Skip to content

Revive the JS verification #365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
giltho wants to merge 14 commits into
base: master
Choose a base branch
from
Open

Revive the JS verification #365

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
de8ecec
lemmas
Nov 3, 2025
fad0e46
correction
Nov 3, 2025
ea3dcf7
recovering Gillian-C
Nov 3, 2025
6d98c37
lots of changes
Nov 4, 2025
e09e7a6
stopping
Nov 4, 2025
dee5de0
well now this kinda works for main MM
Nov 5, 2025
819aff3
pmap correction
Nov 5, 2025
d6dd69e
additional print
Nov 5, 2025
95bda1b
soundness corrections
Nov 5, 2025
d26f3f6
cleanup
Nov 5, 2025
b533884
pass the state to recover!
giltho Nov 9, 2025
7075c63
recover the tactic
giltho Nov 9, 2025
230a706
Domain_add with reduction
N1ark Nov 12, 2025
d4dbe58
Better JS `get_domainset`
N1ark Nov 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion Gillian-JS/Examples/Amazon/AmazonLogic.jsil
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@ lemma ObjectTableAbsentProperty(l, PVPairs, prop)
((#l, #prop) -> none) *
empty_fields(#l : -u- (#pSet, -{ #prop }-))
]]
[* *]

(* Removing a property from a list of prop-value pairs *)
pred RemoveProp(+PVPairs : List, +prop : Str, found : Bool, value : Str, newPairs : List) :
Expand Down
216 changes: 117 additions & 99 deletions Gillian-JS/Examples/Amazon/EncryptionHeaderLogic.gil
View file
Open in desktop

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion Gillian-JS/Examples/Amazon/ListLogic.gil
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,7 @@ lemma ListToSetAddElement(lst, set, element)
ListToSet(l+ (#lst, {{ #element }}), -u- (#set, -{ #element }-))
]]
[*
unfold ListToSet(#lst, #element);
unfold ListToSet(#lst, #set);
if (!(#lst == {{ }})) then {
sep_assert ((#lst == l+ ({{ #fProp }}, #restLst))) [bind: #fProp, #restLst];
sep_assert (ListToSet(#restLst, #restSet)) [bind: #restSet];
Expand Down
13 changes: 0 additions & 13 deletions Gillian-JS/Examples/Amazon/deserialize_factory.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,6 @@ function readElements(elementCount, fieldsPerElement, buffer, readPos) {
[bind: #doneEl, #innerLoopReadPos, #fLeft, #remElList, #remElLength, #doneElList, #doneElLength] */
while (fieldCount--) {
/* @tactic
unfold innerLoopInvariantFacts(#definition, #remElsList, #view, #innerLoopReadPos, #fLeft, #remElList, #eLength, #remElsLength, #doneElLength, #remElLength);
if (#definition = "Complete") then {
unfold CElement(#view, #innerLoopReadPos, #fLeft, #remElList, #remElLength)
} else {
Expand Down Expand Up @@ -809,19 +808,7 @@ function deserializeMessageHeader(messageBuffer) {

var suiteId = dataView.getUint16(2, false) // big endian
/* Precondition: suiteId must match supported algorithm suite */
/*
@tactic
if (#definition = "Complete") then {
unfold CAlgorithmSuite(#suiteId, #stringId, #headerIvLength, #tagLength)
}
*/
needs(AlgorithmSuiteIdentifier[suiteId], 'Malformed Header: Unsupported algorithm suite.')
/*
@tactic
if (#definition = "Complete") then {
fold CAlgorithmSuite(#suiteId, #stringId, #headerIvLength, #tagLength)
}
*/
var messageId = messageBuffer.slice(4, 20)
var contextLength = dataView.getUint16(20, false) // big endian

Expand Down
4 changes: 2 additions & 2 deletions Gillian-JS/runtime/JSLogic/ArrayBuffer.jsil
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ nounfold pred ArrayBuffer (+ab:Obj, data:List) :
((#md, "@extensible") -> true) * (* Array buffers are extensible *)
((#md, "@ArrayBufferData") -> data) * (* Array buffer contents *)
((#md, "@ArrayBufferByteLength") -> #len_data) * (* Array buffer length *)
(#len_data == l-len data) *
((as_int #len_data) == l-len data) *

(* No other internal properties *)
empty_fields (#md : -{ "@class", "@extensible", "@proto", "@ArrayBufferData", "@ArrayBufferByteLength" }-);
Expand Down Expand Up @@ -44,7 +44,7 @@ nounfold pred ArrayBufferPrototype (proto) :

axiomatic spec ABP_byteLength (xsc, vthis)
[[ (vthis == #vthis) * ArrayBuffer(#vthis, #data) ]]
[[ ArrayBuffer(#vthis, #data) * (ret == l-len #data) ]]
[[ ArrayBuffer(#vthis, #data) * (ret == (l-len #data)) ]]
normal

axiomatic spec ABP_slice (xsc, vthis, start, end)
Expand Down
64 changes: 35 additions & 29 deletions Gillian-JS/runtime/JSLogic/ByteLogic.gil
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,47 +7,53 @@
****************************************)

(* Interpretation: one byte as an unsigned 8-bit integer *)
pure pred rawToUInt8(+bytes:List, x:Int) :
pure pred rawToUInt8(+bytes:List, x:Num) :
(bytes == {{ #b0 }}) * (x == #b0) *
(0i i<=# #b0) * (#b0 i<# 256i);

pure pred rawToUInt8JS(+bytes:List, n:Num) :
rawToUInt8(bytes, #x) * (n == (as_num #x));
(0 <=# #b0) * (#b0 <# 256.) *
(is_int #b0);

(* Interpretation: two bytes as an unsigned 16-bit integer *)
@nopath
pure pred rawToUInt16(+bytes:List, +littleEndian:Bool, x:Int) :
pure pred rawToUInt16(+bytes:List, +littleEndian:Bool, x:Num) :
(littleEndian == false) *
(bytes == {{ #b0, #b1 }}) *
(0i i<=# #b0) * (#b0 i<# 256i) *
(0i i<=# #b1) * (#b1 i<# 256i) *
(x == (#b0 i* 256i) i+ #b1),
(0. <=# #b0) * (#b0 <# 256.) *
(0. <=# #b1) * (#b1 <# 256.) *
(x == (#b0 * 256.) + #b1) *
(is_int #b0) *
(is_int #b1),
(littleEndian == true) *
(bytes == {{ #b0, #b1 }}) *
(0i i<=# #b0) * (#b0 i<# 256i) *
(0i i<=# #b1) * (#b1 i<# 256i) *
(x == (#b1 i* 256i) i+ #b0);

pure pred rawToUInt16JS(+bytes:List, +littleEndian:Bool, n:Num) :
rawToUInt16(bytes, littleEndian, #x) * (n == (as_num #x));
(0. <=# #b0) * (#b0 <# 256.) *
(0. <=# #b1) * (#b1 <# 256.) *
(x == (#b1 * 256.) + #b0) *
(is_int #b0) *
(is_int #b1);
facts: (is_int x);

(* Interpretation: four bytes as an unsigned 32-bit integer *)
@nopath
pure pred rawToUInt32(+bytes:List, +littleEndian:Bool, x:Int) :
pure pred rawToUInt32(+bytes:List, +littleEndian:Bool, x:Num) :
(littleEndian == false) *
(bytes == {{ #b0, #b1, #b2, #b3 }}) *
(0i i<=# #b0) * (#b0 i<# 256i) *
(0i i<=# #b1) * (#b1 i<# 256i) *
(0i i<=# #b2) * (#b2 i<# 256i) *
(0i i<=# #b3) * (#b3 i<# 256i) *
(x == (#b0 i* 16777216i) i+ (#b1 i* 65536i) i+ (#b2 i* 256i) i+ #b3),
(0. <=# #b0) * (#b0 <# 256.) *
(0. <=# #b1) * (#b1 <# 256.) *
(0. <=# #b2) * (#b2 <# 256.) *
(0. <=# #b3) * (#b3 <# 256.) *
(x == (#b0 * 16777216.) + (#b1 * 65536.) + (#b2 * 256.) + #b3) *
(is_int #b0) *
(is_int #b1) *
(is_int #b2) *
(is_int #b3),
(littleEndian == true) *
(bytes == {{ #b0, #b1, #b2, #b3 }}) *
(0i i<=# #b0) * (#b0 i<# 256i) *
(0i i<=# #b1) * (#b1 i<# 256i) *
(0i i<=# #b2) * (#b2 i<# 256i) *
(0i i<=# #b3) * (#b3 i<# 256i) *
(x == (#b3 i* 16777216i) i+ (#b2 i* 65536i) i+ (#b1 i* 256i) i+ #b0);

pure pred rawToUInt32JS(+bytes:List, +littleEndian:Bool, n:Num) :
rawToUInt32(bytes, littleEndian, #x) * (n == (as_num #x));
(0. <=# #b0) * (#b0 <# 256.) *
(0. <=# #b1) * (#b1 <# 256.) *
(0. <=# #b2) * (#b2 <# 256.) *
(0. <=# #b3) * (#b3 <# 256.) *
(x == (#b3 * 16777216.) + (#b2 * 65536.) + (#b1 * 256.) + #b0) *
(is_int #b0) *
(is_int #b1) *
(is_int #b2) *
(is_int #b3);
facts: (is_int x);
22 changes: 11 additions & 11 deletions Gillian-JS/runtime/JSLogic/DataView.jsil
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,47 +116,47 @@ axiomatic spec DVP_byteOffset (xsc, vthis)
axiomatic spec DVP_getUint8 (xsc, vthis, byteOffset)
[[ (vthis == #vthis) * (byteOffset == #byteOffset) *
DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(0 <=# byteOffset) * (#elementSize == 1) * (#byteOffset + #elementSize <=# #viewSize) *
(0 <=# byteOffset) * (#elementSize == 1.) * (#byteOffset + #elementSize <=# #viewSize) *
(#view == l-sub(#data, #viewOffset, #viewSize)) ]]
[[ DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(#raw == l-sub (#view, #byteOffset, #elementSize)) *
rawToUInt8JS(#raw, ret) ]]
rawToUInt8(#raw, ret) ]]
normal

axiomatic spec DVP_getUint16 (xsc, vthis, byteOffset, littleEndian)
[[ (vthis == #vthis) * (byteOffset == #byteOffset) * (littleEndian == undefined) *
DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(0 <=# byteOffset) * (#elementSize == 2) * (#byteOffset + #elementSize <=# #viewSize) *
(0 <=# byteOffset) * (#elementSize == 2.) * (#byteOffset + #elementSize <=# #viewSize) *
(#view == l-sub(#data, #viewOffset, #viewSize)) ]]
[[ DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(#raw == l-sub (#view, #byteOffset, #elementSize)) *
rawToUInt16JS(#raw, false, ret) ]]
rawToUInt16(#raw, false, ret) ]]
normal;

[[ (vthis == #vthis) * (byteOffset == #byteOffset) * (littleEndian == #littleEndian) *
DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(0 <=# byteOffset) * (#elementSize == 2) * (#byteOffset + #elementSize <=# #viewSize) *
(0 <=# byteOffset) * (#elementSize == 2.) * (#byteOffset + #elementSize <=# #viewSize) *
(#view == l-sub(#data, #viewOffset, #viewSize)) ]]
[[ DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(#raw== l-sub (#view, #byteOffset, #elementSize)) *
rawToUInt16JS(#raw, #littleEndian, ret) ]]
(#raw == l-sub (#view, #byteOffset, #elementSize)) *
rawToUInt16(#raw, #littleEndian, ret) ]]
normal

axiomatic spec DVP_getUint32 (xsc, vthis, byteOffset, littleEndian)
[[ (vthis == #vthis) * (byteOffset == #byteOffset) * (littleEndian == undefined) *
DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(0 <=# byteOffset) * (#elementSize == 4) * (#byteOffset + #elementSize <=# #viewSize) *
(0 <=# byteOffset) * (#elementSize == 4.) * (#byteOffset + #elementSize <=# #viewSize) *
(#view == l-sub(#data, #viewOffset, #viewSize)) ]]
[[ DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(#raw == l-sub (#view, #byteOffset, #elementSize)) *
rawToUInt32JS(#raw, false, ret) ]]
rawToUInt32(#raw, false, ret) ]]
normal;

[[ (vthis == #vthis) * (byteOffset == #byteOffset) * (littleEndian == #littleEndian) *
DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(0 <=# byteOffset) * (#elementSize == 4) * (#byteOffset + #elementSize <=# #viewSize) *
(0 <=# byteOffset) * (#elementSize == 4.) * (#byteOffset + #elementSize <=# #viewSize) *
(#view == l-sub(#data, #viewOffset, #viewSize)) ]]
[[ DataView(#vthis, #buffer, #viewOffset, #viewSize) * ArrayBuffer(#buffer, #data) *
(#raw == l-sub (#view, #byteOffset, #elementSize)) *
rawToUInt32JS(#raw, #littleEndian, ret) ]]
rawToUInt32(#raw, #littleEndian, ret) ]]
normal
33 changes: 18 additions & 15 deletions GillianCore/engine/Abstraction/PState.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -587,22 +587,24 @@ module Make (State : SState.S) :
(* This will not do anything in the original pass,
but will do precisely what is needed in the re-establishment *)
let vars_to_forget = SS.inter state_lvars (SS.of_list lvar_binders) in
if vars_to_forget <> SS.empty then (
let oblivion_subst = fresh_subst vars_to_forget in
L.verbose (fun m ->
m "Forget @[%a@] with subst: %a"
Fmt.(iter ~sep:comma SS.iter string)
vars_to_forget SVal.SESubst.pp oblivion_subst);

(* TODO: THIS SUBST IN PLACE MUST NOT BRANCH *)
let subst_in_place =
substitution_in_place ~subst_all:true oblivion_subst astate
in
assert (List.length subst_in_place = 1);
let astate = List.hd subst_in_place in
let astate =
if vars_to_forget <> SS.empty then (
let oblivion_subst = fresh_subst vars_to_forget in
L.verbose (fun m ->
m "Forget @[%a@] with subst: %a"
Fmt.(iter ~sep:comma SS.iter string)
vars_to_forget SVal.SESubst.pp oblivion_subst);

(* TODO: THIS SUBST IN PLACE MUST NOT BRANCH *)
let subst_in_place =
substitution_in_place ~subst_all:true oblivion_subst astate
in
assert (List.length subst_in_place = 1);
let astate = List.hd subst_in_place in

L.verbose (fun m -> m "State after substitution:@\n@[%a@]\n" pp astate))
else ();
L.verbose (fun m -> m "State after substitution:@\n@[%a@]\n" pp astate);
astate)
else astate in
let mp =
match mp with
| Error asrts ->
Expand All @@ -628,6 +630,7 @@ module Make (State : SState.S) :
let open Res_list.Syntax in
let open Syntaxes.List in
let** new_state, subst', _ =
L.verbose (fun m -> m "State before matching:@\n@[%a@]\n" pp astate);
let+ result = SMatcher.match_ astate subst mp Invariant in
match result with
| Ok state -> Ok state
Expand Down
4 changes: 2 additions & 2 deletions GillianCore/engine/Abstraction/Verifier.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -623,7 +623,7 @@ struct
match test.flag with
| Some _ ->
let msg = "Verifying one spec of procedure " ^ test.name ^ "... " in
L.tmi (fun fmt -> fmt "%s" msg);
L.normal (fun fmt -> fmt "%s" msg);
Fmt.pr "%s@?" msg;
(* Reset coverage for every procedure in verification *)
{ prog with coverage = Hashtbl.create 1 }
Expand Down Expand Up @@ -656,7 +656,7 @@ struct
else Ok () (* It's already correct *)
| Some proof -> (
let msg = "Verifying lemma " ^ test.name ^ "... " in
L.tmi (fun fmt -> fmt "%s" msg);
L.normal (fun fmt -> fmt "%s" msg);
Fmt.pr "%s@?" msg;
let lemma_evaluation_results =
SAInterpreter.evaluate_lcmds prog proof state
Expand Down
Loading