[Civl] Introduction of pure Assert action

Source/Concurrency/YieldingProcDuplicator.cs

@@ -19,6 +19,7 @@ public class YieldingProcDuplicator : Duplicator
     private Dictionary<Procedure, Procedure> procToDuplicate; /* Original -> Duplicate */
     private AbsyMap absyMap; /* Duplicate -> Original */
     private Dictionary<string, Procedure> asyncCallPreconditionCheckers;
+    private Dictionary<string, Procedure> noRequiresPureProcedures;
 
     private LinearRewriter linearRewriter;
 
@@ -31,6 +32,7 @@ public YieldingProcDuplicator(CivlTypeChecker civlTypeChecker, int layerNum, boo
       this.procToDuplicate = [];
       this.absyMap = new AbsyMap();
       this.asyncCallPreconditionCheckers = [];
+      this.noRequiresPureProcedures = [];
       this.linearRewriter = new LinearRewriter(civlTypeChecker);
       this.doRefinementCheck = doRefinementCheck;
     }
@@ -129,27 +131,21 @@ public override Ensures VisitEnsures(Ensures node)
     #region Implementation duplication
 
     private YieldProcedureDecl enclosingYieldingProc;
-    private Block enclosingBlock;
-    private bool inPredicatePhase;
 
     private List<Cmd> newCmdSeq;
 
-    private Dictionary<CtorType, Variable> returnedPAs;
-
     private Dictionary<string, Variable> addedLocalVariables;
 
     public override Implementation VisitImplementation(Implementation impl)
     {
       enclosingYieldingProc = (YieldProcedureDecl)impl.Proc;
       Debug.Assert(layerNum <= enclosingYieldingProc.Layer);
 
-      returnedPAs = new Dictionary<CtorType, Variable>();
       addedLocalVariables = new Dictionary<string, Variable>();
 
       Implementation newImpl = base.VisitImplementation(impl);
       newImpl.Name = newImpl.Proc.Name;
 
-      newImpl.LocVars.AddRange(returnedPAs.Values);
       newImpl.LocVars.AddRange(addedLocalVariables.Values);
 
       absyMap[newImpl] = impl;
@@ -158,9 +154,7 @@ public override Implementation VisitImplementation(Implementation impl)
 
     public override Block VisitBlock(Block node)
     {
-      enclosingBlock = node;
       var block = base.VisitBlock(node);
-      enclosingBlock = null;
       absyMap[block] = node;
       return block;
     }
@@ -173,19 +167,7 @@ public override Cmd VisitAssertCmd(AssertCmd node)
         assertCmd.Expr = Expr.True;
         return assertCmd;
       }
-      if (layerNum != enclosingYieldingProc.Layer)
-      {
-        return assertCmd;
-      }
-      bool insideLoopInvariantOfYieldingLoop = enclosingYieldingProc.IsYieldingLoopHeaderAtProcedureLayer(enclosingBlock) && inPredicatePhase;
-      if (insideLoopInvariantOfYieldingLoop)
-      {
-        return doRefinementCheck ? new AssumeCmd(node.tok, assertCmd.Expr, node.Attributes) : assertCmd;
-      }
-      else
-      {
-        return doRefinementCheck ? assertCmd : new AssumeCmd(node.tok, assertCmd.Expr, node.Attributes);
-      }
+      return doRefinementCheck ? new AssumeCmd(node.tok, assertCmd.Expr, node.Attributes) : assertCmd;
     }
 
     public override Cmd VisitCallCmd(CallCmd call)
@@ -209,7 +191,6 @@ public override Cmd VisitParCallCmd(ParCallCmd parCall)
     public override List<Cmd> VisitCmdSeq(List<Cmd> cmdSeq)
     {
       newCmdSeq = new List<Cmd>();
-      inPredicatePhase = true;
       foreach (var cmd in cmdSeq)
       {
         Cmd newCmd = (Cmd) Visit(cmd);
@@ -225,7 +206,6 @@ public override List<Cmd> VisitCmdSeq(List<Cmd> cmdSeq)
         {
           newCmdSeq.Add(newCmd);
         }
-        inPredicatePhase = inPredicatePhase && (cmd is PredicateCmd || cmd is CallCmd callCmd && callCmd.Proc is YieldInvariantDecl);
       }
       return newCmdSeq;
     }
@@ -302,7 +282,7 @@ cmd is AssertCmd assertCmd && makeAssume
           }
           else
           {
-            newCmdSeq.Add(newCall);
+            DesugarPureCall(newCall);
           }
         }
         return;
@@ -553,21 +533,39 @@ private void AddDuplicateCall(CallCmd newCall, bool makeParallel)
 
     private void DesugarAsyncCall(CallCmd newCall)
     {
-      if (!asyncCallPreconditionCheckers.ContainsKey(newCall.Proc.Name))
+      if (!asyncCallPreconditionCheckers.TryGetValue(newCall.Proc.Name, out Procedure checker))
       {
-        asyncCallPreconditionCheckers[newCall.Proc.Name] = DeclHelper.Procedure(
+        checker = DeclHelper.Procedure(
           civlTypeChecker.AddNamePrefix($"AsyncCall_{newCall.Proc.Name}_{layerNum}"),
           newCall.Proc.InParams, newCall.Proc.OutParams,
           procToDuplicate[newCall.Proc].Requires, [], [], []);
+        asyncCallPreconditionCheckers[newCall.Proc.Name] = checker;
       }
-
-      var asyncCallPreconditionChecker = asyncCallPreconditionCheckers[newCall.Proc.Name];
       newCall.IsAsync = false;
-      newCall.Proc = asyncCallPreconditionChecker;
+      newCall.Proc = checker;
       newCall.callee = newCall.Proc.Name;
       newCmdSeq.Add(newCall);
     }
 
+    private void DesugarPureCall(CallCmd newCall)
+    {
+      if (doRefinementCheck)
+      {
+        if (!noRequiresPureProcedures.TryGetValue(newCall.Proc.Name, out Procedure checker))
+        {
+          checker = DeclHelper.Procedure(
+            civlTypeChecker.AddNamePrefix($"NoRequires_{newCall.Proc.Name}_{layerNum}"),
+            newCall.Proc.InParams, newCall.Proc.OutParams,
+            [], [], new List<Ensures>(newCall.Proc.Ensures), []);
+          noRequiresPureProcedures[newCall.Proc.Name] = checker;
+        }
+        newCall.IsAsync = false;
+        newCall.Proc = checker;
+        newCall.callee = newCall.Proc.Name;
+      }
+      newCmdSeq.Add(newCall);
+    }
+
     #endregion
 
     public List<Declaration> Collect()
@@ -577,6 +575,7 @@ public List<Declaration> Collect()
       var newImpls = absyMap.Keys.OfType<Implementation>();
       decls.AddRange(newImpls);
       decls.AddRange(asyncCallPreconditionCheckers.Values);
+      decls.AddRange(noRequiresPureProcedures.Values);
       decls.AddRange(YieldingProcInstrumentation.TransformImplementations(
         civlTypeChecker,
         layerNum,

Source/Core/AST/Absy.cs

@@ -3301,11 +3301,6 @@ public bool IsYieldingLoopHeader(Block block, int layerNum)
       }
       return layerNum <= YieldingLoops[block].Layer;
     }
-
-    public bool IsYieldingLoopHeaderAtProcedureLayer(Block block)
-    {
-      return IsYieldingLoopHeader(block, Layer);
-    }
   }
 
   public class LoopProcedure : Procedure

Source/Core/AST/Commands/CallCmd.cs

@@ -283,55 +283,59 @@ private void TypecheckCallCmdInYieldProcedureDecl(TypecheckingContext tc)
       return;
     }
 
+    void CheckRefinedChainIsLeftMover(YieldProcedureDecl callerDecl, YieldProcedureDecl calleeDecl)
+    {
+      var highestRefinedActionDecl = calleeDecl.RefinedActionAtLayer(callerDecl.Layer);
+      var calleeRefinedAction = calleeDecl.RefinedAction;
+      while (calleeRefinedAction != null)
+      {
+        var calleeActionDecl = calleeRefinedAction.ActionDecl;
+        if (!calleeActionDecl.IsLeftMover)
+        {
+          tc.Error(this,
+            $"callee abstraction in synchronized call must be a left mover: {calleeActionDecl.Name}");
+          break;
+        }
+        if (calleeActionDecl == highestRefinedActionDecl)
+        {
+          break;
+        }
+        calleeRefinedAction = calleeActionDecl.RefinedAction;
+      }
+    }
+
     // check layers
     if (Proc is YieldProcedureDecl calleeDecl)
     {
-      var isSynchronized = this.HasAttribute(CivlAttributes.SYNC);
       if (calleeDecl.Layer > callerDecl.Layer)
       {
         tc.Error(this, "layer of callee must not be more than layer of caller");
+        return;
+      }
+      if (!calleeDecl.HasMoverType && calleeDecl.RefinedAction == null)
+      {
+        return;
       }
-      else if (!calleeDecl.HasMoverType)
+      var isSynchronized = this.HasAttribute(CivlAttributes.SYNC);
+      if (IsAsync && !isSynchronized)
       {
+        tc.Error(this, "async call must be synchronized");
+        return;
+      }
+      // call is synchronous or synchronized
+      if (!calleeDecl.HasMoverType)
+      {
+        Debug.Assert(calleeDecl.RefinedAction != null);
         if (callerDecl.Layer > calleeDecl.Layer)
         {
-          if (calleeDecl.RefinedAction != null)
+          var highestRefinedActionDecl = calleeDecl.RefinedActionAtLayer(callerDecl.Layer);
+          if (highestRefinedActionDecl == null)
           {
-            var highestRefinedActionDecl = calleeDecl.RefinedActionAtLayer(callerDecl.Layer);
-            if (highestRefinedActionDecl == null)
-            {
-              tc.Error(this, $"called action is not available at layer {callerDecl.Layer}");
-            }
-            else
-            {
-              if (IsAsync)
-              {
-                if (isSynchronized)
-                {
-                  // check that entire chain of refined actions all the way to highestRefinedAction is comprised of left movers
-                  var calleeRefinedAction = calleeDecl.RefinedAction;
-                  while (calleeRefinedAction != null)
-                  {
-                    var calleeActionDecl = calleeRefinedAction.ActionDecl;
-                    if (!calleeActionDecl.IsLeftMover)
-                    {
-                      tc.Error(this,
-                        $"callee abstraction in synchronized call must be a left mover: {calleeActionDecl.Name}");
-                      break;
-                    }
-                    if (calleeActionDecl == highestRefinedActionDecl)
-                    {
-                      break;
-                    }
-                    calleeRefinedAction = calleeActionDecl.RefinedAction;
-                  }
-                }
-                else if (callerDecl.HasMoverType)
-                {
-                  tc.Error(this, "async call must be synchronized in mover procedure");
-                }
-              }
-            }
+            tc.Error(this, $"called action is not available at layer {callerDecl.Layer}");
+          }
+          else if (IsAsync)
+          {
+            CheckRefinedChainIsLeftMover(callerDecl, calleeDecl);
           }
         }
         else // callerDecl.Layer == calleeDecl.Layer
@@ -340,20 +344,9 @@ private void TypecheckCallCmdInYieldProcedureDecl(TypecheckingContext tc)
           {
             tc.Error(this, "caller must not be a mover procedure");
           }
-          else if (IsAsync && calleeDecl.RefinedAction != null)
+          else if (IsAsync)
           {
-            if (isSynchronized)
-            {
-              tc.Error(this, "layer of callee in synchronized call must be less than layer of caller");
-            }
-            else
-            {
-              var highestRefinedAction = calleeDecl.RefinedActionAtLayer(callerDecl.Layer + 1);
-              if (highestRefinedAction == null)
-              {
-                tc.Error(this, $"called action is not available at layer {callerDecl.Layer + 1}");
-              }
-            }
+            tc.Error(this, "layer of callee in synchronized call must be less than layer of caller");
           }
         }
       }
@@ -363,18 +356,12 @@ private void TypecheckCallCmdInYieldProcedureDecl(TypecheckingContext tc)
         {
           tc.Error(this, "layer of caller must be equal to layer of callee");
         }
-        else
+        else if (IsAsync)
         {
-          if (IsAsync)
+          Debug.Assert(isSynchronized);
+          if (!calleeDecl.IsLeftMover)
           {
-            if (!isSynchronized)
-            {
-              tc.Error(this, "async call to mover procedure must be synchronized");
-            }
-            else if (!calleeDecl.IsLeftMover)
-            {
-              tc.Error(this, "callee in synchronized call must be a left mover");
-            }
+            tc.Error(this, "callee in synchronized call must be a left mover");
           }
         }
       }
@@ -402,7 +389,7 @@ private void TypecheckCallCmdInYieldProcedureDecl(TypecheckingContext tc)
         }
         else
         {
-          // Check global outputs only; the checking of local outputs is done later
+          // Check global outputs only; the checking of local outputs is done separately
           var calleeLayer = Layers[0];
           var globalOutputs = Outs.Select(ie => ie.Decl).OfType<GlobalVariable>().Cast<Variable>();
           if (CivlPrimitives.LinearPrimitives.Contains(Proc.Name))
@@ -513,7 +500,8 @@ public override void Typecheck(TypecheckingContext tc)
         var actual = Outs[i];
         if (actual.Decl is GlobalVariable)
         {
-          if (!Proc.IsPure) // global outputs of pure calls already checked
+          // layer range for global outputs of pure calls checked in TypecheckCallCmdInYieldProcedureDecl
+          if (!Proc.IsPure)
           {
             tc.Error(actual, $"global variable directly modified in a yield procedure: {actual.Decl.Name}");
           }
@@ -537,7 +525,7 @@ public override void Typecheck(TypecheckingContext tc)
         }
         else if (modifiedArgument is { Decl: GlobalVariable })
         {
-          // already done in TypecheckCallCmdInYieldProcedureDecl
+          // checked in TypecheckCallCmdInYieldProcedureDecl
         }
         else
         {

Source/Core/base.bpl

@@ -338,3 +338,8 @@ datatype Unit { Unit() }
 function {:inline} UnitSet(): Set Unit {
   Set_Add(Set_Empty(), Unit())
 }
+
+pure action Assert(b: bool)
+{
+  assert b;
+}

Test/civl/large-samples/GC.bpl

@@ -301,7 +301,7 @@ preserves call Yield_Iso();
 preserves call Yield_Lock();
 requires {:layer 95, 96, 99} tid->i == i;
 {
-    assert {:layer 100} mutatorTidWhole(tid) && rootAddr(x) && tidOwns(tid, x) && fieldAddr(f) && rootAddr(y) && tidOwns(tid, y) && memAddrAbs(rootAbs[x]);
+    call {:layer 100} Assert(mutatorTidWhole(tid) && rootAddr(x) && tidOwns(tid, x) && fieldAddr(f) && rootAddr(y) && tidOwns(tid, y) && memAddrAbs(rootAbs[x]));
     call WriteBarrier(tid, i, y);
     call Yield_Iso() | Yield_WriteField(tid, x, y);
     call WriteFieldRaw(tid, x, f, y) | Yield_Lock();
@@ -1936,7 +1936,8 @@ refines AtomicLockAcquire;
 preserves call Yield_Lock();
 {
     var status:bool;
-    assert {:layer 95} tid->i != 0;
+
+    call {:layer 95} Assert(tid->i != 0);
     while (true)
         invariant {:yields} true;
         invariant call Yield_Lock();

Test/civl/large-samples/cache-coherence.bpl

@@ -357,7 +357,7 @@ refines atomic action {:layer 2} _ {
   call Set_Put(cachePermissions, drp);
 }
 {
-  assert {:layer 1} Set_Contains(drp, One(CachePermission(i, Hash(ma))));
+  call {:layer 1} Assert(Set_Contains(drp, One(CachePermission(i, Hash(ma)))));
   call cache_evict_resp#0(i, ma);
   call {:layer 1} Set_Put(cachePermissions, drp);
 }
@@ -397,7 +397,7 @@ refines left action {:layer 2} _ {
   call Set_Put(cachePermissions, drp);
 }
 {
-  assert {:layer 1} Set_Contains(drp, One(CachePermission(i, Hash(ma))));
+  call {:layer 1} Assert(Set_Contains(drp, One(CachePermission(i, Hash(ma)))));
   call cache_read_resp#0(i, ma, v, s);
   call {:layer 1} Set_Put(cachePermissions, drp);
 }
@@ -722,7 +722,7 @@ refines left action {:layer 2} _ {
   call Set_Put(dirPermissions, dp);
 }
 {
-  assert {:layer 1} dp == WholeDirPermission(ma);
+  call {:layer 1} Assert(dp == WholeDirPermission(ma));
   call dir_req_end#0(ma, dirState);
   call {:layer 1} Set_Put(dirPermissions, dp);
 }