Skip to content

Logical functions aliases#1346

Draft
dianegolfouse wants to merge 4 commits intocreusot-rs:masterfrom
dianegolfouse:logical-functions-alias
Draft

Logical functions aliases#1346
dianegolfouse wants to merge 4 commits intocreusot-rs:masterfrom
dianegolfouse:logical-functions-alias

Conversation

@dianegolfouse
Copy link
Copy Markdown
Collaborator

@dianegolfouse dianegolfouse commented Feb 5, 2025

Example

// In `creusot_contracts`

impl<K, V> FMap<K, V> {
    #[trusted]
    #[logic]
    #[ensures(result >= 0)]
    pub fn len_logic(self) -> Int {
        dead
    }

    #[trusted]
    #[pure]
    #[has_logical_alias(Self::len_logic)]
    pub fn len(self) -> Int {
        panic!()
    }
}

// User code

pub fn foo() {
    let mut m = FMap::new();
    proof_assert!(m.len() == 0); // logic call
    ghost! {
        m.insert_ghost(1int, 1int);
        let l = m.len(); // program (ghost) call
        proof_assert!(l == 1);
        m.insert_ghost(2int, 2int);
        proof_assert!(m.len() == 2);
    };
}

@dianegolfouse dianegolfouse force-pushed the logical-functions-alias branch from bb131ae to 9a174b3 Compare June 4, 2025 12:10
@jhjourdan jhjourdan mentioned this pull request Sep 30, 2025
Closed
@dianegolfouse dianegolfouse force-pushed the logical-functions-alias branch from 9a174b3 to ab7d097 Compare October 2, 2025 12:11
jhjourdan
jhjourdan reviewed Oct 22, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jhjourdan jhjourdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a very interesting feature, howeer, there are a few important parts missing:

  • Support for aliases in traits. A simple constraint could be to force the alias to belong to the same trait. Then, we sould add a refinement check for implementations (i.e., implementors declare compatible aliases).

  • Uses in creusot_contracts, to get rid of all the _ghost and _logic functions.

  • Use this for Ghost::Deref, Rc::Deref, Snapshot::Deref, etc... and get rid of the special cases for this in Creusot's code.

Comment thread creusot-contracts-proc/src/creusot/specs.rs
}
};
let tokens_2 = tokens.clone();
let func = parse_macro_input!(tokens_2 as syn::ImplItemFn);
Copy link
Copy Markdown
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means that you force the method to have a body, which forbids logical aliases for trait methods. This seems restrictive. Is this intended? A simple fix may be to use FnOrMethod here instead.

Comment thread creusot-contracts-proc/src/creusot/specs.rs
Comment on lines +255 to +256
let pat = &pat_type.pat;
quote!(#pat)
Copy link
Copy Markdown
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assumes that the pattern is also a term, which is not always the case.

This is probably fine in this case, but it would be better to detect this in the macro, and emit an error.

Comment thread creusot/src/ctx.rs
///
/// They can later be retrieved using [`Self::logical_alias`].
pub(crate) fn load_logical_aliases(&mut self) {
// FIXME: what about functions from another crate?
Copy link
Copy Markdown
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cannot we simply reject them?

Comment thread creusot/src/ctx.rs
}
_ => unreachable!(),
};
if t1 != t2 {
Copy link
Copy Markdown
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't we check the equality of constant param names, too? It seems weird to do that for types and lifetimes, but not for constants.

Comment thread creusot/src/ctx.rs
Comment on lines +348 to +349
let mut program_subst = program_subst.iter().map(|arg| arg.kind());
let mut logic_subst = logic_subst.iter().map(|arg| arg.kind());
Copy link
Copy Markdown
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doing that directly in the loop would be clearer and shorter.

Comment thread creusot/src/ctx.rs
let logic_subst = erased_identity_for_item(tcx, logic_id);
let mut program_subst = program_subst.iter().map(|arg| arg.kind());
let mut logic_subst = logic_subst.iter().map(|arg| arg.kind());
loop {
Copy link
Copy Markdown
Collaborator

@jhjourdan jhjourdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From itertools:

for (prog_arg, logic_arg) in program_subst.zip_longest(logic_subst) { ... }

@jhjourdan
Copy link
Copy Markdown
Collaborator

jhjourdan commented Oct 22, 2025

Perhaps we could ask Maël Coulmance to work on this?

@jhjourdan jhjourdan mentioned this pull request Jan 7, 2026
Merged
@xldenis
Copy link
Copy Markdown
Collaborator

xldenis commented Feb 7, 2026

What is the current thinking on this? I think this would be really nice and would really contribute to making proofs & specs easier to follow by getting rid of ubioquitous "_logic" suffixes, especially if there's a macro to help you automatically generate these aliases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhjourdan jhjourdan jhjourdan left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dianegolfouse @jhjourdan @xldenis