Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Constraint-less newtypes assumed to be nonempty #5521

Closed
RustanLeino opened this issue Jun 3, 2024 · 0 comments · Fixed by #5495
Closed

Constraint-less newtypes assumed to be nonempty #5521

RustanLeino opened this issue Jun 3, 2024 · 0 comments · Fixed by #5495
Assignees
@RustanLeino
Labels
during 3: execution of incorrect program An bug in the verifier that allows Dafny to run a program that does not correctly implement its spec kind: bug Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label

Comments

@RustanLeino
Copy link
Collaborator

Dafny version

4.6.0

Code to produce this issue

type Empty = x: int | false witness *

newtype NewEmpty = Empty

method OperateOnNewEmpty(x: NewEmpty)
  ensures false
{
  var y: Empty := x as Empty;
}

method Main() {
  var x: NewEmpty := *;
  OperateOnNewEmpty(x); // BOGUS: NewEmpty is assumed to be nonempty, so x is considered definitely assigned here
  print 10 / 0; // boom!
}

Command to run and resulting output

% dafny run test.dfy

Dafny program verifier finished with 2 verified, 0 errors
Unhandled exception. System.DivideByZeroException: Attempted to divide by zero.
   at System.Numerics.BigInteger.op_Division(BigInteger dividend, BigInteger divisor)
   at System.Numerics.BigInteger.Divide(BigInteger dividend, BigInteger divisor)
   at Dafny.Helpers.EuclideanDivision(BigInteger a, BigInteger b)
   at _module.__default._Main(ISequence`1 __noArgsParameter)
   at __CallToMain.<>c__DisplayClass0_0.<Main>b__0()
   at Dafny.Helpers.WithHaltHandling(Action action)
   at __CallToMain.Main(String[] args)

What happened?

A constraint-less newtype (that is, a declaration of the form newtype N = T for some previous type T) is only as nonempty as its base type. Yet, Dafny assumes NewEmpty to be nonempty. (This was correct years ago, before Dafny started supporting empty types.)

To fix this issue, the verifier should perform a non-emptiness test on constraint-less newtypes, just as if the type had been declared with a (trivial) constraint:

newtype NewEmpty = x: Empty | true

If this test fails and Dafny reports an error, then it would be nice to let the program declare a witness clause on the constraint-less newtype. However, at this time, only newtype declarations with constraints are (syntactically) allowed a witness clause. I propose that this be changed at the same time as the soundness bug is fixed.

What type of operating system are you experiencing the problem on?

Mac
@RustanLeino RustanLeino added kind: bug Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label during 3: execution of incorrect program An bug in the verifier that allows Dafny to run a program that does not correctly implement its spec labels Jun 3, 2024
@RustanLeino RustanLeino self-assigned this Jun 3, 2024
RustanLeino added a commit to RustanLeino/dafny that referenced this issue Jun 3, 2024
@RustanLeino
Add tests for Issue 5521
b1c656c 
Fixes dafny-lang#5521
@RustanLeino RustanLeino mentioned this issue Jun 3, 2024
Merged
dnezam pushed a commit to dnezam/dafny that referenced this issue Aug 29, 2024
@RustanLeino @dnezam
feat: Allow type parameters on newtypes (dafny-lang#5495)
e1ccb16 
This PR adds the following language features:

* type parameters of `newtype` declarations
* optional `witness` clause of constraint-less `newtype` declarations
* tool tips show auto-completed type parameters
* tool tips show inferred `(==)` characteristics

Along the way, the PR also fixes two previous soundness issues:

* fix: Check the emptiness status of constraint-less `newtype`
declarations (dafny-lang#5520)
* fix: Don't let `newtype` well-formedness checking affect witness
checking (dafny-lang#5521)

Fixes dafny-lang#5520
Fixes dafny-lang#5521

<small>By submitting this pull request, I confirm that my contribution
is made under the terms of the [MIT
license](https://github.com/dafny-lang/dafny/blob/master/LICENSE.txt).</small>
dnezam pushed a commit to dnezam/dafny that referenced this issue Sep 21, 2024
@RustanLeino @dnezam
feat: Allow type parameters on newtypes (dafny-lang#5495)
88b72ef 
This PR adds the following language features:

* type parameters of `newtype` declarations
* optional `witness` clause of constraint-less `newtype` declarations
* tool tips show auto-completed type parameters
* tool tips show inferred `(==)` characteristics

Along the way, the PR also fixes two previous soundness issues:

* fix: Check the emptiness status of constraint-less `newtype`
declarations (dafny-lang#5520)
* fix: Don't let `newtype` well-formedness checking affect witness
checking (dafny-lang#5521)

Fixes dafny-lang#5520
Fixes dafny-lang#5521

<small>By submitting this pull request, I confirm that my contribution
is made under the terms of the [MIT
license](https://github.com/dafny-lang/dafny/blob/master/LICENSE.txt).</small>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RustanLeino RustanLeino

Labels
during 3: execution of incorrect program An bug in the verifier that allows Dafny to run a program that does not correctly implement its spec kind: bug Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Allow type parameters on newtypes RustanLeino/dafny
1 participant
@RustanLeino