Documentation: Limitations #714
Conversation
adpaco-aws
force-pushed
the
support-table
branch
from
1b78dc5 to
81c945f
Compare
rmc-docs/src/limitations.md
Outdated
| ### Not inlined standard library functions | ||
|
|
||
| At present, RMC is able to link in functions from the standard library but the | ||
| generated code will not contain them unless they are inlined. This results in |
There was a problem hiding this comment.
We should add that we support to generic functions and macros at this point. They get monomorphized / expanded during the compilation. BTW, I don't think we are running the rustc pass to inline functions.
There was a problem hiding this comment.
Not sure why you want to add it here. I think the table already includes this information and I'm not sure what it has to do with the standard library.
Removed "unless they are inlined" from this block.
There was a problem hiding this comment.
Sorry if I wasn't clear. I was talking about the "unless they are inlined". The correct would be "unless they are generic, intrinsics, inlined or macros." :)
| verification failures if the code under verification, for example, includes a | ||
| `println!` statement. | ||
|
|
||
| We have done some experiments to embed the standard library into the generated |
There was a problem hiding this comment.
Did we run these experiments before or after enabling the code slicing?
There was a problem hiding this comment.
If you refer to --drop-unused-functions, I tried both when doing these experiments. It reduced the generated code considerably, but still kept many other functions around which made this approach unfeasible.
There was a problem hiding this comment.
did your experiments include tests with println?
There was a problem hiding this comment.
Yes, in fact they just included println.
adpaco-aws
force-pushed
the
support-table
branch
from
81c945f to
cbe1e52
Compare
|
Thanks @celinval ! Updated the PR with some of your suggestions, let me know if you have other comments 😄 |
|
Forgot to mention stack unwinding - Added a new section on panic strategies just now. |
rmc-docs/src/limitations.md
Outdated
| statement when compiling any unsupported feature. This will cause proofs to fail | ||
| if the statement is reachable during the verification stage. However, the | ||
| analysis will not affected if the statement is not reachable from the code under | ||
| verification, so users can still verify components of their code not using |
There was a problem hiding this comment.
not using that do not use
(I think your phrasing is technically fine, it is just potentially ambiguous what 'not using' refers to (the code, not the verification) until you read after it in the sentence.)
(Hopefully not too nitpicky here, but it's public facing documentation, so I'm looking for these things)
There was a problem hiding this comment.
No worries, feedback regarding these subtleties is welcome too! It's changed now.
rmc-docs/src/limitations.md
Outdated
|
|
||
| While RMC is capable of generating code for SIMD instructions. Unfortunately, | ||
| CBMC does not provide support for some operations like vector comparison (e.g., | ||
| `simd_eq`) or shuffling (e.g., `simd_shuffle8`). |
There was a problem hiding this comment.
wait, I thought I added shuffle.
There was a problem hiding this comment.
Sorry, I thought this was not supported by CBMC but after reviewing related issues I see that you implemented shuffle operations in RMC. So I removed shuffling from here.
| issue](https://github.com/model-checking/rmc/issues/581), but we have some ideas | ||
| for future work in this direction. | ||
|
|
||
| ### Advanced features |
There was a problem hiding this comment.
I worry this section might be too vague. It might be a good idea to back-reference what we say in the table? (E.g. there's a lot of links from the table to here that seem to be about projections, and I think our goal is to have to solid by 1.0.)
I think over-technical would be better than vague. If this section answered for us "what would it take for us to remove this section from this doc because we know we support it now" I think that's be better than being vague.
There was a problem hiding this comment.
I was not sure how to make this more technical, so I highlighted some outstanding issues here.
Please let me know how it looks and if it does not look good to you we can work together on this section.
rmc-docs/src/limitations.md
Outdated
| As with all software, bugs may be found anywhere regardless of the level of support. In such cases, we | ||
| would greatly appreciate that you [filed a bug report](https://github.com/model-checking/rmc/issues/new?assignees=&labels=bug&template=bug_report.md). | ||
|
|
||
| Reference | Feature | Support | Observations | |
There was a problem hiding this comment.
Would "Remarks" or "Notes" be more suitable than "Observations"?
There was a problem hiding this comment.
Replaced with "Notes".
rmc-docs/src/limitations.md
Outdated
|
|
||
| ### Code generation for unsupported features | ||
|
|
||
| RMC aims to be a industrial verification tool. Most industrial crates may |
There was a problem hiding this comment.
| RMC aims to be a industrial verification tool. Most industrial crates may | |
| RMC aims to be an industrial verification tool. Most industrial crates may |
Not sure I like the word "industrial", but can't think of an alternative.
There was a problem hiding this comment.
Done, let me know if you think of another word (I don't like it that much neither).
There was a problem hiding this comment.
One possibility (I don't feel strongly about it either): RMC is intended to be used on real-world Rust code. Most real-world crates ...
rmc-docs/src/limitations.md
Outdated
|
|
||
| RMC aims to be a industrial verification tool. Most industrial crates may | ||
| include unsupported features in parts of their code that do not need to be | ||
| verified. In general, this should not prevent users from verifying their code. |
There was a problem hiding this comment.
| verified. In general, this should not prevent users from verifying their code. | |
| verified. In general, this should not prevent users from using RMC to verify their code. |
| include unsupported features in parts of their code that do not need to be | ||
| verified. In general, this should not prevent users from verifying their code. | ||
|
|
||
| Because of that, the general rule is that RMC generates an `assert(false)` |
There was a problem hiding this comment.
Technically, it generates assert(false) followed by assume(false). I think this piece of detail is worth mentioning since it may cause some asserts to become unreachable, and hence vacuously pass.
There was a problem hiding this comment.
Alright, added both and included a short sentence to explain what they do. Let me know how it looks to you.
rmc-docs/src/limitations.md
Outdated
| verified. In general, this should not prevent users from verifying their code. | ||
|
|
||
| Because of that, the general rule is that RMC generates an `assert(false)` | ||
| statement when compiling any unsupported feature. This will cause proofs to fail |
There was a problem hiding this comment.
| statement when compiling any unsupported feature. This will cause proofs to fail | |
| statement when compiling any unsupported feature. This will cause verification to fail |
| verification, so users can still verify components of their code not using | ||
| unsupported features. | ||
|
|
||
| ### Assembly |
There was a problem hiding this comment.
I think the official term is "Inline Assembly".
There was a problem hiding this comment.
There are two options in Rust for adding assembly code: Inline and global. Note that below we link an issue for each of them, so I thought "Assembly" was a good name for this section.
rmc-docs/src/limitations.md
Outdated
|
|
||
| ### Concurrency | ||
|
|
||
| Concurrent features are out of scope for RMC. In general, the verification of |
There was a problem hiding this comment.
Should we add "currently"?
| Concurrent features are out of scope for RMC. In general, the verification of | |
| Concurrent features are currently out of scope for RMC. In general, the verification of |
rmc-docs/src/limitations.md
Outdated
| concurrent programs continues to be an open research problem where most tools | ||
| that analyze concurrent code lack support for other features. Because of this, | ||
| RMC emits a warning whenever it encounters concurrent code and compiles as if it | ||
| was sequential code. |
There was a problem hiding this comment.
Does RMC pick some order for execution of the concurrent code? If so, we should point out that this may lead to RMC missing bugs that may occur with a different execution order.
There was a problem hiding this comment.
AFAIK it assumes all code to be sequential. I think there are some CBMC options for concurrent code verification but we do not make use of them at the moment.
rmc-docs/src/limitations.md
Outdated
| ### Standard library functions | ||
|
|
||
| At present, RMC is able to link in functions from the standard library but the | ||
| generated code will not contain them. This results in verification failures if |
There was a problem hiding this comment.
but the generated code will not contain them
This sentence a bit vague. Can we clarify it? Does RMC generate these functions with an empty body?
There was a problem hiding this comment.
Added a sentence to mention these are treated in a similar way to unsupported features. Let me know what you think!
rmc-docs/src/limitations.md
Outdated
| ### Standard library functions | ||
|
|
||
| At present, RMC is able to link in functions from the standard library but the | ||
| generated code will not contain them unless they generic, intrinsics, inlined or |
There was a problem hiding this comment.
| generated code will not contain them unless they generic, intrinsics, inlined or | |
| generated code will not contain them unless they are generic, intrinsics, inlined or |
rmc-docs/src/limitations.md
Outdated
| #### Atomics | ||
|
|
||
| All atomic intrinsics are compiled as an atomic block where the operation is | ||
| performed. But as noted in [Notes - Concurrency](#concurrency), CBMC |
There was a problem hiding this comment.
Should we replace the two occurrences of CBMC in this section by RMC?
* Initial version of support table * Define support values for table * Add intrinsics table and other content * Observations on stdlib * Address Celina's comments * More comments * Add section on panic strategies * Address more comments * Minor comments
* Initial version of support table * Define support values for table * Add intrinsics table and other content * Observations on stdlib * Address Celina's comments * More comments * Add section on panic strategies * Address more comments * Minor comments
* Initial version of support table * Define support values for table * Add intrinsics table and other content * Observations on stdlib * Address Celina's comments * More comments * Add section on panic strategies * Address more comments * Minor comments
* Initial version of support table * Define support values for table * Add intrinsics table and other content * Observations on stdlib * Address Celina's comments * More comments * Add section on panic strategies * Address more comments * Minor comments
Description of changes:
No changes to RMC. Adds a new section "Limitations" to documentation in order to summarize the current status in regards to Rust feature support using a table.
Preview here
Call-outs:
Open as draft so I can get some feedback.
Testing:
How is this change tested? Running remote server for documentation.
Is this a refactor change? No.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.