<p><span class="h-card" translate="no"><a href="https://mastodon.social/@regehr" class="u-url mention">@<span>regehr</span></a></span> <span class="h-card" translate="no"><a href="https://types.pl/@lenary" class="u-url mention">@<span>lenary</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@unlambda" class="u-url mention">@<span>unlambda</span></a></span> oh, this is really good to know, because my input space can be easily hundreds of bits and in the most general case any subset of them can be undef</p><p>i wonder if i should not feed the entire netlist to the solver but rather extract just the little bits my rewriting engine modifies (by doing RAUW) and then seeing if i can trace both the original and the new instruction for each RAUW to a common subset of bits...</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://types.pl/@lenary" class="u-url mention">@<span>lenary</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@unlambda" class="u-url mention">@<span>unlambda</span></a></span> inputs can be partially undef. so, like, we might get all odd numbers or something. this means that the input space for a 64 bit variable isn't 2^64 but rather 2^2^64. the resulting queries are effectively impossible to solve without good quantifier elimination, which Z3 doesn't seem to have.</p><p>in this case, Alive2 simply cuts a corner, it does not reason about the full 2^2^N, or nothing would ever get solved. this doesn't seem to matter much in practice.</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://types.pl/@lenary" class="u-url mention">@<span>lenary</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@unlambda" class="u-url mention">@<span>unlambda</span></a></span> ok now let me try to do undef.</p><p>on the source side, undef can yield any legal value and you need a \forall to model that. </p><p>on the target side, the rewrite is valid if any legal value makes it work, so there you need an \exists. </p><p>then there's one more wrinkle....</p>
<p><span class="h-card" translate="no"><a href="https://ublog.thirdlaw.net/users/sree" class="u-url mention">@<span>sree</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@unlambda" class="u-url mention">@<span>unlambda</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@regehr" class="u-url mention">@<span>regehr</span></a></span> <span class="h-card" translate="no"><a href="https://types.pl/@lenary" class="u-url mention">@<span>lenary</span></a></span> so one tricky bit is that the loop count is "forever" and the state of the loop is the only state in the system</p>
<p>@whitequark@mastodon.social @unlambda@hachyderm.io @regehr@mastodon.social @lenary@types.pl I don't know how the loops in your language work, but if you can feasibly enumerate all the states the loop will pass through (e.g. it is independent of the actual values in the vector and the length of the vector), then you won't need an inductive invariant.</p><p>If the loop count is dependent on the length of the vector, then you will need one, though you could usually run the equivalence check for some limited vector lengths.</p><p>But it's easy to start and check with direct SMT-LIB if it will work.</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://types.pl/@lenary" class="u-url mention">@<span>lenary</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@unlambda" class="u-url mention">@<span>unlambda</span></a></span> </p><p>so the best reference here is the Alive2 paper where we describe the refinement check in a lot of detail.</p><p>but let me take a stab...</p><p>an equivalence check is easy: you ask the solver whether there exists a valuation of the inputs that makes source and target behave differently.</p><p>then, the refinement check is basically asking the solver whether there exist inputs that cause target to have a behavior not seen in source. target can have fewer behaviors but not more.</p>
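<p>A brute-force version of the refinement check described above, added here as an example for this thread (it is not Alive2's code nor any participant's): each input is modelled as the set of values it may take (a partially undef input, e.g. "all odd numbers"), every use of an input picks independently from that set, and the target refines the source iff its behaviour set is contained in the source's. With 3-bit values the full 2^(2^3) space of input domains is small enough to enumerate. The rewrite x+x to x&lt;&lt;1 and its reverse are assumed examples, not taken from the thread.</p>

```python
from itertools import combinations

WIDTH = 3                      # tiny width so the 2^(2^WIDTH) input domains are enumerable
MASK = (1 << WIDTH) - 1

def evaluate(expr, domains):
    """Set of values an expression can produce. A 'var' is a (possibly
    partially undef) input; each use picks independently from its allowed set,
    which is the undef rule discussed in the thread."""
    op, *args = expr
    if op == "var":
        return set(domains[args[0]])
    if op == "const":
        return {args[0] & MASK}
    a = evaluate(args[0], domains)
    b = evaluate(args[1], domains)
    if op == "add":
        return {(x + y) & MASK for x in a for y in b}
    if op == "shl":
        return {(x << y) & MASK for x in a for y in b}
    raise ValueError(f"unknown op {op}")

def refines(src, tgt, domains):
    """Target refines source iff every behaviour of tgt is a behaviour of src
    (target may have fewer behaviours, never more)."""
    return evaluate(tgt, domains) <= evaluate(src, domains)

def all_domains():
    """Every non-empty subset of the WIDTH-bit values: the 2^(2^WIDTH) input space."""
    values = range(1 << WIDTH)
    return [set(c) for n in range(1, len(values) + 1) for c in combinations(values, n)]

def check_rewrite(src, tgt):
    """Return a counterexample input domain for which tgt does not refine src,
    or None when the rewrite is a refinement for every partial-undef input."""
    for d in all_domains():
        if not refines(src, tgt, {"x": d}):
            return d
    return None

# Assumed example rewrite (constructed, not from the thread): x + x  vs  x << 1.
X = ("var", "x")
ADD_XX = ("add", X, X)
SHL_X1 = ("shl", X, ("const", 1))

if __name__ == "__main__":
    print("x+x -> x<<1 counterexample:", check_rewrite(ADD_XX, SHL_X1))  # None: refinement holds
    print("x<<1 -> x+x counterexample:", check_rewrite(SHL_X1, ADD_XX))  # {0, 1}: undef x gives odd sums
```

<p>With x undef over {0,1}, x+x can yield 1 (each use picks separately) while x&lt;&lt;1 cannot, so only the first direction is a valid rewrite.</p>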
<p><span class="h-card" translate="no"><a href="https://ublog.thirdlaw.net/users/sree" class="u-url mention">@<span>sree</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@unlambda" class="u-url mention">@<span>unlambda</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@regehr" class="u-url mention">@<span>regehr</span></a></span> <span class="h-card" translate="no"><a href="https://types.pl/@lenary" class="u-url mention">@<span>lenary</span></a></span> the way loops go is that i start with a base case (reset state) and for every possible input vector, output vector must be the same between two functions i'm considering</p><p>unrolling it won't work, i need induction if i'm to get anywhere, i think</p>
<p>@whitequark@mastodon.social @unlambda@hachyderm.io @regehr@mastodon.social @lenary@types.pl Okay, that makes sense. Then if it's all bounded loops, unrolling and direct SMT-LIB is almost always good enough.</p>
<p><span class="h-card" translate="no"><a href="https://ublog.thirdlaw.net/users/sree" class="u-url mention">@<span>sree</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@unlambda" class="u-url mention">@<span>unlambda</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@regehr" class="u-url mention">@<span>regehr</span></a></span> <span class="h-card" translate="no"><a href="https://types.pl/@lenary" class="u-url mention">@<span>lenary</span></a></span> i do feel that my domain is an incredibly close match for `QF_BV` or `BV` which simplifies things a lot. i could lower my IR to SMT-LIB in one evening</p>