annotations: calculus annotations (wp,ert,wlp)

[umutdural]

Implemented the system to add calculus annotations and implemented three main calculi:

• wp
• wlp
• ert

These annotations can be used only on top of procedures at the moment in the following format:

@wp
proc main() -> () {
    ...
}

Calculus annotations allow or reject certain proof rule encodings depending on the calculi that the proof rule argue about.

For example k-induction is a proof rule that proves an upper bound on the wp of the program. Therefore using k-induction in a proc (lower bound reasoning) is invalid. If the proc is annotated with @wp, Caesar will reject the file and throw an error. On the other hand, coproc (upper bound reasoning) with @wp allows @k_induction(...) annotations inside the procedure.

---

Technical:

To implement a new calculus annotation, one must create a new struct for the annotation in the src/calculi directory and this struct should implement the Calculus trait, which requires a simple name function and a check_encoding function that returns a Result<(),()> based on the given encoding annotation and direction. Afterward the corresponding declaration of the annotation must happen in the init_calculi function.

[Philipp15b]

Thanks for your PR! I left some comments about simplifying the code.

[Philipp15b]

Please add a module comment in this file outlining what the module does (introducing the calculus annotations and that they check which proof rules can be used where).

[Philipp15b]

Instead of returning () in case of error, return a singleton error type, e.g. CalculusAnnotationError that implements std::fmt::Error (you can do this via the thiserror crate we're using).

[Philipp15b]

Also it would be good to add a comment describing what this method is supposed to do.

[umutdural]

Result<(),()> is used as a boolean success flag in this context. The returned error is wrapped with a proper AnnotationError::CalculusEncodingMismatch by the visitor. Should I use the singleton error type in this case?

[Philipp15b]

Please add a comment describing shortly what this visitor does.

[Philipp15b]

Why do you need to clone encoding_ref? Why doesn't check_encoding simply accept a reference?

[Philipp15b]

I feel like these implementation files require surprisingly lots of boilerplate. Why not have one struct type for a calculus annotation that maintains the Ident and an enum Calculus (with values Wp, Wlp, etc.)? Then you have one (or multiple) functions that simply match on the Calculus value for the visitor. I don't see the need to pass these abstract dyn Trait objects around if the set of possible calculi is always known by Caesar and not extensible.

[Philipp15b]

These match statements could also be simplified. Instead of nesting every possible case and returning Ok or Err, simply match on the encoding kind and then return the expected direction from the match statement (or immediately abort for Ast, Past, Ost). Then, you can raise an Err if the direction does not match.

[Philipp15b]

I don't see the reason why these types should be cloneable.

[Philipp15b]

Why is this AnnotationInfo pub?

[Philipp15b]

I feel these impls are pretty verbose we'll need to think of a better approach to architect the types here. A very simple alternative would be to simply add a method to the Encoding trait called check_calculus that receives a simple value of a new enum type Calculus and a direction and then returns Ok(()) or an Err(EncodingCalculusError). Then the checks wouldn't be part of a specific calculus, but rather of the encoding.

[Philipp15b]

Does this error occur from the user? Or is it always a compiler error? If the latter is true, then we should simply panic instead of emitting an error if the user can't fix it.

[Philipp15b]

Why would this be an Ident if the calculus is always from a fixed set of values that are built into the compiler? Couldn't you save a value of an enum type Calculus here?

[Philipp15b]

Thanks a lot! I left a number of minor comments.

[Philipp15b]

The enum items should be named Wp, Wlp, Ert

[Philipp15b]

This method should return a descriptive error type, e.g. just an AnnotationError

[Philipp15b]

There should be an empty line after an fn

[Philipp15b]

The inline match expression inside an if statement should be rewritten to just a single match statement that either returns an Err or Ok without the if then else.

[Philipp15b]

Why not just if calculus.calculus_type == CalculusType::Wp && direction == Direction::Down?

[Philipp15b]

Rewrite into single if as described above.

[Philipp15b]

Empty line after fn.

[Philipp15b]

Colon after end of sentence and empty line before heading.

[Philipp15b]

extreme_lit

[Philipp15b]

I don't quite understand why this struct exists. Shouldn't the CalculusType enum be sufficient? Why have the additional Ident?

[Philipp15b]

Thanks a lot! This is looking very good. I'm traveling right now, but I'll create some documentation for this and then merge it in the next couple of days! :)

[Philipp15b]

Just a side note, if you derive PartialEq and Eq for the CalculusType enum, then you can use normal == to compare these values.

[Philipp15b]

The logic here seems a bit convoluted. Why not simply immediately return direction == match calculus.calculus_type { CalculusType::Wp | CalculusType::Ert => Direction::Up, CalculusType::Wlp => Direction::Down, }?

[darionhaase]

Maybe also include the direction? E.g. using @invariant with @wlp in a coproc causes confusion because the diagnostic "The 'wlp' calculus does not support the 'invariant' encoding." makes it look like the invariant-rule cannot be used for wlp at all.