Skip to content

Fix issue #297 and #268, make proc inlining visit subblocks #302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aqjune-aws merged 17 commits into from
Jan 14, 2026
Merged

Fix issue #297 and #268, make proc inlining visit subblocks #302

aqjune-aws merged 17 commits into from
Jan 14, 2026

Conversation

@aqjune-aws
Copy link
Contributor

@aqjune-aws aqjune-aws commented Jan 6, 2026

This patch fixes

  • Issue Possible bug in Python Prelude: inconsistent use of days and hours #297: BoogiePrelude.lean's timedelta was not updating hours_i
  • Issue Soundness issue: fresh RHS identifiers in procedure inlining #268: procedure inlining was reducing nondeterminism because it was missing havocs to output vars
    • In fact, this depends on how the "correctness" of procedure inlining is defined; if we say that procedure inlining is allowed to reduce nondeterminism, the original implementation was correct of course, but since this makes procedure inlining inherently unsound to use for deductive verification I chose to fix it. This is all under the assumption that the spec of the inlining procedure exactly represents the actual behavior of the contents of the procedure.
  • Procedure inlining wasn't visiting subblocks, which was fixed here. This required small updates in the function signature of inlineCallCmd and callElimCmd so that they receive Command rather than Statement.

For these changes, checks are needed to confirm whether Python applications of interest are not affected.

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@aqjune-aws
Fix issue #297 and #268, make proc inlining visit subblocks
8ad82b7 
This patch fixes

- Issue #297: BoogiePrelude.lean's `timedelta` was not updating `hours_i`
- Issue #268: procedure inlining was reducing nondeterminism because it was missing havocs to output vars
(this depends on how the "correctness" of procedure inlining is defined;
 if we say that procedure inlining is allowed to reduce nondeterminism, the original
 implementation was correct of course, but since this makes procedure inlining inherently
 unsound to use for deductive verification I chose to fix it.)
- Procedure inlining wasn't visiting subblocks, which was fixed here. This required small updates
  in the function signature of `inlineCallCmd` and `callElimCmd` so that they receive Command
  rather than Statement.

For these changes, checks are needed to confirm whether Python applications of interest are not affected.
@aqjune-aws aqjune-aws assigned joscoh and unassigned joscoh Jan 6, 2026
@aqjune-aws aqjune-aws mentioned this pull request Jan 6, 2026
Closed
joscoh
joscoh previously approved these changes Jan 6, 2026
View reviewed changes
@aqjune-aws
Copy link
Contributor Author

aqjune-aws commented Jan 6, 2026

I will revisit the failing Python cases in this afternoon.

@shigoel
Copy link
Contributor

shigoel commented Jan 6, 2026

I will revisit the failing Python cases in this afternoon.

@aqjune-aws Maybe also see if #301 can help, if you have the bandwidth?

@aqjune-aws
Copy link
Contributor Author

aqjune-aws commented Jan 7, 2026

The reason of the failure was that this extra main() invocation could now be inlined, multiplying the number of invoked assertions (and hence making it diverged from the .expected file):

(procedure __main__ :  () → ((maybe_except : ExceptOrNone)))
modifies: []
preconditions: 
postconditions: 
body: init (exception_ty_matches : bool) := #false
havoc exception_ty_matches
import$inlined : {init (import_names_32 : ListStr) := (((~ListStr_cons : (arrow string (arrow ListStr ListStr))) #test_helper) (~ListStr_nil : ListStr))}
if (__name__ == #__main__) then {call [maybe_except] := main([])
 if ((~ExceptOrNone_tag maybe_except) == ~EN_STR_TAG) then {goto end} else{}}
else{}
end : {}

I will add a parameter to the procedure inlining call so that functions to be excluded from inlining like main can be designated

joscoh
joscoh previously approved these changes Jan 12, 2026
View reviewed changes
@aqjune-aws aqjune-aws enabled auto-merge January 12, 2026 18:35
@aqjune-aws aqjune-aws added this pull request to the merge queue Jan 14, 2026
Merged via the queue into main with commit 1b05546 Jan 14, 2026
12 checks passed
@aqjune-aws aqjune-aws deleted the jlee/issue-297-and-268 branch January 14, 2026 21:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joscoh joscoh joscoh approved these changes

@andrewmwells-amazon andrewmwells-amazon andrewmwells-amazon approved these changes

@atomb atomb Awaiting requested review from atomb

@joehendrix joehendrix Awaiting requested review from joehendrix

@shigoel shigoel Awaiting requested review from shigoel

@MikaelMayer MikaelMayer Awaiting requested review from MikaelMayer

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aqjune-aws @shigoel @joscoh @andrewmwells-amazon