silicon icon indicating copy to clipboard operation
silicon copied to clipboard
verified publisher icon viperproject

Information following from field access receiver not known when checking for permission

Open marcoeilers opened this issue 9 months ago • 1 comments

The following program verifies in Carbon but not in Silicon (with or without MCE):

field f: Int

function flag(): Bool

function assuming(b: Bool, r: Ref): Ref
  ensures b
  ensures result == r

method m(r: Ref)
{
  inhale flag() ==> acc(r.f)
  var tmp : Int
  tmp := assuming(flag(), r).f
}

The issue seems to be that the knowledge that flag() is true, which follows from the field access receiver expression, is apparently not known when checking for the field permission. If the expression is moved to a separate statement, the program verifies:

method m2(r: Ref)
{
  inhale flag() ==> acc(r.f)
  var tmp : Int
  var r2: Ref
  r2 := assuming(flag(), r)
  tmp := r2.f
}

marcoeilers avatar Mar 20 '25 19:03 marcoeilers

These also fail:

method m2(r: Ref)
{
  inhale acc(r.f, flag() ? write : none)
  var tmp : Int
  tmp := assuming(flag(), r).f
}

method m3(r: Ref)
{
  inhale acc(r.f, flag() ? write : none)
  exhale acc(assuming(flag(), r).f)
}

method m4(r: Ref)
{
  inhale flag() ==> acc(r.f)
  exhale acc(assuming(flag(), r).f)
}

marcoeilers avatar Mar 20 '25 19:03 marcoeilers