Symbolic execution queue should be used to run SMT as well #934
Conversation
msooseth
force-pushed
the
queue-check
branch
3 times, most recently
from
496d50b to
f6d8375
Compare
|
Now runs like: This will need an update to the docs. But it should be a lot easier to use for users. |
|
This is great, a leap forward in terms of usability (specially for getting counter examples!) |
|
Yes, this was the actual goal of the symbolic queue that Martin has helped with a lot. So we are finally making progress to be much more user-friendly, and show relevant results immediately. |
msooseth
force-pushed
the
queue-check
branch
3 times, most recently
from
61c2bce to
39f6258
Compare
msooseth
changed the title
Update ChangeLog some progress Making progress Cleaner Cleaner Changelog update Cleaner Fixing test.hs Fix rpc Cleanup Cleaner PR Fixing cexHander to cexHandler Update name of parameter
|
Oh, btw, should stop the exploration immediately if a CEX if found? |
Yep, we are thinking about adding that option exactly :) I'll add it in a sec :) |
msooseth
force-pushed
the
queue-check
branch
2 times, most recently
from
76ec6be to
749a796
Compare
Update Use Chan Cleanup
Cleaner Updte
OOops, forgot to add that. Will do it tomorrow as a separate PR. Should be very simple :) |
blishko
left a comment
blishko
left a comment
There was a problem hiding this comment.
I think this looks good! I have just a few small questions.
src/EVM/SymExec.hs
Outdated
| putStrLn $ " Exploration finished, " <> show (length results) <> " branch(es) checked in call " <> call <> " of which partial: " | ||
| <> show (length smtResults) |
There was a problem hiding this comment.
I think this message here is misleading now.
At this point, not only exploration has finished, but also all the solving, no?
At least before, "exploration" meant only the first phase, excluding the solving.
There was a problem hiding this comment.
Good point! I now did this:
commit c5a56bb3ebee5bcf42dc6cf7e1c2bb78c5920e9c (HEAD -> queue-check, origin/queue-check)
Author: Mate Soos <[email protected]>
Date: Thu Dec 4 12:59:01 2025 +0100
Better printing to the user
diff --git a/src/EVM/SymExec.hs b/src/EVM/SymExec.hs
index d26971b4..d702c11b 100644
--- a/src/EVM/SymExec.hs
+++ b/src/EVM/SymExec.hs
@@ -820,7 +820,9 @@ verifyInputsWithHandler
verifyInputsWithHandler solvers opts fetcher preState post cexHandler = do
conf <- readConfig
let call = mconcat ["prefix 0x", getCallPrefix preState.state.calldata]
- when conf.debug $ liftIO $ putStrLn $ " Exploring call " <> call
+ when conf.debug $ liftIO $ do
+ putStrLn $ " Keccak preimages in state: " <> (show $ length preState.keccakPreImgs)
+ putStrLn $ " Exploring call " <> call
results <- executeVM fetcher opts.iterConf preState $ \leaf -> do
-- Extract partial if applicable
@@ -846,9 +848,8 @@ verifyInputsWithHandler solvers opts fetcher preState post cexHandler = do
when conf.debug $ liftIO $ do
putStrLn $ " Exploration and solving finished, " <> show (length results) <> " branch(es) checked in call " <> call <> " of which partial: "
<> show (length smtResults)
- putStrLn $ " Keccak preimages in state: " <> (show $ length preState.keccakPreImgs)
let cexs = filter (\(res, _) -> not . isQed $ res) smtResults
- putStrLn $ " Found " <> show (length cexs) <> " potential counterexample(s) in call " <> call
+ putStrLn $ " Found " <> show (length cexs) <> " counterexample(s) in call " <> call
pure (smtResults, catMaybes partials)
whereSo the printing should be better I think!
|
Thanks, you have made this a lot better :) Can you take another look maybe? |
Description
This now finally does what I was aiming for :) You can pass in a function that will be run on the
Expr Endand the results will be collated. This is now done with thehandler.Notice that we now have to add a task for the
Partialas well as thehandlerneeds to be executed on this, here:This was actually done bye Claude Code at first, but I had to adjust quite a bit.
Now it finds the Cex for prove_inv_identity in
src/ABDKMath64x64PropertyTests.sol:CryticABDKMath64x64Propertiesinstantaneously, but keeps running.I will write a cexHander for equivalence checking as a follow-up PR.
Checklist