Skip to content

SymExec: Pre-filter safe branches #833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
blishko merged 1 commit into from
Aug 18, 2025
Merged

SymExec: Pre-filter safe branches #833

blishko merged 1 commit into from
Aug 18, 2025

Conversation

@blishko
Copy link
Collaborator

@blishko blishko commented Aug 14, 2025

Description

Not long ago, we were pre-filtering branches that could not lead to postcondition violation. This relied on calling simplification and the constraints being simplified to [PBool False]. However, recently (in c34d4d6), the code changed and it no longer simplified the constraints before sending them further down the pipeline, and thus the statically safe branches were no longer filtered before we started asking about their feasibility.

I believe we should bring back the filtering, if only to have an information about how many branches lead to Failure that we are interested in.

Checklist

  • tested locally
  • added automated tests
  • updated the docs
  • updated the changelog

@blishko blishko requested a review from msooseth August 14, 2025 14:46
@blishko blishko force-pushed the filer-safe-branches branch from d63023d to b9d64a8 Compare August 15, 2025 11:00
@blishko
SymExec: Pre-filter safe branches
6d644d2 
Not long ago, we were pre-filtering branches that could not lead to
postcondition violation.  This relied on calling simplification and the
constraints being simplified to [PBool False].  However, recently (in
c34d4d6), the code changed and it no longer simplified the constraints
before sending them further down the pipeline, and thus the statically
safe branches were no longer filtered before we started asking about
their feasibility.

I believe we should bring back the filtering, if only to have an
information about how many branches lead to Failure that we are
interested in.
@blishko blishko force-pushed the filer-safe-branches branch from b9d64a8 to 6d644d2 Compare August 18, 2025 11:57
msooseth
msooseth approved these changes Aug 18, 2025
View reviewed changes
Copy link
Collaborator

@msooseth msooseth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good!

I just want to note that the simplification and check before running the SMT solver will take place in checkSatWithProps -- it doesn't dispatch it to the SMT solver in case the concKeccak simplification returns a PBool False. That also means that the simplifications take place in a thread, concurrently so it's kinda nice. However, we do construct some Prop array and that's unnecessary. Note that in the old code, in c34d4d6 we actually simplified, too, and checked that for PBool False, so it was better than this version. However, this is much faster in many cases, I'm sure. So this is definitely an improvement, however, it's kinda different than the original code, and ultimately the PBool False will be filtered out before it hitting the SMT solver.

BTW, this could also be:

canBeSat (a, _) = not (PBool False `elem` a)

Which should be more complete I think?

@blishko
Copy link
Collaborator Author

blishko commented Aug 18, 2025

This is good!

I just want to note that the simplification and check before running the SMT solver will take place in checkSatWithProps -- it doesn't dispatch it to the SMT solver in case the concKeccak simplification returns a PBool False. That also means that the simplifications take place in a thread, concurrently so it's kinda nice. However, we do construct some Prop array and that's unnecessary. Note that in the old code, in c34d4d6 we actually simplified, too, and checked that for PBool False, so it was better than this version. However, this is much faster in many cases, I'm sure. So this is definitely an improvement, however, it's kinda different than the original code, and ultimately the PBool False will be filtered out before it hitting the SMT solver.

Indeed, the constraints are simplified in checkSatWithProps, so we have never been sending unnecessary queries to the solver.
Prefiltering in advance has the benefit that we have a rough estimate how many of the branches can actually lead to postcondition violation. For example, there is no need to look at the branches that end in Success.

BTW, this could also be:

canBeSat (a, _) = not (PBool False `elem` a)

Which should be more complete I think?

This is true. But I don't really think our encoding produces PBool False anywhere else, so I don't believe this would really cover more case, but it would be more expensive.

@blishko blishko merged commit 310669f into main Aug 18, 2025
14 of 15 checks passed
@blishko blishko deleted the filer-safe-branches branch August 18, 2025 20:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msooseth msooseth msooseth approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@blishko @msooseth