Skip to content

Logical functions aliases #1346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
arnaudgolfouse wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

Logical functions aliases #1346

arnaudgolfouse wants to merge 4 commits into from

Conversation

@arnaudgolfouse
Copy link
Collaborator

@arnaudgolfouse arnaudgolfouse commented Feb 5, 2025

Example

// In `creusot_contracts`

impl<K, V> FMap<K, V> {
    #[trusted]
    #[logic]
    #[ensures(result >= 0)]
    pub fn len_logic(self) -> Int {
        dead
    }

    #[trusted]
    #[pure]
    #[has_logical_alias(Self::len_logic)]
    pub fn len(self) -> Int {
        panic!()
    }
}

// User code

pub fn foo() {
    let mut m = FMap::new();
    proof_assert!(m.len() == 0); // logic call
    ghost! {
        m.insert_ghost(1int, 1int);
        let l = m.len(); // program (ghost) call
        proof_assert!(l == 1);
        m.insert_ghost(2int, 2int);
        proof_assert!(m.len() == 2);
    };
}

@arnaudgolfouse arnaudgolfouse force-pushed the logical-functions-alias branch from bb131ae to 9a174b3 Compare June 4, 2025 12:10
@jhjourdan jhjourdan mentioned this pull request Sep 30, 2025
Closed
@arnaudgolfouse arnaudgolfouse force-pushed the logical-functions-alias branch from 9a174b3 to ab7d097 Compare October 2, 2025 12:11
jhjourdan
jhjourdan reviewed Oct 22, 2025
View reviewed changes
Copy link
Collaborator

@jhjourdan jhjourdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a very interesting feature, howeer, there are a few important parts missing:

  • Support for aliases in traits. A simple constraint could be to force the alias to belong to the same trait. Then, we sould add a refinement check for implementations (i.e., implementors declare compatible aliases).

  • Uses in creusot_contracts, to get rid of all the _ghost and _logic functions.

  • Use this for Ghost::Deref, Rc::Deref, Snapshot::Deref, etc... and get rid of the special cases for this in Creusot's code.

creusot-contracts-proc/src/creusot/specs.rs
}
};
let tokens_2 = tokens.clone();
let func = parse_macro_input!(tokens_2 as syn::ImplItemFn);
Copy link
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means that you force the method to have a body, which forbids logical aliases for trait methods. This seems restrictive. Is this intended? A simple fix may be to use FnOrMethod here instead.

creusot-contracts-proc/src/creusot/specs.rs
Comment on lines +255 to +256
let pat = &pat_type.pat;
quote!(#pat)
Copy link
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assumes that the pattern is also a term, which is not always the case.

This is probably fine in this case, but it would be better to detect this in the macro, and emit an error.

creusot/src/ctx.rs
///
/// They can later be retrieved using [`Self::logical_alias`].
pub(crate) fn load_logical_aliases(&mut self) {
// FIXME: what about functions from another crate?
Copy link
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cannot we simply reject them?

creusot/src/ctx.rs
}
_ => unreachable!(),
};
if t1 != t2 {
Copy link
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't we check the equality of constant param names, too? It seems weird to do that for types and lifetimes, but not for constants.

creusot/src/ctx.rs
Comment on lines +348 to +349
let mut program_subst = program_subst.iter().map(|arg| arg.kind());
let mut logic_subst = logic_subst.iter().map(|arg| arg.kind());
Copy link
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doing that directly in the loop would be clearer and shorter.

creusot/src/ctx.rs
let logic_subst = erased_identity_for_item(tcx, logic_id);
let mut program_subst = program_subst.iter().map(|arg| arg.kind());
let mut logic_subst = logic_subst.iter().map(|arg| arg.kind());
loop {
Copy link
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From itertools:

for (prog_arg, logic_arg) in program_subst.zip_longest(logic_subst) { ... }

@jhjourdan
Copy link
Collaborator

jhjourdan commented Oct 22, 2025

Perhaps we could ask Maël Coulmance to work on this?

@jhjourdan jhjourdan mentioned this pull request Jan 7, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhjourdan jhjourdan jhjourdan left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arnaudgolfouse @jhjourdan