Skip to content
GitLab
Closed
Issue created by Guillaume Melquiond@melquionOwner

Make `any ... ensures` less error-prone

I didn't know that any ... ensures introduces an axiom. And I was not the only developer to get it wrong. We really should limit the number of language constructions that introduce axioms.

There are only three occurrences of this construction in the gallery:

  • unraveling_a_card_trick: any int ensures { 0 <= result <= n*m }
  • white_and_black_balls: any (x: int, y: int) ensures { 0 <= x && 0 <= y && x + y = 2 && x <= !b && y <= !w }
  • vstte12_bfs: any B.t ensures { !!result = succ v }

The first two occurrences are actually provable, so I am not sure their authors intended them to generate axioms. The last one is an actual axiom, but it should ideally have been val, so that the user could instantiate it to obtain an effective algorithm.

Thus, I suggest that this construction be repurposed so that it generates a verification condition.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information