-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(Re)introduce Invariant
trait
#3190
Conversation
The PR is ready for review. Question: Since we're considering checking automatically these invariants at some level in the future, would it make sense to warn Kani users in the release notes? |
Invariant
traitInvariant
trait
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Btw, great documentation. Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is such a great addition. In the future, we could have something like safe_any()
, which would return non-deterministic values that automatically assume the safety invariants of a type.
This PR reintroduces the `Invariant` trait as a mechanism for the specification of type safety invariants. The trait is defined in the Kani library where we also provide `Invariant` implementations for primitive types. In contrast to the previous `Invariant` trait, this version doesn't require the `Arbitrary` bound (i.e., it has the same requirements as `Arbitrary`). This way, the user isn't required to provide an `Arbitrary` implementation in addition to the `Invariant` one. Related model-checking#3095
This PR reintroduces the
Invariant
trait as a mechanism for the specification of type safety invariants. The trait is defined in the Kani library where we also provideInvariant
implementations for primitive types.In contrast to the previous
Invariant
trait, this version doesn't require theArbitrary
bound (i.e., it has the same requirements asArbitrary
). This way, the user isn't required to provide anArbitrary
implementation in addition to theInvariant
one.Related #3095
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.