Skip to content

[WIP] SIF #394

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
henriman wants to merge 181 commits into
base: master
Choose a base branch
from
Draft

[WIP] SIF #394

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
181 commits
Select commit Hold shift + click to select a range
d606c27
Add MWE for proving SIF
henriman Nov 26, 2024
f5603b6
Add MWE2
henriman Dec 9, 2024
9328a95
Address PR feedback
henriman Dec 17, 2024
df0fed8
Fix package names and remove state.lastMsg3
henriman Dec 17, 2024
973541b
Merge branch 'master' into master
jcp19 Dec 19, 2024
8acf6c4
Merge branch 'master' into master
jcp19 Jan 13, 2025
05df206
Extend io-spec with declassification spec
henriman Jan 20, 2025
389235f
Fix declassification spec
henriman Jan 20, 2025
1831b53
Fix adding decl to dp3s_iospec_ordered
henriman Jan 20, 2025
094d917
Start implementing IOD spec
henriman Jan 22, 2025
0e6eff1
Start implementing classification spec
henriman Jan 22, 2025
85d1d0a
Merge remote-tracking branch 'base/master' into sif
henriman Jan 22, 2025
f7db996
Merge branch 'sif' into sif-io-spec
henriman Jan 22, 2025
b0795a9
Mostly finished implementing security policy
henriman Jan 29, 2025
2e41d12
Verify private/topology/underlay
henriman Jan 29, 2025
82a3239
Finish implementing security policy
henriman Jan 30, 2025
e5d6e3d
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Feb 1, 2025
9620262
Add additional annotations to private/topology/underlay
henriman Feb 1, 2025
4f88e97
Add minimum annotations to verify private/topology
henriman Feb 1, 2025
c8b7b5c
Add appropriate postconditions to private/topology
henriman Feb 1, 2025
799cd4d
Add `low` precondition to `fmt.Sprintf`
henriman Feb 1, 2025
2380d49
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Feb 1, 2025
9863f30
Add assumption due to Gobra issue #835
henriman Feb 1, 2025
ccd088c
Add minimum annotations to pkg/addr
henriman Feb 2, 2025
9e1a702
Remove MWEs here
henriman Feb 2, 2025
d72140a
Merge branch 'sif' into sif-io-spec
henriman Feb 2, 2025
1280d92
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Feb 2, 2025
12c655e
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Feb 2, 2025
e8ca70a
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Feb 2, 2025
5728d9e
Clean up and minor fixes and improvements
henriman Feb 2, 2025
69f6de4
Add additional postconditions to pkg/addr/fmt.go
henriman Feb 4, 2025
41c38db
Change sensitivity requirements of mt.Sprintf and serrors.New
henriman Feb 11, 2025
9e03a1a
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Feb 11, 2025
3eda2f0
Change pkg/slayers/doc.go to prevent parsing error
henriman Feb 13, 2025
e9e9ef0
Merge branch 'sif' into sif-io-spec
henriman Feb 13, 2025
2e6d9d5
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Feb 13, 2025
75df8c6
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Feb 13, 2025
8283193
Introduce functions to express assumptions
henriman Feb 14, 2025
e1ea5e1
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Feb 14, 2025
576461f
Delete verification/scratch/mwe2/mwe2.gobra
jcp19 Feb 14, 2025
19627eb
Delete verification/scratch/mwe1/mwe1.gobra
jcp19 Feb 14, 2025
efd776c
Merge branch 'sif-io-spec' of https://github.com/henriman/VerifiedSCI…
henriman Feb 15, 2025
7d185ea
Improve style
henriman Feb 24, 2025
20e891c
Align pre- and postconditions
henriman Feb 24, 2025
4a7404b
Merge branch 'master' of https://github.com/viperproject/VerifiedSCIO…
henriman Feb 24, 2025
85f858f
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Feb 24, 2025
085f827
Adjust to sif.LowBytes
henriman Feb 24, 2025
6366aa7
Fix typo
henriman Feb 27, 2025
c91d9db
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Feb 27, 2025
3e12921
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Feb 27, 2025
ea50e39
Merge branch 'master' of https://github.com/viperproject/VerifiedSCIO…
henriman Mar 2, 2025
86b6484
Merge branch 'master' of https://github.com/viperproject/VerifiedSCIO…
henriman Mar 2, 2025
9743687
Merge branch 'master' of https://github.com/viperproject/VerifiedSCIO…
henriman Mar 2, 2025
005ed12
Verify private/underlay/conn
henriman Mar 3, 2025
8e17e27
Verify pkg/slayers/path/empty except for implementation proof
henriman Mar 5, 2025
a353468
Address PR feedback and clean up
henriman Mar 10, 2025
e2e8827
Declassify concrete instead of abstract MAC tag
henriman Mar 11, 2025
c94f229
Use `trusted` to suppress problems with closure implementation proof …
henriman Mar 11, 2025
d16b7c9
Verify pkg/slayers/path
henriman Mar 11, 2025
f0ced95
Verify pkg/slayers/path/onehop
henriman Mar 11, 2025
f63a7d6
Verify pkg/slayers/path/epic
henriman Mar 11, 2025
44a0b6d
Merge branch 'sif-private-topology' of https://github.com/henriman/Ve…
henriman Mar 13, 2025
01950a7
Fix typo
henriman Mar 13, 2025
6c3067e
Clean up
henriman Apr 10, 2025
9304eb3
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Apr 10, 2025
439ff54
Fix contract of `serrors.New`
henriman Apr 14, 2025
5772210
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Apr 14, 2025
1e0500b
Clean up
henriman Apr 14, 2025
29e7444
Rename `AssumeLowSliceToLowString` to `LowSliceImpliesLowString`
henriman Apr 14, 2025
1b4a07c
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Apr 14, 2025
890558a
Stop using `sif.LowBytes`
henriman Apr 14, 2025
a83dde0
Clean up
henriman Apr 14, 2025
0b6ec9c
Use abstract pure Boolean functions instead of `LowMem` etc.
henriman Apr 14, 2025
d5f94cb
Clean up
henriman Apr 14, 2025
ca4cf53
Fix contract of `TextUnmarshaler.UnmarshalText`
henriman Apr 14, 2025
56b6396
Merge branch 'sif-pkg-addr' into sif-private-underlay-conn
henriman Apr 19, 2025
32f8f6f
Address feedback
henriman Jun 18, 2025
6c50035
Address missed feedback
henriman Jun 18, 2025
ba47020
Merge branch 'master' of https://github.com/viperproject/VerifiedSCIO…
henriman Jun 26, 2025
17c535d
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Jun 26, 2025
3781fa0
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Jun 26, 2025
da722cb
Minor style adjustments
henriman Jun 26, 2025
33b9948
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Jun 26, 2025
79f7d31
Make verification/dependencies/net verify
henriman Jun 26, 2025
aa7fd1d
Merge branch 'sif-pkg-addr' into sif-pkg-addr-rework
henriman Jun 26, 2025
6edbb0c
Minor style adjustments
henriman Jun 26, 2025
910d03f
Merge branch 'sif-pkg-addr-rework' into sif-private-underlay-conn
henriman Jun 26, 2025
3b3762c
Explain need for longer names for `IsLow`
henriman Jul 1, 2025
a19e521
Replace Low predicates with abstract IsLow functions
henriman Jul 2, 2025
9acac01
Adjust annotations of serrors
henriman Jul 2, 2025
b89413f
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Jul 2, 2025
8f3c41c
Remove workaround for Gobra issue #835/#890
henriman Jul 2, 2025
9b3fada
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Jul 2, 2025
d6d212f
Adjust annotations for serrors
henriman Jul 2, 2025
a8b3c64
Remove unnecessary annotations
henriman Jul 2, 2025
2fd3750
Merge branch 'sif-pkg-addr' into sif-pkg-addr-rework
henriman Jul 2, 2025
10042fb
Merge branch 'sif-pkg-addr-rework' into sif-private-underlay-conn
henriman Jul 2, 2025
09da9b3
Fix sensitivity annotations of pointers
henriman Jul 2, 2025
43b4ab3
Clean up
henriman Jul 2, 2025
21aa6a9
Add some clarifications
henriman Jul 3, 2025
f51c894
Fix merge
henriman Jul 3, 2025
182a483
Clean up
henriman Jul 3, 2025
c799b92
Merge branch 'sif-pkg-slayers-path-empty' into sif-pkg-slayers-path
henriman Jul 3, 2025
23a050f
Clean up
henriman Jul 3, 2025
d9dfcf5
Merge branch 'sif-pkg-slayers-path' into sif-pkg-slayers-path-epic
henriman Jul 3, 2025
1d9a1d7
Rework sensitivity in interfaces
henriman Jul 5, 2025
5446132
Improve stability and make BatchConn match
henriman Jul 17, 2025
a05c2a0
"Introduce body" to `isZeros` and improve stability of `NewReadMessages`
henriman Jul 24, 2025
0a210ed
Avoid requiring input of `fmt.Sprintf` to be low
henriman Jul 25, 2025
eaed1c5
Merge branch 'master' of https://github.com/viperproject/VerifiedSCIO…
henriman Jul 30, 2025
8f933aa
Merge branch 'sif-io-spec' into sif-private-topology-underlay
henriman Jul 30, 2025
064c6eb
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Jul 30, 2025
9120830
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Jul 30, 2025
b509ded
Merge branch 'sif-private-topology' into sif-pkg-addr-rework
henriman Jul 30, 2025
24ace34
Merge branch 'sif-pkg-addr' into sif-private-underlay-conn
henriman Jul 30, 2025
feed939
Merge branch 'sif-private-underlay-conn' into sif-pkg-slayers-path-empty
henriman Jul 30, 2025
2c57016
Merge branch 'sif-private-underlay-conn' into sif-pkg-slayers-path
henriman Jul 30, 2025
4457ac8
Add comments
henriman Jul 30, 2025
2f96475
Clean up
henriman Jul 31, 2025
20a1b8f
Add //@ before assert
henriman Jul 31, 2025
2125136
Clean up
henriman Jul 31, 2025
b4084b5
Clean up
henriman Jul 31, 2025
aca63f2
Merge branch 'sif-pkg-addr' into sif-private-underlay-conn
henriman Jul 31, 2025
7bf7104
Clean up further and add notes (NOTE[henri])
henriman Aug 5, 2025
8f64df5
Address PR feedback
henriman Aug 5, 2025
d833312
Merge branch 'sif-pkg-addr' into sif-private-underlay-conn
henriman Aug 5, 2025
3520a56
Merge branch 'sif-private-underlay-conn' into sif-pkg-slayers-path-empty
henriman Aug 5, 2025
2b6f1bf
Merge branch 'sif-pkg-slayers-path-empty' into sif-pkg-slayers-path
henriman Aug 5, 2025
e475136
Minor adjustments
henriman Aug 5, 2025
424dbdb
Merge branch 'sif-pkg-slayers-path' into sif-pkg-slayers-path-epic
henriman Aug 5, 2025
e59f604
Clean up
henriman Aug 6, 2025
b8d8b82
Make pkg/slayers/path/empty verify again
henriman Aug 6, 2025
06a4907
Further clean up
henriman Aug 6, 2025
886fbe5
Add explicit contract to `TrimSuffix`
henriman Aug 6, 2025
315a653
Adapt pure annotations elsewhere
henriman Aug 6, 2025
d14eb1e
Adapt pure annotations that I missed
henriman Aug 6, 2025
ceacce8
Address PR feedback and add `&& low(i) ==>`
henriman Aug 12, 2025
8a3278f
Merge branch 'sif-private-topology-underlay' into sif-private-topology
henriman Aug 12, 2025
8dce993
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Aug 12, 2025
9686422
Make contract of `net.IP.To4` less implementation-specific
henriman Aug 12, 2025
e270180
Add `&& low(i) ==>` in quantified assertions where appropriate
henriman Aug 12, 2025
92a35f7
Clean up
henriman Aug 12, 2025
0003f81
Remove `&& low(i) ==>` from one assertion not dealing with sensitivity
henriman Aug 12, 2025
65aebc6
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Aug 12, 2025
09e4f2f
Remove occurrences of `&& low(i) ==>` added accidentally
henriman Aug 12, 2025
240fe92
Merge branch 'sif-pkg-addr' into sif-private-underlay-conn
henriman Aug 13, 2025
5ed0d5b
Address PR feedback
henriman Aug 13, 2025
2bd4ffd
Add `&& low(i) ==>`
henriman Aug 13, 2025
f24f0b3
Refer to Gobra issue #957 on NewReadMessages
henriman Aug 13, 2025
27f66a5
Remove assumption for Gobra issue 831
henriman Aug 18, 2025
714e7f7
Merge branch 'sif-private-topology' into sif-pkg-addr
henriman Aug 18, 2025
555f91a
Add TODO to IsLow regarding adding hyper
henriman Aug 18, 2025
000a7d9
Add TODO to IsLow regarding adding hyper
henriman Aug 18, 2025
b5f9d9c
Merge branch 'sif-pkg-addr' into sif-private-underlay-conn
henriman Aug 18, 2025
296be69
Add TODO regarding hyper to DataPlane as well
henriman Aug 18, 2025
94be47a
Merge branch 'sif-private-underlay-conn' into sif-pkg-slayers-path-empty
henriman Aug 18, 2025
f01b621
Merge branch 'sif-pkg-slayers-path-empty' into sif-pkg-slayers-path
henriman Aug 18, 2025
7bad729
Address PR feedback
henriman Aug 18, 2025
00c70ae
Merge branch 'sif-pkg-slayers-path' into sif-pkg-slayers-path-epic
henriman Aug 18, 2025
b53945a
Add TODO to IsLow regarding adding hyper
henriman Aug 18, 2025
acebe54
Merge branch 'sif-pkg-slayers-path-empty' into sif-pkg-slayers-path-o…
henriman Aug 18, 2025
5598aa7
Use abstract functions instead of predicate and clean up
henriman Aug 19, 2025
4d936ca
Merge pull request #1 from henriman/sif-private-topology-underlay
henriman Sep 19, 2025
c72c877
Align contract clauses
henriman Sep 19, 2025
7f5f579
Merge pull request #2 from henriman/sif-private-topology
henriman Sep 19, 2025
64814a8
Remove addressed NOTE[henri] comments
henriman Sep 19, 2025
d43f141
Merge pull request #5 from henriman/sif-pkg-addr
henriman Sep 19, 2025
c0ed125
Merge branch 'sif-io-spec' into sif-private-underlay-conn
henriman Sep 19, 2025
f93c449
Address PR feedback
henriman Sep 19, 2025
b807f2b
Remove `trusted` from `UDPConn.IsLow`
henriman Sep 20, 2025
3eab3a9
Fix comment on `NewReadMessages`
henriman Sep 20, 2025
15f776b
Merge pull request #6 from henriman/sif-private-underlay-conn
henriman Sep 20, 2025
392bb5a
Merge branch 'sif-io-spec' into sif-pkg-slayers-path-empty
henriman Sep 20, 2025
0f8b583
Merge pull request #7 from henriman/sif-pkg-slayers-path-empty
henriman Sep 20, 2025
e36e88d
Merge branch 'sif-io-spec' into sif-pkg-slayers-path
henriman Sep 20, 2025
cf5e90f
Merge pull request #8 from henriman/sif-pkg-slayers-path
henriman Sep 20, 2025
5377dd5
Merge branch 'sif-io-spec' into sif-pkg-slayers-path-epic
henriman Sep 20, 2025
7eaabb1
Merge pull request #9 from henriman/sif-pkg-slayers-path-epic
henriman Sep 20, 2025
355f924
Merge branch 'sif-io-spec' into sif-pkg-slayers-path-onehop
henriman Sep 23, 2025
bb19940
Clean up
henriman Sep 25, 2025
e22daf9
Merge pull request #12 from henriman/sif-pkg-slayers-path-onehop
henriman Oct 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions pkg/addr/fmt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,7 @@ func FormatAS(as_ AS, opts ...FormatOption) string {
}

// @ requires as_.inRange()
// @ requires low(as_)
// @ decreases
func fmtAS(as_ AS, sep string) string {
if !as_.inRange() {
Expand All @@ -132,6 +133,7 @@ func fmtAS(as_ AS, sep string) string {
// @ b.ZeroBuilderIsReadyToUse()
b.Grow(maxLen)
// @ invariant b.Mem()
// @ invariant low(i)
// @ decreases asParts - i
for i := 0; i < asParts; i++ {
if i > 0 {
Expand Down
65 changes: 51 additions & 14 deletions pkg/addr/host.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ const (
HostTypeSVC
)

// @ requires low(t)
// @ requires isValidHostAddrType(t)
// @ decreases
func (t HostAddrType) String() string {
Expand Down Expand Up @@ -91,6 +92,14 @@ const (
type HostAddr interface {
//@ pred Mem()

// Return whether all the underlying data that needs to be low for the
// computation of `Pack`, `IP`, `String` is low.
// TODO: Once Gobra issue #955 is resolved, mark as `hyper`.
//@ ghost
//@ requires Mem()
//@ decreases
//@ pure IsLow() bool

//@ preserves acc(Mem(), R13)
//@ decreases
Size() int
Expand All @@ -99,12 +108,12 @@ type HostAddr interface {
//@ decreases
Type() HostAddrType

//@ requires acc(Mem(), R13)
//@ requires acc(Mem(), R13) && IsLow()
//@ ensures forall i int :: { &res[i] } 0 <= i && i < len(res) ==> acc(&res[i], R13)
//@ decreases
Pack() (res []byte)

//@ requires acc(Mem(), R13)
//@ requires acc(Mem(), R13) && IsLow()
//@ ensures forall i int :: { &res[i] } 0 <= i && i < len(res) ==> acc(&res[i], R13)
//@ decreases
IP() (res net.IP)
Expand All @@ -114,6 +123,7 @@ type HostAddr interface {
//@ decreases
Copy() (res HostAddr)

//@ requires low(typeOf(o))
//@ preserves acc(Mem(), R13) && acc(o.Mem(), R13)
//@ decreases
Equal(o HostAddr) bool
Expand All @@ -123,7 +133,8 @@ type HostAddr interface {
// replaced by the String() method which is the one that should be implemented
//fmt.Stringer

//@ preserves acc(Mem(), R13)
//@ requires acc(Mem(), R13) && IsLow()
//@ ensures acc(Mem(), R13)
//@ decreases
String() string
}
Expand Down Expand Up @@ -163,14 +174,16 @@ func (h HostNone) Copy() (res HostAddr) {
return tmp
}

// @ ensures res == (typeOf(o) == type[HostNone])
// The Viper encoding branches on `typeOf(o)`.
// @ requires low(typeOf(o))
// @ ensures res == (typeOf(o) == type[HostNone])
// @ decreases
func (h HostNone) Equal(o HostAddr) (res bool) {
_, ok := o.(HostNone)
return ok
}

// @decreases
// @ decreases
func (h HostNone) String() string {
return "<None>"
}
Expand All @@ -189,21 +202,28 @@ func (h HostIPv4) Type() HostAddrType {
return HostTypeIPv4
}

// @ requires acc(h.Mem(), R13)
// @ requires acc(h.Mem(), R13) && h.IsLow()
// @ ensures forall i int :: { &res[i] } 0 <= i && i < len(res) ==> acc(&res[i], R13)
// @ decreases
func (h HostIPv4) Pack() (res []byte) {
return []byte(h.IP())
}

// @ requires acc(h.Mem(), R13)
// @ requires acc(h.Mem(), R13) && h.IsLow()
// @ ensures forall i int :: { &res[i] }{ &h[i] } 0 <= i && i < len(res) ==> acc(&res[i], R13) && &res[i] == &h[i]
// @ ensures len(res) == HostLenIPv4
// @ decreases
func (h HostIPv4) IP() (res net.IP) {
// XXX(kormat): ensure the reply is the 4-byte representation.
//@ unfold acc(h.Mem(), R13)
//@ unfold acc(sl.Bytes(h, 0, len(h)), R13)
//@ h.RevealIsLow(R13)
//@ unfold acc(h.Mem(), R13/2)
//@ assert forall i int :: { h.GetByte(i) } 0 <= i && i < len(h) ==>
//@ sl.GetByte(h, 0, len(h), i) == h.GetByte(i)
//@ unfold acc(sl.Bytes(h, 0, len(h)), R13/2)
//@ assert forall i int :: { &h[i] } 0 <= i && i < len(h) ==>
//@ h.GetByte(i) == h[i]
//@ unfold acc(h.Mem(), R13/2)
//@ unfold acc(sl.Bytes(h, 0, len(h)), R13/2)
return net.IP(h).To4( /*@ false @*/ )
}

Expand All @@ -221,6 +241,7 @@ func (h HostIPv4) Copy() (res HostAddr) {
return tmp
}

// @ requires low(typeOf(o))
// @ preserves acc(h.Mem(), R13)
// @ preserves acc(o.Mem(), R13)
// @ decreases
Expand All @@ -233,7 +254,8 @@ func (h HostIPv4) Equal(o HostAddr) bool {
return ok && net.IP(h).Equal(net.IP(ha))
}

// @ preserves acc(h.Mem(), R13)
// @ requires acc(h.Mem(), R13) && h.IsLow()
// @ ensures acc(h.Mem(), R13)
// @ decreases
func (h HostIPv4) String() string {
//@ assert unfolding acc(h.Mem(), R13) in len(h) == HostLenIPv4
Expand Down Expand Up @@ -289,6 +311,7 @@ func (h HostIPv6) Copy() (res HostAddr) {
return tmp
}

// @ requires low(typeOf(o))
// @ preserves acc(h.Mem(), R13)
// @ preserves acc(o.Mem(), R13)
// @ decreases
Expand Down Expand Up @@ -318,6 +341,7 @@ type HostSVC uint16
// SVC addresses, use BS_A, PS_A, CS_A, and SB_A; shorthand versions without
// the _A suffix (e.g., PS) also return anycast SVC addresses. For multicast,
// use BS_M, PS_M, CS_M, and SB_M.
// @ requires low(str)
// @ decreases
func HostSVCFromString(str string) HostSVC {
var m HostSVC
Expand Down Expand Up @@ -373,13 +397,15 @@ func (h HostSVC) IP() (res net.IP) {
return nil
}

// @ ensures low(h) ==> low(res)
// @ decreases
func (h HostSVC) IsMulticast() bool {
func (h HostSVC) IsMulticast() (res bool) {
return (h & SVCMcast) != 0
}

// @ ensures low(h) ==> low(res)
// @ decreases
func (h HostSVC) Base() HostSVC {
func (h HostSVC) Base() (res HostSVC) {
return h & ^SVCMcast
}

Expand All @@ -395,14 +421,18 @@ func (h HostSVC) Copy() (res HostAddr) {
return h
}

// @ requires low(typeOf(o))
// @ decreases
func (h HostSVC) Equal(o HostAddr) bool {
ha, ok := o.(HostSVC)
return ok && h == ha
}

// @ requires acc(h.Mem(), R13) && h.IsLow()
// @ ensures acc(h.Mem(), R13)
// @ decreases
func (h HostSVC) String() string {
//@ h.RevealIsLow(R13)
name := h.BaseString()
cast := 'A'
if h.IsMulticast() {
Expand All @@ -413,6 +443,7 @@ func (h HostSVC) String() string {

// BaseString returns the upper case name of the service. For hosts or unrecognized services, it
// returns UNKNOWN.
// @ requires low(h)
// @ decreases
func (h HostSVC) BaseString() string {
switch h.Base() {
Expand All @@ -432,6 +463,7 @@ func (h HostSVC) Network() string {
return ""
}

// @ requires low(htype)
// @ requires acc(b)
// @ requires isValidHostAddrType(htype)
// @ requires len(b) == sizeOfHostAddrType(htype)
Expand Down Expand Up @@ -475,7 +507,9 @@ func HostFromRaw(b []byte, htype HostAddrType) (res HostAddr, err error) {

// @ requires acc(ip)
// @ requires len(ip) == HostLenIPv4 || len(ip) == HostLenIPv6
// @ ensures res.Mem()
// @ requires low(len(ip)) && forall i int :: { &ip[i] } 0 <= i && i < len(ip) &&
// @ low(i) ==> low(ip[i])
// @ ensures res.Mem()
// @ decreases
func HostFromIP(ip net.IP) (res HostAddr) {
if ip4 := ip.To4( /*@ false @*/ ); ip4 != nil {
Expand All @@ -490,7 +524,8 @@ func HostFromIP(ip net.IP) (res HostAddr) {
return tmp
}

// @ ensures res.Mem()
// @ requires low(s)
// @ ensures res.Mem()
// @ decreases
func HostFromIPStr(s string) (res HostAddr) {
ip := net.ParseIP(s)
Expand All @@ -502,6 +537,7 @@ func HostFromIPStr(s string) (res HostAddr) {
return HostFromIP(ip)
}

// @ requires low(htype)
// @ requires isValidHostAddrType(htype)
// @ decreases
func HostLen(htype HostAddrType) (uint8, error) {
Expand All @@ -521,6 +557,7 @@ func HostLen(htype HostAddrType) (uint8, error) {
return length, nil
}

// @ requires low(t)
// @ decreases
func HostTypeCheck(t HostAddrType) bool {
switch t {
Expand Down
58 changes: 58 additions & 0 deletions pkg/addr/host_spec.gobra
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,24 +25,82 @@ import (

pred (h HostNone) Mem() { len(h) == HostLenNone }

ghost
requires h.Mem()
decreases
pure func (h HostNone) IsLow() bool {
return true
}

HostNone implements HostAddr

pred (h HostIPv4) Mem() {
len(h) == HostLenIPv4 &&
slices.Bytes(h, 0, len(h))
}

ghost
requires h.Mem()
requires 0 <= i && i < len(h)
decreases
pure func (h HostIPv4) GetByte(i int) byte {
return unfolding h.Mem() in slices.GetByte(h, 0, len(h), i)
}

// TODO: Once Gobra issue #846 is resolved, implement this.
ghost
trusted
requires h.Mem()
decreases
pure func (h HostIPv4) IsLow() bool

// "Reveal the body" of `h.IsLow` (necessary bc. we can't implement `h.IsLow` yet).
// TODO: Once Gobra issue #846 is resolved, implement this.
ghost
trusted
requires p > 0
requires acc(h.Mem(), p) && h.IsLow()
ensures acc(h.Mem(), p)
ensures low(len(h)) && forall i int :: { h.GetByte(i) } 0 <= i && i < len(h) &&
low(i) ==> low(h.GetByte(i))
decreases
func (h HostIPv4) RevealIsLow(p perm)

HostIPv4 implements HostAddr

pred (h HostIPv6) Mem() {
len(h) == HostLenIPv6 &&
slices.Bytes(h, 0, len(h))
}

ghost
requires h.Mem()
decreases
pure func (h HostIPv6) IsLow() bool {
return true
}

HostIPv6 implements HostAddr

pred (h HostSVC) Mem() { true }

// TODO: Once Gobra issue #846 is resolved, actually implement `IsLow`.
ghost
trusted
requires h.Mem()
decreases
pure func (h HostSVC) IsLow() bool

// "Reveal the body" of `h.IsLow` (necessary bc. we can't implement `h.IsLow` yet).
// TODO: Once Gobra issue #846 is resolved, implement this.
ghost
trusted
requires p > 0
requires acc(h.Mem(), p) && h.IsLow()
ensures acc(h.Mem(), p) && low(h)
decreases
func (h HostSVC) RevealIsLow(p perm)

HostSVC implements HostAddr

pred (h *HostSVC) Mem() { acc(h) }
Expand Down
Loading
Loading