[prover-v2] Connecting Prover to v2 code generation toolchain

[wrwg]

This concludes connecting the Move prover to the bytecode generated by the v2 compiler (modulo some remaining issues for which bugs have been opened).

• Generates full SourceMap as the prover needs it for error messages
• Generates new SpecBlock stackless bytecode instruction for specification blocks, and processes them such that they can be associated by the prover with the bytecode
• Plumbs the CLI --compiler-version v2 and MOVE_COMPILER_V2 env var through the spaghetti of aptos cli and Move package system such that v2 compiler is called for model building
• Adds a new entry point to the compiler run_move_compiler_for_analysis which builds a model with the v2 compiler for tools like the prover. Also refactors a few other entrypoints in the compiler.
• Adds a new flag to prover driver --compiler-v2 to for direct prover invocation. Also adds --aptos for adding Aptos specific prelude in standalone command line mode.
• Fixes a bug in the borrow analyis (but also see [prover-v2] Revise borrow analysis #12533)
• Adds some verify_duration_estimate pragmas to the framework spec as v2 prover times out (this might be a result of more complex code generated which we should fix down the road with optimizations)
• Adds a new test feature to the prover unit tests such that all of them run both against v1 and v2. The v2 exp files are different if it comes to backtracs, which is to be expected with different generated code, but have been compared 1:1 to check whether they are equivalent
• Adds a new warning to the prover if intrinsic fields are selected.
• Fixes a small bug in reference-safety discovered by the prover tests

[trunk-io]

⏱️ 13h 41m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
rust-unit-tests	2h 46m	🟥 ⬜ 🟩 ⬜ 🟩 (+3 more)
windows-build	2h 39m	🟩 🟩 🟩 🟩 🟩 (+4 more)
rust-move-tests	2h 2m	🟥 ⬜ 🟩 ⬜ 🟩 (+3 more)
rust-move-unit-coverage	1h 58m	🟩 ⬜ 🟩 ⬜ 🟩 (+3 more)
rust-lints	49m	🟥 ⬜ 🟩 ⬜ 🟩 (+3 more)
run-tests-main-branch	33m	🟥 🟥 🟥 🟩 🟩 (+3 more)
rust-smoke-tests	33m	🟩
check	29m	🟩 🟩 ⬜ ⬜ 🟩 (+4 more)
execution-performance / single-node-performance	24m	🟩
check-dynamic-deps	18m	🟩 🟩 🟩 🟩 🟩 (+4 more)
general-lints	16m	🟩 🟩 🟩 ⬜ 🟩 (+3 more)
forge-e2e-test / forge	14m	🟩
rust-images / rust-all	14m	🟩
forge-compat-test / forge	12m	🟩
cli-e2e-tests / run-cli-tests	6m	🟩
semgrep/ci	3m	🟩 🟩 🟩 🟩 🟩 (+4 more)
file_change_determinator	1m	🟩 🟩 🟩 ⬜ 🟩 (+4 more)
file_change_determinator	1m	🟩 🟩 🟩 🟩 🟩 (+3 more)
node-api-compatibility-tests / node-api-compatibility-tests	52s	🟩
permission-check	29s	🟩 🟩 🟩 🟩 🟩 (+4 more)
permission-check	28s	🟩 🟩 🟩 🟩 🟩 (+4 more)
permission-check	25s	🟩 🟩 🟩 🟩 🟩 (+4 more)
permission-check	25s	🟩 🟩 🟩 🟩 🟩 (+4 more)
execution-performance / file_change_determinator	10s	🟩
file_change_determinator	8s	🟩
permission-check	2s	🟩
determine-docker-build-metadata	2s	🟩

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[codecov]

Codecov Report

Attention: Patch coverage is 75.71429% with 119 lines in your changes are missing coverage. Please review.

Project coverage is 64.1%. Comparing base (e2fd0ba) to head (221845a).
Report is 1 commits behind head on main.

Files	Patch %	Lines
...ools/move-package/src/compilation/model_builder.rs	21.6%	29 Missing ⚠️
third_party/move/move-model/src/ast.rs	54.7%	24 Missing ⚠️
third_party/move/move-compiler-v2/src/lib.rs	76.0%	18 Missing ⚠️
third_party/move/move-model/src/model.rs	62.9%	10 Missing ⚠️
...e-prover/boogie-backend/src/bytecode_translator.rs	53.8%	6 Missing ⚠️
...ty/move/move-model/bytecode/src/borrow_analysis.rs	66.6%	5 Missing ⚠️
third_party/move/tools/move-cli/src/base/docgen.rs	0.0%	5 Missing ⚠️
...iler-v2/src/pipeline/livevar_analysis_processor.rs	42.8%	4 Missing ⚠️
...model/bytecode/src/stackless_bytecode_generator.rs	33.3%	4 Missing ⚠️
...ty/move/move-model/bytecode/src/function_target.rs	84.2%	3 Missing ⚠️
... and 7 more

Additional details and impacted files

@@           Coverage Diff            @@
##             main   #12534    +/-   ##
========================================
  Coverage    64.0%    64.1%            
========================================
  Files         818      818            
  Lines      181627   181930   +303     
========================================
+ Hits       116377   116649   +272     
- Misses      65250    65281    +31     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[brmataptos]

You should consider moving the 2 flagged changes to move semantics to a separate PR so they can have a distinct commit message explaining what they're about.

[brmataptos]

mao -> map

[wrwg]

Done

[brmataptos]

Setting enable_in_ci to true seems questionable. Before it was disabled with comment "Do not enable in CI until we have more data about stability". Do we have that stability data now?

[brmataptos]

Please file an issue to do something to clean this up eventually (much later). For example, we may want to shake the tree and only include the dependences which are reachable from the original targets. Or we might want to distinguish the different levels (to be compiled, to be generated as code, to be included as needed). The mutable nature here is not ideal, as it could be dangerous in the long term. But it's fine for now.

[wrwg]

We are already minimizing the tree in the module_builder somewhere. For the other issue see above.

[brmataptos]

*** This (adding an edge for AssignKind::Copy) seems to be a significant change for borrow analysis. Might be better to give it its own commit/PR so it can have a reason attached.

[wrwg]

Yes, that is why I opened #12533.

[brmataptos]

*** This also is a pretty big deal for borrow analysis.

[wrwg]

Yes, it was a serious bug. The one-and-only the prover integration found so far.

[brmataptos]

"Everything as target" is probably not is wanted in the general analysis case. Our various compiler warning checks need to know the difference between "warn about this code" and "don't warn about this code". Currently they are using "target" to decide whether to warn about code, but for certain targeted analyses you would want to do different things for "real target" and "target because it's a dependency". That may mean we just need a new flag for "generate warnings/errors about this code".

[wrwg]

You usually expect that the prover is run an code which already passes type checks. But if not, we can't really differentiate whether the type check error is in the set targets or not, so we better produce errors in the dependencies as well. I think a really sustainable solution for the problem is that the package system somehow tracks this for us and/or we have some on-disk storage of compiled packages. Keeping for now like this until we have a better solution, perhaps after package system refactoring.

[brmataptos]

them --> all Temporary vars

[wrwg]

Done

[brmataptos]

Does this have anything to do with your change, or was it just not regenerated recently?

[wrwg]

Please do not look at md which is generated but at the Move source of the same name. There is a bug linked there already and a TODO (#12501).

[brmataptos]

This one too, does it have any relevance, or was it just stale before?

[wrwg]

Please comment on the .move source, this here is generated.

This was a test which was borderline regards timeout, and clearly times out with v2, I deactivated for CI using the pragma as here, as we do in many cases.

[brmataptos]

Are we expecting some other things that will be convertable to &Symbol that might show up here? I realize AsRef<Loc> was already fairly common in the code, and AsRef<str> is very useful in Rust, but do we anticipate other implementations that would warrant slightly more complex code here?

[wrwg]

Its really just about references, and we should have used it more frequently. With this you are able to pass parameters without * or &. We often need to do * because in matches, we get &Symbol. Similar for locations, we often need to add &. This reduces the noise a bit.

[vineethk]

Have some comments, but none of them blocking (but would be good to address/answer). I did not check the test outputs for the move prover, so someone from the prover team might be better equipped to review these.

[vineethk]

Interesting, this would mean that codegen quality could be affected solely by the presence of a use in specs (which is typically expected to be a no-op for compilation). Might be worth re-considering this as a future task.

[wrwg]

Yes, but this was always the case, also in v1.

We could actually make this optional depending on whether we generate code for the prover or not, but the problem with this is that then we wouldn't verify the same bytecode as it is running in production.

[vineethk]

Not suggesting that we do this now, but another alternative is to transform the specs as we transform the normal code.

[vineethk]

Update the function doc (which says this is getting temps referenced in borrow instructions, but now it does more).

[wrwg]

Done

[vineethk]

Curious: why do we need to insert a no-op, instead of not emitting anything?

[wrwg]

It's a convention the v1 compiler is using. It makes it easier to identify that this is a gluing point for specs and can be used e.g. in program analysis if some extra spec related info is generated for this program point.

[vineethk]

From looking at the code for get_fields(), it looks like they are already sorted based on their offsets?

[wrwg]

Good catch, fixed.

[vineethk]

Might be worth stating that this assertion holds because we are supposed to have inserted freezerefs when converting from &mut to & everywhere already?

[wrwg]

Frankly, I don't even know were this assumption comes from and whether it is needed (this is a duplicate of few lines below). In general I opened #12533 to follow up here.

[vineethk]

Check if we are still using something here that is deprecated.

[wrwg]

Yeah, we should remove this deprecation, some guy added it years ago not knowing the prover needs it.

[vineethk]

Have not looked into why the ordering changed - maybe worth a brief look whether this is an acceptable change?

[wrwg]

I'm also surprised why, but it doesn't hurt, so...

[vineethk]

I think you have also fixed this bug: #11925. If you think so too, maybe close that bug through this PR.

[wrwg]

Actually not, it is only that error message is more precise because I now generate the full source map.

[vineethk]

If a test case corresponding to this (eg, call to a function with multiple dup args that are non-mut references) has not been added, please do.

[wrwg]

Done, new test is duplicate_use.move

[vineethk]

Likely okay, but good to double check if this ordering change is known and acceptable.

[wrwg]

I checked its semantically the same, so at this point, I just let it go. If it is an issue like some hidden non-determinism we will detect soon anyway.

[wrwg]

Thanks for the review.

[wrwg]

Please do not look at md which is generated but at the Move source of the same name. There is a bug linked there already and a TODO (#12501).

[wrwg]

Please comment on the .move source, this here is generated.

This was a test which was borderline regards timeout, and clearly times out with v2, I deactivated for CI using the pragma as here, as we do in many cases.

[wrwg]

Yes, but this was always the case, also in v1.

We could actually make this optional depending on whether we generate code for the prover or not, but the problem with this is that then we wouldn't verify the same bytecode as it is running in production.

[wrwg]

Done

[wrwg]

Done

[wrwg]

Frankly, I don't even know were this assumption comes from and whether it is needed (this is a duplicate of few lines below). In general I opened #12533 to follow up here.

[wrwg]

Yes, that is why I opened #12533.

[wrwg]

Yes, but as long as we do not eliminate the temporaries, lifetime doesn't matter for the prover. We need to take care of pinning them similar as we do with borrows of locals. If one your optimizations needs this pinning, please let me know and we can have a followup PR to fix this.

[wrwg]

Yeah, we should remove this deprecation, some guy added it years ago not knowing the prover needs it.

[wrwg]

We are already minimizing the tree in the module_builder somewhere. For the other issue see above.

[vineethk]

@wrwg You probably already saw this, but it looks like "Aptos Move Test for Compiler V2" is failing (and it is not required, so easy to see past it).

[wrwg]

@wrwg You probably already saw this, but it looks like "Aptos Move Test for Compiler V2" is failing (and it is not required, so easy to see past it).

Yes, thank you @vineethk . There were a few tests failing after rebasing with various optimizations on. As I guessed, pinning spec locals for variable coalescing and considering for lifetime in the case of dead store elimination needed to be done. If you want, please check the last commit, as it effects some of the code you have written.

[vineethk]

Added some comments for the latest commit.

[vineethk]

Not suggesting that we do this now, but another alternative is to transform the specs as we transform the normal code.

[vineethk]

I think this should be state.insert_or_update so that we join rather than replace (which is what insert would do)?

[wrwg]

Done

[vineethk]

Search and replace borrowed with pinned in this file.

[wrwg]

Done

[github-actions]

✅ Forge suite compat success on aptos-node-v1.9.5 ==> 221845afa301b5f84573e33d6ec11a2998a42b4f

Compatibility test results for aptos-node-v1.9.5 ==> 221845afa301b5f84573e33d6ec11a2998a42b4f (PR)
1. Check liveness of validators at old version: aptos-node-v1.9.5
compatibility::simple-validator-upgrade::liveness-check : committed: 5527 txn/s, latency: 5719 ms, (p50: 4800 ms, p90: 9800 ms, p99: 14400 ms), latency samples: 210040
2. Upgrading first Validator to new version: 221845afa301b5f84573e33d6ec11a2998a42b4f
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 720 txn/s, latency: 34041 ms, (p50: 36700 ms, p90: 51300 ms, p99: 54300 ms), latency samples: 58340
3. Upgrading rest of first batch to new version: 221845afa301b5f84573e33d6ec11a2998a42b4f
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 262 txn/s, submitted: 586 txn/s, expired: 324 txn/s, latency: 32327 ms, (p50: 38100 ms, p90: 55600 ms, p99: 57500 ms), latency samples: 22587
4. upgrading second batch to new version: 221845afa301b5f84573e33d6ec11a2998a42b4f
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 2021 txn/s, latency: 14900 ms, (p50: 18100 ms, p90: 20800 ms, p99: 22900 ms), latency samples: 95020
5. check swarm health
Compatibility test for aptos-node-v1.9.5 ==> 221845afa301b5f84573e33d6ec11a2998a42b4f passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite realistic_env_max_load success on 221845afa301b5f84573e33d6ec11a2998a42b4f

two traffics test: inner traffic : committed: 7116 txn/s, latency: 5504 ms, (p50: 5400 ms, p90: 6600 ms, p99: 10400 ms), latency samples: 3081540
two traffics test : committed: 100 txn/s, latency: 1874 ms, (p50: 1800 ms, p90: 2100 ms, p99: 4300 ms), latency samples: 1800
Latency breakdown for phase 0: ["QsBatchToPos: max: 0.230, avg: 0.203", "QsPosToProposal: max: 0.356, avg: 0.314", "ConsensusProposalToOrdered: max: 0.522, avg: 0.464", "ConsensusOrderedToCommit: max: 0.305, avg: 0.286", "ConsensusProposalToCommit: max: 0.770, avg: 0.750"]
Max round gap was 1 [limit 4] at version 1380866. Max no progress secs was 4.119738 [limit 15] at version 1380866.
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking