diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7647990dd685..7f78dab1ece0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,10 @@ updates: directory: "/" schedule: interval: "weekly" + + - package-ecosystem: "gitsubmodule" + directory: "/" + allow: + - dependency-name: "tests/perf/s2n-quic" + schedule: + interval: "weekly" diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml index ad0bbf81f2c2..12b08eba7c9c 100644 --- a/.github/workflows/bench.yml +++ b/.github/workflows/bench.yml @@ -55,12 +55,6 @@ jobs: os: ubuntu-20.04 kani_dir: new - - name: Build Kani (new variant) - run: pushd new && cargo build-dev - - - name: Build Kani (old variant) - run: pushd old && cargo build-dev - - name: Copy benchmarks from new to old run: rm -rf ./old/tests/perf ; cp -r ./new/tests/perf ./old/tests/ diff --git a/.github/workflows/cbmc-latest.yml b/.github/workflows/cbmc-latest.yml index d8da02d21840..696f08fd44b8 100644 --- a/.github/workflows/cbmc-latest.yml +++ b/.github/workflows/cbmc-latest.yml @@ -32,17 +32,14 @@ jobs: os: ${{ matrix.os }} kani_dir: 'kani' - - name: Build Kani - working-directory: ./kani - run: cargo build-dev - - name: Checkout CBMC under "cbmc" uses: actions/checkout@v4 with: repository: diffblue/cbmc path: cbmc - - name: Build CBMC + - name: Build CBMC (Linux) + if: ${{ startsWith(matrix.os, 'ubuntu') }} working-directory: ./cbmc run: | cmake -S . -Bbuild -DWITH_JBMC=OFF -Dsat_impl="minisat2;cadical" @@ -50,6 +47,15 @@ jobs: # Prepend the bin directory to $PATH echo "${GITHUB_WORKSPACE}/cbmc/build/bin" >> $GITHUB_PATH + - name: Build CBMC (macOS) + if: ${{ startsWith(matrix.os, 'macos') }} + working-directory: ./cbmc + run: | + cmake -S . -Bbuild -DWITH_JBMC=OFF -Dsat_impl="minisat2;cadical" -DCMAKE_CXX_COMPILER=$(which clang++) + cmake --build build -- -j 4 + # Prepend the bin directory to $PATH + echo "${GITHUB_WORKSPACE}/cbmc/build/bin" >> $GITHUB_PATH + - name: Execute Kani regressions working-directory: ./kani run: ./scripts/kani-regression.sh diff --git a/.github/workflows/cbmc-update.yml b/.github/workflows/cbmc-update.yml index 74d9caeb0fcf..5fe8a866c0e4 100644 --- a/.github/workflows/cbmc-update.yml +++ b/.github/workflows/cbmc-update.yml @@ -30,7 +30,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - grep ^CBMC_VERSION kani-dependencies >> $GITHUB_ENV + grep ^CBMC_VERSION kani-dependencies | sed 's/"//g' >> $GITHUB_ENV CBMC_LATEST=$(gh -R diffblue/cbmc release list | grep Latest | awk '{print $1}' | cut -f2 -d-) echo "CBMC_LATEST=$CBMC_LATEST" >> $GITHUB_ENV # check whether the version has changed at all @@ -47,8 +47,8 @@ jobs: elif ! git ls-remote --exit-code origin cbmc-$CBMC_LATEST ; then CBMC_LATEST_MAJOR=$(echo $CBMC_LATEST | cut -f1 -d.) CBMC_LATEST_MINOR=$(echo $CBMC_LATEST | cut -f2 -d.) - sed -i "s/^CBMC_MAJOR=.*/CBMC_MAJOR=\"$CBMC_MAJOR\"/" kani-dependencies - sed -i "s/^CBMC_MINOR=.*/CBMC_MINOR=\"$CBMC_MINOR\"/" kani-dependencies + sed -i "s/^CBMC_MAJOR=.*/CBMC_MAJOR=\"$CBMC_LATEST_MAJOR\"/" kani-dependencies + sed -i "s/^CBMC_MINOR=.*/CBMC_MINOR=\"$CBMC_LATEST_MINOR\"/" kani-dependencies sed -i "s/^CBMC_VERSION=.*/CBMC_VERSION=\"$CBMC_LATEST\"/" kani-dependencies git diff if ! ./scripts/kani-regression.sh ; then @@ -79,7 +79,7 @@ jobs: token: ${{ github.token }} title: 'CBMC upgrade to ${{ env.CBMC_LATEST }} failed' body: > - Updating CBMC from ${{ evn.CBMC_VERSION }} to ${{ env.CBMC_LATEST }} failed. + Updating CBMC from ${{ env.CBMC_VERSION }} to ${{ env.CBMC_LATEST }} failed. The failed automated run [can be found here.](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) diff --git a/.github/workflows/kani-m1.yml b/.github/workflows/kani-m1.yml deleted file mode 100644 index 36f2b615c4aa..000000000000 --- a/.github/workflows/kani-m1.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -# Run the regression job on Apple M1 only on commits to `main` -name: Kani CI M1 -on: - push: - branches: - - 'main' - -env: - RUST_BACKTRACE: 1 - -jobs: - regression: - runs-on: macos-13-xlarge - steps: - - name: Checkout Kani - uses: actions/checkout@v4 - - - name: Setup Kani Dependencies - uses: ./.github/actions/setup - with: - os: macos-13-xlarge - - - name: Build Kani - run: cargo build-dev - - - name: Execute Kani regression - run: ./scripts/kani-regression.sh diff --git a/.github/workflows/kani.yml b/.github/workflows/kani.yml index abdc4ee46216..dd077eff25e1 100644 --- a/.github/workflows/kani.yml +++ b/.github/workflows/kani.yml @@ -17,7 +17,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [macos-13, ubuntu-20.04, ubuntu-22.04] + os: [macos-13, ubuntu-20.04, ubuntu-22.04, macos-14] steps: - name: Checkout Kani uses: actions/checkout@v4 @@ -27,9 +27,6 @@ jobs: with: os: ${{ matrix.os }} - - name: Build Kani - run: cargo build-dev - - name: Execute Kani regression run: ./scripts/kani-regression.sh @@ -88,15 +85,12 @@ jobs: with: os: ubuntu-20.04 - - name: Build Kani using release mode - run: cargo build-dev -- --release - - name: Execute Kani performance tests run: ./scripts/kani-perf.sh env: RUST_TEST_THREADS: 1 - bookrunner: + documentation: runs-on: ubuntu-20.04 permissions: contents: write @@ -104,31 +98,6 @@ jobs: - name: Checkout Kani uses: actions/checkout@v4 - - name: Setup Kani Dependencies - uses: ./.github/actions/setup - with: - os: ubuntu-20.04 - - - name: Build Kani - run: cargo build-dev - - - name: Install book runner dependencies - run: ./scripts/setup/install_bookrunner_deps.sh - - - name: Generate book runner report - run: cargo run -p bookrunner - env: - DOC_RUST_LANG_ORG_CHANNEL: nightly - - - name: Print book runner text results - run: cat build/output/latest/html/bookrunner.txt - - - name: Print book runner failures grouped by stage - run: python3 scripts/ci/bookrunner_failures_by_stage.py build/output/latest/html/index.html - - - name: Detect unexpected book runner failures - run: ./scripts/ci/detect_bookrunner_failures.sh build/output/latest/html/bookrunner.txt - - name: Install book dependencies run: ./scripts/setup/ubuntu/install_doc_deps.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 56cb99bac960..72ef4e2de889 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,7 @@ on: env: RUST_BACKTRACE: 1 + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true jobs: build_bundle_macos: @@ -44,6 +45,32 @@ jobs: os: macos-13 arch: x86_64-apple-darwin + build_bundle_macos_aarch64: + name: BuildBundle-MacOs-ARM + runs-on: macos-14 + permissions: + contents: write + outputs: + version: ${{ steps.bundle.outputs.version }} + bundle: ${{ steps.bundle.outputs.bundle }} + package: ${{ steps.bundle.outputs.package }} + crate_version: ${{ steps.bundle.outputs.crate_version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Kani Dependencies + uses: ./.github/actions/setup + with: + os: macos-14 + + - name: Build bundle + id: bundle + uses: ./.github/actions/build-bundle + with: + os: macos-14 + arch: aarch64-apple-darwin + build_bundle_linux: name: BuildBundle-Linux runs-on: ubuntu-20.04 @@ -77,12 +104,16 @@ jobs: apt-get install -y software-properties-common apt-utils add-apt-repository ppa:git-core/ppa add-apt-repository ppa:deadsnakes/ppa + add-apt-repository ppa:ubuntu-toolchain-r/test apt-get update apt-get install -y \ - build-essential bash-completion curl lsb-release sudo g++ gcc flex \ + build-essential bash-completion curl lsb-release sudo g++-9 gcc-9 flex \ bison make patch git python3.7 python3.7-dev python3.7-distutils + update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 110 \ + --slave /usr/bin/g++ g++ /usr/bin/g++-9 + ln -sf cpp-9 /usr/bin/cpp update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.7 1 - curl -s https://bootstrap.pypa.io/get-pip.py -o get-pip.py + curl -s https://bootstrap.pypa.io/pip/3.7/get-pip.py -o get-pip.py python3 get-pip.py --force-reinstall rm get-pip.py @@ -101,6 +132,106 @@ jobs: os: linux arch: x86_64-unknown-linux-gnu + test-use-local-toolchain: + name: TestLocalToolchain + needs: [build_bundle_macos, build_bundle_linux] + strategy: + matrix: + os: [macos-13, ubuntu-20.04, ubuntu-22.04] + include: + - os: macos-13 + rust_target: x86_64-apple-darwin + prev_job: ${{ needs.build_bundle_macos.outputs }} + - os: ubuntu-20.04 + rust_target: x86_64-unknown-linux-gnu + prev_job: ${{ needs.build_bundle_linux.outputs }} + - os: ubuntu-22.04 + rust_target: x86_64-unknown-linux-gnu + prev_job: ${{ needs.build_bundle_linux.outputs }} + runs-on: ${{ matrix.os }} + steps: + - name: Download bundle + uses: actions/download-artifact@v3 + with: + name: ${{ matrix.prev_job.bundle }} + + - name: Download kani-verifier crate + uses: actions/download-artifact@v3 + with: + name: ${{ matrix.prev_job.package }} + + - name: Check download + run: | + ls -lh . + + - name: Get toolchain version used to setup kani + run: | + tar zxvf ${{ matrix.prev_job.bundle }} + DATE=$(cat ./kani-${{ matrix.prev_job.version }}/rust-toolchain-version | cut -d'-' -f2,3,4) + echo "Nightly date: $DATE" + echo "DATE=$DATE" >> $GITHUB_ENV + + - name: Install Kani from path + run: | + tar zxvf ${{ matrix.prev_job.package }} + cargo install --locked --path kani-verifier-${{ matrix.prev_job.crate_version }} + + - name: Create a custom toolchain directory + run: mkdir -p ${{ github.workspace }}/../custom_toolchain + + - name: Fetch the nightly tarball + run: | + echo "Downloading Rust toolchain from rust server." + curl --proto '=https' --tlsv1.2 -O https://static.rust-lang.org/dist/$DATE/rust-nightly-${{ matrix.rust_target }}.tar.gz + tar -xzf rust-nightly-${{ matrix.rust_target }}.tar.gz + ./rust-nightly-${{ matrix.rust_target }}/install.sh --prefix=${{ github.workspace }}/../custom_toolchain + + - name: Ensure installation is correct + run: | + cargo kani setup --use-local-bundle ./${{ matrix.prev_job.bundle }} --use-local-toolchain ${{ github.workspace }}/../custom_toolchain/ + + - name: Ensure that the rustup toolchain is not present + run: | + if [ ! -e "~/.rustup/toolchains/" ]; then + echo "Default toolchain file does not exist. Proceeding with running tests." + else + echo "::error::Default toolchain exists despite not installing." + exit 1 + fi + + - name: Checkout tests + uses: actions/checkout@v4 + + - name: Move rust-toolchain file to outside kani + run: | + mkdir -p ${{ github.workspace }}/../post-setup-tests + cp -r tests/cargo-ui ${{ github.workspace }}/../post-setup-tests + cp -r tests/kani/Assert ${{ github.workspace }}/../post-setup-tests + ls ${{ github.workspace }}/../post-setup-tests + + - name: Run cargo-kani tests after moving + run: | + for dir in supported-lib-types/rlib multiple-harnesses verbose; do + >&2 echo "Running test $dir" + pushd ${{ github.workspace }}/../post-setup-tests/cargo-ui/$dir + cargo kani + popd + done + + - name: Check --help and --version + run: | + >&2 echo "Running cargo kani --help and --version" + pushd ${{ github.workspace }}/../post-setup-tests/Assert + cargo kani --help && cargo kani --version + popd + + - name: Run standalone kani test + run: | + >&2 echo "Running test on file bool_ref" + pushd ${{ github.workspace }}/../post-setup-tests/Assert + kani bool_ref.rs + popd + test_bundle: name: TestBundle needs: [build_bundle_macos, build_bundle_linux] @@ -196,7 +327,7 @@ jobs: if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/kani-') }} name: Release runs-on: ubuntu-20.04 - needs: [build_bundle_macos, build_bundle_linux, test_bundle, test_alt_platform] + needs: [build_bundle_macos, build_bundle_macos_aarch64, build_bundle_linux, test_bundle, test_alt_platform] permissions: contents: write outputs: @@ -228,6 +359,11 @@ jobs: with: name: ${{ needs.build_bundle_macos.outputs.bundle }} + - name: Download MacOS ARM bundle + uses: actions/download-artifact@v3 + with: + name: ${{ needs.build_bundle_macos_aarch64.outputs.bundle }} + - name: Download Linux bundle uses: actions/download-artifact@v3 with: @@ -235,13 +371,13 @@ jobs: - name: Create release id: create_release - uses: ncipollo/release-action@v1.13.0 + uses: ncipollo/release-action@v1.14.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: name: kani-${{ env.TAG_VERSION }} tag: kani-${{ env.TAG_VERSION }} - artifacts: "${{ needs.build_bundle_linux.outputs.bundle }},${{ needs.build_bundle_macos.outputs.bundle }}" + artifacts: "${{ needs.build_bundle_linux.outputs.bundle }},${{ needs.build_bundle_macos.outputs.bundle }},${{ needs.build_bundle_macos_aarch64.outputs.bundle }}" body: | Kani Rust verifier release bundle version ${{ env.TAG_VERSION }}. draft: true @@ -284,7 +420,7 @@ jobs: OWNER: '${{ github.repository_owner }}' - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: scripts/ci/Dockerfile.bundle-release-20-04 diff --git a/.github/workflows/toolchain-upgrade.yml b/.github/workflows/toolchain-upgrade.yml index 8252bfb826e6..a4b95ea195f0 100644 --- a/.github/workflows/toolchain-upgrade.yml +++ b/.github/workflows/toolchain-upgrade.yml @@ -30,42 +30,11 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - current_toolchain_date=$(grep ^channel rust-toolchain.toml | sed 's/.*nightly-\(.*\)"/\1/') - echo "current_toolchain_date=$current_toolchain_date" >> $GITHUB_ENV - current_toolchain_epoch=$(date --date $current_toolchain_date +%s) - next_toolchain_date=$(date --date "@$(($current_toolchain_epoch + 86400))" +%Y-%m-%d) - echo "next_toolchain_date=$next_toolchain_date" >> $GITHUB_ENV - if gh issue list -S \ - "Toolchain upgrade to nightly-$next_toolchain_date failed" \ - --json number,title | grep title ; then - echo "next_step=none" >> $GITHUB_ENV - elif ! git ls-remote --exit-code origin toolchain-$next_toolchain_date ; then - echo "next_step=create_pr" >> $GITHUB_ENV - sed -i "/^channel/ s/$current_toolchain_date/$next_toolchain_date/" rust-toolchain.toml - git diff - git clone --filter=tree:0 https://github.com/rust-lang/rust rust.git - cd rust.git - current_toolchain_hash=$(curl https://static.rust-lang.org/dist/$current_toolchain_date/channel-rust-nightly-git-commit-hash.txt) - echo "current_toolchain_hash=$current_toolchain_hash" >> $GITHUB_ENV - next_toolchain_hash=$(curl https://static.rust-lang.org/dist/$next_toolchain_date/channel-rust-nightly-git-commit-hash.txt) - echo "next_toolchain_hash=$next_toolchain_hash" >> $GITHUB_ENV - EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) - echo "git_log<<$EOF" >> $GITHUB_ENV - git log --oneline $current_toolchain_hash..$next_toolchain_hash | \ - sed 's#^#https://github.com/rust-lang/rust/commit/#' >> $GITHUB_ENV - echo "$EOF" >> $GITHUB_ENV - cd .. - rm -rf rust.git - if ! cargo build-dev ; then - echo "next_step=create_issue" >> $GITHUB_ENV - else - if ! ./scripts/kani-regression.sh ; then - echo "next_step=create_issue" >> $GITHUB_ENV - fi - fi - else - echo "next_step=none" >> $GITHUB_ENV - fi + source scripts/toolchain_update.sh + + - name: Clean untracked files + run: git clean -f + - name: Create Pull Request if: ${{ env.next_step == 'create_pr' }} uses: peter-evans/create-pull-request@v6 diff --git a/.github/workflows/verify-std-check.yml b/.github/workflows/verify-std-check.yml new file mode 100644 index 000000000000..1bad09cd3c6d --- /dev/null +++ b/.github/workflows/verify-std-check.yml @@ -0,0 +1,89 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +# +# This workflow will try to build and run the `verify-rust-std` repository. +# +# This check should be optional, but it has been added to help provide +# visibility to when a PR may break the `verify-rust-std` repository. +# +# We expect toolchain updates to potentially break this workflow in cases where +# the version tracked in the `verify-rust-std` is not compatible with newer +# versions of the Rust toolchain. +# +# Changes unrelated to the toolchain should match the current status of main. + +name: Check Std Verification +on: + pull_request: + workflow_call: + +env: + RUST_BACKTRACE: 1 + +jobs: + verify-std: + runs-on: ${{ matrix.os }} + strategy: + matrix: + # Kani does not support windows. + os: [ ubuntu-22.04, macos-14 ] + steps: + - name: Checkout Library + uses: actions/checkout@v4 + with: + repository: model-checking/verify-rust-std + path: verify-rust-std + submodules: true + + - name: Checkout `Kani` + uses: actions/checkout@v4 + with: + path: kani + fetch-depth: 0 + + - name: Setup Kani Dependencies + uses: ./kani/.github/actions/setup + with: + os: ${{ matrix.os }} + kani_dir: kani + + - name: Build Kani + working-directory: kani + run: | + cargo build-dev + echo "$(pwd)/scripts" >> $GITHUB_PATH + + - name: Run verification with HEAD + id: check-head + working-directory: verify-rust-std + continue-on-error: true + run: | + kani verify-std -Z unstable-options ./library --target-dir ${{ runner.temp }} -Z function-contracts \ + -Z mem-predicates -Z ptr-to-ref-cast-checks + + # If the head failed, check if it's a new failure. + - name: Checkout base + working-directory: kani + if: steps.check-head.outcome != 'success' && github.event_name == 'pull_request' + run: | + BASE_REF=${{ github.event.pull_request.base.sha }} + git checkout ${BASE_REF} + cargo build-dev + + - name: Run verification with BASE + id: check-base + if: steps.check-head.outcome != 'success' && github.event_name == 'pull_request' + working-directory: verify-rust-std + continue-on-error: true + run: | + kani verify-std -Z unstable-options ./library --target-dir ${{ runner.temp }} -Z function-contracts \ + -Z mem-predicates -Z ptr-to-ref-cast-checks + + - name: Compare PR results + if: steps.check-head.outcome != 'success' && steps.check-head.outcome != steps.check-base.outcome + run: | + echo "New failure introduced by this change" + echo "HEAD: ${{ steps.check-head.outcome }}" + echo "BASE: ${{ steps.check-base.outcome }}" + exit 1 + diff --git a/.github/workflows/verify-std-update.yml b/.github/workflows/verify-std-update.yml new file mode 100644 index 000000000000..518f80ecd1b8 --- /dev/null +++ b/.github/workflows/verify-std-update.yml @@ -0,0 +1,35 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +# +# This workflow will try to update the verify std branch. + +name: Update "features/verify-rust-std" +on: + schedule: + - cron: "30 3 * * *" # Run this every day at 03:30 UTC + workflow_dispatch: # Allow manual dispatching. + +env: + RUST_BACKTRACE: 1 + +jobs: + # First ensure the HEAD is compatible with the `verify-rust-std` repository. + verify-std: + name: Verify Std + permissions: { } + uses: ./.github/workflows/verify-std-check.yml + + # Push changes to the features branch. + update-branch: + needs: verify-std + permissions: + contents: write + runs-on: ubuntu-latest + steps: + - name: Checkout Kani + uses: actions/checkout@v4 + + - name: Update feature branch + run: | + git push origin HEAD:features/verify-rust-std + diff --git a/.gitignore b/.gitignore index a31c86965494..a2defc0df119 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ desktop.ini Session.vim .cproject .idea +toolchains/ *.iml .vscode .project @@ -47,6 +48,10 @@ no_llvm_build /tmp/ # Created by default with `src/ci/docker/run.sh` /obj/ +# Created by kani-compiler +*.rlib +*.rmeta +*.mir ## Temporary files *~ @@ -73,10 +78,8 @@ package-lock.json tests/rustdoc-gui/src/**.lock # Before adding new lines, see the comment at the top. -/.litani_cache_dir /.ninja_deps /.ninja_log -/tests/bookrunner *Cargo.lock tests/kani-dependency-test/diamond-dependency/build tests/kani-multicrate/type-mismatch/mismatch/target diff --git a/.gitmodules b/.gitmodules index 7246d4c1e60b..b02c263a898e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,12 +1,3 @@ -[submodule "src/doc/nomicon"] - path = tools/bookrunner/rust-doc/nomicon - url = https://github.com/rust-lang/nomicon.git -[submodule "src/doc/reference"] - path = tools/bookrunner/rust-doc/reference - url = https://github.com/rust-lang/reference.git -[submodule "src/doc/rust-by-example"] - path = tools/bookrunner/rust-doc/rust-by-example - url = https://github.com/rust-lang/rust-by-example.git [submodule "firecracker"] path = firecracker url = https://github.com/firecracker-microvm/firecracker.git diff --git a/CHANGELOG.md b/CHANGELOG.md index 33baeb1ef5af..47ae290853a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,130 @@ This file contains notable changes (e.g. breaking changes, major changes, etc.) This file was introduced starting Kani 0.23.0, so it only contains changes from version 0.23.0 onwards. +## [0.53.0] + +### Major Changes +* The `--visualize` option is being deprecated and will be removed in a future release. Consider using the `--concrete-playback` option instead. +* The `-Z ptr-to-ref-cast-checks` option is being introduced to check pointer validity when casting raw pointers to references. The feature is currently behind an unstable flag but is expected to be stabilized in a future release once remaining performance issues have been resolved. +* The `-Z uninit-checks` option is being introduced to check memory initialization. The feature is currently behind an unstable flag and also requires the `-Z ghost-state` option. + +### Breaking Changes +* Remove support for the unstable argument `--function` by @celinval in https://github.com/model-checking/kani/pull/3278 +* Remove deprecated `--enable-stubbing` by @celinval in https://github.com/model-checking/kani/pull/3309 + +### What's Changed + +* Change ensures into closures by @pi314mm in https://github.com/model-checking/kani/pull/3207 +* (Re)introduce `Invariant` trait by @adpaco-aws in https://github.com/model-checking/kani/pull/3190 +* Remove empty box creation from contracts impl by @celinval in https://github.com/model-checking/kani/pull/3233 +* Add a new verify-std subcommand to Kani by @celinval in https://github.com/model-checking/kani/pull/3231 +* Inject pointer validity check when casting raw pointers to references by @artemagvanian in https://github.com/model-checking/kani/pull/3221 +* Do not turn trivially diverging loops into assume(false) by @tautschnig in https://github.com/model-checking/kani/pull/3223 +* Fix "unused mut" warnings created by generated code. by @jsalzbergedu in https://github.com/model-checking/kani/pull/3247 +* Refactor stubbing so Kani compiler only invoke rustc once per crate by @celinval in https://github.com/model-checking/kani/pull/3245 +* Use cfg=kani_host for host crates by @tautschnig in https://github.com/model-checking/kani/pull/3244 +* Add intrinsics and Arbitrary support for no_core by @jaisnan in https://github.com/model-checking/kani/pull/3230 +* Contracts: Avoid attribute duplication and `const` function generation for constant function by @celinval in https://github.com/model-checking/kani/pull/3255 +* Fix contract of constant fn with effect feature by @celinval in https://github.com/model-checking/kani/pull/3259 +* Fix typed_swap for ZSTs by @tautschnig in https://github.com/model-checking/kani/pull/3256 +* Add a `#[derive(Invariant)]` macro by @adpaco-aws in https://github.com/model-checking/kani/pull/3250 +* Contracts: History Expressions via "old" monad by @pi314mm in https://github.com/model-checking/kani/pull/3232 +* Function Contracts: remove instances of _renamed by @pi314mm in https://github.com/model-checking/kani/pull/3274 +* Deprecate `--visualize` in favor of concrete playback by @celinval in https://github.com/model-checking/kani/pull/3281 +* Fix operand in fat pointer comparison by @pi314mm in https://github.com/model-checking/kani/pull/3297 +* Function Contracts: Closure Type Inference by @pi314mm in https://github.com/model-checking/kani/pull/3307 +* Add support for f16 and f128 for toolchain upgrade to 6/28 by @jaisnan in https://github.com/model-checking/kani/pull/3306 +* Towards Proving Memory Initialization by @artemagvanian in https://github.com/model-checking/kani/pull/3264 +* Rust toolchain upgraded to `nightly-2024-07-01` by @tautschnig @celinval @jaisnan @adpaco-aws + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.52.0...kani-0.53.0 + +## [0.52.0] + +## What's Changed +* New section about linter configuraton checking in the doc by @remi-delmas-3000 in https://github.com/model-checking/kani/pull/3198 +* Fix `{,e}println!()` by @GrigorenkoPV in https://github.com/model-checking/kani/pull/3209 +* Contracts for a few core functions by @celinval in https://github.com/model-checking/kani/pull/3107 +* Add simple API for shadow memory by @zhassan-aws in https://github.com/model-checking/kani/pull/3200 +* Upgrade Rust toolchain to 2024-05-28 by @zhassan-aws @remi-delmas-3000 @qinheping + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.51.0...kani-0.52.0 + +## [0.51.0] + +### What's Changed + +* Do not assume that ZST-typed symbols refer to unique objects by @tautschnig in https://github.com/model-checking/kani/pull/3134 +* Remove `kani::Arbitrary` from the `modifies` contract instrumentation by @feliperodri in https://github.com/model-checking/kani/pull/3169 +* Emit source locations whenever possible to ease debugging and coverage reporting by @tautschnig in https://github.com/model-checking/kani/pull/3173 +* Rust toolchain upgraded to `nightly-2024-04-21` by @celinval + + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.50.0...kani-0.51.0 + + +## [0.50.0] + +### Major Changes +* Fix compilation issue with proc_macro2 (v1.0.80+) and Kani v0.49.0 +(https://github.com/model-checking/kani/issues/3138). + +### What's Changed +* Implement valid value check for `write_bytes` by @celinval in +https://github.com/model-checking/kani/pull/3108 +* Rust toolchain upgraded to 2024-04-15 by @tautschnig @celinval + +**Full Changelog**: +https://github.com/model-checking/kani/compare/kani-0.49.0...kani-0.50.0 + +## [0.49.0] + +### What's Changed +* Disable removal of storage markers by @zhassan-aws in https://github.com/model-checking/kani/pull/3083 +* Ensure storage markers are kept in std code by @zhassan-aws in https://github.com/model-checking/kani/pull/3080 +* Implement validity checks by @celinval in https://github.com/model-checking/kani/pull/3085 +* Allow modifies clause for verification only by @feliperodri in https://github.com/model-checking/kani/pull/3098 +* Add optional scatterplot to benchcomp output by @tautschnig in https://github.com/model-checking/kani/pull/3077 +* Expand ${var} in benchcomp variant `env` by @karkhaz in https://github.com/model-checking/kani/pull/3090 +* Add `benchcomp filter` command by @karkhaz in https://github.com/model-checking/kani/pull/3105 +* Upgrade Rust toolchain to 2024-03-29 by @zhassan-aws @celinval @adpaco-aws @feliperodri + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.48.0...kani-0.49.0 + +## [0.48.0] + +### Major Changes +* We fixed a soundness bug that in some cases may cause Kani to not detect a use-after-free issue in https://github.com/model-checking/kani/pull/3063 + +### What's Changed +* Fix `codegen_atomic_binop` for `atomic_ptr` by @qinheping in https://github.com/model-checking/kani/pull/3047 +* Retrieve info for recursion tracker reliably by @feliperodri in https://github.com/model-checking/kani/pull/3045 +* Add `--use-local-toolchain` to Kani setup by @jaisnan in https://github.com/model-checking/kani/pull/3056 +* Replace internal reverse_postorder by a stable one by @celinval in https://github.com/model-checking/kani/pull/3064 +* Add option to override `--crate-name` from `kani` by @adpaco-aws in https://github.com/model-checking/kani/pull/3054 +* Rust toolchain upgraded to 2024-03-11 by @adpaco-ws @celinval @zyadh + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.47.0...kani-0.48.0 + +## [0.47.0] + +### What's Changed +* Upgrade toolchain to 2024-02-14 by @zhassan-aws in https://github.com/model-checking/kani/pull/3036 + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.46.0...kani-0.47.0 + +## [0.46.0] + +## What's Changed +* `modifies` Clauses for Function Contracts by @JustusAdam in https://github.com/model-checking/kani/pull/2800 +* Fix ICEs due to mismatched arguments by @celinval in https://github.com/model-checking/kani/pull/2994. Resolves the following issues: + * https://github.com/model-checking/kani/issues/2260 + * https://github.com/model-checking/kani/issues/2312 +* Enable powf*, exp*, log* intrinsics by @tautschnig in https://github.com/model-checking/kani/pull/2996 +* Upgrade Rust toolchain to nightly-2024-01-24 by @celinval @feliperodri @qinheping + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.45.0...kani-0.46.0 + ## [0.45.0] ## What's Changed diff --git a/Cargo.lock b/Cargo.lock index 13594113134e..d68b8db21918 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2,124 +2,97 @@ # It is not intended for manual editing. version = 3 -[[package]] -name = "Inflector" -version = "0.11.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe438c63458706e03479442743baae6c88256498e6431708f6dfc520a26515d3" -dependencies = [ - "lazy_static", - "regex", -] - [[package]] name = "ahash" -version = "0.7.7" +version = "0.8.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a824f2aa7e75a0c98c5a504fceb80649e9c35265d44525b5f94de4771a395cd" +checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011" dependencies = [ - "getrandom", + "cfg-if", "once_cell", "version_check", + "zerocopy", ] [[package]] name = "aho-corasick" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" +checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916" dependencies = [ "memchr", ] [[package]] name = "anstream" -version = "0.6.11" +version = "0.6.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5" +checksum = "64e15c1ab1f89faffbf04a634d5e1962e9074f2741eef6d97f3c4e322426d526" dependencies = [ "anstyle", "anstyle-parse", "anstyle-query", "anstyle-wincon", "colorchoice", + "is_terminal_polyfill", "utf8parse", ] [[package]] name = "anstyle" -version = "1.0.5" +version = "1.0.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2faccea4cc4ab4a667ce676a30e8ec13922a692c99bb8f5b11f1502c72e04220" +checksum = "1bec1de6f59aedf83baf9ff929c98f2ad654b97c9510f4e70cf6f661d49fd5b1" [[package]] name = "anstyle-parse" -version = "0.2.3" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c" +checksum = "eb47de1e80c2b463c735db5b217a0ddc39d612e7ac9e2e96a5aed1f57616c1cb" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.0.2" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648" +checksum = "6d36fc52c7f6c869915e99412912f22093507da8d9e942ceaf66fe4b7c14422a" dependencies = [ - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "anstyle-wincon" -version = "3.0.2" +version = "3.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7" +checksum = "5bf74e1b6e971609db8ca7a9ce79fd5768ab6ae46441c572e46cf596f59e57f8" dependencies = [ "anstyle", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "anyhow" -version = "1.0.79" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "080e9890a082662b09c1ad45f567faeeb47f22b5fb23895fbe1e651e718e25ca" +checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da" [[package]] name = "autocfg" -version = "1.1.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "bitflags" -version = "1.3.2" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" - -[[package]] -name = "bitflags" -version = "2.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" - -[[package]] -name = "bookrunner" -version = "0.1.0" -dependencies = [ - "Inflector", - "pulldown-cmark", - "rustdoc", - "serde", - "serde_json", - "toml", - "walkdir", -] +checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "build-kani" -version = "0.45.0" +version = "0.53.0" dependencies = [ "anyhow", "cargo_metadata", @@ -129,18 +102,18 @@ dependencies = [ [[package]] name = "camino" -version = "1.1.6" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c59e92b5a388f549b863a7bea62612c09f24c8393560709a54558a9abdfb3b9c" +checksum = "e0ec6b951b160caa93cc0c7b209e5a3bff7aae9062213451ac99493cd844c239" dependencies = [ "serde", ] [[package]] name = "cargo-platform" -version = "0.1.6" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ceed8ef69d8518a5dda55c07425450b58a4e1946f4951eab6d7191ee86c2443d" +checksum = "24b1f0365a6c6bb4020cd05806fd0d33c44d38046b8bd7f0e40814b9763cabfc" dependencies = [ "serde", ] @@ -167,9 +140,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "clap" -version = "4.4.18" +version = "4.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e578d6ec4194633722ccf9544794b71b1385c3c027efe0c55db226fc880865c" +checksum = "35723e6a11662c2afb578bcf0b88bf6ea8e21282a953428f240574fcc3a2b5b3" dependencies = [ "clap_builder", "clap_derive", @@ -177,9 +150,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.4.18" +version = "4.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4df4df40ec50c46000231c914968278b1eb05098cf8f1b3a518a95030e71d1c7" +checksum = "49eb96cbfa7cfa35017b7cd548c75b14c3118c98b423041d70562665e07fb0fa" dependencies = [ "anstream", "anstyle", @@ -189,33 +162,33 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.4.7" +version = "4.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf9804afaaf59a91e75b022a30fb7229a7901f60c755489cc61c9b423b836442" +checksum = "5d029b67f89d30bbb547c89fd5161293c0aec155fc691d7924b64550662db93e" dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.72", ] [[package]] name = "clap_lex" -version = "0.6.0" +version = "0.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "702fc72eb24e5a1e48ce58027a675bc24edd52096d5397d4aea7c6dd9eca0bd1" +checksum = "1462739cb27611015575c0c11df5df7601141071f07518d56fcc1be504cbec97" [[package]] name = "colorchoice" -version = "1.0.0" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" +checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" [[package]] name = "comfy-table" -version = "7.1.0" +version = "7.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c64043d6c7b7a4c58e39e7efccfdea7b93d885a795d0c054a69dbbf4dd52686" +checksum = "b34115915337defe99b2aff5c2ce6771e5fbc4079f4b506301f5cf394c8452f7" dependencies = [ "crossterm", "strum", @@ -250,12 +223,12 @@ dependencies = [ "lazy_static", "libc", "unicode-width", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "cprover_bindings" -version = "0.45.0" +version = "0.53.0" dependencies = [ "lazy_static", "linear-map", @@ -289,9 +262,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.19" +version = "0.8.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "248e3bacc7dc6baa3b21e405ee045c3047101a49145e7e9eca583ab4c2ca5345" +checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80" [[package]] name = "crossterm" @@ -299,7 +272,7 @@ version = "0.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f476fe445d41c9e991fd07515a6f463074b782242ccf4a5b7b1d1012e70824df" dependencies = [ - "bitflags 2.4.2", + "bitflags", "crossterm_winapi", "libc", "parking_lot", @@ -315,11 +288,32 @@ dependencies = [ "winapi", ] +[[package]] +name = "csv" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac574ff4d437a7b5ad237ef331c17ccca63c46479e5b5453eb8e10bb99a759fe" +dependencies = [ + "csv-core", + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "csv-core" +version = "0.1.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5efa2b3d7902f4b634a20cae3c9c4e6209dc4779feb6863329607560143efa70" +dependencies = [ + "memchr", +] + [[package]] name = "either" -version = "1.9.0" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" +checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" [[package]] name = "encode_unicode" @@ -335,19 +329,19 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.8" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "fastrand" -version = "2.0.1" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" +checksum = "9fc0510504f03c51ada170672ac806f1f105a88aa97a5281117e1ddc3368e51a" [[package]] name = "getopts" @@ -360,9 +354,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.12" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5" +checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" dependencies = [ "cfg-if", "libc", @@ -377,24 +371,18 @@ checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" [[package]] name = "hashbrown" -version = "0.11.2" +version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e" +checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" dependencies = [ "ahash", ] -[[package]] -name = "hashbrown" -version = "0.14.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" - [[package]] name = "heck" -version = "0.4.1" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" [[package]] name = "home" @@ -402,44 +390,50 @@ version = "0.5.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" dependencies = [ - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "indexmap" -version = "2.2.2" +version = "2.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "824b2ae422412366ba479e8111fd301f7b5faece8149317bb81925979a53f520" +checksum = "168fb715dda47215e360912c096649d23d58bf392ac62f73919e831745e40f26" dependencies = [ "equivalent", - "hashbrown 0.14.3", + "hashbrown", ] +[[package]] +name = "is_terminal_polyfill" +version = "1.70.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" + [[package]] name = "itertools" -version = "0.12.1" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569" +checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186" dependencies = [ "either", ] [[package]] name = "itoa" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" +checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" [[package]] name = "kani" -version = "0.45.0" +version = "0.53.0" dependencies = [ "kani_macros", ] [[package]] name = "kani-compiler" -version = "0.45.0" +version = "0.53.0" dependencies = [ "clap", "cprover_bindings", @@ -460,7 +454,7 @@ dependencies = [ [[package]] name = "kani-driver" -version = "0.45.0" +version = "0.53.0" dependencies = [ "anyhow", "cargo_metadata", @@ -488,26 +482,33 @@ dependencies = [ [[package]] name = "kani-verifier" -version = "0.45.0" +version = "0.53.0" dependencies = [ "anyhow", "home", "os_info", ] +[[package]] +name = "kani_core" +version = "0.53.0" +dependencies = [ + "kani_macros", +] + [[package]] name = "kani_macros" -version = "0.45.0" +version = "0.53.0" dependencies = [ "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.72", ] [[package]] name = "kani_metadata" -version = "0.45.0" +version = "0.53.0" dependencies = [ "clap", "cprover_bindings", @@ -518,15 +519,15 @@ dependencies = [ [[package]] name = "lazy_static" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" [[package]] name = "libc" -version = "0.2.153" +version = "0.2.155" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" +checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" [[package]] name = "linear-map" @@ -540,15 +541,15 @@ dependencies = [ [[package]] name = "linux-raw-sys" -version = "0.4.13" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "lock_api" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" +checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" dependencies = [ "autocfg", "scopeguard", @@ -556,9 +557,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.20" +version = "0.4.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" +checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" [[package]] name = "matchers" @@ -571,9 +572,9 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.1" +version = "2.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" +checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "memuse" @@ -593,9 +594,9 @@ dependencies = [ [[package]] name = "num" -version = "0.4.1" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b05180d69e3da0e530ba2a1dae5110317e49e3b7f3d41be227dc5f92e49ee7af" +checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23" dependencies = [ "num-bigint", "num-complex", @@ -607,39 +608,37 @@ dependencies = [ [[package]] name = "num-bigint" -version = "0.4.4" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" +checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" dependencies = [ - "autocfg", "num-integer", "num-traits", ] [[package]] name = "num-complex" -version = "0.4.4" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ba157ca0885411de85d6ca030ba7e2a83a28636056c7c699b07c8b6f7383214" +checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495" dependencies = [ "num-traits", ] [[package]] name = "num-integer" -version = "0.1.45" +version = "0.1.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" +checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f" dependencies = [ - "autocfg", "num-traits", ] [[package]] name = "num-iter" -version = "0.1.43" +version = "0.1.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" dependencies = [ "autocfg", "num-integer", @@ -648,11 +647,10 @@ dependencies = [ [[package]] name = "num-rational" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" +checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824" dependencies = [ - "autocfg", "num-bigint", "num-integer", "num-traits", @@ -660,9 +658,9 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.17" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", ] @@ -675,12 +673,12 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "os_info" -version = "3.7.0" +version = "3.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "006e42d5b888366f1880eda20371fedde764ed2213dc8496f49622fa0c99cd5e" +checksum = "ae99c7fa6dd38c7cafe1ec085e804f8f555a2f8659b0dbe03f1f9963a9b51092" dependencies = [ "log", - "winapi", + "windows-sys", ] [[package]] @@ -691,9 +689,9 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" [[package]] name = "parking_lot" -version = "0.12.1" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" +checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" dependencies = [ "lock_api", "parking_lot_core", @@ -701,15 +699,15 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.9" +version = "0.9.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" +checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", "redox_syscall", "smallvec", - "windows-targets 0.48.5", + "windows-targets", ] [[package]] @@ -720,9 +718,9 @@ checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" [[package]] name = "pin-project-lite" -version = "0.2.13" +version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58" +checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" [[package]] name = "ppv-lite86" @@ -756,29 +754,18 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.78" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" +checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" dependencies = [ "unicode-ident", ] -[[package]] -name = "pulldown-cmark" -version = "0.9.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57206b407293d2bcd3af849ce869d52068623f19e1b5ff8e8778e3309439682b" -dependencies = [ - "bitflags 2.4.2", - "memchr", - "unicase", -] - [[package]] name = "quote" -version = "1.0.35" +version = "1.0.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" +checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" dependencies = [ "proc-macro2", ] @@ -815,9 +802,9 @@ dependencies = [ [[package]] name = "rayon" -version = "1.8.1" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa7237101a77a10773db45d62004a272517633fbcc3df19d96455ede1122e051" +checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa" dependencies = [ "either", "rayon-core", @@ -835,23 +822,23 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.4.1" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +checksum = "2a908a6e00f1fdd0dfd9c0eb08ce85126f6d8bbda50017e74bc4a4b7d4a926a4" dependencies = [ - "bitflags 1.3.2", + "bitflags", ] [[package]] name = "regex" -version = "1.10.3" +version = "1.10.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b62dbe01f0b06f9d8dc7d49e05a0785f153b00b2c227856282f671e0318c9b15" +checksum = "b91213439dad192326a0d7c6ee3955910425f441d7038e0d6933b0aec5c4517f" dependencies = [ "aho-corasick", "memchr", - "regex-automata 0.4.5", - "regex-syntax 0.8.2", + "regex-automata 0.4.7", + "regex-syntax 0.8.4", ] [[package]] @@ -865,13 +852,13 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.5" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bb987efffd3c6d0d8f5f89510bb458559eab11e4f869acb20bf845e016259cd" +checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df" dependencies = [ "aho-corasick", "memchr", - "regex-syntax 0.8.2", + "regex-syntax 0.8.4", ] [[package]] @@ -882,47 +869,40 @@ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" [[package]] name = "regex-syntax" -version = "0.8.2" +version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" +checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" [[package]] name = "rustc-demangle" -version = "0.1.23" +version = "0.1.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" - -[[package]] -name = "rustdoc" -version = "0.0.0" -dependencies = [ - "pulldown-cmark", -] +checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f" [[package]] name = "rustix" -version = "0.38.31" +version = "0.38.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ea3e1a662af26cd7a3ba09c0297a31af215563ecf42817c98df621387f4e949" +checksum = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f" dependencies = [ - "bitflags 2.4.2", + "bitflags", "errno", "libc", "linux-raw-sys", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "rustversion" -version = "1.0.14" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" +checksum = "955d28af4278de8121b7ebeb796b6a45735dc01436d898801014aced2773a3d6" [[package]] name = "ryu" -version = "1.0.16" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c" +checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" [[package]] name = "same-file" @@ -933,6 +913,16 @@ dependencies = [ "winapi-util", ] +[[package]] +name = "scanner" +version = "0.0.0" +dependencies = [ + "csv", + "serde", + "strum", + "strum_macros", +] + [[package]] name = "scopeguard" version = "1.2.0" @@ -941,49 +931,50 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "semver" -version = "1.0.21" +version = "1.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0" +checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" dependencies = [ "serde", ] [[package]] name = "serde" -version = "1.0.196" +version = "1.0.204" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32" +checksum = "bc76f558e0cbb2a839d37354c575f1dc3fdc6546b5be373ba43d95f231bf7c12" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.196" +version = "1.0.204" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67" +checksum = "e0cd7e117be63d3c3678776753929474f3b04a43a080c744d6b0ae2a8c28e222" dependencies = [ "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.72", ] [[package]] name = "serde_json" -version = "1.0.113" +version = "1.0.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69801b70b1c3dac963ecb03a364ba0ceda9cf60c71cfe475e99864759c8b8a79" +checksum = "4ab380d7d9f22ef3f21ad3e6c1ebe8e4fc7a2000ccba2e4d71fc96f15b2cb609" dependencies = [ "itoa", + "memchr", "ryu", "serde", ] [[package]] name = "serde_spanned" -version = "0.6.5" +version = "0.6.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb3622f419d1296904700073ea6cc23ad690adbd66f13ea683df73298736f0c1" +checksum = "eb5b1b31579f3811bf615c144393417496f152e12ac8b7663bf664f4a815306d" dependencies = [ "serde", ] @@ -999,9 +990,9 @@ dependencies = [ [[package]] name = "serde_yaml" -version = "0.9.31" +version = "0.9.34+deprecated" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "adf8a49373e98a4c5f0ceb5d05aa7c648d75f63774981ed95b7c7443bbd50c6e" +checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47" dependencies = [ "indexmap", "itoa", @@ -1027,51 +1018,51 @@ checksum = "24188a676b6ae68c3b2cb3a01be17fbf7240ce009799bb56d5b1409051e78fde" [[package]] name = "smallvec" -version = "1.13.1" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "std" -version = "0.45.0" +version = "0.53.0" dependencies = [ "kani", ] [[package]] name = "string-interner" -version = "0.14.0" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91e2531d8525b29b514d25e275a43581320d587b86db302b9a7e464bac579648" +checksum = "1c6a0d765f5807e98a091107bae0a56ea3799f66a5de47b2c84c94a39c09974e" dependencies = [ "cfg-if", - "hashbrown 0.11.2", + "hashbrown", "serde", ] [[package]] name = "strsim" -version = "0.10.0" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "strum" -version = "0.25.0" +version = "0.26.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" +checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06" [[package]] name = "strum_macros" -version = "0.25.3" +version = "0.26.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0" +checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be" dependencies = [ "heck", "proc-macro2", "quote", "rustversion", - "syn 2.0.48", + "syn 2.0.72", ] [[package]] @@ -1086,9 +1077,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.48" +version = "2.0.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" +checksum = "dc4b9b9bf2add8093d3f2c0204471e951b2285580335de42f9d2534f3ae7a8af" dependencies = [ "proc-macro2", "quote", @@ -1097,42 +1088,41 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.9.0" +version = "3.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01ce4141aa927a6d1bd34a041795abd0db1cccba5d5f24b009f694bdf3a1f3fa" +checksum = "85b77fafb263dd9d05cbeac119526425676db3784113aa9295c88498cbf8bff1" dependencies = [ "cfg-if", "fastrand", - "redox_syscall", "rustix", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "thiserror" -version = "1.0.56" +version = "1.0.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d54378c645627613241d077a3a79db965db602882668f9136ac42af9ecb730ad" +checksum = "c0342370b38b6a11b6cc11d6a805569958d54cfa061a29969c3b5ce2ea405724" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.56" +version = "1.0.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa0faa943b50f3db30a20aa7e265dbc66076993efed8463e8de414e5d06d3471" +checksum = "a4558b58466b9ad7ca0f102865eccc95938dca1a74a856f2b57b6629050da261" dependencies = [ "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.72", ] [[package]] name = "thread_local" -version = "1.1.7" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdd6f064ccff2d6567adcb3873ca630700f00b5ad3f060c25b5dcfd9a4ce152" +checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c" dependencies = [ "cfg-if", "once_cell", @@ -1140,9 +1130,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.9" +version = "0.8.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6a4b9e8023eb94392d3dca65d717c53abc5dad49c07cb65bb8fcd87115fa325" +checksum = "81967dd0dd2c1ab0bc3468bd7caecc32b8a4aa47d0c8c695d8c2b2108168d62c" dependencies = [ "serde", "serde_spanned", @@ -1152,18 +1142,18 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.6.5" +version = "0.6.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3550f4e9685620ac18a50ed434eb3aec30db8ba93b0287467bca5826ea25baf1" +checksum = "f8fb9f64314842840f1d940ac544da178732128f1c78c21772e876579e0da1db" dependencies = [ "serde", ] [[package]] name = "toml_edit" -version = "0.21.1" +version = "0.22.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a8534fd7f78b5405e860340ad6575217ce99f38d4d5c8f2442cb5ecb50090e1" +checksum = "8d9f8729f5aea9562aac1cc0441f5d6de3cff1ee0c5d67293eeca5eb36ee7c16" dependencies = [ "indexmap", "serde", @@ -1191,7 +1181,7 @@ checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.72", ] [[package]] @@ -1247,15 +1237,6 @@ dependencies = [ "tracing-serde", ] -[[package]] -name = "unicase" -version = "2.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f7d2d4dafb69621809a81864c9c1b864479e1235c0dd4e199924b9742439ed89" -dependencies = [ - "version_check", -] - [[package]] name = "unicode-ident" version = "1.0.12" @@ -1264,21 +1245,21 @@ checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unicode-width" -version = "0.1.11" +version = "0.1.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85" +checksum = "0336d538f7abc86d282a4189614dfaa90810dfc2c6f6427eaf88e16311dd225d" [[package]] name = "unsafe-libyaml" -version = "0.2.10" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b" +checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861" [[package]] name = "utf8parse" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" +checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "valuable" @@ -1288,9 +1269,9 @@ checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" [[package]] name = "version_check" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" +checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" [[package]] name = "wait-timeout" @@ -1303,9 +1284,9 @@ dependencies = [ [[package]] name = "walkdir" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d71d857dc86794ca4c280d616f7da00d2dbfd8cd788846559a6813e6aa4b54ee" +checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b" dependencies = [ "same-file", "winapi-util", @@ -1319,15 +1300,14 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "which" -version = "5.0.0" +version = "6.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9bf3ea8596f3a0dd5980b46430f2058dfe2c36a27ccfbb1845d6fbfcd9ba6e14" +checksum = "8211e4f58a2b2805adfbefbc07bab82958fc91e3836339b1ab7ae32465dce0d7" dependencies = [ "either", "home", - "once_cell", "rustix", - "windows-sys 0.48.0", + "winsafe", ] [[package]] @@ -1348,11 +1328,11 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" [[package]] name = "winapi-util" -version = "0.1.6" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596" +checksum = "4d4cc384e1e73b93bafa6fb4f1df8c41695c8a91cf9c4c64358067d15a7b6c6b" dependencies = [ - "winapi", + "windows-sys", ] [[package]] @@ -1361,143 +1341,110 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" -[[package]] -name = "windows-sys" -version = "0.48.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" -dependencies = [ - "windows-targets 0.48.5", -] - [[package]] name = "windows-sys" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets 0.52.0", + "windows-targets", ] [[package]] name = "windows-targets" -version = "0.48.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm 0.48.5", - "windows_aarch64_msvc 0.48.5", - "windows_i686_gnu 0.48.5", - "windows_i686_msvc 0.48.5", - "windows_x86_64_gnu 0.48.5", - "windows_x86_64_gnullvm 0.48.5", - "windows_x86_64_msvc 0.48.5", + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_gnullvm", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", ] -[[package]] -name = "windows-targets" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" -dependencies = [ - "windows_aarch64_gnullvm 0.52.0", - "windows_aarch64_msvc 0.52.0", - "windows_i686_gnu 0.52.0", - "windows_i686_msvc 0.52.0", - "windows_x86_64_gnu 0.52.0", - "windows_x86_64_gnullvm 0.52.0", - "windows_x86_64_msvc 0.52.0", -] - -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.48.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" - [[package]] name = "windows_aarch64_gnullvm" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" [[package]] name = "windows_aarch64_msvc" -version = "0.48.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" - -[[package]] -name = "windows_aarch64_msvc" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" [[package]] name = "windows_i686_gnu" -version = "0.48.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" [[package]] -name = "windows_i686_gnu" -version = "0.52.0" +name = "windows_i686_gnullvm" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" [[package]] name = "windows_i686_msvc" -version = "0.48.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" - -[[package]] -name = "windows_i686_msvc" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" [[package]] name = "windows_x86_64_gnu" -version = "0.48.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" [[package]] -name = "windows_x86_64_gnu" -version = "0.52.0" +name = "windows_x86_64_gnullvm" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" [[package]] -name = "windows_x86_64_gnullvm" -version = "0.48.5" +name = "windows_x86_64_msvc" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] -name = "windows_x86_64_gnullvm" -version = "0.52.0" +name = "winnow" +version = "0.6.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" +checksum = "b480ae9340fc261e6be3e95a1ba86d54ae3f9171132a73ce8d4bbaf68339507c" +dependencies = [ + "memchr", +] [[package]] -name = "windows_x86_64_msvc" -version = "0.48.5" +name = "winsafe" +version = "0.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" +checksum = "d135d17ab770252ad95e9a872d365cf3090e3be864a34ab46f48555993efc904" [[package]] -name = "windows_x86_64_msvc" -version = "0.52.0" +name = "zerocopy" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" +checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0" +dependencies = [ + "zerocopy-derive", +] [[package]] -name = "winnow" -version = "0.5.37" +name = "zerocopy-derive" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7cad8365489051ae9f054164e459304af2e7e9bb407c958076c8bf4aef52da5" +checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ - "memchr", + "proc-macro2", + "quote", + "syn 2.0.72", ] diff --git a/Cargo.toml b/Cargo.toml index df9559e378b6..68b5bcc20ff3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani-verifier" -version = "0.45.0" +version = "0.53.0" edition = "2021" description = "A bit-precise model checker for Rust." readme = "README.md" @@ -38,14 +38,13 @@ strip = "debuginfo" members = [ "library/kani", "library/std", - "tools/bookrunner", "tools/compiletest", "tools/build-kani", + "tools/scanner", "kani-driver", "kani-compiler", "kani_metadata", - # `librustdoc` is still needed by bookrunner. - "tools/bookrunner/librustdoc", + "library/kani_core", ] # This indicates what package to e.g. build with 'cargo build' without --workspace @@ -65,8 +64,10 @@ exclude = [ "tests/perf", "tests/cargo-ui", "tests/slow", + "tests/std-checks", "tests/assess-scan-test-scaffold", "tests/script-based-pre", "tests/script-based-pre/build-cache-bin/target/new_dep", "tests/script-based-pre/build-cache-dirty/target/new_dep", + "tests/script-based-pre/verify_std_cmd/tmp_dir/target/kani_verify_std", ] diff --git a/cprover_bindings/Cargo.toml b/cprover_bindings/Cargo.toml index 5205872f6788..aced9e5b9b65 100644 --- a/cprover_bindings/Cargo.toml +++ b/cprover_bindings/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "cprover_bindings" -version = "0.45.0" +version = "0.53.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -17,7 +17,7 @@ lazy_static = "1.4.0" num = "0.4.0" num-traits = "0.2" serde = {version = "1", features = ["derive"]} -string-interner = "0.14.0" +string-interner = "0.17.0" tracing = "0.1" linear-map = {version = "1.2", features = ["serde_impl"]} diff --git a/cprover_bindings/src/cbmc_string.rs b/cprover_bindings/src/cbmc_string.rs index b487b7615122..4c392f647759 100644 --- a/cprover_bindings/src/cbmc_string.rs +++ b/cprover_bindings/src/cbmc_string.rs @@ -3,6 +3,7 @@ use lazy_static::lazy_static; use std::sync::Mutex; +use string_interner::backend::StringBackend; use string_interner::symbol::SymbolU32; use string_interner::StringInterner; @@ -24,7 +25,8 @@ pub struct InternedString(SymbolU32); // Use a `Mutex` to make this thread safe. lazy_static! { - static ref INTERNER: Mutex = Mutex::new(StringInterner::default()); + static ref INTERNER: Mutex> = + Mutex::new(StringInterner::default()); } impl InternedString { diff --git a/cprover_bindings/src/env.rs b/cprover_bindings/src/env.rs index 42080e52119a..d31d213aa7d2 100644 --- a/cprover_bindings/src/env.rs +++ b/cprover_bindings/src/env.rs @@ -8,7 +8,7 @@ //! c.f. CBMC code [src/ansi-c/ansi_c_internal_additions.cpp]. //! One possible invocation of this insertion in CBMC can be found in \[ansi_c_languaget::parse\]. -use super::goto_program::{Expr, Location, Symbol, Type}; +use super::goto_program::{Expr, Location, Symbol, SymbolTable, Type}; use super::MachineModel; use num::bigint::BigInt; fn int_constant(name: &str, value: T) -> Symbol @@ -71,6 +71,8 @@ pub fn machine_model_symbols(mm: &MachineModel) -> Vec { ] } +const DEAD_OBJECT_IDENTIFIER: &str = "__CPROVER_dead_object"; + pub fn additional_env_symbols() -> Vec { vec![ Symbol::builtin_function("__CPROVER_initialize", vec![], Type::empty()), @@ -82,5 +84,16 @@ pub fn additional_env_symbols() -> Vec { Location::none(), ) .with_is_extern(true), + Symbol::static_variable( + DEAD_OBJECT_IDENTIFIER, + DEAD_OBJECT_IDENTIFIER, + Type::void_pointer(), + Location::none(), + ) + .with_is_extern(true), ] } + +pub fn global_dead_object(symbol_table: &SymbolTable) -> Expr { + symbol_table.lookup(DEAD_OBJECT_IDENTIFIER).unwrap().to_expr() +} diff --git a/cprover_bindings/src/goto_program/builtin.rs b/cprover_bindings/src/goto_program/builtin.rs index 438bc2eea1e9..a0c1f211b5e2 100644 --- a/cprover_bindings/src/goto_program/builtin.rs +++ b/cprover_bindings/src/goto_program/builtin.rs @@ -4,6 +4,8 @@ use self::BuiltinFn::*; use super::{Expr, Location, Symbol, Type}; +use std::fmt::Display; + #[derive(Debug, Clone, Copy)] pub enum BuiltinFn { Abort, @@ -67,9 +69,9 @@ pub enum BuiltinFn { Unlink, } -impl ToString for BuiltinFn { - fn to_string(&self) -> String { - match self { +impl Display for BuiltinFn { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + let func = match self { Abort => "abort", Assert => "assert", CProverAssume => "__CPROVER_assume", @@ -129,8 +131,8 @@ impl ToString for BuiltinFn { Trunc => "trunc", Truncf => "truncf", Unlink => "unlink", - } - .to_string() + }; + write!(f, "{func}") } } diff --git a/cprover_bindings/src/goto_program/expr.rs b/cprover_bindings/src/goto_program/expr.rs index 09adbdb20df3..16f33115e0ff 100644 --- a/cprover_bindings/src/goto_program/expr.rs +++ b/cprover_bindings/src/goto_program/expr.rs @@ -98,7 +98,11 @@ pub enum ExprValue { // {} EmptyUnion, /// `1.0f` + Float16Constant(f16), + /// `1.0f` FloatConstant(f32), + /// `Float 128 example` + Float128Constant(f128), /// `function(arguments)` FunctionCall { function: Expr, @@ -126,6 +130,10 @@ pub enum ExprValue { Nondet, /// `NULL` PointerConstant(u64), + ReadOk { + ptr: Expr, + size: Expr, + }, // `op++` etc SelfOp { op: SelfOperator, @@ -136,6 +144,7 @@ pub enum ExprValue { /// `({ op1; op2; ...})` StatementExpression { statements: Vec, + location: Location, }, /// A raw string constant. Note that you normally actually want a pointer to the first element. /// `"s"` @@ -385,6 +394,7 @@ impl Expr { source.is_integer() || source.is_pointer() || source.is_bool() } else if target.is_integer() { source.is_c_bool() + || source.is_bool() || source.is_integer() || source.is_floating_point() || source.is_pointer() @@ -575,6 +585,28 @@ impl Expr { expr!(EmptyUnion, typ) } + /// `3.14f` + pub fn float16_constant(c: f16) -> Self { + expr!(Float16Constant(c), Type::float16()) + } + + /// `union {_Float16 f; uint16_t bp} u = {.bp = 0x1234}; >>> u.f <<<` + pub fn float16_constant_from_bitpattern(bp: u16) -> Self { + let c = f16::from_bits(bp); + Self::float16_constant(c) + } + + /// `3.14159265358979323846264338327950288L` + pub fn float128_constant(c: f128) -> Self { + expr!(Float128Constant(c), Type::float128()) + } + + /// `union {_Float128 f; __uint128_t bp} u = {.bp = 0x1234}; >>> u.f <<<` + pub fn float128_constant_from_bitpattern(bp: u128) -> Self { + let c = f128::from_bits(bp); + Self::float128_constant(c) + } + /// `1.0f` pub fn float_constant(c: f32) -> Self { expr!(FloatConstant(c), Type::float()) @@ -717,6 +749,14 @@ impl Expr { expr!(Nondet, typ) } + /// `read_ok(ptr, size)` + pub fn read_ok(ptr: Expr, size: Expr) -> Self { + assert_eq!(*ptr.typ(), Type::void_pointer()); + assert_eq!(*size.typ(), Type::size_t()); + + expr!(ReadOk { ptr, size }, Type::bool()) + } + /// `e.g. NULL` pub fn pointer_constant(c: u64, typ: Type) -> Self { assert!(typ.is_pointer()); @@ -726,10 +766,10 @@ impl Expr { /// /// e.g. `({ int y = foo (); int z; if (y > 0) z = y; else z = - y; z; })` /// `({ op1; op2; ...})` - pub fn statement_expression(ops: Vec, typ: Type) -> Self { + pub fn statement_expression(ops: Vec, typ: Type, loc: Location) -> Self { assert!(!ops.is_empty()); assert_eq!(ops.last().unwrap().get_expression().unwrap().typ, typ); - expr!(StatementExpression { statements: ops }, typ) + expr!(StatementExpression { statements: ops, location: loc }, typ).with_location(loc) } /// Internal helper function for Struct initalizer @@ -1042,6 +1082,7 @@ impl Expr { /// ). /// The signedness doesn't matter, as the result for each element is /// either "all ones" (true) or "all zeros" (false). + /// /// For example, one can use `simd_eq` on two `f64x4` vectors and assign the /// result to a `u64x4` vector. But it's not possible to assign it to: (1) a /// `u64x2` because they don't have the same length; or (2) another `f64x4` @@ -1318,11 +1359,11 @@ impl Expr { fn unop_return_type(op: UnaryOperator, arg: &Expr) -> Type { match op { Bitnot | BitReverse | Bswap | UnaryMinus => arg.typ.clone(), - CountLeadingZeros { .. } | CountTrailingZeros { .. } => arg.typ.clone(), + CountLeadingZeros { .. } | CountTrailingZeros { .. } => Type::unsigned_int(32), ObjectSize | PointerObject => Type::size_t(), PointerOffset => Type::ssize_t(), IsDynamicObject | IsFinite | Not => Type::bool(), - Popcount => arg.typ.clone(), + Popcount => Type::unsigned_int(32), } } /// Private helper function to make unary operators @@ -1652,7 +1693,7 @@ impl Expr { continue; } let name = field.name(); - exprs.insert(name, self.clone().member(&name.to_string(), symbol_table)); + exprs.insert(name, self.clone().member(name.to_string(), symbol_table)); } } } diff --git a/cprover_bindings/src/goto_program/location.rs b/cprover_bindings/src/goto_program/location.rs index 79b123ad8b0e..9a2a046f6387 100644 --- a/cprover_bindings/src/goto_program/location.rs +++ b/cprover_bindings/src/goto_program/location.rs @@ -1,7 +1,6 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::cbmc_string::{InternStringOption, InternedString}; -use std::convert::TryInto; use std::fmt::Debug; /// A `Location` represents a source location. @@ -20,6 +19,7 @@ pub enum Location { start_col: Option, end_line: u64, end_col: Option, + pragmas: &'static [&'static str], // CBMC `#pragma check` statements per location. }, /// Location for Statements that use Property Class and Description - Assert, Assume, Cover etc. Property { @@ -29,6 +29,7 @@ pub enum Location { col: Option, comment: InternedString, property_class: InternedString, + pragmas: &'static [&'static str], // CBMC `#pragma check` statements per location. }, /// Covers cases where Location Details are unknown or set as None but Property Class is needed. PropertyUnknownLocation { comment: InternedString, property_class: InternedString }, @@ -100,6 +101,7 @@ impl Location { start_col: Option, end_line: T, end_col: Option, + pragmas: &'static [&'static str], ) -> Location where T: TryInto, @@ -118,6 +120,7 @@ impl Location { start_col: start_col_into, end_line: end_line_into, end_col: end_col_into, + pragmas, } } @@ -129,6 +132,7 @@ impl Location { col: Option, comment: U, property_name: U, + pragmas: &'static [&'static str], ) -> Location where T: TryInto, @@ -141,7 +145,7 @@ impl Location { let function = function.intern(); let property_class = property_name.into(); let comment = comment.into(); - Location::Property { file, function, line, col, comment, property_class } + Location::Property { file, function, line, col, comment, property_class, pragmas } } /// Create a Property type Location from an already existing Location type @@ -158,17 +162,25 @@ impl Location { None, comment.into(), property_name.into(), + &[], + ), + Location::Loc { + file, + function, + start_line, + start_col, + end_line: _, + end_col: _, + pragmas, + } => Location::property_location( + file.into(), + function.intern(), + start_line, + start_col, + comment.into(), + property_name.into(), + pragmas, ), - Location::Loc { file, function, start_line, start_col, end_line: _, end_col: _ } => { - Location::property_location( - file.into(), - function.intern(), - start_line, - start_col, - comment.into(), - property_name.into(), - ) - } Location::Property { .. } => location, Location::PropertyUnknownLocation { .. } => location, // This converts None type Locations to PropertyUnknownLocation type which inserts Property Class and Description diff --git a/cprover_bindings/src/goto_program/stmt.rs b/cprover_bindings/src/goto_program/stmt.rs index 58755a0bffae..951e58f9a954 100644 --- a/cprover_bindings/src/goto_program/stmt.rs +++ b/cprover_bindings/src/goto_program/stmt.rs @@ -57,6 +57,8 @@ pub enum StmtBody { Break, /// `continue;` Continue, + /// End-of-life of a local variable + Dead(Expr), /// `lhs.typ lhs = value;` or `lhs.typ lhs;` Decl { lhs: Expr, // SymbolExpr @@ -232,6 +234,11 @@ impl Stmt { BuiltinFn::CProverCover.call(vec![cond], loc).as_stmt(loc) } + /// Local variable goes out of scope + pub fn dead(symbol: Expr, loc: Location) -> Self { + stmt!(Dead(symbol), loc) + } + /// `lhs.typ lhs = value;` or `lhs.typ lhs;` pub fn decl(lhs: Expr, value: Option, loc: Location) -> Self { assert!(lhs.is_symbol()); diff --git a/cprover_bindings/src/goto_program/symbol.rs b/cprover_bindings/src/goto_program/symbol.rs index b1082a8f1f80..457be1163a3a 100644 --- a/cprover_bindings/src/goto_program/symbol.rs +++ b/cprover_bindings/src/goto_program/symbol.rs @@ -4,8 +4,12 @@ use super::super::utils::aggr_tag; use super::{DatatypeComponent, Expr, Location, Parameter, Stmt, Type}; use crate::{InternStringOption, InternedString}; +use std::fmt::Display; + /// Based off the CBMC symbol implementation here: /// +/// +/// TODO: We should consider using BitFlags for all the boolean flags. #[derive(Clone, Debug)] pub struct Symbol { /// Unique identifier. Mangled name from compiler `foo12_bar17_x@1` @@ -44,6 +48,14 @@ pub struct Symbol { pub is_thread_local: bool, pub is_volatile: bool, pub is_weak: bool, + + /// This flag marks a variable as constant (IrepId: `ID_C_constant`). + /// + /// In CBMC, this is a property of the type or expression. However, we keep it here to avoid + /// having to propagate the attribute to all variants of `Type` and `Expr`. + /// + /// During contract verification, CBMC will not havoc static variables marked as constant. + pub is_static_const: bool, } /// The equivalent of a "mathematical function" in CBMC. Semantically this is an @@ -155,6 +167,7 @@ impl Symbol { is_lvalue: false, is_parameter: false, is_static_lifetime: false, + is_static_const: false, is_thread_local: false, is_volatile: false, is_weak: false, @@ -361,6 +374,11 @@ impl Symbol { self } + pub fn set_is_static_const(&mut self, v: bool) -> &mut Symbol { + self.is_static_const = v; + self + } + pub fn with_is_state_var(mut self, v: bool) -> Symbol { self.is_state_var = v; self @@ -381,11 +399,21 @@ impl Symbol { self } + pub fn set_pretty_name>(&mut self, pretty_name: T) -> &mut Symbol { + self.pretty_name = Some(pretty_name.into()); + self + } + pub fn with_is_hidden(mut self, hidden: bool) -> Symbol { self.is_auxiliary = hidden; self } + pub fn set_is_hidden(&mut self, hidden: bool) -> &mut Symbol { + self.is_auxiliary = hidden; + self + } + /// Set `is_property`. pub fn with_is_property(mut self, v: bool) -> Self { self.is_property = v; @@ -452,14 +480,13 @@ impl SymbolValues { } } -/// ToString - -impl ToString for SymbolModes { - fn to_string(&self) -> String { - match self { +/// Display +impl Display for SymbolModes { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + let mode = match self { SymbolModes::C => "C", SymbolModes::Rust => "Rust", - } - .to_string() + }; + write!(f, "{mode}") } } diff --git a/cprover_bindings/src/goto_program/symbol_table.rs b/cprover_bindings/src/goto_program/symbol_table.rs index 8125c8df3cd9..cd5bd8a6d967 100644 --- a/cprover_bindings/src/goto_program/symbol_table.rs +++ b/cprover_bindings/src/goto_program/symbol_table.rs @@ -107,6 +107,11 @@ impl SymbolTable { self.symbol_table.get(&name) } + pub fn lookup_mut>(&mut self, name: T) -> Option<&mut Symbol> { + let name = name.into(); + self.symbol_table.get_mut(&name) + } + pub fn machine_model(&self) -> &MachineModel { &self.machine_model } diff --git a/cprover_bindings/src/goto_program/typ.rs b/cprover_bindings/src/goto_program/typ.rs index dd07c150bb3f..d0cc8821a447 100644 --- a/cprover_bindings/src/goto_program/typ.rs +++ b/cprover_bindings/src/goto_program/typ.rs @@ -7,7 +7,6 @@ use super::super::MachineModel; use super::{Expr, SymbolTable}; use crate::cbmc_string::InternedString; use std::collections::BTreeMap; -use std::convert::TryInto; use std::fmt::Debug; /////////////////////////////////////////////////////////////////////////////////////////////// @@ -42,6 +41,10 @@ pub enum Type { FlexibleArray { typ: Box }, /// `float` Float, + /// `_Float16` + Float16, + /// `_Float128` + Float128, /// `struct x {}` IncompleteStruct { tag: InternedString }, /// `union x {}` @@ -167,6 +170,8 @@ impl DatatypeComponent { | Double | FlexibleArray { .. } | Float + | Float16 + | Float128 | Integer | Pointer { .. } | Signedbv { .. } @@ -364,6 +369,8 @@ impl Type { Double => st.machine_model().double_width, Empty => 0, FlexibleArray { .. } => 0, + Float16 => 16, + Float128 => 128, Float => st.machine_model().float_width, IncompleteStruct { .. } => unreachable!("IncompleteStruct doesn't have a sizeof"), IncompleteUnion { .. } => unreachable!("IncompleteUnion doesn't have a sizeof"), @@ -533,6 +540,22 @@ impl Type { } } + pub fn is_float_16(&self) -> bool { + let concrete = self.unwrap_typedef(); + match concrete { + Float16 => true, + _ => false, + } + } + + pub fn is_float_128(&self) -> bool { + let concrete = self.unwrap_typedef(); + match concrete { + Float128 => true, + _ => false, + } + } + pub fn is_float(&self) -> bool { let concrete = self.unwrap_typedef(); match concrete { @@ -544,7 +567,7 @@ impl Type { pub fn is_floating_point(&self) -> bool { let concrete = self.unwrap_typedef(); match concrete { - Double | Float => true, + Double | Float | Float16 | Float128 => true, _ => false, } } @@ -578,6 +601,8 @@ impl Type { | CInteger(_) | Double | Float + | Float16 + | Float128 | Integer | Pointer { .. } | Signedbv { .. } @@ -633,6 +658,8 @@ impl Type { | Double | Empty | Float + | Float16 + | Float128 | Integer | Pointer { .. } | Signedbv { .. } @@ -919,6 +946,8 @@ impl Type { | CInteger(_) | Double | Float + | Float16 + | Float128 | Integer | Pointer { .. } | Signedbv { .. } @@ -1043,6 +1072,14 @@ impl Type { FlexibleArray { typ: Box::new(self) } } + pub fn float16() -> Self { + Float16 + } + + pub fn float128() -> Self { + Float128 + } + pub fn float() -> Self { Float } @@ -1276,6 +1313,10 @@ impl Type { Expr::c_true() } else if self.is_float() { Expr::float_constant(1.0) + } else if self.is_float_16() { + Expr::float16_constant(1.0) + } else if self.is_float_128() { + Expr::float128_constant(1.0) } else if self.is_double() { Expr::double_constant(1.0) } else { @@ -1292,6 +1333,10 @@ impl Type { Expr::c_false() } else if self.is_float() { Expr::float_constant(0.0) + } else if self.is_float_16() { + Expr::float16_constant(0.0) + } else if self.is_float_128() { + Expr::float128_constant(0.0) } else if self.is_double() { Expr::double_constant(0.0) } else if self.is_pointer() { @@ -1310,6 +1355,8 @@ impl Type { | CInteger(_) | Double | Float + | Float16 + | Float128 | Integer | Pointer { .. } | Signedbv { .. } @@ -1414,6 +1461,8 @@ impl Type { Type::Empty => "empty".to_string(), Type::FlexibleArray { typ } => format!("flexarray_of_{}", typ.to_identifier()), Type::Float => "float".to_string(), + Type::Float16 => "float16".to_string(), + Type::Float128 => "float128".to_string(), Type::IncompleteStruct { tag } => tag.to_string(), Type::IncompleteUnion { tag } => tag.to_string(), Type::InfiniteArray { typ } => { @@ -1513,6 +1562,8 @@ mod type_tests { assert_eq!(type_def.is_unsigned(&mm), src_type.is_unsigned(&mm)); assert_eq!(type_def.is_scalar(), src_type.is_scalar()); assert_eq!(type_def.is_float(), src_type.is_float()); + assert_eq!(type_def.is_float_16(), src_type.is_float_16()); + assert_eq!(type_def.is_float_128(), src_type.is_float_128()); assert_eq!(type_def.is_floating_point(), src_type.is_floating_point()); assert_eq!(type_def.width(), src_type.width()); assert_eq!(type_def.can_be_lvalue(), src_type.can_be_lvalue()); diff --git a/cprover_bindings/src/irep/goto_binary_serde.rs b/cprover_bindings/src/irep/goto_binary_serde.rs index 4eb1a0720f22..6f821768f996 100644 --- a/cprover_bindings/src/irep/goto_binary_serde.rs +++ b/cprover_bindings/src/irep/goto_binary_serde.rs @@ -11,7 +11,7 @@ use std::io::{self, BufReader}; use std::io::{BufWriter, Bytes, Error, ErrorKind, Read, Write}; use std::path::Path; -/// Writes a symbol table to a file in goto binary format in version 5. +/// Writes a symbol table to a file in goto binary format in version 6. /// /// In CBMC, the serialization rules are defined in : /// - src/goto-programs/write_goto_binary.h @@ -26,7 +26,7 @@ pub fn write_goto_binary_file(filename: &Path, source: &crate::goto_program::Sym serializer.write_file(irep_symbol_table); } -/// Reads a symbol table from a file expected to be in goto binary format in version 5. +/// Reads a symbol table from a file expected to be in goto binary format in version 6. // /// In CBMC, the deserialization rules are defined in : /// - src/goto-programs/read_goto_binary.h @@ -78,11 +78,9 @@ pub fn read_goto_binary_file(filename: &Path) -> io::Result<()> { /// [NumberedIrep] from its unique number. /// /// In practice: -/// - the forward directon from [IrepKey] to unique numbers is -/// implemented using a `HashMap` -/// - the inverse direction from unique numbers to [NumberedIrep] is implemented -/// using a `Vec` called the `index` that stores [NumberedIrep] -/// under their unique number. +/// - the forward directon from [IrepKey] to unique numbers is implemented using a `HashMap` +/// - the inverse direction from unique numbers to [NumberedIrep] is implemented usign a `Vec` +/// called the `index` that stores [NumberedIrep] under their unique number. /// /// Earlier we said that an [NumberedIrep] is conceptually a pair formed of /// an [IrepKey] and its unique number. It is represented using only @@ -542,7 +540,7 @@ where assert!(written == 4); // Write goto binary version - self.write_usize_varenc(5); + self.write_usize_varenc(6); } /// Writes the symbol table using the GOTO binary file format to the byte stream. @@ -923,12 +921,12 @@ where // Read goto binary version let goto_binary_version = self.read_usize_varenc()?; - if goto_binary_version != 5 { + if goto_binary_version != 6 { return Err(Error::new( ErrorKind::Other, format!( "Unsupported GOTO binary version: {}. Supported version: {}", - goto_binary_version, 5 + goto_binary_version, 6 ), )); } diff --git a/cprover_bindings/src/irep/irep_id.rs b/cprover_bindings/src/irep/irep_id.rs index cad6eb563bf4..69962edf150e 100644 --- a/cprover_bindings/src/irep/irep_id.rs +++ b/cprover_bindings/src/irep/irep_id.rs @@ -8,6 +8,8 @@ use crate::cbmc_string::InternedString; use crate::utils::NumUtils; use num::bigint::{BigInt, BigUint, Sign}; +use std::fmt::Display; + #[derive(PartialEq, Eq, PartialOrd, Ord, Clone, Debug)] pub enum IrepId { /// In addition to the standard enums defined below, CBMC also allows ids to be strings. @@ -281,6 +283,8 @@ pub enum IrepId { Short, Long, Float, + Float16, + Float128, Double, Byte, Boolean, @@ -362,7 +366,7 @@ pub enum IrepId { Div, Power, FactorialPower, - PrettyName, + CPrettyName, CClass, CField, CInterface, @@ -872,15 +876,19 @@ impl IrepId { } } -impl ToString for IrepId { - fn to_string(&self) -> String { +impl Display for IrepId { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { match self { - IrepId::FreeformString(s) => return s.to_string(), - IrepId::FreeformInteger(i) => return i.to_string(), + IrepId::FreeformString(s) => { + return write!(f, "{s}"); + } + IrepId::FreeformInteger(i) => { + return write!(f, "{i}"); + } IrepId::FreeformBitPattern(i) => { - return format!("{i:X}"); + return write!(f, "{i:X}"); } - _ => (), + _ => {} } let s = match self { @@ -1151,6 +1159,8 @@ impl ToString for IrepId { IrepId::Short => "short", IrepId::Long => "long", IrepId::Float => "float", + IrepId::Float16 => "float16", + IrepId::Float128 => "float128", IrepId::Double => "double", IrepId::Byte => "byte", IrepId::Boolean => "boolean", @@ -1232,7 +1242,7 @@ impl ToString for IrepId { IrepId::Div => "/", IrepId::Power => "**", IrepId::FactorialPower => "factorial_power", - IrepId::PrettyName => "pretty_name", + IrepId::CPrettyName => "#pretty_name", IrepId::CClass => "#class", IrepId::CField => "#field", IrepId::CInterface => "#interface", @@ -1708,7 +1718,7 @@ impl ToString for IrepId { IrepId::VectorGt => "vector->", IrepId::VectorLt => "vector-<", }; - s.to_string() + write!(f, "{s}") } } diff --git a/cprover_bindings/src/irep/to_irep.rs b/cprover_bindings/src/irep/to_irep.rs index 16b8b69c8fe7..bf0b8ce862dd 100644 --- a/cprover_bindings/src/irep/to_irep.rs +++ b/cprover_bindings/src/irep/to_irep.rs @@ -132,7 +132,7 @@ impl ToIrep for DatatypeComponent { match self { DatatypeComponent::Field { name, typ } => Irep::just_named_sub(linear_map![ (IrepId::Name, Irep::just_string_id(name.to_string())), - (IrepId::PrettyName, Irep::just_string_id(name.to_string())), + (IrepId::CPrettyName, Irep::just_string_id(name.to_string())), (IrepId::Type, typ.to_irep(mm)), ]), DatatypeComponent::Padding { name, bits } => Irep::just_named_sub(linear_map![ @@ -254,6 +254,25 @@ impl ToIrep for ExprValue { )], } } + ExprValue::Float16Constant(i) => { + let c: u16 = i.to_bits(); + Irep { + id: IrepId::Constant, + sub: vec![], + named_sub: linear_map![(IrepId::Value, Irep::just_bitpattern_id(c, 16, false))], + } + } + ExprValue::Float128Constant(i) => { + let c: u128 = i.to_bits(); + Irep { + id: IrepId::Constant, + sub: vec![], + named_sub: linear_map![( + IrepId::Value, + Irep::just_bitpattern_id(c, 128, false) + )], + } + } ExprValue::FunctionCall { function, arguments } => side_effect_irep( IrepId::FunctionCall, vec![function.to_irep(mm), arguments_irep(arguments.iter(), mm)], @@ -293,10 +312,15 @@ impl ToIrep for ExprValue { Irep::just_bitpattern_id(*i, mm.pointer_width, false) )], }, + ExprValue::ReadOk { ptr, size } => Irep { + id: IrepId::ROk, + sub: vec![ptr.to_irep(mm), size.to_irep(mm)], + named_sub: linear_map![], + }, ExprValue::SelfOp { op, e } => side_effect_irep(op.to_irep_id(), vec![e.to_irep(mm)]), - ExprValue::StatementExpression { statements: ops } => side_effect_irep( + ExprValue::StatementExpression { statements: ops, location: loc } => side_effect_irep( IrepId::StatementExpression, - vec![Stmt::block(ops.to_vec(), Location::none()).to_irep(mm)], + vec![Stmt::block(ops.to_vec(), *loc).to_irep(mm)], ), ExprValue::StringConstant { s } => Irep { id: IrepId::StringConstant, @@ -365,15 +389,32 @@ impl ToIrep for Location { (IrepId::Function, Irep::just_string_id(function_name.to_string())), ]) .with_named_sub_option(IrepId::Line, line.map(Irep::just_int_id)), - Location::Loc { file, function, start_line, start_col, end_line: _, end_col: _ } => { - Irep::just_named_sub(linear_map![ - (IrepId::File, Irep::just_string_id(file.to_string())), - (IrepId::Line, Irep::just_int_id(*start_line)), - ]) - .with_named_sub_option(IrepId::Column, start_col.map(Irep::just_int_id)) - .with_named_sub_option(IrepId::Function, function.map(Irep::just_string_id)) - } - Location::Property { file, function, line, col, property_class, comment } => { + Location::Loc { + file, + function, + start_line, + start_col, + end_line: _, + end_col: _, + pragmas, + } => Irep::just_named_sub(linear_map![ + (IrepId::File, Irep::just_string_id(file.to_string())), + (IrepId::Line, Irep::just_int_id(*start_line)), + ]) + .with_named_sub_option(IrepId::Column, start_col.map(Irep::just_int_id)) + .with_named_sub_option(IrepId::Function, function.map(Irep::just_string_id)) + .with_named_sub_option( + IrepId::Pragma, + Some(Irep::just_named_sub( + pragmas + .iter() + .map(|pragma| { + (IrepId::from_string(*pragma), Irep::just_id(IrepId::EmptyString)) + }) + .collect(), + )), + ), + Location::Property { file, function, line, col, property_class, comment, pragmas } => { Irep::just_named_sub(linear_map![ (IrepId::File, Irep::just_string_id(file.to_string())), (IrepId::Line, Irep::just_int_id(*line)), @@ -385,6 +426,17 @@ impl ToIrep for Location { IrepId::PropertyClass, Irep::just_string_id(property_class.to_string()), ) + .with_named_sub_option( + IrepId::Pragma, + Some(Irep::just_named_sub( + pragmas + .iter() + .map(|pragma| { + (IrepId::from_string(*pragma), Irep::just_id(IrepId::EmptyString)) + }) + .collect(), + )), + ) } Location::PropertyUnknownLocation { property_class, comment } => { Irep::just_named_sub(linear_map![ @@ -433,6 +485,7 @@ impl ToIrep for StmtBody { } StmtBody::Break => code_irep(IrepId::Break, vec![]), StmtBody::Continue => code_irep(IrepId::Continue, vec![]), + StmtBody::Dead(symbol) => code_irep(IrepId::Dead, vec![symbol.to_irep(mm)]), StmtBody::Decl { lhs, value } => { if value.is_some() { code_irep( @@ -545,6 +598,10 @@ impl goto_program::Symbol { Irep::just_sub(contract.assigns.iter().map(|req| req.to_irep(mm)).collect()), ); } + if self.is_static_const { + // Add a `const` to the type. + typ = typ.with_named_sub(IrepId::CConstant, Irep::just_id(IrepId::from_int(1))) + } super::Symbol { typ, value: match &self.value { @@ -689,6 +746,30 @@ impl ToIrep for Type { (IrepId::CCType, Irep::just_id(IrepId::Float)), ], }, + Type::Float16 => Irep { + id: IrepId::Floatbv, + sub: vec![], + // Fraction bits: 10 + // Exponent width bits: 5 + // Sign bit: 1 + named_sub: linear_map![ + (IrepId::F, Irep::just_int_id(10)), + (IrepId::Width, Irep::just_int_id(16)), + (IrepId::CCType, Irep::just_id(IrepId::Float16)), + ], + }, + Type::Float128 => Irep { + id: IrepId::Floatbv, + sub: vec![], + // Fraction bits: 112 + // Exponent width bits: 15 + // Sign bit: 1 + named_sub: linear_map![ + (IrepId::F, Irep::just_int_id(112)), + (IrepId::Width, Irep::just_int_id(128)), + (IrepId::CCType, Irep::just_id(IrepId::Float128)), + ], + }, Type::IncompleteStruct { tag } => Irep { id: IrepId::Struct, sub: vec![], diff --git a/cprover_bindings/src/lib.rs b/cprover_bindings/src/lib.rs index cd87dffd75a6..a5901afbac2d 100644 --- a/cprover_bindings/src/lib.rs +++ b/cprover_bindings/src/lib.rs @@ -29,7 +29,11 @@ //! Speical [irep::Irep::id]s include: //! 1. [irep::IrepId::Empty] and [irep::IrepId::Nil] behaves like \[null\]. +#![feature(f128)] +#![feature(f16)] + mod env; +pub use env::global_dead_object; pub mod goto_program; pub mod irep; mod machine_model; diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 69be21a07ff5..784ec075d183 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -12,12 +12,13 @@ - [Failures that Kani can spot](./tutorial-kinds-of-failure.md) - [Loop unwinding](./tutorial-loop-unwinding.md) - [Nondeterministic variables](./tutorial-nondeterministic-variables.md) - - [Debugging verification failures](./debugging-verification-failures.md) - [Reference](./reference.md) - [Attributes](./reference/attributes.md) - - [Stubbing](./reference/stubbing.md) - + - [Experimental features](./reference/experimental/experimental-features.md) + - [Coverage](./reference/experimental/coverage.md) + - [Stubbing](./reference/experimental/stubbing.md) + - [Concrete Playback](./reference/experimental/concrete-playback.md) - [Application](./application.md) - [Comparison with other tools](./tool-comparison.md) - [Where to start on real code](./tutorial-real-code.md) @@ -31,7 +32,6 @@ - [cargo kani assess](./dev-assess.md) - [Testing](./testing.md) - [Regression testing](./regression-testing.md) - - [Book runner](./bookrunner.md) - [(Experimental) Testing with a Large Number of Repositories](./repo-crawl.md) - [Performance comparisons](./performance-comparisons.md) - [`benchcomp` command line](./benchcomp-cli.md) diff --git a/docs/src/benchcomp-conf.md b/docs/src/benchcomp-conf.md index 77236d0917bf..065143a39c2c 100644 --- a/docs/src/benchcomp-conf.md +++ b/docs/src/benchcomp-conf.md @@ -4,6 +4,45 @@ This page lists the different visualizations that are available. +## Variants + +A *variant* is a single invocation of a benchmark suite. Benchcomp runs several +variants, so that their performance can be compared later. A variant consists of +a command-line argument, working directory, and environment. Benchcomp invokes +the command using the operating system environment, updated with the keys and +values in `env`. If any values in `env` contain strings of the form `${var}`, +Benchcomp expands them to the value of the environment variable `$var`. + +```yaml +variants: + variant_1: + config: + command_line: echo "Hello, world" + directory: /tmp + env: + PATH: /my/local/directory:${PATH} +``` + + +## Filters + +After benchcomp has finished parsing the results, it writes the results to `results.yaml` by default. +Before visualizing the results (see below), benchcomp can *filter* the results by piping them into an external program. + +To filter results before visualizing them, add `filters` to the configuration file. + +```yaml +filters: + - command_line: ./scripts/remove-redundant-results.py + - command_line: cat +``` + +The value of `filters` is a list of dicts. +Currently the only legal key for each of the dicts is `command_line`. +Benchcomp invokes each `command_line` in order, passing the results as a JSON file on stdin, and interprets the stdout as a YAML-formatted modified set of results. +Filter scripts can emit either YAML (which might be more readable while developing the script), or JSON (which benchcomp will parse as a subset of YAML). + + ## Built-in visualizations The following visualizations are available; these can be added to the `visualize` list of `benchcomp.yaml`. diff --git a/docs/src/bookrunner.md b/docs/src/bookrunner.md deleted file mode 100644 index c9e647dd6552..000000000000 --- a/docs/src/bookrunner.md +++ /dev/null @@ -1,81 +0,0 @@ -# Book runner - -The [book runner](./bookrunner/index.html) is a testing tool based on [Litani](https://github.com/awslabs/aws-build-accumulator). - -The purpose of the book runner is to get data about feature coverage in Kani. -To this end, we use Rust code snippet examples from the following general Rust documentation books: - * The Rust Reference - * The Rustonomicon - * The Rust Unstable Book - * Rust By Example - -However, not all examples from these books are suited for verification. -For instance, some of them are only included to show what is valid Rust code (or what is not). - -Because of that, we run up to three different types of jobs when generating the report: - * `check` jobs: This check uses the Rust front-end to detect if the example is valid Rust code. - * `codegen` jobs: This check uses the Kani back-end to determine if we can generate GotoC code. - * `verification` jobs: This check uses CBMC to obtain a verification result. - -Note that these are incremental: A `verification` job depends on a previous `codegen` job. -Similary, a `codegen` job depends on a `check` job. - -> **NOTE**: [Litani](https://github.com/awslabs/aws-build-accumulator) does not -> support hierarchical views at the moment. For this reason, we are publishing a -> [text version of the book runner report](./bookrunner/bookrunner.txt) which -> displays the same results in a hierarchical way while we work on [improvements -> for the visualization and navigation of book runner -> results](https://github.com/model-checking/kani/issues/699). - -Before running the above mentioned jobs, we pre-process the examples to: - 1. Set the expected output according to flags present in the code snippet. - 2. Add any required compiler/Kani flags (e.g., unwinding). - -Finally, we run all jobs, collect their outputs and compare them against the expected outputs. -The results are summarized as follows: If the obtained and expected outputs differ, -the color of the stage bar will be red. Otherwise, it will be blue. -If an example shows one red bar, it's considered a failed example that cannot be handled by Kani. - -The [book runner report](./bookrunner/index.html) and [its text version](./bookrunner/bookrunner.txt) are -automatically updated whenever a PR gets merged into Kani. - -## The book running procedure - -This section describes how the book runner operates at a high level. - -To kick off the book runner process use: - -```bash -cargo run -p bookrunner -``` - -The main function of the bookrunner is `generate_run()` (code available -[here](https://github.com/model-checking/kani/blob/main/tools/bookrunner/src/books.rs)) -which follows these steps: - 1. Sets up all the books, including data about their summaries. - 2. Then, for each book: - * Calls the `parse_hierarchy()` method to parse its summary - files. - * Calls the `extract_examples()` method to extract all - examples from the book. Note that `extract_examples()` uses `rustdoc` - functions to ensure the extracted examples are runnable. - * Checks if there is a corresponding `.props` file - in `src/tools/bookrunner/configs/`. If there is, prepends the contents of these files - ([testing options](./regression-testing.md#testing-options)) to the example. - * The resulting examples are written to the `src/test/bookrunner/books/` folder. - -> In general, the path to a given example is -> `src/test/bookrunner/books///
//.rs` -> where `` is the line number where the example appears in the markdown -> file where it's written. The `.props` files mentioned above follow the same -> naming scheme in order to match them and detect conflicts. - - 3. Runs all examples using - [Litani](https://github.com/awslabs/aws-build-accumulator) with the - `litani_run_tests()` function. - 4. Parses the Litani log file with `parse_litani_output(...)`. - 5. Generates the [text version of the bookrunner](./bookrunner/bookrunner.txt) - with `generate_text_bookrunner(...)`. - -> **NOTE**: Any changes done to the examples in `src/test/bookrunner/books/` may -> be overwritten if the bookrunner is executed. diff --git a/docs/src/cheat-sheets.md b/docs/src/cheat-sheets.md index 95cc9991e46f..9b42d313ede2 100644 --- a/docs/src/cheat-sheets.md +++ b/docs/src/cheat-sheets.md @@ -19,7 +19,7 @@ cargo build-dev ### Test ```bash -# Full regression suite (does not run bookrunner) +# Full regression suite ./scripts/kani-regression.sh ``` @@ -39,12 +39,6 @@ rm -r build/x86_64-apple-darwin/tests/ cargo run -p compiletest -- --suite kani --mode kani ``` -```bash -# Run bookrunner -./scripts/setup/install_bookrunner_deps.sh -cargo run -p bookrunner -``` - ```bash # Build documentation cd docs diff --git a/docs/src/getting-started/verification-results/src/main.rs b/docs/src/getting-started/verification-results/src/main.rs index 7a03b34f0f9e..72653cf4dc8f 100644 --- a/docs/src/getting-started/verification-results/src/main.rs +++ b/docs/src/getting-started/verification-results/src/main.rs @@ -2,6 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT #[kani::proof] +#[kani::unwind(4)] // ANCHOR: success_example fn success_example() { let mut sum = 0; diff --git a/docs/src/reference/attributes.md b/docs/src/reference/attributes.md index bd8b80cbbdaa..4556077911fc 100644 --- a/docs/src/reference/attributes.md +++ b/docs/src/reference/attributes.md @@ -60,7 +60,7 @@ For example, the class in `Check 1: my_harness.assertion.1` is `assertion`, so t > **NOTE**: The `#[kani::should_panic]` is only recommended for writing > harnesses which complement existing harnesses that don't use the same -> attribute. In order words, it's only recommended to write *negative harnesses* +> attribute. In other words, it's only recommended to write *negative harnesses* > after having written *positive* harnesses that successfully verify interesting > properties about the function under verification. diff --git a/docs/src/debugging-verification-failures.md b/docs/src/reference/experimental/concrete-playback.md similarity index 87% rename from docs/src/debugging-verification-failures.md rename to docs/src/reference/experimental/concrete-playback.md index c5dae6e74308..237f5673caf0 100644 --- a/docs/src/debugging-verification-failures.md +++ b/docs/src/reference/experimental/concrete-playback.md @@ -1,20 +1,13 @@ -# Debugging verification failures +# Concrete Playback -When the result of a certain check comes back as a `FAILURE`, -Kani offers different options to help debug: -* `--concrete-playback`. This _experimental_ feature generates a Rust unit test case that plays back a failing -proof harness using a concrete counterexample. -* `--visualize`. This feature generates an HTML text-based trace that -enumerates the execution steps leading to the check failure. - -## Concrete playback +When the result of a certain check comes back as a `FAILURE`, Kani offers the `concrete-playback` option to help debug. This feature generates a Rust unit test case that plays back a failing proof harness using a concrete counterexample. When concrete playback is enabled, Kani will generate unit tests for assertions that failed during verification, as well as cover statements that are reachable. These tests can then be executed using Kani's playback subcommand. -### Usage +## Usage In order to enable this feature, run Kani with the `-Z concrete-playback --concrete-playback=[print|inplace]` flag. After getting a verification failure, Kani will generate a Rust unit test case that plays back a failing @@ -46,7 +39,7 @@ The output will have a line in the beginning like You can further debug the binary with tools like `rust-gdb` or `lldb`. -### Example +## Example Running `kani -Z concrete-playback --concrete-playback=print` on the following source file: ```rust @@ -75,7 +68,7 @@ Here, `133` and `35207` are the concrete values that, when substituted for `a` a cause an assertion failure. `vec![135, 137]` is the byte array representation of `35207`. -### Request for comments +## Request for comments This feature is experimental and is therefore subject to change. If you have ideas for improving the user experience of this feature, @@ -83,7 +76,7 @@ please add them to [this GitHub issue](https://github.com/model-checking/kani/is We are tracking the existing feature requests in [this GitHub milestone](https://github.com/model-checking/kani/milestone/10). -### Limitations +## Limitations * This feature does not generate unit tests for failing non-panic checks (e.g., UB checks). This is because checks would not trigger runtime errors during concrete playback. diff --git a/docs/src/reference/experimental/coverage.md b/docs/src/reference/experimental/coverage.md new file mode 100644 index 000000000000..fb73d5f7c05b --- /dev/null +++ b/docs/src/reference/experimental/coverage.md @@ -0,0 +1,32 @@ +## Coverage + +Recall our `estimate_size` example from [First steps](../../tutorial-first-steps.md), +where we wrote a proof harness constraining the range of inputs to integers less than 4096: + +```rust +{{#include ../../tutorial/first-steps-v2/src/lib.rs:kani}} +``` + +We must wonder if we've really fully tested our function. +What if we revise the function, but forget to update the assumption in our proof harness to cover the new range of inputs? + +Fortunately, Kani is able to report a coverage metric for each proof harness. +In the `first-steps-v2` directory, try running: + +``` +cargo kani --coverage -Z line-coverage --harness verify_success +``` + +which verifies the harness, then prints coverage information for each line. +In this case, we see that each line of `estimate_size` is followed by `FULL`, indicating that our proof harness provides full coverage. + +Try changing the assumption in the proof harness to `x < 2048`. +Now the harness won't be testing all possible cases. +Rerun the command. +You'll see this line: + +``` +src/lib.rs, 24, NONE +``` + +which indicates that the proof no longer covers line 24, which addresses the case where `x >= 2048`. diff --git a/docs/src/reference/experimental/experimental-features.md b/docs/src/reference/experimental/experimental-features.md new file mode 100644 index 000000000000..bd9fb6cd8572 --- /dev/null +++ b/docs/src/reference/experimental/experimental-features.md @@ -0,0 +1,5 @@ +# Experimental Features + +We elaborate on some of the more commonly used experimental features in Kani. +This is not an exhaustive list; to see all of Kani's experimental features, run `cargo kani --help`. +To use an experimental feature, invoke Kani with the `--unstable` or `-Z` flag followed by the name of the feature. \ No newline at end of file diff --git a/docs/src/reference/stubbing.md b/docs/src/reference/experimental/stubbing.md similarity index 99% rename from docs/src/reference/stubbing.md rename to docs/src/reference/experimental/stubbing.md index b4eeb4fe6b98..0ffbba5f0b0b 100644 --- a/docs/src/reference/stubbing.md +++ b/docs/src/reference/experimental/stubbing.md @@ -113,7 +113,7 @@ In the following, we describe all the limitations of the stubbing feature. The usage of stubbing is limited to the verification of a single harness. Therefore, users are **required to pass the `--harness` option** when using the stubbing feature. -In addition, this feature **isn't compatible with [concrete playback](../debugging-verification-failures.md#concrete-playback)**. +In addition, this feature **isn't compatible with [concrete playback](./concrete-playback.md)**. ### Support diff --git a/docs/src/rust-feature-support/intrinsics.md b/docs/src/rust-feature-support/intrinsics.md index d4e47a866f00..d4dd458efb4c 100644 --- a/docs/src/rust-feature-support/intrinsics.md +++ b/docs/src/rust-feature-support/intrinsics.md @@ -148,10 +148,10 @@ cttz_nonzero | Yes | | discriminant_value | Yes | | drop_in_place | No | | exact_div | Yes | | -exp2f32 | No | | -exp2f64 | No | | -expf32 | No | | -expf64 | No | | +exp2f32 | Partial | Results are overapproximated | +exp2f64 | Partial | Results are overapproximated | +expf32 | Partial | Results are overapproximated | +expf64 | Partial | Results are overapproximated | fabsf32 | Yes | | fabsf64 | Yes | | fadd_fast | Yes | | @@ -170,8 +170,8 @@ log10f32 | No | | log10f64 | No | | log2f32 | No | | log2f64 | No | | -logf32 | No | | -logf64 | No | | +logf32 | Partial | Results are overapproximated | +logf64 | Partial | Results are overapproximated | maxnumf32 | Yes | | maxnumf64 | Yes | | min_align_of | Yes | | @@ -185,8 +185,8 @@ nearbyintf64 | Yes | | needs_drop | Yes | | nontemporal_store | No | | offset | Partial | Doesn't check [all UB conditions](https://doc.rust-lang.org/std/primitive.pointer.html#safety-2) | -powf32 | No | | -powf64 | No | | +powf32 | Partial | Results are overapproximated | +powf64 | Partial | Results are overapproximated | powif32 | No | | powif64 | No | | pref_align_of | Yes | | @@ -220,6 +220,7 @@ truncf64 | Yes | | try | No | [#267](https://github.com/model-checking/kani/issues/267) | type_id | Yes | | type_name | Yes | | +typed_swap | Yes | | unaligned_volatile_load | No | See [Notes - Concurrency](#concurrency) | unaligned_volatile_store | No | See [Notes - Concurrency](#concurrency) | unchecked_add | Yes | | diff --git a/docs/src/testing.md b/docs/src/testing.md index 21438e861444..85e1a46838bf 100644 --- a/docs/src/testing.md +++ b/docs/src/testing.md @@ -15,6 +15,5 @@ two very good reasons to do it: We recommend reading our section on [Regression Testing](./regression-testing.md) if you're interested in Kani -development. At present, we obtain metrics based on the [book -runner](./bookrunner.md). To run kani on a large number of remotely +development. To run kani on a large number of remotely hosted crates, please see [Repository Crawl](./repo-crawl.md). diff --git a/docs/src/tutorial-first-steps.md b/docs/src/tutorial-first-steps.md index 57e70edb96dd..bbfd236c6b58 100644 --- a/docs/src/tutorial-first-steps.md +++ b/docs/src/tutorial-first-steps.md @@ -53,40 +53,11 @@ Kani has immediately found a failure. Notably, we haven't had to write explicit assertions in our proof harness: by default, Kani will find a host of erroneous conditions which include a reachable call to `panic` or a failing `assert`. If Kani had run successfully on this harness, this amounts to a mathematical proof that there is no input that could cause a panic in `estimate_size`. -### Getting a trace +> By default, Kani only reports failures, not how the failure happened. +> In this example, it would be nice to get a concrete example of a value of `x` that triggers the failure. +> Kani offers an (experimental) [concrete playback](reference/experimental/concrete-playback.md) feature that serves this purpose. +> As an exercise, try applying concrete playback to this example and see what Kani outputs. -By default, Kani only reports failures, not how the failure happened. -In this running example, it seems obvious what we're interested in (the value of `x` that caused the failure) because we just have one unknown input at the start (similar to the property test), but that's kind of a special case. -In general, understanding how a failure happened requires exploring a full (potentially large) _execution trace_. - -An execution trace is a record of exactly how a failure can occur. -Nondeterminism (like a call to `kani::any()`, which could return any value) can appear in the middle of its execution. -A trace is a record of exactly how execution proceeded, including concrete choices (like `1023`) for all of these nondeterministic values. - -To get a trace for a failing check in Kani, run: - -``` -cargo kani --visualize --enable-unstable -``` - -This command runs Kani and generates an HTML report that includes a trace. -Open the report with your preferred browser. -Under the "Errors" heading, click on the "trace" link to find the trace for this failure. - -From this trace report, we can filter through it to find relevant lines. -A good rule of thumb is to search for either `kani::any()` or assignments to variables you're interested in. -At present time, an unfortunate amount of generated code is present in the trace. -This code isn't a part of the Rust code you wrote, but is an internal implementation detail of how Kani runs proof harnesses. -Still, searching for `kani::any()` quickly finds us these lines: - -``` -let x: u32 = kani::any(); -x = 1023u -``` - -Here we're seeing the line of code and the value assigned in this particular trace. -Like property testing, this is just one **example** of a failure. -To proceed, we recommend fixing the code to avoid this particular issue and then re-running Kani to see if you find more issues. ### Exercise: Try other failures @@ -193,25 +164,6 @@ Here's a revised example of the proof harness, one that now succeeds: {{#include tutorial/first-steps-v2/src/lib.rs:kani}} ``` -But now we must wonder if we've really fully tested our function. -What if we revise the function, but forget to update the assumption in our proof harness to cover the new range of inputs? - -Fortunately, Kani is able to report a coverage metric for each proof harness. -Try running: - -``` -cargo kani --visualize --harness verify_success -``` - -The beginning of the report includes coverage information. -Clicking through to the file will show fully-covered lines in green. -Lines not covered by our proof harness will show in red. - -Try changing the assumption in the proof harness to `x < 2048`. -Now the harness won't be testing all possible cases. -Rerun `cargo kani --visualize`. -Look at the report: you'll see we no longer have 100% coverage of the function. - ## Summary In this section: @@ -219,6 +171,4 @@ In this section: 1. We saw Kani find panics, assertion failures, and even some other failures like unsafe dereferencing of null pointers. 2. We saw Kani find failures that testing could not easily find. 3. We saw how to write a proof harness and use `kani::any()`. -4. We saw how to get a failing **trace** using `kani --visualize` -5. We saw how proof harnesses are used to set up preconditions with `kani::assume()`. -6. We saw how to obtain **coverage** metrics and use them to ensure our proofs are covering as much as they should be. +4. We saw how proof harnesses are used to set up preconditions with `kani::assume()`. diff --git a/docs/src/tutorial-kinds-of-failure.md b/docs/src/tutorial-kinds-of-failure.md index 29236b95db0c..00f9408ca709 100644 --- a/docs/src/tutorial-kinds-of-failure.md +++ b/docs/src/tutorial-kinds-of-failure.md @@ -25,7 +25,7 @@ This property test will immediately find a failing case, thanks to Rust's built- But what if we change this function to use unsafe Rust? ```rust -return unsafe { *a.get_unchecked(i % a.len() + 1) }; +return unsafe { *a.as_ptr().add(i % a.len() + 1) }; ``` Now the error becomes invisible to this test: @@ -55,7 +55,7 @@ cargo kani --harness bound_check We still see a failure from Kani, even without Rust's runtime bounds checking. > Also, notice there were many checks in the verification output. -> (At time of writing, 351.) +> (At time of writing, 345.) > This is a result of using the standard library `Vec` implementation, which means our harness actually used quite a bit of code, short as it looks. > Kani is inserting a lot more checks than appear as asserts in our code, so the output can be large. @@ -63,7 +63,7 @@ We get the following summary at the end: ``` SUMMARY: - ** 1 of 351 failed + ** 1 of 345 failed (8 unreachable) Failed Checks: dereference failure: pointer outside object bounds File: "./src/bounds_check.rs", line 11, in bounds_check::get_wrapped @@ -79,71 +79,44 @@ Consider trying a few more small exercises with this example: 1. Exercise: Switch back to the normal/safe indexing operation and re-try Kani. How does Kani's output change, compared to the unsafe operation? (Try predicting the answer, then seeing if you got it right.) -2. Exercise: [Remember how to get a trace from Kani?](./tutorial-first-steps.md#getting-a-trace) Find out what inputs it failed on. +2. Exercise: Try Kani's experimental [concrete playback](reference/experimental/concrete-playback.md) feature on this example. 3. Exercise: Fix the error, run Kani, and see a successful verification. 4. Exercise: Try switching back to the unsafe code (now with the error fixed) and re-run Kani. Does it still verify successfully?
Click to see explanation for exercise 1 -Having switched back to the safe indexing operation, Kani reports two failures: +Having switched back to the safe indexing operation, Kani reports a bounds check failure: ``` -SUMMARY: - ** 2 of 350 failed +SUMMARY: + ** 1 of 343 failed (8 unreachable) Failed Checks: index out of bounds: the length is less than or equal to the given index - File: "./src/bounds_check.rs", line 11, in bounds_check::get_wrapped -Failed Checks: dereference failure: pointer outside object bounds - File: "./src/bounds_check.rs", line 11, in bounds_check::get_wrapped + File: "src/bounds_check.rs", line 11, in bounds_check::get_wrapped VERIFICATION:- FAILED ``` -The first is Rust's runtime bounds checking for the safe indexing operation. -The second is Kani's check to ensure the pointer operation is actually safe. -This pattern (two checks for similar issues in safe Rust code) is common to see, and we'll see it again in the next section. - -> **NOTE**: While Kani will always be checking for both properties, [in the future the output here may change](https://github.com/model-checking/kani/issues/1349). -> You might have noticed that the bad pointer dereference can't happen, since the bounds check would panic first. -> In the future, Kani's output may report only the bounds checking failure in this example. -
Click to see explanation for exercise 2 -Having run `cargo kani --harness bound_check --visualize` and clicked on one of the failures to see a trace, there are three things to immediately notice: - -1. This trace is huge. Because the standard library `Vec` is involved, there's a lot going on. -2. The top of the trace file contains some "trace navigation tips" that might be helpful in navigating the trace. -3. There's a lot of generated code and it's really hard to just read the trace itself. - -To navigate this trace to find the information you need, we again recommend searching for things you expect to be somewhere in the trace: - -1. Search the page for `kani::any` or ` =` such as `size =` or `let size`. -We can use this to find out what example values lead to a problem. -In this case, where we just have a couple of `kani::any` values in our proof harness, we can learn a lot just by seeing what these are. -In this trace we find (and the values you get may be different): - -``` -Step 36: Function bound_check, File src/bounds_check.rs, Line 37 -let size: usize = kani::any(); -size = 2464ul - -Step 39: Function bound_check, File src/bounds_check.rs, Line 39 -let index: usize = kani::any(); -index = 2463ul +`cargo kani -Z concrete-playback --concrete-playback=inplace --harness bound_check` produces the following test: +``` +rust +#[test] +fn kani_concrete_playback_bound_check_4752536404478138800() { + let concrete_vals: Vec> = vec![ + // 1ul + vec![1, 0, 0, 0, 0, 0, 0, 0], + // 18446744073709551615ul + vec![255, 255, 255, 255, 255, 255, 255, 255], + ]; + kani::concrete_playback_run(concrete_vals, bound_check); +} ``` - -You may see different values here, as it depends on the solver's behavior. - -2. Try searching for `failure:`. This will be near the end of the page. -You can now search upwards from a failure to see what values certain variables had. -Sometimes it can be helpful to change the source code to add intermediate variables, so their value is visible in the trace. -For instance, you might want to compute the index before indexing into the array. -That way you'd see in the trace exactly what value is being used. - -These two techniques should help you find both the nondeterministic inputs, and the values that were involved in the failing assertion. +which indicates that substituting the concrete values `size = 1` and `index = 2^64` in our proof harness will produce the out of bounds access.
@@ -247,6 +220,5 @@ In this section: 1. We saw Kani spot out-of-bounds accesses. 2. We saw Kani spot actually-unsafe dereferencing of a raw pointer to invalid memory. -3. We got more experience reading the traces that Kani generates, to debug a failing proof harness. 3. We saw Kani spot a division by zero error and an overflowing addition. -5. As an exercise, we tried proving an assertion (finding the midpoint) that was not completely trivial. +4. As an exercise, we tried proving an assertion (finding the midpoint) that was not completely trivial. diff --git a/docs/src/tutorial-real-code.md b/docs/src/tutorial-real-code.md index c4bad5a2d82e..3dd216cd6258 100644 --- a/docs/src/tutorial-real-code.md +++ b/docs/src/tutorial-real-code.md @@ -74,7 +74,7 @@ A first proof will likely start in the following form: Running Kani on this simple starting point will help figure out: 1. What unexpected constraints might be needed on your inputs (using `kani::assume`) to avoid "expected" failures. -2. Whether you're over-constrained. Check the coverage report using `--visualize`. Ideally you'd see 100% coverage, and if not, it's usually because you've assumed too much (thus over-constraining the inputs). +2. Whether you're over-constrained. Check the coverage report using `--coverage -Z line-coverage`. Ideally you'd see 100% coverage, and if not, it's usually because you've assumed too much (thus over-constraining the inputs). 3. Whether Kani will support all the Rust features involved. 4. Whether you've started with a tractable problem. (Remember to try setting `#[kani::unwind(1)]` to force early termination and work up from there.) diff --git a/docs/src/tutorial/kinds-of-failure/src/bounds_check.rs b/docs/src/tutorial/kinds-of-failure/src/bounds_check.rs index 9204d8f0f17e..c4a30982c95d 100644 --- a/docs/src/tutorial/kinds-of-failure/src/bounds_check.rs +++ b/docs/src/tutorial/kinds-of-failure/src/bounds_check.rs @@ -13,7 +13,7 @@ fn get_wrapped(i: usize, a: &[u32]) -> u32 { // ANCHOR_END: code // Alternative unsafe return for the above function: -// return unsafe { *a.get_unchecked(i % a.len() + 1) }; +// return unsafe { *a.as_ptr().add(i % a.len() + 1) }; #[cfg(test)] mod tests { diff --git a/docs/src/usage.md b/docs/src/usage.md index 77def63d3651..aaa5d3fa234c 100644 --- a/docs/src/usage.md +++ b/docs/src/usage.md @@ -26,7 +26,7 @@ Common to both `kani` and `cargo kani` are many command-line flags: * `--concrete-playback=[print|inplace]`: _Experimental_, `--enable-unstable` feature that generates a Rust unit test case that plays back a failing proof harness using a concrete counterexample. If used with `print`, Kani will only print the unit test to stdout. - If used with `inplace`, Kani will automatically add the unit test to the user's source code, next to the proof harness. For more detailed instructions, see the [debugging verification failures](./debugging-verification-failures.md) section. + If used with `inplace`, Kani will automatically add the unit test to the user's source code, next to the proof harness. For more detailed instructions, see the [concrete playback](./experimental/concrete-playback.md) section. * `--visualize`: _Experimental_, `--enable-unstable` feature that generates an HTML report providing traces (i.e., counterexamples) for each failure found by Kani. @@ -68,12 +68,23 @@ default-unwind = 1 The options here are the same as on the command line (`cargo kani --help`), and flags (that is, command line arguments that don't take a value) are enabled by setting them to `true`. +Starting with Rust 1.80 (or nightly-2024-05-05), every reachable #[cfg] will be automatically checked that they match the expected config names and values. +To avoid warnings on `cfg(kani)`, we recommend adding the `check-cfg` lint config in your crate's `Cargo.toml` as follows: + +```toml +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } +``` + +For more information please consult this [blog post](https://blog.rust-lang.org/2024/05/06/check-cfg.html). + ## The build process -When Kani builds your code, it does two important things: +When Kani builds your code, it does three important things: -1. It sets `cfg(kani)`. +1. It sets `cfg(kani)` for target crate compilation (including dependencies). 2. It injects the `kani` crate. +3. It sets `cfg(kani_host)` for host build targets such as any build script and procedural macro crates. A proof harness (which you can [learn more about in the tutorial](./kani-tutorial.md)), is a function annotated with `#[kani::proof]` much like a test is annotated with `#[test]`. But you may experience a similar problem using Kani as you would with `dev-dependencies`: if you try writing `#[kani::proof]` directly in your code, `cargo build` will fail because it doesn't know what the `kani` crate is. diff --git a/docs/src/verification-results.md b/docs/src/verification-results.md index a8187163d41b..100c9ed554be 100644 --- a/docs/src/verification-results.md +++ b/docs/src/verification-results.md @@ -38,7 +38,7 @@ Check 4: success_example.assertion.4 ``` 2. `FAILURE`: This indicates that the check failed (i.e., the property doesn't -hold). In this case, please see the [debugging verification failures](./debugging-verification-failures.md) +hold). In this case, please see the [concrete playback](./experimental/concrete-playback.md) section for more help. Example: diff --git a/kani-compiler/Cargo.toml b/kani-compiler/Cargo.toml index b93ce2d135b8..23389c156302 100644 --- a/kani-compiler/Cargo.toml +++ b/kani-compiler/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani-compiler" -version = "0.45.0" +version = "0.53.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -12,15 +12,15 @@ publish = false cbmc = { path = "../cprover_bindings", package = "cprover_bindings", optional = true } clap = { version = "4.4.11", features = ["derive", "cargo"] } home = "0.5" -itertools = "0.12" +itertools = "0.13" kani_metadata = {path = "../kani_metadata"} lazy_static = "1.4.0" num = { version = "0.4.0", optional = true } regex = "1.7.0" serde = { version = "1", optional = true } serde_json = "1" -strum = "0.25.0" -strum_macros = "0.25.2" +strum = "0.26" +strum_macros = "0.26" shell-words = "1.0.0" tracing = {version = "0.1", features = ["max_level_trace", "release_max_level_debug"]} tracing-subscriber = {version = "0.3.8", features = ["env-filter", "json", "fmt"]} diff --git a/kani-compiler/build.rs b/kani-compiler/build.rs index 37a9471a167d..497e9dfa13d2 100644 --- a/kani-compiler/build.rs +++ b/kani-compiler/build.rs @@ -20,6 +20,8 @@ macro_rules! path_str { /// kani-compiler with nightly only. We also link to the rustup rustc_driver library for now. pub fn main() { // Add rustup to the rpath in order to properly link with the correct rustc version. + + // This is for dev purposes only, if dev point/search toolchain in .rustup/toolchains/ let rustup_home = env::var("RUSTUP_HOME").unwrap(); let rustup_tc = env::var("RUSTUP_TOOLCHAIN").unwrap(); let rustup_lib = path_str!([&rustup_home, "toolchains", &rustup_tc, "lib"]); diff --git a/kani-compiler/src/args.rs b/kani-compiler/src/args.rs index b174795b7259..3efc5c0f4f61 100644 --- a/kani-compiler/src/args.rs +++ b/kani-compiler/src/args.rs @@ -1,10 +1,10 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -use strum_macros::{AsRefStr, EnumString, EnumVariantNames}; +use strum_macros::{AsRefStr, EnumString, VariantNames}; use tracing_subscriber::filter::Directive; -#[derive(Debug, Default, Clone, Copy, AsRefStr, EnumString, EnumVariantNames, PartialEq, Eq)] +#[derive(Debug, Default, Clone, Copy, AsRefStr, EnumString, VariantNames, PartialEq, Eq)] #[strum(serialize_all = "snake_case")] pub enum ReachabilityType { /// Start the cross-crate reachability analysis from all harnesses in the local crate. @@ -71,4 +71,20 @@ pub struct Arguments { #[clap(long)] /// A legacy flag that is now ignored. goto_c: bool, + /// Enable specific checks. + #[clap(long)] + pub ub_check: Vec, +} + +#[derive(Debug, Clone, Copy, AsRefStr, EnumString, VariantNames, PartialEq, Eq)] +#[strum(serialize_all = "snake_case")] +pub enum ExtraChecks { + /// Check that produced values are valid except for uninitialized values. + /// See https://github.com/model-checking/kani/issues/920. + Validity, + /// Check pointer validity when casting pointers to references. + /// See https://github.com/model-checking/kani/issues/2975. + PtrToRefCast, + /// Check for using uninitialized memory. + Uninit, } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs index 68573cd2a1cd..f78cf3eba707 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs @@ -21,8 +21,8 @@ use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::{Expr, Location, Stmt, Type}; use cbmc::InternedString; -use stable_mir::ty::Span as SpanStable; -use std::convert::AsRef; +use stable_mir::mir::{Place, ProjectionElem}; +use stable_mir::ty::{Span as SpanStable, TypeAndMut}; use strum_macros::{AsRefStr, EnumString}; use tracing::debug; @@ -252,7 +252,7 @@ impl<'tcx> GotocCtx<'tcx> { t.nondet().as_stmt(loc), ]; - Expr::statement_expression(body, t).with_location(loc) + Expr::statement_expression(body, t, loc) } /// Kani does not currently support all MIR constructs. @@ -324,4 +324,63 @@ impl<'tcx> GotocCtx<'tcx> { self.codegen_assert_assume(cond, PropertyClass::SanityCheck, &assert_msg, loc) } + + /// If converting a raw pointer to a reference, &(*ptr), need to inject + /// a check to make sure that the pointer points to a valid memory location, + /// since dereferencing an invalid pointer is UB in Rust. + pub fn codegen_raw_ptr_deref_validity_check( + &mut self, + place: &Place, + loc: &Location, + ) -> Option { + if let Some(ProjectionElem::Deref) = place.projection.last() { + // Create a place without the topmost dereference projection.ß + let ptr_place = { + let mut ptr_place = place.clone(); + ptr_place.projection.pop(); + ptr_place + }; + // Only inject the check if dereferencing a raw pointer. + let ptr_place_ty = self.place_ty_stable(&ptr_place); + if ptr_place_ty.kind().is_raw_ptr() { + // Extract the size of the pointee. + let pointee_size = { + let TypeAndMut { ty: pointee_ty, .. } = + ptr_place_ty.kind().builtin_deref(true).unwrap(); + let pointee_ty_layout = pointee_ty.layout().unwrap(); + pointee_ty_layout.shape().size.bytes() + }; + + // __CPROVER_r_ok fails if size == 0, so need to explicitly avoid the check. + if pointee_size != 0 { + // Encode __CPROVER_r_ok(ptr, size). + // First, generate a CBMC expression representing the pointer. + let ptr = { + let ptr_projection = self.codegen_place_stable(&ptr_place, *loc).unwrap(); + let place_ty = self.place_ty_stable(place); + if self.use_thin_pointer_stable(place_ty) { + ptr_projection.goto_expr().clone() + } else { + ptr_projection.goto_expr().clone().member("data", &self.symbol_table) + } + }; + // Then, generate a __CPROVER_r_ok check. + let raw_ptr_read_ok_expr = Expr::read_ok( + ptr.cast_to(Type::void_pointer()), + Expr::int_constant(pointee_size, Type::size_t()), + ) + .cast_to(Type::Bool); + // Finally, assert that the pointer points to a valid memory location. + let raw_ptr_read_ok = self.codegen_assert( + raw_ptr_read_ok_expr, + PropertyClass::SafetyCheck, + "dereference failure: pointer invalid", + *loc, + ); + return Some(raw_ptr_read_ok); + } + } + } + None + } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs index 692fdb9c385b..5fe28097a2e0 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::codegen_cprover_gotoc::GotocCtx; -use stable_mir::mir::{BasicBlock, BasicBlockIdx}; +use stable_mir::mir::{BasicBlock, BasicBlockIdx, Body}; +use std::collections::HashSet; use tracing::debug; pub fn bb_label(bb: BasicBlockIdx) -> String { @@ -72,3 +73,32 @@ impl<'tcx> GotocCtx<'tcx> { } } } + +/// Iterate over the basic blocks in reverse post-order. +/// +/// The `reverse_postorder` function used before was internal to the compiler and reflected the +/// internal body representation. +/// +/// As we introduce transformations on the top of SMIR body, there will be not guarantee of a +/// 1:1 relationship between basic blocks from internal body and monomorphic body from StableMIR. +pub fn reverse_postorder(body: &Body) -> impl Iterator { + postorder(body, 0, &mut HashSet::with_capacity(body.blocks.len())).into_iter().rev() +} + +fn postorder( + body: &Body, + bb: BasicBlockIdx, + visited: &mut HashSet, +) -> Vec { + if visited.contains(&bb) { + return vec![]; + } + visited.insert(bb); + + let mut result = vec![]; + for succ in body.blocks[bb].terminator.successors() { + result.append(&mut postorder(body, succ, visited)); + } + result.push(bb); + result +} diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs index 964286984fc6..7f19e5814ce0 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs @@ -3,7 +3,7 @@ use crate::codegen_cprover_gotoc::GotocCtx; use crate::kani_middle::attributes::KaniAttributes; use cbmc::goto_program::FunctionContract; -use cbmc::goto_program::Lambda; +use cbmc::goto_program::{Expr, Lambda, Location, Type}; use kani_metadata::AssignsContract; use rustc_hir::def_id::DefId as InternalDefId; use rustc_smir::rustc_internal; @@ -12,6 +12,8 @@ use stable_mir::mir::Local; use stable_mir::CrateDef; use tracing::debug; +use stable_mir::ty::{RigidTy, TyKind}; + impl<'tcx> GotocCtx<'tcx> { /// Given the `proof_for_contract` target `function_under_contract` and the reachable `items`, /// find or create the `AssignsContract` that needs to be enforced and attach it to the symbol @@ -35,11 +37,50 @@ impl<'tcx> GotocCtx<'tcx> { ) -> AssignsContract { let tcx = self.tcx; let function_under_contract_attrs = KaniAttributes::for_item(tcx, function_under_contract); - let wrapped_fn = function_under_contract_attrs.inner_check().unwrap().unwrap(); + let recursion_wrapper_id = + function_under_contract_attrs.checked_with_id().unwrap().unwrap(); + let expected_name = format!("{}::REENTRY", tcx.item_name(recursion_wrapper_id)); + let mut recursion_tracker = items.iter().filter_map(|i| match i { + MonoItem::Static(recursion_tracker) + if (*recursion_tracker).name().contains(expected_name.as_str()) => + { + Some(*recursion_tracker) + } + _ => None, + }); + + let recursion_tracker_def = recursion_tracker + .next() + .expect("There should be at least one recursion tracker (REENTRY) in scope"); + assert!( + recursion_tracker.next().is_none(), + "Only one recursion tracker (REENTRY) may be in scope" + ); + + let span_of_recursion_wrapper = tcx.def_span(recursion_wrapper_id); + let location_of_recursion_wrapper = self.codegen_span(&span_of_recursion_wrapper); + // The name and location for the recursion tracker should match the exact information added + // to the symbol table, otherwise our contract instrumentation will silently failed. + // This happens because Kani relies on `--nondet-static-exclude` from CBMC to properly + // handle this tracker. CBMC silently fails if there is no match in the symbol table + // that correspond to the argument of this flag. + // More details at https://github.com/model-checking/kani/pull/3045. + let full_recursion_tracker_name = format!( + "{}:{}", + location_of_recursion_wrapper + .filename() + .expect("recursion location wrapper should have a file name"), + // We must use the pretty name of the tracker instead of the mangled name. + // This restrictions comes from `--nondet-static-exclude` in CBMC. + // Mode details at https://github.com/diffblue/cbmc/issues/8225. + recursion_tracker_def.name(), + ); + + let wrapped_fn = function_under_contract_attrs.inner_check().unwrap().unwrap(); let mut instance_under_contract = items.iter().filter_map(|i| match i { MonoItem::Fn(instance @ Instance { def, .. }) - if wrapped_fn == rustc_internal::internal(def.def_id()) => + if wrapped_fn == rustc_internal::internal(tcx, def.def_id()) => { Some(*instance) } @@ -56,28 +97,21 @@ impl<'tcx> GotocCtx<'tcx> { vec![] }); self.attach_modifies_contract(instance_of_check, assigns_contract); + let wrapper_name = instance_of_check.mangled_name(); - let wrapper_name = self.symbol_name_stable(instance_of_check); - - let recursion_wrapper_id = - function_under_contract_attrs.checked_with_id().unwrap().unwrap(); - let span_of_recursion_wrapper = tcx.def_span(recursion_wrapper_id); - let location_of_recursion_wrapper = self.codegen_span(&span_of_recursion_wrapper); - - let full_name = format!( - "{}:{}::REENTRY", - location_of_recursion_wrapper - .filename() - .expect("recursion location wrapper should have a file name"), - tcx.item_name(recursion_wrapper_id), - ); - - AssignsContract { recursion_tracker: full_name, contracted_function_name: wrapper_name } + AssignsContract { + recursion_tracker: full_recursion_tracker_name, + contracted_function_name: wrapper_name, + } } /// Convert the Kani level contract into a CBMC level contract by creating a /// CBMC lambda. - fn codegen_modifies_contract(&mut self, modified_places: Vec) -> FunctionContract { + fn codegen_modifies_contract( + &mut self, + modified_places: Vec, + loc: Location, + ) -> FunctionContract { let goto_annotated_fn_name = self.current_fn().name(); let goto_annotated_fn_typ = self .symbol_table @@ -86,15 +120,89 @@ impl<'tcx> GotocCtx<'tcx> { .typ .clone(); + let shadow_memory_assign = self + .tcx + .all_diagnostic_items(()) + .name_to_id + .get(&rustc_span::symbol::Symbol::intern("KaniMemoryInitializationState")) + .map(|attr_id| { + self.tcx + .symbol_name(rustc_middle::ty::Instance::mono(self.tcx, *attr_id)) + .name + .to_string() + }) + .and_then(|shadow_memory_table| self.symbol_table.lookup(&shadow_memory_table).cloned()) + .map(|shadow_memory_symbol| { + vec![Lambda::as_contract_for( + &goto_annotated_fn_typ, + None, + shadow_memory_symbol.to_expr(), + )] + }) + .unwrap_or_default(); + let assigns = modified_places .into_iter() .map(|local| { - Lambda::as_contract_for( - &goto_annotated_fn_typ, - None, - self.codegen_place_stable(&local.into()).unwrap().goto_expr.dereference(), - ) + if self.is_fat_pointer_stable(self.local_ty_stable(local)) { + let unref = match self.local_ty_stable(local).kind() { + TyKind::RigidTy(RigidTy::Ref(_, ty, _)) => ty, + kind => unreachable!("{:?} is not a reference", kind), + }; + let size = match unref.kind() { + TyKind::RigidTy(RigidTy::Slice(elt_type)) => { + elt_type.layout().unwrap().shape().size.bytes() + } + TyKind::RigidTy(RigidTy::Str) => 1, + // For adt, see https://rust-lang.zulipchat.com/#narrow/stream/182449-t-compiler.2Fhelp + TyKind::RigidTy(RigidTy::Adt(..)) => { + todo!("Adt fat pointers not implemented") + } + kind => unreachable!("Generating a slice fat pointer to {:?}", kind), + }; + Lambda::as_contract_for( + &goto_annotated_fn_typ, + None, + Expr::symbol_expression( + "__CPROVER_object_upto", + Type::code( + vec![ + Type::empty() + .to_pointer() + .as_parameter(None, Some("ptr".into())), + Type::size_t().as_parameter(None, Some("size".into())), + ], + Type::empty(), + ), + ) + .call(vec![ + self.codegen_place_stable(&local.into(), loc) + .unwrap() + .goto_expr + .member("data", &self.symbol_table) + .cast_to(Type::empty().to_pointer()), + self.codegen_place_stable(&local.into(), loc) + .unwrap() + .goto_expr + .member("len", &self.symbol_table) + .mul(Expr::size_constant( + size.try_into().unwrap(), + &self.symbol_table, + )), + ]), + ) + } else { + Lambda::as_contract_for( + &goto_annotated_fn_typ, + None, + self.codegen_place_stable(&local.into(), loc) + .unwrap() + .goto_expr + .dereference(), + ) + } }) + .chain(shadow_memory_assign) .collect(); FunctionContract::new(assigns) @@ -110,7 +218,8 @@ impl<'tcx> GotocCtx<'tcx> { assert!(self.current_fn.is_none()); let body = instance.body().unwrap(); self.set_current_fn(instance, &body); - let goto_contract = self.codegen_modifies_contract(modified_places); + let goto_contract = + self.codegen_modifies_contract(modified_places, self.codegen_span_stable(body.span)); let name = self.current_fn().name(); self.symbol_table.attach_contract(name, goto_contract); diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs index 4ab72eb3a705..386a50bc7ebc 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs @@ -49,7 +49,8 @@ impl<'tcx> GotocCtx<'tcx> { /// handled later. pub fn codegen_foreign_fn(&mut self, instance: Instance) -> &Symbol { debug!(?instance, "codegen_foreign_function"); - let fn_name = self.symbol_name_stable(instance).intern(); + let fn_name = instance.mangled_name().intern(); + let loc = self.codegen_span_stable(instance.def.span()); if self.symbol_table.contains(fn_name) { // Symbol has been added (either a built-in CBMC function or a Rust allocation function). self.symbol_table.lookup(fn_name).unwrap() @@ -63,8 +64,7 @@ impl<'tcx> GotocCtx<'tcx> { // https://github.com/model-checking/kani/issues/2426 self.ensure(fn_name, |gcx, _| { let typ = gcx.codegen_ffi_type(instance); - Symbol::function(fn_name, typ, None, instance.name(), Location::none()) - .with_is_extern(true) + Symbol::function(fn_name, typ, None, instance.name(), loc).with_is_extern(true) }) } else { let shim_name = format!("{fn_name}_ffi_shim"); @@ -77,7 +77,7 @@ impl<'tcx> GotocCtx<'tcx> { typ, Some(gcx.codegen_ffi_shim(shim_name.as_str().into(), instance)), instance.name(), - Location::none(), + loc, ) }) } @@ -109,7 +109,7 @@ impl<'tcx> GotocCtx<'tcx> { } else { let ret_expr = unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(ret_place) + self.codegen_place_stable(ret_place, loc) ) .goto_expr; let ret_type = ret_expr.typ().clone(); @@ -134,7 +134,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate type for the given foreign instance. fn codegen_ffi_type(&mut self, instance: Instance) -> Type { - let fn_name = self.symbol_name_stable(instance); + let fn_name = instance.mangled_name(); let fn_abi = instance.fn_abi().unwrap(); let loc = self.codegen_span_stable(instance.def.span()); let params = fn_abi @@ -166,7 +166,7 @@ impl<'tcx> GotocCtx<'tcx> { /// This will behave like `codegen_unimplemented_stmt` but print a message that includes /// the name of the function not supported and the calling convention. fn codegen_ffi_unsupported(&mut self, instance: Instance, loc: Location) -> Stmt { - let fn_name = &self.symbol_name_stable(instance); + let fn_name = &instance.mangled_name(); debug!(?fn_name, ?loc, "codegen_ffi_unsupported"); // Save this occurrence so we can emit a warning in the compilation report. diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs index d4061d4271db..a1afa343a6e7 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs @@ -3,16 +3,15 @@ //! This file contains functions related to codegenning MIR functions into gotoc +use crate::codegen_cprover_gotoc::codegen::block::reverse_postorder; use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::{Expr, Stmt, Symbol}; use cbmc::InternString; -use rustc_middle::mir::traversal::reverse_postorder; use stable_mir::mir::mono::Instance; use stable_mir::mir::{Body, Local}; use stable_mir::ty::{RigidTy, TyKind}; use stable_mir::CrateDef; use std::collections::BTreeMap; -use std::iter::FromIterator; use tracing::{debug, debug_span}; /// Codegen MIR functions into gotoc @@ -53,7 +52,7 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn codegen_function(&mut self, instance: Instance) { - let name = self.symbol_name_stable(instance); + let name = instance.mangled_name(); let old_sym = self.symbol_table.lookup(&name).unwrap(); let _trace_span = debug_span!("CodegenFunction", name = instance.name()).entered(); @@ -61,16 +60,14 @@ impl<'tcx> GotocCtx<'tcx> { debug!("Double codegen of {:?}", old_sym); } else { assert!(old_sym.is_function()); - let body = instance.body().unwrap(); + let body = self.transformer.body(self.tcx, instance); self.set_current_fn(instance, &body); self.print_instance(instance, &body); self.codegen_function_prelude(&body); self.codegen_declare_variables(&body); // Get the order from internal body for now. - let internal_body = self.current_fn().body_internal(); - reverse_postorder(internal_body) - .for_each(|(bb, _)| self.codegen_block(bb.index(), &body.blocks[bb.index()])); + reverse_postorder(&body).for_each(|bb| self.codegen_block(bb, &body.blocks[bb])); let loc = self.codegen_span_stable(instance.def.span()); let stmts = self.current_fn_mut().extract_block(); @@ -204,10 +201,10 @@ impl<'tcx> GotocCtx<'tcx> { pub fn declare_function(&mut self, instance: Instance) { debug!("declaring {}; {:?}", instance.name(), instance); - let body = instance.body().unwrap(); + let body = self.transformer.body(self.tcx, instance); self.set_current_fn(instance, &body); debug!(krate=?instance.def.krate(), is_std=self.current_fn().is_std(), "declare_function"); - self.ensure(&self.symbol_name_stable(instance), |ctx, fname| { + self.ensure(instance.mangled_name(), |ctx, fname| { Symbol::function( fname, ctx.fn_typ(instance, &body), diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs index d7345f30fadf..d8efef070a95 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs @@ -3,7 +3,7 @@ //! this module handles intrinsics use super::typ; use super::{bb_label, PropertyClass}; -use crate::codegen_cprover_gotoc::codegen::ty_stable::{pointee_type_stable, pretty_ty}; +use crate::codegen_cprover_gotoc::codegen::ty_stable::pointee_type_stable; use crate::codegen_cprover_gotoc::{utils, GotocCtx}; use crate::unwrap_or_return_codegen_unimplemented_stmt; use cbmc::goto_program::{ @@ -12,7 +12,7 @@ use cbmc::goto_program::{ use rustc_middle::ty::layout::ValidityRequirement; use rustc_middle::ty::ParamEnv; use rustc_smir::rustc_internal; -use stable_mir::mir::mono::{Instance, InstanceKind}; +use stable_mir::mir::mono::Instance; use stable_mir::mir::{BasicBlockIdx, Operand, Place}; use stable_mir::ty::{GenericArgs, RigidTy, Span, Ty, TyKind, UintTy}; use tracing::debug; @@ -33,11 +33,12 @@ impl<'tcx> GotocCtx<'tcx> { place: &Place, mut fargs: Vec, f: F, + loc: Location, ) -> Stmt { let arg1 = fargs.remove(0); let arg2 = fargs.remove(0); let expr = f(arg1, arg2); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) } /// Given a call to an compiler intrinsic, generate the call and the `goto` terminator @@ -45,17 +46,15 @@ impl<'tcx> GotocCtx<'tcx> { /// there is no terminator. pub fn codegen_funcall_of_intrinsic( &mut self, - func: &Operand, + instance: Instance, args: &[Operand], destination: &Place, target: Option, span: Span, ) -> Stmt { - let instance = self.get_intrinsic_instance(func).unwrap(); - if let Some(target) = target { let loc = self.codegen_span_stable(span); - let fargs = self.codegen_funcall_args(args, false); + let fargs = args.iter().map(|arg| self.codegen_operand_stable(arg)).collect::>(); Stmt::block( vec![ self.codegen_intrinsic(instance, fargs, destination, span), @@ -68,27 +67,10 @@ impl<'tcx> GotocCtx<'tcx> { } } - /// Returns `Some(instance)` if the function is an intrinsic; `None` otherwise - fn get_intrinsic_instance(&self, func: &Operand) -> Option { - let funct = self.operand_ty_stable(func); - match funct.kind() { - TyKind::RigidTy(RigidTy::FnDef(def, args)) => { - let instance = Instance::resolve(def, &args).unwrap(); - if matches!(instance.kind, InstanceKind::Intrinsic) { Some(instance) } else { None } - } - _ => None, - } - } - - /// Returns true if the `func` is a call to a compiler intrinsic; false otherwise. - pub fn is_intrinsic(&self, func: &Operand) -> bool { - self.get_intrinsic_instance(func).is_some() - } - /// Handles codegen for non returning intrinsics /// Non returning intrinsics are not associated with a destination pub fn codegen_never_return_intrinsic(&mut self, instance: Instance, span: Span) -> Stmt { - let intrinsic = instance.mangled_name(); + let intrinsic = instance.intrinsic_name().unwrap(); debug!("codegen_never_return_intrinsic:\n\tinstance {:?}\n\tspan {:?}", instance, span); @@ -131,8 +113,8 @@ impl<'tcx> GotocCtx<'tcx> { place: &Place, span: Span, ) -> Stmt { - let intrinsic_sym = instance.mangled_name(); - let intrinsic = intrinsic_sym.as_str(); + let intrinsic_name = instance.intrinsic_name().unwrap(); + let intrinsic = intrinsic_name.as_str(); let loc = self.codegen_span_stable(span); debug!(?instance, "codegen_intrinsic"); debug!(?fargs, "codegen_intrinsic"); @@ -168,7 +150,7 @@ impl<'tcx> GotocCtx<'tcx> { mm, ); let expr = BuiltinFn::$f.call(casted_fargs, loc); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) }}; } @@ -185,7 +167,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); let res = a.$f(b); - let expr_place = self.codegen_expr_to_place_stable(place, res); + let expr_place = self.codegen_expr_to_place_stable(place, res, loc); Stmt::block(vec![div_overflow_check, expr_place], loc) }}; } @@ -197,7 +179,7 @@ impl<'tcx> GotocCtx<'tcx> { // Intrinsics which encode a simple binary operation macro_rules! codegen_intrinsic_binop { - ($f:ident) => {{ self.binop(place, fargs, |a, b| a.$f(b)) }}; + ($f:ident) => {{ self.binop(place, fargs, |a, b| a.$f(b), loc) }}; } // Intrinsics which encode a simple binary operation which need a machine model @@ -206,7 +188,7 @@ impl<'tcx> GotocCtx<'tcx> { let arg1 = fargs.remove(0); let arg2 = fargs.remove(0); let expr = arg1.$f(arg2, self.symbol_table.machine_model()); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) }}; } @@ -215,7 +197,7 @@ impl<'tcx> GotocCtx<'tcx> { macro_rules! codegen_count_intrinsic { ($builtin: ident, $allow_zero: expr) => {{ let arg = fargs.remove(0); - self.codegen_expr_to_place_stable(place, arg.$builtin($allow_zero)) + self.codegen_expr_to_place_stable(place, arg.$builtin($allow_zero), loc) }}; } @@ -227,8 +209,8 @@ impl<'tcx> GotocCtx<'tcx> { let alloc = stable_instance.try_const_eval(place_ty).unwrap(); // We assume that the intrinsic has type checked at this point, so // we can use the place type as the expression type. - let expr = self.codegen_allocation(&alloc, place_ty, Some(span)); - self.codegen_expr_to_place_stable(&place, expr) + let expr = self.codegen_allocation(&alloc, place_ty, loc); + self.codegen_expr_to_place_stable(&place, expr, loc) }}; } @@ -239,7 +221,7 @@ impl<'tcx> GotocCtx<'tcx> { let target_ty = args.0[0].expect_ty(); let arg = fargs.remove(0); let size_align = self.size_and_align_of_dst(*target_ty, arg); - self.codegen_expr_to_place_stable(place, size_align.$which) + self.codegen_expr_to_place_stable(place, size_align.$which, loc) }}; } @@ -258,6 +240,19 @@ impl<'tcx> GotocCtx<'tcx> { // *var1 = op(*var1, var2); // var = tmp; // ------------------------- + // + // In fetch functions of atomic_ptr such as https://doc.rust-lang.org/std/sync/atomic/struct.AtomicPtr.html#method.fetch_byte_add, + // the type of var2 can be pointer (invalid_mut). + // In such case, atomic binops are transformed as follows to avoid typecheck failure. + // ------------------------- + // var = atomic_op(var1, var2) + // ------------------------- + // unsigned char tmp; + // tmp = *var1; + // *var1 = (typeof var1)op((size_t)*var1, (size_t)var2); + // var = tmp; + // ------------------------- + // // Note: Atomic arithmetic operations wrap around on overflow. macro_rules! codegen_atomic_binop { ($op: ident) => {{ @@ -268,9 +263,16 @@ impl<'tcx> GotocCtx<'tcx> { let (tmp, decl_stmt) = self.decl_temp_variable(var1.typ().clone(), Some(var1.to_owned()), loc); let var2 = fargs.remove(0); - let op_expr = (var1.clone()).$op(var2).with_location(loc); + let op_expr = if var2.typ().is_pointer() { + (var1.clone().cast_to(Type::c_size_t())) + .$op(var2.cast_to(Type::c_size_t())) + .with_location(loc) + .cast_to(var1.typ().clone()) + } else { + (var1.clone()).$op(var2).with_location(loc) + }; let assign_stmt = (var1.clone()).assign(op_expr, loc); - let res_stmt = self.codegen_expr_to_place_stable(place, tmp.clone()); + let res_stmt = self.codegen_expr_to_place_stable(place, tmp.clone(), loc); Stmt::atomic_block(vec![decl_stmt, assign_stmt, res_stmt], loc) }}; } @@ -283,7 +285,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, "https://github.com/model-checking/kani/issues/new/choose", ); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) }}; } @@ -386,17 +388,24 @@ impl<'tcx> GotocCtx<'tcx> { "atomic_xsub_acqrel" => codegen_atomic_binop!(sub), "atomic_xsub_release" => codegen_atomic_binop!(sub), "atomic_xsub_relaxed" => codegen_atomic_binop!(sub), - "bitreverse" => self.codegen_expr_to_place_stable(place, fargs.remove(0).bitreverse()), + "bitreverse" => { + self.codegen_expr_to_place_stable(place, fargs.remove(0).bitreverse(), loc) + } // black_box is an identity function that hints to the compiler // to be maximally pessimistic to limit optimizations - "black_box" => self.codegen_expr_to_place_stable(place, fargs.remove(0)), + "black_box" => self.codegen_expr_to_place_stable(place, fargs.remove(0), loc), "breakpoint" => Stmt::skip(loc), - "bswap" => self.codegen_expr_to_place_stable(place, fargs.remove(0).bswap()), + "bswap" => self.codegen_expr_to_place_stable(place, fargs.remove(0).bswap(), loc), "caller_location" => self.codegen_unimplemented_stmt( intrinsic, loc, "https://github.com/model-checking/kani/issues/374", ), + "catch_unwind" => self.codegen_unimplemented_stmt( + intrinsic, + loc, + "https://github.com/model-checking/kani/issues/267", + ), "ceilf32" => codegen_simple_intrinsic!(Ceilf), "ceilf64" => codegen_simple_intrinsic!(Ceil), "compare_bytes" => self.codegen_compare_bytes(fargs, place, loc), @@ -417,13 +426,13 @@ impl<'tcx> GotocCtx<'tcx> { let sig = instance.ty().kind().fn_sig().unwrap().skip_binder(); let ty = pointee_type_stable(sig.inputs()[0]).unwrap(); let e = self.codegen_get_discriminant(fargs.remove(0).dereference(), ty, ret_ty); - self.codegen_expr_to_place_stable(place, e) + self.codegen_expr_to_place_stable(place, e, loc) } "exact_div" => self.codegen_exact_div(fargs, place, loc), - "exp2f32" => unstable_codegen!(codegen_simple_intrinsic!(Exp2f)), - "exp2f64" => unstable_codegen!(codegen_simple_intrinsic!(Exp2)), - "expf32" => unstable_codegen!(codegen_simple_intrinsic!(Expf)), - "expf64" => unstable_codegen!(codegen_simple_intrinsic!(Exp)), + "exp2f32" => codegen_simple_intrinsic!(Exp2f), + "exp2f64" => codegen_simple_intrinsic!(Exp2), + "expf32" => codegen_simple_intrinsic!(Expf), + "expf64" => codegen_simple_intrinsic!(Exp), "fabsf32" => codegen_simple_intrinsic!(Fabsf), "fabsf64" => codegen_simple_intrinsic!(Fabs), "fadd_fast" => { @@ -451,13 +460,18 @@ impl<'tcx> GotocCtx<'tcx> { let binop_stmt = codegen_intrinsic_binop!(sub); self.add_finite_args_checks(intrinsic, fargs_clone, binop_stmt, span) } - "likely" => self.codegen_expr_to_place_stable(place, fargs.remove(0)), + "is_val_statically_known" => { + // Returning false is sound according do this intrinsic's documentation: + // https://doc.rust-lang.org/nightly/std/intrinsics/fn.is_val_statically_known.html + self.codegen_expr_to_place_stable(place, Expr::c_false(), loc) + } + "likely" => self.codegen_expr_to_place_stable(place, fargs.remove(0), loc), "log10f32" => unstable_codegen!(codegen_simple_intrinsic!(Log10f)), "log10f64" => unstable_codegen!(codegen_simple_intrinsic!(Log10)), "log2f32" => unstable_codegen!(codegen_simple_intrinsic!(Log2f)), "log2f64" => unstable_codegen!(codegen_simple_intrinsic!(Log2)), - "logf32" => unstable_codegen!(codegen_simple_intrinsic!(Logf)), - "logf64" => unstable_codegen!(codegen_simple_intrinsic!(Log)), + "logf32" => codegen_simple_intrinsic!(Logf), + "logf64" => codegen_simple_intrinsic!(Log), "maxnumf32" => codegen_simple_intrinsic!(Fmaxf), "maxnumf64" => codegen_simple_intrinsic!(Fmax), "min_align_of" => codegen_intrinsic_const!(), @@ -474,15 +488,16 @@ impl<'tcx> GotocCtx<'tcx> { "offset" => unreachable!( "Expected `core::intrinsics::unreachable` to be handled by `BinOp::OffSet`" ), - "powf32" => unstable_codegen!(codegen_simple_intrinsic!(Powf)), - "powf64" => unstable_codegen!(codegen_simple_intrinsic!(Pow)), + "powf32" => codegen_simple_intrinsic!(Powf), + "powf64" => codegen_simple_intrinsic!(Pow), "powif32" => unstable_codegen!(codegen_simple_intrinsic!(Powif)), "powif64" => unstable_codegen!(codegen_simple_intrinsic!(Powi)), "pref_align_of" => codegen_intrinsic_const!(), - "ptr_guaranteed_cmp" => self.codegen_ptr_guaranteed_cmp(fargs, place), + "ptr_guaranteed_cmp" => self.codegen_ptr_guaranteed_cmp(fargs, place, loc), "ptr_offset_from" => self.codegen_ptr_offset_from(fargs, place, loc), "ptr_offset_from_unsigned" => self.codegen_ptr_offset_from_unsigned(fargs, place, loc), "raw_eq" => self.codegen_intrinsic_raw_eq(instance, fargs, place, loc), + "retag_box_to_raw" => self.codegen_retag_box_to_raw(fargs, place, loc), "rintf32" => codegen_simple_intrinsic!(Rintf), "rintf64" => codegen_simple_intrinsic!(Rint), "rotate_left" => codegen_intrinsic_binop!(rol), @@ -563,20 +578,18 @@ impl<'tcx> GotocCtx<'tcx> { place, loc, ), - "transmute" => self.codegen_intrinsic_transmute(fargs, ret_ty, place), + "transmute" => self.codegen_intrinsic_transmute(fargs, ret_ty, place, loc), "truncf32" => codegen_simple_intrinsic!(Truncf), "truncf64" => codegen_simple_intrinsic!(Trunc), - "try" => self.codegen_unimplemented_stmt( - intrinsic, - loc, - "https://github.com/model-checking/kani/issues/267", - ), "type_id" => codegen_intrinsic_const!(), "type_name" => codegen_intrinsic_const!(), + "typed_swap" => self.codegen_swap(fargs, farg_types, loc), "unaligned_volatile_load" => { - unstable_codegen!( - self.codegen_expr_to_place_stable(place, fargs.remove(0).dereference()) - ) + unstable_codegen!(self.codegen_expr_to_place_stable( + place, + fargs.remove(0).dereference(), + loc + )) } "unchecked_add" | "unchecked_mul" | "unchecked_shl" | "unchecked_shr" | "unchecked_sub" => { @@ -584,7 +597,7 @@ impl<'tcx> GotocCtx<'tcx> { } "unchecked_div" => codegen_op_with_div_overflow_check!(div), "unchecked_rem" => codegen_op_with_div_overflow_check!(rem), - "unlikely" => self.codegen_expr_to_place_stable(place, fargs.remove(0)), + "unlikely" => self.codegen_expr_to_place_stable(place, fargs.remove(0), loc), "unreachable" => unreachable!( "Expected `std::intrinsics::unreachable` to be handled by `TerminatorKind::Unreachable`" ), @@ -626,7 +639,8 @@ impl<'tcx> GotocCtx<'tcx> { if !arg.typ().is_integer() { self.intrinsics_typecheck_fail(span, "ctpop", "integer type", arg_rust_ty) } else { - self.codegen_expr_to_place_stable(&target_place, arg.popcount()) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(&target_place, arg.popcount(), loc) } } @@ -646,7 +660,7 @@ impl<'tcx> GotocCtx<'tcx> { span, format!( "Type check failed for intrinsic `{name}`: Expected {expected}, found {}", - pretty_ty(actual) + self.pretty_ty(actual) ), ); self.tcx.dcx().abort_if_errors(); @@ -714,7 +728,8 @@ impl<'tcx> GotocCtx<'tcx> { let res = self.codegen_binop_with_overflow(binop, left, right, result_type.clone(), loc); self.codegen_expr_to_place_stable( place, - Expr::statement_expression(vec![res.as_stmt(loc)], result_type), + Expr::statement_expression(vec![res.as_stmt(loc)], result_type, loc), + loc, ) } @@ -748,7 +763,7 @@ impl<'tcx> GotocCtx<'tcx> { "exact_div division does not overflow", loc, ), - self.codegen_expr_to_place_stable(p, a.div(b)), + self.codegen_expr_to_place_stable(p, a.div(b), loc), ], loc, ) @@ -779,12 +794,16 @@ impl<'tcx> GotocCtx<'tcx> { if layout.abi.is_uninhabited() { return self.codegen_fatal_error( PropertyClass::SafetyCheck, - &format!("attempted to instantiate uninhabited type `{}`", pretty_ty(*target_ty)), + &format!( + "attempted to instantiate uninhabited type `{}`", + self.pretty_ty(*target_ty) + ), span, ); } - let param_env_and_type = ParamEnv::reveal_all().and(rustc_internal::internal(target_ty)); + let param_env_and_type = + ParamEnv::reveal_all().and(rustc_internal::internal(self.tcx, target_ty)); // Then we check if the type allows "raw" initialization for the cases // where memory is zero-initialized or entirely uninitialized @@ -798,7 +817,7 @@ impl<'tcx> GotocCtx<'tcx> { PropertyClass::SafetyCheck, &format!( "attempted to zero-initialize type `{}`, which is invalid", - pretty_ty(*target_ty) + self.pretty_ty(*target_ty) ), span, ); @@ -817,7 +836,7 @@ impl<'tcx> GotocCtx<'tcx> { PropertyClass::SafetyCheck, &format!( "attempted to leave type `{}` uninitialized, which is invalid", - pretty_ty(*target_ty) + self.pretty_ty(*target_ty) ), span, ); @@ -845,7 +864,7 @@ impl<'tcx> GotocCtx<'tcx> { self.store_concurrent_construct(intrinsic, loc); let var1_ref = fargs.remove(0); let var1 = var1_ref.dereference().with_location(loc); - let res_stmt = self.codegen_expr_to_place_stable(p, var1); + let res_stmt = self.codegen_expr_to_place_stable(p, var1, loc); Stmt::atomic_block(vec![res_stmt], loc) } @@ -853,6 +872,7 @@ impl<'tcx> GotocCtx<'tcx> { /// its primary argument and returns a tuple that contains: /// * the previous value /// * a boolean value indicating whether the operation was successful or not + /// /// In a sequential context, the update is always sucessful so we assume the /// second value to be true. /// ------------------------- @@ -885,7 +905,7 @@ impl<'tcx> GotocCtx<'tcx> { let tuple_expr = Expr::struct_expr_from_values(res_type, vec![tmp, Expr::c_true()], &self.symbol_table) .with_location(loc); - let res_stmt = self.codegen_expr_to_place_stable(p, tuple_expr); + let res_stmt = self.codegen_expr_to_place_stable(p, tuple_expr, loc); Stmt::atomic_block(vec![decl_stmt, cond_update_stmt, res_stmt], loc) } @@ -913,7 +933,7 @@ impl<'tcx> GotocCtx<'tcx> { self.decl_temp_variable(var1.typ().clone(), Some(var1.to_owned()), loc); let var2 = fargs.remove(0).with_location(loc); let assign_stmt = var1.assign(var2, loc); - let res_stmt = self.codegen_expr_to_place_stable(place, tmp); + let res_stmt = self.codegen_expr_to_place_stable(place, tmp, loc); Stmt::atomic_block(vec![decl_stmt, assign_stmt, res_stmt], loc) } @@ -937,9 +957,10 @@ impl<'tcx> GotocCtx<'tcx> { /// * Both `src`/`dst` must be valid for reads/writes of `count * /// size_of::()` bytes (done by calls to `memmove`) /// * (Exclusive to nonoverlapping copy) The region of memory beginning - /// at `src` with a size of `count * size_of::()` bytes must *not* - /// overlap with the region of memory beginning at `dst` with the same - /// size. + /// at `src` with a size of `count * size_of::()` bytes must *not* + /// overlap with the region of memory beginning at `dst` with the same + /// size. + /// /// In addition, we check that computing `count` in bytes (i.e., the third /// argument of the copy built-in call) would not overflow. pub fn codegen_copy( @@ -991,7 +1012,7 @@ impl<'tcx> GotocCtx<'tcx> { // fail on passing a reference to it unless we codegen this zero check. let copy_if_nontrivial = count_bytes.is_zero().ternary(dst, copy_call); let copy_expr = if let Some(p) = p { - self.codegen_expr_to_place_stable(p, copy_if_nontrivial) + self.codegen_expr_to_place_stable(p, copy_if_nontrivial, loc) } else { copy_if_nontrivial.as_stmt(loc) }; @@ -1022,9 +1043,11 @@ impl<'tcx> GotocCtx<'tcx> { let is_lhs_ok = lhs_var.clone().is_nonnull(); let is_rhs_ok = rhs_var.clone().is_nonnull(); let should_skip_pointer_checks = is_len_zero.and(is_lhs_ok).and(is_rhs_ok); - let place_expr = - unwrap_or_return_codegen_unimplemented_stmt!(self, self.codegen_place_stable(place)) - .goto_expr; + let place_expr = unwrap_or_return_codegen_unimplemented_stmt!( + self, + self.codegen_place_stable(place, loc) + ) + .goto_expr; let res = should_skip_pointer_checks.ternary( Expr::int_constant(0, place_expr.typ().clone()), // zero bytes are always equal (as long as pointers are nonnull and aligned) BuiltinFn::Memcmp @@ -1045,14 +1068,19 @@ impl<'tcx> GotocCtx<'tcx> { // // This intrinsic replaces `ptr_guaranteed_eq` and `ptr_guaranteed_ne`: // https://doc.rust-lang.org/beta/std/primitive.pointer.html#method.guaranteed_eq - fn codegen_ptr_guaranteed_cmp(&mut self, mut fargs: Vec, p: &Place) -> Stmt { + fn codegen_ptr_guaranteed_cmp( + &mut self, + mut fargs: Vec, + p: &Place, + loc: Location, + ) -> Stmt { let a = fargs.remove(0); let b = fargs.remove(0); let place_type = self.place_ty_stable(p); let res_type = self.codegen_ty_stable(place_type); let eq_expr = a.eq(b); let cmp_expr = eq_expr.ternary(res_type.one(), res_type.zero()); - self.codegen_expr_to_place_stable(p, cmp_expr) + self.codegen_expr_to_place_stable(p, cmp_expr, loc) } /// Computes the offset from a pointer. @@ -1100,7 +1128,7 @@ impl<'tcx> GotocCtx<'tcx> { // Re-compute `dst_ptr` with standard addition to avoid conversion let dst_ptr = src_ptr.plus(offset); - let expr_place = self.codegen_expr_to_place_stable(p, dst_ptr); + let expr_place = self.codegen_expr_to_place_stable(p, dst_ptr, loc); Stmt::block(vec![bytes_overflow_check, overflow_check, expr_place], loc) } @@ -1119,7 +1147,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); - let offset_expr = self.codegen_expr_to_place_stable(p, offset_expr); + let offset_expr = self.codegen_expr_to_place_stable(p, offset_expr, loc); Stmt::block(vec![overflow_check, offset_expr], loc) } @@ -1151,7 +1179,8 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); - let offset_expr = self.codegen_expr_to_place_stable(p, offset_expr.cast_to(Type::size_t())); + let offset_expr = + self.codegen_expr_to_place_stable(p, offset_expr.cast_to(Type::size_t()), loc); Stmt::block(vec![overflow_check, non_negative_check, offset_expr], loc) } @@ -1198,18 +1227,26 @@ impl<'tcx> GotocCtx<'tcx> { /// Note(std): An earlier attempt to add alignment checks for both the argument and result types /// had catastrophic results in the regression. Hence, we don't perform any additional checks /// and only encode the transmute operation here. - fn codegen_intrinsic_transmute(&mut self, mut fargs: Vec, ret_ty: Ty, p: &Place) -> Stmt { + fn codegen_intrinsic_transmute( + &mut self, + mut fargs: Vec, + ret_ty: Ty, + p: &Place, + loc: Location, + ) -> Stmt { assert!(fargs.len() == 1, "transmute had unexpected arguments {fargs:?}"); let arg = fargs.remove(0); let cbmc_ret_ty = self.codegen_ty_stable(ret_ty); let expr = arg.transmute_to(cbmc_ret_ty, &self.symbol_table); - self.codegen_expr_to_place_stable(p, expr) + self.codegen_expr_to_place_stable(p, expr, loc) } // `raw_eq` determines whether the raw bytes of two values are equal. // https://doc.rust-lang.org/core/intrinsics/fn.raw_eq.html // - // The implementation below calls `memcmp` and returns equal if the result is zero. + // The implementation below calls `memcmp` and returns equal if the result is zero, and + // immediately returns zero when ZSTs are compared to mimic what compare_bytes and our memcmp + // hook do. // // TODO: It's UB to call `raw_eq` if any of the bytes in the first or second // arguments are uninitialized. At present, we cannot detect if there is @@ -1228,13 +1265,25 @@ impl<'tcx> GotocCtx<'tcx> { let dst = fargs.remove(0).cast_to(Type::void_pointer()); let val = fargs.remove(0).cast_to(Type::void_pointer()); let layout = self.layout_of_stable(ty); - let sz = Expr::int_constant(layout.size.bytes(), Type::size_t()) - .with_size_of_annotation(self.codegen_ty_stable(ty)); - let e = BuiltinFn::Memcmp - .call(vec![dst, val, sz], loc) - .eq(Type::c_int().zero()) - .cast_to(Type::c_bool()); - self.codegen_expr_to_place_stable(p, e) + if layout.size.bytes() == 0 { + self.codegen_expr_to_place_stable(p, Expr::int_constant(1, Type::c_bool()), loc) + } else { + let sz = Expr::int_constant(layout.size.bytes(), Type::size_t()) + .with_size_of_annotation(self.codegen_ty_stable(ty)); + let e = BuiltinFn::Memcmp + .call(vec![dst, val, sz], loc) + .eq(Type::c_int().zero()) + .cast_to(Type::c_bool()); + self.codegen_expr_to_place_stable(p, e, loc) + } + } + + // This is an operation that is primarily relevant for stacked borrow + // checks. For Kani, we simply return the pointer. + fn codegen_retag_box_to_raw(&mut self, mut fargs: Vec, p: &Place, loc: Location) -> Stmt { + assert_eq!(fargs.len(), 1, "raw_box_to_box expected one argument"); + let arg = fargs.remove(0); + self.codegen_expr_to_place_stable(p, arg, loc) } fn vtable_info( @@ -1242,7 +1291,7 @@ impl<'tcx> GotocCtx<'tcx> { info: VTableInfo, mut fargs: Vec, place: &Place, - _loc: Location, + loc: Location, ) -> Stmt { assert_eq!(fargs.len(), 1, "vtable intrinsics expects one raw pointer argument"); let vtable_obj = fargs @@ -1254,7 +1303,7 @@ impl<'tcx> GotocCtx<'tcx> { VTableInfo::Size => vtable_obj.member(typ::VTABLE_SIZE_FIELD, &self.symbol_table), VTableInfo::Align => vtable_obj.member(typ::VTABLE_ALIGN_FIELD, &self.symbol_table), }; - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) } /// Gets the length for a `simd_shuffle*` instance, which comes in two @@ -1285,7 +1334,7 @@ impl<'tcx> GotocCtx<'tcx> { _ => { let err_msg = format!( "simd_shuffle index must be an array of `u32`, got `{}`", - pretty_ty(farg_types[2]) + self.pretty_ty(farg_types[2]) ); utils::span_err(self.tcx, span, err_msg); // Return a dummy value @@ -1378,7 +1427,7 @@ impl<'tcx> GotocCtx<'tcx> { // Packed types ignore the alignment of their fields. if let TyKind::RigidTy(RigidTy::Adt(def, _)) = ty.kind() { - if rustc_internal::internal(def).repr().packed() { + if rustc_internal::internal(self.tcx, def).repr().packed() { unsized_align = sized_align.clone(); } } @@ -1426,15 +1475,16 @@ impl<'tcx> GotocCtx<'tcx> { if rust_ret_type != vector_base_type { let err_msg = format!( "expected return type `{}` (element of input `{}`), found `{}`", - pretty_ty(vector_base_type), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_ret_type) + self.pretty_ty(vector_base_type), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_ret_type) ); utils::span_err(self.tcx, span, err_msg); } self.tcx.dcx().abort_if_errors(); - self.codegen_expr_to_place_stable(p, vec.index_array(index)) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(p, vec.index_array(index), loc) } /// Insert is a generic update of a single value in a SIMD vector. @@ -1466,9 +1516,9 @@ impl<'tcx> GotocCtx<'tcx> { if vector_base_type != rust_arg_types[2] { let err_msg = format!( "expected inserted type `{}` (element of input `{}`), found `{}`", - pretty_ty(vector_base_type), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_arg_types[2]), + self.pretty_ty(vector_base_type), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_arg_types[2]), ); utils::span_err(self.tcx, span, err_msg); } @@ -1481,7 +1531,7 @@ impl<'tcx> GotocCtx<'tcx> { vec![ decl, tmp.clone().index_array(index).assign(newval.cast_to(elem_ty), loc), - self.codegen_expr_to_place_stable(p, tmp), + self.codegen_expr_to_place_stable(p, tmp, loc), ], loc, ) @@ -1534,8 +1584,8 @@ impl<'tcx> GotocCtx<'tcx> { "expected return type with length {} (same as input type `{}`), \ found `{}` with length {}", arg1.typ().len().unwrap(), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_ret_type), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_ret_type), ret_typ.len().unwrap() ); utils::span_err(self.tcx, span, err_msg); @@ -1545,8 +1595,8 @@ impl<'tcx> GotocCtx<'tcx> { let (_, rust_base_type) = self.simd_size_and_type(rust_ret_type); let err_msg = format!( "expected return type with integer elements, found `{}` with non-integer `{}`", - pretty_ty(rust_ret_type), - pretty_ty(rust_base_type), + self.pretty_ty(rust_ret_type), + self.pretty_ty(rust_base_type), ); utils::span_err(self.tcx, span, err_msg); } @@ -1554,7 +1604,8 @@ impl<'tcx> GotocCtx<'tcx> { // Create the vector comparison expression let e = f(arg1, arg2, ret_typ); - self.codegen_expr_to_place_stable(p, e) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(p, e, loc) } /// Codegen for `simd_div` and `simd_rem` intrinsics. @@ -1586,7 +1637,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ) } else { - self.binop(p, fargs, op_fun) + self.binop(p, fargs, op_fun, loc) } } @@ -1624,7 +1675,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); let res = op_fun(a, b); - let expr_place = self.codegen_expr_to_place_stable(p, res); + let expr_place = self.codegen_expr_to_place_stable(p, res, loc); Stmt::block(vec![check_stmt, expr_place], loc) } @@ -1682,7 +1733,7 @@ impl<'tcx> GotocCtx<'tcx> { _ => unreachable!("expected a simd shift intrinsic"), }; let res = op_fun(values, distances); - let expr_place = self.codegen_expr_to_place_stable(p, res); + let expr_place = self.codegen_expr_to_place_stable(p, res, loc); if distance_is_signed { let negative_check_stmt = self.codegen_assert_assume( @@ -1740,7 +1791,7 @@ impl<'tcx> GotocCtx<'tcx> { if ret_type_len != n { let err_msg = format!( "expected return type of length {n}, found `{}` with length {ret_type_len}", - pretty_ty(rust_ret_type), + self.pretty_ty(rust_ret_type), ); utils::span_err(self.tcx, span, err_msg); } @@ -1748,10 +1799,10 @@ impl<'tcx> GotocCtx<'tcx> { let err_msg = format!( "expected return element type `{}` (element of input `{}`), \ found `{}` with element type `{}`", - pretty_ty(vec_subtype), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_ret_type), - pretty_ty(ret_type_subtype), + self.pretty_ty(vec_subtype), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_ret_type), + self.pretty_ty(ret_type_subtype), ); utils::span_err(self.tcx, span, err_msg); } @@ -1775,7 +1826,8 @@ impl<'tcx> GotocCtx<'tcx> { .collect(); self.tcx.dcx().abort_if_errors(); let cbmc_ret_ty = self.codegen_ty_stable(rust_ret_type); - self.codegen_expr_to_place_stable(p, Expr::vector_expr(cbmc_ret_ty, elems)) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(p, Expr::vector_expr(cbmc_ret_ty, elems), loc) } /// A volatile load of a memory location: @@ -1787,7 +1839,7 @@ impl<'tcx> GotocCtx<'tcx> { /// /// TODO: Add a check for the condition: /// * `src` must point to a properly initialized value of type `T` - /// See for more details + /// See for more details fn codegen_volatile_load( &mut self, mut fargs: Vec, @@ -1805,7 +1857,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); let expr = src.dereference(); - let res_stmt = self.codegen_expr_to_place_stable(p, expr); + let res_stmt = self.codegen_expr_to_place_stable(p, expr, loc); Stmt::block(vec![align_check, res_stmt], loc) } @@ -1831,8 +1883,13 @@ impl<'tcx> GotocCtx<'tcx> { "`dst` must be properly aligned", loc, ); - let expr = dst.dereference().assign(src, loc); - Stmt::block(vec![align_check, expr], loc) + if self.is_zst_stable(pointee_type_stable(dst_typ).unwrap()) { + // do not attempt to dereference (and assign) a ZST + align_check + } else { + let expr = dst.dereference().assign(src, loc); + Stmt::block(vec![align_check, expr], loc) + } } /// Sets `count * size_of::()` bytes of memory starting at `dst` to `val` @@ -1841,6 +1898,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Undefined behavior if any of these conditions are violated: /// * `dst` must be valid for writes (done by memset writable check) /// * `dst` must be properly aligned (done by `align_check` below) + /// /// In addition, we check that computing `bytes` (i.e., the third argument /// for the `memset` call) would not overflow fn codegen_write_bytes( @@ -1919,6 +1977,59 @@ impl<'tcx> GotocCtx<'tcx> { let zero = Type::size_t().zero(); cast_ptr.rem(align).eq(zero) } + + /// Swaps the memory contents pointed to by arguments `x` and `y`, respectively, which is + /// required for the `typed_swap` intrinsic. + /// + /// The standard library API requires that `x` and `y` are readable and writable as their + /// (common) type (which auto-generated checks for dereferencing will take care of), and the + /// memory regions pointed to must be non-overlapping. + pub fn codegen_swap(&mut self, mut fargs: Vec, farg_types: &[Ty], loc: Location) -> Stmt { + // two parameters, and both must be raw pointers with the same base type + assert!(fargs.len() == 2); + assert!(farg_types[0].kind().is_raw_ptr()); + assert!(farg_types[0] == farg_types[1]); + + let x = fargs.remove(0); + let y = fargs.remove(0); + + if self.is_zst_stable(pointee_type_stable(farg_types[0]).unwrap()) { + // do not attempt to dereference (and assign) a ZST + Stmt::skip(loc) + } else { + // if(same_object(x, y)) { + // assert(x + 1 <= y || y + 1 <= x); + // assume(x + 1 <= y || y + 1 <= x); + // } + let one = Expr::int_constant(1, Type::c_int()); + let non_overlapping = x + .clone() + .plus(one.clone()) + .le(y.clone()) + .or(y.clone().plus(one.clone()).le(x.clone())); + let non_overlapping_check = self.codegen_assert_assume( + non_overlapping, + PropertyClass::SafetyCheck, + "memory regions pointed to by `x` and `y` must not overlap", + loc, + ); + let non_overlapping_stmt = Stmt::if_then_else( + x.clone().same_object(y.clone()), + non_overlapping_check, + None, + loc, + ); + + // T t = *y; *y = *x; *x = t; + let deref_y = y.clone().dereference(); + let (temp_var, assign_to_t) = + self.decl_temp_variable(deref_y.typ().clone(), Some(deref_y), loc); + let assign_to_y = y.dereference().assign(x.clone().dereference(), loc); + let assign_to_x = x.dereference().assign(temp_var, loc); + + Stmt::block(vec![non_overlapping_stmt, assign_to_t, assign_to_y, assign_to_x], loc) + } + } } fn instance_args(instance: &Instance) -> GenericArgs { diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs index 517609bb0b4c..85bb8292ec67 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs @@ -3,16 +3,16 @@ use crate::codegen_cprover_gotoc::utils::slice_fat_ptr; use crate::codegen_cprover_gotoc::GotocCtx; use crate::unwrap_or_return_codegen_unimplemented; -use cbmc::goto_program::{DatatypeComponent, Expr, ExprValue, Location, Stmt, Symbol, Type}; +use cbmc::goto_program::{DatatypeComponent, Expr, ExprValue, Location, Symbol, Type}; use rustc_middle::ty::Const as ConstInternal; use rustc_smir::rustc_internal; use rustc_span::Span as SpanInternal; use stable_mir::mir::alloc::{AllocId, GlobalAlloc}; use stable_mir::mir::mono::{Instance, StaticDef}; -use stable_mir::mir::Operand; +use stable_mir::mir::{Mutability, Operand}; use stable_mir::ty::{ - Allocation, Const, ConstantKind, FloatTy, FnDef, GenericArgs, IntTy, RigidTy, Size, Span, Ty, - TyKind, UintTy, + Allocation, ConstantKind, FloatTy, FnDef, GenericArgs, IntTy, MirConst, RigidTy, Size, Ty, + TyConst, TyConstKind, TyKind, UintTy, }; use stable_mir::{CrateDef, CrateItem}; use tracing::{debug, trace}; @@ -38,8 +38,10 @@ impl<'tcx> GotocCtx<'tcx> { Operand::Copy(place) | Operand::Move(place) => // TODO: move is an opportunity to poison/nondet the original memory. { - let projection = - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place)); + let projection = unwrap_or_return_codegen_unimplemented!( + self, + self.codegen_place_stable(place, Location::none()) + ); // If the operand itself is a Dynamic (like when passing a boxed closure), // we need to pull off the fat pointer. In that case, the rustc kind() on // both the operand and the inner type are Dynamic. @@ -51,7 +53,7 @@ impl<'tcx> GotocCtx<'tcx> { } } Operand::Constant(constant) => { - self.codegen_const(&constant.literal, Some(constant.span)) + self.codegen_const(&constant.const_, self.codegen_span_stable(constant.span)) } } } @@ -62,27 +64,30 @@ impl<'tcx> GotocCtx<'tcx> { span: Option, ) -> Expr { let stable_const = rustc_internal::stable(constant); - let stable_span = rustc_internal::stable(span); - self.codegen_const(&stable_const, stable_span) + if let Some(stable_span) = rustc_internal::stable(span) { + self.codegen_const_ty(&stable_const, self.codegen_span_stable(stable_span)) + } else { + self.codegen_const_ty(&stable_const, Location::none()) + } } - /// Generate a goto expression that represents a constant. + /// Generate a goto expression that represents a MIR-level constant. /// /// There are two possible constants included in the body of an instance: /// - Allocated: It will have its byte representation already defined. We try to eagerly /// generate code for it as simple literals or constants if possible. Otherwise, we create /// a memory allocation for them and access them indirectly. /// - ZeroSized: These are ZST constants and they just need to match the right type. - pub fn codegen_const(&mut self, constant: &Const, span: Option) -> Expr { + pub fn codegen_const(&mut self, constant: &MirConst, loc: Location) -> Expr { trace!(?constant, "codegen_constant"); match constant.kind() { - ConstantKind::Allocated(alloc) => self.codegen_allocation(alloc, constant.ty(), span), + ConstantKind::Allocated(alloc) => self.codegen_allocation(alloc, constant.ty(), loc), ConstantKind::ZeroSized => { let lit_ty = constant.ty(); match lit_ty.kind() { // Rust "function items" (not closures, not function pointers, see `codegen_fndef`) TyKind::RigidTy(RigidTy::FnDef(def, args)) => { - self.codegen_fndef(def, &args, span) + self.codegen_fndef(def, &args, loc) } _ => Expr::init_unit(self.codegen_ty_stable(lit_ty), &self.symbol_table), } @@ -90,14 +95,42 @@ impl<'tcx> GotocCtx<'tcx> { ConstantKind::Param(..) | ConstantKind::Unevaluated(..) => { unreachable!() } + ConstantKind::Ty(t) => self.codegen_const_ty(t, loc), + } + } + + /// Generate a goto expression that represents a type-level constant. + /// + /// There are two possible constants included in the body of an instance: + /// - Allocated: It will have its byte representation already defined. We try to eagerly + /// generate code for it as simple literals or constants if possible. Otherwise, we create + /// a memory allocation for them and access them indirectly. + /// - ZeroSized: These are ZST constants and they just need to match the right type. + pub fn codegen_const_ty(&mut self, constant: &TyConst, loc: Location) -> Expr { + trace!(?constant, "codegen_constant"); + match constant.kind() { + TyConstKind::ZSTValue(lit_ty) => { + match lit_ty.kind() { + // Rust "function items" (not closures, not function pointers, see `codegen_fndef`) + TyKind::RigidTy(RigidTy::FnDef(def, args)) => { + self.codegen_fndef(def, &args, loc) + } + _ => Expr::init_unit(self.codegen_ty_stable(*lit_ty), &self.symbol_table), + } + } + TyConstKind::Value(ty, alloc) => self.codegen_allocation(alloc, *ty, loc), + TyConstKind::Bound(..) => unreachable!(), + TyConstKind::Param(..) | TyConstKind::Unevaluated(..) => { + unreachable!() + } } } - pub fn codegen_allocation(&mut self, alloc: &Allocation, ty: Ty, span: Option) -> Expr { + pub fn codegen_allocation(&mut self, alloc: &Allocation, ty: Ty, loc: Location) -> Expr { // First try to generate the constant without allocating memory. - let expr = self.try_codegen_constant(alloc, ty, span).unwrap_or_else(|| { + let expr = self.try_codegen_constant(alloc, ty, loc).unwrap_or_else(|| { debug!("codegen_allocation try_fail"); - let mem_var = self.codegen_const_allocation(alloc, None); + let mem_var = self.codegen_const_allocation(alloc, None, loc); mem_var .cast_to(Type::unsigned_int(8).to_pointer()) .cast_to(self.codegen_ty_stable(ty).to_pointer()) @@ -115,12 +148,7 @@ impl<'tcx> GotocCtx<'tcx> { /// 3. enums that don't carry data /// 4. unit, tuples (may be multi-ary!), or size-0 arrays /// 5. pointers to an allocation - fn try_codegen_constant( - &mut self, - alloc: &Allocation, - ty: Ty, - span: Option, - ) -> Option { + fn try_codegen_constant(&mut self, alloc: &Allocation, ty: Ty, loc: Location) -> Option { debug!(?alloc, ?ty, "try_codegen_constant"); match ty.kind() { TyKind::RigidTy(RigidTy::Int(it)) => { @@ -156,17 +184,23 @@ impl<'tcx> GotocCtx<'tcx> { // Instead, we use integers with the right width to represent the bit pattern. { match k { + FloatTy::F16 => Some(Expr::float16_constant_from_bitpattern( + alloc.read_uint().unwrap() as u16, + )), FloatTy::F32 => Some(Expr::float_constant_from_bitpattern( alloc.read_uint().unwrap() as u32, )), FloatTy::F64 => Some(Expr::double_constant_from_bitpattern( alloc.read_uint().unwrap() as u64, )), + FloatTy::F128 => { + Some(Expr::float128_constant_from_bitpattern(alloc.read_uint().unwrap())) + } } } TyKind::RigidTy(RigidTy::RawPtr(inner_ty, _)) | TyKind::RigidTy(RigidTy::Ref(_, inner_ty, _)) => { - Some(self.codegen_const_ptr(alloc, ty, inner_ty, span)) + Some(self.codegen_const_ptr(alloc, ty, inner_ty, loc)) } TyKind::RigidTy(RigidTy::Adt(adt, args)) if adt.kind().is_struct() => { // Structs only have one variant. @@ -193,7 +227,7 @@ impl<'tcx> GotocCtx<'tcx> { &self.symbol_table, )) } else { - self.try_codegen_constant(alloc, *t, span) + self.try_codegen_constant(alloc, *t, loc) } }) .collect::>>()?; @@ -210,7 +244,7 @@ impl<'tcx> GotocCtx<'tcx> { } TyKind::RigidTy(RigidTy::Tuple(tys)) if tys.len() == 1 => { let overall_t = self.codegen_ty_stable(ty); - let inner_expr = self.try_codegen_constant(alloc, tys[0], span)?; + let inner_expr = self.try_codegen_constant(alloc, tys[0], loc)?; Some(inner_expr.transmute_to(overall_t, &self.symbol_table)) } // Everything else we encode as an allocation. @@ -223,7 +257,7 @@ impl<'tcx> GotocCtx<'tcx> { alloc: &Allocation, ty: Ty, inner_ty: Ty, - span: Option, + loc: Location, ) -> Expr { debug!(?ty, ?alloc, "codegen_const_ptr"); if self.use_fat_pointer_stable(inner_ty) { @@ -240,7 +274,7 @@ impl<'tcx> GotocCtx<'tcx> { let GlobalAlloc::Memory(data) = GlobalAlloc::from(alloc_id) else { unreachable!() }; - let mem_var = self.codegen_const_allocation(&data, None); + let mem_var = self.codegen_const_allocation(&data, None, loc); // Extract identifier for static variable. // codegen_allocation_auto_imm_name returns the *address* of @@ -281,7 +315,7 @@ impl<'tcx> GotocCtx<'tcx> { let GlobalAlloc::Memory(data) = GlobalAlloc::from(alloc_id) else { unreachable!() }; - let mem_var = self.codegen_const_allocation(&data, None); + let mem_var = self.codegen_const_allocation(&data, None, loc); let inner_typ = self.codegen_ty_stable(inner_ty); let len = data.bytes.len() / inner_typ.sizeof(&self.symbol_table) as usize; let data_expr = mem_var.cast_to(inner_typ.to_pointer()); @@ -297,7 +331,6 @@ impl<'tcx> GotocCtx<'tcx> { TyKind::RigidTy(RigidTy::Adt(def, _)) if def.name().ends_with("::CStr") => { // TODO: Handle CString // - let loc = self.codegen_span_option_stable(span); let typ = self.codegen_ty_stable(ty); let operation_name = "C string literal"; self.codegen_unimplemented_expr( @@ -315,7 +348,7 @@ impl<'tcx> GotocCtx<'tcx> { let ptr = alloc.provenance.ptrs[0]; let alloc_id = ptr.1.0; let typ = self.codegen_ty_stable(ty); - self.codegen_alloc_pointer(typ, alloc_id, ptr.0, span) + self.codegen_alloc_pointer(typ, alloc_id, ptr.0, loc) } else { // If there's no provenance, just codegen the pointer address. trace!("codegen_const_ptr no_prov"); @@ -331,13 +364,13 @@ impl<'tcx> GotocCtx<'tcx> { res_t: Type, alloc_id: AllocId, offset: Size, - span: Option, + loc: Location, ) -> Expr { debug!(?res_t, ?alloc_id, "codegen_alloc_pointer"); let base_addr = match GlobalAlloc::from(alloc_id) { GlobalAlloc::Function(instance) => { // We want to return the function pointer (not to be confused with function item) - self.codegen_func_expr(instance, span).address_of() + self.codegen_func_expr(instance, loc).address_of() } GlobalAlloc::Static(def) => self.codegen_static_pointer(def), GlobalAlloc::Memory(alloc) => { @@ -345,7 +378,7 @@ impl<'tcx> GotocCtx<'tcx> { // crates do not conflict. The name alone is insufficient because Rust // allows different versions of the same crate to be used. let name = format!("{}::{alloc_id:?}", self.full_crate_name()); - self.codegen_const_allocation(&alloc, Some(name)) + self.codegen_const_allocation(&alloc, Some(name), loc) } alloc @ GlobalAlloc::VTable(..) => { // This is similar to GlobalAlloc::Memory but the type is opaque to rust and it @@ -355,7 +388,7 @@ impl<'tcx> GotocCtx<'tcx> { unreachable!() }; let name = format!("{}::{alloc_id:?}", self.full_crate_name()); - self.codegen_const_allocation(&alloc, Some(name)) + self.codegen_const_allocation(&alloc, Some(name), loc) } }; assert!(res_t.is_pointer() || res_t.is_transparent_type(&self.symbol_table)); @@ -393,7 +426,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate a goto expression for a pointer to a static or thread-local variable. fn codegen_instance_pointer(&mut self, instance: Instance, is_thread_local: bool) -> Expr { - let sym = self.ensure(&instance.mangled_name(), |ctx, name| { + let sym = self.ensure(instance.mangled_name(), |ctx, name| { // Rust has a notion of "extern static" variables. These are in an "extern" block, // and so aren't initialized in the current codegen unit. For example (from std): // extern "C" { @@ -431,12 +464,23 @@ impl<'tcx> GotocCtx<'tcx> { /// /// These constants can be named constants which are declared by the user, or constant values /// used scattered throughout the source - fn codegen_const_allocation(&mut self, alloc: &Allocation, name: Option) -> Expr { - debug!(?name, "codegen_const_allocation"); + fn codegen_const_allocation( + &mut self, + alloc: &Allocation, + name: Option, + loc: Location, + ) -> Expr { + debug!(?name, ?alloc, "codegen_const_allocation"); let alloc_name = match self.alloc_map.get(alloc) { None => { let alloc_name = if let Some(name) = name { name } else { self.next_global_name() }; - self.codegen_alloc_in_memory(alloc.clone(), alloc_name.clone()); + let has_interior_mutabity = false; // Constants cannot be mutated. + self.codegen_alloc_in_memory( + alloc.clone(), + alloc_name.clone(), + loc, + has_interior_mutabity, + ); alloc_name } Some(name) => name.clone(), @@ -446,13 +490,18 @@ impl<'tcx> GotocCtx<'tcx> { mem_place.address_of() } - /// Insert an allocation into the goto symbol table, and generate a goto function that will - /// initialize it. + /// Insert an allocation into the goto symbol table, and generate an init value. /// - /// This function is ultimately responsible for creating new statically initialized global variables - /// in our goto binaries. - pub fn codegen_alloc_in_memory(&mut self, alloc: Allocation, name: String) { - debug!(?alloc, ?name, "codegen_alloc_in_memory"); + /// This function is ultimately responsible for creating new statically initialized global + /// variables. + pub fn codegen_alloc_in_memory( + &mut self, + alloc: Allocation, + name: String, + loc: Location, + has_interior_mutabity: bool, + ) { + debug!(?name, ?alloc, "codegen_alloc_in_memory"); let struct_name = &format!("{name}::struct"); // The declaration of a static variable may have one type and the constant initializer for @@ -460,7 +509,7 @@ impl<'tcx> GotocCtx<'tcx> { // initializers. For example, for a boolean static variable, the variable will have type // CBool and the initializer will be a single byte (a one-character array) representing the // bit pattern for the boolean value. - let alloc_data = self.codegen_allocation_data(&alloc); + let alloc_data = self.codegen_allocation_data(&alloc, loc); let alloc_typ_ref = self.ensure_struct(struct_name, struct_name, |_, _| { alloc_data .iter() @@ -475,50 +524,40 @@ impl<'tcx> GotocCtx<'tcx> { .collect() }); + // Create the allocation from a byte array. + let init_fn = |gcx: &mut GotocCtx, var: Symbol| { + let val = Expr::struct_expr_from_values( + alloc_typ_ref.clone(), + alloc_data + .iter() + .map(|d| match d { + AllocData::Bytes(bytes) => Expr::array_expr( + Type::unsigned_int(8).array_of(bytes.len()), + bytes + .iter() + // We should consider adding a poison / undet where we have none + // This mimics the behaviour before StableMIR though. + .map(|b| Expr::int_constant(b.unwrap_or(0), Type::unsigned_int(8))) + .collect(), + ), + AllocData::Expr(e) => e.clone(), + }) + .collect(), + &gcx.symbol_table, + ); + if val.typ() == &var.typ { val } else { val.transmute_to(var.typ, &gcx.symbol_table) } + }; + // The global static variable may not be in the symbol table if we are dealing - // with a literal that can be statically allocated. - // We need to make a constructor whether it was in the table or not, so we can't use the - // closure argument to ensure_global_var to do that here. - let var = self.ensure_global_var( + // with a promoted constant. + let _var = self.ensure_global_var_init( &name, false, //TODO is this correct? + alloc.mutability == Mutability::Not && !has_interior_mutabity, alloc_typ_ref.clone(), - Location::none(), - |_, _| None, + loc, + init_fn, ); - let var_typ = var.typ().clone(); - - // Assign the initial value `val` to `var` via an intermediate `temp_var` to allow for - // transmuting the allocation type to the global static variable type. - let val = Expr::struct_expr_from_values( - alloc_typ_ref.clone(), - alloc_data - .iter() - .map(|d| match d { - AllocData::Bytes(bytes) => Expr::array_expr( - Type::unsigned_int(8).array_of(bytes.len()), - bytes - .iter() - // We should consider adding a poison / undet where we have none - // This mimics the behaviour before StableMIR though. - .map(|b| Expr::int_constant(b.unwrap_or(0), Type::unsigned_int(8))) - .collect(), - ), - AllocData::Expr(e) => e.clone(), - }) - .collect(), - &self.symbol_table, - ); - let fn_name = Self::initializer_fn_name(&name); - let temp_var = self.gen_function_local_variable(0, &fn_name, alloc_typ_ref).to_expr(); - let body = Stmt::block( - vec![ - Stmt::decl(temp_var.clone(), Some(val), Location::none()), - var.assign(temp_var.transmute_to(var_typ, &self.symbol_table), Location::none()), - ], - Location::none(), - ); - self.register_initializer(&name, body); self.alloc_map.insert(alloc, name); } @@ -528,7 +567,11 @@ impl<'tcx> GotocCtx<'tcx> { /// We codegen global statics as their own unique struct types, and this creates a field-by-field /// representation of what those fields should be initialized with. /// (A field is either bytes, or initialized with an expression.) - fn codegen_allocation_data<'a>(&mut self, alloc: &'a Allocation) -> Vec> { + fn codegen_allocation_data<'a>( + &mut self, + alloc: &'a Allocation, + loc: Location, + ) -> Vec> { let mut alloc_vals = Vec::with_capacity(alloc.provenance.ptrs.len() + 1); let pointer_size = self.symbol_table.machine_model().pointer_width_in_bytes(); @@ -543,7 +586,7 @@ impl<'tcx> GotocCtx<'tcx> { Type::signed_int(8).to_pointer(), prov.0, ptr_offset.try_into().unwrap(), - None, + loc, ))); next_offset = offset + pointer_size; @@ -557,6 +600,17 @@ impl<'tcx> GotocCtx<'tcx> { alloc_vals } + /// Returns `Some(instance)` if the function is an intrinsic; `None` otherwise + pub fn get_instance(&self, func: &Operand) -> Option { + let funct = self.operand_ty_stable(func); + match funct.kind() { + TyKind::RigidTy(RigidTy::FnDef(def, args)) => { + Some(Instance::resolve(def, &args).unwrap()) + } + _ => None, + } + } + /// Generate a goto expression for a MIR "function item" reference. /// /// A "function item" is a ZST that corresponds to a specific single function. @@ -568,20 +622,20 @@ impl<'tcx> GotocCtx<'tcx> { /// function types. /// /// See - pub fn codegen_fndef(&mut self, def: FnDef, args: &GenericArgs, span: Option) -> Expr { + pub fn codegen_fndef(&mut self, def: FnDef, args: &GenericArgs, loc: Location) -> Expr { let instance = Instance::resolve(def, args).unwrap(); - self.codegen_fn_item(instance, span) + self.codegen_fn_item(instance, loc) } /// Ensure that the given instance is in the symbol table, returning the symbol. fn codegen_func_symbol(&mut self, instance: Instance) -> &Symbol { - let sym = if instance.is_foreign_item() { + let sym = if instance.is_foreign_item() && !instance.has_body() { // Get the symbol that represents a foreign instance. self.codegen_foreign_fn(instance) } else { // All non-foreign functions should've been declared beforehand. trace!(func=?instance, "codegen_func_symbol"); - let func = self.symbol_name_stable(instance); + let func = instance.mangled_name(); self.symbol_table .lookup(&func) .unwrap_or_else(|| panic!("Function `{func}` should've been declared before usage")) @@ -594,10 +648,9 @@ impl<'tcx> GotocCtx<'tcx> { /// Note: In general with this `Expr` you should immediately either `.address_of()` or `.call(...)`. /// /// This should not be used where Rust expects a "function item" (See `codegen_fn_item`) - pub fn codegen_func_expr(&mut self, instance: Instance, span: Option) -> Expr { + pub fn codegen_func_expr(&mut self, instance: Instance, loc: Location) -> Expr { let func_symbol = self.codegen_func_symbol(instance); - Expr::symbol_expression(func_symbol.name, func_symbol.typ.clone()) - .with_location(self.codegen_span_option_stable(span)) + Expr::symbol_expression(func_symbol.name, func_symbol.typ.clone()).with_location(loc) } /// Generate a goto expression referencing the singleton value for a MIR "function item". @@ -605,18 +658,12 @@ impl<'tcx> GotocCtx<'tcx> { /// For a given function instance, generate a ZST struct and return a singleton reference to that. /// This is the Rust "function item". See /// This is not the function pointer, for that use `codegen_func_expr`. - fn codegen_fn_item(&mut self, instance: Instance, span: Option) -> Expr { + fn codegen_fn_item(&mut self, instance: Instance, loc: Location) -> Expr { let func_symbol = self.codegen_func_symbol(instance); let mangled_name = func_symbol.name; let fn_item_struct_ty = self.codegen_fndef_type_stable(instance); // This zero-sized object that a function name refers to in Rust is globally unique, so we create such a global object. let fn_singleton_name = format!("{mangled_name}::FnDefSingleton"); - self.ensure_global_var( - &fn_singleton_name, - false, - fn_item_struct_ty, - self.codegen_span_option_stable(span), - |_, _| None, // zero-sized, so no initialization necessary - ) + self.ensure_global_var(&fn_singleton_name, false, fn_item_struct_ty, loc).to_expr() } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs index fd9ff33e164e..d0e3fc3f442f 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs @@ -11,7 +11,7 @@ use crate::codegen_cprover_gotoc::codegen::typ::std_pointee_type; use crate::codegen_cprover_gotoc::utils::{dynamic_fat_ptr, slice_fat_ptr}; use crate::codegen_cprover_gotoc::GotocCtx; use crate::unwrap_or_return_codegen_unimplemented; -use cbmc::goto_program::{Expr, Location, Type}; +use cbmc::goto_program::{Expr, ExprValue, Location, Stmt, Type}; use rustc_middle::ty::layout::LayoutOf; use rustc_smir::rustc_internal; use rustc_target::abi::{TagEncoding, Variants}; @@ -260,7 +260,7 @@ impl<'tcx> GotocCtx<'tcx> { Ok(parent_expr.member(Self::tuple_fld_name(field_idx), &self.symbol_table)) } TyKind::RigidTy(RigidTy::Adt(def, _)) - if rustc_internal::internal(def).repr().simd() => + if rustc_internal::internal(self.tcx, def).repr().simd() => { Ok(self.codegen_simd_field( parent_expr, @@ -292,6 +292,11 @@ impl<'tcx> GotocCtx<'tcx> { "element of {parent_ty:?} is not accessed via field projection" ) } + TyKind::RigidTy(RigidTy::Pat(..)) => { + // See https://github.com/rust-lang/types-team/issues/126 + // for what is currently supported. + unreachable!("projection inside a pattern is not supported, only transmute") + } } } // if we fall here, then we are handling an enum @@ -328,8 +333,9 @@ impl<'tcx> GotocCtx<'tcx> { /// assert!(v.0 == [1, 2]); // refers to the entire array /// } /// ``` - /// * Note that projection inside SIMD structs may eventually become illegal. - /// See thread. + /// + /// Note that projection inside SIMD structs may eventually become illegal. + /// See thread . /// /// Since the goto representation for both is the same, we use the expected type to decide /// what to return. @@ -358,22 +364,20 @@ impl<'tcx> GotocCtx<'tcx> { /// a named variable. /// /// Recursively finds the actual FnDef from a pointer or box. - fn codegen_local_fndef(&mut self, ty: Ty) -> Option { + fn codegen_local_fndef(&mut self, ty: Ty, loc: Location) -> Option { match ty.kind() { // A local that is itself a FnDef, like Fn::call_once - TyKind::RigidTy(RigidTy::FnDef(def, args)) => { - Some(self.codegen_fndef(def, &args, None)) - } + TyKind::RigidTy(RigidTy::FnDef(def, args)) => Some(self.codegen_fndef(def, &args, loc)), // A local can be pointer to a FnDef, like Fn::call and Fn::call_mut TyKind::RigidTy(RigidTy::RawPtr(inner, _)) => self - .codegen_local_fndef(inner) + .codegen_local_fndef(inner, loc) .map(|f| if f.can_take_address_of() { f.address_of() } else { f }), // A local can be a boxed function pointer TyKind::RigidTy(RigidTy::Adt(def, args)) if def.is_box() => { let boxed_ty = self.codegen_ty_stable(ty); // The type of `T` for `Box` can be derived from the first definition args. let inner_ty = args.0[0].ty().unwrap(); - self.codegen_local_fndef(*inner_ty) + self.codegen_local_fndef(*inner_ty, loc) .map(|f| self.box_value(f.address_of(), boxed_ty)) } _ => None, @@ -381,10 +385,10 @@ impl<'tcx> GotocCtx<'tcx> { } /// Codegen for a local - fn codegen_local(&mut self, l: Local) -> Expr { + pub fn codegen_local(&mut self, l: Local, loc: Location) -> Expr { let local_ty = self.local_ty_stable(l); // Check if the local is a function definition (see comment above) - if let Some(fn_def) = self.codegen_local_fndef(local_ty) { + if let Some(fn_def) = self.codegen_local_fndef(local_ty, loc) { return fn_def; } @@ -402,6 +406,7 @@ impl<'tcx> GotocCtx<'tcx> { &mut self, before: Result, proj: &ProjectionElem, + loc: Location, ) -> Result { let before = before?; trace!(?before, ?proj, "codegen_projection"); @@ -415,7 +420,7 @@ impl<'tcx> GotocCtx<'tcx> { }; let inner_mir_typ_internal = - std_pointee_type(rustc_internal::internal(base_type)).unwrap(); + std_pointee_type(rustc_internal::internal(self.tcx, base_type)).unwrap(); let inner_mir_typ = rustc_internal::stable(inner_mir_typ_internal); let (fat_ptr_mir_typ, fat_ptr_goto_expr) = if self .use_thin_pointer(inner_mir_typ_internal) @@ -436,6 +441,7 @@ impl<'tcx> GotocCtx<'tcx> { ); assert!( self.use_fat_pointer(rustc_internal::internal( + self.tcx, pointee_type(fat_ptr_mir_typ.unwrap()).unwrap() )), "Unexpected type: {:?} -- {:?}", @@ -493,7 +499,7 @@ impl<'tcx> GotocCtx<'tcx> { } ProjectionElem::Index(i) => { let base_type = before.mir_typ(); - let idxe = self.codegen_local(*i); + let idxe = self.codegen_local(*i, loc); let typ = match base_type.kind() { TyKind::RigidTy(RigidTy::Array(elemt, _)) | TyKind::RigidTy(RigidTy::Slice(elemt)) => TypeOrVariant::Type(elemt), @@ -582,7 +588,7 @@ impl<'tcx> GotocCtx<'tcx> { (variant.name().into(), TypeOrVariant::Variant(variant)) } TyKind::RigidTy(RigidTy::Coroutine(..)) => { - let idx_internal = rustc_internal::internal(idx); + let idx_internal = rustc_internal::internal(self.tcx, idx); ( self.coroutine_variant_name(idx_internal), TypeOrVariant::CoroutineVariant(*idx), @@ -593,7 +599,7 @@ impl<'tcx> GotocCtx<'tcx> { &ty.kind() ), }; - let layout = self.layout_of(rustc_internal::internal(ty)); + let layout = self.layout_of(rustc_internal::internal(self.tcx, ty)); let expr = match &layout.variants { Variants::Single { .. } => before.goto_expr, Variants::Multiple { tag_encoding, .. } => match tag_encoding { @@ -630,19 +636,53 @@ impl<'tcx> GotocCtx<'tcx> { } } + fn is_zst_object(&self, expr: &Expr) -> bool { + match expr.value() { + ExprValue::Symbol { .. } => expr.typ().sizeof(&self.symbol_table) == 0, + ExprValue::Member { lhs, .. } => self.is_zst_object(lhs), + _ => false, + } + } + /// Codegen the reference to a given place. /// We currently have a somewhat weird way of handling ZST. /// - For `*(&T)` where `T: Unsized`, the projection's `goto_expr` is a thin pointer, so we /// build the fat pointer from there. /// - For `*(Wrapper)` where `T: Unsized`, the projection's `goto_expr` returns an object, /// and we need to take it's address and build the fat pointer. - pub fn codegen_place_ref_stable(&mut self, place: &Place) -> Expr { + pub fn codegen_place_ref_stable(&mut self, place: &Place, loc: Location) -> Expr { let place_ty = self.place_ty_stable(place); let projection = - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place)); + unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place, loc)); if self.use_thin_pointer_stable(place_ty) { - // Just return the address of the place dereferenced. - projection.goto_expr.address_of() + // For ZST objects rustc does not necessarily generate any actual objects. + let need_not_be_an_object = self.is_zst_object(&projection.goto_expr); + let address_of = projection.goto_expr.clone().address_of(); + if need_not_be_an_object { + // Create a non-deterministic numeric value, assume it is non-zero and (when + // interpreted as an address) of proper alignment for the type, and cast that + // numeric value to a pointer type. + let loc = projection.goto_expr.location(); + let (var, decl) = + self.decl_temp_variable(Type::size_t(), Some(Type::size_t().nondet()), *loc); + let assume_non_zero = + Stmt::assume(var.clone().neq(Expr::int_constant(0, var.typ().clone())), *loc); + let layout = self.layout_of_stable(place_ty); + let alignment = Expr::int_constant(layout.align.abi.bytes(), var.typ().clone()); + let assume_aligned = Stmt::assume( + var.clone().rem(alignment).eq(Expr::int_constant(0, var.typ().clone())), + *loc, + ); + let cast_to_pointer_type = var.cast_to(address_of.typ().clone()).as_stmt(*loc); + Expr::statement_expression( + vec![decl, assume_non_zero, assume_aligned, cast_to_pointer_type], + address_of.typ().clone(), + *loc, + ) + } else { + // Just return the address of the place dereferenced. + address_of + } } else if place_ty == pointee_type(self.local_ty_stable(place.local)).unwrap() { // Just return the fat pointer if this is a simple &(*local). projection.fat_ptr_goto_expr.unwrap() @@ -671,9 +711,10 @@ impl<'tcx> GotocCtx<'tcx> { pub fn codegen_place_stable( &mut self, place: &Place, + loc: Location, ) -> Result { debug!(?place, "codegen_place"); - let initial_expr = self.codegen_local(place.local); + let initial_expr = self.codegen_local(place.local, loc); let initial_typ = TypeOrVariant::Type(self.local_ty_stable(place.local)); debug!(?initial_typ, ?initial_expr, "codegen_place"); let initial_projection = @@ -681,7 +722,7 @@ impl<'tcx> GotocCtx<'tcx> { let result = place .projection .iter() - .fold(initial_projection, |accum, proj| self.codegen_projection(accum, proj)); + .fold(initial_projection, |accum, proj| self.codegen_projection(accum, proj, loc)); match result { Err(data) => Err(UnimplementedData::new( &data.operation, @@ -698,10 +739,11 @@ impl<'tcx> GotocCtx<'tcx> { &mut self, initial_projection: ProjectedPlace, variant_idx: VariantIdx, + loc: Location, ) -> ProjectedPlace { debug!(?initial_projection, ?variant_idx, "codegen_variant_lvalue"); let downcast = ProjectionElem::Downcast(variant_idx); - self.codegen_projection(Ok(initial_projection), &downcast).unwrap() + self.codegen_projection(Ok(initial_projection), &downcast, loc).unwrap() } // https://doc.rust-lang.org/nightly/nightly-rustc/rustc_middle/mir/enum.ProjectionElem.html diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs index c4ea258fe79e..4883c608f482 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs @@ -1,6 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT +use crate::args::ExtraChecks; use crate::codegen_cprover_gotoc::codegen::place::ProjectedPlace; use crate::codegen_cprover_gotoc::codegen::ty_stable::pointee_type_stable; use crate::codegen_cprover_gotoc::codegen::PropertyClass; @@ -17,14 +18,15 @@ use cbmc::goto_program::{ use cbmc::MachineModel; use cbmc::{btree_string_map, InternString, InternedString}; use num::bigint::BigInt; -use rustc_middle::ty::{TyCtxt, VtblEntry}; +use rustc_middle::ty::{ParamEnv, TyCtxt, VtblEntry}; use rustc_smir::rustc_internal; use rustc_target::abi::{FieldsShape, TagEncoding, Variants}; +use stable_mir::abi::{Primitive, Scalar, ValueAbi}; use stable_mir::mir::mono::Instance; use stable_mir::mir::{ AggregateKind, BinOp, CastKind, NullOp, Operand, Place, PointerCoercion, Rvalue, UnOp, }; -use stable_mir::ty::{ClosureKind, Const, IntTy, RigidTy, Size, Ty, TyKind, UintTy, VariantIdx}; +use stable_mir::ty::{ClosureKind, IntTy, RigidTy, Size, Ty, TyConst, TyKind, UintTy, VariantIdx}; use std::collections::BTreeMap; use tracing::{debug, trace, warn}; @@ -32,9 +34,11 @@ impl<'tcx> GotocCtx<'tcx> { fn codegen_comparison(&mut self, op: &BinOp, e1: &Operand, e2: &Operand) -> Expr { let left_op = self.codegen_operand_stable(e1); let right_op = self.codegen_operand_stable(e2); - let is_float = - matches!(self.operand_ty_stable(e1).kind(), TyKind::RigidTy(RigidTy::Float(..))); - comparison_expr(op, left_op, right_op, is_float) + let left_ty = self.operand_ty_stable(e1); + let right_ty = self.operand_ty_stable(e2); + let res_ty = op.ty(left_ty, right_ty); + let is_float = matches!(left_ty.kind(), TyKind::RigidTy(RigidTy::Float(..))); + self.comparison_expr(op, left_op, right_op, res_ty, is_float) } /// This function codegen comparison for fat pointers. @@ -53,7 +57,7 @@ impl<'tcx> GotocCtx<'tcx> { ) -> Expr { debug!(?op, ?left_op, ?right_op, "codegen_comparison_fat_ptr"); let left_typ = self.operand_ty_stable(left_op); - let right_typ = self.operand_ty_stable(left_op); + let right_typ = self.operand_ty_stable(right_op); assert_eq!(left_typ, right_typ, "Cannot compare pointers of different types"); assert!(self.is_fat_pointer_stable(left_typ)); @@ -69,19 +73,21 @@ impl<'tcx> GotocCtx<'tcx> { ret_type.nondet().as_stmt(loc).with_location(loc), ]; - Expr::statement_expression(body, ret_type).with_location(loc) + Expr::statement_expression(body, ret_type, loc) } else { // Compare data pointer. + let res_ty = op.ty(left_typ, right_typ); let left_ptr = self.codegen_operand_stable(left_op); let left_data = left_ptr.clone().member("data", &self.symbol_table); let right_ptr = self.codegen_operand_stable(right_op); let right_data = right_ptr.clone().member("data", &self.symbol_table); - let data_cmp = comparison_expr(op, left_data.clone(), right_data.clone(), false); + let data_cmp = + self.comparison_expr(op, left_data.clone(), right_data.clone(), res_ty, false); // Compare the slice metadata (this logic could be adapted to compare vtable if needed). let left_len = left_ptr.member("len", &self.symbol_table); let right_len = right_ptr.member("len", &self.symbol_table); - let metadata_cmp = comparison_expr(op, left_len, right_len, false); + let metadata_cmp = self.comparison_expr(op, left_len, right_len, res_ty, false); // Join the results. // https://github.com/rust-lang/rust/pull/29781 @@ -93,10 +99,20 @@ impl<'tcx> GotocCtx<'tcx> { // If data is different, only compare data. // If data is equal, apply operator to metadata. BinOp::Lt | BinOp::Le | BinOp::Ge | BinOp::Gt => { - let data_eq = - comparison_expr(&BinOp::Eq, left_data.clone(), right_data.clone(), false); - let data_strict_comp = - comparison_expr(&get_strict_operator(op), left_data, right_data, false); + let data_eq = self.comparison_expr( + &BinOp::Eq, + left_data.clone(), + right_data.clone(), + res_ty, + false, + ); + let data_strict_comp = self.comparison_expr( + &get_strict_operator(op), + left_data, + right_data, + res_ty, + false, + ); data_strict_comp.or(data_eq.and(metadata_cmp)) } _ => unreachable!("Unexpected operator {:?}", op), @@ -145,18 +161,18 @@ impl<'tcx> GotocCtx<'tcx> { } /// Codegens expressions of the type `let a = [4u8; 6];` - fn codegen_rvalue_repeat(&mut self, op: &Operand, sz: &Const, loc: Location) -> Expr { + fn codegen_rvalue_repeat(&mut self, op: &Operand, sz: &TyConst, loc: Location) -> Expr { let op_expr = self.codegen_operand_stable(op); let width = sz.eval_target_usize().unwrap(); op_expr.array_constant(width).with_location(loc) } - fn codegen_rvalue_len(&mut self, p: &Place) -> Expr { + fn codegen_rvalue_len(&mut self, p: &Place, loc: Location) -> Expr { let pt = self.place_ty_stable(p); match pt.kind() { - TyKind::RigidTy(RigidTy::Array(_, sz)) => self.codegen_const(&sz, None), + TyKind::RigidTy(RigidTy::Array(_, sz)) => self.codegen_const_ty(&sz, loc), TyKind::RigidTy(RigidTy::Slice(_)) => { - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(p)) + unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(p, loc)) .fat_ptr_goto_expr .unwrap() .member("len", &self.symbol_table) @@ -208,6 +224,7 @@ impl<'tcx> GotocCtx<'tcx> { var.member(ARITH_OVERFLOW_RESULT_FIELD, &self.symbol_table).as_stmt(loc), ], ret_type, + loc, ) } @@ -238,7 +255,7 @@ impl<'tcx> GotocCtx<'tcx> { ], &self.symbol_table, ); - Expr::statement_expression(vec![decl, cast.as_stmt(loc)], expected_typ) + Expr::statement_expression(vec![decl, cast.as_stmt(loc)], expected_typ, loc) } /// Generate code for a binary arithmetic operation with UB / overflow checks in place. @@ -355,6 +372,7 @@ impl<'tcx> GotocCtx<'tcx> { Expr::statement_expression( vec![check, result.clone().as_stmt(loc)], result.typ().clone(), + loc, ) } BinOp::AddUnchecked | BinOp::MulUnchecked | BinOp::SubUnchecked => { @@ -368,6 +386,7 @@ impl<'tcx> GotocCtx<'tcx> { Expr::statement_expression( vec![check, result.clone().as_stmt(loc)], result.typ().clone(), + loc, ) } else { result @@ -376,7 +395,7 @@ impl<'tcx> GotocCtx<'tcx> { BinOp::BitXor | BinOp::BitAnd | BinOp::BitOr => { self.codegen_unchecked_scalar_binop(op, e1, e2) } - BinOp::Eq | BinOp::Lt | BinOp::Le | BinOp::Ne | BinOp::Ge | BinOp::Gt => { + BinOp::Eq | BinOp::Lt | BinOp::Le | BinOp::Ne | BinOp::Ge | BinOp::Gt | BinOp::Cmp => { let op_ty = self.operand_ty_stable(e1); if self.is_fat_pointer_stable(op_ty) { self.codegen_comparison_fat_ptr(op, e1, e2, loc) @@ -413,6 +432,7 @@ impl<'tcx> GotocCtx<'tcx> { Expr::statement_expression( vec![bytes_overflow_check, overflow_check, res.as_stmt(loc)], ce1.typ().clone(), + loc, ) } } @@ -550,12 +570,12 @@ impl<'tcx> GotocCtx<'tcx> { // 2- Initialize the members of the temporary variant. let initial_projection = ProjectedPlace::try_from_ty(temp_var.clone(), res_ty, self).unwrap(); - let variant_proj = self.codegen_variant_lvalue(initial_projection, variant_index); + let variant_proj = self.codegen_variant_lvalue(initial_projection, variant_index, loc); let variant_expr = variant_proj.goto_expr.clone(); let layout = self.layout_of_stable(res_ty); let fields = match &layout.variants { Variants::Single { index } => { - if *index != rustc_internal::internal(variant_index) { + if *index != rustc_internal::internal(self.tcx, variant_index) { // This may occur if all variants except for the one pointed by // index can never be constructed. Generic code might still try // to initialize the non-existing invariant. @@ -565,7 +585,7 @@ impl<'tcx> GotocCtx<'tcx> { &layout.fields } Variants::Multiple { variants, .. } => { - &variants[rustc_internal::internal(variant_index)].fields + &variants[rustc_internal::internal(self.tcx, variant_index)].fields } }; @@ -587,7 +607,7 @@ impl<'tcx> GotocCtx<'tcx> { stmts.push(set_discriminant); // 4- Return temporary variable. stmts.push(temp_var.as_stmt(loc)); - Expr::statement_expression(stmts, typ) + Expr::statement_expression(stmts, typ, loc) } fn codegen_rvalue_aggregate( @@ -659,6 +679,45 @@ impl<'tcx> GotocCtx<'tcx> { &self.symbol_table, ) } + AggregateKind::RawPtr(pointee_ty, _) => { + // We expect two operands: "data" and "meta" + assert!(operands.len() == 2); + let typ = self.codegen_ty_stable(res_ty); + let layout = self.layout_of_stable(res_ty); + assert!(layout.ty.is_unsafe_ptr()); + let data = self.codegen_operand_stable(&operands[0]); + match pointee_ty.kind() { + TyKind::RigidTy(RigidTy::Slice(inner_ty)) => { + let pointee_goto_typ = self.codegen_ty_stable(inner_ty); + // cast data to pointer with specified type + let data_cast = + data.cast_to(Type::Pointer { typ: Box::new(pointee_goto_typ) }); + let meta = self.codegen_operand_stable(&operands[1]); + slice_fat_ptr(typ, data_cast, meta, &self.symbol_table) + } + TyKind::RigidTy(RigidTy::Adt(..)) => { + let pointee_goto_typ = self.codegen_ty_stable(pointee_ty); + let data_cast = + data.cast_to(Type::Pointer { typ: Box::new(pointee_goto_typ) }); + let meta = self.codegen_operand_stable(&operands[1]); + if meta.typ().sizeof(&self.symbol_table) == 0 { + data_cast + } else { + let vtable_expr = meta + .member("_vtable_ptr", &self.symbol_table) + .member("pointer", &self.symbol_table) + .cast_to( + typ.lookup_field_type("vtable", &self.symbol_table).unwrap(), + ); + dynamic_fat_ptr(typ, data_cast, vtable_expr, &self.symbol_table) + } + } + _ => { + let pointee_goto_typ = self.codegen_ty_stable(pointee_ty); + data.cast_to(Type::Pointer { typ: Box::new(pointee_goto_typ) }) + } + } + } AggregateKind::Coroutine(_, _, _) => self.codegen_rvalue_coroutine(&operands, res_ty), } } @@ -669,8 +728,23 @@ impl<'tcx> GotocCtx<'tcx> { match rv { Rvalue::Use(p) => self.codegen_operand_stable(p), Rvalue::Repeat(op, sz) => self.codegen_rvalue_repeat(op, sz, loc), - Rvalue::Ref(_, _, p) | Rvalue::AddressOf(_, p) => self.codegen_place_ref_stable(&p), - Rvalue::Len(p) => self.codegen_rvalue_len(p), + Rvalue::Ref(_, _, p) | Rvalue::AddressOf(_, p) => { + let place_ref = self.codegen_place_ref_stable(&p, loc); + if self.queries.args().ub_check.contains(&ExtraChecks::PtrToRefCast) { + let place_ref_type = place_ref.typ().clone(); + match self.codegen_raw_ptr_deref_validity_check(&p, &loc) { + Some(ptr_validity_check_expr) => Expr::statement_expression( + vec![ptr_validity_check_expr, place_ref.as_stmt(loc)], + place_ref_type, + loc, + ), + None => place_ref, + } + } else { + place_ref + } + } + Rvalue::Len(p) => self.codegen_rvalue_len(p, loc), // Rust has begun distinguishing "ptr -> num" and "num -> ptr" (providence-relevant casts) but we do not yet: // Should we? Tracking ticket: https://github.com/model-checking/kani/issues/1274 Rvalue::Cast( @@ -681,7 +755,7 @@ impl<'tcx> GotocCtx<'tcx> { | CastKind::FnPtrToPtr | CastKind::PtrToPtr | CastKind::PointerExposeAddress - | CastKind::PointerFromExposedAddress, + | CastKind::PointerWithExposedProvenance, e, t, ) => self.codegen_misc_cast(e, *t), @@ -712,16 +786,21 @@ impl<'tcx> GotocCtx<'tcx> { .with_size_of_annotation(self.codegen_ty_stable(*t)), NullOp::AlignOf => Expr::int_constant(layout.align.abi.bytes(), Type::size_t()), NullOp::OffsetOf(fields) => Expr::int_constant( - layout + self.tcx .offset_of_subfield( - self, + ParamEnv::reveal_all(), + layout, fields.iter().map(|(var_idx, field_idx)| { - (rustc_internal::internal(var_idx), (*field_idx).into()) + ( + rustc_internal::internal(self.tcx, var_idx), + (*field_idx).into(), + ) }), ) .bytes(), Type::size_t(), ), + NullOp::UbChecks => Expr::c_false(), } } Rvalue::ShallowInitBox(ref operand, content_ty) => { @@ -743,11 +822,74 @@ impl<'tcx> GotocCtx<'tcx> { } } UnOp::Neg => self.codegen_operand_stable(e).neg(), + UnOp::PtrMetadata => { + let src_goto_expr = self.codegen_operand_stable(e); + let dst_goto_typ = self.codegen_ty_stable(res_ty); + debug!( + "PtrMetadata |{:?}| with result type |{:?}|", + src_goto_expr, dst_goto_typ + ); + if let Some(_vtable_typ) = + src_goto_expr.typ().lookup_field_type("vtable", &self.symbol_table) + { + let vtable_expr = src_goto_expr.member("vtable", &self.symbol_table); + let dst_components = + dst_goto_typ.lookup_components(&self.symbol_table).unwrap(); + assert_eq!(dst_components.len(), 2); + assert_eq!(dst_components[0].name(), "_vtable_ptr"); + assert!(dst_components[0].typ().is_struct_like()); + assert_eq!(dst_components[1].name(), "_phantom"); + self.assert_is_rust_phantom_data_like(&dst_components[1].typ()); + // accessing pointer type of _vtable_ptr, which is wrapped in NonNull + let vtable_ptr_typ = dst_goto_typ + .lookup_field_type("_vtable_ptr", &self.symbol_table) + .unwrap() + .lookup_components(&self.symbol_table) + .unwrap()[0] + .typ(); + Expr::struct_expr( + dst_goto_typ.clone(), + btree_string_map![ + ( + "_vtable_ptr", + Expr::struct_expr_from_values( + dst_goto_typ + .lookup_field_type("_vtable_ptr", &self.symbol_table) + .unwrap(), + vec![vtable_expr.clone().cast_to(vtable_ptr_typ)], + &self.symbol_table + ) + ), + ( + "_phantom", + Expr::struct_expr( + dst_components[1].typ(), + [].into(), + &self.symbol_table + ) + ) + ], + &self.symbol_table, + ) + } else if let Some(len_typ) = + src_goto_expr.typ().lookup_field_type("len", &self.symbol_table) + { + assert_eq!(len_typ, dst_goto_typ); + src_goto_expr.member("len", &self.symbol_table) + } else { + unreachable!( + "fat pointer with neither vtable nor len: {:?}", + src_goto_expr + ); + } + } }, Rvalue::Discriminant(p) => { - let place = - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(p)) - .goto_expr; + let place = unwrap_or_return_codegen_unimplemented!( + self, + self.codegen_place_stable(p, loc) + ) + .goto_expr; let pt = self.place_ty_stable(p); self.codegen_get_discriminant(place, pt, res_ty) } @@ -762,7 +904,7 @@ impl<'tcx> GotocCtx<'tcx> { // A CopyForDeref is equivalent to a read from a place at the codegen level. // https://github.com/rust-lang/rust/blob/1673f1450eeaf4a5452e086db0fe2ae274a0144f/compiler/rustc_middle/src/mir/syntax.rs#L1055 Rvalue::CopyForDeref(place) => { - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place)) + unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place, loc)) .goto_expr } } @@ -1013,7 +1155,7 @@ impl<'tcx> GotocCtx<'tcx> { let instance = Instance::resolve(def, &args).unwrap(); // We need to handle this case in a special way because `codegen_operand_stable` compiles FnDefs to dummy structs. // (cf. the function documentation) - self.codegen_func_expr(instance, None).address_of() + self.codegen_func_expr(instance, loc).address_of() } _ => unreachable!(), }, @@ -1024,7 +1166,7 @@ impl<'tcx> GotocCtx<'tcx> { { let instance = Instance::resolve_closure(def, &args, ClosureKind::FnOnce) .expect("failed to normalize and resolve closure during codegen"); - self.codegen_func_expr(instance, None).address_of() + self.codegen_func_expr(instance, loc).address_of() } else { unreachable!("{:?} cannot be cast to a fn ptr", operand) } @@ -1056,7 +1198,7 @@ impl<'tcx> GotocCtx<'tcx> { let src_goto_expr = self.codegen_operand_stable(operand); let src_mir_type = self.operand_ty_stable(operand); let dst_mir_type = t; - self.codegen_unsized_cast(src_goto_expr, src_mir_type, dst_mir_type) + self.codegen_unsized_cast(src_goto_expr, src_mir_type, dst_mir_type, loc) } } } @@ -1074,6 +1216,7 @@ impl<'tcx> GotocCtx<'tcx> { src_goto_expr: Expr, src_mir_type: Ty, dst_mir_type: Ty, + loc: Location, ) -> Expr { // The MIR may include casting that isn't necessary. Detect this early on and return the // expression for the RHS. @@ -1087,7 +1230,7 @@ impl<'tcx> GotocCtx<'tcx> { // Handle the leaf which should always be a pointer. let (ptr_cast_info, ptr_src_expr) = path.pop().unwrap(); - let initial_expr = self.codegen_cast_to_fat_pointer(ptr_src_expr, ptr_cast_info); + let initial_expr = self.codegen_cast_to_fat_pointer(ptr_src_expr, ptr_cast_info, loc); // Iterate from the back of the path initializing each struct that requires the coercion. // This code is required for handling smart pointers. @@ -1174,13 +1317,13 @@ impl<'tcx> GotocCtx<'tcx> { debug!(?vtable_field_name, ?vtable_type, "codegen_vtable_method_field"); // Lookup in the symbol table using the full symbol table name/key - let fn_name = self.symbol_name_stable(instance); + let fn_name = instance.mangled_name(); if let Some(fn_symbol) = self.symbol_table.lookup(&fn_name) { if self.vtable_ctx.emit_vtable_restrictions { // Add to the possible method names for this trait type self.vtable_ctx.add_possible_method( - self.normalized_trait_name(rustc_internal::internal(ty)).into(), + self.normalized_trait_name(rustc_internal::internal(self.tcx, ty)).into(), idx, fn_name.into(), ); @@ -1205,7 +1348,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate a function pointer to drop_in_place for entry into the vtable fn codegen_vtable_drop_in_place(&mut self, ty: Ty, trait_ty: Ty) -> Expr { - let trait_ty = rustc_internal::internal(trait_ty); + let trait_ty = rustc_internal::internal(self.tcx, trait_ty); let drop_instance = Instance::resolve_drop_in_place(ty); let drop_sym_name: InternedString = drop_instance.mangled_name().into(); @@ -1253,17 +1396,17 @@ impl<'tcx> GotocCtx<'tcx> { // Check the size are inserting in to the vtable against two sources of // truth: (1) the compile-time rustc sizeof functions, and (2) the CBMC // __CPROVER_OBJECT_SIZE function. - fn check_vtable_size(&mut self, operand_type: Ty, vt_size: Expr) -> Stmt { + fn check_vtable_size(&mut self, operand_type: Ty, vt_size: Expr, loc: Location) -> Stmt { // Check against the size we get from the layout from the what we // get constructing a value of that type - let ty: Type = self.codegen_ty_stable(operand_type); + let ty = self.codegen_ty_stable(operand_type); let codegen_size = ty.sizeof(&self.symbol_table); assert_eq!(vt_size.int_constant_value().unwrap(), BigInt::from(codegen_size)); // Insert a CBMC-time size check, roughly: // local_temp = nondet(); // assert(__CPROVER_OBJECT_SIZE(&local_temp) == vt_size); - let (temp_var, decl) = self.decl_temp_variable(ty.clone(), None, Location::none()); + let (temp_var, decl) = self.decl_temp_variable(ty.clone(), None, loc); let cbmc_size = if ty.is_empty() { // CBMC errors on passing a pointer to void to __CPROVER_OBJECT_SIZE. // In practice, we have seen this with the Never type, which has size 0: @@ -1279,11 +1422,11 @@ impl<'tcx> GotocCtx<'tcx> { let check = Expr::eq(cbmc_size, vt_size); let assert_msg = format!("Correct CBMC vtable size for {ty:?} (MIR type {:?})", operand_type.kind()); - let size_assert = self.codegen_sanity(check, &assert_msg, Location::none()); - Stmt::block(vec![decl, size_assert], Location::none()) + let size_assert = self.codegen_sanity(check, &assert_msg, loc); + Stmt::block(vec![decl, size_assert], loc) } - fn codegen_vtable(&mut self, src_mir_type: Ty, dst_mir_type: Ty) -> Expr { + fn codegen_vtable(&mut self, src_mir_type: Ty, dst_mir_type: Ty, loc: Location) -> Expr { let trait_type = match dst_mir_type.kind() { // DST is pointer type TyKind::RigidTy(RigidTy::Ref(_, pointee_type, ..)) => pointee_type, @@ -1296,27 +1439,28 @@ impl<'tcx> GotocCtx<'tcx> { _ => unreachable!("Cannot codegen_vtable for type {:?}", dst_mir_type.kind()), }; - let src_name = self.ty_mangled_name(rustc_internal::internal(src_mir_type)); + let src_name = self.ty_mangled_name(rustc_internal::internal(self.tcx, src_mir_type)); // The name needs to be the same as inserted in typ.rs let vtable_name = self.vtable_name_stable(trait_type).intern(); let vtable_impl_name = format!("{vtable_name}_impl_for_{src_name}"); - self.ensure_global_var( + self.ensure_global_var_init( vtable_impl_name, true, + true, Type::struct_tag(vtable_name), - Location::none(), + loc, |ctx, var| { // Build the vtable, using Rust's vtable_entries to determine field order let vtable_entries = if let Some(principal) = trait_type.kind().trait_principal() { let trait_ref_binder = principal.with_self_ty(src_mir_type); - ctx.tcx.vtable_entries(rustc_internal::internal(trait_ref_binder)) + ctx.tcx.vtable_entries(rustc_internal::internal(ctx.tcx, trait_ref_binder)) } else { TyCtxt::COMMON_VTABLE_ENTRIES }; let (vt_size, vt_align) = ctx.codegen_vtable_size_and_align(src_mir_type); - let size_assert = ctx.check_vtable_size(src_mir_type, vt_size.clone()); + let size_assert = ctx.check_vtable_size(src_mir_type, vt_size.clone(), loc); let vtable_fields: Vec = vtable_entries .iter() @@ -1344,11 +1488,10 @@ impl<'tcx> GotocCtx<'tcx> { vtable_fields, &ctx.symbol_table, ); - let body = var.assign(vtable, Location::none()); - let block = Stmt::block(vec![size_assert, body], Location::none()); - Some(block) + Expr::statement_expression(vec![size_assert, vtable.as_stmt(loc)], var.typ, loc) }, ) + .to_expr() } /// Cast a pointer to a fat pointer. @@ -1359,6 +1502,7 @@ impl<'tcx> GotocCtx<'tcx> { &mut self, src_goto_expr: Expr, coerce_info: CoerceUnsizedInfo, + loc: Location, ) -> Expr { assert_ne!(coerce_info.src_ty.kind(), coerce_info.dst_ty.kind()); @@ -1382,7 +1526,7 @@ impl<'tcx> GotocCtx<'tcx> { ) => { // Cast to a slice fat pointer. assert_eq!(src_elt_type, dst_elt_type); - let dst_goto_len = self.codegen_const(&src_elt_count, None); + let dst_goto_len = self.codegen_const_ty(&src_elt_count, loc); let src_pointee_ty = pointee_type_stable(coerce_info.src_ty).unwrap(); let dst_data_expr = if src_pointee_ty.kind().is_array() { src_goto_expr.cast_to(self.codegen_ty_stable(src_elt_type).to_pointer()) @@ -1410,7 +1554,7 @@ impl<'tcx> GotocCtx<'tcx> { (_, TyKind::RigidTy(RigidTy::Dynamic(..))) => { // Generate the data and vtable pointer that will be stored in the fat pointer. let dst_data_expr = src_goto_expr.cast_to(dst_data_type); - let vtable = self.codegen_vtable(metadata_src_type, metadata_dst_type); + let vtable = self.codegen_vtable(metadata_src_type, metadata_dst_type, loc); let vtable_expr = vtable.address_of(); dynamic_fat_ptr(fat_ptr_type, dst_data_expr, vtable_expr, &self.symbol_table) } @@ -1419,6 +1563,65 @@ impl<'tcx> GotocCtx<'tcx> { } } } + + fn comparison_expr( + &mut self, + op: &BinOp, + left: Expr, + right: Expr, + res_ty: Ty, + is_float: bool, + ) -> Expr { + match op { + BinOp::Eq => { + if is_float { + left.feq(right) + } else { + left.eq(right) + } + } + BinOp::Lt => left.lt(right), + BinOp::Le => left.le(right), + BinOp::Ne => { + if is_float { + left.fneq(right) + } else { + left.neq(right) + } + } + BinOp::Ge => left.ge(right), + BinOp::Gt => left.gt(right), + BinOp::Cmp => { + // Implement https://doc.rust-lang.org/core/cmp/trait.Ord.html as done in cranelift, + // i.e., (left > right) - (left < right) + // Return value is the Ordering enumeration: + // ``` + // #[repr(i8)] + // pub enum Ordering { + // Less = -1, + // Equal = 0, + // Greater = 1, + // } + // ``` + let res_typ = self.codegen_ty_stable(res_ty); + let ValueAbi::Scalar(Scalar::Initialized { value, valid_range }) = + res_ty.layout().unwrap().shape().abi + else { + unreachable!("Unexpected layout") + }; + assert_eq!(valid_range.start, -1i8 as u8 as u128); + assert_eq!(valid_range.end, 1); + let Primitive::Int { length, signed: true } = value else { unreachable!() }; + let scalar_typ = Type::signed_int(length.bits()); + left.clone() + .gt(right.clone()) + .cast_to(scalar_typ.clone()) + .sub(left.lt(right).cast_to(scalar_typ)) + .transmute_to(res_typ, &self.symbol_table) + } + _ => unreachable!(), + } + } } /// Perform a wrapping subtraction of an Expr with a constant "expr - constant" @@ -1441,30 +1644,6 @@ fn wrapping_sub(expr: &Expr, constant: u64) -> Expr { } } -fn comparison_expr(op: &BinOp, left: Expr, right: Expr, is_float: bool) -> Expr { - match op { - BinOp::Eq => { - if is_float { - left.feq(right) - } else { - left.eq(right) - } - } - BinOp::Lt => left.lt(right), - BinOp::Le => left.le(right), - BinOp::Ne => { - if is_float { - left.fneq(right) - } else { - left.neq(right) - } - } - BinOp::Ge => left.ge(right), - BinOp::Gt => left.gt(right), - _ => unreachable!(), - } -} - /// Remove the equality from an operator. Translates `<=` to `<` and `>=` to `>` fn get_strict_operator(op: &BinOp) -> BinOp { match op { diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs index c06d64d298c4..41a3da11324b 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs @@ -5,9 +5,31 @@ use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::Location; +use lazy_static::lazy_static; +use rustc_ast::Attribute; use rustc_smir::rustc_internal; use rustc_span::Span; use stable_mir::ty::Span as SpanStable; +use std::collections::HashMap; + +lazy_static! { + /// Pragmas key-value store to prevent CBMC from generating automatic checks. + /// This list is taken from https://github.com/diffblue/cbmc/blob/develop/regression/cbmc/pragma_cprover_enable_all/main.c. + static ref PRAGMAS: HashMap<&'static str, &'static str> = + [("bounds", "disable:bounds-check"), + ("pointer", "disable:pointer-check"), + ("div-by-zero", "disable:div-by-zero-check"), + ("float-div-by-zero", "disable:float-div-by-zero-check"), + ("enum-range", "disable:enum-range-check"), + ("signed-overflow", "disable:signed-overflow-check"), + ("unsigned-overflow", "disable:unsigned-overflow-check"), + ("pointer-overflow", "disable:pointer-overflow-check"), + ("float-overflow", "disable:float-overflow-check"), + ("conversion", "disable:conversion-check"), + ("undefined-shift", "disable:undefined-shift-check"), + ("nan", "disable:nan-check"), + ("pointer-primitive", "disable:pointer-primitive-check")].iter().copied().collect(); +} impl<'tcx> GotocCtx<'tcx> { pub fn codegen_span(&self, sp: &Span) -> Location { @@ -15,6 +37,36 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn codegen_span_stable(&self, sp: SpanStable) -> Location { + // Attribute to mark functions as where automatic pointer checks should not be generated. + let should_skip_ptr_checks_attr = vec![ + rustc_span::symbol::Symbol::intern("kanitool"), + rustc_span::symbol::Symbol::intern("disable_checks"), + ]; + let pragmas: &'static [&str] = { + let disabled_checks: Vec<_> = self + .current_fn + .as_ref() + .map(|current_fn| { + let instance = current_fn.instance(); + self.tcx + .get_attrs_by_path(instance.def.def_id(), &should_skip_ptr_checks_attr) + .collect() + }) + .unwrap_or_default(); + disabled_checks + .iter() + .map(|attr| { + let arg = parse_word(attr).expect( + "incorrect value passed to `disable_checks`, expected a single identifier", + ); + *PRAGMAS.get(arg.as_str()).expect(format!( + "attempting to disable an unexisting check, the possible options are {:?}", + PRAGMAS.keys() + ).as_str()) + }) + .collect::>() + .leak() // This is to preserve `Location` being Copy, but could blow up the memory utilization of compiler. + }; let loc = sp.get_lines(); Location::new( sp.get_filename().to_string(), @@ -23,15 +75,12 @@ impl<'tcx> GotocCtx<'tcx> { Some(loc.start_col), loc.end_line, Some(loc.end_col), + pragmas, ) } - pub fn codegen_span_option_stable(&self, sp: Option) -> Location { - sp.map_or(Location::none(), |span| self.codegen_span_stable(span)) - } - pub fn codegen_caller_span_stable(&self, sp: SpanStable) -> Location { - self.codegen_caller_span(&rustc_internal::internal(sp)) + self.codegen_caller_span(&rustc_internal::internal(self.tcx, sp)) } /// Get the location of the caller. This will attempt to reach the macro caller. @@ -43,3 +92,18 @@ impl<'tcx> GotocCtx<'tcx> { self.codegen_span(&topmost) } } + +/// Extracts the single argument from the attribute provided as a string. +/// For example, `disable_checks(foo)` return `Some("foo")` +fn parse_word(attr: &Attribute) -> Option { + // Vector of meta items , that contain the arguments given the attribute + let attr_args = attr.meta_item_list()?; + // Only extracts one string ident as a string + if attr_args.len() == 1 { + attr_args[0].ident().map(|ident| ident.to_string()) + } + // Return none if there are no attributes or if there's too many attributes + else { + None + } +} diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs index 3a62a3f91d1a..b8db1a3d52b6 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs @@ -7,14 +7,16 @@ use crate::codegen_cprover_gotoc::{GotocCtx, VtableCtx}; use crate::unwrap_or_return_codegen_unimplemented_stmt; use cbmc::goto_program::{Expr, Location, Stmt, Type}; use rustc_middle::ty::layout::LayoutOf; +use rustc_middle::ty::{List, ParamEnv}; use rustc_smir::rustc_internal; use rustc_target::abi::{FieldsShape, Primitive, TagEncoding, Variants}; +use stable_mir::abi::{ArgAbi, FnAbi, PassMode}; use stable_mir::mir::mono::{Instance, InstanceKind}; use stable_mir::mir::{ AssertMessage, BasicBlockIdx, CopyNonOverlapping, NonDivergingIntrinsic, Operand, Place, Statement, StatementKind, SwitchTargets, Terminator, TerminatorKind, RETURN_LOCAL, }; -use stable_mir::ty::{RigidTy, Span, Ty, TyKind, VariantIdx}; +use stable_mir::ty::{Abi, RigidTy, Span, Ty, TyKind, VariantIdx}; use tracing::{debug, debug_span, trace}; impl<'tcx> GotocCtx<'tcx> { @@ -40,14 +42,14 @@ impl<'tcx> GotocCtx<'tcx> { // where the reference is implicit. unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(lhs) + self.codegen_place_stable(lhs, location) ) .goto_expr .assign(self.codegen_rvalue_stable(rhs, location).address_of(), location) } else if rty.kind().is_bool() { unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(lhs) + self.codegen_place_stable(lhs, location) ) .goto_expr .assign( @@ -57,7 +59,7 @@ impl<'tcx> GotocCtx<'tcx> { } else { unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(lhs) + self.codegen_place_stable(lhs, location) ) .goto_expr .assign(self.codegen_rvalue_stable(rhs, location), location) @@ -68,13 +70,75 @@ impl<'tcx> GotocCtx<'tcx> { let dest_ty = self.place_ty_stable(place); let dest_expr = unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(place) + self.codegen_place_stable(place, location) ) .goto_expr; self.codegen_set_discriminant(dest_ty, dest_expr, *variant_index, location) } - StatementKind::StorageLive(_) => Stmt::skip(location), // TODO: fix me - StatementKind::StorageDead(_) => Stmt::skip(location), // TODO: fix me + // StorageLive and StorageDead are modelled via CBMC's internal means of detecting + // accesses to dangling pointers, which uses demonic non-determinism. That is, CBMC + // non-deterministically chooses a single object's address to be tracked in a + // pointer-typed global instrumentation variable __CPROVER_dead_object. Any dereference + // entails a check that the pointer being dereferenced is not equal to the pointer held + // in __CPROVER_dead_object. We use this to bridge the difference between Rust and MIR + // semantics as follows: + // + // 1. (At the time of writing) MIR declares all function-local variables at function + // scope, irrespective of the scope/block that Rust code originally used. + // 2. In MIR, StorageLive and StorageDead markers are inserted at the beginning and end + // of the Rust block to record the Rust-level lifetime of the object. + // 3. We translate MIR declarations into GOTO declarations, implying that we will have + // a single object per function for a local variable, even when Rust had a variable + // declared in a sub-scope of the function where said scope was entered multiple + // times (e.g., a loop body). + // 4. To enable detection of use of dangling pointers, we now use + // __CPROVER_dead_object, unless the address of the local object is never taken + // (implying that there cannot be a use of a dangling pointer with respect to said + // object). We update __CPROVER_dead_object as follows: + // * StorageLive is set to NULL when __CPROVER_dead_object pointed to the object + // (re-)entering scope, or else is left unchanged. + // * StorageDead non-deterministically updates (or leaves unchanged) + // __CPROVER_dead_object to point to the object going out of scope. (This is the + // same update approach as used within CBMC.) + // + // This approach will also work when there are multiple occurrences of StorageLive (or + // StorageDead) on a path, or across control-flow branches, and even when StorageDead + // occurs without a preceding StorageLive. + StatementKind::StorageLive(var_id) => { + if !self.current_fn().is_address_taken_local(*var_id) { + Stmt::skip(location) + } else { + let global_dead_object = cbmc::global_dead_object(&self.symbol_table); + Stmt::assign( + global_dead_object.clone(), + global_dead_object + .clone() + .eq(self + .codegen_local(*var_id, location) + .address_of() + .cast_to(global_dead_object.typ().clone())) + .ternary(global_dead_object.typ().null(), global_dead_object), + location, + ) + } + } + StatementKind::StorageDead(var_id) => { + if !self.current_fn().is_address_taken_local(*var_id) { + Stmt::skip(location) + } else { + let global_dead_object = cbmc::global_dead_object(&self.symbol_table); + Stmt::assign( + global_dead_object.clone(), + Type::bool().nondet().ternary( + self.codegen_local(*var_id, location) + .address_of() + .cast_to(global_dead_object.typ().clone()), + global_dead_object, + ), + location, + ) + } + } StatementKind::Intrinsic(NonDivergingIntrinsic::CopyNonOverlapping( CopyNonOverlapping { src, dst, count }, )) => { @@ -137,12 +201,12 @@ impl<'tcx> GotocCtx<'tcx> { TerminatorKind::Return => { let rty = self.current_fn().instance_stable().fn_abi().unwrap().ret.ty; if rty.kind().is_unit() { - self.codegen_ret_unit() + self.codegen_ret_unit(loc) } else { let place = Place::from(RETURN_LOCAL); let place_expr = unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(&place) + self.codegen_place_stable(&place, loc) ) .goto_expr; assert_eq!(rty, self.place_ty_stable(&place), "Unexpected return type"); @@ -220,8 +284,8 @@ impl<'tcx> GotocCtx<'tcx> { location: Location, ) -> Stmt { // this requires place points to an enum type. - let dest_ty_internal = rustc_internal::internal(dest_ty); - let variant_index_internal = rustc_internal::internal(variant_index); + let dest_ty_internal = rustc_internal::internal(self.tcx, dest_ty); + let variant_index_internal = rustc_internal::internal(self.tcx, variant_index); let layout = self.layout_of(dest_ty_internal); match &layout.variants { Variants::Single { .. } => Stmt::skip(location), @@ -290,24 +354,21 @@ impl<'tcx> GotocCtx<'tcx> { // We ignore assignment for all zero size types Stmt::skip(loc) } else { - unwrap_or_return_codegen_unimplemented_stmt!(self, self.codegen_place_stable(place)) - .goto_expr - .deinit(loc) + unwrap_or_return_codegen_unimplemented_stmt!( + self, + self.codegen_place_stable(place, loc) + ) + .goto_expr + .deinit(loc) } } /// A special case handler to codegen `return ();` - fn codegen_ret_unit(&mut self) -> Stmt { + fn codegen_ret_unit(&mut self, loc: Location) -> Stmt { let is_file_local = false; let ty = self.codegen_ty_unit(); - let var = self.ensure_global_var( - FN_RETURN_VOID_VAR_NAME, - is_file_local, - ty, - Location::none(), - |_, _| None, - ); - Stmt::ret(Some(var), Location::none()) + let var = self.ensure_global_var(FN_RETURN_VOID_VAR_NAME, is_file_local, ty, loc); + Stmt::ret(Some(var.to_expr()), loc) } /// Generates Goto-C for MIR [TerminatorKind::Drop] calls. We only handle code _after_ Rust's "drop elaboration" @@ -328,7 +389,8 @@ impl<'tcx> GotocCtx<'tcx> { Stmt::skip(loc) } InstanceKind::Shim => { - let place_ref = self.codegen_place_ref_stable(place); + // Since the reference is used right away here, no need to inject a check for pointer validity. + let place_ref = self.codegen_place_ref_stable(place, loc); match place_ty.kind() { TyKind::RigidTy(RigidTy::Dynamic(..)) => { // Virtual drop via a vtable lookup. @@ -354,7 +416,7 @@ impl<'tcx> GotocCtx<'tcx> { // Non-virtual, direct drop_in_place call assert!(!matches!(drop_instance.kind, InstanceKind::Virtual { .. })); - let func = self.codegen_func_expr(drop_instance, None); + let func = self.codegen_func_expr(drop_instance, loc); // The only argument should be a self reference let args = vec![place_ref]; @@ -412,6 +474,7 @@ impl<'tcx> GotocCtx<'tcx> { .branches() .map(|(c, bb)| { Expr::int_constant(c, switch_ty.clone()) + .with_location(loc) .switch_case(Stmt::goto(bb_label(bb), loc)) }) .collect(); @@ -432,31 +495,21 @@ impl<'tcx> GotocCtx<'tcx> { /// as subsequent parameters. /// /// See [GotocCtx::ty_needs_untupled_args] for more details. - fn codegen_untupled_args( - &mut self, - instance: Instance, - fargs: &mut Vec, - last_mir_arg: Option<&Operand>, - ) { - debug!("codegen_untuple_closure_args instance: {:?}, fargs {:?}", instance.name(), fargs); - if !fargs.is_empty() { - let tuple_ty = self.operand_ty_stable(last_mir_arg.unwrap()); - if self.is_zst_stable(tuple_ty) { - // Don't pass anything if all tuple elements are ZST. - // ZST arguments are ignored. - return; - } - let tupe = fargs.remove(fargs.len() - 1); - if let TyKind::RigidTy(RigidTy::Tuple(tupled_args)) = tuple_ty.kind() { - for (idx, arg_ty) in tupled_args.iter().enumerate() { - if !self.is_zst_stable(*arg_ty) { - // Access the tupled parameters through the `member` operation - let idx_expr = tupe.clone().member(&idx.to_string(), &self.symbol_table); - fargs.push(idx_expr); - } - } - } - } + fn codegen_untupled_args(&mut self, op: &Operand, args_abi: &[ArgAbi]) -> Vec { + let tuple_ty = self.operand_ty_stable(op); + let tuple_expr = self.codegen_operand_stable(op); + let TyKind::RigidTy(RigidTy::Tuple(tupled_args)) = tuple_ty.kind() else { unreachable!() }; + tupled_args + .iter() + .enumerate() + .filter_map(|(idx, _)| { + let arg_abi = &args_abi[idx]; + (arg_abi.mode != PassMode::Ignore).then(|| { + // Access the tupled parameters through the `member` operation + tuple_expr.clone().member(idx.to_string(), &self.symbol_table) + }) + }) + .collect() } /// Because function calls terminate basic blocks, to "end" a function call, we @@ -472,25 +525,24 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate Goto-C for each argument to a function call. /// /// N.B. public only because instrinsics use this directly, too. - /// When `skip_zst` is set to `true`, the return value will not include any argument that is ZST. - /// This is used because we ignore ZST arguments, except for intrinsics. - pub(crate) fn codegen_funcall_args(&mut self, args: &[Operand], skip_zst: bool) -> Vec { - let fargs = args + pub(crate) fn codegen_funcall_args(&mut self, fn_abi: &FnAbi, args: &[Operand]) -> Vec { + let fargs: Vec = args .iter() - .filter_map(|op| { - let op_ty = self.operand_ty_stable(op); - if op_ty.kind().is_bool() { + .enumerate() + .filter_map(|(i, op)| { + // Functions that require caller info will have an extra parameter. + let arg_abi = &fn_abi.args.get(i); + let ty = self.operand_ty_stable(op); + if ty.kind().is_bool() { Some(self.codegen_operand_stable(op).cast_to(Type::c_bool())) - } else if !self.is_zst_stable(op_ty) || !skip_zst { + } else if arg_abi.map_or(true, |abi| abi.mode != PassMode::Ignore) { Some(self.codegen_operand_stable(op)) } else { - // We ignore ZST types. - debug!(arg=?op, "codegen_funcall_args ignore"); None } }) .collect(); - debug!(?fargs, "codegen_funcall_args"); + debug!(?fargs, args_abi=?fn_abi.args, "codegen_funcall_args"); fargs } @@ -515,27 +567,45 @@ impl<'tcx> GotocCtx<'tcx> { span: Span, ) -> Stmt { debug!(?func, ?args, ?destination, ?span, "codegen_funcall"); - if self.is_intrinsic(&func) { - return self.codegen_funcall_of_intrinsic( - &func, - &args, - &destination, - target.map(|bb| bb), - span, - ); + let instance_opt = self.get_instance(func); + if let Some(instance) = instance_opt + && matches!(instance.kind, InstanceKind::Intrinsic) + { + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = instance.ty().kind() else { + unreachable!("Expected function type for intrinsic: {instance:?}") + }; + // The compiler is currently transitioning how to handle intrinsic fallback body. + // Until https://github.com/rust-lang/project-stable-mir/issues/79 is implemented + // we have to check `must_be_overridden` and `has_body`. + if def.as_intrinsic().unwrap().must_be_overridden() || !instance.has_body() { + return self.codegen_funcall_of_intrinsic( + instance, + &args, + &destination, + target.map(|bb| bb), + span, + ); + } } let loc = self.codegen_span_stable(span); - let funct = self.operand_ty_stable(func); - let mut fargs = self.codegen_funcall_args(&args, true); - match funct.kind() { - TyKind::RigidTy(RigidTy::FnDef(def, subst)) => { - let instance = Instance::resolve(def, &subst).unwrap(); - - // TODO(celina): Move this check to be inside codegen_funcall_args. - if self.ty_needs_untupled_args(rustc_internal::internal(funct)) { - self.codegen_untupled_args(instance, &mut fargs, args.last()); - } + let fn_ty = self.operand_ty_stable(func); + match fn_ty.kind() { + fn_def @ TyKind::RigidTy(RigidTy::FnDef(..)) => { + let instance = instance_opt.unwrap(); + let fn_abi = instance.fn_abi().unwrap(); + let mut fargs = if args.is_empty() + || fn_def.fn_sig().unwrap().value.abi != Abi::RustCall + { + self.codegen_funcall_args(&fn_abi, &args) + } else { + let (untupled, first_args) = args.split_last().unwrap(); + let mut fargs = self.codegen_funcall_args(&fn_abi, &first_args); + fargs.append( + &mut self.codegen_untupled_args(untupled, &fn_abi.args[first_args.len()..]), + ); + fargs + }; if let Some(hk) = self.hooks.hook_applies(self.tcx, instance) { return hk.handle(self, instance, fargs, destination, *target, span); @@ -555,17 +625,15 @@ impl<'tcx> GotocCtx<'tcx> { InstanceKind::Item | InstanceKind::Intrinsic | InstanceKind::Shim => { // We need to handle FnDef items in a special way because `codegen_operand` compiles them to dummy structs. // (cf. the function documentation) - let func_exp = self.codegen_func_expr(instance, None); + let func_exp = self.codegen_func_expr(instance, loc); if instance.is_foreign_item() { vec![self.codegen_foreign_call(func_exp, fargs, destination, loc)] } else { - vec![ - self.codegen_expr_to_place_stable( - destination, - func_exp.call(fargs), - ) - .with_location(loc), - ] + vec![self.codegen_expr_to_place_stable( + destination, + func_exp.call(fargs), + loc, + )] } } }; @@ -573,13 +641,21 @@ impl<'tcx> GotocCtx<'tcx> { Stmt::block(stmts, loc) } // Function call through a pointer - TyKind::RigidTy(RigidTy::FnPtr(_)) => { + TyKind::RigidTy(RigidTy::FnPtr(fn_sig)) => { + let fn_sig_internal = rustc_internal::internal(self.tcx, fn_sig); + let fn_ptr_abi = rustc_internal::stable( + self.tcx + .fn_abi_of_fn_ptr( + ParamEnv::reveal_all().and((fn_sig_internal, &List::empty())), + ) + .unwrap(), + ); + let fargs = self.codegen_funcall_args(&fn_ptr_abi, &args); let func_expr = self.codegen_operand_stable(func).dereference(); // Actually generate the function call and return. Stmt::block( vec![ - self.codegen_expr_to_place_stable(destination, func_expr.call(fargs)) - .with_location(loc), + self.codegen_expr_to_place_stable(destination, func_expr.call(fargs), loc), Stmt::goto(bb_label(target.unwrap()), loc), ], loc, @@ -595,7 +671,7 @@ impl<'tcx> GotocCtx<'tcx> { fn extract_ptr(&self, arg_expr: Expr, arg_ty: Ty) -> Expr { // Generate an expression that indexes the pointer. let expr = self - .receiver_data_path(rustc_internal::internal(arg_ty)) + .receiver_data_path(rustc_internal::internal(self.tcx, arg_ty)) .fold(arg_expr, |curr_expr, (name, _)| curr_expr.member(name, &self.symbol_table)); trace!(?arg_ty, gotoc_ty=?expr.typ(), gotoc_expr=?expr.value(), "extract_ptr"); @@ -676,7 +752,7 @@ impl<'tcx> GotocCtx<'tcx> { // Virtual function call and corresponding nonnull assertion. let call = fn_ptr.dereference().call(fargs.to_vec()); - let call_stmt = self.codegen_expr_to_place_stable(place, call).with_location(loc); + let call_stmt = self.codegen_expr_to_place_stable(place, call, loc); let call_stmt = if self.vtable_ctx.emit_vtable_restrictions { self.virtual_call_with_restricted_fn_ptr(trait_fat_ptr.typ().clone(), idx, call_stmt) } else { @@ -691,13 +767,21 @@ impl<'tcx> GotocCtx<'tcx> { /// A MIR [Place] is an L-value (i.e. the LHS of an assignment). /// /// In Kani, we slightly optimize the special case for Unit and don't assign anything. - pub(crate) fn codegen_expr_to_place_stable(&mut self, place: &Place, expr: Expr) -> Stmt { + pub(crate) fn codegen_expr_to_place_stable( + &mut self, + place: &Place, + expr: Expr, + loc: Location, + ) -> Stmt { if self.place_ty_stable(place).kind().is_unit() { - expr.as_stmt(Location::none()) + expr.as_stmt(loc) } else { - unwrap_or_return_codegen_unimplemented_stmt!(self, self.codegen_place_stable(place)) - .goto_expr - .assign(expr, Location::none()) + unwrap_or_return_codegen_unimplemented_stmt!( + self, + self.codegen_place_stable(place, loc) + ) + .goto_expr + .assign(expr, loc) } } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs index cf4c6173637b..537fbcb63fbb 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs @@ -4,7 +4,7 @@ //! This file contains functions related to codegenning MIR static variables into gotoc use crate::codegen_cprover_gotoc::GotocCtx; -use cbmc::goto_program::Symbol; +use crate::kani_middle::is_interior_mut; use stable_mir::mir::mono::{Instance, StaticDef}; use stable_mir::CrateDef; use tracing::debug; @@ -19,7 +19,12 @@ impl<'tcx> GotocCtx<'tcx> { debug!("codegen_static"); let alloc = def.eval_initializer().unwrap(); let symbol_name = Instance::from(def).mangled_name(); - self.codegen_alloc_in_memory(alloc, symbol_name); + self.codegen_alloc_in_memory( + alloc, + symbol_name, + self.codegen_span_stable(def.span()), + is_interior_mut(self.tcx, def.ty()), + ); } /// Mutates the Goto-C symbol table to add a forward-declaration of the static variable. @@ -33,9 +38,12 @@ impl<'tcx> GotocCtx<'tcx> { let typ = self.codegen_ty_stable(instance.ty()); let location = self.codegen_span_stable(def.span()); - let symbol = Symbol::static_variable(symbol_name.clone(), symbol_name, typ, location) - .with_is_hidden(false) // Static items are always user defined. - .with_pretty_name(pretty_name); - self.symbol_table.insert(symbol); + // Contracts instrumentation relies on `--nondet-static-exclude` to properly + // havoc static variables. Kani uses the location and pretty name to identify + // the correct variables. If the wrong name is used, CBMC may fail silently. + // More details at https://github.com/diffblue/cbmc/issues/8225. + self.ensure_global_var(symbol_name, false, typ, location) + .set_is_hidden(false) // Static items are always user defined. + .set_pretty_name(pretty_name); } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs index c4f03e6c2cef..7e644cdecb77 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs @@ -20,11 +20,11 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn codegen_ty_stable(&mut self, ty: Ty) -> Type { - self.codegen_ty(rustc_internal::internal(ty)) + self.codegen_ty(rustc_internal::internal(self.tcx, ty)) } pub fn codegen_ty_ref_stable(&mut self, ty: Ty) -> Type { - self.codegen_ty_ref(rustc_internal::internal(ty)) + self.codegen_ty_ref(rustc_internal::internal(self.tcx, ty)) } pub fn local_ty_stable(&self, local: Local) -> Ty { @@ -36,15 +36,15 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn is_zst_stable(&self, ty: Ty) -> bool { - self.is_zst(rustc_internal::internal(ty)) + self.is_zst(rustc_internal::internal(self.tcx, ty)) } pub fn layout_of_stable(&self, ty: Ty) -> TyAndLayout<'tcx> { - self.layout_of(rustc_internal::internal(ty)) + self.layout_of(rustc_internal::internal(self.tcx, ty)) } pub fn codegen_fndef_type_stable(&mut self, instance: Instance) -> Type { - let func = self.symbol_name_stable(instance); + let func = instance.mangled_name(); self.ensure_struct( format!("{func}::FnDefStruct"), format!("{}::FnDefStruct", instance.name()), @@ -53,27 +53,27 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn use_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.use_fat_pointer(rustc_internal::internal(pointer_ty)) + self.use_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn use_thin_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.use_thin_pointer(rustc_internal::internal(pointer_ty)) + self.use_thin_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn is_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.is_fat_pointer(rustc_internal::internal(pointer_ty)) + self.is_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn is_vtable_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.is_vtable_fat_pointer(rustc_internal::internal(pointer_ty)) + self.is_vtable_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn use_vtable_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.use_vtable_fat_pointer(rustc_internal::internal(pointer_ty)) + self.use_vtable_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn vtable_name_stable(&self, ty: Ty) -> String { - self.vtable_name(rustc_internal::internal(ty)) + self.vtable_name(rustc_internal::internal(self.tcx, ty)) } pub fn rvalue_ty_stable(&self, rvalue: &Rvalue) -> Ty { @@ -81,12 +81,12 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn simd_size_and_type(&self, ty: Ty) -> (u64, Ty) { - let (sz, ty) = rustc_internal::internal(ty).simd_size_and_type(self.tcx); + let (sz, ty) = rustc_internal::internal(self.tcx, ty).simd_size_and_type(self.tcx); (sz, rustc_internal::stable(ty)) } pub fn codegen_enum_discr_typ_stable(&self, ty: Ty) -> Ty { - rustc_internal::stable(self.codegen_enum_discr_typ(rustc_internal::internal(ty))) + rustc_internal::stable(self.codegen_enum_discr_typ(rustc_internal::internal(self.tcx, ty))) } pub fn codegen_function_sig_stable(&mut self, sig: FnSig) -> Type { @@ -107,6 +107,19 @@ impl<'tcx> GotocCtx<'tcx> { Type::code_with_unnamed_parameters(params, self.codegen_ty_stable(sig.output())) } } + + /// Convert a type into a user readable type representation. + /// + /// This should be replaced by StableMIR `pretty_ty()` after + /// is merged. + pub fn pretty_ty(&self, ty: Ty) -> String { + rustc_internal::internal(self.tcx, ty).to_string() + } + + pub fn requires_caller_location(&self, instance: Instance) -> bool { + let instance_internal = rustc_internal::internal(self.tcx, instance); + instance_internal.def.requires_caller_location(self.tcx) + } } /// If given type is a Ref / Raw ref, return the pointee type. pub fn pointee_type(mir_type: Ty) -> Option { @@ -117,14 +130,6 @@ pub fn pointee_type(mir_type: Ty) -> Option { } } -/// Convert a type into a user readable type representation. -/// -/// This should be replaced by StableMIR `pretty_ty()` after -/// is merged. -pub fn pretty_ty(ty: Ty) -> String { - rustc_internal::internal(ty).to_string() -} - pub fn pointee_type_stable(ty: Ty) -> Option { match ty.kind() { TyKind::RigidTy(RigidTy::Ref(_, pointee_ty, _)) diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs index 83ec6c3374ae..1703335dda51 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs @@ -1,7 +1,6 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::codegen_cprover_gotoc::GotocCtx; -use cbmc::btree_map; use cbmc::goto_program::{DatatypeComponent, Expr, Location, Parameter, Symbol, SymbolTable, Type}; use cbmc::utils::aggr_tag; use cbmc::{InternString, InternedString}; @@ -12,17 +11,16 @@ use rustc_middle::ty::print::with_no_trimmed_paths; use rustc_middle::ty::print::FmtPrinter; use rustc_middle::ty::GenericArgsRef; use rustc_middle::ty::{ - self, AdtDef, Const, CoroutineArgs, FloatTy, Instance, IntTy, PolyFnSig, Ty, TyCtxt, TyKind, - UintTy, VariantDef, VtblEntry, + self, AdtDef, Const, CoroutineArgs, CoroutineArgsExt, FloatTy, Instance, IntTy, PolyFnSig, Ty, + TyCtxt, TyKind, UintTy, VariantDef, VtblEntry, }; use rustc_middle::ty::{List, TypeFoldable}; use rustc_smir::rustc_internal; use rustc_span::def_id::DefId; use rustc_target::abi::{ - Abi::Vector, FieldIdx, FieldsShape, Integer, LayoutS, Primitive, Size, TagEncoding, + Abi::Vector, FieldIdx, FieldsShape, Float, Integer, LayoutS, Primitive, Size, TagEncoding, TyAndLayout, VariantIdx, Variants, }; -use rustc_target::spec::abi::Abi; use stable_mir::abi::{ArgAbi, FnAbi, PassMode}; use stable_mir::mir::mono::Instance as InstanceStable; use stable_mir::mir::Body; @@ -51,8 +49,6 @@ pub trait TypeExt { fn is_rust_fat_ptr(&self, st: &SymbolTable) -> bool; fn is_rust_slice_fat_ptr(&self, st: &SymbolTable) -> bool; fn is_rust_trait_fat_ptr(&self, st: &SymbolTable) -> bool; - fn is_unit(&self) -> bool; - fn is_unit_pointer(&self) -> bool; fn unit() -> Self; } @@ -77,7 +73,7 @@ impl TypeExt for Type { && components.iter().any(|x| x.name() == "vtable" && x.typ().is_pointer()) } Type::StructTag(tag) => { - st.lookup(&tag.to_string()).unwrap().typ.is_rust_trait_fat_ptr(st) + st.lookup(tag.to_string()).unwrap().typ.is_rust_trait_fat_ptr(st) } _ => false, } @@ -92,42 +88,6 @@ impl TypeExt for Type { // We don't have access to the symbol table here to do it ourselves. Type::struct_tag(UNIT_TYPE_EMPTY_STRUCT_NAME) } - - fn is_unit(&self) -> bool { - match self { - Type::StructTag(name) => *name == aggr_tag(UNIT_TYPE_EMPTY_STRUCT_NAME), - _ => false, - } - } - - fn is_unit_pointer(&self) -> bool { - match self { - Type::Pointer { typ } => typ.is_unit(), - _ => false, - } - } -} - -trait ExprExt { - fn unit(symbol_table: &SymbolTable) -> Self; - - fn is_unit(&self) -> bool; - - fn is_unit_pointer(&self) -> bool; -} - -impl ExprExt for Expr { - fn unit(symbol_table: &SymbolTable) -> Self { - Expr::struct_expr(Type::unit(), btree_map![], symbol_table) - } - - fn is_unit(&self) -> bool { - self.typ().is_unit() - } - - fn is_unit_pointer(&self) -> bool { - self.typ().is_unit_pointer() - } } /// Function signatures @@ -170,6 +130,8 @@ impl<'tcx> GotocCtx<'tcx> { Type::Empty => todo!(), Type::FlexibleArray { .. } => todo!(), Type::Float => write!(out, "f32")?, + Type::Float16 => write!(out, "f16")?, + Type::Float128 => write!(out, "f128")?, Type::IncompleteStruct { .. } => todo!(), Type::IncompleteUnion { .. } => todo!(), Type::InfiniteArray { .. } => todo!(), @@ -582,6 +544,8 @@ impl<'tcx> GotocCtx<'tcx> { ty::Float(k) => match k { FloatTy::F32 => Type::float(), FloatTy::F64 => Type::double(), + FloatTy::F16 => Type::float16(), + FloatTy::F128 => Type::float128(), }, ty::Adt(def, _) if def.repr().simd() => self.codegen_vector(ty), ty::Adt(def, subst) => { @@ -607,10 +571,10 @@ impl<'tcx> GotocCtx<'tcx> { // Note: This is not valid C but CBMC seems to be ok with it. ty::Slice(e) => self.codegen_ty(*e).flexible_array_of(), ty::Str => Type::unsigned_int(8).flexible_array_of(), - ty::Ref(_, t, _) | ty::RawPtr(ty::TypeAndMut { ty: t, .. }) => self.codegen_ty_ref(*t), + ty::Ref(_, t, _) | ty::RawPtr(t, _) => self.codegen_ty_ref(*t), ty::FnDef(def_id, args) => { let instance = - Instance::resolve(self.tcx, ty::ParamEnv::reveal_all(), *def_id, args) + Instance::try_resolve(self.tcx, ty::ParamEnv::reveal_all(), *def_id, args) .unwrap() .unwrap(); self.codegen_fndef_type(instance) @@ -632,6 +596,13 @@ impl<'tcx> GotocCtx<'tcx> { ) } } + // This object has the same layout as base. For now, translate this into `(base)`. + // The only difference is the niche. + ty::Pat(base_ty, ..) => { + self.ensure_struct(self.ty_mangled_name(ty), self.ty_pretty_name(ty), |tcx, _| { + tcx.codegen_ty_tuple_like(ty, vec![*base_ty]) + }) + } ty::Alias(..) => { unreachable!("Type should've been normalized already") } @@ -640,7 +611,11 @@ impl<'tcx> GotocCtx<'tcx> { ty::Bound(_, _) | ty::Param(_) => unreachable!("monomorphization bug"), // type checking remnants which shouldn't be reachable - ty::CoroutineWitness(_, _) | ty::Infer(_) | ty::Placeholder(_) | ty::Error(_) => { + ty::CoroutineWitness(_, _) + | ty::CoroutineClosure(_, _) + | ty::Infer(_) + | ty::Placeholder(_) + | ty::Error(_) => { unreachable!("remnants of type checking") } } @@ -766,39 +741,6 @@ impl<'tcx> GotocCtx<'tcx> { self.codegen_struct_fields(flds, &layout.layout.0, Size::ZERO) } - /// A closure / some shims in Rust MIR takes two arguments: - /// - /// 0. a struct representing the environment - /// 1. a tuple containing the parameters - /// - /// However, during codegen/lowering from MIR, the 2nd tuple of parameters - /// is flattened into subsequent parameters. - /// - /// Checking whether the type's kind is a closure is insufficient, because - /// a virtual method call through a vtable can have the trait's non-closure - /// type. For example: - /// - /// ``` - /// let p: &dyn Fn(i32) = &|x| assert!(x == 1); - /// p(1); - /// ``` - /// - /// Here, the call `p(1)` desugars to an MIR trait call `Fn::call(&p, (1,))`, - /// where the second argument is a tuple. The instance type kind for - /// `Fn::call` is not a closure, because dynamically, the pointer may be to - /// a function definition instead. We still need to untuple in this case, - /// so we follow the example elsewhere in Rust to use the ABI call type. - /// - /// See `make_call_args` in `rustc_mir_transform/src/inline.rs` - pub fn ty_needs_untupled_args(&self, ty: Ty<'tcx>) -> bool { - // Note that [Abi::RustCall] is not [Abi::Rust]. - // Documentation is sparse, but it does seem to correspond to the need for untupling. - match ty.kind() { - ty::FnDef(..) | ty::FnPtr(..) => ty.fn_sig(self.tcx).abi() == Abi::RustCall, - _ => unreachable!("Can't treat type as a function: {:?}", ty), - } - } - /// A closure is a struct of all its environments. That is, a closure is /// just a tuple with a unique type identifier, so that Fn related traits /// can find its impl. @@ -1059,8 +1001,9 @@ impl<'tcx> GotocCtx<'tcx> { | ty::Foreign(_) | ty::Coroutine(..) | ty::Int(_) - | ty::RawPtr(_) + | ty::RawPtr(_, _) | ty::Ref(..) + | ty::Pat(..) | ty::Tuple(_) | ty::Uint(_) => self.codegen_ty(pointee_type).to_pointer(), @@ -1078,6 +1021,7 @@ impl<'tcx> GotocCtx<'tcx> { ty::Bound(_, _) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Error(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::CoroutineWitness(_, _) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), + ty::CoroutineClosure(_, _) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Infer(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Param(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Placeholder(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), @@ -1101,7 +1045,7 @@ impl<'tcx> GotocCtx<'tcx> { .map(|(_, arg_abi)| { let arg_ty_stable = arg_abi.ty; let kind = arg_ty_stable.kind(); - let arg_ty = rustc_internal::internal(arg_ty_stable); + let arg_ty = rustc_internal::internal(self.tcx, arg_ty_stable); if is_first { is_first = false; debug!(self_type=?arg_ty, ?fn_abi, "codegen_dynamic_function_sig"); @@ -1197,7 +1141,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Mapping enums to CBMC types is rather complicated. There are a few cases to consider: /// 1. When there is only 0 or 1 variant, this is straightforward as the code shows /// 2. When there are more variants, rust might decides to apply the typical encoding which - /// regard enums as tagged union, or an optimized form, called niche encoding. + /// regard enums as tagged union, or an optimized form, called niche encoding. /// /// The direct encoding is straightforward. Enums are just mapped to C as a struct of union of structs. /// e.g. @@ -1411,13 +1355,18 @@ impl<'tcx> GotocCtx<'tcx> { } } }, + Primitive::Float(f) => self.codegen_float_type(f), + Primitive::Pointer(_) => Ty::new_ptr(self.tcx, self.tcx.types.u8, Mutability::Not), + } + } - Primitive::F32 => self.tcx.types.f32, - Primitive::F64 => self.tcx.types.f64, - Primitive::Pointer(_) => Ty::new_ptr( - self.tcx, - ty::TypeAndMut { ty: self.tcx.types.u8, mutbl: Mutability::Not }, - ), + pub fn codegen_float_type(&self, f: Float) -> Ty<'tcx> { + match f { + Float::F32 => self.tcx.types.f32, + Float::F64 => self.tcx.types.f64, + // `F16` and `F128` are not yet handled. + // Tracked here: + Float::F16 | Float::F128 => unimplemented!(), } } @@ -1681,13 +1630,12 @@ impl<'tcx> GotocCtx<'tcx> { /// 1. In some cases, an argument can be ignored (e.g.: ZST arguments in regular Rust calls). /// 2. We currently don't support `track_caller`, so we ignore the extra argument that is added to support that. /// Tracked here: - fn codegen_args<'a>( + pub fn codegen_args<'a>( &self, instance: InstanceStable, fn_abi: &'a FnAbi, ) -> impl Iterator { - let instance_internal = rustc_internal::internal(instance); - let requires_caller_location = instance_internal.def.requires_caller_location(self.tcx); + let requires_caller_location = self.requires_caller_location(instance); let num_args = fn_abi.args.len(); fn_abi.args.iter().enumerate().filter(move |(idx, arg_abi)| { arg_abi.mode != PassMode::Ignore && !(requires_caller_location && idx + 1 == num_args) @@ -1722,7 +1670,7 @@ fn common_vtable_fields(drop_in_place: Type) -> Vec { pub fn pointee_type(mir_type: Ty) -> Option { match mir_type.kind() { ty::Ref(_, pointee_type, _) => Some(*pointee_type), - ty::RawPtr(ty::TypeAndMut { ty: pointee_type, .. }) => Some(*pointee_type), + ty::RawPtr(pointee_type, _) => Some(*pointee_type), _ => None, } } @@ -1730,7 +1678,7 @@ pub fn pointee_type(mir_type: Ty) -> Option { /// Extracts the pointee type if the given mir type is either a known smart pointer (Box, Rc, ..) /// or a regular pointer. pub fn std_pointee_type(mir_type: Ty) -> Option { - mir_type.builtin_deref(true).map(|tm| tm.ty) + mir_type.builtin_deref(true) } /// This is a place holder function that should normalize the given type. @@ -1748,8 +1696,10 @@ impl<'tcx> GotocCtx<'tcx> { /// metadata associated with it. pub fn use_thin_pointer(&self, mir_type: Ty<'tcx>) -> bool { // ptr_metadata_ty is not defined on all types, the projection of an associated type - let (metadata, _check_is_sized) = mir_type.ptr_metadata_ty(self.tcx, normalize_type); - !self.is_unsized(mir_type) || metadata == self.tcx.types.unit + let metadata = mir_type.ptr_metadata_ty_or_tail(self.tcx, normalize_type); + !self.is_unsized(mir_type) + || metadata.is_err() + || (metadata.unwrap() == self.tcx.types.unit) } /// We use fat pointer if not thin pointer. @@ -1760,14 +1710,14 @@ impl<'tcx> GotocCtx<'tcx> { /// A pointer to the mir type should be a slice fat pointer. /// We use a slice fat pointer if the metadata is the slice length (type usize). pub fn use_slice_fat_pointer(&self, mir_type: Ty<'tcx>) -> bool { - let (metadata, _check_is_sized) = mir_type.ptr_metadata_ty(self.tcx, normalize_type); + let metadata = mir_type.ptr_metadata_ty(self.tcx, normalize_type); metadata == self.tcx.types.usize } /// A pointer to the mir type should be a vtable fat pointer. /// We use a vtable fat pointer if this is a fat pointer to anything that is not a slice ptr. /// I.e.: The metadata is not length (type usize). pub fn use_vtable_fat_pointer(&self, mir_type: Ty<'tcx>) -> bool { - let (metadata, _check_is_sized) = mir_type.ptr_metadata_ty(self.tcx, normalize_type); + let metadata = mir_type.ptr_metadata_ty(self.tcx, normalize_type); metadata != self.tcx.types.unit && metadata != self.tcx.types.usize } diff --git a/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs b/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs index 1cfff307f856..986cd00e32a5 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs @@ -7,24 +7,24 @@ use crate::args::ReachabilityType; use crate::codegen_cprover_gotoc::GotocCtx; use crate::kani_middle::analysis; use crate::kani_middle::attributes::{is_test_harness_description, KaniAttributes}; -use crate::kani_middle::metadata::{canonical_mangled_name, gen_test_metadata}; +use crate::kani_middle::check_reachable_items; +use crate::kani_middle::codegen_units::{CodegenUnit, CodegenUnits}; +use crate::kani_middle::metadata::gen_test_metadata; use crate::kani_middle::provide; use crate::kani_middle::reachability::{ collect_reachable_items, filter_const_crate_items, filter_crate_items, }; -use crate::kani_middle::{check_reachable_items, dump_mir_items}; +use crate::kani_middle::transform::{BodyTransformation, GlobalPasses}; use crate::kani_queries::QueryDb; use cbmc::goto_program::Location; use cbmc::irep::goto_binary_serde::write_goto_binary_file; -use cbmc::{InternString, RoundingMode}; +use cbmc::RoundingMode; use cbmc::{InternedString, MachineModel}; use kani_metadata::artifact::convert_type; use kani_metadata::UnsupportedFeature; use kani_metadata::{ArtifactType, HarnessMetadata, KaniMetadata}; use kani_metadata::{AssignsContract, CompilerArtifactStub}; -use rustc_codegen_ssa::back::archive::{ - get_native_object_symbols, ArArchiveBuilder, ArchiveBuilder, -}; +use rustc_codegen_ssa::back::archive::{ArArchiveBuilder, ArchiveBuilder, DEFAULT_OBJECT_READER}; use rustc_codegen_ssa::back::metadata::create_wrapper_file; use rustc_codegen_ssa::traits::CodegenBackend; use rustc_codegen_ssa::{CodegenResults, CrateInfo}; @@ -48,12 +48,10 @@ use stable_mir::mir::mono::{Instance, MonoItem}; use stable_mir::{CrateDef, DefId}; use std::any::Any; use std::collections::BTreeMap; -use std::collections::HashSet; use std::ffi::OsString; use std::fmt::Write; use std::fs::File; use std::io::BufWriter; -use std::iter::FromIterator; use std::path::{Path, PathBuf}; use std::process::Command; use std::sync::{Arc, Mutex}; @@ -87,16 +85,40 @@ impl GotocCodegenBackend { symtab_goto: &Path, machine_model: &MachineModel, check_contract: Option, + mut transformer: BodyTransformation, ) -> (GotocCtx<'tcx>, Vec, Option) { - let items = with_timer( - || collect_reachable_items(tcx, starting_items), + let (items, call_graph) = with_timer( + || collect_reachable_items(tcx, &mut transformer, starting_items), "codegen reachability analysis", ); - dump_mir_items(tcx, &items, &symtab_goto.with_extension("kani.mir")); + + // Retrieve all instances from the currently codegened items. + let instances = items + .iter() + .filter_map(|item| match item { + MonoItem::Fn(instance) => Some(*instance), + MonoItem::Static(static_def) => { + let instance: Instance = (*static_def).into(); + instance.has_body().then_some(instance) + } + MonoItem::GlobalAsm(_) => None, + }) + .collect(); + + // Apply all transformation passes, including global passes. + let mut global_passes = GlobalPasses::new(&self.queries.lock().unwrap(), tcx); + global_passes.run_global_passes( + &mut transformer, + tcx, + starting_items, + instances, + call_graph, + ); // Follow rustc naming convention (cx is abbrev for context). // https://rustc-dev-guide.rust-lang.org/conventions.html#naming-conventions - let mut gcx = GotocCtx::new(tcx, (*self.queries.lock().unwrap()).clone(), machine_model); + let mut gcx = + GotocCtx::new(tcx, (*self.queries.lock().unwrap()).clone(), machine_model, transformer); check_reachable_items(gcx.tcx, &gcx.queries, &items); let contract_info = with_timer( @@ -131,7 +153,7 @@ impl GotocCodegenBackend { format!( "codegen_function: {}\n{}", instance.name(), - gcx.symbol_name_stable(instance) + instance.mangled_name() ), instance.def, ); @@ -226,45 +248,48 @@ impl CodegenBackend for GotocCodegenBackend { // - Tests: Generate one model per test harnesses. // - PubFns: Generate code for all reachable logic starting from the local public functions. // - None: Don't generate code. This is used to compile dependencies. - let base_filename = tcx.output_filenames(()).output_path(OutputType::Object); + let base_filepath = tcx.output_filenames(()).path(OutputType::Object); + let base_filename = base_filepath.as_path(); let reachability = queries.args().reachability_analysis; let mut results = GotoCodegenResults::new(tcx, reachability); match reachability { ReachabilityType::Harnesses => { + let mut units = CodegenUnits::new(&queries, tcx); + let mut modifies_instances = vec![]; // Cross-crate collecting of all items that are reachable from the crate harnesses. - let harnesses = queries.target_harnesses(); - let mut items: HashSet<_> = HashSet::with_capacity(harnesses.len()); - items.extend(harnesses); - let harnesses = filter_crate_items(tcx, |_, instance| { - items.contains(&instance.mangled_name().intern()) - }); - for harness in harnesses { - let model_path = - queries.harness_model_path(&harness.mangled_name()).unwrap(); - let contract_metadata = - contract_metadata_for_harness(tcx, harness.def.def_id()).unwrap(); - let (gcx, items, contract_info) = self.codegen_items( - tcx, - &[MonoItem::Fn(harness)], - model_path, - &results.machine_model, - contract_metadata, - ); - results.extend(gcx, items, None); - if let Some(assigns_contract) = contract_info { - self.queries.lock().unwrap().register_assigns_contract( - canonical_mangled_name(harness).intern(), - assigns_contract, + for unit in units.iter() { + // We reset the body cache for now because each codegen unit has different + // configurations that affect how we transform the instance body. + let mut transformer = BodyTransformation::new(&queries, tcx, &unit); + for harness in &unit.harnesses { + let model_path = units.harness_model_path(*harness).unwrap(); + let contract_metadata = + contract_metadata_for_harness(tcx, harness.def.def_id()).unwrap(); + let (gcx, items, contract_info) = self.codegen_items( + tcx, + &[MonoItem::Fn(*harness)], + model_path, + &results.machine_model, + contract_metadata, + transformer, ); + transformer = results.extend(gcx, items, None); + if let Some(assigns_contract) = contract_info { + modifies_instances.push((*harness, assigns_contract)); + } } } + units.store_modifies(&modifies_instances); + units.write_metadata(&queries, tcx); } ReachabilityType::Tests => { // We're iterating over crate items here, so what we have to codegen is the "test description" containing the // test closure that we want to execute // TODO: Refactor this code so we can guarantee that the pair (test_fn, test_desc) actually match. + let unit = CodegenUnit::default(); + let mut transformer = BodyTransformation::new(&queries, tcx, &unit); let mut descriptions = vec![]; - let harnesses = filter_const_crate_items(tcx, |_, item| { + let harnesses = filter_const_crate_items(tcx, &mut transformer, |_, item| { if is_test_harness_description(tcx, item.def) { descriptions.push(item.def); true @@ -283,6 +308,7 @@ impl CodegenBackend for GotocCodegenBackend { &model_path, &results.machine_model, Default::default(), + transformer, ); results.extend(gcx, items, None); @@ -304,10 +330,12 @@ impl CodegenBackend for GotocCodegenBackend { } ReachabilityType::None => {} ReachabilityType::PubFns => { + let unit = CodegenUnit::default(); + let transformer = BodyTransformation::new(&queries, tcx, &unit); let main_instance = stable_mir::entry_fn().map(|main_fn| Instance::try_from(main_fn).unwrap()); let local_reachable = filter_crate_items(tcx, |_, instance| { - let def_id = rustc_internal::internal(instance.def.def_id()); + let def_id = rustc_internal::internal(tcx, instance.def.def_id()); Some(instance) == main_instance || tcx.is_reachable_non_generic(def_id) }) .into_iter() @@ -320,9 +348,10 @@ impl CodegenBackend for GotocCodegenBackend { &model_path, &results.machine_model, Default::default(), + transformer, ); assert!(contract_info.is_none()); - results.extend(gcx, items, None); + let _ = results.extend(gcx, items, None); } } @@ -353,10 +382,10 @@ impl CodegenBackend for GotocCodegenBackend { ongoing_codegen: Box, _sess: &Session, _filenames: &OutputFilenames, - ) -> Result<(CodegenResults, FxIndexMap), ErrorGuaranteed> { + ) -> (CodegenResults, FxIndexMap) { match ongoing_codegen.downcast::<(CodegenResults, FxIndexMap)>() { - Ok(val) => Ok(*val), + Ok(val) => *val, Err(val) => panic!("unexpected error: {:?}", (*val).type_id()), } } @@ -393,12 +422,12 @@ impl CodegenBackend for GotocCodegenBackend { debug!(?crate_type, ?out_path, "link"); if *crate_type == CrateType::Rlib { // Emit the `rlib` that contains just one file: `.rmeta` - let mut builder = Box::new(ArArchiveBuilder::new(sess, get_native_object_symbols)); + let mut builder = Box::new(ArArchiveBuilder::new(sess, &DEFAULT_OBJECT_READER)); let tmp_dir = TempFileBuilder::new().prefix("kani").tempdir().unwrap(); let path = MaybeTempDir::new(tmp_dir, sess.opts.cg.save_temps); let (metadata, _metadata_position) = create_wrapper_file( sess, - b".rmeta".to_vec(), + ".rmeta".to_string(), codegen_results.metadata.raw_data(), ); let metadata = emit_wrapper_file(sess, &metadata, &path, METADATA_FILENAME); @@ -406,7 +435,8 @@ impl CodegenBackend for GotocCodegenBackend { builder.build(&out_path); } else { // Write the location of the kani metadata file in the requested compiler output file. - let base_filename = outputs.output_path(OutputType::Object); + let base_filepath = outputs.path(OutputType::Object); + let base_filename = base_filepath.as_path(); let content_stub = CompilerArtifactStub { metadata_path: base_filename.with_extension(ArtifactType::Metadata), }; @@ -614,12 +644,18 @@ impl GotoCodegenResults { } } - fn extend(&mut self, gcx: GotocCtx, items: Vec, metadata: Option) { + fn extend( + &mut self, + gcx: GotocCtx, + items: Vec, + metadata: Option, + ) -> BodyTransformation { let mut items = items; self.harnesses.extend(metadata); self.concurrent_constructs.extend(gcx.concurrent_constructs); self.unsupported_constructs.extend(gcx.unsupported_constructs); self.items.append(&mut items); + gcx.transformer } /// Prints a report at the end of the compilation. diff --git a/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs b/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs index b8251b153e5a..ea3c9e909eb6 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs @@ -4,13 +4,12 @@ use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::Stmt; use cbmc::InternedString; -use rustc_middle::mir::Body as InternalBody; -use rustc_middle::ty::Instance as InternalInstance; +use rustc_middle::ty::Instance as InstanceInternal; use rustc_smir::rustc_internal; use stable_mir::mir::mono::Instance; -use stable_mir::mir::{Body, Local, LocalDecl}; +use stable_mir::mir::{visit::Location, visit::MirVisitor, Body, Local, LocalDecl, Rvalue}; use stable_mir::CrateDef; -use std::collections::HashMap; +use std::collections::{HashMap, HashSet}; /// This structure represents useful data about the function we are currently compiling. #[derive(Debug)] @@ -21,12 +20,14 @@ pub struct CurrentFnCtx<'tcx> { instance: Instance, /// The crate this function is from krate: String, - /// The MIR for the current instance. This is using the internal representation. - mir: &'tcx InternalBody<'tcx>, + /// The current instance. This is using the internal representation. + instance_internal: InstanceInternal<'tcx>, /// A list of local declarations used to retrieve MIR component types. locals: Vec, /// A list of pretty names for locals that corrspond to user variables. local_names: HashMap, + /// Collection of variables that are used in a reference or address-of expression. + address_taken_locals: HashSet, /// The symbol name of the current function name: String, /// A human readable pretty name for the current function @@ -35,26 +36,46 @@ pub struct CurrentFnCtx<'tcx> { temp_var_counter: u64, } +struct AddressTakenLocalsCollector { + /// Locals that appear in `Rvalue::Ref` or `Rvalue::AddressOf` expressions. + address_taken_locals: HashSet, +} + +impl MirVisitor for AddressTakenLocalsCollector { + fn visit_rvalue(&mut self, rvalue: &Rvalue, _location: Location) { + match rvalue { + Rvalue::Ref(_, _, p) | Rvalue::AddressOf(_, p) => { + if p.projection.is_empty() { + self.address_taken_locals.insert(p.local); + } + } + _ => (), + } + } +} + /// Constructor impl<'tcx> CurrentFnCtx<'tcx> { pub fn new(instance: Instance, gcx: &GotocCtx<'tcx>, body: &Body) -> Self { - let internal_instance = rustc_internal::internal(instance); + let instance_internal = rustc_internal::internal(gcx.tcx, instance); let readable_name = instance.name(); - let name = - if &readable_name == "main" { readable_name.clone() } else { instance.mangled_name() }; + let name = instance.mangled_name(); let locals = body.locals().to_vec(); let local_names = body .var_debug_info .iter() .filter_map(|info| info.local().map(|local| (local, (&info.name).into()))) .collect::>(); + let mut visitor = AddressTakenLocalsCollector { address_taken_locals: HashSet::new() }; + visitor.visit_body(body); Self { block: vec![], instance, - mir: gcx.tcx.instance_mir(internal_instance.def), + instance_internal, krate: instance.def.krate().name, locals, local_names, + address_taken_locals: visitor.address_taken_locals, name, readable_name, temp_var_counter: 0, @@ -83,19 +104,14 @@ impl<'tcx> CurrentFnCtx<'tcx> { /// Getters impl<'tcx> CurrentFnCtx<'tcx> { /// The function we are currently compiling - pub fn instance(&self) -> InternalInstance<'tcx> { - rustc_internal::internal(self.instance) + pub fn instance(&self) -> InstanceInternal<'tcx> { + self.instance_internal } pub fn instance_stable(&self) -> Instance { self.instance } - /// The internal MIR for the function we are currently compiling using internal APIs. - pub fn body_internal(&self) -> &'tcx InternalBody<'tcx> { - self.mir - } - /// The name of the function we are currently compiling pub fn name(&self) -> String { self.name.clone() @@ -113,6 +129,10 @@ impl<'tcx> CurrentFnCtx<'tcx> { pub fn local_name(&self, local: Local) -> Option { self.local_names.get(&local).copied() } + + pub fn is_address_taken_local(&self, local: Local) -> bool { + self.address_taken_locals.contains(&local) + } } /// Utility functions diff --git a/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs b/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs index 10ee6a876588..e360cd491edd 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs @@ -11,6 +11,7 @@ //! This file is for defining the data-structure itself. //! 1. Defines `GotocCtx<'tcx>` //! 2. Provides constructors, getters and setters for the context. +//! //! Any MIR specific functionality (e.g. codegen etc) should live in specialized files that use //! this structure as input. use super::current_fn::CurrentFnCtx; @@ -18,11 +19,13 @@ use super::vtable_ctx::VtableCtx; use crate::codegen_cprover_gotoc::overrides::{fn_hooks, GotocHooks}; use crate::codegen_cprover_gotoc::utils::full_crate_name; use crate::codegen_cprover_gotoc::UnsupportedConstructs; +use crate::kani_middle::transform::BodyTransformation; use crate::kani_queries::QueryDb; -use cbmc::goto_program::{DatatypeComponent, Expr, Location, Stmt, Symbol, SymbolTable, Type}; +use cbmc::goto_program::{ + DatatypeComponent, Expr, Location, Stmt, Symbol, SymbolTable, SymbolValues, Type, +}; use cbmc::utils::aggr_tag; use cbmc::{InternedString, MachineModel}; -use kani_metadata::HarnessMetadata; use rustc_data_structures::fx::FxHashMap; use rustc_middle::span_bug; use rustc_middle::ty::layout::{ @@ -37,6 +40,7 @@ use rustc_target::abi::{HasDataLayout, TargetDataLayout}; use stable_mir::mir::mono::Instance; use stable_mir::mir::Body; use stable_mir::ty::Allocation; +use std::fmt::Debug; pub struct GotocCtx<'tcx> { /// the typing context @@ -60,8 +64,6 @@ pub struct GotocCtx<'tcx> { /// map from symbol identifier to string literal /// TODO: consider making the map from Expr to String instead pub str_literals: FxHashMap, - pub proof_harnesses: Vec, - pub test_harnesses: Vec, /// a global counter for generating unique IDs for checks pub global_checks_count: u64, /// A map of unsupported constructs that were found while codegen @@ -70,6 +72,8 @@ pub struct GotocCtx<'tcx> { /// We collect them and print one warning at the end if not empty instead of printing one /// warning at each occurrence. pub concurrent_constructs: UnsupportedConstructs, + /// The body transformation agent. + pub transformer: BodyTransformation, } /// Constructor @@ -78,6 +82,7 @@ impl<'tcx> GotocCtx<'tcx> { tcx: TyCtxt<'tcx>, queries: QueryDb, machine_model: &MachineModel, + transformer: BodyTransformation, ) -> GotocCtx<'tcx> { let fhks = fn_hooks(); let symbol_table = SymbolTable::new(machine_model.clone()); @@ -94,11 +99,10 @@ impl<'tcx> GotocCtx<'tcx> { current_fn: None, type_map: FxHashMap::default(), str_literals: FxHashMap::default(), - proof_harnesses: vec![], - test_harnesses: vec![], global_checks_count: 0, unsupported_constructs: FxHashMap::default(), concurrent_constructs: FxHashMap::default(), + transformer, } } } @@ -136,8 +140,14 @@ impl<'tcx> GotocCtx<'tcx> { } // Generate a Symbol Expression representing a function variable from the MIR - pub fn gen_function_local_variable(&mut self, c: u64, fname: &str, t: Type) -> Symbol { - self.gen_stack_variable(c, fname, "var", t, Location::none(), false) + pub fn gen_function_local_variable( + &mut self, + c: u64, + fname: &str, + t: Type, + loc: Location, + ) -> Symbol { + self.gen_stack_variable(c, fname, "var", t, loc) } /// Given a counter `c` a function name `fname, and a prefix `prefix`, generates a new function local variable @@ -149,11 +159,10 @@ impl<'tcx> GotocCtx<'tcx> { prefix: &str, t: Type, loc: Location, - is_param: bool, ) -> Symbol { let base_name = format!("{prefix}_{c}"); let name = format!("{fname}::1::{base_name}"); - let symbol = Symbol::variable(name, base_name, t, loc).with_is_parameter(is_param); + let symbol = Symbol::variable(name, base_name, t, loc); self.symbol_table.insert(symbol.clone()); symbol } @@ -167,8 +176,7 @@ impl<'tcx> GotocCtx<'tcx> { loc: Location, ) -> (Expr, Stmt) { let c = self.current_fn_mut().get_and_incr_counter(); - let var = - self.gen_stack_variable(c, &self.current_fn().name(), "temp", t, loc, false).to_expr(); + let var = self.gen_stack_variable(c, &self.current_fn().name(), "temp", t, loc).to_expr(); let value = value.or_else(|| self.codegen_default_initializer(&var)); let decl = Stmt::decl(var.clone(), value, loc); (var, decl) @@ -195,34 +203,58 @@ impl<'tcx> GotocCtx<'tcx> { self.symbol_table.lookup(name).unwrap() } + /// Ensures that a global variable `name` appears in the Symbol table and is initialized. + /// + /// This will add the symbol to the Symbol Table if not inserted yet. + /// This will register the initialization function if not initialized yet. + /// - This case can happen for static variables, since they are declared first. + pub fn ensure_global_var_init( + &mut self, + name: T, + is_file_local: bool, + is_const: bool, + t: Type, + loc: Location, + init: F, + ) -> &mut Symbol + where + T: Into + Clone + Debug, + F: Fn(&mut GotocCtx, Symbol) -> Expr, + { + let sym = self.ensure_global_var(name.clone(), is_file_local, t, loc); + sym.set_is_static_const(is_const); + if matches!(sym.value, SymbolValues::None) { + // Clone sym so we can use `&mut self`. + let sym = sym.clone(); + let init_expr = SymbolValues::Expr(init(self, sym)); + // Need to lookup again since symbol table might've changed. + let sym = self.symbol_table.lookup_mut(name).unwrap(); + sym.value = init_expr; + sym + } else { + self.symbol_table.lookup_mut(name).unwrap() + } + } + /// Ensures that a global variable `name` appears in the Symbol table. - /// If it doesn't, inserts it. - /// If `init_fn` returns `Some(body)`, creates an initializer for the variable using `body`. - /// Otherwise, leaves the variable uninitialized . - pub fn ensure_global_var< - F: FnOnce(&mut GotocCtx<'tcx>, Expr) -> Option, - T: Into, - >( + /// + /// This will add the symbol to the Symbol Table if not inserted yet. + pub fn ensure_global_var + Clone>( &mut self, name: T, is_file_local: bool, t: Type, loc: Location, - init_fn: F, - ) -> Expr { - let name = name.into(); - if !self.symbol_table.contains(name) { - tracing::debug!(?name, "Ensure global variable"); - let sym = Symbol::static_variable(name, name, t, loc) + ) -> &mut Symbol { + let sym_name = name.clone().into(); + if !self.symbol_table.contains(sym_name) { + tracing::debug!(?sym_name, "ensure_global_var insert"); + let sym = Symbol::static_variable(sym_name, sym_name, t, loc) .with_is_file_local(is_file_local) .with_is_hidden(false); - let var = sym.to_expr(); - self.symbol_table.insert(sym); - if let Some(body) = init_fn(self, var) { - self.register_initializer(&name.to_string(), body); - } + self.symbol_table.insert(sym.clone()); } - self.symbol_table.lookup(name).unwrap().to_expr() + self.symbol_table.lookup_mut(sym_name).unwrap() } /// Ensures that a struct with name `struct_name` appears in the symbol table. @@ -279,22 +311,6 @@ impl<'tcx> GotocCtx<'tcx> { } Type::union_tag(union_name) } - - /// Makes a `__attribute__((constructor)) fnname() {body}` initalizer function - pub fn register_initializer(&mut self, var_name: &str, body: Stmt) -> &Symbol { - let fn_name = Self::initializer_fn_name(var_name); - let pretty_name = format!("{var_name}::init"); - self.ensure(&fn_name, |_tcx, _| { - Symbol::function( - &fn_name, - Type::code(vec![], Type::constructor()), - Some(Stmt::block(vec![body], Location::none())), //TODO is this block needed? - &pretty_name, - Location::none(), - ) - .with_is_file_local(true) - }) - } } /// Mutators diff --git a/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs b/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs index 97606688d1ed..c0df279932f6 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs @@ -10,8 +10,9 @@ use crate::codegen_cprover_gotoc::codegen::{bb_label, PropertyClass}; use crate::codegen_cprover_gotoc::GotocCtx; +use crate::kani_middle::attributes::matches_diagnostic as matches_function; use crate::unwrap_or_return_codegen_unimplemented_stmt; -use cbmc::goto_program::{BuiltinFn, Expr, Location, Stmt, Type}; +use cbmc::goto_program::{BuiltinFn, Expr, Stmt, Type}; use rustc_middle::ty::TyCtxt; use rustc_smir::rustc_internal; use stable_mir::mir::mono::Instance; @@ -35,17 +36,6 @@ pub trait GotocHook { ) -> Stmt; } -fn matches_function(tcx: TyCtxt, instance: Instance, attr_name: &str) -> bool { - let attr_sym = rustc_span::symbol::Symbol::intern(attr_name); - if let Some(attr_id) = tcx.all_diagnostic_items(()).name_to_id.get(&attr_sym) { - if rustc_internal::internal(instance.def.def_id()) == *attr_id { - debug!("matched: {:?} {:?}", attr_id, attr_sym); - return true; - } - } - false -} - /// A hook for Kani's `cover` function (declared in `library/kani/src/lib.rs`). /// The function takes two arguments: a condition expression (bool) and a /// message (&'static str). @@ -57,7 +47,7 @@ fn matches_function(tcx: TyCtxt, instance: Instance, attr_name: &str) -> bool { struct Cover; impl GotocHook for Cover { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniCover") + matches_function(tcx, instance.def, "KaniCover") } fn handle( @@ -92,7 +82,7 @@ impl GotocHook for Cover { struct Assume; impl GotocHook for Assume { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniAssume") + matches_function(tcx, instance.def, "KaniAssume") } fn handle( @@ -116,7 +106,7 @@ impl GotocHook for Assume { struct Assert; impl GotocHook for Assert { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniAssert") + matches_function(tcx, instance.def, "KaniAssert") } fn handle( @@ -153,11 +143,46 @@ impl GotocHook for Assert { } } +struct Check; +impl GotocHook for Check { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniCheck") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + mut fargs: Vec, + _assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 2); + let cond = fargs.remove(0).cast_to(Type::bool()); + let msg = fargs.remove(0); + let msg = gcx.extract_const_message(&msg).unwrap(); + let target = target.unwrap(); + let caller_loc = gcx.codegen_caller_span_stable(span); + + let (msg, reach_stmt) = gcx.codegen_reachability_check(msg, span); + + Stmt::block( + vec![ + reach_stmt, + gcx.codegen_assert(cond, PropertyClass::Assertion, &msg, caller_loc), + Stmt::goto(bb_label(target), caller_loc), + ], + caller_loc, + ) + } +} + struct Nondet; impl GotocHook for Nondet { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniAnyRaw") + matches_function(tcx, instance.def, "KaniAnyRaw") } fn handle( @@ -178,7 +203,7 @@ impl GotocHook for Nondet { } else { let pe = unwrap_or_return_codegen_unimplemented_stmt!( gcx, - gcx.codegen_place_stable(assign_to) + gcx.codegen_place_stable(assign_to, loc) ) .goto_expr; Stmt::block( @@ -196,12 +221,12 @@ struct Panic; impl GotocHook for Panic { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - let def_id = rustc_internal::internal(instance.def.def_id()); + let def_id = rustc_internal::internal(tcx, instance.def.def_id()); Some(def_id) == tcx.lang_items().panic_fn() || tcx.has_attr(def_id, rustc_span::sym::rustc_const_panic_str) || Some(def_id) == tcx.lang_items().panic_fmt() || Some(def_id) == tcx.lang_items().begin_panic_fn() - || matches_function(tcx, instance, "KaniPanic") + || matches_function(tcx, instance.def, "KaniPanic") } fn handle( @@ -217,6 +242,115 @@ impl GotocHook for Panic { } } +/// Encodes __CPROVER_r_ok(ptr, size) +struct IsAllocated; +impl GotocHook for IsAllocated { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniIsAllocated") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + mut fargs: Vec, + assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 2); + let size = fargs.pop().unwrap(); + let ptr = fargs.pop().unwrap().cast_to(Type::void_pointer()); + let target = target.unwrap(); + let loc = gcx.codegen_caller_span_stable(span); + let ret_place = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ); + let ret_type = ret_place.goto_expr.typ().clone(); + + Stmt::block( + vec![ + ret_place.goto_expr.assign(Expr::read_ok(ptr, size).cast_to(ret_type), loc), + Stmt::goto(bb_label(target), loc), + ], + loc, + ) + } +} + +/// Encodes __CPROVER_pointer_object(ptr) +struct PointerObject; +impl GotocHook for PointerObject { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniPointerObject") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + mut fargs: Vec, + assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 1); + let ptr = fargs.pop().unwrap().cast_to(Type::void_pointer()); + let target = target.unwrap(); + let loc = gcx.codegen_caller_span_stable(span); + let ret_place = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ); + let ret_type = ret_place.goto_expr.typ().clone(); + + Stmt::block( + vec![ + ret_place.goto_expr.assign(Expr::pointer_object(ptr).cast_to(ret_type), loc), + Stmt::goto(bb_label(target), loc), + ], + loc, + ) + } +} + +/// Encodes __CPROVER_pointer_offset(ptr) +struct PointerOffset; +impl GotocHook for PointerOffset { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniPointerOffset") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + mut fargs: Vec, + assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 1); + let ptr = fargs.pop().unwrap().cast_to(Type::void_pointer()); + let target = target.unwrap(); + let loc = gcx.codegen_caller_span_stable(span); + let ret_place = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ); + let ret_type = ret_place.goto_expr.typ().clone(); + + Stmt::block( + vec![ + ret_place.goto_expr.assign(Expr::pointer_offset(ptr).cast_to(ret_type), loc), + Stmt::goto(bb_label(target), loc), + ], + loc, + ) + } +} + struct RustAlloc; // Removing this hook causes regression failures. // https://github.com/model-checking/kani/issues/1170 @@ -243,7 +377,7 @@ impl GotocHook for RustAlloc { vec![ unwrap_or_return_codegen_unimplemented_stmt!( gcx, - gcx.codegen_place_stable(assign_to) + gcx.codegen_place_stable(assign_to, loc) ) .goto_expr .assign( @@ -252,9 +386,9 @@ impl GotocHook for RustAlloc { .cast_to(Type::unsigned_int(8).to_pointer()), loc, ), - Stmt::goto(bb_label(target), Location::none()), + Stmt::goto(bb_label(target), loc), ], - Location::none(), + loc, ) } } @@ -303,13 +437,14 @@ impl GotocHook for MemCmp { let is_first_ok = first_var.clone().is_nonnull(); let is_second_ok = second_var.clone().is_nonnull(); let should_skip_pointer_checks = is_count_zero.and(is_first_ok).and(is_second_ok); - let place_expr = - unwrap_or_return_codegen_unimplemented_stmt!(gcx, gcx.codegen_place_stable(assign_to)) - .goto_expr; + let place_expr = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ) + .goto_expr; let rhs = should_skip_pointer_checks.ternary( Expr::int_constant(0, place_expr.typ().clone()), // zero bytes are always equal (as long as pointers are nonnull and aligned) - gcx.codegen_func_expr(instance, Some(span)) - .call(vec![first_var, second_var, count_var]), + gcx.codegen_func_expr(instance, loc).call(vec![first_var, second_var, count_var]), ); let code = place_expr.assign(rhs, loc).with_location(loc); Stmt::block( @@ -330,7 +465,7 @@ struct UntrackedDeref; impl GotocHook for UntrackedDeref { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniUntrackedDeref") + matches_function(tcx, instance.def, "KaniUntrackedDeref") } fn handle( @@ -354,7 +489,7 @@ impl GotocHook for UntrackedDeref { vec![Stmt::assign( unwrap_or_return_codegen_unimplemented_stmt!( gcx, - gcx.codegen_place_stable(assign_to) + gcx.codegen_place_stable(assign_to, loc) ) .goto_expr, fargs.pop().unwrap().dereference(), @@ -365,17 +500,61 @@ impl GotocHook for UntrackedDeref { } } +struct InitContracts; + +/// CBMC contracts currently has a limitation where `free` has to be in scope. +/// However, if there is no dynamic allocation in the harness, slicing removes `free` from the +/// scope. +/// +/// Thus, this function will basically translate into: +/// ```c +/// // This is a no-op. +/// free(NULL); +/// ``` +impl GotocHook for InitContracts { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniInitContracts") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + fargs: Vec, + _assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 0,); + let loc = gcx.codegen_span_stable(span); + Stmt::block( + vec![ + BuiltinFn::Free + .call(vec![Expr::pointer_constant(0, Type::void_pointer())], loc) + .as_stmt(loc), + Stmt::goto(bb_label(target.unwrap()), loc), + ], + loc, + ) + } +} + pub fn fn_hooks() -> GotocHooks { GotocHooks { hooks: vec![ Rc::new(Panic), Rc::new(Assume), Rc::new(Assert), + Rc::new(Check), Rc::new(Cover), Rc::new(Nondet), + Rc::new(IsAllocated), + Rc::new(PointerObject), + Rc::new(PointerOffset), Rc::new(RustAlloc), Rc::new(MemCmp), Rc::new(UntrackedDeref), + Rc::new(InitContracts), ], } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/utils/debug.rs b/kani-compiler/src/codegen_cprover_gotoc/utils/debug.rs index aeaf8e0e2d10..0c69cb30b37f 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/utils/debug.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/utils/debug.rs @@ -25,7 +25,7 @@ pub fn init() { /// Custom panic hook to add more information when panic occurs during goto-c codegen. #[allow(clippy::type_complexity)] -static DEFAULT_HOOK: LazyLock) + Sync + Send + 'static>> = +static DEFAULT_HOOK: LazyLock) + Sync + Send + 'static>> = LazyLock::new(|| { let hook = panic::take_hook(); panic::set_hook(Box::new(|info| { diff --git a/kani-compiler/src/codegen_cprover_gotoc/utils/names.rs b/kani-compiler/src/codegen_cprover_gotoc/utils/names.rs index e75182f99afb..c290f2bf6428 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/utils/names.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/utils/names.rs @@ -8,7 +8,6 @@ use cbmc::InternedString; use rustc_hir::def_id::LOCAL_CRATE; use rustc_middle::mir::mono::CodegenUnitNameBuilder; use rustc_middle::ty::TyCtxt; -use stable_mir::mir::mono::Instance; use stable_mir::mir::Local; impl<'tcx> GotocCtx<'tcx> { @@ -50,15 +49,6 @@ impl<'tcx> GotocCtx<'tcx> { format!("{var_name}_init") } - /// Return the mangled name to be used in the symbol table. - /// - /// We special case main function in order to support `--function main`. - // TODO: Get rid of this: https://github.com/model-checking/kani/issues/2129 - pub fn symbol_name_stable(&self, instance: Instance) -> String { - let pretty = instance.name(); - if pretty == "main" { pretty } else { instance.mangled_name() } - } - /// The name for a tuple field pub fn tuple_fld_name(n: usize) -> String { format!("{n}") diff --git a/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs b/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs index d81839ea097c..16edca2a826c 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs @@ -125,7 +125,7 @@ impl<'tcx> GotocCtx<'tcx> { } /// Best effort check if the struct represents a rust `std::marker::PhantomData` - fn assert_is_rust_phantom_data_like(&self, t: &Type) { + pub fn assert_is_rust_phantom_data_like(&self, t: &Type) { // TODO: A `std::marker::PhantomData` appears to be an empty struct, in the cases we've seen. // Is there something smarter we can do here? assert!(t.is_struct_like()); @@ -194,5 +194,5 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn span_err(tcx: TyCtxt, span: Span, msg: String) { - tcx.dcx().span_err(rustc_internal::internal(span), msg); + tcx.dcx().span_err(rustc_internal::internal(tcx, span), msg); } diff --git a/kani-compiler/src/kani_compiler.rs b/kani-compiler/src/kani_compiler.rs index 118821f5995f..58c22f940352 100644 --- a/kani-compiler/src/kani_compiler.rs +++ b/kani-compiler/src/kani_compiler.rs @@ -15,34 +15,19 @@ //! in order to apply the stubs. For the subsequent runs, we add the stub configuration to //! `-C llvm-args`. -use crate::args::{Arguments, ReachabilityType}; +use crate::args::Arguments; #[cfg(feature = "cprover")] use crate::codegen_cprover_gotoc::GotocCodegenBackend; -use crate::kani_middle::attributes::is_proof_harness; use crate::kani_middle::check_crate_items; -use crate::kani_middle::metadata::gen_proof_metadata; -use crate::kani_middle::reachability::filter_crate_items; -use crate::kani_middle::stubbing::{self, harness_stub_map}; use crate::kani_queries::QueryDb; use crate::session::init_session; -use cbmc::{InternString, InternedString}; use clap::Parser; -use kani_metadata::{ArtifactType, HarnessMetadata, KaniMetadata}; use rustc_codegen_ssa::traits::CodegenBackend; -use rustc_data_structures::fx::FxHashMap; use rustc_driver::{Callbacks, Compilation, RunCompiler}; -use rustc_hir::def_id::LOCAL_CRATE; -use rustc_hir::definitions::DefPathHash; use rustc_interface::Config; -use rustc_middle::ty::TyCtxt; -use rustc_session::config::{ErrorOutputType, OutputType}; +use rustc_session::config::ErrorOutputType; use rustc_smir::rustc_internal; use rustc_span::ErrorGuaranteed; -use std::collections::{BTreeMap, HashMap}; -use std::fs::File; -use std::io::BufWriter; -use std::mem; -use std::path::{Path, PathBuf}; use std::process::ExitCode; use std::sync::{Arc, Mutex}; use tracing::debug; @@ -69,537 +54,64 @@ fn backend(queries: Arc>) -> Box { compile_error!("No backend is available. Only supported value today is `cprover`"); } -/// A stable (across compilation sessions) identifier for the harness function. -type HarnessId = InternedString; - -/// A set of stubs. -type Stubs = BTreeMap; - -#[derive(Clone, Debug)] -struct HarnessInfo { - pub metadata: HarnessMetadata, - pub stub_map: Stubs, -} - -/// Store some relevant information about the crate compilation. -#[derive(Clone, Debug)] -struct CrateInfo { - /// The name of the crate being compiled. - pub name: String, - /// The metadata output path that shall be generated as part of the crate compilation. - pub output_path: PathBuf, -} - -/// Represents the current compilation stage. -/// -/// The Kani compiler may run the Rust compiler multiple times since stubbing has to be applied -/// to the entire Rust compiler session. -/// -/// - We always start in the [CompilationStage::Init]. -/// - After [CompilationStage::Init] we transition to either -/// - [CompilationStage::CodegenNoStubs] on a regular crate compilation, this will follow Init. -/// - [CompilationStage::CompilationSkipped], running the compiler to gather information, such as -/// `--version` will skip code generation completely, and there is no work to be done. -/// - After the [CompilationStage::CodegenNoStubs], we transition to either -/// - [CompilationStage::CodegenWithStubs] when there is at least one harness with stubs. -/// - [CompilationStage::Done] where there is no harness left to process. -/// - The [CompilationStage::CodegenWithStubs] can last multiple Rust compiler runs. Once there is -/// no harness left, we move to [CompilationStage::Done]. -/// - The final stages are either [CompilationStage::Done] or [CompilationStage::CompilationSkipped]. -/// - [CompilationStage::Done] represents the final state of the compiler after a successful -/// compilation. The crate metadata is stored here (even if no codegen was actually performed). -/// - [CompilationStage::CompilationSkipped] no compilation was actually performed. -/// No work needs to be done. -/// - Note: In a scenario where the compilation fails, the compiler will exit immediately, -/// independent on the stage. Any artifact produced shouldn't be used. -/// I.e.: -/// ```dot -/// graph CompilationStage { -/// Init -> {CodegenNoStubs, CompilationSkipped} -/// CodegenNoStubs -> {CodegenStubs, Done} -/// // Loop up to N harnesses times. -/// CodegenStubs -> {CodegenStubs, Done} -/// CompilationSkipped -/// Done -/// } -/// ``` -#[allow(dead_code)] -#[derive(Debug)] -enum CompilationStage { - /// Initial state that the compiler is always instantiated with. - /// In this stage, we initialize the Query and collect all harnesses. - Init, - /// State where the compiler ran but didn't actually compile anything (e.g.: --version). - CompilationSkipped, - /// Stage where the compiler will perform codegen of all harnesses that don't use stub. - CodegenNoStubs { - target_harnesses: Vec, - next_harnesses: Vec>, - all_harnesses: HashMap, - crate_info: CrateInfo, - }, - /// Stage where the compiler will codegen harnesses that use stub, one group at a time. - /// The harnesses at this stage are grouped according to the stubs they are using. For now, - /// we ensure they have the exact same set of stubs. - CodegenWithStubs { - target_harnesses: Vec, - next_harnesses: Vec>, - all_harnesses: HashMap, - crate_info: CrateInfo, - }, - Done { - metadata: Option<(KaniMetadata, CrateInfo)>, - }, -} - -impl CompilationStage { - pub fn is_init(&self) -> bool { - matches!(self, CompilationStage::Init) - } -} - /// This object controls the compiler behavior. /// /// It is responsible for initializing the query database, as well as controlling the compiler -/// state machine. For stubbing, we may require multiple iterations of the rustc driver, which is -/// controlled and configured via KaniCompiler. +/// state machine. struct KaniCompiler { - /// Store the queries database. The queries should be initialized as part of `config` when the + /// Store the query database. The queries should be initialized as part of `config` when the /// compiler state is Init. /// Note that we need to share the queries with the backend before `config` is called. pub queries: Arc>, - /// The state which the compiler is at. - stage: CompilationStage, } impl KaniCompiler { /// Create a new [KaniCompiler] instance. pub fn new() -> KaniCompiler { - KaniCompiler { queries: QueryDb::new(), stage: CompilationStage::Init } + KaniCompiler { queries: QueryDb::new() } } /// Compile the current crate with the given arguments. /// /// Since harnesses may have different attributes that affect compilation, Kani compiler can /// actually invoke the rust compiler multiple times. - pub fn run(&mut self, orig_args: Vec) -> Result<(), ErrorGuaranteed> { - loop { - debug!(next=?self.stage, "run"); - // Because this modifies `self.stage` we need to run this before - // borrowing `&self.stage` immutably - if let CompilationStage::Done { metadata: Some((metadata, _)), .. } = &mut self.stage { - let mut contracts = self - .queries - .lock() - .unwrap() - .assigns_contracts() - .map(|(k, v)| (*k, v.clone())) - .collect::>(); - for harness in - metadata.proof_harnesses.iter_mut().chain(metadata.test_harnesses.iter_mut()) - { - if let Some(modifies_contract) = - contracts.remove(&(&harness.mangled_name).intern()) - { - harness.contract = modifies_contract.into(); - } - } - assert!( - contracts.is_empty(), - "Invariant broken: not all contracts have been handled." - ) - } - match &self.stage { - CompilationStage::Init => self.run_compilation_session(&orig_args)?, - CompilationStage::CodegenNoStubs { .. } => { - unreachable!("This stage should always run in the same session as Init"); - } - CompilationStage::CodegenWithStubs { target_harnesses, all_harnesses, .. } => { - assert!(!target_harnesses.is_empty(), "expected at least one target harness"); - let target_harness_name = &target_harnesses[0]; - let target_harness = &all_harnesses[target_harness_name]; - let extra_arg = stubbing::mk_rustc_arg(&target_harness.stub_map); - let mut args = orig_args.clone(); - args.push(extra_arg); - self.run_compilation_session(&args)? - } - CompilationStage::Done { metadata: Some((kani_metadata, crate_info)) } => { - // Only store metadata for harnesses for now. - // TODO: This should only skip None. - // https://github.com/model-checking/kani/issues/2493 - if self.queries.lock().unwrap().args().reachability_analysis - == ReachabilityType::Harnesses - { - // Store metadata file. - // We delay storing the metadata so we can include information collected - // during codegen. - self.store_metadata(&kani_metadata, &crate_info.output_path); - } - return Ok(()); - } - CompilationStage::Done { metadata: None } - | CompilationStage::CompilationSkipped => { - return Ok(()); - } - }; - - self.next_stage(); - } - } - - /// Set up the next compilation stage after a `rustc` run. - fn next_stage(&mut self) { - self.stage = match &mut self.stage { - CompilationStage::Init => { - // This may occur when user passes arguments like --version or --help. - CompilationStage::Done { metadata: None } - } - CompilationStage::CodegenNoStubs { - next_harnesses, all_harnesses, crate_info, .. - } - | CompilationStage::CodegenWithStubs { - next_harnesses, - all_harnesses, - crate_info, - .. - } => { - if let Some(target_harnesses) = next_harnesses.pop() { - assert!(!target_harnesses.is_empty(), "expected at least one target harness"); - CompilationStage::CodegenWithStubs { - target_harnesses, - next_harnesses: mem::take(next_harnesses), - all_harnesses: mem::take(all_harnesses), - crate_info: crate_info.clone(), - } - } else { - CompilationStage::Done { - metadata: Some(( - generate_metadata(&crate_info, &all_harnesses), - crate_info.clone(), - )), - } - } - } - CompilationStage::Done { .. } | CompilationStage::CompilationSkipped => { - unreachable!() - } - }; - } - - /// Run the Rust compiler with the given arguments and pass `&mut self` to handle callbacks. - fn run_compilation_session(&mut self, args: &[String]) -> Result<(), ErrorGuaranteed> { + pub fn run(&mut self, args: Vec) -> Result<(), ErrorGuaranteed> { debug!(?args, "run_compilation_session"); let queries = self.queries.clone(); - let mut compiler = RunCompiler::new(args, self); + let mut compiler = RunCompiler::new(&args, self); compiler.set_make_codegen_backend(Some(Box::new(move |_cfg| backend(queries)))); compiler.run()?; Ok(()) } - - /// Gather and process all harnesses from this crate that shall be compiled. - fn process_harnesses(&self, tcx: TyCtxt) -> CompilationStage { - let crate_info = CrateInfo { - name: tcx.crate_name(LOCAL_CRATE).as_str().into(), - output_path: metadata_output_path(tcx), - }; - if self.queries.lock().unwrap().args().reachability_analysis == ReachabilityType::Harnesses - { - let base_filename = tcx.output_filenames(()).output_path(OutputType::Object); - let harnesses = filter_crate_items(tcx, |_, instance| is_proof_harness(tcx, instance)); - let all_harnesses = harnesses - .into_iter() - .map(|harness| { - let def_path = harness.mangled_name().intern(); - let metadata = gen_proof_metadata(tcx, harness, &base_filename); - let stub_map = harness_stub_map(tcx, harness, &metadata); - (def_path, HarnessInfo { metadata, stub_map }) - }) - .collect::>(); - - let (no_stubs, with_stubs): (Vec<_>, Vec<_>) = - if self.queries.lock().unwrap().args().stubbing_enabled { - // Partition harnesses that don't have stub with the ones with stub. - all_harnesses - .keys() - .cloned() - .partition(|harness| all_harnesses[harness].stub_map.is_empty()) - } else { - // Generate code without stubs. - (all_harnesses.keys().cloned().collect(), vec![]) - }; - - // Even if no_stubs is empty we still need to store rustc metadata. - CompilationStage::CodegenNoStubs { - target_harnesses: no_stubs, - next_harnesses: group_by_stubs(with_stubs, &all_harnesses), - all_harnesses, - crate_info, - } - } else { - // Leave other reachability type handling as is for now. - CompilationStage::CodegenNoStubs { - target_harnesses: vec![], - next_harnesses: vec![], - all_harnesses: HashMap::default(), - crate_info, - } - } - } - - /// Prepare the query for the next codegen stage. - fn prepare_codegen(&mut self) -> Compilation { - debug!(stage=?self.stage, "prepare_codegen"); - match &self.stage { - CompilationStage::CodegenNoStubs { target_harnesses, all_harnesses, .. } - | CompilationStage::CodegenWithStubs { target_harnesses, all_harnesses, .. } => { - debug!( - harnesses=?target_harnesses - .iter() - .map(|h| &all_harnesses[h].metadata.pretty_name) - .collect::>(), - "prepare_codegen" - ); - let queries = &mut (*self.queries.lock().unwrap()); - queries.harnesses_info = target_harnesses - .iter() - .map(|harness| { - (*harness, all_harnesses[harness].metadata.goto_file.clone().unwrap()) - }) - .collect(); - Compilation::Continue - } - CompilationStage::Init - | CompilationStage::Done { .. } - | CompilationStage::CompilationSkipped => unreachable!(), - } - } - - /// Write the metadata to a file - fn store_metadata(&self, metadata: &KaniMetadata, filename: &Path) { - debug!(?filename, "write_metadata"); - let out_file = File::create(filename).unwrap(); - let writer = BufWriter::new(out_file); - if self.queries.lock().unwrap().args().output_pretty_json { - serde_json::to_writer_pretty(writer, &metadata).unwrap(); - } else { - serde_json::to_writer(writer, &metadata).unwrap(); - } - } -} - -/// Group the harnesses by their stubs. -fn group_by_stubs( - harnesses: Vec, - all_harnesses: &HashMap, -) -> Vec> { - let mut per_stubs: BTreeMap<&Stubs, Vec> = BTreeMap::default(); - for harness in harnesses { - per_stubs.entry(&all_harnesses[&harness].stub_map).or_default().push(harness) - } - per_stubs.into_values().collect() } /// Use default function implementations. impl Callbacks for KaniCompiler { /// Configure the [KaniCompiler] `self` object during the [CompilationStage::Init]. fn config(&mut self, config: &mut Config) { - if self.stage.is_init() { - let mut args = vec!["kani-compiler".to_string()]; - args.extend(config.opts.cg.llvm_args.iter().cloned()); - let args = Arguments::parse_from(args); - init_session(&args, matches!(config.opts.error_format, ErrorOutputType::Json { .. })); - // Configure queries. - let queries = &mut (*self.queries.lock().unwrap()); - - queries.set_args(args); + let mut args = vec!["kani-compiler".to_string()]; + args.extend(config.opts.cg.llvm_args.iter().cloned()); + let args = Arguments::parse_from(args); + init_session(&args, matches!(config.opts.error_format, ErrorOutputType::Json { .. })); - debug!(?queries, "config end"); - } + // Configure queries. + let queries = &mut (*self.queries.lock().unwrap()); + queries.set_args(args); + debug!(?queries, "config end"); } - /// During the initialization state, we collect the crate harnesses and prepare for codegen. + /// After analysis, we check the crate items for Kani API misuse or configuration issues. fn after_analysis<'tcx>( &mut self, _compiler: &rustc_interface::interface::Compiler, rustc_queries: &'tcx rustc_interface::Queries<'tcx>, ) -> Compilation { - if self.stage.is_init() { - self.stage = rustc_queries.global_ctxt().unwrap().enter(|tcx| { - rustc_internal::run(tcx, || { - check_crate_items(tcx, self.queries.lock().unwrap().args().ignore_global_asm); - self.process_harnesses(tcx) - }) - .unwrap() + rustc_queries.global_ctxt().unwrap().enter(|tcx| { + rustc_internal::run(tcx, || { + check_crate_items(tcx, self.queries.lock().unwrap().args().ignore_global_asm); }) - } - - self.prepare_codegen() - } -} - -/// Generate [KaniMetadata] for the target crate. -fn generate_metadata( - crate_info: &CrateInfo, - all_harnesses: &HashMap, -) -> KaniMetadata { - let (proof_harnesses, test_harnesses) = all_harnesses - .values() - .map(|info| &info.metadata) - .cloned() - .partition(|md| md.attributes.proof); - KaniMetadata { - crate_name: crate_info.name.clone(), - proof_harnesses, - unsupported_features: vec![], - test_harnesses, - } -} - -/// Extract the filename for the metadata file. -fn metadata_output_path(tcx: TyCtxt) -> PathBuf { - let mut filename = tcx.output_filenames(()).output_path(OutputType::Object); - filename.set_extension(ArtifactType::Metadata); - filename -} - -#[cfg(test)] -mod tests { - use super::*; - use kani_metadata::{HarnessAttributes, HarnessMetadata}; - use rustc_data_structures::fingerprint::Fingerprint; - use rustc_hir::definitions::DefPathHash; - use std::collections::HashMap; - - fn mock_next_harness_id() -> HarnessId { - static mut COUNTER: u64 = 0; - unsafe { COUNTER += 1 }; - let id = unsafe { COUNTER }; - format!("mod::harness-{id}").intern() - } - - fn mock_next_stub_id() -> DefPathHash { - static mut COUNTER: u64 = 0; - unsafe { COUNTER += 1 }; - let id = unsafe { COUNTER }; - DefPathHash(Fingerprint::new(id, 0)) - } - - fn mock_metadata(name: String, krate: String) -> HarnessMetadata { - HarnessMetadata { - pretty_name: name.clone(), - mangled_name: name.clone(), - original_file: format!("{}.rs", krate), - crate_name: krate, - original_start_line: 10, - original_end_line: 20, - goto_file: None, - attributes: HarnessAttributes::default(), - contract: Default::default(), - } - } - - fn mock_info_with_stubs(stub_map: Stubs) -> HarnessInfo { - HarnessInfo { metadata: mock_metadata("dummy".to_string(), "crate".to_string()), stub_map } - } - - #[test] - fn test_group_by_stubs_works() { - // Set up the inputs - let harness_1 = mock_next_harness_id(); - let harness_2 = mock_next_harness_id(); - let harness_3 = mock_next_harness_id(); - let harnesses = vec![harness_1, harness_2, harness_3]; - - let stub_1 = (mock_next_stub_id(), mock_next_stub_id()); - let stub_2 = (mock_next_stub_id(), mock_next_stub_id()); - let stub_3 = (mock_next_stub_id(), mock_next_stub_id()); - let stub_4 = (stub_3.0, mock_next_stub_id()); - - let set_1 = Stubs::from([stub_1, stub_2, stub_3]); - let set_2 = Stubs::from([stub_1, stub_2, stub_4]); - let set_3 = Stubs::from([stub_1, stub_3, stub_2]); - assert_eq!(set_1, set_3); - assert_ne!(set_1, set_2); - - let harnesses_info = HashMap::from([ - (harness_1, mock_info_with_stubs(set_1)), - (harness_2, mock_info_with_stubs(set_2)), - (harness_3, mock_info_with_stubs(set_3)), - ]); - assert_eq!(harnesses_info.len(), 3); - - // Run the function under test. - let grouped = group_by_stubs(harnesses, &harnesses_info); - - // Verify output. - assert_eq!(grouped.len(), 2); - assert!( - grouped.contains(&vec![harness_1, harness_3]) - || grouped.contains(&vec![harness_3, harness_1]) - ); - assert!(grouped.contains(&vec![harness_2])); - } - - #[test] - fn test_generate_metadata() { - // Mock inputs. - let name = "my_crate".to_string(); - let crate_info = CrateInfo { name: name.clone(), output_path: PathBuf::default() }; - - let mut info = mock_info_with_stubs(Stubs::default()); - info.metadata.attributes.proof = true; - let id = mock_next_harness_id(); - let all_harnesses = HashMap::from([(id, info.clone())]); - - // Call generate metadata. - let metadata = generate_metadata(&crate_info, &all_harnesses); - - // Check output. - assert_eq!(metadata.crate_name, name); - assert_eq!(metadata.proof_harnesses.len(), 1); - assert_eq!(*metadata.proof_harnesses.first().unwrap(), info.metadata); - } - - #[test] - fn test_generate_empty_metadata() { - // Mock inputs. - let name = "my_crate".to_string(); - let crate_info = CrateInfo { name: name.clone(), output_path: PathBuf::default() }; - let all_harnesses = HashMap::new(); - - // Call generate metadata. - let metadata = generate_metadata(&crate_info, &all_harnesses); - - // Check output. - assert_eq!(metadata.crate_name, name); - assert_eq!(metadata.proof_harnesses.len(), 0); - } - - #[test] - fn test_generate_metadata_with_multiple_harness() { - // Mock inputs. - let krate = "my_crate".to_string(); - let crate_info = CrateInfo { name: krate.clone(), output_path: PathBuf::default() }; - - let harnesses = ["h1", "h2", "h3"]; - let infos = harnesses.map(|harness| { - let mut metadata = mock_metadata(harness.to_string(), krate.clone()); - metadata.attributes.proof = true; - (mock_next_harness_id(), HarnessInfo { stub_map: Stubs::default(), metadata }) + .unwrap() }); - let all_harnesses = HashMap::from(infos.clone()); - - // Call generate metadata. - let metadata = generate_metadata(&crate_info, &all_harnesses); - - // Check output. - assert_eq!(metadata.crate_name, krate); - assert_eq!(metadata.proof_harnesses.len(), infos.len()); - assert!( - metadata - .proof_harnesses - .iter() - .all(|harness| harnesses.contains(&&*harness.pretty_name)) - ); + Compilation::Continue } } diff --git a/kani-compiler/src/kani_middle/attributes.rs b/kani-compiler/src/kani_middle/attributes.rs index e9edbedfcd82..8c729bbdec9f 100644 --- a/kani-compiler/src/kani_middle/attributes.rs +++ b/kani-compiler/src/kani_middle/attributes.rs @@ -4,7 +4,7 @@ use std::collections::BTreeMap; -use kani_metadata::{CbmcSolver, HarnessAttributes, Stub}; +use kani_metadata::{CbmcSolver, HarnessAttributes, HarnessKind, Stub}; use rustc_ast::{ attr, token::Token, @@ -70,6 +70,13 @@ enum KaniAttributeKind { /// expanded with additional pointer arguments that are not used in the function /// but referenced by the `modifies` annotation. InnerCheck, + /// Attribute used to mark contracts for functions with recursion. + /// We use this attribute to properly instantiate `kani::any_modifies` in + /// cases when recursion is present given our contracts instrumentation. + Recursion, + /// Used to mark functions where generating automatic pointer checks should be disabled. This is + /// used later to automatically attach pragma statements to locations. + DisableChecks, } impl KaniAttributeKind { @@ -84,11 +91,13 @@ impl KaniAttributeKind { | KaniAttributeKind::StubVerified | KaniAttributeKind::Unwind => true, KaniAttributeKind::Unstable + | KaniAttributeKind::Recursion | KaniAttributeKind::ReplacedWith | KaniAttributeKind::CheckedWith | KaniAttributeKind::Modifies | KaniAttributeKind::InnerCheck - | KaniAttributeKind::IsContractGenerated => false, + | KaniAttributeKind::IsContractGenerated + | KaniAttributeKind::DisableChecks => false, } } @@ -102,13 +111,6 @@ impl KaniAttributeKind { pub fn demands_function_contract_use(self) -> bool { matches!(self, KaniAttributeKind::ProofForContract) } - - /// Would this attribute be placed on a function as part of a function - /// contract. E.g. created by `requires`, `ensures`. - pub fn is_function_contract(self) -> bool { - use KaniAttributeKind::*; - matches!(self, CheckedWith | IsContractGenerated) - } } /// Bundles together common data used when evaluating the attributes of a given @@ -141,7 +143,7 @@ impl<'tcx> KaniAttributes<'tcx> { /// Look up the attributes by a stable MIR DefID pub fn for_def_id(tcx: TyCtxt<'tcx>, def_id: StableDefId) -> Self { - KaniAttributes::for_item(tcx, rustc_internal::internal(def_id)) + KaniAttributes::for_item(tcx, rustc_internal::internal(tcx, def_id)) } pub fn for_item(tcx: TyCtxt<'tcx>, def_id: DefId) -> Self { @@ -200,6 +202,10 @@ impl<'tcx> KaniAttributes<'tcx> { .collect() } + pub(crate) fn has_recursion(&self) -> bool { + self.map.contains_key(&KaniAttributeKind::Recursion) + } + /// Parse and extract the `proof_for_contract(TARGET)` attribute. The /// returned symbol and DefId are respectively the name and id of `TARGET`, /// the span in the span for the attribute (contents). @@ -232,6 +238,11 @@ impl<'tcx> KaniAttributes<'tcx> { .map(|target| expect_key_string_value(self.tcx.sess, target)) } + pub fn proof_for_contract(&self) -> Option> { + self.expect_maybe_one(KaniAttributeKind::ProofForContract) + .map(|target| expect_key_string_value(self.tcx.sess, target)) + } + pub fn inner_check(&self) -> Option> { self.eval_sibling_attribute(KaniAttributeKind::InnerCheck) } @@ -268,7 +279,7 @@ impl<'tcx> KaniAttributes<'tcx> { .hir_id() }; - let result = match hir_map.get_parent(hir_id) { + let result = match self.tcx.parent_hir_node(hir_id) { Node::Item(Item { kind, .. }) => match kind { ItemKind::Mod(m) => find_in_mod(m), ItemKind::Impl(imp) => { @@ -299,7 +310,7 @@ impl<'tcx> KaniAttributes<'tcx> { /// the session and emit all errors found. pub(super) fn check_attributes(&self) { // Check that all attributes are correctly used and well formed. - let is_harness = self.is_harness(); + let is_harness = self.is_proof_harness(); for (&kind, attrs) in self.map.iter() { let local_error = |msg| self.tcx.dcx().span_err(attrs[0].span, msg); @@ -316,6 +327,12 @@ impl<'tcx> KaniAttributes<'tcx> { expect_no_args(self.tcx, kind, attr); }) } + KaniAttributeKind::Recursion => { + expect_single(self.tcx, kind, &attrs); + attrs.iter().for_each(|attr| { + expect_no_args(self.tcx, kind, attr); + }) + } KaniAttributeKind::Solver => { expect_single(self.tcx, kind, &attrs); attrs.iter().for_each(|attr| { @@ -369,6 +386,10 @@ impl<'tcx> KaniAttributes<'tcx> { KaniAttributeKind::InnerCheck => { self.inner_check(); } + KaniAttributeKind::DisableChecks => { + // Ignored here, because it should be an internal attribute. Actual validation + // happens when pragmas are generated. + } } } } @@ -433,7 +454,7 @@ impl<'tcx> KaniAttributes<'tcx> { /// Is this item a harness? (either `proof` or `proof_for_contract` /// attribute are present) - fn is_harness(&self) -> bool { + fn is_proof_harness(&self) -> bool { self.map.contains_key(&KaniAttributeKind::Proof) || self.map.contains_key(&KaniAttributeKind::ProofForContract) } @@ -448,10 +469,18 @@ impl<'tcx> KaniAttributes<'tcx> { panic!("Expected a local item, but got: {:?}", self.item); }; trace!(?self, "extract_harness_attributes"); - assert!(self.is_harness()); - self.map.iter().fold(HarnessAttributes::default(), |mut harness, (kind, attributes)| { + assert!(self.is_proof_harness()); + let harness_attrs = if let Some(Ok(harness)) = self.proof_for_contract() { + HarnessAttributes::new(HarnessKind::ProofForContract { target_fn: harness.to_string() }) + } else { + HarnessAttributes::new(HarnessKind::Proof) + }; + self.map.iter().fold(harness_attrs, |mut harness, (kind, attributes)| { match kind { KaniAttributeKind::ShouldPanic => harness.should_panic = true, + KaniAttributeKind::Recursion => { + self.tcx.dcx().span_err(self.tcx.def_span(self.item), "The attribute `kani::recursion` should only be used in combination with function contracts."); + } KaniAttributeKind::Solver => { harness.solver = parse_solver(self.tcx, attributes[0]); } @@ -461,7 +490,7 @@ impl<'tcx> KaniAttributes<'tcx> { KaniAttributeKind::Unwind => { harness.unwind_value = parse_unwind(self.tcx, attributes[0]) } - KaniAttributeKind::Proof => harness.proof = true, + KaniAttributeKind::Proof => { /* no-op */ } KaniAttributeKind::ProofForContract => self.handle_proof_for_contract(&mut harness), KaniAttributeKind::StubVerified => self.handle_stub_verified(&mut harness), KaniAttributeKind::Unstable => { @@ -475,6 +504,10 @@ impl<'tcx> KaniAttributes<'tcx> { | KaniAttributeKind::ReplacedWith => { self.tcx.dcx().span_err(self.tcx.def_span(self.item), format!("Contracts are not supported on harnesses. (Found the kani-internal contract attribute `{}`)", kind.as_ref())); } + KaniAttributeKind::DisableChecks => { + // Internal attribute which shouldn't exist here. + unreachable!() + } }; harness }) @@ -524,14 +557,14 @@ impl<'tcx> KaniAttributes<'tcx> { self.item_name(), ), ) - .with_span_note( - self.tcx.def_span(def_id), - format!( - "Try adding a contract to this function or use the unsound `{}` attribute instead.", - KaniAttributeKind::Stub.as_ref(), + .with_span_note( + self.tcx.def_span(def_id), + format!( + "Try adding a contract to this function or use the unsound `{}` attribute instead.", + KaniAttributeKind::Stub.as_ref(), + ), ) - ) - .emit(); + .emit(); continue; } Some(Ok(replacement_name)) => replacement_name, @@ -611,14 +644,13 @@ fn parse_modify_values<'a>( let mut iter = t.trees(); std::iter::from_fn(move || { let tree = iter.next()?; - let wrong_token_err = || { - tcx.sess.parse_sess.dcx.span_err(tree.span(), "Unexpected token. Expected identifier.") - }; + let wrong_token_err = + || tcx.sess.dcx().span_err(tree.span(), "Unexpected token. Expected identifier."); let result = match tree { TokenTree::Token(token, _) => { if let TokenKind::Ident(id, _) = &token.kind { let hir = tcx.hir(); - let bid = hir.body_owned_by(local_def_id); + let bid = hir.body_owned_by(local_def_id).id(); Some( hir.body_param_names(bid) .zip(mir.args_iter()) @@ -640,7 +672,7 @@ fn parse_modify_values<'a>( match iter.next() { None | Some(comma_tok!()) => (), Some(not_comma) => { - tcx.sess.parse_sess.dcx.span_err( + tcx.sess.dcx().span_err( not_comma.span(), "Unexpected token, expected end of attribute or comma", ); @@ -662,16 +694,10 @@ fn has_kani_attribute bool>( tcx.get_attrs_unchecked(def_id).iter().filter_map(|a| attr_kind(tcx, a)).any(predicate) } -/// Test if this function was generated by expanding a contract attribute like -/// `requires` and `ensures`. -pub fn is_function_contract_generated(tcx: TyCtxt, def_id: DefId) -> bool { - has_kani_attribute(tcx, def_id, KaniAttributeKind::is_function_contract) -} - -/// Same as [`KaniAttributes::is_harness`] but more efficient because less +/// Same as [`KaniAttributes::is_proof_harness`] but more efficient because less /// attribute parsing is performed. pub fn is_proof_harness(tcx: TyCtxt, instance: InstanceStable) -> bool { - let def_id = rustc_internal::internal(instance.def.def_id()); + let def_id = rustc_internal::internal(tcx, instance.def.def_id()); has_kani_attribute(tcx, def_id, |a| { matches!(a, KaniAttributeKind::Proof | KaniAttributeKind::ProofForContract) }) @@ -679,14 +705,14 @@ pub fn is_proof_harness(tcx: TyCtxt, instance: InstanceStable) -> bool { /// Does this `def_id` have `#[rustc_test_marker]`? pub fn is_test_harness_description(tcx: TyCtxt, item: impl CrateDef) -> bool { - let def_id = rustc_internal::internal(item.def_id()); + let def_id = rustc_internal::internal(tcx, item.def_id()); let attrs = tcx.get_attrs_unchecked(def_id); attr::contains_name(attrs, rustc_span::symbol::sym::rustc_test_marker) } /// Extract the test harness name from the `#[rustc_test_maker]` pub fn test_harness_name(tcx: TyCtxt, def: &impl CrateDef) -> String { - let def_id = rustc_internal::internal(def.def_id()); + let def_id = rustc_internal::internal(tcx, def.def_id()); let attrs = tcx.get_attrs_unchecked(def_id); let marker = attr::find_by_name(attrs, rustc_span::symbol::sym::rustc_test_marker).unwrap(); parse_str_value(&marker).unwrap() @@ -773,10 +799,10 @@ impl<'a> UnstableAttrParseError<'a> { tcx.dcx() .struct_span_err( self.attr.span, - format!("failed to parse `#[kani::unstable]`: {}", self.reason), + format!("failed to parse `#[kani::unstable_feature]`: {}", self.reason), ) .with_note(format!( - "expected format: #[kani::unstable({}, {}, {})]", + "expected format: #[kani::unstable_feature({}, {}, {})]", r#"feature="""#, r#"issue="""#, r#"reason="""# )) .emit() @@ -875,7 +901,7 @@ fn parse_stubs(tcx: TyCtxt, harness: DefId, attributes: &[&Attribute]) -> Vec { tcx.dcx().span_err( error_span, - "attribute `kani::stub` takes two path arguments; found argument that is not a path", + "attribute `kani::stub` takes two path arguments; found argument that is not a path", ); None } @@ -889,9 +915,9 @@ fn parse_solver(tcx: TyCtxt, attr: &Attribute) -> Option { const ATTRIBUTE: &str = "#[kani::solver]"; let invalid_arg_err = |attr: &Attribute| { tcx.dcx().span_err( - attr.span, - format!("invalid argument for `{ATTRIBUTE}` attribute, expected one of the supported solvers (e.g. `kissat`) or a SAT solver binary (e.g. `bin=\"\"`)") - ) + attr.span, + format!("invalid argument for `{ATTRIBUTE}` attribute, expected one of the supported solvers (e.g. `kissat`) or a SAT solver binary (e.g. `bin=\"\"`)"), + ) }; let attr_args = attr.meta_item_list().unwrap(); @@ -944,7 +970,7 @@ fn parse_integer(attr: &Attribute) -> Option { if attr_args.len() == 1 { let x = attr_args[0].lit()?; match x.kind { - LitKind::Int(y, ..) => Some(y), + LitKind::Int(y, ..) => Some(y.get()), _ => None, } } @@ -1025,10 +1051,9 @@ fn attr_kind(tcx: TyCtxt, attr: &Attribute) -> Option { .intersperse("::") .collect::(); KaniAttributeKind::try_from(ident_str.as_str()) - .map_err(|err| { + .inspect_err(|&err| { debug!(?err, "attr_kind_failed"); tcx.dcx().span_err(attr.span, format!("unknown attribute `{ident_str}`")); - err }) .ok() } else { @@ -1038,3 +1063,14 @@ fn attr_kind(tcx: TyCtxt, attr: &Attribute) -> Option { _ => None, } } + +pub fn matches_diagnostic(tcx: TyCtxt, def: T, attr_name: &str) -> bool { + let attr_sym = rustc_span::symbol::Symbol::intern(attr_name); + if let Some(attr_id) = tcx.all_diagnostic_items(()).name_to_id.get(&attr_sym) { + if rustc_internal::internal(tcx, def.def_id()) == *attr_id { + debug!("matched: {:?} {:?}", attr_id, attr_sym); + return true; + } + } + false +} diff --git a/kani-compiler/src/kani_middle/codegen_units.rs b/kani-compiler/src/kani_middle/codegen_units.rs new file mode 100644 index 000000000000..b4ea06c8d5db --- /dev/null +++ b/kani-compiler/src/kani_middle/codegen_units.rs @@ -0,0 +1,213 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This module is responsible for extracting grouping harnesses that can be processed together +//! by codegen. +//! +//! Today, only stub / contracts can affect the harness codegen. Thus, we group the harnesses +//! according to their stub configuration. + +use crate::args::ReachabilityType; +use crate::kani_middle::attributes::is_proof_harness; +use crate::kani_middle::metadata::gen_proof_metadata; +use crate::kani_middle::reachability::filter_crate_items; +use crate::kani_middle::stubbing::{check_compatibility, harness_stub_map}; +use crate::kani_queries::QueryDb; +use kani_metadata::{ArtifactType, AssignsContract, HarnessMetadata, KaniMetadata}; +use rustc_hir::def_id::{DefId, DefPathHash}; +use rustc_middle::ty::TyCtxt; +use rustc_session::config::OutputType; +use rustc_smir::rustc_internal; +use stable_mir::mir::mono::Instance; +use stable_mir::ty::{FnDef, RigidTy, TyKind}; +use stable_mir::CrateDef; +use std::collections::{BTreeMap, HashMap, HashSet}; +use std::fs::File; +use std::io::BufWriter; +use std::path::{Path, PathBuf}; +use tracing::debug; + +/// A stable (across compilation sessions) identifier for the harness function. +type Harness = Instance; + +/// A set of stubs. +pub type Stubs = HashMap; + +/// Store some relevant information about the crate compilation. +#[derive(Clone, Debug)] +struct CrateInfo { + /// The name of the crate being compiled. + pub name: String, +} + +/// We group the harnesses that have the same stubs. +pub struct CodegenUnits { + units: Vec, + harness_info: HashMap, + crate_info: CrateInfo, +} + +#[derive(Clone, Default, Debug)] +pub struct CodegenUnit { + pub harnesses: Vec, + pub stubs: Stubs, +} + +impl CodegenUnits { + pub fn new(queries: &QueryDb, tcx: TyCtxt) -> Self { + let crate_info = CrateInfo { name: stable_mir::local_crate().name.as_str().into() }; + if queries.args().reachability_analysis == ReachabilityType::Harnesses { + let base_filepath = tcx.output_filenames(()).path(OutputType::Object); + let base_filename = base_filepath.as_path(); + let harnesses = filter_crate_items(tcx, |_, instance| is_proof_harness(tcx, instance)); + let all_harnesses = harnesses + .into_iter() + .map(|harness| { + let metadata = gen_proof_metadata(tcx, harness, &base_filename); + (harness, metadata) + }) + .collect::>(); + + // Even if no_stubs is empty we still need to store rustc metadata. + let units = group_by_stubs(tcx, &all_harnesses); + validate_units(tcx, &units); + debug!(?units, "CodegenUnits::new"); + CodegenUnits { units, harness_info: all_harnesses, crate_info } + } else { + // Leave other reachability type handling as is for now. + CodegenUnits { units: vec![], harness_info: HashMap::default(), crate_info } + } + } + + pub fn iter(&self) -> impl Iterator { + self.units.iter() + } + + /// We store which instance of modifies was generated. + pub fn store_modifies(&mut self, harness_modifies: &[(Harness, AssignsContract)]) { + for (harness, modifies) in harness_modifies { + self.harness_info.get_mut(harness).unwrap().contract = Some(modifies.clone()); + } + } + + /// Write compilation metadata into a file. + pub fn write_metadata(&self, queries: &QueryDb, tcx: TyCtxt) { + let metadata = self.generate_metadata(); + let outpath = metadata_output_path(tcx); + store_metadata(queries, &metadata, &outpath); + } + + pub fn harness_model_path(&self, harness: Harness) -> Option<&PathBuf> { + self.harness_info[&harness].goto_file.as_ref() + } + + /// Generate [KaniMetadata] for the target crate. + fn generate_metadata(&self) -> KaniMetadata { + let (proof_harnesses, test_harnesses) = + self.harness_info.values().cloned().partition(|md| md.attributes.is_proof_harness()); + KaniMetadata { + crate_name: self.crate_info.name.clone(), + proof_harnesses, + unsupported_features: vec![], + test_harnesses, + } + } +} + +fn stub_def(tcx: TyCtxt, def_id: DefId) -> FnDef { + let ty_internal = tcx.type_of(def_id).instantiate_identity(); + let ty = rustc_internal::stable(ty_internal); + if let TyKind::RigidTy(RigidTy::FnDef(def, _)) = ty.kind() { + def + } else { + unreachable!("Expected stub function for `{:?}`, but found: {ty}", tcx.def_path(def_id)) + } +} + +/// Group the harnesses by their stubs. +fn group_by_stubs( + tcx: TyCtxt, + all_harnesses: &HashMap, +) -> Vec { + let mut per_stubs: HashMap, CodegenUnit> = + HashMap::default(); + for (harness, metadata) in all_harnesses { + let stub_ids = harness_stub_map(tcx, *harness, metadata); + let stub_map = stub_ids + .iter() + .map(|(k, v)| (tcx.def_path_hash(*k), tcx.def_path_hash(*v))) + .collect::>(); + if let Some(unit) = per_stubs.get_mut(&stub_map) { + unit.harnesses.push(*harness); + } else { + let stubs = stub_ids + .iter() + .map(|(from, to)| (stub_def(tcx, *from), stub_def(tcx, *to))) + .collect::>(); + let stubs = apply_transitivity(tcx, *harness, stubs); + per_stubs.insert(stub_map, CodegenUnit { stubs, harnesses: vec![*harness] }); + } + } + per_stubs.into_values().collect() +} + +/// Extract the filename for the metadata file. +fn metadata_output_path(tcx: TyCtxt) -> PathBuf { + let filepath = tcx.output_filenames(()).path(OutputType::Object); + let filename = filepath.as_path(); + filename.with_extension(ArtifactType::Metadata).to_path_buf() +} + +/// Write the metadata to a file +fn store_metadata(queries: &QueryDb, metadata: &KaniMetadata, filename: &Path) { + debug!(?filename, "store_metadata"); + let out_file = File::create(filename).unwrap(); + let writer = BufWriter::new(out_file); + if queries.args().output_pretty_json { + serde_json::to_writer_pretty(writer, &metadata).unwrap(); + } else { + serde_json::to_writer(writer, &metadata).unwrap(); + } +} + +/// Validate the unit configuration. +fn validate_units(tcx: TyCtxt, units: &[CodegenUnit]) { + for unit in units { + for (from, to) in &unit.stubs { + // We use harness span since we don't keep the attribute span. + let Err(msg) = check_compatibility(tcx, *from, *to) else { continue }; + let span = unit.harnesses.first().unwrap().def.span(); + tcx.dcx().span_err(rustc_internal::internal(tcx, span), msg); + } + } + tcx.dcx().abort_if_errors(); +} + +/// Apply stub transitivity operations. +/// +/// If `fn1` is stubbed by `fn2`, and `fn2` is stubbed by `fn3`, `f1` is in fact stubbed by `fn3`. +fn apply_transitivity(tcx: TyCtxt, harness: Harness, stubs: Stubs) -> Stubs { + let mut new_stubs = Stubs::with_capacity(stubs.len()); + for (orig, new) in stubs.iter() { + let mut new_fn = *new; + let mut visited = HashSet::new(); + while let Some(stub) = stubs.get(&new_fn) { + if !visited.insert(stub) { + // Visiting the same stub, i.e. found cycle. + let span = harness.def.span(); + tcx.dcx().span_err( + rustc_internal::internal(tcx, span), + format!( + "Cannot stub `{}`. Stub configuration for harness `{}` has a cycle", + orig.name(), + harness.def.name(), + ), + ); + break; + } + new_fn = *stub; + } + new_stubs.insert(*orig, new_fn); + } + new_stubs +} diff --git a/kani-compiler/src/kani_middle/coercion.rs b/kani-compiler/src/kani_middle/coercion.rs index 85d59215d661..822f32631e0c 100644 --- a/kani-compiler/src/kani_middle/coercion.rs +++ b/kani-compiler/src/kani_middle/coercion.rs @@ -16,8 +16,8 @@ use rustc_hir::lang_items::LangItem; use rustc_middle::traits::{ImplSource, ImplSourceUserDefinedData}; use rustc_middle::ty::adjustment::CustomCoerceUnsized; +use rustc_middle::ty::TraitRef; use rustc_middle::ty::{ParamEnv, Ty, TyCtxt}; -use rustc_middle::ty::{TraitRef, TypeAndMut}; use rustc_smir::rustc_internal; use stable_mir::ty::{RigidTy, Ty as TyStable, TyKind}; use stable_mir::Symbol; @@ -66,8 +66,8 @@ pub fn extract_unsize_casting_stable( ) -> CoercionBaseStable { let CoercionBase { src_ty, dst_ty } = extract_unsize_casting( tcx, - rustc_internal::internal(src_ty), - rustc_internal::internal(dst_ty), + rustc_internal::internal(tcx, src_ty), + rustc_internal::internal(tcx, dst_ty), ); CoercionBaseStable { src_ty: rustc_internal::stable(src_ty), @@ -90,11 +90,11 @@ pub fn extract_unsize_casting<'tcx>( .last() .unwrap(); // Extract the pointee type that is being coerced. - let src_pointee_ty = extract_pointee(coerce_info.src_ty).expect(&format!( + let src_pointee_ty = extract_pointee(tcx, coerce_info.src_ty).expect(&format!( "Expected source to be a pointer. Found {:?} instead", coerce_info.src_ty )); - let dst_pointee_ty = extract_pointee(coerce_info.dst_ty).expect(&format!( + let dst_pointee_ty = extract_pointee(tcx, coerce_info.dst_ty).expect(&format!( "Expected destination to be a pointer. Found {:?} instead", coerce_info.dst_ty )); @@ -216,8 +216,8 @@ impl<'tcx> Iterator for CoerceUnsizedIterator<'tcx> { let CustomCoerceUnsized::Struct(coerce_index) = custom_coerce_unsize_info( self.tcx, - rustc_internal::internal(src_ty), - rustc_internal::internal(dst_ty), + rustc_internal::internal(self.tcx, src_ty), + rustc_internal::internal(self.tcx, dst_ty), ); let coerce_index = coerce_index.as_usize(); assert!(coerce_index < src_fields.len()); @@ -229,7 +229,7 @@ impl<'tcx> Iterator for CoerceUnsizedIterator<'tcx> { _ => { // Base case is always a pointer (Box, raw_pointer or reference). assert!( - extract_pointee(src_ty).is_some(), + extract_pointee(self.tcx, src_ty).is_some(), "Expected a pointer, but found {src_ty:?}" ); None @@ -253,7 +253,7 @@ fn custom_coerce_unsize_info<'tcx>( match tcx.codegen_select_candidate((ParamEnv::reveal_all(), trait_ref)) { Ok(ImplSource::UserDefined(ImplSourceUserDefinedData { impl_def_id, .. })) => { - tcx.coerce_unsized_info(impl_def_id).custom_kind.unwrap() + tcx.coerce_unsized_info(impl_def_id).unwrap().custom_kind.unwrap() } impl_source => { unreachable!("invalid `CoerceUnsized` impl_source: {:?}", impl_source); @@ -262,6 +262,6 @@ fn custom_coerce_unsize_info<'tcx>( } /// Extract pointee type from builtin pointer types. -fn extract_pointee<'tcx>(typ: TyStable) -> Option> { - rustc_internal::internal(typ).builtin_deref(true).map(|TypeAndMut { ty, .. }| ty) +fn extract_pointee(tcx: TyCtxt<'_>, typ: TyStable) -> Option> { + rustc_internal::internal(tcx, typ).builtin_deref(true) } diff --git a/kani-compiler/src/kani_middle/intrinsics.rs b/kani-compiler/src/kani_middle/intrinsics.rs index 8a7fc16d8e9f..73e42be00e7b 100644 --- a/kani-compiler/src/kani_middle/intrinsics.rs +++ b/kani-compiler/src/kani_middle/intrinsics.rs @@ -6,7 +6,7 @@ use rustc_index::IndexVec; use rustc_middle::mir::{Body, Const as mirConst, ConstValue, Operand, TerminatorKind}; use rustc_middle::mir::{Local, LocalDecl}; use rustc_middle::ty::{self, Ty, TyCtxt}; -use rustc_middle::ty::{Const, GenericArgsRef}; +use rustc_middle::ty::{Const, GenericArgsRef, IntrinsicDef}; use rustc_span::source_map::Spanned; use rustc_span::symbol::{sym, Symbol}; use tracing::{debug, trace}; @@ -33,8 +33,8 @@ impl<'tcx> ModelIntrinsics<'tcx> { let terminator = block.terminator_mut(); if let TerminatorKind::Call { func, args, .. } = &mut terminator.kind { let func_ty = func.ty(&self.local_decls, self.tcx); - if let Some((intrinsic_name, generics)) = resolve_rust_intrinsic(self.tcx, func_ty) - { + if let Some((intrinsic, generics)) = resolve_rust_intrinsic(self.tcx, func_ty) { + let intrinsic_name = intrinsic.name; trace!(?func, ?intrinsic_name, "run_pass"); if intrinsic_name == sym::simd_bitmask { self.replace_simd_bitmask(func, args, generics) @@ -57,7 +57,12 @@ impl<'tcx> ModelIntrinsics<'tcx> { let arg_ty = args[0].node.ty(&self.local_decls, tcx); if arg_ty.is_simd() { // Get the stub definition. - let stub_id = tcx.get_diagnostic_item(Symbol::intern("KaniModelSimdBitmask")).unwrap(); + let Some(stub_id) = tcx.get_diagnostic_item(Symbol::intern("KaniModelSimdBitmask")) + else { + // This should only happen when verifying the standard library. + // We don't need to warn here, since the backend will print unsupported constructs. + return; + }; debug!(?func, ?stub_id, "replace_simd_bitmask"); // Get SIMD information from the type. @@ -72,7 +77,7 @@ impl<'tcx> ModelIntrinsics<'tcx> { let Operand::Constant(fn_def) = func else { unreachable!() }; fn_def.const_ = mirConst::from_value( ConstValue::ZeroSized, - tcx.type_of(stub_id).instantiate(tcx, &new_gen_args), + tcx.type_of(stub_id).instantiate(tcx, &*new_gen_args), ); } else { debug!(?arg_ty, "replace_simd_bitmask failed"); @@ -99,10 +104,10 @@ fn simd_len_and_type<'tcx>(tcx: TyCtxt<'tcx>, simd_ty: Ty<'tcx>) -> (Const<'tcx> fn resolve_rust_intrinsic<'tcx>( tcx: TyCtxt<'tcx>, func_ty: Ty<'tcx>, -) -> Option<(Symbol, GenericArgsRef<'tcx>)> { +) -> Option<(IntrinsicDef, GenericArgsRef<'tcx>)> { if let ty::FnDef(def_id, args) = *func_ty.kind() { - if tcx.is_intrinsic(def_id) { - return Some((tcx.item_name(def_id), args)); + if let Some(symbol) = tcx.intrinsic(def_id) { + return Some((symbol, args)); } } None diff --git a/kani-compiler/src/kani_middle/metadata.rs b/kani-compiler/src/kani_middle/metadata.rs index 02f5da107556..2f0f22d49e1c 100644 --- a/kani-compiler/src/kani_middle/metadata.rs +++ b/kani-compiler/src/kani_middle/metadata.rs @@ -3,30 +3,22 @@ //! This module handles Kani metadata generation. For example, generating HarnessMetadata for a //! given function. -use std::default::Default; use std::path::Path; use crate::kani_middle::attributes::test_harness_name; -use kani_metadata::{ArtifactType, HarnessAttributes, HarnessMetadata}; +use kani_metadata::{ArtifactType, HarnessAttributes, HarnessKind, HarnessMetadata}; use rustc_middle::ty::TyCtxt; use stable_mir::mir::mono::Instance; use stable_mir::CrateDef; use super::{attributes::KaniAttributes, SourceLocation}; -pub fn canonical_mangled_name(instance: Instance) -> String { - let pretty_name = instance.name(); - // Main function a special case in order to support `--function main` - // TODO: Get rid of this: https://github.com/model-checking/kani/issues/2129 - if pretty_name == "main" { pretty_name } else { instance.mangled_name() } -} - /// Create the harness metadata for a proof harness for a given function. pub fn gen_proof_metadata(tcx: TyCtxt, instance: Instance, base_name: &Path) -> HarnessMetadata { let def = instance.def; - let attributes = KaniAttributes::for_instance(tcx, instance).harness_attributes(); + let kani_attributes = KaniAttributes::for_instance(tcx, instance); let pretty_name = instance.name(); - let mangled_name = canonical_mangled_name(instance); + let mangled_name = instance.mangled_name(); // We get the body span to include the entire function definition. // This is required for concrete playback to properly position the generated test. @@ -41,7 +33,7 @@ pub fn gen_proof_metadata(tcx: TyCtxt, instance: Instance, base_name: &Path) -> original_file: loc.filename, original_start_line: loc.start_line, original_end_line: loc.end_line, - attributes, + attributes: kani_attributes.harness_attributes(), // TODO: This no longer needs to be an Option. goto_file: Some(model_file), contract: Default::default(), @@ -69,7 +61,7 @@ pub fn gen_test_metadata( original_file: loc.filename, original_start_line: loc.start_line, original_end_line: loc.end_line, - attributes: HarnessAttributes::default(), + attributes: HarnessAttributes::new(HarnessKind::Test), // TODO: This no longer needs to be an Option. goto_file: Some(model_file), contract: Default::default(), diff --git a/kani-compiler/src/kani_middle/mod.rs b/kani-compiler/src/kani_middle/mod.rs index 66fb2ca0aa33..a7a512c86de3 100644 --- a/kani-compiler/src/kani_middle/mod.rs +++ b/kani-compiler/src/kani_middle/mod.rs @@ -4,36 +4,31 @@ //! and transformations. use std::collections::HashSet; -use std::path::Path; use crate::kani_queries::QueryDb; use rustc_hir::{def::DefKind, def_id::LOCAL_CRATE}; -use rustc_middle::mir::write_mir_pretty; use rustc_middle::span_bug; use rustc_middle::ty::layout::{ FnAbiError, FnAbiOf, FnAbiOfHelpers, FnAbiRequest, HasParamEnv, HasTyCtxt, LayoutError, LayoutOfHelpers, TyAndLayout, }; use rustc_middle::ty::{self, Instance as InstanceInternal, Ty as TyInternal, TyCtxt}; -use rustc_session::config::OutputType; use rustc_smir::rustc_internal; use rustc_span::source_map::respan; use rustc_span::Span; use rustc_target::abi::call::FnAbi; use rustc_target::abi::{HasDataLayout, TargetDataLayout}; -use stable_mir::mir::mono::{Instance, InstanceKind, MonoItem}; -use stable_mir::mir::pretty::pretty_ty; -use stable_mir::ty::{BoundVariableKind, RigidTy, Span as SpanStable, Ty, TyKind}; -use stable_mir::visitor::{Visitable, Visitor as TypeVisitor}; -use stable_mir::{CrateDef, DefId}; -use std::fs::File; -use std::io::BufWriter; -use std::io::Write; +use stable_mir::mir::mono::MonoItem; +use stable_mir::ty::{FnDef, RigidTy, Span as SpanStable, Ty, TyKind}; +use stable_mir::visitor::{Visitable, Visitor as TyVisitor}; +use stable_mir::CrateDef; +use std::ops::ControlFlow; use self::attributes::KaniAttributes; pub mod analysis; pub mod attributes; +pub mod codegen_units; pub mod coercion; mod intrinsics; pub mod metadata; @@ -41,13 +36,14 @@ pub mod provide; pub mod reachability; pub mod resolve; pub mod stubbing; +pub mod transform; /// Check that all crate items are supported and there's no misconfiguration. /// This method will exhaustively print any error / warning and it will abort at the end if any /// error was found. pub fn check_crate_items(tcx: TyCtxt, ignore_asm: bool) { let krate = tcx.crate_name(LOCAL_CRATE); - for item in tcx.hir_crate_items(()).items() { + for item in tcx.hir().items() { let def_id = item.owner_id.def_id.to_def_id(); KaniAttributes::for_item(tcx, def_id).check_attributes(); if tcx.def_kind(def_id) == DefKind::GlobalAsm { @@ -68,6 +64,36 @@ pub fn check_crate_items(tcx: TyCtxt, ignore_asm: bool) { tcx.dcx().abort_if_errors(); } +/// Traverse the type definition to see if the type contains interior mutability. +/// +/// See for more details. +pub fn is_interior_mut(tcx: TyCtxt, ty: Ty) -> bool { + let mut visitor = FindUnsafeCell { tcx }; + visitor.visit_ty(&ty) == ControlFlow::Break(()) +} + +struct FindUnsafeCell<'tcx> { + tcx: TyCtxt<'tcx>, +} + +impl<'tcx> TyVisitor for FindUnsafeCell<'tcx> { + type Break = (); + fn visit_ty(&mut self, ty: &Ty) -> ControlFlow { + match ty.kind() { + TyKind::RigidTy(RigidTy::Adt(def, _)) + if rustc_internal::internal(self.tcx, def).is_unsafe_cell() => + { + ControlFlow::Break(()) + } + TyKind::RigidTy(RigidTy::Ref(..) | RigidTy::RawPtr(..)) => { + // We only care about the current memory space. + ControlFlow::Continue(()) + } + _ => ty.super_visit(self), + } + } +} + /// Check that all given items are supported and there's no misconfiguration. /// This method will exhaustively print any error / warning and it will abort at the end if any /// error was found. @@ -88,143 +114,21 @@ pub fn check_reachable_items(tcx: TyCtxt, queries: &QueryDb, items: &[MonoItem]) .check_unstable_features(&queries.args().unstable_features); def_ids.insert(def_id); } - - // We don't short circuit here since this is a type check and can shake - // out differently depending on generic parameters. - if let MonoItem::Fn(instance) = item { - if attributes::is_function_contract_generated(tcx, rustc_internal::internal(def_id)) { - check_is_contract_safe(tcx, *instance); - } - } } tcx.dcx().abort_if_errors(); } -/// A basic check that ensures a function with a contract does not receive -/// mutable pointers in its input and does not return raw pointers of any kind. -/// -/// This is a temporary safety measure because contracts cannot yet reason -/// about the heap. -fn check_is_contract_safe(tcx: TyCtxt, instance: Instance) { - struct NoMutPtr<'tcx> { - tcx: TyCtxt<'tcx>, - is_prohibited: fn(Ty) -> bool, - /// Where (top level) did the type we're analyzing come from. Used for - /// composing error messages. - r#where: &'static str, - /// Adjective to describe the kind of pointer we're prohibiting. - /// Essentially `is_prohibited` but in English. - what: &'static str, - } - - impl<'tcx> TypeVisitor for NoMutPtr<'tcx> { - type Break = (); - fn visit_ty(&mut self, ty: &Ty) -> std::ops::ControlFlow { - if (self.is_prohibited)(*ty) { - // TODO make this more user friendly - self.tcx.dcx().err(format!( - "{} contains a {}pointer ({}). This is prohibited for functions with contracts, \ - as they cannot yet reason about the pointer behavior.", self.r#where, self.what, - pretty_ty(ty.kind()))); - } - - // Rust's type visitor only recurses into type arguments, (e.g. - // `generics` in this match). This is enough for many types, but it - // won't look at the field types of structs or enums. So we override - // it here and do that ourselves. - // - // Since the field types also must contain in some form all the type - // arguments the visitor will see them as it inspects the fields and - // we don't need to call back to `super`. - if let TyKind::RigidTy(RigidTy::Adt(adt_def, generics)) = ty.kind() { - for variant in adt_def.variants() { - for field in &variant.fields() { - self.visit_ty(&field.ty_with_args(&generics))?; - } - } - std::ops::ControlFlow::Continue(()) - } else { - // For every other type. - ty.super_visit(self) - } - } - } - - fn is_raw_mutable_ptr(ty: Ty) -> bool { - let kind = ty.kind(); - kind.is_raw_ptr() && kind.is_mutable_ptr() - } - - fn is_raw_ptr(ty: Ty) -> bool { - let kind = ty.kind(); - kind.is_raw_ptr() - } - - // TODO: Replace this with fn_abi. - // https://github.com/model-checking/kani/issues/1365 - let bound_fn_sig = instance.ty().kind().fn_sig().unwrap(); - - for var in &bound_fn_sig.bound_vars { - if let BoundVariableKind::Ty(t) = var { - tcx.dcx().span_err( - rustc_internal::internal(instance.def.span()), - format!("Found a bound type variable {t:?} after monomorphization"), - ); - } - } - - let fn_typ = bound_fn_sig.skip_binder(); - - for (input_ty, (is_prohibited, r#where, what)) in fn_typ - .inputs() - .iter() - .copied() - .zip(std::iter::repeat((is_raw_mutable_ptr as fn(_) -> _, "This argument", "mutable "))) - .chain([(fn_typ.output(), (is_raw_ptr as fn(_) -> _, "The return", ""))]) - { - let mut v = NoMutPtr { tcx, is_prohibited, r#where, what }; - v.visit_ty(&input_ty); - } -} - -/// Print MIR for the reachable items if the `--emit mir` option was provided to rustc. -pub fn dump_mir_items(tcx: TyCtxt, items: &[MonoItem], output: &Path) { - /// Convert MonoItem into a DefId. - /// Skip stuff that we cannot generate the MIR items. - fn visible_item(item: &MonoItem) -> Option<(MonoItem, DefId)> { - match item { - // Exclude FnShims and others that cannot be dumped. - MonoItem::Fn(instance) if matches!(instance.kind, InstanceKind::Item) => { - Some((item.clone(), instance.def.def_id())) - } - MonoItem::Fn(..) => None, - MonoItem::Static(def) => Some((item.clone(), def.def_id())), - MonoItem::GlobalAsm(_) => None, - } - } - - if tcx.sess.opts.output_types.contains_key(&OutputType::Mir) { - // Create output buffer. - let out_file = File::create(output).unwrap(); - let mut writer = BufWriter::new(out_file); - - // For each def_id, dump their MIR - for (item, def_id) in items.iter().filter_map(visible_item) { - writeln!(writer, "// Item: {item:?}").unwrap(); - write_mir_pretty(tcx, Some(rustc_internal::internal(def_id)), &mut writer).unwrap(); - } - } -} - /// Structure that represents the source location of a definition. /// TODO: Use `InternedString` once we move it out of the cprover_bindings. /// pub struct SourceLocation { pub filename: String, pub start_line: usize, - pub start_col: usize, + #[allow(dead_code)] + pub start_col: usize, // set, but not currently used in Goto output pub end_line: usize, - pub end_col: usize, + #[allow(dead_code)] + pub end_col: usize, // set, but not currently used in Goto output } impl SourceLocation { @@ -312,3 +216,18 @@ impl<'tcx> FnAbiOfHelpers<'tcx> for CompilerHelpers<'tcx> { } } } + +/// Find an instance of a function from the given crate that has been annotated with `diagnostic` +/// item. +fn find_fn_def(tcx: TyCtxt, diagnostic: &str) -> Option { + let attr_id = tcx + .all_diagnostic_items(()) + .name_to_id + .get(&rustc_span::symbol::Symbol::intern(diagnostic))?; + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = + rustc_internal::stable(tcx.type_of(attr_id)).value.kind() + else { + return None; + }; + Some(def) +} diff --git a/kani-compiler/src/kani_middle/provide.rs b/kani-compiler/src/kani_middle/provide.rs index 70e046d6f9d6..91b830a2349b 100644 --- a/kani-compiler/src/kani_middle/provide.rs +++ b/kani-compiler/src/kani_middle/provide.rs @@ -6,14 +6,10 @@ use crate::args::{Arguments, ReachabilityType}; use crate::kani_middle::intrinsics::ModelIntrinsics; -use crate::kani_middle::reachability::{collect_reachable_items, filter_crate_items}; -use crate::kani_middle::stubbing; use crate::kani_queries::QueryDb; use rustc_hir::def_id::{DefId, LocalDefId}; -use rustc_interface; use rustc_middle::util::Providers; -use rustc_middle::{mir::Body, query::queries, ty::TyCtxt}; -use stable_mir::mir::mono::MonoItem; +use rustc_middle::{mir::Body, ty::TyCtxt}; /// Sets up rustc's query mechanism to apply Kani's custom queries to code from /// a crate. @@ -23,10 +19,6 @@ pub fn provide(providers: &mut Providers, queries: &QueryDb) { // Don't override queries if we are only compiling our dependencies. providers.optimized_mir = run_mir_passes; providers.extern_queries.optimized_mir = run_mir_passes_extern; - if args.stubbing_enabled { - // TODO: Check if there's at least one stub being applied. - providers.collect_and_partition_mono_items = collect_and_partition_mono_items; - } } } @@ -59,30 +51,8 @@ fn run_kani_mir_passes<'tcx>( body: &'tcx Body<'tcx>, ) -> &'tcx Body<'tcx> { tracing::debug!(?def_id, "Run Kani transformation passes"); - let mut transformed_body = stubbing::transform(tcx, def_id, body); - stubbing::transform_foreign_functions(tcx, &mut transformed_body); + let mut transformed_body = body.clone(); // This should be applied after stubbing so user stubs take precedence. ModelIntrinsics::run_pass(tcx, &mut transformed_body); tcx.arena.alloc(transformed_body) } - -/// Runs a reachability analysis before running the default -/// `collect_and_partition_mono_items` query. The reachability analysis finds -/// trait mismatches introduced by stubbing and performs a graceful exit in -/// these cases. Left to its own devices, the default query panics. -/// This is an issue when compiling a library, since the crate metadata is -/// generated (using this query) before code generation begins (which is -/// when we normally run the reachability analysis). -fn collect_and_partition_mono_items( - tcx: TyCtxt, - key: (), -) -> queries::collect_and_partition_mono_items::ProvidedValue { - rustc_smir::rustc_internal::run(tcx, || { - let local_reachable = - filter_crate_items(tcx, |_, _| true).into_iter().map(MonoItem::Fn).collect::>(); - // We do not actually need the value returned here. - collect_reachable_items(tcx, &local_reachable); - }) - .unwrap(); - (rustc_interface::DEFAULT_QUERY_PROVIDERS.collect_and_partition_mono_items)(tcx, key) -} diff --git a/kani-compiler/src/kani_middle/reachability.rs b/kani-compiler/src/kani_middle/reachability.rs index 424077a622f9..d2c9d50515c4 100644 --- a/kani-compiler/src/kani_middle/reachability.rs +++ b/kani-compiler/src/kani_middle/reachability.rs @@ -22,27 +22,37 @@ use rustc_data_structures::fingerprint::Fingerprint; use rustc_data_structures::fx::FxHashSet; use rustc_data_structures::stable_hasher::{HashStable, StableHasher}; use rustc_middle::ty::{TyCtxt, VtblEntry}; +use rustc_session::config::OutputType; use rustc_smir::rustc_internal; use stable_mir::mir::alloc::{AllocId, GlobalAlloc}; use stable_mir::mir::mono::{Instance, InstanceKind, MonoItem, StaticDef}; -use stable_mir::mir::pretty::pretty_ty; use stable_mir::mir::{ - visit::Location, Body, CastKind, Constant, MirVisitor, PointerCoercion, Rvalue, Terminator, + visit::Location, Body, CastKind, ConstOperand, MirVisitor, PointerCoercion, Rvalue, Terminator, TerminatorKind, }; use stable_mir::ty::{Allocation, ClosureKind, ConstantKind, RigidTy, Ty, TyKind}; -use stable_mir::{self, CrateItem}; +use stable_mir::CrateItem; use stable_mir::{CrateDef, ItemKind}; +use std::fmt::{Display, Formatter}; +use std::{ + collections::{HashMap, HashSet}, + fs::File, + io::{BufWriter, Write}, +}; use crate::kani_middle::coercion; use crate::kani_middle::coercion::CoercionBase; -use crate::kani_middle::stubbing::{get_stub, validate_instance}; +use crate::kani_middle::transform::BodyTransformation; /// Collect all reachable items starting from the given starting points. -pub fn collect_reachable_items(tcx: TyCtxt, starting_points: &[MonoItem]) -> Vec { +pub fn collect_reachable_items( + tcx: TyCtxt, + transformer: &mut BodyTransformation, + starting_points: &[MonoItem], +) -> (Vec, CallGraph) { // For each harness, collect items using the same collector. // I.e.: This will return any item that is reachable from one or more of the starting points. - let mut collector = MonoItemsCollector::new(tcx); + let mut collector = MonoItemsCollector::new(tcx, transformer); for item in starting_points { collector.collect(item.clone()); } @@ -59,7 +69,7 @@ pub fn collect_reachable_items(tcx: TyCtxt, starting_points: &[MonoItem]) -> Vec // order of the errors and warnings is stable. let mut sorted_items: Vec<_> = collector.collected.into_iter().collect(); sorted_items.sort_by_cached_key(|item| to_fingerprint(tcx, item)); - sorted_items + (sorted_items, collector.call_graph) } /// Collect all (top-level) items in the crate that matches the given predicate. @@ -75,7 +85,7 @@ where .filter_map(|item| { // Only collect monomorphic items. // TODO: Remove the def_kind check once https://github.com/rust-lang/rust/pull/119135 has been released. - let def_id = rustc_internal::internal(item.def_id()); + let def_id = rustc_internal::internal(tcx, item.def_id()); (matches!(tcx.def_kind(def_id), rustc_hir::def::DefKind::Ctor(..)) || matches!(item.kind(), ItemKind::Fn)) .then(|| { @@ -92,7 +102,11 @@ where /// /// Probably only specifically useful with a predicate to find `TestDescAndFn` const declarations from /// tests and extract the closures from them. -pub fn filter_const_crate_items(tcx: TyCtxt, mut predicate: F) -> Vec +pub fn filter_const_crate_items( + tcx: TyCtxt, + transformer: &mut BodyTransformation, + mut predicate: F, +) -> Vec where F: FnMut(TyCtxt, Instance) -> bool, { @@ -103,40 +117,55 @@ where // Only collect monomorphic items. if let Ok(instance) = Instance::try_from(item) { if predicate(tcx, instance) { - let body = instance.body().unwrap(); - let mut collector = MonoItemsFnCollector { - tcx, - body: &body, - collected: FxHashSet::default(), - instance: &instance, - }; + let body = transformer.body(tcx, instance); + let mut collector = + MonoItemsFnCollector { tcx, body: &body, collected: FxHashSet::default() }; collector.visit_body(&body); roots.extend(collector.collected.into_iter()); } } } - roots + roots.into_iter().map(|root| root.item).collect() +} + +/// Reason for introducing an edge in the call graph. +#[derive(Clone, Copy, Debug, Eq, PartialEq, Hash)] +enum CollectionReason { + DirectCall, + IndirectCall, + VTableMethod, + Static, + StaticDrop, +} + +/// A destination of the edge in the call graph. +#[derive(Clone, Debug, Eq, PartialEq, Hash)] +struct CollectedItem { + item: MonoItem, + reason: CollectionReason, } -struct MonoItemsCollector<'tcx> { +struct MonoItemsCollector<'tcx, 'a> { /// The compiler context. tcx: TyCtxt<'tcx>, + /// The body transformation object used to retrieve a transformed body. + transformer: &'a mut BodyTransformation, /// Set of collected items used to avoid entering recursion loops. collected: FxHashSet, /// Items enqueued for visiting. queue: Vec, - #[cfg(debug_assertions)] - call_graph: debug::CallGraph, + /// Call graph used for dataflow analysis. + call_graph: CallGraph, } -impl<'tcx> MonoItemsCollector<'tcx> { - pub fn new(tcx: TyCtxt<'tcx>) -> Self { +impl<'tcx, 'a> MonoItemsCollector<'tcx, 'a> { + pub fn new(tcx: TyCtxt<'tcx>, transformer: &'a mut BodyTransformation) -> Self { MonoItemsCollector { tcx, collected: FxHashSet::default(), queue: vec![], - #[cfg(debug_assertions)] - call_graph: debug::CallGraph::default(), + call_graph: CallGraph::default(), + transformer, } } @@ -161,47 +190,44 @@ impl<'tcx> MonoItemsCollector<'tcx> { vec![] } }; - #[cfg(debug_assertions)] self.call_graph.add_edges(to_visit, &next_items); - self.queue - .extend(next_items.into_iter().filter(|item| !self.collected.contains(item))); + self.queue.extend(next_items.into_iter().filter_map( + |CollectedItem { item, .. }| (!self.collected.contains(&item)).then_some(item), + )); } } } /// Visit a function and collect all mono-items reachable from its instructions. - fn visit_fn(&mut self, instance: Instance) -> Vec { + fn visit_fn(&mut self, instance: Instance) -> Vec { let _guard = debug_span!("visit_fn", function=?instance).entered(); - if validate_instance(self.tcx, instance) { - let body = instance.body().unwrap(); - let mut collector = MonoItemsFnCollector { - tcx: self.tcx, - collected: FxHashSet::default(), - body: &body, - instance: &instance, - }; - collector.visit_body(&body); - collector.collected.into_iter().collect() - } else { - vec![] - } + let body = self.transformer.body(self.tcx, instance); + let mut collector = + MonoItemsFnCollector { tcx: self.tcx, collected: FxHashSet::default(), body: &body }; + collector.visit_body(&body); + collector.collected.into_iter().collect() } /// Visit a static object and collect drop / initialization functions. - fn visit_static(&mut self, def: StaticDef) -> Vec { + fn visit_static(&mut self, def: StaticDef) -> Vec { let _guard = debug_span!("visit_static", ?def).entered(); let mut next_items = vec![]; // Collect drop function. let static_ty = def.ty(); let instance = Instance::resolve_drop_in_place(static_ty); - next_items.push(instance.into()); + next_items + .push(CollectedItem { item: instance.into(), reason: CollectionReason::StaticDrop }); // Collect initialization. let alloc = def.eval_initializer().unwrap(); for (_, prov) in alloc.provenance.ptrs { - next_items.extend(collect_alloc_items(prov.0).into_iter()); + next_items.extend( + collect_alloc_items(prov.0) + .into_iter() + .map(|item| CollectedItem { item, reason: CollectionReason::Static }), + ); } next_items @@ -215,9 +241,8 @@ impl<'tcx> MonoItemsCollector<'tcx> { struct MonoItemsFnCollector<'a, 'tcx> { tcx: TyCtxt<'tcx>, - collected: FxHashSet, + collected: FxHashSet, body: &'a Body, - instance: &'a Instance, } impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { @@ -237,7 +262,8 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { let poly_trait_ref = principal.with_self_ty(concrete_ty); // Walk all methods of the trait, including those of its supertraits - let entries = self.tcx.vtable_entries(rustc_internal::internal(&poly_trait_ref)); + let entries = + self.tcx.vtable_entries(rustc_internal::internal(self.tcx, &poly_trait_ref)); let methods = entries.iter().filter_map(|entry| match entry { VtblEntry::MetadataAlign | VtblEntry::MetadataDropInPlace @@ -253,7 +279,9 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { } }); trace!(methods=?methods.clone().collect::>(), "collect_vtable_methods"); - self.collected.extend(methods); + self.collected.extend( + methods.map(|item| CollectedItem { item, reason: CollectionReason::VTableMethod }), + ); } // Add the destructor for the concrete type. @@ -264,16 +292,32 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { /// Collect an instance depending on how it is used (invoked directly or via fn_ptr). fn collect_instance(&mut self, instance: Instance, is_direct_call: bool) { let should_collect = match instance.kind { - InstanceKind::Virtual { .. } | InstanceKind::Intrinsic => { + InstanceKind::Virtual { .. } => { // Instance definition has no body. assert!(is_direct_call, "Expected direct call {instance:?}"); false } + InstanceKind::Intrinsic => { + // Intrinsics may have a fallback body. + assert!(is_direct_call, "Expected direct call {instance:?}"); + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = instance.ty().kind() else { + unreachable!("Expected function type for intrinsic: {instance:?}") + }; + // The compiler is currently transitioning how to handle intrinsic fallback body. + // Until https://github.com/rust-lang/project-stable-mir/issues/79 is implemented + // we have to check `must_be_overridden` and `has_body`. + !def.as_intrinsic().unwrap().must_be_overridden() && instance.has_body() + } InstanceKind::Shim | InstanceKind::Item => true, }; if should_collect && should_codegen_locally(&instance) { trace!(?instance, "collect_instance"); - self.collected.insert(instance.into()); + let reason = if is_direct_call { + CollectionReason::DirectCall + } else { + CollectionReason::IndirectCall + }; + self.collected.insert(CollectedItem { item: instance.into(), reason }); } } @@ -281,7 +325,11 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { fn collect_allocation(&mut self, alloc: &Allocation) { debug!(?alloc, "collect_allocation"); for (_, id) in &alloc.provenance.ptrs { - self.collected.extend(collect_alloc_items(id.0).into_iter()) + self.collected.extend( + collect_alloc_items(id.0) + .into_iter() + .map(|item| CollectedItem { item, reason: CollectionReason::Static }), + ) } } } @@ -290,7 +338,7 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { /// 1. Every function / method / closures that may be directly invoked. /// 2. Every function / method / closures that may have their address taken. /// 3. Every method that compose the impl of a trait for a given type when there's a conversion -/// from the type to the trait. +/// from the type to the trait. /// - I.e.: If we visit the following code: /// ``` /// let var = MyType::new(); @@ -300,7 +348,8 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { /// 4. Every Static variable that is referenced in the function or constant used in the function. /// 5. Drop glue. /// 6. Static Initialization -/// This code has been mostly taken from `rustc_monomorphize::collector::MirNeighborCollector`. +/// +/// Remark: This code has been mostly taken from `rustc_monomorphize::collector::MirNeighborCollector`. impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { /// Collect the following: /// - Trait implementations when casting from concrete to dyn Trait. @@ -356,7 +405,8 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { } Rvalue::ThreadLocalRef(item) => { trace!(?item, "visit_rvalue thread_local"); - self.collected.insert(MonoItem::Static(StaticDef::try_from(item).unwrap())); + let item = MonoItem::Static(StaticDef::try_from(item).unwrap()); + self.collected.insert(CollectedItem { item, reason: CollectionReason::Static }); } _ => { /* not interesting */ } } @@ -365,9 +415,9 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { } /// Collect constants that are represented as static variables. - fn visit_constant(&mut self, constant: &Constant, location: Location) { - debug!(?constant, ?location, literal=?constant.literal, "visit_constant"); - let allocation = match constant.literal.kind() { + fn visit_const_operand(&mut self, constant: &ConstOperand, location: Location) { + debug!(?constant, ?location, literal=?constant.const_, "visit_constant"); + let allocation = match constant.const_.kind() { ConstantKind::Allocated(allocation) => allocation, ConstantKind::Unevaluated(_) => { unreachable!("Instance with polymorphic constant: `{constant:?}`") @@ -377,6 +427,10 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { // Nothing to do here. return; } + ConstantKind::Ty(_) => { + // Nothing to do here. + return; + } }; self.collect_allocation(&allocation); } @@ -389,49 +443,8 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { TerminatorKind::Call { ref func, .. } => { let fn_ty = func.ty(self.body.locals()).unwrap(); if let TyKind::RigidTy(RigidTy::FnDef(fn_def, args)) = fn_ty.kind() { - let instance_opt = Instance::resolve(fn_def, &args).ok(); - match instance_opt { - None => { - let caller = CrateItem::try_from(*self.instance).unwrap().name(); - let callee = fn_def.name(); - // Check if the current function has been stubbed. - if let Some(stub) = - get_stub(self.tcx, rustc_internal::internal(self.instance).def_id()) - { - // During the MIR stubbing transformation, we do not - // force type variables in the stub's signature to - // implement the same traits as those in the - // original function/method. A trait mismatch shows - // up here, when we try to resolve a trait method - - // FIXME: This assumes the type resolving the - // trait is the first argument, but that isn't - // necessarily true. It could be any argument or - // even the return type, for instance for a - // trait like `FromIterator`. - let receiver_ty = args.0[0].expect_ty(); - let sep = callee.rfind("::").unwrap(); - let trait_ = &callee[..sep]; - self.tcx.dcx().span_err( - rustc_internal::internal(terminator.span), - format!( - "`{}` doesn't implement \ - `{}`. The function `{}` \ - cannot be stubbed by `{}` due to \ - generic bounds not being met. Callee: {}", - pretty_ty(receiver_ty.kind()), - trait_, - caller, - self.tcx.def_path_str(stub), - callee, - ), - ); - } else { - panic!("unable to resolve call to `{callee}` in `{caller}`") - } - } - Some(instance) => self.collect_instance(instance, true), - }; + let instance = Instance::resolve(fn_def, &args).unwrap(); + self.collect_instance(instance, true); } else { assert!( matches!(fn_ty.kind().rigid(), Some(RigidTy::FnPtr(..))), @@ -465,8 +478,8 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { fn extract_unsize_coercion(tcx: TyCtxt, orig_ty: Ty, dst_trait: Ty) -> (Ty, Ty) { let CoercionBase { src_ty, dst_ty } = coercion::extract_unsize_casting( tcx, - rustc_internal::internal(orig_ty), - rustc_internal::internal(dst_trait), + rustc_internal::internal(tcx, orig_ty), + rustc_internal::internal(tcx, dst_trait), ); (rustc_internal::stable(src_ty), rustc_internal::stable(dst_ty)) } @@ -476,7 +489,7 @@ fn extract_unsize_coercion(tcx: TyCtxt, orig_ty: Ty, dst_trait: Ty) -> (Ty, Ty) fn to_fingerprint(tcx: TyCtxt, item: &MonoItem) -> Fingerprint { tcx.with_stable_hashing_context(|mut hcx| { let mut hasher = StableHasher::new(); - rustc_internal::internal(item).hash_stable(&mut hcx, &mut hasher); + rustc_internal::internal(tcx, item).hash_stable(&mut hcx, &mut hasher); hasher.finish() }) } @@ -512,127 +525,150 @@ fn collect_alloc_items(alloc_id: AllocId) -> Vec { items } -#[cfg(debug_assertions)] -mod debug { - #![allow(dead_code)] - - use std::fmt::{Display, Formatter}; - use std::{ - collections::{HashMap, HashSet}, - fs::File, - io::{BufWriter, Write}, - }; - - use rustc_session::config::OutputType; - - use super::*; +/// Call graph with edges annotated with the reason why they were added to the graph. +#[derive(Debug, Default)] +pub struct CallGraph { + /// Nodes of the graph. + nodes: HashSet, + /// Edges of the graph. + edges: HashMap>, + /// Since the graph is directed, we also store back edges. + back_edges: HashMap>, +} - #[derive(Debug, Default)] - pub struct CallGraph { - // Nodes of the graph. - nodes: HashSet, - edges: HashMap>, - back_edges: HashMap>, +/// Newtype around MonoItem. +#[derive(Clone, Debug, Eq, PartialEq, Hash)] +struct Node(pub MonoItem); + +/// Newtype around CollectedItem. +#[derive(Clone, Debug, Eq, PartialEq, Hash)] +struct CollectedNode(pub CollectedItem); + +impl CallGraph { + /// Add a new node into a graph. + fn add_node(&mut self, item: MonoItem) { + let node = Node(item); + self.nodes.insert(node.clone()); + self.edges.entry(node.clone()).or_default(); + self.back_edges.entry(node).or_default(); } - #[derive(Clone, Debug, Eq, PartialEq, Hash)] - struct Node(pub MonoItem); - - impl CallGraph { - pub fn add_node(&mut self, item: MonoItem) { - let node = Node(item); - self.nodes.insert(node.clone()); - self.edges.entry(node.clone()).or_default(); - self.back_edges.entry(node).or_default(); - } + /// Add a new edge "from" -> "to". + fn add_edge(&mut self, from: MonoItem, to: MonoItem, collection_reason: CollectionReason) { + let from_node = Node(from.clone()); + let to_node = Node(to.clone()); + self.add_node(from.clone()); + self.add_node(to.clone()); + self.edges + .get_mut(&from_node) + .unwrap() + .push(CollectedNode(CollectedItem { item: to, reason: collection_reason })); + self.back_edges + .get_mut(&to_node) + .unwrap() + .push(CollectedNode(CollectedItem { item: from, reason: collection_reason })); + } - /// Add a new edge "from" -> "to". - pub fn add_edge(&mut self, from: MonoItem, to: MonoItem) { - let from_node = Node(from.clone()); - let to_node = Node(to.clone()); - self.add_node(from); - self.add_node(to); - self.edges.get_mut(&from_node).unwrap().push(to_node.clone()); - self.back_edges.get_mut(&to_node).unwrap().push(from_node); + /// Add multiple new edges for the "from" node. + fn add_edges(&mut self, from: MonoItem, to: &[CollectedItem]) { + self.add_node(from.clone()); + for CollectedItem { item, reason } in to { + self.add_edge(from.clone(), item.clone(), *reason); } + } - /// Add multiple new edges for the "from" node. - pub fn add_edges(&mut self, from: MonoItem, to: &[MonoItem]) { - self.add_node(from.clone()); - for item in to { - self.add_edge(from.clone(), item.clone()); + /// Print the graph in DOT format to a file. + /// See for more information. + fn dump_dot(&self, tcx: TyCtxt) -> std::io::Result<()> { + if let Ok(target) = std::env::var("KANI_REACH_DEBUG") { + debug!(?target, "dump_dot"); + let outputs = tcx.output_filenames(()); + let base_path = outputs.path(OutputType::Metadata); + let path = base_path.as_path().with_extension("dot"); + let out_file = File::create(path)?; + let mut writer = BufWriter::new(out_file); + writeln!(writer, "digraph ReachabilityGraph {{")?; + if target.is_empty() { + self.dump_all(&mut writer)?; + } else { + // Only dump nodes that led the reachability analysis to the target node. + self.dump_reason(&mut writer, &target)?; } + writeln!(writer, "}}")?; } - /// Print the graph in DOT format to a file. - /// See for more information. - pub fn dump_dot(&self, tcx: TyCtxt) -> std::io::Result<()> { - if let Ok(target) = std::env::var("KANI_REACH_DEBUG") { - debug!(?target, "dump_dot"); - let outputs = tcx.output_filenames(()); - let path = outputs.output_path(OutputType::Metadata).with_extension("dot"); - let out_file = File::create(path)?; - let mut writer = BufWriter::new(out_file); - writeln!(writer, "digraph ReachabilityGraph {{")?; - if target.is_empty() { - self.dump_all(&mut writer)?; - } else { - // Only dump nodes that led the reachability analysis to the target node. - self.dump_reason(&mut writer, &target)?; - } - writeln!(writer, "}}")?; - } + Ok(()) + } - Ok(()) + /// Write all notes to the given writer. + fn dump_all(&self, writer: &mut W) -> std::io::Result<()> { + tracing::info!(nodes=?self.nodes.len(), edges=?self.edges.len(), "dump_all"); + for node in &self.nodes { + writeln!(writer, r#""{node}""#)?; + for succ in self.edges.get(node).unwrap() { + let reason = succ.0.reason; + writeln!(writer, r#""{node}" -> "{succ}" [label={reason:?}] "#)?; + } } + Ok(()) + } - /// Write all notes to the given writer. - fn dump_all(&self, writer: &mut W) -> std::io::Result<()> { - tracing::info!(nodes=?self.nodes.len(), edges=?self.edges.len(), "dump_all"); - for node in &self.nodes { - writeln!(writer, r#""{node}""#)?; - for succ in self.edges.get(node).unwrap() { - writeln!(writer, r#""{node}" -> "{succ}" "#)?; - } + /// Write all notes that may have led to the discovery of the given target. + fn dump_reason(&self, writer: &mut W, target: &str) -> std::io::Result<()> { + let mut queue: Vec = + self.nodes.iter().filter(|item| item.to_string().contains(target)).cloned().collect(); + let mut visited: HashSet = HashSet::default(); + tracing::info!(target=?queue, nodes=?self.nodes.len(), edges=?self.edges.len(), "dump_reason"); + while let Some(to_visit) = queue.pop() { + if !visited.contains(&to_visit) { + visited.insert(to_visit.clone()); + queue.extend( + self.back_edges + .get(&to_visit) + .unwrap() + .iter() + .map(|item| Node::from(item.clone())), + ); } - Ok(()) } - /// Write all notes that may have led to the discovery of the given target. - fn dump_reason(&self, writer: &mut W, target: &str) -> std::io::Result<()> { - let mut queue = self - .nodes - .iter() - .filter(|item| item.to_string().contains(target)) - .collect::>(); - let mut visited: HashSet<&Node> = HashSet::default(); - tracing::info!(target=?queue, nodes=?self.nodes.len(), edges=?self.edges.len(), "dump_reason"); - while let Some(to_visit) = queue.pop() { - if !visited.contains(to_visit) { - visited.insert(to_visit); - queue.extend(self.back_edges.get(to_visit).unwrap()); - } + for node in &visited { + writeln!(writer, r#""{node}""#)?; + let edges = self.edges.get(node).unwrap(); + for succ in edges.iter().filter(|item| { + let node = Node::from((*item).clone()); + visited.contains(&node) + }) { + let reason = succ.0.reason; + writeln!(writer, r#""{node}" -> "{succ}" [label={reason:?}] "#)?; } + } + Ok(()) + } +} - for node in &visited { - writeln!(writer, r#""{node}""#)?; - for succ in - self.edges.get(node).unwrap().iter().filter(|item| visited.contains(item)) - { - writeln!(writer, r#""{node}" -> "{succ}" "#)?; - } - } - Ok(()) +impl Display for Node { + fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { + match &self.0 { + MonoItem::Fn(instance) => write!(f, "{}", instance.name()), + MonoItem::Static(def) => write!(f, "{}", def.name()), + MonoItem::GlobalAsm(asm) => write!(f, "{asm:?}"), } } +} - impl Display for Node { - fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { - match &self.0 { - MonoItem::Fn(instance) => write!(f, "{}", instance.name()), - MonoItem::Static(def) => write!(f, "{}", def.name()), - MonoItem::GlobalAsm(asm) => write!(f, "{asm:?}"), - } +impl Display for CollectedNode { + fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { + match &self.0.item { + MonoItem::Fn(instance) => write!(f, "{}", instance.name()), + MonoItem::Static(def) => write!(f, "{}", def.name()), + MonoItem::GlobalAsm(asm) => write!(f, "{asm:?}"), } } } + +impl From for Node { + fn from(value: CollectedNode) -> Self { + Node(value.0.item) + } +} diff --git a/kani-compiler/src/kani_middle/resolve.rs b/kani-compiler/src/kani_middle/resolve.rs index e88485ebc6d7..816f25343fe3 100644 --- a/kani-compiler/src/kani_middle/resolve.rs +++ b/kani-compiler/src/kani_middle/resolve.rs @@ -247,7 +247,7 @@ where /// Resolves an external crate name. fn resolve_external(tcx: TyCtxt, name: &str) -> Option { debug!(?name, "resolve_external"); - tcx.crates(()).iter().find_map(|crate_num| { + tcx.used_crates(()).iter().find_map(|crate_num| { let crate_name = tcx.crate_name(*crate_num); if crate_name.as_str() == name { Some(DefId { index: CRATE_DEF_INDEX, krate: *crate_num }) @@ -399,8 +399,11 @@ fn resolve_in_type<'tcx>( name: &str, ) -> Result> { debug!(?name, ?type_id, "resolve_in_type"); + let missing_item_err = + || ResolveError::MissingItem { tcx, base: type_id, unresolved: name.to_string() }; // Try the inherent `impl` blocks (i.e., non-trait `impl`s). tcx.inherent_impls(type_id) + .map_err(|_| missing_item_err())? .iter() .flat_map(|impl_id| tcx.associated_item_def_ids(impl_id)) .cloned() @@ -409,9 +412,5 @@ fn resolve_in_type<'tcx>( let last = item_path.split("::").last().unwrap(); last == name }) - .ok_or_else(|| ResolveError::MissingItem { - tcx, - base: type_id, - unresolved: name.to_string(), - }) + .ok_or_else(missing_item_err) } diff --git a/kani-compiler/src/kani_middle/stubbing/annotations.rs b/kani-compiler/src/kani_middle/stubbing/annotations.rs index 52b994ab97d2..9fc7be491d85 100644 --- a/kani-compiler/src/kani_middle/stubbing/annotations.rs +++ b/kani-compiler/src/kani_middle/stubbing/annotations.rs @@ -2,11 +2,10 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! This file contains code for extracting stubbing-related attributes. -use std::collections::BTreeMap; +use std::collections::HashMap; use kani_metadata::Stub; use rustc_hir::def_id::{DefId, LocalDefId}; -use rustc_hir::definitions::DefPathHash; use rustc_middle::ty::TyCtxt; use crate::kani_middle::resolve::resolve_fn; @@ -42,21 +41,19 @@ pub fn update_stub_mapping( tcx: TyCtxt, harness: LocalDefId, stub: &Stub, - stub_pairs: &mut BTreeMap, + stub_pairs: &mut HashMap, ) { if let Some((orig_id, stub_id)) = stub_def_ids(tcx, harness, stub) { - let orig_hash = tcx.def_path_hash(orig_id); - let stub_hash = tcx.def_path_hash(stub_id); - let other_opt = stub_pairs.insert(orig_hash, stub_hash); + let other_opt = stub_pairs.insert(orig_id, stub_id); if let Some(other) = other_opt { - if other != stub_hash { + if other != stub_id { tcx.dcx().span_err( tcx.def_span(harness), format!( "duplicate stub mapping: {} mapped to {} and {}", tcx.def_path_str(orig_id), tcx.def_path_str(stub_id), - tcx.def_path_str(tcx.def_path_hash_to_def_id(other, &mut || panic!())) + tcx.def_path_str(other) ), ); } diff --git a/kani-compiler/src/kani_middle/stubbing/mod.rs b/kani-compiler/src/kani_middle/stubbing/mod.rs index 9dda0144eda4..f145a4d105e2 100644 --- a/kani-compiler/src/kani_middle/stubbing/mod.rs +++ b/kani-compiler/src/kani_middle/stubbing/mod.rs @@ -3,20 +3,21 @@ //! This module contains code for implementing stubbing. mod annotations; -mod transform; -use std::collections::BTreeMap; +use itertools::Itertools; +use rustc_span::DUMMY_SP; +use std::collections::HashMap; use tracing::{debug, trace}; -pub use self::transform::*; use kani_metadata::HarnessMetadata; -use rustc_hir::definitions::DefPathHash; +use rustc_hir::def_id::DefId; use rustc_middle::mir::Const; use rustc_middle::ty::{self, EarlyBinder, ParamEnv, TyCtxt, TypeFoldable}; use rustc_smir::rustc_internal; use stable_mir::mir::mono::Instance; use stable_mir::mir::visit::{Location, MirVisitor}; -use stable_mir::mir::Constant; +use stable_mir::mir::ConstOperand; +use stable_mir::ty::{FnDef, RigidTy, TyKind}; use stable_mir::{CrateDef, CrateItem}; use self::annotations::update_stub_mapping; @@ -26,16 +27,118 @@ pub fn harness_stub_map( tcx: TyCtxt, harness: Instance, metadata: &HarnessMetadata, -) -> BTreeMap { - let def_id = rustc_internal::internal(harness.def.def_id()); +) -> HashMap { + let def_id = rustc_internal::internal(tcx, harness.def.def_id()); let attrs = &metadata.attributes; - let mut stub_pairs = BTreeMap::default(); + let mut stub_pairs = HashMap::default(); for stubs in &attrs.stubs { update_stub_mapping(tcx, def_id.expect_local(), stubs, &mut stub_pairs); } stub_pairs } +/// Retrieve the index of the host parameter if old definition has one, but not the new definition. +/// +/// This is to allow constant functions to be stubbed by non-constant functions when the +/// `effect` feature is on. +/// +/// Note that the opposite is not supported today, but users should be able to change their stubs. +/// +/// Note that this has no effect at runtime. +pub fn contract_host_param(tcx: TyCtxt, old_def: FnDef, new_def: FnDef) -> Option { + let old_generics = tcx.generics_of(rustc_internal::internal(tcx, old_def.def_id())); + let new_generics = tcx.generics_of(rustc_internal::internal(tcx, new_def.def_id())); + if old_generics.host_effect_index.is_some() && new_generics.host_effect_index.is_none() { + old_generics.host_effect_index + } else { + None + } +} + +/// Checks whether the stub is compatible with the original function/method: do +/// the arities and types (of the parameters and return values) match up? This +/// does **NOT** check whether the type variables are constrained to implement +/// the same traits; trait mismatches are checked during monomorphization. +pub fn check_compatibility(tcx: TyCtxt, old_def: FnDef, new_def: FnDef) -> Result<(), String> { + // TODO: Validate stubs that do not have body. + // We could potentially look at the function signature to see if they match. + // However, they will include region information which can make types different. + let Some(old_body) = old_def.body() else { return Ok(()) }; + let Some(new_body) = new_def.body() else { return Ok(()) }; + // Check whether the arities match. + if old_body.arg_locals().len() != new_body.arg_locals().len() { + let msg = format!( + "arity mismatch: original function/method `{}` takes {} argument(s), stub `{}` takes {}", + old_def.name(), + old_body.arg_locals().len(), + new_def.name(), + new_body.arg_locals().len(), + ); + return Err(msg); + } + // Check whether the numbers of generic parameters match. + let old_def_id = rustc_internal::internal(tcx, old_def.def_id()); + let new_def_id = rustc_internal::internal(tcx, new_def.def_id()); + let old_ty = rustc_internal::stable(tcx.type_of(old_def_id)).value; + let new_ty = rustc_internal::stable(tcx.type_of(new_def_id)).value; + let TyKind::RigidTy(RigidTy::FnDef(_, mut old_args)) = old_ty.kind() else { + unreachable!("Expected function, but found {old_ty}") + }; + let TyKind::RigidTy(RigidTy::FnDef(_, new_args)) = new_ty.kind() else { + unreachable!("Expected function, but found {new_ty}") + }; + if let Some(idx) = contract_host_param(tcx, old_def, new_def) { + old_args.0.remove(idx); + } + + // TODO: We should check for the parameter type too or replacement will fail. + if old_args.0.len() != new_args.0.len() { + let msg = format!( + "mismatch in the number of generic parameters: original function/method `{}` takes {} generic parameters(s), stub `{}` takes {}", + old_def.name(), + old_args.0.len(), + new_def.name(), + new_args.0.len(), + ); + return Err(msg); + } + // Check whether the types match. Index 0 refers to the returned value, + // indices [1, `arg_count`] refer to the parameters. + // TODO: We currently force generic parameters in the stub to have exactly + // the same names as their counterparts in the original function/method; + // instead, we should be checking for the equivalence of types up to the + // renaming of generic parameters. + // + let old_ret_ty = old_body.ret_local().ty; + let new_ret_ty = new_body.ret_local().ty; + let mut diff = vec![]; + if old_ret_ty != new_ret_ty { + diff.push(format!("Expected return type `{old_ret_ty}`, but found `{new_ret_ty}`")); + } + for (i, (old_arg, new_arg)) in + old_body.arg_locals().iter().zip(new_body.arg_locals().iter()).enumerate() + { + if old_arg.ty != new_arg.ty { + diff.push(format!( + "Expected type `{}` for parameter {}, but found `{}`", + old_arg.ty, + i + 1, + new_arg.ty + )); + } + } + if !diff.is_empty() { + Err(format!( + "Cannot stub `{}` by `{}`.\n - {}", + old_def.name(), + new_def.name(), + diff.iter().join("\n - ") + )) + } else { + Ok(()) + } +} + /// Validate that an instance body can be instantiated. /// /// Stubbing may cause an instance to not be correctly instantiated since we delay checking its @@ -43,17 +146,13 @@ pub fn harness_stub_map( /// /// In stable MIR, trying to retrieve an `Instance::body()` will ICE if we cannot evaluate a /// constant as expected. For now, use internal APIs to anticipate this issue. -pub fn validate_instance(tcx: TyCtxt, instance: Instance) -> bool { - let internal_instance = rustc_internal::internal(instance); - if get_stub(tcx, internal_instance.def_id()).is_some() { - debug!(?instance, "validate_instance"); - let item = CrateItem::try_from(instance).unwrap(); - let mut checker = StubConstChecker::new(tcx, internal_instance, item); - checker.visit_body(&item.body()); - checker.is_valid() - } else { - true - } +pub fn validate_stub_const(tcx: TyCtxt, instance: Instance) -> bool { + debug!(?instance, "validate_instance"); + let item = CrateItem::try_from(instance).unwrap(); + let internal_instance = rustc_internal::internal(tcx, instance); + let mut checker = StubConstChecker::new(tcx, internal_instance, item); + checker.visit_body(&item.body()); + checker.is_valid() } struct StubConstChecker<'tcx> { @@ -86,14 +185,14 @@ impl<'tcx> StubConstChecker<'tcx> { impl<'tcx> MirVisitor for StubConstChecker<'tcx> { /// Collect constants that are represented as static variables. - fn visit_constant(&mut self, constant: &Constant, location: Location) { - let const_ = self.monomorphize(rustc_internal::internal(&constant.literal)); + fn visit_const_operand(&mut self, constant: &ConstOperand, location: Location) { + let const_ = self.monomorphize(rustc_internal::internal(self.tcx, &constant.const_)); debug!(?constant, ?location, ?const_, "visit_constant"); match const_ { Const::Val(..) | Const::Ty(..) => {} Const::Unevaluated(un_eval, _) => { // Thread local fall into this category. - if self.tcx.const_eval_resolve(ParamEnv::reveal_all(), un_eval, None).is_err() { + if self.tcx.const_eval_resolve(ParamEnv::reveal_all(), un_eval, DUMMY_SP).is_err() { // The `monomorphize` call should have evaluated that constant already. let tcx = self.tcx; let mono_const = &un_eval; @@ -109,7 +208,7 @@ impl<'tcx> MirVisitor for StubConstChecker<'tcx> { tcx.def_path_str(trait_), self.source.name() ); - tcx.dcx().span_err(rustc_internal::internal(location.span()), msg); + tcx.dcx().span_err(rustc_internal::internal(self.tcx, location.span()), msg); self.is_valid = false; } } diff --git a/kani-compiler/src/kani_middle/stubbing/transform.rs b/kani-compiler/src/kani_middle/stubbing/transform.rs deleted file mode 100644 index ff845b188dca..000000000000 --- a/kani-compiler/src/kani_middle/stubbing/transform.rs +++ /dev/null @@ -1,214 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! This module contains code related to the MIR-to-MIR pass that performs the -//! stubbing of functions and methods. The primary function of the module is -//! `transform`, which takes the `DefId` of a function/method and returns the -//! body of its stub, if appropriate. The stub mapping it uses is set via rustc -//! arguments. - -use std::collections::{BTreeMap, HashMap}; - -use lazy_static::lazy_static; -use regex::Regex; -use rustc_data_structures::fingerprint::Fingerprint; -use rustc_hir::{def_id::DefId, definitions::DefPathHash}; -use rustc_index::IndexVec; -use rustc_middle::mir::{ - visit::MutVisitor, Body, Const, ConstValue, Local, LocalDecl, Location, Operand, -}; -use rustc_middle::ty::{self, TyCtxt}; - -use tracing::debug; - -/// Returns the `DefId` of the stub for the function/method identified by the -/// parameter `def_id`, and `None` if the function/method is not stubbed. -pub fn get_stub(tcx: TyCtxt, def_id: DefId) -> Option { - let mapping = get_stub_mapping(tcx)?; - mapping.get(&def_id).copied() -} - -/// Returns the new body of a function/method if it has been stubbed out; -/// otherwise, returns the old body. -pub fn transform<'tcx>(tcx: TyCtxt<'tcx>, def_id: DefId, old_body: &'tcx Body<'tcx>) -> Body<'tcx> { - if let Some(replacement) = get_stub(tcx, def_id) { - debug!( - original = tcx.def_path_debug_str(def_id), - replaced = tcx.def_path_debug_str(replacement), - "transform" - ); - let new_body = tcx.optimized_mir(replacement).clone(); - if check_compatibility(tcx, def_id, old_body, replacement, &new_body) { - return new_body; - } - } - old_body.clone() -} - -/// Traverse `body` searching for calls to foreing functions and, whevever there is -/// a stub available, replace the call to the foreign function with a call -/// to its correspondent stub. This happens as a separate step because there is no -/// body available to foreign functions at this stage. -pub fn transform_foreign_functions<'tcx>(tcx: TyCtxt<'tcx>, body: &mut Body<'tcx>) { - if let Some(stub_map) = get_stub_mapping(tcx) { - let mut visitor = - ForeignFunctionTransformer { tcx, local_decls: body.clone().local_decls, stub_map }; - visitor.visit_body(body); - } -} - -struct ForeignFunctionTransformer<'tcx> { - /// The compiler context. - tcx: TyCtxt<'tcx>, - /// Local declarations of the callee function. Kani searches here for foreign functions. - local_decls: IndexVec>, - /// Map of functions/methods to their correspondent stubs. - stub_map: HashMap, -} - -impl<'tcx> MutVisitor<'tcx> for ForeignFunctionTransformer<'tcx> { - fn tcx(&self) -> TyCtxt<'tcx> { - self.tcx - } - - fn visit_operand(&mut self, operand: &mut Operand<'tcx>, _location: Location) { - let func_ty = operand.ty(&self.local_decls, self.tcx); - if let ty::FnDef(reachable_function, arguments) = *func_ty.kind() { - if self.tcx.is_foreign_item(reachable_function) { - if let Some(stub) = self.stub_map.get(&reachable_function) { - let Operand::Constant(function_definition) = operand else { - return; - }; - function_definition.const_ = Const::from_value( - ConstValue::ZeroSized, - self.tcx.type_of(stub).instantiate(self.tcx, arguments), - ); - } - } - } - } -} - -/// Checks whether the stub is compatible with the original function/method: do -/// the arities and types (of the parameters and return values) match up? This -/// does **NOT** check whether the type variables are constrained to implement -/// the same traits; trait mismatches are checked during monomorphization. -fn check_compatibility<'a, 'tcx>( - tcx: TyCtxt, - old_def_id: DefId, - old_body: &'a Body<'tcx>, - stub_def_id: DefId, - stub_body: &'a Body<'tcx>, -) -> bool { - // Check whether the arities match. - if old_body.arg_count != stub_body.arg_count { - tcx.dcx().span_err( - tcx.def_span(stub_def_id), - format!( - "arity mismatch: original function/method `{}` takes {} argument(s), stub `{}` takes {}", - tcx.def_path_str(old_def_id), - old_body.arg_count, - tcx.def_path_str(stub_def_id), - stub_body.arg_count - ), - ); - return false; - } - // Check whether the numbers of generic parameters match. - let old_num_generics = tcx.generics_of(old_def_id).count(); - let stub_num_generics = tcx.generics_of(stub_def_id).count(); - if old_num_generics != stub_num_generics { - tcx.dcx().span_err( - tcx.def_span(stub_def_id), - format!( - "mismatch in the number of generic parameters: original function/method `{}` takes {} generic parameters(s), stub `{}` takes {}", - tcx.def_path_str(old_def_id), - old_num_generics, - tcx.def_path_str(stub_def_id), - stub_num_generics - ), - ); - return false; - } - // Check whether the types match. Index 0 refers to the returned value, - // indices [1, `arg_count`] refer to the parameters. - // TODO: We currently force generic parameters in the stub to have exactly - // the same names as their counterparts in the original function/method; - // instead, we should be checking for the equivalence of types up to the - // renaming of generic parameters. - // - let mut matches = true; - for i in 0..=old_body.arg_count { - let old_arg = old_body.local_decls.get(i.into()).unwrap(); - let new_arg = stub_body.local_decls.get(i.into()).unwrap(); - if old_arg.ty != new_arg.ty { - let prefix = if i == 0 { - "return type differs".to_string() - } else { - format!("type of parameter {} differs", i - 1) - }; - tcx.dcx().span_err( - new_arg.source_info.span, - format!( - "{prefix}: stub `{}` has type `{}` where original function/method `{}` has type `{}`", - tcx.def_path_str(stub_def_id), - new_arg.ty, - tcx.def_path_str(old_def_id), - old_arg.ty - ), - ); - matches = false; - } - } - matches -} - -/// The prefix we will use when serializing the stub mapping as a rustc argument. -const RUSTC_ARG_PREFIX: &str = "kani_stubs="; - -/// Serializes the stub mapping into a rustc argument. -pub fn mk_rustc_arg(stub_mapping: &BTreeMap) -> String { - // Serialize each `DefPathHash` as a pair of `u64`s, and the whole mapping - // as an association list. - let mut pairs = Vec::new(); - for (k, v) in stub_mapping { - let (k_a, k_b) = k.0.split(); - let kparts = (k_a.as_u64(), k_b.as_u64()); - let (v_a, v_b) = v.0.split(); - let vparts = (v_a.as_u64(), v_b.as_u64()); - pairs.push((kparts, vparts)); - } - // Store our serialized mapping as a fake LLVM argument (safe to do since - // LLVM will never see them). - format!("-Cllvm-args='{RUSTC_ARG_PREFIX}{}'", serde_json::to_string(&pairs).unwrap()) -} - -/// Deserializes the stub mapping from the rustc argument value. -fn deserialize_mapping(tcx: TyCtxt, val: &str) -> HashMap { - type Item = (u64, u64); - let item_to_def_id = |item: Item| -> DefId { - let hash = DefPathHash(Fingerprint::new(item.0, item.1)); - tcx.def_path_hash_to_def_id(hash, &mut || panic!()) - }; - let pairs: Vec<(Item, Item)> = serde_json::from_str(val).unwrap(); - let mut m = HashMap::default(); - for (k, v) in pairs { - let kid = item_to_def_id(k); - let vid = item_to_def_id(v); - m.insert(kid, vid); - } - m -} - -/// Retrieves the stub mapping from the compiler configuration. -fn get_stub_mapping(tcx: TyCtxt) -> Option> { - // Use a static so that we compile the regex only once. - lazy_static! { - static ref RE: Regex = Regex::new(&format!("'{RUSTC_ARG_PREFIX}(.*)'")).unwrap(); - } - for arg in &tcx.sess.opts.cg.llvm_args { - if let Some(captures) = RE.captures(arg) { - return Some(deserialize_mapping(tcx, captures.get(1).unwrap().as_str())); - } - } - None -} diff --git a/kani-compiler/src/kani_middle/transform/body.rs b/kani-compiler/src/kani_middle/transform/body.rs new file mode 100644 index 000000000000..d3f2afc15d31 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/body.rs @@ -0,0 +1,623 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Utility functions that allow us to modify a function body. + +use crate::kani_middle::find_fn_def; +use rustc_middle::ty::TyCtxt; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::*; +use stable_mir::ty::{GenericArgs, MirConst, Span, Ty, UintTy}; +use std::fmt::Debug; +use std::mem; + +/// This structure mimics a Body that can actually be modified. +pub struct MutableBody { + blocks: Vec, + + /// Declarations of locals within the function. + /// + /// The first local is the return value pointer, followed by `arg_count` + /// locals for the function arguments, followed by any user-declared + /// variables and temporaries. + locals: Vec, + + /// The number of arguments this function takes. + arg_count: usize, + + /// Debug information pertaining to user variables, including captures. + var_debug_info: Vec, + + /// Mark an argument (which must be a tuple) as getting passed as its individual components. + /// + /// This is used for the "rust-call" ABI such as closures. + spread_arg: Option, + + /// The span that covers the entire function body. + span: Span, +} + +/// Denotes whether instrumentation should be inserted before or after the statement. +#[derive(Debug, Clone, Copy, PartialEq, Eq)] +pub enum InsertPosition { + Before, + After, +} + +impl MutableBody { + /// Get the basic blocks of this builder. + pub fn blocks(&self) -> &[BasicBlock] { + &self.blocks + } + + pub fn locals(&self) -> &[LocalDecl] { + &self.locals + } + + /// Create a mutable body from the original MIR body. + pub fn from(body: Body) -> Self { + MutableBody { + locals: body.locals().to_vec(), + arg_count: body.arg_locals().len(), + spread_arg: body.spread_arg(), + blocks: body.blocks, + var_debug_info: body.var_debug_info, + span: body.span, + } + } + + /// Create the new body consuming this mutable body. + pub fn into(self) -> Body { + Body::new( + self.blocks, + self.locals, + self.arg_count, + self.var_debug_info, + self.spread_arg, + self.span, + ) + } + + /// Add a new local to the body with the given attributes. + pub fn new_local(&mut self, ty: Ty, span: Span, mutability: Mutability) -> Local { + let decl = LocalDecl { ty, span, mutability }; + let local = self.locals.len(); + self.locals.push(decl); + local + } + + pub fn new_str_operand(&mut self, msg: &str, span: Span) -> Operand { + let literal = MirConst::from_str(msg); + self.new_const_operand(literal, span) + } + + pub fn new_uint_operand(&mut self, val: u128, uint_ty: UintTy, span: Span) -> Operand { + let literal = MirConst::try_from_uint(val, uint_ty).unwrap(); + self.new_const_operand(literal, span) + } + + fn new_const_operand(&mut self, literal: MirConst, span: Span) -> Operand { + Operand::Constant(ConstOperand { span, user_ty: None, const_: literal }) + } + + /// Create a raw pointer of `*mut type` and return a new local where that value is stored. + pub fn insert_ptr_cast( + &mut self, + from: Operand, + pointee_ty: Ty, + mutability: Mutability, + source: &mut SourceInstruction, + position: InsertPosition, + ) -> Local { + assert!(from.ty(self.locals()).unwrap().kind().is_raw_ptr()); + let target_ty = Ty::new_ptr(pointee_ty, mutability); + let rvalue = Rvalue::Cast(CastKind::PtrToPtr, from, target_ty); + self.insert_assignment(rvalue, source, position) + } + + /// Add a new assignment for the given binary operation. + /// + /// Return the local where the result is saved. + pub fn insert_binary_op( + &mut self, + bin_op: BinOp, + lhs: Operand, + rhs: Operand, + source: &mut SourceInstruction, + position: InsertPosition, + ) -> Local { + let rvalue = Rvalue::BinaryOp(bin_op, lhs, rhs); + self.insert_assignment(rvalue, source, position) + } + + /// Add a new assignment. + /// + /// Return the local where the result is saved. + pub fn insert_assignment( + &mut self, + rvalue: Rvalue, + source: &mut SourceInstruction, + position: InsertPosition, + ) -> Local { + let span = source.span(&self.blocks); + let ret_ty = rvalue.ty(&self.locals).unwrap(); + let result = self.new_local(ret_ty, span, Mutability::Not); + let stmt = Statement { kind: StatementKind::Assign(Place::from(result), rvalue), span }; + self.insert_stmt(stmt, source, position); + result + } + + /// Add a new assert to the basic block indicated by the given index. + /// + /// The new assertion will have the same span as the source instruction, and the basic block + /// will be split. If `InsertPosition` is `InsertPosition::Before`, `source` will point to the + /// same instruction as before. If `InsertPosition` is `InsertPosition::After`, `source` will + /// point to the new terminator. + pub fn insert_check( + &mut self, + tcx: TyCtxt, + check_type: &CheckType, + source: &mut SourceInstruction, + position: InsertPosition, + value: Local, + msg: &str, + ) { + assert_eq!( + self.locals[value].ty, + Ty::bool_ty(), + "Expected boolean value as the assert input" + ); + let new_bb = self.blocks.len(); + let span = source.span(&self.blocks); + match check_type { + CheckType::Assert(assert_fn) => { + let assert_op = Operand::Copy(Place::from(self.new_local( + assert_fn.ty(), + span, + Mutability::Not, + ))); + let msg_op = self.new_str_operand(msg, span); + let kind = TerminatorKind::Call { + func: assert_op, + args: vec![Operand::Move(Place::from(value)), msg_op], + destination: Place { + local: self.new_local(Ty::new_tuple(&[]), span, Mutability::Not), + projection: vec![], + }, + target: Some(new_bb), + unwind: UnwindAction::Terminate, + }; + let terminator = Terminator { kind, span }; + self.insert_terminator(source, position, terminator); + } + CheckType::Panic | CheckType::NoCore => { + tcx.sess + .dcx() + .struct_err("Failed to instrument the code. Cannot find `kani::assert`") + .with_note("Kani requires `kani` library in order to verify a crate.") + .emit(); + tcx.sess.dcx().abort_if_errors(); + unreachable!(); + } + } + } + + /// Add a new call to the basic block indicated by the given index. + /// + /// The new call will have the same span as the source instruction, and the basic block will be + /// split. If `InsertPosition` is `InsertPosition::Before`, `source` will point to the same + /// instruction as before. If `InsertPosition` is `InsertPosition::After`, `source` will point + /// to the new terminator. + pub fn insert_call( + &mut self, + callee: &Instance, + source: &mut SourceInstruction, + position: InsertPosition, + args: Vec, + destination: Place, + ) { + let new_bb = self.blocks.len(); + let span = source.span(&self.blocks); + let callee_op = + Operand::Copy(Place::from(self.new_local(callee.ty(), span, Mutability::Not))); + let kind = TerminatorKind::Call { + func: callee_op, + args, + destination, + target: Some(new_bb), + unwind: UnwindAction::Terminate, + }; + let terminator = Terminator { kind, span }; + self.insert_terminator(source, position, terminator); + } + + /// Split a basic block and use the new terminator in the basic block that was split. If + /// `InsertPosition` is `InsertPosition::Before`, `source` will point to the same instruction as + /// before. If `InsertPosition` is `InsertPosition::After`, `source` will point to the new + /// terminator. + fn split_bb( + &mut self, + source: &mut SourceInstruction, + position: InsertPosition, + new_term: Terminator, + ) { + match position { + InsertPosition::Before => { + self.split_bb_before(source, new_term); + } + InsertPosition::After => { + self.split_bb_after(source, new_term); + } + } + } + + /// Split a basic block right before the source location. + /// `source` will point to the same instruction as before after the function is done. + fn split_bb_before(&mut self, source: &mut SourceInstruction, new_term: Terminator) { + let new_bb_idx = self.blocks.len(); + let (idx, bb) = match source { + SourceInstruction::Statement { idx, bb } => { + let (orig_idx, orig_bb) = (*idx, *bb); + *idx = 0; + *bb = new_bb_idx; + (orig_idx, orig_bb) + } + SourceInstruction::Terminator { bb } => { + let (orig_idx, orig_bb) = (self.blocks[*bb].statements.len(), *bb); + *bb = new_bb_idx; + (orig_idx, orig_bb) + } + }; + let old_term = mem::replace(&mut self.blocks[bb].terminator, new_term); + let bb_stmts = &mut self.blocks[bb].statements; + let remaining = bb_stmts.split_off(idx); + let new_bb = BasicBlock { statements: remaining, terminator: old_term }; + self.blocks.push(new_bb); + } + + /// Split a basic block right after the source location. + /// `source` will point to the new terminator after the function is done. + fn split_bb_after(&mut self, source: &mut SourceInstruction, mut new_term: Terminator) { + let new_bb_idx = self.blocks.len(); + match source { + // Split the current block after the statement located at `source` + // and move the remaining statements into the new one. + SourceInstruction::Statement { idx, bb } => { + let (orig_idx, orig_bb) = (*idx, *bb); + let old_term = mem::replace(&mut self.blocks[orig_bb].terminator, new_term); + let bb_stmts = &mut self.blocks[orig_bb].statements; + let remaining = bb_stmts.split_off(orig_idx + 1); + let new_bb = BasicBlock { statements: remaining, terminator: old_term }; + self.blocks.push(new_bb); + // Update the source to point at the terminator. + *source = SourceInstruction::Terminator { bb: orig_bb }; + } + // Make the terminator at `source` point at the new block, + // the terminator of which is a simple Goto instruction. + SourceInstruction::Terminator { bb } => { + let current_term = &mut self.blocks.get_mut(*bb).unwrap().terminator; + let target_bb = get_mut_target_ref(current_term); + let new_target_bb = get_mut_target_ref(&mut new_term); + // Set the new terminator to point where previous terminator pointed. + *new_target_bb = *target_bb; + // Point the current terminator to the new terminator's basic block. + *target_bb = new_bb_idx; + // Update the source to point at the terminator. + *bb = new_bb_idx; + self.blocks.push(BasicBlock { statements: vec![], terminator: new_term }); + } + }; + } + + /// Insert basic block before or after the source instruction and update `source` accordingly. If + /// `InsertPosition` is `InsertPosition::Before`, `source` will point to the same instruction as + /// before. If `InsertPosition` is `InsertPosition::After`, `source` will point to the + /// terminator of the newly inserted basic block. + pub fn insert_bb( + &mut self, + mut bb: BasicBlock, + source: &mut SourceInstruction, + position: InsertPosition, + ) { + // Splitting adds 1 block, so the added block index is len + 1; + let split_bb_idx = self.blocks().len(); + let inserted_bb_idx = self.blocks().len() + 1; + // Update the terminator of the basic block to point at the remaining part of the split + // basic block. + let target = get_mut_target_ref(&mut bb.terminator); + *target = split_bb_idx; + let new_term = Terminator { + kind: TerminatorKind::Goto { target: inserted_bb_idx }, + span: source.span(&self.blocks), + }; + self.split_bb(source, position, new_term); + self.blocks.push(bb); + } + + pub fn insert_terminator( + &mut self, + source: &mut SourceInstruction, + position: InsertPosition, + terminator: Terminator, + ) { + self.split_bb(source, position, terminator); + } + + /// Insert statement before or after the source instruction and update the source as needed. If + /// `InsertPosition` is `InsertPosition::Before`, `source` will point to the same instruction as + /// before. If `InsertPosition` is `InsertPosition::After`, `source` will point to the + /// newly inserted statement. + pub fn insert_stmt( + &mut self, + new_stmt: Statement, + source: &mut SourceInstruction, + position: InsertPosition, + ) { + match position { + InsertPosition::Before => { + match source { + SourceInstruction::Statement { idx, bb } => { + self.blocks[*bb].statements.insert(*idx, new_stmt); + *idx += 1; + } + SourceInstruction::Terminator { bb } => { + // Append statements at the end of the basic block. + self.blocks[*bb].statements.push(new_stmt); + } + } + } + InsertPosition::After => { + let new_bb_idx = self.blocks.len(); + let span = source.span(&self.blocks); + match source { + SourceInstruction::Statement { idx, bb } => { + self.blocks[*bb].statements.insert(*idx + 1, new_stmt); + *idx += 1; + } + SourceInstruction::Terminator { bb } => { + // Create a new basic block, as we need to append a statement after the terminator. + let current_terminator = &mut self.blocks.get_mut(*bb).unwrap().terminator; + // Update target of the terminator. + let target_bb = get_mut_target_ref(current_terminator); + *source = SourceInstruction::Statement { idx: 0, bb: new_bb_idx }; + let new_bb = BasicBlock { + statements: vec![new_stmt], + terminator: Terminator { + kind: TerminatorKind::Goto { target: *target_bb }, + span, + }, + }; + *target_bb = new_bb_idx; + self.blocks.push(new_bb); + } + } + } + } + } + + /// Clear all the existing logic of this body and turn it into a simple `return`. + /// + /// This function can be used when a new implementation of the body is needed. + /// For example, Kani intrinsics usually have a dummy body, which is replaced + /// by the compiler. This function allow us to delete the dummy body before + /// creating a new one. + /// + /// Note: We do not prune the local variables today for simplicity. + pub fn clear_body(&mut self) { + self.blocks.clear(); + let terminator = Terminator { kind: TerminatorKind::Return, span: self.span }; + self.blocks.push(BasicBlock { statements: Vec::default(), terminator }) + } +} + +#[derive(Clone, Debug)] +pub enum CheckType { + /// This is used by default when the `kani` crate is available. + Assert(Instance), + /// When the `kani` crate is not available, we have to model the check as an `if { panic!() }`. + Panic, + /// When building non-core crate, such as `rustc-std-workspace-core`, we cannot + /// instrument code, but we can still compile them. + NoCore, +} + +impl CheckType { + /// This will create the type of check that is available in the current crate, attempting to + /// create a check that generates an assertion following by an assumption of the same assertion. + /// + /// If `kani` crate is available, this will return [CheckType::Assert], and the instance will + /// point to `kani::assert`. Otherwise, we will collect the `core::panic_str` method and return + /// [CheckType::Panic]. + pub fn new_assert_assume(tcx: TyCtxt) -> CheckType { + if let Some(instance) = find_instance(tcx, "KaniAssert") { + CheckType::Assert(instance) + } else if find_instance(tcx, "panic_str").is_some() { + CheckType::Panic + } else { + CheckType::NoCore + } + } + + /// This will create the type of check that is available in the current crate, attempting to + /// create a check that generates an assertion, without assuming the condition afterwards. + /// + /// If `kani` crate is available, this will return [CheckType::Assert], and the instance will + /// point to `kani::assert`. Otherwise, we will collect the `core::panic_str` method and return + /// [CheckType::Panic]. + pub fn new_assert(tcx: TyCtxt) -> CheckType { + if let Some(instance) = find_instance(tcx, "KaniCheck") { + CheckType::Assert(instance) + } else if find_instance(tcx, "panic_str").is_some() { + CheckType::Panic + } else { + CheckType::NoCore + } + } +} + +/// We store the index of an instruction to avoid borrow checker issues and unnecessary copies. +#[derive(Copy, Clone, Debug)] +pub enum SourceInstruction { + Statement { idx: usize, bb: BasicBlockIdx }, + Terminator { bb: BasicBlockIdx }, +} + +impl SourceInstruction { + pub fn span(&self, blocks: &[BasicBlock]) -> Span { + match *self { + SourceInstruction::Statement { idx, bb } => blocks[bb].statements[idx].span, + SourceInstruction::Terminator { bb } => blocks[bb].terminator.span, + } + } +} + +fn find_instance(tcx: TyCtxt, diagnostic: &str) -> Option { + Instance::resolve(find_fn_def(tcx, diagnostic)?, &GenericArgs(vec![])).ok() +} + +/// Basic mutable body visitor. +/// +/// We removed many methods for simplicity. +/// +/// TODO: Contribute this to stable_mir. +/// +/// +/// This code was based on the existing MirVisitor: +/// +pub trait MutMirVisitor { + fn visit_body(&mut self, body: &mut MutableBody) { + self.super_body(body) + } + + fn visit_basic_block(&mut self, bb: &mut BasicBlock) { + self.super_basic_block(bb) + } + + fn visit_statement(&mut self, stmt: &mut Statement) { + self.super_statement(stmt) + } + + fn visit_terminator(&mut self, term: &mut Terminator) { + self.super_terminator(term) + } + + fn visit_rvalue(&mut self, rvalue: &mut Rvalue) { + self.super_rvalue(rvalue) + } + + fn visit_operand(&mut self, _operand: &mut Operand) {} + + fn super_body(&mut self, body: &mut MutableBody) { + for bb in body.blocks.iter_mut() { + self.visit_basic_block(bb); + } + } + + fn super_basic_block(&mut self, bb: &mut BasicBlock) { + for stmt in &mut bb.statements { + self.visit_statement(stmt); + } + self.visit_terminator(&mut bb.terminator); + } + + fn super_statement(&mut self, stmt: &mut Statement) { + match &mut stmt.kind { + StatementKind::Assign(_, rvalue) => { + self.visit_rvalue(rvalue); + } + StatementKind::Intrinsic(intrisic) => match intrisic { + NonDivergingIntrinsic::Assume(operand) => { + self.visit_operand(operand); + } + NonDivergingIntrinsic::CopyNonOverlapping(CopyNonOverlapping { + src, + dst, + count, + }) => { + self.visit_operand(src); + self.visit_operand(dst); + self.visit_operand(count); + } + }, + StatementKind::FakeRead(_, _) + | StatementKind::SetDiscriminant { .. } + | StatementKind::Deinit(_) + | StatementKind::StorageLive(_) + | StatementKind::StorageDead(_) + | StatementKind::Retag(_, _) + | StatementKind::PlaceMention(_) + | StatementKind::AscribeUserType { .. } + | StatementKind::Coverage(_) + | StatementKind::ConstEvalCounter + | StatementKind::Nop => {} + } + } + + fn super_terminator(&mut self, term: &mut Terminator) { + let Terminator { kind, .. } = term; + match kind { + TerminatorKind::Assert { cond, .. } => { + self.visit_operand(cond); + } + TerminatorKind::Call { func, args, .. } => { + self.visit_operand(func); + for arg in args { + self.visit_operand(arg); + } + } + TerminatorKind::SwitchInt { discr, .. } => { + self.visit_operand(discr); + } + TerminatorKind::InlineAsm { .. } => { + // we don't support inline assembly. + } + TerminatorKind::Return + | TerminatorKind::Goto { .. } + | TerminatorKind::Resume + | TerminatorKind::Abort + | TerminatorKind::Drop { .. } + | TerminatorKind::Unreachable => {} + } + } + + fn super_rvalue(&mut self, rvalue: &mut Rvalue) { + match rvalue { + Rvalue::Aggregate(_, operands) => { + for op in operands { + self.visit_operand(op); + } + } + Rvalue::BinaryOp(_, lhs, rhs) | Rvalue::CheckedBinaryOp(_, lhs, rhs) => { + self.visit_operand(lhs); + self.visit_operand(rhs); + } + Rvalue::Cast(_, op, _) => { + self.visit_operand(op); + } + Rvalue::Repeat(op, _) => { + self.visit_operand(op); + } + Rvalue::ShallowInitBox(op, _) => self.visit_operand(op), + Rvalue::UnaryOp(_, op) | Rvalue::Use(op) => { + self.visit_operand(op); + } + Rvalue::AddressOf(..) => {} + Rvalue::CopyForDeref(_) | Rvalue::Discriminant(_) | Rvalue::Len(_) => {} + Rvalue::Ref(..) => {} + Rvalue::ThreadLocalRef(_) => {} + Rvalue::NullaryOp(..) => {} + } + } +} + +fn get_mut_target_ref(terminator: &mut Terminator) -> &mut BasicBlockIdx { + match &mut terminator.kind { + TerminatorKind::Assert { target, .. } + | TerminatorKind::Drop { target, .. } + | TerminatorKind::Goto { target } + | TerminatorKind::Call { target: Some(target), .. } => target, + _ => unimplemented!( + "Kani can only insert instructions after terminators that have a `target` field." + ), + } +} diff --git a/kani-compiler/src/kani_middle/transform/check_uninit/mod.rs b/kani-compiler/src/kani_middle/transform/check_uninit/mod.rs new file mode 100644 index 000000000000..f46c143f16d1 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/check_uninit/mod.rs @@ -0,0 +1,541 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Implement a transformation pass that instruments the code to detect possible UB due to +//! the accesses to uninitialized memory. + +use crate::args::ExtraChecks; +use crate::kani_middle::find_fn_def; +use crate::kani_middle::transform::body::{ + CheckType, InsertPosition, MutableBody, SourceInstruction, +}; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::TyCtxt; +use rustc_smir::rustc_internal; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::{AggregateKind, Body, ConstOperand, Mutability, Operand, Place, Rvalue}; +use stable_mir::ty::{ + FnDef, GenericArgKind, GenericArgs, MirConst, RigidTy, Ty, TyConst, TyKind, UintTy, +}; +use stable_mir::CrateDef; +use std::collections::{HashMap, HashSet}; +use std::fmt::Debug; +use tracing::{debug, trace}; + +mod ty_layout; +mod uninit_visitor; + +pub use ty_layout::{PointeeInfo, PointeeLayout}; +use uninit_visitor::{CheckUninitVisitor, InitRelevantInstruction, MemoryInitOp}; + +// Function bodies of those functions will not be instrumented as not to cause infinite recursion. +const SKIPPED_DIAGNOSTIC_ITEMS: &[&str] = &[ + "KaniIsPtrInitialized", + "KaniSetPtrInitialized", + "KaniIsSliceChunkPtrInitialized", + "KaniSetSliceChunkPtrInitialized", + "KaniIsSlicePtrInitialized", + "KaniSetSlicePtrInitialized", + "KaniIsStrPtrInitialized", + "KaniSetStrPtrInitialized", +]; + +/// Instrument the code with checks for uninitialized memory. +#[derive(Debug)] +pub struct UninitPass { + pub check_type: CheckType, + /// Used to cache FnDef lookups of injected memory initialization functions. + pub mem_init_fn_cache: HashMap<&'static str, FnDef>, +} + +impl TransformPass for UninitPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Instrumentation + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + let args = query_db.args(); + args.ub_check.contains(&ExtraChecks::Uninit) + } + + fn transform(&mut self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + + // Need to break infinite recursion when memory initialization checks are inserted, so the + // internal functions responsible for memory initialization are skipped. + if tcx + .get_diagnostic_name(rustc_internal::internal(tcx, instance.def.def_id())) + .map(|diagnostic_name| { + SKIPPED_DIAGNOSTIC_ITEMS.contains(&diagnostic_name.to_ident_string().as_str()) + }) + .unwrap_or(false) + { + return (false, body); + } + + let mut new_body = MutableBody::from(body); + let orig_len = new_body.blocks().len(); + + // Inject a call to set-up memory initialization state if the function is a harness. + if is_harness(instance, tcx) { + inject_memory_init_setup(&mut new_body, tcx, &mut self.mem_init_fn_cache); + } + + // Set of basic block indices for which analyzing first statement should be skipped. + // + // This is necessary because some checks are inserted before the source instruction, which, in + // turn, gets moved to the next basic block. Hence, we would not need to look at the + // instruction again as a part of new basic block. However, if the check is inserted after the + // source instruction, we still need to look at the first statement of the new basic block, so + // we need to keep track of which basic blocks were created as a part of injecting checks after + // the source instruction. + let mut skip_first = HashSet::new(); + + // Do not cache body.blocks().len() since it will change as we add new checks. + let mut bb_idx = 0; + while bb_idx < new_body.blocks().len() { + if let Some(candidate) = + CheckUninitVisitor::find_next(&new_body, bb_idx, skip_first.contains(&bb_idx)) + { + self.build_check_for_instruction(tcx, &mut new_body, candidate, &mut skip_first); + bb_idx += 1 + } else { + bb_idx += 1; + }; + } + (orig_len != new_body.blocks().len(), new_body.into()) + } +} + +impl UninitPass { + /// Inject memory initialization checks for each operation in an instruction. + fn build_check_for_instruction( + &mut self, + tcx: TyCtxt, + body: &mut MutableBody, + instruction: InitRelevantInstruction, + skip_first: &mut HashSet, + ) { + debug!(?instruction, "build_check"); + let mut source = instruction.source; + for operation in instruction.before_instruction { + self.build_check_for_operation(tcx, body, &mut source, operation, skip_first); + } + for operation in instruction.after_instruction { + self.build_check_for_operation(tcx, body, &mut source, operation, skip_first); + } + } + + /// Inject memory initialization check for an operation. + fn build_check_for_operation( + &mut self, + tcx: TyCtxt, + body: &mut MutableBody, + source: &mut SourceInstruction, + operation: MemoryInitOp, + skip_first: &mut HashSet, + ) { + if let MemoryInitOp::Unsupported { reason } | MemoryInitOp::TriviallyUnsafe { reason } = + &operation + { + collect_skipped(&operation, body, skip_first); + self.inject_assert_false(tcx, body, source, operation.position(), reason); + return; + }; + + let pointee_ty_info = { + let ptr_operand = operation.mk_operand(body, source); + let ptr_operand_ty = ptr_operand.ty(body.locals()).unwrap(); + let pointee_ty = match ptr_operand_ty.kind() { + TyKind::RigidTy(RigidTy::RawPtr(pointee_ty, _)) => pointee_ty, + _ => { + unreachable!( + "Should only build checks for raw pointers, `{ptr_operand_ty}` encountered." + ) + } + }; + match PointeeInfo::from_ty(pointee_ty) { + Ok(type_info) => type_info, + Err(_) => { + let reason = format!( + "Kani currently doesn't support checking memory initialization for pointers to `{pointee_ty}.", + ); + collect_skipped(&operation, body, skip_first); + self.inject_assert_false(tcx, body, source, operation.position(), &reason); + return; + } + } + }; + + match operation { + MemoryInitOp::CheckSliceChunk { .. } | MemoryInitOp::Check { .. } => { + self.build_get_and_check(tcx, body, source, operation, pointee_ty_info, skip_first) + } + MemoryInitOp::SetSliceChunk { .. } + | MemoryInitOp::Set { .. } + | MemoryInitOp::SetRef { .. } => { + self.build_set(tcx, body, source, operation, pointee_ty_info, skip_first) + } + MemoryInitOp::Unsupported { .. } | MemoryInitOp::TriviallyUnsafe { .. } => { + unreachable!() + } + } + } + + /// Inject a load from memory initialization state and an assertion that all non-padding bytes + /// are initialized. + fn build_get_and_check( + &mut self, + tcx: TyCtxt, + body: &mut MutableBody, + source: &mut SourceInstruction, + operation: MemoryInitOp, + pointee_info: PointeeInfo, + skip_first: &mut HashSet, + ) { + let ret_place = Place { + local: body.new_local(Ty::bool_ty(), source.span(body.blocks()), Mutability::Not), + projection: vec![], + }; + let ptr_operand = operation.mk_operand(body, source); + match pointee_info.layout() { + PointeeLayout::Sized { layout } => { + let layout_operand = mk_layout_operand(body, source, operation.position(), &layout); + // Depending on whether accessing the known number of elements in the slice, need to + // pass is as an argument. + let (diagnostic, args) = match &operation { + MemoryInitOp::Check { .. } => { + let diagnostic = "KaniIsPtrInitialized"; + let args = vec![ptr_operand.clone(), layout_operand]; + (diagnostic, args) + } + MemoryInitOp::CheckSliceChunk { .. } => { + let diagnostic = "KaniIsSliceChunkPtrInitialized"; + let args = + vec![ptr_operand.clone(), layout_operand, operation.expect_count()]; + (diagnostic, args) + } + _ => unreachable!(), + }; + let is_ptr_initialized_instance = resolve_mem_init_fn( + get_mem_init_fn_def(tcx, diagnostic, &mut self.mem_init_fn_cache), + layout.len(), + *pointee_info.ty(), + ); + collect_skipped(&operation, body, skip_first); + body.insert_call( + &is_ptr_initialized_instance, + source, + operation.position(), + args, + ret_place.clone(), + ); + } + PointeeLayout::Slice { element_layout } => { + // Since `str`` is a separate type, need to differentiate between [T] and str. + let (slicee_ty, diagnostic) = match pointee_info.ty().kind() { + TyKind::RigidTy(RigidTy::Slice(slicee_ty)) => { + (slicee_ty, "KaniIsSlicePtrInitialized") + } + TyKind::RigidTy(RigidTy::Str) => { + (Ty::unsigned_ty(UintTy::U8), "KaniIsStrPtrInitialized") + } + _ => unreachable!(), + }; + let is_ptr_initialized_instance = resolve_mem_init_fn( + get_mem_init_fn_def(tcx, diagnostic, &mut self.mem_init_fn_cache), + element_layout.len(), + slicee_ty, + ); + let layout_operand = + mk_layout_operand(body, source, operation.position(), &element_layout); + collect_skipped(&operation, body, skip_first); + body.insert_call( + &is_ptr_initialized_instance, + source, + operation.position(), + vec![ptr_operand.clone(), layout_operand], + ret_place.clone(), + ); + } + PointeeLayout::TraitObject => { + collect_skipped(&operation, body, skip_first); + let reason = "Kani does not support reasoning about memory initialization of pointers to trait objects."; + self.inject_assert_false(tcx, body, source, operation.position(), reason); + return; + } + }; + + // Make sure all non-padding bytes are initialized. + collect_skipped(&operation, body, skip_first); + let ptr_operand_ty = ptr_operand.ty(body.locals()).unwrap(); + body.insert_check( + tcx, + &self.check_type, + source, + operation.position(), + ret_place.local, + &format!("Undefined Behavior: Reading from an uninitialized pointer of type `{ptr_operand_ty}`"), + ) + } + + /// Inject a store into memory initialization state to initialize or deinitialize all + /// non-padding bytes. + fn build_set( + &mut self, + tcx: TyCtxt, + body: &mut MutableBody, + source: &mut SourceInstruction, + operation: MemoryInitOp, + pointee_info: PointeeInfo, + skip_first: &mut HashSet, + ) { + let ret_place = Place { + local: body.new_local(Ty::new_tuple(&[]), source.span(body.blocks()), Mutability::Not), + projection: vec![], + }; + let ptr_operand = operation.mk_operand(body, source); + let value = operation.expect_value(); + + match pointee_info.layout() { + PointeeLayout::Sized { layout } => { + let layout_operand = mk_layout_operand(body, source, operation.position(), &layout); + // Depending on whether writing to the known number of elements in the slice, need to + // pass is as an argument. + let (diagnostic, args) = match &operation { + MemoryInitOp::Set { .. } | MemoryInitOp::SetRef { .. } => { + let diagnostic = "KaniSetPtrInitialized"; + let args = vec![ + ptr_operand, + layout_operand, + Operand::Constant(ConstOperand { + span: source.span(body.blocks()), + user_ty: None, + const_: MirConst::from_bool(value), + }), + ]; + (diagnostic, args) + } + MemoryInitOp::SetSliceChunk { .. } => { + let diagnostic = "KaniSetSliceChunkPtrInitialized"; + let args = vec![ + ptr_operand, + layout_operand, + operation.expect_count(), + Operand::Constant(ConstOperand { + span: source.span(body.blocks()), + user_ty: None, + const_: MirConst::from_bool(value), + }), + ]; + (diagnostic, args) + } + _ => unreachable!(), + }; + let set_ptr_initialized_instance = resolve_mem_init_fn( + get_mem_init_fn_def(tcx, diagnostic, &mut self.mem_init_fn_cache), + layout.len(), + *pointee_info.ty(), + ); + collect_skipped(&operation, body, skip_first); + body.insert_call( + &set_ptr_initialized_instance, + source, + operation.position(), + args, + ret_place, + ); + } + PointeeLayout::Slice { element_layout } => { + // Since `str`` is a separate type, need to differentiate between [T] and str. + let (slicee_ty, diagnostic) = match pointee_info.ty().kind() { + TyKind::RigidTy(RigidTy::Slice(slicee_ty)) => { + (slicee_ty, "KaniSetSlicePtrInitialized") + } + TyKind::RigidTy(RigidTy::Str) => { + (Ty::unsigned_ty(UintTy::U8), "KaniSetStrPtrInitialized") + } + _ => unreachable!(), + }; + let set_ptr_initialized_instance = resolve_mem_init_fn( + get_mem_init_fn_def(tcx, diagnostic, &mut self.mem_init_fn_cache), + element_layout.len(), + slicee_ty, + ); + let layout_operand = + mk_layout_operand(body, source, operation.position(), &element_layout); + collect_skipped(&operation, body, skip_first); + body.insert_call( + &set_ptr_initialized_instance, + source, + operation.position(), + vec![ + ptr_operand, + layout_operand, + Operand::Constant(ConstOperand { + span: source.span(body.blocks()), + user_ty: None, + const_: MirConst::from_bool(value), + }), + ], + ret_place, + ); + } + PointeeLayout::TraitObject => { + unreachable!("Cannot change the initialization state of a trait object directly."); + } + }; + } + + fn inject_assert_false( + &self, + tcx: TyCtxt, + body: &mut MutableBody, + source: &mut SourceInstruction, + position: InsertPosition, + reason: &str, + ) { + let span = source.span(body.blocks()); + let rvalue = Rvalue::Use(Operand::Constant(ConstOperand { + const_: MirConst::from_bool(false), + span, + user_ty: None, + })); + let result = body.insert_assignment(rvalue, source, position); + body.insert_check(tcx, &self.check_type, source, position, result, reason); + } +} + +/// Create an operand from a bit array that represents a byte mask for a type layout where padding +/// bytes are marked as `false` and data bytes are marked as `true`. +/// +/// For example, the layout for: +/// ``` +/// [repr(C)] +/// struct { +/// a: u16, +/// b: u8 +/// } +/// ``` +/// will have the following byte mask `[true, true, true, false]`. +pub fn mk_layout_operand( + body: &mut MutableBody, + source: &mut SourceInstruction, + position: InsertPosition, + layout_byte_mask: &[bool], +) -> Operand { + Operand::Move(Place { + local: body.insert_assignment( + Rvalue::Aggregate( + AggregateKind::Array(Ty::bool_ty()), + layout_byte_mask + .iter() + .map(|byte| { + Operand::Constant(ConstOperand { + span: source.span(body.blocks()), + user_ty: None, + const_: MirConst::from_bool(*byte), + }) + }) + .collect(), + ), + source, + position, + ), + projection: vec![], + }) +} + +/// If injecting a new call to the function before the current statement, need to skip the original +/// statement when analyzing it as a part of the new basic block. +fn collect_skipped(operation: &MemoryInitOp, body: &MutableBody, skip_first: &mut HashSet) { + if operation.position() == InsertPosition::Before { + let new_bb_idx = body.blocks().len(); + skip_first.insert(new_bb_idx); + } +} + +/// Retrieve a function definition by diagnostic string, caching the result. +pub fn get_mem_init_fn_def( + tcx: TyCtxt, + diagnostic: &'static str, + cache: &mut HashMap<&'static str, FnDef>, +) -> FnDef { + let entry = cache.entry(diagnostic).or_insert_with(|| find_fn_def(tcx, diagnostic).unwrap()); + *entry +} + +/// Resolves a given memory initialization function with passed type parameters. +pub fn resolve_mem_init_fn(fn_def: FnDef, layout_size: usize, associated_type: Ty) -> Instance { + Instance::resolve( + fn_def, + &GenericArgs(vec![ + GenericArgKind::Const(TyConst::try_from_target_usize(layout_size as u64).unwrap()), + GenericArgKind::Type(associated_type), + ]), + ) + .unwrap() +} + +/// Checks if the instance is a harness -- an entry point of Kani analysis. +fn is_harness(instance: Instance, tcx: TyCtxt) -> bool { + let harness_identifiers = [ + vec![ + rustc_span::symbol::Symbol::intern("kanitool"), + rustc_span::symbol::Symbol::intern("proof_for_contract"), + ], + vec![ + rustc_span::symbol::Symbol::intern("kanitool"), + rustc_span::symbol::Symbol::intern("proof"), + ], + ]; + harness_identifiers.iter().any(|attr_path| { + tcx.has_attrs_with_path(rustc_internal::internal(tcx, instance.def.def_id()), attr_path) + }) +} + +/// Inject an initial call to set-up memory initialization tracking. +fn inject_memory_init_setup( + new_body: &mut MutableBody, + tcx: TyCtxt, + mem_init_fn_cache: &mut HashMap<&'static str, FnDef>, +) { + // First statement or terminator in the harness. + let mut source = if !new_body.blocks()[0].statements.is_empty() { + SourceInstruction::Statement { idx: 0, bb: 0 } + } else { + SourceInstruction::Terminator { bb: 0 } + }; + + // Dummy return place. + let ret_place = Place { + local: new_body.new_local( + Ty::new_tuple(&[]), + source.span(new_body.blocks()), + Mutability::Not, + ), + projection: vec![], + }; + + // Resolve the instance and inject a call to set-up the memory initialization state. + let memory_initialization_init = Instance::resolve( + get_mem_init_fn_def(tcx, "KaniInitializeMemoryInitializationState", mem_init_fn_cache), + &GenericArgs(vec![]), + ) + .unwrap(); + + new_body.insert_call( + &memory_initialization_init, + &mut source, + InsertPosition::Before, + vec![], + ret_place, + ); +} diff --git a/kani-compiler/src/kani_middle/transform/check_uninit/ty_layout.rs b/kani-compiler/src/kani_middle/transform/check_uninit/ty_layout.rs new file mode 100644 index 000000000000..09116230af80 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/check_uninit/ty_layout.rs @@ -0,0 +1,334 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Utility functions that help calculate type layout. + +use stable_mir::abi::{FieldsShape, Scalar, TagEncoding, ValueAbi, VariantsShape}; +use stable_mir::target::{MachineInfo, MachineSize}; +use stable_mir::ty::{AdtKind, IndexedVal, RigidTy, Ty, TyKind, UintTy}; +use stable_mir::CrateDef; + +/// Represents a chunk of data bytes in a data structure. +#[derive(Clone, Debug, Eq, PartialEq, Hash)] +struct DataBytes { + /// Offset in bytes. + offset: usize, + /// Size of this data chunk. + size: MachineSize, +} + +/// Bytewise mask, representing which bytes of a type are data and which are padding. Here, `false` +/// represents padding bytes and `true` represents data bytes. +type Layout = Vec; + +/// Create a byte-wise mask from known chunks of data bytes. +fn generate_byte_mask(size_in_bytes: usize, data_chunks: Vec) -> Vec { + let mut layout_mask = vec![false; size_in_bytes]; + for data_bytes in data_chunks.iter() { + for layout_item in + layout_mask.iter_mut().skip(data_bytes.offset).take(data_bytes.size.bytes()) + { + *layout_item = true; + } + } + layout_mask +} + +// Depending on whether the type is statically or dynamically sized, +// the layout of the element or the layout of the actual type is returned. +pub enum PointeeLayout { + /// Layout of sized objects. + Sized { layout: Layout }, + /// Layout of slices, *const/mut str is included in this case and treated as *const/mut [u8]. + Slice { element_layout: Layout }, + /// Trait objects have an arbitrary layout. + TraitObject, +} + +pub struct PointeeInfo { + pointee_ty: Ty, + layout: PointeeLayout, +} + +impl PointeeInfo { + pub fn from_ty(ty: Ty) -> Result { + match ty.kind() { + TyKind::RigidTy(rigid_ty) => match rigid_ty { + RigidTy::Str => { + let slicee_ty = Ty::unsigned_ty(UintTy::U8); + let size_in_bytes = slicee_ty.layout().unwrap().shape().size.bytes(); + let data_chunks = data_bytes_for_ty(&MachineInfo::target(), slicee_ty, 0)?; + let layout = PointeeLayout::Slice { + element_layout: generate_byte_mask(size_in_bytes, data_chunks), + }; + Ok(PointeeInfo { pointee_ty: ty, layout }) + } + RigidTy::Slice(slicee_ty) => { + let size_in_bytes = slicee_ty.layout().unwrap().shape().size.bytes(); + let data_chunks = data_bytes_for_ty(&MachineInfo::target(), slicee_ty, 0)?; + let layout = PointeeLayout::Slice { + element_layout: generate_byte_mask(size_in_bytes, data_chunks), + }; + Ok(PointeeInfo { pointee_ty: ty, layout }) + } + RigidTy::Dynamic(..) => { + Ok(PointeeInfo { pointee_ty: ty, layout: PointeeLayout::TraitObject }) + } + _ => { + if ty.layout().unwrap().shape().is_sized() { + let size_in_bytes = ty.layout().unwrap().shape().size.bytes(); + let data_chunks = data_bytes_for_ty(&MachineInfo::target(), ty, 0)?; + let layout = PointeeLayout::Sized { + layout: generate_byte_mask(size_in_bytes, data_chunks), + }; + Ok(PointeeInfo { pointee_ty: ty, layout }) + } else { + Err(format!("Cannot determine type layout for type `{ty}`")) + } + } + }, + TyKind::Alias(..) | TyKind::Param(..) | TyKind::Bound(..) => { + unreachable!("Should only encounter monomorphized types at this point.") + } + } + } + + pub fn ty(&self) -> &Ty { + &self.pointee_ty + } + + pub fn layout(&self) -> &PointeeLayout { + &self.layout + } +} + +/// Retrieve a set of data bytes with offsets for a type. +fn data_bytes_for_ty( + machine_info: &MachineInfo, + ty: Ty, + current_offset: usize, +) -> Result, String> { + let layout = ty.layout().unwrap().shape(); + + match layout.fields { + FieldsShape::Primitive => Ok(vec![match layout.abi { + ValueAbi::Scalar(Scalar::Initialized { value, .. }) => { + DataBytes { offset: current_offset, size: value.size(machine_info) } + } + _ => unreachable!("FieldsShape::Primitive with a different ABI than ValueAbi::Scalar"), + }]), + FieldsShape::Array { stride, count } if count > 0 => { + let TyKind::RigidTy(RigidTy::Array(elem_ty, _)) = ty.kind() else { unreachable!() }; + let elem_data_bytes = data_bytes_for_ty(machine_info, elem_ty, current_offset)?; + let mut result = vec![]; + if !elem_data_bytes.is_empty() { + for idx in 0..count { + let idx: usize = idx.try_into().unwrap(); + let elem_offset = idx * stride.bytes(); + let mut next_data_bytes = elem_data_bytes + .iter() + .cloned() + .map(|mut req| { + req.offset += elem_offset; + req + }) + .collect::>(); + result.append(&mut next_data_bytes) + } + } + Ok(result) + } + FieldsShape::Arbitrary { ref offsets } => { + match ty.kind().rigid().expect(&format!("unexpected type: {ty:?}")) { + RigidTy::Adt(def, args) => { + match def.kind() { + AdtKind::Enum => { + // Support basic enumeration forms + let ty_variants = def.variants(); + match layout.variants { + VariantsShape::Single { index } => { + // Only one variant is reachable. This behaves like a struct. + let fields = ty_variants[index.to_index()].fields(); + let mut fields_data_bytes = vec![]; + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = fields[idx].ty_with_args(&args); + fields_data_bytes.append(&mut data_bytes_for_ty( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(fields_data_bytes) + } + VariantsShape::Multiple { + tag_encoding: TagEncoding::Niche { .. }, + .. + } => { + Err(format!("Unsupported Enum `{}` check", def.trimmed_name()))? + } + VariantsShape::Multiple { variants, tag, .. } => { + // Retrieve data bytes for the tag. + let tag_size = match tag { + Scalar::Initialized { value, .. } => { + value.size(&machine_info) + } + Scalar::Union { .. } => { + unreachable!("Enum tag should not be a union.") + } + }; + // For enums, tag is the only field and should have offset of 0. + assert!(offsets.len() == 1 && offsets[0].bytes() == 0); + let tag_data_bytes = + vec![DataBytes { offset: current_offset, size: tag_size }]; + + // Retrieve data bytes for the fields. + let mut fields_data_bytes = vec![]; + // Iterate over all variants for the enum. + for (index, variant) in variants.iter().enumerate() { + let mut field_data_bytes_for_variant = vec![]; + let fields = ty_variants[index].fields(); + // Get offsets of all fields in a variant. + let FieldsShape::Arbitrary { offsets: field_offsets } = + variant.fields.clone() + else { + unreachable!() + }; + for field_idx in variant.fields.fields_by_offset_order() { + let field_offset = field_offsets[field_idx].bytes(); + let field_ty = fields[field_idx].ty_with_args(&args); + field_data_bytes_for_variant.append( + &mut data_bytes_for_ty( + machine_info, + field_ty, + field_offset + current_offset, + )?, + ); + } + fields_data_bytes.push(field_data_bytes_for_variant); + } + + if fields_data_bytes.is_empty() { + // If there are no fields, return the tag data bytes. + Ok(tag_data_bytes) + } else if fields_data_bytes.iter().all( + |data_bytes_for_variant| { + // Byte layout for variant N. + let byte_mask_for_variant = generate_byte_mask( + layout.size.bytes(), + data_bytes_for_variant.clone(), + ); + // Byte layout for variant 0. + let byte_mask_for_first = generate_byte_mask( + layout.size.bytes(), + fields_data_bytes.first().unwrap().clone(), + ); + byte_mask_for_variant == byte_mask_for_first + }, + ) { + // If all fields have the same layout, return fields data + // bytes. + let mut total_data_bytes = tag_data_bytes; + let mut field_data_bytes = + fields_data_bytes.first().unwrap().clone(); + total_data_bytes.append(&mut field_data_bytes); + Ok(total_data_bytes) + } else { + // Struct has multiple padding variants, Kani cannot + // differentiate between them. + Err(format!( + "Unsupported Enum `{}` check", + def.trimmed_name() + )) + } + } + } + } + AdtKind::Union => unreachable!(), + AdtKind::Struct => { + let mut struct_data_bytes = vec![]; + let fields = def.variants_iter().next().unwrap().fields(); + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = fields[idx].ty_with_args(&args); + struct_data_bytes.append(&mut data_bytes_for_ty( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(struct_data_bytes) + } + } + } + RigidTy::Pat(base_ty, ..) => { + // This is similar to a structure with one field and with niche defined. + let mut pat_data_bytes = vec![]; + pat_data_bytes.append(&mut data_bytes_for_ty(machine_info, *base_ty, 0)?); + Ok(pat_data_bytes) + } + RigidTy::Tuple(tys) => { + let mut tuple_data_bytes = vec![]; + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = tys[idx]; + tuple_data_bytes.append(&mut data_bytes_for_ty( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(tuple_data_bytes) + } + RigidTy::Bool + | RigidTy::Char + | RigidTy::Int(_) + | RigidTy::Uint(_) + | RigidTy::Float(_) + | RigidTy::Never => { + unreachable!("Expected primitive layout for {ty:?}") + } + RigidTy::Str | RigidTy::Slice(_) | RigidTy::Array(_, _) => { + unreachable!("Expected array layout for {ty:?}") + } + RigidTy::RawPtr(_, _) | RigidTy::Ref(_, _, _) => Ok(match layout.abi { + ValueAbi::Scalar(Scalar::Initialized { value, .. }) => { + // Thin pointer, ABI is a single scalar. + vec![DataBytes { offset: current_offset, size: value.size(machine_info) }] + } + ValueAbi::ScalarPair( + Scalar::Initialized { value: value_first, .. }, + Scalar::Initialized { value: value_second, .. }, + ) => { + // Fat pointer, ABI is a scalar pair. + let FieldsShape::Arbitrary { offsets } = layout.fields else { + unreachable!() + }; + // Since this is a scalar pair, only 2 elements are in the offsets vec. + assert!(offsets.len() == 2); + vec![ + DataBytes { + offset: current_offset + offsets[0].bytes(), + size: value_first.size(machine_info), + }, + DataBytes { + offset: current_offset + offsets[1].bytes(), + size: value_second.size(machine_info), + }, + ] + } + _ => unreachable!("RigidTy::RawPtr | RigidTy::Ref with a non-scalar ABI."), + }), + RigidTy::FnDef(_, _) + | RigidTy::FnPtr(_) + | RigidTy::Closure(_, _) + | RigidTy::Coroutine(_, _, _) + | RigidTy::CoroutineWitness(_, _) + | RigidTy::Foreign(_) + | RigidTy::Dynamic(_, _, _) => Err(format!("Unsupported {ty:?}")), + } + } + FieldsShape::Union(_) => Err(format!("Unsupported {ty:?}")), + FieldsShape::Array { .. } => Ok(vec![]), + } +} diff --git a/kani-compiler/src/kani_middle/transform/check_uninit/uninit_visitor.rs b/kani-compiler/src/kani_middle/transform/check_uninit/uninit_visitor.rs new file mode 100644 index 000000000000..10a93b727a77 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/check_uninit/uninit_visitor.rs @@ -0,0 +1,808 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Visitor that collects all instructions relevant to uninitialized memory access. + +use crate::kani_middle::transform::body::{InsertPosition, MutableBody, SourceInstruction}; +use stable_mir::mir::alloc::GlobalAlloc; +use stable_mir::mir::mono::{Instance, InstanceKind}; +use stable_mir::mir::visit::{Location, PlaceContext}; +use stable_mir::mir::{ + BasicBlockIdx, CastKind, LocalDecl, MirVisitor, Mutability, NonDivergingIntrinsic, Operand, + Place, PointerCoercion, ProjectionElem, Rvalue, Statement, StatementKind, Terminator, + TerminatorKind, +}; +use stable_mir::ty::{ConstantKind, RigidTy, Ty, TyKind}; +use strum_macros::AsRefStr; + +use super::{PointeeInfo, PointeeLayout}; + +/// Memory initialization operations: set or get memory initialization state for a given pointer. +#[derive(AsRefStr, Clone, Debug)] +pub enum MemoryInitOp { + /// Check memory initialization of data bytes in a memory region starting from the pointer + /// `operand` and of length `sizeof(operand)` bytes. + Check { operand: Operand }, + /// Set memory initialization state of data bytes in a memory region starting from the pointer + /// `operand` and of length `sizeof(operand)` bytes. + Set { operand: Operand, value: bool, position: InsertPosition }, + /// Check memory initialization of data bytes in a memory region starting from the pointer + /// `operand` and of length `count * sizeof(operand)` bytes. + CheckSliceChunk { operand: Operand, count: Operand }, + /// Set memory initialization state of data bytes in a memory region starting from the pointer + /// `operand` and of length `count * sizeof(operand)` bytes. + SetSliceChunk { operand: Operand, count: Operand, value: bool, position: InsertPosition }, + /// Set memory initialization of data bytes in a memory region starting from the reference to + /// `operand` and of length `sizeof(operand)` bytes. + SetRef { operand: Operand, value: bool, position: InsertPosition }, + /// Unsupported memory initialization operation. + Unsupported { reason: String }, + /// Operation that trivially accesses uninitialized memory, results in injecting `assert!(false)`. + TriviallyUnsafe { reason: String }, +} + +impl MemoryInitOp { + /// Produce an operand for the relevant memory initialization related operation. This is mostly + /// required so that the analysis can create a new local to take a reference in + /// `MemoryInitOp::SetRef`. + pub fn mk_operand(&self, body: &mut MutableBody, source: &mut SourceInstruction) -> Operand { + match self { + MemoryInitOp::Check { operand, .. } + | MemoryInitOp::Set { operand, .. } + | MemoryInitOp::CheckSliceChunk { operand, .. } + | MemoryInitOp::SetSliceChunk { operand, .. } => operand.clone(), + MemoryInitOp::SetRef { operand, .. } => Operand::Copy(Place { + local: { + let place = match operand { + Operand::Copy(place) | Operand::Move(place) => place, + Operand::Constant(_) => unreachable!(), + }; + body.insert_assignment( + Rvalue::AddressOf(Mutability::Not, place.clone()), + source, + self.position(), + ) + }, + projection: vec![], + }), + MemoryInitOp::Unsupported { .. } | MemoryInitOp::TriviallyUnsafe { .. } => { + unreachable!() + } + } + } + + pub fn expect_count(&self) -> Operand { + match self { + MemoryInitOp::CheckSliceChunk { count, .. } + | MemoryInitOp::SetSliceChunk { count, .. } => count.clone(), + MemoryInitOp::Check { .. } + | MemoryInitOp::Set { .. } + | MemoryInitOp::SetRef { .. } + | MemoryInitOp::Unsupported { .. } + | MemoryInitOp::TriviallyUnsafe { .. } => unreachable!(), + } + } + + pub fn expect_value(&self) -> bool { + match self { + MemoryInitOp::Set { value, .. } + | MemoryInitOp::SetSliceChunk { value, .. } + | MemoryInitOp::SetRef { value, .. } => *value, + MemoryInitOp::Check { .. } + | MemoryInitOp::CheckSliceChunk { .. } + | MemoryInitOp::Unsupported { .. } + | MemoryInitOp::TriviallyUnsafe { .. } => unreachable!(), + } + } + + pub fn position(&self) -> InsertPosition { + match self { + MemoryInitOp::Set { position, .. } + | MemoryInitOp::SetSliceChunk { position, .. } + | MemoryInitOp::SetRef { position, .. } => *position, + MemoryInitOp::Check { .. } + | MemoryInitOp::CheckSliceChunk { .. } + | MemoryInitOp::Unsupported { .. } + | MemoryInitOp::TriviallyUnsafe { .. } => InsertPosition::Before, + } + } +} + +/// Represents an instruction in the source code together with all memory initialization checks/sets +/// that are connected to the memory used in this instruction and whether they should be inserted +/// before or after the instruction. +#[derive(Clone, Debug)] +pub struct InitRelevantInstruction { + /// The instruction that affects the state of the memory. + pub source: SourceInstruction, + /// All memory-related operations that should happen after the instruction. + pub before_instruction: Vec, + /// All memory-related operations that should happen after the instruction. + pub after_instruction: Vec, +} + +impl InitRelevantInstruction { + pub fn push_operation(&mut self, source_op: MemoryInitOp) { + match source_op.position() { + InsertPosition::Before => self.before_instruction.push(source_op), + InsertPosition::After => self.after_instruction.push(source_op), + } + } +} + +pub struct CheckUninitVisitor<'a> { + locals: &'a [LocalDecl], + /// Whether we should skip the next instruction, since it might've been instrumented already. + /// When we instrument an instruction, we partition the basic block, and the instruction that + /// may trigger UB becomes the first instruction of the basic block, which we need to skip + /// later. + skip_next: bool, + /// The instruction being visited at a given point. + current: SourceInstruction, + /// The target instruction that should be verified. + pub target: Option, + /// The basic block being visited. + bb: BasicBlockIdx, +} + +impl<'a> CheckUninitVisitor<'a> { + pub fn find_next( + body: &'a MutableBody, + bb: BasicBlockIdx, + skip_first: bool, + ) -> Option { + let mut visitor = CheckUninitVisitor { + locals: body.locals(), + skip_next: skip_first, + current: SourceInstruction::Statement { idx: 0, bb }, + target: None, + bb, + }; + visitor.visit_basic_block(&body.blocks()[bb]); + visitor.target + } + + fn push_target(&mut self, source_op: MemoryInitOp) { + let target = self.target.get_or_insert_with(|| InitRelevantInstruction { + source: self.current, + after_instruction: vec![], + before_instruction: vec![], + }); + target.push_operation(source_op); + } +} + +impl<'a> MirVisitor for CheckUninitVisitor<'a> { + fn visit_statement(&mut self, stmt: &Statement, location: Location) { + if self.skip_next { + self.skip_next = false; + } else if self.target.is_none() { + // Leave it as an exhaustive match to be notified when a new kind is added. + match &stmt.kind { + StatementKind::Intrinsic(NonDivergingIntrinsic::CopyNonOverlapping(copy)) => { + self.super_statement(stmt, location); + // Source is a *const T and it must be initialized. + self.push_target(MemoryInitOp::CheckSliceChunk { + operand: copy.src.clone(), + count: copy.count.clone(), + }); + // Destimation is a *mut T so it gets initialized. + self.push_target(MemoryInitOp::SetSliceChunk { + operand: copy.dst.clone(), + count: copy.count.clone(), + value: true, + position: InsertPosition::After, + }); + } + StatementKind::Assign(place, rvalue) => { + // First check rvalue. + self.visit_rvalue(rvalue, location); + // Check whether we are assigning into a dereference (*ptr = _). + if let Some(place_without_deref) = try_remove_topmost_deref(place) { + // First, check that we are not dereferencing extra pointers along the way + // (e.g., **ptr = _). If yes, check whether these pointers are initialized. + let mut place_to_add_projections = + Place { local: place_without_deref.local, projection: vec![] }; + for projection_elem in place_without_deref.projection.iter() { + // If the projection is Deref and the current type is raw pointer, check + // if it points to initialized memory. + if *projection_elem == ProjectionElem::Deref { + if let TyKind::RigidTy(RigidTy::RawPtr(..)) = + place_to_add_projections.ty(&self.locals).unwrap().kind() + { + self.push_target(MemoryInitOp::Check { + operand: Operand::Copy(place_to_add_projections.clone()), + }); + }; + } + place_to_add_projections.projection.push(projection_elem.clone()); + } + if place_without_deref.ty(&self.locals).unwrap().kind().is_raw_ptr() { + self.push_target(MemoryInitOp::Set { + operand: Operand::Copy(place_without_deref), + value: true, + position: InsertPosition::After, + }); + } + } + // Check whether Rvalue creates a new initialized pointer previously not captured inside shadow memory. + if place.ty(&self.locals).unwrap().kind().is_raw_ptr() { + if let Rvalue::AddressOf(..) = rvalue { + self.push_target(MemoryInitOp::Set { + operand: Operand::Copy(place.clone()), + value: true, + position: InsertPosition::After, + }); + } + } + } + StatementKind::Deinit(place) => { + self.super_statement(stmt, location); + self.push_target(MemoryInitOp::Set { + operand: Operand::Copy(place.clone()), + value: false, + position: InsertPosition::After, + }); + } + StatementKind::FakeRead(_, _) + | StatementKind::SetDiscriminant { .. } + | StatementKind::StorageLive(_) + | StatementKind::StorageDead(_) + | StatementKind::Retag(_, _) + | StatementKind::PlaceMention(_) + | StatementKind::AscribeUserType { .. } + | StatementKind::Coverage(_) + | StatementKind::ConstEvalCounter + | StatementKind::Intrinsic(NonDivergingIntrinsic::Assume(_)) + | StatementKind::Nop => self.super_statement(stmt, location), + } + } + let SourceInstruction::Statement { idx, bb } = self.current else { unreachable!() }; + self.current = SourceInstruction::Statement { idx: idx + 1, bb }; + } + + fn visit_terminator(&mut self, term: &Terminator, location: Location) { + if !(self.skip_next || self.target.is_some()) { + self.current = SourceInstruction::Terminator { bb: self.bb }; + // Leave it as an exhaustive match to be notified when a new kind is added. + match &term.kind { + TerminatorKind::Call { func, args, destination, .. } => { + self.super_terminator(term, location); + let instance = match try_resolve_instance(self.locals, func) { + Ok(instance) => instance, + Err(reason) => { + self.super_terminator(term, location); + self.push_target(MemoryInitOp::Unsupported { reason }); + return; + } + }; + match instance.kind { + InstanceKind::Intrinsic => { + match instance.intrinsic_name().unwrap().as_str() { + intrinsic_name if can_skip_intrinsic(intrinsic_name) => { + /* Intrinsics that can be safely skipped */ + } + name if name.starts_with("atomic") => { + let num_args = match name { + // All `atomic_cxchg` intrinsics take `dst, old, src` as arguments. + name if name.starts_with("atomic_cxchg") => 3, + // All `atomic_load` intrinsics take `src` as an argument. + name if name.starts_with("atomic_load") => 1, + // All other `atomic` intrinsics take `dst, src` as arguments. + _ => 2, + }; + assert_eq!( + args.len(), + num_args, + "Unexpected number of arguments for `{name}`" + ); + assert!(matches!( + args[0].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(..)) + )); + self.push_target(MemoryInitOp::Check { + operand: args[0].clone(), + }); + } + "compare_bytes" => { + assert_eq!( + args.len(), + 3, + "Unexpected number of arguments for `compare_bytes`" + ); + assert!(matches!( + args[0].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Not)) + )); + assert!(matches!( + args[1].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Not)) + )); + self.push_target(MemoryInitOp::CheckSliceChunk { + operand: args[0].clone(), + count: args[2].clone(), + }); + self.push_target(MemoryInitOp::CheckSliceChunk { + operand: args[1].clone(), + count: args[2].clone(), + }); + } + "copy" + | "volatile_copy_memory" + | "volatile_copy_nonoverlapping_memory" => { + assert_eq!( + args.len(), + 3, + "Unexpected number of arguments for `copy`" + ); + assert!(matches!( + args[0].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Not)) + )); + assert!(matches!( + args[1].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Mut)) + )); + self.push_target(MemoryInitOp::CheckSliceChunk { + operand: args[0].clone(), + count: args[2].clone(), + }); + self.push_target(MemoryInitOp::SetSliceChunk { + operand: args[1].clone(), + count: args[2].clone(), + value: true, + position: InsertPosition::After, + }); + } + "typed_swap" => { + assert_eq!( + args.len(), + 2, + "Unexpected number of arguments for `typed_swap`" + ); + assert!(matches!( + args[0].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Mut)) + )); + assert!(matches!( + args[1].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Mut)) + )); + self.push_target(MemoryInitOp::Check { + operand: args[0].clone(), + }); + self.push_target(MemoryInitOp::Check { + operand: args[1].clone(), + }); + } + "volatile_load" | "unaligned_volatile_load" => { + assert_eq!( + args.len(), + 1, + "Unexpected number of arguments for `volatile_load`" + ); + assert!(matches!( + args[0].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Not)) + )); + self.push_target(MemoryInitOp::Check { + operand: args[0].clone(), + }); + } + "volatile_store" => { + assert_eq!( + args.len(), + 2, + "Unexpected number of arguments for `volatile_store`" + ); + assert!(matches!( + args[0].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Mut)) + )); + self.push_target(MemoryInitOp::Set { + operand: args[0].clone(), + value: true, + position: InsertPosition::After, + }); + } + "write_bytes" => { + assert_eq!( + args.len(), + 3, + "Unexpected number of arguments for `write_bytes`" + ); + assert!(matches!( + args[0].ty(self.locals).unwrap().kind(), + TyKind::RigidTy(RigidTy::RawPtr(_, Mutability::Mut)) + )); + self.push_target(MemoryInitOp::SetSliceChunk { + operand: args[0].clone(), + count: args[2].clone(), + value: true, + position: InsertPosition::After, + }) + } + intrinsic => { + self.push_target(MemoryInitOp::Unsupported { + reason: format!("Kani does not support reasoning about memory initialization of intrinsic `{intrinsic}`."), + }); + } + } + } + InstanceKind::Item => { + if instance.is_foreign_item() { + match instance.name().as_str() { + "alloc::alloc::__rust_alloc" + | "alloc::alloc::__rust_realloc" => { + /* Memory is uninitialized, nothing to do here. */ + } + "alloc::alloc::__rust_alloc_zeroed" => { + /* Memory is initialized here, need to update shadow memory. */ + self.push_target(MemoryInitOp::SetSliceChunk { + operand: Operand::Copy(destination.clone()), + count: args[0].clone(), + value: true, + position: InsertPosition::After, + }); + } + "alloc::alloc::__rust_dealloc" => { + /* Memory is uninitialized here, need to update shadow memory. */ + self.push_target(MemoryInitOp::SetSliceChunk { + operand: args[0].clone(), + count: args[1].clone(), + value: false, + position: InsertPosition::After, + }); + } + _ => {} + } + } + } + _ => {} + } + } + TerminatorKind::Drop { place, .. } => { + self.super_terminator(term, location); + let place_ty = place.ty(&self.locals).unwrap(); + + // When drop is codegen'ed for types that could define their own dropping + // behavior, a reference is taken to the place which is later implicitly coerced + // to a pointer. Hence, we need to bless this pointer as initialized. + match place + .ty(&self.locals) + .unwrap() + .kind() + .rigid() + .expect("should be working with monomorphized code") + { + RigidTy::Adt(..) | RigidTy::Dynamic(_, _, _) => { + self.push_target(MemoryInitOp::SetRef { + operand: Operand::Copy(place.clone()), + value: true, + position: InsertPosition::Before, + }); + } + _ => {} + } + + if place_ty.kind().is_raw_ptr() { + self.push_target(MemoryInitOp::Set { + operand: Operand::Copy(place.clone()), + value: false, + position: InsertPosition::After, + }); + } + } + TerminatorKind::Goto { .. } + | TerminatorKind::SwitchInt { .. } + | TerminatorKind::Resume + | TerminatorKind::Abort + | TerminatorKind::Return + | TerminatorKind::Unreachable + | TerminatorKind::Assert { .. } + | TerminatorKind::InlineAsm { .. } => self.super_terminator(term, location), + } + } + } + + fn visit_place(&mut self, place: &Place, ptx: PlaceContext, location: Location) { + for (idx, elem) in place.projection.iter().enumerate() { + let intermediate_place = + Place { local: place.local, projection: place.projection[..idx].to_vec() }; + match elem { + ProjectionElem::Deref => { + let ptr_ty = intermediate_place.ty(self.locals).unwrap(); + if ptr_ty.kind().is_raw_ptr() { + self.push_target(MemoryInitOp::Check { + operand: Operand::Copy(intermediate_place.clone()), + }); + } + } + ProjectionElem::Field(idx, target_ty) => { + if target_ty.kind().is_union() + && (!ptx.is_mutating() || place.projection.len() > idx + 1) + { + self.push_target(MemoryInitOp::Unsupported { + reason: "Kani does not support reasoning about memory initialization of unions.".to_string(), + }); + } + } + ProjectionElem::Index(_) + | ProjectionElem::ConstantIndex { .. } + | ProjectionElem::Subslice { .. } => { + /* For a slice to be indexed, it should be valid first. */ + } + ProjectionElem::Downcast(_) => {} + ProjectionElem::OpaqueCast(_) => {} + ProjectionElem::Subtype(_) => {} + } + } + self.super_place(place, ptx, location) + } + + fn visit_operand(&mut self, operand: &Operand, location: Location) { + if let Operand::Constant(constant) = operand { + if let ConstantKind::Allocated(allocation) = constant.const_.kind() { + for (_, prov) in &allocation.provenance.ptrs { + if let GlobalAlloc::Static(_) = GlobalAlloc::from(prov.0) { + if constant.ty().kind().is_raw_ptr() { + // If a static is a raw pointer, need to mark it as initialized. + self.push_target(MemoryInitOp::Set { + operand: Operand::Constant(constant.clone()), + value: true, + position: InsertPosition::Before, + }); + } + }; + } + } + } + self.super_operand(operand, location); + } + + fn visit_rvalue(&mut self, rvalue: &Rvalue, location: Location) { + if let Rvalue::Cast(cast_kind, operand, ty) = rvalue { + match cast_kind { + CastKind::PointerCoercion(PointerCoercion::Unsize) => { + if let TyKind::RigidTy(RigidTy::RawPtr(pointee_ty, _)) = ty.kind() { + if pointee_ty.kind().is_trait() { + self.push_target(MemoryInitOp::Unsupported { + reason: "Kani does not support reasoning about memory initialization of unsized pointers.".to_string(), + }); + } + } + } + CastKind::PtrToPtr => { + let operand_ty = operand.ty(&self.locals).unwrap(); + if let ( + RigidTy::RawPtr(from_ty, Mutability::Mut), + RigidTy::RawPtr(to_ty, Mutability::Mut), + ) = (operand_ty.kind().rigid().unwrap(), ty.kind().rigid().unwrap()) + { + if !tys_layout_compatible(from_ty, to_ty) { + // If casting from a mutable pointer to a mutable pointer with + // different layouts, delayed UB could occur. + self.push_target(MemoryInitOp::Unsupported { + reason: "Kani does not support reasoning about memory initialization in presence of mutable raw pointer casts that could cause delayed UB.".to_string(), + }); + } + } + } + CastKind::Transmute => { + let operand_ty = operand.ty(&self.locals).unwrap(); + if let ( + RigidTy::RawPtr(from_ty, Mutability::Mut), + RigidTy::RawPtr(to_ty, Mutability::Mut), + ) = (operand_ty.kind().rigid().unwrap(), ty.kind().rigid().unwrap()) + { + if !tys_layout_compatible(from_ty, to_ty) { + // If casting from a mutable pointer to a mutable pointer with different + // layouts, delayed UB could occur. + self.push_target(MemoryInitOp::Unsupported { + reason: "Kani does not support reasoning about memory initialization in presence of mutable raw pointer casts that could cause delayed UB.".to_string(), + }); + } + } else if !tys_layout_compatible(&operand_ty, &ty) { + // If transmuting between two types of incompatible layouts, padding + // bytes are exposed, which is UB. + self.push_target(MemoryInitOp::TriviallyUnsafe { + reason: "Transmuting between types of incompatible layouts." + .to_string(), + }); + } + } + _ => {} + } + }; + self.super_rvalue(rvalue, location); + } +} + +/// Determines if the intrinsic has no memory initialization related function and hence can be +/// safely skipped. +fn can_skip_intrinsic(intrinsic_name: &str) -> bool { + match intrinsic_name { + "add_with_overflow" + | "arith_offset" + | "assert_inhabited" + | "assert_mem_uninitialized_valid" + | "assert_zero_valid" + | "assume" + | "bitreverse" + | "black_box" + | "breakpoint" + | "bswap" + | "caller_location" + | "ceilf32" + | "ceilf64" + | "copysignf32" + | "copysignf64" + | "cosf32" + | "cosf64" + | "ctlz" + | "ctlz_nonzero" + | "ctpop" + | "cttz" + | "cttz_nonzero" + | "discriminant_value" + | "exact_div" + | "exp2f32" + | "exp2f64" + | "expf32" + | "expf64" + | "fabsf32" + | "fabsf64" + | "fadd_fast" + | "fdiv_fast" + | "floorf32" + | "floorf64" + | "fmaf32" + | "fmaf64" + | "fmul_fast" + | "forget" + | "fsub_fast" + | "is_val_statically_known" + | "likely" + | "log10f32" + | "log10f64" + | "log2f32" + | "log2f64" + | "logf32" + | "logf64" + | "maxnumf32" + | "maxnumf64" + | "min_align_of" + | "min_align_of_val" + | "minnumf32" + | "minnumf64" + | "mul_with_overflow" + | "nearbyintf32" + | "nearbyintf64" + | "needs_drop" + | "powf32" + | "powf64" + | "powif32" + | "powif64" + | "pref_align_of" + | "raw_eq" + | "rintf32" + | "rintf64" + | "rotate_left" + | "rotate_right" + | "roundf32" + | "roundf64" + | "saturating_add" + | "saturating_sub" + | "sinf32" + | "sinf64" + | "sqrtf32" + | "sqrtf64" + | "sub_with_overflow" + | "truncf32" + | "truncf64" + | "type_id" + | "type_name" + | "unchecked_div" + | "unchecked_rem" + | "unlikely" + | "vtable_size" + | "vtable_align" + | "wrapping_add" + | "wrapping_mul" + | "wrapping_sub" => { + /* Intrinsics that do not interact with memory initialization. */ + true + } + "ptr_guaranteed_cmp" | "ptr_offset_from" | "ptr_offset_from_unsigned" | "size_of_val" => { + /* AFAICS from the documentation, none of those require the pointer arguments to be actually initialized. */ + true + } + name if name.starts_with("simd") => { + /* SIMD operations */ + true + } + name if name.starts_with("atomic_fence") + || name.starts_with("atomic_singlethreadfence") => + { + /* Atomic fences */ + true + } + "copy_nonoverlapping" => unreachable!( + "Expected `core::intrinsics::unreachable` to be handled by `StatementKind::CopyNonOverlapping`" + ), + "offset" => unreachable!( + "Expected `core::intrinsics::unreachable` to be handled by `BinOp::OffSet`" + ), + "unreachable" => unreachable!( + "Expected `std::intrinsics::unreachable` to be handled by `TerminatorKind::Unreachable`" + ), + "transmute" | "transmute_copy" | "unchecked_add" | "unchecked_mul" | "unchecked_shl" + | "size_of" | "unchecked_shr" | "unchecked_sub" => { + unreachable!("Expected intrinsic to be lowered before codegen") + } + "catch_unwind" => { + unimplemented!("") + } + "retag_box_to_raw" => { + unreachable!("This was removed in the latest Rust version.") + } + _ => { + /* Everything else */ + false + } + } +} + +/// Try removing a topmost deref projection from a place if it exists, returning a place without it. +fn try_remove_topmost_deref(place: &Place) -> Option { + let mut new_place = place.clone(); + if let Some(ProjectionElem::Deref) = new_place.projection.pop() { + Some(new_place) + } else { + None + } +} + +/// Try retrieving instance for the given function operand. +fn try_resolve_instance(locals: &[LocalDecl], func: &Operand) -> Result { + let ty = func.ty(locals).unwrap(); + match ty.kind() { + TyKind::RigidTy(RigidTy::FnDef(def, args)) => Ok(Instance::resolve(def, &args).unwrap()), + _ => Err(format!( + "Kani does not support reasoning about memory initialization of arguments to `{ty:?}`." + )), + } +} + +/// Returns true if `to_ty` has a smaller or equal size and the same padding bytes as `from_ty` up until +/// its size. +fn tys_layout_compatible(from_ty: &Ty, to_ty: &Ty) -> bool { + // Retrieve layouts to assess compatibility. + let from_ty_info = PointeeInfo::from_ty(*from_ty); + let to_ty_info = PointeeInfo::from_ty(*to_ty); + if let (Ok(from_ty_info), Ok(to_ty_info)) = (from_ty_info, to_ty_info) { + let from_ty_layout = match from_ty_info.layout() { + PointeeLayout::Sized { layout } => layout, + PointeeLayout::Slice { element_layout } => element_layout, + PointeeLayout::TraitObject => return false, + }; + let to_ty_layout = match to_ty_info.layout() { + PointeeLayout::Sized { layout } => layout, + PointeeLayout::Slice { element_layout } => element_layout, + PointeeLayout::TraitObject => return false, + }; + // Ensure `to_ty_layout` does not have a larger size. + if to_ty_layout.len() <= from_ty_layout.len() { + // Check data and padding bytes pair-wise. + if from_ty_layout.iter().zip(to_ty_layout.iter()).all( + |(from_ty_layout_byte, to_ty_layout_byte)| { + // Make sure all data and padding bytes match. + from_ty_layout_byte == to_ty_layout_byte + }, + ) { + return true; + } + } + }; + false +} diff --git a/kani-compiler/src/kani_middle/transform/check_values.rs b/kani-compiler/src/kani_middle/transform/check_values.rs new file mode 100644 index 000000000000..a81f76d25393 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/check_values.rs @@ -0,0 +1,1003 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Implement a transformation pass that instrument the code to detect possible UB due to +//! the generation of an invalid value. +//! +//! This pass highly depend on Rust type layouts. For more details, see: +//! +//! +//! For that, we traverse the function body and look for unsafe operations that may generate +//! invalid values. For each operation found, we add checks to ensure the value is valid. +//! +//! Note: There is some redundancy in the checks that could be optimized. Example: +//! 1. We could merge the invalid values by the offset. +//! 2. We could avoid checking places that have been checked before. +use crate::args::ExtraChecks; +use crate::kani_middle::transform::body::{ + CheckType, InsertPosition, MutableBody, SourceInstruction, +}; +use crate::kani_middle::transform::check_values::SourceOp::UnsupportedCheck; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::{Const, TyCtxt}; +use rustc_smir::rustc_internal; +use stable_mir::abi::{FieldsShape, Scalar, TagEncoding, ValueAbi, VariantsShape, WrappingRange}; +use stable_mir::mir::mono::{Instance, InstanceKind}; +use stable_mir::mir::visit::{Location, PlaceContext, PlaceRef}; +use stable_mir::mir::{ + AggregateKind, BasicBlockIdx, BinOp, Body, CastKind, ConstOperand, FieldIdx, Local, LocalDecl, + MirVisitor, Mutability, NonDivergingIntrinsic, Operand, Place, ProjectionElem, Rvalue, + Statement, StatementKind, Terminator, TerminatorKind, +}; +use stable_mir::target::{MachineInfo, MachineSize}; +use stable_mir::ty::{AdtKind, IndexedVal, MirConst, RigidTy, Ty, TyKind, UintTy}; +use stable_mir::CrateDef; +use std::fmt::Debug; +use strum_macros::AsRefStr; +use tracing::{debug, trace}; + +/// Instrument the code with checks for invalid values. +#[derive(Debug)] +pub struct ValidValuePass { + pub check_type: CheckType, +} + +impl TransformPass for ValidValuePass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Instrumentation + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + let args = query_db.args(); + args.ub_check.contains(&ExtraChecks::Validity) + } + + /// Transform the function body by inserting checks one-by-one. + /// For every unsafe dereference or a transmute operation, we check all values are valid. + fn transform(&mut self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + let mut new_body = MutableBody::from(body); + let orig_len = new_body.blocks().len(); + // Do not cache body.blocks().len() since it will change as we add new checks. + for bb_idx in 0..new_body.blocks().len() { + let Some(candidate) = + CheckValueVisitor::find_next(tcx, &new_body, bb_idx, bb_idx >= orig_len) + else { + continue; + }; + self.build_check(tcx, &mut new_body, candidate); + } + (orig_len != new_body.blocks().len(), new_body.into()) + } +} + +impl ValidValuePass { + fn build_check(&self, tcx: TyCtxt, body: &mut MutableBody, instruction: UnsafeInstruction) { + debug!(?instruction, "build_check"); + let mut source = instruction.source; + for operation in instruction.operations { + match operation { + SourceOp::BytesValidity { ranges, target_ty, rvalue } => { + let value = body.insert_assignment(rvalue, &mut source, InsertPosition::Before); + let rvalue_ptr = Rvalue::AddressOf(Mutability::Not, Place::from(value)); + for range in ranges { + let result = build_limits(body, &range, rvalue_ptr.clone(), &mut source); + let msg = + format!("Undefined Behavior: Invalid value of type `{target_ty}`",); + body.insert_check( + tcx, + &self.check_type, + &mut source, + InsertPosition::Before, + result, + &msg, + ); + } + } + SourceOp::DerefValidity { pointee_ty, rvalue, ranges } => { + for range in ranges { + let result = build_limits(body, &range, rvalue.clone(), &mut source); + let msg = + format!("Undefined Behavior: Invalid value of type `{pointee_ty}`",); + body.insert_check( + tcx, + &self.check_type, + &mut source, + InsertPosition::Before, + result, + &msg, + ); + } + } + SourceOp::UnsupportedCheck { check, ty } => { + let reason = format!( + "Kani currently doesn't support checking validity of `{check}` for `{ty}`", + ); + self.unsupported_check(tcx, body, &mut source, &reason); + } + } + } + } + + fn unsupported_check( + &self, + tcx: TyCtxt, + body: &mut MutableBody, + source: &mut SourceInstruction, + reason: &str, + ) { + let span = source.span(body.blocks()); + let rvalue = Rvalue::Use(Operand::Constant(ConstOperand { + const_: MirConst::from_bool(false), + span, + user_ty: None, + })); + let result = body.insert_assignment(rvalue, source, InsertPosition::Before); + body.insert_check(tcx, &self.check_type, source, InsertPosition::Before, result, reason); + } +} + +fn move_local(local: Local) -> Operand { + Operand::Move(Place::from(local)) +} + +fn uint_ty(bytes: usize) -> UintTy { + match bytes { + 1 => UintTy::U8, + 2 => UintTy::U16, + 4 => UintTy::U32, + 8 => UintTy::U64, + 16 => UintTy::U128, + _ => unreachable!("Unexpected size: {bytes}"), + } +} + +/// Represent a requirement for the value stored in the given offset. +#[derive(Clone, Debug, Eq, PartialEq, Hash)] +pub struct ValidValueReq { + /// Offset in bytes. + offset: usize, + /// Size of this requirement. + size: MachineSize, + /// The range restriction is represented by a Scalar. + valid_range: WrappingRange, +} + +// TODO: Optimize checks by merging requirements whenever possible. +// There are a few cases that would need to be cover: +// 1- Ranges intersection is the same as one of the ranges (or both). +// 2- Ranges intersection is a new valid range. +// 3- Ranges intersection is a combination of two new ranges. +// 4- Intersection is empty. +impl ValidValueReq { + /// Only a type with `ValueAbi::Scalar` and `ValueAbi::ScalarPair` can be directly assigned an + /// invalid value directly. + /// + /// It's not possible to define a `rustc_layout_scalar_valid_range_*` to any other structure. + /// Note that this annotation only applies to the first scalar in the layout. + pub fn try_from_ty(machine_info: &MachineInfo, ty: Ty) -> Option { + let shape = ty.layout().unwrap().shape(); + match shape.abi { + ValueAbi::Scalar(Scalar::Initialized { value, valid_range }) + | ValueAbi::ScalarPair(Scalar::Initialized { value, valid_range }, _) => { + Some(ValidValueReq { offset: 0, size: value.size(machine_info), valid_range }) + } + ValueAbi::Scalar(_) + | ValueAbi::ScalarPair(_, _) + | ValueAbi::Uninhabited + | ValueAbi::Vector { .. } + | ValueAbi::Aggregate { .. } => None, + } + } + + /// Check if range is full. + pub fn is_full(&self) -> bool { + self.valid_range.is_full(self.size).unwrap() + } + + /// Check if this range contains `other` range. + /// + /// I.e., `scalar_2` ⊆ `scalar_1` + pub fn contains(&self, other: &ValidValueReq) -> bool { + assert_eq!(self.size, other.size); + match (self.valid_range.wraps_around(), other.valid_range.wraps_around()) { + (true, true) | (false, false) => { + self.valid_range.start <= other.valid_range.start + && self.valid_range.end >= other.valid_range.end + } + (true, false) => { + self.valid_range.start <= other.valid_range.start + || self.valid_range.end >= other.valid_range.end + } + (false, true) => self.is_full(), + } + } +} + +#[derive(AsRefStr, Clone, Debug)] +enum SourceOp { + /// Validity checks are done on a byte level when the Rvalue can generate invalid value. + /// + /// This variant tracks a location that is valid for its current type, but it may not be + /// valid for the given location in target type. This happens for: + /// - Transmute + /// - Field assignment + /// - Aggregate assignment + /// - Union Access + /// + /// Each range is a pair of offset and scalar that represents the valid values. + /// Note that the same offset may have multiple ranges that may require being joined. + BytesValidity { target_ty: Ty, rvalue: Rvalue, ranges: Vec }, + + /// Similar to BytesValidity, but it stores any dereference that may be unsafe. + /// + /// This can happen for: + /// - Raw pointer dereference + DerefValidity { pointee_ty: Ty, rvalue: Rvalue, ranges: Vec }, + + /// Represents a range check Kani currently does not support. + /// + /// This will translate into an assertion failure with an unsupported message. + /// There are many corner cases with the usage of #[rustc_layout_scalar_valid_range_*] + /// attribute. Such as valid ranges that do not intersect or enumeration with variants + /// with niche. + /// + /// Supporting all cases require significant work, and it is unlikely to exist in real world + /// code. To be on the sound side, we just emit an unsupported check, and users will need to + /// disable the check in person, and create a feature request for their case. + /// + /// TODO: Consider replacing the assertion(false) by an unsupported operation that emits a + /// compilation warning. + UnsupportedCheck { check: String, ty: Ty }, +} + +/// The unsafe instructions that may generate invalid values. +/// We need to instrument all operations to ensure the instruction is safe. +#[derive(Clone, Debug)] +struct UnsafeInstruction { + /// The instruction that depends on the potentially invalid value. + source: SourceInstruction, + /// The unsafe operations that may cause an invalid value in this instruction. + operations: Vec, +} + +/// Extract any source that may potentially trigger UB due to the generation of an invalid value. +/// +/// Generating an invalid value requires an unsafe operation, however, in MIR, it +/// may just be represented as a regular assignment. +/// +/// Thus, we have to instrument every assignment to an object that has niche and that the source +/// is an object of a different source, e.g.: +/// - Aggregate assignment +/// - Transmute +/// - MemCopy +/// - Cast +struct CheckValueVisitor<'a, 'b> { + tcx: TyCtxt<'b>, + locals: &'a [LocalDecl], + /// Whether we should skip the next instruction, since it might've been instrumented already. + /// When we instrument an instruction, we partition the basic block, and the instruction that + /// may trigger UB becomes the first instruction of the basic block, which we need to skip + /// later. + skip_next: bool, + /// The instruction being visited at a given point. + current: SourceInstruction, + /// The target instruction that should be verified. + pub target: Option, + /// The basic block being visited. + bb: BasicBlockIdx, + /// Machine information needed to calculate Niche. + machine: MachineInfo, +} + +impl<'a, 'b> CheckValueVisitor<'a, 'b> { + fn find_next( + tcx: TyCtxt<'b>, + body: &'a MutableBody, + bb: BasicBlockIdx, + skip_first: bool, + ) -> Option { + let mut visitor = CheckValueVisitor { + tcx, + locals: body.locals(), + skip_next: skip_first, + current: SourceInstruction::Statement { idx: 0, bb }, + target: None, + bb, + machine: MachineInfo::target(), + }; + visitor.visit_basic_block(&body.blocks()[bb]); + visitor.target + } + + fn push_target(&mut self, op: SourceOp) { + let target = self + .target + .get_or_insert_with(|| UnsafeInstruction { source: self.current, operations: vec![] }); + target.operations.push(op); + } +} + +impl<'a, 'b> MirVisitor for CheckValueVisitor<'a, 'b> { + fn visit_statement(&mut self, stmt: &Statement, location: Location) { + if self.skip_next { + self.skip_next = false; + } else if self.target.is_none() { + // Leave it as an exhaustive match to be notified when a new kind is added. + match &stmt.kind { + StatementKind::Intrinsic(NonDivergingIntrinsic::CopyNonOverlapping(copy)) => { + // Source is a *const T and it must be safe for read. + // TODO: Implement value check. + self.push_target(SourceOp::UnsupportedCheck { + check: "copy_nonoverlapping".to_string(), + ty: copy.src.ty(self.locals).unwrap(), + }); + } + StatementKind::Assign(place, rvalue) => { + // First check rvalue. + self.super_statement(stmt, location); + // Then check the destination place. + let ranges = assignment_check_points( + &self.machine, + self.locals, + place, + rvalue.ty(self.locals).unwrap(), + ); + if !ranges.is_empty() { + self.push_target(SourceOp::BytesValidity { + target_ty: self.locals[place.local].ty, + rvalue: rvalue.clone(), + ranges, + }); + } + } + StatementKind::FakeRead(_, _) + | StatementKind::SetDiscriminant { .. } + | StatementKind::Deinit(_) + | StatementKind::StorageLive(_) + | StatementKind::StorageDead(_) + | StatementKind::Retag(_, _) + | StatementKind::PlaceMention(_) + | StatementKind::AscribeUserType { .. } + | StatementKind::Coverage(_) + | StatementKind::ConstEvalCounter + | StatementKind::Intrinsic(NonDivergingIntrinsic::Assume(_)) + | StatementKind::Nop => self.super_statement(stmt, location), + } + } + + let SourceInstruction::Statement { idx, bb } = self.current else { unreachable!() }; + self.current = SourceInstruction::Statement { idx: idx + 1, bb }; + } + fn visit_terminator(&mut self, term: &Terminator, location: Location) { + if !(self.skip_next || self.target.is_some()) { + self.current = SourceInstruction::Terminator { bb: self.bb }; + // Leave it as an exhaustive match to be notified when a new kind is added. + match &term.kind { + TerminatorKind::Call { func, args, .. } => { + // Note: For transmute, both Src and Dst must be valid type. + // In this case, we need to save the Dst, and invoke super_terminator. + self.super_terminator(term, location); + let instance = expect_instance(self.locals, func); + if instance.kind == InstanceKind::Intrinsic { + match instance.intrinsic_name().unwrap().as_str() { + "write_bytes" => { + // The write bytes intrinsic may trigger UB in safe code. + // pub unsafe fn write_bytes(dst: *mut T, val: u8, count: usize) + // + // This is an over-approximation since writing an invalid value is + // not UB, only reading it will be. + assert_eq!( + args.len(), + 3, + "Unexpected number of arguments for `write_bytes`" + ); + let TyKind::RigidTy(RigidTy::RawPtr(target_ty, Mutability::Mut)) = + args[0].ty(self.locals).unwrap().kind() + else { + unreachable!() + }; + let validity = ty_validity_per_offset(&self.machine, target_ty, 0); + match validity { + Ok(ranges) if ranges.is_empty() => {} + Ok(ranges) => { + let sz = rustc_internal::stable(Const::from_target_usize( + self.tcx, + target_ty.layout().unwrap().shape().size.bytes() as u64, + )); + self.push_target(SourceOp::BytesValidity { + target_ty, + rvalue: Rvalue::Repeat(args[1].clone(), sz), + ranges, + }) + } + _ => self.push_target(SourceOp::UnsupportedCheck { + check: "write_bytes".to_string(), + ty: target_ty, + }), + } + } + "transmute" | "transmute_copy" => { + unreachable!("Should've been lowered") + } + _ => {} + } + } + } + TerminatorKind::Goto { .. } + | TerminatorKind::SwitchInt { .. } + | TerminatorKind::Resume + | TerminatorKind::Abort + | TerminatorKind::Return + | TerminatorKind::Unreachable + | TerminatorKind::Drop { .. } + | TerminatorKind::Assert { .. } + | TerminatorKind::InlineAsm { .. } => self.super_terminator(term, location), + } + } + } + + fn visit_place(&mut self, place: &Place, ptx: PlaceContext, location: Location) { + for (idx, elem) in place.projection.iter().enumerate() { + let place_ref = PlaceRef { local: place.local, projection: &place.projection[..idx] }; + match elem { + ProjectionElem::Deref => { + let ptr_ty = place_ref.ty(self.locals).unwrap(); + if ptr_ty.kind().is_raw_ptr() { + let target_ty = elem.ty(ptr_ty).unwrap(); + let validity = ty_validity_per_offset(&self.machine, target_ty, 0); + match validity { + Ok(ranges) if !ranges.is_empty() => { + self.push_target(SourceOp::DerefValidity { + pointee_ty: target_ty, + rvalue: Rvalue::Use( + Operand::Copy(Place { + local: place_ref.local, + projection: place_ref.projection.to_vec(), + }) + .clone(), + ), + ranges, + }) + } + Err(_msg) => self.push_target(SourceOp::UnsupportedCheck { + check: "raw pointer dereference".to_string(), + ty: target_ty, + }), + _ => {} + } + } + } + ProjectionElem::Field(idx, target_ty) => { + if target_ty.kind().is_union() + && (!ptx.is_mutating() || place.projection.len() > idx + 1) + { + let validity = ty_validity_per_offset(&self.machine, *target_ty, 0); + match validity { + Ok(ranges) if !ranges.is_empty() => { + self.push_target(SourceOp::BytesValidity { + target_ty: *target_ty, + rvalue: Rvalue::Use(Operand::Copy(Place { + local: place_ref.local, + projection: place_ref.projection.to_vec(), + })), + ranges, + }) + } + Err(_msg) => self.push_target(SourceOp::UnsupportedCheck { + check: "union access".to_string(), + ty: *target_ty, + }), + _ => {} + } + } + } + ProjectionElem::Downcast(_) => {} + ProjectionElem::OpaqueCast(_) => {} + ProjectionElem::Subtype(_) => {} + ProjectionElem::Index(_) + | ProjectionElem::ConstantIndex { .. } + | ProjectionElem::Subslice { .. } => { /* safe */ } + } + } + self.super_place(place, ptx, location) + } + + fn visit_rvalue(&mut self, rvalue: &Rvalue, location: Location) { + match rvalue { + Rvalue::Cast(kind, op, dest_ty) => match kind { + CastKind::PtrToPtr => { + // For mutable raw pointer, if the type we are casting to is less restrictive + // than the original type, writing to the pointer could generate UB if the + // value is ever read again using the original pointer. + let TyKind::RigidTy(RigidTy::RawPtr(dest_pointee_ty, Mutability::Mut)) = + dest_ty.kind() + else { + // We only care about *mut T as *mut U + return; + }; + if dest_pointee_ty.kind().is_unit() { + // Ignore cast to *mut () since nothing can be written to it. + // This is a common pattern + return; + } + + let src_ty = op.ty(self.locals).unwrap(); + debug!(?src_ty, ?dest_ty, "visit_rvalue mutcast"); + let TyKind::RigidTy(RigidTy::RawPtr(src_pointee_ty, _)) = src_ty.kind() else { + unreachable!() + }; + + if src_pointee_ty.kind().is_unit() { + // We cannot track what was the initial type. Thus, fail. + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: src_ty, + }); + return; + } + + if let Ok(src_validity) = + ty_validity_per_offset(&self.machine, src_pointee_ty, 0) + { + if !src_validity.is_empty() { + if let Ok(dest_validity) = + ty_validity_per_offset(&self.machine, dest_pointee_ty, 0) + { + if dest_validity != src_validity { + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: src_ty, + }) + } + } else { + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: *dest_ty, + }) + } + } + } else { + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: src_ty, + }) + } + } + CastKind::Transmute => { + debug!(?dest_ty, "transmute"); + // For transmute, we care about the destination type only. + // This could be optimized to only add a check if the requirements of the + // destination type are stricter than the source. + if let Ok(dest_validity) = ty_validity_per_offset(&self.machine, *dest_ty, 0) { + trace!(?dest_validity, "transmute"); + if !dest_validity.is_empty() { + self.push_target(SourceOp::BytesValidity { + target_ty: *dest_ty, + rvalue: rvalue.clone(), + ranges: dest_validity, + }) + } + } else { + self.push_target(SourceOp::UnsupportedCheck { + check: "transmute".to_string(), + ty: *dest_ty, + }) + } + } + // `DynStar` is not currently supported in Kani. + // TODO: https://github.com/model-checking/kani/issues/1784 + CastKind::DynStar => self.push_target(UnsupportedCheck { + check: "Dyn*".to_string(), + ty: (rvalue.ty(self.locals).unwrap()), + }), + CastKind::PointerExposeAddress + | CastKind::PointerWithExposedProvenance + | CastKind::PointerCoercion(_) + | CastKind::IntToInt + | CastKind::FloatToInt + | CastKind::FloatToFloat + | CastKind::IntToFloat + | CastKind::FnPtrToPtr => {} + }, + Rvalue::ShallowInitBox(_, _) => { + // The contents of the box is considered uninitialized. + // This should already be covered by the Assign detection. + } + Rvalue::Aggregate(kind, operands) => match kind { + // If the aggregated structure has invalid value, this could generate invalid value. + // But only if the operands don't have the exact same restrictions. + // This happens today with the usage of `rustc_layout_scalar_valid_range_*` + // attributes. + // In this case, only the value of the first member in memory can be restricted, + // thus, we only need to check the operand used to assign to the first in memory + // field. + AggregateKind::Adt(def, _variant, args, _, _) => { + if def.kind() == AdtKind::Struct { + let dest_ty = Ty::from_rigid_kind(RigidTy::Adt(*def, args.clone())); + if let Some(req) = ValidValueReq::try_from_ty(&self.machine, dest_ty) + && !req.is_full() + { + let dest_layout = dest_ty.layout().unwrap().shape(); + let first_op = + first_aggregate_operand(dest_ty, &dest_layout.fields, operands); + let first_ty = first_op.ty(self.locals).unwrap(); + // Rvalue must have same Abi layout except for range. + if !req.contains( + &ValidValueReq::try_from_ty(&self.machine, first_ty).unwrap(), + ) { + self.push_target(SourceOp::BytesValidity { + target_ty: dest_ty, + rvalue: Rvalue::Use(first_op), + ranges: vec![req], + }) + } + } + } + } + // Only aggregate value. + AggregateKind::Array(_) + | AggregateKind::Closure(_, _) + | AggregateKind::Coroutine(_, _, _) + | AggregateKind::RawPtr(_, _) + | AggregateKind::Tuple => {} + }, + Rvalue::AddressOf(_, _) + | Rvalue::BinaryOp(_, _, _) + | Rvalue::CheckedBinaryOp(_, _, _) + | Rvalue::CopyForDeref(_) + | Rvalue::Discriminant(_) + | Rvalue::Len(_) + | Rvalue::Ref(_, _, _) + | Rvalue::Repeat(_, _) + | Rvalue::ThreadLocalRef(_) + | Rvalue::NullaryOp(_, _) + | Rvalue::UnaryOp(_, _) + | Rvalue::Use(_) => {} + } + self.super_rvalue(rvalue, location); + } +} + +/// Gets the operand that corresponds to the assignment of the first sized field in memory. +/// +/// The first field of a structure is the only one that can have extra value restrictions imposed +/// by `rustc_layout_scalar_valid_range_*` attributes. +/// +/// Note: This requires at least one operand to be sized and there's a 1:1 match between operands +/// and field types. +fn first_aggregate_operand(dest_ty: Ty, dest_shape: &FieldsShape, operands: &[Operand]) -> Operand { + let Some(first) = first_sized_field_idx(dest_ty, dest_shape) else { unreachable!() }; + operands[first].clone() +} + +/// Index of the first non_1zst fields in memory order. +fn first_sized_field_idx(ty: Ty, shape: &FieldsShape) -> Option { + if let TyKind::RigidTy(RigidTy::Adt(adt_def, args)) = ty.kind() + && adt_def.kind() == AdtKind::Struct + { + let offset_order = shape.fields_by_offset_order(); + let fields = adt_def.variants_iter().next().unwrap().fields(); + offset_order + .into_iter() + .find(|idx| !fields[*idx].ty_with_args(&args).layout().unwrap().shape().is_1zst()) + } else { + None + } +} + +/// An assignment to a field with invalid values is unsafe, and it may trigger UB if +/// the assigned value is invalid. +/// +/// This can only happen to the first in memory sized field of a struct, and only if the field +/// type invalid range is a valid value for the rvalue type. +fn assignment_check_points( + machine_info: &MachineInfo, + locals: &[LocalDecl], + place: &Place, + rvalue_ty: Ty, +) -> Vec { + let mut ty = locals[place.local].ty; + let Some(rvalue_range) = ValidValueReq::try_from_ty(machine_info, rvalue_ty) else { + // Rvalue Abi must be Scalar / ScalarPair since destination must be Scalar / ScalarPair. + return vec![]; + }; + let mut invalid_ranges = vec![]; + for proj in &place.projection { + match proj { + ProjectionElem::Field(field_idx, field_ty) => { + let shape = ty.layout().unwrap().shape(); + if first_sized_field_idx(ty, &shape.fields) == Some(*field_idx) + && let Some(dest_valid) = ValidValueReq::try_from_ty(machine_info, ty) + && !dest_valid.is_full() + && dest_valid.size == rvalue_range.size + { + if !dest_valid.contains(&rvalue_range) { + invalid_ranges.push(dest_valid) + } + } else { + // Invalidate collected ranges so far since we are no longer in the path of + // the first element. + invalid_ranges.clear(); + } + ty = *field_ty; + } + ProjectionElem::Deref + | ProjectionElem::Index(_) + | ProjectionElem::ConstantIndex { .. } + | ProjectionElem::Subslice { .. } + | ProjectionElem::Downcast(_) + | ProjectionElem::OpaqueCast(_) + | ProjectionElem::Subtype(_) => ty = proj.ty(ty).unwrap(), + }; + } + invalid_ranges +} + +/// Retrieve instance for the given function operand. +/// +/// This will panic if the operand is not a function or if it cannot be resolved. +fn expect_instance(locals: &[LocalDecl], func: &Operand) -> Instance { + let ty = func.ty(locals).unwrap(); + match ty.kind() { + TyKind::RigidTy(RigidTy::FnDef(def, args)) => Instance::resolve(def, &args).unwrap(), + TyKind::RigidTy(RigidTy::FnPtr(sig)) => todo!("Add support to FnPtr: {sig:?}"), + _ => unreachable!("Found: {func:?}"), + } +} + +/// Instrument MIR to check the value pointed by `rvalue_ptr` satisfies requirement `req`. +/// +/// The MIR will do something equivalent to: +/// ```rust +/// let ptr = rvalue_ptr.byte_offset(req.offset); +/// let typed_ptr = ptr as *const Unsigned; // Some unsigned type with length req.size +/// let value = unsafe { *typed_ptr }; +/// req.valid_range.contains(value) +/// ``` +pub fn build_limits( + body: &mut MutableBody, + req: &ValidValueReq, + rvalue_ptr: Rvalue, + source: &mut SourceInstruction, +) -> Local { + let span = source.span(body.blocks()); + debug!(?req, ?rvalue_ptr, ?span, "build_limits"); + let primitive_ty = uint_ty(req.size.bytes()); + let start_const = body.new_uint_operand(req.valid_range.start, primitive_ty, span); + let end_const = body.new_uint_operand(req.valid_range.end, primitive_ty, span); + let orig_ptr = if req.offset != 0 { + let start_ptr = + move_local(body.insert_assignment(rvalue_ptr, source, InsertPosition::Before)); + let byte_ptr = move_local(body.insert_ptr_cast( + start_ptr, + Ty::unsigned_ty(UintTy::U8), + Mutability::Not, + source, + InsertPosition::Before, + )); + let offset_const = body.new_uint_operand(req.offset as _, UintTy::Usize, span); + let offset = move_local(body.insert_assignment( + Rvalue::Use(offset_const), + source, + InsertPosition::Before, + )); + move_local(body.insert_binary_op( + BinOp::Offset, + byte_ptr, + offset, + source, + InsertPosition::Before, + )) + } else { + move_local(body.insert_assignment(rvalue_ptr, source, InsertPosition::Before)) + }; + let value_ptr = body.insert_ptr_cast( + orig_ptr, + Ty::unsigned_ty(primitive_ty), + Mutability::Not, + source, + InsertPosition::Before, + ); + let value = Operand::Copy(Place { local: value_ptr, projection: vec![ProjectionElem::Deref] }); + let start_result = body.insert_binary_op( + BinOp::Ge, + value.clone(), + start_const, + source, + InsertPosition::Before, + ); + let end_result = + body.insert_binary_op(BinOp::Le, value, end_const, source, InsertPosition::Before); + if req.valid_range.wraps_around() { + // valid >= start || valid <= end + body.insert_binary_op( + BinOp::BitOr, + move_local(start_result), + move_local(end_result), + source, + InsertPosition::Before, + ) + } else { + // valid >= start && valid <= end + body.insert_binary_op( + BinOp::BitAnd, + move_local(start_result), + move_local(end_result), + source, + InsertPosition::Before, + ) + } +} + +/// Traverse the type and find all invalid values and their location in memory. +/// +/// Not all values are currently supported. For those not supported, we return Error. +pub fn ty_validity_per_offset( + machine_info: &MachineInfo, + ty: Ty, + current_offset: usize, +) -> Result, String> { + let layout = ty.layout().unwrap().shape(); + let ty_req = || { + if let Some(mut req) = ValidValueReq::try_from_ty(machine_info, ty) + && !req.is_full() + { + req.offset = current_offset; + vec![req] + } else { + vec![] + } + }; + match layout.fields { + FieldsShape::Primitive => Ok(ty_req()), + FieldsShape::Array { stride, count } if count > 0 => { + let TyKind::RigidTy(RigidTy::Array(elem_ty, _)) = ty.kind() else { unreachable!() }; + let elem_validity = ty_validity_per_offset(machine_info, elem_ty, current_offset)?; + let mut result = vec![]; + if !elem_validity.is_empty() { + for idx in 0..count { + let idx: usize = idx.try_into().unwrap(); + let elem_offset = idx * stride.bytes(); + let mut next_validity = elem_validity + .iter() + .cloned() + .map(|mut req| { + req.offset += elem_offset; + req + }) + .collect::>(); + result.append(&mut next_validity) + } + } + Ok(result) + } + FieldsShape::Arbitrary { ref offsets } => { + match ty.kind().rigid().expect(&format!("unexpected type: {ty:?}")) { + RigidTy::Adt(def, args) => { + match def.kind() { + AdtKind::Enum => { + // Support basic enumeration forms + let ty_variants = def.variants(); + match layout.variants { + VariantsShape::Single { index } => { + // Only one variant is reachable. This behaves like a struct. + let fields = ty_variants[index.to_index()].fields(); + let mut fields_validity = vec![]; + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = fields[idx].ty_with_args(&args); + fields_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(fields_validity) + } + VariantsShape::Multiple { + tag_encoding: TagEncoding::Niche { .. }, + .. + } => { + Err(format!("Unsupported Enum `{}` check", def.trimmed_name()))? + } + VariantsShape::Multiple { variants, .. } => { + let enum_validity = ty_req(); + let mut fields_validity = vec![]; + for (index, variant) in variants.iter().enumerate() { + let fields = ty_variants[index].fields(); + for field_idx in variant.fields.fields_by_offset_order() { + let field_offset = offsets[field_idx].bytes(); + let field_ty = fields[field_idx].ty_with_args(&args); + fields_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + } + if fields_validity.is_empty() { + Ok(enum_validity) + } else { + Err(format!( + "Unsupported Enum `{}` check", + def.trimmed_name() + )) + } + } + } + } + AdtKind::Union => unreachable!(), + AdtKind::Struct => { + // If the struct range has niche add that. + let mut struct_validity = ty_req(); + let fields = def.variants_iter().next().unwrap().fields(); + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = fields[idx].ty_with_args(&args); + struct_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(struct_validity) + } + } + } + RigidTy::Pat(base_ty, ..) => { + // This is similar to a structure with one field and with niche defined. + let mut pat_validity = ty_req(); + pat_validity.append(&mut ty_validity_per_offset(machine_info, *base_ty, 0)?); + Ok(pat_validity) + } + RigidTy::Tuple(tys) => { + let mut tuple_validity = vec![]; + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = tys[idx]; + tuple_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(tuple_validity) + } + RigidTy::Bool + | RigidTy::Char + | RigidTy::Int(_) + | RigidTy::Uint(_) + | RigidTy::Float(_) + | RigidTy::Never => { + unreachable!("Expected primitive layout for {ty:?}") + } + RigidTy::Str | RigidTy::Slice(_) | RigidTy::Array(_, _) => { + unreachable!("Expected array layout for {ty:?}") + } + RigidTy::RawPtr(_, _) | RigidTy::Ref(_, _, _) => { + // Fat pointer has arbitrary shape. + Ok(ty_req()) + } + RigidTy::FnDef(_, _) + | RigidTy::FnPtr(_) + | RigidTy::Closure(_, _) + | RigidTy::Coroutine(_, _, _) + | RigidTy::CoroutineWitness(_, _) + | RigidTy::Foreign(_) + | RigidTy::Dynamic(_, _, _) => Err(format!("Unsupported {ty:?}")), + } + } + FieldsShape::Union(_) | FieldsShape::Array { .. } => { + /* Anything is valid */ + Ok(vec![]) + } + } +} diff --git a/kani-compiler/src/kani_middle/transform/contracts.rs b/kani-compiler/src/kani_middle/transform/contracts.rs new file mode 100644 index 000000000000..3a835c7f3cb6 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/contracts.rs @@ -0,0 +1,239 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains code related to the MIR-to-MIR pass to enable contracts. +use crate::kani_middle::attributes::KaniAttributes; +use crate::kani_middle::codegen_units::CodegenUnit; +use crate::kani_middle::transform::body::MutableBody; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use cbmc::{InternString, InternedString}; +use rustc_middle::ty::TyCtxt; +use rustc_smir::rustc_internal; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::{Body, ConstOperand, Operand, TerminatorKind}; +use stable_mir::ty::{FnDef, MirConst, RigidTy, TyKind, TypeAndMut}; +use stable_mir::{CrateDef, DefId}; +use std::collections::HashSet; +use std::fmt::Debug; +use tracing::{debug, trace}; + +/// Check if we can replace calls to any_modifies or write_any. +/// +/// This pass will replace the entire body, and it should only be applied to stubs +/// that have a body. +/// +/// write_any is replaced with one of write_any_slim, write_any_slice, or write_any_str +/// depending on what the type of the input it +/// +/// any_modifies is replaced with any +#[derive(Debug)] +pub struct AnyModifiesPass { + kani_any: Option, + kani_any_modifies: Option, + kani_write_any: Option, + kani_write_any_slim: Option, + kani_write_any_slice: Option, + kani_write_any_str: Option, + stubbed: HashSet, + target_fn: Option, +} + +impl TransformPass for AnyModifiesPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Stubbing + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + // TODO: Check if this is the harness has proof_for_contract + query_db.args().unstable_features.contains(&"function-contracts".to_string()) + && self.kani_any.is_some() + } + + /// Transform the function body by replacing it with the stub body. + fn transform(&mut self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "AnyModifiesPass::transform"); + + if instance.def.def_id() == self.kani_any.unwrap().def_id() { + // Ensure kani::any is valid. + self.any_body(tcx, body) + } else if self.should_apply(tcx, instance) { + // Replace any modifies occurrences. + self.replace_any_modifies(body) + } else { + (false, body) + } + } +} + +impl AnyModifiesPass { + /// Build the pass with non-extern function stubs. + pub fn new(tcx: TyCtxt, unit: &CodegenUnit) -> AnyModifiesPass { + let item_fn_def = |item| { + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = + rustc_internal::stable(tcx.type_of(item)).value.kind() + else { + unreachable!("Expected function, but found `{:?}`", tcx.def_path_str(item)) + }; + def + }; + let kani_any = + tcx.get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniAny")).map(item_fn_def); + let kani_any_modifies = tcx + .get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniAnyModifies")) + .map(item_fn_def); + let kani_write_any = tcx + .get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniWriteAny")) + .map(item_fn_def); + let kani_write_any_slim = tcx + .get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniWriteAnySlim")) + .map(item_fn_def); + let kani_write_any_slice = tcx + .get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniWriteAnySlice")) + .map(item_fn_def); + let kani_write_any_str = tcx + .get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniWriteAnyStr")) + .map(item_fn_def); + let (target_fn, stubbed) = if let Some(harness) = unit.harnesses.first() { + let attributes = KaniAttributes::for_instance(tcx, *harness); + let target_fn = + attributes.proof_for_contract().map(|symbol| symbol.unwrap().as_str().intern()); + (target_fn, unit.stubs.keys().map(|from| from.def_id()).collect::>()) + } else { + (None, HashSet::new()) + }; + AnyModifiesPass { + kani_any, + kani_any_modifies, + kani_write_any, + kani_write_any_slim, + kani_write_any_slice, + kani_write_any_str, + target_fn, + stubbed, + } + } + + /// If we apply `transform_any_modifies` in all contract-generated items, + /// we will end up instantiating `kani::any_modifies` for the replace function + /// every time, even if we are only checking the contract, because the function + /// is always included during contract instrumentation. Thus, we must only apply + /// the transformation if we are using a verified stub or in the presence of recursion. + fn should_apply(&self, tcx: TyCtxt, instance: Instance) -> bool { + let item_attributes = + KaniAttributes::for_item(tcx, rustc_internal::internal(tcx, instance.def.def_id())); + self.stubbed.contains(&instance.def.def_id()) || item_attributes.has_recursion() + } + + /// Replace calls to `any_modifies` by calls to `any`. + fn replace_any_modifies(&self, mut body: Body) -> (bool, Body) { + let mut changed = false; + let locals = body.locals().to_vec(); + for bb in body.blocks.iter_mut() { + let TerminatorKind::Call { func, args, .. } = &mut bb.terminator.kind else { continue }; + if let TyKind::RigidTy(RigidTy::FnDef(def, instance_args)) = + func.ty(&locals).unwrap().kind() + && Some(def) == self.kani_any_modifies + { + let instance = Instance::resolve(self.kani_any.unwrap(), &instance_args).unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let span = bb.terminator.span; + let new_func = ConstOperand { span, user_ty: None, const_: literal }; + *func = Operand::Constant(new_func); + changed = true; + } + + // if this is a valid kani::write_any function + if let TyKind::RigidTy(RigidTy::FnDef(def, instance_args)) = + func.ty(&locals).unwrap().kind() + && Some(def) == self.kani_write_any + && args.len() == 1 + && let Some(fn_sig) = func.ty(&locals).unwrap().kind().fn_sig() + && let Some(TypeAndMut { ty: internal_type, mutability: _ }) = + fn_sig.skip_binder().inputs()[0].kind().builtin_deref(true) + { + // case on the type of the input + if let TyKind::RigidTy(RigidTy::Slice(_)) = internal_type.kind() { + //if the input is a slice, use write_any_slice + let instance = + Instance::resolve(self.kani_write_any_slice.unwrap(), &instance_args) + .unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let span = bb.terminator.span; + let new_func = ConstOperand { span, user_ty: None, const_: literal }; + *func = Operand::Constant(new_func); + } else if let TyKind::RigidTy(RigidTy::Str) = internal_type.kind() { + //if the input is a str, use write_any_str + let instance = + Instance::resolve(self.kani_write_any_str.unwrap(), &instance_args) + .unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let span = bb.terminator.span; + let new_func = ConstOperand { span, user_ty: None, const_: literal }; + *func = Operand::Constant(new_func); + } else { + //otherwise, use write_any_slim + let instance = + Instance::resolve(self.kani_write_any_slim.unwrap(), &instance_args) + .unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let span = bb.terminator.span; + let new_func = ConstOperand { span, user_ty: None, const_: literal }; + *func = Operand::Constant(new_func); + } + changed = true; + } + } + (changed, body) + } + + /// Check if T::Arbitrary requirement for `kani::any()` is met after replacement. + /// + /// If it T does not implement arbitrary, generate error and delete body to interrupt analysis. + fn any_body(&self, tcx: TyCtxt, mut body: Body) -> (bool, Body) { + let mut valid = true; + let locals = body.locals().to_vec(); + for bb in body.blocks.iter_mut() { + let TerminatorKind::Call { func, .. } = &mut bb.terminator.kind else { continue }; + if let TyKind::RigidTy(RigidTy::FnDef(def, args)) = func.ty(&locals).unwrap().kind() { + match Instance::resolve(def, &args) { + Ok(_) => {} + Err(e) => { + valid = false; + debug!(?e, "AnyModifiesPass::any_body failed"); + let receiver_ty = args.0[0].expect_ty(); + let msg = if self.target_fn.is_some() { + format!( + "`{receiver_ty}` doesn't implement `kani::Arbitrary`.\ + Please, check `{}` contract.", + self.target_fn.unwrap(), + ) + } else { + format!("`{receiver_ty}` doesn't implement `kani::Arbitrary`.") + }; + tcx.dcx() + .struct_span_err(rustc_internal::internal(tcx, bb.terminator.span), msg) + .with_help( + "All objects in the modifies clause must implement the Arbitrary. \ + The return type must also implement the Arbitrary trait if you \ + are checking recursion or using verified stub.", + ) + .emit(); + } + } + } + } + if valid { + (true, body) + } else { + let mut new_body = MutableBody::from(body); + new_body.clear_body(); + (false, new_body.into()) + } + } +} diff --git a/kani-compiler/src/kani_middle/transform/dump_mir_pass.rs b/kani-compiler/src/kani_middle/transform/dump_mir_pass.rs new file mode 100644 index 000000000000..9393ec0d88c9 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/dump_mir_pass.rs @@ -0,0 +1,69 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Global transformation pass, which does not modify bodies but dumps MIR whenever the appropriate debug flag is passed. + +use crate::kani_middle::reachability::CallGraph; +use crate::kani_middle::transform::GlobalPass; +use crate::kani_queries::QueryDb; +use kani_metadata::ArtifactType; +use rustc_middle::ty::TyCtxt; +use rustc_session::config::OutputType; +use stable_mir::mir::mono::{Instance, MonoItem}; +use std::fs::File; +use std::io::BufWriter; +use std::io::Write; + +use super::BodyTransformation; + +/// Dump all MIR bodies. +#[derive(Debug)] +pub struct DumpMirPass { + enabled: bool, +} + +impl DumpMirPass { + pub fn new(tcx: TyCtxt) -> Self { + Self { enabled: tcx.sess.opts.output_types.contains_key(&OutputType::Mir) } + } +} + +impl GlobalPass for DumpMirPass { + fn is_enabled(&self, _query_db: &QueryDb) -> bool { + self.enabled + } + + fn transform( + &mut self, + tcx: TyCtxt, + _call_graph: &CallGraph, + starting_items: &[MonoItem], + instances: Vec, + transformer: &mut BodyTransformation, + ) { + // Create output buffer. + let file_path = { + let base_path = tcx.output_filenames(()).path(OutputType::Object); + let base_name = base_path.as_path(); + let entry_point = (starting_items.len() == 1).then_some(starting_items[0].clone()); + // If there is a single entry point, use it as a file name. + if let Some(MonoItem::Fn(starting_instance)) = entry_point { + let mangled_name = starting_instance.mangled_name(); + let file_stem = + format!("{}_{mangled_name}", base_name.file_stem().unwrap().to_str().unwrap()); + base_name.with_file_name(file_stem).with_extension(ArtifactType::SymTabGoto) + } else { + // Otherwise, use the object output path from the compiler. + base_name.with_extension(ArtifactType::SymTabGoto) + } + }; + let out_file = File::create(file_path.with_extension("kani.mir")).unwrap(); + let mut writer = BufWriter::new(out_file); + + // For each def_id, dump their MIR. + for instance in instances.iter() { + writeln!(writer, "// Item: {} ({})", instance.name(), instance.mangled_name()).unwrap(); + let _ = transformer.body(tcx, *instance).dump(&mut writer, &instance.name()); + } + } +} diff --git a/kani-compiler/src/kani_middle/transform/kani_intrinsics.rs b/kani-compiler/src/kani_middle/transform/kani_intrinsics.rs new file mode 100644 index 000000000000..d6475465d1b1 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/kani_intrinsics.rs @@ -0,0 +1,308 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Module responsible for generating code for a few Kani intrinsics. +//! +//! These intrinsics have code that depend on information from the compiler, such as type layout +//! information; thus, they are implemented as a transformation pass where their body get generated +//! by the transformation. + +use crate::args::{Arguments, ExtraChecks}; +use crate::kani_middle::attributes::matches_diagnostic; +use crate::kani_middle::transform::body::{ + CheckType, InsertPosition, MutableBody, SourceInstruction, +}; +use crate::kani_middle::transform::check_uninit::PointeeInfo; +use crate::kani_middle::transform::check_values::{build_limits, ty_validity_per_offset}; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::TyCtxt; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::{ + BinOp, Body, ConstOperand, Operand, Place, Rvalue, Statement, StatementKind, RETURN_LOCAL, +}; +use stable_mir::target::MachineInfo; +use stable_mir::ty::{FnDef, MirConst, RigidTy, Ty, TyKind, UintTy}; +use std::collections::HashMap; +use std::fmt::Debug; +use strum_macros::AsRefStr; +use tracing::trace; + +use super::check_uninit::{ + get_mem_init_fn_def, mk_layout_operand, resolve_mem_init_fn, PointeeLayout, +}; + +/// Generate the body for a few Kani intrinsics. +#[derive(Debug)] +pub struct IntrinsicGeneratorPass { + pub check_type: CheckType, + /// Used to cache FnDef lookups of injected memory initialization functions. + pub mem_init_fn_cache: HashMap<&'static str, FnDef>, + /// Used to enable intrinsics depending on the flags passed. + pub arguments: Arguments, +} + +impl TransformPass for IntrinsicGeneratorPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Instrumentation + } + + fn is_enabled(&self, _query_db: &QueryDb) -> bool + where + Self: Sized, + { + true + } + + /// Transform the function body by inserting checks one-by-one. + /// For every unsafe dereference or a transmute operation, we check all values are valid. + fn transform(&mut self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + if matches_diagnostic(tcx, instance.def, Intrinsics::KaniValidValue.as_ref()) { + (true, self.valid_value_body(tcx, body)) + } else if matches_diagnostic(tcx, instance.def, Intrinsics::KaniIsInitialized.as_ref()) { + (true, self.is_initialized_body(tcx, body)) + } else { + (false, body) + } + } +} + +impl IntrinsicGeneratorPass { + /// Generate the body for valid value. Which should be something like: + /// + /// ``` + /// pub fn has_valid_value(ptr: *const T) -> bool { + /// let mut ret = true; + /// let bytes = ptr as *const u8; + /// for req in requirements { + /// ret &= in_range(bytes, req); + /// } + /// ret + /// } + /// ``` + fn valid_value_body(&self, tcx: TyCtxt, body: Body) -> Body { + let mut new_body = MutableBody::from(body); + new_body.clear_body(); + + // Initialize return variable with True. + let ret_var = RETURN_LOCAL; + let mut terminator = SourceInstruction::Terminator { bb: 0 }; + let span = new_body.locals()[ret_var].span; + let assign = StatementKind::Assign( + Place::from(ret_var), + Rvalue::Use(Operand::Constant(ConstOperand { + span, + user_ty: None, + const_: MirConst::from_bool(true), + })), + ); + let stmt = Statement { kind: assign, span }; + new_body.insert_stmt(stmt, &mut terminator, InsertPosition::Before); + let machine_info = MachineInfo::target(); + + // The first and only argument type. + let arg_ty = new_body.locals()[1].ty; + let TyKind::RigidTy(RigidTy::RawPtr(target_ty, _)) = arg_ty.kind() else { unreachable!() }; + let validity = ty_validity_per_offset(&machine_info, target_ty, 0); + match validity { + Ok(ranges) if ranges.is_empty() => { + // Nothing to check + } + Ok(ranges) => { + // Given the pointer argument, check for possible invalid ranges. + let rvalue = Rvalue::Use(Operand::Move(Place::from(1))); + for range in ranges { + let result = + build_limits(&mut new_body, &range, rvalue.clone(), &mut terminator); + let rvalue = Rvalue::BinaryOp( + BinOp::BitAnd, + Operand::Move(Place::from(ret_var)), + Operand::Move(Place::from(result)), + ); + let assign = StatementKind::Assign(Place::from(ret_var), rvalue); + let stmt = Statement { kind: assign, span }; + new_body.insert_stmt(stmt, &mut terminator, InsertPosition::Before); + } + } + Err(msg) => { + // We failed to retrieve all the valid ranges. + let rvalue = Rvalue::Use(Operand::Constant(ConstOperand { + const_: MirConst::from_bool(false), + span, + user_ty: None, + })); + let result = + new_body.insert_assignment(rvalue, &mut terminator, InsertPosition::Before); + let reason = format!( + "Kani currently doesn't support checking validity of `{target_ty}`. {msg}" + ); + new_body.insert_check( + tcx, + &self.check_type, + &mut terminator, + InsertPosition::Before, + result, + &reason, + ); + } + } + new_body.into() + } + + /// Generate the body for `is_initialized`, which looks like the following + /// + /// ``` + /// pub fn is_initialized(ptr: *const T, len: usize) -> bool { + /// let layout = ... // Byte mask representing the layout of T. + /// __kani_mem_init_sm_get(ptr, layout, len) + /// } + /// ``` + fn is_initialized_body(&mut self, tcx: TyCtxt, body: Body) -> Body { + let mut new_body = MutableBody::from(body); + new_body.clear_body(); + + // Initialize return variable with True. + let ret_var = RETURN_LOCAL; + let mut terminator = SourceInstruction::Terminator { bb: 0 }; + let span = new_body.locals()[ret_var].span; + let assign = StatementKind::Assign( + Place::from(ret_var), + Rvalue::Use(Operand::Constant(ConstOperand { + span, + user_ty: None, + const_: MirConst::from_bool(true), + })), + ); + let stmt = Statement { kind: assign, span }; + new_body.insert_stmt(stmt, &mut terminator, InsertPosition::Before); + + if !self.arguments.ub_check.contains(&ExtraChecks::Uninit) { + // Short-circut if uninitialized memory checks are not enabled. + return new_body.into(); + } + + // The first argument type. + let arg_ty = new_body.locals()[1].ty; + let TyKind::RigidTy(RigidTy::RawPtr(target_ty, _)) = arg_ty.kind() else { unreachable!() }; + let pointee_info = PointeeInfo::from_ty(target_ty); + match pointee_info { + Ok(pointee_info) => { + match pointee_info.layout() { + PointeeLayout::Sized { layout } => { + if layout.is_empty() { + // Encountered a ZST, so we can short-circut here. + return new_body.into(); + } + let is_ptr_initialized_instance = resolve_mem_init_fn( + get_mem_init_fn_def( + tcx, + "KaniIsPtrInitialized", + &mut self.mem_init_fn_cache, + ), + layout.len(), + *pointee_info.ty(), + ); + let layout_operand = mk_layout_operand( + &mut new_body, + &mut terminator, + InsertPosition::Before, + &layout, + ); + new_body.insert_call( + &is_ptr_initialized_instance, + &mut terminator, + InsertPosition::Before, + vec![Operand::Copy(Place::from(1)), layout_operand], + Place::from(ret_var), + ); + } + PointeeLayout::Slice { element_layout } => { + // Since `str`` is a separate type, need to differentiate between [T] and str. + let (slicee_ty, diagnostic) = match pointee_info.ty().kind() { + TyKind::RigidTy(RigidTy::Slice(slicee_ty)) => { + (slicee_ty, "KaniIsSlicePtrInitialized") + } + TyKind::RigidTy(RigidTy::Str) => { + (Ty::unsigned_ty(UintTy::U8), "KaniIsStrPtrInitialized") + } + _ => unreachable!(), + }; + let is_ptr_initialized_instance = resolve_mem_init_fn( + get_mem_init_fn_def(tcx, diagnostic, &mut self.mem_init_fn_cache), + element_layout.len(), + slicee_ty, + ); + let layout_operand = mk_layout_operand( + &mut new_body, + &mut terminator, + InsertPosition::Before, + &element_layout, + ); + new_body.insert_call( + &is_ptr_initialized_instance, + &mut terminator, + InsertPosition::Before, + vec![Operand::Copy(Place::from(1)), layout_operand], + Place::from(ret_var), + ); + } + PointeeLayout::TraitObject => { + let rvalue = Rvalue::Use(Operand::Constant(ConstOperand { + const_: MirConst::from_bool(false), + span, + user_ty: None, + })); + let result = new_body.insert_assignment( + rvalue, + &mut terminator, + InsertPosition::Before, + ); + let reason: &str = "Kani does not support reasoning about memory initialization of pointers to trait objects."; + + new_body.insert_check( + tcx, + &self.check_type, + &mut terminator, + InsertPosition::Before, + result, + &reason, + ); + } + }; + } + Err(msg) => { + // We failed to retrieve the type layout. + let rvalue = Rvalue::Use(Operand::Constant(ConstOperand { + const_: MirConst::from_bool(false), + span, + user_ty: None, + })); + let result = + new_body.insert_assignment(rvalue, &mut terminator, InsertPosition::Before); + let reason = format!( + "Kani currently doesn't support checking memory initialization of `{target_ty}`. {msg}" + ); + new_body.insert_check( + tcx, + &self.check_type, + &mut terminator, + InsertPosition::Before, + result, + &reason, + ); + } + } + new_body.into() + } +} + +#[derive(Debug, Copy, Clone, Eq, PartialEq, AsRefStr)] +#[strum(serialize_all = "PascalCase")] +enum Intrinsics { + KaniValidValue, + KaniIsInitialized, +} diff --git a/kani-compiler/src/kani_middle/transform/mod.rs b/kani-compiler/src/kani_middle/transform/mod.rs new file mode 100644 index 000000000000..5b497b09619d --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/mod.rs @@ -0,0 +1,216 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! This module is responsible for optimizing and instrumenting function bodies. +//! +//! We make transformations on bodies already monomorphized, which allow us to make stronger +//! decisions based on the instance types and constants. +//! +//! The main downside is that some transformation that don't depend on the specialized type may be +//! applied multiple times, one per specialization. +//! +//! Another downside is that these modifications cannot be applied to concrete playback, since they +//! are applied on the top of StableMIR body, which cannot be propagated back to rustc's backend. +//! +//! # Warn +//! +//! For all instrumentation passes, always use exhaustive matches to ensure soundness in case a new +//! case is added. +use crate::kani_middle::codegen_units::CodegenUnit; +use crate::kani_middle::reachability::CallGraph; +use crate::kani_middle::transform::body::CheckType; +use crate::kani_middle::transform::check_uninit::UninitPass; +use crate::kani_middle::transform::check_values::ValidValuePass; +use crate::kani_middle::transform::contracts::AnyModifiesPass; +use crate::kani_middle::transform::kani_intrinsics::IntrinsicGeneratorPass; +use crate::kani_middle::transform::stubs::{ExternFnStubPass, FnStubPass}; +use crate::kani_queries::QueryDb; +use dump_mir_pass::DumpMirPass; +use rustc_middle::ty::TyCtxt; +use stable_mir::mir::mono::{Instance, MonoItem}; +use stable_mir::mir::Body; +use std::collections::HashMap; +use std::fmt::Debug; + +pub(crate) mod body; +mod check_uninit; +mod check_values; +mod contracts; +mod dump_mir_pass; +mod kani_intrinsics; +mod stubs; + +/// Object used to retrieve a transformed instance body. +/// The transformations to be applied may be controlled by user options. +/// +/// The order however is always the same, we run optimizations first, and instrument the code +/// after. +#[derive(Debug)] +pub struct BodyTransformation { + /// The passes that may change the function body according to harness configuration. + /// The stubbing passes should be applied before so user stubs take precedence. + stub_passes: Vec>, + /// The passes that may add safety checks to the function body. + inst_passes: Vec>, + /// Cache transformation results. + cache: HashMap, +} + +impl BodyTransformation { + pub fn new(queries: &QueryDb, tcx: TyCtxt, unit: &CodegenUnit) -> Self { + let mut transformer = BodyTransformation { + stub_passes: vec![], + inst_passes: vec![], + cache: Default::default(), + }; + let check_type = CheckType::new_assert_assume(tcx); + transformer.add_pass(queries, FnStubPass::new(&unit.stubs)); + transformer.add_pass(queries, ExternFnStubPass::new(&unit.stubs)); + // This has to come after stubs since we want this to replace the stubbed body. + transformer.add_pass(queries, AnyModifiesPass::new(tcx, &unit)); + transformer.add_pass(queries, ValidValuePass { check_type: check_type.clone() }); + // Putting `UninitPass` after `ValidValuePass` makes sure that the code generated by + // `UninitPass` does not get unnecessarily instrumented by valid value checks. However, it + // would also make sense to check that the values are initialized before checking their + // validity. In the future, it would be nice to have a mechanism to skip automatically + // generated code for future instrumentation passes. + transformer.add_pass( + queries, + UninitPass { + // Since this uses demonic non-determinism under the hood, should not assume the assertion. + check_type: CheckType::new_assert(tcx), + mem_init_fn_cache: HashMap::new(), + }, + ); + transformer.add_pass( + queries, + IntrinsicGeneratorPass { + check_type, + mem_init_fn_cache: HashMap::new(), + arguments: queries.args().clone(), + }, + ); + transformer + } + + /// Retrieve the body of an instance. This does not apply global passes, but will retrieve the + /// body after global passes running if they were previously applied. + /// + /// Note that this assumes that the instance does have a body since existing consumers already + /// assume that. Use `instance.has_body()` to check if an instance has a body. + pub fn body(&mut self, tcx: TyCtxt, instance: Instance) -> Body { + match self.cache.get(&instance) { + Some(TransformationResult::Modified(body)) => body.clone(), + Some(TransformationResult::NotModified) => instance.body().unwrap(), + None => { + let mut body = instance.body().unwrap(); + let mut modified = false; + for pass in self.stub_passes.iter_mut().chain(self.inst_passes.iter_mut()) { + let result = pass.transform(tcx, body, instance); + modified |= result.0; + body = result.1; + } + + let result = if modified { + TransformationResult::Modified(body.clone()) + } else { + TransformationResult::NotModified + }; + self.cache.insert(instance, result); + body + } + } + } + + fn add_pass(&mut self, query_db: &QueryDb, pass: P) { + if pass.is_enabled(&query_db) { + match P::transformation_type() { + TransformationType::Instrumentation => self.inst_passes.push(Box::new(pass)), + TransformationType::Stubbing => self.stub_passes.push(Box::new(pass)), + } + } + } +} + +/// The type of transformation that a pass may perform. +#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)] +pub(crate) enum TransformationType { + /// Should only add assertion checks to ensure the program is correct. + Instrumentation, + /// Apply some sort of stubbing. + Stubbing, +} + +/// A trait to represent transformation passes that can be used to modify the body of a function. +pub(crate) trait TransformPass: Debug { + /// The type of transformation that this pass implements. + fn transformation_type() -> TransformationType + where + Self: Sized; + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized; + + /// Run a transformation pass in the function body. + fn transform(&mut self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body); +} + +/// A trait to represent transformation passes that operate on the whole codegen unit. +pub(crate) trait GlobalPass: Debug { + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized; + + /// Run a transformation pass on the whole codegen unit. + fn transform( + &mut self, + tcx: TyCtxt, + call_graph: &CallGraph, + starting_items: &[MonoItem], + instances: Vec, + transformer: &mut BodyTransformation, + ); +} + +/// The transformation result. +/// We currently only cache the body of functions that were instrumented. +#[derive(Clone, Debug)] +enum TransformationResult { + Modified(Body), + NotModified, +} + +pub struct GlobalPasses { + /// The passes that operate on the whole codegen unit, they run after all previous passes are + /// done. + global_passes: Vec>, +} + +impl GlobalPasses { + pub fn new(queries: &QueryDb, tcx: TyCtxt) -> Self { + let mut global_passes = GlobalPasses { global_passes: vec![] }; + global_passes.add_global_pass(queries, DumpMirPass::new(tcx)); + global_passes + } + + fn add_global_pass(&mut self, query_db: &QueryDb, pass: P) { + if pass.is_enabled(&query_db) { + self.global_passes.push(Box::new(pass)) + } + } + + /// Run all global passes and store the results in a cache that can later be queried by `body`. + pub fn run_global_passes( + &mut self, + transformer: &mut BodyTransformation, + tcx: TyCtxt, + starting_items: &[MonoItem], + instances: Vec, + call_graph: CallGraph, + ) { + for global_pass in self.global_passes.iter_mut() { + global_pass.transform(tcx, &call_graph, starting_items, instances.clone(), transformer); + } + } +} diff --git a/kani-compiler/src/kani_middle/transform/stubs.rs b/kani-compiler/src/kani_middle/transform/stubs.rs new file mode 100644 index 000000000000..3dbd667c3943 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/stubs.rs @@ -0,0 +1,226 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains code related to the MIR-to-MIR pass that performs the +//! stubbing of functions and methods. +use crate::kani_middle::codegen_units::Stubs; +use crate::kani_middle::stubbing::{contract_host_param, validate_stub_const}; +use crate::kani_middle::transform::body::{MutMirVisitor, MutableBody}; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::TyCtxt; +use rustc_smir::rustc_internal; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::visit::{Location, MirVisitor}; +use stable_mir::mir::{Body, ConstOperand, LocalDecl, Operand, Terminator, TerminatorKind}; +use stable_mir::ty::{FnDef, MirConst, RigidTy, TyKind}; +use stable_mir::CrateDef; +use std::collections::HashMap; +use std::fmt::Debug; +use tracing::{debug, trace}; + +/// Replace the body of a function that is stubbed by the other. +/// +/// This pass will replace the entire body, and it should only be applied to stubs +/// that have a body. +#[derive(Debug)] +pub struct FnStubPass { + stubs: Stubs, +} + +impl TransformPass for FnStubPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Stubbing + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + query_db.args().stubbing_enabled && !self.stubs.is_empty() + } + + /// Transform the function body by replacing it with the stub body. + fn transform(&mut self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + let ty = instance.ty(); + if let TyKind::RigidTy(RigidTy::FnDef(fn_def, mut args)) = ty.kind() { + if let Some(replace) = self.stubs.get(&fn_def) { + if let Some(idx) = contract_host_param(tcx, fn_def, *replace) { + debug!(?idx, "FnStubPass::transform remove_host_param"); + args.0.remove(idx); + } + let new_instance = Instance::resolve(*replace, &args).unwrap(); + debug!(from=?instance.name(), to=?new_instance.name(), "FnStubPass::transform"); + if let Some(body) = FnStubValidator::validate(tcx, (fn_def, *replace), new_instance) + { + return (true, body); + } + } + } + (false, body) + } +} + +impl FnStubPass { + /// Build the pass with non-extern function stubs. + pub fn new(all_stubs: &Stubs) -> FnStubPass { + let stubs = all_stubs + .iter() + .filter_map(|(from, to)| (has_body(*from) && has_body(*to)).then_some((*from, *to))) + .collect::>(); + FnStubPass { stubs } + } +} + +/// Replace the body of a function that is stubbed by the other. +/// +/// This pass will replace the function call, since one of the functions do not have a body to +/// replace. +#[derive(Debug)] +pub struct ExternFnStubPass { + pub stubs: Stubs, +} + +impl TransformPass for ExternFnStubPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Stubbing + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + query_db.args().stubbing_enabled && !self.stubs.is_empty() + } + + /// Search for calls to extern functions that should be stubbed. + /// + /// We need to find function calls and function pointers. + /// We should replace this with a visitor once StableMIR includes a mutable one. + fn transform(&mut self, _tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + let mut new_body = MutableBody::from(body); + let changed = false; + let locals = new_body.locals().to_vec(); + let mut visitor = ExternFnStubVisitor { changed, locals, stubs: &self.stubs }; + visitor.visit_body(&mut new_body); + (visitor.changed, new_body.into()) + } +} + +impl ExternFnStubPass { + /// Build the pass with the extern function stubs. + /// + /// This will cover any case where the stub doesn't have a body. + pub fn new(all_stubs: &Stubs) -> ExternFnStubPass { + let stubs = all_stubs + .iter() + .filter_map(|(from, to)| (!has_body(*from) || !has_body(*to)).then_some((*from, *to))) + .collect::>(); + ExternFnStubPass { stubs } + } +} + +fn has_body(def: FnDef) -> bool { + def.body().is_some() +} + +/// Validate that the body of the stub is valid for the given instantiation +struct FnStubValidator<'a, 'tcx> { + stub: (FnDef, FnDef), + tcx: TyCtxt<'tcx>, + locals: &'a [LocalDecl], + is_valid: bool, +} + +impl<'a, 'tcx> FnStubValidator<'a, 'tcx> { + fn validate(tcx: TyCtxt, stub: (FnDef, FnDef), new_instance: Instance) -> Option { + if validate_stub_const(tcx, new_instance) { + let body = new_instance.body().unwrap(); + let mut validator = + FnStubValidator { stub, tcx, locals: body.locals(), is_valid: true }; + validator.visit_body(&body); + validator.is_valid.then_some(body) + } else { + None + } + } +} + +impl<'a, 'tcx> MirVisitor for FnStubValidator<'a, 'tcx> { + fn visit_operand(&mut self, op: &Operand, loc: Location) { + let op_ty = op.ty(self.locals).unwrap(); + if let TyKind::RigidTy(RigidTy::FnDef(def, args)) = op_ty.kind() { + if Instance::resolve(def, &args).is_err() { + self.is_valid = false; + let callee = def.name(); + let receiver_ty = args.0[0].expect_ty(); + let sep = callee.rfind("::").unwrap(); + let trait_ = &callee[..sep]; + self.tcx.dcx().span_err( + rustc_internal::internal(self.tcx, loc.span()), + format!( + "`{}` doesn't implement \ + `{}`. The function `{}` \ + cannot be stubbed by `{}` due to \ + generic bounds not being met. Callee: {}", + receiver_ty, + trait_, + self.stub.0.name(), + self.stub.1.name(), + callee, + ), + ); + } + } + } +} + +struct ExternFnStubVisitor<'a> { + changed: bool, + locals: Vec, + stubs: &'a Stubs, +} + +impl<'a> MutMirVisitor for ExternFnStubVisitor<'a> { + fn visit_terminator(&mut self, term: &mut Terminator) { + // Replace direct calls + if let TerminatorKind::Call { func, .. } = &mut term.kind { + if let TyKind::RigidTy(RigidTy::FnDef(def, args)) = + func.ty(&self.locals).unwrap().kind() + { + if let Some(new_def) = self.stubs.get(&def) { + let instance = Instance::resolve(*new_def, &args).unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let span = term.span; + let new_func = ConstOperand { span, user_ty: None, const_: literal }; + *func = Operand::Constant(new_func); + self.changed = true; + } + } + } + self.super_terminator(term); + } + + fn visit_operand(&mut self, operand: &mut Operand) { + let func_ty = operand.ty(&self.locals).unwrap(); + if let TyKind::RigidTy(RigidTy::FnDef(orig_def, args)) = func_ty.kind() { + if let Some(new_def) = self.stubs.get(&orig_def) { + let Operand::Constant(ConstOperand { span, .. }) = operand else { + unreachable!(); + }; + let instance = Instance::resolve_for_fn_ptr(*new_def, &args).unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let new_func = ConstOperand { span: *span, user_ty: None, const_: literal }; + *operand = Operand::Constant(new_func); + self.changed = true; + } + } + } +} diff --git a/kani-compiler/src/kani_queries/mod.rs b/kani-compiler/src/kani_queries/mod.rs index e918bf1b8a73..bb28237248d3 100644 --- a/kani-compiler/src/kani_queries/mod.rs +++ b/kani-compiler/src/kani_queries/mod.rs @@ -2,24 +2,16 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Define the communication between KaniCompiler and the codegen implementation. -use cbmc::{InternString, InternedString}; -use kani_metadata::AssignsContract; -use std::fmt::{Display, Formatter, Write}; -use std::{ - collections::HashMap, - path::PathBuf, - sync::{Arc, Mutex}, -}; +use std::sync::{Arc, Mutex}; use crate::args::Arguments; /// This structure should only be used behind a synchronized reference or a snapshot. +/// +/// TODO: Merge this with arguments #[derive(Debug, Default, Clone)] pub struct QueryDb { args: Option, - /// Information about all target harnesses. - pub harnesses_info: HashMap, - modifies_contracts: HashMap, } impl QueryDb { @@ -27,16 +19,6 @@ impl QueryDb { Arc::new(Mutex::new(QueryDb::default())) } - /// Get the definition hash for all harnesses that are being compiled in this compilation stage. - pub fn target_harnesses(&self) -> Vec { - self.harnesses_info.keys().cloned().collect() - } - - /// Get the model path for a given harness. - pub fn harness_model_path(&self, harness: &String) -> Option<&PathBuf> { - self.harnesses_info.get(&harness.intern()) - } - pub fn set_args(&mut self, args: Arguments) { self.args = Some(args); } @@ -44,41 +26,4 @@ impl QueryDb { pub fn args(&self) -> &Arguments { self.args.as_ref().expect("Arguments have not been initialized") } - - /// Register that a CBMC-level `assigns` contract for a function that is - /// called from this harness. - pub fn register_assigns_contract( - &mut self, - harness_name: InternedString, - contract: AssignsContract, - ) { - let replaced = self.modifies_contracts.insert(harness_name, contract); - assert!( - replaced.is_none(), - "Invariant broken, tried adding second modifies contracts to: {harness_name}", - ) - } - - /// Lookup all CBMC-level `assigns` contract were registered with - /// [`Self::add_assigns_contract`]. - pub fn assigns_contracts(&self) -> impl Iterator { - self.modifies_contracts.iter() - } -} - -struct PrintList(I); - -impl + Clone> Display for PrintList { - fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { - f.write_char('[')?; - let mut is_first = true; - for e in self.0.clone() { - if is_first { - f.write_str(", ")?; - is_first = false; - } - e.fmt(f)?; - } - f.write_char(']') - } } diff --git a/kani-compiler/src/main.rs b/kani-compiler/src/main.rs index 4316d188c02d..d2f8cf17e9e7 100644 --- a/kani-compiler/src/main.rs +++ b/kani-compiler/src/main.rs @@ -10,9 +10,11 @@ #![recursion_limit = "256"] #![feature(box_patterns)] #![feature(rustc_private)] -#![feature(lazy_cell)] #![feature(more_qualified_paths)] #![feature(iter_intersperse)] +#![feature(let_chains)] +#![feature(f128)] +#![feature(f16)] extern crate rustc_abi; extern crate rustc_ast; extern crate rustc_ast_pretty; diff --git a/kani-compiler/src/session.rs b/kani-compiler/src/session.rs index a1c3af20bb06..7ec2b79a0469 100644 --- a/kani-compiler/src/session.rs +++ b/kani-compiler/src/session.rs @@ -4,12 +4,17 @@ //! Module used to configure a compiler session. use crate::args::Arguments; +use rustc_data_structures::sync::Lrc; +use rustc_errors::emitter::Emitter; use rustc_errors::{ - emitter::Emitter, emitter::HumanReadableErrorType, fallback_fluent_bundle, json::JsonEmitter, - ColorConfig, Diagnostic, TerminalUrl, + emitter::HumanReadableErrorType, fallback_fluent_bundle, json::JsonEmitter, ColorConfig, + DiagInner, }; use rustc_session::config::ErrorOutputType; use rustc_session::EarlyDiagCtxt; +use rustc_span::source_map::FilePathMapping; +use rustc_span::source_map::SourceMap; +use std::io; use std::io::IsTerminal; use std::panic; use std::sync::LazyLock; @@ -24,7 +29,7 @@ const BUG_REPORT_URL: &str = // Custom panic hook when running under user friendly message format. #[allow(clippy::type_complexity)] -static PANIC_HOOK: LazyLock) + Sync + Send + 'static>> = +static PANIC_HOOK: LazyLock) + Sync + Send + 'static>> = LazyLock::new(|| { let hook = panic::take_hook(); panic::set_hook(Box::new(|info| { @@ -41,7 +46,7 @@ static PANIC_HOOK: LazyLock) + Sync + Send + 's // Custom panic hook when executing under json error format `--error-format=json`. #[allow(clippy::type_complexity)] -static JSON_PANIC_HOOK: LazyLock) + Sync + Send + 'static>> = +static JSON_PANIC_HOOK: LazyLock) + Sync + Send + 'static>> = LazyLock::new(|| { let hook = panic::take_hook(); panic::set_hook(Box::new(|info| { @@ -49,18 +54,16 @@ static JSON_PANIC_HOOK: LazyLock) + Sync + Send let msg = format!("Kani unexpectedly panicked at {info}.",); let fallback_bundle = fallback_fluent_bundle(rustc_driver::DEFAULT_LOCALE_RESOURCES.to_vec(), false); - let mut emitter = JsonEmitter::basic( - false, - HumanReadableErrorType::Default(ColorConfig::Never), - None, + let mut emitter = JsonEmitter::new( + Box::new(io::BufWriter::new(io::stderr())), + #[allow(clippy::arc_with_non_send_sync)] + Lrc::new(SourceMap::new(FilePathMapping::empty())), fallback_bundle, - None, false, - false, - TerminalUrl::No, + HumanReadableErrorType::Default(ColorConfig::Never), ); - let diagnostic = Diagnostic::new(rustc_errors::Level::Bug, msg); - emitter.emit_diagnostic(&diagnostic); + let diagnostic = DiagInner::new(rustc_errors::Level::Bug, msg); + emitter.emit_diagnostic(diagnostic); (*JSON_PANIC_HOOK)(info); })); hook diff --git a/kani-dependencies b/kani-dependencies index 200755839284..421188a08762 100644 --- a/kani-dependencies +++ b/kani-dependencies @@ -1,10 +1,10 @@ -CBMC_MAJOR="5" -CBMC_MINOR="95" -CBMC_VERSION="5.95.1" +CBMC_MAJOR="6" +CBMC_MINOR="1" +CBMC_VERSION="6.1.1" # If you update this version number, remember to bump it in `src/setup.rs` too CBMC_VIEWER_MAJOR="3" -CBMC_VIEWER_MINOR="8" -CBMC_VIEWER_VERSION="3.8" +CBMC_VIEWER_MINOR="9" +CBMC_VIEWER_VERSION="3.9" KISSAT_VERSION="3.1.1" diff --git a/kani-driver/Cargo.toml b/kani-driver/Cargo.toml index 2a19030840d2..d58d686d7d43 100644 --- a/kani-driver/Cargo.toml +++ b/kani-driver/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani-driver" -version = "0.45.0" +version = "0.53.0" edition = "2021" description = "Build a project with Kani and run all proof harnesses" license = "MIT OR Apache-2.0" @@ -27,13 +27,13 @@ rustc-demangle = "0.1.21" pathdiff = "0.2.1" rayon = "1.5.3" comfy-table = "7.0.1" -strum = {version = "0.25.0"} -strum_macros = {version = "0.25.2"} +strum = {version = "0.26"} +strum_macros = {version = "0.26"} tempfile = "3" tracing = {version = "0.1", features = ["max_level_trace", "release_max_level_debug"]} tracing-subscriber = {version = "0.3.8", features = ["env-filter", "json", "fmt"]} rand = "0.8" -which = "5.0.0" +which = "6" # A good set of suggested dependencies can be found in rustup: # https://github.com/rust-lang/rustup/blob/master/Cargo.toml diff --git a/kani-driver/src/args/common.rs b/kani-driver/src/args/common.rs index d4ac0a61bd17..3333ee67badf 100644 --- a/kani-driver/src/args/common.rs +++ b/kani-driver/src/args/common.rs @@ -51,6 +51,7 @@ pub trait Verbosity { /// Note that `debug() == true` must imply `verbose() == true`. fn verbose(&self) -> bool; /// Whether we should emit debug messages. + #[allow(unused)] fn debug(&self) -> bool; /// Whether any verbosity was selected. fn is_set(&self) -> bool; diff --git a/kani-driver/src/args/mod.rs b/kani-driver/src/args/mod.rs index 39b3c1fd025f..2d7593e8050a 100644 --- a/kani-driver/src/args/mod.rs +++ b/kani-driver/src/args/mod.rs @@ -6,6 +6,7 @@ pub mod assess_args; pub mod cargo; pub mod common; pub mod playback_args; +pub mod std_args; pub use assess_args::*; @@ -79,6 +80,9 @@ pub struct StandaloneArgs { #[command(subcommand)] pub command: Option, + + #[arg(long, hide = true)] + pub crate_name: Option, } /// Kani takes optional subcommands to request specialized behavior. @@ -87,6 +91,8 @@ pub struct StandaloneArgs { pub enum StandaloneSubcommand { /// Execute concrete playback testcases of a local crate. Playback(Box), + /// Verify the rust standard library. + VerifyStd(Box), } #[derive(Debug, clap::Parser)] @@ -144,8 +150,7 @@ pub struct VerificationArgs { /// Generate C file equivalent to inputted program. /// This feature is unstable and it requires `--enable-unstable` to be used - #[arg(long, hide_short_help = true, requires("enable_unstable"), - conflicts_with_all(&["function"]))] + #[arg(long, hide_short_help = true, requires("enable_unstable"))] pub gen_c: bool, /// Directory for all generated artifacts. @@ -163,19 +168,10 @@ pub struct VerificationArgs { #[command(flatten)] pub checks: CheckArgs, - /// Entry point for verification (symbol name). - /// This is an unstable feature. Consider using --harness instead - #[arg(long, hide = true, requires("enable_unstable"))] - pub function: Option, /// If specified, only run harnesses that match this filter. This option can be provided /// multiple times, which will run all tests matching any of the filters. /// If used with --exact, the harness filter will only match the exact fully qualified name of a harness. - #[arg( - long = "harness", - conflicts_with = "function", - num_args(1), - value_name = "HARNESS_FILTER" - )] + #[arg(long = "harness", num_args(1), value_name = "HARNESS_FILTER")] pub harnesses: Vec, /// When specified, the harness filter will only match the exact fully qualified name of a harness @@ -278,17 +274,6 @@ pub struct VerificationArgs { #[arg(long)] pub randomize_layout: Option>, - /// Enable the stubbing of functions and methods. - // TODO: Stubbing should in principle work with concrete playback. - // - #[arg( - long, - hide_short_help = true, - requires("enable_unstable"), - conflicts_with("concrete_playback") - )] - enable_stubbing: bool, - /// Enable Kani coverage output alongside verification result #[arg(long, hide_short_help = true)] pub coverage: bool, @@ -341,8 +326,7 @@ impl VerificationArgs { /// Is experimental stubbing enabled? pub fn is_stubbing_enabled(&self) -> bool { - self.enable_stubbing - || self.common_args.unstable_features.contains(UnstableFeature::Stubbing) + self.common_args.unstable_features.contains(UnstableFeature::Stubbing) || self.is_function_contracts_enabled() } } @@ -437,6 +421,13 @@ fn check_no_cargo_opt(is_set: bool, name: &str) -> Result<(), Error> { impl ValidateArgs for StandaloneArgs { fn validate(&self) -> Result<(), Error> { self.verify_opts.validate()?; + + match &self.command { + Some(StandaloneSubcommand::VerifyStd(args)) => args.validate()?, + // TODO: Invoke PlaybackArgs::validate() + None | Some(StandaloneSubcommand::Playback(..)) => {} + }; + // Cargo target arguments. check_no_cargo_opt(self.verify_opts.target.bins, "--bins")?; check_no_cargo_opt(self.verify_opts.target.lib, "--lib")?; @@ -521,12 +512,16 @@ impl ValidateArgs for VerificationArgs { ); } - if self.visualize && !self.common_args.enable_unstable { - return Err(Error::raw( - ErrorKind::MissingRequiredArgument, - "Missing argument: --visualize now requires --enable-unstable + if self.visualize { + if !self.common_args.enable_unstable { + return Err(Error::raw( + ErrorKind::MissingRequiredArgument, + "Missing argument: --visualize now requires --enable-unstable due to open issues involving incorrect results.", - )); + )); + } else { + print_deprecated(&self.common_args, "--visualize", "--concrete-playback"); + } } if self.mir_linker { @@ -548,7 +543,7 @@ impl ValidateArgs for VerificationArgs { if self.cbmc_args.contains(&OsString::from("--function")) { return Err(Error::raw( ErrorKind::ArgumentConflict, - "Invalid flag: --function should be provided to Kani directly, not via --cbmc-args.", + "Invalid flag: --function is not supported in Kani.", )); } if self.common_args.quiet && self.concrete_playback == Some(ConcretePlaybackMode::Print) { @@ -591,10 +586,6 @@ impl ValidateArgs for VerificationArgs { } } - if self.enable_stubbing { - print_deprecated(&self.common_args, "--enable-stubbing", "-Z stubbing"); - } - if self.concrete_playback.is_some() && !self.common_args.unstable_features.contains(UnstableFeature::ConcretePlayback) { @@ -865,15 +856,19 @@ mod tests { #[test] fn check_enable_stubbing() { - check_unstable_flag!("--enable-stubbing --harness foo", enable_stubbing); + let res = parse_unstable_disabled("--harness foo").unwrap(); + assert!(!res.verify_opts.is_stubbing_enabled()); - check_unstable_flag!("--enable-stubbing", enable_stubbing); + let res = parse_unstable_disabled("--harness foo -Z stubbing").unwrap(); + assert!(res.verify_opts.is_stubbing_enabled()); - // `--enable-stubbing` cannot be called with `--concrete-playback` - let err = - parse_unstable_enabled("--enable-stubbing --harness foo --concrete-playback=print") - .unwrap_err(); - assert_eq!(err.kind(), ErrorKind::ArgumentConflict); + // `-Z stubbing` can now be called with concrete playback. + let res = parse_unstable_disabled( + "--harness foo --concrete-playback=print -Z concrete-playback -Z stubbing", + ) + .unwrap(); + // Note that `res.validate()` fails because input file does not exist. + assert!(matches!(res.verify_opts.validate(), Ok(()))); } #[test] diff --git a/kani-driver/src/args/playback_args.rs b/kani-driver/src/args/playback_args.rs index bdad446a1158..ad82d9632a7a 100644 --- a/kani-driver/src/args/playback_args.rs +++ b/kani-driver/src/args/playback_args.rs @@ -100,8 +100,6 @@ impl ValidateArgs for PlaybackArgs { #[cfg(test)] mod tests { - use clap::Parser; - use super::*; #[test] diff --git a/kani-driver/src/args/std_args.rs b/kani-driver/src/args/std_args.rs new file mode 100644 index 000000000000..3818b6261010 --- /dev/null +++ b/kani-driver/src/args/std_args.rs @@ -0,0 +1,77 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Implements the `verify-std` subcommand handling. + +use crate::args::{ValidateArgs, VerificationArgs}; +use clap::error::ErrorKind; +use clap::{Error, Parser}; +use kani_metadata::UnstableFeature; +use std::path::PathBuf; + +/// Verify a local version of the Rust standard library. +/// +/// This is an **unstable option** and it the standard library version must be compatible with +/// Kani's toolchain version. +#[derive(Debug, Parser)] +pub struct VerifyStdArgs { + /// The path to the folder containing the crates for the Rust standard library. + /// Note that this directory must be named `library` as used in the Rust toolchain and + /// repository. + pub std_path: PathBuf, + + #[command(flatten)] + pub verify_opts: VerificationArgs, +} + +impl ValidateArgs for VerifyStdArgs { + fn validate(&self) -> Result<(), Error> { + self.verify_opts.validate()?; + + if !self + .verify_opts + .common_args + .unstable_features + .contains(UnstableFeature::UnstableOptions) + { + return Err(Error::raw( + ErrorKind::MissingRequiredArgument, + "The `verify-std` subcommand is unstable and requires -Z unstable-options", + )); + } + + if !self.std_path.exists() { + Err(Error::raw( + ErrorKind::InvalidValue, + format!( + "Invalid argument: `` argument `{}` does not exist", + self.std_path.display() + ), + )) + } else if !self.std_path.is_dir() { + Err(Error::raw( + ErrorKind::InvalidValue, + format!( + "Invalid argument: `` argument `{}` is not a directory", + self.std_path.display() + ), + )) + } else { + let full_path = self.std_path.canonicalize()?; + let dir = full_path.file_stem().unwrap(); + if dir != "library" { + Err(Error::raw( + ErrorKind::InvalidValue, + format!( + "Invalid argument: Expected `` to point to the `library` folder \ + containing the standard library crates.\n\ + Found `{}` folder instead", + dir.to_string_lossy() + ), + )) + } else { + Ok(()) + } + } + } +} diff --git a/kani-driver/src/args_toml.rs b/kani-driver/src/args_toml.rs index aaa5b3260083..37b38a425597 100644 --- a/kani-driver/src/args_toml.rs +++ b/kani-driver/src/args_toml.rs @@ -90,8 +90,11 @@ fn cargo_locate_project(input_args: &[OsString]) -> Result { /// We currently support the following entries: /// - flags: Flags that get directly passed to Kani. /// - unstable: Unstable features (it will be passed using `-Z` flag). +/// /// The tables supported are: -/// "workspace.metadata.kani", "package.metadata.kani", "kani" +/// - "workspace.metadata.kani" +/// - "package.metadata.kani" +/// - "kani" fn toml_to_args(tomldata: &str) -> Result<(Vec, Vec)> { let config = tomldata.parse::()?; // To make testing easier, our function contract is to produce a stable ordering of flags for a given input. @@ -312,6 +315,6 @@ mod tests { #[test] fn check_unstable_entry_invalid() { let name = String::from("feature"); - assert!(matches!(unstable_entry(&name, &Value::String("".to_string())), Err(_))); + assert!(unstable_entry(&name, &Value::String("".to_string())).is_err()); } } diff --git a/kani-driver/src/assess/mod.rs b/kani-driver/src/assess/mod.rs index d183e880d8b2..f5b2ccb63035 100644 --- a/kani-driver/src/assess/mod.rs +++ b/kani-driver/src/assess/mod.rs @@ -56,14 +56,8 @@ fn assess_project(mut session: KaniSession) -> Result { let project = project::cargo_project(&session, true)?; let cargo_metadata = project.cargo_metadata.as_ref().expect("built with cargo"); - let packages_metadata = if project.merged_artifacts { - // With the legacy linker we can't expect to find the metadata structure we'd expect - // so we just use it as-is. This does mean the "package count" will be wrong, but - // we will at least continue to see everything. - project.metadata.clone() - } else { - reconstruct_metadata_structure(&session, cargo_metadata, &project.metadata)? - }; + let packages_metadata = + reconstruct_metadata_structure(&session, cargo_metadata, &project.metadata)?; // We don't really have a list of crates that went into building our various targets, // so we can't easily count them. @@ -170,7 +164,7 @@ fn reconstruct_metadata_structure( } if !package_artifacts.is_empty() { let mut merged = crate::metadata::merge_kani_metadata(package_artifacts); - merged.crate_name = package.name.clone(); + merged.crate_name.clone_from(&package.name); package_metas.push(merged); } } diff --git a/kani-driver/src/assess/scan.rs b/kani-driver/src/assess/scan.rs index 5e4dc81d7e2a..ef33f91eb522 100644 --- a/kani-driver/src/assess/scan.rs +++ b/kani-driver/src/assess/scan.rs @@ -4,12 +4,12 @@ use std::collections::HashSet; use std::path::Path; use std::path::PathBuf; -use std::process::Command; use std::time::Instant; use anyhow::Result; use cargo_metadata::Package; +use crate::session::setup_cargo_command; use crate::session::KaniSession; use super::metadata::AssessMetadata; @@ -168,7 +168,8 @@ fn invoke_assess( ) -> Result<()> { let dir = manifest.parent().expect("file not in a directory?"); let log = std::fs::File::create(logfile)?; - let mut cmd = Command::new("cargo"); + + let mut cmd = setup_cargo_command()?; cmd.arg("kani"); // Use of options before 'assess' subcommand is a hack, these should be factored out. // TODO: --only-codegen should be outright an option to assess. (perhaps tests too?) diff --git a/kani-driver/src/call_cargo.rs b/kani-driver/src/call_cargo.rs index 66166913c9cb..4e8e83b562af 100644 --- a/kani-driver/src/call_cargo.rs +++ b/kani-driver/src/call_cargo.rs @@ -2,20 +2,22 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::args::VerificationArgs; -use crate::call_single_file::to_rustc_arg; +use crate::call_single_file::{to_rustc_arg, LibConfig}; use crate::project::Artifact; -use crate::session::KaniSession; -use crate::{session, util}; +use crate::session::{lib_folder, lib_no_core_folder, setup_cargo_command, KaniSession}; +use crate::util; use anyhow::{bail, Context, Result}; use cargo_metadata::diagnostic::{Diagnostic, DiagnosticLevel}; -use cargo_metadata::{Message, Metadata, MetadataCommand, Package, Target}; +use cargo_metadata::{ + Artifact as RustcArtifact, Message, Metadata, MetadataCommand, Package, Target, +}; use kani_metadata::{ArtifactType, CompilerArtifactStub}; use std::ffi::{OsStr, OsString}; use std::fmt::{self, Display}; use std::fs::{self, File}; use std::io::BufReader; use std::io::IsTerminal; -use std::path::PathBuf; +use std::path::{Path, PathBuf}; use std::process::Command; use tracing::{debug, trace}; @@ -43,6 +45,60 @@ pub struct CargoOutputs { } impl KaniSession { + /// Create a new cargo library in the given path. + pub fn cargo_init_lib(&self, path: &Path) -> Result<()> { + let mut cmd = setup_cargo_command()?; + cmd.args(["init", "--lib", path.to_string_lossy().as_ref()]); + self.run_terminal(cmd) + } + + pub fn cargo_build_std(&self, std_path: &Path, krate_path: &Path) -> Result> { + let lib_path = lib_no_core_folder().unwrap(); + let mut rustc_args = self.kani_rustc_flags(LibConfig::new_no_core(lib_path)); + rustc_args.push(to_rustc_arg(self.kani_compiler_flags()).into()); + rustc_args.push(self.reachability_arg().into()); + // Ignore global assembly, since `compiler_builtins` has some. + rustc_args.push(to_rustc_arg(vec!["--ignore-global-asm".to_string()]).into()); + + let mut cargo_args: Vec = vec!["build".into()]; + cargo_args.append(&mut cargo_config_args()); + + // Configuration needed to parse cargo compilation status. + cargo_args.push("--message-format".into()); + cargo_args.push("json-diagnostic-rendered-ansi".into()); + cargo_args.push("-Z".into()); + cargo_args.push("build-std=panic_abort,core,std".into()); + + if self.args.common_args.verbose { + cargo_args.push("-v".into()); + } + + // Since we are verifying the standard library, we set the reachability to all crates. + let mut cmd = setup_cargo_command()?; + cmd.args(&cargo_args) + .current_dir(krate_path) + .env("RUSTC", &self.kani_compiler) + // Use CARGO_ENCODED_RUSTFLAGS instead of RUSTFLAGS is preferred. See + // https://doc.rust-lang.org/cargo/reference/environment-variables.html + .env("CARGO_ENCODED_RUSTFLAGS", rustc_args.join(OsStr::new("\x1f"))) + .env("CARGO_TERM_PROGRESS_WHEN", "never") + .env("__CARGO_TESTS_ONLY_SRC_ROOT", std_path.as_os_str()); + + Ok(self + .run_build(cmd)? + .into_iter() + .filter_map(|artifact| { + if artifact.target.crate_types.contains(&CRATE_TYPE_LIB.to_string()) + || artifact.target.crate_types.contains(&CRATE_TYPE_RLIB.to_string()) + { + map_kani_artifact(artifact) + } else { + None + } + }) + .collect()) + } + /// Calls `cargo_build` to generate `*.symtab.json` files in `target_dir` pub fn cargo_build(&self, keep_going: bool) -> Result { let build_target = env!("TARGET"); // see build.rs @@ -60,7 +116,8 @@ impl KaniSession { fs::remove_dir_all(&target_dir)?; } - let mut rustc_args = self.kani_rustc_flags(); + let lib_path = lib_folder().unwrap(); + let mut rustc_args = self.kani_rustc_flags(LibConfig::new(lib_path)); rustc_args.push(to_rustc_arg(self.kani_compiler_flags()).into()); let mut cargo_args: Vec = vec!["rustc".into()]; @@ -109,11 +166,10 @@ impl KaniSession { let mut failed_targets = vec![]; for package in packages { for verification_target in package_targets(&self.args, package) { - let mut cmd = Command::new("cargo"); - cmd.arg(session::toolchain_shorthand()) - .args(&cargo_args) + let mut cmd = setup_cargo_command()?; + cmd.args(&cargo_args) .args(vec!["-p", &package.name]) - .args(&verification_target.to_args()) + .args(verification_target.to_args()) .args(&pkg_args) .env("RUSTC", &self.kani_compiler) // Use CARGO_ENCODED_RUSTFLAGS instead of RUSTFLAGS is preferred. See @@ -121,7 +177,7 @@ impl KaniSession { .env("CARGO_ENCODED_RUSTFLAGS", rustc_args.join(OsStr::new("\x1f"))) .env("CARGO_TERM_PROGRESS_WHEN", "never"); - match self.run_cargo(cmd, verification_target.target()) { + match self.run_build_target(cmd, verification_target.target()) { Err(err) => { if keep_going { let target_str = format!("{verification_target}"); @@ -180,9 +236,9 @@ impl KaniSession { /// Run cargo and collect any error found. /// We also collect the metadata file generated during compilation if any. - fn run_cargo(&self, cargo_cmd: Command, target: &Target) -> Result> { + fn run_build(&self, cargo_cmd: Command) -> Result> { let support_color = std::io::stdout().is_terminal(); - let mut artifact = None; + let mut artifacts = vec![]; if let Some(mut cargo_process) = self.run_piped(cargo_cmd)? { let reader = BufReader::new(cargo_process.stdout.take().unwrap()); let mut error_count = 0; @@ -212,13 +268,9 @@ impl KaniSession { } }, Message::CompilerArtifact(rustc_artifact) => { - if rustc_artifact.target == *target { - debug_assert!( - artifact.is_none(), - "expected only one artifact for `{target:?}`", - ); - artifact = Some(rustc_artifact); - } + // Compares two targets, and falls back to a weaker + // comparison where we avoid dashes in their names. + artifacts.push(rustc_artifact) } Message::BuildScriptExecuted(_) | Message::BuildFinished(_) => { // do nothing @@ -244,11 +296,40 @@ impl KaniSession { ); } } + Ok(artifacts) + } + + /// Run cargo and collect any error found. + /// We also collect the metadata file generated during compilation if any for the given target. + fn run_build_target(&self, cargo_cmd: Command, target: &Target) -> Result> { + /// This used to be `rustc_artifact == *target`, but it + /// started to fail after the `cargo` change in + /// + /// + /// We should revisit this check after a while to see if + /// it's not needed anymore or it can be restricted to + /// certain cases. + /// TODO: + fn same_target(t1: &Target, t2: &Target) -> bool { + (t1 == t2) + || (t1.name.replace('-', "_") == t2.name.replace('-', "_") + && t1.kind == t2.kind + && t1.src_path == t2.src_path + && t1.edition == t2.edition + && t1.doctest == t2.doctest + && t1.test == t2.test + && t1.doc == t2.doc) + } + + let artifacts = self.run_build(cargo_cmd)?; + debug!(?artifacts, "run_build_target"); + // We generate kani specific artifacts only for the build target. The build target is // always the last artifact generated in a build, and all the other artifacts are related - // to dependencies or build scripts. Hence, we need to invoke `map_kani_artifact` only - // for the last compiler artifact. - Ok(artifact.and_then(map_kani_artifact)) + // to dependencies or build scripts. + Ok(artifacts.into_iter().rev().find_map(|artifact| { + if same_target(&artifact.target, target) { map_kani_artifact(artifact) } else { None } + })) } } @@ -256,10 +337,10 @@ pub fn cargo_config_args() -> Vec { [ "--target", env!("TARGET"), - // Propagate `--cfg=kani` to build scripts. + // Propagate `--cfg=kani_host` to build scripts. "-Zhost-config", "-Ztarget-applies-to-host", - "--config=host.rustflags=[\"--cfg=kani\"]", + "--config=host.rustflags=[\"--cfg=kani_host\"]", ] .map(OsString::from) .to_vec() @@ -296,13 +377,16 @@ fn validate_package_names(package_names: &[String], packages: &[Package]) -> Res } /// Extract the packages that should be verified. -/// If `--package ` is given, return the list of packages selected. -/// If `--exclude ` is given, return the list of packages not excluded. -/// If `--workspace` is given, return the list of workspace members. -/// If no argument provided, return the root package if there's one or all members. +/// +/// The result is build following these rules: +/// - If `--package ` is given, return the list of packages selected. +/// - If `--exclude ` is given, return the list of packages not excluded. +/// - If `--workspace` is given, return the list of workspace members. +/// - If no argument provided, return the root package if there's one or all members. /// - I.e.: Do whatever cargo does when there's no `default_members`. /// - This is because `default_members` is not available in cargo metadata. /// See . +/// /// In addition, if either `--package ` or `--exclude ` is given, /// validate that `` is a package name in the workspace, or return an error /// otherwise. @@ -488,7 +572,7 @@ fn package_targets(args: &VerificationArgs, package: &Package) -> Vec>, /// The `Result` properties in detail or the exit_status of CBMC. /// Note: CBMC process exit status is only potentially useful if `status` is `Failure`. /// Kani will see CBMC report "failure" that's actually success (interpreting "failed" @@ -156,6 +153,11 @@ impl KaniSession { args.push(file.to_owned().into_os_string()); + // Make CBMC verbose by default to tell users about unwinding progress. This should be + // reviewed as CBMC's verbosity defaults evolve. + args.push("--verbosity".into()); + args.push("9".into()); + Ok(args) } @@ -163,18 +165,25 @@ impl KaniSession { pub fn cbmc_check_flags(&self) -> Vec { let mut args = Vec::new(); - if self.args.checks.memory_safety_on() { - args.push("--bounds-check".into()); - args.push("--pointer-check".into()); + // We assume that malloc cannot fail, see https://github.com/model-checking/kani/issues/891 + args.push("--no-malloc-may-fail".into()); + + // With PR #2630 we generate the appropriate checks directly rather than relying on CBMC's + // checks (which are for C semantics). + args.push("--no-undefined-shift-check".into()); + // With PR #647 we use Rust's `-C overflow-checks=on` instead of: + // --unsigned-overflow-check + // --signed-overflow-check + // So these options are deliberately skipped to avoid erroneously re-checking operations. + args.push("--no-signed-overflow-check".into()); + + if !self.args.checks.memory_safety_on() { + args.push("--no-bounds-check".into()); + args.push("--no-pointer-check".into()); } if self.args.checks.overflow_on() { - args.push("--div-by-zero-check".into()); args.push("--float-overflow-check".into()); args.push("--nan-check".into()); - // With PR #647 we use Rust's `-C overflow-checks=on` instead of: - // --unsigned-overflow-check - // --signed-overflow-check - // So these options are deliberately skipped to avoid erroneously re-checking operations. // TODO: Implement conversion checks as an optional check. // They are a well defined operation in rust, but they may yield unexpected results to @@ -182,10 +191,14 @@ impl KaniSession { // We might want to create a transformation pass instead of enabling CBMC since Kani // compiler sometimes rely on the bitwise conversion of signed <-> unsigned. // args.push("--conversion-check".into()); + } else { + args.push("--no-div-by-zero-check".into()); } - if self.args.checks.unwinding_on() { - args.push("--unwinding-assertions".into()); + if !self.args.checks.unwinding_on() { + args.push("--no-unwinding-assertions".into()); + } else { + args.push("--no-self-loops-to-assumptions".into()); } if self.args.extra_pointer_checks { @@ -193,7 +206,8 @@ impl KaniSession { // still catch any invalid dereference with --pointer-check. Thus, only enable them // if the user explicitly request them. args.push("--pointer-overflow-check".into()); - args.push("--pointer-primitive-check".into()); + } else { + args.push("--no-pointer-primitive-check".into()); } args @@ -254,7 +268,7 @@ impl VerificationResult { start_time: Instant, ) -> VerificationResult { let runtime = start_time.elapsed(); - let (items, results) = extract_results(output.processed_items); + let (_, results) = extract_results(output.processed_items); if let Some(results) = results { let (status, failed_properties) = @@ -262,7 +276,6 @@ impl VerificationResult { VerificationResult { status, failed_properties, - messages: Some(items), results: Ok(results), runtime, generated_concrete_test: false, @@ -272,7 +285,6 @@ impl VerificationResult { VerificationResult { status: VerificationStatus::Failure, failed_properties: FailedProperties::Other, - messages: Some(items), results: Err(output.process_status), runtime, generated_concrete_test: false, @@ -284,7 +296,6 @@ impl VerificationResult { VerificationResult { status: VerificationStatus::Success, failed_properties: FailedProperties::None, - messages: None, results: Ok(vec![]), runtime: Duration::from_secs(0), generated_concrete_test: false, @@ -295,7 +306,6 @@ impl VerificationResult { VerificationResult { status: VerificationStatus::Failure, failed_properties: FailedProperties::Other, - messages: None, // on failure, exit codes in theory might be used, // but `mock_failure` should never be used in a context where they will, // so again use something weird: @@ -407,7 +417,7 @@ pub fn resolve_unwind_value( #[cfg(test)] mod tests { use crate::args; - use crate::metadata::mock_proof_harness; + use crate::metadata::tests::mock_proof_harness; use clap::Parser; use super::*; diff --git a/kani-driver/src/call_goto_instrument.rs b/kani-driver/src/call_goto_instrument.rs index 83744eddabfd..ae76be150871 100644 --- a/kani-driver/src/call_goto_instrument.rs +++ b/kani-driver/src/call_goto_instrument.rs @@ -93,6 +93,7 @@ impl KaniSession { fn add_library(&self, file: &Path) -> Result<()> { let args: Vec = vec![ "--add-library".into(), + "--no-malloc-may-fail".into(), file.to_owned().into_os_string(), // input file.to_owned().into_os_string(), // output ]; @@ -173,6 +174,7 @@ impl KaniSession { assigns.contracted_function_name.as_str().into(), "--nondet-static-exclude".into(), assigns.recursion_tracker.as_str().into(), + "--no-malloc-may-fail".into(), file.into(), file.into(), ]; diff --git a/kani-driver/src/call_single_file.rs b/kani-driver/src/call_single_file.rs index 9b6e0598daa5..bbeb5bfa417d 100644 --- a/kani-driver/src/call_single_file.rs +++ b/kani-driver/src/call_single_file.rs @@ -2,12 +2,46 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use anyhow::Result; +use kani_metadata::UnstableFeature; use std::ffi::OsString; use std::path::{Path, PathBuf}; use std::process::Command; use crate::session::{lib_folder, KaniSession}; +pub struct LibConfig { + args: Vec, +} + +impl LibConfig { + pub fn new(path: PathBuf) -> LibConfig { + let sysroot = &path.parent().unwrap(); + let kani_std_rlib = path.join("libstd.rlib"); + let kani_std_wrapper = format!("noprelude:std={}", kani_std_rlib.to_str().unwrap()); + let args = [ + "--sysroot", + sysroot.to_str().unwrap(), + "-L", + path.to_str().unwrap(), + "--extern", + "kani", + "--extern", + kani_std_wrapper.as_str(), + ] + .map(OsString::from) + .to_vec(); + LibConfig { args } + } + + pub fn new_no_core(path: PathBuf) -> LibConfig { + LibConfig { + args: ["-L", path.to_str().unwrap(), "--extern", "kani_core"] + .map(OsString::from) + .to_vec(), + } + } +} + impl KaniSession { /// Used by `kani` and not `cargo-kani` to process a single Rust file into a `.symtab.json` // TODO: Move these functions to be part of the builder. @@ -20,7 +54,8 @@ impl KaniSession { let mut kani_args = self.kani_compiler_flags(); kani_args.push(format!("--reachability={}", self.reachability_mode())); - let mut rustc_args = self.kani_rustc_flags(); + let lib_path = lib_folder().unwrap(); + let mut rustc_args = self.kani_rustc_flags(LibConfig::new(lib_path)); rustc_args.push(file.into()); rustc_args.push("--out-dir".into()); rustc_args.push(OsString::from(outdir.as_os_str())); @@ -35,14 +70,10 @@ impl KaniSession { rustc_args.push(t); } } else { - // If we specifically request "--function main" then don't override crate type - if Some("main".to_string()) != self.args.function { - // We only run against proof harnesses normally, and this change - // 1. Means we do not require a `fn main` to exist - // 2. Don't forget it also changes visibility rules. - rustc_args.push("--crate-type".into()); - rustc_args.push("lib".into()); - } + // We only run against proof harnesses, so always compile as a library. + // This ensures compilation passes if the crate does not have a `main` function. + rustc_args.push("--crate-type".into()); + rustc_args.push("lib".into()); } // Note that the order of arguments is important. Kani specific flags should precede @@ -100,6 +131,21 @@ impl KaniSession { flags.push("--coverage-checks".into()); } + if self.args.common_args.unstable_features.contains(UnstableFeature::ValidValueChecks) { + flags.push("--ub-check=validity".into()) + } + + if self.args.common_args.unstable_features.contains(UnstableFeature::PtrToRefCastChecks) { + flags.push("--ub-check=ptr_to_ref_cast".into()) + } + + if self.args.common_args.unstable_features.contains(UnstableFeature::UninitChecks) { + // Automatically enable shadow memory, since the version of uninitialized memory checks + // without non-determinism depends on it. + flags.push("-Z ghost-state".into()); + flags.push("--ub-check=uninit".into()); + } + flags.extend(self.args.common_args.unstable_features.as_arguments().map(str::to_string)); // This argument will select the Kani flavour of the compiler. It will be removed before @@ -110,9 +156,8 @@ impl KaniSession { } /// This function generates all rustc configurations required by our goto-c codegen. - pub fn kani_rustc_flags(&self) -> Vec { - let lib_path = lib_folder().unwrap(); - let mut flags: Vec<_> = base_rustc_flags(lib_path); + pub fn kani_rustc_flags(&self, lib_config: LibConfig) -> Vec { + let mut flags: Vec<_> = base_rustc_flags(lib_config); // We only use panic abort strategy for verification since we cannot handle unwind logic. flags.extend_from_slice( &[ @@ -122,6 +167,9 @@ impl KaniSession { "symbol-mangling-version=v0", "-Z", "panic_abort_tests=yes", + "-Z", + "mir-enable-passes=-RemoveStorageMarkers", + "--check-cfg=cfg(kani)", ] .map(OsString::from), ); @@ -135,6 +183,10 @@ impl KaniSession { } } + if self.args.coverage { + flags.push("-Zmir-enable-passes=-SingleUseConsts".into()); + } + // This argument will select the Kani flavour of the compiler. It will be removed before // rustc driver is invoked. flags.push("--kani-compiler".into()); @@ -144,10 +196,7 @@ impl KaniSession { } /// Common flags used for compiling user code for verification and playback flow. -pub fn base_rustc_flags(lib_path: PathBuf) -> Vec { - let kani_std_rlib = lib_path.join("libstd.rlib"); - let kani_std_wrapper = format!("noprelude:std={}", kani_std_rlib.to_str().unwrap()); - let sysroot = lib_path.parent().unwrap(); +pub fn base_rustc_flags(lib_config: LibConfig) -> Vec { let mut flags = [ "-C", "overflow-checks=on", @@ -164,18 +213,12 @@ pub fn base_rustc_flags(lib_path: PathBuf) -> Vec { "crate-attr=feature(register_tool)", "-Z", "crate-attr=register_tool(kanitool)", - "--sysroot", - sysroot.to_str().unwrap(), - "-L", - lib_path.to_str().unwrap(), - "--extern", - "kani", - "--extern", - kani_std_wrapper.as_str(), ] .map(OsString::from) .to_vec(); + flags.extend(lib_config.args); + // e.g. compiletest will set 'compile-flags' here and we should pass those down to rustc // and we fail in `tests/kani/Match/match_bool.rs` if let Ok(str) = std::env::var("RUSTFLAGS") { diff --git a/kani-driver/src/cbmc_output_parser.rs b/kani-driver/src/cbmc_output_parser.rs index 1bb353d7d4c0..b3a78e8d03e2 100644 --- a/kani-driver/src/cbmc_output_parser.rs +++ b/kani-driver/src/cbmc_output_parser.rs @@ -287,9 +287,7 @@ fn filepath(file: String) -> String { #[derive(Clone, Debug, Deserialize)] #[serde(rename_all = "camelCase")] pub struct TraceItem { - pub thread: u32, pub step_type: String, - pub hidden: bool, pub lhs: Option, pub source_location: Option, pub value: Option, @@ -301,7 +299,6 @@ pub struct TraceItem { /// The fields included right now are relevant to primitive types. #[derive(Clone, Debug, Deserialize)] pub struct TraceValue { - pub name: String, pub binary: Option, pub data: Option, pub width: Option, @@ -332,6 +329,7 @@ pub enum CheckStatus { Satisfied, // for `cover` properties only Success, Undetermined, + Unknown, Unreachable, Uncovered, // for `code_coverage` properties only Unsatisfiable, // for `cover` properties only @@ -347,6 +345,9 @@ impl std::fmt::Display for CheckStatus { CheckStatus::Failure => style("FAILURE").red(), CheckStatus::Unreachable => style("UNREACHABLE").yellow(), CheckStatus::Undetermined => style("UNDETERMINED").yellow(), + // CBMC 6+ uses UNKNOWN when another property of undefined behavior failed, making it + // impossible to definitively conclude whether other properties hold or not. + CheckStatus::Unknown => style("UNDETERMINED").yellow(), CheckStatus::Unsatisfiable => style("UNSATISFIABLE").yellow(), }; write!(f, "{check_str}") diff --git a/kani-driver/src/cbmc_property_renderer.rs b/kani-driver/src/cbmc_property_renderer.rs index 62ef748a1ad5..4f32028b5866 100644 --- a/kani-driver/src/cbmc_property_renderer.rs +++ b/kani-driver/src/cbmc_property_renderer.rs @@ -162,7 +162,7 @@ enum CoverageStatus { const UNSUPPORTED_CONSTRUCT_DESC: &str = "is not currently supported by Kani"; const UNWINDING_ASSERT_DESC: &str = "unwinding assertion loop"; const UNWINDING_ASSERT_REC_DESC: &str = "recursion unwinding assertion"; -const DEFAULT_ASSERTION: &str = "assertion"; +const UNDEFINED_FUNCTION_DESC: &str = "undefined function should be unreachable"; impl ParserItem { /// Determines if an item must be skipped or not. @@ -618,8 +618,7 @@ fn modify_undefined_function_checks(mut properties: Vec) -> (Vec `UNCOVERED` /// - `FAILURE` -> `COVERED` +/// /// Note that these statuses are intermediate statuses that aren't reported to /// users but rather internally consumed and reported finally as `PARTIAL`, `FULL` /// or `NONE` based on aggregated line coverage results. @@ -720,9 +720,10 @@ fn update_results_of_code_covererage_checks(mut properties: Vec) -> Ve /// Update the results of cover properties. /// We encode cover(cond) as assert(!cond), so if the assertion -/// fails, then the cover property is satisfied and vice versa. +/// fails, then the cover property is satisfied and vice versa: /// - SUCCESS -> UNSATISFIABLE /// - FAILURE -> SATISFIED +/// /// Note that if the cover property was unreachable, its status at this point /// will be `CheckStatus::Unreachable` and not `CheckStatus::Success` since /// `update_properties_with_reach_status` is called beforehand @@ -837,7 +838,7 @@ fn annotate_properties_with_reach_results( let prop_match_id = check_marker_pat.captures(description.as_str()).unwrap().get(0).unwrap().as_str(); // Get the status associated to the ID we captured - let reach_status_opt = reach_map.get(&prop_match_id.to_string()); + let reach_status_opt = reach_map.get(prop_match_id); // Update the reachability status of the property if let Some(reach_status) = reach_status_opt { prop.reach = Some(*reach_status); diff --git a/kani-driver/src/concrete_playback/playback.rs b/kani-driver/src/concrete_playback/playback.rs index 96ed30da904d..c56694ad32fd 100644 --- a/kani-driver/src/concrete_playback/playback.rs +++ b/kani-driver/src/concrete_playback/playback.rs @@ -6,8 +6,8 @@ use crate::args::common::Verbosity; use crate::args::playback_args::{CargoPlaybackArgs, KaniPlaybackArgs, MessageFormat}; use crate::call_cargo::cargo_config_args; -use crate::call_single_file::base_rustc_flags; -use crate::session::{lib_playback_folder, InstallType}; +use crate::call_single_file::{base_rustc_flags, LibConfig}; +use crate::session::{lib_playback_folder, setup_cargo_command, InstallType}; use crate::{session, util}; use anyhow::Result; use std::ffi::OsString; @@ -17,8 +17,7 @@ use std::process::Command; use tracing::debug; pub fn playback_cargo(args: CargoPlaybackArgs) -> Result<()> { - let install = InstallType::new()?; - cargo_test(&install, args) + cargo_test(args) } pub fn playback_standalone(args: KaniPlaybackArgs) -> Result<()> { @@ -71,7 +70,7 @@ fn build_test(install: &InstallType, args: &KaniPlaybackArgs) -> Result util::info_operation("Building", args.input.to_string_lossy().deref()); } - let mut rustc_args = base_rustc_flags(lib_playback_folder()?); + let mut rustc_args = base_rustc_flags(LibConfig::new(lib_playback_folder()?)); rustc_args.push("--test".into()); rustc_args.push(OsString::from(&args.input)); rustc_args.push(format!("--crate-name={TEST_BIN_NAME}").into()); @@ -93,10 +92,11 @@ fn build_test(install: &InstallType, args: &KaniPlaybackArgs) -> Result } /// Invokes cargo test using Kani compiler and the provided arguments. -/// TODO: This should likely be inside KaniSession, but KaniSession requires `VerificationArgs` today. -/// For now, we just use InstallType directly. -fn cargo_test(install: &InstallType, args: CargoPlaybackArgs) -> Result<()> { - let rustc_args = base_rustc_flags(lib_playback_folder()?); +fn cargo_test(args: CargoPlaybackArgs) -> Result<()> { + let install = InstallType::new()?; + let mut cmd = setup_cargo_command()?; + + let rustc_args = base_rustc_flags(LibConfig::new(lib_playback_folder()?)); let mut cargo_args: Vec = vec!["test".into()]; if args.playback.common_opts.verbose() { @@ -123,9 +123,7 @@ fn cargo_test(install: &InstallType, args: CargoPlaybackArgs) -> Result<()> { } // Arguments that will only be passed to the target package. - let mut cmd = Command::new("cargo"); - cmd.arg(session::toolchain_shorthand()) - .args(&cargo_args) + cmd.args(&cargo_args) .env("RUSTC", &install.kani_compiler()?) // Use CARGO_ENCODED_RUSTFLAGS instead of RUSTFLAGS is preferred. See // https://doc.rust-lang.org/cargo/reference/environment-variables.html diff --git a/kani-driver/src/concrete_playback/test_generator.rs b/kani-driver/src/concrete_playback/test_generator.rs index 53c3a92dd94c..5faa6299a5d3 100644 --- a/kani-driver/src/concrete_playback/test_generator.rs +++ b/kani-driver/src/concrete_playback/test_generator.rs @@ -6,10 +6,11 @@ use crate::args::ConcretePlaybackMode; use crate::call_cbmc::VerificationResult; +use crate::cbmc_output_parser::Property; use crate::session::KaniSession; use anyhow::{Context, Result}; use concrete_vals_extractor::{extract_harness_values, ConcreteVal}; -use kani_metadata::HarnessMetadata; +use kani_metadata::{HarnessKind, HarnessMetadata}; use std::collections::hash_map::DefaultHasher; use std::ffi::OsString; use std::fs::{read_to_string, File}; @@ -32,7 +33,7 @@ impl KaniSession { }; if let Ok(result_items) = &verification_result.results { - let harness_values: Vec> = extract_harness_values(result_items); + let harness_values = extract_harness_values(result_items); if harness_values.is_empty() { println!( @@ -43,9 +44,9 @@ impl KaniSession { } else { let mut unit_tests: Vec = harness_values .iter() - .map(|concrete_vals| { + .map(|(prop, concrete_vals)| { let pretty_name = harness.get_harness_name_unqualified(); - format_unit_test(&pretty_name, &concrete_vals) + format_unit_test(&pretty_name, &concrete_vals, gen_test_doc(harness, prop)) }) .collect(); unit_tests.dedup_by(|a, b| a.name == b.name); @@ -168,6 +169,9 @@ impl KaniSession { writeln!(temp_file, "{line}")?; if curr_line_num == proof_harness_end_line { for unit_test in unit_tests.iter() { + // Write an empty line before the unit test. + writeln!(temp_file)?; + for unit_test_line in unit_test.code.iter() { curr_line_num += 1; writeln!(temp_file, "{unit_test_line}")?; @@ -176,7 +180,7 @@ impl KaniSession { } } - // Renames are usually automic, so we won't corrupt the user's source file during a + // Renames are usually atomic, so we won't corrupt the user's source file during a // crash; but first flush all updates to disk, which persist wouldn't take care of. temp_file.as_file().sync_all()?; temp_file.persist(source_path).expect("Could not rename file"); @@ -231,8 +235,52 @@ impl KaniSession { } } +fn gen_test_doc(harness: &HarnessMetadata, property: &Property) -> String { + let mut doc_str = match &harness.attributes.kind { + HarnessKind::Proof => { + format!("/// Test generated for harness `{}` \n", harness.pretty_name) + } + HarnessKind::ProofForContract { target_fn } => { + format!( + "/// Test generated for harness `{}` that checks contract for `{target_fn}`\n", + harness.pretty_name + ) + } + HarnessKind::Test => { + unreachable!("Concrete playback for tests is not supported") + } + }; + doc_str.push_str("///\n"); + doc_str.push_str(&format!( + "/// Check for `{}`: \"{}\"\n", + property.property_class(), + property.description + )); + if !harness.attributes.stubs.is_empty() { + doc_str.push_str( + r#"/// +/// # Warning +/// +/// Concrete playback tests combined with stubs or contracts is highly +/// experimental, and subject to change. +/// +/// The original harness has stubs which are not applied to this test. +/// This may cause a mismatch of non-deterministic values if the stub +/// creates any non-deterministic value. +/// The execution path may also differ, which can be used to refine the stub +/// logic. +"#, + ); + } + doc_str +} + /// Generate a formatted unit test from a list of concrete values. -fn format_unit_test(harness_name: &str, concrete_vals: &[ConcreteVal]) -> UnitTest { +fn format_unit_test( + harness_name: &str, + concrete_vals: &[ConcreteVal], + doc_str: String, +) -> UnitTest { // Hash the concrete values along with the proof harness name. let mut hasher = DefaultHasher::new(); harness_name.hash(&mut hasher); @@ -241,6 +289,7 @@ fn format_unit_test(harness_name: &str, concrete_vals: &[ConcreteVal]) -> UnitTe let func_name = format!("kani_concrete_playback_{harness_name}_{hash}"); let func_before_concrete_vals = [ + doc_str, "#[test]".to_string(), format!("fn {func_name}() {{"), format!("{:<4}let concrete_vals: Vec> = vec![", " "), @@ -324,7 +373,7 @@ mod concrete_vals_extractor { /// Extract a set of concrete values that trigger one assertion /// failure. Each element of the outer vector corresponds to /// inputs triggering one assertion failure or cover statement. - pub fn extract_harness_values(result_items: &[Property]) -> Vec> { + pub fn extract_harness_values(result_items: &[Property]) -> Vec<(&Property, Vec)> { result_items .iter() .filter(|prop| { @@ -340,7 +389,7 @@ mod concrete_vals_extractor { let concrete_vals: Vec = trace.iter().filter_map(&extract_from_trace_item).collect(); - concrete_vals + (property, concrete_vals) }) .collect() } @@ -359,7 +408,7 @@ mod concrete_vals_extractor { { if trace_item.step_type == "assignment" && lhs.starts_with("goto_symex$$return_value") - && func.starts_with("kani::any_raw_internal") + && func.starts_with("kani::any_raw_") { let declared_width = width_u64 as usize; let actual_width = bit_concrete_val.len(); @@ -484,9 +533,10 @@ mod tests { /// Since hashes can not be relied on in tests, this compares all parts of a unit test except the hash. #[test] fn format_unit_test_full_func() { + let doc_str = "/// Test documentation"; let harness_name = "test_proof_harness"; let concrete_vals = [ConcreteVal { byte_arr: vec![0, 0], interp_val: "0".to_string() }]; - let unit_test = format_unit_test(harness_name, &concrete_vals); + let unit_test = format_unit_test(harness_name, &concrete_vals, doc_str.to_string()); let full_func = unit_test.code; let split_unit_test_name = split_unit_test_name(&unit_test.name); let expected_after_func_name = vec![ @@ -498,18 +548,23 @@ mod tests { "}".to_string(), ]; - assert_eq!(full_func[0], "#[test]"); + assert_eq!(full_func[0], doc_str); + assert_eq!(full_func[1], "#[test]"); assert_eq!( split_unit_test_name.before_hash, format!("kani_concrete_playback_{harness_name}") ); - assert_eq!(full_func[1], format!("fn {}() {{", unit_test.name)); - assert_eq!(full_func[2..], expected_after_func_name); + assert_eq!(full_func[2], format!("fn {}() {{", unit_test.name)); + assert_eq!(full_func[3..], expected_after_func_name); } /// Generates a unit test and returns its hash. fn extract_hash_from_unit_test(harness_name: &str, concrete_vals: &[ConcreteVal]) -> String { - let unit_test = format_unit_test(harness_name, concrete_vals); + let unit_test = format_unit_test( + harness_name, + concrete_vals, + "/// Harness created for unit test".to_string(), + ); split_unit_test_name(&unit_test.name).hash } @@ -588,9 +643,7 @@ mod tests { line: None, }, trace: Some(vec![TraceItem { - thread: 0, step_type: "assignment".to_string(), - hidden: false, lhs: Some("goto_symex$$return_value".to_string()), source_location: Some(SourceLocation { column: None, @@ -599,14 +652,13 @@ mod tests { line: None, }), value: Some(TraceValue { - name: "".to_string(), binary: Some("0000001100000001".to_string()), data: Some(TraceData::NonBool("385".to_string())), width: Some(16), }), }]), }]; - let concrete_vals = extract_harness_values(&processed_items).pop().unwrap(); + let (_, concrete_vals) = extract_harness_values(&processed_items).pop().unwrap(); let concrete_val = &concrete_vals[0]; assert_eq!(concrete_val.byte_arr, vec![1, 3]); diff --git a/kani-driver/src/harness_runner.rs b/kani-driver/src/harness_runner.rs index f0a7def68d32..992e226e45db 100644 --- a/kani-driver/src/harness_runner.rs +++ b/kani-driver/src/harness_runner.rs @@ -10,7 +10,6 @@ use crate::args::OutputFormat; use crate::call_cbmc::{VerificationResult, VerificationStatus}; use crate::project::Project; use crate::session::KaniSession; -use crate::util::error; /// A HarnessRunner is responsible for checking all proof harnesses. The data in this structure represents /// "background information" that the controlling driver (e.g. cargo-kani or kani) computed. @@ -173,8 +172,8 @@ impl KaniSession { "Complete - {succeeding} successfully verified harnesses, {failing} failures, {total} total." ); } else { - match (self.args.harnesses.as_slice(), &self.args.function) { - ([], None) => + match self.args.harnesses.as_slice() { + [] => // TODO: This could use a better message, possibly with links to Kani documentation. // New users may encounter this and could use a pointer to how to write proof harnesses. { @@ -182,17 +181,13 @@ impl KaniSession { "No proof harnesses (functions with #[kani::proof]) were found to verify." ) } - ([harness], None) => { + [harness] => { bail!("no harnesses matched the harness filter: `{harness}`") } - (harnesses, None) => bail!( + harnesses => bail!( "no harnesses matched the harness filters: `{}`", harnesses.join("`, `") ), - ([], Some(func)) => error(&format!("No function named {func} was found")), - _ => unreachable!( - "invalid configuration. Cannot specify harness and function at the same time" - ), }; } } diff --git a/kani-driver/src/main.rs b/kani-driver/src/main.rs index 1d2afa177ca9..3bb38ed1294c 100644 --- a/kani-driver/src/main.rs +++ b/kani-driver/src/main.rs @@ -1,7 +1,6 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT #![feature(let_chains)] -#![feature(array_methods)] use std::ffi::OsString; use std::process::ExitCode; @@ -95,17 +94,28 @@ fn standalone_main() -> Result<()> { let args = args::StandaloneArgs::parse(); check_is_valid(&args); - if let Some(StandaloneSubcommand::Playback(args)) = args.command { - return playback_standalone(*args); - } - - let session = session::KaniSession::new(args.verify_opts)?; + let (session, project) = match args.command { + Some(StandaloneSubcommand::Playback(args)) => return playback_standalone(*args), + Some(StandaloneSubcommand::VerifyStd(args)) => { + let session = KaniSession::new(args.verify_opts)?; + if !session.args.common_args.quiet { + print_kani_version(InvocationType::Standalone); + } - if !session.args.common_args.quiet { - print_kani_version(InvocationType::Standalone); - } - - let project = project::standalone_project(&args.input.unwrap(), &session)?; + let project = project::std_project(&args.std_path, &session)?; + (session, project) + } + None => { + let session = KaniSession::new(args.verify_opts)?; + if !session.args.common_args.quiet { + print_kani_version(InvocationType::Standalone); + } + + let project = + project::standalone_project(&args.input.unwrap(), args.crate_name, &session)?; + (session, project) + } + }; if session.args.only_codegen { Ok(()) } else { verify_project(project, session) } } diff --git a/kani-driver/src/metadata.rs b/kani-driver/src/metadata.rs index fabf5dacf3e8..3f9cd8f2bf84 100644 --- a/kani-driver/src/metadata.rs +++ b/kani-driver/src/metadata.rs @@ -2,12 +2,11 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use anyhow::{bail, Result}; -use std::path::{Path, PathBuf}; +use std::path::Path; use tracing::{debug, trace}; use kani_metadata::{ - HarnessAttributes, HarnessMetadata, InternedString, KaniMetadata, TraitDefinedMethod, - VtableCtxResults, + HarnessMetadata, InternedString, KaniMetadata, TraitDefinedMethod, VtableCtxResults, }; use std::collections::{BTreeSet, HashMap}; use std::fs::File; @@ -115,12 +114,7 @@ impl KaniSession { &self, all_harnesses: &[&'a HarnessMetadata], ) -> Result> { - let harnesses = if self.args.harnesses.is_empty() { - BTreeSet::from_iter(self.args.function.iter()) - } else { - BTreeSet::from_iter(self.args.harnesses.iter()) - }; - + let harnesses = BTreeSet::from_iter(self.args.harnesses.iter()); let total_harnesses = harnesses.len(); let all_targets = &harnesses; @@ -169,25 +163,6 @@ pub fn sort_harnesses_by_loc<'a>(harnesses: &[&'a HarnessMetadata]) -> Vec<&'a H harnesses_clone } -pub fn mock_proof_harness( - name: &str, - unwind_value: Option, - krate: Option<&str>, - model_file: Option, -) -> HarnessMetadata { - HarnessMetadata { - pretty_name: name.into(), - mangled_name: name.into(), - crate_name: krate.unwrap_or("").into(), - original_file: "".into(), - original_start_line: 0, - original_end_line: 0, - attributes: HarnessAttributes { unwind_value, proof: true, ..Default::default() }, - goto_file: model_file, - contract: Default::default(), - } -} - /// Search for a proof harness with a particular name. /// At the present time, we use `no_mangle` so collisions shouldn't happen, /// but this function is written to be robust against that changing in the future. @@ -223,8 +198,31 @@ fn find_proof_harnesses<'a>( } #[cfg(test)] -mod tests { +pub mod tests { use super::*; + use kani_metadata::{HarnessAttributes, HarnessKind}; + use std::path::PathBuf; + + pub fn mock_proof_harness( + name: &str, + unwind_value: Option, + krate: Option<&str>, + model_file: Option, + ) -> HarnessMetadata { + let mut attributes = HarnessAttributes::new(HarnessKind::Proof); + attributes.unwind_value = unwind_value; + HarnessMetadata { + pretty_name: name.into(), + mangled_name: name.into(), + crate_name: krate.unwrap_or("").into(), + original_file: "".into(), + original_start_line: 0, + original_end_line: 0, + attributes, + goto_file: model_file, + contract: Default::default(), + } + } #[test] fn check_find_proof_harness_without_exact() { @@ -240,7 +238,7 @@ mod tests { find_proof_harnesses( &BTreeSet::from([&"check_three".to_string()]), &ref_harnesses, - false + false, ) .len(), 1 @@ -249,7 +247,7 @@ mod tests { find_proof_harnesses( &BTreeSet::from([&"check_two".to_string()]), &ref_harnesses, - false + false, ) .first() .unwrap() @@ -260,7 +258,7 @@ mod tests { find_proof_harnesses( &BTreeSet::from([&"check_one".to_string()]), &ref_harnesses, - false + false, ) .first() .unwrap() @@ -284,7 +282,7 @@ mod tests { find_proof_harnesses( &BTreeSet::from([&"check_three".to_string()]), &ref_harnesses, - true + true, ) .is_empty() ); @@ -303,7 +301,7 @@ mod tests { find_proof_harnesses( &BTreeSet::from([&"module::not_check_three".to_string()]), &ref_harnesses, - true + true, ) .first() .unwrap() diff --git a/kani-driver/src/project.rs b/kani-driver/src/project.rs index b99a7e9aff07..2bc0845cdb46 100644 --- a/kani-driver/src/project.rs +++ b/kani-driver/src/project.rs @@ -3,28 +3,16 @@ //! This module defines the structure for a Kani project. //! The goal is to provide one project view independent on the build system (cargo / standalone //! rustc) and its configuration (e.g.: linker type). -//! -//! For `--function`, we still have a hack in-place that merges all the artifacts together. -//! The reason is the following: -//! - For `--function`, the compiler doesn't generate any metadata that indicates which -//! functions each goto model includes. Thus, we don't have an easy way to tell which goto -//! files are relevant for the function verification. This is also another flag that we don't -//! expect to stabilize, so we also opted to use the same hack as implemented before the MIR -//! Linker was introduced to merge everything together. -//! -//! Note that for `--function` we also inject a mock `HarnessMetadata` to the project. This -//! allows the rest of the driver to handle a function under verification the same way it handle -//! other harnesses. -use crate::metadata::{from_json, merge_kani_metadata, mock_proof_harness}; +use crate::metadata::from_json; use crate::session::KaniSession; -use crate::util::{crate_name, guess_rlib_name}; +use crate::util::crate_name; use anyhow::{Context, Result}; use kani_metadata::{ artifact::convert_type, ArtifactType, ArtifactType::*, HarnessMetadata, KaniMetadata, }; -use std::fs::File; -use std::io::BufWriter; +use std::env::current_dir; +use std::fs; use std::ops::Deref; use std::path::{Path, PathBuf}; use tracing::{debug, trace}; @@ -47,15 +35,6 @@ pub struct Project { pub outdir: PathBuf, /// The collection of artifacts kept as part of this project. artifacts: Vec, - /// A flag that indicated whether all artifacts have been merged or not. - /// - /// This allow us to provide a consistent behavior for `--function`. - /// For this option, we still merge all the artifacts together, so the - /// `merged_artifacts` flag will be set to `true`. - /// When this flag is `true`, there should only be up to one artifact of any given type. - /// When this flag is `false`, there may be multiple artifacts for any given type. However, - /// only up to one artifact for each - pub merged_artifacts: bool, /// Records the cargo metadata from the build, if there was any pub cargo_metadata: Option, /// For build `keep_going` mode, we collect the targets that we failed to compile. @@ -85,14 +64,10 @@ impl Project { harness: &HarnessMetadata, typ: ArtifactType, ) -> Option<&Artifact> { - let expected_path = if self.merged_artifacts { - None - } else { - harness - .goto_file - .as_ref() - .and_then(|goto_file| convert_type(goto_file, SymTabGoto, typ).canonicalize().ok()) - }; + let expected_path = harness + .goto_file + .as_ref() + .and_then(|goto_file| convert_type(goto_file, SymTabGoto, typ).canonicalize().ok()); trace!(?harness.goto_file, ?expected_path, ?typ, "get_harness_artifact"); self.artifacts.iter().find(|artifact| { artifact.has_type(typ) @@ -140,14 +115,7 @@ impl Project { } } - Ok(Project { - outdir, - metadata, - artifacts, - merged_artifacts: false, - cargo_metadata, - failed_targets, - }) + Ok(Project { outdir, metadata, artifacts, cargo_metadata, failed_targets }) } } @@ -198,80 +166,31 @@ impl Artifact { } } -/// Store the KaniMetadata into a file. -fn dump_metadata(metadata: &KaniMetadata, path: &Path) { - let out_file = File::create(path).unwrap(); - let writer = BufWriter::new(out_file); - serde_json::to_writer_pretty(writer, &metadata).unwrap(); -} - /// Generate a project using `cargo`. /// Accept a boolean to build as many targets as possible. The number of failures in that case can /// be collected from the project. pub fn cargo_project(session: &KaniSession, keep_going: bool) -> Result { let outputs = session.cargo_build(keep_going)?; let outdir = outputs.outdir.canonicalize()?; - if session.args.function.is_some() { - let mut artifacts = vec![]; - // For the `--function` support, we still use a glob to link everything. - // Yes, this is broken, but it has been broken for quite some time. :( - // Merge goto files. - // https://github.com/model-checking/kani/issues/2129 - let joined_name = "cbmc-linked"; - let base_name = outdir.join(joined_name); - let goto = base_name.with_extension(Goto); - let all_gotos = outputs - .metadata - .iter() - .map(|artifact| convert_type(&artifact, Metadata, SymTabGoto)) - .collect::>(); - - session.link_goto_binary(&all_gotos, &goto)?; - let goto_artifact = Artifact::try_new(&goto, Goto)?; - - // Merge metadata files. - let per_crate: Vec<_> = - outputs.metadata.iter().filter_map(|f| from_json::(f).ok()).collect(); - let merged_metadata = merge_kani_metadata(per_crate); - let metadata = metadata_with_function( - session, - joined_name, - merged_metadata, - goto_artifact.with_extension(SymTabGoto), - ); - let metadata_file = base_name.with_extension(Metadata); - dump_metadata(&metadata, &metadata_file); - artifacts.push(goto_artifact); - artifacts.push(Artifact::try_new(&metadata_file, Metadata)?); - - Ok(Project { - outdir, - artifacts, - metadata: vec![metadata], - merged_artifacts: true, - cargo_metadata: Some(outputs.cargo_metadata), - failed_targets: outputs.failed_targets, - }) - } else { - // For the MIR Linker we know there is only one metadata per crate. Use that in our favor. - let metadata = outputs - .metadata - .iter() - .map(|md_file| from_json(md_file)) - .collect::>>()?; - Project::try_new( - session, - outdir, - metadata, - Some(outputs.cargo_metadata), - outputs.failed_targets, - ) - } + // For the MIR Linker we know there is only one metadata per crate. Use that in our favor. + let metadata = + outputs.metadata.iter().map(|md_file| from_json(md_file)).collect::>>()?; + Project::try_new( + session, + outdir, + metadata, + Some(outputs.cargo_metadata), + outputs.failed_targets, + ) } /// Generate a project directly using `kani-compiler` on a single crate. -pub fn standalone_project(input: &Path, session: &KaniSession) -> Result { - StandaloneProjectBuilder::try_new(input, session)?.build() +pub fn standalone_project( + input: &Path, + crate_name: Option, + session: &KaniSession, +) -> Result { + StandaloneProjectBuilder::try_new(input, crate_name, session)?.build() } /// Builder for a standalone project. @@ -291,7 +210,7 @@ struct StandaloneProjectBuilder<'a> { impl<'a> StandaloneProjectBuilder<'a> { /// Create a `StandaloneProjectBuilder` from the given input and session. /// This will perform a few validations before the build. - fn try_new(input: &Path, session: &'a KaniSession) -> Result { + fn try_new(input: &Path, krate_name: Option, session: &'a KaniSession) -> Result { // Ensure the directory exist and it's in its canonical form. let outdir = if let Some(target_dir) = &session.args.target_dir { std::fs::create_dir_all(target_dir)?; // This is a no-op if directory exists. @@ -299,7 +218,7 @@ impl<'a> StandaloneProjectBuilder<'a> { } else { input.canonicalize().unwrap().parent().unwrap().to_path_buf() }; - let crate_name = crate_name(&input); + let crate_name = if let Some(name) = krate_name { name } else { crate_name(&input) }; let metadata = standalone_artifact(&outdir, &crate_name, Metadata); Ok(StandaloneProjectBuilder { outdir, @@ -313,7 +232,7 @@ impl<'a> StandaloneProjectBuilder<'a> { /// Build a project by compiling `self.input` file. fn build(self) -> Result { // Register artifacts that may be generated by the compiler / linker for future deletion. - let rlib_path = guess_rlib_name(&self.outdir.join(self.input.file_name().unwrap())); + let rlib_path = self.rlib_name(); self.session.record_temporary_file(&rlib_path); self.session.record_temporary_file(&self.metadata.path); @@ -321,16 +240,7 @@ impl<'a> StandaloneProjectBuilder<'a> { debug!(krate=?self.crate_name, input=?self.input, ?rlib_path, "build compile"); self.session.compile_single_rust_file(&self.input, &self.crate_name, &self.outdir)?; - let metadata = if let Ok(goto_model) = Artifact::try_from(&self.metadata, SymTabGoto) { - metadata_with_function( - self.session, - &self.crate_name, - from_json(&self.metadata)?, - goto_model.path, - ) - } else { - from_json(&self.metadata)? - }; + let metadata = from_json(&self.metadata)?; // Create the project with the artifacts built by the compiler. let result = Project::try_new(self.session, self.outdir, vec![metadata], None, None); @@ -339,26 +249,17 @@ impl<'a> StandaloneProjectBuilder<'a> { } result } -} -/// Generate a `KaniMetadata` by extending the original metadata to contain the function under -/// verification, when there is one. -fn metadata_with_function( - session: &KaniSession, - crate_name: &str, - mut metadata: KaniMetadata, - model_file: PathBuf, -) -> KaniMetadata { - if let Some(name) = &session.args.function { - // --function is untranslated, create a mock harness - metadata.proof_harnesses.push(mock_proof_harness( - name, - None, - Some(crate_name), - Some(model_file), - )); + /// Build the rlib name from the crate name. + /// This is only used by 'kani', never 'cargo-kani', so we hopefully don't have too many corner + /// cases to deal with. + fn rlib_name(&self) -> PathBuf { + let path = &self.outdir.join(self.input.file_name().unwrap()); + let basedir = path.parent().unwrap_or(Path::new(".")); + let rlib_name = format!("lib{}.rlib", self.crate_name); + + basedir.join(rlib_name) } - metadata } /// Generate the expected path of a standalone artifact of the given type. @@ -368,3 +269,33 @@ fn standalone_artifact(out_dir: &Path, crate_name: &String, typ: ArtifactType) - let _ = path.set_extension(typ); Artifact { path, typ } } + +/// Verify the custom version of the standard library in the given path. +/// +/// Note that we assume that `std_path` points to a directory named "library". +/// This should be checked as part of the argument validation. +pub(crate) fn std_project(std_path: &Path, session: &KaniSession) -> Result { + // Create output directory + let outdir = if let Some(target_dir) = &session.args.target_dir { + target_dir.clone() + } else { + current_dir()?.join("target") + }; + fs::create_dir_all(&outdir)?; // This is a no-op if directory exists. + let outdir = outdir.canonicalize()?; + + // Create dummy crate needed to build using `cargo -Z build-std` + let dummy_crate = outdir.join("kani_verify_std"); + if dummy_crate.exists() { + fs::remove_dir_all(&dummy_crate)?; + } + session.cargo_init_lib(&dummy_crate)?; + + // Build cargo project for dummy crate. + let std_path = std_path.canonicalize()?; + let outputs = session.cargo_build_std(std_path.parent().unwrap(), &dummy_crate)?; + + // Get the metadata and return a Kani project. + let metadata = outputs.iter().map(|md_file| from_json(md_file)).collect::>>()?; + Project::try_new(session, outdir, metadata, None, None) +} diff --git a/kani-driver/src/session.rs b/kani-driver/src/session.rs index 5b9b90854789..03cfb108e324 100644 --- a/kani-driver/src/session.rs +++ b/kani-driver/src/session.rs @@ -82,13 +82,7 @@ impl KaniSession { /// Determine which symbols Kani should codegen (i.e. by slicing away symbols /// that are considered unreachable.) pub fn reachability_mode(&self) -> ReachabilityMode { - if self.codegen_tests { - ReachabilityMode::Tests - } else if self.args.function.is_some() { - ReachabilityMode::AllPubFns - } else { - ReachabilityMode::ProofHarnesses - } + if self.codegen_tests { ReachabilityMode::Tests } else { ReachabilityMode::ProofHarnesses } } } @@ -97,8 +91,6 @@ impl KaniSession { pub enum ReachabilityMode { #[strum(to_string = "harnesses")] ProofHarnesses, - #[strum(to_string = "pub_fns")] - AllPubFns, Tests, } @@ -280,6 +272,11 @@ pub fn lib_playback_folder() -> Result { Ok(base_folder()?.join("playback/lib")) } +/// Return the path for the folder where the pre-compiled rust libraries with no_core. +pub fn lib_no_core_folder() -> Result { + Ok(base_folder()?.join("no_core/lib")) +} + /// Return the base folder for the entire kani installation. pub fn base_folder() -> Result { Ok(bin_folder()? @@ -379,3 +376,25 @@ fn init_logger(args: &VerificationArgs) { ); tracing::subscriber::set_global_default(subscriber).unwrap(); } + +// Setup the default version of cargo being run, based on the type/mode of installation for kani +// If kani is being run in developer mode, then we use the one provided by rustup as we can assume that the developer will have rustup installed +// For release versions of Kani, we use a version of cargo that's in the toolchain that's been symlinked during `cargo-kani` setup. This will allow +// Kani to remove the runtime dependency on rustup later on. +pub fn setup_cargo_command() -> Result { + let install_type = InstallType::new()?; + + let cmd = match install_type { + InstallType::DevRepo(_) => { + let mut cmd = Command::new("cargo"); + cmd.arg(self::toolchain_shorthand()); + cmd + } + InstallType::Release(kani_dir) => { + let cargo_path = kani_dir.join("toolchain").join("bin").join("cargo"); + Command::new(cargo_path) + } + }; + + Ok(cmd) +} diff --git a/kani-driver/src/util.rs b/kani-driver/src/util.rs index 1e0957dc7726..bfbf9e8d04e1 100644 --- a/kani-driver/src/util.rs +++ b/kani-driver/src/util.rs @@ -26,18 +26,6 @@ pub fn crate_name(path: &Path) -> String { stem.replace(['-', '.'], "_") } -/// Attempt to guess the rlib name for rust source file. -/// This is only used by 'kani', never 'cargo-kani', so we hopefully don't have too many corner -/// cases to deal with. -/// In rustc, you can find some code dealing this this naming in: -/// compiler/rustc_codegen_ssa/src/back/link.rs -pub fn guess_rlib_name(path: &Path) -> PathBuf { - let basedir = path.parent().unwrap_or(Path::new(".")); - let rlib_name = format!("lib{}.rlib", crate_name(path)); - - basedir.join(rlib_name) -} - /// Given a path of some sort (usually from argv0), this attempts to extract the basename / stem /// of the executable. e.g. "/path/foo -> foo" "./foo.exe -> foo" "foo -> foo" pub fn executable_basename(argv0: &Option<&OsString>) -> Option { @@ -117,14 +105,6 @@ mod tests { assert_eq!(alter_extension(&q, "symtab.json"), PathBuf::from("file.more.symtab.json")); } - #[test] - fn check_guess_rlib_name() { - assert_eq!(guess_rlib_name(Path::new("mycrate.rs")), PathBuf::from("libmycrate.rlib")); - assert_eq!(guess_rlib_name(Path::new("my-crate.rs")), PathBuf::from("libmy_crate.rlib")); - assert_eq!(guess_rlib_name(Path::new("./foo.rs")), PathBuf::from("./libfoo.rlib")); - assert_eq!(guess_rlib_name(Path::new("a/b/foo.rs")), PathBuf::from("a/b/libfoo.rlib")); - } - #[test] fn check_exe_basename() { assert_eq!( diff --git a/kani_metadata/Cargo.toml b/kani_metadata/Cargo.toml index 2d40d61c898b..816752a58e03 100644 --- a/kani_metadata/Cargo.toml +++ b/kani_metadata/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani_metadata" -version = "0.45.0" +version = "0.53.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -13,6 +13,6 @@ publish = false [dependencies] serde = {version = "1", features = ["derive"]} cbmc = { path = "../cprover_bindings", package = "cprover_bindings" } -strum = "0.25.0" -strum_macros = "0.25.2" +strum = "0.26" +strum_macros = "0.26" clap = { version = "4.4.11", features = ["derive"] } diff --git a/kani_metadata/src/cbmc_solver.rs b/kani_metadata/src/cbmc_solver.rs index f6c5c0a54dc4..5265c6f17fa7 100644 --- a/kani_metadata/src/cbmc_solver.rs +++ b/kani_metadata/src/cbmc_solver.rs @@ -2,22 +2,12 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use serde::{Deserialize, Serialize}; -use strum_macros::{AsRefStr, EnumString, EnumVariantNames}; +use strum_macros::{AsRefStr, EnumString, VariantNames}; /// An enum for CBMC solver options. All variants are handled by Kani, except for /// the `Binary` one, which it passes as is to CBMC's `--external-sat-solver` /// option. -#[derive( - Debug, - Clone, - AsRefStr, - EnumString, - EnumVariantNames, - PartialEq, - Eq, - Serialize, - Deserialize -)] +#[derive(Debug, Clone, AsRefStr, EnumString, VariantNames, PartialEq, Eq, Serialize, Deserialize)] #[strum(serialize_all = "snake_case")] pub enum CbmcSolver { /// CaDiCaL which is available in CBMC as of version 5.77.0 diff --git a/kani_metadata/src/harness.rs b/kani_metadata/src/harness.rs index 3dd6c82ebd39..41eb4eb20919 100644 --- a/kani_metadata/src/harness.rs +++ b/kani_metadata/src/harness.rs @@ -38,10 +38,10 @@ pub struct HarnessMetadata { } /// The attributes added by the user to control how a harness is executed. -#[derive(Debug, Clone, Serialize, Deserialize, Default, PartialEq)] +#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)] pub struct HarnessAttributes { /// Whether the harness has been annotated with proof. - pub proof: bool, + pub kind: HarnessKind, /// Whether the harness is expected to panic or not. pub should_panic: bool, /// Optional data to store solver. @@ -52,6 +52,34 @@ pub struct HarnessAttributes { pub stubs: Vec, } +#[derive(Clone, Eq, PartialEq, Debug, Serialize, Deserialize)] +pub enum HarnessKind { + /// Function was annotated with `#[kani::proof]`. + Proof, + /// Function was annotated with `#[kani::proof_for_contract(target_fn)]`. + ProofForContract { target_fn: String }, + /// This is a test harness annotated with `#[test]`. + Test, +} + +impl HarnessAttributes { + /// Create a new harness of the provided kind. + pub fn new(kind: HarnessKind) -> HarnessAttributes { + HarnessAttributes { + kind, + should_panic: false, + solver: None, + unwind_value: None, + stubs: vec![], + } + } + + /// Return whether this is a proof harness. + pub fn is_proof_harness(&self) -> bool { + matches!(self.kind, HarnessKind::Proof | HarnessKind::ProofForContract { .. }) + } +} + /// The stubbing type. #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)] pub struct Stub { diff --git a/kani_metadata/src/unstable.rs b/kani_metadata/src/unstable.rs index 060508666735..68e4fba28819 100644 --- a/kani_metadata/src/unstable.rs +++ b/kani_metadata/src/unstable.rs @@ -82,6 +82,19 @@ pub enum UnstableFeature { LineCoverage, /// Enable function contracts [RFC 9](https://model-checking.github.io/kani/rfc/rfcs/0009-function-contracts.html) FunctionContracts, + /// Memory predicate APIs. + MemPredicates, + /// Automatically check that no invalid value is produced which is considered UB in Rust. + /// Note that this does not include checking uninitialized value. + ValidValueChecks, + /// Ghost state and shadow memory APIs. + GhostState, + /// Automatically check that pointers are valid when casting them to references. + PtrToRefCastChecks, + /// Automatically check that uninitialized memory is not used. + UninitChecks, + /// Enable an unstable option or subcommand. + UnstableOptions, } impl UnstableFeature { diff --git a/library/kani/Cargo.toml b/library/kani/Cargo.toml index d50717ca97c6..91fee3dabf30 100644 --- a/library/kani/Cargo.toml +++ b/library/kani/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani" -version = "0.45.0" +version = "0.53.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false diff --git a/library/kani/build.rs b/library/kani/build.rs new file mode 100644 index 000000000000..c094cc0254c6 --- /dev/null +++ b/library/kani/build.rs @@ -0,0 +1,7 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +fn main() { + // Make sure `kani_sysroot` is a recognized config + println!("cargo::rustc-check-cfg=cfg(kani_sysroot)"); +} diff --git a/library/kani/kani_lib.c b/library/kani/kani_lib.c index b077547b10d7..eca17a3abb0e 100644 --- a/library/kani/kani_lib.c +++ b/library/kani/kani_lib.c @@ -8,6 +8,7 @@ void free(void *ptr); void *memcpy(void *dst, const void *src, size_t n); void *calloc(size_t nmemb, size_t size); +void *malloc(size_t size); typedef __CPROVER_bool bool; diff --git a/library/kani/src/arbitrary.rs b/library/kani/src/arbitrary.rs index 938f3c30968f..83b113d64927 100644 --- a/library/kani/src/arbitrary.rs +++ b/library/kani/src/arbitrary.rs @@ -1,8 +1,8 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -//! This module introduces the Arbitrary trait as well as implementation for primitive types and -//! other std containers. +//! This module introduces the `Arbitrary` trait as well as implementation for +//! primitive types and other std containers. use std::{ marker::{PhantomData, PhantomPinned}, @@ -16,12 +16,7 @@ where Self: Sized, { fn any() -> Self; - fn any_array() -> [Self; MAX_ARRAY_LENGTH] - // the requirement defined in the where clause must appear on the `impl`'s method `any_array` - // but also on the corresponding trait's method - where - [(); std::mem::size_of::<[Self; MAX_ARRAY_LENGTH]>()]:, - { + fn any_array() -> [Self; MAX_ARRAY_LENGTH] { [(); MAX_ARRAY_LENGTH].map(|_| Self::any()) } } @@ -33,20 +28,10 @@ macro_rules! trivial_arbitrary { #[inline(always)] fn any() -> Self { // This size_of call does not use generic_const_exprs feature. It's inside a macro, and Self isn't generic. - unsafe { crate::any_raw_internal::() }>() } + unsafe { crate::any_raw_internal::() } } - fn any_array() -> [Self; MAX_ARRAY_LENGTH] - where - // `generic_const_exprs` requires all potential errors to be reflected in the signature/header. - // We must repeat the expression in the header, to make sure that if the body can fail the header will also fail. - [(); { std::mem::size_of::<[$type; MAX_ARRAY_LENGTH]>() }]:, - { - unsafe { - crate::any_raw_internal::< - [Self; MAX_ARRAY_LENGTH], - { std::mem::size_of::<[Self; MAX_ARRAY_LENGTH]>() }, - >() - } + fn any_array() -> [Self; MAX_ARRAY_LENGTH] { + unsafe { crate::any_raw_array::() } } } }; @@ -66,11 +51,15 @@ trivial_arbitrary!(i64); trivial_arbitrary!(i128); trivial_arbitrary!(isize); -// We do not constraint floating points values per type spec. Users must add assumptions to their +// We do not constrain floating points values per type spec. Users must add assumptions to their // verification code if they want to eliminate NaN, infinite, or subnormal. trivial_arbitrary!(f32); trivial_arbitrary!(f64); +// Similarly, we do not constraint values for non-standard floating types. +trivial_arbitrary!(f16); +trivial_arbitrary!(f128); + trivial_arbitrary!(()); impl Arbitrary for bool { @@ -124,7 +113,6 @@ nonzero_arbitrary!(NonZeroIsize, isize); impl Arbitrary for [T; N] where T: Arbitrary, - [(); std::mem::size_of::<[T; N]>()]:, { fn any() -> Self { T::any_array() diff --git a/library/kani/src/concrete_playback.rs b/library/kani/src/concrete_playback.rs index 711b9b005624..0de51862b7d8 100644 --- a/library/kani/src/concrete_playback.rs +++ b/library/kani/src/concrete_playback.rs @@ -40,6 +40,11 @@ pub fn concrete_playback_run(mut local_concrete_vals: Vec>, pro }); } +/// Iterate over `any_raw_internal` since CBMC produces assignment per element. +pub(crate) unsafe fn any_raw_array() -> [T; N] { + [(); N].map(|_| crate::any_raw_internal::()) +} + /// Concrete playback implementation of /// kani::any_raw_internal. Because CBMC does not bother putting in /// Zero-Sized Types, those are defaulted to an empty vector. @@ -47,19 +52,17 @@ pub fn concrete_playback_run(mut local_concrete_vals: Vec>, pro /// # Safety /// /// The semantics of this function require that SIZE_T equals the size of type T. -pub(crate) unsafe fn any_raw_internal() -> T { +pub(crate) unsafe fn any_raw_internal() -> T { + let sz = size_of::(); let mut next_concrete_val: Vec = Vec::new(); CONCRETE_VALS.with(|glob_concrete_vals| { let mut_ref_glob_concrete_vals = &mut *glob_concrete_vals.borrow_mut(); - next_concrete_val = if SIZE_T > 0 { + next_concrete_val = if sz > 0 { mut_ref_glob_concrete_vals.pop().expect("Not enough det vals found") } else { vec![] }; }); - let next_concrete_val_len = next_concrete_val.len(); - let bytes_t: [u8; SIZE_T] = next_concrete_val.try_into().expect(&format!( - "Expected {SIZE_T} bytes instead of {next_concrete_val_len} bytes in the following det vals vec" - )); - std::mem::transmute_copy::<[u8; SIZE_T], T>(&bytes_t) + assert_eq!(next_concrete_val.len(), sz, "Expected {sz} bytes in the following det vals vec"); + unsafe { *(next_concrete_val.as_ptr() as *mut T) } } diff --git a/library/kani/src/contracts.rs b/library/kani/src/contracts.rs index 4f963038cab9..beddd7cc580e 100644 --- a/library/kani/src/contracts.rs +++ b/library/kani/src/contracts.rs @@ -51,14 +51,14 @@ //! approximation of the result of division for instance could be this: //! //! ``` -//! #[ensures(result <= dividend)] +//! #[ensures(|result : &u32| *result <= dividend)] //! ``` //! //! This is called a postcondition and it also has access to the arguments and //! is expressed in regular Rust code. The same restrictions apply as did for -//! [`requires`][macro@requires]. In addition to the arguments the postcondition -//! also has access to the value returned from the function in a variable called -//! `result`. +//! [`requires`][macro@requires]. In addition to the postcondition is expressed +//! as a closure where the value returned from the function is passed to this +//! closure by reference. //! //! You may combine as many [`requires`][macro@requires] and //! [`ensures`][macro@ensures] attributes on a single function as you please. @@ -67,7 +67,7 @@ //! //! ``` //! #[kani::requires(divisor != 0)] -//! #[kani::ensures(result <= dividend)] +//! #[kani::ensures(|result : &u32| *result <= dividend)] //! fn my_div(dividend: u32, divisor: u32) -> u32 { //! dividend / divisor //! } @@ -225,4 +225,27 @@ //! Rust pointer type (`&T`, `&mut T`, `*const T` or `*mut T`). In addition `T` //! must implement [`Arbitrary`](super::Arbitrary). This is used to assign //! `kani::any()` to the location when the function is used in a `stub_verified`. +//! +//! ## History Expressions +//! +//! Additionally, an ensures clause is allowed to refer to the state of the function arguments before function execution and perform simple computations on them +//! via an `old` monad. Any instance of `old(computation)` will evaluate the +//! computation before the function is called. It is required that this computation +//! is effect free and closed with respect to the function arguments. +//! +//! For example, the following code passes kani tests: +//! +//! ``` +//! #[kani::modifies(a)] +//! #[kani::ensures(|result| old(*a).wrapping_add(1) == *a)] +//! #[kani::ensures(|result : &u32| old(*a).wrapping_add(1) == *result)] +//! fn add1(a : &mut u32) -> u32 { +//! *a=a.wrapping_add(1); +//! *a +//! } +//! ``` +//! +//! Here, the value stored in `a` is precomputed and remembered after the function +//! is called, even though the contents of `a` changed during the function execution. +//! pub use super::{ensures, modifies, proof_for_contract, requires, stub_verified}; diff --git a/library/kani/src/internal.rs b/library/kani/src/internal.rs index d2f2970d1c05..22026065106a 100644 --- a/library/kani/src/internal.rs +++ b/library/kani/src/internal.rs @@ -1,13 +1,16 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT +use crate::arbitrary::Arbitrary; +use std::ptr; + /// Helper trait for code generation for `modifies` contracts. /// /// We allow the user to provide us with a pointer-like object that we convert as needed. #[doc(hidden)] pub trait Pointer<'a> { /// Type of the pointed-to data - type Inner; + type Inner: ?Sized; /// Used for checking assigns contracts where we pass immutable references to the function. /// @@ -15,23 +18,21 @@ pub trait Pointer<'a> { /// argument, for instance one of type `&mut _`, in the `modifies` clause which would move it. unsafe fn decouple_lifetime(&self) -> &'a Self::Inner; - /// used for havocking on replecement of a `modifies` clause. - unsafe fn assignable(self) -> &'a mut Self::Inner; + unsafe fn assignable(self) -> *mut Self::Inner; } -impl<'a, 'b, T> Pointer<'a> for &'b T { +impl<'a, 'b, T: ?Sized> Pointer<'a> for &'b T { type Inner = T; unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { std::mem::transmute(*self) } - #[allow(clippy::transmute_ptr_to_ref)] - unsafe fn assignable(self) -> &'a mut Self::Inner { + unsafe fn assignable(self) -> *mut Self::Inner { std::mem::transmute(self as *const T) } } -impl<'a, 'b, T> Pointer<'a> for &'b mut T { +impl<'a, 'b, T: ?Sized> Pointer<'a> for &'b mut T { type Inner = T; #[allow(clippy::transmute_ptr_to_ref)] @@ -39,32 +40,30 @@ impl<'a, 'b, T> Pointer<'a> for &'b mut T { std::mem::transmute::<_, &&'a T>(self) } - unsafe fn assignable(self) -> &'a mut Self::Inner { - std::mem::transmute(self) + unsafe fn assignable(self) -> *mut Self::Inner { + self as *mut T } } -impl<'a, T> Pointer<'a> for *const T { +impl<'a, T: ?Sized> Pointer<'a> for *const T { type Inner = T; unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { &**self as &'a T } - #[allow(clippy::transmute_ptr_to_ref)] - unsafe fn assignable(self) -> &'a mut Self::Inner { + unsafe fn assignable(self) -> *mut Self::Inner { std::mem::transmute(self) } } -impl<'a, T> Pointer<'a> for *mut T { +impl<'a, T: ?Sized> Pointer<'a> for *mut T { type Inner = T; unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { &**self as &'a T } - #[allow(clippy::transmute_ptr_to_ref)] - unsafe fn assignable(self) -> &'a mut Self::Inner { - std::mem::transmute(self) + unsafe fn assignable(self) -> *mut Self::Inner { + self } } @@ -76,3 +75,70 @@ impl<'a, T> Pointer<'a> for *mut T { pub fn untracked_deref(_: &T) -> T { todo!() } + +/// CBMC contracts currently has a limitation where `free` has to be in scope. +/// However, if there is no dynamic allocation in the harness, slicing removes `free` from the +/// scope. +/// +/// Thus, this function will basically translate into: +/// ```c +/// // This is a no-op. +/// free(NULL); +/// ``` +#[inline(never)] +#[doc(hidden)] +#[rustc_diagnostic_item = "KaniInitContracts"] +pub fn init_contracts() {} + +/// This should only be used within contracts. The intent is to +/// perform type inference on a closure's argument +#[doc(hidden)] +pub fn apply_closure bool>(f: U, x: &T) -> bool { + f(x) +} + +/// Recieves a reference to a pointer-like object and assigns kani::any_modifies to that object. +/// Only for use within function contracts and will not be replaced if the recursive or function stub +/// replace contracts are not used. +#[crate::unstable(feature = "function-contracts", issue = "none", reason = "function-contracts")] +#[rustc_diagnostic_item = "KaniWriteAny"] +#[inline(never)] +#[doc(hidden)] +pub unsafe fn write_any(_pointer: *mut T) { + // This function should not be reacheable. + // Users must include `#[kani::recursion]` in any function contracts for recursive functions; + // otherwise, this might not be properly instantiate. We mark this as unreachable to make + // sure Kani doesn't report any false positives. + unreachable!() +} + +/// Fill in a slice with kani::any. +/// Intended as a post compilation replacement for write_any +#[crate::unstable(feature = "function-contracts", issue = "none", reason = "function-contracts")] +#[rustc_diagnostic_item = "KaniWriteAnySlice"] +#[inline(always)] +pub unsafe fn write_any_slice(slice: *mut [T]) { + (*slice).fill_with(T::any) +} + +/// Fill in a pointer with kani::any. +/// Intended as a post compilation replacement for write_any +#[crate::unstable(feature = "function-contracts", issue = "none", reason = "function-contracts")] +#[rustc_diagnostic_item = "KaniWriteAnySlim"] +#[inline(always)] +pub unsafe fn write_any_slim(pointer: *mut T) { + ptr::write(pointer, T::any()) +} + +/// Fill in a str with kani::any. +/// Intended as a post compilation replacement for write_any. +/// Not yet implemented +#[crate::unstable(feature = "function-contracts", issue = "none", reason = "function-contracts")] +#[rustc_diagnostic_item = "KaniWriteAnyStr"] +#[inline(always)] +pub unsafe fn write_any_str(_s: *mut str) { + //TODO: strings introduce new UB + //(*s).as_bytes_mut().fill_with(u8::any) + //TODO: String validation + unimplemented!("Kani does not support creating arbitrary `str`") +} diff --git a/library/kani/src/invariant.rs b/library/kani/src/invariant.rs new file mode 100644 index 000000000000..068cdedc277e --- /dev/null +++ b/library/kani/src/invariant.rs @@ -0,0 +1,104 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This module introduces the `Invariant` trait as well as its implementation +//! for primitive types. + +/// This trait should be used to specify and check type safety invariants for a +/// type. For type invariants, we refer to the definitions in the Rust's Unsafe +/// Code Guidelines Reference: +/// +/// +/// In summary, the reference distinguishes two kinds of type invariants: +/// - *Validity invariant*: An invariant that all data must uphold any time +/// it's accessed or copied in a typed manner. This invariant is exploited by +/// the compiler to perform optimizations. +/// - *Safety invariant*: An invariant that safe code may assume all data to +/// uphold. This invariant can be temporarily violated by unsafe code, but +/// must always be upheld when interfacing with unknown safe code. +/// +/// Therefore, validity invariants must be upheld at all times, while safety +/// invariants only need to be upheld at the boundaries to safe code. +/// +/// Safety invariants are particularly interesting for user-defined types, and +/// the `Invariant` trait allows you to check them with Kani. +/// +/// It can also be used in tests. It's a programmatic way to specify (in Rust) +/// properties over your data types. Since it's written in Rust, it can be used +/// for static and dynamic checking. +/// +/// For example, let's say you're creating a type that represents a date: +/// +/// ```rust +/// #[derive(kani::Arbitrary)] +/// pub struct MyDate { +/// day: u8, +/// month: u8, +/// year: i64, +/// } +/// ``` +/// You can specify its safety invariant as: +/// ```rust +/// impl kani::Invariant for MyDate { +/// fn is_safe(&self) -> bool { +/// self.month > 0 +/// && self.month <= 12 +/// && self.day > 0 +/// && self.day <= days_in_month(self.year, self.month) +/// } +/// } +/// ``` +/// And use it to check that your APIs are safe: +/// ```rust +/// #[kani::proof] +/// fn check_increase_date() { +/// let mut date: MyDate = kani::any(); +/// // Increase date by one day +/// increase_date(date, 1); +/// assert!(date.is_safe()); +/// } +/// ``` +pub trait Invariant +where + Self: Sized, +{ + fn is_safe(&self) -> bool; +} + +/// Any value is considered safe for the type +macro_rules! trivial_invariant { + ( $type: ty ) => { + impl Invariant for $type { + #[inline(always)] + fn is_safe(&self) -> bool { + true + } + } + }; +} + +trivial_invariant!(u8); +trivial_invariant!(u16); +trivial_invariant!(u32); +trivial_invariant!(u64); +trivial_invariant!(u128); +trivial_invariant!(usize); + +trivial_invariant!(i8); +trivial_invariant!(i16); +trivial_invariant!(i32); +trivial_invariant!(i64); +trivial_invariant!(i128); +trivial_invariant!(isize); + +// We do not constrain the safety invariant for floating points types. +// Users can create a new type wrapping the floating point type and define an +// invariant that checks for NaN, infinite, or subnormal values. +trivial_invariant!(f32); +trivial_invariant!(f64); +trivial_invariant!(f16); +trivial_invariant!(f128); + +trivial_invariant!(()); +trivial_invariant!(bool); +trivial_invariant!(char); diff --git a/library/kani/src/lib.rs b/library/kani/src/lib.rs index e3456f69fbb3..046c6e7a0667 100644 --- a/library/kani/src/lib.rs +++ b/library/kani/src/lib.rs @@ -7,20 +7,29 @@ // Used for rustc_diagnostic_item. // Note: We could use a kanitool attribute instead. #![feature(rustc_attrs)] -// This is required for the optimized version of `any_array()` -#![feature(generic_const_exprs)] -#![allow(incomplete_features)] // Used to model simd. #![feature(repr_simd)] +#![feature(generic_const_exprs)] +#![allow(incomplete_features)] // Features used for tests only. -#![cfg_attr(test, feature(platform_intrinsics, portable_simd))] -// Required for rustc_diagnostic_item +#![cfg_attr(test, feature(core_intrinsics, portable_simd))] +// Required for `rustc_diagnostic_item` and `core_intrinsics` #![allow(internal_features)] +// Required for implementing memory predicates. +#![feature(ptr_metadata)] +#![feature(f16)] +#![feature(f128)] + +// Allow us to use `kani::` to access crate features. +extern crate self as kani; pub mod arbitrary; #[cfg(feature = "concrete_playback")] mod concrete_playback; pub mod futures; +pub mod invariant; +pub mod mem; +pub mod shadow; pub mod slice; pub mod tuple; pub mod vec; @@ -28,16 +37,20 @@ pub mod vec; #[doc(hidden)] pub mod internal; +mod mem_init; mod models; pub use arbitrary::Arbitrary; #[cfg(feature = "concrete_playback")] pub use concrete_playback::concrete_playback_run; +pub use invariant::Invariant; + #[cfg(not(feature = "concrete_playback"))] /// NOP `concrete_playback` for type checking during verification mode. pub fn concrete_playback_run(_: Vec>, _: F) { unreachable!("Concrete playback does not work during verification") } + pub use futures::{block_on, block_on_with_spawn, spawn, yield_now, RoundRobin}; /// Creates an assumption that will be valid after this statement run. Note that the assumption @@ -80,18 +93,12 @@ pub fn assume(cond: bool) { /// `implies!(premise => conclusion)` means that if the `premise` is true, so /// must be the `conclusion`. /// -/// This simply expands to `!premise || conclusion` and is intended to be used -/// in function contracts to make them more readable, as the concept of an -/// implication is more natural to think about than its expansion. -/// -/// For further convenience multiple comma separated premises are allowed, and -/// are joined with `||` in the expansion. E.g. `implies!(a, b => c)` expands to -/// `!a || !b || c` and says that `c` is true if both `a` and `b` are true (see -/// also [Horn Clauses](https://en.wikipedia.org/wiki/Horn_clause)). +/// This simply expands to `!premise || conclusion` and is intended to make checks more readable, +/// as the concept of an implication is more natural to think about than its expansion. #[macro_export] macro_rules! implies { - ($($premise:expr),+ => $conclusion:expr) => { - $(!$premise)||+ || ($conclusion) + ($premise:expr => $conclusion:expr) => { + !($premise) || ($conclusion) }; } @@ -119,6 +126,30 @@ pub const fn assert(cond: bool, msg: &'static str) { assert!(cond, "{}", msg); } +/// Creates an assertion of the specified condition, but does not assume it afterwards. +/// +/// # Example: +/// +/// ```rust +/// let x: bool = kani::any(); +/// let y = !x; +/// kani::check(x || y, "ORing a boolean variable with its negation must be true") +/// ``` +#[cfg(not(feature = "concrete_playback"))] +#[inline(never)] +#[rustc_diagnostic_item = "KaniCheck"] +pub const fn check(cond: bool, msg: &'static str) { + let _ = cond; + let _ = msg; +} + +#[cfg(feature = "concrete_playback")] +#[inline(never)] +#[rustc_diagnostic_item = "KaniCheck"] +pub const fn check(cond: bool, msg: &'static str) { + assert!(cond, "{}", msg); +} + /// Creates a cover property with the specified condition and message. /// /// # Example: @@ -158,11 +189,27 @@ pub const fn cover(_cond: bool, _msg: &'static str) {} /// Note: This is a safe construct and can only be used with types that implement the `Arbitrary` /// trait. The Arbitrary trait is used to build a symbolic value that represents all possible /// valid values for type `T`. +#[rustc_diagnostic_item = "KaniAny"] #[inline(always)] pub fn any() -> T { T::any() } +/// This function is only used for function contract instrumentation. +/// It behaves exaclty like `kani::any()`, except it will check for the trait bounds +/// at compilation time. It allows us to avoid type checking errors while using function +/// contracts only for verification. +#[rustc_diagnostic_item = "KaniAnyModifies"] +#[inline(never)] +#[doc(hidden)] +pub fn any_modifies() -> T { + // This function should not be reacheable. + // Users must include `#[kani::recursion]` in any function contracts for recursive functions; + // otherwise, this might not be properly instantiate. We mark this as unreachable to make + // sure Kani doesn't report any false positives. + unreachable!() +} + /// This creates a symbolic *valid* value of type `T`. /// The value is constrained to be a value accepted by the predicate passed to the filter. /// You can assign the return value of this function to a variable that you want to make symbolic. @@ -202,28 +249,26 @@ pub fn any_where bool>(f: F) -> T { /// Note that SIZE_T must be equal the size of type T in bytes. #[inline(never)] #[cfg(not(feature = "concrete_playback"))] -pub(crate) unsafe fn any_raw_internal() -> T { - any_raw_inner::() +unsafe fn any_raw_internal() -> T { + any_raw::() } +/// This is the same as [any_raw_internal] for verification flow, but not for concrete playback. #[inline(never)] -#[cfg(feature = "concrete_playback")] -pub(crate) unsafe fn any_raw_internal() -> T { - concrete_playback::any_raw_internal::() +#[cfg(not(feature = "concrete_playback"))] +unsafe fn any_raw_array() -> [T; N] { + any_raw::<[T; N]>() } +#[cfg(feature = "concrete_playback")] +use concrete_playback::{any_raw_array, any_raw_internal}; + /// This low-level function returns nondet bytes of size T. #[rustc_diagnostic_item = "KaniAnyRaw"] #[inline(never)] #[allow(dead_code)] -fn any_raw_inner() -> T { - // while we could use `unreachable!()` or `panic!()` as the body of this - // function, both cause Kani to produce a warning on any program that uses - // kani::any() (see https://github.com/model-checking/kani/issues/2010). - // This function is handled via a hook anyway, so we just need to put a body - // that rustc does not complain about. An infinite loop works out nicely. - #[allow(clippy::empty_loop)] - loop {} +fn any_raw() -> T { + kani_intrinsic() } /// Function used to generate panic with a static message as this is the only one currently @@ -239,6 +284,20 @@ pub const fn panic(message: &'static str) -> ! { panic!("{}", message) } +/// An empty body that can be used to define Kani intrinsic functions. +/// +/// A Kani intrinsic is a function that is interpreted by Kani compiler. +/// While we could use `unreachable!()` or `panic!()` as the body of a kani intrinsic +/// function, both cause Kani to produce a warning since we don't support caller location. +/// (see https://github.com/model-checking/kani/issues/2010). +/// +/// This function is dead, since its caller is always handled via a hook anyway, +/// so we just need to put a body that rustc does not complain about. +/// An infinite loop works out nicely. +fn kani_intrinsic() -> T { + #[allow(clippy::empty_loop)] + loop {} +} /// A macro to check if a condition is satisfiable at a specific location in the /// code. /// @@ -298,4 +357,6 @@ pub use core::assert as __kani__workaround_core_assert; // Kani proc macros must be in a separate crate pub use kani_macros::*; +pub(crate) use kani_macros::unstable_feature as unstable; + pub mod contracts; diff --git a/library/kani/src/mem.rs b/library/kani/src/mem.rs new file mode 100644 index 000000000000..f718c09ec38d --- /dev/null +++ b/library/kani/src/mem.rs @@ -0,0 +1,433 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains functions useful for checking unsafe memory access. +//! +//! Given the following validity rules provided in the Rust documentation: +//! (accessed Feb 6th, 2024) +//! +//! 1. A null pointer is never valid, not even for accesses of size zero. +//! 2. For a pointer to be valid, it is necessary, but not always sufficient, that the pointer +//! be dereferenceable: the memory range of the given size starting at the pointer must all be +//! within the bounds of a single allocated object. Note that in Rust, every (stack-allocated) +//! variable is considered a separate allocated object. +//! ~~Even for operations of size zero, the pointer must not be pointing to deallocated memory, +//! i.e., deallocation makes pointers invalid even for zero-sized operations.~~ +//! ZST access is not OK for any pointer. +//! See: +//! 3. However, casting any non-zero integer literal to a pointer is valid for zero-sized +//! accesses, even if some memory happens to exist at that address and gets deallocated. +//! This corresponds to writing your own allocator: allocating zero-sized objects is not very +//! hard. The canonical way to obtain a pointer that is valid for zero-sized accesses is +//! `NonNull::dangling`. +//! 4. All accesses performed by functions in this module are non-atomic in the sense of atomic +//! operations used to synchronize between threads. +//! This means it is undefined behavior to perform two concurrent accesses to the same location +//! from different threads unless both accesses only read from memory. +//! Notice that this explicitly includes `read_volatile` and `write_volatile`: +//! Volatile accesses cannot be used for inter-thread synchronization. +//! 5. The result of casting a reference to a pointer is valid for as long as the underlying +//! object is live and no reference (just raw pointers) is used to access the same memory. +//! That is, reference and pointer accesses cannot be interleaved. +//! +//! Kani is able to verify #1 and #2 today. +//! +//! For #3, we are overly cautious, and Kani will only consider zero-sized pointer access safe if +//! the address matches `NonNull::<()>::dangling()`. +//! The way Kani tracks provenance is not enough to check if the address was the result of a cast +//! from a non-zero integer literal. + +use crate::kani_intrinsic; +use crate::mem::private::Internal; +use std::mem::{align_of, size_of}; +use std::ptr::{DynMetadata, NonNull, Pointee}; + +/// Check if the pointer is valid for write access according to [crate::mem] conditions 1, 2 +/// and 3. +/// +/// Note this function also checks for pointer alignment. Use [self::can_write_unaligned] +/// if you don't want to fail for unaligned pointers. +/// +/// This function does not check if the value stored is valid for the given type. Use +/// [self::can_dereference] for that. +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +pub fn can_write(ptr: *mut T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + // The interface takes a mutable pointer to improve readability of the signature. + // However, using constant pointer avoid unnecessary instrumentation, and it is as powerful. + // Hence, cast to `*const T`. + let ptr: *const T = ptr; + let (thin_ptr, metadata) = ptr.to_raw_parts(); + metadata.is_ptr_aligned(thin_ptr, Internal) && is_inbounds(&metadata, thin_ptr) +} + +/// Check if the pointer is valid for unaligned write access according to [crate::mem] conditions +/// 1, 2 and 3. +/// +/// Note this function succeeds for unaligned pointers. See [self::can_write] if you also +/// want to check pointer alignment. +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +pub fn can_write_unaligned(ptr: *const T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + let (thin_ptr, metadata) = ptr.to_raw_parts(); + is_inbounds(&metadata, thin_ptr) +} + +/// Checks that pointer `ptr` point to a valid value of type `T`. +/// +/// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 +/// and 3, +/// and the value stored must respect the validity invariants for type `T`. +/// +/// TODO: Kani should automatically add those checks when a de-reference happens. +/// +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +#[allow(clippy::not_unsafe_ptr_arg_deref)] +pub fn can_dereference(ptr: *const T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + let (thin_ptr, metadata) = ptr.to_raw_parts(); + // Need to assert `is_initialized` because non-determinism is used under the hood, so it does + // not make sense to use it inside assumption context. + metadata.is_ptr_aligned(thin_ptr, Internal) + && is_inbounds(&metadata, thin_ptr) + && assert_is_initialized(ptr) + && unsafe { has_valid_value(ptr) } +} + +/// Checks that pointer `ptr` point to a valid value of type `T`. +/// +/// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 +/// and 3, +/// and the value stored must respect the validity invariants for type `T`. +/// +/// Note this function succeeds for unaligned pointers. See [self::can_dereference] if you also +/// want to check pointer alignment. +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +#[allow(clippy::not_unsafe_ptr_arg_deref)] +pub fn can_read_unaligned(ptr: *const T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + let (thin_ptr, metadata) = ptr.to_raw_parts(); + // Need to assert `is_initialized` because non-determinism is used under the hood, so it does + // not make sense to use it inside assumption context. + is_inbounds(&metadata, thin_ptr) + && assert_is_initialized(ptr) + && unsafe { has_valid_value(ptr) } +} + +/// Checks that `data_ptr` points to an allocation that can hold data of size calculated from `T`. +/// +/// This will panic if `data_ptr` points to an invalid `non_null` +fn is_inbounds(metadata: &M, data_ptr: *const ()) -> bool +where + M: PtrProperties, + T: ?Sized, +{ + let sz = metadata.pointee_size(Internal); + if sz == 0 { + true // ZST pointers are always valid including nullptr. + } else if data_ptr.is_null() { + false + } else { + // Note that this branch can't be tested in concrete execution as `is_read_ok` needs to be + // stubbed. + // We first assert that the data_ptr + crate::assert( + unsafe { is_allocated(data_ptr, 0) }, + "Kani does not support reasoning about pointer to unallocated memory", + ); + unsafe { is_allocated(data_ptr, sz) } + } +} + +mod private { + /// Define like this to restrict usage of PtrProperties functions outside Kani. + #[derive(Copy, Clone)] + pub struct Internal; +} + +/// Trait that allow us to extract information from pointers without de-referencing them. +#[doc(hidden)] +pub trait PtrProperties { + fn pointee_size(&self, _: Internal) -> usize; + + /// A pointer is aligned if its address is a multiple of its minimum alignment. + fn is_ptr_aligned(&self, ptr: *const (), internal: Internal) -> bool { + let min = self.min_alignment(internal); + ptr as usize % min == 0 + } + + fn min_alignment(&self, _: Internal) -> usize; + + fn dangling(&self, _: Internal) -> *const (); +} + +/// Get the information for sized types (they don't have metadata). +impl PtrProperties for () { + fn pointee_size(&self, _: Internal) -> usize { + size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as *const _ + } +} + +/// Get the information from the str metadata. +impl PtrProperties for usize { + #[inline(always)] + fn pointee_size(&self, _: Internal) -> usize { + *self + } + + /// String slices are a UTF-8 representation of characters that have the same layout as slices + /// of type [u8]. + /// + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } +} + +/// Get the information from the slice metadata. +impl PtrProperties<[T]> for usize { + fn pointee_size(&self, _: Internal) -> usize { + *self * size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } +} + +/// Get the information from the vtable. +impl PtrProperties for DynMetadata +where + T: ?Sized, +{ + fn pointee_size(&self, _: Internal) -> usize { + self.size_of() + } + + fn min_alignment(&self, _: Internal) -> usize { + self.align_of() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::<&T>::dangling().as_ptr() as _ + } +} + +/// Check if the pointer `_ptr` contains an allocated address of size equal or greater than `_size`. +/// +/// # Safety +/// +/// This function should only be called to ensure a pointer is always valid, i.e., in an assertion +/// context. +/// +/// I.e.: This function always returns `true` if the pointer is valid. +/// Otherwise, it returns non-det boolean. +#[rustc_diagnostic_item = "KaniIsAllocated"] +#[inline(never)] +unsafe fn is_allocated(_ptr: *const (), _size: usize) -> bool { + kani_intrinsic() +} + +/// Check if the value stored in the given location satisfies type `T` validity requirements. +/// +/// # Safety +/// +/// - Users have to ensure that the pointer is aligned the pointed memory is allocated. +#[rustc_diagnostic_item = "KaniValidValue"] +#[inline(never)] +unsafe fn has_valid_value(_ptr: *const T) -> bool { + kani_intrinsic() +} + +/// Check whether `len * size_of::()` bytes are initialized starting from `ptr`. +#[rustc_diagnostic_item = "KaniIsInitialized"] +#[inline(never)] +pub(crate) fn is_initialized(_ptr: *const T) -> bool { + kani_intrinsic() +} + +/// A helper to assert `is_initialized` to use it as a part of other predicates. +fn assert_is_initialized(ptr: *const T) -> bool { + crate::check(is_initialized(ptr), "Undefined Behavior: Reading from an uninitialized pointer"); + true +} + +/// Get the object ID of the given pointer. +#[doc(hidden)] +#[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" +)] +#[rustc_diagnostic_item = "KaniPointerObject"] +#[inline(never)] +pub fn pointer_object(_ptr: *const T) -> usize { + kani_intrinsic() +} + +/// Get the object offset of the given pointer. +#[doc(hidden)] +#[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" +)] +#[rustc_diagnostic_item = "KaniPointerOffset"] +#[inline(never)] +pub fn pointer_offset(_ptr: *const T) -> usize { + kani_intrinsic() +} + +#[cfg(test)] +mod tests { + use super::{can_dereference, can_write, PtrProperties}; + use crate::mem::private::Internal; + use std::fmt::Debug; + use std::intrinsics::size_of; + use std::mem::{align_of, align_of_val, size_of_val}; + use std::ptr; + use std::ptr::{NonNull, Pointee}; + + fn size_of_t(ptr: *const T) -> usize + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (_, metadata) = ptr.to_raw_parts(); + metadata.pointee_size(Internal) + } + + fn align_of_t(ptr: *const T) -> usize + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (_, metadata) = ptr.to_raw_parts(); + metadata.min_alignment(Internal) + } + + #[test] + fn test_size_of() { + assert_eq!(size_of_t("hi"), size_of_val("hi")); + assert_eq!(size_of_t(&0u8), size_of_val(&0u8)); + assert_eq!(size_of_t(&0u8 as *const dyn std::fmt::Display), size_of_val(&0u8)); + assert_eq!(size_of_t(&[0u8, 1u8] as &[u8]), size_of_val(&[0u8, 1u8])); + assert_eq!(size_of_t(&[] as &[u8]), size_of_val::<[u8; 0]>(&[])); + assert_eq!( + size_of_t(NonNull::::dangling().as_ptr() as *const dyn std::fmt::Display), + size_of::() + ); + } + + #[test] + fn test_alignment() { + assert_eq!(align_of_t("hi"), align_of_val("hi")); + assert_eq!(align_of_t(&0u8), align_of_val(&0u8)); + assert_eq!(align_of_t(&0u32 as *const dyn std::fmt::Display), align_of_val(&0u32)); + assert_eq!(align_of_t(&[0isize, 1isize] as &[isize]), align_of_val(&[0isize, 1isize])); + assert_eq!(align_of_t(&[] as &[u8]), align_of_val::<[u8; 0]>(&[])); + assert_eq!( + align_of_t(NonNull::::dangling().as_ptr() as *const dyn std::fmt::Display), + align_of::() + ); + } + + #[test] + pub fn test_empty_slice() { + let slice_ptr = Vec::::new().as_mut_slice() as *mut [char]; + assert!(can_write(slice_ptr)); + } + + #[test] + pub fn test_empty_str() { + let slice_ptr = String::new().as_mut_str() as *mut str; + assert!(can_write(slice_ptr)); + } + + #[test] + fn test_dangling_zst() { + test_dangling_of_zst::<()>(); + test_dangling_of_zst::<[(); 10]>(); + } + + fn test_dangling_of_zst() { + let dangling: *mut T = NonNull::::dangling().as_ptr(); + assert!(can_write(dangling)); + + let vec_ptr = Vec::::new().as_mut_ptr(); + assert!(can_write(vec_ptr)); + } + + #[test] + fn test_null_fat_ptr() { + assert!(!can_dereference(ptr::null::() as *const dyn Debug)); + } + + #[test] + fn test_null_char() { + assert!(!can_dereference(ptr::null::())); + } + + #[test] + fn test_null_mut() { + assert!(!can_write(ptr::null_mut::())); + } +} diff --git a/library/kani/src/mem_init.rs b/library/kani/src/mem_init.rs new file mode 100644 index 000000000000..88847e9c4f3c --- /dev/null +++ b/library/kani/src/mem_init.rs @@ -0,0 +1,283 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This module provides instrumentation for tracking memory initialization of raw pointers. +//! +//! Currently, memory initialization is tracked on per-byte basis, so each byte of memory pointed to +//! by raw pointers could be either initialized or uninitialized. Padding bytes are always +//! considered uninitialized when read as data bytes. Each type has a type layout to specify which +//! bytes are considered to be data and which -- padding. This is determined at compile time and +//! statically injected into the program (see `Layout`). +//! +//! Compiler automatically inserts calls to `is_xxx_initialized` and `set_xxx_initialized` at +//! appropriate locations to get or set the initialization status of the memory pointed to. +//! +//! Note that for each harness, tracked object and tracked offset are chosen non-deterministically, +//! so calls to `is_xxx_initialized` should be only used in assertion contexts. + +// Definitions in this module are not meant to be visible to the end user, only the compiler. +#![allow(dead_code)] + +/// Bytewise mask, representing which bytes of a type are data and which are padding. +/// For example, for a type like this: +/// ``` +/// #[repr(C)] +/// struct Foo { +/// a: u16, +/// b: u8, +/// } +/// ``` +/// the layout would be [true, true, true, false]; +type Layout = [bool; LAYOUT_SIZE]; + +/// Currently tracked non-deterministically chosen memory initialization state. +struct MemoryInitializationState { + pub tracked_object_id: usize, + pub tracked_offset: usize, + pub value: bool, +} + +impl MemoryInitializationState { + /// This is a dummy initialization function -- the values will be eventually overwritten by a + /// call to `initialize_memory_initialization_state`. + pub const fn new() -> Self { + Self { tracked_object_id: 0, tracked_offset: 0, value: false } + } + + /// Return currently tracked memory initialization state if `ptr` points to the currently + /// tracked object and the tracked offset lies within `LAYOUT_SIZE` bytes of `ptr`. Return + /// `true` otherwise. + /// + /// Such definition is necessary since both tracked object and tracked offset are chosen + /// non-deterministically. + #[kanitool::disable_checks(pointer)] + pub fn get( + &mut self, + ptr: *const u8, + layout: Layout, + ) -> bool { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + if self.tracked_object_id == obj + && self.tracked_offset >= offset + && self.tracked_offset < offset + LAYOUT_SIZE + { + !layout[self.tracked_offset - offset] || self.value + } else { + true + } + } + + /// Set currently tracked memory initialization state if `ptr` points to the currently tracked + /// object and the tracked offset lies within `LAYOUT_SIZE` bytes of `ptr`. Do nothing + /// otherwise. + /// + /// Such definition is necessary since both tracked object and tracked offset are chosen + /// non-deterministically. + #[kanitool::disable_checks(pointer)] + pub fn set( + &mut self, + ptr: *const u8, + layout: Layout, + value: bool, + ) { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + if self.tracked_object_id == obj + && self.tracked_offset >= offset + && self.tracked_offset < offset + LAYOUT_SIZE + { + self.value = layout[self.tracked_offset - offset] && value; + } + } + + /// Return currently tracked memory initialization state if `ptr` points to the currently + /// tracked object and the tracked offset lies within `LAYOUT_SIZE * num_elts` bytes of `ptr`. + /// Return `true` otherwise. + /// + /// Such definition is necessary since both tracked object and tracked offset are chosen + /// non-deterministically. + #[kanitool::disable_checks(pointer)] + pub fn get_slice( + &mut self, + ptr: *const u8, + layout: Layout, + num_elts: usize, + ) -> bool { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + if self.tracked_object_id == obj + && self.tracked_offset >= offset + && self.tracked_offset < offset + num_elts * LAYOUT_SIZE + { + !layout[(self.tracked_offset - offset) % LAYOUT_SIZE] || self.value + } else { + true + } + } + + /// Set currently tracked memory initialization state if `ptr` points to the currently tracked + /// object and the tracked offset lies within `LAYOUT_SIZE * num_elts` bytes of `ptr`. Do + /// nothing otherwise. + /// + /// Such definition is necessary since both tracked object and tracked offset are chosen + /// non-deterministically. + #[kanitool::disable_checks(pointer)] + pub fn set_slice( + &mut self, + ptr: *const u8, + layout: Layout, + num_elts: usize, + value: bool, + ) { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + if self.tracked_object_id == obj + && self.tracked_offset >= offset + && self.tracked_offset < offset + num_elts * LAYOUT_SIZE + { + self.value = layout[(self.tracked_offset - offset) % LAYOUT_SIZE] && value; + } + } +} + +/// Global object for tracking memory initialization state. +#[rustc_diagnostic_item = "KaniMemoryInitializationState"] +static mut MEM_INIT_STATE: MemoryInitializationState = MemoryInitializationState::new(); + +/// Set tracked object and tracked offset to a non-deterministic value. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniInitializeMemoryInitializationState"] +fn initialize_memory_initialization_state() { + unsafe { + MEM_INIT_STATE.tracked_object_id = crate::any(); + MEM_INIT_STATE.tracked_offset = crate::any(); + MEM_INIT_STATE.value = false; + } +} + +/// Get initialization state of `num_elts` items laid out according to the `layout` starting at address `ptr`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniIsPtrInitialized"] +fn is_ptr_initialized( + ptr: *const T, + layout: Layout, +) -> bool { + if LAYOUT_SIZE == 0 { + return true; + } + let (ptr, _) = ptr.to_raw_parts(); + unsafe { MEM_INIT_STATE.get(ptr as *const u8, layout) } +} + +/// Set initialization state to `value` for `num_elts` items laid out according to the `layout` starting at address `ptr`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniSetPtrInitialized"] +fn set_ptr_initialized( + ptr: *const T, + layout: Layout, + value: bool, +) { + if LAYOUT_SIZE == 0 { + return; + } + let (ptr, _) = ptr.to_raw_parts(); + unsafe { + MEM_INIT_STATE.set(ptr as *const u8, layout, value); + } +} + +/// Get initialization state of `num_elts` items laid out according to the `layout` starting at address `ptr`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniIsSliceChunkPtrInitialized"] +fn is_slice_chunk_ptr_initialized( + ptr: *const T, + layout: Layout, + num_elts: usize, +) -> bool { + if LAYOUT_SIZE == 0 { + return true; + } + let (ptr, _) = ptr.to_raw_parts(); + unsafe { MEM_INIT_STATE.get_slice(ptr as *const u8, layout, num_elts) } +} + +/// Set initialization state to `value` for `num_elts` items laid out according to the `layout` starting at address `ptr`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniSetSliceChunkPtrInitialized"] +fn set_slice_chunk_ptr_initialized( + ptr: *const T, + layout: Layout, + num_elts: usize, + value: bool, +) { + if LAYOUT_SIZE == 0 { + return; + } + let (ptr, _) = ptr.to_raw_parts(); + unsafe { + MEM_INIT_STATE.set_slice(ptr as *const u8, layout, num_elts, value); + } +} + +/// Get initialization state of the slice, items of which are laid out according to the `layout` starting at address `ptr`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniIsSlicePtrInitialized"] +fn is_slice_ptr_initialized( + ptr: *const [T], + layout: Layout, +) -> bool { + if LAYOUT_SIZE == 0 { + return true; + } + let (ptr, num_elts) = ptr.to_raw_parts(); + unsafe { MEM_INIT_STATE.get_slice(ptr as *const u8, layout, num_elts) } +} + +/// Set initialization state of the slice, items of which are laid out according to the `layout` starting at address `ptr` to `value`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniSetSlicePtrInitialized"] +fn set_slice_ptr_initialized( + ptr: *const [T], + layout: Layout, + value: bool, +) { + if LAYOUT_SIZE == 0 { + return; + } + let (ptr, num_elts) = ptr.to_raw_parts(); + unsafe { + MEM_INIT_STATE.set_slice(ptr as *const u8, layout, num_elts, value); + } +} + +/// Get initialization state of the string slice, items of which are laid out according to the `layout` starting at address `ptr`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniIsStrPtrInitialized"] +fn is_str_ptr_initialized( + ptr: *const str, + layout: Layout, +) -> bool { + if LAYOUT_SIZE == 0 { + return true; + } + let (ptr, num_elts) = ptr.to_raw_parts(); + unsafe { MEM_INIT_STATE.get_slice(ptr as *const u8, layout, num_elts) } +} + +/// Set initialization state of the string slice, items of which are laid out according to the `layout` starting at address `ptr` to `value`. +#[kanitool::disable_checks(pointer)] +#[rustc_diagnostic_item = "KaniSetStrPtrInitialized"] +fn set_str_ptr_initialized( + ptr: *const str, + layout: Layout, + value: bool, +) { + if LAYOUT_SIZE == 0 { + return; + } + let (ptr, num_elts) = ptr.to_raw_parts(); + unsafe { + MEM_INIT_STATE.set_slice(ptr as *const u8, layout, num_elts, value); + } +} diff --git a/library/kani/src/models/mod.rs b/library/kani/src/models/mod.rs index 194f220595c0..2081ddf639df 100644 --- a/library/kani/src/models/mod.rs +++ b/library/kani/src/models/mod.rs @@ -127,12 +127,9 @@ mod intrinsics { #[cfg(test)] mod test { use super::intrinsics as kani_intrinsic; + use std::intrinsics::simd::*; use std::{fmt::Debug, simd::*}; - extern "platform-intrinsic" { - fn simd_bitmask(x: T) -> U; - } - /// Test that the `simd_bitmask` model is equivalent to the intrinsic for all true and all false /// masks with lanes represented using i16. #[test] diff --git a/library/kani/src/shadow.rs b/library/kani/src/shadow.rs new file mode 100644 index 000000000000..a7ea57c6fd40 --- /dev/null +++ b/library/kani/src/shadow.rs @@ -0,0 +1,83 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This module contains an API for shadow memory. +//! Shadow memory is a mechanism by which we can store metadata on memory +//! locations, e.g. whether a memory location is initialized. +//! +//! The main data structure provided by this module is the `ShadowMem` struct, +//! which allows us to store metadata on a given memory location. +//! +//! # Example +//! +//! ``` +//! use kani::shadow::ShadowMem; +//! use std::alloc::{alloc, Layout}; +//! +//! let mut sm = ShadowMem::new(false); +//! +//! unsafe { +//! let ptr = alloc(Layout::new::()); +//! // assert the memory location is not initialized +//! assert!(!sm.get(ptr)); +//! // write to the memory location +//! *ptr = 42; +//! // update the shadow memory to indicate that this location is now initialized +//! sm.set(ptr, true); +//! } +//! ``` + +const MAX_NUM_OBJECTS: usize = 1024; +const MAX_OBJECT_SIZE: usize = 64; + +const MAX_NUM_OBJECTS_ASSERT_MSG: &str = "The number of objects exceeds the maximum number supported by Kani's shadow memory model (1024)"; +const MAX_OBJECT_SIZE_ASSERT_MSG: &str = + "The object size exceeds the maximum size supported by Kani's shadow memory model (64)"; + +/// A shadow memory data structure that contains a two-dimensional array of a +/// generic type `T`. +/// Each element of the outer array represents an object, and each element of +/// the inner array represents a byte in the object. +pub struct ShadowMem { + mem: [[T; MAX_OBJECT_SIZE]; MAX_NUM_OBJECTS], +} + +impl ShadowMem { + /// Create a new shadow memory instance initialized with the given value + #[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" + )] + pub const fn new(val: T) -> Self { + Self { mem: [[val; MAX_OBJECT_SIZE]; MAX_NUM_OBJECTS] } + } + + /// Get the shadow memory value of the given pointer + #[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" + )] + pub fn get(&self, ptr: *const U) -> T { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + crate::assert(obj < MAX_NUM_OBJECTS, MAX_NUM_OBJECTS_ASSERT_MSG); + crate::assert(offset < MAX_OBJECT_SIZE, MAX_OBJECT_SIZE_ASSERT_MSG); + self.mem[obj][offset] + } + + /// Set the shadow memory value of the given pointer + #[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" + )] + pub fn set(&mut self, ptr: *const U, val: T) { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + crate::assert(obj < MAX_NUM_OBJECTS, MAX_NUM_OBJECTS_ASSERT_MSG); + crate::assert(offset < MAX_OBJECT_SIZE, MAX_OBJECT_SIZE_ASSERT_MSG); + self.mem[obj][offset] = val; + } +} diff --git a/library/kani/src/vec.rs b/library/kani/src/vec.rs index 626d152f02d4..a3ec05a9c953 100644 --- a/library/kani/src/vec.rs +++ b/library/kani/src/vec.rs @@ -6,7 +6,6 @@ use crate::{any, any_where, Arbitrary}; pub fn any_vec() -> Vec where T: Arbitrary, - [(); std::mem::size_of::<[T; MAX_LENGTH]>()]:, { let real_length: usize = any_where(|sz| *sz <= MAX_LENGTH); match real_length { @@ -26,7 +25,6 @@ where pub fn exact_vec() -> Vec where T: Arbitrary, - [(); std::mem::size_of::<[T; EXACT_LENGTH]>()]:, { let boxed_array: Box<[T; EXACT_LENGTH]> = Box::new(any()); <[T]>::into_vec(boxed_array) diff --git a/library/kani_core/Cargo.toml b/library/kani_core/Cargo.toml new file mode 100644 index 000000000000..ec12209f0e08 --- /dev/null +++ b/library/kani_core/Cargo.toml @@ -0,0 +1,16 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +[package] +name = "kani_core" +version = "0.53.0" +edition = "2021" +license = "MIT OR Apache-2.0" +publish = false +description = "Define core constructs to use with Kani" + +[dependencies] +kani_macros = { path = "../kani_macros", features = ["no_core"] } + +[features] +no_core=["kani_macros/no_core"] diff --git a/library/kani_core/src/arbitrary.rs b/library/kani_core/src/arbitrary.rs new file mode 100644 index 000000000000..8c6cfd335104 --- /dev/null +++ b/library/kani_core/src/arbitrary.rs @@ -0,0 +1,189 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This macro generates implementations of the `Arbitrary` trait for various types. The `Arbitrary` trait defines +//! methods for generating arbitrary (unconstrained) values of the implementing type. +//! trivial_arbitrary and nonzero_arbitrary are implementations of Arbitrary for types that can be represented +//! by an unconstrained symbolic value of their size (e.g., `u8`, `u16`, `u32`, etc.). +//! +//! TODO: Use this inside kani library so that we dont have to maintain two copies of the same proc macro for arbitrary. +#[macro_export] +#[allow(clippy::crate_in_macro_def)] +macro_rules! generate_arbitrary { + ($core:path) => { + use core_path::marker::{PhantomData, PhantomPinned}; + use $core as core_path; + + pub trait Arbitrary + where + Self: Sized, + { + fn any() -> Self; + fn any_array() -> [Self; MAX_ARRAY_LENGTH] { + [(); MAX_ARRAY_LENGTH].map(|_| Self::any()) + } + } + + /// The given type can be represented by an unconstrained symbolic value of size_of::. + macro_rules! trivial_arbitrary { + ( $type: ty ) => { + impl Arbitrary for $type { + #[inline(always)] + fn any() -> Self { + // This size_of call does not use generic_const_exprs feature. It's inside a macro, and Self isn't generic. + unsafe { crate::kani::any_raw_internal::() } + } + fn any_array() -> [Self; MAX_ARRAY_LENGTH] { + unsafe { crate::kani::any_raw_array::() } + } + } + }; + } + + macro_rules! nonzero_arbitrary { + ( $type: ty, $base: ty ) => { + use core_path::num::*; + impl Arbitrary for $type { + #[inline(always)] + fn any() -> Self { + let val = <$base>::any(); + assume(val != 0); + unsafe { <$type>::new_unchecked(val) } + } + } + }; + } + + // Generate trivial arbitrary values + trivial_arbitrary!(()); + + trivial_arbitrary!(u8); + trivial_arbitrary!(u16); + trivial_arbitrary!(u32); + trivial_arbitrary!(u64); + trivial_arbitrary!(u128); + trivial_arbitrary!(usize); + + trivial_arbitrary!(i8); + trivial_arbitrary!(i16); + trivial_arbitrary!(i32); + trivial_arbitrary!(i64); + trivial_arbitrary!(i128); + trivial_arbitrary!(isize); + + // We do not constrain floating points values per type spec. Users must add assumptions to their + // verification code if they want to eliminate NaN, infinite, or subnormal. + trivial_arbitrary!(f32); + trivial_arbitrary!(f64); + + // Similarly, we do not constraint values for non-standard floating types. + trivial_arbitrary!(f16); + trivial_arbitrary!(f128); + + nonzero_arbitrary!(NonZeroU8, u8); + nonzero_arbitrary!(NonZeroU16, u16); + nonzero_arbitrary!(NonZeroU32, u32); + nonzero_arbitrary!(NonZeroU64, u64); + nonzero_arbitrary!(NonZeroU128, u128); + nonzero_arbitrary!(NonZeroUsize, usize); + + nonzero_arbitrary!(NonZeroI8, i8); + nonzero_arbitrary!(NonZeroI16, i16); + nonzero_arbitrary!(NonZeroI32, i32); + nonzero_arbitrary!(NonZeroI64, i64); + nonzero_arbitrary!(NonZeroI128, i128); + nonzero_arbitrary!(NonZeroIsize, isize); + + // Implement arbitrary for non-trivial types + impl Arbitrary for bool { + #[inline(always)] + fn any() -> Self { + let byte = u8::any(); + assume(byte < 2); + byte == 1 + } + } + + /// Validate that a char is not outside the ranges [0x0, 0xD7FF] and [0xE000, 0x10FFFF] + /// Ref: + impl Arbitrary for char { + #[inline(always)] + fn any() -> Self { + // Generate an arbitrary u32 and constrain it to make it a valid representation of char. + + let val = u32::any(); + assume(val <= 0xD7FF || (0xE000..=0x10FFFF).contains(&val)); + unsafe { char::from_u32_unchecked(val) } + } + } + + impl Arbitrary for [T; N] + where + T: Arbitrary, + { + fn any() -> Self { + T::any_array::() + } + } + + impl Arbitrary for Option + where + T: Arbitrary, + { + fn any() -> Self { + if bool::any() { Some(T::any()) } else { None } + } + } + + impl Arbitrary for Result + where + T: Arbitrary, + E: Arbitrary, + { + fn any() -> Self { + if bool::any() { Ok(T::any()) } else { Err(E::any()) } + } + } + + impl Arbitrary for PhantomData { + fn any() -> Self { + PhantomData + } + } + + impl Arbitrary for PhantomPinned { + fn any() -> Self { + PhantomPinned + } + } + + arbitrary_tuple!(A); + arbitrary_tuple!(A, B); + arbitrary_tuple!(A, B, C); + arbitrary_tuple!(A, B, C, D); + arbitrary_tuple!(A, B, C, D, E); + arbitrary_tuple!(A, B, C, D, E, F); + arbitrary_tuple!(A, B, C, D, E, F, G); + arbitrary_tuple!(A, B, C, D, E, F, G, H); + arbitrary_tuple!(A, B, C, D, E, F, G, H, I); + arbitrary_tuple!(A, B, C, D, E, F, G, H, I, J); + arbitrary_tuple!(A, B, C, D, E, F, G, H, I, J, K); + arbitrary_tuple!(A, B, C, D, E, F, G, H, I, J, K, L); + }; +} + +/// This macro implements `kani::Arbitrary` on a tuple whose elements +/// already implement `kani::Arbitrary` by running `kani::any()` on +/// each index of the tuple. +#[allow(clippy::crate_in_macro_def)] +#[macro_export] +macro_rules! arbitrary_tuple { + ($($type:ident),*) => { + impl<$($type : Arbitrary),*> Arbitrary for ($($type,)*) { + #[inline(always)] + fn any() -> Self { + ($(crate::kani::any::<$type>(),)*) + } + } + } +} diff --git a/library/kani_core/src/lib.rs b/library/kani_core/src/lib.rs new file mode 100644 index 000000000000..9baba1abe886 --- /dev/null +++ b/library/kani_core/src/lib.rs @@ -0,0 +1,441 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This crate is a macro_only crate. It is designed to be used in `no_core` and `no_std` +//! environment. +//! +//! It will contain macros that generate core components of Kani. +//! +//! For regular usage, the kani library will invoke these macros to generate its components as if +//! they were declared in that library. +//! +//! For `no_core` and `no_std` crates, they will have to directly invoke those macros inside a +//! `kani` module in order to generate all the required components. +//! I.e., the components will be part of the crate being compiled. +//! +//! Note that any crate level attribute should be added by kani_driver as RUSTC_FLAGS. +//! E.g.: `register_tool(kanitool)` + +#![feature(no_core)] +#![no_core] +#![feature(f16)] +#![feature(f128)] + +mod arbitrary; +mod mem; + +pub use kani_macros::*; + +/// Users should only need to invoke this. +/// +/// Options are: +/// - `kani`: Add definitions needed for Kani library. +/// - `core`: Define a `kani` module inside `core` crate. +/// - `std`: TODO: Define a `kani` module inside `std` crate. Users must define kani inside core. +#[macro_export] +macro_rules! kani_lib { + (core) => { + #[cfg(kani)] + #[unstable(feature = "kani", issue = "none")] + pub mod kani { + // We need to list them all today because there is conflict with unstable. + pub use kani_core::*; + kani_core::kani_intrinsics!(core); + kani_core::generate_arbitrary!(core); + + pub mod mem { + kani_core::kani_mem!(core); + } + } + }; + + (kani) => { + pub use kani_core::*; + kani_core::kani_intrinsics!(std); + kani_core::generate_arbitrary!(std); + }; +} + +/// Kani intrinsics contains the public APIs used by users to verify their harnesses. +/// This macro is a part of kani_core as that allows us to verify even libraries that are no_core +/// such as core in rust's std library itself. +/// +/// TODO: Use this inside kani library so that we dont have to maintain two copies of the same intrinsics. +#[allow(clippy::crate_in_macro_def)] +#[macro_export] +macro_rules! kani_intrinsics { + ($core:tt) => { + /// Creates an assumption that will be valid after this statement run. Note that the assumption + /// will only be applied for paths that follow the assumption. If the assumption doesn't hold, the + /// program will exit successfully. + /// + /// # Example: + /// + /// The code snippet below should never panic. + /// + /// ```rust + /// let i : i32 = kani::any(); + /// kani::assume(i > 10); + /// if i < 0 { + /// panic!("This will never panic"); + /// } + /// ``` + /// + /// The following code may panic though: + /// + /// ```rust + /// let i : i32 = kani::any(); + /// assert!(i < 0, "This may panic and verification should fail."); + /// kani::assume(i > 10); + /// ``` + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssume"] + #[cfg(not(feature = "concrete_playback"))] + pub fn assume(cond: bool) { + let _ = cond; + } + + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssume"] + #[cfg(feature = "concrete_playback")] + pub fn assume(cond: bool) { + assert!(cond, "`kani::assume` should always hold"); + } + + /// Creates an assertion of the specified condition and message. + /// + /// # Example: + /// + /// ```rust + /// let x: bool = kani::any(); + /// let y = !x; + /// kani::assert(x || y, "ORing a boolean variable with its negation must be true") + /// ``` + #[cfg(not(feature = "concrete_playback"))] + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssert"] + pub const fn assert(cond: bool, msg: &'static str) { + let _ = cond; + let _ = msg; + } + + #[cfg(feature = "concrete_playback")] + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssert"] + pub const fn assert(cond: bool, msg: &'static str) { + assert!(cond, "{}", msg); + } + + /// Creates an assertion of the specified condition and message, but does not assume it afterwards. + /// + /// # Example: + /// + /// ```rust + /// let x: bool = kani::any(); + /// let y = !x; + /// kani::check(x || y, "ORing a boolean variable with its negation must be true") + /// ``` + #[cfg(not(feature = "concrete_playback"))] + #[inline(never)] + #[rustc_diagnostic_item = "KaniCheck"] + pub const fn check(cond: bool, msg: &'static str) { + let _ = cond; + let _ = msg; + } + + #[cfg(feature = "concrete_playback")] + #[inline(never)] + #[rustc_diagnostic_item = "KaniCheck"] + pub const fn check(cond: bool, msg: &'static str) { + assert!(cond, "{}", msg); + } + + /// Creates a cover property with the specified condition and message. + /// + /// # Example: + /// + /// ```rust + /// kani::cover(slice.len() == 0, "The slice may have a length of 0"); + /// ``` + /// + /// A cover property checks if there is at least one execution that satisfies + /// the specified condition at the location in which the function is called. + /// + /// Cover properties are reported as: + /// - SATISFIED: if Kani found an execution that satisfies the condition + /// - UNSATISFIABLE: if Kani proved that the condition cannot be satisfied + /// - UNREACHABLE: if Kani proved that the cover property itself is unreachable (i.e. it is vacuously UNSATISFIABLE) + /// + /// This function is called by the [`cover!`] macro. The macro is more + /// convenient to use. + /// + #[inline(never)] + #[rustc_diagnostic_item = "KaniCover"] + pub const fn cover(_cond: bool, _msg: &'static str) {} + + /// This creates an symbolic *valid* value of type `T`. You can assign the return value of this + /// function to a variable that you want to make symbolic. + /// + /// # Example: + /// + /// In the snippet below, we are verifying the behavior of the function `fn_under_verification` + /// under all possible `NonZeroU8` input values, i.e., all possible `u8` values except zero. + /// + /// ```rust + /// let inputA = kani::any::(); + /// fn_under_verification(inputA); + /// ``` + /// + /// Note: This is a safe construct and can only be used with types that implement the `Arbitrary` + /// trait. The Arbitrary trait is used to build a symbolic value that represents all possible + /// valid values for type `T`. + #[rustc_diagnostic_item = "KaniAny"] + #[inline(always)] + pub fn any() -> T { + T::any() + } + + /// This function is only used for function contract instrumentation. + /// It behaves exaclty like `kani::any()`, except it will check for the trait bounds + /// at compilation time. It allows us to avoid type checking errors while using function + /// contracts only for verification. + #[rustc_diagnostic_item = "KaniAnyModifies"] + #[inline(never)] + #[doc(hidden)] + pub fn any_modifies() -> T { + // This function should not be reacheable. + // Users must include `#[kani::recursion]` in any function contracts for recursive functions; + // otherwise, this might not be properly instantiate. We mark this as unreachable to make + // sure Kani doesn't report any false positives. + unreachable!() + } + + /// This creates a symbolic *valid* value of type `T`. + /// The value is constrained to be a value accepted by the predicate passed to the filter. + /// You can assign the return value of this function to a variable that you want to make symbolic. + /// + /// # Example: + /// + /// In the snippet below, we are verifying the behavior of the function `fn_under_verification` + /// under all possible `u8` input values between 0 and 12. + /// + /// ```rust + /// let inputA: u8 = kani::any_where(|x| *x < 12); + /// fn_under_verification(inputA); + /// ``` + /// + /// Note: This is a safe construct and can only be used with types that implement the `Arbitrary` + /// trait. The Arbitrary trait is used to build a symbolic value that represents all possible + /// valid values for type `T`. + #[inline(always)] + pub fn any_where bool>(f: F) -> T { + let result = T::any(); + assume(f(&result)); + result + } + + /// This function creates a symbolic value of type `T`. This may result in an invalid value. + /// + /// # Safety + /// + /// This function is unsafe and it may represent invalid `T` values which can lead to many + /// undesirable undefined behaviors. Because of that, this function can only be used + /// internally when we can guarantee that the type T has no restriction regarding its bit level + /// representation. + /// + /// This function is also used to find concrete values in the CBMC output trace + /// and return those concrete values in concrete playback mode. + /// + /// Note that SIZE_T must be equal the size of type T in bytes. + #[inline(never)] + #[cfg(not(feature = "concrete_playback"))] + unsafe fn any_raw_internal() -> T { + any_raw::() + } + + /// This is the same as [any_raw_internal] for verification flow, but not for concrete playback. + #[inline(never)] + #[cfg(not(feature = "concrete_playback"))] + unsafe fn any_raw_array() -> [T; N] { + any_raw::<[T; N]>() + } + + #[cfg(feature = "concrete_playback")] + use concrete_playback::{any_raw_array, any_raw_internal}; + + /// This low-level function returns nondet bytes of size T. + #[rustc_diagnostic_item = "KaniAnyRaw"] + #[inline(never)] + #[allow(dead_code)] + fn any_raw() -> T { + kani_intrinsic() + } + + /// Function used to generate panic with a static message as this is the only one currently + /// supported by Kani display. + /// + /// During verification this will get replaced by `assert(false)`. For concrete executions, we just + /// invoke the regular `core::panic!()` function. This function is used by our standard library + /// overrides, but not the other way around. + #[inline(never)] + #[rustc_diagnostic_item = "KaniPanic"] + #[doc(hidden)] + pub const fn panic(message: &'static str) -> ! { + panic!("{}", message) + } + + /// An empty body that can be used to define Kani intrinsic functions. + /// + /// A Kani intrinsic is a function that is interpreted by Kani compiler. + /// While we could use `unreachable!()` or `panic!()` as the body of a kani intrinsic + /// function, both cause Kani to produce a warning since we don't support caller location. + /// (see https://github.com/model-checking/kani/issues/2010). + /// + /// This function is dead, since its caller is always handled via a hook anyway, + /// so we just need to put a body that rustc does not complain about. + /// An infinite loop works out nicely. + fn kani_intrinsic() -> T { + #[allow(clippy::empty_loop)] + loop {} + } + + pub mod internal { + use crate::kani::Arbitrary; + use core::ptr; + + /// Helper trait for code generation for `modifies` contracts. + /// + /// We allow the user to provide us with a pointer-like object that we convert as needed. + #[doc(hidden)] + pub trait Pointer<'a> { + /// Type of the pointed-to data + type Inner: ?Sized; + + /// Used for checking assigns contracts where we pass immutable references to the function. + /// + /// We're using a reference to self here, because the user can use just a plain function + /// argument, for instance one of type `&mut _`, in the `modifies` clause which would move it. + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner; + + unsafe fn assignable(self) -> *mut Self::Inner; + } + + impl<'a, 'b, T: ?Sized> Pointer<'a> for &'b T { + type Inner = T; + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + core::mem::transmute(*self) + } + + unsafe fn assignable(self) -> *mut Self::Inner { + core::mem::transmute(self as *const T) + } + } + + impl<'a, 'b, T: ?Sized> Pointer<'a> for &'b mut T { + type Inner = T; + + #[allow(clippy::transmute_ptr_to_ref)] + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + core::mem::transmute::<_, &&'a T>(self) + } + + unsafe fn assignable(self) -> *mut Self::Inner { + self as *mut T + } + } + + impl<'a, T: ?Sized> Pointer<'a> for *const T { + type Inner = T; + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + &**self as &'a T + } + + unsafe fn assignable(self) -> *mut Self::Inner { + core::mem::transmute(self) + } + } + + impl<'a, T: ?Sized> Pointer<'a> for *mut T { + type Inner = T; + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + &**self as &'a T + } + + unsafe fn assignable(self) -> *mut Self::Inner { + self + } + } + + /// A way to break the ownerhip rules. Only used by contracts where we can + /// guarantee it is done safely. + #[inline(never)] + #[doc(hidden)] + #[rustc_diagnostic_item = "KaniUntrackedDeref"] + pub fn untracked_deref(_: &T) -> T { + todo!() + } + + /// CBMC contracts currently has a limitation where `free` has to be in scope. + /// However, if there is no dynamic allocation in the harness, slicing removes `free` from the + /// scope. + /// + /// Thus, this function will basically translate into: + /// ```c + /// // This is a no-op. + /// free(NULL); + /// ``` + #[inline(never)] + #[doc(hidden)] + #[rustc_diagnostic_item = "KaniInitContracts"] + pub fn init_contracts() {} + + /// This should only be used within contracts. The intent is to + /// perform type inference on a closure's argument + #[doc(hidden)] + pub fn apply_closure bool>(f: U, x: &T) -> bool { + f(x) + } + + /// Recieves a reference to a pointer-like object and assigns kani::any_modifies to that object. + /// Only for use within function contracts and will not be replaced if the recursive or function stub + /// replace contracts are not used. + #[rustc_diagnostic_item = "KaniWriteAny"] + #[inline(never)] + #[doc(hidden)] + pub unsafe fn write_any(_pointer: *mut T) { + // This function should not be reacheable. + // Users must include `#[kani::recursion]` in any function contracts for recursive functions; + // otherwise, this might not be properly instantiate. We mark this as unreachable to make + // sure Kani doesn't report any false positives. + unreachable!() + } + + /// Fill in a slice with kani::any. + /// Intended as a post compilation replacement for write_any + #[rustc_diagnostic_item = "KaniWriteAnySlice"] + #[inline(always)] + pub unsafe fn write_any_slice(slice: *mut [T]) { + (*slice).fill_with(T::any) + } + + /// Fill in a pointer with kani::any. + /// Intended as a post compilation replacement for write_any + #[rustc_diagnostic_item = "KaniWriteAnySlim"] + #[inline(always)] + pub unsafe fn write_any_slim(pointer: *mut T) { + ptr::write(pointer, T::any()) + } + + /// Fill in a str with kani::any. + /// Intended as a post compilation replacement for write_any. + /// Not yet implemented + #[rustc_diagnostic_item = "KaniWriteAnyStr"] + #[inline(always)] + pub unsafe fn write_any_str(_s: *mut str) { + //TODO: strings introduce new UB + //(*s).as_bytes_mut().fill_with(u8::any) + //TODO: String validation + unimplemented!("Kani does not support creating arbitrary `str`") + } + } + }; +} diff --git a/library/kani_core/src/mem.rs b/library/kani_core/src/mem.rs new file mode 100644 index 000000000000..0b029ad53089 --- /dev/null +++ b/library/kani_core/src/mem.rs @@ -0,0 +1,350 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains functions useful for checking unsafe memory access. +//! +//! Given the following validity rules provided in the Rust documentation: +//! (accessed Feb 6th, 2024) +//! +//! 1. A null pointer is never valid, not even for accesses of size zero. +//! 2. For a pointer to be valid, it is necessary, but not always sufficient, that the pointer +//! be dereferenceable: the memory range of the given size starting at the pointer must all be +//! within the bounds of a single allocated object. Note that in Rust, every (stack-allocated) +//! variable is considered a separate allocated object. +//! ~~Even for operations of size zero, the pointer must not be pointing to deallocated memory, +//! i.e., deallocation makes pointers invalid even for zero-sized operations.~~ +//! ZST access is not OK for any pointer. +//! See: +//! 3. However, casting any non-zero integer literal to a pointer is valid for zero-sized +//! accesses, even if some memory happens to exist at that address and gets deallocated. +//! This corresponds to writing your own allocator: allocating zero-sized objects is not very +//! hard. The canonical way to obtain a pointer that is valid for zero-sized accesses is +//! `NonNull::dangling`. +//! 4. All accesses performed by functions in this module are non-atomic in the sense of atomic +//! operations used to synchronize between threads. +//! This means it is undefined behavior to perform two concurrent accesses to the same location +//! from different threads unless both accesses only read from memory. +//! Notice that this explicitly includes `read_volatile` and `write_volatile`: +//! Volatile accesses cannot be used for inter-thread synchronization. +//! 5. The result of casting a reference to a pointer is valid for as long as the underlying +//! object is live and no reference (just raw pointers) is used to access the same memory. +//! That is, reference and pointer accesses cannot be interleaved. +//! +//! Kani is able to verify #1 and #2 today. +//! +//! For #3, we are overly cautious, and Kani will only consider zero-sized pointer access safe if +//! the address matches `NonNull::<()>::dangling()`. +//! The way Kani tracks provenance is not enough to check if the address was the result of a cast +//! from a non-zero integer literal. + +#[macro_export] +macro_rules! kani_mem { + ($core:tt) => { + use super::kani_intrinsic; + use private::Internal; + use $core::mem::{align_of, size_of}; + use $core::ptr::{DynMetadata, NonNull, Pointee}; + + /// Check if the pointer is valid for write access according to [crate::mem] conditions 1, 2 + /// and 3. + /// + /// Note this function also checks for pointer alignment. Use [self::can_write_unaligned] + /// if you don't want to fail for unaligned pointers. + /// + /// This function does not check if the value stored is valid for the given type. Use + /// [self::can_dereference] for that. + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + // TODO: Add this back! We might need to rename the attribute. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + pub fn can_write(ptr: *mut T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + // The interface takes a mutable pointer to improve readability of the signature. + // However, using constant pointer avoid unnecessary instrumentation, and it is as powerful. + // Hence, cast to `*const T`. + let ptr: *const T = ptr; + let (thin_ptr, metadata) = ptr.to_raw_parts(); + metadata.is_ptr_aligned(thin_ptr, Internal) && is_inbounds(&metadata, thin_ptr) + } + + /// Check if the pointer is valid for unaligned write access according to [crate::mem] conditions + /// 1, 2 and 3. + /// + /// Note this function succeeds for unaligned pointers. See [self::can_write] if you also + /// want to check pointer alignment. + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + // TODO: Add this back! We might need to rename the attribute. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + pub fn can_write_unaligned(ptr: *const T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (thin_ptr, metadata) = ptr.to_raw_parts(); + is_inbounds(&metadata, thin_ptr) + } + + /// Checks that pointer `ptr` point to a valid value of type `T`. + /// + /// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 + /// and 3, + /// and the value stored must respect the validity invariants for type `T`. + /// + /// TODO: Kani should automatically add those checks when a de-reference happens. + /// + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + #[allow(clippy::not_unsafe_ptr_arg_deref)] + pub fn can_dereference(ptr: *const T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (thin_ptr, metadata) = ptr.to_raw_parts(); + // Need to assert `is_initialized` because non-determinism is used under the hood, so it + // does not make sense to use it inside assumption context. + metadata.is_ptr_aligned(thin_ptr, Internal) + && is_inbounds(&metadata, thin_ptr) + && assert_is_initialized(ptr) + && unsafe { has_valid_value(ptr) } + } + + /// Checks that pointer `ptr` point to a valid value of type `T`. + /// + /// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 + /// and 3, + /// and the value stored must respect the validity invariants for type `T`. + /// + /// Note this function succeeds for unaligned pointers. See [self::can_dereference] if you also + /// want to check pointer alignment. + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + // TODO: Add this back! We might need to rename the attribute. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + #[allow(clippy::not_unsafe_ptr_arg_deref)] + pub fn can_read_unaligned(ptr: *const T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (thin_ptr, metadata) = ptr.to_raw_parts(); + // Need to assert `is_initialized` because non-determinism is used under the hood, so it + // does not make sense to use it inside assumption context. + is_inbounds(&metadata, thin_ptr) + && assert_is_initialized(ptr) + && unsafe { has_valid_value(ptr) } + } + + /// Checks that `data_ptr` points to an allocation that can hold data of size calculated from `T`. + /// + /// This will panic if `data_ptr` points to an invalid `non_null` + fn is_inbounds(metadata: &M, data_ptr: *const ()) -> bool + where + M: PtrProperties, + T: ?Sized, + { + let sz = metadata.pointee_size(Internal); + if sz == 0 { + true // ZST pointers are always valid including nullptr. + } else if data_ptr.is_null() { + false + } else { + // Note that this branch can't be tested in concrete execution as `is_read_ok` needs to be + // stubbed. + // We first assert that the data_ptr + assert!( + unsafe { is_allocated(data_ptr, 0) }, + "Kani does not support reasoning about pointer to unallocated memory", + ); + unsafe { is_allocated(data_ptr, sz) } + } + } + + mod private { + /// Define like this to restrict usage of PtrProperties functions outside Kani. + #[derive(Copy, Clone)] + pub struct Internal; + } + + /// Trait that allow us to extract information from pointers without de-referencing them. + #[doc(hidden)] + pub trait PtrProperties { + fn pointee_size(&self, _: Internal) -> usize; + + /// A pointer is aligned if its address is a multiple of its minimum alignment. + fn is_ptr_aligned(&self, ptr: *const (), internal: Internal) -> bool { + let min = self.min_alignment(internal); + ptr as usize % min == 0 + } + + fn min_alignment(&self, _: Internal) -> usize; + + fn dangling(&self, _: Internal) -> *const (); + } + + /// Get the information for sized types (they don't have metadata). + impl PtrProperties for () { + fn pointee_size(&self, _: Internal) -> usize { + size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as *const _ + } + } + + /// Get the information from the str metadata. + impl PtrProperties for usize { + #[inline(always)] + fn pointee_size(&self, _: Internal) -> usize { + *self + } + + /// String slices are a UTF-8 representation of characters that have the same layout as slices + /// of type [u8]. + /// + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } + } + + /// Get the information from the slice metadata. + impl PtrProperties<[T]> for usize { + fn pointee_size(&self, _: Internal) -> usize { + *self * size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } + } + + /// Get the information from the vtable. + impl PtrProperties for DynMetadata + where + T: ?Sized, + { + fn pointee_size(&self, _: Internal) -> usize { + self.size_of() + } + + fn min_alignment(&self, _: Internal) -> usize { + self.align_of() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::<&T>::dangling().as_ptr() as _ + } + } + + /// Check if the pointer `_ptr` contains an allocated address of size equal or greater than `_size`. + /// + /// # Safety + /// + /// This function should only be called to ensure a pointer is always valid, i.e., in an assertion + /// context. + /// + /// I.e.: This function always returns `true` if the pointer is valid. + /// Otherwise, it returns non-det boolean. + #[rustc_diagnostic_item = "KaniIsAllocated"] + #[inline(never)] + unsafe fn is_allocated(_ptr: *const (), _size: usize) -> bool { + kani_intrinsic() + } + + /// Check if the value stored in the given location satisfies type `T` validity requirements. + /// + /// # Safety + /// + /// - Users have to ensure that the pointer is aligned the pointed memory is allocated. + #[rustc_diagnostic_item = "KaniValidValue"] + #[inline(never)] + unsafe fn has_valid_value(_ptr: *const T) -> bool { + kani_intrinsic() + } + + /// Check whether `len * size_of::()` bytes are initialized starting from `ptr`. + #[rustc_diagnostic_item = "KaniIsInitialized"] + #[inline(never)] + pub(crate) fn is_initialized(_ptr: *const T) -> bool { + kani_intrinsic() + } + + /// A helper to assert `is_initialized` to use it as a part of other predicates. + fn assert_is_initialized(ptr: *const T) -> bool { + super::check( + is_initialized(ptr), + "Undefined Behavior: Reading from an uninitialized pointer", + ); + true + } + + /// Get the object ID of the given pointer. + // TODO: Add this back later, as there is no unstable attribute here. + // #[doc(hidden)] + // #[crate::unstable( + // feature = "ghost-state", + // issue = 3184, + // reason = "experimental ghost state/shadow memory API" + // )] + #[rustc_diagnostic_item = "KaniPointerObject"] + #[inline(never)] + pub(crate) fn pointer_object(_ptr: *const T) -> usize { + kani_intrinsic() + } + + /// Get the object offset of the given pointer. + // TODO: Add this back later, as there is no unstable attribute here. + // #[doc(hidden)] + // #[crate::unstable( + // feature = "ghost-state", + // issue = 3184, + // reason = "experimental ghost state/shadow memory API" + // )] + #[rustc_diagnostic_item = "KaniPointerOffset"] + #[inline(never)] + pub(crate) fn pointer_offset(_ptr: *const T) -> usize { + kani_intrinsic() + } + }; +} diff --git a/library/kani_macros/Cargo.toml b/library/kani_macros/Cargo.toml index 473d0fc7e5b6..5917c322729e 100644 --- a/library/kani_macros/Cargo.toml +++ b/library/kani_macros/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani_macros" -version = "0.45.0" +version = "0.53.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -15,4 +15,11 @@ proc-macro = true proc-macro2 = "1.0" proc-macro-error = "1.0.4" quote = "1.0.20" -syn = { version = "2.0.18", features = ["full", "visit-mut", "visit"] } +syn = { version = "2.0.18", features = ["full", "visit-mut", "visit", "extra-traits"] } + +[package.metadata.rust-analyzer] +# This package uses rustc crates. +rustc_private = true + +[features] +no_core = [] \ No newline at end of file diff --git a/library/kani_macros/build.rs b/library/kani_macros/build.rs new file mode 100644 index 000000000000..c094cc0254c6 --- /dev/null +++ b/library/kani_macros/build.rs @@ -0,0 +1,7 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +fn main() { + // Make sure `kani_sysroot` is a recognized config + println!("cargo::rustc-check-cfg=cfg(kani_sysroot)"); +} diff --git a/library/kani_macros/src/derive.rs b/library/kani_macros/src/derive.rs index 7e3dee390330..cc936560e510 100644 --- a/library/kani_macros/src/derive.rs +++ b/library/kani_macros/src/derive.rs @@ -19,20 +19,39 @@ use syn::{ }; pub fn expand_derive_arbitrary(item: proc_macro::TokenStream) -> proc_macro::TokenStream { + let trait_name = "Arbitrary"; let derive_item = parse_macro_input!(item as DeriveInput); let item_name = &derive_item.ident; + let body = fn_any_body(&item_name, &derive_item.data); + // Get the safety constraints (if any) to produce type-safe values + let safety_conds_opt = safety_conds_opt(&item_name, &derive_item, trait_name); + // Add a bound `T: Arbitrary` to every type parameter T. - let generics = add_trait_bound(derive_item.generics); + let generics = add_trait_bound_arbitrary(derive_item.generics); // Generate an expression to sum up the heap size of each field. let (impl_generics, ty_generics, where_clause) = generics.split_for_impl(); - let body = fn_any_body(&item_name, &derive_item.data); - let expanded = quote! { - // The generated implementation. - impl #impl_generics kani::Arbitrary for #item_name #ty_generics #where_clause { - fn any() -> Self { - #body + let expanded = if let Some(safety_conds) = safety_conds_opt { + let field_refs = field_refs(&item_name, &derive_item.data); + quote! { + // The generated implementation. + impl #impl_generics kani::Arbitrary for #item_name #ty_generics #where_clause { + fn any() -> Self { + let obj = #body; + #field_refs + kani::assume(#safety_conds); + obj + } + } + } + } else { + quote! { + // The generated implementation. + impl #impl_generics kani::Arbitrary for #item_name #ty_generics #where_clause { + fn any() -> Self { + #body + } } } }; @@ -40,7 +59,7 @@ pub fn expand_derive_arbitrary(item: proc_macro::TokenStream) -> proc_macro::Tok } /// Add a bound `T: Arbitrary` to every type parameter T. -fn add_trait_bound(mut generics: Generics) -> Generics { +fn add_trait_bound_arbitrary(mut generics: Generics) -> Generics { generics.params.iter_mut().for_each(|param| { if let GenericParam::Type(type_param) = param { type_param.bounds.push(parse_quote!(kani::Arbitrary)); @@ -75,6 +94,110 @@ fn fn_any_body(ident: &Ident, data: &Data) -> TokenStream { } } +/// Generates the sequence of expressions to initialize the variables used as +/// references to the struct fields. +/// +/// For example, if we're deriving implementations for the struct +/// ``` +/// #[derive(Arbitrary)] +/// #[derive(Invariant)] +/// struct PositivePoint { +/// #[safety_constraint(*x >= 0)] +/// x: i32, +/// #[safety_constraint(*y >= 0)] +/// y: i32, +/// } +/// ``` +/// this function will generate the `TokenStream` +/// ``` +/// let x = &obj.x; +/// let y = &obj.y; +/// ``` +/// which allows us to refer to the struct fields without using `self`. +/// Note that the actual stream is generated in the `field_refs_inner` function. +fn field_refs(ident: &Ident, data: &Data) -> TokenStream { + match data { + Data::Struct(struct_data) => field_refs_inner(ident, &struct_data.fields), + Data::Enum(_) => unreachable!(), + Data::Union(_) => unreachable!(), + } +} + +/// Generates the sequence of expressions to initialize the variables used as +/// references to the struct fields. See `field_refs` for more details. +fn field_refs_inner(_ident: &Ident, fields: &Fields) -> TokenStream { + match fields { + Fields::Named(ref fields) => { + let field_refs: Vec = fields + .named + .iter() + .map(|field| { + let name = &field.ident; + quote_spanned! {field.span()=> + let #name = &obj.#name; + } + }) + .collect(); + if !field_refs.is_empty() { + quote! { #( #field_refs )* } + } else { + quote! {} + } + } + Fields::Unnamed(_) => quote! {}, + Fields::Unit => quote! {}, + } +} + +fn safe_body_default(ident: &Ident, data: &Data) -> TokenStream { + match data { + Data::Struct(struct_data) => safe_body_default_inner(ident, &struct_data.fields), + Data::Enum(_) => unreachable!(), + Data::Union(_) => unreachable!(), + } +} + +fn safe_body_default_inner(_ident: &Ident, fields: &Fields) -> TokenStream { + match fields { + Fields::Named(ref fields) => { + let field_safe_calls: Vec = fields + .named + .iter() + .map(|field| { + let name = &field.ident; + quote_spanned! {field.span()=> + #name.is_safe() + } + }) + .collect(); + if !field_safe_calls.is_empty() { + quote! { #( #field_safe_calls )&&* } + } else { + quote! { true } + } + } + Fields::Unnamed(ref fields) => { + let field_safe_calls: Vec = fields + .unnamed + .iter() + .enumerate() + .map(|(idx, field)| { + let field_idx = Index::from(idx); + quote_spanned! {field.span()=> + #field_idx.is_safe() + } + }) + .collect(); + if !field_safe_calls.is_empty() { + quote! { #( #field_safe_calls )&&* } + } else { + quote! { true } + } + } + Fields::Unit => quote! { true }, + } +} + /// Generate an item initialization where an item can be a struct or a variant. /// For named fields, this will generate: `Item { field1: kani::any(), field2: kani::any(), .. }` /// For unnamed fields, this will generate: `Item (kani::any(), kani::any(), ..)` @@ -115,6 +238,74 @@ fn init_symbolic_item(ident: &Ident, fields: &Fields) -> TokenStream { } } +/// Extract, parse and return the expression `cond` (i.e., `Some(cond)`) in the +/// `#[safety_constraint()]` attribute helper associated with a given field. +/// Return `None` if the attribute isn't specified. +fn parse_safety_expr(ident: &Ident, field: &syn::Field) -> Option { + let name = &field.ident; + let mut safety_helper_attr = None; + + // Keep the helper attribute if we find it + for attr in &field.attrs { + if attr.path().is_ident("safety_constraint") { + safety_helper_attr = Some(attr); + } + } + + // Parse the arguments in the `#[safety_constraint(...)]` attribute + if let Some(attr) = safety_helper_attr { + let expr_args: Result = attr.parse_args(); + + // Check if there was an error parsing the arguments + if let Err(err) = expr_args { + abort!(Span::call_site(), "Cannot derive impl for `{}`", ident; + note = attr.span() => + "safety constraint in field `{}` could not be parsed: {}", name.as_ref().unwrap().to_string(), err + ) + } + + // Return the expression associated to the safety constraint + let safety_expr = expr_args.unwrap(); + Some(quote_spanned! {field.span()=> + #safety_expr + }) + } else { + None + } +} + +fn parse_safety_expr_input(ident: &Ident, derive_input: &DeriveInput) -> Option { + let name = ident; + let mut safety_attr = None; + + // Keep the attribute if we find it + for attr in &derive_input.attrs { + if attr.path().is_ident("safety_constraint") { + safety_attr = Some(attr); + } + } + + // Parse the arguments in the `#[safety_constraint(...)]` attribute + if let Some(attr) = safety_attr { + let expr_args: Result = attr.parse_args(); + + // Check if there was an error parsing the arguments + if let Err(err) = expr_args { + abort!(Span::call_site(), "Cannot derive impl for `{}`", ident; + note = attr.span() => + "safety constraint in `{}` could not be parsed: {}", name.to_string(), err + ) + } + + // Return the expression associated to the safety constraint + let safety_expr = expr_args.unwrap(); + Some(quote_spanned! {derive_input.span()=> + #safety_expr + }) + } else { + None + } +} /// Generate the body of the function `any()` for enums. The cases are: /// 1. For zero-variants enumerations, this will encode a `panic!()` statement. /// 2. For one or more variants, the code will be something like: @@ -165,3 +356,197 @@ fn fn_any_enum(ident: &Ident, data: &DataEnum) -> TokenStream { } } } + +fn safe_body_with_calls( + item_name: &Ident, + derive_input: &DeriveInput, + trait_name: &str, +) -> TokenStream { + let safety_conds_opt = safety_conds_opt(&item_name, &derive_input, trait_name); + let safe_body_default = safe_body_default(&item_name, &derive_input.data); + + if let Some(safety_conds) = safety_conds_opt { + quote! { #safe_body_default && #safety_conds } + } else { + safe_body_default + } +} + +pub fn expand_derive_invariant(item: proc_macro::TokenStream) -> proc_macro::TokenStream { + let trait_name = "Invariant"; + let derive_item = parse_macro_input!(item as DeriveInput); + let item_name = &derive_item.ident; + + let safe_body = safe_body_with_calls(&item_name, &derive_item, trait_name); + let field_refs = field_refs(&item_name, &derive_item.data); + + // Add a bound `T: Invariant` to every type parameter T. + let generics = add_trait_bound_invariant(derive_item.generics); + // Generate an expression to sum up the heap size of each field. + let (impl_generics, ty_generics, where_clause) = generics.split_for_impl(); + + let expanded = quote! { + // The generated implementation. + impl #impl_generics kani::Invariant for #item_name #ty_generics #where_clause { + fn is_safe(&self) -> bool { + let obj = self; + #field_refs + #safe_body + } + } + }; + proc_macro::TokenStream::from(expanded) +} + +/// Looks for `#[safety_constraint(...)]` attributes used in the struct or its +/// fields, and returns the constraints if there were any, otherwise returns +/// `None`. +/// Note: Errors out if the attribute is used in both the struct and its fields. +fn safety_conds_opt( + item_name: &Ident, + derive_input: &DeriveInput, + trait_name: &str, +) -> Option { + let has_item_safety_constraint = + has_item_safety_constraint(&item_name, &derive_input, trait_name); + + let has_field_safety_constraints = has_field_safety_constraints(&item_name, &derive_input.data); + + if has_item_safety_constraint && has_field_safety_constraints { + abort!(Span::call_site(), "Cannot derive `{}` for `{}`", trait_name, item_name; + note = item_name.span() => + "`#[safety_constraint(...)]` cannot be used in struct and its fields simultaneously" + ) + } + + if has_item_safety_constraint { + Some(safe_body_from_struct_attr(&item_name, &derive_input, trait_name)) + } else if has_field_safety_constraints { + Some(safe_body_from_fields_attr(&item_name, &derive_input.data, trait_name)) + } else { + None + } +} + +fn has_item_safety_constraint(ident: &Ident, derive_input: &DeriveInput, trait_name: &str) -> bool { + let safety_constraints_in_item = + derive_input.attrs.iter().filter(|attr| attr.path().is_ident("safety_constraint")).count(); + if safety_constraints_in_item > 1 { + abort!(Span::call_site(), "Cannot derive `{}` for `{}`", trait_name, ident; + note = ident.span() => + "`#[safety_constraint(...)]` cannot be used more than once." + ) + } + safety_constraints_in_item == 1 +} + +fn has_field_safety_constraints(ident: &Ident, data: &Data) -> bool { + match data { + Data::Struct(struct_data) => has_field_safety_constraints_inner(ident, &struct_data.fields), + Data::Enum(_) => false, + Data::Union(_) => false, + } +} + +/// Checks if the `#[safety_constraint(...)]` attribute is attached to any +/// field. +fn has_field_safety_constraints_inner(_ident: &Ident, fields: &Fields) -> bool { + match fields { + Fields::Named(ref fields) => fields + .named + .iter() + .any(|field| field.attrs.iter().any(|attr| attr.path().is_ident("safety_constraint"))), + Fields::Unnamed(_) => false, + Fields::Unit => false, + } +} + +/// Add a bound `T: Invariant` to every type parameter T. +pub fn add_trait_bound_invariant(mut generics: Generics) -> Generics { + generics.params.iter_mut().for_each(|param| { + if let GenericParam::Type(type_param) = param { + type_param.bounds.push(parse_quote!(kani::Invariant)); + } + }); + generics +} + +fn safe_body_from_struct_attr( + ident: &Ident, + derive_input: &DeriveInput, + trait_name: &str, +) -> TokenStream { + if !matches!(derive_input.data, Data::Struct(_)) { + abort!(Span::call_site(), "Cannot derive `{}` for `{}`", trait_name, ident; + note = ident.span() => + "`#[safety_constraint(...)]` can only be used in structs" + ) + }; + parse_safety_expr_input(ident, derive_input).unwrap() +} + +/// Parse the condition expressions in `#[safety_constraint()]` attached to struct +/// fields and, it at least one was found, generate a conjunction to be assumed. +/// +/// For example, if we're deriving implementations for the struct +/// ``` +/// #[derive(Arbitrary)] +/// #[derive(Invariant)] +/// struct PositivePoint { +/// #[safety_constraint(*x >= 0)] +/// x: i32, +/// #[safety_constraint(*y >= 0)] +/// y: i32, +/// } +/// ``` +/// this function will generate the `TokenStream` +/// ``` +/// *x >= 0 && *y >= 0 +/// ``` +/// which can be used by the `Arbitrary` and `Invariant` to generate and check +/// type-safe values for the struct, respectively. +fn safe_body_from_fields_attr(ident: &Ident, data: &Data, trait_name: &str) -> TokenStream { + match data { + Data::Struct(struct_data) => safe_body_from_fields_attr_inner(ident, &struct_data.fields), + Data::Enum(_) => { + abort!(Span::call_site(), "Cannot derive `{}` for `{}` enum", trait_name, ident; + note = ident.span() => + "`#[derive(Invariant)]` cannot be used for enums such as `{}`", ident + ) + } + Data::Union(_) => { + abort!(Span::call_site(), "Cannot derive `{}` for `{}` union", trait_name, ident; + note = ident.span() => + "`#[derive(Invariant)]` cannot be used for unions such as `{}`", ident + ) + } + } +} + +/// Generates an expression resulting from the conjunction of conditions +/// specified as safety constraints for each field. +/// See `safe_body_from_fields_attr` for more details. +fn safe_body_from_fields_attr_inner(ident: &Ident, fields: &Fields) -> TokenStream { + match fields { + // Expands to the expression + // ` && && ..` + // where `` is the safety condition specified for the N-th field. + Fields::Named(ref fields) => { + let safety_conds: Vec = + fields.named.iter().filter_map(|field| parse_safety_expr(ident, field)).collect(); + quote! { #(#safety_conds)&&* } + } + Fields::Unnamed(_) => { + quote! { + true + } + } + // Expands to the expression + // `true` + Fields::Unit => { + quote! { + true + } + } + } +} diff --git a/library/kani_macros/src/lib.rs b/library/kani_macros/src/lib.rs index 32bd44d2ea38..4e3a8d6f9f5b 100644 --- a/library/kani_macros/src/lib.rs +++ b/library/kani_macros/src/lib.rs @@ -52,6 +52,16 @@ pub fn should_panic(attr: TokenStream, item: TokenStream) -> TokenStream { attr_impl::should_panic(attr, item) } +/// Specifies that a function contains recursion for contract instrumentation.** +/// +/// This attribute is only used for function-contract instrumentation. Kani uses +/// this annotation to identify recursive functions and properly instantiate +/// `kani::any_modifies` to check such functions using induction. +#[proc_macro_attribute] +pub fn recursion(attr: TokenStream, item: TokenStream) -> TokenStream { + attr_impl::recursion(attr, item) +} + /// Set Loop unwind limit for proof harnesses /// The attribute `#[kani::unwind(arg)]` can only be called alongside `#[kani::proof]`. /// arg - Takes in a integer value (u32) that represents the unwind value for the harness. @@ -86,17 +96,128 @@ pub fn solver(attr: TokenStream, item: TokenStream) -> TokenStream { /// See https://model-checking.github.io/kani/rfc/rfcs/0006-unstable-api.html for more details. #[doc(hidden)] #[proc_macro_attribute] -pub fn unstable(attr: TokenStream, item: TokenStream) -> TokenStream { +pub fn unstable_feature(attr: TokenStream, item: TokenStream) -> TokenStream { attr_impl::unstable(attr, item) } -/// Allow users to auto generate Arbitrary implementations by using `#[derive(Arbitrary)]` macro. +/// Allow users to auto generate `Arbitrary` implementations by using +/// `#[derive(Arbitrary)]` macro. +/// +/// When using `#[derive(Arbitrary)]` on a struct, the `#[safety_constraint()]` +/// attribute can be added to its fields to indicate a type safety invariant +/// condition ``. Since `kani::any()` is always expected to produce +/// type-safe values, **adding `#[safety_constraint(...)]` to any fields will further +/// constrain the objects generated with `kani::any()`**. +/// +/// For example, the `check_positive` harness in this code is expected to +/// pass: +/// +/// ```rs +/// #[derive(kani::Arbitrary)] +/// struct AlwaysPositive { +/// #[safety_constraint(*inner >= 0)] +/// inner: i32, +/// } +/// +/// #[kani::proof] +/// fn check_positive() { +/// let val: AlwaysPositive = kani::any(); +/// assert!(val.inner >= 0); +/// } +/// ``` +/// +/// Therefore, using the `#[safety_constraint(...)]` attribute can lead to vacuous +/// results when the values are over-constrained. For example, in this code +/// the `check_positive` harness will pass too: +/// +/// ```rs +/// #[derive(kani::Arbitrary)] +/// struct AlwaysPositive { +/// #[safety_constraint(*inner >= 0 && *inner < i32::MIN)] +/// inner: i32, +/// } +/// +/// #[kani::proof] +/// fn check_positive() { +/// let val: AlwaysPositive = kani::any(); +/// assert!(val.inner >= 0); +/// } +/// ``` +/// +/// Unfortunately, we made a mistake when specifying the condition because +/// `*inner >= 0 && *inner < i32::MIN` is equivalent to `false`. This results +/// in the relevant assertion being unreachable: +/// +/// ``` +/// Check 1: check_positive.assertion.1 +/// - Status: UNREACHABLE +/// - Description: "assertion failed: val.inner >= 0" +/// - Location: src/main.rs:22:5 in function check_positive +/// ``` +/// +/// As usual, we recommend users to defend against these behaviors by using +/// `kani::cover!(...)` checks and watching out for unreachable assertions in +/// their project's code. #[proc_macro_error] -#[proc_macro_derive(Arbitrary)] +#[proc_macro_derive(Arbitrary, attributes(safety_constraint))] pub fn derive_arbitrary(item: TokenStream) -> TokenStream { derive::expand_derive_arbitrary(item) } +/// Allow users to auto generate `Invariant` implementations by using +/// `#[derive(Invariant)]` macro. +/// +/// When using `#[derive(Invariant)]` on a struct, the `#[safety_constraint()]` +/// attribute can be added to its fields to indicate a type safety invariant +/// condition ``. This will ensure that the gets additionally checked when +/// using the `is_safe()` method generated by the `#[derive(Invariant)]` macro. +/// +/// For example, the `check_positive` harness in this code is expected to +/// fail: +/// +/// ```rs +/// #[derive(kani::Invariant)] +/// struct AlwaysPositive { +/// #[safety_constraint(*inner >= 0)] +/// inner: i32, +/// } +/// +/// #[kani::proof] +/// fn check_positive() { +/// let val = AlwaysPositive { inner: -1 }; +/// assert!(val.is_safe()); +/// } +/// ``` +/// +/// This is not too surprising since the type safety invariant that we indicated +/// is not being taken into account when we create the `AlwaysPositive` object. +/// +/// As mentioned, the `is_safe()` methods generated by the +/// `#[derive(Invariant)]` macro check the corresponding `is_safe()` method for +/// each field in addition to any type safety invariants specified through the +/// `#[safety_constraint(...)]` attribute. +/// +/// For example, for the `AlwaysPositive` struct from above, we will generate +/// the following implementation: +/// +/// ```rs +/// impl kani::Invariant for AlwaysPositive { +/// fn is_safe(&self) -> bool { +/// let obj = self; +/// let inner = &obj.inner; +/// true && *inner >= 0 && inner.is_safe() +/// } +/// } +/// ``` +/// +/// Note: the assignments to `obj` and `inner` are made so that we can treat the +/// fields as if they were references. +#[proc_macro_error] +#[proc_macro_derive(Invariant, attributes(safety_constraint))] +pub fn derive_invariant(item: TokenStream) -> TokenStream { + derive::expand_derive_invariant(item) +} + /// Add a precondition to this function. /// /// This is part of the function contract API, for more general information see @@ -121,11 +242,11 @@ pub fn requires(attr: TokenStream, item: TokenStream) -> TokenStream { /// This is part of the function contract API, for more general information see /// the [module-level documentation](../kani/contracts/index.html). /// -/// The contents of the attribute is a condition over the input values to the -/// annotated function *and* its return value, accessible as a variable called -/// `result`. All Rust syntax is supported, even calling other functions, but -/// the computations must be side effect free, e.g. it cannot perform I/O or use -/// mutable memory. +/// The contents of the attribute is a closure that captures the input values to +/// the annotated function and the input to the function is the return value of +/// the function passed by reference. All Rust syntax is supported, even calling +/// other functions, but the computations must be side effect free, e.g. it +/// cannot perform I/O or use mutable memory. /// /// Kani requires each function that uses a contract (this attribute or /// [`requires`][macro@requires]) to have at least one designated @@ -331,6 +452,7 @@ mod sysroot { } kani_attribute!(should_panic, no_args); + kani_attribute!(recursion, no_args); kani_attribute!(solver); kani_attribute!(stub); kani_attribute!(unstable); @@ -363,6 +485,7 @@ mod regular { } no_op!(should_panic); + no_op!(recursion); no_op!(solver); no_op!(stub); no_op!(unstable); diff --git a/library/kani_macros/src/sysroot/contracts/bootstrap.rs b/library/kani_macros/src/sysroot/contracts/bootstrap.rs index f02eaa627477..dee0bca42c54 100644 --- a/library/kani_macros/src/sysroot/contracts/bootstrap.rs +++ b/library/kani_macros/src/sysroot/contracts/bootstrap.rs @@ -4,14 +4,13 @@ //! Special way we handle the first time we encounter a contract attribute on a //! function. -use proc_macro2::Span; +use proc_macro2::{Ident, Span}; use quote::quote; use syn::ItemFn; use super::{ - helpers::*, - shared::{attach_require_kani_any, identifier_for_generated_function}, - ContractConditionsData, ContractConditionsHandler, + helpers::*, shared::identifier_for_generated_function, ContractConditionsHandler, + INTERNAL_RESULT_IDENT, }; impl<'a> ContractConditionsHandler<'a> { @@ -74,8 +73,9 @@ impl<'a> ContractConditionsHandler<'a> { )); let mut wrapper_sig = sig.clone(); - attach_require_kani_any(&mut wrapper_sig); wrapper_sig.ident = recursion_wrapper_name; + // We use non-constant functions, thus, the wrapper cannot be constant. + wrapper_sig.constness = None; let args = pats_to_idents(&mut wrapper_sig.inputs).collect::>(); let also_args = args.iter(); @@ -85,8 +85,9 @@ impl<'a> ContractConditionsHandler<'a> { (quote!(#check_fn_name), quote!(#replace_fn_name)) }; + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); self.output.extend(quote!( - #[allow(dead_code, unused_variables)] + #[allow(dead_code, unused_variables, unused_mut)] #[kanitool::is_contract_generated(recursion_wrapper)] #wrapper_sig { static mut REENTRY: bool = false; @@ -94,9 +95,9 @@ impl<'a> ContractConditionsHandler<'a> { #call_replace(#(#args),*) } else { unsafe { REENTRY = true }; - let result = #call_check(#(#also_args),*); + let #result = #call_check(#(#also_args),*); unsafe { REENTRY = false }; - result + #result } } )); diff --git a/library/kani_macros/src/sysroot/contracts/check.rs b/library/kani_macros/src/sysroot/contracts/check.rs index f18b56f934ea..f804fc70c5f5 100644 --- a/library/kani_macros/src/sysroot/contracts/check.rs +++ b/library/kani_macros/src/sysroot/contracts/check.rs @@ -9,10 +9,12 @@ use syn::{Expr, FnArg, ItemFn, Token}; use super::{ helpers::*, - shared::{make_unsafe_argument_copies, try_as_result_assign_mut}, - ContractConditionsData, ContractConditionsHandler, + shared::{build_ensures, try_as_result_assign_mut}, + ContractConditionsData, ContractConditionsHandler, INTERNAL_RESULT_IDENT, }; +const WRAPPER_ARG_PREFIX: &str = "_wrapper_arg_"; + impl<'a> ContractConditionsHandler<'a> { /// Create the body of a check function. /// @@ -31,27 +33,27 @@ impl<'a> ContractConditionsHandler<'a> { #(#inner)* ) } - ContractConditionsData::Ensures { argument_names, attr } => { - let (arg_copies, copy_clean) = make_unsafe_argument_copies(&argument_names); + ContractConditionsData::Ensures { attr } => { + let (remembers, ensures_clause) = build_ensures(attr); // The code that enforces the postconditions and cleans up the shallow // argument copies (with `mem::forget`). let exec_postconditions = quote!( - kani::assert(#attr, stringify!(#attr_copy)); - #copy_clean + kani::assert(#ensures_clause, stringify!(#attr_copy)); ); assert!(matches!( inner.pop(), Some(syn::Stmt::Expr(syn::Expr::Path(pexpr), None)) - if pexpr.path.get_ident().map_or(false, |id| id == "result") + if pexpr.path.get_ident().map_or(false, |id| id == INTERNAL_RESULT_IDENT) )); + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); quote!( - #arg_copies + #remembers #(#inner)* #exec_postconditions - result + #result ) } ContractConditionsData::Modifies { attr } => { @@ -60,7 +62,11 @@ impl<'a> ContractConditionsHandler<'a> { let wrapper_args = if let Some(wrapper_call_args) = inner.iter_mut().find_map(|stmt| try_as_wrapper_call_args(stmt, &wrapper_name)) { - let wrapper_args = make_wrapper_args(wrapper_call_args.len(), attr.len()); + let wrapper_args = make_wrapper_idents( + wrapper_call_args.len(), + attr.len(), + WRAPPER_ARG_PREFIX, + ); wrapper_call_args .extend(wrapper_args.clone().map(|a| Expr::Verbatim(quote!(#a)))); wrapper_args @@ -89,9 +95,10 @@ impl<'a> ContractConditionsHandler<'a> { } else { quote!(#wrapper_name) }; + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); syn::parse_quote!( - let result : #return_type = #wrapper_call(#(#args),*); - result + let #result : #return_type = #wrapper_call(#(#args),*); + #result ) } else { self.annotated_fn.block.stmts.clone() @@ -112,6 +119,8 @@ impl<'a> ContractConditionsHandler<'a> { } let body = self.make_check_body(); let mut sig = self.annotated_fn.sig.clone(); + // We use non-constant functions, thus, the wrapper cannot be constant. + sig.constness = None; if let Some(ident) = override_function_dent { sig.ident = ident; } @@ -124,20 +133,51 @@ impl<'a> ContractConditionsHandler<'a> { /// Emit a modifies wrapper, possibly augmenting a prior, existing one. /// - /// We only augment if this clause is a `modifies` clause. In that case we - /// expand its signature with one new argument of type `&impl Arbitrary` for - /// each expression in the clause. + /// We only augment if this clause is a `modifies` clause. Before, + /// we annotated the wrapper arguments with `impl kani::Arbitrary`, + /// so Rust would infer the proper types for each argument. + /// We want to remove the restriction that these arguments must + /// implement `kani::Arbitrary` for checking. Now, we annotate each + /// argument with a generic type parameter, so the compiler can + /// continue inferring the correct types. pub fn emit_augmented_modifies_wrapper(&mut self) { if let ContractConditionsData::Modifies { attr } = &self.condition_type { - let wrapper_args = make_wrapper_args(self.annotated_fn.sig.inputs.len(), attr.len()); + let wrapper_args = make_wrapper_idents( + self.annotated_fn.sig.inputs.len(), + attr.len(), + WRAPPER_ARG_PREFIX, + ); + // Generate a unique type parameter identifier + let type_params = make_wrapper_idents( + self.annotated_fn.sig.inputs.len(), + attr.len(), + "WrapperArgType", + ); let sig = &mut self.annotated_fn.sig; - for arg in wrapper_args.clone() { + for (arg, arg_type) in wrapper_args.clone().zip(type_params) { + // Add the type parameter to the function signature's generic parameters list + let mut bounds: syn::punctuated::Punctuated = + syn::punctuated::Punctuated::new(); + bounds.push(syn::TypeParamBound::Trait(syn::TraitBound { + paren_token: None, + modifier: syn::TraitBoundModifier::Maybe(Token![?](Span::call_site())), + lifetimes: None, + path: syn::Ident::new("Sized", Span::call_site()).into(), + })); + sig.generics.params.push(syn::GenericParam::Type(syn::TypeParam { + attrs: vec![], + ident: arg_type.clone(), + colon_token: Some(Token![:](Span::call_site())), + bounds: bounds, + eq_token: None, + default: None, + })); let lifetime = syn::Lifetime { apostrophe: Span::call_site(), ident: arg.clone() }; sig.inputs.push(FnArg::Typed(syn::PatType { attrs: vec![], colon_token: Token![:](Span::call_site()), pat: Box::new(syn::Pat::Verbatim(quote!(#arg))), - ty: Box::new(syn::Type::Verbatim(quote!(&#lifetime impl kani::Arbitrary))), + ty: Box::new(syn::parse_quote! { &#arg_type }), })); sig.generics.params.push(syn::GenericParam::Lifetime(syn::LifetimeParam { lifetime, @@ -146,6 +186,7 @@ impl<'a> ContractConditionsHandler<'a> { attrs: vec![], })); } + self.output.extend(quote!(#[kanitool::modifies(#(#wrapper_args),*)])) } self.emit_common_header(); @@ -191,10 +232,14 @@ fn try_as_wrapper_call_args<'a>( } } -/// Make `num` [`Ident`]s with the names `_wrapper_arg_{i}` with `i` starting at `low` and +/// Make `num` [`Ident`]s with the names `prefix{i}` with `i` starting at `low` and /// increasing by one each time. -fn make_wrapper_args(low: usize, num: usize) -> impl Iterator + Clone { - (low..).map(|i| Ident::new(&format!("_wrapper_arg_{i}"), Span::mixed_site())).take(num) +fn make_wrapper_idents( + low: usize, + num: usize, + prefix: &'static str, +) -> impl Iterator + Clone + 'static { + (low..).map(move |i| Ident::new(&format!("{prefix}{i}"), Span::mixed_site())).take(num) } #[cfg(test)] diff --git a/library/kani_macros/src/sysroot/contracts/helpers.rs b/library/kani_macros/src/sysroot/contracts/helpers.rs index baa25b8104e8..174f0f9483d7 100644 --- a/library/kani_macros/src/sysroot/contracts/helpers.rs +++ b/library/kani_macros/src/sysroot/contracts/helpers.rs @@ -268,3 +268,21 @@ pub fn short_hash_of_token_stream(stream: &proc_macro::TokenStream) -> u64 { let long_hash = hasher.finish(); long_hash % SIX_HEX_DIGITS_MASK } + +macro_rules! assert_spanned_err { + ($condition:expr, $span_source:expr, $msg:expr, $($args:expr),+) => { + if !$condition { + $span_source.span().unwrap().error(format!($msg, $($args),*)).emit(); + assert!(false); + } + }; + ($condition:expr, $span_source:expr, $msg:expr $(,)?) => { + if !$condition { + $span_source.span().unwrap().error($msg).emit(); + assert!(false); + } + }; + ($condition:expr, $span_source:expr) => { + assert_spanned_err!($condition, $span_source, concat!("Failed assertion ", stringify!($condition))) + }; +} diff --git a/library/kani_macros/src/sysroot/contracts/initialize.rs b/library/kani_macros/src/sysroot/contracts/initialize.rs index 6452ab9ace62..73621b2aeec5 100644 --- a/library/kani_macros/src/sysroot/contracts/initialize.rs +++ b/library/kani_macros/src/sysroot/contracts/initialize.rs @@ -3,11 +3,9 @@ //! Initialization routine for the contract handler -use std::collections::{HashMap, HashSet}; - use proc_macro::{Diagnostic, TokenStream}; -use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; -use syn::{spanned::Spanned, visit::Visit, visit_mut::VisitMut, Expr, ItemFn, Signature}; +use proc_macro2::{Ident, TokenStream as TokenStream2}; +use syn::{spanned::Spanned, ItemFn}; use super::{ helpers::{chunks_by, is_token_stream_2_comma, matches_path}, @@ -81,7 +79,7 @@ impl<'a> ContractConditionsHandler<'a> { ContractConditionsData::Requires { attr: syn::parse(attr)? } } ContractConditionsType::Ensures => { - ContractConditionsData::new_ensures(&annotated_fn.sig, syn::parse(attr)?) + ContractConditionsData::Ensures { attr: syn::parse(attr)? } } ContractConditionsType::Modifies => { ContractConditionsData::new_modifies(attr, &mut output) @@ -92,16 +90,6 @@ impl<'a> ContractConditionsHandler<'a> { } } impl ContractConditionsData { - /// Constructs a [`Self::Ensures`] from the signature of the decorated - /// function and the contents of the decorating attribute. - /// - /// Renames the [`Ident`]s used in `attr` and stores the translation map in - /// `argument_names`. - fn new_ensures(sig: &Signature, mut attr: Expr) -> Self { - let argument_names = rename_argument_occurrences(sig, &mut attr); - ContractConditionsData::Ensures { argument_names, attr } - } - /// Constructs a [`Self::Modifies`] from the contents of the decorating attribute. /// /// Responsible for parsing the attribute. @@ -120,73 +108,3 @@ impl ContractConditionsData { ContractConditionsData::Modifies { attr } } } - -/// A supporting function for creating shallow, unsafe copies of the arguments -/// for the postconditions. -/// -/// This function: -/// - Collects all [`Ident`]s found in the argument patterns; -/// - Creates new names for them; -/// - Replaces all occurrences of those idents in `attrs` with the new names and; -/// - Returns the mapping of old names to new names. -fn rename_argument_occurrences(sig: &syn::Signature, attr: &mut Expr) -> HashMap { - let mut arg_ident_collector = ArgumentIdentCollector::new(); - arg_ident_collector.visit_signature(&sig); - - let mk_new_ident_for = |id: &Ident| Ident::new(&format!("{}_renamed", id), Span::mixed_site()); - let arg_idents = arg_ident_collector - .0 - .into_iter() - .map(|i| { - let new = mk_new_ident_for(&i); - (i, new) - }) - .collect::>(); - - let mut ident_rewriter = Renamer(&arg_idents); - ident_rewriter.visit_expr_mut(attr); - arg_idents -} - -/// Collect all named identifiers used in the argument patterns of a function. -struct ArgumentIdentCollector(HashSet); - -impl ArgumentIdentCollector { - fn new() -> Self { - Self(HashSet::new()) - } -} - -impl<'ast> Visit<'ast> for ArgumentIdentCollector { - fn visit_pat_ident(&mut self, i: &'ast syn::PatIdent) { - self.0.insert(i.ident.clone()); - syn::visit::visit_pat_ident(self, i) - } - fn visit_receiver(&mut self, _: &'ast syn::Receiver) { - self.0.insert(Ident::new("self", proc_macro2::Span::call_site())); - } -} - -/// Applies the contained renaming (key renamed to value) to every ident pattern -/// and ident expr visited. -struct Renamer<'a>(&'a HashMap); - -impl<'a> VisitMut for Renamer<'a> { - fn visit_expr_path_mut(&mut self, i: &mut syn::ExprPath) { - if i.path.segments.len() == 1 { - i.path - .segments - .first_mut() - .and_then(|p| self.0.get(&p.ident).map(|new| p.ident = new.clone())); - } - } - - /// This restores shadowing. Without this we would rename all ident - /// occurrences, but not rebinding location. This is because our - /// [`Self::visit_expr_path_mut`] is scope-unaware. - fn visit_pat_ident_mut(&mut self, i: &mut syn::PatIdent) { - if let Some(new) = self.0.get(&i.ident) { - i.ident = new.clone(); - } - } -} diff --git a/library/kani_macros/src/sysroot/contracts/mod.rs b/library/kani_macros/src/sysroot/contracts/mod.rs index 02d2b98eb8db..12a1215de2c7 100644 --- a/library/kani_macros/src/sysroot/contracts/mod.rs +++ b/library/kani_macros/src/sysroot/contracts/mod.rs @@ -36,12 +36,12 @@ //! expanded. When we expand the first (outermost) `requires` or `ensures` //! attribute on such a function we re-emit the function unchanged but we also //! generate fresh "check" and "replace" functions that enforce the condition -//! carried by the attribute currently being expanded. We copy all additional -//! attributes from the original function to both the "check" and the "replace". -//! This allows us to deal both with renaming and also support non-contract -//! attributes. +//! carried by the attribute currently being expanded. //! -//! In addition to copying attributes we also add new marker attributes to +//! We don't copy all attributes from the original function since they may have +//! unintended consequences for the stubs, such as `inline` or `rustc_diagnostic_item`. +//! +//! We also add new marker attributes to //! advance the state machine. The "check" function gets a //! `kanitool::is_contract_generated(check)` attributes and analogous for //! replace. The re-emitted original meanwhile is decorated with @@ -159,9 +159,9 @@ //! call_replace(fn args...) //! } else { //! unsafe { reentry = true }; -//! let result = call_check(fn args...); +//! let result_kani_internal = call_check(fn args...); //! unsafe { reentry = false }; -//! result +//! result_kani_internal //! } //! } //! ``` @@ -173,7 +173,7 @@ //! //! ``` //! #[kani::requires(divisor != 0)] -//! #[kani::ensures(result <= dividend)] +//! #[kani::ensures(|result : &u32| *result <= dividend)] //! fn div(dividend: u32, divisor: u32) -> u32 { //! dividend / divisor //! } @@ -186,31 +186,35 @@ //! #[kanitool::replaced_with = "div_replace_965916"] //! fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } //! -//! #[allow(dead_code)] -//! #[allow(unused_variables)] -//! #[kanitool::is_contract_generated(check)] -//! fn div_check_965916(dividend: u32, divisor: u32) -> u32 { -//! let dividend_renamed = kani::internal::untracked_deref(÷nd); -//! let divisor_renamed = kani::internal::untracked_deref(&divisor); -//! let result = { kani::assume(divisor != 0); { dividend / divisor } }; -//! kani::assert(result <= dividend_renamed, "result <= dividend"); +//! #[allow(dead_code, unused_variables)] +//! #[kanitool :: is_contract_generated(check)] fn +//! div_check_b97df2(dividend : u32, divisor : u32) -> u32 +//! { +//! let dividend_renamed = kani::internal::untracked_deref(& dividend); +//! let divisor_renamed = kani::internal::untracked_deref(& divisor); +//! kani::assume(divisor != 0); +//! let result_kani_internal : u32 = div_wrapper_b97df2(dividend, divisor); +//! kani::assert( +//! (| result : & u32 | *result <= dividend_renamed)(& result_kani_internal), +//! stringify!(|result : &u32| *result <= dividend)); //! std::mem::forget(dividend_renamed); //! std::mem::forget(divisor_renamed); -//! result +//! result_kani_internal //! } //! -//! #[allow(dead_code)] -//! #[allow(unused_variables)] -//! #[kanitool::is_contract_generated(replace)] -//! fn div_replace_965916(dividend: u32, divisor: u32) -> u32 { -//! kani::assert(divisor != 0, "divisor != 0"); -//! let dividend_renamed = kani::internal::untracked_deref(÷nd); -//! let divisor_renamed = kani::internal::untracked_deref(&divisor); -//! let result = kani::any(); -//! kani::assume(result <= dividend_renamed, "result <= dividend"); -//! std::mem::forget(dividend_renamed); +//! #[allow(dead_code, unused_variables)] +//! #[kanitool :: is_contract_generated(replace)] fn +//! div_replace_b97df2(dividend : u32, divisor : u32) -> u32 +//! { +//! let divisor_renamed = kani::internal::untracked_deref(& divisor); +//! let dividend_renamed = kani::internal::untracked_deref(& dividend); +//! kani::assert(divisor != 0, stringify! (divisor != 0)); +//! let result_kani_internal : u32 = kani::any_modifies(); +//! kani::assume( +//! (|result : & u32| *result <= dividend_renamed)(&result_kani_internal)); //! std::mem::forget(divisor_renamed); -//! result +//! std::mem::forget(dividend_renamed); +//! result_kani_internal //! } //! //! #[allow(dead_code)] @@ -220,29 +224,130 @@ //! static mut REENTRY: bool = false; //! //! if unsafe { REENTRY } { -//! div_replace_965916(dividend, divisor) +//! div_replace_b97df2(dividend, divisor) //! } else { //! unsafe { reentry = true }; -//! let result = div_check_965916(dividend, divisor); +//! let result_kani_internal = div_check_b97df2(dividend, divisor); //! unsafe { reentry = false }; -//! result +//! result_kani_internal //! } //! } //! ``` +//! +//! Additionally, there is functionality that allows the referencing of +//! history values within the ensures statement. This means we can +//! precompute a value before the function is called and have access to +//! this value in the later ensures statement. This is done via the +//! `old` monad which lets you access the old state within the present +//! state. Each occurrence of `old` is lifted, so is is necessary that +//! each lifted occurrence is closed with respect to the function arguments. +//! The results of these old computations are placed into +//! `remember_kani_internal_XXX` variables which are hashed. Consider the following example: +//! +//! ``` +//! #[kani::ensures(|result| old(*ptr + 1) == *ptr)] +//! #[kani::ensures(|result| old(*ptr + 1) == *ptr)] +//! #[kani::requires(*ptr < 100)] +//! #[kani::modifies(ptr)] +//! fn modify(ptr: &mut u32) { +//! *ptr += 1; +//! } +//! +//! #[kani::proof_for_contract(modify)] +//! fn main() { +//! let mut i = kani::any(); +//! modify(&mut i); +//! } +//! +//! ``` +//! +//! This expands to +//! +//! ``` +//! #[kanitool::checked_with = "modify_recursion_wrapper_633496"] +//! #[kanitool::replaced_with = "modify_replace_633496"] +//! #[kanitool::inner_check = "modify_wrapper_633496"] +//! fn modify(ptr: &mut u32) { { *ptr += 1; } } +//! #[allow(dead_code, unused_variables, unused_mut)] +//! #[kanitool::is_contract_generated(recursion_wrapper)] +//! fn modify_recursion_wrapper_633496(arg0: &mut u32) { +//! static mut REENTRY: bool = false; +//! if unsafe { REENTRY } { +//! modify_replace_633496(arg0) +//! } else { +//! unsafe { REENTRY = true }; +//! let result_kani_internal = modify_check_633496(arg0); +//! unsafe { REENTRY = false }; +//! result_kani_internal +//! } +//! } +//! #[allow(dead_code, unused_variables, unused_mut)] +//! #[kanitool::is_contract_generated(check)] +//! fn modify_check_633496(ptr: &mut u32) { +//! let _wrapper_arg_1 = +//! unsafe { kani::internal::Pointer::decouple_lifetime(&ptr) }; +//! kani::assume(*ptr < 100); +//! let remember_kani_internal_92cc419d8aca576c = *ptr + 1; +//! let remember_kani_internal_92cc419d8aca576c = *ptr + 1; +//! let result_kani_internal: () = modify_wrapper_633496(ptr, _wrapper_arg_1); +//! kani::assert((|result| +//! (remember_kani_internal_92cc419d8aca576c) == +//! *ptr)(&result_kani_internal), +//! "|result| old(*ptr + 1) == *ptr"); +//! kani::assert((|result| +//! (remember_kani_internal_92cc419d8aca576c) == +//! *ptr)(&result_kani_internal), +//! "|result| old(*ptr + 1) == *ptr"); +//! result_kani_internal +//! } +//! #[allow(dead_code, unused_variables, unused_mut)] +//! #[kanitool::is_contract_generated(replace)] +//! fn modify_replace_633496(ptr: &mut u32) { +//! kani::assert(*ptr < 100, "*ptr < 100"); +//! let remember_kani_internal_92cc419d8aca576c = *ptr + 1; +//! let remember_kani_internal_92cc419d8aca576c = *ptr + 1; +//! let result_kani_internal: () = kani::any_modifies(); +//! *unsafe { +//! kani::internal::Pointer::assignable(kani::internal::untracked_deref(&(ptr))) +//! } = kani::any_modifies(); +//! kani::assume((|result| +//! (remember_kani_internal_92cc419d8aca576c) == +//! *ptr)(&result_kani_internal)); +//! kani::assume((|result| +//! (remember_kani_internal_92cc419d8aca576c) == +//! *ptr)(&result_kani_internal)); +//! result_kani_internal +//! } +//! #[kanitool::modifies(_wrapper_arg_1)] +//! #[allow(dead_code, unused_variables, unused_mut)] +//! #[kanitool::is_contract_generated(wrapper)] +//! fn modify_wrapper_633496<'_wrapper_arg_1, +//! WrapperArgType1>(ptr: &mut u32, _wrapper_arg_1: &WrapperArgType1) { +//! *ptr += 1; +//! } +//! #[allow(dead_code)] +//! #[kanitool::proof_for_contract = "modify"] +//! fn main() { +//! kani::internal::init_contracts(); +//! { let mut i = kani::any(); modify(&mut i); } +//! } +//! ``` use proc_macro::TokenStream; use proc_macro2::{Ident, TokenStream as TokenStream2}; use quote::{quote, ToTokens}; -use std::collections::HashMap; -use syn::{parse_macro_input, Expr, ItemFn}; +use syn::{parse_macro_input, parse_quote, Expr, ExprClosure, ItemFn}; mod bootstrap; mod check; +#[macro_use] mod helpers; mod initialize; mod replace; mod shared; +const INTERNAL_RESULT_IDENT: &str = "result_kani_internal"; + pub fn requires(attr: TokenStream, item: TokenStream) -> TokenStream { contract_main(attr, item, ContractConditionsType::Requires) } @@ -282,15 +387,12 @@ passthrough!(stub_verified, false); pub fn proof_for_contract(attr: TokenStream, item: TokenStream) -> TokenStream { let args = proc_macro2::TokenStream::from(attr); - let ItemFn { attrs, vis, sig, block } = parse_macro_input!(item as ItemFn); + let mut fn_item = parse_macro_input!(item as ItemFn); + fn_item.block.stmts.insert(0, parse_quote!(kani::internal::init_contracts();)); quote!( #[allow(dead_code)] #[kanitool::proof_for_contract = stringify!(#args)] - #(#attrs)* - #vis #sig { - let _ = std::boxed::Box::new(0_usize); - #block - } + #fn_item ) .into() } @@ -346,11 +448,8 @@ enum ContractConditionsData { attr: Expr, }, Ensures { - /// Translation map from original argument names to names of the copies - /// we will be emitting. - argument_names: HashMap, /// The contents of the attribute. - attr: Expr, + attr: ExprClosure, }, Modifies { attr: Vec, diff --git a/library/kani_macros/src/sysroot/contracts/replace.rs b/library/kani_macros/src/sysroot/contracts/replace.rs index 0b3e1bae5b26..280839dcafca 100644 --- a/library/kani_macros/src/sysroot/contracts/replace.rs +++ b/library/kani_macros/src/sysroot/contracts/replace.rs @@ -3,13 +3,13 @@ //! Logic used for generating the code that replaces a function with its contract. -use proc_macro2::{Ident, TokenStream as TokenStream2}; +use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; use quote::quote; use super::{ helpers::*, - shared::{attach_require_kani_any, make_unsafe_argument_copies, try_as_result_assign}, - ContractConditionsData, ContractConditionsHandler, + shared::{build_ensures, try_as_result_assign}, + ContractConditionsData, ContractConditionsHandler, INTERNAL_RESULT_IDENT, }; impl<'a> ContractConditionsHandler<'a> { @@ -39,7 +39,8 @@ impl<'a> ContractConditionsHandler<'a> { fn ensure_bootstrapped_replace_body(&self) -> (Vec, Vec) { if self.is_first_emit() { let return_type = return_type_to_type(&self.annotated_fn.sig.output); - (vec![syn::parse_quote!(let result : #return_type = kani::any();)], vec![]) + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + (vec![syn::parse_quote!(let #result : #return_type = kani::any_modifies();)], vec![]) } else { let stmts = &self.annotated_fn.block.stmts; let idx = stmts @@ -70,30 +71,32 @@ impl<'a> ContractConditionsHandler<'a> { match &self.condition_type { ContractConditionsData::Requires { attr } => { let Self { attr_copy, .. } = self; + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); quote!( kani::assert(#attr, stringify!(#attr_copy)); #(#before)* #(#after)* - result + #result ) } - ContractConditionsData::Ensures { attr, argument_names } => { - let (arg_copies, copy_clean) = make_unsafe_argument_copies(&argument_names); + ContractConditionsData::Ensures { attr } => { + let (remembers, ensures_clause) = build_ensures(attr); + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); quote!( - #arg_copies + #remembers #(#before)* #(#after)* - kani::assume(#attr); - #copy_clean - result + kani::assume(#ensures_clause); + #result ) } ContractConditionsData::Modifies { attr } => { + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); quote!( #(#before)* - #(*unsafe { kani::internal::Pointer::assignable(#attr) } = kani::any();)* + #(unsafe{kani::internal::write_any(kani::internal::Pointer::assignable(kani::internal::untracked_deref(&#attr)))};)* #(#after)* - result + #result ) } } @@ -112,9 +115,8 @@ impl<'a> ContractConditionsHandler<'a> { self.output.extend(quote!(#[kanitool::is_contract_generated(replace)])); } let mut sig = self.annotated_fn.sig.clone(); - if self.is_first_emit() { - attach_require_kani_any(&mut sig); - } + // We use non-constant functions, thus, the wrapper cannot be constant. + sig.constness = None; let body = self.make_replace_body(); if let Some(ident) = override_function_ident { sig.ident = ident; @@ -129,7 +131,7 @@ impl<'a> ContractConditionsHandler<'a> { } } -/// Is this statement `let result : <...> = kani::any();`. +/// Is this statement `let result_kani_internal : <...> = kani::any_modifies();`. fn is_replace_return_havoc(stmt: &syn::Stmt) -> bool { let Some(syn::LocalInit { diverge: None, expr: e, .. }) = try_as_result_assign(stmt) else { return false; @@ -152,7 +154,7 @@ fn is_replace_return_havoc(stmt: &syn::Stmt) -> bool { }) if path.segments.len() == 2 && path.segments[0].ident == "kani" - && path.segments[1].ident == "any" + && path.segments[1].ident == "any_modifies" && attrs.is_empty() ) ) diff --git a/library/kani_macros/src/sysroot/contracts/shared.rs b/library/kani_macros/src/sysroot/contracts/shared.rs index 4c52cd35a69f..1ab791d9a117 100644 --- a/library/kani_macros/src/sysroot/contracts/shared.rs +++ b/library/kani_macros/src/sysroot/contracts/shared.rs @@ -11,11 +11,12 @@ use std::collections::HashMap; use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; use quote::{quote, ToTokens}; +use std::hash::{DefaultHasher, Hash, Hasher}; use syn::{ - Attribute, PredicateType, ReturnType, Signature, TraitBound, TypeParamBound, WhereClause, + spanned::Spanned, visit_mut::VisitMut, Attribute, Expr, ExprCall, ExprClosure, ExprPath, Path, }; -use super::{helpers::return_type_to_type, ContractConditionsHandler, ContractFunctionState}; +use super::{ContractConditionsHandler, ContractFunctionState, INTERNAL_RESULT_IDENT}; impl ContractFunctionState { /// Do we need to emit the `is_contract_generated` tag attribute on the @@ -52,10 +53,39 @@ impl<'a> ContractConditionsHandler<'a> { pub fn emit_common_header(&mut self) { if self.function_state.emit_tag_attr() { self.output.extend(quote!( - #[allow(dead_code, unused_variables)] + #[allow(dead_code, unused_variables, unused_mut)] )); } + + #[cfg(not(feature = "no_core"))] self.output.extend(self.annotated_fn.attrs.iter().flat_map(Attribute::to_token_stream)); + + // When verifying core and standard library, we need to add an unstable attribute to + // the functions generated by Kani. + // We also need to filter `rustc_diagnostic_item` attribute. + // We should consider a better strategy than just duplicating all attributes. + #[cfg(feature = "no_core")] + { + self.output.extend(quote!( + #[unstable(feature="kani", issue="none")] + )); + self.output.extend( + self.annotated_fn + .attrs + .iter() + .filter(|attr| { + if let Some(ident) = attr.path().get_ident() { + let name = ident.to_string(); + !name.starts_with("rustc") + && !(name == "stable") + && !(name == "unstable") + } else { + true + } + }) + .flat_map(Attribute::to_token_stream), + ); + } } } @@ -71,74 +101,6 @@ pub fn identifier_for_generated_function( Ident::new(&identifier, proc_macro2::Span::mixed_site()) } -/// We make shallow copies of the argument for the postconditions in both -/// `requires` and `ensures` clauses and later clean them up. -/// -/// This function creates the code necessary to both make the copies (first -/// tuple elem) and to clean them (second tuple elem). -pub fn make_unsafe_argument_copies( - renaming_map: &HashMap, -) -> (TokenStream2, TokenStream2) { - let arg_names = renaming_map.values(); - let also_arg_names = renaming_map.values(); - let arg_values = renaming_map.keys(); - ( - quote!(#(let #arg_names = kani::internal::untracked_deref(&#arg_values);)*), - quote!(#(std::mem::forget(#also_arg_names);)*), - ) -} - -/// Looks complicated but does something very simple: attach a bound for -/// `kani::Arbitrary` on the return type to the provided signature. Pushes it -/// onto a preexisting where condition, initializing a new `where` condition if -/// it doesn't already exist. -/// -/// Very simple example: `fn foo() -> usize { .. }` would be rewritten `fn foo() -/// -> usize where usize: kani::Arbitrary { .. }`. -/// -/// This is called when we first emit a replace function. Later we can rely on -/// this bound already being present. -pub fn attach_require_kani_any(sig: &mut Signature) { - if matches!(sig.output, ReturnType::Default) { - // It's the default return type, e.g. `()` so we can skip adding the - // constraint. - return; - } - let return_ty = return_type_to_type(&sig.output); - let where_clause = sig.generics.where_clause.get_or_insert_with(|| WhereClause { - where_token: syn::Token![where](Span::call_site()), - predicates: Default::default(), - }); - - where_clause.predicates.push(syn::WherePredicate::Type(PredicateType { - lifetimes: None, - bounded_ty: return_ty.into_owned(), - colon_token: syn::Token![:](Span::call_site()), - bounds: [TypeParamBound::Trait(TraitBound { - paren_token: None, - modifier: syn::TraitBoundModifier::None, - lifetimes: None, - path: syn::Path { - leading_colon: None, - segments: [ - syn::PathSegment { - ident: Ident::new("kani", Span::call_site()), - arguments: syn::PathArguments::None, - }, - syn::PathSegment { - ident: Ident::new("Arbitrary", Span::call_site()), - arguments: syn::PathArguments::None, - }, - ] - .into_iter() - .collect(), - }, - })] - .into_iter() - .collect(), - })) -} - /// Used as the "single source of truth" for [`try_as_result_assign`] and [`try_as_result_assign_mut`] /// since we can't abstract over mutability. Input is the object to match on and the name of the /// function used to convert an `Option` into the result type (e.g. `as_ref` and `as_mut` @@ -167,7 +129,7 @@ macro_rules! try_as_result_assign_pat { ident: result_ident, subpat: None, .. - }) if result_ident == "result" + }) if result_ident == INTERNAL_RESULT_IDENT ) => init.$convert(), _ => None, } @@ -197,3 +159,119 @@ pub fn try_as_result_assign(stmt: &syn::Stmt) -> Option<&syn::LocalInit> { pub fn try_as_result_assign_mut(stmt: &mut syn::Stmt) -> Option<&mut syn::LocalInit> { try_as_result_assign_pat!(stmt, as_mut) } + +/// When a `#[kani::ensures(|result|expr)]` is expanded, this function is called on with `build_ensures(|result|expr)`. +/// This function goes through the expr and extracts out all the `old` expressions and creates a sequence +/// of statements that instantiate these expressions as `let remember_kani_internal_x = old_expr;` +/// where x is a unique hash. This is returned as the first return parameter. The second +/// return parameter is the expression formed by passing in the result variable into the input closure. +pub fn build_ensures(data: &ExprClosure) -> (TokenStream2, Expr) { + let mut remembers_exprs = HashMap::new(); + let mut vis = OldVisitor { t: OldLifter::new(), remembers_exprs: &mut remembers_exprs }; + let mut expr = &mut data.clone(); + vis.visit_expr_closure_mut(&mut expr); + + let remembers_stmts: TokenStream2 = remembers_exprs + .iter() + .fold(quote!(), |collect, (ident, expr)| quote!(let #ident = #expr; #collect)); + + let result: Ident = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + (remembers_stmts, Expr::Verbatim(quote!(kani::internal::apply_closure(#expr, &#result)))) +} + +trait OldTrigger { + /// You are provided with the expression that is the first argument of the + /// `old()` call. You may modify it as you see fit. The return value + /// indicates whether the entire `old()` call should be replaced by the + /// (potentially altered) first argument. + /// + /// The second argument is the span of the original `old` expression. + /// + /// The third argument is a collection of all the expressions that need to be lifted + /// into the past environment as new remember variables. + fn trigger(&mut self, e: &mut Expr, s: Span, output: &mut HashMap) -> bool; +} + +struct OldLifter; + +impl OldLifter { + fn new() -> Self { + Self + } +} + +struct OldDenier; + +impl OldTrigger for OldDenier { + fn trigger(&mut self, _: &mut Expr, s: Span, _: &mut HashMap) -> bool { + s.unwrap().error("Nested calls to `old` are prohibited").emit(); + false + } +} + +struct OldVisitor<'a, T> { + t: T, + remembers_exprs: &'a mut HashMap, +} + +impl syn::visit_mut::VisitMut for OldVisitor<'_, T> { + fn visit_expr_mut(&mut self, ex: &mut Expr) { + let trigger = match &*ex { + Expr::Call(call @ ExprCall { func, attrs, args, .. }) => match func.as_ref() { + Expr::Path(ExprPath { + attrs: func_attrs, + qself: None, + path: Path { leading_colon: None, segments }, + }) if segments.len() == 1 + && segments.first().map_or(false, |sgm| sgm.ident == "old") => + { + let first_segment = segments.first().unwrap(); + assert_spanned_err!(first_segment.arguments.is_empty(), first_segment); + assert_spanned_err!(attrs.is_empty(), call); + assert_spanned_err!(func_attrs.is_empty(), func); + assert_spanned_err!(args.len() == 1, call); + true + } + _ => false, + }, + _ => false, + }; + if trigger { + let span = ex.span(); + let new_expr = if let Expr::Call(ExprCall { ref mut args, .. }) = ex { + self.t + .trigger(args.iter_mut().next().unwrap(), span, self.remembers_exprs) + .then(|| args.pop().unwrap().into_value()) + } else { + unreachable!() + }; + if let Some(new) = new_expr { + let _ = std::mem::replace(ex, new); + } + } else { + syn::visit_mut::visit_expr_mut(self, ex) + } + } +} + +impl OldTrigger for OldLifter { + fn trigger( + &mut self, + e: &mut Expr, + _: Span, + remembers_exprs: &mut HashMap, + ) -> bool { + let mut denier = OldVisitor { t: OldDenier, remembers_exprs }; + // This ensures there are no nested calls to `old` + denier.visit_expr_mut(e); + let mut hasher = DefaultHasher::new(); + e.hash(&mut hasher); + let ident = + Ident::new(&format!("remember_kani_internal_{:x}", hasher.finish()), Span::call_site()); + // save the original expression to be lifted into the past remember environment + remembers_exprs.insert(ident.clone(), (*e).clone()); + // change the expression to refer to the new remember variable + let _ = std::mem::replace(e, Expr::Verbatim(quote!((#ident)))); + true + } +} diff --git a/library/std/Cargo.toml b/library/std/Cargo.toml index b37ea4de7d4c..ae70767f6781 100644 --- a/library/std/Cargo.toml +++ b/library/std/Cargo.toml @@ -5,7 +5,7 @@ # Note: this package is intentionally named std to make sure the names of # standard library symbols are preserved name = "std" -version = "0.45.0" +version = "0.53.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false diff --git a/library/std/src/lib.rs b/library/std/src/lib.rs index 37e0e5a21518..3f8427ffff13 100644 --- a/library/std/src/lib.rs +++ b/library/std/src/lib.rs @@ -135,14 +135,14 @@ macro_rules! eprint { #[cfg(not(feature = "concrete_playback"))] #[macro_export] macro_rules! println { - () => { }; + () => { $crate::print!("\n") }; ($($x:tt)*) => {{ let _ = format_args!($($x)*); }}; } #[cfg(not(feature = "concrete_playback"))] #[macro_export] macro_rules! eprintln { - () => { }; + () => { $crate::eprint!("\n") }; ($($x:tt)*) => {{ let _ = format_args!($($x)*); }}; } diff --git a/rfc/src/SUMMARY.md b/rfc/src/SUMMARY.md index f8d5dc5639f5..e0b31761ae62 100644 --- a/rfc/src/SUMMARY.md +++ b/rfc/src/SUMMARY.md @@ -15,3 +15,4 @@ - [0007-global-conditions](rfcs/0007-global-conditions.md) - [0008-line-coverage](rfcs/0008-line-coverage.md) - [0009-function-contracts](rfcs/0009-function-contracts.md) +- [0010-quantifiers](rfcs/0010-quantifiers.md) diff --git a/rfc/src/rfcs/0003-cover-statement.md b/rfc/src/rfcs/0003-cover-statement.md index 6839af22f929..de452654392b 100644 --- a/rfc/src/rfcs/0003-cover-statement.md +++ b/rfc/src/rfcs/0003-cover-statement.md @@ -1,8 +1,8 @@ - **Feature Name:** Cover statement (`cover-statement`) - **Feature Request Issue:** - **RFC PR:** -- **Status:** Unstable -- **Version:** 1 +- **Status:** Stable +- **Version:** 2 ------------------- @@ -138,8 +138,12 @@ However, if the condition can indeed be covered, verification would fail due to ## Open questions -Should we allow format arguments in the macro, e.g. `kani::cover!(x > y, "{} can be greater than {}", x, y)`? -Users may expect this to be supported since the macro looks similar to the `assert` macro, but Kani doesn't include the formatted string in the message description, since it's not available at compile time. +- ~Should we allow format arguments in the macro, e.g. `kani::cover!(x > y, "{} can be greater than {}", x, y)`? +Users may expect this to be supported since the macro looks similar to the `assert` macro, but Kani doesn't include the formatted string in the message description, since it's not available at compile time.~ + - For now, this macro will not accept format arguments, since this + is not well handled by Kani. + This is an extesion to this API that can be easily added later on if Kani + ever supports runtime formatting. ## Other Considerations diff --git a/rfc/src/rfcs/0009-function-contracts.md b/rfc/src/rfcs/0009-function-contracts.md index e26592080822..a8bd7bf66041 100644 --- a/rfc/src/rfcs/0009-function-contracts.md +++ b/rfc/src/rfcs/0009-function-contracts.md @@ -1,8 +1,8 @@ - **Feature Name:** Function Contracts - **Feature Request Issue:** [#2652](https://github.com/model-checking/kani/issues/2652) and [Milestone](https://github.com/model-checking/kani/milestone/31) - **RFC PR:** [#2620](https://github.com/model-checking/kani/pull/2620) -- **Status:** Under Review -- **Version:** 0 +- **Status:** Unstable +- **Version:** 1 - **Proof-of-concept:** [features/contracts](https://github.com/model-checking/kani/tree/features/contracts) - **Feature Gate:** `-Zfunction-contracts`, enforced by compile time error[^gate] @@ -65,7 +65,7 @@ fn my_div(dividend: u32, divisor: u32) -> u32 { ```rs #[kani::requires(divisor != 0)] - #[kani::ensures(result <= dividend)] + #[kani::ensures(|result : &u32| *result <= dividend)] fn my_div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } @@ -79,8 +79,7 @@ fn my_div(dividend: u32, divisor: u32) -> u32 { Conditions in contracts are Rust expressions which reference the function arguments and, in case of `ensures`, the return value of the - function. The return value is a special variable called `result` (see [open - questions](#open-questions) on a discussion about (re)naming). Syntactically + function. The return value is passed into the ensures closure statement by reference. Syntactically Kani supports any Rust expression, including function calls, defining types etc. However they must be side-effect free (see also side effects [here](#changes-to-other-components)) or Kani will throw a compile error. @@ -132,8 +131,8 @@ fn my_div(dividend: u32, divisor: u32) -> u32 { let dividend = kani::any(); let divisor = kani::any(); kani::assume(divisor != 0); // requires - let result = my_div(dividend, divisor); - kani::assert(result <= dividend); // ensures + let result_kani_internal = my_div(dividend, divisor); + kani::assert((|result : &u32| *result <= dividend)(result_kani_internal)); // ensures } ``` @@ -306,7 +305,7 @@ available to `ensures`. It is used like so: ```rs impl Vec { - #[kani::ensures(old(self.is_empty()) || result.is_some())] + #[kani::ensures(|result : &Option| old(self.is_empty()) || result.is_some())] fn pop(&mut self) -> Option { ... } @@ -324,8 +323,8 @@ Note also that `old` is syntax, not a function and implemented as an extraction and lifting during code generation. It can reference e.g. `pop`'s arguments but not local variables. Compare the following -**Invalid ❌:** `#[kani::ensures({ let x = self.is_empty(); old(x) } || result.is_some())]`
-**Valid ✅:** `#[kani::ensures(old({ let x = self.is_empty(); x }) || result.is_some())]` +**Invalid ❌:** `#[kani::ensures(|result : &Option| { let x = self.is_empty(); old(x) } || result.is_some())]`
+**Valid ✅:** `#[kani::ensures(|result : &Option| old({ let x = self.is_empty(); x }) || result.is_some())]` And it will only be recognized as `old(...)`, not as `let old1 = old; old1(...)` etc. @@ -410,7 +409,7 @@ the below example: ```rs impl Vec { - #[kani::ensures(self.is_empty() || self.len() == old(self.len()) - 1)] + #[kani::ensures(|result : &Option| self.is_empty() || self.len() == old(self.len()) - 1)] fn pop(&mut self) -> Option { ... } @@ -425,8 +424,8 @@ following: impl Vec { fn check_pop(&mut self) -> Option { let old_1 = self.len(); - let result = Self::pop(self); - kani::assert(self.is_empty() || self.len() == old_1 - 1) + let result_kani_internal = Self::pop(self); + kani::assert((|result : &Option| self.is_empty() || self.len() == old_1 - 1)(result_kani_internal)) } } ``` @@ -450,7 +449,7 @@ sensible contract for it might look as follows: ```rs impl Vec { - #[ensures(self.len() == result.0.len() + result.1.len())] + #[ensures(|result : &(&mut [T], &mut [T])| self.len() == result.0.len() + result.1.len())] fn split_at_mut(&mut self, i: usize) -> (&mut [T], &mut [T]) { ... } @@ -550,6 +549,49 @@ This is the technical portion of the RFC. Please provide high level details of t +We developed the `old` contract for history expressions via understanding it as a [modality](https://en.wikipedia.org/wiki/Monad_(functional_programming)) originating from [Moggi 1991](https://www.sciencedirect.com/science/article/pii/0890540191900524). +The `old` monad links the "language of the past" to the "language of the present". +Implementing the full generality of the monad is rather difficult, so we focus on a particular usage of the monad. + +We have an external syntax representation which is what the user inputs. We then parse this and logically manipulate it as a monad, prefixing all the `bind` operations. We then output the final compiled macro output as Rust code. + +In particular, if we have an ensures statement like +```rust +#[kani::ensures(old(*ptr)+1==*ptr)] +``` +Then we comprehend this as syntax for the statement (not within Rust) +``` +bind (*ptr : O(u32)) (|remember : u32| remember + 1 == *ptr) +``` +Here, the `O(u32)` is taking the type of the past `u32` and converting it into a type in the present `O(u32)` while the bind operation lets you use the value of the past `u32` to express a type in the present `bool`. + +This then gets compiled to (within Rust) +```rust +let remember = *ptr; +let result = ...; +kani::assert(remember + 1 == *ptr) +``` +This means that the underlying principle of the monad is there, but external syntax appears to be less like a monad because otherwise it would be too difficult to implement, and the user most likely only cares about this particular construction of prefixing all the `bind` operations. + +This construction requires that `old` expressions are closed with resprect to the input parameters. This is due to the lifting into the prefixed `bind` operations. + +A major drawback is that eta expansion fails. If we eta expand a function f, it becomes |x|f(x). Note that eta expansions guarantee that the original f and the |x|f(x) are equivalent which makes a lot of sense since you’re just calling the same function. However, we have that `old(y)` is not equivalent to `(|x|old(x))(y)`. `y` is a closed expression, so the first statement works. `x` is a bound variable, so it is an open expression, so compilation will fail. + +The reason for this restriction is that the user will most likely only want to use this particular prefixed `bind` structure for their code, so exposing the concept of monads to the user level would only confuse the user. It is also simpler from an implementation perspective to limit the monad to this particular usage. + +As for nested old, such as `old(old(*ptr)+*ptr)`, it is reasonable to interpret this as syntax representing +``` +bind (bind(*ptr)(|remember_1| remember_1 + *ptr)) (|remember_0| ...) +``` +which compiles to +```rust +let remember_1 = *ptr; +let remember_0 = remember_1 + *ptr; +let result = ...; +... +``` +so the restriction is just a matter of there not being implementation support for this kind of statement rather than the theory itself. It is not particularly useful to implement this because we claim that there should be no effectful computation within the contracts, so you can substitute the `remember_1` into the second line without worrying about the effects. Hence, we opt for simply restricting this behavior instead of implementing it. (Note: it can be implemented by changing `denier.visit_expr_mut(e);` into `self.visit_expr_mut(e);`) + + +Kani should have the same support that CBMC has for quantifiers. For more details, see [Quantifiers](https://github.com/diffblue/cbmc/blob/0a69a64e4481473d62496f9975730d24f194884a/doc/cprover-manual/contracts-quantifiers.md). + + +## Open questions + + +- **Function Contracts RFC** - CBMC has support for both `exists` and `forall`, but the + code generation is difficult. The most ergonomic and easy way to implement + quantifiers on the Rust side is as higher-order functions taking `Fn(T) -> + bool`, where `T` is some arbitrary type that can be quantified over. This + interface is familiar to developers, but the code generation is tricky, as + CBMC level quantifiers only allow certain kinds of expressions. This + necessitates a rewrite of the `Fn` closure to a compliant expression. + - Which kind of expressions should be accepted as a "compliant expression"? + + +## Future possibilities + + +- CBMC has an SMT backend which allows the use of quantifiers with arbitrary Boolean expressions. Kani must include an option for users to experiment with this backend. + +--- diff --git a/rust-toolchain.toml b/rust-toolchain.toml index 2914c0609c1a..8753157827b5 100644 --- a/rust-toolchain.toml +++ b/rust-toolchain.toml @@ -2,5 +2,5 @@ # SPDX-License-Identifier: Apache-2.0 OR MIT [toolchain] -channel = "nightly-2024-01-17" -components = ["llvm-tools-preview", "rustc-dev", "rust-src", "rustfmt"] +channel = "nightly-2024-08-01" +components = ["llvm-tools", "rustc-dev", "rust-src", "rustfmt"] diff --git a/rustfmt.toml b/rustfmt.toml index 32ff2d638c56..95988ef7f52a 100644 --- a/rustfmt.toml +++ b/rustfmt.toml @@ -15,5 +15,4 @@ ignore = [ # For some reason, this is not working without the directory wildcard. "**/firecracker", "**/tests/perf/s2n-quic/", - "**/tools/bookrunner/rust-doc/", ] diff --git a/scripts/build-docs.sh b/scripts/build-docs.sh index 3400e2849b53..2e2c10b052f6 100755 --- a/scripts/build-docs.sh +++ b/scripts/build-docs.sh @@ -28,37 +28,18 @@ else curl -sSL -o "$FILE" "$URL" echo "$EXPECTED_HASH $FILE" | sha256sum -c - tar zxf $FILE + MDBOOK=${SCRIPT_DIR}/mdbook + else + MDBOOK=mdbook fi - MDBOOK=${SCRIPT_DIR}/mdbook fi -# Publish bookrunner report into our documentation KANI_DIR=$SCRIPT_DIR/.. DOCS_DIR=$KANI_DIR/docs RFC_DIR=$KANI_DIR/rfc -HTML_DIR=$KANI_DIR/build/output/latest/html/ cd $DOCS_DIR -if [ -d $HTML_DIR ]; then - # Litani run is copied into `src` to avoid deletion by `mdbook` - cp -r $HTML_DIR src/bookrunner/ - # Replace artifacts by examples under test - BOOKS_DIR=$KANI_DIR/tests/bookrunner/books - rm -r src/bookrunner/artifacts - # Remove any json files that Kani might've left behind due to crash or timeout. - find $BOOKS_DIR -name '*.json' -exec rm {} \; - find $BOOKS_DIR -name '*.out' -exec rm {} \; - cp -r $BOOKS_DIR src/bookrunner/artifacts - # Update paths in HTML report - python $KANI_DIR/scripts/ci/update_bookrunner_report.py src/bookrunner/index.html new_index.html - mv new_index.html src/bookrunner/index.html - - # rm src/bookrunner/run.json -else - echo "WARNING: Could not find the latest bookrunner run." -fi - echo "Building user documentation..." # Generate benchcomp documentation from source code mkdir -p gen_src diff --git a/scripts/ci/Dockerfile.bundle-test-ubuntu-18-04 b/scripts/ci/Dockerfile.bundle-test-ubuntu-18-04 index d3ddfd20fdbf..c3f89fec1259 100644 --- a/scripts/ci/Dockerfile.bundle-test-ubuntu-18-04 +++ b/scripts/ci/Dockerfile.bundle-test-ubuntu-18-04 @@ -18,7 +18,7 @@ RUN apt-get update && \ RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.7 1 -RUN curl -s https://bootstrap.pypa.io/get-pip.py -o get-pip.py && \ +RUN curl -s https://bootstrap.pypa.io/pip/3.7/get-pip.py -o get-pip.py && \ python3 get-pip.py --force-reinstall && \ rm get-pip.py diff --git a/scripts/ci/bookrunner_failures_by_stage.py b/scripts/ci/bookrunner_failures_by_stage.py deleted file mode 100644 index 941cc62ae2e5..000000000000 --- a/scripts/ci/bookrunner_failures_by_stage.py +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/python3 -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -import argparse -from bs4 import BeautifulSoup - -def main(): - parser = argparse.ArgumentParser( - description='Scans an HTML dashboard file and prints' - 'the number of failures grouped by stage') - parser.add_argument('input') - args = parser.parse_args() - - with open(args.input) as fp: - run = BeautifulSoup(fp, 'html.parser') - - failures = [0] * 3 - - for row in run.find_all('div', attrs={'class': 'pipeline-row'}): - stages = row.find_all('div', attrs={'class': 'pipeline-stage'}) - i = 0 - for stage in stages: - if stage.a['class'][1] == 'fail': - failures[i] += 1 - break - i += 1 - - print('bookrunner failures grouped by stage:') - print(' * rustc-compilation: ' + str(failures[0])) - print(' * kani-codegen: ' + str(failures[1])) - print(' * cbmc-verification: ' + str(failures[2])) - - -if __name__ == "__main__": - main() diff --git a/scripts/ci/copyright-exclude b/scripts/ci/copyright-exclude index 358edc372af2..157d88fbc379 100644 --- a/scripts/ci/copyright-exclude +++ b/scripts/ci/copyright-exclude @@ -10,7 +10,7 @@ Cargo.lock LICENSE-APACHE LICENSE-MIT editorconfig -expected +expected$ gitattributes gitignore gitmodules diff --git a/scripts/ci/detect_bookrunner_failures.sh b/scripts/ci/detect_bookrunner_failures.sh deleted file mode 100755 index 027ea8174b5d..000000000000 --- a/scripts/ci/detect_bookrunner_failures.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -set -eu - -# This script checks that the number of failures in a bookrunner run are below -# the threshold computed below. -# -# The threshold is roughly computed as: `1.05 * ` -# The extra 5% allows us to account for occasional timeouts. It is reviewed and -# updated whenever the Rust toolchain version is updated. -EXPECTED=82 -THRESHOLD=$(expr ${EXPECTED} \* 105 / 100) # Add 5% threshold - -if [[ $# -ne 1 ]]; then - echo "$0: Error: Specify the bookrunner text report" - exit 1 -fi - -# Get the summary line, which looks like: -# `# of tests: ✔️ ` -SUMMARY_LINE=`head -n 1 $1` - -# Parse the summary line and extract the number of failures -read -a strarr <<< $SUMMARY_LINE -NUM_FAILURES=${strarr[-1]} - -# Print a message and return a nonzero code if the threshold is exceeded -if [[ $NUM_FAILURES -ge $THRESHOLD ]]; then - echo "Error: The number of failures from bookrunner is higher than expected!" - echo - echo "Found $NUM_FAILURES which is higher than the threshold of $THRESHOLD" - echo "This means that your changes are causing at least 5% more failures than in previous bookrunner runs." - echo "To check these failures locally, run \`cargo run -p bookrunner\` and inspect the report in \`build/output/latest/html/index.html\`." - echo "For more details on bookrunner, go to https://model-checking.github.io/kani/bookrunner.html" - exit 1 -fi diff --git a/scripts/ci/update_bookrunner_report.py b/scripts/ci/update_bookrunner_report.py deleted file mode 100644 index fc1c47ad78c4..000000000000 --- a/scripts/ci/update_bookrunner_report.py +++ /dev/null @@ -1,65 +0,0 @@ -#!/usr/bin/python3 -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -import argparse -from bs4 import BeautifulSoup - -def update_path(run, path): - ''' - Shortens a path referring to an example and adds a link to the file. - - By default, the path to an example follows this pattern: - - `tests/bookrunner/books///
//.rs` - - However, only the first part is shown since these paths are enclosed - in paragraph markers (`

` and `

`). So they are often rendered as: - - `tests/bookrunner/books///... - - This update removes `tests/bookrunner/books/` from the path (common to - all examples) and transforms them into anchor elements with a link to - the example, so the path to the example is shown as: - - `//
//.rs` - ''' - orig_path = path.p.string - new_string = '/'.join(orig_path.split('/')[4:]) - new_tag = run.new_tag('a') - new_tag.string = new_string - # Add link to the example - new_tag['href'] = "artifacts/" + new_string - path.p.replace_with(new_tag) - -def main(): - parser = argparse.ArgumentParser( - description='Produces an updated HTML report file from the ' - 'contents of an HTML file generated with `litani`') - parser.add_argument('input') - parser.add_argument('output') - args = parser.parse_args() - - with open(args.input) as fp: - run = BeautifulSoup(fp, 'html.parser') - - # Update pipeline names to link to the example under test - for row in run.find_all(lambda tag: tag.name == 'div' and - tag.get('class') == ['pipeline-row']): - path = row.find('div', attrs={'class': 'pipeline-name'}) - # Some paths here may be `None` - skip them - if path.p: - update_path(run, path) - - # Delete links to empty artifacts folder from progress bars - for bar in run.find_all('a', attrs={'class': 'stage-artifacts-link fail'}): - del bar['href'] - for bar in run.find_all('a', attrs={'class': 'stage-artifacts-link success'}): - del bar['href'] - - with open(args.output, "w") as file: - file.write(str(run)) - - -if __name__ == "__main__": - main() diff --git a/scripts/kani-regression.sh b/scripts/kani-regression.sh index 20782abe5cbc..b1de293d533c 100755 --- a/scripts/kani-regression.sh +++ b/scripts/kani-regression.sh @@ -33,31 +33,33 @@ check_kissat_version.sh # Formatting check ${SCRIPT_DIR}/kani-fmt.sh --check -# Build all packages in the workspace and ensure no warning is emitted. -RUSTFLAGS="-D warnings" cargo build-dev +# Build kani +cargo build-dev # Unit tests cargo test -p cprover_bindings cargo test -p kani-compiler cargo test -p kani-driver cargo test -p kani_metadata -cargo test -p kani --lib # skip doc tests. +# skip doc tests and enable assertions to fail +cargo test -p kani --lib --features concrete_playback # Test the actual macros, skipping doc tests and enabling extra traits for "syn" # so we can debug print AST RUSTFLAGS=--cfg=kani_sysroot cargo test -p kani_macros --features syn/extra-traits --lib # Declare testing suite information (suite and mode) TESTS=( - "script-based-pre exec" - "coverage coverage-based" "kani kani" "expected expected" "ui expected" + "std-checks cargo-kani" "firecracker kani" "prusti kani" "smack kani" "cargo-kani cargo-kani" "cargo-ui cargo-kani" + "script-based-pre exec" + "coverage coverage-based" "kani-docs cargo-kani" "kani-fixme kani-fixme" ) @@ -100,6 +102,13 @@ FEATURES_MANIFEST_PATH="$KANI_DIR/tests/cargo-kani/cargo-features-flag/Cargo.tom cargo kani --manifest-path "$FEATURES_MANIFEST_PATH" --harness trivial_success cargo clean --manifest-path "$FEATURES_MANIFEST_PATH" +# Build all packages in the workspace and ensure no warning is emitted. +# Please don't replace `cargo build-dev` above with this command. +# Setting RUSTFLAGS like this always resets cargo's build cache resulting in +# all tests to be re-run. I.e., cannot keep re-runing the regression from where +# we stopped. +RUSTFLAGS="-D warnings" cargo build --target-dir /tmp/kani_build_warnings + echo echo "All Kani regression tests completed successfully." echo diff --git a/scripts/setup/install_bookrunner_deps.sh b/scripts/setup/install_bookrunner_deps.sh deleted file mode 100755 index f1457c1e9c4d..000000000000 --- a/scripts/setup/install_bookrunner_deps.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -set -eu - -# The book runner report is generated using [Litani](https://github.com/awslabs/aws-build-accumulator) -FILE="litani-1.22.0.deb" -URL="https://github.com/awslabs/aws-build-accumulator/releases/download/1.22.0/$FILE" - -set -x - -# Install Litani -wget -O "$FILE" "$URL" -sudo DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ./"$FILE" - -PYTHON_DEPS=( - bs4 # Used for report updates -) - -python3 -m pip install "${PYTHON_DEPS[@]}" \ No newline at end of file diff --git a/scripts/setup/macos-13-xlarge b/scripts/setup/macos-14 similarity index 100% rename from scripts/setup/macos-13-xlarge rename to scripts/setup/macos-14 diff --git a/scripts/setup/macos/install_deps.sh b/scripts/setup/macos/install_deps.sh index c544846b403f..179bf8c1237f 100755 --- a/scripts/setup/macos/install_deps.sh +++ b/scripts/setup/macos/install_deps.sh @@ -4,21 +4,19 @@ set -eux -# Github promises weekly build image updates, so we can skip the update step and +# Github promises weekly build image updates, so we could skip the update step and # worst case we should only be 1-2 weeks behind upstream brew. # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software -#brew update +brew update + +# Install Python separately to workround recurring homebrew CI issue. +# See https://github.com/actions/runner-images/issues/9471 for more details. +brew install python@3 || true +brew link --overwrite python@3 # Install dependencies via `brew` brew install universal-ctags wget jq -# Add Python package dependencies -PYTHON_DEPS=( - autopep8 -) - -python3 -m pip install "${PYTHON_DEPS[@]}" - # Get the directory containing this script SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" diff --git a/scripts/setup/ubuntu/install_cbmc.sh b/scripts/setup/ubuntu/install_cbmc.sh index f37aafcd6327..31015ab9de7a 100755 --- a/scripts/setup/ubuntu/install_cbmc.sh +++ b/scripts/setup/ubuntu/install_cbmc.sh @@ -42,7 +42,8 @@ pushd "${WORK_DIR}" mkdir build git submodule update --init -cmake -S . -Bbuild -DWITH_JBMC=OFF -Dsat_impl="minisat2;cadical" +cmake -S . -Bbuild -DWITH_JBMC=OFF -Dsat_impl="minisat2;cadical" \ + -DBUILD_SHARED_LIBS=OFF -DCMAKE_EXE_LINKER_FLAGS=-static make -C build -j$(nproc) cpack -G DEB --config build/CPackConfig.cmake sudo dpkg -i ./cbmc-*.deb diff --git a/scripts/setup/ubuntu/install_deps.sh b/scripts/setup/ubuntu/install_deps.sh index 2830d0280498..b93602691222 100755 --- a/scripts/setup/ubuntu/install_deps.sh +++ b/scripts/setup/ubuntu/install_deps.sh @@ -16,6 +16,7 @@ DEPS=( gpg-agent jq libssl-dev + lld lsb-release make ninja-build diff --git a/scripts/std-analysis.sh b/scripts/std-analysis.sh new file mode 100755 index 000000000000..87ac991cb00d --- /dev/null +++ b/scripts/std-analysis.sh @@ -0,0 +1,115 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +# Collect some metrics related to the crates that compose the standard library. +# +# Files generates so far: +# +# - ${crate}_scan_overall.csv: Summary of function metrics, such as safe vs unsafe. +# - ${crate}_scan_input_tys.csv: Detailed information about the inputs' type of each +# function found in this crate. +# +# How we collect metrics: +# +# - Compile the standard library using the `scan` tool to collect some metrics. +# - After compilation, move all CSV files that were generated by the scanner, +# to the results folder. +set -eu + +# Test for platform +PLATFORM=$(uname -sp) +if [[ $PLATFORM == "Linux x86_64" ]] +then + TARGET="x86_64-unknown-linux-gnu" + # 'env' necessary to avoid bash built-in 'time' + WRAPPER="env time -v" +elif [[ $PLATFORM == "Darwin i386" ]] +then + TARGET="x86_64-apple-darwin" + # mac 'time' doesn't have -v + WRAPPER="time" +elif [[ $PLATFORM == "Darwin arm" ]] +then + TARGET="aarch64-apple-darwin" + # mac 'time' doesn't have -v + WRAPPER="time" +else + echo + echo "Std-Lib codegen regression only works on Linux or OSX x86 platforms, skipping..." + echo + exit 0 +fi + +# Get Kani root +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +KANI_DIR=$(dirname "$SCRIPT_DIR") + +echo "-------------------------------------------------------" +echo "-- Starting analysis of the Rust standard library... --" +echo "-------------------------------------------------------" + +echo "-- Build scanner" +cd $KANI_DIR +cargo build -p scanner + +echo "-- Build std" +cd /tmp +if [ -d std_lib_analysis ] +then + rm -rf std_lib_analysis +fi +cargo new std_lib_analysis --lib +cd std_lib_analysis + +echo ' +pub fn dummy() { +} +' > src/lib.rs + +# Use same nightly toolchain used to build Kani +cp ${KANI_DIR}/rust-toolchain.toml . + +export RUST_BACKTRACE=1 +export RUSTC_LOG=error + +RUST_FLAGS=( + "-Cpanic=abort" + "-Zalways-encode-mir" +) +export RUSTFLAGS="${RUST_FLAGS[@]}" +export RUSTC="$KANI_DIR/target/debug/scan" +# Compile rust with our extension +$WRAPPER cargo build --verbose -Z build-std --lib --target $TARGET + +echo "-- Process results" + +# Move files to results folder +results=/tmp/std_lib_analysis/results +mkdir $results +find /tmp/std_lib_analysis/target -name "*.csv" -exec mv {} $results \; + +# Create a summary table +summary=$results/summary.csv + +# write header +echo -n "crate," > $summary +tr -d "[:digit:],;" < $results/alloc_scan_overall.csv \ + | tr -s '\n' ',' >> $summary +echo "" >> $summary + +# write body +for f in $results/*overall.csv; do + # Join all crate summaries into one table + fname=$(basename $f) + crate=${fname%_scan_overall.csv} + echo -n "$crate," >> $summary + tr -d [:alpha:]_,; < $f | tr -s '\n' ',' \ + >> $summary + echo "" >> $summary +done + +echo "-------------------------------------------------------" +echo "Finished analysis successfully..." +echo "- See results at ${results}" +echo "-------------------------------------------------------" diff --git a/scripts/toolchain_update.sh b/scripts/toolchain_update.sh new file mode 100755 index 000000000000..856c346e542c --- /dev/null +++ b/scripts/toolchain_update.sh @@ -0,0 +1,65 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +# This script is part of our CI nightly job to bump the toolchain version. +# It will potentially update the rust-toolchain.toml file, and run the +# regression. +# +# In order to manually run this script, you will need to do the following: +# +# 1. Set $GITHUB_ENV to point to an output file. +# 2. Install and configure GitHub CLI + +set -eu + +current_toolchain_date=$(grep ^channel rust-toolchain.toml | sed 's/.*nightly-\(.*\)"/\1/') +echo "current_toolchain_date=$current_toolchain_date" >> $GITHUB_ENV + +current_toolchain_epoch=$(date --date $current_toolchain_date +%s) +next_toolchain_date=$(date --date "@$(($current_toolchain_epoch + 86400))" +%Y-%m-%d) +echo "next_toolchain_date=$next_toolchain_date" >> $GITHUB_ENV + +echo "------ Start upgrade ------" +echo "- current: ${current_toolchain_date}" +echo "- next: ${next_toolchain_date}" +echo "---------------------------" + +if gh issue list -S \ + "Toolchain upgrade to nightly-$next_toolchain_date failed" \ + --json number,title | grep title +then + echo "Skip update: Found existing issue" + echo "next_step=none" >> $GITHUB_ENV +elif ! git ls-remote --exit-code origin toolchain-$next_toolchain_date +then + echo "next_step=create_pr" >> $GITHUB_ENV + + # Modify rust-toolchain file + sed -i "/^channel/ s/$current_toolchain_date/$next_toolchain_date/" rust-toolchain.toml + + git diff + git clone --filter=tree:0 https://github.com/rust-lang/rust rust.git + cd rust.git + current_toolchain_hash=$(curl https://static.rust-lang.org/dist/$current_toolchain_date/channel-rust-nightly-git-commit-hash.txt) + echo "current_toolchain_hash=$current_toolchain_hash" >> $GITHUB_ENV + + next_toolchain_hash=$(curl https://static.rust-lang.org/dist/$next_toolchain_date/channel-rust-nightly-git-commit-hash.txt) + echo "next_toolchain_hash=$next_toolchain_hash" >> $GITHUB_ENV + + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "git_log<<$EOF" >> $GITHUB_ENV + + git log --oneline $current_toolchain_hash..$next_toolchain_hash | \ + sed 's#^#https://github.com/rust-lang/rust/commit/#' >> $GITHUB_ENV + echo "$EOF" >> $GITHUB_ENV + + cd .. + rm -rf rust.git + if ! ./scripts/kani-regression.sh ; then + echo "next_step=create_issue" >> $GITHUB_ENV + fi +else + echo "Skip update: Found existing branch" + echo "next_step=none" >> $GITHUB_ENV +fi diff --git a/src/lib.rs b/src/lib.rs index 9a1ac90f5dda..0015829f61d3 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -28,16 +28,18 @@ use anyhow::{bail, Context, Result}; /// `bin` should be either `kani` or `cargo-kani` pub fn proxy(bin: &str) -> Result<()> { match parse_args(env::args_os().collect()) { - ArgsResult::ExplicitSetup { use_local_bundle } => setup::setup(use_local_bundle), + ArgsResult::ExplicitSetup { use_local_bundle, use_local_toolchain } => { + setup::setup(use_local_bundle, use_local_toolchain) + } ArgsResult::Default => { fail_if_in_dev_environment()?; if !setup::appears_setup() { - setup::setup(None)?; + setup::setup(None, None)?; } else { // This handles cases where the setup was left incomplete due to an interrupt // For example - https://github.com/model-checking/kani/issues/1545 if let Some(path_to_bundle) = setup::appears_incomplete() { - setup::setup(Some(path_to_bundle.clone().into_os_string()))?; + setup::setup(Some(path_to_bundle.clone().into_os_string()), None)?; // Suppress warning with unused assignment // and remove the bundle if it still exists let _ = fs::remove_file(path_to_bundle); @@ -51,7 +53,7 @@ pub fn proxy(bin: &str) -> Result<()> { /// Minimalist argument parsing result type #[derive(PartialEq, Eq, Debug)] enum ArgsResult { - ExplicitSetup { use_local_bundle: Option }, + ExplicitSetup { use_local_bundle: Option, use_local_toolchain: Option }, Default, } @@ -63,14 +65,46 @@ fn parse_args(args: Vec) -> ArgsResult { // "cargo kani setup" comes in as "cargo-kani kani setup" // "cargo-kani setup" comes in as "cargo-kani setup" match &args_ez[..] { - &[_, Some("setup"), Some("--use-local-bundle"), _] => { - ArgsResult::ExplicitSetup { use_local_bundle: Some(args[3].clone()) } + &[_, Some("setup"), Some("--use-local-bundle"), _, Some("--use-local-toolchain"), _] => { + ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[3].clone()), + use_local_toolchain: Some(args[5].clone()), + } } + &[ + _, + Some("kani"), + Some("setup"), + Some("--use-local-bundle"), + _, + Some("--use-local-toolchain"), + _, + ] => ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[4].clone()), + use_local_toolchain: Some(args[6].clone()), + }, + &[_, Some("setup"), Some("--use-local-bundle"), _] => ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[3].clone()), + use_local_toolchain: None, + }, &[_, Some("kani"), Some("setup"), Some("--use-local-bundle"), _] => { - ArgsResult::ExplicitSetup { use_local_bundle: Some(args[4].clone()) } + ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[4].clone()), + use_local_toolchain: None, + } + } + &[_, Some("setup"), Some("--use-local-toolchain"), _] => ArgsResult::ExplicitSetup { + use_local_bundle: None, + use_local_toolchain: Some(args[3].clone()), + }, + &[_, Some("kani"), Some("setup"), Some("--use-local-toolchain"), _] => { + ArgsResult::ExplicitSetup { + use_local_bundle: None, + use_local_toolchain: Some(args[4].clone()), + } } &[_, Some("setup")] | &[_, Some("kani"), Some("setup")] => { - ArgsResult::ExplicitSetup { use_local_bundle: None } + ArgsResult::ExplicitSetup { use_local_bundle: None, use_local_toolchain: None } } _ => ArgsResult::Default, } @@ -223,16 +257,72 @@ mod tests { assert_eq!(e, trial(&[])); } { - let e = ArgsResult::ExplicitSetup { use_local_bundle: None }; + let e = ArgsResult::ExplicitSetup { use_local_bundle: None, use_local_toolchain: None }; assert_eq!(e, trial(&["cargo-kani", "kani", "setup"])); assert_eq!(e, trial(&["cargo", "kani", "setup"])); assert_eq!(e, trial(&["cargo-kani", "setup"])); } { - let e = ArgsResult::ExplicitSetup { use_local_bundle: Some(OsString::from("FILE")) }; + let e = ArgsResult::ExplicitSetup { + use_local_bundle: Some(OsString::from("FILE")), + use_local_toolchain: None, + }; assert_eq!(e, trial(&["cargo-kani", "kani", "setup", "--use-local-bundle", "FILE"])); assert_eq!(e, trial(&["cargo", "kani", "setup", "--use-local-bundle", "FILE"])); assert_eq!(e, trial(&["cargo-kani", "setup", "--use-local-bundle", "FILE"])); } + { + let e = ArgsResult::ExplicitSetup { + use_local_bundle: None, + use_local_toolchain: Some(OsString::from("TOOLCHAIN")), + }; + assert_eq!( + e, + trial(&["cargo-kani", "kani", "setup", "--use-local-toolchain", "TOOLCHAIN"]) + ); + assert_eq!(e, trial(&["cargo", "kani", "setup", "--use-local-toolchain", "TOOLCHAIN"])); + assert_eq!(e, trial(&["cargo-kani", "setup", "--use-local-toolchain", "TOOLCHAIN"])); + } + { + let e = ArgsResult::ExplicitSetup { + use_local_bundle: Some(OsString::from("FILE")), + use_local_toolchain: Some(OsString::from("TOOLCHAIN")), + }; + assert_eq!( + e, + trial(&[ + "cargo-kani", + "kani", + "setup", + "--use-local-bundle", + "FILE", + "--use-local-toolchain", + "TOOLCHAIN" + ]) + ); + assert_eq!( + e, + trial(&[ + "cargo", + "kani", + "setup", + "--use-local-bundle", + "FILE", + "--use-local-toolchain", + "TOOLCHAIN" + ]) + ); + assert_eq!( + e, + trial(&[ + "cargo-kani", + "setup", + "--use-local-bundle", + "FILE", + "--use-local-toolchain", + "TOOLCHAIN" + ]) + ); + } } } diff --git a/src/setup.rs b/src/setup.rs index ffdcf340e336..58387f7031b7 100644 --- a/src/setup.rs +++ b/src/setup.rs @@ -70,7 +70,10 @@ pub fn appears_incomplete() -> Option { } /// Sets up Kani by unpacking/installing to `~/.kani/kani-VERSION` -pub fn setup(use_local_bundle: Option) -> Result<()> { +pub fn setup( + use_local_bundle: Option, + use_local_toolchain: Option, +) -> Result<()> { let kani_dir = kani_dir()?; let os = os_info::get(); @@ -81,7 +84,7 @@ pub fn setup(use_local_bundle: Option) -> Result<()> { setup_kani_bundle(&kani_dir, use_local_bundle)?; - setup_rust_toolchain(&kani_dir)?; + setup_rust_toolchain(&kani_dir, use_local_toolchain)?; setup_python_deps(&kani_dir)?; @@ -138,15 +141,44 @@ pub(crate) fn get_rust_toolchain_version(kani_dir: &Path) -> Result { .context("Reading release bundle rust-toolchain-version") } +pub(crate) fn get_rustc_version_from_build(kani_dir: &Path) -> Result { + std::fs::read_to_string(kani_dir.join("rustc-version")) + .context("Reading release bundle rustc-version") +} + /// Install the Rust toolchain version we require -fn setup_rust_toolchain(kani_dir: &Path) -> Result { +fn setup_rust_toolchain(kani_dir: &Path, use_local_toolchain: Option) -> Result { // Currently this means we require the bundle to have been unpacked first! let toolchain_version = get_rust_toolchain_version(kani_dir)?; + let rustc_version = get_rustc_version_from_build(kani_dir)?.trim().to_string(); + + // Symlink to a local toolchain if the user explicitly requests + if let Some(local_toolchain_path) = use_local_toolchain { + let toolchain_path = Path::new(&local_toolchain_path); + + let custom_toolchain_rustc_version = + get_rustc_version_from_local_toolchain(local_toolchain_path.clone())?; + + if rustc_version == custom_toolchain_rustc_version { + symlink_rust_toolchain(toolchain_path, kani_dir)?; + println!( + "[3/5] Installing rust toolchain from path provided: {}", + &toolchain_path.to_string_lossy() + ); + return Ok(toolchain_version); + } else { + bail!( + "The toolchain with rustc {:?} being used to setup is not the same as the one Kani used in its release bundle {:?}. Try to setup with the same version as the bundle.", + custom_toolchain_rustc_version, + rustc_version, + ); + } + } + + // This is the default behaviour when no explicit path to a toolchain is mentioned println!("[3/5] Installing rust toolchain version: {}", &toolchain_version); Command::new("rustup").args(["toolchain", "install", &toolchain_version]).run()?; - let toolchain = home::rustup_home()?.join("toolchains").join(&toolchain_version); - symlink_rust_toolchain(&toolchain, kani_dir)?; Ok(toolchain_version) } @@ -157,7 +189,7 @@ fn setup_python_deps(kani_dir: &Path) -> Result<()> { let pyroot = kani_dir.join("pyroot"); // TODO: this is a repetition of versions from kani/kani-dependencies - let pkg_versions = &["cbmc-viewer==3.8"]; + let pkg_versions = &["cbmc-viewer==3.9"]; Command::new("python3") .args(["-m", "pip", "install", "--target"]) @@ -177,6 +209,27 @@ fn download_filename() -> String { format!("kani-{VERSION}-{TARGET}.tar.gz") } +/// Get the version of rustc that is being used to setup kani by the user +fn get_rustc_version_from_local_toolchain(path: OsString) -> Result { + let path = Path::new(&path); + let rustc_path = path.join("bin").join("rustc"); + + let output = Command::new(rustc_path).arg("--version").output(); + + match output { + Ok(output) => { + if output.status.success() { + Ok(String::from_utf8(output.stdout).map(|s| s.trim().to_string())?) + } else { + bail!( + "Could not parse rustc version string. Toolchain installation likely invalid. " + ); + } + } + Err(_) => bail!("Could not get rustc version. Toolchain installation likely invalid"), + } +} + /// The download URL for this version of Kani fn download_url() -> String { let tag: &str = &format!("kani-{VERSION}"); diff --git a/tests/cargo-kani/assess-artifacts/expected b/tests/cargo-kani/assess-artifacts/expected index c1d3acbfd531..b8a25c834ab6 100644 --- a/tests/cargo-kani/assess-artifacts/expected +++ b/tests/cargo-kani/assess-artifacts/expected @@ -3,7 +3,7 @@ Analyzed 1 packages Unsupported feature | Crates | Instances | impacted | of use ---------------------+----------+----------- - try | 1 | 2 + catch_unwind | 1 | 2 ============================================ ========================================= Reason for failure | Number of tests diff --git a/tests/cargo-kani/assess-workspace-artifacts/expected b/tests/cargo-kani/assess-workspace-artifacts/expected index 4e9a26f89c27..fba2cd94f212 100644 --- a/tests/cargo-kani/assess-workspace-artifacts/expected +++ b/tests/cargo-kani/assess-workspace-artifacts/expected @@ -3,7 +3,7 @@ Analyzed 2 packages Unsupported feature | Crates | Instances | impacted | of use ---------------------+----------+----------- - try | 2 | 3 + catch_unwind | 2 | 3 ============================================ ========================================= Reason for failure | Number of tests diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/README.md b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/README.md new file mode 100644 index 000000000000..971e385fa819 --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/README.md @@ -0,0 +1,2 @@ +This repo contains contains a minimal example that used to break compilation +when using Kani. See https://github.com/model-checking/kani/issues/3101. diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/Cargo.toml b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/Cargo.toml new file mode 100644 index 000000000000..5953dd85a56b --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/Cargo.toml @@ -0,0 +1,14 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "binary" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +constants = { path = "../constants" } + +[build-dependencies] +constants = { path = "../constants" } diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/build.rs b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/build.rs new file mode 100644 index 000000000000..927461a01817 --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/build.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// From https://github.com/model-checking/kani/issues/3101 + +use constants::SOME_CONSTANT; + +fn main() { + // build.rs changes should trigger rebuild + println!("cargo:rerun-if-changed=build.rs"); + + #[cfg(not(kani_host))] + assert_eq!(constants::SOME_CONSTANT, 0); + #[cfg(kani_host)] + assert_eq!(constants::SOME_CONSTANT, 2); +} diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/src/main.rs b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/src/main.rs new file mode 100644 index 000000000000..268d311e3853 --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/src/main.rs @@ -0,0 +1,32 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// From https://github.com/model-checking/kani/issues/3101 +// This file demonstrates that Kani is working on the `binary` crate itself. + +use constants::SomeStruct; + +fn function_that_does_something(b: bool) -> SomeStruct { + SomeStruct { some_field: if b { 42 } else { 24 } } +} + +fn main() { + println!("The constant is {}", constants::SOME_CONSTANT); + + let some_struct = function_that_does_something(true); + + println!("some_field is {:?}", some_struct.some_field); +} + +#[cfg(kani)] +mod verification { + use super::*; + + #[kani::proof] + fn function_never_returns_zero_struct() { + let input: bool = kani::any(); + let output = function_that_does_something(input); + + assert!(output.some_field != 0); + } +} diff --git a/tests/cargo-ui/function/Cargo.toml b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/Cargo.toml similarity index 56% rename from tests/cargo-ui/function/Cargo.toml rename to tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/Cargo.toml index 7ff48ca61cd3..cf2d84dcf946 100644 --- a/tests/cargo-ui/function/Cargo.toml +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/Cargo.toml @@ -1,13 +1,9 @@ # Copyright Kani Contributors # SPDX-License-Identifier: Apache-2.0 OR MIT [package] -name = "function" +name = "constants" version = "0.1.0" edition = "2021" -[dependencies] -[package.metadata.kani.flags] -enable-unstable=true -mir-linker=true -function="harness" +[dependencies] diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/src/lib.rs b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/src/lib.rs new file mode 100644 index 000000000000..e485182b24ba --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/src/lib.rs @@ -0,0 +1,32 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// From https://github.com/model-checking/kani/issues/3101 + +#[cfg(not(any(kani, kani_host)))] +pub const SOME_CONSTANT: u32 = 0; +#[cfg(kani)] +pub const SOME_CONSTANT: u32 = 1; +#[cfg(kani_host)] +pub const SOME_CONSTANT: u32 = 2; + +pub struct SomeStruct { + pub some_field: u32, +} + +#[cfg(kani)] +impl kani::Arbitrary for SomeStruct { + fn any() -> Self { + SomeStruct { some_field: kani::any() } + } +} + +#[cfg(kani)] +mod verification { + use super::*; + + #[kani::proof] + fn one() { + assert_eq!(constants::SOME_CONSTANT, 1); + } +} diff --git a/tests/cargo-kani/simple-extern/src/lib.rs b/tests/cargo-kani/simple-extern/src/lib.rs index d2016d8bd7b2..33ca290a2d30 100644 --- a/tests/cargo-kani/simple-extern/src/lib.rs +++ b/tests/cargo-kani/simple-extern/src/lib.rs @@ -2,6 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT pub mod externs; pub use externs::external_c_assertion; +// TODO: our reachability analysis does not see through C functions +pub use externs::rust_add1; #[cfg(test)] mod tests { @@ -24,6 +26,7 @@ mod kani_tests { if a < 100 { unsafe { external_c_assertion(a); + rust_add1(a); } } } diff --git a/tests/cargo-kani/simple-visualize/main.expected b/tests/cargo-kani/simple-visualize/main.expected index a863a195a4ff..1d0839175310 100644 --- a/tests/cargo-kani/simple-visualize/main.expected +++ b/tests/cargo-kani/simple-visualize/main.expected @@ -1 +1,2 @@ +warning: The `--visualize` option is deprecated. This option will be removed soon. Consider using `--concrete-playback` instead report-main/html/index.html diff --git a/tests/cargo-kani/storage-markers/Cargo.toml b/tests/cargo-kani/storage-markers/Cargo.toml new file mode 100644 index 000000000000..cb98b6df5835 --- /dev/null +++ b/tests/cargo-kani/storage-markers/Cargo.toml @@ -0,0 +1,5 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[workspace] +members = ["crate-with-bug", "crate-with-harness"] +resolver = "2" diff --git a/tests/cargo-kani/storage-markers/crate-with-bug/Cargo.toml b/tests/cargo-kani/storage-markers/crate-with-bug/Cargo.toml new file mode 100644 index 000000000000..3cec8dac16b0 --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-bug/Cargo.toml @@ -0,0 +1,8 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "crate-with-bug" +version = "0.1.0" +edition = "2021" + +[dependencies] diff --git a/tests/cargo-kani/storage-markers/crate-with-bug/src/lib.rs b/tests/cargo-kani/storage-markers/crate-with-bug/src/lib.rs new file mode 100644 index 000000000000..3e6967bdbfe4 --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-bug/src/lib.rs @@ -0,0 +1,12 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This function contains a use-after-free bug. + +pub fn fn_with_bug() -> i32 { + let raw_ptr = { + let var = 10; + &var as *const i32 + }; + unsafe { *raw_ptr } +} diff --git a/tests/cargo-kani/storage-markers/crate-with-harness/Cargo.toml b/tests/cargo-kani/storage-markers/crate-with-harness/Cargo.toml new file mode 100644 index 000000000000..7cfe7126d845 --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-harness/Cargo.toml @@ -0,0 +1,9 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "crate-with-harness" +version = "0.1.0" +edition = "2021" + +[dependencies] +crate-with-bug = { path = "../crate-with-bug" } diff --git a/tests/cargo-kani/storage-markers/crate-with-harness/call_fn_with_bug.expected b/tests/cargo-kani/storage-markers/crate-with-harness/call_fn_with_bug.expected new file mode 100644 index 000000000000..68ef53cc06ec --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-harness/call_fn_with_bug.expected @@ -0,0 +1,3 @@ +Status: FAILURE\ +Description: "dereference failure: dead object"\ +in function crate_with_bug::fn_with_bug diff --git a/tests/cargo-kani/storage-markers/crate-with-harness/src/lib.rs b/tests/cargo-kani/storage-markers/crate-with-harness/src/lib.rs new file mode 100644 index 000000000000..a44cfaf976be --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-harness/src/lib.rs @@ -0,0 +1,11 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This test checks that Kani captures the case of a use-after-free issue as +// described in https://github.com/model-checking/kani/issues/3061 even across +// crates. The test calls a function from another crate that has the bug. + +#[kani::proof] +pub fn call_fn_with_bug() { + let _x = crate_with_bug::fn_with_bug(); +} diff --git a/tests/cargo-kani/stubbing-double-extern-path/harness/expected b/tests/cargo-kani/stubbing-double-extern-path/harness/expected index adbbf31d49bd..dbca159f92d5 100644 --- a/tests/cargo-kani/stubbing-double-extern-path/harness/expected +++ b/tests/cargo-kani/stubbing-double-extern-path/harness/expected @@ -1 +1,2 @@ -error[E0391]: cycle detected when optimizing MIR for `crate_b::assert_false` +error: Cannot stub `crate_b::assert_false`. Stub configuration for harness `check_inverted` has a cycle +error: Cannot stub `crate_b::assert_true`. Stub configuration for harness `check_inverted` has a cycle diff --git a/tests/cargo-kani/unexpected_cfgs/Cargo.toml b/tests/cargo-kani/unexpected_cfgs/Cargo.toml new file mode 100644 index 000000000000..c70a4cbec7dc --- /dev/null +++ b/tests/cargo-kani/unexpected_cfgs/Cargo.toml @@ -0,0 +1,9 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +[package] +name = "unexpected_cfgs" +version = "0.1.0" +edition = "2021" + +[dependencies] diff --git a/tests/perf/overlays/s2n-quic/tools/xdp/s2n-quic-xdp/expected b/tests/cargo-kani/unexpected_cfgs/expected similarity index 100% rename from tests/perf/overlays/s2n-quic/tools/xdp/s2n-quic-xdp/expected rename to tests/cargo-kani/unexpected_cfgs/expected diff --git a/tests/cargo-kani/unexpected_cfgs/src/main.rs b/tests/cargo-kani/unexpected_cfgs/src/main.rs new file mode 100644 index 000000000000..e864756c6be9 --- /dev/null +++ b/tests/cargo-kani/unexpected_cfgs/src/main.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This test checks that the `unexpected_cfgs` lint (enabled by default as of +// the 2024-05-05 toolchain) does not cause `cargo kani` to emit warnings when +// the code has `#[cfg(kani)]`. Kani avoids the warning by adding +// `--check-cfg=cfg(kani)` to the rust flags. + +#![deny(unexpected_cfgs)] + +fn main() {} + +#[cfg(kani)] +mod kani_checks { + #[kani::proof] + fn check_unexpected_cfg() { + assert_eq!(1, 1); + } +} diff --git a/tests/cargo-ui/assess-error/expected b/tests/cargo-ui/assess-error/expected index 70754ddea192..213d811ae577 100644 --- a/tests/cargo-ui/assess-error/expected +++ b/tests/cargo-ui/assess-error/expected @@ -1,2 +1,2 @@ -error: Failed to compile lib `compilation-error` +error: Failed to compile lib `compilation_error` error: Failed to assess project: Failed to build all targets diff --git a/tests/cargo-ui/function/expected b/tests/cargo-ui/function/expected deleted file mode 100644 index 0c7037b06b4e..000000000000 --- a/tests/cargo-ui/function/expected +++ /dev/null @@ -1,4 +0,0 @@ -Status: SUCCESS\ -"assertion failed: 1 + 2 == 3" - -VERIFICATION:- SUCCESSFUL diff --git a/tests/cargo-ui/function/src/lib.rs b/tests/cargo-ui/function/src/lib.rs deleted file mode 100644 index 92c3ab31dbb4..000000000000 --- a/tests/cargo-ui/function/src/lib.rs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -//! This is just to test that cargo kani --debug works. - -#[no_mangle] -pub fn harness() { - assert_eq!(1 + 2, 3); -} diff --git a/tests/cargo-ui/stubbing-flag/src/main.rs b/tests/cargo-ui/stubbing-flag/src/main.rs index db26e366005e..1ef312b852ff 100644 --- a/tests/cargo-ui/stubbing-flag/src/main.rs +++ b/tests/cargo-ui/stubbing-flag/src/main.rs @@ -1,7 +1,8 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -//! This tests that the `--enable-stubbing` and `--harness` arguments flow from `kani-driver` to `kani-compiler`. +//! This tests that enabling stubbing and using `--harness` arguments flow from +//! `kani-driver` to `kani-compiler`. #[kani::proof] fn main() {} diff --git a/tests/cargo-ui/unstable-attr/defs/src/lib.rs b/tests/cargo-ui/unstable-attr/defs/src/lib.rs index 9515cf1d48a8..91b5a4d539bf 100644 --- a/tests/cargo-ui/unstable-attr/defs/src/lib.rs +++ b/tests/cargo-ui/unstable-attr/defs/src/lib.rs @@ -1,13 +1,13 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -#[kani::unstable(feature = "always_fails", reason = "do not enable", issue = "")] +#[kani::unstable_feature(feature = "always_fails", reason = "do not enable", issue = "")] pub fn always_fails() { assert!(false, "don't call me"); } /// We use "gen-c" since it has to be an existing feature. -#[kani::unstable(feature = "gen-c", reason = "internal fake api", issue = "")] +#[kani::unstable_feature(feature = "gen-c", reason = "internal fake api", issue = "")] pub fn no_op() { kani::cover!(true); } diff --git a/tests/cargo-ui/unstable-attr/invalid/expected b/tests/cargo-ui/unstable-attr/invalid/expected index 49db2367b832..fd6ee1c694c2 100644 --- a/tests/cargo-ui/unstable-attr/invalid/expected +++ b/tests/cargo-ui/unstable-attr/invalid/expected @@ -1,32 +1,32 @@ -error: failed to parse `#[kani::unstable]`: missing `feature` field\ +error: failed to parse `#[kani::unstable_feature]`: missing `feature` field\ lib.rs |\ -9 | #[kani::unstable(reason = "just checking", issue = "")]\ - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ +9 | #[kani::unstable_feature(reason = "just checking", issue = "")]\ + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")]\ - = note: this error originates in the attribute macro `kani::unstable` (in Nightly builds, run with -Z macro-backtrace for more info) + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")]\ + = note: this error originates in the attribute macro `kani::unstable_feature` (in Nightly builds, run with -Z macro-backtrace for more info) -error: failed to parse `#[kani::unstable]`: expected "key = value" pair, but found `feature("invalid_args")`\ +error: failed to parse `#[kani::unstable_feature]`: expected "key = value" pair, but found `feature("invalid_args")`\ lib.rs\ |\ -| #[kani::unstable(feature("invalid_args"))]\ -| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ +| #[kani::unstable_feature(feature("invalid_args"))]\ +| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")] + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")] -error: failed to parse `#[kani::unstable]`: expected "key = value" pair, but found `feature`\ +error: failed to parse `#[kani::unstable_feature]`: expected "key = value" pair, but found `feature`\ lib.rs\ |\ -| #[kani::unstable(feature, issue)]\ -| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ +| #[kani::unstable_feature(feature, issue)]\ +| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")] + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")] -error: failed to parse `#[kani::unstable]`: expected "key = value" pair, but found `1010`\ +error: failed to parse `#[kani::unstable_feature]`: expected "key = value" pair, but found `1010`\ lib.rs\ |\ -| #[kani::unstable(1010)]\ -| ^^^^^^^^^^^^^^^^^^^^^^^\ +| #[kani::unstable_feature(1010)]\ +| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")] + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")] diff --git a/tests/cargo-ui/unstable-attr/invalid/src/lib.rs b/tests/cargo-ui/unstable-attr/invalid/src/lib.rs index 5fbfc768c883..f0d92f0882d7 100644 --- a/tests/cargo-ui/unstable-attr/invalid/src/lib.rs +++ b/tests/cargo-ui/unstable-attr/invalid/src/lib.rs @@ -6,18 +6,18 @@ //! we don't guarantee the order that these will be evaluated. //! TODO: We should break down this test to ensure all of these fail. -#[kani::unstable(reason = "just checking", issue = "")] +#[kani::unstable_feature(reason = "just checking", issue = "")] pub fn missing_feature() { todo!() } -#[kani::unstable(feature("invalid_args"))] +#[kani::unstable_feature(feature("invalid_args"))] pub fn invalid_fn_style() {} -#[kani::unstable(feature, issue)] +#[kani::unstable_feature(feature, issue)] pub fn invalid_list() {} -#[kani::unstable(1010)] +#[kani::unstable_feature(1010)] pub fn invalid_argument() {} #[kani::proof] diff --git a/tests/cargo-ui/unsupported-lib-types/proc-macro/expected b/tests/cargo-ui/unsupported-lib-types/proc-macro/expected index 2a7badb42720..9703300da1c2 100644 --- a/tests/cargo-ui/unsupported-lib-types/proc-macro/expected +++ b/tests/cargo-ui/unsupported-lib-types/proc-macro/expected @@ -1,2 +1,2 @@ -Skipped the following unsupported targets: 'lib'. +Skipped verification of the following unsupported targets: 'lib'. error: No supported targets were found. diff --git a/tests/coverage/reachable/assert-false/expected b/tests/coverage/reachable/assert-false/expected index 7a9fef1ca77c..97ffbe1d96e4 100644 --- a/tests/coverage/reachable/assert-false/expected +++ b/tests/coverage/reachable/assert-false/expected @@ -1,8 +1,8 @@ coverage/reachable/assert-false/main.rs, 6, FULL coverage/reachable/assert-false/main.rs, 7, FULL -coverage/reachable/assert-false/main.rs, 11, FULL -coverage/reachable/assert-false/main.rs, 12, FULL -coverage/reachable/assert-false/main.rs, 15, FULL +coverage/reachable/assert-false/main.rs, 11, PARTIAL +coverage/reachable/assert-false/main.rs, 12, PARTIAL +coverage/reachable/assert-false/main.rs, 15, PARTIAL coverage/reachable/assert-false/main.rs, 16, FULL coverage/reachable/assert-false/main.rs, 17, PARTIAL coverage/reachable/assert-false/main.rs, 19, FULL diff --git a/tests/coverage/reachable/assert/reachable_pass/expected b/tests/coverage/reachable/assert/reachable_pass/expected index 67ae085a3e83..9d21185b3a83 100644 --- a/tests/coverage/reachable/assert/reachable_pass/expected +++ b/tests/coverage/reachable/assert/reachable_pass/expected @@ -1,4 +1,4 @@ coverage/reachable/assert/reachable_pass/test.rs, 6, FULL -coverage/reachable/assert/reachable_pass/test.rs, 7, FULL +coverage/reachable/assert/reachable_pass/test.rs, 7, PARTIAL coverage/reachable/assert/reachable_pass/test.rs, 8, FULL coverage/reachable/assert/reachable_pass/test.rs, 10, FULL diff --git a/tests/coverage/reachable/bounds/reachable_fail/expected b/tests/coverage/reachable/bounds/reachable_fail/expected index af2f30e51fe2..fedfec8b2a1e 100644 --- a/tests/coverage/reachable/bounds/reachable_fail/expected +++ b/tests/coverage/reachable/bounds/reachable_fail/expected @@ -1,4 +1,4 @@ coverage/reachable/bounds/reachable_fail/test.rs, 5, PARTIAL coverage/reachable/bounds/reachable_fail/test.rs, 6, NONE -coverage/reachable/bounds/reachable_fail/test.rs, 10, FULL +coverage/reachable/bounds/reachable_fail/test.rs, 10, PARTIAL coverage/reachable/bounds/reachable_fail/test.rs, 11, NONE diff --git a/tests/coverage/reachable/div-zero/reachable_fail/expected b/tests/coverage/reachable/div-zero/reachable_fail/expected index 1ec1abefffd8..c1ac77404680 100644 --- a/tests/coverage/reachable/div-zero/reachable_fail/expected +++ b/tests/coverage/reachable/div-zero/reachable_fail/expected @@ -1,4 +1,4 @@ coverage/reachable/div-zero/reachable_fail/test.rs, 5, PARTIAL coverage/reachable/div-zero/reachable_fail/test.rs, 6, NONE -coverage/reachable/div-zero/reachable_fail/test.rs, 10, FULL +coverage/reachable/div-zero/reachable_fail/test.rs, 10, PARTIAL coverage/reachable/div-zero/reachable_fail/test.rs, 11, NONE diff --git a/tests/coverage/reachable/overflow/reachable_fail/expected b/tests/coverage/reachable/overflow/reachable_fail/expected index f20826fb1a8e..d45edcc37a63 100644 --- a/tests/coverage/reachable/overflow/reachable_fail/expected +++ b/tests/coverage/reachable/overflow/reachable_fail/expected @@ -1,5 +1,5 @@ coverage/reachable/overflow/reachable_fail/test.rs, 8, PARTIAL coverage/reachable/overflow/reachable_fail/test.rs, 9, FULL coverage/reachable/overflow/reachable_fail/test.rs, 13, FULL -coverage/reachable/overflow/reachable_fail/test.rs, 14, FULL +coverage/reachable/overflow/reachable_fail/test.rs, 14, PARTIAL coverage/reachable/overflow/reachable_fail/test.rs, 15, NONE diff --git a/tests/coverage/reachable/rem-zero/reachable_fail/expected b/tests/coverage/reachable/rem-zero/reachable_fail/expected index f7fa6ed7efeb..7852461e4f57 100644 --- a/tests/coverage/reachable/rem-zero/reachable_fail/expected +++ b/tests/coverage/reachable/rem-zero/reachable_fail/expected @@ -1,4 +1,4 @@ coverage/reachable/rem-zero/reachable_fail/test.rs, 5, PARTIAL coverage/reachable/rem-zero/reachable_fail/test.rs, 6, NONE -coverage/reachable/rem-zero/reachable_fail/test.rs, 10, FULL +coverage/reachable/rem-zero/reachable_fail/test.rs, 10, PARTIAL coverage/reachable/rem-zero/reachable_fail/test.rs, 11, NONE diff --git a/tests/coverage/unreachable/abort/main.rs b/tests/coverage/unreachable/abort/main.rs index 2941ec126f3c..39c0b0efb54f 100644 --- a/tests/coverage/unreachable/abort/main.rs +++ b/tests/coverage/unreachable/abort/main.rs @@ -5,7 +5,7 @@ use std::process; -#[kani::proof] +#[cfg_attr(kani, kani::proof, kani::unwind(5))] fn main() { for i in 0..4 { if i == 1 { diff --git a/tests/coverage/unreachable/assert/expected b/tests/coverage/unreachable/assert/expected index f5b5f8044769..9bc6d8faa4f9 100644 --- a/tests/coverage/unreachable/assert/expected +++ b/tests/coverage/unreachable/assert/expected @@ -1,6 +1,6 @@ coverage/unreachable/assert/test.rs, 6, FULL -coverage/unreachable/assert/test.rs, 7, FULL -coverage/unreachable/assert/test.rs, 9, FULL +coverage/unreachable/assert/test.rs, 7, PARTIAL +coverage/unreachable/assert/test.rs, 9, PARTIAL coverage/unreachable/assert/test.rs, 10, NONE coverage/unreachable/assert/test.rs, 12, NONE coverage/unreachable/assert/test.rs, 16, FULL diff --git a/tests/coverage/unreachable/assert_eq/expected b/tests/coverage/unreachable/assert_eq/expected index f4e7608b2c13..9b13c3c96ded 100644 --- a/tests/coverage/unreachable/assert_eq/expected +++ b/tests/coverage/unreachable/assert_eq/expected @@ -1,5 +1,5 @@ coverage/unreachable/assert_eq/test.rs, 6, FULL coverage/unreachable/assert_eq/test.rs, 7, FULL -coverage/unreachable/assert_eq/test.rs, 8, FULL +coverage/unreachable/assert_eq/test.rs, 8, PARTIAL coverage/unreachable/assert_eq/test.rs, 9, NONE coverage/unreachable/assert_eq/test.rs, 11, FULL diff --git a/tests/coverage/unreachable/assert_ne/expected b/tests/coverage/unreachable/assert_ne/expected index 3b57defb4c36..f027f432e280 100644 --- a/tests/coverage/unreachable/assert_ne/expected +++ b/tests/coverage/unreachable/assert_ne/expected @@ -1,6 +1,6 @@ coverage/unreachable/assert_ne/test.rs, 6, FULL coverage/unreachable/assert_ne/test.rs, 7, FULL coverage/unreachable/assert_ne/test.rs, 8, FULL -coverage/unreachable/assert_ne/test.rs, 10, FULL +coverage/unreachable/assert_ne/test.rs, 10, PARTIAL coverage/unreachable/assert_ne/test.rs, 11, NONE coverage/unreachable/assert_ne/test.rs, 14, FULL diff --git a/tests/coverage/unreachable/check_id/expected b/tests/coverage/unreachable/check_id/expected index 214cbfa827bd..a2d296f0f9a3 100644 --- a/tests/coverage/unreachable/check_id/expected +++ b/tests/coverage/unreachable/check_id/expected @@ -1,5 +1,5 @@ coverage/unreachable/check_id/main.rs, 5, FULL -coverage/unreachable/check_id/main.rs, 6, FULL +coverage/unreachable/check_id/main.rs, 6, PARTIAL coverage/unreachable/check_id/main.rs, 8, NONE coverage/unreachable/check_id/main.rs, 10, FULL coverage/unreachable/check_id/main.rs, 14, FULL @@ -12,5 +12,5 @@ coverage/unreachable/check_id/main.rs, 20, FULL coverage/unreachable/check_id/main.rs, 21, FULL coverage/unreachable/check_id/main.rs, 22, FULL coverage/unreachable/check_id/main.rs, 23, FULL -coverage/unreachable/check_id/main.rs, 24, FULL +coverage/unreachable/check_id/main.rs, 24, PARTIAL coverage/unreachable/check_id/main.rs, 25, NONE diff --git a/tests/coverage/unreachable/if-statement/expected b/tests/coverage/unreachable/if-statement/expected index 4460f23a80de..8b481863a163 100644 --- a/tests/coverage/unreachable/if-statement/expected +++ b/tests/coverage/unreachable/if-statement/expected @@ -1,4 +1,4 @@ -coverage/unreachable/if-statement/main.rs, 5, FULL +coverage/unreachable/if-statement/main.rs, 5, PARTIAL coverage/unreachable/if-statement/main.rs, 7, PARTIAL coverage/unreachable/if-statement/main.rs, 8, NONE coverage/unreachable/if-statement/main.rs, 9, NONE diff --git a/tests/coverage/unreachable/tutorial_unreachable/expected b/tests/coverage/unreachable/tutorial_unreachable/expected index cf45a502d295..624aa520edc9 100644 --- a/tests/coverage/unreachable/tutorial_unreachable/expected +++ b/tests/coverage/unreachable/tutorial_unreachable/expected @@ -1,5 +1,5 @@ coverage/unreachable/tutorial_unreachable/main.rs, 6, FULL coverage/unreachable/tutorial_unreachable/main.rs, 7, FULL -coverage/unreachable/tutorial_unreachable/main.rs, 8, FULL +coverage/unreachable/tutorial_unreachable/main.rs, 8, PARTIAL coverage/unreachable/tutorial_unreachable/main.rs, 9, NONE coverage/unreachable/tutorial_unreachable/main.rs, 11, FULL diff --git a/tests/coverage/unreachable/variant/expected b/tests/coverage/unreachable/variant/expected index 08a2f824da83..8fa3ec8b870f 100644 --- a/tests/coverage/unreachable/variant/expected +++ b/tests/coverage/unreachable/variant/expected @@ -1,4 +1,4 @@ -coverage/unreachable/variant/main.rs, 15, PARTIAL +coverage/unreachable/variant/main.rs, 15, FULL coverage/unreachable/variant/main.rs, 16, NONE coverage/unreachable/variant/main.rs, 17, NONE coverage/unreachable/variant/main.rs, 18, FULL diff --git a/tests/coverage/unreachable/while-loop-break/expected b/tests/coverage/unreachable/while-loop-break/expected index a0e43c183846..dc66d3e823d3 100644 --- a/tests/coverage/unreachable/while-loop-break/expected +++ b/tests/coverage/unreachable/while-loop-break/expected @@ -1,5 +1,5 @@ coverage/unreachable/while-loop-break/main.rs, 8, FULL -coverage/unreachable/while-loop-break/main.rs, 9, FULL +coverage/unreachable/while-loop-break/main.rs, 9, PARTIAL coverage/unreachable/while-loop-break/main.rs, 10, FULL coverage/unreachable/while-loop-break/main.rs, 11, FULL coverage/unreachable/while-loop-break/main.rs, 13, FULL diff --git a/tests/expected/abort/main.rs b/tests/expected/abort/main.rs index 2941ec126f3c..9e2f5b7a808c 100644 --- a/tests/expected/abort/main.rs +++ b/tests/expected/abort/main.rs @@ -6,6 +6,7 @@ use std::process; #[kani::proof] +#[kani::unwind(5)] fn main() { for i in 0..4 { if i == 1 { diff --git a/tests/expected/any_vec/exact_length.expected b/tests/expected/any_vec/exact_length.expected index 082f3fb61570..f64d2830a7b8 100644 --- a/tests/expected/any_vec/exact_length.expected +++ b/tests/expected/any_vec/exact_length.expected @@ -1,7 +1,7 @@ Checking harness check_access_length_17... Failed Checks: assumption failed\ -in >::get_unchecked +in >::get_unchecked Checking harness check_access_length_zero... diff --git a/tests/expected/arbitrary/floats/non_standard_floats/expected b/tests/expected/arbitrary/floats/non_standard_floats/expected new file mode 100644 index 000000000000..26db615201a6 --- /dev/null +++ b/tests/expected/arbitrary/floats/non_standard_floats/expected @@ -0,0 +1,31 @@ +Checking harness check_f128... + +Status: SATISFIED\ +Description: "This may be true"\ +in function check_f128 + +Status: SATISFIED\ +Description: "This may also be true"\ +in function check_f128 + +Status: SATISFIED\ +Description: "NaN should be valid float"\ +in function check_f128 + +Checking harness check_f16... + +Status: SATISFIED\ +Description: "This may be true"\ +in function check_f16 + +Status: SATISFIED\ +Description: "This may also be true"\ +in function check_f16 + +Status: SATISFIED\ +Description: "NaN should be valid float"\ +in function check_f16 + +VERIFICATION:- SUCCESSFUL + +Complete - 2 successfully verified harnesses, 0 failures, 2 total. diff --git a/tests/expected/arbitrary/floats/non_standard_floats/main.rs b/tests/expected/arbitrary/floats/non_standard_floats/main.rs new file mode 100644 index 000000000000..ebea6535b3d5 --- /dev/null +++ b/tests/expected/arbitrary/floats/non_standard_floats/main.rs @@ -0,0 +1,27 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// Ensure that kani::any and kani::any_raw can be used with non-standard floats i.e f16 and f128. + +#![feature(f16)] +#![feature(f128)] + +macro_rules! test_non_standard_floats { + ( $type: ty ) => {{ + let v1 = kani::any::<$type>(); + let v2 = kani::any::<$type>(); + kani::cover!(v1 == v2, "This may be true"); + kani::cover!(v1 != v2, "This may also be true"); + kani::cover!(v1.is_nan(), "NaN should be valid float"); + }}; +} + +#[kani::proof] +fn check_f16() { + test_non_standard_floats!(f16); +} + +#[kani::proof] +fn check_f128() { + test_non_standard_floats!(f128); +} diff --git a/tests/expected/arbitrary/floats/expected b/tests/expected/arbitrary/floats/standard_floats/expected similarity index 99% rename from tests/expected/arbitrary/floats/expected rename to tests/expected/arbitrary/floats/standard_floats/expected index 4bb2fadacd7f..de3b67f28578 100644 --- a/tests/expected/arbitrary/floats/expected +++ b/tests/expected/arbitrary/floats/standard_floats/expected @@ -51,10 +51,8 @@ Status: SATISFIED\ Description: "Non-finite numbers are valid float"\ in function check_f32 - ** 6 of 6 cover properties satisfied - VERIFICATION:- SUCCESSFUL Complete - 2 successfully verified harnesses, 0 failures, 2 total. diff --git a/tests/expected/arbitrary/floats/main.rs b/tests/expected/arbitrary/floats/standard_floats/main.rs similarity index 74% rename from tests/expected/arbitrary/floats/main.rs rename to tests/expected/arbitrary/floats/standard_floats/main.rs index 1ad4de3ef3f7..c204643e9ab8 100644 --- a/tests/expected/arbitrary/floats/main.rs +++ b/tests/expected/arbitrary/floats/standard_floats/main.rs @@ -1,9 +1,12 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// Ensure that kani::any and kani::any_raw can be used with floats. +// Ensure that kani::any and kani::any_raw can be used with standard floats i.e f32 and f64. -macro_rules! test { +#![feature(f16)] +#![feature(f128)] + +macro_rules! test_standard_floats { ( $type: ty ) => {{ let v1 = kani::any::<$type>(); let v2 = kani::any::<$type>(); @@ -18,10 +21,10 @@ macro_rules! test { #[kani::proof] fn check_f32() { - test!(f32); + test_standard_floats!(f32); } #[kani::proof] fn check_f64() { - test!(f64); + test_standard_floats!(f64); } diff --git a/tests/expected/associated-fn/associated_fn.rs b/tests/expected/associated-fn/associated_fn.rs index 9a2834a7949b..419ef6ccc719 100644 --- a/tests/expected/associated-fn/associated_fn.rs +++ b/tests/expected/associated-fn/associated_fn.rs @@ -1,14 +1,14 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// kani-flags: --enable-unstable --function new -//! This ensures our public functions reachability module works for associated functions. +//! This ensures a harness can be an associated function. We don't have any oficial restriction +//! today. struct Dummy { c: char, } impl Dummy { - #[no_mangle] + #[kani::proof] pub fn new() -> Self { Dummy { c: ' ' } } diff --git a/tests/expected/associated-fn/expected b/tests/expected/associated-fn/expected index 4ba5a49eaf85..8fb6a04f3cd2 100644 --- a/tests/expected/associated-fn/expected +++ b/tests/expected/associated-fn/expected @@ -1,3 +1,3 @@ -Checking harness new... +Checking harness Dummy::new... VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/coroutines/as_parameter/main.rs b/tests/expected/coroutines/as_parameter/main.rs index 7c0b9aed0373..33f56d04b2ae 100644 --- a/tests/expected/coroutines/as_parameter/main.rs +++ b/tests/expected/coroutines/as_parameter/main.rs @@ -21,8 +21,11 @@ where #[kani::proof] fn main() { - foo(|| { - yield 1; - return 2; - }); + foo( + #[coroutine] + || { + yield 1; + return 2; + }, + ); } diff --git a/tests/expected/coroutines/main.rs b/tests/expected/coroutines/main.rs index a49d9944d0f1..9b76e6e4302e 100644 --- a/tests/expected/coroutines/main.rs +++ b/tests/expected/coroutines/main.rs @@ -1,7 +1,8 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -10,7 +11,8 @@ use std::pin::Pin; #[kani::unwind(2)] fn main() { let val: bool = kani::any(); - let mut coroutine = move || { + let mut coroutine = #[coroutine] + move || { let x = val; yield x; return !x; diff --git a/tests/expected/coroutines/pin/main.rs b/tests/expected/coroutines/pin/main.rs index 0052715377ec..fc97e57761e0 100644 --- a/tests/expected/coroutines/pin/main.rs +++ b/tests/expected/coroutines/pin/main.rs @@ -1,17 +1,19 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // Test contains a call to a coroutine via a Pin // from https://github.com/model-checking/kani/issues/416 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let mut coroutine = || { + let mut coroutine = #[coroutine] + || { yield 1; return true; }; diff --git a/tests/expected/dangling-ptr-println/main.expected b/tests/expected/dangling-ptr-println/main.expected new file mode 100644 index 000000000000..64ba33e7d563 --- /dev/null +++ b/tests/expected/dangling-ptr-println/main.expected @@ -0,0 +1,29 @@ +Checking harness unsafe_block... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function unsafe_block + +VERIFICATION:- FAILED + +Checking harness general_unsafe... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function general_unsafe + +VERIFICATION:- FAILED + +Checking harness local_unsafe... + +Status: FAILURE\ +Description: "dereference failure: dead object"\ +in function local_unsafe + +VERIFICATION:- FAILED + +Summary: +Verification failed for - unsafe_block +Verification failed for - general_unsafe +Verification failed for - local_unsafe +Complete - 0 successfully verified harnesses, 3 failures, 3 total. \ No newline at end of file diff --git a/tests/expected/dangling-ptr-println/main.rs b/tests/expected/dangling-ptr-println/main.rs new file mode 100644 index 000000000000..a83afa6f8313 --- /dev/null +++ b/tests/expected/dangling-ptr-println/main.rs @@ -0,0 +1,31 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z ptr-to-ref-cast-checks + +//! These tests check that Kani correctly detects dangling pointer dereference inside println macro. +//! Related issue: . + +fn reference_dies() -> *mut i32 { + let mut x: i32 = 2; + &mut x as *mut i32 +} + +#[kani::proof] +fn local_unsafe() { + let x = reference_dies(); + println!("My pointer, {}", unsafe { *x }); +} + +#[kani::proof] +unsafe fn general_unsafe() { + let x = reference_dies(); + println!("My pointer, {}", *x); +} + +#[kani::proof] +fn unsafe_block() { + let x = reference_dies(); + unsafe { + println!("{}", *x); + } +} diff --git a/tests/expected/dead-invalid-access-via-raw/main.expected b/tests/expected/dead-invalid-access-via-raw/main.expected new file mode 100644 index 000000000000..1cdbd0547226 --- /dev/null +++ b/tests/expected/dead-invalid-access-via-raw/main.expected @@ -0,0 +1,10 @@ +SUCCESS\ +address must be a multiple of its type's alignment +SUCCESS\ +pointer NULL +SUCCESS\ +pointer invalid +SUCCESS\ +deallocated dynamic object +FAILURE\ +dead object diff --git a/tests/expected/dead-invalid-access-via-raw/main.rs b/tests/expected/dead-invalid-access-via-raw/main.rs new file mode 100644 index 000000000000..ed3ea655839e --- /dev/null +++ b/tests/expected/dead-invalid-access-via-raw/main.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test checks an issue reported in github.com/model-checking/kani#3063. +// The access of the raw pointer should fail because the value being dereferenced has gone out of +// scope at the time of access. + +#[kani::proof] +pub fn check_invalid_ptr() { + let raw_ptr = { + let var = 10; + &var as *const _ + }; + + // This should fail since it is de-referencing a dead object. + assert_eq!(unsafe { *raw_ptr }, 10); +} diff --git a/tests/expected/dead-invalid-access-via-raw/value.expected b/tests/expected/dead-invalid-access-via-raw/value.expected new file mode 100644 index 000000000000..525e5e40a3b2 --- /dev/null +++ b/tests/expected/dead-invalid-access-via-raw/value.expected @@ -0,0 +1 @@ +Failed Checks: dereference failure: dead object diff --git a/tests/kani/Pointers_OutOfScopeFail/fixme_main.rs b/tests/expected/dead-invalid-access-via-raw/value.rs similarity index 96% rename from tests/kani/Pointers_OutOfScopeFail/fixme_main.rs rename to tests/expected/dead-invalid-access-via-raw/value.rs index 5bbcb93930bb..6160325174b7 100644 --- a/tests/kani/Pointers_OutOfScopeFail/fixme_main.rs +++ b/tests/expected/dead-invalid-access-via-raw/value.rs @@ -1,6 +1,5 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// kani-verify-fail #[kani::proof] fn main() { diff --git a/tests/expected/derive-arbitrary/safety_constraint_helper/expected b/tests/expected/derive-arbitrary/safety_constraint_helper/expected new file mode 100644 index 000000000000..f35f18084911 --- /dev/null +++ b/tests/expected/derive-arbitrary/safety_constraint_helper/expected @@ -0,0 +1,17 @@ +Check 1: check_invariant_helper_ok.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.x >= 0" + +Check 2: check_invariant_helper_ok.assertion.2\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.y >= 0" + +Check 1: check_invariant_helper_fail.assertion.1\ + - Status: FAILURE\ + - Description: "assertion failed: pos_point.x >= 0" + +Check 2: check_invariant_helper_fail.assertion.2\ + - Status: FAILURE\ + - Description: "assertion failed: pos_point.y >= 0" + +Complete - 2 successfully verified harnesses, 0 failures, 2 total. diff --git a/tests/expected/derive-arbitrary/safety_constraint_helper/safety_constraint_helper.rs b/tests/expected/derive-arbitrary/safety_constraint_helper/safety_constraint_helper.rs new file mode 100644 index 000000000000..5b608aa2a3c0 --- /dev/null +++ b/tests/expected/derive-arbitrary/safety_constraint_helper/safety_constraint_helper.rs @@ -0,0 +1,31 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `#[safety_constraint(...)]` attribute helper adds the conditions provided to +//! the attribute to the derived `Arbitrary` implementation. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +struct PositivePoint { + #[safety_constraint(*x >= 0)] + x: i32, + #[safety_constraint(*y >= 0)] + y: i32, +} + +#[kani::proof] +fn check_invariant_helper_ok() { + let pos_point: PositivePoint = kani::any(); + assert!(pos_point.x >= 0); + assert!(pos_point.y >= 0); +} + +#[kani::proof] +#[kani::should_panic] +fn check_invariant_helper_fail() { + let pos_point: PositivePoint = PositivePoint { x: kani::any(), y: kani::any() }; + assert!(pos_point.x >= 0); + assert!(pos_point.y >= 0); +} diff --git a/tests/expected/derive-invariant/attrs_cfg_guard/attrs_cfg_guard.rs b/tests/expected/derive-invariant/attrs_cfg_guard/attrs_cfg_guard.rs new file mode 100644 index 000000000000..546695bf3731 --- /dev/null +++ b/tests/expected/derive-invariant/attrs_cfg_guard/attrs_cfg_guard.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `#[safety_constraint(...)]` attribute helper is picked up +//! when it's used with `cfg_attr(kani, ...)]`. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[cfg_attr(kani, safety_constraint(*x >= 0))] + x: i32, + #[cfg_attr(kani, safety_constraint(*y >= 0))] + y: i32, +} + +#[kani::proof] +fn check_safety_constraint_cfg() { + let pos_point: PositivePoint = kani::any(); + assert!(pos_point.x >= 0); + assert!(pos_point.y >= 0); +} diff --git a/tests/expected/derive-invariant/attrs_cfg_guard/expected b/tests/expected/derive-invariant/attrs_cfg_guard/expected new file mode 100644 index 000000000000..edb3e256975d --- /dev/null +++ b/tests/expected/derive-invariant/attrs_cfg_guard/expected @@ -0,0 +1,9 @@ +Check 1: check_safety_constraint_cfg.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.x >= 0" + +Check 2: check_safety_constraint_cfg.assertion.2\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.y >= 0" + +Complete - 1 successfully verified harnesses, 0 failures, 1 total. diff --git a/tests/expected/derive-invariant/attrs_mixed/attrs_mixed.rs b/tests/expected/derive-invariant/attrs_mixed/attrs_mixed.rs new file mode 100644 index 000000000000..ff58ff846c67 --- /dev/null +++ b/tests/expected/derive-invariant/attrs_mixed/attrs_mixed.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that in the `#[safety_constraint(...)]` attribute helper it is +//! possible to refer to other struct fields, not just the one associated with +//! the attribute. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[safety_constraint(*x >= 0 && *y >= 0)] + x: i32, + y: i32, +} + +#[kani::proof] +fn check_safety_constraint_cfg() { + let pos_point: PositivePoint = kani::any(); + assert!(pos_point.x >= 0); + assert!(pos_point.y >= 0); +} diff --git a/tests/expected/derive-invariant/attrs_mixed/expected b/tests/expected/derive-invariant/attrs_mixed/expected new file mode 100644 index 000000000000..edb3e256975d --- /dev/null +++ b/tests/expected/derive-invariant/attrs_mixed/expected @@ -0,0 +1,9 @@ +Check 1: check_safety_constraint_cfg.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.x >= 0" + +Check 2: check_safety_constraint_cfg.assertion.2\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.y >= 0" + +Complete - 1 successfully verified harnesses, 0 failures, 1 total. diff --git a/tests/expected/derive-invariant/empty_struct/empty_struct.rs b/tests/expected/derive-invariant/empty_struct/empty_struct.rs new file mode 100644 index 000000000000..4c931ce8aedc --- /dev/null +++ b/tests/expected/derive-invariant/empty_struct/empty_struct.rs @@ -0,0 +1,37 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for empty structs. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Void; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Void2(()); + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct VoidOfVoid(Void, Void2); + +#[kani::proof] +fn check_empty_struct_invariant_1() { + let void1: Void = kani::any(); + assert!(void1.is_safe()); +} + +#[kani::proof] +fn check_empty_struct_invariant_2() { + let void2: Void2 = kani::any(); + assert!(void2.is_safe()); +} + +#[kani::proof] +fn check_empty_struct_invariant_3() { + let void3: VoidOfVoid = kani::any(); + assert!(void3.is_safe()); +} diff --git a/tests/expected/derive-invariant/empty_struct/expected b/tests/expected/derive-invariant/empty_struct/expected new file mode 100644 index 000000000000..8fdca72b1ead --- /dev/null +++ b/tests/expected/derive-invariant/empty_struct/expected @@ -0,0 +1,8 @@ + - Status: SUCCESS\ + - Description: "assertion failed: void1.is_safe()" + + - Status: SUCCESS\ + - Description: "assertion failed: void2.is_safe()" + + - Status: SUCCESS\ + - Description: "assertion failed: void3.is_safe()" diff --git a/tests/expected/derive-invariant/generic_struct/expected b/tests/expected/derive-invariant/generic_struct/expected new file mode 100644 index 000000000000..5e5886bb3e45 --- /dev/null +++ b/tests/expected/derive-invariant/generic_struct/expected @@ -0,0 +1,2 @@ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" diff --git a/tests/expected/derive-invariant/generic_struct/generic_struct.rs b/tests/expected/derive-invariant/generic_struct/generic_struct.rs new file mode 100644 index 000000000000..91c62fac8ece --- /dev/null +++ b/tests/expected/derive-invariant/generic_struct/generic_struct.rs @@ -0,0 +1,20 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for structs with generics. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Point { + x: X, + y: Y, +} + +#[kani::proof] +fn check_generic_struct_invariant() { + let point: Point = kani::any(); + assert!(point.is_safe()); +} diff --git a/tests/expected/derive-invariant/named_struct/expected b/tests/expected/derive-invariant/named_struct/expected new file mode 100644 index 000000000000..5e5886bb3e45 --- /dev/null +++ b/tests/expected/derive-invariant/named_struct/expected @@ -0,0 +1,2 @@ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" diff --git a/tests/expected/derive-invariant/named_struct/named_struct.rs b/tests/expected/derive-invariant/named_struct/named_struct.rs new file mode 100644 index 000000000000..7e27404bda11 --- /dev/null +++ b/tests/expected/derive-invariant/named_struct/named_struct.rs @@ -0,0 +1,20 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for structs with named fields. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Point { + x: i32, + y: i32, +} + +#[kani::proof] +fn check_generic_struct_invariant() { + let point: Point = kani::any(); + assert!(point.is_safe()); +} diff --git a/tests/expected/derive-invariant/safety_constraint_helper/expected b/tests/expected/derive-invariant/safety_constraint_helper/expected new file mode 100644 index 000000000000..31b6de54c647 --- /dev/null +++ b/tests/expected/derive-invariant/safety_constraint_helper/expected @@ -0,0 +1,13 @@ +Check 1: check_invariant_helper_ok.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.is_safe()" + +Check 1: check_invariant_helper_ok_manual.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.is_safe()" + +Check 1: check_invariant_helper_fail.assertion.1\ + - Status: FAILURE\ + - Description: "assertion failed: pos_point.is_safe()" + +Complete - 3 successfully verified harnesses, 0 failures, 3 total. diff --git a/tests/expected/derive-invariant/safety_constraint_helper/safety_constraint_helper.rs b/tests/expected/derive-invariant/safety_constraint_helper/safety_constraint_helper.rs new file mode 100644 index 000000000000..44a218f8fa63 --- /dev/null +++ b/tests/expected/derive-invariant/safety_constraint_helper/safety_constraint_helper.rs @@ -0,0 +1,43 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `#[safety_constraint(...)]` attribute helper adds the conditions provided to +//! the attribute to the derived `Invariant` implementation. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[safety_constraint(*x >= 0)] + x: i32, + #[safety_constraint(*y >= 0)] + y: i32, +} + +#[kani::proof] +fn check_invariant_helper_ok() { + let pos_point: PositivePoint = kani::any(); + assert!(pos_point.is_safe()); +} + +#[kani::proof] +#[kani::should_panic] +fn check_invariant_helper_fail() { + // In this case, we build the struct from unconstrained arbitrary values + // that do not respect `PositivePoint`'s safety constraints. + let pos_point: PositivePoint = PositivePoint { x: kani::any(), y: kani::any() }; + assert!(pos_point.is_safe()); +} + +#[kani::proof] +fn check_invariant_helper_ok_manual() { + // In this case, we build the struct from unconstrained arbitrary values + // that do not respect `PositivePoint`'s safety constraints. However, we + // manually constrain them later. + let pos_point: PositivePoint = PositivePoint { x: kani::any(), y: kani::any() }; + kani::assume(pos_point.x >= 0); + kani::assume(pos_point.y >= 0); + assert!(pos_point.is_safe()); +} diff --git a/tests/expected/derive-invariant/safety_constraint_helper_funs/expected b/tests/expected/derive-invariant/safety_constraint_helper_funs/expected new file mode 100644 index 000000000000..31b6de54c647 --- /dev/null +++ b/tests/expected/derive-invariant/safety_constraint_helper_funs/expected @@ -0,0 +1,13 @@ +Check 1: check_invariant_helper_ok.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.is_safe()" + +Check 1: check_invariant_helper_ok_manual.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.is_safe()" + +Check 1: check_invariant_helper_fail.assertion.1\ + - Status: FAILURE\ + - Description: "assertion failed: pos_point.is_safe()" + +Complete - 3 successfully verified harnesses, 0 failures, 3 total. diff --git a/tests/expected/derive-invariant/safety_constraint_helper_funs/safety_constraint_helper_funs.rs b/tests/expected/derive-invariant/safety_constraint_helper_funs/safety_constraint_helper_funs.rs new file mode 100644 index 000000000000..a2c4600eb208 --- /dev/null +++ b/tests/expected/derive-invariant/safety_constraint_helper_funs/safety_constraint_helper_funs.rs @@ -0,0 +1,48 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that functions can be called in the `#[safety_constraint(...)]` attribute helpers. +//! This is like the `invariant_helper` test but using a function instead +//! of passing in a predicate. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[safety_constraint(is_coordinate_safe(x))] + x: i32, + #[safety_constraint(is_coordinate_safe(y))] + y: i32, +} + +fn is_coordinate_safe(val: &i32) -> bool { + *val >= 0 +} + +#[kani::proof] +fn check_invariant_helper_ok() { + let pos_point: PositivePoint = kani::any(); + assert!(pos_point.is_safe()); +} + +#[kani::proof] +#[kani::should_panic] +fn check_invariant_helper_fail() { + // In this case, we build the struct from unconstrained arbitrary values + // that do not respect `PositivePoint`'s safety constraints. + let pos_point: PositivePoint = PositivePoint { x: kani::any(), y: kani::any() }; + assert!(pos_point.is_safe()); +} + +#[kani::proof] +fn check_invariant_helper_ok_manual() { + // In this case, we build the struct from unconstrained arbitrary values + // that do not respect `PositivePoint`'s safety constraints. However, we + // manually constrain them later. + let pos_point: PositivePoint = PositivePoint { x: kani::any(), y: kani::any() }; + kani::assume(pos_point.x >= 0); + kani::assume(pos_point.y >= 0); + assert!(pos_point.is_safe()); +} diff --git a/tests/expected/derive-invariant/safety_invariant_fail/expected b/tests/expected/derive-invariant/safety_invariant_fail/expected new file mode 100644 index 000000000000..511d5901e154 --- /dev/null +++ b/tests/expected/derive-invariant/safety_invariant_fail/expected @@ -0,0 +1,4 @@ + - Status: FAILURE\ + - Description: "assertion failed: wrapper.is_safe()" + +Verification failed for - check_invariant_fail diff --git a/tests/expected/derive-invariant/safety_invariant_fail/safety_invariant_fail.rs b/tests/expected/derive-invariant/safety_invariant_fail/safety_invariant_fail.rs new file mode 100644 index 000000000000..b1d6f8679835 --- /dev/null +++ b/tests/expected/derive-invariant/safety_invariant_fail/safety_invariant_fail.rs @@ -0,0 +1,33 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that a verification failure is triggered when the derived `Invariant` +//! method is checked but not satisfied. + +extern crate kani; +use kani::Invariant; +// Note: This represents an incorrect usage of `Arbitrary` and `Invariant`. +// +// The `Arbitrary` implementation should respect the type invariant, +// but Kani does not enforce this in any way at the moment. +// +#[derive(kani::Arbitrary)] +struct NotNegative(i32); + +impl kani::Invariant for NotNegative { + fn is_safe(&self) -> bool { + self.0 >= 0 + } +} + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct NotNegativeWrapper { + x: NotNegative, +} + +#[kani::proof] +fn check_invariant_fail() { + let wrapper: NotNegativeWrapper = kani::any(); + assert!(wrapper.is_safe()); +} diff --git a/tests/expected/derive-invariant/safety_invariant_fail_mut/expected b/tests/expected/derive-invariant/safety_invariant_fail_mut/expected new file mode 100644 index 000000000000..0853a68fa79e --- /dev/null +++ b/tests/expected/derive-invariant/safety_invariant_fail_mut/expected @@ -0,0 +1,11 @@ +Check 1: check_invariant_fail_mut.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: pos_point.is_safe()" + +Check 2: check_invariant_fail_mut.assertion.2\ + - Status: FAILURE\ + - Description: "assertion failed: pos_point.is_safe()" + +VERIFICATION:- SUCCESSFUL (encountered one or more panics as expected) + +Complete - 1 successfully verified harnesses, 0 failures, 1 total. diff --git a/tests/expected/derive-invariant/safety_invariant_fail_mut/safety_invariant_fail_mut.rs b/tests/expected/derive-invariant/safety_invariant_fail_mut/safety_invariant_fail_mut.rs new file mode 100644 index 000000000000..dc659ec66dd6 --- /dev/null +++ b/tests/expected/derive-invariant/safety_invariant_fail_mut/safety_invariant_fail_mut.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that a verification failure is triggered if we check the invariant +//! after mutating an object to violate it. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[safety_constraint(*x >= 0)] + x: i32, + #[safety_constraint(*y >= 0)] + y: i32, +} + +#[kani::proof] +#[kani::should_panic] +fn check_invariant_fail_mut() { + let mut pos_point: PositivePoint = kani::any(); + assert!(pos_point.is_safe()); + // Set the `x` field to an unsafe value + pos_point.x = -1; + // The object's invariant isn't preserved anymore so the next check fails + assert!(pos_point.is_safe()); +} diff --git a/tests/expected/derive-invariant/unnamed_struct/expected b/tests/expected/derive-invariant/unnamed_struct/expected new file mode 100644 index 000000000000..5e5886bb3e45 --- /dev/null +++ b/tests/expected/derive-invariant/unnamed_struct/expected @@ -0,0 +1,2 @@ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" diff --git a/tests/expected/derive-invariant/unnamed_struct/unnamed_struct.rs b/tests/expected/derive-invariant/unnamed_struct/unnamed_struct.rs new file mode 100644 index 000000000000..5dee718d05a6 --- /dev/null +++ b/tests/expected/derive-invariant/unnamed_struct/unnamed_struct.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for structs with unnamed fields. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Point(i32, i32); + +#[kani::proof] +fn check_generic_struct_invariant() { + let point: Point = kani::any(); + assert!(point.is_safe()); +} diff --git a/tests/expected/function-contract/arbitrary_ensures_fail.expected b/tests/expected/function-contract/arbitrary_ensures_fail.expected index 0a59d2cea5eb..4b70f8364e05 100644 --- a/tests/expected/function-contract/arbitrary_ensures_fail.expected +++ b/tests/expected/function-contract/arbitrary_ensures_fail.expected @@ -1,6 +1,6 @@ assertion\ - Status: FAILURE\ -- Description: "result == x"\ +- Description: "|result : &u32| *result == x"\ in function max VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/arbitrary_ensures_fail.rs b/tests/expected/function-contract/arbitrary_ensures_fail.rs index 91638b1cc037..8d66402180d7 100644 --- a/tests/expected/function-contract/arbitrary_ensures_fail.rs +++ b/tests/expected/function-contract/arbitrary_ensures_fail.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result == x)] +#[kani::ensures(|result : &u32| *result == x)] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/arbitrary_ensures_pass.expected b/tests/expected/function-contract/arbitrary_ensures_pass.expected index 85619fa84c22..9eee213789b9 100644 --- a/tests/expected/function-contract/arbitrary_ensures_pass.expected +++ b/tests/expected/function-contract/arbitrary_ensures_pass.expected @@ -1,6 +1,6 @@ assertion\ - Status: SUCCESS\ -- Description: "result == x || result == y"\ +- Description: "|result : &u32| *result == x || *result == y"\ in function max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/arbitrary_ensures_pass.rs b/tests/expected/function-contract/arbitrary_ensures_pass.rs index df8d3a2361fb..86302f705925 100644 --- a/tests/expected/function-contract/arbitrary_ensures_pass.rs +++ b/tests/expected/function-contract/arbitrary_ensures_pass.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result == x || result == y)] +#[kani::ensures(|result : &u32| *result == x || *result == y)] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/arbitrary_requires_fail.rs b/tests/expected/function-contract/arbitrary_requires_fail.rs index d052e19b0335..78ab1b77bf10 100644 --- a/tests/expected/function-contract/arbitrary_requires_fail.rs +++ b/tests/expected/function-contract/arbitrary_requires_fail.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/attribute_complain.rs b/tests/expected/function-contract/attribute_complain.rs index f16e975c2001..8532889e1eca 100644 --- a/tests/expected/function-contract/attribute_complain.rs +++ b/tests/expected/function-contract/attribute_complain.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn always() {} #[kani::proof_for_contract(always)] diff --git a/tests/expected/function-contract/attribute_no_complain.rs b/tests/expected/function-contract/attribute_no_complain.rs index bcf1f0cadafd..b3004b24f4d4 100644 --- a/tests/expected/function-contract/attribute_no_complain.rs +++ b/tests/expected/function-contract/attribute_no_complain.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn always() {} #[kani::proof] diff --git a/tests/expected/function-contract/checking_from_external_mod.expected b/tests/expected/function-contract/checking_from_external_mod.expected index c31b5c389fc8..e181e6b2ad17 100644 --- a/tests/expected/function-contract/checking_from_external_mod.expected +++ b/tests/expected/function-contract/checking_from_external_mod.expected @@ -1,5 +1,5 @@ - Status: SUCCESS\ -- Description: "(result == x) | (result == y)"\ +- Description: "|result : &u32| (*result == x) | (*result == y)"\ in function max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/checking_from_external_mod.rs b/tests/expected/function-contract/checking_from_external_mod.rs index 43d1551f9aef..ea01cfadd511 100644 --- a/tests/expected/function-contract/checking_from_external_mod.rs +++ b/tests/expected/function-contract/checking_from_external_mod.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures((result == x) | (result == y))] +#[kani::ensures(|result : &u32| (*result == x) | (*result == y))] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/checking_in_impl.expected b/tests/expected/function-contract/checking_in_impl.expected index d5a390be8425..cfe84c06fc85 100644 --- a/tests/expected/function-contract/checking_in_impl.expected +++ b/tests/expected/function-contract/checking_in_impl.expected @@ -1,5 +1,5 @@ - Status: SUCCESS\ -- Description: "(result == self) | (result == y)"\ +- Description: "|result : &WrappedInt| (*result == self) | (*result == y)"\ in function WrappedInt::max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/checking_in_impl.rs b/tests/expected/function-contract/checking_in_impl.rs index 7d5c0506d9df..8721e7fffb7f 100644 --- a/tests/expected/function-contract/checking_in_impl.rs +++ b/tests/expected/function-contract/checking_in_impl.rs @@ -8,7 +8,7 @@ extern crate kani; struct WrappedInt(u32); impl WrappedInt { - #[kani::ensures((result == self) | (result == y))] + #[kani::ensures(|result : &WrappedInt| (*result == self) | (*result == y))] fn max(self, y: WrappedInt) -> WrappedInt { Self(if self.0 > y.0 { self.0 } else { y.0 }) } diff --git a/tests/expected/function-contract/const_fn.expected b/tests/expected/function-contract/const_fn.expected new file mode 100644 index 000000000000..10cf9fe451f0 --- /dev/null +++ b/tests/expected/function-contract/const_fn.expected @@ -0,0 +1,2 @@ +Checking harness check... +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/const_fn.rs b/tests/expected/function-contract/const_fn.rs new file mode 100644 index 000000000000..44b937cedce4 --- /dev/null +++ b/tests/expected/function-contract/const_fn.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts -Zmem-predicates + +//! Check that Kani contract can be applied to a constant function. +//! + +#[kani::requires(kani::mem::can_dereference(arg))] +const unsafe fn dummy(arg: *const T) -> T { + std::ptr::read(arg) +} + +#[kani::proof_for_contract(dummy)] +fn check() { + unsafe { dummy(&kani::any::()) }; +} diff --git a/tests/expected/function-contract/const_fn_with_effect.expected b/tests/expected/function-contract/const_fn_with_effect.expected new file mode 100644 index 000000000000..10cf9fe451f0 --- /dev/null +++ b/tests/expected/function-contract/const_fn_with_effect.expected @@ -0,0 +1,2 @@ +Checking harness check... +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/const_fn_with_effect.rs b/tests/expected/function-contract/const_fn_with_effect.rs new file mode 100644 index 000000000000..070c44482a80 --- /dev/null +++ b/tests/expected/function-contract/const_fn_with_effect.rs @@ -0,0 +1,20 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts -Zmem-predicates +// compile-flags: -Znext-solver + +//! Check that Kani contract can be applied to a constant function. +//! + +#![feature(effects)] +#![allow(incomplete_features)] + +#[kani::requires(kani::mem::can_dereference(arg))] +const unsafe fn dummy(arg: *const T) -> T { + std::ptr::read(arg) +} + +#[kani::proof_for_contract(dummy)] +fn check() { + unsafe { dummy(&kani::any::()) }; +} diff --git a/tests/expected/function-contract/diverging_loop.expected b/tests/expected/function-contract/diverging_loop.expected new file mode 100644 index 000000000000..05c2856a7c31 --- /dev/null +++ b/tests/expected/function-contract/diverging_loop.expected @@ -0,0 +1,3 @@ +Failed Checks: unwinding assertion loop 0 + +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/diverging_loop.rs b/tests/expected/function-contract/diverging_loop.rs new file mode 100644 index 000000000000..219f723494f7 --- /dev/null +++ b/tests/expected/function-contract/diverging_loop.rs @@ -0,0 +1,15 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result : &i32| *result == 1)] +fn foo() -> i32 { + loop {} + 2 +} + +#[kani::proof_for_contract(foo)] +#[kani::unwind(1)] +fn check_foo() { + let _ = foo(); +} diff --git a/tests/expected/function-contract/fail_on_two.expected b/tests/expected/function-contract/fail_on_two.expected index 32fc28012d3a..79cc3d572af0 100644 --- a/tests/expected/function-contract/fail_on_two.expected +++ b/tests/expected/function-contract/fail_on_two.expected @@ -7,6 +7,6 @@ Failed Checks: internal error: entered unreachable code: fail on two assertion\ - Status: FAILURE\ -- Description: "result < 3" +- Description: "|result : &i32| *result < 3" -Failed Checks: result < 3 +Failed Checks: |result : &i32| *result < 3 diff --git a/tests/expected/function-contract/fail_on_two.rs b/tests/expected/function-contract/fail_on_two.rs index 4302cdc7da33..32ad74c31cd9 100644 --- a/tests/expected/function-contract/fail_on_two.rs +++ b/tests/expected/function-contract/fail_on_two.rs @@ -16,7 +16,8 @@ //! once because the postcondition is violated). If instead the hypothesis (e.g. //! contract replacement) is used we'd expect the verification to succeed. -#[kani::ensures(result < 3)] +#[kani::ensures(|result : &i32| *result < 3)] +#[kani::recursion] fn fail_on_two(i: i32) -> i32 { match i { 0 => fail_on_two(i + 1), @@ -31,7 +32,8 @@ fn harness() { let _ = fail_on_two(first); } -#[kani::ensures(result < 3)] +#[kani::ensures(|result : &i32| *result < 3)] +#[kani::recursion] fn fail_on_two_in_postcondition(i: i32) -> i32 { let j = i + 1; if i < 2 { fail_on_two_in_postcondition(j) } else { j } diff --git a/tests/expected/function-contract/gcd_failure_code.expected b/tests/expected/function-contract/gcd_failure_code.expected index c7fe5a721abb..ca21817c8329 100644 --- a/tests/expected/function-contract/gcd_failure_code.expected +++ b/tests/expected/function-contract/gcd_failure_code.expected @@ -1,8 +1,8 @@ assertion\ - Status: FAILURE\ -- Description: "result != 0 && x % result == 0 && y % result == 0"\ +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0"\ in function gcd -Failed Checks: result != 0 && x % result == 0 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 0 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_failure_code.rs b/tests/expected/function-contract/gcd_failure_code.rs index f76e04b75fee..118cc3c930e5 100644 --- a/tests/expected/function-contract/gcd_failure_code.rs +++ b/tests/expected/function-contract/gcd_failure_code.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_failure_contract.expected b/tests/expected/function-contract/gcd_failure_contract.expected index aeadfb563ab9..4bb02ab36f49 100644 --- a/tests/expected/function-contract/gcd_failure_contract.expected +++ b/tests/expected/function-contract/gcd_failure_contract.expected @@ -1,8 +1,8 @@ assertion\ - Status: FAILURE\ -- Description: "result != 0 && x % result == 1 && y % result == 0"\ +- Description: "|result : &T| *result != 0 && x % *result == 1 && y % *result == 0"\ in function gcd\ -Failed Checks: result != 0 && x % result == 1 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 1 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_failure_contract.rs b/tests/expected/function-contract/gcd_failure_contract.rs index 6b835466c5a0..d4eea8ceb98c 100644 --- a/tests/expected/function-contract/gcd_failure_contract.rs +++ b/tests/expected/function-contract/gcd_failure_contract.rs @@ -5,8 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -// Changed `0` to `1` in `x % result == 0` to mess with this contract -#[kani::ensures(result != 0 && x % result == 1 && y % result == 0)] +// Changed `0` to `1` in `x % *result == 0` to mess with this contract +#[kani::ensures(|result : &T| *result != 0 && x % *result == 1 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_code_fail.expected b/tests/expected/function-contract/gcd_rec_code_fail.expected index 80dbaadbf4c7..863392098be4 100644 --- a/tests/expected/function-contract/gcd_rec_code_fail.expected +++ b/tests/expected/function-contract/gcd_rec_code_fail.expected @@ -1,3 +1,3 @@ -Failed Checks: result != 0 && x % result == 0 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 0 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_rec_code_fail.rs b/tests/expected/function-contract/gcd_rec_code_fail.rs index 5f63cb247ebf..90260f56d4dc 100644 --- a/tests/expected/function-contract/gcd_rec_code_fail.rs +++ b/tests/expected/function-contract/gcd_rec_code_fail.rs @@ -5,7 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +#[kani::recursion] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_comparison_pass.expected b/tests/expected/function-contract/gcd_rec_comparison_pass.expected index da647dfd40aa..0556bfc50204 100644 --- a/tests/expected/function-contract/gcd_rec_comparison_pass.expected +++ b/tests/expected/function-contract/gcd_rec_comparison_pass.expected @@ -4,6 +4,6 @@ assertion\ assertion\ - Status: SUCCESS\ -- Description: "result != 0 && x % result == 0 && y % result == 0" +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0" VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/gcd_rec_comparison_pass.rs b/tests/expected/function-contract/gcd_rec_comparison_pass.rs index b08d94504bf7..ae5fbbe9b60f 100644 --- a/tests/expected/function-contract/gcd_rec_comparison_pass.rs +++ b/tests/expected/function-contract/gcd_rec_comparison_pass.rs @@ -5,7 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +#[kani::recursion] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_contract_fail.expected b/tests/expected/function-contract/gcd_rec_contract_fail.expected index bfb470192a39..6cc0354ca89a 100644 --- a/tests/expected/function-contract/gcd_rec_contract_fail.expected +++ b/tests/expected/function-contract/gcd_rec_contract_fail.expected @@ -1,3 +1,3 @@ -Failed Checks: result != 0 && x % result == 1 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 1 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_rec_contract_fail.rs b/tests/expected/function-contract/gcd_rec_contract_fail.rs index 3fe34cb2effc..2306db0e9353 100644 --- a/tests/expected/function-contract/gcd_rec_contract_fail.rs +++ b/tests/expected/function-contract/gcd_rec_contract_fail.rs @@ -6,7 +6,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] // Changed `0` to `1` in `x % result == 0` to mess with this contract -#[kani::ensures(result != 0 && x % result == 1 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 1 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_replacement_pass.rs b/tests/expected/function-contract/gcd_rec_replacement_pass.rs index d8a5bbd234ed..0fd04b0076ba 100644 --- a/tests/expected/function-contract/gcd_rec_replacement_pass.rs +++ b/tests/expected/function-contract/gcd_rec_replacement_pass.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_simple_pass.expected b/tests/expected/function-contract/gcd_rec_simple_pass.expected index da647dfd40aa..0556bfc50204 100644 --- a/tests/expected/function-contract/gcd_rec_simple_pass.expected +++ b/tests/expected/function-contract/gcd_rec_simple_pass.expected @@ -4,6 +4,6 @@ assertion\ assertion\ - Status: SUCCESS\ -- Description: "result != 0 && x % result == 0 && y % result == 0" +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0" VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/gcd_rec_simple_pass.rs b/tests/expected/function-contract/gcd_rec_simple_pass.rs index ae55efa62b45..626a48aa5ec2 100644 --- a/tests/expected/function-contract/gcd_rec_simple_pass.rs +++ b/tests/expected/function-contract/gcd_rec_simple_pass.rs @@ -5,7 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +#[kani::recursion] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_replacement_fail.rs b/tests/expected/function-contract/gcd_replacement_fail.rs index 8bd59c5c14fe..0186a369c3b2 100644 --- a/tests/expected/function-contract/gcd_replacement_fail.rs +++ b/tests/expected/function-contract/gcd_replacement_fail.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_replacement_pass.rs b/tests/expected/function-contract/gcd_replacement_pass.rs index 9827dd3a1512..b45241198737 100644 --- a/tests/expected/function-contract/gcd_replacement_pass.rs +++ b/tests/expected/function-contract/gcd_replacement_pass.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_success.expected b/tests/expected/function-contract/gcd_success.expected index 73b531d424b9..e5885dd11179 100644 --- a/tests/expected/function-contract/gcd_success.expected +++ b/tests/expected/function-contract/gcd_success.expected @@ -1,6 +1,6 @@ assertion\ - Status: SUCCESS\ -- Description: "result != 0 && x % result == 0 && y % result == 0"\ +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0"\ in function gcd VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/gcd_success.rs b/tests/expected/function-contract/gcd_success.rs index d3a2c75b7d20..61d8fea8ec80 100644 --- a/tests/expected/function-contract/gcd_success.rs +++ b/tests/expected/function-contract/gcd_success.rs @@ -1,28 +1,22 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts +#![deny(warnings)] type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] -fn gcd(x: T, y: T) -> T { - let mut max = x; - let mut min = y; - if min > max { - let val = max; - max = min; - min = val; - } - +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +fn gcd(mut x: T, mut y: T) -> T { + (x, y) = (if x > y { x } else { y }, if x > y { y } else { x }); loop { - let res = max % min; + let res = x % y; if res == 0 { - return min; + return y; } - max = min; - min = res; + x = y; + y = res; } } diff --git a/tests/expected/function-contract/generic_infinity_recursion.expected b/tests/expected/function-contract/generic_infinity_recursion.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/generic_infinity_recursion.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/generic_infinity_recursion.rs b/tests/expected/function-contract/generic_infinity_recursion.rs new file mode 100644 index 000000000000..7512b4e1e461 --- /dev/null +++ b/tests/expected/function-contract/generic_infinity_recursion.rs @@ -0,0 +1,18 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check Kani handling of generics and recursion with function contracts. + +#[kani::requires(x != 0)] +#[kani::recursion] +fn foo>(x: T) { + assert_ne!(x, 0); + foo(x); +} + +#[kani::proof_for_contract(foo)] +fn foo_harness() { + let input: i32 = kani::any(); + foo(input); +} diff --git a/tests/expected/function-contract/history/block.expected b/tests/expected/function-contract/history/block.expected new file mode 100644 index 000000000000..83e958f52d77 --- /dev/null +++ b/tests/expected/function-contract/history/block.expected @@ -0,0 +1,5 @@ +assertion\ + - Status: SUCCESS\ + - Description: "|result| old({ let x = &ptr; let y = **x; y + 1 }) == *ptr"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/block.rs b/tests/expected/function-contract/history/block.rs new file mode 100644 index 000000000000..a38e980fffad --- /dev/null +++ b/tests/expected/function-contract/history/block.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +// testing block computation within `old` expression +#[kani::ensures(|result| old({let x = &ptr; let y = **x; y + 1}) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/clone_pass.expected b/tests/expected/function-contract/history/clone_pass.expected new file mode 100644 index 000000000000..bebbe1ae8834 --- /dev/null +++ b/tests/expected/function-contract/history/clone_pass.expected @@ -0,0 +1,5 @@ +assertion\ + - Status: SUCCESS\ + - Description: "|result| old(ptr.clone()).0 + 1 == ptr.0"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/clone_pass.rs b/tests/expected/function-contract/history/clone_pass.rs new file mode 100644 index 000000000000..8f6c73b8309e --- /dev/null +++ b/tests/expected/function-contract/history/clone_pass.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[derive(Clone)] +struct NoCopy(T); + +impl kani::Arbitrary for NoCopy { + fn any() -> Self { + Self(kani::any()) + } +} + +/// This test includes `derive(Clone)` and demonstrates that +/// you can precompute the clone to copy and save the struct +/// so that, in the future, we can access the old contents via the `.0`. +#[kani::ensures(|result| old(ptr.clone()).0 + 1 == ptr.0)] +#[kani::requires(ptr.0 < 100)] +#[kani::modifies(&mut ptr.0)] +fn modify(ptr: &mut NoCopy) { + ptr.0 += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/copy_pass.expected b/tests/expected/function-contract/history/copy_pass.expected new file mode 100644 index 000000000000..40f15ebf64fa --- /dev/null +++ b/tests/expected/function-contract/history/copy_pass.expected @@ -0,0 +1,5 @@ +assertion\ + - Status: SUCCESS\ + - Description: "|result| old(ptr.0) + 1 == ptr.0"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/copy_pass.rs b/tests/expected/function-contract/history/copy_pass.rs new file mode 100644 index 000000000000..e9864f6b79f8 --- /dev/null +++ b/tests/expected/function-contract/history/copy_pass.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +struct NoCopy(T); + +impl kani::Arbitrary for NoCopy { + fn any() -> Self { + Self(kani::any()) + } +} + +/// In this test, the `NoCopy` struct cannot be copied +/// to be accessed in the future, but we can still copy +/// the `u32` stored inside it to be accessed in the future. +/// The precomputation of `ptr.0` gets passed to the future. +#[kani::ensures(|result| old(ptr.0) + 1 == ptr.0)] +#[kani::requires(ptr.0 < 100)] +#[kani::modifies(&mut ptr.0)] +fn modify(ptr: &mut NoCopy) { + ptr.0 += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/function_call.expected b/tests/expected/function-contract/history/function_call.expected new file mode 100644 index 000000000000..cba9ece7ed26 --- /dev/null +++ b/tests/expected/function-contract/history/function_call.expected @@ -0,0 +1,5 @@ +assertion\ + - Status: SUCCESS\ + - Description: "|result| old(add1(dereference(ptr))) == *ptr"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/function_call.rs b/tests/expected/function-contract/history/function_call.rs new file mode 100644 index 000000000000..72b1b3e59eca --- /dev/null +++ b/tests/expected/function-contract/history/function_call.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +fn dereference(x: &u32) -> u32 { + *x +} + +fn add1(x: u32) -> u32 { + x + 1 +} + +#[kani::ensures(|result| old(add1(dereference(ptr))) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/no_modifies.expected b/tests/expected/function-contract/history/no_modifies.expected new file mode 100644 index 000000000000..eb0178186987 --- /dev/null +++ b/tests/expected/function-contract/history/no_modifies.expected @@ -0,0 +1,5 @@ +assertion\ + - Status: SUCCESS\ + - Description: "|result : &u32| old(val) == val && old(val.wrapping_add(1)) == *result"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/no_modifies.rs b/tests/expected/function-contract/history/no_modifies.rs new file mode 100644 index 000000000000..8d5292b5a74c --- /dev/null +++ b/tests/expected/function-contract/history/no_modifies.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// This test shows you can use `old` without the modifies contract. +/// It precomputes the desired expression, but this precomputation should +/// be equivalent to the postcomputation as it remains unchanged. +#[kani::ensures(|result : &u32| old(val) == val && old(val.wrapping_add(1)) == *result)] +fn add1(val: u32) -> u32 { + val.wrapping_add(1) +} + +#[kani::proof_for_contract(add1)] +fn main() { + let i = kani::any(); + add1(i); +} diff --git a/tests/expected/function-contract/history/old_old.expected b/tests/expected/function-contract/history/old_old.expected new file mode 100644 index 000000000000..07e53ecb37ff --- /dev/null +++ b/tests/expected/function-contract/history/old_old.expected @@ -0,0 +1,2 @@ +error: Nested calls to `old` are prohibited +#[kani::ensures(|result| old(*ptr + old(1)) == *ptr)] diff --git a/tests/expected/function-contract/history/old_old.rs b/tests/expected/function-contract/history/old_old.rs new file mode 100644 index 000000000000..a9fc430a576b --- /dev/null +++ b/tests/expected/function-contract/history/old_old.rs @@ -0,0 +1,18 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// We prohibit nested calls to old since this should be +/// unobservable to the user. +#[kani::ensures(|result| old(*ptr + old(1)) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/side_effect.expected b/tests/expected/function-contract/history/side_effect.expected new file mode 100644 index 000000000000..386399c67941 --- /dev/null +++ b/tests/expected/function-contract/history/side_effect.expected @@ -0,0 +1,2 @@ +Failed Checks: |result| old({ *ptr+=1; *ptr }) == _val +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/history/side_effect.rs b/tests/expected/function-contract/history/side_effect.rs new file mode 100644 index 000000000000..98091da93c13 --- /dev/null +++ b/tests/expected/function-contract/history/side_effect.rs @@ -0,0 +1,23 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// This test performs a side effect within the `old` expression +/// which leads to confusion in the ensures clause. There are +/// currently no checks to prevent side effects within `old` +/// expressions. +/// See https://github.com/model-checking/kani/issues/3213 +#[kani::ensures(|result| old({*ptr+=1; *ptr}) == _val)] +#[kani::requires(*ptr < 100)] +#[kani::requires(*ptr == _val)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32, _val: u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let x = kani::any(); + let mut i = x; + modify(&mut i, x); +} diff --git a/tests/expected/function-contract/history/simple_fail.expected b/tests/expected/function-contract/history/simple_fail.expected new file mode 100644 index 000000000000..29e2af7cf7fa --- /dev/null +++ b/tests/expected/function-contract/history/simple_fail.expected @@ -0,0 +1,7 @@ +assertion\ +- Status: FAILURE\ +- Description: "|_| old(*ptr) == *ptr" + +Failed Checks: |_| old(*ptr) == *ptr + +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/history/simple_fail.rs b/tests/expected/function-contract/history/simple_fail.rs new file mode 100644 index 000000000000..348eddacfdb1 --- /dev/null +++ b/tests/expected/function-contract/history/simple_fail.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|_| old(*ptr) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/simple_pass.expected b/tests/expected/function-contract/history/simple_pass.expected new file mode 100644 index 000000000000..8c3d786e1909 --- /dev/null +++ b/tests/expected/function-contract/history/simple_pass.expected @@ -0,0 +1,5 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|result| old(*ptr + 1) == *ptr"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/simple_pass.rs b/tests/expected/function-contract/history/simple_pass.rs new file mode 100644 index 000000000000..0d8058fec944 --- /dev/null +++ b/tests/expected/function-contract/history/simple_pass.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result| old(*ptr + 1) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/simple_pass_twice.expected b/tests/expected/function-contract/history/simple_pass_twice.expected new file mode 100644 index 000000000000..7d0cb9bfa18d --- /dev/null +++ b/tests/expected/function-contract/history/simple_pass_twice.expected @@ -0,0 +1,9 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|result| old(*ptr + 1) == *ptr"\ + +assertion\ +- Status: SUCCESS\ +- Description: "|result| old(*ptr + 1) == *ptr"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/simple_pass_twice.rs b/tests/expected/function-contract/history/simple_pass_twice.rs new file mode 100644 index 000000000000..32221020ed2a --- /dev/null +++ b/tests/expected/function-contract/history/simple_pass_twice.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result| old(*ptr + 1) == *ptr)] +#[kani::ensures(|result| old(*ptr + 1) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/stub.expected b/tests/expected/function-contract/history/stub.expected new file mode 100644 index 000000000000..1d354c1cdf6c --- /dev/null +++ b/tests/expected/function-contract/history/stub.expected @@ -0,0 +1,9 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|result| old(*ptr + *ptr) == *ptr"\ + +assertion\ +- Status: SUCCESS\ +- Description: "|result| old(*ptr + *ptr + *ptr + *ptr) == *ptr"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/history/stub.rs b/tests/expected/function-contract/history/stub.rs new file mode 100644 index 000000000000..77c590134f41 --- /dev/null +++ b/tests/expected/function-contract/history/stub.rs @@ -0,0 +1,31 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result| old(*ptr + *ptr) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn double(ptr: &mut u32) { + *ptr += *ptr; +} + +#[kani::proof_for_contract(double)] +fn double_harness() { + let mut i = kani::any(); + double(&mut i); +} + +#[kani::ensures(|result| old(*ptr + *ptr + *ptr + *ptr) == *ptr)] +#[kani::requires(*ptr < 50)] +#[kani::modifies(ptr)] +fn quadruple(ptr: &mut u32) { + double(ptr); + double(ptr) +} + +#[kani::proof_for_contract(quadruple)] +#[kani::stub_verified(double)] +fn quadruple_harness() { + let mut i = kani::any(); + quadruple(&mut i); +} diff --git a/tests/expected/function-contract/history/ui/no_args.expected b/tests/expected/function-contract/history/ui/no_args.expected new file mode 100644 index 000000000000..2f2a94a2158c --- /dev/null +++ b/tests/expected/function-contract/history/ui/no_args.expected @@ -0,0 +1 @@ +Failed assertion args.len() == 1 diff --git a/tests/expected/function-contract/history/ui/no_args.rs b/tests/expected/function-contract/history/ui/no_args.rs new file mode 100644 index 000000000000..44c0eef11927 --- /dev/null +++ b/tests/expected/function-contract/history/ui/no_args.rs @@ -0,0 +1,18 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// Tests the error message when the number of arguments to +/// `old` is not equal to 1 +#[kani::ensures(|result| {let x = old(); true})] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/ui/noncopy_ignore.expected b/tests/expected/function-contract/history/ui/noncopy_ignore.expected new file mode 100644 index 000000000000..1145721c86f5 --- /dev/null +++ b/tests/expected/function-contract/history/ui/noncopy_ignore.expected @@ -0,0 +1 @@ +use of moved value: `ptr` diff --git a/tests/expected/function-contract/history/ui/noncopy_ignore.rs b/tests/expected/function-contract/history/ui/noncopy_ignore.rs new file mode 100644 index 000000000000..492713adde2e --- /dev/null +++ b/tests/expected/function-contract/history/ui/noncopy_ignore.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result| old(*ptr + 1) == *old(ptr))] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/ui/old_result.expected b/tests/expected/function-contract/history/ui/old_result.expected new file mode 100644 index 000000000000..2b25d3fd3f2c --- /dev/null +++ b/tests/expected/function-contract/history/ui/old_result.expected @@ -0,0 +1 @@ +cannot find value `result` in this scope diff --git a/tests/expected/function-contract/history/ui/old_result.rs b/tests/expected/function-contract/history/ui/old_result.rs new file mode 100644 index 000000000000..1c99a6257642 --- /dev/null +++ b/tests/expected/function-contract/history/ui/old_result.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result| old(*result) == () && old(*ptr + 1) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/history/ui/statement.expected b/tests/expected/function-contract/history/ui/statement.expected new file mode 100644 index 000000000000..8276753746b1 --- /dev/null +++ b/tests/expected/function-contract/history/ui/statement.expected @@ -0,0 +1 @@ +error diff --git a/tests/expected/function-contract/history/ui/statement.rs b/tests/expected/function-contract/history/ui/statement.rs new file mode 100644 index 000000000000..0edb3759c8f7 --- /dev/null +++ b/tests/expected/function-contract/history/ui/statement.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result| old(let x = 1+1;) old(*ptr + 1) == *ptr)] +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) { + *ptr += 1; +} + +#[kani::proof_for_contract(modify)] +fn main() { + let mut i = kani::any(); + modify(&mut i); +} diff --git a/tests/expected/function-contract/interior-mutability/api/cell.expected b/tests/expected/function-contract/interior-mutability/api/cell.expected new file mode 100644 index 000000000000..d9b0f5d51e5c --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/api/cell.expected @@ -0,0 +1,6 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| im.x.get() < 101"\ +in function modify + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/interior-mutability/api/cell.rs b/tests/expected/function-contract/interior-mutability/api/cell.rs new file mode 100644 index 000000000000..671b6b206ef3 --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/api/cell.rs @@ -0,0 +1,25 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// Mutating Cell via `as_ptr` in contracts +use std::cell::Cell; + +/// This struct contains Cell which can be mutated +struct InteriorMutability { + x: Cell, +} + +#[kani::requires(im.x.get() < 100)] +#[kani::modifies(im.x.as_ptr())] +#[kani::ensures(|_| im.x.get() < 101)] +///im is an immutable reference with interior mutability +fn modify(im: &InteriorMutability) { + im.x.set(im.x.get() + 1) +} + +#[kani::proof_for_contract(modify)] +fn harness_for_modify() { + let im: InteriorMutability = InteriorMutability { x: Cell::new(kani::any()) }; + modify(&im) +} diff --git a/tests/expected/function-contract/interior-mutability/api/cell_stub.expected b/tests/expected/function-contract/interior-mutability/api/cell_stub.expected new file mode 100644 index 000000000000..b8da35411e53 --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/api/cell_stub.expected @@ -0,0 +1,9 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| old(im.x.get() + im.x.get()) == im.x.get()"\ + +assertion\ +- Status: SUCCESS\ +- Description: "|_| old(im.x.get() + im.x.get() + im.x.get() + im.x.get()) == im.x.get()"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/interior-mutability/api/cell_stub.rs b/tests/expected/function-contract/interior-mutability/api/cell_stub.rs new file mode 100644 index 000000000000..9752bec5d272 --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/api/cell_stub.rs @@ -0,0 +1,40 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts --solver minisat + +/// The objective of this test is to show that the contracts for double can be replaced as a stub within the contracts for quadruple. +/// This shows that we can generate `kani::any()` for Cell. +use std::cell::Cell; + +/// This struct contains Cell which can be mutated +struct InteriorMutability { + x: Cell, +} + +#[kani::ensures(|_| old(im.x.get() + im.x.get()) == im.x.get())] +#[kani::requires(im.x.get() < 100)] +#[kani::modifies(im.x.as_ptr())] +fn double(im: &InteriorMutability) { + im.x.set(im.x.get() + im.x.get()) +} + +#[kani::proof_for_contract(double)] +fn double_harness() { + let im: InteriorMutability = InteriorMutability { x: Cell::new(kani::any()) }; + double(&im); +} + +#[kani::ensures(|_| old(im.x.get() + im.x.get() + im.x.get() + im.x.get()) == im.x.get())] +#[kani::requires(im.x.get() < 50)] +#[kani::modifies(im.x.as_ptr())] +fn quadruple(im: &InteriorMutability) { + double(im); + double(im) +} + +#[kani::proof_for_contract(quadruple)] +#[kani::stub_verified(double)] +fn quadruple_harness() { + let im: InteriorMutability = InteriorMutability { x: Cell::new(kani::any()) }; + quadruple(&im); +} diff --git a/tests/expected/function-contract/interior-mutability/api/unsafecell.expected b/tests/expected/function-contract/interior-mutability/api/unsafecell.expected new file mode 100644 index 000000000000..1646a8a78e7f --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/api/unsafecell.expected @@ -0,0 +1,6 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| unsafe{ *im.x.get() } < 101"\ +in function modify + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/interior-mutability/api/unsafecell.rs b/tests/expected/function-contract/interior-mutability/api/unsafecell.rs new file mode 100644 index 000000000000..8125e3e3c077 --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/api/unsafecell.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +use std::cell::UnsafeCell; + +/// This struct contains UnsafeCell which can be mutated +struct InteriorMutability { + x: UnsafeCell, +} + +#[kani::requires(unsafe{*im.x.get()} < 100)] +#[kani::modifies(im.x.get())] +#[kani::ensures(|_| unsafe{*im.x.get()} < 101)] +/// `im` is an immutable reference with interior mutability +fn modify(im: &InteriorMutability) { + unsafe { *im.x.get() += 1 } +} + +#[kani::proof_for_contract(modify)] +fn harness_for_modify() { + let im: InteriorMutability = InteriorMutability { x: UnsafeCell::new(kani::any()) }; + modify(&im) +} diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/cell.expected b/tests/expected/function-contract/interior-mutability/whole-struct/cell.expected new file mode 100644 index 000000000000..d9b0f5d51e5c --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/cell.expected @@ -0,0 +1,6 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| im.x.get() < 101"\ +in function modify + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/cell.rs b/tests/expected/function-contract/interior-mutability/whole-struct/cell.rs new file mode 100644 index 000000000000..9f42f6fa1f6c --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/cell.rs @@ -0,0 +1,25 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// The objective of this test is to check the modification of a Cell used as interior mutability in an immutable struct +use std::cell::Cell; + +/// This struct contains Cell which can be mutated +struct InteriorMutability { + x: Cell, +} + +#[kani::requires(im.x.get() < 100)] +#[kani::modifies(&im.x)] +#[kani::ensures(|_| im.x.get() < 101)] +/// `im` is an immutable reference with interior mutability +fn modify(im: &InteriorMutability) { + im.x.set(im.x.get() + 1) +} + +#[kani::proof_for_contract(modify)] +fn harness_for_modify() { + let im: InteriorMutability = InteriorMutability { x: Cell::new(kani::any()) }; + modify(&im) +} diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/oncecell.expected b/tests/expected/function-contract/interior-mutability/whole-struct/oncecell.expected new file mode 100644 index 000000000000..a367bcd9fb95 --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/oncecell.expected @@ -0,0 +1,6 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| im.x.get().is_some()"\ +in function modify + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/oncecell.rs b/tests/expected/function-contract/interior-mutability/whole-struct/oncecell.rs new file mode 100644 index 000000000000..6ca32251b60c --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/oncecell.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// The objective of this test is to check the modification of an OnceCell used as interior mutability in an immutable struct +use std::cell::OnceCell; + +/// This struct contains OnceCell which can be mutated +struct InteriorMutability { + x: OnceCell, +} + +#[kani::requires(im.x.get().is_none())] +#[kani::modifies(&im.x)] +#[kani::ensures(|_| im.x.get().is_some())] +fn modify(im: &InteriorMutability) { + im.x.set(5).expect("") +} + +#[kani::proof_for_contract(modify)] +fn harness_for_modify() { + let im: InteriorMutability = InteriorMutability { x: OnceCell::new() }; + modify(&im) +} diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/refcell.expected b/tests/expected/function-contract/interior-mutability/whole-struct/refcell.expected new file mode 100644 index 000000000000..225c290a171e --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/refcell.expected @@ -0,0 +1,6 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| unsafe{ *im.x.as_ptr() } < 101"\ +in function modify + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/refcell.rs b/tests/expected/function-contract/interior-mutability/whole-struct/refcell.rs new file mode 100644 index 000000000000..1cce5e2364c3 --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/refcell.rs @@ -0,0 +1,25 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// The objective of this test is to check the modification of a RefCell used as interior mutability in an immutable struct +use std::cell::RefCell; + +/// This struct contains Cell which can be mutated +struct InteriorMutability { + x: RefCell, +} + +#[kani::requires(unsafe{*im.x.as_ptr()} < 100)] +#[kani::modifies(&im.x)] +#[kani::ensures(|_| unsafe{*im.x.as_ptr()} < 101)] +/// `im` is an immutable reference with interior mutability +fn modify(im: &InteriorMutability) { + im.x.replace_with(|&mut old| old + 1); +} + +#[kani::proof_for_contract(modify)] +fn harness_for_modify() { + let im: InteriorMutability = InteriorMutability { x: RefCell::new(kani::any()) }; + modify(&im) +} diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/unsafecell.expected b/tests/expected/function-contract/interior-mutability/whole-struct/unsafecell.expected new file mode 100644 index 000000000000..1646a8a78e7f --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/unsafecell.expected @@ -0,0 +1,6 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| unsafe{ *im.x.get() } < 101"\ +in function modify + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/interior-mutability/whole-struct/unsafecell.rs b/tests/expected/function-contract/interior-mutability/whole-struct/unsafecell.rs new file mode 100644 index 000000000000..6adb7b12c8b1 --- /dev/null +++ b/tests/expected/function-contract/interior-mutability/whole-struct/unsafecell.rs @@ -0,0 +1,25 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +/// The objective of this test is to check the modification of an UnsafeCell used as interior mutability in an immutable struct +use std::cell::UnsafeCell; + +/// This struct contains UnsafeCell which can be mutated +struct InteriorMutability { + x: UnsafeCell, +} + +#[kani::requires(unsafe{*im.x.get()} < 100)] +#[kani::modifies(im.x.get())] +#[kani::ensures(|_| unsafe{*im.x.get()} < 101)] +/// `im` is an immutable reference with interior mutability +fn modify(im: &InteriorMutability) { + unsafe { *im.x.get() += 1 } +} + +#[kani::proof_for_contract(modify)] +fn harness_for_modify() { + let im: InteriorMutability = InteriorMutability { x: UnsafeCell::new(kani::any()) }; + modify(&im) +} diff --git a/tests/expected/function-contract/modifies/check_invalid_modifies.expected b/tests/expected/function-contract/modifies/check_invalid_modifies.expected new file mode 100644 index 000000000000..660430705aa2 --- /dev/null +++ b/tests/expected/function-contract/modifies/check_invalid_modifies.expected @@ -0,0 +1,7 @@ +error: `&str` doesn't implement `kani::Arbitrary`\ + -->\ +| +| T::any() +| ^^^^^^^^ +| += help: All objects in the modifies clause must implement the Arbitrary. The return type must also implement the Arbitrary trait if you are checking recursion or using verified stub. diff --git a/tests/expected/function-contract/modifies/check_invalid_modifies.rs b/tests/expected/function-contract/modifies/check_invalid_modifies.rs new file mode 100644 index 000000000000..5cd832d0f456 --- /dev/null +++ b/tests/expected/function-contract/modifies/check_invalid_modifies.rs @@ -0,0 +1,27 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that Kani reports the correct error message when modifies clause +//! includes objects of types that do not implement `kani::Arbitrary`. +//! This restriction is only applied when using contracts as verified stubs. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) -> &'static str { + *ptr += 1; + let msg: &'static str = "done"; + msg +} + +fn use_modify(ptr: &mut u32) { + *ptr = 99; + assert!(modify(ptr) == "done"); +} + +#[kani::proof] +#[kani::stub_verified(modify)] +fn harness() { + let mut i = kani::any_where(|x| *x < 100); + use_modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/check_only_verification.expected b/tests/expected/function-contract/modifies/check_only_verification.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/modifies/check_only_verification.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/check_only_verification.rs b/tests/expected/function-contract/modifies/check_only_verification.rs new file mode 100644 index 000000000000..9f3fb3614733 --- /dev/null +++ b/tests/expected/function-contract/modifies/check_only_verification.rs @@ -0,0 +1,34 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that Kani does not report any error when unused modifies clauses +//! includes objects of types that do not implement `kani::Arbitrary`. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +#[kani::ensures(|result : &u32| *result == 100)] +fn modify(ptr: &mut u32) -> u32 { + *ptr += 1; + *ptr +} + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn wrong_modify(ptr: &mut u32) -> &'static str { + *ptr += 1; + let msg: &'static str = "done"; + msg +} + +fn use_modify(ptr: &mut u32) { + *ptr = 99; + assert!(modify(ptr) == 100); +} + +#[kani::proof] +#[kani::stub_verified(modify)] +fn harness() { + let mut i = kani::any_where(|x| *x < 100); + use_modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/expr_pass.rs b/tests/expected/function-contract/modifies/expr_pass.rs index 65e561df48a2..9a6f46a6aaaa 100644 --- a/tests/expected/function-contract/modifies/expr_pass.rs +++ b/tests/expected/function-contract/modifies/expr_pass.rs @@ -7,7 +7,7 @@ #[kani::requires(**ptr < 100)] #[kani::modifies(ptr.as_ref())] -#[kani::ensures(**ptr < 101)] +#[kani::ensures(|result| **ptr < 101)] fn modify(ptr: &mut Box) { *ptr.as_mut() += 1; } diff --git a/tests/expected/function-contract/modifies/expr_replace_pass.rs b/tests/expected/function-contract/modifies/expr_replace_pass.rs index 8be1ef2cbaee..779280dd46b4 100644 --- a/tests/expected/function-contract/modifies/expr_replace_pass.rs +++ b/tests/expected/function-contract/modifies/expr_replace_pass.rs @@ -4,7 +4,7 @@ #[kani::requires(**ptr < 100)] #[kani::modifies(ptr.as_ref())] -#[kani::ensures(**ptr == prior + 1)] +#[kani::ensures(|result| **ptr == prior + 1)] fn modify(ptr: &mut Box, prior: u32) { *ptr.as_mut() += 1; } diff --git a/tests/expected/function-contract/modifies/fail_missing_recursion_attr.expected b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.expected new file mode 100644 index 000000000000..6591cf27a8db --- /dev/null +++ b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.expected @@ -0,0 +1 @@ +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/modifies/fail_missing_recursion_attr.rs b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.rs new file mode 100644 index 000000000000..5e9b96e021f7 --- /dev/null +++ b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.rs @@ -0,0 +1,21 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check whether Kani fails if users forgot to annotate recursive +//! functions with `#[kani::recursion]` when using function contracts. + +#[kani::ensures(|result : &i32| *result < 3)] +fn fail_on_two(i: i32) -> i32 { + match i { + 0 => fail_on_two(i + 1), + 1 => 2, + _ => unreachable!("fail on two"), + } +} + +#[kani::proof_for_contract(fail_on_two)] +fn harness() { + let first = fail_on_two(0); + let _ = fail_on_two(first); +} diff --git a/tests/expected/function-contract/modifies/field_replace_pass.rs b/tests/expected/function-contract/modifies/field_replace_pass.rs index a6ae4ea4a7e0..b73af85d9597 100644 --- a/tests/expected/function-contract/modifies/field_replace_pass.rs +++ b/tests/expected/function-contract/modifies/field_replace_pass.rs @@ -8,8 +8,8 @@ struct S<'a> { } #[kani::requires(*s.target < 100)] #[kani::modifies(s.target)] -#[kani::ensures(*s.target == prior + 1)] -fn modify(s: S, prior: u32) { +#[kani::ensures(|result| *s.target == prior + 1)] +fn modify(s: &mut S, prior: u32) { *s.target += 1; } @@ -20,8 +20,8 @@ fn main() { let i_copy = i; let mut distraction = kani::any(); let distraction_copy = distraction; - let s = S { distraction: &mut distraction, target: &mut i }; - modify(s, i_copy); + let mut s = S { distraction: &mut distraction, target: &mut i }; + modify(&mut s, i_copy); kani::assert(i == i_copy + 1, "Increment"); kani::assert(distraction == distraction_copy, "Unchanged"); } diff --git a/tests/expected/function-contract/modifies/global_replace_pass.rs b/tests/expected/function-contract/modifies/global_replace_pass.rs index 333348f25ce4..69d36bd96033 100644 --- a/tests/expected/function-contract/modifies/global_replace_pass.rs +++ b/tests/expected/function-contract/modifies/global_replace_pass.rs @@ -5,7 +5,7 @@ static mut PTR: u32 = 0; #[kani::modifies(&mut PTR)] -#[kani::ensures(PTR == src)] +#[kani::ensures(|result| PTR == src)] unsafe fn modify(src: u32) { PTR = src; } diff --git a/tests/expected/function-contract/modifies/havoc_pass.rs b/tests/expected/function-contract/modifies/havoc_pass.rs index aa5bcada1a26..ebdd139727d3 100644 --- a/tests/expected/function-contract/modifies/havoc_pass.rs +++ b/tests/expected/function-contract/modifies/havoc_pass.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts #[kani::modifies(dst)] -#[kani::ensures(*dst == src)] +#[kani::ensures(|result| *dst == src)] fn copy(src: u32, dst: &mut u32) { *dst = src; } diff --git a/tests/expected/function-contract/modifies/havoc_pass_reordered.rs b/tests/expected/function-contract/modifies/havoc_pass_reordered.rs index dc5f370179e5..43581ee677a6 100644 --- a/tests/expected/function-contract/modifies/havoc_pass_reordered.rs +++ b/tests/expected/function-contract/modifies/havoc_pass_reordered.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts // These two are reordered in comparison to `havoc_pass` and we expect the test case to pass still -#[kani::ensures(*dst == src)] +#[kani::ensures(|result| *dst == src)] #[kani::modifies(dst)] fn copy(src: u32, dst: &mut u32) { *dst = src; diff --git a/tests/expected/function-contract/modifies/mistake_condition_return.expected b/tests/expected/function-contract/modifies/mistake_condition_return.expected new file mode 100644 index 000000000000..ad1cbf4f72d2 --- /dev/null +++ b/tests/expected/function-contract/modifies/mistake_condition_return.expected @@ -0,0 +1,3 @@ +Failed Checks: assertion failed: res == 100 + +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/modifies/mistake_condition_return.rs b/tests/expected/function-contract/modifies/mistake_condition_return.rs new file mode 100644 index 000000000000..b2d6ad6a8a55 --- /dev/null +++ b/tests/expected/function-contract/modifies/mistake_condition_return.rs @@ -0,0 +1,39 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Provide an example where users might get confuse on how to constrain +//! the return value of functions when writing function contracts. +//! In this case, users must remember that when using contracts as +//! verified stubs, the return value will be havoced. To retrict the return +//! value of a function, users may use the `result` keyword in their +//! ensures clauses. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +// In this case, one may think that by assuming `*ptr == 100`, automatically +// we can assume the return value of this function will also be equal to 100. +// However, contract instrumentation will create a separate non-deterministic +// value to return in this function that can only be constrained by using the +// `result` keyword. Thus the correct condition would be +// `#[kani::ensures(|result| result == 100)]`. +#[kani::ensures(|result| *ptr == 100)] +fn modify(ptr: &mut u32) -> u32 { + *ptr += 1; + *ptr +} + +fn use_modify(ptr: &mut u32) { + *ptr = 99; + let res = modify(ptr); + // This assertion won't hold because the return + // value of `modify` is unconstrained. + assert!(res == 100); +} + +#[kani::proof] +#[kani::stub_verified(modify)] +fn harness() { + let mut i = kani::any(); + use_modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/refcell_fixme.rs b/tests/expected/function-contract/modifies/refcell_fixme.rs index 8ae9cb390eb7..9cfac8777959 100644 --- a/tests/expected/function-contract/modifies/refcell_fixme.rs +++ b/tests/expected/function-contract/modifies/refcell_fixme.rs @@ -1,3 +1,5 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT use std::cell::RefCell; use std::ops::Deref; diff --git a/tests/expected/function-contract/modifies/simple_only_verification.expected b/tests/expected/function-contract/modifies/simple_only_verification.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/simple_only_verification.rs b/tests/expected/function-contract/modifies/simple_only_verification.rs new file mode 100644 index 000000000000..34d625485817 --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that is possible to use `modifies` clause for verifciation, but not stubbing. +//! Using contracts as verified stubs require users to ensure the type of any object in +//! the modifies clause (including return types) to implement `kani::Arbitrary`. +//! This requirement is not necessary if the contract is only used for verification. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) -> &'static str { + *ptr += 1; + let msg: &'static str = "done"; + msg +} + +#[kani::proof_for_contract(modify)] +fn harness() { + let mut i = kani::any_where(|x| *x < 100); + modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/simple_only_verification_modifies.expected b/tests/expected/function-contract/modifies/simple_only_verification_modifies.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification_modifies.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/simple_only_verification_modifies.rs b/tests/expected/function-contract/modifies/simple_only_verification_modifies.rs new file mode 100644 index 000000000000..4988dcb69c56 --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification_modifies.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that is possible to use `modifies` clause for verification, but not stubbing. +//! Here, we cover the case when the modifies clause contains references to function +//! parameters of generic types. Noticed that here the type T is not annotated with +//! `kani::Arbitrary` since this is no longer a requirement if the contract is only +//! use for verification. + +pub mod contracts { + #[kani::modifies(x)] + #[kani::modifies(y)] + pub fn swap(x: &mut T, y: &mut T) { + core::mem::swap(x, y) + } +} + +mod verify { + use super::*; + + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_primitive() { + let mut x: u8 = kani::any(); + let mut y: u8 = kani::any(); + contracts::swap(&mut x, &mut y) + } +} diff --git a/tests/expected/function-contract/modifies/unique_arguments.rs b/tests/expected/function-contract/modifies/unique_arguments.rs index 396ba4c5b036..ea4502bde2ad 100644 --- a/tests/expected/function-contract/modifies/unique_arguments.rs +++ b/tests/expected/function-contract/modifies/unique_arguments.rs @@ -4,8 +4,8 @@ #[kani::modifies(a)] #[kani::modifies(b)] -#[kani::ensures(*a == 1)] -#[kani::ensures(*b == 2)] +#[kani::ensures(|result| *a == 1)] +#[kani::ensures(|result| *b == 2)] fn two_pointers(a: &mut u32, b: &mut u32) { *a = 1; *b = 2; diff --git a/tests/expected/function-contract/modifies/vec_pass.expected b/tests/expected/function-contract/modifies/vec_pass.expected index d31486f2dcc6..4d5407fdd850 100644 --- a/tests/expected/function-contract/modifies/vec_pass.expected +++ b/tests/expected/function-contract/modifies/vec_pass.expected @@ -15,6 +15,6 @@ in function modify_replace assertion\ - Status: SUCCESS\ -- Description: "v[0] == src" +- Description: "|result| v[0] == src" VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/vec_pass.rs b/tests/expected/function-contract/modifies/vec_pass.rs index 1e40a2a08eb7..e3ac28ac3b3d 100644 --- a/tests/expected/function-contract/modifies/vec_pass.rs +++ b/tests/expected/function-contract/modifies/vec_pass.rs @@ -4,7 +4,7 @@ #[kani::requires(v.len() > 0)] #[kani::modifies(&v[0])] -#[kani::ensures(v[0] == src)] +#[kani::ensures(|result| v[0] == src)] fn modify(v: &mut Vec, src: u32) { v[0] = src } diff --git a/tests/expected/function-contract/modifies_fat_pointer/nondeterministic_size.expected b/tests/expected/function-contract/modifies_fat_pointer/nondeterministic_size.expected new file mode 100644 index 000000000000..2fab679b5cba --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/nondeterministic_size.expected @@ -0,0 +1,5 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| x.iter().map(|v| *v == 0).fold(true,|a,b|a&b)"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies_fat_pointer/nondeterministic_size.rs b/tests/expected/function-contract/modifies_fat_pointer/nondeterministic_size.rs new file mode 100644 index 000000000000..faf1d9d44581 --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/nondeterministic_size.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +// Test that modifies a slice of nondeterministic size + +#[kani::modifies(x)] +#[kani::ensures(|_| x.iter().map(|v| *v == 0).fold(true,|a,b|a&b))] +fn zero(x: &mut [u8]) { + x.fill(0) +} + +#[kani::proof_for_contract(zero)] +fn harness() { + let mut x = [0..kani::any()].map(|_| kani::any()); + zero(&mut x); +} diff --git a/tests/expected/function-contract/modifies_fat_pointer/slice_of_array.expected b/tests/expected/function-contract/modifies_fat_pointer/slice_of_array.expected new file mode 100644 index 000000000000..d0fc296ef4d7 --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/slice_of_array.expected @@ -0,0 +1,5 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| x[0..3].iter().map(|v| *v == 0).fold(true,|a,b|a&b)"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies_fat_pointer/slice_of_array.rs b/tests/expected/function-contract/modifies_fat_pointer/slice_of_array.rs new file mode 100644 index 000000000000..a0f6c10ad694 --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/slice_of_array.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +// Test that modifies a slice containing u32 size data + +#[kani::modifies(&x[0..3])] +#[kani::ensures(|_| x[0..3].iter().map(|v| *v == 0).fold(true,|a,b|a&b))] +fn zero(x: &mut [u32; 6]) { + x[0..3].fill(0) +} + +#[kani::proof_for_contract(zero)] +fn harness() { + let mut x = [kani::any(), kani::any(), kani::any(), kani::any(), kani::any(), kani::any()]; + zero(&mut x); +} diff --git a/tests/expected/function-contract/modifies_fat_pointer/string_rewrite_ignore.rs b/tests/expected/function-contract/modifies_fat_pointer/string_rewrite_ignore.rs new file mode 100644 index 000000000000..d8780068a0da --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/string_rewrite_ignore.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +// Test that modifies a string + +#[kani::requires(x == "aaa")] +#[kani::modifies(x)] +#[kani::ensures(|_| x == "AAA")] +fn to_upper(x: &mut str) { + x.make_ascii_uppercase(); +} + +#[kani::proof_for_contract(to_upper)] +fn harness() { + let mut s = String::from("aaa"); + let x: &mut str = s.as_mut_str(); + to_upper(x); +} diff --git a/tests/expected/function-contract/modifies_fat_pointer/u32slice.expected b/tests/expected/function-contract/modifies_fat_pointer/u32slice.expected new file mode 100644 index 000000000000..2fab679b5cba --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/u32slice.expected @@ -0,0 +1,5 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| x.iter().map(|v| *v == 0).fold(true,|a,b|a&b)"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies_fat_pointer/u32slice.rs b/tests/expected/function-contract/modifies_fat_pointer/u32slice.rs new file mode 100644 index 000000000000..ea61de83e969 --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/u32slice.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +// Test that modifies a slice containing u32 size data + +#[kani::modifies(x)] +#[kani::ensures(|_| x.iter().map(|v| *v == 0).fold(true,|a,b|a&b))] +fn zero(x: &mut [u32]) { + x.fill(0) +} + +#[kani::proof_for_contract(zero)] +fn harness() { + let mut x = [kani::any(), kani::any(), kani::any()]; + zero(&mut x); +} diff --git a/tests/expected/function-contract/modifies_fat_pointer/u8slice.expected b/tests/expected/function-contract/modifies_fat_pointer/u8slice.expected new file mode 100644 index 000000000000..2fab679b5cba --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/u8slice.expected @@ -0,0 +1,5 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|_| x.iter().map(|v| *v == 0).fold(true,|a,b|a&b)"\ + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies_fat_pointer/u8slice.rs b/tests/expected/function-contract/modifies_fat_pointer/u8slice.rs new file mode 100644 index 000000000000..07e213db0adc --- /dev/null +++ b/tests/expected/function-contract/modifies_fat_pointer/u8slice.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +// Test that modifies a slice containing bytesize data + +#[kani::modifies(x)] +#[kani::ensures(|_| x.iter().map(|v| *v == 0).fold(true,|a,b|a&b))] +fn zero(x: &mut [u8]) { + x.fill(0) +} + +#[kani::proof_for_contract(zero)] +fn harness() { + let mut x = [kani::any(), kani::any(), kani::any()]; + zero(&mut x); +} diff --git a/tests/expected/function-contract/pattern_use.rs b/tests/expected/function-contract/pattern_use.rs index a51312acd2f0..ead1c1538b4d 100644 --- a/tests/expected/function-contract/pattern_use.rs +++ b/tests/expected/function-contract/pattern_use.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div((dividend, divisor): (u32, u32)) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs b/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs index 3d88fc0926ed..1b3653951ad1 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_pointer(t: *const bool) {} #[kani::proof_for_contract(allowed_pointer)] diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs b/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs index 22771f76632d..2c41bf28d741 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_mut_ref(t: &mut bool) {} #[kani::proof_for_contract(allowed_mut_ref)] diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs b/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs index e5151396898d..fdab681e0c05 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs @@ -17,7 +17,7 @@ impl<'a> kani::Arbitrary for ArbitraryPointer<&'a mut bool> { } } -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_mut_return_ref<'a>() -> ArbitraryPointer<&'a mut bool> { ArbitraryPointer(unsafe { &mut B as &'a mut bool }) } diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs b/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs index 3dd4145eff9c..cef3e87ee0f2 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_ref(t: &bool) {} #[kani::proof_for_contract(allowed_ref)] diff --git a/tests/expected/function-contract/prohibit-pointers/hidden.expected b/tests/expected/function-contract/prohibit-pointers/hidden.expected index 59e40d5aadc8..34c886c358cb 100644 --- a/tests/expected/function-contract/prohibit-pointers/hidden.expected +++ b/tests/expected/function-contract/prohibit-pointers/hidden.expected @@ -1 +1 @@ -error: This argument contains a mutable pointer (*mut u32). This is prohibited for functions with contracts, as they cannot yet reason about the pointer behavior. +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/prohibit-pointers/hidden.rs b/tests/expected/function-contract/prohibit-pointers/hidden.rs index 9ca23fe6b2e1..1a9b7a475479 100644 --- a/tests/expected/function-contract/prohibit-pointers/hidden.rs +++ b/tests/expected/function-contract/prohibit-pointers/hidden.rs @@ -6,7 +6,7 @@ struct HidesAPointer(*mut u32); -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn hidden_pointer(h: HidesAPointer) {} #[kani::proof_for_contract(hidden_pointer)] diff --git a/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected b/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected index 916854aa3131..34c886c358cb 100644 --- a/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected +++ b/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected @@ -1 +1 @@ -error: This argument contains a mutable pointer (*mut i32). This is prohibited for functions with contracts, as they cannot yet reason about the pointer behavior. +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs b/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs index 24e9d006a9c0..868327e15046 100644 --- a/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs +++ b/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn plain_pointer(t: *mut i32) {} #[kani::proof_for_contract(plain_pointer)] diff --git a/tests/expected/function-contract/prohibit-pointers/return_pointer.expected b/tests/expected/function-contract/prohibit-pointers/return_pointer.expected index 8f3689888d92..34c886c358cb 100644 --- a/tests/expected/function-contract/prohibit-pointers/return_pointer.expected +++ b/tests/expected/function-contract/prohibit-pointers/return_pointer.expected @@ -1 +1 @@ -error: The return contains a pointer (*const usize). This is prohibited for functions with contracts, as they cannot yet reason about the pointer behavior. +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/prohibit-pointers/return_pointer.rs b/tests/expected/function-contract/prohibit-pointers/return_pointer.rs index fc279667ad13..6314129ddf89 100644 --- a/tests/expected/function-contract/prohibit-pointers/return_pointer.rs +++ b/tests/expected/function-contract/prohibit-pointers/return_pointer.rs @@ -2,24 +2,16 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#![allow(unreachable_code, unused_variables)] - -/// This only exists so I can fake a [`kani::Arbitrary`] instance for `*const -/// usize`. -struct ArbitraryPointer

(P); - -impl kani::Arbitrary for ArbitraryPointer<*const usize> { - fn any() -> Self { - unreachable!() - } -} - -#[kani::ensures(true)] -fn return_pointer() -> ArbitraryPointer<*const usize> { - unreachable!() +#[kani::ensures(|result : &*const usize| unsafe{ **result == *input })] +fn return_pointer(input: *const usize) -> *const usize { + input } #[kani::proof_for_contract(return_pointer)] fn return_ptr_harness() { - return_pointer(); + let input: usize = 10; + let input_ptr = &input as *const usize; + unsafe { + assert!(*(return_pointer(input_ptr)) == input); + } } diff --git a/tests/expected/function-contract/simple_ensures_fail.expected b/tests/expected/function-contract/simple_ensures_fail.expected index 8e9b42d42640..360242d07daf 100644 --- a/tests/expected/function-contract/simple_ensures_fail.expected +++ b/tests/expected/function-contract/simple_ensures_fail.expected @@ -1,8 +1,8 @@ assertion\ - Status: FAILURE\ -- Description: "result == x"\ +- Description: "|result : &u32| *result == x"\ in function max -Failed Checks: result == x +Failed Checks: |result : &u32| *result == x VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/simple_ensures_fail.rs b/tests/expected/function-contract/simple_ensures_fail.rs index 687853612dcc..43521b171ea7 100644 --- a/tests/expected/function-contract/simple_ensures_fail.rs +++ b/tests/expected/function-contract/simple_ensures_fail.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result == x)] +#[kani::ensures(|result : &u32| *result == x)] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/simple_ensures_pass.expected b/tests/expected/function-contract/simple_ensures_pass.expected index 5a7874964413..bdcde74c3bfe 100644 --- a/tests/expected/function-contract/simple_ensures_pass.expected +++ b/tests/expected/function-contract/simple_ensures_pass.expected @@ -1,6 +1,6 @@ assertion\ - Status: SUCCESS\ -- Description: "(result == x) | (result == y)"\ +- Description: "|result : &u32| (*result == x) | (*result == y)"\ in function max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/simple_ensures_pass.rs b/tests/expected/function-contract/simple_ensures_pass.rs index 2d36f5c96e88..7be58fef3b04 100644 --- a/tests/expected/function-contract/simple_ensures_pass.rs +++ b/tests/expected/function-contract/simple_ensures_pass.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures((result == x) | (result == y))] +#[kani::ensures(|result : &u32| (*result == x) | (*result == y))] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/simple_ensures_pass_no_annotation.expected b/tests/expected/function-contract/simple_ensures_pass_no_annotation.expected new file mode 100644 index 000000000000..0779b6dc88f8 --- /dev/null +++ b/tests/expected/function-contract/simple_ensures_pass_no_annotation.expected @@ -0,0 +1,6 @@ +assertion\ +- Status: SUCCESS\ +- Description: "|result| (*result == x) | (*result == y)"\ +in function max + +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/simple_ensures_pass_no_annotation.rs b/tests/expected/function-contract/simple_ensures_pass_no_annotation.rs new file mode 100644 index 000000000000..a3bf30e1c0f7 --- /dev/null +++ b/tests/expected/function-contract/simple_ensures_pass_no_annotation.rs @@ -0,0 +1,14 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result| (*result == x) | (*result == y))] +fn max(x: u32, y: u32) -> u32 { + if x > y { x } else { y } +} + +#[kani::proof_for_contract(max)] +fn max_harness() { + let _ = Box::new(9_usize); + max(7, 6); +} diff --git a/tests/expected/function-contract/simple_replace_fail.rs b/tests/expected/function-contract/simple_replace_fail.rs index 33a531a3aef7..dd448d2cdee6 100644 --- a/tests/expected/function-contract/simple_replace_fail.rs +++ b/tests/expected/function-contract/simple_replace_fail.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts #[kani::requires(divisor != 0)] -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/simple_replace_pass.rs b/tests/expected/function-contract/simple_replace_pass.rs index 0dcc6cd59fe3..7c57cc6a0b7f 100644 --- a/tests/expected/function-contract/simple_replace_pass.rs +++ b/tests/expected/function-contract/simple_replace_pass.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts #[kani::requires(divisor != 0)] -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/type_annotation_needed.rs b/tests/expected/function-contract/type_annotation_needed.rs index 09b20443d47b..5a3b9fbae5b0 100644 --- a/tests/expected/function-contract/type_annotation_needed.rs +++ b/tests/expected/function-contract/type_annotation_needed.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result.is_some())] +#[kani::ensures(|result : &Option| result.is_some())] fn or_default(opt: Option) -> Option { opt.or(Some(T::default())) } diff --git a/tests/expected/function-contract/valid_ptr.expected b/tests/expected/function-contract/valid_ptr.expected new file mode 100644 index 000000000000..1b62781adaaf --- /dev/null +++ b/tests/expected/function-contract/valid_ptr.expected @@ -0,0 +1,11 @@ +Checking harness pre_condition::harness_invalid_ptr... +Failed Checks: Kani does not support reasoning about pointer to unallocated memory +VERIFICATION:- SUCCESSFUL (encountered one or more panics as expected) + +Checking harness pre_condition::harness_stack_ptr... +VERIFICATION:- SUCCESSFUL + +Checking harness pre_condition::harness_head_ptr... +VERIFICATION:- SUCCESSFUL + +Complete - 3 successfully verified harnesses, 0 failures, 3 total diff --git a/tests/expected/function-contract/valid_ptr.rs b/tests/expected/function-contract/valid_ptr.rs new file mode 100644 index 000000000000..2047a46caf4f --- /dev/null +++ b/tests/expected/function-contract/valid_ptr.rs @@ -0,0 +1,61 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts -Zmem-predicates + +//! Test that it is sound to use memory predicates inside a contract pre-condition. +//! We cannot validate post-condition yet. This can be done once we fix: +//! + +mod pre_condition { + /// This contract should succeed only if the input is a valid pointer. + #[kani::requires(kani::mem::can_dereference(ptr))] + unsafe fn read_ptr(ptr: *const i32) -> i32 { + *ptr + } + + #[kani::proof_for_contract(read_ptr)] + fn harness_head_ptr() { + let boxed = Box::new(10); + let raw_ptr = Box::into_raw(boxed); + assert_eq!(unsafe { read_ptr(raw_ptr) }, 10); + let _ = unsafe { Box::from_raw(raw_ptr) }; + } + + #[kani::proof_for_contract(read_ptr)] + fn harness_stack_ptr() { + let val = -20; + assert_eq!(unsafe { read_ptr(&val) }, -20); + } + + #[kani::proof_for_contract(read_ptr)] + #[kani::should_panic] + fn harness_invalid_ptr() { + let ptr = std::ptr::NonNull::::dangling().as_ptr(); + assert_eq!(unsafe { read_ptr(ptr) }, -20); + } +} + +/// TODO: Enable once we fix: +#[cfg(not_supported)] +mod post_condition { + + /// This contract should fail since we are creating a dangling pointer. + #[kani::ensures(kani::mem::can_dereference(result.0))] + unsafe fn new_invalid_ptr() -> PtrWrapper { + let var = 'c'; + PtrWrapper(&var as *const _) + } + + #[kani::proof_for_contract(new_invalid_ptr)] + fn harness() { + let _ = unsafe { new_invalid_ptr() }; + } + + struct PtrWrapper(*const T); + + impl kani::Arbitrary for PtrWrapper { + fn any() -> Self { + unreachable!("Do not invoke stubbing") + } + } +} diff --git a/tests/expected/function-stubbing-no-harness/main.rs b/tests/expected/function-stubbing-no-harness/main.rs index 1819c8dce862..d69192ae2180 100644 --- a/tests/expected/function-stubbing-no-harness/main.rs +++ b/tests/expected/function-stubbing-no-harness/main.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --harness foo --enable-unstable --enable-stubbing +// kani-flags: --harness foo -Z stubbing // //! This tests whether we detect missing harnesses during stubbing. diff --git a/tests/expected/intrinsics/ctpop-ice/ctpop_ice.rs b/tests/expected/intrinsics/ctpop-ice/ctpop_ice.rs deleted file mode 100644 index ea11400e8161..000000000000 --- a/tests/expected/intrinsics/ctpop-ice/ctpop_ice.rs +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Check that we correctly handle type mistmatch when the argument is a ZST type. -//! The compiler crashes today: https://github.com/model-checking/kani/issues/2121 - -#![feature(core_intrinsics)] -use std::intrinsics::ctpop; - -// These shouldn't compile. -#[kani::proof] -pub fn check_zst_ctpop() { - let n = ctpop(()); - assert!(n == ()); -} diff --git a/tests/expected/intrinsics/ctpop-ice/expected b/tests/expected/intrinsics/ctpop-ice/expected deleted file mode 100644 index 1ac989525f36..000000000000 --- a/tests/expected/intrinsics/ctpop-ice/expected +++ /dev/null @@ -1,6 +0,0 @@ -error: Type check failed for intrinsic `ctpop`: Expected integer type, found () - | -12 | let n = ctpop(()); - | ^^^^^^^^^ - -error: aborting due to 1 previous error \ No newline at end of file diff --git a/tests/expected/intrinsics/simd-arith-overflows/main.rs b/tests/expected/intrinsics/simd-arith-overflows/main.rs index 74cfe8ae878f..fc710645fd66 100644 --- a/tests/expected/intrinsics/simd-arith-overflows/main.rs +++ b/tests/expected/intrinsics/simd-arith-overflows/main.rs @@ -2,19 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! This test ensures we detect overflows in SIMD arithmetic operations -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_add, simd_mul, simd_sub}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq, Debug)] pub struct i8x2(i8, i8); -extern "platform-intrinsic" { - fn simd_add(x: T, y: T) -> T; - fn simd_sub(x: T, y: T) -> T; - fn simd_mul(x: T, y: T) -> T; -} - #[kani::proof] fn main() { let a = kani::any(); diff --git a/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs b/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs index f826ae92f3b7..f84cf1d8b9aa 100644 --- a/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs +++ b/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs @@ -3,7 +3,8 @@ //! Checks that storing the result of a vector operation in a vector of //! size different to the operands' sizes causes an error. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_eq; #[repr(simd)] #[allow(non_camel_case_types)] @@ -20,14 +21,6 @@ pub struct u64x2(u64, u64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u32x4(u32, u32, u32, u32); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; -} - #[kani::proof] fn main() { let x = u64x2(0, 0); diff --git a/tests/expected/intrinsics/simd-div-div-zero/main.rs b/tests/expected/intrinsics/simd-div-div-zero/main.rs index 4f613e362947..148ae62a252c 100644 --- a/tests/expected/intrinsics/simd-div-div-zero/main.rs +++ b/tests/expected/intrinsics/simd-div-div-zero/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_div` triggers a failure when the divisor is zero. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_div; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_div() { let dividend = kani::any(); diff --git a/tests/expected/intrinsics/simd-div-rem-overflow/main.rs b/tests/expected/intrinsics/simd-div-rem-overflow/main.rs index e7f2e9fbc48f..5f49e7db6154 100644 --- a/tests/expected/intrinsics/simd-div-rem-overflow/main.rs +++ b/tests/expected/intrinsics/simd-div-rem-overflow/main.rs @@ -1,20 +1,15 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// Checks that the `simd_div` and `simd_rem` intrinsics check for integer overflows. - -#![feature(repr_simd, platform_intrinsics)] +//! Checks that the `simd_div` and `simd_rem` intrinsics check for integer overflows. +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_div, simd_rem}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; - fn simd_rem(x: T, y: T) -> T; -} - unsafe fn do_simd_div(dividends: i32x2, divisors: i32x2) -> i32x2 { simd_div(dividends, divisors) } diff --git a/tests/expected/intrinsics/simd-extract-wrong-type/main.rs b/tests/expected/intrinsics/simd-extract-wrong-type/main.rs index 5d32f1ed9de8..b8fb5a3ffc6f 100644 --- a/tests/expected/intrinsics/simd-extract-wrong-type/main.rs +++ b/tests/expected/intrinsics/simd-extract-wrong-type/main.rs @@ -4,17 +4,14 @@ //! This test checks that we emit an error when the return type for //! `simd_extract` has a type different to the first argument's (i.e., the //! vector) base type. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_extract; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_extract(x: T, idx: u32) -> U; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-insert-wrong-type/main.rs b/tests/expected/intrinsics/simd-insert-wrong-type/main.rs index ec2edfc110dd..6c4946a051b6 100644 --- a/tests/expected/intrinsics/simd-insert-wrong-type/main.rs +++ b/tests/expected/intrinsics/simd-insert-wrong-type/main.rs @@ -4,17 +4,14 @@ //! This test checks that we emit an error when the third argument for //! `simd_insert` (the value to be inserted) has a type different to the first //! argument's (i.e., the vector) base type. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_insert; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_insert(x: T, idx: u32, b: U) -> T; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-rem-div-zero/main.rs b/tests/expected/intrinsics/simd-rem-div-zero/main.rs index 715de058154b..4393808ac039 100644 --- a/tests/expected/intrinsics/simd-rem-div-zero/main.rs +++ b/tests/expected/intrinsics/simd-rem-div-zero/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_rem` triggers a failure when the divisor is zero -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_rem; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_rem(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_rem() { let dividend = kani::any(); diff --git a/tests/expected/intrinsics/simd-result-type-is-float/main.rs b/tests/expected/intrinsics/simd-result-type-is-float/main.rs index 18a2152b93c5..01286de9cdd8 100644 --- a/tests/expected/intrinsics/simd-result-type-is-float/main.rs +++ b/tests/expected/intrinsics/simd-result-type-is-float/main.rs @@ -3,7 +3,8 @@ //! Checks that storing the result of a vector comparison in a vector of floats //! causes an error. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_eq; #[repr(simd)] #[allow(non_camel_case_types)] @@ -25,14 +26,6 @@ pub struct u32x4(u32, u32, u32, u32); #[derive(Clone, Copy, PartialEq)] pub struct f32x2(f32, f32); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; -} - #[kani::proof] fn main() { let x = u64x2(0, 0); diff --git a/tests/expected/intrinsics/simd-shl-shift-negative/main.rs b/tests/expected/intrinsics/simd-shl-shift-negative/main.rs index 0c7116b30567..2b7b2a418e19 100644 --- a/tests/expected/intrinsics/simd-shl-shift-negative/main.rs +++ b/tests/expected/intrinsics/simd-shl-shift-negative/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shl` returns a failure if the shift distance is negative. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shl; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shl(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shl() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs b/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs index fff9aadf1900..dada7a5a8b84 100644 --- a/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs +++ b/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shl` returns a failure if the shift distance is too large. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shl; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shl(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shl() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shr-shift-negative/main.rs b/tests/expected/intrinsics/simd-shr-shift-negative/main.rs index 580f0337db25..dc38955099a2 100644 --- a/tests/expected/intrinsics/simd-shr-shift-negative/main.rs +++ b/tests/expected/intrinsics/simd-shr-shift-negative/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shr` returns a failure if the shift distance is negative. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shr; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shr(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shr() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs b/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs index 3d9cd5e0c919..70ae0ad0da45 100644 --- a/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs +++ b/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shr` returns a failure if the shift distance is too large. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shr; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shr(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shr() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs b/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs index d8a4c22de85f..0f7c42d2d46c 100644 --- a/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs +++ b/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs @@ -3,17 +3,14 @@ //! Checks that `simd_shuffle` triggers an out-of-bounds failure when any of the //! indexes supplied is greater than the combined size of the input vectors. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: U) -> V; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs index 25796f6c22e7..6345f5516101 100644 --- a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs +++ b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs @@ -3,7 +3,8 @@ //! Checks that Kani triggers an error when the result type doesn't have the //! length expected from a `simd_shuffle` call. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,10 +16,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x4(i64, i64, i64, i64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: I) -> U; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs index 6bdadae159f8..81f176700152 100644 --- a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs +++ b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs @@ -3,7 +3,8 @@ //! Checks that Kani triggers an error when the result type doesn't have the //! subtype expected from a `simd_shuffle` call. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,10 +16,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq)] pub struct f64x2(f64, f64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: I) -> U; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/issue-2589/issue_2589.expected b/tests/expected/issue-2589/issue_2589.expected index 0352a8933b6d..a753bc7390a0 100644 --- a/tests/expected/issue-2589/issue_2589.expected +++ b/tests/expected/issue-2589/issue_2589.expected @@ -1 +1 @@ -error: Type `std::string::String` does not implement trait `Dummy`. This is likely because `original` is used as a stub but its generic bounds are not being met. +error: Type `std::string::String` does not implement trait `Dummy`. This is likely because `stub` is used as a stub but its generic bounds are not being met. diff --git a/tests/expected/iterator/main.rs b/tests/expected/iterator/main.rs index b1cb4a89cfbf..5cf9402bcb23 100644 --- a/tests/expected/iterator/main.rs +++ b/tests/expected/iterator/main.rs @@ -2,6 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT #[kani::proof] +#[kani::unwind(4)] fn main() { let mut z = 1; for i in 1..4 { diff --git a/tests/expected/offset-wraps-around/main.rs b/tests/expected/offset-wraps-around/main.rs index 62ec6902020b..3e83eacc4c2d 100644 --- a/tests/expected/offset-wraps-around/main.rs +++ b/tests/expected/offset-wraps-around/main.rs @@ -1,4 +1,4 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // Check that a high offset causes a "wrapping around" behavior in CBMC. diff --git a/tests/expected/ptr_to_ref_cast/expected b/tests/expected/ptr_to_ref_cast/expected new file mode 100644 index 000000000000..1b449911af11 --- /dev/null +++ b/tests/expected/ptr_to_ref_cast/expected @@ -0,0 +1,75 @@ +Checking harness check_zst_deref... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function zst_deref + +VERIFICATION:- FAILED + +Checking harness check_equal_size_deref... + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function equal_size_deref + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function equal_size_deref + +VERIFICATION:- SUCCESSFUL + +Checking harness check_smaller_deref... + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function smaller_deref + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function smaller_deref + +VERIFICATION:- SUCCESSFUL + +Checking harness check_larger_deref_struct... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function larger_deref_struct + +VERIFICATION:- FAILED + +Checking harness check_larger_deref_into_ptr... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function larger_deref_into_ptr + +VERIFICATION:- FAILED + +Checking harness check_larger_deref... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function larger_deref + +VERIFICATION:- FAILED + +Checking harness check_store... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function Store::<'_, 3>::from + +Status: SUCCESS\ +Description: "assertion failed: broken.data.len() == 3"\ +in function check_store + +VERIFICATION:- FAILED + +Summary: +Verification failed for - check_zst_deref +Verification failed for - check_larger_deref_struct +Verification failed for - check_larger_deref_into_ptr +Verification failed for - check_larger_deref +Verification failed for - check_store +Complete - 2 successfully verified harnesses, 5 failures, 7 total. \ No newline at end of file diff --git a/tests/expected/ptr_to_ref_cast/ptr_to_ref_cast.rs b/tests/expected/ptr_to_ref_cast/ptr_to_ref_cast.rs new file mode 100644 index 000000000000..3b713a34d967 --- /dev/null +++ b/tests/expected/ptr_to_ref_cast/ptr_to_ref_cast.rs @@ -0,0 +1,140 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z ptr-to-ref-cast-checks + +//! This test case checks that raw pointer validity is checked before converting it to a reference, e.g., &(*ptr). + +// 1. Original example. + +struct Store<'a, const LEN: usize> { + data: [&'a i128; LEN], +} + +impl<'a, const LEN: usize> Store<'a, LEN> { + pub fn from(var: &i64) -> Self { + let ref1: *const i64 = var; + let ref2: *const i128 = ref1 as *const i128; + unsafe { + Store { data: [&*ref2; LEN] } // ---- THIS LINE SHOULD FAIL + } + } +} + +#[kani::proof] +pub fn check_store() { + let val = 1; + let broken = Store::<3>::from(&val); + assert_eq!(broken.data.len(), 3) +} + +// 2. Make sure the error is raised when casting to a simple type of a larger size. + +pub fn larger_deref(var: &i64) { + let ref1: *const i64 = var; + let ref2: *const i128 = ref1 as *const i128; + let ref3: &i128 = unsafe { &*ref2 }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_larger_deref() { + let var: i64 = kani::any(); + larger_deref(&var); +} + +// 3. Make sure the error is raised when casting to a simple type of a larger size and storing the result in a pointer. + +pub fn larger_deref_into_ptr(var: &i64) { + let ref1: *const i64 = var; + let ref2: *const i128 = ref1 as *const i128; + let ref3: *const i128 = unsafe { &*ref2 }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_larger_deref_into_ptr() { + let var: i64 = kani::any(); + larger_deref_into_ptr(&var); +} + +// 4. Make sure the error is raised when casting to a struct of a larger size. + +#[derive(kani::Arbitrary)] +struct Foo { + a: u8, +} + +#[derive(kani::Arbitrary)] +struct Bar { + a: u8, + b: u64, + c: u64, +} + +pub fn larger_deref_struct(var: &Foo) { + let ref1: *const Foo = var; + let ref2: *const Bar = ref1 as *const Bar; + let ref3: &Bar = unsafe { &*ref2 }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_larger_deref_struct() { + let var: Foo = kani::any(); + larger_deref_struct(&var); +} + +// 5. Make sure the error is not raised if the target size is smaller. + +pub fn smaller_deref(var: &i64, var_struct: &Bar) { + let ref1: *const i64 = var; + let ref2: *const i32 = ref1 as *const i32; + let ref3: &i32 = unsafe { &*ref2 }; + + let ref1_struct: *const Bar = var_struct; + let ref2_struct: *const Foo = ref1_struct as *const Foo; + let ref3_struct: &Foo = unsafe { &*ref2_struct }; +} + +#[kani::proof] +pub fn check_smaller_deref() { + let var: i64 = kani::any(); + let var_struct: Bar = kani::any(); + smaller_deref(&var, &var_struct); +} + +// 6. Make sure the error is not raised if the target size is the same. + +pub fn equal_size_deref(var: &i64, var_struct: &Foo) { + let ref1: *const i64 = var; + let ref2: &i64 = unsafe { &*ref1 }; + + let ref1_struct: *const Foo = var_struct; + let ref2_struct: &Foo = unsafe { &*ref1_struct }; +} + +#[kani::proof] +pub fn check_equal_size_deref() { + let var: i64 = kani::any(); + let var_struct: Foo = kani::any(); + equal_size_deref(&var, &var_struct); +} + +// 7. Make sure the check works with ZSTs. + +#[derive(kani::Arbitrary)] +struct Zero; + +pub fn zst_deref(var_struct: &Foo, var_zst: &Zero) { + let ref1_struct: *const Foo = var_struct; + let ref2_struct: *const Zero = ref1_struct as *const Zero; + let ref3_struct: &Zero = unsafe { &*ref2_struct }; + + let ref1_zst: *const Zero = var_zst; + let ref2_zst: *const Foo = ref1_zst as *const Foo; + let ref3_zst: &Foo = unsafe { &*ref2_zst }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_zst_deref() { + let var_struct: Foo = kani::any(); + let var_zst: Zero = kani::any(); + zst_deref(&var_struct, &var_zst); +} diff --git a/tests/expected/safety-constraint-attribute/abstract-value/abstract-value.rs b/tests/expected/safety-constraint-attribute/abstract-value/abstract-value.rs new file mode 100644 index 000000000000..6e29938d4d5a --- /dev/null +++ b/tests/expected/safety-constraint-attribute/abstract-value/abstract-value.rs @@ -0,0 +1,30 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `#[safety_constraint(...)]` attribute works as expected when +//! deriving `Arbitrary` and `Invariant` implementations. + +//! In this case, we test the attribute on a struct with a generic type `T` +//! which requires the bound `From` because of the comparisons in the +//! `#[safety_constraint(...)]` predicate. The struct represents an abstract +//! value for which we only track its sign. The actual value is kept private. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +#[safety_constraint((*positive && *conc_value >= 0.into()) || (!*positive && *conc_value < 0.into()))] +struct AbstractValue +where + T: PartialOrd + From, +{ + pub positive: bool, + conc_value: T, +} + +#[kani::proof] +fn check_abstract_value() { + let value: AbstractValue = kani::any(); + assert!(value.is_safe()); +} diff --git a/tests/expected/safety-constraint-attribute/abstract-value/expected b/tests/expected/safety-constraint-attribute/abstract-value/expected new file mode 100644 index 000000000000..2fc76378041d --- /dev/null +++ b/tests/expected/safety-constraint-attribute/abstract-value/expected @@ -0,0 +1,7 @@ +Check 1: check_abstract_value.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: value.is_safe()" + +VERIFICATION:- SUCCESSFUL + +Complete - 1 successfully verified harnesses, 0 failures, 1 total. diff --git a/tests/expected/safety-constraint-attribute/check-arbitrary/check-arbitrary.rs b/tests/expected/safety-constraint-attribute/check-arbitrary/check-arbitrary.rs new file mode 100644 index 000000000000..6e2b3ab97812 --- /dev/null +++ b/tests/expected/safety-constraint-attribute/check-arbitrary/check-arbitrary.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `#[safety_constraint(...)]` attribute works as expected when +//! deriving `Arbitrary` and `Invariant` implementations. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +#[safety_constraint(*x >= 0 && *y >= 0)] +struct Point { + x: i32, + y: i32, +} + +#[kani::proof] +fn check_arbitrary() { + let point: Point = kani::any(); + assert!(point.x >= 0); + assert!(point.y >= 0); + assert!(point.is_safe()); +} diff --git a/tests/expected/safety-constraint-attribute/check-arbitrary/expected b/tests/expected/safety-constraint-attribute/check-arbitrary/expected new file mode 100644 index 000000000000..ee1e13bb726d --- /dev/null +++ b/tests/expected/safety-constraint-attribute/check-arbitrary/expected @@ -0,0 +1,11 @@ +Check 1: check_arbitrary.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: point.x >= 0" + +Check 2: check_arbitrary.assertion.2\ + - Status: SUCCESS\ + - Description: "assertion failed: point.y >= 0" + +Check 3: check_arbitrary.assertion.3\ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" diff --git a/tests/expected/safety-constraint-attribute/check-invariant/check-invariant.rs b/tests/expected/safety-constraint-attribute/check-invariant/check-invariant.rs new file mode 100644 index 000000000000..fce7319779f0 --- /dev/null +++ b/tests/expected/safety-constraint-attribute/check-invariant/check-invariant.rs @@ -0,0 +1,27 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `#[safety_constraint(...)]` attribute works as expected when +//! deriving `Arbitrary` and `Invariant` implementations. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +#[safety_constraint(*x == *y)] +struct SameCoordsPoint { + x: i32, + y: i32, +} + +#[kani::proof] +fn check_invariant() { + let point: SameCoordsPoint = kani::any(); + assert!(point.is_safe()); + + // Assuming `point.x != point.y` here should be like assuming `false`. + // The assertion should be unreachable because we're blocking the path. + kani::assume(point.x != point.y); + assert!(false, "this assertion should be unreachable"); +} diff --git a/tests/expected/safety-constraint-attribute/check-invariant/expected b/tests/expected/safety-constraint-attribute/check-invariant/expected new file mode 100644 index 000000000000..a4605f03b7b4 --- /dev/null +++ b/tests/expected/safety-constraint-attribute/check-invariant/expected @@ -0,0 +1,7 @@ +Check 1: check_invariant.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" + +Check 2: check_invariant.assertion.2\ + - Status: UNREACHABLE\ + - Description: ""this assertion should be unreachable"" diff --git a/tests/expected/safety-constraint-attribute/grade-example/expected b/tests/expected/safety-constraint-attribute/grade-example/expected new file mode 100644 index 000000000000..fd95a713d65a --- /dev/null +++ b/tests/expected/safety-constraint-attribute/grade-example/expected @@ -0,0 +1,11 @@ +Grade::check_percentage_safety.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: self.percentage <= 100" + +check_grade_safe.assertion.1\ + - Status: SUCCESS\ + - Description: "assertion failed: grade.is_safe()" + +VERIFICATION:- SUCCESSFUL + +Complete - 1 successfully verified harnesses, 0 failures, 1 total. diff --git a/tests/expected/safety-constraint-attribute/grade-example/grade-example.rs b/tests/expected/safety-constraint-attribute/grade-example/grade-example.rs new file mode 100644 index 000000000000..7998ab27df49 --- /dev/null +++ b/tests/expected/safety-constraint-attribute/grade-example/grade-example.rs @@ -0,0 +1,43 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `#[safety_constraint(...)]` attribute works as expected when +//! deriving `Arbitrary` and `Invariant` implementations. + +//! In this case, we test the attribute on a struct that represents a hybrid +//! grade (letter-numerical) which should keep the following equivalences: +//! - A for 90-100% +//! - B for 80-89% +//! - C for 70-79% +//! - D for 60-69% +//! - F for 0-59% +//! +//! In addition, we explicitly test that `percentage` is 0-100% + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +#[safety_constraint((*letter == 'A' && *percentage >= 90 && *percentage <= 100) || + (*letter == 'B' && *percentage >= 80 && *percentage < 90) || + (*letter == 'C' && *percentage >= 70 && *percentage < 80) || + (*letter == 'D' && *percentage >= 60 && *percentage < 70) || + (*letter == 'F' && *percentage < 60))] +struct Grade { + letter: char, + percentage: u32, +} + +impl Grade { + pub fn check_percentage_safety(&self) { + assert!(self.percentage <= 100); + } +} + +#[kani::proof] +fn check_grade_safe() { + let grade: Grade = kani::any(); + assert!(grade.is_safe()); + grade.check_percentage_safety(); +} diff --git a/tests/expected/shadow/slices/slice_of_array/expected b/tests/expected/shadow/slices/slice_of_array/expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/shadow/slices/slice_of_array/expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/shadow/slices/slice_of_array/test.rs b/tests/expected/shadow/slices/slice_of_array/test.rs new file mode 100644 index 000000000000..b5ac3abae126 --- /dev/null +++ b/tests/expected/shadow/slices/slice_of_array/test.rs @@ -0,0 +1,34 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This test demonstrates a possible usage of the shadow memory API to check that +// every element of an arbitrary slice of an array is initialized. +// Since the instrumentation is done manually in the harness only but not inside +// the library functions, the test only verifies that the slices point to memory +// that is within the original array. + +const N: usize = 16; + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +#[kani::proof] +#[kani::unwind(31)] +fn check_slice_init() { + let arr: [char; N] = kani::any(); + // tag every element of the array as initialized + for i in &arr { + unsafe { + SM.set(i as *const char, true); + } + } + // create an arbitrary slice of the array + let end: usize = kani::any_where(|x| *x <= N); + let begin: usize = kani::any_where(|x| *x < end); + let slice = &arr[begin..end]; + + // verify that all elements of the slice are initialized + for i in slice { + assert!(unsafe { SM.get(i as *const char) }); + } +} diff --git a/tests/expected/shadow/slices/slice_reverse/expected b/tests/expected/shadow/slices/slice_reverse/expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/shadow/slices/slice_reverse/expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/shadow/slices/slice_reverse/test.rs b/tests/expected/shadow/slices/slice_reverse/test.rs new file mode 100644 index 000000000000..4810958e2fe1 --- /dev/null +++ b/tests/expected/shadow/slices/slice_reverse/test.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This test demonstrates a possible usage of the shadow memory API to check that +// every element of a reversed array is initialized. +// Since the instrumentation is done manually in the harness only but not inside +// the `reverse` function, the test only verifies that the resulting array +// occupies the same memory as the original one. + +const N: usize = 32; + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +#[kani::proof] +fn check_reverse() { + let mut a: [u16; N] = kani::any(); + for i in &a { + unsafe { SM.set(i as *const u16, true) }; + } + a.reverse(); + + for i in &a { + unsafe { + assert!(SM.get(i as *const u16)); + } + } +} diff --git a/tests/expected/shadow/slices/slice_split/expected b/tests/expected/shadow/slices/slice_split/expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/shadow/slices/slice_split/expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/shadow/slices/slice_split/test.rs b/tests/expected/shadow/slices/slice_split/test.rs new file mode 100644 index 000000000000..273d717572d1 --- /dev/null +++ b/tests/expected/shadow/slices/slice_split/test.rs @@ -0,0 +1,35 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This test demonstrates a possible usage of the shadow memory API to check that +// every element of an array split into two slices is initialized. +// Since the instrumentation is done manually in the harness only but not inside +// the `split_at_checked` function, the test only verifies that the resulting +// slices occupy the same memory as the original array. + +const N: usize = 16; + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +#[kani::proof] +#[kani::unwind(17)] +fn check_reverse() { + let a: [bool; N] = kani::any(); + for i in &a { + unsafe { SM.set(i as *const bool, true) }; + } + let index: usize = kani::any_where(|x| *x <= N); + let (s1, s2) = a.split_at_checked(index).unwrap(); + + for i in s1 { + unsafe { + assert!(SM.get(i as *const bool)); + } + } + for i in s2 { + unsafe { + assert!(SM.get(i as *const bool)); + } + } +} diff --git a/tests/expected/shadow/uninit_array/expected b/tests/expected/shadow/uninit_array/expected new file mode 100644 index 000000000000..1d5f70698010 --- /dev/null +++ b/tests/expected/shadow/uninit_array/expected @@ -0,0 +1,3 @@ +Failed Checks: assertion failed: SM.get(p) +Verification failed for - check_init_any +Complete - 1 successfully verified harnesses, 1 failures, 2 total. diff --git a/tests/expected/shadow/uninit_array/test.rs b/tests/expected/shadow/uninit_array/test.rs new file mode 100644 index 000000000000..8a9536e5a8e8 --- /dev/null +++ b/tests/expected/shadow/uninit_array/test.rs @@ -0,0 +1,59 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This is a basic test for the shadow memory implementation. +// It checks that shadow memory can be used to track whether a memory location +// is initialized. + +use std::alloc::{alloc, dealloc, Layout}; + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +fn write(ptr: *mut i8, offset: usize, x: i8) { + unsafe { + let p = ptr.offset(offset as isize); + p.write(x); + SM.set(p as *const i8, true); + }; +} + +fn check_init(b: bool) { + // allocate an array of 5 i8's + let layout = Layout::array::(5).unwrap(); + let ptr = unsafe { alloc(layout) as *mut i8 }; + + // unconditionally write to all 5 locations except for the middle element + write(ptr, 0, 0); + write(ptr, 1, 1); + if b { + write(ptr, 2, 2) + }; + write(ptr, 3, 3); + write(ptr, 4, 4); + + // non-deterministically read from any of the elements and assert that: + // 1. The memory location is initialized + // 2. It has the expected value + // This would fail if `b` is false and `index == 2` + let index: usize = kani::any(); + if index < 5 { + unsafe { + let p = ptr.offset(index as isize); + let x = p.read(); + assert!(SM.get(p)); + assert_eq!(x, index as i8); + } + } + unsafe { dealloc(ptr as *mut u8, layout) }; +} + +#[kani::proof] +fn check_init_true() { + check_init(true); +} + +#[kani::proof] +fn check_init_any() { + check_init(kani::any()); +} diff --git a/tests/expected/shadow/unsupported_num_objects/expected b/tests/expected/shadow/unsupported_num_objects/expected new file mode 100644 index 000000000000..da3b5a671969 --- /dev/null +++ b/tests/expected/shadow/unsupported_num_objects/expected @@ -0,0 +1,3 @@ +Failed Checks: The number of objects exceeds the maximum number supported by Kani's shadow memory model (1024) +Verification failed for - check_max_objects_fail +Complete - 1 successfully verified harnesses, 1 failures, 2 total. diff --git a/tests/expected/shadow/unsupported_num_objects/test.rs b/tests/expected/shadow/unsupported_num_objects/test.rs new file mode 100644 index 000000000000..88b1171ef09d --- /dev/null +++ b/tests/expected/shadow/unsupported_num_objects/test.rs @@ -0,0 +1,41 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This test checks the maximum number of objects supported by Kani's shadow +// memory model (currently 1024) + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +fn check_max_objects() { + let mut i = 0; + // A dummy loop that creates `N`` objects. + // After the loop, CBMC's object ID counter should be at `N` + 2: + // - `N` created in the loop + + // - the NULL pointer whose object ID is 0, and + // - the object ID for `i` + while i < N { + let x: Box = Box::new(i); + assert_eq!(kani::mem::pointer_object(&*x as *const usize), 2 * i + 2); + i += 1; + } + + // create a new object whose ID is `N` + 2 + let x = 42; + assert_eq!(kani::mem::pointer_object(&x as *const i32), 2 * N + 2); + // the following call to `set` would fail if the object ID for `x` exceeds + // the maximum allowed by Kani's shadow memory model + unsafe { + SM.set(&x as *const i32, true); + } +} + +#[kani::proof] +fn check_max_objects_pass() { + check_max_objects::<510>(); +} + +#[kani::proof] +fn check_max_objects_fail() { + check_max_objects::<511>(); +} diff --git a/tests/expected/shadow/unsupported_object_size/expected b/tests/expected/shadow/unsupported_object_size/expected new file mode 100644 index 000000000000..a4598b5aac82 --- /dev/null +++ b/tests/expected/shadow/unsupported_object_size/expected @@ -0,0 +1,3 @@ +Failed Checks: The object size exceeds the maximum size supported by Kani's shadow memory model (64) +Verification failed for - check_max_object_size_fail +Complete - 1 successfully verified harnesses, 1 failures, 2 total. diff --git a/tests/expected/shadow/unsupported_object_size/test.rs b/tests/expected/shadow/unsupported_object_size/test.rs new file mode 100644 index 000000000000..d22ff1a6ca41 --- /dev/null +++ b/tests/expected/shadow/unsupported_object_size/test.rs @@ -0,0 +1,29 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This test checks the maximum object size supported by Kani's shadow +// memory model (currently 64) + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +fn check_max_objects() { + let arr: [u8; N] = [0; N]; + let last = &arr[N - 1]; + assert_eq!(kani::mem::pointer_offset(last as *const u8), N - 1); + // the following call to `set_init` would fail if the object offset for + // `last` exceeds the maximum allowed by Kani's shadow memory model + unsafe { + SM.set(last as *const u8, true); + } +} + +#[kani::proof] +fn check_max_object_size_pass() { + check_max_objects::<64>(); +} + +#[kani::proof] +fn check_max_object_size_fail() { + check_max_objects::<65>(); +} diff --git a/tests/expected/slice_c_str/c_str_fixme.rs b/tests/expected/slice_c_str/c_str_fixme.rs index 894746772100..ede6c814e1a0 100644 --- a/tests/expected/slice_c_str/c_str_fixme.rs +++ b/tests/expected/slice_c_str/c_str_fixme.rs @@ -1,3 +1,5 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT #![feature(rustc_private)] #![feature(c_str_literals)] //! FIXME: diff --git a/tests/expected/stubbing-ambiguous-path/main.rs b/tests/expected/stubbing-ambiguous-path/main.rs index 7a406d51d227..9ab25b501a44 100644 --- a/tests/expected/stubbing-ambiguous-path/main.rs +++ b/tests/expected/stubbing-ambiguous-path/main.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --harness main --enable-unstable --enable-stubbing +// kani-flags: --harness main -Z stubbing // //! This tests that we raise an error if a path in a `kani::stub` attribute can //! resolve to multiple functions. diff --git a/tests/expected/stubbing-different-sets/stubbing.expected b/tests/expected/stubbing-different-sets/stubbing.expected new file mode 100644 index 000000000000..cf362d974f2e --- /dev/null +++ b/tests/expected/stubbing-different-sets/stubbing.expected @@ -0,0 +1,19 @@ +Checking harness check_indirect_all_identity... +VERIFICATION:- SUCCESSFUL + +Checking harness check_all_identity_2... +VERIFICATION:- SUCCESSFUL + +Checking harness check_all_identity... +VERIFICATION:- SUCCESSFUL + +Checking harness check_decrement_is_increment... +VERIFICATION:- SUCCESSFUL + +Checking harness check_decrement... +VERIFICATION:- SUCCESSFUL + +Checking harness check_identity... +VERIFICATION:- SUCCESSFUL + +Complete - 6 successfully verified harnesses, 0 failures, 6 total. diff --git a/tests/script-based-pre/stubbing_compiler_sessions/stubbing.rs b/tests/expected/stubbing-different-sets/stubbing.rs similarity index 88% rename from tests/script-based-pre/stubbing_compiler_sessions/stubbing.rs rename to tests/expected/stubbing-different-sets/stubbing.rs index cde1902c3558..90905baa5bb6 100644 --- a/tests/script-based-pre/stubbing_compiler_sessions/stubbing.rs +++ b/tests/expected/stubbing-different-sets/stubbing.rs @@ -1,8 +1,8 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Check that Kani handles different sets of stubbing correctly. -// I.e., not correctly replacing the stubs will cause a harness to fail. +// kani-flags: -Z stubbing +//! Check that Kani handles different sets of stubbing correctly. +//! I.e., not correctly replacing the stubs will cause a harness to fail. fn identity(i: i8) -> i8 { i diff --git a/tests/expected/uninit/access-padding-uninit/access-padding-uninit.rs b/tests/expected/uninit/access-padding-uninit/access-padding-uninit.rs new file mode 100644 index 000000000000..8e65b95aefa2 --- /dev/null +++ b/tests/expected/uninit/access-padding-uninit/access-padding-uninit.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr::addr_of; + +#[repr(C)] +struct S(u32, u8); + +/// Checks that Kani catches an attempt to access padding of a struct using raw pointers. +#[kani::proof] +fn check_uninit_padding() { + let s = S(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let padding = unsafe { *(ptr.add(5)) }; // ~ERROR: padding bytes are uninitialized, so reading them is UB. +} diff --git a/tests/expected/uninit/access-padding-uninit/expected b/tests/expected/uninit/access-padding-uninit/expected new file mode 100644 index 000000000000..da8d15b2dbb9 --- /dev/null +++ b/tests/expected/uninit/access-padding-uninit/expected @@ -0,0 +1,5 @@ +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/access-padding-via-cast/access-padding-via-cast.rs b/tests/expected/uninit/access-padding-via-cast/access-padding-via-cast.rs new file mode 100644 index 000000000000..1604625fc54c --- /dev/null +++ b/tests/expected/uninit/access-padding-via-cast/access-padding-via-cast.rs @@ -0,0 +1,20 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr; +#[repr(C)] +struct S(u8, u16); + +/// Checks that Kani catches an attempt to access padding of a struct using casting to different types. +#[kani::proof] +fn check_uninit_padding_after_cast() { + unsafe { + let mut s = S(0, 0); + let sptr = ptr::addr_of_mut!(s); + let sptr2 = sptr as *mut [u8; 4]; + *sptr2 = [0; 4]; + *sptr = S(0, 0); // should reset the padding + let val = *sptr2; // ~ERROR: encountered uninitialized memory + } +} diff --git a/tests/expected/uninit/access-padding-via-cast/expected b/tests/expected/uninit/access-padding-via-cast/expected new file mode 100644 index 000000000000..e02883b26cdf --- /dev/null +++ b/tests/expected/uninit/access-padding-via-cast/expected @@ -0,0 +1,5 @@ +Failed Checks: Kani does not support reasoning about memory initialization in presence of mutable raw pointer casts that could cause delayed UB. + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/access-static-padding.expected b/tests/expected/uninit/access-static-padding.expected new file mode 100644 index 000000000000..5577aa3684c5 --- /dev/null +++ b/tests/expected/uninit/access-static-padding.expected @@ -0,0 +1,12 @@ +Checking harness check_read_assoc_const_padding_fails... +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const [u8; 32]` + +Checking harness check_read_static_padding_fails... +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const [u8; 8]` + +Checking harness check_read_const_padding_fails... +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const [u8; 4]` + +Verification failed for - check_read_assoc_const_padding_fails +Verification failed for - check_read_static_padding_fails +Verification failed for - check_read_const_padding_fails diff --git a/tests/expected/uninit/access-static-padding.rs b/tests/expected/uninit/access-static-padding.rs new file mode 100644 index 000000000000..5e9edb5ff9fc --- /dev/null +++ b/tests/expected/uninit/access-static-padding.rs @@ -0,0 +1,34 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks +//! Add a check to ensure that we correctly detect reading the padding values of a static and +//! also of a constant. + +#![feature(generic_const_exprs)] + +/// Check if all the values in the buffer is equals to zero. +unsafe fn is_zeroed(orig: *const T) -> bool +where + [(); size_of::()]:, +{ + let buf = orig as *const [u8; size_of::()]; + unsafe { &*buf }.iter().all(|val| *val == 0) +} + +const CONST_PADDING: (u8, u16) = (0, 0); +static STATIC_PADDING: (u8, char) = (0, '\0'); + +#[kani::proof] +fn check_read_const_padding_fails() { + assert!(unsafe { is_zeroed(&CONST_PADDING) }); +} + +#[kani::proof] +fn check_read_static_padding_fails() { + assert!(unsafe { is_zeroed(&STATIC_PADDING) }); +} + +#[kani::proof] +fn check_read_assoc_const_padding_fails() { + assert!(unsafe { is_zeroed(&(0u128, 0u16)) }); +} diff --git a/tests/expected/uninit/alloc-to-slice/alloc-to-slice.rs b/tests/expected/uninit/alloc-to-slice/alloc-to-slice.rs new file mode 100644 index 000000000000..318f234c31be --- /dev/null +++ b/tests/expected/uninit/alloc-to-slice/alloc-to-slice.rs @@ -0,0 +1,20 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::alloc::{alloc, Layout}; +use std::slice::from_raw_parts; + +/// Checks that Kani catches an attempt to form a slice from uninitialized memory. +#[kani::proof] +fn check_uninit_slice() { + let layout = Layout::from_size_align(16, 8).unwrap(); + unsafe { + let ptr = alloc(layout); + *ptr = 0x41; + *ptr.add(1) = 0x42; + *ptr.add(2) = 0x43; + *ptr.add(3) = 0x44; + let uninit_slice = from_raw_parts(ptr, 16); // ~ERROR: forming a slice from unitialized memory is UB. + } +} diff --git a/tests/expected/uninit/alloc-to-slice/expected b/tests/expected/uninit/alloc-to-slice/expected new file mode 100644 index 000000000000..f8347a591edf --- /dev/null +++ b/tests/expected/uninit/alloc-to-slice/expected @@ -0,0 +1,5 @@ +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const [u8]` + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/atomic/atomic.rs b/tests/expected/uninit/atomic/atomic.rs new file mode 100644 index 000000000000..63c85af41a3f --- /dev/null +++ b/tests/expected/uninit/atomic/atomic.rs @@ -0,0 +1,31 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +#![feature(core_intrinsics)] + +use std::alloc::{alloc, Layout}; +use std::sync::atomic::{AtomicU8, Ordering}; + +// Checks if memory initialization checks correctly fail when uninitialized memory is passed to +// atomic intrinsics. +#[kani::proof] +fn local_atomic_uninit() { + // Get a pointer to an uninitialized value + let layout = Layout::from_size_align(16, 8).unwrap(); + let ptr: *mut u8 = unsafe { alloc(layout) }; + // Try accessing `ptr` via atomic intrinsics, should be UB in each case. + unsafe { + match kani::any() { + 0 => { + std::intrinsics::atomic_store_relaxed(ptr, 1); + } + 1 => { + std::intrinsics::atomic_load_relaxed(ptr as *const u8); + } + _ => { + std::intrinsics::atomic_cxchg_relaxed_relaxed(ptr, 1, 1); + } + }; + } +} diff --git a/tests/expected/uninit/atomic/expected b/tests/expected/uninit/atomic/expected new file mode 100644 index 000000000000..c7d9593f22a7 --- /dev/null +++ b/tests/expected/uninit/atomic/expected @@ -0,0 +1,13 @@ +SUMMARY: + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*mut u8` + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*mut u8` + +VERIFICATION:- FAILED + +Summary:\ +Verification failed for - local_atomic_uninit\ +Complete - 0 successfully verified harnesses, 1 failures, 1 total. diff --git a/tests/expected/uninit/delayed-ub-transmute/delayed-ub-transmute.rs b/tests/expected/uninit/delayed-ub-transmute/delayed-ub-transmute.rs new file mode 100644 index 000000000000..df769e39a8b2 --- /dev/null +++ b/tests/expected/uninit/delayed-ub-transmute/delayed-ub-transmute.rs @@ -0,0 +1,14 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +/// Checks that Kani rejects mutable pointer casts between types of different padding. +#[kani::proof] +fn invalid_value() { + unsafe { + let mut value: u128 = 0; + let ptr: *mut (u8, u32, u64) = std::mem::transmute(&mut value as *mut _); + *ptr = (4, 4, 4); // This assignment itself does not cause UB... + let c: u128 = value; // ...but this reads a padding value! + } +} diff --git a/tests/expected/uninit/delayed-ub-transmute/expected b/tests/expected/uninit/delayed-ub-transmute/expected new file mode 100644 index 000000000000..e02883b26cdf --- /dev/null +++ b/tests/expected/uninit/delayed-ub-transmute/expected @@ -0,0 +1,5 @@ +Failed Checks: Kani does not support reasoning about memory initialization in presence of mutable raw pointer casts that could cause delayed UB. + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/delayed-ub/delayed-ub.rs b/tests/expected/uninit/delayed-ub/delayed-ub.rs new file mode 100644 index 000000000000..bfed0a1f39a1 --- /dev/null +++ b/tests/expected/uninit/delayed-ub/delayed-ub.rs @@ -0,0 +1,14 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z ghost-state -Z uninit-checks + +/// Checks that Kani rejects mutable pointer casts between types of different padding. +#[kani::proof] +fn invalid_value() { + unsafe { + let mut value: u128 = 0; + let ptr = &mut value as *mut _ as *mut (u8, u32, u64); + *ptr = (4, 4, 4); // This assignment itself does not cause UB... + let c: u128 = value; // ...but this reads a padding value! + } +} diff --git a/tests/expected/uninit/delayed-ub/expected b/tests/expected/uninit/delayed-ub/expected new file mode 100644 index 000000000000..e02883b26cdf --- /dev/null +++ b/tests/expected/uninit/delayed-ub/expected @@ -0,0 +1,5 @@ +Failed Checks: Kani does not support reasoning about memory initialization in presence of mutable raw pointer casts that could cause delayed UB. + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/intrinsics/expected b/tests/expected/uninit/intrinsics/expected new file mode 100644 index 000000000000..ffa98b6f1140 --- /dev/null +++ b/tests/expected/uninit/intrinsics/expected @@ -0,0 +1,70 @@ +Checking harness check_typed_swap_safe... + +Failed Checks: Kani does not support reasoning about memory initialization in presence of mutable raw pointer casts that could cause delayed UB. + +VERIFICATION:- FAILED + +Checking harness check_typed_swap... + +Failed Checks: Kani does not support reasoning about memory initialization in presence of mutable raw pointer casts that could cause delayed UB. + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*mut u8` + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*mut u8` + +VERIFICATION:- FAILED + +Checking harness check_volatile_store_and_load_safe... + +VERIFICATION:- SUCCESSFUL + +Checking harness check_volatile_load... + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +VERIFICATION:- FAILED + +Checking harness check_write_bytes_safe... + +VERIFICATION:- SUCCESSFUL + +Checking harness check_compare_bytes_safe... + +VERIFICATION:- SUCCESSFUL + +Checking harness check_compare_bytes... + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +VERIFICATION:- FAILED + +Checking harness check_copy_safe... + +VERIFICATION:- SUCCESSFUL + +Checking harness check_copy... + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +VERIFICATION:- FAILED + +Checking harness check_copy_nonoverlapping_safe... + +VERIFICATION:- SUCCESSFUL + +Checking harness check_copy_nonoverlapping... + +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +VERIFICATION:- FAILED + +Summary: +Verification failed for - check_typed_swap_safe +Verification failed for - check_typed_swap +Verification failed for - check_volatile_load +Verification failed for - check_compare_bytes +Verification failed for - check_copy +Verification failed for - check_copy_nonoverlapping +Complete - 5 successfully verified harnesses, 6 failures, 11 total. diff --git a/tests/expected/uninit/intrinsics/intrinsics.rs b/tests/expected/uninit/intrinsics/intrinsics.rs new file mode 100644 index 000000000000..aa8a89b7b959 --- /dev/null +++ b/tests/expected/uninit/intrinsics/intrinsics.rs @@ -0,0 +1,127 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks +//! Checks that Kani supports memory initialization checks via intrinsics. + +#![feature(core_intrinsics)] + +use std::alloc::{alloc, alloc_zeroed, Layout}; +use std::intrinsics::*; + +#[kani::proof] +fn check_copy_nonoverlapping() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let src: *mut u8 = alloc(layout); + let dst: *mut u8 = alloc(layout); + copy_nonoverlapping(src as *const u8, dst, 2); // ~ERROR: Accessing `src` here, which is uninitialized. + } +} + +#[kani::proof] +fn check_copy_nonoverlapping_safe() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let src: *mut u8 = alloc_zeroed(layout); + let dst: *mut u8 = alloc(layout); + // `src` is initialized here, `dst` is uninitialized, but it is fine since we are writing into it. + copy_nonoverlapping(src as *const u8, dst, 2); + } +} + +#[kani::proof] +fn check_copy() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let src: *mut u8 = alloc(layout); + let dst: *mut u8 = alloc(layout); + copy(src as *const u8, dst, 2); // ~ERROR: Accessing `src` here, which is uninitialized. + } +} + +#[kani::proof] +fn check_copy_safe() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let src: *mut u8 = alloc_zeroed(layout); + let dst: *mut u8 = alloc(layout); + // `src` is initialized here, `dst` is uninitialized, but it is fine since we are writing into it. + copy(src as *const u8, dst, 2); + } +} + +#[kani::proof] +fn check_compare_bytes() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let left: *mut u8 = alloc(layout); + let right: *mut u8 = alloc(layout); + // ~ERROR: Accessing `left` and `right` here, both of which are uninitialized. + compare_bytes(left as *const u8, right as *const u8, 2); + } +} + +#[kani::proof] +fn check_compare_bytes_safe() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let left: *mut u8 = alloc_zeroed(layout); + let right: *mut u8 = alloc_zeroed(layout); + // Both `left` and `right` are initialized here. + compare_bytes(left as *const u8, right as *const u8, 2); + } +} + +#[kani::proof] +fn check_write_bytes_safe() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let left: *mut u8 = alloc(layout); + let right: *mut u8 = alloc(layout); + write_bytes(left, 0, 2); + write_bytes(right, 0, 2); + // Both `left` and `right` are initialized here. + compare_bytes(left as *const u8, right as *const u8, 2); + } +} + +#[kani::proof] +fn check_volatile_load() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let src: *mut u8 = alloc(layout); + volatile_load(src as *const u8); // ~ERROR: Accessing `src` here, which is uninitialized. + } +} + +#[kani::proof] +fn check_volatile_store_and_load_safe() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let src: *mut u8 = alloc(layout); + volatile_store(src, 0); + volatile_load(src as *const u8); // `src` is initialized here. + } +} + +#[kani::proof] +fn check_typed_swap() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let left: *mut u8 = alloc(layout); + let right: *mut u8 = alloc(layout); + // ~ERROR: Accessing `left` and `right` here, both of which are uninitialized. + typed_swap(left, right); + } +} + +#[kani::proof] +fn check_typed_swap_safe() { + unsafe { + let layout = Layout::from_size_align(16, 8).unwrap(); + let left: *mut u8 = alloc_zeroed(layout); + let right: *mut u8 = alloc_zeroed(layout); + // Both `left` and `right` are initialized here. + typed_swap(left, right); + } +} diff --git a/tests/expected/uninit/transmute-padding/expected b/tests/expected/uninit/transmute-padding/expected new file mode 100644 index 000000000000..980a01748fc7 --- /dev/null +++ b/tests/expected/uninit/transmute-padding/expected @@ -0,0 +1,5 @@ +Failed Checks: Transmuting between types of incompatible layouts. + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/transmute-padding/transmute_padding.rs b/tests/expected/uninit/transmute-padding/transmute_padding.rs new file mode 100644 index 000000000000..b74346c98160 --- /dev/null +++ b/tests/expected/uninit/transmute-padding/transmute_padding.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +// 5 bytes of data + 3 bytes of padding. +#[repr(C)] +#[derive(kani::Arbitrary)] +struct S(u32, u8); + +/// Checks that Kani catches an attempt to access padding of a struct using transmute. +#[kani::proof] +fn check_uninit_padding() { + let s = kani::any(); + access_padding(s); +} + +fn access_padding(s: S) { + let _padding: u64 = unsafe { std::mem::transmute(s) }; // ~ERROR: padding bytes are uninitialized, so reading them is UB. +} diff --git a/tests/expected/uninit/vec-read-bad-len/expected b/tests/expected/uninit/vec-read-bad-len/expected new file mode 100644 index 000000000000..f8347a591edf --- /dev/null +++ b/tests/expected/uninit/vec-read-bad-len/expected @@ -0,0 +1,5 @@ +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const [u8]` + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/vec-read-bad-len/vec-read-bad-len.rs b/tests/expected/uninit/vec-read-bad-len/vec-read-bad-len.rs new file mode 100644 index 000000000000..f5cae82c5350 --- /dev/null +++ b/tests/expected/uninit/vec-read-bad-len/vec-read-bad-len.rs @@ -0,0 +1,15 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ops::Index; + +/// Checks that Kani catches an attempt to read uninitialized memory from a vector with bad length. +#[kani::proof] +fn check_vec_read_bad_len() { + let mut v: Vec = Vec::with_capacity(10); + unsafe { + v.set_len(5); // even though length is now 5, vector is still uninitialized + } + let uninit = v.index(0); // ~ERROR: reading from unitialized memory is UB. +} diff --git a/tests/expected/uninit/vec-read-semi-init/expected b/tests/expected/uninit/vec-read-semi-init/expected new file mode 100644 index 000000000000..da8d15b2dbb9 --- /dev/null +++ b/tests/expected/uninit/vec-read-semi-init/expected @@ -0,0 +1,5 @@ +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/vec-read-semi-init/vec-read-semi-init.rs b/tests/expected/uninit/vec-read-semi-init/vec-read-semi-init.rs new file mode 100644 index 000000000000..2e007cabaced --- /dev/null +++ b/tests/expected/uninit/vec-read-semi-init/vec-read-semi-init.rs @@ -0,0 +1,11 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +/// Checks that Kani catches an attempt to read uninitialized memory from a semi-initialized vector. +#[kani::proof] +fn check_vec_read_semi_init() { + let mut v: Vec = Vec::with_capacity(10); + unsafe { *v.as_mut_ptr().add(4) = 0x42 }; + let uninit = unsafe { *v.as_ptr().add(5) }; // ~ERROR: reading from unitialized memory is UB. +} diff --git a/tests/expected/uninit/vec-read-uninit/expected b/tests/expected/uninit/vec-read-uninit/expected new file mode 100644 index 000000000000..da8d15b2dbb9 --- /dev/null +++ b/tests/expected/uninit/vec-read-uninit/expected @@ -0,0 +1,5 @@ +Failed Checks: Undefined Behavior: Reading from an uninitialized pointer of type `*const u8` + +VERIFICATION:- FAILED + +Complete - 0 successfully verified harnesses, 1 failures, 1 total. \ No newline at end of file diff --git a/tests/expected/uninit/vec-read-uninit/vec-read-uninit.rs b/tests/expected/uninit/vec-read-uninit/vec-read-uninit.rs new file mode 100644 index 000000000000..e6daf80cd5e3 --- /dev/null +++ b/tests/expected/uninit/vec-read-uninit/vec-read-uninit.rs @@ -0,0 +1,10 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +/// Checks that Kani catches an attempt to read uninitialized memory from an uninitialized vector. +#[kani::proof] +fn check_vec_read_uninit() { + let v: Vec = Vec::with_capacity(10); + let uninit = unsafe { *v.as_ptr().add(5) }; // ~ERROR: reading from unitialized memory is UB. +} diff --git a/tests/expected/zst/expected b/tests/expected/zst/expected new file mode 100644 index 000000000000..bec891bea92c --- /dev/null +++ b/tests/expected/zst/expected @@ -0,0 +1,4 @@ +Status: FAILURE\ +Description: "dereference failure: pointer NULL" + +VERIFICATION:- FAILED diff --git a/tests/expected/zst/main.rs b/tests/expected/zst/main.rs new file mode 100644 index 000000000000..587e2608c870 --- /dev/null +++ b/tests/expected/zst/main.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This example demonstrates that rustc may choose not to allocate unique locations to ZST objects. +#[repr(C)] +#[derive(Copy, Clone)] +struct Z(i8, i64); + +struct Y; + +#[kani::proof] +fn test_z() -> Z { + let m = Y; + let n = Y; + let zz = Z(1, -1); + + let ptr: *const Z = if &n as *const _ == &m as *const _ { std::ptr::null() } else { &zz }; + unsafe { *ptr } +} diff --git a/tests/kani/Closure/boxed_closure.rs b/tests/kani/Closure/boxed_closure.rs new file mode 100644 index 000000000000..4071978d28b1 --- /dev/null +++ b/tests/kani/Closure/boxed_closure.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// compile-flags: -Zmir-opt-level=2 + +// The main function of this test moves an integer into a closure, +// boxes the value, then passes the closure to a function that calls it. +// This test covers the issue +// https://github.com/model-checking/kani/issues/2874 . + +fn call_boxed_closure(f: Box ()>) -> () { + f() +} + +// #[kani::proof] +fn main() { + let x = 1; + let closure = move || { + let _ = x; + () + }; + call_boxed_closure(Box::new(closure)); +} diff --git a/tests/kani/Closure/zst_param.rs b/tests/kani/Closure/zst_param.rs index 3eee1e5ac672..7a93619a9e16 100644 --- a/tests/kani/Closure/zst_param.rs +++ b/tests/kani/Closure/zst_param.rs @@ -17,7 +17,8 @@ fn check_zst_param() { let input = kani::any(); let closure = |a: Void, out: usize, b: Void| { kani::cover!(); - assert!(&a as *const Void != &b as *const Void, "Should succeed"); + assert!(&a as *const Void != std::ptr::null(), "Should succeed"); + assert!(&b as *const Void != std::ptr::null(), "Should succeed"); out }; let output = invoke(input, closure); diff --git a/tests/kani/Closure/zst_unwrap.rs b/tests/kani/Closure/zst_unwrap.rs new file mode 100644 index 000000000000..4c755e08abc7 --- /dev/null +++ b/tests/kani/Closure/zst_unwrap.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Test that Kani can properly handle closure to fn ptr when an argument type is Never (`!`). +//! See for more details. +#![feature(never_type)] + +pub struct Foo { + _x: i32, + _never: !, +} + +#[kani::proof] +fn check_unwrap_never() { + let res = Result::::Ok(3); + let _x = res.unwrap_or_else(|_f| 5); +} diff --git a/tests/kani/CodegenStatic/main.rs b/tests/kani/CodegenStatic/main.rs index 9731ca4fe080..7d2791268c7d 100644 --- a/tests/kani/CodegenStatic/main.rs +++ b/tests/kani/CodegenStatic/main.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT static STATIC: [&str; 1] = ["FOO"]; #[kani::proof] -fn main() { +fn check_static() { let x = STATIC[0]; let bytes = x.as_bytes(); assert!(bytes.len() == 3); diff --git a/tests/kani/CodegenStatic/struct.rs b/tests/kani/CodegenStatic/struct.rs index 441e118175b1..1801de3c7613 100644 --- a/tests/kani/CodegenStatic/struct.rs +++ b/tests/kani/CodegenStatic/struct.rs @@ -8,6 +8,24 @@ pub struct Foo { const x: Foo<3> = Foo { bytes: [1, 2, 3] }; #[kani::proof] -fn main() { +fn simple_struct() { assert!(x.bytes[0] == 1); } + +pub struct Outer { + data: char, + inner: Inner, +} + +pub struct Inner { + a: char, + b: char, + c: char, +} + +static OUTER: Outer = Outer { data: 'a', inner: Inner { a: 'a', b: 'b', c: 'c' } }; + +#[kani::proof] +fn nested_struct() { + assert!(OUTER.inner.c == 'c'); +} diff --git a/tests/kani/Coroutines/main.rs b/tests/kani/Coroutines/main.rs index 10d92571aaa6..e059305a6da2 100644 --- a/tests/kani/Coroutines/main.rs +++ b/tests/kani/Coroutines/main.rs @@ -4,13 +4,16 @@ // This tests that coroutines work, even with a non-() resume type. #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] +#[kani::unwind(3)] fn main() { - let mut add_one = |mut resume: u8| { + let mut add_one = #[coroutine] + |mut resume: u8| { loop { resume = yield resume.saturating_add(1); } diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs b/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs index 81036a8f1238..a52f711fa52b 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs @@ -12,6 +12,7 @@ //[nomiropt]compile-flags: -Z mir-opt-level=0 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::pin::Pin; @@ -41,7 +42,8 @@ fn main() { } fn t1() { - let mut a = || { + let mut a = #[coroutine] + || { let b = B; if test() { drop(b); @@ -57,7 +59,8 @@ fn t1() { } fn t2() { - let mut a = || { + let mut a = #[coroutine] + || { let b = B; if test2() { drop(b); diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs b/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs index 6e48b96e1d2a..af8d8a2250a4 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs @@ -35,32 +35,52 @@ where #[kani::proof] #[kani::unwind(16)] fn main() { - finish(1, || yield); - finish(8, || { - for _ in 0..8 { - yield; - } - }); - finish(1, || { - if true { - yield; - } else { - } - }); - finish(1, || { - if false { - } else { - yield; - } - }); - finish(2, || { - if { - yield; - false - } { - yield; - panic!() - } - yield - }); + finish( + 1, + #[coroutine] + || yield, + ); + finish( + 8, + #[coroutine] + || { + for _ in 0..8 { + yield; + } + }, + ); + finish( + 1, + #[coroutine] + || { + if true { + yield; + } else { + } + }, + ); + finish( + 1, + #[coroutine] + || { + if false { + } else { + yield; + } + }, + ); + finish( + 2, + #[coroutine] + || { + if { + yield; + false + } { + yield; + panic!() + } + yield + }, + ); } diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs b/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs index a6420aca283b..e1de81c9b081 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs @@ -12,6 +12,7 @@ //[nomiropt]compile-flags: -Z mir-opt-level=0 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::pin::Pin; @@ -36,7 +37,8 @@ fn main() { fn t1() { let b = B; - let mut foo = || { + let mut foo = #[coroutine] + || { yield; drop(b); }; @@ -50,7 +52,8 @@ fn t1() { fn t2() { let b = B; - let mut foo = || { + let mut foo = #[coroutine] + || { yield b; }; @@ -63,7 +66,8 @@ fn t2() { fn t3() { let b = B; - let foo = || { + let foo = #[coroutine] + || { yield; drop(b); }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs b/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs index caa2efec216f..8a9b26262e5d 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs @@ -30,6 +30,7 @@ impl + Unpin> Iterator for W { } fn test() -> impl Coroutine<(), Return = (), Yield = u8> + Unpin { + #[coroutine] || { for i in 1..6 { yield i @@ -43,6 +44,7 @@ fn main() { let end = 11; let closure_test = |start| { + #[coroutine] move || { for i in start..end { yield i diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs b/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs index 9bce8679464f..d9aae2e95322 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs @@ -9,6 +9,7 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::pin::Pin; @@ -16,7 +17,8 @@ use std::pin::Pin; #[kani::proof] fn main() { let b = |_| 3; - let mut a = || { + let mut a = #[coroutine] + || { b(yield); }; Pin::new(&mut a).resume(()); diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs index d63d34427ca6..3c2b9dc16ae1 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs @@ -41,6 +41,7 @@ impl Drop for Foo { } fn move_before_yield() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); let _second = first; @@ -52,6 +53,7 @@ fn move_before_yield() -> impl Coroutine { fn noop() {} fn move_before_yield_with_noop() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); noop(); @@ -64,6 +66,7 @@ fn move_before_yield_with_noop() -> impl Coroutine { // Today we don't have NRVO (we allocate space for both `first` and `second`,) // but we can overlap `first` with `_third`. fn overlap_move_points() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); yield; @@ -75,6 +78,7 @@ fn overlap_move_points() -> impl Coroutine { } fn overlap_x_and_y() -> impl Coroutine { + #[coroutine] static || { let x = Foo([0; FOO_SIZE]); yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs index b3b6c4cc6767..6d54a54190e1 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs @@ -34,6 +34,7 @@ impl Drop for Foo { } fn move_before_yield() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); let _second = first; @@ -45,6 +46,7 @@ fn move_before_yield() -> impl Coroutine { fn noop() {} fn move_before_yield_with_noop() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); noop(); @@ -57,6 +59,7 @@ fn move_before_yield_with_noop() -> impl Coroutine { // Today we don't have NRVO (we allocate space for both `first` and `second`,) // but we can overlap `first` with `_third`. fn overlap_move_points() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); yield; @@ -68,6 +71,7 @@ fn overlap_move_points() -> impl Coroutine { } fn overlap_x_and_y() -> impl Coroutine { + #[coroutine] static || { let x = Foo([0; FOO_SIZE]); yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs b/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs index 0d770380e2b9..8dfd8cdf065c 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs @@ -9,14 +9,17 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let _coroutine = || { - let mut sub_coroutine = || { + let _coroutine = #[coroutine] + || { + let mut sub_coroutine = #[coroutine] + || { yield 2; }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs index 5de21166c318..68b0a8589d3c 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs @@ -11,6 +11,7 @@ // run-pass #![feature(coroutines)] +#![feature(stmt_expr_attributes)] use std::mem::size_of_val; @@ -19,7 +20,8 @@ fn take(_: T) {} #[kani::proof] fn main() { let x = false; - let gen1 = || { + let gen1 = #[coroutine] + || { yield; take(x); }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs index 170a356fb318..f882459910ec 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs @@ -11,6 +11,7 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -22,7 +23,8 @@ fn take(_: T) {} #[kani::proof] fn main() { let x = false; - let mut gen1 = || { + let mut gen1 = #[coroutine] + || { yield; take(x); }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs index d22ed53f8b60..d7be6ba706f5 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs @@ -9,10 +9,12 @@ // run-pass #![feature(coroutines)] +#![feature(stmt_expr_attributes)] #[kani::proof] fn main() { - let a = || { + let a = #[coroutine] + || { { let w: i32 = 4; yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs index 6033b2f06a99..56ba9d346d33 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs @@ -9,13 +9,15 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let mut a = || { + let mut a = #[coroutine] + || { { let w: i32 = 4; yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs index f59ef260bcda..958c3ea81d22 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs @@ -7,6 +7,7 @@ // See GitHub history for details. #![feature(coroutines)] +#![feature(stmt_expr_attributes)] // run-pass @@ -15,7 +16,8 @@ use std::mem::size_of_val; #[kani::proof] fn main() { // Coroutine taking a `Copy`able resume arg. - let gen_copy = |mut x: usize| { + let gen_copy = #[coroutine] + |mut x: usize| { loop { drop(x); x = yield; @@ -23,7 +25,8 @@ fn main() { }; // Coroutine taking a non-`Copy` resume arg. - let gen_move = |mut x: Box| { + let gen_move = #[coroutine] + |mut x: Box| { loop { drop(x); x = yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs index 0c2c87f5eb2e..c514ebf03eb7 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs @@ -7,6 +7,7 @@ // See GitHub history for details. #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -18,7 +19,8 @@ use std::mem::size_of_val; #[kani::proof] fn main() { // Coroutine taking a `Copy`able resume arg. - let mut gen_copy = |mut x: usize| { + let mut gen_copy = #[coroutine] + |mut x: usize| { loop { drop(x); x = yield; @@ -26,7 +28,8 @@ fn main() { }; // Coroutine taking a non-`Copy` resume arg. - let mut gen_move = |mut x: Box| { + let mut gen_move = #[coroutine] + |mut x: Box| { loop { drop(x); x = yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs b/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs index 10d4d36223d5..48c07a1a1fe8 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs @@ -9,6 +9,7 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -28,7 +29,8 @@ impl Drop for Dropper { #[kani::proof] #[kani::unwind(16)] fn main() { - let mut g = |mut _d| { + let mut g = #[coroutine] + |mut _d| { _d = yield; _d }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs b/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs index 85c75bc8147d..cc63b6b21186 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs @@ -12,6 +12,7 @@ //[nomiropt]compile-flags: -Z mir-opt-level=0 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::fmt::Debug; use std::marker::Unpin; @@ -61,7 +62,8 @@ fn expect_drops(expected_drops: usize, f: impl FnOnce() -> T) -> T { #[kani::unwind(8)] fn main() { drain( - &mut |mut b| { + &mut #[coroutine] + |mut b| { while b != 0 { b = yield (b + 1); } @@ -70,21 +72,35 @@ fn main() { vec![(1, Yielded(2)), (-45, Yielded(-44)), (500, Yielded(501)), (0, Complete(-1))], ); - expect_drops(2, || drain(&mut |a| yield a, vec![(DropMe, Yielded(DropMe))])); + expect_drops(2, || { + drain( + &mut #[coroutine] + |a| yield a, + vec![(DropMe, Yielded(DropMe))], + ) + }); expect_drops(6, || { drain( - &mut |a| yield yield a, + &mut #[coroutine] + |a| yield yield a, vec![(DropMe, Yielded(DropMe)), (DropMe, Yielded(DropMe)), (DropMe, Complete(DropMe))], ) }); #[allow(unreachable_code)] - expect_drops(2, || drain(&mut |a| yield return a, vec![(DropMe, Complete(DropMe))])); + expect_drops(2, || { + drain( + &mut #[coroutine] + |a| yield return a, + vec![(DropMe, Complete(DropMe))], + ) + }); expect_drops(2, || { drain( - &mut |a: DropMe| { + &mut #[coroutine] + |a: DropMe| { if false { yield () } else { a } }, vec![(DropMe, Complete(DropMe))], @@ -94,7 +110,8 @@ fn main() { expect_drops(4, || { drain( #[allow(unused_assignments, unused_variables)] - &mut |mut a: DropMe| { + &mut #[coroutine] + |mut a: DropMe| { a = yield; a = yield; a = yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs b/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs index 2b9aa40a06c0..c69513d00d99 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs @@ -15,6 +15,7 @@ // compile-flags: --test #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -22,7 +23,8 @@ use std::thread; #[kani::proof] fn simple() { - let mut foo = || { + let mut foo = #[coroutine] + || { if false { yield; } @@ -38,7 +40,8 @@ fn simple() { #[kani::unwind(4)] fn return_capture() { let a = String::from("foo"); - let mut foo = || { + let mut foo = #[coroutine] + || { if false { yield; } @@ -53,7 +56,8 @@ fn return_capture() { #[kani::proof] fn simple_yield() { - let mut foo = || { + let mut foo = #[coroutine] + || { yield; }; @@ -71,7 +75,8 @@ fn simple_yield() { #[kani::unwind(4)] fn yield_capture() { let b = String::from("foo"); - let mut foo = || { + let mut foo = #[coroutine] + || { yield b; }; @@ -88,7 +93,8 @@ fn yield_capture() { #[kani::proof] #[kani::unwind(4)] fn simple_yield_value() { - let mut foo = || { + let mut foo = #[coroutine] + || { yield String::from("bar"); return String::from("foo"); }; @@ -107,7 +113,8 @@ fn simple_yield_value() { #[kani::unwind(4)] fn return_after_yield() { let a = String::from("foo"); - let mut foo = || { + let mut foo = #[coroutine] + || { yield; return a; }; @@ -124,43 +131,65 @@ fn return_after_yield() { // This test is useless for Kani fn send_and_sync() { - assert_send_sync(|| yield); - assert_send_sync(|| { - yield String::from("foo"); - }); - assert_send_sync(|| { - yield; - return String::from("foo"); - }); + assert_send_sync( + #[coroutine] + || yield, + ); + assert_send_sync( + #[coroutine] + || { + yield String::from("foo"); + }, + ); + assert_send_sync( + #[coroutine] + || { + yield; + return String::from("foo"); + }, + ); let a = 3; - assert_send_sync(|| { - yield a; - return; - }); + assert_send_sync( + #[coroutine] + || { + yield a; + return; + }, + ); let a = 3; - assert_send_sync(move || { - yield a; - return; - }); + assert_send_sync( + #[coroutine] + move || { + yield a; + return; + }, + ); let a = String::from("a"); - assert_send_sync(|| { - yield; - drop(a); - return; - }); + assert_send_sync( + #[coroutine] + || { + yield; + drop(a); + return; + }, + ); let a = String::from("a"); - assert_send_sync(move || { - yield; - drop(a); - return; - }); + assert_send_sync( + #[coroutine] + move || { + yield; + drop(a); + return; + }, + ); fn assert_send_sync(_: T) {} } // Kani does not support threads, so we cannot run this test: fn send_over_threads() { - let mut foo = || yield; + let mut foo = #[coroutine] + || yield; thread::spawn(move || { match Pin::new(&mut foo).resume(()) { CoroutineState::Yielded(()) => {} @@ -175,7 +204,8 @@ fn send_over_threads() { .unwrap(); let a = String::from("a"); - let mut foo = || yield a; + let mut foo = #[coroutine] + || yield a; thread::spawn(move || { match Pin::new(&mut foo).resume(()) { CoroutineState::Yielded(ref s) if *s == "a" => {} diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs b/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs index 52f89438255a..9b8ca468f9ee 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs @@ -9,13 +9,15 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let mut coroutine = static || { + let mut coroutine = #[coroutine] + static || { let a = true; let b = &a; yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs b/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs index 5dbf580f5f57..79d6798855ff 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs @@ -10,6 +10,7 @@ // Test that box-statements with yields in them work. #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::ops::CoroutineState; use std::pin::Pin; @@ -17,6 +18,7 @@ use std::pin::Pin; #[kani::proof] fn main() { let x = 0i32; + #[coroutine] || { //~ WARN unused coroutine that must be used let y = 2u32; @@ -28,7 +30,8 @@ fn main() { } }; - let mut g = |_| Box::new(yield); + let mut g = #[coroutine] + |_| Box::new(yield); assert_eq!(Pin::new(&mut g).resume(1), CoroutineState::Yielded(())); assert_eq!(Pin::new(&mut g).resume(2), CoroutineState::Complete(Box::new(2))); } diff --git a/tests/kani/FatPointers/metadata.rs b/tests/kani/FatPointers/metadata.rs new file mode 100644 index 000000000000..f76798e0f9f4 --- /dev/null +++ b/tests/kani/FatPointers/metadata.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +#![feature(ptr_metadata)] + +struct S { + x: i32, +} + +trait T {} + +impl T for S {} + +#[kani::proof] +fn ptr_metadata() { + assert_eq!(std::ptr::metadata("foo"), 3_usize); + + let s = S { x: 42 }; + let p: &dyn T = &s; + assert_eq!(std::ptr::metadata(p).size_of(), 4_usize); + + let c: char = 'c'; + assert_eq!(std::ptr::metadata(&c), ()); +} diff --git a/tests/kani/FloatingPoint/main.rs b/tests/kani/FloatingPoint/main.rs index c04bd9b305f8..f8ebccdac02a 100644 --- a/tests/kani/FloatingPoint/main.rs +++ b/tests/kani/FloatingPoint/main.rs @@ -1,5 +1,9 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT + +#![feature(f16)] +#![feature(f128)] + macro_rules! test_floats { ($ty:ty) => { let a: $ty = kani::any(); @@ -26,6 +30,8 @@ fn main() { assert!(1.1 == 1.1 * 1.0); assert!(1.1 != 1.11 / 1.0); + test_floats!(f16); test_floats!(f32); test_floats!(f64); + test_floats!(f128); } diff --git a/tests/kani/FunctionContracts/fixme_static_interior_mut.rs b/tests/kani/FunctionContracts/fixme_static_interior_mut.rs new file mode 100644 index 000000000000..1b18472b5590 --- /dev/null +++ b/tests/kani/FunctionContracts/fixme_static_interior_mut.rs @@ -0,0 +1,35 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts +//! This file is a duplicate of `static_interior_mut.rs` that captures the current over-approx +//! we perform for static variables with `UnsafeCell`. +//! When you fix this, please delete this file and enable the `regular_field` harness in the +//! original file. + +extern crate kani; + +use std::cell::UnsafeCell; + +pub struct WithMut { + regular_field: u8, + mut_field: UnsafeCell, +} + +/// Just for test purpose. +unsafe impl Sync for WithMut {} + +/// A static definition of `WithMut` +static ZERO_VAL: WithMut = WithMut { regular_field: 0, mut_field: UnsafeCell::new(0) }; + +/// The regular field should be 0. +#[kani::ensures(|result| *result == 0)] +pub fn regular_field() -> u8 { + ZERO_VAL.regular_field +} + +/// This harness is a copy from `static_interior_mut.rs`. +/// Once this gets fixed, please delete this file and enable the original one. +#[kani::proof_for_contract(regular_field)] +fn check_regular_field_is_const() { + assert_eq!(regular_field(), 0); // ** This should succeed since this field is constant. +} diff --git a/tests/kani/FunctionContracts/fixme_static_mut.rs b/tests/kani/FunctionContracts/fixme_static_mut.rs new file mode 100644 index 000000000000..0ee88a3e5ad5 --- /dev/null +++ b/tests/kani/FunctionContracts/fixme_static_mut.rs @@ -0,0 +1,46 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts +//! This test checks that contracts correctly handles mutable static. + +static mut WRAP_COUNTER: Option = None; + +/// This function is safe and should never crash. Counter starts at 0. +#[kani::modifies(std::ptr::addr_of!(WRAP_COUNTER))] +#[kani::ensures(|_| true)] +pub fn next() -> u32 { + // Safe in single-threaded. + unsafe { + match &WRAP_COUNTER { + Some(val) => { + WRAP_COUNTER = Some(val.wrapping_add(1)); + *val + } + None => { + WRAP_COUNTER = Some(0); + 0 + } + } + } +} + +/// This harness should succeed. +/// +/// Today, CBMC havocs WRAP_COUNTER, which includes invalid discriminants triggering UB. +#[kani::proof_for_contract(next)] +fn check_next() { + let _ret = next(); +} + +/// Without contracts, we can safely verify `next`. +#[kani::proof] +fn check_next_directly() { + // First check that initial iteration returns 0 (base case). + let first = next(); + assert_eq!(first, 0); + + // Havoc WRAP_COUNTER and invoke next. + unsafe { WRAP_COUNTER = kani::any() }; + let ret = next(); + kani::cover!(ret == 0); +} diff --git a/tests/kani/FunctionContracts/promoted_constants.rs b/tests/kani/FunctionContracts/promoted_constants.rs new file mode 100644 index 000000000000..75202f1bfedd --- /dev/null +++ b/tests/kani/FunctionContracts/promoted_constants.rs @@ -0,0 +1,54 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts +//! This test checks that contracts does not havoc +//! [promoted constants](https://github.com/rust-lang/const-eval/blob/master/promotion.md). +//! Related issue: + +extern crate kani; + +#[derive(PartialEq, Eq, kani::Arbitrary)] +pub struct Foo(u8); + +/// A named constant static should work the same way as a promoted constant. +static FOO: Foo = Foo(1); + +/// A mutable static that should be havocked before contract validation. +static mut FOO_MUT: Foo = Foo(1); + +/// Add a contract using a temporary variable that is lifted to a const static. +#[kani::requires(foo == Foo(1))] +pub fn foo_promoted(foo: Foo) -> Foo { + assert!(foo.0 == 1); + foo +} + +/// Add a contract using a const static. +#[kani::requires(foo == FOO)] +pub fn foo_static(foo: Foo) -> Foo { + assert!(foo.0 == 1); + foo +} + +/// Add a contract using a mutable static. +#[kani::requires(&foo == unsafe { &FOO_MUT })] +pub fn foo_mut_static(foo: Foo) -> Foo { + assert!(foo.0 == 1); + foo +} + +#[kani::proof_for_contract(foo_promoted)] +fn check_promoted() { + foo_promoted(kani::any()); +} + +#[kani::proof_for_contract(foo_static)] +fn check_static() { + foo_static(kani::any()); +} + +#[kani::proof_for_contract(foo_mut_static)] +#[kani::should_panic] +fn check_mut_static() { + foo_mut_static(kani::any()); +} diff --git a/tests/kani/FunctionContracts/promoted_constants_enum.rs b/tests/kani/FunctionContracts/promoted_constants_enum.rs new file mode 100644 index 000000000000..12878eee8044 --- /dev/null +++ b/tests/kani/FunctionContracts/promoted_constants_enum.rs @@ -0,0 +1,32 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts +//! This test checks that contracts does not havoc +//! [promoted constants](https://github.com/rust-lang/const-eval/blob/master/promotion.md) +//! that represents an enum variant. +//! +//! Related issue: + +extern crate kani; +#[derive(PartialEq, Eq, kani::Arbitrary)] +pub enum Foo { + A, + B, +} + +#[kani::ensures(|result: &Foo| *result == Foo::A)] +pub fn foo_a() -> Foo { + Foo::A +} + +#[kani::proof_for_contract(foo_a)] +fn check() { + let _ = foo_a(); +} + +#[kani::proof] +#[kani::stub_verified(foo_a)] +fn check_stub() { + let val = foo_a(); + assert!(val == Foo::A) +} diff --git a/tests/kani/FunctionContracts/static_interior_mut.rs b/tests/kani/FunctionContracts/static_interior_mut.rs new file mode 100644 index 000000000000..deb20e739fb3 --- /dev/null +++ b/tests/kani/FunctionContracts/static_interior_mut.rs @@ -0,0 +1,47 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts +//! This test checks that contracts havoc static variables with interior mutability. +//! For now, we over-approximate and havoc the entire static. + +extern crate kani; + +use std::cell::UnsafeCell; + +pub struct WithMut { + regular_field: u8, + mut_field: UnsafeCell, +} + +/// Just for test purpose. +unsafe impl Sync for WithMut {} + +/// A static definition of `WithMut` +static ZERO_VAL: WithMut = WithMut { regular_field: 0, mut_field: UnsafeCell::new(0) }; + +/// The regular field should be 0. +#[kani::ensures(|result| *result == 0)] +pub fn regular_field() -> u8 { + ZERO_VAL.regular_field +} + +/// The mutable field can be anything. +#[kani::ensures(|result| *result == old(unsafe { *ZERO_VAL.mut_field.get() }))] +pub unsafe fn mut_field() -> u8 { + unsafe { *ZERO_VAL.mut_field.get() } +} + +/// This harness is duplicated in `fixme_static_interior_mut.rs`. +/// Issue <> +#[cfg(fixme)] +#[kani::proof_for_contract(regular_field)] +fn check_regular_field_is_const() { + assert_eq!(regular_field(), 0); // ** This should succeed since this field is constant. +} + +// Ensure that Kani havoc the mutable field. +#[kani::should_panic] +#[kani::proof_for_contract(mut_field)] +fn check_regular_field_is_const() { + assert_eq!(unsafe { mut_field() }, 0); // ** This must fail since Kani havoc the mutable field. +} diff --git a/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs b/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs index 9e76a55a2cb3..ba482248898c 100644 --- a/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs +++ b/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs @@ -30,13 +30,13 @@ fn main() { assert!(min_align_of_val(&0i16) == 2); assert!(min_align_of_val(&0i32) == 4); assert!(min_align_of_val(&0i64) == 8); - assert!(min_align_of_val(&0i128) == 8); + assert!(min_align_of_val(&0i128) == 16); assert!(min_align_of_val(&0isize) == 8); assert!(min_align_of_val(&0u8) == 1); assert!(min_align_of_val(&0u16) == 2); assert!(min_align_of_val(&0u32) == 4); assert!(min_align_of_val(&0u64) == 8); - assert!(min_align_of_val(&0u128) == 8); + assert!(min_align_of_val(&0u128) == 16); assert!(min_align_of_val(&0usize) == 8); assert!(min_align_of_val(&0f32) == 4); assert!(min_align_of_val(&0f64) == 8); diff --git a/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs b/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs index e1b3e1dd4491..426f09de1a59 100644 --- a/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs +++ b/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs @@ -19,7 +19,7 @@ fn check_align_simple() { let a = A { id: 0 }; let t: &dyn T = &a; #[cfg(target_arch = "x86_64")] - assert_eq!(align_of_val(t), 8); + assert_eq!(align_of_val(t), 16); #[cfg(target_arch = "aarch64")] assert_eq!(align_of_val(t), 16); assert_eq!(align_of_val(&t), 8); diff --git a/tests/kani/Intrinsics/Atomic/Stable/AtomicPtr/main.rs b/tests/kani/Intrinsics/Atomic/Stable/AtomicPtr/main.rs new file mode 100644 index 000000000000..4e9d68619fd7 --- /dev/null +++ b/tests/kani/Intrinsics/Atomic/Stable/AtomicPtr/main.rs @@ -0,0 +1,72 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// Test atomic intrinsics through the stable interface of atomic_ptr. +// Specifically, it checks that Kani correctly handles atomic_ptr's fetch methods, in which the second argument is a pointer type. +// These methods were not correctly handled as explained in https://github.com/model-checking/kani/issues/3042. + +#![feature(strict_provenance_atomic_ptr, strict_provenance)] +use std::sync::atomic::{AtomicPtr, Ordering}; + +#[kani::proof] +fn check_fetch_byte_add() { + let atom = AtomicPtr::::new(core::ptr::null_mut()); + assert_eq!(atom.fetch_byte_add(1, Ordering::Relaxed).addr(), 0); + // Note: in units of bytes, not `size_of::()`. + assert_eq!(atom.load(Ordering::Relaxed).addr(), 1); +} + +#[kani::proof] +fn check_fetch_byte_sub() { + let atom = AtomicPtr::::new(core::ptr::without_provenance_mut(1)); + assert_eq!(atom.fetch_byte_sub(1, Ordering::Relaxed).addr(), 1); + assert_eq!(atom.load(Ordering::Relaxed).addr(), 0); +} + +#[kani::proof] +fn check_fetch_and() { + let pointer = &mut 3i64 as *mut i64; + // A tagged pointer + let atom = AtomicPtr::::new(pointer.map_addr(|a| a | 1)); + assert_eq!(atom.fetch_or(1, Ordering::Relaxed).addr() & 1, 1); + // Untag, and extract the previously tagged pointer. + let untagged = atom.fetch_and(!1, Ordering::Relaxed).map_addr(|a| a & !1); + assert_eq!(untagged, pointer); +} + +#[kani::proof] +fn check_fetch_or() { + let pointer = &mut 3i64 as *mut i64; + + let atom = AtomicPtr::::new(pointer); + // Tag the bottom bit of the pointer. + assert_eq!(atom.fetch_or(1, Ordering::Relaxed).addr() & 1, 0); + // Extract and untag. + let tagged = atom.load(Ordering::Relaxed); + assert_eq!(tagged.addr() & 1, 1); + assert_eq!(tagged.map_addr(|p| p & !1), pointer); +} + +#[kani::proof] +fn check_fetch_update() { + let ptr: *mut _ = &mut 5; + let some_ptr = AtomicPtr::new(ptr); + + let new: *mut _ = &mut 10; + assert_eq!(some_ptr.fetch_update(Ordering::SeqCst, Ordering::SeqCst, |_| None), Err(ptr)); + let result = some_ptr.fetch_update(Ordering::SeqCst, Ordering::SeqCst, |x| { + if x == ptr { Some(new) } else { None } + }); + assert_eq!(result, Ok(ptr)); + assert_eq!(some_ptr.load(Ordering::SeqCst), new); +} + +#[kani::proof] +fn check_fetch_xor() { + let pointer = &mut 3i64 as *mut i64; + let atom = AtomicPtr::::new(pointer); + + // Toggle a tag bit on the pointer. + atom.fetch_xor(1, Ordering::Relaxed); + assert_eq!(atom.load(Ordering::Relaxed).addr() & 1, 1); +} diff --git a/tests/kani/Intrinsics/ConstEval/min_align_of.rs b/tests/kani/Intrinsics/ConstEval/min_align_of.rs index eed572b8dc9f..425f27084076 100644 --- a/tests/kani/Intrinsics/ConstEval/min_align_of.rs +++ b/tests/kani/Intrinsics/ConstEval/min_align_of.rs @@ -19,13 +19,13 @@ fn main() { assert!(min_align_of::() == 2); assert!(min_align_of::() == 4); assert!(min_align_of::() == 8); - assert!(min_align_of::() == 8); + assert!(min_align_of::() == 16); assert!(min_align_of::() == 8); assert!(min_align_of::() == 1); assert!(min_align_of::() == 2); assert!(min_align_of::() == 4); assert!(min_align_of::() == 8); - assert!(min_align_of::() == 8); + assert!(min_align_of::() == 16); assert!(min_align_of::() == 8); assert!(min_align_of::() == 4); assert!(min_align_of::() == 8); diff --git a/tests/kani/Intrinsics/ConstEval/pref_align_of.rs b/tests/kani/Intrinsics/ConstEval/pref_align_of.rs index 22ff342a8198..d495bffef5f8 100644 --- a/tests/kani/Intrinsics/ConstEval/pref_align_of.rs +++ b/tests/kani/Intrinsics/ConstEval/pref_align_of.rs @@ -19,13 +19,13 @@ fn main() { assert!(unsafe { pref_align_of::() } == 2); assert!(unsafe { pref_align_of::() } == 4); assert!(unsafe { pref_align_of::() } == 8); - assert!(unsafe { pref_align_of::() } == 8); + assert!(unsafe { pref_align_of::() } == 16); assert!(unsafe { pref_align_of::() } == 8); assert!(unsafe { pref_align_of::() } == 1); assert!(unsafe { pref_align_of::() } == 2); assert!(unsafe { pref_align_of::() } == 4); assert!(unsafe { pref_align_of::() } == 8); - assert!(unsafe { pref_align_of::() } == 8); + assert!(unsafe { pref_align_of::() } == 16); assert!(unsafe { pref_align_of::() } == 8); assert!(unsafe { pref_align_of::() } == 4); assert!(unsafe { pref_align_of::() } == 8); diff --git a/tests/kani/Intrinsics/Count/ctlz.rs b/tests/kani/Intrinsics/Count/ctlz.rs index 6c709137e5f4..9149b5bc8f54 100644 --- a/tests/kani/Intrinsics/Count/ctlz.rs +++ b/tests/kani/Intrinsics/Count/ctlz.rs @@ -11,7 +11,7 @@ use std::intrinsics::{ctlz, ctlz_nonzero}; // the same for any value macro_rules! test_ctlz { ( $fn_name:ident, $ty:ty ) => { - fn $fn_name(x: $ty) -> $ty { + fn $fn_name(x: $ty) -> u32 { let mut count = 0; let num_bits = <$ty>::BITS; for i in 0..num_bits { diff --git a/tests/kani/Intrinsics/Count/ctpop.rs b/tests/kani/Intrinsics/Count/ctpop.rs index d2eb972f83aa..19d3ac4fd5a6 100644 --- a/tests/kani/Intrinsics/Count/ctpop.rs +++ b/tests/kani/Intrinsics/Count/ctpop.rs @@ -10,7 +10,7 @@ use std::intrinsics::ctpop; // the same for any value macro_rules! test_ctpop { ( $fn_name:ident, $ty:ty ) => { - fn $fn_name(x: $ty) -> $ty { + fn $fn_name(x: $ty) -> u32 { let mut count = 0; let num_bits = <$ty>::BITS; for i in 0..num_bits { diff --git a/tests/kani/Intrinsics/Count/cttz.rs b/tests/kani/Intrinsics/Count/cttz.rs index fa7c5f6a03e5..0429c6efce08 100644 --- a/tests/kani/Intrinsics/Count/cttz.rs +++ b/tests/kani/Intrinsics/Count/cttz.rs @@ -11,7 +11,7 @@ use std::intrinsics::{cttz, cttz_nonzero}; // the same for any value macro_rules! test_cttz { ( $fn_name:ident, $ty:ty ) => { - fn $fn_name(x: $ty) -> $ty { + fn $fn_name(x: $ty) -> u32 { let mut count = 0; let num_bits = <$ty>::BITS; for i in 0..num_bits { diff --git a/tests/kani/Intrinsics/Likely/main.rs b/tests/kani/Intrinsics/Likely/main.rs index 524fbd18ddc8..14643241ef90 100644 --- a/tests/kani/Intrinsics/Likely/main.rs +++ b/tests/kani/Intrinsics/Likely/main.rs @@ -28,9 +28,15 @@ fn check_unlikely(x: i32, y: i32) { } #[kani::proof] -fn main() { +fn check_likely_main() { let x = kani::any(); let y = kani::any(); check_likely(x, y); +} + +#[kani::proof] +fn check_unlikely_main() { + let x = kani::any(); + let y = kani::any(); check_unlikely(x, y); } diff --git a/tests/kani/Intrinsics/Math/Arith/exp.rs b/tests/kani/Intrinsics/Math/Arith/exp.rs new file mode 100644 index 000000000000..4f26fc5b5b96 --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/exp.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `expf32` and `expf64` intrinsics, which in turn invoke +// functions modelled in CBMC's math library. These models use approximations as documented in +// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_exp32() { + let two = 2.0_f32; + let two_sq = std::f32::consts::E * std::f32::consts::E; + let two_exp = two.exp(); + + assert!((two_sq - two_exp).abs() <= 0.192); +} + +#[kani::proof] +fn verify_exp64() { + let two = 2.0_f64; + let two_sq = std::f64::consts::E * std::f64::consts::E; + let two_exp = two.exp(); + + assert!((two_sq - two_exp).abs() <= 0.192); +} diff --git a/tests/kani/Intrinsics/Math/Arith/exp2.rs b/tests/kani/Intrinsics/Math/Arith/exp2.rs new file mode 100644 index 000000000000..91244a383a0a --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/exp2.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `exp2f32` and `exp2f64` intrinsics, which in turn invoke +// functions modelled in CBMC's math library. These models use approximations as documented in +// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_exp2_32() { + let two = 2.0_f32; + let two_two = two.exp2(); + + assert!((two_two - 4.0).abs() <= 0.345); +} + +#[kani::proof] +fn verify_exp2_64() { + let two = 2.0_f64; + let two_two = two.exp2(); + + assert!((two_two - 4.0).abs() <= 0.345); +} diff --git a/tests/kani/Intrinsics/Math/Arith/log.rs b/tests/kani/Intrinsics/Math/Arith/log.rs new file mode 100644 index 000000000000..1185e8ae4d82 --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/log.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `logf32` and `logf64` intrinsics, which in turn invoke +// functions modelled in CBMC's math library. These models use approximations as documented in +// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_logf32() { + let e = std::f32::consts::E; + let e_log = e.ln(); + + assert!((e_log - 1.0).abs() <= 0.058); +} + +#[kani::proof] +fn verify_logf64() { + let e = std::f64::consts::E; + let e_log = e.ln(); + + assert!((e_log - 1.0).abs() <= 0.058); +} diff --git a/tests/kani/Intrinsics/Math/Arith/powf32.rs b/tests/kani/Intrinsics/Math/Arith/powf32.rs new file mode 100644 index 000000000000..f289171b64b8 --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/powf32.rs @@ -0,0 +1,15 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `powf32` intrinsic, which in turn invoke functions modelled in +// CBMC's math library. These models use approximations as documented in CBMC's source code: +// https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_pow() { + let x: f32 = kani::any(); + kani::assume(x.is_normal()); + kani::assume(x > 1.0 && x < u16::MAX.into()); + let x2 = x.powf(2.0); + assert!(x2 >= 0.0); +} diff --git a/tests/kani/Intrinsics/Math/Arith/powf64.rs b/tests/kani/Intrinsics/Math/Arith/powf64.rs new file mode 100644 index 000000000000..e80ad777c09a --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/powf64.rs @@ -0,0 +1,30 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `powf64` intrinsic, which in turn invoke functions modelled in +// CBMC's math library. These models use approximations as documented in CBMC's source code: +// https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +pub fn f(a: u64) -> u64 { + const C: f64 = 0.618; + (a as f64).powf(C) as u64 +} + +#[cfg(kani)] +mod verification { + use super::*; + + #[kani::proof] + fn verify_f() { + const LIMIT: u64 = 10; + let x: u64 = kani::any(); + let y: u64 = kani::any(); + // outside these limits our approximation may yield spurious results + kani::assume(x > LIMIT && x < LIMIT * 3); + kani::assume(y > LIMIT && y < LIMIT * 3); + kani::assume(x > y); + let x_ = f(x); + let y_ = f(y); + assert!(x_ >= y_); + } +} diff --git a/tests/kani/Intrinsics/Rotate/rotate_left.rs b/tests/kani/Intrinsics/Rotate/rotate_left.rs index d44ef1347745..eac46f968b03 100644 --- a/tests/kani/Intrinsics/Rotate/rotate_left.rs +++ b/tests/kani/Intrinsics/Rotate/rotate_left.rs @@ -24,7 +24,7 @@ macro_rules! test_rotate_left { let n: u32 = kani::any(); // Limit `n` to `u8::MAX` to avoid overflows kani::assume(n <= u8::MAX as u32); - let y: $ty = rotate_left(x, n as $ty); + let y: $ty = rotate_left(x, n); // Check that the rotation is correct $fn_name(x, y, n); // Check that the stable version returns the same value diff --git a/tests/kani/Intrinsics/Rotate/rotate_right.rs b/tests/kani/Intrinsics/Rotate/rotate_right.rs index 584821e5784f..9b88b1250b2f 100644 --- a/tests/kani/Intrinsics/Rotate/rotate_right.rs +++ b/tests/kani/Intrinsics/Rotate/rotate_right.rs @@ -31,7 +31,7 @@ macro_rules! test_rotate_right { let n: u32 = kani::any(); // Limit `n` to `u8::MAX` to avoid overflows kani::assume(n <= u8::MAX as u32); - let y: $ty = rotate_right(x, n as $ty); + let y: $ty = rotate_right(x, n); // Check that the rotation is correct $fn_name(x, y, n); // Check that the stable version returns the same value diff --git a/tests/kani/Intrinsics/SIMD/Compare/float.rs b/tests/kani/Intrinsics/SIMD/Compare/float.rs index 6d2113beb3a0..cc5765ef226b 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/float.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/float.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that intrinsics for SIMD vectors of signed integers are supported -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::*; #[repr(simd)] #[allow(non_camel_case_types)] @@ -19,17 +20,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq)] pub struct i32x2(i32, i32); -// The predicate type U in the functions below must -// be a SIMD type, otherwise we get a compilation error -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; - fn simd_ne(x: T, y: T) -> U; - fn simd_lt(x: T, y: T) -> U; - fn simd_le(x: T, y: T) -> U; - fn simd_gt(x: T, y: T) -> U; - fn simd_ge(x: T, y: T) -> U; -} - macro_rules! assert_cmp { ($res_cmp: ident, $simd_cmp: ident, $x: expr, $y: expr, $($res: expr),+) => { let $res_cmp: i32x2 = $simd_cmp($x, $y); diff --git a/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs b/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs index cc38ad81864d..d3582057fd00 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs @@ -3,7 +3,8 @@ //! Checks that storing the result of a vector operation in a vector of //! size equal to the operands' sizes works. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_eq; #[repr(simd)] #[allow(non_camel_case_types)] @@ -20,14 +21,6 @@ pub struct u64x2(u64, u64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u32x2(u32, u32); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; -} - #[kani::proof] fn main() { let x = u64x2(0, 0); diff --git a/tests/kani/Intrinsics/SIMD/Compare/signed.rs b/tests/kani/Intrinsics/SIMD/Compare/signed.rs index be93395fd2d9..cfd781fa64c7 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/signed.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/signed.rs @@ -2,26 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that intrinsics for SIMD vectors of signed integers are supported -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::*; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; - fn simd_ne(x: T, y: T) -> U; - fn simd_lt(x: T, y: T) -> U; - fn simd_le(x: T, y: T) -> U; - fn simd_gt(x: T, y: T) -> U; - fn simd_ge(x: T, y: T) -> U; -} - macro_rules! assert_cmp { ($res_cmp: ident, $simd_cmp: ident, $x: expr, $y: expr, $($res: expr),+) => { let $res_cmp: i64x2 = $simd_cmp($x, $y); diff --git a/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs b/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs index d30640f123d2..ee39f750c8a2 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs @@ -2,26 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that intrinsics for SIMD vectors of unsigned integers are supported -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::*; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct u64x2(u64, u64); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; - fn simd_ne(x: T, y: T) -> U; - fn simd_lt(x: T, y: T) -> U; - fn simd_le(x: T, y: T) -> U; - fn simd_gt(x: T, y: T) -> U; - fn simd_ge(x: T, y: T) -> U; -} - macro_rules! assert_cmp { ($res_cmp: ident, $simd_cmp: ident, $x: expr, $y: expr, $($res: expr),+) => { let $res_cmp: u64x2 = $simd_cmp($x, $y); diff --git a/tests/kani/Intrinsics/SIMD/Construction/main.rs b/tests/kani/Intrinsics/SIMD/Construction/main.rs index 6e9116e4dc15..5de3ae20d868 100644 --- a/tests/kani/Intrinsics/SIMD/Construction/main.rs +++ b/tests/kani/Intrinsics/SIMD/Construction/main.rs @@ -3,18 +3,14 @@ //! Checks that the `simd_extract` and `simd_insert` intrinsics are supported //! and return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_extract, simd_insert}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_extract(x: T, idx: u32) -> U; - fn simd_insert(x: T, idx: u32, b: U) -> T; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/kani/Intrinsics/SIMD/Operators/arith.rs b/tests/kani/Intrinsics/SIMD/Operators/arith.rs index 6af147b826e0..d9f442a659ba 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/arith.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/arith.rs @@ -1,22 +1,16 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -//! This test doesn't work because support for SIMD intrinsics isn't available -//! at the moment in Kani. Support to be added in -//! -#![feature(repr_simd, platform_intrinsics)] +//! Checks that the SIMD intrinsics `simd_add`, `simd_sub` and +//! `simd_mul` are supported and return the expected results. +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_add, simd_mul, simd_sub}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i8x2(i8, i8); -extern "platform-intrinsic" { - fn simd_add(x: T, y: T) -> T; - fn simd_sub(x: T, y: T) -> T; - fn simd_mul(x: T, y: T) -> T; -} - macro_rules! verify_no_overflow { ($cf: ident, $uf: ident) => {{ let a: i8 = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs b/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs index 4d3293264b6e..6992408436b9 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs @@ -6,16 +6,11 @@ //! This is done by initializing vectors with the contents of 2-member tuples //! with symbolic values. The result of using each of the intrinsics is compared //! against the result of using the associated bitwise operator on the tuples. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] #![feature(generic_const_exprs)] #![feature(portable_simd)] -#![feature(core_intrinsics)] - use std::fmt::Debug; - -extern "platform-intrinsic" { - fn simd_bitmask(x: T) -> U; -} +use std::intrinsics::simd::simd_bitmask; #[repr(simd)] #[derive(Clone, Debug)] diff --git a/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs b/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs index 1041f918123f..fa2cd3c52cd6 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs @@ -3,7 +3,8 @@ //! Checks that the `simd_shl` and `simd_shr` intrinsics are supported and they //! return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_shl, simd_shr}; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,11 +16,6 @@ pub struct i32x2(i32, i32); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u32x2(u32, u32); -extern "platform-intrinsic" { - fn simd_shl(x: T, y: T) -> T; - fn simd_shr(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shl() { let value = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs b/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs index aa53bb6ac9ea..b18410088f18 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs @@ -8,7 +8,8 @@ //! This is done by initializing vectors with the contents of 2-member tuples //! with symbolic values. The result of using each of the intrinsics is compared //! against the result of using the associated bitwise operator on the tuples. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_and, simd_or, simd_xor}; #[repr(simd)] #[allow(non_camel_case_types)] @@ -50,11 +51,6 @@ pub struct u32x2(u32, u32); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u64x2(u64, u64); -extern "platform-intrinsic" { - fn simd_and(x: T, y: T) -> T; - fn simd_or(x: T, y: T) -> T; - fn simd_xor(x: T, y: T) -> T; -} macro_rules! compare_simd_op_with_normal_op { ($simd_op: ident, $normal_op: tt, $simd_type: ident) => { let tup_x: (_,_) = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/division.rs b/tests/kani/Intrinsics/SIMD/Operators/division.rs index 593ac3fdfe7b..e1e8dab39cca 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/division.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/division.rs @@ -3,18 +3,14 @@ //! Checks that the `simd_div` and `simd_rem` intrinsics are supported and they //! return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_div, simd_rem}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; - fn simd_rem(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_div() { let dividend = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/division_float.rs b/tests/kani/Intrinsics/SIMD/Operators/division_float.rs index 97ea2e6e7ca7..711b67b87116 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/division_float.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/division_float.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that the `simd_div` intrinsic returns the expected results for floating point numbers. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_div; #[repr(simd)] #[allow(non_camel_case_types)] @@ -19,10 +20,6 @@ impl f32x2 { } } -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_div() { let dividends = f32x2::new_with(|| { diff --git a/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs b/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs index c97e96896bcf..e64498e20242 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that the `simd_rem` intrinsic returns the expected results for floating point numbers. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_rem; #[repr(simd)] #[allow(non_camel_case_types)] @@ -19,10 +20,6 @@ impl f32x2 { } } -extern "platform-intrinsic" { - fn simd_rem(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_rem() { let dividends = f32x2::new_with(|| { diff --git a/tests/kani/Intrinsics/SIMD/Shuffle/main.rs b/tests/kani/Intrinsics/SIMD/Shuffle/main.rs index 6d822a18bdc1..9b6870e40004 100644 --- a/tests/kani/Intrinsics/SIMD/Shuffle/main.rs +++ b/tests/kani/Intrinsics/SIMD/Shuffle/main.rs @@ -3,7 +3,8 @@ //! Checks that `simd_shuffle` and `simd_shuffleN` (where `N` is a length) are //! supported and return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,10 +16,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x4(i64, i64, i64, i64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: U) -> V; -} - #[kani::proof] fn main() { { diff --git a/tests/kani/Intrinsics/typed_swap.rs b/tests/kani/Intrinsics/typed_swap.rs new file mode 100644 index 000000000000..996784b5181d --- /dev/null +++ b/tests/kani/Intrinsics/typed_swap.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// Check that `typed_swap` yields the expected results. +// https://doc.rust-lang.org/nightly/std/intrinsics/fn.typed_swap.html + +#![feature(core_intrinsics)] +#![allow(internal_features)] + +#[kani::proof] +fn test_typed_swap_u32() { + let mut a: u32 = kani::any(); + let a_before = a; + let mut b: u32 = kani::any(); + let b_before = b; + unsafe { + std::intrinsics::typed_swap(&mut a, &mut b); + } + assert!(b == a_before); + assert!(a == b_before); +} + +#[kani::proof] +pub fn check_swap_unit() { + let mut x: () = kani::any(); + let mut y: () = kani::any(); + std::mem::swap(&mut x, &mut y) +} diff --git a/tests/kani/Invariant/invariant_impls.rs b/tests/kani/Invariant/invariant_impls.rs new file mode 100644 index 000000000000..146c9731370d --- /dev/null +++ b/tests/kani/Invariant/invariant_impls.rs @@ -0,0 +1,45 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check the `Invariant` implementations that we include in the Kani library +//! with respect to the underlying type invariants. + +#![feature(f16)] +#![feature(f128)] + +extern crate kani; +use kani::Invariant; + +macro_rules! check_safe_type { + ( $type: ty ) => { + let value: $type = kani::any(); + assert!(value.is_safe()); + }; +} + +#[kani::proof] +fn check_safe_impls() { + check_safe_type!(u8); + check_safe_type!(u16); + check_safe_type!(u32); + check_safe_type!(u64); + check_safe_type!(u128); + check_safe_type!(usize); + + check_safe_type!(i8); + check_safe_type!(i16); + check_safe_type!(i32); + check_safe_type!(i64); + check_safe_type!(i128); + check_safe_type!(isize); + + check_safe_type!(f16); + check_safe_type!(f128); + + check_safe_type!(f32); + check_safe_type!(f64); + + check_safe_type!(()); + check_safe_type!(bool); + check_safe_type!(char); +} diff --git a/tests/kani/Invariant/percentage.rs b/tests/kani/Invariant/percentage.rs new file mode 100644 index 000000000000..f3976f48e249 --- /dev/null +++ b/tests/kani/Invariant/percentage.rs @@ -0,0 +1,62 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `Invariant` implementation behaves as expected when used on a +//! custom type. + +extern crate kani; +use kani::Invariant; + +// We use the default `Arbitrary` implementation, which allows values that +// shouldn't be considered safe for the `Percentage` type. +#[derive(kani::Arbitrary)] +struct Percentage(u8); + +impl Percentage { + pub fn try_new(val: u8) -> Result { + if val <= 100 { + Ok(Self(val)) + } else { + Err(String::from("error: invalid percentage value")) + } + } + + pub fn value(&self) -> u8 { + self.0 + } + + pub fn increase(&self, other: u8) -> Percentage { + let amount = self.0 + other; + Percentage::try_new(amount.min(100)).unwrap() + } +} + +impl kani::Invariant for Percentage { + fn is_safe(&self) -> bool { + self.0 <= 100 + } +} + +#[kani::proof] +fn check_assume_safe() { + let percentage: Percentage = kani::any(); + kani::assume(percentage.is_safe()); + assert!(percentage.value() <= 100); +} + +#[kani::proof] +#[kani::should_panic] +fn check_assert_safe() { + let percentage: Percentage = kani::any(); + assert!(percentage.is_safe()); +} + +#[kani::proof] +fn check_increase_safe() { + let percentage: Percentage = kani::any(); + kani::assume(percentage.is_safe()); + let amount = kani::any(); + kani::assume(amount <= 100); + let new_percentage = percentage.increase(amount); + assert!(new_percentage.is_safe()); +} diff --git a/tests/kani/MemPredicates/fat_ptr_validity.rs b/tests/kani/MemPredicates/fat_ptr_validity.rs new file mode 100644 index 000000000000..c4f037f3a646 --- /dev/null +++ b/tests/kani/MemPredicates/fat_ptr_validity.rs @@ -0,0 +1,67 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z mem-predicates +//! Check that Kani's memory predicates work for fat pointers. + +extern crate kani; + +use kani::mem::{can_dereference, can_write}; + +mod valid_access { + use super::*; + #[kani::proof] + pub fn check_valid_dyn_ptr() { + let mut var = 10u8; + let fat_ptr: *mut dyn PartialEq = &mut var as *mut _; + assert!(can_write(fat_ptr)); + } + + #[kani::proof] + pub fn check_valid_slice_ptr() { + let array = ['a', 'b', 'c']; + let slice = &array as *const [char]; + assert!(can_dereference(slice)); + assert_eq!(unsafe { &*slice }[0], 'a'); + assert_eq!(unsafe { &*slice }[2], 'c'); + } + + #[kani::proof] + pub fn check_valid_zst() { + let slice_ptr = Vec::::new().as_slice() as *const [char]; + assert!(can_dereference(slice_ptr)); + + let str_ptr = String::new().as_str() as *const str; + assert!(can_dereference(str_ptr)); + } +} + +mod invalid_access { + use super::*; + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_dyn_ptr() { + let raw_ptr: *const dyn PartialEq = unsafe { new_dead_ptr::(0) }; + assert!(can_dereference(raw_ptr)); + } + + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_slice_ptr() { + let raw_ptr: *const [char] = unsafe { new_dead_ptr::<[char; 2]>(['a', 'b']) }; + assert!(can_dereference(raw_ptr)); + } + + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_slice_len() { + let array = [10usize; 10]; + let invalid: *const [usize; 11] = &array as *const [usize; 10] as *const [usize; 11]; + let ptr: *const [usize] = invalid as *const _; + assert!(can_dereference(ptr)); + } + + unsafe fn new_dead_ptr(val: T) -> *const T { + let local = val; + &local as *const _ + } +} diff --git a/tests/kani/MemPredicates/thin_ptr_validity.rs b/tests/kani/MemPredicates/thin_ptr_validity.rs new file mode 100644 index 000000000000..553c5beab9f8 --- /dev/null +++ b/tests/kani/MemPredicates/thin_ptr_validity.rs @@ -0,0 +1,60 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z mem-predicates +//! Check that Kani's memory predicates work for thin pointers. + +extern crate kani; + +use kani::mem::can_dereference; +use std::ptr::NonNull; + +mod valid_access { + use super::*; + #[kani::proof] + pub fn check_dangling_zst() { + let dangling = NonNull::<()>::dangling().as_ptr(); + assert!(can_dereference(dangling)); + + let vec_ptr = Vec::<()>::new().as_ptr(); + assert!(can_dereference(vec_ptr)); + + let dangling = NonNull::<[char; 0]>::dangling().as_ptr(); + assert!(can_dereference(dangling)); + } + + #[kani::proof] + pub fn check_valid_array() { + let array = ['a', 'b', 'c']; + assert!(can_dereference(&array)); + } +} + +mod invalid_access { + use super::*; + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_ptr() { + let raw_ptr = unsafe { new_dead_ptr::(0) }; + assert!(!can_dereference(raw_ptr)); + } + + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_array() { + let raw_ptr = unsafe { new_dead_ptr::<[char; 2]>(['a', 'b']) }; + assert!(can_dereference(raw_ptr)); + } + + #[kani::proof] + pub fn check_invalid_zst() { + let raw_ptr: *const [char; 0] = + unsafe { new_dead_ptr::<[char; 2]>(['a', 'b']) } as *const _; + // ZST pointer are always valid + assert!(can_dereference(raw_ptr)); + } + + unsafe fn new_dead_ptr(val: T) -> *const T { + let local = val; + &local as *const _ + } +} diff --git a/tests/kani/Print/no_semicolon.rs b/tests/kani/Print/no_semicolon.rs new file mode 100644 index 000000000000..bee09e628472 --- /dev/null +++ b/tests/kani/Print/no_semicolon.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This test checks that the (e)println with no arguments do not require a trailing semicolon + +fn println() { + println!() +} +fn eprintln() { + eprintln!() +} + +#[kani::proof] +fn main() { + println(); + eprintln(); +} diff --git a/tests/kani/SIMD/simd_float_ops_fixme.rs b/tests/kani/SIMD/simd_float_ops_fixme.rs index d258a2119eca..6b53d95d554a 100644 --- a/tests/kani/SIMD/simd_float_ops_fixme.rs +++ b/tests/kani/SIMD/simd_float_ops_fixme.rs @@ -4,14 +4,10 @@ //! Ensure we can handle SIMD defined in the standard library //! FIXME: #![allow(non_camel_case_types)] -#![feature(repr_simd, platform_intrinsics, portable_simd)] +#![feature(repr_simd, core_intrinsics, portable_simd)] +use std::intrinsics::simd::simd_add; use std::simd::f32x4; -extern "platform-intrinsic" { - fn simd_add(x: T, y: T) -> T; - fn simd_eq(x: T, y: T) -> U; -} - #[repr(simd)] #[derive(Clone, PartialEq, kani::Arbitrary)] pub struct f32x2(f32, f32); diff --git a/tests/kani/SizeAndAlignOfDst/main_assert.rs b/tests/kani/SizeAndAlignOfDst/main_assert.rs new file mode 100644 index 000000000000..09f7b1b0c774 --- /dev/null +++ b/tests/kani/SizeAndAlignOfDst/main_assert.rs @@ -0,0 +1,58 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This is a regression test for size_and_align_of_dst computing the +//! size and alignment of a dynamically-sized type like +//! Arc>. +//! + +/// This test fails on macos but not in other platforms. +/// Thus only enable it for platforms where this shall succeed. +#[cfg(not(target_os = "macos"))] +mod not_macos { + use std::sync::Arc; + use std::sync::Mutex; + + pub trait Subscriber { + fn process(&self); + fn increment(&mut self); + fn get(&self) -> u32; + } + + struct DummySubscriber { + val: u32, + } + + impl DummySubscriber { + fn new() -> Self { + DummySubscriber { val: 0 } + } + } + + impl Subscriber for DummySubscriber { + fn process(&self) {} + fn increment(&mut self) { + self.val = self.val + 1; + } + fn get(&self) -> u32 { + self.val + } + } + + #[kani::proof] + #[kani::unwind(2)] + fn simplified() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let data = s.lock().unwrap(); + assert!(data.get() == 0); + } + + #[kani::proof] + #[kani::unwind(1)] + fn original() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let mut data = s.lock().unwrap(); + data.increment(); + assert!(data.get() == 1); + } +} diff --git a/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs b/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs index 9173eca7db3c..25075bc910d9 100644 --- a/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs +++ b/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs @@ -8,51 +8,64 @@ //! Arc>. //! We added a simplified version of the original harness from: //! -//! This currently fails due to -//! +//! This currently fails on MacOS instances due to unsupported foreign function: +//! `pthread_mutexattr_init`. -use std::sync::Arc; -use std::sync::Mutex; +#[cfg(target_os = "macos")] +mod macos { + use std::sync::Arc; + use std::sync::Mutex; -pub trait Subscriber { - fn process(&self); - fn increment(&mut self); - fn get(&self) -> u32; -} + pub trait Subscriber { + fn process(&self); + fn increment(&mut self); + fn get(&self) -> u32; + } -struct DummySubscriber { - val: u32, -} + struct DummySubscriber { + val: u32, + } -impl DummySubscriber { - fn new() -> Self { - DummySubscriber { val: 0 } + impl DummySubscriber { + fn new() -> Self { + DummySubscriber { val: 0 } + } } -} -impl Subscriber for DummySubscriber { - fn process(&self) {} - fn increment(&mut self) { - self.val = self.val + 1; + impl Subscriber for DummySubscriber { + fn process(&self) {} + fn increment(&mut self) { + self.val = self.val + 1; + } + fn get(&self) -> u32 { + self.val + } } - fn get(&self) -> u32 { - self.val + + #[kani::proof] + #[kani::unwind(2)] + fn simplified() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let data = s.lock().unwrap(); + assert!(data.get() == 0); } -} -#[kani::proof] -#[kani::unwind(2)] -fn simplified() { - let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); - let data = s.lock().unwrap(); - assert!(data.get() == 0); + #[kani::proof] + #[kani::unwind(1)] + fn original() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let mut data = s.lock().unwrap(); + data.increment(); + assert!(data.get() == 1); + } } -#[kani::proof] -#[kani::unwind(1)] -fn original() { - let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); - let mut data = s.lock().unwrap(); - data.increment(); - assert!(data.get() == 1); +#[cfg(not(target_os = "macos"))] +mod not_macos { + /// Since this is a fixme test, it must also fail in other platforms. + /// Remove this once we fix the issue above. + #[kani::proof] + fn fail() { + assert!(false); + } } diff --git a/tests/kani/Static/pub_static.rs b/tests/kani/Static/pub_static.rs index 9644519ff97d..6a795952b15e 100644 --- a/tests/kani/Static/pub_static.rs +++ b/tests/kani/Static/pub_static.rs @@ -1,13 +1,10 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// kani-flags: --enable-unstable --function harness -//! This test covers an issue we had with our public-fns implementation. -//! We were not checking if a root was a function in the first place. -//! https://github.com/model-checking/kani/issues/2047 +//! Ensures a harness can access a static variable. pub static DAYS_OF_WEEK: [char; 7] = ['s', 'm', 't', 'w', 't', 'f', 's']; -#[no_mangle] +#[kani::proof] pub fn harness() { let day: usize = kani::any(); kani::assume(day < DAYS_OF_WEEK.len()); diff --git a/tests/kani/StorageMarkers/main.rs b/tests/kani/StorageMarkers/main.rs new file mode 100644 index 000000000000..770995605ded --- /dev/null +++ b/tests/kani/StorageMarkers/main.rs @@ -0,0 +1,652 @@ +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// Modifications Copyright Kani Contributors +// See GitHub history for details. + +// Our handling of storage markers used to cause spurious failures in this test. +// https://github.com/model-checking/kani/issues/3099 +// The code is extracted from the implementation of `BTreeMap` which is where we +// originally saw the spurious failures while trying to enable storage markers +// for `std` in https://github.com/model-checking/kani/pull/3080 + +use std::alloc::Layout; +use std::marker::PhantomData; +use std::mem::ManuallyDrop; + +use std::ptr::{self, NonNull}; + +/// This replaces the value behind the `v` unique reference by calling the +/// relevant function, and returns a result obtained along the way. +/// +/// If a panic occurs in the `change` closure, the entire process will be aborted. +#[inline] +fn replace(v: &mut T, change: impl FnOnce(T) -> (T, R)) -> R { + let value = unsafe { ptr::read(v) }; + let (new_value, ret) = change(value); + unsafe { + ptr::write(v, new_value); + } + ret +} + +const B: usize = 6; +const CAPACITY: usize = 2 * B - 1; + +/// The underlying representation of leaf nodes and part of the representation of internal nodes. +struct LeafNode { + /// We want to be covariant in `K` and `V`. + parent: Option>, + + /// This node's index into the parent node's `edges` array. + /// `*node.parent.edges[node.parent_idx]` should be the same thing as `node`. + /// This is only guaranteed to be initialized when `parent` is non-null. + parent_idx: u16, + + /// The number of keys and values this node stores. + len: u16, +} + +impl LeafNode { + /// Creates a new boxed `LeafNode`. + fn new() -> Box { + Box::new(LeafNode { parent: None, parent_idx: 0, len: 0 }) + } +} + +/// The underlying representation of internal nodes. As with `LeafNode`s, these should be hidden +/// behind `BoxedNode`s to prevent dropping uninitialized keys and values. Any pointer to an +/// `InternalNode` can be directly cast to a pointer to the underlying `LeafNode` portion of the +/// node, allowing code to act on leaf and internal nodes generically without having to even check +/// which of the two a pointer is pointing at. This property is enabled by the use of `repr(C)`. +// gdb_providers.py uses this type name for introspection. +struct InternalNode {} + +// N.B. `NodeRef` is always covariant in `K` and `V`, even when the `BorrowType` +// is `Mut`. This is technically wrong, but cannot result in any unsafety due to +// internal use of `NodeRef` because we stay completely generic over `K` and `V`. +// However, whenever a public type wraps `NodeRef`, make sure that it has the +// correct variance. +/// +/// A reference to a node. +/// +/// This type has a number of parameters that controls how it acts: +/// - `BorrowType`: A dummy type that describes the kind of borrow and carries a lifetime. +/// - When this is `Immut<'a>`, the `NodeRef` acts roughly like `&'a Node`. +/// - When this is `ValMut<'a>`, the `NodeRef` acts roughly like `&'a Node` +/// with respect to keys and tree structure, but also allows many +/// mutable references to values throughout the tree to coexist. +/// - When this is `Mut<'a>`, the `NodeRef` acts roughly like `&'a mut Node`, +/// although insert methods allow a mutable pointer to a value to coexist. +/// - When this is `Owned`, the `NodeRef` acts roughly like `Box`, +/// but does not have a destructor, and must be cleaned up manually. +/// - When this is `Dying`, the `NodeRef` still acts roughly like `Box`, +/// but has methods to destroy the tree bit by bit, and ordinary methods, +/// while not marked as unsafe to call, can invoke UB if called incorrectly. +/// Since any `NodeRef` allows navigating through the tree, `BorrowType` +/// effectively applies to the entire tree, not just to the node itself. +/// - `K` and `V`: These are the types of keys and values stored in the nodes. +/// - `Type`: This can be `Leaf`, `Internal`, or `LeafOrInternal`. When this is +/// `Leaf`, the `NodeRef` points to a leaf node, when this is `Internal` the +/// `NodeRef` points to an internal node, and when this is `LeafOrInternal` the +/// `NodeRef` could be pointing to either type of node. +/// `Type` is named `NodeType` when used outside `NodeRef`. +/// +/// Both `BorrowType` and `NodeType` restrict what methods we implement, to +/// exploit static type safety. There are limitations in the way we can apply +/// such restrictions: +/// - For each type parameter, we can only define a method either generically +/// or for one particular type. For example, we cannot define a method like +/// `into_kv` generically for all `BorrowType`, or once for all types that +/// carry a lifetime, because we want it to return `&'a` references. +/// Therefore, we define it only for the least powerful type `Immut<'a>`. +/// - We cannot get implicit coercion from say `Mut<'a>` to `Immut<'a>`. +/// Therefore, we have to explicitly call `reborrow` on a more powerful +/// `NodeRef` in order to reach a method like `into_kv`. +/// +/// All methods on `NodeRef` that return some kind of reference, either: +/// - Take `self` by value, and return the lifetime carried by `BorrowType`. +/// Sometimes, to invoke such a method, we need to call `reborrow_mut`. +/// - Take `self` by reference, and (implicitly) return that reference's +/// lifetime, instead of the lifetime carried by `BorrowType`. That way, +/// the borrow checker guarantees that the `NodeRef` remains borrowed as long +/// as the returned reference is used. +/// The methods supporting insert bend this rule by returning a raw pointer, +/// i.e., a reference without any lifetime. +struct NodeRef { + /// The number of levels that the node and the level of leaves are apart, a + /// constant of the node that cannot be entirely described by `Type`, and that + /// the node itself does not store. We only need to store the height of the root + /// node, and derive every other node's height from it. + /// Must be zero if `Type` is `Leaf` and non-zero if `Type` is `Internal`. + height: usize, + /// The pointer to the leaf or internal node. The definition of `InternalNode` + /// ensures that the pointer is valid either way. + node: NonNull, + _marker: PhantomData<(BorrowType, Type)>, +} + +/// The root node of an owned tree. +/// +/// Note that this does not have a destructor, and must be cleaned up manually. +type Root = NodeRef; + +impl NodeRef { + fn new_leaf() -> Self { + Self::from_new_leaf(LeafNode::new()) + } + + fn from_new_leaf(leaf: Box) -> Self { + NodeRef { height: 0, node: NonNull::from(Box::leak(leaf)), _marker: PhantomData } + } +} + +impl NodeRef { + /// Unpack a node reference that was packed as `NodeRef::parent`. + fn from_internal(node: NonNull, height: usize) -> Self { + debug_assert!(height > 0); + NodeRef { height, node: node.cast(), _marker: PhantomData } + } +} + +impl NodeRef { + /// Finds the length of the node. This is the number of keys or values. + /// The number of edges is `len() + 1`. + /// Note that, despite being safe, calling this function can have the side effect + /// of invalidating mutable references that unsafe code has created. + fn len(&self) -> usize { + // Crucially, we only access the `len` field here. If BorrowType is marker::ValMut, + // there might be outstanding mutable references to values that we must not invalidate. + unsafe { usize::from((*Self::as_leaf_ptr(self)).len) } + } + + /// Exposes the leaf portion of any leaf or internal node. + /// + /// Returns a raw ptr to avoid invalidating other references to this node. + fn as_leaf_ptr(this: &Self) -> *mut LeafNode { + // The node must be valid for at least the LeafNode portion. + // This is not a reference in the NodeRef type because we don't know if + // it should be unique or shared. + this.node.as_ptr() + } +} + +impl NodeRef { + /// Finds the parent of the current node. Returns `Ok(handle)` if the current + /// node actually has a parent, where `handle` points to the edge of the parent + /// that points to the current node. Returns `Err(self)` if the current node has + /// no parent, giving back the original `NodeRef`. + /// + /// The method name assumes you picture trees with the root node on top. + /// + /// `edge.descend().ascend().unwrap()` and `node.ascend().unwrap().descend()` should + /// both, upon success, do nothing. + fn ascend(self) -> Result, marker::Edge>, Self> { + // We need to use raw pointers to nodes because, if BorrowType is marker::ValMut, + // there might be outstanding mutable references to values that we must not invalidate. + let leaf_ptr: *const _ = Self::as_leaf_ptr(&self); + unsafe { (*leaf_ptr).parent } + .as_ref() + .map(|parent| Handle { + node: NodeRef::from_internal(*parent, self.height + 1), + idx: unsafe { usize::from((*leaf_ptr).parent_idx) }, + _marker: PhantomData, + }) + .ok_or(self) + } + + fn first_edge(self) -> Handle { + unsafe { Handle::new_edge(self, 0) } + } +} + +impl NodeRef { + /// Similar to `ascend`, gets a reference to a node's parent node, but also + /// deallocates the current node in the process. This is unsafe because the + /// current node will still be accessible despite being deallocated. + unsafe fn deallocate_and_ascend( + self, + ) -> Option, marker::Edge>> { + let height = self.height; + let node = self.node; + let ret = self.ascend().ok(); + unsafe { + std::alloc::dealloc( + node.as_ptr() as *mut u8, + if height > 0 { Layout::new::() } else { Layout::new::() }, + ); + } + ret + } +} + +impl<'a, Type> NodeRef, Type> { + /// Borrows exclusive access to the leaf portion of a leaf or internal node. + fn as_leaf_mut(&mut self) -> &mut LeafNode { + let ptr = Self::as_leaf_ptr(self); + // SAFETY: we have exclusive access to the entire node. + unsafe { &mut *ptr } + } +} + +impl<'a, Type> NodeRef, Type> { + /// Borrows exclusive access to the length of the node. + fn len_mut(&mut self) -> &mut u16 { + &mut self.as_leaf_mut().len + } +} + +impl NodeRef { + /// Mutably borrows the owned root node. Unlike `reborrow_mut`, this is safe + /// because the return value cannot be used to destroy the root, and there + /// cannot be other references to the tree. + fn borrow_mut(&mut self) -> NodeRef, Type> { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } + + /// Irreversibly transitions to a reference that permits traversal and offers + /// destructive methods and little else. + fn into_dying(self) -> NodeRef { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } +} + +impl<'a> NodeRef, marker::Leaf> { + /// Adds a key-value pair to the end of the node, and returns + /// a handle to the inserted value. + /// + /// # Safety + /// + /// The returned handle has an unbound lifetime. + unsafe fn push_with_handle<'b>( + &mut self, + ) -> Handle, marker::Leaf>, marker::KV> { + let len = self.len_mut(); + let idx = usize::from(*len); + assert!(idx < CAPACITY); + *len += 1; + unsafe { + Handle::new_kv( + NodeRef { height: self.height, node: self.node, _marker: PhantomData }, + idx, + ) + } + } + + /// Adds a key-value pair to the end of the node, and returns + /// the mutable reference of the inserted value. + fn push(&mut self) -> i32 { + // SAFETY: The unbound handle is no longer accessible. + let _ = unsafe { self.push_with_handle() }; + 0 + } +} + +impl NodeRef { + /// Removes any static information asserting that this node is a `Leaf` node. + fn forget_type(self) -> NodeRef { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } +} + +impl NodeRef { + /// Removes any static information asserting that this node is an `Internal` node. + fn forget_type(self) -> NodeRef { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } +} + +impl NodeRef { + /// Checks whether a node is an `Internal` node or a `Leaf` node. + fn force(self) -> ForceResult> { + if self.height == 0 { + ForceResult::Leaf(NodeRef { + height: self.height, + node: self.node, + _marker: PhantomData, + }) + } else { + panic!() + } + } +} + +/// A reference to a specific key-value pair or edge within a node. The `Node` parameter +/// must be a `NodeRef`, while the `Type` can either be `KV` (signifying a handle on a key-value +/// pair) or `Edge` (signifying a handle on an edge). +/// +/// Note that even `Leaf` nodes can have `Edge` handles. Instead of representing a pointer to +/// a child node, these represent the spaces where child pointers would go between the key-value +/// pairs. For example, in a node with length 2, there would be 3 possible edge locations - one +/// to the left of the node, one between the two pairs, and one at the right of the node. +struct Handle { + node: Node, + idx: usize, + _marker: PhantomData, +} + +impl Handle { + /// Retrieves the node that contains the edge or key-value pair this handle points to. + fn into_node(self) -> Node { + self.node + } +} + +impl Handle, marker::KV> { + /// Creates a new handle to a key-value pair in `node`. + /// Unsafe because the caller must ensure that `idx < node.len()`. + unsafe fn new_kv(node: NodeRef, idx: usize) -> Self { + debug_assert!(idx < node.len()); + + Handle { node, idx, _marker: PhantomData } + } + + fn right_edge(self) -> Handle, marker::Edge> { + unsafe { Handle::new_edge(self.node, self.idx + 1) } + } +} + +impl Handle, marker::Edge> { + /// Creates a new handle to an edge in `node`. + /// Unsafe because the caller must ensure that `idx <= node.len()`. + unsafe fn new_edge(node: NodeRef, idx: usize) -> Self { + debug_assert!(idx <= node.len()); + + Handle { node, idx, _marker: PhantomData } + } + + fn right_kv(self) -> Result, marker::KV>, Self> { + if self.idx < self.node.len() { + Ok(unsafe { Handle::new_kv(self.node, self.idx) }) + } else { + Err(self) + } + } +} + +impl Handle, marker::Edge> { + fn forget_node_type(self) -> Handle, marker::Edge> { + unsafe { Handle::new_edge(self.node.forget_type(), self.idx) } + } +} + +impl Handle, marker::Edge> { + fn forget_node_type(self) -> Handle, marker::Edge> { + unsafe { Handle::new_edge(self.node.forget_type(), self.idx) } + } +} + +impl Handle, Type> { + /// Checks whether the underlying node is an `Internal` node or a `Leaf` node. + fn force(self) -> ForceResult, Type>> { + match self.node.force() { + ForceResult::Leaf(node) => { + ForceResult::Leaf(Handle { node, idx: self.idx, _marker: PhantomData }) + } + } + } +} +enum ForceResult { + Leaf(Leaf), +} + +mod marker { + use std::marker::PhantomData; + + pub enum Leaf {} + pub enum Internal {} + pub enum Owned {} + pub enum Dying {} + pub struct Mut<'a>(PhantomData<&'a mut ()>); + + pub trait BorrowType { + /// If node references of this borrow type allow traversing to other + /// nodes in the tree, this constant is set to `true`. It can be used + /// for a compile-time assertion. + const TRAVERSAL_PERMIT: bool = true; + } + impl BorrowType for Owned { + /// Reject traversal, because it isn't needed. Instead traversal + /// happens using the result of `borrow_mut`. + /// By disabling traversal, and only creating new references to roots, + /// we know that every reference of the `Owned` type is to a root node. + const TRAVERSAL_PERMIT: bool = false; + } + impl BorrowType for Dying {} + impl<'a> BorrowType for Mut<'a> {} + + pub enum KV {} + pub enum Edge {} +} + +enum LazyLeafHandle { + Root(NodeRef), // not yet descended + Edge(Handle, marker::Edge>), +} + +// `front` and `back` are always both `None` or both `Some`. +struct LazyLeafRange { + front: Option>, +} + +impl LazyLeafRange { + fn none() -> Self { + LazyLeafRange { front: None } + } +} + +impl LazyLeafRange { + fn take_front(&mut self) -> Option, marker::Edge>> { + match self.front.take()? { + LazyLeafHandle::Root(root) => Some(root.first_leaf_edge()), + LazyLeafHandle::Edge(edge) => Some(edge), + } + } + + #[inline] + unsafe fn deallocating_next_unchecked( + &mut self, + ) -> Handle, marker::KV> { + debug_assert!(self.front.is_some()); + let front = self.init_front().unwrap(); + unsafe { front.deallocating_next_unchecked() } + } + + #[inline] + fn deallocating_end(&mut self) { + if let Some(front) = self.take_front() { + front.deallocating_end() + } + } +} + +impl LazyLeafRange { + fn init_front( + &mut self, + ) -> Option<&mut Handle, marker::Edge>> { + if let Some(LazyLeafHandle::Root(root)) = &self.front { + self.front = Some(LazyLeafHandle::Edge(unsafe { ptr::read(root) }.first_leaf_edge())); + } + match &mut self.front { + None => None, + Some(LazyLeafHandle::Edge(edge)) => Some(edge), + // SAFETY: the code above would have replaced it. + Some(LazyLeafHandle::Root(_)) => panic!(), + } + } +} + +fn full_range( + root1: NodeRef, +) -> LazyLeafRange { + LazyLeafRange { front: Some(LazyLeafHandle::Root(root1)) } +} + +impl NodeRef { + /// Splits a unique reference into a pair of leaf edges delimiting the full range of the tree. + /// The results are non-unique references allowing massively destructive mutation, so must be + /// used with the utmost care. + fn full_range(self) -> LazyLeafRange { + // We duplicate the root NodeRef here -- we will never access it in a way + // that overlaps references obtained from the root. + full_range(self) + } +} + +impl Handle, marker::Edge> { + /// Given a leaf edge handle into a dying tree, returns the next leaf edge + /// on the right side, and the key-value pair in between, if they exist. + /// + /// If the given edge is the last one in a leaf, this method deallocates + /// the leaf, as well as any ancestor nodes whose last edge was reached. + /// This implies that if no more key-value pair follows, the entire tree + /// will have been deallocated and there is nothing left to return. + /// + /// # Safety + /// - The given edge must not have been previously returned by counterpart + /// `deallocating_next_back`. + /// - The returned KV handle is only valid to access the key and value, + /// and only valid until the next call to a `deallocating_` method. + unsafe fn deallocating_next( + self, + ) -> Option<(Self, Handle, marker::KV>)> { + let mut edge = self.forget_node_type(); + loop { + edge = match edge.right_kv() { + Ok(kv) => return Some((unsafe { ptr::read(&kv) }.next_leaf_edge(), kv)), + Err(last_edge) => match unsafe { last_edge.into_node().deallocate_and_ascend() } { + Some(parent_edge) => parent_edge.forget_node_type(), + None => return None, + }, + } + } + } + + /// Deallocates a pile of nodes from the leaf up to the root. + /// This is the only way to deallocate the remainder of a tree after + /// `deallocating_next` and `deallocating_next_back` have been nibbling at + /// both sides of the tree, and have hit the same edge. As it is intended + /// only to be called when all keys and values have been returned, + /// no cleanup is done on any of the keys or values. + fn deallocating_end(self) { + let mut edge = self.forget_node_type(); + while let Some(parent_edge) = unsafe { edge.into_node().deallocate_and_ascend() } { + edge = parent_edge.forget_node_type(); + } + } +} + +impl Handle, marker::Edge> { + /// Moves the leaf edge handle to the next leaf edge and returns the key and value + /// in between, deallocating any node left behind while leaving the corresponding + /// edge in its parent node dangling. + /// + /// # Safety + /// - There must be another KV in the direction travelled. + /// - That KV was not previously returned by counterpart + /// `deallocating_next_back_unchecked` on any copy of the handles + /// being used to traverse the tree. + /// + /// The only safe way to proceed with the updated handle is to compare it, drop it, + /// or call this method or counterpart `deallocating_next_back_unchecked` again. + unsafe fn deallocating_next_unchecked( + &mut self, + ) -> Handle, marker::KV> { + replace(self, |leaf_edge| unsafe { leaf_edge.deallocating_next().unwrap() }) + } +} + +impl NodeRef { + /// Returns the leftmost leaf edge in or underneath a node - in other words, the edge + /// you need first when navigating forward (or last when navigating backward). + #[inline] + fn first_leaf_edge(self) -> Handle, marker::Edge> { + let node = self; + match node.force() { + ForceResult::Leaf(leaf) => return leaf.first_edge(), + } + } +} + +impl Handle, marker::KV> { + /// Returns the leaf edge closest to a KV for forward navigation. + fn next_leaf_edge(self) -> Handle, marker::Edge> { + match self.force() { + ForceResult::Leaf(leaf_kv) => leaf_kv.right_edge(), + } + } +} + +struct Foo { + root: Option, + length: usize, +} + +impl Drop for Foo { + fn drop(&mut self) { + drop(unsafe { core::ptr::read(self) }.into_iter()) + } +} + +impl IntoIterator for Foo { + type Item = (); + type IntoIter = IntoIter; + + fn into_iter(self) -> IntoIter { + let mut me = ManuallyDrop::new(self); + if let Some(root) = me.root.take() { + let full_range = root.into_dying().full_range(); + + IntoIter { range: full_range, length: me.length } + } else { + IntoIter { range: LazyLeafRange::none(), length: 0 } + } + } +} + +impl Drop for IntoIter { + fn drop(&mut self) { + while let Some(_kv) = self.dying_next() {} + } +} + +impl IntoIter { + /// Core of a `next` method returning a dying KV handle, + /// invalidated by further calls to this function and some others. + fn dying_next(&mut self) -> Option, marker::KV>> { + if self.length == 0 { + self.range.deallocating_end(); + None + } else { + self.length -= 1; + Some(unsafe { self.range.deallocating_next_unchecked() }) + } + } +} + +impl Iterator for IntoIter { + type Item = (); + + fn next(&mut self) -> Option<()> { + None + } +} + +/// An owning iterator over the entries of a `BTreeMap`. +/// +/// This `struct` is created by the [`into_iter`] method on [`BTreeMap`] +/// (provided by the [`IntoIterator`] trait). See its documentation for more. +/// +/// [`into_iter`]: IntoIterator::into_iter +struct IntoIter { + range: LazyLeafRange, + length: usize, +} + +#[cfg_attr(kani, kani::proof, kani::unwind(3))] +fn check_storagemarker_btreemap() { + let mut f = Foo { root: None, length: 0 }; + let mut root: NodeRef = NodeRef::new_leaf(); + root.borrow_mut().push(); + f.root = Some(root.forget_type()); + f.length = 1; +} diff --git a/tests/kani/Tuple/tuple_trait.rs b/tests/kani/Tuple/tuple_trait.rs new file mode 100644 index 000000000000..d775b393b0b8 --- /dev/null +++ b/tests/kani/Tuple/tuple_trait.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Tests support for functions declared with "rust-call" ABI and an empty set of arguments. +#![feature(unboxed_closures, tuple_trait)] + +extern "rust-call" fn foo(_: T) -> usize { + static mut COUNTER: usize = 0; + unsafe { + COUNTER += 1; + COUNTER + } +} + +#[kani::proof] +fn main() { + assert_eq!(foo(()), 1); + assert_eq!(foo(()), 2); +} diff --git a/tests/kani/Uninit/access-padding-enum-diverging-variants.rs b/tests/kani/Uninit/access-padding-enum-diverging-variants.rs new file mode 100644 index 000000000000..fae491c40622 --- /dev/null +++ b/tests/kani/Uninit/access-padding-enum-diverging-variants.rs @@ -0,0 +1,34 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr; +use std::ptr::addr_of; + +/// The layout of this enum is variable, so Kani cannot check memory initialization statically. +#[repr(C)] +enum E1 { + A(u16, u8), + B(u16), +} + +/// The layout of this enum is variable, but both of the arms have the same padding, so Kani should +/// support that. +#[repr(C)] +enum E2 { + A(u16), + B(u8, u8), +} + +#[kani::proof] +#[kani::should_panic] +fn access_padding_unsupported() { + let s = E1::A(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; +} + +#[kani::proof] +fn access_padding_supported() { + let s = E2::A(0); + let ptr: *const u8 = addr_of!(s) as *const u8; +} diff --git a/tests/kani/Uninit/access-padding-enum-multiple-variants.rs b/tests/kani/Uninit/access-padding-enum-multiple-variants.rs new file mode 100644 index 000000000000..dd6942252cb2 --- /dev/null +++ b/tests/kani/Uninit/access-padding-enum-multiple-variants.rs @@ -0,0 +1,49 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr; +use std::ptr::addr_of; + +/// The layout of this enum is the following (D = data, P = padding): +/// 0 1 2 3 4 5 6 7 +/// [D, D, D, D, D, D, D, P] +/// ---------- ------- +/// \_ tag (i32) \_ A|B(u16, u8) +#[repr(C)] +enum E { + A(u16, u8), + B(u16, u8), +} + +#[kani::proof] +fn access_padding_init_a() { + let s = E::A(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_0 = unsafe { *(ptr.add(0)) }; + let at_4 = unsafe { *(ptr.add(4)) }; +} + +#[kani::proof] +fn access_padding_init_b() { + let s = E::A(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_0 = unsafe { *(ptr.add(0)) }; + let at_4 = unsafe { *(ptr.add(4)) }; +} + +#[kani::proof] +#[kani::should_panic] +fn access_padding_uninit_a() { + let s = E::A(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_7 = unsafe { *(ptr.add(7)) }; +} + +#[kani::proof] +#[kani::should_panic] +fn access_padding_uninit_b() { + let s = E::A(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_7 = unsafe { *(ptr.add(7)) }; +} diff --git a/tests/kani/Uninit/access-padding-enum-single-field.rs b/tests/kani/Uninit/access-padding-enum-single-field.rs new file mode 100644 index 000000000000..63f7f6043905 --- /dev/null +++ b/tests/kani/Uninit/access-padding-enum-single-field.rs @@ -0,0 +1,34 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr; +use std::ptr::addr_of; + +/// The layout of this enum is the following (D = data, P = padding): +/// 0 1 2 3 4 5 6 7 8 9 A B C D E F +/// [D, D, D, D, P, P, P, P, D, D, D, D, D, D, D, D] +/// ---------- ---------------------- +/// \_ tag (i32) \_ A(u64) +#[repr(C)] +enum E { + A(u64), +} + +#[kani::proof] +fn access_padding_init() { + let s = E::A(0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_0 = unsafe { *(ptr.add(0)) }; + let at_3 = unsafe { *(ptr.add(3)) }; + let at_9 = unsafe { *(ptr.add(9)) }; +} + +#[kani::proof] +#[kani::should_panic] +fn access_padding_uninit() { + let s = E::A(0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_4 = unsafe { *(ptr.add(4)) }; + let at_7 = unsafe { *(ptr.add(7)) }; +} diff --git a/tests/kani/Uninit/access-padding-enum-single-variant.rs b/tests/kani/Uninit/access-padding-enum-single-variant.rs new file mode 100644 index 000000000000..bb87d36d26c8 --- /dev/null +++ b/tests/kani/Uninit/access-padding-enum-single-variant.rs @@ -0,0 +1,32 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr; +use std::ptr::addr_of; + +/// The layout of this enum is the following (D = data, P = padding): +/// 0 1 2 3 4 5 6 7 +/// [D, D, D, D, D, D, D, P] +/// ---------- ------- +/// \_ tag (i32) \_ A(u16, u8) +#[repr(C)] +enum E { + A(u16, u8), +} + +#[kani::proof] +fn access_padding_init() { + let s = E::A(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_0 = unsafe { *(ptr.add(0)) }; + let at_4 = unsafe { *(ptr.add(4)) }; +} + +#[kani::proof] +#[kani::should_panic] +fn access_padding_uninit() { + let s = E::A(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let at_7 = unsafe { *(ptr.add(7)) }; +} diff --git a/tests/kani/Uninit/access-padding-init.rs b/tests/kani/Uninit/access-padding-init.rs new file mode 100644 index 000000000000..7523622a6106 --- /dev/null +++ b/tests/kani/Uninit/access-padding-init.rs @@ -0,0 +1,15 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr::addr_of; + +#[repr(C)] +struct S(u32, u8); + +#[kani::proof] +fn access_padding_init() { + let s = S(0, 0); + let ptr: *const u8 = addr_of!(s) as *const u8; + let data = unsafe { *(ptr.add(3)) }; // Accessing data bytes is valid. +} diff --git a/tests/kani/Uninit/alloc-to-slice.rs b/tests/kani/Uninit/alloc-to-slice.rs new file mode 100644 index 000000000000..863d3b40b390 --- /dev/null +++ b/tests/kani/Uninit/alloc-to-slice.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::alloc::{alloc, Layout}; + +#[kani::proof] +fn alloc_to_slice() { + let layout = Layout::from_size_align(32, 8).unwrap(); + unsafe { + let ptr = alloc(layout); + *ptr = 0x41; + *ptr.add(1) = 0x42; + *ptr.add(2) = 0x43; + *ptr.add(3) = 0x44; + *ptr.add(16) = 0x00; + let val = *(ptr.add(2)); // Accessing previously initialized byte is valid. + } +} diff --git a/tests/kani/Uninit/alloc-zeroed-to-slice.rs b/tests/kani/Uninit/alloc-zeroed-to-slice.rs new file mode 100644 index 000000000000..d00ca4c6abff --- /dev/null +++ b/tests/kani/Uninit/alloc-zeroed-to-slice.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::alloc::{alloc_zeroed, Layout}; +use std::slice::from_raw_parts; + +#[kani::proof] +fn alloc_zeroed_to_slice() { + let layout = Layout::from_size_align(32, 8).unwrap(); + unsafe { + // This returns initialized memory, so any further accesses are valid. + let ptr = alloc_zeroed(layout); + *ptr = 0x41; + *ptr.add(1) = 0x42; + *ptr.add(2) = 0x43; + *ptr.add(3) = 0x44; + *ptr.add(16) = 0x00; + let slice1 = from_raw_parts(ptr, 16); + let slice2 = from_raw_parts(ptr.add(16), 16); + } +} diff --git a/tests/kani/Uninit/atomic.rs b/tests/kani/Uninit/atomic.rs new file mode 100644 index 000000000000..376f365d408c --- /dev/null +++ b/tests/kani/Uninit/atomic.rs @@ -0,0 +1,66 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::sync::atomic::{AtomicUsize, Ordering}; + +fn any_ordering() -> Ordering { + match kani::any() { + 0 => Ordering::Relaxed, + 1 => Ordering::Release, + 2 => Ordering::Acquire, + 3 => Ordering::AcqRel, + _ => Ordering::SeqCst, + } +} + +fn store_ordering() -> Ordering { + match kani::any() { + 0 => Ordering::Relaxed, + 1 => Ordering::Release, + _ => Ordering::SeqCst, + } +} + +fn load_ordering() -> Ordering { + match kani::any() { + 0 => Ordering::Relaxed, + 1 => Ordering::Acquire, + _ => Ordering::SeqCst, + } +} + +static GLOBAL_ATOMIC: AtomicUsize = AtomicUsize::new(0); + +// Checks if memory initialization checks work with atomics defined in the global scope. +#[kani::proof] +fn global_atomic() { + let old_value = GLOBAL_ATOMIC.fetch_add(1, any_ordering()); +} + +// Checks if memory initialization checks work with atomics. +#[kani::proof] +fn local_atomic() { + // Get a pointer to an allocated value + let ptr: *mut usize = Box::into_raw(Box::new(0)); + + // Create an atomic from the allocated value + let atomic = unsafe { AtomicUsize::from_ptr(ptr) }; + + // Use `atomic` for atomic operations + atomic.store(1, store_ordering()); + let old_val = atomic.load(load_ordering()); + let old_val = atomic.swap(2, any_ordering()); + + // Deallocate the value + unsafe { drop(Box::from_raw(ptr)) } +} + +// Checks if memory initialization checks work with compare-and-swap atomics. +#[kani::proof] +fn compare_exchange_atomic() { + // Create an atomic. + let some_var = AtomicUsize::new(5); + // Perform a `compare-and-swap` operation. + some_var.compare_exchange(5, 10, any_ordering(), load_ordering()); +} diff --git a/tests/kani/Uninit/struct-padding-and-arr-init.rs b/tests/kani/Uninit/struct-padding-and-arr-init.rs new file mode 100644 index 000000000000..c67b1177bfa3 --- /dev/null +++ b/tests/kani/Uninit/struct-padding-and-arr-init.rs @@ -0,0 +1,21 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::ptr::addr_of_mut; + +#[repr(C)] +struct S(u32, u8); + +#[kani::proof] +fn struct_padding_and_arr_init() { + unsafe { + let mut s = S(0, 0); + let sptr = addr_of_mut!(s); + let sptr2 = sptr as *mut [u8; 4]; + *sptr2 = [0; 4]; + *sptr = S(0, 0); + // Both S(u32, u8) and [u8; 4] have the same layout, so the memory is initialized. + let val = *sptr2; + } +} diff --git a/tests/kani/Uninit/vec-read-init.rs b/tests/kani/Uninit/vec-read-init.rs new file mode 100644 index 000000000000..78812c59830e --- /dev/null +++ b/tests/kani/Uninit/vec-read-init.rs @@ -0,0 +1,11 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +#[kani::proof] +fn vec_read_init() { + let mut v: Vec = Vec::with_capacity(10); + unsafe { *v.as_mut_ptr().add(5) = 0x42 }; + let def = unsafe { *v.as_ptr().add(5) }; // Accessing previously initialized byte is valid. + let x = def + 1; +} diff --git a/tests/kani/ValidValues/constants.rs b/tests/kani/ValidValues/constants.rs new file mode 100644 index 000000000000..5230e6e5e6cb --- /dev/null +++ b/tests/kani/ValidValues/constants.rs @@ -0,0 +1,40 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when it is reading from a constant. +//! Note that this UB will be removed for `-Z mir-opt-level=2` + +#[kani::proof] +fn transmute_valid_bool() { + let _b = unsafe { std::mem::transmute::(1) }; +} + +#[kani::proof] +fn cast_to_valid_char() { + let _c = unsafe { *(&100u32 as *const u32 as *const char) }; +} + +#[kani::proof] +fn cast_to_valid_offset() { + let val = [100u32, 80u32]; + let _c = unsafe { *(&val as *const [u32; 2] as *const [char; 2]) }; +} + +#[kani::proof] +#[kani::should_panic] +fn transmute_invalid_bool() { + let _b = unsafe { std::mem::transmute::(2) }; +} + +#[kani::proof] +#[kani::should_panic] +fn cast_to_invalid_char() { + let _c = unsafe { *(&u32::MAX as *const u32 as *const char) }; +} + +#[kani::proof] +#[kani::should_panic] +fn cast_to_invalid_offset() { + let val = [100u32, u32::MAX]; + let _c = unsafe { *(&val as *const [u32; 2] as *const [char; 2]) }; +} diff --git a/tests/kani/ValidValues/custom_niche.rs b/tests/kani/ValidValues/custom_niche.rs new file mode 100644 index 000000000000..b282fec3c645 --- /dev/null +++ b/tests/kani/ValidValues/custom_niche.rs @@ -0,0 +1,119 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when using niche attribute for a custom operation. +#![feature(rustc_attrs)] + +use std::mem::size_of; +use std::{mem, ptr}; + +/// A possible implementation for a system of rating that defines niche. +/// A Rating represents the number of stars of a given product (1..=5). +#[rustc_layout_scalar_valid_range_start(1)] +#[rustc_layout_scalar_valid_range_end(5)] +#[derive(Copy, Clone, Debug, PartialEq, Eq)] +pub struct Rating { + stars: u8, +} + +impl kani::Arbitrary for Rating { + fn any() -> Self { + let stars = kani::any_where(|s: &u8| *s >= 1 && *s <= 5); + unsafe { Rating { stars } } + } +} + +impl Rating { + /// Buggy version of new. Note that this still creates an invalid Rating. + /// + /// This is because `then_some` eagerly create the Rating value before assessing the condition. + /// Even though the value is never used, it is still considered UB. + pub fn new(value: u8) -> Option { + (value > 0 && value <= 5).then_some(unsafe { Rating { stars: value } }) + } + + pub unsafe fn new_unchecked(stars: u8) -> Rating { + Rating { stars } + } +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_new_with_ub() { + assert_eq!(Rating::new(10), None); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_unchecked_new_ub() { + let val = kani::any(); + assert_eq!(unsafe { Rating::new_unchecked(val).stars }, val); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_new_with_ub_limits() { + let stars = kani::any_where(|s: &u8| *s == 0 || *s > 5); + let _ = Rating::new(stars); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_dereference() { + let any: u8 = kani::any(); + let _rating: Rating = unsafe { *(&any as *const _ as *const _) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_transmute() { + let any: u8 = kani::any(); + let _rating: Rating = unsafe { mem::transmute(any) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_transmute_copy() { + let any: u8 = kani::any(); + let _rating: Rating = unsafe { mem::transmute_copy(&any) }; +} + +/// This code does not trigger UB, and verification should succeed. +/// +/// FIX-ME: This is not supported today, and we fail due to unsupported check. +#[kani::proof] +#[kani::should_panic] +pub fn check_copy_nonoverlap() { + let stars = kani::any_where(|s: &u8| *s == 0 || *s > 5); + let mut rating: Rating = kani::any(); + unsafe { ptr::copy_nonoverlapping(&stars as *const _ as *const Rating, &mut rating, 1) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_copy_nonoverlap_ub() { + let any: u8 = kani::any(); + let mut rating: Rating = kani::any(); + unsafe { ptr::copy_nonoverlapping(&any as *const _ as *const Rating, &mut rating, 1) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_increment() { + let mut orig: Rating = kani::any(); + unsafe { orig.stars += 1 }; +} + +#[kani::proof] +pub fn check_valid_increment() { + let mut orig: Rating = kani::any(); + kani::assume(orig.stars < 5); + unsafe { orig.stars += 1 }; +} + +/// Check that the compiler relies on valid value range of Rating to implement niche optimization. +#[kani::proof] +pub fn check_niche() { + assert_eq!(size_of::(), size_of::>()); + assert_eq!(size_of::(), size_of::>>()); +} diff --git a/tests/kani/ValidValues/maybe_uninit.rs b/tests/kani/ValidValues/maybe_uninit.rs new file mode 100644 index 000000000000..620ad8ef5ba3 --- /dev/null +++ b/tests/kani/ValidValues/maybe_uninit.rs @@ -0,0 +1,21 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when converting from a maybe uninit(). + +use std::mem::MaybeUninit; +use std::num::NonZeroI64; + +#[kani::proof] +pub fn check_valid_zeroed() { + let maybe = MaybeUninit::zeroed(); + let val: u128 = unsafe { maybe.assume_init() }; + assert_eq!(val, 0); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_zeroed() { + let maybe = MaybeUninit::zeroed(); + let _val: NonZeroI64 = unsafe { maybe.assume_init() }; +} diff --git a/tests/kani/ValidValues/non_null.rs b/tests/kani/ValidValues/non_null.rs new file mode 100644 index 000000000000..4874b61bf2d0 --- /dev/null +++ b/tests/kani/ValidValues/non_null.rs @@ -0,0 +1,26 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when unsafely writing to NonNull. + +use std::num::NonZeroU8; +use std::ptr::{self, NonNull}; + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_value() { + let _ = unsafe { NonNull::new_unchecked(ptr::null_mut::()) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_value_cfg() { + let nn = unsafe { NonNull::new_unchecked(ptr::null_mut::()) }; + // This should be unreachable. TODO: Make this expected test. + assert_ne!(unsafe { nn.as_ref() }, &10); +} + +#[kani::proof] +pub fn check_valid_dangling() { + let _ = unsafe { NonNull::new_unchecked(4 as *mut u32) }; +} diff --git a/tests/kani/ValidValues/write_bytes.rs b/tests/kani/ValidValues/write_bytes.rs new file mode 100644 index 000000000000..e4f73b1f3479 --- /dev/null +++ b/tests/kani/ValidValues/write_bytes.rs @@ -0,0 +1,21 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when using write_bytes for initializing a variable. +#![feature(core_intrinsics)] + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_write() { + let mut val = 'a'; + let ptr = &mut val as *mut char; + // Should fail given that we wrote invalid value to array of char. + unsafe { std::intrinsics::write_bytes(ptr, kani::any(), 1) }; +} + +#[kani::proof] +pub fn check_valid_write() { + let mut val = 10u128; + let ptr = &mut val as *mut _; + unsafe { std::intrinsics::write_bytes(ptr, kani::any(), 1) }; +} diff --git a/tests/kani/ValidValues/write_invalid.rs b/tests/kani/ValidValues/write_invalid.rs new file mode 100644 index 000000000000..05d3705bd69a --- /dev/null +++ b/tests/kani/ValidValues/write_invalid.rs @@ -0,0 +1,37 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks + +//! Check that Kani can identify UB after writing an invalid value. +//! Writing invalid bytes is not UB as long as the incorrect value is not read. +//! However, we over-approximate for sake of simplicity and performance. + +use std::num::NonZeroU8; + +#[kani::proof] +#[kani::should_panic] +pub fn write_invalid_bytes_no_ub_with_spurious_cex() { + let mut non_zero: NonZeroU8 = kani::any(); + let dest = &mut non_zero as *mut _; + unsafe { std::intrinsics::write_bytes(dest, 0, 1) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn write_valid_before_read() { + let mut non_zero: NonZeroU8 = kani::any(); + let mut non_zero_2: NonZeroU8 = kani::any(); + let dest = &mut non_zero as *mut _; + unsafe { std::intrinsics::write_bytes(dest, 0, 1) }; + unsafe { std::intrinsics::write_bytes(dest, non_zero_2.get(), 1) }; + assert_eq!(non_zero, non_zero_2) +} + +#[kani::proof] +#[kani::should_panic] +pub fn read_invalid_is_ub() { + let mut non_zero: NonZeroU8 = kani::any(); + let dest = &mut non_zero as *mut _; + unsafe { std::intrinsics::write_bytes(dest, 0, 1) }; + assert_eq!(non_zero.get(), 0) +} diff --git a/tests/perf/hashset/expected b/tests/perf/hashset/expected index 8ba783d580f9..1fbcbbd13c25 100644 --- a/tests/perf/hashset/expected +++ b/tests/perf/hashset/expected @@ -1 +1 @@ -4 successfully verified harnesses, 0 failures, 4 total +3 successfully verified harnesses, 0 failures, 3 total diff --git a/tests/perf/hashset/src/lib.rs b/tests/perf/hashset/src/lib.rs index fb29db5c7ed6..e2f1fc16666a 100644 --- a/tests/perf/hashset/src/lib.rs +++ b/tests/perf/hashset/src/lib.rs @@ -1,11 +1,12 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// kani-flags: --enable-stubbing --enable-unstable +// kani-flags: -Z stubbing //! Try to verify HashSet basic behavior. use std::collections::{hash_map::RandomState, HashSet}; use std::mem::{size_of, size_of_val, transmute}; +#[allow(dead_code)] fn concrete_state() -> RandomState { let keys: [u64; 2] = [0, 0]; assert_eq!(size_of_val(&keys), size_of::()); @@ -14,7 +15,7 @@ fn concrete_state() -> RandomState { #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] +#[kani::unwind(5)] #[kani::solver(kissat)] fn check_insert() { let mut set: HashSet = HashSet::default(); @@ -26,41 +27,29 @@ fn check_insert() { #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] +#[kani::unwind(5)] #[kani::solver(kissat)] fn check_contains() { let first = kani::any(); - let mut set: HashSet = HashSet::from([first]); + let set: HashSet = HashSet::from([first]); assert!(set.contains(&first)); } #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] +#[kani::unwind(5)] +#[kani::solver(kissat)] fn check_contains_str() { - let mut set = HashSet::from(["s"]); + let set = HashSet::from(["s"]); assert!(set.contains(&"s")); } -#[kani::proof] -#[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] -#[kani::solver(kissat)] -fn check_insert_two_concrete() { - let mut set: HashSet = HashSet::default(); - let first = 10; - let second = 20; - set.insert(first); - set.insert(second); - assert_eq!(set.len(), 2); -} - // too slow so don't run in the regression for now #[cfg(slow)] mod slow { #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] - #[kani::unwind(3)] + #[kani::unwind(5)] fn check_insert_two_elements() { let mut set: HashSet = HashSet::default(); let first = kani::any(); @@ -71,4 +60,17 @@ mod slow { if first == second { assert_eq!(set.len(), 1) } else { assert_eq!(set.len(), 2) } } + + #[kani::proof] + #[kani::stub(RandomState::new, concrete_state)] + #[kani::unwind(5)] + #[kani::solver(kissat)] + fn check_insert_two_concrete() { + let mut set: HashSet = HashSet::default(); + let first = 10; + let second = 20; + set.insert(first); + set.insert(second); + assert_eq!(set.len(), 2); + } } diff --git a/tests/perf/overlays/s2n-quic/common/s2n-codec/expected b/tests/perf/overlays/s2n-quic/common/s2n-codec/expected new file mode 100644 index 000000000000..610b05dc4e67 --- /dev/null +++ b/tests/perf/overlays/s2n-quic/common/s2n-codec/expected @@ -0,0 +1 @@ +successfully verified harnesses, 0 failures diff --git a/tests/perf/s2n-quic b/tests/perf/s2n-quic index f1df2d64083e..2d5e891f3fdc 160000 --- a/tests/perf/s2n-quic +++ b/tests/perf/s2n-quic @@ -1 +1 @@ -Subproject commit f1df2d64083e4d1b0f56dc0a298066fdef062bcb +Subproject commit 2d5e891f3fdc8a88b2d457baceedea5751efaa0d diff --git a/tests/script-based-pre/build-rs-conditional/Cargo.toml b/tests/script-based-pre/build-rs-conditional/Cargo.toml index 136bae92250e..8f9a7794f325 100644 --- a/tests/script-based-pre/build-rs-conditional/Cargo.toml +++ b/tests/script-based-pre/build-rs-conditional/Cargo.toml @@ -7,3 +7,5 @@ edition = "2021" [dependencies] +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)', 'cfg(kani_host)'] } diff --git a/tests/script-based-pre/build-rs-conditional/build.rs b/tests/script-based-pre/build-rs-conditional/build.rs index 0b083ff95f02..4b13475ec510 100644 --- a/tests/script-based-pre/build-rs-conditional/build.rs +++ b/tests/script-based-pre/build-rs-conditional/build.rs @@ -3,7 +3,7 @@ //! Verify that build scripts can check if they are running under `kani`. fn main() { - if cfg!(kani) { + if cfg!(kani_host) { println!("cargo:rustc-env=RUNNING_KANI=Yes"); } else { println!("cargo:rustc-env=RUNNING_KANI=No"); diff --git a/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml b/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml index c00d0ccc4bdb..99dfd67443f5 100644 --- a/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml +++ b/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml @@ -4,3 +4,6 @@ name = "sample_crate" version = "0.1.0" edition = "2021" + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/cargo_playback_opts/playback_opts.expected b/tests/script-based-pre/cargo_playback_opts/playback_opts.expected index 68b7daa3ee03..b68f0b355029 100644 --- a/tests/script-based-pre/cargo_playback_opts/playback_opts.expected +++ b/tests/script-based-pre/cargo_playback_opts/playback_opts.expected @@ -1,6 +1,6 @@ [TEST] Only codegen test... Executable unittests src/lib.rs [TEST] Only codegen test... - Finished test + Finished `test` [TEST] Executable debug/deps/sample_crate- diff --git a/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml b/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml index c00d0ccc4bdb..99dfd67443f5 100644 --- a/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml +++ b/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml @@ -4,3 +4,6 @@ name = "sample_crate" version = "0.1.0" edition = "2021" + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml b/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml index 30949391c0c7..5ece6c5e0f60 100644 --- a/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml +++ b/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml @@ -15,3 +15,5 @@ doctest = false name = "bar" doctest = false +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/check-output/check-output.sh b/tests/script-based-pre/check-output/check-output.sh index 8e872079003a..5567f1a981a3 100755 --- a/tests/script-based-pre/check-output/check-output.sh +++ b/tests/script-based-pre/check-output/check-output.sh @@ -34,15 +34,15 @@ rm -rf *.c kani --gen-c --enable-unstable singlefile.rs >& kani.log || \ { ret=$?; echo "== Failed to run Kani"; cat kani.log; rm kani.log; exit 1; } rm -f kani.log -if ! [ -e singlefile_main.c ] +if ! [ -e singlefile_*main.c ] then - echo "Error: no GotoC file generated. Expected: singlefile_main.c" + echo "Error: no GotoC file generated. Expected: singlefile_*main.c" exit 1 fi -if ! [ -e singlefile_main.demangled.c ] +if ! [ -e singlefile_*main.demangled.c ] then - echo "Error: no demangled GotoC file generated. Expected singlefile_main.demangled.c." + echo "Error: no demangled GotoC file generated. Expected singlefile_*main.demangled.c." exit 1 fi @@ -57,9 +57,9 @@ declare -a PATTERNS=( ) for val in "${PATTERNS[@]}"; do - if ! grep -Fq "$val" singlefile_main.demangled.c; + if ! grep -Fq "$val" singlefile_*main.demangled.c; then - echo "Error: demangled file singlefile_main.demangled.c did not contain expected pattern '$val'." + echo "Error: demangled file singlefile_*main.demangled.c did not contain expected pattern '$val'." exit 1 fi done @@ -75,17 +75,17 @@ cargo kani --target-dir build --gen-c --enable-unstable >& kani.log || \ rm -f kani.log cd build/kani/${TARGET}/debug/deps/ -mangled=$(ls multifile*_main.c) +mangled=$(ls multifile*main.c) if ! [ -e "${mangled}" ] then - echo "Error: no GotoC file found. Expected: build/kani/${TARGET}/debug/deps/multifile*_main.c" + echo "Error: no GotoC file found. Expected: build/kani/${TARGET}/debug/deps/multifile*main.c" exit 1 fi -demangled=$(ls multifile*_main.demangled.c) +demangled=$(ls multifile*main.demangled.c) if ! [ -e "${demangled}" ] then - echo "Error: no demangled GotoC file found. Expected build/kani/${TARGET}/debug/deps/multifile*_main.demangled.c." + echo "Error: no demangled GotoC file found. Expected build/kani/${TARGET}/debug/deps/multifile*main.demangled.c." exit 1 fi diff --git a/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml b/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml index 4a7016cb51ed..39cfab289878 100644 --- a/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml +++ b/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml @@ -10,3 +10,6 @@ concrete-playback = "inplace" [package.metadata.kani.unstable] concrete-playback = true + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/crate-name/a/src/lib.rs b/tests/script-based-pre/crate-name/a/src/lib.rs new file mode 100644 index 000000000000..bff1d17f864a --- /dev/null +++ b/tests/script-based-pre/crate-name/a/src/lib.rs @@ -0,0 +1,6 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +pub fn add_a(left: usize, right: usize) -> usize { + left + right +} diff --git a/tests/script-based-pre/crate-name/b/src/lib.rs b/tests/script-based-pre/crate-name/b/src/lib.rs new file mode 100644 index 000000000000..5a1a11687fcf --- /dev/null +++ b/tests/script-based-pre/crate-name/b/src/lib.rs @@ -0,0 +1,7 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +extern crate a; + +pub fn add_b(left: usize, right: usize) -> usize { + a::add_a(left, right) +} diff --git a/tests/script-based-pre/crate-name/c/src/lib.rs b/tests/script-based-pre/crate-name/c/src/lib.rs new file mode 100644 index 000000000000..b4dadd69e1be --- /dev/null +++ b/tests/script-based-pre/crate-name/c/src/lib.rs @@ -0,0 +1,8 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +extern crate a; +extern crate b; + +pub fn add_c(left: usize, right: usize) -> usize { + b::add_b(left, right) +} diff --git a/tests/script-based-pre/crate-name/config.yml b/tests/script-based-pre/crate-name/config.yml new file mode 100644 index 000000000000..f022a9c03732 --- /dev/null +++ b/tests/script-based-pre/crate-name/config.yml @@ -0,0 +1,4 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +script: crate-name.sh +expected: crate-name.expected diff --git a/tests/script-based-pre/crate-name/crate-name.expected b/tests/script-based-pre/crate-name/crate-name.expected new file mode 100644 index 000000000000..1a4e02d1ff62 --- /dev/null +++ b/tests/script-based-pre/crate-name/crate-name.expected @@ -0,0 +1 @@ +No proof harnesses (functions with #[kani::proof]) were found to verify. diff --git a/tests/script-based-pre/crate-name/crate-name.sh b/tests/script-based-pre/crate-name/crate-name.sh new file mode 100755 index 000000000000..229cc36938f9 --- /dev/null +++ b/tests/script-based-pre/crate-name/crate-name.sh @@ -0,0 +1,54 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +# This test performs multiple checks focused on crate names. The first steps +# check expected results with the default naming scheme. The remaining ones +# check expected results with the `--crate-name=` feature which allows +# users to specify the crate name used for compilation with standalone `kani`. +set -eu + +check_file_exists() { + local file=$1 + if ! [ -e "${file}" ] + then + echo "error: expected \`${file}\` to have been generated" + exit 1 + fi +} + +# 1. Check expected results with the default naming scheme. +# Note: The assumed crate name is `lib`, so we generate `liblib.rlib`. +kani --only-codegen --keep-temps a/src/lib.rs +check_file_exists a/src/liblib.rlib +check_file_exists a/src/lib.kani-metadata.json +rm a/src/liblib.rlib +rm a/src/lib.kani-metadata.json + +# 2. Check expected results with the default naming scheme, which replaces +# some characters. +# Note: The assumed crate name is `my-code`, so we generate `libmy_code.rlib`. +kani --only-codegen --keep-temps my-code.rs +check_file_exists libmy_code.rlib +check_file_exists my_code.kani-metadata.json + +# 3. Check expected results with the `--crate-name=` feature. This feature +# allows users to specify the crate name used for compilation with standalone +# `kani`, enabling the compilation of multiple dependencies with similar +# names. +# Note: In the example below, compiling without `--crate-name=` would +# result in files named `liblib.rlib` for each dependency. +kani --only-codegen --keep-temps a/src/lib.rs --crate-name="a" +check_file_exists a/src/liba.rlib +check_file_exists a/src/a.kani-metadata.json + +RUSTFLAGS="--extern a=a/src/liba.rlib" kani --only-codegen --keep-temps b/src/lib.rs --crate-name="b" +check_file_exists b/src/libb.rlib +check_file_exists b/src/b.kani-metadata.json + +RUSTFLAGS="--extern b=b/src/libb.rlib --extern a=a/src/liba.rlib" kani c/src/lib.rs + +rm a/src/liba.rlib +rm a/src/a.kani-metadata.json +rm b/src/libb.rlib +rm b/src/b.kani-metadata.json diff --git a/tests/script-based-pre/crate-name/my-code.rs b/tests/script-based-pre/crate-name/my-code.rs new file mode 100644 index 000000000000..bff1d17f864a --- /dev/null +++ b/tests/script-based-pre/crate-name/my-code.rs @@ -0,0 +1,6 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +pub fn add_a(left: usize, right: usize) -> usize { + left + right +} diff --git a/tests/script-based-pre/mem-init-reinstrumentation/alloc-zeroed.rs b/tests/script-based-pre/mem-init-reinstrumentation/alloc-zeroed.rs new file mode 100644 index 000000000000..891a97fd8c22 --- /dev/null +++ b/tests/script-based-pre/mem-init-reinstrumentation/alloc-zeroed.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z uninit-checks + +use std::alloc::{alloc_zeroed, Layout}; +use std::slice::from_raw_parts; + +#[kani::proof] +fn alloc_zeroed_to_slice() { + let layout = Layout::from_size_align(32, 8).unwrap(); + unsafe { + // This returns initialized memory, so any further accesses are valid. + let ptr = alloc_zeroed(layout); + *ptr = 0x41; + *ptr.add(1) = 0x42; + *ptr.add(2) = 0x43; + *ptr.add(3) = 0x44; + *ptr.add(16) = 0x00; + let _slice1 = from_raw_parts(ptr, 16); + let _slice2 = from_raw_parts(ptr.add(16), 16); + } +} diff --git a/tests/script-based-pre/mem-init-reinstrumentation/config.yml b/tests/script-based-pre/mem-init-reinstrumentation/config.yml new file mode 100644 index 000000000000..ef61a9171954 --- /dev/null +++ b/tests/script-based-pre/mem-init-reinstrumentation/config.yml @@ -0,0 +1,4 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +script: mem-init-reinstrumentation.sh +expected: mem-init-reinstrumentation.expected diff --git a/tests/script-based-pre/mem-init-reinstrumentation/mem-init-reinstrumentation.expected b/tests/script-based-pre/mem-init-reinstrumentation/mem-init-reinstrumentation.expected new file mode 100644 index 000000000000..59b64322ad50 --- /dev/null +++ b/tests/script-based-pre/mem-init-reinstrumentation/mem-init-reinstrumentation.expected @@ -0,0 +1 @@ +success: no pointer checks are detected in initialized memory instrumentaiton diff --git a/tests/script-based-pre/mem-init-reinstrumentation/mem-init-reinstrumentation.sh b/tests/script-based-pre/mem-init-reinstrumentation/mem-init-reinstrumentation.sh new file mode 100755 index 000000000000..f859864d1c9a --- /dev/null +++ b/tests/script-based-pre/mem-init-reinstrumentation/mem-init-reinstrumentation.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +set -u + +KANI_OUTPUT=`kani -Z uninit-checks alloc-zeroed.rs` +echo "$KANI_OUTPUT" | egrep -q "kani::mem_init::.*pointer_dereference" +INSTRUMENTATION_DETECTED=$? + +if [[ $INSTRUMENTATION_DETECTED == 0 ]]; then + echo "failed: pointer checks are detected in initialized memory instrumentaiton" + exit 1 +elif [[ $INSTRUMENTATION_DETECTED == 1 ]]; then + echo "success: no pointer checks are detected in initialized memory instrumentaiton" + exit 0 +else + echo "failed: error occured when runnning egrep" + exit 0 +fi diff --git a/tests/script-based-pre/playback_expected/config.yml b/tests/script-based-pre/playback_expected/config.yml new file mode 100644 index 000000000000..d15b5d277ed6 --- /dev/null +++ b/tests/script-based-pre/playback_expected/config.yml @@ -0,0 +1,4 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +script: playback.sh +expected: expected diff --git a/tests/script-based-pre/playback_expected/expected b/tests/script-based-pre/playback_expected/expected new file mode 100644 index 000000000000..bedb39581b7f --- /dev/null +++ b/tests/script-based-pre/playback_expected/expected @@ -0,0 +1,8 @@ +[TEST] Generate test for playback_contract.rs... +Verification failed for - check_modify_slice +Result for playback_contract.rs: test result: FAILED. 1 passed; 1 failed + +[TEST] Generate test for playback_stubs.rs... +Verification failed for - check_lt_0 +Verification failed for - check_bad_stub +Result for playback_stubs.rs: test result: FAILED. 1 passed; 1 failed diff --git a/tests/script-based-pre/playback_expected/playback.sh b/tests/script-based-pre/playback_expected/playback.sh new file mode 100755 index 000000000000..3b358db257a2 --- /dev/null +++ b/tests/script-based-pre/playback_expected/playback.sh @@ -0,0 +1,42 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +# This will run Kani verification in every `src/*.rs` file followed by playback command. +# Expected output is generated from individual expected files. +set -o nounset + +run() { + local input_rs=${1:?"Missing input file"} + + echo "[TEST] Generate test for ${input_rs}..." + kani "${input_rs}" \ + -Z concrete-playback --concrete-playback=inplace \ + -Z function-contracts -Z stubbing --output-format terse + + # Note that today one of the tests will succeed since the contract pre-conditions are not inserted by Kani. + # Hopefully this will change with https://github.com/model-checking/kani/issues/3326 + echo "[TEST] Run test for ${input_rs}..." + summary=$(kani playback -Z concrete-playback "${input_rs}" -- kani_concrete_playback | grep "test result") + echo "Result for ${input_rs}: ${summary}" +} + +ROOT_DIR=$(git rev-parse --show-toplevel) +MODIFIED_DIR=modified +rm -rf "${MODIFIED_DIR}" +mkdir "${MODIFIED_DIR}" + +for rs in src/*.rs; do + if [[ -e "${rs}" ]]; then + echo "Running ${rs}" + cp "${rs}" "${MODIFIED_DIR}" + pushd "${MODIFIED_DIR}" > /dev/null + run "$(basename "${rs}")" + popd > /dev/null + else + echo "No .rs files found in src directory" + exit 1 + fi +done + + # Cleanup +rm -rf "${MODIFIED_DIR}" \ No newline at end of file diff --git a/tests/script-based-pre/playback_expected/src/playback_contract.rs b/tests/script-based-pre/playback_expected/src/playback_contract.rs new file mode 100644 index 000000000000..8271e9a3d03f --- /dev/null +++ b/tests/script-based-pre/playback_expected/src/playback_contract.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Check that Kani correctly adds tests to when the harness is a proof for contract. +extern crate kani; + +#[kani::requires(idx < slice.len())] +#[kani::modifies(slice)] +#[kani::ensures(| _ | slice[idx] == new_val)] +fn modify_slice(slice: &mut [u32], idx: usize, new_val: u32) { + // Inject bug by incrementing index first. + let new_idx = idx + 1; + *slice.get_mut(new_idx).expect("Expected valid index, but contract is wrong") = new_val; +} + +#[kani::proof_for_contract(modify_slice)] +fn check_modify_slice() { + let mut data: [u32; 4] = kani::any(); + modify_slice(&mut data, kani::any(), kani::any()) +} diff --git a/tests/script-based-pre/playback_expected/src/playback_stubs.rs b/tests/script-based-pre/playback_expected/src/playback_stubs.rs new file mode 100644 index 000000000000..ce5107949f04 --- /dev/null +++ b/tests/script-based-pre/playback_expected/src/playback_stubs.rs @@ -0,0 +1,34 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Check that Kani playback works with stubs. +#![allow(dead_code)] + +fn is_zero(val: u8) -> bool { + val == 0 +} + +fn not_zero(val: u8) -> bool { + val != 0 +} + +/// Add a harness that will fail due to incorrect stub but the test will succeed. +#[kani::proof] +#[kani::stub(is_zero, not_zero)] +fn check_bad_stub() { + assert!(is_zero(kani::any())) +} + +fn lt_zero(val: i8) -> bool { + val < 0 +} + +fn lt_ten(val: i8) -> bool { + val < 10 +} + +/// Add a harness that will fail in an equivalent way. +#[kani::proof] +#[kani::stub(lt_zero, lt_ten)] +fn check_lt_0() { + assert!(lt_zero(kani::any())) +} diff --git a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.expected b/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.expected deleted file mode 100644 index 9c6b0f53778f..000000000000 --- a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.expected +++ /dev/null @@ -1,3 +0,0 @@ -Complete - 6 successfully verified harnesses, 0 failures, 6 total. - -Rust compiler sessions: 4 diff --git a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.sh b/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.sh deleted file mode 100755 index 9e4afff0b09c..000000000000 --- a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT -# -# Checks that the Kani compiler can encode harnesses with the same set of stubs -# in one rustc session. - -set +e - -log_file=output.log - -kani stubbing.rs --enable-unstable --enable-stubbing --verbose >& ${log_file} - -echo "------- Raw output ---------" -cat $log_file -echo "----------------------------" - -# We print the reachability analysis results once for each session. -# This is the only reliable way to get the number of sessions from the compiler. -# The other option would be to use debug comments. -# Ideally, the compiler should only print one set of statistics at the end of its run. -# In that case, we should include number of sessions to those stats. -runs=$(grep -c "Reachability Analysis Result" ${log_file}) -echo "Rust compiler sessions: ${runs}" - -# Cleanup -rm ${log_file} diff --git a/tests/script-based-pre/stubbing_compiler_sessions/config.yml b/tests/script-based-pre/stubbing_compiler_sessions/config.yml deleted file mode 100644 index b1e83ed011c7..000000000000 --- a/tests/script-based-pre/stubbing_compiler_sessions/config.yml +++ /dev/null @@ -1,4 +0,0 @@ -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT -script: check_compiler_sessions.sh -expected: check_compiler_sessions.expected diff --git a/tests/script-based-pre/tool-scanner/config.yml b/tests/script-based-pre/tool-scanner/config.yml new file mode 100644 index 000000000000..6fd2895971a4 --- /dev/null +++ b/tests/script-based-pre/tool-scanner/config.yml @@ -0,0 +1,4 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +script: scanner-test.sh +expected: scanner-test.expected diff --git a/tests/script-based-pre/tool-scanner/scanner-test.expected b/tests/script-based-pre/tool-scanner/scanner-test.expected new file mode 100644 index 000000000000..c8f9af0ef1b7 --- /dev/null +++ b/tests/script-based-pre/tool-scanner/scanner-test.expected @@ -0,0 +1,6 @@ +2 test_scan_fn_loops.csv +16 test_scan_functions.csv +5 test_scan_input_tys.csv +14 test_scan_overall.csv +3 test_scan_recursion.csv +5 test_scan_unsafe_ops.csv diff --git a/tests/script-based-pre/tool-scanner/scanner-test.sh b/tests/script-based-pre/tool-scanner/scanner-test.sh new file mode 100755 index 000000000000..2cd5a33a3f8e --- /dev/null +++ b/tests/script-based-pre/tool-scanner/scanner-test.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +set -e + +# Run this inside a tmp folder in the current directory +OUT_DIR=output_dir +# Ensure output folder is clean +rm -rf ${OUT_DIR} +mkdir output_dir +# Move the original source to the output folder since it will be modified +cp test.rs ${OUT_DIR} +pushd $OUT_DIR + +cargo run -p scanner test.rs --crate-type lib +wc -l *csv + +popd +rm -rf ${OUT_DIR} diff --git a/tests/script-based-pre/tool-scanner/test.rs b/tests/script-based-pre/tool-scanner/test.rs new file mode 100644 index 000000000000..24b346e535b5 --- /dev/null +++ b/tests/script-based-pre/tool-scanner/test.rs @@ -0,0 +1,77 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Sanity check for the utility tool `scanner`. + +pub fn check_outer_coercion() { + assert!(false); +} + +unsafe fn do_nothing() {} + +pub fn generic() -> T { + unsafe { do_nothing() }; + T::default() +} + +pub struct RecursiveType { + pub inner: Option<*const RecursiveType>, +} + +pub enum RecursiveEnum { + Base, + Recursion(Box), + RefCell(std::cell::RefCell), +} + +pub fn recursive_type(input1: RecursiveType, input2: RecursiveEnum) { + let _ = (input1, input2); +} + +pub fn with_iterator(input: &[usize]) -> usize { + input + .iter() + .copied() + .find(|e| *e == 0) + .unwrap_or_else(|| input.iter().fold(0, |acc, i| acc + 1)) +} + +static mut COUNTER: Option = Some(0); +static OK: bool = true; + +pub unsafe fn next_id() -> usize { + let sum = COUNTER.unwrap() + 1; + COUNTER = Some(sum); + sum +} + +pub unsafe fn current_id() -> usize { + COUNTER.unwrap() +} + +pub fn ok() -> bool { + OK +} + +pub unsafe fn raw_to_ref<'a, T>(raw: *const T) -> &'a T { + &*raw +} + +pub fn recursion_begin(stop: bool) { + if !stop { + recursion_tail() + } +} + +pub fn recursion_tail() { + recursion_begin(false); + not_recursive(); +} + +pub fn start_recursion() { + recursion_begin(true); +} + +pub fn not_recursive() { + let _ = ok(); +} diff --git a/tests/script-based-pre/verify_std_cmd/config.yml b/tests/script-based-pre/verify_std_cmd/config.yml new file mode 100644 index 000000000000..f6e398303b79 --- /dev/null +++ b/tests/script-based-pre/verify_std_cmd/config.yml @@ -0,0 +1,4 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +script: verify_std.sh +expected: verify_std.expected diff --git a/tests/script-based-pre/verify_std_cmd/verify_core.rs b/tests/script-based-pre/verify_std_cmd/verify_core.rs new file mode 100644 index 000000000000..28cf113a9210 --- /dev/null +++ b/tests/script-based-pre/verify_std_cmd/verify_core.rs @@ -0,0 +1,75 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +/// Dummy code that gets injected into `core` for basic tests for `verify-std` subcommand. +#[cfg(kani)] +kani_core::kani_lib!(core); + +#[cfg(kani)] +#[unstable(feature = "kani", issue = "none")] +pub mod verify { + use crate::kani; + use core::num::NonZeroU8; + + #[kani::proof] + pub fn harness() { + kani::assert(true, "yay"); + } + + #[kani::proof_for_contract(fake_function)] + fn dummy_proof() { + fake_function(true); + } + + /// Add a `rustc_diagnostic_item` to ensure this works. + /// See for more details. + #[kani::requires(x == true)] + #[rustc_diagnostic_item = "fake_function"] + fn fake_function(x: bool) -> bool { + x + } + + #[kani::proof_for_contract(dummy_read)] + fn check_dummy_read() { + let val: char = kani::any(); + assert_eq!(unsafe { dummy_read(&val) }, val); + } + + /// Ensure we can verify constant functions. + #[kani::requires(kani::mem::can_dereference(ptr))] + #[rustc_diagnostic_item = "dummy_read"] + const unsafe fn dummy_read(ptr: *const T) -> T { + *ptr + } + + #[kani::proof_for_contract(swap_tuple)] + fn check_swap_tuple() { + let initial: (char, NonZeroU8) = kani::any(); + let _swapped = swap_tuple(initial); + } + + #[kani::ensures(| result | result.0 == second && result.1 == first)] + fn swap_tuple((first, second): (char, NonZeroU8)) -> (NonZeroU8, char) { + (second, first) + } + + #[kani::proof_for_contract(add_one)] + fn check_add_one() { + let mut initial: [u32; 4] = kani::any(); + unsafe { add_one(&mut initial) }; + } + + /// Function with a more elaborated contract that uses `old` and `modifies`. + #[kani::modifies(inout)] + #[kani::requires(kani::mem::can_dereference(inout) + && unsafe { inout.as_ref_unchecked().iter().all(| i | * i < u32::MAX) })] + #[kani::requires(kani::mem::can_write(inout))] + #[kani::ensures(| result | { + let (orig, i) = old({ + let i = kani::any_where(| i: & usize | * i < unsafe { inout.len() }); + (unsafe { inout.as_ref_unchecked()[i] }, i)}); + unsafe { inout.as_ref_unchecked()[i] > orig } + })] + unsafe fn add_one(inout: *mut [u32]) { + inout.as_mut_unchecked().iter_mut().for_each(|e| *e += 1) + } +} diff --git a/tests/script-based-pre/verify_std_cmd/verify_std.expected b/tests/script-based-pre/verify_std_cmd/verify_std.expected new file mode 100644 index 000000000000..22e8fb2e6375 --- /dev/null +++ b/tests/script-based-pre/verify_std_cmd/verify_std.expected @@ -0,0 +1,21 @@ +[TEST] Run kani verify-std + +Checking harness verify::dummy_proof... +VERIFICATION:- SUCCESSFUL + +Checking harness verify::harness... +VERIFICATION:- SUCCESSFUL + +Checking harness verify::check_dummy_read... +VERIFICATION:- SUCCESSFUL + +Checking harness verify::check_add_one... +VERIFICATION:- SUCCESSFUL + +Checking harness verify::check_swap_tuple... +VERIFICATION:- SUCCESSFUL + +Checking harness num::verify::check_non_zero... +VERIFICATION:- SUCCESSFUL + +Complete - 6 successfully verified harnesses, 0 failures, 6 total. diff --git a/tests/script-based-pre/verify_std_cmd/verify_std.sh b/tests/script-based-pre/verify_std_cmd/verify_std.sh new file mode 100755 index 000000000000..3a24bf15241e --- /dev/null +++ b/tests/script-based-pre/verify_std_cmd/verify_std.sh @@ -0,0 +1,57 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +# Test `kani verify-std` subcommand. +# 1. Make a copy of the rust standard library. +# 2. Add a few Kani definitions to it + a few harnesses +# 3. Execute Kani + +set +e + +TMP_DIR="tmp_dir" + +rm -rf ${TMP_DIR} +mkdir ${TMP_DIR} + +# Create a custom standard library. +echo "[TEST] Copy standard library from the current toolchain" +SYSROOT=$(rustc --print sysroot) +STD_PATH="${SYSROOT}/lib/rustlib/src/rust/library" +cp -r "${STD_PATH}" "${TMP_DIR}" + +# Insert a small harness in one of the standard library modules. +CORE_CODE=$(cat verify_core.rs) + +STD_CODE=' +#[cfg(kani)] +mod verify { + use core::kani; + #[kani::proof] + fn check_non_zero() { + let orig: u32 = kani::any(); + if let Some(val) = core::num::NonZeroU32::new(orig) { + assert!(orig == val.into()); + } else { + assert!(orig == 0); + }; + } +} +' + +echo "[TEST] Modify library" +echo "${CORE_CODE}" >> ${TMP_DIR}/library/core/src/lib.rs +echo "${STD_CODE}" >> ${TMP_DIR}/library/std/src/num.rs + +# Note: Prepending with sed doesn't work on MacOs the same way it does in linux. +# sed -i '1s/^/#![cfg_attr(kani, feature(kani))]\n/' ${TMP_DIR}/library/std/src/lib.rs +cp ${TMP_DIR}/library/std/src/lib.rs ${TMP_DIR}/std_lib.rs +echo '#![cfg_attr(kani, feature(kani))]' > ${TMP_DIR}/library/std/src/lib.rs +cat ${TMP_DIR}/std_lib.rs >> ${TMP_DIR}/library/std/src/lib.rs + +echo "[TEST] Run kani verify-std" +export RUST_BACKTRACE=1 +kani verify-std -Z unstable-options "${TMP_DIR}/library" --target-dir "${TMP_DIR}/target" -Z function-contracts -Z stubbing + +# Cleanup +rm -r ${TMP_DIR} diff --git a/tests/kani/Strings/copy_empty_string_by_intrinsic.rs b/tests/slow/kani/Strings/copy_empty_string_by_intrinsic.rs similarity index 100% rename from tests/kani/Strings/copy_empty_string_by_intrinsic.rs rename to tests/slow/kani/Strings/copy_empty_string_by_intrinsic.rs diff --git a/tests/kani/Vectors/any/push_slow.rs b/tests/slow/kani/Vectors/any/push_slow.rs similarity index 100% rename from tests/kani/Vectors/any/push_slow.rs rename to tests/slow/kani/Vectors/any/push_slow.rs diff --git a/tests/std-checks/core/Cargo.toml b/tests/std-checks/core/Cargo.toml new file mode 100644 index 000000000000..f6e1645c3a39 --- /dev/null +++ b/tests/std-checks/core/Cargo.toml @@ -0,0 +1,13 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "verify-core" +version = "0.1.0" +edition = "2021" +description = "This crate contains contracts and harnesses for core library" + +[package.metadata.kani] +unstable = { function-contracts = true, mem-predicates = true, ptr-to-ref-cast-checks = true } + +[package.metadata.kani.flags] +output-format = "terse" diff --git a/tests/std-checks/core/mem.expected b/tests/std-checks/core/mem.expected new file mode 100644 index 000000000000..1484c83901fc --- /dev/null +++ b/tests/std-checks/core/mem.expected @@ -0,0 +1,7 @@ +Checking harness mem::verify::check_swap_unit... + +Failed Checks: ptr NULL or writable up to size + +Summary: +Verification failed for - mem::verify::check_swap_unit +Complete - 6 successfully verified harnesses, 1 failures, 7 total. diff --git a/tests/std-checks/core/ptr.expected b/tests/std-checks/core/ptr.expected new file mode 100644 index 000000000000..43d3bd6baf60 --- /dev/null +++ b/tests/std-checks/core/ptr.expected @@ -0,0 +1,4 @@ +Summary: +Verification failed for - ptr::verify::check_replace_unit +Verification failed for - ptr::verify::check_as_ref_dangling +Complete - 4 successfully verified harnesses, 2 failures, 6 total. diff --git a/tests/std-checks/core/slice.expected b/tests/std-checks/core/slice.expected new file mode 100644 index 000000000000..4426ff6c02cd --- /dev/null +++ b/tests/std-checks/core/slice.expected @@ -0,0 +1 @@ +Complete - 2 successfully verified harnesses, 0 failures, 2 total. diff --git a/tests/std-checks/core/src/lib.rs b/tests/std-checks/core/src/lib.rs new file mode 100644 index 000000000000..b0a4fbc6154f --- /dev/null +++ b/tests/std-checks/core/src/lib.rs @@ -0,0 +1,10 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Top file that includes all sub-modules mimicking core structure. + +extern crate kani; + +pub mod mem; +pub mod ptr; +pub mod slice; diff --git a/tests/std-checks/core/src/mem.rs b/tests/std-checks/core/src/mem.rs new file mode 100644 index 000000000000..b0400d0a75f5 --- /dev/null +++ b/tests/std-checks/core/src/mem.rs @@ -0,0 +1,108 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Verify a few std::ptr::NonNull functions. + +/// Create wrapper functions to standard library functions that contains their contract. +pub mod contracts { + /// Swaps the values at two mutable locations, without deinitializing either one. + /// + /// TODO: Once history variable has been added, add a post-condition. + /// Also add a function to do a bitwise value comparison between arguments (ignore paddings). + /// + /// ```ignore + /// #[kani::ensures(kani::equals(kani::old(x), y))] + /// #[kani::ensures(kani::equals(kani::old(y), x))] + /// ``` + #[kani::modifies(x)] + #[kani::modifies(y)] + pub fn swap(x: &mut T, y: &mut T) { + std::mem::swap(x, y) + } + + #[kani::modifies(dest)] + pub fn replace(dest: &mut T, src: T) -> T { + std::mem::replace(dest, src) + } +} + +#[cfg(kani)] +mod verify { + use super::*; + + /// Use this type to ensure that mem swap does not drop the value. + #[derive(kani::Arbitrary)] + struct CannotDrop { + inner: T, + } + + impl Drop for CannotDrop { + fn drop(&mut self) { + unreachable!("Cannot drop") + } + } + + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_primitive() { + let mut x: u8 = kani::any(); + let mut y: u8 = kani::any(); + contracts::swap(&mut x, &mut y) + } + + /// FIX-ME: Modifies clause fail with pointer to ZST. + /// + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_unit() { + let mut x: () = kani::any(); + let mut y: () = kani::any(); + contracts::swap(&mut x, &mut y) + } + + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_adt_no_drop() { + let mut x: CannotDrop = kani::any(); + let mut y: CannotDrop = kani::any(); + contracts::swap(&mut x, &mut y); + std::mem::forget(x); + std::mem::forget(y); + } + + /// Memory swap logic is optimized according to the size and alignment of a type. + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_large_adt_no_drop() { + let mut x: CannotDrop<[u128; 5]> = kani::any(); + let mut y: CannotDrop<[u128; 5]> = kani::any(); + contracts::swap(&mut x, &mut y); + std::mem::forget(x); + std::mem::forget(y); + } + + #[kani::proof_for_contract(contracts::replace)] + pub fn check_replace_primitive() { + let mut x: u8 = kani::any(); + let x_before = x; + + let y: u8 = kani::any(); + let x_returned = contracts::replace(&mut x, y); + + kani::assert(x_before == x_returned, "x_before == x_returned"); + } + + #[kani::proof_for_contract(contracts::replace)] + pub fn check_replace_adt_no_drop() { + let mut x: CannotDrop = kani::any(); + let y: CannotDrop = kani::any(); + let new_x = contracts::replace(&mut x, y); + std::mem::forget(x); + std::mem::forget(new_x); + } + + /// Memory replace logic is optimized according to the size and alignment of a type. + #[kani::proof_for_contract(contracts::replace)] + pub fn check_replace_large_adt_no_drop() { + let mut x: CannotDrop<[u128; 4]> = kani::any(); + let y: CannotDrop<[u128; 4]> = kani::any(); + let new_x = contracts::replace(&mut x, y); + std::mem::forget(x); + std::mem::forget(new_x); + } +} diff --git a/tests/std-checks/core/src/ptr.rs b/tests/std-checks/core/src/ptr.rs new file mode 100644 index 000000000000..49cf9e168214 --- /dev/null +++ b/tests/std-checks/core/src/ptr.rs @@ -0,0 +1,112 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Add contracts for functions from std::ptr. + +use std::ptr::NonNull; + +/// Create wrapper functions to standard library functions that contains their contract. +pub mod contracts { + use super::*; + use kani::{ensures, implies, mem::*, modifies, requires}; + + #[ensures(|result : &Option>| implies!(ptr.is_null() => result.is_none()))] + #[ensures(|result : &Option>| implies!(!ptr.is_null() => result.is_some()))] + pub fn new(ptr: *mut T) -> Option> { + NonNull::new(ptr) + } + + /// # Safety: + /// When calling this method, you have to ensure that all the following is true: + /// + /// - The pointer must be properly aligned. + /// - It must be “dereferenceable” in the sense defined in the module documentation. + /// - TODO: The pointer must point to an initialized instance of T. + /// - We check for value validity, but not initialization yet. + /// + /// TODO: How to ensure aliasing rules?? + /// You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not + /// necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory + /// the pointer points to must not get mutated (except inside UnsafeCell). + /// Taken from: + #[requires(can_dereference(obj.as_ptr()))] + pub unsafe fn as_ref<'a, T>(obj: &NonNull) -> &'a T { + obj.as_ref() + } + + #[requires(!ptr.is_null())] + pub unsafe fn new_unchecked(ptr: *mut T) -> NonNull { + NonNull::::new_unchecked(ptr) + } + + /// Safety + /// + /// Behavior is undefined if any of the following conditions are violated: + /// - `dst` must be valid for both reads and writes. + /// - `dst` must be properly aligned. + /// - TODO: `dst` must point to a properly initialized value of type `T`. + /// - We check validity but not initialization. + /// + /// Note that even if `T` has size 0, the pointer must be non-null and properly aligned. + #[requires(can_dereference(dst))] + #[modifies(dst)] + pub unsafe fn replace(dst: *mut T, src: T) -> T { + std::ptr::replace(dst, src) + } +} + +#[cfg(kani)] +mod verify { + use super::*; + use kani::cover; + + #[kani::proof_for_contract(contracts::new)] + pub fn check_new() { + let ptr = kani::any::() as *mut (); + let res = contracts::new(ptr); + cover!(res.is_none()); + cover!(res.is_some()); + } + + #[kani::proof_for_contract(contracts::new_unchecked)] + pub fn check_new_unchecked() { + let ptr = kani::any::() as *mut (); + let _ = unsafe { contracts::new_unchecked(ptr) }; + } + + #[kani::proof_for_contract(contracts::as_ref)] + pub fn check_as_ref() { + let ptr = kani::any::>(); + let non_null = NonNull::new(Box::into_raw(ptr)).unwrap(); + let _rf = unsafe { contracts::as_ref(&non_null) }; + } + + #[kani::proof_for_contract(contracts::as_ref)] + #[kani::should_panic] + pub fn check_as_ref_dangling() { + let ptr = kani::any::() as *mut u8; + kani::assume(!ptr.is_null()); + let non_null = NonNull::new(ptr).unwrap(); + let _rf = unsafe { contracts::as_ref(&non_null) }; + } + + /// FIX-ME: Modifies clause fail with pointer to ZST. + /// + #[kani::proof_for_contract(contracts::replace)] + pub fn check_replace_unit() { + check_replace_impl::<()>(); + } + + #[kani::proof_for_contract(contracts::replace)] + pub fn check_replace_char() { + check_replace_impl::(); + } + + fn check_replace_impl() { + let mut dst = T::any(); + let orig = dst.clone(); + let src = T::any(); + let ret = unsafe { contracts::replace(&mut dst, src.clone()) }; + assert_eq!(ret, orig); + assert_eq!(dst, src); + } +} diff --git a/tests/std-checks/core/src/slice.rs b/tests/std-checks/core/src/slice.rs new file mode 100644 index 000000000000..fe627f21a5ae --- /dev/null +++ b/tests/std-checks/core/src/slice.rs @@ -0,0 +1,44 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +extern crate kani; + +/// Create wrapper functions to standard library functions that contains their contract. +pub mod contracts { + use kani::{mem::*, requires}; + + #[requires(can_dereference(std::ptr::slice_from_raw_parts(data, len)))] + pub unsafe fn from_raw_parts<'a, T>(data: *const T, len: usize) -> &'a [T] { + std::slice::from_raw_parts(data, len) + } + + #[requires(can_dereference(std::ptr::slice_from_raw_parts(data, len)))] + pub unsafe fn from_raw_parts_mut<'a, T>(data: *mut T, len: usize) -> &'a mut [T] { + std::slice::from_raw_parts_mut(data, len) + } +} + +#[cfg(kani)] +mod verify { + use super::*; + + const MAX_LEN: usize = isize::MAX as usize; + + #[kani::proof_for_contract(contracts::from_raw_parts)] + pub fn check_from_raw_parts_primitive() { + let len: usize = kani::any(); + kani::assume(len < MAX_LEN); + + let arr = vec![0u8; len]; + let _slice = unsafe { contracts::from_raw_parts(arr.as_ptr(), len) }; + } + + #[kani::proof_for_contract(contracts::from_raw_parts_mut)] + pub fn check_from_raw_parts_mut_primitive() { + let len: usize = kani::any(); + kani::assume(len < MAX_LEN); + + let mut arr = vec![0u8; len]; + let _slice = unsafe { contracts::from_raw_parts_mut(arr.as_mut_ptr(), len) }; + } +} diff --git a/tests/ui/cbmc_checks/signed-overflow/check_message.rs b/tests/ui/cbmc_checks/signed-overflow/check_message.rs index 0a1527e9a8fc..af496192ee60 100644 --- a/tests/ui/cbmc_checks/signed-overflow/check_message.rs +++ b/tests/ui/cbmc_checks/signed-overflow/check_message.rs @@ -2,7 +2,6 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // // Check we don't print temporary variables as part of CBMC messages. -// cbmc-flags: --signed-overflow-check extern crate kani; use kani::any; diff --git a/tests/ui/cbmc_checks/signed-overflow/expected b/tests/ui/cbmc_checks/signed-overflow/expected index 70669b325e9e..80d3eef3cd25 100644 --- a/tests/ui/cbmc_checks/signed-overflow/expected +++ b/tests/ui/cbmc_checks/signed-overflow/expected @@ -7,4 +7,3 @@ Failed Checks: attempt to calculate the remainder with a divisor of zero Failed Checks: attempt to calculate the remainder with overflow Failed Checks: attempt to shift left with overflow Failed Checks: attempt to shift right with overflow -Failed Checks: arithmetic overflow on signed shl diff --git a/tests/ui/derive-arbitrary/non_arbitrary_param/expected b/tests/ui/derive-arbitrary/non_arbitrary_param/expected index e74643f3bdb6..55f12678cf9a 100644 --- a/tests/ui/derive-arbitrary/non_arbitrary_param/expected +++ b/tests/ui/derive-arbitrary/non_arbitrary_param/expected @@ -1,5 +1,4 @@ error[E0277]: the trait bound `Void: kani::Arbitrary` is not satisfied - -|\ -| let _wrapper: Wrapper = kani::any();\ -| ^^^^^^^^^ the trait `kani::Arbitrary` is not implemented for `Void`\ + |\ +14 | let _wrapper: Wrapper = kani::any();\ + | ^^^^^^^^^^^ the trait `kani::Arbitrary` is not implemented for `Void`, which is required by `Wrapper: kani::Arbitrary`\ diff --git a/tests/ui/derive-invariant/helper-empty/expected b/tests/ui/derive-invariant/helper-empty/expected new file mode 100644 index 000000000000..d8590a9d22b8 --- /dev/null +++ b/tests/ui/derive-invariant/helper-empty/expected @@ -0,0 +1,6 @@ +error: Cannot derive impl for `PositivePoint` + | +| #[derive(kani::Invariant)] + | ^^^^^^^^^^^^^^^ + | +note: safety constraint in field `x` could not be parsed: expected attribute arguments in parentheses: #[safety_constraint(...)] diff --git a/tests/ui/derive-invariant/helper-empty/helper-empty.rs b/tests/ui/derive-invariant/helper-empty/helper-empty.rs new file mode 100644 index 000000000000..3086603cf5db --- /dev/null +++ b/tests/ui/derive-invariant/helper-empty/helper-empty.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check the compilation error for the `#[safety_constraint(...)]` attribute helper when an +//! argument isn't provided. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[safety_constraint] + x: i32, + #[safety_constraint(*y >= 0)] + y: i32, +} diff --git a/tests/ui/derive-invariant/helper-no-expr/expected b/tests/ui/derive-invariant/helper-no-expr/expected new file mode 100644 index 000000000000..e9ac7e3e1124 --- /dev/null +++ b/tests/ui/derive-invariant/helper-no-expr/expected @@ -0,0 +1,6 @@ +error: Cannot derive impl for `PositivePoint` + | +| #[derive(kani::Invariant)] + | ^^^^^^^^^^^^^^^ + | +note: safety constraint in field `x` could not be parsed: unexpected end of input, expected an expression diff --git a/tests/ui/derive-invariant/helper-no-expr/helper-no-expr.rs b/tests/ui/derive-invariant/helper-no-expr/helper-no-expr.rs new file mode 100644 index 000000000000..080c94371257 --- /dev/null +++ b/tests/ui/derive-invariant/helper-no-expr/helper-no-expr.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check the compilation error for the `#[safety_constraint(...)]` attribute helper when the +//! argument is not a proper expression. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[safety_constraint()] + x: i32, + #[safety_constraint(*y >= 0)] + y: i32, +} diff --git a/tests/ui/derive-invariant/helper-side-effect/expected b/tests/ui/derive-invariant/helper-side-effect/expected new file mode 100644 index 000000000000..20b3d17efd38 --- /dev/null +++ b/tests/ui/derive-invariant/helper-side-effect/expected @@ -0,0 +1,9 @@ +error[E0596]: cannot borrow `*x` as mutable, as it is behind a `&` reference + | +| #[safety_constraint({*(x.as_mut()) = 0; true})] + | ^ `x` is a `&` reference, so the data it refers to cannot be borrowed as mutable + | +help: consider specifying this binding's type + | +| x: &mut std::boxed::Box: Box, + | +++++++++++++++++++++++++++ diff --git a/tests/ui/derive-invariant/helper-side-effect/helper-side-effect.rs b/tests/ui/derive-invariant/helper-side-effect/helper-side-effect.rs new file mode 100644 index 000000000000..e80f2ff25796 --- /dev/null +++ b/tests/ui/derive-invariant/helper-side-effect/helper-side-effect.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that side effect expressions in the `#[safety_constraint(...)]` +//! attribute helpers are not allowed. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + #[safety_constraint({*(x.as_mut()) = 0; true})] + x: Box, + y: i32, +} + +#[kani::proof] +fn check_invariant_helper_ok() { + let pos_point: PositivePoint = kani::any(); + assert!(pos_point.is_safe()); +} diff --git a/tests/ui/derive-invariant/helper-wrong-expr/expected b/tests/ui/derive-invariant/helper-wrong-expr/expected new file mode 100644 index 000000000000..3f661bce9cbb --- /dev/null +++ b/tests/ui/derive-invariant/helper-wrong-expr/expected @@ -0,0 +1,9 @@ +error[E0308]: mismatched types + | +| #[safety_constraint(x >= 0)] + | ^ expected `&i32`, found integer + | +help: consider dereferencing the borrow + | +| #[safety_constraint(*x >= 0)] + | diff --git a/tests/ui/derive-invariant/helper-wrong-expr/helper-wrong-expr.rs b/tests/ui/derive-invariant/helper-wrong-expr/helper-wrong-expr.rs new file mode 100644 index 000000000000..66b42e02fd68 --- /dev/null +++ b/tests/ui/derive-invariant/helper-wrong-expr/helper-wrong-expr.rs @@ -0,0 +1,18 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check the compilation error for the `#[safety_constraint(...)]` attribute helper when the +//! argument cannot be evaluated in the struct's context. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct PositivePoint { + // Note: `x` is a reference in this context, we should refer to `*x` + #[safety_constraint(x >= 0)] + x: i32, + #[safety_constraint(*y >= 0)] + y: i32, +} diff --git a/tests/ui/entry-fn/main/function.rs b/tests/ui/entry-fn/main/function.rs index 5be95159aa96..a859406bc42c 100644 --- a/tests/ui/entry-fn/main/function.rs +++ b/tests/ui/entry-fn/main/function.rs @@ -1,9 +1,9 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --enable-unstable --mir-linker --function main +// kani-flags: --harness main // -//! Checks that we can use --function with the MIR Linker +//! Checks that we can select main function as a harness. #[kani::proof] fn harness() { @@ -11,13 +11,14 @@ fn harness() { assert_eq!(1 + 1, 10); } -#[no_mangle] +#[kani::proof] pub fn target_fn() { let pos: i32 = kani::any(); kani::assume(pos > 0); assert!(pos != 0); } +#[kani::proof] fn main() { assert_eq!(Some(10).and_then(|v| Some(v * 2)), Some(20)); } diff --git a/tests/ui/entry-fn/non-main/function.rs b/tests/ui/entry-fn/non-main/function.rs index 239f0d4645c9..5702946f3683 100644 --- a/tests/ui/entry-fn/non-main/function.rs +++ b/tests/ui/entry-fn/non-main/function.rs @@ -1,9 +1,9 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --enable-unstable --mir-linker --function target_fn +// kani-flags: --harness target_fn // -//! Checks that we can use --function with the MIR Linker +//! Checks that we can target the correct harness. #[kani::proof] fn harness() { @@ -11,7 +11,7 @@ fn harness() { assert_eq!(1 + 1, 10); } -#[no_mangle] +#[kani::proof] pub fn target_fn() { let pos: i32 = kani::any(); kani::assume(pos > 0); diff --git a/tests/ui/function-contracts/mutating_ensures_error.expected b/tests/ui/function-contracts/mutating_ensures_error.expected new file mode 100644 index 000000000000..4e9bb3984298 --- /dev/null +++ b/tests/ui/function-contracts/mutating_ensures_error.expected @@ -0,0 +1 @@ +cannot assign to `*_x`, as `Fn` closures cannot mutate their captured variables diff --git a/tests/ui/function-contracts/mutating_ensures_error.rs b/tests/ui/function-contracts/mutating_ensures_error.rs new file mode 100644 index 000000000000..2fc5f3c8d702 --- /dev/null +++ b/tests/ui/function-contracts/mutating_ensures_error.rs @@ -0,0 +1,12 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|_| {*_x += 1; true})] +fn unit(_x: &mut u32) {} + +#[kani::proof_for_contract(id)] +fn harness() { + let mut x = kani::any(); + unit(&mut x); +} diff --git a/tests/ui/function-stubbing-error/main.rs b/tests/ui/function-stubbing-error/main.rs index 2f5a10ff18cb..c433e352e740 100644 --- a/tests/ui/function-stubbing-error/main.rs +++ b/tests/ui/function-stubbing-error/main.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --harness main --enable-unstable --enable-stubbing +// kani-flags: --harness main -Z stubbing // //! This tests whether we detect syntactically misformed `kani::stub` annotations. diff --git a/tests/ui/invalid-cbmc-function-arg/expected b/tests/ui/invalid-cbmc-function-arg/expected index 9fe2c45e6f3a..2413ff9590db 100644 --- a/tests/ui/invalid-cbmc-function-arg/expected +++ b/tests/ui/invalid-cbmc-function-arg/expected @@ -1 +1 @@ -error: Invalid flag: --function should be provided to Kani directly, not via +error: Invalid flag: --function is not supported in Kani. diff --git a/tests/ui/safety-constraint-attribute/double-attribute/double-attribute.rs b/tests/ui/safety-constraint-attribute/double-attribute/double-attribute.rs new file mode 100644 index 000000000000..ef7be7fe0e03 --- /dev/null +++ b/tests/ui/safety-constraint-attribute/double-attribute/double-attribute.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that there is a compilation error when the `#[safety_constraint(...)]` +//! attribute is used more than once on the same struct. + +extern crate kani; +use kani::Invariant; + +#[derive(Invariant)] +#[safety_constraint(*x >= 0)] +#[safety_constraint(*y >= 0)] +struct Point { + x: i32, + y: i32, +} diff --git a/tests/ui/safety-constraint-attribute/double-attribute/expected b/tests/ui/safety-constraint-attribute/double-attribute/expected new file mode 100644 index 000000000000..899b85e20e9a --- /dev/null +++ b/tests/ui/safety-constraint-attribute/double-attribute/expected @@ -0,0 +1,6 @@ +error: Cannot derive `Invariant` for `Point` + | +| #[derive(Invariant)] + | ^^^^^^^^^ + | +note: `#[safety_constraint(...)]` cannot be used more than once. diff --git a/tests/ui/safety-constraint-attribute/invalid-pred-error/expected b/tests/ui/safety-constraint-attribute/invalid-pred-error/expected new file mode 100644 index 000000000000..e15e3ff7cf7d --- /dev/null +++ b/tests/ui/safety-constraint-attribute/invalid-pred-error/expected @@ -0,0 +1,19 @@ +error[E0308]: mismatched types + | +| #[safety_constraint(x >= 0 && y >= 0)] + | ^ expected `&i32`, found integer + | +help: consider dereferencing the borrow + | +| #[safety_constraint(*x >= 0 && y >= 0)] + | + + +error[E0308]: mismatched types + | +| #[safety_constraint(x >= 0 && y >= 0)] + | ^ expected `&i32`, found integer + | +help: consider dereferencing the borrow + | +| #[safety_constraint(x >= 0 && *y >= 0)] + | diff --git a/tests/ui/safety-constraint-attribute/invalid-pred-error/invalid-pred-error.rs b/tests/ui/safety-constraint-attribute/invalid-pred-error/invalid-pred-error.rs new file mode 100644 index 000000000000..89c862bb50c3 --- /dev/null +++ b/tests/ui/safety-constraint-attribute/invalid-pred-error/invalid-pred-error.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that there is a compilation error when the predicate passed to the +//! `#[safety_constraint(...)]` attribute would result in a compiler error. +//! +//! Note: the `#[derive(kani::Invariant)]` macro is required for the compiler error, +//! otherwise the `#[safety_constraint(...)]` attribute is ignored. + +extern crate kani; + +// Note: The struct fields `x` and `y` are references in this context, we should +// refer to `*x` and `*y` instead. +#[derive(kani::Invariant)] +#[safety_constraint(x >= 0 && y >= 0)] +struct Point { + x: i32, + y: i32, +} diff --git a/tests/ui/safety-constraint-attribute/mixed-attributes/expected b/tests/ui/safety-constraint-attribute/mixed-attributes/expected new file mode 100644 index 000000000000..bca53d41bf13 --- /dev/null +++ b/tests/ui/safety-constraint-attribute/mixed-attributes/expected @@ -0,0 +1,6 @@ +error: Cannot derive `Invariant` for `Point` + | +| #[derive(Invariant)] + | ^^^^^^^^^ + | +note: `#[safety_constraint(...)]` cannot be used in struct and its fields simultaneously diff --git a/tests/ui/safety-constraint-attribute/mixed-attributes/mixed-attributes.rs b/tests/ui/safety-constraint-attribute/mixed-attributes/mixed-attributes.rs new file mode 100644 index 000000000000..931cebd4839d --- /dev/null +++ b/tests/ui/safety-constraint-attribute/mixed-attributes/mixed-attributes.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that there is a compilation error when the `#[safety_constraint(...)]` +//! attribute for struct and the `#[safety_constraint(...)]` attribute for +//! fields is used at the same time. + +extern crate kani; +use kani::Invariant; + +#[derive(Invariant)] +#[safety_constraint(*x >= 0)] +struct Point { + x: i32, + #[safety_constraint(*y >= 0)] + y: i32, +} diff --git a/tests/ui/safety-constraint-attribute/no-struct-error/expected b/tests/ui/safety-constraint-attribute/no-struct-error/expected new file mode 100644 index 000000000000..df6bd82f00d6 --- /dev/null +++ b/tests/ui/safety-constraint-attribute/no-struct-error/expected @@ -0,0 +1,6 @@ +error: Cannot derive `Invariant` for `MyEnum` + | +| #[derive(kani::Invariant)] + | ^^^^^^^^^^^^^^^ + | +note: `#[safety_constraint(...)]` can only be used in structs diff --git a/tests/ui/safety-constraint-attribute/no-struct-error/no-struct-error.rs b/tests/ui/safety-constraint-attribute/no-struct-error/no-struct-error.rs new file mode 100644 index 000000000000..092bbe1319c7 --- /dev/null +++ b/tests/ui/safety-constraint-attribute/no-struct-error/no-struct-error.rs @@ -0,0 +1,18 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani raises an error when a derive macro with the +//! `#[safety_constraint(...)]` attribute is is used in items which are not a +//! struct. +//! +//! Note: the `#[derive(kani::Invariant)]` macro is required for the compiler error, +//! otherwise the `#[safety_constraint(...)]` attribute is ignored. + +extern crate kani; + +#[derive(kani::Invariant)] +#[safety_constraint(true)] +enum MyEnum { + A, + B(i32), +} diff --git a/tests/ui/stubbing/deprecated-enable-stable/deprecated.rs b/tests/ui/stubbing/deprecated-enable-stable/deprecated.rs deleted file mode 100644 index a5686af20a35..000000000000 --- a/tests/ui/stubbing/deprecated-enable-stable/deprecated.rs +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -// kani-flags: --enable-unstable --enable-stubbing -//! Checks that the `kani::stub` attribute is accepted - -fn foo() { - unreachable!(); -} - -fn bar() {} - -#[kani::proof] -#[kani::stub(foo, bar)] -fn main() { - foo(); -} diff --git a/tests/ui/stubbing/deprecated-enable-stable/expected b/tests/ui/stubbing/deprecated-enable-stable/expected deleted file mode 100644 index eb05b8cf9812..000000000000 --- a/tests/ui/stubbing/deprecated-enable-stable/expected +++ /dev/null @@ -1,2 +0,0 @@ -warning: The `--enable-stubbing` option is deprecated. This option will be removed soon. Consider using `-Z stubbing` instead -VERIFICATION:- SUCCESSFUL diff --git a/tests/ui/stubbing/invalid-path/invalid.rs b/tests/ui/stubbing/invalid-path/invalid.rs index d24c757fd0cd..04d3c786b0d7 100644 --- a/tests/ui/stubbing/invalid-path/invalid.rs +++ b/tests/ui/stubbing/invalid-path/invalid.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --harness invalid_stub --enable-unstable --enable-stubbing +// kani-flags: --harness invalid_stub -Z stubbing pub mod mod_a { use crate::mod_b::noop; diff --git a/tests/ui/stubbing/stubbing-flag/main.rs b/tests/ui/stubbing/stubbing-flag/main.rs index f9b788e94d82..a5172ad9d0cd 100644 --- a/tests/ui/stubbing/stubbing-flag/main.rs +++ b/tests/ui/stubbing/stubbing-flag/main.rs @@ -1,9 +1,9 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --harness main --enable-unstable --enable-stubbing +// kani-flags: --harness main -Z stubbing // -//! This tests that the `--enable-stubbing` and `--harness` arguments flow from `kani-driver` to `kani-compiler`. +//! This tests that enabling stubbing and `--harness` argument flow from `kani-driver` to `kani-compiler`. #[kani::proof] fn main() {} diff --git a/tests/ui/stubbing/stubbing-trait-validation/trait_mismatch.rs b/tests/ui/stubbing/stubbing-trait-validation/trait_mismatch.rs index e934141664bf..c49552d942e2 100644 --- a/tests/ui/stubbing/stubbing-trait-validation/trait_mismatch.rs +++ b/tests/ui/stubbing/stubbing-trait-validation/trait_mismatch.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --harness harness --enable-unstable --enable-stubbing +// kani-flags: --harness harness -Z stubbing // //! This tests that we catch trait mismatches between the stub and the original //! function/method. In particular, this tests the case when the program is diff --git a/tests/ui/stubbing/stubbing-type-validation/expected b/tests/ui/stubbing/stubbing-type-validation/expected index 5c56ad015a79..177375b4f4ba 100644 --- a/tests/ui/stubbing/stubbing-type-validation/expected +++ b/tests/ui/stubbing/stubbing-type-validation/expected @@ -1,8 +1,11 @@ -error: arity mismatch: original function/method `f1` takes 1 argument(s), stub `f2` takes 0 -error: return type differs: stub `g2` has type `i32` where original function/method `g1` has type `bool` -error: type of parameter 1 differs: stub `g2` has type `u32` where original function/method `g1` has type `i32` -error: type of parameter 2 differs: stub `g2` has type `&mut bool` where original function/method `g1` has type `&bool` error: mismatch in the number of generic parameters: original function/method `h1` takes 1 generic parameters(s), stub `h2` takes 2 -error: return type differs: stub `i2` has type `Y` where original function/method `i1` has type `X` -error: type of parameter 1 differs: stub `j2` has type `&X` where original function/method `j1` has type `&Y` -error: aborting due to 7 previous errors \ No newline at end of file + +error: Cannot stub `g1` by `g2`.\ + - Expected return type `bool`, but found `i32`\ + - Expected type `i32` for parameter 2, but found `u32`\ + - Expected type `&bool` for parameter 3, but found `&mut bool`\ + +error: Cannot stub `i1` by `i2`.\ + - Expected return type `X`, but found `Y` + +error: arity mismatch: original function/method `f1` takes 1 argument(s), stub `f2` takes 0 diff --git a/tests/ui/stubbing/stubbing-type-validation/type_mismatch.rs b/tests/ui/stubbing/stubbing-type-validation/type_mismatch.rs index 9f98ae302a22..bc8343658f9e 100644 --- a/tests/ui/stubbing/stubbing-type-validation/type_mismatch.rs +++ b/tests/ui/stubbing/stubbing-type-validation/type_mismatch.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // -// kani-flags: --harness harness --enable-unstable --enable-stubbing +// kani-flags: --harness harness -Z stubbing // //! This tests that we catch type mismatches between the stub and the original //! function/method. diff --git a/tools/benchcomp/benchcomp/__init__.py b/tools/benchcomp/benchcomp/__init__.py index eedd6ebc1f32..a82e50aae412 100644 --- a/tools/benchcomp/benchcomp/__init__.py +++ b/tools/benchcomp/benchcomp/__init__.py @@ -62,7 +62,16 @@ class ConfigFile(collections.UserDict): anyof: - schema: type: {} -filter: {} +filters: + type: list + default: [] + schema: + type: dict + keysrules: + type: string + allowed: ["command_line"] + valuesrules: + type: string visualize: {} """) diff --git a/tools/benchcomp/benchcomp/cmd_args.py b/tools/benchcomp/benchcomp/cmd_args.py index d8b7e735824f..8dd85f71080b 100644 --- a/tools/benchcomp/benchcomp/cmd_args.py +++ b/tools/benchcomp/benchcomp/cmd_args.py @@ -170,7 +170,13 @@ def _get_args_dict(): }, "filter": { "help": "transform a result by piping it through a program", - "args": [], + "args": [{ + "flags": ["--result-file"], + "metavar": "F", + "default": pathlib.Path("result.yaml"), + "type": pathlib.Path, + "help": "read result from F instead of %(default)s." + }], }, "visualize": { "help": "render a result in various formats", @@ -180,7 +186,7 @@ def _get_args_dict(): "default": pathlib.Path("result.yaml"), "type": pathlib.Path, "help": - "read result from F instead of %(default)s. " + "read result from F instead of %(default)s." }, { "flags": ["--only"], "nargs": "+", @@ -234,6 +240,11 @@ def get(): subparsers = ad["subparsers"].pop("parsers") subs = parser.add_subparsers(**ad["subparsers"]) + + # Add all subcommand-specific flags to the top-level argument parser, + # but only add them once. + flag_set = set() + for subcommand, info in subparsers.items(): args = info.pop("args") subparser = subs.add_parser(name=subcommand, **info) @@ -246,7 +257,9 @@ def get(): for arg in args: flags = arg.pop("flags") subparser.add_argument(*flags, **arg) - if arg not in global_args: + long_flag = flags[-1] + if arg not in global_args and long_flag not in flag_set: + flag_set.add(long_flag) parser.add_argument(*flags, **arg) return parser.parse_args() diff --git a/tools/benchcomp/benchcomp/entry/benchcomp.py b/tools/benchcomp/benchcomp/entry/benchcomp.py index e64f9699b3eb..9b8c1443c01d 100644 --- a/tools/benchcomp/benchcomp/entry/benchcomp.py +++ b/tools/benchcomp/benchcomp/entry/benchcomp.py @@ -16,4 +16,6 @@ def main(args): args.suites_dir = run_result.out_prefix / run_result.out_symlink results = benchcomp.entry.collate.main(args) + results = benchcomp.entry.filter.main(args) + benchcomp.entry.visualize.main(args) diff --git a/tools/benchcomp/benchcomp/entry/filter.py b/tools/benchcomp/benchcomp/entry/filter.py index 8523a198ce6a..c29a1795194b 100644 --- a/tools/benchcomp/benchcomp/entry/filter.py +++ b/tools/benchcomp/benchcomp/entry/filter.py @@ -4,5 +4,91 @@ # Entrypoint for `benchcomp filter` -def main(_): - raise NotImplementedError # TODO +import json +import logging +import pathlib +import subprocess +import sys +import tempfile + +import yaml + + +def main(args): + """Filter the results file by piping it into a list of scripts""" + + with open(args.result_file) as handle: + old_results = yaml.safe_load(handle) + + if "filters" not in args.config: + return old_results + + tmp_root = pathlib.Path(tempfile.gettempdir()) / "benchcomp" / "filter" + tmp_root.mkdir(parents=True, exist_ok=True) + tmpdir = pathlib.Path(tempfile.mkdtemp(dir=str(tmp_root))) + + for idx, filt in enumerate(args.config["filters"]): + with open(args.result_file) as handle: + old_results = yaml.safe_load(handle) + + json_results = json.dumps(old_results, indent=2) + in_file = tmpdir / f"{idx}.in.json" + out_file = tmpdir / f"{idx}.out.json" + cmd_out = _pipe( + filt["command_line"], json_results, in_file, out_file) + + try: + new_results = yaml.safe_load(cmd_out) + except yaml.YAMLError as exc: + logging.exception( + "Filter command '%s' produced invalid YAML. Stdin of" + " the command is saved in %s, stdout is saved in %s.", + filt["command_line"], in_file, out_file) + if hasattr(exc, "problem_mark"): + logging.error( + "Parse error location: line %d, column %d", + exc.problem_mark.line+1, exc.problem_mark.column+1) + sys.exit(1) + + with open(args.result_file, "w") as handle: + yaml.dump(new_results, handle, default_flow_style=False, indent=2) + + return new_results + + +def _pipe(shell_command, in_text, in_file, out_file): + """Pipe `in_text` into `shell_command` and return the output text + + Save the in and out text into files for later inspection if necessary. + """ + + with open(in_file, "w") as handle: + print(in_text, file=handle) + + logging.debug( + "Piping the contents of '%s' into '%s', saving into '%s'", + in_file, shell_command, out_file) + + timeout = 60 + with subprocess.Popen( + shell_command, shell=True, text=True, stdin=subprocess.PIPE, + stdout=subprocess.PIPE) as proc: + try: + out, _ = proc.communicate(input=in_text, timeout=timeout) + except subprocess.TimeoutExpired: + logging.error( + "Filter command failed to terminate after %ds: '%s'", + timeout, shell_command) + sys.exit(1) + + with open(out_file, "w") as handle: + print(out, file=handle) + + if proc.returncode: + logging.error( + "Filter command '%s' exited with code %d. Stdin of" + " the command is saved in %s, stdout is saved in %s.", + shell_command, proc.returncode, in_file, out_file) + sys.exit(1) + + return out diff --git a/tools/benchcomp/benchcomp/entry/run.py b/tools/benchcomp/benchcomp/entry/run.py index a870e7e9a1b0..28457381da2b 100644 --- a/tools/benchcomp/benchcomp/entry/run.py +++ b/tools/benchcomp/benchcomp/entry/run.py @@ -13,6 +13,7 @@ import logging import os import pathlib +import re import shutil import subprocess import typing @@ -53,9 +54,10 @@ def __post_init__(self): else: self.working_copy = pathlib.Path(self.directory) + def __call__(self): - env = dict(os.environ) - env.update(self.env) + update_environment_with = _EnvironmentUpdater() + env = update_environment_with(self.env) if self.copy_benchmarks_dir: shutil.copytree( @@ -128,6 +130,44 @@ def __call__(self): tmp_symlink.rename(self.out_symlink) + +@dataclasses.dataclass +class _EnvironmentUpdater: + """Update the OS environment with keys and values containing variables + + When called, this class returns the operating environment updated with new + keys and values. The values can contain variables of the form '${var_name}'. + The class evaluates those variables using values already in the environment. + """ + + os_environment: dict = dataclasses.field( + default_factory=lambda : dict(os.environ)) + pattern: re.Pattern = re.compile(r"\$\{(\w+?)\}") + + + def _evaluate(self, key, value): + """Evaluate all ${var} in value using self.os_environment""" + old_value = value + + for variable in re.findall(self.pattern, value): + if variable not in self.os_environment: + logging.error( + "Couldn't evaluate ${%s} in the value '%s' for environment " + "variable '%s'. Ensure the environment variable $%s is set", + variable, old_value, key, variable) + sys.exit(1) + value = re.sub( + r"\$\{" + variable + "\}", self.os_environment[variable], value) + return value + + + def __call__(self, new_environment): + ret = dict(self.os_environment) + for key, value in new_environment.items(): + ret[key] = self._evaluate(key, value) + return ret + + def get_default_out_symlink(): return "latest" diff --git a/tools/benchcomp/benchcomp/visualizers/__init__.py b/tools/benchcomp/benchcomp/visualizers/__init__.py index f9987832ad62..865386900639 100644 --- a/tools/benchcomp/benchcomp/visualizers/__init__.py +++ b/tools/benchcomp/benchcomp/visualizers/__init__.py @@ -3,8 +3,10 @@ import dataclasses +import enum import json import logging +import math import subprocess import sys import textwrap @@ -125,11 +127,21 @@ def __call__(self, results): +class Plot(enum.Enum): + """Scatterplot configuration options + """ + OFF = 1 + LINEAR = 2 + LOG = 3 + + + class dump_markdown_results_table: """Print Markdown-formatted tables displaying benchmark results For each metric, this visualization prints out a table of benchmarks, - showing the value of the metric for each variant. + showing the value of the metric for each variant, combined with an optional + scatterplot. The 'out_file' key is mandatory; specify '-' to print to stdout. @@ -145,12 +157,16 @@ class dump_markdown_results_table: particular combinations of values for different variants, such as regressions or performance improvements. + 'scatterplot' takes the values 'off' (default), 'linear' (linearly scaled + axes), or 'log' (logarithmically scaled axes). + Sample configuration: ``` visualize: - type: dump_markdown_results_table out_file: "-" + scatterplot: linear extra_columns: runtime: - column_name: ratio @@ -187,9 +203,10 @@ class dump_markdown_results_table: """ - def __init__(self, out_file, extra_columns=None): + def __init__(self, out_file, extra_columns=None, scatterplot=None): self.get_out_file = benchcomp.Outfile(out_file) self.extra_columns = self._eval_column_text(extra_columns or {}) + self.scatterplot = self._parse_scatterplot_config(scatterplot) @staticmethod @@ -206,12 +223,48 @@ def _eval_column_text(column_spec): return column_spec + @staticmethod + def _parse_scatterplot_config(scatterplot_config_string): + if (scatterplot_config_string is None or + scatterplot_config_string == "off"): + return Plot.OFF + elif scatterplot_config_string == "linear": + return Plot.LINEAR + elif scatterplot_config_string == "log": + return Plot.LOG + else: + logging.error( + "Invalid scatterplot configuration '%s'", + scatterplot_config_string) + sys.exit(1) + + @staticmethod def _get_template(): return textwrap.dedent("""\ {% for metric, benchmarks in d["metrics"].items() %} ## {{ metric }} + {% if scatterplot and metric in d["scaled_metrics"] and d["scaled_variants"][metric]|length == 2 -%} + ```mermaid + %%{init: { "quadrantChart": { "titlePadding": 15, "xAxisLabelPadding": 20, "yAxisLabelPadding": 20, "quadrantLabelFontSize": 0, "pointRadius": 2, "pointLabelFontSize": 2 }, "themeVariables": { "quadrant1Fill": "#FFFFFF", "quadrant2Fill": "#FFFFFF", "quadrant3Fill": "#FFFFFF", "quadrant4Fill": "#FFFFFF", "quadrant1TextFill": "#FFFFFF", "quadrant2TextFill": "#FFFFFF", "quadrant3TextFill": "#FFFFFF", "quadrant4TextFill": "#FFFFFF", "quadrantInternalBorderStrokeFill": "#FFFFFF" } } }%% + quadrantChart + title {{ metric }} + x-axis "{{ d["scaled_variants"][metric][0] }}" + y-axis "{{ d["scaled_variants"][metric][1] }}" + quadrant-1 1 + quadrant-2 2 + quadrant-3 3 + quadrant-4 4 + {%- for bench_name, bench_variants in d["scaled_metrics"][metric]["benchmarks"].items () %} + {% set v0 = bench_variants[d["scaled_variants"][metric][0]] -%} + {% set v1 = bench_variants[d["scaled_variants"][metric][1]] -%} + "{{ bench_name }}": [{{ v0|safe_round(3) }}, {{ v1|safe_round(3) }}] + {%- endfor %} + ``` + Scatterplot axis ranges are {{ d["scaled_metrics"][metric]["min_value"] }} (bottom/left) to {{ d["scaled_metrics"][metric]["max_value"] }} (top/right). + + {% endif -%} | Benchmark | {% for variant in d["variants"][metric] %} {{ variant }} |{% endfor %} | --- |{% for variant in d["variants"][metric] %} --- |{% endfor -%} {% for bench_name, bench_variants in benchmarks.items () %} @@ -222,13 +275,62 @@ def _get_template(): """) + @staticmethod + def _safe_round(value, precision): + try: + return round(value, precision) + except TypeError: + return 0 + + @staticmethod def _get_variant_names(results): return results.values()[0]["variants"] @staticmethod - def _organize_results_into_metrics(results): + def _compute_scaled_metric(data_for_metric, log_scaling): + min_value = math.inf + max_value = -math.inf + for bench, bench_result in data_for_metric.items(): + for variant, variant_result in bench_result.items(): + if isinstance(variant_result, (bool, str)): + return None + if not isinstance(variant_result, (int, float)): + return None + if variant_result < min_value: + min_value = variant_result + if variant_result > max_value: + max_value = variant_result + ret = { + "benchmarks": {bench: {} for bench in data_for_metric.keys()}, + "min_value": "log({})".format(min_value) if log_scaling else min_value, + "max_value": "log({})".format(max_value) if log_scaling else max_value, + } + # 1.0 is not a permissible value for mermaid, so make sure all scaled + # results stay below that by use 0.99 as hard-coded value or + # artificially increasing the range by 10 per cent + if min_value == math.inf or min_value == max_value: + for bench, bench_result in data_for_metric.items(): + ret["benchmarks"][bench] = {variant: 0.99 for variant in bench_result.keys()} + else: + if log_scaling: + min_value = math.log(min_value, 10) + max_value = math.log(max_value, 10) + value_range = max_value - min_value + value_range = value_range * 1.1 + for bench, bench_result in data_for_metric.items(): + for variant, variant_result in bench_result.items(): + if log_scaling: + abs_value = math.log(variant_result, 10) + else: + abs_value = variant_result + ret["benchmarks"][bench][variant] = (abs_value - min_value) / value_range + return ret + + + @staticmethod + def _organize_results_into_metrics(results, log_scaling): ret = {metric: {} for metric in results["metrics"]} for bench, bench_result in results["benchmarks"].items(): for variant, variant_result in bench_result["variants"].items(): @@ -246,7 +348,13 @@ def _organize_results_into_metrics(results): ret[metric][bench] = { variant: variant_result["metrics"][metric] } - return ret + ret_scaled = {} + for metric, bench_result in ret.items(): + scaled = dump_markdown_results_table._compute_scaled_metric( + bench_result, log_scaling) + if scaled is not None: + ret_scaled[metric] = scaled + return (ret, ret_scaled) def _add_extra_columns(self, metrics): @@ -258,7 +366,20 @@ def _add_extra_columns(self, metrics): for bench, variants in benches.items(): tmp_variants = dict(variants) for column in columns: - variants[column["column_name"]] = column["text"](tmp_variants) + if "column_name" not in column: + logging.error( + "A column specification for metric %s did not " + "contain a column_name field. Each column should " + "have a column name and column text", metric) + sys.exit(1) + try: + variants[column["column_name"]] = column["text"](tmp_variants) + except BaseException: + # This may be reached when evaluating the column text + # throws an exception. The column text is written in a + # YAML file and is typically a simple lambda so can't + # contain sophisticated error handling. + variants[column["column_name"]] = "**ERROR**" @staticmethod @@ -271,20 +392,35 @@ def _get_variants(metrics): return ret + @staticmethod + def _get_scaled_variants(metrics): + ret = {} + for metric, entries in metrics.items(): + for bench, variants in entries["benchmarks"].items(): + ret[metric] = list(variants.keys()) + break + return ret + + def __call__(self, results): - metrics = self._organize_results_into_metrics(results) + (metrics, scaled) = self._organize_results_into_metrics( + results, self.scatterplot == Plot.LOG) self._add_extra_columns(metrics) data = { "metrics": metrics, "variants": self._get_variants(metrics), + "scaled_metrics": scaled, + "scaled_variants": self._get_scaled_variants(scaled), } env = jinja2.Environment( loader=jinja2.BaseLoader, autoescape=jinja2.select_autoescape( enabled_extensions=("html"), default_for_string=True)) + env.filters["safe_round"] = self._safe_round template = env.from_string(self._get_template()) - output = template.render(d=data)[:-1] + include_scatterplot = self.scatterplot != Plot.OFF + output = template.render(d=data, scatterplot=include_scatterplot)[:-1] with self.get_out_file() as handle: print(output, file=handle) diff --git a/tools/benchcomp/configs/perf-regression.yaml b/tools/benchcomp/configs/perf-regression.yaml index a0d88e0558db..d1e65b24ca2c 100644 --- a/tools/benchcomp/configs/perf-regression.yaml +++ b/tools/benchcomp/configs/perf-regression.yaml @@ -10,13 +10,13 @@ variants: kani_new: config: directory: new - command_line: scripts/kani-perf.sh + command_line: "scripts/setup/ubuntu/install_deps.sh && scripts/kani-perf.sh" env: RUST_TEST_THREADS: "1" kani_old: config: directory: old - command_line: scripts/kani-perf.sh + command_line: "scripts/setup/ubuntu/install_deps.sh && scripts/kani-perf.sh" env: RUST_TEST_THREADS: "1" @@ -33,6 +33,7 @@ visualize: - type: dump_markdown_results_table out_file: '-' + scatterplot: linear extra_columns: # For these two metrics, display the difference between old and new and diff --git a/tools/benchcomp/test/test_regression.py b/tools/benchcomp/test/test_regression.py index 87df67a071cc..ccf2259f7f0b 100644 --- a/tools/benchcomp/test/test_regression.py +++ b/tools/benchcomp/test/test_regression.py @@ -436,6 +436,7 @@ def test_markdown_results_table(self): "visualize": [{ "type": "dump_markdown_results_table", "out_file": "-", + "scatterplot": "linear", "extra_columns": { "runtime": [{ "column_name": "ratio", @@ -461,6 +462,21 @@ def test_markdown_results_table(self): run_bc.stdout, textwrap.dedent(""" ## runtime + ```mermaid + %%{init: { "quadrantChart": { "titlePadding": 15, "xAxisLabelPadding": 20, "yAxisLabelPadding": 20, "quadrantLabelFontSize": 0, "pointRadius": 2, "pointLabelFontSize": 2 }, "themeVariables": { "quadrant1Fill": "#FFFFFF", "quadrant2Fill": "#FFFFFF", "quadrant3Fill": "#FFFFFF", "quadrant4Fill": "#FFFFFF", "quadrant1TextFill": "#FFFFFF", "quadrant2TextFill": "#FFFFFF", "quadrant3TextFill": "#FFFFFF", "quadrant4TextFill": "#FFFFFF", "quadrantInternalBorderStrokeFill": "#FFFFFF" } } }%% + quadrantChart + title runtime + x-axis "variant_1" + y-axis "variant_2" + quadrant-1 1 + quadrant-2 2 + quadrant-3 3 + quadrant-4 4 + "bench_1": [0.0, 0.909] + "bench_2": [0.909, 0.0] + ``` + Scatterplot axis ranges are 5 (bottom/left) to 10 (top/right). + | Benchmark | variant_1 | variant_2 | ratio | | --- | --- | --- | --- | | bench_1 | 5 | 10 | **2.0** | @@ -646,6 +662,135 @@ def test_return_0_on_fail(self): result = yaml.safe_load(handle) + def test_bad_filters(self): + """Ensure that bad filters terminate benchcomp""" + + with tempfile.TemporaryDirectory() as tmp: + run_bc = Benchcomp({ + "variants": { + "variant-1": { + "config": { + "command_line": "true", + "directory": tmp, + "env": {}, + } + }, + }, + "run": { + "suites": { + "suite_1": { + "parser": { + "command": textwrap.dedent("""\ + echo '{ + "benchmarks": { }, + "metrics": { } + }' + """) + }, + "variants": ["variant-1"] + } + } + }, + "filters": [{ + "command_line": "false" + }], + "visualize": [], + }) + run_bc() + self.assertEqual(run_bc.proc.returncode, 1, msg=run_bc.stderr) + + + def test_two_filters(self): + """Ensure that the output can be filtered""" + + with tempfile.TemporaryDirectory() as tmp: + run_bc = Benchcomp({ + "variants": { + "variant-1": { + "config": { + "command_line": "true", + "directory": tmp, + "env": {}, + } + }, + }, + "run": { + "suites": { + "suite_1": { + "parser": { + "command": textwrap.dedent("""\ + echo '{ + "benchmarks": { + "bench-1": { + "variants": { + "variant-1": { + "metrics": { + "runtime": 10, + "memory": 5 + } + } + } + } + }, + "metrics": { + "runtime": {}, + "memory": {}, + } + }' + """) + }, + "variants": ["variant-1"] + } + } + }, + "filters": [{ + "command_line": "sed -e 's/10/20/;s/5/10/'" + }, { + "command_line": """grep '"runtime": 20'""" + }], + "visualize": [], + }) + run_bc() + self.assertEqual(run_bc.proc.returncode, 0, msg=run_bc.stderr) + + + def test_env_expansion(self): + """Ensure that config parser expands '${}' in env key""" + + with tempfile.TemporaryDirectory() as tmp: + run_bc = Benchcomp({ + "variants": { + "env_set": { + "config": { + "command_line": 'echo "$__BENCHCOMP_ENV_VAR" > out', + "directory": tmp, + "env": {"__BENCHCOMP_ENV_VAR": "foo:${PATH}"} + } + }, + }, + "run": { + "suites": { + "suite_1": { + "parser": { + # The word 'bin' typically appears in $PATH, so + # check that what was echoed contains 'bin'. + "command": textwrap.dedent("""\ + grep bin out && grep '^foo:' out && echo '{ + "benchmarks": {}, + "metrics": {} + }' + """) + }, + "variants": ["env_set"] + } + } + }, + "visualize": [], + }) + run_bc() + self.assertEqual(run_bc.proc.returncode, 0, msg=run_bc.stderr) + + def test_env(self): """Ensure that benchcomp reads the 'env' key of variant config""" diff --git a/tools/benchcomp/test/test_unit.py b/tools/benchcomp/test/test_unit.py new file mode 100644 index 000000000000..12320116f217 --- /dev/null +++ b/tools/benchcomp/test/test_unit.py @@ -0,0 +1,66 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +# +# Benchcomp regression testing suite. This suite uses Python's stdlib unittest +# module, but nevertheless actually runs the binary rather than running unit +# tests. + +import unittest +import uuid + +import benchcomp.entry.run + + + +class TestEnvironmentUpdater(unittest.TestCase): + def test_environment_construction(self): + """Test that the default constructor reads the OS environment""" + + update_environment = benchcomp.entry.run._EnvironmentUpdater() + environment = update_environment({}) + self.assertIn("PATH", environment) + + + def test_placeholder_construction(self): + """Test that the placeholder constructor reads the placeholder""" + + key, value = [str(uuid.uuid4()) for _ in range(2)] + update_environment = benchcomp.entry.run._EnvironmentUpdater({ + key: value, + }) + environment = update_environment({}) + self.assertIn(key, environment) + self.assertEqual(environment[key], value) + + + def test_environment_update(self): + """Test that the environment is updated""" + + key, value, update = [str(uuid.uuid4()) for _ in range(3)] + update_environment = benchcomp.entry.run._EnvironmentUpdater({ + key: value, + }) + environment = update_environment({ + key: update + }) + self.assertIn(key, environment) + self.assertEqual(environment[key], update) + + + def test_environment_update_variable(self): + """Test that the environment is updated""" + + old_env = { + "key1": str(uuid.uuid4()), + "key2": str(uuid.uuid4()), + } + + actual_update = "${key2}xxx${key1}" + expected_update = f"{old_env['key2']}xxx{old_env['key1']}" + + update_environment = benchcomp.entry.run._EnvironmentUpdater(old_env) + environment = update_environment({ + "key1": actual_update, + }) + self.assertIn("key1", environment) + self.assertEqual(environment["key1"], expected_update) diff --git a/tools/bookrunner/Cargo.toml b/tools/bookrunner/Cargo.toml deleted file mode 100644 index 6c602ce05fd0..000000000000 --- a/tools/bookrunner/Cargo.toml +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -[package] -name = "bookrunner" -version = "0.1.0" -edition = "2018" -license = "MIT OR Apache-2.0" -publish = false - -[dependencies] -Inflector = "0.11.4" -pulldown-cmark = { version = "0.9", default-features = false } -rustdoc = { path = "librustdoc" } -walkdir = "2.3.2" -serde = { version = "1.0", features = ["derive"] } -serde_json = "1.0" -toml = "0.8" - -[package.metadata.rust-analyzer] -# This package uses rustc crates. -rustc_private=true diff --git a/tools/bookrunner/README.md b/tools/bookrunner/README.md deleted file mode 100644 index 560f2a73c3e4..000000000000 --- a/tools/bookrunner/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Book Runner - -This tool extracts examples from different Rust books, runs Kani on them, and -displays the results in a report. - -Run the following command to build this tool and generate the report: -```bash -./x.py run -i --stage 1 bookrunner -``` diff --git a/tools/bookrunner/configs/books/Rust by Example/Custom Types/Enums/Testcase: linked-list/5.props b/tools/bookrunner/configs/books/Rust by Example/Custom Types/Enums/Testcase: linked-list/5.props deleted file mode 100644 index 1fb5bcc55586..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Custom Types/Enums/Testcase: linked-list/5.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 3 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/22.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/22.props deleted file mode 100644 index 55a4254aa3a2..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/22.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 --object-bits 9 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/39.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/39.props deleted file mode 100644 index 55a4254aa3a2..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/39.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 --object-bits 9 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/5.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/5.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/5.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/54.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/54.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/54.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/69.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/69.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/69.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/102.props b/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/102.props deleted file mode 100644 index 2f4921c863e9..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/102.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 7 diff --git a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/63.props b/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/63.props deleted file mode 100644 index 2f4921c863e9..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/63.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 7 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Capturing/89.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Capturing/89.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Capturing/89.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Iterator::any/22.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Iterator::any/22.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Iterator::any/22.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/22.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/22.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/22.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/52.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/52.props deleted file mode 100644 index 2f4921c863e9..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/52.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 7 diff --git a/tools/bookrunner/configs/books/Rust by Example/Hello World/Formatted print/Formatting/17.props b/tools/bookrunner/configs/books/Rust by Example/Hello World/Formatted print/Formatting/17.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Hello World/Formatted print/Formatting/17.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/14.props b/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/14.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/14.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/Alternate_custom key types/29.props b/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/Alternate_custom key types/29.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/Alternate_custom key types/29.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std library types/Strings/12.props b/tools/bookrunner/configs/books/Rust by Example/Std library types/Strings/12.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std library types/Strings/12.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Channels/7.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Channels/7.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Channels/7.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/File I_O/read lines/9.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/File I_O/read lines/9.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/File I_O/read lines/9.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/8.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/8.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/8.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/Argument parsing/5.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/Argument parsing/5.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/Argument parsing/5.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/6.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/6.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/6.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/Testcase: map-reduce/24.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/Testcase: map-reduce/24.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/Testcase: map-reduce/24.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Traits/Disambiguating overlapping traits/11.props b/tools/bookrunner/configs/books/Rust by Example/Traits/Disambiguating overlapping traits/11.props deleted file mode 100644 index c8d448e9c718..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Traits/Disambiguating overlapping traits/11.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 10 diff --git a/tools/bookrunner/configs/books/Rust by Example/Traits/Iterators/12.props b/tools/bookrunner/configs/books/Rust by Example/Traits/Iterators/12.props deleted file mode 100644 index d55948277f51..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Traits/Iterators/12.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 5 diff --git a/tools/bookrunner/configs/books/Rust by Example/Traits/impl Trait/115.props b/tools/bookrunner/configs/books/Rust by Example/Traits/impl Trait/115.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Traits/impl Trait/115.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.diff b/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.diff deleted file mode 100644 index f8eff2a40536..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.diff +++ /dev/null @@ -1,4 +0,0 @@ -- 1 -+ 1 let ok_num = Ok::<_, ()>(5); -+ 2 assert!(!ok_num.is_err()); -+ 4 assert!([2, 4, 6][..] == vec[..]); diff --git a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.props b/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Attributes/Limits/45.props b/tools/bookrunner/configs/books/The Rust Reference/Attributes/Limits/45.props deleted file mode 100644 index 5fc51f2a8212..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Attributes/Limits/45.props +++ /dev/null @@ -1 +0,0 @@ -// kani-codegen-fail diff --git a/tools/bookrunner/configs/books/The Rust Reference/Linkage/190.props b/tools/bookrunner/configs/books/The Rust Reference/Linkage/190.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Linkage/190.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Patterns/367.props b/tools/bookrunner/configs/books/The Rust Reference/Patterns/367.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Patterns/367.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Loop expressions/133.props b/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Loop expressions/133.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Loop expressions/133.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Method call expressions/10.props b/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Method call expressions/10.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Method call expressions/10.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Type system/Types/113.props b/tools/bookrunner/configs/books/The Rust Reference/Type system/Types/113.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Type system/Types/113.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rustonomicon/Concurrency/Atomics/198.props b/tools/bookrunner/configs/books/The Rustonomicon/Concurrency/Atomics/198.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rustonomicon/Concurrency/Atomics/198.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/165.props b/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/165.props deleted file mode 100644 index ef7a7cac2c14..000000000000 --- a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/165.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 3 \ No newline at end of file diff --git a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/28.props b/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/28.props deleted file mode 100644 index f69c62f168c6..000000000000 --- a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/28.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 5 \ No newline at end of file diff --git a/tools/bookrunner/librustdoc/Cargo.toml b/tools/bookrunner/librustdoc/Cargo.toml deleted file mode 100644 index f83c6e25803c..000000000000 --- a/tools/bookrunner/librustdoc/Cargo.toml +++ /dev/null @@ -1,26 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 OR MIT -# -# Modifications Copyright Kani Contributors -# See GitHub history for details. -[package] -name = "rustdoc" -version = "0.0.0" -edition = "2021" -license = "MIT OR Apache-2.0" -publish = false - -# From upstream librustdoc: -# https://github.com/rust-lang/rust/tree/master/src/librustdoc -# Upstream crate does not list license but Rust statues: -# Rust is primarily distributed under the terms of both the MIT -# license and the Apache License (Version 2.0), with portions -# covered by various BSD-like licenses. - -[lib] -path = "lib.rs" - -[dependencies] -pulldown-cmark = { version = "0.9", default-features = false } - -[package.metadata.rust-analyzer] -rustc_private = true diff --git a/tools/bookrunner/librustdoc/README.md b/tools/bookrunner/librustdoc/README.md deleted file mode 100644 index 5a5f547068d6..000000000000 --- a/tools/bookrunner/librustdoc/README.md +++ /dev/null @@ -1,3 +0,0 @@ -For more information about how `librustdoc` works, see the [rustc dev guide]. - -[rustc dev guide]: https://rustc-dev-guide.rust-lang.org/rustdoc.html diff --git a/tools/bookrunner/librustdoc/build.rs b/tools/bookrunner/librustdoc/build.rs deleted file mode 100644 index bca0827fbc46..000000000000 --- a/tools/bookrunner/librustdoc/build.rs +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT - -//! Build script that allows us to build this dependency without bootstrap script. -pub(crate) fn main() { - // Hard code nightly configuration to build librustdoc. - println!("cargo:rustc-env=DOC_RUST_LANG_ORG_CHANNEL=nightly"); -} diff --git a/tools/bookrunner/librustdoc/doctest.rs b/tools/bookrunner/librustdoc/doctest.rs deleted file mode 100644 index cf0fdc106e38..000000000000 --- a/tools/bookrunner/librustdoc/doctest.rs +++ /dev/null @@ -1,321 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -use rustc_ast as ast; -use rustc_data_structures::sync::Lrc; -use rustc_driver::DEFAULT_LOCALE_RESOURCES; -use rustc_errors::ColorConfig; -use rustc_span::edition::Edition; -use rustc_span::source_map::SourceMap; -use rustc_span::symbol::sym; -use rustc_span::FileName; - -use std::io::{self}; -use std::str; - -use crate::html::markdown::LangString; - -/// Options that apply to all doctests in a crate or Markdown file (for `rustdoc foo.md`). -#[derive(Clone, Default)] -pub struct GlobalTestOptions { - /// Whether to disable the default `extern crate my_crate;` when creating doctests. - pub(crate) no_crate_inject: bool, - /// Additional crate-level attributes to add to doctests. - pub(crate) attrs: Vec, -} - -/// Transforms a test into code that can be compiled into a Rust binary, and returns the number of -/// lines before the test code begins as well as if the output stream supports colors or not. -pub fn make_test( - s: &str, - crate_name: Option<&str>, - dont_insert_main: bool, - opts: &GlobalTestOptions, - edition: Edition, - test_id: Option<&str>, -) -> (String, usize, bool) { - let (crate_attrs, everything_else, crates) = partition_source(s); - let everything_else = everything_else.trim(); - let mut line_offset = 0; - let mut prog = String::new(); - let mut supports_color = false; - - if opts.attrs.is_empty() { - // If there aren't any attributes supplied by #![doc(test(attr(...)))], then allow some - // lints that are commonly triggered in doctests. The crate-level test attributes are - // commonly used to make tests fail in case they trigger warnings, so having this there in - // that case may cause some tests to pass when they shouldn't have. - prog.push_str("#![allow(unused)]\n"); - line_offset += 1; - } - - // Next, any attributes that came from the crate root via #![doc(test(attr(...)))]. - for attr in &opts.attrs { - prog.push_str(&format!("#![{attr}]\n")); - line_offset += 1; - } - - // Now push any outer attributes from the example, assuming they - // are intended to be crate attributes. - prog.push_str(&crate_attrs); - prog.push_str(&crates); - - // Uses librustc_ast to parse the doctest and find if there's a main fn and the extern - // crate already is included. - let result = rustc_driver::catch_fatal_errors(|| { - rustc_span::create_session_if_not_set_then(edition, |_| { - use rustc_errors::emitter::{Emitter, HumanEmitter}; - use rustc_errors::DiagCtxt; - use rustc_parse::maybe_new_parser_from_source_str; - use rustc_parse::parser::ForceCollect; - use rustc_session::parse::ParseSess; - use rustc_span::source_map::FilePathMapping; - - let filename = FileName::anon_source_code(s); - let source = crates + everything_else; - - // Any errors in parsing should also appear when the doctest is compiled for real, so just - // send all the errors that librustc_ast emits directly into a `Sink` instead of stderr. - let sm = Lrc::new(SourceMap::new(FilePathMapping::empty())); - - let fallback_bundle = - rustc_errors::fallback_fluent_bundle(DEFAULT_LOCALE_RESOURCES.to_vec(), false); - supports_color = HumanEmitter::stderr(ColorConfig::Auto, fallback_bundle.clone()) - .diagnostic_width(Some(80)) - .supports_color(); - - let emitter = HumanEmitter::new(Box::new(io::sink()), fallback_bundle); - - // FIXME(misdreavus): pass `-Z treat-err-as-bug` to the doctest parser - let handler = DiagCtxt::with_emitter(Box::new(emitter)); - let sess = ParseSess::with_dcx(handler, sm); - - let mut found_main = false; - let mut found_extern_crate = crate_name.is_none(); - let mut found_macro = false; - - let mut parser = match maybe_new_parser_from_source_str(&sess, filename, source) { - Ok(p) => p, - Err(_errs) => { - return (found_main, found_extern_crate, found_macro); - } - }; - - loop { - match parser.parse_item(ForceCollect::No) { - Ok(Some(item)) => { - if !found_main { - if let ast::ItemKind::Fn(..) = item.kind { - if item.ident.name == sym::main { - found_main = true; - } - } - } - - if !found_extern_crate { - if let ast::ItemKind::ExternCrate(original) = item.kind { - // This code will never be reached if `crate_name` is none because - // `found_extern_crate` is initialized to `true` if it is none. - let crate_name = crate_name.unwrap(); - - match original { - Some(name) => found_extern_crate = name.as_str() == crate_name, - None => found_extern_crate = item.ident.as_str() == crate_name, - } - } - } - - if !found_macro { - if let ast::ItemKind::MacCall(..) = item.kind { - found_macro = true; - } - } - - if found_main && found_extern_crate { - break; - } - } - Ok(None) => break, - Err(e) => { - e.cancel(); - break; - } - } - - // The supplied slice is only used for diagnostics, - // which are swallowed here anyway. - parser.maybe_consume_incorrect_semicolon(&[]); - } - - // Reset errors so that they won't be reported as compiler bugs when dropping the - // handler. Any errors in the tests will be reported when the test file is compiled, - // Note that we still need to cancel the errors above otherwise `DiagnosticBuilder` - // will panic on drop. - sess.dcx.reset_err_count(); - - (found_main, found_extern_crate, found_macro) - }) - }); - let (already_has_main, already_has_extern_crate, found_macro) = match result { - Ok(result) => result, - Err(_) => { - // If the parser panicked due to a fatal error, pass the test code through unchanged. - // The error will be reported during compilation. - return (s.to_owned(), 0, false); - } - }; - - // If a doctest's `fn main` is being masked by a wrapper macro, the parsing loop above won't - // see it. In that case, run the old text-based scan to see if they at least have a main - // function written inside a macro invocation. See - // https://github.com/rust-lang/rust/issues/56898 - let already_has_main = if found_macro && !already_has_main { - s.lines() - .map(|line| { - let comment = line.find("//"); - if let Some(comment_begins) = comment { &line[0..comment_begins] } else { line } - }) - .any(|code| code.contains("fn main")) - } else { - already_has_main - }; - - // Don't inject `extern crate std` because it's already injected by the - // compiler. - if !already_has_extern_crate && !opts.no_crate_inject && crate_name != Some("std") { - if let Some(crate_name) = crate_name { - // Don't inject `extern crate` if the crate is never used. - // NOTE: this is terribly inaccurate because it doesn't actually - // parse the source, but only has false positives, not false - // negatives. - if s.contains(crate_name) { - prog.push_str(&format!("extern crate r#{crate_name};\n")); - line_offset += 1; - } - } - } - - // FIXME: This code cannot yet handle no_std test cases yet - if dont_insert_main || already_has_main || prog.contains("![no_std]") { - prog.push_str(everything_else); - } else { - let returns_result = everything_else.trim_end().ends_with("(())"); - // Give each doctest main function a unique name. - // This is for example needed for the tooling around `-Z instrument-coverage`. - let inner_fn_name = if let Some(test_id) = test_id { - format!("_doctest_main_{test_id}") - } else { - "_inner".into() - }; - let inner_attr = if test_id.is_some() { "#[allow(non_snake_case)] " } else { "" }; - let (main_pre, main_post) = if returns_result { - ( - format!( - "fn main() {{ {inner_attr}fn {inner_fn_name}() -> Result<(), impl core::fmt::Debug> {{\n" - ), - format!("\n}} {inner_fn_name}().unwrap() }}"), - ) - } else if test_id.is_some() { - ( - format!("fn main() {{ {inner_attr}fn {inner_fn_name}() {{\n"), - format!("\n}} {inner_fn_name}() }}"), - ) - } else { - ("fn main() {\n".into(), "\n}".into()) - }; - // Note on newlines: We insert a line/newline *before*, and *after* - // the doctest and adjust the `line_offset` accordingly. - // In the case of `-Z instrument-coverage`, this means that the generated - // inner `main` function spans from the doctest opening codeblock to the - // closing one. For example - // /// ``` <- start of the inner main - // /// <- code under doctest - // /// ``` <- end of the inner main - line_offset += 1; - - prog.extend([&main_pre, everything_else, &main_post].iter().cloned()); - } - - debug!("final doctest:\n{}", prog); - - (prog, line_offset, supports_color) -} - -// FIXME(aburka): use a real parser to deal with multiline attributes -fn partition_source(s: &str) -> (String, String, String) { - #[derive(Copy, Clone, PartialEq)] - enum PartitionState { - Attrs, - Crates, - Other, - } - let mut state = PartitionState::Attrs; - let mut before = String::new(); - let mut crates = String::new(); - let mut after = String::new(); - - for line in s.lines() { - let trimline = line.trim(); - - // FIXME(misdreavus): if a doc comment is placed on an extern crate statement, it will be - // shunted into "everything else" - match state { - PartitionState::Attrs => { - state = if trimline.starts_with("#![") - || trimline.chars().all(|c| c.is_whitespace()) - || (trimline.starts_with("//") && !trimline.starts_with("///")) - { - PartitionState::Attrs - } else if trimline.starts_with("extern crate") - || trimline.starts_with("#[macro_use] extern crate") - { - PartitionState::Crates - } else { - PartitionState::Other - }; - } - PartitionState::Crates => { - state = if trimline.starts_with("extern crate") - || trimline.starts_with("#[macro_use] extern crate") - || trimline.chars().all(|c| c.is_whitespace()) - || (trimline.starts_with("//") && !trimline.starts_with("///")) - { - PartitionState::Crates - } else { - PartitionState::Other - }; - } - PartitionState::Other => {} - } - - match state { - PartitionState::Attrs => { - before.push_str(line); - before.push('\n'); - } - PartitionState::Crates => { - crates.push_str(line); - crates.push('\n'); - } - PartitionState::Other => { - after.push_str(line); - after.push('\n'); - } - } - } - - debug!("before:\n{}", before); - debug!("crates:\n{}", crates); - debug!("after:\n{}", after); - - (before, after, crates) -} - -pub trait Tester { - fn add_test(&mut self, test: String, config: LangString, line: usize); - fn get_line(&self) -> usize { - 0 - } - fn register_header(&mut self, _name: &str, _level: u32) {} -} diff --git a/tools/bookrunner/librustdoc/html/markdown.rs b/tools/bookrunner/librustdoc/html/markdown.rs deleted file mode 100644 index 85235a5bcc6b..000000000000 --- a/tools/bookrunner/librustdoc/html/markdown.rs +++ /dev/null @@ -1,339 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -//! Markdown formatting for rustdoc. -//! - -use rustc_span::edition::Edition; - -use std::default::Default; -use std::str; -use std::{borrow::Cow, marker::PhantomData}; - -use crate::doctest; - -use pulldown_cmark::{CodeBlockKind, Event, Parser, Tag}; - -#[derive(Copy, Clone, Eq, PartialEq, Debug)] -pub /* via find_testable_code */ enum ErrorCodes { - Yes, - No, -} - -impl ErrorCodes { - pub(crate) fn as_bool(self) -> bool { - match self { - ErrorCodes::Yes => true, - ErrorCodes::No => false, - } - } -} - -/// Controls whether a line will be hidden or shown in HTML output. -/// -/// All lines are used in documentation tests. -enum Line<'a> { - Hidden(&'a str), - Shown(Cow<'a, str>), -} - -impl<'a> Line<'a> { - fn for_code(self) -> Cow<'a, str> { - match self { - Line::Shown(l) => l, - Line::Hidden(l) => Cow::Borrowed(l), - } - } -} - -// FIXME: There is a minor inconsistency here. For lines that start with ##, we -// have no easy way of removing a potential single space after the hashes, which -// is done in the single # case. This inconsistency seems okay, if non-ideal. In -// order to fix it we'd have to iterate to find the first non-# character, and -// then reallocate to remove it; which would make us return a String. -fn map_line(s: &str) -> Line<'_> { - let trimmed = s.trim(); - if trimmed.starts_with("##") { - Line::Shown(Cow::Owned(s.replacen("##", "#", 1))) - } else if let Some(stripped) = trimmed.strip_prefix("# ") { - // # text - Line::Hidden(stripped) - } else if trimmed == "#" { - // We cannot handle '#text' because it could be #[attr]. - Line::Hidden("") - } else { - Line::Shown(Cow::Borrowed(s)) - } -} - -pub fn find_testable_code( - doc: &str, - tests: &mut T, - error_codes: ErrorCodes, - enable_per_target_ignores: bool, - extra_info: Option<&ExtraInfo<'_>>, -) { - let mut parser = Parser::new(doc).into_offset_iter(); - let mut prev_offset = 0; - let mut nb_lines = 0; - let mut register_header = None; - while let Some((event, offset)) = parser.next() { - match event { - Event::Start(Tag::CodeBlock(kind)) => { - let block_info = match kind { - CodeBlockKind::Fenced(ref lang) => { - if lang.is_empty() { - Default::default() - } else { - LangString::parse( - lang, - error_codes, - enable_per_target_ignores, - extra_info, - ) - } - } - CodeBlockKind::Indented => Default::default(), - }; - if !block_info.rust { - continue; - } - - let mut test_s = String::new(); - - while let Some((Event::Text(s), _)) = parser.next() { - test_s.push_str(&s); - } - let text = test_s - .lines() - .map(|l| map_line(l).for_code()) - .collect::>>() - .join("\n"); - - nb_lines += doc[prev_offset..offset.start].lines().count(); - // If there are characters between the preceding line ending and - // this code block, `str::lines` will return an additional line, - // which we subtract here. - if nb_lines != 0 && !&doc[prev_offset..offset.start].ends_with('\n') { - nb_lines -= 1; - } - let line = tests.get_line() + nb_lines + 1; - tests.add_test(text, block_info, line); - prev_offset = offset.start; - } - Event::Start(Tag::Heading(level, _, _)) => { - register_header = Some(level as u32); - } - Event::Text(ref s) if register_header.is_some() => { - let level = register_header.unwrap(); - if s.is_empty() { - tests.register_header("", level); - } else { - tests.register_header(s, level); - } - register_header = None; - } - _ => {} - } - } -} - -// We never pass an actual ExtraInfo, only None for Option -pub struct ExtraInfo<'tcx> { - _unused: PhantomData<&'tcx ()>, -} - -impl<'tcx> ExtraInfo<'tcx> { - fn error_invalid_codeblock_attr(&self, msg: &str, _help: &str) { - unreachable!("{}", msg); - } -} - -#[derive(Eq, PartialEq, Clone, Debug)] -pub struct LangString { - original: String, - pub should_panic: bool, - pub(crate) no_run: bool, - pub ignore: Ignore, - pub(crate) rust: bool, - pub(crate) test_harness: bool, - pub compile_fail: bool, - pub(crate) error_codes: Vec, - pub(crate) allow_fail: bool, - pub edition: Option, -} - -#[derive(Eq, PartialEq, Clone, Debug)] -pub enum Ignore { - All, - None, - Some(Vec), -} - -impl Default for LangString { - fn default() -> Self { - Self { - original: String::new(), - should_panic: false, - no_run: false, - ignore: Ignore::None, - rust: true, - test_harness: false, - compile_fail: false, - error_codes: Vec::new(), - allow_fail: false, - edition: None, - } - } -} - -impl LangString { - fn tokens(string: &str) -> impl Iterator { - // Pandoc, which Rust once used for generating documentation, - // expects lang strings to be surrounded by `{}` and for each token - // to be proceeded by a `.`. Since some of these lang strings are still - // loose in the wild, we strip a pair of surrounding `{}` from the lang - // string and a leading `.` from each token. - - let string = string.trim(); - - let first = string.chars().next(); - let last = string.chars().last(); - - let string = if first == Some('{') && last == Some('}') { - &string[1..string.len() - 1] - } else { - string - }; - - string - .split(|c| c == ',' || c == ' ' || c == '\t') - .map(str::trim) - .map(|token| token.strip_prefix('.').unwrap_or(token)) - .filter(|token| !token.is_empty()) - } - - fn parse( - string: &str, - allow_error_code_check: ErrorCodes, - enable_per_target_ignores: bool, - extra: Option<&ExtraInfo<'_>>, - ) -> LangString { - let allow_error_code_check = allow_error_code_check.as_bool(); - let mut seen_rust_tags = false; - let mut seen_other_tags = false; - let mut data = LangString::default(); - let mut ignores = vec![]; - - data.original = string.to_owned(); - - for token in Self::tokens(string) { - match token { - "should_panic" => { - data.should_panic = true; - seen_rust_tags = !seen_other_tags; - } - "no_run" => { - data.no_run = true; - seen_rust_tags = !seen_other_tags; - } - "ignore" => { - data.ignore = Ignore::All; - seen_rust_tags = !seen_other_tags; - } - x if x.starts_with("ignore-") => { - if enable_per_target_ignores { - ignores.push(x.trim_start_matches("ignore-").to_owned()); - seen_rust_tags = !seen_other_tags; - } - } - "allow_fail" => { - data.allow_fail = true; - seen_rust_tags = !seen_other_tags; - } - "rust" => { - data.rust = true; - seen_rust_tags = true; - } - "test_harness" => { - data.test_harness = true; - seen_rust_tags = !seen_other_tags || seen_rust_tags; - } - "compile_fail" => { - data.compile_fail = true; - seen_rust_tags = !seen_other_tags || seen_rust_tags; - data.no_run = true; - } - x if x.starts_with("edition") => { - data.edition = x[7..].parse::().ok(); - } - x if allow_error_code_check && x.starts_with('E') && x.len() == 5 => { - if x[1..].parse::().is_ok() { - data.error_codes.push(x.to_owned()); - seen_rust_tags = !seen_other_tags || seen_rust_tags; - } else { - seen_other_tags = true; - } - } - x if extra.is_some() => { - let s = x.to_lowercase(); - if let Some((flag, help)) = if s == "compile-fail" - || s == "compile_fail" - || s == "compilefail" - { - Some(( - "compile_fail", - "the code block will either not be tested if not marked as a rust one \ - or won't fail if it compiles successfully", - )) - } else if s == "should-panic" || s == "should_panic" || s == "shouldpanic" { - Some(( - "should_panic", - "the code block will either not be tested if not marked as a rust one \ - or won't fail if it doesn't panic when running", - )) - } else if s == "no-run" || s == "no_run" || s == "norun" { - Some(( - "no_run", - "the code block will either not be tested if not marked as a rust one \ - or will be run (which you might not want)", - )) - } else if s == "allow-fail" || s == "allow_fail" || s == "allowfail" { - Some(( - "allow_fail", - "the code block will either not be tested if not marked as a rust one \ - or will be run (which you might not want)", - )) - } else if s == "test-harness" || s == "test_harness" || s == "testharness" { - Some(( - "test_harness", - "the code block will either not be tested if not marked as a rust one \ - or the code will be wrapped inside a main function", - )) - } else { - None - } { - if let Some(extra) = extra { - extra.error_invalid_codeblock_attr( - &format!("unknown attribute `{x}`. Did you mean `{flag}`?"), - help, - ); - } - } - seen_other_tags = true; - } - _ => seen_other_tags = true, - } - } - - // ignore-foo overrides ignore - if !ignores.is_empty() { - data.ignore = Ignore::Some(ignores); - } - - data.rust &= !seen_other_tags || seen_rust_tags; - - data - } -} diff --git a/tools/bookrunner/librustdoc/html/mod.rs b/tools/bookrunner/librustdoc/html/mod.rs deleted file mode 100644 index bb4c77e39854..000000000000 --- a/tools/bookrunner/librustdoc/html/mod.rs +++ /dev/null @@ -1,6 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -// used by the error-index generator, so it needs to be public -pub mod markdown; diff --git a/tools/bookrunner/librustdoc/lib.rs b/tools/bookrunner/librustdoc/lib.rs deleted file mode 100644 index 68bc77fa14e8..000000000000 --- a/tools/bookrunner/librustdoc/lib.rs +++ /dev/null @@ -1,66 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -#![doc( - html_root_url = "https://doc.rust-lang.org/nightly/", - html_playground_url = "https://play.rust-lang.org/" -)] -#![feature(rustc_private)] -#![feature(array_methods)] -#![feature(assert_matches)] -#![feature(box_patterns)] -#![feature(control_flow_enum)] -#![feature(test)] -#![feature(never_type)] -#![feature(type_ascription)] -#![feature(iter_intersperse)] -#![recursion_limit = "256"] -#![warn(rustc::internal)] -#![allow(clippy::collapsible_if, clippy::collapsible_else_if, clippy::arc_with_non_send_sync)] - -#[macro_use] -extern crate tracing; - -// N.B. these need `extern crate` even in 2018 edition -// because they're loaded implicitly from the sysroot. -// The reason they're loaded from the sysroot is because -// the rustdoc artifacts aren't stored in rustc's cargo target directory. -// So if `rustc` was specified in Cargo.toml, this would spuriously rebuild crates. -// -// Dependencies listed in Cargo.toml do not need `extern crate`. - -extern crate rustc_ast; -extern crate rustc_ast_lowering; -extern crate rustc_ast_pretty; -extern crate rustc_attr; -extern crate rustc_const_eval; -extern crate rustc_data_structures; -extern crate rustc_driver; -extern crate rustc_errors; -extern crate rustc_expand; -extern crate rustc_feature; -extern crate rustc_hir; -extern crate rustc_hir_pretty; -extern crate rustc_index; -extern crate rustc_infer; -extern crate rustc_interface; -extern crate rustc_lexer; -extern crate rustc_lint; -extern crate rustc_lint_defs; -extern crate rustc_macros; -extern crate rustc_metadata; -extern crate rustc_middle; -extern crate rustc_parse; -extern crate rustc_passes; -extern crate rustc_resolve; -extern crate rustc_serialize; -extern crate rustc_session; -extern crate rustc_span; -extern crate rustc_target; -extern crate rustc_trait_selection; -extern crate test; - -pub mod doctest; -// used by the error-index generator, so it needs to be public -pub mod html; diff --git a/tools/bookrunner/print.sh b/tools/bookrunner/print.sh deleted file mode 100755 index 904409ee1c87..000000000000 --- a/tools/bookrunner/print.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -# `rustdoc` treats this script as `rustc` and sends code extracted from markdown -# files to stdin of this script. Instead of compiling the code, this scripts -# simply copies the contents of stdin to the location where `rustdoc` caches the -# "compiled" output. - -FILE="$6" -BASE=`basename "$FILE"` -mkdir -p "$BASE" -cp "/dev/stdin" "$FILE" diff --git a/tools/bookrunner/rust-doc/nomicon b/tools/bookrunner/rust-doc/nomicon deleted file mode 160000 index c05c452b3635..000000000000 --- a/tools/bookrunner/rust-doc/nomicon +++ /dev/null @@ -1 +0,0 @@ -Subproject commit c05c452b36358821bf4122f9c418674edd1d713d diff --git a/tools/bookrunner/rust-doc/reference b/tools/bookrunner/rust-doc/reference deleted file mode 160000 index f8ba2f12df60..000000000000 --- a/tools/bookrunner/rust-doc/reference +++ /dev/null @@ -1 +0,0 @@ -Subproject commit f8ba2f12df60ee19b96de24ae5b73af3de8a446b diff --git a/tools/bookrunner/rust-doc/rust-by-example b/tools/bookrunner/rust-doc/rust-by-example deleted file mode 160000 index 43f82530210b..000000000000 --- a/tools/bookrunner/rust-doc/rust-by-example +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 43f82530210b83cf888282b207ed13d5893da9b2 diff --git a/tools/bookrunner/rust-doc/unstable-book/.gitignore b/tools/bookrunner/rust-doc/unstable-book/.gitignore deleted file mode 100644 index 7585238efedf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/.gitignore +++ /dev/null @@ -1 +0,0 @@ -book diff --git a/tools/bookrunner/rust-doc/unstable-book/book.toml b/tools/bookrunner/rust-doc/unstable-book/book.toml deleted file mode 100644 index dfbd8311dae4..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/book.toml +++ /dev/null @@ -1,10 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 OR MIT -# -# Modifications Copyright Kani Contributors -# See GitHub history for details. -[book] -title = "The Rust Unstable Book" -author = "The Rust Community" - -[output.html] -git-repository-url = "https://github.com/rust-lang/rust/tree/master/src/doc/unstable-book" diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags.md deleted file mode 100644 index 43eadb351016..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags.md +++ /dev/null @@ -1 +0,0 @@ -# Compiler flags diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/branch-protection.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/branch-protection.md deleted file mode 100644 index 85403748e1dc..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/branch-protection.md +++ /dev/null @@ -1,18 +0,0 @@ -# `branch-protection` - -This option lets you enable branch authentication instructions on AArch64. -This option is ignored for non-AArch64 architectures. -It takes some combination of the following values, separated by a `,`. - -- `pac-ret` - Enable pointer authentication for non-leaf functions. -- `leaf` - Enable pointer authentication for all functions, including leaf functions. -- `b-key` - Sign return addresses with key B, instead of the default key A. -- `bti` - Enable branch target identification. - -`leaf` and `b-key` are only valid if `pac-ret` was previously specified. -For example, `-Z branch-protection=bti,pac-ret,leaf` is valid, but -`-Z branch-protection=bti,leaf,pac-ret` is not. - -Rust's standard library does not ship with BTI or pointer authentication enabled by default. -In Cargo projects the standard library can be recompiled with pointer authentication using the nightly -[build-std](https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#build-std) feature. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/codegen-backend.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/codegen-backend.md deleted file mode 100644 index 3c0cd32fae17..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/codegen-backend.md +++ /dev/null @@ -1,31 +0,0 @@ -# `codegen-backend` - -The tracking issue for this feature is: [#77933](https://github.com/rust-lang/rust/issues/77933). - ------------------------- - -This feature allows you to specify a path to a dynamic library to use as rustc's -code generation backend at runtime. - -Set the `-Zcodegen-backend=` compiler flag to specify the location of the -backend. The library must be of crate type `dylib` and must contain a function -named `__rustc_codegen_backend` with a signature of `fn() -> Box`. - -## Example -See also the [`hotplug_codegen_backend`](https://github.com/rust-lang/rust/tree/master/src/test/run-make-fulldeps/hotplug_codegen_backend) test -for a full example. - -```rust,ignore (partial-example) -use rustc_codegen_ssa::traits::CodegenBackend; - -struct MyBackend; - -impl CodegenBackend for MyBackend { - // Implement codegen methods -} - -#[no_mangle] -pub fn __rustc_codegen_backend() -> Box { - Box::new(MyBackend) -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/control-flow-guard.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/control-flow-guard.md deleted file mode 100644 index 08c16d95f467..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/control-flow-guard.md +++ /dev/null @@ -1,59 +0,0 @@ -# `control-flow-guard` - -The tracking issue for this feature is: [#68793](https://github.com/rust-lang/rust/issues/68793). - ------------------------- - -The rustc flag `-Z control-flow-guard` enables the Windows [Control Flow Guard](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard) (CFG) platform security feature. - -CFG is an exploit mitigation designed to enforce control-flow integrity for software running on supported [Windows platforms (Windows 8.1 onwards)](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard). Specifically, CFG uses runtime checks to validate the target address of every indirect call/jump before allowing the call to complete. - -During compilation, the compiler identifies all indirect calls/jumps and adds CFG checks. It also emits metadata containing the relative addresses of all address-taken functions. At runtime, if the binary is run on a CFG-aware operating system, the loader uses the CFG metadata to generate a bitmap of the address space and marks those addresses that contain valid targets. On each indirect call, the inserted check determines whether the target address is marked in this bitmap. If the target is not valid, the process is terminated. - -In terms of interoperability: -- Code compiled with CFG enabled can be linked with libraries and object files that are not compiled with CFG. In this case, a CFG-aware linker can identify address-taken functions in the non-CFG libraries. -- Libraries compiled with CFG can linked into non-CFG programs. In this case, the CFG runtime checks in the libraries are not used (i.e. the mitigation is completely disabled). - -CFG functionality is completely implemented in the LLVM backend and is supported for X86 (32-bit and 64-bit), ARM, and Aarch64 targets. The rustc flag adds the relevant LLVM module flags to enable the feature. This flag will be ignored for all non-Windows targets. - - -## When to use Control Flow Guard - -The primary motivation for enabling CFG in Rust is to enhance security when linking against non-Rust code, especially C/C++ code. To achieve full CFG protection, all indirect calls (including any from Rust code) must have the appropriate CFG checks, as added by this flag. CFG can also improve security for Rust code that uses the `unsafe` keyword. - -Another motivation behind CFG is to harden programs against [return-oriented programming (ROP)](https://en.wikipedia.org/wiki/Return-oriented_programming) attacks. CFG disallows an attacker from taking advantage of the program's own instructions while redirecting control flow in unexpected ways. - -## Overhead of Control Flow Guard - -The CFG checks and metadata can potentially increase binary size and runtime overhead. The magnitude of any increase depends on the number and frequency of indirect calls. For example, enabling CFG for the Rust standard library increases binary size by approximately 0.14%. Enabling CFG in the SPEC CPU 2017 Integer Speed benchmark suite (compiled with Clang/LLVM) incurs approximate runtime overheads of between 0% and 8%, with a geometric mean of 2.9%. - - -## Testing Control Flow Guard - -The rustc flag `-Z control-flow-guard=nochecks` instructs LLVM to emit the list of valid call targets without inserting runtime checks. This flag should only be used for testing purposes as it does not provide security enforcement. - - -## Control Flow Guard in libraries - -It is strongly recommended to also enable CFG checks for all linked libraries, including the standard library. - -To enable CFG in the standard library, use the [cargo `-Z build-std` functionality][build-std] to recompile the standard library with the same configuration options as the main program. - -[build-std]: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#build-std - -For example: -```cmd -rustup toolchain install --force nightly -rustup component add rust-src -SET RUSTFLAGS=-Z control-flow-guard -cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc -``` - -```PowerShell -rustup toolchain install --force nightly -rustup component add rust-src -$Env:RUSTFLAGS = "-Z control-flow-guard" -cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc -``` - -Alternatively, if you are building the standard library from source, you can set `control-flow-guard = true` in the config.toml file. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/debug_info_for_profiling.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/debug_info_for_profiling.md deleted file mode 100644 index 44bd3baeeedf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/debug_info_for_profiling.md +++ /dev/null @@ -1,35 +0,0 @@ -# `debug-info-for-profiling - ---- - -## Introduction - -Automatic Feedback Directed Optimization (AFDO) is a method for using sampling -based profiles to guide optimizations. This is contrasted with other methods of -FDO or profile-guided optimization (PGO) which use instrumented profiling. - -Unlike PGO (controlled by the `rustc` flags `-Cprofile-generate` and -`-Cprofile-use`), a binary being profiled does not perform significantly worse, -and thus it's possible to profile binaries used in real workflows and not -necessary to construct artificial workflows. - -## Use - -In order to use AFDO, the target platform must be Linux running on an `x86_64` -architecture with the performance profiler `perf` available. In addition, the -external tool `create_llvm_prof` from [this repository] must be used. - -Given a Rust file `main.rs`, we can produce an optimized binary as follows: - -```shell -rustc -O -Zdebug-info-for-profiling main.rs -o main -perf record -b ./main -create_llvm_prof --binary=main --out=code.prof -rustc -O -Zprofile-sample-use=code.prof main.rs -o main2 -``` - -The `perf` command produces a profile `perf.data`, which is then used by the -`create_llvm_prof` command to create `code.prof`. This final profile is then -used by `rustc` to guide optimizations in producing the binary `main2`. - -[this repository]: https://github.com/google/autofdo diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/emit-stack-sizes.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/emit-stack-sizes.md deleted file mode 100644 index 47f45a0b91f8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/emit-stack-sizes.md +++ /dev/null @@ -1,167 +0,0 @@ -# `emit-stack-sizes` - -The tracking issue for this feature is: [#54192] - -[#54192]: https://github.com/rust-lang/rust/issues/54192 - ------------------------- - -The rustc flag `-Z emit-stack-sizes` makes LLVM emit stack size metadata. - -> **NOTE**: This LLVM feature only supports the ELF object format as of LLVM -> 8.0. Using this flag with targets that use other object formats (e.g. macOS -> and Windows) will result in it being ignored. - -Consider this crate: - -``` -#![crate_type = "lib"] - -use std::ptr; - -pub fn foo() { - // this function doesn't use the stack -} - -pub fn bar() { - let xs = [0u32; 2]; - - // force LLVM to allocate `xs` on the stack - unsafe { ptr::read_volatile(&xs.as_ptr()); } -} -``` - -Using the `-Z emit-stack-sizes` flag produces extra linker sections in the -output *object file*. - -``` console -$ rustc -C opt-level=3 --emit=obj foo.rs - -$ size -A foo.o -foo.o : -section size addr -.text 0 0 -.text._ZN3foo3foo17he211d7b4a3a0c16eE 1 0 -.text._ZN3foo3bar17h1acb594305f70c2eE 22 0 -.note.GNU-stack 0 0 -.eh_frame 72 0 -Total 95 - -$ rustc -C opt-level=3 --emit=obj -Z emit-stack-sizes foo.rs - -$ size -A foo.o -foo.o : -section size addr -.text 0 0 -.text._ZN3foo3foo17he211d7b4a3a0c16eE 1 0 -.stack_sizes 9 0 -.text._ZN3foo3bar17h1acb594305f70c2eE 22 0 -.stack_sizes 9 0 -.note.GNU-stack 0 0 -.eh_frame 72 0 -Total 113 -``` - -As of LLVM 7.0 the data will be written into a section named `.stack_sizes` and -the format is "an array of pairs of function symbol values (pointer size) and -stack sizes (unsigned LEB128)". - -``` console -$ objdump -d foo.o - -foo.o: file format elf64-x86-64 - -Disassembly of section .text._ZN3foo3foo17he211d7b4a3a0c16eE: - -0000000000000000 <_ZN3foo3foo17he211d7b4a3a0c16eE>: - 0: c3 retq - -Disassembly of section .text._ZN3foo3bar17h1acb594305f70c2eE: - -0000000000000000 <_ZN3foo3bar17h1acb594305f70c2eE>: - 0: 48 83 ec 10 sub $0x10,%rsp - 4: 48 8d 44 24 08 lea 0x8(%rsp),%rax - 9: 48 89 04 24 mov %rax,(%rsp) - d: 48 8b 04 24 mov (%rsp),%rax - 11: 48 83 c4 10 add $0x10,%rsp - 15: c3 retq - -$ objdump -s -j .stack_sizes foo.o - -foo.o: file format elf64-x86-64 - -Contents of section .stack_sizes: - 0000 00000000 00000000 00 ......... -Contents of section .stack_sizes: - 0000 00000000 00000000 10 ......... -``` - -It's important to note that linkers will discard this linker section by default. -To preserve the section you can use a linker script like the one shown below. - -``` text -/* file: keep-stack-sizes.x */ -SECTIONS -{ - /* `INFO` makes the section not allocatable so it won't be loaded into memory */ - .stack_sizes (INFO) : - { - KEEP(*(.stack_sizes)); - } -} -``` - -The linker script must be passed to the linker using a rustc flag like `-C -link-arg`. - -``` -// file: src/main.rs -use std::ptr; - -#[inline(never)] -fn main() { - let xs = [0u32; 2]; - - // force LLVM to allocate `xs` on the stack - unsafe { ptr::read_volatile(&xs.as_ptr()); } -} -``` - -``` console -$ RUSTFLAGS="-Z emit-stack-sizes" cargo build --release - -$ size -A target/release/hello | grep stack_sizes || echo section was not found -section was not found - -$ RUSTFLAGS="-Z emit-stack-sizes" cargo rustc --release -- \ - -C link-arg=-Wl,-Tkeep-stack-sizes.x \ - -C link-arg=-N - -$ size -A target/release/hello | grep stack_sizes -.stack_sizes 90 176272 - -$ # non-allocatable section (flags don't contain the "A" (alloc) flag) -$ readelf -S target/release/hello -Section Headers: - [Nr] Name Type Address Offset - Size EntSize Flags Link Info Align -(..) - [1031] .stack_sizes PROGBITS 000000000002b090 0002b0f0 - 000000000000005a 0000000000000000 L 5 0 1 - -$ objdump -s -j .stack_sizes target/release/hello - -target/release/hello: file format elf64-x86-64 - -Contents of section .stack_sizes: - 2b090 c0040000 00000000 08f00400 00000000 ................ - 2b0a0 00080005 00000000 00000810 05000000 ................ - 2b0b0 00000000 20050000 00000000 10400500 .... ........@.. - 2b0c0 00000000 00087005 00000000 00000080 ......p......... - 2b0d0 05000000 00000000 90050000 00000000 ................ - 2b0e0 00a00500 00000000 0000 .......... -``` - -> Author note: I'm not entirely sure why, in *this* case, `-N` is required in -> addition to `-Tkeep-stack-sizes.x`. For example, it's not required when -> producing statically linked files for the ARM Cortex-M architecture. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/extern-location.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/extern-location.md deleted file mode 100644 index 1c80d5426bf7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/extern-location.md +++ /dev/null @@ -1,31 +0,0 @@ -# `extern-location` - -MCP for this feature: [#303] - -[#303]: https://github.com/rust-lang/compiler-team/issues/303 - ------------------------- - -The `unused-extern-crates` lint reports when a crate was specified on the rustc -command-line with `--extern name=path` but no symbols were referenced in it. -This is useful to know, but it's hard to map that back to a specific place a user -or tool could fix (ie, to remove the unused dependency). - -The `--extern-location` flag allows the build system to associate a location with -the `--extern` option, which is then emitted as part of the diagnostics. This location -is abstract and just round-tripped through rustc; the compiler never attempts to -interpret it in any way. - -There are two supported forms of location: a bare string, or a blob of json: -- `--extern-location foo=raw:Makefile:123` would associate the raw string `Makefile:123` -- `--extern-location 'bar=json:{"target":"//my_project:library","dep":"//common:serde"}` would - associate the json structure with `--extern bar=`, indicating which dependency of - which rule introduced the unused extern crate. - -This primarily intended to be used with tooling - for example a linter which can automatically -remove unused dependencies - rather than being directly presented to users. - -`raw` locations are presented as part of the normal rendered diagnostics and included in -the json form. `json` locations are only included in the json form of diagnostics, -as a `tool_metadata` field. For `raw` locations `tool_metadata` is simply a json string, -whereas `json` allows the rustc invoker to fully control its form and content. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/img/llvm-cov-show-01.png b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/img/llvm-cov-show-01.png deleted file mode 100644 index 35f04594347a..000000000000 Binary files a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/img/llvm-cov-show-01.png and /dev/null differ diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/instrument-coverage.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/instrument-coverage.md deleted file mode 100644 index 39eb407269c1..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/instrument-coverage.md +++ /dev/null @@ -1,346 +0,0 @@ -# `instrument-coverage` - -The tracking issue for this feature is: [#79121]. - -[#79121]: https://github.com/rust-lang/rust/issues/79121 - ---- - -## Introduction - -The Rust compiler includes two code coverage implementations: - -- A GCC-compatible, gcov-based coverage implementation, enabled with `-Z profile`, which derives coverage data based on DebugInfo. -- A source-based code coverage implementation, enabled with `-Z instrument-coverage`, which uses LLVM's native, efficient coverage instrumentation to generate very precise coverage data. - -This document describes how to enable and use the LLVM instrumentation-based coverage, via the `-Z instrument-coverage` compiler flag. - -## How it works - -When `-Z instrument-coverage` is enabled, the Rust compiler enhances rust-based libraries and binaries by: - -- Automatically injecting calls to an LLVM intrinsic ([`llvm.instrprof.increment`]), at functions and branches in compiled code, to increment counters when conditional sections of code are executed. -- Embedding additional information in the data section of each library and binary (using the [LLVM Code Coverage Mapping Format] _Version 5_, if compiling with LLVM 12, or _Version 6_, if compiling with LLVM 13 or higher), to define the code regions (start and end positions in the source code) being counted. - -When running a coverage-instrumented program, the counter values are written to a `profraw` file at program termination. LLVM bundles tools that read the counter results, combine those results with the coverage map (embedded in the program binary), and generate coverage reports in multiple formats. - -[`llvm.instrprof.increment`]: https://llvm.org/docs/LangRef.html#llvm-instrprof-increment-intrinsic -[llvm code coverage mapping format]: https://llvm.org/docs/CoverageMappingFormat.html - -> **Note**: `-Z instrument-coverage` also automatically enables `-C symbol-mangling-version=v0` (tracking issue [#60705]). The `v0` symbol mangler is strongly recommended, but be aware that this demangler is also experimental. The `v0` demangler can be overridden by explicitly adding `-Z unstable-options -C symbol-mangling-version=legacy`. - -[#60705]: https://github.com/rust-lang/rust/issues/60705 - -## Enable coverage profiling in the Rust compiler - -Rust's source-based code coverage requires the Rust "profiler runtime". Without it, compiling with `-Z instrument-coverage` generates an error that the profiler runtime is missing. - -The Rust `nightly` distribution channel includes the profiler runtime, by default. - -> **Important**: If you are building the Rust compiler from the source distribution, the profiler runtime is _not_ enabled in the default `config.toml.example`. Edit your `config.toml` file and ensure the `profiler` feature is set it to `true` (either under the `[build]` section, or under the settings for an individual `[target.]`): -> -> ```toml -> # Build the profiler runtime (required when compiling with options that depend -> # on this runtime, such as `-C profile-generate` or `-Z instrument-coverage`). -> profiler = true -> ``` - -### Building the demangler - -LLVM coverage reporting tools generate results that can include function names and other symbol references, and the raw coverage results report symbols using the compiler's "mangled" version of the symbol names, which can be difficult to interpret. To work around this issue, LLVM coverage tools also support a user-specified symbol name demangler. - -One option for a Rust demangler is [`rustfilt`], which can be installed with: - -```shell -cargo install rustfilt -``` - -Another option, if you are building from the Rust compiler source distribution, is to use the `rust-demangler` tool included in the Rust source distribution, which can be built with: - -```shell -$ ./x.py build rust-demangler -``` - -[`rustfilt`]: https://crates.io/crates/rustfilt - -## Compiling with coverage enabled - -Set the `-Z instrument-coverage` compiler flag in order to enable LLVM source-based code coverage profiling. - -The default option generates coverage for all functions, including unused (never called) functions and generics. The compiler flag supports an optional value to tailor this behavior. (See [`-Z instrument-coverage=`](#-z-instrument-coverageoptions), below.) - -With `cargo`, you can instrument your program binary _and_ dependencies at the same time. - -For example (if your project's Cargo.toml builds a binary by default): - -```shell -$ cd your-project -$ cargo clean -$ RUSTFLAGS="-Z instrument-coverage" cargo build -``` - -If `cargo` is not configured to use your `profiler`-enabled version of `rustc`, set the path explicitly via the `RUSTC` environment variable. Here is another example, using a `stage1` build of `rustc` to compile an `example` binary (from the [`json5format`] crate): - -```shell -$ RUSTC=$HOME/rust/build/x86_64-unknown-linux-gnu/stage1/bin/rustc \ - RUSTFLAGS="-Z instrument-coverage" \ - cargo build --example formatjson5 -``` - -> **Note**: that some compiler options, combined with `-Z instrument-coverage`, can produce LLVM IR and/or linked binaries that are incompatible with LLVM coverage maps. For example, coverage requires references to actual functions in LLVM IR. If any covered function is optimized out, the coverage tools may not be able to process the coverage results. If you need to pass additional options, with coverage enabled, test them early, to confirm you will get the coverage results you expect. - -## Running the instrumented binary to generate raw coverage profiling data - -In the previous example, `cargo` generated the coverage-instrumented binary `formatjson5`: - -```shell -$ echo "{some: 'thing'}" | target/debug/examples/formatjson5 - -``` - -```json5 -{ - some: "thing", -} -``` - -After running this program, a new file, `default.profraw`, should be in the current working directory. It's often preferable to set a specific file name or path. You can change the output file using the environment variable `LLVM_PROFILE_FILE`: - -```shell -$ echo "{some: 'thing'}" \ - | LLVM_PROFILE_FILE="formatjson5.profraw" target/debug/examples/formatjson5 - -... -$ ls formatjson5.profraw -formatjson5.profraw -``` - -If `LLVM_PROFILE_FILE` contains a path to a non-existent directory, the missing directory structure will be created. Additionally, the following special pattern strings are rewritten: - -- `%p` - The process ID. -- `%h` - The hostname of the machine running the program. -- `%t` - The value of the TMPDIR environment variable. -- `%Nm` - the instrumented binary’s signature: The runtime creates a pool of N raw profiles, used for on-line profile merging. The runtime takes care of selecting a raw profile from the pool, locking it, and updating it before the program exits. `N` must be between `1` and `9`, and defaults to `1` if omitted (with simply `%m`). -- `%c` - Does not add anything to the filename, but enables a mode (on some platforms, including Darwin) in which profile counter updates are continuously synced to a file. This means that if the instrumented program crashes, or is killed by a signal, perfect coverage information can still be recovered. - -## Installing LLVM coverage tools - -LLVM's supplies two tools—`llvm-profdata` and `llvm-cov`—that process coverage data and generate reports. There are several ways to find and/or install these tools, but note that the coverage mapping data generated by the Rust compiler requires LLVM version 12 or higher. (`llvm-cov --version` typically shows the tool's LLVM version number.): - -- The LLVM tools may be installed (or installable) directly to your OS (such as via `apt-get`, for Linux). -- If you are building the Rust compiler from source, you can optionally use the bundled LLVM tools, built from source. Those tool binaries can typically be found in your build platform directory at something like: `rust/build/x86_64-unknown-linux-gnu/llvm/bin/llvm-*`. -- You can install compatible versions of these tools via `rustup`. - -The `rustup` option is guaranteed to install a compatible version of the LLVM tools, but they can be hard to find. We recommend [`cargo-binutils`], which installs Rust-specific wrappers around these and other LLVM tools, so you can invoke them via `cargo` commands! - -```shell -$ rustup component add llvm-tools-preview -$ cargo install cargo-binutils -$ cargo profdata -- --help # note the additional "--" preceding the tool-specific arguments -``` - -[`cargo-binutils`]: https://crates.io/crates/cargo-binutils - -## Creating coverage reports - -Raw profiles have to be indexed before they can be used to generate coverage reports. This is done using [`llvm-profdata merge`] (or `cargo profdata -- merge`), which can combine multiple raw profiles and index them at the same time: - -```shell -$ llvm-profdata merge -sparse formatjson5.profraw -o formatjson5.profdata -``` - -Finally, the `.profdata` file is used, in combination with the coverage map (from the program binary) to generate coverage reports using [`llvm-cov report`] (or `cargo cov -- report`), for a coverage summaries; and [`llvm-cov show`] (or `cargo cov -- show`), to see detailed coverage of lines and regions (character ranges) overlaid on the original source code. - -These commands have several display and filtering options. For example: - -```shell -$ llvm-cov show -Xdemangler=rustfilt target/debug/examples/formatjson5 \ - -instr-profile=formatjson5.profdata \ - -show-line-counts-or-regions \ - -show-instantiations \ - -name=add_quoted_string -``` - -Screenshot of sample `llvm-cov show` result, for function add_quoted_string -
-
- -Some of the more notable options in this example include: - -- `--Xdemangler=rustfilt` - the command name or path used to demangle Rust symbols (`rustfilt` in the example, but this could also be a path to the `rust-demangler` tool) -- `target/debug/examples/formatjson5` - the instrumented binary (from which to extract the coverage map) -- `--instr-profile=.profdata` - the location of the `.profdata` file created by `llvm-profdata merge` (from the `.profraw` file generated by the instrumented binary) -- `--name=` - to show coverage for a specific function (or, consider using another filter option, such as `--name-regex=`) - -[`llvm-profdata merge`]: https://llvm.org/docs/CommandGuide/llvm-profdata.html#profdata-merge -[`llvm-cov report`]: https://llvm.org/docs/CommandGuide/llvm-cov.html#llvm-cov-report -[`llvm-cov show`]: https://llvm.org/docs/CommandGuide/llvm-cov.html#llvm-cov-show - -> **Note**: Coverage can also be disabled on an individual function by annotating the function with the [`no_coverage` attribute] (which requires the feature flag `#![feature(no_coverage)]`). - -[`no_coverage` attribute]: ../language-features/no-coverage.md - -## Interpreting reports - -There are four statistics tracked in a coverage summary: - -- Function coverage is the percentage of functions that have been executed at least once. A function is considered to be executed if any of its instantiations are executed. -- Instantiation coverage is the percentage of function instantiations that have been executed at least once. Generic functions and functions generated from macros are two kinds of functions that may have multiple instantiations. -- Line coverage is the percentage of code lines that have been executed at least once. Only executable lines within function bodies are considered to be code lines. -- Region coverage is the percentage of code regions that have been executed at least once. A code region may span multiple lines: for example, in a large function body with no control flow. In other cases, a single line can contain multiple code regions: `return x || (y && z)` has countable code regions for `x` (which may resolve the expression, if `x` is `true`), `|| (y && z)` (executed only if `x` was `false`), and `return` (executed in either situation). - -Of these four statistics, function coverage is usually the least granular while region coverage is the most granular. The project-wide totals for each statistic are listed in the summary. - -## Test coverage - -A typical use case for coverage analysis is test coverage. Rust's source-based coverage tools can both measure your tests' code coverage as percentage, and pinpoint functions and branches not tested. - -The following example (using the [`json5format`] crate, for demonstration purposes) show how to generate and analyze coverage results for all tests in a crate. - -Since `cargo test` both builds and runs the tests, we set both the additional `RUSTFLAGS`, to add the `-Z instrument-coverage` flag, and `LLVM_PROFILE_FILE`, to set a custom filename for the raw profiling data generated during the test runs. Since there may be more than one test binary, apply `%m` in the filename pattern. This generates unique names for each test binary. (Otherwise, each executed test binary would overwrite the coverage results from the previous binary.) - -```shell -$ RUSTFLAGS="-Z instrument-coverage" \ - LLVM_PROFILE_FILE="json5format-%m.profraw" \ - cargo test --tests -``` - -Make note of the test binary file paths, displayed after the word "`Running`" in the test output: - -```text - ... - Compiling json5format v0.1.3 ($HOME/json5format) - Finished test [unoptimized + debuginfo] target(s) in 14.60s - - Running target/debug/deps/json5format-fececd4653271682 -running 25 tests -... -test result: ok. 25 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out - - Running target/debug/deps/lib-30768f9c53506dc5 -running 31 tests -... -test result: ok. 31 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out -``` - -You should have one or more `.profraw` files now, one for each test binary. Run the `profdata` tool to merge them: - -```shell -$ cargo profdata -- merge \ - -sparse json5format-*.profraw -o json5format.profdata -``` - -Then run the `cov` tool, with the `profdata` file and all test binaries: - -```shell -$ cargo cov -- report \ - --use-color --ignore-filename-regex='/.cargo/registry' \ - --instr-profile=json5format.profdata \ - --object target/debug/deps/lib-30768f9c53506dc5 \ - --object target/debug/deps/json5format-fececd4653271682 -$ cargo cov -- show \ - --use-color --ignore-filename-regex='/.cargo/registry' \ - --instr-profile=json5format.profdata \ - --object target/debug/deps/lib-30768f9c53506dc5 \ - --object target/debug/deps/json5format-fececd4653271682 \ - --show-instantiations --show-line-counts-or-regions \ - --Xdemangler=rustfilt | less -R -``` - -> **Note**: The command line option `--ignore-filename-regex=/.cargo/registry`, which excludes the sources for dependencies from the coverage results.\_ - -### Tips for listing the binaries automatically - -For `bash` users, one suggested way to automatically complete the `cov` command with the list of binaries is with a command like: - -```bash -$ cargo cov -- report \ - $( \ - for file in \ - $( \ - RUSTFLAGS="-Z instrument-coverage" \ - cargo test --tests --no-run --message-format=json \ - | jq -r "select(.profile.test == true) | .filenames[]" \ - | grep -v dSYM - \ - ); \ - do \ - printf "%s %s " -object $file; \ - done \ - ) \ - --instr-profile=json5format.profdata --summary-only # and/or other options -``` - -Adding `--no-run --message-format=json` to the _same_ `cargo test` command used to run -the tests (including the same environment variables and flags) generates output in a JSON -format that `jq` can easily query. - -The `printf` command takes this list and generates the `--object ` arguments -for each listed test binary. - -### Including doc tests - -The previous examples run `cargo test` with `--tests`, which excludes doc tests.[^79417] - -To include doc tests in the coverage results, drop the `--tests` flag, and apply the -`-Z instrument-coverage` flag, and some doc-test-specific options in the -`RUSTDOCFLAGS` environment variable. (The `cargo profdata` command does not change.) - -```bash -$ RUSTFLAGS="-Z instrument-coverage" \ - RUSTDOCFLAGS="-Z instrument-coverage -Z unstable-options --persist-doctests target/debug/doctestbins" \ - LLVM_PROFILE_FILE="json5format-%m.profraw" \ - cargo test -$ cargo profdata -- merge \ - -sparse json5format-*.profraw -o json5format.profdata -``` - -The `-Z unstable-options --persist-doctests` flag is required, to save the test binaries -(with their coverage maps) for `llvm-cov`. - -```bash -$ cargo cov -- report \ - $( \ - for file in \ - $( \ - RUSTFLAGS="-Z instrument-coverage" \ - RUSTDOCFLAGS="-Z instrument-coverage -Z unstable-options --persist-doctests target/debug/doctestbins" \ - cargo test --no-run --message-format=json \ - | jq -r "select(.profile.test == true) | .filenames[]" \ - | grep -v dSYM - \ - ) \ - target/debug/doctestbins/*/rust_out; \ - do \ - [[ -x $file ]] && printf "%s %s " -object $file; \ - done \ - ) \ - --instr-profile=json5format.profdata --summary-only # and/or other options -``` - -> **Note**: The differences in this `cargo cov` command, compared with the version without -> doc tests, include: - -- The `cargo test ... --no-run` command is updated with the same environment variables - and flags used to _build_ the tests, _including_ the doc tests. (`LLVM_PROFILE_FILE` - is only used when _running_ the tests.) -- The file glob pattern `target/debug/doctestbins/*/rust_out` adds the `rust_out` - binaries generated for doc tests (note, however, that some `rust_out` files may not - be executable binaries). -- `[[ -x $file ]] &&` filters the files passed on to the `printf`, to include only - executable binaries. - -[^79417]: - There is ongoing work to resolve a known issue - [(#79417)](https://github.com/rust-lang/rust/issues/79417) that doc test coverage - generates incorrect source line numbers in `llvm-cov show` results. - -## `-Z instrument-coverage=` - -- `-Z instrument-coverage=all`: Instrument all functions, including unused functions and unused generics. (This is the same as `-Z instrument-coverage`, with no value.) -- `-Z instrument-coverage=except-unused-generics`: Instrument all functions except unused generics. -- `-Z instrument-coverage=except-unused-functions`: Instrument only used (called) functions and instantiated generic functions. -- `-Z instrument-coverage=off`: Do not instrument any functions. (This is the same as simply not including the `-Z instrument-coverage` option.) - -## Other references - -Rust's implementation and workflow for source-based code coverage is based on the same library and tools used to implement [source-based code coverage in Clang]. (This document is partially based on the Clang guide.) - -[source-based code coverage in clang]: https://clang.llvm.org/docs/SourceBasedCodeCoverage.html -[`json5format`]: https://crates.io/crates/json5format diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/location-detail.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/location-detail.md deleted file mode 100644 index 08d937cc2820..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/location-detail.md +++ /dev/null @@ -1,43 +0,0 @@ -# `location-detail` - -The tracking issue for this feature is: [#70580](https://github.com/rust-lang/rust/issues/70580). - ------------------------- - -Option `-Z location-detail=val` controls what location details are tracked when -using `caller_location`. This allows users to control what location details -are printed as part of panic messages, by allowing them to exclude any combination -of filenames, line numbers, and column numbers. This option is intended to provide -users with a way to mitigate the size impact of `#[track_caller]`. - -This option supports a comma separated list of location details to be included. Valid options -within this list are: - -- `file` - the filename of the panic will be included in the panic output -- `line` - the source line of the panic will be included in the panic output -- `column` - the source column of the panic will be included in the panic output - -Any combination of these three options are supported. If this option is not specified, -all three are included by default. - -An example of a panic output when using `-Z location-detail=line`: -```text -panicked at 'Process blink had a fault', :323:0 -``` - -The code size savings from this option are two-fold. First, the `&'static str` values -for each path to a file containing a panic are removed from the binary. For projects -with deep directory structures and many files with panics, this can add up. This category -of savings can only be realized by excluding filenames from the panic output. Second, -savings can be realized by allowing multiple panics to be fused into a single panicking -branch. It is often the case that within a single file, multiple panics with the same -panic message exist -- e.g. two calls to `Option::unwrap()` in a single line, or -two calls to `Result::expect()` on adjacent lines. If column and line information -are included in the `Location` struct passed to the panic handler, these branches cannot -be fused, as the output is different depending on which panic occurs. However if line -and column information is identical for all panics, these branches can be fused, which -can lead to substantial code size savings, especially for small embedded binaries with -many panics. - -The savings from this option are amplified when combined with the use of `-Zbuild-std`, as -otherwise paths for panics within the standard library are still included in your binary. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/move-size-limit.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/move-size-limit.md deleted file mode 100644 index 88f022af2ecf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/move-size-limit.md +++ /dev/null @@ -1,10 +0,0 @@ -# `move_size_limit` - --------------------- - -The `-Zmove-size-limit=N` compiler flag enables `large_assignments` lints which -will warn when moving objects whose size exceeds `N` bytes. - -Lint warns only about moves in functions that participate in code generation. -Consequently it will be ineffective for compiler invocatation that emit -metadata only, i.e., `cargo check` like workflows. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/no-unique-section-names.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/no-unique-section-names.md deleted file mode 100644 index 5c1c7cda7013..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/no-unique-section-names.md +++ /dev/null @@ -1,9 +0,0 @@ -# `no-unique-section-names` - ------------------------- - -This flag currently applies only to ELF-based targets using the LLVM codegen backend. It prevents the generation of unique ELF section names for each separate code and data item when `-Z function-sections` is also in use, which is the default for most targets. This option can reduce the size of object files, and depending on the linker, the final ELF binary as well. - -For example, a function `func` will by default generate a code section called `.text.func`. Normally this is fine because the linker will merge all those `.text.*` sections into a single one in the binary. However, starting with [LLVM 12](https://github.com/llvm/llvm-project/commit/ee5d1a04), the backend will also generate unique section names for exception handling, so you would see a section name of `.gcc_except_table.func` in the object file and potentially in the final ELF binary, which could add significant bloat to programs that contain many functions. - -This flag instructs LLVM to use the same `.text` and `.gcc_except_table` section name for each function, and it is analogous to Clang's `-fno-unique-section-names` option. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile.md deleted file mode 100644 index 71303bfaff20..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile.md +++ /dev/null @@ -1,27 +0,0 @@ -# `profile` - -The tracking issue for this feature is: [#42524](https://github.com/rust-lang/rust/issues/42524). - ------------------------- - -This feature allows the generation of code coverage reports. - -Set the `-Zprofile` compiler flag in order to enable gcov profiling. - -For example: -```Bash -cargo new testgcov --bin -cd testgcov -export RUSTFLAGS="-Zprofile -Ccodegen-units=1 -Copt-level=0 -Clink-dead-code -Coverflow-checks=off -Zpanic_abort_tests -Cpanic=abort" -export CARGO_INCREMENTAL=0 -cargo build -cargo run -``` - -Once you've built and run your program, files with the `gcno` (after build) and `gcda` (after execution) extensions will be created. -You can parse them with [llvm-cov gcov](https://llvm.org/docs/CommandGuide/llvm-cov.html#llvm-cov-gcov) or [grcov](https://github.com/mozilla/grcov). - -Please note that `RUSTFLAGS` by default applies to everything that cargo builds and runs during a build! -When the `--target` flag is explicitly passed to cargo, the `RUSTFLAGS` no longer apply to build scripts and procedural macros. -For more fine-grained control consider passing a `RUSTC_WRAPPER` program to cargo that only adds the profiling flags to -rustc for the specific crates you want to profile. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile_sample_use.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile_sample_use.md deleted file mode 100644 index ce894ce6ac7f..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile_sample_use.md +++ /dev/null @@ -1,10 +0,0 @@ -# `profile-sample-use - ---- - -`-Zprofile-sample-use=code.prof` directs `rustc` to use the profile -`code.prof` as a source for Automatic Feedback Directed Optimization (AFDO). -See the documentation of [`-Zdebug-info-for-profiling`] for more information -on using AFDO. - -[`-Zdebug-info-for-profiling`]: debug_info_for_profiling.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/remap-cwd-prefix.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/remap-cwd-prefix.md deleted file mode 100644 index 977d258529f8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/remap-cwd-prefix.md +++ /dev/null @@ -1,24 +0,0 @@ -# `remap-cwd-prefix` - -The tracking issue for this feature is: [#87325](https://github.com/rust-lang/rust/issues/87325). - ------------------------- - -This flag will rewrite absolute paths under the current working directory, -replacing the current working directory prefix with a specified value. - -The given value may be absolute or relative, or empty. This switch takes -precidence over `--remap-path-prefix` in case they would both match a given -path. - -This flag helps to produce deterministic output, by removing the current working -directory from build output, while allowing the command line to be universally -reproducible, such that the same execution will work on all machines, regardless -of build environment. - -## Example -```sh -# This would produce an absolute path to main.rs in build outputs of -# "./main.rs". -rustc -Z remap-cwd-prefix=. main.rs -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/report-time.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/report-time.md deleted file mode 100644 index ac0093f77aec..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/report-time.md +++ /dev/null @@ -1,80 +0,0 @@ -# `report-time` - -The tracking issue for this feature is: [#64888] - -[#64888]: https://github.com/rust-lang/rust/issues/64888 - ------------------------- - -The `report-time` feature adds a possibility to report execution time of the -tests generated via `libtest`. - -This is unstable feature, so you have to provide `-Zunstable-options` to get -this feature working. - -Sample usage command: - -```sh -./test_executable -Zunstable-options --report-time -``` - -Available options: - -```sh ---report-time [plain|colored] - Show execution time of each test. Available values: - plain = do not colorize the execution time (default); - colored = colorize output according to the `color` - parameter value; - Threshold values for colorized output can be - configured via - `RUST_TEST_TIME_UNIT`, `RUST_TEST_TIME_INTEGRATION` - and - `RUST_TEST_TIME_DOCTEST` environment variables. - Expected format of environment variable is - `VARIABLE=WARN_TIME,CRITICAL_TIME`. - Not available for --format=terse ---ensure-time - Treat excess of the test execution time limit as - error. - Threshold values for this option can be configured via - `RUST_TEST_TIME_UNIT`, `RUST_TEST_TIME_INTEGRATION` - and - `RUST_TEST_TIME_DOCTEST` environment variables. - Expected format of environment variable is - `VARIABLE=WARN_TIME,CRITICAL_TIME`. - `CRITICAL_TIME` here means the limit that should not be - exceeded by test. -``` - -Example of the environment variable format: - -```sh -RUST_TEST_TIME_UNIT=100,200 -``` - -where 100 stands for warn time, and 200 stands for critical time. - -## Examples - -```sh -cargo test --tests -- -Zunstable-options --report-time - Finished dev [unoptimized + debuginfo] target(s) in 0.02s - Running target/debug/deps/example-27fb188025bec02c - -running 3 tests -test tests::unit_test_quick ... ok <0.000s> -test tests::unit_test_warn ... ok <0.055s> -test tests::unit_test_critical ... ok <0.110s> - -test result: ok. 3 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out - - Running target/debug/deps/tests-cedb06f6526d15d9 - -running 3 tests -test unit_test_quick ... ok <0.000s> -test unit_test_warn ... ok <0.550s> -test unit_test_critical ... ok <1.100s> - -test result: ok. 3 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/sanitizer.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/sanitizer.md deleted file mode 100644 index d630f4ecb7b2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/sanitizer.md +++ /dev/null @@ -1,594 +0,0 @@ -# `sanitizer` - -The tracking issues for this feature are: - -* [#39699](https://github.com/rust-lang/rust/issues/39699). -* [#89653](https://github.com/rust-lang/rust/issues/89653). - ------------------------- - -This feature allows for use of one of following sanitizers: - -* [AddressSanitizer][clang-asan] a fast memory error detector. -* [ControlFlowIntegrity][clang-cfi] LLVM Control Flow Integrity (CFI) provides - forward-edge control flow protection. -* [HWAddressSanitizer][clang-hwasan] a memory error detector similar to - AddressSanitizer, but based on partial hardware assistance. -* [LeakSanitizer][clang-lsan] a run-time memory leak detector. -* [MemorySanitizer][clang-msan] a detector of uninitialized reads. -* [ThreadSanitizer][clang-tsan] a fast data race detector. - -To enable a sanitizer compile with `-Zsanitizer=address`,`-Zsanitizer=cfi`, -`-Zsanitizer=hwaddress`, `-Zsanitizer=leak`, `-Zsanitizer=memory` or -`-Zsanitizer=thread`. - -# AddressSanitizer - -AddressSanitizer is a memory error detector. It can detect the following types -of bugs: - -* Out of bound accesses to heap, stack and globals -* Use after free -* Use after return (runtime flag `ASAN_OPTIONS=detect_stack_use_after_return=1`) -* Use after scope -* Double-free, invalid free -* Memory leaks - -The memory leak detection is enabled by default on Linux, and can be enabled -with runtime flag `ASAN_OPTIONS=detect_leaks=1` on macOS. - -AddressSanitizer is supported on the following targets: - -* `aarch64-apple-darwin` -* `aarch64-fuchsia` -* `aarch64-unknown-linux-gnu` -* `x86_64-apple-darwin` -* `x86_64-fuchsia` -* `x86_64-unknown-freebsd` -* `x86_64-unknown-linux-gnu` - -AddressSanitizer works with non-instrumented code although it will impede its -ability to detect some bugs. It is not expected to produce false positive -reports. - -## Examples - -Stack buffer overflow: - -```rust -fn main() { - let xs = [0, 1, 2, 3]; - let _y = unsafe { *xs.as_ptr().offset(4) }; -} -``` - -```shell -$ export RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -==37882==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe400e6250 at pc 0x5609a841fb20 bp 0x7ffe400e6210 sp 0x7ffe400e6208 -READ of size 4 at 0x7ffe400e6250 thread T0 - #0 0x5609a841fb1f in example::main::h628ffc6626ed85b2 /.../src/main.rs:3:23 - ... - -Address 0x7ffe400e6250 is located in stack of thread T0 at offset 48 in frame - #0 0x5609a841f8af in example::main::h628ffc6626ed85b2 /.../src/main.rs:1 - - This frame has 1 object(s): - [32, 48) 'xs' (line 2) <== Memory access at offset 48 overflows this variable -HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork - (longjmp and C++ exceptions *are* supported) -SUMMARY: AddressSanitizer: stack-buffer-overflow /.../src/main.rs:3:23 in example::main::h628ffc6626ed85b2 -Shadow bytes around the buggy address: - 0x100048014bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -=>0x100048014c40: 00 00 00 00 f1 f1 f1 f1 00 00[f3]f3 00 00 00 00 - 0x100048014c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c70: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00 - 0x100048014c80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 - 0x100048014c90: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc -==37882==ABORTING -``` - -Use of a stack object after its scope has already ended: - -```rust -static mut P: *mut usize = std::ptr::null_mut(); - -fn main() { - unsafe { - { - let mut x = 0; - P = &mut x; - } - std::ptr::write_volatile(P, 123); - } -} -``` - -```shell -$ export RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -================================================================= -==39249==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc7ed3e1a0 at pc 0x55c98b262a8e bp 0x7ffc7ed3e050 sp 0x7ffc7ed3e048 -WRITE of size 8 at 0x7ffc7ed3e1a0 thread T0 - #0 0x55c98b262a8d in core::ptr::write_volatile::he21f1df5a82f329a /.../src/rust/src/libcore/ptr/mod.rs:1048:5 - #1 0x55c98b262cd2 in example::main::h628ffc6626ed85b2 /.../src/main.rs:9:9 - ... - -Address 0x7ffc7ed3e1a0 is located in stack of thread T0 at offset 32 in frame - #0 0x55c98b262bdf in example::main::h628ffc6626ed85b2 /.../src/main.rs:3 - - This frame has 1 object(s): - [32, 40) 'x' (line 6) <== Memory access at offset 32 is inside this variable -HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork - (longjmp and C++ exceptions *are* supported) -SUMMARY: AddressSanitizer: stack-use-after-scope /.../src/rust/src/libcore/ptr/mod.rs:1048:5 in core::ptr::write_volatile::he21f1df5a82f329a -Shadow bytes around the buggy address: - 0x10000fd9fbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 - 0x10000fd9fc10: f8 f8 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -=>0x10000fd9fc30: f1 f1 f1 f1[f8]f3 f3 f3 00 00 00 00 00 00 00 00 - 0x10000fd9fc40: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 - 0x10000fd9fc50: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc60: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 - 0x10000fd9fc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc80: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc -==39249==ABORTING -``` - -# ControlFlowIntegrity - -The LLVM Control Flow Integrity (CFI) support in the Rust compiler initially -provides forward-edge control flow protection for Rust-compiled code only by -aggregating function pointers in groups identified by their number of arguments. - -Forward-edge control flow protection for C or C++ and Rust -compiled code "mixed -binaries" (i.e., for when C or C++ and Rust -compiled code share the same -virtual address space) will be provided in later work by defining and using -compatible type identifiers (see Type metadata in the design document in the -tracking issue [#89653](https://github.com/rust-lang/rust/issues/89653)). - -LLVM CFI can be enabled with -Zsanitizer=cfi and requires LTO (i.e., -Clto). - -## Example - -```text -#![feature(naked_functions)] - -use std::arch::asm; -use std::mem; - -fn add_one(x: i32) -> i32 { - x + 1 -} - -#[naked] -pub extern "C" fn add_two(x: i32) { - // x + 2 preceeded by a landing pad/nop block - unsafe { - asm!( - " - nop - nop - nop - nop - nop - nop - nop - nop - nop - lea rax, [rdi+2] - ret - ", - options(noreturn) - ); - } -} - -fn do_twice(f: fn(i32) -> i32, arg: i32) -> i32 { - f(arg) + f(arg) -} - -fn main() { - let answer = do_twice(add_one, 5); - - println!("The answer is: {}", answer); - - println!("With CFI enabled, you should not see the next answer"); - let f: fn(i32) -> i32 = unsafe { - // Offsets 0-8 make it land in the landing pad/nop block, and offsets 1-8 are - // invalid branch/call destinations (i.e., within the body of the function). - mem::transmute::<*const u8, fn(i32) -> i32>((add_two as *const u8).offset(5)) - }; - let next_answer = do_twice(f, 5); - - println!("The next answer is: {}", next_answer); -} -``` -Fig. 1. Modified example from the [Advanced Functions and -Closures][rust-book-ch19-05] chapter of the [The Rust Programming -Language][rust-book] book. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -The next answer is: 14 -$ -``` -Fig. 2. Build and execution of the modified example with LLVM CFI disabled. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc -Clto -Zsanitizer=cfi rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -Illegal instruction -$ -``` -Fig. 3. Build and execution of the modified example with LLVM CFI enabled. - -When LLVM CFI is enabled, if there are any attempts to change/hijack control -flow using an indirect branch/call to an invalid destination, the execution is -terminated (see Fig. 3). - -```rust -use std::mem; - -fn add_one(x: i32) -> i32 { - x + 1 -} - -fn add_two(x: i32, _y: i32) -> i32 { - x + 2 -} - -fn do_twice(f: fn(i32) -> i32, arg: i32) -> i32 { - f(arg) + f(arg) -} - -fn main() { - let answer = do_twice(add_one, 5); - - println!("The answer is: {}", answer); - - println!("With CFI enabled, you should not see the next answer"); - let f: fn(i32) -> i32 = - unsafe { mem::transmute::<*const u8, fn(i32) -> i32>(add_two as *const u8) }; - let next_answer = do_twice(f, 5); - - println!("The next answer is: {}", next_answer); -} -``` -Fig. 4. Another modified example from the [Advanced Functions and -Closures][rust-book-ch19-05] chapter of the [The Rust Programming -Language][rust-book] book. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -The next answer is: 14 -$ -``` -Fig. 5. Build and execution of the modified example with LLVM CFI disabled. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc -Clto -Zsanitizer=cfi rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -Illegal instruction -$ -``` -Fig. 6. Build and execution of the modified example with LLVM CFI enabled. - -When LLVM CFI is enabled, if there are any attempts to change/hijack control -flow using an indirect branch/call to a function with different number of -arguments than intended/passed in the call/branch site, the execution is also -terminated (see Fig. 6). - -Forward-edge control flow protection not only by aggregating function pointers -in groups identified by their number of arguments, but also their argument -types, will also be provided in later work by defining and using compatible type -identifiers (see Type metadata in the design document in the tracking -issue [#89653](https://github.com/rust-lang/rust/issues/89653)). - -[rust-book-ch19-05]: https://doc.rust-lang.org/book/ch19-05-advanced-functions-and-closures.html -[rust-book]: https://doc.rust-lang.org/book/title-page.html - -# HWAddressSanitizer - -HWAddressSanitizer is a newer variant of AddressSanitizer that consumes much -less memory. - -HWAddressSanitizer is supported on the following targets: - -* `aarch64-linux-android` -* `aarch64-unknown-linux-gnu` - -HWAddressSanitizer requires `tagged-globals` target feature to instrument -globals. To enable this target feature compile with `-C -target-feature=+tagged-globals` - -## Example - -Heap buffer overflow: - -```rust -fn main() { - let xs = vec![0, 1, 2, 3]; - let _y = unsafe { *xs.as_ptr().offset(4) }; -} -``` - -```shell -$ rustc main.rs -Zsanitizer=hwaddress -C target-feature=+tagged-globals -C -linker=aarch64-linux-gnu-gcc -C link-arg=-fuse-ld=lld --target -aarch64-unknown-linux-gnu -``` - -```shell -$ ./main -==241==ERROR: HWAddressSanitizer: tag-mismatch on address 0xefdeffff0050 at pc 0xaaaae0ae4a98 -READ of size 4 at 0xefdeffff0050 tags: 2c/00 (ptr/mem) in thread T0 - #0 0xaaaae0ae4a94 (/.../main+0x54a94) - ... - -[0xefdeffff0040,0xefdeffff0060) is a small allocated heap chunk; size: 32 offset: 16 -0xefdeffff0050 is located 0 bytes to the right of 16-byte region [0xefdeffff0040,0xefdeffff0050) -allocated here: - #0 0xaaaae0acb80c (/.../main+0x3b80c) - ... - -Thread: T0 0xeffe00002000 stack: [0xffffc28ad000,0xffffc30ad000) sz: 8388608 tls: [0xffffaa10a020,0xffffaa10a7d0) -Memory tags around the buggy address (one tag corresponds to 16 bytes): - 0xfefcefffef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffef90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffeff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -=>0xfefceffff000: d7 d7 05 00 2c [00] 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -Tags for short granules around the buggy address (one tag corresponds to 16 bytes): - 0xfefcefffeff0: .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. -=>0xfefceffff000: .. .. 8c .. .. [..] .. .. .. .. .. .. .. .. .. .. - 0xfefceffff010: .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. -See https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html#short-granules for a description of short granule tags -Registers where the failure occurred (pc 0xaaaae0ae4a98): - x0 2c00efdeffff0050 x1 0000000000000004 x2 0000000000000004 x3 0000000000000000 - x4 0000fffefc30ac37 x5 000000000000005d x6 00000ffffc30ac37 x7 0000efff00000000 - x8 2c00efdeffff0050 x9 0200efff00000000 x10 0000000000000000 x11 0200efff00000000 - x12 0200effe00000310 x13 0200effe00000310 x14 0000000000000008 x15 5d00ffffc30ac360 - x16 0000aaaae0ad062c x17 0000000000000003 x18 0000000000000001 x19 0000ffffc30ac658 - x20 4e00ffffc30ac6e0 x21 0000aaaae0ac5e10 x22 0000000000000000 x23 0000000000000000 - x24 0000000000000000 x25 0000000000000000 x26 0000000000000000 x27 0000000000000000 - x28 0000000000000000 x29 0000ffffc30ac5a0 x30 0000aaaae0ae4a98 -SUMMARY: HWAddressSanitizer: tag-mismatch (/.../main+0x54a94) -``` - -# LeakSanitizer - -LeakSanitizer is run-time memory leak detector. - -LeakSanitizer is supported on the following targets: - -* `aarch64-apple-darwin` -* `aarch64-unknown-linux-gnu` -* `x86_64-apple-darwin` -* `x86_64-unknown-linux-gnu` - -# MemorySanitizer - -MemorySanitizer is detector of uninitialized reads. - -MemorySanitizer is supported on the following targets: - -* `aarch64-unknown-linux-gnu` -* `x86_64-unknown-freebsd` -* `x86_64-unknown-linux-gnu` - -MemorySanitizer requires all program code to be instrumented. C/C++ dependencies -need to be recompiled using Clang with `-fsanitize=memory` option. Failing to -achieve that will result in false positive reports. - -## Example - -Detecting the use of uninitialized memory. The `-Zbuild-std` flag rebuilds and -instruments the standard library, and is strictly necessary for the correct -operation of the tool. The `-Zsanitizer-memory-track-origins` enables tracking -of the origins of uninitialized memory: - -```rust -use std::mem::MaybeUninit; - -fn main() { - unsafe { - let a = MaybeUninit::<[usize; 4]>::uninit(); - let a = a.assume_init(); - println!("{}", a[2]); - } -} -``` - -```shell -$ export \ - RUSTFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' \ - RUSTDOCFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' -$ cargo clean -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -==9416==WARNING: MemorySanitizer: use-of-uninitialized-value - #0 0x560c04f7488a in core::fmt::num::imp::fmt_u64::haa293b0b098501ca $RUST/build/x86_64-unknown-linux-gnu/stage1/lib/rustlib/src/rust/src/libcore/fmt/num.rs:202:16 -... - Uninitialized value was stored to memory at - #0 0x560c04ae898a in __msan_memcpy.part.0 $RUST/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cc:1558:3 - #1 0x560c04b2bf88 in memory::main::hd2333c1899d997f5 $CWD/src/main.rs:6:16 - - Uninitialized value was created by an allocation of 'a' in the stack frame of function '_ZN6memory4main17hd2333c1899d997f5E' - #0 0x560c04b2bc50 in memory::main::hd2333c1899d997f5 $CWD/src/main.rs:3 -``` - -# ThreadSanitizer - -ThreadSanitizer is a data race detection tool. It is supported on the following -targets: - -* `aarch64-apple-darwin` -* `aarch64-unknown-linux-gnu` -* `x86_64-apple-darwin` -* `x86_64-unknown-freebsd` -* `x86_64-unknown-linux-gnu` - -To work correctly ThreadSanitizer needs to be "aware" of all synchronization -operations in a program. It generally achieves that through combination of -library interception (for example synchronization performed through -`pthread_mutex_lock` / `pthread_mutex_unlock`) and compile time instrumentation -(e.g. atomic operations). Using it without instrumenting all the program code -can lead to false positive reports. - -ThreadSanitizer does not support atomic fences `std::sync::atomic::fence`, -nor synchronization performed using inline assembly code. - -## Example - -```rust -static mut A: usize = 0; - -fn main() { - let t = std::thread::spawn(|| { - unsafe { A += 1 }; - }); - unsafe { A += 1 }; - - t.join().unwrap(); -} -``` - -```shell -$ export RUSTFLAGS=-Zsanitizer=thread RUSTDOCFLAGS=-Zsanitizer=thread -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -================== -WARNING: ThreadSanitizer: data race (pid=10574) - Read of size 8 at 0x5632dfe3d030 by thread T1: - #0 example::main::_$u7b$$u7b$closure$u7d$$u7d$::h23f64b0b2f8c9484 ../src/main.rs:5:18 (example+0x86cec) - ... - - Previous write of size 8 at 0x5632dfe3d030 by main thread: - #0 example::main::h628ffc6626ed85b2 /.../src/main.rs:7:14 (example+0x868c8) - ... - #11 main (example+0x86a1a) - - Location is global 'example::A::h43ac149ddf992709' of size 8 at 0x5632dfe3d030 (example+0x000000bd9030) -``` - -# Instrumentation of external dependencies and std - -The sanitizers to varying degrees work correctly with partially instrumented -code. On the one extreme is LeakSanitizer that doesn't use any compile time -instrumentation, on the other is MemorySanitizer that requires that all program -code to be instrumented (failing to achieve that will inevitably result in -false positives). - -It is strongly recommended to combine sanitizers with recompiled and -instrumented standard library, for example using [cargo `-Zbuild-std` -functionality][build-std]. - -[build-std]: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#build-std - -# Build scripts and procedural macros - -Use of sanitizers together with build scripts and procedural macros is -technically possible, but in almost all cases it would be best avoided. This -is especially true for procedural macros which would require an instrumented -version of rustc. - -In more practical terms when using cargo always remember to pass `--target` -flag, so that rustflags will not be applied to build scripts and procedural -macros. - -# Symbolizing the Reports - -Sanitizers produce symbolized stacktraces when llvm-symbolizer binary is in `PATH`. - -# Additional Information - -* [Sanitizers project page](https://github.com/google/sanitizers/wiki/) -* [AddressSanitizer in Clang][clang-asan] -* [ControlFlowIntegrity in Clang][clang-cfi] -* [HWAddressSanitizer in Clang][clang-hwasan] -* [LeakSanitizer in Clang][clang-lsan] -* [MemorySanitizer in Clang][clang-msan] -* [ThreadSanitizer in Clang][clang-tsan] - -[clang-asan]: https://clang.llvm.org/docs/AddressSanitizer.html -[clang-cfi]: https://clang.llvm.org/docs/ControlFlowIntegrity.html -[clang-hwasan]: https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html -[clang-lsan]: https://clang.llvm.org/docs/LeakSanitizer.html -[clang-msan]: https://clang.llvm.org/docs/MemorySanitizer.html -[clang-tsan]: https://clang.llvm.org/docs/ThreadSanitizer.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile-events.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile-events.md deleted file mode 100644 index 3ce18743be50..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile-events.md +++ /dev/null @@ -1,74 +0,0 @@ -# `self-profile-events` - ---------------------- - -The `-Zself-profile-events` compiler flag controls what events are recorded by the self-profiler when it is enabled via the `-Zself-profile` flag. - -This flag takes a comma delimited list of event types to record. - -For example: - -```console -$ rustc -Zself-profile -Zself-profile-events=default,args -``` - -## Event types - -- `query-provider` - - Traces each query used internally by the compiler. - -- `generic-activity` - - Traces other parts of the compiler not covered by the query system. - -- `query-cache-hit` - - Adds tracing information that records when the in-memory query cache is "hit" and does not need to re-execute a query which has been cached. - - Disabled by default because this significantly increases the trace file size. - -- `query-blocked` - - Tracks time that a query tries to run but is blocked waiting on another thread executing the same query to finish executing. - - Query blocking only occurs when the compiler is built with parallel mode support. - -- `incr-cache-load` - - Tracks time that is spent loading and deserializing query results from the incremental compilation on-disk cache. - -- `query-keys` - - Adds a serialized representation of each query's query key to the tracing data. - - Disabled by default because this significantly increases the trace file size. - -- `function-args` - - Adds additional tracing data to some `generic-activity` events. - - Disabled by default for parity with `query-keys`. - -- `llvm` - - Adds tracing information about LLVM passes and codegeneration. - - Disabled by default because this only works when `-Znew-llvm-pass-manager` is enabled. - -## Event synonyms - -- `none` - - Disables all events. - Equivalent to the self-profiler being disabled. - -- `default` - - The default set of events which stikes a balance between providing detailed tracing data and adding additional overhead to the compilation. - -- `args` - - Equivalent to `query-keys` and `function-args`. - -- `all` - - Enables all events. - -## Examples - -Enable the profiler and capture the default set of events (both invocations are equivalent): - -```console -$ rustc -Zself-profile -$ rustc -Zself-profile -Zself-profile-events=default -``` - -Enable the profiler and capture the default events and their arguments: - -```console -$ rustc -Zself-profile -Zself-profile-events=default,args -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile.md deleted file mode 100644 index 7305141a4271..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile.md +++ /dev/null @@ -1,47 +0,0 @@ -# `self-profile` - --------------------- - -The `-Zself-profile` compiler flag enables rustc's internal profiler. -When enabled, the compiler will output three binary files in the specified directory (or the current working directory if no directory is specified). -These files can be analyzed by using the tools in the [`measureme`] repository. - -To control the data recorded in the trace files, use the `-Zself-profile-events` flag. - -For example: - -First, run a compilation session and provide the `-Zself-profile` flag: - -```console -$ rustc --crate-name foo -Zself-profile -``` - -This will generate three files in the working directory such as: - -- `foo-1234.events` -- `foo-1234.string_data` -- `foo-1234.string_index` - -Where `foo` is the name of the crate and `1234` is the process id of the rustc process. - -To get a summary of where the compiler is spending its time: - -```console -$ ../measureme/target/release/summarize summarize foo-1234 -``` - -To generate a flamegraph of the same data: - -```console -$ ../measureme/target/release/inferno foo-1234 -``` - -To dump the event data in a Chromium-profiler compatible format: - -```console -$ ../measureme/target/release/crox foo-1234 -``` - -For more information, consult the [`measureme`] documentation. - -[`measureme`]: https://github.com/rust-lang/measureme.git diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/source-based-code-coverage.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/source-based-code-coverage.md deleted file mode 100644 index cb65978e0a07..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/source-based-code-coverage.md +++ /dev/null @@ -1,5 +0,0 @@ -# `source-based-code-coverage` - -See compiler flag [`-Z instrument-coverage`]. - -[`-z instrument-coverage`]: ./instrument-coverage.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/src-hash-algorithm.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/src-hash-algorithm.md deleted file mode 100644 index ff776741b212..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/src-hash-algorithm.md +++ /dev/null @@ -1,11 +0,0 @@ -# `src-hash-algorithm` - -The tracking issue for this feature is: [#70401](https://github.com/rust-lang/rust/issues/70401). - ------------------------- - -The `-Z src-hash-algorithm` compiler flag controls which algorithm is used when hashing each source file. The hash is stored in the debug info and can be used by a debugger to verify the source code matches the executable. - -Supported hash algorithms are: `md5`, `sha1`, and `sha256`. Note that not all hash algorithms are supported by all debug info formats. - -By default, the compiler chooses the hash algorithm based on the target specification. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/temps-dir.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/temps-dir.md deleted file mode 100644 index e25011f71197..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/temps-dir.md +++ /dev/null @@ -1,10 +0,0 @@ -# `temps-dir` - --------------------- - -The `-Ztemps-dir` compiler flag specifies the directory to write the -intermediate files in. If not set, the output directory is used. This option is -useful if you are running more than one instance of `rustc` (e.g. with different -`--crate-type` settings), and you need to make sure they are not overwriting -each other's intermediate files. No files are kept unless `-C save-temps=yes` is -also set. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/tls-model.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/tls-model.md deleted file mode 100644 index 8b19e785c6a5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/tls-model.md +++ /dev/null @@ -1,25 +0,0 @@ -# `tls_model` - -The tracking issue for this feature is: None. - ------------------------- - -Option `-Z tls-model` controls [TLS model](https://www.akkadia.org/drepper/tls.pdf) used to -generate code for accessing `#[thread_local]` `static` items. - -Supported values for this option are: - -- `global-dynamic` - General Dynamic TLS Model (alternatively called Global Dynamic) is the most -general option usable in all circumstances, even if the TLS data is defined in a shared library -loaded at runtime and is accessed from code outside of that library. -This is the default for most targets. -- `local-dynamic` - model usable if the TLS data is only accessed from the shared library or -executable it is defined in. The TLS data may be in a library loaded after startup (via `dlopen`). -- `initial-exec` - model usable if the TLS data is defined in the executable or in a shared library -loaded at program startup. -The TLS data must not be in a library loaded after startup (via `dlopen`). -- `local-exec` - model usable only if the TLS data is defined directly in the executable, -but not in a shared library, and is accessed only from that executable. - -`rustc` and LLVM may use a more optimized model than specified if they know that we are producing -an executable rather than a library, or that the `static` item is private enough. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/unsound-mir-opts.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/unsound-mir-opts.md deleted file mode 100644 index 8e46e227c25b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/unsound-mir-opts.md +++ /dev/null @@ -1,8 +0,0 @@ -# `unsound-mir-opts` - --------------------- - -The `-Zunsound-mir-opts` compiler flag enables [MIR optimization passes] which can cause unsound behavior. -This flag should only be used by MIR optimization tests in the rustc test suite. - -[MIR optimization passes]: https://rustc-dev-guide.rust-lang.org/mir/optimizations.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features.md deleted file mode 100644 index a27514df97d6..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features.md +++ /dev/null @@ -1 +0,0 @@ -# Language features diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-c-cmse-nonsecure-call.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-c-cmse-nonsecure-call.md deleted file mode 100644 index 79a177cb28b1..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-c-cmse-nonsecure-call.md +++ /dev/null @@ -1,88 +0,0 @@ -# `abi_c_cmse_nonsecure_call` - -The tracking issue for this feature is: [#81391] - -[#81391]: https://github.com/rust-lang/rust/issues/81391 - ------------------------- - -The [TrustZone-M -feature](https://developer.arm.com/documentation/100690/latest/) is available -for targets with the Armv8-M architecture profile (`thumbv8m` in their target -name). -LLVM, the Rust compiler and the linker are providing -[support](https://developer.arm.com/documentation/ecm0359818/latest/) for the -TrustZone-M feature. - -One of the things provided, with this unstable feature, is the -`C-cmse-nonsecure-call` function ABI. This ABI is used on function pointers to -non-secure code to mark a non-secure function call (see [section -5.5](https://developer.arm.com/documentation/ecm0359818/latest/) for details). - -With this ABI, the compiler will do the following to perform the call: -* save registers needed after the call to Secure memory -* clear all registers that might contain confidential information -* clear the Least Significant Bit of the function address -* branches using the BLXNS instruction - -To avoid using the non-secure stack, the compiler will constrain the number and -type of parameters/return value. - -The `extern "C-cmse-nonsecure-call"` ABI is otherwise equivalent to the -`extern "C"` ABI. - - - -``` rust,ignore -#![no_std] -#![feature(abi_c_cmse_nonsecure_call)] - -#[no_mangle] -pub fn call_nonsecure_function(addr: usize) -> u32 { - let non_secure_function = - unsafe { core::mem::transmute:: u32>(addr) }; - non_secure_function() -} -``` - -``` text -$ rustc --emit asm --crate-type lib --target thumbv8m.main-none-eabi function.rs - -call_nonsecure_function: - .fnstart - .save {r7, lr} - push {r7, lr} - .setfp r7, sp - mov r7, sp - .pad #16 - sub sp, #16 - str r0, [sp, #12] - ldr r0, [sp, #12] - str r0, [sp, #8] - b .LBB0_1 -.LBB0_1: - ldr r0, [sp, #8] - push.w {r4, r5, r6, r7, r8, r9, r10, r11} - bic r0, r0, #1 - mov r1, r0 - mov r2, r0 - mov r3, r0 - mov r4, r0 - mov r5, r0 - mov r6, r0 - mov r7, r0 - mov r8, r0 - mov r9, r0 - mov r10, r0 - mov r11, r0 - mov r12, r0 - msr apsr_nzcvq, r0 - blxns r0 - pop.w {r4, r5, r6, r7, r8, r9, r10, r11} - str r0, [sp, #4] - b .LBB0_2 -.LBB0_2: - ldr r0, [sp, #4] - add sp, #16 - pop {r7, pc} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-msp430-interrupt.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-msp430-interrupt.md deleted file mode 100644 index b10bc41cb143..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-msp430-interrupt.md +++ /dev/null @@ -1,42 +0,0 @@ -# `abi_msp430_interrupt` - -The tracking issue for this feature is: [#38487] - -[#38487]: https://github.com/rust-lang/rust/issues/38487 - ------------------------- - -In the MSP430 architecture, interrupt handlers have a special calling -convention. You can use the `"msp430-interrupt"` ABI to make the compiler apply -the right calling convention to the interrupt handlers you define. - - - -``` rust,ignore -#![feature(abi_msp430_interrupt)] -#![no_std] - -// Place the interrupt handler at the appropriate memory address -// (Alternatively, you can use `#[used]` and remove `pub` and `#[no_mangle]`) -#[link_section = "__interrupt_vector_10"] -#[no_mangle] -pub static TIM0_VECTOR: extern "msp430-interrupt" fn() = tim0; - -// The interrupt handler -extern "msp430-interrupt" fn tim0() { - // .. -} -``` - -``` text -$ msp430-elf-objdump -CD ./target/msp430/release/app -Disassembly of section __interrupt_vector_10: - -0000fff2 : - fff2: 00 c0 interrupt service routine at 0xc000 - -Disassembly of section .text: - -0000c000 : - c000: 00 13 reti -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-ptx.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-ptx.md deleted file mode 100644 index 0ded3ceeaef2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-ptx.md +++ /dev/null @@ -1,60 +0,0 @@ -# `abi_ptx` - -The tracking issue for this feature is: [#38788] - -[#38788]: https://github.com/rust-lang/rust/issues/38788 - ------------------------- - -When emitting PTX code, all vanilla Rust functions (`fn`) get translated to -"device" functions. These functions are *not* callable from the host via the -CUDA API so a crate with only device functions is not too useful! - -OTOH, "global" functions *can* be called by the host; you can think of them -as the real public API of your crate. To produce a global function use the -`"ptx-kernel"` ABI. - - - -``` rust,ignore -#![feature(abi_ptx)] -#![no_std] - -pub unsafe extern "ptx-kernel" fn global_function() { - device_function(); -} - -pub fn device_function() { - // .. -} -``` - -``` text -$ xargo rustc --target nvptx64-nvidia-cuda --release -- --emit=asm - -$ cat $(find -name '*.s') -// -// Generated by LLVM NVPTX Back-End -// - -.version 3.2 -.target sm_20 -.address_size 64 - - // .globl _ZN6kernel15global_function17h46111ebe6516b382E - -.visible .entry _ZN6kernel15global_function17h46111ebe6516b382E() -{ - - - ret; -} - - // .globl _ZN6kernel15device_function17hd6a0e4993bbf3f78E -.visible .func _ZN6kernel15device_function17hd6a0e4993bbf3f78E() -{ - - - ret; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-thiscall.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-thiscall.md deleted file mode 100644 index 73bc6eacf42c..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-thiscall.md +++ /dev/null @@ -1,12 +0,0 @@ -# `abi_thiscall` - -The tracking issue for this feature is: [#42202] - -[#42202]: https://github.com/rust-lang/rust/issues/42202 - ------------------------- - -The MSVC ABI on x86 Windows uses the `thiscall` calling convention for C++ -instance methods by default; it is identical to the usual (C) calling -convention on x86 Windows except that the first parameter of the method, -the `this` pointer, is passed in the ECX register. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/allocator-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/allocator-internals.md deleted file mode 100644 index 2023d758fe3d..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/allocator-internals.md +++ /dev/null @@ -1,7 +0,0 @@ -# `allocator_internals` - -This feature does not have a tracking issue, it is an unstable implementation -detail of the `global_allocator` feature not intended for use outside the -compiler. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/arbitrary-enum-discriminant.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/arbitrary-enum-discriminant.md deleted file mode 100644 index e0bb782270e2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/arbitrary-enum-discriminant.md +++ /dev/null @@ -1,37 +0,0 @@ -# `arbitrary_enum_discriminant` - -The tracking issue for this feature is: [#60553] - -[#60553]: https://github.com/rust-lang/rust/issues/60553 - ------------------------- - -The `arbitrary_enum_discriminant` feature permits tuple-like and -struct-like enum variants with `#[repr()]` to have explicit discriminants. - -## Examples - -```rust -#![feature(arbitrary_enum_discriminant)] - -#[allow(dead_code)] -#[repr(u8)] -enum Enum { - Unit = 3, - Tuple(u16) = 2, - Struct { - a: u8, - b: u16, - } = 1, -} - -impl Enum { - fn tag(&self) -> u8 { - unsafe { *(self as *const Self as *const u8) } - } -} - -assert_eq!(3, Enum::Unit.tag()); -assert_eq!(2, Enum::Tuple(5).tag()); -assert_eq!(1, Enum::Struct{a: 7, b: 11}.tag()); -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-const.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-const.md deleted file mode 100644 index 1063c23b6dfb..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-const.md +++ /dev/null @@ -1,11 +0,0 @@ -# `asm_const` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature adds a `const ` operand type to `asm!` and `global_asm!`. -- `` must be an integer constant expression. -- The value of the expression is formatted as a string and substituted directly into the asm template string. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-experimental-arch.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-experimental-arch.md deleted file mode 100644 index ec97eaa8b2b5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-experimental-arch.md +++ /dev/null @@ -1,117 +0,0 @@ -# `asm_experimental_arch` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature tracks `asm!` and `global_asm!` support for the following architectures: -- NVPTX -- PowerPC -- Hexagon -- MIPS32r2 and MIPS64r2 -- wasm32 -- BPF -- SPIR-V -- AVR - -## Register classes - -| Architecture | Register class | Registers | LLVM constraint code | -| ------------ | -------------- | ---------------------------------- | -------------------- | -| MIPS | `reg` | `$[2-25]` | `r` | -| MIPS | `freg` | `$f[0-31]` | `f` | -| NVPTX | `reg16` | None\* | `h` | -| NVPTX | `reg32` | None\* | `r` | -| NVPTX | `reg64` | None\* | `l` | -| Hexagon | `reg` | `r[0-28]` | `r` | -| PowerPC | `reg` | `r[0-31]` | `r` | -| PowerPC | `reg_nonzero` | `r[1-31]` | `b` | -| PowerPC | `freg` | `f[0-31]` | `f` | -| PowerPC | `cr` | `cr[0-7]`, `cr` | Only clobbers | -| PowerPC | `xer` | `xer` | Only clobbers | -| wasm32 | `local` | None\* | `r` | -| BPF | `reg` | `r[0-10]` | `r` | -| BPF | `wreg` | `w[0-10]` | `w` | -| AVR | `reg` | `r[2-25]`, `XH`, `XL`, `ZH`, `ZL` | `r` | -| AVR | `reg_upper` | `r[16-25]`, `XH`, `XL`, `ZH`, `ZL` | `d` | -| AVR | `reg_pair` | `r3r2` .. `r25r24`, `X`, `Z` | `r` | -| AVR | `reg_iw` | `r25r24`, `X`, `Z` | `w` | -| AVR | `reg_ptr` | `X`, `Z` | `e` | - -> **Notes**: -> - NVPTX doesn't have a fixed register set, so named registers are not supported. -> -> - WebAssembly doesn't have registers, so named registers are not supported. - -# Register class supported types - -| Architecture | Register class | Target feature | Allowed types | -| ------------ | ------------------------------- | -------------- | --------------------------------------- | -| MIPS32 | `reg` | None | `i8`, `i16`, `i32`, `f32` | -| MIPS32 | `freg` | None | `f32`, `f64` | -| MIPS64 | `reg` | None | `i8`, `i16`, `i32`, `i64`, `f32`, `f64` | -| MIPS64 | `freg` | None | `f32`, `f64` | -| NVPTX | `reg16` | None | `i8`, `i16` | -| NVPTX | `reg32` | None | `i8`, `i16`, `i32`, `f32` | -| NVPTX | `reg64` | None | `i8`, `i16`, `i32`, `f32`, `i64`, `f64` | -| Hexagon | `reg` | None | `i8`, `i16`, `i32`, `f32` | -| PowerPC | `reg` | None | `i8`, `i16`, `i32` | -| PowerPC | `reg_nonzero` | None | `i8`, `i16`, `i32` | -| PowerPC | `freg` | None | `f32`, `f64` | -| PowerPC | `cr` | N/A | Only clobbers | -| PowerPC | `xer` | N/A | Only clobbers | -| wasm32 | `local` | None | `i8` `i16` `i32` `i64` `f32` `f64` | -| BPF | `reg` | None | `i8` `i16` `i32` `i64` | -| BPF | `wreg` | `alu32` | `i8` `i16` `i32` | -| AVR | `reg`, `reg_upper` | None | `i8` | -| AVR | `reg_pair`, `reg_iw`, `reg_ptr` | None | `i16` | - -## Register aliases - -| Architecture | Base register | Aliases | -| ------------ | ------------- | --------- | -| Hexagon | `r29` | `sp` | -| Hexagon | `r30` | `fr` | -| Hexagon | `r31` | `lr` | -| BPF | `r[0-10]` | `w[0-10]` | -| AVR | `XH` | `r27` | -| AVR | `XL` | `r26` | -| AVR | `ZH` | `r31` | -| AVR | `ZL` | `r30` | - -## Unsupported registers - -| Architecture | Unsupported register | Reason | -| ------------ | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| All | `sp` | The stack pointer must be restored to its original value at the end of an asm code block. | -| All | `fr` (Hexagon), `$fp` (MIPS), `Y` (AVR) | The frame pointer cannot be used as an input or output. | -| All | `r19` (Hexagon) | This is used internally by LLVM as a "base pointer" for functions with complex stack frames. | -| MIPS | `$0` or `$zero` | This is a constant zero register which can't be modified. | -| MIPS | `$1` or `$at` | Reserved for assembler. | -| MIPS | `$26`/`$k0`, `$27`/`$k1` | OS-reserved registers. | -| MIPS | `$28`/`$gp` | Global pointer cannot be used as inputs or outputs. | -| MIPS | `$ra` | Return address cannot be used as inputs or outputs. | -| Hexagon | `lr` | This is the link register which cannot be used as an input or output. | -| AVR | `r0`, `r1`, `r1r0` | Due to an issue in LLVM, the `r0` and `r1` registers cannot be used as inputs or outputs. If modified, they must be restored to their original values before the end of the block. | - -## Template modifiers - -| Architecture | Register class | Modifier | Example output | LLVM modifier | -| ------------ | -------------- | -------- | -------------- | ------------- | -| MIPS | `reg` | None | `$2` | None | -| MIPS | `freg` | None | `$f0` | None | -| NVPTX | `reg16` | None | `rs0` | None | -| NVPTX | `reg32` | None | `r0` | None | -| NVPTX | `reg64` | None | `rd0` | None | -| Hexagon | `reg` | None | `r0` | None | -| PowerPC | `reg` | None | `0` | None | -| PowerPC | `reg_nonzero` | None | `3` | `b` | -| PowerPC | `freg` | None | `0` | None | - -# Flags covered by `preserves_flags` - -These flags registers must be restored upon exiting the asm block if the `preserves_flags` option is set: -- AVR - - The status register `SREG`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-sym.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-sym.md deleted file mode 100644 index 7544e20807e9..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-sym.md +++ /dev/null @@ -1,13 +0,0 @@ -# `asm_sym` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature adds a `sym ` operand type to `asm!` and `global_asm!`. -- `` must refer to a `fn` or `static`. -- A mangled symbol name referring to the item is substituted into the asm template string. -- The substituted string does not include any modifiers (e.g. GOT, PLT, relocations, etc). -- `` is allowed to point to a `#[thread_local]` static, in which case the asm code can combine the symbol with relocations (e.g. `@plt`, `@TPOFF`) to read from thread-local data. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-unwind.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-unwind.md deleted file mode 100644 index 414193fe8017..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-unwind.md +++ /dev/null @@ -1,9 +0,0 @@ -# `asm_unwind` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature adds a `may_unwind` option to `asm!` which allows an `asm` block to unwind stack and be part of the stack unwinding process. This option is only supported by the LLVM backend right now. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/auto-traits.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/auto-traits.md deleted file mode 100644 index f967c11fc4d0..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/auto-traits.md +++ /dev/null @@ -1,106 +0,0 @@ -# `auto_traits` - -The tracking issue for this feature is [#13231] - -[#13231]: https://github.com/rust-lang/rust/issues/13231 - ----- - -The `auto_traits` feature gate allows you to define auto traits. - -Auto traits, like [`Send`] or [`Sync`] in the standard library, are marker traits -that are automatically implemented for every type, unless the type, or a type it contains, -has explicitly opted out via a negative impl. (Negative impls are separately controlled -by the `negative_impls` feature.) - -[`Send`]: https://doc.rust-lang.org/std/marker/trait.Send.html -[`Sync`]: https://doc.rust-lang.org/std/marker/trait.Sync.html - -```rust,ignore (partial-example) -impl !Trait for Type {} -``` - -Example: - -```rust -#![feature(negative_impls)] -#![feature(auto_traits)] - -auto trait Valid {} - -struct True; -struct False; - -impl !Valid for False {} - -struct MaybeValid(T); - -fn must_be_valid(_t: T) { } - -fn main() { - // works - must_be_valid( MaybeValid(True) ); - - // compiler error - trait bound not satisfied - // must_be_valid( MaybeValid(False) ); -} -``` - -## Automatic trait implementations - -When a type is declared as an `auto trait`, we will automatically -create impls for every struct/enum/union, unless an explicit impl is -provided. These automatic impls contain a where clause for each field -of the form `T: AutoTrait`, where `T` is the type of the field and -`AutoTrait` is the auto trait in question. As an example, consider the -struct `List` and the auto trait `Send`: - -```rust -struct List { - data: T, - next: Option>>, -} -``` - -Presuming that there is no explicit impl of `Send` for `List`, the -compiler will supply an automatic impl of the form: - -```rust -struct List { - data: T, - next: Option>>, -} - -unsafe impl Send for List -where - T: Send, // from the field `data` - Option>>: Send, // from the field `next` -{ } -``` - -Explicit impls may be either positive or negative. They take the form: - -```rust,ignore (partial-example) -impl<...> AutoTrait for StructName<..> { } -impl<...> !AutoTrait for StructName<..> { } -``` - -## Coinduction: Auto traits permit cyclic matching - -Unlike ordinary trait matching, auto traits are **coinductive**. This -means, in short, that cycles which occur in trait matching are -considered ok. As an example, consider the recursive struct `List` -introduced in the previous section. In attempting to determine whether -`List: Send`, we would wind up in a cycle: to apply the impl, we must -show that `Option>: Send`, which will in turn require -`Box: Send` and then finally `List: Send` again. Under ordinary -trait matching, this cycle would be an error, but for an auto trait it -is considered a successful match. - -## Items - -Auto traits cannot have any trait items, such as methods or associated types. This ensures that we can generate default implementations. - -## Supertraits - -Auto traits cannot have supertraits. This is for soundness reasons, as the interaction of coinduction with implied bounds is difficult to reconcile. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-patterns.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-patterns.md deleted file mode 100644 index bf0819ec920b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-patterns.md +++ /dev/null @@ -1,32 +0,0 @@ -# `box_patterns` - -The tracking issue for this feature is: [#29641] - -[#29641]: https://github.com/rust-lang/rust/issues/29641 - -See also [`box_syntax`](box-syntax.md) - ------------------------- - -Box patterns let you match on `Box`s: - - -```rust -#![feature(box_patterns)] - -fn main() { - let b = Some(Box::new(5)); - match b { - Some(box n) if n < 0 => { - println!("Box contains negative number {}", n); - }, - Some(box n) if n >= 0 => { - println!("Box contains non-negative number {}", n); - }, - None => { - println!("No box"); - }, - _ => unreachable!() - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-syntax.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-syntax.md deleted file mode 100644 index 9569974d22ca..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-syntax.md +++ /dev/null @@ -1,22 +0,0 @@ -# `box_syntax` - -The tracking issue for this feature is: [#49733] - -[#49733]: https://github.com/rust-lang/rust/issues/49733 - -See also [`box_patterns`](box-patterns.md) - ------------------------- - -Currently the only stable way to create a `Box` is via the `Box::new` method. -Also it is not possible in stable Rust to destructure a `Box` in a match -pattern. The unstable `box` keyword can be used to create a `Box`. An example -usage would be: - -```rust -#![feature(box_syntax)] - -fn main() { - let b = box 5; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-unwind.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-unwind.md deleted file mode 100644 index 2801d9b5e777..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-unwind.md +++ /dev/null @@ -1,15 +0,0 @@ -# `c_unwind` - -The tracking issue for this feature is: [#74990] - -[#74990]: https://github.com/rust-lang/rust/issues/74990 - ------------------------- - -Introduces four new ABI strings: "C-unwind", "stdcall-unwind", -"thiscall-unwind", and "system-unwind". These enable unwinding from other -languages (such as C++) into Rust frames and from Rust into other languages. - -See [RFC 2945] for more information. - -[RFC 2945]: https://github.com/rust-lang/rfcs/blob/master/text/2945-c-unwind-abi.md diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-variadic.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-variadic.md deleted file mode 100644 index 9e7968d906fb..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-variadic.md +++ /dev/null @@ -1,24 +0,0 @@ -# `c_variadic` - -The tracking issue for this feature is: [#44930] - -[#44930]: https://github.com/rust-lang/rust/issues/44930 - ------------------------- - -The `c_variadic` language feature enables C-variadic functions to be -defined in Rust. The may be called both from within Rust and via FFI. - -## Examples - -```rust -#![feature(c_variadic)] - -pub unsafe extern "C" fn add(n: usize, mut args: ...) -> usize { - let mut sum = 0; - for _ in 0..n { - sum += args.arg::(); - } - sum -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-panic.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-panic.md deleted file mode 100644 index f5b73128ad6c..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-panic.md +++ /dev/null @@ -1,38 +0,0 @@ -# `cfg_panic` - -The tracking issue for this feature is: [#77443] - -[#77443]: https://github.com/rust-lang/rust/issues/77443 - ------------------------- - -The `cfg_panic` feature makes it possible to execute different code -depending on the panic strategy. - -Possible values at the moment are `"unwind"` or `"abort"`, although -it is possible that new panic strategies may be added to Rust in the -future. - -## Examples - -```rust -#![feature(cfg_panic)] - -#[cfg(panic = "unwind")] -fn a() { - // ... -} - -#[cfg(not(panic = "unwind"))] -fn a() { - // ... -} - -fn b() { - if cfg!(panic = "abort") { - // ... - } else { - // ... - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-sanitize.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-sanitize.md deleted file mode 100644 index 3442abf46df8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-sanitize.md +++ /dev/null @@ -1,34 +0,0 @@ -# `cfg_sanitize` - -The tracking issue for this feature is: [#39699] - -[#39699]: https://github.com/rust-lang/rust/issues/39699 - ------------------------- - -The `cfg_sanitize` feature makes it possible to execute different code -depending on whether a particular sanitizer is enabled or not. - -## Examples - -```rust -#![feature(cfg_sanitize)] - -#[cfg(sanitize = "thread")] -fn a() { - // ... -} - -#[cfg(not(sanitize = "thread"))] -fn a() { - // ... -} - -fn b() { - if cfg!(sanitize = "leak") { - // ... - } else { - // ... - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-version.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-version.md deleted file mode 100644 index a6ec42cecba8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-version.md +++ /dev/null @@ -1,35 +0,0 @@ -# `cfg_version` - -The tracking issue for this feature is: [#64796] - -[#64796]: https://github.com/rust-lang/rust/issues/64796 - ------------------------- - -The `cfg_version` feature makes it possible to execute different code -depending on the compiler version. It will return true if the compiler -version is greater than or equal to the specified version. - -## Examples - -```rust -#![feature(cfg_version)] - -#[cfg(version("1.42"))] // 1.42 and above -fn a() { - // ... -} - -#[cfg(not(version("1.42")))] // 1.41 and below -fn a() { - // ... -} - -fn b() { - if cfg!(version("1.42")) { - // ... - } else { - // ... - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/closure-track-caller.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/closure-track-caller.md deleted file mode 100644 index c948810d3e5a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/closure-track-caller.md +++ /dev/null @@ -1,12 +0,0 @@ -# `closure_track_caller` - -The tracking issue for this feature is: [#87417] - -[#87417]: https://github.com/rust-lang/rust/issues/87417 - ------------------------- - -Allows using the `#[track_caller]` attribute on closures and generators. -Calls made to the closure or generator will have caller information -available through `std::panic::Location::caller()`, just like using -`#[track_caller]` on a function. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cmse-nonsecure-entry.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cmse-nonsecure-entry.md deleted file mode 100644 index 338fbc4b2bfc..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cmse-nonsecure-entry.md +++ /dev/null @@ -1,81 +0,0 @@ -# `cmse_nonsecure_entry` - -The tracking issue for this feature is: [#75835] - -[#75835]: https://github.com/rust-lang/rust/issues/75835 - ------------------------- - -The [TrustZone-M -feature](https://developer.arm.com/documentation/100690/latest/) is available -for targets with the Armv8-M architecture profile (`thumbv8m` in their target -name). -LLVM, the Rust compiler and the linker are providing -[support](https://developer.arm.com/documentation/ecm0359818/latest/) for the -TrustZone-M feature. - -One of the things provided, with this unstable feature, is the -`cmse_nonsecure_entry` attribute. This attribute marks a Secure function as an -entry function (see [section -5.4](https://developer.arm.com/documentation/ecm0359818/latest/) for details). -With this attribute, the compiler will do the following: -* add a special symbol on the function which is the `__acle_se_` prefix and the - standard function name -* constrain the number of parameters to avoid using the Non-Secure stack -* before returning from the function, clear registers that might contain Secure - information -* use the `BXNS` instruction to return - -Because the stack can not be used to pass parameters, there will be compilation -errors if: -* the total size of all parameters is too big (for example more than four 32 - bits integers) -* the entry function is not using a C ABI - -The special symbol `__acle_se_` will be used by the linker to generate a secure -gateway veneer. - - - -``` rust,ignore -#![feature(cmse_nonsecure_entry)] - -#[no_mangle] -#[cmse_nonsecure_entry] -pub extern "C" fn entry_function(input: u32) -> u32 { - input + 6 -} -``` - -``` text -$ rustc --emit obj --crate-type lib --target thumbv8m.main-none-eabi function.rs -$ arm-none-eabi-objdump -D function.o - -00000000 : - 0: b580 push {r7, lr} - 2: 466f mov r7, sp - 4: b082 sub sp, #8 - 6: 9001 str r0, [sp, #4] - 8: 1d81 adds r1, r0, #6 - a: 460a mov r2, r1 - c: 4281 cmp r1, r0 - e: 9200 str r2, [sp, #0] - 10: d30b bcc.n 2a - 12: e7ff b.n 14 - 14: 9800 ldr r0, [sp, #0] - 16: b002 add sp, #8 - 18: e8bd 4080 ldmia.w sp!, {r7, lr} - 1c: 4671 mov r1, lr - 1e: 4672 mov r2, lr - 20: 4673 mov r3, lr - 22: 46f4 mov ip, lr - 24: f38e 8800 msr CPSR_f, lr - 28: 4774 bxns lr - 2a: f240 0000 movw r0, #0 - 2e: f2c0 0000 movt r0, #0 - 32: f240 0200 movw r2, #0 - 36: f2c0 0200 movt r2, #0 - 3a: 211c movs r1, #28 - 3c: f7ff fffe bl 0 <_ZN4core9panicking5panic17h5c028258ca2fb3f5E> - 40: defe udf #254 ; 0xfe -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/compiler-builtins.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/compiler-builtins.md deleted file mode 100644 index 52fac575b6e8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/compiler-builtins.md +++ /dev/null @@ -1,5 +0,0 @@ -# `compiler_builtins` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/const-eval-limit.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/const-eval-limit.md deleted file mode 100644 index df68e83bcac7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/const-eval-limit.md +++ /dev/null @@ -1,7 +0,0 @@ -# `const_eval_limit` - -The tracking issue for this feature is: [#67217] - -[#67217]: https://github.com/rust-lang/rust/issues/67217 - -The `const_eval_limit` allows someone to limit the evaluation steps the CTFE undertakes to evaluate a `const fn`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/crate-visibility-modifier.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/crate-visibility-modifier.md deleted file mode 100644 index b59859dd348e..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/crate-visibility-modifier.md +++ /dev/null @@ -1,20 +0,0 @@ -# `crate_visibility_modifier` - -The tracking issue for this feature is: [#53120] - -[#53120]: https://github.com/rust-lang/rust/issues/53120 - ------ - -The `crate_visibility_modifier` feature allows the `crate` keyword to be used -as a visibility modifier synonymous to `pub(crate)`, indicating that a type -(function, _&c._) is to be visible to the entire enclosing crate, but not to -other crates. - -```rust -#![feature(crate_visibility_modifier)] - -crate struct Foo { - bar: usize, -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/custom-test-frameworks.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/custom-test-frameworks.md deleted file mode 100644 index 53ecac9314d7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/custom-test-frameworks.md +++ /dev/null @@ -1,32 +0,0 @@ -# `custom_test_frameworks` - -The tracking issue for this feature is: [#50297] - -[#50297]: https://github.com/rust-lang/rust/issues/50297 - ------------------------- - -The `custom_test_frameworks` feature allows the use of `#[test_case]` and `#![test_runner]`. -Any function, const, or static can be annotated with `#[test_case]` causing it to be aggregated (like `#[test]`) -and be passed to the test runner determined by the `#![test_runner]` crate attribute. - -```rust -#![feature(custom_test_frameworks)] -#![test_runner(my_runner)] - -fn my_runner(tests: &[&i32]) { - for t in tests { - if **t == 0 { - println!("PASSED"); - } else { - println!("FAILED"); - } - } -} - -#[test_case] -const WILL_PASS: i32 = 0; - -#[test_case] -const WILL_FAIL: i32 = 4; -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-cfg.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-cfg.md deleted file mode 100644 index e75f1aea9922..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-cfg.md +++ /dev/null @@ -1,46 +0,0 @@ -# `doc_cfg` - -The tracking issue for this feature is: [#43781] - ------- - -The `doc_cfg` feature allows an API be documented as only available in some specific platforms. -This attribute has two effects: - -1. In the annotated item's documentation, there will be a message saying "This is supported on - (platform) only". - -2. The item's doc-tests will only run on the specific platform. - -In addition to allowing the use of the `#[doc(cfg)]` attribute, this feature enables the use of a -special conditional compilation flag, `#[cfg(doc)]`, set whenever building documentation on your -crate. - -This feature was introduced as part of PR [#43348] to allow the platform-specific parts of the -standard library be documented. - -```rust -#![feature(doc_cfg)] - -#[cfg(any(windows, doc))] -#[doc(cfg(windows))] -/// The application's icon in the notification area (a.k.a. system tray). -/// -/// # Examples -/// -/// ```no_run -/// extern crate my_awesome_ui_library; -/// use my_awesome_ui_library::current_app; -/// use my_awesome_ui_library::windows::notification; -/// -/// let icon = current_app().get::(); -/// icon.show(); -/// icon.show_message("Hello"); -/// ``` -pub struct Icon { - // ... -} -``` - -[#43781]: https://github.com/rust-lang/rust/issues/43781 -[#43348]: https://github.com/rust-lang/rust/issues/43348 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-masked.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-masked.md deleted file mode 100644 index 609939bfc22f..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-masked.md +++ /dev/null @@ -1,24 +0,0 @@ -# `doc_masked` - -The tracking issue for this feature is: [#44027] - ------ - -The `doc_masked` feature allows a crate to exclude types from a given crate from appearing in lists -of trait implementations. The specifics of the feature are as follows: - -1. When rustdoc encounters an `extern crate` statement annotated with a `#[doc(masked)]` attribute, - it marks the crate as being masked. - -2. When listing traits a given type implements, rustdoc ensures that traits from masked crates are - not emitted into the documentation. - -3. When listing types that implement a given trait, rustdoc ensures that types from masked crates - are not emitted into the documentation. - -This feature was introduced in PR [#44026] to ensure that compiler-internal and -implementation-specific types and traits were not included in the standard library's documentation. -Such types would introduce broken links into the documentation. - -[#44026]: https://github.com/rust-lang/rust/pull/44026 -[#44027]: https://github.com/rust-lang/rust/pull/44027 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-notable-trait.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-notable-trait.md deleted file mode 100644 index dc402ed4253a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-notable-trait.md +++ /dev/null @@ -1,33 +0,0 @@ -# `doc_notable_trait` - -The tracking issue for this feature is: [#45040] - -The `doc_notable_trait` feature allows the use of the `#[doc(notable_trait)]` -attribute, which will display the trait in a "Notable traits" dialog for -functions returning types that implement the trait. For example, this attribute -is applied to the `Iterator`, `Future`, `io::Read`, and `io::Write` traits in -the standard library. - -You can do this on your own traits like so: - -``` -#![feature(doc_notable_trait)] - -#[doc(notable_trait)] -pub trait MyTrait {} - -pub struct MyStruct; -impl MyTrait for MyStruct {} - -/// The docs for this function will have a button that displays a dialog about -/// `MyStruct` implementing `MyTrait`. -pub fn my_fn() -> MyStruct { MyStruct } -``` - -This feature was originally implemented in PR [#45039]. - -See also its documentation in [the rustdoc book][rustdoc-book-notable_trait]. - -[#45040]: https://github.com/rust-lang/rust/issues/45040 -[#45039]: https://github.com/rust-lang/rust/pull/45039 -[rustdoc-book-notable_trait]: ../../rustdoc/unstable-features.html#adding-your-trait-to-the-notable-traits-dialog diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/exclusive-range-pattern.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/exclusive-range-pattern.md deleted file mode 100644 index d26512703f49..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/exclusive-range-pattern.md +++ /dev/null @@ -1,26 +0,0 @@ -# `exclusive_range_pattern` - -The tracking issue for this feature is: [#37854]. - - -[#67264]: https://github.com/rust-lang/rust/issues/67264 -[#37854]: https://github.com/rust-lang/rust/issues/37854 ------ - -The `exclusive_range_pattern` feature allows non-inclusive range -patterns (`0..10`) to be used in appropriate pattern matching -contexts. It also can be combined with `#![feature(half_open_range_patterns]` -to be able to use RangeTo patterns (`..10`). - -It also enabled RangeFrom patterns but that has since been -stabilized. - -```rust -#![feature(exclusive_range_pattern)] - let x = 5; - match x { - 0..10 => println!("single digit"), - 10 => println!("ten isn't part of the above range"), - _ => println!("nor is everything else.") - } -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/explicit-generic-args-with-impl-trait.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/explicit-generic-args-with-impl-trait.md deleted file mode 100644 index 479571d85fe0..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/explicit-generic-args-with-impl-trait.md +++ /dev/null @@ -1,53 +0,0 @@ -# `explicit_generic_args_with_impl_trait` - -The tracking issue for this feature is: [#83701] - -[#83701]: https://github.com/rust-lang/rust/issues/83701 - ------------------------- - -The `explicit_generic_args_with_impl_trait` feature gate lets you specify generic arguments even -when `impl Trait` is used in argument position. - -A simple example is: - -```rust -#![feature(explicit_generic_args_with_impl_trait)] - -fn foo(_f: impl AsRef) {} - -fn main() { - foo::("".to_string()); -} -``` - -This is currently rejected: - -```text -error[E0632]: cannot provide explicit generic arguments when `impl Trait` is used in argument position - --> src/main.rs:6:11 - | -6 | foo::("".to_string()); - | ^^^ explicit generic argument not allowed - -``` - -However it would compile if `explicit_generic_args_with_impl_trait` is enabled. - -Note that the synthetic type parameters from `impl Trait` are still implicit and you -cannot explicitly specify these: - -```rust,compile_fail -#![feature(explicit_generic_args_with_impl_trait)] - -fn foo(_f: impl AsRef) {} -fn bar>(_f: F) {} - -fn main() { - bar::("".to_string()); // Okay - bar::("".to_string()); // Okay - - foo::("".to_string()); // Okay - foo::("".to_string()); // Error, you cannot specify `impl Trait` explicitly -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-const.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-const.md deleted file mode 100644 index 24a304437542..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-const.md +++ /dev/null @@ -1,52 +0,0 @@ -# `ffi_const` - -The tracking issue for this feature is: [#58328] - ------- - -The `#[ffi_const]` attribute applies clang's `const` attribute to foreign -functions declarations. - -That is, `#[ffi_const]` functions shall have no effects except for its return -value, which can only depend on the values of the function parameters, and is -not affected by changes to the observable state of the program. - -Applying the `#[ffi_const]` attribute to a function that violates these -requirements is undefined behaviour. - -This attribute enables Rust to perform common optimizations, like sub-expression -elimination, and it can avoid emitting some calls in repeated invocations of the -function with the same argument values regardless of other operations being -performed in between these functions calls (as opposed to `#[ffi_pure]` -functions). - -## Pitfalls - -A `#[ffi_const]` function can only read global memory that would not affect -its return value for the whole execution of the program (e.g. immutable global -memory). `#[ffi_const]` functions are referentially-transparent and therefore -more strict than `#[ffi_pure]` functions. - -A common pitfall involves applying the `#[ffi_const]` attribute to a -function that reads memory through pointer arguments which do not necessarily -point to immutable global memory. - -A `#[ffi_const]` function that returns unit has no effect on the abstract -machine's state, and a `#[ffi_const]` function cannot be `#[ffi_pure]`. - -A `#[ffi_const]` function must not diverge, neither via a side effect (e.g. a -call to `abort`) nor by infinite loops. - -When translating C headers to Rust FFI, it is worth verifying for which targets -the `const` attribute is enabled in those headers, and using the appropriate -`cfg` macros in the Rust side to match those definitions. While the semantics of -`const` are implemented identically by many C and C++ compilers, e.g., clang, -[GCC], [ARM C/C++ compiler], [IBM ILE C/C++], etc. they are not necessarily -implemented in this way on all of them. It is therefore also worth verifying -that the semantics of the C toolchain used to compile the binary being linked -against are compatible with those of the `#[ffi_const]`. - -[#58328]: https://github.com/rust-lang/rust/issues/58328 -[ARM C/C++ compiler]: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0491c/Cacgigch.html -[GCC]: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-const-function-attribute -[IBM ILE C/C++]: https://www.ibm.com/support/knowledgecenter/fr/ssw_ibm_i_71/rzarg/fn_attrib_const.htm diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-pure.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-pure.md deleted file mode 100644 index 236ccb9f9053..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-pure.md +++ /dev/null @@ -1,56 +0,0 @@ -# `ffi_pure` - -The tracking issue for this feature is: [#58329] - ------- - -The `#[ffi_pure]` attribute applies clang's `pure` attribute to foreign -functions declarations. - -That is, `#[ffi_pure]` functions shall have no effects except for its return -value, which shall not change across two consecutive function calls with -the same parameters. - -Applying the `#[ffi_pure]` attribute to a function that violates these -requirements is undefined behavior. - -This attribute enables Rust to perform common optimizations, like sub-expression -elimination and loop optimizations. Some common examples of pure functions are -`strlen` or `memcmp`. - -These optimizations are only applicable when the compiler can prove that no -program state observable by the `#[ffi_pure]` function has changed between calls -of the function, which could alter the result. See also the `#[ffi_const]` -attribute, which provides stronger guarantees regarding the allowable behavior -of a function, enabling further optimization. - -## Pitfalls - -A `#[ffi_pure]` function can read global memory through the function -parameters (e.g. pointers), globals, etc. `#[ffi_pure]` functions are not -referentially-transparent, and are therefore more relaxed than `#[ffi_const]` -functions. - -However, accessing global memory through volatile or atomic reads can violate the -requirement that two consecutive function calls shall return the same value. - -A `pure` function that returns unit has no effect on the abstract machine's -state. - -A `#[ffi_pure]` function must not diverge, neither via a side effect (e.g. a -call to `abort`) nor by infinite loops. - -When translating C headers to Rust FFI, it is worth verifying for which targets -the `pure` attribute is enabled in those headers, and using the appropriate -`cfg` macros in the Rust side to match those definitions. While the semantics of -`pure` are implemented identically by many C and C++ compilers, e.g., clang, -[GCC], [ARM C/C++ compiler], [IBM ILE C/C++], etc. they are not necessarily -implemented in this way on all of them. It is therefore also worth verifying -that the semantics of the C toolchain used to compile the binary being linked -against are compatible with those of the `#[ffi_pure]`. - - -[#58329]: https://github.com/rust-lang/rust/issues/58329 -[ARM C/C++ compiler]: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0491c/Cacigdac.html -[GCC]: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute -[IBM ILE C/C++]: https://www.ibm.com/support/knowledgecenter/fr/ssw_ibm_i_71/rzarg/fn_attrib_pure.htm diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/generators.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/generators.md deleted file mode 100644 index 7b865c9c679b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/generators.md +++ /dev/null @@ -1,246 +0,0 @@ -# `generators` - -The tracking issue for this feature is: [#43122] - -[#43122]: https://github.com/rust-lang/rust/issues/43122 - ------------------------- - -The `generators` feature gate in Rust allows you to define generator or -coroutine literals. A generator is a "resumable function" that syntactically -resembles a closure but compiles to much different semantics in the compiler -itself. The primary feature of a generator is that it can be suspended during -execution to be resumed at a later date. Generators use the `yield` keyword to -"return", and then the caller can `resume` a generator to resume execution just -after the `yield` keyword. - -Generators are an extra-unstable feature in the compiler right now. Added in -[RFC 2033] they're mostly intended right now as a information/constraint -gathering phase. The intent is that experimentation can happen on the nightly -compiler before actual stabilization. A further RFC will be required to -stabilize generators/coroutines and will likely contain at least a few small -tweaks to the overall design. - -[RFC 2033]: https://github.com/rust-lang/rfcs/pull/2033 - -A syntactical example of a generator is: - -```rust -#![feature(generators, generator_trait)] - -use std::ops::{Generator, GeneratorState}; -use std::pin::Pin; - -fn main() { - let mut generator = || { - yield 1; - return "foo" - }; - - match Pin::new(&mut generator).resume(()) { - GeneratorState::Yielded(1) => {} - _ => panic!("unexpected value from resume"), - } - match Pin::new(&mut generator).resume(()) { - GeneratorState::Complete("foo") => {} - _ => panic!("unexpected value from resume"), - } -} -``` - -Generators are closure-like literals which can contain a `yield` statement. The -`yield` statement takes an optional expression of a value to yield out of the -generator. All generator literals implement the `Generator` trait in the -`std::ops` module. The `Generator` trait has one main method, `resume`, which -resumes execution of the generator at the previous suspension point. - -An example of the control flow of generators is that the following example -prints all numbers in order: - -```rust -#![feature(generators, generator_trait)] - -use std::ops::Generator; -use std::pin::Pin; - -fn main() { - let mut generator = || { - println!("2"); - yield; - println!("4"); - }; - - println!("1"); - Pin::new(&mut generator).resume(()); - println!("3"); - Pin::new(&mut generator).resume(()); - println!("5"); -} -``` - -At this time the main intended use case of generators is an implementation -primitive for async/await syntax, but generators will likely be extended to -ergonomic implementations of iterators and other primitives in the future. -Feedback on the design and usage is always appreciated! - -### The `Generator` trait - -The `Generator` trait in `std::ops` currently looks like: - -```rust -# #![feature(arbitrary_self_types, generator_trait)] -# use std::ops::GeneratorState; -# use std::pin::Pin; - -pub trait Generator { - type Yield; - type Return; - fn resume(self: Pin<&mut Self>, resume: R) -> GeneratorState; -} -``` - -The `Generator::Yield` type is the type of values that can be yielded with the -`yield` statement. The `Generator::Return` type is the returned type of the -generator. This is typically the last expression in a generator's definition or -any value passed to `return` in a generator. The `resume` function is the entry -point for executing the `Generator` itself. - -The return value of `resume`, `GeneratorState`, looks like: - -```rust -pub enum GeneratorState { - Yielded(Y), - Complete(R), -} -``` - -The `Yielded` variant indicates that the generator can later be resumed. This -corresponds to a `yield` point in a generator. The `Complete` variant indicates -that the generator is complete and cannot be resumed again. Calling `resume` -after a generator has returned `Complete` will likely result in a panic of the -program. - -### Closure-like semantics - -The closure-like syntax for generators alludes to the fact that they also have -closure-like semantics. Namely: - -* When created, a generator executes no code. A closure literal does not - actually execute any of the closure's code on construction, and similarly a - generator literal does not execute any code inside the generator when - constructed. - -* Generators can capture outer variables by reference or by move, and this can - be tweaked with the `move` keyword at the beginning of the closure. Like - closures all generators will have an implicit environment which is inferred by - the compiler. Outer variables can be moved into a generator for use as the - generator progresses. - -* Generator literals produce a value with a unique type which implements the - `std::ops::Generator` trait. This allows actual execution of the generator - through the `Generator::resume` method as well as also naming it in return - types and such. - -* Traits like `Send` and `Sync` are automatically implemented for a `Generator` - depending on the captured variables of the environment. Unlike closures, - generators also depend on variables live across suspension points. This means - that although the ambient environment may be `Send` or `Sync`, the generator - itself may not be due to internal variables live across `yield` points being - not-`Send` or not-`Sync`. Note that generators do - not implement traits like `Copy` or `Clone` automatically. - -* Whenever a generator is dropped it will drop all captured environment - variables. - -### Generators as state machines - -In the compiler, generators are currently compiled as state machines. Each -`yield` expression will correspond to a different state that stores all live -variables over that suspension point. Resumption of a generator will dispatch on -the current state and then execute internally until a `yield` is reached, at -which point all state is saved off in the generator and a value is returned. - -Let's take a look at an example to see what's going on here: - -```rust -#![feature(generators, generator_trait)] - -use std::ops::Generator; -use std::pin::Pin; - -fn main() { - let ret = "foo"; - let mut generator = move || { - yield 1; - return ret - }; - - Pin::new(&mut generator).resume(()); - Pin::new(&mut generator).resume(()); -} -``` - -This generator literal will compile down to something similar to: - -```rust -#![feature(arbitrary_self_types, generators, generator_trait)] - -use std::ops::{Generator, GeneratorState}; -use std::pin::Pin; - -fn main() { - let ret = "foo"; - let mut generator = { - enum __Generator { - Start(&'static str), - Yield1(&'static str), - Done, - } - - impl Generator for __Generator { - type Yield = i32; - type Return = &'static str; - - fn resume(mut self: Pin<&mut Self>, resume: ()) -> GeneratorState { - use std::mem; - match mem::replace(&mut *self, __Generator::Done) { - __Generator::Start(s) => { - *self = __Generator::Yield1(s); - GeneratorState::Yielded(1) - } - - __Generator::Yield1(s) => { - *self = __Generator::Done; - GeneratorState::Complete(s) - } - - __Generator::Done => { - panic!("generator resumed after completion") - } - } - } - } - - __Generator::Start(ret) - }; - - Pin::new(&mut generator).resume(()); - Pin::new(&mut generator).resume(()); -} -``` - -Notably here we can see that the compiler is generating a fresh type, -`__Generator` in this case. This type has a number of states (represented here -as an `enum`) corresponding to each of the conceptual states of the generator. -At the beginning we're closing over our outer variable `foo` and then that -variable is also live over the `yield` point, so it's stored in both states. - -When the generator starts it'll immediately yield 1, but it saves off its state -just before it does so indicating that it has reached the yield point. Upon -resuming again we'll execute the `return ret` which returns the `Complete` -state. - -Here we can also note that the `Done` state, if resumed, panics immediately as -it's invalid to resume a completed generator. It's also worth noting that this -is just a rough desugaring, not a normative specification for what the compiler -does. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/half-open-range-patterns.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/half-open-range-patterns.md deleted file mode 100644 index 3b16dd049ce3..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/half-open-range-patterns.md +++ /dev/null @@ -1,27 +0,0 @@ -# `half_open_range_patterns` - -The tracking issue for this feature is: [#67264] -It is part of the `#![exclusive_range_pattern]` feature, -tracked at [#37854]. - -[#67264]: https://github.com/rust-lang/rust/issues/67264 -[#37854]: https://github.com/rust-lang/rust/issues/37854 ------ - -The `half_open_range_patterns` feature allows RangeTo patterns -(`..10`) to be used in appropriate pattern matching contexts. -This requires also enabling the `exclusive_range_pattern` feature. - -It also enabled RangeFrom patterns but that has since been -stabilized. - -```rust -#![feature(half_open_range_patterns)] -#![feature(exclusive_range_pattern)] - let x = 5; - match x { - ..0 => println!("negative!"), // "RangeTo" pattern. Unstable. - 0 => println!("zero!"), - 1.. => println!("positive!"), // "RangeFrom" pattern. Stable. - } -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/infer-static-outlives-requirements.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/infer-static-outlives-requirements.md deleted file mode 100644 index 5f3f1b4dd8a3..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/infer-static-outlives-requirements.md +++ /dev/null @@ -1,44 +0,0 @@ -# `infer_static_outlives_requirements` - -The tracking issue for this feature is: [#54185] - -[#54185]: https://github.com/rust-lang/rust/issues/54185 - ------------------------- -The `infer_static_outlives_requirements` feature indicates that certain -`'static` outlives requirements can be inferred by the compiler rather than -stating them explicitly. - -Note: It is an accompanying feature to `infer_outlives_requirements`, -which must be enabled to infer outlives requirements. - -For example, currently generic struct definitions that contain -references, require where-clauses of the form T: 'static. By using -this feature the outlives predicates will be inferred, although -they may still be written explicitly. - -```rust,ignore (pseudo-Rust) -struct Foo where U: 'static { // <-- currently required - bar: Bar -} -struct Bar { - x: T, -} -``` - - -## Examples: - -```rust,ignore (pseudo-Rust) -#![feature(infer_outlives_requirements)] -#![feature(infer_static_outlives_requirements)] - -#[rustc_outlives] -// Implicitly infer U: 'static -struct Foo { - bar: Bar -} -struct Bar { - x: T, -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const-pat.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const-pat.md deleted file mode 100644 index 5f0f7547a0a8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const-pat.md +++ /dev/null @@ -1,24 +0,0 @@ -# `inline_const_pat` - -The tracking issue for this feature is: [#76001] - -See also [`inline_const`](inline-const.md) - ------- - -This feature allows you to use inline constant expressions in pattern position: - -```rust -#![feature(inline_const_pat)] - -const fn one() -> i32 { 1 } - -let some_int = 3; -match some_int { - const { 1 + 2 } => println!("Matched 1 + 2"), - const { one() } => println!("Matched const fn returning 1"), - _ => println!("Didn't match anything :("), -} -``` - -[#76001]: https://github.com/rust-lang/rust/issues/76001 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const.md deleted file mode 100644 index 7be70eed6ced..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const.md +++ /dev/null @@ -1,32 +0,0 @@ -# `inline_const` - -The tracking issue for this feature is: [#76001] - -See also [`inline_const_pat`](inline-const-pat.md) - ------- - -This feature allows you to use inline constant expressions. For example, you can -turn this code: - -```rust -# fn add_one(x: i32) -> i32 { x + 1 } -const MY_COMPUTATION: i32 = 1 + 2 * 3 / 4; - -fn main() { - let x = add_one(MY_COMPUTATION); -} -``` - -into this code: - -```rust -#![feature(inline_const)] - -# fn add_one(x: i32) -> i32 { x + 1 } -fn main() { - let x = add_one(const { 1 + 2 * 3 / 4 }); -} -``` - -[#76001]: https://github.com/rust-lang/rust/issues/76001 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intra-doc-pointers.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/intra-doc-pointers.md deleted file mode 100644 index fbc83f4b4f48..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intra-doc-pointers.md +++ /dev/null @@ -1,15 +0,0 @@ -# `intra-doc-pointers` - -The tracking issue for this feature is: [#80896] - -[#80896]: https://github.com/rust-lang/rust/issues/80896 - ------------------------- - -Rustdoc does not currently allow disambiguating between `*const` and `*mut`, and -raw pointers in intra-doc links are unstable until it does. - -```rust -#![feature(intra_doc_pointers)] -//! [pointer::add] -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intrinsics.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/intrinsics.md deleted file mode 100644 index a0fb4e743d3f..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intrinsics.md +++ /dev/null @@ -1,29 +0,0 @@ -# `intrinsics` - -The tracking issue for this feature is: None. - -Intrinsics are never intended to be stable directly, but intrinsics are often -exported in some sort of stable manner. Prefer using the stable interfaces to -the intrinsic directly when you can. - ------------------------- - - -These are imported as if they were FFI functions, with the special -`rust-intrinsic` ABI. For example, if one was in a freestanding -context, but wished to be able to `transmute` between types, and -perform efficient pointer arithmetic, one would import those functions -via a declaration like - -```rust -#![feature(intrinsics)] -# fn main() {} - -extern "rust-intrinsic" { - fn transmute(x: T) -> U; - - fn offset(dst: *const T, offset: isize) -> *const T; -} -``` - -As with any other FFI functions, these are always `unsafe` to call. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/lang-items.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/lang-items.md deleted file mode 100644 index 86bedb51538b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/lang-items.md +++ /dev/null @@ -1,295 +0,0 @@ -# `lang_items` - -The tracking issue for this feature is: None. - ------------------------- - -The `rustc` compiler has certain pluggable operations, that is, -functionality that isn't hard-coded into the language, but is -implemented in libraries, with a special marker to tell the compiler -it exists. The marker is the attribute `#[lang = "..."]` and there are -various different values of `...`, i.e. various different 'lang -items'. - -For example, `Box` pointers require two lang items, one for allocation -and one for deallocation. A freestanding program that uses the `Box` -sugar for dynamic allocations via `malloc` and `free`: - -```rust,ignore (libc-is-finicky) -#![feature(lang_items, box_syntax, start, libc, core_intrinsics, rustc_private)] -#![no_std] -use core::intrinsics; -use core::panic::PanicInfo; - -extern crate libc; - -#[lang = "owned_box"] -pub struct Box(*mut T); - -#[lang = "exchange_malloc"] -unsafe fn allocate(size: usize, _align: usize) -> *mut u8 { - let p = libc::malloc(size as libc::size_t) as *mut u8; - - // Check if `malloc` failed: - if p as usize == 0 { - intrinsics::abort(); - } - - p -} - -#[lang = "box_free"] -unsafe fn box_free(ptr: *mut T) { - libc::free(ptr as *mut libc::c_void) -} - -#[start] -fn main(_argc: isize, _argv: *const *const u8) -> isize { - let _x = box 1; - - 0 -} - -#[lang = "eh_personality"] extern fn rust_eh_personality() {} -#[lang = "panic_impl"] extern fn rust_begin_panic(info: &PanicInfo) -> ! { unsafe { intrinsics::abort() } } -#[no_mangle] pub extern fn rust_eh_register_frames () {} -#[no_mangle] pub extern fn rust_eh_unregister_frames () {} -``` - -Note the use of `abort`: the `exchange_malloc` lang item is assumed to -return a valid pointer, and so needs to do the check internally. - -Other features provided by lang items include: - -- overloadable operators via traits: the traits corresponding to the - `==`, `<`, dereferencing (`*`) and `+` (etc.) operators are all - marked with lang items; those specific four are `eq`, `ord`, - `deref`, and `add` respectively. -- stack unwinding and general failure; the `eh_personality`, - `panic` and `panic_bounds_check` lang items. -- the traits in `std::marker` used to indicate types of - various kinds; lang items `send`, `sync` and `copy`. -- the marker types and variance indicators found in - `std::marker`; lang items `covariant_type`, - `contravariant_lifetime`, etc. - -Lang items are loaded lazily by the compiler; e.g. if one never uses -`Box` then there is no need to define functions for `exchange_malloc` -and `box_free`. `rustc` will emit an error when an item is needed -but not found in the current crate or any that it depends on. - -Most lang items are defined by `libcore`, but if you're trying to build -an executable without the standard library, you'll run into the need -for lang items. The rest of this page focuses on this use-case, even though -lang items are a bit broader than that. - -### Using libc - -In order to build a `#[no_std]` executable we will need libc as a dependency. -We can specify this using our `Cargo.toml` file: - -```toml -[dependencies] -libc = { version = "0.2.14", default-features = false } -``` - -Note that the default features have been disabled. This is a critical step - -**the default features of libc include the standard library and so must be -disabled.** - -### Writing an executable without stdlib - -Controlling the entry point is possible in two ways: the `#[start]` attribute, -or overriding the default shim for the C `main` function with your own. - -The function marked `#[start]` is passed the command line parameters -in the same format as C: - -```rust,ignore (libc-is-finicky) -#![feature(lang_items, core_intrinsics, rustc_private)] -#![feature(start)] -#![no_std] -use core::intrinsics; -use core::panic::PanicInfo; - -// Pull in the system libc library for what crt0.o likely requires. -extern crate libc; - -// Entry point for this program. -#[start] -fn start(_argc: isize, _argv: *const *const u8) -> isize { - 0 -} - -// These functions are used by the compiler, but not -// for a bare-bones hello world. These are normally -// provided by libstd. -#[lang = "eh_personality"] -#[no_mangle] -pub extern fn rust_eh_personality() { -} - -#[lang = "panic_impl"] -#[no_mangle] -pub extern fn rust_begin_panic(info: &PanicInfo) -> ! { - unsafe { intrinsics::abort() } -} -``` - -To override the compiler-inserted `main` shim, one has to disable it -with `#![no_main]` and then create the appropriate symbol with the -correct ABI and the correct name, which requires overriding the -compiler's name mangling too: - -```rust,ignore (libc-is-finicky) -#![feature(lang_items, core_intrinsics, rustc_private)] -#![feature(start)] -#![no_std] -#![no_main] -use core::intrinsics; -use core::panic::PanicInfo; - -// Pull in the system libc library for what crt0.o likely requires. -extern crate libc; - -// Entry point for this program. -#[no_mangle] // ensure that this symbol is called `main` in the output -pub extern fn main(_argc: i32, _argv: *const *const u8) -> i32 { - 0 -} - -// These functions are used by the compiler, but not -// for a bare-bones hello world. These are normally -// provided by libstd. -#[lang = "eh_personality"] -#[no_mangle] -pub extern fn rust_eh_personality() { -} - -#[lang = "panic_impl"] -#[no_mangle] -pub extern fn rust_begin_panic(info: &PanicInfo) -> ! { - unsafe { intrinsics::abort() } -} -``` - -In many cases, you may need to manually link to the `compiler_builtins` crate -when building a `no_std` binary. You may observe this via linker error messages -such as "```undefined reference to `__rust_probestack'```". - -## More about the language items - -The compiler currently makes a few assumptions about symbols which are -available in the executable to call. Normally these functions are provided by -the standard library, but without it you must define your own. These symbols -are called "language items", and they each have an internal name, and then a -signature that an implementation must conform to. - -The first of these functions, `rust_eh_personality`, is used by the failure -mechanisms of the compiler. This is often mapped to GCC's personality function -(see the [libstd implementation][unwind] for more information), but crates -which do not trigger a panic can be assured that this function is never -called. The language item's name is `eh_personality`. - -[unwind]: https://github.com/rust-lang/rust/blob/master/library/panic_unwind/src/gcc.rs - -The second function, `rust_begin_panic`, is also used by the failure mechanisms of the -compiler. When a panic happens, this controls the message that's displayed on -the screen. While the language item's name is `panic_impl`, the symbol name is -`rust_begin_panic`. - -Finally, a `eh_catch_typeinfo` static is needed for certain targets which -implement Rust panics on top of C++ exceptions. - -## List of all language items - -This is a list of all language items in Rust along with where they are located in -the source code. - -- Primitives - - `i8`: `libcore/num/mod.rs` - - `i16`: `libcore/num/mod.rs` - - `i32`: `libcore/num/mod.rs` - - `i64`: `libcore/num/mod.rs` - - `i128`: `libcore/num/mod.rs` - - `isize`: `libcore/num/mod.rs` - - `u8`: `libcore/num/mod.rs` - - `u16`: `libcore/num/mod.rs` - - `u32`: `libcore/num/mod.rs` - - `u64`: `libcore/num/mod.rs` - - `u128`: `libcore/num/mod.rs` - - `usize`: `libcore/num/mod.rs` - - `f32`: `libstd/f32.rs` - - `f64`: `libstd/f64.rs` - - `char`: `libcore/char.rs` - - `slice`: `liballoc/slice.rs` - - `str`: `liballoc/str.rs` - - `const_ptr`: `libcore/ptr.rs` - - `mut_ptr`: `libcore/ptr.rs` - - `unsafe_cell`: `libcore/cell.rs` -- Runtime - - `start`: `libstd/rt.rs` - - `eh_personality`: `libpanic_unwind/emcc.rs` (EMCC) - - `eh_personality`: `libpanic_unwind/gcc.rs` (GNU) - - `eh_personality`: `libpanic_unwind/seh.rs` (SEH) - - `eh_catch_typeinfo`: `libpanic_unwind/emcc.rs` (EMCC) - - `panic`: `libcore/panicking.rs` - - `panic_bounds_check`: `libcore/panicking.rs` - - `panic_impl`: `libcore/panicking.rs` - - `panic_impl`: `libstd/panicking.rs` -- Allocations - - `owned_box`: `liballoc/boxed.rs` - - `exchange_malloc`: `liballoc/heap.rs` - - `box_free`: `liballoc/heap.rs` -- Operands - - `not`: `libcore/ops/bit.rs` - - `bitand`: `libcore/ops/bit.rs` - - `bitor`: `libcore/ops/bit.rs` - - `bitxor`: `libcore/ops/bit.rs` - - `shl`: `libcore/ops/bit.rs` - - `shr`: `libcore/ops/bit.rs` - - `bitand_assign`: `libcore/ops/bit.rs` - - `bitor_assign`: `libcore/ops/bit.rs` - - `bitxor_assign`: `libcore/ops/bit.rs` - - `shl_assign`: `libcore/ops/bit.rs` - - `shr_assign`: `libcore/ops/bit.rs` - - `deref`: `libcore/ops/deref.rs` - - `deref_mut`: `libcore/ops/deref.rs` - - `index`: `libcore/ops/index.rs` - - `index_mut`: `libcore/ops/index.rs` - - `add`: `libcore/ops/arith.rs` - - `sub`: `libcore/ops/arith.rs` - - `mul`: `libcore/ops/arith.rs` - - `div`: `libcore/ops/arith.rs` - - `rem`: `libcore/ops/arith.rs` - - `neg`: `libcore/ops/arith.rs` - - `add_assign`: `libcore/ops/arith.rs` - - `sub_assign`: `libcore/ops/arith.rs` - - `mul_assign`: `libcore/ops/arith.rs` - - `div_assign`: `libcore/ops/arith.rs` - - `rem_assign`: `libcore/ops/arith.rs` - - `eq`: `libcore/cmp.rs` - - `ord`: `libcore/cmp.rs` -- Functions - - `fn`: `libcore/ops/function.rs` - - `fn_mut`: `libcore/ops/function.rs` - - `fn_once`: `libcore/ops/function.rs` - - `generator_state`: `libcore/ops/generator.rs` - - `generator`: `libcore/ops/generator.rs` -- Other - - `coerce_unsized`: `libcore/ops/unsize.rs` - - `drop`: `libcore/ops/drop.rs` - - `drop_in_place`: `libcore/ptr.rs` - - `clone`: `libcore/clone.rs` - - `copy`: `libcore/marker.rs` - - `send`: `libcore/marker.rs` - - `sized`: `libcore/marker.rs` - - `unsize`: `libcore/marker.rs` - - `sync`: `libcore/marker.rs` - - `phantom_data`: `libcore/marker.rs` - - `discriminant_kind`: `libcore/marker.rs` - - `freeze`: `libcore/marker.rs` - - `debug_trait`: `libcore/fmt/mod.rs` - - `non_zero`: `libcore/nonzero.rs` - - `arc`: `liballoc/sync.rs` - - `rc`: `liballoc/rc.rs` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/link-cfg.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/link-cfg.md deleted file mode 100644 index ee0fd5bf8698..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/link-cfg.md +++ /dev/null @@ -1,5 +0,0 @@ -# `link_cfg` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/marker-trait-attr.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/marker-trait-attr.md deleted file mode 100644 index be350cd61696..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/marker-trait-attr.md +++ /dev/null @@ -1,35 +0,0 @@ -# `marker_trait_attr` - -The tracking issue for this feature is: [#29864] - -[#29864]: https://github.com/rust-lang/rust/issues/29864 - ------------------------- - -Normally, Rust keeps you from adding trait implementations that could -overlap with each other, as it would be ambiguous which to use. This -feature, however, carves out an exception to that rule: a trait can -opt-in to having overlapping implementations, at the cost that those -implementations are not allowed to override anything (and thus the -trait itself cannot have any associated items, as they're pointless -when they'd need to do the same thing for every type anyway). - -```rust -#![feature(marker_trait_attr)] - -#[marker] trait CheapToClone: Clone {} - -impl CheapToClone for T {} - -// These could potentially overlap with the blanket implementation above, -// so are only allowed because CheapToClone is a marker trait. -impl CheapToClone for (T, U) {} -impl CheapToClone for std::ops::Range {} - -fn cheap_clone(t: T) -> T { - t.clone() -} -``` - -This is expected to replace the unstable `overlapping_marker_traits` -feature, which applied to all empty traits (without needing an opt-in). diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/more-qualified-paths.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/more-qualified-paths.md deleted file mode 100644 index 857af577a6cf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/more-qualified-paths.md +++ /dev/null @@ -1,29 +0,0 @@ -# `more_qualified_paths` - -The `more_qualified_paths` feature can be used in order to enable the -use of qualified paths in patterns. - -## Example - -```rust -#![feature(more_qualified_paths)] - -fn main() { - // destructure through a qualified path - let ::Assoc { br } = StructStruct { br: 2 }; -} - -struct StructStruct { - br: i8, -} - -struct Foo; - -trait A { - type Assoc; -} - -impl A for Foo { - type Assoc = StructStruct; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-as-needed.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-as-needed.md deleted file mode 100644 index 1757673612c4..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-as-needed.md +++ /dev/null @@ -1,18 +0,0 @@ -# `native_link_modifiers_as_needed` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_as_needed` feature allows you to use the `as-needed` modifier. - -`as-needed` is only compatible with the `dynamic` and `framework` linking kinds. Using any other kind will result in a compiler error. - -`+as-needed` means that the library will be actually linked only if it satisfies some undefined symbols at the point at which it is specified on the command line, making it similar to static libraries in this regard. - -This modifier translates to `--as-needed` for ld-like linkers, and to `-dead_strip_dylibs` / `-needed_library` / `-needed_framework` for ld64. -The modifier does nothing for linkers that don't support it (e.g. `link.exe`). - -The default for this modifier is unclear, some targets currently specify it as `+as-needed`, some do not. We may want to try making `+as-needed` a default for all targets. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-bundle.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-bundle.md deleted file mode 100644 index ac192cff13a3..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-bundle.md +++ /dev/null @@ -1,19 +0,0 @@ -# `native_link_modifiers_bundle` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_bundle` feature allows you to use the `bundle` modifier. - -Only compatible with the `static` linking kind. Using any other kind will result in a compiler error. - -`+bundle` means objects from the static library are bundled into the produced crate (a rlib, for example) and are used from this crate later during linking of the final binary. - -`-bundle` means the static library is included into the produced rlib "by name" and object files from it are included only during linking of the final binary, the file search by that name is also performed during final linking. - -This modifier is supposed to supersede the `static-nobundle` linking kind defined by [RFC 1717](https://github.com/rust-lang/rfcs/pull/1717). - -The default for this modifier is currently `+bundle`, but it could be changed later on some future edition boundary. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-verbatim.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-verbatim.md deleted file mode 100644 index 02bd87e50956..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-verbatim.md +++ /dev/null @@ -1,20 +0,0 @@ -# `native_link_modifiers_verbatim` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_verbatim` feature allows you to use the `verbatim` modifier. - -`+verbatim` means that rustc itself won't add any target-specified library prefixes or suffixes (like `lib` or `.a`) to the library name, and will try its best to ask for the same thing from the linker. - -For `ld`-like linkers rustc will use the `-l:filename` syntax (note the colon) when passing the library, so the linker won't add any prefixes or suffixes as well. -See [`-l namespec`](https://sourceware.org/binutils/docs/ld/Options.html) in ld documentation for more details. -For linkers not supporting any verbatim modifiers (e.g. `link.exe` or `ld64`) the library name will be passed as is. - -The default for this modifier is `-verbatim`. - -This RFC changes the behavior of `raw-dylib` linking kind specified by [RFC 2627](https://github.com/rust-lang/rfcs/pull/2627). The `.dll` suffix (or other target-specified suffixes for other targets) is now added automatically. -If your DLL doesn't have the `.dll` suffix, it can be specified with `+verbatim`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-whole-archive.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-whole-archive.md deleted file mode 100644 index 4961e88cad1e..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-whole-archive.md +++ /dev/null @@ -1,18 +0,0 @@ -# `native_link_modifiers_whole_archive` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_whole_archive` feature allows you to use the `whole-archive` modifier. - -Only compatible with the `static` linking kind. Using any other kind will result in a compiler error. - -`+whole-archive` means that the static library is linked as a whole archive without throwing any object files away. - -This modifier translates to `--whole-archive` for `ld`-like linkers, to `/WHOLEARCHIVE` for `link.exe`, and to `-force_load` for `ld64`. -The modifier does nothing for linkers that don't support it. - -The default for this modifier is `-whole-archive`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers.md deleted file mode 100644 index fc8b57546217..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers.md +++ /dev/null @@ -1,11 +0,0 @@ -# `native_link_modifiers` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers` feature allows you to use the `modifiers` syntax with the `#[link(..)]` attribute. - -Modifiers are specified as a comma-delimited string with each modifier prefixed with either a `+` or `-` to indicate that the modifier is enabled or disabled, respectively. The last boolean value specified for a given modifier wins. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/negative-impls.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/negative-impls.md deleted file mode 100644 index 151520f0e4ab..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/negative-impls.md +++ /dev/null @@ -1,57 +0,0 @@ -# `negative_impls` - -The tracking issue for this feature is [#68318]. - -[#68318]: https://github.com/rust-lang/rust/issues/68318 - ----- - -With the feature gate `negative_impls`, you can write negative impls as well as positive ones: - -```rust -#![feature(negative_impls)] -trait DerefMut { } -impl !DerefMut for &T { } -``` - -Negative impls indicate a semver guarantee that the given trait will not be implemented for the given types. Negative impls play an additional purpose for auto traits, described below. - -Negative impls have the following characteristics: - -* They do not have any items. -* They must obey the orphan rules as if they were a positive impl. -* They cannot "overlap" with any positive impls. - -## Semver interaction - -It is a breaking change to remove a negative impl. Negative impls are a commitment not to implement the given trait for the named types. - -## Orphan and overlap rules - -Negative impls must obey the same orphan rules as a positive impl. This implies you cannot add a negative impl for types defined in upstream crates and so forth. - -Similarly, negative impls cannot overlap with positive impls, again using the same "overlap" check that we ordinarily use to determine if two impls overlap. (Note that positive impls typically cannot overlap with one another either, except as permitted by specialization.) - -## Interaction with auto traits - -Declaring a negative impl `impl !SomeAutoTrait for SomeType` for an -auto-trait serves two purposes: - -* as with any trait, it declares that `SomeType` will never implement `SomeAutoTrait`; -* it disables the automatic `SomeType: SomeAutoTrait` impl that would otherwise have been generated. - -Note that, at present, there is no way to indicate that a given type -does not implement an auto trait *but that it may do so in the -future*. For ordinary types, this is done by simply not declaring any -impl at all, but that is not an option for auto traits. A workaround -is that one could embed a marker type as one of the fields, where the -marker type is `!AutoTrait`. - -## Immediate uses - -Negative impls are used to declare that `&T: !DerefMut` and `&mut T: !Clone`, as required to fix the soundness of `Pin` described in [#66544](https://github.com/rust-lang/rust/issues/66544). - -This serves two purposes: - -* For proving the correctness of unsafe code, we can use that impl as evidence that no `DerefMut` or `Clone` impl exists. -* It prevents downstream crates from creating such impls. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-coverage.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-coverage.md deleted file mode 100644 index 327cdb39791a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-coverage.md +++ /dev/null @@ -1,30 +0,0 @@ -# `no_coverage` - -The tracking issue for this feature is: [#84605] - -[#84605]: https://github.com/rust-lang/rust/issues/84605 - ---- - -The `no_coverage` attribute can be used to selectively disable coverage -instrumentation in an annotated function. This might be useful to: - -- Avoid instrumentation overhead in a performance critical function -- Avoid generating coverage for a function that is not meant to be executed, - but still target 100% coverage for the rest of the program. - -## Example - -```rust -#![feature(no_coverage)] - -// `foo()` will get coverage instrumentation (by default) -fn foo() { - // ... -} - -#[no_coverage] -fn bar() { - // ... -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-sanitize.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-sanitize.md deleted file mode 100644 index 28c683934d4e..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-sanitize.md +++ /dev/null @@ -1,29 +0,0 @@ -# `no_sanitize` - -The tracking issue for this feature is: [#39699] - -[#39699]: https://github.com/rust-lang/rust/issues/39699 - ------------------------- - -The `no_sanitize` attribute can be used to selectively disable sanitizer -instrumentation in an annotated function. This might be useful to: avoid -instrumentation overhead in a performance critical function, or avoid -instrumenting code that contains constructs unsupported by given sanitizer. - -The precise effect of this annotation depends on particular sanitizer in use. -For example, with `no_sanitize(thread)`, the thread sanitizer will no longer -instrument non-atomic store / load operations, but it will instrument atomic -operations to avoid reporting false positives and provide meaning full stack -traces. - -## Examples - -``` rust -#![feature(no_sanitize)] - -#[no_sanitize(address)] -fn foo() { - // ... -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/plugin.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/plugin.md deleted file mode 100644 index 040f46f8b7c7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/plugin.md +++ /dev/null @@ -1,116 +0,0 @@ -# `plugin` - -The tracking issue for this feature is: [#29597] - -[#29597]: https://github.com/rust-lang/rust/issues/29597 - - -This feature is part of "compiler plugins." It will often be used with the -`rustc_private` feature. - ------------------------- - -`rustc` can load compiler plugins, which are user-provided libraries that -extend the compiler's behavior with new lint checks, etc. - -A plugin is a dynamic library crate with a designated *registrar* function that -registers extensions with `rustc`. Other crates can load these extensions using -the crate attribute `#![plugin(...)]`. See the -`rustc_driver::plugin` documentation for more about the -mechanics of defining and loading a plugin. - -In the vast majority of cases, a plugin should *only* be used through -`#![plugin]` and not through an `extern crate` item. Linking a plugin would -pull in all of librustc_ast and librustc as dependencies of your crate. This is -generally unwanted unless you are building another plugin. - -The usual practice is to put compiler plugins in their own crate, separate from -any `macro_rules!` macros or ordinary Rust code meant to be used by consumers -of a library. - -# Lint plugins - -Plugins can extend [Rust's lint -infrastructure](../../reference/attributes/diagnostics.md#lint-check-attributes) with -additional checks for code style, safety, etc. Now let's write a plugin -[`lint-plugin-test.rs`](https://github.com/rust-lang/rust/blob/master/src/test/ui-fulldeps/auxiliary/lint-plugin-test.rs) -that warns about any item named `lintme`. - -```rust,ignore (requires-stage-2) -#![feature(box_syntax, rustc_private)] - -extern crate rustc_ast; - -// Load rustc as a plugin to get macros -extern crate rustc_driver; -#[macro_use] -extern crate rustc_lint; -#[macro_use] -extern crate rustc_session; - -use rustc_driver::plugin::Registry; -use rustc_lint::{EarlyContext, EarlyLintPass, LintArray, LintContext, LintPass}; -use rustc_ast::ast; -declare_lint!(TEST_LINT, Warn, "Warn about items named 'lintme'"); - -declare_lint_pass!(Pass => [TEST_LINT]); - -impl EarlyLintPass for Pass { - fn check_item(&mut self, cx: &EarlyContext, it: &ast::Item) { - if it.ident.name.as_str() == "lintme" { - cx.lint(TEST_LINT, |lint| { - lint.build("item is named 'lintme'").set_span(it.span).emit() - }); - } - } -} - -#[no_mangle] -fn __rustc_plugin_registrar(reg: &mut Registry) { - reg.lint_store.register_lints(&[&TEST_LINT]); - reg.lint_store.register_early_pass(|| box Pass); -} -``` - -Then code like - -```rust,ignore (requires-plugin) -#![feature(plugin)] -#![plugin(lint_plugin_test)] - -fn lintme() { } -``` - -will produce a compiler warning: - -```txt -foo.rs:4:1: 4:16 warning: item is named 'lintme', #[warn(test_lint)] on by default -foo.rs:4 fn lintme() { } - ^~~~~~~~~~~~~~~ -``` - -The components of a lint plugin are: - -* one or more `declare_lint!` invocations, which define static `Lint` structs; - -* a struct holding any state needed by the lint pass (here, none); - -* a `LintPass` - implementation defining how to check each syntax element. A single - `LintPass` may call `span_lint` for several different `Lint`s, but should - register them all through the `get_lints` method. - -Lint passes are syntax traversals, but they run at a late stage of compilation -where type information is available. `rustc`'s [built-in -lints](https://github.com/rust-lang/rust/blob/master/src/librustc_session/lint/builtin.rs) -mostly use the same infrastructure as lint plugins, and provide examples of how -to access type information. - -Lints defined by plugins are controlled by the usual [attributes and compiler -flags](../../reference/attributes/diagnostics.md#lint-check-attributes), e.g. -`#[allow(test_lint)]` or `-A test-lint`. These identifiers are derived from the -first argument to `declare_lint!`, with appropriate case and punctuation -conversion. - -You can run `rustc -W help foo.rs` to see a list of lints known to `rustc`, -including those provided by plugins loaded by `foo.rs`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/profiler-runtime.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/profiler-runtime.md deleted file mode 100644 index aee86f63952a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/profiler-runtime.md +++ /dev/null @@ -1,5 +0,0 @@ -# `profiler_runtime` - -The tracking issue for this feature is: [#42524](https://github.com/rust-lang/rust/issues/42524). - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/raw-dylib.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/raw-dylib.md deleted file mode 100644 index 23fc5b3052d8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/raw-dylib.md +++ /dev/null @@ -1,34 +0,0 @@ -# `raw_dylib` - -The tracking issue for this feature is: [#58713] - -[#58713]: https://github.com/rust-lang/rust/issues/58713 - ------------------------- - -The `raw_dylib` feature allows you to link against the implementations of functions in an `extern` -block without, on Windows, linking against an import library. - -```rust,ignore (partial-example) -#![feature(raw_dylib)] - -#[link(name="library", kind="raw-dylib")] -extern { - fn extern_function(x: i32); -} - -fn main() { - unsafe { - extern_function(14); - } -} -``` - -## Limitations - -Currently, this feature is only supported on `-windows-msvc` targets. Non-Windows platforms don't have import -libraries, and an incompatibility between LLVM and the BFD linker means that it is not currently supported on -`-windows-gnu` targets. - -On the `i686-pc-windows-msvc` target, this feature supports only the `cdecl`, `stdcall`, `system`, and `fastcall` -calling conventions. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/repr128.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/repr128.md deleted file mode 100644 index 146f50ee67b5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/repr128.md +++ /dev/null @@ -1,18 +0,0 @@ -# `repr128` - -The tracking issue for this feature is: [#56071] - -[#56071]: https://github.com/rust-lang/rust/issues/56071 - ------------------------- - -The `repr128` feature adds support for `#[repr(u128)]` on `enum`s. - -```rust -#![feature(repr128)] - -#[repr(u128)] -enum Foo { - Bar(u64), -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/rustc-attrs.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/rustc-attrs.md deleted file mode 100644 index c67b806f06af..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/rustc-attrs.md +++ /dev/null @@ -1,53 +0,0 @@ -# `rustc_attrs` - -This feature has no tracking issue, and is therefore internal to -the compiler, not being intended for general use. - -Note: `rustc_attrs` enables many rustc-internal attributes and this page -only discuss a few of them. - ------------------------- - -The `rustc_attrs` feature allows debugging rustc type layouts by using -`#[rustc_layout(...)]` to debug layout at compile time (it even works -with `cargo check`) as an alternative to `rustc -Z print-type-sizes` -that is way more verbose. - -Options provided by `#[rustc_layout(...)]` are `debug`, `size`, `align`, -`abi`. Note that it only works on sized types without generics. - -## Examples - -```rust,compile_fail -#![feature(rustc_attrs)] - -#[rustc_layout(abi, size)] -pub enum X { - Y(u8, u8, u8), - Z(isize), -} -``` - -When that is compiled, the compiler will error with something like - -```text -error: abi: Aggregate { sized: true } - --> src/lib.rs:4:1 - | -4 | / pub enum T { -5 | | Y(u8, u8, u8), -6 | | Z(isize), -7 | | } - | |_^ - -error: size: Size { raw: 16 } - --> src/lib.rs:4:1 - | -4 | / pub enum T { -5 | | Y(u8, u8, u8), -6 | | Z(isize), -7 | | } - | |_^ - -error: aborting due to 2 previous errors -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-alias.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-alias.md deleted file mode 100644 index f1be053ddc42..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-alias.md +++ /dev/null @@ -1,34 +0,0 @@ -# `trait_alias` - -The tracking issue for this feature is: [#41517] - -[#41517]: https://github.com/rust-lang/rust/issues/41517 - ------------------------- - -The `trait_alias` feature adds support for trait aliases. These allow aliases -to be created for one or more traits (currently just a single regular trait plus -any number of auto-traits), and used wherever traits would normally be used as -either bounds or trait objects. - -```rust -#![feature(trait_alias)] - -trait Foo = std::fmt::Debug + Send; -trait Bar = Foo + Sync; - -// Use trait alias as bound on type parameter. -fn foo(v: &T) { - println!("{:?}", v); -} - -pub fn main() { - foo(&1); - - // Use trait alias for trait objects. - let a: &Bar = &123; - println!("{:?}", a); - let b = Box::new(456) as Box; - println!("{:?}", b); -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-upcasting.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-upcasting.md deleted file mode 100644 index 3697ae38f9d8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-upcasting.md +++ /dev/null @@ -1,27 +0,0 @@ -# `trait_upcasting` - -The tracking issue for this feature is: [#65991] - -[#65991]: https://github.com/rust-lang/rust/issues/65991 - ------------------------- - -The `trait_upcasting` feature adds support for trait upcasting coercion. This allows a -trait object of type `dyn Bar` to be cast to a trait object of type `dyn Foo` -so long as `Bar: Foo`. - -```rust,edition2018 -#![feature(trait_upcasting)] -#![allow(incomplete_features)] - -trait Foo {} - -trait Bar: Foo {} - -impl Foo for i32 {} - -impl Bar for T {} - -let bar: &dyn Bar = &123; -let foo: &dyn Foo = bar; -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/transparent-unions.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/transparent-unions.md deleted file mode 100644 index 9b39b8971644..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/transparent-unions.md +++ /dev/null @@ -1,83 +0,0 @@ -# `transparent_unions` - -The tracking issue for this feature is [#60405] - -[#60405]: https://github.com/rust-lang/rust/issues/60405 - ----- - -The `transparent_unions` feature allows you mark `union`s as -`#[repr(transparent)]`. A `union` may be `#[repr(transparent)]` in exactly the -same conditions in which a `struct` may be `#[repr(transparent)]` (generally, -this means the `union` must have exactly one non-zero-sized field). Some -concrete illustrations follow. - -```rust -#![feature(transparent_unions)] - -// This union has the same representation as `f32`. -#[repr(transparent)] -union SingleFieldUnion { - field: f32, -} - -// This union has the same representation as `usize`. -#[repr(transparent)] -union MultiFieldUnion { - field: usize, - nothing: (), -} -``` - -For consistency with transparent `struct`s, `union`s must have exactly one -non-zero-sized field. If all fields are zero-sized, the `union` must not be -`#[repr(transparent)]`: - -```rust -#![feature(transparent_unions)] - -// This (non-transparent) union is already valid in stable Rust: -pub union GoodUnion { - pub nothing: (), -} - -// Error: transparent union needs exactly one non-zero-sized field, but has 0 -// #[repr(transparent)] -// pub union BadUnion { -// pub nothing: (), -// } -``` - -The one exception is if the `union` is generic over `T` and has a field of type -`T`, it may be `#[repr(transparent)]` even if `T` is a zero-sized type: - -```rust -#![feature(transparent_unions)] - -// This union has the same representation as `T`. -#[repr(transparent)] -pub union GenericUnion { // Unions with non-`Copy` fields are unstable. - pub field: T, - pub nothing: (), -} - -// This is okay even though `()` is a zero-sized type. -pub const THIS_IS_OKAY: GenericUnion<()> = GenericUnion { field: () }; -``` - -Like transarent `struct`s, a transparent `union` of type `U` has the same -layout, size, and ABI as its single non-ZST field. If it is generic over a type -`T`, and all its fields are ZSTs except for exactly one field of type `T`, then -it has the same layout and ABI as `T` (even if `T` is a ZST when monomorphized). - -Like transparent `struct`s, transparent `union`s are FFI-safe if and only if -their underlying representation type is also FFI-safe. - -A `union` may not be eligible for the same nonnull-style optimizations that a -`struct` or `enum` (with the same fields) are eligible for. Adding -`#[repr(transparent)]` to `union` does not change this. To give a more concrete -example, it is unspecified whether `size_of::()` is equal to -`size_of::>()`, where `T` is a `union` (regardless of whether or not -it is transparent). The Rust compiler is free to perform this optimization if -possible, but is not required to, and different compiler versions may differ in -their application of these optimizations. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/try-blocks.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/try-blocks.md deleted file mode 100644 index e342c260a739..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/try-blocks.md +++ /dev/null @@ -1,30 +0,0 @@ -# `try_blocks` - -The tracking issue for this feature is: [#31436] - -[#31436]: https://github.com/rust-lang/rust/issues/31436 - ------------------------- - -The `try_blocks` feature adds support for `try` blocks. A `try` -block creates a new scope one can use the `?` operator in. - -```rust,edition2018 -#![feature(try_blocks)] - -use std::num::ParseIntError; - -let result: Result = try { - "1".parse::()? - + "2".parse::()? - + "3".parse::()? -}; -assert_eq!(result, Ok(6)); - -let result: Result = try { - "1".parse::()? - + "foo".parse::()? - + "3".parse::()? -}; -assert!(result.is_err()); -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/type-changing-struct-update.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/type-changing-struct-update.md deleted file mode 100644 index 9909cf35b5b5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/type-changing-struct-update.md +++ /dev/null @@ -1,33 +0,0 @@ -# `type_changing_struct_update` - -The tracking issue for this feature is: [#86555] - -[#86555]: https://github.com/rust-lang/rust/issues/86555 - ------------------------- - -This implements [RFC2528]. When turned on, you can create instances of the same struct -that have different generic type or lifetime parameters. - -[RFC2528]: https://github.com/rust-lang/rfcs/blob/master/text/2528-type-changing-struct-update-syntax.md - -```rust -#![allow(unused_variables, dead_code)] -#![feature(type_changing_struct_update)] - -fn main () { - struct Foo { - field1: T, - field2: U, - } - - let base: Foo = Foo { - field1: String::from("hello"), - field2: 1234, - }; - let updated: Foo = Foo { - field1: 3.14, - ..base - }; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unboxed-closures.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/unboxed-closures.md deleted file mode 100644 index e4113d72d091..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unboxed-closures.md +++ /dev/null @@ -1,25 +0,0 @@ -# `unboxed_closures` - -The tracking issue for this feature is [#29625] - -See Also: [`fn_traits`](../library-features/fn-traits.md) - -[#29625]: https://github.com/rust-lang/rust/issues/29625 - ----- - -The `unboxed_closures` feature allows you to write functions using the `"rust-call"` ABI, -required for implementing the [`Fn*`] family of traits. `"rust-call"` functions must have -exactly one (non self) argument, a tuple representing the argument list. - -[`Fn*`]: https://doc.rust-lang.org/std/ops/trait.Fn.html - -```rust -#![feature(unboxed_closures)] - -extern "rust-call" fn add_args(args: (u32, u32)) -> u32 { - args.0 + args.1 -} - -fn main() {} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-locals.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-locals.md deleted file mode 100644 index d5b01a3d6168..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-locals.md +++ /dev/null @@ -1,175 +0,0 @@ -# `unsized_locals` - -The tracking issue for this feature is: [#48055] - -[#48055]: https://github.com/rust-lang/rust/issues/48055 - ------------------------- - -This implements [RFC1909]. When turned on, you can have unsized arguments and locals: - -[RFC1909]: https://github.com/rust-lang/rfcs/blob/master/text/1909-unsized-rvalues.md - -```rust -#![allow(incomplete_features)] -#![feature(unsized_locals, unsized_fn_params)] - -use std::any::Any; - -fn main() { - let x: Box = Box::new(42); - let x: dyn Any = *x; - // ^ unsized local variable - // ^^ unsized temporary - foo(x); -} - -fn foo(_: dyn Any) {} -// ^^^^^^ unsized argument -``` - -The RFC still forbids the following unsized expressions: - -```rust,compile_fail -#![feature(unsized_locals)] - -use std::any::Any; - -struct MyStruct { - content: T, -} - -struct MyTupleStruct(T); - -fn answer() -> Box { - Box::new(42) -} - -fn main() { - // You CANNOT have unsized statics. - static X: dyn Any = *answer(); // ERROR - const Y: dyn Any = *answer(); // ERROR - - // You CANNOT have struct initialized unsized. - MyStruct { content: *answer() }; // ERROR - MyTupleStruct(*answer()); // ERROR - (42, *answer()); // ERROR - - // You CANNOT have unsized return types. - fn my_function() -> dyn Any { *answer() } // ERROR - - // You CAN have unsized local variables... - let mut x: dyn Any = *answer(); // OK - // ...but you CANNOT reassign to them. - x = *answer(); // ERROR - - // You CANNOT even initialize them separately. - let y: dyn Any; // OK - y = *answer(); // ERROR - - // Not mentioned in the RFC, but by-move captured variables are also Sized. - let x: dyn Any = *answer(); - (move || { // ERROR - let y = x; - })(); - - // You CAN create a closure with unsized arguments, - // but you CANNOT call it. - // This is an implementation detail and may be changed in the future. - let f = |x: dyn Any| {}; - f(*answer()); // ERROR -} -``` - -## By-value trait objects - -With this feature, you can have by-value `self` arguments without `Self: Sized` bounds. - -```rust -#![feature(unsized_fn_params)] - -trait Foo { - fn foo(self) {} -} - -impl Foo for T {} - -fn main() { - let slice: Box<[i32]> = Box::new([1, 2, 3]); - <[i32] as Foo>::foo(*slice); -} -``` - -And `Foo` will also be object-safe. - -```rust -#![feature(unsized_fn_params)] - -trait Foo { - fn foo(self) {} -} - -impl Foo for T {} - -fn main () { - let slice: Box = Box::new([1, 2, 3]); - // doesn't compile yet - ::foo(*slice); -} -``` - -One of the objectives of this feature is to allow `Box`. - -## Variable length arrays - -The RFC also describes an extension to the array literal syntax: `[e; dyn n]`. In the syntax, `n` isn't necessarily a constant expression. The array is dynamically allocated on the stack and has the type of `[T]`, instead of `[T; n]`. - -```rust,ignore (not-yet-implemented) -#![feature(unsized_locals)] - -fn mergesort(a: &mut [T]) { - let mut tmp = [T; dyn a.len()]; - // ... -} - -fn main() { - let mut a = [3, 1, 5, 6]; - mergesort(&mut a); - assert_eq!(a, [1, 3, 5, 6]); -} -``` - -VLAs are not implemented yet. The syntax isn't final, either. We may need an alternative syntax for Rust 2015 because, in Rust 2015, expressions like `[e; dyn(1)]` would be ambiguous. One possible alternative proposed in the RFC is `[e; n]`: if `n` captures one or more local variables, then it is considered as `[e; dyn n]`. - -## Advisory on stack usage - -It's advised not to casually use the `#![feature(unsized_locals)]` feature. Typical use-cases are: - -- When you need a by-value trait objects. -- When you really need a fast allocation of small temporary arrays. - -Another pitfall is repetitive allocation and temporaries. Currently the compiler simply extends the stack frame every time it encounters an unsized assignment. So for example, the code - -```rust -#![feature(unsized_locals)] - -fn main() { - let x: Box<[i32]> = Box::new([1, 2, 3, 4, 5]); - let _x = {{{{{{{{{{*x}}}}}}}}}}; -} -``` - -and the code - -```rust -#![feature(unsized_locals)] - -fn main() { - for _ in 0..10 { - let x: Box<[i32]> = Box::new([1, 2, 3, 4, 5]); - let _x = *x; - } -} -``` - -will unnecessarily extend the stack frame. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-tuple-coercion.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-tuple-coercion.md deleted file mode 100644 index 310c8d962948..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-tuple-coercion.md +++ /dev/null @@ -1,27 +0,0 @@ -# `unsized_tuple_coercion` - -The tracking issue for this feature is: [#42877] - -[#42877]: https://github.com/rust-lang/rust/issues/42877 - ------------------------- - -This is a part of [RFC0401]. According to the RFC, there should be an implementation like this: - -```rust,ignore (partial-example) -impl<..., T, U: ?Sized> Unsized<(..., U)> for (..., T) where T: Unsized {} -``` - -This implementation is currently gated behind `#[feature(unsized_tuple_coercion)]` to avoid insta-stability. Therefore you can use it like this: - -```rust -#![feature(unsized_tuple_coercion)] - -fn main() { - let x : ([i32; 3], [i32; 3]) = ([1, 2, 3], [4, 5, 6]); - let y : &([i32; 3], [i32]) = &x; - assert_eq!(y.1[0], 4); -} -``` - -[RFC0401]: https://github.com/rust-lang/rfcs/blob/master/text/0401-coercions.md diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features.md deleted file mode 100644 index 9f537e26132b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features.md +++ /dev/null @@ -1 +0,0 @@ -# Library Features diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/allocator-api.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/allocator-api.md deleted file mode 100644 index 9f045ce08a43..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/allocator-api.md +++ /dev/null @@ -1,15 +0,0 @@ -# `allocator_api` - -The tracking issue for this feature is [#32838] - -[#32838]: https://github.com/rust-lang/rust/issues/32838 - ------------------------- - -Sometimes you want the memory for one collection to use a different -allocator than the memory for another collection. In this case, -replacing the global allocator is not a workable option. Instead, -you need to pass in an instance of an `AllocRef` to each collection -for which you want a custom allocator. - -TBD diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-variadic.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-variadic.md deleted file mode 100644 index 77762116e6b1..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-variadic.md +++ /dev/null @@ -1,26 +0,0 @@ -# `c_variadic` - -The tracking issue for this feature is: [#44930] - -[#44930]: https://github.com/rust-lang/rust/issues/44930 - ------------------------- - -The `c_variadic` library feature exposes the `VaList` structure, -Rust's analogue of C's `va_list` type. - -## Examples - -```rust -#![feature(c_variadic)] - -use std::ffi::VaList; - -pub unsafe extern "C" fn vadd(n: usize, mut args: VaList) -> usize { - let mut sum = 0; - for _ in 0..n { - sum += args.arg::(); - } - sum -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-void-variant.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-void-variant.md deleted file mode 100644 index a2fdc9936300..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-void-variant.md +++ /dev/null @@ -1,5 +0,0 @@ -# `c_void_variant` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/char-error-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/char-error-internals.md deleted file mode 100644 index 8013b4988e14..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/char-error-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `char_error_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/concat-idents.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/concat-idents.md deleted file mode 100644 index 73f6cfa21787..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/concat-idents.md +++ /dev/null @@ -1,22 +0,0 @@ -# `concat_idents` - -The tracking issue for this feature is: [#29599] - -[#29599]: https://github.com/rust-lang/rust/issues/29599 - ------------------------- - -The `concat_idents` feature adds a macro for concatenating multiple identifiers -into one identifier. - -## Examples - -```rust -#![feature(concat_idents)] - -fn main() { - fn foobar() -> u32 { 23 } - let f = concat_idents!(foo, bar); - assert_eq!(f(), 23); -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-intrinsics.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-intrinsics.md deleted file mode 100644 index 28ad3525ef7a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-intrinsics.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_intrinsics` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-panic.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-panic.md deleted file mode 100644 index c197588404c9..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-panic.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_panic` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-bignum.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-bignum.md deleted file mode 100644 index f85811c545e4..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-bignum.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_private_bignum` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-diy-float.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-diy-float.md deleted file mode 100644 index 8465921d673b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-diy-float.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_private_diy_float` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/dec2flt.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/dec2flt.md deleted file mode 100644 index 311ab4adcfd7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/dec2flt.md +++ /dev/null @@ -1,5 +0,0 @@ -# `dec2flt` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/default-free-fn.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/default-free-fn.md deleted file mode 100644 index d40a27dddf36..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/default-free-fn.md +++ /dev/null @@ -1,47 +0,0 @@ -# `default_free_fn` - -The tracking issue for this feature is: [#73014] - -[#73014]: https://github.com/rust-lang/rust/issues/73014 - ------------------------- - -Adds a free `default()` function to the `std::default` module. This function -just forwards to [`Default::default()`], but may remove repetition of the word -"default" from the call site. - -[`Default::default()`]: https://doc.rust-lang.org/nightly/std/default/trait.Default.html#tymethod.default - -Here is an example: - -```rust -#![feature(default_free_fn)] -use std::default::default; - -#[derive(Default)] -struct AppConfig { - foo: FooConfig, - bar: BarConfig, -} - -#[derive(Default)] -struct FooConfig { - foo: i32, -} - -#[derive(Default)] -struct BarConfig { - bar: f32, - baz: u8, -} - -fn main() { - let options = AppConfig { - foo: default(), - bar: BarConfig { - bar: 10.1, - ..default() - }, - }; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-clone-copy.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-clone-copy.md deleted file mode 100644 index cc603911cbd2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-clone-copy.md +++ /dev/null @@ -1,5 +0,0 @@ -# `derive_clone_copy` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-eq.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-eq.md deleted file mode 100644 index 68a275f5419d..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-eq.md +++ /dev/null @@ -1,5 +0,0 @@ -# `derive_eq` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd-read.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd-read.md deleted file mode 100644 index e78d4330abfc..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd-read.md +++ /dev/null @@ -1,5 +0,0 @@ -# `fd_read` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd.md deleted file mode 100644 index 0414244285ba..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd.md +++ /dev/null @@ -1,5 +0,0 @@ -# `fd` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/flt2dec.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/flt2dec.md deleted file mode 100644 index 15e62a3a7dad..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/flt2dec.md +++ /dev/null @@ -1,5 +0,0 @@ -# `flt2dec` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fmt-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fmt-internals.md deleted file mode 100644 index 7cbe3c89a644..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fmt-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `fmt_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fn-traits.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fn-traits.md deleted file mode 100644 index 29a8aecee6c2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fn-traits.md +++ /dev/null @@ -1,35 +0,0 @@ -# `fn_traits` - -The tracking issue for this feature is [#29625] - -See Also: [`unboxed_closures`](../language-features/unboxed-closures.md) - -[#29625]: https://github.com/rust-lang/rust/issues/29625 - ----- - -The `fn_traits` feature allows for implementation of the [`Fn*`] traits -for creating custom closure-like types. - -[`Fn*`]: https://doc.rust-lang.org/std/ops/trait.Fn.html - -```rust -#![feature(unboxed_closures)] -#![feature(fn_traits)] - -struct Adder { - a: u32 -} - -impl FnOnce<(u32, )> for Adder { - type Output = u32; - extern "rust-call" fn call_once(self, b: (u32, )) -> Self::Output { - self.a + b.0 - } -} - -fn main() { - let adder = Adder { a: 3 }; - assert_eq!(adder(2), 5); -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/int-error-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/int-error-internals.md deleted file mode 100644 index 402e4fa5ef6d..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/int-error-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `int_error_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/internal-output-capture.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/internal-output-capture.md deleted file mode 100644 index 7e1241fce985..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/internal-output-capture.md +++ /dev/null @@ -1,5 +0,0 @@ -# `internal_output_capture` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/is-sorted.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/is-sorted.md deleted file mode 100644 index e3b7dc3b28eb..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/is-sorted.md +++ /dev/null @@ -1,11 +0,0 @@ -# `is_sorted` - -The tracking issue for this feature is: [#53485] - -[#53485]: https://github.com/rust-lang/rust/issues/53485 - ------------------------- - -Add the methods `is_sorted`, `is_sorted_by` and `is_sorted_by_key` to `[T]`; -add the methods `is_sorted`, `is_sorted_by` and `is_sorted_by_key` to -`Iterator`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-sys-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-sys-internals.md deleted file mode 100644 index 1b53faa8a007..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-sys-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `libstd_sys_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-thread-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-thread-internals.md deleted file mode 100644 index b682d12e7cdd..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-thread-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `libstd_thread_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/print-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/print-internals.md deleted file mode 100644 index a68557872af5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/print-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `print_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/profiler-runtime-lib.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/profiler-runtime-lib.md deleted file mode 100644 index a01f1e73ab40..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/profiler-runtime-lib.md +++ /dev/null @@ -1,5 +0,0 @@ -# `profiler_runtime_lib` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/rt.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/rt.md deleted file mode 100644 index 007acc207a65..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/rt.md +++ /dev/null @@ -1,5 +0,0 @@ -# `rt` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/sort-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/sort-internals.md deleted file mode 100644 index 6f2385e53008..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/sort-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `sort_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/str-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/str-internals.md deleted file mode 100644 index af8ef056dbe2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/str-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `str_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/test.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/test.md deleted file mode 100644 index c99584e5fb39..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/test.md +++ /dev/null @@ -1,158 +0,0 @@ -# `test` - -The tracking issue for this feature is: None. - ------------------------- - -The internals of the `test` crate are unstable, behind the `test` flag. The -most widely used part of the `test` crate are benchmark tests, which can test -the performance of your code. Let's make our `src/lib.rs` look like this -(comments elided): - -```rust,no_run -#![feature(test)] - -extern crate test; - -pub fn add_two(a: i32) -> i32 { - a + 2 -} - -#[cfg(test)] -mod tests { - use super::*; - use test::Bencher; - - #[test] - fn it_works() { - assert_eq!(4, add_two(2)); - } - - #[bench] - fn bench_add_two(b: &mut Bencher) { - b.iter(|| add_two(2)); - } -} -``` - -Note the `test` feature gate, which enables this unstable feature. - -We've imported the `test` crate, which contains our benchmarking support. -We have a new function as well, with the `bench` attribute. Unlike regular -tests, which take no arguments, benchmark tests take a `&mut Bencher`. This -`Bencher` provides an `iter` method, which takes a closure. This closure -contains the code we'd like to benchmark. - -We can run benchmark tests with `cargo bench`: - -```bash -$ cargo bench - Compiling adder v0.0.1 (file:///home/steve/tmp/adder) - Running target/release/adder-91b3e234d4ed382a - -running 2 tests -test tests::it_works ... ignored -test tests::bench_add_two ... bench: 1 ns/iter (+/- 0) - -test result: ok. 0 passed; 0 failed; 1 ignored; 1 measured -``` - -Our non-benchmark test was ignored. You may have noticed that `cargo bench` -takes a bit longer than `cargo test`. This is because Rust runs our benchmark -a number of times, and then takes the average. Because we're doing so little -work in this example, we have a `1 ns/iter (+/- 0)`, but this would show -the variance if there was one. - -Advice on writing benchmarks: - - -* Move setup code outside the `iter` loop; only put the part you want to measure inside -* Make the code do "the same thing" on each iteration; do not accumulate or change state -* Make the outer function idempotent too; the benchmark runner is likely to run - it many times -* Make the inner `iter` loop short and fast so benchmark runs are fast and the - calibrator can adjust the run-length at fine resolution -* Make the code in the `iter` loop do something simple, to assist in pinpointing - performance improvements (or regressions) - -## Gotcha: optimizations - -There's another tricky part to writing benchmarks: benchmarks compiled with -optimizations activated can be dramatically changed by the optimizer so that -the benchmark is no longer benchmarking what one expects. For example, the -compiler might recognize that some calculation has no external effects and -remove it entirely. - -```rust,no_run -#![feature(test)] - -extern crate test; -use test::Bencher; - -#[bench] -fn bench_xor_1000_ints(b: &mut Bencher) { - b.iter(|| { - (0..1000).fold(0, |old, new| old ^ new); - }); -} -``` - -gives the following results - -```text -running 1 test -test bench_xor_1000_ints ... bench: 0 ns/iter (+/- 0) - -test result: ok. 0 passed; 0 failed; 0 ignored; 1 measured -``` - -The benchmarking runner offers two ways to avoid this. Either, the closure that -the `iter` method receives can return an arbitrary value which forces the -optimizer to consider the result used and ensures it cannot remove the -computation entirely. This could be done for the example above by adjusting the -`b.iter` call to - -```rust -# struct X; -# impl X { fn iter(&self, _: F) where F: FnMut() -> T {} } let b = X; -b.iter(|| { - // Note lack of `;` (could also use an explicit `return`). - (0..1000).fold(0, |old, new| old ^ new) -}); -``` - -Or, the other option is to call the generic `test::black_box` function, which -is an opaque "black box" to the optimizer and so forces it to consider any -argument as used. - -```rust -#![feature(test)] - -extern crate test; - -# fn main() { -# struct X; -# impl X { fn iter(&self, _: F) where F: FnMut() -> T {} } let b = X; -b.iter(|| { - let n = test::black_box(1000); - - (0..n).fold(0, |a, b| a ^ b) -}) -# } -``` - -Neither of these read or modify the value, and are very cheap for small values. -Larger values can be passed indirectly to reduce overhead (e.g. -`black_box(&huge_struct)`). - -Performing either of the above changes gives the following benchmarking results - -```text -running 1 test -test bench_xor_1000_ints ... bench: 131 ns/iter (+/- 3) - -test result: ok. 0 passed; 0 failed; 0 ignored; 1 measured -``` - -However, the optimizer can still modify a testcase in an undesirable manner -even when using either of the above. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/thread-local-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/thread-local-internals.md deleted file mode 100644 index e1cdcc339d22..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/thread-local-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `thread_local_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/trace-macros.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/trace-macros.md deleted file mode 100644 index 41aa286e69bf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/trace-macros.md +++ /dev/null @@ -1,39 +0,0 @@ -# `trace_macros` - -The tracking issue for this feature is [#29598]. - -[#29598]: https://github.com/rust-lang/rust/issues/29598 - ------------------------- - -With `trace_macros` you can trace the expansion of macros in your code. - -## Examples - -```rust -#![feature(trace_macros)] - -fn main() { - trace_macros!(true); - println!("Hello, Rust!"); - trace_macros!(false); -} -``` - -The `cargo build` output: - -```txt -note: trace_macro - --> src/main.rs:5:5 - | -5 | println!("Hello, Rust!"); - | ^^^^^^^^^^^^^^^^^^^^^^^^^ - | - = note: expanding `println! { "Hello, Rust!" }` - = note: to `print ! ( concat ! ( "Hello, Rust!" , "\n" ) )` - = note: expanding `print! { concat ! ( "Hello, Rust!" , "\n" ) }` - = note: to `$crate :: io :: _print ( format_args ! ( concat ! ( "Hello, Rust!" , "\n" ) ) - )` - - Finished dev [unoptimized + debuginfo] target(s) in 0.60 secs -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/update-panic-count.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/update-panic-count.md deleted file mode 100644 index d315647ba104..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/update-panic-count.md +++ /dev/null @@ -1,5 +0,0 @@ -# `update_panic_count` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-c.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-c.md deleted file mode 100644 index 3f833eb3d093..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-c.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_c` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-handle.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-handle.md deleted file mode 100644 index f47a8425045b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-handle.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_handle` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-net.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-net.md deleted file mode 100644 index 174960d4f004..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-net.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_net` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-stdio.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-stdio.md deleted file mode 100644 index 4d361442386a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-stdio.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_stdio` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/the-unstable-book.md b/tools/bookrunner/rust-doc/unstable-book/src/the-unstable-book.md deleted file mode 100644 index 554c52c3c9c2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/the-unstable-book.md +++ /dev/null @@ -1,22 +0,0 @@ -# The Unstable Book - -Welcome to the Unstable Book! This book consists of a number of chapters, -each one organized by a "feature flag." That is, when using an unstable -feature of Rust, you must use a flag, like this: - -```rust -#![feature(box_syntax)] - -fn main() { - let five = box 5; -} -``` - -The `box_syntax` feature [has a chapter][box] describing how to use it. - -[box]: language-features/box-syntax.md - -Because this documentation relates to unstable features, we make no guarantees -that what is contained here is accurate or up to date. It's developed on a -best-effort basis. Each page will have a link to its tracking issue with the -latest developments; you might want to check those as well. diff --git a/tools/bookrunner/src/bookrunner.rs b/tools/bookrunner/src/bookrunner.rs deleted file mode 100644 index ecce5bd3e779..000000000000 --- a/tools/bookrunner/src/bookrunner.rs +++ /dev/null @@ -1,95 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Data structures representing the book report and their utilities. - -use std::fmt::{Display, Formatter, Result, Write}; - -/// This data structure holds the results of running a test or a suite. -#[derive(Clone, Debug)] -pub struct Node { - pub name: String, - pub num_pass: u32, - pub num_fail: u32, -} - -impl Node { - /// Creates a new test [`Node`]. - pub fn new(name: String, num_pass: u32, num_fail: u32) -> Node { - Node { name, num_pass, num_fail } - } -} - -/// Tree data structure representing a book report. `children` -/// represent sub-tests and sub-suites of the current test suite. This tree -/// structure allows us to collect and display a summary for test results in an -/// organized manner. -#[derive(Clone, Debug)] -pub struct Tree { - pub data: Node, - pub children: Vec, -} - -impl Tree { - /// Creates a new [`Tree`] representing a book report or a part of it. - pub fn new(data: Node, children: Vec) -> Tree { - Tree { data, children } - } - - /// Merges two trees, if their root have equal node names, and returns the - /// merged tree. - pub fn merge(mut l: Tree, r: Tree) -> Option { - if l.data.name != r.data.name { - return None; - } - // For each subtree of `r`... - for cnr in r.children { - // Look for a subtree of `l` with an equal root node name. - let index = l.children.iter().position(|cnl| cnl.data.name == cnr.data.name); - if let Some(index) = index { - // If you find one, merge it with `r`'s subtree. - let cnl = l.children.remove(index); - l.children.insert(index, Tree::merge(cnl, cnr)?); - } else { - // Otherwise, `r`'s subtree is new. So, add it to `l`'s - // list of subtrees. - l.children.push(cnr); - } - } - Some(Tree::new( - Node::new( - l.data.name, - l.data.num_pass + r.data.num_pass, - l.data.num_fail + r.data.num_fail, - ), - l.children, - )) - } - - /// A helper format function that indents each level of the tree. - fn fmt_aux(&self, p: usize, f: &mut Formatter<'_>) -> Result { - // Do not print line numbers. - if self.children.is_empty() { - return Ok(()); - } - // Write `p` spaces into the formatter. - f.write_fmt(format_args!("{:p$}", ""))?; - f.write_str(&self.data.name)?; - if self.data.num_pass > 0 { - f.write_fmt(format_args!(" ✔️ {}", self.data.num_pass))?; - } - if self.data.num_fail > 0 { - f.write_fmt(format_args!(" ❌ {}", self.data.num_fail))?; - } - f.write_char('\n')?; - for cn in &self.children { - cn.fmt_aux(p + 2, f)?; - } - Ok(()) - } -} - -impl Display for Tree { - fn fmt(&self, f: &mut Formatter<'_>) -> Result { - self.fmt_aux(0, f) - } -} diff --git a/tools/bookrunner/src/books.rs b/tools/bookrunner/src/books.rs deleted file mode 100644 index 0e8b8fb8857d..000000000000 --- a/tools/bookrunner/src/books.rs +++ /dev/null @@ -1,571 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Utilities to extract examples from Rust books, run them through Kani, and -//! display their results. - -extern crate rustc_span; - -use crate::{ - bookrunner, - litani::{Litani, LitaniPipeline, LitaniRun}, - util::{self, FailStep, TestProps}, -}; -use inflector::cases::{snakecase::to_snake_case, titlecase::to_title_case}; -use pulldown_cmark::{Event, Parser, Tag}; -use rustc_span::edition::Edition; -use rustdoc::{ - doctest::{make_test, Tester}, - html::markdown::{find_testable_code, ErrorCodes, Ignore, LangString}, -}; -use std::{ - collections::{HashMap, HashSet}, - ffi::OsStr, - fmt::Write, - fs, - io::BufReader, - iter::FromIterator, - path::{Path, PathBuf}, - str::FromStr, -}; -use walkdir::WalkDir; - -// Books may include a `SUMMARY.md` file or not. If they do, the info in -// `SummaryData` is helpful to parse the hierarchy, otherwise we use a -// `DirectoryData` structure - -// Data needed for parsing a book with a summary file -struct SummaryData { - // Path to the summary file - summary_path: PathBuf, - // Line that indicates the start of the summary section - summary_start: String, -} - -// Data needed for parsing book without a summary file -struct DirectoryData { - // Directory to be processed, starting from root of the book - src: PathBuf, - // Directory where the examples extracted from the book should reside - dest: PathBuf, -} - -// Data structure representing a Rust book -struct Book { - // Name of the book - name: String, - // Default Rust edition - default_edition: Edition, - // Data about the summary file - summary_data: Option, - // Data about the source/destination directories - directory_data: Option, - // Path to the `book.toml` file - toml_path: PathBuf, - // The hierarchy map used for example extraction - hierarchy: HashMap, -} - -impl Book { - /// Parse the chapter/section hierarchy and set the default edition - fn parse_hierarchy(&mut self) { - if self.summary_data.is_some() { - assert!(self.directory_data.is_none()); - self.parse_hierarchy_with_summary(); - } else { - assert!(self.directory_data.is_some()); - self.parse_hierarchy_without_summary(); - } - self.default_edition = self.get_rust_edition().unwrap_or(Edition::Edition2015); - } - - /// Parses the chapter/section hierarchy in the markdown file specified by - /// `summary_path` and returns a mapping from markdown files containing rust - /// code to corresponding directories where the extracted rust code should - /// reside. - fn parse_hierarchy_with_summary(&mut self) { - let summary_path = &self.summary_data.as_ref().unwrap().summary_path; - let summary_start = &self.summary_data.as_ref().unwrap().summary_start; - let summary_dir = summary_path.parent().unwrap().to_path_buf(); - let summary = fs::read_to_string(summary_path.clone()).unwrap(); - assert!( - summary.starts_with(summary_start.as_str()), - "Error: The start of {} summary file changed.", - self.name - ); - // Skip the `start` of the summary. - let n = Parser::new(summary_start.as_str()).count(); - let parser = Parser::new(&summary).skip(n); - // Set `self.name` as the root of the hierarchical path. - let mut hierarchy_path: PathBuf = - ["tests", "bookrunner", "books", self.name.as_str()].iter().collect(); - let mut prev_event_is_text_or_code = false; - for event in parser { - match event { - Event::End(Tag::Item) => { - // Pop the current chapter/section from the hierarchy once - // we are done processing it and its subsections. - hierarchy_path.pop(); - prev_event_is_text_or_code = false; - } - Event::End(Tag::Link(_, path, _)) => { - // At the start of the link tag, the hierarchy does not yet - // contain the title of the current chapter/section. So, we wait - // for the end of the link tag before adding the path and - // hierarchy of the current chapter/section to the map. - let mut full_path = summary_dir.clone(); - full_path.extend(path.split('/')); - self.hierarchy.insert(full_path, hierarchy_path.clone()); - prev_event_is_text_or_code = false; - } - Event::Text(text) | Event::Code(text) => { - // Remove characters that are problematic to the file system or - // terminal. - let text = text.replace(&['/', '(', ')', '\''][..], "_"); - // Does the chapter/section title contain normal text and inline - // code? - if prev_event_is_text_or_code { - // If so, we combine them into one hierarchy level. - let prev_text = - hierarchy_path.file_name().unwrap().to_str().unwrap().to_string(); - hierarchy_path.pop(); - hierarchy_path.push(format!("{prev_text}{text}")); - } else { - // If not, add the current title to the hierarchy. - hierarchy_path.push(&text); - } - prev_event_is_text_or_code = true; - } - _ => (), - } - } - } - - /// Parses books that do not have a `SUMMARY.md` file (i.e., a table of - /// contents). We parse them manually and make a "best effort" to make it - /// look like the online version. - fn parse_hierarchy_without_summary(&mut self) { - let directory_data = self.directory_data.as_ref().unwrap(); - let src = &directory_data.src; - let dest = &directory_data.dest; - let mut src_prefix: PathBuf = src.clone(); - let mut dest_prefix: PathBuf = dest.clone(); - for entry in WalkDir::new(&src_prefix) { - let entry = entry.unwrap().into_path(); - // `WalkDir` returns entries in a depth-first fashion. Once we are done - // processing a directory, it will jump to a different child entry of a - // predecessor. To copy examples to the correct location, we need to - // know how far back we jumped and update `dest_prefix` accordingly. - while !entry.starts_with(&src_prefix) { - src_prefix.pop(); - dest_prefix.pop(); - } - if entry.is_dir() { - src_prefix.push(entry.file_name().unwrap()); - // Follow the book's title case format for directories. - dest_prefix.push(to_title_case(entry.file_name().unwrap().to_str().unwrap())); - } else { - // Only process markdown files. - if entry.extension() == Some(OsStr::new("md")) { - let entry_stem = entry.file_stem().unwrap().to_str().unwrap(); - // If a file has the stem name as a sibling directory... - if src_prefix.join(entry.file_stem().unwrap()).exists() { - // Its extracted examples should reside under that - // directory. - self.hierarchy - .insert(entry.clone(), dest_prefix.join(to_title_case(entry_stem))); - } else { - // Otherwise, follow the book's snake case format for files. - self.hierarchy - .insert(entry.clone(), dest_prefix.join(to_snake_case(entry_stem))); - } - } - } - } - } - - // Get the Rust edition from the `book.toml` file - fn get_rust_edition(&self) -> Option { - let file = fs::read_to_string(&self.toml_path).unwrap(); - let toml_data: toml::Value = toml::from_str(&file).unwrap(); - // The Rust edition is specified in the `rust.edition` attribute - let rust_block = toml_data.get("rust")?; - let edition_attr = rust_block.get("edition")?; - let edition_str = edition_attr.as_str()?; - Some(Edition::from_str(edition_str).unwrap()) - } - - /// Extracts examples from the markdown files specified by each key in the given - /// `map`, pre-processes those examples, and saves them in the directory - /// specified by the corresponding value. - fn extract_examples(&self) { - let mut config_paths = get_config_paths(self.name.as_str()); - for (par_from, par_to) in &self.hierarchy { - extract(par_from, par_to, &mut config_paths, self.default_edition); - } - if !config_paths.is_empty() { - panic!( - "Error: The examples corresponding to the following config files \ - were not encountered in the pre-processing step:\n{}This is most \ - likely because the line numbers of the config files are not in \ - sync with the line numbers of the corresponding code blocks in \ - the latest versions of the Rust books. Please update the line \ - numbers of the config files and rerun the program.", - paths_to_string(config_paths) - ); - } - } -} -/// Set up [The Rust Reference](https://doc.rust-lang.org/nightly/reference) -/// book. -fn setup_reference_book() -> Book { - let summary_data = SummaryData { - summary_start: "# The Rust Reference\n\n[Introduction](introduction.md)".to_string(), - summary_path: ["tools", "bookrunner", "rust-doc", "reference", "src", "SUMMARY.md"] - .iter() - .collect(), - }; - Book { - name: "The Rust Reference".to_string(), - summary_data: Some(summary_data), - directory_data: None, - toml_path: ["tools", "bookrunner", "rust-doc", "reference", "book.toml"].iter().collect(), - hierarchy: HashMap::from_iter([( - ["tools", "bookrunner", "rust-doc", "reference", "src", "introduction.md"] - .iter() - .collect(), - ["tests", "bookrunner", "books", "The Rust Reference", "Introduction"].iter().collect(), - )]), - default_edition: Edition::Edition2015, - } -} - -/// Set up [The Rustonomicon](https://doc.rust-lang.org/nightly/nomicon) book. -fn setup_nomicon_book() -> Book { - let summary_data = SummaryData { - summary_path: ["tools", "bookrunner", "rust-doc", "nomicon", "src", "SUMMARY.md"] - .iter() - .collect(), - summary_start: "# Summary\n\n[Introduction](intro.md)".to_string(), - }; - Book { - name: "The Rustonomicon".to_string(), - summary_data: Some(summary_data), - directory_data: None, - toml_path: ["tools", "bookrunner", "rust-doc", "nomicon", "book.toml"].iter().collect(), - hierarchy: HashMap::from_iter([( - ["tools", "bookrunner", "rust-doc", "nomicon", "src", "intro.md"].iter().collect(), - ["tests", "bookrunner", "books", "The Rustonomicon", "Introduction"].iter().collect(), - )]), - default_edition: Edition::Edition2015, - } -} - -/// Set up the -/// [Rust Unstable Book](https://doc.rust-lang.org/beta/unstable-book/). -fn setup_unstable_book() -> Book { - let directory_data = DirectoryData { - src: ["tools", "bookrunner", "rust-doc", "unstable-book", "src"].iter().collect(), - dest: ["tests", "bookrunner", "books", "The Unstable Book"].iter().collect(), - }; - Book { - name: "The Rust Unstable Book".to_string(), - summary_data: None, - directory_data: Some(directory_data), - toml_path: ["tools", "bookrunner", "rust-doc", "unstable-book", "book.toml"] - .iter() - .collect(), - hierarchy: HashMap::new(), - default_edition: Edition::Edition2015, - } -} - -/// Set up the -/// [Rust by Example](https://doc.rust-lang.org/nightly/rust-by-example) book. -fn setup_rust_by_example_book() -> Book { - let summary_data = SummaryData { - summary_path: ["tools", "bookrunner", "rust-doc", "rust-by-example", "src", "SUMMARY.md"] - .iter() - .collect(), - summary_start: "# Summary\n\n[Introduction](index.md)".to_string(), - }; - Book { - name: "Rust by Example".to_string(), - summary_data: Some(summary_data), - directory_data: None, - toml_path: ["tools", "bookrunner", "rust-doc", "rust-by-example", "book.toml"] - .iter() - .collect(), - hierarchy: HashMap::from_iter([( - ["tools", "bookrunner", "rust-doc", "rust-by-example", "src", "index.md"] - .iter() - .collect(), - ["tests", "bookrunner", "books", "Rust by Example", "Introduction"].iter().collect(), - )]), - default_edition: Edition::Edition2015, - } -} - -/// This data structure contains the code and configs of an example in the Rust books. -struct Example { - /// The example code extracted from a codeblock. - code: String, - // Line number of the code block. - line: usize, - // Configurations in the header of the codeblock. - config: LangString, -} - -/// Data structure representing a list of examples. Mainly for implementing the -/// [`Tester`] trait. -struct Examples(Vec); - -impl Tester for Examples { - fn add_test(&mut self, test: String, config: LangString, line: usize) { - if config.ignore != Ignore::All { - self.0.push(Example { code: test, line, config }) - } - } -} - -/// Applies the diff corresponding to `example` with parent `path` (if it exists). -fn apply_diff(path: &Path, example: &mut Example, config_paths: &mut HashSet) { - let config_dir: PathBuf = ["tools", "bookrunner", "configs"].iter().collect(); - let test_dir: PathBuf = ["tests", "bookrunner"].iter().collect(); - // `path` has the following form: - // `tests/bookrunner/books/ - // If `example` has a custom diff file, the path to the diff file will have - // the following form: - // `tools/bookrunner/configs/books//.diff` - // where is the same for both paths. - let mut diff_path = config_dir.join(path.strip_prefix(&test_dir).unwrap()); - diff_path.extend_one(format!("{}.diff", example.line)); - if diff_path.exists() { - config_paths.remove(&diff_path); - let mut code_lines: Vec<_> = example.code.lines().collect(); - let diff = fs::read_to_string(diff_path).unwrap(); - for line in diff.lines() { - // `*.diff` files have a simple format: - // `- ` for removing lines. - // `+ ` for inserting lines. - // Notice that for a series of `+` and `-`, the developer must keep - // track of the changing line numbers. - let mut split = line.splitn(3, ' '); - let symbol = split.next().unwrap(); - let line = split.next().unwrap().parse::().unwrap() - 1; - if symbol == "+" { - let diff = split.next().unwrap(); - code_lines.insert(line, diff); - } else { - code_lines.remove(line); - } - } - example.code = code_lines.join("\n"); - } -} - -/// Prepends example properties in `example.config` to the code in `example.code`. -fn prepend_props(path: &Path, example: &mut Example, config_paths: &mut HashSet) { - let config_dir: PathBuf = ["tools", "bookrunner", "configs"].iter().collect(); - let test_dir: PathBuf = ["tests", "bookrunner"].iter().collect(); - // `path` has the following form: - // `tests/bookrunner/books/ - // If `example` has a custom props file, the path to the props file will - // have the following form: - // `tools/bookrunner/configs/books//.props` - // where is the same for both paths. - let mut props_path = config_dir.join(path.strip_prefix(&test_dir).unwrap()); - props_path.extend_one(format!("{}.props", example.line)); - let mut props = if props_path.exists() { - config_paths.remove(&props_path); - util::parse_test_header(&props_path) - } else { - TestProps::new(path.to_path_buf(), None, Vec::new(), Vec::new()) - }; - // Add edition flag to the example - let edition_year = format!("{}", example.config.edition.unwrap()); - props.rustc_args.push(String::from("--edition")); - props.rustc_args.push(edition_year); - - if props.fail_step.is_none() { - if example.config.compile_fail { - // Most examples with `compile_fail` annotation fail because of - // check errors. This heuristic can be overridden by manually - //specifying the fail step in the corresponding config file. - props.fail_step = Some(FailStep::Check); - } else if example.config.should_panic { - // Kani should catch run-time errors. - props.fail_step = Some(FailStep::Verification); - } - } - example.code = format!("{props}{}", example.code); -} - -/// Extracts examples from the markdown file specified by `par_from`, -/// pre-processes those examples, and saves them in the directory specified by -/// `par_to`. -fn extract( - par_from: &Path, - par_to: &Path, - config_paths: &mut HashSet, - default_edition: Edition, -) { - let code = fs::read_to_string(par_from).unwrap(); - let mut examples = Examples(Vec::new()); - find_testable_code(&code, &mut examples, ErrorCodes::No, false, None); - for mut example in examples.0 { - apply_diff(par_to, &mut example, config_paths); - example.config.edition = Some(example.config.edition.unwrap_or(default_edition)); - example.code = make_test( - &example.code, - None, - false, - &Default::default(), - example.config.edition.unwrap(), - None, - ) - .0; - prepend_props(par_to, &mut example, config_paths); - let rs_path = par_to.join(format!("{}.rs", example.line)); - fs::create_dir_all(rs_path.parent().unwrap()).unwrap(); - fs::write(rs_path, example.code).unwrap(); - } -} - -/// Returns a set of paths to the config files for examples in the Rust books. -fn get_config_paths(book_name: &str) -> HashSet { - let config_dir: PathBuf = - ["tools", "bookrunner", "configs", "books", book_name].iter().collect(); - let mut config_paths = HashSet::new(); - if config_dir.exists() { - for entry in WalkDir::new(config_dir) { - let entry = entry.unwrap().into_path(); - if entry.is_file() { - config_paths.insert(entry); - } - } - } - config_paths -} - -/// Pretty prints the `paths` set. -fn paths_to_string(paths: HashSet) -> String { - let mut f = String::new(); - for path in paths { - f.write_fmt(format_args!(" {:?}\n", path.to_str().unwrap())).unwrap(); - } - f -} - -/// Creates a new [`bookrunner::Tree`] from `path`, and a test `result`. -fn tree_from_path(mut path: Vec, result: bool) -> bookrunner::Tree { - assert!(!path.is_empty(), "Error: `path` must contain at least 1 element."); - let mut tree = bookrunner::Tree::new( - bookrunner::Node::new( - path.pop().unwrap(), - if result { 1 } else { 0 }, - if result { 0 } else { 1 }, - ), - vec![], - ); - for _ in 0..path.len() { - tree = bookrunner::Tree::new( - bookrunner::Node::new(path.pop().unwrap(), tree.data.num_pass, tree.data.num_fail), - vec![tree], - ); - } - tree -} - -/// Parses a `litani` run and generates a bookrunner tree from it -fn parse_litani_output(path: &Path) -> bookrunner::Tree { - let file = fs::File::open(path).unwrap(); - let reader = BufReader::new(file); - let run: LitaniRun = serde_json::from_reader(reader).unwrap(); - let mut tests = - bookrunner::Tree::new(bookrunner::Node::new(String::from("bookrunner"), 0, 0), vec![]); - let pipelines = run.get_pipelines(); - for pipeline in pipelines { - let (ns, l) = parse_log_line(&pipeline); - tests = bookrunner::Tree::merge(tests, tree_from_path(ns, l)).unwrap(); - } - tests -} - -/// Parses a `litani` pipeline and returns a pair containing -/// the path to a test and its result. -fn parse_log_line(pipeline: &LitaniPipeline) -> (Vec, bool) { - let l = pipeline.get_status(); - let name = pipeline.get_name(); - let mut ns: Vec = name.split(&['/', '.'][..]).map(String::from).collect(); - // Remove unnecessary items from the path until "bookrunner" - let dash_index = ns.iter().position(|item| item == "bookrunner").unwrap(); - ns.drain(..dash_index); - // Remove unnecessary "rs" suffix. - ns.pop(); - (ns, l) -} - -/// Format and write a text version of the bookrunner report -fn generate_text_bookrunner(bookrunner: bookrunner::Tree, path: &Path) { - let bookrunner_str = format!( - "# of tests: {}\t✔️ {}\t❌ {}\n{}", - bookrunner.data.num_pass + bookrunner.data.num_fail, - bookrunner.data.num_pass, - bookrunner.data.num_fail, - bookrunner - ); - fs::write(path, bookrunner_str).expect("Error: Unable to write bookrunner results"); -} - -/// Runs examples using Litani build. -fn litani_run_tests() { - let output_prefix: PathBuf = ["build", "output"].iter().collect(); - let output_symlink: PathBuf = output_prefix.join("latest"); - let bookrunner_dir: PathBuf = ["tests", "bookrunner"].iter().collect(); - let stage_names = ["check", "codegen", "verification"]; - - util::add_kani_to_path(); - let mut litani = Litani::init("Book Runner", &stage_names, &output_prefix, &output_symlink); - - // Run all tests under the `tests/bookrunner` directory. - for entry in WalkDir::new(bookrunner_dir) { - let entry = entry.unwrap().into_path(); - if entry.is_file() { - // Ensure that we parse only Rust files by checking their extension - let entry_ext = &entry.extension().and_then(OsStr::to_str); - if let Some("rs") = entry_ext { - let test_props = util::parse_test_header(&entry); - util::add_test_pipeline(&mut litani, &test_props); - } - } - } - litani.run_build(); -} - -/// Extracts examples from the Rust books, run them through Kani, and displays -/// their results in a HTML webpage. -pub fn generate_run() { - let litani_log: PathBuf = ["build", "output", "latest", "run.json"].iter().collect(); - let text_dash: PathBuf = - ["build", "output", "latest", "html", "bookrunner.txt"].iter().collect(); - // Set up books - let books: Vec = vec![ - setup_reference_book(), - setup_nomicon_book(), - setup_unstable_book(), - setup_rust_by_example_book(), - ]; - for mut book in books { - // Parse the chapter/section hierarchy - book.parse_hierarchy(); - // Extract examples, pre-process them, and save them according to the - // parsed hierarchy - book.extract_examples(); - } - // Generate Litani's HTML bookrunner - litani_run_tests(); - // Parse Litani's output - let bookrunner = parse_litani_output(&litani_log); - // Generate text version - generate_text_bookrunner(bookrunner, &text_dash); -} diff --git a/tools/bookrunner/src/litani.rs b/tools/bookrunner/src/litani.rs deleted file mode 100644 index cefe1c4b437e..000000000000 --- a/tools/bookrunner/src/litani.rs +++ /dev/null @@ -1,249 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Utilities to interact with the `Litani` build accumulator. - -use pulldown_cmark::escape::StrWrite; -use serde::Deserialize; -use std::collections::HashMap; -use std::path::Path; -use std::process::{Child, Command}; - -/// Data structure representing a full `litani` run. -/// The same representation is used to represent a run -/// in the `run.json` (cache) file generated by `litani` -/// -/// Deserialization is performed automatically for most -/// attributes in such files, but it may require you to -/// extend it if advanced features are used (e.g., pools) -#[derive(Debug, Deserialize)] -pub struct LitaniRun { - pub aux: Option>, - pub project: String, - pub version: String, - pub version_major: u32, - pub version_minor: u32, - pub version_patch: u32, - pub release_candidate: bool, - pub run_id: String, - pub start_time: String, - pub parallelism: LitaniParalellism, - pub latest_symlink: Option, - pub end_time: String, - pub pipelines: Vec, -} - -impl LitaniRun { - pub fn get_pipelines(self) -> Vec { - self.pipelines - } -} - -#[derive(Debug, Deserialize)] -pub struct LitaniParalellism { - pub trace: Vec, - pub max_paralellism: Option, - pub n_proc: u32, -} - -#[derive(Debug, Deserialize)] -pub struct LitaniTrace { - pub running: u32, - pub finished: u32, - pub total: u32, - pub time: String, -} - -#[derive(Debug, Deserialize)] -pub struct LitaniPipeline { - pub name: String, - pub ci_stages: Vec, - pub url: String, - pub status: String, -} - -impl LitaniPipeline { - pub fn get_name(&self) -> &String { - &self.name - } - - pub fn get_status(&self) -> bool { - match self.status.as_str() { - "fail" => false, - "success" => true, - _ => panic!("pipeline status is not \"fail\" nor \"success\""), - } - } -} - -#[derive(Debug, Deserialize)] -pub struct LitaniStage { - pub jobs: Vec, - pub progress: u32, - pub complete: bool, - pub status: String, - pub url: String, - pub name: String, -} - -// Some attributes in litani's `jobs` are not always included -// or they are null, so we use `Option<...>` to deserialize them -#[derive(Debug, Deserialize)] -pub struct LitaniJob { - pub wrapper_arguments: LitaniWrapperArguments, - pub complete: bool, - pub start_time: Option, - pub timeout_reached: Option, - pub command_return_code: Option, - pub memory_trace: Option>, - pub loaded_outcome_dict: Option>, - pub outcome: Option, - pub wrapper_return_code: Option, - pub stdout: Option>, - pub stderr: Option>, - pub end_time: Option, - pub duration_str: Option, - pub duration: Option, -} - -// Some attributes in litani's `wrapper_arguments` are not always included -// or they are null, so we use `Option<...>` to deserialize them -#[derive(Debug, Deserialize)] -pub struct LitaniWrapperArguments { - pub subcommand: String, - pub verbose: bool, - pub very_verbose: bool, - pub inputs: Vec, - pub command: String, - pub outputs: Option>, - pub pipeline_name: String, - pub ci_stage: String, - pub cwd: Option, - pub timeout: Option, - pub timeout_ok: Option, - pub timeout_ignore: Option, - pub ignore_returns: Option, - pub ok_returns: Vec, - pub outcome_table: Option>, - pub interleave_stdout_stderr: bool, - pub stdout_file: Option, - pub stderr_file: Option, - pub pool: Option, - pub description: String, - pub profile_memory: bool, - pub profile_memory_interval: u32, - pub phony_outputs: Option>, - pub tags: Option, - pub status_file: String, - pub job_id: String, -} - -/// Data structure representing a `Litani` build. -pub struct Litani { - /// A buffer of the `spawn`ed Litani jobs so far. `Litani` takes some time - /// to execute each `add-job` command and executing thousands of them - /// sequentially takes a considerable amount of time. To speed up the - /// execution of those commands, we spawn those commands sequentially (as - /// normal). However, instead of `wait`ing for each process to terminate, - /// we add its handle to a buffer of the `spawn`ed processes and continue - /// with our program. Once we are done adding jobs, we wait for all of them - /// to terminate before we run the `run-build` command. - spawned_commands: Vec, -} - -impl Litani { - /// Sets up a new [`Litani`] run. - pub fn init( - project_name: &str, - stage_names: &[&str], - output_prefix: &Path, - output_symlink: &Path, - ) -> Self { - Command::new("litani") - .args([ - "init", - "--project-name", - project_name, - "--output-prefix", - output_prefix.to_str().unwrap(), - "--output-symlink", - output_symlink.to_str().unwrap(), - "--stages", - ]) - .args(stage_names) - .spawn() - .unwrap() - .wait() - .unwrap(); - Self { spawned_commands: Vec::new() } - } - - /// Adds a single command with its dependencies. - #[allow(clippy::too_many_arguments)] - pub fn add_job( - &mut self, - command: &Command, - inputs: &[&Path], - outputs: &[&Path], - description: &str, - pipeline: &str, - stage: &str, - exit_status: i32, - timeout: u32, - ) { - let mut job = Command::new("litani"); - // The given command may contain additional env vars. Prepend those vars - // to the command before passing it to Litani. - let job_envs: HashMap<_, _> = job.get_envs().collect(); - let mut new_envs = String::new(); - command.get_envs().fold(&mut new_envs, |fmt, (k, v)| { - if !job_envs.contains_key(k) { - fmt.write_fmt(format_args!( - "{}=\"{}\" ", - k.to_str().unwrap(), - v.unwrap().to_str().unwrap() - )) - .unwrap(); - } - fmt - }); - job.args([ - "add-job", - "--command", - &format!("{new_envs}{command:?}"), - "--description", - description, - "--pipeline-name", - pipeline, - "--ci-stage", - stage, - "--ok-returns", - &exit_status.to_string(), - "--timeout", - &timeout.to_string(), - ]); - if !inputs.is_empty() { - job.arg("--inputs").args(inputs); - } - if !outputs.is_empty() { - job.arg("--outputs").args(outputs).arg("--phony-outputs").args(outputs); - } - // Start executing the command, but do not wait for it to terminate. - self.spawned_commands.push(job.spawn().unwrap()); - } - - /// Starts a [`Litani`] run. - pub fn run_build(&mut self) { - // Wait for all spawned processes to terminate. - for command in self.spawned_commands.iter_mut() { - command.wait().unwrap(); - } - self.spawned_commands.clear(); - // Run `run-build` command and wait for it to finish. - Command::new("litani") - .args(["run-build", "--no-pipeline-dep-graph"]) - .spawn() - .unwrap() - .wait() - .unwrap(); - } -} diff --git a/tools/bookrunner/src/main.rs b/tools/bookrunner/src/main.rs deleted file mode 100644 index 65fd9196b365..000000000000 --- a/tools/bookrunner/src/main.rs +++ /dev/null @@ -1,13 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -#![feature(extend_one)] -#![feature(rustc_private)] - -mod bookrunner; -mod books; -mod litani; -mod util; - -fn main() { - books::generate_run(); -} diff --git a/tools/bookrunner/src/util.rs b/tools/bookrunner/src/util.rs deleted file mode 100644 index 542ad70dbc96..000000000000 --- a/tools/bookrunner/src/util.rs +++ /dev/null @@ -1,246 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Utilities types and procedures to parse and run tests. -//! -//! TODO: The types and procedures in this modules are similar to the ones in -//! `compiletest`. Consider using `Litani` to run the test suites (see -//! [issue #390](https://github.com/model-checking/kani/issues/390)). - -use crate::litani::Litani; -use std::{ - env, - fmt::{self, Display, Formatter, Write}, - fs::File, - io::{BufRead, BufReader}, - path::{Path, PathBuf}, - process::Command, -}; - -/// Step at which Kani should panic. -#[derive(PartialEq, Eq)] -pub enum FailStep { - /// Kani panics before the codegen step (up to MIR generation). This step - /// runs the same checks on the test code as `cargo check` including syntax, - /// type, name resolution, and borrow checks. - Check, - /// Kani panics at the codegen step because the test code uses unimplemented - /// and/or unsupported features. - Codegen, - /// Kani panics after the codegen step because of verification failures or - /// other CBMC errors. - Verification, -} - -impl Display for FailStep { - fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { - let str = match self { - FailStep::Check => "check", - FailStep::Codegen => "codegen", - FailStep::Verification => "verify", - }; - f.write_str(str) - } -} - -/// Data structure representing properties specific to each test. -pub struct TestProps { - pub path: PathBuf, - /// How far this test should proceed to start failing. - pub fail_step: Option, - /// Extra arguments to pass to `rustc`. - pub rustc_args: Vec, - /// Extra arguments to pass to Kani. - pub kani_args: Vec, -} - -impl TestProps { - /// Creates a new instance of [`TestProps`] for a test. - pub fn new( - path: PathBuf, - fail_step: Option, - rustc_args: Vec, - kani_args: Vec, - ) -> Self { - Self { path, fail_step, rustc_args, kani_args } - } -} - -impl Display for TestProps { - fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { - if let Some(fail_step) = &self.fail_step { - f.write_fmt(format_args!("// kani-{fail_step}-fail\n"))?; - } - if !self.rustc_args.is_empty() { - f.write_str("// compile-flags:")?; - for arg in &self.rustc_args { - f.write_fmt(format_args!(" {arg}"))?; - } - f.write_char('\n')?; - } - if !self.kani_args.is_empty() { - f.write_str("// kani-flags:")?; - for arg in &self.kani_args { - f.write_fmt(format_args!(" {arg}"))?; - } - f.write_char('\n')?; - } - Ok(()) - } -} - -/// Parses strings of the form `kani-*-fail` and returns the step at which Kani is -/// expected to panic. -fn try_parse_fail_step(cur_fail_step: Option, line: &str) -> Option { - let fail_step = if line.contains("kani-check-fail") { - Some(FailStep::Check) - } else if line.contains("kani-codegen-fail") { - Some(FailStep::Codegen) - } else if line.contains("kani-verify-fail") { - Some(FailStep::Verification) - } else { - None - }; - match (cur_fail_step.is_some(), fail_step.is_some()) { - (true, true) => panic!("Error: multiple `kani-*-fail` headers in a single test."), - (false, true) => fail_step, - _ => cur_fail_step, - } -} - -/// Parses strings of the form `-flags: ...` and returns the list of -/// arguments. -fn try_parse_args(cur_args: Vec, name: &str, line: &str) -> Vec { - let name = format!("{name}-flags:"); - let mut split = line.split(&name).skip(1); - let args: Vec = if let Some(rest) = split.next() { - rest.split_whitespace().map(String::from).collect() - } else { - Vec::new() - }; - match (cur_args.is_empty(), args.is_empty()) { - (false, false) => panic!("Error: multiple `{}-flags: ...` headers in a single test.", name), - (true, false) => args, - _ => cur_args, - } -} - -/// Parses and returns the properties in a test file. -pub fn parse_test_header(path: &Path) -> TestProps { - let mut fail_step = None; - let mut rustc_args = Vec::new(); - let mut kani_args = Vec::new(); - let it = BufReader::new(File::open(path).unwrap()); - for line in it.lines() { - let line = line.unwrap(); - let line = line.trim_start(); - if line.is_empty() { - continue; - } - if !line.starts_with("//") { - break; - } - fail_step = try_parse_fail_step(fail_step, line); - rustc_args = try_parse_args(rustc_args, "compile", line); - kani_args = try_parse_args(kani_args, "kani", line); - } - TestProps::new(path.to_path_buf(), fail_step, rustc_args, kani_args) -} - -/// Adds Kani to the current `PATH` environment variable. -pub fn add_kani_to_path() { - let cwd = env::current_dir().unwrap(); - let kani_bin = cwd.join("target").join("kani").join("bin"); - let kani_scripts = cwd.join("scripts"); - env::set_var( - "PATH", - format!("{}:{}:{}", kani_scripts.display(), kani_bin.display(), env::var("PATH").unwrap()), - ); -} - -/// Does Kani catch syntax, type, and borrow errors (if any)? -pub fn add_check_job(litani: &mut Litani, test_props: &TestProps) { - let exit_status = if test_props.fail_step == Some(FailStep::Check) { 1 } else { 0 }; - let mut kani_rustc = Command::new("kani-compiler"); - kani_rustc.args(&test_props.rustc_args).args(["-Z", "no-codegen"]).arg(&test_props.path); - - let mut phony_out = test_props.path.clone(); - phony_out.set_extension("check"); - litani.add_job( - &kani_rustc, - &[&test_props.path], - &[&phony_out], - "Is this valid Rust code?", - test_props.path.to_str().unwrap(), - "check", - exit_status, - 5, - ); -} - -/// Is Kani expected to codegen all the Rust features in the test? -pub fn add_codegen_job(litani: &mut Litani, test_props: &TestProps) { - let exit_status = if test_props.fail_step == Some(FailStep::Codegen) { 1 } else { 0 }; - let mut kani_rustc = Command::new("kani-compiler"); - kani_rustc.args(&test_props.rustc_args).args(["--out-dir", "build/tmp"]).arg(&test_props.path); - - let mut phony_in = test_props.path.clone(); - phony_in.set_extension("check"); - let mut phony_out = test_props.path.clone(); - phony_out.set_extension("codegen"); - litani.add_job( - &kani_rustc, - &[&phony_in], - &[&phony_out], - "Does Kani support all the Rust features used in it?", - test_props.path.to_str().unwrap(), - "codegen", - exit_status, - 10, - ); -} - -// Does verification pass/fail as it is expected to? -pub fn add_verification_job(litani: &mut Litani, test_props: &TestProps) { - let exit_status = if test_props.fail_step == Some(FailStep::Verification) { 10 } else { 0 }; - let mut kani = Command::new("kani"); - // Add `--function main` so we can run these without having to amend them to add `#[kani::proof]`. - // Some of test_props.kani_args will contains `--cbmc-args` so we should always put that last. - kani.arg(&test_props.path) - .args(["--enable-unstable", "--function", "main"]) - .args(&test_props.kani_args); - if !test_props.rustc_args.is_empty() { - kani.env("RUSTFLAGS", test_props.rustc_args.join(" ")); - } - - let mut phony_in = test_props.path.clone(); - phony_in.set_extension("codegen"); - litani.add_job( - &kani, - &[&phony_in], - &[], - "Can Kani reason about it?", - test_props.path.to_str().unwrap(), - "verification", - exit_status, - 60, - ); -} - -/// Creates a new pipeline for the test specified by `path` consisting of 3 -/// jobs/steps: `check`, `codegen`, and `verification`. -pub fn add_test_pipeline(litani: &mut Litani, test_props: &TestProps) { - // The first step ensures that the Rust code in the test compiles (if it is - // expected to). - add_check_job(litani, test_props); - if test_props.fail_step == Some(FailStep::Check) { - return; - } - // The second step ensures that we can codegen the code in the test. - add_codegen_job(litani, test_props); - if test_props.fail_step == Some(FailStep::Codegen) { - return; - } - // The final step ensures that CBMC can verify the code in the test. - // Notice that 10 is the expected error code for verification failure. - add_verification_job(litani, test_props); -} diff --git a/tools/build-kani/Cargo.toml b/tools/build-kani/Cargo.toml index cfaa4a6c48ad..7c8e6eef122a 100644 --- a/tools/build-kani/Cargo.toml +++ b/tools/build-kani/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "build-kani" -version = "0.45.0" +version = "0.53.0" edition = "2021" description = "Builds Kani, Sysroot and release bundle." license = "MIT OR Apache-2.0" @@ -13,4 +13,4 @@ publish = false anyhow = "1" cargo_metadata = "0.18.0" clap = { version = "4.4.11", features=["derive"] } -which = "5" +which = "6" diff --git a/tools/build-kani/src/main.rs b/tools/build-kani/src/main.rs index b94e951fe178..2c181d69d6e5 100644 --- a/tools/build-kani/src/main.rs +++ b/tools/build-kani/src/main.rs @@ -10,7 +10,7 @@ mod parser; mod sysroot; -use crate::sysroot::{build_bin, build_lib, kani_playback_lib, kani_sysroot_lib}; +use crate::sysroot::{build_bin, build_lib, kani_no_core_lib, kani_playback_lib, kani_sysroot_lib}; use anyhow::{bail, Result}; use clap::Parser; use std::{ffi::OsString, path::Path, process::Command}; @@ -19,7 +19,13 @@ fn main() -> Result<()> { let args = parser::ArgParser::parse(); match args.subcommand { - parser::Commands::BuildDev(build_parser) => build_lib(&build_bin(&build_parser.args)?), + parser::Commands::BuildDev(build_parser) => { + let bin_folder = &build_bin(&build_parser.args)?; + if !build_parser.skip_libs { + build_lib(&bin_folder)?; + } + Ok(()) + } parser::Commands::Bundle(bundle_parser) => { let version_string = bundle_parser.version; let kani_string = format!("kani-{version_string}"); @@ -96,9 +102,11 @@ fn bundle_kani(dir: &Path) -> Result<()> { // 4. Pre-compiled library files cp_dir(&kani_sysroot_lib(), dir)?; cp_dir(&kani_playback_lib().parent().unwrap(), dir)?; + cp_dir(&kani_no_core_lib().parent().unwrap(), dir)?; - // 5. Record the exact toolchain we use + // 5. Record the exact toolchain and rustc version we use std::fs::write(dir.join("rust-toolchain-version"), env!("RUSTUP_TOOLCHAIN"))?; + std::fs::write(dir.join("rustc-version"), get_rustc_version()?)?; // 6. Include a licensing note cp(Path::new("tools/build-kani/license-notes.txt"), dir)?; @@ -181,6 +189,13 @@ fn cp(src: &Path, dst: &Path) -> Result<()> { Ok(()) } +/// Record version of rustc being used to build Kani +fn get_rustc_version() -> Result { + let output = Command::new("rustc").arg("--version").output(); + let rustc_version = String::from_utf8(output.unwrap().stdout)?; + Ok(rustc_version) +} + /// Copy files from `src` to `dst` that respect the given pattern. pub fn cp_files

(src: &Path, dst: &Path, predicate: P) -> Result<()> where diff --git a/tools/build-kani/src/parser.rs b/tools/build-kani/src/parser.rs index 3f9dfa0a1d42..718cbb00bcb4 100644 --- a/tools/build-kani/src/parser.rs +++ b/tools/build-kani/src/parser.rs @@ -17,6 +17,10 @@ pub struct BuildDevParser { /// Arguments to be passed down to cargo when building cargo binaries. #[clap(value_name = "ARG", allow_hyphen_values = true)] pub args: Vec, + /// Do not re-build Kani libraries. Only use this if you know there has been no changes to Kani + /// libraries or the underlying Rust compiler. + #[clap(long)] + pub skip_libs: bool, } #[derive(Args, Debug, Eq, PartialEq)] diff --git a/tools/build-kani/src/sysroot.rs b/tools/build-kani/src/sysroot.rs index 3a6239106826..ca42fea3f441 100644 --- a/tools/build-kani/src/sysroot.rs +++ b/tools/build-kani/src/sysroot.rs @@ -55,16 +55,27 @@ pub fn kani_playback_lib() -> PathBuf { path_buf!(kani_sysroot(), "playback/lib") } +/// Returns the path to where Kani libraries for no_core is kept. +pub fn kani_no_core_lib() -> PathBuf { + path_buf!(kani_sysroot(), "no_core/lib") +} + /// Returns the path to where Kani's pre-compiled binaries are stored. fn kani_sysroot_bin() -> PathBuf { path_buf!(kani_sysroot(), "bin") } +/// Returns the build target +fn build_target() -> &'static str { + env!("TARGET") +} + /// Build the `lib/` folder and `lib-playback/` for the new sysroot. /// - The `lib/` folder contains the sysroot for verification. /// - The `lib-playback/` folder contains the sysroot used for playback. pub fn build_lib(bin_folder: &Path) -> Result<()> { let compiler_path = bin_folder.join("kani-compiler"); + build_no_core_lib(&compiler_path)?; build_verification_lib(&compiler_path)?; build_playback_lib(&compiler_path) } @@ -75,7 +86,9 @@ fn build_verification_lib(compiler_path: &Path) -> Result<()> { let extra_args = ["-Z", "build-std=panic_abort,std,test", "--config", "profile.dev.panic=\"abort\""]; let compiler_args = ["--kani-compiler", "-Cllvm-args=--ignore-global-asm --build-std"]; - build_kani_lib(compiler_path, &kani_sysroot_lib(), &extra_args, &compiler_args) + let packages = ["std", "kani", "kani_macros"]; + let artifacts = build_kani_lib(compiler_path, &packages, &extra_args, &compiler_args)?; + copy_artifacts(&artifacts, &kani_sysroot_lib(), true) } /// Build the `lib-playback/` folder that will be used during counter example playback. @@ -83,26 +96,30 @@ fn build_verification_lib(compiler_path: &Path) -> Result<()> { fn build_playback_lib(compiler_path: &Path) -> Result<()> { let extra_args = ["--features=std/concrete_playback,kani/concrete_playback", "-Z", "build-std=std,test"]; - build_kani_lib(compiler_path, &kani_playback_lib(), &extra_args, &[]) + let packages = ["std", "kani", "kani_macros"]; + let artifacts = build_kani_lib(compiler_path, &packages, &extra_args, &[])?; + copy_artifacts(&artifacts, &kani_playback_lib(), true) +} + +/// Build the no core library folder that will be used during std verification. +fn build_no_core_lib(compiler_path: &Path) -> Result<()> { + let extra_args = ["--features=kani_macros/no_core", "--features=kani_core/no_core"]; + let packages = ["kani_core", "kani_macros"]; + let artifacts = build_kani_lib(compiler_path, &packages, &extra_args, &[])?; + copy_artifacts(&artifacts, &kani_no_core_lib(), false) } fn build_kani_lib( compiler_path: &Path, - output_path: &Path, + packages: &[&str], extra_cargo_args: &[&str], extra_rustc_args: &[&str], -) -> Result<()> { +) -> Result> { // Run cargo build with -Z build-std - let target = env!("TARGET"); + let target = build_target(); let target_dir = env!("KANI_BUILD_LIBS"); let args = [ "build", - "-p", - "std", - "-p", - "kani", - "-p", - "kani_macros", "-Z", "unstable-options", "--target-dir", @@ -124,12 +141,20 @@ fn build_kani_lib( "--message-format", "json-diagnostic-rendered-ansi", ]; - let mut rustc_args = vec!["--cfg=kani", "--cfg=kani_sysroot", "-Z", "always-encode-mir"]; + let mut rustc_args = vec![ + "--cfg=kani", + "--cfg=kani_sysroot", + "-Z", + "always-encode-mir", + "-Z", + "mir-enable-passes=-RemoveStorageMarkers", + ]; rustc_args.extend_from_slice(extra_rustc_args); let mut cmd = Command::new("cargo") .env("CARGO_ENCODED_RUSTFLAGS", rustc_args.join("\x1f")) .env("RUSTC", compiler_path) .args(args) + .args(packages.iter().copied().flat_map(|pkg| ["-p", pkg])) .args(extra_cargo_args) .stdout(Stdio::piped()) .spawn() @@ -145,20 +170,24 @@ fn build_kani_lib( } // Create sysroot folder hierarchy. - copy_artifacts(&artifacts, output_path, target) + Ok(artifacts) } /// Copy all the artifacts to their correct place to generate a valid sysroot. -fn copy_artifacts(artifacts: &[Artifact], sysroot_lib: &Path, target: &str) -> Result<()> { - // Create sysroot folder hierarchy. +fn copy_artifacts(artifacts: &[Artifact], sysroot_lib: &Path, copy_std: bool) -> Result<()> { + // Create sysroot folder. sysroot_lib.exists().then(|| fs::remove_dir_all(sysroot_lib)); - let std_path = path_buf!(&sysroot_lib, "rustlib", target, "lib"); - fs::create_dir_all(&std_path).expect(&format!("Failed to create {std_path:?}")); + fs::create_dir_all(sysroot_lib)?; // Copy Kani libraries into sysroot top folder. copy_libs(&artifacts, &sysroot_lib, &is_kani_lib); + // Copy standard libraries into rustlib//lib/ folder. - copy_libs(&artifacts, &std_path, &is_std_lib); + if copy_std { + let std_path = path_buf!(&sysroot_lib, "rustlib", build_target(), "lib"); + fs::create_dir_all(&std_path).expect(&format!("Failed to create {std_path:?}")); + copy_libs(&artifacts, &std_path, &is_std_lib); + } Ok(()) } @@ -236,11 +265,11 @@ fn build_artifacts(cargo_cmd: &mut Child) -> Vec { /// Extra arguments to be given to `cargo build` while building Kani's binaries. /// Note that the following arguments are always provided: /// ```bash -/// cargo build --bins -Z unstable-options --out-dir $KANI_SYSROOT/bin/ +/// cargo build --bins -Z unstable-options --artifact-dir $KANI_SYSROOT/bin/ /// ``` pub fn build_bin>(extra_args: &[T]) -> Result { let out_dir = kani_sysroot_bin(); - let args = ["--bins", "-Z", "unstable-options", "--out-dir", out_dir.to_str().unwrap()]; + let args = ["--bins", "-Z", "unstable-options", "--artifact-dir", out_dir.to_str().unwrap()]; Command::new("cargo") .arg("build") .args(extra_args) diff --git a/tools/compiletest/src/json.rs b/tools/compiletest/src/json.rs index c46c3b3225e8..89c733abc59a 100644 --- a/tools/compiletest/src/json.rs +++ b/tools/compiletest/src/json.rs @@ -35,6 +35,7 @@ struct FutureBreakageItem { } #[derive(Deserialize, Clone)] +#[allow(dead_code)] struct DiagnosticSpanMacroExpansion { /// name of macro that was applied (e.g., "foo!" or "#[derive(Eq)]") _macro_decl_name: String, diff --git a/tools/compiletest/src/main.rs b/tools/compiletest/src/main.rs index 5418ad47f7fa..94cbd561aa51 100644 --- a/tools/compiletest/src/main.rs +++ b/tools/compiletest/src/main.rs @@ -388,7 +388,7 @@ fn collect_expected_tests_from_dir( && (file_path.to_str().unwrap().ends_with(".expected") || "expected" == file_path.file_name().unwrap()) { - fs::create_dir_all(&build_dir.join(file_path.file_stem().unwrap())).unwrap(); + fs::create_dir_all(build_dir.join(file_path.file_stem().unwrap())).unwrap(); let paths = TestPaths { file: file_path, relative_dir: relative_dir_path.to_path_buf() }; tests.push(make_test(config, &paths, inputs)); @@ -446,7 +446,7 @@ fn collect_exec_tests_from_dir( } // Create directory for test and add it to the tests to be run - fs::create_dir_all(&build_dir.join(file_path.file_stem().unwrap())).unwrap(); + fs::create_dir_all(build_dir.join(file_path.file_stem().unwrap())).unwrap(); let paths = TestPaths { file: file_path, relative_dir: relative_dir_path.to_path_buf() }; tests.push(make_test(config, &paths, inputs)); } diff --git a/tools/compiletest/src/runtest.rs b/tools/compiletest/src/runtest.rs index ee89c252dc4f..50f1e3035ac8 100644 --- a/tools/compiletest/src/runtest.rs +++ b/tools/compiletest/src/runtest.rs @@ -23,7 +23,6 @@ use std::process::{Command, ExitStatus, Output, Stdio}; use std::str; use serde::{Deserialize, Serialize}; -use serde_yaml; use tracing::*; use wait_timeout::ChildExt; @@ -273,14 +272,14 @@ impl<'test> TestCx<'test> { .arg("kani") .arg("--target-dir") .arg(self.output_base_dir().join("target")) - .current_dir(parent_dir) - .args(&self.config.extra_args); + .current_dir(parent_dir); if test { cargo.arg("--tests"); } if "expected" != self.testpaths.file.file_name().unwrap() { cargo.args(["--harness", function_name]); } + cargo.args(&self.config.extra_args); let proc_res = self.compose_and_run(cargo); self.verify_output(&proc_res, &self.testpaths.file); diff --git a/tools/scanner/Cargo.toml b/tools/scanner/Cargo.toml new file mode 100644 index 000000000000..edbd330bea47 --- /dev/null +++ b/tools/scanner/Cargo.toml @@ -0,0 +1,23 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + + +[package] +name = "scanner" +description = "A rustc extension used to scan rust features in a crate" +version = "0.0.0" +edition = "2021" +license = "MIT OR Apache-2.0" +publish = false + +[dependencies] +csv = "1.3" +serde = {version = "1", features = ["derive"]} +strum = "0.26" +strum_macros = "0.26" + +[package.metadata.rust-analyzer] +# This crate uses rustc crates. +# More info: https://github.com/rust-analyzer/rust-analyzer/pull/7891 +rustc_private = true + diff --git a/tools/scanner/build.rs b/tools/scanner/build.rs new file mode 100644 index 000000000000..775a0f507a45 --- /dev/null +++ b/tools/scanner/build.rs @@ -0,0 +1,26 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +use std::env; +use std::path::PathBuf; + +macro_rules! path_str { + ($input:expr) => { + String::from( + $input + .iter() + .collect::() + .to_str() + .unwrap_or_else(|| panic!("Invalid path {}", stringify!($input))), + ) + }; +} + +/// Configure the compiler to properly link the scanner binary with rustc's library. +pub fn main() { + // Add rustup to the rpath in order to properly link with the correct rustc version. + let rustup_home = env::var("RUSTUP_HOME").unwrap(); + let rustup_tc = env::var("RUSTUP_TOOLCHAIN").unwrap(); + let rustup_lib = path_str!([&rustup_home, "toolchains", &rustup_tc, "lib"]); + println!("cargo:rustc-link-arg-bin=scan=-Wl,-rpath,{rustup_lib}"); +} diff --git a/tools/scanner/src/analysis.rs b/tools/scanner/src/analysis.rs new file mode 100644 index 000000000000..c376af9662f8 --- /dev/null +++ b/tools/scanner/src/analysis.rs @@ -0,0 +1,629 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Provide different static analysis to be performed in the crate under compilation + +use crate::info; +use csv::WriterBuilder; +use serde::{ser::SerializeStruct, Serialize, Serializer}; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::visit::{Location, PlaceContext, PlaceRef}; +use stable_mir::mir::{ + Body, MirVisitor, Mutability, ProjectionElem, Safety, Terminator, TerminatorKind, +}; +use stable_mir::ty::{AdtDef, AdtKind, FnDef, GenericArgs, MirConst, RigidTy, Ty, TyKind}; +use stable_mir::visitor::{Visitable, Visitor}; +use stable_mir::{CrateDef, CrateItem}; +use std::collections::{HashMap, HashSet}; +use std::ops::ControlFlow; +use std::path::{Path, PathBuf}; + +#[derive(Clone, Debug)] +pub struct OverallStats { + /// The key and value of each counter. + counters: Vec<(&'static str, usize)>, + /// TODO: Group stats per function. + fn_stats: HashMap, +} + +#[derive(Clone, Debug, Serialize)] +struct FnStats { + name: String, + is_unsafe: Option, + has_unsafe_ops: Option, + has_unsupported_input: Option, + has_loop: Option, +} + +impl FnStats { + fn new(fn_item: CrateItem) -> FnStats { + FnStats { + name: fn_item.name(), + is_unsafe: None, + has_unsafe_ops: None, + has_unsupported_input: None, + // TODO: Implement this. + has_loop: None, + } + } +} + +impl OverallStats { + pub fn new() -> OverallStats { + let all_items = stable_mir::all_local_items(); + let fn_stats: HashMap<_, _> = all_items + .into_iter() + .filter_map(|item| item.ty().kind().is_fn().then_some((item, FnStats::new(item)))) + .collect(); + let counters = vec![("total_fns", fn_stats.len())]; + OverallStats { counters, fn_stats } + } + + pub fn store_csv(&self, base_path: PathBuf, file_stem: &str) { + let filename = format!("{}_overall", file_stem); + let mut out_path = base_path.parent().map_or(PathBuf::default(), Path::to_path_buf); + out_path.set_file_name(filename); + dump_csv(out_path, &self.counters); + + let filename = format!("{}_functions", file_stem); + let mut out_path = base_path.parent().map_or(PathBuf::default(), Path::to_path_buf); + out_path.set_file_name(filename); + dump_csv(out_path, &self.fn_stats.values().collect::>()); + } + + /// Iterate over all functions defined in this crate and log generic vs monomorphic. + pub fn generic_fns(&mut self) { + let all_items = stable_mir::all_local_items(); + let fn_items = + all_items.into_iter().filter(|item| item.ty().kind().is_fn()).collect::>(); + let (mono_fns, generics) = fn_items + .iter() + .partition::, _>(|fn_item| Instance::try_from(**fn_item).is_ok()); + self.counters + .extend_from_slice(&[("generic_fns", generics.len()), ("mono_fns", mono_fns.len())]); + } + + /// Iterate over all functions defined in this crate and log safe vs unsafe. + pub fn safe_fns(&mut self, _base_filename: PathBuf) { + let all_items = stable_mir::all_local_items(); + let (unsafe_fns, safe_fns) = all_items + .into_iter() + .filter_map(|item| { + let kind = item.ty().kind(); + if !kind.is_fn() { + return None; + }; + let fn_sig = kind.fn_sig().unwrap(); + let is_unsafe = fn_sig.skip_binder().safety == Safety::Unsafe; + self.fn_stats.get_mut(&item).unwrap().is_unsafe = Some(is_unsafe); + Some((item, is_unsafe)) + }) + .partition::, _>(|(_, is_unsafe)| *is_unsafe); + self.counters + .extend_from_slice(&[("safe_fns", safe_fns.len()), ("unsafe_fns", unsafe_fns.len())]); + } + + /// Iterate over all functions defined in this crate and log the inputs. + pub fn supported_inputs(&mut self, filename: PathBuf) { + let all_items = stable_mir::all_local_items(); + let (supported, unsupported) = all_items + .into_iter() + .filter_map(|item| { + let kind = item.ty().kind(); + if !kind.is_fn() { + return None; + }; + let fn_sig = kind.fn_sig().unwrap(); + let props = FnInputProps::new(item.name()).collect(fn_sig.skip_binder().inputs()); + self.fn_stats.get_mut(&item).unwrap().has_unsupported_input = + Some(!props.is_supported()); + Some(props) + }) + .partition::, _>(|props| props.is_supported()); + self.counters.extend_from_slice(&[ + ("supported_inputs", supported.len()), + ("unsupported_inputs", unsupported.len()), + ]); + dump_csv(filename, &unsupported); + } + + /// Iterate over all functions defined in this crate and log any unsafe operation. + pub fn unsafe_operations(&mut self, filename: PathBuf) { + let all_items = stable_mir::all_local_items(); + let (has_unsafe, no_unsafe) = all_items + .into_iter() + .filter_map(|item| { + let kind = item.ty().kind(); + if !kind.is_fn() { + return None; + }; + let unsafe_ops = FnUnsafeOperations::new(item.name()).collect(&item.body()); + let fn_sig = kind.fn_sig().unwrap(); + let is_unsafe = fn_sig.skip_binder().safety == Safety::Unsafe; + self.fn_stats.get_mut(&item).unwrap().has_unsafe_ops = + Some(unsafe_ops.has_unsafe()); + Some((is_unsafe, unsafe_ops)) + }) + .partition::, _>(|(_, props)| props.has_unsafe()); + self.counters.extend_from_slice(&[ + ("has_unsafe_ops", has_unsafe.len()), + ("no_unsafe_ops", no_unsafe.len()), + ("safe_abstractions", has_unsafe.iter().filter(|(is_unsafe, _)| !is_unsafe).count()), + ]); + dump_csv(filename, &has_unsafe.into_iter().map(|(_, props)| props).collect::>()); + } + + /// Iterate over all functions defined in this crate and log any loop / "hidden" loop. + /// + /// A hidden loop is a call to a iterator function that has a loop inside. + pub fn loops(&mut self, filename: PathBuf) { + let all_items = stable_mir::all_local_items(); + let (has_loops, no_loops) = all_items + .into_iter() + .filter_map(|item| { + let kind = item.ty().kind(); + if !kind.is_fn() { + return None; + }; + Some(FnLoops::new(item.name()).collect(&item.body())) + }) + .partition::, _>(|props| props.has_loops()); + self.counters + .extend_from_slice(&[("has_loops", has_loops.len()), ("no_loops", no_loops.len())]); + dump_csv(filename, &has_loops); + } + + /// Create a callgraph for this crate and try to find recursive calls. + pub fn recursion(&mut self, filename: PathBuf) { + let all_items = stable_mir::all_local_items(); + let recursions = Recursion::collect(&all_items); + self.counters.extend_from_slice(&[ + ("with_recursion", recursions.with_recursion.len()), + ("recursive_fns", recursions.recursive_fns.len()), + ]); + dump_csv( + filename, + &recursions + .with_recursion + .iter() + .map(|def| { + ( + def.name(), + if recursions.recursive_fns.contains(&def) { "recursive" } else { "" }, + ) + }) + .collect::>(), + ); + } +} + +macro_rules! fn_props { + ($(#[$attr:meta])* + struct $name:ident { + $( + $(#[$prop_attr:meta])* + $prop:ident, + )+ + }) => { + #[derive(Debug)] + struct $name { + fn_name: String, + $($(#[$prop_attr])* $prop: usize,)+ + } + + impl $name { + const fn num_props() -> usize { + [$(stringify!($prop),)+].len() + } + + fn new(fn_name: String) -> Self { + Self { fn_name, $($prop: 0,)+} + } + } + + /// Need to manually implement this, since CSV serializer does not support map (i.e.: flatten). + impl Serialize for $name { + fn serialize(&self, serializer: S) -> Result + where + S: Serializer, + { + let mut state = serializer.serialize_struct("FnInputProps", Self::num_props())?; + state.serialize_field("fn_name", &self.fn_name)?; + $(state.serialize_field(stringify!($prop), &self.$prop)?;)+ + state.end() + } + } + }; +} + +fn_props! { + struct FnInputProps { + boxes, + closures, + coroutines, + floats, + fn_defs, + fn_ptrs, + generics, + interior_muts, + raw_ptrs, + recursive_types, + mut_refs, + simd, + unions, + } +} + +impl FnInputProps { + pub fn collect(mut self, inputs: &[Ty]) -> FnInputProps { + for input in inputs { + let mut visitor = TypeVisitor { metrics: &mut self, visited: HashSet::new() }; + let _ = visitor.visit_ty(input); + } + self + } + + pub fn is_supported(&self) -> bool { + (self.closures + + self.coroutines + + self.floats + + self.fn_defs + + self.fn_ptrs + + self.interior_muts + + self.raw_ptrs + + self.recursive_types + + self.mut_refs) + == 0 + } +} + +struct TypeVisitor<'a> { + metrics: &'a mut FnInputProps, + visited: HashSet, +} + +impl<'a> TypeVisitor<'a> { + pub fn visit_variants(&mut self, def: AdtDef, _args: &GenericArgs) -> ControlFlow<()> { + for variant in def.variants_iter() { + for field in variant.fields() { + self.visit_ty(&field.ty())? + } + } + ControlFlow::Continue(()) + } +} + +impl<'a> Visitor for TypeVisitor<'a> { + type Break = (); + + fn visit_ty(&mut self, ty: &Ty) -> ControlFlow { + if self.visited.contains(ty) { + self.metrics.recursive_types += 1; + ControlFlow::Continue(()) + } else { + self.visited.insert(*ty); + let kind = ty.kind(); + match kind { + TyKind::Alias(..) => {} + TyKind::Param(_) => self.metrics.generics += 1, + TyKind::RigidTy(rigid) => match rigid { + RigidTy::Coroutine(..) => self.metrics.coroutines += 1, + RigidTy::Closure(..) => self.metrics.closures += 1, + RigidTy::FnDef(..) => self.metrics.fn_defs += 1, + RigidTy::FnPtr(..) => self.metrics.fn_ptrs += 1, + RigidTy::Float(..) => self.metrics.floats += 1, + RigidTy::RawPtr(..) => self.metrics.raw_ptrs += 1, + RigidTy::Ref(_, _, Mutability::Mut) => self.metrics.mut_refs += 1, + RigidTy::Adt(def, args) => match def.kind() { + AdtKind::Union => self.metrics.unions += 1, + _ => { + let name = def.name(); + if def.is_box() { + self.metrics.boxes += 1; + } else if name.ends_with("UnsafeCell") { + self.metrics.interior_muts += 1; + } else { + self.visit_variants(def, &args)?; + } + } + }, + _ => {} + }, + kind => unreachable!("Expected rigid type, but found: {kind:?}"), + } + ty.super_visit(self) + } + } +} + +fn dump_csv(mut out_path: PathBuf, data: &[T]) { + out_path.set_extension("csv"); + info(format!("Write file: {out_path:?}")); + let mut writer = WriterBuilder::new().delimiter(b';').from_path(&out_path).unwrap(); + for d in data { + writer.serialize(d).unwrap(); + } +} + +fn_props! { + struct FnUnsafeOperations { + inline_assembly, + /// Dereference a raw pointer. + /// This is also counted when we access a static variable since it gets translated to a raw pointer. + unsafe_dereference, + /// Call an unsafe function or method. + unsafe_call, + /// Access or modify a mutable static variable. + unsafe_static_access, + /// Access fields of unions. + unsafe_union_access, + } +} + +impl FnUnsafeOperations { + pub fn collect(self, body: &Body) -> FnUnsafeOperations { + let mut visitor = BodyVisitor { props: self, body }; + visitor.visit_body(body); + visitor.props + } + + pub fn has_unsafe(&self) -> bool { + (self.inline_assembly + + self.unsafe_static_access + + self.unsafe_dereference + + self.unsafe_union_access + + self.unsafe_call) + > 0 + } +} + +struct BodyVisitor<'a> { + props: FnUnsafeOperations, + body: &'a Body, +} + +impl<'a> MirVisitor for BodyVisitor<'a> { + fn visit_terminator(&mut self, term: &Terminator, location: Location) { + match &term.kind { + TerminatorKind::Call { func, .. } => { + let fn_sig = func.ty(self.body.locals()).unwrap().kind().fn_sig().unwrap(); + if fn_sig.value.safety == Safety::Unsafe { + self.props.unsafe_call += 1; + } + } + TerminatorKind::InlineAsm { .. } => self.props.inline_assembly += 1, + _ => { /* safe */ } + } + self.super_terminator(term, location) + } + + fn visit_projection_elem( + &mut self, + place: PlaceRef, + elem: &ProjectionElem, + ptx: PlaceContext, + location: Location, + ) { + match elem { + ProjectionElem::Deref => { + if place.ty(self.body.locals()).unwrap().kind().is_raw_ptr() { + self.props.unsafe_dereference += 1; + } + } + ProjectionElem::Field(_, ty) => { + if ty.kind().is_union() { + self.props.unsafe_union_access += 1; + } + } + ProjectionElem::Downcast(_) => {} + ProjectionElem::OpaqueCast(_) => {} + ProjectionElem::Subtype(_) => {} + ProjectionElem::Index(_) + | ProjectionElem::ConstantIndex { .. } + | ProjectionElem::Subslice { .. } => { /* safe */ } + } + self.super_projection_elem(elem, ptx, location) + } + + fn visit_mir_const(&mut self, constant: &MirConst, location: Location) { + if constant.ty().kind().is_raw_ptr() { + self.props.unsafe_static_access += 1; + } + self.super_mir_const(constant, location) + } +} + +fn_props! { + struct FnLoops { + iterators, + nested_loops, + /// TODO: Collect loops. + loops, + } +} + +impl FnLoops { + pub fn collect(self, body: &Body) -> FnLoops { + let mut visitor = IteratorVisitor { props: self, body }; + visitor.visit_body(body); + visitor.props + } + + pub fn has_loops(&self) -> bool { + (self.iterators + self.loops + self.nested_loops) > 0 + } +} + +/// Try to find hidden loops by looking for calls to Iterator functions that has a loop in them. +/// +/// Note that this will not find a loop, if the iterator is called inside a closure. +/// Run with -C opt-level 2 to help with this issue (i.e.: inline). +struct IteratorVisitor<'a> { + props: FnLoops, + body: &'a Body, +} + +impl<'a> MirVisitor for IteratorVisitor<'a> { + fn visit_terminator(&mut self, term: &Terminator, location: Location) { + if let TerminatorKind::Call { func, .. } = &term.kind { + let kind = func.ty(self.body.locals()).unwrap().kind(); + if let TyKind::RigidTy(RigidTy::FnDef(def, _)) = kind { + let fullname = def.name(); + let names = fullname.split("::").collect::>(); + if let [.., s_last, last] = names.as_slice() { + if *s_last == "Iterator" + && [ + "for_each", + "collect", + "advance_by", + "all", + "any", + "partition", + "partition_in_place", + "fold", + "try_fold", + "spec_fold", + "spec_try_fold", + "try_for_each", + "for_each", + "try_reduce", + "reduce", + "find", + "find_map", + "try_find", + "position", + "rposition", + "nth", + "count", + "last", + "find", + ] + .contains(last) + { + self.props.iterators += 1; + } + } + } + } + self.super_terminator(term, location) + } +} + +#[derive(Debug, Default)] +struct Recursion { + /// Collect the functions that may lead to a recursion loop. + /// I.e., for the following control flow graph: + /// ```dot + /// A -> B + /// B -> C + /// C -> [B, D] + /// ``` + /// this field value would contain A, B, and C since they can all lead to a recursion. + with_recursion: HashSet, + /// Collect the functions that are part of a recursion loop. + /// For the following control flow graph: + /// ```dot + /// A -> [B, C] + /// B -> B + /// C -> D + /// D -> [C, E] + /// ``` + /// The recursive functions would be B, C, and D. + recursive_fns: HashSet, +} + +impl Recursion { + pub fn collect<'a>(items: impl IntoIterator) -> Recursion { + let call_graph = items + .into_iter() + .filter_map(|item| { + if let TyKind::RigidTy(RigidTy::FnDef(def, _)) = item.ty().kind() { + let body = item.body(); + let mut visitor = FnCallVisitor { body: &body, fns: vec![] }; + visitor.visit_body(&body); + Some((def, visitor.fns)) + } else { + None + } + }) + .collect::>(); + let mut recursions = Recursion::default(); + recursions.analyze(call_graph); + recursions + } + + /// DFS post-order traversal to collect all loops in our control flow graph. + /// We only include direct call recursions which can only happen within a crate. + /// + /// # How it works + /// + /// Given a call graph, [(fn_def, [fn_def]*)]*, enqueue all existing nodes together with the + /// graph distance. + /// Keep track of the current path and the visiting status of each node. + /// For those that we have visited once, store whether a loop is reachable from them. + fn analyze(&mut self, call_graph: HashMap>) { + #[derive(Copy, Clone, PartialEq, Eq)] + enum Status { + ToVisit, + Visiting, + Visited, + } + let mut visit_status = HashMap::::new(); + let mut queue: Vec<_> = call_graph.keys().map(|node| (*node, 0)).collect(); + let mut path: Vec = vec![]; + while let Some((next, level)) = queue.last().copied() { + match visit_status.get(&next).unwrap_or(&Status::ToVisit) { + Status::ToVisit => { + assert_eq!(path.len(), level); + path.push(next); + visit_status.insert(next, Status::Visiting); + let next_level = level + 1; + if let Some(callees) = call_graph.get(&next) { + queue.extend(callees.iter().map(|callee| (*callee, next_level))); + } + } + Status::Visiting => { + if level < path.len() { + // We have visited all callees in this node. + visit_status.insert(next, Status::Visited); + path.pop(); + } else { + // Found a loop. + let mut in_loop = false; + for def in &path { + in_loop |= *def == next; + if in_loop { + self.recursive_fns.insert(*def); + } + self.with_recursion.insert(*def); + } + } + queue.pop(); + } + Status::Visited => { + queue.pop(); + if self.with_recursion.contains(&next) { + self.with_recursion.extend(&path); + } + } + } + } + } +} + +struct FnCallVisitor<'a> { + body: &'a Body, + fns: Vec, +} + +impl<'a> MirVisitor for FnCallVisitor<'a> { + fn visit_terminator(&mut self, term: &Terminator, location: Location) { + if let TerminatorKind::Call { func, .. } = &term.kind { + let kind = func.ty(self.body.locals()).unwrap().kind(); + if let TyKind::RigidTy(RigidTy::FnDef(def, _)) = kind { + self.fns.push(def); + } + } + self.super_terminator(term, location) + } +} diff --git a/tools/scanner/src/bin/scan.rs b/tools/scanner/src/bin/scan.rs new file mode 100644 index 000000000000..92b5319ec780 --- /dev/null +++ b/tools/scanner/src/bin/scan.rs @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// Modifications Copyright Kani Contributors +// See GitHub history for details. + +// This is a modified version of project-stable-mir `test-drive` +// + +//! Provide a binary that can be used as a replacement to rustc. +//! +//! Besides executing the regular compilation, this binary will run a few static analyses. +//! +//! The result for each analysis will be stored in a file with the same prefix as an object file, +//! together with the name of the analysis. +//! +//! Look at each analysis documentation to see which files an analysis produces. + +use scanner::run_all; +use std::process::ExitCode; + +// ---- Arguments that should be parsed by the test-driver (w/ "scan" prefix) +/// Enable verbose mode. +const VERBOSE_ARG: &str = "--scan-verbose"; + +/// This is a wrapper that can be used to replace rustc. +fn main() -> ExitCode { + let args = std::env::args(); + let (scan_args, rustc_args): (Vec, _) = args.partition(|arg| arg.starts_with("--scan")); + let verbose = scan_args.contains(&VERBOSE_ARG.to_string()); + run_all(rustc_args, verbose) +} diff --git a/tools/scanner/src/lib.rs b/tools/scanner/src/lib.rs new file mode 100644 index 000000000000..7f9555781ccf --- /dev/null +++ b/tools/scanner/src/lib.rs @@ -0,0 +1,103 @@ +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// Modifications Copyright Kani Contributors +// See GitHub history for details. + +// This is a modified version of project-stable-mir `test-drive` +// + +//! This library provide different ways of scanning a crate. + +#![feature(rustc_private)] + +mod analysis; + +extern crate rustc_driver; +extern crate rustc_interface; +extern crate rustc_middle; +extern crate rustc_session; +#[macro_use] +extern crate rustc_smir; +extern crate stable_mir; + +use crate::analysis::OverallStats; +use rustc_middle::ty::TyCtxt; +use rustc_session::config::OutputType; +use rustc_smir::{run_with_tcx, rustc_internal}; +use stable_mir::CompilerError; +use std::ops::ControlFlow; +use std::path::{Path, PathBuf}; +use std::process::ExitCode; +use std::sync::atomic::{AtomicBool, Ordering}; +use strum::IntoEnumIterator; +use strum_macros::{AsRefStr, EnumIter}; + +// Use a static variable for simplicity. +static VERBOSE: AtomicBool = AtomicBool::new(false); + +pub fn run_all(rustc_args: Vec, verbose: bool) -> ExitCode { + run_analyses(rustc_args, &Analysis::iter().collect::>(), verbose) +} + +/// Executes a compilation and run the analysis that were requested. +pub fn run_analyses(rustc_args: Vec, analyses: &[Analysis], verbose: bool) -> ExitCode { + VERBOSE.store(verbose, Ordering::Relaxed); + let result = run_with_tcx!(rustc_args, |tcx| analyze_crate(tcx, analyses)); + if result.is_ok() || matches!(result, Err(CompilerError::Skipped)) { + ExitCode::SUCCESS + } else { + ExitCode::FAILURE + } +} + +#[derive(AsRefStr, EnumIter, Debug, PartialEq)] +#[strum(serialize_all = "snake_case")] +pub enum Analysis { + /// Collect information about generic functions. + MonoFns, + /// Collect information about function safety. + SafeFns, + /// Collect information about function inputs. + InputTys, + /// Collect information about unsafe operations. + UnsafeOps, + /// Collect information about loops inside a function. + FnLoops, + /// Collect information about recursion via direct calls. + Recursion, +} + +fn info(msg: String) { + if VERBOSE.load(Ordering::Relaxed) { + eprintln!("[INFO] {}", msg); + } +} + +/// This function invoke the required analyses in the given order. +fn analyze_crate(tcx: TyCtxt, analyses: &[Analysis]) -> ControlFlow<()> { + let object_file = tcx.output_filenames(()).path(OutputType::Object); + let base_path = object_file.as_path().to_path_buf(); + // Use name for now to make it more friendly. Change to base_path.file_stem() to avoid conflict. + // let file_stem = base_path.file_stem().unwrap(); + let file_stem = format!("{}_scan", stable_mir::local_crate().name); + let mut crate_stats = OverallStats::new(); + for analysis in analyses { + let filename = format!("{}_{}", file_stem, analysis.as_ref()); + let mut out_path = base_path.parent().map_or(PathBuf::default(), Path::to_path_buf); + out_path.set_file_name(filename); + match analysis { + Analysis::MonoFns => { + crate_stats.generic_fns(); + } + Analysis::SafeFns => { + crate_stats.safe_fns(out_path); + } + Analysis::InputTys => crate_stats.supported_inputs(out_path), + Analysis::UnsafeOps => crate_stats.unsafe_operations(out_path), + Analysis::FnLoops => crate_stats.loops(out_path), + Analysis::Recursion => crate_stats.recursion(out_path), + } + } + crate_stats.store_csv(base_path, &file_stem); + ControlFlow::<()>::Continue(()) +}