Skip to content

Commit 7694bc8

Browse files
dkcummingdkcumming
committed
Added case study for P-Token proofs
1 parent 961ff61 commit 7694bc8

1 file changed

Lines changed: 33 additions & 0 deletions

File tree

doc/src/tools/kmir.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -406,6 +406,39 @@ The full set of verified methods covers all integer types (i8-i128, u8-u128):
406406
| `carrying_mul` | u8, u16, u32, u64 | verified |
407407
| `to_int_unchecked` | f16, f32, f64, f128 | pending (float support) |
408408

409+
### Case Study 2: Solana P-Token / SPL-Token Equivalence Proofs
410+
411+
KMIR has been used to formally verify the equivalence of the
412+
[Solana P-Token](https://github.com/runtimeverification/solana-token/tree/proofs/p-token)
413+
(a compute-optimized rewrite using
414+
[Pinocchio](https://github.com/anza-xyz/pinocchio)) against the original
415+
[Solana SPL-Token](https://github.com/runtimeverification/solana-token/tree/proofs/program)
416+
program.
417+
418+
The verification proves that the P-Token program simulates the SPL-Token
419+
program: for each SPL-Token state and instruction (a request to perform an
420+
operation such as Transfer or Burn), there is an equivalent P-Token state
421+
and instruction that produces the same result. Both programs must agree on
422+
state transitions and error behaviour.
423+
424+
Each instruction is verified twice (once for each implementation) against a
425+
shared specification harness that captures the initial account state, invokes
426+
the instruction processor with symbolic input, and verifies the same
427+
postcondition holds after execution. 41 proofs are required to demonstrate
428+
equivalence.
429+
430+
For more details, please see:
431+
- [Proof Status](https://github.com/runtimeverification/solana-token/issues/24)
432+
- [Multisig Proof Status](https://github.com/runtimeverification/solana-token/issues/97)
433+
- [Shared Specifications](https://github.com/runtimeverification/solana-token/tree/proofs/specs)
434+
- [SPL-Token Implementation](https://github.com/runtimeverification/solana-token/blob/proofs/program/src/processor.rs)
435+
- [P-Token Implementation](https://github.com/runtimeverification/solana-token/tree/proofs/p-token/src/processor)
436+
437+
A detailed report covering the Solana programming model, the formal
438+
equivalence methodology, and per-instruction verification conditions is
439+
available in the
440+
[equivalence proofs report](https://github.com/runtimeverification/solana-token/blob/proofs/RV_EQUIVALENCE_PROOFS_REPORT.md).
441+
409442
## Background Reading
410443

411444
- **[Matching Logic](http://www.matching-logic.org/)**

0 commit comments

Comments
 (0)