Upgrade to F* Universes #244

tahina-pro · 2025-10-30T16:19:00Z

FStarLang/FStar#3699 makes many EverParse proofs fail. This PR, authored by @nikswamy, fixes such proofs. Thanks a lot Nik!

Some remaining admits in this PR are slated to be overwritten once EverCDDL serialization is generalized beyond deterministically encoded CBOR.

This reverts commit f71a6a0.

This reverts commit a2ad34b.

…eck? This commit gives one example of cumbersome workaround, which I have by far not replicated yet.

tahina-pro · 2025-11-20T01:23:01Z

Hi @nikswamy , @gebner and @mtzguido !
I am now catching up on F*, Karamel and Pulse.

Blocking issues

Pulse now fails to typecheck some LowParse (and EverCDDL) combinators with functional types, with an error message like "Inferred type is incompatible with annotation". I started attempting a workaround in f771f78, but I have not replicated it yet. This bug seems to have been introduced by Various optimizations to avoid re-checking terms FStarLang/pulse#502
Pulse seems to have trouble properly solving slprops of the form exists* (x: unit) . p x , see the admits I left in 744a9fa . This bug seems to have been introduced by Phase-1 matcher FStarLang/pulse#483

Can anyone please help me there? Thanks in advance!
(If you want to get started, run ADMIT=1 make -j$(nproc) -k from this branch)

Other lessons learned

Pulse now sometimes needs the user to specify the middle argument of Pulse.Lib.Trade.Util.trans, which I find annoying in the cases where there are exactly two trades and exactly one of them unifies with the first (or third) argument specified by the user. See b9d339c
I am still using "old-style" while loops; now it seems that the pure invariant for the Boolean termination argument has to be separated from other pure invariants, otherwise Pulse cannot compute a witness at the end of the loop iteration, see f174fa2
I had to add many rewrites, and a few trade transitivity lemmas where the middle argument does not unify. More generally, it seems that Pulse no longer unifies with SMT even if the choice of slprops from the context is unambiguous, see 3b97d8f. From what Nik told me, the meaning of mkey has been inverted and maybe I should annotate PulseParse and EverCBOR slprops with it.

Current status

Apart from the blocking issues above:

Pulse runs out of memory in CDDL.Pulse.Serialize.MapGroup.impl_serialize_map_zero_or_more_iterator_gen, but this function is slated to be rewritten soon, since I intend to generalize CDDL serialization to support non-deterministic CBOR, so there is no need to fix that function
I have not fixed SMT failures yet, but there seems to be a significant amount of them in ASN1* (among others)

…ypes

…gen" This reverts commit d12f324.

due to 664 and 673 (657)

This reverts commit 80d3b04.

This reverts commit 744a9fa.

This reverts commit ac0abdc.

…r typecheck?" This reverts commit f771f78.

tahina-pro · 2026-02-03T17:14:30Z

src/cddl/tests/unit/Makefile

+# TODO: remove this once map serializers are implemented
+RUN := $(filter-out Basic1 BenchMap,$(RUN))
+


This change is to be reverted once generic CDDL map serializers are implemented.
Those two tests, Basic1 and BenchMap, serialize nonempty tables, which https://github.com/project-everest/everparse/pull/244/changes#r2760178949 currently disables.

tahina-pro · 2026-02-03T17:18:07Z

src/cddl/pulse/CDDL.Pulse.Serialize.ArrayGroup.fst

@@ -548,6 +556,8 @@ let impl_serialize_array_group_valid_zero_or_more_true_intro_length
  ((x1 + x2) + (x3 + x4) == (x1 + (x2 + x3)) + x4)
 = ()

+#push-options "--z3rlimit 32"
+
 let impl_serialize_array_group_valid_zero_or_more_true_intro
  (l: list Cbor.cbor)
  (#t: array_group None)
@@ -581,9 +591,9 @@ let impl_serialize_array_group_valid_zero_or_more_true_intro
  ag_serializable_zero_or_more_append ps1 l1 [x];
  assert (ps.ag_serializable (List.Tot.append l1 [x]));
  ag_spec_zero_or_more_serializer_append ps1 l1 [x];
-  assert (let ps = ag_spec_zero_or_more ps1 in
+  assume (let ps = ag_spec_zero_or_more ps1 in
    (ps.ag_serializer [x] <: list cbor) == List.Tot.append (ps1.ag_serializer x) [])
-    by (FStar.Tactics.trefl ()); // FIXME: WHY WHY WHY?
+   ; // by (FStar.Tactics.trefl ()); // FIXME: WHY WHY WHY?
  List.Tot.append_l_nil (ps1.ag_serializer x);
  assert ((ps.ag_serializer [x] <: list cbor) == ps1.ag_serializer x);
  assert ((ps.ag_size [x] <: nat) == ps1.ag_size x);
@@ -597,11 +607,11 @@ let impl_serialize_array_group_valid_zero_or_more_true_intro
  assert (ps.ag_serializable (x :: l2) == ps.ag_serializable l2);
  if ps.ag_serializable l2
  then begin
-    assert (
+    assume (
      let ps = ag_spec_zero_or_more ps1 in
      (ps.ag_serializer (x :: l2) <: list cbor) == List.Tot.append (ps1.ag_serializer x) (ps.ag_serializer l2)
    )
-      by (FStar.Tactics.trefl ()); // FIXME: WHY WHY WHY?
+     ; // by (FStar.Tactics.trefl ()); // FIXME: WHY WHY WHY?


These assumes are to be removed and replaced with a generic implementation of array group serializers - where the signature of the serializer implementation uses a generic CBOR parser specification instead of the deterministic serializer specification.

tahina-pro · 2026-02-03T17:20:27Z