Add contract and transparency pass#28
Add contract and transparency pass#28keyboardDrummer wants to merge 144 commits intoissue-21-assign-variable-typefrom
Conversation
…aurelTypes - Add FunctionsAndProofsProgram structure with functions, proofs, datatypes, constants - Add temporary laurelToFunctionsAndProofs translation (functional → functions, non-functional → proofs) - Rename OrderedLaurel to CoreWithLaurelTypes - Change OrderedDecl: replace 'procs' with 'funcs' (for function SCCs) and 'procedure' (for individual proofs) - Rewire pipeline: Laurel → FunctionsAndProofs → CoreWithLaurelTypes → Core - Both functions and proofs participate in topological ordering via the call graph Addresses steps (c) and (d) of strata-org#924.
(a) Contract pass (ContractPass.lean): - Generates precondition/postcondition helper procedures for non-functional procedures with contracts - Transforms procedure bodies to add assume/assert for own contracts - Not yet wired into pipeline (needs call-site rewriting for full activation) (b) Proof pass improvements (FunctionsAndProofs.lean): - Add stripAssertAssume utility for deep traversal that removes Assert/Assume nodes (to be used when full proof pass generates both functions and proofs for every procedure) - Import MapStmtExpr for AST traversal support - Improve documentation describing the future full proof pass Also: - CoreGroupingAndOrdering: use isFunctional flag instead of name lookup to partition functions and proofs in orderFunctionsAndProofs (more robust when functions and proofs share names) - Pipeline: import ContractPass, update documentation for new pipeline stages
…to pipeline; proof pass: every procedure generates function + proof Changes based on review feedback: 1. Contract pass treats all procedures the same — removed isFunctional guard from collectContractInfo, contractPass, and helper generation. 2. Call-site rewriting — added rewriteCallSites which uses mapStmtExpr for bottom-up traversal and handles three patterns: - Assign targets (StaticCall callee args) → Block [assert pre; assign; assume post] - LocalVariable name type (some (StaticCall callee args)) → Block [assert pre; decl; assume post] - Bare StaticCall callee args → Block [assert pre; call] 3. Contract pass wired into pipeline — replaced placeholder comment with actual contractPass call. 4. Full proof pass — every procedure now generates both a function copy (isFunctional=true, body only for transparent procedures, with Assert/Assume stripped) and a proof copy (isFunctional=false).
…riting and proof pass Three issues caused CI failures: 1. Call-site rewriting used bottom-up mapStmtExpr, which processed StaticCall nodes inside expressions (e.g., inside Assign/LocalVariable initializers) before the parent pattern could match. This created Block[Assert; StaticCall] inside expression positions, which the function translator rejected. Fixed by rewriting at the Block (statement) level instead. 2. The proof pass created both function and proof copies for every procedure with the same name, causing 'declaration already exists' errors in the Core type checker. Reverted to partition behavior (functional → functions, non-functional → proofs). 3. The contract pass changes verification diagnostics from 'precondition does not hold' to 'assertion does not hold', breaking test expectations. Disabled the contract pass in the pipeline pending test updates. The contract pass code (ContractPass.lean) is preserved with the fixes above and can be re-enabled. stripAssertAssume and mkFunctionCopy are also preserved for when the full proof pass is activated.
…-org/Strata into issue-924-contract-and-proof-pass
- Add 'opaque' keyword to the Laurel grammar (LaurelGrammar.st) that groups ensures and modifies clauses under it - Update ConcreteToAbstractTreeTranslator to parse the new opaqueSpec grammar node (8 args instead of 9) - Update AbstractToConcreteTreeTranslator to emit opaqueSpec when formatting procedures with Opaque bodies - Update all Laurel test files to mark all procedures as opaque - Update .lr.st and .laurel.st test files accordingly
Keep both the FunctionsAndProofs pipeline from this branch and the overflowChecks field added on main.
Adds a new Laurel-to-Laurel pass that replaces return statements with assignments to output parameters followed by exit to a labelled block wrapping the procedure body. This ensures postcondition assertions (inserted by the contract pass) are checked on all return paths. The pass runs after EliminateReturnsInExpression and before ConstrainedTypeElim/ContractPass in the pipeline.
…' into opaque-keyword-grammar
…assertions When a requires or ensures clause has a summary annotation, the contract pass now propagates that summary to the generated assert statement. This means verification errors will display the user-provided summary (e.g., 'divisor is non-zero does not hold') instead of the generic 'precondition does not hold' or 'postcondition does not hold'. - Added combinedSummary helper to extract summaries from clause metadata - Added preSummary/postSummary fields to ContractInfo - Updated all assertion generation sites to use clause summaries when available
|
I investigated the "Run internal benchmarks of Strata" CI failure. This is not a code issue — it's a pre-existing infrastructure problem with running CI on this fork. Root cause: The benchmark job tries to assume an AWS IAM role using This job has failed on every single Build run on this fork (all 5 runs), with the same error. It is not related to any code changes in this PR. To fix, either:
All other CI checks (Lean build, Python tests across 3.11–3.14, CBMC, lint, docs) pass successfully. |
keyboardDrummer
changed the base branch from
merge-1076-1077
to
issue-21-assign-variable-type
…nto issue-924-contract-and-proof-pass
keyboardDrummer
force-pushed
the
issue-924-contract-and-proof-pass
branch
from
da18905 to
3ce6673
Compare
github-actions
Bot
added
SMT
github_actions
and removed
Git conflicts
|
@keyboardDrummer-bot can you create another PR that copies these two passes from this PR: However, in the contract pass, the generated $post procedures should be marked as functional, and they should take all inputs and all outputs of the original procedure as parameters, so they don't need to call the original procedure in their body. At the call location, before the call, first assign all input arguments to temporary variables, and then pass those to both the call and the assumed call to the $post. |
|
@keyboardDrummer-bot can you create another PR that is a copy of this PR, but without the first two phases: You might run into issues with assertions not being lifted in the lifting pass. |
3 participants
Builds on:
Summary
Add these passes:
returntoexitstatements, needed for the next pass.$asFunction. If a Core procedure is marked as transparent, attempt to generate a functional version of it, where assertions are erased and all calls are to functional versions. Tie the functional version to the procedure using a free postcondition.The effect of the contract and transparency pass:
The combined effect of 2 and 4 is that there is no more difference between Laurel functions and transparent procedures.
Follow-up work