Verify safety of slice functions (Challenge 17)#540
Open
jrey8343 wants to merge 2 commits intomodel-checking:mainfrom
Open
Verify safety of slice functions (Challenge 17)#540jrey8343 wants to merge 2 commits intomodel-checking:mainfrom
jrey8343 wants to merge 2 commits intomodel-checking:mainfrom
Conversation
Add contracts and proof harnesses for 34 slice functions covering: - Chunk operations (first_chunk, last_chunk, as_chunks, as_rchunks, as_flattened) - Unsafe accessors (get_unchecked, swap_unchecked, split_at_unchecked) - Safe wrappers with pointer ops (copy_from_slice, swap_with_slice, copy_within) - Complex functions (reverse, rotate_left/right, binary_search_by, partition_dedup_by, as_simd) - Disjoint mutable access (get_disjoint_mut, get_disjoint_unchecked_mut) Contracts added to: swap_unchecked, as_chunks_unchecked, as_chunks_unchecked_mut, split_at_unchecked, split_at_mut_unchecked. All 37 new harnesses verified with Kani 0.65.0.
Author
|
CI is passing — ready for review. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds 37 Kani verification harnesses proving the safety of all unsafe operations in
library/core/src/slice/mod.rs, covering all 37 functions listed in Challenge 17. Also adds#[requires]safety contracts to 5 unsafe functions (the remaining 2 unsafe functions,align_to/align_to_mut, had pre-existing contracts and harnesses).Unsafe function contracts added
swap_unchecked#[requires(a < self.len() && b < self.len())]as_chunks_unchecked#[requires(N != 0 && self.len() % N == 0)]as_chunks_unchecked_mut#[requires(N != 0 && self.len() % N == 0)]split_at_unchecked#[requires(mid <= self.len())]split_at_mut_unchecked#[requires(mid <= self.len())]Functions verified
first_chunkcheck_first_chunkfirst_chunk_mutcheck_first_chunk_mutsplit_first_chunkcheck_split_first_chunksplit_at_uncheckedsplit_first_chunk_mutcheck_split_first_chunk_mutsplit_at_unchecked(mut)split_last_chunkcheck_split_last_chunksplit_at_uncheckedsplit_last_chunk_mutcheck_split_last_chunk_mutsplit_at_unchecked(mut)last_chunkcheck_last_chunklast_chunk_mutcheck_last_chunk_mutas_chunkscheck_as_chunksas_chunks_unchecked+split_at_uncheckedas_chunks_mutcheck_as_chunks_mutas_chunks_unchecked_mut+split_at_mut_uncheckedas_rchunkscheck_as_rchunksas_chunks_unchecked+split_at_uncheckedas_rchunks_mutcheck_as_rchunks_mutas_chunks_unchecked_mut+split_at_mut_uncheckedas_flattenedcheck_as_flattenedfrom_raw_partswithunchecked_mulas_flattened_mutcheck_as_flattened_mutfrom_raw_parts_mutwithunchecked_mulswap_uncheckedcheck_swap_uncheckedget_unchecked+ptr::swapas_chunks_uncheckedcheck_as_chunks_uncheckedfrom_raw_partspointer castas_chunks_unchecked_mutcheck_as_chunks_unchecked_mutfrom_raw_parts_mutpointer castsplit_at_uncheckedcheck_split_at_uncheckedget_unchecked+get_unchecked_mutsplit_at_mut_uncheckedcheck_split_at_mut_uncheckedsplit_at_mut_uncheckedget_unchecked(usize)check_get_unchecked_usizeSliceIndex::get_uncheckedget_unchecked_mut(usize)check_get_unchecked_mut_usizeSliceIndex::get_unchecked(mut)get_unchecked(Range)check_get_unchecked_rangeSliceIndex::get_uncheckedget_unchecked_mut(Range)check_get_unchecked_mut_rangeSliceIndex::get_unchecked(mut)get_disjoint_unchecked_mutcheck_get_disjoint_unchecked_mutget_unchecked_mutcallssplit_at_checkedcheck_split_at_checkedsplit_at_uncheckedsplit_at_mut_checkedcheck_split_at_mut_checkedsplit_at_mut_uncheckedcopy_from_slicecheck_copy_from_sliceptr::copy_nonoverlappingswap_with_slicecheck_swap_with_sliceptr::swap_nonoverlappingcopy_withincheck_copy_withinptr::copyget_disjoint_mutcheck_get_disjoint_mutget_disjoint_unchecked_mutget_disjoint_check_validcheck_get_disjoint_check_validrotate_leftcheck_rotate_leftrotate::ptr_rotaterotate_rightcheck_rotate_rightrotate::ptr_rotatebinary_search_bycheck_binary_search_byget_uncheckedin binary search looppartition_dedup_bycheck_partition_dedup_byptr::read,ptr::copy_nonoverlapping,ptr::writeas_simdcheck_as_simdalign_to+from_raw_partsas_simd_mutcheck_as_simd_mutalign_to_mut+from_raw_parts_mutreversecheck_reverseptr::read,ptr::copy_nonoverlapping,ptr::writealign_toalign_to_mutVerification approach
kani::slice::any_slice_of_arraywith small backing arrays (4-8 elements), proving all pointer casts and unchecked splits are in bounds.#[kani::proof_for_contract]harnesses foras_chunks_unchecked,as_chunks_unchecked_mut,split_at_unchecked,split_at_mut_unchecked. Plain#[kani::proof]forswap_unchecked(CBMC assigns clause interference with memmove builtins).usizeandRange<usize>index types, with symbolic indices constrained to valid bounds.ptr_rotatestub (CBMC-intractableBufType = [usize; 32]stack buffer).swap_nonoverlappingstub (CBMC-intractable byte-level swapping with symbolic lengths).#[kani::unwind(8)].f32arrays verifying SIMD alignment and casting.All 37 new harnesses verified locally (45 total including 8 pre-existing harnesses).
Test plan
kani verify-stdusing-Z loop-contracts --cbmc-args --object-bits 12rustfmt