- In Lean, that goal is split into three named properties: + In Lean, that goal is split into four families of properties:
inListReachable
- : every node with a non-zero successor is reachable from
- SENTINEL
- ownerListInvariant
: membership (non-zero successor) is equivalent to
- reachability from SENTINEL (combines{' '}
- inListReachable and{' '}
- reachableInList)
+ reachability from SENTINEL
+ uniquePredecessor
+ : each non-zero node has at most one non-zero predecessor
+ (the list is a simple path with no branching)
acyclic: the
linked list has no internal SENTINEL cycles
isOwner correctness
+ : each operation changes exactly the intended owners and
+ leaves all others unchanged
+
- These correspond to invariants from Certora's{' '}
+ The invariant properties correspond to Certora's{' '}
- All 12 theorems are proven.{' '}
+ All 15 theorems are proven.{' '}
Function
- inListReachable
+ uniquePredecessor
ownerListInvariant
acyclicity
+ isOwner
require{' '}
guard the contract already enforces, or a structural fact
- about the linked list that holds inductively.
+ about the linked list that holds inductively. Properties like{' '}
+ noSelfLoops,{' '}
+ freshInList, and{' '}
+ acyclic are derived
+ inside the proofs rather than assumed.
setupOwners{' '}
- is the base case and needs{' '}
- hClean{' '}
- (all storage slots start zero) instead.
+ is the base case (needs clean storage instead).
+ Properties like{' '}
+ noSelfLoops{' '}
+ and{' '}
+ freshInList{' '}
+ are derived from these three, not assumed.
swapOwner,
- the old owner cannot be its own predecessor — a self-loop
- would zero the previous owner's pointer and orphan the
- new node.
+ For{' '}
+ removeOwner{' '}
+ and{' '}
+ swapOwner{' '}
+ functional correctness, we need the target owner to actually
+ be in the list. This is implied by{' '}
+ owners[prevOwner] == owner{' '}
+ plus the invariant, but is stated explicitly to keep the
+ correctness proofs self-contained.