Add raise-slot helper and example#7
Closed
Th0rgal wants to merge 22 commits into
Closed
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| Stmt.if_ (Expr.gt a b) (Stmt.sstore slot a) (Stmt.sstore slot b) | ||
|
|
||
| def sstoreMin (slot a b : Expr) : Stmt := | ||
| Stmt.if_ (Expr.lt a b) (Stmt.sstore slot a) (Stmt.sstore slot b) |
There was a problem hiding this comment.
New sstoreMin helper is unused dead code
Low Severity
sstoreMin is defined but never referenced anywhere in the codebase. Grep confirms the only match is its definition. Its counterpart sstoreMax is actively used in maxStoreFun, but sstoreMin has zero callers — none of the new examples (updateMin, capSlot) use it, as they rely on sstoreIfLt instead.
3 tasks
Th0rgal
pushed a commit
that referenced
this pull request
Feb 22, 2026
…ypoints
check_selectors.py hardcodes _INTERNAL_FUNCTION_PREFIX ("internal_")
and _SPECIAL_ENTRYPOINTS ({"fallback", "receive"}) used in collision
and filtering checks. These were validated only by code comments
saying "Must match ContractSpec.lean" — no automated enforcement.
Add checks #10 and #11 that regex-extract the canonical Lean
definitions and validate both Python constants match, following
the same pattern as checks #7–9.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2 tasks
Th0rgal
added a commit
that referenced
this pull request
Feb 22, 2026
…ypoints (#674) check_selectors.py hardcodes _INTERNAL_FUNCTION_PREFIX ("internal_") and _SPECIAL_ENTRYPOINTS ({"fallback", "receive"}) used in collision and filtering checks. These were validated only by code comments saying "Must match ContractSpec.lean" — no automated enforcement. Add checks #10 and #11 that regex-extract the canonical Lean definitions and validate both Python constants match, following the same pattern as checks #7–9. Co-authored-by: Claude <noreply@anthropic.com>
Th0rgal
pushed a commit
that referenced
this pull request
Apr 4, 2026
- evalIntent: reject non-void binding functions (Codex #4) - Eval eq/ne: return none for cross-type comparisons (Bugbot #5) - Circom: unique signal prefixes for repeated helper calls (Bugbot #13) - isUint256Expr: check constant value instead of assuming uint256 (Bugbot #10) - dedup: preserve first-occurrence order for Poseidon inputs (Bugbot #11) - Remove dead code: remapCtx, countEmitsExpr (Bugbot #12, #30) - compileStmts .call: skip non-void functions (Codex #24) - compileExpr .call: emit error comment for missing/bodyless fns (Codex #7) - validateParams: enforce positional order matching ABI (Codex #21) - evalConstInt: fuel-bounded to prevent cycles (Codex #22) - Update E2E test Poseidon orderings to match new dedup behavior Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Th0rgal
pushed a commit
that referenced
this pull request
Jun 7, 2026
Promotes a set of reusable EVM-frame and counting-trace primitives from the ERC-4337 EntryPoint benchmark into Verity proper. Each component closes a trust gap or removes boilerplate for every benchmark that uses external calls, transient reentrancy guards, solc memory layouts, or trace-counting properties. ## New modules - Verity/Core.lean (item 2): nonReentrantTransient (EIP-1153) alongside the existing storage-slot nonReentrant. Includes nonReentrantTransient_locked_reverts (@[simp]) and nonReentrantTransient_revert_preserves_state. Modern OpenZeppelin contracts use ReentrancyGuardTransient; benchmarks no longer need to roll their own. - Verity/EVM/MemoryModel.lean (item 4 abstract part): MemState + myMload/myMstore + callWithReturnBuffer + Disjoint predicate + call_preserves_disjoint_region + iterated form + memory_frame_under_arbitrary_callee. - Verity/EVM/Frame.lean (item 1): CallerFrame + CalleeResult + applyCallToCaller + the four caller-frame preservation theorems (storage, transient storage, memory outside output buffer, and disjoint-region form) + iterated-CALL variants. Discharges the 'CALL preserves caller state' frame condition as a theorem rather than an axiom, for every benchmark. - Verity/EVM/Layout.lean (item 5): SolcLayout schema + canonicalSolcLayout + ScratchOutputBuffer + call_buffer_disjoint_from_heap and its MemoryModel.Disjoint form. Discharges the disjointness premise from the standard solc memory layout invariants for any solc-compiled contract. - Verity/Trace.lean (item 6): generic countMatching predicate + emitLoop + emitLoop_event_origin + emitLoop_contains_emitted_event + count_le_one_under_pairwise_distinct. Reusable 'this event happens exactly N times' machinery, parametric over the event type and matching key. - Verity/Compiler/FromSolidity.lean (item 3 scaffold): public API surface for #fromSolidity 'path/to/Foo.sol' command. The current implementation shells out to verity-cli; the in-process translator is tracked in docs/ROADMAP.md as the canonical follow-up. ## Parser fix - Contracts/Common.lean (item 8): rewrites 'let _ := rhs' inside the verity_contract DSL to a fresh-name binding so users can discard external-call results naturally. Without this rule the verity_contract function-body parser rejects 'let _ := …' as an unsupported do element. ## Documentation - AXIOMS.md: External Call Module section now points to the new caller-frame preservation theorems and clarifies that EVM frame preservation is no longer an assumption. - TRUST_ASSUMPTIONS.md: #7 External Call Modules entry calls out the same shift. - docs/ROADMAP.md: new section 'ERC-4337 Frame Primitives Landed' lists the modules above, plus follow-ups (EvmYul correspondence, machine fromSolidity, solc_disjoint tactic, verity_contract doc-comment support). ## Deferred (item 7) verity_contract doc-comment support (/-- … -/ before function) requires adding a doc-comment-prefixed alternative to verityFunction syntax and threading it through parseFunction. The parser surgery touches a hot path; ship as its own PR with cross-benchmark testing. ## Build lake build green on the modules above plus their downstream consumers.
Th0rgal
pushed a commit
that referenced
this pull request
Jun 7, 2026
Promotes a set of reusable EVM-frame and counting-trace primitives from the ERC-4337 EntryPoint benchmark (lfglabs-dev/verity-benchmark#32) into Verity proper. Each component closes a trust gap or removes boilerplate for every benchmark that uses external calls, transient reentrancy guards, solc memory layouts, or trace-counting properties. ## New modules - Verity/Core.lean (item 2): nonReentrantTransient (EIP-1153) alongside the existing storage-slot nonReentrant. Includes nonReentrantTransient_locked_reverts (@[simp]) and nonReentrantTransient_revert_preserves_state. Modern OpenZeppelin contracts use ReentrancyGuardTransient. - Verity/EVM/MemoryModel.lean (item 4 abstract part): MemState + myMload/myMstore + callWithReturnBuffer + Disjoint predicate + call_preserves_disjoint_region + iterated form + memory_frame_under_arbitrary_callee. - Verity/EVM/Frame.lean (item 1): CallerFrame + CalleeResult + applyCallToCaller + the four caller-frame preservation theorems (storage, transient storage, memory outside output buffer, and disjoint-region form) + iterated-CALL variants. Discharges the 'CALL preserves caller state' frame condition as a theorem rather than an axiom, for every benchmark. - Verity/EVM/Layout.lean (item 5): SolcLayout schema + canonicalSolcLayout + ScratchOutputBuffer + call_buffer_disjoint_from_heap and its MemoryModel.Disjoint form. Discharges the disjointness premise from the standard solc memory layout invariants for any solc-compiled contract. - Verity/Trace.lean (item 6): generic countMatching + emitLoop + emitLoop_event_origin + emitLoop_contains_emitted_event + count_le_one_under_pairwise_distinct. Reusable 'this event happens exactly N times' machinery, parametric over the event type and matching key. ## Parser fix - Contracts/Common.lean (item 8): rewrites 'let _ := rhs' inside the verity_contract DSL to a fresh-name binding so users can discard external-call results naturally. Without this rule the verity_contract function-body parser rejects 'let _ := …' as an unsupported do element. ## Documentation - AXIOMS.md: External Call Module section now points to the new caller-frame preservation theorems and clarifies that EVM frame preservation is no longer an assumption. - TRUST_ASSUMPTIONS.md: #7 External Call Modules entry calls out the same shift. - docs/ROADMAP.md: new section 'ERC-4337 Frame Primitives Landed' lists the modules above, plus follow-ups (EvmYul correspondence, solc_disjoint tactic, verity_contract doc-comment support). ## Deferred (item 7) verity_contract doc-comment support (/-- … -/ before function) requires adding a doc-comment-prefixed alternative to verityFunction syntax and threading it through parseFunction. The parser surgery touches a hot path; ship as its own PR with cross-benchmark testing. ## Removed (item 3 — fromSolidity) The Verity.Compiler.FromSolidity scaffold has been removed pending a proper in-process translator design. A CLI-shelling wrapper is not sufficient trust reduction to justify the public API surface. ## Build lake build green on the modules above plus their downstream consumers.
Th0rgal
pushed a commit
that referenced
this pull request
Jun 7, 2026
Promotes a set of reusable EVM-frame and counting-trace primitives from the ERC-4337 EntryPoint benchmark (lfglabs-dev/verity-benchmark#32) into Verity proper. Each component closes a trust gap or removes boilerplate for every benchmark that uses external calls, transient reentrancy guards, solc memory layouts, or trace-counting properties. ## New modules - Verity/Core.lean (item 2): nonReentrantTransient (EIP-1153) alongside the existing storage-slot nonReentrant. Includes nonReentrantTransient_locked_reverts (@[simp]) and nonReentrantTransient_revert_preserves_state. Modern OpenZeppelin contracts use ReentrancyGuardTransient. - Verity/EVM/MemoryModel.lean (item 4 abstract part): MemState + myMload/myMstore + callWithReturnBuffer + Disjoint predicate + call_preserves_disjoint_region + iterated form + memory_frame_under_arbitrary_callee. - Verity/EVM/Frame.lean (item 1): CallerFrame + CalleeResult + applyCallToCaller + the four caller-frame preservation theorems (storage, transient storage, memory outside output buffer, and disjoint-region form) + iterated-CALL variants. Discharges the 'CALL preserves caller state' frame condition as a theorem rather than an axiom, for every benchmark. - Verity/EVM/Layout.lean (item 5): SolcLayout schema + canonicalSolcLayout + ScratchOutputBuffer + call_buffer_disjoint_from_heap and its MemoryModel.Disjoint form. Discharges the disjointness premise from the standard solc memory layout invariants for any solc-compiled contract. - Verity/Trace.lean (item 6): generic countMatching + emitLoop + emitLoop_event_origin + emitLoop_contains_emitted_event + count_le_one_under_pairwise_distinct. Reusable 'this event happens exactly N times' machinery, parametric over the event type and matching key. ## Parser fix - Contracts/Common.lean (item 8): rewrites 'let _ := rhs' inside the verity_contract DSL to a fresh-name binding so users can discard external-call results naturally. Without this rule the verity_contract function-body parser rejects 'let _ := …' as an unsupported do element. ## Documentation - AXIOMS.md: External Call Module section now points to the new caller-frame preservation theorems and clarifies that EVM frame preservation is no longer an assumption. - TRUST_ASSUMPTIONS.md: #7 External Call Modules entry calls out the same shift. - docs/ROADMAP.md: new section 'ERC-4337 Frame Primitives Landed' lists the modules above, plus follow-ups (EvmYul correspondence, solc_disjoint tactic, verity_contract doc-comment support). ## Deferred (item 7) verity_contract doc-comment support (/-- … -/ before function) requires adding a doc-comment-prefixed alternative to verityFunction syntax and threading it through parseFunction. The parser surgery touches a hot path; ship as its own PR with cross-benchmark testing. ## Removed (item 3 — fromSolidity) The Verity.Compiler.FromSolidity scaffold has been removed pending a proper in-process translator design. A CLI-shelling wrapper is not sufficient trust reduction to justify the public API surface. ## Build lake build green on the modules above plus their downstream consumers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
sstoreIfGtfor monotonic raisesraiseSlotexample + Foundry testupdateMaxto use helperTesting
PATH=/opt/lean-4.27.0/bin:$PATH lake build./scripts/end_to_end.sh./scripts/foundry_test_generated.shNote
Medium Risk
Touches the example compiler/dispatcher and the hand-written
EvmAsmprogram, so selector/tag wiring or stack-order mistakes could break end-to-end bytecode or tests. Changes are mostly additive and covered by new Lean proofs and Foundry tests, but the assembly jumpdest layout is inherently brittle.Overview
Adds a much richer
DumbContracts.Stdliblayer (guard combinators likerequire*/revertIf, cachedletSload, and storage helpers likesstoreIfGt/sstoreIfLt/sstoreIfZero/sstoreIfEq,sstoreAdd/sstoreSub/sstoreInc,sstoreMax/sstoreMin) and refactors existing examples to use them.Introduces many new small example contracts (e.g.
raiseSlot,capSlot,updateMax/updateMin,setIf*,addIf*,init*,bump*,subIfEnough,clearIfEq,compareAndSwap) each with correspondingSpec/SpecRproofs, and wires them into the aggregatedExamples.leanimport list.Extends
Compiler.lean’sexampleEntriesdispatch table with new selectors and updatesEvmAsm.leanto include the expanded dispatcher + function bodies (switching label pushes toPUSH2and adjusting tag ordering/layout to match solc). Adds a large set of new generated Foundry tests for the new selectors/examples, and updates docs/status logs to reflect the iteration.Written by Cursor Bugbot for commit 5dac4af. This will update automatically on new commits. Configure here.