Adapt spec according to PR 944 from Gobra (#405)

* adapt according to PR 944 from Gobra

* fix parsing issues with slayers

* fix remaining parsing errors

* fix missing parsing error

Author: jcp19

pkg/slayers/scion.go

@@ -780,9 +780,9 @@ func packAddr(hostAddr net.Addr /*@ , ghost wildcard bool @*/) (addrtyp AddrType
 	switch a := hostAddr.(type) {
 	case *net.IPAddr:
 		// @ ghost if wildcard {
-		// @     unfold acc(hostAddr.Mem(), _)
+		// @ 	unfold acc(hostAddr.Mem(), _)
 		// @ } else {
-		// @ 	 unfold acc(hostAddr.Mem(), R20)
+		// @ 	unfold acc(hostAddr.Mem(), R20)
 		// @ }
 		if ip := a.IP.To4( /*@ wildcard @*/ ); ip != nil {
 			// @ ghost if !wildcard && isIPv6(a) {
@@ -805,13 +805,13 @@ func packAddr(hostAddr net.Addr /*@ , ghost wildcard bool @*/) (addrtyp AddrType
 		// @ assert !wildcard && isIP(hostAddr) ==> (unfolding acc(hostAddr.Mem(), R20) in (isIPv6(hostAddr) && isConvertibleToIPv4(hostAddr) ==> forall i int :: { &b[i] } 0 <= i && i < len(b) ==> &b[i] == &hostAddr.(*net.IPAddr).IP[12+i]))
 		verScionTmp := a.IP
 		// @ ghost if wildcard {
-		// @   fold acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), _)
+		// @ 	fold acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), _)
 		// @ } else {
-		// @   fold acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), R20)
-		// @   package acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), R20) --* acc(hostAddr.Mem(), R20) {
-		// @     unfold acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), R20)
-		// @     fold acc(hostAddr.Mem(), R20)
-		// @   }
+		// @ 	fold acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), R20)
+		// @ 	package acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), R20) --* acc(hostAddr.Mem(), R20) {
+		// @ 		unfold acc(sl.Bytes(verScionTmp, 0, len(verScionTmp)), R20)
+		// @ 		fold acc(hostAddr.Mem(), R20)
+		// @ 	}
 		// @ }
 		return T16Ip, verScionTmp, nil
 	case addr.HostSVC:

pkg/slayers/scion_spec.gobra

@@ -409,20 +409,22 @@ requires sl.Bytes(ub, 0, len(ub))
 decreases
 pure func (s *SCION) EqAbsHeader(ub []byte) bool {
 	return unfolding s.Mem(ub) in
-		let low := CmnHdrLen+s.AddrHdrLenSpecInternal() in
-		let high := s.HdrLen*LineLen in
-		GetAddressOffset(ub) == low  &&
-		GetLength(ub) == int(high)   &&
+		// the '_' in the identifier below is now necessary to avoid
+		// parsing errors (since the SIF PR in Gobra, low is a keyword).
+		let low_ := CmnHdrLen+s.AddrHdrLenSpecInternal() in
+		let high := s.HdrLen*LineLen  in
+		GetAddressOffset(ub) == low_  &&
+		GetLength(ub) == int(high)    &&
 		// Might be worth introducing EqAbsHeader as an interface method on Path
 		// to avoid doing these casts, especially when we add support for EPIC.
 		typeOf(s.Path) == (*scion.Raw) &&
-		unfolding s.Path.Mem(ub[low:high]) in
-		unfolding sl.Bytes(ub, 0, len(ub)) in
-		let _ := Asserting(forall k int :: {&ub[low:high][k]} 0 <= k && k < high ==>
-			&ub[low:high][k] == &ub[low + k]) in
-		let _ := Asserting(forall k int :: {&ub[low:high][:scion.MetaLen][k]} 0 <= k && k < scion.MetaLen ==>
-			&ub[low:high][:scion.MetaLen][k] == &ub[low:high][k]) in
-		let metaHdr := scion.DecodedFrom(binary.BigEndian.Uint32(ub[low:high][:scion.MetaLen])) in
+		unfolding s.Path.Mem(ub[low_:high]) in
+		unfolding sl.Bytes(ub, 0, len(ub))  in
+		let _ := Asserting(forall k int :: {&ub[low_:high][k]} 0 <= k && k < high ==>
+			&ub[low_:high][k] == &ub[low_ + k]) in
+		let _ := Asserting(forall k int :: {&ub[low_:high][:scion.MetaLen][k]} 0 <= k && k < scion.MetaLen ==>
+			&ub[low_:high][:scion.MetaLen][k] == &ub[low_:high][k]) in
+		let metaHdr := scion.DecodedFrom(binary.BigEndian.Uint32(ub[low_:high][:scion.MetaLen])) in
 		let seg1 := int(metaHdr.SegLen[0]) in
 		let seg2 := int(metaHdr.SegLen[1]) in
 		let seg3 := int(metaHdr.SegLen[2]) in
@@ -437,11 +439,13 @@ opaque
 requires s.Mem(ub)
 decreases
 pure func (s *SCION) ValidScionInitSpec(ub []byte) bool {
-	return unfolding s.Mem(ub)                          in
-		let low := CmnHdrLen+s.AddrHdrLenSpecInternal() in
-		let high := s.HdrLen*LineLen                    in
+	return unfolding s.Mem(ub)                           in
+		// the '_' in the identifier below is now necessary to avoid
+		// parsing errors (since the SIF PR in Gobra, low is a keyword).
+		let low_ := CmnHdrLen+s.AddrHdrLenSpecInternal() in
+		let high := s.HdrLen*LineLen                     in
 		typeOf(s.Path) == (*scion.Raw) &&
-		s.Path.(*scion.Raw).GetBase(ub[low:high]).WeaklyValid()
+		s.Path.(*scion.Raw).GetBase(ub[low_:high]).WeaklyValid()
 }
 
 // Checks if the common path header is valid in the serialized scion packet.
@@ -604,11 +608,11 @@ requires s.Mem(ub)
 decreases
 pure func (s *SCION) GetScionPath(ub []byte) path.Path {
 	return unfolding s.Mem(ub) in (
-	typeOf(s.Path) == *epic.Path ?
-		(let ubPath := ub[CmnHdrLen+s.AddrHdrLenSpecInternal() : s.HdrLen*LineLen] in
-			unfolding s.Path.Mem(ubPath) in
-			(path.Path)(s.Path.(*epic.Path).ScionPath)) :
-		s.Path)
+		typeOf(s.Path) == *epic.Path ?
+			(let ubPath := ub[CmnHdrLen+s.AddrHdrLenSpecInternal() : s.HdrLen*LineLen] in
+				unfolding s.Path.Mem(ubPath) in
+				(path.Path)(s.Path.(*epic.Path).ScionPath)) :
+			s.Path)
 }
 
 ghost

pkg/slayers/scmp_typecode_spec.gobra

@@ -18,14 +18,14 @@ package slayers
 
 pred SCMPTypeCodeMem() {
 	// We don't use a trigger here since triggers of the form scmpTypeCodeInfo[i].codes would generate a ternary expression
-	// The default trigger generated is: { (i_V0 in domain((getMap(scmpTypeCodeInfo_e8d3837_G().underlyingMapField): Map[Int,Tuple2[Int, Ref]]))) }
+	// The default trigger generated is: { (i_V0 elem domain((getMap(scmpTypeCodeInfo_e8d3837_G().underlyingMapField): Map[Int,Tuple2[Int, Ref]]))) }
 	acc(scmpTypeCodeInfo) &&
-	forall i SCMPType :: { scmpTypeCodeInfo[i] } i in domain(scmpTypeCodeInfo) ==> scmpTypeCodeInfo[i].codes != nil ==> acc(scmpTypeCodeInfo[i].codes)
+	forall i SCMPType :: { scmpTypeCodeInfo[i] } i elem domain(scmpTypeCodeInfo) ==> scmpTypeCodeInfo[i].codes != nil ==> acc(scmpTypeCodeInfo[i].codes)
 }
 
 mayInit
 requires acc(scmpTypeCodeInfo)
-requires forall i SCMPType :: { scmpTypeCodeInfo[i] } i in domain(scmpTypeCodeInfo) ==> scmpTypeCodeInfo[i].codes != nil ==> acc(scmpTypeCodeInfo[i].codes)
+requires forall i SCMPType :: { scmpTypeCodeInfo[i] } i elem domain(scmpTypeCodeInfo) ==> scmpTypeCodeInfo[i].codes != nil ==> acc(scmpTypeCodeInfo[i].codes)
 ensures SCMPTypeCodeMem()
 decreases
 func satisfyInitEnsures() int {

router/dataplane.go

@@ -564,8 +564,8 @@ func (d *DataPlane) getInterfaceState(interfaceID uint16) control.InterfaceState
 	// @ 	defer fold acc(accBfdSession(d.bfdSessions), R20)
 	// @ }
 	if bfdSession, ok := bfdSessions[interfaceID]; ok {
-		// @ assert interfaceID in domain(d.bfdSessions)
-		// @ assert bfdSession in range(d.bfdSessions)
+		// @ assert interfaceID elem domain(d.bfdSessions)
+		// @ assert bfdSession elem range(d.bfdSessions)
 		// @ assert bfdSession != nil
 		// (VerifiedSCION) This checked used to be conjoined with 'ok' in the condition
 		// of the if stmt above. We broke it down to perform intermediate asserts.
@@ -835,12 +835,12 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 		// dPtr as an helper parameter. It always receives the value &d.
 		// @ requires acc(dPtr, _)
 		// @ requires let d := *dPtr in
-		// @ 	acc(d.Mem(), _)                            &&
-		// @ 	d.WellConfigured()                         &&
-		// @ 	d.getValSvc() != nil                       &&
-		// @ 	d.getValForwardingMetrics() != nil         &&
-		// @ 	(0 in d.getDomForwardingMetrics())         &&
-		// @ 	(ingressID in d.getDomForwardingMetrics()) &&
+		// @ 	acc(d.Mem(), _)                              &&
+		// @ 	d.WellConfigured()                           &&
+		// @ 	d.getValSvc() != nil                         &&
+		// @ 	d.getValForwardingMetrics() != nil           &&
+		// @ 	(0 elem d.getDomForwardingMetrics())         &&
+		// @ 	(ingressID elem d.getDomForwardingMetrics()) &&
 		// @ 	d.getMacFactory() != nil
 		// @ requires rd != nil && acc(rd.Mem(), _)
 		// contracts for IO-spec
@@ -919,8 +919,8 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 			// @ invariant acc(d.Mem(), _) && d.WellConfigured()
 			// @ invariant d.getValSvc() != nil
 			// @ invariant d.getValForwardingMetrics() != nil
-			// @ invariant 0 in d.getDomForwardingMetrics()
-			// @ invariant ingressID in d.getDomForwardingMetrics()
+			// @ invariant 0 elem d.getDomForwardingMetrics()
+			// @ invariant ingressID elem d.getDomForwardingMetrics()
 			// @ invariant acc(rd.Mem(), _)
 			// @ invariant processor.sInit() && processor.sInitD() === d
 			// @ invariant let ubuf := processor.sInitBufferUBuf() in
@@ -991,8 +991,8 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 				// @ invariant acc(d.Mem(), _) && d.WellConfigured()
 				// @ invariant d.getValSvc() != nil
 				// @ invariant d.getValForwardingMetrics() != nil
-				// @ invariant 0 in d.getDomForwardingMetrics()
-				// @ invariant ingressID in d.getDomForwardingMetrics()
+				// @ invariant 0 elem d.getDomForwardingMetrics()
+				// @ invariant ingressID elem d.getDomForwardingMetrics()
 				// @ invariant acc(rd.Mem(), _)
 				// @ invariant pkts <= len(msgs)
 				// @ invariant 0 <= i0 && i0 <= pkts
@@ -1147,7 +1147,7 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 					// @ ghost t, s := *ioSharedArg.Place, *ioSharedArg.State
 					// @ ghost if(newAbsPkt.isValPkt) {
 					// @ 	ApplyElemWitness(s.obuf, ioSharedArg.OBufY, newAbsPkt.ValPkt_1, newAbsPkt.ValPkt_2)
-					// @ 	assert newAbsPkt.ValPkt_2 in AsSet(s.obuf[newAbsPkt.ValPkt_1])
+					// @ 	assert newAbsPkt.ValPkt_2 elem AsSet(s.obuf[newAbsPkt.ValPkt_1])
 					// @ 	assert dp.dp3s_iospec_bio3s_send_guard(s, t, newAbsPkt)
 					// @ } else { assert newAbsPkt.isValUnsupported }
 					// @ unfold dp.dp3s_iospec_ordered(s, t)
@@ -1188,7 +1188,7 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 					}
 					// @ requires acc(dPtr, _) && *dPtr === d
 					// @ requires acc(d.Mem(), _)
-					// @ requires result.EgressID in d.getDomForwardingMetrics()
+					// @ requires result.EgressID elem d.getDomForwardingMetrics()
 					// @ decreases
 					// @ outline(
 					// ok metric
@@ -1208,7 +1208,7 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 		}
 	// @ unfold acc(d.Mem(), R1)
 	// @ assert d.WellConfigured()
-	// @ assert 0 in d.getDomForwardingMetrics()
+	// @ assert 0 elem d.getDomForwardingMetrics()
 	// @ ghost if d.bfdSessions != nil { unfold acc(accBfdSession(d.bfdSessions), R2) }
 
 	// (VerifiedSCION) we introduce this to avoid problems with the invariants that
@@ -1257,7 +1257,7 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 	// @ invariant acc(d.Mem(), _) && d.WellConfigured()
 	// @ invariant d.getValSvc() != nil
 	// @ invariant d.getValForwardingMetrics() != nil
-	// @ invariant 0 in d.getDomForwardingMetrics()
+	// @ invariant 0 elem d.getDomForwardingMetrics()
 	// @ invariant d.getMacFactory() != nil
 	// @ invariant dp.Valid()
 	// @ invariant d.DpAgreesWithSpec(dp)
@@ -1271,8 +1271,8 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 			// @ requires acc(d.Mem(), _) && d.WellConfigured()
 			// @ requires d.getValSvc() != nil
 			// @ requires d.getValForwardingMetrics() != nil
-			// @ requires 0 in d.getDomForwardingMetrics()
-			// @ requires i in d.getDomForwardingMetrics()
+			// @ requires 0 elem d.getDomForwardingMetrics()
+			// @ requires i elem d.getDomForwardingMetrics()
 			// @ requires d.getMacFactory() != nil
 			// @ requires c != nil && acc(c.Mem(), _)
 			// contracts for IO-spec
@@ -1285,7 +1285,7 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 				read(i, c, &d /*@, ioLock, ioSharedArg, dp @*/) //@ as rc
 			}
 		// @ ghost if d.external != nil { unfold acc(accBatchConn(d.external), R50) }
-		// @ assert v in range(d.external)
+		// @ assert v elem range(d.external)
 		// @ assert acc(v.Mem(), _)
 		// @ d.InDomainExternalInForwardingMetrics3(ifID)
 		// @ ghost if d.external != nil { fold acc(accBatchConn(d.external), R50) }
@@ -1297,7 +1297,7 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 		// @ requires acc(d.Mem(), _) && d.WellConfigured()
 		// @ requires d.getValSvc() != nil
 		// @ requires d.getValForwardingMetrics() != nil
-		// @ requires 0 in d.getDomForwardingMetrics()
+		// @ requires 0 elem d.getDomForwardingMetrics()
 		// @ requires d.getMacFactory() != nil
 		// @ requires c != nil && acc(c.Mem(), _)
 		// contracts for IO-spec
@@ -1334,7 +1334,7 @@ func (d *DataPlane) Run(ctx context.Context /*@, ghost place io.Place, ghost sta
 // @ ensures   d.Mem()
 // @ ensures   d.MetricsAreSet()
 // @ ensures   d.WellConfigured()
-// @ ensures   0 in d.DomainForwardingMetrics()
+// @ ensures   0 elem d.DomainForwardingMetrics()
 // @ ensures   d.InternalConnIsSet()
 // @ ensures   d.KeyIsSet()
 // @ ensures   d.SvcsAreSet()
@@ -1386,14 +1386,14 @@ func (d *DataPlane) initMetrics( /*@ ghost dp io.DataPlaneSpec @*/ ) {
 	// @ invariant d.external === dExternal
 	// @ invariant acc(&d.forwardingMetrics) && acc(d.forwardingMetrics)
 	// @ invariant domain(d.forwardingMetrics) == set[uint16]{0} union visitedSet
-	// @ invariant 0 in domain(d.forwardingMetrics)
+	// @ invariant 0 elem domain(d.forwardingMetrics)
 	// @ invariant acc(&d.internalNextHops, R15)
 	// @ invariant d.internalNextHops === dInternalNextHops
 	// @ invariant d.internalNextHops != nil ==> acc(d.internalNextHops, R20)
 	// @ invariant domain(d.internalNextHops) intersection domain(d.external) == set[uint16]{}
 	// @ invariant acc(&d.neighborIAs, R15)
 	// @ invariant d.neighborIAs != nil ==> acc(d.neighborIAs, R15)
-	// @ invariant forall i uint16 :: { d.forwardingMetrics[i] } i in domain(d.forwardingMetrics) ==>
+	// @ invariant forall i uint16 :: { d.forwardingMetrics[i] } i elem domain(d.forwardingMetrics) ==>
 	// @ 	acc(forwardingMetricsMem(d.forwardingMetrics[i], i), _)
 	// @ invariant acc(&d.Metrics, R15)
 	// @ invariant acc(d.Metrics.Mem(), _)
@@ -1694,7 +1694,7 @@ func (p *scionPacketProcessor) processInterBFD(oh *onehop.Path, data []byte) (er
 	}
 
 	if v, ok := p.d.bfdSessions[p.ingressID]; ok {
-		// @ assert v in range(p.d.bfdSessions)
+		// @ assert v elem range(p.d.bfdSessions)
 		v.ReceiveMessage(bfd /*@ , data @*/)
 		return nil
 	}
@@ -1742,12 +1742,12 @@ func (p *scionPacketProcessor) processIntraBFD(data []byte) (res error) {
 	// @ invariant acc(&p.d.internalNextHops, _)
 	// @ invariant m === p.d.internalNextHops
 	// @ invariant m != nil ==> acc(m, R20)
-	// @ invariant m != nil ==> forall a *net.UDPAddr :: { a in range(m) } a in range(m) ==> acc(a.Mem(), _)
+	// @ invariant m != nil ==> forall a *net.UDPAddr :: { a elem range(m) } a elem range(m) ==> acc(a.Mem(), _)
 	// @ invariant acc(&p.srcAddr, R20) && acc(p.srcAddr.Mem(), _)
 	// @ decreases len(p.d.internalNextHops) - len(keys)
 	for k, v := range p.d.internalNextHops /*@ with keys @*/ {
 		// @ assert acc(&p.d.internalNextHops, _)
-		// @ assert forall a *net.UDPAddr :: { a in range(m) } a in range(m) ==> acc(a.Mem(), _)
+		// @ assert forall a *net.UDPAddr :: { a elem range(m) } a elem range(m) ==> acc(a.Mem(), _)
 		// @ assert acc(v.Mem(), _)
 		// @ unfold acc(v.Mem(), _)
 		// @ unfold acc(p.srcAddr.Mem(), _)
@@ -1763,7 +1763,7 @@ func (p *scionPacketProcessor) processIntraBFD(data []byte) (res error) {
 	// @ assert acc(&p.d.bfdSessions, _)
 	// @ ghost if p.d.bfdSessions != nil { unfold acc(accBfdSession(p.d.bfdSessions), _) }
 	if v, ok := p.d.bfdSessions[ifID]; ok {
-		// @ assert v in range(p.d.bfdSessions)
+		// @ assert v elem range(p.d.bfdSessions)
 		v.ReceiveMessage(bfd /*@ , data @*/)
 		return nil
 	}
@@ -2544,8 +2544,8 @@ func (p *scionPacketProcessor) validateTransitUnderlaySrc( /*@ ghost ub []byte @
 	// @ ghost if p.d.internalNextHops != nil { unfold acc(accAddr(p.d.internalNextHops), _) }
 	expectedSrc, ok := p.d.internalNextHops[pktIngressID]
 	// @ ghost if ok {
-	// @ 	assert expectedSrc in range(p.d.internalNextHops)
-	// @    unfold acc(expectedSrc.Mem(), _)
+	// @ 	assert expectedSrc elem range(p.d.internalNextHops)
+	// @ 	unfold acc(expectedSrc.Mem(), _)
 	// @ }
 	// @ unfold acc(p.srcAddr.Mem(), _)
 	if !ok || !expectedSrc.IP.Equal(p.srcAddr.IP) {
@@ -4191,7 +4191,7 @@ func (p *scionPacketProcessor) processOHP() (respr processResult, reserr error /
 		// @ ghost if p.d.external != nil { unfold acc(accBatchConn(p.d.external), _) }
 		if c, ok := p.d.external[ohp.FirstHop.ConsEgress]; ok {
 			// @ p.d.getDomExternalLemma()
-			// @ assert ohp.FirstHop.ConsEgress in p.d.getDomExternal()
+			// @ assert ohp.FirstHop.ConsEgress elem p.d.getDomExternal()
 			// @ p.d.InDomainExternalInForwardingMetrics(ohp.FirstHop.ConsEgress)
 			// @ fold p.d.validResult(processResult{EgressID: ohp.FirstHop.ConsEgress, OutConn: c, OutPkt: p.rawPkt}, false)
 			return processResult{EgressID: ohp.FirstHop.ConsEgress, OutConn: c, OutPkt: p.rawPkt},

router/dataplane_concurrency_model.gobra

@@ -258,7 +258,7 @@ pred ElemWitness(ghost y ElemRA, ghost k Key, ghost e Elem)
 ghost
 decreases
 requires ElemAuth(m, y) && ElemWitness(y, k, e)
-ensures  ElemAuth(m, y) && ElemWitness(y, k, e) && k in domain(m) && e in AsSet(m[k])
+ensures  ElemAuth(m, y) && ElemWitness(y, k, e) && k elem domain(m) && e elem AsSet(m[k])
 func ApplyElemWitness(m dict[Key]Val, y ElemRA, k Key, e Elem)
 
 ghost