Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added harnesses for c_str: is_empty #195

Closed
wants to merge 93 commits into from
Closed

added harnesses for c_str: is_empty #195

wants to merge 93 commits into from

Conversation

lanfeima
Copy link

@lanfeima lanfeima commented Nov 28, 2024
edited
Loading

Update:

I noticed that PR #194 leverages arbitrary_cstr (introduced in #189) to simplify the harness CStr::is_empty. Please also check that PR for additional context.

Towards: Issue #150

Parent branch: main

Changes

  • added harnesses. for CStr:: is_empty

This version of C

To revalidate the verification results, run ./scripts/run-kani.sh --kani-args --harness ffi::c_str::verify::check_is_empty

Example output:

Checking harness ffi::c_str::verify::check_is_empty...

VERIFICATION RESULT:
 ** 0 of 216 failed (5 unreachable)

VERIFICATION:- SUCCESSFUL
Verification Time: 1121.6111s

Complete - 1 successfully verified harnesses, 0 failures, 1 total.

yew005 and others added 30 commits September 10, 2024 17:11
Add Kani proofs of unchecked_add for all integer types
1ae4c6d
Format proof files & Add verification function templates
b553678
@MWDZ
feat: add i8 uncheck shl verification
4db34e4
@MWDZ
feat: add i16 and i32 uncheck shl verification
54f5507
@lanfeima
added unsafe integer i8 unchecked sub following the template
472da0e
Experiment with two verification approaches in mod.rs of core::num
daaaf7e
@Yenyun035
Merge branch 'model-checking:main' into c-0011-core-nums-yenyunw-unsa…
7bd0e3c 
…fe-ints
Add contracts to unchecked_add && Add i8::unchecked_add proof
1c9dbde
Format core::num mod.rs
894231f
Add comment for unchecked_add proofs
2bc4faf
Add harnesses for i16,i32,i64,i128 unchecked_add
d9d4b5f
Add harnesses for u8,u16,u32,u64,u128 unchecked_add
07c8b4a
Cleanup misplaced proofs
1fd4c6a
Clean up comment
b360311
Format comment
8cbca87
Remove before contracts. Fix import in
0eef858
Fix comment
4858a53
@MWDZ
Merge remote-tracking branch 'origin/c-0011-core-nums-yenyunw-unsafe-…
8ce3381 
…ints' into c-0011-core-nums-junfengj-unchecked-shl
@rajathkotyal
unchecked multiplication and shift right
bbd75f7
@Yenyun035
Merge branch 'main' into c-0011-core-nums-yenyunw-unsafe-ints
483bdf5
@lanfeima
Merge branch 'c-0011-core-nums-yenyunw-unsafe-ints' into c-0011-core-…
71ffd37 
…nums-lanfeima-unsafe-ints
@MWDZ
feat: add contract and test case for unchecked_shl in type int and unit
a7d3cc2
@lanfeima
added preconditions and postconditions
271afad
@lanfeima
add proof functions for unchecked_sub
c7762c2
@Yenyun035
Merge branch 'model-checking:main' into c-0011-core-nums-yenyunw-unsa…
ce35002 
…fe-ints
Remove ensures contracts && Undo formatting on existing code
d99844d
Add {isize, usize}::unchecked_add harnesses
fbcf49e
@rajathkotyal
Small fix typo
864afa6
@Yenyun035
Merge branch 'model-checking:main' into c-0011-core-nums-yenyunw-unsa…
457a2b5 
…fe-ints
Add harness generation macros for unchecked methods && Update uncheck…
54a03ef 
…ed_add harnesses
Yenyun035 and others added 17 commits November 21, 2024 22:51
@Yenyun035
Merge branch 'model-checking:main' into c-0013-yenyunw-cstr
cf6aab1
@Yenyun035
Merge branch 'model-checking:main' into c-0013-yenyunw-cstr
63d53fb
@Yenyun035
Add CStr safety invariant && from_bytes_until_null harnesses
90ae7a5
@Yenyun035
Merge branch 'model-checking:main' into c-0013-yenyunw-cstr
e111145
@Yenyun035
Add comments
55dfaaf
@lanfeima
Merge remote-tracking branch 'origin/c-0013-yenyunw-cstr' into c-0013…
3b01c6b 
…-lanfeima-cstr
@lanfeima
merge recent cstr
b49f4ee
@lanfeima
added harnesses for is_empty
f03b418
@Yenyun035
Add to_bytes and to_bytes_with_nul harnesses
64ddbff
@lanfeima
Merge remote-tracking branch 'origin/c-0013-yenyunw-cstr-to-bytes' in…
90865ea 
…to c-0013-lanfeima-cstr
@lanfeima
combined the is_empty with the latest repo
1fc9540
@lanfeima
finished testing for is_empty
7e75de1
@lanfeima
used kani_anywhere to generate the values
ae7af7c
@lanfeima
edited the documentation
43e588c
@lanfeima
remove the irrelevant kani folder and cargo file
fdefcc0
@lanfeima
reverted Cargo.lock to the stable one
1f5e28a
@lanfeima
Reset stdarch submodule to commit ff9a444
8cc0b12
@lanfeima lanfeima requested a review from a team as a code owner November 28, 2024 12:33
@lanfeima lanfeima changed the title added harnesses for C_str: is_empty added harnesses for c_str: is_empty Nov 28, 2024
@Yenyun035
Copy link

Duplicate with #194. Will resolve later.

@lanfeima lanfeima marked this pull request as draft November 28, 2024 20:24
@lanfeima
Copy link
Author

lanfeima commented Nov 29, 2024
edited
Loading

I see that PR #194 takes an efficient approach by leveraging arbitrary_cstr. The main difference is that PR #195 explores handling invalid cases during the construction phase (e.g., how is_empty behaves under invalid input), which takes a long time and might not be necessary given that is_empty can only be invoked on valid CStr instances. I now realize that focusing on valid inputs may be more aligned with the project goals.

Would it make sense to address invalid cases elsewhere, or should we focus solely on valid instances here? Feedback from reviewers would be helpful. I’d be happy to close this PR or contribute to refining #194 if needed. Thank you!

@lanfeima lanfeima marked this pull request as ready for review November 29, 2024 08:54
@celinval
Copy link

Can we merge the ideas by optimizing the arbitrary_str by adding byte 0 to the end of the slice?

@Yenyun035
Copy link

Yenyun035 commented Nov 30, 2024
edited
Loading

Can we merge the ideas by optimizing the arbitrary_str by adding byte 0 to the end of the slice?

@celinval If I understand correctly, do you mean that we ensure the input slice is null-terminated before passing it to arbitrary_cstr? This sounds equivalent to the idea that we assume the input slice is null-terminated within arbitrary_cstr, e.g.

fn arbitrary_cstr(slice: &[u8]) -> &CStr {
    // At a minimum, the slice contains a null byte to form a valid CStr.
    kani::assume(slice.len() > 0 && slice[slice.len() - 1] == 0);
    let result = CStr::from_bytes_until_nul(&slice);
    // Given the assumption, from_bytes_until_nul should never fail
    kani::assume(result.is_ok()); // maybe change to assert!(result.is_ok());
    let c_str = result.unwrap();
    assert!(c_str.is_safe());
    c_str
}

I updated PR#194 accordingly.

@Yenyun035
Copy link

PR #194 was merged. This PR can be closed. @lanfeima

@tautschnig
Copy link
Member

Closing per #195 (comment).

@tautschnig tautschnig closed this Dec 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@celinval celinval

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@lanfeima @Yenyun035 @celinval @tautschnig @MWDZ @rajathkotyal