fix(soundness): generated Chapel must not report success on failed work#47
Merged
Conversation
Adds Chapeliser.ABI.Invariants, a new machine-checked theorem deeper than
and distinct from the Layer-2 Partition tiling proof. Partition.idr proved
the block partition is a gapless, non-overlapping tiling for all n,k but
explicitly left open the arithmetic residual `sumNat (perItemCounts n k) = n`
("the only div/mod obligation"). This module discharges exactly that.
blockCountsComplete : (n,k') -> sumNat (blockCounts n k') = n proves every
item is covered exactly once, for ALL n and all k>0, via the Euclidean
division theorem (contrib Data.Nat.Division) plus a self-contained count of
remainder slots. Counts are expressed with the public-export divNatNZ/modNatNZ
(the reducing form of Prelude div/mod on a positive divisor) so the proof and
its concrete controls reduce at the type level.
Includes: a sound+complete Dec (decCoversExactly), positive controls
(covers10over3, covers12over4 by Refl + via the general theorem), and
non-vacuity/negative controls (notCovers10as9, dec10over3as9No,
remainderCountMatters). Genuine proof: no believe_me/postulate/assert_total/
sorry/admitted. Builds clean (0 warnings); a deliberately false variant is
rejected by the type checker.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
…I.FfiSeam) Add a new module proving the Result FFI encoding is sound: - intToResult decoder + resultRoundTrip: the C integer faithfully round-trips back to the ABI Result (lossless/faithful encoding). - resultToIntInjective: distinct ABI outcomes never collide on the wire, derived from the round-trip via justInj . cong intToResult. - Positive controls (concrete decode = Refl) and a machine-checked non-vacuity control: distinct codes have distinct ints. Genuine total proofs, no believe_me/postulate/assert_total/etc. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Assemble the existing proof layers into one inhabited certificate value in Chapeliser.ABI.Capstone: - ABISound record whose fields reuse real exported witnesses: * flagshipValid -> Proofs.tenAcrossTwoValid (Layer 2, complete+disjoint) * blockComplete -> Invariants.blockPartitionIsComplete 10 2 (Layer 3) * blockCompleteAll -> Invariants.blockCountsComplete (Layer 3, general) * ffiInjective -> FfiSeam.resultToIntInjective (Layer 4 seam) - abiContractDischarged : ABISound — the single inhabited capstone value; ties manifest -> ABI proofs (flagship + invariant) -> FFI seam into one end-to-end soundness statement. Stops typechecking if any layer weakens. No believe_me/postulate/assert_total/sorry/%hint; %default total; SPDX line 1. Build clean (0 warnings); adversarial false-field certificate is rejected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
…ble fix); port ABI-FFI gate Python->Bash (Python is estate-banned) Resolves the standing baseline CI reds (rust-ci toolchain error, governance Language/anti-pattern, governance workflow-lint) without altering the proven ABI. The Bash gate reproduces the former Python gate's verdict verbatim (validated across all -iser repos) and catches the same drift classes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
…simiser) in place of the interim Bash port
…t --check + clippy -D warnings clean
Two soundness holes in the generated Chapel: - Reduce gather seeded its accumulator from resultData[0]/resultSizes[0] without checking resultOk[0], then unconditionally set resultOk[0]=true. A failed first item folded garbage into the reduction and the result was reported valid. Now seed from the first SUCCESSFUL item, fail-closed on a c_reduce step error, and set resultOk[0]=haveAccum (valid only if >=1 input succeeded). - The store phase only warned on a c_store_result failure and exited 0, so a result that never reached the user's storage looked like success. Now track the failure and halt() with a non-zero status. Adds codegen tests asserting the reduce gather is failure-aware and the store phase aborts on a store failure.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes two soundness holes in the generated Chapel program — both cases where the program silently produced/reported a wrong result as success.
resultData[0]/resultSizes[0]without checkingresultOk[0], then setresultOk[0] = trueunconditionally. If item 0 (or all items) had failed, garbage was folded into the reduction and the result was marked valid. Now it seeds from the first successful item, fails closed if ac_reducestep errors, and setsresultOk[0] = haveAccum— valid only if at least one input succeeded.c_store_resultonly printedWARN: …and the program continued and exited 0 — so a result that never reached the user's storage looked like success. Now a store failure sets a flag and the programhalt()s with a non-zero status (loud failure, never silent green).The Idris2 ABI proofs and the Zig FFI reference impl were already sound; the gap was in
src/codegen/chapel.rs.Changes
src/codegen/chapel.rs:write_gather_reduce(failure-aware fold) andwrite_store_phase(trackstoreFailed,halton failure;WARN→ERROR).Testing
reduce_gather_is_failure_aware— generated Chapel useshaveAccum/resultOk[0] = haveAccum;and neverresultOk[0] = true;.store_phase_aborts_on_store_failure— generated Chapel tracksstoreFailedandhalt()s; no silentWARN: c_store_result.cargo fmt --check,cargo clippy --all-targets -- -D warnings,cargo test --locked --all-targets(64 tests). (Generated Chapel is asserted by string, as in the existing tests; it is compiled bychpldownstream.)RSR Quality Checklist
🤖 Generated with Claude Code
Generated by Claude Code