Axiom ordering seems may be missing an edge when using a spec definition to satisfy the postcondition on a proof fn in a trait #885

utaal · 2023-11-03T18:28:50Z

There's code like this:

        pub trait KeyTrait : Sized {
            fn zero() -> (z: Self) ensures z == Self::zero_spec(); // <-- should this force the definition for `zero_spec` to appear before the proof obligation for `zero` in the impl?

            spec fn zero_spec() -> Self where Self: std::marker::Sized;
        }
        
        pub struct KeyStruct { pub ukey: u64, }
        
        impl KeyTrait for KeyStruct {
            fn zero() -> (z: Self) { KeyStruct{ukey: 0} }

            open spec fn zero_spec() -> Self { KeyStruct{ukey: 0} }
        }

that fails to verify, in:

2023-11-03-19-25-29.zip

ordering zero() after zero_spec() in the impl KeyTrait for SHTKey makes it pass.

The text was updated successfully, but these errors were encountered:

…completeness fix #885, and non-deterministic incompleteness for cases like: ```rust trait T { spec fn a() -> bool; proof fn p() ensures Self::a(); proof fn q() ensures Self::a(); } struct S { pub dummy: nat } impl T for S { spec fn a() -> bool; proof fn p() { Self::q(); } proof fn q() { /* ... */ } } ``` without this change, Self::p was sometimes lowered to AIR without having processed Self::q first, which was not found as a function with a postcondition, which resulted in the encoding for `p()` to be an empty block instead of the expected `(assume <q's postcondition>)`.

… SCC ordering fix #885, and non-deterministic incompleteness for cases like: ```rust trait T { spec fn a() -> bool; proof fn p() ensures Self::a(); proof fn q() ensures Self::a(); } struct S { pub dummy: nat } impl T for S { spec fn a() -> bool; proof fn p() { Self::q(); } proof fn q() { /* ... */ } } ``` without this change, Self::p was sometimes lowered to AIR without having processed Self::q first, which was not found as a function with a postcondition, which resulted in the encoding for `p()` to be an empty block instead of the expected `(assume <q's postcondition>)`.

utaal added the incompleteness label Nov 3, 2023

utaal added a commit that referenced this issue Nov 16, 2023

fix #885 and other ordering related incompleteness

ef2c02c

utaal linked a pull request Nov 16, 2023 that will close this issue

fix #885 and other ordering related incompleteness #905

Draft

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Axiom ordering seems may be missing an edge when using a spec definition to satisfy the postcondition on a proof fn in a trait #885

Axiom ordering seems may be missing an edge when using a spec definition to satisfy the postcondition on a proof fn in a trait #885

utaal commented Nov 3, 2023 •

edited

Loading

Axiom ordering seems may be missing an edge when using a spec definition to satisfy the postcondition on a proof fn in a trait #885

Axiom ordering seems may be missing an edge when using a spec definition to satisfy the postcondition on a proof fn in a trait #885

Comments

utaal commented Nov 3, 2023 • edited Loading

utaal commented Nov 3, 2023 •

edited

Loading