Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CStr Safety invariant & Harnesses for from_bytes_until_nul #180

Merged
merged 12 commits into from
Nov 26, 2024
Merged

CStr Safety invariant & Harnesses for from_bytes_until_nul #180

Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
bf613a0
Test CStr safety invariant
Yenyun035 Nov 22, 2024
cf6aab1
Merge branch 'model-checking:main' into c-0013-yenyunw-cstr
Yenyun035 Nov 22, 2024
63d53fb
Merge branch 'model-checking:main' into c-0013-yenyunw-cstr
Yenyun035 Nov 22, 2024
90ae7a5
Add CStr safety invariant && from_bytes_until_null harnesses
Yenyun035 Nov 22, 2024
e111145
Merge branch 'model-checking:main' into c-0013-yenyunw-cstr
Yenyun035 Nov 22, 2024
55dfaaf
Add comments
Yenyun035 Nov 22, 2024
5db0f1b
Merge branch 'main' into c-0013-yenyunw-cstr
Yenyun035 Nov 23, 2024
31c1d02
Fix from_bytes_until_nul harness
Yenyun035 Nov 25, 2024
667b76f
Merge branch 'main' into c-0013-yenyunw-cstr
Yenyun035 Nov 25, 2024
2d734df
Change array size to 32 && Add is_safe function doc && Fix harness
Yenyun035 Nov 26, 2024
021c59f
Fix typo and invariant
Yenyun035 Nov 26, 2024
0486200
Fix invariant return
Yenyun035 Nov 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions library/core/src/ffi/c_str.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,11 @@ use crate::ptr::NonNull;
use crate::slice::memchr;
use crate::{fmt, intrinsics, ops, slice, str};

use crate::ub_checks::Invariant;

#[cfg(kani)]
use crate::kani;

// FIXME: because this is doc(inline)d, we *have* to use intra-doc links because the actual link
// depends on where the item is being documented. however, since this is libcore, we can't
// actually reference libstd or liballoc in intra-doc links. so, the best we can do is remove the
Expand Down Expand Up @@ -207,6 +212,22 @@ impl fmt::Display for FromBytesWithNulError {
}
}

#[unstable(feature = "ub_checks", issue = "none")]
impl Invariant for &CStr {
/**
* Safety invariant of a valid CStr:
* 1. An empty CStr should have a null byte.
* 2. A valid CStr should end with a null-terminator and contains
* no intermediate null bytes.
*/
fn is_safe(&self) -> bool {
let bytes: &[c_char] = &self.inner;
let len = bytes.len();

!bytes.is_empty() && bytes[len - 1] == 0 && !bytes[..len-1].contains(&0)
}
}

impl CStr {
/// Wraps a raw C string with a safe C string wrapper.
///
Expand Down Expand Up @@ -833,3 +854,25 @@ impl Iterator for Bytes<'_> {

#[unstable(feature = "cstr_bytes", issue = "112115")]
impl FusedIterator for Bytes<'_> {}

#[cfg(kani)]
#[unstable(feature = "kani", issue = "none")]
mod verify {
use super::*;

// pub const fn from_bytes_until_nul(bytes: &[u8]) -> Result<&CStr, FromBytesUntilNulError>
#[kani::proof]
#[kani::unwind(32)] // 7.3 seconds when 16; 33.1 seconds when 32
fn check_from_bytes_until_nul() {
const MAX_SIZE: usize = 32;
let string: [u8; MAX_SIZE] = kani::any();
// Covers the case of a single null byte at the end, no null bytes, as
// well as intermediate null bytes
let slice = kani::slice::any_slice_of_array(&string);

let result = CStr::from_bytes_until_nul(slice);
if let Ok(c_str) = result {
assert!(c_str.is_safe());
}
}
}
Loading