Enforce spec validation by default, fixes #14

FedericoPonzi · FedericoPonzi · commit c13fe2ab3331 · 2026-02-09T18:19:23.000Z
diff --git a/src/main/java/me/fponzi/tlaplusformatter/AstComparator.java b/src/main/java/me/fponzi/tlaplusformatter/AstComparator.java
@@ -0,0 +1,183 @@
+package me.fponzi.tlaplusformatter;
+
+import tla2sany.st.TreeNode;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Compares two SANY parse trees for structural equivalence.
+ * Used to verify that formatting preserves the AST structure.
+ */
+public final class AstComparator {
+
+    private AstComparator() {}
+
+    /**
+     * Result of an AST comparison. Contains mismatch details if the trees differ.
+     */
+    public static final class Result {
+        private final boolean match;
+        private final String description;
+        private final List<String> nodePath;
+
+        private Result(boolean match, String description, List<String> nodePath) {
+            this.match = match;
+            this.description = description;
+            this.nodePath = nodePath;
+        }
+
+        /** Creates a failure result for cases where re-parsing itself fails. */
+        public Result(String description) {
+            this(false, description, Collections.emptyList());
+        }
+
+        static Result ok() {
+            return new Result(true, null, Collections.emptyList());
+        }
+
+        static Result mismatch(String description, List<String> path) {
+            return new Result(false, description, path);
+        }
+
+        public boolean isMatch() {
+            return match;
+        }
+
+        public String getDescription() {
+            return description;
+        }
+
+        /** Path from root to the mismatched node, e.g. ["Module", "OpDef", "InfixExpr"]. */
+        public List<String> getNodePath() {
+            return Collections.unmodifiableList(nodePath);
+        }
+
+        public String formatDiagnostic() {
+            if (match) return "ASTs match.";
+            StringBuilder sb = new StringBuilder();
+            sb.append("AST verification failed:\n");
+            sb.append("  ").append(description).append("\n");
+            sb.append("  Node path: ").append(String.join(" -> ", nodePath)).append("\n");
+            return sb.toString();
+        }
+    }
+
+    /**
+     * Compare two parse trees for structural equivalence.
+     * Compares node kinds, zero/one children, and pre-comments.
+     */
+    public static Result compare(TreeNode original, TreeNode formatted) {
+        List<String> path = new ArrayList<>();
+        return compareRecursive(original, formatted, path);
+    }
+
+    private static Result compareRecursive(TreeNode n1, TreeNode n2, List<String> path) {
+        String nodeLabel = nodeLabel(n1);
+        path.add(nodeLabel);
+
+        // Compare zero() children
+        if (n1.zero() != null) {
+            if (n2.zero() == null) {
+                return Result.mismatch(
+                        "Node zero[] is null in formatted AST but not in original. Node: " + n1.getImage(),
+                        new ArrayList<>(path));
+            }
+            if (n1.zero().length != n2.zero().length) {
+                return Result.mismatch(
+                        "Node zero[] length mismatch: expected " + n1.zero().length
+                                + " but found " + n2.zero().length
+                                + ". Node: " + n1.getImage(),
+                        new ArrayList<>(path));
+            }
+            for (int i = 0; i < n1.zero().length; i++) {
+                Result childResult = compareRecursive(n1.zero()[i], n2.zero()[i], path);
+                if (!childResult.isMatch()) {
+                    return childResult;
+                }
+            }
+        }
+
+        // Compare one() children
+        if (n1.one() != null) {
+            if (n2.one() == null) {
+                return Result.mismatch(
+                        "Node one[] is null in formatted AST but not in original. Node: " + n1.getImage(),
+                        new ArrayList<>(path));
+            }
+            if (n1.one().length != n2.one().length) {
+                return Result.mismatch(
+                        "Node one[] length mismatch: expected " + n1.one().length
+                                + " but found " + n2.one().length
+                                + ". Node: " + n1.getImage(),
+                        new ArrayList<>(path));
+            }
+            for (int i = 0; i < n1.one().length; i++) {
+                Result childResult = compareRecursive(n1.one()[i], n2.one()[i], path);
+                if (!childResult.isMatch()) {
+                    return childResult;
+                }
+            }
+        }
+
+        // Compare pre-comments
+        Result commentResult = compareComments(n1, n2, path);
+        if (!commentResult.isMatch()) {
+            return commentResult;
+        }
+
+        // Compare node kind
+        if (n1.getKind() != n2.getKind()) {
+            return Result.mismatch(
+                    "Node kind mismatch: expected " + n1.getKind() + " (" + n1.getImage() + ")"
+                            + " but found " + n2.getKind() + " (" + n2.getImage() + ")",
+                    new ArrayList<>(path));
+        }
+
+        path.remove(path.size() - 1);
+        return Result.ok();
+    }
+
+    private static Result compareComments(TreeNode n1, TreeNode n2, List<String> path) {
+        boolean has1 = n1.getPreComments() != null && n1.getPreComments().length > 0;
+        boolean has2 = n2.getPreComments() != null && n2.getPreComments().length > 0;
+        if (has1 != has2) {
+            return Result.mismatch(
+                    "Comment presence mismatch on node: " + n1.getHumanReadableImage()
+                            + ". Expected comments: " + has1 + ", found: " + has2,
+                    new ArrayList<>(path));
+        }
+        if (has1) {
+            if (n1.getPreComments().length != n2.getPreComments().length) {
+                return Result.mismatch(
+                        "Comment count mismatch on node: " + n1.getHumanReadableImage()
+                                + ". Expected " + n1.getPreComments().length
+                                + " but found " + n2.getPreComments().length,
+                        new ArrayList<>(path));
+            }
+            for (int i = 0; i < n1.getPreComments().length; i++) {
+                if (!n1.getPreComments()[i].equals(n2.getPreComments()[i])) {
+                    return Result.mismatch(
+                            "Comment content mismatch on node: " + n1.getHumanReadableImage()
+                                    + ". Expected: \"" + n1.getPreComments()[i]
+                                    + "\" but found: \"" + n2.getPreComments()[i] + "\"",
+                            new ArrayList<>(path));
+                }
+            }
+        }
+        return Result.ok();
+    }
+
+    private static String nodeLabel(TreeNode node) {
+        String hri = node.getHumanReadableImage();
+        if (hri != null && !hri.isEmpty()) {
+            return hri + " (kind=" + node.getKind() + ")";
+        }
+        String image = node.getImage();
+        if (image != null && !image.isEmpty()) {
+            return image + " (kind=" + node.getKind() + ")";
+        }
+        return "kind=" + node.getKind();
+    }
+}
diff --git a/src/main/java/me/fponzi/tlaplusformatter/Main.java b/src/main/java/me/fponzi/tlaplusformatter/Main.java
@@ -1,6 +1,7 @@
 package me.fponzi.tlaplusformatter;
 
 import ch.qos.logback.classic.LoggerContext;
+import me.fponzi.tlaplusformatter.exceptions.AstVerificationException;
 import me.fponzi.tlaplusformatter.exceptions.SanyFrontendException;
 import org.apache.commons.cli.*;
 import org.slf4j.Logger;
@@ -27,6 +28,8 @@ public static int mainWrapper(String[] args) {
         options.addOption(VERBOSITY_OPTION, "verbosity", true, "Set the verbosity level (ERROR, WARN, *INFO, DEBUG)");
         options.addOption("w", "width", true, "Set the target line width for formatting (default: 80)");
         options.addOption("i", "indent", true, "Set the number of spaces for indentation (default: 4)");
+        options.addOption(null, "skip-ast-verification", false,
+                "Skip AST verification after formatting (not recommended, verification is enabled by default)");
 
         CommandLine cmd;
         try {
@@ -90,7 +93,20 @@ public static int mainWrapper(String[] args) {
             }
 
             FormatConfig config = new FormatConfig(lineWidth, indentSize);
-            TLAPlusFormatter formatter = new TLAPlusFormatter(inputFile, config);
+            boolean verifyAst = !cmd.hasOption("skip-ast-verification");
+            TLAPlusFormatter formatter;
+            try {
+                formatter = new TLAPlusFormatter(inputFile, config, verifyAst);
+            } catch (AstVerificationException e) {
+                // AST verification failed: print original input to stdout, diagnostics to stderr
+                System.out.print(Files.readString(inputFile.toPath()));
+                System.err.println("AST verification failed after formatting.");
+                System.err.println("tlaplus-formatter version: " + VersionInfo.getFullVersion());
+                System.err.println(e.getResult().formatDiagnostic());
+                System.err.println("This is a bug in the formatter. Please report it at:");
+                System.err.println("  https://github.com/FedericoPonzi/tlaplus-formatter/issues");
+                return 1;
+            }
             String formattedOutput = formatter.getOutput();
 
             if (remainingArgs.length == 2) {
diff --git a/src/main/java/me/fponzi/tlaplusformatter/TLAPlusFormatter.java b/src/main/java/me/fponzi/tlaplusformatter/TLAPlusFormatter.java
@@ -1,6 +1,7 @@
 package me.fponzi.tlaplusformatter;
 
 import com.opencastsoftware.prettier4j.Doc;
+import me.fponzi.tlaplusformatter.exceptions.AstVerificationException;
 import me.fponzi.tlaplusformatter.exceptions.SanyFrontendException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -23,14 +24,20 @@ public final class TLAPlusFormatter {
     private final TlaDocBuilder docBuilder;
     private String output;
     private final FormatConfig config;
+    private final boolean verifyAst;
 
     public TLAPlusFormatter(File specPath) throws IOException, SanyFrontendException {
-        this(specPath, new FormatConfig());
+        this(specPath, new FormatConfig(), true);
     }
 
     public TLAPlusFormatter(File specPath, FormatConfig config) throws IOException, SanyFrontendException {
+        this(specPath, config, true);
+    }
+
+    public TLAPlusFormatter(File specPath, FormatConfig config, boolean verifyAst) throws IOException, SanyFrontendException {
         this.docBuilder = new TlaDocBuilder(config);
         this.config = config.copy();
+        this.verifyAst = verifyAst;
         this.root = SANYWrapper.load(specPath);
         this.spec = specPath;
 
@@ -52,11 +59,15 @@ public String getOutput() {
      * @throws IOException
      */
     public TLAPlusFormatter(String spec) throws IOException, SanyFrontendException {
-        this(storeToTmp(spec), new FormatConfig());
+        this(storeToTmp(spec), new FormatConfig(), true);
     }
 
     public TLAPlusFormatter(String spec, FormatConfig config) throws IOException, SanyFrontendException {
-        this(storeToTmp(spec), config);
+        this(storeToTmp(spec), config, true);
+    }
+
+    public TLAPlusFormatter(String spec, FormatConfig config, boolean verifyAst) throws IOException, SanyFrontendException {
+        this(storeToTmp(spec), config, verifyAst);
     }
 
     private void format() throws IOException {
@@ -70,6 +81,59 @@ private void format() throws IOException {
         this.output = extraSections[0] +
                 moduleDoc.render(this.config.getLineWidth()) +
                 extraSections[1];
+
+        if (verifyAst) {
+            verifyAstPreservation();
+        }
+    }
+
+    /**
+     * Re-parses the formatted output and compares its AST to the original.
+     * Throws AstVerificationException if the ASTs differ.
+     */
+    private void verifyAstPreservation() throws IOException {
+        File tmpFile = null;
+        try {
+            // Write to the same directory as the original spec so SANY can resolve EXTENDS
+            tmpFile = storeForVerification(this.output, this.spec);
+            TreeNode formattedRoot = SANYWrapper.load(tmpFile);
+            AstComparator.Result result = AstComparator.compare(this.root, formattedRoot);
+            if (!result.isMatch()) {
+                throw new AstVerificationException(result);
+            }
+        } catch (SanyFrontendException e) {
+            throw new AstVerificationException(new AstComparator.Result(
+                    "Formatted output failed to parse: " + e.getMessage()));
+        } finally {
+            if (tmpFile != null && !tmpFile.delete()) {
+                LOG.debug("Failed to delete temporary verification file: {}", tmpFile);
+            }
+        }
+    }
+
+    /**
+     * Writes spec content to a temp directory with copies of sibling .tla files,
+     * so that SANY can resolve EXTENDS to sibling modules.
+     */
+    private static File storeForVerification(String content, File originalSpec) throws IOException {
+        File parentDir = originalSpec.getAbsoluteFile().getParentFile();
+        File tmpDir = java.nio.file.Files.createTempDirectory("sany-verify").toFile();
+        // Copy sibling .tla files so SANY can resolve EXTENDS
+        File[] siblings = parentDir.listFiles((dir, name) -> name.endsWith(".tla"));
+        if (siblings != null) {
+            for (File sibling : siblings) {
+                java.nio.file.Files.copy(
+                        sibling.toPath(),
+                        new File(tmpDir, sibling.getName()).toPath(),
+                        java.nio.file.StandardCopyOption.REPLACE_EXISTING);
+            }
+        }
+        // Write the formatted output with the original filename (SANY requires module name = filename)
+        File verifyFile = new File(tmpDir, originalSpec.getName());
+        try (java.io.FileWriter writer = new java.io.FileWriter(verifyFile, StandardCharsets.UTF_8)) {
+            writer.write(content);
+        }
+        return verifyFile;
     }
 
     static String getModuleName(String spec) {
diff --git a/src/main/java/me/fponzi/tlaplusformatter/exceptions/AstVerificationException.java b/src/main/java/me/fponzi/tlaplusformatter/exceptions/AstVerificationException.java
@@ -0,0 +1,19 @@
+package me.fponzi.tlaplusformatter.exceptions;
+
+import me.fponzi.tlaplusformatter.AstComparator;
+
+/**
+ * Thrown when the formatted output's AST does not match the original AST.
+ */
+public class AstVerificationException extends RuntimeException {
+    private final AstComparator.Result result;
+
+    public AstVerificationException(AstComparator.Result result) {
+        super(result.formatDiagnostic());
+        this.result = result;
+    }
+
+    public AstComparator.Result getResult() {
+        return result;
+    }
+}
diff --git a/src/test/java/me/fponzi/tlaplusformatter/AstVerificationTest.java b/src/test/java/me/fponzi/tlaplusformatter/AstVerificationTest.java
diff --git a/src/test/java/me/fponzi/tlaplusformatter/Utils.java b/src/test/java/me/fponzi/tlaplusformatter/Utils.java
