Merge branch 'master' into upstream

Author: aaronbojarski

pkg/slayers/path/hopfield_spec.gobra

@@ -31,13 +31,13 @@ pred (h *HopField) Mem() {
 ghost
 decreases
 pure func ifsToIO_ifs(ifs uint16) option[io.IO_ifs] {
-	return ifs == 0 ? none[io.IO_ifs] : some(io.IO_ifs(ifs))
+	return ifs == 0 ? none[io.IO_ifs] : some(io.IO_ifs{ifs})
 }
 
 ghost
 decreases
 pure func IO_ifsToIfs(ifs option[io.IO_ifs]) uint16 {
-	return ifs == none[io.IO_ifs] ? 0 : uint16(get(ifs))
+	return ifs == none[io.IO_ifs] ? 0 : uint16(get(ifs).V)
 }
 
 ghost
@@ -54,7 +54,7 @@ pure func BytesToIO_HF(raw [] byte, start int, middle int, end int) (io.IO_HF) {
 		let egif2 := binary.BigEndian.Uint16(raw[middle+4:middle+6])   in
 		let op_inif2 := ifsToIO_ifs(inif2)                             in
 		let op_egif2 := ifsToIO_ifs(egif2)                             in
-		io.IO_HF_ {
+		io.IO_HF {
 			InIF2: op_inif2,
 			EgIF2: op_egif2,
 			HVF: AbsMac(FromSliceToMacArray(raw[middle+6:middle+6+MacLen])),
@@ -109,7 +109,7 @@ func BytesToAbsHopFieldOffsetEq(raw [] byte, offset int) {
 ghost
 decreases
 pure func (h HopField) ToIO_HF() (io.IO_HF) {
-	return io.IO_HF_ {
+	return io.IO_HF {
 		InIF2: ifsToIO_ifs(h.ConsIngress),
 		EgIF2: ifsToIO_ifs(h.ConsEgress),
 		HVF: AbsMac(h.Mac),

pkg/slayers/path/infofield_spec.gobra

@@ -58,7 +58,7 @@ pure func Timestamp(raw []byte, currINF int, headerOffset int) io.IO_ainfo {
 	return let idx := InfoFieldOffset(currINF, headerOffset)+4 in
 		unfolding sl.Bytes(raw, 0, len(raw)) in
 		let _ := sl.AssertSliceOverlap(raw, idx, idx+4) in
-		io.IO_ainfo(binary.BigEndian.Uint32(raw[idx:idx+4]))
+		io.IO_ainfo{uint(binary.BigEndian.Uint32(raw[idx:idx+4]))}
 }
 
 ghost
@@ -93,8 +93,8 @@ decreases
 pure func BytesToAbsInfoFieldHelper(raw [] byte, middle int) (io.AbsInfoField) {
 	return let _ := sl.AssertSliceOverlap(raw, middle+2, middle+4) in
 		let _ := sl.AssertSliceOverlap(raw, middle+4, middle+8) in
-		io.AbsInfoField_{
-			AInfo: io.IO_ainfo(binary.BigEndian.Uint32(raw[middle+4:middle+8])),
+		io.AbsInfoField {
+			AInfo: io.IO_ainfo{uint(binary.BigEndian.Uint32(raw[middle+4:middle+8]))},
 			UInfo: AbsUInfoFromUint16(binary.BigEndian.Uint16(raw[middle+2:middle+4])),
 			ConsDir: raw[middle] & 0x1 == 0x1,
 			Peer: raw[middle] & 0x2  == 0x2,
@@ -133,8 +133,8 @@ func BytesToAbsInfoFieldOffsetEq(raw [] byte, middle int) {
 ghost
 decreases
 pure func (inf InfoField) ToAbsInfoField() (io.AbsInfoField) {
-	return io.AbsInfoField_{
-		AInfo: io.IO_ainfo(inf.Timestamp),
+	return io.AbsInfoField {
+		AInfo: io.IO_ainfo{uint(inf.Timestamp)},
 		UInfo: AbsUInfoFromUint16(inf.SegID),
 		ConsDir: inf.ConsDir,
 		Peer: inf.Peer,

pkg/slayers/path/scion/raw_spec.gobra

@@ -270,7 +270,7 @@ pure func segment(raw []byte,
 	peer bool,
 	segLen int) (res io.IO_seg2) {
 	return let hopfields := hopFields(raw, offset, 0, segLen) in
-		io.IO_seg3_ {
+		io.IO_seg3 {
 			AInfo: ainfo,
 			UInfo: uinfo,
 			ConsDir: consDir,
@@ -389,7 +389,7 @@ pure func (s *Raw) absPkt(raw []byte) (res io.IO_pkt2) {
 		let prevSegLen := segs.LengthOfPrevSeg(currHfIdx)        in
 		let numINF := segs.NumInfoFields() in
 		let offset := HopFieldOffset(numINF, prevSegLen, MetaLen) in
-		io.IO_Packet2 {
+		io.IO_pkt2 {
 			CurrSeg: CurrSeg(raw, offset, currInfIdx, currHfIdx - prevSegLen, segLen, MetaLen),
 			LeftSeg: LeftSeg(raw, currInfIdx + 1, segs, MetaLen),
 			MidSeg: MidSeg(raw, currInfIdx + 2, segs, MetaLen),
@@ -487,7 +487,7 @@ requires oldPkt.LeftSeg != none[io.IO_seg2]
 requires oldPkt.PathNotFullyTraversed()
 decreases
 pure func AbsXover(oldPkt io.IO_pkt2) (newPkt io.IO_pkt2) {
-	return io.IO_Packet2 {
+	return io.IO_pkt2 {
 		get(oldPkt.LeftSeg),
 		oldPkt.MidSeg,
 		oldPkt.RightSeg,
@@ -499,7 +499,7 @@ ghost
 requires oldPkt.PathNotFullyTraversed()
 decreases
 pure func AbsIncPath(oldPkt io.IO_pkt2) (newPkt io.IO_pkt2) {
-	return io.IO_Packet2 {
+	return io.IO_pkt2 {
 		absIncPathSeg(oldPkt.CurrSeg),
 		oldPkt.LeftSeg,
 		oldPkt.MidSeg,
@@ -511,7 +511,7 @@ ghost
 requires len(currseg.Future) > 0
 decreases
 pure func absIncPathSeg(currseg io.IO_seg3) io.IO_seg3 {
-	return io.IO_seg3_ {
+	return io.IO_seg3 {
 		AInfo: currseg.AInfo,
 		UInfo: currseg.UInfo,
 		ConsDir: currseg.ConsDir,

router/dataplane_concurrency_model.gobra

@@ -21,12 +21,11 @@ import (
 	io "verification/io"
 )
 
-// Never use `==` for comparisons! Because this is a ghost structure, only the ghost comparison (`===`)
-// is meaningful.
-type SharedArg struct {
-	ghost Place gpointer[io.Place] // Existential for the current place
-	ghost State gpointer[io.IO_dp3s_state_local] // Existential for the current model state
-	ghost IBufY, OBufY ElemRA // Parameters of the algebra
+ghost type SharedArg ghost struct {
+	Place gpointer[io.Place] // Existential for the current place
+	State gpointer[io.IO_dp3s_state_local] // Existential for the current model state
+	IBufY ElemRA // Parameter of the algebra
+	OBufY ElemRA // Parameter of the algebra
 }
 
 pred SharedInv(ghost dp io.DataPlaneSpec, ghost y SharedArg) {
@@ -246,11 +245,11 @@ func multiElemWitnessConvAux(y ElemRA, k Key, es seq[io.IO_val], i int) {
 /**** End of MultiElemWitness helper functions ****/
 
 /////////////////////////////////////// RA definitions ///////////////////////////////////////
-type Key = option[io.IO_ifs]
-type Val = set[io.IO_pkt3]
-type Elem = io.IO_pkt3
+ghost type Key = option[io.IO_ifs]
+ghost type Val = set[io.IO_pkt3]
+ghost type Elem = io.IO_pkt3
 
-type ElemRA domain{}
+ghost type ElemRA domain{}
 
 pred ElemAuth(ghost m dict[Key]Val, ghost y ElemRA)
 

router/dataplane_spec_test.gobra

@@ -93,8 +93,8 @@ func testRun(
 	key *[]byte,
 	metrics *Metrics,
 	ctx context.Context,
-	place io.Place,
-	state io.IO_dp3s_state_local) (d *DataPlane) {
+	ghost place io.Place,
+	ghost state io.IO_dp3s_state_local) (d *DataPlane) {
 	// body similar to foldDataPlaneMem
 	d = &DataPlane{}
 
@@ -137,43 +137,46 @@ func testRun(
 	fold accForwardingMetrics(d.forwardingMetrics)
 
 	ensures dp.Valid()
-	ensures dp === io.DataPlaneSpec_ {
+	// the following trivial assertion makes sure that `==` matches
+	// `===` for ghost structs
+	ensures dp != io.DataPlaneSpec{}
+	ensures dp == io.DataPlaneSpec {
 		linkTypes: dict[io.IO_ifs]io.IO_Link{
-			1: io.IO_ProvCust{},
-			2: io.IO_ProvCust{},
-			3: io.IO_ProvCust{},
+			io.IO_ifs{1}: io.IO_ProvCust{},
+			io.IO_ifs{2}: io.IO_ProvCust{},
+			io.IO_ifs{3}: io.IO_ProvCust{},
 		},
 		neighborIAs: dict[io.IO_ifs]io.IO_as{
-			1: 1001,
-			2: 1002,
-			3: 1000,
+			io.IO_ifs{1}: io.IO_as{1001},
+			io.IO_ifs{2}: io.IO_as{1002},
+			io.IO_ifs{3}: io.IO_as{1000},
 		},
-		localIA: 1000,
+		localIA: io.IO_as{1000},
 		links:  dict[io.AsIfsPair]io.AsIfsPair {
-			io.AsIfsPair{1000, 1}: io.AsIfsPair{1001, 7},
-			io.AsIfsPair{1000, 2}: io.AsIfsPair{1002, 8},
-			io.AsIfsPair{1000, 3}: io.AsIfsPair{1000, 3},
-			io.AsIfsPair{1001, 7}: io.AsIfsPair{1000, 1},
-			io.AsIfsPair{1002, 8}: io.AsIfsPair{1000, 2}}}
+			io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{1}}: io.AsIfsPair{io.IO_as{1001}, io.IO_ifs{7}},
+			io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{2}}: io.AsIfsPair{io.IO_as{1002}, io.IO_ifs{8}},
+			io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{3}}: io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{3}},
+			io.AsIfsPair{io.IO_as{1001}, io.IO_ifs{7}}: io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{1}},
+			io.AsIfsPair{io.IO_as{1002}, io.IO_ifs{8}}: io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{2}}}}
 	outline(
-	pair1 := io.AsIfsPair{1000, 1}
-	pair2 := io.AsIfsPair{1000, 2}
-	pair3 := io.AsIfsPair{1000, 3}
-	pair4 := io.AsIfsPair{1001, 7}
-	pair5 := io.AsIfsPair{1002, 8}
+	pair1 := io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{1}}
+	pair2 := io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{2}}
+	pair3 := io.AsIfsPair{io.IO_as{1000}, io.IO_ifs{3}}
+	pair4 := io.AsIfsPair{io.IO_as{1001}, io.IO_ifs{7}}
+	pair5 := io.AsIfsPair{io.IO_as{1002}, io.IO_ifs{8}}
 
-	dp := io.DataPlaneSpec_ {
+	dp := io.DataPlaneSpec {
 		linkTypes: dict[io.IO_ifs]io.IO_Link{
-			1: io.IO_ProvCust{},
-			2: io.IO_ProvCust{},
-			3: io.IO_ProvCust{},
+			io.IO_ifs{1}: io.IO_ProvCust{},
+			io.IO_ifs{2}: io.IO_ProvCust{},
+			io.IO_ifs{3}: io.IO_ProvCust{},
 		},
 		neighborIAs: dict[io.IO_ifs]io.IO_as{
-			1: 1001,
-			2: 1002,
-			3: 1000,
+			io.IO_ifs{1}: io.IO_as{1001},
+			io.IO_ifs{2}: io.IO_as{1002},
+			io.IO_ifs{3}: io.IO_as{1000},
 		},
-		localIA: 1000,
+		localIA: io.IO_as{1000},
 		links:  dict[io.AsIfsPair]io.AsIfsPair {
 			pair1: pair4,
 			pair2: pair5,
@@ -201,7 +204,7 @@ func testRun(
 	assert reveal dp.Valid()
 	)
 
-	assert dp.Asid() == 1000
+	assert dp.Asid().V == 1000
 	assert d.localIA == 1000
 	assert d.dpSpecWellConfiguredLocalIA(dp)
 	assert d.dpSpecWellConfiguredNeighborIAs(dp)
@@ -238,3 +241,16 @@ func allocateBatchConn() (b BatchConn)
 
 ensures u != nil && u.Mem()
 func allocateUDPAddr() (u *net.UDPAddr)
+
+// the following trivial assertion makes sure that `==` matches
+// `===` for ghost structs
+func testEquals() {
+	assert forall d1 io.DataPlaneSpec, d2 io.DataPlaneSpec :: { dummyTrigger(d1), dummyTrigger(d2) } (d1 == d2) == (d1 === d2)
+}
+
+ghost
+pure
+decreases
+func dummyTrigger(d io.DataPlaneSpec) bool {
+	return true
+}

router/io-spec-abstract-transitions.gobra

@@ -41,7 +41,7 @@ ensures  newPkt.PathNotFullyTraversed()
 ensures  len(newPkt.CurrSeg.Future) == len(oldPkt.CurrSeg.Future)
 decreases
 pure func AbsUpdateNonConsDirIngressSegID(oldPkt io.IO_pkt2, ingressID option[io.IO_ifs]) (newPkt io.IO_pkt2) {
-	return ingressID == none[io.IO_ifs] ? oldPkt : io.IO_Packet2 {
+	return ingressID == none[io.IO_ifs] ? oldPkt : io.IO_pkt2 {
 		io.establishGuardTraversedseg(oldPkt.CurrSeg, !oldPkt.CurrSeg.ConsDir),
 		oldPkt.LeftSeg,
 		oldPkt.MidSeg,
@@ -95,7 +95,7 @@ requires oldPkt.PathNotFullyTraversed()
 ensures  len(newPkt.CurrSeg.Future) >= 0
 decreases
 pure func AbsProcessEgress(oldPkt io.IO_pkt2) (newPkt io.IO_pkt2) {
-	return io.IO_Packet2 {
+	return io.IO_pkt2 {
 		io.establishGuardTraversedsegInc(oldPkt.CurrSeg, oldPkt.CurrSeg.ConsDir),
 		oldPkt.LeftSeg,
 		oldPkt.MidSeg,
@@ -114,7 +114,7 @@ ensures  newPkt.RightSeg != none[io.IO_seg2]
 ensures  len(get(newPkt.RightSeg).Past) > 0
 decreases
 pure func AbsDoXover(oldPkt io.IO_pkt2) (newPkt io.IO_pkt2) {
-	return io.IO_Packet2 {
+	return io.IO_pkt2 {
 		get(oldPkt.LeftSeg),
 		oldPkt.MidSeg,
 		oldPkt.RightSeg,
@@ -146,8 +146,9 @@ pure func AbsVerifyCurrentMACConstraint(pkt io.IO_pkt2, dp io.DataPlaneSpec) boo
 		let ts := currseg.AInfo in
 		let hf := currseg.Future[0] in
 		let uinfo := currseg.UInfo in
-		dp.hf_valid(d, ts, uinfo, hf)
+		dp.hf_valid(d, ts.V, uinfo, hf)
 }
+
 // This executes the IO enter event whenever a pkt was received
 // from a different AS (ingressID != none[io.IO_ifs])
 // and will be forwarded to another border router within the AS (egressID == none[io.IO_ifs])

router/io-spec-atomic-events.gobra

@@ -43,7 +43,7 @@ requires  dp.dp2_enter_guard(
 	get(ingressID),
 	oldPkt.CurrSeg.Future[1:])
 requires  dp.dp3s_forward(
-	io.IO_Packet2 {
+	io.IO_pkt2 {
 		io.establishGuardTraversedseg(oldPkt.CurrSeg, !oldPkt.CurrSeg.ConsDir),
 		oldPkt.LeftSeg,
 		oldPkt.MidSeg,
@@ -116,7 +116,7 @@ requires  dp.dp2_xover_guard(
 	oldPkt.CurrSeg,
 	get(oldPkt.LeftSeg),
 	io.establishGuardTraversedsegInc(oldPkt.CurrSeg, !oldPkt.CurrSeg.ConsDir),
-	io.IO_Packet2 {
+	io.IO_pkt2 {
 		get(oldPkt.LeftSeg),
 		oldPkt.MidSeg,
 		oldPkt.RightSeg,
@@ -128,7 +128,7 @@ requires  dp.dp2_xover_guard(
 	dp.Asid(),
 	get(ingressID))
 requires  dp.dp3s_forward_xover(
-	io.IO_Packet2 {
+	io.IO_pkt2 {
 		get(oldPkt.LeftSeg),
 		oldPkt.MidSeg,
 		oldPkt.RightSeg,

router/io-spec.gobra

@@ -52,7 +52,7 @@ pure func absPkt(raw []byte) (res io.IO_pkt2) {
 		let prevSegLen := segs.LengthOfPrevSeg(currHfIdx) in
 		let numINF := segs.NumInfoFields() in
 		let offset := scion.HopFieldOffset(numINF, prevSegLen, headerOffsetWithMetaLen) in
-		io.IO_Packet2 {
+		io.IO_pkt2 {
 			CurrSeg: scion.CurrSeg(raw, offset, currInfIdx, currHfIdx-prevSegLen, segLen, headerOffsetWithMetaLen),
 			LeftSeg: scion.LeftSeg(raw, currInfIdx + 1, segs, headerOffsetWithMetaLen),
 			MidSeg: scion.MidSeg(raw, currInfIdx + 2, segs, headerOffsetWithMetaLen),
@@ -106,7 +106,7 @@ ghost
 requires acc(&d.localIA)
 decreases
 pure func (d *DataPlane) dpSpecWellConfiguredLocalIA(dp io.DataPlaneSpec) bool {
-	return io.IO_as(d.localIA) == dp.Asid()
+	return io.IO_as{uint(d.localIA)} == dp.Asid()
 }
 
 ghost
@@ -115,8 +115,8 @@ requires d.neighborIAs != nil ==> acc(d.neighborIAs)
 decreases
 pure func (d *DataPlane) dpSpecWellConfiguredNeighborIAs(dp io.DataPlaneSpec) bool {
 	return forall ifs uint16 :: {ifs in domain(d.neighborIAs)} ifs in domain(d.neighborIAs) ==>
-		io.IO_ifs(ifs) in domain(dp.GetNeighborIAs()) &&
-		io.IO_as(d.neighborIAs[ifs]) == dp.GetNeighborIA(io.IO_ifs(ifs))
+		io.IO_ifs{ifs} in domain(dp.GetNeighborIAs()) &&
+		io.IO_as{uint(d.neighborIAs[ifs])} == dp.GetNeighborIA(io.IO_ifs{ifs})
 }
 
 ghost
@@ -135,8 +135,8 @@ requires d.linkTypes != nil ==> acc(d.linkTypes)
 decreases
 pure func (d *DataPlane) dpSpecWellConfiguredLinkTypes(dp io.DataPlaneSpec) bool {
 	return forall ifs uint16 :: {ifs in domain(d.linkTypes)} ifs in domain(d.linkTypes) ==>
-		io.IO_ifs(ifs) in domain(dp.GetLinkTypes()) &&
-		absLinktype(d.linkTypes[ifs]) == dp.GetLinkType(io.IO_ifs(ifs))
+		io.IO_ifs{ifs} in domain(dp.GetLinkTypes()) &&
+		absLinktype(d.linkTypes[ifs]) == dp.GetLinkType(io.IO_ifs{ifs})
 }
 
 ghost
@@ -172,7 +172,7 @@ requires d.DpAgreesWithSpec(dp)
 requires d.WellConfigured()
 requires egressID in d.getDomExternal()
 ensures  egressID != 0
-ensures  io.IO_ifs(egressID) in domain(dp.GetNeighborIAs())
+ensures  io.IO_ifs{egressID} in domain(dp.GetNeighborIAs())
 decreases
 func (d *DataPlane) EgressIDNotZeroLemma(egressID uint16, dp io.DataPlaneSpec) {
 	reveal d.WellConfigured()

verification/io/bios.gobra

@@ -18,19 +18,19 @@
 
 package io
 
-type IO_bio3sIN adt {
+ghost type IO_bio3sIN adt {
 	IO_bio3s_enter{}
 	IO_bio3s_xover{}
 	IO_bio3s_exit{}
 }
 
-type IO_bio3sIO adt {
+ghost type IO_bio3sIO adt {
 	IO_bio3s_send{}
 	IO_bio3s_recv{}
 }
 
 // defined in Isabelle as (bios3sIN, bios3sIO) events
-type IO_bio3s adt {
+ghost type IO_bio3s adt {
 	IO_bio3s_IN {
 		IN IO_bio3sIN
 	}