Open septract opened 1 month ago
@cp526 I imagine there is / was some rationale for this design. Is there some use-case I don't know about that requires the spec
/ trusted
distinction?
spec
and trusted
have a different purpose.
trusted
instructs CN not to verify the annotated function (CN only checks wellformedness of the specification).
spec
is for giving a specification to function prototypes. Because function prototypes don't necessarily assign names to their arguments, CN needs syntax such as spec unverified_spec(i32 x, i32 y); ...
to give names to the arguments so later specifications can refer to them.
Both of these are needed. That said, spec
was added in a rush and there are a couple of deficiencies: (1), as you mention, spec
does not accept the same syntax as specifications attached to function definitions (e.g. accesses
), (2) probably nothing in CN currently prevents using spec
for function definitions, but then, AIUI, these are not verified against that spec
(so here we have to either forbid spec
for defined functions or allow it but do the proof), (3) currently the spec
argument list is not even compared for compatibility with the C-types in the function prototype (that's quite bad and we already have a ticket for that).
There are two keywords for introducing unverified functions to CN -
trusted
andspec
. We should only have one keyword for both cases and make the usage consistent.This duplication makes the language more difficult to learn, in my opinion. The two keywords do similar but slightly different things, which makes for a more 'noisy' / confusing language design. It also causes specific incompatible behavior - eg.
spec
andtrusted
are parsed differently so we can't easily switch between them (see this ticket: #371).It also seems anomalous that
spec
needs an additional function declaration, andtrusted
doesn't. Is the 'spec-level prototype' taken byspec
ever not determined by the function arguments? (See @peterohanley making this same point here: https://github.com/rems-project/cerberus/issues/304#issuecomment-2225994635)Proposed resolution:
Ideally, we only use one keyword in both situations. To me,
trusted
is the more appropriate choice (but I don't feel strongly about this -spec
is also fine). So I propose:spec
as an alias fortrusted
, and deprecatespec
(Or vice versa)(CN version:
git-7ca5f6c3d [2024-08-05 18:31:25 +0100]
)