Debug: Reduce number of macros, assimilate to CBMC assertions

Previously, debug.h provided a host of bounds checking assertions,
such as POLY_BOUND, POLY_UBOUND, POLY_BOUND_MSG, POLYVEC_BOUND, ...

This commit simplifies debug.h by reducing to three assertions
- debug_assert: For any boolean valued assertion
- debug_assert_bound: For a lower+upper bounds assertion on an array,
    akin to the CBMC assertion array_bound
- debug_assert_abs_bound: For an absolute bounds assertion on an array,
    akin to the CBMC assertion array_abs_bound.

Moreover, assertion strings are removed: The filename and linenumber
already provide enough information to locate the issue when an assertion
fails -- the additional test clutters the code and doesn't add much.

While adjusting the code, two smaller issues were noted and fixed:
- The debug assertions had gone out of sync with the CBMC specs for
  the basemul functions: The CBMC spec would assert that the a-input
  is coefficient-wise in [0..4095], while the debug assertions would
  assert an absolute bound. This is unified by using bound by [0..4095]
  as proved correct by CBMC.
- In `poly_basemul_montgomery_cached`, a debug assertion was placed on
  the mulcache what should have been placed on the a-input. This is fixed.
- The documentation of `poly_basemul_montgomery_cached` had gone out of
  sync with the CBMC assertions: The documentation still stated the older
  output bound by 3/2q, while the CBMC assertions showed only 2q. This change
  stemmed from the recent relaxation of input bounds from MLKEM_Q -> 4096.
  Also, there was no debug-assertion for the post-condition, which is added.

Signed-off-by: Hanno Becker <[email protected]>

Author: hanno-becker

examples/monolithic_build/mlkem_native_monobuild.c

@@ -358,114 +358,39 @@
 #undef empty_cu_debug
 #endif
 
-/* mlkem/debug/debug.h */
-#if defined(BOUND)
-#undef BOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(BOUND)
-#undef BOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(CASSERT)
-#undef CASSERT
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(CASSERT)
-#undef CASSERT
-#endif
-
 /* mlkem/debug/debug.h */
 #if defined(MLKEM_DEBUG_H)
 #undef MLKEM_DEBUG_H
 #endif
 
 /* mlkem/debug/debug.h */
-#if defined(POLYVEC_BOUND)
-#undef POLYVEC_BOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLYVEC_BOUND)
-#undef POLYVEC_BOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLYVEC_UBOUND)
-#undef POLYVEC_UBOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLYVEC_UBOUND)
-#undef POLYVEC_UBOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_BOUND)
-#undef POLY_BOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_BOUND)
-#undef POLY_BOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_BOUND_MSG)
-#undef POLY_BOUND_MSG
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_BOUND_MSG)
-#undef POLY_BOUND_MSG
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_UBOUND)
-#undef POLY_UBOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_UBOUND)
-#undef POLY_UBOUND
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_UBOUND_MSG)
-#undef POLY_UBOUND_MSG
-#endif
-
-/* mlkem/debug/debug.h */
-#if defined(POLY_UBOUND_MSG)
-#undef POLY_UBOUND_MSG
+#if defined(debug_assert)
+#undef debug_assert
 #endif
 
 /* mlkem/debug/debug.h */
-#if defined(SCALAR_BOUND)
-#undef SCALAR_BOUND
+#if defined(debug_assert)
+#undef debug_assert
 #endif
 
 /* mlkem/debug/debug.h */
-#if defined(SCALAR_BOUND)
-#undef SCALAR_BOUND
+#if defined(debug_assert_abs_bound)
+#undef debug_assert_abs_bound
 #endif
 
 /* mlkem/debug/debug.h */
-#if defined(STATIC_ASSERT)
-#undef STATIC_ASSERT
+#if defined(debug_assert_abs_bound)
+#undef debug_assert_abs_bound
 #endif
 
 /* mlkem/debug/debug.h */
-#if defined(UBOUND)
-#undef UBOUND
+#if defined(debug_assert_bound)
+#undef debug_assert_bound
 #endif
 
 /* mlkem/debug/debug.h */
-#if defined(UBOUND)
-#undef UBOUND
+#if defined(debug_assert_bound)
+#undef debug_assert_bound
 #endif
 
 /* mlkem/debug/debug.h */

mlkem/cbmc.h

@@ -13,7 +13,7 @@
 
 #define __contract__(x)
 #define __loop__(x)
-#define cassert(x, y)
+#define cassert(x)
 
 #else /* CBMC _is_ defined, therefore we're doing proof */
 
@@ -30,7 +30,7 @@
 #define invariant(...) __CPROVER_loop_invariant(__VA_ARGS__)
 #define decreases(...) __CPROVER_decreases(__VA_ARGS__)
 /* cassert to avoid confusion with in-built assert */
-#define cassert(...) __CPROVER_assert(__VA_ARGS__)
+#define cassert(x) __CPROVER_assert(x, "cbmc assertion failed")
 #define assume(...) __CPROVER_assume(__VA_ARGS__)
 
 /***************************************************

mlkem/debug/debug.c

@@ -7,24 +7,23 @@
 #if defined(MLKEM_DEBUG)
 
 #include <stdio.h>
+#include <stdlib.h>
 #include "debug.h"
 
 #define MLKEM_NATIVE_DEBUG_ERROR_HEADER "[ERROR:%s:%04d] "
 
-void mlkem_debug_assert(const char *file, int line, const char *description,
-                        const int val)
+void mlkem_debug_assert(const char *file, int line, const int val)
 {
   if (val == 0)
   {
     fprintf(stderr,
-            MLKEM_NATIVE_DEBUG_ERROR_HEADER "Assertion failed: %s (value %d)\n",
-            file, line, description, val);
+            MLKEM_NATIVE_DEBUG_ERROR_HEADER "Assertion failed (value %d)\n",
+            file, line, val);
     exit(1);
   }
 }
 
-void mlkem_debug_check_bounds(const char *file, int line,
-                              const char *description, const int16_t *ptr,
+void mlkem_debug_check_bounds(const char *file, int line, const int16_t *ptr,
                               unsigned len, int lower_bound_exclusive,
                               int upper_bound_exclusive)
 {
@@ -35,11 +34,12 @@ void mlkem_debug_check_bounds(const char *file, int line,
     int16_t val = ptr[i];
     if (!(val > lower_bound_exclusive && val < upper_bound_exclusive))
     {
-      fprintf(stderr,
-              MLKEM_NATIVE_DEBUG_ERROR_HEADER
-              "%s, index %u, value %d out of bounds (%d,%d)\n",
-              file, line, description, i, (int)val, lower_bound_exclusive,
-              upper_bound_exclusive);
+      fprintf(
+          stderr,
+          MLKEM_NATIVE_DEBUG_ERROR_HEADER
+          "Bounds assertion failed: Index %u, value %d out of bounds (%d,%d)\n",
+          file, line, i, (int)val, lower_bound_exclusive,
+          upper_bound_exclusive);
       err = 1;
     }
   }