Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Contract and harness for copy_to, copy_to_nonoverlapping, copy_from, and copy_from_nonoverlapping #149

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Contract and harness for copy_to, copy_to_nonoverlapping, copy_from, and copy_from_nonoverlapping #149

wants to merge 8 commits into from

Conversation

Dhvani-Kapadia
Copy link

@Dhvani-Kapadia Dhvani-Kapadia commented Nov 2, 2024
edited
Loading

Description

This PR includes contracts and proof harnesses for the four APIs copy_to, copy_to_nonoverlapping, copy_from, and copy_from_nonoverlapping which are part of the NonNull library in Rust.

Changes Overview:

Covered APIs:
NonNull::copy_to
NonNull::copy_to_nonoverlapping
NonNull::copy_from
NonNull::opy_from_nonoverlapping

Proof harness:
non_null_check_copy_to
non_null_check_copy_to_nonoverlapping
non_null_check_copy_from
non_null_check_copy_from_nonoverlapping,

Revalidation

To revalidate the verification results, run path_to/kani/scripts/kani verify-std -Z unstable-options "path/to/library" -Z function-contracts -Z mem-predicates --harness ptr::non_null::verify. This will run all four harnesses in the module. All default checks should pass:

SUMMARY:
** 0 of 141 failed

VERIFICATION:- SUCCESSFUL
Verification Time: 0.62114185s

Complete - 6 successfully verified harnesses, 0 failures, 6 total.

Resolves #53

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@Dhvani-Kapadia Dhvani-Kapadia requested a review from a team as a code owner November 2, 2024 19:32
celinval
celinval reviewed Nov 7, 2024
View reviewed changes
Copy link

@celinval celinval left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

library/core/src/ptr/non_null.rs Outdated Show resolved Hide resolved
library/core/src/ptr/non_null.rs Outdated Show resolved Hide resolved
library/core/src/ptr/non_null.rs Outdated Show resolved Hide resolved
library/core/src/ptr/non_null.rs Outdated Show resolved Hide resolved
library/core/src/ptr/non_null.rs Outdated Show resolved Hide resolved
library/core/src/ptr/non_null.rs Outdated Show resolved Hide resolved
library/core/src/ptr/non_null.rs Show resolved Hide resolved
qinheping
qinheping reviewed Nov 14, 2024
View reviewed changes
library/core/src/ptr/non_null.rs
Comment on lines +1000 to +1002
#[ensures(|result: &()| ub_checks::can_dereference(self.as_ptr() as *const u8)
&& ub_checks::can_dereference(dest.as_ptr() as *const u8))]
#[kani::modifies(dest.as_ptr())]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#[ensures(|result: &()| ub_checks::can_dereference(self.as_ptr() as *const u8)
&& ub_checks::can_dereference(dest.as_ptr() as *const u8))]
#[kani::modifies(dest.as_ptr())]
#[ensures(|result: &()| ub_checks::can_dereference(self.as_ptr() as *const u8)
&& ub_checks::can_dereference(dest.as_ptr() as *const u8))]
#[kani::modifies(dest.as_ptr())]

library/core/src/ptr/non_null.rs
#[kani::proof_for_contract(NonNull::<T>::copy_to)]
pub fn non_null_check_copy_to() {
// PointerGenerator instance
let mut generator = PointerGenerator::<16>::new();
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How the capacity of the generator affect the running time of the proof? Can we use the maximum capacity, e.g., isize::MAX / size_of::<i32>() here?

@Dhvani-Kapadia
Copy link
Author

This is my contract and harness for fn copy_to,I run into these two failed checks.could you please help me understand where I am going wrong?

#[requires(
        count.checked_mul(core::mem::size_of::<T>()).map_or(false, |size| size <= isize::MAX as usize) &&        
ub_checks::can_dereference(self.as_ptr()) &&
       (count == 0 || ub_checks::can_dereference(self.as_ptr().wrapping_add(count - 1))) &&  
       ub_checks::can_write(dest.as_ptr()) &&

        (count == 0 || ub_checks::can_write(dest.as_ptr().wrapping_add(count - 1))) &&

        kani::mem::same_allocation(self.as_ptr(), self.as_ptr().wrapping_add(count - 1)) &&

        kani::mem::same_allocation(dest.as_ptr(), dest.as_ptr().wrapping_add(count - 1))
    )]
    #[ensures(|_: &()| 
        ub_checks::can_dereference(self.as_ptr()) &&
        ub_checks::can_dereference(dest.as_ptr()))]
    #[kani::modifies(self.as_ptr(), dest.as_ptr())]
    pub const unsafe fn copy_to(self, dest: NonNull<T>, count: usize)
    where
        T: Sized,
    {
        // SAFETY: the caller must uphold the safety contract for `copy`.
        unsafe { ptr::copy(self.pointer, dest.as_ptr(), count) }
    }
 

#[kani::proof_for_contract(NonNull::<T>::copy_to)]
    pub fn non_null_check_copy_to() {
        // Generate arbitrary raw pointers for src and dest
        const SIZE: usize = mem::size_of::<i32>() * 100;
        let mut generator = PointerGenerator::<SIZE>::new();  
        let src_ptr: *mut i32 =  generator.any_in_bounds().ptr as *mut i32;
        let dest_ptr: *mut i32 =  generator.any_in_bounds().ptr as *mut i32;
        let src_nonnull = NonNull::new(src_ptr).unwrap();
        let dest_nonnull = NonNull::new(dest_ptr).unwrap();
        let max_count = SIZE / mem::size_of::<i32>();
        let count: usize = kani::any_where(|&x| x > 0 && x <= max_count);
        unsafe { src_nonnull.copy_to(dest_nonnull, count); }
            }
        }


check 39: memmove.assigns.2
	 - Status: FAILURE
	 - Description: "Check that array_replace((const void *)(char *)dest, ...) is allowed by the assigns clause"
	 - Location: <builtin-library-memmove>:34 in function memmove //ADD modifies clause

     Check 28: kani::mem::is_inbounds::<(), i32>.assertion.1
	 - Status: FAILURE
	 - Description: "Kani does not support reasoning about pointer to unallocated memory"
	 - Location: library/core/src/lib.rs:421:1 in function kani::mem::is_inbounds::<(), i32> ,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@celinval celinval Awaiting requested review from celinval

@qinheping qinheping Awaiting requested review from qinheping

At least 1 approving review is required to merge this pull request.

Assignees

@qinheping qinheping

@celinval celinval

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Challenge 6: Safety of NonNull
3 participants
@Dhvani-Kapadia @qinheping @celinval