04:01 <ignaloidas> came across an interesting edge case with undefs while going over the cells, right now shifts are all undef if the shift value has any undefs, even though with some partial undefs you could argue some of the bits are known

04:01 <ignaloidas> for example consider %0:8 = shl 00011100 01X #1

04:03 <ignaloidas> the shift ammount is either 2 or 3, and as such the most accurate end result is X11X000

04:04 <ignaloidas> but the const shift right now gives all X

04:06 <ignaloidas> I'm not sure if this is truly worth the bother that caring about cases like this is, but it kinda feels like the undef semantics are wrong for this

04:14 <Wanda[cis]> this is the kind of stuff that's simply not worth modeling

04:16 <Wanda[cis]> verilog also gives an all-X value for this, and there's no real use in assuming a stricter definition

04:47 <ignaloidas> feels inconsistent to me, you can get different results depending on whether you run optimization first, or lower it to muxes first

04:47 <whitequark[cis]> yep

04:47 <whitequark[cis]> that's expected, muxes are special

04:47 <ignaloidas> that's how I encountered this in the first place, by lowering shifts into chained muxes

04:49 <whitequark[cis]> you need a guard for undefs around the whole shift then yeah

04:50 <ignaloidas> yep, and I can do that, just feels kinda bad losing information that's technically there :D

04:50 <whitequark[cis]> well if you don't then you'll be inconsistent with basically every tool out there

04:50 <whitequark[cis]> so what inconsistency is woree

04:50 <whitequark[cis]> s/woree/worse/

04:51 <ignaloidas> similar stuff with adc - %0:4 = adc 1111 XXXX 1 is technically 1XXXX

04:52 <ignaloidas> but yeah, understand the consistency with the rest of the ecosystem argument

04:52 <ignaloidas> just ahhh, the horrible edge cases where you could do better but mustn't

05:09 <whitequark[cis]> i don't feel like it's that horrible?

05:09 <whitequark[cis]> tracking this stuff has a cost, like not being able to use SMT shifts

05:44 <ignaloidas> for my SAT work that doesn't really matter, my primitives are undef-aware, though everywhere else it is indeed quite a pain

05:46 <ignaloidas> the edge cases feel horrible to me because it kinda defies expectations, e.g. with the adc case, a higher bit is defined, even though one whole input is fully undef

05:53 <whitequark[cis]> the way I think of undef is that it's a bound, not a precise contract

05:53 <whitequark[cis]> "we make at most this much undefined, because we want to make these transformations"

10:06 <Chips4MakersakaS> Things is that most flows based on proprietary tools contain custom TCL scripts which may not be vetted so much and thus be bug free.

10:06 <Chips4MakersakaS> <whitequark[cis]> "I think there are cases where..." <- Also for ASIC I feel that the code base should be bug free enough, with proper CI and regression tests so that LEC should not be needed all the way through. Big gripe I have with the proprietary EDA tools and flows.

10:58 <mei[m]> i disagree. if you're betting millions on the output being correct, you want formal verification. you do not want to be betting that you haven't accidentally triggered an unexplored edgecase

11:30 <Chips4MakersakaS> I'm not stopping anyone from including LEC in their flow along the way. What I am saying that one should strive to make your EDA tools and flows dependable even when no LEC is included in the flow; just like GCC/LLVM.

11:32 <Chips4MakersakaS> lets's say: ... just like GCC/LLVM/rustc/...

11:36 <mei[m]> oh, yeah, definitely

11:36 <widlarizerEmilJT> Naturally, yes, but for LLVM there's alive2, an optional add-on to basically do LEC

11:37 <widlarizerEmilJT> To me knowledge it doesn't work by verifying an optimization's implementation generally but by turning it on for a run of the compiler quite like LEC

11:38 <widlarizerEmilJT> To my* knowledge. I'm not british

12:31 <povikMartinPovie> > one should strive to make your EDA tools and flows dependable even when no LEC is included in the flow

12:33 <povikMartinPovie> I haven’t seen anyone propose otherwise. It would be foolish to take the availability of LEC across the flow as an excuse for leaving correctness bugs in

12:34 <povikMartinPovie> If anything it can help to make the tool robust even if you don’t enable it

12:34 <povikMartinPovie> So I don’t see much to discuss there

12:35 <catlos> fwiw i was under the impression that ASIC tools introducing bugs and thus LEC failures is pretty rare these days. from the perspective of a user LEC failure is a really annoying situation to be in because it tends to be very difficult to debug and even if you can debug you then have to try to get the tool fixed or whatever

12:35 <catlos> but if i had millions at risk on a tapeout I would run LEC too lol

12:35 <povikMartinPovie> Yeah, me to

12:40 <catlos> when I say bugs i more mean unexpected correctness bugs. it is no suprise that ASIC tools contain bugs, but I think people tend to be conservative with the RTL they write etc to stick to parts that are believed to be robust (ofc I am not saying this is the ideal scenario)

13:38 <ignaloidas> I feel like a big part of of people not regularly using LEC is that it is usually quite a bit slower than the normal flow. I hope to make it fast enough to not feel the difference by using SAT solvers which are generally way faster than SMT ones

13:40 <ignaloidas> compilers for software kinda have to use SMT instead of SAT because building more useful properties for software out of just booleans gets hard real quick

13:41 <ignaloidas> but I think for hardware, it's a lot simpler to build useful properties with just booleans, so SAT becomes more viable

13:51 <catlos> all SMT solvers solve BV theories by reduction to SAT anyway so its in many ways a moot point, the difference is only in the efficiency to get to the SAT encoding (and the quality of the SAT encoding) but all you are doing is reinventing what the SMT solvers do anyway

13:53 <catlos> also fwiw most commercial LEC tools predate the proliferation of SMT solvers so are largely built as rewriters with SAT solvers underneath (which is what an SMT solver is anyway, but I mean that they aren't calling out to dedicated SMT solvers)

13:55 <catlos> (at least this is my impression, I don't know the LEC tools super well so I'm not certain, but for general formal verification tools this is to a reasonable extent true)

13:58 <catlos> I suspect also there is a split between the tools that compare two high level designs (e.g. C2RTL/HECTOR) which can benefit more from SMT than the tools that verify synthesis where the post synth netlist naturally has no high level structure left

13:59 <ignaloidas> right, but for software, BV is in a wide variety of cases not enough

13:59 <ignaloidas> whereas for hardware, it's all that you need

14:00 <catlos> array theory is useful for the case of memories

14:00 <catlos> and depending on what you are verifying in software QF_ABV can be sufficient for software verification

14:01 <ignaloidas> also there's the fact that the SAT solvers integrated into SMT solvers tend to lag behind quite a lot

14:03 <ignaloidas> and like, a two evening project to port what's being done with SMT solvers 1-1 to SAT gave me almost 100x speedup

14:03 <ignaloidas> there are overheads associated with SMT, and that's unavoidable

14:05 <catlos> of the state of the art SAT solvers that I would consider stable enough to use practically, kissat is the best non-incremental and cadical the best incremental. bzla supports both, cvc5 and btor support cadical, and I would also add that it is relatively well known that modern SAT solvers are not necessarily better on hardware verification problems than minisat/glucose era solvers

14:06 <catlos> its already been discussed but wq suggested that a lot of the SMT overheads in the project at the moment are probably avoidable/are to an extent justifiable

17:49 <whitequark[cis]> a lot of the overhead is just "sending a command to the solver over a pipe one at a time and waiting for a reply"

17:50 <whitequark[cis]> rushing to rewrite something in a way without even measuring where the overheads are is just foolish

17:50 <whitequark[cis]> s/in a way//

17:55 <whitequark[cis]> would be interesting to force bzla and some others who have it (cvc5?) to use kissat specifically and see if that improves runtimes over z3