Refactor ecPhlConseq.ml: restructure, deduplicate, document, and annotate#965
Open
Refactor ecPhlConseq.ml: restructure, deduplicate, document, and annotate#965
Conversation
strub
added
chore
…tate
- Split the ~500-line monolithic t_hi_conseq dispatcher into 8
per-goal-type functions (hoareS/F, bdHoareS/F, ehoareS/F, equivS/F)
with a thin top-level dispatcher
- Extract shared helpers (t_hi_trivial, t_hi_apply_r, etc.) to module
level
- Unify three identical gen_conseq_nm variants into a single polymorphic
one
- Factor shared proof-term processing pipeline into process_conseq_core;
rename process_conseq_1/2 to process_conseq_hs/ss for clarity
- Extract cond_F_notmod_core / cond_S_notmod_core shared helpers,
reducing cond_{hoare,bdHoare}{F,S}_notmod to 3-line wrappers
- Remove unnecessary ~recurse indirection from equivS/equivF dispatchers
(make them directly recursive instead)
- Introduce hi_arg type alias and add type annotations to all top-level
functions
- Add inference-rule comments to every goal-closing tactic and document
the processing pipeline, naming conventions, and section structure
strub
changed the title
Gustavo2622
reviewed
Apr 7, 2026
| * —————————————————————————————————————————————————————————— | ||
| * ehoare[f] P ==> Q | ||
| * | ||
| * Note: for ehoare, the direction is reversed (xreal_le) compared |
Contributor
There was a problem hiding this comment.
Somewhat confusing comment, I would suggest "xreal_le (<=) is the ehoare analogue of implication (=>)"
Gustavo2622
reviewed
Apr 7, 2026
| let t_bdHoareF_conseq pre post tc = | ||
| (* bdHoareF consequence rule: | ||
| * | ||
| * ∀m, P m ⇒ P' m ∀m, Q' m ⇒/⇔ Q m phoare[f] P' ==> Q' cmp bd |
Contributor
There was a problem hiding this comment.
Minor: missing one of the directions for postcondition implication
Gustavo2622
reviewed
Apr 7, 2026
| (* t_*_conseq_nm: combines notmod with consequence *) | ||
| (* -------------------------------------------------------------------- *) | ||
|
|
||
| let mk_bind_pvar (m : memory) (id,_) (x, ty) = |
Contributor
There was a problem hiding this comment.
Maybe move utility functions to other file?
Gustavo2622
reviewed
Apr 7, 2026
| let mk_bind_globs (env : env) (m : memory) (bd1,bd2) = | ||
| List.map2 (mk_bind_glob env m) bd1 bd2 | ||
|
|
||
| let cond_equivF_notmod ?(mk_other=false) (tc : tcenv1) (cond : ts_inv) = |
Contributor
There was a problem hiding this comment.
Add small description of notmod condition
Gustavo2622
reviewed
Apr 7, 2026
| let t_equivF_notmod post tc = | ||
| (* equivF notmod rule: | ||
| * | ||
| * ∀ml mr, P ml mr ⇒ ∀res_L res_R modified_vars, Q' ml mr ⇒ Q ml mr |
Contributor
There was a problem hiding this comment.
Slightly unclear term separation, quantifier bindings and what modified_vars is here
Gustavo2622
reviewed
Apr 7, 2026
| let f = hf.hf_f in | ||
| let mpr,mpo = Fun.hoareF_memenv hf.hf_m f env in | ||
| (* Shared core for F-level notmod: substitutes the result variable, *) | ||
| (* generalizes over modified variables, quantifies over the result, *) |
Contributor
There was a problem hiding this comment.
Maybe be a bit clearer on what the result of this function is? (return type + what holds over the return objects)
Gustavo2622
reviewed
Apr 7, 2026
| (* hoareF notmod rule: | ||
| * | ||
| * ∀m, P m ⇒ ∀res modified_vars, Q' m ⇒ Q m [∧ Qe] | ||
| * hoare[f] P ==> Q'[/Qe'] |
Gustavo2622
reviewed
Apr 7, 2026
| let t_bdHoareF_notmod post tc = | ||
| (* bdHoareF notmod rule: | ||
| * | ||
| * ∀m, P m ⇒ ∀res modified_vars, Q' m ⇒/⇔ Q m |
Contributor
There was a problem hiding this comment.
Same as above, slightly unclear
Gustavo2622
reviewed
Apr 7, 2026
|
|
||
| (* -------------------------------------------------------------------- *) | ||
| let t_ehoareF_conseq_nm pre post tc = | ||
| let t_ehoareF_conseq_nm (pre : ss_inv) (post : ss_inv) (tc : tcenv1) = |
Contributor
There was a problem hiding this comment.
Suggestion: maybe move above concavity to group not mod rules? Results in a bigger diff but better organization
Gustavo2622
reviewed
Apr 7, 2026
| * hoare[c] P ==> post phoare[c] P ==> post' ∧ post cmp bd | ||
| * ————————————————————————————————————————————————————————————— | ||
| * phoare[c] P ==> post' cmp bd | ||
| * |
Contributor
There was a problem hiding this comment.
Difference between add=false and add=true unclear
Gustavo2622
reviewed
Apr 7, 2026
|
|
||
| let t_ehoareF_conseq_equiv f2 p q p2 q2 tc = | ||
| (* ehoareF via equivalence: similar to hoareF but with xreal ordering. | ||
| * cond1: ∀m1, ∃m2, P1 m1 = ⊥ ∨ (P m1 m2 ∧ P2 m2 ≤ P1 m1) |
Gustavo2622
reviewed
Apr 7, 2026
| let t_apply_r (pt, _f) tc = | ||
| match pt with | ||
| | Some pt -> EcLowGoal.Apply.t_apply_bwd_hi ~dpe:true pt tc | ||
| let t_hi_trivial = |
Contributor
There was a problem hiding this comment.
Move helper + print functions? From here to L1333
Gustavo2622
reviewed
Apr 7, 2026
| (* ehoareF via equivalence: similar to hoareF but with xreal ordering. | ||
| * cond1: ∀m1, ∃m2, P1 m1 = ⊥ ∨ (P m1 m2 ∧ P2 m2 ≤ P1 m1) | ||
| * cond2: ∀m1 m2, Q m1 m2 ⇒ Q1 m1 ≤ Q2 m2 *) | ||
| let t_ehoareF_conseq_equiv |
Contributor
There was a problem hiding this comment.
Missing ehoareS version?
Gustavo2622
reviewed
Apr 7, 2026
| (* Supported combinations (goal / f1 / f2 / f3): *) | ||
| (* bdhoareF / bdhoareF / ⊥ / ⊥ — consequence with bound change *) | ||
| (* bdhoareF / bdhoareF / hoareF / ⊥ — conjunction with hoare side-cond *) | ||
| (* bdhoareF / equivF / bdhoareF/ _ — transitivity via equiv *) |
Contributor
There was a problem hiding this comment.
Also no transitivity for S?
Gustavo2622
reviewed
Apr 7, 2026
| (* *) | ||
| (* Supported combinations (goal / f1 / f2 / f3): *) | ||
| (* equivS / equivS / ⊥ / ⊥ — simple consequence *) | ||
| (* equivS / equivS / hoareS / hoareS — conjunction (L+R+rel) *) |
Gustavo2622
reviewed
Apr 7, 2026
| (* *) | ||
| (* Supported combinations (goal / f1 / f2 / f3): *) | ||
| (* equivF / equivF / ⊥ / ⊥ — simple consequence *) | ||
| (* equivF / equivF / hoareF / hoareF — conjunction (L+R+rel) *) |
Contributor
There was a problem hiding this comment.
Same as above, rel + L + R?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
per-goal-type functions (hoareS/F, bdHoareS/F, ehoareS/F, equivS/F)
with a thin top-level dispatcher
level
one
rename process_conseq_1/2 to process_conseq_hs/ss for clarity
reducing cond_{hoare,bdHoare}{F,S}_notmod to 3-line wrappers
(make them directly recursive instead)
functions
the processing pipeline, naming conventions, and section structure