clean up, currently crashing gobra

viperproject · Oct 21, 2023 · be38675 · be38675
1 parent 3625d3b
commit be38675
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 17 deletions.
diff --git a/pkg/slayers/path/empty/empty.go b/pkg/slayers/path/empty/empty.go
@@ -57,8 +57,14 @@ func RegisterPath() {
 // bytes on the wire and is used for AS internal communication.
 type Path struct{}
 
-// @ ensures  len(r) == 0 ==> (e == nil && o.Mem())
-// @ ensures  len(r) != 0 ==> (e != nil && e.ErrorMem() && o.NonInitMem())
+// @ ensures  len(r) == 0 ==> (
+// @ 	e == nil &&
+// @ 	o.Mem()  &&
+// @ 	o.Valid(r))
+// @ ensures  len(r) != 0 ==> (
+// @ 	e != nil     &&
+// @ 	e.ErrorMem() &&
+// @ 	o.NonInitMem())
 // @ decreases
 func (o Path) DecodeFromBytes(r []byte) (e error) {
 	if len(r) != 0 {
@@ -71,29 +77,27 @@ func (o Path) DecodeFromBytes(r []byte) (e error) {
 
 // @ ensures e == nil
 // @ decreases
-func (o Path) SerializeTo(b []byte /*@, underlyingBuf []byte @*/) (e error) {
+func (o Path) SerializeTo(b []byte /*@, ghost ub []byte @*/) (e error) {
 	return nil
 }
 
-// @ requires o.Mem()
-// @ ensures  p == o
-// @ ensures  p.Mem()
-// @ ensures  e == nil
+// @ ensures   p == o
+// @ ensures   e == nil
 // @ decreases
-func (o Path) Reverse( /*@ ub []byte @*/ ) (p path.Path, e error) {
+func (o Path) Reverse( /*@ ghost ub []byte @*/ ) (p path.Path, e error) {
 	return o, nil
 }
 
 // @ pure
 // @ ensures 0 <= r
 // @ decreases
-func (o Path) Len( /*@ underlyingBuf []byte @*/ ) (r int) {
+func (o Path) Len( /*@ ghost ub []byte @*/ ) (r int) {
 	return PathLen
 }
 
 // @ pure
 // @ ensures r == PathType
 // @ decreases
-func (o Path) Type( /*@ underlyingBuf []byte @*/ ) (r path.Type) {
+func (o Path) Type( /*@ ghost ub []byte @*/ ) (r path.Type) {
 	return PathType
 }
diff --git a/pkg/slayers/path/empty/empty_spec.gobra b/pkg/slayers/path/empty/empty_spec.gobra
@@ -27,14 +27,12 @@ pred (e Path) Mem() { true }
 pred (e Path) NonInitMem() { true }
 
 ghost
-requires acc(e.Mem(), _)
 decreases
 pure func (e Path) Valid(ghost ub []byte) bool {
 	return len(ub) == 0
 }
 
 ghost
-requires e.Mem()
 ensures  e.NonInitMem()
 decreases
 func (e Path) DowngradePerm(buf []byte) {
@@ -49,8 +47,16 @@ pred (e *Path) Mem() { acc(e) }
 pred (e *Path) NonInitMem() { acc(e) }
 
 ghost
-requires acc(e.Mem(), _)
 decreases
 pure func (e *Path) Valid(ghost ub []byte) bool {
 	return len(ub) == 0
+}
+
+ghost
+requires e.Mem()
+ensures  e.NonInitMem()
+decreases
+func (e *Path) DowngradePerm(buf []byte) {
+	unfold e.Mem()
+	fold e.NonInitMem()
 }
diff --git a/pkg/slayers/path/path.go b/pkg/slayers/path/path.go
@@ -74,7 +74,7 @@ type Path interface {
 	//@ ghost
 	//@ requires acc(Mem(), _)
 	//@ decreases
-	//@ pure Valid(ghost ub []byte) bool
+	//@ pure Valid(ghost ub []byte) bool // TODO: rename to 'DecodedFrom'
 
 	// SerializeTo serializes the path into the provided buffer.
 	// (VerifiedSCION) There are implementations of this interface that modify the underlying
@@ -98,20 +98,20 @@ type Path interface {
 	//@ requires  Mem() && Valid(ub)
 	//@ preserves sl.AbsSlice_Bytes(ub, 0, len(ub))
 	//@ ensures   e == nil ==> p != nil
-	//@ ensures   e == nil ==> p.Mem()
+	//@ ensures   e == nil ==> p.Mem() && p.Valid(ub)
 	//@ ensures   e != nil ==> e.ErrorMem()
 	//@ decreases
 	Reverse( /*@ ghost ub []byte @*/ ) (p Path, e error)
 	// Len returns the length of a path in bytes.
 	// TODO: make this impure and use LenSpec
 	//@ pure
-	//@ requires acc(Mem(), _)
+	//@ requires acc(Mem(), _) // TODO: do we need Valid?
 	//@ ensures  l >= 0
 	//@ decreases
 	Len( /*@ ghost underlyingBuf []byte @*/ ) (l int) // TODO: drop param
 	// Type returns the type of a path.
 	//@ pure
-	//@ requires acc(Mem(), _)
+	//@ requires acc(Mem(), _) // TODO: do we need Valid?
 	//@ decreases
 	Type( /*@ ghost underlyingBuf []byte @*/ ) Type // TODO: drop param