dafny-lang · RustanLeino · Nov 4, 2024 · Nov 4, 2024 · Nov 4, 2024 · Nov 4, 2024
diff --git a/Source/DafnyCore/AST/Expressions/Variables/BoundVar.cs b/Source/DafnyCore/AST/Expressions/Variables/BoundVar.cs
@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Diagnostics.Contracts;
+using JetBrains.Annotations;
 
 namespace Microsoft.Dafny;
 
@@ -36,7 +37,7 @@ public QuantifiedVar(IToken tok, string name, Type type, Expression domain, Expr
   }
 
   /// <summary>
-  /// Map a list of quantified variables to an eqivalent list of bound variables plus a single range expression.
+  /// Map a list of quantified variables to an equivalent list of bound variables plus a single range expression.
   /// The transformation looks like this in general:
   ///
   /// x1 <- C1 | E1, ..., xN <- CN | EN
@@ -48,7 +49,7 @@ public QuantifiedVar(IToken tok, string name, Type type, Expression domain, Expr
   /// Note the result will be null rather than "true" if there are no such domains or ranges.
   /// Some quantification contexts (such as comprehensions) will replace this with "true".
   /// </summary>
-  public static void ExtractSingleRange(List<QuantifiedVar> qvars, out List<BoundVar> bvars, out Expression range) {
+  public static void ExtractSingleRange(List<QuantifiedVar> qvars, out List<BoundVar> bvars, [CanBeNull] out Expression range) {
     bvars = new List<BoundVar>();
     range = null;
 

diff --git a/Source/DafnyCore/AST/Grammar/ParseErrors.cs b/Source/DafnyCore/AST/Grammar/ParseErrors.cs
@@ -96,6 +96,7 @@ public enum ErrorId {
     p_no_decreases_expressions_with_star,
     p_assert_needs_by_or_semicolon,
     p_deprecated_forall_with_no_bound_variables,
+    p_deprecated_forall_statement_with_parentheses_around_bound_variables,
     p_forall_with_ensures_must_have_body,
     p_deprecated_modify_statement_with_block,
     p_calc_operator_must_be_transitive,

diff --git a/Source/DafnyCore/Dafny.atg b/Source/DafnyCore/Dafny.atg
@@ -3091,36 +3091,45 @@ RevealStmt<out Statement s>
   .
 
 /*------------------------------------------------------------------------*/
-ForallStmt<out Statement/*!*/ s>
+ForallStmt<out Statement s>
 = (. Contract.Ensures(Contract.ValueAtReturn(out s) != null);
-     IToken/*!*/ x = Token.NoToken;
      List<BoundVar> bvars = null;
      Attributes qattrs = null;
      Expression range = null;
-     var ens = new List<AttributedExpression/*!*/>();
      IToken startToken = null;
-     BlockStmt block = null;
-     IToken bodyStart, bodyEnd;
-     IToken tok = Token.NoToken;
   .)
-  "forall"                                  (. x = t; tok = x; startToken = t; .)
+  "forall"                                  (. startToken = t; .)
 
   ( IF(la.kind == _openparen)  /* disambiguation needed, because of the possibility of a body-less forall statement */
-    "(" [ QuantifierDomain<out bvars, out qattrs, out range, true, true, true> ] ")"
-  |     [ IF(IsIdentifier(la.kind))  /* disambiguation needed, because of the possibility of a body-less forall statement */
-          QuantifierDomain<out bvars, out qattrs, out range, true, true, true>
-        ]
+    "("   (. errors.Deprecated(ErrorId.p_deprecated_forall_statement_with_parentheses_around_bound_variables, t,
+               "parentheses around the forall-statement bound variables are deprecated and not needed");
+          .)
+    [ QuantifierDomain<out bvars, out qattrs, out range, true, true, true> ]
+    ")"
+  | [ IF(IsIdentifier(la.kind))  /* disambiguation needed, because of the possibility of a body-less forall statement */
+      QuantifierDomain<out bvars, out qattrs, out range, true, true, true>
+    ]
   )
-  (. if (bvars == null) errors.Deprecated(ErrorId.p_deprecated_forall_with_no_bound_variables, startToken, "a forall statement with no bound variables is deprecated; use an 'assert by' statement instead");
-     if (bvars == null) { bvars = new List<BoundVar>(); }
-     if (range == null) { range = new LiteralExpr(x, true); }
+  (. if (bvars == null) {
+       errors.Deprecated(ErrorId.p_deprecated_forall_with_no_bound_variables, startToken,
+       "a forall statement with no bound variables is deprecated; use an 'assert by' statement instead");
+     }
+     bvars ??= new List<BoundVar>();
   .)
 
+  ForallStatementEnsuresAndBody<out s, startToken, bvars, qattrs, range>
+  .
+
+ForallStatementEnsuresAndBody<.out Statement s, IToken startToken, List<BoundVar> bvars, Attributes qattrs, Expression/*?*/ range.>
+= (. var ens = new List<AttributedExpression/*!*/>();
+     BlockStmt block = null;
+     range ??= new LiteralExpr(startToken, true);
+  .)
   {
     EnsuresClause<ens, true>
   }
   [ IF(la.kind == _lbrace)  /* if the input continues like a block statement, take it to be the body of the forall statement; a body-less forall statement must continue in some other way */
-    BlockStmt<out block, out bodyStart, out bodyEnd>
+    BlockStmt<out block, out _, out _>
   ]
   (. if (theOptions.DisallowSoundnessCheating && block == null && 0 < ens.Count) {
         SemErr(ErrorId.p_forall_with_ensures_must_have_body, t, "a forall statement with an ensures clause must have a body");
@@ -3994,7 +4003,7 @@ MapComprehensionExpr<out Expression e, bool allowLemma, bool allowLambda, bool a
      bool finite = true;
   .)
   ( "map" | "imap" (. finite = false; .) )     (. IToken mapToken = t; .)
-  QuantifierDomain<out bvars, out attrs, out range, allowLemma, allowLambda, allowBitwiseOps>
+  QuantifierDomain<out bvars, out attrs, out range, true, true, true>
   QSep
   Expression<out bodyRight, allowLemma, allowLambda, allowBitwiseOps>
   [ IF(IsGets())  /* greedily parse ":=" */    (. bodyLeft = bodyRight; .)
@@ -4019,7 +4028,8 @@ EndlessExpression<out Expression e, bool allowLemma, bool allowLambda, bool allo
   | QuantifierExpression<out e, allowLemma, allowLambda>  /* types are such that we can allow bitwise operations in the quantifier body */
   | SetComprehensionExpr<out e, allowLemma, allowLambda, allowBitwiseOps>
   | StmtInExpr<out s>
-    Expression<out e, allowLemma, allowLambda, allowBitwiseOps>    (. e = new StmtExpr(s.Tok, s, e) { RangeToken = new RangeToken(s.StartToken, e.EndToken) }; .)
+    Expression<out e, allowLemma, allowLambda, allowBitwiseOps>
+    (. e = new StmtExpr(s.Tok, s, e) { RangeToken = new RangeToken(s.StartToken, e.EndToken) }; .)
   | LetExpression<out e, allowLemma, allowLambda, allowBitwiseOps>
   | MapComprehensionExpr<out e, allowLemma, allowLambda, allowBitwiseOps>
   )
@@ -4497,20 +4507,30 @@ QuantifierExpression<out Expression q, bool allowLemma, bool allowLambda>
      List<BoundVar/*!*/> bvars;
      Attributes attrs;
      Expression range;
-     Expression/*!*/ body;
+     q = dummyExpr;
   .)
   ( Forall                                     (. x = t;  univ = true; .)
   | Exists                                     (. x = t; .)
   )
-  QuantifierDomain<out bvars, out attrs, out range, allowLemma, allowLambda, true>
-  QSep
-  Expression<out body, allowLemma, allowLambda>
-  (. if (univ) {
-       q = new ForallExpr(x, new RangeToken(x, t), bvars, range, body, attrs);
-     } else {
-       q = new ExistsExpr(x, new RangeToken(x, t), bvars, range, body, attrs);
-     }
-  .)
+  QuantifierDomain<out bvars, out attrs, out range, true, true, true>
+  ( IF(univ && (la.kind == _ensures || la.kind == _lbrace))
+    // It's a forall statement. Parse it as part of a StmtExpr.
+    ForallStatementEnsuresAndBody<out var forallStatement, x, bvars, attrs, range>
+    Expression<out var expr, allowLemma, allowLambda>
+    (. q = new StmtExpr(forallStatement.Tok, forallStatement, expr) {
+         RangeToken = new RangeToken(forallStatement.StartToken, forallStatement.EndToken)
+       };
+    .)
+
+  | QSep
+    Expression<out var body, allowLemma, allowLambda>
+    (. if (univ) {
+         q = new ForallExpr(x, new RangeToken(x, t), bvars, range, body, attrs);
+       } else {
+         q = new ExistsExpr(x, new RangeToken(x, t), bvars, range, body, attrs);
+       }
+    .)
+  )
   .
 
 /*------------------------------------------------------------------------*/
@@ -4584,9 +4604,7 @@ SetComprehensionExpr<out Expression q, bool allowLemma, bool allowLambda, bool a
        // This production used to have its own version of QuantifierDomain in which the
        // range was not optional, so we map null to "true" here so that the rest of the
        // logic doesn't hit exceptions.
-       if (range == null) {
-         range = LiteralExpr.CreateBoolLiteral(new AutoGeneratedToken(t), true);
-       }
+       range ??= LiteralExpr.CreateBoolLiteral(new AutoGeneratedToken(t), true);
        q = new SetComprehension(setToken, new RangeToken(setToken, t), finite, bvars, range, body, attrs);
      }
   .)

diff --git a/Source/DafnyStandardLibraries/src/Std/Arithmetic/DivMod.dfy b/Source/DafnyStandardLibraries/src/Std/Arithmetic/DivMod.dfy
@@ -152,7 +152,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivIsOrderedByDenominatorAuto()
     ensures forall x: int, y: int, z: int {:trigger x / y, x / z} :: 0 <= x && 1 <= y <= z ==> x / y >= x / z
   {
-    forall (x: int, y: int, z: int | 0 <= x && 1 <= y <= z)
+    forall x: int, y: int, z: int | 0 <= x && 1 <= y <= z
       ensures x / y >= x / z
     {
       LemmaDivIsOrderedByDenominator(x, y, z);
@@ -173,7 +173,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivIsStrictlyOrderedByDenominatorAuto()
     ensures forall x: int, d: int {:trigger x / d} :: 0 < x && 1 < d ==> x / d < x
   {
-    forall (x: int, d: int | 0 < x && 1 < d )
+    forall x: int, d: int | 0 < x && 1 < d
       ensures x / d < x
     {
       LemmaDivIsStrictlyOrderedByDenominator(x, d);
@@ -204,7 +204,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
               :: 0 < d &&  R == a%d + b%d - (a+b)%d ==> d*((a+b)/d) - R == d*(a/d) + d*(b/d)
   {
     // https://github.com/dafny-lang/dafny/issues/4771
-    forall (a: int, b: int, d: int, R: int {:trigger d * ((a + b) / d) - R, d*(a/d) + d*(b/d)} | 0< d &&  R == a%d + b%d - (a+b)%d)
+    forall a: int, b: int, d: int, R: int {:trigger d * ((a + b) / d) - R, d*(a/d) + d*(b/d)} | 0< d &&  R == a%d + b%d - (a+b)%d
       ensures d*((a+b)/d) - R == d*(a/d) + d*(b/d)
     {
       LemmaDividingSums(a, b, d, R);
@@ -224,7 +224,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivPosIsPosAuto()
     ensures forall x: int, d: int {:trigger x / d} :: 0 <= x && 0 < d ==> 0 <= x / d
   {
-    forall (x: int, d: int | 0 <= x && 0 < d)
+    forall x: int, d: int | 0 <= x && 0 < d
       ensures 0 <= x / d
     {
       LemmaDivPosIsPos(x, d);
@@ -243,7 +243,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivPlusOneAuto()
     ensures forall x: int, d: int {:trigger 1 + x / d, (d + x) / d} :: 0 < d ==> 1 + x / d == (d + x) / d
   {
-    forall (x: int, d: int | 0 < d)
+    forall x: int, d: int | 0 < d
       ensures 1 + x / d == (d + x) / d
     {
       LemmaDivPlusOne(x, d);
@@ -262,7 +262,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivMinusOneAuto()
     ensures forall x: int, d: int {:trigger -1 + x / d, (-d + x) / d} :: 0 < d ==> -1 + x / d == (-d + x) / d
   {
-    forall (x: int, d: int | 0 < d)
+    forall x: int, d: int | 0 < d
       ensures -1 + x / d == (-d + x) / d
     {
       LemmaDivMinusOne(x, d);
@@ -280,7 +280,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaBasicDivAuto()
     ensures forall x: int, d: int {:trigger x / d} :: 0 <= x < d ==> x / d == 0
   {
-    forall (x: int, d: int | 0 <= x < d)
+    forall x: int, d: int | 0 <= x < d
       ensures x / d == 0
     {
       LemmaBasicDiv(d);
@@ -299,7 +299,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivIsOrderedAuto()
     ensures forall x: int, y: int, z: int {:trigger x / z, y / z} :: x <= y && 0 < z ==> x / z <= y / z
   {
-    forall (x: int, y: int, z: int | x <= y && 0 < z)
+    forall x: int, y: int, z: int | x <= y && 0 < z
       ensures x / z <= y / z
     {
       LemmaDivIsOrdered(x, y, z);
@@ -319,7 +319,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivDecreasesAuto()
     ensures forall x: int, d: int {:trigger x / d} :: 0 < x && 1 < d ==> x / d < x
   {
-    forall (x: int, d: int | 0 < x && 1 < d)
+    forall x: int, d: int | 0 < x && 1 < d
       ensures x / d < x
     {
       LemmaDivDecreases(x, d);
@@ -339,7 +339,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaDivNonincreasingAuto()
     ensures forall x: int, d: int {:trigger x / d } :: 0 <= x && 0 < d ==> x / d <= x
   {
-    forall (x: int, d: int | 0 <= x && 0 < d)
+    forall x: int, d: int | 0 <= x && 0 < d
       ensures x / d <= x
     {
       LemmaDivNonincreasing(x, d);
@@ -409,7 +409,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
     ensures forall x: int, y: int, z: int {:trigger y * z, x % (y * z), y * ((x / y) % z) + x % y}
               :: 0 <= x && 0 < y && 0 < z ==> 0 < y * z && x % (y * z) == y * ((x / y) % z) + x % y
   {
-    forall (x: int, y: int, z: int  | 0 <= x && 0 < y && 0 < z)
+    forall x: int, y: int, z: int  | 0 <= x && 0 < y && 0 < z
       ensures 0 < y * z && x % (y * z) == y * ((x / y) % z) + x % y
     {
       LemmaBreakdown(x, y, z);
@@ -428,7 +428,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
   lemma LemmaRemainderUpperAuto()
     ensures forall x: int, d: int {:trigger x - d, d * d} :: 0 <= x && 0 < d ==> x - d < x / d * d
   {
-    forall (x: int, d: int | 0 <= x && 0 < d)
+    forall x: int, d: int | 0 <= x && 0 < d
       ensures x - d < x / d * d
     {
       LemmaRemainderUpper(x, d);
@@ -627,7 +627,7 @@ module {:disableNonlinearArithmetic} Std.Arithmetic.DivMod {
     ensures forall x: int, y: int, z: int {:trigger x * (y / z), (x * y) / z}
               :: 0 <= x && 0 < z ==> x * (y / z) <= (x * y) / z
   {
-    forall (x: int, y: int, z: int | 0 <= x && 0 < z)
+    forall x: int, y: int, z: int | 0 <= x && 0 < z
       ensures x * (y / z) <= (x * y) / z
     {
       LemmaMulHoistInequality(x, y, z);