-
Notifications
You must be signed in to change notification settings - Fork 256
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable finer-grained control of redundant- and contradictory-assumption warnings #4778
Comments
### Description This PR imports the Unicode libraries from `dafny-lang/libraries`. Notes: - This disables redundant- and contradictory-assumptions warnings in `dfyconfig.toml`, as not all of the many false-positives can be resolved by rewriting existing proofs (as far as I can tell). We'll want to re-enable them in the future, for example if/when [finer-grained control](#4778) of such warnings is possible. - As a consequence of the above, verification performance of all the libraries are subject to perturbation. This PR also makes some non-Unicode-related changes to get other proofs to pass under the new set of options. - Because the `DafnyStdLibs` only supports a single set of verification options right now, and we are proceeding with `--unicode-char:true`, the `UnicodeStringsWithoutUnicodeChar` module is not included in this PR.
I'm wondering whether a more general |
Should we not first understand why we're getting warnings for the above proof, before adding an option to turn them off? I didn't find this explanation in the issue details. |
Ah, I guess it wasn't explicit here because @alex-chew and I discussed it offline. We do understand what's going on. The specific example above is an intentional proof by contradiction, which will always give rise to warnings about proof using contradictory assumptions. Because such proofs are legitimate, we fundamentally need a way to indicate that they're intentional. We could have something specific to the case of contradictory assumptions (marking something as an intentional proof by contradiction in some way). But we also want something for redundant assumptions that, for whatever reason, the developer decides they want to keep. And, while we're at it, I expect there are other warnings we may want to be able to disable on a local basis. |
I thought it wouldn't produce warnings because you added an exception for How come there's a contradictory warning in this case? |
I hope I'm not being too cautious here, but I'd rather see these cases explicitly before adding features to cover them. In C# for example, there's a warning you get when you call a method that returns a Task, and you do not await this task. There's a C# feature added so you can avoid this warning, which is to assign to |
Unfortunately, triggers make things complicated. It's possible to have a case where |
@atomb clear explanation! Thank you Some follow-up questions. Is there a textbook example of this problem? Or does it happen mostly by coincidence? Does this problem also occur in idiomatic Dafny code?
Seems like a simple solution. If there is a more automatic one we can always introduce that later. |
Allows a particular assertion to be marked as an intentional proof by contradiction, preventing `--warn-contradictory-assumptions` from flagging it. Fixes dafny-lang#4778
### Description Allows a particular assertion to be marked as an intentional proof by contradiction, preventing `--warn-contradictory-assumptions` from flagging it. Fixes #4778 ### How has this been tested? `Source/IntegrationTests/TestFiles/LitTests/LitTest/git-issues/git-issue-4778.dfy` By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.
Summary
No response
Background and Motivation
The
--warn-redundant-assumptions
and--warn-contradictory-assumptions
options are useful for locating redundant and contradictory assumptions, but can generate false positives in nontrivial proofs. In some cases the proofs can be rewritten to avoid the warnings - but not always, it seems. It would be nice to be able to disable such warnings on a per-assertion (or per-declaration, or per-module) level.Here is an excerpt from the Unicode libraries that generates contradictory-assumption warnings:
The
assert false
near the end (labeled// Here
) cannot be verified without theby { ... }
portion. But the assertion within theby { ... }
generates two warnings:Proposed Feature
This feature could, for example, be implemented as attributes (
{:warn_redundant_assumptions false}
, etc.) that are valid in assertions and at the declaration-/module-level.Alternatives
No response
The text was updated successfully, but these errors were encountered: