feat: Compute triggers for such-that operations #6023
Conversation
# Conflicts: # Source/DafnyCore/Triggers/QuantifiersCollector.cs
# Conflicts: # Source/DafnyCore/AST/Expressions/Comprehensions/ExistsExpr.cs # Source/DafnyCore/AST/Substituter.cs # Source/DafnyCore/Dafny.atg # Source/DafnyCore/Triggers/ComprehensionTriggerGenerator.cs # Source/DafnyCore/Verifier/BoogieGenerator.ExpressionWellformed.cs # Source/DafnyCore/Verifier/BoogieGenerator.cs # Source/DafnyCore/Verifier/Statements/BoogieGenerator.TrStatement.cs # Source/IntegrationTests/TestFiles/LitTests/LitTest/auditor/TestAuditor.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/CoinductiveProofs.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/Comprehensions.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/ComprehensionsNewSyntax.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/DirtyLoops.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/LetExpr.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/snapshots/Snapshots5.run.legacy.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/git-issues/git-issue-1207.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/git-issues/git-issue-1545.dfy.refresh.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/git-issues/git-issue-897.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/triggers/emptyTrigger.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/triggers/loop-detection-messages--unit-tests.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/triggers/some-terms-do-not-look-like-the-triggers-they-match.dfy.expect # Source/IntegrationTests/TestFiles/LitTests/LitTest/wishlist/assign-such-that-antecedent.dfy.expect
# Conflicts: # Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/CoinductiveProofs.dfy.expect
# Conflicts: # Source/DafnyCore/Verifier/BoogieGenerator.Types.cs
# Conflicts: # Source/DafnyCore/Verifier/Statements/BoogieGenerator.TrStatement.cs
Source/IntegrationTests/TestFiles/LitTests/LitTest/git-issues/git-issue-3855.dfy
Outdated
Show resolved
Hide resolved
Source/IntegrationTests/TestFiles/LitTests/LitTest/dafny0/DiscoverBounds.dfy
Show resolved
Hide resolved
| } else if (LiteralExpr.IsFalse(a) || LiteralExpr.IsTrue(b)) { | ||
| return a; | ||
| } | ||
| // Note, to respect evaluation order, we don't simplify "X && false" to "false". |
There was a problem hiding this comment.
Is it really a matter of evaluation order? What actually goes wrong with the relaxed criterion from before?
It could be side effets, but what side effects does an expression have?
Also, isn't that what the allowSimplification flag is for?
There was a problem hiding this comment.
Good call-out. I thought some more and agree that it's okay that, when requested by allowSimplification, include that simplication after all. The test suite seems to confirm this. (I applied the change to &&, ==>, and ||.)
| @@ -76,7 +76,9 @@ method Correct2<W>(s: seq<W>) returns (ghost r: Option<W>) | |||
| } | |||
| var b := exists w: W :: P(w); | |||
| ghost var nonempty: W := s[0]; // this leads the verifier to see that W must be nonempty after all | |||
| ghost var w: W :| b ==> P(w); | |||
| ghost var w: W :| b ==> P(w) by { | |||
| var pw := P(nonempty); // introduce something to trigger quantification with | |||
There was a problem hiding this comment.
I wonder if we actually left :| alone (without triggers) on purpose back when we added them elsewhere, because it's not completely unreasonable to just try ambient values when we're trying to prove that a :| clause is inhabited (and indeed we do try to enumerate a few reasonable values by hand). That said I think that more stability is a reasonable price to pay here.
Source/IntegrationTests/TestFiles/LitTests/LitTest/git-issues/git-issue-1163.dfy
Outdated
Show resolved
Hide resolved
|
Thanks for your detailed review, @cpitclaudel! I've made changes accordingly, so the PR is ready for your reapproval (if you like my changes). |
This PR computes triggers for
:|operations ("assign such that", "let such that", bindingifstatements, and bindingif casestatements). It also improves the logic used to guess witnesses.Main new features
:|constructsifandif-casestatements with:|, output warning if there is no trigger:|constructs, support the same trigger attributes as for quantifiers, namely:{:trigger <exprs>}to manually specify a trigger{:trigger}to suppress any warning{:nowarn}to change the warning into an information messageRelated new features
A proof obligation associated with assign-such-that and let-such-that constructs
x :| P(x)is to show that such anxexists. The general form of this is the proof obligationexists x :: P(x). However, Dafny also allows the proof obligation to be established from candidate witnesses that the verifier guesses. Thus, the proof obligation may have several disjuncts, for example:This PR improves this machinery further; specifically:
xis a mapP(x)has the formx in map[...]for some map displaymap[...], use the given keys as guesses (just like is done for other collection displays)P(x)that don't mentionxto outside the existential, so that instead ofexists x :: R || P(x), the proof obligation isR || exists x :: P(x)(for soundness, this is done only if the type ofxis nonempty)Notes for reviewers
The PR also contains smaller changes, namely:
BoundVarcreation to indicate ghost statusifstatements to print the original:|syntax in the guard, rather than its desugaringLiteralExpr.IsFalsemethodBlockByProofStmtstatementsZero, return an empty mapGuessWitnessesmake more use of theZeromethodAnd regarding tests:
triggers/TriggersForSuchThat.dfy(also relevant:wishlist/assign-such-that-antecedent.dfy):|constructs have specific triggersBy submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.