feat(transform): Add ProcBodyVerify transformation#509
Draft
MikaelMayer wants to merge 76 commits intomainfrom
Draft
feat(transform): Add ProcBodyVerify transformation#509MikaelMayer wants to merge 76 commits intomainfrom
MikaelMayer wants to merge 76 commits intomainfrom
Conversation
Add transformation that converts a procedure into a statement that verifies the procedure's body against its contract. The transformation: - Initializes all input parameters, output parameters, and modified globals - For each modified global g, creates old_g (pre-state) and g (post-state) - Converts non-free preconditions to assume statements - Wraps the body in a labeled block - Converts non-free postconditions to assert statements Includes: - Strata/Transform/ProcBodyVerify.lean: Main transformation implementation - StrataTest/Transform/ProcBodyVerify.lean: Unit tests (placeholder) - StrataTest/Transform/ProcBodyVerifyCorrect.lean: Correctness proof (placeholder) TODO: - Get actual types from program context for modified globals - Add comprehensive unit tests - Complete correctness proof
- Add proper type lookup for modified globals using getIdentTy! - Add unit test verifying transformation succeeds - Remove placeholder type (was using int, now looks up actual types) The transformation now properly: - Looks up types from the program context for modified globals - Creates old_g and g variables with correct types - Initializes all parameters and modified globals - Converts preconditions to assumes and postconditions to asserts
Add structure for correctness proof with: - Helper functions to extract assertions and assumptions - Placeholder theorems for precondition and postcondition correspondence - Main soundness theorem (placeholder) The proof structure documents the key properties that need to be proven: 1. Preconditions in the procedure become assumptions in the verification statement 2. Postconditions in the procedure become assertions in the verification statement 3. If verification fails, the call can fail (main soundness property)
- Use DDM to parse test programs instead of manually constructing AST - Test procedure with modifies clause and old variables - Test simple procedure without modifies - Tests verify transformation succeeds on realistic programs
- Prove requiresToAssumes produces only assume statements - Prove ensuresToAsserts produces only assert statements - Add helper functions for counting non-free conditions - Improve theorem documentation
- Prove transformation preserves procedure body in output - Improve soundness theorem documentation - Explain what full proof would require
- Test that free preconditions/postconditions are correctly filtered - Verify transformation handles mixed free and non-free specs
- Test procedure modifying multiple global variables - Verify old_g variables created for each modified global
- Tests now verify transformation produces correct block structure - Check that output has expected label (verify_<ProcName>) - Tests cover: modifies clauses, free specs, multiple globals - Use DDM to parse input programs - All tests pass with #guard_msgs
- Each test now displays the actual transformed statement - Shows complete structure: inits, assumes, body block, asserts - Demonstrates how old_g variables are created for modified globals - Verifies free specifications are correctly filtered out
- Remove toString to display properly formatted output - No more escaped newlines in guard_msgs - Output is now human-readable
- Create showTransformed helper to reduce code duplication - Inline program definitions directly in #eval calls - Remove separate Test1-4 definitions - Tests now more concise and easier to read
- Add Core.formatStatement function to format statements using DDM - Update test outputs to show readable Core syntax instead of AST - Tests now display var declarations, assumes, and asserts in proper syntax
Free specifications are assumptions that won't be checked at call sites. They should be included in the verification statement as assumes.
- Rewrite correctness file to use small-step semantics - Add helper lemmas for requiresToAssumes and ensuresToAsserts lengths - Add main soundness theorem (structure proof in progress) - Remove old big-step based helpers
- Add requiresToAssumes_preserves_exprs lemma - Add ensuresToAsserts_preserves_exprs lemma - These lemmas establish that the transformation preserves contract expressions
The main soundness theorem has one sorry remaining - proving that procToVerifyStmt produces a block statement. This is trivially true by construction (the last line returns Stmt.block) but requires navigating through the ExceptT/StateM monad stack. All other helper lemmas are proven: - requiresToAssumes_length - ensuresToAsserts_length - requiresToAssumes_preserves_exprs - ensuresToAsserts_preserves_exprs - procBodyVerify_produces_block (helper for structure)
Completed proofs: - ensuresToAsserts_length: induction on list - requiresToAssumes_preserves_exprs: direct from definition - ensuresToAsserts_preserves_exprs: filterMap membership 3 sorries remaining (1 structural, 2 semantic)
The procBodyVerify_produces_block_structure theorem is trivially true by inspection (last line returns Stmt.block), but proving it requires unwinding the monad stack which is tedious. Remaining: 3 sorries (1 structural, 2 semantic)
Changed from call-based to body-based correctness: - Soundness: verification failure → contract violation - Completeness: verification success → contract satisfaction This better reflects that ProcBodyVerify verifies procedure bodies against their contracts, not procedure calls. Still 3 sorries (all substantive proofs)
Documented the proof approach for soundness and completeness: - Both require frame reasoning and semantic lemmas - Need to relate verification context to isolated body execution - Require lemmas about block evaluation, assumes, and asserts These are substantial proofs requiring significant infrastructure. Status: 4 theorems proven, 3 sorries remaining (all substantive)
Tried to prove procBodyVerify_produces_block_structure by unwinding the monad, but this is tedious. Started a helper lemma for assert checking but hit mutual induction issues. The main semantic theorems require substantial infrastructure: - Frame reasoning lemmas - Determinism/uniqueness of evaluation - Lemmas about how init/assume/assert interact with stores - Decomposition lemmas for block evaluation Status: 4 theorems proven, 3 sorries (1 structural, 2 semantic)
Added useful lemma showing block evaluation is equivalent to evaluating the list of statements inside. This will be useful for decomposing the verification statement. Status: 5 theorems proven, 3 sorries remaining
Added two key lemmas: - eval_assert_implies_condition: assert success → condition holds - eval_assume_implies_condition: assume success → condition holds These extract the semantic meaning from successful evaluation. Status: 7 theorems proven, 3 sorries remaining
Key lemma: if a list of statements containing an assert evaluates successfully, then the assert's condition held at some point. Uses structural recursion on the list to handle mutual induction. Status: 8 theorems proven, 3 sorries remaining
Simple wrapper showing postconditions appear in generated asserts. Status: 9 theorems proven, 3 sorries remaining
New lemmas: - eval_stmts_concat_with_assert: Assert in suffix of concat - postcondition_expr_in_getCheckExprs: Expression membership Added PROOF_PROGRESS.md to track completion (11/12 = 92%) Status: 11 theorems proven, 3 sorries remaining
MikaelMayer
commented
Mar 6, 2026
PROOF_PROGRESS.md
Outdated
| @@ -0,0 +1,66 @@ | |||
| # ProcBodyVerify Correctness Proof Progress | |||
Contributor
Author
There was a problem hiding this comment.
This file should go away
MikaelMayer
commented
Mar 6, 2026
.kiro/settings/lsp.json
Outdated
| @@ -0,0 +1,198 @@ | |||
| { | |||
Contributor
Author
There was a problem hiding this comment.
This file should go away from the PR
…tisfiable) Define the complete square of quantifier duality: - stmt_valid: ∀ reachable states, predicate holds (always true) - stmt_falsifiable: ∃ reachable state, predicate fails (counterexample) - stmt_satisfiable: ∃ reachable state, predicate holds (can be true) - stmt_unsatisfiable: ∀ reachable states, predicate fails (always false) stmt_correct is validity for all assertions in the list. stmt_fail is falsifiability at a specific initial state. Update assert_true_correct and removeLeadingAssertTrue_correct to use the new per-assertion stmt_valid definition.
MikaelMayer
commented
Mar 6, 2026
| /-! ## Helper Lemmas -/ | ||
|
|
||
| /-- requiresToAssumes produces exactly one assume per precondition -/ | ||
| theorem requiresToAssumes_length (preconditions : ListMap CoreLabel Procedure.Check) : |
Contributor
Author
There was a problem hiding this comment.
This theorem should go away. We are absolutely not interested in proving that the requires get mapped 1-1 to assumes.
MikaelMayer
commented
Mar 6, 2026
| simp [requiresToAssumes] | ||
|
|
||
| /-- ensuresToAsserts produces one assert per non-free postcondition -/ | ||
| theorem ensuresToAsserts_length (postconditions : ListMap CoreLabel Procedure.Check) : |
Contributor
Author
There was a problem hiding this comment.
Same here. We don't want to compare ensures and assertions
MikaelMayer
commented
Mar 6, 2026
| (δ : CoreEval) (σ σ_verify : CoreStore) (δ_verify : CoreEval) : | ||
| (procToVerifyStmt proc p).run st = (.ok stmt, st') → | ||
| -- If the verification statement succeeds | ||
| EvalStatement π φ δ σ stmt σ_verify δ_verify → |
Contributor
Author
There was a problem hiding this comment.
This is no longer checking if the verification statement succeed. Remember we are not talking about success of executions. We will only reason about the assertions and their validity.
MikaelMayer
commented
Mar 6, 2026
| (δ : CoreEval) (σ : CoreStore) : | ||
| (procToVerifyStmt proc p).run st = (.ok stmt, st') → | ||
| -- If the verification statement can fail | ||
| (∃ σ_verify δ_verify, ¬EvalStatement π φ δ σ stmt σ_verify δ_verify) → |
Contributor
Author
There was a problem hiding this comment.
Assert statements no longer fail so this theorem is entirely useless now.
MikaelMayer
commented
Mar 6, 2026
| (π : String → Option Procedure) (φ : CoreEval → PureFunc Expression → CoreEval) | ||
| (δ : CoreEval) (σ : CoreStore) : | ||
| (procToVerifyStmt proc p).run st = (.ok stmt, st') → | ||
| (∃ σ_verify δ_verify, ¬EvalStatement π φ δ σ stmt σ_verify δ_verify) → |
Contributor
Author
There was a problem hiding this comment.
I don't want to see any more negated EvalStatement or theorems that depend on it. If an eval statement evaluates to false, it means we were not interested in this execution.
MikaelMayer
commented
Mar 6, 2026
| (δ : CoreEval) (σ : CoreStore) : | ||
| (procToVerifyStmt proc p).run st = (.ok stmt, st') → | ||
| -- If the verification statement succeeds | ||
| (∀ σ_verify δ_verify, EvalStatement π φ δ σ stmt σ_verify δ_verify) → |
Contributor
Author
There was a problem hiding this comment.
This is always false in practice. IT's not true in practice that a statement links all the input states to the output states. So this is supposing false. I think this theorem can be removed.
MikaelMayer
commented
Mar 6, 2026
Fix the helper lemma by using unfold + split on removeLeadingAssertTrue directly, avoiding the catch-all wildcard issue. The split correctly handles the assert-true branch (with if-then-else sub-split) and the non-matching branch. The entire Soundness section now has zero sorries: - stmt_valid, stmt_falsifiable, stmt_satisfiable, stmt_unsatisfiable - stmt_correct, stmt_fail, transform_correct, transform_correct_counterexample - assert_true_correct (proven) - removeLeadingAssertTrue_cases (proven) - eval_skip_assert_rest (proven) - removeLeadingAssertTrue_correct (proven)
MikaelMayer
commented
Mar 6, 2026
| is correct, the original statement list is also correct. | ||
|
|
||
| `transform_correct T` = ∀ stmts, stmt_correct(T stmts) → stmt_correct(stmts) -/ | ||
| def transform_correct |
Contributor
Author
There was a problem hiding this comment.
Since there are four forms of stmt_ , there should be four form of transform_ too. Please give them appropriate names.
I don't like these long names but they represent what these four definitions should represent:
transform_if_after_transformed_valid_then_was_valid
transform_if_after_transformed_has_counterexample_then_was_having_counterexample
transform_if_after_transformed_satisfiable_then_was_satisfiable
transform_if_after_transformed_always_false_then_was_always_false.
- Remove PROOF_PROGRESS.md and .kiro/settings/lsp.json - Remove all old theorems with wrong formulations: requiresToAssumes_length, ensuresToAsserts_length, procBodyVerify_completeness_weak, procBodyVerify_soundness_weak, procBodyVerify_soundness, procBodyVerify_completeness, procBodyVerify_produces_block_structure, determinism theorems - Remove all theorems using negated EvalStatement - Add four transform_ definitions matching the four stmt_ judgments: transform_preserves_validity, transform_preserves_counterexample, transform_preserves_satisfiability, transform_preserves_unsatisfiability - Rename transform_correct to transform_preserves_validity - File now has ZERO sorries and ZERO axioms
Contributor
Author
|
All review comments addressed in commit d35a3a2:
Also removed all determinism theorems, monad unfolding theorems, and other infrastructure that was no longer needed. File now has ZERO sorries and ZERO axioms. All proven theorems:
|
…p semantics - Define ProgramState with store, eval, and pc (Option AssertId) - Extract ProgramState from small-step Config (pc is set when at an assert) - Define reachability via CoreStepStar from initial config to any config - All four judgments (valid/falsifiable/satisfiable/unsatisfiable) now: - Take a single Statement (not List Statement) - Use small-step reachability (not big-step EvalStatements) - Quantify over ProgramState with pc matching the assertion - Transformation structure bundles T, F, F_inv operating on Statement - Remove old examples (need rewriting for new definitions)
…bility A counterexample is a state where the predicate is false, not where it fails to evaluate. Using = some HasBool.ff excludes undefined evaluation results (none) which are evaluation errors, not counterexamples.
- Extend ProgramState.ofConfig to detect asserts at head of .stmts and .block configs (not just .stmt configs) - Add procBodyVerify_sound (trivial: stmt_correct implies stmt_valid) - Add wrapInBlock transformation with preserves_validity proof (modulo block_reachable_of_stmt_reachable lemma) - One sorry remaining: block_reachable_of_stmt_reachable needs induction on the step sequence to lift reachability through block wrapping
Define procedure_obeys_contract: for all initial states where preconditions hold, if the body executes to completion, then all postconditions hold at exit. State the main soundness theorem: stmt_correct(procToVerifyStmt(proc)) → procedure_obeys_contract(proc) This connects the verification framework (stmt_correct over the generated verification block) to the semantic property of the procedure (contract obedience). Proof is sorry for now.
Move general definitions to SoundnessFramework.lean: - ProgramState, AssertId, ProgramState.ofConfig - reachable (small-step reachability) - Four semantic judgments: stmt_valid, stmt_falsifiable, stmt_satisfiable, stmt_unsatisfiable - stmt_correct - Transformation structure with four preserves_* properties - procedure_obeys_contract ProcBodyVerifyCorrect.lean now contains only: - Operational semantics lemmas (eval_assert_is_skip, etc.) - procBodyVerify_sound theorem (sorry)
Key lemma: if a block is stmt_correct and the prefix executes to a state, then every assert in the suffix has its condition hold at that state. Proof uses: - List.append_of_mem to split asserts at the target - block_step_through_asserts to step through preceding assert skips - ReflTrans_Transitive to chain the execution paths - ProgramState.ofConfig to extract the assert id from the block config Three sorries remain: - procToVerifyStmt_has_asserts (monad unfolding) - block_step_through_asserts (single step for assert skip) - procBodyVerify_sound (execution path construction)
Complete the proof that stepping through assert skips in a block preserves the store and evaluator. Uses: - EvalCommand.cmd_sem + EvalCmd.eval_assert for the assert skip - StepStmt.step_cmd, step_stmt_cons, step_block_body to chain the steps - Induction on the list of assert skips Two sorries remain: - procToVerifyStmt_has_asserts (monad unfolding) - procBodyVerify_sound (execution path construction)
Complete the main soundness theorem structure: - procToVerifyStmt_has_asserts: PROVEN (monad unfolding) - block_step_through_asserts: PROVEN (assert skip stepping) - block_correct_implies_asserts_hold: PROVEN (key lemma) - h_all_asserts: PROVEN (ensuresToAsserts produces asserts) - procBodyVerify_sound: PROVEN modulo h_prefix_exec One sorry remains: constructing the small-step execution path through the verification block prefix (inits + assumes + body) to reach the postcondition asserts with the final store.
- procToVerifyStmt_structure: PROVEN - characterizes output as pre_body ++ [body_block] ++ asserts - procedure_obeys_contract: now uses small-step semantics - procBodyVerify_sound: structured proof using block_steps_through_prefix and block_correct_implies_asserts_hold Two sorries remain (small-step infrastructure): - block_steps_through_prefix: lifting .stmts steps to .block steps - prefix execution: .stmts (prefix ++ asserts) →* .stmts asserts
Complete proof by induction on ReflTrans step sequence: - step_stmts_nil case: impossible (terminal can't reach stmts) - step_stmt_cons case: lift via step_block_body, continue by IH - step_stmt_cons_exit case: impossible (exiting can't reach stmts) One sorry remains: constructing the small-step execution of the verification block prefix (inits + assumes + body). This requires showing that InitState with arbitrary values can produce any target state, which is a property of the init semantics.
The one remaining sorry requires constructing InitState derivations for each init statement in the verification block prefix, showing that the inits can produce the target store σ₀ from some initial store σ₀' where the parameters are undefined.
The small-step semantics has a limitation: step_stmt_cons requires the first statement to reach terminal in ONE step, but blocks take multiple steps. This makes it impossible to embed block execution inside a stmts context. procedure_obeys_contract now uses big-step EvalStatements for body execution. The proof of procBodyVerify_sound needs to bridge between small-step (stmt_correct/reachable) and big-step (EvalStatements). One sorry remains: constructing the execution path through the verification block prefix.
Replace small-step reachable/stmt_valid/stmt_correct with big-step reachable_in_stmts/stmts_correct/stmt_correct. This avoids the small-step step_stmt_cons limitation (requires single-step terminal). The proof of procBodyVerify_sound is structurally complete: - procToVerifyStmt_structure: PROVEN - List splitting and h_correct application: PROVEN - One sorry: constructing EvalStatements for the prefix (inits + assumes + body_block + assert_skips) This requires InitState derivations for each init statement.
Replace the big-step step_stmt_cons (which required single-step terminal) with truly small-step rules: - step_stmts_cons: enter a seq context for the first statement - step_seq_inner: step the inner config forward - step_seq_done: when inner reaches terminal, continue with rest - step_seq_exit: when inner exits, propagate the exit Add Config.seq constructor to represent 'execute inner config, then continue with remaining statements'. This fixes the limitation where blocks inside statement lists could not be processed (blocks take multiple steps to reach terminal, but the old step_stmt_cons required one step).
With the fixed small-step semantics (seq config), blocks inside statement lists can now be processed. Switch all definitions back to small-step: - reachable: small-step CoreStepStar - stmt_valid/stmt_correct: small-step reachability - procedure_obeys_contract: small-step body execution - ProgramState.ofConfig: handles seq config recursively One sorry remains: constructing the small-step execution path through the verification block.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
ProcBodyVerifytransformation converting procedures to verification statements. ComplementsCallElimby providing the callee's view of verification.Example
Input procedure:
procedure P(x: int) returns (y: int) spec { modifies g; requires x > 0; ensures y > 0; ensures g == old g + 1; } { y := x; g := g + 1; }Output verification statement:
Implementation
getIdentTy!for proper type lookupTesting
DDM-based tests verify transformation output matches expected structure for: