anomaly on Hoare logic `match` when the precondition is an existential

EasyCrypt / easycrypt

EasyCrypt: Computer-Aided Cryptographic Proofs

MIT License

306 stars 46 forks source link

anomaly on Hoare logic `match` when the precondition is an existential #565

Closed fdupress closed 1 month ago

fdupress commented 2 months ago

MFE

require import List.

module M = {
  var r : int option

  proc hd(xs : int list) = {
    r <- match r with | None => None | Some _ => None end;
    match xs with
    | [] => { }
    | x :: xs => r <- Some x;
    end;
    return r;
  }
}.

hoare toto &m y ys:
     M.hd: arg = y :: ys ==> res = Some y.
proof.
proc. sp.
match. (* Fails with "anomaly: EcLib.EcCoreGoal.InvalidGoalShape" *)

fdupress commented 2 months ago

This was introduced by #510 .

fdupress commented 2 months ago

And also triggers:

when the precondition merely contains an existential quantifier (and perhaps a universal quantifier?);
in one-sided match applications in pRHL.

strub commented 1 month ago

Fix by #577