Skip to content

ABI Layer 2: prove C-binding signature preservation — flagship Idris2 proof#36

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/new-session-znxgm7
Jun 27, 2026
Merged

ABI Layer 2: prove C-binding signature preservation — flagship Idris2 proof#36
hyperpolymath merged 1 commit into
mainfrom
claude/new-session-znxgm7

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

Summary

Raises nimiser's Idris2 ABI to Layer 2 with its first flagship semantic proof. nimiser's headline is generating high-performance C libraries via Nim metaprogramming; the correctness obligation is that the generated C binding preserves the source signature — arity and per-argument type lowering. This proves SigPreserved with a sound+complete Dec, so an arity/type mismatch is unrepresentable.

Mirrors the estate flagship-proof pattern: NimSig/CSig model, ArgsLower/SigPreserved propositions, sound+complete Dec, certifier proven sound, positive + negative controls.

Changes

  • Adds src/interface/abi/Nimiser/ABI/Semantics.idr — type lowering ArgsLower, SigPreserved, sound+complete decision, certifyBinding/soundness, positive + negative controls.
  • Registers the module in nimiser-abi.ipkg.

RSR Quality Checklist

Required

  • Tests pass — ABI builds clean (see Testing)
  • Linter clean — zero warnings
  • No banned language patterns
  • No banned functions — genuine proof
  • SPDX headers present
  • No secrets

As Applicable

  • ABI/FFI changes validated — additive proof; FFI untouched

Testing

Verified with Idris2 0.7.0: idris2 --build nimiser-abi.ipkg → exit 0, zero warnings. Adversarial check: a deliberately-false proof was rejected. build/ removed.

🤖 Generated with Claude Code

https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx


Generated by Claude Code

Add Nimiser.ABI.Semantics, a machine-checked semantic proof that the
Nim->C code generator preserves source signatures: same name, same
arity, and every argument/return type lowered by the canonical injective
nimToC mapping. An arity or type mismatch is unrepresentable as a
SigPreserved witness.

Contents:
- Faithful model: NimT / CT type universes, NimSig / CSig signatures,
  total nimToC lowering, genBinding code generator.
- Headline property SigPreserved with no constructor for any mismatch.
- genBindingPreserves: the generator ALWAYS preserves (soundness).
- nimToCInjective: the lowering is injective (non-vacuity engine).
- decSigPreserved: sound + complete Dec decision procedure.
- certifyBinding + certifyBindingSound tied to the project Result type;
  generatedAlwaysCertifies corollary.
- Positive control samplePreserved (explicit witness) and three
  negative controls (wrong return type, wrong arity, wrong arg type),
  all machine-checked.

Build: idris2 --build nimiser-abi.ipkg exits 0, zero warnings.
Adversarial false proof (claiming a type-mismatched binding is
preserved) is rejected by the type-checker, confirming non-vacuity.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@hyperpolymath hyperpolymath marked this pull request as ready for review June 27, 2026 19:47
@hyperpolymath hyperpolymath merged commit 5b2fada into main Jun 27, 2026
22 of 25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants