I propose that we extend the `summarize_verification` command so that it lists any unsafe primitives or axioms that a proof uses. The particular use case I have in mind is reporting whether any proofs depend on the SAWCore `fix` function, which has the potential to introduce unsoundness if wielded improperly. For example, here is a proof of `False` (relying on `fix`), followed by a use of `summarize_verification`:
```
// test.saw
enable_experimental;
let f = parse_core "fix (EqTrue False) (id (EqTrue False))";
f_thm <- prove_core (goal_exact f) "EqTrue False";
summarize_verification;
```
This shows a proof of `False`, but it doesn't include the very important caveat that it relies on the unsafe `fix` primitive. This is especially important when you consider that one can introduce `fix` implicitly by writing recursive Cryptol definitions. (For example, `let {{ r = ~r : Bit }};` gets translated to a SAWCore definition involving `fix` behind the scenes.) Inspired by Coq's `Print Assumptions` command, I propose that we extend the output so that it looks something like this:
```
# Theorems Proved or Assumed

* Theorem:

~~~~
EqTrue False
Depends on the following unsafe primitives or axioms:
* fix
~~~~
```
Another axiom that would be worth reporting here is `unsafeAssert`.
We will need to think a bit about which primitives or axioms should count as "unsafe" in this context. The SAWCore prelude defines many primitives and axioms that aren't really unsafe, but rather left undefined so that they can be overridden with more efficient implementations (e.g., `boolEq`). It might be overwhelming to include every single primitive and axiom in the list of output, so perhaps we should omit things like `boolEq` (or only print them if the user specifically requests them).
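To make the proposed check concrete, here is an added toy model of the `Print Assumptions`-style walk (example code written for this issue, not SAW's own implementation): a small SAWCore-like term language, a table standing in for the prelude, and a transitive dependency walk that follows definitions into their bodies, so a theorem that uses a lemma built on `unsafeAssert` still reports `unsafeAssert`. The term constructors, the `PRELUDE` table, the elaboration of `r = ~r` shown for `R_DEF`, and the `UNSAFE` set are all assumptions made for the example; the default/`show_all` split models the idea of hiding overridable primitives like `boolEq` unless the user asks for them.

```python
# Added illustration (not SAW's code): a toy "Print Assumptions"-style walk over a
# SAWCore-like term that reports which undefined constants a proof depends on.
# The term constructors, the PRELUDE table and the UNSAFE set are assumptions
# made for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Const:
    """A reference to a global name (primitive, axiom, definition or constructor)."""
    name: str


@dataclass(frozen=True)
class Var:
    """A bound variable; never a global dependency."""
    name: str


@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"


@dataclass(frozen=True)
class App:
    fn: "Term"
    args: Tuple["Term", ...]


Term = Union[Const, Var, Lam, App]


@dataclass(frozen=True)
class Decl:
    kind: str                    # "def" (has a body), "prim" (no body), "ctor" (data/type constructor)
    body: Optional[Term] = None


# Names that should always be reported; constructed list for this example.
UNSAFE = frozenset({"fix", "unsafeAssert"})

EQTRUE_FALSE = App(Const("EqTrue"), (Const("False"),))

# Constructed stand-in for the SAWCore prelude plus one user lemma.
PRELUDE: Dict[str, Decl] = {
    "fix": Decl("prim"),                 # unsafe: general recursion
    "unsafeAssert": Decl("prim"),        # unsafe: asserts an equality without proof
    "boolEq": Decl("prim"),              # left undefined only so backends can override it
    "not": Decl("prim"),
    "id": Decl("def", Lam("x", Var("x"))),
    "EqTrue": Decl("ctor"),
    "False": Decl("ctor"),
    "True": Decl("ctor"),
    "Bool": Decl("ctor"),
    # A lemma whose body hides unsafeAssert; anything using it inherits the dependency.
    "lemma": Decl("def", App(Const("unsafeAssert"), (Const("Bool"), Const("True"), Const("False")))),
}


def assumptions(term: Term, env: Dict[str, Decl]) -> Set[str]:
    """All primitives/axioms the term depends on, following definitions transitively."""
    found: Set[str] = set()
    seen: Set[str] = set()
    stack: List[Term] = [term]
    while stack:
        t = stack.pop()
        if isinstance(t, App):
            stack.append(t.fn)
            stack.extend(t.args)
        elif isinstance(t, Lam):
            stack.append(t.body)
        elif isinstance(t, Const) and t.name not in seen:
            seen.add(t.name)             # also guards against cyclic/recursive definitions
            decl = env[t.name]
            if decl.kind == "prim":
                found.add(t.name)
            elif decl.kind == "def" and decl.body is not None:
                stack.append(decl.body)
    return found


def unsafe_dependencies(term: Term, env: Dict[str, Decl], show_all: bool = False) -> List[str]:
    """By default only UNSAFE names are listed; show_all also lists overridable ones like boolEq."""
    deps = assumptions(term, env)
    return sorted(deps if show_all else deps & UNSAFE)


def format_summary(statement: str, term: Term, env: Dict[str, Decl], show_all: bool = False) -> str:
    """Render the proposed summarize_verification output for one theorem."""
    lines = ["# Theorems Proved or Assumed", "", "* Theorem:", "", "~~~~", statement]
    deps = unsafe_dependencies(term, env, show_all)
    if deps:
        lines.append("Depends on the following unsafe primitives or axioms:")
        lines.extend(f"* {d}" for d in deps)
    lines.append("~~~~")
    return "\n".join(lines)


# The proof of False from the issue: fix (EqTrue False) (id (EqTrue False)).
PROOF_OF_FALSE = App(Const("fix"), (EQTRUE_FALSE, App(Const("id"), (EQTRUE_FALSE,))))
# Assumed sketch of how the recursive Cryptol definition `r = ~r : Bit` elaborates via fix.
R_DEF = App(Const("fix"), (Const("Bool"), Lam("r", App(Const("not"), (Var("r"),)))))
# A term that only touches boolEq, and one that reaches unsafeAssert through `lemma`.
BOOLEQ_PROOF = App(Const("boolEq"), (Const("True"), Const("True")))
VIA_LEMMA = App(Const("lemma"), ())

if __name__ == "__main__":
    print(format_summary("EqTrue False", PROOF_OF_FALSE, PRELUDE))
```

Running the block prints the proposed summary for the `EqTrue False` theorem with `* fix` listed; `BOOLEQ_PROOF` produces no "Depends on" section unless `show_all=True`, and `VIA_LEMMA` reports `unsafeAssert` even though the theorem's own term never names it, which is the transitive behaviour a `Print Assumptions`-style report needs.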