cleanup, finish last lemma

jcp19 · jcp19 · commit 9dfa7e7634e2 · 2026-01-02T01:58:38.000+01:00
diff --git a/router/dataplane_concurrency_model.gobra b/router/dataplane_concurrency_model.gobra
@@ -297,77 +297,43 @@ decreases
 pure func (ra TypeAuthRA) IsValid(e resalgebra.Elem) bool {
 	return let x := e.(AuthCarrier) in
 		x.fst === Bottom{} ||
-		(typeOf(x.fst) == type[Dict] && DictLessThan(x.snd.V, x.fst.(Dict).V))
+		(typeOf(x.fst) == type[Dict] && dictLessThan(x.snd.V, x.fst.(Dict).V))
 }
 
 ghost
 decreases
-pure func DictLessThan(d1 dict[Key]Val, d2 dict[Key]Val) bool {
+pure func dictLessThan(d1 dict[Key]Val, d2 dict[Key]Val) bool {
 	return (forall k Key :: k elem domain(d1) ==> k elem domain(d2) && AsSet(d1[k]) union AsSet(d2[k]) == AsSet(d2[k]))
 }
 
 ghost
-requires DictLessThan(d1, d2)
-requires DictLessThan(d2, d3)
-ensures  DictLessThan(d1, d3)
+ensures forall d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val :: {dictLessThan(d1, d2), dictLessThan(d2, d3)} dictLessThan(d1, d2) && dictLessThan(d2, d3) ==>
+	dictLessThan(d1, d3)
 decreases
-func DictLessThanTransitive(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
+func dictLessThanTransitiveQ() {
 	// proven
 }
 
 ghost
-requires DictLessThan(d1, d2)
-requires DictLessThan(d2, d3)
-requires !DictLessThan(d2, d1) || !DictLessThan(d3, d2)
-ensures  DictLessThan(d1, d3)
-ensures  !DictLessThan(d3, d1)
+ensures  dictLessThan(d1, d3) && dictLessThan(d2, d3) ==> dictLessThan(dictMax(d1, d2), d3)
 decreases
-func StrictDictLessThanTransitive(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
-	DictLessThanTransitive(d1, d2, d3)
-	assert DictLessThan(d1, d3)
-	assert d1 !== d3
-
-	if DictLessThan(d3, d1) {
-		DictLessEq(d1, d3)
-		assert false // Unreachable
-	}
-}
-
-ghost
-ensures  forall d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val :: DictLessThan(d1, d2) && DictLessThan(d2, d3) ==>
-	DictLessThan(d1, d3)
-decreases
-func DictLessThanTransitiveQ() {
-	// proven
+pure func dictMaxIsLessThan(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) U {
+	return dictUnionIsLessThan(d1, d2, d3)
 }
 
 ghost
-ensures DictLessThan(m, io.insert(m, k, e))
 decreases
-func DictLessThanInsert(m dict[Key]Val, k Key, e Elem) {
-	// proven
-}
-
-ghost
-ensures  DictLessThan(d1, d3) && DictLessThan(d2, d3) ==> DictLessThan(DictMax(d1, d2), d3)
-decreases
-func DictMaxIsLessThan(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
-	DictUnionIsLessThan(d1, d2, d3)
-}
-
-ghost
-decreases
-pure func DictMax(d1 dict[Key]Val, d2 dict[Key]Val) dict[Key]Val {
+pure func dictMax(d1 dict[Key]Val, d2 dict[Key]Val) dict[Key]Val {
 	// logically redundant but it simplifies automated reasoning when
-	// either DictLessThan(d1, d2) or DictLessThan(d2, d1) is known.
-	return DictLessThan(d1, d2) ? d2 : DictLessThan(d2, d1) ? d1 : DictUnion(d1, d2)
+	// either dictLessThan(d1, d2) or dictLessThan(d2, d1) is known.
+	return dictLessThan(d1, d2) ? d2 : dictLessThan(d2, d1) ? d1 : dictUnion(d1, d2)
 }
 
 ghost
-requires DictLessThan(d1, d2) && DictLessThan(d2, d1)
+requires dictLessThan(d1, d2) && dictLessThan(d2, d1)
 ensures  d1 === d2
 decreases
-func DictLessEq(d1 dict[Key]Val, d2 dict[Key]Val) {
+func dictLessEq(d1 dict[Key]Val, d2 dict[Key]Val) {
 	assert forall k Key :: k elem domain(d1) ==> k elem domain(d2) && AsSet(d1[k]) union AsSet(d2[k]) == AsSet(d2[k])
 	assert forall k Key :: k elem domain(d2) ==> k elem domain(d1) && AsSet(d1[k]) union AsSet(d2[k]) == AsSet(d1[k])
 	assert domain(d1) == domain(d2)
@@ -380,37 +346,37 @@ pure func keyInDict(d dict[Key]Val, k Key, v io.Pkt) bool {
 }
 
 ghost
-ensures domain(DictMax(d1, d2)) == domain(d1) union domain(d2)
-ensures let d := DictMax(d1, d2) in
+ensures domain(dictMax(d1, d2)) == domain(d1) union domain(d2)
+ensures let d := dictMax(d1, d2) in
 	forall k Key, v io.Pkt :: !keyInDict(d, k, v) == !(keyInDict(d1, k, v) || keyInDict(d2, k, v))
 decreases
 func dictMaxAssocLemma0(d1 dict[Key]Val, d2 dict[Key]Val) {
-	reveal DictUnion(d1, d2)
+	reveal dictUnion(d1, d2)
 }
 
 ghost
-ensures domain(DictMax(d1, DictMax(d2, d3))) == domain(d1) union domain(d2) union domain(d3)
-ensures let d := DictMax(d1, DictMax(d2, d3)) in
+ensures domain(dictMax(d1, dictMax(d2, d3))) == domain(d1) union domain(d2) union domain(d3)
+ensures let d := dictMax(d1, dictMax(d2, d3)) in
 	forall k Key, v io.Pkt :: keyInDict(d, k, v) == (keyInDict(d1, k, v) || keyInDict(d2, k, v) || keyInDict(d3, k, v))
 decreases
 func dictMaxAssocLemma1(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
-	d := DictMax(d1, DictMax(d2, d3))
+	d := dictMax(d1, dictMax(d2, d3))
 	assert forall k Key, v io.Pkt :: (keyInDict(d1, k, v) || keyInDict(d2, k, v) || keyInDict(d3, k, v)) ==> keyInDict(d, k, v)
 	dictMaxAssocLemma0(d2, d3)
-	dictMaxAssocLemma0(d1, DictMax(d2, d3))
+	dictMaxAssocLemma0(d1, dictMax(d2, d3))
 	assert forall k Key, v io.Pkt :: keyInDict(d, k, v) ==> (keyInDict(d1, k, v) || keyInDict(d2, k, v) || keyInDict(d3, k, v))
 }
 
 ghost
-ensures domain(DictMax(DictMax(d1, d2), d3)) == domain(d1) union domain(d2) union domain(d3)
-ensures let d := DictMax(DictMax(d1, d2), d3) in
+ensures domain(dictMax(dictMax(d1, d2), d3)) == domain(d1) union domain(d2) union domain(d3)
+ensures let d := dictMax(dictMax(d1, d2), d3) in
 	forall k Key, v io.Pkt :: keyInDict(d, k, v) == (keyInDict(d1, k, v) || keyInDict(d2, k, v) || keyInDict(d3, k, v))
 decreases
 func dictMaxAssocLemma2(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
-	d := DictMax(DictMax(d1, d2), d3)
+	d := dictMax(dictMax(d1, d2), d3)
 	assert forall k Key, v io.Pkt :: (keyInDict(d1, k, v) || keyInDict(d2, k, v) || keyInDict(d3, k, v)) ==> keyInDict(d, k, v)
 	dictMaxAssocLemma0(d1, d2)
-	dictMaxAssocLemma0(DictMax(d1, d2), d3)
+	dictMaxAssocLemma0(dictMax(d1, d2), d3)
 	assert forall k Key, v io.Pkt :: keyInDict(d, k, v) ==> (keyInDict(d1, k, v) || keyInDict(d2, k, v) || keyInDict(d3, k, v))
 }
 
@@ -427,9 +393,9 @@ func dictExtensionality(d1 dict[Key]Val, d2 dict[Key]Val) {
 	lemmaSubSet()
 	assert forall k Key :: k elem domain(d1) ==> AsSet(d1[k]) union AsSet(d2[k]) == AsSet(d2[k])
 	assert forall k Key :: k elem domain(d2) ==> AsSet(d2[k]) union AsSet(d1[k]) == AsSet(d1[k])
-	assert DictLessThan(d1, d2)
-	assert DictLessThan(d2, d1)
-	DictLessEq(d1, d2)
+	assert dictLessThan(d1, d2)
+	assert dictLessThan(d2, d1)
+	dictLessEq(d1, d2)
 }
 
 ghost
@@ -440,27 +406,27 @@ func lemmaSubSet() {
 }
 
 ghost
-ensures  DictMax(d1, DictMax(d2, d3)) === DictMax(DictMax(d1, d2), d3)
+ensures  dictMax(d1, dictMax(d2, d3)) === dictMax(dictMax(d1, d2), d3)
 decreases
-func DictMaxAssoc(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
+func dictMaxAssoc(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
 	dictMaxAssocLemma1(d1, d2, d3)
 	dictMaxAssocLemma2(d1, d2, d3)
-	dictExtensionality(DictMax(d1, DictMax(d2, d3)), DictMax(DictMax(d1, d2), d3))
+	dictExtensionality(dictMax(d1, dictMax(d2, d3)), dictMax(dictMax(d1, d2), d3))
 }
 
 ghost
-ensures DictMax(d1, d2) == DictMax(d2, d1)
+ensures dictMax(d1, d2) == dictMax(d2, d1)
 decreases
-func DictMaxIsComm(d1 dict[Key]Val, d2 dict[Key]Val) {
-	if DictLessThan(d1, d2) && DictLessThan(d2, d1) {
-		DictLessEq(d1, d2)
+func dictMaxIsComm(d1 dict[Key]Val, d2 dict[Key]Val) {
+	if dictLessThan(d1, d2) && dictLessThan(d2, d1) {
+		dictLessEq(d1, d2)
 	}
-	assert d1 != d2 && DictLessThan(d1, d2) ==> !DictLessThan(d2, d1)
-	assert DictLessThan(d1, d2) ==> DictMax(d1, d2) == d2
-	assert DictLessThan(d1, d2) ==> DictMax(d2, d1) == d2
-	assert DictLessThan(d2, d1) ==> DictMax(d1, d2) == d1
-	assert DictLessThan(d2, d1) ==> DictMax(d2, d1) == d1
-	DictUnionIsComm(d1, d2)
+	assert d1 != d2 && dictLessThan(d1, d2) ==> !dictLessThan(d2, d1)
+	assert dictLessThan(d1, d2) ==> dictMax(d1, d2) == d2
+	assert dictLessThan(d1, d2) ==> dictMax(d2, d1) == d2
+	assert dictLessThan(d2, d1) ==> dictMax(d1, d2) == d1
+	assert dictLessThan(d2, d1) ==> dictMax(d2, d1) == d1
+	dictUnionIsComm(d1, d2)
 }
 
 ghost
@@ -480,10 +446,10 @@ pure func (ra TypeAuthRA) Compose(e1 resalgebra.Elem, e2 resalgebra.Elem) (res r
 	return let c1 := e1.(AuthCarrier) in
 		let c2 := e2.(AuthCarrier)    in
 		(c1.fst === Bottom{} ?
-			AuthCarrier{c2.fst, Dict{DictMax(c1.snd.V, c2.snd.V)}} :
+			AuthCarrier{c2.fst, Dict{dictMax(c1.snd.V, c2.snd.V)}} :
 			(c2.fst === Bottom{} ?
-				AuthCarrier{c1.fst, Dict{DictMax(c1.snd.V, c2.snd.V)}} :
-				AuthCarrier{Top{}, Dict{DictMax(c1.snd.V, c2.snd.V)}}))
+				AuthCarrier{c1.fst, Dict{dictMax(c1.snd.V, c2.snd.V)}} :
+				AuthCarrier{Top{}, Dict{dictMax(c1.snd.V, c2.snd.V)}}))
 }
 
 ghost
@@ -499,7 +465,7 @@ func (ra TypeAuthRA) ComposeAssoc(e1 resalgebra.Elem, e2 resalgebra.Elem, e3 res
 	comp2 := ra.Compose(e1, ra.Compose(e2, e3)).(AuthCarrier)
 
 	assert comp1.fst === comp2.fst
-	DictMaxAssoc(c1.snd.V, c2.snd.V, c3.snd.V)
+	dictMaxAssoc(c1.snd.V, c2.snd.V, c3.snd.V)
 }
 
 ghost
@@ -509,7 +475,7 @@ decreases
 func (ra TypeAuthRA) ComposeComm(e1 resalgebra.Elem, e2 resalgebra.Elem) {
 	c1 := e1.(AuthCarrier)
 	c2 := e2.(AuthCarrier)
-	DictMaxIsComm(c1.snd.V, c2.snd.V)
+	dictMaxIsComm(c1.snd.V, c2.snd.V)
 }
 
 ghost
@@ -557,8 +523,8 @@ func (ra TypeAuthRA) ValidOp(e1 resalgebra.Elem, e2 resalgebra.Elem) {
 	if (c1.fst !== Bottom{}) {
 		fst := c.fst.(Dict).V
 		snd := c.snd.V
-		assert DictLessThan(snd, fst)
-		assert snd === DictMax(c1.snd.V, c2.snd.V)
+		assert dictLessThan(snd, fst)
+		assert snd === dictMax(c1.snd.V, c2.snd.V)
 	}
 }
 
@@ -608,18 +574,39 @@ func UpdateElemWitness(m dict[Key]Val, y ElemRA, k Key, e Elem) {
 	fold ElemWitness(y, k, e)
 }
 
+// by far, the slowest lemma to prove atm
 ghost
 ensures let d := Dict{dict[Key]Val{k: set[io.Pkt]{e}}} in
 	let c := (TypeAuthRA{}).Compose(AuthView(Dict{io.insert(m, k, e)}), FragView(d)) in
 	resalgebra.IsFramePreservingUpdate(TypeAuthRA{}, AuthView(Dict{m}), c)
 decreases
 func updateElemWitnessAuxLemma(m dict[Key]Val, k Key, e Elem) {
+	ra := TypeAuthRA{}
+	a := AuthView(Dict{m})
 	d := Dict{dict[Key]Val{k: set[io.Pkt]{e}}}
-	c := (TypeAuthRA{}).Compose(AuthView(Dict{io.insert(m, k, e)}), FragView(d))
-	assert (TypeAuthRA{}).IsValid(AuthView(Dict{m})) ==>
-		(TypeAuthRA{}).IsValid(c)
-	//assert forall e resalgebra.Elem :: (TypeAuthRA{}).IsValid(AuthView(Dict{m}))
-	assume false
+	c := ra.Compose(AuthView(Dict{io.insert(m, k, e)}), FragView(d))
+	assert ra.IsValid(a) ==> ra.IsValid(c)
+	assert forall ee resalgebra.Elem :: ra.IsElem(ee) && ra.IsValid(ra.Compose(a, ee)) ==>
+		(let ae := ra.Compose(a, ee).(AuthCarrier) in
+			(ae.fst == Bottom{} || dictLessThan(ae.snd.V, m)))
+	dictLessThanTransitiveQ()
+	assert forall ee resalgebra.Elem :: ra.IsElem(ee) && ra.IsValid(ra.Compose(a, ee)) ==>
+		ee.(AuthCarrier).fst === Bottom{}       &&
+		dictLessThan(ee.(AuthCarrier).snd.V, m) &&
+		dictLessThan(m, io.insert(m, k, e))     &&
+		dictLessThan(ee.(AuthCarrier).snd.V, io.insert(m, k, e))
+	assert forall ee resalgebra.Elem :: ra.IsElem(ee) && ra.IsValid(ra.Compose(a, ee)) ==>
+		ee.(AuthCarrier).fst === Bottom{}         &&
+		let ce := ra.Compose(c, ee).(AuthCarrier) in
+		ce.fst.(Dict).V === io.insert(m, k, e)
+	assert forall ee resalgebra.Elem :: ra.IsElem(ee) && ra.IsValid(ra.Compose(a, ee)) ==>
+		ee.(AuthCarrier).fst === Bottom{}         &&
+		let ce := ra.Compose(c, ee).(AuthCarrier) in
+		ce.snd.V == dictMax(d.V, ee.(AuthCarrier).snd.V) &&
+		dictLessThan(d.V, io.insert(m, k, e)) &&
+		dictLessThan(ee.(AuthCarrier).snd.V, io.insert(m, k, e)) &&
+		let _ := dictMaxIsLessThan(d.V, ee.(AuthCarrier).snd.V, io.insert(m, k, e)) in
+		true
 }
 
 ghost
@@ -635,9 +622,9 @@ func InitElemAuth(m dict[Key]Val) (y ElemRA) {
 
 ghost
 opaque
-ensures DictLessThan(d1, res) && DictLessThan(d2, res)
+ensures dictLessThan(d1, res) && dictLessThan(d2, res)
 decreases
-pure func DictUnion(d1 dict[Key]Val, d2 dict[Key]Val) (res dict[Key]Val) {
+pure func dictUnion(d1 dict[Key]Val, d2 dict[Key]Val) (res dict[Key]Val) {
 	return dictUnionAux(d1, d2)
 }
 
@@ -664,32 +651,33 @@ decreases len((domain(d1) union domain(d2)) setminus visitedKeys)
 pure func dictUnionAuxIter(d1 dict[Key]Val, d2 dict[Key]Val, visitedKeys set[Key]) (res dict[Key]Val) {
 	return visitedKeys === (domain(d1) union domain(d2)) ?
 		dict[Key]Val{} :
-		let _ := LemmaSetInclusion(visitedKeys, domain(d1) union domain(d2)) in
+		let _ := lemmaSetInclusion(visitedKeys, domain(d1) union domain(d2)) in
 		let c := choose((domain(d1) union domain(d2)) setminus visitedKeys) in
 		let v := (c elem domain(d1) && c elem domain(d2) ? AsSet(d1[c]) union AsSet(d2[c]) : (c elem domain(d1) ? d1[c] : d2[c])) in
 		let d := dictUnionAuxIter(d1, d2, visitedKeys union set[Key]{c}) in
 		d[c = v]
 }
 
 ghost
-ensures DictUnion(d1, d2) === DictUnion(d2, d1)
+ensures dictUnion(d1, d2) === dictUnion(d2, d1)
 decreases
-func DictUnionIsComm(d1 dict[Key]Val, d2 dict[Key]Val) {
-	u1 := reveal DictUnion(d1, d2)
-	u2 := reveal DictUnion(d2, d1)
+func dictUnionIsComm(d1 dict[Key]Val, d2 dict[Key]Val) {
+	u1 := reveal dictUnion(d1, d2)
+	u2 := reveal dictUnion(d2, d1)
 	assert domain(u1) === domain(u2)
 	assert forall k Key :: k elem domain(u1) ==> u1[k] == u2[k]
 }
 
-// DictUnion(d1, d2) is the smallest dict that is bigger than both d1 and d2
+// dictUnion(d1, d2) is the smallest dict that is bigger than both d1 and d2
 ghost
-ensures  DictLessThan(d1, d3) && DictLessThan(d2, d3) ==> DictLessThan(DictUnion(d1, d2), d3)
+ensures  dictLessThan(d1, d3) && dictLessThan(d2, d3) ==> dictLessThan(dictUnion(d1, d2), d3)
 decreases
-func DictUnionIsLessThan(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) {
-	u1 := reveal DictUnion(d1, d2)
-	u2 := reveal DictUnion(d2, d1)
-	assert domain(u1) === domain(u2)
-	assert forall k Key :: k elem domain(u1) ==> u1[k] == u2[k]
+pure func dictUnionIsLessThan(d1 dict[Key]Val, d2 dict[Key]Val, d3 dict[Key]Val) U {
+	return let u1 := reveal dictUnion(d1, d2) in
+		let u2 := reveal dictUnion(d2, d1) in
+		let _ := domain(u1) === domain(u2) in
+		let _ := forall k Key :: k elem domain(u1) ==> u1[k] == u2[k] in
+		U{}
 }
 
 /////////////////////////////////////// Utility ///////////////////////////////////////
@@ -706,13 +694,14 @@ ghost
 requires (s1 union s2) === s2 && s1 !== s2
 ensures  0 < len(s2 setminus s1)
 decreases
-pure func LemmaSetInclusion(s1 set[Key], s2 set[Key]) U {
+pure func lemmaSetInclusion(s1 set[Key], s2 set[Key]) U {
 	return U{}
 }
 
 
 // Hilbert's choice operator, cannot be proven in Gobra yet.
 ghost
+trusted
 requires 0 < len(s)
 ensures  res elem s
 decreases
