BLVM Spec Lock
Purpose-built formal verification tool for Bitcoin Commons.
Locking mechanism: See docs/LOCKING_MECHANISM.md for the full lifecycle (discover → enrich → verify), attribute syntax, and status semantics. Spec wording: See SPEC_WORDING.md for parseable condition patterns. How to annotate: See docs/ANNOTATION_GUIDE.md for adding #[spec_locked] to new functions.
Overview
BLVM Spec Lock provides formal verification for Bitcoin consensus code by:
- Linking Rust functions to Orange Paper specifications via
#[spec_locked]attributes - Verifying contracts (
#[requires]and#[ensures]) using static analysis and Z3 - Providing a
cargo test-like CLI experience
Installation
The binary will be at target/release/cargo-spec-lock.
To use as a cargo subcommand, create a symlink:
Usage
Basic Verification
# Verify all functions with #[spec_locked]
# With Orange Paper: derive contracts from spec (required for 0 no-contracts)
# Strict mode: fail on partial or no-contracts (for CI gates)
# Verify specific file
# Verify by subsystem
# Verify by function name
# Verify by Orange Paper section
# Lock status summary (no verification)
Output Formats
# Human-readable (default)
# JSON
# JUnit XML (for CI)
Writing Contracts
use spec_locked;
Related Projects (blvm-spec-lock sibling to blvm-consensus, blvm-spec)
From blvm-spec-lock directory:
# Verify blvm-consensus (140 functions)
# Verify blvm-node (Dandelion 10.6)
With Z3: add --features z3 to the cargo run command.
Validation
- Negative test:
cargo test wrong_implementation_fails— wrong impl must fail verification. - Spec coverage:
cargo spec-lock coverage --spec-path ...— theorems → contracts → parseable %. - Drift:
cargo spec-lock check-drift --spec-path ...— unparseable contracts, missing impls.--scoped-unparseableslimits unparseable failures to Orange Paper sections under the crate’s#[spec_locked("…")]prefixes.
Spec Wording
Orange Paper conditions must be parseable for verification. See SPEC_WORDING.md for:
- Supported patterns (
\in {true, false},extracts lower N bits, etc.) - LaTeX → Rust translation (
\land→&,≥→>=) - What to avoid (activation heights in conditions, mixed prose)
To add #[spec_locked] to new functions, see docs/ANNOTATION_GUIDE.md.
Features
- Function Discovery: Automatically finds all
#[spec_locked]functions - Spec-derived Contracts: Orange Paper parser + lexer extract parseable conditions (LaTeX,
\text{},\geq, etc.) - Contract Parsing: Extracts
#[requires]and#[ensures]attributes - Static Checking: Fast Rust-based checks for simple properties
- Z3 Verification: Full SMT solving for complex properties (requires
--features z3) - Flexible Filtering: By file, subsystem, name, or Orange Paper section
- Multiple Output Formats: Human-readable, JSON, JUnit XML, Markdown
Z3 Support
Z3 verification requires the z3 feature and system dependencies:
Arch Linux
# Install Z3, LLVM, LLVM libs, and clang (required for bindgen)
# Build with Z3 feature
# Run verification
Important: You need both llvm and llvm-libs packages. The llvm package provides static libraries, while llvm-libs provides the shared libraries (.so files) that bindgen needs.
Note: Ensure LLVM and llvm-libs versions match your clang version. If you have clang 21.x, you need llvm 21.x and llvm-libs 21.x. If versions don't match:
Other Linux Distributions
For Debian/Ubuntu:
For other distributions, install:
- Z3 development libraries
- LLVM and clang (matching versions)
- libclang development headers