-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVC5 support? #4100
Comments
At the moment, Dafny is known not to work well with CVC5. However, it's definitely an aspiration of ours to make it work better, and there are some ongoing efforts to make it work better. The particular application domain you're considering is one of the ones I have in mind that I'd like to be able to support better in Dafny, and supporting a variety of other solvers is probably part of the path there. Some of the things that I know we need to do to better support CVC5:
I'm currently working on some things in this direction, especially the first bullet. Contributions would be welcome! We should probably coordinate first, to make sure we're doing compatible things and not duplicating work, though. I'd also love to see examples you'd like to have work well but that don't currently. |
Hey @atomb, So, it does sound like a fair bit of work is required then --- but at least it is something you are already thinking about! I'm interested in this comment:
So, do you have any reason to think CVC5 might perform better than Z3 here? Or, is it just a case of: more solvers == more flexibility?
Well, definitely happy to talk more about this. Examples we can definitely come up with! We are currently investigating whether we can reduce verifier effort required by extracting key properties into e.g. datatypes, etc. |
There are some places where CVC5 has an edge. There's more thorough support for externally-checkable proofs, and new work on int blasting and the seq type. It's hard to say in advance whether there'd be performance benefit -- there isn't at the moment, with so many quantified axioms in the Dafny prelude -- but I'd like to find out.
On the topic of datatypes, I've been considering re-stating some of the axioms in the Dafny prelude, which currently emulate datatypes, using datatypes in Boogie and therefore the SMT datatype theory. |
Hey @atomb, Just following up on this, as we are definitely interested in pursuing this. Hopefully will have some capacity in a few weeks. I'm wondering what the minimal change required is to get something (anything) written in Dafny to verify with CVC5? Looking at the above list you wrote, I'm guessing that updating the prelude is key here. i.e. because it is included in every file which would be passed to CVC5. With changes made to that, we would then presumably be able to begin experimenting with CVC5 for small Dafny examples (e.g. which didn't lead to multi-dimensional arrays being generated, etc). Is that right? |
Very simple Dafny programs can be verified by CVC5 right now, sort of... I just discovered an issue (#4196) that leads to Dafny failing if you select a solver other than Z3 (using
To do so, with the current version of Dafny, I need to use However, you'll quickly get into cases that CVC5 can't solve, and I think you're exactly right that making modifications to the prelude is what we'll need to do to fix that. Dafny currently relies heavily on Z3's ability to quickly instantiate an absurd number of quantified axioms, and I think other solvers just can't keep up with that. I'm currently working on a number of such simplifications with the primary goal of making verification more predictable (with Z3). It should also have the side effect of making things work better with CVC5 (and other solvers), too. Some of the things I have in mind to simplify right now:
I've made some progress on the first two, but they're not quite ready to include yet. I'd be very interested to hear about any experiments you do, too! |
Oh, one other thing: Boogie supports several encodings for polymorphism, which Dafny currently uses heavily. Sometimes the non-default encodings can be faster with Z3, and might also make things work better with CVC5. Try |
Ok, I will try that and at least get to the point where I can see CVC5 actually doing something :) |
So, FYI, this does seem to work for me already (in Dafny 4.1):
I am noticing situations where it doesn't verify things though. |
Yeah, not being able to verify things that Z3 can is probably to be expected for now, but I expect the situation to get better. I think the explicit |
Some (not super scientific) results on
This is basically over a bunch of random (smallish) Dafny programs I had lying around using the options |
I've done some similar experiments and found that |
Can you give us some insight on this? Is it CVC5 or is it more related to the translation issues from Dafny? |
My general sense so far is that Dafny is currently set up in such a way that it depends heavily on efficient, large-scale quantifier instantiation. Z3 does that really well, whereas CVC5 is pickier about which quantifiers it instantiates. Whether that's a Dafny or CVC5 problem is pretty subjective. :) But I'm hoping some of the stuff I'm working on will make it possible to, at least optionally, not depend so heavily on so much quantifier instantiation. |
Some recent developments:
|
Fantastic!! |
(Not sure whether to focus this as a documentation request, feature request or bug report)
My team’s Dafny code is related to cryptography and hardware simulation so we're having problems seemingly caused by non-linear arithmetic. We saw that CVC5 supports a theory finite fields, so we hope it would work better than Z3 for what we do.
We saw that Boogie has some partial support for CVC5, so I tried running Dafny's integration tests with CVC5 to see how much of what Dafny does falls on the subset of Boogie/CVC5 that works.
I tried using the existing integration tests infrastructure but I had to resort to hack a couple of files to hardwire CVC5 options. The result is that some tests pass but some fail, or run forever, or hang, and the test suite soon stops.
So I thought I'd ask directly.
Some detail on the hardwiring for CVC5, in case it helps to improve support:
The LitTests.cs file implies that one can use DAFNY_EXTRA_TEST_ARGUMENTS to add general arguments, but this hardly works because it seems to only accept 1 argument and assumes the Dafny v3 CLI (which probably compounds with issue #3837)
I had to add CVC5 and Boogie options in DefaultArgumentsForTesting in DafnyDriver.cs.
However, even after adding the
tlimit
andTIME_LIMIT
options the tests that before ran forever now seem to just hang. So there is no way to progress past the few initial tests.The text was updated successfully, but these errors were encountered: