Standardize on signed integers in quantifiers and loops.

Specifically, use signed "int" for:
1. for loop counters
2. quantified expressions
3. variables and struct fields that count or index into arrays
4. formal parameters for array indexes, offsets and counts

Additionally, strengthen pre-conditions on polyvecl_add()
and polyveck_add() to stabilize proof of those functions
for all parameter sets.

Signed-off-by: Rod Chapman <[email protected]>

Author: rod-chapman

dev/aarch64_clean/meta.h

@@ -32,6 +32,7 @@
 
 
 #if !defined(__ASSEMBLER__)
+#include <stddef.h>
 #include "src/arith_native_aarch64.h"
 
 static MLD_INLINE void mld_ntt_native(int32_t data[MLDSA_N])
@@ -46,24 +47,23 @@ static MLD_INLINE void mld_intt_native(int32_t data[MLDSA_N])
                mld_aarch64_intt_zetas_layer123456);
 }
 
-static MLD_INLINE int mld_rej_uniform_native(int32_t *r, unsigned len,
-                                             const uint8_t *buf,
-                                             unsigned buflen)
+static MLD_INLINE int mld_rej_uniform_native(int32_t *r, int len,
+                                             const uint8_t *buf, int buflen)
 {
   if (len != MLDSA_N || buflen % 24 != 0)
   {
     return -1;
   }
 
-  /* Safety: outlen is at most MLDSA_N, hence, this cast is safe. */
+  /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
   return (int)mld_rej_uniform_asm(r, buf, buflen, mld_rej_uniform_table);
 }
 
-static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
+static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, int len,
                                                   const uint8_t *buf,
-                                                  unsigned buflen)
+                                                  int buflen)
 {
-  unsigned int outlen;
+  int32_t outlen;
   /* AArch64 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AARCH64_REJ_UNIFORM_ETA2_BUFLEN)
   {
@@ -78,16 +78,16 @@ static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
   outlen = mld_rej_uniform_eta2_asm(r, buf, buflen, mld_rej_uniform_eta_table);
-  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
+  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * (size_t)outlen);
   /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
   return (int)outlen;
 }
 
-static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
+static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, int len,
                                                   const uint8_t *buf,
-                                                  unsigned buflen)
+                                                  int buflen)
 {
-  unsigned int outlen;
+  int32_t outlen;
   /* AArch64 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AARCH64_REJ_UNIFORM_ETA4_BUFLEN)
   {
@@ -102,7 +102,7 @@ static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
   outlen = mld_rej_uniform_eta4_asm(r, buf, buflen, mld_rej_uniform_eta_table);
-  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
+  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * (size_t)outlen);
   /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
   return (int)outlen;
 }

dev/aarch64_clean/src/arith_native_aarch64.h

@@ -56,16 +56,16 @@ void mld_ntt_asm(int32_t *, const int32_t *, const int32_t *);
 void mld_intt_asm(int32_t *, const int32_t *, const int32_t *);
 
 #define mld_rej_uniform_asm MLD_NAMESPACE(rej_uniform_asm)
-uint64_t mld_rej_uniform_asm(int32_t *r, const uint8_t *buf, unsigned buflen,
+uint64_t mld_rej_uniform_asm(int32_t *r, const uint8_t *buf, int32_t buflen,
                              const uint8_t *table);
 
 #define mld_rej_uniform_eta2_asm MLD_NAMESPACE(rej_uniform_eta2_asm)
-unsigned mld_rej_uniform_eta2_asm(int32_t *r, const uint8_t *buf,
-                                  unsigned buflen, const uint8_t *table);
+int32_t mld_rej_uniform_eta2_asm(int32_t *r, const uint8_t *buf, int32_t buflen,
+                                 const uint8_t *table);
 
 #define mld_rej_uniform_eta4_asm MLD_NAMESPACE(rej_uniform_eta4_asm)
-unsigned mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
-                                  unsigned buflen, const uint8_t *table);
+int32_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf, int32_t buflen,
+                                 const uint8_t *table);
 
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
 void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0, const int32_t *a);

dev/x86_64/meta.h

@@ -31,6 +31,7 @@
 #define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7
 
 #if !defined(__ASSEMBLER__)
+#include <stddef.h>
 #include <string.h>
 #include "../../common.h"
 #include "src/arith_native_x86_64.h"
@@ -49,9 +50,8 @@ static MLD_INLINE void mld_intt_native(int32_t data[MLDSA_N])
   mld_invntt_avx2((__m256i *)data, mld_qdata.vec);
 }
 
-static MLD_INLINE int mld_rej_uniform_native(int32_t *r, unsigned len,
-                                             const uint8_t *buf,
-                                             unsigned buflen)
+static MLD_INLINE int mld_rej_uniform_native(int32_t *r, int len,
+                                             const uint8_t *buf, int buflen)
 {
   /* AVX2 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AVX2_REJ_UNIFORM_BUFLEN)
@@ -63,11 +63,11 @@ static MLD_INLINE int mld_rej_uniform_native(int32_t *r, unsigned len,
   return (int)mld_rej_uniform_avx2(r, buf);
 }
 
-static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
+static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, int len,
                                                   const uint8_t *buf,
-                                                  unsigned buflen)
+                                                  int buflen)
 {
-  unsigned int outlen;
+  int32_t outlen;
   /* AVX2 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AVX2_REJ_UNIFORM_ETA2_BUFLEN)
   {
@@ -83,16 +83,16 @@ static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
   outlen = mld_rej_uniform_eta2_avx2(r, buf);
-  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
+  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * (size_t)outlen);
   /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
   return (int)outlen;
 }
 
-static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
+static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, int len,
                                                   const uint8_t *buf,
-                                                  unsigned buflen)
+                                                  int buflen)
 {
-  unsigned int outlen;
+  int32_t outlen;
   /* AVX2 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AVX2_REJ_UNIFORM_ETA4_BUFLEN)
   {
@@ -108,7 +108,7 @@ static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
   outlen = mld_rej_uniform_eta4_avx2(r, buf);
-  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
+  MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * (size_t)outlen);
   /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
   return (int)outlen;
 }

dev/x86_64/src/arith_native_x86_64.h

@@ -43,15 +43,15 @@ void mld_invntt_avx2(__m256i *r, const __m256i *mld_qdata);
 void mld_nttunpack_avx2(__m256i *r);
 
 #define mld_rej_uniform_avx2 MLD_NAMESPACE(mld_rej_uniform_avx2)
-unsigned mld_rej_uniform_avx2(int32_t *r,
-                              const uint8_t buf[MLD_AVX2_REJ_UNIFORM_BUFLEN]);
+int32_t mld_rej_uniform_avx2(int32_t *r,
+                             const uint8_t buf[MLD_AVX2_REJ_UNIFORM_BUFLEN]);
 
 #define mld_rej_uniform_eta2_avx2 MLD_NAMESPACE(mld_rej_uniform_eta2_avx2)
-unsigned mld_rej_uniform_eta2_avx2(
+int32_t mld_rej_uniform_eta2_avx2(
     int32_t *r, const uint8_t buf[MLD_AVX2_REJ_UNIFORM_ETA2_BUFLEN]);
 
 #define mld_rej_uniform_eta4_avx2 MLD_NAMESPACE(mld_rej_uniform_eta4_avx2)
-unsigned mld_rej_uniform_eta4_avx2(
+int32_t mld_rej_uniform_eta4_avx2(
     int32_t *r, const uint8_t buf[MLD_AVX2_REJ_UNIFORM_ETA4_BUFLEN]);
 
 #define mld_poly_decompose_32_avx2 MLD_NAMESPACE(mld_poly_decompose_32_avx2)

dev/x86_64/src/rej_uniform_avx2.c

@@ -36,8 +36,8 @@
  *            frontend to perform the unintuitive padding.
  */
 
-unsigned int mld_rej_uniform_avx2(
-    int32_t *MLD_RESTRICT r, const uint8_t buf[MLD_AVX2_REJ_UNIFORM_BUFLEN])
+int32_t mld_rej_uniform_avx2(int32_t *MLD_RESTRICT r,
+                             const uint8_t buf[MLD_AVX2_REJ_UNIFORM_BUFLEN])
 {
   unsigned int ctr, pos;
   uint32_t good;
@@ -116,7 +116,7 @@ unsigned int mld_rej_uniform_avx2(
     }
   }
 
-  return ctr;
+  return (int32_t)ctr;
 }
 
 #else /* MLD_ARITH_BACKEND_X86_64_DEFAULT && !MLD_CONFIG_MULTILEVEL_NO_SHARED \

dev/x86_64/src/rej_uniform_eta2_avx2.c

@@ -35,7 +35,7 @@
  *            rej_eta_avx and supports multiple values for ETA via preprocessor
  *            conditionals. We move the conditionals to the frontend.
  */
-unsigned int mld_rej_uniform_eta2_avx2(
+int32_t mld_rej_uniform_eta2_avx2(
     int32_t *MLD_RESTRICT r,
     const uint8_t buf[MLD_AVX2_REJ_UNIFORM_ETA2_BUFLEN])
 {
@@ -139,7 +139,7 @@ unsigned int mld_rej_uniform_eta2_avx2(
     }
   }
 
-  return ctr;
+  return (int32_t)ctr;
 }
 
 #else /* MLD_ARITH_BACKEND_X86_64_DEFAULT && !MLD_CONFIG_MULTILEVEL_NO_SHARED \

dev/x86_64/src/rej_uniform_eta4_avx2.c

@@ -36,7 +36,7 @@
  *            conditionals. We move the conditionals to the frontend.
  */
 
-unsigned int mld_rej_uniform_eta4_avx2(
+int32_t mld_rej_uniform_eta4_avx2(
     int32_t *MLD_RESTRICT r,
     const uint8_t buf[MLD_AVX2_REJ_UNIFORM_ETA4_BUFLEN])
 {
@@ -123,7 +123,7 @@ unsigned int mld_rej_uniform_eta4_avx2(
     }
   }
 
-  return ctr;
+  return (int32_t)ctr;
 }
 
 #else /* MLD_ARITH_BACKEND_X86_64_DEFAULT && !MLD_CONFIG_MULTILEVEL_NO_SHARED \

mldsa/src/cbmc.h

@@ -93,14 +93,14 @@
 #define forall(qvar, qvar_lb, qvar_ub, predicate)                 \
   __CPROVER_forall                                                \
   {                                                               \
-    unsigned qvar;                                                \
+    signed int qvar;                                              \
     ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==> (predicate)   \
   }
 
 #define exists(qvar, qvar_lb, qvar_ub, predicate)         \
   __CPROVER_exists                                              \
   {                                                             \
-    unsigned qvar;                                              \
+    signed int qvar;                                            \
     ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) && (predicate)  \
   }
 /* clang-format on */
@@ -119,7 +119,7 @@
                          value_lb, value_ub)                           \
   __CPROVER_forall                                                     \
   {                                                                    \
-    unsigned qvar;                                                     \
+    signed int qvar;                                                   \
     ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
         (((int)(value_lb) <= ((array_var)[(qvar)])) &&		       \
          (((array_var)[(qvar)]) < (int)(value_ub)))		       \

mldsa/src/debug.c

@@ -30,11 +30,11 @@ void mld_debug_check_assert(const char *file, int line, const int val)
 }
 
 void mld_debug_check_bounds(const char *file, int line, const int32_t *ptr,
-                            unsigned len, int64_t lower_bound_exclusive,
+                            int len, int64_t lower_bound_exclusive,
                             int64_t upper_bound_exclusive)
 {
   int err = 0;
-  unsigned i;
+  int i;
   for (i = 0; i < len; i++)
   {
     int32_t val = ptr[i];

mldsa/src/debug.h

@@ -43,7 +43,7 @@ void mld_debug_check_assert(const char *file, int line, const int val);
  **************************************************/
 #define mld_debug_check_bounds MLD_NAMESPACE(mldsa_debug_check_bounds)
 void mld_debug_check_bounds(const char *file, int line, const int32_t *ptr,
-                            unsigned len, int64_t lower_bound_exclusive,
+                            int len, int64_t lower_bound_exclusive,
                             int64_t upper_bound_exclusive);
 
 /* Check assertion, calling exit() upon failure