Add Prover Based ShutdownManager

[baierd]

Most solvers allow either re-usable shutdown or we use shared environments that are created per prover, making them isolated enough to be shut down without stopping the context.

This PR adds a controlled way of shutting down only a single prover with the manager returned by our API IFF it is supported by the solver. These prover shutdown managers are all children of the context given shutdown manager.

This should only be merged after #501, is this branch is merged here.

[kfriedberger]

Overall, I find the idea good. It matches our architectural guidelines and solves a clear problem. The PR needs some minor improvements.

[kfriedberger]

Due to API change, better provide a default implementation that throws the UnsupportedException.

Additionally, his method is a plain getter. Why does a plain getter throw such an exception? The getter itself does not depend on solver-features that could be unsupported, but only on JavaSMT-internal code. Perhaps just remove the exception from signature.

[baierd]

Thanks for the feedback! I removed the exception from the signature and added a default implementation.

[kfriedberger]

As this method is not generic, we do not need it. just use inline it in the normal getShutdoenManagerForProver.
With a default implementation in the API, we can even remove this implmentation completely and just mark the overridden method as abstract.

[baierd]

True. I imagined that i need more solver specific code, but i didn't. I removed it. Thanks for the feedback!

[kfriedberger]

The comment is formatted ugly, and it might not be understandable, please rephrase.

Is getNotifier() a "fast" method call or does it construct any objects? The callback is expected to be executed quite often from native solver code. We could store the notifier directly within the class and just reuse it.

Addtiionally, we already have a method for getting the manager. Why do we then use direct access here? Please use the getter.

[baierd]

I removed the comment, as the new default should be obvious.

getNotifier() does not construct any objects, it just returns the notifier that is created when the ShutdownManager is created. You can argue that it is faster to have the reference directly, but this is built once when the prover is created. I changed it so that the notifier is generally accessible directly in the superclass.

Thanks for the feedback!

[kfriedberger]

Is it guaranteed that the manager always returns the same notifier-instance and the notifier always returns the same flag?

[baierd]

Yes! The notifier is created final and only once, see here: private final ShutdownNotifier notifier = new ShutdownNotifier(this); The flag can not be changed once a shutdown is triggered.

[kfriedberger]

Referencing some existing source code is no "guarantee".
The guarantee would be a JavaDoc specification for the ShutdownManager-API, which is missing:
https://sosy-lab.github.io/java-common-lib/api/org/sosy_lab/common/ShutdownManager.html#getNotifier()

A user can provide his own implementation of the shutdown-manager and change its behaviour.
I really would prefer to keep a local reference to this notifier.

[PhilippWendler]

There is no intention of a guarantee that getNotifier() always returns the same instance, but there is definitively the intention that this does not matter and that all notifiers handed out by a manager always return the shutdown state of the manager, and that shouldShutdown() will keep returning true forever after it has returned true once.

Since the split in separate manager and notifier classes this was not fully written down in the JavaDoc, but I improved this now: sosy-lab/java-common-lib@108faa6

[baierd]

@PhilippWendler i just noticed that there is/can be a delay in between the shutdown being requested and the children being informed. See the 2 tests here. Is this intentional?

[PhilippWendler]

I am not sure what exactly you are referring to. But if you have multi-threaded code, then you can of course never be sure when each of the threads is scheduled in relation to the others.

[baierd]

Yes, but i would have expected that the chain of signals in the shutdown notifiers/managers is built in such a way that they are all informed in a synchronized way.

[PhilippWendler]

What do you mean with "synchronized way"? "synchronized" is not some magic global property, one can only synchronize against specific things.

If you want help, you need to be more specific. What is the sequence of operations that you are observing and that is unexpected/unwanted?

[baierd]

I was merely curious ;D
We discussed this offline sufficiently. Thank you!

[kfriedberger]

One could move this method higher up in the hierarchy and just provide it in the abstract super-class.

[baierd]

I removed it completely, as we didn't really need it.

[kfriedberger]

Just for comparison to above: Here, we keep the same notifier and reuse it for all callback-calls.

[baierd]

We build a new manager in every prover creation (see here) and then use this new managers notifier to request shutdowns. So we always use the one notifier bound to the one manager of the prover (that is a child of the contexts ShutdownNotifier)

[baierd]

This is now outdated due to the changes.

[kfriedberger]

We could extract the reference to the notifier and just reuse.

Might look like this:

final ShutdownNotifier notifier = getShutdownManagerForProver().getNotifier()
return () -> {
  notifier.shutdownIfNecessary();
  return false;
};

[baierd]

Done! Thanks for the hint.

[kfriedberger]

None of the tests checks whether the solver is usable after a shutdown.
None of the tests checks that, out of multiple parallel instances, if one is terminated, then all other provers remain running and deliver results.

Could you add such tests?

[baierd]

I was just writing some tests and noticed that we do not really define how a solver (context and prover) should behave after a context-wide shutdown is requested.
Should prover creation throw a exception if the context is already shut down?
What operations are still usable and guaranteed to be correct/safe after a shutdown in your current prover?

[kfriedberger]

This PR might provide a solution for a quite old issue: #100 :-)

[kfriedberger]

Referencing some existing source code is no "guarantee".
The guarantee would be a JavaDoc specification for the ShutdownManager-API, which is missing:
https://sosy-lab.github.io/java-common-lib/api/org/sosy_lab/common/ShutdownManager.html#getNotifier()

A user can provide his own implementation of the shutdown-manager and change its behaviour.
I really would prefer to keep a local reference to this notifier.

[kfriedberger]

I would prefer to avoid calling getNotifier() more than once here.

[baierd]

I just forgot to push everything. Should be removed now. Sorry for the delay.

[baierd]

I cleaned up the default behavior of the prover API (isUnsat(), getModel(), getUnsatCore() etc.) so that they share the common prerequisites and no inconsistencies within the solver implementations exist.

I found 2 things i want to discuss:

1. The JavaDoc of unsatCoreOverAssumptions() states that: Returns an UNSAT core (if it exists, otherwise {@code Optional.empty()}), over the chosen assumptions. Does NOT require the {@link ProverOptions#GENERATE_UNSAT_CORE} option to work. But we have and check for the option GENERATE_UNSAT_CORE_OVER_ASSUMPTIONS. So i guess the JavaDoc should be updated?
2. the 2 public methods getSeqInterpolants0() and getTreeInterpolants0() are not named well in my opinion. I suggest better names like getSingletonSeqInterpolants)? (i am happy about better name suggestions ;D)

[PhilippWendler]

I don't understand this comment. The return type of the method is InterpolatingProverEnvironment, one always needs to return such an instance. What does this have to do with "solving with assumptions"?

[baierd]

This is a comment for developers (e.g. students) so that they get info what to implement. We have this at several locations and for example helped me back in my bachelors thesis.

[PhilippWendler]

Sure, having @implNotes is good. But what does this one want to say? Isn't InterpolatingProverEnvironment always required, and what does implementing it have to do with "satisfiability tests with assumptions"?

[baierd]

No it is not always required. The default impl throws a UnsupportedOperationException.
It is meant to lead the developer to the conclusion that this needs to be implemented if you want to interpolate. Usually students (in my experience) notice once they run the tests that things are missing ;D

[PhilippWendler]

Ok, but then the comment should still refer to interpolation and not satisfiability tests with assumptions.

[baierd]

@kfriedberger @PhilippWendler i now merged #501 into this to get the Solver/InterruptedExceptions for the model and prover API. I also added them to getUnsatCore(). So now nearly every method in the prover throws both. This allows us to remove all that special handling for the exceptions (except iterator() ;D).

[PhilippWendler]

I just realized that ca14eff was even more important than I thought before.

If the intention of checkShutdownState() was "the method must not be called with shutdown already being triggered before", then this is not even possible. The following sequence can always happen:

1. Caller checks that no shutdown is triggered and decides to call a method like getUnsatCore.
2. Other thread triggers shutdown, e.g., due to timeout.
3. checkShutdownState() is called and throws.

This means that no matter what an application does, if it uses the shutdown interface as it is intended, it would randomly crash with IllegalStateException, which would be a bug.

So the only way to handle shutdown requests properly can be to throw InterruptedException, as it is done now I guess?

But note that it is unnecessary to check for shutdown immediately when entering a method. Because of the asynchronicity no method can and needs to guarantee that it always notices a shutdown. The only place where one needs to check for shutdowns is in loops that execute for potentially long time.

[baierd]

I just realized that ca14eff was even more important than I thought before.

If the intention of checkShutdownState() was "the method must not be called with shutdown already being triggered before", then this is not even possible. The following sequence can always happen:

1. Caller checks that no shutdown is triggered and decides to call a method like `getUnsatCore`.

2. Other thread triggers shutdown, e.g., due to timeout.

3. `checkShutdownState()` is called and throws.

This means that no matter what an application does, if it uses the shutdown interface as it is intended, it would randomly crash with IllegalStateException, which would be a bug.

So the only way to handle shutdown requests properly can be to throw InterruptedException, as it is done now I guess?

But note that it is unnecessary to check for shutdown immediately when entering a method. Because of the asynchronicity no method can and needs to guarantee that it always notices a shutdown. The only place where one needs to check for shutdowns is in loops that execute for potentially long time.

Oh wow! Good catch! This means that all the API changes are actually fully justified.