
Commit f032c9b

authored
Fix doXover on the new semantics (#395)
* start * identify problematic postconditions * drop one assumption * drop comments * fix proof of new postconditions of XoverLemma * small simplifications * drop yet another assumption * drop last assumption
1 parent 0ac3ea8 commit f032c9b


4 files changed

+41
-5
lines changed


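--- a/pkg/slayers/path/scion/raw.go
+++ b/pkg/slayers/path/scion/raw.go
@@ -234,11 +234,18 @@ func (s *Raw) ToDecoded( /*@ ghost ubuf []byte @*/ ) (d *Decoded, err error) {
 // @ ensures r != nil ==> s.NonInitMem()
 // @ ensures r != nil ==> r.ErrorMem()
 // post for IO:
-// @ ensures r == nil ==> s.GetBase(ubuf).EqAbsHeader(ubuf) && validPktMetaHdr(ubuf)
+// @ ensures r == nil ==>
+// @ s.GetBase(ubuf).EqAbsHeader(ubuf) && validPktMetaHdr(ubuf)
 // @ ensures r == nil && old(s.GetBase(ubuf).IsXoverSpec()) ==>
 // @ s.absPkt(ubuf) == AbsXover(old(s.absPkt(ubuf)))
 // @ ensures r == nil && !old(s.GetBase(ubuf).IsXoverSpec()) ==>
 // @ s.absPkt(ubuf) == AbsIncPath(old(s.absPkt(ubuf)))
+// (VerifiedSCION) the following post is technically redundant,
+// as it conveys information that could, in principle, be conveyed
+// with the previous posts. We should at some point revisit all
+// abstractions we use for paths and potentially unify them.
+// @ ensures r == nil ==>
+// @ s.GetBase(ubuf) == old(s.GetBase(ubuf).IncPathSpec())
 // @ decreases
 func (s *Raw) IncPath( /*@ ghost ubuf []byte @*/ ) (r error) {
 //@ unfold s.Mem(ubuf)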
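Review bot: The new postcondition `// @ ensures r == nil ==> s.GetBase(ubuf) == old(s.GetBase(ubuf).IncPathSpec())` is labelled "technically redundant", yet doXover in router/dataplane.go now depends on exactly this fact (`// @ assert p.path.GetBase(ubPath) == nextBase` directly after the IncPath call), so a later cleanup that takes the comment at its word would break that proof. Name the consumer in the comment so the dependency is visible from here, e.g. `// It is, however, what doXover (router/dataplane.go) uses to relate p.path.GetBase(ubPath) to currBase.IncPathSpec() after IncPath.` The body of IncPath continues beyond the hunk.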

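--- a/pkg/slayers/path/scion/raw_spec.gobra
+++ b/pkg/slayers/path/scion/raw_spec.gobra
@@ -290,13 +290,16 @@ requires 0 < segLen
 requires offset + path.HopLen * segLen <= len(raw)
 requires 0 <= currHfIdx && currHfIdx <= segLen
 requires 0 <= currInfIdx && currInfIdx < 3
+ensures len(res.Future) == segLen - currHfIdx
+ensures len(res.History) == currHfIdx
+ensures len(res.Past) == currHfIdx
 decreases
 pure func CurrSeg(raw []byte,
 offset int,
 currInfIdx int,
 currHfIdx int,
 segLen int,
-headerOffset int) io.IO_seg3 {
+headerOffset int) (res io.IO_seg3) {
 return let ainfo := path.Timestamp(raw, currInfIdx, headerOffset) in
 let consDir := path.ConsDir(raw, currInfIdx, headerOffset) in
 let peer := path.Peer(raw, currInfIdx, headerOffset) in
@@ -621,6 +624,8 @@ preserves validPktMetaHdr(ubuf)
 preserves s.GetBase(ubuf).EqAbsHeader(ubuf)
 ensures s.absPkt(ubuf).LeftSeg != none[io.IO_seg2]
 ensures len(s.absPkt(ubuf).CurrSeg.Future) == 1
+ensures len(get(s.absPkt(ubuf).LeftSeg).Future) > 0
+ensures len(get(s.absPkt(ubuf).LeftSeg).History) == 0
 decreases
 func (s *Raw) XoverLemma(ubuf []byte) {
 reveal validPktMetaHdr(ubuf)
@@ -640,6 +645,8 @@ func (s *Raw) XoverLemma(ubuf []byte) {
 assert pkt.LeftSeg == reveal LeftSeg(ubuf, currInfIdx + 1, segs, MetaLen)
 assert len(pkt.CurrSeg.Future) == 1
 assert pkt.LeftSeg != none[io.IO_seg2]
+assert len(get(s.absPkt(ubuf).LeftSeg).History) == 0
+assert len(get(pkt.LeftSeg).Future) > 0
 }
 
 ghost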
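Review bot: The two asserts added at the end of XoverLemma name the abstract packet differently: `assert len(get(s.absPkt(ubuf).LeftSeg).History) == 0` goes through `s.absPkt(ubuf)`, while the very next line and the surrounding asserts use `pkt.LeftSeg` (the binding of `pkt` lies outside the hunk, but the neighbouring `assert pkt.LeftSeg == reveal LeftSeg(...)` suggests it is that same value). Writing it as `assert len(get(pkt.LeftSeg).History) == 0` keeps the proof script uniform and avoids re-evaluating absPkt at that point. The new CurrSeg postconditions `ensures len(res.History) == currHfIdx` and `ensures len(res.Past) == currHfIdx` also fix History and Past to always have the same length; if that is intended, a one-line comment above them stating the invariant would spare readers of the spec from deriving it. XoverLemma's body runs between the last two hunks, so there may be a redefinition of `pkt` I cannot see.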

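--- a/router/dataplane.go
+++ b/router/dataplane.go
@@ -3115,8 +3115,8 @@ func (p *scionPacketProcessor) processEgress( /*@ ghost ub []byte @*/ ) (reserr
 // @ let ubPath := p.scionLayer.UBPath(ub) in
 // @ (unfolding acc(p.scionLayer.Mem(ub), _) in
 // @ p.path === p.scionLayer.GetPath(ub) &&
-// @ p.path.GetBase(ubPath) == currBase.IncPathSpec() &&
-// @ currBase.IncPathSpec().Valid())
+// @ p.path.GetBase(ubPath) == currBase.IncPathSpec())
+// @ ensures reserr == nil ==> currBase.IncPathSpec().Valid()
 // @ ensures reserr == nil ==>
 // @ p.scionLayer.ValidPathMetaData(ub) == old(p.scionLayer.ValidPathMetaData(ub))
 // @ decreases
@@ -3131,14 +3131,19 @@ func (p *scionPacketProcessor) doXover( /*@ ghost ub []byte, ghost currBase scio
 // @ sl.SplitByIndex_Bytes(ub, 0, startP, slayers.CmnHdrLen, R54)
 // @ sl.Reslice_Bytes(ub, 0, slayers.CmnHdrLen, R54)
 // @ slayers.IsSupportedPktSubslice(ub, slayers.CmnHdrLen)
+// @ assert p.path == p.scionLayer.GetPath(ub)
 // @ p.AbsPktToSubSliceAbsPkt(ub, startP, endP)
+// @ assert p.path == p.scionLayer.GetPath(ub)
 // @ p.scionLayer.ValidHeaderOffsetToSubSliceLemma(ub, startP)
+// @ ghost preAbsPkt := p.path.absPkt(ubPath)
 // @ p.path.XoverLemma(ubPath)
 // @ reveal p.EqAbsInfoField(absPkt(ub))
 // @ reveal p.EqAbsHopField(absPkt(ub))
 // @ sl.SplitRange_Bytes(ub, startP, endP, HalfPerm)
 // @ reveal p.scionLayer.ValidHeaderOffset(ub, startP)
 // @ unfold acc(p.scionLayer.Mem(ub), R55)
+// @ assert p.path.GetBase(ubPath) == currBase
+// @ ghost nextBase := currBase.IncPathSpec()
 if err := p.path.IncPath( /*@ ubPath @*/ ); err != nil {
 // TODO parameter problem invalid path
 // (VerifiedSCION) we currently expose a lot of internal information from slayers here. Can we avoid it?
@@ -3150,18 +3155,28 @@ func (p *scionPacketProcessor) doXover( /*@ ghost ub []byte, ghost currBase scio
 // @ fold p.scionLayer.NonInitMem()
 return processResult{}, serrors.WrapStr("incrementing path", err)
 }
+// @ assert p.path.GetBase(ubPath) == nextBase
+// @ assert p.path.absPkt(ubPath) == scion.AbsXover(preAbsPkt)
 // @ fold acc(p.scionLayer.Mem(ub), R55)
 // @ assert reveal p.scionLayer.ValidHeaderOffset(ub, startP)
 // @ ghost sl.CombineRange_Bytes(ub, startP, endP, HalfPerm)
 // @ slayers.IsSupportedPktSubslice(ub, slayers.CmnHdrLen)
 // @ sl.Unslice_Bytes(ub, 0, slayers.CmnHdrLen, R54)
 // @ sl.CombineAtIndex_Bytes(ub, 0, startP, slayers.CmnHdrLen, R54)
+// @ assert p.path == p.scionLayer.GetPath(ub)
 // @ p.scionLayer.ValidHeaderOffsetFromSubSliceLemma(ub, startP)
+// @ assert p.scionLayer.ValidHeaderOffset(ub, len(ub))
+// @ assert p.path == p.scionLayer.GetPath(ub)
 // @ p.SubSliceAbsPktToAbsPkt(ub, startP, endP)
+// @ assert p.scionLayer.ValidHeaderOffset(ub, len(ub))
+// @ assert p.path == p.scionLayer.GetPath(ub)
+// @ assert p.path.GetBase(ubPath) == nextBase
 // @ assert len(get(old(absPkt(ub)).LeftSeg).Future) > 0
 // @ assert len(get(old(absPkt(ub)).LeftSeg).History) == 0
 // @ assert slayers.ValidPktMetaHdr(ub) && p.scionLayer.EqAbsHeader(ub)
 // @ assert absPkt(ub) == reveal AbsDoXover(old(absPkt(ub)))
+// @ assert p.path == p.scionLayer.GetPath(ub)
+// @ assert p.path.GetBase(ubPath) == nextBase
 var err error
 // (VerifiedSCION) Due to an incompleteness (https://github.com/viperproject/gobra/issues/770),
 // we introduce a temporary variable to be able to call `path.AbsMacArrayCongruence()`.
@@ -3173,6 +3188,7 @@ func (p *scionPacketProcessor) doXover( /*@ ghost ub []byte, ghost currBase scio
 // TODO parameter problem invalid path
 return processResult{}, err
 }
+// @ assert p.path.GetBase(ubPath) == nextBase
 p.hopField = tmpHopField
 // @ path.AbsMacArrayCongruence(p.hopField.Mac, tmpHopField.Mac)
 // @ assert p.hopField.ToIO_HF() == tmpHopField.ToIO_HF()
@@ -3185,15 +3201,18 @@ func (p *scionPacketProcessor) doXover( /*@ ghost ub []byte, ghost currBase scio
 // TODO parameter problem invalid path
 return processResult{}, err
 }
-// @ ghost sl.CombineRange_Bytes(ub, startP, endP, HalfPerm)
+// @ assert p.path.GetBase(ubPath) == nextBase
 // @ p.SubSliceAbsPktToAbsPkt(ub, startP, endP)
+// @ ghost sl.CombineRange_Bytes(ub, startP, endP, HalfPerm/2)
 // @ absPktFutureLemma(ub)
 // @ p.path.DecodingLemma(ubPath, p.infoField, p.hopField)
 // @ assert reveal p.path.EqAbsInfoField(p.path.absPkt(ubPath), p.infoField.ToAbsInfoField())
 // @ assert reveal p.path.EqAbsHopField(p.path.absPkt(ubPath), p.hopField.ToIO_HF())
 // @ assert reveal p.EqAbsHopField(absPkt(ub))
 // @ assert reveal p.EqAbsInfoField(absPkt(ub))
+// @ ghost sl.CombineRange_Bytes(ub, startP, endP, HalfPerm/2)
 // @ fold acc(p.scionLayer.Mem(ub), 1-R55)
+// @ assert currBase.IncPathSpec().Valid()
 return processResult{}, nil
 }
 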
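Review bot: The hunk starting at new line 3155 of doXover repeats `// @ assert p.path == p.scionLayer.GetPath(ub)` four times and `// @ assert p.scionLayer.ValidHeaderOffset(ub, len(ub))` twice, with no comment saying why the prover needs each repetition; since this same commit adds `ensures p.path === p.scionLayer.GetPath(ub)` to both AbsPktToSubSliceAbsPkt and SubSliceAbsPktToAbsPkt in router/io-spec-lemmas.gobra, several of them look like scaffolding left over from narrowing down the failing postconditions rather than facts the proof still requires. Either remove the ones Gobra no longer needs, or keep a single one and annotate it, e.g. `// @ // (VerifiedSCION) restated so the prover carries the GetPath equality across the lemma calls above`. The last hunk also splits the former `sl.CombineRange_Bytes(ub, startP, endP, HalfPerm)` into two `HalfPerm/2` calls on either side of `p.path.DecodingLemma(...)`; a one-line comment stating which permission DecodingLemma needs in between would keep the next reader from re-merging them. doXover begins before its first hunk, so part of the permission bookkeeping is out of view.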

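--- a/router/io-spec-lemmas.gobra
+++ b/router/io-spec-lemmas.gobra
@@ -263,6 +263,7 @@ ensures end == p.scionLayer.PathEndIdx(ub)
 ensures scion.validPktMetaHdr(ub[start:end])
 ensures p.path.GetBase(ub[start:end]).EqAbsHeader(ub[start:end])
 ensures p.scionLayer.ValidHeaderOffset(ub, len(ub))
+ensures p.path === p.scionLayer.GetPath(ub)
 ensures absPkt(ub) == p.path.absPkt(ub[start:end])
 decreases
 func (p* scionPacketProcessor) AbsPktToSubSliceAbsPkt(ub []byte, start int, end int) {
@@ -324,7 +325,9 @@ ensures start == p.scionLayer.PathStartIdx(ub)
 ensures end == p.scionLayer.PathEndIdx(ub)
 ensures scion.validPktMetaHdr(ub[start:end])
 ensures p.scionLayer.EqAbsHeader(ub)
+ensures p.path === p.scionLayer.GetPath(ub)
 ensures absPkt(ub) == p.path.absPkt(ub[start:end])
+ensures p.scionLayer.ValidHeaderOffset(ub, len(ub))
 decreases
 func (p* scionPacketProcessor) SubSliceAbsPktToAbsPkt(ub []byte, start int, end int){
 unfold acc(sl.Bytes(ub, 0, len(ub)), R56)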
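Review bot: The two lemmas now expose the same new postcondition `ensures p.path === p.scionLayer.GetPath(ub)` but list their ensures clauses in different orders: in AbsPktToSubSliceAbsPkt it follows `ensures p.scionLayer.ValidHeaderOffset(ub, len(ub))`, whereas in SubSliceAbsPktToAbsPkt the `ValidHeaderOffset` clause is appended after `ensures absPkt(ub) == p.path.absPkt(ub[start:end])`. The two lemmas appear to be each other's converse, so keeping their postcondition lists mirrored (in the second lemma, place `ensures p.scionLayer.ValidHeaderOffset(ub, len(ub))` directly before the new `GetPath` clause) makes it easy to check by eye that both establish the same facts. Both lemma bodies continue outside the hunks.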
