String solver: avoid cubic formulas for string-to-int conversions #5226
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smowton
requested review from
martin-cs,
peterschrammel and
romainbrenguier
as code owners
xbauch
reviewed
Feb 6, 2020
|
|
||
| if(!digit_constraints.empty()) | ||
| if(no_overflow.has_value()) |
There was a problem hiding this comment.
Why not have the size - 1 >= max_string_length - 2 || radix_ul == 0 check here and build the no_overflow conjunction inside a5?
There was a problem hiding this comment.
AFAICT it wants to assert about the old sum, I'd guess that's why it was this way to begin with.
martin-cs
approved these changes
Feb 6, 2020
romainbrenguier
approved these changes
Feb 6, 2020
| { | ||
| const implies_exprt a5(premise, conjunction(digit_constraints)); | ||
| const binary_predicate_exprt string_length_gte_size{ |
There was a problem hiding this comment.
⛏️ why gte and not ge?
There was a problem hiding this comment.
Just habit to call this "Greater-Than or Equal", but I see we use ge elsewhere
| /*symbol_exprt result = | ||
| fresh_symbol("string_to_int_no_overflow_check", no_overflow.type()); | ||
| constraints.existential.push_back(equal_exprt(result, no_overflow)); | ||
| digit_constraints.push_back(result);*/ |
There was a problem hiding this comment.
don't leave commented code
| const implies_exprt a5(premise, conjunction(digit_constraints)); | ||
| const binary_predicate_exprt string_length_gte_size{ | ||
| length_expr, ID_ge, from_integer(size, length_expr.type())}; | ||
| const implies_exprt a5(string_length_gte_size, *no_overflow); | ||
| constraints.existential.push_back(a5); |
There was a problem hiding this comment.
the corresponding documentation needs to be updated
smowton
requested review from
cesaro,
chrisr-diffblue,
cristina-david,
kroening,
pkesseli,
tautschnig and
thk123
as code owners
smowton
force-pushed
the
smowton/feature/faster-string-to-int
branch
from
7651787 to
576b9f4
Compare
Previously when the string radix was unknown we generated a conjunction of no-overflow checks which was (in total) cubic in the number of digits in the string being converted to an integer. For instance, it would define a series of 'sum's, like: sum0 = digit0 sum1 = digit0 * radix + digit1 sum2 = (digit0 * radix + digit1) * radix + digit2 Where the definitions are truly inlined like this and don't use symbols to represent sum0...n, so |sumn| is O(n), and the sum of all sums is O(n^2) Then for each digit it would emit an overflow check: constraint2 = size = 2 => nooverflow(sum1) constraint3 = size = 3 => nooverflow(sum1) && nooverflow(sum2) constraint4 = size = 4 => nooverflow(sum1) && nooverflow(sum2) && nooverflow(sum3) However those sums are again expanded inline, meaning the sum of all constraints is O(n^3) The obvious fix is to define symbols for sum0... sumn and then constraint0... constraintn, but this slows the solver down considerably for small formulas (e.g. Byte.parseByte, with max size 3 digits), so I compromise here by replacing the constraints with: constraint2 = size >= 2 => nooverflow(sum1) constraint3 = size >= 3 => nooverflow(sum2) constraint4 = size >= 4 => nooverflow(sum3) Thus the formula size is quadratic not cubic but still fast for cases where the radix is known.
Previously we passed the input to parseInt/parseLong straight to the built-in string solver functions, meaning it was possible to crash jbmc by passing an out-of-range constant radix or for the solver to produce crazy results when it regarded the radix as a free choice. Now the models apply the constraint that it falls in a sensible range. I add a test for parseint with a free radix, but am unable to add one for parselong yet as it takes too long to solve.
smowton
force-pushed
the
smowton/feature/faster-string-to-int
branch
from
576b9f4 to
b8e774c
Compare
Codecov Report
@@ Coverage Diff @@
## develop #5226 +/- ##
===========================================
- Coverage 67.43% 67.43% -0.01%
===========================================
Files 1157 1157
Lines 95354 95352 -2
===========================================
- Hits 64306 64302 -4
- Misses 31048 31050 +2
Continue to review full report at Codecov.
|
peterschrammel
approved these changes
Feb 7, 2020
| @@ -0,0 +1,18 @@ | |||
| public class Test { | |||
|
|
|||
| public static void testMe(String input, int radix) { | |||
| @@ -0,0 +1,18 @@ | |||
| public class Test { | |||
|
|
|||
| public static void testMe(String input, int radix) { | |||
| @@ -1574,6 +1574,12 @@ void java_string_library_preprocesst::initialize_conversion_table() | |||
| std::placeholders::_2, | |||
| std::placeholders::_3, | |||
| std::placeholders::_4); | |||
| cprover_equivalent_to_java_function | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously when the string radix was unknown we generated a conjunction of no-overflow checks
which was (in total) cubic in the number of digits in the string being converted to an integer.
For instance, it would define a series of 'sum's, like:
Where the definitions are truly inlined like this and don't use symbols to represent sum0...n,
so |sumn| is O(n), and the sum of all sums is O(n^2)
Then for each digit it would emit an overflow check:
However those sums are again expanded inline, meaning the sum of all constraints is O(n^3)
The obvious fix is to define symbols for sum0... sumn and then constraint0... constraintn,
but this slows the solver down considerably for small formulas (e.g. Byte.parseByte, with
max size 3 digits), so I compromise here by replacing the constraints with:
Thus the formula size is quadratic not cubic but still fast for cases where the radix is known.