1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
//! Creusot deductive verifier adapter for formal verification.
//!
//! This module adapts the generic [`Contract`](super::Contract) trait for use
//! with the [Creusot Rust Verifier](https://github.com/creusot-rs/creusot).
//!
//! # Creusot Integration
//!
//! Creusot uses **deductive verification** through Why3:
//! - Translates Rust + contracts → Why3 intermediate language
//! - SMT solvers prove verification conditions
//! - Prophecy variables for reasoning about mutable borrows
//! - Supports both safe and unsafe code verification
//!
//! # Contract Syntax
//!
//! Creusot uses the `creusot-contracts` crate with attribute macros:
//!
//! ```rust,ignore
//! use creusot_contracts::*;
//!
//! #[requires(x > 0)]
//! #[ensures(result > x)]
//! fn increment(x: i32) -> i32 {
//! x + 1
//! }
//! ```
//!
//! # Prophecy Variables
//!
//! For mutable borrows, use `old()` to refer to pre-state:
//!
//! ```rust,ignore
//! #[requires(x.len() > 0)]
//! #[ensures(x[0] == old(x[0]) + 1)]
//! fn increment_first(x: &mut [i32]) {
//! x[0] += 1;
//! }
//! ```
//!
//! # Integration with Generic Contract
//!
//! This module provides helpers to bridge our generic [`Contract`] trait
//! to Creusot's native annotation system.
//!
//! ```rust,ignore
//! use elicitation::verification::{Contract, creusot::Tool};
//!
//! struct ValidateEmail;
//!
//! impl Contract for ValidateEmail {
//! type Input = String;
//! type Output = String;
//!
//! fn requires(input: &String) -> bool {
//! input.contains('@')
//! }
//!
//! fn ensures(_input: &String, output: &String) -> bool {
//! output.contains('@')
//! }
//! }
//!
//! #[async_trait::async_trait]
//! impl Tool for ValidateEmail {
//! #[requires(Self::requires(&input))]
//! #[ensures(Self::ensures(&input, &result))]
//! async fn execute(&self, input: String) -> ElicitResult<String> {
//! // Implementation
//! Ok(input)
//! }
//! }
//! ```
//!
//! # Key Features
//!
//! - **Deductive Verification**: Proves correctness via Why3/SMT solvers
//! - **Prophecy Variables**: Handles mutable references elegantly
//! - **Ghost Code**: Specification-only constructs erased at compile time
//! - **Pearlite Language**: Rust-inspired specification language
//! - **Trait Verification**: Can verify trait method contracts
//!
//! # Installation
//!
//! Creusot requires external tools:
//!
//! ```bash
//! # Install Creusot
//! cargo install creusot
//!
//! # Install Why3 (required backend)
//! # See: https://why3.lri.fr/download.html
//! ```
//!
//! # Running Verification
//!
//! ```bash
//! # Verify a file
//! creusot verify my_code.rs
//!
//! # With Why3 GUI for interactive proof
//! creusot verify --why3-gui my_code.rs
//! ```
use Contract;
use crateElicitResult;
// Re-export Contract as CreusotContract for consistency
pub use Contract as CreusotContract;
/// Executable tool with Creusot contract verification.
///
/// Extends [`Contract`] with async execution and Creusot-compatible annotations.
///
/// # Usage
///
/// Use Creusot's native `#[requires]` and `#[ensures]` attributes on the
/// `execute` method, referencing the `Contract` trait methods:
///
/// ```rust,ignore
/// #[async_trait::async_trait]
/// impl Tool for MyTool {
/// #[requires(Self::requires(&input))]
/// #[ensures(Self::ensures(&old(input), &result))]
/// async fn execute(&self, input: Self::Input) -> ElicitResult<Self::Output> {
/// // Implementation
/// }
/// }
/// ```
///
/// # Prophecy Example
///
/// For mutable state, use `old()` prophecy:
///
/// ```rust,ignore
/// #[requires(self.counter < 100)]
/// #[ensures(self.counter == old(self.counter) + 1)]
/// fn increment(&mut self) {
/// self.counter += 1;
/// }
/// ```
/// Helper macros for bridging to Creusot annotations.
///
/// These provide ergonomic ways to connect generic `Contract` trait
/// to Creusot's native annotation system.
///
/// Generate Creusot `#[requires]` from Contract trait.
///
/// # Example
///
/// ```rust,ignore
/// #[requires_from_contract(ValidateEmail)]
/// async fn execute(&self, input: String) -> ElicitResult<String> {
/// // Expands to: #[requires(ValidateEmail::requires(&input))]
/// }
/// ```
/// Generate Creusot `#[ensures]` from Contract trait.
///
/// # Example
///
/// ```rust,ignore
/// #[ensures_from_contract(ValidateEmail)]
/// async fn execute(&self, input: String) -> ElicitResult<String> {
/// // Expands to: #[ensures(ValidateEmail::ensures(&old(input), &result))]
/// }
/// ```
/// Documentation-only marker for Creusot ghost code.
///
/// In actual Creusot verification, you would use:
/// ```rust,ignore
/// use creusot_contracts::*;
/// ghost! {
/// let previous_state = input.clone();
/// // Ghost code here
/// }
/// ```
;
/// Documentation-only marker for Creusot prophecy variables.
///
/// In actual Creusot verification, prophecies are expressed via `old()`:
/// ```rust,ignore
/// #[ensures(output.value == old(input.value) + 1)]
/// ```
;
/// Helper trait for types that can be used in Creusot specifications.
///
/// Creusot requires types in specifications to be clonable and have
/// decidable equality for verification.
// Blanket implementation for types that meet requirements