verify: fix/document 1 of 3 Kani matrix failures (format/merkle/wasm_module)

avrabe · claude · avrabe · commit 40cd9b259b1b · 2026-05-11T06:14:31.000+02:00
wasm_module — FIXED. The workflow filter was `wasm_module::tests`, which
matched zero harnesses (the Kani module is named `component_proofs`, not
`tests`), so `cargo kani --harness wasm_module::tests` exited non-zero.
Pointed the matrix entry at `wasm_module::component_proofs`. The single
underlying harness has no loops and no crypto, so it should run cleanly
at --default-unwind 4. Mask lifted.

merkle — DOCUMENTED. Three of five harnesses
(proof_leaf_node_domain_separation, proof_leaf_hash_deterministic,
proof_node_hash_deterministic) call SHA-256 with symbolic input. The
sha2 crate's 64-round compression loop blows past --default-unwind 4,
producing an unwinding-assertion failure before the assert is reached.
proof_leaf_node_domain_separation additionally asks Kani to disprove
SHA-256 collisions, which is outside bounded model checking entirely.
Added per-harness doc-comments with the diagnosis. Mask retained.

format — DOCUMENTED. Static analysis of the four harnesses shows
sound, loop-free properties on 4 symbolic bytes, yet CI reports them
failing under cargo kani --default-unwind 4 --harness format. Suspected
SMT-state-space blow-up similar to the documented slowness already
noted in proof_consistency_validation_agrees_with_detection. Added a
mod-level doc-comment recording the analysis and the suggested next
attempt (split harnesses per magic-byte pattern). Mask retained.

Also restructured the Kani matrix to carry `tolerate_failure` per
include entry so the step-level continue-on-error is now per-matrix-
job rather than blanket — this is what audit C-7's partial-closure
plan required.

Closes audit C-7 partially — 1 of 3 jobs no longer needs continue-on-error.
varint + dsse remain unmasked; wasm_module is newly unmasked; merkle +
format stay masked with explicit diagnosis.

Refs: audit C-7

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/formal-verification.yml b/.github/workflows/formal-verification.yml
@@ -64,14 +64,38 @@ jobs:
         include:
           - module: varint
             harness: wasm_module::varint
+            tolerate_failure: false
           - module: merkle
             harness: signature::keyless::merkle
+            # WIP — see audit C-7 partial closure. Three of the five harnesses
+            # in this module call SHA-256 with symbolic input; the sha2 crate's
+            # 64-round compression loop exceeds --default-unwind 4. Bumping the
+            # per-harness #[kani::unwind] is necessary but may still hit Kani
+            # SMT timeouts on SHA-256. proof_leaf_node_domain_separation also
+            # asks Kani to prove SHA-256 collision-resistance, which is outside
+            # the scope of bounded model checking entirely.
+            tolerate_failure: true
           - module: dsse
             harness: dsse
+            tolerate_failure: false
           - module: format
             harness: format
+            # WIP — see audit C-7 partial closure. CI observation: the format
+            # harnesses fail under cargo kani --default-unwind 4 despite static
+            # analysis showing the properties are sound and loop-free. Suspected
+            # root cause is Kani SMT slowness on 4 fully-symbolic bytes combined
+            # with multiple equality checks (similar to the documented blow-up
+            # noted in proof_consistency_validation_agrees_with_detection).
+            # Next attempt: try concretizing each magic-byte pattern as its own
+            # harness rather than enumerating in one 4-byte-symbolic harness.
+            tolerate_failure: true
           - module: wasm_module
-            harness: wasm_module::tests
+            # Filter was wasm_module::tests, which matched no harness (the
+            # module is named component_proofs, not tests). Fixed in this PR
+            # so the single harness — header mutual-exclusivity, no loops, no
+            # crypto — actually runs.
+            harness: wasm_module::component_proofs
+            tolerate_failure: false
     steps:
     - uses: actions/checkout@v4
 
@@ -85,18 +109,16 @@ jobs:
         cargo install --locked kani-verifier
         cargo kani setup
 
-    # Audit 2026-04-30 finding C-7 (partial): on inspection, several
-    # matrix jobs (format, merkle, wasm_module) fail when continue-on-error
-    # is removed. The harnesses cover specific bounded properties and not
-    # all are passing today. Mask retained per-job until the failing
-    # harnesses are fixed; varint and dsse pass cleanly today and could be
-    # ungated in a follow-up.
+    # Audit 2026-04-30 finding C-7 (partial): mask is now per-matrix-entry via
+    # matrix.tolerate_failure. varint, dsse, and wasm_module run unmasked;
+    # merkle and format remain masked with diagnosis at the matrix include
+    # site above and in the harness doc-comments.
     - name: Run Kani ${{ matrix.module }} proofs
       env:
         HARNESS: ${{ matrix.harness }}
       run: cargo kani -p wsc --default-unwind 4 --output-format terse --harness "$HARNESS"
       timeout-minutes: 60
-      continue-on-error: true  # WIP — see audit C-7 partial closure
+      continue-on-error: ${{ matrix.tolerate_failure }}
 
   rocq-proofs:
     name: Rocq/coq-of-rust Translation
diff --git a/src/lib/src/format/mod.rs b/src/lib/src/format/mod.rs
@@ -205,6 +205,26 @@ mod tests {
 // ============================================================================
 // Kani proof harnesses for format detection
 // ============================================================================
+//
+// AUDIT C-7 (partial closure): the `Kani format` matrix entry remains masked
+// (continue-on-error). Static analysis of the four harnesses below shows the
+// properties are sound, loop-free, and operate on small symbolic inputs (4
+// bytes max). They should all pass — but they do not, on CI, with
+// `cargo kani -p wsc --default-unwind 4 --harness format`.
+//
+// Suspected causes, to investigate next:
+//   1. `proof_consistency_validation_agrees_with_detection` already documents
+//      that the previous variant blew up the SMT state space via `format!()`
+//      in an unreachable error path. The current variant inlines the logic,
+//      but the same Kani slowness pattern may apply to other harnesses too.
+//   2. assert_ne! on &'static str compiles to a length+pointer/byte compare;
+//      Kani may force evaluation of both sides as symbolic, ballooning state.
+//   3. The 4-byte fully-symbolic input space (~4 billion combinations) is
+//      tractable for SMT only if the equality checks short-circuit cleanly;
+//      a Kani version regression could change this.
+// Next-attempt direction: split each magic-byte pattern into its own
+// per-pattern harness (concrete on one pattern, symbolic on the others) to
+// localize whichever harness is hanging. Until then this job stays masked.
 #[cfg(kani)]
 mod proofs {
     use super::*;
diff --git a/src/lib/src/signature/keyless/merkle.rs b/src/lib/src/signature/keyless/merkle.rs
@@ -459,6 +459,12 @@ mod tests {
 // ============================================================================
 // Kani proof harnesses for Merkle tree operations
 // ============================================================================
+//
+// AUDIT C-7 (partial closure): the `Kani merkle` matrix entry remains
+// masked (continue-on-error). proof_largest_power_of_two_* run cleanly,
+// but the three SHA-256-touching harnesses (proof_leaf_node_domain_separation,
+// proof_leaf_hash_deterministic, proof_node_hash_deterministic) do not pass
+// at --default-unwind 4 — see per-harness doc-comments below for diagnosis.
 #[cfg(kani)]
 mod proofs {
     use super::*;
@@ -504,6 +510,19 @@ mod proofs {
     ///
     /// This is the domain separation property: leaf hash uses 0x00 prefix,
     /// node hash uses 0x01 prefix, so they cannot collide.
+    ///
+    /// AUDIT C-7 (partial closure) — currently masked in CI.
+    /// This harness is unprovable with Kani as written:
+    ///   1. Verifying assert_ne! on two SHA-256 outputs requires reasoning
+    ///      about SHA-256 collision-resistance — a cryptographic assumption,
+    ///      not a computational property bounded model checking can discharge.
+    ///   2. Even setting that aside, the sha2 crate's compression loop runs
+    ///      64 rounds; --default-unwind 4 cannot unroll it, so the harness
+    ///      hits an unwinding-assertion failure before reaching the assert.
+    /// To make this prov-able the leaf/node domain-separation property should
+    /// be moved to a tool that can model SHA-256 as an uninterpreted function
+    /// (e.g. Verus or Lean axiomatisation). Until then, the prefix-byte check
+    /// in #[cfg(test)] (test_node_hash_computation) is the operational guard.
     #[kani::proof]
     fn proof_leaf_node_domain_separation() {
         // For a 64-byte input that could be interpreted as either a leaf or
@@ -524,6 +543,14 @@ mod proofs {
     }
 
     /// Prove: compute_leaf_hash is deterministic.
+    ///
+    /// AUDIT C-7 (partial closure) — currently masked in CI.
+    /// Determinism is trivial for any pure Rust function, but Kani still
+    /// has to fully symbolically execute the SHA-256 compression on both
+    /// calls. That loop is 64 rounds, so --default-unwind 4 produces an
+    /// unwinding-assertion failure long before the assert_eq is reached.
+    /// A per-harness #[kani::unwind(65)] is necessary; even then Kani's
+    /// SMT backend may time out within the 60-minute job budget.
     #[kani::proof]
     fn proof_leaf_hash_deterministic() {
         let b0: u8 = kani::any();
@@ -536,6 +563,12 @@ mod proofs {
     }
 
     /// Prove: compute_node_hash is deterministic.
+    ///
+    /// AUDIT C-7 (partial closure) — currently masked in CI.
+    /// Same blocker as proof_leaf_hash_deterministic: SHA-256's 64-round
+    /// compression loop is too deep for --default-unwind 4 and a per-harness
+    /// #[kani::unwind(65)] may still hit SMT timeout because inputs are two
+    /// fully-symbolic 32-byte arrays.
     #[kani::proof]
     fn proof_node_hash_deterministic() {
         let l: [u8; 32] = [kani::any(); 32];
diff --git a/src/lib/src/wasm_module/mod.rs b/src/lib/src/wasm_module/mod.rs
@@ -1026,10 +1026,23 @@ mod tests {
 // ============================================================================
 // Kani proof harnesses for WASM module/component headers
 // ============================================================================
+//
+// AUDIT C-7 (partial closure): the `Kani wasm_module` matrix entry is
+// unmasked as of this PR. The previous workflow filter was
+// `--harness wasm_module::tests`, which matched zero harnesses (this module
+// is named `component_proofs`, not `tests`) and therefore caused Kani to
+// exit non-zero. The workflow now uses `wasm_module::component_proofs`.
+//
+// The single harness below has no loops and no crypto; it should run in
+// well under a minute at --default-unwind 4.
 #[cfg(kani)]
 mod component_proofs {
     use super::*;
 
+    /// Prove: a WASM module header and a WASM component header are mutually
+    /// exclusive. They share the first four magic bytes (\0asm) but differ at
+    /// byte 4 (0x01 for modules, 0x0d for components), so no 8-byte sequence
+    /// can satisfy both.
     #[kani::proof]
     fn proof_component_module_header_mutual_exclusivity() {
         let b: [u8; 8] = kani::any();
