Represent formula implication explicitly

coord-e · coord-e · commit 76e6ab350910 · 2026-06-13T15:31:22.000+09:00
diff --git a/src/analyze/annot.rs b/src/analyze/annot.rs
@@ -145,6 +145,14 @@ pub fn exists_path() -> [Symbol; 3] {
     ]
 }
 
+pub fn implies_path() -> [Symbol; 3] {
+    [
+        Symbol::intern("thrust"),
+        Symbol::intern("def"),
+        Symbol::intern("implies"),
+    ]
+}
+
 pub fn invariant_marker_path() -> [Symbol; 3] {
     [
         Symbol::intern("thrust"),
diff --git a/src/analyze/annot_fn.rs b/src/analyze/annot_fn.rs
@@ -102,6 +102,7 @@ enum FormulaOrTerm<T> {
     BinOp(chc::Term<T>, AmbiguousBinOp, chc::Term<T>),
     And(Box<FormulaOrTerm<T>>, Box<FormulaOrTerm<T>>),
     Or(Box<FormulaOrTerm<T>>, Box<FormulaOrTerm<T>>),
+    Implies(Box<FormulaOrTerm<T>>, Box<FormulaOrTerm<T>>),
     Not(Box<FormulaOrTerm<T>>),
     Literal(bool),
 }
@@ -124,6 +125,7 @@ impl<T> FormulaOrTerm<T> {
             }
             FormulaOrTerm::And(lhs, rhs) => lhs.into_formula()?.and(rhs.into_formula()?),
             FormulaOrTerm::Or(lhs, rhs) => lhs.into_formula()?.or(rhs.into_formula()?),
+            FormulaOrTerm::Implies(lhs, rhs) => lhs.into_formula()?.implies(rhs.into_formula()?),
             FormulaOrTerm::Not(formula_or_term) => formula_or_term.into_formula()?.not(),
             FormulaOrTerm::Literal(b) => {
                 if b {
@@ -148,6 +150,7 @@ impl<T> FormulaOrTerm<T> {
             FormulaOrTerm::BinOp(lhs, AmbiguousBinOp::Lt, rhs) => lhs.lt(rhs),
             FormulaOrTerm::And(lhs, rhs) => lhs.into_term()?.and(rhs.into_term()?),
             FormulaOrTerm::Or(lhs, rhs) => lhs.into_term()?.or(rhs.into_term()?),
+            FormulaOrTerm::Implies(lhs, rhs) => lhs.into_term()?.not().or(rhs.into_term()?),
             FormulaOrTerm::Not(formula_or_term) => formula_or_term.into_term()?.not(),
             FormulaOrTerm::Literal(b) => chc::Term::bool(b),
         };
@@ -607,6 +610,14 @@ impl<'a, 'tcx> AnnotFnTranslator<'a, 'tcx> {
                                 body_formula,
                             ));
                         }
+                        if Some(def_id) == self.def_ids.implies() {
+                            let [lhs, rhs] = args else {
+                                panic!("implies takes exactly 2 arguments");
+                            };
+                            let lhs = self.to_formula_or_term(lhs);
+                            let rhs = self.to_formula_or_term(rhs);
+                            return FormulaOrTerm::Implies(lhs.into(), rhs.into());
+                        }
                         if Some(def_id) == self.def_ids.mut_model_new() {
                             assert_eq!(args.len(), 2, "Mut::new takes exactly 2 arguments");
                             let t1 = self.to_term(&args[0]);
diff --git a/src/analyze/did_cache.rs b/src/analyze/did_cache.rs
@@ -25,6 +25,7 @@ struct DefIds {
     array_model_store: OnceCell<Option<DefId>>,
 
     exists: OnceCell<Option<DefId>>,
+    implies: OnceCell<Option<DefId>>,
     invariant_marker: OnceCell<Option<DefId>>,
 
     closure_precondition: OnceCell<Option<DefId>>,
@@ -181,6 +182,13 @@ impl<'tcx> DefIdCache<'tcx> {
             .get_or_init(|| self.annotated_def(&crate::analyze::annot::exists_path()))
     }
 
+    pub fn implies(&self) -> Option<DefId> {
+        *self
+            .def_ids
+            .implies
+            .get_or_init(|| self.annotated_def(&crate::analyze::annot::implies_path()))
+    }
+
     pub fn invariant_marker(&self) -> Option<DefId> {
         *self
             .def_ids
diff --git a/src/chc.rs b/src/chc.rs
@@ -1245,15 +1245,32 @@ impl<V> Atom<V> {
 /// While it allows arbitrary [`Atom`] in its `Atom` variant, we only expect atoms with known
 /// predicates (i.e., predicates other than `Pred::Var`) to appear in formulas. It is our TODO to
 /// enforce this restriction statically. Also see the definition of [`Body`].
-#[derive(Debug, Clone)]
+#[derive(Clone)]
 pub enum Formula<V = TermVarIdx> {
     Atom(Atom<V>),
     Not(Box<Formula<V>>),
     And(Vec<Formula<V>>),
     Or(Vec<Formula<V>>),
+    Implies(Box<Formula<V>>, Box<Formula<V>>),
     Exists(Vec<(String, Sort)>, Box<Formula<V>>),
 }
 
+impl<V> std::fmt::Debug for Formula<V>
+where
+    V: std::fmt::Debug,
+{
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Formula::Atom(atom) => atom.fmt(f),
+            Formula::Not(fo) => f.debug_tuple("Not").field(fo).finish(),
+            Formula::And(fs) => f.debug_tuple("And").field(fs).finish(),
+            Formula::Or(fs) => f.debug_tuple("Or").field(fs).finish(),
+            Formula::Implies(lhs, rhs) => write!(f, "({lhs:?} ==> {rhs:?})"),
+            Formula::Exists(vars, fo) => f.debug_tuple("Exists").field(vars).field(fo).finish(),
+        }
+    }
+}
+
 impl<V> Default for Formula<V> {
     fn default() -> Self {
         Formula::top()
@@ -1293,6 +1310,13 @@ where
                 );
                 inner.group()
             }
+            Formula::Implies(lhs, rhs) => lhs
+                .pretty_atom(allocator)
+                .append(allocator.space())
+                .append(allocator.text("==>"))
+                .append(allocator.line())
+                .append(rhs.pretty_atom(allocator))
+                .group(),
             Formula::Exists(vars, fo) => {
                 let vars = allocator.intersperse(
                     vars.iter().map(|(name, sort)| {
@@ -1327,7 +1351,7 @@ impl<V> Formula<V> {
         D::Doc: Clone,
     {
         match self {
-            Formula::And(_) | Formula::Or(_) | Formula::Exists { .. } => {
+            Formula::And(_) | Formula::Or(_) | Formula::Implies(_, _) | Formula::Exists { .. } => {
                 self.pretty(allocator).parens()
             }
             _ => self.pretty(allocator),
@@ -1348,6 +1372,7 @@ impl<V> Formula<V> {
             Formula::Not(fo) => fo.is_bottom(),
             Formula::And(fs) => fs.iter().all(Formula::is_top),
             Formula::Or(fs) => fs.iter().any(Formula::is_top),
+            Formula::Implies(lhs, rhs) => lhs.is_bottom() || rhs.is_top(),
             Formula::Exists(_, fo) => fo.is_top(),
         }
     }
@@ -1358,6 +1383,7 @@ impl<V> Formula<V> {
             Formula::Not(fo) => fo.is_top(),
             Formula::And(fs) => fs.iter().any(Formula::is_bottom),
             Formula::Or(fs) => fs.iter().all(Formula::is_bottom),
+            Formula::Implies(lhs, rhs) => lhs.is_top() && rhs.is_bottom(),
             Formula::Exists(_, fo) => fo.is_bottom(),
         }
     }
@@ -1389,6 +1415,10 @@ impl<V> Formula<V> {
         }
     }
 
+    pub fn implies(self, other: Self) -> Self {
+        Formula::Implies(Box::new(self), Box::new(other))
+    }
+
     pub fn exists(vars: Vec<(String, Sort)>, body: Self) -> Self {
         Formula::Exists(vars, Box::new(body))
     }
@@ -1406,6 +1436,9 @@ impl<V> Formula<V> {
                 Formula::And(fs.into_iter().map(|fo| fo.subst_var(&mut f)).collect())
             }
             Formula::Or(fs) => Formula::Or(fs.into_iter().map(|fo| fo.subst_var(&mut f)).collect()),
+            Formula::Implies(lhs, rhs) => {
+                Formula::Implies(Box::new(lhs.subst_var(&mut f)), Box::new(rhs.subst_var(f)))
+            }
             Formula::Exists(vars, fo) => Formula::Exists(vars, Box::new(fo.subst_var(f))),
         }
     }
@@ -1421,6 +1454,9 @@ impl<V> Formula<V> {
             Formula::Not(fo) => Formula::Not(Box::new(fo.map_var(&mut f))),
             Formula::And(fs) => Formula::And(fs.into_iter().map(|fo| fo.map_var(&mut f)).collect()),
             Formula::Or(fs) => Formula::Or(fs.into_iter().map(|fo| fo.map_var(&mut f)).collect()),
+            Formula::Implies(lhs, rhs) => {
+                Formula::Implies(Box::new(lhs.map_var(&mut f)), Box::new(rhs.map_var(f)))
+            }
             Formula::Exists(vars, fo) => Formula::Exists(vars, Box::new(fo.map_var(f))),
         }
     }
@@ -1435,6 +1471,7 @@ impl<V> Formula<V> {
             Formula::Not(fo) => Box::new(fo.fv()),
             Formula::And(fs) => Box::new(fs.iter().flat_map(Formula::fv)),
             Formula::Or(fs) => Box::new(fs.iter().flat_map(Formula::fv)),
+            Formula::Implies(lhs, rhs) => Box::new(lhs.fv().chain(rhs.fv())),
             Formula::Exists(_, fo) => Box::new(fo.fv()),
         }
     }
@@ -1449,6 +1486,7 @@ impl<V> Formula<V> {
             Formula::Not(fo) => Box::new(fo.iter_atoms()),
             Formula::And(fs) => Box::new(fs.iter().flat_map(Formula::iter_atoms)),
             Formula::Or(fs) => Box::new(fs.iter().flat_map(Formula::iter_atoms)),
+            Formula::Implies(lhs, rhs) => Box::new(lhs.iter_atoms().chain(rhs.iter_atoms())),
             Formula::Exists(_, fo) => Box::new(fo.iter_atoms()),
         }
     }
@@ -1469,6 +1507,17 @@ impl<V> Formula<V> {
         match self {
             Formula::Atom(_atom) => {}
             Formula::Not(fo) => fo.simplify(),
+            Formula::Implies(lhs, rhs) => {
+                lhs.simplify();
+                rhs.simplify();
+                if lhs.is_bottom() || rhs.is_top() {
+                    *self = Formula::top();
+                } else if lhs.is_top() {
+                    *self = std::mem::take(&mut **rhs);
+                } else if rhs.is_bottom() {
+                    *self = std::mem::take(&mut **lhs).not();
+                }
+            }
             Formula::And(fs) => {
                 for fo in &mut *fs {
                     fo.simplify();
@@ -1624,7 +1673,7 @@ where
                 .into_iter()
                 .map(|a| a.guarded(guard.clone()))
                 .collect(),
-            formula: guard.not().or(formula),
+            formula: guard.implies(formula),
         }
     }
 }
diff --git a/src/chc/smtlib2.rs b/src/chc/smtlib2.rs
@@ -288,6 +288,11 @@ impl<'ctx, 'a> std::fmt::Display for Formula<'ctx, 'a> {
                 let fs = List::open(fs.iter().map(|fo| Formula::new(self.ctx, self.clause, fo)));
                 write!(f, "(or {})", fs)
             }
+            chc::Formula::Implies(lhs, rhs) => {
+                let lhs = Formula::new(self.ctx, self.clause, lhs);
+                let rhs = Formula::new(self.ctx, self.clause, rhs);
+                write!(f, "(=> {lhs} {rhs})")
+            }
             chc::Formula::Exists(vars, fo) => {
                 let vars =
                     List::closed(vars.iter().map(|(v, s)| {
diff --git a/src/chc/unbox.rs b/src/chc/unbox.rs
@@ -81,6 +81,9 @@ fn unbox_formula(formula: Formula) -> Formula {
         Formula::Not(fo) => Formula::Not(Box::new(unbox_formula(*fo))),
         Formula::And(fs) => Formula::And(fs.into_iter().map(unbox_formula).collect()),
         Formula::Or(fs) => Formula::Or(fs.into_iter().map(unbox_formula).collect()),
+        Formula::Implies(lhs, rhs) => {
+            Formula::Implies(Box::new(unbox_formula(*lhs)), Box::new(unbox_formula(*rhs)))
+        }
         Formula::Exists(vars, fo) => {
             let vars = vars.into_iter().map(|(v, s)| (v, unbox_sort(s))).collect();
             Formula::Exists(vars, Box::new(unbox_formula(*fo)))
diff --git a/src/rty.rs b/src/rty.rs
@@ -1930,6 +1930,10 @@ fn subst_ty_params_in_formula<T, V>(formula: &mut chc::Formula<V>, subst: &TypeP
                 subst_ty_params_in_formula(f, subst);
             }
         }
+        chc::Formula::Implies(lhs, rhs) => {
+            subst_ty_params_in_formula(lhs, subst);
+            subst_ty_params_in_formula(rhs, subst);
+        }
         chc::Formula::Exists(vars, f) => {
             for (_, sort) in vars {
                 subst_ty_params_in_sort(sort, subst);
diff --git a/std.rs b/std.rs
@@ -325,6 +325,13 @@ mod thrust_models {
         unimplemented!()
     }
 
+    #[allow(dead_code)]
+    #[thrust::def::implies]
+    #[thrust::ignored]
+    pub fn implies(_lhs: bool, _rhs: bool) -> bool {
+        unimplemented!()
+    }
+
     #[thrust::def::invariant_marker]
     #[thrust::ignored]
     #[inline(never)]
diff --git a/thrust-macros/src/formula.rs b/thrust-macros/src/formula.rs
@@ -7,7 +7,7 @@
 //! which parses formulas as [`syn::Expr`] — never chokes on it, and gives one
 //! place to run preprocessing before the body reaches rustc / HIR lowering.
 //!
-//! The only pass today is implication desugaring; further passes can be appended
+//! The only pass today is implication lowering; further passes can be appended
 //! in [`expand`].
 
 use proc_macro2::{Group, Punct, Spacing, TokenStream, TokenTree};
@@ -27,17 +27,17 @@ pub fn expand(input: TokenStream) -> TokenStream {
 
     // `==>` is desugared to assignment (the lowest-precedence, right-associative
     // operator) so `syn` reproduces its precedence, then each assignment node is
-    // rewritten into `!lhs || rhs`.
+    // rewritten into a marker call that the analyzer lowers to `chc::Formula::Implies`.
     let desugared = desugar_arrows(input);
     let mut expr: syn::Expr = match syn::parse2(desugared) {
         Ok(expr) => expr,
         Err(e) => return e.to_compile_error(),
     };
 
     // Rewrites each assignment `lhs = rhs` (produced by [`desugar_arrows`] from
-    // `lhs ==> rhs`) into the boolean expression `(!(lhs)) || (rhs)`. Visiting
+    // `lhs ==> rhs`) into `thrust_models::model::implies(lhs, rhs)`. Visiting
     // post-order means nested implications are rewritten innermost-first, so the
-    // right-associative chain `a ==> b ==> c` becomes `!a || (!b || c)`.
+    // right-associative chain `a ==> b ==> c` becomes `implies(a, implies(b, c))`.
     struct ImplicationRewriter;
 
     impl VisitMut for ImplicationRewriter {
@@ -46,7 +46,7 @@ pub fn expand(input: TokenStream) -> TokenStream {
             if let syn::Expr::Assign(assign) = expr {
                 let left = &assign.left;
                 let right = &assign.right;
-                *expr = syn::parse_quote!((!(#left)) || (#right));
+                *expr = syn::parse_quote!(thrust_models::model::implies((#left), (#right)));
             }
         }
     }
@@ -98,10 +98,10 @@ fn desugar_arrows(input: TokenStream) -> TokenStream {
                 new_group.set_span(group.span());
                 out.extend([TokenTree::Group(new_group)]);
             }
-            TokenTree::Punct(p) if p.as_char() == '=' && p.spacing() == Spacing::Joint => {
+            TokenTree::Punct(p) if p.as_char() == '=' => {
                 // Look for `=` `=` `>`. `p` is the first `=`.
                 if let Some(TokenTree::Punct(p2)) = iter.peek() {
-                    if p2.as_char() == '=' && p2.spacing() == Spacing::Joint {
+                    if p2.as_char() == '=' {
                         let mut lookahead = iter.clone();
                         lookahead.next(); // consume the second `=`
                         if let Some(TokenTree::Punct(p3)) = lookahead.peek() {
@@ -140,21 +140,24 @@ mod tests {
 
     #[test]
     fn desugars_implication() {
-        assert_eq!(expand_expr("a ==> b"), expect("(!(a)) || (b)"));
+        assert_eq!(
+            expand_expr("a ==> b"),
+            expect("thrust_models::model::implies((a), (b))")
+        );
         // right-associative
         assert_eq!(
             expand_expr("a ==> b ==> c"),
-            expect("(!(a)) || ((!(b)) || (c))")
+            expect("thrust_models::model::implies((a), (thrust_models::model::implies((b), (c))))")
         );
         // lower precedence than `||` and `==`
         assert_eq!(
             expand_expr("a || b ==> c == d"),
-            expect("(!(a || b)) || (c == d)")
+            expect("thrust_models::model::implies((a || b), (c == d))")
         );
         // nested inside a closure argument
         assert_eq!(
             expand_expr("exists(|x| a ==> b)"),
-            expect("exists(|x| (!(a)) || (b))")
+            expect("exists(|x| thrust_models::model::implies((a), (b)))")
         );
     }
 
diff --git a/thrust-macros/src/spec.rs b/thrust-macros/src/spec.rs
@@ -103,7 +103,7 @@ fn wrap_trailing_block(item: TokenStream2) -> TokenStream2 {
 }
 
 pub fn expand_requires(attr: TokenStream, item: TokenStream) -> TokenStream {
-    let expr = crate::formula::wrap_formula(attr.into());
+    let expr = crate::formula::expand(attr.into());
     let mut func = parse_macro_input!(item as FnItemWithSignature);
 
     let (req_expr, ens_expr) = match extract_requires_ensures(&mut func) {
@@ -118,7 +118,7 @@ pub fn expand_requires(attr: TokenStream, item: TokenStream) -> TokenStream {
 }
 
 pub fn expand_ensures(attr: TokenStream, item: TokenStream) -> TokenStream {
-    let expr = crate::formula::wrap_formula(attr.into());
+    let expr = crate::formula::expand(attr.into());
     let mut func = parse_macro_input!(item as FnItemWithSignature);
 
     let (req_expr, ens_expr) = match extract_requires_ensures(&mut func) {

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,14 @@ pub fn exists_path() -> [Symbol; 3] {`
`145`	`145`	`]`
`146`	`146`	`}`
`147`	`147`
	`148`	`+pub fn implies_path() -> [Symbol; 3] {`
	`149`	`+ [`
	`150`	`+ Symbol::intern("thrust"),`
	`151`	`+ Symbol::intern("def"),`
	`152`	`+ Symbol::intern("implies"),`
	`153`	`+ ]`
	`154`	`+}`
	`155`	`+`
`148`	`156`	`pub fn invariant_marker_path() -> [Symbol; 3] {`
`149`	`157`	`[`
`150`	`158`	`Symbol::intern("thrust"),`
Original file line number	Diff line number	Diff line change
`@@ -1930,6 +1930,10 @@ fn subst_ty_params_in_formula<T, V>(formula: &mut chc::Formula<V>, subst: &TypeP`
`1930`	`1930`	`subst_ty_params_in_formula(f, subst);`
`1931`	`1931`	`}`
`1932`	`1932`	`}`
	`1933`	`+ chc::Formula::Implies(lhs, rhs) => {`
	`1934`	`+ subst_ty_params_in_formula(lhs, subst);`
	`1935`	`+ subst_ty_params_in_formula(rhs, subst);`
	`1936`	`+ }`
`1933`	`1937`	`chc::Formula::Exists(vars, f) => {`
`1934`	`1938`	`for (_, sort) in vars {`
`1935`	`1939`	`subst_ty_params_in_sort(sort, subst);`
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ fn wrap_trailing_block(item: TokenStream2) -> TokenStream2 {`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`pub fn expand_requires(attr: TokenStream, item: TokenStream) -> TokenStream {`
`106`		`- let expr = crate::formula::wrap_formula(attr.into());`
	`106`	`+ let expr = crate::formula::expand(attr.into());`
`107`	`107`	`let mut func = parse_macro_input!(item as FnItemWithSignature);`
`108`	`108`
`109`	`109`	`let (req_expr, ens_expr) = match extract_requires_ensures(&mut func) {`
`@@ -118,7 +118,7 @@ pub fn expand_requires(attr: TokenStream, item: TokenStream) -> TokenStream {`
`118`	`118`	`}`
`119`	`119`
`120`	`120`	`pub fn expand_ensures(attr: TokenStream, item: TokenStream) -> TokenStream {`
`121`		`- let expr = crate::formula::wrap_formula(attr.into());`
	`121`	`+ let expr = crate::formula::expand(attr.into());`
`122`	`122`	`let mut func = parse_macro_input!(item as FnItemWithSignature);`
`123`	`123`
`124`	`124`	`let (req_expr, ens_expr) = match extract_requires_ensures(&mut func) {`