Fail verification if contract is vacuous #3623
Conversation
Note that this fails the standard library job because a number of the
May I suggest a different approach? I think we should add 2 special cover statements to harnesses. One before we invoke the function and one after we leave the function. This would help us understand whether the pre-conditions are ever satisfied, and if the post-condition is ever checked.
hummm... that's an interesting point. I don't think the harness is incorrect though. I am not sure what the best approach is here to combine problem partitioning and the vacuous contract check. Maybe what we want is to combine harnesses that verify the same contract.
Update Rust toolchain from nightly-2024-05-27 to nightly-2024-05-28 without any other source changes. This is an automatically generated pull request. If any of the CI checks fail, manual intervention is required. In such a case, review the changes at https://github.com/rust-lang/rust from rust-lang/rust@bdbbb6c up to rust-lang/rust@84b40fc. The log for this commit range is:
I would prefer if we don't do that. We can discuss this further but I think it's out of scope of this PR.
Moving to draft for now -- we need to decide whether we want verification failure for these properties to be the default behavior, or a characteristic of the harness. This implementation has failure as the default behavior, but one could imagine that in the

```rust
#[requires(!self.overflowing_mul(rhs).1)]
pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self {
    ...
}

#[kani::proof_for_contract(unchecked_mul)]
// without this attribute, verification would fail because of a vacuous proof,
// but maybe you want to sanity check your precondition
// by having a separate harness with just invalid inputs
#[kani::allow_vacuity]
fn unchecked_mul_usize_edge() {
    // `any_where` hands the closure a reference, so dereference it
    let lhs: u32 = kani::any_where(|num| *num >= u32::MAX / 2);
    let rhs: u32 = kani::any_where(|num| *num >= u32::MAX / 2);
    // `unchecked_mul` is an unsafe fn; its contract supplies the precondition
    unsafe { lhs.unchecked_mul(rhs) };
}

// This harness will fail for a vacuous proof by default
#[kani::proof_for_contract(unchecked_mul)]
fn unchecked_mul_middle() { ... }
```

Partitioning harnesses like this is a reasonable thing to do (and in fact, an approach we recommend and would like to implement as a feature) so failing by default could produce a bad experience for users. Introducing a harness-level attribute requires further discussion, however.
Description
Fail verification if a contract's preconditions are unsatisfiable or its postconditions are unreachable.
This solution introduces a new Kani intrinsic, `kani::internal::cover_contract`. We insert calls to this intrinsic during macro expansion after the precondition and before the postcondition, e.g.:

This intrinsic has the same codegen as `kani::cover` (i.e., `assert(!cond)`). Just as with `kani::cover`, the CBMC property renderer intercepts the results of these property checks and updates them before returning them to the user.

Call Outs
We know that the postcondition is unreachable, so we should say so. I think this approach makes sense, but also happy to keep it undetermined if we'd rather not treat one type of undetermined check differently from another.
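To make the vacuity rule concrete, here is an added Rust model (not Kani's implementation and not code from this PR) that walks a constructed sample of inputs for the `unchecked_mul` partitions discussed above and reports the two cover points the way the renderer would: a cover is "satisfied" once its `assert(!cond)` is reached, "unsatisfiable" otherwise, and verification fails when either point is never reached. Kani explores all inputs symbolically; this model only samples, and the `Cover`/`ContractVerdict` names are assumptions for illustration.

```rust
/// Outcome of one cover check as the property renderer reports it (assumed names).
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Cover {
    Satisfied,     // assert(!cond) was reached at least once
    Unsatisfiable, // assert(!cond) was never reached
}

/// Verdict for a proof-for-contract harness under the PR's default behaviour.
#[derive(Debug, PartialEq)]
pub struct ContractVerdict {
    pub precondition: Cover,
    pub postcondition: Cover,
    pub vacuous: bool,
}

/// The precondition from the page: `!self.overflowing_mul(rhs).1`.
fn requires_no_overflow(lhs: u32, rhs: u32) -> bool {
    !lhs.overflowing_mul(rhs).1
}

/// Model of the instrumented contract: one cover point right after the
/// precondition, one right before the postcondition.
pub fn check_unchecked_mul_harness(inputs: &[(u32, u32)]) -> ContractVerdict {
    let mut pre_reached = false;
    let mut post_reached = false;
    for &(lhs, rhs) in inputs {
        // Inputs that violate the precondition are assumed away, not explored.
        if !requires_no_overflow(lhs, rhs) {
            continue;
        }
        pre_reached = true; // cover_contract after the precondition
        let _result = lhs.wrapping_mul(rhs); // stands in for the checked call
        post_reached = true; // cover_contract before the postcondition
    }
    let to_cover = |b: bool| if b { Cover::Satisfied } else { Cover::Unsatisfiable };
    ContractVerdict {
        precondition: to_cover(pre_reached),
        postcondition: to_cover(post_reached),
        vacuous: !pre_reached || !post_reached, // the PR fails verification here
    }
}

/// Constructed sample of the "edge" partition: both operands >= u32::MAX / 2.
pub fn edge_partition() -> Vec<(u32, u32)> {
    let half = u32::MAX / 2;
    vec![(half, half), (half + 1, half), (u32::MAX, half), (u32::MAX, u32::MAX)]
}

/// Constructed sample of a "middle" partition with operands that cannot overflow.
pub fn middle_partition() -> Vec<(u32, u32)> {
    vec![(2, 3), (1_000, 4_000), (65_535, 65_535)]
}
```

Every pair in the edge partition overflows, so the precondition cover is never reached and the harness is reported vacuous; the middle partition reaches both cover points.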
Resolves #2793
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.