[WIP] Stitching engine

[joshlf]

---

• 　  [WIP] Hermes.Std #2974
• 　  [WIP] Invariants #2973
• 　  [WIP] Shadow crate + unsafe #2972
• 👉 [WIP] Stitching engine #2971
• 　  [WIP] Parser + --allow-sorry #2969
• 　  [hermes] Initial commit #2968

Latest Update: v4 — Compare vs v3

📚 Full Patch History

Links show the diff between the row version and the column version.

Version	v3	v2	v1	Base
v4	vs v3	vs v2	vs v1	vs Base
v3		vs v2	vs v1	vs Base
v2			vs v1	vs Base
v1				vs Base

⬇️ Download this PR

Branch

git fetch origin refs/heads/G443fc7f8c3623131b48be56a7a16935a9fe8f234 && git checkout -b pr-G443fc7f8c3623131b48be56a7a16935a9fe8f234 FETCH_HEAD

Checkout

git fetch origin refs/heads/G443fc7f8c3623131b48be56a7a16935a9fe8f234 && git checkout FETCH_HEAD

Cherry Pick

git fetch origin refs/heads/G443fc7f8c3623131b48be56a7a16935a9fe8f234 && git cherry-pick FETCH_HEAD

Pull

git pull origin refs/heads/G443fc7f8c3623131b48be56a7a16935a9fe8f234

Stacked PRs enabled by GHerrit.

[gemini-code-assist]

Summary of Changes

Hello @joshlf, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant refactoring and enhancement to the Hermes tool's ability to "stitch" Rust code with Lean proofs. It establishes a new desugaring engine that interprets a more expressive specification language for Rust functions, allowing users to define requires and ensures clauses, and automatically generating the corresponding Lean theorem structure, including handling stateful function transformations. This change streamlines the process of translating Rust function signatures and specifications into verifiable Lean theorems, making the integration more robust and user-friendly.

Highlights

• New Specification Desugaring Engine: Introduced desugar.rs to process user-defined Lean specifications, supporting requires and ensures clauses, and automatically generating Lean quantifiers and forward/backward checks for stateful functions.
• Improved Rust-to-Lean Signature Translation: A new translator.rs module handles the conversion of Rust generics and function arguments into Lean-compatible signatures, including detection of stateful functions.
• Refactored Lean Theorem Generation: The pipeline.rs now leverages the new desugaring and translation modules to construct Lean theorems more robustly, moving away from direct string manipulation of spec bodies.
• Simplified ParsedFunction Representation: The parser.rs was updated to store syn::Signature directly, streamlining the representation of parsed Rust functions.
• Enhanced Spec Syntax in Tests: Existing test cases were updated to use the new ensures |ret| ... syntax, demonstrating the improved expressiveness of the specification language.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• tools/hermes/src/desugar.rs
  • Added new module for desugaring user-defined Lean specifications.
  • Implements parsing of requires and ensures clauses.
  • Generates Lean exists quantifiers, forward (_fwd) and backward (_back) checks for function calls.
  • Includes logic for handling stateful functions and their corresponding Lean transformations.
• tools/hermes/src/lib.rs
  • Exposed desugar and translator modules.
• tools/hermes/src/main.rs
  • Added std::fs::create_dir_all(&dest)?; to ensure output directory exists before writing.
• tools/hermes/src/orchestration.rs
  • Added cmd.env_remove("CARGO_TARGET_DIR"); to run_charon to prevent potential cargo deadlocks.
• tools/hermes/src/parser.rs
  • Refactored ParsedFunction to use syn::Signature for function signatures.
  • Updated spec visitor to handle @ lean model comments as specifications.
  • Removed redundant fn_name stripping logic during spec parsing.
  • Added a new test case test_parse_add_mod.
• tools/hermes/src/pipeline.rs
  • Integrated desugar::desugar_spec and translator::SignatureTranslator for Lean theorem generation.
  • Simplified get_crate_name logic by removing unnecessary comments.
  • Adjusted stitch_user_proofs to correctly identify and process .rs source files.
  • Rewrote generate_lean_file to use the new desugaring and translation logic, generating Lean namespace instead of open.
  • Removed extract_generics_context as its functionality is now in translator.rs.
• tools/hermes/src/translator.rs
  • Added new module SignatureTranslator for converting Rust generics and function arguments to Lean.
  • Implemented translate_generics to produce Lean-compatible generic contexts.
  • Implemented detect_statefulness to identify functions with mutable references.
• tools/hermes/tests/cases/failure/checked_add_sorry.rs
  • Updated lean spec syntax from : ∃ ret, ... to ensures |ret| ....
• tools/hermes/tests/cases/failure/incorrect_proof.rs
  • Updated lean spec syntax from : ∃ ret, ... to ensures |ret| ....
• tools/hermes/tests/cases/failure/missing_proof.rs
  • Updated lean spec syntax from : ∃ ret, ... to ensures |ret| ....
• tools/hermes/tests/cases/failure/syntax_error_in_spec.rs
  • Updated lean spec syntax from : ∃ ret, ... to ensures |ret| ....
• tools/hermes/tests/cases/failure/unchecked_wrapper_sorry.rs
  • Updated lean spec syntax from : ∃ ret, ... to ensures |ret| ....
• tools/hermes/tests/cases/success/add.rs
  • Updated lean spec syntax from : ∃ ret, ... to ensures |ret| ....
• tools/hermes/tests/cases/success/add_mod.rs
  • Added new test case demonstrating requires and ensures syntax.
• tools/hermes/tests/cases/success/generic_id.rs
  • Updated lean spec syntax from : generic_id.id x = ok x to ensures |ret| ret = x.

Activity

• This pull request is marked as '[WIP]', indicating it is still under active development.
• The description mentions it is part of a stacked PR series, suggesting ongoing work and dependencies on other related changes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a "stitching engine" to translate user-provided specs in Rust doc comments into Lean theorems. This is a significant feature that simplifies the spec syntax for users to a more intuitive ensures |...| format. The implementation involves adding new desugar and translator modules, and refactoring the parser and pipeline to integrate this new logic. The changes are well-structured. My review includes a couple of suggestions to improve the quality of the generated Lean code and to fix a test case that wasn't correctly testing the new functionality.

[gemini-code-assist]

This test is currently calling syn::parse_file, which only checks if the provided string is valid Rust syntax. It doesn't test any of the spec extraction logic in this module.

To make this test effective, it should call extract_blocks and assert that the specs and proofs are parsed correctly.

        let res = extract_blocks(content);
        if let Err(e) = &res {
            println!("Error: {}", e);
        }
        assert!(res.is_ok());
        assert_eq!(res.unwrap().functions.len(), 1);

[gemini-code-assist]

The current logic for generating quantifiers can produce a redundant exists clause if a binder is _. For example, if the first binder is _, this loop generates exists _, ... and then the forward check generates exists v, ..., resulting in exists _, exists v, .... This is valid Lean syntax, but it's redundant and can be simplified.

To improve the generated code, let's collect only the named binders and generate a single exists clause for them. The forward check already handles the _ case for the return value by introducing its own existential quantifier.

    let named_binders: Vec<_> = binders.iter().filter(|s| s.as_str() != "_").collect();
    if !named_binders.is_empty() {
        out.push_str("exists");
        for b in named_binders {
            out.push_str(" ");
            out.push_str(b);
        }
        out.push_str(",\n  ");
    }

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (G101266ed5cfc0fe74d16aaae0785d9622e8da5be@fc5689c). Learn more about missing BASE report.

Additional details and impacted files

@@                             Coverage Diff                              @@
##             G101266ed5cfc0fe74d16aaae0785d9622e8da5be    #2971   +/-   ##
============================================================================
  Coverage                                             ?   92.02%           
============================================================================
  Files                                                ?       19           
  Lines                                                ?     6029           
  Branches                                             ?        0           
============================================================================
  Hits                                                 ?     5548           
  Misses                                               ?      481           
  Partials                                             ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.