Challenge 13: Safety of CStr
#150
Comments
|
Edit: After discussion, we were recommended to implement the Invariant manually using @celinval We (Team 2) decided to work on this challenge for a week while waiting for Kani issue #3711 to unblock #59 Part 3. For Part 1, we are writing a safety invariant for CStr. From the doc and Kani PR#3270 we found that #[cfg(kani)]
use crate::kani;
// Struct-level CStr safety invariant
#[derive(kani::Arbitrary)] // Might be useful when verifying methods that take a CStr as input
#[derive(kani::Invariant)]
#[safety_constraint(inner.len() > 0 && inner[inner.len() - 1] == 0 && !inner[..inner.len() - 1].contains(&0))]
pub struct CStr {
// comments omitted
inner: [c_char],
}
// Test harness
// pub const fn from_bytes_until_nul(bytes: &[u8]) -> Result<&CStr, FromBytesUntilNulError>
#[kani::proof]
#[kani::unwind(16)] // Proof bounded by array length
fn check_from_bytes_until_nul() {
const ARR_LEN: usize = 16;
let mut string: [u8; ARR_LEN] = kani::any();
// ensure that there is at least one null byte
let idx: usize = kani::any_where(|x| *x >= 0 && *x < ARR_LEN);
string[idx] = 0;
let c_str = CStr::from_bytes_until_nul(&string).unwrap();
assert!(c_str.is_safe());
}However, the compilation of We thought that this should be supported in Kani 0.54.0, but we were not able to compile. How could we fix it? @rajathkotyal, @lanfeima, @MWDZ for visibility. |
|
Upon some research, The compilation error could be due to the fact we are trying to include an external dep There seems to be some ambiguity in the code / with my understanding. Some insight on this would help. |
Towards #150 ### Changes * Added a `CStr` Safety Invariant * Added a harness for `from_bytes_until_nul`, the harness covers: * The input slice contains a single null byte at the end; * The input slice contains no null bytes; * The input slice contains intermediate null bytes ### Discussion * [Safety invariant implementation](#150 (comment)) * [Input array generation](#181) ### Verification Result `./scripts/run-kani.sh --kani-args --harness ffi::c_str::verify` ``` // array size 16 Checking harness ffi::c_str::verify::check_from_bytes_until_nul... VERIFICATION RESULT: ** 0 of 140 failed (5 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 7.3023376s Complete - 1 successfully verified harnesses, 0 failures, 1 total. ``` By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.
Towards #150 Changes Added harnesses for count_bytes Verification Result ``` Checking harness ffi::c_str::verify::check_count_bytes... VERIFICATION RESULT: ** 0 of 241 failed (5 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 5.377671s ```
Towards #150 ### Changes * Added harnesses for `to_bytes` and `to_bytes_with_nul` * Added a small fix to `count_bytes` Verification Result: ``` Checking harness ffi::c_str::verify::check_to_bytes_with_nul... VERIFICATION RESULT: ** 0 of 179 failed (5 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 88.397385s Checking harness ffi::c_str::verify::check_to_bytes... VERIFICATION RESULT: ** 0 of 180 failed (5 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 79.66312s Checking harness ffi::c_str::verify::check_from_bytes_until_nul... VERIFICATION RESULT: ** 0 of 132 failed (5 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 28.593569s Complete - 3 successfully verified harnesses, 0 failures, 3 total. ```
Towards #150 ### Changes * Added a harness for `is_empty` * Added a small optimization for `arbitray_cstr` ### Verification Result ``` SUMMARY: ** 0 of 193 failed (5 unreachable) VERIFICATION:- SUCCESSFUL Verification Time: 51.462265s Complete - 1 successfully verified harnesses, 0 failures, 1 total. ```
Towards #150 Verifies that the CStr safety invariant holds after calling : from_bytes_with_nul --> core::ffi::c_str module
Challenge link: https://model-checking.github.io/verify-rust-std/challenges/0013-cstr.html
The text was updated successfully, but these errors were encountered: