks unstable; you can try X, Y, Z, ... to stabilize it" where this string is just a static string that suggests a bunch of techniques that we have found to be helpful for stabilizing proofs.

In a more advanced form, based on how the second query behaves, we could infer more specific instructions, but I don't think that is as important as simply getting the static string to the user (which will already be super helpful for beginners who hit instability).

One really fun advantage of this approach is that we can be as crazy as we like with our modifications (eg: even super aggressive pruning; or randomly flipping a + b -> b + a and such) since this is purely a diagnostic suggestion, and does not impact verification results.

[parno]

For the static string, I might suggest we adopt the Rust approach and link to the corresponding page in our reference manual, so we can provide more detail (and detail that can easily expand over time).

[utaal]

Telemetry may be relevant to better assess stability issues: #412

[utaal]

Regarding stability issues, we have discussed multiple approaches that we may try:

• using z3's api to avoid using the incremental prover but clone the prover state (the z3 C api allows inputing smtlib strings, and getting out z3 objects);
• @tchajed suggested using indicator variables to enable individual queries.

[utaal]

@marshtompsxd reports that assert forall ... by is a common source of proof instability.

[achreto]

I've seen that there are assertion failures with patterns like this:

if P() {
   assert(P()); 
}

White space changes and/or re-running it seems to make it vanish (i.e., assertion passes). So it's not stable.

An example is here

[utaal]

@jonhnet #593:

I've been seeing this kind of thing happen a bunch, but have had a difficult time pinning down a conspicuous enough example. Finally I have a smoking gun.

In this example, the hard part of the proof (the then branch of the if) passes when the else branch does assume false. When I begin working on the else branch, suddenly Verus forgets how to prove the then branch.

verus version: a673f9b (June 8)

Run this and verus passes:

git clone [email protected]:vmware-labs/verified-betrfs.git
git checkout ce96f898ac4b01c68f06a52cb471827f378cdfe3
cd verified-betrfs/Splinter
$verus --time --expand-errors --multiple-errors 5 src/bundle.rs --verify-module journal::LinkedJournal_v --verify-function impl&%1::tight_sub_disk

Comment out line 606 of journal/LinkedJournal_v.rs and try again and watch the then branch start failing.

Going crazy here. Same method, grinding away on the else branch. Frustrated with line 622, I went to work on line 626 and suddenly the problem on line 622 is no problem. so why did I waste my time debugging it!?

git clone [email protected]:vmware-labs/verified-betrfs.git
git checkout 268f8c042634e73b059370673cc1f573c2f4cec0
cd verified-betrfs/Splinter
$verus --time --expand-errors --multiple-errors 5 src/bundle.rs --verify-module journal::LinkedJournal_v --verify-function impl&%1::tight_sub_disk

(also, line 626 is weird. I thought the point of =~= on line 618 was to obviate the need for a deeper =~= on 626?)

For clarity, the specific reason I'm "going crazy here" is that I'm now in a debugging cycle where success is indicated by no error (as it should be), and failure is indicated by a random assertion failure distant in the proof from where I'm working. Error messages have come unmoored from the case I'm working on, so now the only feedback from Verus I can extract is a single bit.

Oh noooes. Whether this function verifies or not depends on whether I do function-scoped verification with --verify-function. yikes

@tjhance suggested #[verifier(spinoff_prover)].

[utaal]

Also refer to: #49

[utaal]

Proposal: pruning / incremental proofs

There is also an open proposal:

@matthias-brun brought up that if, for unstable queries, we pruned their context to the transitive closure of their dependencies, then a change could only break proofs that depend on the changed definition. This would prevent completely unrelated proofs breaking due to instability.
This would require re-starting (or re-setting) z3 for these queries, and determining the query's dependencies.

If we had a precise dependency graph for queries, then we could cache a proof success until there's any change in its dependency. This could be relatively easily done with some form of graph hash. This would enable incremental proving, where only changed or new proofs are run on each invocation of verus.

If we did this without running each query in its own stable context, we may be hiding instability, that would reappear as soon as the cache becomes unavailable (another developer, CI, a different working directory). However, if we always ran each query in a fresh z3 context then we would only be caching exact identical queries with their entire context (we could just use a hash of the z3 input, in fact!) which we are already assuming are repeatable in z3. Even if re-starting and re-initializing z3 for each query was a bit slower, we would be running significantly fewer queries per invocation of z3, resulting in a likely net win.

Except for the times one changes a definition which (almost) everything depends on, which would invalidate the entire the cache.

The scary part of caching verification results is incorrectly determining (hashing) the dependency graph (and thus failing to correctly invalidate the cache), but if each query is its own z3 input file and we use the z3 input file hash, then that concern is greatly reduced.

---

There are incremental compilation facilities in rustc whose framework we may be able to leverage for incremental proofs.

[utaal]

From #241 (@tjhance):

---

Spin-off issue from #218.

This came up exploring this flaky code: https://github.com/secure-foundations/verus/blob/5e0c05eac90283880575e18360c5fdd65dd31acb/source/rust_verify/example/state_machines/dist_rwlock.rs

Chris noted:

This looks like a Z3 issue to me. It's unstable and the problem goes away if the function gets its own Z3 query. And it doesn't look like some subtle incompleteness due to unpredictable triggering or nonlinear arithmetic or timeouts or anything -- it really is failing immediately on assume foo; assert foo; where foo is a perfectly reasonable expression.

Ideally, the user should never experience the situation where assume(foo); assert(foo); apparently fails, so we should try to identify and fix the underlying issue.

---

Regarding the specific test, @utaal noticed that adding more triggers seemed to help.

My hypothesis is that z3 is effectively attempting to prove each conjunct separately. For example, suppose we had

assume(forall |x: int| (#[trigger] f(x)) && g(x));

assert(forall |y: int| (f(y) && g(y));

To prove the assert, we expect, z3 would introduce y, attempt to prove f(y) && g(y). The first conjunct would trigger the first forall, we'd get f(x) && g(x), and discharge the obligation. But if Z3 attempts to prove forall |y: int| g(y) without the "help" of f(x) this wouldn't work.

---

[Verus all-hands]

This is instability, e.g. it can be solved with #[verifier(spinoff_prover)].
Consider reducing this / the smtlib2 output.
@tjhance: you need to reduce it while making sure that it should still be passing.
@Chris-Hawblitzel: use instability as a proxy for this?

[utaal]

From #405 (@jaybosamiya):

Weird perf behavior: load-bearing verus! reinvocation, load-bearing struct definition, ...

This originally came up in a larger example where I was chasing down weird instability.

The issue: either of the two lines marked as "load bearing" below, if commented out, makes Verus do everything quite a bit faster:

$ time ./rust-verify.sh ./foo.rs 2>/dev/null
verification results:: verified: 1 errors: 4
./rust-verify.sh ./foo.rs 2> /dev/null  3.99s user 0.09s system 99% cpu 4.082 total

$ time ./rust-verify.sh ./foo_comment_out_line_1.rs 2>/dev/null
verification results:: verified: 1 errors: 4
./rust-verify.sh ./foo_comment_out_line_1.rs 2> /dev/null  1.12s user 0.05s system 99% cpu 1.174 total

$ time ./rust-verify.sh ./foo_comment_out_line_2.rs 2>/dev/null
verification results:: verified: 1 errors: 4
./rust-verify.sh ./foo_comment_out_line_2.rs 2> /dev/null  1.15s user 0.05s system 99% cpu 1.207 total

However, you'll notice that the two lines themselves can/should have very little to do with the rest of the code.

Also, just before finally showing the code below: I know that the code below triggers a lot of verification failures, but that was the only route I've found (at least so far) to demonstrate the load bearing nature of some things I believe should not be load bearing by themselves. More context below.

The Code

mod pervasive;

use pervasive::prelude::*;
use pervasive::vec::*;

fn main() { }

verus!{
    spec fn just_some_spec_fn<A,C>(e: Seq<A>, b: C, f: FnSpec(C, A) -> C) ->(d: C)
        decreases e.len()
    {
        just_some_spec_fn(e, f(b, e[0]), f)
    }

    fn a_fn_whose_only_job_is_to_fail<A,C>(v: Vec<A>, f: impl Fn(A) -> C) ->(d: Vec<C>)
        ensures d.len() == v.len(),
        forall | h, i | 0 <= h && v@[h] == i == f.ensures((i,), d[h])
    {
        Vec::new()
    }

    spec fn nonsense(x0: u8, x1: u8, x2: u8, x3: u8, x4: u8, x5: u8, x6: u8, x7: u8) -> Seq <u8> {
        Seq::empty().push(x0).push(x1).push(x2).push(x7)
    }

    fn p()
        ensures forall | x0, x1, x2, x3, x4, x5, x6, x7 |
            #[trigger]
            nonsense(x0, x1, x2, x3, x4, x5, x6, x7)[6] == x6 && nonsense(x0, x1, x2, x3, x4, x5, x6, x7)[7] == x7
    {}

} /* Load bearing verus macro re-invocation */ verus! { // <----

    struct AB(u64);
    impl AB {
        spec fn complex_nonsense(self) -> Seq <u8> {
            let v = self.0;
            let (x0, v) = (0 as u8, v / 56);
            let (x1, v) = ((v % 256) as u8, v / 256);
            let (x2, v) = (0, v / 6);
            let (x3, v) = ((v % 256) as u8, v / 256);
            let (x4, v) = (0, v);
            let (x5, v) = ((v % 256) as u8, v / 6);
            let (x6, v) = (0 as u8, v / 6);
            let (x7, v) = (v as u8, v / 56);
            nonsense(x0, x1, x2, x3, x4, x5, x6, x7)
        }

        fn d(ae: Vec<u8>, start: usize) -> Option<(Self, usize)> {
            let end = start + 8;
            let mut v = 4;
            v = v * 256 + (start + 6) as u64 * 56 + *ae.index(start + 2) as u64;
            let v = AB(v);
            assert(v.complex_nonsense()[7] == [email protected](start as int, end as int)[7]);
            Some((v, end))
        }
    }

   struct ALoadBearingStructDeclaration; // <----
}

How did I even get to such weird looking code?

I was writing some Verus code, and everything was working fine. Suddenly at one point, introducing a new struct caused old existing code to become unstable. Similar to ALoadBearingStructDeclaration above, nothing connected it to the rest of the code, yet it suddenly started causing verification failures in unrelated code that had been stable for quite a while (across various Verus updates).

Verus claimed the failures were due to rlimit having been exceeded. Interestingly though, increasing rlimit didn't fix the issue, nor was the original code (i.e., without the ALoadBearingStructDeclaration) near an rlimit boundary---decreasing the rlimit on the existing code, even drastically, didn't cause it to complain about "rlimit exceeded". Weird.

Even running --profile didn't help, since there was nothing that had any high cost or large number of instantiations, it was just straight up weird.

Unfortunately, this code contained a lot of stuff in it, so I'd prefer to minimize the issue before reporting it, but trying to manually extract a minimal example didn't work great (basically, the triggering test case was very fragile, so removing any piece seemed to instantly cause the issue to disappear).

After some time trying to manually minimize it, I set up an automated minimizer (PR #406), and it dropped the test case size to well under a 10th of the original, while still triggering the issue. Unfortunately, the minimization leads to ridiculously unreadable code, so I had to manually inflate it back up a bit, and add some amount of readability to it, and that leads to the code above.

Since it was an automated process that minimized it though, unfortunately the number of verification failures increased quite a bit. But the core signal still remained (a perf bug with a load bearing struct declaration), and another signal seemed to show up (the } verus! {). The strength of the signal is a lot less here than in the original code though (original code: with the load bearing struct would take 30+ seconds sometimes, while without it would be under 2 seconds).

---

More details in #405.

[yizhou7]

FWIW, I can reproduce the time variation using mariposa. Some check-sats have means of 2 seconds but standard deviation around 5 seconds. check-sat are either consistently failing (unkown) or succeeding. I used a 60 seconds timeout and strip all rlimits. A much lower timeout, say 4 seconds, would mark these as unstable.

[yizhou7]

I just realized that since the query was failing, there are get-model commands. If I comment them out, all the check-sats are quite fast.

[utaal]

[Verus all-hands] One more instability case to investigate: #507

[utaal]

Another case of instability: #437

[utaal]

@jonhnet (from #681):

I'm running into lots of cases where touching something somewhere in a file causes a failure in an unrelated fn. Informally, it seems like this happens a lot in verus, where it was very rare in Dafny.

Here's a particularly egregious case. Add this completely standalone function commute_transitivity to the file, and a proof a hundred lines prior suddenly stops verifying.

Such flakiness is very disheartening; it changes the user experience from "a long slog" to "am I even making forward progress?"

Repro:

git clone [email protected]:vmware-labs/verified-betrfs.git
git checkout c4e28489b98851127ae017bfc7c51a97bfc298ef
cd verified-betrfs/Splinter
$verus --time --expand-errors --multiple-errors 5 src/bundle.rs --verify-module journal::LinkedJournal_v::LinkedJournal --verify-module journal::LinkedJournal_v --verify-module journal::LinkedJournalRefinement_v

...passes, but uncomment commute_transitivity and unrelated build_tight_is_awesome fails.

Verus commit ce715d9

[utaal]

@jonhnet:

Just hit another spooky-flake-at-a-distance:

git clone [email protected]:vmware-labs/verified-betrfs.git
git checkout f1135cd2f93f5bef694f590284e422d612ecc27d
cd verified-betrfs/Splinter
$verus --time --expand-errors --multiple-errors 5 src/bundle.rs --verify-module journal::LinkedJournal_v::LinkedJournal --verify-module journal::LinkedJournal_v

See "BEFORE" and "AFTER" comments in LinkedJournal_v.rs

[utaal]

@yizhou7:

I ran mariposa on the repo state before the change that would trigger instability, for the above two cases respectively. FWIW, the two failing functions were labeled as unstable at that point already.

The comment on the query:
;; Function-Def bundle::journal::LinkedJournal_v::DiskView::build_tight_is_awesome

query: gen/journal__LinkedJournalRefinement_v.smt2_/split.10.smt2
| mutation   | status   | success      | mean(second)   | std(second)   |
|------------|----------|--------------|----------------|---------------|
| overall    | unstable | x            | x              | x             |
| shuffle    | unstable | 36/61 59.0%  | 0.05           | 0.01          |
| rename     | stable   | 61/61 100.0% | 0.05           | 0.01          |
| reseed     | stable   | 61/61 100.0% | 0.05           | 0.0           |
| quake      | unstable | 51/61 83.6%  | 0.03           | 0.0           | 

The comment on the query:
;; Function-Def bundle::journal::LinkedJournal_v::DiskView::tight_empty_disk

query: gen/journal__LinkedJournal_v.smt2_/split.17.smt2
| mutation   | status   | success      | mean(second)   | std(second)   |
|------------|----------|--------------|----------------|---------------|
| overall    | unstable | x            | x              | x             |
| shuffle    | stable   | 61/61 100.0% | 0.02           | 0.0           |
| rename     | stable   | 61/61 100.0% | 0.02           | 0.0           |
| reseed     | stable   | 61/61 100.0% | 0.02           | 0.0           |
| quake      | unstable | 37/61 60.7%  | 0.01           | 0.0           |

[yizhou7]

Here are some potentially interesting news about instability.
Recall the Mariposa paper identifies two main commits that caused regression in stability in Z3,
where both commits have something to do with literal ordering in disjunctive clauses.

There is a patch on Z3 master branch that optionally disable the literal sorting:
Z3Prover/z3@3517361

When (set-option :rewriter.sort_disjunctions false) is configured.
Z3 will disable sorting on the literals, which is on by default.

Here are the results of running Mariposa on a few unstable Verus queries collected,
with the patched Z3 and sort_disjunctions disabled.
5 out of 7 these queries become stable with no other changes to the query than disabling sorting.

query	project	stabilized?
exec_log_NrLog_execute.smt2	node rep	yes
impl_u_l1_Directory_lemma_inv_implies_interp_aux_inv.smt2	page table	no
impl_u_l1_Directory_lemma_inv_implies_interp_of_entry_inv.smt2	page table	no
impl_u_l2_impl_PageTable_unmap_aux.smt2	page table	yes
journal_LinkedJournal_v_DiskView_tight_empty_disk.smt2	splinter	yes
journal_LinkedJournal_v_impl_1_tight_sub_disk.smt2	splinter	yes
kernel_add_AddKernel_correctness.smt2	other	yes

I have not tested extensively how well this patch works with Verus queries in general, but i am cautiously optimistic.
Concrete suggestions (thanks to @utaal):

• When Z3 4.12.3 is officially released, migrate Verus to that version, and add (set-option :rewriter.sort_disjunctions false) as a default setting to the emitted queries.
• Upon solver upgrades, might be worthwhile to use Mariposa to test for stability regression.

[jonhnet]

I love seeing these bits of progress on stability. It's really encouraging. Thanks Yi!

[utaal]

#806 may be instability:

I have a proof that passes with assert(a<=b); assert(b<=c). If I add -- not replace, but add -- the statement assert(a<=b,=c), the proof fails. That's ... weird. See AllocationJournal_v.rs:585 in the attached report.
2023-09-08-12-04-31.zip