[WIP] Invariants

[joshlf]

---

• 　  [WIP] Hermes.Std #2974
• 👉 [WIP] Invariants #2973
• 　  [WIP] Shadow crate + unsafe #2972
• 　  [WIP] Stitching engine #2971
• 　  [WIP] Parser + --allow-sorry #2969
• 　  [hermes] Initial commit #2968

Latest Update: v2 — Compare vs v1

📚 Full Patch History

Links show the diff between the row version and the column version.

Version	v1	Base
v2	vs v1	vs Base
v1		vs Base

⬇️ Download this PR

Branch

git fetch origin refs/heads/G2e56baadbd39a08c821418704f521a2cdd8d0e1f && git checkout -b pr-G2e56baadbd39a08c821418704f521a2cdd8d0e1f FETCH_HEAD

Checkout

git fetch origin refs/heads/G2e56baadbd39a08c821418704f521a2cdd8d0e1f && git checkout FETCH_HEAD

Cherry Pick

git fetch origin refs/heads/G2e56baadbd39a08c821418704f521a2cdd8d0e1f && git cherry-pick FETCH_HEAD

Pull

git pull origin refs/heads/G2e56baadbd39a08c821418704f521a2cdd8d0e1f

Stacked PRs enabled by GHerrit.

[gemini-code-assist]

Summary of Changes

Hello @joshlf, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces foundational support for defining and enforcing data structure invariants within the Hermes verification toolchain. By allowing users to specify invariants for Rust structs via doc comments, the system can now automatically generate corresponding Lean Verifiable instances. This enables the automatic injection of validity checks for function inputs and outputs, and propagates Verifiable constraints through generic types, significantly enhancing the formal verification capabilities for data integrity.

Highlights

• Struct Invariant Support: Introduced the ability to define and parse invariants for Rust structs using ///@ lean invariant doc comments, allowing for formal specification of data structure properties.
• Lean Verifiable Class Generation: Automatically generates a Verifiable Lean class and instances for primitive types and user-defined structs, incorporating their specified invariants into the formal model.
• Automatic Validity Checks: Injects Verifiable.is_valid checks for function arguments and return values in the generated Lean specifications, ensuring that data integrity is maintained across function boundaries.
• Generic Type Constraint Propagation: Ensures that generic type parameters in functions and structs are automatically constrained by the Verifiable class in the Lean output, extending invariant checking to generic code.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• tools/hermes/src/desugar.rs
  • Added automatic validity invariant checks for exposed binders (return values, final variables) in generated Lean function bodies.
• tools/hermes/src/parser.rs
  • Introduced ParsedStruct to represent structs and their invariants.
  • Updated parsing logic to extract ///@ lean invariant annotations from struct doc comments.
  • Modified ExtractedBlocks and SpecVisitor to handle struct information.
• tools/hermes/src/pipeline.rs
  • Extended the pipeline to collect and process struct definitions.
  • Generated the Verifiable Lean class and instances for primitive types.
  • Generated Verifiable instances for user-defined structs based on their parsed invariants, including support for generics.
  • Injected argument validity checks (Verifiable.is_valid) into generated Lean function signatures.
• tools/hermes/src/translator.rs
  • Added Verifiable constraints to generic type parameters during Lean signature translation.
• tools/hermes/tests/cases/success/generic_id.rs
  • Updated a proof tactic from simp to simp_all.
• tools/hermes/tests/cases/success/invariant.rs
  • Added a new test file demonstrating the usage and verification of struct invariants for both concrete and generic structs.
• tools/hermes/tests/cases/success/shadow_model.rs
  • Adjusted a proof call to safe_div_spec to include additional (by simp) arguments, likely due to new implicit validity requirements.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for struct invariants, a significant and valuable feature for the verification pipeline. The changes span from parsing new ///@ lean invariant annotations to generating Verifiable typeclass instances and injecting validity checks for function arguments and return values in the generated Lean code. The implementation is comprehensive, including new tests that validate the end-to-end functionality.

My review focuses on improving code maintainability and performance. I've identified a case of code duplication in the parser and an opportunity to use a more efficient string building pattern in the desugaring logic.

Overall, this is a great addition. Addressing the feedback will make the new code more robust and easier to maintain.

[gemini-code-assist]

This block of code for stripping prefixes from the joined invariant string is very similar to the logic on lines 141-152, which operates on the first line of an invariant. This duplication can be avoided by extracting the logic into a helper function. This would improve maintainability and reduce the chance of bugs if the logic needs to be updated in the future.

A single helper function could be used in both places to keep the parsing logic consistent and DRY (Don't Repeat Yourself).

[gemini-code-assist]

Calling format! inside a loop to build a string can be inefficient due to repeated memory allocations. A more idiomatic and performant approach is to use std::fmt::Write's write! macro, which appends to the string without creating intermediate String objects.

You'll need to add use std::fmt::Write; at the top of the file.

Suggested change

	for binder in binders {
	if binder != "_" {
	out.push_str(&format!(" /\\ Verifiable.is_valid {}", binder));
	}
	}
	for binder in binders {
	if binder != "_" {
	// The write! macro is more efficient here.
	write!(out, " /\\ Verifiable.is_valid {}", binder).unwrap();
	}
	}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (Gb85ad5e55a47c49ab2c049a2ec5972fc6d082e31@8f7e2d6). Learn more about missing BASE report.

Additional details and impacted files

@@                             Coverage Diff                              @@
##             Gb85ad5e55a47c49ab2c049a2ec5972fc6d082e31    #2973   +/-   ##
============================================================================
  Coverage                                             ?   92.02%           
============================================================================
  Files                                                ?       19           
  Lines                                                ?     6029           
  Branches                                             ?        0           
============================================================================
  Hits                                                 ?     5548           
  Misses                                               ?      481           
  Partials                                             ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.