feat: rename concat -> append_pure; add 6 vector pure variants; new InsertAtVec

vector_ext renames + new functions:
- concat -> append_pure (matches std::vector::append; updates 5 test files
  that imported concat)
- push_back_pure, pop_back_pure, push_front_pure, pop_front_pure,
  insert_pure, remove_pure — functional variants of std::vector ops
  (push_front/pop_front have no std counterpart)

Boogie:
- New InsertAtVec<T>(v, i, e) primitive in all three vector theories
  (vector-array, vector-array-intern, vector-smt-seq), parallel to
  RemoveAtVec.
- vector_ext pure helpers use InsertAtVec / RemoveAtVec / InRangeVec
  consistently.
- Fixed swapped argument order in $1_vector_insert{S}: Move signature
  is insert(v, e, i) but the Boogie procedure had (m, i, e) — corrected
  to (m, e, i). Was unused by any prior test, surfaced now by
  vector_ext::insert_pure's test_insert_matches.

Tests: 7 *_pure tests for vector_ext, all verifying the functional
helpers match the corresponding mutating ops via reference equality.

All 436 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: andreistefanescu

crates/move-model/src/model.rs

@@ -1647,7 +1647,13 @@ impl GlobalEnv {
     const PROVER_VEC_SUM: &'static str = "sum";
     const PROVER_VEC_SUM_RANGE: &'static str = "sum_range";
     const PROVER_VEC_SLICE: &'static str = "slice";
-    const PROVER_VEC_CONCAT: &'static str = "concat";
+    const PROVER_VEC_APPEND_PURE: &'static str = "append_pure";
+    const PROVER_VEC_PUSH_BACK_PURE: &'static str = "push_back_pure";
+    const PROVER_VEC_POP_BACK_PURE: &'static str = "pop_back_pure";
+    const PROVER_VEC_PUSH_FRONT_PURE: &'static str = "push_front_pure";
+    const PROVER_VEC_POP_FRONT_PURE: &'static str = "pop_front_pure";
+    const PROVER_VEC_INSERT_PURE: &'static str = "insert_pure";
+    const PROVER_VEC_REMOVE_PURE: &'static str = "remove_pure";
 
     // vector function names
     const VECTOR_REVERSE_FUNCTION_NAME: &'static str = "reverse";
@@ -2195,12 +2201,60 @@ impl GlobalEnv {
         self.get_fun_qid_opt(Self::PROVER_VECTOR_MODULE_NAME, Self::PROVER_VEC_SLICE)
     }
 
-    pub fn prover_vec_concat_qid(&self) -> QualifiedId<FunId> {
-        self.get_fun_qid(Self::PROVER_VECTOR_EXT_MODULE_NAME, Self::PROVER_VEC_CONCAT)
+    pub fn prover_vec_append_pure_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_APPEND_PURE,
+        )
+    }
+
+    pub fn prover_vec_append_pure_qid_opt(&self) -> Option<QualifiedId<FunId>> {
+        self.get_fun_qid_opt(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_APPEND_PURE,
+        )
+    }
+
+    pub fn prover_vec_push_back_pure_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_PUSH_BACK_PURE,
+        )
+    }
+
+    pub fn prover_vec_pop_back_pure_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_POP_BACK_PURE,
+        )
     }
 
-    pub fn prover_vec_concat_qid_opt(&self) -> Option<QualifiedId<FunId>> {
-        self.get_fun_qid_opt(Self::PROVER_VECTOR_EXT_MODULE_NAME, Self::PROVER_VEC_CONCAT)
+    pub fn prover_vec_push_front_pure_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_PUSH_FRONT_PURE,
+        )
+    }
+
+    pub fn prover_vec_pop_front_pure_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_POP_FRONT_PURE,
+        )
+    }
+
+    pub fn prover_vec_insert_pure_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_INSERT_PURE,
+        )
+    }
+
+    pub fn prover_vec_remove_pure_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_EXT_MODULE_NAME,
+            Self::PROVER_VEC_REMOVE_PURE,
+        )
     }
 
     pub fn vector_module_id(&self) -> ModuleId {
@@ -3657,7 +3711,13 @@ impl GlobalEnv {
                 self.prover_vec_sum_qid(),
                 self.prover_vec_sum_range_qid(),
                 self.prover_vec_slice_qid(),
-                self.prover_vec_concat_qid(),
+                self.prover_vec_append_pure_qid(),
+                self.prover_vec_push_back_pure_qid(),
+                self.prover_vec_pop_back_pure_qid(),
+                self.prover_vec_push_front_pure_qid(),
+                self.prover_vec_pop_front_pure_qid(),
+                self.prover_vec_insert_pure_qid(),
+                self.prover_vec_remove_pure_qid(),
             ]);
         }
 
@@ -3906,7 +3966,13 @@ impl GlobalEnv {
                 self.prover_vec_sum_qid(),
                 self.prover_vec_sum_range_qid(),
                 self.prover_vec_slice_qid(),
-                self.prover_vec_concat_qid(),
+                self.prover_vec_append_pure_qid(),
+                self.prover_vec_push_back_pure_qid(),
+                self.prover_vec_pop_back_pure_qid(),
+                self.prover_vec_push_front_pure_qid(),
+                self.prover_vec_pop_front_pure_qid(),
+                self.prover_vec_insert_pure_qid(),
+                self.prover_vec_remove_pure_qid(),
             ]);
         }
 
@@ -4207,7 +4273,13 @@ impl GlobalEnv {
             self.vec_map_get_idx_opt_qid(),
             self.vec_map_keys_qid(),
             self.prover_vec_slice_qid_opt(),
-            self.prover_vec_concat_qid_opt(),
+            self.prover_vec_append_pure_qid_opt(),
+            if self.has_prover_vector_module() { Some(self.prover_vec_push_back_pure_qid()) } else { None },
+            if self.has_prover_vector_module() { Some(self.prover_vec_pop_back_pure_qid()) } else { None },
+            if self.has_prover_vector_module() { Some(self.prover_vec_push_front_pure_qid()) } else { None },
+            if self.has_prover_vector_module() { Some(self.prover_vec_pop_front_pure_qid()) } else { None },
+            if self.has_prover_vector_module() { Some(self.prover_vec_insert_pure_qid()) } else { None },
+            if self.has_prover_vector_module() { Some(self.prover_vec_remove_pure_qid()) } else { None },
             self.prover_vec_sum_qid_opt(),
             self.prover_vec_sum_range_qid_opt(),
             self.prover_range_qid_opt(),

crates/move-prover-boogie-backend/src/boogie_backend/prelude/native.bpl

@@ -222,7 +222,7 @@ procedure {:inline 1} $1_vector_rotate_slice{{S}}(m: $Mutation (Vec ({{T}})), le
     n := left + (right - rot);
 }
 
-procedure {:inline 1} $1_vector_insert{{S}}(m: $Mutation (Vec ({{T}})), i: int, e: {{T}}) returns (m': $Mutation (Vec ({{T}}))) {
+procedure {:inline 1} $1_vector_insert{{S}}(m: $Mutation (Vec ({{T}})), e: {{T}}, i: int) returns (m': $Mutation (Vec ({{T}}))) {
     var left_vec: Vec ({{T}});
     var right_vec: Vec ({{T}});
     var v: Vec ({{T}});
@@ -374,20 +374,50 @@ function {:inline} $0_vector_iter_slice{{S}}(v: Vec ({{T}}), start: int, end: in
     SliceVec(v, start, end)
 }
 
-function {:inline} $0_vector_ext_concat{{S}}(v1: Vec ({{T}}), v2: Vec ({{T}})): Vec ({{T}}) {
+// prover::vector_ext::append_pure — functional concatenation.
+function {:inline} $0_vector_ext_append_pure{{S}}(v1: Vec ({{T}}), v2: Vec ({{T}})): Vec ({{T}}) {
     ConcatVec(v1, v2)
 }
 
-// Total borrow: for in-range indices this is ReadVec(v, i); for out-of-range
-// indices the underlying vector theory returns an uninterpreted (but
-// deterministic) value — exactly the "unknown" semantics. Never aborts.
+// prover::vector_ext::borrow_or_unknown — total borrow. Out-of-range
+// returns an uninterpreted (but deterministic) value. Never aborts.
 procedure {:inline 1} $0_vector_ext_borrow_or_unknown{{S}}(v: Vec ({{T}}), i: int) returns (dst: {{T}}) {
     dst := ReadVec(v, i);
 }
 function {:inline} $0_vector_ext_borrow_or_unknown{{S}}$pure(v: Vec ({{T}}), i: int): {{T}} {
     ReadVec(v, i)
 }
 
+// prover::vector_ext::push_back_pure
+function {:inline} $0_vector_ext_push_back_pure{{S}}(v: Vec ({{T}}), e: {{T}}): Vec ({{T}}) {
+    ExtendVec(v, e)
+}
+
+// prover::vector_ext::pop_back_pure — drop last; unchanged if empty.
+function {:inline} $0_vector_ext_pop_back_pure{{S}}(v: Vec ({{T}})): Vec ({{T}}) {
+    (if LenVec(v) == 0 then v else SliceVec(v, 0, LenVec(v) - 1))
+}
+
+// prover::vector_ext::push_front_pure
+function {:inline} $0_vector_ext_push_front_pure{{S}}(v: Vec ({{T}}), e: {{T}}): Vec ({{T}}) {
+    InsertAtVec(v, 0, e)
+}
+
+// prover::vector_ext::pop_front_pure — drop first; unchanged if empty.
+function {:inline} $0_vector_ext_pop_front_pure{{S}}(v: Vec ({{T}})): Vec ({{T}}) {
+    (if LenVec(v) == 0 then v else RemoveAtVec(v, 0))
+}
+
+// prover::vector_ext::insert_pure — insert at i; unchanged if i > length.
+function {:inline} $0_vector_ext_insert_pure{{S}}(v: Vec ({{T}}), e: {{T}}, i: int): Vec ({{T}}) {
+    (if i > LenVec(v) then v else InsertAtVec(v, i, e))
+}
+
+// prover::vector_ext::remove_pure — remove at i; unchanged if i out of range.
+function {:inline} $0_vector_ext_remove_pure{{S}}(v: Vec ({{T}}), i: int): Vec ({{T}}) {
+    (if InRangeVec(v, i) then RemoveAtVec(v, i) else v)
+}
+
 {%- if instance.is_number -%}
 {%- if include_vec_sum -%}
 

crates/move-prover-boogie-backend/src/boogie_backend/prelude/vector-array-intern-theory.bpl

@@ -87,6 +87,18 @@ function {:inline} RemoveAtVec<T>(v: Vec T, i: int): Vec T {
         l)))
 }
 
+function {:inline} InsertAtVec<T>(v: Vec T, i: int, e: T): Vec T {
+    (var l := v->l + 1;
+    VecIntern(Vec(
+        (lambda j: int ::
+           if j >= 0 && j < l then
+               if j < i then v->v[j]
+               else if j == i then e
+               else v->v[j-1]
+           else DefaultVecElem()),
+        l)))
+}
+
 function {:inline} ConcatVec<T>(v1: Vec T, v2: Vec T): Vec T {
     (var l1, m1, l2, m2 := v1->l, v1->v, v2->l, v2->v;
     VecIntern(Vec(

crates/move-prover-boogie-backend/src/boogie_backend/prelude/vector-array-theory.bpl

@@ -64,6 +64,18 @@ function {:inline} RemoveAtVec<T>(v: Vec T, i: int): Vec T {
         l))
 }
 
+function {:inline} InsertAtVec<T>(v: Vec T, i: int, e: T): Vec T {
+    (var l := v->l + 1;
+    Vec(
+        (lambda j: int ::
+           if j >= 0 && j < l then
+               if j < i then v->v[j]
+               else if j == i then e
+               else v->v[j-1]
+           else DefaultVecElem()),
+        l))
+}
+
 function {:inline} ConcatVec<T>(v1: Vec T, v2: Vec T): Vec T {
     (var l1, m1, l2, m2 := v1->l, v1->v, v2->l, v2->v;
     Vec(

crates/move-prover-boogie-backend/src/boogie_backend/prelude/vector-smt-seq-theory.bpl

@@ -53,6 +53,10 @@ function {:inline} RemoveAtVec<T>(v: Vec T, i: int): Vec T {
     ConcatVec(SliceVec(v, 0, i), SliceVec(v, i + 1, LenVec(v)))
 }
 
+function {:inline} InsertAtVec<T>(v: Vec T, i: int, e: T): Vec T {
+    ConcatVec3(SliceVec(v, 0, i), MakeVec1(e), SliceVec(v, i, LenVec(v)))
+}
+
 function {:builtin "seq.++"} ConcatVec<T>(v1: Vec T, v2: Vec T): Vec T;
 /*private*/ function {:builtin "seq.++"} ConcatVec3<T>(v1: Vec T, v2: Vec T, v3: Vec T): Vec T;
 /*private*/ function {:builtin "seq.++"} ConcatVec4<T>(v1: Vec T, v2: Vec T, v3: Vec T, v4: Vec T): Vec T;

crates/sui-prover/tests/inputs/quantifiers/concat.ok.move

@@ -1,4 +1,4 @@
-// Tests for the prover::vector_ext::concat native. Also demonstrates using
+// Tests for the prover::vector_ext::append_pure native. Also demonstrates using
 // concat in a loop invariant to express the relationship between the already-
 // processed prefix and the unprocessed suffix of a source vector.
 
@@ -11,37 +11,37 @@ use prover::prover::{ensures, requires, invariant};
 #[spec_only]
 use prover::vector_iter::slice;
 #[spec_only]
-use prover::vector_ext::concat;
+use prover::vector_ext::append_pure;
 
 // Concrete values: concat of two literal vectors.
 #[spec(prove)]
 fun test_concat_concrete() {
     let v1 = vector[1u64, 2, 3];
     let v2 = vector[4u64, 5];
-    ensures(concat(&v1, &v2) == vector[1, 2, 3, 4, 5]);
+    ensures(append_pure(&v1, &v2) == vector[1, 2, 3, 4, 5]);
 }
 
 // Identity: concat with an empty vector on either side is the other vector.
 #[spec(prove)]
 fun test_concat_empty_left() {
     let empty: vector<u64> = vector[];
     let v = vector[1, 2, 3];
-    ensures(concat(&empty, &v) == v);
+    ensures(append_pure(&empty, &v) == v);
 }
 
 #[spec(prove)]
 fun test_concat_empty_right() {
     let v = vector[1, 2, 3];
     let empty: vector<u64> = vector[];
-    ensures(concat(&v, &empty) == v);
+    ensures(append_pure(&v, &empty) == v);
 }
 
 // Length additivity.
 #[spec(prove)]
 fun test_concat_length() {
     let v1 = vector[1u64, 2];
     let v2 = vector[3u64, 4, 5];
-    let r = concat(&v1, &v2);
+    let r = append_pure(&v1, &v2);
     ensures(vector::length(r) == vector::length(&v1) + vector::length(&v2));
 }
 
@@ -52,7 +52,7 @@ fun test_concat_of_slices(v: &vector<u64>, i: u64) {
     requires(i <= vector::length(v));
     let prefix = slice(v, 0, i);
     let suffix = slice(v, i, vector::length(v));
-    ensures(concat(prefix, suffix) == *v);
+    ensures(append_pure(prefix, suffix) == *v);
 }
 
 // Loop invariant expressed via concat: the vector built so far plus the
@@ -65,7 +65,7 @@ fun copy_vec(v: &vector<u64>): vector<u64> {
     invariant!(|| ensures(
         i <= n
             && vector::length(&r) == i
-            && concat(&r, slice(v, i, n)) == *v
+            && append_pure(&r, slice(v, i, n)) == *v
     ));
     while (i < n) {
         r.push_back(*vector::borrow(v, i));

crates/sui-prover/tests/inputs/quantifiers/filter_suffix_loop.ok.move

@@ -1,15 +1,15 @@
 // Loop test with a suffix invariant for `filter`, expressed via concat. The
 // invariant
 //
-//   concat(r, filter_range(v, i, n, p)) == filter(v, p)
+//   append_pure(r, filter_range(v, i, n, p)) == filter(v, p)
 //
 // needs the start-step direction of filter's recursive axiom to verify.
 
 module 0x42::filter_suffix_loop_ok;
 
 use prover::prover::{ensures, invariant};
 use prover::vector_iter::{filter, filter_range};
-use prover::vector_ext::concat;
+use prover::vector_ext::append_pure;
 
 #[ext(pure)]
 fun is_odd(x: &u64): bool {
@@ -22,7 +22,7 @@ fun filter_odds(v: &vector<u64>): vector<u64> {
     let mut r = vector[];
     invariant!(|| ensures(
         i <= n
-            && concat(&r, filter_range!(v, i, n, |x| is_odd(x))) == *filter!(v, |x| is_odd(x))
+            && append_pure(&r, filter_range!(v, i, n, |x| is_odd(x))) == *filter!(v, |x| is_odd(x))
     ));
     while (i < n) {
         if (is_odd(vector::borrow(v, i))) {

crates/sui-prover/tests/inputs/quantifiers/find_indices_suffix_loop.ok.move

@@ -1,7 +1,7 @@
 // Loop test with a suffix invariant for `find_indices`, expressed via concat.
 // The invariant
 //
-//   concat(r, find_indices_range(v, i, n, p)) == find_indices(v, p)
+//   append_pure(r, find_indices_range(v, i, n, p)) == find_indices(v, p)
 //
 // needs the start-step direction of find_indices's recursive axiom to verify
 // the loop body. find_indices uses compound-trigger recursive axioms so this
@@ -11,7 +11,7 @@ module 0x42::find_indices_suffix_loop_ok;
 
 use prover::prover::{ensures, invariant};
 use prover::vector_iter::{find_indices, find_indices_range};
-use prover::vector_ext::concat;
+use prover::vector_ext::append_pure;
 
 #[ext(pure)]
 fun is_odd(x: &u64): bool {
@@ -24,7 +24,7 @@ fun find_odd_indices(v: &vector<u64>): vector<u64> {
     let mut r = vector[];
     invariant!(|| ensures(
         i <= n
-            && concat(&r, find_indices_range!(v, i, n, |x| is_odd(x)))
+            && append_pure(&r, find_indices_range!(v, i, n, |x| is_odd(x)))
                 == *find_indices!(v, |x| is_odd(x))
     ));
     while (i < n) {

crates/sui-prover/tests/inputs/quantifiers/map_suffix_loop.ok.move

@@ -1,15 +1,15 @@
 // Loop test with a suffix invariant for `map`, expressed via concat. The
 // invariant
 //
-//   concat(r, map_range(v, i, n)) == map(v, f)
+//   append_pure(r, map_range(v, i, n)) == map(v, f)
 //
 // needs the start-step direction of map's recursive axiom to verify the body.
 
 module 0x42::map_suffix_loop_ok;
 
 use prover::prover::{ensures, invariant};
 use prover::vector_iter::{map, map_range};
-use prover::vector_ext::concat;
+use prover::vector_ext::append_pure;
 
 #[ext(pure)]
 fun double(x: &u64): u64 {
@@ -26,7 +26,7 @@ fun map_doubles(v: &vector<u64>): vector<u64> {
     let mut r = vector[];
     invariant!(|| ensures(
         i <= n
-            && concat(&r, map_range!(v, i, n, |x| double(x))) == *map!(v, |x| double(x))
+            && append_pure(&r, map_range!(v, i, n, |x| double(x))) == *map!(v, |x| double(x))
     ));
     while (i < n) {
         r.push_back(double(vector::borrow(v, i)));