From 925889d60d3039670daadb9c1a65c215c373df72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Pereira?= Date: Sun, 15 Sep 2024 19:15:47 +0200 Subject: [PATCH 1/4] fmtAS --- pkg/addr/fmt.go | 75 +++++++++++++------ pkg/addr/fmt_spec.gobra | 21 ------ .../dependencies/strings/builder.gobra | 46 ++++++++++++ 3 files changed, 97 insertions(+), 45 deletions(-) delete mode 100644 pkg/addr/fmt_spec.gobra create mode 100644 verification/dependencies/strings/builder.gobra diff --git a/pkg/addr/fmt.go b/pkg/addr/fmt.go index ed9b2d9de..753ad39f3 100644 --- a/pkg/addr/fmt.go +++ b/pkg/addr/fmt.go @@ -12,6 +12,8 @@ // See the License for the specific language governing permissions and // limitations under the License. +// +gobra + package addr import ( @@ -24,6 +26,7 @@ import ( // ParseFormattedIA parses an IA that was formatted with the FormatIA function. // The same options must be provided to successfully parse. +// @ trusted func ParseFormattedIA(ia string, opts ...FormatOption) (IA, error) { parts := strings.Split(ia, "-") if len(parts) != 2 { @@ -33,15 +36,16 @@ func ParseFormattedIA(ia string, opts ...FormatOption) (IA, error) { if err != nil { return 0, serrors.WrapStr("parsing ISD part", err, "value", ia) } - as, err := ParseFormattedAS(parts[1], opts...) + as_, err := ParseFormattedAS(parts[1], opts...) if err != nil { return 0, serrors.WrapStr("parsing AS part", err, "value", ia) } - return MustIAFrom(isd, as), nil + return MustIAFrom(isd, as_), nil } // ParseFormattedISD parses an ISD number that was formatted with the FormatISD // function. The same options must be provided to successfully parse. +// @ trusted func ParseFormattedISD(isd string, opts ...FormatOption) (ISD, error) { o := applyFormatOptions(opts) if o.defaultPrefix { @@ -56,29 +60,32 @@ func ParseFormattedISD(isd string, opts ...FormatOption) (ISD, error) { // ParseFormattedAS parses an AS number that was formatted with the FormatAS // function. The same options must be provided to successfully parse. -func ParseFormattedAS(as string, opts ...FormatOption) (AS, error) { +// @ trusted +func ParseFormattedAS(as_ string, opts ...FormatOption) (AS, error) { o := applyFormatOptions(opts) if o.defaultPrefix { - trimmed := strings.TrimPrefix(as, "AS") - if trimmed == as { - return 0, serrors.New("prefix is missing", "prefix", "AS", "value", as) + trimmed := strings.TrimPrefix(as_, "AS") + if trimmed == as_ { + return 0, serrors.New("prefix is missing", "prefix", "AS", "value", as_) } - as = trimmed + as_ = trimmed } - return parseAS(as, o.separator) + return parseAS(as_, o.separator) } // FormatIA formats the ISD-AS. +// @ trusted func FormatIA(ia IA, opts ...FormatOption) string { o := applyFormatOptions(opts) - as := fmtAS(ia.AS(), o.separator) + as_ := fmtAS(ia.AS(), o.separator) if o.defaultPrefix { - return fmt.Sprintf("ISD%d-AS%s", ia.ISD(), as) + return fmt.Sprintf("ISD%d-AS%s", ia.ISD(), as_) } - return fmt.Sprintf("%d-%s", ia.ISD(), as) + return fmt.Sprintf("%d-%s", ia.ISD(), as_) } // FormatISD formats the ISD number. +// @ trusted func FormatISD(isd ISD, opts ...FormatOption) string { o := applyFormatOptions(opts) if o.defaultPrefix { @@ -88,44 +95,61 @@ func FormatISD(isd ISD, opts ...FormatOption) string { } // FormatAS formats the AS number. -func FormatAS(as AS, opts ...FormatOption) string { +// @ trusted +func FormatAS(as_ AS, opts ...FormatOption) string { o := applyFormatOptions(opts) - s := fmtAS(as, o.separator) + s := fmtAS(as_, o.separator) if o.defaultPrefix { return "AS" + s } return s } -func fmtAS(as AS, sep string) string { - if !as.inRange() { - return fmt.Sprintf("%d [Illegal AS: larger than %d]", as, MaxAS) +// @ requires as_.inRange() +// @ decreases +func fmtAS(as_ AS, sep string) string { + if !as_.inRange() { + return fmt.Sprintf("%d [Illegal AS: larger than %d]", as_, MaxAS) } - // Format BGP ASes as decimal - if as <= MaxBGPAS { - return strconv.FormatUint(uint64(as), 10) + // Format BGP ASes as_ decimal + if as_ <= MaxBGPAS { + // (VerifiedSCION) the following property is guaranteed by the type system, + // but Gobra cannot infer it yet + // @ assume 0 <= as_ + return strconv.FormatUint(uint64(as_), 10) } - // Format all other ASes as 'sep'-separated hex. - const maxLen = len("ffff:ffff:ffff") - var b strings.Builder + // Format all other ASes as_ 'sep'-separated hex. + // (VerifiedSCION) revert this change when Gobra is fixed. + // const maxLen = len("ffff:ffff:ffff") + var maxLen = len("ffff:ffff:ffff") + var b /*@@@*/ strings.Builder + // @ b.ZeroBuilderIsReadyToUse() b.Grow(maxLen) + // @ invariant b.Mem() + // @ decreases asParts - i for i := 0; i < asParts; i++ { if i > 0 { b.WriteString(sep) } shift := uint(asPartBits * (asParts - i - 1)) - b.WriteString(strconv.FormatUint(uint64(as>>shift)&asPartMask, asPartBase)) + // (VerifiedSCION) the following property is guaranteed by the type system, + // but Gobra cannot infer it yet + // @ assume 0 <= uint64(as_>>shift)&asPartMask + b.WriteString(strconv.FormatUint(uint64(as_>>shift)&asPartMask, asPartBase)) } return b.String() } -type FormatOption func(*formatOptions) +// (VerifiedSCION) revert this change when Gobra is fixed. +// type FormatOption func(*formatOptions) +type FormatOption = func(*formatOptions) type formatOptions struct { defaultPrefix bool separator string } +// @ trusted func applyFormatOptions(opts []FormatOption) formatOptions { o := formatOptions{ defaultPrefix: false, @@ -139,6 +163,7 @@ func applyFormatOptions(opts []FormatOption) formatOptions { // WithDefaultPrefix enables the default prefix which depends on the type. For // the AS number, the prefix is 'AS'. For the ISD number, the prefix is 'ISD'. +// @ trusted func WithDefaultPrefix() FormatOption { return func(o *formatOptions) { o.defaultPrefix = true @@ -147,6 +172,7 @@ func WithDefaultPrefix() FormatOption { // WithSeparator sets the separator to use for formatting AS numbers. In case of // the empty string, the ':' is used. +// @ trusted func WithSeparator(separator string) FormatOption { return func(o *formatOptions) { o.separator = separator @@ -154,6 +180,7 @@ func WithSeparator(separator string) FormatOption { } // WithFileSeparator returns an option that sets the separator to underscore. +// @ trusted func WithFileSeparator() FormatOption { return WithSeparator("_") } diff --git a/pkg/addr/fmt_spec.gobra b/pkg/addr/fmt_spec.gobra deleted file mode 100644 index a180f94e3..000000000 --- a/pkg/addr/fmt_spec.gobra +++ /dev/null @@ -1,21 +0,0 @@ -// Copyright 2022 ETH Zurich -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// +gobra - -package addr - -requires _as.inRange() -decreases -func fmtAS(_as AS, sep string) string diff --git a/verification/dependencies/strings/builder.gobra b/verification/dependencies/strings/builder.gobra new file mode 100644 index 000000000..7f49895c8 --- /dev/null +++ b/verification/dependencies/strings/builder.gobra @@ -0,0 +1,46 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in https://golang.org/LICENSE + +// Signatures for the public declarations in file +// https://github.com/golang/go/blob/master/src/strings/strings.go + +// +gobra + +package strings + +// A Builder is used to efficiently build a string using Write methods. +// It minimizes memory copying. The zero value is ready to use. +// Do not copy a non-zero Builder. +type Builder struct { + addr *Builder // of receiver, to detect copies by value + buf []byte +} + +pred (b *Builder) Mem() + +// String returns the accumulated string. +preserves b.Mem() +decreases _ +func (b *Builder) String() string + +requires 0 <= n +preserves b.Mem() +decreases _ +func (b *Builder) Grow(n int) + +preserves b.Mem() +ensures err == nil +decreases _ +func (b *Builder) WriteString(s string) (n int, err error) + +requires b.Mem() +decreases _ +func (b *Builder) String() string + +ghost +requires acc(b) +requires *b === Builder{} +ensures b.Mem() +decreases _ +func (b *Builder) ZeroBuilderIsReadyToUse() \ No newline at end of file From 2ec5a3bc1c8f4bf5539e081ae91d4b137fe15961 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Pereira?= Date: Sun, 15 Sep 2024 21:18:52 +0200 Subject: [PATCH 2/4] tiny changes --- pkg/addr/fmt.go | 9 +++++++++ verification/dependencies/strings/builder.gobra | 4 ---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/pkg/addr/fmt.go b/pkg/addr/fmt.go index 753ad39f3..d182612fb 100644 --- a/pkg/addr/fmt.go +++ b/pkg/addr/fmt.go @@ -27,6 +27,7 @@ import ( // ParseFormattedIA parses an IA that was formatted with the FormatIA function. // The same options must be provided to successfully parse. // @ trusted +// @ requires false func ParseFormattedIA(ia string, opts ...FormatOption) (IA, error) { parts := strings.Split(ia, "-") if len(parts) != 2 { @@ -46,6 +47,7 @@ func ParseFormattedIA(ia string, opts ...FormatOption) (IA, error) { // ParseFormattedISD parses an ISD number that was formatted with the FormatISD // function. The same options must be provided to successfully parse. // @ trusted +// @ requires false func ParseFormattedISD(isd string, opts ...FormatOption) (ISD, error) { o := applyFormatOptions(opts) if o.defaultPrefix { @@ -75,6 +77,7 @@ func ParseFormattedAS(as_ string, opts ...FormatOption) (AS, error) { // FormatIA formats the ISD-AS. // @ trusted +// @ requires false func FormatIA(ia IA, opts ...FormatOption) string { o := applyFormatOptions(opts) as_ := fmtAS(ia.AS(), o.separator) @@ -86,6 +89,7 @@ func FormatIA(ia IA, opts ...FormatOption) string { // FormatISD formats the ISD number. // @ trusted +// @ requires false func FormatISD(isd ISD, opts ...FormatOption) string { o := applyFormatOptions(opts) if o.defaultPrefix { @@ -96,6 +100,7 @@ func FormatISD(isd ISD, opts ...FormatOption) string { // FormatAS formats the AS number. // @ trusted +// @ requires false func FormatAS(as_ AS, opts ...FormatOption) string { o := applyFormatOptions(opts) s := fmtAS(as_, o.separator) @@ -150,6 +155,7 @@ type formatOptions struct { } // @ trusted +// @ requires false func applyFormatOptions(opts []FormatOption) formatOptions { o := formatOptions{ defaultPrefix: false, @@ -164,6 +170,7 @@ func applyFormatOptions(opts []FormatOption) formatOptions { // WithDefaultPrefix enables the default prefix which depends on the type. For // the AS number, the prefix is 'AS'. For the ISD number, the prefix is 'ISD'. // @ trusted +// @ requires false func WithDefaultPrefix() FormatOption { return func(o *formatOptions) { o.defaultPrefix = true @@ -173,6 +180,7 @@ func WithDefaultPrefix() FormatOption { // WithSeparator sets the separator to use for formatting AS numbers. In case of // the empty string, the ':' is used. // @ trusted +// @ requires false func WithSeparator(separator string) FormatOption { return func(o *formatOptions) { o.separator = separator @@ -181,6 +189,7 @@ func WithSeparator(separator string) FormatOption { // WithFileSeparator returns an option that sets the separator to underscore. // @ trusted +// @ requires false func WithFileSeparator() FormatOption { return WithSeparator("_") } diff --git a/verification/dependencies/strings/builder.gobra b/verification/dependencies/strings/builder.gobra index 7f49895c8..e614b1726 100644 --- a/verification/dependencies/strings/builder.gobra +++ b/verification/dependencies/strings/builder.gobra @@ -34,10 +34,6 @@ ensures err == nil decreases _ func (b *Builder) WriteString(s string) (n int, err error) -requires b.Mem() -decreases _ -func (b *Builder) String() string - ghost requires acc(b) requires *b === Builder{} From 70855bc26aa0e92cf9a2f209f93450bbc6f0692e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Pereira?= Date: Sun, 15 Sep 2024 21:19:50 +0200 Subject: [PATCH 3/4] tiny changes --- pkg/addr/fmt.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/addr/fmt.go b/pkg/addr/fmt.go index d182612fb..d4d6be5f0 100644 --- a/pkg/addr/fmt.go +++ b/pkg/addr/fmt.go @@ -63,6 +63,7 @@ func ParseFormattedISD(isd string, opts ...FormatOption) (ISD, error) { // ParseFormattedAS parses an AS number that was formatted with the FormatAS // function. The same options must be provided to successfully parse. // @ trusted +// @ requires false func ParseFormattedAS(as_ string, opts ...FormatOption) (AS, error) { o := applyFormatOptions(opts) if o.defaultPrefix { From 5575874f093029269918776d00cd9a88fa7a335a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Pereira?= Date: Mon, 16 Sep 2024 10:19:41 +0200 Subject: [PATCH 4/4] Apply suggestions from code review --- pkg/addr/fmt.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/addr/fmt.go b/pkg/addr/fmt.go index d4d6be5f0..f534b82ea 100644 --- a/pkg/addr/fmt.go +++ b/pkg/addr/fmt.go @@ -117,14 +117,14 @@ func fmtAS(as_ AS, sep string) string { if !as_.inRange() { return fmt.Sprintf("%d [Illegal AS: larger than %d]", as_, MaxAS) } - // Format BGP ASes as_ decimal + // Format BGP ASes as decimal if as_ <= MaxBGPAS { // (VerifiedSCION) the following property is guaranteed by the type system, // but Gobra cannot infer it yet // @ assume 0 <= as_ return strconv.FormatUint(uint64(as_), 10) } - // Format all other ASes as_ 'sep'-separated hex. + // Format all other ASes as 'sep'-separated hex. // (VerifiedSCION) revert this change when Gobra is fixed. // const maxLen = len("ffff:ffff:ffff") var maxLen = len("ffff:ffff:ffff")