Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

warn when using higher mode types in parameters (and return) with lower modes, #170 #323

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

warn when using higher mode types in parameters (and return) with lower modes, #170 #323

wants to merge 2 commits into from

Conversation

utaal
Copy link
Collaborator

@utaal utaal commented Nov 16, 2022
edited
Loading

@utaal utaal force-pushed the param-mode-types branch 5 times, most recently from 1834c82 to 849ebd3 Compare November 17, 2022 10:21
@Chris-Hawblitzel
Copy link
Collaborator

There's nothing inherently wrong with writing an exec function that takes an exec int parameter, but it's not really useful either, since you can't call it, since there are no exec int values. So I guess it's helpful to print out an error message to stop people from accidentally writing something useless and confusing. It probably improves diagnostics. But I'm wondering how far we intend to go with this feature. You can still write the following:

struct S<A>(A);

fn f(s: S<int>) {
    let x: int = s.0;
}

This is morally equivalent to fn f(x: int). Do we intend to disallow all possible exec usages of int and nat? Is it worth the effort? Or is this more like a linter that prints warnings in common cases?

@utaal
Copy link
Collaborator Author

utaal commented Nov 23, 2022

I agree that this isn't a soundness issue.

In terms of treating this as an error (vs a lint), my main concern was erasure: making sure that we wouldn't allow exec-mode parameters with types that don't have a runtime representation, but I suppose doing codegen for them may not be a big deal, as they can never be called by verified code. When we allow unverified clients, though, it may be best if these functions aren't allowed (although an unverified client would also find it non-trivial -- although not impossible -- to call these functions).

@utaal
Copy link
Collaborator Author

utaal commented Nov 27, 2022

Do we intend to disallow all possible exec usages of int and nat?

One thing that I forgot to point out is that the intent here is to disallow it only in parameters. Incorrect usage in e.g. variables would still be allowed.

The new commit should cover the case I missed and that you pointed out (thanks!), but there may be more that I missed. Do you think we should turn this into a warning? If we think this is fairly complete at this point, I'd argue we may want to have it be an error as (a) I don't see a use case where something that fails this check was intentional and (b) to protect against misuse by unverified clients in the future.

@tjhance
Copy link
Collaborator

tjhance commented Nov 27, 2022

What happens if the user writes Foo<int> where Foo is an exec type that uses its type parameter ghostily?

@utaal utaal marked this pull request as draft November 27, 2022 18:26
@utaal
Copy link
Collaborator Author

utaal commented Nov 27, 2022

What happens if the user writes Foo<int> where Foo is an exec type that uses its type parameter ghostily?

Right. I see the problem now (brain is still a bit on vacation, I suspect). Thanks! I'll have another more careful look at this later.

@utaal
Copy link
Collaborator Author

utaal commented Jan 4, 2023

Triaged in the Verus meeting; we want to lower to warning, and make the min_typ_mode function partial to be correct.

@utaal utaal changed the title disallow higher mode types in parameters (and return) with lower modes, fixes #290 disallow higher mode types in parameters (and return) with lower modes, #170 Apr 15, 2023
@utaal utaal changed the title disallow higher mode types in parameters (and return) with lower modes, #170 warn when using higher mode types in parameters (and return) with lower modes, #170 Apr 17, 2023
@utaal utaal force-pushed the param-mode-types branch from b5435ef to d168895 Compare April 17, 2023 09:41
@utaal utaal changed the base branch from main to main_new April 17, 2023 09:41
@utaal utaal mentioned this pull request Jun 14, 2023
Merged
@utaal utaal force-pushed the param-mode-types branch from d168895 to f2eb748 Compare August 15, 2023 17:19
@utaal utaal changed the base branch from main_new to preserve-decoration August 15, 2023 17:19
@utaal utaal force-pushed the preserve-decoration branch from 32a305f to 9a3d651 Compare August 15, 2023 17:20
@utaal utaal force-pushed the param-mode-types branch from f2eb748 to 3656fd7 Compare August 15, 2023 17:21
@utaal utaal force-pushed the param-mode-types branch from 3656fd7 to 6ad5ef3 Compare August 15, 2023 17:22
Base automatically changed from preserve-decoration to main August 15, 2023 18:43
@utaal utaal mentioned this pull request Jul 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tchajed tchajed tchajed left review comments

@Chris-Hawblitzel Chris-Hawblitzel Awaiting requested review from Chris-Hawblitzel

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@utaal @Chris-Hawblitzel @tjhance @tchajed