feat: Allow more assumptions in library backend #4545
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Also corrected “modifies *” to “modifies {}”
atomb
requested changes
Sep 13, 2023
| issue: "Declaration with [{:extern}] has a ensures clause.", | ||
| mitigation: "Test external callee (maybe with [/testContracts]).", | ||
| mitigationIETF: "MUST test external callee.", | ||
| mitigation: "Turn into a [method] with [modifies {}] or test thoroughly for lack of side effects.", |
There was a problem hiding this comment.
Suggested change
| mitigation: "Turn into a [method] with [modifies {}] or test thoroughly for lack of side effects.", | |
| mitigation: "Turn into a [method] with [modifies {}] and test thoroughly for lack of side effects.", |
There was a problem hiding this comment.
Turning it into a method allows for non-determinism that may occur, but if we have modifies {} then we'll really want to know that it has no side effects.
| isExplicit: false, | ||
| allowedInLibraries: false); | ||
|
|
||
| public static AssumptionDescription ExternWithPrecondition(bool hasAxiomAttribute) { |
There was a problem hiding this comment.
I know I originally suggested this design, but now I'm thinking this should be treated as such:
- If an extern does not have
{:axiom}, have the auditor flag any pre- or post-conditions. Don't allow it in libraries. - If an extern does have
{:axiom}, have the auditor flag it as an explicit (intentional) assumption, and allow it in libraries. Don't say anything about pre- or post-conditions.
This is more consistent with treatments elsewhere. Having{:axiom}on an enclosing scope (e.g., a declaration) silences mention of other assumptions associated with it (e.g., the contract of a declaration).
TaBo2410
added a commit
that referenced
this pull request
Sep 20, 2023
…iment-trsplitexpr * commit '86840e6b14386c1e88480854dd8ce64ad17cb2ff': Map eq range (#4567) Fix: Declarations with {:only} ensure that other declarations aren't displayed as verified in the gutter icons (#4433) Fix caching of export declarations (#4556) Do not return exceptions when doing hover in a program with parse errors (#4557) Proof dependency warnings (#4542) [Test Generation] Reduce memory footprint by reusing the same Boogie program for multiple test generation queries (#4530) Fix a variety of bugs in Rust backend based on ESDK testing (#4538) Checker for .Values and .Items on maps (#4551) feat: Allow more assumptions in library backend (#4545) feat: Attributes on reads clauses (#4554) Fix gutter icons fields (#4549) Report errors that occur in the project file, in the IDE as well (#4539) Switch to ubuntu-20.04 for the refman build (#4555)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The "library backend" which is selected using
--target:liband produces.doofiles is currently more restrictive than the other backends. The common SinglePassCompiler logic rejects features that cannot be compiled such asassumestatements without{:axiom}, but the library backend doesn't actually use that base class. It instead leverages theDeclaration.Assumptions()method that the auditor uses to identify assumptions.AssumptionDescriptions have aallowedInLibrariesflag to indicate whether they should cause build errors when trying to build a.doofile, and the initial version was intentionally very conservative.This PR switches the value of this flag for a few cases that are very likely to appear in useful libraries and where the risk of misuse is zero or very low:
assume {:axiom} ...- already allowed by other backends.decreases *- not really an assumption, more of a sound specification limitation, and we may even remove this from the auditor as well in the future.{:extern}declarations withrequiresorensures- now allowed only if the declaration also has{:axiom}, and this case now creates auditor warnings as well.{:termination false}- allowed because there is no mitigation and traits are highly valuable to share in libraries.Also corrected a typo in mitigation text suggesting
modifies *when it should bemodifies {}-modifies *doesn't even parse. :)By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.