docs(rivet): #494 proof-carrying design + VCR-SEL-001 first-increment scope (#242)#609
Merged
Conversation
… scope (#242) Two rivet-traced designs, artifacts/docs only — no code files touched, so every frozen anchor is trivially safe by construction. 1. VCR-PERF-002 (new sw-req, proposed): proof-carrying specialization — synth consumes loom's wsc.facts premises (loom#231/loom#240 contract) to elide proven-dead guards; each elision carries a per-site obligation discharged by the ordeal-backed validator (#595), certificate-checked + differential-gated over the proven bound. Phased: fact ingestion (codegen- neutral) -> single-elision prototype (SYNTH_FACT_SPEC, flag-off) -> gust_mix measurement vs gale's measured 0.45x floor (target <=0.70x, kill-criterion per #494). Design: docs/design/proof-carrying-specialization.md 2. VCR-SEL-001 (updated, status as-is): FIRST INCREMENT SCOPE — tier-A no-scratch i32 ALU six (the pilot's 6/6 auto-discharge class) + i32.rotl as the side-condition-carrying stretch; checked-in rule table + committed generated Rust delegated from select_default behind SYNTH_SEL_DSL (default off, OFF == baseline); one universally-quantified T1 Qed per rule (1:1 naming, coverage check fails the //coq build); flip gated by per-op mirror-pinning byte-equality then frozen fixtures bit-identical under the flag. Design: docs/design/vcr-sel-001-first-increment.md Gate: rivet validate non-xref ERROR count 0 (CI formula, identical to baseline); rivet coverage exit 0; the single new WARN is the standard not-yet-verified notice every proposed sw-req carries. Refs #494, #242, pulseengine/loom#240 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Design/rivet artifacts only — no code files touched, so the frozen anchors (control_step 0x00210A55, flat+inlined flight_algo 0x07FDF307, divseam) are trivially safe by construction (stated, not run). Two rivet-traced designs in
artifacts/verified-codegen-roadmap.yaml, each with a design doc underdocs/design/(the repo's convention, sibling ofvcr-ra-allocator-wiring.md).1.
VCR-PERF-002(new sw-req,proposed) — proof-carrying specialization (#494 part (a))The below-native lever: gale measured the floor (pulseengine/gale#121,
gust_floor_bench, qemu-icount) — elidinggust_mix's dead clamp under a provench∈[524,1524]is 0.45× of native LLVM (0.825 → 0.225 ticks/call), past the 0.70× target, a lowering LLVM structurally cannot reach.wsc.factscustom section — value-range, shift-bound, divisor-nonzero, in-bounds, disjointness, select-totality — keyed by (fn index, value id); unknown kinds ignored, facts-absent compile byte-identical by construction.UNSAT(P ∧ general ≠ specialized), certificate-checked; Sat/Unknown ⇒ loud decline to the general lowering.SYNTH_FACT_SPECdefault-off; no frozen fixture carries facts ⇒ lever can't fire on them.gust_floor_bench+ STM32F100 DWT vs the 0.45× floor; kill-criterion unchanged from Beyond parity: proof-carrying specialization + optimal-alloc to BEAT LLVM (0.7× target) #494 (<1.0× then ≤0.70×, bit-identical under the bound).Design doc:
docs/design/proof-carrying-specialization.md.2.
VCR-SEL-001(updated, status staysapproved) — first-increment scopeConcretizes the next big Track-A rivet from the 2026-06-20 pilot (
VcrSelPilot.v, 7 Qed):i32.rotlas the deliberate side-condition-carrying stretch (rs<>rnhypothesis). Div/rem excluded (VCR-ISA-001-gated); optimized path excluded.select_defaultkeeps dispatch — migrated arms delegate behindSYNTH_SEL_DSL(default off, OFF ≡ baseline byte-identical); the exhaustiveWasmOpmatch stays.synth_binop_proof_poly), 1:1 rule↔theorem naming, coverage check fails the//coqbuild if a rule lacks its proof.SYNTH_SEL_DSL=1must keep all frozen fixtures bit-identical + full differential green — increment 1 migrates structure, never bytes.Design doc:
docs/design/vcr-sel-001-first-increment.md.Gate
rivet validate(0.23.0): non-xref ERROR count 0 (exact CI formula), identical to baseline; the 51 pre-existing errors are all filtered cross-repo refs; the one new WARN is the standard not-yet-verified notice everyproposedsw-req sibling carries.rivet coverageexit 0.artifacts/verified-codegen-roadmap.yaml,docs/design/proof-carrying-specialization.md,docs/design/vcr-sel-001-first-increment.md— artifacts/docs only.Refs #494, #242, pulseengine/loom#240, pulseengine/loom#231.
🤖 Generated with Claude Code