Challenge 12: Safety of NonZero #71

Open
carolynzech opened this issue Aug 23, 2024 · 6 comments

Comments


carolynzech commented Aug 23, 2024

Challenge link: https://model-checking.github.io/verify-rust-std/challenges/0012-nonzero.html

@carolynzech carolynzech added the Challenge Used to tag a challenge label Aug 23, 2024
@feliperodri feliperodri changed the title Tracking Issue for Verification of NonZero Challenge 12: Safety of NonZero Sep 5, 2024

aa-luna commented Sep 15, 2024

We are Team 1 and currently working on this challenge.

PM: Shivani
TL: @aa-luna
Devs: @SahithiMV ; @lang280


aa-luna commented Sep 20, 2024

Team,

We are currently trying to test an initial harness but are having some issues. We confirmed it has a unique name and qualified name, it is under mod verify, and it follows the same syntax as AsciiChar. Appreciate any feedback.

Commands:

verify-rust-std/library$ kani verify-std -Z unstable-options "." -Z function-contracts -Z mem-predicates --harness nonzero_check_new_unchecked

and received:

error: no harnesses matched the harness filter: `nonzero_check_new_unchecked`

We also tested:

kani verify-std -Z unstable-options "." -Z function-contracts -Z mem-predicates --harness core::num::nonzero::nonzero_check_new_unchecked

and received:

error: no harnesses matched the harness filter: `core::num::nonzero::nonzero_check_new_unchecked`

Our current contract function:

#[requires(n != T::zero())]
#[ensures(|result: Self| result.get() == n)]
pub const unsafe fn new_unchecked(n: T) -> Self {
	match Self::new(n) {
		Some(n) => n,
		None => {
			// SAFETY: The caller guarantees that `n` is non-zero, so this is unreachable.
			unsafe {
				ub_checks::assert_unsafe_precondition!(
					check_language_ub,
					"NonZero::new_unchecked requires the argument to be non-zero",
					() => false,
				);
				intrinsics::unreachable()
			}
		}
	}
}

Proof for contract:

#[unstable(feature="kani", issue="none")]
#[cfg(kani)]
mod verify {
    use core::num::NonZeroI32; // Use core::num instead of std::num

    // pub const unsafe fn new_unchecked(n: T) -> Self
    #[kani::proof_for_contract(NonZero::new_unchecked)]
    pub fn nonzero_check_new_unchecked() {
        let x: i32 = kani::any(); // Generates a symbolic value of type i32

        // Only proceed if x is not zero, because passing zero would violate the precondition
        kani::assume(x != 0);

        unsafe {
            let _ = NonZeroI32::new_unchecked(x); // Calls NonZero::new_unchecked
        }
    }
}


QinyuanWu commented Sep 20, 2024

@aa-luna try --harness num::nonzero::verify::nonzero_check_new_unchecked. Also, could you point me to the location of your harness?


aa-luna commented Sep 20, 2024

Thanks, @QinyuanWu, but it still did not find it. I'm guessing it's a placement issue. We will keep looking around to resolve this.
https://github.com/RustyRelic/verify-rust-std/blob/main/library/core/src/num/nonzero.rs

carolynzech (issue author) commented

@aa-luna I cloned your repository, and when I do the following:

  1. Build Kani from the features/verify-rust-std branch (see here)
  2. Run export PATH=../kani/scripts:$PATH in a terminal window for the verify-rust-std repo (substitute the path to Kani appropriately depending on where yours lives)
  3. Run kani verify-std -Z unstable-options ./library --target-dir /tmp/verify-rust-std -Z function-contracts -Z mem-predicates --harness nonzero_check_new_unchecked 2>&1

I get some compilation errors about your contracts:

error[E0599]: no function or associated item named `zero` found for type parameter `T` in the current scope
   --> /Users/cmzech/student/library/core/src/num/nonzero.rs:371:24
    |
345 | impl<T> NonZero<T>
    |      - function or associated item `zero` not found for this type parameter
...
371 |     #[requires(n != T::zero())]
    |                        ^^^^ function or associated item not found in `T`
    |
    = help: items from traits can only be used if the type parameter is bounded by the trait
help: the following trait defines an item `zero`, perhaps you need to restrict type parameter `T` with it:
    |
347 |     T: ZeroablePrimitive + fmt::num::DisplayInt,
    |                          ++++++++++++++++++++++

error[E0369]: binary operation `==` cannot be applied to type `T`
   --> /Users/cmzech/student/library/core/src/num/nonzero.rs:372:43
    |
372 |     #[ensures(|result: Self| result.get() == n)]
    |                              ------------ ^^ - T
    |                              |
    |                              T
    |
help: consider further restricting this bound
    |
347 |     T: ZeroablePrimitive + cmp::PartialEq,
    |                          ++++++++++++++++

error: aborting due to 2 previous errors

These compilation errors would happen earlier in the pipeline than a harness location issue. I would make sure that you're following the steps above so that rustc is compiling the version of your code with contracts attached. Once you fix these compilation errors, you should be able to run the command in step 3 to run your harness.
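The two errors above both come from attaching a contract to a generic `impl<T> NonZero<T>` without a bound that supplies the zero check and equality. The following is an added illustration, not code from this thread or from the verify-rust-std repository: a self-contained stand-in for `NonZero<T>` in which the precondition is expressed through a trait bound, so the contract compiles on a generic `T`, together with a `#[cfg(kani)]` harness laid out the way the thread's harness is. `Zeroable` is a hypothetical trait standing in for the library's `ZeroablePrimitive`; the `kani::requires`/`kani::ensures` attributes are gated behind `cfg_attr(kani, ...)` so the file also builds with plain rustc, and `check_concrete` is a hypothetical helper that exercises the same property on concrete values.

```rust
// Added illustration (not library code): a NonZero-like wrapper whose
// `new_unchecked` contract compiles on a generic `T`. The E0599/E0369 errors
// in the thread arise because `T::zero()` and `==` are not available on an
// unbounded `T`; bounding `T` by a trait that provides both resolves them.

/// Hypothetical stand-in for `ZeroablePrimitive`: types with a distinguished
/// all-zero value. `PartialEq` as a supertrait is what lets `result.get() == n`
/// type-check inside the postcondition.
pub trait Zeroable: Copy + PartialEq {
    fn is_zero(self) -> bool;
}

macro_rules! impl_zeroable {
    ($($t:ty),*) => {
        $(impl Zeroable for $t { fn is_zero(self) -> bool { self == 0 } })*
    };
}
impl_zeroable!(i8, i16, i32, i64, u8, u16, u32, u64, isize, usize);

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct NonZero<T: Zeroable>(T);

impl<T: Zeroable> NonZero<T> {
    /// Safe constructor: rejects the zero value.
    pub fn new(n: T) -> Option<Self> {
        if n.is_zero() { None } else { Some(NonZero(n)) }
    }

    /// Unchecked constructor. The contract attributes are attached only when
    /// compiling under Kani (`--cfg kani`); the pre/postcondition shapes follow
    /// the ones posted in the thread, now with the bound that makes them compile.
    #[cfg_attr(kani, kani::requires(!n.is_zero()))]
    #[cfg_attr(kani, kani::ensures(|result: Self| result.get() == n))]
    pub unsafe fn new_unchecked(n: T) -> Self {
        // Debug-only check in the spirit of `assert_unsafe_precondition!`:
        // the caller promised `n != 0`, so reaching the failure is a caller bug.
        debug_assert!(!n.is_zero(), "NonZero::new_unchecked requires a non-zero argument");
        NonZero(n)
    }

    pub fn get(self) -> T {
        self.0
    }
}

/// Harness module, compiled only under Kani. Because it is gated on `cfg(kani)`
/// and lives in this file, the harness only exists once this file compiles;
/// a compile error in the contract therefore surfaces as "no harnesses matched"
/// unless the build output is read first.
#[cfg(kani)]
mod verify {
    use super::NonZero;

    #[kani::proof_for_contract(NonZero::<i32>::new_unchecked)]
    pub fn nonzero_check_new_unchecked() {
        let x: i32 = kani::any();
        kani::assume(x != 0); // stay inside the precondition
        let nz = unsafe { NonZero::new_unchecked(x) };
        assert_eq!(nz.get(), x);
    }
}

/// Hypothetical helper: the same property checked on concrete inputs with
/// plain rustc, for readers without a Kani toolchain.
pub fn check_concrete() -> bool {
    NonZero::new(0i32).is_none()
        && NonZero::new(7u8).map(|z| z.get()) == Some(7)
        && (unsafe { NonZero::new_unchecked(-3i64) }).get() == -3
}
```

With a Kani build on the path, the harness above is selected with `--harness verify::nonzero_check_new_unchecked` (the path is relative to the module the file is compiled as); with plain rustc the `verify` module is simply absent and `check_concrete` is what runs.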


aa-luna commented Sep 22, 2024

Issue resolved. Thank you.

carolynzech added a commit that referenced this issue Nov 11, 2024
Working on #71 (Safety of NonZero)

We are looking for feedback on our proof_for_contract. We have
implemented it for all the data types.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.

---------

Co-authored-by: aaluna <aaluna@andrew.cmu.edu>
Co-authored-by: aaluna <166172412+MooniniteErr@users.noreply.github.com>
Co-authored-by: Carolyn Zech <cmzech@amazon.com>
Co-authored-by: Zyad Hassan <88045115+zhassan-aws@users.noreply.github.com>
github-merge-queue bot pushed a commit that referenced this issue Dec 11, 2024
… Proofs (#202)

Working on
[#71](#71)
(Safety of NonZero)

We are looking for feedback on our proof for rotate_left & rotate_right.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.