[proofs] Initial commit #652

joshlf · 2023-11-28T17:44:38Z

Add axioms and lemmas which are useful in proving the soundness of some trait impls.

Makes progress on #429

jswrenn · 2023-11-28T18:17:37Z

src/lib.rs

-    /// field, which is `pub`. Per the reference [2], this means that the
-    /// `#[repr(transparent)]` attribute is "considered part of the public ABI".
+    /// `Wrapping<T>` is `#[repr(transparent)]` and has a single `T` field,
+    /// which is `pub`. [1] Per axiom-repr-transparent-layout-validity, we may


Should axiom-repr-transparent-layout-validity perhaps be a intradoc link? It'd give us a modest defense against proof rot.

Oooh good idea. I'll also need to make sure that our safety doc comments are actually being parsed by rustdoc.

jswrenn · 2023-11-28T18:22:02Z

src/proof_utils.rs

+//! ## transparent-layout-validity
+//!
+//! A type, `T`, has the property `transparent-layout-validity(U)` if the
+//! following all hold:
+//! - `T` and `U` have the same alignment
+//! - For all `t: *const T`, `let u = t as *const U` is valid and
+//!   `size_of_val_raw(t) == size_of_val_raw(u)`.
+//! - For all `u: *const U`, `let t = *const T` is valid and `size_of_val_raw(u)
+//!   == size_of_val_raw(t)`.
+//! - For all `(t, u): (*const T, *const U)` where `size_of_val_raw(t) ==
+//!   size_of_val_raw(u)`:
+//!   - `t` and `u` refer to `UnsafeCell`s at the same byte ranges.
+//!   - If `*t` contains a valid `T`, that implies that `*u` contains a valid
+//!     `U`.
+//!   - If `*u` contains a valid `U`, that implies that `*t` contains a valid
+//!     `T`.


Concretely:

/// A type, `T`, has the property `transparent-layout-validity(U)` if the /// following all hold: /// - `T` and `U` have the same alignment /// - For all `t: *const T`, `let u = t as *const U` is valid and /// `size_of_val_raw(t) == size_of_val_raw(u)`. /// - For all `u: *const U`, `let t = *const T` is valid and `size_of_val_raw(u) /// == size_of_val_raw(t)`. /// - For all `(t, u): (*const T, *const U)` where `size_of_val_raw(t) == /// size_of_val_raw(u)`: /// - `t` and `u` refer to `UnsafeCell`s at the same byte ranges. /// - If `*t` contains a valid `T`, that implies that `*u` contains a valid /// `U`. /// - If `*u` contains a valid `U`, that implies that `*t` contains a valid /// `T`. #[allow(unsused)] // This only exists as an anchor for intradoc links. const TRANSPARENT_LAYOUT_VALIDIDTY: () = ();

src/proof_utils.rs

Add axioms and lemmas which are useful in proving the soundness of some trait impls. Makes progress on #429

joshlf requested a review from jswrenn November 28, 2023 17:44

joshlf force-pushed the proof-cleanup branch 2 times, most recently from 2a7f1b4 to 0ccf1e2 Compare November 28, 2023 17:59

jswrenn requested changes Nov 28, 2023

View reviewed changes

joshlf force-pushed the proof-cleanup branch from 0ccf1e2 to 06e53b1 Compare November 28, 2023 19:43

[proofs] Initial commit

55cdd4d

Add axioms and lemmas which are useful in proving the soundness of some trait impls. Makes progress on #429

joshlf force-pushed the proof-cleanup branch from 06e53b1 to 55cdd4d Compare November 28, 2023 19:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[proofs] Initial commit #652

[proofs] Initial commit #652

joshlf commented Nov 28, 2023

jswrenn Nov 28, 2023

joshlf Nov 28, 2023

jswrenn Nov 28, 2023

[proofs] Initial commit #652

Are you sure you want to change the base?

[proofs] Initial commit #652

Conversation

joshlf commented Nov 28, 2023

jswrenn Nov 28, 2023

Choose a reason for hiding this comment

joshlf Nov 28, 2023

Choose a reason for hiding this comment

jswrenn Nov 28, 2023

Choose a reason for hiding this comment