model-checking / kani Goto Github PK

View Code? Open in Web Editor NEW

2.1K 23.0 84.0 30.73 MB

Kani Rust Verifier

Home Page: https://model-checking.github.io/kani

License: Apache License 2.0

Rust 94.56% Python 3.27% Shell 1.87% C 0.26% C++ 0.04%

rust model-checking verification

kani's People

Contributors

Stargazers

Watchers

Forkers

adpaco-aws danielsn vecchiot-aws bdalrhm markrtuttle avanhatt chinmaydd tedinski celinval zhassan-aws nchong-at-aws nrdg42 jaisnan icodein fabiomadge seanchen1991 ronakfof tautschnig mrcodechef laplacekorea drtychai zeta1999 justusadam cardosaum djazouli voskh0d diagprov fzaiser monal sanjit-bhat yoshikitakashima giltho ssoudan isgasho nickcao crackercat lequangloc jansvejda aaronbembenek-aws pnkfelix gg-big-org qilol tetragaze rahulku feliperodri zpzigi754 qinheping karkhaz remi-delmas-3000 qsphan camshaft zulinx86 carlkcarlk kinddevil x0f5c3 phayes reisnera eternalerrors corsair-cxs binarynewts arctic-alpaca matthiaskrgr jswrenn ouz-a 5l1v3r1 bennofs muqsit-azeem v0rts jamestiotio shabbirhasan1 arbersephirotheca doytsujin scottopell tcharding nspin alexander-aghili grigorenkopv pi314mm artemagvanian jsalzbergedu cvick32 nsrknth carolynzech

kani's Issues

Regression suite: add per-test commandline options

Not implemented: gotoc-dynamic-trait-box

Dynamic trait inside a box. Test implemented: gotoc-dynamic-trait-box but currently failing/not parsing through rustc.

RMC-rustc interface: Summarize SSA interface

Summarize current SSA interface, how we might use it, what might need to be fixed.

Ensure we are using volatile correctly

According to @danielsn:

volatile has two meanings: one is just that we can't reorder or drop the access, which CBMC never does.
It might also mean that reads should return nondet, which we don't currently model.

The code for this would be in intrinsics.rs

Codegen issue: box mut dyn trait unhandled codegen_pointer_cast

use std::io::{sink, Write};

fn main() {
    let mut log : Box<dyn Write + Send> = Box::new(sink());
    let dest : Box<dyn Write + Send> = Box::new(log.as_mut());
}

Fails with an unhandled pointer cast exception.

Find a more elegant replacement for the `codegen_simple_intrinsic` macro

Relevant comment in intrinsics.rs

        // Codegens a simple intrinsic: ie. one which maps directly to a matching goto construct
        // We need to use this macro form because of a known limitation in rust
        // `codegen_simple_intrinsic!(self.get_sqrt(), Type::float())` gives the error message:
        //   error[E0499]: cannot borrow `*self` as mutable more than once at a time
        //    --> src/librustc_codegen_llvm/gotoc/intrinsic.rs:76:63
        //    |
        // 76 |                 codegen_simple_intrinsic!(self.get_sqrt(), Type::double())
        //    |                 ---- ------------------------                 ^^^^ second mutable borrow occurs here
        //    |                 |    |
        //    |                 |    first borrow later used by call
        //    |                 first mutable borrow occurs here

        //  To solve this, we need to store the `self.get_sqrt()` into a temporary variable.
        //  Using the macro form allows us to keep the call as a oneliner, while still making rust happy.

CI for regression testing

GitHub actions for regression testing and PR blocking

Implement intrinsic `assert_uninit_valid`

Determine if dynamic vtable variable should be dynamically scoped

Coordinate with SMACK team on potential shared infrastructure

Refactor: review `codegen_alloc_in_memory`

The intended semantics of the function codegen_alloc_in_memory are difficult to infer from the code and the documentation. The semantics of the Allocation type is hard to understand, so the codegen of the Allocation data is hard to trust. The definition of codegen_alloc_in_memory allows the function to be called with an Allocation and a String name, but the name may or may not be present in the symbol table. It is hard to understand why any invocation would call with the name already in the symbol table. Consider rewriting this function to do nothing but create a new symbol in the table with the bit pattern type and a bit pattern value. Consider another function that transmutes the value to the type of a symbol already in the symbol table.

Codegen issue: Cast to fat pointer

#![feature(layout_for_ptr)]                                                                        
use std::mem;                                                                                      
use std::sync::Arc;                                                                                
use std::sync::Mutex;                                                                              

pub trait Subscriber {                                                                             
    fn process(&mut self);                                                                         
    fn interest_list(&self);                                                                       
}                                                                                                  

struct DummySubscriber {                                                                           
}                                                                                                  

impl DummySubscriber {                                                                             
    fn new() -> Self {                                                                             
        DummySubscriber {}                                                                         
    }                                                                                              
}                                                                                                  

impl Subscriber for DummySubscriber {                                                              
    fn process(&mut self) {}                                                                       
    fn interest_list(&self) {}                                                                     
}                                                                                                  

fn main() {                                                                                        
    let v = unsafe { mem::size_of_val_raw(&5i32) };                                                
    assert!(v == 4);                                                                               

    let x : [u8;13] = [0; 13];                                                                     
    let y: &[u8] = &x;                                                                             
    let v = unsafe { mem::size_of_val_raw(y) };                                                    
    assert!(v == 13);                                                                              

    let s : Arc<Mutex<dyn Subscriber>> = Arc::new(Mutex::new(DummySubscriber::new()));             
}

Add support for inline ASM

Codegen issue: vtable struct with duplicate components

This test requires an additional check in struct_type() of cbmc/goto_program/typ.rs to ensure that the struct's components are unique. In this case, the vtable contains two foo fn pointers.

trait A {
    fn foo(&self) -> i32;
}

trait B {
    fn foo(&self) -> i32;
}

trait T : A + B {
}

struct S {
    x : i32,
    y : i32,
}

impl S {
    fn new(a:i32, b:i32) -> S {
        S {x:a, y:b}
    }
    fn new_box(a:i32, b:i32) -> Box<dyn T> { 
        Box::new(S::new(a,b))
    }
}


impl A for S {
    fn foo(&self) -> i32{
        self.x
    }
}

impl B for S {
    fn foo(&self) -> i32{
        self.y
    }
}

impl T for S {
}

fn main() {
    let t = S::new_box(1,2);
    let a = <dyn T as A>::foo(&*t);
    assert!(a == 1);
    let b = <dyn T as B>::foo(&*t);
    assert!(b == 2);
}

Review documentation before flipping public

Design a mechanism to assign confidence scores

For the Electrolysis-style dashboard.

Transmute sizeof failure

const SIZE1: usize = 1;
const SIZE2: usize = 2;

pub static TABLE1: [(u64, u64); SIZE1] = [
    (0, 0),
];

pub static TABLE2: [(u64, u64); SIZE2] = [
    (0, 0),
    (0, 0),
];

fn main() {
    assert!(TABLE1[0].0 == 0);
}

Fails with:

thread 'rustc' panicked at 'assertion failed: `(left == right)`
  left: `256`,
 right: `128`', compiler/rustc_codegen_llvm/src/gotoc/cbmc/goto_program/expr.rs:686

Codegen issue: Can't cast error Expr to StructTag

use std::path::Path;

fn main() {
    let path = Path::new("./foo/bar.txt");
}

Fails with a can't cast exception

We need to redesign how we handle stubbing rust code

Demangling of variable names

Can we track the name of variables so we get
main::square::vol instead of main::Shape[0]::vtable main$$Shape[0]$$vtable_impl_for_&main$$Rectangle[0]?

Cleanup: replace `location::none()` whenever possible

Grep for it, and see if there is a span we can use instead

RMC-rustc interface: prusti rustc interface

2021 week 16: rebase off upstream

`codegen_unimplemented` should assume validity constraints for its nondet return value

Ensure that every `codegen_unimplemented` feature has a matching run-make test

RMC-rustc interface: Existing proof tool interfaces to rustc

Summarize API for

Cranelift (#55)
Prusti (#56)
Crux-mir (#53)

in collaboration with their authors.

Maintain a map from functions to integers to generate fresh variables

Instead of taking a c in gen_function_local_variable, maintain a map from fname to int, and generate fresh variables that way. Actually: why is this index needed at all? It seems to be part of constructing a name, but unique names shouldn't rely on someone hand-picking the right index. Instead, a map of names should be kept, and the next available slot should be chosen.

`assert_eq!` causes 1kloc of generated code code

See the comments on gotoc-assert-eq/main.rs

Cleanup: consistent names for typing contexts

Rename typing contexts to be consistent with:

mcx = MIR typing context
gcx = GOTO typing context

Simplify code for count intrinsics in next CBMC version

There are a couple of PRs that will add support for count builtins in CBMC. This will allow the count intrinsics code in RMC to be simplified and its regression tests to be enabled.

RMC-rustc interface: Existing RMC interface to rustc

Inventory of how we're currently hooked in (what features we use)

Compiler interface: remove need to patch upstream API

Vector sort not supported

Needed in firecracker/balloon-compact example

`codegen_unimplemented` should have a parameter that decides whether to `assume(0)` to block further traces or not

Develop a prototype implementation for source-based coverage report generation

Source-based coverage report generation is an experimental feature of the Rust compiler that we need to explore further. A prototype implementation will allow us to discover any limitations that may influence the way we plan to structure the RMC testing suite.