-
Notifications
You must be signed in to change notification settings - Fork 256
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Detect and report use of mixing options that change semantics #3556
Comments
I updated the text to generalize it a bit to any option that changes language semantics. |
To me the root cause here is not having any mechanisms to enforce sound separate verification and compilation of Dafny code. I say the best solution is to define some kind of build artifact for Dafny that attaches metadata to the Dafny source, so that when consuming a library, rather than trusting the code was previously verified and assuming the details of how it was verified, the Dafny tooling can look for hard evidence and metadata about how the library was built, and fail if the consuming environment is not compatible. To that end, I propose the following:
|
Note that although a URL pointing to a |
Provides a build artifact for outputting after successful verification, with enough metadata attached to support safe consumption as a library, as loosely described in this comment: #3556 (comment) Also refactors the functionality used by `dafny audit` to ensure the library backend rejects `assume` statements as the other backends do, without having to implement a proper SinglePassCompiler subclass. Also hides the internal "Simple Dafny" backend, which isn't intended to be publicly documented, while the new library backend is. Provides a solution for #3556, but I'm not calling that resolved until we at least deprecate separate verification features that don't use .doo files (which isn't in scope for this PR).
The introduction of .doo files has I think mostly resolved this issue. What I think is left, is to let |
Summary
Mixing code that has been verified or compiled with values of certain options that modify the semantics of Dafny, such as
--unicode-char
, could lead to soundness problems.Background and Motivation
Dafny 4 has a default of unicode-char:true, previous versions had unicode-char:false
Proposed Feature
Detect whether modules are setting different values -- ideally only where it actually matters.
Alternatives
No response
The text was updated successfully, but these errors were encountered: