Allow multiple loop invariants for the same function, prefer same-module (#549)

* Allow multiple loop invariants for the same function, prefer same-module

When multiple modules provide a loop invariant for the same target
function and label, prefer the one from the same module as the target
function instead of erroring. Still errors on genuinely ambiguous cases.

Moves loop invariant resolution from PackageTargets to
FunctionTargetsHolder, collecting candidates during attribute scanning
and resolving them at holder construction time.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add secondary location labels to ambiguous loop invariant errors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Restore flaky vec_map/remove.move.snap from main

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: andreistefanescu

crates/move-prover-boogie-backend/src/generator.rs

@@ -790,6 +790,7 @@ pub fn create_and_process_bytecode(
             targets.add_target(&func_env);
         }
     }
+    targets.resolve_loop_invariants(env);
 
     // Populate initial number operation state for each function and struct based on the pragma
     create_init_num_operation_state(env, &options.prover);
@@ -855,6 +856,7 @@ fn run_escape(env: &GlobalEnv, targets: &PackageTargets, options: &Options, now:
             targets.add_target(&func_env);
         }
     }
+    targets.resolve_loop_invariants(env);
     println!(
         "Analyzing {} modules, {} declared functions, {} declared structs, {} total bytecodes",
         env.get_module_count(),

crates/move-stackless-bytecode/src/function_target_pipeline.rs

@@ -44,6 +44,7 @@ pub struct FunctionTargetsHolder {
     package_targets: PackageTargets,
     function_specs: BiBTreeMap<QualifiedId<FunId>, QualifiedId<FunId>>,
     datatype_invs: BiBTreeMap<QualifiedId<DatatypeId>, QualifiedId<FunId>>,
+    loop_invariants: BTreeMap<QualifiedId<FunId>, BiBTreeMap<QualifiedId<FunId>, usize>>,
     target: FunctionHolderTarget,
     prover_options: ProverOptions,
 }
@@ -186,6 +187,7 @@ impl FunctionTargetsHolder {
             targets: BTreeMap::new(),
             function_specs: BiBTreeMap::new(),
             datatype_invs: BiBTreeMap::new(),
+            loop_invariants: BTreeMap::new(),
             prover_options,
             target,
             package_targets: package_targets.clone(),
@@ -366,11 +368,100 @@ impl FunctionTargetsHolder {
         self.package_targets.spec_timeouts().get(id)
     }
 
+    /// Resolve loop invariant candidates into the final map.
+    /// When multiple invariant functions target the same (target_func, label),
+    /// prefer the one from the same module as the spec selected by this holder.
+    pub fn resolve_loop_invariants(&mut self, env: &GlobalEnv) {
+        for (target_id, entries) in self.package_targets.loop_invariant_candidates() {
+            // group by label, checking for duplicate inv_funcs
+            let mut by_label: BTreeMap<usize, Vec<QualifiedId<FunId>>> = BTreeMap::new();
+            let mut func_to_label: BTreeMap<QualifiedId<FunId>, usize> = BTreeMap::new();
+            let mut has_error = false;
+
+            for (inv_id, label) in entries {
+                if let Some(&existing_label) = func_to_label.get(inv_id) {
+                    if existing_label != *label {
+                        env.diag(
+                            Severity::Error,
+                            &env.get_function(*inv_id).get_loc(),
+                            &format!(
+                                "Loop invariant function {} targets multiple labels ({} and {}) in {}",
+                                env.get_function(*inv_id).get_full_name_str(),
+                                existing_label,
+                                label,
+                                env.get_function(*target_id).get_full_name_str()
+                            ),
+                        );
+                        has_error = true;
+                    }
+                    continue;
+                }
+                func_to_label.insert(*inv_id, *label);
+                by_label.entry(*label).or_default().push(*inv_id);
+            }
+
+            if has_error {
+                continue;
+            }
+
+            // find the spec module for this target function;
+            // if the target itself is a spec, use its own module
+            let spec_module = self
+                .get_spec_by_fun(target_id)
+                .map(|spec_id| spec_id.module_id)
+                .unwrap_or(target_id.module_id);
+
+            let mut resolved: BiBTreeMap<QualifiedId<FunId>, usize> = BiBTreeMap::new();
+
+            for (label, inv_ids) in by_label {
+                let winner = if inv_ids.len() == 1 {
+                    inv_ids[0]
+                } else {
+                    // prefer the invariant from the same module as the spec
+                    let in_spec_module: Vec<_> = inv_ids
+                        .iter()
+                        .filter(|id| id.module_id == spec_module)
+                        .copied()
+                        .collect();
+
+                    if in_spec_module.len() == 1 {
+                        in_spec_module[0]
+                    } else {
+                        let labels = inv_ids
+                            .iter()
+                            .map(|id| {
+                                let f = env.get_function(*id);
+                                (f.get_loc(), f.get_full_name_str())
+                            })
+                            .collect::<Vec<_>>();
+                        env.diag_with_labels(
+                            Severity::Error,
+                            &env.get_function(*target_id).get_loc(),
+                            &format!(
+                                "Ambiguous loop invariants for label {} in {}",
+                                label,
+                                env.get_function(*target_id).get_full_name_str(),
+                            ),
+                            labels,
+                        );
+                        continue;
+                    }
+                };
+
+                resolved.insert(winner, label);
+            }
+
+            if !resolved.is_empty() {
+                self.loop_invariants.insert(*target_id, resolved);
+            }
+        }
+    }
+
     pub fn get_loop_invariants(
         &self,
         id: &QualifiedId<FunId>,
     ) -> Option<&BiBTreeMap<QualifiedId<FunId>, usize>> {
-        self.package_targets.loop_invariants().get(id)
+        self.loop_invariants.get(id)
     }
 
     pub fn get_uninterpreted_functions(
@@ -445,8 +536,7 @@ impl FunctionTargetsHolder {
     pub fn get_loop_inv_with_targets(
         &self,
     ) -> BiBTreeMap<QualifiedId<FunId>, BTreeSet<QualifiedId<FunId>>> {
-        self.package_targets
-            .loop_invariants()
+        self.loop_invariants
             .iter()
             .map(|(target_fun_id, invs)| {
                 (

crates/move-stackless-bytecode/src/package_targets.rs

@@ -1,5 +1,4 @@
 use crate::target_filter::TargetFilterOptions;
-use bimap::BiBTreeMap;
 use codespan_reporting::diagnostic::Severity;
 use move_binary_format::file_format::FunctionHandleIndex;
 use move_compiler::{
@@ -43,7 +42,7 @@ pub struct PackageTargets {
     spec_uninterpreted_functions: BTreeMap<QualifiedId<FunId>, BTreeSet<QualifiedId<FunId>>>,
     spec_boogie_options: BTreeMap<QualifiedId<FunId>, String>,
     spec_timeouts: BTreeMap<QualifiedId<FunId>, u64>,
-    loop_invariants: BTreeMap<QualifiedId<FunId>, BiBTreeMap<QualifiedId<FunId>, usize>>,
+    loop_invariant_candidates: BTreeMap<QualifiedId<FunId>, Vec<(QualifiedId<FunId>, usize)>>,
     module_external_attributes: BTreeMap<ModuleId, BTreeSet<ModuleExternalSpecAttribute>>,
     function_external_attributes:
         BTreeMap<QualifiedId<FunId>, BTreeSet<ModuleExternalSpecAttribute>>,
@@ -82,7 +81,7 @@ impl PackageTargets {
             spec_uninterpreted_functions: BTreeMap::new(),
             spec_boogie_options: BTreeMap::new(),
             spec_timeouts: BTreeMap::new(),
-            loop_invariants: BTreeMap::new(),
+            loop_invariant_candidates: BTreeMap::new(),
             module_external_attributes: BTreeMap::new(),
             function_external_attributes: BTreeMap::new(),
             module_extra_bpl: BTreeMap::new(),
@@ -200,53 +199,10 @@ impl PackageTargets {
         if let Some(target_func_env) =
             module_env.find_function(func_env.symbol_pool().make(fun_name.as_str()))
         {
-            if let Some(existing) = self
-                .loop_invariants
-                .get_mut(&target_func_env.get_qualified_id())
-            {
-                match existing.insert(func_env.get_qualified_id(), label) {
-                    bimap::Overwritten::Neither => {}
-                    bimap::Overwritten::Left(..) => {
-                        env.diag(
-                            Severity::Error,
-                            &func_env.get_loc(),
-                            &format!(
-                                "Duplicated Loop Invariant Function {} in {}",
-                                func_env.get_full_name_str(),
-                                fun_name
-                            ),
-                        );
-                        return;
-                    }
-                    bimap::Overwritten::Right(..) => {
-                        env.diag(
-                            Severity::Error,
-                            &func_env.get_loc(),
-                            &format!("Duplicated Loop Invariant Label {} in {}", label, fun_name),
-                        );
-                        return;
-                    }
-                    bimap::Overwritten::Both(..) | bimap::Overwritten::Pair(..) => {
-                        env.diag(
-                            Severity::Error,
-                            &func_env.get_loc(),
-                            &format!(
-                                "Duplicated Loop Invariant Function {} and Label {} in {}",
-                                func_env.get_full_name_str(),
-                                label,
-                                fun_name
-                            ),
-                        );
-                    }
-                }
-            } else {
-                self.loop_invariants
-                    .insert(target_func_env.get_qualified_id(), {
-                        let mut map = BiBTreeMap::new();
-                        map.insert(func_env.get_qualified_id(), label);
-                        map
-                    });
-            }
+            self.loop_invariant_candidates
+                .entry(target_func_env.get_qualified_id())
+                .or_default()
+                .push((func_env.get_qualified_id(), label));
         } else {
             env.diag(
                 Severity::Error,
@@ -1011,10 +967,10 @@ impl PackageTargets {
         &self.spec_timeouts
     }
 
-    pub fn loop_invariants(
+    pub fn loop_invariant_candidates(
         &self,
-    ) -> &BTreeMap<QualifiedId<FunId>, BiBTreeMap<QualifiedId<FunId>, usize>> {
-        &self.loop_invariants
+    ) -> &BTreeMap<QualifiedId<FunId>, Vec<(QualifiedId<FunId>, usize)>> {
+        &self.loop_invariant_candidates
     }
 
     pub fn get_module_extra_bpl(&self, module_id: &ModuleId) -> Option<&String> {

crates/move-stackless-bytecode/tests/testsuite.rs

@@ -195,6 +195,7 @@ fn test_runner(path: &Path) -> datatest_stable::Result<()> {
                 targets.add_target(&func_env);
             }
         }
+        targets.resolve_loop_invariants(&env);
         let show_livevars = std::env::var("STACKLESS_TEST_SHOW_LIVENESS").is_ok();
         let show_borrow = true;
         let show_reach = std::env::var("STACKLESS_TEST_SHOW_REACHING_DEFS").is_ok();

crates/sui-prover/src/build_model.rs

@@ -126,6 +126,7 @@ pub fn build_model_with_target(
             targets.add_target(&func_env);
         }
     }
+    targets.resolve_loop_invariants(&model);
 
     Ok((model, rerooted_path, targets))
 }

crates/sui-prover/tests/inputs/loop_invariant/external_multi_module.ok.move

@@ -0,0 +1,32 @@
+// Two modules provide a loop invariant for the same spec function.
+// The invariant in the same module as the spec should be selected.
+module 0x42::other_specs {
+    #[allow(unused_variable)]
+    #[spec_only(loop_inv(target = 0x42::my_specs::test_spec))]
+    #[ext(no_abort)]
+    fun loop_inv_other(i: u64, n: u64): bool {
+        // This invariant is intentionally too weak; it would fail if selected.
+        true
+    }
+}
+
+module 0x42::my_specs {
+    use prover::prover::ensures;
+
+    #[spec_only(loop_inv(target = test_spec))]
+    #[ext(no_abort)]
+    fun loop_inv(i: u64, n: u64): bool {
+        i <= n
+    }
+
+    #[spec(prove)]
+    fun test_spec(n: u64) {
+        let mut i = 0;
+
+        while (i < n) {
+            i = i + 1;
+        };
+
+        ensures(i == n);
+    }
+}

crates/sui-prover/tests/snapshots/loop_invariant/external_multi_module.ok.move.snap

@@ -0,0 +1,5 @@
+---
+source: crates/sui-prover/tests/integration.rs
+expression: output
+---
+Verification successful

crates/sui-prover/tests/snapshots/loop_invariant/external_wrong_label_2.fail.move.snap

@@ -1,13 +1,26 @@
 ---
 source: crates/sui-prover/tests/integration.rs
-assertion_line: 262
 expression: output
 ---
 exiting with bytecode transformation errors
-error: Duplicated Loop Invariant Label 0 in test_spec
-   ┌─ tests/inputs/loop_invariant/external_wrong_label_2.fail.move:13:1
-   │  
-13 │ ╭ fun loop_inv_2(i: u64, n: u64, s: u128): bool {
-14 │ │     i <= n && (s == (i as u128) * ((i as u128) + 1) / 2)
-15 │ │ }
-   │ ╰─^
+error: Ambiguous loop invariants for label 0 in loop_invariant_external_wrong_label_2_fail::test_spec
+   ┌─ tests/inputs/loop_invariant/external_wrong_label_2.fail.move:18:1
+   │      
+ 7 │   ╭   fun loop_inv_1(i: u64, n: u64, s: u128): bool {
+ 8 │   │       i <= n && (s == (i as u128) * ((i as u128) + 1) / 2)
+ 9 │   │   }
+   │   ╰───' loop_invariant_external_wrong_label_2_fail::loop_inv_1
+   ·   │  
+13 │     ╭ fun loop_inv_2(i: u64, n: u64, s: u128): bool {
+14 │     │     i <= n && (s == (i as u128) * ((i as u128) + 1) / 2)
+15 │     │ }
+   │     ╰─' loop_invariant_external_wrong_label_2_fail::loop_inv_2
+   ·     │
+18 │ ╭     fun test_spec(n: u64): u128 {
+19 │ │         let mut s: u128 = 0;
+20 │ │         let mut i = 0;
+21 │ │     
+   · │    
+28 │ │         s
+29 │ │     }
+   │ ╰─────^