-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stacked Borrows in Kani #3406
Stacked Borrows in Kani #3406
Conversation
This instrumentation also does not target optimal performance; there is no plan to use CBMC's shadow memory despite the fact that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Having Stacked Borrows instrumentation in Kani is very cool!
It seems like the code uses a version of body mutation that is quite similar to MutableBody
that we already have. I think integrating with current instrumentation (and improving it) is better than creating a different version of it. Moreover, I am not sure the instrumentation introduced in this PR actually works for any non-trivial CFG and there are no tests to convince me of the opposite.
I also added several small comments here and there.
kani-compiler/src/kani_middle/transform/check_aliasing/cached_body_mutator.rs
Outdated
Show resolved
Hide resolved
kani-compiler/src/kani_middle/transform/check_aliasing/body_mutator.rs
Outdated
Show resolved
Hide resolved
kani-compiler/src/kani_middle/transform/check_aliasing/body_mutation.rs
Outdated
Show resolved
Hide resolved
kani-compiler/src/kani_middle/transform/check_aliasing/function_cache.rs
Outdated
Show resolved
Hide resolved
kani-compiler/src/kani_middle/transform/check_aliasing/instrumentation.rs
Outdated
Show resolved
Hide resolved
kani-compiler/src/kani_middle/transform/check_aliasing/local_collection.rs
Outdated
Show resolved
Hide resolved
The control flow graph of the MIR produced from the control_flow.rs file appears correct on manual inspection.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. I think I'm almost done reviewing the library changes. Thanks for your patience!
I think it will be very helpful if you add more tests with things like structure fields, arrays, more elaborated tests as well. Even if they don't pass today, it will be helpful to know how these cases are mitigated. It will also be helpful if you can add tests where the alias analysis finds no error and one that it finds multiple errors.
kani-compiler/src/kani_middle/transform/check_aliasing/instrumentation.rs
Outdated
Show resolved
Hide resolved
ffaa0bd
into
model-checking:aliasing-checks
This PR adds stacked borrows to Kani, strengthening its model of pointers to detect violations of Rust's aliasing model.
It does this by automatically instrumenting code with hooks at every stack and heap allocation, ensuring that a live mutable pointer is never aliased.
This instrumentation is subject to several limitations:
Two phase borrows:
The rust compiler will desugar the following:
to
Marking the borrow into y as "two phase."
This may be enabled in the future via a hack (ref: https://www.ralfj.de/blog/2023/06/02/tree-borrows.html) and so the aliasing model may in the future change to accommodate these differently.
These constructs must be handled in the future to say that we have ported stacked borrows to Kani.
Currently, print statements are made; these constructs are expected to do pointer manipulation, but to no effect.
In the future, we will want to instrument all of these.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.