Merge pull request #573 from FStarLang/gebner_rmoldwhile

Remove legacy while-loop syntax

Author: gebner

lib/pulse/lib/Pulse.Lib.Sort.Merge.Array.fst

@@ -20,7 +20,6 @@ let merge_invariant_prop
     (hi: SZ.t)
     (l1_0: Ghost.erased (list t))
     (l2_0: Ghost.erased (list t))
-    (cont: bool)
     i1 i2 (res: bool) accu l1 l2
 : Tot prop
 =
@@ -31,8 +30,7 @@ let merge_invariant_prop
                 if res
                 then spec_merge compare accu l1 l2
                 else (false, accu `List.Tot.append` (l1 `List.Tot.append` l2))
-            ) /\
-            cont == (res && not (i1 = i2 || i2 = hi))
+            )
 
 let merge_invariant // FIXME: WHY WHY WHY?
     (#tl #th: Type)
@@ -47,7 +45,6 @@ let merge_invariant // FIXME: WHY WHY WHY?
     (pi1: R.ref SZ.t)
     (pi2: R.ref SZ.t)
     (pres: R.ref bool)
-    (cont: bool)
     i1 i2 (res: bool) c c1 c2 accu l1 l2
 : Tot slprop
 =
@@ -61,7 +58,7 @@ let merge_invariant // FIXME: WHY WHY WHY?
         Trade.trade
           (SM.seq_list_match c accu vmatch ** (SM.seq_list_match c1 l1 vmatch ** SM.seq_list_match c2 l2 vmatch))
           (SM.seq_list_match c1_0 l1_0 vmatch ** SM.seq_list_match c2_0 l2_0 vmatch) **
-        pure (merge_invariant_prop compare lo hi l1_0 l2_0 cont i1 i2 res accu l1 l2)
+        pure (merge_invariant_prop compare lo hi l1_0 l2_0 i1 i2 res accu l1 l2)
 
 inline_for_extraction
 fn merge
@@ -107,27 +104,22 @@ requires
     let mut pi2 = mi;
     let mut pres = true;
     fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres
-        (not (lo = mi || mi = hi))
         lo mi true
         c1l c1 c2 [] l1_0 l2_0
     );
     while (
-        with gcont gi1 gi2 gres c c1' c2' accu l1' l2' .
-            assert (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres gcont gi1 gi2 gres c c1' c2' accu l1' l2');
-        unfold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres gcont gi1 gi2 gres c c1' c2' accu l1' l2');
+        unfold merge_invariant;
         let i1 = !pi1;
         let i2 = !pi2;
         let res = !pres;
-        let cont = (res && not (i1 = i2 || i2 = hi));
-        fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres cont gi1 gi2 gres c c1' c2' accu l1' l2');
-        cont
+        (res && not (i1 = i2 || i2 = hi))
     )
-    invariant cont . exists* i1 i2 res c c1' c2' accu l1' l2' .
-        merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres cont i1 i2 res c c1' c2' accu l1' l2'
+    invariant exists* i1 i2 res c c1' c2' accu l1' l2'.
+        merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres i1 i2 res c c1' c2' accu l1' l2'
     {
         with gi1 gi2 gres c c1' c2' accu l1 l2 .
-            assert (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres true gi1 gi2 gres c c1' c2' accu l1 l2);
-        unfold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres true gi1 gi2 gres c c1' c2' accu l1 l2);
+            fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres gi1 gi2 gres c c1' c2' accu l1 l2);
+        unfold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres gi1 gi2 gres c c1' c2' accu l1 l2);
         let prf_res : squash (gres == true) = ();
         SM.seq_list_match_length vmatch c1' l1;
         SM.seq_list_match_length vmatch c2' l2;
@@ -158,7 +150,7 @@ requires
         Trade.elim (vmatch x2 (List.Tot.hd l2) ** _) _;
         if (comp = 0s) {
             pres := false;
-            fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres false gi1 gi2 false c
+            fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres gi1 gi2 false c
                 c1'
                 c2'
                 accu
@@ -181,8 +173,7 @@ requires
                 as (pts_to_range a (SZ.v gi2) (SZ.v hi) c2');
             rewrite (pts_to_range a (SZ.v i1') (Ghost.reveal (SZ.v gi2)) (Seq.tail c1'))
                 as (pts_to_range a (SZ.v i1') (SZ.v gi2) (Seq.tail c1'));
-            let gcont' = Ghost.hide (gres && not (i1' `size_eq` gi2 || gi2 `size_eq` hi));
-            fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres gcont' i1' gi2 gres
+            fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres i1' gi2 gres
                 (Seq.append c (Seq.cons x1 Seq.empty))
                 (Seq.tail c1')
                 c2'
@@ -208,8 +199,7 @@ requires
             pi2 := i2';
             merge_aux_consume_2 vmatch c accu c1' l1 c2' l2 x2 ();
             Trade.trans _ _ (SM.seq_list_match c1 l1_0 vmatch ** SM.seq_list_match c2 l2_0 vmatch);
-            let gcont' = Ghost.hide (gres && not (i1' `size_eq` i2' || i2' `size_eq` hi));
-            fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres gcont' i1' i2' gres
+            fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres i1' i2' gres
                 (Seq.append c (Seq.cons x2 Seq.empty))
                 c1'
                 (Seq.tail c2')
@@ -220,8 +210,8 @@ requires
         }
     };
     with i1 i2 res c c1' c2' accu l1' l2' .
-        assert (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres false i1 i2 res c c1' c2' accu l1' l2');
-    unfold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres false i1 i2 res c c1' c2' accu l1' l2');
+        fold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres i1 i2 res c c1' c2' accu l1' l2');
+    unfold (merge_invariant vmatch compare a c1 c2 lo hi l1_0 l2_0 pi1 pi2 pres i1 i2 res c c1' c2' accu l1' l2');
     SM.seq_list_match_length vmatch c1' l1';
     SM.seq_list_match_length vmatch c2' l2';
     List.Tot.append_l_nil l1';

lib/pulse/lib/Pulse.Lib.Sort.Merge.Slice.fst

@@ -20,7 +20,6 @@ let merge_invariant_prop
     (len: SZ.t)
     (l1_0: Ghost.erased (list t))
     (l2_0: Ghost.erased (list t))
-    (cont: bool)
     i1 i2 (res: bool) accu l1 l2
 : Tot prop
 =
@@ -33,8 +32,7 @@ let merge_invariant_prop
                 if res
                 then spec_merge compare accu l1 l2
                 else (false, accu `List.Tot.append` (l1 `List.Tot.append` l2))
-            ) /\
-            cont == (res && not (i1 = i2 || i2 = len))
+            )
 
 let merge_invariant
     (#tl #th: Type)
@@ -47,7 +45,6 @@ let merge_invariant
     (pi1: R.ref SZ.t)
     (pi2: R.ref SZ.t)
     (pres: R.ref bool)
-    (cont: bool)
     i1 i2 (res: bool) c c1 c2 accu l1 l2
 : Tot slprop
 = exists* ca .
@@ -60,7 +57,7 @@ let merge_invariant
           (SM.seq_list_match c accu vmatch ** (SM.seq_list_match c1 l1 vmatch ** SM.seq_list_match c2 l2 vmatch))
           (SM.seq_list_match c1_0 l1_0 vmatch ** SM.seq_list_match c2_0 l2_0 vmatch) **
         pure (ca == (Seq.append c (Seq.append c1 c2))) **
-        pure (merge_invariant_prop compare (S.len a) l1_0 l2_0 cont i1 i2 res accu l1 l2)
+        pure (merge_invariant_prop compare (S.len a) l1_0 l2_0 i1 i2 res accu l1 l2)
 
 let merge_case_1
   (#t: Type)
@@ -139,27 +136,22 @@ requires
     let mut pi2 = mi;
     let mut pres = true;
     fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres
-        (not (0sz = mi || mi = S.len a))
         0sz mi true
         Seq.empty c1 c2 [] l1_0 l2_0
     );
     while (
-        with gcont gi1 gi2 gres c c1' c2' accu l1' l2' .
-            assert (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres gcont gi1 gi2 gres c c1' c2' accu l1' l2');
-        unfold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres gcont gi1 gi2 gres c c1' c2' accu l1' l2');
+        unfold merge_invariant;
         let i1 = !pi1;
         let i2 = !pi2;
         let res = !pres;
-        let cont = (res && not (i1 = i2 || i2 = S.len a));
-        fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres cont gi1 gi2 gres c c1' c2' accu l1' l2');
-        cont
+        (res && not (i1 = i2 || i2 = S.len a))
     )
-    invariant cont . exists* i1 i2 res c c1' c2' accu l1' l2' .
-        merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres cont i1 i2 res c c1' c2' accu l1' l2'
+    invariant exists* i1 i2 res c c1' c2' accu l1' l2' .
+        merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres i1 i2 res c c1' c2' accu l1' l2'
     {
         with gi1 gi2 gres c c1' c2' accu l1 l2 .
-            assert (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres true gi1 gi2 gres c c1' c2' accu l1 l2);
-        unfold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres true gi1 gi2 gres c c1' c2' accu l1 l2);
+            fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres gi1 gi2 gres c c1' c2' accu l1 l2);
+        unfold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres gi1 gi2 gres c c1' c2' accu l1 l2);
         let prf_res : squash (gres == true) = ();
         S.pts_to_len a;
         SM.seq_list_match_length vmatch c accu;
@@ -186,7 +178,7 @@ requires
         Trade.elim (vmatch x2 (List.Tot.hd l2) ** _) _;
         if (comp = 0s) {
             pres := false;
-            fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 (* pc pc1 pc2 *) pi1 pi2 pres false gi1 gi2 false c
+            fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 (* pc pc1 pc2 *) pi1 pi2 pres gi1 gi2 false c
                 c1'
                 c2'
                 accu
@@ -202,12 +194,11 @@ requires
               seq_helper_1 c1' x1;
             merge_aux_consume_1 vmatch c accu c1' l1 c2' l2 x1 ();
             Trade.trans _ _ (SM.seq_list_match c1 l1_0 vmatch ** SM.seq_list_match c2 l2_0 vmatch);
-            let gcont' = Ghost.hide (gres && not (i1' `size_eq` gi2 || gi2 `size_eq` S.len a));
             List.Tot.append_assoc accu l1 l2;
             List.Tot.append_assoc accu [List.Tot.hd l1] (List.Tot.tl l1);
             List.Tot.append_assoc (List.Tot.append accu [List.Tot.hd l1]) (List.Tot.tl l1) l2;
             merge_case_1 c x1 c1' c2';
-            fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres gcont' i1' gi2 gres
+            fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres i1' gi2 gres
                 (Seq.append c (Seq.cons x1 Seq.empty))
                 (Seq.tail c1')
                 c2'
@@ -230,13 +221,12 @@ requires
             pi2 := i2';
             merge_aux_consume_2 vmatch c accu c1' l1 c2' l2 x2 ();
             Trade.trans _ _ (SM.seq_list_match c1 l1_0 vmatch ** SM.seq_list_match c2 l2_0 vmatch);
-            let gcont' = Ghost.hide (gres && not (i1' `size_eq` i2' || i2' `size_eq` S.len a));
             List.Tot.append_assoc l1 [List.Tot.hd l2] (List.Tot.tl l2);
             List.Tot.append_assoc accu (List.Tot.append l1 [List.Tot.hd l2]) (List.Tot.tl l2);
             List.Tot.append_assoc accu l1 [List.Tot.hd l2];
             List.Tot.append_assoc accu [List.Tot.hd l2] l1;
             List.Tot.append_assoc (List.Tot.append accu [List.Tot.hd l2]) l1 (List.Tot.tl l2);
-            fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres gcont' i1' i2' gres
+            fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres i1' i2' gres
                 (Seq.append c (Seq.cons x2 Seq.empty))
                 c1'
                 (Seq.tail c2')
@@ -247,8 +237,8 @@ requires
         }
     };
     with i1 i2 res c c1' c2' accu l1' l2' .
-        assert (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres false i1 i2 res c c1' c2' accu l1' l2');
-    unfold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres false i1 i2 res c c1' c2' accu l1' l2');
+        fold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres i1 i2 res c c1' c2' accu l1' l2');
+    unfold (merge_invariant vmatch compare a c1 c2 l1_0 l2_0 pi1 pi2 pres i1 i2 res c c1' c2' accu l1' l2');
     SM.seq_list_match_append_intro_trade vmatch c1' l1' c2' l2';
     List.Tot.append_length l1' l2';
     Trade.trans_hyp_r (SM.seq_list_match c accu vmatch) (SM.seq_list_match (Seq.append c1' c2') (List.Tot.append l1' l2') vmatch) (SM.seq_list_match c1' l1' vmatch ** SM.seq_list_match c2' l2' vmatch) _;

lib/pulse/lib/Pulse.Lib.WhileLoop.fst

@@ -20,27 +20,7 @@ open Pulse.Main
 open Pulse.Lib.Core
 
 
-fn rec while_loop'
-  (inv:bool -> slprop)
-  (cond:unit -> stt bool (exists* x. inv x) (fun b -> inv b))
-  (body:unit -> stt unit (inv true) (fun _ -> exists* x. inv x))
-  norewrite
-  requires exists* x. inv x
-  ensures inv false
-{
-  let b = cond ();
-  if b {
-     body ();
-     while_loop' inv cond body;
-  }
-}
-
-
-let while_loop inv cond body = 
-  while_loop' inv (fun _ -> cond) (fun _ -> body)
-
-
-fn rec nu_while_loop
+fn rec while_loop
   (inv:slprop)
   (post:bool -> slprop)
   (cond:unit -> stt bool inv (fun b -> post b))
@@ -51,6 +31,6 @@ fn rec nu_while_loop
   let b = cond ();
   if b {
      body ();
-     nu_while_loop inv post cond body;
+     while_loop inv post cond body;
   }
 }

lib/pulse/lib/Pulse.Lib.WhileLoop.fsti

@@ -7,14 +7,6 @@ open Pulse.Lib.Core
 (* Not to be called directly. *)
 
 fn while_loop
-  (inv : bool -> slprop)
-  (cond : stt bool (exists* x. inv x) (fun b -> inv b))
-  (body : stt unit (inv true) (fun _ -> exists* x. inv x))
-  norewrite
-  requires exists* x. inv x
-  ensures inv false
-
-fn nu_while_loop
   (inv:slprop)
   (post:bool -> slprop)
   (cond:unit -> stt bool inv (fun b -> post b))

share/pulse/examples/AuxPredicate.fst

@@ -26,10 +26,10 @@ module R = Pulse.Lib.Reference
 
 // Defining a slprop using F* syntax. We do not yet allow
 // writing Pulse syntax for slprops in predicates 
-let my_inv (b:bool) (r:R.ref int) : slprop
+let my_inv (r:R.ref int) : slprop
   = exists* v.
       pts_to r v ** 
-      pure ( (v==0 \/ v == 1) /\ b == (v = 0) )
+      pure ( (v==0 \/ v == 1) )
 
 
 
@@ -40,54 +40,30 @@ fn invar_introduces_ghost (r:R.ref int)
 {
   r := 0;
 
-  fold (my_inv true r); //to prove the precondition of the while loop
+  fold (my_inv r); //to prove the precondition of the while loop
 
   while 
    (  //unfold the predicate to expose its contents to the prover context
-      with b. unfold (my_inv b r);
+      unfold my_inv;
       let vr = !r;
       let res = (vr = 0);
       //show that the condition restores the invariant by explicitly folding it back
-      fold (my_inv res r);
       res
    )
-  invariant b. my_inv b r
+  invariant my_inv r
   {
     // Same in the body;
     // unfold to expose it
-    unfold (my_inv true r);
     r := 1;
     // fold it back to show its preserved
-    fold (my_inv false r)
+    fold (my_inv r)
   };
 
   // unfold after the loop for the postcondition 
-  unfold (my_inv false r)
 }
 
 
 
-[@@expect_failure]
-
-fn invar_introduces_orig (r:R.ref int)
-  requires pts_to r 0
-  ensures pts_to r 1
-{
-  r := 0;
-
-  fold (my_inv true r);
-
-  while (let vr = !r; //fails here, as expected; we have my_inv, not pts_to
-         (vr = 0))
-  invariant b. my_inv b r
-  {
-    r := 1;
-  };
-
-  ()   
-}
-
-
 // If you don't introduce the indirection of my_inv
 // it just works without further ado
 
@@ -104,38 +80,3 @@ fn invar_introduces_ghost_alt (r:R.ref int)
     r := 1;
   }
 }
-
-
-// Some other examples
-
-
-fn exists_introduces_ghost (r:R.ref int)
-  requires pts_to r 0
-  ensures exists* v. pts_to r v ** pure (v == 0 \/ v == 1)
-{
-  r := 0;
-
-  fold (my_inv true r);
-
-  introduce exists* b. (my_inv b r) with _; 
-  // once you hide the witness in the existential
-  // you lose knowledge about it, i.e., we do not know that r = 0
-  with b. unfold (my_inv b r)
-}
-
-
-
-fn with_assert_OK (r:R.ref int)
-  preserves pts_to r 0
-{
-  r := 0;
-
-  fold (my_inv true r);
-
-  with b. assert (my_inv b r); // similar to above but we don't lose access
-                               // to witness b=true because with...assert... 
-                               // puts b=true into the typing context
-
-  assert (my_inv true r);
-  unfold (my_inv true r);
-}