Skip to content

chore(deps): bump scry-sai-core from 2.6.0 to 3.0.0#617

Merged
temper-pulseengine[bot] merged 1 commit into
mainfrom
dependabot/cargo/scry-sai-core-3.0.0
Jul 6, 2026
Merged

chore(deps): bump scry-sai-core from 2.6.0 to 3.0.0#617
temper-pulseengine[bot] merged 1 commit into
mainfrom
dependabot/cargo/scry-sai-core-3.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps scry-sai-core from 2.6.0 to 3.0.0.

Release notes

Sourced from scry-sai-core's releases.

v3.0.0

Headline: "Qualifiable + differentiated" — the strategic release. scry gains an IEEE-754 float domain, proves its i32.add sound against the OFFICIAL wrapping Wasm semantics, becomes the first sound analyzer to model Component-Model handle lifetimes, and ships an assessor-facing tool-qualification dossier. Four features (FEAT-047/048/049/050).

Added — FEAT-047 (REQ-015, AC-022) — IEEE-754 float domain

  • New zero-dep crate scry-sai-float: a sound f32/f64 abstraction (interval [lo,hi] with ±∞ bounds + a nan flag). Round-to-nearest-aware transfers (add/sub/mul/neg/abs): f64 needs no widening (RN monotone + exact endpoints), f32 snaps outward onto the f32 grid + coerces operands; ±∞/NaN via a 4-corner hull (incl. interior 0·∞). Exhaustive γ-sweep at f32+f64; admit-free Rocq Float.v (lattice). Straight-line compute_float_facts pass → library-only AnalysisResult.float_facts. Closes the scope hole where float arithmetic was un-analyzed.

Added — FEAT-048 (REQ-002, G-005, TE-004) — mechanized soundness vs official semantics

  • proofs/rocq/WrapAdd.v (admit-free): scry's shipped i32_add is sound against the OFFICIAL two's-complement wraparound semantics ((z+2³¹) mod 2³² − 2³¹), INCLUDING the wrap case — closing the REQ-002 "no-wrap only" gap. The widen-to-⊤ branch is sound because ⊤ = all i32; the exact branch because an in-range sum cannot wrap. (Models the semantics WasmCert-Coq mechanizes; a literal WasmCert-Coq import remains deferred, per the dossier's honesty note.)
  • The recorded-false Verus join proof is confirmed repaired to the semantic γ-equality statement (CI-verified).

Added — FEAT-049 (REQ-003, MF-007) — Component-Model handle-state (the moat)

  • New zero-dep crate scry-sai-handle: an affine handle-state lattice (Alive/Dropped/Top) with drop/use transitions; admit-free Rocq Handle.v. compute_handle_findings tracks handle locals across the canonical-ABI [resource-drop] / [method] call sites and reports DEFINITE use-after-drop / double-drop on AnalysisResult.handle_findings. Conservative at control flow (no false report). The first sound Component-Model handle-lifetime analysis (MF-007).

Added — FEAT-050 (G-005, CA-011) — tool-qualification dossier

  • docs/qualification-dossier-v1.md: maps every DO-330 TQL-5 and ISO 26262-8 §11 (derives TCL1) objective to a concrete scry artifact — the 17 admit-free Rocq proofs, the semantic Verus proof, the MC/DC gate, the live kill-criteria, and the FEAT-040 gap report as the per-artifact scope oracle. Honesty-first: test-/γ-sweep-validated evidence is labelled distinctly from mechanized proof; an adversarial overclaim audit caught and fixed three config-row overstatements before merge.

... (truncated)

Changelog

Sourced from scry-sai-core's changelog.

[3.0.0] — 2026-07-01

Headline: "Qualifiable + differentiated" — the strategic release. scry gains an IEEE-754 float domain, proves its i32.add sound against the OFFICIAL wrapping Wasm semantics, becomes the first sound analyzer to model Component-Model handle lifetimes, and ships an assessor-facing tool-qualification dossier. Four features (FEAT-047/048/049/050).

Added — FEAT-047 (REQ-015, AC-022) — IEEE-754 float domain

  • New zero-dep crate scry-sai-float: a sound f32/f64 abstraction (interval [lo,hi] with ±∞ bounds + a nan flag). Round-to-nearest-aware transfers (add/sub/mul/neg/abs): f64 needs no widening (RN monotone + exact endpoints), f32 snaps outward onto the f32 grid + coerces operands; ±∞/NaN via a 4-corner hull (incl. interior 0·∞). Exhaustive γ-sweep at f32+f64; admit-free Rocq Float.v (lattice). Straight-line compute_float_facts pass → library-only AnalysisResult.float_facts. Closes the scope hole where float arithmetic was un-analyzed.

Added — FEAT-048 (REQ-002, G-005, TE-004) — mechanized soundness vs official semantics

  • proofs/rocq/WrapAdd.v (admit-free): scry's shipped i32_add is sound against the OFFICIAL two's-complement wraparound semantics ((z+2³¹) mod 2³² − 2³¹), INCLUDING the wrap case — closing the REQ-002 "no-wrap only" gap. The widen-to-⊤ branch is sound because ⊤ = all i32; the exact branch because an in-range sum cannot wrap. (Models the semantics WasmCert-Coq mechanizes; a literal WasmCert-Coq import remains deferred, per the dossier's honesty note.)
  • The recorded-false Verus join proof is confirmed repaired to the semantic γ-equality statement (CI-verified).

Added — FEAT-049 (REQ-003, MF-007) — Component-Model handle-state (the moat)

  • New zero-dep crate scry-sai-handle: an affine handle-state lattice (Alive/Dropped/Top) with drop/use transitions; admit-free Rocq Handle.v. compute_handle_findings tracks handle locals across the canonical-ABI [resource-drop] / [method] call sites and reports DEFINITE use-after-drop / double-drop on AnalysisResult.handle_findings. Conservative at control flow (no false report). The first sound Component-Model handle-lifetime analysis (MF-007).

Added — FEAT-050 (G-005, CA-011) — tool-qualification dossier

  • docs/qualification-dossier-v1.md: maps every DO-330 TQL-5 and ISO 26262-8 §11 (derives TCL1) objective to a concrete scry artifact — the 17 admit-free Rocq proofs, the semantic Verus proof, the MC/DC gate, the live kill-criteria, and the FEAT-040 gap report as the per-artifact scope oracle. Honesty-first: test-/γ-sweep-validated evidence is labelled distinctly from mechanized proof; an adversarial overclaim audit caught and fixed three config-row overstatements before merge.

... (truncated)

Commits
  • e74042a release: v3.0.0 (FEAT-047/048/049/050 — qualifiable + differentiated) (#90)
  • 2adc566 FEAT-050 (v3.0): tool-qualification dossier (DO-330 TQL-5 / ISO 26262-8 §11) ...
  • 13091c6 FEAT-049 (v3.0): Component-Model handle-state / use-after-drop (REQ-003, MF-0...
  • a074ca5 FEAT-048 (v3.0): mechanized i32.add soundness vs official wrapping semantics ...
  • 6b8b44e FEAT-047 (v3.0): IEEE-754 float-interval domain (REQ-015, AC-022) (#86)
  • 4aa0b89 release: v2.7.0 — prove safety (FEAT-044/045/046) (#85)
  • 250db60 FEAT-046 (v2.7): out-of-bounds linear-memory trap detection (REQ-014, MF-006)...
  • 07bfc7b FEAT-045 (v2.7): div-by-zero + signed-overflow trap detection (REQ-014, MF-00...
  • faf7dc8 FEAT-044 (v2.7): Pentagons weakly-relational domain (AC-014) (#82)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [scry-sai-core](https://github.com/pulseengine/scry) from 2.6.0 to 3.0.0.
- [Release notes](https://github.com/pulseengine/scry/releases)
- [Changelog](https://github.com/pulseengine/scry/blob/main/CHANGELOG.md)
- [Commits](pulseengine/scry@v2.6.0...v3.0.0)

---
updated-dependencies:
- dependency-name: scry-sai-core
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Dependency updates label Jul 6, 2026
@temper-pulseengine temper-pulseengine Bot enabled auto-merge (squash) July 6, 2026 21:45
@temper-pulseengine temper-pulseengine Bot merged commit 0423b9d into main Jul 6, 2026
27 checks passed
@temper-pulseengine temper-pulseengine Bot deleted the dependabot/cargo/scry-sai-core-3.0.0 branch July 6, 2026 21:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency updates

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants