Skip to content

Commit f52b137

Browse files
hanno-beckerhanno-becker
committed
CBMC: Add disjoint() and slices() to compact memory annotations
CBMC contracts in this repo currently require one instance of requires(memory_no_alias(...)) per pointer argument and a parallel set of memory_slice(...) targets in assigns(...). For functions dealing with multiple pointers, this quickly bloats and thereby impedes the readability of the CBMC specs. Introduce two variadic preprocessor macros in mldsa/src/cbmc.h that unfold a list of regions into the corresponding memory_no_alias / memory_slice calls, joined as required by their containing clause: ``` requires(disjoint(arg, ...)) -- AND-joined memory_no_alias checks assigns(..., slices(arg, ...)) -- comma-joined memory_slice targets ``` Each arg is either a bare object x (size sizeof(*x)) or a pair (x, N) where N is an element count (size sizeof(*x) * N). The pair form covers byte buffers like uint8_t seed[CRHBYTES] and typed arrays where the count comes from a parameter rather than the type. Implementation uses the standard C99 variadic-preprocessor toolkit (arg counting, IS_PAIR probe via parenthesis detection, per-arity map/join dispatch) capped at 16 arguments. The macros are defined only inside the existing #ifdef CBMC block, so the C90 build path is unaffected. Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
1 parent a71b5d2 commit f52b137

32 files changed

Lines changed: 656 additions & 852 deletions

dev/aarch64_clean/src/arith_native_aarch64.h

Lines changed: 27 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -66,11 +66,11 @@ void mld_ntt_aarch64_asm(int32_t *r, const int32_t *zetas_l123456,
6666
/* This must be kept in sync with the HOL-Light specification
6767
* in proofs/hol_light/aarch64/proofs/ntt_aarch64_asm.ml */
6868
__contract__(
69-
requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
69+
requires(disjoint((r, sizeof(int32_t) * MLDSA_N)))
7070
requires(array_abs_bound(r, 0, MLDSA_N, 8380417))
7171
requires(zetas_l123456 == mld_aarch64_ntt_zetas_layer123456)
7272
requires(zetas_l78 == mld_aarch64_ntt_zetas_layer78)
73-
assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
73+
assigns(slices((r, sizeof(int32_t) * MLDSA_N)))
7474
/* check-magic: off */
7575
ensures(array_abs_bound(r, 0, MLDSA_N, 75423753))
7676
/* check-magic: on */
@@ -82,11 +82,11 @@ void mld_intt_aarch64_asm(int32_t *r, const int32_t *zetas_l78,
8282
/* This must be kept in sync with the HOL-Light specification
8383
* in proofs/hol_light/aarch64/proofs/intt_aarch64_asm.ml */
8484
__contract__(
85-
requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
85+
requires(disjoint((r, sizeof(int32_t) * MLDSA_N)))
8686
requires(array_abs_bound(r, 0, MLDSA_N, 8380417))
8787
requires(zetas_l78 == mld_aarch64_intt_zetas_layer78)
8888
requires(zetas_l123456 == mld_aarch64_intt_zetas_layer123456)
89-
assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
89+
assigns(slices((r, sizeof(int32_t) * MLDSA_N)))
9090
/* check-magic: off */
9191
ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
9292
/* check-magic: on */
@@ -120,11 +120,9 @@ void mld_poly_decompose_32_aarch64_asm(int32_t *a1, int32_t *a0)
120120
/* This must be kept in sync with the HOL-Light specification
121121
* in proofs/hol_light/aarch64/proofs/poly_decompose_32_aarch64_asm.ml */
122122
__contract__(
123-
requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
124-
requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
123+
requires(disjoint((a1, sizeof(int32_t) * MLDSA_N), (a0, sizeof(int32_t) * MLDSA_N)))
125124
requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
126-
assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
127-
assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
125+
assigns(slices((a1, sizeof(int32_t) * MLDSA_N), (a0, sizeof(int32_t) * MLDSA_N)))
128126
/* check-magic: 16 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 32)) */
129127
ensures(array_bound(a1, 0, MLDSA_N, 0, 16))
130128
/* check-magic: 261889 == (MLDSA_Q - 1) / 32 + 1 */
@@ -137,11 +135,9 @@ void mld_poly_decompose_88_aarch64_asm(int32_t *a1, int32_t *a0)
137135
/* This must be kept in sync with the HOL-Light specification
138136
* in proofs/hol_light/aarch64/proofs/poly_decompose_88_aarch64_asm.ml */
139137
__contract__(
140-
requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
141-
requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
138+
requires(disjoint((a1, sizeof(int32_t) * MLDSA_N), (a0, sizeof(int32_t) * MLDSA_N)))
142139
requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
143-
assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
144-
assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
140+
assigns(slices((a1, sizeof(int32_t) * MLDSA_N), (a0, sizeof(int32_t) * MLDSA_N)))
145141
/* check-magic: 44 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 88)) */
146142
ensures(array_bound(a1, 0, MLDSA_N, 0, 44))
147143
/* check-magic: 95233 == (MLDSA_Q - 1) / 88 + 1 */
@@ -154,9 +150,9 @@ void mld_poly_caddq_aarch64_asm(int32_t *a)
154150
/* This must be kept in sync with the HOL-Light specification
155151
* in proofs/hol_light/aarch64/proofs/poly_caddq_aarch64_asm.ml */
156152
__contract__(
157-
requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
153+
requires(disjoint((a, sizeof(int32_t) * MLDSA_N)))
158154
requires(array_abs_bound(a, 0, MLDSA_N, MLDSA_Q))
159-
assigns(memory_slice(a, sizeof(int32_t) * MLDSA_N))
155+
assigns(slices((a, sizeof(int32_t) * MLDSA_N)))
160156
ensures(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
161157
);
162158

@@ -167,11 +163,10 @@ void mld_poly_use_hint_32_aarch64_asm(int32_t *a, const int32_t *h)
167163
/* This must be kept in sync with the HOL-Light specification
168164
* in proofs/hol_light/aarch64/proofs/poly_use_hint_32_aarch64_asm.ml */
169165
__contract__(
170-
requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
171-
requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
166+
requires(disjoint((a, sizeof(int32_t) * MLDSA_N), (h, sizeof(int32_t) * MLDSA_N)))
172167
requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
173168
requires(array_bound(h, 0, MLDSA_N, 0, 2))
174-
assigns(memory_slice(a, sizeof(int32_t) * MLDSA_N))
169+
assigns(slices((a, sizeof(int32_t) * MLDSA_N)))
175170
ensures(array_bound(a, 0, MLDSA_N, 0, 16))
176171
);
177172

@@ -181,11 +176,10 @@ void mld_poly_use_hint_88_aarch64_asm(int32_t *a, const int32_t *h)
181176
/* This must be kept in sync with the HOL-Light specification
182177
* in proofs/hol_light/aarch64/proofs/poly_use_hint_88_aarch64_asm.ml */
183178
__contract__(
184-
requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
185-
requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
179+
requires(disjoint((a, sizeof(int32_t) * MLDSA_N), (h, sizeof(int32_t) * MLDSA_N)))
186180
requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
187181
requires(array_bound(h, 0, MLDSA_N, 0, 2))
188-
assigns(memory_slice(a, sizeof(int32_t) * MLDSA_N))
182+
assigns(slices((a, sizeof(int32_t) * MLDSA_N)))
189183
ensures(array_bound(a, 0, MLDSA_N, 0, 44))
190184
);
191185
#endif /* !MLD_CONFIG_NO_VERIFY_API */
@@ -196,7 +190,7 @@ int mld_poly_chknorm_aarch64_asm(const int32_t *a, int32_t B)
196190
/* This must be kept in sync with the HOL-Light specification
197191
* in proofs/hol_light/aarch64/proofs/poly_chknorm_aarch64_asm.ml */
198192
__contract__(
199-
requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
193+
requires(disjoint((a, sizeof(int32_t) * MLDSA_N)))
200194
/* HOL Light precondition: abs(ival(x i)) < 2^31, i.e., a[i] != INT32_MIN */
201195
requires(forall(k0, 0, MLDSA_N, a[k0] > INT32_MIN))
202196
ensures(return_value == 0 || return_value == 1)
@@ -212,10 +206,9 @@ void mld_polyz_unpack_17_aarch64_asm(int32_t *r, const uint8_t *buf,
212206
/* This must be kept in sync with the HOL-Light specification
213207
* in proofs/hol_light/aarch64/proofs/polyz_unpack_17_aarch64_asm.ml */
214208
__contract__(
215-
requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
216-
requires(memory_no_alias(buf, 576))
209+
requires(disjoint((r, sizeof(int32_t) * MLDSA_N), (buf, 576)))
217210
requires(indices == mld_polyz_unpack_17_indices)
218-
assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
211+
assigns(slices((r, sizeof(int32_t) * MLDSA_N)))
219212
ensures(array_bound(r, 0, MLDSA_N, -((1 << 17) - 1), (1 << 17) + 1))
220213
);
221214
#endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLD_CONFIG_PARAMETER_SET == 44 \
@@ -230,10 +223,9 @@ void mld_polyz_unpack_19_aarch64_asm(int32_t *r, const uint8_t *buf,
230223
/* This must be kept in sync with the HOL-Light specification
231224
* in proofs/hol_light/aarch64/proofs/polyz_unpack_19_aarch64_asm.ml */
232225
__contract__(
233-
requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
234-
requires(memory_no_alias(buf, 640))
226+
requires(disjoint((r, sizeof(int32_t) * MLDSA_N), (buf, 640)))
235227
requires(indices == mld_polyz_unpack_19_indices)
236-
assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
228+
assigns(slices((r, sizeof(int32_t) * MLDSA_N)))
237229
ensures(array_bound(r, 0, MLDSA_N, -((1 << 19) - 1), (1 << 19) + 1))
238230
);
239231
#endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLD_CONFIG_PARAMETER_SET == 65 \
@@ -248,12 +240,11 @@ void mld_poly_pointwise_montgomery_aarch64_asm(int32_t *a, const int32_t *b)
248240
/* This must be kept in sync with the HOL-Light specification
249241
* in proofs/hol_light/aarch64/proofs/pointwise_montgomery_aarch64_asm.ml */
250242
__contract__(
251-
requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
252-
requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
243+
requires(disjoint((a, sizeof(int32_t) * MLDSA_N), (b, sizeof(int32_t) * MLDSA_N)))
253244
/* check-magic: off */
254245
requires(array_abs_bound(a, 0, MLDSA_N, 75423753))
255246
requires(array_abs_bound(b, 0, MLDSA_N, 75423753))
256-
assigns(memory_slice(a, sizeof(int32_t) * MLDSA_N))
247+
assigns(slices((a, sizeof(int32_t) * MLDSA_N)))
257248
ensures(array_abs_bound(a, 0, MLDSA_N, 8380417))
258249
/* check-magic: on */
259250
);
@@ -269,13 +260,11 @@ void mld_polyvecl_pointwise_acc_montgomery_l4_aarch64_asm(
269260
* proofs/hol_light/aarch64/proofs/mld_polyvecl_pointwise_acc_montgomery_l4_aarch64_asm.ml
270261
*/
271262
__contract__(
272-
requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
273-
requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
274-
requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
263+
requires(disjoint((r, sizeof(int32_t) * MLDSA_N), (a, sizeof(*a) * 4), (b, sizeof(*b) * 4)))
275264
/* check-magic: off */
276265
requires(forall(l0, 0, 4, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
277266
requires(forall(l1, 0, 4, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
278-
assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
267+
assigns(slices((r, sizeof(int32_t) * MLDSA_N)))
279268
ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
280269
/* check-magic: on */
281270
);
@@ -289,13 +278,11 @@ void mld_polyvecl_pointwise_acc_montgomery_l5_aarch64_asm(
289278
* proofs/hol_light/aarch64/proofs/mld_polyvecl_pointwise_acc_montgomery_l5_aarch64_asm.ml
290279
*/
291280
__contract__(
292-
requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
293-
requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
294-
requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
281+
requires(disjoint((r, sizeof(int32_t) * MLDSA_N), (a, sizeof(*a) * 5), (b, sizeof(*b) * 5)))
295282
/* check-magic: off */
296283
requires(forall(l0, 0, 5, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
297284
requires(forall(l1, 0, 5, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
298-
assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
285+
assigns(slices((r, sizeof(int32_t) * MLDSA_N)))
299286
ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
300287
/* check-magic: on */
301288
);
@@ -309,13 +296,11 @@ void mld_polyvecl_pointwise_acc_montgomery_l7_aarch64_asm(
309296
* proofs/hol_light/aarch64/proofs/mld_polyvecl_pointwise_acc_montgomery_l7_aarch64_asm.ml
310297
*/
311298
__contract__(
312-
requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
313-
requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
314-
requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
299+
requires(disjoint((r, sizeof(int32_t) * MLDSA_N), (a, sizeof(*a) * 7), (b, sizeof(*b) * 7)))
315300
/* check-magic: off */
316301
requires(forall(l0, 0, 7, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
317302
requires(forall(l1, 0, 7, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
318-
assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
303+
assigns(slices((r, sizeof(int32_t) * MLDSA_N)))
319304
ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
320305
/* check-magic: on */
321306
);

0 commit comments

Comments
 (0)