A `v, err := failable()` destructure now binds the value slot(s) "live
only where `err` is proven absent". Reading `v` where the compiler cannot
prove `err == null` is a compile error.
New diagnostic-only Pass 1e (`checkErrorFlow` in ir/lower.zig): a
structured, path-sensitive walk over each main-file function body. A
proven-null set is threaded across branches and joined by intersection
at each `if`'s merge. Proof shapes recognized:
- `if !err { … v … }` (proven inside the guard)
- `if err { return/raise } … v` (proven on the fall-through)
- `if err { … } else { … v … }` (proven in the else branch)
- `!err and <reads v>` (short-circuit refinement)
Error-set tag compares (`if err == error.X`) prove nothing about
absence — they narrow the tag only. Nested lambdas are analyzed as their
own boundaries. Library modules are trusted (skipped).
Migrated the canon value-failable examples (1011/1012/1018/1044) to read
their value slots under `if !err` guards — output unchanged. New
regressions: 1046 (every proof shape compiles + runs, exit 210) and 1047
(unproven reads rejected, exit 1).
Gates: zig build, zig build test, run_examples.sh -> 338 passed, 0 failed.
61 lines
2.1 KiB
Plaintext
// Path-sensitive value-slot liveness (ERR step E1.8). After `v, err := f()`, the
// value slot `v` is "live only where `err` is proven absent". Every read of `v`
// below sits on a path where the compiler can prove `err == null`:
//
// • `if !err { … v … }` — proven inside the guard
// • `if err { return } … v …` — proven on the fall-through
// • `if err { raise } … v …` — fall-through in a failable function
// • `if err { … } else { … v … }` — proven in the else branch
// • `!err and <reads v>` — short-circuit keeps the proof
//
// A bare tag-compare (`if err == error.X`) proves NOTHING about absence — see the
// rejection regression in 1047. (Regression for the E1.8 path-sensitive slice.)

#import "modules/std.sx";

E :: error { Bad, Empty }

parse :: (n: s32) -> (s32, !E) {
    if n < 0 { raise error.Bad; }
    if n == 0 { raise error.Empty; }
    return n * 10;
}

// Early-return guard: the fall-through proves `err` absent.
guarded :: (n: s32) -> s32 {
    v, err := parse(n);
    if err { return -1; }
    return v; // err proven absent here
}

// `if err { raise }` in a failable function: same fall-through proof.
relay :: (n: s32) -> (s32, !E) {
    v, err := parse(n);
    if err { raise err; }
    return v + 1; // err proven absent here
}

main :: () -> s32 {
    total : s32 = 0;

    // (1) proven inside `if !err`
    v1, e1 := parse(5);
    if !e1 { total = total + v1; } // +50

    // (2) proven in the else branch
    v2, e2 := parse(7);
    if e2 { total = total + 1; } else { total = total + v2; } // +70

    // (3) short-circuit `and` keeps the proof for the rhs
    v3, e3 := parse(3);
    if !e3 and v3 > 0 { total = total + v3; } // +30

    // (4) early-return / raise helpers
    total = total + guarded(4); // +40
    total = total + guarded(-1); // -1
    total = total + (relay(2) catch e 0); // parse(2)=20 → +1 = 21

    print("liveness total: {}\n", total); // 50+70+30+40-1+21 = 210
    return total;
}
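To make the intersection-at-merge rule concrete, here is an added Python model of the walk the commit message describes (my own illustration, not the project's ir/lower.zig): it threads a proven-absent set through a hypothetical tuple-based mini-IR, joins the two arms of each `if` by intersection, treats a tag-compare as proving nothing, and flags any read of a value slot whose paired `err` is not proven absent. The IR shape, the function names and the diagnostic wording are all assumptions.

```python
# Added model (not the project's ir/lower.zig) of the Pass 1e rule: a value slot
# may be read only where its paired `err` is proven absent. Constructed mini-IR:
#   stmt: ("bind", v, err) | ("read", v) | ("return",) | ("raise",) | ("if", cond, then, else)
#   cond: ("absent", e) `!err` | ("present", e) `err` | ("tag", e) `err == error.X`
#         | ("and", lhs, rhs) | ("read", v) for a read inside a condition
EXIT = None  # a path that returned/raised contributes nothing to a merge

def check_read(v, proven, owner, diags):
    if v in owner and owner[v] not in proven:
        diags.append(f"read of `{v}` where `{owner[v]}` is not proven absent")

def cond_facts(cond, proven, owner, diags):
    """Return (proven set on the true edge, proven set on the false edge)."""
    kind = cond[0]
    if kind == "absent":   # `!err`: absence proven inside the guard
        return proven | {cond[1]}, proven
    if kind == "present":  # `err`: absence proven on the fall-through / else edge
        return proven, proven | {cond[1]}
    if kind == "read":     # a read inside a condition is still a read
        check_read(cond[1], proven, owner, diags)
    if kind != "and":      # "tag" narrows the tag only: nothing proven either way
        return proven, proven
    # short-circuit: rhs runs only where lhs held; false edge = (lhs false) join (rhs false)
    lhs_t, lhs_f = cond_facts(cond[1], proven, owner, diags)
    rhs_t, rhs_f = cond_facts(cond[2], lhs_t, owner, diags)
    return rhs_t, lhs_f & rhs_f

def walk(block, proven, owner, diags):
    """Thread the proven-absent set through a block; EXIT if every path leaves."""
    for stmt in block:
        if stmt[0] == "bind":      # fresh destructure: nothing proven about err yet
            owner[stmt[1]] = stmt[2]
            proven = proven - {stmt[2]}
        elif stmt[0] == "read":
            check_read(stmt[1], proven, owner, diags)
        elif stmt[0] in ("return", "raise"):
            return EXIT
        else:                      # ("if", cond, then, else): both arms, then merge
            t_in, f_in = cond_facts(stmt[1], proven, owner, diags)
            arms = [walk(stmt[2], t_in, owner, diags), walk(stmt[3], f_in, owner, diags)]
            live = [s for s in arms if s is not EXIT]
            if not live:
                return EXIT
            proven = live[0].intersection(*live[1:])  # keep facts proven on every path
    return proven

def check_error_flow(body):
    diags = []  # an empty list means the body compiles under the rule
    walk(body, frozenset(), {}, diags)
    return diags
```

Feeding it the shapes from the regression above (early return, else branch, `!err and …`) yields no diagnostics, while a bare tag-compare guard, an unguarded read, or a read after an `if err { … }` with no exit in the arm each produce one.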