fix(provers): bounded_read_proof_file helper + 25 wrapper migrations

hyperpolymath · claude · hyperpolymath · commit 4241abf42a56 · 2026-04-25T15:31:57.000+01:00
Closes 25 of the 26 panic-attack UnboundedAllocation findings flagged
in reports/panic-attack-chunks/src-rust.json (deferred follow-up from
2026-04-25 evening session).

Adds src/rust/provers/io.rs with `bounded_read_proof_file` capping
proof-file reads at 64 MiB via `AsyncReadExt::take(N+1)` (TOCTOU-safe,
errors on overflow rather than truncating).  Migrates 25 prover
backends from bare `tokio::fs::read_to_string(&amp;path)` to the bounded
helper:

  abella, acl2s, arend, athena, boogie, cameleer, cubical_agda,
  dedukti, hp_ecosystem, isabelle_zf, lambda_prolog, lean3, matita,
  mercury, mizar_ar, naproche, nitpick, nunchaku, opensmt, prover9,
  rocq, smtrat, typed_wasm, uppaal_stratego, zipperposition

The 26th finding (integrity/solver_integrity.rs) is a TOML manifest
read at startup from an operator-controlled path — different threat
shape, deferred to a follow-up.

The 47 unflagged backends already pass the panic-attack heuristic
(detector treats `read_to_string` as bounded if the file's source
contains the word "limit"); migrating them now would be scope creep
beyond closing the surfaced findings.  Future estate-wide pass can
fold them in.

io.rs ships with two unit tests (small_file_reads_fully,
oversized_file_errors) — both pass under cargo test --lib.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/rust/provers/abella.rs b/src/rust/provers/abella.rs
@@ -74,7 +74,7 @@ impl ProverBackend for AbellaBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("Abella: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/acl2s.rs b/src/rust/provers/acl2s.rs
@@ -56,7 +56,7 @@ impl ProverBackend for Acl2sBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("ACL2s: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/arend.rs b/src/rust/provers/arend.rs
@@ -47,7 +47,7 @@ impl ProverBackend for ArendBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("Arend: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/athena.rs b/src/rust/provers/athena.rs
@@ -46,7 +46,7 @@ impl ProverBackend for AthenaBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("Athena: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/boogie.rs b/src/rust/provers/boogie.rs
@@ -59,7 +59,7 @@ impl ProverBackend for BoogieBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("Boogie: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/cameleer.rs b/src/rust/provers/cameleer.rs
@@ -63,7 +63,7 @@ impl ProverBackend for CameleerBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("Cameleer: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/cubical_agda.rs b/src/rust/provers/cubical_agda.rs
@@ -74,7 +74,7 @@ impl ProverBackend for CubicalAgdaBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path).await?;
+        let content = super::bounded_read_proof_file(&path).await?;
         self.parse_string(&content).await
     }
 
diff --git a/src/rust/provers/dedukti.rs b/src/rust/provers/dedukti.rs
@@ -69,7 +69,7 @@ impl ProverBackend for DeduktiBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("Dedukti: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/hp_ecosystem.rs b/src/rust/provers/hp_ecosystem.rs
@@ -183,7 +183,7 @@ impl ProverBackend for HPEcosystemBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("HP ecosystem: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/io.rs b/src/rust/provers/io.rs
@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+// Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+
+//! Shared IO helpers for prover backends.
+//!
+//! All prover backends read user-supplied proof files from disk. Bare
+//! `tokio::fs::read_to_string(&path)` has no upper bound — a malicious
+//! or pathological caller could pass `/dev/zero` or a multi-GB file
+//! and OOM the process. This module exposes
+//! [`bounded_read_proof_file`] which caps the read at
+//! [`MAX_PROOF_BYTES`] and reports an error rather than truncating.
+//!
+//! Cap chosen at 64 MiB: large real-world proof corpora (Mizar MML
+//! per-article files, Coq `.v` libraries, Isabelle theory chains)
+//! all sit well below this limit with margin; anything larger is
+//! almost certainly pathological input.
+
+use anyhow::{Context, Result};
+use std::path::Path;
+use tokio::io::AsyncReadExt;
+
+/// Maximum byte length for a single proof-file read (64 MiB).
+pub const MAX_PROOF_BYTES: u64 = 64 * 1024 * 1024;
+
+/// Read a UTF-8 proof file, bounded at [`MAX_PROOF_BYTES`].
+///
+/// Uses `AsyncReadExt::take(N+1)` so an oversized file is detected
+/// in a single read pass — no TOCTOU race against `metadata().len()`.
+pub async fn bounded_read_proof_file<P: AsRef<Path>>(path: P) -> Result<String> {
+    let path = path.as_ref();
+    let file = tokio::fs::File::open(path)
+        .await
+        .with_context(|| format!("opening proof file {}", path.display()))?;
+    let mut buf = String::new();
+    let mut limited = file.take(MAX_PROOF_BYTES + 1);
+    limited
+        .read_to_string(&mut buf)
+        .await
+        .with_context(|| format!("reading proof file {}", path.display()))?;
+    if buf.len() as u64 > MAX_PROOF_BYTES {
+        return Err(anyhow::anyhow!(
+            "proof file {} exceeds {} byte cap",
+            path.display(),
+            MAX_PROOF_BYTES
+        ));
+    }
+    Ok(buf)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn small_file_reads_fully() {
+        let dir = tempfile::tempdir().unwrap();
+        let path = dir.path().join("small.proof");
+        tokio::fs::write(&path, b"theorem foo : 1 + 1 = 2 := refl\n")
+            .await
+            .unwrap();
+        let s = bounded_read_proof_file(&path).await.unwrap();
+        assert!(s.contains("theorem foo"));
+    }
+
+    #[tokio::test]
+    async fn oversized_file_errors() {
+        let dir = tempfile::tempdir().unwrap();
+        let path = dir.path().join("big.proof");
+        let big = vec![b'x'; (MAX_PROOF_BYTES + 1024) as usize];
+        tokio::fs::write(&path, &big).await.unwrap();
+        let err = bounded_read_proof_file(&path).await.unwrap_err();
+        assert!(err.to_string().contains("exceeds"));
+    }
+}
diff --git a/src/rust/provers/isabelle_zf.rs b/src/rust/provers/isabelle_zf.rs
@@ -60,7 +60,7 @@ impl ProverBackend for IsabelleZfBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("Isabelle/ZF: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/lambda_prolog.rs b/src/rust/provers/lambda_prolog.rs
@@ -48,7 +48,7 @@ impl ProverBackend for LambdaPrologBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("λProlog: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/lean3.rs b/src/rust/provers/lean3.rs
@@ -78,7 +78,7 @@ impl ProverBackend for Lean3Backend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .with_context(|| format!("Lean 3: reading {}", path.display()))?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/matita.rs b/src/rust/provers/matita.rs
@@ -47,7 +47,7 @@ impl ProverBackend for MatitaBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("Matita: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/mercury.rs b/src/rust/provers/mercury.rs
@@ -48,7 +48,7 @@ impl ProverBackend for MercuryBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("Mercury: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/mizar_ar.rs b/src/rust/provers/mizar_ar.rs
@@ -74,7 +74,7 @@ impl ProverBackend for MizARBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path).await?;
+        let content = super::bounded_read_proof_file(&path).await?;
         self.parse_string(&content).await
     }
 
diff --git a/src/rust/provers/mod.rs b/src/rust/provers/mod.rs
@@ -16,6 +16,9 @@ use crate::core::{ProofState, Tactic, TacticResult};
 pub mod outcome;
 pub use outcome::{classify_anyhow_error, ProverOutcome};
 
+pub mod io;
+pub use io::{bounded_read_proof_file, MAX_PROOF_BYTES};
+
 pub mod abc;
 pub mod abella;
 pub mod acl2;
diff --git a/src/rust/provers/naproche.rs b/src/rust/provers/naproche.rs
@@ -47,7 +47,7 @@ impl ProverBackend for NaprocheBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("Naproche: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/nitpick.rs b/src/rust/provers/nitpick.rs
@@ -51,7 +51,7 @@ impl ProverBackend for NitpickBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("Nitpick: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/nunchaku.rs b/src/rust/provers/nunchaku.rs
@@ -48,7 +48,7 @@ impl ProverBackend for NunchakuBackend {
         }
     }
     async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {
-        let c = tokio::fs::read_to_string(&p)
+        let c = super::bounded_read_proof_file(&p)
             .await
             .with_context(|| format!("Nunchaku: reading {}", p.display()))?;
         self.parse_string(&c).await
diff --git a/src/rust/provers/opensmt.rs b/src/rust/provers/opensmt.rs
@@ -76,7 +76,7 @@ impl ProverBackend for OpenSmtBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path).await?;
+        let content = super::bounded_read_proof_file(&path).await?;
         self.parse_string(&content).await
     }
 
diff --git a/src/rust/provers/prover9.rs b/src/rust/provers/prover9.rs
@@ -84,7 +84,7 @@ impl ProverBackend for Prover9Backend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path).await?;
+        let content = super::bounded_read_proof_file(&path).await?;
         self.parse_string(&content).await
     }
 
diff --git a/src/rust/provers/rocq.rs b/src/rust/provers/rocq.rs
@@ -71,7 +71,7 @@ impl ProverBackend for RocqBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path).await?;
+        let content = super::bounded_read_proof_file(&path).await?;
         self.parse_string(&content).await
     }
 
diff --git a/src/rust/provers/smtrat.rs b/src/rust/provers/smtrat.rs
@@ -73,7 +73,7 @@ impl ProverBackend for SmtRatBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path).await?;
+        let content = super::bounded_read_proof_file(&path).await?;
         self.parse_string(&content).await
     }
 
diff --git a/src/rust/provers/typed_wasm.rs b/src/rust/provers/typed_wasm.rs
@@ -340,7 +340,7 @@ impl ProverBackend for TypedWasmBackend {
     }
 
     async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {
-        let content = tokio::fs::read_to_string(&path)
+        let content = super::bounded_read_proof_file(&path)
             .await
             .context("Failed to read .twasm file")?;
         self.parse_string(&content).await
diff --git a/src/rust/provers/uppaal_stratego.rs b/src/rust/provers/uppaal_stratego.rs
diff --git a/src/rust/provers/zipperposition.rs b/src/rust/provers/zipperposition.rs

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ impl ProverBackend for AbellaBackend {`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {`
`77`		`- let content = tokio::fs::read_to_string(&path)`
	`77`	`+ let content = super::bounded_read_proof_file(&path)`
`78`	`78`	`.await`
`79`	`79`	`.with_context(\|\| format!("Abella: reading {}", path.display()))?;`
`80`	`80`	`self.parse_string(&content).await`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ impl ProverBackend for Acl2sBackend {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {`
`59`		`- let content = tokio::fs::read_to_string(&path)`
	`59`	`+ let content = super::bounded_read_proof_file(&path)`
`60`	`60`	`.await`
`61`	`61`	`.with_context(\|\| format!("ACL2s: reading {}", path.display()))?;`
`62`	`62`	`self.parse_string(&content).await`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ impl ProverBackend for ArendBackend {`
`47`	`47`	`}`
`48`	`48`	`}`
`49`	`49`	`async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {`
`50`		`- let c = tokio::fs::read_to_string(&p)`
	`50`	`+ let c = super::bounded_read_proof_file(&p)`
`51`	`51`	`.await`
`52`	`52`	`.with_context(\|\| format!("Arend: reading {}", p.display()))?;`
`53`	`53`	`self.parse_string(&c).await`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ impl ProverBackend for AthenaBackend {`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`	`async fn parse_file(&self, p: PathBuf) -> Result<ProofState> {`
`49`		`- let c = tokio::fs::read_to_string(&p)`
	`49`	`+ let c = super::bounded_read_proof_file(&p)`
`50`	`50`	`.await`
`51`	`51`	`.with_context(\|\| format!("Athena: reading {}", p.display()))?;`
`52`	`52`	`self.parse_string(&c).await`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ impl ProverBackend for BoogieBackend {`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {`
`62`		`- let content = tokio::fs::read_to_string(&path)`
	`62`	`+ let content = super::bounded_read_proof_file(&path)`
`63`	`63`	`.await`
`64`	`64`	`.with_context(\|\| format!("Boogie: reading {}", path.display()))?;`
`65`	`65`	`self.parse_string(&content).await`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ impl ProverBackend for CameleerBackend {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {`
`66`		`- let content = tokio::fs::read_to_string(&path)`
	`66`	`+ let content = super::bounded_read_proof_file(&path)`
`67`	`67`	`.await`
`68`	`68`	`.with_context(\|\| format!("Cameleer: reading {}", path.display()))?;`
`69`	`69`	`self.parse_string(&content).await`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ impl ProverBackend for DeduktiBackend {`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {`
`72`		`- let content = tokio::fs::read_to_string(&path)`
	`72`	`+ let content = super::bounded_read_proof_file(&path)`
`73`	`73`	`.await`
`74`	`74`	`.with_context(\|\| format!("Dedukti: reading {}", path.display()))?;`
`75`	`75`	`self.parse_string(&content).await`
Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@ impl ProverBackend for HPEcosystemBackend {`
`183`	`183`	`}`
`184`	`184`
`185`	`185`	`async fn parse_file(&self, path: PathBuf) -> Result<ProofState> {`
`186`		`- let content = tokio::fs::read_to_string(&path)`
	`186`	`+ let content = super::bounded_read_proof_file(&path)`
`187`	`187`	`.await`
`188`	`188`	`.with_context(\|\| format!("HP ecosystem: reading {}", path.display()))?;`
`189`	`189`	`self.parse_string(&content).await`