pr 354, based on 53f8e30

jcp19 · jcp19 · commit c8de95d06645 · 2026-03-15T11:06:51.000+01:00
diff --git a/pkg/slayers/path/path.go b/pkg/slayers/path/path.go
@@ -14,11 +14,6 @@
 
 // +gobra
 
-// @ initEnsures PathPackageMem()
-// Skipped the following post-condition due to performance reasons
-// initEnsures forall t Type :: 0 <= t && t < maxPathType ==> !Registered(t)
-// Instead, we have:
-// @ initEnsures !Registered(0) && !Registered(1) && !Registered(2) && !Registered(3)
 package path
 
 import (
diff --git a/verification/io/bios.gobra b/verification/io/bios.gobra
@@ -18,19 +18,19 @@
 
 package io
 
-type IO_bio3sIN adt {
+ghost type IO_bio3sIN adt {
 	IO_bio3s_enter{}
 	IO_bio3s_xover{}
 	IO_bio3s_exit{}
 }
 
-type IO_bio3sIO adt {
+ghost type IO_bio3sIO adt {
 	IO_bio3s_send{}
 	IO_bio3s_recv{}
 }
 
 // defined in Isabelle as (bios3sIN, bios3sIO) events
-type IO_bio3s adt {
+ghost type IO_bio3s adt {
 	IO_bio3s_IN {
 		IN IO_bio3sIN
 	}
diff --git a/verification/io/dataplane_abstract.gobra b/verification/io/dataplane_abstract.gobra
@@ -19,7 +19,7 @@ package io
 // links: representation of the network topology as a graph.
 //     `links[(a1,x)] == (a2,y)` means that the interface x of AS a1 is connected
 //     to the interface y of AS a2.
-type DataPlaneSpec adt {
+ghost type DataPlaneSpec adt {
 	DataPlaneSpec_{
 		linkTypes		dict[IO_ifs]IO_Link
 		neighborIAs		dict[IO_ifs]IO_as
@@ -28,7 +28,7 @@ type DataPlaneSpec adt {
 	}
 }
 
-type AsIfsPair struct {
+ghost type AsIfsPair ghost struct {
 	asid	IO_as
 	ifs		IO_ifs
 }
@@ -37,14 +37,14 @@ ghost
 opaque
 decreases
 pure func (dp DataPlaneSpec) Valid() bool {
-	return (forall ifs IO_ifs :: {ifs in domain(dp.neighborIAs)} ifs in domain(dp.neighborIAs)  ==>
-			(AsIfsPair{dp.localIA, ifs} in domain(dp.links) &&
+	return (forall ifs IO_ifs :: {ifs elem domain(dp.neighborIAs)} ifs elem domain(dp.neighborIAs)  ==>
+			(AsIfsPair{dp.localIA, ifs} elem domain(dp.links) &&
 			dp.Lookup(AsIfsPair{dp.localIA, ifs}).asid == dp.neighborIAs[ifs])) &&
-		(forall ifs IO_ifs :: {ifs in domain(dp.neighborIAs)} AsIfsPair{dp.localIA, ifs} in domain(dp.links) ==>
-			ifs in domain(dp.neighborIAs)) &&
-		(forall pairs AsIfsPair :: {dp.Lookup(pairs)} pairs in domain(dp.links) ==>
+		(forall ifs IO_ifs :: {ifs elem domain(dp.neighborIAs)} AsIfsPair{dp.localIA, ifs} elem domain(dp.links) ==>
+			ifs elem domain(dp.neighborIAs)) &&
+		(forall pairs AsIfsPair :: {dp.Lookup(pairs)} pairs elem domain(dp.links) ==>
 			let next_pair := dp.Lookup(pairs) in
-			(next_pair in domain(dp.links)) &&
+			(next_pair elem domain(dp.links)) &&
 			dp.Lookup(next_pair) == pairs) &&
 			domain(dp.linkTypes) == domain(dp.neighborIAs)
 }
@@ -57,7 +57,7 @@ pure func (dp DataPlaneSpec) GetLinkTypes() dict[IO_ifs]IO_Link {
 
 ghost
 decreases
-requires ifs in domain(dp.linkTypes)
+requires ifs elem domain(dp.linkTypes)
 pure func (dp DataPlaneSpec) GetLinkType(ifs IO_ifs) IO_Link {
 	return dp.linkTypes[ifs]
 }
@@ -69,7 +69,7 @@ pure func (dp DataPlaneSpec) GetNeighborIAs() dict[IO_ifs]IO_as {
 }
 
 ghost
-requires ifs in domain(dp.neighborIAs)
+requires ifs elem domain(dp.neighborIAs)
 decreases
 pure func (dp DataPlaneSpec) GetNeighborIA(ifs IO_ifs) IO_as {
 	return dp.neighborIAs[ifs]
@@ -88,7 +88,7 @@ pure func (dp DataPlaneSpec) GetLinks() dict[AsIfsPair]AsIfsPair {
 }
 
 ghost
-requires pair in domain(dp.links)
+requires pair elem domain(dp.links)
 decreases
 pure func(dp DataPlaneSpec) Lookup(pair AsIfsPair) AsIfsPair {
 	return dp.links[pair]
diff --git a/verification/io/hopfields.gobra b/verification/io/hopfields.gobra
@@ -21,7 +21,7 @@ package io
 // Abstract representation of an HopField
 // We consider 0 to be the ID of the internal network in HopField.
 // We consider None to be the ID of the internal network in HF.
-type IO_HF adt {
+ghost type IO_HF adt {
 	IO_HF_ {
 		InIF2 option[IO_ifs]
 		EgIF2 option[IO_ifs]
diff --git a/verification/io/io-spec.gobra b/verification/io/io-spec.gobra
@@ -95,8 +95,8 @@ requires v.isIO_Internal_val1
 requires dp.Valid()
 decreases
 pure func (dp DataPlaneSpec) dp3s_iospec_bio3s_enter_guard(s IO_dp3s_state_local, t Place, v IO_val) bool {
-	return some(v.IO_Internal_val1_2) in domain(s.ibuf) &&
-		(let ibuf_set := s.ibuf[some(v.IO_Internal_val1_2)] in (v.IO_Internal_val1_1 in ibuf_set)) &&
+	return some(v.IO_Internal_val1_2) elem domain(s.ibuf) &&
+		(let ibuf_set := s.ibuf[some(v.IO_Internal_val1_2)] in (v.IO_Internal_val1_1 elem ibuf_set)) &&
 		len(v.IO_Internal_val1_1.CurrSeg.Future) > 0 &&
 		let currseg := v.IO_Internal_val1_1.CurrSeg in
 		let hf1, fut := currseg.Future[0], currseg.Future[1:] in
@@ -219,8 +219,8 @@ requires v.isIO_Internal_val2
 requires dp.Valid()
 decreases
 pure func (dp DataPlaneSpec) dp3s_iospec_bio3s_exit_guard(s IO_dp3s_state_local, t Place, v IO_val) bool {
-	return none[IO_ifs] in domain(s.ibuf) &&
-		(let ibuf_set := s.ibuf[none[IO_ifs]] in (v.IO_Internal_val2_1 in ibuf_set)) &&
+	return none[IO_ifs] elem domain(s.ibuf) &&
+		(let ibuf_set := s.ibuf[none[IO_ifs]] in (v.IO_Internal_val2_1 elem ibuf_set)) &&
 		len(v.IO_Internal_val2_1.CurrSeg.Future) > 0 &&
 		dp.dp3s_forward_ext(v.IO_Internal_val2_1, v.IO_Internal_val2_2, v.IO_Internal_val2_3)
 }
@@ -261,8 +261,8 @@ requires v.isIO_val_Pkt2
 requires dp.Valid()
 decreases
 pure func (dp DataPlaneSpec) dp3s_iospec_bio3s_send_guard(s IO_dp3s_state_local, t Place, v IO_val) bool {
-	return v.IO_val_Pkt2_1 in domain(s.obuf) &&
-		(let obuf_set := s.obuf[v.IO_val_Pkt2_1] in (v.IO_val_Pkt2_2 in obuf_set))
+	return v.IO_val_Pkt2_1 elem domain(s.obuf) &&
+		(let obuf_set := s.obuf[v.IO_val_Pkt2_1] in (v.IO_val_Pkt2_2 elem obuf_set))
 }
 
 pred (dp DataPlaneSpec) dp3s_iospec_bio3s_send(s IO_dp3s_state_local, t Place) {
diff --git a/verification/io/other_defs.gobra b/verification/io/other_defs.gobra
@@ -18,7 +18,7 @@
 
 package io
 
-type Unit adt {
+ghost type Unit adt {
 	Unit_{}
 }
 
@@ -29,7 +29,7 @@ type IO_ifs uint16
 type IO_as uint
 
 // msgTerms consist of terms from our term algebra.
-type IO_msgterm adt {
+ghost type IO_msgterm adt {
 	MsgTerm_Empty{}
 
 	MsgTerm_AS {
@@ -67,7 +67,7 @@ type IO_msgterm adt {
 	}
 }
 
-type IO_key adt {
+ghost type IO_key adt {
 	Key_macK {
 		Key_macK_ IO_as
 	}
@@ -82,7 +82,7 @@ type IO_key adt {
 }
 
 // "authenticated hop information"
-type IO_ahi adt {
+ghost type IO_ahi adt {
 	IO_ahi_ {
 		InIF option[IO_ifs]
 		EgIF option[IO_ifs]
@@ -105,7 +105,7 @@ func (h IO_HF) Toab() IO_ahi {
 }
 
 /* Link Types */
-type IO_Link adt {
+ghost type IO_Link adt {
 	IO_CustProv{}
 	IO_ProvCust{}
 	IO_Core{}
@@ -120,7 +120,7 @@ requires dp.Valid()
 requires p1 == dp.Asid()
 decreases
 pure func (dp DataPlaneSpec) link_type(p1 IO_as, p2 IO_ifs) IO_Link{
-	return p2 in domain(dp.GetLinkTypes()) ? dp.GetLinkType(p2) : IO_NoLink{}
+	return p2 elem domain(dp.GetLinkTypes()) ? dp.GetLinkType(p2) : IO_NoLink{}
 }
 
 ghost
@@ -192,7 +192,7 @@ type ext2_rec struct {
 	op4 IO_as
 }
 
-type IO_dp2_state adt {
+ghost type IO_dp2_state adt {
 	IO_dp2_state_ {
 		// In the Isabelle spec, the following are functions
 		// instead of mathematical maps
diff --git a/verification/io/packets.gobra b/verification/io/packets.gobra
@@ -19,7 +19,7 @@
 package io
 
 // pkt2
-type IO_pkt2 adt {
+ghost type IO_pkt2 adt {
 	// Here, we already instantiated the type params
 	IO_Packet2 {
 		CurrSeg  IO_seg3
@@ -30,4 +30,4 @@ type IO_pkt2 adt {
 }
 
 // pkt3 is the same as pkt2 instantiated with type parameters
-type IO_pkt3 = IO_pkt2
+ghost type IO_pkt3 = IO_pkt2
diff --git a/verification/io/router.gobra b/verification/io/router.gobra
@@ -89,7 +89,7 @@ ghost
 requires dp.Valid()
 decreases
 pure func (dp DataPlaneSpec) is_target(asid IO_as, nextif IO_ifs, a2 IO_as, i2 IO_ifs) bool {
-	return AsIfsPair{asid, nextif} in domain(dp.GetLinks()) &&
+	return AsIfsPair{asid, nextif} elem domain(dp.GetLinks()) &&
 		dp.Lookup(AsIfsPair{asid, nextif}) == AsIfsPair{a2, i2}
 }
 
@@ -115,7 +115,7 @@ pure func dp3s_add_obuf(s IO_dp3s_state_local, i option[IO_ifs], pkt IO_pkt3) IO
 ghost
 decreases
 pure func insert(buf dict[option[IO_ifs]](set[IO_pkt3]), k option[IO_ifs], v IO_pkt3) dict[option[IO_ifs]](set[IO_pkt3]) {
-	return let newSet := (k in domain(buf) ? (let pre := buf[k] in pre union set[IO_pkt3]{v}) : set[IO_pkt3]{v}) in
+	return let newSet := (k elem domain(buf) ? (let pre := buf[k] in pre union set[IO_pkt3]{v}) : set[IO_pkt3]{v}) in
 		buf[k = newSet]
 }
 
@@ -129,7 +129,7 @@ pure func (dp DataPlaneSpec) dp3s_forward_ext(m IO_pkt3, newpkt IO_pkt3, nextif
 		let hf1, fut := currseg.Future[0], currseg.Future[1:] in
 		let traversedseg := newpkt.CurrSeg in
 		dp.dp2_forward_ext_guard(dp.Asid(), m, nextif, currseg, traversedseg, newpkt, fut, hf1) &&
-		(nextif in domain(dp.GetNeighborIAs())) &&
+		(nextif elem domain(dp.GetNeighborIAs())) &&
 		let a2 := dp.GetNeighborIA(nextif) in
 		let i2 := dp.Lookup(AsIfsPair{dp.Asid(), nextif}).ifs in
 		dp.is_target(dp.Asid(), nextif, a2, i2)
@@ -145,7 +145,7 @@ pure func (dp DataPlaneSpec) dp3s_forward_ext_xover(m IO_pkt3, newpkt IO_pkt3, n
 		let hf1, fut := currseg.Future[0], currseg.Future[1:] in
 		let traversedseg := newpkt.CurrSeg in
 		dp.dp2_forward_ext_guard(dp.Asid(), m, nextif, currseg, traversedseg, newpkt, fut, hf1) &&
-		(nextif in domain(dp.GetNeighborIAs())) &&
+		(nextif elem domain(dp.GetNeighborIAs())) &&
 		let a2 := dp.GetNeighborIA(nextif) in
 		let i2 := dp.Lookup(AsIfsPair{dp.Asid(), nextif}).ifs in
 		dp.is_target(dp.Asid(), nextif, a2, i2)
@@ -199,8 +199,8 @@ pure func (dp DataPlaneSpec) dp3s_xover_guard(
 	) bool {
 		// the first conjunct was added to Gobra, even though it was not in the original isabelle spec.
 		// this is because of the way math. maps are implemented, we can only obtain a key that is in the map before.
-		return some(recvif) in domain(s.ibuf) &&
-			(let lookupRes := s.ibuf[some(recvif)] in (m in lookupRes)) &&
+		return some(recvif) elem domain(s.ibuf) &&
+			(let lookupRes := s.ibuf[some(recvif)] in (m elem lookupRes)) &&
 			dp.dp2_xover_guard(m, currseg, nextseg, traversedseg, intermediatepkt, hf1, hf2, nextfut, dp.Asid(), recvif) &&
 			dp.dp3s_forward_xover(intermediatepkt, newpkt, nextif)
 }
diff --git a/verification/io/router_state.gobra b/verification/io/router_state.gobra
@@ -18,7 +18,7 @@
 
 package io
 
-type IO_dp3s_state_local adt {
+ghost type IO_dp3s_state_local adt {
 	IO_dp3s_state_local_ {
 		ibuf dict[option[IO_ifs]](set[IO_pkt3])
 		obuf dict[option[IO_ifs]](set[IO_pkt3])
diff --git a/verification/io/segments.gobra b/verification/io/segments.gobra
@@ -20,7 +20,7 @@ package io
 
 type IO_ainfo = uint
 
-type IO_seg2 adt {
+ghost type IO_seg2 adt {
 	// Here, we already instantiated the type params
 	IO_seg3_ {
 		AInfo IO_ainfo // nat in Isabelle
@@ -34,4 +34,4 @@ type IO_seg2 adt {
 }
 
 // seg3 is the same as seg2 instantiated with type parameters
-type IO_seg3 = IO_seg2
+ghost type IO_seg3 = IO_seg2
diff --git a/verification/io/values.gobra b/verification/io/values.gobra
@@ -22,7 +22,7 @@ package io
 //       ideally, we would use always op_i for every field, but Gobra currently complains if
 //       there are two constructors with a parameter that shares the name.
 
-type IO_val adt {
+ghost type IO_val adt {
 	// Unit
 	IO_val_Unit{}
 

Original file line number	Diff line number	Diff line change
`@@ -18,19 +18,19 @@`
`18`	`18`
`19`	`19`	`package io`
`20`	`20`
`21`		`-type IO_bio3sIN adt {`
	`21`	`+ghost type IO_bio3sIN adt {`
`22`	`22`	`IO_bio3s_enter{}`
`23`	`23`	`IO_bio3s_xover{}`
`24`	`24`	`IO_bio3s_exit{}`
`25`	`25`	`}`
`26`	`26`
`27`		`-type IO_bio3sIO adt {`
	`27`	`+ghost type IO_bio3sIO adt {`
`28`	`28`	`IO_bio3s_send{}`
`29`	`29`	`IO_bio3s_recv{}`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`// defined in Isabelle as (bios3sIN, bios3sIO) events`
`33`		`-type IO_bio3s adt {`
	`33`	`+ghost type IO_bio3s adt {`
`34`	`34`	`IO_bio3s_IN {`
`35`	`35`	`IN IO_bio3sIN`
`36`	`36`	`}`