Skip to content

Class/Trait Invariants #6313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 54 commits into
base: master
Choose a base branch
from
Open

Class/Trait Invariants #6313

wants to merge 54 commits into from

Conversation

@ssomayyajula
Copy link
Contributor

@ssomayyajula ssomayyajula commented Jul 20, 2025
edited
Loading

What was changed?

This PR introduces class and trait invariants as described in the updated reference manual (in this PR).

How has this been tested?

Tests in Source/IntegrationTests/TestFiles/LitTests/LitTest/invariants.

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

ssomayyajula and others added 30 commits May 14, 2025 13:40
@ssomayyajula
Support for parsing invariants in trait and class declarations
a7d3290 
TODO: source under SyntaxDeserializer needs to be properly regenerated
TODO: tests for parsing and resolving need to be completed
@ssomayyajula
resolution partially working but the lexical scope for invariants is …
8e6da68 
…not correct
@ssomayyajula
Correctly setting lexical scope for resolution of invariants
8bd76d9
@ssomayyajula
Fixed resolution incompletenesses + well-formedness/reads checks for …
ce72b84 
…invariants
@ssomayyajula
Check that invariants do not mention fields of supertype trait
51af362
@ssomayyajula
Merge branch 'master' into feat-invariants
0257ad1
@ssomayyajula
Better error message for resolution excluding trait variables
7392ba2
@ssomayyajula
Merge branch 'feat-invariants' of https://github.com/dafny-lang/dafny
482c4fb 
…into feat-invariants
@ssomayyajula
Merge remote-tracking branch 'origin/master' into feat-invariants
8fc38ed
@ssomayyajula
Ran make-deserializer and make-integration
1741f7c
@ssomayyajula
Hiding verification behind VerifyInvariants option
27e4b51
@ssomayyajula
Tests; erroring tests are crashing due to some poor interaction with …
80d1e59 
…refinement
@ssomayyajula
Fixing tests but there's an incompleteness with refinement
0463964
@ssomayyajula @robin-aws
Update Source/IntegrationTests/TestFiles/LitTests/LitTest/invariants/…
327082f 
…Expressivity.dfy

Co-authored-by: Robin Salkeld <[email protected]>
@ssomayyajula @robin-aws
Update Source/DafnyCore/Verifier/ReadFrameSubset.cs
60df788 
Co-authored-by: Robin Salkeld <[email protected]>
@ssomayyajula
- Invariants reimplemented to be MemberDecls, resolver modified accor…
119128a 
…dingly

- Wellformedness checks simplified, since they do not have to be scoped to an enclosing declaration
- VerifyInvariants renamed to CheckInvariants and is automatically checked when a MemberDecl is coerced to an Invariant
- Refinement is now implemented, solving issue in InheritedMemberError.dfy
- Printing now implemented
@ssomayyajula
Added Robin's suggestions for messages
4de68ff
@ssomayyajula
Forgot to actually add the Invariant AST node type
b33f062
@ssomayyajula
Merge remote-tracking branch 'origin/master' into feat-invariants
752792c
@ssomayyajula
Implemented Rustan's suggestion to have inherited member exclusion fr…
ec300ac 
…om invariants to be done as a visitor-based check
@ssomayyajula
Reran gen-integration and some more minor fixes
7b5b136
@ssomayyajula
Implementing invariant verification using rewriting
7800617
@ssomayyajula
Redo of invariants, as a subtype of predicates, using a combination o…
2c2c06c 
…f rewriting and axioms
@ssomayyajula
Reverting verification logic merged in from feat-invariant-verificati…
467428a 
…on, keeping invariant-as-predicate
@ssomayyajula
Removed needless special casing on invariants
1e67b23
@ssomayyajula
verification by rewriting
3fe9661
@ssomayyajula
added invariant member and using underlying clauses to effect verific…
5d354a8 
…ation
@ssomayyajula
Revamp of implementation, tests, but the Boogie being generated is on…
76357df 
…ly well-formed after printing
@ssomayyajula
Optimized implementation, most tests passing except generics due to l…
f2fa3cb 
…ack of triggers on type parameters
@ssomayyajula
Function well-formedness calling convention fixed and tests updated
88151ba
@ssomayyajula
Copy link
Contributor Author

Do we want to mention this as a new feature in the release notes for 4.11.0?

@robin-aws
Copy link
Member

Do we want to mention this as a new feature in the release notes for 4.11.0?

Absolutely at least add a docs/dev/news/*.feat note! Whether this makes it into 4.11 is a separate question (although I'm inclined towards yes - I think since we delayed it enough I'd rather start the code freeze over from master)

MikaelMayer
MikaelMayer reviewed Jul 29, 2025
View reviewed changes
Copy link
Member

@MikaelMayer MikaelMayer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will comment only the error messages, but otherwise it looks great !

robin-aws
robin-aws requested changes Jul 31, 2025
View reviewed changes
Copy link
Member

@robin-aws robin-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some initial comments on the reference manual for now

keyboardDrummer
keyboardDrummer reviewed Aug 1, 2025
View reviewed changes
@ssomayyajula
Added convenience assumption of this.invariant() for instance functio…
2978fb8 
…ns + feature announcement
@ssomayyajula
Trait invariants can be overridden; corrected malformed Boogie output…
7bbfe54 
… for member assignments
@ssomayyajula
Expect file
cb0dffa
@ssomayyajula
Conditional invariant axiom triggers now computed from invariant body…
ed3ffb7 
…, removes need for "convenience assumption" of invariants for objects in scope
@ssomayyajula
Fixed unsoundness in circularity detection between invariants and fun…
5690f14 
…ctions/methods by moving it to call graph builder
@ssomayyajula
Merge remote-tracking branch 'origin/master' into feat-invariants-smart
dae0fe8
@ssomayyajula
Incomplete refactor of invariant boilerplate and uniform treatment of…
78c79b9 
… method and function calls; going to specialize to open set is always empty
@ssomayyajula
Refactor complete
9dae244
@ssomayyajula
Merge branch 'master' into feat-invariants-smart
ba5edef
@ssomayyajula
Excluding this from open set
cb01fb9
keyboardDrummer
keyboardDrummer reviewed Aug 19, 2025
View reviewed changes
Copy link
Member

@keyboardDrummer keyboardDrummer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be good to have a performance related test.

Something like:

class HasInvariant {
  var valid: boolean
  invariant valid
}
class HasNoInvariant {
  var valid: boolean
}

method processHasInvariant(h: HasInvariant) {
  useInvariant(h);
}

method useInvariant(h: HasInvariant) {
  assert h.valid;
}

method processHasNoInvariant(h: HasNoInvariant) {
  useHasNoInvariant(h);
}

method useHasNoInvariant(h: HasNoInvariant) {}

and then verify that the resource usage of processHasInvariant and processHasNoInvariant are equal: that processHasInvariant is agnostic to the existence of the invariant.

MikaelMayer
MikaelMayer reviewed Aug 19, 2025
View reviewed changes
Copy link
Member

@MikaelMayer MikaelMayer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initial comments as I'm not done but it can still help

MikaelMayer
MikaelMayer reviewed Aug 19, 2025
View reviewed changes
Copy link
Member

@MikaelMayer MikaelMayer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Finished commenting

ssomayyajula and others added 3 commits August 19, 2025 18:36
@ssomayyajula @MikaelMayer
Update docs/DafnyRef/Specifications.md
515d203 
Co-authored-by: Mikaël Mayer <[email protected]>
@ssomayyajula
Edits from feedback
e5e1513
@ssomayyajula
Major changes:
6393771 
- Open set is empty everywhere
- Invariant is inductive over program transitions and constructors are the initial condition
- Consequently, invariants must hold by the end of the first constructor phase
- VCs removed to retain performance of non-invariant-utilizing code (see Performance.dfy)
keyboardDrummer
keyboardDrummer reviewed Sep 4, 2025
View reviewed changes
@ssomayyajula
Copy link
Contributor Author

Note for myself: don't delete the branch after merging.

keyboardDrummer
keyboardDrummer requested changes Sep 24, 2025
View reviewed changes
Copy link
Member

@keyboardDrummer keyboardDrummer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without a test that proves that code that does not use a type invariant, but does use the type, does not have its verification performance affected by the invariant's existence, I don't think we should merge this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MikaelMayer MikaelMayer MikaelMayer left review comments

@robin-aws robin-aws robin-aws requested changes

@keyboardDrummer keyboardDrummer keyboardDrummer requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ssomayyajula @robin-aws @keyboardDrummer @MikaelMayer