-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for prophecy variables #1293
base: main
Are you sure you want to change the base?
Conversation
This design of prophecy variables follows the "Future is ours" paper: both allocation and resolution of a prophecy variable are exec-mode, and the prophecy value is an executable type.
Unfortunately the mode-restriction doesn't have the intended effect because ghost code can be embedded in exec code:
However, we have a not-documented feature that lets you mark spec functions as 'prophetic':
This adds some additional restrictions that prevent time travel paradoxes. Nobody's actually used the feature until now -- I originally implemented it in preparation for mutable reference support, which is still in-progress. However, it should be usable for standard prophecy variables as well, so I'd be happy to accept the PR if you add There's also a discussion page for the feature here, though it's a little dated: #559 |
That's a nice counter-example -- thanks! I saw the prophetic attribute support, but it seems pretty infectious. In the specific use case of prophecy variables that I wanted to achieve, this would cause every aspect of the specification to become prophetic, and as a result, hard to use higher up in the stack. The Iris-style prophecy variables don't require tracking prophecy propagation in spec/proof, which is more ergonomic in some use cases (including mine). Is there some type constraint that can require the type T for Prophecy to be purely-exec? As a strawman proposal, how about requiring the type |
Or even simpler, how about only allowing prophecies for byte slices? |
Interesting idea. I think this should work. |
We should probably add Travis's counterexample as a test to make sure it fails to verify. |
Minor: when erased,
This is just so that the value I will note that this is a mostly backwards-compatible change to the signature (unless someone is depending on it returning a |
Another minor comment: perhaps |
Another minor point: since these are |
Thanks for the suggestions! Re: returning value to avoid being like
|
I don't know if verus/source/rust_verify/example/adts.rs Lines 14 to 18 in 1a2fb58
I don't have a strong preference on the non-mut-ref vs take-and-return-value approaches; the take-and-return-value has the niceness of not needing Not for this PR, but potential future improvement, we don't currently have a support for I'm likely over-thinking this :) |
In that ADT example, adding |
This design of prophecy variables follows the "Future is ours" paper: both allocation and resolution of a prophecy variable are exec-mode, and the prophecy value is an executable type.