Verify packSCMP (#243)

* start * make type-check * backup * fix syntax errors * establish necessary precondition of DecodeFromBytes * remove TODOs * backup * move on with proof obligations * verify packSCMP; reinstate TODO()s for doing the proof step by step * backup * backup * fix parse and type errors * fix packscmp * backup * backup * kill branches for now * backup * backup * remove files pushed by mistake * del file * fix verification error * change comment format * backup * reset changes to scion_spec.gobra * continue making progress * backup * simplify spec * backup * non-termination again * backup * packSCMP Continued (#373) * fix missing precondition for packSCMP * progress scmp * further progress * further scmp fixes * fix syntax error and strengthen spec of erros.Is function * fix verification error * fix verification errors in process() * drop last scmp assumption * fix verification errors in process() * add missing postconditions to resolveInbound * fix p.d permissions * remove wrong precondition from validateEgressUp() * clean up * feedback * Update router/dataplane.go --------- Co-authored-by: João Pereira <[email protected]> * Move ownership of underlying slice of `SerializableBuffer` to outside of `Mem()` (#374) * fix missing precondition for packSCMP * progress scmp * further progress * further scmp fixes * fix syntax error and strengthen spec of erros.Is function * fix verification error * fix verification errors in process() * drop last scmp assumption * fix verification errors in process() * add missing postconditions to resolveInbound * fix p.d permissions * save * remove wrong precondition from validateEgressUp() * clean up * feedback * change dependencies to new buffer approach * remove buffWithFullPerm flag from scionPacketProcessor * fix verification errors * fix permission mistake * Apply suggestions from code review Co-authored-by: João Pereira <[email protected]> * pass underlying buffer slice to prepareSCMP * remove deep ownership of buffer slice in message * fix verification error in run * fix injectivity issue in run() and verification error in newPacketProcessor * different trigger * proves injectivity for message buffer directly without sets * test: remove unnecessary invariants in run() * improvements to injectivity lemma for messages * introduce new lemma PermsImplyIneq() * fixed missing preconditions * minor fixes and feedback * fix verification error * fmt --------- Co-authored-by: João Pereira <[email protected]> --------- Co-authored-by: Markus Limbeck <[email protected]>
viperproject · Aug 29, 2024 · 68b984b · 68b984b
1 parent 445bbad
commit 68b984b
Show file tree

Hide file tree

Showing 18 changed files with 1,014 additions and 492 deletions.
diff --git a/.gitignore b/.gitignore
@@ -101,3 +101,5 @@ target
 *.internal
 .devcontainer
 .metals
+.bazelbsp
+.bazel
diff --git a/pkg/private/serrors/serrors_spec.gobra b/pkg/private/serrors/serrors_spec.gobra
@@ -76,12 +76,12 @@ func Wrap(msg, cause error, errCtx ...interface{}) (res error)
 // Elements of errCtx are limited to "primitive types" at the moment.
 // This is a safe but strict under-approximation of what can be done
 // with this method.
-requires cause.ErrorMem()
+requires cause != nil ==> cause.ErrorMem()
 preserves forall i int :: { &errCtx[i] } 0 <= i && i < len(errCtx) ==> acc(&errCtx[i], R15)
 // The following precondition cannot be adequately captured in Gobra.
 // requires forall i int :: 0 <= i && i < len(errCtx) ==> IsOfPrimitiveType(errCtx[i])
 ensures res != nil && res.ErrorMem()
-ensures res.ErrorMem() --* cause.ErrorMem()
+ensures cause != nil ==> (res.ErrorMem() --* cause.ErrorMem())
 decreases
 func WrapStr(msg string, cause error, errCtx ...interface{}) (res error)
 

diff --git a/pkg/slayers/path/scion/raw_spec.gobra b/pkg/slayers/path/scion/raw_spec.gobra
@@ -373,15 +373,15 @@ requires validPktMetaHdr(raw)
 decreases
 pure func (s *Raw) absPkt(raw []byte) (res io.IO_pkt2) {
  return let _ := reveal validPktMetaHdr(raw) in
- let metaHdr := RawBytesToMetaHdr(raw) in
+ let metaHdr := RawBytesToMetaHdr(raw)  in
  let currInfIdx := int(metaHdr.CurrINF) in
- let currHfIdx := int(metaHdr.CurrHF) in
- let seg1Len := int(metaHdr.SegLen[0]) in
- let seg2Len := int(metaHdr.SegLen[1]) in
- let seg3Len := int(metaHdr.SegLen[2]) in
+ let currHfIdx := int(metaHdr.CurrHF)  in
+ let seg1Len := int(metaHdr.SegLen[0])  in
+ let seg2Len := int(metaHdr.SegLen[1])  in
+ let seg3Len := int(metaHdr.SegLen[2])  in
  let segs := io.CombineSegLens(seg1Len, seg2Len, seg3Len) in
- let segLen := segs.LengthOfCurrSeg(currHfIdx) in
- let prevSegLen := segs.LengthOfPrevSeg(currHfIdx) in
+ let segLen := segs.LengthOfCurrSeg(currHfIdx)  in
+ let prevSegLen := segs.LengthOfPrevSeg(currHfIdx)  in
  let numINF := segs.NumInfoFields() in
  let offset := HopFieldOffset(numINF, prevSegLen, MetaLen) in
  io.IO_Packet2 {
@@ -428,7 +428,7 @@ pure func validPktMetaHdr(raw []byte) bool {
  let segs := io.CombineSegLens(seg1, seg2, seg3) in
  let base := RawBytesToBase(raw) in
  0 < metaHdr.SegLen[0] &&
- base.Valid() &&
+ base.Valid()  &&
  PktLen(segs, MetaLen) <= len(raw)
 }
 

diff --git a/pkg/slayers/scion.go b/pkg/slayers/scion.go
@@ -218,9 +218,11 @@ func (s *SCION) NetworkFlow() (res gopacket.Flow) {
 // @ requires b != nil && b.Mem()
 // @ requires acc(s.Mem(ubuf), R0)
 // @ requires sl.Bytes(ubuf, 0, len(ubuf))
+// @ requires sl.Bytes(b.UBuf(), 0, len(b.UBuf()))
 // @ ensures b.Mem()
 // @ ensures acc(s.Mem(ubuf), R0)
 // @ ensures sl.Bytes(ubuf, 0, len(ubuf))
+// @ ensures sl.Bytes(b.UBuf(), 0, len(b.UBuf()))
 // TODO: hide internal spec details
 // @ ensures e == nil && s.HasOneHopPath(ubuf) ==>
 // @ len(b.UBuf()) == old(len(b.UBuf())) + unfolding acc(s.Mem(ubuf), R55) in
@@ -257,7 +259,6 @@ func (s *SCION) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeO
  }
  // @ ghost uSerBufN := b.UBuf()
  // @ assert buf === uSerBufN[:scnLen]
- // @ b.ExchangePred()
 
  // @ unfold acc(sl.Bytes(uSerBufN, 0, len(uSerBufN)), writePerm)
  // Serialize common header.
@@ -287,7 +288,6 @@ func (s *SCION) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeO
  // @ sl.Unslice_Bytes(uSerBufN, 0, CmnHdrLen, R54)
  // @ sl.CombineRange_Bytes(uSerBufN, CmnHdrLen, scnLen, writePerm)
  // @ sl.CombineRange_Bytes(ubuf, CmnHdrLen, len(ubuf), R10)
- // @ b.RestoreMem(uSerBufN)
  return err
  }
  offset := CmnHdrLen + s.AddrHdrLen( /*@ nil, true @*/ )
@@ -320,7 +320,6 @@ func (s *SCION) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeO
  // @ sl.CombineRange_Bytes(uSerBufN, offset, scnLen, HalfPerm)
  // @ sl.CombineRange_Bytes(ubuf, startP, endP, HalfPerm)
  // @ reveal IsSupportedPkt(uSerBufN)
- // @ b.RestoreMem(uSerBufN)
  // @ reveal IsSupportedRawPkt(b.View())
  return tmp
 }

diff --git a/pkg/slayers/scion_spec.gobra b/pkg/slayers/scion_spec.gobra
@@ -336,8 +336,8 @@ ghost
 requires 0 < p
 preserves acc(s.Mem(ub), p)
 ensures let start := s.PathStartIdx(ub) in
-  let end  := s.PathEndIdx(ub) in
-  0 <= start && start <= end && end <= len(ub)
+ let end := s.PathEndIdx(ub) in
+ 0 <= start && start <= end && end <= len(ub)
 decreases
 func LemmaPathIdxStartEnd(s *SCION, ub []byte, p perm) {
  unfold acc(s.Mem(ub), p)
@@ -462,7 +462,7 @@ pure func ValidPktMetaHdr(raw []byte) bool {
  let length := GetLength(raw) in
  length <= len(raw) &&
  unfolding acc(sl.Bytes(raw, 0, len(raw)), R56) in
-   let _ := Asserting(forall k int :: {&rawHdr[k]} 0 <= k && k < scion.MetaLen ==> &rawHdr[k] == &raw[start + k]) in
+ let _ := Asserting(forall k int :: {&rawHdr[k]} 0 <= k && k < scion.MetaLen ==> &rawHdr[k] == &raw[start + k]) in
  let hdr := binary.BigEndian.Uint32(rawHdr) in
  let metaHdr := scion.DecodedFrom(hdr) in
  let seg1 := int(metaHdr.SegLen[0]) in

diff --git a/pkg/slayers/scmp.go b/pkg/slayers/scmp.go
@@ -111,6 +111,7 @@ func (s *SCMP) NextLayerType( /*@ ghost ub []byte @*/ ) gopacket.LayerType {
 // @ requires b != nil
 // @ requires s.Mem(ubufMem)
 // @ preserves b.Mem()
+// @ preserves sl.Bytes(b.UBuf(), 0, len(b.UBuf()))
 // @ ensures err == nil ==> s.Mem(ubufMem)
 // @ ensures err != nil ==> err.ErrorMem()
 // @ decreases
@@ -121,15 +122,6 @@ func (s *SCMP) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeOp
  return err
  }
  // @ unfold s.Mem(ubufMem)
-
- // @ requires len(underlyingBufRes) >= 4
- // @ requires bytes === underlyingBufRes[:4]
- // @ requires b != nil
- // @ preserves acc(&s.TypeCode)
- // @ preserves b.Mem() && b.UBuf() === underlyingBufRes
- // @ decreases
- // @ outline (
- // @ b.ExchangePred()
  // @ sl.SplitByIndex_Bytes(underlyingBufRes, 0, len(underlyingBufRes), 2, writePerm)
  // @ unfold sl.Bytes(underlyingBufRes, 0, 2)
  // @ assert forall i int :: { &bytes[i] } 0 <= i && i < 2 ==> &bytes[i] == &underlyingBufRes[i]
@@ -138,59 +130,37 @@ func (s *SCMP) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeOp
  // @ unfold sl.Bytes(bytes, 0, 2)
  // @ fold sl.Bytes(underlyingBufRes, 0, 2)
  // @ sl.CombineAtIndex_Bytes(underlyingBufRes, 0, len(underlyingBufRes), 2, writePerm)
- // @ b.RestoreMem(underlyingBufRes)
- // @ )
 
  if opts.ComputeChecksums {
  if s.scn == nil {
  // @ fold s.Mem(ubufMem)
  return serrors.New("can not calculate checksum without SCION header")
  }
  // zero out checksum bytes
- // @ requires len(underlyingBufRes) >= 4
- // @ requires bytes === underlyingBufRes[:4]
- // @ requires b != nil
- // @ preserves b.Mem() && b.UBuf() === underlyingBufRes
- // @ decreases
- // @ outline (
- // @ b.ExchangePred()
  // @ sl.SplitByIndex_Bytes(underlyingBufRes, 0, len(underlyingBufRes), 4, writePerm)
  // @ unfold sl.Bytes(underlyingBufRes, 0, 4)
  // @ assert forall i int :: { &bytes[i] } 0 <= i && i < 4 ==> &bytes[i] == &underlyingBufRes[i]
  bytes[2] = 0
  bytes[3] = 0
  // @ fold sl.Bytes(underlyingBufRes, 0, 4)
  // @ sl.CombineAtIndex_Bytes(underlyingBufRes, 0, len(underlyingBufRes), 4, writePerm)
- // @ b.RestoreMem(underlyingBufRes)
- // @ )
  verScionTmp := b.Bytes()
  // @ unfold s.scn.ChecksumMem()
  s.Checksum, err = s.scn.computeChecksum(verScionTmp, uint8(L4SCMP))
  // @ fold s.scn.ChecksumMem()
- // @ b.RestoreMem(verScionTmp)
  if err != nil {
  // @ fold s.Mem(ubufMem)
  return err
  }
 
  }
- // @ requires len(underlyingBufRes) >= 4
- // @ requires bytes === underlyingBufRes[:4]
- // @ requires b != nil
- // @ preserves acc(&s.Checksum)
- // @ preserves b.Mem() && b.UBuf() === underlyingBufRes
- // @ decreases
- // @ outline (
- // @ b.ExchangePred()
  // @ sl.SplitByIndex_Bytes(underlyingBufRes, 0, len(underlyingBufRes), 4, writePerm)
  // @ unfold sl.Bytes(underlyingBufRes, 0, 4)
  // @ assert forall i int :: { &bytes[i] } 0 <= i && i < 4 ==> &bytes[i] == &underlyingBufRes[i]
  // @ assert forall i int :: { &bytes[2:][i] } 0 <= i && i < 2 ==> &bytes[2:][i] == &bytes[i + 2]
  binary.BigEndian.PutUint16(bytes[2:], s.Checksum)
  // @ fold sl.Bytes(underlyingBufRes, 0, 4)
  // @ sl.CombineAtIndex_Bytes(underlyingBufRes, 0, len(underlyingBufRes), 4, writePerm)
- // @ b.RestoreMem(underlyingBufRes)
- // @ )
  // @ fold s.Mem(ubufMem)
  return nil
 }