Problem Description
When attempting to stub a function with a verified function contract using kani::stub_verified, a compilation error occurs if the function's return value is a pointer.
Example
The following code is executed using kani 0.56.0 and command kani -Zfunction-contracts <filename>
```rust
// This function contract performs no meaningful checks.
// Its sole purpose is to enable stubbing of the `get_same_ptr` function.
#[kani::requires(true)]
#[kani::ensures(|result| true)]
fn get_same_ptr(ptr: *const u8) -> *const u8 {
    ptr
}

fn test_func() {
    let s: &str = "123";
    let ptr: *const u8 = s.as_ptr();
    get_same_ptr(ptr);
}

#[kani::proof]
#[kani::stub_verified(get_same_ptr)]
fn check_test_func() {
    test_func();
}
```
Running this code generates the following error:
```text
error: `*const u8` doesn't implement `kani::Arbitrary`.
  --> /Users/xsxsz/github_repos/kani/library/kani/src/lib.rs:52:1
   |
52 | kani_core::kani_lib!(kani);
   | ^^^^^^^^^^^^^^^^^^^^^^^^^^
   |
   = help: All objects in the modifies clause must implement the Arbitrary. The return type must also implement the Arbitrary trait if you are checking recursion or using verified stub.
   = note: this error originates in the macro `kani_core::kani_intrinsics` which comes from the expansion of the macro `kani_core::kani_lib` (in Nightly builds, run with -Z macro-backtrace for more info)

error: aborting due to 1 previous error
```
Possible Cause of the Issue
According to Kani's blog post, the issue can be explained as follows: When stubbing a function with its contracts, Kani performs these steps:
1. Convert preconditions into an assert!() clause.
2. Define a kani::any() variable to represent the output.
3. Constrain the output range using kani::assume() based on the postconditions.

In this case, the Arbitrary trait (required by kani::any) is not implemented for pointers; this makes sense, as generating a random pointer without a memory allocation context is pointless. As a result, Step 2 causes compilation errors. Is there any workaround for stubbing functions with pointer return values?
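The three steps above, written out as a plain-Rust model so the failure mode is visible without Kani; this is an added illustration, not Kani's own code, and `Arbitrary`, `any` and `stub_verified` below are local mocks that only mirror the names Kani uses.

```rust
/// Stand-in for `kani::Arbitrary`: a type whose value the checker may pick freely.
pub trait Arbitrary: Sized {
    fn any() -> Self;
}

// Integers have an impl; the mock returns a fixed value in place of a symbolic one.
impl Arbitrary for usize {
    fn any() -> Self {
        42 // constructed stand-in for "any usize"
    }
}
// There is deliberately no `impl Arbitrary for *const u8`: a raw pointer chosen
// without an allocation context would be meaningless, which is exactly why the
// real `kani::stub_verified` rejects pointer return types.

/// Model of the body Kani substitutes for a function stubbed by its contract.
pub fn stub_verified<T: Arbitrary>(requires: bool, ensures: impl Fn(&T) -> bool) -> T {
    // Step 1: the precondition becomes an assertion at the call site.
    assert!(requires, "precondition violated");
    // Step 2: the result is an arbitrary value, so `T: Arbitrary` is mandatory.
    let result = T::any();
    // Step 3: `kani::assume` would prune executions violating the postcondition;
    // in this runnable model the same condition is simply checked.
    assert!(ensures(&result), "postcondition cannot be assumed");
    result
}

/// Integer-returning variant of `get_same_ptr` (hypothetical name): stubbing it
/// compiles because `usize: Arbitrary`.
pub fn stubbed_ptr_to_addr(ptr: *const u8) -> usize {
    stub_verified(!ptr.is_null(), |addr: &usize| *addr != 0)
}

// The pointer-returning original from the report has no such path: the line
// below does not compile, because `*const u8: Arbitrary` is unsatisfied.
// pub fn stubbed_get_same_ptr(_ptr: *const u8) -> *const u8 {
//     stub_verified::<*const u8>(true, |_| true)
// }
```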
@feliperodri Hi Felipe, this is the issue we discussed in today's meeting. It's currently blocking our efforts to verify functions using function contracts for pointer arithmetic operations.
…p` (#212)
Resolves: #76
### Changes
* Adds proofs for the following functions using raw pointer operations:
  * `Vec::swap_remove`
  * `Option::as_slice`
  * `VecDeque::swap`
  * ideally the usages should have been verified by stubbing the contracts for raw pointer operations like `byte_add`, `add` and `offset`, but stubbing cannot be done for these functions at this time due to model-checking/kani#3732
* Marks Challenge 3 as Resolved and changes its end date.
* Adds contributors.
#### PoCs:
* `Vec::swap_remove`: @MayureshJoshi25
* `Option::as_slice`, `VecDeque::swap`: @stogaru
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.
---------
Co-authored-by: Yifei Wang <1277495324@qq.com>
Co-authored-by: MayureshJoshi25 <jmayuresh25@gmail.com>
Co-authored-by: Yifei Wang <40480373+xsxszab@users.noreply.github.com>
Co-authored-by: Michael Tautschnig <tautschn@amazon.com>
Co-authored-by: szlee118 <szlee118@gmail.com>
Co-authored-by: szlee118 <33711285+szlee118@users.noreply.github.com>
Co-authored-by: Felipe R. Monteiro <rms.felipe@gmail.com>