Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Compilation Error When Stubbing Functions That Return Pointers Using Function Contracts #3732

Open
xsxszab opened this issue Nov 23, 2024 · 1 comment
Labels
[C] Bug This is a bug. Something isn't working.

Comments

@xsxszab
Copy link

xsxszab commented Nov 23, 2024

Problem Description
When attempting to stub a function with a verified function contract using kani::stub_verified, a compilation error occurs if the function's return value is a pointer.

Example
The following code is executed using kani 0.56.0 and command kani -Zfunction-contracts <filename>

// This function contract performs no meaningful checks.
// Its sole purpose is to enable stubbing of the `get_same_ptr` function.
#[kani::requires(true)]
#[kani::ensures(|result| true)]
fn get_same_ptr(ptr: *const u8) -> *const u8 {
    ptr
}

fn test_func() {
    let s: &str = "123";
    let ptr: *const u8 = s.as_ptr();    
    get_same_ptr(ptr);
}

#[kani::proof]
#[kani::stub_verified(get_same_ptr)]
fn check_test_func() {
    test_func();    
}

Running this code generates the following error:

error: `*const u8` doesn't implement `kani::Arbitrary`.
  --> /Users/xsxsz/github_repos/kani/library/kani/src/lib.rs:52:1
   |
52 | kani_core::kani_lib!(kani);
   | ^^^^^^^^^^^^^^^^^^^^^^^^^^
   |
   = help: All objects in the modifies clause must implement the Arbitrary. The return type must also implement the Arbitrary trait if you are checking recursion or using verified stub.
   = note: this error originates in the macro `kani_core::kani_intrinsics` which comes from the expansion of the macro `kani_core::kani_lib` (in Nightly builds, run with -Z macro-backtrace for more info)

error: aborting due to 1 previous error

Possible Cause of the Issue
According to Kani's blog post, the issue can be explained as follows: When stubbing a function with its contracts, Kani performs these steps:

  1. Convert preconditions into an assert!() clause.
  2. Define a kani::any() variable to represent the output.
  3. Constrain the output range using kani::assume() based on the postconditions.

In this case, the Arbitrary trait (required by kani::any) is not implemented for pointers, this makes sense as generating a random pointer without memory allocation context is pointless. As a result, Step 2 causes compilation errors. Is there any workaround for stubbing function with pointer return values?

@xsxszab xsxszab added the [C] Bug This is a bug. Something isn't working. label Nov 23, 2024
@xsxszab
Copy link
Author

xsxszab commented Nov 23, 2024

@feliperodri Hi Felipe, this is the issue we discussed in today's meeting. It's currently blocking our efforts to verify functions using function contracts for pointer arithmetic operations.

github-merge-queue bot pushed a commit to model-checking/verify-rust-std that referenced this issue Dec 12, 2024
…p` (#212)

Resolves: #76

### Changes
* Adds proofs for the following functions using raw pointer operations:
  * `Vec::swap_remove`
  * `Option::as_slice`
  * `VecDeque::swap`
* ideally the usages should have been verified by stubbing the contracts
for reaw pointer operations like `byte_add`, `add` and `offset`, but
stubbing cannot be done for these functions at this time due to
model-checking/kani#3732
* Marks Challenge 3 as Resolved and changes its end date.
* Adds contributors.

#### PoCs:
* `Vec::swap_remove`: @MayureshJoshi25
* `Option::as_slice`, `VecDeque::swap`: @stogaru 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.

---------

Co-authored-by: Yifei Wang <1277495324@qq.com>
Co-authored-by: MayureshJoshi25 <jmayuresh25@gmail.com>
Co-authored-by: Yifei Wang <40480373+xsxszab@users.noreply.github.com>
Co-authored-by: Michael Tautschnig <tautschn@amazon.com>
Co-authored-by: szlee118 <szlee118@gmail.com>
Co-authored-by: szlee118 <33711285+szlee118@users.noreply.github.com>
Co-authored-by: Felipe R. Monteiro <rms.felipe@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
[C] Bug This is a bug. Something isn't working.
Projects
None yet
Development

No branches or pull requests

1 participant