Bug in the desugaring process of rel() when using ghost if #991
Description
Consider the following example code:
package exercises
// ##(--hyperMode extended --enableExperimentalHyperFeatures)
// @ requires rel(t,0)!= rel(t,1)
func relGhostIf(t uint64) {
/*@
ghost if rel(t,0) < rel(t,1){
assert true
} else{
assert true
}
@*/
}
When running this code, we will get the following error:
[info] An unknown Exception was thrown.
[info] java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.lang.RuntimeException: Unexpected expression rel(t_V0_CN0, 0) cannot be symbolically evaluated
[info] java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.lang.RuntimeException: Unexpected expression rel(t_V0_CN0, 0) cannot be symbolically evaluated
[info] at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
[info] at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
[info] at viper.silicon.Silicon.verify(Silicon.scala:205)
[info] at viper.silicon.Silicon.verify(Silicon.scala:163)
When looking into the SIF encoding, we can see that the code p1_0 and p3 are not correctly desugared, which leads to the following issues:
p1_0 := p1 && rel(t_V0_CN0, 0) < rel(t_V0_CN0, 1)
p2_0 := p2 && t_V0_CN0 < t_V0_CN0_0
p3 := p1 && !(rel(t_V0_CN0, 0) < rel(t_V0_CN0, 1))
p4 := p2 && !(t_V0_CN0 < t_V0_CN0_0)
The correct workaround consists of the following: we force rel(t, 0) and rel(t, 1) to be desugared first, and then compare them using ghost functions.
package exercises
// ##(--hyperMode extended --enableExperimentalHyperFeatures)
// @ requires rel(t,0)!= rel(t,1)
func relGhostIf(t uint64) {
/*@
ghost var t0 uint64 = rel(t,0)
ghost var t1 uint64 = rel(t,1)
ghost if t0 < t1{
assert true
} else{
assert true
}
@*/
}