feat(EVM,Trace,Core): land ERC-4337 frame primitives upstream #1969
Merged
Promotes a set of reusable EVM-frame and counting-trace primitives from the ERC-4337 EntryPoint benchmark into Verity proper. Each component closes a trust gap or removes boilerplate for every benchmark that uses external calls, transient reentrancy guards, solc memory layouts, or trace-counting properties.

## New modules

- Verity/Core.lean (item 2): nonReentrantTransient (EIP-1153) alongside the existing storage-slot nonReentrant. Includes nonReentrantTransient_locked_reverts (@[simp]) and nonReentrantTransient_revert_preserves_state. Modern OpenZeppelin contracts use ReentrancyGuardTransient; benchmarks no longer need to roll their own.
- Verity/EVM/MemoryModel.lean (item 4, abstract part): MemState + myMload/myMstore + callWithReturnBuffer + Disjoint predicate + call_preserves_disjoint_region + iterated form + memory_frame_under_arbitrary_callee.
- Verity/EVM/Frame.lean (item 1): CallerFrame + CalleeResult + applyCallToCaller + the four caller-frame preservation theorems (storage, transient storage, memory outside the output buffer, and the disjoint-region form) + iterated-CALL variants. Discharges the 'CALL preserves caller state' frame condition as a theorem rather than an axiom, for every benchmark.
- Verity/EVM/Layout.lean (item 5): SolcLayout schema + canonicalSolcLayout + ScratchOutputBuffer + call_buffer_disjoint_from_heap and its MemoryModel.Disjoint form. Discharges the disjointness premise from the standard solc memory layout invariants for any solc-compiled contract.
- Verity/Trace.lean (item 6): generic countMatching predicate + emitLoop + emitLoop_event_origin + emitLoop_contains_emitted_event + count_le_one_under_pairwise_distinct. Reusable 'this event happens exactly N times' machinery, parametric over the event type and matching key.
- Verity/Compiler/FromSolidity.lean (item 3, scaffold): public API surface for the #fromSolidity 'path/to/Foo.sol' command. The current implementation shells out to verity-cli; the in-process translator is tracked in docs/ROADMAP.md as the canonical follow-up.

## Parser fix

- Contracts/Common.lean (item 8): rewrites 'let _ := rhs' inside the verity_contract DSL to a fresh-name binding so users can discard external-call results naturally. Without this rule the verity_contract function-body parser rejects 'let _ := …' as an unsupported do element.

## Documentation

- AXIOMS.md: External Call Module section now points to the new caller-frame preservation theorems and clarifies that EVM frame preservation is no longer an assumption.
- TRUST_ASSUMPTIONS.md: #7 External Call Modules entry calls out the same shift.
- docs/ROADMAP.md: new section 'ERC-4337 Frame Primitives Landed' lists the modules above, plus follow-ups (EvmYul correspondence, machine fromSolidity, solc_disjoint tactic, verity_contract doc-comment support).

## Deferred (item 7)

verity_contract doc-comment support (/-- … -/ before a function) requires adding a doc-comment-prefixed alternative to the verityFunction syntax and threading it through parseFunction. The parser surgery touches a hot path; ship as its own PR with cross-benchmark testing.

## Build

lake build green on the modules above plus their downstream consumers.
@BugBot review
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit f3732ac.
## Summary

Promotes a set of reusable EVM-frame and counting-trace primitives from the ERC-4337 EntryPoint benchmark (lfglabs-dev/verity-benchmark#32) into Verity proper. Each component closes a trust gap or removes boilerplate for every benchmark that uses external calls, transient reentrancy guards, solc memory layouts, or trace-counting properties — not just ERC-4337.

## Modules landed (7 items)

- `Verity/EVM/Frame.lean`: `CallerFrame` + `CalleeResult` + `applyCallToCaller`; 4 single-call + 3 iterated-call preservation theorems. Discharges the EVM frame condition (CALL cannot mutate caller storage/transient/memory outside the output buffer) as a theorem instead of an axiom.
- `Verity/Core.lean`: `nonReentrantTransient` (EIP-1153) alongside the existing storage-slot `nonReentrant`. `@[simp] nonReentrantTransient_locked_reverts` + `_revert_preserves_state`.
- `Verity/EVM/MemoryModel.lean`: `MemState` + `myMload`/`myMstore` + `callWithReturnBuffer` + `Disjoint` + `call_preserves_disjoint_region` + iterated form + `memory_frame_under_arbitrary_callee`.
- `Verity/EVM/Layout.lean`: `SolcLayout` schema + `canonicalSolcLayout` + `ScratchOutputBuffer` + `call_buffer_disjoint_from_heap` and its `MemoryModel.Disjoint` form. Discharges the disjointness premise from standard solc-allocator invariants.
- `Verity/Trace.lean`: `countMatching` + `emitLoop` + origin lemma + emitter-contains lemma + `count_le_one_under_pairwise_distinct`. Parametric over event type and matching key.
- `Contracts/Common.lean`: rewrites `let _ := rhs` inside the contract DSL to a fresh-name binding so users can discard external-call results naturally.
- `verity_contract` doc-comment support — requires parser surgery on a hot path; ship separately with cross-benchmark testing. Documented in `docs/ROADMAP.md`.

## Removed since first push

`Verity/Compiler/FromSolidity.lean` has been removed pending a proper in-process translator design. A CLI-shelling wrapper is not sufficient trust reduction to justify the public API surface; the scaffold form was producing confusion about what was actually proven vs. shelled out. The follow-up in `docs/ROADMAP.md` no longer references it.

## Documentation updates

- `AXIOMS.md`: External Call Module section now points to the new caller-frame preservation theorems and clarifies that EVM frame preservation is no longer an assumption.
- `TRUST_ASSUMPTIONS.md`: #7 External Call Modules entry calls out the same shift.
- `docs/ROADMAP.md`: new section ✅ ERC-4337 Frame Primitives Landed with follow-ups (EvmYul ↔ frame correspondence, `solc_disjoint` tactic, `verity_contract` doc-comment support).

## Build

`lake build` green on every new module and downstream consumer (`Contracts.Common`, `Verity.Core`).

## Why this matters

The ERC-4337 EntryPoint benchmark exercises every part of Verity's external-call surface and was the first benchmark that needed proper EVM frame conditions to defeat the Certora-era 'arbitrary callee bytecode' challenge. The frame proofs were already in verity-benchmark; landing them upstream makes them available to every benchmark and replaces a trust assumption with a proven theorem.

## Trust-gap reduction

- Before this PR (per `AXIOMS.md` "External Call Module Assumptions"): `call` primitive was storage-pure.
- After this PR: `Verity.EVM.Frame` proves the EVM-side equivalent (CALL preserves caller state) as a theorem over the abstract `CallerFrame`/`CalleeResult` interface, universally quantified over callee bytecode.

## Follow-ups (tracked in `docs/ROADMAP.md`)

- `solc_disjoint` tactic (~1 week). Removes the boilerplate around `call_buffer_disjoint_from_heap`.
- `verity_contract` doc-comment support (~1 day, deferred). Parser surgery; ship as its own PR.

🤖 Generated with Claude Code
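A small Lean 4 model of the memory-frame argument that the Frame.lean/MemoryModel.lean modules above (and the New modules list in the first description) discharge as a theorem, added here as an illustration and not Verity's own code: `Region`, `Disjoint`, `callWithReturnBuffer`, `callSeq` and the three theorems are hypothetical stand-ins for the page's definitions, and only core Lean 4 (no Mathlib) is assumed.

```lean
-- Added illustration, not Verity's own code: every name here is a hypothetical stand-in.
namespace FrameDemo
abbrev Addr := Nat
abbrev MemState := Addr → Nat          -- caller memory: byte address ↦ byte value

/-- Half-open address range [start, start + len). -/
structure Region where
  start : Nat
  len   : Nat
abbrev Region.contains (r : Region) (a : Addr) : Prop := r.start ≤ a ∧ a < r.start + r.len
/-- No address lies in both regions. -/
def Disjoint (r₁ r₂ : Region) : Prop := ∀ a, r₁.contains a → ¬ r₂.contains a

/-- CALL from the caller's side: the callee is abstracted by the bytes it returns
    (`ret`), which land in the output buffer; no other caller memory is touched. -/
def callWithReturnBuffer (m : MemState) (buf : Region) (ret : Nat → Nat) : MemState :=
  fun a => if buf.contains a then ret (a - buf.start) else m a

/-- Frame theorem: addresses outside the buffer are unchanged for every callee,
    since `ret` is universally quantified rather than assumed. -/
theorem call_preserves_outside (m : MemState) (buf : Region) (ret : Nat → Nat)
    (a : Addr) (h : ¬ buf.contains a) : callWithReturnBuffer m buf ret a = m a := by
  unfold callWithReturnBuffer; exact if_neg h

/-- Disjoint-region form: a region disjoint from the buffer (e.g. the heap) is preserved. -/
theorem call_preserves_disjoint_region (m : MemState) (buf heap : Region) (ret : Nat → Nat)
    (hd : Disjoint heap buf) (a : Addr) (ha : heap.contains a) :
    callWithReturnBuffer m buf ret a = m a :=
  call_preserves_outside m buf ret a (hd a ha)

/-- Iterated form: a sequence of CALLs, each with its own buffer and callee. -/
def callSeq (m : MemState) : List (Region × (Nat → Nat)) → MemState
  | [] => m
  | c :: rest => callSeq (callWithReturnBuffer m c.1 c.2) rest

theorem callSeq_preserves_outside (calls : List (Region × (Nat → Nat))) (a : Addr)
    (h : ∀ c ∈ calls, ¬ c.1.contains a) : ∀ m : MemState, callSeq m calls a = m a := by
  induction calls with
  | nil => intro m; rfl
  | cons c rest ih =>
    intro m
    simp only [callSeq]
    rw [ih (fun c' hc' => h c' (List.Mem.tail _ hc')),
        call_preserves_outside m c.1 c.2 a (h c (List.Mem.head _))]
end FrameDemo
```

The point the PR makes is visible in the theorem statements: nothing about the callee is assumed beyond the bytes it returns, so the frame condition holds for arbitrary callee bytecode without an axiom.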