Skip to content

feat(verify): validator pattern — full i32 + i64 op surface (#76)#133

Merged
avrabe merged 1 commit into
mainfrom
feat/validator-i64
May 23, 2026
Merged

feat(verify): validator pattern — full i32 + i64 op surface (#76)#133
avrabe merged 1 commit into
mainfrom
feat/validator-i64

Conversation

@avrabe
Copy link
Copy Markdown
Contributor

@avrabe avrabe commented May 22, 2026

Summary

Closes #76. Promotes synth's validator-based verification from PR #113's single-op (I32Add) prototype to production coverage of the full i32 + i64 op surface.

This is CompCert's untrusted-solver + trusted-validator pattern: the instruction selector (untrusted) produces a lowering, and Z3ArmValidator (trusted, simple, auditable) confirms each lowering is semantics-preserving via Z3 SMT — instead of writing thousands of Rocq lemmas by hand. It's the strategy that sidesteps the Rocq-divergence problem (#73).

Coverage

Z3ArmValidator now certifies:

  • i32 — arithmetic, logic, shifts/rotates, comparisons, unary ops, div/rem.
  • i64 — the same arithmetic/logic/shift/comparison surface, modeled as 64-bit bitvectors then decomposed into the (lo, hi) 32-bit register pair the ARM lowering actually uses, with an equivalence assertion.

i64 is the highest-value target: it's exactly where hand-written Rocq proofs are most painful, so Z3 validation buys the most there.

Trusted-code discipline

The validator is trusted code. The Z3 query construction is kept readable so a reviewer can convince themselves each query genuinely models the op's semantics; the non-obvious i64 lo/hi decomposition is commented (the i64_shl / i64_shr_s / i64_shr_u case-split helpers).

Tests

Per-op Z3-validation tests (the op certifies — the negated equivalence query is unsat), plus negative tests: a deliberately wrong lowering must NOT certify — a validator that certifies everything is useless. The 3 prototype tests from #113 still pass. synth-verify: 133 tests passing.

docs/validator-pattern.md updated — coverage section reflects the i32+i64 surface.

Validation

  • cargo test --package synth-verify — 133 pass, 0 fail.
  • cargo clippy --package synth-verify --all-targets -- -D warnings — clean.
  • cargo fmt --check — clean.

Test plan

  • CI green
  • Z3 Verification job passes
  • Negative tests confirm the validator rejects bad lowerings

Refs: #76 (closes), PR #113 (prototype), #73 (Rocq divergence this sidesteps).

🤖 Generated with Claude Code

@avrabe @claude
feat(verify): validator pattern — full i32 + i64 op surface (#76)
d571ae5 
Promotes the validator-based verification strategy from PR #113's
single-op (`I32Add`) prototype to production coverage of the i32 + i64
op surface. This is the CompCert untrusted-solver + trusted-validator
pattern: the instruction selector (untrusted) produces a lowering, and
`Z3ArmValidator` (trusted, simple, auditable) confirms each lowering is
semantics-preserving via Z3 SMT — instead of writing thousands of Rocq
lemmas by hand.

i64 is the highest-value target: it's exactly where hand-written Rocq
proofs are most painful, and the validator models the 64-bit semantics
directly, then decomposes into the lo/hi 32-bit register pair the ARM
lowering uses and asserts equivalence.

Coverage now certified by `Z3ArmValidator`:
- i32: arithmetic, logic, shifts/rotates, comparisons, unary, div/rem.
- i64: the same arithmetic/logic/shift/comparison surface, modeled as
  64-bit bitvectors decomposed to the (lo, hi) register pair.

The validator is trusted code — the Z3 query construction is kept
readable so a reviewer can confirm the query actually models each op's
semantics; the non-obvious i64 lo/hi decomposition is commented.

Tests: per-op Z3-validation tests plus negative tests (a deliberately
wrong lowering must NOT certify — a validator that certifies everything
is useless). The 3 prototype tests from #113 still pass. synth-verify:
133 tests passing.

`docs/validator-pattern.md` updated — coverage section now reflects the
i32+i64 surface instead of the I32Add prototype.

Refs: #76, PR #113 (prototype), #73 (the Rocq-divergence problem this
strategy sidesteps).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@codecov
Copy link
Copy Markdown

codecov Bot commented May 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@avrabe avrabe merged commit 53b8fb4 into main May 23, 2026
10 of 13 checks passed
@avrabe avrabe deleted the feat/validator-i64 branch May 23, 2026 12:24
@avrabe avrabe mentioned this pull request May 23, 2026
Merged
avrabe added a commit that referenced this pull request May 23, 2026
@avrabe @claude
docs(changelog): cut v0.5.0 section (#134)
55a3c3c 
v0.5.0 — verification & robustness:
- #133 validator pattern to full i32 + i64 surface (#76)
- #131 RV32 i64 div/rem (Phase 3 completes i64 integer)
- #132 panic-free ir_to_arm + macro fix + gating fuzz restored

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Adopt validator-based verification strategy (CompCert pattern) for i64/f32/f64 proof coverage

1 participant

@avrabe