Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid logic in s2n tls proof #2169

Open
sauclovian-g opened this issue Dec 20, 2024 · 2 comments
Open

Invalid logic in s2n tls proof #2169

sauclovian-g opened this issue Dec 20, 2024 · 2 comments
Labels
tech debt Issues that document or involve technical debt test assets Issues involving test programs or other test assets tooling: CI Issues involving CI/CD scripts or processes type: bug Issues reporting bugs or unexpected/unwanted behavior
Milestone

Comments

@sauclovian-g
Copy link
Contributor

handshake_io_lowlevel.saw in the s2n tls proofs contains the following:

// Ghost state that represents the number of times the connection write socket
// has been corked/uncorked. 
corked <- crucible_declare_ghost_state "corked";
crucible_ghost_value corked {{ 0 : [2] }};

This is invalid because crucible_ghost_value is an action in the LLVMSetup monad and it's being attempted in the TopLevel monad.

This was silently accepted and ignored by SAW until now (see #2162); it now generates a warning. This will eventually become an error, and it will need to be fixed because (in addition to being generic tech debt) it will break the CI runs.

(There also might be other similar issues later in the build.)

This is a blocker for #2167.

@sauclovian-g sauclovian-g added type: bug Issues reporting bugs or unexpected/unwanted behavior tech debt Issues that document or involve technical debt tooling: CI Issues involving CI/CD scripts or processes test assets Issues involving test programs or other test assets labels Dec 20, 2024
@sauclovian-g sauclovian-g added this to the 2025T1 milestone Dec 20, 2024
@RyanGlScott
Copy link
Contributor

For reference, here is the corresponding part of the s2n code.

If I understand correctly, the fact that the s2n proof currently succeeds means that we can just remove the crucible_ghost_value corked {{ 0 : [2] }}; and things will continue to work? That would match my understanding, given that all of the relevant specifications are careful to initialize the corked ghost value anyway (e.g., here).

@sauclovian-g
Copy link
Contributor Author

Yes. (The only other thing this might in principle do is constrain the ghost variable's type, but we don't check those statically so it has no effect that way either.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
tech debt Issues that document or involve technical debt test assets Issues involving test programs or other test assets tooling: CI Issues involving CI/CD scripts or processes type: bug Issues reporting bugs or unexpected/unwanted behavior
Projects
None yet
Development

No branches or pull requests

2 participants