Skip to content

QP-related incompleteness #923

Closed
Closed
QP-related incompleteness#923
@marcoeilers

Description

@marcoeilers
marcoeilers
opened on May 20, 2025

The final assertion in the following program does not verify in Silicon, but should (and does in Carbon):

field f: Int

predicate Mem(x: Ref)
{
    acc(x.f) && 0 <= x.f
}

predicate nothing() {
  forall r: Ref :: false ==> acc(r.f, 1/2)
}

function recurse(x: Ref): Int
requires nothing()
requires acc(x.f, 1/2) 
requires acc(Mem(x), wildcard)
{
    (unfolding nothing() in 0) + (unfolding acc(Mem(x), wildcard) in (x.f))
}

method fooUnsound(x: Ref)
requires nothing()
requires acc(Mem(x), 1/2)
requires acc(x.f, 1/2)
requires x.f == 0
ensures  acc(Mem(x), 1/2)
{

    var oldResult: Int := recurse(x)
    assert oldResult == 0 // fails
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions