Home Explore Help
Sign In
ariadne
/
shttpd
Watch 1
Star 0
Fork 0
Files Issues 7 Pull Requests 0 Wiki
Branch: verification
Branches Tags
shttpd
/
lex
/
nat-generic.c

nat-generic.c 5.0 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 
  1. // SPDX-License-Identifier: GPL-2.0 or GPL-3.0
    2. 

  2. // Copyright © 2019 Ariadne Devos
    3. 

  3. 

  4. // Integer model: wrap-around
    5. 

  5. // Proof status: auto
    6. 

  6. 

  7. #include <stdint.h>
    8. 

  8. #include <sHT/index.h>
    9. 

  9. #include <sHT/lex/digit.h>
    10. 

  10. #include <sHT/lex/nat.h>
    11. 

  11. #include <sHT/logic/arithmetic.h>
    12. 

  12. #include <sHT/test.h>
    13. 

  13. 

  14. #ifdef __FRAMAC__
    15. 

  15. #  include <sHT/math/vector-memory.h>
    16. 

  16. #  include <sHT/math/expnat/lt.h>
    17. 

  17. #endif
    18. 

  18. 

  19. /*@ requires S ==> \valid_read(&c[0 .. e - 1]);
    20. 

  20.     requires S ==> \valid_read(&c[0]);
    21. 

  21.     requires \valid_read(&c[b .. e - 1]);
    22. 

  22.     requires NS ==> b <= i < e;
    23. 

  23.     requires i < e || i == 0;
    24. 

  24.     requires NS ==> X_num_p(vector_load_u8(c + b, e - b));
    25. 

  25.     terminates \true;
    26. 

  26.     assigns \result;
    27. 

  27.     ensures NS ==> \result == X_val(c[i]); */
    28. 

  28. static inline uint32_t
    29. 

  29. sHT_X_given_X_num_p(uint8_t *c, size_t b, size_t e, size_t i)
    30. 

  30. {
    31. 

  31. 	/*@ assert NS ==> X_p(\nth(vector_load_u8(c + b, e - b), i - b)); */
    32. 

  32. 	/*@ assert NS ==> X_p((c + b)[i - b]); */
    33. 

  33. 	return sHT_X_val(c[i]);
    34. 

  34. }
    35. 

  35. 

  36. /** Reduce scope of X_num_p
    37. 

  37. 

  38.     (Doing i + 1 here avoids overflow later.) */
    39. 

  39. /*@ requires NS ==> i < n;
    40. 

  40.     requires NS ==> X_num_p(vector_load_u8(c, n));
    41. 

  41.     terminates \true;
    42. 

  42.     assigns \nothing;
    43. 

  43.     ensures NS ==> X_num_p(vector_load_u8(c, i + 1)); */
    44. 

  44. static inline void
    45. 

  45. sHT_X_num_p_less(uint8_t *c, size_t n, size_t i)
    46. 

  46. {
    47. 

  47. 	/* Limit range to 0 .. i: elements */
    48. 

  48. 	/*@ assert \length(vector_load_u8(c, n)) == n; */
    49. 

  49. 	/*@ assert \length(vector_load_u8(c, i + 1)) == i + 1; */
    50. 

  50. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < n
    51. 

  51. 	      ==> \nth(vector_load_u8(c, n), j) == c[j]; */
    52. 

  52. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < i + 1
    53. 

  53. 	      ==> \nth(vector_load_u8(c, n), j) == c[j]; */
    54. 

  54. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < i + 1
    55. 

  55. 	      ==> \nth(vector_load_u8(c, i + 1), j) == c[j]; */
    56. 

  56. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < i + 1
    57. 

  57. 	      ==> \nth(vector_load_u8(c, n), j) == \nth(vector_load_u8(c, i + 1), j); */
    58. 

  58. 

  59. 	/* Limit range to 0 .. i: predicate*/
    60. 

  60. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < \length(vector_load_u8(c, n))
    61. 

  61. 	      ==> X_p(\nth(vector_load_u8(c, n), j)); */
    62. 

  62. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < n
    63. 

  63. 	      ==> X_p(\nth(vector_load_u8(c, n), j)); */
    64. 

  64. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < i + 1
    65. 

  65. 	      ==> X_p(\nth(vector_load_u8(c, n), j)); */
    66. 

  66. 	/*@ assert NS ==> ∀ ℤ j; 0 <= j < i + 1
    67. 

  67. 	      ==> X_p(\nth(vector_load_u8(c, i + 1), j)); */
    68. 

  68. }
    69. 

  69. 

  70. /*@ requires NS ==> X_num_p(vector_load_u8(c, n));
    71. 

  71.     requires NS ==> k <= n;
    72. 

  72.     terminates \true;
    73. 

  73.     assigns \nothing;
    74. 

  74.     ensures NS ==> X_num_val(vector_load_u8(c, k))
    75. 

  75.       ≤ X_num_val(vector_load_u8(c, n)); */
    76. 

  76. static inline void
    77. 

  77. sHT_X_num_val_less_lt(uint8_t *c, size_t n, size_t k)
    78. 

  78. {
    79. 

  79. 	/*@ assert NS ==> ∀ integer j; 0 <= j < \length(vector_load_u8(c, n))
    80. 

  80. 	      ==> X_p(\nth(vector_load_u8(c, n), j)); */
    81. 

  81. 	/*@ assert NS ==> ∀ integer j; 0 <= j < n
    82. 

  82. 	      ==> X_p(\nth(vector_load_u8(c, n), j)); */
    83. 

  83. 	/*@ assert NS ==> ∀ integer j; 0 <= j < n
    84. 

  84. 	      ==> \nth(vector_load_u8(c, n), j) == c[j]; */
    85. 

  85. 	/*@ assert NS ==> ∀ integer j; 0 <= j < n
    86. 

  86. 	      ==> X_p(c[j]); */
    87. 

  87. 	/*@ assert NS ==> ∀ integer j; 0 <= j < n
    88. 

  88. 	      ==> 0 <= X_val(c[j]) < X_base; */
    89. 

  89. 

  90. 	/*@ loop invariant NS ==> k <= i <= n;
    91. 

  91. 	    loop invariant NS ==> X_num_val(vector_load_u8(c, k))
    92. 

  92. 	      ≤ X_num_val(vector_load_u8(c, i));
    93. 

  93. 	    loop assigns i;
    94. 

  94. 	    loop variant n - i; */
    95. 

  95. 	for (size_t i = k; i < n; i++) {
    96. 

  96. 		/* Step X_num_val */
    97. 

  97. 		sHT_X_num_p_less(c, n, i);
    98. 

  98. 		/*@ assert vector_load_u8(c, i + 1) == (vector_load_u8(c, i) ^ [| c[i] |]); */
    99. 

  99. 		/*@ assert NS ==> X_num_p(vector_load_u8(c, i) ^ [| c[i] |]); */
    100. 

  100. 		/*@ assert NS ==> X_num_val(vector_load_u8(c, i) ^ [| c[i] |])
    101. 

  101. 		      == X_base * X_num_val(vector_load_u8(c, i))
    102. 

  102. 		         + X_val(c[i]); */
    103. 

  103. 		/*@ assert NS ==> X_num_val(vector_load_u8(c, i + 1))
    104. 

  104. 		      == X_base * X_num_val(vector_load_u8(c, i))
    105. 

  105. 		         + X_val(c[i]); */
    106. 

  106. 

  107. 		/* Bounds on the accumulation */
    108. 

  108. 		/*@ assert NS ==> 0 <= X_num_val(vector_load_u8(c, i)); */
    109. 

  109. 

  110. 		/* Bounds on the extra digit */
    111. 

  111. 		/*@ assert NS ==> X_p(\nth(vector_load_u8(c, n), i)); */
    112. 

  112. 		/*@ assert NS ==> X_p(c[i]); */
    113. 

  113. 		/*@ assert NS ==> 0 <= X_val(c[i]) < X_base; */
    114. 

  114. 	}
    115. 

  115. }
    116. 

  116. 

  117. uint32_t
    118. 

  118. sHT_X_to_u32(uint8_t *c, size_t b, size_t e)
    119. 

  119. {
    120. 

  120. 	size_t i = b;
    121. 

  121. 	uint32_t x = 0;
    122. 

  122. 	if (sHT_ge(b, e))
    123. 

  123. 		return x;
    124. 

  124. 	/*@ loop invariant NS ==> b <= i < e;
    125. 

  125. 	    loop invariant NS ==> x == X_num_val(vector_load_u8(c + b, i - b));
    126. 

  126. 	    loop assigns i, x;
    127. 

  127. 	    loop variant e - i; */
    128. 

  128. 	do {	loop: i = sHT_index_nospec(i, e);
    129. 

  129. 		sHT_X_num_p_less(c + b, e - b, i - b);
    130. 

  130. 		uint32_t y = sHT_X_given_X_num_p(c, b, e, i);
    131. 

  131. 		/* Value */
    132. 

  132. 		/*@ assert NS ==> vector_load_u8(c + b, i - b + 1)
    133. 

  133. 		      == (vector_load_u8(c + b, i - b) ^ [| c[i] |]); */
    134. 

  134. 		/*@ assert NS ==> X_num_val(vector_load_u8(c + b, i - b + 1))
    135. 

  135. 		      == X_base * X_num_val(vector_load_u8(c + b, i - b))
    136. 

  136. 		         + X_val(c[i]); */
    137. 

  137. 		/*@ assert NS ==> X_num_val(vector_load_u8(c + b, i - b + 1))
    138. 

  138. 		      == X_base * X_num_val(vector_load_u8(c + b, i - b))
    139. 

  139. 		         + y; */
    140. 

  140. 		/* Bounds */
    141. 

  141. 		sHT_X_num_val_less_lt(c + b, e - b, (i - b) + 1);
    142. 

  142. 		/*@ assert NS ==> X_num_val(vector_load_u8(c + b, (i - b) + 1)) <= UINT32_MAX; */
    143. 

  143. 		x = sHT_muladd_nooverflowNS_u32(sHT_X_base, x, y);
    144. 

  144. 		i++;
    145. 

  145. 	} while (sHT_lt(i, e));
    146. 

  146. 	return x;
    147. 

  147. }
    148. 

  148.