Support logical implication (==>) in annotations

claude · coord-e · commit 7165183ebb57 · 2026-06-13T15:45:51.000+09:00
Add a single formula-token preprocessing layer, the `thrust_macros::formula!` proc-macro, that every annotation wraps its formula body in. Its first pass desugars the implication operator `a ==> b` into `!a || b`: - `==>` is rewritten to assignment (the lowest-precedence, right-associative Rust operator) so `syn` reproduces implication's precedence/associativity for free, including inside closure bodies; - each resulting assignment node is rewritten to `(!(lhs)) || (rhs)` so the generated `#[thrust::formula_fn]` body is valid boolean Rust. `requires`/`ensures`, `predicate`, the `param`/`ret`/`sig` refinement types, and `invariant!` all route their formula through `formula!`. Closes #106. Reject bare `=` in formula! to avoid ambiguity with implication `==>` is desugared to assignment, so once parsed an `Expr::Assign` from a genuinely-written `=` is indistinguishable from an implication. Reject a bare `=` (a lone `Punct('=')` with Alone spacing, not preceded by a joint punct, so `==`/`!=`/`<=`/`>=`/`==>` are unaffected) up front with a clear diagnostic. Also enable syn's `extra-traits` feature explicitly (the crate compares `syn::Path` values), so the crate builds and its unit tests run standalone. https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL Document why formula wrapping isolates the body/tail expression https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL Address review: trim comments, dedupe self-rewrite, test expand() - shorten and de-duplicate doc/inline comments - call crate::formula::wrap_formula directly instead of importing it - rename rewrite_self_in_macro_tokens to rewrite_self_in_tokens and reuse it from rty, dropping rty's duplicate copy - unit-test the public formula::expand, not only reject_bare_assignment https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL cargo fmt https://claude.ai/code/session_017DdTwmnyZefiWR7zfcKsEL style fix
diff --git a/tests/ui/fail/annot_implication.rs b/tests/ui/fail/annot_implication.rs
@@ -0,0 +1,45 @@
+//@error-in-other-file: Unsat
+//@compile-flags: -C debug-assertions=off
+//@rustc-env: THRUST_SOLVER=tests/thrust-pcsat-wrapper
+
+use thrust_models::exists;
+
+#[thrust::trusted]
+#[thrust::callable]
+fn rand() -> i64 {
+    unimplemented!()
+}
+
+// Same contract as the `pass` counterpart, but the body returns a negative
+// value when `x > 0`, so the implication `(x > 0) ==> (result > 0)` is
+// violated. This confirms `==>` carries real implication semantics rather than
+// being silently accepted.
+#[thrust_macros::ensures((x > 0) ==> (result > 0))]
+fn f(x: i64) -> i64 {
+    if x > 0 {
+        -1
+    } else {
+        0
+    }
+}
+
+// An unparenthesized chain must parse right-associatively, i.e.
+// `(x > 10) ==> ((x > 5) ==> (result == 1))`. Left-associative parsing would
+// make this unprovable, so this case pins down associativity.
+#[thrust_macros::ensures((x > 10) ==> (x > 5) ==> (result == 1))]
+fn g(x: i64) -> i64 {
+    if x > 5 {
+        1
+    } else {
+        0
+    }
+}
+
+// Implication nested inside a quantifier's closure body.
+#[thrust_macros::ensures(exists(|y: i64| (1 == 1) ==> (result == 2 * y)))]
+fn k() -> i64 {
+    let x = rand();
+    x + x
+}
+
+fn main() {}
diff --git a/tests/ui/pass/annot_implication.rs b/tests/ui/pass/annot_implication.rs
@@ -0,0 +1,43 @@
+//@check-pass
+//@compile-flags: -C debug-assertions=off
+//@rustc-env: THRUST_SOLVER=tests/thrust-pcsat-wrapper
+
+use thrust_models::exists;
+
+#[thrust::trusted]
+#[thrust::callable]
+fn rand() -> i64 {
+    unimplemented!()
+}
+
+// Basic implication in a postcondition: when the antecedent holds the
+// consequent must too; otherwise the obligation is vacuous.
+#[thrust_macros::ensures((x > 0) ==> (result > 0))]
+fn f(x: i64) -> i64 {
+    if x > 0 {
+        x
+    } else {
+        0
+    }
+}
+
+// An unparenthesized chain must parse right-associatively, i.e.
+// `(x > 10) ==> ((x > 5) ==> (result == 1))`. Left-associative parsing would
+// make this unprovable, so this case pins down associativity.
+#[thrust_macros::ensures((x > 10) ==> (x > 5) ==> (result == 1))]
+fn g(x: i64) -> i64 {
+    if x > 5 {
+        1
+    } else {
+        0
+    }
+}
+
+// Implication nested inside a quantifier's closure body.
+#[thrust_macros::ensures(exists(|y: i64| (1 == 1) ==> (result == 2 * y)))]
+fn k() -> i64 {
+    let x = rand();
+    x + x
+}
+
+fn main() {}
diff --git a/thrust-macros/Cargo.toml b/thrust-macros/Cargo.toml
@@ -10,4 +10,4 @@ proc-macro = true
 [dependencies]
 proc-macro2 = "1"
 quote = "1"
-syn = { version = "2", features = ["full", "visit", "visit-mut"] }
+syn = { version = "2", features = ["extra-traits", "full", "visit", "visit-mut"] }
diff --git a/thrust-macros/src/formula.rs b/thrust-macros/src/formula.rs
@@ -0,0 +1,180 @@
+//! The `thrust_macros::formula!` proc-macro: the single preprocessing layer for
+//! formula tokens.
+//!
+//! Annotation macros wrap their formula body in `thrust_macros::formula!(...)`
+//! instead of splicing it raw. This hides syntax that is not valid Rust (the
+//! `==>` operator) inside a macro call's arguments, so the surrounding pipeline —
+//! which parses formulas as [`syn::Expr`] — never chokes on it, and gives one
+//! place to run preprocessing before the body reaches rustc / HIR lowering.
+//!
+//! The only pass today is implication desugaring; further passes can be appended
+//! in [`expand`].
+
+use proc_macro2::{Group, Punct, Spacing, TokenStream, TokenTree};
+use quote::{quote, ToTokens};
+use syn::visit_mut::VisitMut;
+
+/// Wraps formula tokens in a `thrust_macros::formula!(...)` call.
+pub fn wrap_formula(tokens: TokenStream) -> TokenStream {
+    quote!(::thrust_macros::formula!(#tokens))
+}
+
+/// Expands `formula!(<tokens>)` into the preprocessed boolean expression.
+pub fn expand(input: TokenStream) -> TokenStream {
+    if let Err(e) = reject_bare_assignment(&input) {
+        return e.to_compile_error();
+    }
+
+    // `==>` is desugared to assignment (the lowest-precedence, right-associative
+    // operator) so `syn` reproduces its precedence, then each assignment node is
+    // rewritten into `!lhs || rhs`.
+    let desugared = desugar_arrows(input);
+    let mut expr: syn::Expr = match syn::parse2(desugared) {
+        Ok(expr) => expr,
+        Err(e) => return e.to_compile_error(),
+    };
+
+    // Rewrites each assignment `lhs = rhs` (produced by [`desugar_arrows`] from
+    // `lhs ==> rhs`) into the boolean expression `(!(lhs)) || (rhs)`. Visiting
+    // post-order means nested implications are rewritten innermost-first, so the
+    // right-associative chain `a ==> b ==> c` becomes `!a || (!b || c)`.
+    struct ImplicationRewriter;
+
+    impl VisitMut for ImplicationRewriter {
+        fn visit_expr_mut(&mut self, expr: &mut syn::Expr) {
+            syn::visit_mut::visit_expr_mut(self, expr);
+            if let syn::Expr::Assign(assign) = expr {
+                let left = &assign.left;
+                let right = &assign.right;
+                *expr = syn::parse_quote!((!(#left)) || (#right));
+            }
+        }
+    }
+
+    ImplicationRewriter.visit_expr_mut(&mut expr);
+
+    expr.into_token_stream()
+}
+
+/// Rejects a bare assignment `=` anywhere in `input`. Desugaring turns `==>` into
+/// `=`, so a genuine `=` would be read as an implication; since assignment is
+/// meaningless in a formula we reject it up front. A genuine `=` is a lone
+/// `Punct('=')` with [`Spacing::Alone`] not preceded by a joint punct, which
+/// excludes the `=`s of `==`, `!=`, `<=`, `>=`, and `==>`.
+fn reject_bare_assignment(input: &TokenStream) -> syn::Result<()> {
+    let mut prev_joint = false;
+    for tt in input.clone() {
+        match tt {
+            TokenTree::Group(g) => {
+                reject_bare_assignment(&g.stream())?;
+                prev_joint = false;
+            }
+            TokenTree::Punct(p) => {
+                if p.as_char() == '=' && p.spacing() == Spacing::Alone && !prev_joint {
+                    return Err(syn::Error::new(
+                        p.span(),
+                        "`=` is not allowed in a formula; use `==` for equality or `==>` for implication",
+                    ));
+                }
+                prev_joint = p.spacing() == Spacing::Joint;
+            }
+            _ => prev_joint = false,
+        }
+    }
+    Ok(())
+}
+
+/// Replaces every contiguous `==>` (the puncts `=`, `=`, `>`) with a single `=`,
+/// recursing into every delimiter group. `==`, `=>`, `>=`, and `->` do not match
+/// the triple and are left untouched.
+fn desugar_arrows(input: TokenStream) -> TokenStream {
+    let mut out = TokenStream::new();
+    let mut iter = input.into_iter().peekable();
+    while let Some(tt) = iter.next() {
+        match tt {
+            TokenTree::Group(group) => {
+                let inner = desugar_arrows(group.stream());
+                let mut new_group = Group::new(group.delimiter(), inner);
+                new_group.set_span(group.span());
+                out.extend([TokenTree::Group(new_group)]);
+            }
+            TokenTree::Punct(p) if p.as_char() == '=' && p.spacing() == Spacing::Joint => {
+                // Look for `=` `=` `>`. `p` is the first `=`.
+                if let Some(TokenTree::Punct(p2)) = iter.peek() {
+                    if p2.as_char() == '=' && p2.spacing() == Spacing::Joint {
+                        let mut lookahead = iter.clone();
+                        lookahead.next(); // consume the second `=`
+                        if let Some(TokenTree::Punct(p3)) = lookahead.peek() {
+                            if p3.as_char() == '>' {
+                                // Matched `==>`; consume `=` and `>`, emit `=`.
+                                iter.next(); // second `=`
+                                iter.next(); // `>`
+                                out.extend([TokenTree::Punct(Punct::new('=', Spacing::Alone))]);
+                                continue;
+                            }
+                        }
+                    }
+                }
+                out.extend([TokenTree::Punct(p)]);
+            }
+            other => out.extend([other]),
+        }
+    }
+    out
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    /// `expand`s `s`, then renders it through `syn` so spacing matches `expect`.
+    fn expand_expr(s: &str) -> String {
+        let expr: syn::Expr = syn::parse2(expand(s.parse().unwrap())).unwrap();
+        quote!(#expr).to_string()
+    }
+
+    fn expect(s: &str) -> String {
+        let expr: syn::Expr = syn::parse_str(s).unwrap();
+        quote!(#expr).to_string()
+    }
+
+    #[test]
+    fn desugars_implication() {
+        assert_eq!(expand_expr("a ==> b"), expect("(!(a)) || (b)"));
+        // right-associative
+        assert_eq!(
+            expand_expr("a ==> b ==> c"),
+            expect("(!(a)) || ((!(b)) || (c))")
+        );
+        // lower precedence than `||` and `==`
+        assert_eq!(
+            expand_expr("a || b ==> c == d"),
+            expect("(!(a || b)) || (c == d)")
+        );
+        // nested inside a closure argument
+        assert_eq!(
+            expand_expr("exists(|x| a ==> b)"),
+            expect("exists(|x| (!(a)) || (b))")
+        );
+    }
+
+    #[test]
+    fn leaves_comparisons_untouched() {
+        for s in ["a == b", "a != b", "a >= b", "a <= b"] {
+            assert_eq!(expand_expr(s), expect(s), "{s}");
+        }
+    }
+
+    #[test]
+    fn rejects_bare_assignment() {
+        // `expand` emits a `compile_error!` instead of a valid expression.
+        for s in ["a = b", "f(x = y)"] {
+            assert!(
+                expand(s.parse().unwrap())
+                    .to_string()
+                    .contains("compile_error"),
+                "{s}"
+            );
+        }
+    }
+}
diff --git a/thrust-macros/src/invariant.rs b/thrust-macros/src/invariant.rs
@@ -30,11 +30,10 @@
 use std::sync::atomic::{AtomicUsize, Ordering};
 
 use proc_macro::TokenStream;
-use proc_macro2::TokenStream as TokenStream2;
+use proc_macro2::{TokenStream as TokenStream2, TokenTree as TokenTree2};
 use quote::{format_ident, quote, ToTokens};
 use syn::{
     parse::{Parse, ParseStream},
-    parse_macro_input,
     visit_mut::VisitMut,
     FnArg, GenericParam, Signature, WherePredicate,
 };
@@ -46,13 +45,38 @@ static COUNTER: AtomicUsize = AtomicUsize::new(0);
 /// Expands `invariant!(CLOSURE)`: a bare predicate closure with no threaded
 /// context.
 pub fn expand(input: TokenStream) -> TokenStream {
-    let closure = parse_macro_input!(input as syn::ExprClosure);
+    let input = wrap_closure_body(input.into());
+    let closure = match syn::parse2::<syn::ExprClosure>(input) {
+        Ok(closure) => closure,
+        Err(e) => return e.to_compile_error().into(),
+    };
     match expand_invariant(&closure, None) {
         Ok(expr) => expr.into_token_stream().into(),
         Err(e) => e.to_compile_error().into(),
     }
 }
 
+/// Wraps the closure body in `input` in `::thrust_macros::formula!(...)`, taking
+/// everything past the closure header (the first two top-level `|`) as the body.
+/// Only the body is wrapped: the closure must stay a parseable `ExprClosure` for
+/// [`expand_invariant`] to read its `.inputs`/`.body`, and the context form's
+/// threaded signature must not be preprocessed. Non-closure inputs pass through.
+fn wrap_closure_body(input: TokenStream2) -> TokenStream2 {
+    let tokens: Vec<TokenTree2> = input.into_iter().collect();
+    let bars: Vec<usize> = tokens
+        .iter()
+        .enumerate()
+        .filter(|(_, tt)| matches!(tt, TokenTree2::Punct(p) if p.as_char() == '|'))
+        .map(|(i, _)| i)
+        .collect();
+    let [_open, close, ..] = bars[..] else {
+        return tokens.into_iter().collect();
+    };
+    let header: TokenStream2 = tokens[..=close].iter().cloned().collect();
+    let body = crate::formula::wrap_formula(tokens[close + 1..].iter().cloned().collect());
+    quote!(#header #body)
+}
+
 /// Expands `_invariant_with_context!(#outer_attr #sig; CLOSURE)`, the form
 /// `#[thrust_macros::invariant_context]` rewrites each `invariant!` into.
 pub fn expand_with_context(input: TokenStream) -> TokenStream {
@@ -75,7 +99,11 @@ pub fn expand_with_context(input: TokenStream) -> TokenStream {
         }
     }
 
-    let WithContext { closure, context } = parse_macro_input!(input as WithContext);
+    let input = wrap_closure_body(input.into());
+    let WithContext { closure, context } = match syn::parse2::<WithContext>(input) {
+        Ok(parsed) => parsed,
+        Err(e) => return e.to_compile_error().into(),
+    };
     match expand_invariant(&closure, Some(&context)) {
         Ok(expr) => expr.into_token_stream().into(),
         Err(e) => e.to_compile_error().into(),
diff --git a/thrust-macros/src/lib.rs b/thrust-macros/src/lib.rs
@@ -3,6 +3,7 @@ use proc_macro2::{TokenStream as TokenStream2, TokenTree as TokenTree2};
 
 mod context;
 mod fn_outer_item;
+mod formula;
 mod formula_fn_type_lowering;
 mod invariant;
 mod invariant_context;
@@ -32,6 +33,12 @@ pub fn context(_attr: TokenStream, item: TokenStream) -> TokenStream {
     context::expand(item)
 }
 
+/// Preprocesses a formula body (see [`mod@formula`]); not written by hand.
+#[proc_macro]
+pub fn formula(input: TokenStream) -> TokenStream {
+    formula::expand(input.into()).into()
+}
+
 /// Declares a loop invariant inside a loop body:
 ///
 /// ```ignore
diff --git a/thrust-macros/src/rty.rs b/thrust-macros/src/rty.rs
diff --git a/thrust-macros/src/spec.rs b/thrust-macros/src/spec.rs
