Challenge 11: Safety of Methods for Numeric Primitive Types #59
Comments
carolynzech
changed the title
feliperodri
changed the title
|
Hello! We are CMU Team 2 and will be working on this challenge :) Our team:
|
|
Hello, this is Team 2 :) We have a question regarding how to write proofs. Per Part 1 of the challenge, we will need to write proofs for unchecked_* methods. We referred to other harnesses in the repo and found that all of them use the
Thank you for any guidance and clarifications! @rahulku @feliperodri |
|
@Yenyun035 Good question! We recommend writing contracts and applying them directly to the functions. So, close to what you have for option 1, but omitting the wrapper. For example: // your contracts go here!
pub const unsafe fn unchecked_add(self, rhs: Self) -> Self { ... }You can then go ahead and write harnesses for the methods directly, e.g. #[kani::proof_for_contract(i8::unchecked_add)]
fn harness() {...}It seems like you have a good handle on how contracts work, but if you are looking for more resources, we recommend looking at the contracts section of our tutorial. |
|
@carolynzech Appreciate it for your response! I just tried to add contracts and write a corresponding harness as you stated. However, I encountered this error: How could this be resolved? |
@Yenyun035 Ensure that you're running Kani from the |
|
@carolynzech Hello! Recently our team has been writing proofs for
What could be the reason? @Yenyun035 and @lanfeima seemed to be using the same toolchain version (nightly-09-08). |
@Yenyun035 It could be because you're running on different machines--different architectures can perhaps produce different checks. Could you check which versions of Kani and CBMC you're using? |
|
@Yenyun035 - Mac Pro M1; Kani 0.55.0 and CBMC 6.3.1. |
|
Hi @carolynzech , Our very trivial speculation right now for this is the machine architecture and amount of cpu cores / RAM that is allowed by the system for the verifier to utilize, which in turn could have made cbmc perform lesser checks to accommodate the respective proofs. To test this out, we are planning to create a Ubuntu docker image with all modules pre installed and run it on different architectures to see if we obtain different results. But if you think we are missing something, or if you have faced a similar kind of issue prior to this with other proofs, please advice. Thanks! Versions :
|
|
@rajathkotyal I suspect that this is just caused by architecture differences. As long as you're all running the same versions of Kani and CBMC (and the same harnesses), I wouldn't worry about the different number of checks. I'd recommend focusing on writing other harnesses or contracts for now. |
Towards #59 * Added contracts for `unchecked_add` (located in `library/core/src/num/int_macros.rs` and `uint_macros.rs`) * Added a harness for `unchecked_add` of each integer type * `i8`, `i16`, `i32`, `i64`, `i128`, `isize`, `u8`, `u16`, `u32`, `u64`, `u128`, `usize` --- 12 harnesses in total. --------- Co-authored-by: yew005 <yew005@ucsd.edu> Co-authored-by: Rajath Kotyal <53811196+rajathkotyal@users.noreply.github.com> Co-authored-by: rajathmCMU <rajathkotyal@gmail.com>
…ed_shl` and `unchecked_shr` (#96) Towards : issue #59 Parent branch : [c-0011-core-nums-yenyunw-unsafe-ints](https://github.com/rajathkotyal/verify-rust-std/tree/c-0011-core-nums-yenyunw-unsafe-ints ) - Tracking PR #91 --------- Co-authored-by: yew005 <yew005@ucsd.edu> Co-authored-by: MWDZ <jinjunfeng721@gmail.com> Co-authored-by: Lanfei Ma <99311320+lanfeima@users.noreply.github.com> Co-authored-by: Yenyun035 <yenyunw@andrew.cmu.edu>
Towards #59 ### Changes * Added contracts for `unchecked_neg` (located in `library/core/src/num/int_macros.rs`) * Added a harness for `unchecked_neg` of each signed integer type * `i8`, `i16`, `i32`, `i64`, `i128`, `isize` --- 6 harnesses in total. * Fixed comments. ### Revalidation 1. Per the discussion in #59, we have to **build and run Kani from `feature/verify-rust-std` branch**. 2. To revalidate the verification results, run the following command. `<harness_to_run>` can be either `num::verify` to run all harnesses or `num::verify::<harness_name>` (e.g. `check_unchecked_neg_i8`) to run a specific harness. ``` kani verify-std "path/to/library" \ --harness <harness_to_run> \ -Z unstable-options \ -Z function-contracts \ -Z mem-predicates ``` All default harnesses should pass. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. --------- Co-authored-by: yew005 <yew005@ucsd.edu> Co-authored-by: Rajath Kotyal <53811196+rajathkotyal@users.noreply.github.com> Co-authored-by: rajathmCMU <rajathkotyal@gmail.com>
Towards : issue #59 Parent branch : main Revalidation : Per the discussion in #59, we have to build and run Kani from feature/verify-rust-std branch. To revalidate the verification results, run the following command. <harness_to_run> can be either num::verify to run all harnesses or num::verify::<harness_name> (e.g. widening_mul_u16_small) to run a specific harness. ``` kani verify-std "path/to/library" \ --harness <harness_to_run> \ -Z unstable-options \ -Z function-contracts \ -Z mem-predicates ```
Towards #59 ### Changes * Added contracts for `wrapping_shl` (located in `library/core/src/num/int_macros.rs` and `uint_macros.rs`) * Added a macro for generating wrapping_{shl, shr} harnesses * Added harnesses for `wrapping_shl` of each integer type * `i8`, `i16`, `i32`, `i64`, `i128`, `isize`, `u8`, `u16`, `u32`, `u64`, `u128`, `usize` --- 12 harnesses in total. ### Revalidation 1. Per the discussion in #59, we have to **build and run Kani from `feature/verify-rust-std` branch**. 2. To revalidate the verification results, run the following command. `<harness_to_run>` can be either `num::verify` to run all harnesses or `num::verify::<harness_name>` (e.g. `checked_wrapping_shl_i8`) to run a specific harness. ``` kani verify-std "path/to/library" \ --harness <harness_to_run> \ -Z unstable-options \ -Z function-contracts \ -Z mem-predicates ``` All harnesses should pass the default checks (1251 checks where 1 unreachable). ``` SUMMARY: ** 0 of 1251 failed (1 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 2.4682913s Complete - 1 successfully verified harnesses, 0 failures, 1 total. ``` Example of the unreachable check: ``` Check 123: num::<impl i8>::wrapping_shl.assertion.1 - Status: UNREACHABLE - Description: "attempt to subtract with overflow" - Location: library/core/src/num/int_macros.rs:2172:42 in function num::<impl i8>::wrapping_shl ``` ### Questions 1. Should we add `requires` (and `ensures`) for `wrapping_shl` given that `unchecked_shl` already has a `requires`? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.
Towards #59 Changes Added contracts for wrapping_shr (located in library/core/src/num/int_macros.rs and uint_macros.rs) Added harnesses for wrapping_shr of each integer type i8, i16, i32, i64, i128, isize, u8, u16, u32, u64, u128, usize --- 12 harnesses in total. Revalidation Per the discussion in #59, we have to build and run Kani from feature/verify-rust-std branch. To revalidate the verification results, run the following command. <harness_to_run> can be either num::verify to run all harnesses or num::verify::<harness_name> (e.g. checked_wrapping_shl_i8) to run a specific harness. ``` kani verify-std "path/to/library" \ --harness <harness_to_run> \ -Z unstable-options \ -Z function-contracts \ -Z mem-predicates ``` All harnesses should pass the default checks (1251 checks where 1 unreachable). ``` SUMMARY: ** 0 of 161 failed (1 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 0.32086188s Complete - 12 successfully verified harnesses, 0 failures, 12 total. ``` Example of the unreachable check: ``` Check 9: num::<impl i8>::wrapping_shr.assertion.1 - Status: UNREACHABLE - Description: "attempt to subtract with overflow" - Location: library/core/src/num/int_macros.rs:2199:42 in function num::<impl i8>::wrapping_shr ``` --------- Co-authored-by: Yenyun035 <yew005eng@gmail.com>
|
Hi @carolynzech @celinval @feliperodri @zhassan-aws When I was testing my harness for
20 macro_rules! impl_float_to_int {
21 ($Float:ty => $($Int:ty),+) => {
22 #[unstable(feature = "convert_float_to_int", issue = "67057")]
23 impl private::Sealed for $Float {}
24 $(
25 #[unstable(feature = "convert_float_to_int", issue = "67057")]
26 impl FloatToInt<$Int> for $Float {
27 #[inline]
28 unsafe fn to_int_unchecked(self) -> $Int {
29 // SAFETY: the safety contract must be upheld by the caller.
30 unsafe { crate::intrinsics::float_to_int_unchecked(self) }
31 }
32 }
33 )+
34 }
35 }Test harness: #[kani::proof_for_contract(f32::to_int_unchecked)]
pub fn checked_to_int_unchecked_f32() {
let num1: f32 = kani::any::<f32>();
let result = unsafe { num1.to_int_unchecked::<i32>() };
assert_eq!(result, num1 as i32);
}Contracts added to /// # Safety
///
/// The value must:
///
/// * Not be `NaN`
/// * Not be infinite
/// * Be representable in the return type `Int`, after truncating off its fractional part
/// ...
#[requires(!self.is_nan() && !self.is_infinite())]
#[requires(self >= Self::MIN && self <= Self::MAX)]
pub unsafe fn to_int_unchecked<Int>(self) -> Int
where
Self: FloatToInt<Int>,
{ ... }Thank you very much! |
## Towards: Issue #59 ### Parent branch: main --- ### Changes - Added macros for generating `carrying_mul` harnesses - Added harnesses for `carrying_mul` for the following integer types: - `u8`, `u16`, `u32`, `u64` --------- Co-authored-by: yew005 <yew005@ucsd.edu> Co-authored-by: MWDZ <jinjunfeng721@gmail.com> Co-authored-by: Yenyun035 <yenyunw@andrew.cmu.edu> Co-authored-by: Rajath <rajathkotyal@gmail.com> Co-authored-by: Rajath Kotyal <53811196+rajathkotyal@users.noreply.github.com>
Link to challenge: https://model-checking.github.io/verify-rust-std/challenges/0011-floats-ints.html
The text was updated successfully, but these errors were encountered: