Specification of cstring by LennartATSkylabsAI · Pull Request #48 · SkyLabsAI/brick-libcpp

LennartATSkylabsAI · 2026-04-22T17:38:39Z

Parent issue: https://github.com/SkyLabsAI/agent-foundation/issues/78

Added project layout, md files for verification of cstring. Proved initial set of functions using cstring.R and a lower-level alternative cstringz.R.

skylabs-ai-ci · 2026-04-22T17:46:47Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	bb55601	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	e219b6b
fmdeps/auto/	main	26885ed
fmdeps/auto-docs/	main	9f57097
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	749706e
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	3bed8c2
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
+0.00%	123356.6	123356.6	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

+0.00%	123356.6	123356.6	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

skylabs-ai-ci · 2026-04-22T19:45:53Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	6566292	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	e219b6b
fmdeps/auto/	main	26885ed
fmdeps/auto-docs/	main	9f57097
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	749706e
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	3bed8c2
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
+0.00%	123356.6	123356.6	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

+0.00%	123356.6	123356.6	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

skylabs-ai-ci · 2026-04-22T21:49:22Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	0410e8a	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	e219b6b
fmdeps/auto/	main	26885ed
fmdeps/auto-docs/	main	9f57097
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	749706e
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	3bed8c2
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

gmalecha-at-skylabs · 2026-04-23T13:21:35Z

+The current explicit `char[]` litmus tests are slightly different: cpp2v
+generates stack-array initializer resources as concrete `arrayR` predicates.
+Their proofs therefore use local `arrayR` splitting/recombination lemmas to
+match the generated proof state directly. This should not be read as a general
+preference for `arrayR` in library specs; it is a proof-local accommodation for
+the shape of generated stack-buffer resources.


From a technical PoV: "cpp2v generates ..." should be "BRiCk generates ..." since the logic is BRiCk.

Is it getting this information from reading BRiCk rules? If it was looking at proof states, then it should be seeing things after the arrayLR hints kick in.

Resolved in later PR, where the proof file uses the import statements from other verification case studies.

gmalecha-at-skylabs · 2026-04-23T13:25:27Z

+  Definition ab_0_cd_lit : literal_string.t :=
+    {|
+      literal_string.bytes :=
+        PrimStringAxioms.of_list
+          [Uint63Axioms.of_Z 97; Uint63Axioms.of_Z 98; Uint63Axioms.of_Z 0;
+           Uint63Axioms.of_Z 99; Uint63Axioms.of_Z 100];
+      literal_string.bytes_per_char := 1;
+    |}.


We should really implement some notation that takes standard C++ strings with escapes, this is pretty difficult to read.

skylabs-ai-ci · 2026-04-23T19:48:13Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	4e6e0f4	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	e219b6b
fmdeps/auto/	main	26885ed
fmdeps/auto-docs/	main	9f57097
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	749706e
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	3bed8c2
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

skylabs-ai-ci · 2026-04-23T21:11:03Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	6f0f2ca	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	e219b6b
fmdeps/auto/	main	26885ed
fmdeps/auto-docs/	main	9f57097
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	749706e
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	3bed8c2
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

skylabs-ai-ci · 2026-04-24T09:29:05Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	773b99d	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	e219b6b
fmdeps/auto/	main	26885ed
fmdeps/auto-docs/	main	9f57097
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	749706e
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	3bed8c2
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

-0.00%	123356.6	123356.6	-0.0	total
-0.00%	22637.5	22637.5	-0.0	├ translation units
+0.00%	100719.1	100719.1	+0.0	└ proofs and tests

pgiarrusso-sl · 2026-04-28T13:56:49Z

+(*
+  Archived exact [unsigned char] array specs. These were useful for the first
+  byte-array slice, but they are too narrow for the standard [void*] memory
+  APIs, whose textual specifications operate on object bytes.


I think these specs are closer to what we'd prefer — the problem is real but we had separate plans about it.

In the meeting, we concluded these specs should use arrayR or arrayLR — dealing with object representations is out of scope for these specs/MRs.

pgiarrusso-sl · 2026-04-28T14:12:04Z

+     \prepost{q bytes} s_p |-> arrayLR Tuchar 0 (Z.of_N n)
+       (fun b : Z => ucharR q b) bytes
+     \require lengthZ bytes = Z.of_N n
+     \post[byte_search_result s_p (memchr bytes c)] emp).


This seems a weird way to use arrayLR.

We wondered about the best idiom to write these specs;
https://github.com/SkyLabsAI/psi_PROVER.data/pull/130 shows the "natural" one fails.

When given the text from https://cppreference.com/cpp/string/byte/memchr, codex proposes this:
cpp.spec "memchr(void*, int, unsigned long)" as memchr_mut_array_spec with
(\arg{s_p} "__s" (Vptr s_p)
\arg{c} "__c" (Vint c)
\arg{n} "__n" (Vn n)
\prepost{q bytes} s_p |-> arrayLR Tuchar 0 (lengthZ bytes)
(fun b : Z => ucharR q b) bytes
\require match memchr bytes c with
| Some off => (off < Z.of_N n / Z.of_N n <= lengthZ bytes)%Z
| None => (Z.of_N n <= lengthZ bytes)%Z
end
\post[byte_search_result Tuchar s_p
(memchr (takeZ (Z.of_N n) bytes) c)] emp).

That's a bit unwieldy but permits bytes to be short than n.

(and replacing ZLength bytes with fresh 'hi' and using Vint/Z instead of Vn/N/Z.ofN makes it a little nicer:pp.spec "memchr(void*, int, unsigned long)" as memchr_mut_array_spec with
(\arg{s_p} "__s" (Vptr s_p)
\arg{c} "__c" (Vint c)
\arg{n} "__n" (Vint n)
\prepost{q hi bytes} s_p |-> arrayLR Tuchar 0 hi
(fun b : Z => ucharR q b) bytes
\require match memchr bytes c with
| Some off => (off < n / n <= hi)%Z
| None => (n <= hi)%Z
end
\post[byte_search_result Tuchar s_p
(memchr (takeZ n bytes) c)] emp).

\require lengthZ bytes = Z.of_N n is redundant after all.

These comments are missing triple-backticks to mark code blocks...

That's a bit unwieldy but permits bytes to be short than n.

Apparently I was wrong there — as pointed in the meeting.

skylabs-ai-ci · 2026-04-28T15:00:11Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	a47ccc2	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	9ab35f8
fmdeps/auto/	main	e2c9c3e
fmdeps/auto-docs/	main	bfa8f2d
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	e32c9d8
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	a7722d5
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
+0.00%	123357.1	123357.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.6	100719.6	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

+0.00%	123357.1	123357.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.6	100719.6	+0.0	└ proofs and tests

skylabs-ai-ci · 2026-04-28T16:19:21Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	7ed4a45	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	9ab35f8
fmdeps/auto/	main	e2c9c3e
fmdeps/auto-docs/	main	bfa8f2d
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	e32c9d8
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	a7722d5
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
+0.00%	123357.1	123357.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.6	100719.6	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

+0.00%	123357.1	123357.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.6	100719.6	+0.0	└ proofs and tests

skylabs-ai-ci · 2026-04-29T11:56:12Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	82d4213	main	e96a0fc	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	9ab35f8
fmdeps/auto/	main	e2c9c3e
fmdeps/auto-docs/	main	bfa8f2d
bluerock/NOVA/	skylabs-proof	e9a69cc
bluerock/bhv/	skylabs-main	e1da62f
fmdeps/ci/	main	e32c9d8
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	a7722d5
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
+0.00%	123357.1	123357.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.6	100719.6	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

+0.00%	123357.1	123357.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	100719.6	100719.6	+0.0	└ proofs and tests

pgiarrusso-sl · 2026-04-30T13:54:51Z

+    (\arg{s_p} "__s" (Vptr s_p)
+     \prepost{q s} s_p |-> cstring.R q s
+     \require valid<"unsigned long"> (cstring.strlen s)
+     \post[Vn (Z.to_N (cstring.strlen s))] emp).


We fixed this in review. We should teach the agent (after merge).

pgiarrusso-sl · 2026-04-30T15:12:46Z

@@ -0,0 +1,36 @@
+(*


Consider removing this _old file.

pgiarrusso-sl · 2026-04-30T15:12:56Z

@@ -0,0 +1,188 @@
+(*


Consider removing this _old file.

pgiarrusso-sl · 2026-04-30T15:13:16Z

+ * This software is distributed under the terms of the BedRock Open-Source License.
+ * See the LICENSE-BedRock file in the repository root for details.
+ *)
+Require Import skylabs.prelude.numbers.


Consider removing this _old file.

pgiarrusso-sl · 2026-04-30T15:17:11Z

+  whether the model can produce an arithmetic expression that
+  `Arith.arith_simpl` can normalize. Avoid local tactics that know about one
+  test's concrete offsets or string literals.
+- `ego` is not always redundant after `go`. In these litmus proofs it often


I'd say go is redundant before ego, go. ego. is equivalent to ego.

Using go and fixing learning hints is often better.

pgiarrusso-sl · 2026-04-30T15:20:16Z

+- When proof automation is the goal, directional `_F` / `_B` / `_C`-style
+  hints are usually a better fit than borrowing lemmas. Borrowing lemmas are
+  continuation-oriented: open a view now, use it locally, and close it later.
+  Many reusable BRiCk proof steps are instead directional transformations:
+  decompose what is already in context, rebuild a canonical goal shape, or
+  replace one resource view by another. Keep semantically meaningful
+  split/rebuild steps as ordinary lemmas, and only package them as hints when
+  the step is routine enough that proof search should apply it opportunistically.


Suggested change

- When proof automation is the goal, directional `_F` / `_B` / `_C`-style

hints are usually a better fit than borrowing lemmas. Borrowing lemmas are

continuation-oriented: open a view now, use it locally, and close it later.

Many reusable BRiCk proof steps are instead directional transformations:

decompose what is already in context, rebuild a canonical goal shape, or

replace one resource view by another. Keep semantically meaningful

split/rebuild steps as ordinary lemmas, and only package them as hints when

the step is routine enough that proof search should apply it opportunistically.

Rejected as slop.

pgiarrusso-sl · 2026-04-30T15:21:44Z

+- For `\cancelx` hints, “provable” and “useful to automation” are different
+  thresholds. In this development, some `_guard` and `_using` variants could be
+  proved but still did not fire under `go`/`ego` at the relevant call site.


This is verbose for

Suggested change

- For `\cancelx` hints, “provable” and “useful to automation” are different

thresholds. In this development, some `_guard` and `_using` variants could be

proved but still did not fire under `go`/`ego` at the relevant call site.

- Not all provable hints help client automation.

which seems redundant

Suggested change

- For `\cancelx` hints, “provable” and “useful to automation” are different

thresholds. In this development, some `_guard` and `_using` variants could be

proved but still did not fire under `go`/`ego` at the relevant call site.

pgiarrusso-sl · 2026-04-30T15:23:17Z

+- If a side fact depends on a variable that will only be learned from the
+  consumed resources, putting that fact in `\using` may be too early. In such
+  cases, ordinary hint parameters or premises can be a better automation
+  surface than a more internal-looking `\cancelx` clause.


This seems either meaningless, wrong or confusing?

pgiarrusso-sl · 2026-04-30T15:23:36Z

+- Relatedly, ordinary hint parameters can sometimes outperform richer internal
+  clause structure. Even when a witness or equality seems conceptually “inside”
+  the hint, exposing it as an ordinary premise may let hint search instantiate
+  it more effectively.


Slop

Suggested change

it more effectively.

pgiarrusso-sl · 2026-04-30T15:24:33Z

+- Hint matching is very intensional. A reformulation that replaces compound
+  expressions by variables such as `mid` and `k`, together with simple equality
+  premises, can fire much more reliably because it matches the post-call proof
+  state more directly.


This is a terrible explanation of a true fact.

pgiarrusso-sl · 2026-04-30T15:25:13Z

+  from concrete data. In wrapper obligations, converting such a premise with
+  `%RedEq_eq` gives back an ordinary equality while keeping the client-facing
+  hint surface computation-friendly.
+- In the `memset` family, a direct Family A opener can be worthwhile even when


Do we have family A/B/C?

pgiarrusso-sl · 2026-04-30T15:45:05Z

@@ -0,0 +1,151 @@
+# Lessons Learned


I'm not sure we should commit such lessons in a public repository. For now, I'd move it to a follow-up PR and merge the rest.

I've also left lots of comments about these lessons, even if we probably can't act on them here.

pgiarrusso-sl · 2026-04-30T15:47:32Z

+- When a standard API is phrased in terms of object representation bytes, avoid
+  overspecifying the storage type. An abstract byte predicate is closer to the
+  text than a spec that insists on a concrete `unsigned char[]` object.


Outdated/counterproductive.

Suggested change

- When a standard API is phrased in terms of object representation bytes, avoid

overspecifying the storage type. An abstract byte predicate is closer to the

text than a spec that insists on a concrete `unsigned char[]` object.

pgiarrusso-sl · 2026-04-30T15:52:24Z

+- Match the abstraction to the API surface. Null-terminated string functions
+  want a string predicate such as `cstring.R`; counted byte APIs want a counted
+  byte predicate such as `object_bytesR`, not a string predicate with an
+  accidental terminator interpretation.


Suggested change

- Match the abstraction to the API surface. Null-terminated string functions

want a string predicate such as `cstring.R`; counted byte APIs want a counted

byte predicate such as `object_bytesR`, not a string predicate with an

accidental terminator interpretation.

The mention of object_bytesR is outdated

We did the opposite of what this advice suggests.

Lots of this advice seems a verbose way to be entirely redundant — "don't use AR when a spec requires BR" adds nothing to "write sound specifications" + the semantics of specs. Do we have that semantics?

…tial set of functions using ctring.R and a lower-level alternative cstringz.R

…spn, strcspn, strpbrk, and strstr

…non-ergonomic proofs)

…lished the model

…_embedded_null

…hr|move} remain ugly

skylabs-ai-ci · 2026-05-01T07:41:46Z

CI summary (Details)

Active Repos

Repo	Job Branch	Job Commit	Base branch	Base commit	PR
fmdeps/brick-libcpp/	lennart/cstring	187e28a	main	c0a7859	#48

Passive Repos

Repo	Job Branch	Job Commit
./	main	e8e81bb
fmdeps/BRiCk/	main	9ab35f8
fmdeps/auto/	main	6deed31
fmdeps/auto-docs/	main	bfa8f2d
bluerock/NOVA/	skylabs-proof	6cbef03
bluerock/bhv/	skylabs-main	448828c
fmdeps/ci/	main	3707442
vendored/elpi/	skylabs-master	aa4475f
vendored/flocq/	skylabs-master	cf9cc84
fmdeps/fm-ci/	main	262fb04
fmdeps/fm-tools/	main	e17f6db
psi/protos/	main	8fe3e7c
psi/backend/	main	a5fa400
psi/ide/	main	6b596cf
psi/data/	main	76acc2f
vendored/rocq/	skylabs-master	2ede3c9
fmdeps/rocq-agent-toolkit/	main	ac7e4ec
vendored/rocq-elpi/	skylabs-master	103a742
vendored/rocq-equations/	skylabs-main	a8c4832
vendored/rocq-ext-lib/	skylabs-master	94a6630
vendored/rocq-iris/	skylabs-master	3ad4ddd
vendored/rocq-lsp/	skylabs-main	a8b7272
vendored/rocq-stdlib/	skylabs-master	bc07423
vendored/rocq-stdpp/	skylabs-master	e01d802
fmdeps/skylabs-fm/	main	62d34c3
vendored/vsrocq/	skylabs-main	5b4527e

Performance

Relative	Master	MR	Change	Filename
+0.00%	124414.1	124414.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	101776.7	101776.7	+0.0	└ proofs and tests

Full Results

Relative	Master	MR	Change	Filename

+0.00%	124414.1	124414.1	+0.0	total
+0.00%	22637.5	22637.5	+0.0	├ translation units
+0.00%	101776.7	101776.7	+0.0	└ proofs and tests

gmalecha-at-skylabs · 2026-05-01T14:37:48Z

We won't merge this because we will merge #48

LennartATSkylabsAI · 2026-05-01T15:25:26Z

We won't merge this because we will merge #48

In fact we'll merge #53

LennartATSkylabsAI changed the title ~~https://github.com/SkyLabsAI/agent-foundation/issues/78Added poject layout, md files for verification of cstring. Proved ini…~~ Verification of cstring Apr 22, 2026

LennartATSkylabsAI self-assigned this Apr 22, 2026

LennartATSkylabsAI requested review from Janno, gmalecha-at-skylabs and pgiarrusso-sl April 22, 2026 19:37

gmalecha-at-skylabs reviewed Apr 23, 2026

View reviewed changes

pgiarrusso-sl reviewed Apr 28, 2026

View reviewed changes

pgiarrusso-sl changed the title ~~Verification of cstring~~ Specification of cstring Apr 30, 2026

pgiarrusso-sl reviewed Apr 30, 2026

View reviewed changes

Comment thread rocq-brick-libstdcpp/proof/cstring/lessons_learned.md

pgiarrusso-sl reviewed Apr 30, 2026

View reviewed changes

LennartATSkylabsAI added 11 commits May 1, 2026 03:32

Added poject layout, md files for verification of cstring. Proved ini…

161ed89

…tial set of functions using ctring.R and a lower-level alternative cstringz.R

First cut at step 3 of planning.md, ie functions strchr, strrchr, str…

3ec2018

…spn, strcspn, strpbrk, and strstr

Updated current state

6b0a8bd

Specs for several more functions and their litmus tests (with first, …

bf375c1

…non-ergonomic proofs)

Added comments about candidate predicates for object_bytesR

87a6dff

Split the litmus proof file, upstreamed predicate lemmas, slightly po…

1df7913

…lished the model

Moved remaining specs/proofs ofr embedded_null litmus tests to proofs…

9d995f5

…_embedded_null

Proof progrss in litmus tests proofs but proofs for mem{set|cmp|cpy|c…

3e3344d

…hr|move} remain ugly

Updated md files; split proofs into string and memory-related functions

b042999

Better usage of cancelx makes string proofs mostly-automatic

60ae984

Reviewed specs

699fffd

LennartATSkylabsAI force-pushed the lennart/cstring branch from f19562d to 699fffd Compare May 1, 2026 07:33

LennartATSkylabsAI mentioned this pull request May 1, 2026

cstring: reviewed specs, with test clients — slice 1 #53

Open

gmalecha-at-skylabs closed this May 1, 2026

	- For `\cancelx` hints, “provable” and “useful to automation” are different
	thresholds. In this development, some `_guard` and `_using` variants could be
	proved but still did not fire under `go`/`ego` at the relevant call site.

	- When a standard API is phrased in terms of object representation bytes, avoid
	overspecifying the storage type. An abstract byte predicate is closer to the
	text than a spec that insists on a concrete `unsigned char[]` object.

Conversation

LennartATSkylabsAI commented Apr 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

skylabs-ai-ci Bot commented Apr 22, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

skylabs-ai-ci Bot commented Apr 22, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

skylabs-ai-ci Bot commented Apr 22, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

skylabs-ai-ci Bot commented Apr 23, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

skylabs-ai-ci Bot commented Apr 23, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

skylabs-ai-ci Bot commented Apr 24, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

LennartATSkylabsAI Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

skylabs-ai-ci Bot commented Apr 28, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

skylabs-ai-ci Bot commented Apr 28, 2026

CI summary (Details)

Active Repos

Passive Repos

Performance

Uh oh!

skylabs-ai-ci Bot commented Apr 29, 2026

CI summary (Details)

Active Repos

LennartATSkylabsAI commented Apr 22, 2026 •

edited

Loading

LennartATSkylabsAI Apr 29, 2026 •

edited

Loading

pgiarrusso-sl Apr 30, 2026 •

edited

Loading

pgiarrusso-sl Apr 30, 2026 •

edited

Loading