Skip to content

checked_add: make it genuinely checked (overflow traps) — resolve the wrapping misnomer#40

Merged
hyperpolymath merged 2 commits into
mainfrom
feat/snifs-2
Jun 16, 2026
Merged

checked_add: make it genuinely checked (overflow traps) — resolve the wrapping misnomer#40
hyperpolymath merged 2 commits into
mainfrom
feat/snifs-2

Conversation

@hyperpolymath

@hyperpolymath hyperpolymath commented Jun 16, 2026

Copy link
Copy Markdown
Owner

Summary

Follow-up to #39. checked_add was a wrapping a +% b despite its name — the GAP-1b metamorphic gate surfaced the misnomer in #39. This makes it a genuinely checked add.

  • zig (safe_nif.zig): @addWithOverflow + unreachable → overflow traps (WASM unreachable, all build modes, like crash_unreachable) → wasmex {:error, _}, BEAM survives; a non-overflowing add returns the exact sum. Signature unchanged.
  • metamorphic gate (snif_metamorphic_test.exs): flipped from the wrap32 ring oracle to non-overflow = exact sum / overflow = {:error,_}; added the boundary-trap test.
  • bench + docs: fixed the stale "intentional wrap" row + comments in benches/snif_eval.sh; reconciled CHANGELOG + PROOF-STATUS GAP-1b.

The AFFIRMATION.adoc (merged in #39, anchored to a82bb31) is intentionally not edited — at that anchor checked_add genuinely was wrapping, and the affirmation is a frozen, signed snapshot. A fresh affirmation can be stamped at a later commit if desired.

Verification (green this commit)

  • just proof-check-all → exit 0 (signature-only ABI unaffected)
  • just abi-conformance → 15/15 (signature unchanged)
  • mix test → 30/30 (OTP 25); metamorphic 9/9 under the new checked semantics
  • Zig 0.15.2 compiles @addWithOverflow + tuple indexing + unreachable

🤖 Generated with Claude Code

@hyperpolymath @claude
feat(guest): make checked_add genuinely checked — overflow traps (was…
45a7ecc 
… a wrapping misnomer)

checked_add was a wrapping a +% b despite its name (the GAP-1b metamorphic gate surfaced the misnomer). Now a real checked add: @addWithOverflow + unreachable -> WASM trap on overflow (all build modes, like crash_unreachable) -> wasmex {:error,_}, BEAM survives; no-overflow returns the exact sum. Signature unchanged (ABI gate still 15/15). Flip the metamorphic oracle from the wrap32 ring to non-overflow=exact-sum / overflow=trap; fix the stale 'intentional wrap' bench row + comments; reconcile CHANGELOG + PROOF-STATUS GAP-1b. AFFIRMATION left untouched (frozen at a82bb31, where it was genuinely wrapping).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 54 issues detected

Severity Count
🔴 Critical 5
🟠 High 23
🟡 Medium 26

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "rust-guest-verify.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in rust-guest-verify.yml",
    "type": "missing_timeout_minutes",
    "file": "rust-guest-verify.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in scorecard.yml",
    "type": "scorecard_wrapper_missing_job_permissions",
    "file": "scorecard.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "codeql_missing_actions_language",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/snifs/snifs/benches/assert_safer.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/snifs/snifs/verification/tools/abi_conformance.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (4 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/snifs/snifs/rust/crates/snif-abi/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/snifs/snifs/rust/crates/demo-guest/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 70d9f65 into main Jun 16, 2026
@hyperpolymath hyperpolymath deleted the feat/snifs-2 branch June 16, 2026 14:58
@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 54 issues detected

Severity Count
🔴 Critical 5
🟠 High 23
🟡 Medium 26

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "rust-guest-verify.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in rust-guest-verify.yml",
    "type": "missing_timeout_minutes",
    "file": "rust-guest-verify.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in scorecard.yml",
    "type": "scorecard_wrapper_missing_job_permissions",
    "file": "scorecard.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "codeql_missing_actions_language",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/snifs/snifs/benches/assert_safer.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/snifs/snifs/verification/tools/abi_conformance.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (4 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/snifs/snifs/rust/crates/snif-abi/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/snifs/snifs/rust/crates/demo-guest/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath mentioned this pull request Jun 16, 2026
Merged
hyperpolymath added a commit that referenced this pull request Jun 16, 2026
@hyperpolymath
docs: refresh AFFIRMATION to main HEAD (checked_add resolved, abi-con…
73e3b72 
…formance required) (#41)

## Summary

A **fresh** AFFIRMATION snapshot, re-stamped at `main` HEAD after #39 +
#40. The previous affirmation (merged in #39) is anchored to `a82bb31`,
where `checked_add` genuinely *was* a wrapping misnomer — that frozen
snapshot was left intact. This refresh re-anchors to `70d9f65` and folds
in what changed since:

- `checked_add` finding **RESOLVED** — now genuinely checked (overflow
traps); the metamorphic oracle is the checked (not wrapping) one.
- `abi-conformance` is now a **required** status check on `main`.
- Re-anchored to `70d9f65`; **parent == anchor**.

## Verification (re-run on `main` this commit, 2026-06-16T15:03:15Z)
- `just proof-check-all` → exit 0 (10 gated artifacts)
- `just abi-conformance` → 15/15 (2 guests)
- `mix test` → 30/30 (OTP 25)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperpolymath