Laurel: test the modifies frame

Jules · Jules · commit d5ece2c83765 · 2026-06-19T15:53:45.000-07:00
Structural #guards that the enumerated frame is quantifier-free while the
pointwise frame is not (ModifiesFrameQuantifierFreeTest), the array-theory path
including allocating bodies (T2c), and a perf/completeness regression for a
chained spec procedure (T2e).
diff --git a/StrataTest/Languages/Laurel/Examples/Objects/T2c_ModifiesClausesArrayTheory.lean b/StrataTest/Languages/Laurel/Examples/Objects/T2c_ModifiesClausesArrayTheory.lean
@@ -0,0 +1,112 @@
+/-
+  Copyright Strata Contributors
+
+  SPDX-License-Identifier: Apache-2.0 OR MIT
+-/
+
+/-
+Under `--use-array-theory`, the `ModifiesClauses` pass emits a quantifier-free
+heap-equation frame —
+  `data!($heap) == update(data!(old), ref, select(data!($heap), ref))`
+— instead of the `forall obj fld. notModified(obj) ==> readField(old) == readField(new)`
+form. The same procedures must verify under either encoding; this pins the
+array-theory path. Mirrors `T2_ModifiesClauses` but with `useArrayTheory := true`.
+-/
+
+import StrataTest.Util.TestLaurel
+
+open StrataTest.Util
+open Strata
+
+#eval testLaurel
+    (options := { defaultLaurelTestOptions with
+      translateOptions := { defaultLaurelTestOptions.translateOptions with useArrayTheory := true },
+      verifyOptions := { defaultLaurelTestOptions.verifyOptions with useArrayTheory := true } }) <|
+#strata
+program Laurel;
+composite Container {
+  var value: int
+}
+
+procedure modifyContainerOpaque(c: Container) returns (b: bool)
+  opaque
+  modifies c
+{
+  c#value := c#value + 1;
+  true
+};
+
+procedure caller()
+  opaque
+{
+  var c: Container := new Container;
+  var d: Container := new Container;
+  var x: int := d#value;
+  var b: bool := modifyContainerOpaque(c);
+  assert x == d#value // pass: d#value is preserved (d ∉ modifies)
+};
+
+procedure multipleModifiesClauses(c: Container, d: Container, e: Container)
+  opaque
+  modifies c
+  modifies d
+;
+
+procedure multipleModifiesClausesCaller()
+  opaque
+{
+  var c: Container := new Container;
+  var d: Container := new Container;
+  var e: Container := new Container;
+  var x: int := e#value;
+  multipleModifiesClauses(c, d, e);
+  assert x == e#value // pass: e is preserved (not in the modifies set)
+};
+
+procedure newObjectDoNotCountForModifies()
+  opaque
+{
+  var c: Container := new Container;
+  c#value := 1
+};
+
+// Regression: an allocating body verifies under array theory (bodies use the pointwise frame).
+procedure allocatesInModifiesBody(c: Container) returns (b: bool)
+  opaque
+  modifies c
+{
+  c#value := c#value + 1;
+  var t: Container := new Container;
+  t#value := 99;
+  true
+};
+
+// Regression: a body that allocates via a CALL still verifies (the callee
+// newObjectDoNotCountForModifies grows the heap); the pointwise frame tolerates it.
+procedure allocatesViaCall(c: Container) returns (b: bool)
+  opaque
+  modifies c
+{
+  c#value := c#value + 1;
+  newObjectDoNotCountForModifies();
+  true
+};
+
+// Soundness: writes outside the modifies clause are still rejected.
+
+procedure modifyContainerWithoutPermission2(c: Container, d: Container)
+//        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ error: modifies clause does not hold
+  opaque
+  modifies d
+{
+    c#value := 2
+};
+
+procedure modifyContainerWithoutPermission3(c: Container, d: Container)
+//        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ error: modifies clause could not be proved
+  opaque
+  modifies d
+{
+    var i: bool := modifyContainerOpaque(c)
+};
+#end
diff --git a/StrataTest/Languages/Laurel/Examples/Objects/T2e_ModifiesArrayTheoryPerf.lean b/StrataTest/Languages/Laurel/Examples/Objects/T2e_ModifiesArrayTheoryPerf.lean
@@ -0,0 +1,121 @@
+/-
+  Copyright Strata Contributors
+
+  SPDX-License-Identifier: Apache-2.0 OR MIT
+-/
+
+/-
+Perf / regression: the array-theory frame is not merely faster, it is more
+complete on heap-heavy code.
+
+`stress` makes a deep chain of opaque heap-modifying calls on freshly allocated
+objects, then asserts that an object allocated *before* the chain is untouched.
+
+  - Under the `∀` frame (array theory off) the solver cannot instantiate the
+    quantified frame across the whole chain: the assertion "could not be proved".
+    This is a definite verdict in ~2s, not a wall-clock timeout.
+  - Under the quantifier-free frame (`--use-array-theory`) the same assertion
+    verifies: each step is a `store` on a single row, so the read of the
+    untouched object is a pure array rewrite with nothing to instantiate.
+
+The two blocks are identical apart from `useArrayTheory`.
+
+Note: the `∀` outcome depends on the SMT solver's quantifier heuristics. If a
+future solver discharges it, the annotation below must be updated.
+-/
+
+import StrataTest.Util.TestLaurel
+
+open StrataTest.Util
+open Strata
+
+-- ∀ frame (array theory off): the chain defeats quantifier instantiation.
+#eval testLaurel
+    (options := { defaultLaurelTestOptions with
+      translateOptions := { defaultLaurelTestOptions.translateOptions with useArrayTheory := false },
+      verifyOptions := { defaultLaurelTestOptions.verifyOptions with useArrayTheory := false } }) <|
+#strata
+program Laurel;
+composite Container {
+  var value: int
+}
+
+procedure modifyOne(c: Container)
+  opaque
+  modifies c;
+
+procedure stress()
+  opaque
+  modifies *
+{
+  var target: Container := new Container;
+  var x: int := target#value;
+  var c0: Container := new Container; modifyOne(c0);
+  var c1: Container := new Container; modifyOne(c1);
+  var c2: Container := new Container; modifyOne(c2);
+  var c3: Container := new Container; modifyOne(c3);
+  var c4: Container := new Container; modifyOne(c4);
+  var c5: Container := new Container; modifyOne(c5);
+  var c6: Container := new Container; modifyOne(c6);
+  var c7: Container := new Container; modifyOne(c7);
+  var c8: Container := new Container; modifyOne(c8);
+  var c9: Container := new Container; modifyOne(c9);
+  var c10: Container := new Container; modifyOne(c10);
+  var c11: Container := new Container; modifyOne(c11);
+  var c12: Container := new Container; modifyOne(c12);
+  var c13: Container := new Container; modifyOne(c13);
+  var c14: Container := new Container; modifyOne(c14);
+  var c15: Container := new Container; modifyOne(c15);
+  var c16: Container := new Container; modifyOne(c16);
+  var c17: Container := new Container; modifyOne(c17);
+  var c18: Container := new Container; modifyOne(c18);
+  var c19: Container := new Container; modifyOne(c19);
+  assert x == target#value
+//^^^^^^^^^^^^^^^^^^^^^^^^ error: assertion could not be proved
+};
+#end
+
+-- Quantifier-free frame (--use-array-theory): the same program verifies.
+#eval testLaurel
+    (options := { defaultLaurelTestOptions with
+      translateOptions := { defaultLaurelTestOptions.translateOptions with useArrayTheory := true },
+      verifyOptions := { defaultLaurelTestOptions.verifyOptions with useArrayTheory := true } }) <|
+#strata
+program Laurel;
+composite Container {
+  var value: int
+}
+
+procedure modifyOne(c: Container)
+  opaque
+  modifies c;
+
+procedure stress()
+  opaque
+  modifies *
+{
+  var target: Container := new Container;
+  var x: int := target#value;
+  var c0: Container := new Container; modifyOne(c0);
+  var c1: Container := new Container; modifyOne(c1);
+  var c2: Container := new Container; modifyOne(c2);
+  var c3: Container := new Container; modifyOne(c3);
+  var c4: Container := new Container; modifyOne(c4);
+  var c5: Container := new Container; modifyOne(c5);
+  var c6: Container := new Container; modifyOne(c6);
+  var c7: Container := new Container; modifyOne(c7);
+  var c8: Container := new Container; modifyOne(c8);
+  var c9: Container := new Container; modifyOne(c9);
+  var c10: Container := new Container; modifyOne(c10);
+  var c11: Container := new Container; modifyOne(c11);
+  var c12: Container := new Container; modifyOne(c12);
+  var c13: Container := new Container; modifyOne(c13);
+  var c14: Container := new Container; modifyOne(c14);
+  var c15: Container := new Container; modifyOne(c15);
+  var c16: Container := new Container; modifyOne(c16);
+  var c17: Container := new Container; modifyOne(c17);
+  var c18: Container := new Container; modifyOne(c18);
+  var c19: Container := new Container; modifyOne(c19);
+  assert x == target#value
+};
+#end
diff --git a/StrataTest/Languages/Laurel/ModifiesFrameQuantifierFreeTest.lean b/StrataTest/Languages/Laurel/ModifiesFrameQuantifierFreeTest.lean
@@ -0,0 +1,34 @@
+/-
+  Copyright Strata Contributors
+
+  SPDX-License-Identifier: Apache-2.0 OR MIT
+-/
+
+/-
+Structural check, independent of the solver: the enumerated modifies frame
+(`buildEnumeratedFrame`) must contain no quantifier, so there is nothing for the
+solver to instantiate. The `∀`-based frame it replaces (`buildPointwiseFrame`)
+does contain one; asserting both pins the property and shows the check
+discriminates between the two encodings.
+-/
+
+import Strata.Languages.Laurel.ModifiesClauses
+
+open Strata.Laurel
+
+namespace StrataTest.Laurel.ModifiesFrameQuantifierFree
+
+private def selfRef : StmtExprMd := { val := .Var (.Local "self"), source := none }
+private def heapIn  : StmtExprMd := { val := .Var (.Local "$heap_in"), source := none }
+private def heapOut : StmtExprMd := { val := .Var (.Local "$heap"), source := none }
+private def singleRefModifies : List ModifiesEntry := [.single selfRef]
+
+/-- Whether the (pretty-printed) frame mentions a quantifier. -/
+private def hasQuantifier (e : StmtExprMd) : Bool :=
+  let s := reprStr e
+  (s.splitOn "forall").length > 1 || (s.splitOn "exists").length > 1
+
+#guard !hasQuantifier (buildEnumeratedFrame default singleRefModifies heapIn heapOut)
+#guard  hasQuantifier (buildPointwiseFrame   default singleRefModifies heapIn heapOut)
+
+end StrataTest.Laurel.ModifiesFrameQuantifierFree
