Support non-modular integer type #16
Comments
The syntax could be similar to Ada's range type, e.g.:
We have to decide the following questions:
If we want to support signed integers, a differentiation between signed and unsigned non-modular integers seems to be necessary. Ada only seems to know signed non-modular integers (and unsigned modular integers). But we had problems getting a correct proof in our Ethernet example, where a modular integer was used for the EtherType/Length field and later used for length checks. A signed integer would not make sense there. We could probably infer the signedness from the specified range.
@senier What do you think?
I don't think we need the base type when we give the size anyway. A simpler version (which is also legal Ada) would be:
- Signed integer: Not sure, have you ever seen protocols doing this? As those special cases could always be modeled using a boolean indicating signedness + a positive integer type, I tend to say no.
- Other representation than 2s complement: Obsolete if we don't support signed integers. Even then, I doubt it's used anywhere.
- Arbitrary ranges: Those could be helpful. I'd say we want them. Maybe we should realize that (in the code) using a subtype of some base type that covers the whole possible range of the bits that type is represented by. That will help with the proofs, as we can represent the (potentially out-of-bounds) value of the packet as a variable of the base type, perform range checks and, if successful, represent it as the subtype. Does that make sense?
I also do not know any protocol which uses signed integers. So let's stick with unsigned integers. Your description of the realization of arbitrary ranges is similar to what I thought of. Sounds reasonable to me. Let's do it that way. I just tried to write a function which converts a byte array into an unsigned integer. Unfortunately, I cannot find a way to get a successful proof. Converting an element of the array to the target type seems to confuse the prover. Here is a small example, for which I get the following errors:
Interestingly, the issue still remains if I change the base type of the array from a modular integer to a non-modular one (e.g.,
@senier @jklmnn Do you have an idea how to solve the problem?
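The scheme discussed in the two comments above (a non-modular base type that covers every bit pattern of the field, a subtype for the valid range, and a byte-array-to-integer conversion whose result is range-checked before it becomes the subtype) as an added SPARK example. This is not code from the issue or from the project; the package, type and procedure names (`Field_Conversion`, `Length_Base`, `Length`, `Convert_U16`, `Parse_Length`) and the 16-bit EtherType/Length field with a hypothetical valid range of 0 .. 1500 are assumptions made for illustration, and the contracts are written in SPARK 2014 aspect syntax.

```ada
--  Added example, not project code. Assumes SPARK 2014 / GNAT.
--  Demonstrates: base type covering all 16 bit patterns, a range-restricted
--  subtype, conversion from a byte array, and a guarded range check.
pragma SPARK_Mode (On);

package Field_Conversion with SPARK_Mode is

   type Byte  is mod 2**8;
   type Index is range 1 .. 1500;
   type Bytes is array (Index range <>) of Byte;

   --  Base type: every value a 16-bit field can carry is representable,
   --  so an out-of-range packet value never raises a constraint error.
   type Length_Base is range 0 .. 2**16 - 1 with Size => 16;

   --  Hypothetical valid range for the field (values <= 1500 denote a
   --  payload length in IEEE 802.3 framing; larger values are EtherTypes).
   subtype Length is Length_Base range 0 .. 1500;

   --  Big-endian conversion of two bytes into the base type.
   --  The postcondition spells out the arithmetic so callers can reason
   --  about the result without seeing the body.
   function Convert_U16 (Data : Bytes) return Length_Base with
     Pre  => Data'Length = 2,
     Post => Convert_U16'Result =
               Length_Base (Data (Data'First)) * 256
               + Length_Base (Data (Data'First + 1));

   --  Parse the field: Success is True only if the raw value lies in Length,
   --  and only then is Value the converted field.
   procedure Parse_Length
     (Data    : in  Bytes;
      Success : out Boolean;
      Value   : out Length)
   with
     Pre  => Data'Length = 2,
     Post => (if Success then Value = Convert_U16 (Data));

end Field_Conversion;

package body Field_Conversion with SPARK_Mode is

   function Convert_U16 (Data : Bytes) return Length_Base is
   begin
      --  Each Byte converts to 0 .. 255; 255 * 256 + 255 = 65535 fits
      --  Length_Base, so no overflow check can fail here.
      return Length_Base (Data (Data'First)) * 256
             + Length_Base (Data (Data'First + 1));
   end Convert_U16;

   procedure Parse_Length
     (Data    : in  Bytes;
      Success : out Boolean;
      Value   : out Length)
   is
      Raw : constant Length_Base := Convert_U16 (Data);
   begin
      --  Range check on the base-type value; the assignment to the subtype
      --  is only reached when the membership test has established the range.
      if Raw in Length then
         Success := True;
         Value   := Raw;
      else
         Success := False;
         Value   := Length'First;  --  out parameter must be initialized
      end if;
   end Parse_Length;

end Field_Conversion;
```

The point of the split is that `Convert_U16` never has to prove anything about the protocol's valid range: it only promises that the result fits 16 bits, which follows from the byte bounds. The range check then happens once, in `Parse_Length`, on a base-type value, and the subtype assignment is guarded by the very test the prover needs to discharge it.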
Your example proves for me. Maybe you should throw more computing power and solvers at it? I used
What a simple solution. You are right, I just used the default
Done. @treiher: Please check whether this has been integrated into master. |
Add support for non-modular integers. The bit-length of a new integer type has to be defined.