Do not unnecessarily sort guard conjuncts [blocks: #3486]

[tautschnig]

They are constructed in a consistent order anyway.

[smowton]

I don't think this works? For example, a & b - b would not erase the b, since it1 now has no way of moving except when erasing an element.

[smowton]

Relatedly, for vectors this has worst-case quadratic cost. How about making a utility inplace-set-difference that provides a good place to benchmark this sort of repeated single-element erase vs. std::set_difference followed by swap?

[tautschnig]

I agree that this would not work with a & b - b, but as the commit message says: we never construct those. My proposal for a full solution is #310: use BDDs. I'm open to all other ideas. But right now it's just computational overhead...

[smowton]

In that case I suggest renaming this remove_prefix_conjuncts, since its behaviour is much more specific than a generic operator-=, and add a doxy comment specifying that's all it can do. Also consider using std::mismatch?

[allredj]

✔️
Passed Diffblue compatibility checks (cbmc commit: 6bd4556).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/104021437

[tautschnig]

For the record: on ReachSafety-ECA this increases the number of symex steps per second from 2961.83 to 3580.92 - a speedup of approximately 20%. This is all due to saving approximately 2500 seconds in sort_operands (by not calling it).

Similar savings may be possible when using BDDs, in particular with CUDD. Benchmarking thereof started just now.

[tautschnig]

Adding data on BDDs (using CUDD): the operator|= is now, as hoped, basically free (0.5 seconds instead of 440 seconds with develop). Somewhat surprisingly, however, the cost of merge_ireps is now a lot higher. Consequently we only achieve 2608.81 steps per second.

[romainbrenguier]

@tautschnig

Adding data on BDDs (using CUDD): the operator|= is now, as hoped, basically free (0.5 seconds instead of 440 seconds with develop). Somewhat surprisingly, however, the cost of merge_ireps is now a lot higher. Consequently we only achieve 2608.81 steps per second.

The guards sometimes become much bigger with BDDs than with exprt. On my benchmarks I also noticed that while the global execution was 30% faster, the execution with --show-vcc --verbosity 0 was slower with BDDs on average. I also noticed merge_ireps taking a long time, in particular in the example I had to disable (grep for "bdd-expected-timeout").

[tautschnig]

The above data was all based on profiling information, which I prefer not to exclusively rely on. The optimised, competition-setting runs yield (more == better):

develop: 116 points
this PR: 119 points
BDDs/CUDD: 91 points

This of course is only a single (and somewhat peculiar: basically no pointers, but otherwise heavily stressing goto-symex) category.

[tautschnig]

I also noticed merge_ireps taking a long time, in particular in the example I had to disable (grep for "bdd-expected-timeout").

I'll try to do some benchmarking with HASH_CODE enabled at a later time to see whether that helps.

[romainbrenguier]

@tautschnig

I'll try to do some benchmarking with HASH_CODE enabled at a later time to see whether that helps.

Oh yes I always use HASH_CODE. For the merging of ireps it seems redundant for BDDs since all nodes that are logically equivalent are already "merged". So maybe the merge and the conversion from BDD to exprt should be done together. I will try some things.

[romainbrenguier]

@tautschnig

Adding data on BDDs (using CUDD): the operator|= is now, as hoped, basically free (0.5 seconds instead of 440 seconds with develop). Somewhat surprisingly, however, the cost of merge_ireps is now a lot higher. Consequently we only achieve 2608.81 steps per second.

I'm not sure I understand what these steps represent. Could you explain? If BDDs lead to fewer steps being executed for analyzing the same program, you could have fewer steps per second but still be faster?

[tautschnig]

If BDDs lead to fewer steps being executed for analyzing the same program, you could have fewer steps per second but still be faster?

Yes, this is certainly possible, hence me also posting the scores achieved in that category. What I'm looking at in the profiles is:

1. The number of calls to goto_symext::symex_with_state (that's basically the total number of runs of CBMC).
2. The number of calls to symex_bmct::symex_step (that's what I consider the total number of symbolic execution steps).
3. The time spent in symex_bmct::symex_step together with all of the functions that it calls.

For develop and ReachSafety-ECA those numbers were:

1. 4305 calls
2. 48005643 calls
3. 16208.08 seconds

I do agree and emphasise that this is by no means a complete picture. For me this mainly is about having reproducible data that I can key an eye on over time.

[tautschnig]

I'll try to do some benchmarking with HASH_CODE enabled at a later time to see whether that helps.

That's now done, scatter plot comparing current develop (y axis) vs BDDs+HASH_CODE (x axis) is shown below. The scores are now almost the same (155 with BDDs, 157 without BDDs).

[allredj]

⚠️
This PR failed Diffblue compatibility checks (cbmc commit: f4a99f0).
Build URL: https://travis-ci.com/diffblue/test-gen/builds/105613658
Status will be re-evaluated on next push.
Common spurious failures:

• the cbmc commit has disappeared in the mean time (e.g. in a force-push)

• the author is not in the list of contributors (e.g. first-time contributors).

• the compatibility was already broken by an earlier merge.

[martin-cs]

There is something significant in that graph to do with the number of time-outs. There is a vertical "smear" near the X axis time-out which suggests that there is a serious scalability difference there so I am surprised the numbers are so similar.

[martin-cs]

I believe the patch implements what is described in the PR. Whether we want it is a different question. I can see that this is performance critical and I don't think the current behaviour is optimal, even for this design. The "common prefix" comments give me pause for concern because that doesn't describe what I think is going on. Could we simply add (and document) some invariants on the guard expressions always being in (some) sorted order? It feels like that should be do-able, would give the performance benefits of this patch with some extra certainty of what is going on.

( I agree that BDDs are actually the way of solving this in full generality but I do wonder whether what we have is sufficiently restricted that we can solve it with a less heavy-weight solution. Regardless, I think pinning down what is going on here in terms of order with help the BDD case as well. )

[tautschnig]

With latest develop (and this PR rebased on top of it) profiling suggest that we save approximately 30% in guard_exprt::operator-= (reducing time spent in there from 1000s to 700s). For the overall result, however, there is no notable difference on ReachSafety-ECA.

[martin-cs]

On Mon, 2019-03-25 at 04:35 -0700, Michael Tautschnig wrote: With latest develop (and this PR rebased on top of it) profiling suggest that we save approximately 30% in `guard_exprt::operator-=` (reducing time spent in there from 1000s to 700s). For the overall result, however, there is no notable difference on ReachSafety-ECA.

Do we generate the same results? I can believe that we can save time in guard_exprt but generate more complex guards and thus loose time over-all.

[tautschnig]

Do we generate the same results? I can believe that we can save time
in guard_exprt but generate more complex guards and thus loose time
over-all.

As far as I can tell we generate exactly the same results.

[codecov]

Codecov Report

Merging #1998 (eabd67c) into develop (f564088) will decrease coverage by 0.08%.
The diff coverage is 82.38%.

@@             Coverage Diff             @@
##           develop    #1998      +/-   ##
===========================================
- Coverage    75.53%   75.45%   -0.09%     
===========================================
  Files         1447     1447              
  Lines       158116   158087      -29     
===========================================
- Hits        119431   119277     -154     
- Misses       38685    38810     +125     

Impacted Files	Coverage Δ
src/analyses/guard_expr.cpp	97.82% <ø> (-0.14%)	⬇️
src/goto-instrument/accelerate/accelerate.cpp	34.89% <0.00%> (ø)
src/goto-instrument/concurrency.cpp	0.00% <0.00%> (ø)
src/goto-instrument/nondet_volatile.cpp	86.55% <ø> (-0.15%)	⬇️
src/goto-instrument/replace_calls.cpp	89.55% <0.00%> (+1.31%)	⬆️
src/goto-programs/goto_convert_class.h	87.30% <ø> (ø)
src/goto-programs/goto_convert.cpp	91.69% <33.33%> (-0.24%)	⬇️
src/util/simplify_expr_struct.cpp	74.38% <50.00%> (+0.78%)	⬆️
src/goto-instrument/goto_program2code.cpp	69.20% <60.00%> (+0.06%)	⬆️
src/util/simplify_expr.cpp	78.14% <65.00%> (-6.93%)	⬇️
... and 75 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0ea7f13...eabd67c. Read the comment docs.

[tautschnig]

The following two flame graphs demonstrate what made me look into this (observe how goto_symext::merge_gotos seems to be (transitively) spending a lot of time in sort_and_join) and that merge_gotos now no longer is the most expensive part of execute_next_instruction.

That being said, the overall impact is fairly small (total CPU time saved is a few seconds), and this benchmark category of SV-COMP (Reachsafety-Recursive) is the only one where this was notable at all.

I do maintain that this sorting is unnecessary given the way guards are constructed by goto-symex (AFAIK the only user), but I don't think the performance data alone provide a great deal of support for this cleanup.

[martin-cs]

If the code is redundant and removing it 1. causes no harm, 2. improves things a bit then... why not?