Move shared-access predicate invariants to preconditions #107
Draft
pawinkler wants to merge 2 commits into paul/upcasts from
Add `sharedPredicateAccessInvariant` to method preconditions in `ProgramConverter` so that shared predicate access is expressed declaratively rather than inhaled inside the body.

Remove the corresponding per-argument `sharedPredicateAccessInvariant` from `FullNamedFunctionSignature.toViperFunction` (pure functions), where it was previously prepended to the precondition list.

Remove the inline `Stmt.Inhale` of shared predicate invariants from `FunctionExp.toViperMaybeStoringIn` (inline-function bodies), which was a workaround that is no longer needed once the precondition carries the permission.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Summary
This PR was extracted from #92 and is based on #106. It concerns moving the `sharedPredicateAccessInvariant` for method parameters from being expressed inside function bodies to being declared as `requires` clauses in method preconditions.

Shared-access predicate invariants ensure that an access to an object on the heap is permitted. Previously, these were only inhaled before the access occurred and it was not verified that the individual function actually has enough permissions to access the object. Implementing this change demonstrated that functions expecting a supertype of the provided type did not have enough permissions to access it, leading to failures in the test cases.
Changes
- `ProgramConverter`: adds `sharedPredicateAccessInvariant` to method preconditions for each formal argument, so that the `requires acc(Type_shared(param), wildcard)` clause appears in the generated Viper method signature.
- `FullNamedFunctionSignature.toViperFunction`: removes the `formalArgs.mapNotNull { it.sharedPredicateAccessInvariant() }` that was previously prepended to pure-function preconditions; `getPreconditions()` is now used directly, which picks up the invariant from the method level.
- `ControlFlow` (`FunctionExp.toViperMaybeStoringIn`): removes the inline `Stmt.Inhale` of `sharedPredicateAccessInvariant` for each formal argument of an inline function body, which was a workaround that is no longer needed.
Remaining tasks
- `.fir.diag.txt` golden files to reflect the new `requires acc(...)` lines in method preconditions.
- previously relied on the inhale.
- `uniquePredicateAccessInvariant` should be moved to preconditions in the same way; currently only the shared predicate is moved.
Limitations
This strategy is not capable of handling casts to a subtype. Currently, when we explicitly or implicitly cast to a subtype, the permissions of this subtype are assumed. Our access predicate logic does not support an easy fix for this.
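An added illustration in Viper of the two encodings the description contrasts; it is not code from the PR or the converter, and the predicate, field and method names (`Animal_shared`, `Dog_shared`, `value`, `breed`, `readInlined`, `readDeclared`) are assumed stand-ins for whatever the converter generates. It shows why the inhaled form verifies without ever checking the caller, and why the `requires` form surfaces the supertype case mentioned above.

```viper
// Added example, not from the PR. Field and predicate names are assumed.
field value: Int
field breed: Int

// Assumed shape of generated shared-access predicates for a supertype and a subtype.
predicate Animal_shared(this: Ref) { acc(this.value, wildcard) }
predicate Dog_shared(this: Ref)    { acc(this.value, wildcard) && acc(this.breed, wildcard) }

// Before: the permission is inhaled inside the body, so the method verifies
// regardless of what the caller holds; nothing is checked at the call site.
method readInlined(a: Ref) returns (r: Int)
{
  inhale acc(Animal_shared(a), wildcard)
  unfold acc(Animal_shared(a), wildcard)
  r := a.value
}

// After: the permission is part of the contract. The body may still use it,
// but every call site must now prove it holds Animal_shared(a).
method readDeclared(a: Ref) returns (r: Int)
  requires acc(Animal_shared(a), wildcard)
{
  unfold acc(Animal_shared(a), wildcard)
  r := a.value
}

// A caller that only holds the subtype's predicate for its argument.
method caller(d: Ref)
  requires acc(Dog_shared(d), wildcard)
{
  var x: Int
  x := readInlined(d)   // verifies: no precondition, caller's permissions never inspected
  x := readDeclared(d)  // fails: Dog_shared(d) does not give Animal_shared(d) (the upcast case)
}
```

The second call is the failure mode the description reports from the test cases: with the invariant in the precondition, a caller holding only the subtype's predicate cannot discharge the supertype's.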