Merge pull request #32 from h2parson/set_adrs

mkannwischer · web-flow · commit 64afc1545aa2 · 2025-08-15T23:30:46.000+08:00
diff --git a/cbmc.h b/cbmc.h
@@ -138,6 +138,10 @@
 #define array_abs_bound(arr, lb, ub, k) \
   array_bound((arr), (lb), (ub), -((int)(k)) + 1, (k))
 
+#define VALID_SLH_VAR_T(var) \
+  (memory_no_alias(var, sizeof(slh_var_t)) && memory_no_alias(var->prm, sizeof(slh_param_t)) && \
+   memory_no_alias(var->adrs, sizeof(adrs_t)))
+
 #endif /* CBMC */
 
 #endif /* !SLH_CBMC_H */
diff --git a/proofs/cbmc/adrs_set_hash_address/Makefile b/proofs/cbmc/adrs_set_hash_address/Makefile
@@ -0,0 +1,53 @@
+# Copyright (c) The mlkem-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = adrs_set_hash_address_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = adrs_set_hash_address
+
+DEFINES +=
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/slh_sha2.c
+
+CHECK_FUNCTION_CONTRACTS=adrs_set_hash_address
+USE_FUNCTION_CONTRACTS=
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = adrs_set_hash_address
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mlkem/src/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mlkem/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/adrs_set_hash_address/adrs_set_hash_address_harness.c b/proofs/cbmc/adrs_set_hash_address/adrs_set_hash_address_harness.c
@@ -0,0 +1,14 @@
+// Copyright (c) The slhdsa-c project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include "slh_adrs.h"
+
+void harness(void)
+{
+  slh_var_t *var;
+  uint32_t x;
+  adrs_set_hash_address(var, x);
+}
diff --git a/slh_adrs.h b/slh_adrs.h
@@ -126,6 +126,10 @@ static SLH_INLINE uint32_t adrs_get_tree_index(const slh_var_t *var)
 
 /* === Set WOTS+ hash address. */
 static SLH_INLINE void adrs_set_hash_address(slh_var_t *var, uint32_t x)
+__contract__(
+  requires(VALID_SLH_VAR_T(var))
+  assigns(var->adrs->u32[7])
+)
 {
   var->adrs->u32[7] = rev8_be32(x);
 }

Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,10 @@ static SLH_INLINE uint32_t adrs_get_tree_index(const slh_var_t *var)`
`126`	`126`
`127`	`127`	`/* === Set WOTS+ hash address. */`
`128`	`128`	`static SLH_INLINE void adrs_set_hash_address(slh_var_t *var, uint32_t x)`
	`129`	`+__contract__(`
	`130`	`+ requires(VALID_SLH_VAR_T(var))`
	`131`	`+ assigns(var->adrs->u32[7])`
	`132`	`+)`
`129`	`133`	`{`
`130`	`134`	`var->adrs->u32[7] = rev8_be32(x);`
`131`	`135`	`}`