Bounded unsigned integer spells

[Kukovec]

• Tests added for any new code
• Documentation added for any new functionality
• Entries added to the respective CHANGELOG.md for any new functionality
• Feature table on README.md updated for any listed functionality

coauthored w/ @thpani

[shonfeder]

Just a few questions and small suggestions from me :)

Generally looks great.

[shonfeder]

Seems like UInt would be a more descriptive type name. Otherwise it is impractical to import the module unqualified.

[shonfeder]

I'm wondering if actual use case needs an error message string. Would it be possible that having error: bool would be more ergonomic and just knowing that there is an error one way or the other would suffice?

[Kukovec]

I can rename it UintT (UInt clashes with the constructor). As for the error field, I prefer keeping it. You can always call i.isValid, and get a boolean evaluation, whereas the error string is more descriptive (and already implemented)

[shonfeder]

The constructor could be intToUInt. I think this is how we are making converters of, e.g., maps to sets: https://github.com/informalsystems/quint/blob/main/quint/src/builtin.qnt#L310

[Kukovec]

Not sure if that article is supposed to be an example of nomenclature, or if you mis-pasted it.

[shonfeder]

Miss pasted! Sorry. That should be https://github.com/informalsystems/quint/blob/main/quint/src/builtin.qnt#L310

[konnov]

I'm wondering if actual use case needs an error message string. Would it be possible that having error: bool would be more ergonomic and just knowing that there is an error one way or the other would suffice?

The error field is similar to what was done with the modelling of Decimals in https://github.com/informalsystems/quint-sandbox/blob/main/decimal/decimal.qnt. While a Boolean would suffice, having a string is almost as cheap (from the analysis p.o.v.) as having a Boolean, and it it produces better counterexamples.

[shonfeder]

I'm fine with leaving it as an error message if that has proven useful.

I think the remaining item left for this comment is then the type name.

[Kukovec]

I think

UInt: int => UIntT

looks much nicer than

intToUInt: int => UInt

mainly because, if I have to type intToUInt for every integer literal in my spec, that's a lot of line-width bloat.
@konnov @thpani @bugarela

[shonfeder]

True, it looks nicer. If we go with an interface that requires wrapping values, makes sense to keep it short.

[shonfeder]

Since these don't error out, would it not make more sense to just have it defined over int?

[bugarela]

I thought the same thing. Seems to me that we'd want all saturating and wrapping operators to be defined over int.

[Kukovec]

It's an interface question. You want these operations to all be (UIntT, UIntT) => UIntT so you can chain them.
If this returned an int, you couldn't do e.g. saturatingAdd(saturatingAdd(a,b), c)

[shonfeder]

We are thinking the signature should be (int, int) => int, so that would chain fine.

[Kukovec]

For saturating alone, yes, but you couldn't combine e.g. saturatingAdd(checkedAdd(a,b), c) (which was supposed to be the example above, but I borked it in copypaste)

[Kukovec]

Just to make sure I understand the above, you also prefer

saturatingAdd: (int, int) => int
checkedAdd: (int, int) => T

?
We can do it like that, but I'll just reiterate #1230 (comment), doing this allows for "nonsensical" (in the unsigned-int universe) constructions.

[Kukovec]

Both ways are "chainable"

[shonfeder]

Our goal here should be brief, self-explanatory specs

I agree with that goal! But its worth noting that requiring the saturatinAdd arguments and return value to be wrapped introduces its own complexity, and leaving them as type int makes it clearer when interacting with other int operators, like say the predicates or indexing operations.

Wrapping everything in the UInt type, whether or not it is needed, will make it easier to chain these operators and that is clearer, but at the expense of every other point where the returned or supplied values have to be cast to/from an int.

An additional benefit of expecting this to use Option combinators for chaining (once sum types are in, but using a makeshift maybe in the meantime) is that it makes it self-explanatory to readers that one is chaining partial computations.

Some example use cases using the two different approaches may be illustrative to track the tradeoffs. Do we have any code in mind that would be a good test case?

[thpani]

At least from the code where this would be useful that I've seen (Rust in Cosmos, bounded integers in smart contracts), you would firmly stay within the bounded fragment. I've never seen an unwrap to integers.

For this purpose, I believe that a single, initial wrapping of Quint's native int into a UInt, and then simply remaining in UInt, is the most practical.

But I'm happy to consider other examples, or if we have none atm, revise this library when necessary.

[shonfeder]

Makes sense.

[shonfeder]

Tests should get run in the examples dashboard. Whats the added value of adding an additional test here?

[konnov]

left a few comments

[konnov]

yeah, chaining would be good IMO

[bugarela]

I love the new tests! Thank you for all the changes 💅

[shonfeder]

Thanks for making the tests clearer :)