fix: Remove uses of :|
#618
Changes from 5 commits
@@ -16,6 +16,7 @@ module RequiredEncryptionContextCMM { | |
import UTF8 | ||
import Types = AwsCryptographyMaterialProvidersTypes | ||
import Seq | ||
import SortedSets | ||
|
||
class RequiredEncryptionContextCMM | ||
extends CMM.VerifiableInterface | ||
|
@@ -52,16 +53,7 @@ module RequiredEncryptionContextCMM { | |
ensures Modifies == { History } + underlyingCMM.Modifies | ||
{ | ||
var keySet := inputKeys; | ||
var keySeq := []; | ||
while keySet != {} | ||
invariant |keySeq| + |keySet| == |inputKeys| | ||
invariant forall k <- keySeq | ||
:: k in inputKeys | ||
{ | ||
var key :| key in keySet; | ||
keySeq := keySeq + [key]; | ||
keySet := keySet - {key}; | ||
} | ||
var keySeq := SortedSets.ComputeSetToSequence(keySet); | ||
Similarly here, I think that we could see the diff more clearly as invariant by writing it this way.

```dafny
var keySeq := SortedSets.ComputeSetToSequence(inputKeys);
assert |keySeq| == |inputKeys|;
assert forall k <- keySeq :: k in inputKeys;
```
||
|
||
underlyingCMM := inputCMM; | ||
requiredEncryptionContextKeys := keySeq; | ||
|
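Review bot: with the loop removed, the two facts its invariants carried (`|keySeq| + |keySet| == |inputKeys|` and `forall k <- keySeq :: k in inputKeys`) are no longer stated anywhere in this hunk, so whether `requiredEncryptionContextKeys := keySeq` still holds every input key now rests entirely on the postcondition of `SortedSets.ComputeSetToSequence`; restating them as assertions after the call would keep the proof obligation visible in the diff. The `var keySet := inputKeys;` context line is also now a single-use alias and can be dropped by passing `inputKeys` directly. Worth noting in the PR description: the old `key :| key in keySet` picked keys in an unspecified order, so if the order of `requiredEncryptionContextKeys` is observable to callers, the new deterministic sequence is a (benign but real) behaviour change.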
@@ -9,6 +9,7 @@ module CanonicalEncryptionContext { | |
import Types = AwsCryptographyMaterialProvidersTypes | ||
import opened Wrappers | ||
import Seq | ||
import SortedSets | ||
|
||
//= aws-encryption-sdk-specification/framework/raw-aes-keyring.md#onencrypt | ||
//# The keyring MUST attempt to serialize the [encryption materials'] | ||
|
@@ -25,7 +26,7 @@ module CanonicalEncryptionContext { | |
{ | ||
:- Need(|encryptionContext| < UINT16_LIMIT, | ||
Types.AwsCryptographicMaterialProvidersException( message := "Encryption Context is too large" )); | ||
var keys := SetToOrderedSequence(encryptionContext.Keys, UInt.UInt8Less); | ||
var keys := SortedSets.ComputeSetToOrderedSequence2(encryptionContext.Keys, UInt.UInt8Less); | ||
Comment on lines -28 to +29: Looking at
||
|
||
if |keys| == 0 then | ||
Success([]) | ||
|
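Review bot: the replacement on the `var keys :=` line needs `SortedSets.ComputeSetToOrderedSequence2` to carry at least the contract the old `SetToOrderedSequence` had (`requires Trichotomous(less) && Transitive(less)`, `ensures |s| == |q|`, `ensures forall i :: 0 <= i < |q| ==> q[i] in s`) plus the ordering guarantee, since the canonical encryption context serialization is only canonical if the key order is fully determined by `UInt.UInt8Less`; please confirm the postconditions line up so the `|keys| == 0` branch and the serialization that follows still verify against the same facts as before.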
These testing changes look fine.
@@ -335,7 +335,7 @@ module StandardLibrary { | |
* The function is compilable, but will not exhibit enviable performance. | ||
*/ | ||
|
||
function method {:tailrecursion} SetToOrderedSequence<T(!new,==)>(s: set<seq<T>>, less: (T, T) -> bool): (q: seq<seq<T>>) | ||
function SetToOrderedSequence<T(!new,==)>(s: set<seq<T>>, less: (T, T) -> bool): (q: seq<seq<T>>) | ||
This will be breaking for consumers of the MPL, since you're changing it from compiled to ghost, but there are compiled references to it already, e.g. https://github.com/aws/aws-database-encryption-sdk-dynamodb/blob/main/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy#L1091 Are you relying on assuming we can replace all such references with

Ah, I removed internal compiled references to it but didn't realize it was part of the exported API. I suspect we should be able to replace them all, though it's possible there are complexities I'm not thinking of.

I think the two instances in that file are the only place it's used in a compiled context, and I think it can be replaced by the

While we can logically replace them, we cannot assume that the code on our customers' computers will, i.e.: our customers will still have references to the old version, and rely on the references being provided by the MPL. Unless both of the references in the DB-ESDK, and any references in the ESDK, are only in ghost code and have ALWAYS been only in ghost code.

@atomb Could you make this a

Actually I don't think you have to change this anyway, I don't get an error when I do Since this

Oh, you are indeed correct. I've changed it back.
||
requires Trichotomous(less) && Transitive(less) | ||
ensures |s| == |q| | ||
ensures forall i :: 0 <= i < |q| ==> q[i] in s | ||
|
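Review bot: dropping `method` from `function method {:tailrecursion} SetToOrderedSequence` makes it a ghost function under the Dafny 3 syntax this file uses, which removes a compiled symbol from the library; any compiled call site outside this repository breaks at link time rather than at verification time, so this should stay `function method` (or keep a compiled wrapper with the same name and contract) until every compiled caller is confirmed gone. The `{:tailrecursion}` attribute was dropped in the same edit; if the function stays compiled, keep it, since the comment above the signature already warns that the function "will not exhibit enviable performance" and the attribute is what makes Dafny compile the recursion as a loop.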
Slight nit, adjusting the verification makes it a little hard to verify the lack of change :)
This way would have made it clear that the only actual change was to change the invariant to use the ghost value, and that everything else was additions.
Good point. Those changes are an artifact of attempting to reduce brittleness, before I realized that it was actually missing information leading to failure here. They're not necessary, and I'd be happy to undo them.