Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fail verification if contract is vacuous #3623

Draft
wants to merge 10 commits into
base: main
Choose a base branch
from

Conversation

carolynzech
Copy link
Contributor

@carolynzech carolynzech commented Oct 21, 2024

Description

Fail verification if a contract's preconditions are unsatisfiable or its postconditions are unreachable.
This solution introduces a new Kani intrinsic, kani::internal::cover_contract. We insert calls to this intrinsic during macro expansion after the the precondition and before the postcondition, e.g.:

kani::assume(precondition);
kani::internal::cover_contract(precondition, "The contract's precondition is satisfiable");
....
kani::internal::cover_contract(postcondition, "The contract's postcondition is reachable");
kani::assert(postcondition);

This intrinsic has the same codegen as kani::cover (i.e., assert(!cond)). Just as with kani::cover, the CBMC property renderer intercepts the results of these property checks and updates them before returning them to the user.

Call Outs

  • I'd be curious if anyone can think of a simple solution to the never type fixme test that I included--if so, I'll fix it in this PR. Otherwise, I'll create an issue about it and link it in the test before merging.
  • I'm changing the result of undetermined checks to failure if there's unwinding failures. My rationale is that in the case of code like this:
#[ensures(...)]
fn foo() { loop{} }

We know that the postcondition is unreachable, so we should say so. I think this approach makes sense, but also happy to keep it undetermined if we'd rather not treat one type of undetermined check differently from another.

Resolves #2793

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@github-actions github-actions bot added the Z-BenchCI Tag a PR to run benchmark CI label Oct 21, 2024
@carolynzech
Copy link
Contributor Author

carolynzech commented Oct 21, 2024

Note that this fails the standard library job because a number of the unchecked_mul harnesses are restricted to ranges such that the precondition empties the search space. For example, verify::unchecked_mul_usize_edge performs lhs.unchecked_mul(rhs) on usizes between [u32::MAX / 2, u32::MAX], with a precondition that the product must not overflow. However, this product will always overflow, so the contract is vacuous and verification fails.
If we decide we're happy with this behavior, I can create a PR to update those harnesses before merging this PR (or ping the CMU team who authored them).

@celinval
Copy link
Contributor

May I suggest a different approach? I think we should add 2 special cover statements to harnesses. One before we invoke the function and one after we leave the function. This would help us understand whether the pre-conditions are ever satisfied, and if the post-condition is ever checked.

Note that this fails the standard library job because a number of the unchecked_mul harnesses are restricted to ranges such that the precondition empties the search space. For example, verify::unchecked_mul_usize_edge performs lhs.unchecked_mul(rhs) on usizes between [u32::MAX / 2, u32::MAX], with a precondition that the product must not overflow. However, this product will always overflow, so the contract is vacuous and verification fails. If we decide we're happy with this behavior, I can create a PR to update those harnesses before merging this PR (or ping the CMU team who authored them).

hummm... that's an interesting point. I don't think the harness is incorrect though. I am not sure what the best approach is here to combine problem partitioning and the vacuous contract check. Maybe what we want is to combine harnesses that verify the same contract.

remi-delmas-3000 pushed a commit to remi-delmas-3000/kani that referenced this pull request Oct 22, 2024
Update Rust toolchain from nightly-2024-05-27 to nightly-2024-05-28
without any other source changes.
This is an automatically generated pull request. If any of the CI checks
fail, manual intervention is required. In such a case, review the
changes at https://github.com/rust-lang/rust from
rust-lang/rust@bdbbb6c
up to
rust-lang/rust@84b40fc.
The log for this commit range is:
rust-lang/rust@84b40fc908 Auto merge of
#125628 - matthiaskrgr:rollup-3zk9v3w, r=matthiaskrgr
rust-lang/rust@4966e1ae35 Rollup merge of
#125625 - ChrisDenton:line-endings, r=Mark-Simulacrum
rust-lang/rust@61f9d35798 Rollup merge of
#125616 - RalfJung:mir-validate-downcast-projection, r=compiler-errors
rust-lang/rust@e8dd585dd8 Rollup merge of
#125542 - GuillaumeGomez:migrate-rustdoc-verify-output-files, r=jieyouxu
rust-lang/rust@8bd15878eb Rollup merge of
#125339 - tbu-:pr_tidy_ui_tests_u32, r=clubby789
rust-lang/rust@f00b02e6bb Auto merge of
#125599 - camelid:clarify-stability, r=notriddle,GuillaumeGomez
rust-lang/rust@7a847fc4fb Use grep to
implement verify-line-endings
rust-lang/rust@b0f8618938 Auto merge of
#125413 - lcnr:ambig-drop-region-constraints, r=compiler-errors
rust-lang/rust@7d24f87068 MIR validation:
ensure that downcast projection is followed by field projection
rust-lang/rust@f6e4703e91 Auto merge of
#125611 - GuillaumeGomez:rollup-dfavpgg, r=GuillaumeGomez
rust-lang/rust@bdf3864d51 Migrate
`run-make/rustdoc-verify-output-files` to `rmake.rs`
rust-lang/rust@f0ab814aec Add
`Rustdoc::output_format`
rust-lang/rust@1551fd1202 Add file path in
case it cannot be read in `Diff::actual_file`
rust-lang/rust@90fec5a087 Add `copy_dir_all`
and `recursive_diff` functions to `run-make-support`
rust-lang/rust@7083131c92 Rollup merge of
#125607 - GuillaumeGomez:migrate-compile-stdin, r=jieyouxu
rust-lang/rust@a9c125f864 Rollup merge of
#125597 - compiler-errors:early-binder, r=jackh726
rust-lang/rust@cfa7ab474f Rollup merge of
#125535 - onur-ozkan:remove-deprecated-field, r=clubby789
rust-lang/rust@f50b4f5034 Rollup merge of
#125530 - SparrowLii:expand2, r=petrochenkov
rust-lang/rust@ad37f40355 Rollup merge of
#125522 - spastorino:fix-lint-docs-edition-handling,
r=Urgau,michaelwoerister
rust-lang/rust@86f2fa35a2 Rollup merge of
#125148 - RalfJung:codegen-sh, r=scottmcm
rust-lang/rust@6dddc888fc Rollup merge of
#124870 - Lokathor:update-result-docs, r=dtolnay
rust-lang/rust@a59072ec4f Auto merge of
#125602 - RalfJung:interpret-mir-lifetime, r=oli-obk
rust-lang/rust@e4abfaeb62 Migrate
`run-make/compile-stdin` to `rmake.rs`
rust-lang/rust@b582f807fa Auto merge of
#125410 - fmease:adj-lint-diag-api, r=nnethercote
rust-lang/rust@fec98b3bbc Auto merge of
#125468 - BoxyUwU:remove_defid_from_regionparam, r=compiler-errors
rust-lang/rust@e8379c9598 interpret: get rid
of 'mir lifetime everywhere
rust-lang/rust@36d36a3e1f interpret: the MIR
is actually at lifetime 'tcx
rust-lang/rust@699d28f968 rustdoc: Show
"const" for const-unstable if also overall unstable
rust-lang/rust@cdc509f7c0 Auto merge of
#125580 - RalfJung:miri-sync, r=RalfJung
rust-lang/rust@f92292978f Use EarlyBinder in
rustc_type_ir, simplify imports
rust-lang/rust@993553ceb8 Uplift EarlyBinder
rust-lang/rust@529bb2573a Auto merge of
#125593 - workingjubilee:rollup-67qk7di, r=workingjubilee
rust-lang/rust@bbcdb4fd3e Give EarlyBinder a
tcx parameter
rust-lang/rust@4ff78692db Rollup merge of
#125582 - scottmcm:less-from-usize, r=jieyouxu
rust-lang/rust@45507e4304 Rollup merge of
#125566 - camelid:notify-accepted, r=GuillaumeGomez
rust-lang/rust@25b079a1cf Rollup merge of
#125559 - scottmcm:simplify-shift-ubcheck, r=workingjubilee
rust-lang/rust@c51fc1d02b Rollup merge of
#125544 - Urgau:check-cfg-mention-cargo-specific, r=jieyouxu
rust-lang/rust@b65b2b6ced Rollup merge of
#125469 - compiler-errors:dont-skip-inner-const-body, r=cjgillot
rust-lang/rust@09e75921f3 Rollup merge of
#125466 - compiler-errors:dont-probe-for-ambig-in-sugg, r=jieyouxu
rust-lang/rust@5860d43af3 Rollup merge of
#125046 - bjorn3:no_mutable_static_linkage, r=cjgillot
rust-lang/rust@866630d004 Rollup merge of
#124048 - veera-sivarajan:bugfix-123773-c23-variadics, r=compiler-errors
rust-lang/rust@0aad3f64e2 Auto merge of
#125576 - lnicola:sync-from-ra, r=lnicola
rust-lang/rust@d37f456b2a Avoid a
`FieldIdx::from_usize` in InstSimplify
rust-lang/rust@0963353634 Auto merge of model-checking#3631
- RalfJung:blocking-refactor, r=RalfJung
rust-lang/rust@2e89443b93 add a macro to
declare thread unblock callbacks
rust-lang/rust@8e861c6c4c Auto merge of model-checking#3632
- RalfJung:readdir, r=RalfJung
rust-lang/rust@350f5c88db unix/fs: a bit of
cleanup in macos_fbsd_readdir_r
rust-lang/rust@e09bf5694b Auto merge of model-checking#3633
- RalfJung:target, r=RalfJung
rust-lang/rust@cbec1288a2 fix './miri run
--dep --target _'
rust-lang/rust@e6bb468b53 data_race: vector
indices can be reused immediately when the thread is gone
rust-lang/rust@a131243557 completely refactor
how we manage blocking and unblocking threads
rust-lang/rust@f7ca8a6d66 Auto merge of #17296
- mathew-horner:no-clone-target, r=Veykril
rust-lang/rust@bd9cc02d10 Auto merge of #17295
- 0xJonas:fix_passing_env_vars_to_cpptools, r=Veykril
rust-lang/rust@5fa30f7eaa make release_clock
always work on the current thread
rust-lang/rust@fa7a3f9049 rustdoc: Elide
const-unstable if also unstable overall
rust-lang/rust@91b3ef5b4a Notify T-rustdoc for
beta-accepted and stable-accepted too
rust-lang/rust@9b480da367 It seems that anchor
names are implicitly all lowercase
rust-lang/rust@0c84361342 Simplify the
`unchecked_sh[lr]` ub-checks a bit
rust-lang/rust@f8279b10c3 Fix URL target, it's
in the module not the type.
rust-lang/rust@2b2f83e5ff github showed that
weird.
rust-lang/rust@2e8f14fb37 correct for copy
paste errors when fixing wrapping.
rust-lang/rust@22668e83f6 Resolve
rust-lang/rust#124870 (comment)
rust-lang/rust@939f2671a0 revert to the
inconsistent paragraph wrapping.
rust-lang/rust@eb9894f3c9 Removed return
rust-lang/rust@afa8dfc51f Avoid clone when
constructing runnable label.
rust-lang/rust@09677b03dd Formatting
rust-lang/rust@78fe45e273 Semicolon
rust-lang/rust@2315c6b764 Use correct format
for setting environment variables when debugging with cpptools
rust-lang/rust@331bb3f10d Auto merge of model-checking#3630
- rust-lang:rustup-2024-05-25, r=saethlin
rust-lang/rust@bebcb4e4b8 Also mention my-self
for check-cfg docs changes
rust-lang/rust@c76477d909 add change entry
rust-lang/rust@56dddd4c7e Remove deprecated
field `dist.missing-tools`
rust-lang/rust@1d0ad04993 Merge from rustc
rust-lang/rust@3cfcfbf083 Preparing for merge
from rustc
rust-lang/rust@41d4a95fca Add "better" edition
handling on lint-docs tool
rust-lang/rust@278212342e cleanup dependence
of `ExtCtxt` in transcribe when macro expansion
rust-lang/rust@24b5466892 drop region
constraints for ambiguous goals
rust-lang/rust@ed8e436916 move generics_of
call outside of iter
rust-lang/rust@56d77b9048 Auto merge of #17275
- roife:fix-issue-17012, r=Veykril
rust-lang/rust@796cb8031d Remove failing tests
rust-lang/rust@f856ee357c Remove `DefId` from
`EarlyParamRegion` (clippy/smir)
rust-lang/rust@fe2d7794ca Remove `DefId` from
`EarlyParamRegion` (tedium/diagnostics)
rust-lang/rust@bd6344d829 Remove `DefId` from
`EarlyParamRegion` (type system)
rust-lang/rust@b7b350cff7 docs
rust-lang/rust@008f6b3a3f Auto merge of model-checking#3626
- devnexen:pthread_name_illumos, r=oli-obk
rust-lang/rust@7fc41d1bdf Auto merge of model-checking#3625
- Strophox:miri-allocation-fix, r=RalfJung
rust-lang/rust@b84620ff17 extend comments
rust-lang/rust@88d519f718 Auto merge of model-checking#3628
- RalfJung:tokio, r=RalfJung
rust-lang/rust@561bd9a5ec add back some tokio
features
rust-lang/rust@10d414091b Auto merge of model-checking#3627
- rust-lang:rustup-2024-05-24, r=RalfJung
rust-lang/rust@4763eaf066 fmt
rust-lang/rust@debf88ae1a Merge from rustc
rust-lang/rust@9ce95c30b2 Preparing for merge
from rustc
rust-lang/rust@c58b7c9c81 Don't skip inner
const when looking for body for suggestion
rust-lang/rust@4bc41b91d7 Don't continue
probing for method if in suggestion and autoderef hits ambiguity
rust-lang/rust@7f5e0aade8 solaris add suport
for threadname.
rust-lang/rust@3c7a13d870 tests: update test
for runnables
rust-lang/rust@c10bda5577 Update docs
rust-lang/rust@1a37cfb703 Use cwd from
runnable.args for debugger
rust-lang/rust@7b54c8231e Revert "Debug use
cargo workspace root as cwd. fixes #13022"
rust-lang/rust@d83b267bc1 Add cwd to
CargoRunnable
rust-lang/rust@6259991f04 Auto merge of #17287
- Veykril:sysroot-encode-empty, r=Veykril
rust-lang/rust@f93256ca42 Allow sysroots to
only consist of the source root dir
rust-lang/rust@1b374dfd9b differentiate
between layout and alloc_layout
rust-lang/rust@56c363b43e fix alloc_bytes
(always allocate at least 1B)
rust-lang/rust@ecadf37df4 Auto merge of #17284
- Veykril:doc-links, r=Veykril
rust-lang/rust@616fdd04bb Use correct
toolchain channel when generating builtin type doc links
rust-lang/rust@6e8646df8b Auto merge of #17174
- Kohei316:fix-infer-async-block-with-tail-return-expr, r=Veykril
rust-lang/rust@425ed6a181 Update
crates/hir-ty/src/infer/expr.rs
rust-lang/rust@68fe34a4c2 Auto merge of #17140
- harrysarson:harry-unused-self, r=Veykril
rust-lang/rust@6ea763b9e2 Auto merge of model-checking#3624
- rust-lang:rustup-2024-05-23, r=RalfJung
rust-lang/rust@400835fd11 fmt
rust-lang/rust@f1ffb8d859 Merge from rustc
rust-lang/rust@807a0f8c21 Preparing for merge
from rustc
rust-lang/rust@37bf2d2dab Delay the
construction of early lint diag structs
rust-lang/rust@9f67c50128 Remove `DelayDm`
rust-lang/rust@06bc4fc671 Remove
`LintDiagnostic::msg`
rust-lang/rust@366ef95407 Slightly clean up
some lint infra code
rust-lang/rust@ac2708a347 Auto merge of #17270
- davidbarsky:david/fix-completions-from-associated-types, r=Veykril
rust-lang/rust@f2c3ef77b1 fix: ensure implied
bounds from associated types are considered in autocomplete
rust-lang/rust@04a9a1a531 Auto merge of model-checking#3614
- devnexen:illumos_time_support, r=oli-obk
rust-lang/rust@0916e72a34 Auto merge of #17251
- roife:fix-issue-17057, r=Veykril
rust-lang/rust@56ce7e0e06 Auto merge of #17252
- davidbarsky:david/refactor-standalone-bools-into-struct, r=Veykril
rust-lang/rust@f50f8fbcb9 Simplify
rust-lang/rust@7a21dff517 internal: refactor
`prefer_no_std`/`prefer_prelude` bools into a struct
rust-lang/rust@4e9b12870c fix: check
pseudo-block by local_id instead of ModuleOrigin
rust-lang/rust@ad810a51f0 Auto merge of #17277
- Veykril:find-path-fixes, r=Veykril
rust-lang/rust@3f638a9291 solaris/illumos
localtime_r / clock_getime support enabled.
rust-lang/rust@d9dda8f84f Auto merge of #17279
- Veykril:format_args-escape, r=Veykril
rust-lang/rust@2ff9bab2eb fix: Fix format_args
lowering passing incorrect parameters to rustc_parse_format
rust-lang/rust@39e6032445 Auto merge of #17248
- mladedav:dm/delay-clear, r=Veykril
rust-lang/rust@24bf53d993 Auto merge of #17268
- Veykril:signatures, r=Veykril
rust-lang/rust@b1830a5fe6 Update assists test
fixtures
rust-lang/rust@b29c755572 expectify find_path
tests
rust-lang/rust@5992af6506 fix: Fix general
find-path inconsistencies
rust-lang/rust@7fd1429754 Auto merge of model-checking#3623
- RalfJung:rustup, r=RalfJung
rust-lang/rust@abbe244a81 clippy
rust-lang/rust@a1bc030b70 Merge from rustc
rust-lang/rust@24138f0034 Preparing for merge
from rustc
rust-lang/rust@c8b0e5b1a4 The number of tests
does not depend on the architecture's pointer width
rust-lang/rust@719eee2d82 test: add tests for
extern preludes resolving in local mods
rust-lang/rust@41c006e21a Auto merge of model-checking#3610
- marc0246:missing-error-kinds, r=RalfJung
rust-lang/rust@37a37f6ab3 Use
`throw_unsup_format` instead of returning `ENOTSUP` in the mmap shim
rust-lang/rust@6438554bce Show fn traits in
signature info for trait implementors
rust-lang/rust@f42e55dfc8 Enable linked
locations for closure param inlay hints
rust-lang/rust@4b3d7f6039 Render closure fn
trait kind in siganture help
rust-lang/rust@7045044da3 Allow hir::Param to
refer to other entity params aside from functions
rust-lang/rust@9ff4ffb817 Update builtin tool
list
rust-lang/rust@ea2a16cadb fix: resolve extern
prelude for local mods in block modules
rust-lang/rust@1287e868e9 Clear diagnostics
only after new ones were received
rust-lang/rust@17bd43cb25 codegen:
tweak/extend shift comments
rust-lang/rust@b468f21051 Don't use `T` with
both Result and Option, improve explanation.
rust-lang/rust@531dae1cdf Only allow immutable
statics with #[linkage]
rust-lang/rust@10f8d1ffef use teletype on the
attribute name
rust-lang/rust@f94fa6bee3 Some Result
combinations work like an Option.
rust-lang/rust@dd16cbcb4e braces around {self}
in UseTree are not unnecessary
rust-lang/rust@39a653f632 Fix coercion of
async block
rust-lang/rust@f005b451c2 Support C23's
Variadics Without a Named Parameter
rust-lang/rust@62a104df98 Update Tests

Co-authored-by: qinheping <16714939+qinheping@users.noreply.github.com>
@carolynzech carolynzech marked this pull request as ready for review October 30, 2024 17:04
@carolynzech carolynzech requested a review from a team as a code owner October 30, 2024 17:04
@celinval
Copy link
Contributor

* I'm changing the result of undetermined checks to failure if there's unwinding failures. My rationale is that in the case of code like this:

I would prefer if we don't do that. We can discuss this further but I think it's out of scope of this PR.

@carolynzech
Copy link
Contributor Author

Moving to draft for now -- we need to decide whether we want verification failure for these properties to be the default behavior, or a characteristic of the harness. This implementation has failure as the default behavior, but one could imagine that in the unchecked_mul case I mentioned above, you may want something like this:

#[requires(!self.overflowing_mul(rhs).1)]
pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self {
  ...
}

#[kani::proof_for_contract(unchecked_mul)]
// without this attribute, verification would fail because of a vacuous proof,
// but maybe you want to sanity check your precondition
// by having a separate harness with just invalid inputs
#[kani::allow_vacuity]
fn unchecked_mul_usize_edge() {
  let lhs: u32 = kani::any_where(|num| num >= u32::MAX / 2);
  let rhs: u32 = kani::any_where(|num| num >= u32::MAX / 2);
  lhs.unchecked_mul(rhs);
}

// This harness will fail for a vacuous proof by default
#[kani::proof_for_contract(unchecked_mul)]
fn unchecked_mul_middle() { ... }

Partitioning harnesses like this is a reasonable thing to do (and in fact, an approach we recommend and would like to implement as a feature) so failing by default could produce a bad experience for users. Introducing a harness-level attribute requires further discussion, however.

@carolynzech carolynzech marked this pull request as draft November 1, 2024 13:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Z-BenchCI Tag a PR to run benchmark CI
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add vacuity test for contradictory requires clause
3 participants