feat: Actions, Frames, Termination, and Ordinal standard libraries #6074
Conversation
…-streaming-stdlibs
…-streaming-stdlibs # Conflicts: # Source/DafnyStandardLibraries/src/Std/Collections/Seq.dfy
…-streaming-stdlibs
…-streaming-stdlibs # Conflicts: # Source/DafnyCore/Backends/Java/JavaCodeGenerator.cs # Source/DafnyStandardLibraries/Makefile # Source/DafnyStandardLibraries/binaries/DafnyStandardLibraries-cs.doo # Source/DafnyStandardLibraries/binaries/DafnyStandardLibraries-go.doo # Source/DafnyStandardLibraries/binaries/DafnyStandardLibraries-java.doo # Source/DafnyStandardLibraries/binaries/DafnyStandardLibraries-js.doo # Source/DafnyStandardLibraries/binaries/DafnyStandardLibraries-notarget.doo # Source/DafnyStandardLibraries/binaries/DafnyStandardLibraries-py.doo # Source/DafnyStandardLibraries/binaries/DafnyStandardLibraries.doo
…/dafny into actions-and-streaming-stdlibs
| nodeCount := left.nodeCount + right.nodeCount + 1; | ||
| } | ||
|
|
||
| if (right is Node<T>) { |
There was a problem hiding this comment.
No need for parentheses
| } | ||
|
|
||
| ghost predicate ValidInput(history: seq<((), Box)>, next: ()) | ||
| requires ValidHistory(history) |
There was a problem hiding this comment.
Precondition not necessary in this override, but I agree it's good style to include it here. Especially since these examples will serve as a guide to other subtypes.
| import opened Std.Wrappers | ||
|
|
||
|
|
||
| // Adapting an iterator to a producer |
There was a problem hiding this comment.
I do still want to add an example of enumerating a codatatype, but I'll include that in the next batch of changes to this library.
| { | ||
| this.iter := new FibonacciIterator(); | ||
| new; | ||
| Repr := {this, iter} + NonNullElements(iter._reads) + NonNullElements(iter._modifies) + NonNullElements(iter._new); |
There was a problem hiding this comment.
Hmm, so the type of _reads, _modifies, and _new is set<object?>? That must be legacy from before Dafny had non-null types. Good for now here, but this would be nice (as easy, I imagine) to change in Dafny.
There was a problem hiding this comment.
Yeah I was surprised too. Probably not worth changing by itself, but worth changing if and when we revamp iterators in general.
|
|
||
| } | ||
|
|
||
| method {:test} FibonnaciExample() { |
| // TODO: Okay it's now or never - Repr or repr?? :) | ||
| ghost var Repr: set<object> |
There was a problem hiding this comment.
My vote is for Repr. It's an abstraction of something and it is something that public clients need to know about. For example, a class that implements a set would probably declare ghost var Elements: set<T>.
There was a problem hiding this comment.
So it sounds like you'd like to amend the Dafny style guide to add a clause something like:
"Any fields or constants that public clients may reference are named with PascalCase, and camelCase otherwise. This includes at least all symbols included in at least one export set."
The style guide currently doesn't say anything about fields and non-static constants, and I think most users have inferred that they should always be camelCase. The existing standard library code is already not consistent -for example DynamicArray has:
ghost var items: seq<A>
ghost var Repr: set<object>I'll definitely keep Repr here, but independently we should clarify this point and then go back and align the code better throughout (possibly as part of Dafny 5.0 since we may want change symbols that may already be in use).
| // TODO: Similarly, would Invariant() be better? | ||
| ghost predicate Valid() |
There was a problem hiding this comment.
I vote for Valid. The intention is that the condition be invariant, but it describes what it means for the data structure to be valid. Also, it's a bit funny to say that a method "requires and ensures the invariant", since it's the fact that the method "requires and ensures X" that makes X an invariant in the first place.
| ensures forall result' {:trigger} | | ||
| forall right' | right' < right :: Plus(left, right') < result' :: result <= result' |
There was a problem hiding this comment.
The fact that you're using {:trigger} here suggests to me that Dafny doesn't recognize that <= on ORDINAL would be acceptable as a trigger. We should consider extending Dafny to do that.
There was a problem hiding this comment.
I'd definitely love to consider adding more axioms and operations on ordinals in the future in general, but only if we think anything besides this module would benefit.
| ensures a < b <==> a + 1 <= b | ||
|
|
||
| ghost function {:axiom} PlusLimit(left: ORDINAL, right: ORDINAL): (result: ORDINAL) | ||
| decreases right, 0 |
There was a problem hiding this comment.
I usually write the decreases clause after requires, reads, modifies, and ensures. If you feel the same, feel free to make that change here and below.
There was a problem hiding this comment.
For the record I've actually always preferred this order:
requires ...
reads ...
modifies ...
decreases ...
ensures ...
Mainly because I think of it "chronologically", and it feels like the decreases is relevant "during" the evaluation to ensure termination, and the ensures is relevant "after".
But I do see that the style guide agrees with you so I'm happy to align. :)
There was a problem hiding this comment.
I see. That's a decent rule. For the record, here are two other thoughts on this matter:
-
I, too, think of
requiresas happening beforereads, but the language design is actually to allow the two to be mutually dependent. For example,class Cell { var data: int } function F(a: array<Cell>, i: nat): int requires i < a.Length && a[i].data == 10 reads a, a[i]
-
I think the reason I've placed
decreaseslast is because it feels relevant to the implementation of the function/method, not so much to the caller. This makes sense for a function/methodMthat is in its own SCC and is itself recursive. But for a caller that's mutually recursive withM, thedecreasesclause ofMis part of the specification that a caller needs to know about.
| // parent is a MaxOrdinal() parameter just to prove termination, | ||
| // but doesn't affect the actual result. |
There was a problem hiding this comment.
This comment would be good on MaxOrdinal as well.
What was changed?
See Std/Actions/Actions.md etc.
Also:
nondeterministicsub-project toexamples, for code that isn't valid in--enforce-determinismmodeHow has this been tested?
See ActionsExamples.dfy etc.
By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.