feat: Proof refactoring suggestions

[fabiomadge]

Description

This PR adds suggestions for proof refactoring in two scenarios. It suggests moving single-use assertions into by-proofs and hiding functions that are unused for the proof of a method.

How has this been tested?

New tests

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

[keyboardDrummer]

I think warnings that are turned off by default are anti-patterns. Turning them off by default implies that we do not recommend using this warning.

I think in this case the opposite is true: we do recommend using this warning! The only thing is that it drags down verification to do the analysis that enables it. I think it would be better to have a single option --analyse-proofs that turns on TrackVerificationCoverage and automatically all the warnings/suggestion that are associated with it.

We could then still have options that allow turning off some of the warning associated with --analyse-proofs, but I would be OK with not having those.

[keyboardDrummer]

Can you say more about this completeInformation variable? What's an example program in which it is false?

[fabiomadge]

It's when the dependency isn't of a type that we know how to handle.

[keyboardDrummer]

Do you have an example?

[fabiomadge]

FunctionDefinitionDependency? No point in moving that.

[keyboardDrummer]

What's the .Where for? Could you add a clarifying comment? If a fact is used to prove an ensures clause and an assertion (could be make sure we have a test for this?), then we should not recommend moving that fact to a by block right?

[fabiomadge]

It's the other way around, proving something using on ensures doesn't make much sense, so we exclude it.

[keyboardDrummer]

Is it a performance optimization then? Wouldn't assertionsProvenUsingFact[ensuresDependency].Any() always be false?

Also, do you do the same optimization on line 222?

[fabiomadge]

Isn't this convenient... dafny-lang/blog#37 (comment)

[keyboardDrummer]

Can you elaborate?

[fabiomadge]

It's an example of an ensures dependency being the singular dependency. Didn't you ask for that?

[keyboardDrummer]

Is it a performance optimization then? Wouldn't assertionsProvenUsingFact[ensuresDependency].Any() always be false?

Also, do you do the same optimization on line 222?

[keyboardDrummer]

Didn't you already fill this dictionary with values? Why do you sometimes need to add another value?

[fabiomadge]

Yes, but not with the function definition axioms

[keyboardDrummer]

Do you have an example?

[keyboardDrummer]

factDependency == assertDependency when does that occur? Is this for things like a loop invariant?

[fabiomadge]

We don't count the assertion itself when considering what was needed to proof it.

[keyboardDrummer]

I guess that this is not about a case where an expression is both an assumptions and assertion, as is the case with invariants, but this is about an assertion always being used in the VC in which it occurs.

[keyboardDrummer]

Maybe indicate that this only works for proofs that verify? Use data from verified proofs

I find refine ambiguous. I would go for to provide additional warnings and suggestions, or to warn about potential specification bugs and suggest changes to improve verification performance

Our documentation uses verifier, solver and prover. I'd use the term verifier (referring to the whole verification pipeline) or SMT solver in externally facing documentation.

Warning if any assertions are proved

I don't think that's valid English. I would use an imperative sentence Warn if ..

[keyboardDrummer]

Approved and set to auto-merge. I had one remaining comment about documentation. If you want to address that we can do it in a follow-up.