-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define a struct-level #[safety_constraint(...)]
attribute
#3270
Conversation
I've decided to add the helper attribute
Therefore, this PR only needs a little better error handling (we should parse expressions like we're doing in #3283) and some cleanup. |
f68ada0
to
dd2206d
Compare
Marking this as ready for review after the last changes. This is now rebased on top of #3283 so we can take advantage of some of the functions included there. A major change is that we now generate both the For example, if we wrote something like this:
The harness would fail to verify because the value generated with Aside from that change, I've added a few more tests and moved the code from |
kani::invariant
attribute#[safety_constraint(...)]
attribute
This is ready for review again. I have renamed the attribute and changed it so its behavior is very similar to the |
tests/expected/safety-constraint-attribute/abstract-value/abstract-value.rs
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. The only thing I'm unsure about is that Invariant
is not derived automatically when the attribute is specified. There's also no warning or error message if neither Invariant
or Arbitrary
is derived.
tests/expected/safety-constraint-attribute/check-invariant/check-invariant.rs
Outdated
Show resolved
Hide resolved
tests/expected/safety-constraint-attribute/check-invariant/expected
Outdated
Show resolved
Hide resolved
tests/ui/safety-constraint-attribute/double-attribute/double-attribute.rs
Outdated
Show resolved
Hide resolved
This is also a concern of mine, especially the second case where there isn't any feedback when using the attribute without deriving
I believe the best option would be to generate some sort of marker from the derive macros. In other words, if we are generating an The rest of comments have been addressed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
I wonder if it's possible to check from a proc macro whether a type implements a trait.
As far as I know, there aren't great solutions to this because |
… attribute for structs (#3405) This PR updates the crates documentation we already had for the `#[safety_constraint(...)]` attribute to account for the changes in #3270. The proposal includes notes/guidelines on where to use the attribute (i.e., the struct or its fields) depending on the type safety condition to be specified. Also, it removes the `rs` annotations on the code blocks that appear in the documentation because they don't seem to have the intended effect (the blocks are not being highlighted at all). The current version of this documentation can be found [here](https://model-checking.github.io/kani/crates/doc/kani/derive.Arbitrary.html) and [here](https://model-checking.github.io/kani/crates/doc/kani/derive.Invariant.html). Related #3095
## 0.54.0 ### Major Changes * We added support for slices in the `#[kani::modifies(...)]` clauses when using function contracts. * We introduce an `#[safety_constraint(...)]` attribute helper for the `Arbitrary` and `Invariant` macros. * We enabled support for concrete playback for harness that contains stubs or function contracts. * We added support for log2*, log10*, powif*, fma*, and sqrt* intrisincs. ### Breaking Changes * The `-Z ptr-to-ref-cast-checks` option has been removed, and pointer validity checks when casting raw pointers to references are now run by default. ## What's Changed * Make Kani reject mutable pointer casts if padding is incompatible and memory initialization is checked by @artemagvanian in #3332 * Fix visibility of some Kani intrinsics by @artemagvanian in #3323 * Function Contracts: Modify Slices by @pi314mm in #3295 * Support for disabling automatically generated pointer checks to avoid reinstrumentation by @artemagvanian in #3344 * Add support for global transformations by @artemagvanian in #3348 * Enable an `#[safety_constraint(...)]` attribute helper for the `Arbitrary` and `Invariant` macros by @adpaco-aws in #3283 * Fix contract handling of promoted constants and constant static by @celinval in #3305 * Bump CBMC Viewer to 3.9 by @tautschnig in #3373 * Update to CBMC version 6.1.1 by @tautschnig in #2995 * Define a struct-level `#[safety_constraint(...)]` attribute by @adpaco-aws in #3270 * Enable concrete playback for contract and stubs by @celinval in #3389 * Add code scanner tool by @celinval in #3120 * Enable contracts in associated functions by @celinval in #3363 * Enable log2*, log10* intrinsics by @tautschnig in #3001 * Enable powif* intrinsics by @tautschnig in #2999 * Enable fma* intrinsics by @tautschnig in #3002 * Enable sqrt* intrinsics by @tautschnig in #3000 * Remove assigns clause for ZST pointers by @carolynzech in #3417 * Instrumentation for delayed UB stemming from uninitialized memory by @artemagvanian in #3374 * Unify kani library and kani core logic by @jaisnan in #3333 * Stabilize pointer-to-reference cast validity checks by @artemagvanian in #3426 * Rust toolchain upgraded to `nightly-2024-08-07` by @jaisnan @qinheping @tautschnig @feliperodri ## New Contributors * @carolynzech made their first contribution in #3387 **Full Changelog**: kani-0.53.0...kani-0.54.0 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. Signed-off-by: Felipe R. Monteiro <felisous@amazon.com>
This PR defines a struct-level
#[safety_constraint(<pred>)]
macro attribute that allows users to define the type invariant as the predicate passed as an argument to the attribute. This safety constraint is picked up when derivingArbitrary
andInvariant
implementations so that the values generated withany()
or checked withis_safe()
satisfy the constraint.This attribute is similar to the helper attribute introduced in #3283, and they cannot be used together. It's preferable to use this attribute when the constraint implies some relation between different fields. But, at the moment, there's no practical difference between them because the helper attribute allows users to refer to any fields. If we imposed that restriction, this attribute would be the only way to specify struct-wide invariants.
An example:
Resolves #3095
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.