Retarget public correctness toward native EVMYulLean#1822
Merged
Conversation
Contributor
| \n### CI Failure Hints\n\nFailed jobs: `checks`\n\nCopy-paste local triage:\n```bash\nmake check\nlake build\nFOUNDRY_PROFILE=difftest forge test -vv\n``` |
Th0rgal
force-pushed
the
native-evmyullean-public-correctness
branch
from
9de2da0 to
7daae7d
Compare
This was referenced May 6, 2026
Open
Lays out an 8-step constructor pyramid for NativeGeneratedSelectedUserBodyExecOnlyBridgeAtFuelRevived in the remaining-work tracker. Each step is intended to land as a separately green-buildable commit so that partial progress is durable even if the deep generic BridgedStraightStmts step is not reached in one pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements G1 plan step 2: a generic constructor for NativeGeneratedSelectedUserBodyExecOnlyBridgeAtFuelRevived covering selected user bodies of the shape [.block [.leave]]. The native lowering produces [.Block [.Leave]] which the outer dispatcher block wraps as .Block [.Block [.Leave]] — closed by the new exec_block_block_leave_ok_add_ten helper. The source side execIRFunction reduces the inner .block to its body and a single .leave to .continue, observationally matching the native post-reviveJump state. This widens the success-side revived bridge surface by one shape without modifying any existing constructor. lake build Compiler.Proofs.EndToEnd remains green. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements G1 plan step 3: a generic constructor for NativeGeneratedSelectedUserBodyExecOnlyBridgeAtFuelRevived covering selected user bodies of the shape [.block []]. The native lowering produces [.Block []] which the outer dispatcher block wraps as .Block [.Block []] — closed by the new exec_block_block_nil_ok_add_ten helper. The source side execIRFunction reduces the inner .block to its empty body returning .continue stateWithParams, observationally matching the native post state (no setLeave needed, so reviveJump is identity). Mirrors .of_empty_body shape with one extra nested-block layer. No existing constructor is modified. lake build Compiler.Proofs.EndToEnd remains green. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements G1 plan step 4: a generic constructor for NativeGeneratedSelectedUserBodyExecOnlyBridgeAtFuelRevived covering selected user bodies of the shape [.comment text]. The native lowering of .comment is .Block [] (via lowerStmtGroupNativeWithSwitchIds_comment), so the dispatcher-wrapped body becomes .Block [.Block []] — the same native shape as .of_block_empty, closed by the existing exec_block_block_nil_ok_add_ten. The source side execIRStmt of .comment is a no-op (.continue state), so the observable projection matches the empty-body path. The text is existentially extracted from the hypothesis so the constructor works for any concrete label. Mirrors .of_block_empty native shape; no existing constructor is modified. lake build Compiler.Proofs.EndToEnd remains green. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
A direct Revived-level .of_comment_cons recursive adapter is structurally awkward: the Revived predicate's nativeGeneratedSelectorHitUserBodyFuel depends on the full contract's fn.body size, so recursing into a stripped tail body would require either a predicate refactor parameterizing over the explicit body shape or duplicating the entire predicate logic inline. Instead, the runtime dispatcher's `.comment "label" :: <real body>` shape is handled at the NativeGeneratedSelectorHitSuccessBridge wiring (step 7): each leaf Revived constructor pairs with a one-shot comment-prefix adapter that strips the no-op label head, leaving <real body> to match an existing leaf constructor. Documentation-only change. lake build remains green. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Documents the shipped Revived constructor family (.of_block_empty, .of_block_leave, .of_singleton_comment, .of_leave_body, .of_empty_body) and the technical sketches for the three deeper remaining steps: - Step 5 (.of_nativePreservableStraightStmts_leave): cites the NativeBlockPreservesWord_lowerStmtsNativeWithSwitchIds_of_nativePreservableStraightStmts glue and proposes the execIRStmts_continue_of_nativePreservableStraightStmts_pre_leave companion lemma signature. - Step 6 (.of_bridgedStraightStmts_falling_through): notes the function-end fall-through convention alignment between execIRFunction's post-execIRStmts extraction and the dispatcher outer block exit. - Step 7 (success-bridge wiring + comment-prefix collapse). - Step 8 (hUserBodyHalt premise drop). Also regenerates PrintAxioms.lean to track the three new private theorems added by .of_block_empty (commit fa980235), .of_singleton_comment (commit f69044a1), and their source-side helpers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a top-level "PR 1822 — Achievement Summary" block to the native EVMYulLean transition doc that calls out exactly what landed on `native-evmyullean-public-correctness` (public-surface retarget, native EndToEnd surface, leaf Revived constructors S1–S4 covering the full observational-no-op body family, supporting harness lemmas, zero-sorry / zero-axiom invariants) versus what is deferred to a follow-up PR (G1 steps S5–S8: the `<straight-stmts>; leave` and `<straight-stmts>` falling-through constructors, success-bridge wiring with per-leaf `_with_label_prefix` variants, and the final `hUserBodyHalt` premise drop). Per-step status lines now read "shipped in PR 1822" or "deferred to follow-up PR" so the document is self-contained as a hand-off without consulting commit history. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The test asserted that removing the canonical public-theorem mention from the native transition doc makes `check_doc` report an error. It used `replace(..., ..., 1)` (count=1), which only rewrote the first occurrence. Once the doc grew a second backticked mention (introduced by the G1 plan in `5535376f`, and again by the PR-1822 achievement summary), the post-replace text still contained the canonical name elsewhere, so `check_doc` found nothing missing and the assertion fired with an empty error list. Switch the test to a count-less `replace`, so every occurrence is rewritten before invoking `check_doc`. The test now matches its intent — "if no mention of the public theorem survives, the check must complain" — and stays robust against future natural mentions in the same doc. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
5 tasks
Th0rgal
added a commit
that referenced
this pull request
May 11, 2026
Captures concrete code-level facts gathered while reviewing the post-#1822 tree for the S5-S8 follow-up: - Verified line numbers for every shipped Revived leaf constructor and the one shipped chain (`of_empty_body`). - Corrected the original plan: the `of_leave_body` success-bridge chain is NOT pre-existing - it must be authored alongside E3, E4, E5. - Documented the per-body-shape preservation status: `empty_block` and `comment` preservation lemmas already ship; `Leave` and `NativePreservableStraightStmts` preservation are net-new work. - Pointed F1 readers at the redundancy with E5: F1 and E5 describe the same body shape `[.comment text]`, so F1 can be dropped once E5 lands. - Listed concrete file insertion points for Layers A, B, D, and the call-site sweep required for Layer G. - Revised the effort estimate to 5-9 senior-engineer days and noted why this scope is not compatible with a single autonomous coding session (prior worker attempts repeatedly stalled or fabricated phantom pushes). No code changes; planning document only. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Retargets Verity's public EVMYulLean correctness surface away from backend-parameterized oracle spellings and toward native EVMYulLean-named entry points, and lands the first wave of leaf
ExecOnlyBridgeAtFuelRevivedconstructors so the Revived family covers every observational-no-opfn.bodyshape.Public-surface retarget
interpretYulRuntimeEvmYulLeanandinterpretYulRuntimeEvmYulLeanFuelwrappers...._via_reference_oraclenames; renamed the lower legacy Layer 3 theorem toyulCodegen_preserves_semantics_via_reference_oracleand guarded against restoring the bare oracle name....Interpreterto...EvmYulLean.defaultBuiltinBackendto.evmYulLean; addedlegacyBuiltinBackend := .verity,legacyEvalBuiltinCallWithContext, andlegacyExecYulFuelso old reference-oracle / bridge-comparison paths opt into legacy semantics explicitly.Native EndToEnd surface
nativeResultsMatchOn,sourceResultMatchesNativeOn, source/native composition theorem over the result surface.compile_preserves_native_evmYulLean_callDispatcher_of_generated_callDispatcher_match, plus helper-free and mapping-helper lowering wrappers.Leaf Revived constructors (G1 increments S1–S4)
On
NativeGeneratedSelectedUserBodyExecOnlyBridgeAtFuelRevived:.of_block_empty—fn.body = [.block []].of_block_leave—fn.body = [.block [.leave]].of_singleton_comment—fn.body = [.comment text]Together with the pre-existing
.of_empty_bodyand.of_leave_body, the Revived family now covers every body of shape[],[.leave],[.block []],[.block [.leave]],[.comment text]— the full observational-no-op family. Concrete contracts whose user body is a label-only stub now have a direct Revived bridge without going through the halt path..of_comment_consis intentionally deferred to the success-bridge wiring layer (per-leaf_with_label_prefixadapters); seedocs/NATIVE_EVMYULLEAN_TRANSITION.mdfor the structural rationale.Supporting infrastructure
exec_block_block_nil_ok_add_ten,exec_block_block_leave_ok_add_ten,exec_block_noop_block_head_eq,lowerStmtsNativeWithSwitchIds_comment_head_eq.nativeResultsMatchOn_execIRFunction_block_empty_body_markedPrefix,..._block_leave_body_markedPrefix,..._singleton_comment_body_markedPrefix.Invariants
sorry, zero new axioms.lake build Compiler.Proofs.EndToEndgreen.make checkvalidators (axioms, capability boundary, builtin boundary, doc check) pass.Verification
lake build Compiler.Proofs.EndToEndlake build Compiler.Proofs.YulGeneration.Backends.EvmYulLeanBridgeTestpython3 scripts/check_proof_length.pypython3 scripts/generate_print_axioms.py --checkpython3 scripts/check_native_transition_doc.pypython3 scripts/test_check_native_transition_doc.pypython3 -m unittest scripts.test_evmyullean_capabilitymake checkDeferred to a follow-up PR
The composite body shapes and the final premise drop share heavy proof infrastructure (whole-block per-slot preservation, IR
execIRStmtsfalling-through induction) that does not fit a single landable increment in this branch's budget. Seedocs/NATIVE_EVMYULLEAN_TRANSITION.md— the "G1 Incremental Plan" section has full constructor signatures, harness-lemma signatures, and proof sketches..of_nativePreservableStraightStmts_leave— bodies<straight-stmts>; leave. Companion lemma:execIRStmts_continue_of_nativePreservableStraightStmts_pre_leave(purely IR-side; recommended starting point for a follow-up worker)..of_bridgedStraightStmts_falling_through— bodies<straight-stmts>(no terminator). Deepest case; requires aligningexecIRFunction's fall-through extraction with the dispatcher's outer block exit.NativeGeneratedSelectorHitSuccessBridgeadapters, including per-leaf_with_label_prefixvariants that strip a leading.comment "label"head viaexec_block_noop_block_head_eq. Subsumes the deferred.of_comment_consshape.hUserBodyHaltfromcompile_preserves_native_evmYulLean_of_compile_ok_supported_generated_callDispatcheronce S5–S7 land.Long-standing items (orthogonal to this PR)
legacyExecYulFuelremains inReferenceOracle/Semantics.leanfor legacy/reference-oracle comparisons.EvmYulLeanRetarget.leanstill proves the EVMYulLean retarget by composing throughyulCodegen_preserves_semantics_via_reference_oracleand backend comparison machinery.Note
Medium Risk
Touches the public proof surface (arithmetic correctness lemmas) and CI caching/install logic; while semantics should be equivalent, regressions could break downstream proofs or CI reliability.
Overview
Retargets the public arithmetic proof surface to state wrapping/bitwise/shift facts directly in terms of the native
evalPureBuiltinViaEvmYulLeanevaluator, removing reliance on legacy oracle/bridge comparison lemmas while keeping historical theorem names.Exposes
compileMappingSlotReadandcompileMappingSlotChainfromExpressionCompile.leanso proof modules can reference the exact lowering shapes, and trims top-levelCompiler.leanimports to drop unused proof modules.CI updates: adds a sticky-disk pruning step for stale Lake packages, increases
verify.ymljob timeout, and hardenssetup-solcby caching per-version in-repo with PATH injection plus install/repair retries and version verification (instead of writing to/usr/local/bin).Reviewed by Cursor Bugbot for commit 06d2aea. Bugbot is set up for automated code reviews on this repo. Configure here.