Fix distinct unsoundness #890
Conversation
Halbaroth
force-pushed
the
distinct-soundness
branch
2 times, most recently
from
83e7d92
to
e81c18a
Compare
This PR quickly fixes the clash between the SMT-LIB specification of `distinct` and the implementation of this expression in AE. Basically, we expand the expression `distinct x_1 ... x_n` into a conjunction of binary disequalities. Notice that the model outputted for `uf2.models.smt2` changes because I don't preserve the old order used in `distinct`. This fix doesn't change the smart constructor `mk_distinct`. We shouldn't change the API on the branch v2.5.x and I add a comment to advertise the user that this smart constructor doesn't behave as expected.
I disagree on this point. (One other way to think about it: if we have a function |
|
Besides, I checked that the constructor |
Halbaroth
force-pushed
the
distinct-soundness
branch
from
b164013
to
c55c086
Compare
The smart construct `mk_distinct` produces an SMT-LIB compliant expression.
There was a problem hiding this comment.
even if the API is undocumented
It actually is: https://ocamlpro.github.io/alt-ergo/Input_file_formats/Native/02_types/02_01_builtin.html#comparisons
Please remove the cleanups that have no place in a hotfix and it should be good.
src/lib/structures/expr.ml
Outdated
| (* This fix makes sure that the smart constructor agrees with | ||
| the SMT-LIB specification when used with at least 3 arguments. | ||
| To prevent a soundness bug, we translate the expected expression into a | ||
| conjonction of binary disequations. *) |
There was a problem hiding this comment.
Note: this is not specifically related to the SMT-LIB specification but to the usual definition of distinct.
There was a problem hiding this comment.
Also the comment should point to #889 which will track the fix in the next branch
There was a problem hiding this comment.
Actually I didn't plan to apply this patch on next but I can.
| let args = Array.of_list args in | ||
| let acc = ref vrai in | ||
| for i = 0 to Array.length args - 1 do | ||
| for j = i + 1 to Array.length args - 1 do | ||
| acc := | ||
| mk_and (neg (mk_eq ~iff args.(i) args.(j))) !acc false | ||
| done; | ||
| done; | ||
| !acc |
There was a problem hiding this comment.
Nit: it doesn't really matter here as this is a hotfix but conversion to an array is not needed:
let distinct_from x acc ys =
List.fold_left (fun acc y -> mk_and (neg (mk_eq ~iff x y)) acc) acc ys
in let rec distinct_aux acc = function
| [] -> acc
| x :: ys -> distinct_aux (distinct_from x acc ys) ys
in distinct_aux acc argsThere was a problem hiding this comment.
I know but I think the imperative version is the easier to read and a bit less error-prone. It's a matter of taste.
There was a problem hiding this comment.
It is not only a matter of taste (I also find the imperative version easier to read in this specific case); the imperative version is slower and uses more memory because of the call to Array.of_list. It is entirely negligible here (hence why it's a nit), just pointing that out.
src/lib/frontend/cnf.ml
Outdated
| | TAneq lt -> | ||
| let lt = List.map (make_term up_qv name_base) lt in | ||
| E.mk_distinct ~iff:true lt | ||
|
|
||
| | TAdistinct lt -> | ||
| E.mk_distinct ~iff:true (List.map (make_term up_qv name_base) lt) | ||
|
|
There was a problem hiding this comment.
Can we avoid these changes? They don't seem useful, and keeping the patch as tiny as possible makes it easier to cherry-pick and move around if needed.
There was a problem hiding this comment.
Sure. Besides, we should use a different constructor for TAneq? It's not documented and I'm not sure what is the expected semantic for this constructor.
There was a problem hiding this comment.
TAneq [x; y] is the constructor used for x <> y. "neq" is a fairly common shorthand for "not equal".
src/lib/frontend/d_cnf.ml
Outdated
| @@ -1337,7 +1337,7 @@ let rec mk_expr | |||
| end | |||
|
|
|||
| | B.Distinct, _ -> | |||
| E.mk_distinct ~iff:true (List.map (fun t -> aux_mk_expr t) args) | |||
| E.mk_distinct ~iff:true (List.map aux_mk_expr args) | |||
There was a problem hiding this comment.
Same as above, can we undo this? There shouldn't be this sort of unrelated cleanup in a hotfix.
Halbaroth
force-pushed
the
distinct-soundness
branch
from
634f3c9
to
2e9667e
Compare
src/lib/frontend/cnf.ml
Outdated
| @@ -242,6 +242,7 @@ and make_form up_qv name_base ~toplevel f loc ~decl_kind : E.t = | |||
| | TAneq lt | TAdistinct lt -> | |||
| let lt = List.map (make_term up_qv name_base) lt in | |||
| E.mk_distinct ~iff:true lt | |||
|
|
|||
There was a problem hiding this comment.
Can you undo this whitespace change? Thanks.
Halbaroth
force-pushed
the
distinct-soundness
branch
from
2e9667e
to
af20710
Compare
|
:D |
This PR quickly fixes the clash between the SMT-LIB specification of
distinctand the implementation of this expression in AE.Basically, we expand the expression
distinct x_1 ... x_ninto a conjunction of binary disequalities.Notice that the model outputted for
uf2.models.smt2changes because I don't preserve the old order used indistinct.Fix issue #889 for the
v2.5.xbranch.