kevm-pyk: add per_depth_timeout to run_prover for progressive depth halving#2850
Closed
Stevengre wants to merge 1 commit into
Closed
kevm-pyk: add per_depth_timeout to run_prover for progressive depth halving#2850Stevengre wants to merge 1 commit into
per_depth_timeout to run_prover for progressive depth halving#2850Stevengre wants to merge 1 commit into
Conversation
Stevengre
force-pushed
the
add-run-prover-per-depth-timeout
branch
2 times, most recently
from
09ff837 to
5cfb39b
Compare
Adds a `per_depth_timeout: int = 0` parameter to `run_prover`. When set, each APRProof advance attempt is given a wall-clock budget of `current_depth * per_depth_timeout` seconds; on expiry, `execute_depth` is halved (floor 1) and the proof resumes from the disk-persisted KCFG state (the `advance_proof` maintenance loop calls `write_proof_data` before each callback, so on-disk state is always current). Repeats down to `depth = 1`. Default `0` keeps the prior behavior: one attempt at `max_depth`, no timeout. The timeout is enforced via a maintenance callback that raises an internal `_ProgressiveTimeout`; the unwind closes the `parallel_advance_proof` worker pool cleanly between attempts. Use case: progressive cut-point finding. A proof that stalls because `execute_depth` is too coarse to cut at the next branch can complete once the depth halves enough times.
Stevengre
force-pushed
the
add-run-prover-per-depth-timeout
branch
from
5cfb39b to
39e9693
Compare
7 tasks
Contributor
Author
|
Superseded by kontrol#1141, which switched to a subprocess + SIGKILL design at the kontrol layer. The callback-based maintenance hook here only fires at iteration boundaries, so a single long-running step could overshoot the per-attempt budget arbitrarily — the kontrol use case requires a hard wall-clock cutoff. The hard-kill design lives entirely in kontrol; no upstream changes needed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new
per_depth_timeout: int = 0parameter torun_prover. When set, each APRProof advance attempt is given a wall-clock budget ofcurrent_depth * per_depth_timeoutseconds. If the budget is exhausted,execute_depthis halved (floor 1) and the proof resumes from the disk-persisted KCFG state, repeating down todepth = 1. Default0keeps the prior behavior — a single attempt atmax_depth, no timeout.Example:
run_prover(proof, ..., max_depth=1000, per_depth_timeout=10)runs1000 @ 10000s → 500 @ 5000s → ... → 1 @ 10s.Why
A proof can stall when
execute_depthis too coarse to cut at the next branch or terminal point. Halving the depth makes each step shorter and more interruptible, giving the prover more chances to find branch points without changing proof semantics — the saved KCFG carries over between attempts.Downstream tools (kontrol, kasmer, kmir, etc.) all wrap
run_prover; centralizing the policy here means every caller gets it via one option.Implementation
per_depth_timeoutkeyword argument (default0, off — fully backward-compatible).while True:retry loop. Each iteration:budget_s = current_depth * per_depth_timeout(orNonewhen disabled).maintenance_callback(_proof, _start, _budget)(defaults bound to avoid late-binding) which calls the existing status-bar update and raises_ProgressiveTimeoutwhen wall-clock exceeds_budget. With_budget = Nonethe callback is a no-op beyond the status update — single-attempt semantics forper_depth_timeout=0.APRProver/parallel_advance_proofwith that callback.advance_proofandparallel_advance_proofboth invoke the callback afterproof.write_proof_data(), so on-disk KCFG state is always current when the callback fires._ProgressiveTimeout: logs the halving (depth=N attempt exhausted Ms budget; halving.), halvescurrent_depth(floor 1), continues. Ondepth=1timeout we break out.try/except Exceptionand stored inproof.error_infoas before.parallel_advance_proofcleanly: its internalwith _ProverPool(...)runsshutdown(wait=True)so worker threads drain, no orphan workers.max_depthnotion there).Test plan
make checkclean (flake8, mypy, autoflake, isort, black).make test-unit— 21/21 pass.per_depth_timeout=0(default) must produce identical results to today.--per-depth-timeout 10on a contrived stalling proof exhibits halving logs and eventual completion at a smaller depth.Downstream
A kontrol PR (runtimeverification/kontrol#1141) consumes this parameter to add a
--per-depth-timeoutCLI option tokontrol prove. That PR currently inlines a copy of the retry logic; once this lands and kontrol bumpsdeps/kevm_release, the inlined logic will be replaced by a single kwarg passed torun_prover.