New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add #[verifier(unforgeable)] attribute for #[proof] structs #15
Conversation
This does seem like a useful primitive to support. In the past, we've used a similar notion for things like "the file system" or "the trace of network operations". When adding features like this, I think it would be a good idea to include some example uses in a file in |
there's an example in |
Do you mean |
There aren't any ways to create a (useful) user-defined untrusted Regarding documentation, is there a document for mode-related rules & decisions? This kind of thing should go there. |
It seems like it would be useful for users to create their own (trusted) tokens, so that they don't have to cobble together a solution as we've done a number of times in Dafny for things like the contents of the file system, IO operations, or for LTS. |
I've imported Chris' modes doc from the old wiki into docs/design, where I've suggested we keep track of design decisions and motivations: https://github.com/secure-foundations/verus/tree/main/source/docs/design Another file here may be good, if examples are insufficient. In the fullness of time we'll probably need a manual, but probably not a priority yet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test harness changes look good to me (@Chris-Hawblitzel asked me to take a look at those).
I think it would be useful; the tokens we made for the verified cache were very ad hoc and as we only have the one example (using the ghost token methodology) I think we don't yet have a clear idea of the trusted-yet-principled way to structure the token definitions in conjunction with the model of the external system. Anyway, this PR is mostly meant to be a technical detail so we can build the more advanced stuff later, so I'm going to go ahead and merge it. |
There are - fundamentally - two different kinds of "proof" objects. One kind is basically like a normal struct, except that it gets erased. With such types, you build up a "struct" of smaller proof objects.
The other kind is the "base" objects that represent permissions or some other fancy thing, e.g.,
Permission
. To make it easier to handle this second type, I added an attribute#[verifier(unforgeable)]
to declare such types.The rules:
unforgeable
datatype must beproof
.unforgeable
datatype can only havespec
fields.unforgeable
datatype (inproof
mode)unforgeable
datatype.Here, I add the attribute, implement these rules, and add tests. Although, it doesn't look like there is any support at all for field updates yet, so there was nothing to do for the last step.