Review and revise all x86_64 backend contract

- This commit re-check all x86_64 contract follow the corrseponding
  HOL-Light proof

- After checking, the follwoing contract need to be remove:
  - contract and proof for `mlk_poly_mulcache_compute_avx2`

- This commit also add the symmetric note for every .ml proof:
  (* NOTE: This must be kept in sync with the CBMC specification
   * in mlkem/src/native/x86_64/src/arith_native_x86_64.h *)

Signed-off-by: willieyz <[email protected]>

Author: willieyz

dev/x86_64/src/arith_native_x86_64.h

@@ -81,16 +81,7 @@ __contract__(
 
 #define mlk_poly_mulcache_compute_avx2 MLK_NAMESPACE(poly_mulcache_compute_avx2)
 void mlk_poly_mulcache_compute_avx2(int16_t *out, const int16_t *in,
-                                    const int16_t *qdata)
-/* This must be kept in sync with the HOL-Light specification
- * in proofs/hol_light/x86/proofs/mlkem_mulcache_compute.ml */
-__contract__(
-  requires(memory_no_alias(out, sizeof(int16_t) * (MLKEM_N / 2)))
-  requires(memory_no_alias(in, sizeof(int16_t) * MLKEM_N))
-  requires(qdata == mlk_qdata)
-  assigns(memory_slice(out, sizeof(int16_t) * (MLKEM_N / 2)))
-  ensures(array_abs_bound(out, 0, MLKEM_N/2, 3329))
-);
+                                    const int16_t *qdata);
 
 #define mlk_polyvec_basemul_acc_montgomery_cached_asm_k2 \
   MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k2)

mlkem/src/native/x86_64/src/arith_native_x86_64.h

@@ -81,16 +81,7 @@ __contract__(
 
 #define mlk_poly_mulcache_compute_avx2 MLK_NAMESPACE(poly_mulcache_compute_avx2)
 void mlk_poly_mulcache_compute_avx2(int16_t *out, const int16_t *in,
-                                    const int16_t *qdata)
-/* This must be kept in sync with the HOL-Light specification
- * in proofs/hol_light/x86/proofs/mlkem_mulcache_compute.ml */
-__contract__(
-  requires(memory_no_alias(out, sizeof(int16_t) * (MLKEM_N / 2)))
-  requires(memory_no_alias(in, sizeof(int16_t) * MLKEM_N))
-  requires(qdata == mlk_qdata)
-  assigns(memory_slice(out, sizeof(int16_t) * (MLKEM_N / 2)))
-  ensures(array_abs_bound(out, 0, MLKEM_N/2, 3329))
-);
+                                    const int16_t *qdata);
 
 #define mlk_polyvec_basemul_acc_montgomery_cached_asm_k2 \
   MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k2)

proofs/cbmc/poly_mulcache_compute_native_x86_64/Makefile

@@ -444,6 +444,9 @@ let MLKEM_FROMBYTES_NOIBT_SUBROUTINE_CORRECT = prove(
               MAYCHANGE [RSP] ,, MAYCHANGE [memory :> bytes(r, 512)])`,
   X86_PROMOTE_RETURN_NOSTACK_TAC mlkem_frombytes_tmc MLKEM_FROMBYTES_CORRECT);;
 
+(* NOTE: This must be kept in sync with the CBMC specification
+ * in mlkem/src/native/x86_64/src/arith_native_x86_64.h *)
+
 let MLKEM_FROMBYTES_SUBROUTINE_CORRECT = prove(
     `!r a (l:(12 word) list) pc.
         aligned 32 a /\

proofs/cbmc/poly_mulcache_compute_native_x86_64/poly_mulcache_compute_native_x86_64_harness.c

@@ -1194,6 +1194,9 @@ let MLKEM_INTT_NOIBT_SUBROUTINE_CORRECT  = prove
   CONV_TAC TWEAK_CONV THEN
   X86_PROMOTE_RETURN_NOSTACK_TAC mlkem_intt_tmc (CONV_RULE TWEAK_CONV MLKEM_INTT_CORRECT));;
 
+(* NOTE: This must be kept in sync with the CBMC specification
+ * in mlkem/src/native/x86_64/src/arith_native_x86_64.h *)
+
 let MLKEM_INTT_SUBROUTINE_CORRECT  = prove
   (`!a zetas (zetas_list:int16 list) x pc stackpointer returnaddress.
     aligned 32 a /\

proofs/hol_light/x86/proofs/mlkem_frombytes.ml

@@ -1210,6 +1210,9 @@ let MLKEM_NTT_NOIBT_SUBROUTINE_CORRECT  = prove
   CONV_TAC TWEAK_CONV THEN
   X86_PROMOTE_RETURN_NOSTACK_TAC mlkem_ntt_tmc (CONV_RULE TWEAK_CONV MLKEM_NTT_CORRECT));;
 
+(* NOTE: This must be kept in sync with the CBMC specification
+ * in mlkem/src/native/x86_64/src/arith_native_x86_64.h *)
+
 let MLKEM_NTT_SUBROUTINE_CORRECT  = prove
   (`!a zetas (zetas_list:int16 list) x pc stackpointer returnaddress.
     aligned 32 a /\

proofs/hol_light/x86/proofs/mlkem_intt.ml

@@ -1080,6 +1080,9 @@ let MLKEM_BASEMUL_K2_NOIBT_SUBROUTINE_CORRECT = prove(
                MAYCHANGE [memory :> bytes(dst, 512)])`,
   X86_PROMOTE_RETURN_NOSTACK_TAC mlkem_basemul_k2_tmc MLKEM_BASEMUL_K2_CORRECT);;
 
+(* NOTE: This must be kept in sync with the CBMC specification
+ * in mlkem/src/native/x86_64/src/arith_native_x86_64.h *)
+
 let MLKEM_BASEMUL_K2_SUBROUTINE_CORRECT = prove(
   `!src1 src2 src2t dst a0 b0 c0 d0 dz0 a1 b1 c1 d1 dz1 pc stackpointer returnaddress.
         aligned 32 src1 /\

proofs/hol_light/x86/proofs/mlkem_ntt.ml

@@ -1550,6 +1550,9 @@ let MLKEM_BASEMUL_K3_NOIBT_SUBROUTINE_CORRECT = prove(
                MAYCHANGE [memory :> bytes(dst, 512)])`,
   X86_PROMOTE_RETURN_NOSTACK_TAC mlkem_basemul_k3_tmc MLKEM_BASEMUL_K3_CORRECT);;
 
+(* NOTE: This must be kept in sync with the CBMC specification
+ * in mlkem/src/native/x86_64/src/arith_native_x86_64.h *)
+
 let MLKEM_BASEMUL_K3_SUBROUTINE_CORRECT = prove(
   `!src1 src2 src2t dst a0 b0 c0 d0 dz0 a1 b1 c1 d1 dz1 a2 b2 c2 d2 dz2 pc stackpointer returnaddress.
         aligned 32 src1 /\

proofs/hol_light/x86/proofs/mlkem_poly_basemul_acc_montgomery_cached_k2.ml

@@ -2026,6 +2026,9 @@ let MLKEM_BASEMUL_K4_NOIBT_SUBROUTINE_CORRECT = prove(
                MAYCHANGE [memory :> bytes(dst, 512)])`,
   X86_PROMOTE_RETURN_NOSTACK_TAC mlkem_basemul_k4_tmc MLKEM_BASEMUL_K4_CORRECT);;
 
+(* NOTE: This must be kept in sync with the CBMC specification
+ * in mlkem/src/native/x86_64/src/arith_native_x86_64.h *)
+
 let MLKEM_BASEMUL_K4_SUBROUTINE_CORRECT = prove(
   `!src1 src2 src2t dst a0 b0 c0 d0 dz0 a1 b1 c1 d1 dz1 a2 b2 c2 d2 dz2 a3 b3 c3 d3 dz3 pc stackpointer returnaddress.
         aligned 32 src1 /\