Add Flux tool description and CI workflow

[nilehmann]

This PR introduces Flux to the list of tools used in the book and adds a corresponding CI workflow.

The CI workflow runs Flux on a subset of core (specifically, files under src/ascii) to verify the absence of array out-of-bounds errors. It demonstrates how to annotate the code with refinement types to specify the pre- and post-conditions necessary to prove safety on the subset that Flux is enabled.

The Flux tool and necessary dependencies are built from source on CI (pinning specific commits).

Resolves #362

[tautschnig]

Can you outline a path on how this might eventually get integrated upstream?

[nilehmann]

Could you clarify whether you're referring to specs in general or just the spec in this macro?

[tautschnig]

Actually just this one: to me (and I could be wrong!) it looks like a change that, if we were to try to do more proofs using Flux, would require changes in lots of places. For other specs/contracts there is a path in that Rust upstream has experimental contracts support. But tool-specific annotations seem a lot less likely to be merged upstream.

[nilehmann]

You are not wrong in that more proofs will require more annotations. We've thought about this, and one option is to provide signatures in a separate file (à la ocaml .mli files), but this is something we have not implemented yet (we have something similar for extern specs).

[tautschnig]

With this specific case: wouldn't it be possible to move the spec into the macro_rules so that all generated implementations feature a flux_spec?

[nilehmann]

Sadly, no, we try that first, but the macro is also used to convert from bool to integers, and we can't use the same signature for that, i.e., the following is ill-formed when $Small is bool.

#[cfg_attr(flux, flux::spec(fn(x: $Small) -> $Large[x]))]

[ranjitjhala]

Yes, the catch here is that we want to branch on the $Small and $Large and only put different specs depending on their values.

There is perhaps some way to do this with the macros but we couldn't quite work it out, unfortunately.

Would be great if you have any suggestions.

[tautschnig]

For these, does Flux distinguish between ones causing a panic vs ones deemed undefined behaviour?

[nilehmann]

No, we currently don't distinguish between those.

[tautschnig]

Would you mind including some documentation to this effect?

[nilehmann]

I added a sentence at the end of the section explaining this.

[tautschnig]

Do we have to stick with this particular version of Z3? Would it be conceivable to just install Ubuntu's version of Z3?

[nilehmann]

This is the version we use in our CI. I had problems in the past with Ubuntu's version being too old, and that's why I pinned it. That being said, I see that now they are in 4.13, so we should be fine with that. We may need to update in the future, though.

[tautschnig]

Could you please add a comment denoting the minimum version of Z3 required? I am worried about being stuck with a particular version of Z3 when soundness issue in that version of the solver may eventually be found.

[nilehmann]

@tautschnig, I'm unsure about what to do here. There's nothing special about this version; it's just the one we actively use in CI, so we have a bit more confidence with it. We (mostly) use standard smtlib, so newer and some older versions should also work.

[nilehmann]

Should I add a comment explaining exactly that?

[tautschnig]

I believe this is ready to go except for some remaining documentation gaps, see comments.

[tautschnig]

Can you please include a section on (current) limitations or caveats?

[nilehmann]

I added a section at the end of the document.