Skip to content

Commit bbadb55

Browse files
ehildenbclaude
andcommitted
lemmas/buf.md, lemmas-no-smt-spec.k: add powByteLen-lt-concrete-false to close asWord-unif-03/04 without asWord-eq-false
Removing the looping asWord-eq-false lemma un-masked a coverage gap: the lemmas-spec asWord-unif-03/04 claims (#2604) decompose an out-of-range #asWord(B) ==Int CONST via asWord-eq-num into CONST <Int #powByteLen(N), which must reduce to false. #powByteLen is [no-evaluators] and #2859 added only the true-direction powByteLen-lt-concrete rule, leaving the false direction to asWord-eq-false. Add the mutually-exclusive, loop-safe false-direction companion so the concrete comparison is total, plus a focused regression claim alongside the existing true-direction test. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent a4f3a54 commit bbadb55

2 files changed

Lines changed: 15 additions & 0 deletions

File tree

kevm-pyk/src/kevm_pyk/kproj/evm-semantics/buf.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,13 @@ module BUF
4848
rule [powByteLen-lt-concrete]: CONST <Int #powByteLen(N) => true
4949
requires 0 <=Int N andBool CONST <Int 2 ^Int (8 *Int N)
5050
[simplification, concrete(CONST, N), preserves-definedness]
51+
// Companion false-direction: a concrete CONST that does not fit into N bytes is not
52+
// less than #powByteLen(N). Together with the rule above this makes the concrete
53+
// comparison total. The two requires are mutually exclusive and neither RHS re-exposes
54+
// `_ <Int #powByteLen(_)`, so the pair is loop-safe.
55+
rule [powByteLen-lt-concrete-false]: CONST <Int #powByteLen(N) => false
56+
requires 0 <=Int N andBool 2 ^Int (8 *Int N) <=Int CONST
57+
[simplification, concrete(CONST, N), preserves-definedness]
5158
rule #write(WM, IDX, VAL) => WM [ IDX := #buf(1, VAL) ] [simplification]
5259
5360
rule #bufStrict(SIZE, DATA) => #buf(SIZE, DATA)

tests/specs/functional/lemmas-no-smt-spec.k

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -85,4 +85,12 @@ module LEMMAS-NO-SMT-SPEC
8585
claim [powByteLen-lt-concrete]:
8686
<k> runLemma ( 31 <Int #powByteLen(32) ) => doneLemma ( true ) ... </k>
8787

88+
// powByteLen-lt-concrete-false: CONST <Int #powByteLen(N) => false when CONST does
89+
// not fit into N bytes. The companion false-direction of the rule above; together they
90+
// make the concrete comparison total. Regression for the `asWord-unif-03/04` lemmas-spec
91+
// claims, which decompose an out-of-range `#asWord(B) ==Int CONST` into exactly this
92+
// comparison and previously relied on the (removed, looping) `asWord-eq-false` to close.
93+
claim [powByteLen-lt-concrete-false]:
94+
<k> runLemma ( 2 ^Int 160 <Int #powByteLen(16) ) => doneLemma ( false ) ... </k>
95+
8896
endmodule

0 commit comments

Comments
 (0)