Open dc-mak opened 3 months ago
One more:
On Wed, Jun 5, 2024 at 8:01 AM Dhruv Makwana @.***> wrote:
A few existing issues have touched upon the current syntax. The solutions for those bring function and `predicate a lot closer together.
- Remove if-restriction (#266 https://urldefense.com/v3/__https://github.com/rems-project/cerberus/issues/266__;!!IBzWLUs!WrxvcyM3niw6bzUcqm6-Ie4GOUQSynOR3z6wU7H4tQ3kLFlYzo0A3OgxEQikoeBN1lwPcMBP3UKDw47Z9u4Oo2pOtPdI$ )
- Remove predicate pointer first restriction (#303 https://urldefense.com/v3/__https://github.com/rems-project/cerberus/issues/303__;!!IBzWLUs!WrxvcyM3niw6bzUcqm6-Ie4GOUQSynOR3z6wU7H4tQ3kLFlYzo0A3OgxEQikoeBN1lwPcMBP3UKDw47Z9u4Oo-UGJ1EW$ )
- Unify namespaces for functions and predicates (#288 https://urldefense.com/v3/__https://github.com/rems-project/cerberus/issues/288__;!!IBzWLUs!WrxvcyM3niw6bzUcqm6-Ie4GOUQSynOR3z6wU7H4tQ3kLFlYzo0A3OgxEQikoeBN1lwPcMBP3UKDw47Z9u4Oo1tr5Hzx$ )
Though not strictly dependent on the above 3, it may be sensible to wait until they are finished for the next tasks (which are closer to nice-to-haves).
- Add base type heap and disallow that to be used in arguments or in data types 5a. Add new unified syntax and map to existing backend 5b. Optional but good engineering: refactor backend to match new sytnax
As mentioned in #288 https://urldefense.com/v3/__https://github.com/rems-project/cerberus/issues/288__;!!IBzWLUs!WrxvcyM3niw6bzUcqm6-Ie4GOUQSynOR3z6wU7H4tQ3kLFlYzo0A3OgxEQikoeBN1lwPcMBP3UKDw47Z9u4Oo1tr5Hzx$, at the end of this we could write things like
i32 add_one(i32 x) { let y = x + 1; y; }
heap
intQueueAux(i32 x) { return (add_one(x)); } heap
intQueue0(i32 x) { intQueueAux(0); } heap
intQueue(i32 x) { let y = add_one(x); let* q = intQueueAux(y); return y; } Pros:
- Concise.
- Generics are familiar to many (and monads familiar to theorists).
- Make polymorphism easier to add and explain later.
- Makes the type of locks easier to add and explain later.
Cons:
- Needs a few restrictions to keep things first-order for now (no heap<_> values in datatypes or in arguments).
- Not requiring a return (and using return as the monad heap<_> ) could be confusing for C developers.
Still unsure about let. Maybe let
= ;? Like in Idris https://urldefense.com/v3/__https://idris2.readthedocs.io/en/latest/tutorial/interfaces.html*notation__;Iw!!IBzWLUs!WrxvcyM3niw6bzUcqm6-Ie4GOUQSynOR3z6wU7H4tQ3kLFlYzo0A3OgxEQikoeBN1lwPcMBP3UKDw47Z9u4Oo2Bt_g88$ ). i32 add_one(i32 x) { return x + 1; }
heap intQueueAux(i32 x) { return (heap(add_one(x))); }
heap intQueue(i32 x) { return intQueueAux(0); }
heap intQueue(i32 x) { let y = add_one(x); let q = *intQueueAux(y); return heap(q); }
— Reply to this email directly, view it on GitHub https://urldefense.com/v3/__https://github.com/rems-project/cerberus/issues/304__;!!IBzWLUs!WrxvcyM3niw6bzUcqm6-Ie4GOUQSynOR3z6wU7H4tQ3kLFlYzo0A3OgxEQikoeBN1lwPcMBP3UKDw47Z9u4Oo1dJoef8$, or unsubscribe https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/ABVQQC2V6YY3QNIU2OANNALZF342HAVCNFSM6AAAAABI2R66LOVHI2DSMVQWIX3LMV43ASLTON2WKOZSGMZTKNZRG42TQMI__;!!IBzWLUs!WrxvcyM3niw6bzUcqm6-Ie4GOUQSynOR3z6wU7H4tQ3kLFlYzo0A3OgxEQikoeBN1lwPcMBP3UKDw47Z9u4OoxPdRZbJ$ . You are receiving this because you are subscribed to this thread.Message ID: @.***>
Added, thanks
Are the type annotations in declaration specs ever not fully determined by the declaration? If not, why have a separate form for the declaration spec at all? Concretely:
//before
int foo(int x, const char *y, struct bar **z);
/*@ spec foo(i32 x, pointer y, pointer z);
requires ...; // hardcoded in grammar
ensures ...; // hardcoded in grammar
@*/
//after
int foo(int x, const char *y, struct bar **z);
/*@ spec foo(x, y, z); // added to function_spec_item grammar node
requires ...; // just another function_spec_item
ensures ...; // just another function_spec_item
trusted; // parses for free now
accesses qux; // also parses for free
@*/
The arguments could also be removed. I like concretely bringing them into CN scope in the same block.
Are the type annotations in declaration specs ever not fully determined by the declaration? If not, why have a separate form for the declaration spec at all? Concretely:
//before int foo(int x, const char *y, struct bar **z); /*@ spec foo(i32 x, pointer y, pointer z); requires ...; // hardcoded in grammar ensures ...; // hardcoded in grammar @*/ //after int foo(int x, const char *y, struct bar **z); /*@ spec foo(x, y, z); // added to function_spec_item grammar node requires ...; // just another function_spec_item ensures ...; // just another function_spec_item trusted; // parses for free now accesses qux; // also parses for free @*/
The arguments could also be removed. I like concretely bringing them into CN scope in the same block.
The reason for this aspect of the spec
syntax is that C does not require a function prototype to name all the arguments; and if it does, the Cerberus frontend (IIRC) forgets them. So spec
has syntax to introduce names for the arguments. AIUI, originally the idea of spec
was also to be able to give specifications to functions in a different source location from their declaration.
There are enough spec-related tickets (you can see a list of them here) that I've lost track of the broader language design issues we're considering. Here's a rough grouping of the current tickets.
Taken together, these issues address two broad points:
These issues are related to how specifications are associated with functions, and how/when specs are trusted vs. verified by CN. There are two use cases to keep in mind:
.h
file) without leaking internal state into the external spec (e.g. about non-exported static variables).
A few existing issues have touched upon the current syntax. The solutions for those bring
function
andpredicate
a lot closer together.Though not strictly dependent on the above, it may be sensible to wait until they are finished for the next tasks (which are closer to nice-to-haves).
As mentioned in https://github.com/rems-project/cerberus/issues/288, at the end of this we could write things like
Pros:
Cons:
return
(and usingreturn
as the monadheap<_>
) could be confusing for C developers.take
. Maybelet*
orlet <id> = *<heap_expr>;
? Like in Idris' !-notation could be nice.