runtimeverification
diff --git a/‎kmir/src/kmir/kdist/mir-semantics/rt/data.md‎
Lines changed: 351 additions & 23 deletions b/‎kmir/src/kmir/kdist/mir-semantics/rt/data.md‎
Lines changed: 351 additions & 23 deletions
@@ -1456,28 +1456,6 @@ What can be supported without additional layout consideration is trivial casts b
       requires lookupTy(TY_SOURCE) ==K lookupTy(TY_TARGET)
 ```
 
-Transmuting a pointer to an integer discards provenance and reinterprets the pointer’s offset as a value of the target integer type.
-
-```k
-  // `prove-rs/interior-mut3.rs` needs this
-  // TODO: check its correctness, I assume the pointer offset is the address here and we can use it to recover the PtrLocal
-  rule <k> #cast(
-              PtrLocal(_, _, _, metadata(_, PTR_OFFSET, _)),
-              castKindTransmute,
-              _TY_SOURCE,
-              TY_TARGET
-            )
-          =>
-            #intAsType(
-              PTR_OFFSET,
-              #bitWidth(#numTypeOf(lookupTy(TY_TARGET))),
-              #numTypeOf(lookupTy(TY_TARGET))
-            )
-          ...
-        </k>
-      requires #isIntType(lookupTy(TY_TARGET))
-```
-
 Other `Transmute` casts that can be resolved are round-trip casts from type A to type B and then directly back from B to A.
 The first cast is reified as a `thunk`, the second one resolves it and eliminates the `thunk`:
 
@@ -1582,6 +1560,50 @@ Casting an integer to a `[u8; N]` array materialises its little-endian bytes.
   rule #staticArrayLenBits(_OTHER) => 0 [owise]
 ```
 
+Transmuting a raw pointer to an integer (and back) uses a reversible encoding that serialises the pointer provenance,
+its place/projection, mutability and metadata into a natural number. The helpers that implement this encoding are
+documented in the [Pointer/Integer Encoding Helpers](#pointerinteger-encoding-helpers) section at the end of this file.
+The encoding must fit the destination integer width; decoding rehydrates the pointer metadata and reinterprets the
+byte offset for the target pointee type.
+
+```k
+  rule <k> #cast(
+              PtrLocal(_, _, _, _) #as PTR,
+              castKindTransmute,
+              TY_SOURCE,
+              TY_TARGET
+            )
+          =>
+            #ptrIntValue(
+              #encodePtrInt(PTR, pointeeTy(lookupTy(TY_SOURCE))),
+              #numTypeOf(lookupTy(TY_TARGET))
+            )
+          ...
+        </k>
+      requires #isIntType(lookupTy(TY_TARGET))
+       andBool #isRawPointerType(lookupTy(TY_SOURCE))
+
+  rule <k> #cast(
+              Integer(VAL, WIDTH, SIGNED) #as _INT,
+              castKindTransmute,
+              TY_SOURCE,
+              TY_TARGET
+            )
+          =>
+            #ptrWithOffset(
+              #decodePtrBase(#cantorUnpairLeft(#unsignedFromIntValue(VAL, WIDTH, SIGNED))),
+              #bytesToPtrOffset(
+                #cantorUnpairRight(#unsignedFromIntValue(VAL, WIDTH, SIGNED)),
+                pointeeTy(lookupTy(TY_TARGET))
+              ),
+              lookupTy(TY_TARGET)
+            )
+          ...
+        </k>
+      requires #isIntType(lookupTy(TY_SOURCE))
+       andBool #isRawPointerType(lookupTy(TY_TARGET))
+```
+
 A transmutation from an integer to an enum is wellformed if:
 - The bit width of the incoming integer is the same as the discriminant type of the enum
     (e.g. `u8 -> i8` fine, `u8 -> u16` not fine) - this is guaranteed by the compiler;
@@ -2197,11 +2219,317 @@ A trivial case where `binOpOffset` applies an offset of `0` is added with higher
           _CHECKED)
     =>
           PtrLocal( STACK_DEPTH , PLACE , MUT, metadata(CURRENT_SIZE, CURRENT_OFFSET +Int OFFSET_VAL, staticSize(ORIGIN_SIZE)) )
-    requires OFFSET_VAL >=Int 0
+   requires OFFSET_VAL >=Int 0
      andBool CURRENT_OFFSET +Int OFFSET_VAL <=Int ORIGIN_SIZE
    [preserves-definedness]
 ```
 
+## Pointer/Integer Encoding Helpers
+
+The pointer/int transmute rules rely on a reversible encoding that serialises all pointer components into a single
+natural number. The encoding uses Cantor pairing/unpairing to store structured data (stack depth, place/projection,
+mutability, metadata, byte offset). A small helper recognises raw pointer `TypeInfo`s so that these rules do not match
+non-pointer transmutes.
+
+```k
+  syntax Bool ::= #isRawPointerType ( TypeInfo ) [function, total]
+  rule #isRawPointerType(typeInfoPtrType(_)) => true
+  rule #isRawPointerType(_) => false [owise]
+
+  syntax Value ::= #ptrWithOffset ( Value , Int , TypeInfo ) [function, total]
+  rule #ptrWithOffset(PtrLocal(STACK, PLACE, MUT, metadata(SIZE, _, ORIGIN)), OFFSET, TYINFO)
+    => PtrLocal(STACK, PLACE, MUT, #convertMetadata(metadata(SIZE, OFFSET, ORIGIN), TYINFO))
+  rule #ptrWithOffset(VAL:Value, _, _) => VAL [owise]
+
+  syntax Int ::= #encodePtrInt ( Value , MaybeTy ) [function, total]
+  rule #encodePtrInt(PtrLocal(STACK, PLACE, MUT, metadata(SIZE, PTR_OFFSET, ORIGIN)), TY)
+    => #cantorPair(
+         #encodePtrBase(PtrLocal(STACK, PLACE, MUT, metadata(SIZE, PTR_OFFSET, ORIGIN))),
+         #ptrOffsetBytes(PTR_OFFSET, TY)
+       )
+  rule #encodePtrInt(_OTHER:Value, _) => 0 [owise]
+
+  syntax Value ::= #ptrIntValue ( Int , NumTy ) [function]
+  rule #ptrIntValue(ENC, INTTY:IntTy)
+    => Integer(ENC, #bitWidth(INTTY), true)
+  rule #ptrIntValue(ENC, UINTTY:UintTy)
+    => Integer(ENC, #bitWidth(UINTTY), false)
+  rule #ptrIntValue(_, FLOATTY:FloatTy)
+    => Integer(0, #bitWidth(FLOATTY), false)
+  rule #ptrIntValue(_, _) => Integer(0, 0, false) [owise]
+
+  syntax Int ::= #unsignedFromIntValue ( Int , Int , Bool ) [function, total]
+  rule #unsignedFromIntValue(VAL, _WIDTH, _SIGNED) => VAL
+    requires VAL >=Int 0
+  rule #unsignedFromIntValue(VAL, WIDTH, _SIGNED)
+    => VAL +Int (1 <<Int WIDTH)
+    requires VAL <Int 0
+
+  syntax Int ::= #intToNat ( Int ) [function, total]
+  rule #intToNat(VAL) => 2 *Int VAL
+    requires VAL >=Int 0
+  rule #intToNat(VAL) => 0 -Int (2 *Int VAL) -Int 1
+    requires VAL <Int 0
+
+  syntax Int ::= #natToInt ( Int ) [function, total]
+  rule #natToInt(N) => N /Int 2
+    requires N >=Int 0
+     andBool N modInt 2 ==Int 0
+  rule #natToInt(N) => 0 -Int ((N +Int 1) /Int 2)
+    requires N >=Int 0
+     andBool N modInt 2 ==Int 1
+
+  syntax Int ::= #tri ( Int ) [function, total]
+  rule #tri(T) => (T *Int (T +Int 1)) /Int 2
+
+  syntax Int ::= #cantorPair ( Int , Int ) [function, total]
+  rule #cantorPair(A, B)
+    => ((A +Int B) *Int (A +Int B +Int 1)) /Int 2 +Int B
+    requires A >=Int 0
+     andBool B >=Int 0
+
+  syntax Int ::= #cantorUnpairLeft ( Int ) [function, total]
+  syntax Int ::= #cantorUnpairRight( Int ) [function, total]
+  syntax Int ::= #cantorUnpairLeftAux ( Int , Int ) [function, total]
+  syntax Int ::= #cantorUnpairRightAux( Int , Int ) [function, total]
+
+  rule #cantorUnpairLeft(Z) => #cantorUnpairLeftAux(Z, 0)
+    requires Z >=Int 0
+  rule #cantorUnpairLeftAux(Z, T)
+    => T -Int (#tri(T) -Int Z)
+    requires Z <Int #tri(T)
+  rule #cantorUnpairLeftAux(Z, T)
+    => #cantorUnpairLeftAux(Z, T +Int 1)
+    requires Z >=Int #tri(T)
+
+  rule #cantorUnpairRight(Z) => #cantorUnpairRightAux(Z, 0)
+    requires Z >=Int 0
+  rule #cantorUnpairRightAux(Z, T)
+    => Z -Int #tri(T)
+    requires Z <Int #tri(T)
+  rule #cantorUnpairRightAux(Z, T)
+    => #cantorUnpairRightAux(Z, T +Int 1)
+    requires Z >=Int #tri(T)
+
+  syntax Int ::= #encodeBool ( Bool ) [function, total]
+  syntax Bool ::= #decodeBool ( Int ) [function, total]
+  rule #encodeBool(false) => 0
+  rule #encodeBool(true)  => 1
+  rule #decodeBool(0) => false
+  rule #decodeBool(1) => true
+  rule #decodeBool(_) => false [owise]
+
+  syntax Int ::= #encodeMIRBool ( MIRBool ) [function, total]
+  syntax MIRBool ::= #decodeMIRBool ( Int ) [function, total]
+  rule #encodeMIRBool(mirBool(B)) => #encodeBool(B)
+  rule #encodeMIRBool(_) => 0 [owise]
+  rule #decodeMIRBool(N) => mirBool(#decodeBool(N))
+
+  syntax Int ::= #encodeMIRInt ( MIRInt ) [function, total]
+  syntax MIRInt ::= #decodeMIRInt ( Int ) [function, total]
+  rule #encodeMIRInt(mirInt(I)) => #intToNat(I)
+  rule #encodeMIRInt(_) => 0 [owise]
+  rule #decodeMIRInt(N) => mirInt(#natToInt(N))
+
+  syntax Int ::= #encodeLocal ( Local ) [function, total]
+  syntax Local ::= #decodeLocal ( Int ) [function, total]
+  rule #encodeLocal(local(I)) => #intToNat(I)
+  rule #decodeLocal(N) => local(#natToInt(N))
+    requires N >=Int 0
+
+  syntax Int ::= #encodeFieldIdx ( FieldIdx ) [function, total]
+  syntax FieldIdx ::= #decodeFieldIdx ( Int ) [function, total]
+  rule #encodeFieldIdx(fieldIdx(I)) => #intToNat(I)
+  rule #decodeFieldIdx(N) => fieldIdx(#natToInt(N))
+    requires N >=Int 0
+
+  syntax Int ::= #encodeVariantIdx ( VariantIdx ) [function, total]
+  syntax VariantIdx ::= #decodeVariantIdx ( Int ) [function, total]
+  rule #encodeVariantIdx(variantIdx(I)) => #intToNat(I)
+  rule #encodeVariantIdx(_) => 0 [owise]
+  rule #decodeVariantIdx(N) => variantIdx(#natToInt(N))
+    requires N >=Int 0
+
+  syntax Int ::= #encodeTy ( Ty ) [function, total]
+  syntax Ty ::= #decodeTy ( Int ) [function, total]
+  rule #encodeTy(ty(I)) => #intToNat(I)
+  rule #decodeTy(N) => ty(#natToInt(N))
+    requires N >=Int 0
+
+  syntax Int ::= #encodeMutability ( Mutability ) [function, total]
+  syntax Mutability ::= #decodeMutability ( Int ) [function, total]
+  rule #encodeMutability(mutabilityNot) => 0
+  rule #encodeMutability(mutabilityMut) => 1
+  rule #decodeMutability(0) => mutabilityNot
+  rule #decodeMutability(1) => mutabilityMut
+  rule #decodeMutability(_) => mutabilityNot [owise]
+
+  syntax Int ::= #encodeMetadataSize ( MetadataSize ) [function, total]
+  syntax MetadataSize ::= #decodeMetadataSize ( Int ) [function, total]
+  rule #encodeMetadataSize(noMetadataSize) => 0
+  rule #encodeMetadataSize(staticSize(SIZE)) => 1 +Int #cantorPair(0, #intToNat(SIZE))
+  rule #encodeMetadataSize(dynamicSize(SIZE)) => 1 +Int #cantorPair(1, #intToNat(SIZE))
+  rule #decodeMetadataSize(0) => noMetadataSize
+  rule #decodeMetadataSize(ENC)
+    => staticSize(#natToInt(#cantorUnpairRight(ENC -Int 1)))
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 0
+  rule #decodeMetadataSize(ENC)
+    => dynamicSize(#natToInt(#cantorUnpairRight(ENC -Int 1)))
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 1
+
+  syntax Int ::= #encodeMetadata ( Metadata ) [function, total]
+  syntax Metadata ::= #decodeMetadata ( Int ) [function, total]
+  rule #encodeMetadata(metadata(SIZE, PTR_OFFSET, ORIGIN))
+    => #cantorPair(
+         #encodeMetadataSize(SIZE),
+         #cantorPair(#intToNat(PTR_OFFSET), #encodeMetadataSize(ORIGIN))
+       )
+  rule #decodeMetadata(ENC)
+    => metadata(
+         #decodeMetadataSize(#cantorUnpairLeft(ENC)),
+         #natToInt(#cantorUnpairLeft(#cantorUnpairRight(ENC))),
+         #decodeMetadataSize(#cantorUnpairRight(#cantorUnpairRight(ENC)))
+       )
+    requires ENC >=Int 0
+
+  syntax Int ::= #encodeProjectionElem ( ProjectionElem ) [function, total]
+  syntax ProjectionElem ::= #decodeProjectionElem ( Int ) [function, total]
+  rule #encodeProjectionElem(projectionElemDeref) => 0
+  rule #encodeProjectionElem(projectionElemField(FIELD, TY))
+    => 1 +Int #cantorPair(0, #cantorPair(#encodeFieldIdx(FIELD), #encodeTy(TY)))
+  rule #encodeProjectionElem(projectionElemIndex(LOCAL))
+    => 1 +Int #cantorPair(1, #encodeLocal(LOCAL))
+  rule #encodeProjectionElem(projectionElemConstantIndex(OFFSET, MIN, FROM_END))
+    => 1 +Int #cantorPair(
+         2,
+         #cantorPair(
+           #encodeMIRInt(OFFSET),
+           #cantorPair(#encodeMIRInt(MIN), #encodeMIRBool(FROM_END))
+         )
+       )
+  rule #encodeProjectionElem(projectionElemSubslice(FROM, TO, FROM_END))
+    => 1 +Int #cantorPair(
+         3,
+         #cantorPair(
+           #encodeMIRInt(FROM),
+           #cantorPair(#encodeMIRInt(TO), #encodeMIRBool(FROM_END))
+         )
+       )
+  rule #encodeProjectionElem(projectionElemDowncast(VARIANT))
+    => 1 +Int #cantorPair(4, #encodeVariantIdx(VARIANT))
+  rule #encodeProjectionElem(projectionElemOpaqueCast(TY))
+    => 1 +Int #cantorPair(5, #encodeTy(TY))
+  rule #encodeProjectionElem(projectionElemSubtype(TY))
+    => 1 +Int #cantorPair(6, #encodeTy(TY))
+  rule #encodeProjectionElem(PointerOffset(OFFSET, LEN))
+    => 1 +Int #cantorPair(7, #cantorPair(#intToNat(OFFSET), #intToNat(LEN)))
+
+  rule #decodeProjectionElem(0) => projectionElemDeref
+  rule #decodeProjectionElem(ENC)
+    => projectionElemField(
+         #decodeFieldIdx(#cantorUnpairLeft(#cantorUnpairRight(ENC -Int 1))),
+         #decodeTy(#cantorUnpairRight(#cantorUnpairRight(ENC -Int 1)))
+       )
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 0
+  rule #decodeProjectionElem(ENC)
+    => projectionElemIndex(#decodeLocal(#cantorUnpairRight(ENC -Int 1)))
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 1
+  rule #decodeProjectionElem(ENC)
+    => projectionElemConstantIndex(
+         #decodeMIRInt(#cantorUnpairLeft(#cantorUnpairRight(ENC -Int 1))),
+         #decodeMIRInt(#cantorUnpairLeft(#cantorUnpairRight(#cantorUnpairRight(ENC -Int 1)))),
+         #decodeMIRBool(#cantorUnpairRight(#cantorUnpairRight(#cantorUnpairRight(ENC -Int 1))))
+       )
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 2
+  rule #decodeProjectionElem(ENC)
+    => projectionElemSubslice(
+         #decodeMIRInt(#cantorUnpairLeft(#cantorUnpairRight(ENC -Int 1))),
+         #decodeMIRInt(#cantorUnpairLeft(#cantorUnpairRight(#cantorUnpairRight(ENC -Int 1)))),
+         #decodeMIRBool(#cantorUnpairRight(#cantorUnpairRight(#cantorUnpairRight(ENC -Int 1))))
+       )
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 3
+  rule #decodeProjectionElem(ENC)
+    => projectionElemDowncast(#decodeVariantIdx(#cantorUnpairRight(ENC -Int 1)))
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 4
+  rule #decodeProjectionElem(ENC)
+    => projectionElemOpaqueCast(#decodeTy(#cantorUnpairRight(ENC -Int 1)))
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 5
+  rule #decodeProjectionElem(ENC)
+    => projectionElemSubtype(#decodeTy(#cantorUnpairRight(ENC -Int 1)))
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 6
+  rule #decodeProjectionElem(ENC)
+    => PointerOffset(
+         #natToInt(#cantorUnpairLeft(#cantorUnpairRight(ENC -Int 1))),
+         #natToInt(#cantorUnpairRight(#cantorUnpairRight(ENC -Int 1)))
+       )
+    requires ENC >Int 0
+     andBool #cantorUnpairLeft(ENC -Int 1) ==Int 7
+
+  syntax Int ::= #encodeProjectionElems ( ProjectionElems ) [function, total]
+  syntax ProjectionElems ::= #decodeProjectionElems ( Int ) [function, total]
+  rule #encodeProjectionElems(.ProjectionElems) => 0
+  rule #encodeProjectionElems(PROJ PROJS)
+    => 1 +Int #cantorPair(#encodeProjectionElem(PROJ), #encodeProjectionElems(PROJS))
+
+  rule #decodeProjectionElems(0) => .ProjectionElems
+  rule #decodeProjectionElems(ENC)
+    => #decodeProjectionElem(#cantorUnpairLeft(ENC -Int 1))
+       #decodeProjectionElems(#cantorUnpairRight(ENC -Int 1))
+    requires ENC >Int 0
+
+  syntax Int ::= #encodePlace ( Place ) [function, total]
+  syntax Place ::= #decodePlace ( Int ) [function, total]
+  rule #encodePlace(place(LOCAL, PROJS))
+    => #cantorPair(#encodeLocal(LOCAL), #encodeProjectionElems(PROJS))
+  rule #decodePlace(ENC)
+    => place(
+         #decodeLocal(#cantorUnpairLeft(ENC)),
+         #decodeProjectionElems(#cantorUnpairRight(ENC))
+       )
+    requires ENC >=Int 0
+
+  syntax Int ::= #encodePtrBase ( Value ) [function, total]
+  syntax Value ::= #decodePtrBase ( Int ) [function, total]
+  rule #encodePtrBase(PtrLocal(STACK, PLACE, MUT, META))
+    => #cantorPair(
+         #intToNat(STACK),
+         #cantorPair(
+           #encodePlace(PLACE),
+           #cantorPair(#encodeMutability(MUT), #encodeMetadata(META))
+         )
+       )
+  rule #encodePtrBase(_OTHER:Value) => 0 [owise]
+
+  rule #decodePtrBase(ENC)
+    => PtrLocal(
+         #natToInt(#cantorUnpairLeft(ENC)),
+         #decodePlace(#cantorUnpairLeft(#cantorUnpairRight(ENC))),
+         #decodeMutability(#cantorUnpairLeft(#cantorUnpairRight(#cantorUnpairRight(ENC)))),
+         #decodeMetadata(#cantorUnpairRight(#cantorUnpairRight(ENC)))
+       )
+    requires ENC >=Int 0
+
+  syntax Int ::= #ptrOffsetBytes ( Int , MaybeTy ) [function, total]
+  rule #ptrOffsetBytes(PTR_OFFSET, TyUnknown) => PTR_OFFSET
+  rule #ptrOffsetBytes(PTR_OFFSET, TY:Ty) => PTR_OFFSET *Int #elemSize(lookupTy(TY))
+
+  syntax Int ::= #bytesToPtrOffset ( Int , MaybeTy ) [function, total]
+  rule #bytesToPtrOffset(BYTES, TyUnknown) => BYTES
+  rule #bytesToPtrOffset(BYTES, TY:Ty)
+    => BYTES /Int #elemSize(lookupTy(TY))
+    requires #elemSize(lookupTy(TY)) >Int 0
+     andBool BYTES modInt #elemSize(lookupTy(TY)) ==Int 0
+```
+
 ```k
 endmodule
 ```