HOL-Light: improve tooling and CI#1634
Open
L-series wants to merge 2 commits into
Open
Conversation
Contributor
CBMC Results (ML-KEM-768)
Full Results (191 proofs)
|
Contributor
CBMC Results (ML-KEM-512)Full Results (191 proofs)
|
Contributor
CBMC Results (ML-KEM-1024)Full Results (191 proofs)
|
L-series
changed the title
L-series
force-pushed
the
HOL-Light-CI
branch
2 times, most recently
from
724e0b1 to
9a3e91a
Compare
Contributor
Author
|
Modified the two remaining occurences of _MEMSAFE to _SAFE in order to fit the expected format for aarch proofs. |
L-series
force-pushed
the
HOL-Light-CI
branch
2 times, most recently
from
25cad96 to
3e258d8
Compare
mkannwischer
requested changes
Apr 2, 2026
mkannwischer
left a comment
mkannwischer
left a comment
Contributor
There was a problem hiding this comment.
Thanks @L-series - I left a couple of comments.
This PR actually takes another approach that I had in mind: I thought that after running each HOL-Light proof we check for the expected theorems to be present.
The approach implemented here is more like a linter. But I support the addition!
The -a flag is highly appreciated - thank you!
Contributor
Author
Thank you for the review! Indeed, the idea I had in mind was that one should avoid using compute on proofs which do not contain the required theorems. However, I see now that there is still value running the HOL CI even if the routine is only partially proven. |
mkannwischer
requested changes
Apr 3, 2026
mkannwischer
left a comment
mkannwischer
left a comment
Contributor
There was a problem hiding this comment.
Thanks @L-series for the changes! I'm happy with the overall approach now.
Two comments still need to be addressed. Thank you!
mkannwischer
reviewed
Apr 3, 2026
Contributor
|
@L-series, gentle ping. Could you please adjust this PR so we can get this merged? |
Contributor
|
@L-series, are you still working on this? |
Contributor
|
@L-series, do you expect to finish this PR soon? |
Contributor
Author
Apologies for the long delay, I was away traveling this last month. I just pushed some changes and I've reworked However, I just wanted to make sure that this is okay with you as it would require renaming around 15 proofs. |
Contributor
Thanks for picking this upa gain @L-series! Welcome back! |
L-series
force-pushed
the
HOL-Light-CI
branch
2 times, most recently
from
318c17a to
ac97d80
Compare
Contributor
|
@L-series, is this ready for review? Thanks for the work! |
Contributor
Author
|
@mkannwischer Yes it is! Please let me know if the renaming scheme is appropriate. Given that the HOL proofing CI is passing I assume I didn't break any of the proofs 😅 |
L-series
force-pushed
the
HOL-Light-CI
branch
3 times, most recently
from
8a3f6d0 to
a583d82
Compare
Comment on lines
+403
to
+405
| if ! grep -qE "^[[:space:]]*let ${theorem}[[:space:]]+=[[:space:]]+(time[[:space:]]+)?prove" "$file"; then | ||
| gh_error "${routine}" "" "Missing theorem" "${file}: ${theorem} not found" | ||
| success=false |
Contributor
There was a problem hiding this comment.
Suggestion: Can we complement list_proofs.sh by list_thms.sh which runs this grep and emits all (so-declared) theorems? I'd like to have a little logic as possible in lint itself.
Contributor
There was a problem hiding this comment.
I don't think this is done yet, is it?
Comment on lines
+389
to
+400
| local expected=( | ||
| "${prefix}_CORRECT" | ||
| "${prefix}_SUBROUTINE_CORRECT" | ||
| "${prefix}_SUBROUTINE_${safe}" | ||
| ) | ||
| if [[ $arch == "x86_64" ]]; then | ||
| expected+=( | ||
| "${prefix}_${safe}" | ||
| "${prefix}_NOIBT_SUBROUTINE_CORRECT" | ||
| "${prefix}_NOIBT_SUBROUTINE_${safe}" | ||
| ) | ||
| fi |
Contributor
There was a problem hiding this comment.
It would be nice to make this logic and exception more prominent... I wonder if one could define this in some TOML/YAML in proofs/{arch}... not sure if it's worth it. Ideas?
Contributor
Author
There was a problem hiding this comment.
Hmm.. I think the advantages of such a move are twofold:
- It would make the maintaining the naming conventions and exceptions such as
rej_uniformsimpler and more visible as they are in the same directory as the proofs. - It could be useful if there are any ideas to reuse or refer to the naming conventions elsewhere in the project.
However, if the sole use is within the linting script for CI, I think that it would be preferable to keep it as is as we would not have to add any additional files or TOML/YAML parsing logic.
L-series
commented
Jun 4, 2026
L-series
left a comment
L-series
left a comment
Contributor
Author
There was a problem hiding this comment.
I just realized that the comments I had written many weeks ago as well as last week which were labelled "pending", were in a "pending to be submitted" not a "pending to be reviewed" state. I wasn't aware that one had to submit the comments through the files changed page 😓
Comment on lines
+403
to
+405
| if ! grep -qE "^[[:space:]]*let ${theorem}[[:space:]]+=[[:space:]]+(time[[:space:]]+)?prove" "$file"; then | ||
| gh_error "${routine}" "" "Missing theorem" "${file}: ${theorem} not found" | ||
| success=false |
Comment on lines
+389
to
+400
| local expected=( | ||
| "${prefix}_CORRECT" | ||
| "${prefix}_SUBROUTINE_CORRECT" | ||
| "${prefix}_SUBROUTINE_${safe}" | ||
| ) | ||
| if [[ $arch == "x86_64" ]]; then | ||
| expected+=( | ||
| "${prefix}_${safe}" | ||
| "${prefix}_NOIBT_SUBROUTINE_CORRECT" | ||
| "${prefix}_NOIBT_SUBROUTINE_${safe}" | ||
| ) | ||
| fi |
Contributor
Author
There was a problem hiding this comment.
Hmm.. I think the advantages of such a move are twofold:
- It would make the maintaining the naming conventions and exceptions such as
rej_uniformsimpler and more visible as they are in the same directory as the proofs. - It could be useful if there are any ideas to reuse or refer to the naming conventions elsewhere in the project.
However, if the sole use is within the linting script for CI, I think that it would be preferable to keep it as is as we would not have to add any additional files or TOML/YAML parsing logic.
This commit introduces a new flag --arch to the hol_light command of the tests script that allows user specification of which architecture to run/list the proofs for. If not passed, the behavior is unchanged. Signed-off-by: Andreas Hatziiliou <andreas.hatziiliou@savoirfairelinux.com>
We add a check to the linting script called check-theorems that ensures that all HOL-Light proofs provide the expected set of theorems depending on the architecture. Signed-off-by: Andreas Hatziiliou <andreas.hatziiliou@savoirfairelinux.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This commit aims to resolve the two following issues:
testsscript to allow cross-platform proof checking #1585Note that the
check-theoremsscript will currently fail the HOL-Light CI because for AArch, the naming convention for the memory safety proof (usually _SAFE) is not respected inmlkem_rej_uniform(it uses _MEMSAFE). @hanno-becker please advise if I should modify this.