Add kani::spawn and an executor to the Kani library

[fzaiser]

Description of changes:

This adds an executor (scheduler for async futures) to the Kani library, thus supporting kani::spawn as a replacement for tokio::spawn.

It also includes kani::yield_now which is similar to tokio::yield_now.

Resolved issues:

Resolves #1504

Call-outs:

Testing:

• How is this change tested? Additional regression tests.

• Is this a refactor change? No.

Checklist

• Each commit message has a non-empty body, explaining why the change was made
• Methods or procedures are documented
• Regression or unit tests are included, or existing tests cover the modified code
• My PR is restricted to a single feature or bugfix

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

[celinval]

More tests please! :)

[fzaiser]

TODO: add check that the number of tasks is less than MAX_TASKS. Done

[fzaiser]

With the MIR linker, this is no longer blocked! Ready for review @danielsn @celinval

[fzaiser]

The latest CI run failed for spawn.rs: CBMC failed with status 137. Exit code 137 means that it ran out of memory, I think.

@celinval: could this be related to the new linker? If the scheduling code is in the same file, like in manual_spawn.rs, everything finishes quickly. (#1818 seems to be related?)

[celinval]

Yes,

The latest CI run failed for spawn.rs: CBMC failed with status 137. Exit code 137 means that it ran out of memory, I think.

@celinval: could this be related to the new linker? If the scheduling code is in the same file, like in manual_spawn.rs, everything finishes quickly. (#1818 seems to be related?)

Yes, the main purpose of the new linker was to get rid of the undefined symbols from the standard library. Fixing this issue meant that some models got bigger and harder to process.

[fzaiser]

Yes, the main purpose of the new linker was to get rid of the undefined symbols from the standard library. Fixing this issue meant that some models got bigger and harder to process.

@celinval That makes sense. What I don't get is that it works fine if all the scheduling code is in the same file, see manual_spawn.rs. This file uses the same code that this PR puts into the Kani library, but puts that code directly into the file with the harness. That seems to verify much more quickly, which does not make sense to me. Do you know why?

[celinval]

Yes, the main purpose of the new linker was to get rid of the undefined symbols from the standard library. Fixing this issue meant that some models got bigger and harder to process.

@celinval That makes sense. What I don't get is that it works fine if all the scheduling code is in the same file, see manual_spawn.rs. This file uses the same code that this PR puts into the Kani library, but puts that code directly into the file with the harness. That seems to verify much more quickly, which does not make sense to me. Do you know why?

I see. Let me take a look, but it is possible that moving the file into a different crate changed how rustc optimizes the code.

[celinval]

I looked at the issue you mentioned, and I think the difference is due to the second harness in spawn.rs (nondeterministic_schedule). If you remove it, the time and problem size is basically the same independent on the location of the scheduling code.

The interesting thing is that the time is pretty bad even if you run --harness deterministic_schedule. That's probably because we perform reachability analysis for all harnesses at the same time, instead of doing them separately. My guess is that CBMC slicer is not smart enough to prune the closures out of the model due to a more conservative pointer analysis.

You can see a similar effect with the --legacy-linker by just moving the scheduling code to spawn.rs. If you run kani --harness deterministic_schedule --legacy-linker with and without the second harness co-located in spawn.rs, the times are drastically different. In my machine, Kani verification succeeds after 70ish seconds if you remove the second harness, but it doesn't finish under 5min if you add the second one.

[fzaiser]

@celinval Thanks for that investigation. I've removed the nondeterministic test for now to make CI (hopefully) pass. I've also converted a bool to an enum and improved the documentation.

[fzaiser]

Hm, seems like CI still runs out of memory. I'm not sure what to do about that. Any ideas?

[celinval]

Can you run it locally and measure the memory consumption so we have an idea on how bad the problem is?

[fzaiser]

@celinval I renamed the function spawnable_block_on to block_on_with_spawn as I think this name is clearer. ("spawnable" sounds like "can be spawned" instead of "can spawn")

If you don't have any other concerns, this should be ready to be merged.

[fzaiser]

@danielsn @celinval friendly reminder :)

[celinval]

@dsn @celinval friendly reminder :)

Sorry about that. Let me take a look

[celinval]

Hi @fzaiser, I think this is good to go, except that I think we should add a mechanism to guard this code under a unstable flag. Let me just sketch something quick and we can merge this. Thanks!

[celinval]

@fzaiser I created #2281 to get some feedback. Feel free to add comments there, but it should be a very quick change (famous last words).

[celinval]

I created #2373 to add the unstable attribute and I'm planning to create another one to enforce the opt-in model.

Once #2373 is merged, I believe you can just tag the public APIs from this PR as unstable and we can merge these changes.

[celinval]

Hi @fzaiser, I just wanted to let you know that we have merged the unstable API code, so you should be good to go. Please tag all public functions in this PR as unstable.

[fzaiser]

@celinval This should be good to go :) Could you please merge this if you're happy with it?

[fzaiser]

I'm not sure what the perf-benchcomp failure is about. Could it be spurious? Any ideas?

[zhassan-aws]

I'm not sure what the perf-benchcomp failure is about. Could it be spurious? Any ideas?

Yes, this is most likely spurious due to variance in performance. The perf-benchcomp workflow is not blocking for merges.

[celinval]

Thanks! Can you please add a reason to the unstable attribute? It could be something "recently added" or something like "experimental API". @adpaco-aws any suggestion?

[adpaco-aws]

Thanks! Can you please add a reason to the unstable attribute? It could be something "recently added" or something like "experimental API". @adpaco-aws any suggestion?

I'd suggest "experimental async support/library" or something along those lines.

Also, thanks @fzaiser for persistence on this one!

[fzaiser]

@celinval Thanks for reviewing and making the final changes for the merge! 🎉