-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Semantics of Message'Last
inside message types
#736
Comments
The representation of the buffer size as parameters (O3) does not fit well to the channel interface in sessions. The parameter representing the buffer size would need to be set before a For the current channel interface, a solution is required that does not require the knowledge of the message size before the message is read from a channel / before the message buffer is written. On the specification side, O3 cannot fulfill this requirement. In SPARK, the I have added two new options. O4 should fulfill all requirements, O5 might be seen as an optimization of O4. @senier Do you think continuing with an implementation of O4 makes sense or do we want to have a discussion? |
The idea presented in O5 is interesting (and having the only valid use of Message'Size replaced by something implicit may also avoid some false expectations). Unless you're sure that O5 saves us a lot of effort, I'd continue with O4 and discuss O5 as a potential optimization. |
Alright, then I will continue with O4. The changes for O4 should be limited to the generator. For O5, also the model and PyRFLX will need to be changed, but that can also be done after completing the changes for O4. |
Context and Problem Statement
Message'Last
is differently interpreted in PyRFLX and in the generated SPARK code:Ctx.Last
)The need for
Message'Last
originated in the specification of Ethernet II Frames, where the size of the Payload field is defined by the available space in the buffer. Similar cases also exist in TLS Heartbeat Messages and TCP Segments.Message'Last
is also used to check if a field is the last field based on the available space in the buffer, e.g., in TLS Handshake Client Hello.In the message specifications of HTTP/2 and TCP PyRFLX's interpretation is used to specify an invariant for the message size (this also led to #554). These invariants don't make sense considering the interpretation in the generated SPARK code, as the message size would need to be known before a message is parsed or serialized, even for messages with length fields (i.e., the to be parsed buffer or the target buffer would need to be restricted to the size of the message before parsing or serialization).
Considered Options
O1 Differentiate between
Buffer'Last
andMessage'Last
Buffer'Last
is added and corresponds to current semantics ofMessage'Last
in the generated SPARK code.Message'Last
is kept with the semantics of PyRFLX. #555 needs to be enforced forMessage'Last
.+ Enable specification of global invariants for message size (#554)
O2 Change semantics in PyRFLX
Message
is renamed toBuffer
and PyRFLX is changed so thatBuffer'Last
has the same semantics as in the generated SPARK code. #555 is obsolete.+ Less complexity
− Prevents specification of global invariants for message size (#554)
O3 Use parameters for buffer size, keep
Message'Last
As the buffer size is only known outside the specification, it is passed into the specification as a parameter (cf. #609).
Keep
Message
attributes, but allow references toMessage'Last
andMessage'Size
only in conditions towards FINAL (cf. #555).Message'First
can be used anywhere.O4 Change semantics in SPARK
Message'Last
represents the last bit of the last field (as in PyRFLX) and must only be used in size aspects for last fields (i.e., fields with a link to FINAL). In SPARK, this could be represented by adding a componentCtx.Written_Last
as proposed in #844.Allow references to
Message'Last
andMessage'Size
only in conditions towards FINAL (cf. #555).Message'First
can be used anywhere.+ Message size needs not to be known before writing message
O5 Change semantics in SPARK and forbid use of
Message
in size aspectsAs there is only one correct use of
Message
in a size aspect in O4, namely an expression that defines the field size as the message size minus the size of all previous fields, this special case could be as well represented by an opaque field without a size aspect.Allow references to
Message'Last
andMessage'Size
only in conditions towards FINAL (cf. #555).Message'First
can be used anywhere.+ Message size needs not to be known before writing message
+ Remove the need for an unnecessary size aspect
− Forgotten size aspects could be misinterpreted
O6 Change semantics in SPARK and allow opaque fields without size aspects
Same as O5, but allow explicit specification of size of opaque fields using
Message
for opaque fields without successor.Allow references to
Message'Last
andMessage'Size
only in conditions towards FINAL (cf. #555).Message'First
can be used anywhere.+ Message size needs not to be known before writing message
+ Remove the need for an unnecessary size aspect
− Forgotten size aspects could be misinterpreted
Decision Outcome
O3O6The text was updated successfully, but these errors were encountered: