@Byte subtraction silent underflow (follow-up to #520)

[aallan]

Follow-up to #520. Once #520 lands compile-time proof obligation + Tier-3 runtime trap for @Nat - @Nat underflow, the same soundness hole remains for @Byte - @Byte.

@Byte values are 0..=255 (unsigned, single octet). Subtraction with a < b underflows the same way @Nat - @Nat does, and the runtime currently emits a plain i64.sub with no guard. A negative @Byte slot violates the byte type's range invariant and propagates into anything that assumed bytes-are-non-negative (string indexing, array indexing into @Array<@Byte>, byte→string conversions).

Scope

Mirror the #520 implementation:

1. Verifier: emit lhs >= rhs proof obligation for BinaryExpr(Sub, lhs, rhs) when both operands are @Byte.
2. Codegen: at Tier 3, emit a guarded subtraction that traps with WasmTrapError(kind="underflow") (same trap kind as @Nat — both are unsigned underflow; a single Fix paragraph covers both).
3. Tests: positive (verifies with requires), negative (fails to verify), runtime (Tier-3 traps cleanly).
4. Conformance: ch??_byte_underflow.vera showing the canonical requires a >= b pattern.
5. Audit existing @Byte - @Byte sites (none expected in current corpus, but verify).

Why follow-up rather than bundled into #520

Keeps the #520 PR focused on the more commonly-used type (@Nat). Once #520 lands, the verifier helper and codegen guard are reusable — this becomes a small mechanical follow-up.

Acceptance

• All @Byte - @Byte sites either verify at Tier 1 (with explicit requires) or carry runtime guards at Tier 3.
• Trap diagnostic names the fix.
• ROADMAP / HISTORY entries follow the campaign's one-line discipline.

Related

• Nat subtraction silently underflows to negative i64 — refinement-type soundness hole #520 — @Nat subtraction silent underflow (parent)

[aallan]

Closing as not-a-bug — the original framing assumed @Byte - @Byte underflow was a runtime hole, but the type checker rejects the construct before it can reach the verifier or codegen.

What vera check actually does

vera/types.py:132 defines NUMERIC_TYPES = frozenset({INT, NAT, FLOAT64}) — BYTE is deliberately not included. The arithmetic check at vera/checker/expressions.py:252 (binary) and :384 (unary negation) rejects any operand whose base type isn't in NUMERIC_TYPES, producing E140:

$ cat /tmp/byte_sub.vera
public fn byte_sub(@Byte, @Byte -> @Byte)
  requires(@Byte.0 >= @Byte.1)
  ensures(true)
  effects(pure)
{ @Byte.0 - @Byte.1 }

$ vera check /tmp/byte_sub.vera
error: [E140] Operator '-' requires numeric operands, found @Byte and @Byte.
  Arithmetic operators work on Int, Nat, or Float64.

Refinement-type aliases (type MyByte = { @Byte | true }) don't bypass — base_type() strips refinements before the check.

Why I'm closing rather than fixing

The runtime hole described in the issue body doesn't exist: there's no Vera AST that contains BinaryExpr(SUB, @Byte, @Byte) because the checker prevents construction. No verifier obligation needs adding (the AST shape never arrives); no codegen guard needs adding (the AST shape never arrives).

A regression test is being added in the same housekeeping PR to pin the checker's current behavior so a future widening of NUMERIC_TYPES can't silently re-open this hole.

What was conflated

#551 was filed during #520's design discussion as a "mechanical follow-up" assuming Byte arithmetic was allowed. That assumption was wrong — and a quick vera check of a one-liner test would have caught it before #551 was filed.

The separable design question that #551 was conflated with — "should Vera allow Byte arithmetic at all?" — is genuinely speculative (no current user driver; the day-to-day use cases route through stdlib host imports like base64_encode / url_encode). That speculative question is now tracked as #564, with the full design analysis (pros, cons, trigger conditions, action checklist) preserved. #564 is labeled bookmark to indicate "deferred decision; revisit if user need emerges."

Housekeeping

• Regression test added: tests/test_checker.py::TestByteArithmeticRejection551 pins the current checker behavior.
• Spec §4.4 and §11.2.1 updated: removed the "Byte tracked as @Byte subtraction silent underflow (follow-up to #520) #551" caveat; replaced with note that Byte is excluded from arithmetic at the type-check layer.
• KNOWN_ISSUES.md: row removed from Bugs table.
• ROADMAP.md: removed from campaign Implementation order; Allow @Byte arithmetic with verified underflow + overflow guards (speculative) #564 added under a new ## Speculative section.

Related

• Nat subtraction silently underflows to negative i64 — refinement-type soundness hole #520 — @Nat subtraction underflow (parent of this issue).
• Allow @Byte arithmetic with verified underflow + overflow guards (speculative) #564 — Allow @byte arithmetic with verified underflow + overflow guards (speculative). The forward-looking feature request that @Byte subtraction silent underflow (follow-up to #520) #551 was conflated with.