Commit
(Note that this is @zafer-esen's work. I created the PR for permissions reasons.)

Dafny uses the Boogie option `prune` by default. (Introduced in [Boogie PR #427](boogie-org/boogie#427), although the semantics explained there is [out of date](boogie-org/boogie#767 (comment)).) The `prune` option, when enabled, runs a reachability analysis in Boogie, and prunes away functions, constants and axioms that are not reachable from root nodes. This greatly reduces resource counts, and leads to less brittleness, which is why pruning is intentionally made as strong as possible.

The semantics of pruning, at a high level, is as follows.

If an axiom is inside a `uses` clause of some symbol `s`:

* without quantifiers or without triggers: do not prune if `s` is reachable.
* with both quantifiers and triggers: do not prune if (a) `s` is reachable _or_ (b) all symbols in one of its triggers are reachable.

If an axiom is not inside a `uses` clause:

* without quantifiers or without triggers: always pruned.
* with both quantifiers and triggers: do not prune if (b) all symbols in one of its triggers are reachable.

If (a) holds but (b) does not, this leads to a weaker pruning if an axiom with quantifiers and triggers is inside a `uses` clause. (b) matches the semantics of how axioms with triggers are instantiated (AFAIK), so axioms with both quantifiers and triggers should not be inside `uses` clauses (with the exception of purely polymorphic quantifiers, more on this at the end of this comment).

Consider the [following lines](https://github.com/dafny-lang/dafny/blob/c31932b4b4f77a38e5da9c9f6a7689d8f57346bf/Source/DafnyCore/DafnyPrelude.bpl#L230-L290) from `DafnyPrelude.bpl`:

```
function $Is<T>(T,Ty): bool uses {
  // no heap for now
  axiom(forall v : int :: { $Is(v,TInt) } $Is(v,TInt));
  axiom(forall v : real :: { $Is(v,TReal) } $Is(v,TReal));
  axiom(forall v : bool :: { $Is(v,TBool) } $Is(v,TBool));
  axiom(forall v : char :: { $Is(v,TChar) } $Is(v,TChar));
  axiom(forall v : ORDINAL :: { $Is(v,TORDINAL) } $Is(v,TORDINAL));
  [...] // more axioms for every type
}
```

`$Is` is a function symbol and `TInt`, `TReal` etc. are constant symbols, i.e., the axioms shown are quantified and all have triggers with two function or constant symbols. Since they are inside the `uses` clause of `$Is`, none of these axioms can be pruned if `$Is` is reachable. However, if the second symbol inside the triggers, say `TReal` in the second axiom, is still unreachable, that axiom cannot be triggered despite being preserved (but will negatively affect resource counts).

This PR moves all quantified axioms with triggers outside of their `uses` clauses. The one exception is purely polymorphic quantifiers ([example](https://github.com/dafny-lang/dafny/blob/2a2e1c41af9b89c10437abc71cca92eb818e02a8/Source/DafnyCore/DafnyPrelude.bpl#L970-L972)), which should remain inside a `uses` clause, as these quantifiers disappear if monomorphization is used in Boogie.

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

---------

Co-authored-by: Zafer Esen <[email protected]>
Co-authored-by: Remy Willems <[email protected]>
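The four pruning cases described in the commit message, replayed on the `$Is` axioms, as an added illustration that is not code from this PR, from Boogie or from Dafny. The reachable symbol set is taken as given (Boogie derives it from root nodes; here it is a constructed input), and each axiom is modelled only by the properties the rules depend on: whether it is quantified, which symbols each trigger mentions, and which `uses` clause, if any, holds it. The model generalizes the page's specific example: it also covers the ground-axiom cases and an axiom with several triggers.

```python
"""Model of the Boogie `prune` semantics as described in the commit message.

Added example, not Boogie's or Dafny's code. The reachable symbol set is an
assumption supplied by the caller; Boogie computes it from root nodes.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Axiom:
    name: str
    quantified: bool
    # Each trigger is modelled as the set of function/constant symbols it mentions.
    triggers: Tuple[FrozenSet[str], ...]
    # The symbol whose `uses` clause holds the axiom, or None for a top-level axiom.
    inside_uses_of: Optional[str] = None


def is_kept(ax: Axiom, reachable: FrozenSet[str]) -> bool:
    """Decide whether `ax` survives pruning given the reachable symbols.

    (a): the owner of the `uses` clause is reachable.
    (b): all symbols in at least one trigger are reachable.
    """
    quant_and_trig = ax.quantified and bool(ax.triggers)
    b = any(trig <= reachable for trig in ax.triggers)
    if ax.inside_uses_of is not None:
        a = ax.inside_uses_of in reachable
        # Inside a `uses` clause: ground axioms follow (a); quantified+triggered
        # axioms are kept under (a) OR (b), which is the weaker pruning.
        return (a or b) if quant_and_trig else a
    # Outside any `uses` clause: ground axioms are always pruned; quantified+
    # triggered axioms are kept only under (b).
    return b if quant_and_trig else False


def prune(axioms: Iterable[Axiom], reachable: Iterable[str]) -> Set[str]:
    """Return the names of the axioms that are NOT pruned."""
    reach = frozenset(reachable)
    return {ax.name for ax in axioms if is_kept(ax, reach)}


# Type constants appearing in the `$Is` axioms quoted from DafnyPrelude.bpl.
IS_TYPES = ("TInt", "TReal", "TBool", "TChar", "TORDINAL")


def is_axioms(inside_uses: bool) -> List[Axiom]:
    """The quoted `$Is(v, T)` axioms, either inside the `uses` clause of `$Is`
    (layout before this commit) or at top level (layout after it)."""
    owner = "$Is" if inside_uses else None
    return [Axiom(f"$Is_{t}", True, (frozenset({"$Is", t}),), owner) for t in IS_TYPES]


def compare(reachable: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Kept axioms for the before/after layouts under the same reachable set."""
    reach = frozenset(reachable)
    return prune(is_axioms(True), reach), prune(is_axioms(False), reach)


if __name__ == "__main__":
    # Constructed scenario: a program that only involves `int`, so `$Is` and
    # `TInt` are reachable while the other type constants are not.
    before, after = compare({"$Is", "TInt"})
    print("inside `uses` of $Is:", sorted(before))   # all five kept
    print("outside `uses`     :", sorted(after))     # only $Is_TInt kept
```

With `$Is` and `TInt` reachable, the `uses`-clause layout keeps all five axioms even though four of them can never fire (their second trigger symbol is unreachable), while the top-level layout keeps only the `TInt` axiom; that difference is the resource-count effect the commit message attributes to (a) without (b).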
1 parent 528b593
commit 4f13ce1
Showing 7 changed files with 217 additions and 213 deletions.