Add Formal Specifications for Vouch & Burn Module Safety and Correctness

[Jayfromthe13th]

Description:
This PR adds comprehensive formal specifications to the vouch module to ensure safety, correctness, and proper state management. The specifications verify critical properties of the vouching system.

File Location:
vouch.spec.move

Key Specifications Added:

1. Global Invariants:

• Ensures vector alignment between incoming_vouches and epoch_vouched
• Maintains consistency of vouch state across operations

2. Function Specifications:

• true_friends(): Verifies correct friend relationship validation
• revoke(): Ensures proper vouch removal and state updates
• all_not_expired(): Validates epoch-based expiration logic
• is_valid_voucher_for(): Confirms voucher validity
• bulk_set(): Ensures atomic updates of vouch records

3. Safety Properties:

• No self-vouching allowed
• Proper initialization checks
• Maximum vouch limit enforcement
• Expiration period validation

4. State Management:

• VouchInvariant schema for consistent state transitions
• Proper handling of GivenVouches and ReceivedVouches
• Price calculation verification

These specifications help ensure:

• Vector alignment invariants are maintained
• Proper validation of vouch operations
• Safe revocation procedures
• Correct expiration checks
• Consistent state management

Testing:

• All specifications verified using Move Prover
• Aborts conditions properly specified
• State transitions verified

Add Formal Specifications for Burn Module Safety and Correctness

This PR adds comprehensive formal specifications to the burn module to ensure safety, correctness, and proper state management of burning operations.

File Location:
burn.spec.move

Key Specifications Added:

1. Global Invariants:

• Ensures BurnCounter is always initialized before operations
• Maintains lifetime burned and recycled counters within MAX_U64
• Enforces consistent state management across burn operations

2. Function Specifications:

• initialize(): Verifies proper initialization of burn counter
• epoch_burn_fees(): Ensures safe fee burning and state updates
• burn_and_track(): Validates burn operations and counter updates
• set_send_community(): Manages community burn preferences

3. Safety Properties:

• Arithmetic overflow prevention for burn counters
• Authorization checks for privileged operations
• Resource existence validation
• Safe state transitions during burns

4. State Management:

• BurnCounter resource invariants
• UserBurnPreference state consistency
• Proper tracking of burned and recycled amounts
• Safe counter updates during operations

These specifications help ensure:

• Safe initialization of burn tracking
• Proper authorization for burn operations
• Prevention of counter overflows
• Consistent state updates during burns
• Safe community preference management

Testing:

• All specifications verified using Move Prover
• Abort conditions comprehensively specified
• State transitions fully verified
• Resource management safety confirmed

The burn module specifications provide critical safety guarantees for:

1. Tracking burned coins accurately
2. Managing recycled amounts safely
3. Handling community burn preferences
4. Maintaining consistent burn state
5. Preventing unauthorized operations

These formal specifications help ensure the burn module operates safely and correctly under all conditions.

[0o-de-lally]

Really tremendous first PR! No changes necessary to merge. There are a couple opportunities for more code comments.
Amazing!

[0o-de-lally]

good one, an important check for all system state

[0o-de-lally]

nice. it might be good to check that some of the interim calculations don't overflow as well.

[0o-de-lally]

Great. For future reference: this is an important check for all initializers. There is the 0x0 address which is the VM and the 0x1 which is framework. In the past, and in tests we have used is_root(), which would actually cause missing state if we used 0x0. So yes, this is an important check going forward.

[0o-de-lally]

Nicely done here. Perhaps add a comment about where result_1 comes from.

[0o-de-lally]

Looks good. One check we could possibly add for completeness, is that system addresses should not be able to add this.

[0o-de-lally]

Great! Something we have been concerned about in the past.

[0o-de-lally]

Would be great if you added the same code comments as you did in burn.move.spec: preconditions, aborts, postconditions.

[0o-de-lally]

I'm not 100% what is being checked here, it may be I forgot how it this check works. Can you add a comment?

[0o-de-lally]

@Jayfromthe13th All looks good above, except that one of our CI tests is failing on a Move compilation issue. I haven't seen this before. The rest of the Move code compiles and tests fine. It's just on our Upgrade verification.

https://github.com/0LNetworkCommunity/libra-framework/actions/runs/11947536237/job/33395319449#step:5:1190

[dboreham]

This looks great thanks. However I noticed that these tests appear to fail in CI:
https://github.com/0LNetworkCommunity/libra-framework/actions/runs/11947536238/job/33395302385#step:5:308
Even more interesting -- the CI job actually shows as passing even though there are fatal errors output by the move prover.
So presumably we have a bug somewhere in the connecting up between test result and action step pass/fail?

[kalvkusk]

run: make -f prover.mk prove
possibly subcommand that runs actual prover tests fails, but make command exits with 0 ( success), hence the job is marked success.

[Jayfromthe13th]

Thanks for the feedback. I'll make those changes @0o-de-lally . Also, thanks for catching this @dboreham ! It does seem like there's an issue with the make command not propagating the error correctly. I’ll investigate further and see locally to confirm. Ik there was some recent updates with the fv which may be causing issues depending