Skip to content

Tactic: add hoare split #888

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
strub wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Tactic: add hoare split #888

strub wants to merge 1 commit into from
+115 −1

Conversation

@strub
Copy link
Member

@strub strub commented Feb 5, 2026

Introduce a new Hoare-only tactic hoare split that decomposes goals with conjunctive postconditions into independent Hoare goals.

It is intentionally restricted to Hoare logic, where this rule is sound.

@strub strub self-assigned this Feb 5, 2026
@strub strub added the tactics label Feb 5, 2026
@oskgo
Copy link
Contributor

oskgo commented Feb 6, 2026

The hoare case can be done outside the TCB using conseq:

 require import AllCore.

   module M = {
     proc incr(x : int) : int = {
       var y : int;
       y <- x + 1;
       return y;
     }
   }.

   lemma L (n : int) : 0 <= n =>
     hoare [M.incr : x = n ==> n < res /\ 0 <= res].
   proof.
     move=> ge0_n; proc.

     (*$*) (* Split the conjunctive postcondition *)
     conseq (_: _ ==> n < y) (_: _ ==> 0 <= y); 1:done.

@fdupress
Copy link
Member

fdupress commented Feb 6, 2026

There is still value in considering a high-level (non-TCB) tactic that infers the split postconditions and internally produces the conseq-based proof. But I tend to agree that this does not need to be TCB if we already have conseq in-TCB.

As an aside, I think we could generalize this to split all program-independent products that sit at the head of the postcondition (including universal quantification, and implications whose LHS does not use program variables).

@strub
Copy link
Member Author

strub commented Feb 6, 2026
edited
Loading

Ok. Will move it outside the TCB, I should have seen that.

But the tactic (that is going to have more complex inference mechanism) allows better proof edition.

@strub
Copy link
Member Author

strub commented Feb 6, 2026

Done. As a side note, the internal API for conseq is a non-sense and has to be rewritten.

@oskgo
Copy link
Contributor

oskgo commented Feb 6, 2026

The docs say that it should be splitting apart conjunctions recursively ("one for each conjunct"), but the implementation doesn't do that.

@strub
Copy link
Member Author

strub commented Feb 12, 2026

The docs say that it should be splitting apart conjunctions recursively ("one for each conjunct"), but the implementation doesn't do that.

@oskgo Why do you think this sentence implies recursion?

@strub
Tactic: add hoare split
150fcfa 
Introduce a new Hoare-only tactic `hoare split` that decomposes goals
with conjunctive postconditions into independent Hoare goals.

It is intentionally restricted to Hoare logic, where this rule is sound.
@oskgo
Copy link
Contributor

oskgo commented Feb 12, 2026

@strub Suppose the postcondition is a /\ b /\ c. I think most people when asked to list all the conjuncts are going to answer a, b and c rather than a and b /\ c.

If the intention is to just split apart one instance of the binary /\ operator this should be made clearer.

@strub
Copy link
Member Author

strub commented Feb 12, 2026

@oskgo Ok. What about "top-level conjunction"?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@strub strub

Labels

tactics

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@strub @oskgo @fdupress