
Length of frames (coq-http2 issue, closed)

liyishuai commented on August 17, 2024
Length of frames

from coq-http2.

Comments (14)

liyishuai commented on August 17, 2024

I think 16M is a reasonable constant limit here. The static bound-checking tells if the frame can be valid in any context, and the runtime checking decides whether this frame is valid under current context.

liyishuai commented on August 17, 2024

Does Coq have a bounded integer library? I'm a bit reluctant to depend on external packages.

lastland commented on August 17, 2024

One way to encode bounded integers in Coq is using subset types {n: nat | n < ... }. Then by using Program Definition, etc., you can reuse most of the functions provided by nat, with obligations to prove that if the result is also a bounded integer, it is within the bound.

However, many people would suggest reconsidering the options before using that because reasoning about dependent types (for example, when doing unification, etc.) in Coq can be painful...

liyishuai commented on August 17, 2024

Also, considering that SETTINGS_MAX_FRAME_SIZE can go up to 16M, we should use binary numbers rather than nat in most cases.

favonia commented on August 17, 2024

I think that Sigma type encoding {nat | ...} should work, even if not the best solution.

Re: 16M: maybe we can also define 16K and 16M to be some large enough unknown constants.

liyishuai commented on August 17, 2024

SETTINGS_MAX_FRAME_SIZE varies during runtime. Is this a reason against limiting the frame size at type level? A frame cannot be guaranteed to be valid at compile time at all.

favonia commented on August 17, 2024

Well, our client or server can always fix the bound to exactly 16384, the default value.

lastland commented on August 17, 2024

If we treat SETTINGS_MAX_FRAME_SIZE as an opaque value, it should not matter how big it is, right? Or am I missing something?

lastland commented on August 17, 2024

But anyway, I do not have a strong opinion on this. If you decided to use the binary format N, remember to check out peano_ind...

favonia commented on August 17, 2024

> If we treat SETTINGS_MAX_FRAME_SIZE as an opaque value, it should not matter how big it is, right? Or am I missing something?

I believe that is the case. We only have to make sure proper bound-checking is enforced with respect to some "reasonable" constants.

liyishuai commented on August 17, 2024

This value can be modified by SETTINGS frames. I don't think it's proper to make it opaque.
I'm somehow ambitious to make this library general enough to reason about all implementations rather than ours.

lastland commented on August 17, 2024

You will want to say something like, for all values we can give to the settings, some properties hold. And reasoning about the setting should not rely on it being a particular value. Therefore, the values of settings remain abstract all the time and there is no concrete number that we need to worry about.

I am not suggesting to keep using nat though, I just don't think this should be the reason behind the decision.

lastland commented on August 17, 2024

And although I have heard a lot of arguments against using sigma types, I would actually be interested to see how they would play out here...

liyishuai commented on August 17, 2024

> You will want to say something like, for all values we can give to the settings, some properties hold.

To be concrete, what would a running checker look like?

from coq-http2.
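
One way to make the closing question concrete, as an added example that is not part of the thread and not coq-http2 code: the static 24-bit bound is carried in a sigma type over binary `N`, while the runtime limit is an ordinary argument that the lemmas quantify over. All definition names are hypothetical; the 2^14 to 2^24 - 1 range for SETTINGS_MAX_FRAME_SIZE is taken from the HTTP/2 specification (RFC 7540, section 6.5.2).

```coq
(* Added illustration, not coq-http2 code; every name here is hypothetical. *)
From Coq Require Import NArith.
Open Scope N_scope.

(* Static bound: the length field is 24 bits wide, so lengths are < 2^24. *)
Definition length_limit : N := 2 ^ 24.

(* Sigma-type encoding over binary N rather than nat. *)
Definition FrameLength : Type := { n : N | n < length_limit }.

(* Legal values of SETTINGS_MAX_FRAME_SIZE: 2^14 (the default) to 2^24 - 1. *)
Definition valid_setting (m : N) : Prop := 2 ^ 14 <= m /\ m < length_limit.

(* Static check at parse time: yields a proof-carrying length or rejects. *)
Definition parse_length (n : N) : option FrameLength :=
  match n <? length_limit as b
        return ((n <? length_limit) = b -> option FrameLength) with
  | true => fun H =>
      Some (exist (fun k => k < length_limit) n
                  (proj1 (N.ltb_lt n length_limit) H))
  | false => fun _ => None
  end eq_refl.

(* Runtime check: the current setting is an ordinary argument. *)
Definition check_length (max_frame_size : N) (len : FrameLength) : bool :=
  proj1_sig len <=? max_frame_size.

(* Holds for every setting value, so no concrete number is fixed. *)
Lemma check_length_sound : forall m len,
  check_length m len = true <-> proj1_sig len <= m.
Proof. intros m len. unfold check_length. exact (N.leb_le _ _). Qed.

(* Any length allowed by a legal setting already meets the static bound. *)
Lemma setting_within_static_bound : forall m n,
  valid_setting m -> n <= m -> n < length_limit.
Proof.
  unfold valid_setting. intros m n [_ Hm] Hn.
  exact (N.le_lt_trans _ _ _ Hn Hm).
Qed.

(* The checker runs: 16385 fits the wire format but exceeds the default. *)
Example default_rejects_16385 :
  option_map (check_length 16384) (parse_length 16385) = Some false.
Proof. reflexivity. Qed.
```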
