Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

:set iteSolver=on is unsound #252

Closed
LeventErkok opened this issue Jun 27, 2015 · 2 comments
Closed

:set iteSolver=on is unsound #252

LeventErkok opened this issue Jun 27, 2015 · 2 comments

Comments

@LeventErkok
Copy link
Contributor

@atomb @brianhuffman @acfoltzer

[This is a direct consequence of a bug in SBV: https://github.com/LeventErkok/sbv/issues/180. So, no immediate action is needed on the Crytpol side; but see below for a discussion.]

Consider this Cryptol program:

foo : [8] -> [8]
foo x = if x == 0 then y else y+1
  where y = if x == 0 then x else x+1

property bad x = foo x == if x == 0 then x else x+1

We have:

Main> :prove bad
bad 0xfe = False

which is correct. But:

Main> :set iteSolver=on
Main> :prove bad
Q.E.D.

Oops.. But Cryptol isn't to blame; as I mentioned, this is an SBV bug. See LeventErkok/sbv#180 for details.

I've outlined a proposed solution in the above ticket. Unfortunately, Cryptol can't just take advantage of it by a simple recompile. It'll have to pass a special configuration parameter to SBV if iteSolver is turned on. It should be a simple tweak, but will require a new release obviously. (Both for SBV and Cryptol.)

I don't want to make a big fuss about this either: Neither sBranch in SBV, nor iteSolver in Cryptol are heavily used; so we can have some discussion around how to best address the issue, and I'm open to hearing ideas on how to proceed. But strictly speaking, this is a soundness issue and thus needs to be dealt with; it's not just a matter of some programs not working, but rather Cryptol/SBV just plain lying about properties when iteSolver is turned on.
@LeventErkok LeventErkok changed the title iteSolver=True is unsound :set iteSolver=on is unsound Jun 28, 2015
@LeventErkok
Copy link
Contributor Author

After some consideration, it boils down to the fact that it's not just SBV's sharing, but also Haskell's own sharing that's getting into play here. I've put some comments in LeventErkok/sbv#180. Bottom line, sBranch/sAssert are not sound, and thus I removed them in: LeventErkok/sbv@d04fa40

There is now the following function, however:

isSatisfiableInCurrentPath :: SBool -> Symbolic Bool

You might still be able to implement iteSolver using this function, though it's not going to be as simple as before, since the Symbolic type is now exposed in this call. Let me know how you decide to proceed and once things settle down, I'll make a new SBV release.

@acfoltzer
Copy link
Contributor

This is now removed both from the 2.2 maintenance branch and master. When we eventually do a refactoring of the evaluator to permit a monadic context, we'll try to reintroduce this feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@acfoltzer @LeventErkok