[Infrastructure] Proof automation library expansion and optimization #79
Description
Summary
Expand and optimize the proof automation library (Automation.lean) to accelerate proof development and reduce boilerplate across all contracts.
Motivation
Current State (DumbContracts/Proofs/Stdlib/Automation.lean):
- ~15 core lemmas
- Safe arithmetic (safeAdd, safeSub)
- Storage operations
- Contract result helpers
Gaps:
- No mapping operation lemmas
- Limited control flow lemmas
- No authorization pattern lemmas
- No event emission helpers
- No composition lemmas for complex operations
Impact of Gaps:
- Repeated proof patterns across contracts
- Slower proof development
- Copy-paste errors
- Maintenance burden
Proposed Enhancements
Category 1: Mapping Operations (NEW)
-- File: DumbContracts/Proofs/Stdlib/MappingAutomation.lean
/-- Getting from mapping preserves state -/
@[simp] theorem getMapping_runState (slot : Nat) (key : Address) :
(getMapping slot key).runState s = s
/-- Setting mapping updates only that key -/
theorem setMapping_updates_key (slot : Nat) (key : Address) (value : Uint256) :
let s' := (setMapping slot key value).runState s
s'.mappings slot key = value
/-- Setting mapping preserves other keys -/
theorem setMapping_preserves_others (slot : Nat) (key key' : Address) (value : Uint256) :
key ≠ key' →
let s' := (setMapping slot key value).runState s
s'.mappings slot key' = s.mappings slot key'
/-- Mapping operations preserve storage -/
@[simp] theorem setMapping_preserves_storage :
(setMapping slot key value).runState s
|>.storage = s.storageCategory 2: Control Flow (NEW)
-- File: DumbContracts/Proofs/Stdlib/ControlFlowAutomation.lean
/-- Successful if-branch execution -/
theorem if_true_branch (cond : Bool) (thenBranch elseBranch : Contract α) :
cond = true →
(if cond then thenBranch else elseBranch) = thenBranch
/-- Failed if-branch execution -/
theorem if_false_branch (cond : Bool) (thenBranch elseBranch : Contract α) :
cond = false →
(if cond then thenBranch else elseBranch) = elseBranch
/-- Switch statement exhaustiveness -/
theorem switch_exhaustive (value : Uint256) (cases : List (Uint256 × Contract α)) :
(∃ case ∈ cases, case.1 = value) ∨ useDefault
/-- Loop invariant preservation -/
theorem for_loop_invariant (inv : ContractState → Prop) :
(∀ i, inv (loopBody i).runState s) →
inv (for_loop n loopBody).runState sCategory 3: Authorization Patterns (NEW)
-- File: DumbContracts/Proofs/Stdlib/AuthorizationAutomation.lean
/-- OnlyOwner succeeds when sender is owner -/
theorem onlyOwner_succeeds (h : s.owner = s.sender) :
(onlyOwner >> action).isSuccess = action.isSuccess
/-- OnlyOwner fails when sender is not owner -/
theorem onlyOwner_fails (h : s.owner ≠ s.sender) :
(onlyOwner >> action).isSuccess = false
/-- RequireAuth pattern -/
theorem requireAuth_succeeds (authorized : Address → Bool) :
authorized s.sender = true →
(requireAuth authorized >> action).isSuccess = action.isSuccess
/-- Multiple role authorization -/
theorem requireRole_succeeds (roles : Address → Set Role) (required : Role) :
required ∈ roles s.sender →
(requireRole required >> action).isSuccess = action.isSuccessCategory 4: Arithmetic Composition (ENHANCED)
-- Extend existing arithmetic automation
/-- SafeAdd associativity -/
theorem safeAdd_assoc (a b c : Uint256) :
safeAdd a (safeAdd b c) = safeAdd (safeAdd a b) c
/-- SafeSub anti-monotonicity -/
theorem safeSub_antimonotone (a b c : Uint256) :
b ≤ c → safeSub a c ≤ safeSub a b
/-- Arithmetic cancellation -/
theorem add_sub_cancel (a b : Uint256) :
(a + b) - b = a -- modulo overflow
/-- Bounded arithmetic -/
theorem safeAdd_bounded (a b : Uint256) (h : safeAdd a b = some c) :
c ≤ MAX_UINT256Category 5: Event Emission (NEW)
-- File: DumbContracts/Proofs/Stdlib/EventAutomation.lean
/-- Event emission preserves state -/
@[simp] theorem emitEvent_preserves_state (event : Event) :
(emitEvent event).runState s = s
/-- Event emission succeeds -/
@[simp] theorem emitEvent_succeeds (event : Event) :
(emitEvent event).isSuccess = true
/-- Multiple events accumulate -/
theorem emit_multiple_events (e1 e2 : Event) :
(emitEvent e1 >> emitEvent e2).events = [e1, e2]Category 6: State Composition (NEW)
-- File: DumbContracts/Proofs/Stdlib/CompositionAutomation.lean
/-- Sequential operations preserve properties -/
theorem seq_preserves_property (P : ContractState → Prop) :
P s →
(∀ s', P s' → P (op2.runState s')) →
P ((op1 >> op2).runState s)
/-- Bind associativity -/
theorem bind_assoc (m1 : Contract α) (f : α → Contract β) (g : β → Contract γ) :
(m1 >>= f >>= g) = (m1 >>= fun a => f a >>= g)
/-- State update idempotence -/
theorem update_idempotent (f : ContractState → ContractState) :
f (f s) = f s →
(updateState f >> updateState f) = updateState fCategory 7: Finite Set Reasoning (NEW)
-- File: DumbContracts/Proofs/Stdlib/FiniteSetAutomation.lean
/-- Insert preserves membership -/
theorem insert_preserves_member {a : α} {s : FiniteSet α} :
a ∈ s.insert a
/-- Insert preserves others -/
theorem insert_preserves_others {a b : α} {s : FiniteSet α} :
a ≠ b → (b ∈ s ↔ b ∈ s.insert a)
/-- Sum over finite set with update -/
theorem sum_update_existing {f : α → Nat} :
a ∈ s →
s.sum (fun x => if x = a then f a + 1 else f x) = s.sum f + 1Optimization: Tactic Development
Create custom tactics for common patterns:
-- File: DumbContracts/Proofs/Stdlib/Tactics.lean
/-- Solve storage preservation goals automatically -/
syntax "solve_storage_preservation" : tactic
macro_rules
| `(tactic| solve_storage_preservation) =>
`(tactic|
unfold runState
simp [setStorage, getStorage]
ext slot
by_cases h : slot = targetSlot
· simp [h]
· simp [h])
/-- Solve authorization goals -/
syntax "solve_authorization" : tactic
/-- Solve safe arithmetic goals -/
syntax "solve_safe_arithmetic" : tacticBenefits
✅ Accelerates proof development (30-50% faster)
✅ Reduces boilerplate
✅ Consistent proof style
✅ Easier maintenance
✅ Reusable across contracts
✅ Enables rapid prototyping
Implementation Plan
Phase 1: Core Extensions (1 week)
- Mapping operations
- Control flow helpers
- Authorization patterns
Phase 2: Advanced Automation (1 week)
- Arithmetic composition
- Event emission
- State composition
Phase 3: Finite Set Reasoning (3 days)
- Set operations
- Sum properties
- Membership proofs
Phase 4: Custom Tactics (1 week)
- Storage preservation tactic
- Authorization tactic
- Arithmetic tactic
Phase 5: Documentation & Testing (2 days)
- Document all lemmas
- Add examples
- Performance benchmarks
Files Affected
Extend:
DumbContracts/Proofs/Stdlib/Automation.lean
Create:
DumbContracts/Proofs/Stdlib/MappingAutomation.leanDumbContracts/Proofs/Stdlib/ControlFlowAutomation.leanDumbContracts/Proofs/Stdlib/AuthorizationAutomation.leanDumbContracts/Proofs/Stdlib/EventAutomation.leanDumbContracts/Proofs/Stdlib/CompositionAutomation.leanDumbContracts/Proofs/Stdlib/FiniteSetAutomation.leanDumbContracts/Proofs/Stdlib/Tactics.lean
Estimated Effort
3-4 weeks
Success Criteria
- 50+ new automation lemmas
- Custom tactics working
- 30%+ proof development speedup
- All contracts use automation
- Documentation complete
Related Issues
- Accelerates [Proofs] Complete Ledger sum property helper lemmas #65, [Example Contract] Implement ERC20 standard token with full verification #69, [Example Contract] Implement ERC721 NFT contract with advanced state modeling #73, [Example Contract] Multi-signature wallet with governance patterns #78 (contract proofs)
- Complements [Documentation] Create proof debugging handbook #70 (proof debugging guide)
- Enables [Documentation] Create 'Adding Your First Contract' tutorial #66 (first contract tutorial)
Future Work
- Machine learning for tactic suggestion
- Proof search automation
- SMT solver integration