You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The particular way in which this is done, i.e., by let-binding the post condition and then asserting the bound variable subverts existing machinery for leaving certain parts of postconditions unchecked. Namely, conjuncts annotated with @unchecked are filtered out in TypeChecker (see
), but only if they occur directly in the VC to be checked. The indirection (let pc = @unchecked cond; assert(pc) instead of assert(@unchecked cond)) leads to cond being check nonetheless.
This leads to an issue with correct-by-construction postconditions introduced in lowering phases, such as TypeEncoding. In particular, for generic functions f[T](x: T): T we lower to f(T: Object => Boolean, x: { v: Object | T(v) }): { v: Object | T(v) } where f's postcondition has been strengthened by ... && @unchecked res == f'(x) referring to auxiliary function f'(x: Object): Object = ???. That postcondition holds by construction, but cannot be proven automatically, so the above-described bug leads to spurious counter-examples.
See also #1125 for a related discussion on how to control the unchecked behavior in a more fine-grained way. As far as I can tell the split in that PR won't help us in this case, unfortunately, but I'll try to have a closer look.
The text was updated successfully, but these errors were encountered:
For
@syntheticfunctions we re-assert postconditions at inlined call sites (seestainless/core/src/main/scala/stainless/extraction/inlining/FunctionInlining.scala
Line 114 in 3da44e4
The particular way in which this is done, i.e., by let-binding the post condition and then asserting the bound variable subverts existing machinery for leaving certain parts of postconditions unchecked. Namely, conjuncts annotated with
@uncheckedare filtered out inTypeChecker(seestainless/core/src/main/scala/stainless/verification/TypeChecker.scala
Line 1006 in 3da44e4
let pc = @unchecked cond; assert(pc)instead ofassert(@unchecked cond)) leads tocondbeing check nonetheless.This leads to an issue with correct-by-construction postconditions introduced in lowering phases, such as
TypeEncoding. In particular, for generic functionsf[T](x: T): Twe lower tof(T: Object => Boolean, x: { v: Object | T(v) }): { v: Object | T(v) }wheref's postcondition has been strengthened by... && @unchecked res == f'(x)referring to auxiliary functionf'(x: Object): Object = ???. That postcondition holds by construction, but cannot be proven automatically, so the above-described bug leads to spurious counter-examples.See also #1125 for a related discussion on how to control the unchecked behavior in a more fine-grained way. As far as I can tell the split in that PR won't help us in this case, unfortunately, but I'll try to have a closer look.
The text was updated successfully, but these errors were encountered: