Skip to content

Improve specs of bitwise operations #1839

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Lysxia wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Improve specs of bitwise operations #1839

Lysxia wants to merge 3 commits into from

Conversation

@Lysxia
Copy link
Collaborator

@Lysxia Lysxia commented Nov 26, 2025

No description provided.

jhjourdan
jhjourdan reviewed Nov 26, 2025
View reviewed changes
creusot-contracts/src/std/num.rs
Comment on lines +207 to +209
#[ensures(self >> $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == (self >> ($type::BITS - result - 1u32) == $one))]
#[ensures((result == $type::BITS) == (self == $zero))]
Copy link
Collaborator

@jhjourdan jhjourdan Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#[ensures(self >> $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == (self >> ($type::BITS - result - 1u32) == $one))]
#[ensures((result == $type::BITS) == (self == $zero))]
#[ensures((result != $type::BITS) == (self >> ($type::BITS - result - 1u32) == $one))]
#[ensures((result == $type::BITS) == (self == $zero))]

This clause is redundant (though it's unclear whether SMT solvers will be more comfortable with suc or such clause).

jhjourdan
jhjourdan reviewed Nov 26, 2025
View reviewed changes
creusot-contracts/src/std/num.rs
Comment on lines +213 to +215
#[ensures(self << $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == ((self >> $type::BITS) & $one == $one))]
#[ensures((result == $type::BITS) == (self == $zero))]
Copy link
Collaborator

@jhjourdan jhjourdan Nov 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#[ensures(self << $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == ((self >> $type::BITS) & $one == $one))]
#[ensures((result == $type::BITS) == (self == $zero))]
#[ensures((result != $type::BITS) == (self << ($type::BITS - result - 1u32) == $one << ($type::BITS - 1u32))]
#[ensures((result == $type::BITS) == (self == $zero))]

I see no reason we would have a different spec for both functions.

jhjourdan
jhjourdan reviewed Nov 26, 2025
View reviewed changes
creusot-contracts/src/std/num.rs
Comment on lines +219 to +221
#[ensures(!self >> $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == (!self >> ($type::BITS - result - 1u32) == $zero))]
#[ensures((result == $type::BITS) == (self == $type::MAX))]
Copy link
Collaborator

@jhjourdan jhjourdan Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#[ensures(!self >> $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == (!self >> ($type::BITS - result - 1u32) == $zero))]
#[ensures((result == $type::BITS) == (self == $type::MAX))]
#[ensures((result != $type::BITS) == (!self >> ($type::BITS - result - 1u32) == $zero))]
#[ensures((result == $type::BITS) == (self == $type::MAX))]

jhjourdan
jhjourdan reviewed Nov 26, 2025
View reviewed changes
creusot-contracts/src/std/num.rs
Comment on lines +225 to +227
#[ensures(!self << $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == ((!self >> $type::BITS) & $one == $one))]
#[ensures((result == $type::BITS) == (self == $type::MAX))]
Copy link
Collaborator

@jhjourdan jhjourdan Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#[ensures(!self << $type::BITS - result == $zero)]
#[ensures((result != $type::BITS) == ((!self >> $type::BITS) & $one == $one))]
#[ensures((result == $type::BITS) == (self == $type::MAX))]
#[ensures((result == $type::BITS) == (!self << ($type::BITS - result - 1u32) == $one << ($type::BITS - 1u32)))]
#[ensures((result == $type::BITS) == (self == $type::MAX))]

@jhjourdan
Copy link
Collaborator

jhjourdan commented Nov 26, 2025

Suggestion: have logic functions for trailing/leading_one/zeros, specified the same way, and use them to specify the program function.

@Lysxia
Copy link
Collaborator Author

Lysxia commented Dec 1, 2025

@mcoulmance the main todo is to fix the translation of << in logic to lsl_bv : t -> t -> t instead of lsl : t -> int -> t. The challenge is that << allows arguments of different types, so we need to cast the second argument accordingly. This also means deciding of a way to handle overflows, which we didn't need before when the second argument was cast to int.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhjourdan jhjourdan jhjourdan left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Lysxia @jhjourdan