Strange interaction between framing, preconditions, and conditionals #216
Description
test4 fails and the only difference with test2 is that it contains an irrelevant framed assertion ff xx
module MemCpy
open Steel.Memory
open Steel.Effect
open Steel.Effect.Atomic
module U32 = FStar.UInt32
#push-options "--ide_id_info_off"
#push-options "--max_fuel 0 --max_ifuel 0"
let fst = fst
let snd = snd
assume
val array (t:Type0) : Type0
let contents (t:Type0) = Seq.seq t
let length #t (c:contents t) = Seq.length c
assume
val is_array (#t:_) (x:array t) (c:contents t) : slprop u#1
assume
val split (#t:Type) (#r:contents t) (a:array t) (i:U32.t { U32.v i <= length r})
: SteelT (array t & array t)
(is_array a r)
(fun lr ->
let s = Seq.split r (U32.v i) in
is_array (fst lr) (fst s) `star` is_array (snd lr) (snd s))
let test1 (a:Type) (len:U32.t { U32.v len > 0 })
(v0:contents a { length v0 == U32.v len })
(src:array a)
: SteelT unit
(is_array src v0)
(fun _ -> emp)
= let x = split src 1ul in
sladmit()
let test2 (a:Type) (len:U32.t)
(v0:contents a { length v0 == U32.v len })
(src:array a)
: SteelT unit
(is_array src v0)
(fun _ -> emp)
= if len = 0ul
then (noop(); sladmit())
else (
let x = split src 1ul in
sladmit()
)
assume
val t : Type0
assume
val ff (x:t) : slprop u#1
let test3 (a:Type) (len:U32.t { U32.v len > 0 })
(v0:contents a { length v0 == U32.v len })
(src:array a) (xx:t)
: SteelT unit
(is_array src v0 `star` ff xx)
(fun _ -> emp)
= let x = split src 1ul in
sladmit()
let test4 (a:Type) (len:U32.t)
(v0:contents a { length v0 == U32.v len })
(src:array a) (xx:t)
: SteelT unit
(is_array src v0 `star` ff xx)
(fun _ -> emp)
= if len = 0ul
then (noop(); sladmit())
else (let x = split src 1ul in
sladmit())