Skip to content

rewritingSharedContext can break type safety #2676

New issue
New issue
Open
#2684
Open
rewritingSharedContext can break type safety#2676
#2684
Labels
priorityHigh-priority issuessubsystem: saw-coreIssues related to the saw-core representation or the saw-core subsystemtech debtIssues that document or involve technical debttype: bugIssues reporting bugs or unexpected/unwanted behaviorunsoundnessIssues that can lead to unsoundness or false verification
Milestone
current: severe
@brianhuffman

Description

@brianhuffman
brianhuffman
opened on Oct 4, 2025

The SAWCore.Rewriter library provides a dubious feature called rewritingSharedContext: It creates a SharedContext in which the rewriter is applied to every subterm as it is built:

saw-script/saw-core/src/SAWCore/Rewriter.hs

Lines 883 to 885 in 04597a9

-- | Generate a new SharedContext that normalizes terms as it builds them.
-- Rule annotations are ignored.
rewritingSharedContext :: SharedContext -> Simpset a -> SharedContext

This feature is incompatible with the idea of having a trusted SAWCore kernel with certified terms and proofs (#49), because it can break type safety: Even if it is not used with unsound rewrite rules, the rewriter is free to transform an input term into one that is not convertible according to the SAW type system.

The rewritingSharedContext feature is made possible because scTermF (which is the basis of all term-forming operations in SAW) is simply a field in the SharedContext record, and can be replaced by arbitrary code later on.

saw-script/saw-core/src/SAWCore/SharedTerm.hs

Lines 395 to 402 in 04597a9

data SharedContext = SharedContext
{ scModuleMap :: IORef ModuleMap
, scTermF :: TermF Term -> IO Term
, scDisplayNameEnv :: IORef DisplayNameEnv
, scURIEnv :: IORef (Map URI VarIndex)
, scGlobalEnv :: IORef (HashMap Ident Term)
, scNextVarIndex :: IORef VarIndex
}

This is a huge backdoor into any SAWCore proof kernel we might try to implement. We cannot have a trusted SAWCore kernel until this is changed and scTermF is given a fixed definition.

Metadata

Metadata

Assignees

No one assigned

    Labels

    priorityHigh-priority issuessubsystem: saw-coreIssues related to the saw-core representation or the saw-core subsystemtech debtIssues that document or involve technical debttype: bugIssues reporting bugs or unexpected/unwanted behaviorunsoundnessIssues that can lead to unsoundness or false verification

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions