Support logical implication (==>) in annotations

Add a single formula-token preprocessing layer, the `thrust_macros::formula!`
proc-macro, that every annotation wraps its formula body in. Its first pass
desugars the implication operator `a ==> b` into `!a || b`:

- `==>` is rewritten to assignment (the lowest-precedence, right-associative
  Rust operator) so `syn` reproduces implication's precedence/associativity for
  free, including inside closure bodies;
- each resulting assignment node is rewritten to `(!(lhs)) || (rhs)` so the
  generated `#[thrust::formula_fn]` body is valid boolean Rust.

`requires`/`ensures`, `predicate`, the `param`/`ret`/`sig` refinement types, and
`invariant!` all route their formula through `formula!`. Closes #106.

Reject bare `=` in formula! to avoid ambiguity with implication

`==>` is desugared to assignment, so once parsed an `Expr::Assign` from a
genuinely-written `=` is indistinguishable from an implication. Reject a bare
`=` (a lone `Punct('=')` with Alone spacing, not preceded by a joint punct, so
`==`/`!=`/`<=`/`>=`/`==>` are unaffected) up front with a clear diagnostic.

Also enable syn's `extra-traits` feature explicitly (the crate compares
`syn::Path` values), so the crate builds and its unit tests run standalone.

https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL

Document why formula wrapping isolates the body/tail expression

https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL

Address review: trim comments, dedupe self-rewrite, test expand()

- shorten and de-duplicate doc/inline comments
- call crate::formula::wrap_formula directly instead of importing it
- rename rewrite_self_in_macro_tokens to rewrite_self_in_tokens and reuse it
  from rty, dropping rty's duplicate copy
- unit-test the public formula::expand, not only reject_bare_assignment

https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL

cargo fmt

https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL

style fix

Author: claude

tests/ui/fail/annot_implication.rs

@@ -0,0 +1,45 @@
+//@error-in-other-file: Unsat
+//@compile-flags: -C debug-assertions=off
+//@rustc-env: THRUST_SOLVER=tests/thrust-pcsat-wrapper
+
+use thrust_models::exists;
+
+#[thrust::trusted]
+#[thrust::callable]
+fn rand() -> i64 {
+    unimplemented!()
+}
+
+// Same contract as the `pass` counterpart, but the body returns a negative
+// value when `x > 0`, so the implication `(x > 0) ==> (result > 0)` is
+// violated. This confirms `==>` carries real implication semantics rather than
+// being silently accepted.
+#[thrust_macros::ensures((x > 0) ==> (result > 0))]
+fn f(x: i64) -> i64 {
+    if x > 0 {
+        -1
+    } else {
+        0
+    }
+}
+
+// An unparenthesized chain must parse right-associatively, i.e.
+// `(x > 10) ==> ((x > 5) ==> (result == 1))`. Left-associative parsing would
+// make this unprovable, so this case pins down associativity.
+#[thrust_macros::ensures((x > 10) ==> (x > 5) ==> (result == 1))]
+fn g(x: i64) -> i64 {
+    if x > 5 {
+        1
+    } else {
+        0
+    }
+}
+
+// Implication nested inside a quantifier's closure body.
+#[thrust_macros::ensures(exists(|y: i64| (1 == 1) ==> (result == 2 * y)))]
+fn k() -> i64 {
+    let x = rand();
+    x + x
+}
+
+fn main() {}

tests/ui/pass/annot_implication.rs

@@ -0,0 +1,43 @@
+//@check-pass
+//@compile-flags: -C debug-assertions=off
+//@rustc-env: THRUST_SOLVER=tests/thrust-pcsat-wrapper
+
+use thrust_models::exists;
+
+#[thrust::trusted]
+#[thrust::callable]
+fn rand() -> i64 {
+    unimplemented!()
+}
+
+// Basic implication in a postcondition: when the antecedent holds the
+// consequent must too; otherwise the obligation is vacuous.
+#[thrust_macros::ensures((x > 0) ==> (result > 0))]
+fn f(x: i64) -> i64 {
+    if x > 0 {
+        x
+    } else {
+        0
+    }
+}
+
+// An unparenthesized chain must parse right-associatively, i.e.
+// `(x > 10) ==> ((x > 5) ==> (result == 1))`. Left-associative parsing would
+// make this unprovable, so this case pins down associativity.
+#[thrust_macros::ensures((x > 10) ==> (x > 5) ==> (result == 1))]
+fn g(x: i64) -> i64 {
+    if x > 5 {
+        1
+    } else {
+        0
+    }
+}
+
+// Implication nested inside a quantifier's closure body.
+#[thrust_macros::ensures(exists(|y: i64| (1 == 1) ==> (result == 2 * y)))]
+fn k() -> i64 {
+    let x = rand();
+    x + x
+}
+
+fn main() {}

thrust-macros/Cargo.toml

@@ -10,4 +10,4 @@ proc-macro = true
 [dependencies]
 proc-macro2 = "1"
 quote = "1"
-syn = { version = "2", features = ["full", "visit", "visit-mut"] }
+syn = { version = "2", features = ["extra-traits", "full", "visit", "visit-mut"] }

thrust-macros/src/formula.rs

@@ -0,0 +1,266 @@
+//! The `thrust_macros::formula!` proc-macro: the single preprocessing layer for
+//! formula tokens.
+//!
+//! Annotation macros wrap their formula body in `thrust_macros::formula!(...)`
+//! instead of splicing it raw. This hides syntax that is not valid Rust (the
+//! `==>` operator) inside a macro call's arguments, so the surrounding pipeline —
+//! which parses formulas as [`syn::Expr`] — never chokes on it, and gives one
+//! place to run preprocessing before the body reaches rustc / HIR lowering.
+//!
+//! The only pass today is implication desugaring; further passes can be appended
+//! in [`expand`].
+
+use proc_macro2::{Group, Punct, Spacing, TokenStream, TokenTree};
+use quote::{quote, ToTokens};
+use syn::visit_mut::VisitMut;
+
+/// Wraps formula tokens in a `thrust_macros::formula!(...)` call.
+pub fn wrap_expr(tokens: TokenStream) -> TokenStream {
+    quote!(::thrust_macros::formula!(#tokens))
+}
+
+/// Wraps an invariant closure's body in `::thrust_macros::formula!(...)`, taking
+/// everything past the closure header (the first two top-level `|`) as the body.
+/// Only the body is wrapped: the closure must stay a parseable `ExprClosure` for
+/// `invariant::expand_invariant` to read its `.inputs`/`.body`, and the context
+/// form's threaded signature must not be preprocessed. Non-closure inputs pass
+/// through.
+///
+/// A closure with an explicit return type (`|x| -> Ty { .. }`) must keep its body
+/// a block, so the `-> Ty {` / `}` is preserved and only the block's tail
+/// expression is wrapped.
+pub fn wrap_closure_body(input: TokenStream) -> TokenStream {
+    let tokens: Vec<TokenTree> = input.into_iter().collect();
+    let bars: Vec<usize> = tokens
+        .iter()
+        .enumerate()
+        .filter(|(_, tt)| matches!(tt, TokenTree::Punct(p) if p.as_char() == '|'))
+        .map(|(i, _)| i)
+        .collect();
+    let [_open, close, ..] = bars[..] else {
+        return tokens.into_iter().collect();
+    };
+    let header: TokenStream = tokens[..=close].iter().cloned().collect();
+    let tail = &tokens[close + 1..];
+
+    // `-> Ty { body }`: wrap the block's tail expression in place.
+    let has_return_type = matches!(tail.first(), Some(TokenTree::Punct(p)) if p.as_char() == '-')
+        && matches!(tail.get(1), Some(TokenTree::Punct(p)) if p.as_char() == '>');
+    if has_return_type {
+        if let Some((TokenTree::Group(block), prefix)) = tail.split_last() {
+            if block.delimiter() == proc_macro2::Delimiter::Brace {
+                let prefix: TokenStream = prefix.iter().cloned().collect();
+                let body = wrap_block_tail(block);
+                return quote!(#header #prefix #body);
+            }
+        }
+    }
+
+    // `|args| body`: the body is a bare expression; wrap it whole.
+    let body = wrap_expr(tail.iter().cloned().collect());
+    quote!(#header #body)
+}
+
+/// Returns a brace group like `block` but with its tail expression (the final
+/// `;`-separated segment) wrapped in `::thrust_macros::formula!(...)`. Leading
+/// statements are left untouched; a block with no tail expression is unchanged.
+fn wrap_block_tail(block: &Group) -> TokenStream {
+    let stmts: Vec<TokenTree> = block.stream().into_iter().collect();
+    let mut segments: Vec<Vec<TokenTree>> = vec![Vec::new()];
+    for tt in &stmts {
+        segments.last_mut().unwrap().push(tt.clone());
+        if matches!(tt, TokenTree::Punct(p) if p.as_char() == ';') {
+            segments.push(Vec::new());
+        }
+    }
+    let tail = segments.pop().unwrap();
+
+    let mut inner = TokenStream::new();
+    for seg in &segments {
+        inner.extend(seg.iter().cloned());
+    }
+    if !tail.is_empty() {
+        inner.extend(wrap_expr(tail.into_iter().collect()));
+    }
+
+    let mut wrapped = Group::new(proc_macro2::Delimiter::Brace, inner);
+    wrapped.set_span(block.span());
+    quote!(#wrapped)
+}
+
+/// Expands `formula!(<tokens>)` into the preprocessed boolean expression.
+pub fn expand(input: TokenStream) -> TokenStream {
+    if let Err(e) = reject_bare_assignment(&input) {
+        return e.to_compile_error();
+    }
+
+    // `==>` is desugared to assignment (the lowest-precedence, right-associative
+    // operator) so `syn` reproduces its precedence, then each assignment node is
+    // rewritten into `!lhs || rhs`.
+    let desugared = desugar_arrows(input);
+    let mut expr: syn::Expr = match syn::parse2(desugared) {
+        Ok(expr) => expr,
+        Err(e) => return e.to_compile_error(),
+    };
+
+    // Rewrites each assignment `lhs = rhs` (produced by [`desugar_arrows`] from
+    // `lhs ==> rhs`) into `(!(lhs)) || (rhs)`. Visiting post-order means nested
+    // implications are rewritten innermost-first, so the right-associative chain
+    // `a ==> b ==> c` becomes `!a || (!b || c)`.
+    struct ImplicationRewriter;
+
+    impl VisitMut for ImplicationRewriter {
+        fn visit_expr_mut(&mut self, expr: &mut syn::Expr) {
+            syn::visit_mut::visit_expr_mut(self, expr);
+            if let syn::Expr::Assign(assign) = expr {
+                let left = &assign.left;
+                let right = &assign.right;
+                *expr = syn::parse_quote!((!(#left)) || (#right));
+            }
+        }
+    }
+
+    ImplicationRewriter.visit_expr_mut(&mut expr);
+
+    expr.into_token_stream()
+}
+
+/// Rejects a bare assignment `=` anywhere in `input`. Desugaring turns `==>` into
+/// `=`, so a genuine `=` would be read as an implication; since assignment is
+/// meaningless in a formula we reject it up front. A genuine `=` is a lone
+/// `Punct('=')` with [`Spacing::Alone`] not preceded by a joint punct, which
+/// excludes the `=`s of `==`, `!=`, `<=`, `>=`, and `==>`.
+fn reject_bare_assignment(input: &TokenStream) -> syn::Result<()> {
+    let mut prev_joint = false;
+    for tt in input.clone() {
+        match tt {
+            TokenTree::Group(g) => {
+                reject_bare_assignment(&g.stream())?;
+                prev_joint = false;
+            }
+            TokenTree::Punct(p) => {
+                if p.as_char() == '=' && p.spacing() == Spacing::Alone && !prev_joint {
+                    return Err(syn::Error::new(
+                        p.span(),
+                        "`=` is not allowed in a formula; use `==` for equality or `==>` for implication",
+                    ));
+                }
+                prev_joint = p.spacing() == Spacing::Joint;
+            }
+            _ => prev_joint = false,
+        }
+    }
+    Ok(())
+}
+
+/// Replaces every contiguous `==>` (the puncts `=`, `=`, `>`) with a single `=`,
+/// recursing into every delimiter group. `==`, `=>`, `>=`, and `->` do not match
+/// the triple and are left untouched.
+fn desugar_arrows(input: TokenStream) -> TokenStream {
+    let mut out = TokenStream::new();
+    let mut iter = input.into_iter().peekable();
+    while let Some(tt) = iter.next() {
+        match tt {
+            TokenTree::Group(group) => {
+                let inner = desugar_arrows(group.stream());
+                let mut new_group = Group::new(group.delimiter(), inner);
+                new_group.set_span(group.span());
+                out.extend([TokenTree::Group(new_group)]);
+            }
+            TokenTree::Punct(p) if p.as_char() == '=' && p.spacing() == Spacing::Joint => {
+                // Look for a contiguous `==>`: `p` is the first `=`, joint to a
+                // second joint `=`, then a `>`. Requiring joint spacing avoids
+                // matching a spaced-out `= = >` / `== >`.
+                if let Some(TokenTree::Punct(p2)) = iter.peek() {
+                    if p2.as_char() == '=' && p2.spacing() == Spacing::Joint {
+                        let mut lookahead = iter.clone();
+                        lookahead.next(); // consume the second `=`
+                        if let Some(TokenTree::Punct(p3)) = lookahead.peek() {
+                            if p3.as_char() == '>' {
+                                // Matched `==>`; consume `=` and `>`, emit `=`.
+                                iter.next(); // second `=`
+                                iter.next(); // `>`
+                                let mut eq = Punct::new('=', Spacing::Alone);
+                                eq.set_span(p.span());
+                                out.extend([TokenTree::Punct(eq)]);
+                                continue;
+                            }
+                        }
+                    }
+                }
+                out.extend([TokenTree::Punct(p)]);
+            }
+            other => out.extend([other]),
+        }
+    }
+    out
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    /// `expand`s `s`, then renders it through `syn` so spacing matches `expect`.
+    fn expand_expr(s: &str) -> String {
+        let expr: syn::Expr = syn::parse2(expand(s.parse().unwrap())).unwrap();
+        quote!(#expr).to_string()
+    }
+
+    fn expect(s: &str) -> String {
+        let expr: syn::Expr = syn::parse_str(s).unwrap();
+        quote!(#expr).to_string()
+    }
+
+    #[test]
+    fn desugars_implication() {
+        assert_eq!(expand_expr("a ==> b"), expect("(!(a)) || (b)"));
+        // right-associative
+        assert_eq!(
+            expand_expr("a ==> b ==> c"),
+            expect("(!(a)) || ((!(b)) || (c))")
+        );
+        // lower precedence than `||` and `==`
+        assert_eq!(
+            expand_expr("a || b ==> c == d"),
+            expect("(!(a || b)) || (c == d)")
+        );
+        // nested inside a closure argument
+        assert_eq!(
+            expand_expr("exists(|x| a ==> b)"),
+            expect("exists(|x| (!(a)) || (b))")
+        );
+    }
+
+    #[test]
+    fn leaves_comparisons_untouched() {
+        for s in ["a == b", "a != b", "a >= b", "a <= b"] {
+            assert_eq!(expand_expr(s), expect(s), "{s}");
+        }
+    }
+
+    #[test]
+    fn rejects_bare_assignment() {
+        // `expand` emits a `compile_error!` instead of a valid expression.
+        for s in ["a = b", "f(x = y)"] {
+            assert!(
+                expand(s.parse().unwrap())
+                    .to_string()
+                    .contains("compile_error"),
+                "{s}"
+            );
+        }
+    }
+
+    /// `wrap_closure_body` must leave the input a parseable `ExprClosure`, both
+    /// for a bare-expression body and one with an explicit return type.
+    fn assert_wraps_to_closure(s: &str) {
+        let wrapped = wrap_closure_body(s.parse().unwrap());
+        syn::parse2::<syn::ExprClosure>(wrapped).unwrap_or_else(|e| panic!("{s}: {e}"));
+    }
+
+    #[test]
+    fn preserves_closure_forms() {
+        assert_wraps_to_closure("|x: i64| x >= 1 ==> x >= 0");
+        assert_wraps_to_closure("|x: i64| -> bool { x >= 1 ==> x >= 0 }");
+    }
+}

thrust-macros/src/invariant.rs

@@ -34,7 +34,6 @@ use proc_macro2::TokenStream as TokenStream2;
 use quote::{format_ident, quote, ToTokens};
 use syn::{
     parse::{Parse, ParseStream},
-    parse_macro_input,
     visit_mut::VisitMut,
     FnArg, GenericParam, Signature, WherePredicate,
 };
@@ -46,7 +45,11 @@ static COUNTER: AtomicUsize = AtomicUsize::new(0);
 /// Expands `invariant!(CLOSURE)`: a bare predicate closure with no threaded
 /// context.
 pub fn expand(input: TokenStream) -> TokenStream {
-    let closure = parse_macro_input!(input as syn::ExprClosure);
+    let input = crate::formula::wrap_closure_body(input.into());
+    let closure = match syn::parse2::<syn::ExprClosure>(input) {
+        Ok(closure) => closure,
+        Err(e) => return e.to_compile_error().into(),
+    };
     match expand_invariant(&closure, None) {
         Ok(expr) => expr.into_token_stream().into(),
         Err(e) => e.to_compile_error().into(),
@@ -75,7 +78,11 @@ pub fn expand_with_context(input: TokenStream) -> TokenStream {
         }
     }
 
-    let WithContext { closure, context } = parse_macro_input!(input as WithContext);
+    let input = crate::formula::wrap_closure_body(input.into());
+    let WithContext { closure, context } = match syn::parse2::<WithContext>(input) {
+        Ok(parsed) => parsed,
+        Err(e) => return e.to_compile_error().into(),
+    };
     match expand_invariant(&closure, Some(&context)) {
         Ok(expr) => expr.into_token_stream().into(),
         Err(e) => e.to_compile_error().into(),