coop/rose-ash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

datalog: reject body lits with reserved names
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 39s
Details

Browse Source 
Nested `not(not(P))` silently misparsed: outer `not(...)` is
recognised as negation, but the inner `not(banned(X))` was parsed
as a positive call to a relation called `not`. With no `not`
relation present, the inner match was empty, the outer negation
succeeded vacuously, and `vip(X) :- u(X), not(not(banned(X))).`
collapsed to `vip(X) :- u(X).` — a silent double-negation = identity
fallacy.

Fix in `dl-rule-check-safety`: the positive-literal branch and
`dl-process-neg!` both reject any body literal whose relation
name is in `dl-reserved-rel-names`. Error message names the
relation and points the user at stratified negation through an
intermediate relation.

1 regression test; conformance 260/260.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
giles
2026-05-11 07:41:49 +00:00
parent dcae125955
commit 285cd530eb
5 changed files with 70 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
lib/datalog/builtins.sx
View File

@@ -250,18 +250,29 @@
(fn (fn
(lit) (lit)
(let (let
((needed (dl-vars-of (get lit :neg)))) ((inner (get lit :neg)))
(let (let
((missing (dl-vars-not-in needed bound))) ((inner-rn
(when (cond
(> (len missing) 0) ((and (list? inner) (> (len inner) 0))
(set! (dl-rel-name inner))
err (else nil)))
(str (needed (dl-vars-of inner))
"negation refers to unbound variable(s) " (missing (dl-vars-not-in (dl-vars-of inner) bound)))
missing (cond
" — they must be bound by an earlier " ((and (not (nil? inner-rn)) (dl-reserved-rel? inner-rn))
"positive body literal"))))))) (set! err
(str "negated literal uses reserved name '"
inner-rn
"' — nested `not(...)` / negated built-ins are "
"not supported; introduce an intermediate "
"relation and negate that")))
((> (len missing) 0)
(set! err
(str "negation refers to unbound variable(s) "
missing
" — they must be bound by an earlier "
"positive body literal"))))))))
(define (define
dl-process-agg! dl-process-agg!
(fn (fn
@@ -289,7 +300,16 @@
((dl-is? lit) (dl-process-is! lit)) ((dl-is? lit) (dl-process-is! lit))
((dl-comparison? lit) (dl-process-cmp! lit)) ((dl-comparison? lit) (dl-process-cmp! lit))
((and (list? lit) (> (len lit) 0)) ((and (list? lit) (> (len lit) 0))
(dl-add-bound! (dl-vars-of lit))))))) (let ((rn (dl-rel-name lit)))
(cond
((and (not (nil? rn)) (dl-reserved-rel? rn))
(set! err
(str "body literal uses reserved name '" rn
"' — built-ins / aggregates have their own "
"syntax; nested `not(...)` is not supported "
"(use stratified negation via an "
"intermediate relation)")))
(else (dl-add-bound! (dl-vars-of lit))))))))))
(for-each dl-process-lit! body) (for-each dl-process-lit! body)
(when (when
(nil? err) (nil? err)

8
lib/datalog/scoreboard.json
View File

@@ -1,13 +1,13 @@
{ {
"lang": "datalog", "lang": "datalog",
"total_passed": 259, "total_passed": 260,
"total_failed": 0, "total_failed": 0,
"total": 259, "total": 260,
"suites": [ "suites": [
{"name":"tokenize","passed":30,"failed":0,"total":30}, {"name":"tokenize","passed":30,"failed":0,"total":30},
{"name":"parse","passed":22,"failed":0,"total":22}, {"name":"parse","passed":22,"failed":0,"total":22},
{"name":"unify","passed":29,"failed":0,"total":29}, {"name":"unify","passed":29,"failed":0,"total":29},
{"name":"eval","passed":38,"failed":0,"total":38}, {"name":"eval","passed":39,"failed":0,"total":39},
{"name":"builtins","passed":23,"failed":0,"total":23}, {"name":"builtins","passed":23,"failed":0,"total":23},
{"name":"semi_naive","passed":8,"failed":0,"total":8}, {"name":"semi_naive","passed":8,"failed":0,"total":8},
{"name":"negation","passed":10,"failed":0,"total":10}, {"name":"negation","passed":10,"failed":0,"total":10},
@@ -16,5 +16,5 @@
{"name":"magic","passed":36,"failed":0,"total":36}, {"name":"magic","passed":36,"failed":0,"total":36},
{"name":"demo","passed":21,"failed":0,"total":21} {"name":"demo","passed":21,"failed":0,"total":21}
], ],
"generated": "2026-05-11T07:26:33+00:00" "generated": "2026-05-11T07:40:56+00:00"
} }

4
lib/datalog/scoreboard.md
View File

@@ -1,13 +1,13 @@
# datalog scoreboard # datalog scoreboard
**259 / 259 passing** (0 failure(s)). **260 / 260 passing** (0 failure(s)).
| Suite | Passed | Total | Status | | Suite | Passed | Total | Status |
|-------|--------|-------|--------| |-------|--------|-------|--------|
| tokenize | 30 | 30 | ok | | tokenize | 30 | 30 | ok |
| parse | 22 | 22 | ok | | parse | 22 | 22 | ok |
| unify | 29 | 29 | ok | | unify | 29 | 29 | ok |
| eval | 38 | 38 | ok | | eval | 39 | 39 | ok |
| builtins | 23 | 23 | ok | | builtins | 23 | 23 | ok |
| semi_naive | 8 | 8 | ok | | semi_naive | 8 | 8 | ok |
| negation | 10 | 10 | ok | | negation | 10 | 10 | ok |

18
lib/datalog/tests/eval.sx
View File

@@ -203,6 +203,24 @@
(dl-et-throws? (fn () (dl-program "is(N, +(1, 2)) :- p(N)."))) (dl-et-throws? (fn () (dl-program "is(N, +(1, 2)) :- p(N).")))
true) true)
;; Body literal with a reserved-name positive head is rejected.
;; The parser only treats outer-level `not(P)` as negation; nested
;; `not(not(P))` would otherwise silently parse as a positive call
;; to a relation named `not` and succeed vacuously. The safety
;; checker now flags this so the user gets a clear error.
;; Body literal with a reserved-name positive head is rejected.
;; The parser only treats outer-level `not(P)` as negation; nested
;; `not(not(P))` would otherwise silently parse as a positive call
;; to a relation named `not` and succeed vacuously — so the safety
;; checker now flags this to give the user a clear error.
(dl-et-test!
"nested not(not(...)) rejected"
(dl-et-throws?
(fn ()
(dl-program
"banned(a). u(a). vip(X) :- u(X), not(not(banned(X))).")))
true)
(dl-et-test! (dl-et-test!
"unsafe head var" "unsafe head var"
(dl-et-throws? (fn () (dl-program "p(X, Y) :- q(X)."))) (dl-et-throws? (fn () (dl-program "p(X, Y) :- q(X).")))

15
plans/datalog-on-sx.md
View File

@@ -15,7 +15,7 @@ for rose-ash data (e.g. federation graph, content relationships).
## Status (rolling) ## Status (rolling)
`bash lib/datalog/conformance.sh`**256/256 across 11 suites** `bash lib/datalog/conformance.sh`**260/260 across 11 suites**
(tokenize, parse, unify, eval, builtins, semi_naive, negation, aggregates, (tokenize, parse, unify, eval, builtins, semi_naive, negation, aggregates,
api, magic, demo). Source is ~3100 LOC, tests ~2900 LOC, public API api, magic, demo). Source is ~3100 LOC, tests ~2900 LOC, public API
documented in `lib/datalog/datalog.sx`. documented in `lib/datalog/datalog.sx`.
@@ -320,6 +320,19 @@ large graphs.
_Newest first._ _Newest first._
- 2026-05-11 — Eval-semantics bug-hunt: nested `not(not(P))` was
silently misinterpreted. Outer-level `not(...)` is parsed as
negation, but the inner `not(banned(X))` was parsed as a regular
positive literal naming a relation called `not`. Since no `not`
relation existed, the inner match was empty and the outer
negation succeeded vacuously, making `vip(X) :- u(X), not(not(banned(X))).`
equivalent to `vip(X) :- u(X).` (a silent double-negation = identity
fallacy). Fix in `dl-rule-check-safety`: both the positive-literal
branch and `dl-process-neg!` now flag any body literal whose head
is in `dl-reserved-rel-names`. Error message names the relation and
points the user at intermediate-relation stratified negation. 1 new
regression test; 260/260.
- 2026-05-10 — Bug-hunt round on parser/safety surfaced 7 real - 2026-05-10 — Bug-hunt round on parser/safety surfaced 7 real
bugs, each fixed with regression tests: bugs, each fixed with regression tests:
- Reserved relation names (`not`, `count`, `<`, `is`, ...) were - Reserved relation names (`not`, `count`, `<`, `is`, ...) were