Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

C data types (structs, unions, arrays) for Steel #2349

Closed
wants to merge 568 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
568 commits
Select commit Hold shift + click to select a range
49dac2f
Steel.C.Array -> Steel.C.Array.Base, except index and upd
tahina-pro Oct 23, 2021
49b166a
snap
tahina-pro Oct 23, 2021
6cc129a
Merge branch 'master' of github.com:FStarLang/FStar into john_ml_steel_c
tahina-pro Nov 10, 2021
328c599
Merge branch 'master' of github.com:FStarLang/FStar into john_ml_steel_c
tahina-pro Dec 7, 2021
d546af9
post-merge
tahina-pro Dec 7, 2021
9e5ef9b
Merge branch 'master' of github.com:FStarLang/FStar into john_ml_steel_c
tahina-pro Dec 7, 2021
4e93f48
"s vrefine (equals x)" as a "generic pts_to" pattern
tahina-pro Jan 14, 2022
b59399a
pts_to ~ vptr `vrefine` equals
tahina-pro Jan 15, 2022
24e4b98
vrefine_equals_injective
tahina-pro Jan 16, 2022
e7d9aa9
Merge branch 'taramana_steel_st' of github.com:FStarLang/FStar into j…
tahina-pro Jan 16, 2022
0f806f5
reset src/ocaml-output/FStar_Extraction_Kremlin.ml
tahina-pro Mar 29, 2022
d6e2a17
Merge commit '7dea970b4f3eb51a4881e5cb72e8d478d6f85797' into john_ml_…
tahina-pro Mar 29, 2022
46934d0
Merge branch 'master' of github.com:FStarLang/FStar into john_ml_steel_c
tahina-pro Mar 29, 2022
fc9f232
krml rename
tahina-pro Mar 29, 2022
a10cd37
post-merge
tahina-pro Mar 29, 2022
57d57f9
snap
tahina-pro Mar 29, 2022
817d255
rlimit
tahina-pro Mar 29, 2022
b3e7e61
Revert "snap"
tahina-pro Sep 2, 2022
cfee280
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Sep 2, 2022
3df5e66
post-merge
tahina-pro Sep 2, 2022
e003df9
snap
tahina-pro Sep 2, 2022
f6cde91
do not extract \*MST\* effect definitions
tahina-pro Sep 2, 2022
d5c2cea
Revert "snap"
tahina-pro Sep 3, 2022
1363725
remove base type, thanks to an invariant and indefinite description
tahina-pro Sep 3, 2022
b0e03e2
snap
tahina-pro Sep 3, 2022
69e35bb
Merge branch 'taramana_steel_c' into john_ml_steel_c
tahina-pro Sep 3, 2022
af07517
Revert "snap"
tahina-pro Oct 18, 2022
513636f
Merge branch 'master' of github.com:FStarLang/FStar into john_ml_steel_c
tahina-pro Oct 18, 2022
d141e88
snap
tahina-pro Oct 18, 2022
2d55a62
separate model modules
tahina-pro Oct 18, 2022
b76d680
fix examples
tahina-pro Oct 18, 2022
989ea24
rename struct fields
tahina-pro Oct 19, 2022
cfbd27f
renaming vs. id, compose
tahina-pro Oct 19, 2022
a00e4e6
substruct_field
tahina-pro Oct 20, 2022
8cf82c0
substruct_pts_to
tahina-pro Oct 21, 2022
e2faca5
g_addr_of_struct_field, ghost unaddr_of_struct_field
tahina-pro Oct 21, 2022
25338a3
arrays reloaded, generic on element pcm. join missing
tahina-pro Oct 22, 2022
e28d984
simplify g_split
tahina-pro Oct 22, 2022
d1393ee
join
tahina-pro Oct 22, 2022
47c281b
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Oct 22, 2022
d26506b
rlimit
tahina-pro Oct 24, 2022
b9e69da
Revert "snap"
tahina-pro Oct 24, 2022
2658a65
remove old unused case (pre struct literal refactoring)
tahina-pro Oct 24, 2022
096261c
snap
tahina-pro Oct 24, 2022
706999a
spec and impl for an integrated C type hierarchy: scalars and structs
tahina-pro Oct 27, 2022
a3836b7
re-enable extraction of PointStruct2 (CI failed anyway)
tahina-pro Oct 27, 2022
b7e1762
Revert "snap"
tahina-pro Oct 27, 2022
c658407
extract scalars and pointers
tahina-pro Oct 27, 2022
33ae7f2
test scalars and pointers
tahina-pro Oct 27, 2022
e556ec7
snap
tahina-pro Oct 27, 2022
cd60386
fix bundle
tahina-pro Oct 28, 2022
744182f
Revert "snap"
tahina-pro Oct 28, 2022
8354076
extract structs
tahina-pro Oct 28, 2022
3f93f7a
remove field pointer cast at extraction
tahina-pro Oct 28, 2022
c579dfa
snap
tahina-pro Oct 28, 2022
53e5874
make uninitialized fractionable
tahina-pro Oct 28, 2022
dc9002f
unions
tahina-pro Oct 29, 2022
5f4762d
weaken precond for scalar write
tahina-pro Oct 29, 2022
a56d7b2
lower universe for typedef
tahina-pro Oct 31, 2022
426a5f3
Merge branch '_taramana_steel_gmref' of github.com:FStarLang/FStar in…
tahina-pro Oct 31, 2022
cd3f716
post-merge: rlimit
tahina-pro Oct 31, 2022
a8163f0
type dictionary
tahina-pro Nov 1, 2022
0b0c0ce
Merge branch '_taramana_steel_gmref' of github.com:FStarLang/FStar in…
tahina-pro Nov 1, 2022
241bdd7
remove useless Ghost.erased
tahina-pro Nov 1, 2022
30c45ae
TypeDictionary fsti
tahina-pro Nov 1, 2022
bbe5953
Merge branch '_taramana_steel_top' of github.com:FStarLang/FStar into…
tahina-pro Nov 1, 2022
93a6890
top-level definition for the dictionary
tahina-pro Nov 1, 2022
b036669
model void*
tahina-pro Nov 1, 2022
210bc10
model is_null, alloc, free
tahina-pro Nov 1, 2022
7a88cf7
Revert "snap"
tahina-pro Nov 1, 2022
6056e05
extract alloc, free, is_null
tahina-pro Nov 1, 2022
858078b
snap
tahina-pro Nov 2, 2022
f3d6a93
linked lists with void*
tahina-pro Nov 1, 2022
546a6a7
stopgap measure to extract void* without krml support/branch
tahina-pro Nov 1, 2022
39200aa
precompute struct typename (halves F* verification memory consumption)
tahina-pro Nov 2, 2022
002b84f
Revert "snap"
tahina-pro Nov 2, 2022
db12af2
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Nov 2, 2022
8e242ba
snap
tahina-pro Nov 2, 2022
f97cfd2
move new array model to size_t
tahina-pro Nov 2, 2022
bf5979e
ref as array
tahina-pro Nov 2, 2022
76a1856
make array operations atomic
tahina-pro Nov 3, 2022
49b9ed0
all structs must have at least one field
tahina-pro Nov 3, 2022
1bf0a8b
generalize struct typedef
tahina-pro Nov 3, 2022
c28b7b2
pcm extensionality
tahina-pro Nov 3, 2022
90fa951
WIP arrays
tahina-pro Nov 9, 2022
f3726ec
Revert "snap"
tahina-pro Nov 10, 2022
d2472b6
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Nov 10, 2022
95a4eb3
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Nov 11, 2022
a38ae8e
snap
tahina-pro Nov 11, 2022
0614b08
Revert "snap"
tahina-pro Jan 11, 2023
d2240ae
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Jan 11, 2023
99909a6
move definition of vrefine_vrewrite_equals_intro into .fst
tahina-pro Jan 11, 2023
8169041
use EBufNull to extract null (from FStarLang/karamel#318)
tahina-pro Jan 12, 2023
4c2d979
snap
tahina-pro Jan 12, 2023
bce72d3
arraystructs examples still need `--compat_pre_typed_indexed_effects`
tahina-pro Jan 12, 2023
ba15cb0
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Jan 12, 2023
9991b7b
Merge branch 'taramana_steel_c' of github.com:FStarLang/FStar into ta…
tahina-pro Jan 12, 2023
dc6da53
bore holes
tahina-pro Jan 12, 2023
91af9fb
Revert "snap"
tahina-pro Feb 7, 2023
06701c9
Merge commit '238756b0d87cf9b22bede8ecd1498469261067f1' into taramana…
tahina-pro Feb 7, 2023
b3bd8ae
snap
tahina-pro Feb 7, 2023
7d5144b
Revert "remove base type, thanks to an invariant and indefinite descr…
tahina-pro Feb 13, 2023
6e055a3
Merge commit 'b0e03e2' into taramana_steel_c_no_inv
tahina-pro Feb 13, 2023
4accacb
Merge branch 'taramana_steel_c' into taramana_steel_c_no_inv
tahina-pro Feb 13, 2023
3b82def
post-merge
tahina-pro Feb 16, 2023
b6e1dec
add base type to arrays
tahina-pro Feb 16, 2023
ae2ac25
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Feb 16, 2023
d7ec819
move types and pure funs on Steel.C.Model.Ref to new Base module
tahina-pro Feb 17, 2023
02583cb
Steel.ST.C.Model.Ref
tahina-pro Feb 17, 2023
79c9feb
Steel.ST.HigherReference
tahina-pro Feb 17, 2023
b161d4d
upgrade GenElim to universe 1
tahina-pro Feb 17, 2023
a78ff9d
type dictionary no longer works
tahina-pro Feb 24, 2023
30c43d2
WIP
tahina-pro Feb 24, 2023
92a7f7e
upgrade GenElim to universe 1
tahina-pro Feb 17, 2023
32d0129
snap
tahina-pro Feb 24, 2023
017599c
Revert "snap"
tahina-pro Feb 24, 2023
c30d4b7
Merge branch '_taramana_dune_step_2' of github.com:FStarLang/FStar in…
tahina-pro Feb 24, 2023
2cde4e8
ocamlbuild snap
tahina-pro Feb 24, 2023
d4cbe65
dune snap
tahina-pro Feb 24, 2023
b52e145
remove ocamlbuild snapshot
tahina-pro Feb 24, 2023
df9072a
Merge branch 'taramana_gen_elim_u1' of github.com:FStarLang/FStar int…
tahina-pro Feb 24, 2023
330ef46
do not use `trivial`, which normalizes too much and blows up
tahina-pro Feb 25, 2023
99f2d51
snap
tahina-pro Feb 27, 2023
6273952
Merge branch 'taramana_gen_elim_u1' into _taramana_steel_c_inv_202302…
tahina-pro Feb 27, 2023
3445a74
WIP; solved gen_elim issue
tahina-pro Feb 25, 2023
0638457
returned squash needs explicit let binding
tahina-pro Feb 27, 2023
68a6174
explicit lemmas to reveal ghost_ref, ghost_pts_to
tahina-pro Feb 27, 2023
d6b9445
WIP
tahina-pro Feb 27, 2023
b535609
Steel.ST.GhostHigherReference
tahina-pro Feb 28, 2023
9523c0f
ghost_struct_field
tahina-pro Feb 28, 2023
8befbab
explicit lemmas to reveal ghost_ref, ghost_pts_to
tahina-pro Feb 27, 2023
82e4da6
Steel.ST.HigherReference
tahina-pro Feb 17, 2023
3988c65
Steel.ST.GhostHigherReference
tahina-pro Feb 28, 2023
d5a7608
Merge branch 'taramana_steel_st_higher_ref' of github.com:FStarLang/F…
tahina-pro Feb 28, 2023
083877d
make ref_focus Tot (it's a model anyway)
tahina-pro Feb 28, 2023
d773a16
structs and unions
tahina-pro Feb 28, 2023
fa82ba6
define arrays
tahina-pro Mar 2, 2023
849abfe
wip: need annotations on .fsti otherwise .fst fails to verify
tahina-pro Mar 2, 2023
e00be4a
arrays: split, join, share, gather
tahina-pro Mar 8, 2023
4360336
array_cell
tahina-pro Mar 9, 2023
5c360ff
solve last admits on arrays (except array_of_ref)
tahina-pro Mar 9, 2023
c3aec71
ununion_field
tahina-pro Mar 9, 2023
10a3a48
revert snap for FStar_Extraction_Krml.ml
tahina-pro Mar 9, 2023
f0e5440
Merge branch 'master' of github.com:FStarLang/FStar into _taramana_st…
tahina-pro Mar 9, 2023
e3f7ac4
snap
tahina-pro Mar 9, 2023
259957e
rlimit
tahina-pro Mar 10, 2023
3215e33
Steel vs. Steel.ST: Ref
tahina-pro Mar 10, 2023
7727837
frac
tahina-pro Mar 10, 2023
636bee7
opt
tahina-pro Mar 10, 2023
d5f4318
struct
tahina-pro Mar 10, 2023
6ba13bb
union
tahina-pro Mar 10, 2023
dde259f
array
tahina-pro Mar 10, 2023
c791688
Types
tahina-pro Mar 10, 2023
b9dc48d
enable smt_fallback
tahina-pro Mar 11, 2023
75bd0b7
start removing legacy StructLiteral
tahina-pro Mar 11, 2023
afcc8e5
convert PointStruct2
tahina-pro Mar 11, 2023
e0af7ad
(TEMP) disable extraction of arraystruct examples
tahina-pro Mar 11, 2023
ca34b82
(TEMP) disable LList
tahina-pro Mar 11, 2023
210af9d
Revert "(TEMP) disable LList"
tahina-pro Mar 13, 2023
ba7c73a
Revert "(TEMP) disable extraction of arraystruct examples"
tahina-pro Mar 13, 2023
f8b0910
Revert "snap"
tahina-pro Mar 13, 2023
7dee5c4
extraction: Steel.C.Types -> Steel.ST.C.Types, remove some opened args
tahina-pro Mar 13, 2023
ac51d95
snap
tahina-pro Mar 13, 2023
abf0403
disable extraction for old-style examples
tahina-pro Mar 13, 2023
92f44aa
Revert "snap"
tahina-pro Mar 13, 2023
ed28eca
full_not_unknown
tahina-pro Mar 13, 2023
b8b988e
extract unions
tahina-pro Mar 13, 2023
0a7e8fd
snap
tahina-pro Mar 13, 2023
83c19b4
port ScalarUnion example
tahina-pro Mar 13, 2023
3d326c3
some adjustments for structs and arrays
tahina-pro Mar 14, 2023
3b6d23e
port HaclExample (except array alloc)
tahina-pro Mar 14, 2023
68612ea
Revert "snap"
tahina-pro Mar 14, 2023
f58ea72
extract arrays
tahina-pro Mar 14, 2023
0c443ed
snap
tahina-pro Mar 14, 2023
9947816
split Steel.ST.C.Types into one module per C type construct
tahina-pro Mar 14, 2023
7699082
(TEMP) disable extraction of arraystruct examples
tahina-pro Mar 14, 2023
c6643f4
Revert "snap"
tahina-pro Mar 14, 2023
b6873af
move Steel.C extraction away, make FStar.Extraction.Krml "extensible"
tahina-pro Mar 15, 2023
5a0dff9
snap
tahina-pro Mar 15, 2023
fd608c6
compile my own F* for arraystruct examples
tahina-pro Mar 14, 2023
04fdc44
Revert "(TEMP) disable extraction of arraystruct examples"
tahina-pro Mar 14, 2023
5b2f139
update extraction of Steel.ST.C.Types primitives with base qualifiers
tahina-pro Mar 14, 2023
2010ec0
explicit registration needed?
tahina-pro Mar 14, 2023
9583954
my fstar.exe depends on main.ml
tahina-pro Mar 14, 2023
d4c3417
what if Karamel is not installed?
tahina-pro Mar 14, 2023
551125b
Revert "snap"
tahina-pro Mar 15, 2023
d04cad0
avoid `let _ =` in FStar.Extraction.Krml
tahina-pro Mar 15, 2023
bf9a3eb
snap
tahina-pro Mar 15, 2023
4352728
arrays can be null
tahina-pro Mar 15, 2023
9a56e34
array_is_null
tahina-pro Mar 15, 2023
9e3c618
array_alloc
tahina-pro Mar 15, 2023
fad847a
array_free
tahina-pro Mar 15, 2023
5df6e82
array_ptr_is_null
tahina-pro Mar 16, 2023
2cc789f
dfst -> inline_for_extraction array_ptr_of
tahina-pro Mar 16, 2023
ba6f3e4
extract array operations
tahina-pro Mar 16, 2023
81e08ef
restore array alloc example
tahina-pro Mar 16, 2023
8315ed1
support void*
tahina-pro Mar 17, 2023
b911669
extract ptr_gen, null_gen instead of ptr, null
tahina-pro Mar 17, 2023
db58eaa
restore LList example (with void*)
tahina-pro Mar 17, 2023
fc65b5d
rewrite pcm
tahina-pro Mar 17, 2023
14b16bf
rewrite typedefs
tahina-pro Mar 17, 2023
4e597d0
specify user structs
tahina-pro Mar 17, 2023
5474dc0
some positivity annotations, typedef-independent array_ptr_gen
tahina-pro Mar 18, 2023
1431ef1
extract user structs; array_ptr_gen instead of array_ptr
tahina-pro Mar 18, 2023
bf224f3
linked lists without void*
tahina-pro Mar 18, 2023
67023e5
has_ref_focus: generalize has_struct_field, etc. to any connections
tahina-pro Mar 20, 2023
8e5ca98
Struct.Aux: use generic focus_ref
tahina-pro Mar 20, 2023
45ede4b
use focus_ref with unions
tahina-pro Mar 20, 2023
696eedd
an interface for Model.Rewrite
tahina-pro Mar 21, 2023
56f9600
general C ref lemmas on connections
tahina-pro Mar 21, 2023
6796530
prove UserStruct
tahina-pro Mar 21, 2023
0d6bd30
Hacl example with user struct
tahina-pro Mar 21, 2023
79de29e
do not decay F* struct/union field types, universes
tahina-pro Mar 21, 2023
cb49c86
Revert "snap"
tahina-pro Mar 21, 2023
848eedc
snap
tahina-pro Mar 21, 2023
c59eff9
Revert "snap"
tahina-pro Mar 21, 2023
21822f4
Revert "snap"
tahina-pro Mar 21, 2023
0810aff
Revert "snap"
tahina-pro Mar 21, 2023
98a9491
Merge branch 'master' of github.com:FStarLang/FStar into taramana_ste…
tahina-pro Mar 21, 2023
1a8c308
snap
tahina-pro Mar 21, 2023
826100b
move slow .fst to examples
tahina-pro Mar 21, 2023
17e49ba
ignore branch for CI, already covered by PR
tahina-pro Mar 21, 2023
3ced567
Revert "snap"
tahina-pro Mar 28, 2023
58dca1b
Merge branch 'master' of github.com:FStarLang/FStar into john_ml_steel_c
tahina-pro Mar 28, 2023
e7259a5
snap
tahina-pro Mar 28, 2023
49c397f
Revert "pts_to ~ vptr `vrefine` equals"
tahina-pro Mar 28, 2023
b6d8d46
array_ref_shift_zero, array_ref_shift_assoc
tahina-pro Mar 28, 2023
eeb2d34
mk_fraction_seq_split_gen: allow empty sequences
tahina-pro Mar 28, 2023
df0d53e
ghost_pts_to_perm
tahina-pro Mar 29, 2023
6bd4d58
fractional permissions theorem
tahina-pro Mar 29, 2023
5f2b500
build and dynamically load a plugin instead of a custom fstar.exe
tahina-pro Apr 4, 2023
ca7a91f
Revert "snap"
tahina-pro Apr 10, 2023
28530a5
Merge branch 'master' of github.com:FStarLang/FStar into john_ml_steel_c
tahina-pro Apr 10, 2023
5c2ed8d
snap
tahina-pro Apr 10, 2023
f5fd0d4
do not extract Low* (except C._zero_for_deref)
tahina-pro Apr 10, 2023
4e0aabe
Karamel AST: add union and array types
tahina-pro Apr 12, 2023
a16763c
translate_type_without_decay; make C extraction modular
tahina-pro Apr 12, 2023
7ef4eab
use `let _ =`
tahina-pro Apr 12, 2023
38cef8c
snap
tahina-pro Apr 12, 2023
849368d
Revert "snap"
tahina-pro Apr 12, 2023
e68afb4
Merge branch 'taramana_modular_c_extraction' of github.com:FStarLang/…
tahina-pro Apr 12, 2023
f426c83
FStar.Extraction.Krml.init () no longer exists
tahina-pro Apr 12, 2023
d79793f
snap
tahina-pro Apr 12, 2023
57e1ab8
also make translate_let extensible
tahina-pro Apr 12, 2023
b012c90
Revert "snap"
tahina-pro Apr 12, 2023
17acd9e
snap
tahina-pro Apr 12, 2023
92b495c
Revert "snap"
tahina-pro Apr 12, 2023
e0a4da8
split off the Steel extraction rules
tahina-pro Apr 12, 2023
52183ff
snap
tahina-pro Apr 12, 2023
b52a9d1
Merge branch 'taramana_migrate_steel' of github.com:FStarLang/FStar i…
tahina-pro Apr 12, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/linux-x64.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ on:
push:
branches-ignore:
- _**
- john_ml_steel_c
pull_request:
workflow_dispatch:
inputs:
Expand Down
7 changes: 5 additions & 2 deletions examples/steel/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,10 @@ EXCLUDED_FSTAR_FILES=ParDivWP.fst Semantics.WP.fst $(wildcard DList*)
OTHERFLAGS+=--already_cached 'Prims FStar LowStar Steel NMST MST NMSTTotal MSTTotal' --compat_pre_typed_indexed_effects
FSTAR_FILES = DList1.fst $(filter-out $(EXCLUDED_FSTAR_FILES), $(wildcard *.fst))

all: verify-all counter llist2 llist3
all: verify-all counter llist2 llist3 arraystructs

arraystructs:
+$(MAKE) -C $@

$(CACHE_DIR):
mkdir -p $@
Expand Down Expand Up @@ -41,4 +44,4 @@ llist3:

endif

.PHONY: all verify-all counter llist2 llist3
.PHONY: all verify-all counter llist2 llist3 arraystructs
4 changes: 4 additions & 0 deletions examples/steel/arraystructs/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
*.h
*.c
*.krml
extract
131 changes: 131 additions & 0 deletions examples/steel/arraystructs/Basetypes.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
The Steel heap maps addresses to cells, and each cell holds both a value `v` and its type `a`:
```fst
noeq
type cell : Type u#(a + 1) =
| Ref : a:Type u#a ->
p:pcm a ->
frac:Frac.perm{ frac `Frac.lesser_equal_perm` Frac.full_perm } ->
v:a { frac == Frac.full_perm ==> p.refine v } ->
cell
```
If we would like to model references to substructures `w:b` of `v`
without having to add new constructors to `cell` specifically for structs and arrays,
it seems inevitable that the model will have to keep track of both the
type `b` of the substructure and the type `a` of its base object.
AggregateRef.fst defines a type of such references `ref a b`.
Because ref has to keep track of the type of its base object, code
that works with references has to carry around extra parameters.
The model runs into trouble when the number of references isn't known
statically; for example, if one wants to specify the contents of an array
of references, each with possibly different base objects.
Unfortunately it's not possible to solve this by hiding `a` behind
an existential, because that would increase `ref`'s universe level.

One idea could be to hide `a` inside a closure, exposing only a record of basic operations:
```fstar
let operations =
let r: ref a b = .. in {
read = (fun () -> .. r ..);
write = (fun () -> .. r ..);
}
```
This would work if we just wanted simply typed versions of `read` and `write`,
but there is no way to give dependently-typed specifications to these
functions without talking about the base object `a`.

Here are some ideas on how to resolve this:

### Hide `a` in a closure, then carry along proofs extrinsically

Construct a record `{read = .., write = ..}` hiding the base type `a`
and the raw `ref a b` inside closures, and give `read` and `write` simple types.
Return, with it, a proof of `exists a. read spec /\ write spec`.
This would allow the record to live in universe `0` (the record is
simply typed and the proof is squashed), so refs could safely be stored in the Steel heap.

However, giving the operations simple types means that they have to return some bogus
value (or be partial) on inputs which don't satisfy their preconditions;
this seems tricky, or maybe even impossible if the preconditions aren't decidable.

### Represent refs just as addresses

The heap stores the types and PCMs along with values.
Is it possible, then, to avoid storing those same types and PCMs inside the ref?
If so, we could store refs in the heap, and only mention base types/PCMs
in predicates like `pts_to`. Unfortunately, this doesn't seem possible
either, because the base type is needed to give a type to the lens.

### Store the lens in the heap

Can we treat a reference like an addressable stack-local and store
its lens in the heap? For example, if we start with
```
p `pts_to` {x, y}
```
and take a pointer to the first field of `{x, y}`, we get
```
(p `pts_to` {x, y}) `star`
(r `pts_to` {base_type & lens for field x of base_type})
r: Steel.Memory.ref _
```
This loses a lot of equalities. For example, if we take
a second pointer to the first field of `{x, y}` we get
```
(p `pts_to` {x, y}) `star`
(r `pts_to` {base_type & lens for field x of base_type})
(s `pts_to` {base_type & lens for field x of base_type})
r, s: Steel.Memory.ref _
```
If we would like to use the fact that `r` and `s` alias later on,
we need to use separation logic to prove that any code between then
and when the pointers were taken didn't modify either of the lenses.

### Store lenses along with base objects

Instead of just storing values v in the heap, store (v, [l1, .., ln])
where [l1, .., ln] are a (heterogenous) list of lenses into
v. Represent references as (addr, k) where k is an index into this
list. (This may not necessarily mean modifying Steel.Heap---it could
be possible to design a PCM to carry along these lists of lenses.)

This would fix the universe issue, but it's very complicated..
Also, in order to nicely support reasoning about aliasing, we would
want that the list of lenses not contain any duplicates; to maintain
that invariant, we'd need decidable equality on lenses, which isn't guaranteed.

### Give up on hiding the base object

Though the model in AggregateRef.fst is designed for writing C-like code,
the representation of a reference as a lens + Steel memory ref
suggests that there could be more high-level applications of references as well.
For example, it might be possible to construct a "reference" to a linked list
which allows viewing it as an ordinary F* list of its elements, or to
construct a "reference" to a u32 from the upper 16 bits of two other u32 references.
These things aren't possible with the current model because an AggregateRef.ref
contains only one Steel.Memory.ref, and therefore can only point to
one piece of memory; in order to support these fancy applications,
we'd need to allow an AggregateRef.ref to point to parts of multiple
different pieces at once.

We could address this and somewhat get around the base object issue by
representing references as a lens + a family of `Steel.Memory.ref`s
instead of just a single `Steel.Memory.ref`.
Then:
- It would be possible to write a function like
`ref u32 u16 -> ref u32 u16 -> ref (u32 & u32) u32`
to combine two refs for the upper 16 bits of two `u32`s into
a 32-bit ref
- It would be possible to write a function like
`cons: ref 'a 'c -> ref 'b (list 'c) -> ref ('a & 'b) (list 'c)`
to build up a "reference" to a linked list
- An array of pointers `t *a[n]` could be represented by a
`ref base_type_at (i:nat{i<n} -> ref (base_type_at i) t)`
For example, if I have two references `p: ref ('a1 * .. * 'am) 'c`
and `q: ref ('b1 * .. * 'bn) 'c` then an array containing `p` and `q`
could be represented by

```fstar
let base_type is_p =
if is_p then 'a1*..*'am else 'b1*..*'bn
in r: ref base_type (is_q:bool -> ref (base_type is_q) 'c)
```
145 changes: 145 additions & 0 deletions examples/steel/arraystructs/HaclExample.fst
Original file line number Diff line number Diff line change
@@ -0,0 +1,145 @@
module HaclExample

open Steel.C.Model.PCM
open Steel.C.Opt
open Steel.C.Model.Connection
open Steel.C.StructLiteral
open Steel.C.Typedef
open FStar.FunctionalExtensionality
open Steel.Effect
open Steel.Effect.Atomic
open Steel.C.Fields
open Steel.C.Opt
open Steel.C.Model.Ref
open Steel.C.Reference
open Steel.C.TypedefNorm
open Steel.C.Array

open FStar.FSet
open Steel.C.Typenat
open Steel.C.Typestring

module U64 = FStar.UInt64
module I = Steel.C.StdInt

(** In this file we demonstrate how Steel could be used to manipulate the following data type used in Hacl*:
https://github.com/project-everest/hacl-star/blob/master/code/poly1305/Hacl.Impl.Poly1305.fsti#L18
This Low* definition amounts to the struct definition
struct poly1305_ctx { uint64_t limbs[5]; uint64_t precomp[20]; };
and, with our new model of structs and arrays and pointer-to-field, can be expresesd directly in Steel.

See PointStruct.fst for more detailed explanations of the various definitions needed below.
*)

module T = FStar.Tactics

noextract inline_for_extraction
//[@@FStar.Tactics.Effect.postprocess_for_extraction_with(fun () ->
// T.norm [delta; iota; zeta_full; primops]; T.trefl ())]
let comp_tag = normalize (mk_string_t "HaclExample.comp")

module U32 = FStar.UInt32

#push-options "--z3rlimit 30 --fuel 30"
noextract inline_for_extraction let five' = normalize (nat_t_of_nat 5)
noextract inline_for_extraction let five: size_t_of five' = mk_size_t (U32.uint_to_t 5)
noextract inline_for_extraction let twenty' = normalize (nat_t_of_nat 20)
noextract inline_for_extraction let twenty: size_t_of twenty' = mk_size_t (U32.uint_to_t 20)
#pop-options

(** uint64_t[5] *)
[@@c_struct]
noextract inline_for_extraction
let five_u64s: typedef = array_typedef_sized U64.t five' five

(** uint64_t[20] *)
[@@c_struct]
noextract inline_for_extraction
let twenty_u64s: typedef = array_typedef_sized U64.t twenty' twenty

(** struct comp { uint64_t limbs[5]; uint64_t precomp[20]; }; *)

[@@c_struct]//;c_typedef]
noextract inline_for_extraction
let comp_fields: c_fields =
fields_cons "limbs" five_u64s (
fields_cons "precomp" twenty_u64s (
fields_nil))

noextract inline_for_extraction
let comp = struct comp_tag comp_fields

noextract inline_for_extraction
let comp_view = struct_view comp_tag comp_fields

noextract inline_for_extraction
let comp_pcm = struct_pcm comp_tag comp_fields

[@@c_typedef]
noextract inline_for_extraction
let c_comp: typedef = typedef_struct comp_tag comp_fields

let _ = norm norm_c_typedef (mk_c_struct comp_tag comp_fields)

(** To demonstrate how our model could be used, we write a simple
function that takes pointers to the limbs and precomp fields and
passes them to helper functions (which in this case simply set on
element of the corresponding array to zero) *)

let do_something_with_limbs
(a: array 'a U64.t)
: Steel unit
(varray a)
(fun _ -> varray a)
(requires fun _ -> length a == 5)
(ensures fun _ _ _ -> True)
= upd a (mk_size_t (U32.uint_to_t 2)) (U64.uint_to_t 0);
return ()

let do_something_with_precomp
(a: array 'a U64.t)
: Steel (array_or_null 'a U64.t)
(varray a)
(fun _ -> varray a)
(requires fun _ -> length a == 20)
(ensures fun _ _ _ -> True)
= upd a (mk_size_t (U32.uint_to_t 19)) (U64.uint_to_t 0);
return (null _ _)

let test_alloc_free
()
: SteelT unit
emp
(fun _ -> emp)
=
let a = malloc true (mk_size_t 42ul) in
if Steel.C.Array.is_null a
then begin
Steel.C.Array.elim_varray_or_null_none a
end else begin
Steel.C.Array.elim_varray_or_null_some a;
free a
end;
return ()

#push-options "--fuel 0 --print_universes --print_implicits --z3rlimit 30"

let test
(p: ref 'a comp comp_pcm)
: SteelT unit
(p `pts_to_view` comp_view emptyset)
(fun _ -> p `pts_to_view` comp_view emptyset)
= let q = addr_of_struct_field "limbs" p in
let a = intro_varray q () in
let r = addr_of_struct_field "precomp" p in
let b = intro_varray r () in
do_something_with_limbs a;
let _ = do_something_with_precomp b in
elim_varray q a ();
elim_varray r b ();
unaddr_of_struct_field "precomp" p r;
unaddr_of_struct_field "limbs" p q;
change_equal_slprop (p `pts_to_view` _) (p `pts_to_view` _);
return ()

#pop-options
Loading