-
Notifications
You must be signed in to change notification settings - Fork 100
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Extra tests and bug fixes to the delayed UB instrumentation (#3419)
This PR is a follow-up to #3374. It introduces the following changes: - Instrument more writes to avoid the case when points-to analysis overapproximates too much. - Add extra tests featuring safe abstractions from standard library. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.
- Loading branch information
1 parent
5aad1a9
commit fd8d844
Showing
12 changed files
with
295 additions
and
46 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Complete - 1 successfully verified harnesses, 0 failures, 1 total. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
// Copyright Kani Contributors | ||
// SPDX-License-Identifier: Apache-2.0 OR MIT | ||
// kani-flags: -Z uninit-checks | ||
|
||
//! Make sure that no false positives are generated when points-to analysis overapproximates | ||
//! aliasing. | ||
#[kani::proof] | ||
fn check_delayed_ub_overapprox() { | ||
unsafe { | ||
let mut value: u128 = 0; | ||
let value_ref = &mut value; | ||
// Perform a call to the helper before mutable pointer cast. This way, a check inserted into | ||
// the helper will pass. | ||
helper(value_ref); | ||
// Cast between two pointers of different padding, which will mark `value` as a possible | ||
// delayed UB analysis target. | ||
let ptr = value_ref as *mut _ as *mut (u8, u32, u64); | ||
*ptr = (4, 4, 4); // Note that since we never read from `value` after overwriting it, no delayed UB occurs. | ||
// Create another `value` and call helper. Note that since helper could potentially | ||
// dereference a delayed-UB pointer, an initialization check will be added to the helper. | ||
// Hence, delayed UB analysis needs to mark the value as properly initialized in shadow | ||
// memory to avoid the spurious failure. | ||
let mut value2: u128 = 0; | ||
helper(&value2); | ||
} | ||
} | ||
|
||
/// A helper that could trigger delayed UB. | ||
fn helper(reference: &u128) -> bool { | ||
*reference == 42 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Copyright Kani Contributors | ||
# SPDX-License-Identifier: Apache-2.0 OR MIT | ||
[package] | ||
name = "verify-std" | ||
version = "0.1.0" | ||
edition = "2021" | ||
description = "This crate contains contracts and harnesses for std library" | ||
|
||
[package.metadata.kani] | ||
unstable = { function-contracts = true, mem-predicates = true, uninit-checks = true } | ||
|
||
[package.metadata.kani.flags] | ||
output-format = "terse" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Complete - 5 successfully verified harnesses, 0 failures, 5 total. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Complete - 2 successfully verified harnesses, 0 failures, 2 total. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
// Copyright Kani Contributors | ||
// SPDX-License-Identifier: Apache-2.0 OR MIT | ||
|
||
extern crate kani; | ||
|
||
/// Create wrapper functions to standard library functions that contains their contract. | ||
pub mod contracts { | ||
use kani::{mem::*, requires}; | ||
|
||
/// The actual pre-condition is more complicated: | ||
/// | ||
/// "For non-zero-sized values, ... a value: *mut T that has been allocated with the Global | ||
/// allocator with Layout::for_value(&*value) may be converted into a box using | ||
/// Box::<T>::from_raw(value)." | ||
/// | ||
/// "For zero-sized values, the Box pointer still has to be valid for reads and writes and | ||
/// sufficiently aligned." | ||
#[requires(can_dereference(raw))] | ||
pub unsafe fn from_raw<T>(raw: *mut T) -> Box<T> { | ||
std::boxed::Box::from_raw(raw) | ||
} | ||
} | ||
|
||
#[cfg(kani)] | ||
mod verify { | ||
use super::*; | ||
|
||
#[kani::proof_for_contract(contracts::from_raw)] | ||
pub fn check_from_raw_u32() { | ||
let ptr = unsafe { std::alloc::alloc(std::alloc::Layout::new::<u32>()) as *mut u32 }; | ||
unsafe { ptr.write(kani::any()) }; | ||
let _ = unsafe { contracts::from_raw(ptr) }; | ||
} | ||
|
||
#[kani::proof_for_contract(contracts::from_raw)] | ||
pub fn check_from_raw_unit() { | ||
let ptr = kani::any::<usize>() as *mut (); | ||
let _ = unsafe { contracts::from_raw(ptr) }; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
// Copyright Kani Contributors | ||
// SPDX-License-Identifier: Apache-2.0 OR MIT | ||
|
||
//! Top file that includes all sub-modules mimicking std structure. | ||
extern crate kani; | ||
|
||
mod boxed; | ||
mod sync; |
Oops, something went wrong.