diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7647990dd685..7f78dab1ece0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,10 @@ updates: directory: "/" schedule: interval: "weekly" + + - package-ecosystem: "gitsubmodule" + directory: "/" + allow: + - dependency-name: "tests/perf/s2n-quic" + schedule: + interval: "weekly" diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml index ad0bbf81f2c2..12b08eba7c9c 100644 --- a/.github/workflows/bench.yml +++ b/.github/workflows/bench.yml @@ -55,12 +55,6 @@ jobs: os: ubuntu-20.04 kani_dir: new - - name: Build Kani (new variant) - run: pushd new && cargo build-dev - - - name: Build Kani (old variant) - run: pushd old && cargo build-dev - - name: Copy benchmarks from new to old run: rm -rf ./old/tests/perf ; cp -r ./new/tests/perf ./old/tests/ diff --git a/.github/workflows/cbmc-latest.yml b/.github/workflows/cbmc-latest.yml index d8da02d21840..f707c5d558a5 100644 --- a/.github/workflows/cbmc-latest.yml +++ b/.github/workflows/cbmc-latest.yml @@ -32,10 +32,6 @@ jobs: os: ${{ matrix.os }} kani_dir: 'kani' - - name: Build Kani - working-directory: ./kani - run: cargo build-dev - - name: Checkout CBMC under "cbmc" uses: actions/checkout@v4 with: diff --git a/.github/workflows/cbmc-update.yml b/.github/workflows/cbmc-update.yml index 74d9caeb0fcf..5fe8a866c0e4 100644 --- a/.github/workflows/cbmc-update.yml +++ b/.github/workflows/cbmc-update.yml @@ -30,7 +30,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - grep ^CBMC_VERSION kani-dependencies >> $GITHUB_ENV + grep ^CBMC_VERSION kani-dependencies | sed 's/"//g' >> $GITHUB_ENV CBMC_LATEST=$(gh -R diffblue/cbmc release list | grep Latest | awk '{print $1}' | cut -f2 -d-) echo "CBMC_LATEST=$CBMC_LATEST" >> $GITHUB_ENV # check whether the version has changed at all @@ -47,8 +47,8 @@ jobs: elif ! git ls-remote --exit-code origin cbmc-$CBMC_LATEST ; then CBMC_LATEST_MAJOR=$(echo $CBMC_LATEST | cut -f1 -d.) CBMC_LATEST_MINOR=$(echo $CBMC_LATEST | cut -f2 -d.) - sed -i "s/^CBMC_MAJOR=.*/CBMC_MAJOR=\"$CBMC_MAJOR\"/" kani-dependencies - sed -i "s/^CBMC_MINOR=.*/CBMC_MINOR=\"$CBMC_MINOR\"/" kani-dependencies + sed -i "s/^CBMC_MAJOR=.*/CBMC_MAJOR=\"$CBMC_LATEST_MAJOR\"/" kani-dependencies + sed -i "s/^CBMC_MINOR=.*/CBMC_MINOR=\"$CBMC_LATEST_MINOR\"/" kani-dependencies sed -i "s/^CBMC_VERSION=.*/CBMC_VERSION=\"$CBMC_LATEST\"/" kani-dependencies git diff if ! ./scripts/kani-regression.sh ; then @@ -79,7 +79,7 @@ jobs: token: ${{ github.token }} title: 'CBMC upgrade to ${{ env.CBMC_LATEST }} failed' body: > - Updating CBMC from ${{ evn.CBMC_VERSION }} to ${{ env.CBMC_LATEST }} failed. + Updating CBMC from ${{ env.CBMC_VERSION }} to ${{ env.CBMC_LATEST }} failed. The failed automated run [can be found here.](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) diff --git a/.github/workflows/kani-m1.yml b/.github/workflows/kani-m1.yml deleted file mode 100644 index 36f2b615c4aa..000000000000 --- a/.github/workflows/kani-m1.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -# Run the regression job on Apple M1 only on commits to `main` -name: Kani CI M1 -on: - push: - branches: - - 'main' - -env: - RUST_BACKTRACE: 1 - -jobs: - regression: - runs-on: macos-13-xlarge - steps: - - name: Checkout Kani - uses: actions/checkout@v4 - - - name: Setup Kani Dependencies - uses: ./.github/actions/setup - with: - os: macos-13-xlarge - - - name: Build Kani - run: cargo build-dev - - - name: Execute Kani regression - run: ./scripts/kani-regression.sh diff --git a/.github/workflows/kani.yml b/.github/workflows/kani.yml index abdc4ee46216..dd077eff25e1 100644 --- a/.github/workflows/kani.yml +++ b/.github/workflows/kani.yml @@ -17,7 +17,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [macos-13, ubuntu-20.04, ubuntu-22.04] + os: [macos-13, ubuntu-20.04, ubuntu-22.04, macos-14] steps: - name: Checkout Kani uses: actions/checkout@v4 @@ -27,9 +27,6 @@ jobs: with: os: ${{ matrix.os }} - - name: Build Kani - run: cargo build-dev - - name: Execute Kani regression run: ./scripts/kani-regression.sh @@ -88,15 +85,12 @@ jobs: with: os: ubuntu-20.04 - - name: Build Kani using release mode - run: cargo build-dev -- --release - - name: Execute Kani performance tests run: ./scripts/kani-perf.sh env: RUST_TEST_THREADS: 1 - bookrunner: + documentation: runs-on: ubuntu-20.04 permissions: contents: write @@ -104,31 +98,6 @@ jobs: - name: Checkout Kani uses: actions/checkout@v4 - - name: Setup Kani Dependencies - uses: ./.github/actions/setup - with: - os: ubuntu-20.04 - - - name: Build Kani - run: cargo build-dev - - - name: Install book runner dependencies - run: ./scripts/setup/install_bookrunner_deps.sh - - - name: Generate book runner report - run: cargo run -p bookrunner - env: - DOC_RUST_LANG_ORG_CHANNEL: nightly - - - name: Print book runner text results - run: cat build/output/latest/html/bookrunner.txt - - - name: Print book runner failures grouped by stage - run: python3 scripts/ci/bookrunner_failures_by_stage.py build/output/latest/html/index.html - - - name: Detect unexpected book runner failures - run: ./scripts/ci/detect_bookrunner_failures.sh build/output/latest/html/bookrunner.txt - - name: Install book dependencies run: ./scripts/setup/ubuntu/install_doc_deps.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 56cb99bac960..fc8728eb308e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,6 +44,32 @@ jobs: os: macos-13 arch: x86_64-apple-darwin + build_bundle_macos_aarch64: + name: BuildBundle-MacOs-ARM + runs-on: macos-14 + permissions: + contents: write + outputs: + version: ${{ steps.bundle.outputs.version }} + bundle: ${{ steps.bundle.outputs.bundle }} + package: ${{ steps.bundle.outputs.package }} + crate_version: ${{ steps.bundle.outputs.crate_version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Kani Dependencies + uses: ./.github/actions/setup + with: + os: macos-14 + + - name: Build bundle + id: bundle + uses: ./.github/actions/build-bundle + with: + os: macos-14 + arch: aarch64-apple-darwin + build_bundle_linux: name: BuildBundle-Linux runs-on: ubuntu-20.04 @@ -101,6 +127,106 @@ jobs: os: linux arch: x86_64-unknown-linux-gnu + test-use-local-toolchain: + name: TestLocalToolchain + needs: [build_bundle_macos, build_bundle_linux] + strategy: + matrix: + os: [macos-13, ubuntu-20.04, ubuntu-22.04] + include: + - os: macos-13 + rust_target: x86_64-apple-darwin + prev_job: ${{ needs.build_bundle_macos.outputs }} + - os: ubuntu-20.04 + rust_target: x86_64-unknown-linux-gnu + prev_job: ${{ needs.build_bundle_linux.outputs }} + - os: ubuntu-22.04 + rust_target: x86_64-unknown-linux-gnu + prev_job: ${{ needs.build_bundle_linux.outputs }} + runs-on: ${{ matrix.os }} + steps: + - name: Download bundle + uses: actions/download-artifact@v3 + with: + name: ${{ matrix.prev_job.bundle }} + + - name: Download kani-verifier crate + uses: actions/download-artifact@v3 + with: + name: ${{ matrix.prev_job.package }} + + - name: Check download + run: | + ls -lh . + + - name: Get toolchain version used to setup kani + run: | + tar zxvf ${{ matrix.prev_job.bundle }} + DATE=$(cat ./kani-${{ matrix.prev_job.version }}/rust-toolchain-version | cut -d'-' -f2,3,4) + echo "Nightly date: $DATE" + echo "DATE=$DATE" >> $GITHUB_ENV + + - name: Install Kani from path + run: | + tar zxvf ${{ matrix.prev_job.package }} + cargo install --locked --path kani-verifier-${{ matrix.prev_job.crate_version }} + + - name: Create a custom toolchain directory + run: mkdir -p ${{ github.workspace }}/../custom_toolchain + + - name: Fetch the nightly tarball + run: | + echo "Downloading Rust toolchain from rust server." + curl --proto '=https' --tlsv1.2 -O https://static.rust-lang.org/dist/$DATE/rust-nightly-${{ matrix.rust_target }}.tar.gz + tar -xzf rust-nightly-${{ matrix.rust_target }}.tar.gz + ./rust-nightly-${{ matrix.rust_target }}/install.sh --prefix=${{ github.workspace }}/../custom_toolchain + + - name: Ensure installation is correct + run: | + cargo kani setup --use-local-bundle ./${{ matrix.prev_job.bundle }} --use-local-toolchain ${{ github.workspace }}/../custom_toolchain/ + + - name: Ensure that the rustup toolchain is not present + run: | + if [ ! -e "~/.rustup/toolchains/" ]; then + echo "Default toolchain file does not exist. Proceeding with running tests." + else + echo "::error::Default toolchain exists despite not installing." + exit 1 + fi + + - name: Checkout tests + uses: actions/checkout@v4 + + - name: Move rust-toolchain file to outside kani + run: | + mkdir -p ${{ github.workspace }}/../post-setup-tests + cp -r tests/cargo-ui ${{ github.workspace }}/../post-setup-tests + cp -r tests/kani/Assert ${{ github.workspace }}/../post-setup-tests + ls ${{ github.workspace }}/../post-setup-tests + + - name: Run cargo-kani tests after moving + run: | + for dir in function multiple-harnesses verbose; do + >&2 echo "Running test $dir" + pushd ${{ github.workspace }}/../post-setup-tests/cargo-ui/$dir + cargo kani + popd + done + + - name: Check --help and --version + run: | + >&2 echo "Running cargo kani --help and --version" + pushd ${{ github.workspace }}/../post-setup-tests/Assert + cargo kani --help && cargo kani --version + popd + + - name: Run standalone kani test + run: | + >&2 echo "Running test on file bool_ref" + pushd ${{ github.workspace }}/../post-setup-tests/Assert + kani bool_ref.rs + popd + test_bundle: name: TestBundle needs: [build_bundle_macos, build_bundle_linux] @@ -235,7 +361,7 @@ jobs: - name: Create release id: create_release - uses: ncipollo/release-action@v1.13.0 + uses: ncipollo/release-action@v1.14.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -284,7 +410,7 @@ jobs: OWNER: '${{ github.repository_owner }}' - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: scripts/ci/Dockerfile.bundle-release-20-04 diff --git a/.github/workflows/toolchain-upgrade.yml b/.github/workflows/toolchain-upgrade.yml index 8252bfb826e6..a4b95ea195f0 100644 --- a/.github/workflows/toolchain-upgrade.yml +++ b/.github/workflows/toolchain-upgrade.yml @@ -30,42 +30,11 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - current_toolchain_date=$(grep ^channel rust-toolchain.toml | sed 's/.*nightly-\(.*\)"/\1/') - echo "current_toolchain_date=$current_toolchain_date" >> $GITHUB_ENV - current_toolchain_epoch=$(date --date $current_toolchain_date +%s) - next_toolchain_date=$(date --date "@$(($current_toolchain_epoch + 86400))" +%Y-%m-%d) - echo "next_toolchain_date=$next_toolchain_date" >> $GITHUB_ENV - if gh issue list -S \ - "Toolchain upgrade to nightly-$next_toolchain_date failed" \ - --json number,title | grep title ; then - echo "next_step=none" >> $GITHUB_ENV - elif ! git ls-remote --exit-code origin toolchain-$next_toolchain_date ; then - echo "next_step=create_pr" >> $GITHUB_ENV - sed -i "/^channel/ s/$current_toolchain_date/$next_toolchain_date/" rust-toolchain.toml - git diff - git clone --filter=tree:0 https://github.com/rust-lang/rust rust.git - cd rust.git - current_toolchain_hash=$(curl https://static.rust-lang.org/dist/$current_toolchain_date/channel-rust-nightly-git-commit-hash.txt) - echo "current_toolchain_hash=$current_toolchain_hash" >> $GITHUB_ENV - next_toolchain_hash=$(curl https://static.rust-lang.org/dist/$next_toolchain_date/channel-rust-nightly-git-commit-hash.txt) - echo "next_toolchain_hash=$next_toolchain_hash" >> $GITHUB_ENV - EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) - echo "git_log<<$EOF" >> $GITHUB_ENV - git log --oneline $current_toolchain_hash..$next_toolchain_hash | \ - sed 's#^#https://github.com/rust-lang/rust/commit/#' >> $GITHUB_ENV - echo "$EOF" >> $GITHUB_ENV - cd .. - rm -rf rust.git - if ! cargo build-dev ; then - echo "next_step=create_issue" >> $GITHUB_ENV - else - if ! ./scripts/kani-regression.sh ; then - echo "next_step=create_issue" >> $GITHUB_ENV - fi - fi - else - echo "next_step=none" >> $GITHUB_ENV - fi + source scripts/toolchain_update.sh + + - name: Clean untracked files + run: git clean -f + - name: Create Pull Request if: ${{ env.next_step == 'create_pr' }} uses: peter-evans/create-pull-request@v6 diff --git a/.gitignore b/.gitignore index a31c86965494..a2defc0df119 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ desktop.ini Session.vim .cproject .idea +toolchains/ *.iml .vscode .project @@ -47,6 +48,10 @@ no_llvm_build /tmp/ # Created by default with `src/ci/docker/run.sh` /obj/ +# Created by kani-compiler +*.rlib +*.rmeta +*.mir ## Temporary files *~ @@ -73,10 +78,8 @@ package-lock.json tests/rustdoc-gui/src/**.lock # Before adding new lines, see the comment at the top. -/.litani_cache_dir /.ninja_deps /.ninja_log -/tests/bookrunner *Cargo.lock tests/kani-dependency-test/diamond-dependency/build tests/kani-multicrate/type-mismatch/mismatch/target diff --git a/.gitmodules b/.gitmodules index 7246d4c1e60b..b02c263a898e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,12 +1,3 @@ -[submodule "src/doc/nomicon"] - path = tools/bookrunner/rust-doc/nomicon - url = https://github.com/rust-lang/nomicon.git -[submodule "src/doc/reference"] - path = tools/bookrunner/rust-doc/reference - url = https://github.com/rust-lang/reference.git -[submodule "src/doc/rust-by-example"] - path = tools/bookrunner/rust-doc/rust-by-example - url = https://github.com/rust-lang/rust-by-example.git [submodule "firecracker"] path = firecracker url = https://github.com/firecracker-microvm/firecracker.git diff --git a/CHANGELOG.md b/CHANGELOG.md index 33baeb1ef5af..9b4acbb284aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,92 @@ This file contains notable changes (e.g. breaking changes, major changes, etc.) This file was introduced starting Kani 0.23.0, so it only contains changes from version 0.23.0 onwards. +## [0.52.0] + +## What's Changed +* New section about linter configuraton checking in the doc by @remi-delmas-3000 in https://github.com/model-checking/kani/pull/3198 +* Fix `{,e}println!()` by @GrigorenkoPV in https://github.com/model-checking/kani/pull/3209 +* Contracts for a few core functions by @celinval in https://github.com/model-checking/kani/pull/3107 +* Add simple API for shadow memory by @zhassan-aws in https://github.com/model-checking/kani/pull/3200 +* Upgrade Rust toolchain to 2024-05-28 by @zhassan-aws @remi-delmas-3000 @qinheping + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.51.0...kani-0.52.0 + +## [0.51.0] + +### What's Changed + +* Do not assume that ZST-typed symbols refer to unique objects by @tautschnig in https://github.com/model-checking/kani/pull/3134 +* Remove `kani::Arbitrary` from the `modifies` contract instrumentation by @feliperodri in https://github.com/model-checking/kani/pull/3169 +* Emit source locations whenever possible to ease debugging and coverage reporting by @tautschnig in https://github.com/model-checking/kani/pull/3173 +* Rust toolchain upgraded to `nightly-2024-04-21` by @celinval + + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.50.0...kani-0.51.0 + + +## [0.50.0] + +### Major Changes +* Fix compilation issue with proc_macro2 (v1.0.80+) and Kani v0.49.0 +(https://github.com/model-checking/kani/issues/3138). + +### What's Changed +* Implement valid value check for `write_bytes` by @celinval in +https://github.com/model-checking/kani/pull/3108 +* Rust toolchain upgraded to 2024-04-15 by @tautschnig @celinval + +**Full Changelog**: +https://github.com/model-checking/kani/compare/kani-0.49.0...kani-0.50.0 + +## [0.49.0] + +### What's Changed +* Disable removal of storage markers by @zhassan-aws in https://github.com/model-checking/kani/pull/3083 +* Ensure storage markers are kept in std code by @zhassan-aws in https://github.com/model-checking/kani/pull/3080 +* Implement validity checks by @celinval in https://github.com/model-checking/kani/pull/3085 +* Allow modifies clause for verification only by @feliperodri in https://github.com/model-checking/kani/pull/3098 +* Add optional scatterplot to benchcomp output by @tautschnig in https://github.com/model-checking/kani/pull/3077 +* Expand ${var} in benchcomp variant `env` by @karkhaz in https://github.com/model-checking/kani/pull/3090 +* Add `benchcomp filter` command by @karkhaz in https://github.com/model-checking/kani/pull/3105 +* Upgrade Rust toolchain to 2024-03-29 by @zhassan-aws @celinval @adpaco-aws @feliperodri + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.48.0...kani-0.49.0 + +## [0.48.0] + +### Major Changes +* We fixed a soundness bug that in some cases may cause Kani to not detect a use-after-free issue in https://github.com/model-checking/kani/pull/3063 + +### What's Changed +* Fix `codegen_atomic_binop` for `atomic_ptr` by @qinheping in https://github.com/model-checking/kani/pull/3047 +* Retrieve info for recursion tracker reliably by @feliperodri in https://github.com/model-checking/kani/pull/3045 +* Add `--use-local-toolchain` to Kani setup by @jaisnan in https://github.com/model-checking/kani/pull/3056 +* Replace internal reverse_postorder by a stable one by @celinval in https://github.com/model-checking/kani/pull/3064 +* Add option to override `--crate-name` from `kani` by @adpaco-aws in https://github.com/model-checking/kani/pull/3054 +* Rust toolchain upgraded to 2024-03-11 by @adpaco-ws @celinval @zyadh + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.47.0...kani-0.48.0 + +## [0.47.0] + +### What's Changed +* Upgrade toolchain to 2024-02-14 by @zhassan-aws in https://github.com/model-checking/kani/pull/3036 + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.46.0...kani-0.47.0 + +## [0.46.0] + +## What's Changed +* `modifies` Clauses for Function Contracts by @JustusAdam in https://github.com/model-checking/kani/pull/2800 +* Fix ICEs due to mismatched arguments by @celinval in https://github.com/model-checking/kani/pull/2994. Resolves the following issues: + * https://github.com/model-checking/kani/issues/2260 + * https://github.com/model-checking/kani/issues/2312 +* Enable powf*, exp*, log* intrinsics by @tautschnig in https://github.com/model-checking/kani/pull/2996 +* Upgrade Rust toolchain to nightly-2024-01-24 by @celinval @feliperodri @qinheping + +**Full Changelog**: https://github.com/model-checking/kani/compare/kani-0.45.0...kani-0.46.0 + ## [0.45.0] ## What's Changed diff --git a/Cargo.lock b/Cargo.lock index 13594113134e..8de76caa816d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2,124 +2,97 @@ # It is not intended for manual editing. version = 3 -[[package]] -name = "Inflector" -version = "0.11.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe438c63458706e03479442743baae6c88256498e6431708f6dfc520a26515d3" -dependencies = [ - "lazy_static", - "regex", -] - [[package]] name = "ahash" -version = "0.7.7" +version = "0.8.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a824f2aa7e75a0c98c5a504fceb80649e9c35265d44525b5f94de4771a395cd" +checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011" dependencies = [ - "getrandom", + "cfg-if", "once_cell", "version_check", + "zerocopy", ] [[package]] name = "aho-corasick" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" +checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916" dependencies = [ "memchr", ] [[package]] name = "anstream" -version = "0.6.11" +version = "0.6.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5" +checksum = "418c75fa768af9c03be99d17643f93f79bbba589895012a80e3452a19ddda15b" dependencies = [ "anstyle", "anstyle-parse", "anstyle-query", "anstyle-wincon", "colorchoice", + "is_terminal_polyfill", "utf8parse", ] [[package]] name = "anstyle" -version = "1.0.5" +version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2faccea4cc4ab4a667ce676a30e8ec13922a692c99bb8f5b11f1502c72e04220" +checksum = "038dfcf04a5feb68e9c60b21c9625a54c2c0616e79b72b0fd87075a056ae1d1b" [[package]] name = "anstyle-parse" -version = "0.2.3" +version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c" +checksum = "c03a11a9034d92058ceb6ee011ce58af4a9bf61491aa7e1e59ecd24bd40d22d4" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.0.2" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648" +checksum = "ad186efb764318d35165f1758e7dcef3b10628e26d41a44bc5550652e6804391" dependencies = [ - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "anstyle-wincon" -version = "3.0.2" +version = "3.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7" +checksum = "61a38449feb7068f52bb06c12759005cf459ee52bb4adc1d5a7c4322d716fb19" dependencies = [ "anstyle", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "anyhow" -version = "1.0.79" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "080e9890a082662b09c1ad45f567faeeb47f22b5fb23895fbe1e651e718e25ca" +checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da" [[package]] name = "autocfg" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" - -[[package]] -name = "bitflags" -version = "1.3.2" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "bitflags" -version = "2.4.2" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" - -[[package]] -name = "bookrunner" -version = "0.1.0" -dependencies = [ - "Inflector", - "pulldown-cmark", - "rustdoc", - "serde", - "serde_json", - "toml", - "walkdir", -] +checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "build-kani" -version = "0.45.0" +version = "0.52.0" dependencies = [ "anyhow", "cargo_metadata", @@ -129,18 +102,18 @@ dependencies = [ [[package]] name = "camino" -version = "1.1.6" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c59e92b5a388f549b863a7bea62612c09f24c8393560709a54558a9abdfb3b9c" +checksum = "e0ec6b951b160caa93cc0c7b209e5a3bff7aae9062213451ac99493cd844c239" dependencies = [ "serde", ] [[package]] name = "cargo-platform" -version = "0.1.6" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ceed8ef69d8518a5dda55c07425450b58a4e1946f4951eab6d7191ee86c2443d" +checksum = "24b1f0365a6c6bb4020cd05806fd0d33c44d38046b8bd7f0e40814b9763cabfc" dependencies = [ "serde", ] @@ -167,9 +140,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "clap" -version = "4.4.18" +version = "4.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e578d6ec4194633722ccf9544794b71b1385c3c027efe0c55db226fc880865c" +checksum = "5db83dced34638ad474f39f250d7fea9598bdd239eaced1bdf45d597da0f433f" dependencies = [ "clap_builder", "clap_derive", @@ -177,9 +150,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.4.18" +version = "4.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4df4df40ec50c46000231c914968278b1eb05098cf8f1b3a518a95030e71d1c7" +checksum = "f7e204572485eb3fbf28f871612191521df159bc3e15a9f5064c66dba3a8c05f" dependencies = [ "anstream", "anstyle", @@ -189,33 +162,33 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.4.7" +version = "4.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf9804afaaf59a91e75b022a30fb7229a7901f60c755489cc61c9b423b836442" +checksum = "c780290ccf4fb26629baa7a1081e68ced113f1d3ec302fa5948f1c381ebf06c6" dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.66", ] [[package]] name = "clap_lex" -version = "0.6.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "702fc72eb24e5a1e48ce58027a675bc24edd52096d5397d4aea7c6dd9eca0bd1" +checksum = "4b82cf0babdbd58558212896d1a4272303a57bdb245c2bf1147185fb45640e70" [[package]] name = "colorchoice" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" +checksum = "0b6a852b24ab71dffc585bcb46eaf7959d175cb865a7152e35b348d1b2960422" [[package]] name = "comfy-table" -version = "7.1.0" +version = "7.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c64043d6c7b7a4c58e39e7efccfdea7b93d885a795d0c054a69dbbf4dd52686" +checksum = "b34115915337defe99b2aff5c2ce6771e5fbc4079f4b506301f5cf394c8452f7" dependencies = [ "crossterm", "strum", @@ -250,12 +223,12 @@ dependencies = [ "lazy_static", "libc", "unicode-width", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "cprover_bindings" -version = "0.45.0" +version = "0.52.0" dependencies = [ "lazy_static", "linear-map", @@ -289,9 +262,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.19" +version = "0.8.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "248e3bacc7dc6baa3b21e405ee045c3047101a49145e7e9eca583ab4c2ca5345" +checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80" [[package]] name = "crossterm" @@ -299,7 +272,7 @@ version = "0.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f476fe445d41c9e991fd07515a6f463074b782242ccf4a5b7b1d1012e70824df" dependencies = [ - "bitflags 2.4.2", + "bitflags", "crossterm_winapi", "libc", "parking_lot", @@ -317,9 +290,9 @@ dependencies = [ [[package]] name = "either" -version = "1.9.0" +version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" +checksum = "3dca9240753cf90908d7e4aac30f630662b02aebaa1b58a3cadabdb23385b58b" [[package]] name = "encode_unicode" @@ -335,19 +308,19 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.8" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "fastrand" -version = "2.0.1" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" +checksum = "9fc0510504f03c51ada170672ac806f1f105a88aa97a5281117e1ddc3368e51a" [[package]] name = "getopts" @@ -360,9 +333,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.12" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5" +checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" dependencies = [ "cfg-if", "libc", @@ -377,24 +350,18 @@ checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" [[package]] name = "hashbrown" -version = "0.11.2" +version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e" +checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" dependencies = [ "ahash", ] -[[package]] -name = "hashbrown" -version = "0.14.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" - [[package]] name = "heck" -version = "0.4.1" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" [[package]] name = "home" @@ -402,44 +369,50 @@ version = "0.5.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" dependencies = [ - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "indexmap" -version = "2.2.2" +version = "2.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "824b2ae422412366ba479e8111fd301f7b5faece8149317bb81925979a53f520" +checksum = "168fb715dda47215e360912c096649d23d58bf392ac62f73919e831745e40f26" dependencies = [ "equivalent", - "hashbrown 0.14.3", + "hashbrown", ] +[[package]] +name = "is_terminal_polyfill" +version = "1.70.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800" + [[package]] name = "itertools" -version = "0.12.1" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569" +checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186" dependencies = [ "either", ] [[package]] name = "itoa" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" +checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" [[package]] name = "kani" -version = "0.45.0" +version = "0.52.0" dependencies = [ "kani_macros", ] [[package]] name = "kani-compiler" -version = "0.45.0" +version = "0.52.0" dependencies = [ "clap", "cprover_bindings", @@ -460,7 +433,7 @@ dependencies = [ [[package]] name = "kani-driver" -version = "0.45.0" +version = "0.52.0" dependencies = [ "anyhow", "cargo_metadata", @@ -488,26 +461,33 @@ dependencies = [ [[package]] name = "kani-verifier" -version = "0.45.0" +version = "0.52.0" dependencies = [ "anyhow", "home", "os_info", ] +[[package]] +name = "kani_core" +version = "0.52.0" +dependencies = [ + "kani_macros", +] + [[package]] name = "kani_macros" -version = "0.45.0" +version = "0.52.0" dependencies = [ "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.66", ] [[package]] name = "kani_metadata" -version = "0.45.0" +version = "0.52.0" dependencies = [ "clap", "cprover_bindings", @@ -524,9 +504,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.153" +version = "0.2.155" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" +checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" [[package]] name = "linear-map" @@ -540,15 +520,15 @@ dependencies = [ [[package]] name = "linux-raw-sys" -version = "0.4.13" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "lock_api" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" +checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" dependencies = [ "autocfg", "scopeguard", @@ -556,9 +536,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.20" +version = "0.4.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" +checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c" [[package]] name = "matchers" @@ -571,9 +551,9 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.1" +version = "2.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" +checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "memuse" @@ -593,9 +573,9 @@ dependencies = [ [[package]] name = "num" -version = "0.4.1" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b05180d69e3da0e530ba2a1dae5110317e49e3b7f3d41be227dc5f92e49ee7af" +checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23" dependencies = [ "num-bigint", "num-complex", @@ -607,39 +587,37 @@ dependencies = [ [[package]] name = "num-bigint" -version = "0.4.4" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" +checksum = "c165a9ab64cf766f73521c0dd2cfdff64f488b8f0b3e621face3462d3db536d7" dependencies = [ - "autocfg", "num-integer", "num-traits", ] [[package]] name = "num-complex" -version = "0.4.4" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ba157ca0885411de85d6ca030ba7e2a83a28636056c7c699b07c8b6f7383214" +checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495" dependencies = [ "num-traits", ] [[package]] name = "num-integer" -version = "0.1.45" +version = "0.1.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" +checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f" dependencies = [ - "autocfg", "num-traits", ] [[package]] name = "num-iter" -version = "0.1.43" +version = "0.1.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" dependencies = [ "autocfg", "num-integer", @@ -648,11 +626,10 @@ dependencies = [ [[package]] name = "num-rational" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" +checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824" dependencies = [ - "autocfg", "num-bigint", "num-integer", "num-traits", @@ -660,9 +637,9 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.17" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", ] @@ -675,12 +652,12 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "os_info" -version = "3.7.0" +version = "3.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "006e42d5b888366f1880eda20371fedde764ed2213dc8496f49622fa0c99cd5e" +checksum = "ae99c7fa6dd38c7cafe1ec085e804f8f555a2f8659b0dbe03f1f9963a9b51092" dependencies = [ "log", - "winapi", + "windows-sys", ] [[package]] @@ -691,9 +668,9 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" [[package]] name = "parking_lot" -version = "0.12.1" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" +checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" dependencies = [ "lock_api", "parking_lot_core", @@ -701,15 +678,15 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.9" +version = "0.9.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" +checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", "redox_syscall", "smallvec", - "windows-targets 0.48.5", + "windows-targets", ] [[package]] @@ -720,9 +697,9 @@ checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" [[package]] name = "pin-project-lite" -version = "0.2.13" +version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58" +checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" [[package]] name = "ppv-lite86" @@ -756,29 +733,18 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.78" +version = "1.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" +checksum = "22244ce15aa966053a896d1accb3a6e68469b97c7f33f284b99f0d576879fc23" dependencies = [ "unicode-ident", ] -[[package]] -name = "pulldown-cmark" -version = "0.9.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57206b407293d2bcd3af849ce869d52068623f19e1b5ff8e8778e3309439682b" -dependencies = [ - "bitflags 2.4.2", - "memchr", - "unicase", -] - [[package]] name = "quote" -version = "1.0.35" +version = "1.0.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" +checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" dependencies = [ "proc-macro2", ] @@ -815,9 +781,9 @@ dependencies = [ [[package]] name = "rayon" -version = "1.8.1" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa7237101a77a10773db45d62004a272517633fbcc3df19d96455ede1122e051" +checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa" dependencies = [ "either", "rayon-core", @@ -835,23 +801,23 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.4.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +checksum = "c82cf8cff14456045f55ec4241383baeff27af886adb72ffb2162f99911de0fd" dependencies = [ - "bitflags 1.3.2", + "bitflags", ] [[package]] name = "regex" -version = "1.10.3" +version = "1.10.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b62dbe01f0b06f9d8dc7d49e05a0785f153b00b2c227856282f671e0318c9b15" +checksum = "b91213439dad192326a0d7c6ee3955910425f441d7038e0d6933b0aec5c4517f" dependencies = [ "aho-corasick", "memchr", - "regex-automata 0.4.5", - "regex-syntax 0.8.2", + "regex-automata 0.4.7", + "regex-syntax 0.8.4", ] [[package]] @@ -865,13 +831,13 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.5" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bb987efffd3c6d0d8f5f89510bb458559eab11e4f869acb20bf845e016259cd" +checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df" dependencies = [ "aho-corasick", "memchr", - "regex-syntax 0.8.2", + "regex-syntax 0.8.4", ] [[package]] @@ -882,47 +848,40 @@ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" [[package]] name = "regex-syntax" -version = "0.8.2" +version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" +checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" [[package]] name = "rustc-demangle" -version = "0.1.23" +version = "0.1.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" - -[[package]] -name = "rustdoc" -version = "0.0.0" -dependencies = [ - "pulldown-cmark", -] +checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f" [[package]] name = "rustix" -version = "0.38.31" +version = "0.38.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ea3e1a662af26cd7a3ba09c0297a31af215563ecf42817c98df621387f4e949" +checksum = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f" dependencies = [ - "bitflags 2.4.2", + "bitflags", "errno", "libc", "linux-raw-sys", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "rustversion" -version = "1.0.14" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" +checksum = "955d28af4278de8121b7ebeb796b6a45735dc01436d898801014aced2773a3d6" [[package]] name = "ryu" -version = "1.0.16" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c" +checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" [[package]] name = "same-file" @@ -941,38 +900,38 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "semver" -version = "1.0.21" +version = "1.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0" +checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" dependencies = [ "serde", ] [[package]] name = "serde" -version = "1.0.196" +version = "1.0.203" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32" +checksum = "7253ab4de971e72fb7be983802300c30b5a7f0c2e56fab8abfc6a214307c0094" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.196" +version = "1.0.203" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67" +checksum = "500cbc0ebeb6f46627f50f3f5811ccf6bf00643be300b4c3eabc0ef55dc5b5ba" dependencies = [ "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.66", ] [[package]] name = "serde_json" -version = "1.0.113" +version = "1.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69801b70b1c3dac963ecb03a364ba0ceda9cf60c71cfe475e99864759c8b8a79" +checksum = "455182ea6142b14f93f4bc5320a2b31c1f266b66a4a5c858b013302a5d8cbfc3" dependencies = [ "itoa", "ryu", @@ -981,9 +940,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "0.6.5" +version = "0.6.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb3622f419d1296904700073ea6cc23ad690adbd66f13ea683df73298736f0c1" +checksum = "79e674e01f999af37c49f70a6ede167a8a60b2503e56c5599532a65baa5969a0" dependencies = [ "serde", ] @@ -999,9 +958,9 @@ dependencies = [ [[package]] name = "serde_yaml" -version = "0.9.31" +version = "0.9.34+deprecated" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "adf8a49373e98a4c5f0ceb5d05aa7c648d75f63774981ed95b7c7443bbd50c6e" +checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47" dependencies = [ "indexmap", "itoa", @@ -1027,51 +986,51 @@ checksum = "24188a676b6ae68c3b2cb3a01be17fbf7240ce009799bb56d5b1409051e78fde" [[package]] name = "smallvec" -version = "1.13.1" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "std" -version = "0.45.0" +version = "0.52.0" dependencies = [ "kani", ] [[package]] name = "string-interner" -version = "0.14.0" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91e2531d8525b29b514d25e275a43581320d587b86db302b9a7e464bac579648" +checksum = "1c6a0d765f5807e98a091107bae0a56ea3799f66a5de47b2c84c94a39c09974e" dependencies = [ "cfg-if", - "hashbrown 0.11.2", + "hashbrown", "serde", ] [[package]] name = "strsim" -version = "0.10.0" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "strum" -version = "0.25.0" +version = "0.26.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" +checksum = "5d8cec3501a5194c432b2b7976db6b7d10ec95c253208b45f83f7136aa985e29" [[package]] name = "strum_macros" -version = "0.25.3" +version = "0.26.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0" +checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be" dependencies = [ "heck", "proc-macro2", "quote", "rustversion", - "syn 2.0.48", + "syn 2.0.66", ] [[package]] @@ -1086,9 +1045,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.48" +version = "2.0.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" +checksum = "c42f3f41a2de00b01c0aaad383c5a45241efc8b2d1eda5661812fda5f3cdcff5" dependencies = [ "proc-macro2", "quote", @@ -1097,42 +1056,41 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.9.0" +version = "3.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01ce4141aa927a6d1bd34a041795abd0db1cccba5d5f24b009f694bdf3a1f3fa" +checksum = "85b77fafb263dd9d05cbeac119526425676db3784113aa9295c88498cbf8bff1" dependencies = [ "cfg-if", "fastrand", - "redox_syscall", "rustix", - "windows-sys 0.52.0", + "windows-sys", ] [[package]] name = "thiserror" -version = "1.0.56" +version = "1.0.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d54378c645627613241d077a3a79db965db602882668f9136ac42af9ecb730ad" +checksum = "c546c80d6be4bc6a00c0f01730c08df82eaa7a7a61f11d656526506112cc1709" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.56" +version = "1.0.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa0faa943b50f3db30a20aa7e265dbc66076993efed8463e8de414e5d06d3471" +checksum = "46c3384250002a6d5af4d114f2845d37b57521033f30d5c3f46c4d70e1197533" dependencies = [ "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.66", ] [[package]] name = "thread_local" -version = "1.1.7" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdd6f064ccff2d6567adcb3873ca630700f00b5ad3f060c25b5dcfd9a4ce152" +checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c" dependencies = [ "cfg-if", "once_cell", @@ -1140,9 +1098,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.9" +version = "0.8.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6a4b9e8023eb94392d3dca65d717c53abc5dad49c07cb65bb8fcd87115fa325" +checksum = "6f49eb2ab21d2f26bd6db7bf383edc527a7ebaee412d17af4d40fdccd442f335" dependencies = [ "serde", "serde_spanned", @@ -1152,18 +1110,18 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.6.5" +version = "0.6.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3550f4e9685620ac18a50ed434eb3aec30db8ba93b0287467bca5826ea25baf1" +checksum = "4badfd56924ae69bcc9039335b2e017639ce3f9b001c393c1b2d1ef846ce2cbf" dependencies = [ "serde", ] [[package]] name = "toml_edit" -version = "0.21.1" +version = "0.22.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a8534fd7f78b5405e860340ad6575217ce99f38d4d5c8f2442cb5ecb50090e1" +checksum = "f21c7aaf97f1bd9ca9d4f9e73b0a6c74bd5afef56f2bc931943a6e1c37e04e38" dependencies = [ "indexmap", "serde", @@ -1191,7 +1149,7 @@ checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.48", + "syn 2.0.66", ] [[package]] @@ -1247,15 +1205,6 @@ dependencies = [ "tracing-serde", ] -[[package]] -name = "unicase" -version = "2.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f7d2d4dafb69621809a81864c9c1b864479e1235c0dd4e199924b9742439ed89" -dependencies = [ - "version_check", -] - [[package]] name = "unicode-ident" version = "1.0.12" @@ -1264,21 +1213,21 @@ checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unicode-width" -version = "0.1.11" +version = "0.1.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85" +checksum = "0336d538f7abc86d282a4189614dfaa90810dfc2c6f6427eaf88e16311dd225d" [[package]] name = "unsafe-libyaml" -version = "0.2.10" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b" +checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861" [[package]] name = "utf8parse" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" +checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "valuable" @@ -1303,9 +1252,9 @@ dependencies = [ [[package]] name = "walkdir" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d71d857dc86794ca4c280d616f7da00d2dbfd8cd788846559a6813e6aa4b54ee" +checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b" dependencies = [ "same-file", "winapi-util", @@ -1319,15 +1268,14 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "which" -version = "5.0.0" +version = "6.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9bf3ea8596f3a0dd5980b46430f2058dfe2c36a27ccfbb1845d6fbfcd9ba6e14" +checksum = "8211e4f58a2b2805adfbefbc07bab82958fc91e3836339b1ab7ae32465dce0d7" dependencies = [ "either", "home", - "once_cell", "rustix", - "windows-sys 0.48.0", + "winsafe", ] [[package]] @@ -1348,11 +1296,11 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" [[package]] name = "winapi-util" -version = "0.1.6" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596" +checksum = "4d4cc384e1e73b93bafa6fb4f1df8c41695c8a91cf9c4c64358067d15a7b6c6b" dependencies = [ - "winapi", + "windows-sys", ] [[package]] @@ -1361,143 +1309,110 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" -[[package]] -name = "windows-sys" -version = "0.48.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" -dependencies = [ - "windows-targets 0.48.5", -] - [[package]] name = "windows-sys" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets 0.52.0", -] - -[[package]] -name = "windows-targets" -version = "0.48.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" -dependencies = [ - "windows_aarch64_gnullvm 0.48.5", - "windows_aarch64_msvc 0.48.5", - "windows_i686_gnu 0.48.5", - "windows_i686_msvc 0.48.5", - "windows_x86_64_gnu 0.48.5", - "windows_x86_64_gnullvm 0.48.5", - "windows_x86_64_msvc 0.48.5", + "windows-targets", ] [[package]] name = "windows-targets" -version = "0.52.0" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" +checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" dependencies = [ - "windows_aarch64_gnullvm 0.52.0", - "windows_aarch64_msvc 0.52.0", - "windows_i686_gnu 0.52.0", - "windows_i686_msvc 0.52.0", - "windows_x86_64_gnu 0.52.0", - "windows_x86_64_gnullvm 0.52.0", - "windows_x86_64_msvc 0.52.0", + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_gnullvm", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", ] [[package]] name = "windows_aarch64_gnullvm" -version = "0.48.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" - -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.52.0" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" +checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" [[package]] name = "windows_aarch64_msvc" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" - -[[package]] -name = "windows_aarch64_msvc" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" - -[[package]] -name = "windows_i686_gnu" -version = "0.48.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" [[package]] name = "windows_i686_gnu" -version = "0.52.0" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" +checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" [[package]] -name = "windows_i686_msvc" -version = "0.48.5" +name = "windows_i686_gnullvm" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" +checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" [[package]] name = "windows_i686_msvc" -version = "0.52.0" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" +checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" [[package]] name = "windows_x86_64_gnu" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" [[package]] -name = "windows_x86_64_gnu" -version = "0.52.0" +name = "windows_x86_64_gnullvm" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" +checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" [[package]] -name = "windows_x86_64_gnullvm" -version = "0.48.5" +name = "windows_x86_64_msvc" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" +checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" [[package]] -name = "windows_x86_64_gnullvm" -version = "0.52.0" +name = "winnow" +version = "0.6.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" +checksum = "59b5e5f6c299a3c7890b876a2a587f3115162487e704907d9b6cd29473052ba1" +dependencies = [ + "memchr", +] [[package]] -name = "windows_x86_64_msvc" -version = "0.48.5" +name = "winsafe" +version = "0.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" +checksum = "d135d17ab770252ad95e9a872d365cf3090e3be864a34ab46f48555993efc904" [[package]] -name = "windows_x86_64_msvc" -version = "0.52.0" +name = "zerocopy" +version = "0.7.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" +checksum = "ae87e3fcd617500e5d106f0380cf7b77f3c6092aae37191433159dda23cfb087" +dependencies = [ + "zerocopy-derive", +] [[package]] -name = "winnow" -version = "0.5.37" +name = "zerocopy-derive" +version = "0.7.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7cad8365489051ae9f054164e459304af2e7e9bb407c958076c8bf4aef52da5" +checksum = "15e934569e47891f7d9411f1a451d947a60e000ab3bd24fbb970f000387d1b3b" dependencies = [ - "memchr", + "proc-macro2", + "quote", + "syn 2.0.66", ] diff --git a/Cargo.toml b/Cargo.toml index df9559e378b6..641cbaf961be 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani-verifier" -version = "0.45.0" +version = "0.52.0" edition = "2021" description = "A bit-precise model checker for Rust." readme = "README.md" @@ -38,14 +38,12 @@ strip = "debuginfo" members = [ "library/kani", "library/std", - "tools/bookrunner", "tools/compiletest", "tools/build-kani", "kani-driver", "kani-compiler", "kani_metadata", - # `librustdoc` is still needed by bookrunner. - "tools/bookrunner/librustdoc", + "library/kani_core", ] # This indicates what package to e.g. build with 'cargo build' without --workspace @@ -65,8 +63,10 @@ exclude = [ "tests/perf", "tests/cargo-ui", "tests/slow", + "tests/std-checks", "tests/assess-scan-test-scaffold", "tests/script-based-pre", "tests/script-based-pre/build-cache-bin/target/new_dep", "tests/script-based-pre/build-cache-dirty/target/new_dep", + "tests/script-based-pre/verify_std_cmd/tmp_dir/target/kani_verify_std", ] diff --git a/cprover_bindings/Cargo.toml b/cprover_bindings/Cargo.toml index 5205872f6788..63dfbf6781cd 100644 --- a/cprover_bindings/Cargo.toml +++ b/cprover_bindings/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "cprover_bindings" -version = "0.45.0" +version = "0.52.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -17,7 +17,7 @@ lazy_static = "1.4.0" num = "0.4.0" num-traits = "0.2" serde = {version = "1", features = ["derive"]} -string-interner = "0.14.0" +string-interner = "0.17.0" tracing = "0.1" linear-map = {version = "1.2", features = ["serde_impl"]} diff --git a/cprover_bindings/src/cbmc_string.rs b/cprover_bindings/src/cbmc_string.rs index b487b7615122..4c392f647759 100644 --- a/cprover_bindings/src/cbmc_string.rs +++ b/cprover_bindings/src/cbmc_string.rs @@ -3,6 +3,7 @@ use lazy_static::lazy_static; use std::sync::Mutex; +use string_interner::backend::StringBackend; use string_interner::symbol::SymbolU32; use string_interner::StringInterner; @@ -24,7 +25,8 @@ pub struct InternedString(SymbolU32); // Use a `Mutex` to make this thread safe. lazy_static! { - static ref INTERNER: Mutex = Mutex::new(StringInterner::default()); + static ref INTERNER: Mutex> = + Mutex::new(StringInterner::default()); } impl InternedString { diff --git a/cprover_bindings/src/goto_program/builtin.rs b/cprover_bindings/src/goto_program/builtin.rs index 438bc2eea1e9..a0c1f211b5e2 100644 --- a/cprover_bindings/src/goto_program/builtin.rs +++ b/cprover_bindings/src/goto_program/builtin.rs @@ -4,6 +4,8 @@ use self::BuiltinFn::*; use super::{Expr, Location, Symbol, Type}; +use std::fmt::Display; + #[derive(Debug, Clone, Copy)] pub enum BuiltinFn { Abort, @@ -67,9 +69,9 @@ pub enum BuiltinFn { Unlink, } -impl ToString for BuiltinFn { - fn to_string(&self) -> String { - match self { +impl Display for BuiltinFn { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + let func = match self { Abort => "abort", Assert => "assert", CProverAssume => "__CPROVER_assume", @@ -129,8 +131,8 @@ impl ToString for BuiltinFn { Trunc => "trunc", Truncf => "truncf", Unlink => "unlink", - } - .to_string() + }; + write!(f, "{func}") } } diff --git a/cprover_bindings/src/goto_program/expr.rs b/cprover_bindings/src/goto_program/expr.rs index b6ad7a041d11..75eb18df0abb 100644 --- a/cprover_bindings/src/goto_program/expr.rs +++ b/cprover_bindings/src/goto_program/expr.rs @@ -126,6 +126,10 @@ pub enum ExprValue { Nondet, /// `NULL` PointerConstant(u64), + ReadOk { + ptr: Expr, + size: Expr, + }, // `op++` etc SelfOp { op: SelfOperator, @@ -136,6 +140,7 @@ pub enum ExprValue { /// `({ op1; op2; ...})` StatementExpression { statements: Vec, + location: Location, }, /// A raw string constant. Note that you normally actually want a pointer to the first element. /// `"s"` @@ -385,6 +390,7 @@ impl Expr { source.is_integer() || source.is_pointer() || source.is_bool() } else if target.is_integer() { source.is_c_bool() + || source.is_bool() || source.is_integer() || source.is_floating_point() || source.is_pointer() @@ -508,13 +514,13 @@ impl Expr { /// `(typ) self`. pub fn cast_to(self, typ: Type) -> Self { - assert!(self.can_cast_to(&typ), "Can't cast\n\n{self:?} ({:?})\n\n{typ:?}", self.typ); if self.typ == typ { self } else if typ.is_bool() { let zero = self.typ.zero(); self.neq(zero) } else { + assert!(self.can_cast_to(&typ), "Can't cast\n\n{self:?} ({:?})\n\n{typ:?}", self.typ); expr!(Typecast(self), typ) } } @@ -688,7 +694,8 @@ impl Expr { pub fn call(self, arguments: Vec) -> Self { assert!( Expr::typecheck_call(&self, &arguments), - "Function call does not type check:\nfunc: {self:?}\nargs: {arguments:?}" + "Function call does not type check:\nfunc params: {:?}\nargs: {arguments:?}", + self.typ().parameters().unwrap_or(&vec![]) ); let typ = self.typ().return_type().unwrap().clone(); expr!(FunctionCall { function: self, arguments }, typ) @@ -716,6 +723,14 @@ impl Expr { expr!(Nondet, typ) } + /// `read_ok(ptr, size)` + pub fn read_ok(ptr: Expr, size: Expr) -> Self { + assert_eq!(*ptr.typ(), Type::void_pointer()); + assert_eq!(*size.typ(), Type::size_t()); + + expr!(ReadOk { ptr, size }, Type::bool()) + } + /// `e.g. NULL` pub fn pointer_constant(c: u64, typ: Type) -> Self { assert!(typ.is_pointer()); @@ -725,10 +740,10 @@ impl Expr { /// /// e.g. `({ int y = foo (); int z; if (y > 0) z = y; else z = - y; z; })` /// `({ op1; op2; ...})` - pub fn statement_expression(ops: Vec, typ: Type) -> Self { + pub fn statement_expression(ops: Vec, typ: Type, loc: Location) -> Self { assert!(!ops.is_empty()); assert_eq!(ops.last().unwrap().get_expression().unwrap().typ, typ); - expr!(StatementExpression { statements: ops }, typ) + expr!(StatementExpression { statements: ops, location: loc }, typ).with_location(loc) } /// Internal helper function for Struct initalizer @@ -1041,6 +1056,7 @@ impl Expr { /// ). /// The signedness doesn't matter, as the result for each element is /// either "all ones" (true) or "all zeros" (false). + /// /// For example, one can use `simd_eq` on two `f64x4` vectors and assign the /// result to a `u64x4` vector. But it's not possible to assign it to: (1) a /// `u64x2` because they don't have the same length; or (2) another `f64x4` @@ -1317,11 +1333,11 @@ impl Expr { fn unop_return_type(op: UnaryOperator, arg: &Expr) -> Type { match op { Bitnot | BitReverse | Bswap | UnaryMinus => arg.typ.clone(), - CountLeadingZeros { .. } | CountTrailingZeros { .. } => arg.typ.clone(), + CountLeadingZeros { .. } | CountTrailingZeros { .. } => Type::unsigned_int(32), ObjectSize | PointerObject => Type::size_t(), PointerOffset => Type::ssize_t(), IsDynamicObject | IsFinite | Not => Type::bool(), - Popcount => arg.typ.clone(), + Popcount => Type::unsigned_int(32), } } /// Private helper function to make unary operators @@ -1651,7 +1667,7 @@ impl Expr { continue; } let name = field.name(); - exprs.insert(name, self.clone().member(&name.to_string(), symbol_table)); + exprs.insert(name, self.clone().member(name.to_string(), symbol_table)); } } } diff --git a/cprover_bindings/src/goto_program/location.rs b/cprover_bindings/src/goto_program/location.rs index 79b123ad8b0e..4097d075276d 100644 --- a/cprover_bindings/src/goto_program/location.rs +++ b/cprover_bindings/src/goto_program/location.rs @@ -1,7 +1,6 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::cbmc_string::{InternStringOption, InternedString}; -use std::convert::TryInto; use std::fmt::Debug; /// A `Location` represents a source location. diff --git a/cprover_bindings/src/goto_program/stmt.rs b/cprover_bindings/src/goto_program/stmt.rs index 58755a0bffae..951e58f9a954 100644 --- a/cprover_bindings/src/goto_program/stmt.rs +++ b/cprover_bindings/src/goto_program/stmt.rs @@ -57,6 +57,8 @@ pub enum StmtBody { Break, /// `continue;` Continue, + /// End-of-life of a local variable + Dead(Expr), /// `lhs.typ lhs = value;` or `lhs.typ lhs;` Decl { lhs: Expr, // SymbolExpr @@ -232,6 +234,11 @@ impl Stmt { BuiltinFn::CProverCover.call(vec![cond], loc).as_stmt(loc) } + /// Local variable goes out of scope + pub fn dead(symbol: Expr, loc: Location) -> Self { + stmt!(Dead(symbol), loc) + } + /// `lhs.typ lhs = value;` or `lhs.typ lhs;` pub fn decl(lhs: Expr, value: Option, loc: Location) -> Self { assert!(lhs.is_symbol()); diff --git a/cprover_bindings/src/goto_program/symbol.rs b/cprover_bindings/src/goto_program/symbol.rs index b1082a8f1f80..ad71b0f84346 100644 --- a/cprover_bindings/src/goto_program/symbol.rs +++ b/cprover_bindings/src/goto_program/symbol.rs @@ -4,6 +4,8 @@ use super::super::utils::aggr_tag; use super::{DatatypeComponent, Expr, Location, Parameter, Stmt, Type}; use crate::{InternStringOption, InternedString}; +use std::fmt::Display; + /// Based off the CBMC symbol implementation here: /// #[derive(Clone, Debug)] @@ -452,14 +454,13 @@ impl SymbolValues { } } -/// ToString - -impl ToString for SymbolModes { - fn to_string(&self) -> String { - match self { +/// Display +impl Display for SymbolModes { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + let mode = match self { SymbolModes::C => "C", SymbolModes::Rust => "Rust", - } - .to_string() + }; + write!(f, "{mode}") } } diff --git a/cprover_bindings/src/goto_program/typ.rs b/cprover_bindings/src/goto_program/typ.rs index dd07c150bb3f..da943b26ab19 100644 --- a/cprover_bindings/src/goto_program/typ.rs +++ b/cprover_bindings/src/goto_program/typ.rs @@ -7,7 +7,6 @@ use super::super::MachineModel; use super::{Expr, SymbolTable}; use crate::cbmc_string::InternedString; use std::collections::BTreeMap; -use std::convert::TryInto; use std::fmt::Debug; /////////////////////////////////////////////////////////////////////////////////////////////// diff --git a/cprover_bindings/src/irep/goto_binary_serde.rs b/cprover_bindings/src/irep/goto_binary_serde.rs index 42c054b94e75..6f821768f996 100644 --- a/cprover_bindings/src/irep/goto_binary_serde.rs +++ b/cprover_bindings/src/irep/goto_binary_serde.rs @@ -78,11 +78,9 @@ pub fn read_goto_binary_file(filename: &Path) -> io::Result<()> { /// [NumberedIrep] from its unique number. /// /// In practice: -/// - the forward directon from [IrepKey] to unique numbers is -/// implemented using a `HashMap` -/// - the inverse direction from unique numbers to [NumberedIrep] is implemented -/// using a `Vec` called the `index` that stores [NumberedIrep] -/// under their unique number. +/// - the forward directon from [IrepKey] to unique numbers is implemented using a `HashMap` +/// - the inverse direction from unique numbers to [NumberedIrep] is implemented usign a `Vec` +/// called the `index` that stores [NumberedIrep] under their unique number. /// /// Earlier we said that an [NumberedIrep] is conceptually a pair formed of /// an [IrepKey] and its unique number. It is represented using only diff --git a/cprover_bindings/src/irep/irep_id.rs b/cprover_bindings/src/irep/irep_id.rs index c267801b0b1b..b03a91639aa8 100644 --- a/cprover_bindings/src/irep/irep_id.rs +++ b/cprover_bindings/src/irep/irep_id.rs @@ -8,6 +8,8 @@ use crate::cbmc_string::InternedString; use crate::utils::NumUtils; use num::bigint::{BigInt, BigUint, Sign}; +use std::fmt::Display; + #[derive(PartialEq, Eq, PartialOrd, Ord, Clone, Debug)] pub enum IrepId { /// In addition to the standard enums defined below, CBMC also allows ids to be strings. @@ -872,15 +874,19 @@ impl IrepId { } } -impl ToString for IrepId { - fn to_string(&self) -> String { +impl Display for IrepId { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { match self { - IrepId::FreeformString(s) => return s.to_string(), - IrepId::FreeformInteger(i) => return i.to_string(), + IrepId::FreeformString(s) => { + return write!(f, "{s}"); + } + IrepId::FreeformInteger(i) => { + return write!(f, "{i}"); + } IrepId::FreeformBitPattern(i) => { - return format!("{i:X}"); + return write!(f, "{i:X}"); } - _ => (), + _ => {} } let s = match self { @@ -1708,7 +1714,7 @@ impl ToString for IrepId { IrepId::VectorGt => "vector->", IrepId::VectorLt => "vector-<", }; - s.to_string() + write!(f, "{s}") } } diff --git a/cprover_bindings/src/irep/to_irep.rs b/cprover_bindings/src/irep/to_irep.rs index 874cca2d4a50..81ca9ca10313 100644 --- a/cprover_bindings/src/irep/to_irep.rs +++ b/cprover_bindings/src/irep/to_irep.rs @@ -293,10 +293,15 @@ impl ToIrep for ExprValue { Irep::just_bitpattern_id(*i, mm.pointer_width, false) )], }, + ExprValue::ReadOk { ptr, size } => Irep { + id: IrepId::ROk, + sub: vec![ptr.to_irep(mm), size.to_irep(mm)], + named_sub: linear_map![], + }, ExprValue::SelfOp { op, e } => side_effect_irep(op.to_irep_id(), vec![e.to_irep(mm)]), - ExprValue::StatementExpression { statements: ops } => side_effect_irep( + ExprValue::StatementExpression { statements: ops, location: loc } => side_effect_irep( IrepId::StatementExpression, - vec![Stmt::block(ops.to_vec(), Location::none()).to_irep(mm)], + vec![Stmt::block(ops.to_vec(), *loc).to_irep(mm)], ), ExprValue::StringConstant { s } => Irep { id: IrepId::StringConstant, @@ -433,6 +438,7 @@ impl ToIrep for StmtBody { } StmtBody::Break => code_irep(IrepId::Break, vec![]), StmtBody::Continue => code_irep(IrepId::Continue, vec![]), + StmtBody::Dead(symbol) => code_irep(IrepId::Dead, vec![symbol.to_irep(mm)]), StmtBody::Decl { lhs, value } => { if value.is_some() { code_irep( diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 69be21a07ff5..ff7914c1a07a 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -31,7 +31,6 @@ - [cargo kani assess](./dev-assess.md) - [Testing](./testing.md) - [Regression testing](./regression-testing.md) - - [Book runner](./bookrunner.md) - [(Experimental) Testing with a Large Number of Repositories](./repo-crawl.md) - [Performance comparisons](./performance-comparisons.md) - [`benchcomp` command line](./benchcomp-cli.md) diff --git a/docs/src/benchcomp-conf.md b/docs/src/benchcomp-conf.md index 77236d0917bf..065143a39c2c 100644 --- a/docs/src/benchcomp-conf.md +++ b/docs/src/benchcomp-conf.md @@ -4,6 +4,45 @@ This page lists the different visualizations that are available. +## Variants + +A *variant* is a single invocation of a benchmark suite. Benchcomp runs several +variants, so that their performance can be compared later. A variant consists of +a command-line argument, working directory, and environment. Benchcomp invokes +the command using the operating system environment, updated with the keys and +values in `env`. If any values in `env` contain strings of the form `${var}`, +Benchcomp expands them to the value of the environment variable `$var`. + +```yaml +variants: + variant_1: + config: + command_line: echo "Hello, world" + directory: /tmp + env: + PATH: /my/local/directory:${PATH} +``` + + +## Filters + +After benchcomp has finished parsing the results, it writes the results to `results.yaml` by default. +Before visualizing the results (see below), benchcomp can *filter* the results by piping them into an external program. + +To filter results before visualizing them, add `filters` to the configuration file. + +```yaml +filters: + - command_line: ./scripts/remove-redundant-results.py + - command_line: cat +``` + +The value of `filters` is a list of dicts. +Currently the only legal key for each of the dicts is `command_line`. +Benchcomp invokes each `command_line` in order, passing the results as a JSON file on stdin, and interprets the stdout as a YAML-formatted modified set of results. +Filter scripts can emit either YAML (which might be more readable while developing the script), or JSON (which benchcomp will parse as a subset of YAML). + + ## Built-in visualizations The following visualizations are available; these can be added to the `visualize` list of `benchcomp.yaml`. diff --git a/docs/src/bookrunner.md b/docs/src/bookrunner.md deleted file mode 100644 index c9e647dd6552..000000000000 --- a/docs/src/bookrunner.md +++ /dev/null @@ -1,81 +0,0 @@ -# Book runner - -The [book runner](./bookrunner/index.html) is a testing tool based on [Litani](https://github.com/awslabs/aws-build-accumulator). - -The purpose of the book runner is to get data about feature coverage in Kani. -To this end, we use Rust code snippet examples from the following general Rust documentation books: - * The Rust Reference - * The Rustonomicon - * The Rust Unstable Book - * Rust By Example - -However, not all examples from these books are suited for verification. -For instance, some of them are only included to show what is valid Rust code (or what is not). - -Because of that, we run up to three different types of jobs when generating the report: - * `check` jobs: This check uses the Rust front-end to detect if the example is valid Rust code. - * `codegen` jobs: This check uses the Kani back-end to determine if we can generate GotoC code. - * `verification` jobs: This check uses CBMC to obtain a verification result. - -Note that these are incremental: A `verification` job depends on a previous `codegen` job. -Similary, a `codegen` job depends on a `check` job. - -> **NOTE**: [Litani](https://github.com/awslabs/aws-build-accumulator) does not -> support hierarchical views at the moment. For this reason, we are publishing a -> [text version of the book runner report](./bookrunner/bookrunner.txt) which -> displays the same results in a hierarchical way while we work on [improvements -> for the visualization and navigation of book runner -> results](https://github.com/model-checking/kani/issues/699). - -Before running the above mentioned jobs, we pre-process the examples to: - 1. Set the expected output according to flags present in the code snippet. - 2. Add any required compiler/Kani flags (e.g., unwinding). - -Finally, we run all jobs, collect their outputs and compare them against the expected outputs. -The results are summarized as follows: If the obtained and expected outputs differ, -the color of the stage bar will be red. Otherwise, it will be blue. -If an example shows one red bar, it's considered a failed example that cannot be handled by Kani. - -The [book runner report](./bookrunner/index.html) and [its text version](./bookrunner/bookrunner.txt) are -automatically updated whenever a PR gets merged into Kani. - -## The book running procedure - -This section describes how the book runner operates at a high level. - -To kick off the book runner process use: - -```bash -cargo run -p bookrunner -``` - -The main function of the bookrunner is `generate_run()` (code available -[here](https://github.com/model-checking/kani/blob/main/tools/bookrunner/src/books.rs)) -which follows these steps: - 1. Sets up all the books, including data about their summaries. - 2. Then, for each book: - * Calls the `parse_hierarchy()` method to parse its summary - files. - * Calls the `extract_examples()` method to extract all - examples from the book. Note that `extract_examples()` uses `rustdoc` - functions to ensure the extracted examples are runnable. - * Checks if there is a corresponding `.props` file - in `src/tools/bookrunner/configs/`. If there is, prepends the contents of these files - ([testing options](./regression-testing.md#testing-options)) to the example. - * The resulting examples are written to the `src/test/bookrunner/books/` folder. - -> In general, the path to a given example is -> `src/test/bookrunner/books///
//.rs` -> where `` is the line number where the example appears in the markdown -> file where it's written. The `.props` files mentioned above follow the same -> naming scheme in order to match them and detect conflicts. - - 3. Runs all examples using - [Litani](https://github.com/awslabs/aws-build-accumulator) with the - `litani_run_tests()` function. - 4. Parses the Litani log file with `parse_litani_output(...)`. - 5. Generates the [text version of the bookrunner](./bookrunner/bookrunner.txt) - with `generate_text_bookrunner(...)`. - -> **NOTE**: Any changes done to the examples in `src/test/bookrunner/books/` may -> be overwritten if the bookrunner is executed. diff --git a/docs/src/cheat-sheets.md b/docs/src/cheat-sheets.md index 95cc9991e46f..9b42d313ede2 100644 --- a/docs/src/cheat-sheets.md +++ b/docs/src/cheat-sheets.md @@ -19,7 +19,7 @@ cargo build-dev ### Test ```bash -# Full regression suite (does not run bookrunner) +# Full regression suite ./scripts/kani-regression.sh ``` @@ -39,12 +39,6 @@ rm -r build/x86_64-apple-darwin/tests/ cargo run -p compiletest -- --suite kani --mode kani ``` -```bash -# Run bookrunner -./scripts/setup/install_bookrunner_deps.sh -cargo run -p bookrunner -``` - ```bash # Build documentation cd docs diff --git a/docs/src/getting-started/verification-results/src/main.rs b/docs/src/getting-started/verification-results/src/main.rs index 7a03b34f0f9e..72653cf4dc8f 100644 --- a/docs/src/getting-started/verification-results/src/main.rs +++ b/docs/src/getting-started/verification-results/src/main.rs @@ -2,6 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT #[kani::proof] +#[kani::unwind(4)] // ANCHOR: success_example fn success_example() { let mut sum = 0; diff --git a/docs/src/rust-feature-support/intrinsics.md b/docs/src/rust-feature-support/intrinsics.md index 0705d3b00f1b..49a1f0845ecc 100644 --- a/docs/src/rust-feature-support/intrinsics.md +++ b/docs/src/rust-feature-support/intrinsics.md @@ -148,10 +148,10 @@ cttz_nonzero | Yes | | discriminant_value | Yes | | drop_in_place | No | | exact_div | Yes | | -exp2f32 | No | | -exp2f64 | No | | -expf32 | No | | -expf64 | No | | +exp2f32 | Partial | Results are overapproximated | +exp2f64 | Partial | Results are overapproximated | +expf32 | Partial | Results are overapproximated | +expf64 | Partial | Results are overapproximated | fabsf32 | Yes | | fabsf64 | Yes | | fadd_fast | Yes | | @@ -170,8 +170,8 @@ log10f32 | No | | log10f64 | No | | log2f32 | No | | log2f64 | No | | -logf32 | No | | -logf64 | No | | +logf32 | Partial | Results are overapproximated | +logf64 | Partial | Results are overapproximated | maxnumf32 | Yes | | maxnumf64 | Yes | | min_align_of | Yes | | @@ -185,8 +185,8 @@ nearbyintf64 | Yes | | needs_drop | Yes | | nontemporal_store | No | | offset | Partial | Doesn't check [all UB conditions](https://doc.rust-lang.org/std/primitive.pointer.html#safety-2) | -powf32 | No | | -powf64 | No | | +powf32 | Partial | Results are overapproximated | +powf64 | Partial | Results are overapproximated | powif32 | No | | powif64 | No | | pref_align_of | Yes | | @@ -220,6 +220,7 @@ truncf64 | Yes | | try | No | [#267](https://github.com/model-checking/kani/issues/267) | type_id | Yes | | type_name | Yes | | +typed_swap | Yes | | unaligned_volatile_load | No | See [Notes - Concurrency](#concurrency) | unaligned_volatile_store | No | See [Notes - Concurrency](#concurrency) | unchecked_add | Yes | | diff --git a/docs/src/testing.md b/docs/src/testing.md index 21438e861444..85e1a46838bf 100644 --- a/docs/src/testing.md +++ b/docs/src/testing.md @@ -15,6 +15,5 @@ two very good reasons to do it: We recommend reading our section on [Regression Testing](./regression-testing.md) if you're interested in Kani -development. At present, we obtain metrics based on the [book -runner](./bookrunner.md). To run kani on a large number of remotely +development. To run kani on a large number of remotely hosted crates, please see [Repository Crawl](./repo-crawl.md). diff --git a/docs/src/usage.md b/docs/src/usage.md index 77def63d3651..459916c87222 100644 --- a/docs/src/usage.md +++ b/docs/src/usage.md @@ -68,12 +68,23 @@ default-unwind = 1 The options here are the same as on the command line (`cargo kani --help`), and flags (that is, command line arguments that don't take a value) are enabled by setting them to `true`. +Starting with Rust 1.80 (or nightly-2024-05-05), every reachable #[cfg] will be automatically checked that they match the expected config names and values. +To avoid warnings on `cfg(kani)`, we recommend adding the `check-cfg` lint config in your crate's `Cargo.toml` as follows: + +```toml +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } +``` + +For more information please consult this [blog post](https://blog.rust-lang.org/2024/05/06/check-cfg.html). + ## The build process -When Kani builds your code, it does two important things: +When Kani builds your code, it does three important things: -1. It sets `cfg(kani)`. +1. It sets `cfg(kani)` for target crate compilation (including dependencies). 2. It injects the `kani` crate. +3. It sets `cfg(kani_host)` for host build targets such as any build script and procedural macro crates. A proof harness (which you can [learn more about in the tutorial](./kani-tutorial.md)), is a function annotated with `#[kani::proof]` much like a test is annotated with `#[test]`. But you may experience a similar problem using Kani as you would with `dev-dependencies`: if you try writing `#[kani::proof]` directly in your code, `cargo build` will fail because it doesn't know what the `kani` crate is. diff --git a/kani-compiler/Cargo.toml b/kani-compiler/Cargo.toml index b93ce2d135b8..05002ed1eb27 100644 --- a/kani-compiler/Cargo.toml +++ b/kani-compiler/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani-compiler" -version = "0.45.0" +version = "0.52.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -12,15 +12,15 @@ publish = false cbmc = { path = "../cprover_bindings", package = "cprover_bindings", optional = true } clap = { version = "4.4.11", features = ["derive", "cargo"] } home = "0.5" -itertools = "0.12" +itertools = "0.13" kani_metadata = {path = "../kani_metadata"} lazy_static = "1.4.0" num = { version = "0.4.0", optional = true } regex = "1.7.0" serde = { version = "1", optional = true } serde_json = "1" -strum = "0.25.0" -strum_macros = "0.25.2" +strum = "0.26" +strum_macros = "0.26" shell-words = "1.0.0" tracing = {version = "0.1", features = ["max_level_trace", "release_max_level_debug"]} tracing-subscriber = {version = "0.3.8", features = ["env-filter", "json", "fmt"]} diff --git a/kani-compiler/build.rs b/kani-compiler/build.rs index 37a9471a167d..497e9dfa13d2 100644 --- a/kani-compiler/build.rs +++ b/kani-compiler/build.rs @@ -20,6 +20,8 @@ macro_rules! path_str { /// kani-compiler with nightly only. We also link to the rustup rustc_driver library for now. pub fn main() { // Add rustup to the rpath in order to properly link with the correct rustc version. + + // This is for dev purposes only, if dev point/search toolchain in .rustup/toolchains/ let rustup_home = env::var("RUSTUP_HOME").unwrap(); let rustup_tc = env::var("RUSTUP_TOOLCHAIN").unwrap(); let rustup_lib = path_str!([&rustup_home, "toolchains", &rustup_tc, "lib"]); diff --git a/kani-compiler/src/args.rs b/kani-compiler/src/args.rs index b174795b7259..b4d4eb3718d8 100644 --- a/kani-compiler/src/args.rs +++ b/kani-compiler/src/args.rs @@ -1,10 +1,10 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -use strum_macros::{AsRefStr, EnumString, EnumVariantNames}; +use strum_macros::{AsRefStr, EnumString, VariantNames}; use tracing_subscriber::filter::Directive; -#[derive(Debug, Default, Clone, Copy, AsRefStr, EnumString, EnumVariantNames, PartialEq, Eq)] +#[derive(Debug, Default, Clone, Copy, AsRefStr, EnumString, VariantNames, PartialEq, Eq)] #[strum(serialize_all = "snake_case")] pub enum ReachabilityType { /// Start the cross-crate reachability analysis from all harnesses in the local crate. @@ -71,4 +71,21 @@ pub struct Arguments { #[clap(long)] /// A legacy flag that is now ignored. goto_c: bool, + /// Enable specific checks. + #[clap(long)] + pub ub_check: Vec, + /// Ignore storage markers. + #[clap(long)] + pub ignore_storage_markers: bool, +} + +#[derive(Debug, Clone, Copy, AsRefStr, EnumString, VariantNames, PartialEq, Eq)] +#[strum(serialize_all = "snake_case")] +pub enum ExtraChecks { + /// Check that produced values are valid except for uninitialized values. + /// See https://github.com/model-checking/kani/issues/920. + Validity, + /// Check pointer validity when casting pointers to references. + /// See https://github.com/model-checking/kani/issues/2975. + PtrToRefCast, } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs index 68573cd2a1cd..f78cf3eba707 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/assert.rs @@ -21,8 +21,8 @@ use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::{Expr, Location, Stmt, Type}; use cbmc::InternedString; -use stable_mir::ty::Span as SpanStable; -use std::convert::AsRef; +use stable_mir::mir::{Place, ProjectionElem}; +use stable_mir::ty::{Span as SpanStable, TypeAndMut}; use strum_macros::{AsRefStr, EnumString}; use tracing::debug; @@ -252,7 +252,7 @@ impl<'tcx> GotocCtx<'tcx> { t.nondet().as_stmt(loc), ]; - Expr::statement_expression(body, t).with_location(loc) + Expr::statement_expression(body, t, loc) } /// Kani does not currently support all MIR constructs. @@ -324,4 +324,63 @@ impl<'tcx> GotocCtx<'tcx> { self.codegen_assert_assume(cond, PropertyClass::SanityCheck, &assert_msg, loc) } + + /// If converting a raw pointer to a reference, &(*ptr), need to inject + /// a check to make sure that the pointer points to a valid memory location, + /// since dereferencing an invalid pointer is UB in Rust. + pub fn codegen_raw_ptr_deref_validity_check( + &mut self, + place: &Place, + loc: &Location, + ) -> Option { + if let Some(ProjectionElem::Deref) = place.projection.last() { + // Create a place without the topmost dereference projection.ß + let ptr_place = { + let mut ptr_place = place.clone(); + ptr_place.projection.pop(); + ptr_place + }; + // Only inject the check if dereferencing a raw pointer. + let ptr_place_ty = self.place_ty_stable(&ptr_place); + if ptr_place_ty.kind().is_raw_ptr() { + // Extract the size of the pointee. + let pointee_size = { + let TypeAndMut { ty: pointee_ty, .. } = + ptr_place_ty.kind().builtin_deref(true).unwrap(); + let pointee_ty_layout = pointee_ty.layout().unwrap(); + pointee_ty_layout.shape().size.bytes() + }; + + // __CPROVER_r_ok fails if size == 0, so need to explicitly avoid the check. + if pointee_size != 0 { + // Encode __CPROVER_r_ok(ptr, size). + // First, generate a CBMC expression representing the pointer. + let ptr = { + let ptr_projection = self.codegen_place_stable(&ptr_place, *loc).unwrap(); + let place_ty = self.place_ty_stable(place); + if self.use_thin_pointer_stable(place_ty) { + ptr_projection.goto_expr().clone() + } else { + ptr_projection.goto_expr().clone().member("data", &self.symbol_table) + } + }; + // Then, generate a __CPROVER_r_ok check. + let raw_ptr_read_ok_expr = Expr::read_ok( + ptr.cast_to(Type::void_pointer()), + Expr::int_constant(pointee_size, Type::size_t()), + ) + .cast_to(Type::Bool); + // Finally, assert that the pointer points to a valid memory location. + let raw_ptr_read_ok = self.codegen_assert( + raw_ptr_read_ok_expr, + PropertyClass::SafetyCheck, + "dereference failure: pointer invalid", + *loc, + ); + return Some(raw_ptr_read_ok); + } + } + } + None + } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs index 692fdb9c385b..5fe28097a2e0 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/block.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::codegen_cprover_gotoc::GotocCtx; -use stable_mir::mir::{BasicBlock, BasicBlockIdx}; +use stable_mir::mir::{BasicBlock, BasicBlockIdx, Body}; +use std::collections::HashSet; use tracing::debug; pub fn bb_label(bb: BasicBlockIdx) -> String { @@ -72,3 +73,32 @@ impl<'tcx> GotocCtx<'tcx> { } } } + +/// Iterate over the basic blocks in reverse post-order. +/// +/// The `reverse_postorder` function used before was internal to the compiler and reflected the +/// internal body representation. +/// +/// As we introduce transformations on the top of SMIR body, there will be not guarantee of a +/// 1:1 relationship between basic blocks from internal body and monomorphic body from StableMIR. +pub fn reverse_postorder(body: &Body) -> impl Iterator { + postorder(body, 0, &mut HashSet::with_capacity(body.blocks.len())).into_iter().rev() +} + +fn postorder( + body: &Body, + bb: BasicBlockIdx, + visited: &mut HashSet, +) -> Vec { + if visited.contains(&bb) { + return vec![]; + } + visited.insert(bb); + + let mut result = vec![]; + for succ in body.blocks[bb].terminator.successors() { + result.append(&mut postorder(body, succ, visited)); + } + result.push(bb); + result +} diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs index 964286984fc6..5494a3a666bd 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/contract.rs @@ -3,7 +3,7 @@ use crate::codegen_cprover_gotoc::GotocCtx; use crate::kani_middle::attributes::KaniAttributes; use cbmc::goto_program::FunctionContract; -use cbmc::goto_program::Lambda; +use cbmc::goto_program::{Lambda, Location}; use kani_metadata::AssignsContract; use rustc_hir::def_id::DefId as InternalDefId; use rustc_smir::rustc_internal; @@ -35,11 +35,50 @@ impl<'tcx> GotocCtx<'tcx> { ) -> AssignsContract { let tcx = self.tcx; let function_under_contract_attrs = KaniAttributes::for_item(tcx, function_under_contract); - let wrapped_fn = function_under_contract_attrs.inner_check().unwrap().unwrap(); + let recursion_wrapper_id = + function_under_contract_attrs.checked_with_id().unwrap().unwrap(); + let expected_name = format!("{}::REENTRY", tcx.item_name(recursion_wrapper_id)); + let mut recursion_tracker = items.iter().filter_map(|i| match i { + MonoItem::Static(recursion_tracker) + if (*recursion_tracker).name().contains(expected_name.as_str()) => + { + Some(*recursion_tracker) + } + _ => None, + }); + + let recursion_tracker_def = recursion_tracker + .next() + .expect("There should be at least one recursion tracker (REENTRY) in scope"); + assert!( + recursion_tracker.next().is_none(), + "Only one recursion tracker (REENTRY) may be in scope" + ); + + let span_of_recursion_wrapper = tcx.def_span(recursion_wrapper_id); + let location_of_recursion_wrapper = self.codegen_span(&span_of_recursion_wrapper); + // The name and location for the recursion tracker should match the exact information added + // to the symbol table, otherwise our contract instrumentation will silently failed. + // This happens because Kani relies on `--nondet-static-exclude` from CBMC to properly + // handle this tracker. CBMC silently fails if there is no match in the symbol table + // that correspond to the argument of this flag. + // More details at https://github.com/model-checking/kani/pull/3045. + let full_recursion_tracker_name = format!( + "{}:{}", + location_of_recursion_wrapper + .filename() + .expect("recursion location wrapper should have a file name"), + // We must use the pretty name of the tracker instead of the mangled name. + // This restrictions comes from `--nondet-static-exclude` in CBMC. + // Mode details at https://github.com/diffblue/cbmc/issues/8225. + recursion_tracker_def.name(), + ); + + let wrapped_fn = function_under_contract_attrs.inner_check().unwrap().unwrap(); let mut instance_under_contract = items.iter().filter_map(|i| match i { MonoItem::Fn(instance @ Instance { def, .. }) - if wrapped_fn == rustc_internal::internal(def.def_id()) => + if wrapped_fn == rustc_internal::internal(tcx, def.def_id()) => { Some(*instance) } @@ -56,28 +95,21 @@ impl<'tcx> GotocCtx<'tcx> { vec![] }); self.attach_modifies_contract(instance_of_check, assigns_contract); - let wrapper_name = self.symbol_name_stable(instance_of_check); - let recursion_wrapper_id = - function_under_contract_attrs.checked_with_id().unwrap().unwrap(); - let span_of_recursion_wrapper = tcx.def_span(recursion_wrapper_id); - let location_of_recursion_wrapper = self.codegen_span(&span_of_recursion_wrapper); - - let full_name = format!( - "{}:{}::REENTRY", - location_of_recursion_wrapper - .filename() - .expect("recursion location wrapper should have a file name"), - tcx.item_name(recursion_wrapper_id), - ); - - AssignsContract { recursion_tracker: full_name, contracted_function_name: wrapper_name } + AssignsContract { + recursion_tracker: full_recursion_tracker_name, + contracted_function_name: wrapper_name, + } } /// Convert the Kani level contract into a CBMC level contract by creating a /// CBMC lambda. - fn codegen_modifies_contract(&mut self, modified_places: Vec) -> FunctionContract { + fn codegen_modifies_contract( + &mut self, + modified_places: Vec, + loc: Location, + ) -> FunctionContract { let goto_annotated_fn_name = self.current_fn().name(); let goto_annotated_fn_typ = self .symbol_table @@ -92,7 +124,7 @@ impl<'tcx> GotocCtx<'tcx> { Lambda::as_contract_for( &goto_annotated_fn_typ, None, - self.codegen_place_stable(&local.into()).unwrap().goto_expr.dereference(), + self.codegen_place_stable(&local.into(), loc).unwrap().goto_expr.dereference(), ) }) .collect(); @@ -110,7 +142,8 @@ impl<'tcx> GotocCtx<'tcx> { assert!(self.current_fn.is_none()); let body = instance.body().unwrap(); self.set_current_fn(instance, &body); - let goto_contract = self.codegen_modifies_contract(modified_places); + let goto_contract = + self.codegen_modifies_contract(modified_places, self.codegen_span_stable(body.span)); let name = self.current_fn().name(); self.symbol_table.attach_contract(name, goto_contract); diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs index 2eb1610ab4d8..9d5374ca22a8 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/foreign_function.rs @@ -11,13 +11,14 @@ use std::collections::HashSet; use crate::codegen_cprover_gotoc::codegen::PropertyClass; use crate::codegen_cprover_gotoc::GotocCtx; -use crate::kani_middle; +use crate::unwrap_or_return_codegen_unimplemented_stmt; use cbmc::goto_program::{Expr, Location, Stmt, Symbol, Type}; use cbmc::{InternString, InternedString}; use lazy_static::lazy_static; -use rustc_smir::rustc_internal; -use rustc_target::abi::call::Conv; +use stable_mir::abi::{CallConvention, PassMode}; use stable_mir::mir::mono::Instance; +use stable_mir::mir::Place; +use stable_mir::ty::{RigidTy, TyKind}; use stable_mir::CrateDef; use tracing::{debug, trace}; @@ -48,14 +49,13 @@ impl<'tcx> GotocCtx<'tcx> { /// handled later. pub fn codegen_foreign_fn(&mut self, instance: Instance) -> &Symbol { debug!(?instance, "codegen_foreign_function"); - let instance_internal = rustc_internal::internal(instance); let fn_name = self.symbol_name_stable(instance).intern(); + let loc = self.codegen_span_stable(instance.def.span()); if self.symbol_table.contains(fn_name) { // Symbol has been added (either a built-in CBMC function or a Rust allocation function). self.symbol_table.lookup(fn_name).unwrap() } else if RUST_ALLOC_FNS.contains(&fn_name) - || (self.is_cffi_enabled() - && kani_middle::fn_abi(self.tcx, instance_internal).conv == Conv::C) + || (self.is_cffi_enabled() && instance.fn_abi().unwrap().conv == CallConvention::C) { // Add a Rust alloc lib function as is declared by core. // When C-FFI feature is enabled, we just trust the rust declaration. @@ -64,8 +64,7 @@ impl<'tcx> GotocCtx<'tcx> { // https://github.com/model-checking/kani/issues/2426 self.ensure(fn_name, |gcx, _| { let typ = gcx.codegen_ffi_type(instance); - Symbol::function(fn_name, typ, None, instance.name(), Location::none()) - .with_is_extern(true) + Symbol::function(fn_name, typ, None, instance.name(), loc).with_is_extern(true) }) } else { let shim_name = format!("{fn_name}_ffi_shim"); @@ -78,12 +77,46 @@ impl<'tcx> GotocCtx<'tcx> { typ, Some(gcx.codegen_ffi_shim(shim_name.as_str().into(), instance)), instance.name(), - Location::none(), + loc, ) }) } } + /// Generate a function call to a foreign function by potentially casting arguments and return value, since + /// the external function definition may not match exactly its Rust declaration. + /// See for more details. + pub fn codegen_foreign_call( + &mut self, + fn_expr: Expr, + args: Vec, + ret_place: &Place, + loc: Location, + ) -> Stmt { + let expected_args = fn_expr + .typ() + .parameters() + .unwrap() + .iter() + .zip(args) + .map(|(param, arg)| arg.cast_to(param.typ().clone())) + .collect::>(); + let call_expr = fn_expr.call(expected_args); + + let ret_kind = self.place_ty_stable(ret_place).kind(); + if ret_kind.is_unit() || matches!(ret_kind, TyKind::RigidTy(RigidTy::Never)) { + call_expr.as_stmt(loc) + } else { + let ret_expr = unwrap_or_return_codegen_unimplemented_stmt!( + self, + self.codegen_place_stable(ret_place, loc) + ) + .goto_expr; + let ret_type = ret_expr.typ().clone(); + ret_expr.assign(call_expr.cast_to(ret_type), loc) + } + } + /// Checks whether C-FFI has been enabled or not. /// When enabled, we blindly encode the function type as is. fn is_cffi_enabled(&self) -> bool { @@ -102,24 +135,24 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate type for the given foreign instance. fn codegen_ffi_type(&mut self, instance: Instance) -> Type { let fn_name = self.symbol_name_stable(instance); - let fn_abi = kani_middle::fn_abi(self.tcx, rustc_internal::internal(instance)); + let fn_abi = instance.fn_abi().unwrap(); let loc = self.codegen_span_stable(instance.def.span()); let params = fn_abi .args .iter() .enumerate() - .filter(|&(_, arg)| (!arg.is_ignore())) + .filter(|&(_, arg)| (arg.mode != PassMode::Ignore)) .map(|(idx, arg)| { let arg_name = format!("{fn_name}::param_{idx}"); let base_name = format!("param_{idx}"); - let arg_type = self.codegen_ty(arg.layout.ty); + let arg_type = self.codegen_ty_stable(arg.ty); let sym = Symbol::variable(&arg_name, &base_name, arg_type.clone(), loc) .with_is_parameter(true); self.symbol_table.insert(sym); arg_type.as_parameter(Some(arg_name.into()), Some(base_name.into())) }) .collect(); - let ret_type = self.codegen_ty(fn_abi.ret.layout.ty); + let ret_type = self.codegen_ty_stable(fn_abi.ret.ty); if fn_abi.c_variadic { Type::variadic_code(params, ret_type) @@ -140,9 +173,9 @@ impl<'tcx> GotocCtx<'tcx> { let entry = self.unsupported_constructs.entry("foreign function".into()).or_default(); entry.push(loc); - let call_conv = kani_middle::fn_abi(self.tcx, rustc_internal::internal(instance)).conv; + let call_conv = instance.fn_abi().unwrap().conv; let msg = format!("call to foreign \"{call_conv:?}\" function `{fn_name}`"); - let url = if call_conv == Conv::C { + let url = if call_conv == CallConvention::C { "https://github.com/model-checking/kani/issues/2423" } else { "https://github.com/model-checking/kani/issues/new/choose" diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs index 52bf778ab235..33ec70294d04 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/function.rs @@ -3,16 +3,15 @@ //! This file contains functions related to codegenning MIR functions into gotoc +use crate::codegen_cprover_gotoc::codegen::block::reverse_postorder; use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::{Expr, Stmt, Symbol}; use cbmc::InternString; -use rustc_middle::mir::traversal::reverse_postorder; use stable_mir::mir::mono::Instance; use stable_mir::mir::{Body, Local}; use stable_mir::ty::{RigidTy, TyKind}; use stable_mir::CrateDef; use std::collections::BTreeMap; -use std::iter::FromIterator; use tracing::{debug, debug_span}; /// Codegen MIR functions into gotoc @@ -61,16 +60,14 @@ impl<'tcx> GotocCtx<'tcx> { debug!("Double codegen of {:?}", old_sym); } else { assert!(old_sym.is_function()); - let body = instance.body().unwrap(); + let body = self.transformer.body(self.tcx, instance); self.set_current_fn(instance, &body); self.print_instance(instance, &body); self.codegen_function_prelude(&body); self.codegen_declare_variables(&body); // Get the order from internal body for now. - let internal_body = self.current_fn().body_internal(); - reverse_postorder(internal_body) - .for_each(|(bb, _)| self.codegen_block(bb.index(), &body.blocks[bb.index()])); + reverse_postorder(&body).for_each(|bb| self.codegen_block(bb, &body.blocks[bb])); let loc = self.codegen_span_stable(instance.def.span()); let stmts = self.current_fn_mut().extract_block(); @@ -204,13 +201,13 @@ impl<'tcx> GotocCtx<'tcx> { pub fn declare_function(&mut self, instance: Instance) { debug!("declaring {}; {:?}", instance.name(), instance); - let body = instance.body().unwrap(); + let body = self.transformer.body(self.tcx, instance); self.set_current_fn(instance, &body); debug!(krate=?instance.def.krate(), is_std=self.current_fn().is_std(), "declare_function"); - self.ensure(&self.symbol_name_stable(instance), |ctx, fname| { + self.ensure(self.symbol_name_stable(instance), |ctx, fname| { Symbol::function( fname, - ctx.fn_typ(&body), + ctx.fn_typ(instance, &body), None, instance.name(), ctx.codegen_span_stable(instance.def.span()), diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs index 3412cba290d2..29ea69eeb39b 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs @@ -3,7 +3,7 @@ //! this module handles intrinsics use super::typ; use super::{bb_label, PropertyClass}; -use crate::codegen_cprover_gotoc::codegen::ty_stable::{pointee_type_stable, pretty_ty}; +use crate::codegen_cprover_gotoc::codegen::ty_stable::pointee_type_stable; use crate::codegen_cprover_gotoc::{utils, GotocCtx}; use crate::unwrap_or_return_codegen_unimplemented_stmt; use cbmc::goto_program::{ @@ -12,7 +12,7 @@ use cbmc::goto_program::{ use rustc_middle::ty::layout::ValidityRequirement; use rustc_middle::ty::ParamEnv; use rustc_smir::rustc_internal; -use stable_mir::mir::mono::{Instance, InstanceKind}; +use stable_mir::mir::mono::Instance; use stable_mir::mir::{BasicBlockIdx, Operand, Place}; use stable_mir::ty::{GenericArgs, RigidTy, Span, Ty, TyKind, UintTy}; use tracing::debug; @@ -33,11 +33,12 @@ impl<'tcx> GotocCtx<'tcx> { place: &Place, mut fargs: Vec, f: F, + loc: Location, ) -> Stmt { let arg1 = fargs.remove(0); let arg2 = fargs.remove(0); let expr = f(arg1, arg2); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) } /// Given a call to an compiler intrinsic, generate the call and the `goto` terminator @@ -45,17 +46,15 @@ impl<'tcx> GotocCtx<'tcx> { /// there is no terminator. pub fn codegen_funcall_of_intrinsic( &mut self, - func: &Operand, + instance: Instance, args: &[Operand], destination: &Place, target: Option, span: Span, ) -> Stmt { - let instance = self.get_intrinsic_instance(func).unwrap(); - if let Some(target) = target { let loc = self.codegen_span_stable(span); - let fargs = self.codegen_funcall_args(args, false); + let fargs = args.iter().map(|arg| self.codegen_operand_stable(arg)).collect::>(); Stmt::block( vec![ self.codegen_intrinsic(instance, fargs, destination, span), @@ -68,27 +67,10 @@ impl<'tcx> GotocCtx<'tcx> { } } - /// Returns `Some(instance)` if the function is an intrinsic; `None` otherwise - fn get_intrinsic_instance(&self, func: &Operand) -> Option { - let funct = self.operand_ty_stable(func); - match funct.kind() { - TyKind::RigidTy(RigidTy::FnDef(def, args)) => { - let instance = Instance::resolve(def, &args).unwrap(); - if matches!(instance.kind, InstanceKind::Intrinsic) { Some(instance) } else { None } - } - _ => None, - } - } - - /// Returns true if the `func` is a call to a compiler intrinsic; false otherwise. - pub fn is_intrinsic(&self, func: &Operand) -> bool { - self.get_intrinsic_instance(func).is_some() - } - /// Handles codegen for non returning intrinsics /// Non returning intrinsics are not associated with a destination pub fn codegen_never_return_intrinsic(&mut self, instance: Instance, span: Span) -> Stmt { - let intrinsic = instance.mangled_name(); + let intrinsic = instance.intrinsic_name().unwrap(); debug!("codegen_never_return_intrinsic:\n\tinstance {:?}\n\tspan {:?}", instance, span); @@ -131,8 +113,8 @@ impl<'tcx> GotocCtx<'tcx> { place: &Place, span: Span, ) -> Stmt { - let intrinsic_sym = instance.mangled_name(); - let intrinsic = intrinsic_sym.as_str(); + let intrinsic_name = instance.intrinsic_name().unwrap(); + let intrinsic = intrinsic_name.as_str(); let loc = self.codegen_span_stable(span); debug!(?instance, "codegen_intrinsic"); debug!(?fargs, "codegen_intrinsic"); @@ -168,7 +150,7 @@ impl<'tcx> GotocCtx<'tcx> { mm, ); let expr = BuiltinFn::$f.call(casted_fargs, loc); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) }}; } @@ -185,7 +167,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); let res = a.$f(b); - let expr_place = self.codegen_expr_to_place_stable(place, res); + let expr_place = self.codegen_expr_to_place_stable(place, res, loc); Stmt::block(vec![div_overflow_check, expr_place], loc) }}; } @@ -197,7 +179,7 @@ impl<'tcx> GotocCtx<'tcx> { // Intrinsics which encode a simple binary operation macro_rules! codegen_intrinsic_binop { - ($f:ident) => {{ self.binop(place, fargs, |a, b| a.$f(b)) }}; + ($f:ident) => {{ self.binop(place, fargs, |a, b| a.$f(b), loc) }}; } // Intrinsics which encode a simple binary operation which need a machine model @@ -206,7 +188,7 @@ impl<'tcx> GotocCtx<'tcx> { let arg1 = fargs.remove(0); let arg2 = fargs.remove(0); let expr = arg1.$f(arg2, self.symbol_table.machine_model()); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) }}; } @@ -215,7 +197,7 @@ impl<'tcx> GotocCtx<'tcx> { macro_rules! codegen_count_intrinsic { ($builtin: ident, $allow_zero: expr) => {{ let arg = fargs.remove(0); - self.codegen_expr_to_place_stable(place, arg.$builtin($allow_zero)) + self.codegen_expr_to_place_stable(place, arg.$builtin($allow_zero), loc) }}; } @@ -227,8 +209,8 @@ impl<'tcx> GotocCtx<'tcx> { let alloc = stable_instance.try_const_eval(place_ty).unwrap(); // We assume that the intrinsic has type checked at this point, so // we can use the place type as the expression type. - let expr = self.codegen_allocation(&alloc, place_ty, Some(span)); - self.codegen_expr_to_place_stable(&place, expr) + let expr = self.codegen_allocation(&alloc, place_ty, loc); + self.codegen_expr_to_place_stable(&place, expr, loc) }}; } @@ -239,7 +221,7 @@ impl<'tcx> GotocCtx<'tcx> { let target_ty = args.0[0].expect_ty(); let arg = fargs.remove(0); let size_align = self.size_and_align_of_dst(*target_ty, arg); - self.codegen_expr_to_place_stable(place, size_align.$which) + self.codegen_expr_to_place_stable(place, size_align.$which, loc) }}; } @@ -258,6 +240,19 @@ impl<'tcx> GotocCtx<'tcx> { // *var1 = op(*var1, var2); // var = tmp; // ------------------------- + // + // In fetch functions of atomic_ptr such as https://doc.rust-lang.org/std/sync/atomic/struct.AtomicPtr.html#method.fetch_byte_add, + // the type of var2 can be pointer (invalid_mut). + // In such case, atomic binops are transformed as follows to avoid typecheck failure. + // ------------------------- + // var = atomic_op(var1, var2) + // ------------------------- + // unsigned char tmp; + // tmp = *var1; + // *var1 = (typeof var1)op((size_t)*var1, (size_t)var2); + // var = tmp; + // ------------------------- + // // Note: Atomic arithmetic operations wrap around on overflow. macro_rules! codegen_atomic_binop { ($op: ident) => {{ @@ -268,9 +263,16 @@ impl<'tcx> GotocCtx<'tcx> { let (tmp, decl_stmt) = self.decl_temp_variable(var1.typ().clone(), Some(var1.to_owned()), loc); let var2 = fargs.remove(0); - let op_expr = (var1.clone()).$op(var2).with_location(loc); + let op_expr = if var2.typ().is_pointer() { + (var1.clone().cast_to(Type::c_size_t())) + .$op(var2.cast_to(Type::c_size_t())) + .with_location(loc) + .cast_to(var1.typ().clone()) + } else { + (var1.clone()).$op(var2).with_location(loc) + }; let assign_stmt = (var1.clone()).assign(op_expr, loc); - let res_stmt = self.codegen_expr_to_place_stable(place, tmp.clone()); + let res_stmt = self.codegen_expr_to_place_stable(place, tmp.clone(), loc); Stmt::atomic_block(vec![decl_stmt, assign_stmt, res_stmt], loc) }}; } @@ -283,7 +285,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, "https://github.com/model-checking/kani/issues/new/choose", ); - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) }}; } @@ -386,17 +388,24 @@ impl<'tcx> GotocCtx<'tcx> { "atomic_xsub_acqrel" => codegen_atomic_binop!(sub), "atomic_xsub_release" => codegen_atomic_binop!(sub), "atomic_xsub_relaxed" => codegen_atomic_binop!(sub), - "bitreverse" => self.codegen_expr_to_place_stable(place, fargs.remove(0).bitreverse()), + "bitreverse" => { + self.codegen_expr_to_place_stable(place, fargs.remove(0).bitreverse(), loc) + } // black_box is an identity function that hints to the compiler // to be maximally pessimistic to limit optimizations - "black_box" => self.codegen_expr_to_place_stable(place, fargs.remove(0)), + "black_box" => self.codegen_expr_to_place_stable(place, fargs.remove(0), loc), "breakpoint" => Stmt::skip(loc), - "bswap" => self.codegen_expr_to_place_stable(place, fargs.remove(0).bswap()), + "bswap" => self.codegen_expr_to_place_stable(place, fargs.remove(0).bswap(), loc), "caller_location" => self.codegen_unimplemented_stmt( intrinsic, loc, "https://github.com/model-checking/kani/issues/374", ), + "catch_unwind" => self.codegen_unimplemented_stmt( + intrinsic, + loc, + "https://github.com/model-checking/kani/issues/267", + ), "ceilf32" => codegen_simple_intrinsic!(Ceilf), "ceilf64" => codegen_simple_intrinsic!(Ceil), "compare_bytes" => self.codegen_compare_bytes(fargs, place, loc), @@ -417,13 +426,13 @@ impl<'tcx> GotocCtx<'tcx> { let sig = instance.ty().kind().fn_sig().unwrap().skip_binder(); let ty = pointee_type_stable(sig.inputs()[0]).unwrap(); let e = self.codegen_get_discriminant(fargs.remove(0).dereference(), ty, ret_ty); - self.codegen_expr_to_place_stable(place, e) + self.codegen_expr_to_place_stable(place, e, loc) } "exact_div" => self.codegen_exact_div(fargs, place, loc), - "exp2f32" => unstable_codegen!(codegen_simple_intrinsic!(Exp2f)), - "exp2f64" => unstable_codegen!(codegen_simple_intrinsic!(Exp2)), - "expf32" => unstable_codegen!(codegen_simple_intrinsic!(Expf)), - "expf64" => unstable_codegen!(codegen_simple_intrinsic!(Exp)), + "exp2f32" => codegen_simple_intrinsic!(Exp2f), + "exp2f64" => codegen_simple_intrinsic!(Exp2), + "expf32" => codegen_simple_intrinsic!(Expf), + "expf64" => codegen_simple_intrinsic!(Exp), "fabsf32" => codegen_simple_intrinsic!(Fabsf), "fabsf64" => codegen_simple_intrinsic!(Fabs), "fadd_fast" => { @@ -451,13 +460,18 @@ impl<'tcx> GotocCtx<'tcx> { let binop_stmt = codegen_intrinsic_binop!(sub); self.add_finite_args_checks(intrinsic, fargs_clone, binop_stmt, span) } - "likely" => self.codegen_expr_to_place_stable(place, fargs.remove(0)), + "is_val_statically_known" => { + // Returning false is sound according do this intrinsic's documentation: + // https://doc.rust-lang.org/nightly/std/intrinsics/fn.is_val_statically_known.html + self.codegen_expr_to_place_stable(place, Expr::c_false(), loc) + } + "likely" => self.codegen_expr_to_place_stable(place, fargs.remove(0), loc), "log10f32" => unstable_codegen!(codegen_simple_intrinsic!(Log10f)), "log10f64" => unstable_codegen!(codegen_simple_intrinsic!(Log10)), "log2f32" => unstable_codegen!(codegen_simple_intrinsic!(Log2f)), "log2f64" => unstable_codegen!(codegen_simple_intrinsic!(Log2)), - "logf32" => unstable_codegen!(codegen_simple_intrinsic!(Logf)), - "logf64" => unstable_codegen!(codegen_simple_intrinsic!(Log)), + "logf32" => codegen_simple_intrinsic!(Logf), + "logf64" => codegen_simple_intrinsic!(Log), "maxnumf32" => codegen_simple_intrinsic!(Fmaxf), "maxnumf64" => codegen_simple_intrinsic!(Fmax), "min_align_of" => codegen_intrinsic_const!(), @@ -474,15 +488,16 @@ impl<'tcx> GotocCtx<'tcx> { "offset" => unreachable!( "Expected `core::intrinsics::unreachable` to be handled by `BinOp::OffSet`" ), - "powf32" => unstable_codegen!(codegen_simple_intrinsic!(Powf)), - "powf64" => unstable_codegen!(codegen_simple_intrinsic!(Pow)), + "powf32" => codegen_simple_intrinsic!(Powf), + "powf64" => codegen_simple_intrinsic!(Pow), "powif32" => unstable_codegen!(codegen_simple_intrinsic!(Powif)), "powif64" => unstable_codegen!(codegen_simple_intrinsic!(Powi)), "pref_align_of" => codegen_intrinsic_const!(), - "ptr_guaranteed_cmp" => self.codegen_ptr_guaranteed_cmp(fargs, place), + "ptr_guaranteed_cmp" => self.codegen_ptr_guaranteed_cmp(fargs, place, loc), "ptr_offset_from" => self.codegen_ptr_offset_from(fargs, place, loc), "ptr_offset_from_unsigned" => self.codegen_ptr_offset_from_unsigned(fargs, place, loc), "raw_eq" => self.codegen_intrinsic_raw_eq(instance, fargs, place, loc), + "retag_box_to_raw" => self.codegen_retag_box_to_raw(fargs, place, loc), "rintf32" => codegen_simple_intrinsic!(Rintf), "rintf64" => codegen_simple_intrinsic!(Rint), "rotate_left" => codegen_intrinsic_binop!(rol), @@ -563,20 +578,18 @@ impl<'tcx> GotocCtx<'tcx> { place, loc, ), - "transmute" => self.codegen_intrinsic_transmute(fargs, ret_ty, place), + "transmute" => self.codegen_intrinsic_transmute(fargs, ret_ty, place, loc), "truncf32" => codegen_simple_intrinsic!(Truncf), "truncf64" => codegen_simple_intrinsic!(Trunc), - "try" => self.codegen_unimplemented_stmt( - intrinsic, - loc, - "https://github.com/model-checking/kani/issues/267", - ), "type_id" => codegen_intrinsic_const!(), "type_name" => codegen_intrinsic_const!(), + "typed_swap" => self.codegen_swap(fargs, farg_types, loc), "unaligned_volatile_load" => { - unstable_codegen!( - self.codegen_expr_to_place_stable(place, fargs.remove(0).dereference()) - ) + unstable_codegen!(self.codegen_expr_to_place_stable( + place, + fargs.remove(0).dereference(), + loc + )) } "unchecked_add" | "unchecked_mul" | "unchecked_shl" | "unchecked_shr" | "unchecked_sub" => { @@ -584,7 +597,7 @@ impl<'tcx> GotocCtx<'tcx> { } "unchecked_div" => codegen_op_with_div_overflow_check!(div), "unchecked_rem" => codegen_op_with_div_overflow_check!(rem), - "unlikely" => self.codegen_expr_to_place_stable(place, fargs.remove(0)), + "unlikely" => self.codegen_expr_to_place_stable(place, fargs.remove(0), loc), "unreachable" => unreachable!( "Expected `std::intrinsics::unreachable` to be handled by `TerminatorKind::Unreachable`" ), @@ -626,7 +639,8 @@ impl<'tcx> GotocCtx<'tcx> { if !arg.typ().is_integer() { self.intrinsics_typecheck_fail(span, "ctpop", "integer type", arg_rust_ty) } else { - self.codegen_expr_to_place_stable(&target_place, arg.popcount()) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(&target_place, arg.popcount(), loc) } } @@ -646,7 +660,7 @@ impl<'tcx> GotocCtx<'tcx> { span, format!( "Type check failed for intrinsic `{name}`: Expected {expected}, found {}", - pretty_ty(actual) + self.pretty_ty(actual) ), ); self.tcx.dcx().abort_if_errors(); @@ -714,7 +728,8 @@ impl<'tcx> GotocCtx<'tcx> { let res = self.codegen_binop_with_overflow(binop, left, right, result_type.clone(), loc); self.codegen_expr_to_place_stable( place, - Expr::statement_expression(vec![res.as_stmt(loc)], result_type), + Expr::statement_expression(vec![res.as_stmt(loc)], result_type, loc), + loc, ) } @@ -748,7 +763,7 @@ impl<'tcx> GotocCtx<'tcx> { "exact_div division does not overflow", loc, ), - self.codegen_expr_to_place_stable(p, a.div(b)), + self.codegen_expr_to_place_stable(p, a.div(b), loc), ], loc, ) @@ -779,12 +794,16 @@ impl<'tcx> GotocCtx<'tcx> { if layout.abi.is_uninhabited() { return self.codegen_fatal_error( PropertyClass::SafetyCheck, - &format!("attempted to instantiate uninhabited type `{}`", pretty_ty(*target_ty)), + &format!( + "attempted to instantiate uninhabited type `{}`", + self.pretty_ty(*target_ty) + ), span, ); } - let param_env_and_type = ParamEnv::reveal_all().and(rustc_internal::internal(target_ty)); + let param_env_and_type = + ParamEnv::reveal_all().and(rustc_internal::internal(self.tcx, target_ty)); // Then we check if the type allows "raw" initialization for the cases // where memory is zero-initialized or entirely uninitialized @@ -798,7 +817,7 @@ impl<'tcx> GotocCtx<'tcx> { PropertyClass::SafetyCheck, &format!( "attempted to zero-initialize type `{}`, which is invalid", - pretty_ty(*target_ty) + self.pretty_ty(*target_ty) ), span, ); @@ -817,7 +836,7 @@ impl<'tcx> GotocCtx<'tcx> { PropertyClass::SafetyCheck, &format!( "attempted to leave type `{}` uninitialized, which is invalid", - pretty_ty(*target_ty) + self.pretty_ty(*target_ty) ), span, ); @@ -845,7 +864,7 @@ impl<'tcx> GotocCtx<'tcx> { self.store_concurrent_construct(intrinsic, loc); let var1_ref = fargs.remove(0); let var1 = var1_ref.dereference().with_location(loc); - let res_stmt = self.codegen_expr_to_place_stable(p, var1); + let res_stmt = self.codegen_expr_to_place_stable(p, var1, loc); Stmt::atomic_block(vec![res_stmt], loc) } @@ -853,6 +872,7 @@ impl<'tcx> GotocCtx<'tcx> { /// its primary argument and returns a tuple that contains: /// * the previous value /// * a boolean value indicating whether the operation was successful or not + /// /// In a sequential context, the update is always sucessful so we assume the /// second value to be true. /// ------------------------- @@ -885,7 +905,7 @@ impl<'tcx> GotocCtx<'tcx> { let tuple_expr = Expr::struct_expr_from_values(res_type, vec![tmp, Expr::c_true()], &self.symbol_table) .with_location(loc); - let res_stmt = self.codegen_expr_to_place_stable(p, tuple_expr); + let res_stmt = self.codegen_expr_to_place_stable(p, tuple_expr, loc); Stmt::atomic_block(vec![decl_stmt, cond_update_stmt, res_stmt], loc) } @@ -913,7 +933,7 @@ impl<'tcx> GotocCtx<'tcx> { self.decl_temp_variable(var1.typ().clone(), Some(var1.to_owned()), loc); let var2 = fargs.remove(0).with_location(loc); let assign_stmt = var1.assign(var2, loc); - let res_stmt = self.codegen_expr_to_place_stable(place, tmp); + let res_stmt = self.codegen_expr_to_place_stable(place, tmp, loc); Stmt::atomic_block(vec![decl_stmt, assign_stmt, res_stmt], loc) } @@ -937,9 +957,10 @@ impl<'tcx> GotocCtx<'tcx> { /// * Both `src`/`dst` must be valid for reads/writes of `count * /// size_of::()` bytes (done by calls to `memmove`) /// * (Exclusive to nonoverlapping copy) The region of memory beginning - /// at `src` with a size of `count * size_of::()` bytes must *not* - /// overlap with the region of memory beginning at `dst` with the same - /// size. + /// at `src` with a size of `count * size_of::()` bytes must *not* + /// overlap with the region of memory beginning at `dst` with the same + /// size. + /// /// In addition, we check that computing `count` in bytes (i.e., the third /// argument of the copy built-in call) would not overflow. pub fn codegen_copy( @@ -991,7 +1012,7 @@ impl<'tcx> GotocCtx<'tcx> { // fail on passing a reference to it unless we codegen this zero check. let copy_if_nontrivial = count_bytes.is_zero().ternary(dst, copy_call); let copy_expr = if let Some(p) = p { - self.codegen_expr_to_place_stable(p, copy_if_nontrivial) + self.codegen_expr_to_place_stable(p, copy_if_nontrivial, loc) } else { copy_if_nontrivial.as_stmt(loc) }; @@ -1022,9 +1043,11 @@ impl<'tcx> GotocCtx<'tcx> { let is_lhs_ok = lhs_var.clone().is_nonnull(); let is_rhs_ok = rhs_var.clone().is_nonnull(); let should_skip_pointer_checks = is_len_zero.and(is_lhs_ok).and(is_rhs_ok); - let place_expr = - unwrap_or_return_codegen_unimplemented_stmt!(self, self.codegen_place_stable(place)) - .goto_expr; + let place_expr = unwrap_or_return_codegen_unimplemented_stmt!( + self, + self.codegen_place_stable(place, loc) + ) + .goto_expr; let res = should_skip_pointer_checks.ternary( Expr::int_constant(0, place_expr.typ().clone()), // zero bytes are always equal (as long as pointers are nonnull and aligned) BuiltinFn::Memcmp @@ -1045,14 +1068,19 @@ impl<'tcx> GotocCtx<'tcx> { // // This intrinsic replaces `ptr_guaranteed_eq` and `ptr_guaranteed_ne`: // https://doc.rust-lang.org/beta/std/primitive.pointer.html#method.guaranteed_eq - fn codegen_ptr_guaranteed_cmp(&mut self, mut fargs: Vec, p: &Place) -> Stmt { + fn codegen_ptr_guaranteed_cmp( + &mut self, + mut fargs: Vec, + p: &Place, + loc: Location, + ) -> Stmt { let a = fargs.remove(0); let b = fargs.remove(0); let place_type = self.place_ty_stable(p); let res_type = self.codegen_ty_stable(place_type); let eq_expr = a.eq(b); let cmp_expr = eq_expr.ternary(res_type.one(), res_type.zero()); - self.codegen_expr_to_place_stable(p, cmp_expr) + self.codegen_expr_to_place_stable(p, cmp_expr, loc) } /// Computes the offset from a pointer. @@ -1100,7 +1128,7 @@ impl<'tcx> GotocCtx<'tcx> { // Re-compute `dst_ptr` with standard addition to avoid conversion let dst_ptr = src_ptr.plus(offset); - let expr_place = self.codegen_expr_to_place_stable(p, dst_ptr); + let expr_place = self.codegen_expr_to_place_stable(p, dst_ptr, loc); Stmt::block(vec![bytes_overflow_check, overflow_check, expr_place], loc) } @@ -1119,7 +1147,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); - let offset_expr = self.codegen_expr_to_place_stable(p, offset_expr); + let offset_expr = self.codegen_expr_to_place_stable(p, offset_expr, loc); Stmt::block(vec![overflow_check, offset_expr], loc) } @@ -1151,7 +1179,8 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); - let offset_expr = self.codegen_expr_to_place_stable(p, offset_expr.cast_to(Type::size_t())); + let offset_expr = + self.codegen_expr_to_place_stable(p, offset_expr.cast_to(Type::size_t()), loc); Stmt::block(vec![overflow_check, non_negative_check, offset_expr], loc) } @@ -1198,18 +1227,26 @@ impl<'tcx> GotocCtx<'tcx> { /// Note(std): An earlier attempt to add alignment checks for both the argument and result types /// had catastrophic results in the regression. Hence, we don't perform any additional checks /// and only encode the transmute operation here. - fn codegen_intrinsic_transmute(&mut self, mut fargs: Vec, ret_ty: Ty, p: &Place) -> Stmt { + fn codegen_intrinsic_transmute( + &mut self, + mut fargs: Vec, + ret_ty: Ty, + p: &Place, + loc: Location, + ) -> Stmt { assert!(fargs.len() == 1, "transmute had unexpected arguments {fargs:?}"); let arg = fargs.remove(0); let cbmc_ret_ty = self.codegen_ty_stable(ret_ty); let expr = arg.transmute_to(cbmc_ret_ty, &self.symbol_table); - self.codegen_expr_to_place_stable(p, expr) + self.codegen_expr_to_place_stable(p, expr, loc) } // `raw_eq` determines whether the raw bytes of two values are equal. // https://doc.rust-lang.org/core/intrinsics/fn.raw_eq.html // - // The implementation below calls `memcmp` and returns equal if the result is zero. + // The implementation below calls `memcmp` and returns equal if the result is zero, and + // immediately returns zero when ZSTs are compared to mimic what compare_bytes and our memcmp + // hook do. // // TODO: It's UB to call `raw_eq` if any of the bytes in the first or second // arguments are uninitialized. At present, we cannot detect if there is @@ -1228,13 +1265,25 @@ impl<'tcx> GotocCtx<'tcx> { let dst = fargs.remove(0).cast_to(Type::void_pointer()); let val = fargs.remove(0).cast_to(Type::void_pointer()); let layout = self.layout_of_stable(ty); - let sz = Expr::int_constant(layout.size.bytes(), Type::size_t()) - .with_size_of_annotation(self.codegen_ty_stable(ty)); - let e = BuiltinFn::Memcmp - .call(vec![dst, val, sz], loc) - .eq(Type::c_int().zero()) - .cast_to(Type::c_bool()); - self.codegen_expr_to_place_stable(p, e) + if layout.size.bytes() == 0 { + self.codegen_expr_to_place_stable(p, Expr::int_constant(1, Type::c_bool()), loc) + } else { + let sz = Expr::int_constant(layout.size.bytes(), Type::size_t()) + .with_size_of_annotation(self.codegen_ty_stable(ty)); + let e = BuiltinFn::Memcmp + .call(vec![dst, val, sz], loc) + .eq(Type::c_int().zero()) + .cast_to(Type::c_bool()); + self.codegen_expr_to_place_stable(p, e, loc) + } + } + + // This is an operation that is primarily relevant for stacked borrow + // checks. For Kani, we simply return the pointer. + fn codegen_retag_box_to_raw(&mut self, mut fargs: Vec, p: &Place, loc: Location) -> Stmt { + assert_eq!(fargs.len(), 1, "raw_box_to_box expected one argument"); + let arg = fargs.remove(0); + self.codegen_expr_to_place_stable(p, arg, loc) } fn vtable_info( @@ -1242,7 +1291,7 @@ impl<'tcx> GotocCtx<'tcx> { info: VTableInfo, mut fargs: Vec, place: &Place, - _loc: Location, + loc: Location, ) -> Stmt { assert_eq!(fargs.len(), 1, "vtable intrinsics expects one raw pointer argument"); let vtable_obj = fargs @@ -1254,7 +1303,7 @@ impl<'tcx> GotocCtx<'tcx> { VTableInfo::Size => vtable_obj.member(typ::VTABLE_SIZE_FIELD, &self.symbol_table), VTableInfo::Align => vtable_obj.member(typ::VTABLE_ALIGN_FIELD, &self.symbol_table), }; - self.codegen_expr_to_place_stable(place, expr) + self.codegen_expr_to_place_stable(place, expr, loc) } /// Gets the length for a `simd_shuffle*` instance, which comes in two @@ -1285,7 +1334,7 @@ impl<'tcx> GotocCtx<'tcx> { _ => { let err_msg = format!( "simd_shuffle index must be an array of `u32`, got `{}`", - pretty_ty(farg_types[2]) + self.pretty_ty(farg_types[2]) ); utils::span_err(self.tcx, span, err_msg); // Return a dummy value @@ -1378,7 +1427,7 @@ impl<'tcx> GotocCtx<'tcx> { // Packed types ignore the alignment of their fields. if let TyKind::RigidTy(RigidTy::Adt(def, _)) = ty.kind() { - if rustc_internal::internal(def).repr().packed() { + if rustc_internal::internal(self.tcx, def).repr().packed() { unsized_align = sized_align.clone(); } } @@ -1426,15 +1475,16 @@ impl<'tcx> GotocCtx<'tcx> { if rust_ret_type != vector_base_type { let err_msg = format!( "expected return type `{}` (element of input `{}`), found `{}`", - pretty_ty(vector_base_type), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_ret_type) + self.pretty_ty(vector_base_type), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_ret_type) ); utils::span_err(self.tcx, span, err_msg); } self.tcx.dcx().abort_if_errors(); - self.codegen_expr_to_place_stable(p, vec.index_array(index)) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(p, vec.index_array(index), loc) } /// Insert is a generic update of a single value in a SIMD vector. @@ -1466,9 +1516,9 @@ impl<'tcx> GotocCtx<'tcx> { if vector_base_type != rust_arg_types[2] { let err_msg = format!( "expected inserted type `{}` (element of input `{}`), found `{}`", - pretty_ty(vector_base_type), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_arg_types[2]), + self.pretty_ty(vector_base_type), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_arg_types[2]), ); utils::span_err(self.tcx, span, err_msg); } @@ -1481,7 +1531,7 @@ impl<'tcx> GotocCtx<'tcx> { vec![ decl, tmp.clone().index_array(index).assign(newval.cast_to(elem_ty), loc), - self.codegen_expr_to_place_stable(p, tmp), + self.codegen_expr_to_place_stable(p, tmp, loc), ], loc, ) @@ -1534,8 +1584,8 @@ impl<'tcx> GotocCtx<'tcx> { "expected return type with length {} (same as input type `{}`), \ found `{}` with length {}", arg1.typ().len().unwrap(), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_ret_type), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_ret_type), ret_typ.len().unwrap() ); utils::span_err(self.tcx, span, err_msg); @@ -1545,8 +1595,8 @@ impl<'tcx> GotocCtx<'tcx> { let (_, rust_base_type) = self.simd_size_and_type(rust_ret_type); let err_msg = format!( "expected return type with integer elements, found `{}` with non-integer `{}`", - pretty_ty(rust_ret_type), - pretty_ty(rust_base_type), + self.pretty_ty(rust_ret_type), + self.pretty_ty(rust_base_type), ); utils::span_err(self.tcx, span, err_msg); } @@ -1554,7 +1604,8 @@ impl<'tcx> GotocCtx<'tcx> { // Create the vector comparison expression let e = f(arg1, arg2, ret_typ); - self.codegen_expr_to_place_stable(p, e) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(p, e, loc) } /// Codegen for `simd_div` and `simd_rem` intrinsics. @@ -1586,7 +1637,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ) } else { - self.binop(p, fargs, op_fun) + self.binop(p, fargs, op_fun, loc) } } @@ -1624,7 +1675,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); let res = op_fun(a, b); - let expr_place = self.codegen_expr_to_place_stable(p, res); + let expr_place = self.codegen_expr_to_place_stable(p, res, loc); Stmt::block(vec![check_stmt, expr_place], loc) } @@ -1682,7 +1733,7 @@ impl<'tcx> GotocCtx<'tcx> { _ => unreachable!("expected a simd shift intrinsic"), }; let res = op_fun(values, distances); - let expr_place = self.codegen_expr_to_place_stable(p, res); + let expr_place = self.codegen_expr_to_place_stable(p, res, loc); if distance_is_signed { let negative_check_stmt = self.codegen_assert_assume( @@ -1740,7 +1791,7 @@ impl<'tcx> GotocCtx<'tcx> { if ret_type_len != n { let err_msg = format!( "expected return type of length {n}, found `{}` with length {ret_type_len}", - pretty_ty(rust_ret_type), + self.pretty_ty(rust_ret_type), ); utils::span_err(self.tcx, span, err_msg); } @@ -1748,10 +1799,10 @@ impl<'tcx> GotocCtx<'tcx> { let err_msg = format!( "expected return element type `{}` (element of input `{}`), \ found `{}` with element type `{}`", - pretty_ty(vec_subtype), - pretty_ty(rust_arg_types[0]), - pretty_ty(rust_ret_type), - pretty_ty(ret_type_subtype), + self.pretty_ty(vec_subtype), + self.pretty_ty(rust_arg_types[0]), + self.pretty_ty(rust_ret_type), + self.pretty_ty(ret_type_subtype), ); utils::span_err(self.tcx, span, err_msg); } @@ -1775,7 +1826,8 @@ impl<'tcx> GotocCtx<'tcx> { .collect(); self.tcx.dcx().abort_if_errors(); let cbmc_ret_ty = self.codegen_ty_stable(rust_ret_type); - self.codegen_expr_to_place_stable(p, Expr::vector_expr(cbmc_ret_ty, elems)) + let loc = self.codegen_span_stable(span); + self.codegen_expr_to_place_stable(p, Expr::vector_expr(cbmc_ret_ty, elems), loc) } /// A volatile load of a memory location: @@ -1787,7 +1839,7 @@ impl<'tcx> GotocCtx<'tcx> { /// /// TODO: Add a check for the condition: /// * `src` must point to a properly initialized value of type `T` - /// See for more details + /// See for more details fn codegen_volatile_load( &mut self, mut fargs: Vec, @@ -1805,7 +1857,7 @@ impl<'tcx> GotocCtx<'tcx> { loc, ); let expr = src.dereference(); - let res_stmt = self.codegen_expr_to_place_stable(p, expr); + let res_stmt = self.codegen_expr_to_place_stable(p, expr, loc); Stmt::block(vec![align_check, res_stmt], loc) } @@ -1831,8 +1883,13 @@ impl<'tcx> GotocCtx<'tcx> { "`dst` must be properly aligned", loc, ); - let expr = dst.dereference().assign(src, loc); - Stmt::block(vec![align_check, expr], loc) + if self.is_zst_stable(pointee_type_stable(dst_typ).unwrap()) { + // do not attempt to dereference (and assign) a ZST + align_check + } else { + let expr = dst.dereference().assign(src, loc); + Stmt::block(vec![align_check, expr], loc) + } } /// Sets `count * size_of::()` bytes of memory starting at `dst` to `val` @@ -1841,6 +1898,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Undefined behavior if any of these conditions are violated: /// * `dst` must be valid for writes (done by memset writable check) /// * `dst` must be properly aligned (done by `align_check` below) + /// /// In addition, we check that computing `bytes` (i.e., the third argument /// for the `memset` call) would not overflow fn codegen_write_bytes( @@ -1919,6 +1977,59 @@ impl<'tcx> GotocCtx<'tcx> { let zero = Type::size_t().zero(); cast_ptr.rem(align).eq(zero) } + + /// Swaps the memory contents pointed to by arguments `x` and `y`, respectively, which is + /// required for the `typed_swap` intrinsic. + /// + /// The standard library API requires that `x` and `y` are readable and writable as their + /// (common) type (which auto-generated checks for dereferencing will take care of), and the + /// memory regions pointed to must be non-overlapping. + pub fn codegen_swap(&mut self, mut fargs: Vec, farg_types: &[Ty], loc: Location) -> Stmt { + // two parameters, and both must be raw pointers with the same base type + assert!(fargs.len() == 2); + assert!(farg_types[0].kind().is_raw_ptr()); + assert!(farg_types[0] == farg_types[1]); + + let x = fargs.remove(0); + let y = fargs.remove(0); + + if self.is_zst_stable(pointee_type_stable(farg_types[0]).unwrap()) { + // do not attempt to dereference (and assign) a ZST + Stmt::skip(loc) + } else { + // if(same_object(x, y)) { + // assert(x + 1 <= y || y + 1 <= x); + // assume(x + 1 <= y || y + 1 <= x); + // } + let one = Expr::int_constant(1, Type::c_int()); + let non_overlapping = x + .clone() + .plus(one.clone()) + .le(y.clone()) + .or(y.clone().plus(one.clone()).le(x.clone())); + let non_overlapping_check = self.codegen_assert_assume( + non_overlapping, + PropertyClass::SafetyCheck, + "memory regions pointed to by `x` and `y` must not overlap", + loc, + ); + let non_overlapping_stmt = Stmt::if_then_else( + x.clone().same_object(y.clone()), + non_overlapping_check, + None, + loc, + ); + + // T t = *y; *y = *x; *x = t; + let deref_y = y.clone().dereference(); + let (temp_var, assign_to_t) = + self.decl_temp_variable(deref_y.typ().clone(), Some(deref_y), loc); + let assign_to_y = y.dereference().assign(x.clone().dereference(), loc); + let assign_to_x = x.dereference().assign(temp_var, loc); + + Stmt::block(vec![non_overlapping_stmt, assign_to_t, assign_to_y, assign_to_x], loc) + } + } } fn instance_args(instance: &Instance) -> GenericArgs { diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs index aaec506edf6e..555fc43b8999 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/operand.rs @@ -11,8 +11,8 @@ use stable_mir::mir::alloc::{AllocId, GlobalAlloc}; use stable_mir::mir::mono::{Instance, StaticDef}; use stable_mir::mir::Operand; use stable_mir::ty::{ - Allocation, Const, ConstantKind, FloatTy, FnDef, GenericArgs, IntTy, RigidTy, Size, Span, Ty, - TyKind, UintTy, + Allocation, ConstantKind, FloatTy, FnDef, GenericArgs, IntTy, MirConst, RigidTy, Size, Ty, + TyConst, TyConstKind, TyKind, UintTy, }; use stable_mir::{CrateDef, CrateItem}; use tracing::{debug, trace}; @@ -38,8 +38,10 @@ impl<'tcx> GotocCtx<'tcx> { Operand::Copy(place) | Operand::Move(place) => // TODO: move is an opportunity to poison/nondet the original memory. { - let projection = - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place)); + let projection = unwrap_or_return_codegen_unimplemented!( + self, + self.codegen_place_stable(place, Location::none()) + ); // If the operand itself is a Dynamic (like when passing a boxed closure), // we need to pull off the fat pointer. In that case, the rustc kind() on // both the operand and the inner type are Dynamic. @@ -51,7 +53,7 @@ impl<'tcx> GotocCtx<'tcx> { } } Operand::Constant(constant) => { - self.codegen_const(&constant.literal, Some(constant.span)) + self.codegen_const(&constant.const_, self.codegen_span_stable(constant.span)) } } } @@ -62,27 +64,30 @@ impl<'tcx> GotocCtx<'tcx> { span: Option, ) -> Expr { let stable_const = rustc_internal::stable(constant); - let stable_span = rustc_internal::stable(span); - self.codegen_const(&stable_const, stable_span) + if let Some(stable_span) = rustc_internal::stable(span) { + self.codegen_const_ty(&stable_const, self.codegen_span_stable(stable_span)) + } else { + self.codegen_const_ty(&stable_const, Location::none()) + } } - /// Generate a goto expression that represents a constant. + /// Generate a goto expression that represents a MIR-level constant. /// /// There are two possible constants included in the body of an instance: /// - Allocated: It will have its byte representation already defined. We try to eagerly /// generate code for it as simple literals or constants if possible. Otherwise, we create /// a memory allocation for them and access them indirectly. /// - ZeroSized: These are ZST constants and they just need to match the right type. - pub fn codegen_const(&mut self, constant: &Const, span: Option) -> Expr { + pub fn codegen_const(&mut self, constant: &MirConst, loc: Location) -> Expr { trace!(?constant, "codegen_constant"); match constant.kind() { - ConstantKind::Allocated(alloc) => self.codegen_allocation(alloc, constant.ty(), span), + ConstantKind::Allocated(alloc) => self.codegen_allocation(alloc, constant.ty(), loc), ConstantKind::ZeroSized => { let lit_ty = constant.ty(); match lit_ty.kind() { // Rust "function items" (not closures, not function pointers, see `codegen_fndef`) TyKind::RigidTy(RigidTy::FnDef(def, args)) => { - self.codegen_fndef(def, &args, span) + self.codegen_fndef(def, &args, loc) } _ => Expr::init_unit(self.codegen_ty_stable(lit_ty), &self.symbol_table), } @@ -90,14 +95,42 @@ impl<'tcx> GotocCtx<'tcx> { ConstantKind::Param(..) | ConstantKind::Unevaluated(..) => { unreachable!() } + ConstantKind::Ty(t) => self.codegen_const_ty(t, loc), + } + } + + /// Generate a goto expression that represents a type-level constant. + /// + /// There are two possible constants included in the body of an instance: + /// - Allocated: It will have its byte representation already defined. We try to eagerly + /// generate code for it as simple literals or constants if possible. Otherwise, we create + /// a memory allocation for them and access them indirectly. + /// - ZeroSized: These are ZST constants and they just need to match the right type. + pub fn codegen_const_ty(&mut self, constant: &TyConst, loc: Location) -> Expr { + trace!(?constant, "codegen_constant"); + match constant.kind() { + TyConstKind::ZSTValue(lit_ty) => { + match lit_ty.kind() { + // Rust "function items" (not closures, not function pointers, see `codegen_fndef`) + TyKind::RigidTy(RigidTy::FnDef(def, args)) => { + self.codegen_fndef(def, &args, loc) + } + _ => Expr::init_unit(self.codegen_ty_stable(*lit_ty), &self.symbol_table), + } + } + TyConstKind::Value(ty, alloc) => self.codegen_allocation(alloc, *ty, loc), + TyConstKind::Bound(..) => unreachable!(), + TyConstKind::Param(..) | TyConstKind::Unevaluated(..) => { + unreachable!() + } } } - pub fn codegen_allocation(&mut self, alloc: &Allocation, ty: Ty, span: Option) -> Expr { + pub fn codegen_allocation(&mut self, alloc: &Allocation, ty: Ty, loc: Location) -> Expr { // First try to generate the constant without allocating memory. - let expr = self.try_codegen_constant(alloc, ty, span).unwrap_or_else(|| { + let expr = self.try_codegen_constant(alloc, ty, loc).unwrap_or_else(|| { debug!("codegen_allocation try_fail"); - let mem_var = self.codegen_const_allocation(alloc, None); + let mem_var = self.codegen_const_allocation(alloc, None, loc); mem_var .cast_to(Type::unsigned_int(8).to_pointer()) .cast_to(self.codegen_ty_stable(ty).to_pointer()) @@ -115,12 +148,7 @@ impl<'tcx> GotocCtx<'tcx> { /// 3. enums that don't carry data /// 4. unit, tuples (may be multi-ary!), or size-0 arrays /// 5. pointers to an allocation - fn try_codegen_constant( - &mut self, - alloc: &Allocation, - ty: Ty, - span: Option, - ) -> Option { + fn try_codegen_constant(&mut self, alloc: &Allocation, ty: Ty, loc: Location) -> Option { debug!(?alloc, ?ty, "try_codegen_constant"); match ty.kind() { TyKind::RigidTy(RigidTy::Int(it)) => { @@ -166,7 +194,7 @@ impl<'tcx> GotocCtx<'tcx> { } TyKind::RigidTy(RigidTy::RawPtr(inner_ty, _)) | TyKind::RigidTy(RigidTy::Ref(_, inner_ty, _)) => { - Some(self.codegen_const_ptr(alloc, ty, inner_ty, span)) + Some(self.codegen_const_ptr(alloc, ty, inner_ty, loc)) } TyKind::RigidTy(RigidTy::Adt(adt, args)) if adt.kind().is_struct() => { // Structs only have one variant. @@ -193,7 +221,7 @@ impl<'tcx> GotocCtx<'tcx> { &self.symbol_table, )) } else { - self.try_codegen_constant(alloc, *t, span) + self.try_codegen_constant(alloc, *t, loc) } }) .collect::>>()?; @@ -210,7 +238,7 @@ impl<'tcx> GotocCtx<'tcx> { } TyKind::RigidTy(RigidTy::Tuple(tys)) if tys.len() == 1 => { let overall_t = self.codegen_ty_stable(ty); - let inner_expr = self.try_codegen_constant(alloc, tys[0], span)?; + let inner_expr = self.try_codegen_constant(alloc, tys[0], loc)?; Some(inner_expr.transmute_to(overall_t, &self.symbol_table)) } // Everything else we encode as an allocation. @@ -223,7 +251,7 @@ impl<'tcx> GotocCtx<'tcx> { alloc: &Allocation, ty: Ty, inner_ty: Ty, - span: Option, + loc: Location, ) -> Expr { debug!(?ty, ?alloc, "codegen_const_ptr"); if self.use_fat_pointer_stable(inner_ty) { @@ -240,7 +268,7 @@ impl<'tcx> GotocCtx<'tcx> { let GlobalAlloc::Memory(data) = GlobalAlloc::from(alloc_id) else { unreachable!() }; - let mem_var = self.codegen_const_allocation(&data, None); + let mem_var = self.codegen_const_allocation(&data, None, loc); // Extract identifier for static variable. // codegen_allocation_auto_imm_name returns the *address* of @@ -281,7 +309,7 @@ impl<'tcx> GotocCtx<'tcx> { let GlobalAlloc::Memory(data) = GlobalAlloc::from(alloc_id) else { unreachable!() }; - let mem_var = self.codegen_const_allocation(&data, None); + let mem_var = self.codegen_const_allocation(&data, None, loc); let inner_typ = self.codegen_ty_stable(inner_ty); let len = data.bytes.len() / inner_typ.sizeof(&self.symbol_table) as usize; let data_expr = mem_var.cast_to(inner_typ.to_pointer()); @@ -297,7 +325,6 @@ impl<'tcx> GotocCtx<'tcx> { TyKind::RigidTy(RigidTy::Adt(def, _)) if def.name().ends_with("::CStr") => { // TODO: Handle CString // - let loc = self.codegen_span_option_stable(span); let typ = self.codegen_ty_stable(ty); let operation_name = "C string literal"; self.codegen_unimplemented_expr( @@ -315,7 +342,7 @@ impl<'tcx> GotocCtx<'tcx> { let ptr = alloc.provenance.ptrs[0]; let alloc_id = ptr.1.0; let typ = self.codegen_ty_stable(ty); - self.codegen_alloc_pointer(typ, alloc_id, ptr.0, span) + self.codegen_alloc_pointer(typ, alloc_id, ptr.0, loc) } else { // If there's no provenance, just codegen the pointer address. trace!("codegen_const_ptr no_prov"); @@ -331,13 +358,13 @@ impl<'tcx> GotocCtx<'tcx> { res_t: Type, alloc_id: AllocId, offset: Size, - span: Option, + loc: Location, ) -> Expr { debug!(?res_t, ?alloc_id, "codegen_alloc_pointer"); let base_addr = match GlobalAlloc::from(alloc_id) { GlobalAlloc::Function(instance) => { // We want to return the function pointer (not to be confused with function item) - self.codegen_func_expr(instance, span).address_of() + self.codegen_func_expr(instance, loc).address_of() } GlobalAlloc::Static(def) => self.codegen_static_pointer(def), GlobalAlloc::Memory(alloc) => { @@ -345,7 +372,7 @@ impl<'tcx> GotocCtx<'tcx> { // crates do not conflict. The name alone is insufficient because Rust // allows different versions of the same crate to be used. let name = format!("{}::{alloc_id:?}", self.full_crate_name()); - self.codegen_const_allocation(&alloc, Some(name)) + self.codegen_const_allocation(&alloc, Some(name), loc) } alloc @ GlobalAlloc::VTable(..) => { // This is similar to GlobalAlloc::Memory but the type is opaque to rust and it @@ -355,7 +382,7 @@ impl<'tcx> GotocCtx<'tcx> { unreachable!() }; let name = format!("{}::{alloc_id:?}", self.full_crate_name()); - self.codegen_const_allocation(&alloc, Some(name)) + self.codegen_const_allocation(&alloc, Some(name), loc) } }; assert!(res_t.is_pointer() || res_t.is_transparent_type(&self.symbol_table)); @@ -393,7 +420,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate a goto expression for a pointer to a static or thread-local variable. fn codegen_instance_pointer(&mut self, instance: Instance, is_thread_local: bool) -> Expr { - let sym = self.ensure(&instance.mangled_name(), |ctx, name| { + let sym = self.ensure(instance.mangled_name(), |ctx, name| { // Rust has a notion of "extern static" variables. These are in an "extern" block, // and so aren't initialized in the current codegen unit. For example (from std): // extern "C" { @@ -431,12 +458,17 @@ impl<'tcx> GotocCtx<'tcx> { /// /// These constants can be named constants which are declared by the user, or constant values /// used scattered throughout the source - fn codegen_const_allocation(&mut self, alloc: &Allocation, name: Option) -> Expr { + fn codegen_const_allocation( + &mut self, + alloc: &Allocation, + name: Option, + loc: Location, + ) -> Expr { debug!(?name, "codegen_const_allocation"); let alloc_name = match self.alloc_map.get(alloc) { None => { let alloc_name = if let Some(name) = name { name } else { self.next_global_name() }; - self.codegen_alloc_in_memory(alloc.clone(), alloc_name.clone()); + self.codegen_alloc_in_memory(alloc.clone(), alloc_name.clone(), loc); alloc_name } Some(name) => name.clone(), @@ -451,7 +483,7 @@ impl<'tcx> GotocCtx<'tcx> { /// /// This function is ultimately responsible for creating new statically initialized global variables /// in our goto binaries. - pub fn codegen_alloc_in_memory(&mut self, alloc: Allocation, name: String) { + pub fn codegen_alloc_in_memory(&mut self, alloc: Allocation, name: String, loc: Location) { debug!(?alloc, ?name, "codegen_alloc_in_memory"); let struct_name = &format!("{name}::struct"); @@ -460,7 +492,7 @@ impl<'tcx> GotocCtx<'tcx> { // initializers. For example, for a boolean static variable, the variable will have type // CBool and the initializer will be a single byte (a one-character array) representing the // bit pattern for the boolean value. - let alloc_data = self.codegen_allocation_data(&alloc); + let alloc_data = self.codegen_allocation_data(&alloc, loc); let alloc_typ_ref = self.ensure_struct(struct_name, struct_name, |_, _| { alloc_data .iter() @@ -483,7 +515,7 @@ impl<'tcx> GotocCtx<'tcx> { &name, false, //TODO is this correct? alloc_typ_ref.clone(), - Location::none(), + loc, |_, _| None, ); let var_typ = var.typ().clone(); @@ -510,13 +542,13 @@ impl<'tcx> GotocCtx<'tcx> { &self.symbol_table, ); let fn_name = Self::initializer_fn_name(&name); - let temp_var = self.gen_function_local_variable(0, &fn_name, alloc_typ_ref).to_expr(); + let temp_var = self.gen_function_local_variable(0, &fn_name, alloc_typ_ref, loc).to_expr(); let body = Stmt::block( vec![ - Stmt::decl(temp_var.clone(), Some(val), Location::none()), - var.assign(temp_var.transmute_to(var_typ, &self.symbol_table), Location::none()), + Stmt::decl(temp_var.clone(), Some(val), loc), + var.assign(temp_var.transmute_to(var_typ, &self.symbol_table), loc), ], - Location::none(), + loc, ); self.register_initializer(&name, body); @@ -528,7 +560,11 @@ impl<'tcx> GotocCtx<'tcx> { /// We codegen global statics as their own unique struct types, and this creates a field-by-field /// representation of what those fields should be initialized with. /// (A field is either bytes, or initialized with an expression.) - fn codegen_allocation_data<'a>(&mut self, alloc: &'a Allocation) -> Vec> { + fn codegen_allocation_data<'a>( + &mut self, + alloc: &'a Allocation, + loc: Location, + ) -> Vec> { let mut alloc_vals = Vec::with_capacity(alloc.provenance.ptrs.len() + 1); let pointer_size = self.symbol_table.machine_model().pointer_width_in_bytes(); @@ -543,7 +579,7 @@ impl<'tcx> GotocCtx<'tcx> { Type::signed_int(8).to_pointer(), prov.0, ptr_offset.try_into().unwrap(), - None, + loc, ))); next_offset = offset + pointer_size; @@ -557,6 +593,17 @@ impl<'tcx> GotocCtx<'tcx> { alloc_vals } + /// Returns `Some(instance)` if the function is an intrinsic; `None` otherwise + pub fn get_instance(&self, func: &Operand) -> Option { + let funct = self.operand_ty_stable(func); + match funct.kind() { + TyKind::RigidTy(RigidTy::FnDef(def, args)) => { + Some(Instance::resolve(def, &args).unwrap()) + } + _ => None, + } + } + /// Generate a goto expression for a MIR "function item" reference. /// /// A "function item" is a ZST that corresponds to a specific single function. @@ -568,20 +615,14 @@ impl<'tcx> GotocCtx<'tcx> { /// function types. /// /// See - pub fn codegen_fndef(&mut self, def: FnDef, args: &GenericArgs, span: Option) -> Expr { + pub fn codegen_fndef(&mut self, def: FnDef, args: &GenericArgs, loc: Location) -> Expr { let instance = Instance::resolve(def, args).unwrap(); - self.codegen_fn_item(instance, span) + self.codegen_fn_item(instance, loc) } /// Ensure that the given instance is in the symbol table, returning the symbol. - /// - /// FIXME: The function should not have to return the type of the function symbol as well - /// because the symbol should have the type. The problem is that the type in the symbol table - /// sometimes subtly differs from the type that codegen_function_sig returns. - /// This is tracked in . - fn codegen_func_symbol(&mut self, instance: Instance) -> (&Symbol, Type) { - let funct = self.codegen_function_sig_stable(self.fn_sig_of_instance_stable(instance)); - let sym = if instance.is_foreign_item() { + fn codegen_func_symbol(&mut self, instance: Instance) -> &Symbol { + let sym = if instance.is_foreign_item() && !instance.has_body() { // Get the symbol that represents a foreign instance. self.codegen_foreign_fn(instance) } else { @@ -592,7 +633,7 @@ impl<'tcx> GotocCtx<'tcx> { .lookup(&func) .unwrap_or_else(|| panic!("Function `{func}` should've been declared before usage")) }; - (sym, funct) + sym } /// Generate a goto expression that references the function identified by `instance`. @@ -600,10 +641,9 @@ impl<'tcx> GotocCtx<'tcx> { /// Note: In general with this `Expr` you should immediately either `.address_of()` or `.call(...)`. /// /// This should not be used where Rust expects a "function item" (See `codegen_fn_item`) - pub fn codegen_func_expr(&mut self, instance: Instance, span: Option) -> Expr { - let (func_symbol, func_typ) = self.codegen_func_symbol(instance); - Expr::symbol_expression(func_symbol.name, func_typ) - .with_location(self.codegen_span_option_stable(span)) + pub fn codegen_func_expr(&mut self, instance: Instance, loc: Location) -> Expr { + let func_symbol = self.codegen_func_symbol(instance); + Expr::symbol_expression(func_symbol.name, func_symbol.typ.clone()).with_location(loc) } /// Generate a goto expression referencing the singleton value for a MIR "function item". @@ -611,8 +651,8 @@ impl<'tcx> GotocCtx<'tcx> { /// For a given function instance, generate a ZST struct and return a singleton reference to that. /// This is the Rust "function item". See /// This is not the function pointer, for that use `codegen_func_expr`. - fn codegen_fn_item(&mut self, instance: Instance, span: Option) -> Expr { - let (func_symbol, _) = self.codegen_func_symbol(instance); + fn codegen_fn_item(&mut self, instance: Instance, loc: Location) -> Expr { + let func_symbol = self.codegen_func_symbol(instance); let mangled_name = func_symbol.name; let fn_item_struct_ty = self.codegen_fndef_type_stable(instance); // This zero-sized object that a function name refers to in Rust is globally unique, so we create such a global object. @@ -621,7 +661,7 @@ impl<'tcx> GotocCtx<'tcx> { &fn_singleton_name, false, fn_item_struct_ty, - self.codegen_span_option_stable(span), + loc, |_, _| None, // zero-sized, so no initialization necessary ) } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs index fd9ff33e164e..d0e3fc3f442f 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/place.rs @@ -11,7 +11,7 @@ use crate::codegen_cprover_gotoc::codegen::typ::std_pointee_type; use crate::codegen_cprover_gotoc::utils::{dynamic_fat_ptr, slice_fat_ptr}; use crate::codegen_cprover_gotoc::GotocCtx; use crate::unwrap_or_return_codegen_unimplemented; -use cbmc::goto_program::{Expr, Location, Type}; +use cbmc::goto_program::{Expr, ExprValue, Location, Stmt, Type}; use rustc_middle::ty::layout::LayoutOf; use rustc_smir::rustc_internal; use rustc_target::abi::{TagEncoding, Variants}; @@ -260,7 +260,7 @@ impl<'tcx> GotocCtx<'tcx> { Ok(parent_expr.member(Self::tuple_fld_name(field_idx), &self.symbol_table)) } TyKind::RigidTy(RigidTy::Adt(def, _)) - if rustc_internal::internal(def).repr().simd() => + if rustc_internal::internal(self.tcx, def).repr().simd() => { Ok(self.codegen_simd_field( parent_expr, @@ -292,6 +292,11 @@ impl<'tcx> GotocCtx<'tcx> { "element of {parent_ty:?} is not accessed via field projection" ) } + TyKind::RigidTy(RigidTy::Pat(..)) => { + // See https://github.com/rust-lang/types-team/issues/126 + // for what is currently supported. + unreachable!("projection inside a pattern is not supported, only transmute") + } } } // if we fall here, then we are handling an enum @@ -328,8 +333,9 @@ impl<'tcx> GotocCtx<'tcx> { /// assert!(v.0 == [1, 2]); // refers to the entire array /// } /// ``` - /// * Note that projection inside SIMD structs may eventually become illegal. - /// See thread. + /// + /// Note that projection inside SIMD structs may eventually become illegal. + /// See thread . /// /// Since the goto representation for both is the same, we use the expected type to decide /// what to return. @@ -358,22 +364,20 @@ impl<'tcx> GotocCtx<'tcx> { /// a named variable. /// /// Recursively finds the actual FnDef from a pointer or box. - fn codegen_local_fndef(&mut self, ty: Ty) -> Option { + fn codegen_local_fndef(&mut self, ty: Ty, loc: Location) -> Option { match ty.kind() { // A local that is itself a FnDef, like Fn::call_once - TyKind::RigidTy(RigidTy::FnDef(def, args)) => { - Some(self.codegen_fndef(def, &args, None)) - } + TyKind::RigidTy(RigidTy::FnDef(def, args)) => Some(self.codegen_fndef(def, &args, loc)), // A local can be pointer to a FnDef, like Fn::call and Fn::call_mut TyKind::RigidTy(RigidTy::RawPtr(inner, _)) => self - .codegen_local_fndef(inner) + .codegen_local_fndef(inner, loc) .map(|f| if f.can_take_address_of() { f.address_of() } else { f }), // A local can be a boxed function pointer TyKind::RigidTy(RigidTy::Adt(def, args)) if def.is_box() => { let boxed_ty = self.codegen_ty_stable(ty); // The type of `T` for `Box` can be derived from the first definition args. let inner_ty = args.0[0].ty().unwrap(); - self.codegen_local_fndef(*inner_ty) + self.codegen_local_fndef(*inner_ty, loc) .map(|f| self.box_value(f.address_of(), boxed_ty)) } _ => None, @@ -381,10 +385,10 @@ impl<'tcx> GotocCtx<'tcx> { } /// Codegen for a local - fn codegen_local(&mut self, l: Local) -> Expr { + pub fn codegen_local(&mut self, l: Local, loc: Location) -> Expr { let local_ty = self.local_ty_stable(l); // Check if the local is a function definition (see comment above) - if let Some(fn_def) = self.codegen_local_fndef(local_ty) { + if let Some(fn_def) = self.codegen_local_fndef(local_ty, loc) { return fn_def; } @@ -402,6 +406,7 @@ impl<'tcx> GotocCtx<'tcx> { &mut self, before: Result, proj: &ProjectionElem, + loc: Location, ) -> Result { let before = before?; trace!(?before, ?proj, "codegen_projection"); @@ -415,7 +420,7 @@ impl<'tcx> GotocCtx<'tcx> { }; let inner_mir_typ_internal = - std_pointee_type(rustc_internal::internal(base_type)).unwrap(); + std_pointee_type(rustc_internal::internal(self.tcx, base_type)).unwrap(); let inner_mir_typ = rustc_internal::stable(inner_mir_typ_internal); let (fat_ptr_mir_typ, fat_ptr_goto_expr) = if self .use_thin_pointer(inner_mir_typ_internal) @@ -436,6 +441,7 @@ impl<'tcx> GotocCtx<'tcx> { ); assert!( self.use_fat_pointer(rustc_internal::internal( + self.tcx, pointee_type(fat_ptr_mir_typ.unwrap()).unwrap() )), "Unexpected type: {:?} -- {:?}", @@ -493,7 +499,7 @@ impl<'tcx> GotocCtx<'tcx> { } ProjectionElem::Index(i) => { let base_type = before.mir_typ(); - let idxe = self.codegen_local(*i); + let idxe = self.codegen_local(*i, loc); let typ = match base_type.kind() { TyKind::RigidTy(RigidTy::Array(elemt, _)) | TyKind::RigidTy(RigidTy::Slice(elemt)) => TypeOrVariant::Type(elemt), @@ -582,7 +588,7 @@ impl<'tcx> GotocCtx<'tcx> { (variant.name().into(), TypeOrVariant::Variant(variant)) } TyKind::RigidTy(RigidTy::Coroutine(..)) => { - let idx_internal = rustc_internal::internal(idx); + let idx_internal = rustc_internal::internal(self.tcx, idx); ( self.coroutine_variant_name(idx_internal), TypeOrVariant::CoroutineVariant(*idx), @@ -593,7 +599,7 @@ impl<'tcx> GotocCtx<'tcx> { &ty.kind() ), }; - let layout = self.layout_of(rustc_internal::internal(ty)); + let layout = self.layout_of(rustc_internal::internal(self.tcx, ty)); let expr = match &layout.variants { Variants::Single { .. } => before.goto_expr, Variants::Multiple { tag_encoding, .. } => match tag_encoding { @@ -630,19 +636,53 @@ impl<'tcx> GotocCtx<'tcx> { } } + fn is_zst_object(&self, expr: &Expr) -> bool { + match expr.value() { + ExprValue::Symbol { .. } => expr.typ().sizeof(&self.symbol_table) == 0, + ExprValue::Member { lhs, .. } => self.is_zst_object(lhs), + _ => false, + } + } + /// Codegen the reference to a given place. /// We currently have a somewhat weird way of handling ZST. /// - For `*(&T)` where `T: Unsized`, the projection's `goto_expr` is a thin pointer, so we /// build the fat pointer from there. /// - For `*(Wrapper)` where `T: Unsized`, the projection's `goto_expr` returns an object, /// and we need to take it's address and build the fat pointer. - pub fn codegen_place_ref_stable(&mut self, place: &Place) -> Expr { + pub fn codegen_place_ref_stable(&mut self, place: &Place, loc: Location) -> Expr { let place_ty = self.place_ty_stable(place); let projection = - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place)); + unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place, loc)); if self.use_thin_pointer_stable(place_ty) { - // Just return the address of the place dereferenced. - projection.goto_expr.address_of() + // For ZST objects rustc does not necessarily generate any actual objects. + let need_not_be_an_object = self.is_zst_object(&projection.goto_expr); + let address_of = projection.goto_expr.clone().address_of(); + if need_not_be_an_object { + // Create a non-deterministic numeric value, assume it is non-zero and (when + // interpreted as an address) of proper alignment for the type, and cast that + // numeric value to a pointer type. + let loc = projection.goto_expr.location(); + let (var, decl) = + self.decl_temp_variable(Type::size_t(), Some(Type::size_t().nondet()), *loc); + let assume_non_zero = + Stmt::assume(var.clone().neq(Expr::int_constant(0, var.typ().clone())), *loc); + let layout = self.layout_of_stable(place_ty); + let alignment = Expr::int_constant(layout.align.abi.bytes(), var.typ().clone()); + let assume_aligned = Stmt::assume( + var.clone().rem(alignment).eq(Expr::int_constant(0, var.typ().clone())), + *loc, + ); + let cast_to_pointer_type = var.cast_to(address_of.typ().clone()).as_stmt(*loc); + Expr::statement_expression( + vec![decl, assume_non_zero, assume_aligned, cast_to_pointer_type], + address_of.typ().clone(), + *loc, + ) + } else { + // Just return the address of the place dereferenced. + address_of + } } else if place_ty == pointee_type(self.local_ty_stable(place.local)).unwrap() { // Just return the fat pointer if this is a simple &(*local). projection.fat_ptr_goto_expr.unwrap() @@ -671,9 +711,10 @@ impl<'tcx> GotocCtx<'tcx> { pub fn codegen_place_stable( &mut self, place: &Place, + loc: Location, ) -> Result { debug!(?place, "codegen_place"); - let initial_expr = self.codegen_local(place.local); + let initial_expr = self.codegen_local(place.local, loc); let initial_typ = TypeOrVariant::Type(self.local_ty_stable(place.local)); debug!(?initial_typ, ?initial_expr, "codegen_place"); let initial_projection = @@ -681,7 +722,7 @@ impl<'tcx> GotocCtx<'tcx> { let result = place .projection .iter() - .fold(initial_projection, |accum, proj| self.codegen_projection(accum, proj)); + .fold(initial_projection, |accum, proj| self.codegen_projection(accum, proj, loc)); match result { Err(data) => Err(UnimplementedData::new( &data.operation, @@ -698,10 +739,11 @@ impl<'tcx> GotocCtx<'tcx> { &mut self, initial_projection: ProjectedPlace, variant_idx: VariantIdx, + loc: Location, ) -> ProjectedPlace { debug!(?initial_projection, ?variant_idx, "codegen_variant_lvalue"); let downcast = ProjectionElem::Downcast(variant_idx); - self.codegen_projection(Ok(initial_projection), &downcast).unwrap() + self.codegen_projection(Ok(initial_projection), &downcast, loc).unwrap() } // https://doc.rust-lang.org/nightly/nightly-rustc/rustc_middle/mir/enum.ProjectionElem.html diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs index c4ea258fe79e..31590266a7b8 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/rvalue.rs @@ -1,6 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT +use crate::args::ExtraChecks; use crate::codegen_cprover_gotoc::codegen::place::ProjectedPlace; use crate::codegen_cprover_gotoc::codegen::ty_stable::pointee_type_stable; use crate::codegen_cprover_gotoc::codegen::PropertyClass; @@ -17,14 +18,15 @@ use cbmc::goto_program::{ use cbmc::MachineModel; use cbmc::{btree_string_map, InternString, InternedString}; use num::bigint::BigInt; -use rustc_middle::ty::{TyCtxt, VtblEntry}; +use rustc_middle::ty::{ParamEnv, TyCtxt, VtblEntry}; use rustc_smir::rustc_internal; use rustc_target::abi::{FieldsShape, TagEncoding, Variants}; +use stable_mir::abi::{Primitive, Scalar, ValueAbi}; use stable_mir::mir::mono::Instance; use stable_mir::mir::{ AggregateKind, BinOp, CastKind, NullOp, Operand, Place, PointerCoercion, Rvalue, UnOp, }; -use stable_mir::ty::{ClosureKind, Const, IntTy, RigidTy, Size, Ty, TyKind, UintTy, VariantIdx}; +use stable_mir::ty::{ClosureKind, IntTy, RigidTy, Size, Ty, TyConst, TyKind, UintTy, VariantIdx}; use std::collections::BTreeMap; use tracing::{debug, trace, warn}; @@ -32,9 +34,11 @@ impl<'tcx> GotocCtx<'tcx> { fn codegen_comparison(&mut self, op: &BinOp, e1: &Operand, e2: &Operand) -> Expr { let left_op = self.codegen_operand_stable(e1); let right_op = self.codegen_operand_stable(e2); - let is_float = - matches!(self.operand_ty_stable(e1).kind(), TyKind::RigidTy(RigidTy::Float(..))); - comparison_expr(op, left_op, right_op, is_float) + let left_ty = self.operand_ty_stable(e1); + let right_ty = self.operand_ty_stable(e2); + let res_ty = op.ty(left_ty, right_ty); + let is_float = matches!(left_ty.kind(), TyKind::RigidTy(RigidTy::Float(..))); + self.comparison_expr(op, left_op, right_op, res_ty, is_float) } /// This function codegen comparison for fat pointers. @@ -69,19 +73,21 @@ impl<'tcx> GotocCtx<'tcx> { ret_type.nondet().as_stmt(loc).with_location(loc), ]; - Expr::statement_expression(body, ret_type).with_location(loc) + Expr::statement_expression(body, ret_type, loc) } else { // Compare data pointer. + let res_ty = op.ty(left_typ, right_typ); let left_ptr = self.codegen_operand_stable(left_op); let left_data = left_ptr.clone().member("data", &self.symbol_table); let right_ptr = self.codegen_operand_stable(right_op); let right_data = right_ptr.clone().member("data", &self.symbol_table); - let data_cmp = comparison_expr(op, left_data.clone(), right_data.clone(), false); + let data_cmp = + self.comparison_expr(op, left_data.clone(), right_data.clone(), res_ty, false); // Compare the slice metadata (this logic could be adapted to compare vtable if needed). let left_len = left_ptr.member("len", &self.symbol_table); let right_len = right_ptr.member("len", &self.symbol_table); - let metadata_cmp = comparison_expr(op, left_len, right_len, false); + let metadata_cmp = self.comparison_expr(op, left_len, right_len, res_ty, false); // Join the results. // https://github.com/rust-lang/rust/pull/29781 @@ -93,10 +99,20 @@ impl<'tcx> GotocCtx<'tcx> { // If data is different, only compare data. // If data is equal, apply operator to metadata. BinOp::Lt | BinOp::Le | BinOp::Ge | BinOp::Gt => { - let data_eq = - comparison_expr(&BinOp::Eq, left_data.clone(), right_data.clone(), false); - let data_strict_comp = - comparison_expr(&get_strict_operator(op), left_data, right_data, false); + let data_eq = self.comparison_expr( + &BinOp::Eq, + left_data.clone(), + right_data.clone(), + res_ty, + false, + ); + let data_strict_comp = self.comparison_expr( + &get_strict_operator(op), + left_data, + right_data, + res_ty, + false, + ); data_strict_comp.or(data_eq.and(metadata_cmp)) } _ => unreachable!("Unexpected operator {:?}", op), @@ -145,18 +161,18 @@ impl<'tcx> GotocCtx<'tcx> { } /// Codegens expressions of the type `let a = [4u8; 6];` - fn codegen_rvalue_repeat(&mut self, op: &Operand, sz: &Const, loc: Location) -> Expr { + fn codegen_rvalue_repeat(&mut self, op: &Operand, sz: &TyConst, loc: Location) -> Expr { let op_expr = self.codegen_operand_stable(op); let width = sz.eval_target_usize().unwrap(); op_expr.array_constant(width).with_location(loc) } - fn codegen_rvalue_len(&mut self, p: &Place) -> Expr { + fn codegen_rvalue_len(&mut self, p: &Place, loc: Location) -> Expr { let pt = self.place_ty_stable(p); match pt.kind() { - TyKind::RigidTy(RigidTy::Array(_, sz)) => self.codegen_const(&sz, None), + TyKind::RigidTy(RigidTy::Array(_, sz)) => self.codegen_const_ty(&sz, loc), TyKind::RigidTy(RigidTy::Slice(_)) => { - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(p)) + unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(p, loc)) .fat_ptr_goto_expr .unwrap() .member("len", &self.symbol_table) @@ -208,6 +224,7 @@ impl<'tcx> GotocCtx<'tcx> { var.member(ARITH_OVERFLOW_RESULT_FIELD, &self.symbol_table).as_stmt(loc), ], ret_type, + loc, ) } @@ -238,7 +255,7 @@ impl<'tcx> GotocCtx<'tcx> { ], &self.symbol_table, ); - Expr::statement_expression(vec![decl, cast.as_stmt(loc)], expected_typ) + Expr::statement_expression(vec![decl, cast.as_stmt(loc)], expected_typ, loc) } /// Generate code for a binary arithmetic operation with UB / overflow checks in place. @@ -355,6 +372,7 @@ impl<'tcx> GotocCtx<'tcx> { Expr::statement_expression( vec![check, result.clone().as_stmt(loc)], result.typ().clone(), + loc, ) } BinOp::AddUnchecked | BinOp::MulUnchecked | BinOp::SubUnchecked => { @@ -368,6 +386,7 @@ impl<'tcx> GotocCtx<'tcx> { Expr::statement_expression( vec![check, result.clone().as_stmt(loc)], result.typ().clone(), + loc, ) } else { result @@ -376,7 +395,7 @@ impl<'tcx> GotocCtx<'tcx> { BinOp::BitXor | BinOp::BitAnd | BinOp::BitOr => { self.codegen_unchecked_scalar_binop(op, e1, e2) } - BinOp::Eq | BinOp::Lt | BinOp::Le | BinOp::Ne | BinOp::Ge | BinOp::Gt => { + BinOp::Eq | BinOp::Lt | BinOp::Le | BinOp::Ne | BinOp::Ge | BinOp::Gt | BinOp::Cmp => { let op_ty = self.operand_ty_stable(e1); if self.is_fat_pointer_stable(op_ty) { self.codegen_comparison_fat_ptr(op, e1, e2, loc) @@ -413,6 +432,7 @@ impl<'tcx> GotocCtx<'tcx> { Expr::statement_expression( vec![bytes_overflow_check, overflow_check, res.as_stmt(loc)], ce1.typ().clone(), + loc, ) } } @@ -550,12 +570,12 @@ impl<'tcx> GotocCtx<'tcx> { // 2- Initialize the members of the temporary variant. let initial_projection = ProjectedPlace::try_from_ty(temp_var.clone(), res_ty, self).unwrap(); - let variant_proj = self.codegen_variant_lvalue(initial_projection, variant_index); + let variant_proj = self.codegen_variant_lvalue(initial_projection, variant_index, loc); let variant_expr = variant_proj.goto_expr.clone(); let layout = self.layout_of_stable(res_ty); let fields = match &layout.variants { Variants::Single { index } => { - if *index != rustc_internal::internal(variant_index) { + if *index != rustc_internal::internal(self.tcx, variant_index) { // This may occur if all variants except for the one pointed by // index can never be constructed. Generic code might still try // to initialize the non-existing invariant. @@ -565,7 +585,7 @@ impl<'tcx> GotocCtx<'tcx> { &layout.fields } Variants::Multiple { variants, .. } => { - &variants[rustc_internal::internal(variant_index)].fields + &variants[rustc_internal::internal(self.tcx, variant_index)].fields } }; @@ -587,7 +607,7 @@ impl<'tcx> GotocCtx<'tcx> { stmts.push(set_discriminant); // 4- Return temporary variable. stmts.push(temp_var.as_stmt(loc)); - Expr::statement_expression(stmts, typ) + Expr::statement_expression(stmts, typ, loc) } fn codegen_rvalue_aggregate( @@ -659,6 +679,43 @@ impl<'tcx> GotocCtx<'tcx> { &self.symbol_table, ) } + AggregateKind::RawPtr(pointee_ty, _) => { + // We expect two operands: "data" and "meta" + assert!(operands.len() == 2); + let typ = self.codegen_ty_stable(res_ty); + let layout = self.layout_of_stable(res_ty); + assert!(layout.ty.is_unsafe_ptr()); + let data = self.codegen_operand_stable(&operands[0]); + match pointee_ty.kind() { + TyKind::RigidTy(RigidTy::Slice(inner_ty)) => { + let pointee_goto_typ = self.codegen_ty_stable(inner_ty); + // cast data to pointer with specified type + let data_cast = + data.cast_to(Type::Pointer { typ: Box::new(pointee_goto_typ) }); + let meta = self.codegen_operand_stable(&operands[1]); + slice_fat_ptr(typ, data_cast, meta, &self.symbol_table) + } + TyKind::RigidTy(RigidTy::Adt(..)) => { + let pointee_goto_typ = self.codegen_ty_stable(pointee_ty); + let data_cast = + data.cast_to(Type::Pointer { typ: Box::new(pointee_goto_typ) }); + let meta = self.codegen_operand_stable(&operands[1]); + if meta.typ().sizeof(&self.symbol_table) == 0 { + data_cast + } else { + let vtable_expr = + meta.member("_vtable_ptr", &self.symbol_table).cast_to( + typ.lookup_field_type("vtable", &self.symbol_table).unwrap(), + ); + dynamic_fat_ptr(typ, data_cast, vtable_expr, &self.symbol_table) + } + } + _ => { + let pointee_goto_typ = self.codegen_ty_stable(pointee_ty); + data.cast_to(Type::Pointer { typ: Box::new(pointee_goto_typ) }) + } + } + } AggregateKind::Coroutine(_, _, _) => self.codegen_rvalue_coroutine(&operands, res_ty), } } @@ -669,8 +726,23 @@ impl<'tcx> GotocCtx<'tcx> { match rv { Rvalue::Use(p) => self.codegen_operand_stable(p), Rvalue::Repeat(op, sz) => self.codegen_rvalue_repeat(op, sz, loc), - Rvalue::Ref(_, _, p) | Rvalue::AddressOf(_, p) => self.codegen_place_ref_stable(&p), - Rvalue::Len(p) => self.codegen_rvalue_len(p), + Rvalue::Ref(_, _, p) | Rvalue::AddressOf(_, p) => { + let place_ref = self.codegen_place_ref_stable(&p, loc); + if self.queries.args().ub_check.contains(&ExtraChecks::PtrToRefCast) { + let place_ref_type = place_ref.typ().clone(); + match self.codegen_raw_ptr_deref_validity_check(&p, &loc) { + Some(ptr_validity_check_expr) => Expr::statement_expression( + vec![ptr_validity_check_expr, place_ref.as_stmt(loc)], + place_ref_type, + loc, + ), + None => place_ref, + } + } else { + place_ref + } + } + Rvalue::Len(p) => self.codegen_rvalue_len(p, loc), // Rust has begun distinguishing "ptr -> num" and "num -> ptr" (providence-relevant casts) but we do not yet: // Should we? Tracking ticket: https://github.com/model-checking/kani/issues/1274 Rvalue::Cast( @@ -681,7 +753,7 @@ impl<'tcx> GotocCtx<'tcx> { | CastKind::FnPtrToPtr | CastKind::PtrToPtr | CastKind::PointerExposeAddress - | CastKind::PointerFromExposedAddress, + | CastKind::PointerWithExposedProvenance, e, t, ) => self.codegen_misc_cast(e, *t), @@ -712,16 +784,21 @@ impl<'tcx> GotocCtx<'tcx> { .with_size_of_annotation(self.codegen_ty_stable(*t)), NullOp::AlignOf => Expr::int_constant(layout.align.abi.bytes(), Type::size_t()), NullOp::OffsetOf(fields) => Expr::int_constant( - layout + self.tcx .offset_of_subfield( - self, + ParamEnv::reveal_all(), + layout, fields.iter().map(|(var_idx, field_idx)| { - (rustc_internal::internal(var_idx), (*field_idx).into()) + ( + rustc_internal::internal(self.tcx, var_idx), + (*field_idx).into(), + ) }), ) .bytes(), Type::size_t(), ), + NullOp::UbChecks => Expr::c_false(), } } Rvalue::ShallowInitBox(ref operand, content_ty) => { @@ -743,11 +820,58 @@ impl<'tcx> GotocCtx<'tcx> { } } UnOp::Neg => self.codegen_operand_stable(e).neg(), + UnOp::PtrMetadata => { + let src_goto_expr = self.codegen_operand_stable(e); + let dst_goto_typ = self.codegen_ty_stable(res_ty); + debug!( + "PtrMetadata |{:?}| with result type |{:?}|", + src_goto_expr, dst_goto_typ + ); + if let Some(_vtable_typ) = + src_goto_expr.typ().lookup_field_type("vtable", &self.symbol_table) + { + let vtable_expr = src_goto_expr.member("vtable", &self.symbol_table); + let dst_components = + dst_goto_typ.lookup_components(&self.symbol_table).unwrap(); + assert_eq!(dst_components.len(), 2); + assert_eq!(dst_components[0].name(), "_vtable_ptr"); + assert!(dst_components[0].typ().is_pointer()); + assert_eq!(dst_components[1].name(), "_phantom"); + self.assert_is_rust_phantom_data_like(&dst_components[1].typ()); + Expr::struct_expr( + dst_goto_typ, + btree_string_map![ + ("_vtable_ptr", vtable_expr.cast_to(dst_components[0].typ())), + ( + "_phantom", + Expr::struct_expr( + dst_components[1].typ(), + [].into(), + &self.symbol_table + ) + ) + ], + &self.symbol_table, + ) + } else if let Some(len_typ) = + src_goto_expr.typ().lookup_field_type("len", &self.symbol_table) + { + assert_eq!(len_typ, dst_goto_typ); + src_goto_expr.member("len", &self.symbol_table) + } else { + unreachable!( + "fat pointer with neither vtable nor len: {:?}", + src_goto_expr + ); + } + } }, Rvalue::Discriminant(p) => { - let place = - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(p)) - .goto_expr; + let place = unwrap_or_return_codegen_unimplemented!( + self, + self.codegen_place_stable(p, loc) + ) + .goto_expr; let pt = self.place_ty_stable(p); self.codegen_get_discriminant(place, pt, res_ty) } @@ -762,7 +886,7 @@ impl<'tcx> GotocCtx<'tcx> { // A CopyForDeref is equivalent to a read from a place at the codegen level. // https://github.com/rust-lang/rust/blob/1673f1450eeaf4a5452e086db0fe2ae274a0144f/compiler/rustc_middle/src/mir/syntax.rs#L1055 Rvalue::CopyForDeref(place) => { - unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place)) + unwrap_or_return_codegen_unimplemented!(self, self.codegen_place_stable(place, loc)) .goto_expr } } @@ -1013,7 +1137,7 @@ impl<'tcx> GotocCtx<'tcx> { let instance = Instance::resolve(def, &args).unwrap(); // We need to handle this case in a special way because `codegen_operand_stable` compiles FnDefs to dummy structs. // (cf. the function documentation) - self.codegen_func_expr(instance, None).address_of() + self.codegen_func_expr(instance, loc).address_of() } _ => unreachable!(), }, @@ -1024,7 +1148,7 @@ impl<'tcx> GotocCtx<'tcx> { { let instance = Instance::resolve_closure(def, &args, ClosureKind::FnOnce) .expect("failed to normalize and resolve closure during codegen"); - self.codegen_func_expr(instance, None).address_of() + self.codegen_func_expr(instance, loc).address_of() } else { unreachable!("{:?} cannot be cast to a fn ptr", operand) } @@ -1056,7 +1180,7 @@ impl<'tcx> GotocCtx<'tcx> { let src_goto_expr = self.codegen_operand_stable(operand); let src_mir_type = self.operand_ty_stable(operand); let dst_mir_type = t; - self.codegen_unsized_cast(src_goto_expr, src_mir_type, dst_mir_type) + self.codegen_unsized_cast(src_goto_expr, src_mir_type, dst_mir_type, loc) } } } @@ -1074,6 +1198,7 @@ impl<'tcx> GotocCtx<'tcx> { src_goto_expr: Expr, src_mir_type: Ty, dst_mir_type: Ty, + loc: Location, ) -> Expr { // The MIR may include casting that isn't necessary. Detect this early on and return the // expression for the RHS. @@ -1087,7 +1212,7 @@ impl<'tcx> GotocCtx<'tcx> { // Handle the leaf which should always be a pointer. let (ptr_cast_info, ptr_src_expr) = path.pop().unwrap(); - let initial_expr = self.codegen_cast_to_fat_pointer(ptr_src_expr, ptr_cast_info); + let initial_expr = self.codegen_cast_to_fat_pointer(ptr_src_expr, ptr_cast_info, loc); // Iterate from the back of the path initializing each struct that requires the coercion. // This code is required for handling smart pointers. @@ -1180,7 +1305,7 @@ impl<'tcx> GotocCtx<'tcx> { if self.vtable_ctx.emit_vtable_restrictions { // Add to the possible method names for this trait type self.vtable_ctx.add_possible_method( - self.normalized_trait_name(rustc_internal::internal(ty)).into(), + self.normalized_trait_name(rustc_internal::internal(self.tcx, ty)).into(), idx, fn_name.into(), ); @@ -1205,7 +1330,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate a function pointer to drop_in_place for entry into the vtable fn codegen_vtable_drop_in_place(&mut self, ty: Ty, trait_ty: Ty) -> Expr { - let trait_ty = rustc_internal::internal(trait_ty); + let trait_ty = rustc_internal::internal(self.tcx, trait_ty); let drop_instance = Instance::resolve_drop_in_place(ty); let drop_sym_name: InternedString = drop_instance.mangled_name().into(); @@ -1253,17 +1378,17 @@ impl<'tcx> GotocCtx<'tcx> { // Check the size are inserting in to the vtable against two sources of // truth: (1) the compile-time rustc sizeof functions, and (2) the CBMC // __CPROVER_OBJECT_SIZE function. - fn check_vtable_size(&mut self, operand_type: Ty, vt_size: Expr) -> Stmt { + fn check_vtable_size(&mut self, operand_type: Ty, vt_size: Expr, loc: Location) -> Stmt { // Check against the size we get from the layout from the what we // get constructing a value of that type - let ty: Type = self.codegen_ty_stable(operand_type); + let ty = self.codegen_ty_stable(operand_type); let codegen_size = ty.sizeof(&self.symbol_table); assert_eq!(vt_size.int_constant_value().unwrap(), BigInt::from(codegen_size)); // Insert a CBMC-time size check, roughly: // local_temp = nondet(); // assert(__CPROVER_OBJECT_SIZE(&local_temp) == vt_size); - let (temp_var, decl) = self.decl_temp_variable(ty.clone(), None, Location::none()); + let (temp_var, decl) = self.decl_temp_variable(ty.clone(), None, loc); let cbmc_size = if ty.is_empty() { // CBMC errors on passing a pointer to void to __CPROVER_OBJECT_SIZE. // In practice, we have seen this with the Never type, which has size 0: @@ -1279,11 +1404,11 @@ impl<'tcx> GotocCtx<'tcx> { let check = Expr::eq(cbmc_size, vt_size); let assert_msg = format!("Correct CBMC vtable size for {ty:?} (MIR type {:?})", operand_type.kind()); - let size_assert = self.codegen_sanity(check, &assert_msg, Location::none()); - Stmt::block(vec![decl, size_assert], Location::none()) + let size_assert = self.codegen_sanity(check, &assert_msg, loc); + Stmt::block(vec![decl, size_assert], loc) } - fn codegen_vtable(&mut self, src_mir_type: Ty, dst_mir_type: Ty) -> Expr { + fn codegen_vtable(&mut self, src_mir_type: Ty, dst_mir_type: Ty, loc: Location) -> Expr { let trait_type = match dst_mir_type.kind() { // DST is pointer type TyKind::RigidTy(RigidTy::Ref(_, pointee_type, ..)) => pointee_type, @@ -1296,7 +1421,7 @@ impl<'tcx> GotocCtx<'tcx> { _ => unreachable!("Cannot codegen_vtable for type {:?}", dst_mir_type.kind()), }; - let src_name = self.ty_mangled_name(rustc_internal::internal(src_mir_type)); + let src_name = self.ty_mangled_name(rustc_internal::internal(self.tcx, src_mir_type)); // The name needs to be the same as inserted in typ.rs let vtable_name = self.vtable_name_stable(trait_type).intern(); let vtable_impl_name = format!("{vtable_name}_impl_for_{src_name}"); @@ -1305,18 +1430,18 @@ impl<'tcx> GotocCtx<'tcx> { vtable_impl_name, true, Type::struct_tag(vtable_name), - Location::none(), + loc, |ctx, var| { // Build the vtable, using Rust's vtable_entries to determine field order let vtable_entries = if let Some(principal) = trait_type.kind().trait_principal() { let trait_ref_binder = principal.with_self_ty(src_mir_type); - ctx.tcx.vtable_entries(rustc_internal::internal(trait_ref_binder)) + ctx.tcx.vtable_entries(rustc_internal::internal(ctx.tcx, trait_ref_binder)) } else { TyCtxt::COMMON_VTABLE_ENTRIES }; let (vt_size, vt_align) = ctx.codegen_vtable_size_and_align(src_mir_type); - let size_assert = ctx.check_vtable_size(src_mir_type, vt_size.clone()); + let size_assert = ctx.check_vtable_size(src_mir_type, vt_size.clone(), loc); let vtable_fields: Vec = vtable_entries .iter() @@ -1344,8 +1469,8 @@ impl<'tcx> GotocCtx<'tcx> { vtable_fields, &ctx.symbol_table, ); - let body = var.assign(vtable, Location::none()); - let block = Stmt::block(vec![size_assert, body], Location::none()); + let body = var.assign(vtable, loc); + let block = Stmt::block(vec![size_assert, body], loc); Some(block) }, ) @@ -1359,6 +1484,7 @@ impl<'tcx> GotocCtx<'tcx> { &mut self, src_goto_expr: Expr, coerce_info: CoerceUnsizedInfo, + loc: Location, ) -> Expr { assert_ne!(coerce_info.src_ty.kind(), coerce_info.dst_ty.kind()); @@ -1382,7 +1508,7 @@ impl<'tcx> GotocCtx<'tcx> { ) => { // Cast to a slice fat pointer. assert_eq!(src_elt_type, dst_elt_type); - let dst_goto_len = self.codegen_const(&src_elt_count, None); + let dst_goto_len = self.codegen_const_ty(&src_elt_count, loc); let src_pointee_ty = pointee_type_stable(coerce_info.src_ty).unwrap(); let dst_data_expr = if src_pointee_ty.kind().is_array() { src_goto_expr.cast_to(self.codegen_ty_stable(src_elt_type).to_pointer()) @@ -1410,7 +1536,7 @@ impl<'tcx> GotocCtx<'tcx> { (_, TyKind::RigidTy(RigidTy::Dynamic(..))) => { // Generate the data and vtable pointer that will be stored in the fat pointer. let dst_data_expr = src_goto_expr.cast_to(dst_data_type); - let vtable = self.codegen_vtable(metadata_src_type, metadata_dst_type); + let vtable = self.codegen_vtable(metadata_src_type, metadata_dst_type, loc); let vtable_expr = vtable.address_of(); dynamic_fat_ptr(fat_ptr_type, dst_data_expr, vtable_expr, &self.symbol_table) } @@ -1419,6 +1545,65 @@ impl<'tcx> GotocCtx<'tcx> { } } } + + fn comparison_expr( + &mut self, + op: &BinOp, + left: Expr, + right: Expr, + res_ty: Ty, + is_float: bool, + ) -> Expr { + match op { + BinOp::Eq => { + if is_float { + left.feq(right) + } else { + left.eq(right) + } + } + BinOp::Lt => left.lt(right), + BinOp::Le => left.le(right), + BinOp::Ne => { + if is_float { + left.fneq(right) + } else { + left.neq(right) + } + } + BinOp::Ge => left.ge(right), + BinOp::Gt => left.gt(right), + BinOp::Cmp => { + // Implement https://doc.rust-lang.org/core/cmp/trait.Ord.html as done in cranelift, + // i.e., (left > right) - (left < right) + // Return value is the Ordering enumeration: + // ``` + // #[repr(i8)] + // pub enum Ordering { + // Less = -1, + // Equal = 0, + // Greater = 1, + // } + // ``` + let res_typ = self.codegen_ty_stable(res_ty); + let ValueAbi::Scalar(Scalar::Initialized { value, valid_range }) = + res_ty.layout().unwrap().shape().abi + else { + unreachable!("Unexpected layout") + }; + assert_eq!(valid_range.start, -1i8 as u8 as u128); + assert_eq!(valid_range.end, 1); + let Primitive::Int { length, signed: true } = value else { unreachable!() }; + let scalar_typ = Type::signed_int(length.bits()); + left.clone() + .gt(right.clone()) + .cast_to(scalar_typ.clone()) + .sub(left.lt(right).cast_to(scalar_typ)) + .transmute_to(res_typ, &self.symbol_table) + } + _ => unreachable!(), + } + } } /// Perform a wrapping subtraction of an Expr with a constant "expr - constant" @@ -1441,30 +1626,6 @@ fn wrapping_sub(expr: &Expr, constant: u64) -> Expr { } } -fn comparison_expr(op: &BinOp, left: Expr, right: Expr, is_float: bool) -> Expr { - match op { - BinOp::Eq => { - if is_float { - left.feq(right) - } else { - left.eq(right) - } - } - BinOp::Lt => left.lt(right), - BinOp::Le => left.le(right), - BinOp::Ne => { - if is_float { - left.fneq(right) - } else { - left.neq(right) - } - } - BinOp::Ge => left.ge(right), - BinOp::Gt => left.gt(right), - _ => unreachable!(), - } -} - /// Remove the equality from an operator. Translates `<=` to `<` and `>=` to `>` fn get_strict_operator(op: &BinOp) -> BinOp { match op { diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs index c06d64d298c4..aadb4fbebed9 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/span.rs @@ -26,12 +26,8 @@ impl<'tcx> GotocCtx<'tcx> { ) } - pub fn codegen_span_option_stable(&self, sp: Option) -> Location { - sp.map_or(Location::none(), |span| self.codegen_span_stable(span)) - } - pub fn codegen_caller_span_stable(&self, sp: SpanStable) -> Location { - self.codegen_caller_span(&rustc_internal::internal(sp)) + self.codegen_caller_span(&rustc_internal::internal(self.tcx, sp)) } /// Get the location of the caller. This will attempt to reach the macro caller. diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs index e7b7ee5a376a..c606ae13d095 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/statement.rs @@ -7,14 +7,16 @@ use crate::codegen_cprover_gotoc::{GotocCtx, VtableCtx}; use crate::unwrap_or_return_codegen_unimplemented_stmt; use cbmc::goto_program::{Expr, Location, Stmt, Type}; use rustc_middle::ty::layout::LayoutOf; +use rustc_middle::ty::{List, ParamEnv}; use rustc_smir::rustc_internal; use rustc_target::abi::{FieldsShape, Primitive, TagEncoding, Variants}; +use stable_mir::abi::{ArgAbi, FnAbi, PassMode}; use stable_mir::mir::mono::{Instance, InstanceKind}; use stable_mir::mir::{ AssertMessage, BasicBlockIdx, CopyNonOverlapping, NonDivergingIntrinsic, Operand, Place, Statement, StatementKind, SwitchTargets, Terminator, TerminatorKind, RETURN_LOCAL, }; -use stable_mir::ty::{RigidTy, Span, Ty, TyKind, VariantIdx}; +use stable_mir::ty::{Abi, RigidTy, Span, Ty, TyKind, VariantIdx}; use tracing::{debug, debug_span, trace}; impl<'tcx> GotocCtx<'tcx> { @@ -40,14 +42,14 @@ impl<'tcx> GotocCtx<'tcx> { // where the reference is implicit. unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(lhs) + self.codegen_place_stable(lhs, location) ) .goto_expr .assign(self.codegen_rvalue_stable(rhs, location).address_of(), location) } else if rty.kind().is_bool() { unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(lhs) + self.codegen_place_stable(lhs, location) ) .goto_expr .assign( @@ -57,7 +59,7 @@ impl<'tcx> GotocCtx<'tcx> { } else { unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(lhs) + self.codegen_place_stable(lhs, location) ) .goto_expr .assign(self.codegen_rvalue_stable(rhs, location), location) @@ -68,13 +70,25 @@ impl<'tcx> GotocCtx<'tcx> { let dest_ty = self.place_ty_stable(place); let dest_expr = unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(place) + self.codegen_place_stable(place, location) ) .goto_expr; self.codegen_set_discriminant(dest_ty, dest_expr, *variant_index, location) } - StatementKind::StorageLive(_) => Stmt::skip(location), // TODO: fix me - StatementKind::StorageDead(_) => Stmt::skip(location), // TODO: fix me + StatementKind::StorageLive(var_id) => { + if self.queries.args().ignore_storage_markers { + Stmt::skip(location) + } else { + Stmt::decl(self.codegen_local(*var_id, location), None, location) + } + } + StatementKind::StorageDead(var_id) => { + if self.queries.args().ignore_storage_markers { + Stmt::skip(location) + } else { + Stmt::dead(self.codegen_local(*var_id, location), location) + } + } StatementKind::Intrinsic(NonDivergingIntrinsic::CopyNonOverlapping( CopyNonOverlapping { src, dst, count }, )) => { @@ -135,17 +149,18 @@ impl<'tcx> GotocCtx<'tcx> { "https://github.com/model-checking/kani/issues/692", ), TerminatorKind::Return => { - let rty = self.current_fn().sig().output(); + let rty = self.current_fn().instance_stable().fn_abi().unwrap().ret.ty; if rty.kind().is_unit() { - self.codegen_ret_unit() + self.codegen_ret_unit(loc) } else { let place = Place::from(RETURN_LOCAL); let place_expr = unwrap_or_return_codegen_unimplemented_stmt!( self, - self.codegen_place_stable(&place) + self.codegen_place_stable(&place, loc) ) .goto_expr; - if self.place_ty_stable(&place).kind().is_bool() { + assert_eq!(rty, self.place_ty_stable(&place), "Unexpected return type"); + if rty.kind().is_bool() { place_expr.cast_to(Type::c_bool()).ret(loc) } else { place_expr.ret(loc) @@ -219,8 +234,8 @@ impl<'tcx> GotocCtx<'tcx> { location: Location, ) -> Stmt { // this requires place points to an enum type. - let dest_ty_internal = rustc_internal::internal(dest_ty); - let variant_index_internal = rustc_internal::internal(variant_index); + let dest_ty_internal = rustc_internal::internal(self.tcx, dest_ty); + let variant_index_internal = rustc_internal::internal(self.tcx, variant_index); let layout = self.layout_of(dest_ty_internal); match &layout.variants { Variants::Single { .. } => Stmt::skip(location), @@ -289,24 +304,22 @@ impl<'tcx> GotocCtx<'tcx> { // We ignore assignment for all zero size types Stmt::skip(loc) } else { - unwrap_or_return_codegen_unimplemented_stmt!(self, self.codegen_place_stable(place)) - .goto_expr - .deinit(loc) + unwrap_or_return_codegen_unimplemented_stmt!( + self, + self.codegen_place_stable(place, loc) + ) + .goto_expr + .deinit(loc) } } /// A special case handler to codegen `return ();` - fn codegen_ret_unit(&mut self) -> Stmt { + fn codegen_ret_unit(&mut self, loc: Location) -> Stmt { let is_file_local = false; let ty = self.codegen_ty_unit(); - let var = self.ensure_global_var( - FN_RETURN_VOID_VAR_NAME, - is_file_local, - ty, - Location::none(), - |_, _| None, - ); - Stmt::ret(Some(var), Location::none()) + let var = + self.ensure_global_var(FN_RETURN_VOID_VAR_NAME, is_file_local, ty, loc, |_, _| None); + Stmt::ret(Some(var), loc) } /// Generates Goto-C for MIR [TerminatorKind::Drop] calls. We only handle code _after_ Rust's "drop elaboration" @@ -327,7 +340,8 @@ impl<'tcx> GotocCtx<'tcx> { Stmt::skip(loc) } InstanceKind::Shim => { - let place_ref = self.codegen_place_ref_stable(place); + // Since the reference is used right away here, no need to inject a check for pointer validity. + let place_ref = self.codegen_place_ref_stable(place, loc); match place_ty.kind() { TyKind::RigidTy(RigidTy::Dynamic(..)) => { // Virtual drop via a vtable lookup. @@ -353,7 +367,7 @@ impl<'tcx> GotocCtx<'tcx> { // Non-virtual, direct drop_in_place call assert!(!matches!(drop_instance.kind, InstanceKind::Virtual { .. })); - let func = self.codegen_func_expr(drop_instance, None); + let func = self.codegen_func_expr(drop_instance, loc); // The only argument should be a self reference let args = vec![place_ref]; @@ -431,31 +445,21 @@ impl<'tcx> GotocCtx<'tcx> { /// as subsequent parameters. /// /// See [GotocCtx::ty_needs_untupled_args] for more details. - fn codegen_untupled_args( - &mut self, - instance: Instance, - fargs: &mut Vec, - last_mir_arg: Option<&Operand>, - ) { - debug!("codegen_untuple_closure_args instance: {:?}, fargs {:?}", instance.name(), fargs); - if !fargs.is_empty() { - let tuple_ty = self.operand_ty_stable(last_mir_arg.unwrap()); - if self.is_zst_stable(tuple_ty) { - // Don't pass anything if all tuple elements are ZST. - // ZST arguments are ignored. - return; - } - let tupe = fargs.remove(fargs.len() - 1); - if let TyKind::RigidTy(RigidTy::Tuple(tupled_args)) = tuple_ty.kind() { - for (idx, arg_ty) in tupled_args.iter().enumerate() { - if !self.is_zst_stable(*arg_ty) { - // Access the tupled parameters through the `member` operation - let idx_expr = tupe.clone().member(&idx.to_string(), &self.symbol_table); - fargs.push(idx_expr); - } - } - } - } + fn codegen_untupled_args(&mut self, op: &Operand, args_abi: &[ArgAbi]) -> Vec { + let tuple_ty = self.operand_ty_stable(op); + let tuple_expr = self.codegen_operand_stable(op); + let TyKind::RigidTy(RigidTy::Tuple(tupled_args)) = tuple_ty.kind() else { unreachable!() }; + tupled_args + .iter() + .enumerate() + .filter_map(|(idx, _)| { + let arg_abi = &args_abi[idx]; + (arg_abi.mode != PassMode::Ignore).then(|| { + // Access the tupled parameters through the `member` operation + tuple_expr.clone().member(idx.to_string(), &self.symbol_table) + }) + }) + .collect() } /// Because function calls terminate basic blocks, to "end" a function call, we @@ -471,25 +475,24 @@ impl<'tcx> GotocCtx<'tcx> { /// Generate Goto-C for each argument to a function call. /// /// N.B. public only because instrinsics use this directly, too. - /// When `skip_zst` is set to `true`, the return value will not include any argument that is ZST. - /// This is used because we ignore ZST arguments, except for intrinsics. - pub(crate) fn codegen_funcall_args(&mut self, args: &[Operand], skip_zst: bool) -> Vec { - let fargs = args + pub(crate) fn codegen_funcall_args(&mut self, fn_abi: &FnAbi, args: &[Operand]) -> Vec { + let fargs: Vec = args .iter() - .filter_map(|op| { - let op_ty = self.operand_ty_stable(op); - if op_ty.kind().is_bool() { + .enumerate() + .filter_map(|(i, op)| { + // Functions that require caller info will have an extra parameter. + let arg_abi = &fn_abi.args.get(i); + let ty = self.operand_ty_stable(op); + if ty.kind().is_bool() { Some(self.codegen_operand_stable(op).cast_to(Type::c_bool())) - } else if !self.is_zst_stable(op_ty) || !skip_zst { + } else if arg_abi.map_or(true, |abi| abi.mode != PassMode::Ignore) { Some(self.codegen_operand_stable(op)) } else { - // We ignore ZST types. - debug!(arg=?op, "codegen_funcall_args ignore"); None } }) .collect(); - debug!(?fargs, "codegen_funcall_args"); + debug!(?fargs, args_abi=?fn_abi.args, "codegen_funcall_args"); fargs } @@ -514,27 +517,45 @@ impl<'tcx> GotocCtx<'tcx> { span: Span, ) -> Stmt { debug!(?func, ?args, ?destination, ?span, "codegen_funcall"); - if self.is_intrinsic(&func) { - return self.codegen_funcall_of_intrinsic( - &func, - &args, - &destination, - target.map(|bb| bb), - span, - ); + let instance_opt = self.get_instance(func); + if let Some(instance) = instance_opt + && matches!(instance.kind, InstanceKind::Intrinsic) + { + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = instance.ty().kind() else { + unreachable!("Expected function type for intrinsic: {instance:?}") + }; + // The compiler is currently transitioning how to handle intrinsic fallback body. + // Until https://github.com/rust-lang/project-stable-mir/issues/79 is implemented + // we have to check `must_be_overridden` and `has_body`. + if def.as_intrinsic().unwrap().must_be_overridden() || !instance.has_body() { + return self.codegen_funcall_of_intrinsic( + instance, + &args, + &destination, + target.map(|bb| bb), + span, + ); + } } let loc = self.codegen_span_stable(span); - let funct = self.operand_ty_stable(func); - let mut fargs = self.codegen_funcall_args(&args, true); - match funct.kind() { - TyKind::RigidTy(RigidTy::FnDef(def, subst)) => { - let instance = Instance::resolve(def, &subst).unwrap(); - - // TODO(celina): Move this check to be inside codegen_funcall_args. - if self.ty_needs_untupled_args(rustc_internal::internal(funct)) { - self.codegen_untupled_args(instance, &mut fargs, args.last()); - } + let fn_ty = self.operand_ty_stable(func); + match fn_ty.kind() { + fn_def @ TyKind::RigidTy(RigidTy::FnDef(..)) => { + let instance = instance_opt.unwrap(); + let fn_abi = instance.fn_abi().unwrap(); + let mut fargs = if args.is_empty() + || fn_def.fn_sig().unwrap().value.abi != Abi::RustCall + { + self.codegen_funcall_args(&fn_abi, &args) + } else { + let (untupled, first_args) = args.split_last().unwrap(); + let mut fargs = self.codegen_funcall_args(&fn_abi, &first_args); + fargs.append( + &mut self.codegen_untupled_args(untupled, &fn_abi.args[first_args.len()..]), + ); + fargs + }; if let Some(hk) = self.hooks.hook_applies(self.tcx, instance) { return hk.handle(self, instance, fargs, destination, *target, span); @@ -554,24 +575,37 @@ impl<'tcx> GotocCtx<'tcx> { InstanceKind::Item | InstanceKind::Intrinsic | InstanceKind::Shim => { // We need to handle FnDef items in a special way because `codegen_operand` compiles them to dummy structs. // (cf. the function documentation) - let func_exp = self.codegen_func_expr(instance, None); - vec![ - self.codegen_expr_to_place_stable(destination, func_exp.call(fargs)) - .with_location(loc), - ] + let func_exp = self.codegen_func_expr(instance, loc); + if instance.is_foreign_item() { + vec![self.codegen_foreign_call(func_exp, fargs, destination, loc)] + } else { + vec![self.codegen_expr_to_place_stable( + destination, + func_exp.call(fargs), + loc, + )] + } } }; stmts.push(self.codegen_end_call(*target, loc)); Stmt::block(stmts, loc) } // Function call through a pointer - TyKind::RigidTy(RigidTy::FnPtr(_)) => { + TyKind::RigidTy(RigidTy::FnPtr(fn_sig)) => { + let fn_sig_internal = rustc_internal::internal(self.tcx, fn_sig); + let fn_ptr_abi = rustc_internal::stable( + self.tcx + .fn_abi_of_fn_ptr( + ParamEnv::reveal_all().and((fn_sig_internal, &List::empty())), + ) + .unwrap(), + ); + let fargs = self.codegen_funcall_args(&fn_ptr_abi, &args); let func_expr = self.codegen_operand_stable(func).dereference(); // Actually generate the function call and return. Stmt::block( vec![ - self.codegen_expr_to_place_stable(destination, func_expr.call(fargs)) - .with_location(loc), + self.codegen_expr_to_place_stable(destination, func_expr.call(fargs), loc), Stmt::goto(bb_label(target.unwrap()), loc), ], loc, @@ -587,7 +621,7 @@ impl<'tcx> GotocCtx<'tcx> { fn extract_ptr(&self, arg_expr: Expr, arg_ty: Ty) -> Expr { // Generate an expression that indexes the pointer. let expr = self - .receiver_data_path(rustc_internal::internal(arg_ty)) + .receiver_data_path(rustc_internal::internal(self.tcx, arg_ty)) .fold(arg_expr, |curr_expr, (name, _)| curr_expr.member(name, &self.symbol_table)); trace!(?arg_ty, gotoc_ty=?expr.typ(), gotoc_expr=?expr.value(), "extract_ptr"); @@ -668,7 +702,7 @@ impl<'tcx> GotocCtx<'tcx> { // Virtual function call and corresponding nonnull assertion. let call = fn_ptr.dereference().call(fargs.to_vec()); - let call_stmt = self.codegen_expr_to_place_stable(place, call).with_location(loc); + let call_stmt = self.codegen_expr_to_place_stable(place, call, loc); let call_stmt = if self.vtable_ctx.emit_vtable_restrictions { self.virtual_call_with_restricted_fn_ptr(trait_fat_ptr.typ().clone(), idx, call_stmt) } else { @@ -683,13 +717,21 @@ impl<'tcx> GotocCtx<'tcx> { /// A MIR [Place] is an L-value (i.e. the LHS of an assignment). /// /// In Kani, we slightly optimize the special case for Unit and don't assign anything. - pub(crate) fn codegen_expr_to_place_stable(&mut self, place: &Place, expr: Expr) -> Stmt { + pub(crate) fn codegen_expr_to_place_stable( + &mut self, + place: &Place, + expr: Expr, + loc: Location, + ) -> Stmt { if self.place_ty_stable(place).kind().is_unit() { - expr.as_stmt(Location::none()) + expr.as_stmt(loc) } else { - unwrap_or_return_codegen_unimplemented_stmt!(self, self.codegen_place_stable(place)) - .goto_expr - .assign(expr, Location::none()) + unwrap_or_return_codegen_unimplemented_stmt!( + self, + self.codegen_place_stable(place, loc) + ) + .goto_expr + .assign(expr, loc) } } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs index cf4c6173637b..e05da3f7f622 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/static_var.rs @@ -19,7 +19,7 @@ impl<'tcx> GotocCtx<'tcx> { debug!("codegen_static"); let alloc = def.eval_initializer().unwrap(); let symbol_name = Instance::from(def).mangled_name(); - self.codegen_alloc_in_memory(alloc, symbol_name); + self.codegen_alloc_in_memory(alloc, symbol_name, self.codegen_span_stable(def.span())); } /// Mutates the Goto-C symbol table to add a forward-declaration of the static variable. @@ -33,6 +33,10 @@ impl<'tcx> GotocCtx<'tcx> { let typ = self.codegen_ty_stable(instance.ty()); let location = self.codegen_span_stable(def.span()); + // Contracts instrumentation relies on `--nondet-static-exclude` to properly + // havoc static variables. Kani uses the location and pretty name to identify + // the correct variables. If the wrong name is used, CBMC may fail silently. + // More details at https://github.com/diffblue/cbmc/issues/8225. let symbol = Symbol::static_variable(symbol_name.clone(), symbol_name, typ, location) .with_is_hidden(false) // Static items are always user defined. .with_pretty_name(pretty_name); diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs index 2213676d5a63..7ba2ff9c53c8 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/ty_stable.rs @@ -9,7 +9,6 @@ use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::Type; use rustc_middle::ty::layout::{LayoutOf, TyAndLayout}; -use rustc_middle::ty::{self}; use rustc_smir::rustc_internal; use stable_mir::mir::mono::Instance; use stable_mir::mir::{Local, Operand, Place, Rvalue}; @@ -21,11 +20,11 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn codegen_ty_stable(&mut self, ty: Ty) -> Type { - self.codegen_ty(rustc_internal::internal(ty)) + self.codegen_ty(rustc_internal::internal(self.tcx, ty)) } pub fn codegen_ty_ref_stable(&mut self, ty: Ty) -> Type { - self.codegen_ty_ref(rustc_internal::internal(ty)) + self.codegen_ty_ref(rustc_internal::internal(self.tcx, ty)) } pub fn local_ty_stable(&self, local: Local) -> Ty { @@ -37,11 +36,11 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn is_zst_stable(&self, ty: Ty) -> bool { - self.is_zst(rustc_internal::internal(ty)) + self.is_zst(rustc_internal::internal(self.tcx, ty)) } pub fn layout_of_stable(&self, ty: Ty) -> TyAndLayout<'tcx> { - self.layout_of(rustc_internal::internal(ty)) + self.layout_of(rustc_internal::internal(self.tcx, ty)) } pub fn codegen_fndef_type_stable(&mut self, instance: Instance) -> Type { @@ -53,35 +52,28 @@ impl<'tcx> GotocCtx<'tcx> { ) } - pub fn fn_sig_of_instance_stable(&self, instance: Instance) -> FnSig { - let fn_sig = self.fn_sig_of_instance(rustc_internal::internal(instance)); - let fn_sig = - self.tcx.normalize_erasing_late_bound_regions(ty::ParamEnv::reveal_all(), fn_sig); - rustc_internal::stable(fn_sig) - } - pub fn use_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.use_fat_pointer(rustc_internal::internal(pointer_ty)) + self.use_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn use_thin_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.use_thin_pointer(rustc_internal::internal(pointer_ty)) + self.use_thin_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn is_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.is_fat_pointer(rustc_internal::internal(pointer_ty)) + self.is_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn is_vtable_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.is_vtable_fat_pointer(rustc_internal::internal(pointer_ty)) + self.is_vtable_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn use_vtable_fat_pointer_stable(&self, pointer_ty: Ty) -> bool { - self.use_vtable_fat_pointer(rustc_internal::internal(pointer_ty)) + self.use_vtable_fat_pointer(rustc_internal::internal(self.tcx, pointer_ty)) } pub fn vtable_name_stable(&self, ty: Ty) -> String { - self.vtable_name(rustc_internal::internal(ty)) + self.vtable_name(rustc_internal::internal(self.tcx, ty)) } pub fn rvalue_ty_stable(&self, rvalue: &Rvalue) -> Ty { @@ -89,12 +81,12 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn simd_size_and_type(&self, ty: Ty) -> (u64, Ty) { - let (sz, ty) = rustc_internal::internal(ty).simd_size_and_type(self.tcx); + let (sz, ty) = rustc_internal::internal(self.tcx, ty).simd_size_and_type(self.tcx); (sz, rustc_internal::stable(ty)) } pub fn codegen_enum_discr_typ_stable(&self, ty: Ty) -> Ty { - rustc_internal::stable(self.codegen_enum_discr_typ(rustc_internal::internal(ty))) + rustc_internal::stable(self.codegen_enum_discr_typ(rustc_internal::internal(self.tcx, ty))) } pub fn codegen_function_sig_stable(&mut self, sig: FnSig) -> Type { @@ -115,6 +107,19 @@ impl<'tcx> GotocCtx<'tcx> { Type::code_with_unnamed_parameters(params, self.codegen_ty_stable(sig.output())) } } + + /// Convert a type into a user readable type representation. + /// + /// This should be replaced by StableMIR `pretty_ty()` after + /// is merged. + pub fn pretty_ty(&self, ty: Ty) -> String { + rustc_internal::internal(self.tcx, ty).to_string() + } + + pub fn requires_caller_location(&self, instance: Instance) -> bool { + let instance_internal = rustc_internal::internal(self.tcx, instance); + instance_internal.def.requires_caller_location(self.tcx) + } } /// If given type is a Ref / Raw ref, return the pointee type. pub fn pointee_type(mir_type: Ty) -> Option { @@ -125,14 +130,6 @@ pub fn pointee_type(mir_type: Ty) -> Option { } } -/// Convert a type into a user readable type representation. -/// -/// This should be replaced by StableMIR `pretty_ty()` after -/// is merged. -pub fn pretty_ty(ty: Ty) -> String { - rustc_internal::internal(ty).to_string() -} - pub fn pointee_type_stable(ty: Ty) -> Option { match ty.kind() { TyKind::RigidTy(RigidTy::Ref(_, pointee_ty, _)) diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs index 7694feb0dbbf..6d00bda5bce4 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/codegen/typ.rs @@ -1,31 +1,29 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::codegen_cprover_gotoc::GotocCtx; -use cbmc::btree_map; use cbmc::goto_program::{DatatypeComponent, Expr, Location, Parameter, Symbol, SymbolTable, Type}; use cbmc::utils::aggr_tag; use cbmc::{InternString, InternedString}; use rustc_ast::ast::Mutability; -use rustc_hir::{LangItem, Unsafety}; use rustc_index::IndexVec; use rustc_middle::ty::layout::LayoutOf; use rustc_middle::ty::print::with_no_trimmed_paths; use rustc_middle::ty::print::FmtPrinter; use rustc_middle::ty::GenericArgsRef; use rustc_middle::ty::{ - self, AdtDef, Const, CoroutineArgs, FloatTy, Instance, IntTy, PolyFnSig, Ty, TyCtxt, TyKind, - UintTy, VariantDef, VtblEntry, + self, AdtDef, Const, CoroutineArgs, CoroutineArgsExt, FloatTy, Instance, IntTy, PolyFnSig, Ty, + TyCtxt, TyKind, UintTy, VariantDef, VtblEntry, }; use rustc_middle::ty::{List, TypeFoldable}; use rustc_smir::rustc_internal; use rustc_span::def_id::DefId; use rustc_target::abi::{ - Abi::Vector, FieldIdx, FieldsShape, Integer, LayoutS, Primitive, Size, TagEncoding, + Abi::Vector, FieldIdx, FieldsShape, Float, Integer, LayoutS, Primitive, Size, TagEncoding, TyAndLayout, VariantIdx, Variants, }; -use rustc_target::spec::abi::Abi; +use stable_mir::abi::{ArgAbi, FnAbi, PassMode}; +use stable_mir::mir::mono::Instance as InstanceStable; use stable_mir::mir::Body; -use std::iter; use tracing::{debug, trace, warn}; /// Map the unit type to an empty struct @@ -51,8 +49,6 @@ pub trait TypeExt { fn is_rust_fat_ptr(&self, st: &SymbolTable) -> bool; fn is_rust_slice_fat_ptr(&self, st: &SymbolTable) -> bool; fn is_rust_trait_fat_ptr(&self, st: &SymbolTable) -> bool; - fn is_unit(&self) -> bool; - fn is_unit_pointer(&self) -> bool; fn unit() -> Self; } @@ -77,7 +73,7 @@ impl TypeExt for Type { && components.iter().any(|x| x.name() == "vtable" && x.typ().is_pointer()) } Type::StructTag(tag) => { - st.lookup(&tag.to_string()).unwrap().typ.is_rust_trait_fat_ptr(st) + st.lookup(tag.to_string()).unwrap().typ.is_rust_trait_fat_ptr(st) } _ => false, } @@ -92,42 +88,6 @@ impl TypeExt for Type { // We don't have access to the symbol table here to do it ourselves. Type::struct_tag(UNIT_TYPE_EMPTY_STRUCT_NAME) } - - fn is_unit(&self) -> bool { - match self { - Type::StructTag(name) => *name == aggr_tag(UNIT_TYPE_EMPTY_STRUCT_NAME), - _ => false, - } - } - - fn is_unit_pointer(&self) -> bool { - match self { - Type::Pointer { typ } => typ.is_unit(), - _ => false, - } - } -} - -trait ExprExt { - fn unit(symbol_table: &SymbolTable) -> Self; - - fn is_unit(&self) -> bool; - - fn is_unit_pointer(&self) -> bool; -} - -impl ExprExt for Expr { - fn unit(symbol_table: &SymbolTable) -> Self { - Expr::struct_expr(Type::unit(), btree_map![], symbol_table) - } - - fn is_unit(&self) -> bool { - self.typ().is_unit() - } - - fn is_unit_pointer(&self) -> bool { - self.typ().is_unit_pointer() - } } /// Function signatures @@ -256,169 +216,6 @@ impl<'tcx> GotocCtx<'tcx> { debug_write_type(self, ty, &mut out, 0).unwrap(); out } - - /// Function shims and closures expect their last arg untupled at call site, see comment at - /// ty_needs_untupled_args. - fn sig_with_untupled_args(&self, sig: ty::PolyFnSig<'tcx>) -> ty::PolyFnSig<'tcx> { - debug!("sig_with_closure_untupled sig: {:?}", sig); - let fn_sig = sig.skip_binder(); - if let Some((tupe, prev_args)) = fn_sig.inputs().split_last() { - let args = match *tupe.kind() { - ty::Tuple(args) => args, - _ => unreachable!("the final argument of a closure must be a tuple"), - }; - - // The leading argument should be exactly the environment - assert!(prev_args.len() == 1); - let env = prev_args[0]; - - // Recombine arguments: environment first, then the flattened tuple elements - let recombined_args = iter::once(env).chain(args); - - return ty::Binder::bind_with_vars( - self.tcx.mk_fn_sig( - recombined_args, - fn_sig.output(), - fn_sig.c_variadic, - fn_sig.unsafety, - fn_sig.abi, - ), - sig.bound_vars(), - ); - } - sig - } - - fn closure_sig(&self, def_id: DefId, args: ty::GenericArgsRef<'tcx>) -> ty::PolyFnSig<'tcx> { - let sig = self.monomorphize(args.as_closure().sig()); - - // In addition to `def_id` and `args`, we need to provide the kind of region `env_region` - // in `closure_env_ty`, which we can build from the bound variables as follows - let bound_vars = self.tcx.mk_bound_variable_kinds_from_iter( - sig.bound_vars().iter().chain(iter::once(ty::BoundVariableKind::Region(ty::BrEnv))), - ); - let br = ty::BoundRegion { - var: ty::BoundVar::from_usize(bound_vars.len() - 1), - kind: ty::BoundRegionKind::BrEnv, - }; - let env_region = ty::Region::new_bound(self.tcx, ty::INNERMOST, br); - let env_ty = self.tcx.closure_env_ty( - Ty::new_closure(self.tcx, def_id, args), - args.as_closure().kind(), - env_region, - ); - - let sig = sig.skip_binder(); - - // We build a binder from `sig` where: - // * `inputs` contains a sequence with the closure and parameter types - // * the rest of attributes are obtained from `sig` - let sig = ty::Binder::bind_with_vars( - self.tcx.mk_fn_sig( - [env_ty, sig.inputs()[0]], - sig.output(), - sig.c_variadic, - sig.unsafety, - sig.abi, - ), - bound_vars, - ); - - // The parameter types are tupled, but we want to have them in a vector - self.sig_with_untupled_args(sig) - } - - // Adapted from `fn_sig_for_fn_abi` in - // https://github.com/rust-lang/rust/blob/739d68a76e35b22341d9930bb6338bf202ba05ba/compiler/rustc_ty_utils/src/abi.rs#L88 - // Code duplication tracked here: https://github.com/model-checking/kani/issues/1365 - fn coroutine_sig( - &self, - did: &DefId, - ty: Ty<'tcx>, - args: ty::GenericArgsRef<'tcx>, - ) -> ty::PolyFnSig<'tcx> { - let sig = args.as_coroutine().sig(); - - let bound_vars = self.tcx.mk_bound_variable_kinds_from_iter(iter::once( - ty::BoundVariableKind::Region(ty::BrEnv), - )); - let br = ty::BoundRegion { - var: ty::BoundVar::from_usize(bound_vars.len() - 1), - kind: ty::BoundRegionKind::BrEnv, - }; - let env_region = ty::ReBound(ty::INNERMOST, br); - let env_ty = Ty::new_mut_ref(self.tcx, ty::Region::new_from_kind(self.tcx, env_region), ty); - - let pin_did = self.tcx.require_lang_item(LangItem::Pin, None); - let pin_adt_ref = self.tcx.adt_def(pin_did); - let pin_args = self.tcx.mk_args(&[env_ty.into()]); - let env_ty = Ty::new_adt(self.tcx, pin_adt_ref, pin_args); - - // The `FnSig` and the `ret_ty` here is for a coroutines main - // `coroutine::resume(...) -> CoroutineState` function in case we - // have an ordinary coroutine, or the `Future::poll(...) -> Poll` - // function in case this is a special coroutine backing an async construct. - let tcx = self.tcx; - let (resume_ty, ret_ty) = if tcx.coroutine_is_async(*did) { - // The signature should be `Future::poll(_, &mut Context<'_>) -> Poll` - let poll_did = tcx.require_lang_item(LangItem::Poll, None); - let poll_adt_ref = tcx.adt_def(poll_did); - let poll_args = tcx.mk_args(&[sig.return_ty.into()]); - // TODO figure out where this one went - let ret_ty = Ty::new_adt(tcx, poll_adt_ref, poll_args); - - // We have to replace the `ResumeTy` that is used for type and borrow checking - // with `&mut Context<'_>` which is used in codegen. - #[cfg(debug_assertions)] - { - if let ty::Adt(resume_ty_adt, _) = sig.resume_ty.kind() { - let expected_adt = tcx.adt_def(tcx.require_lang_item(LangItem::ResumeTy, None)); - assert_eq!(*resume_ty_adt, expected_adt); - } else { - panic!("expected `ResumeTy`, found `{:?}`", sig.resume_ty); - }; - } - let context_mut_ref = Ty::new_task_context(tcx); - - (context_mut_ref, ret_ty) - } else { - // The signature should be `Coroutine::resume(_, Resume) -> CoroutineState` - let state_did = tcx.require_lang_item(LangItem::CoroutineState, None); - let state_adt_ref = tcx.adt_def(state_did); - let state_args = tcx.mk_args(&[sig.yield_ty.into(), sig.return_ty.into()]); - let ret_ty = Ty::new_adt(tcx, state_adt_ref, state_args); - - (sig.resume_ty, ret_ty) - }; - - ty::Binder::bind_with_vars( - tcx.mk_fn_sig( - [env_ty, resume_ty], - ret_ty, - false, - Unsafety::Normal, - rustc_target::spec::abi::Abi::Rust, - ), - bound_vars, - ) - } - - pub fn fn_sig_of_instance(&self, instance: Instance<'tcx>) -> ty::PolyFnSig<'tcx> { - let fntyp = instance.ty(self.tcx, ty::ParamEnv::reveal_all()); - self.monomorphize(match fntyp.kind() { - ty::Closure(def_id, subst) => self.closure_sig(*def_id, subst), - ty::FnPtr(..) | ty::FnDef(..) => { - let sig = fntyp.fn_sig(self.tcx); - // Calls through vtable or Fn pointer for an ABI that may require untupled arguments. - if self.ty_needs_untupled_args(fntyp) { - return self.sig_with_untupled_args(sig); - } - sig - } - ty::Coroutine(did, args) => self.coroutine_sig(did, fntyp, args), - _ => unreachable!("Can't get function signature of type: {:?}", fntyp), - }) - } } impl<'tcx> GotocCtx<'tcx> { @@ -463,10 +260,10 @@ impl<'tcx> GotocCtx<'tcx> { idx: usize, ) -> DatatypeComponent { // Gives a binder with function signature - let sig = self.fn_sig_of_instance(instance); + let instance = rustc_internal::stable(instance); // Gives an Irep Pointer object for the signature - let fn_ty = self.codegen_dynamic_function_sig(sig); + let fn_ty = self.codegen_dynamic_function_sig(instance); let fn_ptr = fn_ty.to_pointer(); // vtable field name, i.e., 3_vol (idx_method) @@ -745,6 +542,9 @@ impl<'tcx> GotocCtx<'tcx> { ty::Float(k) => match k { FloatTy::F32 => Type::float(), FloatTy::F64 => Type::double(), + // `F16` and `F128` are not yet handled. + // Tracked here: + FloatTy::F16 | FloatTy::F128 => unimplemented!(), }, ty::Adt(def, _) if def.repr().simd() => self.codegen_vector(ty), ty::Adt(def, subst) => { @@ -770,7 +570,7 @@ impl<'tcx> GotocCtx<'tcx> { // Note: This is not valid C but CBMC seems to be ok with it. ty::Slice(e) => self.codegen_ty(*e).flexible_array_of(), ty::Str => Type::unsigned_int(8).flexible_array_of(), - ty::Ref(_, t, _) | ty::RawPtr(ty::TypeAndMut { ty: t, .. }) => self.codegen_ty_ref(*t), + ty::Ref(_, t, _) | ty::RawPtr(t, _) => self.codegen_ty_ref(*t), ty::FnDef(def_id, args) => { let instance = Instance::resolve(self.tcx, ty::ParamEnv::reveal_all(), *def_id, args) @@ -795,6 +595,13 @@ impl<'tcx> GotocCtx<'tcx> { ) } } + // This object has the same layout as base. For now, translate this into `(base)`. + // The only difference is the niche. + ty::Pat(base_ty, ..) => { + self.ensure_struct(self.ty_mangled_name(ty), self.ty_pretty_name(ty), |tcx, _| { + tcx.codegen_ty_tuple_like(ty, vec![*base_ty]) + }) + } ty::Alias(..) => { unreachable!("Type should've been normalized already") } @@ -803,7 +610,11 @@ impl<'tcx> GotocCtx<'tcx> { ty::Bound(_, _) | ty::Param(_) => unreachable!("monomorphization bug"), // type checking remnants which shouldn't be reachable - ty::CoroutineWitness(_, _) | ty::Infer(_) | ty::Placeholder(_) | ty::Error(_) => { + ty::CoroutineWitness(_, _) + | ty::CoroutineClosure(_, _) + | ty::Infer(_) + | ty::Placeholder(_) + | ty::Error(_) => { unreachable!("remnants of type checking") } } @@ -929,39 +740,6 @@ impl<'tcx> GotocCtx<'tcx> { self.codegen_struct_fields(flds, &layout.layout.0, Size::ZERO) } - /// A closure / some shims in Rust MIR takes two arguments: - /// - /// 0. a struct representing the environment - /// 1. a tuple containing the parameters - /// - /// However, during codegen/lowering from MIR, the 2nd tuple of parameters - /// is flattened into subsequent parameters. - /// - /// Checking whether the type's kind is a closure is insufficient, because - /// a virtual method call through a vtable can have the trait's non-closure - /// type. For example: - /// - /// ``` - /// let p: &dyn Fn(i32) = &|x| assert!(x == 1); - /// p(1); - /// ``` - /// - /// Here, the call `p(1)` desugars to an MIR trait call `Fn::call(&p, (1,))`, - /// where the second argument is a tuple. The instance type kind for - /// `Fn::call` is not a closure, because dynamically, the pointer may be to - /// a function definition instead. We still need to untuple in this case, - /// so we follow the example elsewhere in Rust to use the ABI call type. - /// - /// See `make_call_args` in `rustc_mir_transform/src/inline.rs` - pub fn ty_needs_untupled_args(&self, ty: Ty<'tcx>) -> bool { - // Note that [Abi::RustCall] is not [Abi::Rust]. - // Documentation is sparse, but it does seem to correspond to the need for untupling. - match ty.kind() { - ty::FnDef(..) | ty::FnPtr(..) => ty.fn_sig(self.tcx).abi() == Abi::RustCall, - _ => unreachable!("Can't treat type as a function: {:?}", ty), - } - } - /// A closure is a struct of all its environments. That is, a closure is /// just a tuple with a unique type identifier, so that Fn related traits /// can find its impl. @@ -1222,8 +1000,9 @@ impl<'tcx> GotocCtx<'tcx> { | ty::Foreign(_) | ty::Coroutine(..) | ty::Int(_) - | ty::RawPtr(_) + | ty::RawPtr(_, _) | ty::Ref(..) + | ty::Pat(..) | ty::Tuple(_) | ty::Uint(_) => self.codegen_ty(pointee_type).to_pointer(), @@ -1241,6 +1020,7 @@ impl<'tcx> GotocCtx<'tcx> { ty::Bound(_, _) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Error(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::CoroutineWitness(_, _) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), + ty::CoroutineClosure(_, _) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Infer(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Param(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), ty::Placeholder(_) => todo!("{:?} {:?}", pointee_type, pointee_type.kind()), @@ -1256,36 +1036,37 @@ impl<'tcx> GotocCtx<'tcx> { /// `S = P | Pin

` /// /// See for more details. - fn codegen_dynamic_function_sig(&mut self, sig: PolyFnSig<'tcx>) -> Type { - let sig = self.monomorphize(sig); - let sig = self.tcx.normalize_erasing_late_bound_regions(ty::ParamEnv::reveal_all(), sig); + fn codegen_dynamic_function_sig(&mut self, instance: InstanceStable) -> Type { let mut is_first = true; - let params = sig - .inputs() - .iter() - .map(|arg_type| { + let fn_abi = instance.fn_abi().unwrap(); + let args = self.codegen_args(instance, &fn_abi); + let params = args + .map(|(_, arg_abi)| { + let arg_ty_stable = arg_abi.ty; + let kind = arg_ty_stable.kind(); + let arg_ty = rustc_internal::internal(self.tcx, arg_ty_stable); if is_first { is_first = false; - debug!(self_type=?arg_type, fn_signature=?sig, "codegen_dynamic_function_sig"); - if arg_type.is_ref() { + debug!(self_type=?arg_ty, ?fn_abi, "codegen_dynamic_function_sig"); + if kind.is_ref() { // Convert fat pointer to thin pointer to data portion. - let first_ty = pointee_type(*arg_type).unwrap(); + let first_ty = pointee_type(arg_ty).unwrap(); self.codegen_trait_data_pointer(first_ty) - } else if arg_type.is_trait() { + } else if kind.is_trait() { // Convert dyn T to thin pointer. - self.codegen_trait_data_pointer(*arg_type) + self.codegen_trait_data_pointer(arg_ty) } else { // Codegen type with thin pointer (E.g.: Box -> Box). - self.codegen_trait_receiver(*arg_type) + self.codegen_trait_receiver(arg_ty) } } else { - debug!("Using type {:?} in function signature", arg_type); - self.codegen_ty(*arg_type) + debug!("Using type {:?} in function signature", arg_ty); + self.codegen_ty(arg_ty) } }) .collect(); - Type::code_with_unnamed_parameters(params, self.codegen_ty(sig.output())) + Type::code_with_unnamed_parameters(params, self.codegen_ty_stable(fn_abi.ret.ty)) } /// one can only apply this function to a monomorphized signature @@ -1359,7 +1140,7 @@ impl<'tcx> GotocCtx<'tcx> { /// Mapping enums to CBMC types is rather complicated. There are a few cases to consider: /// 1. When there is only 0 or 1 variant, this is straightforward as the code shows /// 2. When there are more variants, rust might decides to apply the typical encoding which - /// regard enums as tagged union, or an optimized form, called niche encoding. + /// regard enums as tagged union, or an optimized form, called niche encoding. /// /// The direct encoding is straightforward. Enums are just mapped to C as a struct of union of structs. /// e.g. @@ -1573,13 +1354,18 @@ impl<'tcx> GotocCtx<'tcx> { } } }, + Primitive::Float(f) => self.codegen_float_type(f), + Primitive::Pointer(_) => Ty::new_ptr(self.tcx, self.tcx.types.u8, Mutability::Not), + } + } - Primitive::F32 => self.tcx.types.f32, - Primitive::F64 => self.tcx.types.f64, - Primitive::Pointer(_) => Ty::new_ptr( - self.tcx, - ty::TypeAndMut { ty: self.tcx.types.u8, mutbl: Mutability::Not }, - ), + pub fn codegen_float_type(&self, f: Float) -> Ty<'tcx> { + match f { + Float::F32 => self.tcx.types.f32, + Float::F64 => self.tcx.types.f64, + // `F16` and `F128` are not yet handled. + // Tracked here: + Float::F16 | Float::F128 => unimplemented!(), } } @@ -1660,18 +1446,14 @@ impl<'tcx> GotocCtx<'tcx> { } /// the function type of the current instance - pub fn fn_typ(&mut self, body: &Body) -> Type { - let sig = self.current_fn().sig().clone(); - let internal_instance = self.current_fn().instance(); - let is_vtable_shim = matches!(internal_instance.def, ty::InstanceDef::VTableShim(..)); - let mut params: Vec = sig - .inputs() - .iter() - .enumerate() - .filter_map(|(i, ty)| { - debug!(?i, ?ty, "fn_typ"); - let is_vtable_shim_self = i == 0 && is_vtable_shim; - if self.is_zst_stable(*ty) && !is_vtable_shim_self { + pub fn fn_typ(&mut self, instance: InstanceStable, body: &Body) -> Type { + let fn_abi = instance.fn_abi().unwrap(); + let params: Vec = self + .codegen_args(instance, &fn_abi) + .filter_map(|(i, arg_abi)| { + let ty = arg_abi.ty; + debug!(?i, ?arg_abi, "fn_typ"); + if arg_abi.mode == PassMode::Ignore { // We ignore zero-sized parameters. // See https://github.com/model-checking/kani/issues/274 for more details. None @@ -1692,30 +1474,19 @@ impl<'tcx> GotocCtx<'tcx> { } } Some( - self.codegen_ty_stable(*ty) + self.codegen_ty_stable(ty) .as_parameter(Some(ident.clone().into()), Some(ident.into())), ) } }) .collect(); - // For vtable shims, we need to modify fn(self, ...) to fn(self: *mut Self, ...), - // since the vtable functions expect a pointer as the first argument. See the comment - // and similar code in compiler/rustc_mir/src/shim.rs. - // TODO(celina): Use fn_abi_of_instance instead of sig so we don't need to do this manually. - if is_vtable_shim { - if let Some(self_param) = params.first() { - let ident = self_param.identifier(); - let ty = self_param.typ().clone(); - params[0] = ty.to_pointer().as_parameter(ident, ident); - } - } - - debug!(?params, signature=?sig, "function_type"); - if sig.c_variadic { - Type::variadic_code(params, self.codegen_ty_stable(sig.output())) + debug!(?params, ?fn_abi, "function_type"); + let ret_type = self.codegen_ty_stable(fn_abi.ret.ty); + if fn_abi.c_variadic { + Type::variadic_code(params, ret_type) } else { - Type::code(params, self.codegen_ty_stable(sig.output())) + Type::code(params, ret_type) } } @@ -1852,6 +1623,23 @@ impl<'tcx> GotocCtx<'tcx> { ReceiverIter { ctx: self, curr: typ } } + + /// Allow us to retrieve the instance arguments in a consistent way. + /// There are two corner cases that we currently handle: + /// 1. In some cases, an argument can be ignored (e.g.: ZST arguments in regular Rust calls). + /// 2. We currently don't support `track_caller`, so we ignore the extra argument that is added to support that. + /// Tracked here: + pub fn codegen_args<'a>( + &self, + instance: InstanceStable, + fn_abi: &'a FnAbi, + ) -> impl Iterator { + let requires_caller_location = self.requires_caller_location(instance); + let num_args = fn_abi.args.len(); + fn_abi.args.iter().enumerate().filter(move |(idx, arg_abi)| { + arg_abi.mode != PassMode::Ignore && !(requires_caller_location && idx + 1 == num_args) + }) + } } /// Return the datatype components for fields are present in every vtable struct. @@ -1881,7 +1669,7 @@ fn common_vtable_fields(drop_in_place: Type) -> Vec { pub fn pointee_type(mir_type: Ty) -> Option { match mir_type.kind() { ty::Ref(_, pointee_type, _) => Some(*pointee_type), - ty::RawPtr(ty::TypeAndMut { ty: pointee_type, .. }) => Some(*pointee_type), + ty::RawPtr(pointee_type, _) => Some(*pointee_type), _ => None, } } @@ -1889,7 +1677,7 @@ pub fn pointee_type(mir_type: Ty) -> Option { /// Extracts the pointee type if the given mir type is either a known smart pointer (Box, Rc, ..) /// or a regular pointer. pub fn std_pointee_type(mir_type: Ty) -> Option { - mir_type.builtin_deref(true).map(|tm| tm.ty) + mir_type.builtin_deref(true) } /// This is a place holder function that should normalize the given type. @@ -1907,8 +1695,10 @@ impl<'tcx> GotocCtx<'tcx> { /// metadata associated with it. pub fn use_thin_pointer(&self, mir_type: Ty<'tcx>) -> bool { // ptr_metadata_ty is not defined on all types, the projection of an associated type - let (metadata, _check_is_sized) = mir_type.ptr_metadata_ty(self.tcx, normalize_type); - !self.is_unsized(mir_type) || metadata == self.tcx.types.unit + let metadata = mir_type.ptr_metadata_ty_or_tail(self.tcx, normalize_type); + !self.is_unsized(mir_type) + || metadata.is_err() + || (metadata.unwrap() == self.tcx.types.unit) } /// We use fat pointer if not thin pointer. @@ -1919,14 +1709,14 @@ impl<'tcx> GotocCtx<'tcx> { /// A pointer to the mir type should be a slice fat pointer. /// We use a slice fat pointer if the metadata is the slice length (type usize). pub fn use_slice_fat_pointer(&self, mir_type: Ty<'tcx>) -> bool { - let (metadata, _check_is_sized) = mir_type.ptr_metadata_ty(self.tcx, normalize_type); + let metadata = mir_type.ptr_metadata_ty(self.tcx, normalize_type); metadata == self.tcx.types.usize } /// A pointer to the mir type should be a vtable fat pointer. /// We use a vtable fat pointer if this is a fat pointer to anything that is not a slice ptr. /// I.e.: The metadata is not length (type usize). pub fn use_vtable_fat_pointer(&self, mir_type: Ty<'tcx>) -> bool { - let (metadata, _check_is_sized) = mir_type.ptr_metadata_ty(self.tcx, normalize_type); + let metadata = mir_type.ptr_metadata_ty(self.tcx, normalize_type); metadata != self.tcx.types.unit && metadata != self.tcx.types.usize } diff --git a/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs b/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs index 1cfff307f856..6e2d5cb46e96 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/compiler_interface.rs @@ -7,16 +7,18 @@ use crate::args::ReachabilityType; use crate::codegen_cprover_gotoc::GotocCtx; use crate::kani_middle::analysis; use crate::kani_middle::attributes::{is_test_harness_description, KaniAttributes}; -use crate::kani_middle::metadata::{canonical_mangled_name, gen_test_metadata}; +use crate::kani_middle::codegen_units::{CodegenUnit, CodegenUnits}; +use crate::kani_middle::metadata::gen_test_metadata; use crate::kani_middle::provide; use crate::kani_middle::reachability::{ collect_reachable_items, filter_const_crate_items, filter_crate_items, }; +use crate::kani_middle::transform::BodyTransformation; use crate::kani_middle::{check_reachable_items, dump_mir_items}; use crate::kani_queries::QueryDb; use cbmc::goto_program::Location; use cbmc::irep::goto_binary_serde::write_goto_binary_file; -use cbmc::{InternString, RoundingMode}; +use cbmc::RoundingMode; use cbmc::{InternedString, MachineModel}; use kani_metadata::artifact::convert_type; use kani_metadata::UnsupportedFeature; @@ -48,12 +50,10 @@ use stable_mir::mir::mono::{Instance, MonoItem}; use stable_mir::{CrateDef, DefId}; use std::any::Any; use std::collections::BTreeMap; -use std::collections::HashSet; use std::ffi::OsString; use std::fmt::Write; use std::fs::File; use std::io::BufWriter; -use std::iter::FromIterator; use std::path::{Path, PathBuf}; use std::process::Command; use std::sync::{Arc, Mutex}; @@ -87,16 +87,18 @@ impl GotocCodegenBackend { symtab_goto: &Path, machine_model: &MachineModel, check_contract: Option, + mut transformer: BodyTransformation, ) -> (GotocCtx<'tcx>, Vec, Option) { let items = with_timer( - || collect_reachable_items(tcx, starting_items), + || collect_reachable_items(tcx, &mut transformer, starting_items), "codegen reachability analysis", ); - dump_mir_items(tcx, &items, &symtab_goto.with_extension("kani.mir")); + dump_mir_items(tcx, &mut transformer, &items, &symtab_goto.with_extension("kani.mir")); // Follow rustc naming convention (cx is abbrev for context). // https://rustc-dev-guide.rust-lang.org/conventions.html#naming-conventions - let mut gcx = GotocCtx::new(tcx, (*self.queries.lock().unwrap()).clone(), machine_model); + let mut gcx = + GotocCtx::new(tcx, (*self.queries.lock().unwrap()).clone(), machine_model, transformer); check_reachable_items(gcx.tcx, &gcx.queries, &items); let contract_info = with_timer( @@ -226,45 +228,48 @@ impl CodegenBackend for GotocCodegenBackend { // - Tests: Generate one model per test harnesses. // - PubFns: Generate code for all reachable logic starting from the local public functions. // - None: Don't generate code. This is used to compile dependencies. - let base_filename = tcx.output_filenames(()).output_path(OutputType::Object); + let base_filepath = tcx.output_filenames(()).path(OutputType::Object); + let base_filename = base_filepath.as_path(); let reachability = queries.args().reachability_analysis; let mut results = GotoCodegenResults::new(tcx, reachability); match reachability { ReachabilityType::Harnesses => { + let mut units = CodegenUnits::new(&queries, tcx); + let mut modifies_instances = vec![]; // Cross-crate collecting of all items that are reachable from the crate harnesses. - let harnesses = queries.target_harnesses(); - let mut items: HashSet<_> = HashSet::with_capacity(harnesses.len()); - items.extend(harnesses); - let harnesses = filter_crate_items(tcx, |_, instance| { - items.contains(&instance.mangled_name().intern()) - }); - for harness in harnesses { - let model_path = - queries.harness_model_path(&harness.mangled_name()).unwrap(); - let contract_metadata = - contract_metadata_for_harness(tcx, harness.def.def_id()).unwrap(); - let (gcx, items, contract_info) = self.codegen_items( - tcx, - &[MonoItem::Fn(harness)], - model_path, - &results.machine_model, - contract_metadata, - ); - results.extend(gcx, items, None); - if let Some(assigns_contract) = contract_info { - self.queries.lock().unwrap().register_assigns_contract( - canonical_mangled_name(harness).intern(), - assigns_contract, + for unit in units.iter() { + // We reset the body cache for now because each codegen unit has different + // configurations that affect how we transform the instance body. + let mut transformer = BodyTransformation::new(&queries, tcx, &unit); + for harness in &unit.harnesses { + let model_path = units.harness_model_path(*harness).unwrap(); + let contract_metadata = + contract_metadata_for_harness(tcx, harness.def.def_id()).unwrap(); + let (gcx, items, contract_info) = self.codegen_items( + tcx, + &[MonoItem::Fn(*harness)], + model_path, + &results.machine_model, + contract_metadata, + transformer, ); + transformer = results.extend(gcx, items, None); + if let Some(assigns_contract) = contract_info { + modifies_instances.push((*harness, assigns_contract)); + } } } + units.store_modifies(&modifies_instances); + units.write_metadata(&queries, tcx); } ReachabilityType::Tests => { // We're iterating over crate items here, so what we have to codegen is the "test description" containing the // test closure that we want to execute // TODO: Refactor this code so we can guarantee that the pair (test_fn, test_desc) actually match. + let unit = CodegenUnit::default(); + let mut transformer = BodyTransformation::new(&queries, tcx, &unit); let mut descriptions = vec![]; - let harnesses = filter_const_crate_items(tcx, |_, item| { + let harnesses = filter_const_crate_items(tcx, &mut transformer, |_, item| { if is_test_harness_description(tcx, item.def) { descriptions.push(item.def); true @@ -283,6 +288,7 @@ impl CodegenBackend for GotocCodegenBackend { &model_path, &results.machine_model, Default::default(), + transformer, ); results.extend(gcx, items, None); @@ -304,10 +310,12 @@ impl CodegenBackend for GotocCodegenBackend { } ReachabilityType::None => {} ReachabilityType::PubFns => { + let unit = CodegenUnit::default(); + let transformer = BodyTransformation::new(&queries, tcx, &unit); let main_instance = stable_mir::entry_fn().map(|main_fn| Instance::try_from(main_fn).unwrap()); let local_reachable = filter_crate_items(tcx, |_, instance| { - let def_id = rustc_internal::internal(instance.def.def_id()); + let def_id = rustc_internal::internal(tcx, instance.def.def_id()); Some(instance) == main_instance || tcx.is_reachable_non_generic(def_id) }) .into_iter() @@ -320,9 +328,10 @@ impl CodegenBackend for GotocCodegenBackend { &model_path, &results.machine_model, Default::default(), + transformer, ); assert!(contract_info.is_none()); - results.extend(gcx, items, None); + let _ = results.extend(gcx, items, None); } } @@ -353,10 +362,10 @@ impl CodegenBackend for GotocCodegenBackend { ongoing_codegen: Box, _sess: &Session, _filenames: &OutputFilenames, - ) -> Result<(CodegenResults, FxIndexMap), ErrorGuaranteed> { + ) -> (CodegenResults, FxIndexMap) { match ongoing_codegen.downcast::<(CodegenResults, FxIndexMap)>() { - Ok(val) => Ok(*val), + Ok(val) => *val, Err(val) => panic!("unexpected error: {:?}", (*val).type_id()), } } @@ -398,7 +407,7 @@ impl CodegenBackend for GotocCodegenBackend { let path = MaybeTempDir::new(tmp_dir, sess.opts.cg.save_temps); let (metadata, _metadata_position) = create_wrapper_file( sess, - b".rmeta".to_vec(), + ".rmeta".to_string(), codegen_results.metadata.raw_data(), ); let metadata = emit_wrapper_file(sess, &metadata, &path, METADATA_FILENAME); @@ -406,7 +415,8 @@ impl CodegenBackend for GotocCodegenBackend { builder.build(&out_path); } else { // Write the location of the kani metadata file in the requested compiler output file. - let base_filename = outputs.output_path(OutputType::Object); + let base_filepath = outputs.path(OutputType::Object); + let base_filename = base_filepath.as_path(); let content_stub = CompilerArtifactStub { metadata_path: base_filename.with_extension(ArtifactType::Metadata), }; @@ -614,12 +624,18 @@ impl GotoCodegenResults { } } - fn extend(&mut self, gcx: GotocCtx, items: Vec, metadata: Option) { + fn extend( + &mut self, + gcx: GotocCtx, + items: Vec, + metadata: Option, + ) -> BodyTransformation { let mut items = items; self.harnesses.extend(metadata); self.concurrent_constructs.extend(gcx.concurrent_constructs); self.unsupported_constructs.extend(gcx.unsupported_constructs); self.items.append(&mut items); + gcx.transformer } /// Prints a report at the end of the compilation. diff --git a/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs b/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs index e73a4756a581..5a542ca07cd2 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/context/current_fn.rs @@ -4,12 +4,10 @@ use crate::codegen_cprover_gotoc::GotocCtx; use cbmc::goto_program::Stmt; use cbmc::InternedString; -use rustc_middle::mir::Body as InternalBody; -use rustc_middle::ty::Instance as InternalInstance; +use rustc_middle::ty::Instance as InstanceInternal; use rustc_smir::rustc_internal; use stable_mir::mir::mono::Instance; use stable_mir::mir::{Body, Local, LocalDecl}; -use stable_mir::ty::FnSig; use stable_mir::CrateDef; use std::collections::HashMap; @@ -20,12 +18,10 @@ pub struct CurrentFnCtx<'tcx> { block: Vec, /// The codegen instance for the current function instance: Instance, - /// The current function signature. - fn_sig: FnSig, /// The crate this function is from krate: String, - /// The MIR for the current instance. This is using the internal representation. - mir: &'tcx InternalBody<'tcx>, + /// The current instance. This is using the internal representation. + instance_internal: InstanceInternal<'tcx>, /// A list of local declarations used to retrieve MIR component types. locals: Vec, /// A list of pretty names for locals that corrspond to user variables. @@ -41,7 +37,7 @@ pub struct CurrentFnCtx<'tcx> { /// Constructor impl<'tcx> CurrentFnCtx<'tcx> { pub fn new(instance: Instance, gcx: &GotocCtx<'tcx>, body: &Body) -> Self { - let internal_instance = rustc_internal::internal(instance); + let instance_internal = rustc_internal::internal(gcx.tcx, instance); let readable_name = instance.name(); let name = if &readable_name == "main" { readable_name.clone() } else { instance.mangled_name() }; @@ -51,12 +47,10 @@ impl<'tcx> CurrentFnCtx<'tcx> { .iter() .filter_map(|info| info.local().map(|local| (local, (&info.name).into()))) .collect::>(); - let fn_sig = gcx.fn_sig_of_instance_stable(instance); Self { block: vec![], instance, - fn_sig, - mir: gcx.tcx.instance_mir(internal_instance.def), + instance_internal, krate: instance.def.krate().name, locals, local_names, @@ -88,19 +82,14 @@ impl<'tcx> CurrentFnCtx<'tcx> { /// Getters impl<'tcx> CurrentFnCtx<'tcx> { /// The function we are currently compiling - pub fn instance(&self) -> InternalInstance<'tcx> { - rustc_internal::internal(self.instance) + pub fn instance(&self) -> InstanceInternal<'tcx> { + self.instance_internal } pub fn instance_stable(&self) -> Instance { self.instance } - /// The internal MIR for the function we are currently compiling using internal APIs. - pub fn body_internal(&self) -> &'tcx InternalBody<'tcx> { - self.mir - } - /// The name of the function we are currently compiling pub fn name(&self) -> String { self.name.clone() @@ -111,11 +100,6 @@ impl<'tcx> CurrentFnCtx<'tcx> { &self.readable_name } - /// The signature of the function we are currently compiling - pub fn sig(&self) -> &FnSig { - &self.fn_sig - } - pub fn locals(&self) -> &[LocalDecl] { &self.locals } diff --git a/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs b/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs index 10ee6a876588..7d51cff037c6 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/context/goto_ctx.rs @@ -11,6 +11,7 @@ //! This file is for defining the data-structure itself. //! 1. Defines `GotocCtx<'tcx>` //! 2. Provides constructors, getters and setters for the context. +//! //! Any MIR specific functionality (e.g. codegen etc) should live in specialized files that use //! this structure as input. use super::current_fn::CurrentFnCtx; @@ -18,11 +19,11 @@ use super::vtable_ctx::VtableCtx; use crate::codegen_cprover_gotoc::overrides::{fn_hooks, GotocHooks}; use crate::codegen_cprover_gotoc::utils::full_crate_name; use crate::codegen_cprover_gotoc::UnsupportedConstructs; +use crate::kani_middle::transform::BodyTransformation; use crate::kani_queries::QueryDb; use cbmc::goto_program::{DatatypeComponent, Expr, Location, Stmt, Symbol, SymbolTable, Type}; use cbmc::utils::aggr_tag; use cbmc::{InternedString, MachineModel}; -use kani_metadata::HarnessMetadata; use rustc_data_structures::fx::FxHashMap; use rustc_middle::span_bug; use rustc_middle::ty::layout::{ @@ -60,8 +61,6 @@ pub struct GotocCtx<'tcx> { /// map from symbol identifier to string literal /// TODO: consider making the map from Expr to String instead pub str_literals: FxHashMap, - pub proof_harnesses: Vec, - pub test_harnesses: Vec, /// a global counter for generating unique IDs for checks pub global_checks_count: u64, /// A map of unsupported constructs that were found while codegen @@ -70,6 +69,8 @@ pub struct GotocCtx<'tcx> { /// We collect them and print one warning at the end if not empty instead of printing one /// warning at each occurrence. pub concurrent_constructs: UnsupportedConstructs, + /// The body transformation agent. + pub transformer: BodyTransformation, } /// Constructor @@ -78,6 +79,7 @@ impl<'tcx> GotocCtx<'tcx> { tcx: TyCtxt<'tcx>, queries: QueryDb, machine_model: &MachineModel, + transformer: BodyTransformation, ) -> GotocCtx<'tcx> { let fhks = fn_hooks(); let symbol_table = SymbolTable::new(machine_model.clone()); @@ -94,11 +96,10 @@ impl<'tcx> GotocCtx<'tcx> { current_fn: None, type_map: FxHashMap::default(), str_literals: FxHashMap::default(), - proof_harnesses: vec![], - test_harnesses: vec![], global_checks_count: 0, unsupported_constructs: FxHashMap::default(), concurrent_constructs: FxHashMap::default(), + transformer, } } } @@ -136,8 +137,14 @@ impl<'tcx> GotocCtx<'tcx> { } // Generate a Symbol Expression representing a function variable from the MIR - pub fn gen_function_local_variable(&mut self, c: u64, fname: &str, t: Type) -> Symbol { - self.gen_stack_variable(c, fname, "var", t, Location::none(), false) + pub fn gen_function_local_variable( + &mut self, + c: u64, + fname: &str, + t: Type, + loc: Location, + ) -> Symbol { + self.gen_stack_variable(c, fname, "var", t, loc) } /// Given a counter `c` a function name `fname, and a prefix `prefix`, generates a new function local variable @@ -149,11 +156,10 @@ impl<'tcx> GotocCtx<'tcx> { prefix: &str, t: Type, loc: Location, - is_param: bool, ) -> Symbol { let base_name = format!("{prefix}_{c}"); let name = format!("{fname}::1::{base_name}"); - let symbol = Symbol::variable(name, base_name, t, loc).with_is_parameter(is_param); + let symbol = Symbol::variable(name, base_name, t, loc); self.symbol_table.insert(symbol.clone()); symbol } @@ -167,8 +173,7 @@ impl<'tcx> GotocCtx<'tcx> { loc: Location, ) -> (Expr, Stmt) { let c = self.current_fn_mut().get_and_incr_counter(); - let var = - self.gen_stack_variable(c, &self.current_fn().name(), "temp", t, loc, false).to_expr(); + let var = self.gen_stack_variable(c, &self.current_fn().name(), "temp", t, loc).to_expr(); let value = value.or_else(|| self.codegen_default_initializer(&var)); let decl = Stmt::decl(var.clone(), value, loc); (var, decl) @@ -284,13 +289,14 @@ impl<'tcx> GotocCtx<'tcx> { pub fn register_initializer(&mut self, var_name: &str, body: Stmt) -> &Symbol { let fn_name = Self::initializer_fn_name(var_name); let pretty_name = format!("{var_name}::init"); + let loc = *body.location(); self.ensure(&fn_name, |_tcx, _| { Symbol::function( &fn_name, Type::code(vec![], Type::constructor()), - Some(Stmt::block(vec![body], Location::none())), //TODO is this block needed? + Some(Stmt::block(vec![body], loc)), //TODO is this block needed? &pretty_name, - Location::none(), + loc, ) .with_is_file_local(true) }) diff --git a/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs b/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs index 97606688d1ed..fc245fc6f4c9 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/overrides/hooks.rs @@ -10,8 +10,9 @@ use crate::codegen_cprover_gotoc::codegen::{bb_label, PropertyClass}; use crate::codegen_cprover_gotoc::GotocCtx; +use crate::kani_middle::attributes::matches_diagnostic as matches_function; use crate::unwrap_or_return_codegen_unimplemented_stmt; -use cbmc::goto_program::{BuiltinFn, Expr, Location, Stmt, Type}; +use cbmc::goto_program::{BuiltinFn, Expr, Stmt, Type}; use rustc_middle::ty::TyCtxt; use rustc_smir::rustc_internal; use stable_mir::mir::mono::Instance; @@ -35,17 +36,6 @@ pub trait GotocHook { ) -> Stmt; } -fn matches_function(tcx: TyCtxt, instance: Instance, attr_name: &str) -> bool { - let attr_sym = rustc_span::symbol::Symbol::intern(attr_name); - if let Some(attr_id) = tcx.all_diagnostic_items(()).name_to_id.get(&attr_sym) { - if rustc_internal::internal(instance.def.def_id()) == *attr_id { - debug!("matched: {:?} {:?}", attr_id, attr_sym); - return true; - } - } - false -} - /// A hook for Kani's `cover` function (declared in `library/kani/src/lib.rs`). /// The function takes two arguments: a condition expression (bool) and a /// message (&'static str). @@ -57,7 +47,7 @@ fn matches_function(tcx: TyCtxt, instance: Instance, attr_name: &str) -> bool { struct Cover; impl GotocHook for Cover { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniCover") + matches_function(tcx, instance.def, "KaniCover") } fn handle( @@ -92,7 +82,7 @@ impl GotocHook for Cover { struct Assume; impl GotocHook for Assume { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniAssume") + matches_function(tcx, instance.def, "KaniAssume") } fn handle( @@ -116,7 +106,7 @@ impl GotocHook for Assume { struct Assert; impl GotocHook for Assert { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniAssert") + matches_function(tcx, instance.def, "KaniAssert") } fn handle( @@ -157,7 +147,7 @@ struct Nondet; impl GotocHook for Nondet { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniAnyRaw") + matches_function(tcx, instance.def, "KaniAnyRaw") } fn handle( @@ -178,7 +168,7 @@ impl GotocHook for Nondet { } else { let pe = unwrap_or_return_codegen_unimplemented_stmt!( gcx, - gcx.codegen_place_stable(assign_to) + gcx.codegen_place_stable(assign_to, loc) ) .goto_expr; Stmt::block( @@ -196,12 +186,12 @@ struct Panic; impl GotocHook for Panic { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - let def_id = rustc_internal::internal(instance.def.def_id()); + let def_id = rustc_internal::internal(tcx, instance.def.def_id()); Some(def_id) == tcx.lang_items().panic_fn() || tcx.has_attr(def_id, rustc_span::sym::rustc_const_panic_str) || Some(def_id) == tcx.lang_items().panic_fmt() || Some(def_id) == tcx.lang_items().begin_panic_fn() - || matches_function(tcx, instance, "KaniPanic") + || matches_function(tcx, instance.def, "KaniPanic") } fn handle( @@ -217,6 +207,115 @@ impl GotocHook for Panic { } } +/// Encodes __CPROVER_r_ok(ptr, size) +struct IsAllocated; +impl GotocHook for IsAllocated { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniIsAllocated") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + mut fargs: Vec, + assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 2); + let size = fargs.pop().unwrap(); + let ptr = fargs.pop().unwrap().cast_to(Type::void_pointer()); + let target = target.unwrap(); + let loc = gcx.codegen_caller_span_stable(span); + let ret_place = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ); + let ret_type = ret_place.goto_expr.typ().clone(); + + Stmt::block( + vec![ + ret_place.goto_expr.assign(Expr::read_ok(ptr, size).cast_to(ret_type), loc), + Stmt::goto(bb_label(target), loc), + ], + loc, + ) + } +} + +/// Encodes __CPROVER_pointer_object(ptr) +struct PointerObject; +impl GotocHook for PointerObject { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniPointerObject") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + mut fargs: Vec, + assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 1); + let ptr = fargs.pop().unwrap().cast_to(Type::void_pointer()); + let target = target.unwrap(); + let loc = gcx.codegen_caller_span_stable(span); + let ret_place = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ); + let ret_type = ret_place.goto_expr.typ().clone(); + + Stmt::block( + vec![ + ret_place.goto_expr.assign(Expr::pointer_object(ptr).cast_to(ret_type), loc), + Stmt::goto(bb_label(target), loc), + ], + loc, + ) + } +} + +/// Encodes __CPROVER_pointer_offset(ptr) +struct PointerOffset; +impl GotocHook for PointerOffset { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniPointerOffset") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + mut fargs: Vec, + assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 1); + let ptr = fargs.pop().unwrap().cast_to(Type::void_pointer()); + let target = target.unwrap(); + let loc = gcx.codegen_caller_span_stable(span); + let ret_place = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ); + let ret_type = ret_place.goto_expr.typ().clone(); + + Stmt::block( + vec![ + ret_place.goto_expr.assign(Expr::pointer_offset(ptr).cast_to(ret_type), loc), + Stmt::goto(bb_label(target), loc), + ], + loc, + ) + } +} + struct RustAlloc; // Removing this hook causes regression failures. // https://github.com/model-checking/kani/issues/1170 @@ -243,7 +342,7 @@ impl GotocHook for RustAlloc { vec![ unwrap_or_return_codegen_unimplemented_stmt!( gcx, - gcx.codegen_place_stable(assign_to) + gcx.codegen_place_stable(assign_to, loc) ) .goto_expr .assign( @@ -252,9 +351,9 @@ impl GotocHook for RustAlloc { .cast_to(Type::unsigned_int(8).to_pointer()), loc, ), - Stmt::goto(bb_label(target), Location::none()), + Stmt::goto(bb_label(target), loc), ], - Location::none(), + loc, ) } } @@ -303,13 +402,14 @@ impl GotocHook for MemCmp { let is_first_ok = first_var.clone().is_nonnull(); let is_second_ok = second_var.clone().is_nonnull(); let should_skip_pointer_checks = is_count_zero.and(is_first_ok).and(is_second_ok); - let place_expr = - unwrap_or_return_codegen_unimplemented_stmt!(gcx, gcx.codegen_place_stable(assign_to)) - .goto_expr; + let place_expr = unwrap_or_return_codegen_unimplemented_stmt!( + gcx, + gcx.codegen_place_stable(assign_to, loc) + ) + .goto_expr; let rhs = should_skip_pointer_checks.ternary( Expr::int_constant(0, place_expr.typ().clone()), // zero bytes are always equal (as long as pointers are nonnull and aligned) - gcx.codegen_func_expr(instance, Some(span)) - .call(vec![first_var, second_var, count_var]), + gcx.codegen_func_expr(instance, loc).call(vec![first_var, second_var, count_var]), ); let code = place_expr.assign(rhs, loc).with_location(loc); Stmt::block( @@ -330,7 +430,7 @@ struct UntrackedDeref; impl GotocHook for UntrackedDeref { fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { - matches_function(tcx, instance, "KaniUntrackedDeref") + matches_function(tcx, instance.def, "KaniUntrackedDeref") } fn handle( @@ -354,7 +454,7 @@ impl GotocHook for UntrackedDeref { vec![Stmt::assign( unwrap_or_return_codegen_unimplemented_stmt!( gcx, - gcx.codegen_place_stable(assign_to) + gcx.codegen_place_stable(assign_to, loc) ) .goto_expr, fargs.pop().unwrap().dereference(), @@ -365,6 +465,45 @@ impl GotocHook for UntrackedDeref { } } +struct InitContracts; + +/// CBMC contracts currently has a limitation where `free` has to be in scope. +/// However, if there is no dynamic allocation in the harness, slicing removes `free` from the +/// scope. +/// +/// Thus, this function will basically translate into: +/// ```c +/// // This is a no-op. +/// free(NULL); +/// ``` +impl GotocHook for InitContracts { + fn hook_applies(&self, tcx: TyCtxt, instance: Instance) -> bool { + matches_function(tcx, instance.def, "KaniInitContracts") + } + + fn handle( + &self, + gcx: &mut GotocCtx, + _instance: Instance, + fargs: Vec, + _assign_to: &Place, + target: Option, + span: Span, + ) -> Stmt { + assert_eq!(fargs.len(), 0,); + let loc = gcx.codegen_span_stable(span); + Stmt::block( + vec![ + BuiltinFn::Free + .call(vec![Expr::pointer_constant(0, Type::void_pointer())], loc) + .as_stmt(loc), + Stmt::goto(bb_label(target.unwrap()), loc), + ], + loc, + ) + } +} + pub fn fn_hooks() -> GotocHooks { GotocHooks { hooks: vec![ @@ -373,9 +512,13 @@ pub fn fn_hooks() -> GotocHooks { Rc::new(Assert), Rc::new(Cover), Rc::new(Nondet), + Rc::new(IsAllocated), + Rc::new(PointerObject), + Rc::new(PointerOffset), Rc::new(RustAlloc), Rc::new(MemCmp), Rc::new(UntrackedDeref), + Rc::new(InitContracts), ], } } diff --git a/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs b/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs index d81839ea097c..16edca2a826c 100644 --- a/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs +++ b/kani-compiler/src/codegen_cprover_gotoc/utils/utils.rs @@ -125,7 +125,7 @@ impl<'tcx> GotocCtx<'tcx> { } /// Best effort check if the struct represents a rust `std::marker::PhantomData` - fn assert_is_rust_phantom_data_like(&self, t: &Type) { + pub fn assert_is_rust_phantom_data_like(&self, t: &Type) { // TODO: A `std::marker::PhantomData` appears to be an empty struct, in the cases we've seen. // Is there something smarter we can do here? assert!(t.is_struct_like()); @@ -194,5 +194,5 @@ impl<'tcx> GotocCtx<'tcx> { } pub fn span_err(tcx: TyCtxt, span: Span, msg: String) { - tcx.dcx().span_err(rustc_internal::internal(span), msg); + tcx.dcx().span_err(rustc_internal::internal(tcx, span), msg); } diff --git a/kani-compiler/src/kani_compiler.rs b/kani-compiler/src/kani_compiler.rs index 118821f5995f..58c22f940352 100644 --- a/kani-compiler/src/kani_compiler.rs +++ b/kani-compiler/src/kani_compiler.rs @@ -15,34 +15,19 @@ //! in order to apply the stubs. For the subsequent runs, we add the stub configuration to //! `-C llvm-args`. -use crate::args::{Arguments, ReachabilityType}; +use crate::args::Arguments; #[cfg(feature = "cprover")] use crate::codegen_cprover_gotoc::GotocCodegenBackend; -use crate::kani_middle::attributes::is_proof_harness; use crate::kani_middle::check_crate_items; -use crate::kani_middle::metadata::gen_proof_metadata; -use crate::kani_middle::reachability::filter_crate_items; -use crate::kani_middle::stubbing::{self, harness_stub_map}; use crate::kani_queries::QueryDb; use crate::session::init_session; -use cbmc::{InternString, InternedString}; use clap::Parser; -use kani_metadata::{ArtifactType, HarnessMetadata, KaniMetadata}; use rustc_codegen_ssa::traits::CodegenBackend; -use rustc_data_structures::fx::FxHashMap; use rustc_driver::{Callbacks, Compilation, RunCompiler}; -use rustc_hir::def_id::LOCAL_CRATE; -use rustc_hir::definitions::DefPathHash; use rustc_interface::Config; -use rustc_middle::ty::TyCtxt; -use rustc_session::config::{ErrorOutputType, OutputType}; +use rustc_session::config::ErrorOutputType; use rustc_smir::rustc_internal; use rustc_span::ErrorGuaranteed; -use std::collections::{BTreeMap, HashMap}; -use std::fs::File; -use std::io::BufWriter; -use std::mem; -use std::path::{Path, PathBuf}; use std::process::ExitCode; use std::sync::{Arc, Mutex}; use tracing::debug; @@ -69,537 +54,64 @@ fn backend(queries: Arc>) -> Box { compile_error!("No backend is available. Only supported value today is `cprover`"); } -/// A stable (across compilation sessions) identifier for the harness function. -type HarnessId = InternedString; - -/// A set of stubs. -type Stubs = BTreeMap; - -#[derive(Clone, Debug)] -struct HarnessInfo { - pub metadata: HarnessMetadata, - pub stub_map: Stubs, -} - -/// Store some relevant information about the crate compilation. -#[derive(Clone, Debug)] -struct CrateInfo { - /// The name of the crate being compiled. - pub name: String, - /// The metadata output path that shall be generated as part of the crate compilation. - pub output_path: PathBuf, -} - -/// Represents the current compilation stage. -/// -/// The Kani compiler may run the Rust compiler multiple times since stubbing has to be applied -/// to the entire Rust compiler session. -/// -/// - We always start in the [CompilationStage::Init]. -/// - After [CompilationStage::Init] we transition to either -/// - [CompilationStage::CodegenNoStubs] on a regular crate compilation, this will follow Init. -/// - [CompilationStage::CompilationSkipped], running the compiler to gather information, such as -/// `--version` will skip code generation completely, and there is no work to be done. -/// - After the [CompilationStage::CodegenNoStubs], we transition to either -/// - [CompilationStage::CodegenWithStubs] when there is at least one harness with stubs. -/// - [CompilationStage::Done] where there is no harness left to process. -/// - The [CompilationStage::CodegenWithStubs] can last multiple Rust compiler runs. Once there is -/// no harness left, we move to [CompilationStage::Done]. -/// - The final stages are either [CompilationStage::Done] or [CompilationStage::CompilationSkipped]. -/// - [CompilationStage::Done] represents the final state of the compiler after a successful -/// compilation. The crate metadata is stored here (even if no codegen was actually performed). -/// - [CompilationStage::CompilationSkipped] no compilation was actually performed. -/// No work needs to be done. -/// - Note: In a scenario where the compilation fails, the compiler will exit immediately, -/// independent on the stage. Any artifact produced shouldn't be used. -/// I.e.: -/// ```dot -/// graph CompilationStage { -/// Init -> {CodegenNoStubs, CompilationSkipped} -/// CodegenNoStubs -> {CodegenStubs, Done} -/// // Loop up to N harnesses times. -/// CodegenStubs -> {CodegenStubs, Done} -/// CompilationSkipped -/// Done -/// } -/// ``` -#[allow(dead_code)] -#[derive(Debug)] -enum CompilationStage { - /// Initial state that the compiler is always instantiated with. - /// In this stage, we initialize the Query and collect all harnesses. - Init, - /// State where the compiler ran but didn't actually compile anything (e.g.: --version). - CompilationSkipped, - /// Stage where the compiler will perform codegen of all harnesses that don't use stub. - CodegenNoStubs { - target_harnesses: Vec, - next_harnesses: Vec>, - all_harnesses: HashMap, - crate_info: CrateInfo, - }, - /// Stage where the compiler will codegen harnesses that use stub, one group at a time. - /// The harnesses at this stage are grouped according to the stubs they are using. For now, - /// we ensure they have the exact same set of stubs. - CodegenWithStubs { - target_harnesses: Vec, - next_harnesses: Vec>, - all_harnesses: HashMap, - crate_info: CrateInfo, - }, - Done { - metadata: Option<(KaniMetadata, CrateInfo)>, - }, -} - -impl CompilationStage { - pub fn is_init(&self) -> bool { - matches!(self, CompilationStage::Init) - } -} - /// This object controls the compiler behavior. /// /// It is responsible for initializing the query database, as well as controlling the compiler -/// state machine. For stubbing, we may require multiple iterations of the rustc driver, which is -/// controlled and configured via KaniCompiler. +/// state machine. struct KaniCompiler { - /// Store the queries database. The queries should be initialized as part of `config` when the + /// Store the query database. The queries should be initialized as part of `config` when the /// compiler state is Init. /// Note that we need to share the queries with the backend before `config` is called. pub queries: Arc>, - /// The state which the compiler is at. - stage: CompilationStage, } impl KaniCompiler { /// Create a new [KaniCompiler] instance. pub fn new() -> KaniCompiler { - KaniCompiler { queries: QueryDb::new(), stage: CompilationStage::Init } + KaniCompiler { queries: QueryDb::new() } } /// Compile the current crate with the given arguments. /// /// Since harnesses may have different attributes that affect compilation, Kani compiler can /// actually invoke the rust compiler multiple times. - pub fn run(&mut self, orig_args: Vec) -> Result<(), ErrorGuaranteed> { - loop { - debug!(next=?self.stage, "run"); - // Because this modifies `self.stage` we need to run this before - // borrowing `&self.stage` immutably - if let CompilationStage::Done { metadata: Some((metadata, _)), .. } = &mut self.stage { - let mut contracts = self - .queries - .lock() - .unwrap() - .assigns_contracts() - .map(|(k, v)| (*k, v.clone())) - .collect::>(); - for harness in - metadata.proof_harnesses.iter_mut().chain(metadata.test_harnesses.iter_mut()) - { - if let Some(modifies_contract) = - contracts.remove(&(&harness.mangled_name).intern()) - { - harness.contract = modifies_contract.into(); - } - } - assert!( - contracts.is_empty(), - "Invariant broken: not all contracts have been handled." - ) - } - match &self.stage { - CompilationStage::Init => self.run_compilation_session(&orig_args)?, - CompilationStage::CodegenNoStubs { .. } => { - unreachable!("This stage should always run in the same session as Init"); - } - CompilationStage::CodegenWithStubs { target_harnesses, all_harnesses, .. } => { - assert!(!target_harnesses.is_empty(), "expected at least one target harness"); - let target_harness_name = &target_harnesses[0]; - let target_harness = &all_harnesses[target_harness_name]; - let extra_arg = stubbing::mk_rustc_arg(&target_harness.stub_map); - let mut args = orig_args.clone(); - args.push(extra_arg); - self.run_compilation_session(&args)? - } - CompilationStage::Done { metadata: Some((kani_metadata, crate_info)) } => { - // Only store metadata for harnesses for now. - // TODO: This should only skip None. - // https://github.com/model-checking/kani/issues/2493 - if self.queries.lock().unwrap().args().reachability_analysis - == ReachabilityType::Harnesses - { - // Store metadata file. - // We delay storing the metadata so we can include information collected - // during codegen. - self.store_metadata(&kani_metadata, &crate_info.output_path); - } - return Ok(()); - } - CompilationStage::Done { metadata: None } - | CompilationStage::CompilationSkipped => { - return Ok(()); - } - }; - - self.next_stage(); - } - } - - /// Set up the next compilation stage after a `rustc` run. - fn next_stage(&mut self) { - self.stage = match &mut self.stage { - CompilationStage::Init => { - // This may occur when user passes arguments like --version or --help. - CompilationStage::Done { metadata: None } - } - CompilationStage::CodegenNoStubs { - next_harnesses, all_harnesses, crate_info, .. - } - | CompilationStage::CodegenWithStubs { - next_harnesses, - all_harnesses, - crate_info, - .. - } => { - if let Some(target_harnesses) = next_harnesses.pop() { - assert!(!target_harnesses.is_empty(), "expected at least one target harness"); - CompilationStage::CodegenWithStubs { - target_harnesses, - next_harnesses: mem::take(next_harnesses), - all_harnesses: mem::take(all_harnesses), - crate_info: crate_info.clone(), - } - } else { - CompilationStage::Done { - metadata: Some(( - generate_metadata(&crate_info, &all_harnesses), - crate_info.clone(), - )), - } - } - } - CompilationStage::Done { .. } | CompilationStage::CompilationSkipped => { - unreachable!() - } - }; - } - - /// Run the Rust compiler with the given arguments and pass `&mut self` to handle callbacks. - fn run_compilation_session(&mut self, args: &[String]) -> Result<(), ErrorGuaranteed> { + pub fn run(&mut self, args: Vec) -> Result<(), ErrorGuaranteed> { debug!(?args, "run_compilation_session"); let queries = self.queries.clone(); - let mut compiler = RunCompiler::new(args, self); + let mut compiler = RunCompiler::new(&args, self); compiler.set_make_codegen_backend(Some(Box::new(move |_cfg| backend(queries)))); compiler.run()?; Ok(()) } - - /// Gather and process all harnesses from this crate that shall be compiled. - fn process_harnesses(&self, tcx: TyCtxt) -> CompilationStage { - let crate_info = CrateInfo { - name: tcx.crate_name(LOCAL_CRATE).as_str().into(), - output_path: metadata_output_path(tcx), - }; - if self.queries.lock().unwrap().args().reachability_analysis == ReachabilityType::Harnesses - { - let base_filename = tcx.output_filenames(()).output_path(OutputType::Object); - let harnesses = filter_crate_items(tcx, |_, instance| is_proof_harness(tcx, instance)); - let all_harnesses = harnesses - .into_iter() - .map(|harness| { - let def_path = harness.mangled_name().intern(); - let metadata = gen_proof_metadata(tcx, harness, &base_filename); - let stub_map = harness_stub_map(tcx, harness, &metadata); - (def_path, HarnessInfo { metadata, stub_map }) - }) - .collect::>(); - - let (no_stubs, with_stubs): (Vec<_>, Vec<_>) = - if self.queries.lock().unwrap().args().stubbing_enabled { - // Partition harnesses that don't have stub with the ones with stub. - all_harnesses - .keys() - .cloned() - .partition(|harness| all_harnesses[harness].stub_map.is_empty()) - } else { - // Generate code without stubs. - (all_harnesses.keys().cloned().collect(), vec![]) - }; - - // Even if no_stubs is empty we still need to store rustc metadata. - CompilationStage::CodegenNoStubs { - target_harnesses: no_stubs, - next_harnesses: group_by_stubs(with_stubs, &all_harnesses), - all_harnesses, - crate_info, - } - } else { - // Leave other reachability type handling as is for now. - CompilationStage::CodegenNoStubs { - target_harnesses: vec![], - next_harnesses: vec![], - all_harnesses: HashMap::default(), - crate_info, - } - } - } - - /// Prepare the query for the next codegen stage. - fn prepare_codegen(&mut self) -> Compilation { - debug!(stage=?self.stage, "prepare_codegen"); - match &self.stage { - CompilationStage::CodegenNoStubs { target_harnesses, all_harnesses, .. } - | CompilationStage::CodegenWithStubs { target_harnesses, all_harnesses, .. } => { - debug!( - harnesses=?target_harnesses - .iter() - .map(|h| &all_harnesses[h].metadata.pretty_name) - .collect::>(), - "prepare_codegen" - ); - let queries = &mut (*self.queries.lock().unwrap()); - queries.harnesses_info = target_harnesses - .iter() - .map(|harness| { - (*harness, all_harnesses[harness].metadata.goto_file.clone().unwrap()) - }) - .collect(); - Compilation::Continue - } - CompilationStage::Init - | CompilationStage::Done { .. } - | CompilationStage::CompilationSkipped => unreachable!(), - } - } - - /// Write the metadata to a file - fn store_metadata(&self, metadata: &KaniMetadata, filename: &Path) { - debug!(?filename, "write_metadata"); - let out_file = File::create(filename).unwrap(); - let writer = BufWriter::new(out_file); - if self.queries.lock().unwrap().args().output_pretty_json { - serde_json::to_writer_pretty(writer, &metadata).unwrap(); - } else { - serde_json::to_writer(writer, &metadata).unwrap(); - } - } -} - -/// Group the harnesses by their stubs. -fn group_by_stubs( - harnesses: Vec, - all_harnesses: &HashMap, -) -> Vec> { - let mut per_stubs: BTreeMap<&Stubs, Vec> = BTreeMap::default(); - for harness in harnesses { - per_stubs.entry(&all_harnesses[&harness].stub_map).or_default().push(harness) - } - per_stubs.into_values().collect() } /// Use default function implementations. impl Callbacks for KaniCompiler { /// Configure the [KaniCompiler] `self` object during the [CompilationStage::Init]. fn config(&mut self, config: &mut Config) { - if self.stage.is_init() { - let mut args = vec!["kani-compiler".to_string()]; - args.extend(config.opts.cg.llvm_args.iter().cloned()); - let args = Arguments::parse_from(args); - init_session(&args, matches!(config.opts.error_format, ErrorOutputType::Json { .. })); - // Configure queries. - let queries = &mut (*self.queries.lock().unwrap()); - - queries.set_args(args); + let mut args = vec!["kani-compiler".to_string()]; + args.extend(config.opts.cg.llvm_args.iter().cloned()); + let args = Arguments::parse_from(args); + init_session(&args, matches!(config.opts.error_format, ErrorOutputType::Json { .. })); - debug!(?queries, "config end"); - } + // Configure queries. + let queries = &mut (*self.queries.lock().unwrap()); + queries.set_args(args); + debug!(?queries, "config end"); } - /// During the initialization state, we collect the crate harnesses and prepare for codegen. + /// After analysis, we check the crate items for Kani API misuse or configuration issues. fn after_analysis<'tcx>( &mut self, _compiler: &rustc_interface::interface::Compiler, rustc_queries: &'tcx rustc_interface::Queries<'tcx>, ) -> Compilation { - if self.stage.is_init() { - self.stage = rustc_queries.global_ctxt().unwrap().enter(|tcx| { - rustc_internal::run(tcx, || { - check_crate_items(tcx, self.queries.lock().unwrap().args().ignore_global_asm); - self.process_harnesses(tcx) - }) - .unwrap() + rustc_queries.global_ctxt().unwrap().enter(|tcx| { + rustc_internal::run(tcx, || { + check_crate_items(tcx, self.queries.lock().unwrap().args().ignore_global_asm); }) - } - - self.prepare_codegen() - } -} - -/// Generate [KaniMetadata] for the target crate. -fn generate_metadata( - crate_info: &CrateInfo, - all_harnesses: &HashMap, -) -> KaniMetadata { - let (proof_harnesses, test_harnesses) = all_harnesses - .values() - .map(|info| &info.metadata) - .cloned() - .partition(|md| md.attributes.proof); - KaniMetadata { - crate_name: crate_info.name.clone(), - proof_harnesses, - unsupported_features: vec![], - test_harnesses, - } -} - -/// Extract the filename for the metadata file. -fn metadata_output_path(tcx: TyCtxt) -> PathBuf { - let mut filename = tcx.output_filenames(()).output_path(OutputType::Object); - filename.set_extension(ArtifactType::Metadata); - filename -} - -#[cfg(test)] -mod tests { - use super::*; - use kani_metadata::{HarnessAttributes, HarnessMetadata}; - use rustc_data_structures::fingerprint::Fingerprint; - use rustc_hir::definitions::DefPathHash; - use std::collections::HashMap; - - fn mock_next_harness_id() -> HarnessId { - static mut COUNTER: u64 = 0; - unsafe { COUNTER += 1 }; - let id = unsafe { COUNTER }; - format!("mod::harness-{id}").intern() - } - - fn mock_next_stub_id() -> DefPathHash { - static mut COUNTER: u64 = 0; - unsafe { COUNTER += 1 }; - let id = unsafe { COUNTER }; - DefPathHash(Fingerprint::new(id, 0)) - } - - fn mock_metadata(name: String, krate: String) -> HarnessMetadata { - HarnessMetadata { - pretty_name: name.clone(), - mangled_name: name.clone(), - original_file: format!("{}.rs", krate), - crate_name: krate, - original_start_line: 10, - original_end_line: 20, - goto_file: None, - attributes: HarnessAttributes::default(), - contract: Default::default(), - } - } - - fn mock_info_with_stubs(stub_map: Stubs) -> HarnessInfo { - HarnessInfo { metadata: mock_metadata("dummy".to_string(), "crate".to_string()), stub_map } - } - - #[test] - fn test_group_by_stubs_works() { - // Set up the inputs - let harness_1 = mock_next_harness_id(); - let harness_2 = mock_next_harness_id(); - let harness_3 = mock_next_harness_id(); - let harnesses = vec![harness_1, harness_2, harness_3]; - - let stub_1 = (mock_next_stub_id(), mock_next_stub_id()); - let stub_2 = (mock_next_stub_id(), mock_next_stub_id()); - let stub_3 = (mock_next_stub_id(), mock_next_stub_id()); - let stub_4 = (stub_3.0, mock_next_stub_id()); - - let set_1 = Stubs::from([stub_1, stub_2, stub_3]); - let set_2 = Stubs::from([stub_1, stub_2, stub_4]); - let set_3 = Stubs::from([stub_1, stub_3, stub_2]); - assert_eq!(set_1, set_3); - assert_ne!(set_1, set_2); - - let harnesses_info = HashMap::from([ - (harness_1, mock_info_with_stubs(set_1)), - (harness_2, mock_info_with_stubs(set_2)), - (harness_3, mock_info_with_stubs(set_3)), - ]); - assert_eq!(harnesses_info.len(), 3); - - // Run the function under test. - let grouped = group_by_stubs(harnesses, &harnesses_info); - - // Verify output. - assert_eq!(grouped.len(), 2); - assert!( - grouped.contains(&vec![harness_1, harness_3]) - || grouped.contains(&vec![harness_3, harness_1]) - ); - assert!(grouped.contains(&vec![harness_2])); - } - - #[test] - fn test_generate_metadata() { - // Mock inputs. - let name = "my_crate".to_string(); - let crate_info = CrateInfo { name: name.clone(), output_path: PathBuf::default() }; - - let mut info = mock_info_with_stubs(Stubs::default()); - info.metadata.attributes.proof = true; - let id = mock_next_harness_id(); - let all_harnesses = HashMap::from([(id, info.clone())]); - - // Call generate metadata. - let metadata = generate_metadata(&crate_info, &all_harnesses); - - // Check output. - assert_eq!(metadata.crate_name, name); - assert_eq!(metadata.proof_harnesses.len(), 1); - assert_eq!(*metadata.proof_harnesses.first().unwrap(), info.metadata); - } - - #[test] - fn test_generate_empty_metadata() { - // Mock inputs. - let name = "my_crate".to_string(); - let crate_info = CrateInfo { name: name.clone(), output_path: PathBuf::default() }; - let all_harnesses = HashMap::new(); - - // Call generate metadata. - let metadata = generate_metadata(&crate_info, &all_harnesses); - - // Check output. - assert_eq!(metadata.crate_name, name); - assert_eq!(metadata.proof_harnesses.len(), 0); - } - - #[test] - fn test_generate_metadata_with_multiple_harness() { - // Mock inputs. - let krate = "my_crate".to_string(); - let crate_info = CrateInfo { name: krate.clone(), output_path: PathBuf::default() }; - - let harnesses = ["h1", "h2", "h3"]; - let infos = harnesses.map(|harness| { - let mut metadata = mock_metadata(harness.to_string(), krate.clone()); - metadata.attributes.proof = true; - (mock_next_harness_id(), HarnessInfo { stub_map: Stubs::default(), metadata }) + .unwrap() }); - let all_harnesses = HashMap::from(infos.clone()); - - // Call generate metadata. - let metadata = generate_metadata(&crate_info, &all_harnesses); - - // Check output. - assert_eq!(metadata.crate_name, krate); - assert_eq!(metadata.proof_harnesses.len(), infos.len()); - assert!( - metadata - .proof_harnesses - .iter() - .all(|harness| harnesses.contains(&&*harness.pretty_name)) - ); + Compilation::Continue } } diff --git a/kani-compiler/src/kani_middle/attributes.rs b/kani-compiler/src/kani_middle/attributes.rs index e9edbedfcd82..c74f0c744093 100644 --- a/kani-compiler/src/kani_middle/attributes.rs +++ b/kani-compiler/src/kani_middle/attributes.rs @@ -70,6 +70,10 @@ enum KaniAttributeKind { /// expanded with additional pointer arguments that are not used in the function /// but referenced by the `modifies` annotation. InnerCheck, + /// Attribute used to mark contracts for functions with recursion. + /// We use this attribute to properly instantiate `kani::any_modifies` in + /// cases when recursion is present given our contracts instrumentation. + Recursion, } impl KaniAttributeKind { @@ -84,6 +88,7 @@ impl KaniAttributeKind { | KaniAttributeKind::StubVerified | KaniAttributeKind::Unwind => true, KaniAttributeKind::Unstable + | KaniAttributeKind::Recursion | KaniAttributeKind::ReplacedWith | KaniAttributeKind::CheckedWith | KaniAttributeKind::Modifies @@ -102,13 +107,6 @@ impl KaniAttributeKind { pub fn demands_function_contract_use(self) -> bool { matches!(self, KaniAttributeKind::ProofForContract) } - - /// Would this attribute be placed on a function as part of a function - /// contract. E.g. created by `requires`, `ensures`. - pub fn is_function_contract(self) -> bool { - use KaniAttributeKind::*; - matches!(self, CheckedWith | IsContractGenerated) - } } /// Bundles together common data used when evaluating the attributes of a given @@ -141,7 +139,7 @@ impl<'tcx> KaniAttributes<'tcx> { /// Look up the attributes by a stable MIR DefID pub fn for_def_id(tcx: TyCtxt<'tcx>, def_id: StableDefId) -> Self { - KaniAttributes::for_item(tcx, rustc_internal::internal(def_id)) + KaniAttributes::for_item(tcx, rustc_internal::internal(tcx, def_id)) } pub fn for_item(tcx: TyCtxt<'tcx>, def_id: DefId) -> Self { @@ -200,6 +198,10 @@ impl<'tcx> KaniAttributes<'tcx> { .collect() } + pub(crate) fn has_recursion(&self) -> bool { + self.map.contains_key(&KaniAttributeKind::Recursion) + } + /// Parse and extract the `proof_for_contract(TARGET)` attribute. The /// returned symbol and DefId are respectively the name and id of `TARGET`, /// the span in the span for the attribute (contents). @@ -232,6 +234,11 @@ impl<'tcx> KaniAttributes<'tcx> { .map(|target| expect_key_string_value(self.tcx.sess, target)) } + pub fn proof_for_contract(&self) -> Option> { + self.expect_maybe_one(KaniAttributeKind::ProofForContract) + .map(|target| expect_key_string_value(self.tcx.sess, target)) + } + pub fn inner_check(&self) -> Option> { self.eval_sibling_attribute(KaniAttributeKind::InnerCheck) } @@ -268,7 +275,7 @@ impl<'tcx> KaniAttributes<'tcx> { .hir_id() }; - let result = match hir_map.get_parent(hir_id) { + let result = match self.tcx.parent_hir_node(hir_id) { Node::Item(Item { kind, .. }) => match kind { ItemKind::Mod(m) => find_in_mod(m), ItemKind::Impl(imp) => { @@ -316,6 +323,12 @@ impl<'tcx> KaniAttributes<'tcx> { expect_no_args(self.tcx, kind, attr); }) } + KaniAttributeKind::Recursion => { + expect_single(self.tcx, kind, &attrs); + attrs.iter().for_each(|attr| { + expect_no_args(self.tcx, kind, attr); + }) + } KaniAttributeKind::Solver => { expect_single(self.tcx, kind, &attrs); attrs.iter().for_each(|attr| { @@ -452,6 +465,9 @@ impl<'tcx> KaniAttributes<'tcx> { self.map.iter().fold(HarnessAttributes::default(), |mut harness, (kind, attributes)| { match kind { KaniAttributeKind::ShouldPanic => harness.should_panic = true, + KaniAttributeKind::Recursion => { + self.tcx.dcx().span_err(self.tcx.def_span(self.item), "The attribute `kani::recursion` should only be used in combination with function contracts."); + }, KaniAttributeKind::Solver => { harness.solver = parse_solver(self.tcx, attributes[0]); } @@ -611,14 +627,13 @@ fn parse_modify_values<'a>( let mut iter = t.trees(); std::iter::from_fn(move || { let tree = iter.next()?; - let wrong_token_err = || { - tcx.sess.parse_sess.dcx.span_err(tree.span(), "Unexpected token. Expected identifier.") - }; + let wrong_token_err = + || tcx.sess.psess.dcx.span_err(tree.span(), "Unexpected token. Expected identifier."); let result = match tree { TokenTree::Token(token, _) => { if let TokenKind::Ident(id, _) = &token.kind { let hir = tcx.hir(); - let bid = hir.body_owned_by(local_def_id); + let bid = hir.body_owned_by(local_def_id).id(); Some( hir.body_param_names(bid) .zip(mir.args_iter()) @@ -640,7 +655,7 @@ fn parse_modify_values<'a>( match iter.next() { None | Some(comma_tok!()) => (), Some(not_comma) => { - tcx.sess.parse_sess.dcx.span_err( + tcx.sess.psess.dcx.span_err( not_comma.span(), "Unexpected token, expected end of attribute or comma", ); @@ -662,16 +677,10 @@ fn has_kani_attribute bool>( tcx.get_attrs_unchecked(def_id).iter().filter_map(|a| attr_kind(tcx, a)).any(predicate) } -/// Test if this function was generated by expanding a contract attribute like -/// `requires` and `ensures`. -pub fn is_function_contract_generated(tcx: TyCtxt, def_id: DefId) -> bool { - has_kani_attribute(tcx, def_id, KaniAttributeKind::is_function_contract) -} - /// Same as [`KaniAttributes::is_harness`] but more efficient because less /// attribute parsing is performed. pub fn is_proof_harness(tcx: TyCtxt, instance: InstanceStable) -> bool { - let def_id = rustc_internal::internal(instance.def.def_id()); + let def_id = rustc_internal::internal(tcx, instance.def.def_id()); has_kani_attribute(tcx, def_id, |a| { matches!(a, KaniAttributeKind::Proof | KaniAttributeKind::ProofForContract) }) @@ -679,14 +688,14 @@ pub fn is_proof_harness(tcx: TyCtxt, instance: InstanceStable) -> bool { /// Does this `def_id` have `#[rustc_test_marker]`? pub fn is_test_harness_description(tcx: TyCtxt, item: impl CrateDef) -> bool { - let def_id = rustc_internal::internal(item.def_id()); + let def_id = rustc_internal::internal(tcx, item.def_id()); let attrs = tcx.get_attrs_unchecked(def_id); attr::contains_name(attrs, rustc_span::symbol::sym::rustc_test_marker) } /// Extract the test harness name from the `#[rustc_test_maker]` pub fn test_harness_name(tcx: TyCtxt, def: &impl CrateDef) -> String { - let def_id = rustc_internal::internal(def.def_id()); + let def_id = rustc_internal::internal(tcx, def.def_id()); let attrs = tcx.get_attrs_unchecked(def_id); let marker = attr::find_by_name(attrs, rustc_span::symbol::sym::rustc_test_marker).unwrap(); parse_str_value(&marker).unwrap() @@ -773,10 +782,10 @@ impl<'a> UnstableAttrParseError<'a> { tcx.dcx() .struct_span_err( self.attr.span, - format!("failed to parse `#[kani::unstable]`: {}", self.reason), + format!("failed to parse `#[kani::unstable_feature]`: {}", self.reason), ) .with_note(format!( - "expected format: #[kani::unstable({}, {}, {})]", + "expected format: #[kani::unstable_feature({}, {}, {})]", r#"feature="""#, r#"issue="""#, r#"reason="""# )) .emit() @@ -944,7 +953,7 @@ fn parse_integer(attr: &Attribute) -> Option { if attr_args.len() == 1 { let x = attr_args[0].lit()?; match x.kind { - LitKind::Int(y, ..) => Some(y), + LitKind::Int(y, ..) => Some(y.get()), _ => None, } } @@ -1038,3 +1047,14 @@ fn attr_kind(tcx: TyCtxt, attr: &Attribute) -> Option { _ => None, } } + +pub fn matches_diagnostic(tcx: TyCtxt, def: T, attr_name: &str) -> bool { + let attr_sym = rustc_span::symbol::Symbol::intern(attr_name); + if let Some(attr_id) = tcx.all_diagnostic_items(()).name_to_id.get(&attr_sym) { + if rustc_internal::internal(tcx, def.def_id()) == *attr_id { + debug!("matched: {:?} {:?}", attr_id, attr_sym); + return true; + } + } + false +} diff --git a/kani-compiler/src/kani_middle/codegen_units.rs b/kani-compiler/src/kani_middle/codegen_units.rs new file mode 100644 index 000000000000..260b363a868a --- /dev/null +++ b/kani-compiler/src/kani_middle/codegen_units.rs @@ -0,0 +1,213 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This module is responsible for extracting grouping harnesses that can be processed together +//! by codegen. +//! +//! Today, only stub / contracts can affect the harness codegen. Thus, we group the harnesses +//! according to their stub configuration. + +use crate::args::ReachabilityType; +use crate::kani_middle::attributes::is_proof_harness; +use crate::kani_middle::metadata::gen_proof_metadata; +use crate::kani_middle::reachability::filter_crate_items; +use crate::kani_middle::stubbing::{check_compatibility, harness_stub_map}; +use crate::kani_queries::QueryDb; +use kani_metadata::{ArtifactType, AssignsContract, HarnessMetadata, KaniMetadata}; +use rustc_hir::def_id::{DefId, DefPathHash}; +use rustc_middle::ty::TyCtxt; +use rustc_session::config::OutputType; +use rustc_smir::rustc_internal; +use stable_mir::mir::mono::Instance; +use stable_mir::ty::{FnDef, RigidTy, TyKind}; +use stable_mir::CrateDef; +use std::collections::{BTreeMap, HashMap, HashSet}; +use std::fs::File; +use std::io::BufWriter; +use std::path::{Path, PathBuf}; +use tracing::debug; + +/// A stable (across compilation sessions) identifier for the harness function. +type Harness = Instance; + +/// A set of stubs. +pub type Stubs = HashMap; + +/// Store some relevant information about the crate compilation. +#[derive(Clone, Debug)] +struct CrateInfo { + /// The name of the crate being compiled. + pub name: String, +} + +/// We group the harnesses that have the same stubs. +pub struct CodegenUnits { + units: Vec, + harness_info: HashMap, + crate_info: CrateInfo, +} + +#[derive(Clone, Default, Debug)] +pub struct CodegenUnit { + pub harnesses: Vec, + pub stubs: Stubs, +} + +impl CodegenUnits { + pub fn new(queries: &QueryDb, tcx: TyCtxt) -> Self { + let crate_info = CrateInfo { name: stable_mir::local_crate().name.as_str().into() }; + if queries.args().reachability_analysis == ReachabilityType::Harnesses { + let base_filepath = tcx.output_filenames(()).path(OutputType::Object); + let base_filename = base_filepath.as_path(); + let harnesses = filter_crate_items(tcx, |_, instance| is_proof_harness(tcx, instance)); + let all_harnesses = harnesses + .into_iter() + .map(|harness| { + let metadata = gen_proof_metadata(tcx, harness, &base_filename); + (harness, metadata) + }) + .collect::>(); + + // Even if no_stubs is empty we still need to store rustc metadata. + let units = group_by_stubs(tcx, &all_harnesses); + validate_units(tcx, &units); + debug!(?units, "CodegenUnits::new"); + CodegenUnits { units, harness_info: all_harnesses, crate_info } + } else { + // Leave other reachability type handling as is for now. + CodegenUnits { units: vec![], harness_info: HashMap::default(), crate_info } + } + } + + pub fn iter(&self) -> impl Iterator { + self.units.iter() + } + + /// We store which instance of modifies was generated. + pub fn store_modifies(&mut self, harness_modifies: &[(Harness, AssignsContract)]) { + for (harness, modifies) in harness_modifies { + self.harness_info.get_mut(harness).unwrap().contract = Some(modifies.clone()); + } + } + + /// Write compilation metadata into a file. + pub fn write_metadata(&self, queries: &QueryDb, tcx: TyCtxt) { + let metadata = self.generate_metadata(); + let outpath = metadata_output_path(tcx); + store_metadata(queries, &metadata, &outpath); + } + + pub fn harness_model_path(&self, harness: Harness) -> Option<&PathBuf> { + self.harness_info[&harness].goto_file.as_ref() + } + + /// Generate [KaniMetadata] for the target crate. + fn generate_metadata(&self) -> KaniMetadata { + let (proof_harnesses, test_harnesses) = + self.harness_info.values().cloned().partition(|md| md.attributes.proof); + KaniMetadata { + crate_name: self.crate_info.name.clone(), + proof_harnesses, + unsupported_features: vec![], + test_harnesses, + } + } +} + +fn stub_def(tcx: TyCtxt, def_id: DefId) -> FnDef { + let ty_internal = tcx.type_of(def_id).instantiate_identity(); + let ty = rustc_internal::stable(ty_internal); + if let TyKind::RigidTy(RigidTy::FnDef(def, _)) = ty.kind() { + def + } else { + unreachable!("Expected stub function for `{:?}`, but found: {ty}", tcx.def_path(def_id)) + } +} + +/// Group the harnesses by their stubs. +fn group_by_stubs( + tcx: TyCtxt, + all_harnesses: &HashMap, +) -> Vec { + let mut per_stubs: HashMap, CodegenUnit> = + HashMap::default(); + for (harness, metadata) in all_harnesses { + let stub_ids = harness_stub_map(tcx, *harness, metadata); + let stub_map = stub_ids + .iter() + .map(|(k, v)| (tcx.def_path_hash(*k), tcx.def_path_hash(*v))) + .collect::>(); + if let Some(unit) = per_stubs.get_mut(&stub_map) { + unit.harnesses.push(*harness); + } else { + let stubs = stub_ids + .iter() + .map(|(from, to)| (stub_def(tcx, *from), stub_def(tcx, *to))) + .collect::>(); + let stubs = apply_transitivity(tcx, *harness, stubs); + per_stubs.insert(stub_map, CodegenUnit { stubs, harnesses: vec![*harness] }); + } + } + per_stubs.into_values().collect() +} + +/// Extract the filename for the metadata file. +fn metadata_output_path(tcx: TyCtxt) -> PathBuf { + let filepath = tcx.output_filenames(()).path(OutputType::Object); + let filename = filepath.as_path(); + filename.with_extension(ArtifactType::Metadata).to_path_buf() +} + +/// Write the metadata to a file +fn store_metadata(queries: &QueryDb, metadata: &KaniMetadata, filename: &Path) { + debug!(?filename, "store_metadata"); + let out_file = File::create(filename).unwrap(); + let writer = BufWriter::new(out_file); + if queries.args().output_pretty_json { + serde_json::to_writer_pretty(writer, &metadata).unwrap(); + } else { + serde_json::to_writer(writer, &metadata).unwrap(); + } +} + +/// Validate the unit configuration. +fn validate_units(tcx: TyCtxt, units: &[CodegenUnit]) { + for unit in units { + for (from, to) in &unit.stubs { + // We use harness span since we don't keep the attribute span. + let Err(msg) = check_compatibility(tcx, *from, *to) else { continue }; + let span = unit.harnesses.first().unwrap().def.span(); + tcx.dcx().span_err(rustc_internal::internal(tcx, span), msg); + } + } + tcx.dcx().abort_if_errors(); +} + +/// Apply stub transitivity operations. +/// +/// If `fn1` is stubbed by `fn2`, and `fn2` is stubbed by `fn3`, `f1` is in fact stubbed by `fn3`. +fn apply_transitivity(tcx: TyCtxt, harness: Harness, stubs: Stubs) -> Stubs { + let mut new_stubs = Stubs::with_capacity(stubs.len()); + for (orig, new) in stubs.iter() { + let mut new_fn = *new; + let mut visited = HashSet::new(); + while let Some(stub) = stubs.get(&new_fn) { + if !visited.insert(stub) { + // Visiting the same stub, i.e. found cycle. + let span = harness.def.span(); + tcx.dcx().span_err( + rustc_internal::internal(tcx, span), + format!( + "Cannot stub `{}`. Stub configuration for harness `{}` has a cycle", + orig.name(), + harness.def.name(), + ), + ); + break; + } + new_fn = *stub; + } + new_stubs.insert(*orig, new_fn); + } + new_stubs +} diff --git a/kani-compiler/src/kani_middle/coercion.rs b/kani-compiler/src/kani_middle/coercion.rs index 85d59215d661..822f32631e0c 100644 --- a/kani-compiler/src/kani_middle/coercion.rs +++ b/kani-compiler/src/kani_middle/coercion.rs @@ -16,8 +16,8 @@ use rustc_hir::lang_items::LangItem; use rustc_middle::traits::{ImplSource, ImplSourceUserDefinedData}; use rustc_middle::ty::adjustment::CustomCoerceUnsized; +use rustc_middle::ty::TraitRef; use rustc_middle::ty::{ParamEnv, Ty, TyCtxt}; -use rustc_middle::ty::{TraitRef, TypeAndMut}; use rustc_smir::rustc_internal; use stable_mir::ty::{RigidTy, Ty as TyStable, TyKind}; use stable_mir::Symbol; @@ -66,8 +66,8 @@ pub fn extract_unsize_casting_stable( ) -> CoercionBaseStable { let CoercionBase { src_ty, dst_ty } = extract_unsize_casting( tcx, - rustc_internal::internal(src_ty), - rustc_internal::internal(dst_ty), + rustc_internal::internal(tcx, src_ty), + rustc_internal::internal(tcx, dst_ty), ); CoercionBaseStable { src_ty: rustc_internal::stable(src_ty), @@ -90,11 +90,11 @@ pub fn extract_unsize_casting<'tcx>( .last() .unwrap(); // Extract the pointee type that is being coerced. - let src_pointee_ty = extract_pointee(coerce_info.src_ty).expect(&format!( + let src_pointee_ty = extract_pointee(tcx, coerce_info.src_ty).expect(&format!( "Expected source to be a pointer. Found {:?} instead", coerce_info.src_ty )); - let dst_pointee_ty = extract_pointee(coerce_info.dst_ty).expect(&format!( + let dst_pointee_ty = extract_pointee(tcx, coerce_info.dst_ty).expect(&format!( "Expected destination to be a pointer. Found {:?} instead", coerce_info.dst_ty )); @@ -216,8 +216,8 @@ impl<'tcx> Iterator for CoerceUnsizedIterator<'tcx> { let CustomCoerceUnsized::Struct(coerce_index) = custom_coerce_unsize_info( self.tcx, - rustc_internal::internal(src_ty), - rustc_internal::internal(dst_ty), + rustc_internal::internal(self.tcx, src_ty), + rustc_internal::internal(self.tcx, dst_ty), ); let coerce_index = coerce_index.as_usize(); assert!(coerce_index < src_fields.len()); @@ -229,7 +229,7 @@ impl<'tcx> Iterator for CoerceUnsizedIterator<'tcx> { _ => { // Base case is always a pointer (Box, raw_pointer or reference). assert!( - extract_pointee(src_ty).is_some(), + extract_pointee(self.tcx, src_ty).is_some(), "Expected a pointer, but found {src_ty:?}" ); None @@ -253,7 +253,7 @@ fn custom_coerce_unsize_info<'tcx>( match tcx.codegen_select_candidate((ParamEnv::reveal_all(), trait_ref)) { Ok(ImplSource::UserDefined(ImplSourceUserDefinedData { impl_def_id, .. })) => { - tcx.coerce_unsized_info(impl_def_id).custom_kind.unwrap() + tcx.coerce_unsized_info(impl_def_id).unwrap().custom_kind.unwrap() } impl_source => { unreachable!("invalid `CoerceUnsized` impl_source: {:?}", impl_source); @@ -262,6 +262,6 @@ fn custom_coerce_unsize_info<'tcx>( } /// Extract pointee type from builtin pointer types. -fn extract_pointee<'tcx>(typ: TyStable) -> Option> { - rustc_internal::internal(typ).builtin_deref(true).map(|TypeAndMut { ty, .. }| ty) +fn extract_pointee(tcx: TyCtxt<'_>, typ: TyStable) -> Option> { + rustc_internal::internal(tcx, typ).builtin_deref(true) } diff --git a/kani-compiler/src/kani_middle/intrinsics.rs b/kani-compiler/src/kani_middle/intrinsics.rs index 8a7fc16d8e9f..82a75a91f1ad 100644 --- a/kani-compiler/src/kani_middle/intrinsics.rs +++ b/kani-compiler/src/kani_middle/intrinsics.rs @@ -6,7 +6,7 @@ use rustc_index::IndexVec; use rustc_middle::mir::{Body, Const as mirConst, ConstValue, Operand, TerminatorKind}; use rustc_middle::mir::{Local, LocalDecl}; use rustc_middle::ty::{self, Ty, TyCtxt}; -use rustc_middle::ty::{Const, GenericArgsRef}; +use rustc_middle::ty::{Const, GenericArgsRef, IntrinsicDef}; use rustc_span::source_map::Spanned; use rustc_span::symbol::{sym, Symbol}; use tracing::{debug, trace}; @@ -33,8 +33,8 @@ impl<'tcx> ModelIntrinsics<'tcx> { let terminator = block.terminator_mut(); if let TerminatorKind::Call { func, args, .. } = &mut terminator.kind { let func_ty = func.ty(&self.local_decls, self.tcx); - if let Some((intrinsic_name, generics)) = resolve_rust_intrinsic(self.tcx, func_ty) - { + if let Some((intrinsic, generics)) = resolve_rust_intrinsic(self.tcx, func_ty) { + let intrinsic_name = intrinsic.name; trace!(?func, ?intrinsic_name, "run_pass"); if intrinsic_name == sym::simd_bitmask { self.replace_simd_bitmask(func, args, generics) @@ -57,7 +57,12 @@ impl<'tcx> ModelIntrinsics<'tcx> { let arg_ty = args[0].node.ty(&self.local_decls, tcx); if arg_ty.is_simd() { // Get the stub definition. - let stub_id = tcx.get_diagnostic_item(Symbol::intern("KaniModelSimdBitmask")).unwrap(); + let Some(stub_id) = tcx.get_diagnostic_item(Symbol::intern("KaniModelSimdBitmask")) + else { + // This should only happen when verifying the standard library. + // We don't need to warn here, since the backend will print unsupported constructs. + return; + }; debug!(?func, ?stub_id, "replace_simd_bitmask"); // Get SIMD information from the type. @@ -99,10 +104,10 @@ fn simd_len_and_type<'tcx>(tcx: TyCtxt<'tcx>, simd_ty: Ty<'tcx>) -> (Const<'tcx> fn resolve_rust_intrinsic<'tcx>( tcx: TyCtxt<'tcx>, func_ty: Ty<'tcx>, -) -> Option<(Symbol, GenericArgsRef<'tcx>)> { +) -> Option<(IntrinsicDef, GenericArgsRef<'tcx>)> { if let ty::FnDef(def_id, args) = *func_ty.kind() { - if tcx.is_intrinsic(def_id) { - return Some((tcx.item_name(def_id), args)); + if let Some(symbol) = tcx.intrinsic(def_id) { + return Some((symbol, args)); } } None diff --git a/kani-compiler/src/kani_middle/metadata.rs b/kani-compiler/src/kani_middle/metadata.rs index 02f5da107556..2bf1531a2a1a 100644 --- a/kani-compiler/src/kani_middle/metadata.rs +++ b/kani-compiler/src/kani_middle/metadata.rs @@ -3,7 +3,6 @@ //! This module handles Kani metadata generation. For example, generating HarnessMetadata for a //! given function. -use std::default::Default; use std::path::Path; use crate::kani_middle::attributes::test_harness_name; @@ -24,7 +23,7 @@ pub fn canonical_mangled_name(instance: Instance) -> String { /// Create the harness metadata for a proof harness for a given function. pub fn gen_proof_metadata(tcx: TyCtxt, instance: Instance, base_name: &Path) -> HarnessMetadata { let def = instance.def; - let attributes = KaniAttributes::for_instance(tcx, instance).harness_attributes(); + let kani_attributes = KaniAttributes::for_instance(tcx, instance); let pretty_name = instance.name(); let mangled_name = canonical_mangled_name(instance); @@ -41,7 +40,7 @@ pub fn gen_proof_metadata(tcx: TyCtxt, instance: Instance, base_name: &Path) -> original_file: loc.filename, original_start_line: loc.start_line, original_end_line: loc.end_line, - attributes, + attributes: kani_attributes.harness_attributes(), // TODO: This no longer needs to be an Option. goto_file: Some(model_file), contract: Default::default(), diff --git a/kani-compiler/src/kani_middle/mod.rs b/kani-compiler/src/kani_middle/mod.rs index 66fb2ca0aa33..ce9a80fe1f80 100644 --- a/kani-compiler/src/kani_middle/mod.rs +++ b/kani-compiler/src/kani_middle/mod.rs @@ -6,9 +6,9 @@ use std::collections::HashSet; use std::path::Path; +use crate::kani_middle::transform::BodyTransformation; use crate::kani_queries::QueryDb; use rustc_hir::{def::DefKind, def_id::LOCAL_CRATE}; -use rustc_middle::mir::write_mir_pretty; use rustc_middle::span_bug; use rustc_middle::ty::layout::{ FnAbiError, FnAbiOf, FnAbiOfHelpers, FnAbiRequest, HasParamEnv, HasTyCtxt, LayoutError, @@ -21,11 +21,9 @@ use rustc_span::source_map::respan; use rustc_span::Span; use rustc_target::abi::call::FnAbi; use rustc_target::abi::{HasDataLayout, TargetDataLayout}; -use stable_mir::mir::mono::{Instance, InstanceKind, MonoItem}; -use stable_mir::mir::pretty::pretty_ty; -use stable_mir::ty::{BoundVariableKind, RigidTy, Span as SpanStable, Ty, TyKind}; -use stable_mir::visitor::{Visitable, Visitor as TypeVisitor}; -use stable_mir::{CrateDef, DefId}; +use stable_mir::mir::mono::{Instance, MonoItem}; +use stable_mir::ty::{FnDef, RigidTy, Span as SpanStable, TyKind}; +use stable_mir::CrateDef; use std::fs::File; use std::io::BufWriter; use std::io::Write; @@ -34,6 +32,7 @@ use self::attributes::KaniAttributes; pub mod analysis; pub mod attributes; +pub mod codegen_units; pub mod coercion; mod intrinsics; pub mod metadata; @@ -41,13 +40,14 @@ pub mod provide; pub mod reachability; pub mod resolve; pub mod stubbing; +pub mod transform; /// Check that all crate items are supported and there's no misconfiguration. /// This method will exhaustively print any error / warning and it will abort at the end if any /// error was found. pub fn check_crate_items(tcx: TyCtxt, ignore_asm: bool) { let krate = tcx.crate_name(LOCAL_CRATE); - for item in tcx.hir_crate_items(()).items() { + for item in tcx.hir().items() { let def_id = item.owner_id.def_id.to_def_id(); KaniAttributes::for_item(tcx, def_id).check_attributes(); if tcx.def_kind(def_id) == DefKind::GlobalAsm { @@ -88,117 +88,24 @@ pub fn check_reachable_items(tcx: TyCtxt, queries: &QueryDb, items: &[MonoItem]) .check_unstable_features(&queries.args().unstable_features); def_ids.insert(def_id); } - - // We don't short circuit here since this is a type check and can shake - // out differently depending on generic parameters. - if let MonoItem::Fn(instance) = item { - if attributes::is_function_contract_generated(tcx, rustc_internal::internal(def_id)) { - check_is_contract_safe(tcx, *instance); - } - } } tcx.dcx().abort_if_errors(); } -/// A basic check that ensures a function with a contract does not receive -/// mutable pointers in its input and does not return raw pointers of any kind. -/// -/// This is a temporary safety measure because contracts cannot yet reason -/// about the heap. -fn check_is_contract_safe(tcx: TyCtxt, instance: Instance) { - struct NoMutPtr<'tcx> { - tcx: TyCtxt<'tcx>, - is_prohibited: fn(Ty) -> bool, - /// Where (top level) did the type we're analyzing come from. Used for - /// composing error messages. - r#where: &'static str, - /// Adjective to describe the kind of pointer we're prohibiting. - /// Essentially `is_prohibited` but in English. - what: &'static str, - } - - impl<'tcx> TypeVisitor for NoMutPtr<'tcx> { - type Break = (); - fn visit_ty(&mut self, ty: &Ty) -> std::ops::ControlFlow { - if (self.is_prohibited)(*ty) { - // TODO make this more user friendly - self.tcx.dcx().err(format!( - "{} contains a {}pointer ({}). This is prohibited for functions with contracts, \ - as they cannot yet reason about the pointer behavior.", self.r#where, self.what, - pretty_ty(ty.kind()))); - } - - // Rust's type visitor only recurses into type arguments, (e.g. - // `generics` in this match). This is enough for many types, but it - // won't look at the field types of structs or enums. So we override - // it here and do that ourselves. - // - // Since the field types also must contain in some form all the type - // arguments the visitor will see them as it inspects the fields and - // we don't need to call back to `super`. - if let TyKind::RigidTy(RigidTy::Adt(adt_def, generics)) = ty.kind() { - for variant in adt_def.variants() { - for field in &variant.fields() { - self.visit_ty(&field.ty_with_args(&generics))?; - } - } - std::ops::ControlFlow::Continue(()) - } else { - // For every other type. - ty.super_visit(self) - } - } - } - - fn is_raw_mutable_ptr(ty: Ty) -> bool { - let kind = ty.kind(); - kind.is_raw_ptr() && kind.is_mutable_ptr() - } - - fn is_raw_ptr(ty: Ty) -> bool { - let kind = ty.kind(); - kind.is_raw_ptr() - } - - // TODO: Replace this with fn_abi. - // https://github.com/model-checking/kani/issues/1365 - let bound_fn_sig = instance.ty().kind().fn_sig().unwrap(); - - for var in &bound_fn_sig.bound_vars { - if let BoundVariableKind::Ty(t) = var { - tcx.dcx().span_err( - rustc_internal::internal(instance.def.span()), - format!("Found a bound type variable {t:?} after monomorphization"), - ); - } - } - - let fn_typ = bound_fn_sig.skip_binder(); - - for (input_ty, (is_prohibited, r#where, what)) in fn_typ - .inputs() - .iter() - .copied() - .zip(std::iter::repeat((is_raw_mutable_ptr as fn(_) -> _, "This argument", "mutable "))) - .chain([(fn_typ.output(), (is_raw_ptr as fn(_) -> _, "The return", ""))]) - { - let mut v = NoMutPtr { tcx, is_prohibited, r#where, what }; - v.visit_ty(&input_ty); - } -} - /// Print MIR for the reachable items if the `--emit mir` option was provided to rustc. -pub fn dump_mir_items(tcx: TyCtxt, items: &[MonoItem], output: &Path) { +pub fn dump_mir_items( + tcx: TyCtxt, + transformer: &mut BodyTransformation, + items: &[MonoItem], + output: &Path, +) { /// Convert MonoItem into a DefId. /// Skip stuff that we cannot generate the MIR items. - fn visible_item(item: &MonoItem) -> Option<(MonoItem, DefId)> { + fn get_instance(item: &MonoItem) -> Option { match item { // Exclude FnShims and others that cannot be dumped. - MonoItem::Fn(instance) if matches!(instance.kind, InstanceKind::Item) => { - Some((item.clone(), instance.def.def_id())) - } - MonoItem::Fn(..) => None, - MonoItem::Static(def) => Some((item.clone(), def.def_id())), + MonoItem::Fn(instance) => Some(*instance), + MonoItem::Static(def) => Some((*def).into()), MonoItem::GlobalAsm(_) => None, } } @@ -209,9 +116,10 @@ pub fn dump_mir_items(tcx: TyCtxt, items: &[MonoItem], output: &Path) { let mut writer = BufWriter::new(out_file); // For each def_id, dump their MIR - for (item, def_id) in items.iter().filter_map(visible_item) { - writeln!(writer, "// Item: {item:?}").unwrap(); - write_mir_pretty(tcx, Some(rustc_internal::internal(def_id)), &mut writer).unwrap(); + for instance in items.iter().filter_map(get_instance) { + writeln!(writer, "// Item: {} ({})", instance.name(), instance.mangled_name()).unwrap(); + let body = transformer.body(tcx, instance); + let _ = body.dump(&mut writer, &instance.name()); } } } @@ -222,9 +130,11 @@ pub fn dump_mir_items(tcx: TyCtxt, items: &[MonoItem], output: &Path) { pub struct SourceLocation { pub filename: String, pub start_line: usize, - pub start_col: usize, + #[allow(dead_code)] + pub start_col: usize, // set, but not currently used in Goto output pub end_line: usize, - pub end_col: usize, + #[allow(dead_code)] + pub end_col: usize, // set, but not currently used in Goto output } impl SourceLocation { @@ -312,3 +222,18 @@ impl<'tcx> FnAbiOfHelpers<'tcx> for CompilerHelpers<'tcx> { } } } + +/// Find an instance of a function from the given crate that has been annotated with `diagnostic` +/// item. +fn find_fn_def(tcx: TyCtxt, diagnostic: &str) -> Option { + let attr_id = tcx + .all_diagnostic_items(()) + .name_to_id + .get(&rustc_span::symbol::Symbol::intern(diagnostic))?; + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = + rustc_internal::stable(tcx.type_of(attr_id)).value.kind() + else { + return None; + }; + Some(def) +} diff --git a/kani-compiler/src/kani_middle/provide.rs b/kani-compiler/src/kani_middle/provide.rs index 70e046d6f9d6..91b830a2349b 100644 --- a/kani-compiler/src/kani_middle/provide.rs +++ b/kani-compiler/src/kani_middle/provide.rs @@ -6,14 +6,10 @@ use crate::args::{Arguments, ReachabilityType}; use crate::kani_middle::intrinsics::ModelIntrinsics; -use crate::kani_middle::reachability::{collect_reachable_items, filter_crate_items}; -use crate::kani_middle::stubbing; use crate::kani_queries::QueryDb; use rustc_hir::def_id::{DefId, LocalDefId}; -use rustc_interface; use rustc_middle::util::Providers; -use rustc_middle::{mir::Body, query::queries, ty::TyCtxt}; -use stable_mir::mir::mono::MonoItem; +use rustc_middle::{mir::Body, ty::TyCtxt}; /// Sets up rustc's query mechanism to apply Kani's custom queries to code from /// a crate. @@ -23,10 +19,6 @@ pub fn provide(providers: &mut Providers, queries: &QueryDb) { // Don't override queries if we are only compiling our dependencies. providers.optimized_mir = run_mir_passes; providers.extern_queries.optimized_mir = run_mir_passes_extern; - if args.stubbing_enabled { - // TODO: Check if there's at least one stub being applied. - providers.collect_and_partition_mono_items = collect_and_partition_mono_items; - } } } @@ -59,30 +51,8 @@ fn run_kani_mir_passes<'tcx>( body: &'tcx Body<'tcx>, ) -> &'tcx Body<'tcx> { tracing::debug!(?def_id, "Run Kani transformation passes"); - let mut transformed_body = stubbing::transform(tcx, def_id, body); - stubbing::transform_foreign_functions(tcx, &mut transformed_body); + let mut transformed_body = body.clone(); // This should be applied after stubbing so user stubs take precedence. ModelIntrinsics::run_pass(tcx, &mut transformed_body); tcx.arena.alloc(transformed_body) } - -/// Runs a reachability analysis before running the default -/// `collect_and_partition_mono_items` query. The reachability analysis finds -/// trait mismatches introduced by stubbing and performs a graceful exit in -/// these cases. Left to its own devices, the default query panics. -/// This is an issue when compiling a library, since the crate metadata is -/// generated (using this query) before code generation begins (which is -/// when we normally run the reachability analysis). -fn collect_and_partition_mono_items( - tcx: TyCtxt, - key: (), -) -> queries::collect_and_partition_mono_items::ProvidedValue { - rustc_smir::rustc_internal::run(tcx, || { - let local_reachable = - filter_crate_items(tcx, |_, _| true).into_iter().map(MonoItem::Fn).collect::>(); - // We do not actually need the value returned here. - collect_reachable_items(tcx, &local_reachable); - }) - .unwrap(); - (rustc_interface::DEFAULT_QUERY_PROVIDERS.collect_and_partition_mono_items)(tcx, key) -} diff --git a/kani-compiler/src/kani_middle/reachability.rs b/kani-compiler/src/kani_middle/reachability.rs index 424077a622f9..279dcf8cc107 100644 --- a/kani-compiler/src/kani_middle/reachability.rs +++ b/kani-compiler/src/kani_middle/reachability.rs @@ -25,24 +25,27 @@ use rustc_middle::ty::{TyCtxt, VtblEntry}; use rustc_smir::rustc_internal; use stable_mir::mir::alloc::{AllocId, GlobalAlloc}; use stable_mir::mir::mono::{Instance, InstanceKind, MonoItem, StaticDef}; -use stable_mir::mir::pretty::pretty_ty; use stable_mir::mir::{ - visit::Location, Body, CastKind, Constant, MirVisitor, PointerCoercion, Rvalue, Terminator, + visit::Location, Body, CastKind, ConstOperand, MirVisitor, PointerCoercion, Rvalue, Terminator, TerminatorKind, }; use stable_mir::ty::{Allocation, ClosureKind, ConstantKind, RigidTy, Ty, TyKind}; -use stable_mir::{self, CrateItem}; +use stable_mir::CrateItem; use stable_mir::{CrateDef, ItemKind}; use crate::kani_middle::coercion; use crate::kani_middle::coercion::CoercionBase; -use crate::kani_middle::stubbing::{get_stub, validate_instance}; +use crate::kani_middle::transform::BodyTransformation; /// Collect all reachable items starting from the given starting points. -pub fn collect_reachable_items(tcx: TyCtxt, starting_points: &[MonoItem]) -> Vec { +pub fn collect_reachable_items( + tcx: TyCtxt, + transformer: &mut BodyTransformation, + starting_points: &[MonoItem], +) -> Vec { // For each harness, collect items using the same collector. // I.e.: This will return any item that is reachable from one or more of the starting points. - let mut collector = MonoItemsCollector::new(tcx); + let mut collector = MonoItemsCollector::new(tcx, transformer); for item in starting_points { collector.collect(item.clone()); } @@ -75,7 +78,7 @@ where .filter_map(|item| { // Only collect monomorphic items. // TODO: Remove the def_kind check once https://github.com/rust-lang/rust/pull/119135 has been released. - let def_id = rustc_internal::internal(item.def_id()); + let def_id = rustc_internal::internal(tcx, item.def_id()); (matches!(tcx.def_kind(def_id), rustc_hir::def::DefKind::Ctor(..)) || matches!(item.kind(), ItemKind::Fn)) .then(|| { @@ -92,7 +95,11 @@ where /// /// Probably only specifically useful with a predicate to find `TestDescAndFn` const declarations from /// tests and extract the closures from them. -pub fn filter_const_crate_items(tcx: TyCtxt, mut predicate: F) -> Vec +pub fn filter_const_crate_items( + tcx: TyCtxt, + transformer: &mut BodyTransformation, + mut predicate: F, +) -> Vec where F: FnMut(TyCtxt, Instance) -> bool, { @@ -103,13 +110,9 @@ where // Only collect monomorphic items. if let Ok(instance) = Instance::try_from(item) { if predicate(tcx, instance) { - let body = instance.body().unwrap(); - let mut collector = MonoItemsFnCollector { - tcx, - body: &body, - collected: FxHashSet::default(), - instance: &instance, - }; + let body = transformer.body(tcx, instance); + let mut collector = + MonoItemsFnCollector { tcx, body: &body, collected: FxHashSet::default() }; collector.visit_body(&body); roots.extend(collector.collected.into_iter()); } @@ -118,9 +121,11 @@ where roots } -struct MonoItemsCollector<'tcx> { +struct MonoItemsCollector<'tcx, 'a> { /// The compiler context. tcx: TyCtxt<'tcx>, + /// The body transformation object used to retrieve a transformed body. + transformer: &'a mut BodyTransformation, /// Set of collected items used to avoid entering recursion loops. collected: FxHashSet, /// Items enqueued for visiting. @@ -129,14 +134,15 @@ struct MonoItemsCollector<'tcx> { call_graph: debug::CallGraph, } -impl<'tcx> MonoItemsCollector<'tcx> { - pub fn new(tcx: TyCtxt<'tcx>) -> Self { +impl<'tcx, 'a> MonoItemsCollector<'tcx, 'a> { + pub fn new(tcx: TyCtxt<'tcx>, transformer: &'a mut BodyTransformation) -> Self { MonoItemsCollector { tcx, collected: FxHashSet::default(), queue: vec![], #[cfg(debug_assertions)] call_graph: debug::CallGraph::default(), + transformer, } } @@ -173,19 +179,11 @@ impl<'tcx> MonoItemsCollector<'tcx> { /// Visit a function and collect all mono-items reachable from its instructions. fn visit_fn(&mut self, instance: Instance) -> Vec { let _guard = debug_span!("visit_fn", function=?instance).entered(); - if validate_instance(self.tcx, instance) { - let body = instance.body().unwrap(); - let mut collector = MonoItemsFnCollector { - tcx: self.tcx, - collected: FxHashSet::default(), - body: &body, - instance: &instance, - }; - collector.visit_body(&body); - collector.collected.into_iter().collect() - } else { - vec![] - } + let body = self.transformer.body(self.tcx, instance); + let mut collector = + MonoItemsFnCollector { tcx: self.tcx, collected: FxHashSet::default(), body: &body }; + collector.visit_body(&body); + collector.collected.into_iter().collect() } /// Visit a static object and collect drop / initialization functions. @@ -217,7 +215,6 @@ struct MonoItemsFnCollector<'a, 'tcx> { tcx: TyCtxt<'tcx>, collected: FxHashSet, body: &'a Body, - instance: &'a Instance, } impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { @@ -237,7 +234,8 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { let poly_trait_ref = principal.with_self_ty(concrete_ty); // Walk all methods of the trait, including those of its supertraits - let entries = self.tcx.vtable_entries(rustc_internal::internal(&poly_trait_ref)); + let entries = + self.tcx.vtable_entries(rustc_internal::internal(self.tcx, &poly_trait_ref)); let methods = entries.iter().filter_map(|entry| match entry { VtblEntry::MetadataAlign | VtblEntry::MetadataDropInPlace @@ -264,11 +262,22 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { /// Collect an instance depending on how it is used (invoked directly or via fn_ptr). fn collect_instance(&mut self, instance: Instance, is_direct_call: bool) { let should_collect = match instance.kind { - InstanceKind::Virtual { .. } | InstanceKind::Intrinsic => { + InstanceKind::Virtual { .. } => { // Instance definition has no body. assert!(is_direct_call, "Expected direct call {instance:?}"); false } + InstanceKind::Intrinsic => { + // Intrinsics may have a fallback body. + assert!(is_direct_call, "Expected direct call {instance:?}"); + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = instance.ty().kind() else { + unreachable!("Expected function type for intrinsic: {instance:?}") + }; + // The compiler is currently transitioning how to handle intrinsic fallback body. + // Until https://github.com/rust-lang/project-stable-mir/issues/79 is implemented + // we have to check `must_be_overridden` and `has_body`. + !def.as_intrinsic().unwrap().must_be_overridden() && instance.has_body() + } InstanceKind::Shim | InstanceKind::Item => true, }; if should_collect && should_codegen_locally(&instance) { @@ -290,7 +299,7 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { /// 1. Every function / method / closures that may be directly invoked. /// 2. Every function / method / closures that may have their address taken. /// 3. Every method that compose the impl of a trait for a given type when there's a conversion -/// from the type to the trait. +/// from the type to the trait. /// - I.e.: If we visit the following code: /// ``` /// let var = MyType::new(); @@ -300,7 +309,8 @@ impl<'a, 'tcx> MonoItemsFnCollector<'a, 'tcx> { /// 4. Every Static variable that is referenced in the function or constant used in the function. /// 5. Drop glue. /// 6. Static Initialization -/// This code has been mostly taken from `rustc_monomorphize::collector::MirNeighborCollector`. +/// +/// Remark: This code has been mostly taken from `rustc_monomorphize::collector::MirNeighborCollector`. impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { /// Collect the following: /// - Trait implementations when casting from concrete to dyn Trait. @@ -365,9 +375,9 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { } /// Collect constants that are represented as static variables. - fn visit_constant(&mut self, constant: &Constant, location: Location) { - debug!(?constant, ?location, literal=?constant.literal, "visit_constant"); - let allocation = match constant.literal.kind() { + fn visit_const_operand(&mut self, constant: &ConstOperand, location: Location) { + debug!(?constant, ?location, literal=?constant.const_, "visit_constant"); + let allocation = match constant.const_.kind() { ConstantKind::Allocated(allocation) => allocation, ConstantKind::Unevaluated(_) => { unreachable!("Instance with polymorphic constant: `{constant:?}`") @@ -377,6 +387,10 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { // Nothing to do here. return; } + ConstantKind::Ty(_) => { + // Nothing to do here. + return; + } }; self.collect_allocation(&allocation); } @@ -389,49 +403,8 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { TerminatorKind::Call { ref func, .. } => { let fn_ty = func.ty(self.body.locals()).unwrap(); if let TyKind::RigidTy(RigidTy::FnDef(fn_def, args)) = fn_ty.kind() { - let instance_opt = Instance::resolve(fn_def, &args).ok(); - match instance_opt { - None => { - let caller = CrateItem::try_from(*self.instance).unwrap().name(); - let callee = fn_def.name(); - // Check if the current function has been stubbed. - if let Some(stub) = - get_stub(self.tcx, rustc_internal::internal(self.instance).def_id()) - { - // During the MIR stubbing transformation, we do not - // force type variables in the stub's signature to - // implement the same traits as those in the - // original function/method. A trait mismatch shows - // up here, when we try to resolve a trait method - - // FIXME: This assumes the type resolving the - // trait is the first argument, but that isn't - // necessarily true. It could be any argument or - // even the return type, for instance for a - // trait like `FromIterator`. - let receiver_ty = args.0[0].expect_ty(); - let sep = callee.rfind("::").unwrap(); - let trait_ = &callee[..sep]; - self.tcx.dcx().span_err( - rustc_internal::internal(terminator.span), - format!( - "`{}` doesn't implement \ - `{}`. The function `{}` \ - cannot be stubbed by `{}` due to \ - generic bounds not being met. Callee: {}", - pretty_ty(receiver_ty.kind()), - trait_, - caller, - self.tcx.def_path_str(stub), - callee, - ), - ); - } else { - panic!("unable to resolve call to `{callee}` in `{caller}`") - } - } - Some(instance) => self.collect_instance(instance, true), - }; + let instance = Instance::resolve(fn_def, &args).unwrap(); + self.collect_instance(instance, true); } else { assert!( matches!(fn_ty.kind().rigid(), Some(RigidTy::FnPtr(..))), @@ -465,8 +438,8 @@ impl<'a, 'tcx> MirVisitor for MonoItemsFnCollector<'a, 'tcx> { fn extract_unsize_coercion(tcx: TyCtxt, orig_ty: Ty, dst_trait: Ty) -> (Ty, Ty) { let CoercionBase { src_ty, dst_ty } = coercion::extract_unsize_casting( tcx, - rustc_internal::internal(orig_ty), - rustc_internal::internal(dst_trait), + rustc_internal::internal(tcx, orig_ty), + rustc_internal::internal(tcx, dst_trait), ); (rustc_internal::stable(src_ty), rustc_internal::stable(dst_ty)) } @@ -476,7 +449,7 @@ fn extract_unsize_coercion(tcx: TyCtxt, orig_ty: Ty, dst_trait: Ty) -> (Ty, Ty) fn to_fingerprint(tcx: TyCtxt, item: &MonoItem) -> Fingerprint { tcx.with_stable_hashing_context(|mut hcx| { let mut hasher = StableHasher::new(); - rustc_internal::internal(item).hash_stable(&mut hcx, &mut hasher); + rustc_internal::internal(tcx, item).hash_stable(&mut hcx, &mut hasher); hasher.finish() }) } @@ -513,8 +486,8 @@ fn collect_alloc_items(alloc_id: AllocId) -> Vec { } #[cfg(debug_assertions)] +#[allow(dead_code)] mod debug { - #![allow(dead_code)] use std::fmt::{Display, Formatter}; use std::{ @@ -570,7 +543,8 @@ mod debug { if let Ok(target) = std::env::var("KANI_REACH_DEBUG") { debug!(?target, "dump_dot"); let outputs = tcx.output_filenames(()); - let path = outputs.output_path(OutputType::Metadata).with_extension("dot"); + let base_path = outputs.path(OutputType::Metadata); + let path = base_path.as_path().with_extension("dot"); let out_file = File::create(path)?; let mut writer = BufWriter::new(out_file); writeln!(writer, "digraph ReachabilityGraph {{")?; diff --git a/kani-compiler/src/kani_middle/resolve.rs b/kani-compiler/src/kani_middle/resolve.rs index e88485ebc6d7..816f25343fe3 100644 --- a/kani-compiler/src/kani_middle/resolve.rs +++ b/kani-compiler/src/kani_middle/resolve.rs @@ -247,7 +247,7 @@ where /// Resolves an external crate name. fn resolve_external(tcx: TyCtxt, name: &str) -> Option { debug!(?name, "resolve_external"); - tcx.crates(()).iter().find_map(|crate_num| { + tcx.used_crates(()).iter().find_map(|crate_num| { let crate_name = tcx.crate_name(*crate_num); if crate_name.as_str() == name { Some(DefId { index: CRATE_DEF_INDEX, krate: *crate_num }) @@ -399,8 +399,11 @@ fn resolve_in_type<'tcx>( name: &str, ) -> Result> { debug!(?name, ?type_id, "resolve_in_type"); + let missing_item_err = + || ResolveError::MissingItem { tcx, base: type_id, unresolved: name.to_string() }; // Try the inherent `impl` blocks (i.e., non-trait `impl`s). tcx.inherent_impls(type_id) + .map_err(|_| missing_item_err())? .iter() .flat_map(|impl_id| tcx.associated_item_def_ids(impl_id)) .cloned() @@ -409,9 +412,5 @@ fn resolve_in_type<'tcx>( let last = item_path.split("::").last().unwrap(); last == name }) - .ok_or_else(|| ResolveError::MissingItem { - tcx, - base: type_id, - unresolved: name.to_string(), - }) + .ok_or_else(missing_item_err) } diff --git a/kani-compiler/src/kani_middle/stubbing/annotations.rs b/kani-compiler/src/kani_middle/stubbing/annotations.rs index 52b994ab97d2..9fc7be491d85 100644 --- a/kani-compiler/src/kani_middle/stubbing/annotations.rs +++ b/kani-compiler/src/kani_middle/stubbing/annotations.rs @@ -2,11 +2,10 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! This file contains code for extracting stubbing-related attributes. -use std::collections::BTreeMap; +use std::collections::HashMap; use kani_metadata::Stub; use rustc_hir::def_id::{DefId, LocalDefId}; -use rustc_hir::definitions::DefPathHash; use rustc_middle::ty::TyCtxt; use crate::kani_middle::resolve::resolve_fn; @@ -42,21 +41,19 @@ pub fn update_stub_mapping( tcx: TyCtxt, harness: LocalDefId, stub: &Stub, - stub_pairs: &mut BTreeMap, + stub_pairs: &mut HashMap, ) { if let Some((orig_id, stub_id)) = stub_def_ids(tcx, harness, stub) { - let orig_hash = tcx.def_path_hash(orig_id); - let stub_hash = tcx.def_path_hash(stub_id); - let other_opt = stub_pairs.insert(orig_hash, stub_hash); + let other_opt = stub_pairs.insert(orig_id, stub_id); if let Some(other) = other_opt { - if other != stub_hash { + if other != stub_id { tcx.dcx().span_err( tcx.def_span(harness), format!( "duplicate stub mapping: {} mapped to {} and {}", tcx.def_path_str(orig_id), tcx.def_path_str(stub_id), - tcx.def_path_str(tcx.def_path_hash_to_def_id(other, &mut || panic!())) + tcx.def_path_str(other) ), ); } diff --git a/kani-compiler/src/kani_middle/stubbing/mod.rs b/kani-compiler/src/kani_middle/stubbing/mod.rs index 9dda0144eda4..f145a4d105e2 100644 --- a/kani-compiler/src/kani_middle/stubbing/mod.rs +++ b/kani-compiler/src/kani_middle/stubbing/mod.rs @@ -3,20 +3,21 @@ //! This module contains code for implementing stubbing. mod annotations; -mod transform; -use std::collections::BTreeMap; +use itertools::Itertools; +use rustc_span::DUMMY_SP; +use std::collections::HashMap; use tracing::{debug, trace}; -pub use self::transform::*; use kani_metadata::HarnessMetadata; -use rustc_hir::definitions::DefPathHash; +use rustc_hir::def_id::DefId; use rustc_middle::mir::Const; use rustc_middle::ty::{self, EarlyBinder, ParamEnv, TyCtxt, TypeFoldable}; use rustc_smir::rustc_internal; use stable_mir::mir::mono::Instance; use stable_mir::mir::visit::{Location, MirVisitor}; -use stable_mir::mir::Constant; +use stable_mir::mir::ConstOperand; +use stable_mir::ty::{FnDef, RigidTy, TyKind}; use stable_mir::{CrateDef, CrateItem}; use self::annotations::update_stub_mapping; @@ -26,16 +27,118 @@ pub fn harness_stub_map( tcx: TyCtxt, harness: Instance, metadata: &HarnessMetadata, -) -> BTreeMap { - let def_id = rustc_internal::internal(harness.def.def_id()); +) -> HashMap { + let def_id = rustc_internal::internal(tcx, harness.def.def_id()); let attrs = &metadata.attributes; - let mut stub_pairs = BTreeMap::default(); + let mut stub_pairs = HashMap::default(); for stubs in &attrs.stubs { update_stub_mapping(tcx, def_id.expect_local(), stubs, &mut stub_pairs); } stub_pairs } +/// Retrieve the index of the host parameter if old definition has one, but not the new definition. +/// +/// This is to allow constant functions to be stubbed by non-constant functions when the +/// `effect` feature is on. +/// +/// Note that the opposite is not supported today, but users should be able to change their stubs. +/// +/// Note that this has no effect at runtime. +pub fn contract_host_param(tcx: TyCtxt, old_def: FnDef, new_def: FnDef) -> Option { + let old_generics = tcx.generics_of(rustc_internal::internal(tcx, old_def.def_id())); + let new_generics = tcx.generics_of(rustc_internal::internal(tcx, new_def.def_id())); + if old_generics.host_effect_index.is_some() && new_generics.host_effect_index.is_none() { + old_generics.host_effect_index + } else { + None + } +} + +/// Checks whether the stub is compatible with the original function/method: do +/// the arities and types (of the parameters and return values) match up? This +/// does **NOT** check whether the type variables are constrained to implement +/// the same traits; trait mismatches are checked during monomorphization. +pub fn check_compatibility(tcx: TyCtxt, old_def: FnDef, new_def: FnDef) -> Result<(), String> { + // TODO: Validate stubs that do not have body. + // We could potentially look at the function signature to see if they match. + // However, they will include region information which can make types different. + let Some(old_body) = old_def.body() else { return Ok(()) }; + let Some(new_body) = new_def.body() else { return Ok(()) }; + // Check whether the arities match. + if old_body.arg_locals().len() != new_body.arg_locals().len() { + let msg = format!( + "arity mismatch: original function/method `{}` takes {} argument(s), stub `{}` takes {}", + old_def.name(), + old_body.arg_locals().len(), + new_def.name(), + new_body.arg_locals().len(), + ); + return Err(msg); + } + // Check whether the numbers of generic parameters match. + let old_def_id = rustc_internal::internal(tcx, old_def.def_id()); + let new_def_id = rustc_internal::internal(tcx, new_def.def_id()); + let old_ty = rustc_internal::stable(tcx.type_of(old_def_id)).value; + let new_ty = rustc_internal::stable(tcx.type_of(new_def_id)).value; + let TyKind::RigidTy(RigidTy::FnDef(_, mut old_args)) = old_ty.kind() else { + unreachable!("Expected function, but found {old_ty}") + }; + let TyKind::RigidTy(RigidTy::FnDef(_, new_args)) = new_ty.kind() else { + unreachable!("Expected function, but found {new_ty}") + }; + if let Some(idx) = contract_host_param(tcx, old_def, new_def) { + old_args.0.remove(idx); + } + + // TODO: We should check for the parameter type too or replacement will fail. + if old_args.0.len() != new_args.0.len() { + let msg = format!( + "mismatch in the number of generic parameters: original function/method `{}` takes {} generic parameters(s), stub `{}` takes {}", + old_def.name(), + old_args.0.len(), + new_def.name(), + new_args.0.len(), + ); + return Err(msg); + } + // Check whether the types match. Index 0 refers to the returned value, + // indices [1, `arg_count`] refer to the parameters. + // TODO: We currently force generic parameters in the stub to have exactly + // the same names as their counterparts in the original function/method; + // instead, we should be checking for the equivalence of types up to the + // renaming of generic parameters. + // + let old_ret_ty = old_body.ret_local().ty; + let new_ret_ty = new_body.ret_local().ty; + let mut diff = vec![]; + if old_ret_ty != new_ret_ty { + diff.push(format!("Expected return type `{old_ret_ty}`, but found `{new_ret_ty}`")); + } + for (i, (old_arg, new_arg)) in + old_body.arg_locals().iter().zip(new_body.arg_locals().iter()).enumerate() + { + if old_arg.ty != new_arg.ty { + diff.push(format!( + "Expected type `{}` for parameter {}, but found `{}`", + old_arg.ty, + i + 1, + new_arg.ty + )); + } + } + if !diff.is_empty() { + Err(format!( + "Cannot stub `{}` by `{}`.\n - {}", + old_def.name(), + new_def.name(), + diff.iter().join("\n - ") + )) + } else { + Ok(()) + } +} + /// Validate that an instance body can be instantiated. /// /// Stubbing may cause an instance to not be correctly instantiated since we delay checking its @@ -43,17 +146,13 @@ pub fn harness_stub_map( /// /// In stable MIR, trying to retrieve an `Instance::body()` will ICE if we cannot evaluate a /// constant as expected. For now, use internal APIs to anticipate this issue. -pub fn validate_instance(tcx: TyCtxt, instance: Instance) -> bool { - let internal_instance = rustc_internal::internal(instance); - if get_stub(tcx, internal_instance.def_id()).is_some() { - debug!(?instance, "validate_instance"); - let item = CrateItem::try_from(instance).unwrap(); - let mut checker = StubConstChecker::new(tcx, internal_instance, item); - checker.visit_body(&item.body()); - checker.is_valid() - } else { - true - } +pub fn validate_stub_const(tcx: TyCtxt, instance: Instance) -> bool { + debug!(?instance, "validate_instance"); + let item = CrateItem::try_from(instance).unwrap(); + let internal_instance = rustc_internal::internal(tcx, instance); + let mut checker = StubConstChecker::new(tcx, internal_instance, item); + checker.visit_body(&item.body()); + checker.is_valid() } struct StubConstChecker<'tcx> { @@ -86,14 +185,14 @@ impl<'tcx> StubConstChecker<'tcx> { impl<'tcx> MirVisitor for StubConstChecker<'tcx> { /// Collect constants that are represented as static variables. - fn visit_constant(&mut self, constant: &Constant, location: Location) { - let const_ = self.monomorphize(rustc_internal::internal(&constant.literal)); + fn visit_const_operand(&mut self, constant: &ConstOperand, location: Location) { + let const_ = self.monomorphize(rustc_internal::internal(self.tcx, &constant.const_)); debug!(?constant, ?location, ?const_, "visit_constant"); match const_ { Const::Val(..) | Const::Ty(..) => {} Const::Unevaluated(un_eval, _) => { // Thread local fall into this category. - if self.tcx.const_eval_resolve(ParamEnv::reveal_all(), un_eval, None).is_err() { + if self.tcx.const_eval_resolve(ParamEnv::reveal_all(), un_eval, DUMMY_SP).is_err() { // The `monomorphize` call should have evaluated that constant already. let tcx = self.tcx; let mono_const = &un_eval; @@ -109,7 +208,7 @@ impl<'tcx> MirVisitor for StubConstChecker<'tcx> { tcx.def_path_str(trait_), self.source.name() ); - tcx.dcx().span_err(rustc_internal::internal(location.span()), msg); + tcx.dcx().span_err(rustc_internal::internal(self.tcx, location.span()), msg); self.is_valid = false; } } diff --git a/kani-compiler/src/kani_middle/stubbing/transform.rs b/kani-compiler/src/kani_middle/stubbing/transform.rs deleted file mode 100644 index ff845b188dca..000000000000 --- a/kani-compiler/src/kani_middle/stubbing/transform.rs +++ /dev/null @@ -1,214 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! This module contains code related to the MIR-to-MIR pass that performs the -//! stubbing of functions and methods. The primary function of the module is -//! `transform`, which takes the `DefId` of a function/method and returns the -//! body of its stub, if appropriate. The stub mapping it uses is set via rustc -//! arguments. - -use std::collections::{BTreeMap, HashMap}; - -use lazy_static::lazy_static; -use regex::Regex; -use rustc_data_structures::fingerprint::Fingerprint; -use rustc_hir::{def_id::DefId, definitions::DefPathHash}; -use rustc_index::IndexVec; -use rustc_middle::mir::{ - visit::MutVisitor, Body, Const, ConstValue, Local, LocalDecl, Location, Operand, -}; -use rustc_middle::ty::{self, TyCtxt}; - -use tracing::debug; - -/// Returns the `DefId` of the stub for the function/method identified by the -/// parameter `def_id`, and `None` if the function/method is not stubbed. -pub fn get_stub(tcx: TyCtxt, def_id: DefId) -> Option { - let mapping = get_stub_mapping(tcx)?; - mapping.get(&def_id).copied() -} - -/// Returns the new body of a function/method if it has been stubbed out; -/// otherwise, returns the old body. -pub fn transform<'tcx>(tcx: TyCtxt<'tcx>, def_id: DefId, old_body: &'tcx Body<'tcx>) -> Body<'tcx> { - if let Some(replacement) = get_stub(tcx, def_id) { - debug!( - original = tcx.def_path_debug_str(def_id), - replaced = tcx.def_path_debug_str(replacement), - "transform" - ); - let new_body = tcx.optimized_mir(replacement).clone(); - if check_compatibility(tcx, def_id, old_body, replacement, &new_body) { - return new_body; - } - } - old_body.clone() -} - -/// Traverse `body` searching for calls to foreing functions and, whevever there is -/// a stub available, replace the call to the foreign function with a call -/// to its correspondent stub. This happens as a separate step because there is no -/// body available to foreign functions at this stage. -pub fn transform_foreign_functions<'tcx>(tcx: TyCtxt<'tcx>, body: &mut Body<'tcx>) { - if let Some(stub_map) = get_stub_mapping(tcx) { - let mut visitor = - ForeignFunctionTransformer { tcx, local_decls: body.clone().local_decls, stub_map }; - visitor.visit_body(body); - } -} - -struct ForeignFunctionTransformer<'tcx> { - /// The compiler context. - tcx: TyCtxt<'tcx>, - /// Local declarations of the callee function. Kani searches here for foreign functions. - local_decls: IndexVec>, - /// Map of functions/methods to their correspondent stubs. - stub_map: HashMap, -} - -impl<'tcx> MutVisitor<'tcx> for ForeignFunctionTransformer<'tcx> { - fn tcx(&self) -> TyCtxt<'tcx> { - self.tcx - } - - fn visit_operand(&mut self, operand: &mut Operand<'tcx>, _location: Location) { - let func_ty = operand.ty(&self.local_decls, self.tcx); - if let ty::FnDef(reachable_function, arguments) = *func_ty.kind() { - if self.tcx.is_foreign_item(reachable_function) { - if let Some(stub) = self.stub_map.get(&reachable_function) { - let Operand::Constant(function_definition) = operand else { - return; - }; - function_definition.const_ = Const::from_value( - ConstValue::ZeroSized, - self.tcx.type_of(stub).instantiate(self.tcx, arguments), - ); - } - } - } - } -} - -/// Checks whether the stub is compatible with the original function/method: do -/// the arities and types (of the parameters and return values) match up? This -/// does **NOT** check whether the type variables are constrained to implement -/// the same traits; trait mismatches are checked during monomorphization. -fn check_compatibility<'a, 'tcx>( - tcx: TyCtxt, - old_def_id: DefId, - old_body: &'a Body<'tcx>, - stub_def_id: DefId, - stub_body: &'a Body<'tcx>, -) -> bool { - // Check whether the arities match. - if old_body.arg_count != stub_body.arg_count { - tcx.dcx().span_err( - tcx.def_span(stub_def_id), - format!( - "arity mismatch: original function/method `{}` takes {} argument(s), stub `{}` takes {}", - tcx.def_path_str(old_def_id), - old_body.arg_count, - tcx.def_path_str(stub_def_id), - stub_body.arg_count - ), - ); - return false; - } - // Check whether the numbers of generic parameters match. - let old_num_generics = tcx.generics_of(old_def_id).count(); - let stub_num_generics = tcx.generics_of(stub_def_id).count(); - if old_num_generics != stub_num_generics { - tcx.dcx().span_err( - tcx.def_span(stub_def_id), - format!( - "mismatch in the number of generic parameters: original function/method `{}` takes {} generic parameters(s), stub `{}` takes {}", - tcx.def_path_str(old_def_id), - old_num_generics, - tcx.def_path_str(stub_def_id), - stub_num_generics - ), - ); - return false; - } - // Check whether the types match. Index 0 refers to the returned value, - // indices [1, `arg_count`] refer to the parameters. - // TODO: We currently force generic parameters in the stub to have exactly - // the same names as their counterparts in the original function/method; - // instead, we should be checking for the equivalence of types up to the - // renaming of generic parameters. - // - let mut matches = true; - for i in 0..=old_body.arg_count { - let old_arg = old_body.local_decls.get(i.into()).unwrap(); - let new_arg = stub_body.local_decls.get(i.into()).unwrap(); - if old_arg.ty != new_arg.ty { - let prefix = if i == 0 { - "return type differs".to_string() - } else { - format!("type of parameter {} differs", i - 1) - }; - tcx.dcx().span_err( - new_arg.source_info.span, - format!( - "{prefix}: stub `{}` has type `{}` where original function/method `{}` has type `{}`", - tcx.def_path_str(stub_def_id), - new_arg.ty, - tcx.def_path_str(old_def_id), - old_arg.ty - ), - ); - matches = false; - } - } - matches -} - -/// The prefix we will use when serializing the stub mapping as a rustc argument. -const RUSTC_ARG_PREFIX: &str = "kani_stubs="; - -/// Serializes the stub mapping into a rustc argument. -pub fn mk_rustc_arg(stub_mapping: &BTreeMap) -> String { - // Serialize each `DefPathHash` as a pair of `u64`s, and the whole mapping - // as an association list. - let mut pairs = Vec::new(); - for (k, v) in stub_mapping { - let (k_a, k_b) = k.0.split(); - let kparts = (k_a.as_u64(), k_b.as_u64()); - let (v_a, v_b) = v.0.split(); - let vparts = (v_a.as_u64(), v_b.as_u64()); - pairs.push((kparts, vparts)); - } - // Store our serialized mapping as a fake LLVM argument (safe to do since - // LLVM will never see them). - format!("-Cllvm-args='{RUSTC_ARG_PREFIX}{}'", serde_json::to_string(&pairs).unwrap()) -} - -/// Deserializes the stub mapping from the rustc argument value. -fn deserialize_mapping(tcx: TyCtxt, val: &str) -> HashMap { - type Item = (u64, u64); - let item_to_def_id = |item: Item| -> DefId { - let hash = DefPathHash(Fingerprint::new(item.0, item.1)); - tcx.def_path_hash_to_def_id(hash, &mut || panic!()) - }; - let pairs: Vec<(Item, Item)> = serde_json::from_str(val).unwrap(); - let mut m = HashMap::default(); - for (k, v) in pairs { - let kid = item_to_def_id(k); - let vid = item_to_def_id(v); - m.insert(kid, vid); - } - m -} - -/// Retrieves the stub mapping from the compiler configuration. -fn get_stub_mapping(tcx: TyCtxt) -> Option> { - // Use a static so that we compile the regex only once. - lazy_static! { - static ref RE: Regex = Regex::new(&format!("'{RUSTC_ARG_PREFIX}(.*)'")).unwrap(); - } - for arg in &tcx.sess.opts.cg.llvm_args { - if let Some(captures) = RE.captures(arg) { - return Some(deserialize_mapping(tcx, captures.get(1).unwrap().as_str())); - } - } - None -} diff --git a/kani-compiler/src/kani_middle/transform/body.rs b/kani-compiler/src/kani_middle/transform/body.rs new file mode 100644 index 000000000000..2bf424a1332d --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/body.rs @@ -0,0 +1,421 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Utility functions that allow us to modify a function body. + +use crate::kani_middle::find_fn_def; +use rustc_middle::ty::TyCtxt; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::*; +use stable_mir::ty::{GenericArgs, MirConst, Span, Ty, UintTy}; +use std::fmt::Debug; +use std::mem; + +/// This structure mimics a Body that can actually be modified. +pub struct MutableBody { + blocks: Vec, + + /// Declarations of locals within the function. + /// + /// The first local is the return value pointer, followed by `arg_count` + /// locals for the function arguments, followed by any user-declared + /// variables and temporaries. + locals: Vec, + + /// The number of arguments this function takes. + arg_count: usize, + + /// Debug information pertaining to user variables, including captures. + var_debug_info: Vec, + + /// Mark an argument (which must be a tuple) as getting passed as its individual components. + /// + /// This is used for the "rust-call" ABI such as closures. + spread_arg: Option, + + /// The span that covers the entire function body. + span: Span, +} + +impl MutableBody { + /// Get the basic blocks of this builder. + pub fn blocks(&self) -> &[BasicBlock] { + &self.blocks + } + + pub fn locals(&self) -> &[LocalDecl] { + &self.locals + } + + /// Create a mutable body from the original MIR body. + pub fn from(body: Body) -> Self { + MutableBody { + locals: body.locals().to_vec(), + arg_count: body.arg_locals().len(), + spread_arg: body.spread_arg(), + blocks: body.blocks, + var_debug_info: body.var_debug_info, + span: body.span, + } + } + + /// Create the new body consuming this mutable body. + pub fn into(self) -> Body { + Body::new( + self.blocks, + self.locals, + self.arg_count, + self.var_debug_info, + self.spread_arg, + self.span, + ) + } + + /// Add a new local to the body with the given attributes. + pub fn new_local(&mut self, ty: Ty, span: Span, mutability: Mutability) -> Local { + let decl = LocalDecl { ty, span, mutability }; + let local = self.locals.len(); + self.locals.push(decl); + local + } + + pub fn new_str_operand(&mut self, msg: &str, span: Span) -> Operand { + let literal = MirConst::from_str(msg); + Operand::Constant(ConstOperand { span, user_ty: None, const_: literal }) + } + + pub fn new_const_operand(&mut self, val: u128, uint_ty: UintTy, span: Span) -> Operand { + let literal = MirConst::try_from_uint(val, uint_ty).unwrap(); + Operand::Constant(ConstOperand { span, user_ty: None, const_: literal }) + } + + /// Create a raw pointer of `*mut type` and return a new local where that value is stored. + pub fn new_cast_ptr( + &mut self, + from: Operand, + pointee_ty: Ty, + mutability: Mutability, + before: &mut SourceInstruction, + ) -> Local { + assert!(from.ty(self.locals()).unwrap().kind().is_raw_ptr()); + let target_ty = Ty::new_ptr(pointee_ty, mutability); + let rvalue = Rvalue::Cast(CastKind::PtrToPtr, from, target_ty); + self.new_assignment(rvalue, before) + } + + /// Add a new assignment for the given binary operation. + /// + /// Return the local where the result is saved. + pub fn new_binary_op( + &mut self, + bin_op: BinOp, + lhs: Operand, + rhs: Operand, + before: &mut SourceInstruction, + ) -> Local { + let rvalue = Rvalue::BinaryOp(bin_op, lhs, rhs); + self.new_assignment(rvalue, before) + } + + /// Add a new assignment. + /// + /// Return local where the result is saved. + pub fn new_assignment(&mut self, rvalue: Rvalue, before: &mut SourceInstruction) -> Local { + let span = before.span(&self.blocks); + let ret_ty = rvalue.ty(&self.locals).unwrap(); + let result = self.new_local(ret_ty, span, Mutability::Not); + let stmt = Statement { kind: StatementKind::Assign(Place::from(result), rvalue), span }; + self.insert_stmt(stmt, before); + result + } + + /// Add a new assert to the basic block indicated by the given index. + /// + /// The new assertion will have the same span as the source instruction, and the basic block + /// will be split. The source instruction will be adjusted to point to the first instruction in + /// the new basic block. + pub fn add_check( + &mut self, + tcx: TyCtxt, + check_type: &CheckType, + source: &mut SourceInstruction, + value: Local, + msg: &str, + ) { + assert_eq!( + self.locals[value].ty, + Ty::bool_ty(), + "Expected boolean value as the assert input" + ); + let new_bb = self.blocks.len(); + let span = source.span(&self.blocks); + match check_type { + CheckType::Assert(assert_fn) => { + let assert_op = Operand::Copy(Place::from(self.new_local( + assert_fn.ty(), + span, + Mutability::Not, + ))); + let msg_op = self.new_str_operand(msg, span); + let kind = TerminatorKind::Call { + func: assert_op, + args: vec![Operand::Move(Place::from(value)), msg_op], + destination: Place { + local: self.new_local(Ty::new_tuple(&[]), span, Mutability::Not), + projection: vec![], + }, + target: Some(new_bb), + unwind: UnwindAction::Terminate, + }; + let terminator = Terminator { kind, span }; + self.split_bb(source, terminator); + } + CheckType::Panic | CheckType::NoCore => { + tcx.sess + .dcx() + .struct_err("Failed to instrument the code. Cannot find `kani::assert`") + .with_note("Kani requires `kani` library in order to verify a crate.") + .emit(); + tcx.sess.dcx().abort_if_errors(); + unreachable!(); + } + } + } + + /// Split a basic block right before the source location and use the new terminator + /// in the basic block that was split. + /// + /// The source is updated to point to the same instruction which is now in the new basic block. + pub fn split_bb(&mut self, source: &mut SourceInstruction, new_term: Terminator) { + let new_bb_idx = self.blocks.len(); + let (idx, bb) = match source { + SourceInstruction::Statement { idx, bb } => { + let (orig_idx, orig_bb) = (*idx, *bb); + *idx = 0; + *bb = new_bb_idx; + (orig_idx, orig_bb) + } + SourceInstruction::Terminator { bb } => { + let orig_bb = *bb; + *bb = new_bb_idx; + (self.blocks[orig_bb].statements.len(), orig_bb) + } + }; + let old_term = mem::replace(&mut self.blocks[bb].terminator, new_term); + let bb_stmts = &mut self.blocks[bb].statements; + let remaining = bb_stmts.split_off(idx); + let new_bb = BasicBlock { statements: remaining, terminator: old_term }; + self.blocks.push(new_bb); + } + + /// Insert statement before the source instruction and update the source as needed. + pub fn insert_stmt(&mut self, new_stmt: Statement, before: &mut SourceInstruction) { + match before { + SourceInstruction::Statement { idx, bb } => { + self.blocks[*bb].statements.insert(*idx, new_stmt); + *idx += 1; + } + SourceInstruction::Terminator { bb } => { + // Append statements at the end of the basic block. + self.blocks[*bb].statements.push(new_stmt); + } + } + } + + /// Clear all the existing logic of this body and turn it into a simple `return`. + /// + /// This function can be used when a new implementation of the body is needed. + /// For example, Kani intrinsics usually have a dummy body, which is replaced + /// by the compiler. This function allow us to delete the dummy body before + /// creating a new one. + /// + /// Note: We do not prune the local variables today for simplicity. + pub fn clear_body(&mut self) { + self.blocks.clear(); + let terminator = Terminator { kind: TerminatorKind::Return, span: self.span }; + self.blocks.push(BasicBlock { statements: Vec::default(), terminator }) + } +} + +#[derive(Clone, Debug)] +pub enum CheckType { + /// This is used by default when the `kani` crate is available. + Assert(Instance), + /// When the `kani` crate is not available, we have to model the check as an `if { panic!() }`. + Panic, + /// When building non-core crate, such as `rustc-std-workspace-core`, we cannot + /// instrument code, but we can still compile them. + NoCore, +} + +impl CheckType { + /// This will create the type of check that is available in the current crate. + /// + /// If `kani` crate is available, this will return [CheckType::Assert], and the instance will + /// point to `kani::assert`. Otherwise, we will collect the `core::panic_str` method and return + /// [CheckType::Panic]. + pub fn new(tcx: TyCtxt) -> CheckType { + if let Some(instance) = find_instance(tcx, "KaniAssert") { + CheckType::Assert(instance) + } else if find_instance(tcx, "panic_str").is_some() { + CheckType::Panic + } else { + CheckType::NoCore + } + } +} + +/// We store the index of an instruction to avoid borrow checker issues and unnecessary copies. +#[derive(Copy, Clone, Debug)] +pub enum SourceInstruction { + Statement { idx: usize, bb: BasicBlockIdx }, + Terminator { bb: BasicBlockIdx }, +} + +impl SourceInstruction { + pub fn span(&self, blocks: &[BasicBlock]) -> Span { + match *self { + SourceInstruction::Statement { idx, bb } => blocks[bb].statements[idx].span, + SourceInstruction::Terminator { bb } => blocks[bb].terminator.span, + } + } +} + +fn find_instance(tcx: TyCtxt, diagnostic: &str) -> Option { + Instance::resolve(find_fn_def(tcx, diagnostic)?, &GenericArgs(vec![])).ok() +} + +/// Basic mutable body visitor. +/// +/// We removed many methods for simplicity. +/// +/// TODO: Contribute this to stable_mir. +/// +/// +/// This code was based on the existing MirVisitor: +/// +pub trait MutMirVisitor { + fn visit_body(&mut self, body: &mut MutableBody) { + self.super_body(body) + } + + fn visit_basic_block(&mut self, bb: &mut BasicBlock) { + self.super_basic_block(bb) + } + + fn visit_statement(&mut self, stmt: &mut Statement) { + self.super_statement(stmt) + } + + fn visit_terminator(&mut self, term: &mut Terminator) { + self.super_terminator(term) + } + + fn visit_rvalue(&mut self, rvalue: &mut Rvalue) { + self.super_rvalue(rvalue) + } + + fn visit_operand(&mut self, _operand: &mut Operand) {} + + fn super_body(&mut self, body: &mut MutableBody) { + for bb in body.blocks.iter_mut() { + self.visit_basic_block(bb); + } + } + + fn super_basic_block(&mut self, bb: &mut BasicBlock) { + for stmt in &mut bb.statements { + self.visit_statement(stmt); + } + self.visit_terminator(&mut bb.terminator); + } + + fn super_statement(&mut self, stmt: &mut Statement) { + match &mut stmt.kind { + StatementKind::Assign(_, rvalue) => { + self.visit_rvalue(rvalue); + } + StatementKind::Intrinsic(intrisic) => match intrisic { + NonDivergingIntrinsic::Assume(operand) => { + self.visit_operand(operand); + } + NonDivergingIntrinsic::CopyNonOverlapping(CopyNonOverlapping { + src, + dst, + count, + }) => { + self.visit_operand(src); + self.visit_operand(dst); + self.visit_operand(count); + } + }, + StatementKind::FakeRead(_, _) + | StatementKind::SetDiscriminant { .. } + | StatementKind::Deinit(_) + | StatementKind::StorageLive(_) + | StatementKind::StorageDead(_) + | StatementKind::Retag(_, _) + | StatementKind::PlaceMention(_) + | StatementKind::AscribeUserType { .. } + | StatementKind::Coverage(_) + | StatementKind::ConstEvalCounter + | StatementKind::Nop => {} + } + } + + fn super_terminator(&mut self, term: &mut Terminator) { + let Terminator { kind, .. } = term; + match kind { + TerminatorKind::Assert { cond, .. } => { + self.visit_operand(cond); + } + TerminatorKind::Call { func, args, .. } => { + self.visit_operand(func); + for arg in args { + self.visit_operand(arg); + } + } + TerminatorKind::SwitchInt { discr, .. } => { + self.visit_operand(discr); + } + TerminatorKind::InlineAsm { .. } => { + // we don't support inline assembly. + } + TerminatorKind::Return + | TerminatorKind::Goto { .. } + | TerminatorKind::Resume + | TerminatorKind::Abort + | TerminatorKind::Drop { .. } + | TerminatorKind::Unreachable => {} + } + } + + fn super_rvalue(&mut self, rvalue: &mut Rvalue) { + match rvalue { + Rvalue::Aggregate(_, operands) => { + for op in operands { + self.visit_operand(op); + } + } + Rvalue::BinaryOp(_, lhs, rhs) | Rvalue::CheckedBinaryOp(_, lhs, rhs) => { + self.visit_operand(lhs); + self.visit_operand(rhs); + } + Rvalue::Cast(_, op, _) => { + self.visit_operand(op); + } + Rvalue::Repeat(op, _) => { + self.visit_operand(op); + } + Rvalue::ShallowInitBox(op, _) => self.visit_operand(op), + Rvalue::UnaryOp(_, op) | Rvalue::Use(op) => { + self.visit_operand(op); + } + Rvalue::AddressOf(..) => {} + Rvalue::CopyForDeref(_) | Rvalue::Discriminant(_) | Rvalue::Len(_) => {} + Rvalue::Ref(..) => {} + Rvalue::ThreadLocalRef(_) => {} + Rvalue::NullaryOp(..) => {} + } + } +} diff --git a/kani-compiler/src/kani_middle/transform/check_values.rs b/kani-compiler/src/kani_middle/transform/check_values.rs new file mode 100644 index 000000000000..4ecb16fab023 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/check_values.rs @@ -0,0 +1,951 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Implement a transformation pass that instrument the code to detect possible UB due to +//! the generation of an invalid value. +//! +//! This pass highly depend on Rust type layouts. For more details, see: +//! +//! +//! For that, we traverse the function body and look for unsafe operations that may generate +//! invalid values. For each operation found, we add checks to ensure the value is valid. +//! +//! Note: There is some redundancy in the checks that could be optimized. Example: +//! 1. We could merge the invalid values by the offset. +//! 2. We could avoid checking places that have been checked before. +use crate::args::ExtraChecks; +use crate::kani_middle::transform::body::{CheckType, MutableBody, SourceInstruction}; +use crate::kani_middle::transform::check_values::SourceOp::UnsupportedCheck; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::{Const, TyCtxt}; +use rustc_smir::rustc_internal; +use stable_mir::abi::{FieldsShape, Scalar, TagEncoding, ValueAbi, VariantsShape, WrappingRange}; +use stable_mir::mir::mono::{Instance, InstanceKind}; +use stable_mir::mir::visit::{Location, PlaceContext, PlaceRef}; +use stable_mir::mir::{ + AggregateKind, BasicBlockIdx, BinOp, Body, CastKind, ConstOperand, FieldIdx, Local, LocalDecl, + MirVisitor, Mutability, NonDivergingIntrinsic, Operand, Place, ProjectionElem, Rvalue, + Statement, StatementKind, Terminator, TerminatorKind, +}; +use stable_mir::target::{MachineInfo, MachineSize}; +use stable_mir::ty::{AdtKind, IndexedVal, MirConst, RigidTy, Ty, TyKind, UintTy}; +use stable_mir::CrateDef; +use std::fmt::Debug; +use strum_macros::AsRefStr; +use tracing::{debug, trace}; + +/// Instrument the code with checks for invalid values. +#[derive(Debug)] +pub struct ValidValuePass { + pub check_type: CheckType, +} + +impl TransformPass for ValidValuePass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Instrumentation + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + let args = query_db.args(); + args.ub_check.contains(&ExtraChecks::Validity) + } + + /// Transform the function body by inserting checks one-by-one. + /// For every unsafe dereference or a transmute operation, we check all values are valid. + fn transform(&self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + let mut new_body = MutableBody::from(body); + let orig_len = new_body.blocks().len(); + // Do not cache body.blocks().len() since it will change as we add new checks. + for bb_idx in 0..new_body.blocks().len() { + let Some(candidate) = + CheckValueVisitor::find_next(tcx, &new_body, bb_idx, bb_idx >= orig_len) + else { + continue; + }; + self.build_check(tcx, &mut new_body, candidate); + } + (orig_len != new_body.blocks().len(), new_body.into()) + } +} + +impl ValidValuePass { + fn build_check(&self, tcx: TyCtxt, body: &mut MutableBody, instruction: UnsafeInstruction) { + debug!(?instruction, "build_check"); + let mut source = instruction.source; + for operation in instruction.operations { + match operation { + SourceOp::BytesValidity { ranges, target_ty, rvalue } => { + let value = body.new_assignment(rvalue, &mut source); + let rvalue_ptr = Rvalue::AddressOf(Mutability::Not, Place::from(value)); + for range in ranges { + let result = build_limits(body, &range, rvalue_ptr.clone(), &mut source); + let msg = + format!("Undefined Behavior: Invalid value of type `{target_ty}`",); + body.add_check(tcx, &self.check_type, &mut source, result, &msg); + } + } + SourceOp::DerefValidity { pointee_ty, rvalue, ranges } => { + for range in ranges { + let result = build_limits(body, &range, rvalue.clone(), &mut source); + let msg = + format!("Undefined Behavior: Invalid value of type `{pointee_ty}`",); + body.add_check(tcx, &self.check_type, &mut source, result, &msg); + } + } + SourceOp::UnsupportedCheck { check, ty } => { + let reason = format!( + "Kani currently doesn't support checking validity of `{check}` for `{ty}`", + ); + self.unsupported_check(tcx, body, &mut source, &reason); + } + } + } + } + + fn unsupported_check( + &self, + tcx: TyCtxt, + body: &mut MutableBody, + source: &mut SourceInstruction, + reason: &str, + ) { + let span = source.span(body.blocks()); + let rvalue = Rvalue::Use(Operand::Constant(ConstOperand { + const_: MirConst::from_bool(false), + span, + user_ty: None, + })); + let result = body.new_assignment(rvalue, source); + body.add_check(tcx, &self.check_type, source, result, reason); + } +} + +fn move_local(local: Local) -> Operand { + Operand::Move(Place::from(local)) +} + +fn uint_ty(bytes: usize) -> UintTy { + match bytes { + 1 => UintTy::U8, + 2 => UintTy::U16, + 4 => UintTy::U32, + 8 => UintTy::U64, + 16 => UintTy::U128, + _ => unreachable!("Unexpected size: {bytes}"), + } +} + +/// Represent a requirement for the value stored in the given offset. +#[derive(Clone, Debug, Eq, PartialEq, Hash)] +pub struct ValidValueReq { + /// Offset in bytes. + offset: usize, + /// Size of this requirement. + size: MachineSize, + /// The range restriction is represented by a Scalar. + valid_range: WrappingRange, +} + +// TODO: Optimize checks by merging requirements whenever possible. +// There are a few cases that would need to be cover: +// 1- Ranges intersection is the same as one of the ranges (or both). +// 2- Ranges intersection is a new valid range. +// 3- Ranges intersection is a combination of two new ranges. +// 4- Intersection is empty. +impl ValidValueReq { + /// Only a type with `ValueAbi::Scalar` and `ValueAbi::ScalarPair` can be directly assigned an + /// invalid value directly. + /// + /// It's not possible to define a `rustc_layout_scalar_valid_range_*` to any other structure. + /// Note that this annotation only applies to the first scalar in the layout. + pub fn try_from_ty(machine_info: &MachineInfo, ty: Ty) -> Option { + let shape = ty.layout().unwrap().shape(); + match shape.abi { + ValueAbi::Scalar(Scalar::Initialized { value, valid_range }) + | ValueAbi::ScalarPair(Scalar::Initialized { value, valid_range }, _) => { + Some(ValidValueReq { offset: 0, size: value.size(machine_info), valid_range }) + } + ValueAbi::Scalar(_) + | ValueAbi::ScalarPair(_, _) + | ValueAbi::Uninhabited + | ValueAbi::Vector { .. } + | ValueAbi::Aggregate { .. } => None, + } + } + + /// Check if range is full. + pub fn is_full(&self) -> bool { + self.valid_range.is_full(self.size).unwrap() + } + + /// Check if this range contains `other` range. + /// + /// I.e., `scalar_2` ⊆ `scalar_1` + pub fn contains(&self, other: &ValidValueReq) -> bool { + assert_eq!(self.size, other.size); + match (self.valid_range.wraps_around(), other.valid_range.wraps_around()) { + (true, true) | (false, false) => { + self.valid_range.start <= other.valid_range.start + && self.valid_range.end >= other.valid_range.end + } + (true, false) => { + self.valid_range.start <= other.valid_range.start + || self.valid_range.end >= other.valid_range.end + } + (false, true) => self.is_full(), + } + } +} + +#[derive(AsRefStr, Clone, Debug)] +enum SourceOp { + /// Validity checks are done on a byte level when the Rvalue can generate invalid value. + /// + /// This variant tracks a location that is valid for its current type, but it may not be + /// valid for the given location in target type. This happens for: + /// - Transmute + /// - Field assignment + /// - Aggregate assignment + /// - Union Access + /// + /// Each range is a pair of offset and scalar that represents the valid values. + /// Note that the same offset may have multiple ranges that may require being joined. + BytesValidity { target_ty: Ty, rvalue: Rvalue, ranges: Vec }, + + /// Similar to BytesValidity, but it stores any dereference that may be unsafe. + /// + /// This can happen for: + /// - Raw pointer dereference + DerefValidity { pointee_ty: Ty, rvalue: Rvalue, ranges: Vec }, + + /// Represents a range check Kani currently does not support. + /// + /// This will translate into an assertion failure with an unsupported message. + /// There are many corner cases with the usage of #[rustc_layout_scalar_valid_range_*] + /// attribute. Such as valid ranges that do not intersect or enumeration with variants + /// with niche. + /// + /// Supporting all cases require significant work, and it is unlikely to exist in real world + /// code. To be on the sound side, we just emit an unsupported check, and users will need to + /// disable the check in person, and create a feature request for their case. + /// + /// TODO: Consider replacing the assertion(false) by an unsupported operation that emits a + /// compilation warning. + UnsupportedCheck { check: String, ty: Ty }, +} + +/// The unsafe instructions that may generate invalid values. +/// We need to instrument all operations to ensure the instruction is safe. +#[derive(Clone, Debug)] +struct UnsafeInstruction { + /// The instruction that depends on the potentially invalid value. + source: SourceInstruction, + /// The unsafe operations that may cause an invalid value in this instruction. + operations: Vec, +} + +/// Extract any source that may potentially trigger UB due to the generation of an invalid value. +/// +/// Generating an invalid value requires an unsafe operation, however, in MIR, it +/// may just be represented as a regular assignment. +/// +/// Thus, we have to instrument every assignment to an object that has niche and that the source +/// is an object of a different source, e.g.: +/// - Aggregate assignment +/// - Transmute +/// - MemCopy +/// - Cast +struct CheckValueVisitor<'a, 'b> { + tcx: TyCtxt<'b>, + locals: &'a [LocalDecl], + /// Whether we should skip the next instruction, since it might've been instrumented already. + /// When we instrument an instruction, we partition the basic block, and the instruction that + /// may trigger UB becomes the first instruction of the basic block, which we need to skip + /// later. + skip_next: bool, + /// The instruction being visited at a given point. + current: SourceInstruction, + /// The target instruction that should be verified. + pub target: Option, + /// The basic block being visited. + bb: BasicBlockIdx, + /// Machine information needed to calculate Niche. + machine: MachineInfo, +} + +impl<'a, 'b> CheckValueVisitor<'a, 'b> { + fn find_next( + tcx: TyCtxt<'b>, + body: &'a MutableBody, + bb: BasicBlockIdx, + skip_first: bool, + ) -> Option { + let mut visitor = CheckValueVisitor { + tcx, + locals: body.locals(), + skip_next: skip_first, + current: SourceInstruction::Statement { idx: 0, bb }, + target: None, + bb, + machine: MachineInfo::target(), + }; + visitor.visit_basic_block(&body.blocks()[bb]); + visitor.target + } + + fn push_target(&mut self, op: SourceOp) { + let target = self + .target + .get_or_insert_with(|| UnsafeInstruction { source: self.current, operations: vec![] }); + target.operations.push(op); + } +} + +impl<'a, 'b> MirVisitor for CheckValueVisitor<'a, 'b> { + fn visit_statement(&mut self, stmt: &Statement, location: Location) { + if self.skip_next { + self.skip_next = false; + } else if self.target.is_none() { + // Leave it as an exhaustive match to be notified when a new kind is added. + match &stmt.kind { + StatementKind::Intrinsic(NonDivergingIntrinsic::CopyNonOverlapping(copy)) => { + // Source is a *const T and it must be safe for read. + // TODO: Implement value check. + self.push_target(SourceOp::UnsupportedCheck { + check: "copy_nonoverlapping".to_string(), + ty: copy.src.ty(self.locals).unwrap(), + }); + } + StatementKind::Assign(place, rvalue) => { + // First check rvalue. + self.super_statement(stmt, location); + // Then check the destination place. + let ranges = assignment_check_points( + &self.machine, + self.locals, + place, + rvalue.ty(self.locals).unwrap(), + ); + if !ranges.is_empty() { + self.push_target(SourceOp::BytesValidity { + target_ty: self.locals[place.local].ty, + rvalue: rvalue.clone(), + ranges, + }); + } + } + StatementKind::FakeRead(_, _) + | StatementKind::SetDiscriminant { .. } + | StatementKind::Deinit(_) + | StatementKind::StorageLive(_) + | StatementKind::StorageDead(_) + | StatementKind::Retag(_, _) + | StatementKind::PlaceMention(_) + | StatementKind::AscribeUserType { .. } + | StatementKind::Coverage(_) + | StatementKind::ConstEvalCounter + | StatementKind::Intrinsic(NonDivergingIntrinsic::Assume(_)) + | StatementKind::Nop => self.super_statement(stmt, location), + } + } + + let SourceInstruction::Statement { idx, bb } = self.current else { unreachable!() }; + self.current = SourceInstruction::Statement { idx: idx + 1, bb }; + } + fn visit_terminator(&mut self, term: &Terminator, location: Location) { + if !(self.skip_next || self.target.is_some()) { + self.current = SourceInstruction::Terminator { bb: self.bb }; + // Leave it as an exhaustive match to be notified when a new kind is added. + match &term.kind { + TerminatorKind::Call { func, args, .. } => { + // Note: For transmute, both Src and Dst must be valid type. + // In this case, we need to save the Dst, and invoke super_terminator. + self.super_terminator(term, location); + let instance = expect_instance(self.locals, func); + if instance.kind == InstanceKind::Intrinsic { + match instance.intrinsic_name().unwrap().as_str() { + "write_bytes" => { + // The write bytes intrinsic may trigger UB in safe code. + // pub unsafe fn write_bytes(dst: *mut T, val: u8, count: usize) + // + // This is an over-approximation since writing an invalid value is + // not UB, only reading it will be. + assert_eq!( + args.len(), + 3, + "Unexpected number of arguments for `write_bytes`" + ); + let TyKind::RigidTy(RigidTy::RawPtr(target_ty, Mutability::Mut)) = + args[0].ty(self.locals).unwrap().kind() + else { + unreachable!() + }; + let validity = ty_validity_per_offset(&self.machine, target_ty, 0); + match validity { + Ok(ranges) if ranges.is_empty() => {} + Ok(ranges) => { + let sz = rustc_internal::stable(Const::from_target_usize( + self.tcx, + target_ty.layout().unwrap().shape().size.bytes() as u64, + )); + self.push_target(SourceOp::BytesValidity { + target_ty, + rvalue: Rvalue::Repeat(args[1].clone(), sz), + ranges, + }) + } + _ => self.push_target(SourceOp::UnsupportedCheck { + check: "write_bytes".to_string(), + ty: target_ty, + }), + } + } + "transmute" | "transmute_copy" => { + unreachable!("Should've been lowered") + } + _ => {} + } + } + } + TerminatorKind::Goto { .. } + | TerminatorKind::SwitchInt { .. } + | TerminatorKind::Resume + | TerminatorKind::Abort + | TerminatorKind::Return + | TerminatorKind::Unreachable + | TerminatorKind::Drop { .. } + | TerminatorKind::Assert { .. } + | TerminatorKind::InlineAsm { .. } => self.super_terminator(term, location), + } + } + } + + fn visit_place(&mut self, place: &Place, ptx: PlaceContext, location: Location) { + for (idx, elem) in place.projection.iter().enumerate() { + let place_ref = PlaceRef { local: place.local, projection: &place.projection[..idx] }; + match elem { + ProjectionElem::Deref => { + let ptr_ty = place_ref.ty(self.locals).unwrap(); + if ptr_ty.kind().is_raw_ptr() { + let target_ty = elem.ty(ptr_ty).unwrap(); + let validity = ty_validity_per_offset(&self.machine, target_ty, 0); + match validity { + Ok(ranges) if !ranges.is_empty() => { + self.push_target(SourceOp::DerefValidity { + pointee_ty: target_ty, + rvalue: Rvalue::Use( + Operand::Copy(Place { + local: place_ref.local, + projection: place_ref.projection.to_vec(), + }) + .clone(), + ), + ranges, + }) + } + Err(_msg) => self.push_target(SourceOp::UnsupportedCheck { + check: "raw pointer dereference".to_string(), + ty: target_ty, + }), + _ => {} + } + } + } + ProjectionElem::Field(idx, target_ty) => { + if target_ty.kind().is_union() + && (!ptx.is_mutating() || place.projection.len() > idx + 1) + { + let validity = ty_validity_per_offset(&self.machine, *target_ty, 0); + match validity { + Ok(ranges) if !ranges.is_empty() => { + self.push_target(SourceOp::BytesValidity { + target_ty: *target_ty, + rvalue: Rvalue::Use(Operand::Copy(Place { + local: place_ref.local, + projection: place_ref.projection.to_vec(), + })), + ranges, + }) + } + Err(_msg) => self.push_target(SourceOp::UnsupportedCheck { + check: "union access".to_string(), + ty: *target_ty, + }), + _ => {} + } + } + } + ProjectionElem::Downcast(_) => {} + ProjectionElem::OpaqueCast(_) => {} + ProjectionElem::Subtype(_) => {} + ProjectionElem::Index(_) + | ProjectionElem::ConstantIndex { .. } + | ProjectionElem::Subslice { .. } => { /* safe */ } + } + } + self.super_place(place, ptx, location) + } + + fn visit_rvalue(&mut self, rvalue: &Rvalue, location: Location) { + match rvalue { + Rvalue::Cast(kind, op, dest_ty) => match kind { + CastKind::PtrToPtr => { + // For mutable raw pointer, if the type we are casting to is less restrictive + // than the original type, writing to the pointer could generate UB if the + // value is ever read again using the original pointer. + let TyKind::RigidTy(RigidTy::RawPtr(dest_pointee_ty, Mutability::Mut)) = + dest_ty.kind() + else { + // We only care about *mut T as *mut U + return; + }; + if dest_pointee_ty.kind().is_unit() { + // Ignore cast to *mut () since nothing can be written to it. + // This is a common pattern + return; + } + + let src_ty = op.ty(self.locals).unwrap(); + debug!(?src_ty, ?dest_ty, "visit_rvalue mutcast"); + let TyKind::RigidTy(RigidTy::RawPtr(src_pointee_ty, _)) = src_ty.kind() else { + unreachable!() + }; + + if src_pointee_ty.kind().is_unit() { + // We cannot track what was the initial type. Thus, fail. + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: src_ty, + }); + return; + } + + if let Ok(src_validity) = + ty_validity_per_offset(&self.machine, src_pointee_ty, 0) + { + if !src_validity.is_empty() { + if let Ok(dest_validity) = + ty_validity_per_offset(&self.machine, dest_pointee_ty, 0) + { + if dest_validity != src_validity { + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: src_ty, + }) + } + } else { + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: *dest_ty, + }) + } + } + } else { + self.push_target(SourceOp::UnsupportedCheck { + check: "mutable cast".to_string(), + ty: src_ty, + }) + } + } + CastKind::Transmute => { + debug!(?dest_ty, "transmute"); + // For transmute, we care about the destination type only. + // This could be optimized to only add a check if the requirements of the + // destination type are stricter than the source. + if let Ok(dest_validity) = ty_validity_per_offset(&self.machine, *dest_ty, 0) { + trace!(?dest_validity, "transmute"); + if !dest_validity.is_empty() { + self.push_target(SourceOp::BytesValidity { + target_ty: *dest_ty, + rvalue: rvalue.clone(), + ranges: dest_validity, + }) + } + } else { + self.push_target(SourceOp::UnsupportedCheck { + check: "transmute".to_string(), + ty: *dest_ty, + }) + } + } + // `DynStar` is not currently supported in Kani. + // TODO: https://github.com/model-checking/kani/issues/1784 + CastKind::DynStar => self.push_target(UnsupportedCheck { + check: "Dyn*".to_string(), + ty: (rvalue.ty(self.locals).unwrap()), + }), + CastKind::PointerExposeAddress + | CastKind::PointerWithExposedProvenance + | CastKind::PointerCoercion(_) + | CastKind::IntToInt + | CastKind::FloatToInt + | CastKind::FloatToFloat + | CastKind::IntToFloat + | CastKind::FnPtrToPtr => {} + }, + Rvalue::ShallowInitBox(_, _) => { + // The contents of the box is considered uninitialized. + // This should already be covered by the Assign detection. + } + Rvalue::Aggregate(kind, operands) => match kind { + // If the aggregated structure has invalid value, this could generate invalid value. + // But only if the operands don't have the exact same restrictions. + // This happens today with the usage of `rustc_layout_scalar_valid_range_*` + // attributes. + // In this case, only the value of the first member in memory can be restricted, + // thus, we only need to check the operand used to assign to the first in memory + // field. + AggregateKind::Adt(def, _variant, args, _, _) => { + if def.kind() == AdtKind::Struct { + let dest_ty = Ty::from_rigid_kind(RigidTy::Adt(*def, args.clone())); + if let Some(req) = ValidValueReq::try_from_ty(&self.machine, dest_ty) + && !req.is_full() + { + let dest_layout = dest_ty.layout().unwrap().shape(); + let first_op = + first_aggregate_operand(dest_ty, &dest_layout.fields, operands); + let first_ty = first_op.ty(self.locals).unwrap(); + // Rvalue must have same Abi layout except for range. + if !req.contains( + &ValidValueReq::try_from_ty(&self.machine, first_ty).unwrap(), + ) { + self.push_target(SourceOp::BytesValidity { + target_ty: dest_ty, + rvalue: Rvalue::Use(first_op), + ranges: vec![req], + }) + } + } + } + } + // Only aggregate value. + AggregateKind::Array(_) + | AggregateKind::Closure(_, _) + | AggregateKind::Coroutine(_, _, _) + | AggregateKind::RawPtr(_, _) + | AggregateKind::Tuple => {} + }, + Rvalue::AddressOf(_, _) + | Rvalue::BinaryOp(_, _, _) + | Rvalue::CheckedBinaryOp(_, _, _) + | Rvalue::CopyForDeref(_) + | Rvalue::Discriminant(_) + | Rvalue::Len(_) + | Rvalue::Ref(_, _, _) + | Rvalue::Repeat(_, _) + | Rvalue::ThreadLocalRef(_) + | Rvalue::NullaryOp(_, _) + | Rvalue::UnaryOp(_, _) + | Rvalue::Use(_) => {} + } + self.super_rvalue(rvalue, location); + } +} + +/// Gets the operand that corresponds to the assignment of the first sized field in memory. +/// +/// The first field of a structure is the only one that can have extra value restrictions imposed +/// by `rustc_layout_scalar_valid_range_*` attributes. +/// +/// Note: This requires at least one operand to be sized and there's a 1:1 match between operands +/// and field types. +fn first_aggregate_operand(dest_ty: Ty, dest_shape: &FieldsShape, operands: &[Operand]) -> Operand { + let Some(first) = first_sized_field_idx(dest_ty, dest_shape) else { unreachable!() }; + operands[first].clone() +} + +/// Index of the first non_1zst fields in memory order. +fn first_sized_field_idx(ty: Ty, shape: &FieldsShape) -> Option { + if let TyKind::RigidTy(RigidTy::Adt(adt_def, args)) = ty.kind() + && adt_def.kind() == AdtKind::Struct + { + let offset_order = shape.fields_by_offset_order(); + let fields = adt_def.variants_iter().next().unwrap().fields(); + offset_order + .into_iter() + .find(|idx| !fields[*idx].ty_with_args(&args).layout().unwrap().shape().is_1zst()) + } else { + None + } +} + +/// An assignment to a field with invalid values is unsafe, and it may trigger UB if +/// the assigned value is invalid. +/// +/// This can only happen to the first in memory sized field of a struct, and only if the field +/// type invalid range is a valid value for the rvalue type. +fn assignment_check_points( + machine_info: &MachineInfo, + locals: &[LocalDecl], + place: &Place, + rvalue_ty: Ty, +) -> Vec { + let mut ty = locals[place.local].ty; + let Some(rvalue_range) = ValidValueReq::try_from_ty(machine_info, rvalue_ty) else { + // Rvalue Abi must be Scalar / ScalarPair since destination must be Scalar / ScalarPair. + return vec![]; + }; + let mut invalid_ranges = vec![]; + for proj in &place.projection { + match proj { + ProjectionElem::Field(field_idx, field_ty) => { + let shape = ty.layout().unwrap().shape(); + if first_sized_field_idx(ty, &shape.fields) == Some(*field_idx) + && let Some(dest_valid) = ValidValueReq::try_from_ty(machine_info, ty) + && !dest_valid.is_full() + && dest_valid.size == rvalue_range.size + { + if !dest_valid.contains(&rvalue_range) { + invalid_ranges.push(dest_valid) + } + } else { + // Invalidate collected ranges so far since we are no longer in the path of + // the first element. + invalid_ranges.clear(); + } + ty = *field_ty; + } + ProjectionElem::Deref + | ProjectionElem::Index(_) + | ProjectionElem::ConstantIndex { .. } + | ProjectionElem::Subslice { .. } + | ProjectionElem::Downcast(_) + | ProjectionElem::OpaqueCast(_) + | ProjectionElem::Subtype(_) => ty = proj.ty(ty).unwrap(), + }; + } + invalid_ranges +} + +/// Retrieve instance for the given function operand. +/// +/// This will panic if the operand is not a function or if it cannot be resolved. +fn expect_instance(locals: &[LocalDecl], func: &Operand) -> Instance { + let ty = func.ty(locals).unwrap(); + match ty.kind() { + TyKind::RigidTy(RigidTy::FnDef(def, args)) => Instance::resolve(def, &args).unwrap(), + TyKind::RigidTy(RigidTy::FnPtr(sig)) => todo!("Add support to FnPtr: {sig:?}"), + _ => unreachable!("Found: {func:?}"), + } +} + +/// Instrument MIR to check the value pointed by `rvalue_ptr` satisfies requirement `req`. +/// +/// The MIR will do something equivalent to: +/// ```rust +/// let ptr = rvalue_ptr.byte_offset(req.offset); +/// let typed_ptr = ptr as *const Unsigned; // Some unsigned type with length req.size +/// let value = unsafe { *typed_ptr }; +/// req.valid_range.contains(value) +/// ``` +pub fn build_limits( + body: &mut MutableBody, + req: &ValidValueReq, + rvalue_ptr: Rvalue, + source: &mut SourceInstruction, +) -> Local { + let span = source.span(body.blocks()); + debug!(?req, ?rvalue_ptr, ?span, "build_limits"); + let primitive_ty = uint_ty(req.size.bytes()); + let start_const = body.new_const_operand(req.valid_range.start, primitive_ty, span); + let end_const = body.new_const_operand(req.valid_range.end, primitive_ty, span); + let orig_ptr = if req.offset != 0 { + let start_ptr = move_local(body.new_assignment(rvalue_ptr, source)); + let byte_ptr = move_local(body.new_cast_ptr( + start_ptr, + Ty::unsigned_ty(UintTy::U8), + Mutability::Not, + source, + )); + let offset_const = body.new_const_operand(req.offset as _, UintTy::Usize, span); + let offset = move_local(body.new_assignment(Rvalue::Use(offset_const), source)); + move_local(body.new_binary_op(BinOp::Offset, byte_ptr, offset, source)) + } else { + move_local(body.new_assignment(rvalue_ptr, source)) + }; + let value_ptr = + body.new_cast_ptr(orig_ptr, Ty::unsigned_ty(primitive_ty), Mutability::Not, source); + let value = Operand::Copy(Place { local: value_ptr, projection: vec![ProjectionElem::Deref] }); + let start_result = body.new_binary_op(BinOp::Ge, value.clone(), start_const, source); + let end_result = body.new_binary_op(BinOp::Le, value, end_const, source); + if req.valid_range.wraps_around() { + // valid >= start || valid <= end + body.new_binary_op(BinOp::BitOr, move_local(start_result), move_local(end_result), source) + } else { + // valid >= start && valid <= end + body.new_binary_op(BinOp::BitAnd, move_local(start_result), move_local(end_result), source) + } +} + +/// Traverse the type and find all invalid values and their location in memory. +/// +/// Not all values are currently supported. For those not supported, we return Error. +pub fn ty_validity_per_offset( + machine_info: &MachineInfo, + ty: Ty, + current_offset: usize, +) -> Result, String> { + let layout = ty.layout().unwrap().shape(); + let ty_req = || { + if let Some(mut req) = ValidValueReq::try_from_ty(machine_info, ty) + && !req.is_full() + { + req.offset = current_offset; + vec![req] + } else { + vec![] + } + }; + match layout.fields { + FieldsShape::Primitive => Ok(ty_req()), + FieldsShape::Array { stride, count } if count > 0 => { + let TyKind::RigidTy(RigidTy::Array(elem_ty, _)) = ty.kind() else { unreachable!() }; + let elem_validity = ty_validity_per_offset(machine_info, elem_ty, current_offset)?; + let mut result = vec![]; + if !elem_validity.is_empty() { + for idx in 0..count { + let idx: usize = idx.try_into().unwrap(); + let elem_offset = idx * stride.bytes(); + let mut next_validity = elem_validity + .iter() + .cloned() + .map(|mut req| { + req.offset += elem_offset; + req + }) + .collect::>(); + result.append(&mut next_validity) + } + } + Ok(result) + } + FieldsShape::Arbitrary { ref offsets } => { + match ty.kind().rigid().expect(&format!("unexpected type: {ty:?}")) { + RigidTy::Adt(def, args) => { + match def.kind() { + AdtKind::Enum => { + // Support basic enumeration forms + let ty_variants = def.variants(); + match layout.variants { + VariantsShape::Single { index } => { + // Only one variant is reachable. This behaves like a struct. + let fields = ty_variants[index.to_index()].fields(); + let mut fields_validity = vec![]; + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = fields[idx].ty_with_args(&args); + fields_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(fields_validity) + } + VariantsShape::Multiple { + tag_encoding: TagEncoding::Niche { .. }, + .. + } => { + Err(format!("Unsupported Enum `{}` check", def.trimmed_name()))? + } + VariantsShape::Multiple { variants, .. } => { + let enum_validity = ty_req(); + let mut fields_validity = vec![]; + for (index, variant) in variants.iter().enumerate() { + let fields = ty_variants[index].fields(); + for field_idx in variant.fields.fields_by_offset_order() { + let field_offset = offsets[field_idx].bytes(); + let field_ty = fields[field_idx].ty_with_args(&args); + fields_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + } + if fields_validity.is_empty() { + Ok(enum_validity) + } else { + Err(format!( + "Unsupported Enum `{}` check", + def.trimmed_name() + )) + } + } + } + } + AdtKind::Union => unreachable!(), + AdtKind::Struct => { + // If the struct range has niche add that. + let mut struct_validity = ty_req(); + let fields = def.variants_iter().next().unwrap().fields(); + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = fields[idx].ty_with_args(&args); + struct_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(struct_validity) + } + } + } + RigidTy::Pat(base_ty, ..) => { + // This is similar to a structure with one field and with niche defined. + let mut pat_validity = ty_req(); + pat_validity.append(&mut ty_validity_per_offset(machine_info, *base_ty, 0)?); + Ok(pat_validity) + } + RigidTy::Tuple(tys) => { + let mut tuple_validity = vec![]; + for idx in layout.fields.fields_by_offset_order() { + let field_offset = offsets[idx].bytes(); + let field_ty = tys[idx]; + tuple_validity.append(&mut ty_validity_per_offset( + machine_info, + field_ty, + field_offset + current_offset, + )?); + } + Ok(tuple_validity) + } + RigidTy::Bool + | RigidTy::Char + | RigidTy::Int(_) + | RigidTy::Uint(_) + | RigidTy::Float(_) + | RigidTy::Never => { + unreachable!("Expected primitive layout for {ty:?}") + } + RigidTy::Str | RigidTy::Slice(_) | RigidTy::Array(_, _) => { + unreachable!("Expected array layout for {ty:?}") + } + RigidTy::RawPtr(_, _) | RigidTy::Ref(_, _, _) => { + // Fat pointer has arbitrary shape. + Ok(ty_req()) + } + RigidTy::FnDef(_, _) + | RigidTy::FnPtr(_) + | RigidTy::Closure(_, _) + | RigidTy::Coroutine(_, _, _) + | RigidTy::CoroutineWitness(_, _) + | RigidTy::Foreign(_) + | RigidTy::Dynamic(_, _, _) => Err(format!("Unsupported {ty:?}")), + } + } + FieldsShape::Union(_) | FieldsShape::Array { .. } => { + /* Anything is valid */ + Ok(vec![]) + } + } +} diff --git a/kani-compiler/src/kani_middle/transform/contracts.rs b/kani-compiler/src/kani_middle/transform/contracts.rs new file mode 100644 index 000000000000..f5760bd4d829 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/contracts.rs @@ -0,0 +1,168 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains code related to the MIR-to-MIR pass to enable contracts. +use crate::kani_middle::attributes::KaniAttributes; +use crate::kani_middle::codegen_units::CodegenUnit; +use crate::kani_middle::transform::body::MutableBody; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use cbmc::{InternString, InternedString}; +use rustc_middle::ty::TyCtxt; +use rustc_smir::rustc_internal; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::{Body, ConstOperand, Operand, TerminatorKind}; +use stable_mir::ty::{FnDef, MirConst, RigidTy, TyKind}; +use stable_mir::{CrateDef, DefId}; +use std::collections::HashSet; +use std::fmt::Debug; +use tracing::{debug, trace}; + +/// Check if we can replace calls to any_modifies. +/// +/// This pass will replace the entire body, and it should only be applied to stubs +/// that have a body. +#[derive(Debug)] +pub struct AnyModifiesPass { + kani_any: Option, + kani_any_modifies: Option, + stubbed: HashSet, + target_fn: Option, +} + +impl TransformPass for AnyModifiesPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Stubbing + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + // TODO: Check if this is the harness has proof_for_contract + query_db.args().unstable_features.contains(&"function-contracts".to_string()) + && self.kani_any.is_some() + } + + /// Transform the function body by replacing it with the stub body. + fn transform(&self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "AnyModifiesPass::transform"); + + if instance.def.def_id() == self.kani_any.unwrap().def_id() { + // Ensure kani::any is valid. + self.any_body(tcx, body) + } else if self.should_apply(tcx, instance) { + // Replace any modifies occurrences. + self.replace_any_modifies(body) + } else { + (false, body) + } + } +} + +impl AnyModifiesPass { + /// Build the pass with non-extern function stubs. + pub fn new(tcx: TyCtxt, unit: &CodegenUnit) -> AnyModifiesPass { + let item_fn_def = |item| { + let TyKind::RigidTy(RigidTy::FnDef(def, _)) = + rustc_internal::stable(tcx.type_of(item)).value.kind() + else { + unreachable!("Expected function, but found `{:?}`", tcx.def_path_str(item)) + }; + def + }; + let kani_any = + tcx.get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniAny")).map(item_fn_def); + let kani_any_modifies = tcx + .get_diagnostic_item(rustc_span::symbol::Symbol::intern("KaniAnyModifies")) + .map(item_fn_def); + let (target_fn, stubbed) = if let Some(harness) = unit.harnesses.first() { + let attributes = KaniAttributes::for_instance(tcx, *harness); + let target_fn = + attributes.proof_for_contract().map(|symbol| symbol.unwrap().as_str().intern()); + (target_fn, unit.stubs.keys().map(|from| from.def_id()).collect::>()) + } else { + (None, HashSet::new()) + }; + AnyModifiesPass { kani_any, kani_any_modifies, target_fn, stubbed } + } + + /// If we apply `transform_any_modifies` in all contract-generated items, + /// we will end up instantiating `kani::any_modifies` for the replace function + /// every time, even if we are only checking the contract, because the function + /// is always included during contract instrumentation. Thus, we must only apply + /// the transformation if we are using a verified stub or in the presence of recursion. + fn should_apply(&self, tcx: TyCtxt, instance: Instance) -> bool { + let item_attributes = + KaniAttributes::for_item(tcx, rustc_internal::internal(tcx, instance.def.def_id())); + self.stubbed.contains(&instance.def.def_id()) || item_attributes.has_recursion() + } + + /// Replace calls to `any_modifies` by calls to `any`. + fn replace_any_modifies(&self, mut body: Body) -> (bool, Body) { + let mut changed = false; + let locals = body.locals().to_vec(); + for bb in body.blocks.iter_mut() { + let TerminatorKind::Call { func, .. } = &mut bb.terminator.kind else { continue }; + if let TyKind::RigidTy(RigidTy::FnDef(def, instance_args)) = + func.ty(&locals).unwrap().kind() + && Some(def) == self.kani_any_modifies + { + let instance = Instance::resolve(self.kani_any.unwrap(), &instance_args).unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let span = bb.terminator.span; + let new_func = ConstOperand { span, user_ty: None, const_: literal }; + *func = Operand::Constant(new_func); + changed = true; + } + } + (changed, body) + } + + /// Check if T::Arbitrary requirement for `kani::any()` is met after replacement. + /// + /// If it T does not implement arbitrary, generate error and delete body to interrupt analysis. + fn any_body(&self, tcx: TyCtxt, mut body: Body) -> (bool, Body) { + let mut valid = true; + let locals = body.locals().to_vec(); + for bb in body.blocks.iter_mut() { + let TerminatorKind::Call { func, .. } = &mut bb.terminator.kind else { continue }; + if let TyKind::RigidTy(RigidTy::FnDef(def, args)) = func.ty(&locals).unwrap().kind() { + match Instance::resolve(def, &args) { + Ok(_) => {} + Err(e) => { + valid = false; + debug!(?e, "AnyModifiesPass::any_body failed"); + let receiver_ty = args.0[0].expect_ty(); + let msg = if self.target_fn.is_some() { + format!( + "`{receiver_ty}` doesn't implement `kani::Arbitrary`.\ + Please, check `{}` contract.", + self.target_fn.unwrap(), + ) + } else { + format!("`{receiver_ty}` doesn't implement `kani::Arbitrary`.") + }; + tcx.dcx() + .struct_span_err(rustc_internal::internal(tcx, bb.terminator.span), msg) + .with_help( + "All objects in the modifies clause must implement the Arbitrary. \ + The return type must also implement the Arbitrary trait if you \ + are checking recursion or using verified stub.", + ) + .emit(); + } + } + } + } + if valid { + (true, body) + } else { + let mut new_body = MutableBody::from(body); + new_body.clear_body(); + (false, new_body.into()) + } + } +} diff --git a/kani-compiler/src/kani_middle/transform/kani_intrinsics.rs b/kani-compiler/src/kani_middle/transform/kani_intrinsics.rs new file mode 100644 index 000000000000..53bbd52086ac --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/kani_intrinsics.rs @@ -0,0 +1,138 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! Module responsible for generating code for a few Kani intrinsics. +//! +//! These intrinsics have code that depend on information from the compiler, such as type layout +//! information; thus, they are implemented as a transformation pass where their body get generated +//! by the transformation. + +use crate::kani_middle::attributes::matches_diagnostic; +use crate::kani_middle::transform::body::{CheckType, MutableBody, SourceInstruction}; +use crate::kani_middle::transform::check_values::{build_limits, ty_validity_per_offset}; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::TyCtxt; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::{ + BinOp, Body, ConstOperand, Operand, Place, Rvalue, Statement, StatementKind, RETURN_LOCAL, +}; +use stable_mir::target::MachineInfo; +use stable_mir::ty::{MirConst, RigidTy, TyKind}; +use std::fmt::Debug; +use strum_macros::AsRefStr; +use tracing::trace; + +/// Generate the body for a few Kani intrinsics. +#[derive(Debug)] +pub struct IntrinsicGeneratorPass { + pub check_type: CheckType, +} + +impl TransformPass for IntrinsicGeneratorPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Instrumentation + } + + fn is_enabled(&self, _query_db: &QueryDb) -> bool + where + Self: Sized, + { + true + } + + /// Transform the function body by inserting checks one-by-one. + /// For every unsafe dereference or a transmute operation, we check all values are valid. + fn transform(&self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + if matches_diagnostic(tcx, instance.def, Intrinsics::KaniValidValue.as_ref()) { + (true, self.valid_value_body(tcx, body)) + } else { + (false, body) + } + } +} + +impl IntrinsicGeneratorPass { + /// Generate the body for valid value. Which should be something like: + /// + /// ``` + /// pub fn has_valid_value(ptr: *const T) -> bool { + /// let mut ret = true; + /// let bytes = ptr as *const u8; + /// for req in requirements { + /// ret &= in_range(bytes, req); + /// } + /// ret + /// } + /// ``` + fn valid_value_body(&self, tcx: TyCtxt, body: Body) -> Body { + let mut new_body = MutableBody::from(body); + new_body.clear_body(); + + // Initialize return variable with True. + let ret_var = RETURN_LOCAL; + let mut terminator = SourceInstruction::Terminator { bb: 0 }; + let span = new_body.locals()[ret_var].span; + let assign = StatementKind::Assign( + Place::from(ret_var), + Rvalue::Use(Operand::Constant(ConstOperand { + span, + user_ty: None, + const_: MirConst::from_bool(true), + })), + ); + let stmt = Statement { kind: assign, span }; + new_body.insert_stmt(stmt, &mut terminator); + let machine_info = MachineInfo::target(); + + // The first and only argument type. + let arg_ty = new_body.locals()[1].ty; + let TyKind::RigidTy(RigidTy::RawPtr(target_ty, _)) = arg_ty.kind() else { unreachable!() }; + let validity = ty_validity_per_offset(&machine_info, target_ty, 0); + match validity { + Ok(ranges) if ranges.is_empty() => { + // Nothing to check + } + Ok(ranges) => { + // Given the pointer argument, check for possible invalid ranges. + let rvalue = Rvalue::Use(Operand::Move(Place::from(1))); + for range in ranges { + let result = + build_limits(&mut new_body, &range, rvalue.clone(), &mut terminator); + let rvalue = Rvalue::BinaryOp( + BinOp::BitAnd, + Operand::Move(Place::from(ret_var)), + Operand::Move(Place::from(result)), + ); + let assign = StatementKind::Assign(Place::from(ret_var), rvalue); + let stmt = Statement { kind: assign, span }; + new_body.insert_stmt(stmt, &mut terminator); + } + } + Err(msg) => { + // We failed to retrieve all the valid ranges. + let rvalue = Rvalue::Use(Operand::Constant(ConstOperand { + const_: MirConst::from_bool(false), + span, + user_ty: None, + })); + let result = new_body.new_assignment(rvalue, &mut terminator); + let reason = format!( + "Kani currently doesn't support checking validity of `{target_ty}`. {msg}" + ); + new_body.add_check(tcx, &self.check_type, &mut terminator, result, &reason); + } + } + new_body.into() + } +} + +#[derive(Debug, Copy, Clone, Eq, PartialEq, AsRefStr)] +#[strum(serialize_all = "PascalCase")] +enum Intrinsics { + KaniValidValue, +} diff --git a/kani-compiler/src/kani_middle/transform/mod.rs b/kani-compiler/src/kani_middle/transform/mod.rs new file mode 100644 index 000000000000..8d5c61f55c92 --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/mod.rs @@ -0,0 +1,139 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +//! This module is responsible for optimizing and instrumenting function bodies. +//! +//! We make transformations on bodies already monomorphized, which allow us to make stronger +//! decisions based on the instance types and constants. +//! +//! The main downside is that some transformation that don't depend on the specialized type may be +//! applied multiple times, one per specialization. +//! +//! Another downside is that these modifications cannot be applied to concrete playback, since they +//! are applied on the top of StableMIR body, which cannot be propagated back to rustc's backend. +//! +//! # Warn +//! +//! For all instrumentation passes, always use exhaustive matches to ensure soundness in case a new +//! case is added. +use crate::kani_middle::codegen_units::CodegenUnit; +use crate::kani_middle::transform::body::CheckType; +use crate::kani_middle::transform::check_values::ValidValuePass; +use crate::kani_middle::transform::contracts::AnyModifiesPass; +use crate::kani_middle::transform::kani_intrinsics::IntrinsicGeneratorPass; +use crate::kani_middle::transform::stubs::{ExternFnStubPass, FnStubPass}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::TyCtxt; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::Body; +use std::collections::HashMap; +use std::fmt::Debug; + +pub(crate) mod body; +mod check_values; +mod contracts; +mod kani_intrinsics; +mod stubs; + +/// Object used to retrieve a transformed instance body. +/// The transformations to be applied may be controlled by user options. +/// +/// The order however is always the same, we run optimizations first, and instrument the code +/// after. +#[derive(Debug)] +pub struct BodyTransformation { + /// The passes that may change the function body according to harness configuration. + /// The stubbing passes should be applied before so user stubs take precedence. + stub_passes: Vec>, + /// The passes that may add safety checks to the function body. + inst_passes: Vec>, + /// Cache transformation results. + cache: HashMap, +} + +impl BodyTransformation { + pub fn new(queries: &QueryDb, tcx: TyCtxt, unit: &CodegenUnit) -> Self { + let mut transformer = BodyTransformation { + stub_passes: vec![], + inst_passes: vec![], + cache: Default::default(), + }; + let check_type = CheckType::new(tcx); + transformer.add_pass(queries, FnStubPass::new(&unit.stubs)); + transformer.add_pass(queries, ExternFnStubPass::new(&unit.stubs)); + // This has to come after stubs since we want this to replace the stubbed body. + transformer.add_pass(queries, AnyModifiesPass::new(tcx, &unit)); + transformer.add_pass(queries, ValidValuePass { check_type: check_type.clone() }); + transformer.add_pass(queries, IntrinsicGeneratorPass { check_type }); + transformer + } + + /// Retrieve the body of an instance. + /// + /// Note that this assumes that the instance does have a body since existing consumers already + /// assume that. Use `instance.has_body()` to check if an instance has a body. + pub fn body(&mut self, tcx: TyCtxt, instance: Instance) -> Body { + match self.cache.get(&instance) { + Some(TransformationResult::Modified(body)) => body.clone(), + Some(TransformationResult::NotModified) => instance.body().unwrap(), + None => { + let mut body = instance.body().unwrap(); + let mut modified = false; + for pass in self.stub_passes.iter().chain(self.inst_passes.iter()) { + let result = pass.transform(tcx, body, instance); + modified |= result.0; + body = result.1; + } + + let result = if modified { + TransformationResult::Modified(body.clone()) + } else { + TransformationResult::NotModified + }; + self.cache.insert(instance, result); + body + } + } + } + + fn add_pass(&mut self, query_db: &QueryDb, pass: P) { + if pass.is_enabled(&query_db) { + match P::transformation_type() { + TransformationType::Instrumentation => self.inst_passes.push(Box::new(pass)), + TransformationType::Stubbing => self.stub_passes.push(Box::new(pass)), + } + } + } +} + +/// The type of transformation that a pass may perform. +#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)] +pub(crate) enum TransformationType { + /// Should only add assertion checks to ensure the program is correct. + Instrumentation, + /// Apply some sort of stubbing. + Stubbing, +} + +/// A trait to represent transformation passes that can be used to modify the body of a function. +pub(crate) trait TransformPass: Debug { + /// The type of transformation that this pass implements. + fn transformation_type() -> TransformationType + where + Self: Sized; + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized; + + /// Run a transformation pass in the function body. + fn transform(&self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body); +} + +/// The transformation result. +/// We currently only cache the body of functions that were instrumented. +#[derive(Clone, Debug)] +enum TransformationResult { + Modified(Body), + NotModified, +} diff --git a/kani-compiler/src/kani_middle/transform/stubs.rs b/kani-compiler/src/kani_middle/transform/stubs.rs new file mode 100644 index 000000000000..4f249afdd45a --- /dev/null +++ b/kani-compiler/src/kani_middle/transform/stubs.rs @@ -0,0 +1,226 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains code related to the MIR-to-MIR pass that performs the +//! stubbing of functions and methods. +use crate::kani_middle::codegen_units::Stubs; +use crate::kani_middle::stubbing::{contract_host_param, validate_stub_const}; +use crate::kani_middle::transform::body::{MutMirVisitor, MutableBody}; +use crate::kani_middle::transform::{TransformPass, TransformationType}; +use crate::kani_queries::QueryDb; +use rustc_middle::ty::TyCtxt; +use rustc_smir::rustc_internal; +use stable_mir::mir::mono::Instance; +use stable_mir::mir::visit::{Location, MirVisitor}; +use stable_mir::mir::{Body, ConstOperand, LocalDecl, Operand, Terminator, TerminatorKind}; +use stable_mir::ty::{FnDef, MirConst, RigidTy, TyKind}; +use stable_mir::CrateDef; +use std::collections::HashMap; +use std::fmt::Debug; +use tracing::{debug, trace}; + +/// Replace the body of a function that is stubbed by the other. +/// +/// This pass will replace the entire body, and it should only be applied to stubs +/// that have a body. +#[derive(Debug)] +pub struct FnStubPass { + stubs: Stubs, +} + +impl TransformPass for FnStubPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Stubbing + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + query_db.args().stubbing_enabled && !self.stubs.is_empty() + } + + /// Transform the function body by replacing it with the stub body. + fn transform(&self, tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + let ty = instance.ty(); + if let TyKind::RigidTy(RigidTy::FnDef(fn_def, mut args)) = ty.kind() { + if let Some(replace) = self.stubs.get(&fn_def) { + if let Some(idx) = contract_host_param(tcx, fn_def, *replace) { + debug!(?idx, "FnStubPass::transform remove_host_param"); + args.0.remove(idx); + } + let new_instance = Instance::resolve(*replace, &args).unwrap(); + debug!(from=?instance.name(), to=?new_instance.name(), "FnStubPass::transform"); + if let Some(body) = FnStubValidator::validate(tcx, (fn_def, *replace), new_instance) + { + return (true, body); + } + } + } + (false, body) + } +} + +impl FnStubPass { + /// Build the pass with non-extern function stubs. + pub fn new(all_stubs: &Stubs) -> FnStubPass { + let stubs = all_stubs + .iter() + .filter_map(|(from, to)| (has_body(*from) && has_body(*to)).then_some((*from, *to))) + .collect::>(); + FnStubPass { stubs } + } +} + +/// Replace the body of a function that is stubbed by the other. +/// +/// This pass will replace the function call, since one of the functions do not have a body to +/// replace. +#[derive(Debug)] +pub struct ExternFnStubPass { + pub stubs: Stubs, +} + +impl TransformPass for ExternFnStubPass { + fn transformation_type() -> TransformationType + where + Self: Sized, + { + TransformationType::Stubbing + } + + fn is_enabled(&self, query_db: &QueryDb) -> bool + where + Self: Sized, + { + query_db.args().stubbing_enabled && !self.stubs.is_empty() + } + + /// Search for calls to extern functions that should be stubbed. + /// + /// We need to find function calls and function pointers. + /// We should replace this with a visitor once StableMIR includes a mutable one. + fn transform(&self, _tcx: TyCtxt, body: Body, instance: Instance) -> (bool, Body) { + trace!(function=?instance.name(), "transform"); + let mut new_body = MutableBody::from(body); + let changed = false; + let locals = new_body.locals().to_vec(); + let mut visitor = ExternFnStubVisitor { changed, locals, stubs: &self.stubs }; + visitor.visit_body(&mut new_body); + (visitor.changed, new_body.into()) + } +} + +impl ExternFnStubPass { + /// Build the pass with the extern function stubs. + /// + /// This will cover any case where the stub doesn't have a body. + pub fn new(all_stubs: &Stubs) -> ExternFnStubPass { + let stubs = all_stubs + .iter() + .filter_map(|(from, to)| (!has_body(*from) || !has_body(*to)).then_some((*from, *to))) + .collect::>(); + ExternFnStubPass { stubs } + } +} + +fn has_body(def: FnDef) -> bool { + def.body().is_some() +} + +/// Validate that the body of the stub is valid for the given instantiation +struct FnStubValidator<'a, 'tcx> { + stub: (FnDef, FnDef), + tcx: TyCtxt<'tcx>, + locals: &'a [LocalDecl], + is_valid: bool, +} + +impl<'a, 'tcx> FnStubValidator<'a, 'tcx> { + fn validate(tcx: TyCtxt, stub: (FnDef, FnDef), new_instance: Instance) -> Option { + if validate_stub_const(tcx, new_instance) { + let body = new_instance.body().unwrap(); + let mut validator = + FnStubValidator { stub, tcx, locals: body.locals(), is_valid: true }; + validator.visit_body(&body); + validator.is_valid.then_some(body) + } else { + None + } + } +} + +impl<'a, 'tcx> MirVisitor for FnStubValidator<'a, 'tcx> { + fn visit_operand(&mut self, op: &Operand, loc: Location) { + let op_ty = op.ty(self.locals).unwrap(); + if let TyKind::RigidTy(RigidTy::FnDef(def, args)) = op_ty.kind() { + if Instance::resolve(def, &args).is_err() { + self.is_valid = false; + let callee = def.name(); + let receiver_ty = args.0[0].expect_ty(); + let sep = callee.rfind("::").unwrap(); + let trait_ = &callee[..sep]; + self.tcx.dcx().span_err( + rustc_internal::internal(self.tcx, loc.span()), + format!( + "`{}` doesn't implement \ + `{}`. The function `{}` \ + cannot be stubbed by `{}` due to \ + generic bounds not being met. Callee: {}", + receiver_ty, + trait_, + self.stub.0.name(), + self.stub.1.name(), + callee, + ), + ); + } + } + } +} + +struct ExternFnStubVisitor<'a> { + changed: bool, + locals: Vec, + stubs: &'a Stubs, +} + +impl<'a> MutMirVisitor for ExternFnStubVisitor<'a> { + fn visit_terminator(&mut self, term: &mut Terminator) { + // Replace direct calls + if let TerminatorKind::Call { func, .. } = &mut term.kind { + if let TyKind::RigidTy(RigidTy::FnDef(def, args)) = + func.ty(&self.locals).unwrap().kind() + { + if let Some(new_def) = self.stubs.get(&def) { + let instance = Instance::resolve(*new_def, &args).unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let span = term.span; + let new_func = ConstOperand { span, user_ty: None, const_: literal }; + *func = Operand::Constant(new_func); + self.changed = true; + } + } + } + self.super_terminator(term); + } + + fn visit_operand(&mut self, operand: &mut Operand) { + let func_ty = operand.ty(&self.locals).unwrap(); + if let TyKind::RigidTy(RigidTy::FnDef(orig_def, args)) = func_ty.kind() { + if let Some(new_def) = self.stubs.get(&orig_def) { + let Operand::Constant(ConstOperand { span, .. }) = operand else { + unreachable!(); + }; + let instance = Instance::resolve_for_fn_ptr(*new_def, &args).unwrap(); + let literal = MirConst::try_new_zero_sized(instance.ty()).unwrap(); + let new_func = ConstOperand { span: *span, user_ty: None, const_: literal }; + *operand = Operand::Constant(new_func); + self.changed = true; + } + } + } +} diff --git a/kani-compiler/src/kani_queries/mod.rs b/kani-compiler/src/kani_queries/mod.rs index e918bf1b8a73..bb28237248d3 100644 --- a/kani-compiler/src/kani_queries/mod.rs +++ b/kani-compiler/src/kani_queries/mod.rs @@ -2,24 +2,16 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Define the communication between KaniCompiler and the codegen implementation. -use cbmc::{InternString, InternedString}; -use kani_metadata::AssignsContract; -use std::fmt::{Display, Formatter, Write}; -use std::{ - collections::HashMap, - path::PathBuf, - sync::{Arc, Mutex}, -}; +use std::sync::{Arc, Mutex}; use crate::args::Arguments; /// This structure should only be used behind a synchronized reference or a snapshot. +/// +/// TODO: Merge this with arguments #[derive(Debug, Default, Clone)] pub struct QueryDb { args: Option, - /// Information about all target harnesses. - pub harnesses_info: HashMap, - modifies_contracts: HashMap, } impl QueryDb { @@ -27,16 +19,6 @@ impl QueryDb { Arc::new(Mutex::new(QueryDb::default())) } - /// Get the definition hash for all harnesses that are being compiled in this compilation stage. - pub fn target_harnesses(&self) -> Vec { - self.harnesses_info.keys().cloned().collect() - } - - /// Get the model path for a given harness. - pub fn harness_model_path(&self, harness: &String) -> Option<&PathBuf> { - self.harnesses_info.get(&harness.intern()) - } - pub fn set_args(&mut self, args: Arguments) { self.args = Some(args); } @@ -44,41 +26,4 @@ impl QueryDb { pub fn args(&self) -> &Arguments { self.args.as_ref().expect("Arguments have not been initialized") } - - /// Register that a CBMC-level `assigns` contract for a function that is - /// called from this harness. - pub fn register_assigns_contract( - &mut self, - harness_name: InternedString, - contract: AssignsContract, - ) { - let replaced = self.modifies_contracts.insert(harness_name, contract); - assert!( - replaced.is_none(), - "Invariant broken, tried adding second modifies contracts to: {harness_name}", - ) - } - - /// Lookup all CBMC-level `assigns` contract were registered with - /// [`Self::add_assigns_contract`]. - pub fn assigns_contracts(&self) -> impl Iterator { - self.modifies_contracts.iter() - } -} - -struct PrintList(I); - -impl + Clone> Display for PrintList { - fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { - f.write_char('[')?; - let mut is_first = true; - for e in self.0.clone() { - if is_first { - f.write_str(", ")?; - is_first = false; - } - e.fmt(f)?; - } - f.write_char(']') - } } diff --git a/kani-compiler/src/main.rs b/kani-compiler/src/main.rs index 4316d188c02d..a5cfa347a85e 100644 --- a/kani-compiler/src/main.rs +++ b/kani-compiler/src/main.rs @@ -10,9 +10,9 @@ #![recursion_limit = "256"] #![feature(box_patterns)] #![feature(rustc_private)] -#![feature(lazy_cell)] #![feature(more_qualified_paths)] #![feature(iter_intersperse)] +#![feature(let_chains)] extern crate rustc_abi; extern crate rustc_ast; extern crate rustc_ast_pretty; diff --git a/kani-compiler/src/session.rs b/kani-compiler/src/session.rs index a1c3af20bb06..bc0930eb9e4b 100644 --- a/kani-compiler/src/session.rs +++ b/kani-compiler/src/session.rs @@ -4,12 +4,17 @@ //! Module used to configure a compiler session. use crate::args::Arguments; +use rustc_data_structures::sync::Lrc; +use rustc_errors::emitter::Emitter; use rustc_errors::{ - emitter::Emitter, emitter::HumanReadableErrorType, fallback_fluent_bundle, json::JsonEmitter, - ColorConfig, Diagnostic, TerminalUrl, + emitter::HumanReadableErrorType, fallback_fluent_bundle, json::JsonEmitter, ColorConfig, + DiagInner, }; use rustc_session::config::ErrorOutputType; use rustc_session::EarlyDiagCtxt; +use rustc_span::source_map::FilePathMapping; +use rustc_span::source_map::SourceMap; +use std::io; use std::io::IsTerminal; use std::panic; use std::sync::LazyLock; @@ -49,18 +54,16 @@ static JSON_PANIC_HOOK: LazyLock) + Sync + Send let msg = format!("Kani unexpectedly panicked at {info}.",); let fallback_bundle = fallback_fluent_bundle(rustc_driver::DEFAULT_LOCALE_RESOURCES.to_vec(), false); - let mut emitter = JsonEmitter::basic( - false, - HumanReadableErrorType::Default(ColorConfig::Never), - None, + let mut emitter = JsonEmitter::new( + Box::new(io::BufWriter::new(io::stderr())), + #[allow(clippy::arc_with_non_send_sync)] + Lrc::new(SourceMap::new(FilePathMapping::empty())), fallback_bundle, - None, false, - false, - TerminalUrl::No, + HumanReadableErrorType::Default(ColorConfig::Never), ); - let diagnostic = Diagnostic::new(rustc_errors::Level::Bug, msg); - emitter.emit_diagnostic(&diagnostic); + let diagnostic = DiagInner::new(rustc_errors::Level::Bug, msg); + emitter.emit_diagnostic(diagnostic); (*JSON_PANIC_HOOK)(info); })); hook diff --git a/kani-driver/Cargo.toml b/kani-driver/Cargo.toml index 2a19030840d2..2263e39792e2 100644 --- a/kani-driver/Cargo.toml +++ b/kani-driver/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani-driver" -version = "0.45.0" +version = "0.52.0" edition = "2021" description = "Build a project with Kani and run all proof harnesses" license = "MIT OR Apache-2.0" @@ -27,13 +27,13 @@ rustc-demangle = "0.1.21" pathdiff = "0.2.1" rayon = "1.5.3" comfy-table = "7.0.1" -strum = {version = "0.25.0"} -strum_macros = {version = "0.25.2"} +strum = {version = "0.26"} +strum_macros = {version = "0.26"} tempfile = "3" tracing = {version = "0.1", features = ["max_level_trace", "release_max_level_debug"]} tracing-subscriber = {version = "0.3.8", features = ["env-filter", "json", "fmt"]} rand = "0.8" -which = "5.0.0" +which = "6" # A good set of suggested dependencies can be found in rustup: # https://github.com/rust-lang/rustup/blob/master/Cargo.toml diff --git a/kani-driver/src/args/common.rs b/kani-driver/src/args/common.rs index d4ac0a61bd17..3333ee67badf 100644 --- a/kani-driver/src/args/common.rs +++ b/kani-driver/src/args/common.rs @@ -51,6 +51,7 @@ pub trait Verbosity { /// Note that `debug() == true` must imply `verbose() == true`. fn verbose(&self) -> bool; /// Whether we should emit debug messages. + #[allow(unused)] fn debug(&self) -> bool; /// Whether any verbosity was selected. fn is_set(&self) -> bool; diff --git a/kani-driver/src/args/mod.rs b/kani-driver/src/args/mod.rs index 39b3c1fd025f..f0c9cb0c4e8d 100644 --- a/kani-driver/src/args/mod.rs +++ b/kani-driver/src/args/mod.rs @@ -6,6 +6,7 @@ pub mod assess_args; pub mod cargo; pub mod common; pub mod playback_args; +pub mod std_args; pub use assess_args::*; @@ -79,6 +80,9 @@ pub struct StandaloneArgs { #[command(subcommand)] pub command: Option, + + #[arg(long, hide = true)] + pub crate_name: Option, } /// Kani takes optional subcommands to request specialized behavior. @@ -87,6 +91,8 @@ pub struct StandaloneArgs { pub enum StandaloneSubcommand { /// Execute concrete playback testcases of a local crate. Playback(Box), + /// Verify the rust standard library. + VerifyStd(Box), } #[derive(Debug, clap::Parser)] @@ -249,6 +255,14 @@ pub struct VerificationArgs { #[arg(long, hide_short_help = true, requires("enable_unstable"))] pub ignore_global_asm: bool, + /// Ignore lifetimes of local variables. This effectively extends their + /// lifetimes to the function scope, and hence may cause Kani to miss + /// undefined behavior resulting from using the variable after it dies. + /// This option may impact the soundness of the analysis and may cause false + /// proofs and/or counterexamples + #[arg(long, hide_short_help = true, requires("enable_unstable"))] + pub ignore_locals_lifetime: bool, + /// Write the GotoC symbol table to a file in JSON format instead of goto binary format. #[arg(long, hide_short_help = true)] pub write_json_symtab: bool, @@ -437,6 +451,13 @@ fn check_no_cargo_opt(is_set: bool, name: &str) -> Result<(), Error> { impl ValidateArgs for StandaloneArgs { fn validate(&self) -> Result<(), Error> { self.verify_opts.validate()?; + + match &self.command { + Some(StandaloneSubcommand::VerifyStd(args)) => args.validate()?, + // TODO: Invoke PlaybackArgs::validate() + None | Some(StandaloneSubcommand::Playback(..)) => {} + }; + // Cargo target arguments. check_no_cargo_opt(self.verify_opts.target.bins, "--bins")?; check_no_cargo_opt(self.verify_opts.target.lib, "--lib")?; diff --git a/kani-driver/src/args/playback_args.rs b/kani-driver/src/args/playback_args.rs index bdad446a1158..ad82d9632a7a 100644 --- a/kani-driver/src/args/playback_args.rs +++ b/kani-driver/src/args/playback_args.rs @@ -100,8 +100,6 @@ impl ValidateArgs for PlaybackArgs { #[cfg(test)] mod tests { - use clap::Parser; - use super::*; #[test] diff --git a/kani-driver/src/args/std_args.rs b/kani-driver/src/args/std_args.rs new file mode 100644 index 000000000000..3818b6261010 --- /dev/null +++ b/kani-driver/src/args/std_args.rs @@ -0,0 +1,77 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Implements the `verify-std` subcommand handling. + +use crate::args::{ValidateArgs, VerificationArgs}; +use clap::error::ErrorKind; +use clap::{Error, Parser}; +use kani_metadata::UnstableFeature; +use std::path::PathBuf; + +/// Verify a local version of the Rust standard library. +/// +/// This is an **unstable option** and it the standard library version must be compatible with +/// Kani's toolchain version. +#[derive(Debug, Parser)] +pub struct VerifyStdArgs { + /// The path to the folder containing the crates for the Rust standard library. + /// Note that this directory must be named `library` as used in the Rust toolchain and + /// repository. + pub std_path: PathBuf, + + #[command(flatten)] + pub verify_opts: VerificationArgs, +} + +impl ValidateArgs for VerifyStdArgs { + fn validate(&self) -> Result<(), Error> { + self.verify_opts.validate()?; + + if !self + .verify_opts + .common_args + .unstable_features + .contains(UnstableFeature::UnstableOptions) + { + return Err(Error::raw( + ErrorKind::MissingRequiredArgument, + "The `verify-std` subcommand is unstable and requires -Z unstable-options", + )); + } + + if !self.std_path.exists() { + Err(Error::raw( + ErrorKind::InvalidValue, + format!( + "Invalid argument: `` argument `{}` does not exist", + self.std_path.display() + ), + )) + } else if !self.std_path.is_dir() { + Err(Error::raw( + ErrorKind::InvalidValue, + format!( + "Invalid argument: `` argument `{}` is not a directory", + self.std_path.display() + ), + )) + } else { + let full_path = self.std_path.canonicalize()?; + let dir = full_path.file_stem().unwrap(); + if dir != "library" { + Err(Error::raw( + ErrorKind::InvalidValue, + format!( + "Invalid argument: Expected `` to point to the `library` folder \ + containing the standard library crates.\n\ + Found `{}` folder instead", + dir.to_string_lossy() + ), + )) + } else { + Ok(()) + } + } + } +} diff --git a/kani-driver/src/args_toml.rs b/kani-driver/src/args_toml.rs index aaa5b3260083..37b38a425597 100644 --- a/kani-driver/src/args_toml.rs +++ b/kani-driver/src/args_toml.rs @@ -90,8 +90,11 @@ fn cargo_locate_project(input_args: &[OsString]) -> Result { /// We currently support the following entries: /// - flags: Flags that get directly passed to Kani. /// - unstable: Unstable features (it will be passed using `-Z` flag). +/// /// The tables supported are: -/// "workspace.metadata.kani", "package.metadata.kani", "kani" +/// - "workspace.metadata.kani" +/// - "package.metadata.kani" +/// - "kani" fn toml_to_args(tomldata: &str) -> Result<(Vec, Vec)> { let config = tomldata.parse::()?; // To make testing easier, our function contract is to produce a stable ordering of flags for a given input. @@ -312,6 +315,6 @@ mod tests { #[test] fn check_unstable_entry_invalid() { let name = String::from("feature"); - assert!(matches!(unstable_entry(&name, &Value::String("".to_string())), Err(_))); + assert!(unstable_entry(&name, &Value::String("".to_string())).is_err()); } } diff --git a/kani-driver/src/assess/mod.rs b/kani-driver/src/assess/mod.rs index d183e880d8b2..2df4d993d2d7 100644 --- a/kani-driver/src/assess/mod.rs +++ b/kani-driver/src/assess/mod.rs @@ -170,7 +170,7 @@ fn reconstruct_metadata_structure( } if !package_artifacts.is_empty() { let mut merged = crate::metadata::merge_kani_metadata(package_artifacts); - merged.crate_name = package.name.clone(); + merged.crate_name.clone_from(&package.name); package_metas.push(merged); } } diff --git a/kani-driver/src/assess/scan.rs b/kani-driver/src/assess/scan.rs index 5e4dc81d7e2a..ef33f91eb522 100644 --- a/kani-driver/src/assess/scan.rs +++ b/kani-driver/src/assess/scan.rs @@ -4,12 +4,12 @@ use std::collections::HashSet; use std::path::Path; use std::path::PathBuf; -use std::process::Command; use std::time::Instant; use anyhow::Result; use cargo_metadata::Package; +use crate::session::setup_cargo_command; use crate::session::KaniSession; use super::metadata::AssessMetadata; @@ -168,7 +168,8 @@ fn invoke_assess( ) -> Result<()> { let dir = manifest.parent().expect("file not in a directory?"); let log = std::fs::File::create(logfile)?; - let mut cmd = Command::new("cargo"); + + let mut cmd = setup_cargo_command()?; cmd.arg("kani"); // Use of options before 'assess' subcommand is a hack, these should be factored out. // TODO: --only-codegen should be outright an option to assess. (perhaps tests too?) diff --git a/kani-driver/src/call_cargo.rs b/kani-driver/src/call_cargo.rs index 66166913c9cb..4e8e83b562af 100644 --- a/kani-driver/src/call_cargo.rs +++ b/kani-driver/src/call_cargo.rs @@ -2,20 +2,22 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use crate::args::VerificationArgs; -use crate::call_single_file::to_rustc_arg; +use crate::call_single_file::{to_rustc_arg, LibConfig}; use crate::project::Artifact; -use crate::session::KaniSession; -use crate::{session, util}; +use crate::session::{lib_folder, lib_no_core_folder, setup_cargo_command, KaniSession}; +use crate::util; use anyhow::{bail, Context, Result}; use cargo_metadata::diagnostic::{Diagnostic, DiagnosticLevel}; -use cargo_metadata::{Message, Metadata, MetadataCommand, Package, Target}; +use cargo_metadata::{ + Artifact as RustcArtifact, Message, Metadata, MetadataCommand, Package, Target, +}; use kani_metadata::{ArtifactType, CompilerArtifactStub}; use std::ffi::{OsStr, OsString}; use std::fmt::{self, Display}; use std::fs::{self, File}; use std::io::BufReader; use std::io::IsTerminal; -use std::path::PathBuf; +use std::path::{Path, PathBuf}; use std::process::Command; use tracing::{debug, trace}; @@ -43,6 +45,60 @@ pub struct CargoOutputs { } impl KaniSession { + /// Create a new cargo library in the given path. + pub fn cargo_init_lib(&self, path: &Path) -> Result<()> { + let mut cmd = setup_cargo_command()?; + cmd.args(["init", "--lib", path.to_string_lossy().as_ref()]); + self.run_terminal(cmd) + } + + pub fn cargo_build_std(&self, std_path: &Path, krate_path: &Path) -> Result> { + let lib_path = lib_no_core_folder().unwrap(); + let mut rustc_args = self.kani_rustc_flags(LibConfig::new_no_core(lib_path)); + rustc_args.push(to_rustc_arg(self.kani_compiler_flags()).into()); + rustc_args.push(self.reachability_arg().into()); + // Ignore global assembly, since `compiler_builtins` has some. + rustc_args.push(to_rustc_arg(vec!["--ignore-global-asm".to_string()]).into()); + + let mut cargo_args: Vec = vec!["build".into()]; + cargo_args.append(&mut cargo_config_args()); + + // Configuration needed to parse cargo compilation status. + cargo_args.push("--message-format".into()); + cargo_args.push("json-diagnostic-rendered-ansi".into()); + cargo_args.push("-Z".into()); + cargo_args.push("build-std=panic_abort,core,std".into()); + + if self.args.common_args.verbose { + cargo_args.push("-v".into()); + } + + // Since we are verifying the standard library, we set the reachability to all crates. + let mut cmd = setup_cargo_command()?; + cmd.args(&cargo_args) + .current_dir(krate_path) + .env("RUSTC", &self.kani_compiler) + // Use CARGO_ENCODED_RUSTFLAGS instead of RUSTFLAGS is preferred. See + // https://doc.rust-lang.org/cargo/reference/environment-variables.html + .env("CARGO_ENCODED_RUSTFLAGS", rustc_args.join(OsStr::new("\x1f"))) + .env("CARGO_TERM_PROGRESS_WHEN", "never") + .env("__CARGO_TESTS_ONLY_SRC_ROOT", std_path.as_os_str()); + + Ok(self + .run_build(cmd)? + .into_iter() + .filter_map(|artifact| { + if artifact.target.crate_types.contains(&CRATE_TYPE_LIB.to_string()) + || artifact.target.crate_types.contains(&CRATE_TYPE_RLIB.to_string()) + { + map_kani_artifact(artifact) + } else { + None + } + }) + .collect()) + } + /// Calls `cargo_build` to generate `*.symtab.json` files in `target_dir` pub fn cargo_build(&self, keep_going: bool) -> Result { let build_target = env!("TARGET"); // see build.rs @@ -60,7 +116,8 @@ impl KaniSession { fs::remove_dir_all(&target_dir)?; } - let mut rustc_args = self.kani_rustc_flags(); + let lib_path = lib_folder().unwrap(); + let mut rustc_args = self.kani_rustc_flags(LibConfig::new(lib_path)); rustc_args.push(to_rustc_arg(self.kani_compiler_flags()).into()); let mut cargo_args: Vec = vec!["rustc".into()]; @@ -109,11 +166,10 @@ impl KaniSession { let mut failed_targets = vec![]; for package in packages { for verification_target in package_targets(&self.args, package) { - let mut cmd = Command::new("cargo"); - cmd.arg(session::toolchain_shorthand()) - .args(&cargo_args) + let mut cmd = setup_cargo_command()?; + cmd.args(&cargo_args) .args(vec!["-p", &package.name]) - .args(&verification_target.to_args()) + .args(verification_target.to_args()) .args(&pkg_args) .env("RUSTC", &self.kani_compiler) // Use CARGO_ENCODED_RUSTFLAGS instead of RUSTFLAGS is preferred. See @@ -121,7 +177,7 @@ impl KaniSession { .env("CARGO_ENCODED_RUSTFLAGS", rustc_args.join(OsStr::new("\x1f"))) .env("CARGO_TERM_PROGRESS_WHEN", "never"); - match self.run_cargo(cmd, verification_target.target()) { + match self.run_build_target(cmd, verification_target.target()) { Err(err) => { if keep_going { let target_str = format!("{verification_target}"); @@ -180,9 +236,9 @@ impl KaniSession { /// Run cargo and collect any error found. /// We also collect the metadata file generated during compilation if any. - fn run_cargo(&self, cargo_cmd: Command, target: &Target) -> Result> { + fn run_build(&self, cargo_cmd: Command) -> Result> { let support_color = std::io::stdout().is_terminal(); - let mut artifact = None; + let mut artifacts = vec![]; if let Some(mut cargo_process) = self.run_piped(cargo_cmd)? { let reader = BufReader::new(cargo_process.stdout.take().unwrap()); let mut error_count = 0; @@ -212,13 +268,9 @@ impl KaniSession { } }, Message::CompilerArtifact(rustc_artifact) => { - if rustc_artifact.target == *target { - debug_assert!( - artifact.is_none(), - "expected only one artifact for `{target:?}`", - ); - artifact = Some(rustc_artifact); - } + // Compares two targets, and falls back to a weaker + // comparison where we avoid dashes in their names. + artifacts.push(rustc_artifact) } Message::BuildScriptExecuted(_) | Message::BuildFinished(_) => { // do nothing @@ -244,11 +296,40 @@ impl KaniSession { ); } } + Ok(artifacts) + } + + /// Run cargo and collect any error found. + /// We also collect the metadata file generated during compilation if any for the given target. + fn run_build_target(&self, cargo_cmd: Command, target: &Target) -> Result> { + /// This used to be `rustc_artifact == *target`, but it + /// started to fail after the `cargo` change in + /// + /// + /// We should revisit this check after a while to see if + /// it's not needed anymore or it can be restricted to + /// certain cases. + /// TODO: + fn same_target(t1: &Target, t2: &Target) -> bool { + (t1 == t2) + || (t1.name.replace('-', "_") == t2.name.replace('-', "_") + && t1.kind == t2.kind + && t1.src_path == t2.src_path + && t1.edition == t2.edition + && t1.doctest == t2.doctest + && t1.test == t2.test + && t1.doc == t2.doc) + } + + let artifacts = self.run_build(cargo_cmd)?; + debug!(?artifacts, "run_build_target"); + // We generate kani specific artifacts only for the build target. The build target is // always the last artifact generated in a build, and all the other artifacts are related - // to dependencies or build scripts. Hence, we need to invoke `map_kani_artifact` only - // for the last compiler artifact. - Ok(artifact.and_then(map_kani_artifact)) + // to dependencies or build scripts. + Ok(artifacts.into_iter().rev().find_map(|artifact| { + if same_target(&artifact.target, target) { map_kani_artifact(artifact) } else { None } + })) } } @@ -256,10 +337,10 @@ pub fn cargo_config_args() -> Vec { [ "--target", env!("TARGET"), - // Propagate `--cfg=kani` to build scripts. + // Propagate `--cfg=kani_host` to build scripts. "-Zhost-config", "-Ztarget-applies-to-host", - "--config=host.rustflags=[\"--cfg=kani\"]", + "--config=host.rustflags=[\"--cfg=kani_host\"]", ] .map(OsString::from) .to_vec() @@ -296,13 +377,16 @@ fn validate_package_names(package_names: &[String], packages: &[Package]) -> Res } /// Extract the packages that should be verified. -/// If `--package ` is given, return the list of packages selected. -/// If `--exclude ` is given, return the list of packages not excluded. -/// If `--workspace` is given, return the list of workspace members. -/// If no argument provided, return the root package if there's one or all members. +/// +/// The result is build following these rules: +/// - If `--package ` is given, return the list of packages selected. +/// - If `--exclude ` is given, return the list of packages not excluded. +/// - If `--workspace` is given, return the list of workspace members. +/// - If no argument provided, return the root package if there's one or all members. /// - I.e.: Do whatever cargo does when there's no `default_members`. /// - This is because `default_members` is not available in cargo metadata. /// See . +/// /// In addition, if either `--package ` or `--exclude ` is given, /// validate that `` is a package name in the workspace, or return an error /// otherwise. @@ -488,7 +572,7 @@ fn package_targets(args: &VerificationArgs, package: &Package) -> Vec>, /// The `Result` properties in detail or the exit_status of CBMC. /// Note: CBMC process exit status is only potentially useful if `status` is `Failure`. /// Kani will see CBMC report "failure" that's actually success (interpreting "failed" @@ -185,7 +182,9 @@ impl KaniSession { } if self.args.checks.unwinding_on() { + // TODO: With CBMC v6 the below can be removed as those are defaults. args.push("--unwinding-assertions".into()); + args.push("--no-self-loops-to-assumptions".into()); } if self.args.extra_pointer_checks { @@ -254,7 +253,7 @@ impl VerificationResult { start_time: Instant, ) -> VerificationResult { let runtime = start_time.elapsed(); - let (items, results) = extract_results(output.processed_items); + let (_, results) = extract_results(output.processed_items); if let Some(results) = results { let (status, failed_properties) = @@ -262,7 +261,6 @@ impl VerificationResult { VerificationResult { status, failed_properties, - messages: Some(items), results: Ok(results), runtime, generated_concrete_test: false, @@ -272,7 +270,6 @@ impl VerificationResult { VerificationResult { status: VerificationStatus::Failure, failed_properties: FailedProperties::Other, - messages: Some(items), results: Err(output.process_status), runtime, generated_concrete_test: false, @@ -284,7 +281,6 @@ impl VerificationResult { VerificationResult { status: VerificationStatus::Success, failed_properties: FailedProperties::None, - messages: None, results: Ok(vec![]), runtime: Duration::from_secs(0), generated_concrete_test: false, @@ -295,7 +291,6 @@ impl VerificationResult { VerificationResult { status: VerificationStatus::Failure, failed_properties: FailedProperties::Other, - messages: None, // on failure, exit codes in theory might be used, // but `mock_failure` should never be used in a context where they will, // so again use something weird: diff --git a/kani-driver/src/call_single_file.rs b/kani-driver/src/call_single_file.rs index 9b6e0598daa5..7992543cdaa1 100644 --- a/kani-driver/src/call_single_file.rs +++ b/kani-driver/src/call_single_file.rs @@ -2,12 +2,46 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use anyhow::Result; +use kani_metadata::UnstableFeature; use std::ffi::OsString; use std::path::{Path, PathBuf}; use std::process::Command; use crate::session::{lib_folder, KaniSession}; +pub struct LibConfig { + args: Vec, +} + +impl LibConfig { + pub fn new(path: PathBuf) -> LibConfig { + let sysroot = &path.parent().unwrap(); + let kani_std_rlib = path.join("libstd.rlib"); + let kani_std_wrapper = format!("noprelude:std={}", kani_std_rlib.to_str().unwrap()); + let args = [ + "--sysroot", + sysroot.to_str().unwrap(), + "-L", + path.to_str().unwrap(), + "--extern", + "kani", + "--extern", + kani_std_wrapper.as_str(), + ] + .map(OsString::from) + .to_vec(); + LibConfig { args } + } + + pub fn new_no_core(path: PathBuf) -> LibConfig { + LibConfig { + args: ["-L", path.to_str().unwrap(), "--extern", "kani_core"] + .map(OsString::from) + .to_vec(), + } + } +} + impl KaniSession { /// Used by `kani` and not `cargo-kani` to process a single Rust file into a `.symtab.json` // TODO: Move these functions to be part of the builder. @@ -20,7 +54,8 @@ impl KaniSession { let mut kani_args = self.kani_compiler_flags(); kani_args.push(format!("--reachability={}", self.reachability_mode())); - let mut rustc_args = self.kani_rustc_flags(); + let lib_path = lib_folder().unwrap(); + let mut rustc_args = self.kani_rustc_flags(LibConfig::new(lib_path)); rustc_args.push(file.into()); rustc_args.push("--out-dir".into()); rustc_args.push(OsString::from(outdir.as_os_str())); @@ -100,6 +135,18 @@ impl KaniSession { flags.push("--coverage-checks".into()); } + if self.args.common_args.unstable_features.contains(UnstableFeature::ValidValueChecks) { + flags.push("--ub-check=validity".into()) + } + + if self.args.common_args.unstable_features.contains(UnstableFeature::PtrToRefCastChecks) { + flags.push("--ub-check=ptr_to_ref_cast".into()) + } + + if self.args.ignore_locals_lifetime { + flags.push("--ignore-storage-markers".into()) + } + flags.extend(self.args.common_args.unstable_features.as_arguments().map(str::to_string)); // This argument will select the Kani flavour of the compiler. It will be removed before @@ -110,9 +157,8 @@ impl KaniSession { } /// This function generates all rustc configurations required by our goto-c codegen. - pub fn kani_rustc_flags(&self) -> Vec { - let lib_path = lib_folder().unwrap(); - let mut flags: Vec<_> = base_rustc_flags(lib_path); + pub fn kani_rustc_flags(&self, lib_config: LibConfig) -> Vec { + let mut flags: Vec<_> = base_rustc_flags(lib_config); // We only use panic abort strategy for verification since we cannot handle unwind logic. flags.extend_from_slice( &[ @@ -122,6 +168,9 @@ impl KaniSession { "symbol-mangling-version=v0", "-Z", "panic_abort_tests=yes", + "-Z", + "mir-enable-passes=-RemoveStorageMarkers", + "--check-cfg=cfg(kani)", ] .map(OsString::from), ); @@ -135,6 +184,10 @@ impl KaniSession { } } + if self.args.coverage { + flags.push("-Zmir-enable-passes=-SingleUseConsts".into()); + } + // This argument will select the Kani flavour of the compiler. It will be removed before // rustc driver is invoked. flags.push("--kani-compiler".into()); @@ -144,10 +197,7 @@ impl KaniSession { } /// Common flags used for compiling user code for verification and playback flow. -pub fn base_rustc_flags(lib_path: PathBuf) -> Vec { - let kani_std_rlib = lib_path.join("libstd.rlib"); - let kani_std_wrapper = format!("noprelude:std={}", kani_std_rlib.to_str().unwrap()); - let sysroot = lib_path.parent().unwrap(); +pub fn base_rustc_flags(lib_config: LibConfig) -> Vec { let mut flags = [ "-C", "overflow-checks=on", @@ -164,18 +214,12 @@ pub fn base_rustc_flags(lib_path: PathBuf) -> Vec { "crate-attr=feature(register_tool)", "-Z", "crate-attr=register_tool(kanitool)", - "--sysroot", - sysroot.to_str().unwrap(), - "-L", - lib_path.to_str().unwrap(), - "--extern", - "kani", - "--extern", - kani_std_wrapper.as_str(), ] .map(OsString::from) .to_vec(); + flags.extend(lib_config.args); + // e.g. compiletest will set 'compile-flags' here and we should pass those down to rustc // and we fail in `tests/kani/Match/match_bool.rs` if let Ok(str) = std::env::var("RUSTFLAGS") { diff --git a/kani-driver/src/cbmc_output_parser.rs b/kani-driver/src/cbmc_output_parser.rs index 1bb353d7d4c0..127f98beab56 100644 --- a/kani-driver/src/cbmc_output_parser.rs +++ b/kani-driver/src/cbmc_output_parser.rs @@ -287,9 +287,7 @@ fn filepath(file: String) -> String { #[derive(Clone, Debug, Deserialize)] #[serde(rename_all = "camelCase")] pub struct TraceItem { - pub thread: u32, pub step_type: String, - pub hidden: bool, pub lhs: Option, pub source_location: Option, pub value: Option, @@ -301,7 +299,6 @@ pub struct TraceItem { /// The fields included right now are relevant to primitive types. #[derive(Clone, Debug, Deserialize)] pub struct TraceValue { - pub name: String, pub binary: Option, pub data: Option, pub width: Option, diff --git a/kani-driver/src/cbmc_property_renderer.rs b/kani-driver/src/cbmc_property_renderer.rs index 62ef748a1ad5..4f32028b5866 100644 --- a/kani-driver/src/cbmc_property_renderer.rs +++ b/kani-driver/src/cbmc_property_renderer.rs @@ -162,7 +162,7 @@ enum CoverageStatus { const UNSUPPORTED_CONSTRUCT_DESC: &str = "is not currently supported by Kani"; const UNWINDING_ASSERT_DESC: &str = "unwinding assertion loop"; const UNWINDING_ASSERT_REC_DESC: &str = "recursion unwinding assertion"; -const DEFAULT_ASSERTION: &str = "assertion"; +const UNDEFINED_FUNCTION_DESC: &str = "undefined function should be unreachable"; impl ParserItem { /// Determines if an item must be skipped or not. @@ -618,8 +618,7 @@ fn modify_undefined_function_checks(mut properties: Vec) -> (Vec `UNCOVERED` /// - `FAILURE` -> `COVERED` +/// /// Note that these statuses are intermediate statuses that aren't reported to /// users but rather internally consumed and reported finally as `PARTIAL`, `FULL` /// or `NONE` based on aggregated line coverage results. @@ -720,9 +720,10 @@ fn update_results_of_code_covererage_checks(mut properties: Vec) -> Ve /// Update the results of cover properties. /// We encode cover(cond) as assert(!cond), so if the assertion -/// fails, then the cover property is satisfied and vice versa. +/// fails, then the cover property is satisfied and vice versa: /// - SUCCESS -> UNSATISFIABLE /// - FAILURE -> SATISFIED +/// /// Note that if the cover property was unreachable, its status at this point /// will be `CheckStatus::Unreachable` and not `CheckStatus::Success` since /// `update_properties_with_reach_status` is called beforehand @@ -837,7 +838,7 @@ fn annotate_properties_with_reach_results( let prop_match_id = check_marker_pat.captures(description.as_str()).unwrap().get(0).unwrap().as_str(); // Get the status associated to the ID we captured - let reach_status_opt = reach_map.get(&prop_match_id.to_string()); + let reach_status_opt = reach_map.get(prop_match_id); // Update the reachability status of the property if let Some(reach_status) = reach_status_opt { prop.reach = Some(*reach_status); diff --git a/kani-driver/src/concrete_playback/playback.rs b/kani-driver/src/concrete_playback/playback.rs index 96ed30da904d..c56694ad32fd 100644 --- a/kani-driver/src/concrete_playback/playback.rs +++ b/kani-driver/src/concrete_playback/playback.rs @@ -6,8 +6,8 @@ use crate::args::common::Verbosity; use crate::args::playback_args::{CargoPlaybackArgs, KaniPlaybackArgs, MessageFormat}; use crate::call_cargo::cargo_config_args; -use crate::call_single_file::base_rustc_flags; -use crate::session::{lib_playback_folder, InstallType}; +use crate::call_single_file::{base_rustc_flags, LibConfig}; +use crate::session::{lib_playback_folder, setup_cargo_command, InstallType}; use crate::{session, util}; use anyhow::Result; use std::ffi::OsString; @@ -17,8 +17,7 @@ use std::process::Command; use tracing::debug; pub fn playback_cargo(args: CargoPlaybackArgs) -> Result<()> { - let install = InstallType::new()?; - cargo_test(&install, args) + cargo_test(args) } pub fn playback_standalone(args: KaniPlaybackArgs) -> Result<()> { @@ -71,7 +70,7 @@ fn build_test(install: &InstallType, args: &KaniPlaybackArgs) -> Result util::info_operation("Building", args.input.to_string_lossy().deref()); } - let mut rustc_args = base_rustc_flags(lib_playback_folder()?); + let mut rustc_args = base_rustc_flags(LibConfig::new(lib_playback_folder()?)); rustc_args.push("--test".into()); rustc_args.push(OsString::from(&args.input)); rustc_args.push(format!("--crate-name={TEST_BIN_NAME}").into()); @@ -93,10 +92,11 @@ fn build_test(install: &InstallType, args: &KaniPlaybackArgs) -> Result } /// Invokes cargo test using Kani compiler and the provided arguments. -/// TODO: This should likely be inside KaniSession, but KaniSession requires `VerificationArgs` today. -/// For now, we just use InstallType directly. -fn cargo_test(install: &InstallType, args: CargoPlaybackArgs) -> Result<()> { - let rustc_args = base_rustc_flags(lib_playback_folder()?); +fn cargo_test(args: CargoPlaybackArgs) -> Result<()> { + let install = InstallType::new()?; + let mut cmd = setup_cargo_command()?; + + let rustc_args = base_rustc_flags(LibConfig::new(lib_playback_folder()?)); let mut cargo_args: Vec = vec!["test".into()]; if args.playback.common_opts.verbose() { @@ -123,9 +123,7 @@ fn cargo_test(install: &InstallType, args: CargoPlaybackArgs) -> Result<()> { } // Arguments that will only be passed to the target package. - let mut cmd = Command::new("cargo"); - cmd.arg(session::toolchain_shorthand()) - .args(&cargo_args) + cmd.args(&cargo_args) .env("RUSTC", &install.kani_compiler()?) // Use CARGO_ENCODED_RUSTFLAGS instead of RUSTFLAGS is preferred. See // https://doc.rust-lang.org/cargo/reference/environment-variables.html diff --git a/kani-driver/src/concrete_playback/test_generator.rs b/kani-driver/src/concrete_playback/test_generator.rs index 53c3a92dd94c..dbd2fb9e03d2 100644 --- a/kani-driver/src/concrete_playback/test_generator.rs +++ b/kani-driver/src/concrete_playback/test_generator.rs @@ -588,9 +588,7 @@ mod tests { line: None, }, trace: Some(vec![TraceItem { - thread: 0, step_type: "assignment".to_string(), - hidden: false, lhs: Some("goto_symex$$return_value".to_string()), source_location: Some(SourceLocation { column: None, @@ -599,7 +597,6 @@ mod tests { line: None, }), value: Some(TraceValue { - name: "".to_string(), binary: Some("0000001100000001".to_string()), data: Some(TraceData::NonBool("385".to_string())), width: Some(16), diff --git a/kani-driver/src/main.rs b/kani-driver/src/main.rs index 1d2afa177ca9..3bb38ed1294c 100644 --- a/kani-driver/src/main.rs +++ b/kani-driver/src/main.rs @@ -1,7 +1,6 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT #![feature(let_chains)] -#![feature(array_methods)] use std::ffi::OsString; use std::process::ExitCode; @@ -95,17 +94,28 @@ fn standalone_main() -> Result<()> { let args = args::StandaloneArgs::parse(); check_is_valid(&args); - if let Some(StandaloneSubcommand::Playback(args)) = args.command { - return playback_standalone(*args); - } - - let session = session::KaniSession::new(args.verify_opts)?; + let (session, project) = match args.command { + Some(StandaloneSubcommand::Playback(args)) => return playback_standalone(*args), + Some(StandaloneSubcommand::VerifyStd(args)) => { + let session = KaniSession::new(args.verify_opts)?; + if !session.args.common_args.quiet { + print_kani_version(InvocationType::Standalone); + } - if !session.args.common_args.quiet { - print_kani_version(InvocationType::Standalone); - } - - let project = project::standalone_project(&args.input.unwrap(), &session)?; + let project = project::std_project(&args.std_path, &session)?; + (session, project) + } + None => { + let session = KaniSession::new(args.verify_opts)?; + if !session.args.common_args.quiet { + print_kani_version(InvocationType::Standalone); + } + + let project = + project::standalone_project(&args.input.unwrap(), args.crate_name, &session)?; + (session, project) + } + }; if session.args.only_codegen { Ok(()) } else { verify_project(project, session) } } diff --git a/kani-driver/src/project.rs b/kani-driver/src/project.rs index b99a7e9aff07..dfcc9eb3ac46 100644 --- a/kani-driver/src/project.rs +++ b/kani-driver/src/project.rs @@ -18,11 +18,13 @@ use crate::metadata::{from_json, merge_kani_metadata, mock_proof_harness}; use crate::session::KaniSession; -use crate::util::{crate_name, guess_rlib_name}; +use crate::util::crate_name; use anyhow::{Context, Result}; use kani_metadata::{ artifact::convert_type, ArtifactType, ArtifactType::*, HarnessMetadata, KaniMetadata, }; +use std::env::current_dir; +use std::fs; use std::fs::File; use std::io::BufWriter; use std::ops::Deref; @@ -270,8 +272,12 @@ pub fn cargo_project(session: &KaniSession, keep_going: bool) -> Result } /// Generate a project directly using `kani-compiler` on a single crate. -pub fn standalone_project(input: &Path, session: &KaniSession) -> Result { - StandaloneProjectBuilder::try_new(input, session)?.build() +pub fn standalone_project( + input: &Path, + crate_name: Option, + session: &KaniSession, +) -> Result { + StandaloneProjectBuilder::try_new(input, crate_name, session)?.build() } /// Builder for a standalone project. @@ -291,7 +297,7 @@ struct StandaloneProjectBuilder<'a> { impl<'a> StandaloneProjectBuilder<'a> { /// Create a `StandaloneProjectBuilder` from the given input and session. /// This will perform a few validations before the build. - fn try_new(input: &Path, session: &'a KaniSession) -> Result { + fn try_new(input: &Path, krate_name: Option, session: &'a KaniSession) -> Result { // Ensure the directory exist and it's in its canonical form. let outdir = if let Some(target_dir) = &session.args.target_dir { std::fs::create_dir_all(target_dir)?; // This is a no-op if directory exists. @@ -299,7 +305,7 @@ impl<'a> StandaloneProjectBuilder<'a> { } else { input.canonicalize().unwrap().parent().unwrap().to_path_buf() }; - let crate_name = crate_name(&input); + let crate_name = if let Some(name) = krate_name { name } else { crate_name(&input) }; let metadata = standalone_artifact(&outdir, &crate_name, Metadata); Ok(StandaloneProjectBuilder { outdir, @@ -313,7 +319,7 @@ impl<'a> StandaloneProjectBuilder<'a> { /// Build a project by compiling `self.input` file. fn build(self) -> Result { // Register artifacts that may be generated by the compiler / linker for future deletion. - let rlib_path = guess_rlib_name(&self.outdir.join(self.input.file_name().unwrap())); + let rlib_path = self.rlib_name(); self.session.record_temporary_file(&rlib_path); self.session.record_temporary_file(&self.metadata.path); @@ -339,6 +345,17 @@ impl<'a> StandaloneProjectBuilder<'a> { } result } + + /// Build the rlib name from the crate name. + /// This is only used by 'kani', never 'cargo-kani', so we hopefully don't have too many corner + /// cases to deal with. + fn rlib_name(&self) -> PathBuf { + let path = &self.outdir.join(self.input.file_name().unwrap()); + let basedir = path.parent().unwrap_or(Path::new(".")); + let rlib_name = format!("lib{}.rlib", self.crate_name); + + basedir.join(rlib_name) + } } /// Generate a `KaniMetadata` by extending the original metadata to contain the function under @@ -368,3 +385,33 @@ fn standalone_artifact(out_dir: &Path, crate_name: &String, typ: ArtifactType) - let _ = path.set_extension(typ); Artifact { path, typ } } + +/// Verify the custom version of the standard library in the given path. +/// +/// Note that we assume that `std_path` points to a directory named "library". +/// This should be checked as part of the argument validation. +pub(crate) fn std_project(std_path: &Path, session: &KaniSession) -> Result { + // Create output directory + let outdir = if let Some(target_dir) = &session.args.target_dir { + target_dir.clone() + } else { + current_dir()?.join("target") + }; + fs::create_dir_all(&outdir)?; // This is a no-op if directory exists. + let outdir = outdir.canonicalize()?; + + // Create dummy crate needed to build using `cargo -Z build-std` + let dummy_crate = outdir.join("kani_verify_std"); + if dummy_crate.exists() { + fs::remove_dir_all(&dummy_crate)?; + } + session.cargo_init_lib(&dummy_crate)?; + + // Build cargo project for dummy crate. + let std_path = std_path.canonicalize()?; + let outputs = session.cargo_build_std(std_path.parent().unwrap(), &dummy_crate)?; + + // Get the metadata and return a Kani project. + let metadata = outputs.iter().map(|md_file| from_json(md_file)).collect::>>()?; + Project::try_new(session, outdir, metadata, None, None) +} diff --git a/kani-driver/src/session.rs b/kani-driver/src/session.rs index 5b9b90854789..bf02aaef7426 100644 --- a/kani-driver/src/session.rs +++ b/kani-driver/src/session.rs @@ -280,6 +280,11 @@ pub fn lib_playback_folder() -> Result { Ok(base_folder()?.join("playback/lib")) } +/// Return the path for the folder where the pre-compiled rust libraries with no_core. +pub fn lib_no_core_folder() -> Result { + Ok(base_folder()?.join("no_core/lib")) +} + /// Return the base folder for the entire kani installation. pub fn base_folder() -> Result { Ok(bin_folder()? @@ -379,3 +384,25 @@ fn init_logger(args: &VerificationArgs) { ); tracing::subscriber::set_global_default(subscriber).unwrap(); } + +// Setup the default version of cargo being run, based on the type/mode of installation for kani +// If kani is being run in developer mode, then we use the one provided by rustup as we can assume that the developer will have rustup installed +// For release versions of Kani, we use a version of cargo that's in the toolchain that's been symlinked during `cargo-kani` setup. This will allow +// Kani to remove the runtime dependency on rustup later on. +pub fn setup_cargo_command() -> Result { + let install_type = InstallType::new()?; + + let cmd = match install_type { + InstallType::DevRepo(_) => { + let mut cmd = Command::new("cargo"); + cmd.arg(self::toolchain_shorthand()); + cmd + } + InstallType::Release(kani_dir) => { + let cargo_path = kani_dir.join("toolchain").join("bin").join("cargo"); + Command::new(cargo_path) + } + }; + + Ok(cmd) +} diff --git a/kani-driver/src/util.rs b/kani-driver/src/util.rs index 1e0957dc7726..bfbf9e8d04e1 100644 --- a/kani-driver/src/util.rs +++ b/kani-driver/src/util.rs @@ -26,18 +26,6 @@ pub fn crate_name(path: &Path) -> String { stem.replace(['-', '.'], "_") } -/// Attempt to guess the rlib name for rust source file. -/// This is only used by 'kani', never 'cargo-kani', so we hopefully don't have too many corner -/// cases to deal with. -/// In rustc, you can find some code dealing this this naming in: -/// compiler/rustc_codegen_ssa/src/back/link.rs -pub fn guess_rlib_name(path: &Path) -> PathBuf { - let basedir = path.parent().unwrap_or(Path::new(".")); - let rlib_name = format!("lib{}.rlib", crate_name(path)); - - basedir.join(rlib_name) -} - /// Given a path of some sort (usually from argv0), this attempts to extract the basename / stem /// of the executable. e.g. "/path/foo -> foo" "./foo.exe -> foo" "foo -> foo" pub fn executable_basename(argv0: &Option<&OsString>) -> Option { @@ -117,14 +105,6 @@ mod tests { assert_eq!(alter_extension(&q, "symtab.json"), PathBuf::from("file.more.symtab.json")); } - #[test] - fn check_guess_rlib_name() { - assert_eq!(guess_rlib_name(Path::new("mycrate.rs")), PathBuf::from("libmycrate.rlib")); - assert_eq!(guess_rlib_name(Path::new("my-crate.rs")), PathBuf::from("libmy_crate.rlib")); - assert_eq!(guess_rlib_name(Path::new("./foo.rs")), PathBuf::from("./libfoo.rlib")); - assert_eq!(guess_rlib_name(Path::new("a/b/foo.rs")), PathBuf::from("a/b/libfoo.rlib")); - } - #[test] fn check_exe_basename() { assert_eq!( diff --git a/kani_metadata/Cargo.toml b/kani_metadata/Cargo.toml index 2d40d61c898b..f9d701018367 100644 --- a/kani_metadata/Cargo.toml +++ b/kani_metadata/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani_metadata" -version = "0.45.0" +version = "0.52.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -13,6 +13,6 @@ publish = false [dependencies] serde = {version = "1", features = ["derive"]} cbmc = { path = "../cprover_bindings", package = "cprover_bindings" } -strum = "0.25.0" -strum_macros = "0.25.2" +strum = "0.26" +strum_macros = "0.26" clap = { version = "4.4.11", features = ["derive"] } diff --git a/kani_metadata/src/cbmc_solver.rs b/kani_metadata/src/cbmc_solver.rs index f6c5c0a54dc4..5265c6f17fa7 100644 --- a/kani_metadata/src/cbmc_solver.rs +++ b/kani_metadata/src/cbmc_solver.rs @@ -2,22 +2,12 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT use serde::{Deserialize, Serialize}; -use strum_macros::{AsRefStr, EnumString, EnumVariantNames}; +use strum_macros::{AsRefStr, EnumString, VariantNames}; /// An enum for CBMC solver options. All variants are handled by Kani, except for /// the `Binary` one, which it passes as is to CBMC's `--external-sat-solver` /// option. -#[derive( - Debug, - Clone, - AsRefStr, - EnumString, - EnumVariantNames, - PartialEq, - Eq, - Serialize, - Deserialize -)] +#[derive(Debug, Clone, AsRefStr, EnumString, VariantNames, PartialEq, Eq, Serialize, Deserialize)] #[strum(serialize_all = "snake_case")] pub enum CbmcSolver { /// CaDiCaL which is available in CBMC as of version 5.77.0 diff --git a/kani_metadata/src/unstable.rs b/kani_metadata/src/unstable.rs index 060508666735..9f82e4b02a64 100644 --- a/kani_metadata/src/unstable.rs +++ b/kani_metadata/src/unstable.rs @@ -82,6 +82,17 @@ pub enum UnstableFeature { LineCoverage, /// Enable function contracts [RFC 9](https://model-checking.github.io/kani/rfc/rfcs/0009-function-contracts.html) FunctionContracts, + /// Memory predicate APIs. + MemPredicates, + /// Automatically check that no invalid value is produced which is considered UB in Rust. + /// Note that this does not include checking uninitialized value. + ValidValueChecks, + /// Ghost state and shadow memory APIs. + GhostState, + /// Automatically check that pointers are valid when casting them to references. + PtrToRefCastChecks, + /// Enable an unstable option or subcommand. + UnstableOptions, } impl UnstableFeature { diff --git a/library/kani/Cargo.toml b/library/kani/Cargo.toml index d50717ca97c6..c0f783e65315 100644 --- a/library/kani/Cargo.toml +++ b/library/kani/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani" -version = "0.45.0" +version = "0.52.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false diff --git a/library/kani/build.rs b/library/kani/build.rs new file mode 100644 index 000000000000..c094cc0254c6 --- /dev/null +++ b/library/kani/build.rs @@ -0,0 +1,7 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +fn main() { + // Make sure `kani_sysroot` is a recognized config + println!("cargo::rustc-check-cfg=cfg(kani_sysroot)"); +} diff --git a/library/kani/src/arbitrary.rs b/library/kani/src/arbitrary.rs index 938f3c30968f..3f1adc787b79 100644 --- a/library/kani/src/arbitrary.rs +++ b/library/kani/src/arbitrary.rs @@ -1,8 +1,8 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -//! This module introduces the Arbitrary trait as well as implementation for primitive types and -//! other std containers. +//! This module introduces the `Arbitrary` trait as well as implementation for +//! primitive types and other std containers. use std::{ marker::{PhantomData, PhantomPinned}, @@ -66,7 +66,7 @@ trivial_arbitrary!(i64); trivial_arbitrary!(i128); trivial_arbitrary!(isize); -// We do not constraint floating points values per type spec. Users must add assumptions to their +// We do not constrain floating points values per type spec. Users must add assumptions to their // verification code if they want to eliminate NaN, infinite, or subnormal. trivial_arbitrary!(f32); trivial_arbitrary!(f64); diff --git a/library/kani/src/contracts.rs b/library/kani/src/contracts.rs index 4f963038cab9..65b9ec7c01cc 100644 --- a/library/kani/src/contracts.rs +++ b/library/kani/src/contracts.rs @@ -51,14 +51,14 @@ //! approximation of the result of division for instance could be this: //! //! ``` -//! #[ensures(result <= dividend)] +//! #[ensures(|result : &u32| *result <= dividend)] //! ``` //! //! This is called a postcondition and it also has access to the arguments and //! is expressed in regular Rust code. The same restrictions apply as did for -//! [`requires`][macro@requires]. In addition to the arguments the postcondition -//! also has access to the value returned from the function in a variable called -//! `result`. +//! [`requires`][macro@requires]. In addition to the postcondition is expressed +//! as a closure where the value returned from the function is passed to this +//! closure by reference. //! //! You may combine as many [`requires`][macro@requires] and //! [`ensures`][macro@ensures] attributes on a single function as you please. @@ -67,7 +67,7 @@ //! //! ``` //! #[kani::requires(divisor != 0)] -//! #[kani::ensures(result <= dividend)] +//! #[kani::ensures(|result : &u32| *result <= dividend)] //! fn my_div(dividend: u32, divisor: u32) -> u32 { //! dividend / divisor //! } diff --git a/library/kani/src/internal.rs b/library/kani/src/internal.rs index d2f2970d1c05..a910c333b112 100644 --- a/library/kani/src/internal.rs +++ b/library/kani/src/internal.rs @@ -76,3 +76,17 @@ impl<'a, T> Pointer<'a> for *mut T { pub fn untracked_deref(_: &T) -> T { todo!() } + +/// CBMC contracts currently has a limitation where `free` has to be in scope. +/// However, if there is no dynamic allocation in the harness, slicing removes `free` from the +/// scope. +/// +/// Thus, this function will basically translate into: +/// ```c +/// // This is a no-op. +/// free(NULL); +/// ``` +#[inline(never)] +#[doc(hidden)] +#[rustc_diagnostic_item = "KaniInitContracts"] +pub fn init_contracts() {} diff --git a/library/kani/src/invariant.rs b/library/kani/src/invariant.rs new file mode 100644 index 000000000000..f118f94e995c --- /dev/null +++ b/library/kani/src/invariant.rs @@ -0,0 +1,102 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This module introduces the `Invariant` trait as well as its implementation +//! for primitive types. + +/// This trait should be used to specify and check type safety invariants for a +/// type. For type invariants, we refer to the definitions in the Rust's Unsafe +/// Code Guidelines Reference: +/// +/// +/// In summary, the reference distinguishes two kinds of type invariants: +/// - *Validity invariant*: An invariant that all data must uphold any time +/// it's accessed or copied in a typed manner. This invariant is exploited by +/// the compiler to perform optimizations. +/// - *Safety invariant*: An invariant that safe code may assume all data to +/// uphold. This invariant can be temporarily violated by unsafe code, but +/// must always be upheld when interfacing with unknown safe code. +/// +/// Therefore, validity invariants must be upheld at all times, while safety +/// invariants only need to be upheld at the boundaries to safe code. +/// +/// Safety invariants are particularly interesting for user-defined types, and +/// the `Invariant` trait allows you to check them with Kani. +/// +/// It can also be used in tests. It's a programmatic way to specify (in Rust) +/// properties over your data types. Since it's written in Rust, it can be used +/// for static and dynamic checking. +/// +/// For example, let's say you're creating a type that represents a date: +/// +/// ```rust +/// #[derive(kani::Arbitrary)] +/// pub struct MyDate { +/// day: u8, +/// month: u8, +/// year: i64, +/// } +/// ``` +/// You can specify its safety invariant as: +/// ```rust +/// impl kani::Invariant for MyDate { +/// fn is_safe(&self) -> bool { +/// self.month > 0 +/// && self.month <= 12 +/// && self.day > 0 +/// && self.day <= days_in_month(self.year, self.month) +/// } +/// } +/// ``` +/// And use it to check that your APIs are safe: +/// ```rust +/// #[kani::proof] +/// fn check_increase_date() { +/// let mut date: MyDate = kani::any(); +/// // Increase date by one day +/// increase_date(date, 1); +/// assert!(date.is_safe()); +/// } +/// ``` +pub trait Invariant +where + Self: Sized, +{ + fn is_safe(&self) -> bool; +} + +/// Any value is considered safe for the type +macro_rules! trivial_invariant { + ( $type: ty ) => { + impl Invariant for $type { + #[inline(always)] + fn is_safe(&self) -> bool { + true + } + } + }; +} + +trivial_invariant!(u8); +trivial_invariant!(u16); +trivial_invariant!(u32); +trivial_invariant!(u64); +trivial_invariant!(u128); +trivial_invariant!(usize); + +trivial_invariant!(i8); +trivial_invariant!(i16); +trivial_invariant!(i32); +trivial_invariant!(i64); +trivial_invariant!(i128); +trivial_invariant!(isize); + +// We do not constrain the safety invariant for floating points types. +// Users can create a new type wrapping the floating point type and define an +// invariant that checks for NaN, infinite, or subnormal values. +trivial_invariant!(f32); +trivial_invariant!(f64); + +trivial_invariant!(()); +trivial_invariant!(bool); +trivial_invariant!(char); diff --git a/library/kani/src/lib.rs b/library/kani/src/lib.rs index e3456f69fbb3..acf1e08e0441 100644 --- a/library/kani/src/lib.rs +++ b/library/kani/src/lib.rs @@ -13,14 +13,19 @@ // Used to model simd. #![feature(repr_simd)] // Features used for tests only. -#![cfg_attr(test, feature(platform_intrinsics, portable_simd))] -// Required for rustc_diagnostic_item +#![cfg_attr(test, feature(core_intrinsics, portable_simd))] +// Required for `rustc_diagnostic_item` and `core_intrinsics` #![allow(internal_features)] +// Required for implementing memory predicates. +#![feature(ptr_metadata)] pub mod arbitrary; #[cfg(feature = "concrete_playback")] mod concrete_playback; pub mod futures; +pub mod invariant; +pub mod mem; +pub mod shadow; pub mod slice; pub mod tuple; pub mod vec; @@ -33,6 +38,8 @@ mod models; pub use arbitrary::Arbitrary; #[cfg(feature = "concrete_playback")] pub use concrete_playback::concrete_playback_run; +pub use invariant::Invariant; + #[cfg(not(feature = "concrete_playback"))] /// NOP `concrete_playback` for type checking during verification mode. pub fn concrete_playback_run(_: Vec>, _: F) { @@ -80,18 +87,12 @@ pub fn assume(cond: bool) { /// `implies!(premise => conclusion)` means that if the `premise` is true, so /// must be the `conclusion`. /// -/// This simply expands to `!premise || conclusion` and is intended to be used -/// in function contracts to make them more readable, as the concept of an -/// implication is more natural to think about than its expansion. -/// -/// For further convenience multiple comma separated premises are allowed, and -/// are joined with `||` in the expansion. E.g. `implies!(a, b => c)` expands to -/// `!a || !b || c` and says that `c` is true if both `a` and `b` are true (see -/// also [Horn Clauses](https://en.wikipedia.org/wiki/Horn_clause)). +/// This simply expands to `!premise || conclusion` and is intended to make checks more readable, +/// as the concept of an implication is more natural to think about than its expansion. #[macro_export] macro_rules! implies { - ($($premise:expr),+ => $conclusion:expr) => { - $(!$premise)||+ || ($conclusion) + ($premise:expr => $conclusion:expr) => { + !($premise) || ($conclusion) }; } @@ -158,11 +159,27 @@ pub const fn cover(_cond: bool, _msg: &'static str) {} /// Note: This is a safe construct and can only be used with types that implement the `Arbitrary` /// trait. The Arbitrary trait is used to build a symbolic value that represents all possible /// valid values for type `T`. +#[rustc_diagnostic_item = "KaniAny"] #[inline(always)] pub fn any() -> T { T::any() } +/// This function is only used for function contract instrumentation. +/// It behaves exaclty like `kani::any()`, except it will check for the trait bounds +/// at compilation time. It allows us to avoid type checking errors while using function +/// contracts only for verification. +#[rustc_diagnostic_item = "KaniAnyModifies"] +#[inline(never)] +#[doc(hidden)] +pub fn any_modifies() -> T { + // This function should not be reacheable. + // Users must include `#[kani::recursion]` in any function contracts for recursive functions; + // otherwise, this might not be properly instantiate. We mark this as unreachable to make + // sure Kani doesn't report any false positives. + unreachable!() +} + /// This creates a symbolic *valid* value of type `T`. /// The value is constrained to be a value accepted by the predicate passed to the filter. /// You can assign the return value of this function to a variable that you want to make symbolic. @@ -217,13 +234,7 @@ pub(crate) unsafe fn any_raw_internal() -> T { #[inline(never)] #[allow(dead_code)] fn any_raw_inner() -> T { - // while we could use `unreachable!()` or `panic!()` as the body of this - // function, both cause Kani to produce a warning on any program that uses - // kani::any() (see https://github.com/model-checking/kani/issues/2010). - // This function is handled via a hook anyway, so we just need to put a body - // that rustc does not complain about. An infinite loop works out nicely. - #[allow(clippy::empty_loop)] - loop {} + kani_intrinsic() } /// Function used to generate panic with a static message as this is the only one currently @@ -239,6 +250,20 @@ pub const fn panic(message: &'static str) -> ! { panic!("{}", message) } +/// An empty body that can be used to define Kani intrinsic functions. +/// +/// A Kani intrinsic is a function that is interpreted by Kani compiler. +/// While we could use `unreachable!()` or `panic!()` as the body of a kani intrinsic +/// function, both cause Kani to produce a warning since we don't support caller location. +/// (see https://github.com/model-checking/kani/issues/2010). +/// +/// This function is dead, since its caller is always handled via a hook anyway, +/// so we just need to put a body that rustc does not complain about. +/// An infinite loop works out nicely. +fn kani_intrinsic() -> T { + #[allow(clippy::empty_loop)] + loop {} +} /// A macro to check if a condition is satisfiable at a specific location in the /// code. /// @@ -298,4 +323,6 @@ pub use core::assert as __kani__workaround_core_assert; // Kani proc macros must be in a separate crate pub use kani_macros::*; +pub(crate) use kani_macros::unstable_feature as unstable; + pub mod contracts; diff --git a/library/kani/src/mem.rs b/library/kani/src/mem.rs new file mode 100644 index 000000000000..c40a1aa696e3 --- /dev/null +++ b/library/kani/src/mem.rs @@ -0,0 +1,401 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains functions useful for checking unsafe memory access. +//! +//! Given the following validity rules provided in the Rust documentation: +//! (accessed Feb 6th, 2024) +//! +//! 1. A null pointer is never valid, not even for accesses of size zero. +//! 2. For a pointer to be valid, it is necessary, but not always sufficient, that the pointer +//! be dereferenceable: the memory range of the given size starting at the pointer must all be +//! within the bounds of a single allocated object. Note that in Rust, every (stack-allocated) +//! variable is considered a separate allocated object. +//! ~~Even for operations of size zero, the pointer must not be pointing to deallocated memory, +//! i.e., deallocation makes pointers invalid even for zero-sized operations.~~ +//! ZST access is not OK for any pointer. +//! See: +//! 3. However, casting any non-zero integer literal to a pointer is valid for zero-sized +//! accesses, even if some memory happens to exist at that address and gets deallocated. +//! This corresponds to writing your own allocator: allocating zero-sized objects is not very +//! hard. The canonical way to obtain a pointer that is valid for zero-sized accesses is +//! `NonNull::dangling`. +//! 4. All accesses performed by functions in this module are non-atomic in the sense of atomic +//! operations used to synchronize between threads. +//! This means it is undefined behavior to perform two concurrent accesses to the same location +//! from different threads unless both accesses only read from memory. +//! Notice that this explicitly includes `read_volatile` and `write_volatile`: +//! Volatile accesses cannot be used for inter-thread synchronization. +//! 5. The result of casting a reference to a pointer is valid for as long as the underlying +//! object is live and no reference (just raw pointers) is used to access the same memory. +//! That is, reference and pointer accesses cannot be interleaved. +//! +//! Kani is able to verify #1 and #2 today. +//! +//! For #3, we are overly cautious, and Kani will only consider zero-sized pointer access safe if +//! the address matches `NonNull::<()>::dangling()`. +//! The way Kani tracks provenance is not enough to check if the address was the result of a cast +//! from a non-zero integer literal. + +use crate::kani_intrinsic; +use crate::mem::private::Internal; +use std::mem::{align_of, size_of}; +use std::ptr::{DynMetadata, NonNull, Pointee}; + +/// Check if the pointer is valid for write access according to [crate::mem] conditions 1, 2 +/// and 3. +/// +/// Note this function also checks for pointer alignment. Use [self::can_write_unaligned] +/// if you don't want to fail for unaligned pointers. +/// +/// This function does not check if the value stored is valid for the given type. Use +/// [self::can_dereference] for that. +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +pub fn can_write(ptr: *mut T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + // The interface takes a mutable pointer to improve readability of the signature. + // However, using constant pointer avoid unnecessary instrumentation, and it is as powerful. + // Hence, cast to `*const T`. + let ptr: *const T = ptr; + let (thin_ptr, metadata) = ptr.to_raw_parts(); + metadata.is_ptr_aligned(thin_ptr, Internal) && is_inbounds(&metadata, thin_ptr) +} + +/// Check if the pointer is valid for unaligned write access according to [crate::mem] conditions +/// 1, 2 and 3. +/// +/// Note this function succeeds for unaligned pointers. See [self::can_write] if you also +/// want to check pointer alignment. +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +pub fn can_write_unaligned(ptr: *const T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + let (thin_ptr, metadata) = ptr.to_raw_parts(); + is_inbounds(&metadata, thin_ptr) +} + +/// Checks that pointer `ptr` point to a valid value of type `T`. +/// +/// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 +/// and 3, +/// and the value stored must respect the validity invariants for type `T`. +/// +/// TODO: Kani should automatically add those checks when a de-reference happens. +/// +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +#[allow(clippy::not_unsafe_ptr_arg_deref)] +pub fn can_dereference(ptr: *const T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + let (thin_ptr, metadata) = ptr.to_raw_parts(); + metadata.is_ptr_aligned(thin_ptr, Internal) + && is_inbounds(&metadata, thin_ptr) + && unsafe { has_valid_value(ptr) } +} + +/// Checks that pointer `ptr` point to a valid value of type `T`. +/// +/// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 +/// and 3, +/// and the value stored must respect the validity invariants for type `T`. +/// +/// Note this function succeeds for unaligned pointers. See [self::can_dereference] if you also +/// want to check pointer alignment. +/// +/// This function will panic today if the pointer is not null, and it points to an unallocated or +/// deallocated memory location. This is an existing Kani limitation. +/// See for more details. +#[crate::unstable( + feature = "mem-predicates", + issue = 2690, + reason = "experimental memory predicate API" +)] +#[allow(clippy::not_unsafe_ptr_arg_deref)] +pub fn can_read_unaligned(ptr: *const T) -> bool +where + T: ?Sized, + ::Metadata: PtrProperties, +{ + let (thin_ptr, metadata) = ptr.to_raw_parts(); + is_inbounds(&metadata, thin_ptr) && unsafe { has_valid_value(ptr) } +} + +/// Checks that `data_ptr` points to an allocation that can hold data of size calculated from `T`. +/// +/// This will panic if `data_ptr` points to an invalid `non_null` +fn is_inbounds(metadata: &M, data_ptr: *const ()) -> bool +where + M: PtrProperties, + T: ?Sized, +{ + let sz = metadata.pointee_size(Internal); + if sz == 0 { + true // ZST pointers are always valid including nullptr. + } else if data_ptr.is_null() { + false + } else { + // Note that this branch can't be tested in concrete execution as `is_read_ok` needs to be + // stubbed. + // We first assert that the data_ptr + crate::assert( + unsafe { is_allocated(data_ptr, 0) }, + "Kani does not support reasoning about pointer to unallocated memory", + ); + unsafe { is_allocated(data_ptr, sz) } + } +} + +mod private { + /// Define like this to restrict usage of PtrProperties functions outside Kani. + #[derive(Copy, Clone)] + pub struct Internal; +} + +/// Trait that allow us to extract information from pointers without de-referencing them. +#[doc(hidden)] +pub trait PtrProperties { + fn pointee_size(&self, _: Internal) -> usize; + + /// A pointer is aligned if its address is a multiple of its minimum alignment. + fn is_ptr_aligned(&self, ptr: *const (), internal: Internal) -> bool { + let min = self.min_alignment(internal); + ptr as usize % min == 0 + } + + fn min_alignment(&self, _: Internal) -> usize; + + fn dangling(&self, _: Internal) -> *const (); +} + +/// Get the information for sized types (they don't have metadata). +impl PtrProperties for () { + fn pointee_size(&self, _: Internal) -> usize { + size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as *const _ + } +} + +/// Get the information from the str metadata. +impl PtrProperties for usize { + #[inline(always)] + fn pointee_size(&self, _: Internal) -> usize { + *self + } + + /// String slices are a UTF-8 representation of characters that have the same layout as slices + /// of type [u8]. + /// + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } +} + +/// Get the information from the slice metadata. +impl PtrProperties<[T]> for usize { + fn pointee_size(&self, _: Internal) -> usize { + *self * size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } +} + +/// Get the information from the vtable. +impl PtrProperties for DynMetadata +where + T: ?Sized, +{ + fn pointee_size(&self, _: Internal) -> usize { + self.size_of() + } + + fn min_alignment(&self, _: Internal) -> usize { + self.align_of() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::<&T>::dangling().as_ptr() as _ + } +} + +/// Check if the pointer `_ptr` contains an allocated address of size equal or greater than `_size`. +/// +/// # Safety +/// +/// This function should only be called to ensure a pointer is always valid, i.e., in an assertion +/// context. +/// +/// I.e.: This function always returns `true` if the pointer is valid. +/// Otherwise, it returns non-det boolean. +#[rustc_diagnostic_item = "KaniIsAllocated"] +#[inline(never)] +unsafe fn is_allocated(_ptr: *const (), _size: usize) -> bool { + kani_intrinsic() +} + +/// Check if the value stored in the given location satisfies type `T` validity requirements. +/// +/// # Safety +/// +/// - Users have to ensure that the pointer is aligned the pointed memory is allocated. +#[rustc_diagnostic_item = "KaniValidValue"] +#[inline(never)] +unsafe fn has_valid_value(_ptr: *const T) -> bool { + kani_intrinsic() +} + +/// Get the object ID of the given pointer. +#[rustc_diagnostic_item = "KaniPointerObject"] +#[inline(never)] +pub fn pointer_object(_ptr: *const T) -> usize { + kani_intrinsic() +} + +/// Get the object offset of the given pointer. +#[rustc_diagnostic_item = "KaniPointerOffset"] +#[inline(never)] +pub fn pointer_offset(_ptr: *const T) -> usize { + kani_intrinsic() +} + +#[cfg(test)] +mod tests { + use super::{can_dereference, can_write, PtrProperties}; + use crate::mem::private::Internal; + use std::fmt::Debug; + use std::intrinsics::size_of; + use std::mem::{align_of, align_of_val, size_of_val}; + use std::ptr; + use std::ptr::{NonNull, Pointee}; + + fn size_of_t(ptr: *const T) -> usize + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (_, metadata) = ptr.to_raw_parts(); + metadata.pointee_size(Internal) + } + + fn align_of_t(ptr: *const T) -> usize + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (_, metadata) = ptr.to_raw_parts(); + metadata.min_alignment(Internal) + } + + #[test] + fn test_size_of() { + assert_eq!(size_of_t("hi"), size_of_val("hi")); + assert_eq!(size_of_t(&0u8), size_of_val(&0u8)); + assert_eq!(size_of_t(&0u8 as *const dyn std::fmt::Display), size_of_val(&0u8)); + assert_eq!(size_of_t(&[0u8, 1u8] as &[u8]), size_of_val(&[0u8, 1u8])); + assert_eq!(size_of_t(&[] as &[u8]), size_of_val::<[u8; 0]>(&[])); + assert_eq!( + size_of_t(NonNull::::dangling().as_ptr() as *const dyn std::fmt::Display), + size_of::() + ); + } + + #[test] + fn test_alignment() { + assert_eq!(align_of_t("hi"), align_of_val("hi")); + assert_eq!(align_of_t(&0u8), align_of_val(&0u8)); + assert_eq!(align_of_t(&0u32 as *const dyn std::fmt::Display), align_of_val(&0u32)); + assert_eq!(align_of_t(&[0isize, 1isize] as &[isize]), align_of_val(&[0isize, 1isize])); + assert_eq!(align_of_t(&[] as &[u8]), align_of_val::<[u8; 0]>(&[])); + assert_eq!( + align_of_t(NonNull::::dangling().as_ptr() as *const dyn std::fmt::Display), + align_of::() + ); + } + + #[test] + pub fn test_empty_slice() { + let slice_ptr = Vec::::new().as_mut_slice() as *mut [char]; + assert!(can_write(slice_ptr)); + } + + #[test] + pub fn test_empty_str() { + let slice_ptr = String::new().as_mut_str() as *mut str; + assert!(can_write(slice_ptr)); + } + + #[test] + fn test_dangling_zst() { + test_dangling_of_zst::<()>(); + test_dangling_of_zst::<[(); 10]>(); + } + + fn test_dangling_of_zst() { + let dangling: *mut T = NonNull::::dangling().as_ptr(); + assert!(can_write(dangling)); + + let vec_ptr = Vec::::new().as_mut_ptr(); + assert!(can_write(vec_ptr)); + } + + #[test] + fn test_null_fat_ptr() { + assert!(!can_dereference(ptr::null::() as *const dyn Debug)); + } + + #[test] + fn test_null_char() { + assert!(!can_dereference(ptr::null::())); + } + + #[test] + fn test_null_mut() { + assert!(!can_write(ptr::null_mut::())); + } +} diff --git a/library/kani/src/models/mod.rs b/library/kani/src/models/mod.rs index 194f220595c0..2081ddf639df 100644 --- a/library/kani/src/models/mod.rs +++ b/library/kani/src/models/mod.rs @@ -127,12 +127,9 @@ mod intrinsics { #[cfg(test)] mod test { use super::intrinsics as kani_intrinsic; + use std::intrinsics::simd::*; use std::{fmt::Debug, simd::*}; - extern "platform-intrinsic" { - fn simd_bitmask(x: T) -> U; - } - /// Test that the `simd_bitmask` model is equivalent to the intrinsic for all true and all false /// masks with lanes represented using i16. #[test] diff --git a/library/kani/src/shadow.rs b/library/kani/src/shadow.rs new file mode 100644 index 000000000000..a7ea57c6fd40 --- /dev/null +++ b/library/kani/src/shadow.rs @@ -0,0 +1,83 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This module contains an API for shadow memory. +//! Shadow memory is a mechanism by which we can store metadata on memory +//! locations, e.g. whether a memory location is initialized. +//! +//! The main data structure provided by this module is the `ShadowMem` struct, +//! which allows us to store metadata on a given memory location. +//! +//! # Example +//! +//! ``` +//! use kani::shadow::ShadowMem; +//! use std::alloc::{alloc, Layout}; +//! +//! let mut sm = ShadowMem::new(false); +//! +//! unsafe { +//! let ptr = alloc(Layout::new::()); +//! // assert the memory location is not initialized +//! assert!(!sm.get(ptr)); +//! // write to the memory location +//! *ptr = 42; +//! // update the shadow memory to indicate that this location is now initialized +//! sm.set(ptr, true); +//! } +//! ``` + +const MAX_NUM_OBJECTS: usize = 1024; +const MAX_OBJECT_SIZE: usize = 64; + +const MAX_NUM_OBJECTS_ASSERT_MSG: &str = "The number of objects exceeds the maximum number supported by Kani's shadow memory model (1024)"; +const MAX_OBJECT_SIZE_ASSERT_MSG: &str = + "The object size exceeds the maximum size supported by Kani's shadow memory model (64)"; + +/// A shadow memory data structure that contains a two-dimensional array of a +/// generic type `T`. +/// Each element of the outer array represents an object, and each element of +/// the inner array represents a byte in the object. +pub struct ShadowMem { + mem: [[T; MAX_OBJECT_SIZE]; MAX_NUM_OBJECTS], +} + +impl ShadowMem { + /// Create a new shadow memory instance initialized with the given value + #[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" + )] + pub const fn new(val: T) -> Self { + Self { mem: [[val; MAX_OBJECT_SIZE]; MAX_NUM_OBJECTS] } + } + + /// Get the shadow memory value of the given pointer + #[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" + )] + pub fn get(&self, ptr: *const U) -> T { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + crate::assert(obj < MAX_NUM_OBJECTS, MAX_NUM_OBJECTS_ASSERT_MSG); + crate::assert(offset < MAX_OBJECT_SIZE, MAX_OBJECT_SIZE_ASSERT_MSG); + self.mem[obj][offset] + } + + /// Set the shadow memory value of the given pointer + #[crate::unstable( + feature = "ghost-state", + issue = 3184, + reason = "experimental ghost state/shadow memory API" + )] + pub fn set(&mut self, ptr: *const U, val: T) { + let obj = crate::mem::pointer_object(ptr); + let offset = crate::mem::pointer_offset(ptr); + crate::assert(obj < MAX_NUM_OBJECTS, MAX_NUM_OBJECTS_ASSERT_MSG); + crate::assert(offset < MAX_OBJECT_SIZE, MAX_OBJECT_SIZE_ASSERT_MSG); + self.mem[obj][offset] = val; + } +} diff --git a/library/kani_core/Cargo.toml b/library/kani_core/Cargo.toml new file mode 100644 index 000000000000..6f5230c6d19b --- /dev/null +++ b/library/kani_core/Cargo.toml @@ -0,0 +1,16 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +[package] +name = "kani_core" +version = "0.52.0" +edition = "2021" +license = "MIT OR Apache-2.0" +publish = false +description = "Define core constructs to use with Kani" + +[dependencies] +kani_macros = { path = "../kani_macros", features = ["no_core"] } + +[features] +no_core=["kani_macros/no_core"] diff --git a/library/kani_core/src/arbitrary.rs b/library/kani_core/src/arbitrary.rs new file mode 100644 index 000000000000..d202df4ead1d --- /dev/null +++ b/library/kani_core/src/arbitrary.rs @@ -0,0 +1,170 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This macro generates implementations of the `Arbitrary` trait for various types. The `Arbitrary` trait defines +//! methods for generating arbitrary (unconstrained) values of the implementing type. +//! trivial_arbitrary and nonzero_arbitrary are implementations of Arbitrary for types that can be represented +//! by an unconstrained symbolic value of their size (e.g., `u8`, `u16`, `u32`, etc.). +//! +//! TODO: Use this inside kani library so that we dont have to maintain two copies of the same proc macro for arbitrary. +#[macro_export] +macro_rules! generate_arbitrary { + ($core:path) => { + use core_path::marker::{PhantomData, PhantomPinned}; + use $core as core_path; + + pub trait Arbitrary + where + Self: Sized, + { + fn any() -> Self; + #[cfg(kani_sysroot)] + fn any_array() -> [Self; MAX_ARRAY_LENGTH] + // the requirement defined in the where clause must appear on the `impl`'s method `any_array` + // but also on the corresponding trait's method + where + [(); core_path::mem::size_of::<[Self; MAX_ARRAY_LENGTH]>()]:, + { + [(); MAX_ARRAY_LENGTH].map(|_| Self::any()) + } + } + + /// The given type can be represented by an unconstrained symbolic value of size_of::. + macro_rules! trivial_arbitrary { + ( $type: ty ) => { + impl Arbitrary for $type { + #[inline(always)] + fn any() -> Self { + // This size_of call does not use generic_const_exprs feature. It's inside a macro, and Self isn't generic. + unsafe { any_raw_internal::() }>() } + } + // Disable this for standard library since we cannot enable generic constant expr. + #[cfg(kani_sysroot)] + fn any_array() -> [Self; MAX_ARRAY_LENGTH] + where + // `generic_const_exprs` requires all potential errors to be reflected in the signature/header. + // We must repeat the expression in the header, to make sure that if the body can fail the header will also fail. + [(); { core_path::mem::size_of::<[$type; MAX_ARRAY_LENGTH]>() }]:, + { + unsafe { + any_raw_internal::< + [Self; MAX_ARRAY_LENGTH], + { core_path::mem::size_of::<[Self; MAX_ARRAY_LENGTH]>() }, + >() + } + } + } + }; + } + + macro_rules! nonzero_arbitrary { + ( $type: ty, $base: ty ) => { + use core_path::num::*; + impl Arbitrary for $type { + #[inline(always)] + fn any() -> Self { + let val = <$base>::any(); + assume(val != 0); + unsafe { <$type>::new_unchecked(val) } + } + } + }; + } + + // Generate trivial arbitrary values + trivial_arbitrary!(()); + + trivial_arbitrary!(u8); + trivial_arbitrary!(u16); + trivial_arbitrary!(u32); + trivial_arbitrary!(u64); + trivial_arbitrary!(u128); + trivial_arbitrary!(usize); + + trivial_arbitrary!(i8); + trivial_arbitrary!(i16); + trivial_arbitrary!(i32); + trivial_arbitrary!(i64); + trivial_arbitrary!(i128); + trivial_arbitrary!(isize); + + nonzero_arbitrary!(NonZeroU8, u8); + nonzero_arbitrary!(NonZeroU16, u16); + nonzero_arbitrary!(NonZeroU32, u32); + nonzero_arbitrary!(NonZeroU64, u64); + nonzero_arbitrary!(NonZeroU128, u128); + nonzero_arbitrary!(NonZeroUsize, usize); + + nonzero_arbitrary!(NonZeroI8, i8); + nonzero_arbitrary!(NonZeroI16, i16); + nonzero_arbitrary!(NonZeroI32, i32); + nonzero_arbitrary!(NonZeroI64, i64); + nonzero_arbitrary!(NonZeroI128, i128); + nonzero_arbitrary!(NonZeroIsize, isize); + + // Implement arbitrary for non-trivial types + impl Arbitrary for bool { + #[inline(always)] + fn any() -> Self { + let byte = u8::any(); + assume(byte < 2); + byte == 1 + } + } + + /// Validate that a char is not outside the ranges [0x0, 0xD7FF] and [0xE000, 0x10FFFF] + /// Ref: + impl Arbitrary for char { + #[inline(always)] + fn any() -> Self { + // Generate an arbitrary u32 and constrain it to make it a valid representation of char. + + let val = u32::any(); + assume(val <= 0xD7FF || (0xE000..=0x10FFFF).contains(&val)); + unsafe { char::from_u32_unchecked(val) } + } + } + + impl Arbitrary for Option + where + T: Arbitrary, + { + fn any() -> Self { + if bool::any() { Some(T::any()) } else { None } + } + } + + impl Arbitrary for Result + where + T: Arbitrary, + E: Arbitrary, + { + fn any() -> Self { + if bool::any() { Ok(T::any()) } else { Err(E::any()) } + } + } + + impl Arbitrary for PhantomData { + fn any() -> Self { + PhantomData + } + } + + impl Arbitrary for PhantomPinned { + fn any() -> Self { + PhantomPinned + } + } + + #[cfg(kani_sysroot)] + impl Arbitrary for [T; N] + where + T: Arbitrary, + [(); core_path::mem::size_of::<[T; N]>()]:, + { + fn any() -> Self { + T::any_array() + } + } + }; +} diff --git a/library/kani_core/src/lib.rs b/library/kani_core/src/lib.rs new file mode 100644 index 000000000000..de808ffaf918 --- /dev/null +++ b/library/kani_core/src/lib.rs @@ -0,0 +1,363 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This crate is a macro_only crate. It is designed to be used in `no_core` and `no_std` +//! environment. +//! +//! It will contain macros that generate core components of Kani. +//! +//! For regular usage, the kani library will invoke these macros to generate its components as if +//! they were declared in that library. +//! +//! For `no_core` and `no_std` crates, they will have to directly invoke those macros inside a +//! `kani` module in order to generate all the required components. +//! I.e., the components will be part of the crate being compiled. +//! +//! Note that any crate level attribute should be added by kani_driver as RUSTC_FLAGS. +//! E.g.: `register_tool(kanitool)` + +#![feature(no_core)] +#![no_core] + +mod arbitrary; +mod mem; + +pub use kani_macros::*; + +/// Users should only need to invoke this. +/// +/// Options are: +/// - `kani`: Add definitions needed for Kani library. +/// - `core`: Define a `kani` module inside `core` crate. +/// - `std`: TODO: Define a `kani` module inside `std` crate. Users must define kani inside core. +#[macro_export] +macro_rules! kani_lib { + (core) => { + #[cfg(kani)] + #[unstable(feature = "kani", issue = "none")] + pub mod kani { + // We need to list them all today because there is conflict with unstable. + pub use kani_core::*; + kani_core::kani_intrinsics!(core); + kani_core::generate_arbitrary!(core); + + pub mod mem { + kani_core::kani_mem!(core); + } + } + }; + + (kani) => { + pub use kani_core::*; + kani_core::kani_intrinsics!(std); + kani_core::generate_arbitrary!(std); + }; +} + +/// Kani intrinsics contains the public APIs used by users to verify their harnesses. +/// This macro is a part of kani_core as that allows us to verify even libraries that are no_core +/// such as core in rust's std library itself. +/// +/// TODO: Use this inside kani library so that we dont have to maintain two copies of the same intrinsics. +#[macro_export] +macro_rules! kani_intrinsics { + ($core:tt) => { + /// Creates an assumption that will be valid after this statement run. Note that the assumption + /// will only be applied for paths that follow the assumption. If the assumption doesn't hold, the + /// program will exit successfully. + /// + /// # Example: + /// + /// The code snippet below should never panic. + /// + /// ```rust + /// let i : i32 = kani::any(); + /// kani::assume(i > 10); + /// if i < 0 { + /// panic!("This will never panic"); + /// } + /// ``` + /// + /// The following code may panic though: + /// + /// ```rust + /// let i : i32 = kani::any(); + /// assert!(i < 0, "This may panic and verification should fail."); + /// kani::assume(i > 10); + /// ``` + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssume"] + #[cfg(not(feature = "concrete_playback"))] + pub fn assume(cond: bool) { + let _ = cond; + } + + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssume"] + #[cfg(feature = "concrete_playback")] + pub fn assume(cond: bool) { + assert!(cond, "`kani::assume` should always hold"); + } + + /// Creates an assertion of the specified condition and message. + /// + /// # Example: + /// + /// ```rust + /// let x: bool = kani::any(); + /// let y = !x; + /// kani::assert(x || y, "ORing a boolean variable with its negation must be true") + /// ``` + #[cfg(not(feature = "concrete_playback"))] + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssert"] + pub const fn assert(cond: bool, msg: &'static str) { + let _ = cond; + let _ = msg; + } + + #[cfg(feature = "concrete_playback")] + #[inline(never)] + #[rustc_diagnostic_item = "KaniAssert"] + pub const fn assert(cond: bool, msg: &'static str) { + assert!(cond, "{}", msg); + } + + /// Creates a cover property with the specified condition and message. + /// + /// # Example: + /// + /// ```rust + /// kani::cover(slice.len() == 0, "The slice may have a length of 0"); + /// ``` + /// + /// A cover property checks if there is at least one execution that satisfies + /// the specified condition at the location in which the function is called. + /// + /// Cover properties are reported as: + /// - SATISFIED: if Kani found an execution that satisfies the condition + /// - UNSATISFIABLE: if Kani proved that the condition cannot be satisfied + /// - UNREACHABLE: if Kani proved that the cover property itself is unreachable (i.e. it is vacuously UNSATISFIABLE) + /// + /// This function is called by the [`cover!`] macro. The macro is more + /// convenient to use. + /// + #[inline(never)] + #[rustc_diagnostic_item = "KaniCover"] + pub const fn cover(_cond: bool, _msg: &'static str) {} + + /// This creates an symbolic *valid* value of type `T`. You can assign the return value of this + /// function to a variable that you want to make symbolic. + /// + /// # Example: + /// + /// In the snippet below, we are verifying the behavior of the function `fn_under_verification` + /// under all possible `NonZeroU8` input values, i.e., all possible `u8` values except zero. + /// + /// ```rust + /// let inputA = kani::any::(); + /// fn_under_verification(inputA); + /// ``` + /// + /// Note: This is a safe construct and can only be used with types that implement the `Arbitrary` + /// trait. The Arbitrary trait is used to build a symbolic value that represents all possible + /// valid values for type `T`. + #[rustc_diagnostic_item = "KaniAny"] + #[inline(always)] + pub fn any() -> T { + T::any() + } + + /// This function is only used for function contract instrumentation. + /// It behaves exaclty like `kani::any()`, except it will check for the trait bounds + /// at compilation time. It allows us to avoid type checking errors while using function + /// contracts only for verification. + #[rustc_diagnostic_item = "KaniAnyModifies"] + #[inline(never)] + #[doc(hidden)] + pub fn any_modifies() -> T { + // This function should not be reacheable. + // Users must include `#[kani::recursion]` in any function contracts for recursive functions; + // otherwise, this might not be properly instantiate. We mark this as unreachable to make + // sure Kani doesn't report any false positives. + unreachable!() + } + + /// This creates a symbolic *valid* value of type `T`. + /// The value is constrained to be a value accepted by the predicate passed to the filter. + /// You can assign the return value of this function to a variable that you want to make symbolic. + /// + /// # Example: + /// + /// In the snippet below, we are verifying the behavior of the function `fn_under_verification` + /// under all possible `u8` input values between 0 and 12. + /// + /// ```rust + /// let inputA: u8 = kani::any_where(|x| *x < 12); + /// fn_under_verification(inputA); + /// ``` + /// + /// Note: This is a safe construct and can only be used with types that implement the `Arbitrary` + /// trait. The Arbitrary trait is used to build a symbolic value that represents all possible + /// valid values for type `T`. + #[inline(always)] + pub fn any_where bool>(f: F) -> T { + let result = T::any(); + assume(f(&result)); + result + } + + /// This function creates a symbolic value of type `T`. This may result in an invalid value. + /// + /// # Safety + /// + /// This function is unsafe and it may represent invalid `T` values which can lead to many + /// undesirable undefined behaviors. Because of that, this function can only be used + /// internally when we can guarantee that the type T has no restriction regarding its bit level + /// representation. + /// + /// This function is also used to find concrete values in the CBMC output trace + /// and return those concrete values in concrete playback mode. + /// + /// Note that SIZE_T must be equal the size of type T in bytes. + #[inline(never)] + #[cfg(not(feature = "concrete_playback"))] + pub(crate) unsafe fn any_raw_internal() -> T { + any_raw_inner::() + } + + #[inline(never)] + #[cfg(feature = "concrete_playback")] + pub(crate) unsafe fn any_raw_internal() -> T { + concrete_playback::any_raw_internal::() + } + + /// This low-level function returns nondet bytes of size T. + #[rustc_diagnostic_item = "KaniAnyRaw"] + #[inline(never)] + #[allow(dead_code)] + pub fn any_raw_inner() -> T { + kani_intrinsic() + } + + /// Function used to generate panic with a static message as this is the only one currently + /// supported by Kani display. + /// + /// During verification this will get replaced by `assert(false)`. For concrete executions, we just + /// invoke the regular `std::panic!()` function. This function is used by our standard library + /// overrides, but not the other way around. + #[inline(never)] + #[rustc_diagnostic_item = "KaniPanic"] + #[doc(hidden)] + pub const fn panic(message: &'static str) -> ! { + panic!("{}", message) + } + + /// An empty body that can be used to define Kani intrinsic functions. + /// + /// A Kani intrinsic is a function that is interpreted by Kani compiler. + /// While we could use `unreachable!()` or `panic!()` as the body of a kani intrinsic + /// function, both cause Kani to produce a warning since we don't support caller location. + /// (see https://github.com/model-checking/kani/issues/2010). + /// + /// This function is dead, since its caller is always handled via a hook anyway, + /// so we just need to put a body that rustc does not complain about. + /// An infinite loop works out nicely. + fn kani_intrinsic() -> T { + #[allow(clippy::empty_loop)] + loop {} + } + + pub mod internal { + + /// Helper trait for code generation for `modifies` contracts. + /// + /// We allow the user to provide us with a pointer-like object that we convert as needed. + #[doc(hidden)] + pub trait Pointer<'a> { + /// Type of the pointed-to data + type Inner; + + /// Used for checking assigns contracts where we pass immutable references to the function. + /// + /// We're using a reference to self here, because the user can use just a plain function + /// argument, for instance one of type `&mut _`, in the `modifies` clause which would move it. + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner; + + /// used for havocking on replecement of a `modifies` clause. + unsafe fn assignable(self) -> &'a mut Self::Inner; + } + + impl<'a, 'b, T> Pointer<'a> for &'b T { + type Inner = T; + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + $core::mem::transmute(*self) + } + + #[allow(clippy::transmute_ptr_to_ref)] + unsafe fn assignable(self) -> &'a mut Self::Inner { + $core::mem::transmute(self as *const T) + } + } + + impl<'a, 'b, T> Pointer<'a> for &'b mut T { + type Inner = T; + + #[allow(clippy::transmute_ptr_to_ref)] + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + $core::mem::transmute::<_, &&'a T>(self) + } + + unsafe fn assignable(self) -> &'a mut Self::Inner { + $core::mem::transmute(self) + } + } + + impl<'a, T> Pointer<'a> for *const T { + type Inner = T; + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + &**self as &'a T + } + + #[allow(clippy::transmute_ptr_to_ref)] + unsafe fn assignable(self) -> &'a mut Self::Inner { + $core::mem::transmute(self) + } + } + + impl<'a, T> Pointer<'a> for *mut T { + type Inner = T; + unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { + &**self as &'a T + } + + #[allow(clippy::transmute_ptr_to_ref)] + unsafe fn assignable(self) -> &'a mut Self::Inner { + $core::mem::transmute(self) + } + } + + /// A way to break the ownerhip rules. Only used by contracts where we can + /// guarantee it is done safely. + #[inline(never)] + #[doc(hidden)] + #[rustc_diagnostic_item = "KaniUntrackedDeref"] + pub fn untracked_deref(_: &T) -> T { + todo!() + } + + /// CBMC contracts currently has a limitation where `free` has to be in scope. + /// However, if there is no dynamic allocation in the harness, slicing removes `free` from the + /// scope. + /// + /// Thus, this function will basically translate into: + /// ```c + /// // This is a no-op. + /// free(NULL); + /// ``` + #[inline(never)] + #[doc(hidden)] + #[rustc_diagnostic_item = "KaniInitContracts"] + pub fn init_contracts() {} + } + }; +} diff --git a/library/kani_core/src/mem.rs b/library/kani_core/src/mem.rs new file mode 100644 index 000000000000..8dd4a27cb03a --- /dev/null +++ b/library/kani_core/src/mem.rs @@ -0,0 +1,313 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! This module contains functions useful for checking unsafe memory access. +//! +//! Given the following validity rules provided in the Rust documentation: +//! (accessed Feb 6th, 2024) +//! +//! 1. A null pointer is never valid, not even for accesses of size zero. +//! 2. For a pointer to be valid, it is necessary, but not always sufficient, that the pointer +//! be dereferenceable: the memory range of the given size starting at the pointer must all be +//! within the bounds of a single allocated object. Note that in Rust, every (stack-allocated) +//! variable is considered a separate allocated object. +//! ~~Even for operations of size zero, the pointer must not be pointing to deallocated memory, +//! i.e., deallocation makes pointers invalid even for zero-sized operations.~~ +//! ZST access is not OK for any pointer. +//! See: +//! 3. However, casting any non-zero integer literal to a pointer is valid for zero-sized +//! accesses, even if some memory happens to exist at that address and gets deallocated. +//! This corresponds to writing your own allocator: allocating zero-sized objects is not very +//! hard. The canonical way to obtain a pointer that is valid for zero-sized accesses is +//! `NonNull::dangling`. +//! 4. All accesses performed by functions in this module are non-atomic in the sense of atomic +//! operations used to synchronize between threads. +//! This means it is undefined behavior to perform two concurrent accesses to the same location +//! from different threads unless both accesses only read from memory. +//! Notice that this explicitly includes `read_volatile` and `write_volatile`: +//! Volatile accesses cannot be used for inter-thread synchronization. +//! 5. The result of casting a reference to a pointer is valid for as long as the underlying +//! object is live and no reference (just raw pointers) is used to access the same memory. +//! That is, reference and pointer accesses cannot be interleaved. +//! +//! Kani is able to verify #1 and #2 today. +//! +//! For #3, we are overly cautious, and Kani will only consider zero-sized pointer access safe if +//! the address matches `NonNull::<()>::dangling()`. +//! The way Kani tracks provenance is not enough to check if the address was the result of a cast +//! from a non-zero integer literal. + +#[macro_export] +macro_rules! kani_mem { + ($core:tt) => { + use super::kani_intrinsic; + use private::Internal; + use $core::mem::{align_of, size_of}; + use $core::ptr::{DynMetadata, NonNull, Pointee}; + + /// Check if the pointer is valid for write access according to [crate::mem] conditions 1, 2 + /// and 3. + /// + /// Note this function also checks for pointer alignment. Use [self::can_write_unaligned] + /// if you don't want to fail for unaligned pointers. + /// + /// This function does not check if the value stored is valid for the given type. Use + /// [self::can_dereference] for that. + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + // TODO: Add this back! We might need to rename the attribute. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + pub fn can_write(ptr: *mut T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + // The interface takes a mutable pointer to improve readability of the signature. + // However, using constant pointer avoid unnecessary instrumentation, and it is as powerful. + // Hence, cast to `*const T`. + let ptr: *const T = ptr; + let (thin_ptr, metadata) = ptr.to_raw_parts(); + metadata.is_ptr_aligned(thin_ptr, Internal) && is_inbounds(&metadata, thin_ptr) + } + + /// Check if the pointer is valid for unaligned write access according to [crate::mem] conditions + /// 1, 2 and 3. + /// + /// Note this function succeeds for unaligned pointers. See [self::can_write] if you also + /// want to check pointer alignment. + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + // TODO: Add this back! We might need to rename the attribute. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + pub fn can_write_unaligned(ptr: *const T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (thin_ptr, metadata) = ptr.to_raw_parts(); + is_inbounds(&metadata, thin_ptr) + } + + /// Checks that pointer `ptr` point to a valid value of type `T`. + /// + /// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 + /// and 3, + /// and the value stored must respect the validity invariants for type `T`. + /// + /// TODO: Kani should automatically add those checks when a de-reference happens. + /// + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + #[allow(clippy::not_unsafe_ptr_arg_deref)] + pub fn can_dereference(ptr: *const T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (thin_ptr, metadata) = ptr.to_raw_parts(); + metadata.is_ptr_aligned(thin_ptr, Internal) + && is_inbounds(&metadata, thin_ptr) + && unsafe { has_valid_value(ptr) } + } + + /// Checks that pointer `ptr` point to a valid value of type `T`. + /// + /// For that, the pointer has to be a valid pointer according to [crate::mem] conditions 1, 2 + /// and 3, + /// and the value stored must respect the validity invariants for type `T`. + /// + /// Note this function succeeds for unaligned pointers. See [self::can_dereference] if you also + /// want to check pointer alignment. + /// + /// This function will panic today if the pointer is not null, and it points to an unallocated or + /// deallocated memory location. This is an existing Kani limitation. + /// See for more details. + // TODO: Add this back! We might need to rename the attribute. + //#[crate::unstable( + // feature = "mem-predicates", + // issue = 2690, + // reason = "experimental memory predicate API" + //)] + #[allow(clippy::not_unsafe_ptr_arg_deref)] + pub fn can_read_unaligned(ptr: *const T) -> bool + where + T: ?Sized, + ::Metadata: PtrProperties, + { + let (thin_ptr, metadata) = ptr.to_raw_parts(); + is_inbounds(&metadata, thin_ptr) && unsafe { has_valid_value(ptr) } + } + + /// Checks that `data_ptr` points to an allocation that can hold data of size calculated from `T`. + /// + /// This will panic if `data_ptr` points to an invalid `non_null` + fn is_inbounds(metadata: &M, data_ptr: *const ()) -> bool + where + M: PtrProperties, + T: ?Sized, + { + let sz = metadata.pointee_size(Internal); + if sz == 0 { + true // ZST pointers are always valid including nullptr. + } else if data_ptr.is_null() { + false + } else { + // Note that this branch can't be tested in concrete execution as `is_read_ok` needs to be + // stubbed. + // We first assert that the data_ptr + assert!( + unsafe { is_allocated(data_ptr, 0) }, + "Kani does not support reasoning about pointer to unallocated memory", + ); + unsafe { is_allocated(data_ptr, sz) } + } + } + + mod private { + /// Define like this to restrict usage of PtrProperties functions outside Kani. + #[derive(Copy, Clone)] + pub struct Internal; + } + + /// Trait that allow us to extract information from pointers without de-referencing them. + #[doc(hidden)] + pub trait PtrProperties { + fn pointee_size(&self, _: Internal) -> usize; + + /// A pointer is aligned if its address is a multiple of its minimum alignment. + fn is_ptr_aligned(&self, ptr: *const (), internal: Internal) -> bool { + let min = self.min_alignment(internal); + ptr as usize % min == 0 + } + + fn min_alignment(&self, _: Internal) -> usize; + + fn dangling(&self, _: Internal) -> *const (); + } + + /// Get the information for sized types (they don't have metadata). + impl PtrProperties for () { + fn pointee_size(&self, _: Internal) -> usize { + size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as *const _ + } + } + + /// Get the information from the str metadata. + impl PtrProperties for usize { + #[inline(always)] + fn pointee_size(&self, _: Internal) -> usize { + *self + } + + /// String slices are a UTF-8 representation of characters that have the same layout as slices + /// of type [u8]. + /// + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } + } + + /// Get the information from the slice metadata. + impl PtrProperties<[T]> for usize { + fn pointee_size(&self, _: Internal) -> usize { + *self * size_of::() + } + + fn min_alignment(&self, _: Internal) -> usize { + align_of::() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::::dangling().as_ptr() as _ + } + } + + /// Get the information from the vtable. + impl PtrProperties for DynMetadata + where + T: ?Sized, + { + fn pointee_size(&self, _: Internal) -> usize { + self.size_of() + } + + fn min_alignment(&self, _: Internal) -> usize { + self.align_of() + } + + fn dangling(&self, _: Internal) -> *const () { + NonNull::<&T>::dangling().as_ptr() as _ + } + } + + /// Check if the pointer `_ptr` contains an allocated address of size equal or greater than `_size`. + /// + /// # Safety + /// + /// This function should only be called to ensure a pointer is always valid, i.e., in an assertion + /// context. + /// + /// I.e.: This function always returns `true` if the pointer is valid. + /// Otherwise, it returns non-det boolean. + #[rustc_diagnostic_item = "KaniIsAllocated"] + #[inline(never)] + unsafe fn is_allocated(_ptr: *const (), _size: usize) -> bool { + kani_intrinsic() + } + + /// Check if the value stored in the given location satisfies type `T` validity requirements. + /// + /// # Safety + /// + /// - Users have to ensure that the pointer is aligned the pointed memory is allocated. + #[rustc_diagnostic_item = "KaniValidValue"] + #[inline(never)] + unsafe fn has_valid_value(_ptr: *const T) -> bool { + kani_intrinsic() + } + + /// Get the object ID of the given pointer. + #[rustc_diagnostic_item = "KaniPointerObject"] + #[inline(never)] + pub fn pointer_object(_ptr: *const T) -> usize { + kani_intrinsic() + } + + /// Get the object offset of the given pointer. + #[rustc_diagnostic_item = "KaniPointerOffset"] + #[inline(never)] + pub fn pointer_offset(_ptr: *const T) -> usize { + kani_intrinsic() + } + }; +} diff --git a/library/kani_macros/Cargo.toml b/library/kani_macros/Cargo.toml index 473d0fc7e5b6..dbe2126d0458 100644 --- a/library/kani_macros/Cargo.toml +++ b/library/kani_macros/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "kani_macros" -version = "0.45.0" +version = "0.52.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false @@ -16,3 +16,10 @@ proc-macro2 = "1.0" proc-macro-error = "1.0.4" quote = "1.0.20" syn = { version = "2.0.18", features = ["full", "visit-mut", "visit"] } + +[package.metadata.rust-analyzer] +# This package uses rustc crates. +rustc_private = true + +[features] +no_core = [] \ No newline at end of file diff --git a/library/kani_macros/build.rs b/library/kani_macros/build.rs new file mode 100644 index 000000000000..c094cc0254c6 --- /dev/null +++ b/library/kani_macros/build.rs @@ -0,0 +1,7 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +fn main() { + // Make sure `kani_sysroot` is a recognized config + println!("cargo::rustc-check-cfg=cfg(kani_sysroot)"); +} diff --git a/library/kani_macros/src/derive.rs b/library/kani_macros/src/derive.rs index 7e3dee390330..4e99590fc6a3 100644 --- a/library/kani_macros/src/derive.rs +++ b/library/kani_macros/src/derive.rs @@ -23,7 +23,7 @@ pub fn expand_derive_arbitrary(item: proc_macro::TokenStream) -> proc_macro::Tok let item_name = &derive_item.ident; // Add a bound `T: Arbitrary` to every type parameter T. - let generics = add_trait_bound(derive_item.generics); + let generics = add_trait_bound_arbitrary(derive_item.generics); // Generate an expression to sum up the heap size of each field. let (impl_generics, ty_generics, where_clause) = generics.split_for_impl(); @@ -40,7 +40,7 @@ pub fn expand_derive_arbitrary(item: proc_macro::TokenStream) -> proc_macro::Tok } /// Add a bound `T: Arbitrary` to every type parameter T. -fn add_trait_bound(mut generics: Generics) -> Generics { +fn add_trait_bound_arbitrary(mut generics: Generics) -> Generics { generics.params.iter_mut().for_each(|param| { if let GenericParam::Type(type_param) = param { type_param.bounds.push(parse_quote!(kani::Arbitrary)); @@ -165,3 +165,93 @@ fn fn_any_enum(ident: &Ident, data: &DataEnum) -> TokenStream { } } } + +pub fn expand_derive_invariant(item: proc_macro::TokenStream) -> proc_macro::TokenStream { + let derive_item = parse_macro_input!(item as DeriveInput); + let item_name = &derive_item.ident; + + // Add a bound `T: Invariant` to every type parameter T. + let generics = add_trait_bound_invariant(derive_item.generics); + // Generate an expression to sum up the heap size of each field. + let (impl_generics, ty_generics, where_clause) = generics.split_for_impl(); + + let body = is_safe_body(&item_name, &derive_item.data); + let expanded = quote! { + // The generated implementation. + impl #impl_generics kani::Invariant for #item_name #ty_generics #where_clause { + fn is_safe(&self) -> bool { + #body + } + } + }; + proc_macro::TokenStream::from(expanded) +} + +/// Add a bound `T: Invariant` to every type parameter T. +fn add_trait_bound_invariant(mut generics: Generics) -> Generics { + generics.params.iter_mut().for_each(|param| { + if let GenericParam::Type(type_param) = param { + type_param.bounds.push(parse_quote!(kani::Invariant)); + } + }); + generics +} + +fn is_safe_body(ident: &Ident, data: &Data) -> TokenStream { + match data { + Data::Struct(struct_data) => struct_safe_conjunction(ident, &struct_data.fields), + Data::Enum(_) => { + abort!(Span::call_site(), "Cannot derive `Invariant` for `{}` enum", ident; + note = ident.span() => + "`#[derive(Invariant)]` cannot be used for enums such as `{}`", ident + ) + } + Data::Union(_) => { + abort!(Span::call_site(), "Cannot derive `Invariant` for `{}` union", ident; + note = ident.span() => + "`#[derive(Invariant)]` cannot be used for unions such as `{}`", ident + ) + } + } +} + +/// Generates an expression that is the conjunction of `is_safe` calls for each field in the struct. +fn struct_safe_conjunction(_ident: &Ident, fields: &Fields) -> TokenStream { + match fields { + // Expands to the expression + // `true && self.field1.is_safe() && self.field2.is_safe() && ..` + Fields::Named(ref fields) => { + let safe_calls = fields.named.iter().map(|field| { + let name = &field.ident; + quote_spanned! {field.span()=> + self.#name.is_safe() + } + }); + // An initial value is required for empty structs + safe_calls.fold(quote! { true }, |acc, call| { + quote! { #acc && #call } + }) + } + Fields::Unnamed(ref fields) => { + // Expands to the expression + // `true && self.0.is_safe() && self.1.is_safe() && ..` + let safe_calls = fields.unnamed.iter().enumerate().map(|(i, field)| { + let idx = syn::Index::from(i); + quote_spanned! {field.span()=> + self.#idx.is_safe() + } + }); + // An initial value is required for empty structs + safe_calls.fold(quote! { true }, |acc, call| { + quote! { #acc && #call } + }) + } + // Expands to the expression + // `true` + Fields::Unit => { + quote! { + true + } + } + } +} diff --git a/library/kani_macros/src/lib.rs b/library/kani_macros/src/lib.rs index 32bd44d2ea38..b10b8a74cdc5 100644 --- a/library/kani_macros/src/lib.rs +++ b/library/kani_macros/src/lib.rs @@ -52,6 +52,16 @@ pub fn should_panic(attr: TokenStream, item: TokenStream) -> TokenStream { attr_impl::should_panic(attr, item) } +/// Specifies that a function contains recursion for contract instrumentation.** +/// +/// This attribute is only used for function-contract instrumentation. Kani uses +/// this annotation to identify recursive functions and properly instantiate +/// `kani::any_modifies` to check such functions using induction. +#[proc_macro_attribute] +pub fn recursion(attr: TokenStream, item: TokenStream) -> TokenStream { + attr_impl::recursion(attr, item) +} + /// Set Loop unwind limit for proof harnesses /// The attribute `#[kani::unwind(arg)]` can only be called alongside `#[kani::proof]`. /// arg - Takes in a integer value (u32) that represents the unwind value for the harness. @@ -86,7 +96,7 @@ pub fn solver(attr: TokenStream, item: TokenStream) -> TokenStream { /// See https://model-checking.github.io/kani/rfc/rfcs/0006-unstable-api.html for more details. #[doc(hidden)] #[proc_macro_attribute] -pub fn unstable(attr: TokenStream, item: TokenStream) -> TokenStream { +pub fn unstable_feature(attr: TokenStream, item: TokenStream) -> TokenStream { attr_impl::unstable(attr, item) } @@ -97,6 +107,13 @@ pub fn derive_arbitrary(item: TokenStream) -> TokenStream { derive::expand_derive_arbitrary(item) } +/// Allow users to auto generate Invariant implementations by using `#[derive(Invariant)]` macro. +#[proc_macro_error] +#[proc_macro_derive(Invariant)] +pub fn derive_invariant(item: TokenStream) -> TokenStream { + derive::expand_derive_invariant(item) +} + /// Add a precondition to this function. /// /// This is part of the function contract API, for more general information see @@ -121,11 +138,11 @@ pub fn requires(attr: TokenStream, item: TokenStream) -> TokenStream { /// This is part of the function contract API, for more general information see /// the [module-level documentation](../kani/contracts/index.html). /// -/// The contents of the attribute is a condition over the input values to the -/// annotated function *and* its return value, accessible as a variable called -/// `result`. All Rust syntax is supported, even calling other functions, but -/// the computations must be side effect free, e.g. it cannot perform I/O or use -/// mutable memory. +/// The contents of the attribute is a closure that captures the input values to +/// the annotated function and the input to the function is the return value of +/// the function passed by reference. All Rust syntax is supported, even calling +/// other functions, but the computations must be side effect free, e.g. it +/// cannot perform I/O or use mutable memory. /// /// Kani requires each function that uses a contract (this attribute or /// [`requires`][macro@requires]) to have at least one designated @@ -331,6 +348,7 @@ mod sysroot { } kani_attribute!(should_panic, no_args); + kani_attribute!(recursion, no_args); kani_attribute!(solver); kani_attribute!(stub); kani_attribute!(unstable); @@ -363,6 +381,7 @@ mod regular { } no_op!(should_panic); + no_op!(recursion); no_op!(solver); no_op!(stub); no_op!(unstable); diff --git a/library/kani_macros/src/sysroot/contracts.rs b/library/kani_macros/src/sysroot/contracts.rs deleted file mode 100644 index 3aeb8c1788d9..000000000000 --- a/library/kani_macros/src/sysroot/contracts.rs +++ /dev/null @@ -1,1509 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT - -//! Implementation of the function contracts code generation. -//! -//! The most exciting part is the handling of `requires` and `ensures`, the main -//! entry point to which is [`requires_ensures_main`]. Most of the code -//! generation for that is implemented on [`ContractConditionsHandler`] with -//! [`ContractFunctionState`] steering the code generation. The function state -//! implements a state machine in order to be able to handle multiple attributes -//! on the same function correctly. -//! -//! ## How the handling for `requires` and `ensures` works. -//! -//! Our aim is to generate a "check" function that can be used to verify the -//! validity of the contract and a "replace" function that can be used as a -//! stub, generated from the contract that can be used instead of the original -//! function. -//! -//! Let me first introduce the constraints which we are operating under to -//! explain why we need the somewhat involved state machine to achieve this. -//! -//! Proc-macros are expanded one-at-a-time, outside-in and they can also be -//! renamed. Meaning the user can do `use kani::requires as precondition` and -//! then use `precondition` everywhere. We want to support this functionality -//! instead of throwing a hard error but this means we cannot detect if a given -//! function has further contract attributes placed on it during any given -//! expansion. As a result every expansion needs to leave the code in a valid -//! state that could be used for all contract functionality but it must alow -//! further contract attributes to compose with what was already generated. In -//! addition we also want to make sure to support non-contract attributes on -//! functions with contracts. -//! -//! To this end we use a state machine. The initial state is an "untouched" -//! function with possibly multiple contract attributes, none of which have been -//! expanded. When we expand the first (outermost) `requires` or `ensures` -//! attribute on such a function we re-emit the function unchanged but we also -//! generate fresh "check" and "replace" functions that enforce the condition -//! carried by the attribute currently being expanded. We copy all additional -//! attributes from the original function to both the "check" and the "replace". -//! This allows us to deal both with renaming and also support non-contract -//! attributes. -//! -//! In addition to copying attributes we also add new marker attributes to -//! advance the state machine. The "check" function gets a -//! `kanitool::is_contract_generated(check)` attributes and analogous for -//! replace. The re-emitted original meanwhile is decorated with -//! `kanitool::checked_with(name_of_generated_check_function)` and an analogous -//! `kanittool::replaced_with` attribute also. The next contract attribute that -//! is expanded will detect the presence of these markers in the attributes of -//! the item and be able to determine their position in the state machine this -//! way. If the state is either a "check" or "replace" then the body of the -//! function is augmented with the additional conditions carried by the macro. -//! If the state is the "original" function, no changes are performed. -//! -//! We place marker attributes at the bottom of the attribute stack (innermost), -//! otherwise they would not be visible to the future macro expansions. -//! -//! Below you can see a graphical rendering where boxes are states and each -//! arrow represents the expansion of a `requires` or `ensures` macro. -//! -//! ```plain -//! │ Start -//! ▼ -//! ┌───────────┐ -//! │ Untouched │ -//! │ Function │ -//! └─────┬─────┘ -//! │ -//! Emit │ Generate + Copy Attributes -//! ┌─────────────────┴─────┬──────────┬─────────────────┐ -//! │ │ │ │ -//! │ │ │ │ -//! ▼ ▼ ▼ ▼ -//! ┌──────────┐ ┌───────────┐ ┌───────┐ ┌─────────┐ -//! │ Original │◄─┐ │ Recursion │ │ Check │◄─┐ │ Replace │◄─┐ -//! └──┬───────┘ │ │ Wrapper │ └───┬───┘ │ └────┬────┘ │ -//! │ │ Ignore └───────────┘ │ │ Augment │ │ Augment -//! └──────────┘ └──────┘ └───────┘ -//! -//! │ │ │ │ -//! └───────────────┘ └─────────────────────────────────────────────┘ -//! -//! Presence of Presence of -//! "checked_with" "is_contract_generated" -//! -//! State is detected via -//! ``` -//! -//! All named arguments of the annotated function are unsafely shallow-copied -//! with the `kani::internal::untracked_deref` function to circumvent the borrow checker -//! for postconditions. The case where this is relevant is if you want to return -//! a mutable borrow from the function which means any immutable borrow in the -//! postcondition would be illegal. We must ensure that those copies are not -//! dropped (causing a double-free) so after the postconditions we call -//! `mem::forget` on each copy. -//! -//! ## Check function -//! -//! Generates a `_check_` function that assumes preconditions -//! and asserts postconditions. The check function is also marked as generated -//! with the `#[kanitool::is_contract_generated(check)]` attribute. -//! -//! Decorates the original function with `#[kanitool::checked_by = -//! "_check_"]`. -//! -//! The check function is a copy of the original function with preconditions -//! added before the body and postconditions after as well as injected before -//! every `return` (see [`PostconditionInjector`]). Attributes on the original -//! function are also copied to the check function. -//! -//! ## Replace Function -//! -//! As the mirror to that also generates a `_replace_` -//! function that asserts preconditions and assumes postconditions. The replace -//! function is also marked as generated with the -//! `#[kanitool::is_contract_generated(replace)]` attribute. -//! -//! Decorates the original function with `#[kanitool::replaced_by = -//! "_replace_"]`. -//! -//! The replace function has the same signature as the original function but its -//! body is replaced by `kani::any()`, which generates a non-deterministic -//! value. -//! -//! ## Inductive Verification -//! -//! To efficiently check recursive functions we verify them inductively. To -//! be able to do this we need both the check and replace functions we have seen -//! before. -//! -//! Inductive verification is comprised of a hypothesis and an induction step. -//! The hypothesis in this case is the replace function. It represents the -//! assumption that the contracts holds if the preconditions are satisfied. The -//! induction step is the check function, which ensures that the contract holds, -//! assuming the preconditions hold. -//! -//! Since the induction revolves around the recursive call we can simply set it -//! up upon entry into the body of the function under verification. We use a -//! global variable that tracks whether we are re-entering the function -//! recursively and starts off as `false`. On entry to the function we flip the -//! variable to `true` and dispatch to the check (induction step). If the check -//! recursively calls our function our re-entry tracker now reads `true` and we -//! dispatch to the replacement (application of induction hypothesis). Because -//! the replacement function only checks the conditions and does not perform -//! other computation we will only ever go "one recursion level deep", making -//! inductive verification very efficient. Once the check function returns we -//! flip the tracker variable back to `false` in case the function is called -//! more than once in its harness. -//! -//! To facilitate all this we generate a `_recursion_wrapper_` -//! function with the following shape: -//! -//! ```ignored -//! fn recursion_wrapper_...(fn args ...) { -//! static mut REENTRY: bool = false; -//! -//! if unsafe { REENTRY } { -//! call_replace(fn args...) -//! } else { -//! unsafe { reentry = true }; -//! let result = call_check(fn args...); -//! unsafe { reentry = false }; -//! result -//! } -//! } -//! ``` -//! -//! We register this function as `#[kanitool::checked_with = -//! "recursion_wrapper_..."]` instead of the check function. -//! -//! # Complete example -//! -//! ``` -//! #[kani::requires(divisor != 0)] -//! #[kani::ensures(result <= dividend)] -//! fn div(dividend: u32, divisor: u32) -> u32 { -//! dividend / divisor -//! } -//! ``` -//! -//! Turns into -//! -//! ``` -//! #[kanitool::checked_with = "div_recursion_wrapper_965916"] -//! #[kanitool::replaced_with = "div_replace_965916"] -//! fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } -//! -//! #[allow(dead_code)] -//! #[allow(unused_variables)] -//! #[kanitool::is_contract_generated(check)] -//! fn div_check_965916(dividend: u32, divisor: u32) -> u32 { -//! let dividend_renamed = kani::internal::untracked_deref(÷nd); -//! let divisor_renamed = kani::internal::untracked_deref(&divisor); -//! let result = { kani::assume(divisor != 0); { dividend / divisor } }; -//! kani::assert(result <= dividend_renamed, "result <= dividend"); -//! std::mem::forget(dividend_renamed); -//! std::mem::forget(divisor_renamed); -//! result -//! } -//! -//! #[allow(dead_code)] -//! #[allow(unused_variables)] -//! #[kanitool::is_contract_generated(replace)] -//! fn div_replace_965916(dividend: u32, divisor: u32) -> u32 { -//! kani::assert(divisor != 0, "divisor != 0"); -//! let dividend_renamed = kani::internal::untracked_deref(÷nd); -//! let divisor_renamed = kani::internal::untracked_deref(&divisor); -//! let result = kani::any(); -//! kani::assume(result <= dividend_renamed, "result <= dividend"); -//! std::mem::forget(dividend_renamed); -//! std::mem::forget(divisor_renamed); -//! result -//! } -//! -//! #[allow(dead_code)] -//! #[allow(unused_variables)] -//! #[kanitool::is_contract_generated(recursion_wrapper)] -//! fn div_recursion_wrapper_965916(dividend: u32, divisor: u32) -> u32 { -//! static mut REENTRY: bool = false; -//! -//! if unsafe { REENTRY } { -//! div_replace_965916(dividend, divisor) -//! } else { -//! unsafe { reentry = true }; -//! let result = div_check_965916(dividend, divisor); -//! unsafe { reentry = false }; -//! result -//! } -//! } -//! ``` - -use proc_macro::{Diagnostic, TokenStream}; -use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; -use quote::{quote, ToTokens}; -use std::{ - borrow::Cow, - collections::{HashMap, HashSet}, -}; -use syn::{ - parse_macro_input, spanned::Spanned, visit::Visit, visit_mut::VisitMut, Attribute, Expr, FnArg, - ItemFn, PredicateType, ReturnType, Signature, Token, TraitBound, TypeParamBound, WhereClause, -}; - -#[allow(dead_code)] -pub fn requires(attr: TokenStream, item: TokenStream) -> TokenStream { - requires_ensures_main(attr, item, ContractConditionsType::Requires) -} - -#[allow(dead_code)] -pub fn ensures(attr: TokenStream, item: TokenStream) -> TokenStream { - requires_ensures_main(attr, item, ContractConditionsType::Ensures) -} - -#[allow(dead_code)] -pub fn modifies(attr: TokenStream, item: TokenStream) -> TokenStream { - requires_ensures_main(attr, item, ContractConditionsType::Modifies) -} - -/// This is very similar to the kani_attribute macro, but it instead creates -/// key-value style attributes which I find a little easier to parse. -macro_rules! passthrough { - ($name:ident, $allow_dead_code:ident) => { - pub fn $name(attr: TokenStream, item: TokenStream) -> TokenStream { - let args = proc_macro2::TokenStream::from(attr); - let fn_item = proc_macro2::TokenStream::from(item); - let name = Ident::new(stringify!($name), proc_macro2::Span::call_site()); - let extra_attrs = if $allow_dead_code { - quote!(#[allow(dead_code)]) - } else { - quote!() - }; - quote!( - #extra_attrs - #[kanitool::#name = stringify!(#args)] - #fn_item - ) - .into() - } - } -} - -passthrough!(stub_verified, false); - -pub fn proof_for_contract(attr: TokenStream, item: TokenStream) -> TokenStream { - let args = proc_macro2::TokenStream::from(attr); - let ItemFn { attrs, vis, sig, block } = parse_macro_input!(item as ItemFn); - quote!( - #[allow(dead_code)] - #[kanitool::proof_for_contract = stringify!(#args)] - #(#attrs)* - #vis #sig { - let _ = std::boxed::Box::new(0_usize); - #block - } - ) - .into() -} - -/// Classifies the state a function is in in the contract handling pipeline. -#[derive(Clone, Copy, PartialEq, Eq)] -enum ContractFunctionState { - /// This is the original code, re-emitted from a contract attribute. - Original, - /// This is the first time a contract attribute is evaluated on this - /// function. - Untouched, - /// This is a check function that was generated from a previous evaluation - /// of a contract attribute. - Check, - /// This is a replace function that was generated from a previous evaluation - /// of a contract attribute. - Replace, - ModifiesWrapper, -} - -impl<'a> TryFrom<&'a syn::Attribute> for ContractFunctionState { - type Error = Option; - - /// Find out if this attribute could be describing a "contract handling" - /// state and if so return it. - fn try_from(attribute: &'a syn::Attribute) -> Result { - if let syn::Meta::List(lst) = &attribute.meta { - if matches_path(&lst.path, &["kanitool", "is_contract_generated"]) { - let ident = syn::parse2::(lst.tokens.clone()) - .map_err(|e| Some(lst.span().unwrap().error(format!("{e}"))))?; - let ident_str = ident.to_string(); - return match ident_str.as_str() { - "check" => Ok(Self::Check), - "replace" => Ok(Self::Replace), - "wrapper" => Ok(Self::ModifiesWrapper), - _ => { - Err(Some(lst.span().unwrap().error("Expected `check` or `replace` ident"))) - } - }; - } - } - if let syn::Meta::NameValue(nv) = &attribute.meta { - if matches_path(&nv.path, &["kanitool", "checked_with"]) { - return Ok(ContractFunctionState::Original); - } - } - Err(None) - } -} - -impl ContractFunctionState { - // If we didn't find any other contract handling related attributes we - // assume this function has not been touched by a contract before. - fn from_attributes(attributes: &[syn::Attribute]) -> Self { - attributes - .iter() - .find_map(|attr| { - let state = ContractFunctionState::try_from(attr); - if let Err(Some(diag)) = state { - diag.emit(); - None - } else { - state.ok() - } - }) - .unwrap_or(ContractFunctionState::Untouched) - } - - /// Do we need to emit the `is_contract_generated` tag attribute on the - /// generated function(s)? - fn emit_tag_attr(self) -> bool { - matches!(self, ContractFunctionState::Untouched) - } -} - -/// The information needed to generate the bodies of check and replacement -/// functions that integrate the conditions from this contract attribute. -struct ContractConditionsHandler<'a> { - function_state: ContractFunctionState, - /// Information specific to the type of contract attribute we're expanding. - condition_type: ContractConditionsData, - /// Body of the function this attribute was found on. - annotated_fn: &'a mut ItemFn, - /// An unparsed, unmodified copy of `attr`, used in the error messages. - attr_copy: TokenStream2, - /// The stream to which we should write the generated code. - output: &'a mut TokenStream2, - hash: Option, -} - -/// Which kind of contract attribute are we dealing with? -/// -/// Pre-parsing version of [`ContractConditionsData`]. -#[derive(Copy, Clone, Eq, PartialEq)] -enum ContractConditionsType { - Requires, - Ensures, - Modifies, -} - -/// Clause-specific information mostly generated by parsing the attribute. -/// -/// [`ContractConditionsType`] is the corresponding pre-parse version. -enum ContractConditionsData { - Requires { - /// The contents of the attribute. - attr: Expr, - }, - Ensures { - /// Translation map from original argument names to names of the copies - /// we will be emitting. - argument_names: HashMap, - /// The contents of the attribute. - attr: Expr, - }, - Modifies { - attr: Vec, - }, -} - -impl ContractConditionsData { - /// Constructs a [`Self::Ensures`] from the signature of the decorated - /// function and the contents of the decorating attribute. - /// - /// Renames the [`Ident`]s used in `attr` and stores the translation map in - /// `argument_names`. - fn new_ensures(sig: &Signature, mut attr: Expr) -> Self { - let argument_names = rename_argument_occurrences(sig, &mut attr); - ContractConditionsData::Ensures { argument_names, attr } - } - - /// Constructs a [`Self::Modifies`] from the contents of the decorating attribute. - /// - /// Responsible for parsing the attribute. - fn new_modifies(attr: TokenStream, output: &mut TokenStream2) -> Self { - let attr = chunks_by(TokenStream2::from(attr), is_token_stream_2_comma) - .map(syn::parse2) - .filter_map(|expr| match expr { - Err(e) => { - output.extend(e.into_compile_error()); - None - } - Ok(expr) => Some(expr), - }) - .collect(); - - ContractConditionsData::Modifies { attr } - } -} - -impl<'a> ContractConditionsHandler<'a> { - fn is_first_emit(&self) -> bool { - matches!(self.function_state, ContractFunctionState::Untouched) - } - - /// Initialize the handler. Constructs the required - /// [`ContractConditionsType`] depending on `is_requires`. - fn new( - function_state: ContractFunctionState, - is_requires: ContractConditionsType, - attr: TokenStream, - annotated_fn: &'a mut ItemFn, - attr_copy: TokenStream2, - output: &'a mut TokenStream2, - hash: Option, - ) -> Result { - let condition_type = match is_requires { - ContractConditionsType::Requires => { - ContractConditionsData::Requires { attr: syn::parse(attr)? } - } - ContractConditionsType::Ensures => { - ContractConditionsData::new_ensures(&annotated_fn.sig, syn::parse(attr)?) - } - ContractConditionsType::Modifies => ContractConditionsData::new_modifies(attr, output), - }; - - Ok(Self { function_state, condition_type, annotated_fn, attr_copy, output, hash }) - } - - /// Create the body of a check function. - /// - /// Wraps the conditions from this attribute around `self.body`. - /// - /// Mutable because a `modifies` clause may need to extend the inner call to - /// the wrapper with new arguments. - fn make_check_body(&mut self) -> TokenStream2 { - let mut inner = self.ensure_bootstrapped_check_body(); - let Self { attr_copy, .. } = self; - - match &self.condition_type { - ContractConditionsData::Requires { attr } => { - quote!( - kani::assume(#attr); - #(#inner)* - ) - } - ContractConditionsData::Ensures { argument_names, attr } => { - let (arg_copies, copy_clean) = make_unsafe_argument_copies(&argument_names); - - // The code that enforces the postconditions and cleans up the shallow - // argument copies (with `mem::forget`). - let exec_postconditions = quote!( - kani::assert(#attr, stringify!(#attr_copy)); - #copy_clean - ); - - assert!(matches!( - inner.pop(), - Some(syn::Stmt::Expr(syn::Expr::Path(pexpr), None)) - if pexpr.path.get_ident().map_or(false, |id| id == "result") - )); - - quote!( - #arg_copies - #(#inner)* - #exec_postconditions - result - ) - } - ContractConditionsData::Modifies { attr } => { - let wrapper_name = self.make_wrapper_name().to_string(); - - let wrapper_args = if let Some(wrapper_call_args) = - inner.iter_mut().find_map(|stmt| try_as_wrapper_call_args(stmt, &wrapper_name)) - { - let wrapper_args = make_wrapper_args(wrapper_call_args.len(), attr.len()); - wrapper_call_args - .extend(wrapper_args.clone().map(|a| Expr::Verbatim(quote!(#a)))); - wrapper_args - } else { - unreachable!( - "Invariant broken, check function did not contain a call to the wrapper function" - ) - }; - - quote!( - #(let #wrapper_args = unsafe { kani::internal::Pointer::decouple_lifetime(&#attr) };)* - #(#inner)* - ) - } - } - } - - /// Create a new name for the assigns wrapper function *or* get the name of - /// the wrapper we must have already generated. This is so that we can - /// recognize a call to that wrapper inside the check function. - fn make_wrapper_name(&self) -> Ident { - if let Some(hash) = self.hash { - identifier_for_generated_function(&self.annotated_fn.sig.ident, "wrapper", hash) - } else { - let str_name = self.annotated_fn.sig.ident.to_string(); - let splits = str_name.rsplitn(3, '_').collect::>(); - let [hash, _, base] = splits.as_slice() else { - unreachable!("Odd name for function {str_name}, splits were {}", splits.len()); - }; - - Ident::new(&format!("{base}_wrapper_{hash}"), Span::call_site()) - } - } - - /// Get the sequence of statements of the previous check body or create the default one. - fn ensure_bootstrapped_check_body(&self) -> Vec { - let wrapper_name = self.make_wrapper_name(); - let return_type = return_type_to_type(&self.annotated_fn.sig.output); - if self.is_first_emit() { - let args = exprs_for_args(&self.annotated_fn.sig.inputs); - let wrapper_call = if is_probably_impl_fn(self.annotated_fn) { - quote!(Self::#wrapper_name) - } else { - quote!(#wrapper_name) - }; - syn::parse_quote!( - let result : #return_type = #wrapper_call(#(#args),*); - result - ) - } else { - self.annotated_fn.block.stmts.clone() - } - } - - /// Split an existing replace body of the form - /// - /// ```ignore - /// // multiple preconditions and argument copies like like - /// kani::assert(.. precondition); - /// let arg_name = kani::internal::untracked_deref(&arg_value); - /// // single result havoc - /// let result : ResultType = kani::any(); - /// - /// // multiple argument havockings - /// *unsafe { kani::internal::Pointer::assignable(argument) } = kani::any(); - /// // multiple postconditions - /// kani::assume(postcond); - /// // multiple argument copy (used in postconditions) cleanups - /// std::mem::forget(arg_name); - /// // single return - /// result - /// ``` - /// - /// Such that the first vector contains everything up to and including the single result havoc - /// and the second one the rest, excluding the return. - /// - /// If this is the first time we're emitting replace we create the return havoc and nothing else. - fn ensure_bootstrapped_replace_body(&self) -> (Vec, Vec) { - if self.is_first_emit() { - let return_type = return_type_to_type(&self.annotated_fn.sig.output); - (vec![syn::parse_quote!(let result : #return_type = kani::any();)], vec![]) - } else { - let stmts = &self.annotated_fn.block.stmts; - let idx = stmts - .iter() - .enumerate() - .find_map(|(i, elem)| is_replace_return_havoc(elem).then_some(i)) - .unwrap_or_else(|| { - panic!("ICE: Could not find result let binding in statement sequence") - }); - // We want the result assign statement to end up as the last statement in the first - // vector, hence the `+1`. - let (before, after) = stmts.split_at(idx + 1); - (before.to_vec(), after.split_last().unwrap().1.to_vec()) - } - } - - /// Create the body of a stub for this contract. - /// - /// Wraps the conditions from this attribute around a prior call. If - /// `use_nondet_result` is `true` we will use `kani::any()` to create a - /// result, otherwise whatever the `body` of our annotated function was. - /// - /// `use_nondet_result` will only be true if this is the first time we are - /// generating a replace function. - fn make_replace_body(&self) -> TokenStream2 { - let (before, after) = self.ensure_bootstrapped_replace_body(); - - match &self.condition_type { - ContractConditionsData::Requires { attr } => { - let Self { attr_copy, .. } = self; - quote!( - kani::assert(#attr, stringify!(#attr_copy)); - #(#before)* - #(#after)* - result - ) - } - ContractConditionsData::Ensures { attr, argument_names } => { - let (arg_copies, copy_clean) = make_unsafe_argument_copies(&argument_names); - quote!( - #arg_copies - #(#before)* - #(#after)* - kani::assume(#attr); - #copy_clean - result - ) - } - ContractConditionsData::Modifies { attr } => { - quote!( - #(#before)* - #(*unsafe { kani::internal::Pointer::assignable(#attr) } = kani::any();)* - #(#after)* - result - ) - } - } - } - - /// Emit the check function into the output stream. - /// - /// See [`Self::make_check_body`] for the most interesting parts of this - /// function. - fn emit_check_function(&mut self, check_function_ident: Ident) { - self.emit_common_header(); - - if self.function_state.emit_tag_attr() { - // If it's the first time we also emit this marker. Again, order is - // important so this happens as the last emitted attribute. - self.output.extend(quote!(#[kanitool::is_contract_generated(check)])); - } - let body = self.make_check_body(); - let mut sig = self.annotated_fn.sig.clone(); - sig.ident = check_function_ident; - self.output.extend(quote!( - #sig { - #body - } - )) - } - - /// Emit the replace funtion into the output stream. - /// - /// See [`Self::make_replace_body`] for the most interesting parts of this - /// function. - fn emit_replace_function(&mut self, replace_function_ident: Ident) { - self.emit_common_header(); - - if self.function_state.emit_tag_attr() { - // If it's the first time we also emit this marker. Again, order is - // important so this happens as the last emitted attribute. - self.output.extend(quote!(#[kanitool::is_contract_generated(replace)])); - } - let mut sig = self.annotated_fn.sig.clone(); - if self.is_first_emit() { - attach_require_kani_any(&mut sig); - } - let body = self.make_replace_body(); - sig.ident = replace_function_ident; - - // Finally emit the check function itself. - self.output.extend(quote!( - #sig { - #body - } - )); - } - - /// Emit attributes common to check or replace function into the output - /// stream. - fn emit_common_header(&mut self) { - if self.function_state.emit_tag_attr() { - self.output.extend(quote!( - #[allow(dead_code, unused_variables)] - )); - } - self.output.extend(self.annotated_fn.attrs.iter().flat_map(Attribute::to_token_stream)); - } - - /// Emit a modifies wrapper, possibly augmenting a prior, existing one. - /// - /// We only augment if this clause is a `modifies` clause. In that case we - /// expand its signature with one new argument of type `&impl Arbitrary` for - /// each expression in the clause. - fn emit_augmented_modifies_wrapper(&mut self) { - if let ContractConditionsData::Modifies { attr } = &self.condition_type { - let wrapper_args = make_wrapper_args(self.annotated_fn.sig.inputs.len(), attr.len()); - let sig = &mut self.annotated_fn.sig; - for arg in wrapper_args.clone() { - let lifetime = syn::Lifetime { apostrophe: Span::call_site(), ident: arg.clone() }; - sig.inputs.push(FnArg::Typed(syn::PatType { - attrs: vec![], - colon_token: Token![:](Span::call_site()), - pat: Box::new(syn::Pat::Verbatim(quote!(#arg))), - ty: Box::new(syn::Type::Verbatim(quote!(&#lifetime impl kani::Arbitrary))), - })); - sig.generics.params.push(syn::GenericParam::Lifetime(syn::LifetimeParam { - lifetime, - colon_token: None, - bounds: Default::default(), - attrs: vec![], - })); - } - self.output.extend(quote!(#[kanitool::modifies(#(#wrapper_args),*)])) - } - self.emit_common_header(); - - if self.function_state.emit_tag_attr() { - // If it's the first time we also emit this marker. Again, order is - // important so this happens as the last emitted attribute. - self.output.extend(quote!(#[kanitool::is_contract_generated(wrapper)])); - } - - let name = self.make_wrapper_name(); - let ItemFn { vis, sig, block, .. } = self.annotated_fn; - - let mut sig = sig.clone(); - sig.ident = name; - self.output.extend(quote!( - #vis #sig #block - )); - } -} - -/// Used as the "single source of truth" for [`try_as_result_assign`] and [`try_as_result_assign_mut`] -/// since we can't abstract over mutability. Input is the object to match on and the name of the -/// function used to convert an `Option` into the result type (e.g. `as_ref` and `as_mut` -/// respectively). -/// -/// We start with a `match` as a top-level here, since if we made this a pattern macro (the "clean" -/// thing to do) then we cant use the `if` inside there which we need because box patterns are -/// unstable. -macro_rules! try_as_result_assign_pat { - ($input:expr, $convert:ident) => { - match $input { - syn::Stmt::Local(syn::Local { - pat: syn::Pat::Type(syn::PatType { - pat: inner_pat, - attrs, - .. - }), - init, - .. - }) if attrs.is_empty() - && matches!( - inner_pat.as_ref(), - syn::Pat::Ident(syn::PatIdent { - by_ref: None, - mutability: None, - ident: result_ident, - subpat: None, - .. - }) if result_ident == "result" - ) => init.$convert(), - _ => None, - } - }; -} - -/// Try to parse this statement as `let result : <...> = ;` and return `init`. -/// -/// This is the shape of statement we create in replace functions to havoc (with `init` being -/// `kani::any()`) and we need to recognize it for when we edit the replace function and integrate -/// additional conditions. -/// -/// It's a thin wrapper around [`try_as_result_assign_pat!`] to create an immutable match. -fn try_as_result_assign(stmt: &syn::Stmt) -> Option<&syn::LocalInit> { - try_as_result_assign_pat!(stmt, as_ref) -} - -/// Try to parse this statement as `let result : <...> = ;` and return a mutable reference to -/// `init`. -/// -/// This is the shape of statement we create in check functions (with `init` being a call to check -/// function with additional pointer arguments for the `modifies` clause) and we need to recognize -/// it to then edit this call if we find another `modifies` clause and add its additional arguments. -/// additional conditions. -/// -/// It's a thin wrapper around [`try_as_result_assign_pat!`] to create a mutable match. -fn try_as_result_assign_mut(stmt: &mut syn::Stmt) -> Option<&mut syn::LocalInit> { - try_as_result_assign_pat!(stmt, as_mut) -} - -/// Is this statement `let result : <...> = kani::any();`. -fn is_replace_return_havoc(stmt: &syn::Stmt) -> bool { - let Some(syn::LocalInit { diverge: None, expr: e, .. }) = try_as_result_assign(stmt) else { - return false; - }; - - matches!( - e.as_ref(), - Expr::Call(syn::ExprCall { - func, - args, - .. - }) - if args.is_empty() - && matches!( - func.as_ref(), - Expr::Path(syn::ExprPath { - qself: None, - path, - attrs, - }) - if path.segments.len() == 2 - && path.segments[0].ident == "kani" - && path.segments[1].ident == "any" - && attrs.is_empty() - ) - ) -} - -/// For each argument create an expression that passes this argument along unmodified. -/// -/// Reconstructs structs that may have been deconstructed with patterns. -fn exprs_for_args( - args: &syn::punctuated::Punctuated, -) -> impl Iterator + Clone + '_ { - args.iter().map(|arg| match arg { - FnArg::Receiver(_) => Expr::Verbatim(quote!(self)), - FnArg::Typed(typed) => pat_to_expr(&typed.pat), - }) -} - -/// Create an expression that reconstructs a struct that was matched in a pattern. -/// -/// Does not support enums, wildcards, pattern alternatives (`|`), range patterns, or verbatim. -fn pat_to_expr(pat: &syn::Pat) -> Expr { - use syn::Pat; - let mk_err = |typ| { - pat.span() - .unwrap() - .error(format!("`{typ}` patterns are not supported for functions with contracts")) - .emit(); - unreachable!() - }; - match pat { - Pat::Const(c) => Expr::Const(c.clone()), - Pat::Ident(id) => Expr::Verbatim(id.ident.to_token_stream()), - Pat::Lit(lit) => Expr::Lit(lit.clone()), - Pat::Reference(rf) => Expr::Reference(syn::ExprReference { - attrs: vec![], - and_token: rf.and_token, - mutability: rf.mutability, - expr: Box::new(pat_to_expr(&rf.pat)), - }), - Pat::Tuple(tup) => Expr::Tuple(syn::ExprTuple { - attrs: vec![], - paren_token: tup.paren_token, - elems: tup.elems.iter().map(pat_to_expr).collect(), - }), - Pat::Slice(slice) => Expr::Reference(syn::ExprReference { - attrs: vec![], - and_token: syn::Token!(&)(Span::call_site()), - mutability: None, - expr: Box::new(Expr::Array(syn::ExprArray { - attrs: vec![], - bracket_token: slice.bracket_token, - elems: slice.elems.iter().map(pat_to_expr).collect(), - })), - }), - Pat::Path(pth) => Expr::Path(pth.clone()), - Pat::Or(_) => mk_err("or"), - Pat::Rest(_) => mk_err("rest"), - Pat::Wild(_) => mk_err("wildcard"), - Pat::Paren(inner) => pat_to_expr(&inner.pat), - Pat::Range(_) => mk_err("range"), - Pat::Struct(strct) => { - if strct.rest.is_some() { - mk_err(".."); - } - Expr::Struct(syn::ExprStruct { - attrs: vec![], - path: strct.path.clone(), - brace_token: strct.brace_token, - dot2_token: None, - rest: None, - qself: strct.qself.clone(), - fields: strct - .fields - .iter() - .map(|field_pat| syn::FieldValue { - attrs: vec![], - member: field_pat.member.clone(), - colon_token: field_pat.colon_token, - expr: pat_to_expr(&field_pat.pat), - }) - .collect(), - }) - } - Pat::Verbatim(_) => mk_err("verbatim"), - Pat::Type(pt) => pat_to_expr(pt.pat.as_ref()), - Pat::TupleStruct(_) => mk_err("tuple struct"), - _ => mk_err("unknown"), - } -} - -/// Try to interpret this statement as `let result : <...> = (args ...);` and -/// return a mutable reference to the parameter list. -fn try_as_wrapper_call_args<'a>( - stmt: &'a mut syn::Stmt, - wrapper_fn_name: &str, -) -> Option<&'a mut syn::punctuated::Punctuated> { - let syn::LocalInit { diverge: None, expr: init_expr, .. } = try_as_result_assign_mut(stmt)? - else { - return None; - }; - - match init_expr.as_mut() { - Expr::Call(syn::ExprCall { func: box_func, args, .. }) => match box_func.as_ref() { - syn::Expr::Path(syn::ExprPath { qself: None, path, .. }) - if path.get_ident().map_or(false, |id| id == wrapper_fn_name) => - { - Some(args) - } - _ => None, - }, - _ => None, - } -} - -/// Make `num` [`Ident`]s with the names `_wrapper_arg_{i}` with `i` starting at `low` and -/// increasing by one each time. -fn make_wrapper_args(low: usize, num: usize) -> impl Iterator + Clone { - (low..).map(|i| Ident::new(&format!("_wrapper_arg_{i}"), Span::mixed_site())).take(num) -} - -/// If an explicit return type was provided it is returned, otherwise `()`. -fn return_type_to_type(return_type: &syn::ReturnType) -> Cow { - match return_type { - syn::ReturnType::Default => Cow::Owned(syn::Type::Tuple(syn::TypeTuple { - paren_token: syn::token::Paren::default(), - elems: Default::default(), - })), - syn::ReturnType::Type(_, typ) => Cow::Borrowed(typ.as_ref()), - } -} - -/// Looks complicated but does something very simple: attach a bound for -/// `kani::Arbitrary` on the return type to the provided signature. Pushes it -/// onto a preexisting where condition, initializing a new `where` condition if -/// it doesn't already exist. -/// -/// Very simple example: `fn foo() -> usize { .. }` would be rewritten `fn foo() -/// -> usize where usize: kani::Arbitrary { .. }`. -/// -/// This is called when we first emit a replace function. Later we can rely on -/// this bound already being present. -fn attach_require_kani_any(sig: &mut Signature) { - if matches!(sig.output, ReturnType::Default) { - // It's the default return type, e.g. `()` so we can skip adding the - // constraint. - return; - } - let return_ty = return_type_to_type(&sig.output); - let where_clause = sig.generics.where_clause.get_or_insert_with(|| WhereClause { - where_token: syn::Token![where](Span::call_site()), - predicates: Default::default(), - }); - - where_clause.predicates.push(syn::WherePredicate::Type(PredicateType { - lifetimes: None, - bounded_ty: return_ty.into_owned(), - colon_token: syn::Token![:](Span::call_site()), - bounds: [TypeParamBound::Trait(TraitBound { - paren_token: None, - modifier: syn::TraitBoundModifier::None, - lifetimes: None, - path: syn::Path { - leading_colon: None, - segments: [ - syn::PathSegment { - ident: Ident::new("kani", Span::call_site()), - arguments: syn::PathArguments::None, - }, - syn::PathSegment { - ident: Ident::new("Arbitrary", Span::call_site()), - arguments: syn::PathArguments::None, - }, - ] - .into_iter() - .collect(), - }, - })] - .into_iter() - .collect(), - })) -} - -/// We make shallow copies of the argument for the postconditions in both -/// `requires` and `ensures` clauses and later clean them up. -/// -/// This function creates the code necessary to both make the copies (first -/// tuple elem) and to clean them (second tuple elem). -fn make_unsafe_argument_copies( - renaming_map: &HashMap, -) -> (TokenStream2, TokenStream2) { - let arg_names = renaming_map.values(); - let also_arg_names = renaming_map.values(); - let arg_values = renaming_map.keys(); - ( - quote!(#(let #arg_names = kani::internal::untracked_deref(&#arg_values);)*), - quote!(#(std::mem::forget(#also_arg_names);)*), - ) -} - -/// The main meat of handling requires/ensures contracts. -/// -/// See the [module level documentation][self] for a description of how the code -/// generation works. -fn requires_ensures_main( - attr: TokenStream, - item: TokenStream, - is_requires: ContractConditionsType, -) -> TokenStream { - let attr_copy = TokenStream2::from(attr.clone()); - - let mut output = proc_macro2::TokenStream::new(); - let item_stream_clone = item.clone(); - let mut item_fn = parse_macro_input!(item as ItemFn); - - let function_state = ContractFunctionState::from_attributes(&item_fn.attrs); - - if matches!(function_state, ContractFunctionState::Original) { - // If we're the original function that means we're *not* the first time - // that a contract attribute is handled on this function. This means - // there must exist a generated check function somewhere onto which the - // attributes have been copied and where they will be expanded into more - // checks. So we just return ourselves unchanged. - // - // Since this is the only function state case that doesn't need a - // handler to be constructed, we do this match early, separately. - return item_fn.into_token_stream().into(); - } - - let hash = matches!(function_state, ContractFunctionState::Untouched) - .then(|| short_hash_of_token_stream(&item_stream_clone)); - - let original_function_name = item_fn.sig.ident.clone(); - - let mut handler = match ContractConditionsHandler::new( - function_state, - is_requires, - attr, - &mut item_fn, - attr_copy, - &mut output, - hash, - ) { - Ok(handler) => handler, - Err(e) => return e.into_compile_error().into(), - }; - - match function_state { - ContractFunctionState::ModifiesWrapper => handler.emit_augmented_modifies_wrapper(), - ContractFunctionState::Check => { - // The easy cases first: If we are on a check or replace function - // emit them again but with additional conditions layered on. - // - // Since we are already on the check function, it will have an - // appropriate, unique generated name which we are just going to - // pass on. - handler.emit_check_function(original_function_name); - } - ContractFunctionState::Replace => { - // Analogous to above - handler.emit_replace_function(original_function_name); - } - ContractFunctionState::Original => { - unreachable!("Impossible: This is handled via short circuiting earlier.") - } - ContractFunctionState::Untouched => { - // The complex case. We are the first time a contract is handled on this function, so - // we're responsible for - // - // 1. Generating a name for the check function - // 2. Emitting the original, unchanged item and register the check - // function on it via attribute - // 3. Renaming our item to the new name - // 4. And (minor point) adding #[allow(dead_code)] and - // #[allow(unused_variables)] to the check function attributes - - // We'll be using this to postfix the generated names for the "check" - // and "replace" functions. - let item_hash = hash.unwrap(); - - let check_fn_name = - identifier_for_generated_function(&original_function_name, "check", item_hash); - let replace_fn_name = - identifier_for_generated_function(&original_function_name, "replace", item_hash); - let recursion_wrapper_name = identifier_for_generated_function( - &original_function_name, - "recursion_wrapper", - item_hash, - ); - - // Constructing string literals explicitly here, because `stringify!` - // doesn't work. Let's say we have an identifier `check_fn` and we were - // to do `quote!(stringify!(check_fn))` to try to have it expand to - // `"check_fn"` in the generated code. Then when the next macro parses - // this it will *not* see the literal `"check_fn"` as you may expect but - // instead the *expression* `stringify!(check_fn)`. - let replace_fn_name_str = - syn::LitStr::new(&replace_fn_name.to_string(), Span::call_site()); - let wrapper_fn_name_str = - syn::LitStr::new(&handler.make_wrapper_name().to_string(), Span::call_site()); - let recursion_wrapper_name_str = - syn::LitStr::new(&recursion_wrapper_name.to_string(), Span::call_site()); - - // The order of `attrs` and `kanitool::{checked_with, - // is_contract_generated}` is important here, because macros are - // expanded outside in. This way other contract annotations in `attrs` - // sees those attributes and can use them to determine - // `function_state`. - // - // The same care is taken when we emit check and replace functions. - // emit the check function. - let is_impl_fn = is_probably_impl_fn(&handler.annotated_fn); - let ItemFn { attrs, vis, sig, block } = &handler.annotated_fn; - handler.output.extend(quote!( - #(#attrs)* - #[kanitool::checked_with = #recursion_wrapper_name_str] - #[kanitool::replaced_with = #replace_fn_name_str] - #[kanitool::inner_check = #wrapper_fn_name_str] - #vis #sig { - #block - } - )); - - let mut wrapper_sig = sig.clone(); - attach_require_kani_any(&mut wrapper_sig); - wrapper_sig.ident = recursion_wrapper_name; - - let args = pats_to_idents(&mut wrapper_sig.inputs).collect::>(); - let also_args = args.iter(); - let (call_check, call_replace) = if is_impl_fn { - (quote!(Self::#check_fn_name), quote!(Self::#replace_fn_name)) - } else { - (quote!(#check_fn_name), quote!(#replace_fn_name)) - }; - - handler.output.extend(quote!( - #[allow(dead_code, unused_variables)] - #[kanitool::is_contract_generated(recursion_wrapper)] - #wrapper_sig { - static mut REENTRY: bool = false; - if unsafe { REENTRY } { - #call_replace(#(#args),*) - } else { - unsafe { REENTRY = true }; - let result = #call_check(#(#also_args),*); - unsafe { REENTRY = false }; - result - } - } - )); - - handler.emit_check_function(check_fn_name); - handler.emit_replace_function(replace_fn_name); - handler.emit_augmented_modifies_wrapper(); - } - } - - output.into() -} - -/// Convert every use of a pattern in this signature to a simple, fresh, binding-only -/// argument ([`syn::PatIdent`]) and return the [`Ident`] that was generated. -fn pats_to_idents

( - sig: &mut syn::punctuated::Punctuated, -) -> impl Iterator + '_ { - sig.iter_mut().enumerate().map(|(i, arg)| match arg { - syn::FnArg::Receiver(_) => Ident::from(syn::Token![self](Span::call_site())), - syn::FnArg::Typed(syn::PatType { pat, .. }) => { - let ident = Ident::new(&format!("arg{i}"), Span::mixed_site()); - *pat.as_mut() = syn::Pat::Ident(syn::PatIdent { - attrs: vec![], - by_ref: None, - mutability: None, - ident: ident.clone(), - subpat: None, - }); - ident - } - }) -} - -/// The visitor used by [`is_probably_impl_fn`]. See function documentation for -/// more information. -struct SelfDetector(bool); - -impl<'ast> Visit<'ast> for SelfDetector { - fn visit_ident(&mut self, i: &'ast syn::Ident) { - self.0 |= i == &Ident::from(syn::Token![Self](Span::mixed_site())) - } - - fn visit_receiver(&mut self, _node: &'ast syn::Receiver) { - self.0 = true; - } -} - -/// Try to determine if this function is part of an `impl`. -/// -/// Detects *methods* by the presence of a receiver argument. Heuristically -/// detects *associated functions* by the use of `Self` anywhere. -/// -/// Why do we need this? It's because if we want to call this `fn`, or any other -/// `fn` we generate into the same context we need to use `foo()` or -/// `Self::foo()` respectively depending on whether this is a plain or -/// associated function or Rust will complain. For the contract machinery we -/// need to generate and then call various functions we generate as well as the -/// original contracted function and so we need to determine how to call them -/// correctly. -/// -/// We can only solve this heuristically. The fundamental problem with Rust -/// macros is that they only see the syntax that's given to them and no other -/// context. It is however that context (of an `impl` block) that definitively -/// determines whether the `fn` is a plain function or an associated function. -/// -/// The heuristic itself is flawed, but it's the best we can do. For instance -/// this is perfectly legal -/// -/// ``` -/// struct S; -/// impl S { -/// #[i_want_to_call_you] -/// fn helper(u: usize) -> bool { -/// u < 8 -/// } -/// } -/// ``` -/// -/// This function would have to be called `S::helper()` but to the -/// `#[i_want_to_call_you]` attribute this function looks just like a bare -/// function because it never mentions `self` or `Self`. While this is a rare -/// case, the following is much more likely and suffers from the same problem, -/// because we can't know that `Vec == Self`. -/// -/// ``` -/// impl Vec { -/// fn new() -> Vec { -/// Vec { cap: 0, buf: NonNull::dangling() } -/// } -/// } -/// ``` -/// -/// **Side note:** You may be tempted to suggest that we could try and parse -/// `syn::ImplItemFn` and distinguish that from `syn::ItemFn` to distinguish -/// associated function from plain functions. However parsing in an attribute -/// placed on *any* `fn` will always succeed for *both* `syn::ImplItemFn` and -/// `syn::ItemFn`, thus not letting us distinguish between the two. -fn is_probably_impl_fn(fun: &ItemFn) -> bool { - let mut self_detector = SelfDetector(false); - self_detector.visit_item_fn(fun); - self_detector.0 -} - -/// Create a unique hash for a token stream (basically a [`std::hash::Hash`] -/// impl for `proc_macro2::TokenStream`). -fn hash_of_token_stream(hasher: &mut H, stream: proc_macro2::TokenStream) { - use proc_macro2::TokenTree; - use std::hash::Hash; - for token in stream { - match token { - TokenTree::Ident(i) => i.hash(hasher), - TokenTree::Punct(p) => p.as_char().hash(hasher), - TokenTree::Group(g) => { - std::mem::discriminant(&g.delimiter()).hash(hasher); - hash_of_token_stream(hasher, g.stream()); - } - TokenTree::Literal(lit) => lit.to_string().hash(hasher), - } - } -} - -/// Hash this `TokenStream` and return an integer that is at most digits -/// long when hex formatted. -fn short_hash_of_token_stream(stream: &proc_macro::TokenStream) -> u64 { - const SIX_HEX_DIGITS_MASK: u64 = 0x1_000_000; - use std::hash::Hasher; - let mut hasher = std::collections::hash_map::DefaultHasher::default(); - hash_of_token_stream(&mut hasher, proc_macro2::TokenStream::from(stream.clone())); - let long_hash = hasher.finish(); - long_hash % SIX_HEX_DIGITS_MASK -} - -/// Makes consistent names for a generated function which was created for -/// `purpose`, from an attribute that decorates `related_function` with the -/// hash `hash`. -fn identifier_for_generated_function( - related_function_name: &Ident, - purpose: &str, - hash: u64, -) -> Ident { - let identifier = format!("{}_{purpose}_{hash:x}", related_function_name); - Ident::new(&identifier, proc_macro2::Span::mixed_site()) -} - -fn is_token_stream_2_comma(t: &proc_macro2::TokenTree) -> bool { - matches!(t, proc_macro2::TokenTree::Punct(p) if p.as_char() == ',') -} - -fn chunks_by<'a, T, C: Default + Extend>( - i: impl IntoIterator + 'a, - mut pred: impl FnMut(&T) -> bool + 'a, -) -> impl Iterator + 'a { - let mut iter = i.into_iter(); - std::iter::from_fn(move || { - let mut new = C::default(); - let mut empty = true; - for tok in iter.by_ref() { - empty = false; - if pred(&tok) { - break; - } else { - new.extend([tok]) - } - } - (!empty).then_some(new) - }) -} - -/// Collect all named identifiers used in the argument patterns of a function. -struct ArgumentIdentCollector(HashSet); - -impl ArgumentIdentCollector { - fn new() -> Self { - Self(HashSet::new()) - } -} - -impl<'ast> Visit<'ast> for ArgumentIdentCollector { - fn visit_pat_ident(&mut self, i: &'ast syn::PatIdent) { - self.0.insert(i.ident.clone()); - syn::visit::visit_pat_ident(self, i) - } - fn visit_receiver(&mut self, _: &'ast syn::Receiver) { - self.0.insert(Ident::new("self", proc_macro2::Span::call_site())); - } -} - -/// Applies the contained renaming (key renamed to value) to every ident pattern -/// and ident expr visited. -struct Renamer<'a>(&'a HashMap); - -impl<'a> VisitMut for Renamer<'a> { - fn visit_expr_path_mut(&mut self, i: &mut syn::ExprPath) { - if i.path.segments.len() == 1 { - i.path - .segments - .first_mut() - .and_then(|p| self.0.get(&p.ident).map(|new| p.ident = new.clone())); - } - } - - /// This restores shadowing. Without this we would rename all ident - /// occurrences, but not rebinding location. This is because our - /// [`Self::visit_expr_path_mut`] is scope-unaware. - fn visit_pat_ident_mut(&mut self, i: &mut syn::PatIdent) { - if let Some(new) = self.0.get(&i.ident) { - i.ident = new.clone(); - } - } -} - -/// A supporting function for creating shallow, unsafe copies of the arguments -/// for the postconditions. -/// -/// This function: -/// - Collects all [`Ident`]s found in the argument patterns; -/// - Creates new names for them; -/// - Replaces all occurrences of those idents in `attrs` with the new names and; -/// - Returns the mapping of old names to new names. -fn rename_argument_occurrences(sig: &syn::Signature, attr: &mut Expr) -> HashMap { - let mut arg_ident_collector = ArgumentIdentCollector::new(); - arg_ident_collector.visit_signature(&sig); - - let mk_new_ident_for = |id: &Ident| Ident::new(&format!("{}_renamed", id), Span::mixed_site()); - let arg_idents = arg_ident_collector - .0 - .into_iter() - .map(|i| { - let new = mk_new_ident_for(&i); - (i, new) - }) - .collect::>(); - - let mut ident_rewriter = Renamer(&arg_idents); - ident_rewriter.visit_expr_mut(attr); - arg_idents -} - -/// Does the provided path have the same chain of identifiers as `mtch` (match) -/// and no arguments anywhere? -/// -/// So for instance (using some pseudo-syntax for the [`syn::Path`]s) -/// `matches_path(std::vec::Vec, &["std", "vec", "Vec"]) == true` but -/// `matches_path(std::Vec::::contains, &["std", "Vec", "contains"]) != -/// true`. -/// -/// This is intended to be used to match the internal `kanitool` family of -/// attributes which we know to have a regular structure and no arguments. -fn matches_path(path: &syn::Path, mtch: &[E]) -> bool -where - Ident: std::cmp::PartialEq, -{ - path.segments.len() == mtch.len() - && path.segments.iter().all(|s| s.arguments.is_empty()) - && path.leading_colon.is_none() - && path.segments.iter().zip(mtch).all(|(actual, expected)| actual.ident == *expected) -} - -#[cfg(test)] -mod test { - macro_rules! detect_impl_fn { - ($expect_pass:expr, $($tt:tt)*) => {{ - let syntax = stringify!($($tt)*); - let ast = syn::parse_str(syntax).unwrap(); - assert!($expect_pass == super::is_probably_impl_fn(&ast), - "Incorrect detection.\nExpected is_impl_fun: {}\nInput Expr; {}\nParsed: {:?}", - $expect_pass, - syntax, - ast - ); - }} - } - - #[test] - fn detect_impl_fn_by_receiver() { - detect_impl_fn!(true, fn self_by_ref(&self, u: usize) -> bool {}); - - detect_impl_fn!(true, fn self_by_self(self, u: usize) -> bool {}); - } - - #[test] - fn detect_impl_fn_by_self_ty() { - detect_impl_fn!(true, fn self_by_construct(u: usize) -> Self {}); - detect_impl_fn!(true, fn self_by_wrapped_construct(u: usize) -> Arc {}); - - detect_impl_fn!(true, fn self_by_other_arg(u: usize, slf: Self) {}); - - detect_impl_fn!(true, fn self_by_other_wrapped_arg(u: usize, slf: Vec) {}) - } - - #[test] - fn detect_impl_fn_by_qself() { - detect_impl_fn!( - true, - fn self_by_mention(u: usize) { - Self::other(u) - } - ); - } - - #[test] - fn detect_no_impl_fn() { - detect_impl_fn!( - false, - fn self_by_mention(u: usize) { - let self_name = 18; - let self_lit = "self"; - let self_lit = "Self"; - } - ); - } -} diff --git a/library/kani_macros/src/sysroot/contracts/bootstrap.rs b/library/kani_macros/src/sysroot/contracts/bootstrap.rs new file mode 100644 index 000000000000..dee0bca42c54 --- /dev/null +++ b/library/kani_macros/src/sysroot/contracts/bootstrap.rs @@ -0,0 +1,109 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Special way we handle the first time we encounter a contract attribute on a +//! function. + +use proc_macro2::{Ident, Span}; +use quote::quote; +use syn::ItemFn; + +use super::{ + helpers::*, shared::identifier_for_generated_function, ContractConditionsHandler, + INTERNAL_RESULT_IDENT, +}; + +impl<'a> ContractConditionsHandler<'a> { + /// The complex case. We are the first time a contract is handled on this function, so + /// we're responsible for + /// + /// 1. Generating a name for the check function + /// 2. Emitting the original, unchanged item and register the check + /// function on it via attribute + /// 3. Renaming our item to the new name + /// 4. And (minor point) adding #[allow(dead_code)] and + /// #[allow(unused_variables)] to the check function attributes + pub fn handle_untouched(&mut self) { + // We'll be using this to postfix the generated names for the "check" + // and "replace" functions. + let item_hash = self.hash.unwrap(); + + let original_function_name = self.annotated_fn.sig.ident.clone(); + + let check_fn_name = + identifier_for_generated_function(&original_function_name, "check", item_hash); + let replace_fn_name = + identifier_for_generated_function(&original_function_name, "replace", item_hash); + let recursion_wrapper_name = identifier_for_generated_function( + &original_function_name, + "recursion_wrapper", + item_hash, + ); + + // Constructing string literals explicitly here, because `stringify!` + // doesn't work. Let's say we have an identifier `check_fn` and we were + // to do `quote!(stringify!(check_fn))` to try to have it expand to + // `"check_fn"` in the generated code. Then when the next macro parses + // this it will *not* see the literal `"check_fn"` as you may expect but + // instead the *expression* `stringify!(check_fn)`. + let replace_fn_name_str = syn::LitStr::new(&replace_fn_name.to_string(), Span::call_site()); + let wrapper_fn_name_str = + syn::LitStr::new(&self.make_wrapper_name().to_string(), Span::call_site()); + let recursion_wrapper_name_str = + syn::LitStr::new(&recursion_wrapper_name.to_string(), Span::call_site()); + + // The order of `attrs` and `kanitool::{checked_with, + // is_contract_generated}` is important here, because macros are + // expanded outside in. This way other contract annotations in `attrs` + // sees those attributes and can use them to determine + // `function_state`. + // + // The same care is taken when we emit check and replace functions. + // emit the check function. + let is_impl_fn = is_probably_impl_fn(&self.annotated_fn); + let ItemFn { attrs, vis, sig, block } = &self.annotated_fn; + self.output.extend(quote!( + #(#attrs)* + #[kanitool::checked_with = #recursion_wrapper_name_str] + #[kanitool::replaced_with = #replace_fn_name_str] + #[kanitool::inner_check = #wrapper_fn_name_str] + #vis #sig { + #block + } + )); + + let mut wrapper_sig = sig.clone(); + wrapper_sig.ident = recursion_wrapper_name; + // We use non-constant functions, thus, the wrapper cannot be constant. + wrapper_sig.constness = None; + + let args = pats_to_idents(&mut wrapper_sig.inputs).collect::>(); + let also_args = args.iter(); + let (call_check, call_replace) = if is_impl_fn { + (quote!(Self::#check_fn_name), quote!(Self::#replace_fn_name)) + } else { + (quote!(#check_fn_name), quote!(#replace_fn_name)) + }; + + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + self.output.extend(quote!( + #[allow(dead_code, unused_variables, unused_mut)] + #[kanitool::is_contract_generated(recursion_wrapper)] + #wrapper_sig { + static mut REENTRY: bool = false; + if unsafe { REENTRY } { + #call_replace(#(#args),*) + } else { + unsafe { REENTRY = true }; + let #result = #call_check(#(#also_args),*); + unsafe { REENTRY = false }; + #result + } + } + )); + + self.emit_check_function(Some(check_fn_name)); + self.emit_replace_function(Some(replace_fn_name)); + self.emit_augmented_modifies_wrapper(); + } +} diff --git a/library/kani_macros/src/sysroot/contracts/check.rs b/library/kani_macros/src/sysroot/contracts/check.rs new file mode 100644 index 000000000000..bd4c09b07796 --- /dev/null +++ b/library/kani_macros/src/sysroot/contracts/check.rs @@ -0,0 +1,291 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Logic used for generating the code that checks a contract. + +use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; +use quote::quote; +use syn::{Expr, FnArg, ItemFn, Token}; + +use super::{ + helpers::*, + shared::{make_unsafe_argument_copies, try_as_result_assign_mut}, + ContractConditionsData, ContractConditionsHandler, INTERNAL_RESULT_IDENT, +}; + +const WRAPPER_ARG_PREFIX: &str = "_wrapper_arg_"; + +impl<'a> ContractConditionsHandler<'a> { + /// Create the body of a check function. + /// + /// Wraps the conditions from this attribute around `self.body`. + /// + /// Mutable because a `modifies` clause may need to extend the inner call to + /// the wrapper with new arguments. + pub fn make_check_body(&mut self) -> TokenStream2 { + let mut inner = self.ensure_bootstrapped_check_body(); + let Self { attr_copy, .. } = self; + + match &self.condition_type { + ContractConditionsData::Requires { attr } => { + quote!( + kani::assume(#attr); + #(#inner)* + ) + } + ContractConditionsData::Ensures { argument_names, attr } => { + let (arg_copies, copy_clean) = make_unsafe_argument_copies(&argument_names); + + // The code that enforces the postconditions and cleans up the shallow + // argument copies (with `mem::forget`). + let exec_postconditions = quote!( + kani::assert(#attr, stringify!(#attr_copy)); + #copy_clean + ); + + assert!(matches!( + inner.pop(), + Some(syn::Stmt::Expr(syn::Expr::Path(pexpr), None)) + if pexpr.path.get_ident().map_or(false, |id| id == INTERNAL_RESULT_IDENT) + )); + + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + quote!( + #arg_copies + #(#inner)* + #exec_postconditions + #result + ) + } + ContractConditionsData::Modifies { attr } => { + let wrapper_name = self.make_wrapper_name().to_string(); + + let wrapper_args = if let Some(wrapper_call_args) = + inner.iter_mut().find_map(|stmt| try_as_wrapper_call_args(stmt, &wrapper_name)) + { + let wrapper_args = make_wrapper_idents( + wrapper_call_args.len(), + attr.len(), + WRAPPER_ARG_PREFIX, + ); + wrapper_call_args + .extend(wrapper_args.clone().map(|a| Expr::Verbatim(quote!(#a)))); + wrapper_args + } else { + unreachable!( + "Invariant broken, check function did not contain a call to the wrapper function" + ) + }; + + quote!( + #(let #wrapper_args = unsafe { kani::internal::Pointer::decouple_lifetime(&#attr) };)* + #(#inner)* + ) + } + } + } + + /// Get the sequence of statements of the previous check body or create the default one. + fn ensure_bootstrapped_check_body(&self) -> Vec { + let wrapper_name = self.make_wrapper_name(); + let return_type = return_type_to_type(&self.annotated_fn.sig.output); + if self.is_first_emit() { + let args = exprs_for_args(&self.annotated_fn.sig.inputs); + let wrapper_call = if is_probably_impl_fn(self.annotated_fn) { + quote!(Self::#wrapper_name) + } else { + quote!(#wrapper_name) + }; + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + syn::parse_quote!( + let #result : #return_type = #wrapper_call(#(#args),*); + #result + ) + } else { + self.annotated_fn.block.stmts.clone() + } + } + + /// Emit the check function into the output stream. + /// + /// See [`Self::make_check_body`] for the most interesting parts of this + /// function. + pub fn emit_check_function(&mut self, override_function_dent: Option) { + self.emit_common_header(); + + if self.function_state.emit_tag_attr() { + // If it's the first time we also emit this marker. Again, order is + // important so this happens as the last emitted attribute. + self.output.extend(quote!(#[kanitool::is_contract_generated(check)])); + } + let body = self.make_check_body(); + let mut sig = self.annotated_fn.sig.clone(); + // We use non-constant functions, thus, the wrapper cannot be constant. + sig.constness = None; + if let Some(ident) = override_function_dent { + sig.ident = ident; + } + self.output.extend(quote!( + #sig { + #body + } + )) + } + + /// Emit a modifies wrapper, possibly augmenting a prior, existing one. + /// + /// We only augment if this clause is a `modifies` clause. Before, + /// we annotated the wrapper arguments with `impl kani::Arbitrary`, + /// so Rust would infer the proper types for each argument. + /// We want to remove the restriction that these arguments must + /// implement `kani::Arbitrary` for checking. Now, we annotate each + /// argument with a generic type parameter, so the compiler can + /// continue inferring the correct types. + pub fn emit_augmented_modifies_wrapper(&mut self) { + if let ContractConditionsData::Modifies { attr } = &self.condition_type { + let wrapper_args = make_wrapper_idents( + self.annotated_fn.sig.inputs.len(), + attr.len(), + WRAPPER_ARG_PREFIX, + ); + // Generate a unique type parameter identifier + let type_params = make_wrapper_idents( + self.annotated_fn.sig.inputs.len(), + attr.len(), + "WrapperArgType", + ); + let sig = &mut self.annotated_fn.sig; + for (arg, arg_type) in wrapper_args.clone().zip(type_params) { + // Add the type parameter to the function signature's generic parameters list + sig.generics.params.push(syn::GenericParam::Type(syn::TypeParam { + attrs: vec![], + ident: arg_type.clone(), + colon_token: None, + bounds: Default::default(), + eq_token: None, + default: None, + })); + let lifetime = syn::Lifetime { apostrophe: Span::call_site(), ident: arg.clone() }; + sig.inputs.push(FnArg::Typed(syn::PatType { + attrs: vec![], + colon_token: Token![:](Span::call_site()), + pat: Box::new(syn::Pat::Verbatim(quote!(#arg))), + ty: Box::new(syn::parse_quote! { &#arg_type }), + })); + sig.generics.params.push(syn::GenericParam::Lifetime(syn::LifetimeParam { + lifetime, + colon_token: None, + bounds: Default::default(), + attrs: vec![], + })); + } + + self.output.extend(quote!(#[kanitool::modifies(#(#wrapper_args),*)])) + } + self.emit_common_header(); + + if self.function_state.emit_tag_attr() { + // If it's the first time we also emit this marker. Again, order is + // important so this happens as the last emitted attribute. + self.output.extend(quote!(#[kanitool::is_contract_generated(wrapper)])); + } + + let name = self.make_wrapper_name(); + let ItemFn { vis, sig, block, .. } = self.annotated_fn; + + let mut sig = sig.clone(); + sig.ident = name; + self.output.extend(quote!( + #vis #sig #block + )); + } +} + +/// Try to interpret this statement as `let result : <...> = (args ...);` and +/// return a mutable reference to the parameter list. +fn try_as_wrapper_call_args<'a>( + stmt: &'a mut syn::Stmt, + wrapper_fn_name: &str, +) -> Option<&'a mut syn::punctuated::Punctuated> { + let syn::LocalInit { diverge: None, expr: init_expr, .. } = try_as_result_assign_mut(stmt)? + else { + return None; + }; + + match init_expr.as_mut() { + Expr::Call(syn::ExprCall { func: box_func, args, .. }) => match box_func.as_ref() { + syn::Expr::Path(syn::ExprPath { qself: None, path, .. }) + if path.get_ident().map_or(false, |id| id == wrapper_fn_name) => + { + Some(args) + } + _ => None, + }, + _ => None, + } +} + +/// Make `num` [`Ident`]s with the names `prefix{i}` with `i` starting at `low` and +/// increasing by one each time. +fn make_wrapper_idents( + low: usize, + num: usize, + prefix: &'static str, +) -> impl Iterator + Clone + 'static { + (low..).map(move |i| Ident::new(&format!("{prefix}{i}"), Span::mixed_site())).take(num) +} + +#[cfg(test)] +mod test { + macro_rules! detect_impl_fn { + ($expect_pass:expr, $($tt:tt)*) => {{ + let syntax = stringify!($($tt)*); + let ast = syn::parse_str(syntax).unwrap(); + assert!($expect_pass == super::is_probably_impl_fn(&ast), + "Incorrect detection.\nExpected is_impl_fun: {}\nInput Expr; {}\nParsed: {:?}", + $expect_pass, + syntax, + ast + ); + }} + } + + #[test] + fn detect_impl_fn_by_receiver() { + detect_impl_fn!(true, fn self_by_ref(&self, u: usize) -> bool {}); + + detect_impl_fn!(true, fn self_by_self(self, u: usize) -> bool {}); + } + + #[test] + fn detect_impl_fn_by_self_ty() { + detect_impl_fn!(true, fn self_by_construct(u: usize) -> Self {}); + detect_impl_fn!(true, fn self_by_wrapped_construct(u: usize) -> Arc {}); + + detect_impl_fn!(true, fn self_by_other_arg(u: usize, slf: Self) {}); + + detect_impl_fn!(true, fn self_by_other_wrapped_arg(u: usize, slf: Vec) {}) + } + + #[test] + fn detect_impl_fn_by_qself() { + detect_impl_fn!( + true, + fn self_by_mention(u: usize) { + Self::other(u) + } + ); + } + + #[test] + fn detect_no_impl_fn() { + detect_impl_fn!( + false, + fn self_by_mention(u: usize) { + let self_name = 18; + let self_lit = "self"; + let self_lit = "Self"; + } + ); + } +} diff --git a/library/kani_macros/src/sysroot/contracts/helpers.rs b/library/kani_macros/src/sysroot/contracts/helpers.rs new file mode 100644 index 000000000000..baa25b8104e8 --- /dev/null +++ b/library/kani_macros/src/sysroot/contracts/helpers.rs @@ -0,0 +1,270 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Functions that operate third party data structures with no logic that is +//! specific to Kani and contracts. + +use proc_macro2::{Ident, Span}; +use quote::{quote, ToTokens}; +use std::borrow::Cow; +use syn::{spanned::Spanned, visit::Visit, Expr, FnArg, ItemFn}; + +/// If an explicit return type was provided it is returned, otherwise `()`. +pub fn return_type_to_type(return_type: &syn::ReturnType) -> Cow { + match return_type { + syn::ReturnType::Default => Cow::Owned(syn::Type::Tuple(syn::TypeTuple { + paren_token: syn::token::Paren::default(), + elems: Default::default(), + })), + syn::ReturnType::Type(_, typ) => Cow::Borrowed(typ.as_ref()), + } +} + +/// Create an expression that reconstructs a struct that was matched in a pattern. +/// +/// Does not support enums, wildcards, pattern alternatives (`|`), range patterns, or verbatim. +pub fn pat_to_expr(pat: &syn::Pat) -> Expr { + use syn::Pat; + let mk_err = |typ| { + pat.span() + .unwrap() + .error(format!("`{typ}` patterns are not supported for functions with contracts")) + .emit(); + unreachable!() + }; + match pat { + Pat::Const(c) => Expr::Const(c.clone()), + Pat::Ident(id) => Expr::Verbatim(id.ident.to_token_stream()), + Pat::Lit(lit) => Expr::Lit(lit.clone()), + Pat::Reference(rf) => Expr::Reference(syn::ExprReference { + attrs: vec![], + and_token: rf.and_token, + mutability: rf.mutability, + expr: Box::new(pat_to_expr(&rf.pat)), + }), + Pat::Tuple(tup) => Expr::Tuple(syn::ExprTuple { + attrs: vec![], + paren_token: tup.paren_token, + elems: tup.elems.iter().map(pat_to_expr).collect(), + }), + Pat::Slice(slice) => Expr::Reference(syn::ExprReference { + attrs: vec![], + and_token: syn::Token!(&)(Span::call_site()), + mutability: None, + expr: Box::new(Expr::Array(syn::ExprArray { + attrs: vec![], + bracket_token: slice.bracket_token, + elems: slice.elems.iter().map(pat_to_expr).collect(), + })), + }), + Pat::Path(pth) => Expr::Path(pth.clone()), + Pat::Or(_) => mk_err("or"), + Pat::Rest(_) => mk_err("rest"), + Pat::Wild(_) => mk_err("wildcard"), + Pat::Paren(inner) => pat_to_expr(&inner.pat), + Pat::Range(_) => mk_err("range"), + Pat::Struct(strct) => { + if strct.rest.is_some() { + mk_err(".."); + } + Expr::Struct(syn::ExprStruct { + attrs: vec![], + path: strct.path.clone(), + brace_token: strct.brace_token, + dot2_token: None, + rest: None, + qself: strct.qself.clone(), + fields: strct + .fields + .iter() + .map(|field_pat| syn::FieldValue { + attrs: vec![], + member: field_pat.member.clone(), + colon_token: field_pat.colon_token, + expr: pat_to_expr(&field_pat.pat), + }) + .collect(), + }) + } + Pat::Verbatim(_) => mk_err("verbatim"), + Pat::Type(pt) => pat_to_expr(pt.pat.as_ref()), + Pat::TupleStruct(_) => mk_err("tuple struct"), + _ => mk_err("unknown"), + } +} + +/// For each argument create an expression that passes this argument along unmodified. +/// +/// Reconstructs structs that may have been deconstructed with patterns. +pub fn exprs_for_args( + args: &syn::punctuated::Punctuated, +) -> impl Iterator + Clone + '_ { + args.iter().map(|arg| match arg { + FnArg::Receiver(_) => Expr::Verbatim(quote!(self)), + FnArg::Typed(typed) => pat_to_expr(&typed.pat), + }) +} + +/// The visitor used by [`is_probably_impl_fn`]. See function documentation for +/// more information. +struct SelfDetector(bool); + +impl<'ast> Visit<'ast> for SelfDetector { + fn visit_ident(&mut self, i: &'ast syn::Ident) { + self.0 |= i == &Ident::from(syn::Token![Self](Span::mixed_site())) + } + + fn visit_receiver(&mut self, _node: &'ast syn::Receiver) { + self.0 = true; + } +} + +/// Try to determine if this function is part of an `impl`. +/// +/// Detects *methods* by the presence of a receiver argument. Heuristically +/// detects *associated functions* by the use of `Self` anywhere. +/// +/// Why do we need this? It's because if we want to call this `fn`, or any other +/// `fn` we generate into the same context we need to use `foo()` or +/// `Self::foo()` respectively depending on whether this is a plain or +/// associated function or Rust will complain. For the contract machinery we +/// need to generate and then call various functions we generate as well as the +/// original contracted function and so we need to determine how to call them +/// correctly. +/// +/// We can only solve this heuristically. The fundamental problem with Rust +/// macros is that they only see the syntax that's given to them and no other +/// context. It is however that context (of an `impl` block) that definitively +/// determines whether the `fn` is a plain function or an associated function. +/// +/// The heuristic itself is flawed, but it's the best we can do. For instance +/// this is perfectly legal +/// +/// ``` +/// struct S; +/// impl S { +/// #[i_want_to_call_you] +/// fn helper(u: usize) -> bool { +/// u < 8 +/// } +/// } +/// ``` +/// +/// This function would have to be called `S::helper()` but to the +/// `#[i_want_to_call_you]` attribute this function looks just like a bare +/// function because it never mentions `self` or `Self`. While this is a rare +/// case, the following is much more likely and suffers from the same problem, +/// because we can't know that `Vec == Self`. +/// +/// ``` +/// impl Vec { +/// fn new() -> Vec { +/// Vec { cap: 0, buf: NonNull::dangling() } +/// } +/// } +/// ``` +/// +/// **Side note:** You may be tempted to suggest that we could try and parse +/// `syn::ImplItemFn` and distinguish that from `syn::ItemFn` to distinguish +/// associated function from plain functions. However parsing in an attribute +/// placed on *any* `fn` will always succeed for *both* `syn::ImplItemFn` and +/// `syn::ItemFn`, thus not letting us distinguish between the two. +pub fn is_probably_impl_fn(fun: &ItemFn) -> bool { + let mut self_detector = SelfDetector(false); + self_detector.visit_item_fn(fun); + self_detector.0 +} + +/// Convert every use of a pattern in this signature to a simple, fresh, binding-only +/// argument ([`syn::PatIdent`]) and return the [`Ident`] that was generated. +pub fn pats_to_idents

( + sig: &mut syn::punctuated::Punctuated, +) -> impl Iterator + '_ { + sig.iter_mut().enumerate().map(|(i, arg)| match arg { + syn::FnArg::Receiver(_) => Ident::from(syn::Token![self](Span::call_site())), + syn::FnArg::Typed(syn::PatType { pat, .. }) => { + let ident = Ident::new(&format!("arg{i}"), Span::mixed_site()); + *pat.as_mut() = syn::Pat::Ident(syn::PatIdent { + attrs: vec![], + by_ref: None, + mutability: None, + ident: ident.clone(), + subpat: None, + }); + ident + } + }) +} + +/// Does the provided path have the same chain of identifiers as `mtch` (match) +/// and no arguments anywhere? +/// +/// So for instance (using some pseudo-syntax for the [`syn::Path`]s) +/// `matches_path(std::vec::Vec, &["std", "vec", "Vec"]) == true` but +/// `matches_path(std::Vec::::contains, &["std", "Vec", "contains"]) != +/// true`. +/// +/// This is intended to be used to match the internal `kanitool` family of +/// attributes which we know to have a regular structure and no arguments. +pub fn matches_path(path: &syn::Path, mtch: &[E]) -> bool +where + Ident: std::cmp::PartialEq, +{ + path.segments.len() == mtch.len() + && path.segments.iter().all(|s| s.arguments.is_empty()) + && path.leading_colon.is_none() + && path.segments.iter().zip(mtch).all(|(actual, expected)| actual.ident == *expected) +} + +pub fn is_token_stream_2_comma(t: &proc_macro2::TokenTree) -> bool { + matches!(t, proc_macro2::TokenTree::Punct(p) if p.as_char() == ',') +} + +pub fn chunks_by<'a, T, C: Default + Extend>( + i: impl IntoIterator + 'a, + mut pred: impl FnMut(&T) -> bool + 'a, +) -> impl Iterator + 'a { + let mut iter = i.into_iter(); + std::iter::from_fn(move || { + let mut new = C::default(); + let mut empty = true; + for tok in iter.by_ref() { + empty = false; + if pred(&tok) { + break; + } else { + new.extend([tok]) + } + } + (!empty).then_some(new) + }) +} + +/// Create a unique hash for a token stream (basically a [`std::hash::Hash`] +/// impl for `proc_macro2::TokenStream`). +fn hash_of_token_stream(hasher: &mut H, stream: proc_macro2::TokenStream) { + use proc_macro2::TokenTree; + use std::hash::Hash; + for token in stream { + match token { + TokenTree::Ident(i) => i.hash(hasher), + TokenTree::Punct(p) => p.as_char().hash(hasher), + TokenTree::Group(g) => { + std::mem::discriminant(&g.delimiter()).hash(hasher); + hash_of_token_stream(hasher, g.stream()); + } + TokenTree::Literal(lit) => lit.to_string().hash(hasher), + } + } +} + +/// Hash this `TokenStream` and return an integer that is at most digits +/// long when hex formatted. +pub fn short_hash_of_token_stream(stream: &proc_macro::TokenStream) -> u64 { + const SIX_HEX_DIGITS_MASK: u64 = 0x1_000_000; + use std::hash::Hasher; + let mut hasher = std::collections::hash_map::DefaultHasher::default(); + hash_of_token_stream(&mut hasher, proc_macro2::TokenStream::from(stream.clone())); + let long_hash = hasher.finish(); + long_hash % SIX_HEX_DIGITS_MASK +} diff --git a/library/kani_macros/src/sysroot/contracts/initialize.rs b/library/kani_macros/src/sysroot/contracts/initialize.rs new file mode 100644 index 000000000000..aee0c21bc82d --- /dev/null +++ b/library/kani_macros/src/sysroot/contracts/initialize.rs @@ -0,0 +1,190 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Initialization routine for the contract handler + +use std::collections::{HashMap, HashSet}; + +use proc_macro::{Diagnostic, TokenStream}; +use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; +use quote::quote; +use syn::{spanned::Spanned, visit::Visit, visit_mut::VisitMut, Expr, ExprClosure, ItemFn}; + +use super::{ + helpers::{chunks_by, is_token_stream_2_comma, matches_path}, + ContractConditionsData, ContractConditionsHandler, ContractConditionsType, + ContractFunctionState, INTERNAL_RESULT_IDENT, +}; + +impl<'a> TryFrom<&'a syn::Attribute> for ContractFunctionState { + type Error = Option; + + /// Find out if this attribute could be describing a "contract handling" + /// state and if so return it. + fn try_from(attribute: &'a syn::Attribute) -> Result { + if let syn::Meta::List(lst) = &attribute.meta { + if matches_path(&lst.path, &["kanitool", "is_contract_generated"]) { + let ident = syn::parse2::(lst.tokens.clone()) + .map_err(|e| Some(lst.span().unwrap().error(format!("{e}"))))?; + let ident_str = ident.to_string(); + return match ident_str.as_str() { + "check" => Ok(Self::Check), + "replace" => Ok(Self::Replace), + "wrapper" => Ok(Self::ModifiesWrapper), + _ => { + Err(Some(lst.span().unwrap().error("Expected `check` or `replace` ident"))) + } + }; + } + } + if let syn::Meta::NameValue(nv) = &attribute.meta { + if matches_path(&nv.path, &["kanitool", "checked_with"]) { + return Ok(ContractFunctionState::Original); + } + } + Err(None) + } +} + +impl ContractFunctionState { + // If we didn't find any other contract handling related attributes we + // assume this function has not been touched by a contract before. + pub fn from_attributes(attributes: &[syn::Attribute]) -> Self { + attributes + .iter() + .find_map(|attr| { + let state = ContractFunctionState::try_from(attr); + if let Err(Some(diag)) = state { + diag.emit(); + None + } else { + state.ok() + } + }) + .unwrap_or(ContractFunctionState::Untouched) + } +} + +impl<'a> ContractConditionsHandler<'a> { + /// Initialize the handler. Constructs the required + /// [`ContractConditionsType`] depending on `is_requires`. + pub fn new( + function_state: ContractFunctionState, + is_requires: ContractConditionsType, + attr: TokenStream, + annotated_fn: &'a mut ItemFn, + attr_copy: TokenStream2, + hash: Option, + ) -> Result { + let mut output = TokenStream2::new(); + let condition_type = match is_requires { + ContractConditionsType::Requires => { + ContractConditionsData::Requires { attr: syn::parse(attr)? } + } + ContractConditionsType::Ensures => { + let mut data: ExprClosure = syn::parse(attr)?; + let argument_names = rename_argument_occurrences(&annotated_fn.sig, &mut data); + let result: Ident = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + let app: Expr = Expr::Verbatim(quote!((#data)(&#result))); + ContractConditionsData::Ensures { argument_names, attr: app } + } + ContractConditionsType::Modifies => { + ContractConditionsData::new_modifies(attr, &mut output) + } + }; + + Ok(Self { function_state, condition_type, annotated_fn, attr_copy, output, hash }) + } +} +impl ContractConditionsData { + /// Constructs a [`Self::Modifies`] from the contents of the decorating attribute. + /// + /// Responsible for parsing the attribute. + fn new_modifies(attr: TokenStream, output: &mut TokenStream2) -> Self { + let attr = chunks_by(TokenStream2::from(attr), is_token_stream_2_comma) + .map(syn::parse2) + .filter_map(|expr| match expr { + Err(e) => { + output.extend(e.into_compile_error()); + None + } + Ok(expr) => Some(expr), + }) + .collect(); + + ContractConditionsData::Modifies { attr } + } +} + +/// A supporting function for creating shallow, unsafe copies of the arguments +/// for the postconditions. +/// +/// This function: +/// - Collects all [`Ident`]s found in the argument patterns; +/// - Creates new names for them; +/// - Replaces all occurrences of those idents in `attrs` with the new names and; +/// - Returns the mapping of old names to new names. +fn rename_argument_occurrences( + sig: &syn::Signature, + attr: &mut ExprClosure, +) -> HashMap { + let mut arg_ident_collector = ArgumentIdentCollector::new(); + arg_ident_collector.visit_signature(&sig); + + let mk_new_ident_for = |id: &Ident| Ident::new(&format!("{}_renamed", id), Span::mixed_site()); + let arg_idents = arg_ident_collector + .0 + .into_iter() + .map(|i| { + let new = mk_new_ident_for(&i); + (i, new) + }) + .collect::>(); + + let mut ident_rewriter = Renamer(&arg_idents); + ident_rewriter.visit_expr_closure_mut(attr); + arg_idents +} + +/// Collect all named identifiers used in the argument patterns of a function. +struct ArgumentIdentCollector(HashSet); + +impl ArgumentIdentCollector { + fn new() -> Self { + Self(HashSet::new()) + } +} + +impl<'ast> Visit<'ast> for ArgumentIdentCollector { + fn visit_pat_ident(&mut self, i: &'ast syn::PatIdent) { + self.0.insert(i.ident.clone()); + syn::visit::visit_pat_ident(self, i) + } + fn visit_receiver(&mut self, _: &'ast syn::Receiver) { + self.0.insert(Ident::new("self", proc_macro2::Span::call_site())); + } +} + +/// Applies the contained renaming (key renamed to value) to every ident pattern +/// and ident expr visited. +struct Renamer<'a>(&'a HashMap); + +impl<'a> VisitMut for Renamer<'a> { + fn visit_expr_path_mut(&mut self, i: &mut syn::ExprPath) { + if i.path.segments.len() == 1 { + i.path + .segments + .first_mut() + .and_then(|p| self.0.get(&p.ident).map(|new| p.ident = new.clone())); + } + } + + /// This restores shadowing. Without this we would rename all ident + /// occurrences, but not rebinding location. This is because our + /// [`Self::visit_expr_path_mut`] is scope-unaware. + fn visit_pat_ident_mut(&mut self, i: &mut syn::PatIdent) { + if let Some(new) = self.0.get(&i.ident) { + i.ident = new.clone(); + } + } +} diff --git a/library/kani_macros/src/sysroot/contracts/mod.rs b/library/kani_macros/src/sysroot/contracts/mod.rs new file mode 100644 index 000000000000..7a25cc390100 --- /dev/null +++ b/library/kani_macros/src/sysroot/contracts/mod.rs @@ -0,0 +1,437 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Implementation of the function contracts code generation. +//! +//! The most exciting part is the handling of `requires` and `ensures`, the main +//! entry point to which is [`requires_ensures_main`]. Most of the code +//! generation for that is implemented on [`ContractConditionsHandler`] with +//! [`ContractFunctionState`] steering the code generation. The function state +//! implements a state machine in order to be able to handle multiple attributes +//! on the same function correctly. +//! +//! ## How the handling for `requires` and `ensures` works. +//! +//! Our aim is to generate a "check" function that can be used to verify the +//! validity of the contract and a "replace" function that can be used as a +//! stub, generated from the contract that can be used instead of the original +//! function. +//! +//! Let me first introduce the constraints which we are operating under to +//! explain why we need the somewhat involved state machine to achieve this. +//! +//! Proc-macros are expanded one-at-a-time, outside-in and they can also be +//! renamed. Meaning the user can do `use kani::requires as precondition` and +//! then use `precondition` everywhere. We want to support this functionality +//! instead of throwing a hard error but this means we cannot detect if a given +//! function has further contract attributes placed on it during any given +//! expansion. As a result every expansion needs to leave the code in a valid +//! state that could be used for all contract functionality but it must alow +//! further contract attributes to compose with what was already generated. In +//! addition we also want to make sure to support non-contract attributes on +//! functions with contracts. +//! +//! To this end we use a state machine. The initial state is an "untouched" +//! function with possibly multiple contract attributes, none of which have been +//! expanded. When we expand the first (outermost) `requires` or `ensures` +//! attribute on such a function we re-emit the function unchanged but we also +//! generate fresh "check" and "replace" functions that enforce the condition +//! carried by the attribute currently being expanded. +//! +//! We don't copy all attributes from the original function since they may have +//! unintended consequences for the stubs, such as `inline` or `rustc_diagnostic_item`. +//! +//! We also add new marker attributes to +//! advance the state machine. The "check" function gets a +//! `kanitool::is_contract_generated(check)` attributes and analogous for +//! replace. The re-emitted original meanwhile is decorated with +//! `kanitool::checked_with(name_of_generated_check_function)` and an analogous +//! `kanittool::replaced_with` attribute also. The next contract attribute that +//! is expanded will detect the presence of these markers in the attributes of +//! the item and be able to determine their position in the state machine this +//! way. If the state is either a "check" or "replace" then the body of the +//! function is augmented with the additional conditions carried by the macro. +//! If the state is the "original" function, no changes are performed. +//! +//! We place marker attributes at the bottom of the attribute stack (innermost), +//! otherwise they would not be visible to the future macro expansions. +//! +//! Below you can see a graphical rendering where boxes are states and each +//! arrow represents the expansion of a `requires` or `ensures` macro. +//! +//! ```plain +//! │ Start +//! ▼ +//! ┌───────────┐ +//! │ Untouched │ +//! │ Function │ +//! └─────┬─────┘ +//! │ +//! Emit │ Generate + Copy Attributes +//! ┌─────────────────┴─────┬──────────┬─────────────────┐ +//! │ │ │ │ +//! │ │ │ │ +//! ▼ ▼ ▼ ▼ +//! ┌──────────┐ ┌───────────┐ ┌───────┐ ┌─────────┐ +//! │ Original │◄─┐ │ Recursion │ │ Check │◄─┐ │ Replace │◄─┐ +//! └──┬───────┘ │ │ Wrapper │ └───┬───┘ │ └────┬────┘ │ +//! │ │ Ignore └───────────┘ │ │ Augment │ │ Augment +//! └──────────┘ └──────┘ └───────┘ +//! +//! │ │ │ │ +//! └───────────────┘ └─────────────────────────────────────────────┘ +//! +//! Presence of Presence of +//! "checked_with" "is_contract_generated" +//! +//! State is detected via +//! ``` +//! +//! All named arguments of the annotated function are unsafely shallow-copied +//! with the `kani::internal::untracked_deref` function to circumvent the borrow checker +//! for postconditions. The case where this is relevant is if you want to return +//! a mutable borrow from the function which means any immutable borrow in the +//! postcondition would be illegal. We must ensure that those copies are not +//! dropped (causing a double-free) so after the postconditions we call +//! `mem::forget` on each copy. +//! +//! ## Check function +//! +//! Generates a `_check_` function that assumes preconditions +//! and asserts postconditions. The check function is also marked as generated +//! with the `#[kanitool::is_contract_generated(check)]` attribute. +//! +//! Decorates the original function with `#[kanitool::checked_by = +//! "_check_"]`. +//! +//! The check function is a copy of the original function with preconditions +//! added before the body and postconditions after as well as injected before +//! every `return` (see [`PostconditionInjector`]). Attributes on the original +//! function are also copied to the check function. +//! +//! ## Replace Function +//! +//! As the mirror to that also generates a `_replace_` +//! function that asserts preconditions and assumes postconditions. The replace +//! function is also marked as generated with the +//! `#[kanitool::is_contract_generated(replace)]` attribute. +//! +//! Decorates the original function with `#[kanitool::replaced_by = +//! "_replace_"]`. +//! +//! The replace function has the same signature as the original function but its +//! body is replaced by `kani::any()`, which generates a non-deterministic +//! value. +//! +//! ## Inductive Verification +//! +//! To efficiently check recursive functions we verify them inductively. To +//! be able to do this we need both the check and replace functions we have seen +//! before. +//! +//! Inductive verification is comprised of a hypothesis and an induction step. +//! The hypothesis in this case is the replace function. It represents the +//! assumption that the contracts holds if the preconditions are satisfied. The +//! induction step is the check function, which ensures that the contract holds, +//! assuming the preconditions hold. +//! +//! Since the induction revolves around the recursive call we can simply set it +//! up upon entry into the body of the function under verification. We use a +//! global variable that tracks whether we are re-entering the function +//! recursively and starts off as `false`. On entry to the function we flip the +//! variable to `true` and dispatch to the check (induction step). If the check +//! recursively calls our function our re-entry tracker now reads `true` and we +//! dispatch to the replacement (application of induction hypothesis). Because +//! the replacement function only checks the conditions and does not perform +//! other computation we will only ever go "one recursion level deep", making +//! inductive verification very efficient. Once the check function returns we +//! flip the tracker variable back to `false` in case the function is called +//! more than once in its harness. +//! +//! To facilitate all this we generate a `_recursion_wrapper_` +//! function with the following shape: +//! +//! ```ignored +//! fn recursion_wrapper_...(fn args ...) { +//! static mut REENTRY: bool = false; +//! +//! if unsafe { REENTRY } { +//! call_replace(fn args...) +//! } else { +//! unsafe { reentry = true }; +//! let result_kani_internal = call_check(fn args...); +//! unsafe { reentry = false }; +//! result_kani_internal +//! } +//! } +//! ``` +//! +//! We register this function as `#[kanitool::checked_with = +//! "recursion_wrapper_..."]` instead of the check function. +//! +//! # Complete example +//! +//! ``` +//! #[kani::requires(divisor != 0)] +//! #[kani::ensures(|result : &u32| *result <= dividend)] +//! fn div(dividend: u32, divisor: u32) -> u32 { +//! dividend / divisor +//! } +//! ``` +//! +//! Turns into +//! +//! ``` +//! #[kanitool::checked_with = "div_recursion_wrapper_965916"] +//! #[kanitool::replaced_with = "div_replace_965916"] +//! fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } +//! +//! #[allow(dead_code, unused_variables)] +//! #[kanitool :: is_contract_generated(check)] fn +//! div_check_b97df2(dividend : u32, divisor : u32) -> u32 +//! { +//! let dividend_renamed = kani::internal::untracked_deref(& dividend); +//! let divisor_renamed = kani::internal::untracked_deref(& divisor); +//! kani::assume(divisor != 0); +//! let result_kani_internal : u32 = div_wrapper_b97df2(dividend, divisor); +//! kani::assert( +//! (| result : & u32 | *result <= dividend_renamed)(& result_kani_internal), +//! stringify!(|result : &u32| *result <= dividend)); +//! std::mem::forget(dividend_renamed); +//! std::mem::forget(divisor_renamed); +//! result_kani_internal +//! } +//! +//! #[allow(dead_code, unused_variables)] +//! #[kanitool :: is_contract_generated(replace)] fn +//! div_replace_b97df2(dividend : u32, divisor : u32) -> u32 +//! { +//! let divisor_renamed = kani::internal::untracked_deref(& divisor); +//! let dividend_renamed = kani::internal::untracked_deref(& dividend); +//! kani::assert(divisor != 0, stringify! (divisor != 0)); +//! let result_kani_internal : u32 = kani::any_modifies(); +//! kani::assume( +//! (|result : & u32| *result <= dividend_renamed)(&result_kani_internal)); +//! std::mem::forget(divisor_renamed); +//! std::mem::forget(dividend_renamed); +//! result_kani_internal +//! } +//! +//! #[allow(dead_code)] +//! #[allow(unused_variables)] +//! #[kanitool::is_contract_generated(recursion_wrapper)] +//! fn div_recursion_wrapper_965916(dividend: u32, divisor: u32) -> u32 { +//! static mut REENTRY: bool = false; +//! +//! if unsafe { REENTRY } { +//! div_replace_b97df2(dividend, divisor) +//! } else { +//! unsafe { reentry = true }; +//! let result_kani_internal = div_check_b97df2(dividend, divisor); +//! unsafe { reentry = false }; +//! result_kani_internal +//! } +//! } +//! ``` + +use proc_macro::TokenStream; +use proc_macro2::{Ident, TokenStream as TokenStream2}; +use quote::{quote, ToTokens}; +use std::collections::HashMap; +use syn::{parse_macro_input, Expr, ItemFn}; + +mod bootstrap; +mod check; +mod helpers; +mod initialize; +mod replace; +mod shared; + +const INTERNAL_RESULT_IDENT: &str = "result_kani_internal"; + +pub fn requires(attr: TokenStream, item: TokenStream) -> TokenStream { + contract_main(attr, item, ContractConditionsType::Requires) +} + +pub fn ensures(attr: TokenStream, item: TokenStream) -> TokenStream { + contract_main(attr, item, ContractConditionsType::Ensures) +} + +pub fn modifies(attr: TokenStream, item: TokenStream) -> TokenStream { + contract_main(attr, item, ContractConditionsType::Modifies) +} + +/// This is very similar to the kani_attribute macro, but it instead creates +/// key-value style attributes which I find a little easier to parse. +macro_rules! passthrough { + ($name:ident, $allow_dead_code:ident) => { + pub fn $name(attr: TokenStream, item: TokenStream) -> TokenStream { + let args = proc_macro2::TokenStream::from(attr); + let fn_item = proc_macro2::TokenStream::from(item); + let name = Ident::new(stringify!($name), proc_macro2::Span::call_site()); + let extra_attrs = if $allow_dead_code { + quote!(#[allow(dead_code)]) + } else { + quote!() + }; + quote!( + #extra_attrs + #[kanitool::#name = stringify!(#args)] + #fn_item + ) + .into() + } + } +} + +passthrough!(stub_verified, false); + +pub fn proof_for_contract(attr: TokenStream, item: TokenStream) -> TokenStream { + let args = proc_macro2::TokenStream::from(attr); + let ItemFn { attrs, vis, sig, block } = parse_macro_input!(item as ItemFn); + quote!( + #[allow(dead_code)] + #[kanitool::proof_for_contract = stringify!(#args)] + #(#attrs)* + #vis #sig { + kani::internal::init_contracts(); + #block + } + ) + .into() +} + +/// Classifies the state a function is in in the contract handling pipeline. +#[derive(Clone, Copy, PartialEq, Eq)] +enum ContractFunctionState { + /// This is the original code, re-emitted from a contract attribute. + Original, + /// This is the first time a contract attribute is evaluated on this + /// function. + Untouched, + /// This is a check function that was generated from a previous evaluation + /// of a contract attribute. + Check, + /// This is a replace function that was generated from a previous evaluation + /// of a contract attribute. + Replace, + ModifiesWrapper, +} + +/// The information needed to generate the bodies of check and replacement +/// functions that integrate the conditions from this contract attribute. +struct ContractConditionsHandler<'a> { + function_state: ContractFunctionState, + /// Information specific to the type of contract attribute we're expanding. + condition_type: ContractConditionsData, + /// Body of the function this attribute was found on. + annotated_fn: &'a mut ItemFn, + /// An unparsed, unmodified copy of `attr`, used in the error messages. + attr_copy: TokenStream2, + /// The stream to which we should write the generated code. + output: TokenStream2, + hash: Option, +} + +/// Which kind of contract attribute are we dealing with? +/// +/// Pre-parsing version of [`ContractConditionsData`]. +#[derive(Copy, Clone, Eq, PartialEq)] +enum ContractConditionsType { + Requires, + Ensures, + Modifies, +} + +/// Clause-specific information mostly generated by parsing the attribute. +/// +/// [`ContractConditionsType`] is the corresponding pre-parse version. +enum ContractConditionsData { + Requires { + /// The contents of the attribute. + attr: Expr, + }, + Ensures { + /// Translation map from original argument names to names of the copies + /// we will be emitting. + argument_names: HashMap, + /// The contents of the attribute. + attr: Expr, + }, + Modifies { + attr: Vec, + }, +} + +impl<'a> ContractConditionsHandler<'a> { + /// Handle the contract state and return the generated code + fn dispatch_on(mut self, state: ContractFunctionState) -> TokenStream2 { + match state { + ContractFunctionState::ModifiesWrapper => self.emit_augmented_modifies_wrapper(), + ContractFunctionState::Check => { + // The easy cases first: If we are on a check or replace function + // emit them again but with additional conditions layered on. + // + // Since we are already on the check function, it will have an + // appropriate, unique generated name which we are just going to + // pass on. + self.emit_check_function(None); + } + ContractFunctionState::Replace => { + // Analogous to above + self.emit_replace_function(None); + } + ContractFunctionState::Original => { + unreachable!("Impossible: This is handled via short circuiting earlier.") + } + ContractFunctionState::Untouched => self.handle_untouched(), + } + self.output + } +} + +/// The main meat of handling requires/ensures contracts. +/// +/// See the [module level documentation][self] for a description of how the code +/// generation works. +fn contract_main( + attr: TokenStream, + item: TokenStream, + is_requires: ContractConditionsType, +) -> TokenStream { + let attr_copy = TokenStream2::from(attr.clone()); + + let item_stream_clone = item.clone(); + let mut item_fn = parse_macro_input!(item as ItemFn); + + let function_state = ContractFunctionState::from_attributes(&item_fn.attrs); + + if matches!(function_state, ContractFunctionState::Original) { + // If we're the original function that means we're *not* the first time + // that a contract attribute is handled on this function. This means + // there must exist a generated check function somewhere onto which the + // attributes have been copied and where they will be expanded into more + // checks. So we just return ourselves unchanged. + // + // Since this is the only function state case that doesn't need a + // handler to be constructed, we do this match early, separately. + return item_fn.into_token_stream().into(); + } + + let hash = matches!(function_state, ContractFunctionState::Untouched) + .then(|| helpers::short_hash_of_token_stream(&item_stream_clone)); + + let handler = match ContractConditionsHandler::new( + function_state, + is_requires, + attr, + &mut item_fn, + attr_copy, + hash, + ) { + Ok(handler) => handler, + Err(e) => return e.into_compile_error().into(), + }; + + handler.dispatch_on(function_state).into() +} diff --git a/library/kani_macros/src/sysroot/contracts/replace.rs b/library/kani_macros/src/sysroot/contracts/replace.rs new file mode 100644 index 000000000000..1a84e40523c2 --- /dev/null +++ b/library/kani_macros/src/sysroot/contracts/replace.rs @@ -0,0 +1,162 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Logic used for generating the code that replaces a function with its contract. + +use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; +use quote::quote; + +use super::{ + helpers::*, + shared::{make_unsafe_argument_copies, try_as_result_assign}, + ContractConditionsData, ContractConditionsHandler, INTERNAL_RESULT_IDENT, +}; + +impl<'a> ContractConditionsHandler<'a> { + /// Split an existing replace body of the form + /// + /// ```ignore + /// // multiple preconditions and argument copies like like + /// kani::assert(.. precondition); + /// let arg_name = kani::internal::untracked_deref(&arg_value); + /// // single result havoc + /// let result : ResultType = kani::any(); + /// + /// // multiple argument havockings + /// *unsafe { kani::internal::Pointer::assignable(argument) } = kani::any(); + /// // multiple postconditions + /// kani::assume(postcond); + /// // multiple argument copy (used in postconditions) cleanups + /// std::mem::forget(arg_name); + /// // single return + /// result + /// ``` + /// + /// Such that the first vector contains everything up to and including the single result havoc + /// and the second one the rest, excluding the return. + /// + /// If this is the first time we're emitting replace we create the return havoc and nothing else. + fn ensure_bootstrapped_replace_body(&self) -> (Vec, Vec) { + if self.is_first_emit() { + let return_type = return_type_to_type(&self.annotated_fn.sig.output); + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + (vec![syn::parse_quote!(let #result : #return_type = kani::any_modifies();)], vec![]) + } else { + let stmts = &self.annotated_fn.block.stmts; + let idx = stmts + .iter() + .enumerate() + .find_map(|(i, elem)| is_replace_return_havoc(elem).then_some(i)) + .unwrap_or_else(|| { + panic!("ICE: Could not find result let binding in statement sequence") + }); + // We want the result assign statement to end up as the last statement in the first + // vector, hence the `+1`. + let (before, after) = stmts.split_at(idx + 1); + (before.to_vec(), after.split_last().unwrap().1.to_vec()) + } + } + + /// Create the body of a stub for this contract. + /// + /// Wraps the conditions from this attribute around a prior call. If + /// `use_nondet_result` is `true` we will use `kani::any()` to create a + /// result, otherwise whatever the `body` of our annotated function was. + /// + /// `use_nondet_result` will only be true if this is the first time we are + /// generating a replace function. + fn make_replace_body(&self) -> TokenStream2 { + let (before, after) = self.ensure_bootstrapped_replace_body(); + + match &self.condition_type { + ContractConditionsData::Requires { attr } => { + let Self { attr_copy, .. } = self; + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + quote!( + kani::assert(#attr, stringify!(#attr_copy)); + #(#before)* + #(#after)* + #result + ) + } + ContractConditionsData::Ensures { attr, argument_names } => { + let (arg_copies, copy_clean) = make_unsafe_argument_copies(&argument_names); + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + quote!( + #arg_copies + #(#before)* + #(#after)* + kani::assume(#attr); + #copy_clean + #result + ) + } + ContractConditionsData::Modifies { attr } => { + let result = Ident::new(INTERNAL_RESULT_IDENT, Span::call_site()); + quote!( + #(#before)* + #(*unsafe { kani::internal::Pointer::assignable(#attr) } = kani::any_modifies();)* + #(#after)* + #result + ) + } + } + } + + /// Emit the replace funtion into the output stream. + /// + /// See [`Self::make_replace_body`] for the most interesting parts of this + /// function. + pub fn emit_replace_function(&mut self, override_function_ident: Option) { + self.emit_common_header(); + + if self.function_state.emit_tag_attr() { + // If it's the first time we also emit this marker. Again, order is + // important so this happens as the last emitted attribute. + self.output.extend(quote!(#[kanitool::is_contract_generated(replace)])); + } + let mut sig = self.annotated_fn.sig.clone(); + // We use non-constant functions, thus, the wrapper cannot be constant. + sig.constness = None; + let body = self.make_replace_body(); + if let Some(ident) = override_function_ident { + sig.ident = ident; + } + + // Finally emit the check function itself. + self.output.extend(quote!( + #sig { + #body + } + )); + } +} + +/// Is this statement `let result_kani_internal : <...> = kani::any_modifies();`. +fn is_replace_return_havoc(stmt: &syn::Stmt) -> bool { + let Some(syn::LocalInit { diverge: None, expr: e, .. }) = try_as_result_assign(stmt) else { + return false; + }; + + matches!( + e.as_ref(), + syn::Expr::Call(syn::ExprCall { + func, + args, + .. + }) + if args.is_empty() + && matches!( + func.as_ref(), + syn::Expr::Path(syn::ExprPath { + qself: None, + path, + attrs, + }) + if path.segments.len() == 2 + && path.segments[0].ident == "kani" + && path.segments[1].ident == "any_modifies" + && attrs.is_empty() + ) + ) +} diff --git a/library/kani_macros/src/sysroot/contracts/shared.rs b/library/kani_macros/src/sysroot/contracts/shared.rs new file mode 100644 index 000000000000..bf204e6bca32 --- /dev/null +++ b/library/kani_macros/src/sysroot/contracts/shared.rs @@ -0,0 +1,178 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Logic that is shared between [`super::initialize`], [`super::check`] and +//! [`super::replace`]. +//! +//! This is so we can keep [`super`] distraction-free as the definitions of data +//! structures and the entry point for contract handling. + +use std::collections::HashMap; + +use proc_macro2::{Ident, Span, TokenStream as TokenStream2}; +use quote::{quote, ToTokens}; +use syn::Attribute; + +use super::{ContractConditionsHandler, ContractFunctionState, INTERNAL_RESULT_IDENT}; + +impl ContractFunctionState { + /// Do we need to emit the `is_contract_generated` tag attribute on the + /// generated function(s)? + pub fn emit_tag_attr(self) -> bool { + matches!(self, ContractFunctionState::Untouched) + } +} + +impl<'a> ContractConditionsHandler<'a> { + pub fn is_first_emit(&self) -> bool { + matches!(self.function_state, ContractFunctionState::Untouched) + } + + /// Create a new name for the assigns wrapper function *or* get the name of + /// the wrapper we must have already generated. This is so that we can + /// recognize a call to that wrapper inside the check function. + pub fn make_wrapper_name(&self) -> Ident { + if let Some(hash) = self.hash { + identifier_for_generated_function(&self.annotated_fn.sig.ident, "wrapper", hash) + } else { + let str_name = self.annotated_fn.sig.ident.to_string(); + let splits = str_name.rsplitn(3, '_').collect::>(); + let [hash, _, base] = splits.as_slice() else { + unreachable!("Odd name for function {str_name}, splits were {}", splits.len()); + }; + + Ident::new(&format!("{base}_wrapper_{hash}"), Span::call_site()) + } + } + + /// Emit attributes common to check or replace function into the output + /// stream. + pub fn emit_common_header(&mut self) { + if self.function_state.emit_tag_attr() { + self.output.extend(quote!( + #[allow(dead_code, unused_variables, unused_mut)] + )); + } + + #[cfg(not(feature = "no_core"))] + self.output.extend(self.annotated_fn.attrs.iter().flat_map(Attribute::to_token_stream)); + + // When verifying core and standard library, we need to add an unstable attribute to + // the functions generated by Kani. + // We also need to filter `rustc_diagnostic_item` attribute. + // We should consider a better strategy than just duplicating all attributes. + #[cfg(feature = "no_core")] + { + self.output.extend(quote!( + #[unstable(feature="kani", issue="none")] + )); + self.output.extend( + self.annotated_fn + .attrs + .iter() + .filter(|attr| { + if let Some(ident) = attr.path().get_ident() { + let name = ident.to_string(); + !name.starts_with("rustc") + && !(name == "stable") + && !(name == "unstable") + } else { + true + } + }) + .flat_map(Attribute::to_token_stream), + ); + } + } +} + +/// Makes consistent names for a generated function which was created for +/// `purpose`, from an attribute that decorates `related_function` with the +/// hash `hash`. +pub fn identifier_for_generated_function( + related_function_name: &Ident, + purpose: &str, + hash: u64, +) -> Ident { + let identifier = format!("{}_{purpose}_{hash:x}", related_function_name); + Ident::new(&identifier, proc_macro2::Span::mixed_site()) +} + +/// We make shallow copies of the argument for the postconditions in both +/// `requires` and `ensures` clauses and later clean them up. +/// +/// This function creates the code necessary to both make the copies (first +/// tuple elem) and to clean them (second tuple elem). +pub fn make_unsafe_argument_copies( + renaming_map: &HashMap, +) -> (TokenStream2, TokenStream2) { + let arg_names = renaming_map.values(); + let also_arg_names = renaming_map.values(); + let arg_values = renaming_map.keys(); + ( + quote!(#(let #arg_names = kani::internal::untracked_deref(&#arg_values);)*), + #[cfg(not(feature = "no_core"))] + quote!(#(std::mem::forget(#also_arg_names);)*), + #[cfg(feature = "no_core")] + quote!(#(core::mem::forget(#also_arg_names);)*), + ) +} + +/// Used as the "single source of truth" for [`try_as_result_assign`] and [`try_as_result_assign_mut`] +/// since we can't abstract over mutability. Input is the object to match on and the name of the +/// function used to convert an `Option` into the result type (e.g. `as_ref` and `as_mut` +/// respectively). +/// +/// We start with a `match` as a top-level here, since if we made this a pattern macro (the "clean" +/// thing to do) then we cant use the `if` inside there which we need because box patterns are +/// unstable. +macro_rules! try_as_result_assign_pat { + ($input:expr, $convert:ident) => { + match $input { + syn::Stmt::Local(syn::Local { + pat: syn::Pat::Type(syn::PatType { + pat: inner_pat, + attrs, + .. + }), + init, + .. + }) if attrs.is_empty() + && matches!( + inner_pat.as_ref(), + syn::Pat::Ident(syn::PatIdent { + by_ref: None, + mutability: None, + ident: result_ident, + subpat: None, + .. + }) if result_ident == INTERNAL_RESULT_IDENT + ) => init.$convert(), + _ => None, + } + }; +} + +/// Try to parse this statement as `let result : <...> = ;` and return `init`. +/// +/// This is the shape of statement we create in replace functions to havoc (with `init` being +/// `kani::any()`) and we need to recognize it for when we edit the replace function and integrate +/// additional conditions. +/// +/// It's a thin wrapper around [`try_as_result_assign_pat!`] to create an immutable match. +pub fn try_as_result_assign(stmt: &syn::Stmt) -> Option<&syn::LocalInit> { + try_as_result_assign_pat!(stmt, as_ref) +} + +/// Try to parse this statement as `let result : <...> = ;` and return a mutable reference to +/// `init`. +/// +/// This is the shape of statement we create in check functions (with `init` being a call to check +/// function with additional pointer arguments for the `modifies` clause) and we need to recognize +/// it to then edit this call if we find another `modifies` clause and add its additional arguments. +/// additional conditions. +/// +/// It's a thin wrapper around [`try_as_result_assign_pat!`] to create a mutable match. +pub fn try_as_result_assign_mut(stmt: &mut syn::Stmt) -> Option<&mut syn::LocalInit> { + try_as_result_assign_pat!(stmt, as_mut) +} diff --git a/library/std/Cargo.toml b/library/std/Cargo.toml index b37ea4de7d4c..fcc2739dc606 100644 --- a/library/std/Cargo.toml +++ b/library/std/Cargo.toml @@ -5,7 +5,7 @@ # Note: this package is intentionally named std to make sure the names of # standard library symbols are preserved name = "std" -version = "0.45.0" +version = "0.52.0" edition = "2021" license = "MIT OR Apache-2.0" publish = false diff --git a/library/std/src/lib.rs b/library/std/src/lib.rs index 37e0e5a21518..3f8427ffff13 100644 --- a/library/std/src/lib.rs +++ b/library/std/src/lib.rs @@ -135,14 +135,14 @@ macro_rules! eprint { #[cfg(not(feature = "concrete_playback"))] #[macro_export] macro_rules! println { - () => { }; + () => { $crate::print!("\n") }; ($($x:tt)*) => {{ let _ = format_args!($($x)*); }}; } #[cfg(not(feature = "concrete_playback"))] #[macro_export] macro_rules! eprintln { - () => { }; + () => { $crate::eprint!("\n") }; ($($x:tt)*) => {{ let _ = format_args!($($x)*); }}; } diff --git a/rfc/src/rfcs/0003-cover-statement.md b/rfc/src/rfcs/0003-cover-statement.md index 6839af22f929..de452654392b 100644 --- a/rfc/src/rfcs/0003-cover-statement.md +++ b/rfc/src/rfcs/0003-cover-statement.md @@ -1,8 +1,8 @@ - **Feature Name:** Cover statement (`cover-statement`) - **Feature Request Issue:** - **RFC PR:** -- **Status:** Unstable -- **Version:** 1 +- **Status:** Stable +- **Version:** 2 ------------------- @@ -138,8 +138,12 @@ However, if the condition can indeed be covered, verification would fail due to ## Open questions -Should we allow format arguments in the macro, e.g. `kani::cover!(x > y, "{} can be greater than {}", x, y)`? -Users may expect this to be supported since the macro looks similar to the `assert` macro, but Kani doesn't include the formatted string in the message description, since it's not available at compile time. +- ~Should we allow format arguments in the macro, e.g. `kani::cover!(x > y, "{} can be greater than {}", x, y)`? +Users may expect this to be supported since the macro looks similar to the `assert` macro, but Kani doesn't include the formatted string in the message description, since it's not available at compile time.~ + - For now, this macro will not accept format arguments, since this + is not well handled by Kani. + This is an extesion to this API that can be easily added later on if Kani + ever supports runtime formatting. ## Other Considerations diff --git a/rfc/src/rfcs/0009-function-contracts.md b/rfc/src/rfcs/0009-function-contracts.md index e26592080822..deeeca66ab7a 100644 --- a/rfc/src/rfcs/0009-function-contracts.md +++ b/rfc/src/rfcs/0009-function-contracts.md @@ -1,8 +1,8 @@ - **Feature Name:** Function Contracts - **Feature Request Issue:** [#2652](https://github.com/model-checking/kani/issues/2652) and [Milestone](https://github.com/model-checking/kani/milestone/31) - **RFC PR:** [#2620](https://github.com/model-checking/kani/pull/2620) -- **Status:** Under Review -- **Version:** 0 +- **Status:** Unstable +- **Version:** 1 - **Proof-of-concept:** [features/contracts](https://github.com/model-checking/kani/tree/features/contracts) - **Feature Gate:** `-Zfunction-contracts`, enforced by compile time error[^gate] @@ -65,7 +65,7 @@ fn my_div(dividend: u32, divisor: u32) -> u32 { ```rs #[kani::requires(divisor != 0)] - #[kani::ensures(result <= dividend)] + #[kani::ensures(|result : &u32| *result <= dividend)] fn my_div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } @@ -79,8 +79,7 @@ fn my_div(dividend: u32, divisor: u32) -> u32 { Conditions in contracts are Rust expressions which reference the function arguments and, in case of `ensures`, the return value of the - function. The return value is a special variable called `result` (see [open - questions](#open-questions) on a discussion about (re)naming). Syntactically + function. The return value is passed into the ensures closure statement by reference. Syntactically Kani supports any Rust expression, including function calls, defining types etc. However they must be side-effect free (see also side effects [here](#changes-to-other-components)) or Kani will throw a compile error. @@ -132,8 +131,8 @@ fn my_div(dividend: u32, divisor: u32) -> u32 { let dividend = kani::any(); let divisor = kani::any(); kani::assume(divisor != 0); // requires - let result = my_div(dividend, divisor); - kani::assert(result <= dividend); // ensures + let result_kani_internal = my_div(dividend, divisor); + kani::assert((|result : &u32| *result <= dividend)(result_kani_internal)); // ensures } ``` @@ -306,7 +305,7 @@ available to `ensures`. It is used like so: ```rs impl Vec { - #[kani::ensures(old(self.is_empty()) || result.is_some())] + #[kani::ensures(|result : &Option| old(self.is_empty()) || result.is_some())] fn pop(&mut self) -> Option { ... } @@ -324,8 +323,8 @@ Note also that `old` is syntax, not a function and implemented as an extraction and lifting during code generation. It can reference e.g. `pop`'s arguments but not local variables. Compare the following -**Invalid ❌:** `#[kani::ensures({ let x = self.is_empty(); old(x) } || result.is_some())]`
-**Valid ✅:** `#[kani::ensures(old({ let x = self.is_empty(); x }) || result.is_some())]` +**Invalid ❌:** `#[kani::ensures(|result : &Option| { let x = self.is_empty(); old(x) } || result.is_some())]`
+**Valid ✅:** `#[kani::ensures(|result : &Option| old({ let x = self.is_empty(); x }) || result.is_some())]` And it will only be recognized as `old(...)`, not as `let old1 = old; old1(...)` etc. @@ -410,7 +409,7 @@ the below example: ```rs impl Vec { - #[kani::ensures(self.is_empty() || self.len() == old(self.len()) - 1)] + #[kani::ensures(|result : &Option| self.is_empty() || self.len() == old(self.len()) - 1)] fn pop(&mut self) -> Option { ... } @@ -425,8 +424,8 @@ following: impl Vec { fn check_pop(&mut self) -> Option { let old_1 = self.len(); - let result = Self::pop(self); - kani::assert(self.is_empty() || self.len() == old_1 - 1) + let result_kani_internal = Self::pop(self); + kani::assert((|result : &Option| self.is_empty() || self.len() == old_1 - 1)(result_kani_internal)) } } ``` @@ -450,7 +449,7 @@ sensible contract for it might look as follows: ```rs impl Vec { - #[ensures(self.len() == result.0.len() + result.1.len())] + #[ensures(|result : &(&mut [T], &mut [T])| self.len() == result.0.len() + result.1.len())] fn split_at_mut(&mut self, i: usize) -> (&mut [T], &mut [T]) { ... } @@ -893,4 +892,5 @@ times larger than what they expect the function will touch). [^stubcheck]: Kani cannot report the occurrence of a contract function to check in abstracted functions as errors, because the mechanism is needed to verify - mutually recursive functions. \ No newline at end of file + mutually recursive functions. + diff --git a/rust-toolchain.toml b/rust-toolchain.toml index 2914c0609c1a..ce876507640a 100644 --- a/rust-toolchain.toml +++ b/rust-toolchain.toml @@ -2,5 +2,5 @@ # SPDX-License-Identifier: Apache-2.0 OR MIT [toolchain] -channel = "nightly-2024-01-17" -components = ["llvm-tools-preview", "rustc-dev", "rust-src", "rustfmt"] +channel = "nightly-2024-06-18" +components = ["llvm-tools", "rustc-dev", "rust-src", "rustfmt"] diff --git a/rustfmt.toml b/rustfmt.toml index 32ff2d638c56..95988ef7f52a 100644 --- a/rustfmt.toml +++ b/rustfmt.toml @@ -15,5 +15,4 @@ ignore = [ # For some reason, this is not working without the directory wildcard. "**/firecracker", "**/tests/perf/s2n-quic/", - "**/tools/bookrunner/rust-doc/", ] diff --git a/scripts/build-docs.sh b/scripts/build-docs.sh index 3400e2849b53..2e2c10b052f6 100755 --- a/scripts/build-docs.sh +++ b/scripts/build-docs.sh @@ -28,37 +28,18 @@ else curl -sSL -o "$FILE" "$URL" echo "$EXPECTED_HASH $FILE" | sha256sum -c - tar zxf $FILE + MDBOOK=${SCRIPT_DIR}/mdbook + else + MDBOOK=mdbook fi - MDBOOK=${SCRIPT_DIR}/mdbook fi -# Publish bookrunner report into our documentation KANI_DIR=$SCRIPT_DIR/.. DOCS_DIR=$KANI_DIR/docs RFC_DIR=$KANI_DIR/rfc -HTML_DIR=$KANI_DIR/build/output/latest/html/ cd $DOCS_DIR -if [ -d $HTML_DIR ]; then - # Litani run is copied into `src` to avoid deletion by `mdbook` - cp -r $HTML_DIR src/bookrunner/ - # Replace artifacts by examples under test - BOOKS_DIR=$KANI_DIR/tests/bookrunner/books - rm -r src/bookrunner/artifacts - # Remove any json files that Kani might've left behind due to crash or timeout. - find $BOOKS_DIR -name '*.json' -exec rm {} \; - find $BOOKS_DIR -name '*.out' -exec rm {} \; - cp -r $BOOKS_DIR src/bookrunner/artifacts - # Update paths in HTML report - python $KANI_DIR/scripts/ci/update_bookrunner_report.py src/bookrunner/index.html new_index.html - mv new_index.html src/bookrunner/index.html - - # rm src/bookrunner/run.json -else - echo "WARNING: Could not find the latest bookrunner run." -fi - echo "Building user documentation..." # Generate benchcomp documentation from source code mkdir -p gen_src diff --git a/scripts/ci/bookrunner_failures_by_stage.py b/scripts/ci/bookrunner_failures_by_stage.py deleted file mode 100644 index 941cc62ae2e5..000000000000 --- a/scripts/ci/bookrunner_failures_by_stage.py +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/python3 -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -import argparse -from bs4 import BeautifulSoup - -def main(): - parser = argparse.ArgumentParser( - description='Scans an HTML dashboard file and prints' - 'the number of failures grouped by stage') - parser.add_argument('input') - args = parser.parse_args() - - with open(args.input) as fp: - run = BeautifulSoup(fp, 'html.parser') - - failures = [0] * 3 - - for row in run.find_all('div', attrs={'class': 'pipeline-row'}): - stages = row.find_all('div', attrs={'class': 'pipeline-stage'}) - i = 0 - for stage in stages: - if stage.a['class'][1] == 'fail': - failures[i] += 1 - break - i += 1 - - print('bookrunner failures grouped by stage:') - print(' * rustc-compilation: ' + str(failures[0])) - print(' * kani-codegen: ' + str(failures[1])) - print(' * cbmc-verification: ' + str(failures[2])) - - -if __name__ == "__main__": - main() diff --git a/scripts/ci/copyright-exclude b/scripts/ci/copyright-exclude index 358edc372af2..157d88fbc379 100644 --- a/scripts/ci/copyright-exclude +++ b/scripts/ci/copyright-exclude @@ -10,7 +10,7 @@ Cargo.lock LICENSE-APACHE LICENSE-MIT editorconfig -expected +expected$ gitattributes gitignore gitmodules diff --git a/scripts/ci/detect_bookrunner_failures.sh b/scripts/ci/detect_bookrunner_failures.sh deleted file mode 100755 index 027ea8174b5d..000000000000 --- a/scripts/ci/detect_bookrunner_failures.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -set -eu - -# This script checks that the number of failures in a bookrunner run are below -# the threshold computed below. -# -# The threshold is roughly computed as: `1.05 * ` -# The extra 5% allows us to account for occasional timeouts. It is reviewed and -# updated whenever the Rust toolchain version is updated. -EXPECTED=82 -THRESHOLD=$(expr ${EXPECTED} \* 105 / 100) # Add 5% threshold - -if [[ $# -ne 1 ]]; then - echo "$0: Error: Specify the bookrunner text report" - exit 1 -fi - -# Get the summary line, which looks like: -# `# of tests: ✔️ ` -SUMMARY_LINE=`head -n 1 $1` - -# Parse the summary line and extract the number of failures -read -a strarr <<< $SUMMARY_LINE -NUM_FAILURES=${strarr[-1]} - -# Print a message and return a nonzero code if the threshold is exceeded -if [[ $NUM_FAILURES -ge $THRESHOLD ]]; then - echo "Error: The number of failures from bookrunner is higher than expected!" - echo - echo "Found $NUM_FAILURES which is higher than the threshold of $THRESHOLD" - echo "This means that your changes are causing at least 5% more failures than in previous bookrunner runs." - echo "To check these failures locally, run \`cargo run -p bookrunner\` and inspect the report in \`build/output/latest/html/index.html\`." - echo "For more details on bookrunner, go to https://model-checking.github.io/kani/bookrunner.html" - exit 1 -fi diff --git a/scripts/ci/update_bookrunner_report.py b/scripts/ci/update_bookrunner_report.py deleted file mode 100644 index fc1c47ad78c4..000000000000 --- a/scripts/ci/update_bookrunner_report.py +++ /dev/null @@ -1,65 +0,0 @@ -#!/usr/bin/python3 -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -import argparse -from bs4 import BeautifulSoup - -def update_path(run, path): - ''' - Shortens a path referring to an example and adds a link to the file. - - By default, the path to an example follows this pattern: - - `tests/bookrunner/books///

//.rs` - - However, only the first part is shown since these paths are enclosed - in paragraph markers (`

` and `

`). So they are often rendered as: - - `tests/bookrunner/books///... - - This update removes `tests/bookrunner/books/` from the path (common to - all examples) and transforms them into anchor elements with a link to - the example, so the path to the example is shown as: - - `//
//.rs` - ''' - orig_path = path.p.string - new_string = '/'.join(orig_path.split('/')[4:]) - new_tag = run.new_tag('a') - new_tag.string = new_string - # Add link to the example - new_tag['href'] = "artifacts/" + new_string - path.p.replace_with(new_tag) - -def main(): - parser = argparse.ArgumentParser( - description='Produces an updated HTML report file from the ' - 'contents of an HTML file generated with `litani`') - parser.add_argument('input') - parser.add_argument('output') - args = parser.parse_args() - - with open(args.input) as fp: - run = BeautifulSoup(fp, 'html.parser') - - # Update pipeline names to link to the example under test - for row in run.find_all(lambda tag: tag.name == 'div' and - tag.get('class') == ['pipeline-row']): - path = row.find('div', attrs={'class': 'pipeline-name'}) - # Some paths here may be `None` - skip them - if path.p: - update_path(run, path) - - # Delete links to empty artifacts folder from progress bars - for bar in run.find_all('a', attrs={'class': 'stage-artifacts-link fail'}): - del bar['href'] - for bar in run.find_all('a', attrs={'class': 'stage-artifacts-link success'}): - del bar['href'] - - with open(args.output, "w") as file: - file.write(str(run)) - - -if __name__ == "__main__": - main() diff --git a/scripts/kani-regression.sh b/scripts/kani-regression.sh index 20782abe5cbc..b1de293d533c 100755 --- a/scripts/kani-regression.sh +++ b/scripts/kani-regression.sh @@ -33,31 +33,33 @@ check_kissat_version.sh # Formatting check ${SCRIPT_DIR}/kani-fmt.sh --check -# Build all packages in the workspace and ensure no warning is emitted. -RUSTFLAGS="-D warnings" cargo build-dev +# Build kani +cargo build-dev # Unit tests cargo test -p cprover_bindings cargo test -p kani-compiler cargo test -p kani-driver cargo test -p kani_metadata -cargo test -p kani --lib # skip doc tests. +# skip doc tests and enable assertions to fail +cargo test -p kani --lib --features concrete_playback # Test the actual macros, skipping doc tests and enabling extra traits for "syn" # so we can debug print AST RUSTFLAGS=--cfg=kani_sysroot cargo test -p kani_macros --features syn/extra-traits --lib # Declare testing suite information (suite and mode) TESTS=( - "script-based-pre exec" - "coverage coverage-based" "kani kani" "expected expected" "ui expected" + "std-checks cargo-kani" "firecracker kani" "prusti kani" "smack kani" "cargo-kani cargo-kani" "cargo-ui cargo-kani" + "script-based-pre exec" + "coverage coverage-based" "kani-docs cargo-kani" "kani-fixme kani-fixme" ) @@ -100,6 +102,13 @@ FEATURES_MANIFEST_PATH="$KANI_DIR/tests/cargo-kani/cargo-features-flag/Cargo.tom cargo kani --manifest-path "$FEATURES_MANIFEST_PATH" --harness trivial_success cargo clean --manifest-path "$FEATURES_MANIFEST_PATH" +# Build all packages in the workspace and ensure no warning is emitted. +# Please don't replace `cargo build-dev` above with this command. +# Setting RUSTFLAGS like this always resets cargo's build cache resulting in +# all tests to be re-run. I.e., cannot keep re-runing the regression from where +# we stopped. +RUSTFLAGS="-D warnings" cargo build --target-dir /tmp/kani_build_warnings + echo echo "All Kani regression tests completed successfully." echo diff --git a/scripts/setup/install_bookrunner_deps.sh b/scripts/setup/install_bookrunner_deps.sh deleted file mode 100755 index f1457c1e9c4d..000000000000 --- a/scripts/setup/install_bookrunner_deps.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -set -eu - -# The book runner report is generated using [Litani](https://github.com/awslabs/aws-build-accumulator) -FILE="litani-1.22.0.deb" -URL="https://github.com/awslabs/aws-build-accumulator/releases/download/1.22.0/$FILE" - -set -x - -# Install Litani -wget -O "$FILE" "$URL" -sudo DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ./"$FILE" - -PYTHON_DEPS=( - bs4 # Used for report updates -) - -python3 -m pip install "${PYTHON_DEPS[@]}" \ No newline at end of file diff --git a/scripts/setup/macos-13-xlarge b/scripts/setup/macos-14 similarity index 100% rename from scripts/setup/macos-13-xlarge rename to scripts/setup/macos-14 diff --git a/scripts/setup/macos/install_deps.sh b/scripts/setup/macos/install_deps.sh index c544846b403f..429eb200541a 100755 --- a/scripts/setup/macos/install_deps.sh +++ b/scripts/setup/macos/install_deps.sh @@ -9,16 +9,14 @@ set -eux # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software #brew update +# Install Python separately to workround recurring homebrew CI issue. +# See https://github.com/actions/runner-images/issues/9471 for more details. +brew install python@3 || true +brew link --overwrite python@3 + # Install dependencies via `brew` brew install universal-ctags wget jq -# Add Python package dependencies -PYTHON_DEPS=( - autopep8 -) - -python3 -m pip install "${PYTHON_DEPS[@]}" - # Get the directory containing this script SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" diff --git a/scripts/setup/ubuntu/install_deps.sh b/scripts/setup/ubuntu/install_deps.sh index 2830d0280498..b93602691222 100755 --- a/scripts/setup/ubuntu/install_deps.sh +++ b/scripts/setup/ubuntu/install_deps.sh @@ -16,6 +16,7 @@ DEPS=( gpg-agent jq libssl-dev + lld lsb-release make ninja-build diff --git a/scripts/toolchain_update.sh b/scripts/toolchain_update.sh new file mode 100755 index 000000000000..856c346e542c --- /dev/null +++ b/scripts/toolchain_update.sh @@ -0,0 +1,65 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +# This script is part of our CI nightly job to bump the toolchain version. +# It will potentially update the rust-toolchain.toml file, and run the +# regression. +# +# In order to manually run this script, you will need to do the following: +# +# 1. Set $GITHUB_ENV to point to an output file. +# 2. Install and configure GitHub CLI + +set -eu + +current_toolchain_date=$(grep ^channel rust-toolchain.toml | sed 's/.*nightly-\(.*\)"/\1/') +echo "current_toolchain_date=$current_toolchain_date" >> $GITHUB_ENV + +current_toolchain_epoch=$(date --date $current_toolchain_date +%s) +next_toolchain_date=$(date --date "@$(($current_toolchain_epoch + 86400))" +%Y-%m-%d) +echo "next_toolchain_date=$next_toolchain_date" >> $GITHUB_ENV + +echo "------ Start upgrade ------" +echo "- current: ${current_toolchain_date}" +echo "- next: ${next_toolchain_date}" +echo "---------------------------" + +if gh issue list -S \ + "Toolchain upgrade to nightly-$next_toolchain_date failed" \ + --json number,title | grep title +then + echo "Skip update: Found existing issue" + echo "next_step=none" >> $GITHUB_ENV +elif ! git ls-remote --exit-code origin toolchain-$next_toolchain_date +then + echo "next_step=create_pr" >> $GITHUB_ENV + + # Modify rust-toolchain file + sed -i "/^channel/ s/$current_toolchain_date/$next_toolchain_date/" rust-toolchain.toml + + git diff + git clone --filter=tree:0 https://github.com/rust-lang/rust rust.git + cd rust.git + current_toolchain_hash=$(curl https://static.rust-lang.org/dist/$current_toolchain_date/channel-rust-nightly-git-commit-hash.txt) + echo "current_toolchain_hash=$current_toolchain_hash" >> $GITHUB_ENV + + next_toolchain_hash=$(curl https://static.rust-lang.org/dist/$next_toolchain_date/channel-rust-nightly-git-commit-hash.txt) + echo "next_toolchain_hash=$next_toolchain_hash" >> $GITHUB_ENV + + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "git_log<<$EOF" >> $GITHUB_ENV + + git log --oneline $current_toolchain_hash..$next_toolchain_hash | \ + sed 's#^#https://github.com/rust-lang/rust/commit/#' >> $GITHUB_ENV + echo "$EOF" >> $GITHUB_ENV + + cd .. + rm -rf rust.git + if ! ./scripts/kani-regression.sh ; then + echo "next_step=create_issue" >> $GITHUB_ENV + fi +else + echo "Skip update: Found existing branch" + echo "next_step=none" >> $GITHUB_ENV +fi diff --git a/src/lib.rs b/src/lib.rs index 9a1ac90f5dda..0015829f61d3 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -28,16 +28,18 @@ use anyhow::{bail, Context, Result}; /// `bin` should be either `kani` or `cargo-kani` pub fn proxy(bin: &str) -> Result<()> { match parse_args(env::args_os().collect()) { - ArgsResult::ExplicitSetup { use_local_bundle } => setup::setup(use_local_bundle), + ArgsResult::ExplicitSetup { use_local_bundle, use_local_toolchain } => { + setup::setup(use_local_bundle, use_local_toolchain) + } ArgsResult::Default => { fail_if_in_dev_environment()?; if !setup::appears_setup() { - setup::setup(None)?; + setup::setup(None, None)?; } else { // This handles cases where the setup was left incomplete due to an interrupt // For example - https://github.com/model-checking/kani/issues/1545 if let Some(path_to_bundle) = setup::appears_incomplete() { - setup::setup(Some(path_to_bundle.clone().into_os_string()))?; + setup::setup(Some(path_to_bundle.clone().into_os_string()), None)?; // Suppress warning with unused assignment // and remove the bundle if it still exists let _ = fs::remove_file(path_to_bundle); @@ -51,7 +53,7 @@ pub fn proxy(bin: &str) -> Result<()> { /// Minimalist argument parsing result type #[derive(PartialEq, Eq, Debug)] enum ArgsResult { - ExplicitSetup { use_local_bundle: Option }, + ExplicitSetup { use_local_bundle: Option, use_local_toolchain: Option }, Default, } @@ -63,14 +65,46 @@ fn parse_args(args: Vec) -> ArgsResult { // "cargo kani setup" comes in as "cargo-kani kani setup" // "cargo-kani setup" comes in as "cargo-kani setup" match &args_ez[..] { - &[_, Some("setup"), Some("--use-local-bundle"), _] => { - ArgsResult::ExplicitSetup { use_local_bundle: Some(args[3].clone()) } + &[_, Some("setup"), Some("--use-local-bundle"), _, Some("--use-local-toolchain"), _] => { + ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[3].clone()), + use_local_toolchain: Some(args[5].clone()), + } } + &[ + _, + Some("kani"), + Some("setup"), + Some("--use-local-bundle"), + _, + Some("--use-local-toolchain"), + _, + ] => ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[4].clone()), + use_local_toolchain: Some(args[6].clone()), + }, + &[_, Some("setup"), Some("--use-local-bundle"), _] => ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[3].clone()), + use_local_toolchain: None, + }, &[_, Some("kani"), Some("setup"), Some("--use-local-bundle"), _] => { - ArgsResult::ExplicitSetup { use_local_bundle: Some(args[4].clone()) } + ArgsResult::ExplicitSetup { + use_local_bundle: Some(args[4].clone()), + use_local_toolchain: None, + } + } + &[_, Some("setup"), Some("--use-local-toolchain"), _] => ArgsResult::ExplicitSetup { + use_local_bundle: None, + use_local_toolchain: Some(args[3].clone()), + }, + &[_, Some("kani"), Some("setup"), Some("--use-local-toolchain"), _] => { + ArgsResult::ExplicitSetup { + use_local_bundle: None, + use_local_toolchain: Some(args[4].clone()), + } } &[_, Some("setup")] | &[_, Some("kani"), Some("setup")] => { - ArgsResult::ExplicitSetup { use_local_bundle: None } + ArgsResult::ExplicitSetup { use_local_bundle: None, use_local_toolchain: None } } _ => ArgsResult::Default, } @@ -223,16 +257,72 @@ mod tests { assert_eq!(e, trial(&[])); } { - let e = ArgsResult::ExplicitSetup { use_local_bundle: None }; + let e = ArgsResult::ExplicitSetup { use_local_bundle: None, use_local_toolchain: None }; assert_eq!(e, trial(&["cargo-kani", "kani", "setup"])); assert_eq!(e, trial(&["cargo", "kani", "setup"])); assert_eq!(e, trial(&["cargo-kani", "setup"])); } { - let e = ArgsResult::ExplicitSetup { use_local_bundle: Some(OsString::from("FILE")) }; + let e = ArgsResult::ExplicitSetup { + use_local_bundle: Some(OsString::from("FILE")), + use_local_toolchain: None, + }; assert_eq!(e, trial(&["cargo-kani", "kani", "setup", "--use-local-bundle", "FILE"])); assert_eq!(e, trial(&["cargo", "kani", "setup", "--use-local-bundle", "FILE"])); assert_eq!(e, trial(&["cargo-kani", "setup", "--use-local-bundle", "FILE"])); } + { + let e = ArgsResult::ExplicitSetup { + use_local_bundle: None, + use_local_toolchain: Some(OsString::from("TOOLCHAIN")), + }; + assert_eq!( + e, + trial(&["cargo-kani", "kani", "setup", "--use-local-toolchain", "TOOLCHAIN"]) + ); + assert_eq!(e, trial(&["cargo", "kani", "setup", "--use-local-toolchain", "TOOLCHAIN"])); + assert_eq!(e, trial(&["cargo-kani", "setup", "--use-local-toolchain", "TOOLCHAIN"])); + } + { + let e = ArgsResult::ExplicitSetup { + use_local_bundle: Some(OsString::from("FILE")), + use_local_toolchain: Some(OsString::from("TOOLCHAIN")), + }; + assert_eq!( + e, + trial(&[ + "cargo-kani", + "kani", + "setup", + "--use-local-bundle", + "FILE", + "--use-local-toolchain", + "TOOLCHAIN" + ]) + ); + assert_eq!( + e, + trial(&[ + "cargo", + "kani", + "setup", + "--use-local-bundle", + "FILE", + "--use-local-toolchain", + "TOOLCHAIN" + ]) + ); + assert_eq!( + e, + trial(&[ + "cargo-kani", + "setup", + "--use-local-bundle", + "FILE", + "--use-local-toolchain", + "TOOLCHAIN" + ]) + ); + } } } diff --git a/src/setup.rs b/src/setup.rs index ffdcf340e336..730679f06c10 100644 --- a/src/setup.rs +++ b/src/setup.rs @@ -70,7 +70,10 @@ pub fn appears_incomplete() -> Option { } /// Sets up Kani by unpacking/installing to `~/.kani/kani-VERSION` -pub fn setup(use_local_bundle: Option) -> Result<()> { +pub fn setup( + use_local_bundle: Option, + use_local_toolchain: Option, +) -> Result<()> { let kani_dir = kani_dir()?; let os = os_info::get(); @@ -81,7 +84,7 @@ pub fn setup(use_local_bundle: Option) -> Result<()> { setup_kani_bundle(&kani_dir, use_local_bundle)?; - setup_rust_toolchain(&kani_dir)?; + setup_rust_toolchain(&kani_dir, use_local_toolchain)?; setup_python_deps(&kani_dir)?; @@ -138,15 +141,44 @@ pub(crate) fn get_rust_toolchain_version(kani_dir: &Path) -> Result { .context("Reading release bundle rust-toolchain-version") } +pub(crate) fn get_rustc_version_from_build(kani_dir: &Path) -> Result { + std::fs::read_to_string(kani_dir.join("rustc-version")) + .context("Reading release bundle rustc-version") +} + /// Install the Rust toolchain version we require -fn setup_rust_toolchain(kani_dir: &Path) -> Result { +fn setup_rust_toolchain(kani_dir: &Path, use_local_toolchain: Option) -> Result { // Currently this means we require the bundle to have been unpacked first! let toolchain_version = get_rust_toolchain_version(kani_dir)?; + let rustc_version = get_rustc_version_from_build(kani_dir)?.trim().to_string(); + + // Symlink to a local toolchain if the user explicitly requests + if let Some(local_toolchain_path) = use_local_toolchain { + let toolchain_path = Path::new(&local_toolchain_path); + + let custom_toolchain_rustc_version = + get_rustc_version_from_local_toolchain(local_toolchain_path.clone())?; + + if rustc_version == custom_toolchain_rustc_version { + symlink_rust_toolchain(toolchain_path, kani_dir)?; + println!( + "[3/5] Installing rust toolchain from path provided: {}", + &toolchain_path.to_string_lossy() + ); + return Ok(toolchain_version); + } else { + bail!( + "The toolchain with rustc {:?} being used to setup is not the same as the one Kani used in its release bundle {:?}. Try to setup with the same version as the bundle.", + custom_toolchain_rustc_version, + rustc_version, + ); + } + } + + // This is the default behaviour when no explicit path to a toolchain is mentioned println!("[3/5] Installing rust toolchain version: {}", &toolchain_version); Command::new("rustup").args(["toolchain", "install", &toolchain_version]).run()?; - let toolchain = home::rustup_home()?.join("toolchains").join(&toolchain_version); - symlink_rust_toolchain(&toolchain, kani_dir)?; Ok(toolchain_version) } @@ -177,6 +209,27 @@ fn download_filename() -> String { format!("kani-{VERSION}-{TARGET}.tar.gz") } +/// Get the version of rustc that is being used to setup kani by the user +fn get_rustc_version_from_local_toolchain(path: OsString) -> Result { + let path = Path::new(&path); + let rustc_path = path.join("bin").join("rustc"); + + let output = Command::new(rustc_path).arg("--version").output(); + + match output { + Ok(output) => { + if output.status.success() { + Ok(String::from_utf8(output.stdout).map(|s| s.trim().to_string())?) + } else { + bail!( + "Could not parse rustc version string. Toolchain installation likely invalid. " + ); + } + } + Err(_) => bail!("Could not get rustc version. Toolchain installation likely invalid"), + } +} + /// The download URL for this version of Kani fn download_url() -> String { let tag: &str = &format!("kani-{VERSION}"); diff --git a/tests/cargo-kani/assess-artifacts/expected b/tests/cargo-kani/assess-artifacts/expected index c1d3acbfd531..b8a25c834ab6 100644 --- a/tests/cargo-kani/assess-artifacts/expected +++ b/tests/cargo-kani/assess-artifacts/expected @@ -3,7 +3,7 @@ Analyzed 1 packages Unsupported feature | Crates | Instances | impacted | of use ---------------------+----------+----------- - try | 1 | 2 + catch_unwind | 1 | 2 ============================================ ========================================= Reason for failure | Number of tests diff --git a/tests/cargo-kani/assess-workspace-artifacts/expected b/tests/cargo-kani/assess-workspace-artifacts/expected index 4e9a26f89c27..fba2cd94f212 100644 --- a/tests/cargo-kani/assess-workspace-artifacts/expected +++ b/tests/cargo-kani/assess-workspace-artifacts/expected @@ -3,7 +3,7 @@ Analyzed 2 packages Unsupported feature | Crates | Instances | impacted | of use ---------------------+----------+----------- - try | 2 | 3 + catch_unwind | 2 | 3 ============================================ ========================================= Reason for failure | Number of tests diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/README.md b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/README.md new file mode 100644 index 000000000000..971e385fa819 --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/README.md @@ -0,0 +1,2 @@ +This repo contains contains a minimal example that used to break compilation +when using Kani. See https://github.com/model-checking/kani/issues/3101. diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/Cargo.toml b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/Cargo.toml new file mode 100644 index 000000000000..5953dd85a56b --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/Cargo.toml @@ -0,0 +1,14 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "binary" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +constants = { path = "../constants" } + +[build-dependencies] +constants = { path = "../constants" } diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/build.rs b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/build.rs new file mode 100644 index 000000000000..927461a01817 --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/build.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// From https://github.com/model-checking/kani/issues/3101 + +use constants::SOME_CONSTANT; + +fn main() { + // build.rs changes should trigger rebuild + println!("cargo:rerun-if-changed=build.rs"); + + #[cfg(not(kani_host))] + assert_eq!(constants::SOME_CONSTANT, 0); + #[cfg(kani_host)] + assert_eq!(constants::SOME_CONSTANT, 2); +} diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/src/main.rs b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/src/main.rs new file mode 100644 index 000000000000..268d311e3853 --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/binary/src/main.rs @@ -0,0 +1,32 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// From https://github.com/model-checking/kani/issues/3101 +// This file demonstrates that Kani is working on the `binary` crate itself. + +use constants::SomeStruct; + +fn function_that_does_something(b: bool) -> SomeStruct { + SomeStruct { some_field: if b { 42 } else { 24 } } +} + +fn main() { + println!("The constant is {}", constants::SOME_CONSTANT); + + let some_struct = function_that_does_something(true); + + println!("some_field is {:?}", some_struct.some_field); +} + +#[cfg(kani)] +mod verification { + use super::*; + + #[kani::proof] + fn function_never_returns_zero_struct() { + let input: bool = kani::any(); + let output = function_that_does_something(input); + + assert!(output.some_field != 0); + } +} diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/Cargo.toml b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/Cargo.toml new file mode 100644 index 000000000000..cf2d84dcf946 --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/Cargo.toml @@ -0,0 +1,9 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "constants" +version = "0.1.0" +edition = "2021" + + +[dependencies] diff --git a/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/src/lib.rs b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/src/lib.rs new file mode 100644 index 000000000000..e485182b24ba --- /dev/null +++ b/tests/cargo-kani/build-rs-plus-host-with-kani-proofs/constants/src/lib.rs @@ -0,0 +1,32 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// From https://github.com/model-checking/kani/issues/3101 + +#[cfg(not(any(kani, kani_host)))] +pub const SOME_CONSTANT: u32 = 0; +#[cfg(kani)] +pub const SOME_CONSTANT: u32 = 1; +#[cfg(kani_host)] +pub const SOME_CONSTANT: u32 = 2; + +pub struct SomeStruct { + pub some_field: u32, +} + +#[cfg(kani)] +impl kani::Arbitrary for SomeStruct { + fn any() -> Self { + SomeStruct { some_field: kani::any() } + } +} + +#[cfg(kani)] +mod verification { + use super::*; + + #[kani::proof] + fn one() { + assert_eq!(constants::SOME_CONSTANT, 1); + } +} diff --git a/tests/cargo-kani/simple-extern/src/lib.rs b/tests/cargo-kani/simple-extern/src/lib.rs index d2016d8bd7b2..33ca290a2d30 100644 --- a/tests/cargo-kani/simple-extern/src/lib.rs +++ b/tests/cargo-kani/simple-extern/src/lib.rs @@ -2,6 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT pub mod externs; pub use externs::external_c_assertion; +// TODO: our reachability analysis does not see through C functions +pub use externs::rust_add1; #[cfg(test)] mod tests { @@ -24,6 +26,7 @@ mod kani_tests { if a < 100 { unsafe { external_c_assertion(a); + rust_add1(a); } } } diff --git a/tests/cargo-kani/storage-markers/Cargo.toml b/tests/cargo-kani/storage-markers/Cargo.toml new file mode 100644 index 000000000000..cb98b6df5835 --- /dev/null +++ b/tests/cargo-kani/storage-markers/Cargo.toml @@ -0,0 +1,5 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[workspace] +members = ["crate-with-bug", "crate-with-harness"] +resolver = "2" diff --git a/tests/cargo-kani/storage-markers/crate-with-bug/Cargo.toml b/tests/cargo-kani/storage-markers/crate-with-bug/Cargo.toml new file mode 100644 index 000000000000..3cec8dac16b0 --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-bug/Cargo.toml @@ -0,0 +1,8 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "crate-with-bug" +version = "0.1.0" +edition = "2021" + +[dependencies] diff --git a/tests/cargo-kani/storage-markers/crate-with-bug/src/lib.rs b/tests/cargo-kani/storage-markers/crate-with-bug/src/lib.rs new file mode 100644 index 000000000000..3e6967bdbfe4 --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-bug/src/lib.rs @@ -0,0 +1,12 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This function contains a use-after-free bug. + +pub fn fn_with_bug() -> i32 { + let raw_ptr = { + let var = 10; + &var as *const i32 + }; + unsafe { *raw_ptr } +} diff --git a/tests/cargo-kani/storage-markers/crate-with-harness/Cargo.toml b/tests/cargo-kani/storage-markers/crate-with-harness/Cargo.toml new file mode 100644 index 000000000000..7cfe7126d845 --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-harness/Cargo.toml @@ -0,0 +1,9 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "crate-with-harness" +version = "0.1.0" +edition = "2021" + +[dependencies] +crate-with-bug = { path = "../crate-with-bug" } diff --git a/tests/cargo-kani/storage-markers/crate-with-harness/call_fn_with_bug.expected b/tests/cargo-kani/storage-markers/crate-with-harness/call_fn_with_bug.expected new file mode 100644 index 000000000000..68ef53cc06ec --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-harness/call_fn_with_bug.expected @@ -0,0 +1,3 @@ +Status: FAILURE\ +Description: "dereference failure: dead object"\ +in function crate_with_bug::fn_with_bug diff --git a/tests/cargo-kani/storage-markers/crate-with-harness/src/lib.rs b/tests/cargo-kani/storage-markers/crate-with-harness/src/lib.rs new file mode 100644 index 000000000000..a44cfaf976be --- /dev/null +++ b/tests/cargo-kani/storage-markers/crate-with-harness/src/lib.rs @@ -0,0 +1,11 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This test checks that Kani captures the case of a use-after-free issue as +// described in https://github.com/model-checking/kani/issues/3061 even across +// crates. The test calls a function from another crate that has the bug. + +#[kani::proof] +pub fn call_fn_with_bug() { + let _x = crate_with_bug::fn_with_bug(); +} diff --git a/tests/cargo-kani/stubbing-double-extern-path/harness/expected b/tests/cargo-kani/stubbing-double-extern-path/harness/expected index adbbf31d49bd..dbca159f92d5 100644 --- a/tests/cargo-kani/stubbing-double-extern-path/harness/expected +++ b/tests/cargo-kani/stubbing-double-extern-path/harness/expected @@ -1 +1,2 @@ -error[E0391]: cycle detected when optimizing MIR for `crate_b::assert_false` +error: Cannot stub `crate_b::assert_false`. Stub configuration for harness `check_inverted` has a cycle +error: Cannot stub `crate_b::assert_true`. Stub configuration for harness `check_inverted` has a cycle diff --git a/tests/cargo-kani/unexpected_cfgs/Cargo.toml b/tests/cargo-kani/unexpected_cfgs/Cargo.toml new file mode 100644 index 000000000000..c70a4cbec7dc --- /dev/null +++ b/tests/cargo-kani/unexpected_cfgs/Cargo.toml @@ -0,0 +1,9 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +[package] +name = "unexpected_cfgs" +version = "0.1.0" +edition = "2021" + +[dependencies] diff --git a/tests/perf/overlays/s2n-quic/tools/xdp/s2n-quic-xdp/expected b/tests/cargo-kani/unexpected_cfgs/expected similarity index 100% rename from tests/perf/overlays/s2n-quic/tools/xdp/s2n-quic-xdp/expected rename to tests/cargo-kani/unexpected_cfgs/expected diff --git a/tests/cargo-kani/unexpected_cfgs/src/main.rs b/tests/cargo-kani/unexpected_cfgs/src/main.rs new file mode 100644 index 000000000000..e864756c6be9 --- /dev/null +++ b/tests/cargo-kani/unexpected_cfgs/src/main.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This test checks that the `unexpected_cfgs` lint (enabled by default as of +// the 2024-05-05 toolchain) does not cause `cargo kani` to emit warnings when +// the code has `#[cfg(kani)]`. Kani avoids the warning by adding +// `--check-cfg=cfg(kani)` to the rust flags. + +#![deny(unexpected_cfgs)] + +fn main() {} + +#[cfg(kani)] +mod kani_checks { + #[kani::proof] + fn check_unexpected_cfg() { + assert_eq!(1, 1); + } +} diff --git a/tests/cargo-ui/assess-error/expected b/tests/cargo-ui/assess-error/expected index 70754ddea192..213d811ae577 100644 --- a/tests/cargo-ui/assess-error/expected +++ b/tests/cargo-ui/assess-error/expected @@ -1,2 +1,2 @@ -error: Failed to compile lib `compilation-error` +error: Failed to compile lib `compilation_error` error: Failed to assess project: Failed to build all targets diff --git a/tests/cargo-ui/unstable-attr/defs/src/lib.rs b/tests/cargo-ui/unstable-attr/defs/src/lib.rs index 9515cf1d48a8..91b5a4d539bf 100644 --- a/tests/cargo-ui/unstable-attr/defs/src/lib.rs +++ b/tests/cargo-ui/unstable-attr/defs/src/lib.rs @@ -1,13 +1,13 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -#[kani::unstable(feature = "always_fails", reason = "do not enable", issue = "")] +#[kani::unstable_feature(feature = "always_fails", reason = "do not enable", issue = "")] pub fn always_fails() { assert!(false, "don't call me"); } /// We use "gen-c" since it has to be an existing feature. -#[kani::unstable(feature = "gen-c", reason = "internal fake api", issue = "")] +#[kani::unstable_feature(feature = "gen-c", reason = "internal fake api", issue = "")] pub fn no_op() { kani::cover!(true); } diff --git a/tests/cargo-ui/unstable-attr/invalid/expected b/tests/cargo-ui/unstable-attr/invalid/expected index 49db2367b832..fd6ee1c694c2 100644 --- a/tests/cargo-ui/unstable-attr/invalid/expected +++ b/tests/cargo-ui/unstable-attr/invalid/expected @@ -1,32 +1,32 @@ -error: failed to parse `#[kani::unstable]`: missing `feature` field\ +error: failed to parse `#[kani::unstable_feature]`: missing `feature` field\ lib.rs |\ -9 | #[kani::unstable(reason = "just checking", issue = "")]\ - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ +9 | #[kani::unstable_feature(reason = "just checking", issue = "")]\ + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")]\ - = note: this error originates in the attribute macro `kani::unstable` (in Nightly builds, run with -Z macro-backtrace for more info) + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")]\ + = note: this error originates in the attribute macro `kani::unstable_feature` (in Nightly builds, run with -Z macro-backtrace for more info) -error: failed to parse `#[kani::unstable]`: expected "key = value" pair, but found `feature("invalid_args")`\ +error: failed to parse `#[kani::unstable_feature]`: expected "key = value" pair, but found `feature("invalid_args")`\ lib.rs\ |\ -| #[kani::unstable(feature("invalid_args"))]\ -| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ +| #[kani::unstable_feature(feature("invalid_args"))]\ +| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")] + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")] -error: failed to parse `#[kani::unstable]`: expected "key = value" pair, but found `feature`\ +error: failed to parse `#[kani::unstable_feature]`: expected "key = value" pair, but found `feature`\ lib.rs\ |\ -| #[kani::unstable(feature, issue)]\ -| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ +| #[kani::unstable_feature(feature, issue)]\ +| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")] + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")] -error: failed to parse `#[kani::unstable]`: expected "key = value" pair, but found `1010`\ +error: failed to parse `#[kani::unstable_feature]`: expected "key = value" pair, but found `1010`\ lib.rs\ |\ -| #[kani::unstable(1010)]\ -| ^^^^^^^^^^^^^^^^^^^^^^^\ +| #[kani::unstable_feature(1010)]\ +| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\ |\ - = note: expected format: #[kani::unstable(feature="", issue="", reason="")] + = note: expected format: #[kani::unstable_feature(feature="", issue="", reason="")] diff --git a/tests/cargo-ui/unstable-attr/invalid/src/lib.rs b/tests/cargo-ui/unstable-attr/invalid/src/lib.rs index 5fbfc768c883..f0d92f0882d7 100644 --- a/tests/cargo-ui/unstable-attr/invalid/src/lib.rs +++ b/tests/cargo-ui/unstable-attr/invalid/src/lib.rs @@ -6,18 +6,18 @@ //! we don't guarantee the order that these will be evaluated. //! TODO: We should break down this test to ensure all of these fail. -#[kani::unstable(reason = "just checking", issue = "")] +#[kani::unstable_feature(reason = "just checking", issue = "")] pub fn missing_feature() { todo!() } -#[kani::unstable(feature("invalid_args"))] +#[kani::unstable_feature(feature("invalid_args"))] pub fn invalid_fn_style() {} -#[kani::unstable(feature, issue)] +#[kani::unstable_feature(feature, issue)] pub fn invalid_list() {} -#[kani::unstable(1010)] +#[kani::unstable_feature(1010)] pub fn invalid_argument() {} #[kani::proof] diff --git a/tests/cargo-ui/unsupported-lib-types/proc-macro/expected b/tests/cargo-ui/unsupported-lib-types/proc-macro/expected index 2a7badb42720..9703300da1c2 100644 --- a/tests/cargo-ui/unsupported-lib-types/proc-macro/expected +++ b/tests/cargo-ui/unsupported-lib-types/proc-macro/expected @@ -1,2 +1,2 @@ -Skipped the following unsupported targets: 'lib'. +Skipped verification of the following unsupported targets: 'lib'. error: No supported targets were found. diff --git a/tests/coverage/reachable/assert-false/expected b/tests/coverage/reachable/assert-false/expected index 7a9fef1ca77c..97ffbe1d96e4 100644 --- a/tests/coverage/reachable/assert-false/expected +++ b/tests/coverage/reachable/assert-false/expected @@ -1,8 +1,8 @@ coverage/reachable/assert-false/main.rs, 6, FULL coverage/reachable/assert-false/main.rs, 7, FULL -coverage/reachable/assert-false/main.rs, 11, FULL -coverage/reachable/assert-false/main.rs, 12, FULL -coverage/reachable/assert-false/main.rs, 15, FULL +coverage/reachable/assert-false/main.rs, 11, PARTIAL +coverage/reachable/assert-false/main.rs, 12, PARTIAL +coverage/reachable/assert-false/main.rs, 15, PARTIAL coverage/reachable/assert-false/main.rs, 16, FULL coverage/reachable/assert-false/main.rs, 17, PARTIAL coverage/reachable/assert-false/main.rs, 19, FULL diff --git a/tests/coverage/reachable/assert/reachable_pass/expected b/tests/coverage/reachable/assert/reachable_pass/expected index 67ae085a3e83..9d21185b3a83 100644 --- a/tests/coverage/reachable/assert/reachable_pass/expected +++ b/tests/coverage/reachable/assert/reachable_pass/expected @@ -1,4 +1,4 @@ coverage/reachable/assert/reachable_pass/test.rs, 6, FULL -coverage/reachable/assert/reachable_pass/test.rs, 7, FULL +coverage/reachable/assert/reachable_pass/test.rs, 7, PARTIAL coverage/reachable/assert/reachable_pass/test.rs, 8, FULL coverage/reachable/assert/reachable_pass/test.rs, 10, FULL diff --git a/tests/coverage/reachable/bounds/reachable_fail/expected b/tests/coverage/reachable/bounds/reachable_fail/expected index af2f30e51fe2..fedfec8b2a1e 100644 --- a/tests/coverage/reachable/bounds/reachable_fail/expected +++ b/tests/coverage/reachable/bounds/reachable_fail/expected @@ -1,4 +1,4 @@ coverage/reachable/bounds/reachable_fail/test.rs, 5, PARTIAL coverage/reachable/bounds/reachable_fail/test.rs, 6, NONE -coverage/reachable/bounds/reachable_fail/test.rs, 10, FULL +coverage/reachable/bounds/reachable_fail/test.rs, 10, PARTIAL coverage/reachable/bounds/reachable_fail/test.rs, 11, NONE diff --git a/tests/coverage/reachable/div-zero/reachable_fail/expected b/tests/coverage/reachable/div-zero/reachable_fail/expected index 1ec1abefffd8..c1ac77404680 100644 --- a/tests/coverage/reachable/div-zero/reachable_fail/expected +++ b/tests/coverage/reachable/div-zero/reachable_fail/expected @@ -1,4 +1,4 @@ coverage/reachable/div-zero/reachable_fail/test.rs, 5, PARTIAL coverage/reachable/div-zero/reachable_fail/test.rs, 6, NONE -coverage/reachable/div-zero/reachable_fail/test.rs, 10, FULL +coverage/reachable/div-zero/reachable_fail/test.rs, 10, PARTIAL coverage/reachable/div-zero/reachable_fail/test.rs, 11, NONE diff --git a/tests/coverage/reachable/overflow/reachable_fail/expected b/tests/coverage/reachable/overflow/reachable_fail/expected index f20826fb1a8e..d45edcc37a63 100644 --- a/tests/coverage/reachable/overflow/reachable_fail/expected +++ b/tests/coverage/reachable/overflow/reachable_fail/expected @@ -1,5 +1,5 @@ coverage/reachable/overflow/reachable_fail/test.rs, 8, PARTIAL coverage/reachable/overflow/reachable_fail/test.rs, 9, FULL coverage/reachable/overflow/reachable_fail/test.rs, 13, FULL -coverage/reachable/overflow/reachable_fail/test.rs, 14, FULL +coverage/reachable/overflow/reachable_fail/test.rs, 14, PARTIAL coverage/reachable/overflow/reachable_fail/test.rs, 15, NONE diff --git a/tests/coverage/reachable/rem-zero/reachable_fail/expected b/tests/coverage/reachable/rem-zero/reachable_fail/expected index f7fa6ed7efeb..7852461e4f57 100644 --- a/tests/coverage/reachable/rem-zero/reachable_fail/expected +++ b/tests/coverage/reachable/rem-zero/reachable_fail/expected @@ -1,4 +1,4 @@ coverage/reachable/rem-zero/reachable_fail/test.rs, 5, PARTIAL coverage/reachable/rem-zero/reachable_fail/test.rs, 6, NONE -coverage/reachable/rem-zero/reachable_fail/test.rs, 10, FULL +coverage/reachable/rem-zero/reachable_fail/test.rs, 10, PARTIAL coverage/reachable/rem-zero/reachable_fail/test.rs, 11, NONE diff --git a/tests/coverage/unreachable/abort/main.rs b/tests/coverage/unreachable/abort/main.rs index 2941ec126f3c..39c0b0efb54f 100644 --- a/tests/coverage/unreachable/abort/main.rs +++ b/tests/coverage/unreachable/abort/main.rs @@ -5,7 +5,7 @@ use std::process; -#[kani::proof] +#[cfg_attr(kani, kani::proof, kani::unwind(5))] fn main() { for i in 0..4 { if i == 1 { diff --git a/tests/coverage/unreachable/assert/expected b/tests/coverage/unreachable/assert/expected index f5b5f8044769..9bc6d8faa4f9 100644 --- a/tests/coverage/unreachable/assert/expected +++ b/tests/coverage/unreachable/assert/expected @@ -1,6 +1,6 @@ coverage/unreachable/assert/test.rs, 6, FULL -coverage/unreachable/assert/test.rs, 7, FULL -coverage/unreachable/assert/test.rs, 9, FULL +coverage/unreachable/assert/test.rs, 7, PARTIAL +coverage/unreachable/assert/test.rs, 9, PARTIAL coverage/unreachable/assert/test.rs, 10, NONE coverage/unreachable/assert/test.rs, 12, NONE coverage/unreachable/assert/test.rs, 16, FULL diff --git a/tests/coverage/unreachable/assert_eq/expected b/tests/coverage/unreachable/assert_eq/expected index f4e7608b2c13..9b13c3c96ded 100644 --- a/tests/coverage/unreachable/assert_eq/expected +++ b/tests/coverage/unreachable/assert_eq/expected @@ -1,5 +1,5 @@ coverage/unreachable/assert_eq/test.rs, 6, FULL coverage/unreachable/assert_eq/test.rs, 7, FULL -coverage/unreachable/assert_eq/test.rs, 8, FULL +coverage/unreachable/assert_eq/test.rs, 8, PARTIAL coverage/unreachable/assert_eq/test.rs, 9, NONE coverage/unreachable/assert_eq/test.rs, 11, FULL diff --git a/tests/coverage/unreachable/assert_ne/expected b/tests/coverage/unreachable/assert_ne/expected index 3b57defb4c36..f027f432e280 100644 --- a/tests/coverage/unreachable/assert_ne/expected +++ b/tests/coverage/unreachable/assert_ne/expected @@ -1,6 +1,6 @@ coverage/unreachable/assert_ne/test.rs, 6, FULL coverage/unreachable/assert_ne/test.rs, 7, FULL coverage/unreachable/assert_ne/test.rs, 8, FULL -coverage/unreachable/assert_ne/test.rs, 10, FULL +coverage/unreachable/assert_ne/test.rs, 10, PARTIAL coverage/unreachable/assert_ne/test.rs, 11, NONE coverage/unreachable/assert_ne/test.rs, 14, FULL diff --git a/tests/coverage/unreachable/check_id/expected b/tests/coverage/unreachable/check_id/expected index 214cbfa827bd..a2d296f0f9a3 100644 --- a/tests/coverage/unreachable/check_id/expected +++ b/tests/coverage/unreachable/check_id/expected @@ -1,5 +1,5 @@ coverage/unreachable/check_id/main.rs, 5, FULL -coverage/unreachable/check_id/main.rs, 6, FULL +coverage/unreachable/check_id/main.rs, 6, PARTIAL coverage/unreachable/check_id/main.rs, 8, NONE coverage/unreachable/check_id/main.rs, 10, FULL coverage/unreachable/check_id/main.rs, 14, FULL @@ -12,5 +12,5 @@ coverage/unreachable/check_id/main.rs, 20, FULL coverage/unreachable/check_id/main.rs, 21, FULL coverage/unreachable/check_id/main.rs, 22, FULL coverage/unreachable/check_id/main.rs, 23, FULL -coverage/unreachable/check_id/main.rs, 24, FULL +coverage/unreachable/check_id/main.rs, 24, PARTIAL coverage/unreachable/check_id/main.rs, 25, NONE diff --git a/tests/coverage/unreachable/if-statement/expected b/tests/coverage/unreachable/if-statement/expected index 4460f23a80de..8b481863a163 100644 --- a/tests/coverage/unreachable/if-statement/expected +++ b/tests/coverage/unreachable/if-statement/expected @@ -1,4 +1,4 @@ -coverage/unreachable/if-statement/main.rs, 5, FULL +coverage/unreachable/if-statement/main.rs, 5, PARTIAL coverage/unreachable/if-statement/main.rs, 7, PARTIAL coverage/unreachable/if-statement/main.rs, 8, NONE coverage/unreachable/if-statement/main.rs, 9, NONE diff --git a/tests/coverage/unreachable/tutorial_unreachable/expected b/tests/coverage/unreachable/tutorial_unreachable/expected index cf45a502d295..624aa520edc9 100644 --- a/tests/coverage/unreachable/tutorial_unreachable/expected +++ b/tests/coverage/unreachable/tutorial_unreachable/expected @@ -1,5 +1,5 @@ coverage/unreachable/tutorial_unreachable/main.rs, 6, FULL coverage/unreachable/tutorial_unreachable/main.rs, 7, FULL -coverage/unreachable/tutorial_unreachable/main.rs, 8, FULL +coverage/unreachable/tutorial_unreachable/main.rs, 8, PARTIAL coverage/unreachable/tutorial_unreachable/main.rs, 9, NONE coverage/unreachable/tutorial_unreachable/main.rs, 11, FULL diff --git a/tests/coverage/unreachable/variant/expected b/tests/coverage/unreachable/variant/expected index 08a2f824da83..8fa3ec8b870f 100644 --- a/tests/coverage/unreachable/variant/expected +++ b/tests/coverage/unreachable/variant/expected @@ -1,4 +1,4 @@ -coverage/unreachable/variant/main.rs, 15, PARTIAL +coverage/unreachable/variant/main.rs, 15, FULL coverage/unreachable/variant/main.rs, 16, NONE coverage/unreachable/variant/main.rs, 17, NONE coverage/unreachable/variant/main.rs, 18, FULL diff --git a/tests/coverage/unreachable/while-loop-break/expected b/tests/coverage/unreachable/while-loop-break/expected index a0e43c183846..dc66d3e823d3 100644 --- a/tests/coverage/unreachable/while-loop-break/expected +++ b/tests/coverage/unreachable/while-loop-break/expected @@ -1,5 +1,5 @@ coverage/unreachable/while-loop-break/main.rs, 8, FULL -coverage/unreachable/while-loop-break/main.rs, 9, FULL +coverage/unreachable/while-loop-break/main.rs, 9, PARTIAL coverage/unreachable/while-loop-break/main.rs, 10, FULL coverage/unreachable/while-loop-break/main.rs, 11, FULL coverage/unreachable/while-loop-break/main.rs, 13, FULL diff --git a/tests/expected/abort/main.rs b/tests/expected/abort/main.rs index 2941ec126f3c..9e2f5b7a808c 100644 --- a/tests/expected/abort/main.rs +++ b/tests/expected/abort/main.rs @@ -6,6 +6,7 @@ use std::process; #[kani::proof] +#[kani::unwind(5)] fn main() { for i in 0..4 { if i == 1 { diff --git a/tests/expected/any_vec/exact_length.expected b/tests/expected/any_vec/exact_length.expected index 082f3fb61570..f64d2830a7b8 100644 --- a/tests/expected/any_vec/exact_length.expected +++ b/tests/expected/any_vec/exact_length.expected @@ -1,7 +1,7 @@ Checking harness check_access_length_17... Failed Checks: assumption failed\ -in >::get_unchecked +in >::get_unchecked Checking harness check_access_length_zero... diff --git a/tests/expected/coroutines/as_parameter/main.rs b/tests/expected/coroutines/as_parameter/main.rs index 7c0b9aed0373..33f56d04b2ae 100644 --- a/tests/expected/coroutines/as_parameter/main.rs +++ b/tests/expected/coroutines/as_parameter/main.rs @@ -21,8 +21,11 @@ where #[kani::proof] fn main() { - foo(|| { - yield 1; - return 2; - }); + foo( + #[coroutine] + || { + yield 1; + return 2; + }, + ); } diff --git a/tests/expected/coroutines/main.rs b/tests/expected/coroutines/main.rs index a49d9944d0f1..9b76e6e4302e 100644 --- a/tests/expected/coroutines/main.rs +++ b/tests/expected/coroutines/main.rs @@ -1,7 +1,8 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -10,7 +11,8 @@ use std::pin::Pin; #[kani::unwind(2)] fn main() { let val: bool = kani::any(); - let mut coroutine = move || { + let mut coroutine = #[coroutine] + move || { let x = val; yield x; return !x; diff --git a/tests/expected/coroutines/pin/main.rs b/tests/expected/coroutines/pin/main.rs index 0052715377ec..fc97e57761e0 100644 --- a/tests/expected/coroutines/pin/main.rs +++ b/tests/expected/coroutines/pin/main.rs @@ -1,17 +1,19 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // Test contains a call to a coroutine via a Pin // from https://github.com/model-checking/kani/issues/416 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let mut coroutine = || { + let mut coroutine = #[coroutine] + || { yield 1; return true; }; diff --git a/tests/expected/dead-invalid-access-via-raw/main.expected b/tests/expected/dead-invalid-access-via-raw/main.expected new file mode 100644 index 000000000000..1d464eb5f031 --- /dev/null +++ b/tests/expected/dead-invalid-access-via-raw/main.expected @@ -0,0 +1,16 @@ +SUCCESS\ +address must be a multiple of its type's alignment +FAILURE\ +unsafe { *raw_ptr } == 10 +SUCCESS\ +pointer NULL +SUCCESS\ +pointer invalid +SUCCESS\ +deallocated dynamic object +FAILURE\ +dead object +SUCCESS\ +pointer outside object bounds +SUCCESS\ +invalid integer address diff --git a/tests/expected/dead-invalid-access-via-raw/main.rs b/tests/expected/dead-invalid-access-via-raw/main.rs new file mode 100644 index 000000000000..ed3ea655839e --- /dev/null +++ b/tests/expected/dead-invalid-access-via-raw/main.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test checks an issue reported in github.com/model-checking/kani#3063. +// The access of the raw pointer should fail because the value being dereferenced has gone out of +// scope at the time of access. + +#[kani::proof] +pub fn check_invalid_ptr() { + let raw_ptr = { + let var = 10; + &var as *const _ + }; + + // This should fail since it is de-referencing a dead object. + assert_eq!(unsafe { *raw_ptr }, 10); +} diff --git a/tests/expected/dead-invalid-access-via-raw/value.expected b/tests/expected/dead-invalid-access-via-raw/value.expected new file mode 100644 index 000000000000..858d44d54ea4 --- /dev/null +++ b/tests/expected/dead-invalid-access-via-raw/value.expected @@ -0,0 +1,2 @@ +Failed Checks: assertion failed: *p_subscoped == 7 +Failed Checks: dereference failure: dead object diff --git a/tests/kani/Pointers_OutOfScopeFail/fixme_main.rs b/tests/expected/dead-invalid-access-via-raw/value.rs similarity index 96% rename from tests/kani/Pointers_OutOfScopeFail/fixme_main.rs rename to tests/expected/dead-invalid-access-via-raw/value.rs index 5bbcb93930bb..6160325174b7 100644 --- a/tests/kani/Pointers_OutOfScopeFail/fixme_main.rs +++ b/tests/expected/dead-invalid-access-via-raw/value.rs @@ -1,6 +1,5 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// kani-verify-fail #[kani::proof] fn main() { diff --git a/tests/expected/derive-invariant/empty_struct/empty_struct.rs b/tests/expected/derive-invariant/empty_struct/empty_struct.rs new file mode 100644 index 000000000000..4c931ce8aedc --- /dev/null +++ b/tests/expected/derive-invariant/empty_struct/empty_struct.rs @@ -0,0 +1,37 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for empty structs. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Void; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Void2(()); + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct VoidOfVoid(Void, Void2); + +#[kani::proof] +fn check_empty_struct_invariant_1() { + let void1: Void = kani::any(); + assert!(void1.is_safe()); +} + +#[kani::proof] +fn check_empty_struct_invariant_2() { + let void2: Void2 = kani::any(); + assert!(void2.is_safe()); +} + +#[kani::proof] +fn check_empty_struct_invariant_3() { + let void3: VoidOfVoid = kani::any(); + assert!(void3.is_safe()); +} diff --git a/tests/expected/derive-invariant/empty_struct/expected b/tests/expected/derive-invariant/empty_struct/expected new file mode 100644 index 000000000000..8fdca72b1ead --- /dev/null +++ b/tests/expected/derive-invariant/empty_struct/expected @@ -0,0 +1,8 @@ + - Status: SUCCESS\ + - Description: "assertion failed: void1.is_safe()" + + - Status: SUCCESS\ + - Description: "assertion failed: void2.is_safe()" + + - Status: SUCCESS\ + - Description: "assertion failed: void3.is_safe()" diff --git a/tests/expected/derive-invariant/generic_struct/expected b/tests/expected/derive-invariant/generic_struct/expected new file mode 100644 index 000000000000..5e5886bb3e45 --- /dev/null +++ b/tests/expected/derive-invariant/generic_struct/expected @@ -0,0 +1,2 @@ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" diff --git a/tests/expected/derive-invariant/generic_struct/generic_struct.rs b/tests/expected/derive-invariant/generic_struct/generic_struct.rs new file mode 100644 index 000000000000..91c62fac8ece --- /dev/null +++ b/tests/expected/derive-invariant/generic_struct/generic_struct.rs @@ -0,0 +1,20 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for structs with generics. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Point { + x: X, + y: Y, +} + +#[kani::proof] +fn check_generic_struct_invariant() { + let point: Point = kani::any(); + assert!(point.is_safe()); +} diff --git a/tests/expected/derive-invariant/invariant_fail/expected b/tests/expected/derive-invariant/invariant_fail/expected new file mode 100644 index 000000000000..511d5901e154 --- /dev/null +++ b/tests/expected/derive-invariant/invariant_fail/expected @@ -0,0 +1,4 @@ + - Status: FAILURE\ + - Description: "assertion failed: wrapper.is_safe()" + +Verification failed for - check_invariant_fail diff --git a/tests/expected/derive-invariant/invariant_fail/invariant_fail.rs b/tests/expected/derive-invariant/invariant_fail/invariant_fail.rs new file mode 100644 index 000000000000..b1d6f8679835 --- /dev/null +++ b/tests/expected/derive-invariant/invariant_fail/invariant_fail.rs @@ -0,0 +1,33 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that a verification failure is triggered when the derived `Invariant` +//! method is checked but not satisfied. + +extern crate kani; +use kani::Invariant; +// Note: This represents an incorrect usage of `Arbitrary` and `Invariant`. +// +// The `Arbitrary` implementation should respect the type invariant, +// but Kani does not enforce this in any way at the moment. +// +#[derive(kani::Arbitrary)] +struct NotNegative(i32); + +impl kani::Invariant for NotNegative { + fn is_safe(&self) -> bool { + self.0 >= 0 + } +} + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct NotNegativeWrapper { + x: NotNegative, +} + +#[kani::proof] +fn check_invariant_fail() { + let wrapper: NotNegativeWrapper = kani::any(); + assert!(wrapper.is_safe()); +} diff --git a/tests/expected/derive-invariant/named_struct/expected b/tests/expected/derive-invariant/named_struct/expected new file mode 100644 index 000000000000..5e5886bb3e45 --- /dev/null +++ b/tests/expected/derive-invariant/named_struct/expected @@ -0,0 +1,2 @@ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" diff --git a/tests/expected/derive-invariant/named_struct/named_struct.rs b/tests/expected/derive-invariant/named_struct/named_struct.rs new file mode 100644 index 000000000000..7e27404bda11 --- /dev/null +++ b/tests/expected/derive-invariant/named_struct/named_struct.rs @@ -0,0 +1,20 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for structs with named fields. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Point { + x: i32, + y: i32, +} + +#[kani::proof] +fn check_generic_struct_invariant() { + let point: Point = kani::any(); + assert!(point.is_safe()); +} diff --git a/tests/expected/derive-invariant/unnamed_struct/expected b/tests/expected/derive-invariant/unnamed_struct/expected new file mode 100644 index 000000000000..5e5886bb3e45 --- /dev/null +++ b/tests/expected/derive-invariant/unnamed_struct/expected @@ -0,0 +1,2 @@ + - Status: SUCCESS\ + - Description: "assertion failed: point.is_safe()" diff --git a/tests/expected/derive-invariant/unnamed_struct/unnamed_struct.rs b/tests/expected/derive-invariant/unnamed_struct/unnamed_struct.rs new file mode 100644 index 000000000000..5dee718d05a6 --- /dev/null +++ b/tests/expected/derive-invariant/unnamed_struct/unnamed_struct.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that Kani can automatically derive `Invariant` for structs with unnamed fields. + +extern crate kani; +use kani::Invariant; + +#[derive(kani::Arbitrary)] +#[derive(kani::Invariant)] +struct Point(i32, i32); + +#[kani::proof] +fn check_generic_struct_invariant() { + let point: Point = kani::any(); + assert!(point.is_safe()); +} diff --git a/tests/expected/function-contract/arbitrary_ensures_fail.expected b/tests/expected/function-contract/arbitrary_ensures_fail.expected index 0a59d2cea5eb..4b70f8364e05 100644 --- a/tests/expected/function-contract/arbitrary_ensures_fail.expected +++ b/tests/expected/function-contract/arbitrary_ensures_fail.expected @@ -1,6 +1,6 @@ assertion\ - Status: FAILURE\ -- Description: "result == x"\ +- Description: "|result : &u32| *result == x"\ in function max VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/arbitrary_ensures_fail.rs b/tests/expected/function-contract/arbitrary_ensures_fail.rs index 91638b1cc037..8d66402180d7 100644 --- a/tests/expected/function-contract/arbitrary_ensures_fail.rs +++ b/tests/expected/function-contract/arbitrary_ensures_fail.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result == x)] +#[kani::ensures(|result : &u32| *result == x)] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/arbitrary_ensures_pass.expected b/tests/expected/function-contract/arbitrary_ensures_pass.expected index 85619fa84c22..9eee213789b9 100644 --- a/tests/expected/function-contract/arbitrary_ensures_pass.expected +++ b/tests/expected/function-contract/arbitrary_ensures_pass.expected @@ -1,6 +1,6 @@ assertion\ - Status: SUCCESS\ -- Description: "result == x || result == y"\ +- Description: "|result : &u32| *result == x || *result == y"\ in function max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/arbitrary_ensures_pass.rs b/tests/expected/function-contract/arbitrary_ensures_pass.rs index df8d3a2361fb..86302f705925 100644 --- a/tests/expected/function-contract/arbitrary_ensures_pass.rs +++ b/tests/expected/function-contract/arbitrary_ensures_pass.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result == x || result == y)] +#[kani::ensures(|result : &u32| *result == x || *result == y)] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/arbitrary_requires_fail.rs b/tests/expected/function-contract/arbitrary_requires_fail.rs index d052e19b0335..78ab1b77bf10 100644 --- a/tests/expected/function-contract/arbitrary_requires_fail.rs +++ b/tests/expected/function-contract/arbitrary_requires_fail.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/attribute_complain.rs b/tests/expected/function-contract/attribute_complain.rs index f16e975c2001..8532889e1eca 100644 --- a/tests/expected/function-contract/attribute_complain.rs +++ b/tests/expected/function-contract/attribute_complain.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn always() {} #[kani::proof_for_contract(always)] diff --git a/tests/expected/function-contract/attribute_no_complain.rs b/tests/expected/function-contract/attribute_no_complain.rs index bcf1f0cadafd..b3004b24f4d4 100644 --- a/tests/expected/function-contract/attribute_no_complain.rs +++ b/tests/expected/function-contract/attribute_no_complain.rs @@ -1,7 +1,7 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn always() {} #[kani::proof] diff --git a/tests/expected/function-contract/checking_from_external_mod.expected b/tests/expected/function-contract/checking_from_external_mod.expected index c31b5c389fc8..e181e6b2ad17 100644 --- a/tests/expected/function-contract/checking_from_external_mod.expected +++ b/tests/expected/function-contract/checking_from_external_mod.expected @@ -1,5 +1,5 @@ - Status: SUCCESS\ -- Description: "(result == x) | (result == y)"\ +- Description: "|result : &u32| (*result == x) | (*result == y)"\ in function max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/checking_from_external_mod.rs b/tests/expected/function-contract/checking_from_external_mod.rs index 43d1551f9aef..ea01cfadd511 100644 --- a/tests/expected/function-contract/checking_from_external_mod.rs +++ b/tests/expected/function-contract/checking_from_external_mod.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures((result == x) | (result == y))] +#[kani::ensures(|result : &u32| (*result == x) | (*result == y))] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/checking_in_impl.expected b/tests/expected/function-contract/checking_in_impl.expected index d5a390be8425..cfe84c06fc85 100644 --- a/tests/expected/function-contract/checking_in_impl.expected +++ b/tests/expected/function-contract/checking_in_impl.expected @@ -1,5 +1,5 @@ - Status: SUCCESS\ -- Description: "(result == self) | (result == y)"\ +- Description: "|result : &WrappedInt| (*result == self) | (*result == y)"\ in function WrappedInt::max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/checking_in_impl.rs b/tests/expected/function-contract/checking_in_impl.rs index 7d5c0506d9df..8721e7fffb7f 100644 --- a/tests/expected/function-contract/checking_in_impl.rs +++ b/tests/expected/function-contract/checking_in_impl.rs @@ -8,7 +8,7 @@ extern crate kani; struct WrappedInt(u32); impl WrappedInt { - #[kani::ensures((result == self) | (result == y))] + #[kani::ensures(|result : &WrappedInt| (*result == self) | (*result == y))] fn max(self, y: WrappedInt) -> WrappedInt { Self(if self.0 > y.0 { self.0 } else { y.0 }) } diff --git a/tests/expected/function-contract/const_fn.expected b/tests/expected/function-contract/const_fn.expected new file mode 100644 index 000000000000..10cf9fe451f0 --- /dev/null +++ b/tests/expected/function-contract/const_fn.expected @@ -0,0 +1,2 @@ +Checking harness check... +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/const_fn.rs b/tests/expected/function-contract/const_fn.rs new file mode 100644 index 000000000000..44b937cedce4 --- /dev/null +++ b/tests/expected/function-contract/const_fn.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts -Zmem-predicates + +//! Check that Kani contract can be applied to a constant function. +//! + +#[kani::requires(kani::mem::can_dereference(arg))] +const unsafe fn dummy(arg: *const T) -> T { + std::ptr::read(arg) +} + +#[kani::proof_for_contract(dummy)] +fn check() { + unsafe { dummy(&kani::any::()) }; +} diff --git a/tests/expected/function-contract/const_fn_with_effect.expected b/tests/expected/function-contract/const_fn_with_effect.expected new file mode 100644 index 000000000000..10cf9fe451f0 --- /dev/null +++ b/tests/expected/function-contract/const_fn_with_effect.expected @@ -0,0 +1,2 @@ +Checking harness check... +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/const_fn_with_effect.rs b/tests/expected/function-contract/const_fn_with_effect.rs new file mode 100644 index 000000000000..d57c1f42fe16 --- /dev/null +++ b/tests/expected/function-contract/const_fn_with_effect.rs @@ -0,0 +1,18 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts -Zmem-predicates + +//! Check that Kani contract can be applied to a constant function. +//! + +#![feature(effects)] + +#[kani::requires(kani::mem::can_dereference(arg))] +const unsafe fn dummy(arg: *const T) -> T { + std::ptr::read(arg) +} + +#[kani::proof_for_contract(dummy)] +fn check() { + unsafe { dummy(&kani::any::()) }; +} diff --git a/tests/expected/function-contract/diverging_loop.expected b/tests/expected/function-contract/diverging_loop.expected new file mode 100644 index 000000000000..05c2856a7c31 --- /dev/null +++ b/tests/expected/function-contract/diverging_loop.expected @@ -0,0 +1,3 @@ +Failed Checks: unwinding assertion loop 0 + +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/diverging_loop.rs b/tests/expected/function-contract/diverging_loop.rs new file mode 100644 index 000000000000..219f723494f7 --- /dev/null +++ b/tests/expected/function-contract/diverging_loop.rs @@ -0,0 +1,15 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +#[kani::ensures(|result : &i32| *result == 1)] +fn foo() -> i32 { + loop {} + 2 +} + +#[kani::proof_for_contract(foo)] +#[kani::unwind(1)] +fn check_foo() { + let _ = foo(); +} diff --git a/tests/expected/function-contract/fail_on_two.expected b/tests/expected/function-contract/fail_on_two.expected index 32fc28012d3a..79cc3d572af0 100644 --- a/tests/expected/function-contract/fail_on_two.expected +++ b/tests/expected/function-contract/fail_on_two.expected @@ -7,6 +7,6 @@ Failed Checks: internal error: entered unreachable code: fail on two assertion\ - Status: FAILURE\ -- Description: "result < 3" +- Description: "|result : &i32| *result < 3" -Failed Checks: result < 3 +Failed Checks: |result : &i32| *result < 3 diff --git a/tests/expected/function-contract/fail_on_two.rs b/tests/expected/function-contract/fail_on_two.rs index 4302cdc7da33..32ad74c31cd9 100644 --- a/tests/expected/function-contract/fail_on_two.rs +++ b/tests/expected/function-contract/fail_on_two.rs @@ -16,7 +16,8 @@ //! once because the postcondition is violated). If instead the hypothesis (e.g. //! contract replacement) is used we'd expect the verification to succeed. -#[kani::ensures(result < 3)] +#[kani::ensures(|result : &i32| *result < 3)] +#[kani::recursion] fn fail_on_two(i: i32) -> i32 { match i { 0 => fail_on_two(i + 1), @@ -31,7 +32,8 @@ fn harness() { let _ = fail_on_two(first); } -#[kani::ensures(result < 3)] +#[kani::ensures(|result : &i32| *result < 3)] +#[kani::recursion] fn fail_on_two_in_postcondition(i: i32) -> i32 { let j = i + 1; if i < 2 { fail_on_two_in_postcondition(j) } else { j } diff --git a/tests/expected/function-contract/gcd_failure_code.expected b/tests/expected/function-contract/gcd_failure_code.expected index c7fe5a721abb..ca21817c8329 100644 --- a/tests/expected/function-contract/gcd_failure_code.expected +++ b/tests/expected/function-contract/gcd_failure_code.expected @@ -1,8 +1,8 @@ assertion\ - Status: FAILURE\ -- Description: "result != 0 && x % result == 0 && y % result == 0"\ +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0"\ in function gcd -Failed Checks: result != 0 && x % result == 0 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 0 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_failure_code.rs b/tests/expected/function-contract/gcd_failure_code.rs index f76e04b75fee..118cc3c930e5 100644 --- a/tests/expected/function-contract/gcd_failure_code.rs +++ b/tests/expected/function-contract/gcd_failure_code.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_failure_contract.expected b/tests/expected/function-contract/gcd_failure_contract.expected index aeadfb563ab9..4bb02ab36f49 100644 --- a/tests/expected/function-contract/gcd_failure_contract.expected +++ b/tests/expected/function-contract/gcd_failure_contract.expected @@ -1,8 +1,8 @@ assertion\ - Status: FAILURE\ -- Description: "result != 0 && x % result == 1 && y % result == 0"\ +- Description: "|result : &T| *result != 0 && x % *result == 1 && y % *result == 0"\ in function gcd\ -Failed Checks: result != 0 && x % result == 1 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 1 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_failure_contract.rs b/tests/expected/function-contract/gcd_failure_contract.rs index 6b835466c5a0..d4eea8ceb98c 100644 --- a/tests/expected/function-contract/gcd_failure_contract.rs +++ b/tests/expected/function-contract/gcd_failure_contract.rs @@ -5,8 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -// Changed `0` to `1` in `x % result == 0` to mess with this contract -#[kani::ensures(result != 0 && x % result == 1 && y % result == 0)] +// Changed `0` to `1` in `x % *result == 0` to mess with this contract +#[kani::ensures(|result : &T| *result != 0 && x % *result == 1 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_code_fail.expected b/tests/expected/function-contract/gcd_rec_code_fail.expected index 80dbaadbf4c7..863392098be4 100644 --- a/tests/expected/function-contract/gcd_rec_code_fail.expected +++ b/tests/expected/function-contract/gcd_rec_code_fail.expected @@ -1,3 +1,3 @@ -Failed Checks: result != 0 && x % result == 0 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 0 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_rec_code_fail.rs b/tests/expected/function-contract/gcd_rec_code_fail.rs index 5f63cb247ebf..90260f56d4dc 100644 --- a/tests/expected/function-contract/gcd_rec_code_fail.rs +++ b/tests/expected/function-contract/gcd_rec_code_fail.rs @@ -5,7 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +#[kani::recursion] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_comparison_pass.expected b/tests/expected/function-contract/gcd_rec_comparison_pass.expected index da647dfd40aa..0556bfc50204 100644 --- a/tests/expected/function-contract/gcd_rec_comparison_pass.expected +++ b/tests/expected/function-contract/gcd_rec_comparison_pass.expected @@ -4,6 +4,6 @@ assertion\ assertion\ - Status: SUCCESS\ -- Description: "result != 0 && x % result == 0 && y % result == 0" +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0" VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/gcd_rec_comparison_pass.rs b/tests/expected/function-contract/gcd_rec_comparison_pass.rs index b08d94504bf7..ae5fbbe9b60f 100644 --- a/tests/expected/function-contract/gcd_rec_comparison_pass.rs +++ b/tests/expected/function-contract/gcd_rec_comparison_pass.rs @@ -5,7 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +#[kani::recursion] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_contract_fail.expected b/tests/expected/function-contract/gcd_rec_contract_fail.expected index bfb470192a39..6cc0354ca89a 100644 --- a/tests/expected/function-contract/gcd_rec_contract_fail.expected +++ b/tests/expected/function-contract/gcd_rec_contract_fail.expected @@ -1,3 +1,3 @@ -Failed Checks: result != 0 && x % result == 1 && y % result == 0 +Failed Checks: |result : &T| *result != 0 && x % *result == 1 && y % *result == 0 VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/gcd_rec_contract_fail.rs b/tests/expected/function-contract/gcd_rec_contract_fail.rs index 3fe34cb2effc..2306db0e9353 100644 --- a/tests/expected/function-contract/gcd_rec_contract_fail.rs +++ b/tests/expected/function-contract/gcd_rec_contract_fail.rs @@ -6,7 +6,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] // Changed `0` to `1` in `x % result == 0` to mess with this contract -#[kani::ensures(result != 0 && x % result == 1 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 1 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_replacement_pass.rs b/tests/expected/function-contract/gcd_rec_replacement_pass.rs index d8a5bbd234ed..0fd04b0076ba 100644 --- a/tests/expected/function-contract/gcd_rec_replacement_pass.rs +++ b/tests/expected/function-contract/gcd_rec_replacement_pass.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_rec_simple_pass.expected b/tests/expected/function-contract/gcd_rec_simple_pass.expected index da647dfd40aa..0556bfc50204 100644 --- a/tests/expected/function-contract/gcd_rec_simple_pass.expected +++ b/tests/expected/function-contract/gcd_rec_simple_pass.expected @@ -4,6 +4,6 @@ assertion\ assertion\ - Status: SUCCESS\ -- Description: "result != 0 && x % result == 0 && y % result == 0" +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0" VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/gcd_rec_simple_pass.rs b/tests/expected/function-contract/gcd_rec_simple_pass.rs index ae55efa62b45..626a48aa5ec2 100644 --- a/tests/expected/function-contract/gcd_rec_simple_pass.rs +++ b/tests/expected/function-contract/gcd_rec_simple_pass.rs @@ -5,7 +5,8 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +#[kani::recursion] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_replacement_fail.rs b/tests/expected/function-contract/gcd_replacement_fail.rs index 8bd59c5c14fe..0186a369c3b2 100644 --- a/tests/expected/function-contract/gcd_replacement_fail.rs +++ b/tests/expected/function-contract/gcd_replacement_fail.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_replacement_pass.rs b/tests/expected/function-contract/gcd_replacement_pass.rs index 9827dd3a1512..b45241198737 100644 --- a/tests/expected/function-contract/gcd_replacement_pass.rs +++ b/tests/expected/function-contract/gcd_replacement_pass.rs @@ -5,7 +5,7 @@ type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] fn gcd(x: T, y: T) -> T { let mut max = x; let mut min = y; diff --git a/tests/expected/function-contract/gcd_success.expected b/tests/expected/function-contract/gcd_success.expected index 73b531d424b9..e5885dd11179 100644 --- a/tests/expected/function-contract/gcd_success.expected +++ b/tests/expected/function-contract/gcd_success.expected @@ -1,6 +1,6 @@ assertion\ - Status: SUCCESS\ -- Description: "result != 0 && x % result == 0 && y % result == 0"\ +- Description: "|result : &T| *result != 0 && x % *result == 0 && y % *result == 0"\ in function gcd VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/gcd_success.rs b/tests/expected/function-contract/gcd_success.rs index d3a2c75b7d20..61d8fea8ec80 100644 --- a/tests/expected/function-contract/gcd_success.rs +++ b/tests/expected/function-contract/gcd_success.rs @@ -1,28 +1,22 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts +#![deny(warnings)] type T = u8; /// Euclid's algorithm for calculating the GCD of two numbers #[kani::requires(x != 0 && y != 0)] -#[kani::ensures(result != 0 && x % result == 0 && y % result == 0)] -fn gcd(x: T, y: T) -> T { - let mut max = x; - let mut min = y; - if min > max { - let val = max; - max = min; - min = val; - } - +#[kani::ensures(|result : &T| *result != 0 && x % *result == 0 && y % *result == 0)] +fn gcd(mut x: T, mut y: T) -> T { + (x, y) = (if x > y { x } else { y }, if x > y { y } else { x }); loop { - let res = max % min; + let res = x % y; if res == 0 { - return min; + return y; } - max = min; - min = res; + x = y; + y = res; } } diff --git a/tests/expected/function-contract/generic_infinity_recursion.expected b/tests/expected/function-contract/generic_infinity_recursion.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/generic_infinity_recursion.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/generic_infinity_recursion.rs b/tests/expected/function-contract/generic_infinity_recursion.rs new file mode 100644 index 000000000000..7512b4e1e461 --- /dev/null +++ b/tests/expected/function-contract/generic_infinity_recursion.rs @@ -0,0 +1,18 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check Kani handling of generics and recursion with function contracts. + +#[kani::requires(x != 0)] +#[kani::recursion] +fn foo>(x: T) { + assert_ne!(x, 0); + foo(x); +} + +#[kani::proof_for_contract(foo)] +fn foo_harness() { + let input: i32 = kani::any(); + foo(input); +} diff --git a/tests/expected/function-contract/modifies/check_invalid_modifies.expected b/tests/expected/function-contract/modifies/check_invalid_modifies.expected new file mode 100644 index 000000000000..660430705aa2 --- /dev/null +++ b/tests/expected/function-contract/modifies/check_invalid_modifies.expected @@ -0,0 +1,7 @@ +error: `&str` doesn't implement `kani::Arbitrary`\ + -->\ +| +| T::any() +| ^^^^^^^^ +| += help: All objects in the modifies clause must implement the Arbitrary. The return type must also implement the Arbitrary trait if you are checking recursion or using verified stub. diff --git a/tests/expected/function-contract/modifies/check_invalid_modifies.rs b/tests/expected/function-contract/modifies/check_invalid_modifies.rs new file mode 100644 index 000000000000..5cd832d0f456 --- /dev/null +++ b/tests/expected/function-contract/modifies/check_invalid_modifies.rs @@ -0,0 +1,27 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that Kani reports the correct error message when modifies clause +//! includes objects of types that do not implement `kani::Arbitrary`. +//! This restriction is only applied when using contracts as verified stubs. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) -> &'static str { + *ptr += 1; + let msg: &'static str = "done"; + msg +} + +fn use_modify(ptr: &mut u32) { + *ptr = 99; + assert!(modify(ptr) == "done"); +} + +#[kani::proof] +#[kani::stub_verified(modify)] +fn harness() { + let mut i = kani::any_where(|x| *x < 100); + use_modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/check_only_verification.expected b/tests/expected/function-contract/modifies/check_only_verification.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/modifies/check_only_verification.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/check_only_verification.rs b/tests/expected/function-contract/modifies/check_only_verification.rs new file mode 100644 index 000000000000..9f3fb3614733 --- /dev/null +++ b/tests/expected/function-contract/modifies/check_only_verification.rs @@ -0,0 +1,34 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that Kani does not report any error when unused modifies clauses +//! includes objects of types that do not implement `kani::Arbitrary`. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +#[kani::ensures(|result : &u32| *result == 100)] +fn modify(ptr: &mut u32) -> u32 { + *ptr += 1; + *ptr +} + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn wrong_modify(ptr: &mut u32) -> &'static str { + *ptr += 1; + let msg: &'static str = "done"; + msg +} + +fn use_modify(ptr: &mut u32) { + *ptr = 99; + assert!(modify(ptr) == 100); +} + +#[kani::proof] +#[kani::stub_verified(modify)] +fn harness() { + let mut i = kani::any_where(|x| *x < 100); + use_modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/expr_pass.rs b/tests/expected/function-contract/modifies/expr_pass.rs index 65e561df48a2..9a6f46a6aaaa 100644 --- a/tests/expected/function-contract/modifies/expr_pass.rs +++ b/tests/expected/function-contract/modifies/expr_pass.rs @@ -7,7 +7,7 @@ #[kani::requires(**ptr < 100)] #[kani::modifies(ptr.as_ref())] -#[kani::ensures(**ptr < 101)] +#[kani::ensures(|result| **ptr < 101)] fn modify(ptr: &mut Box) { *ptr.as_mut() += 1; } diff --git a/tests/expected/function-contract/modifies/expr_replace_pass.rs b/tests/expected/function-contract/modifies/expr_replace_pass.rs index 8be1ef2cbaee..779280dd46b4 100644 --- a/tests/expected/function-contract/modifies/expr_replace_pass.rs +++ b/tests/expected/function-contract/modifies/expr_replace_pass.rs @@ -4,7 +4,7 @@ #[kani::requires(**ptr < 100)] #[kani::modifies(ptr.as_ref())] -#[kani::ensures(**ptr == prior + 1)] +#[kani::ensures(|result| **ptr == prior + 1)] fn modify(ptr: &mut Box, prior: u32) { *ptr.as_mut() += 1; } diff --git a/tests/expected/function-contract/modifies/fail_missing_recursion_attr.expected b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.expected new file mode 100644 index 000000000000..6591cf27a8db --- /dev/null +++ b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.expected @@ -0,0 +1 @@ +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/modifies/fail_missing_recursion_attr.rs b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.rs new file mode 100644 index 000000000000..5e9b96e021f7 --- /dev/null +++ b/tests/expected/function-contract/modifies/fail_missing_recursion_attr.rs @@ -0,0 +1,21 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check whether Kani fails if users forgot to annotate recursive +//! functions with `#[kani::recursion]` when using function contracts. + +#[kani::ensures(|result : &i32| *result < 3)] +fn fail_on_two(i: i32) -> i32 { + match i { + 0 => fail_on_two(i + 1), + 1 => 2, + _ => unreachable!("fail on two"), + } +} + +#[kani::proof_for_contract(fail_on_two)] +fn harness() { + let first = fail_on_two(0); + let _ = fail_on_two(first); +} diff --git a/tests/expected/function-contract/modifies/field_replace_pass.rs b/tests/expected/function-contract/modifies/field_replace_pass.rs index a6ae4ea4a7e0..1bbbaf31121a 100644 --- a/tests/expected/function-contract/modifies/field_replace_pass.rs +++ b/tests/expected/function-contract/modifies/field_replace_pass.rs @@ -8,7 +8,7 @@ struct S<'a> { } #[kani::requires(*s.target < 100)] #[kani::modifies(s.target)] -#[kani::ensures(*s.target == prior + 1)] +#[kani::ensures(|result| *s.target == prior + 1)] fn modify(s: S, prior: u32) { *s.target += 1; } diff --git a/tests/expected/function-contract/modifies/global_replace_pass.rs b/tests/expected/function-contract/modifies/global_replace_pass.rs index 333348f25ce4..69d36bd96033 100644 --- a/tests/expected/function-contract/modifies/global_replace_pass.rs +++ b/tests/expected/function-contract/modifies/global_replace_pass.rs @@ -5,7 +5,7 @@ static mut PTR: u32 = 0; #[kani::modifies(&mut PTR)] -#[kani::ensures(PTR == src)] +#[kani::ensures(|result| PTR == src)] unsafe fn modify(src: u32) { PTR = src; } diff --git a/tests/expected/function-contract/modifies/havoc_pass.rs b/tests/expected/function-contract/modifies/havoc_pass.rs index aa5bcada1a26..ebdd139727d3 100644 --- a/tests/expected/function-contract/modifies/havoc_pass.rs +++ b/tests/expected/function-contract/modifies/havoc_pass.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts #[kani::modifies(dst)] -#[kani::ensures(*dst == src)] +#[kani::ensures(|result| *dst == src)] fn copy(src: u32, dst: &mut u32) { *dst = src; } diff --git a/tests/expected/function-contract/modifies/havoc_pass_reordered.rs b/tests/expected/function-contract/modifies/havoc_pass_reordered.rs index dc5f370179e5..43581ee677a6 100644 --- a/tests/expected/function-contract/modifies/havoc_pass_reordered.rs +++ b/tests/expected/function-contract/modifies/havoc_pass_reordered.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts // These two are reordered in comparison to `havoc_pass` and we expect the test case to pass still -#[kani::ensures(*dst == src)] +#[kani::ensures(|result| *dst == src)] #[kani::modifies(dst)] fn copy(src: u32, dst: &mut u32) { *dst = src; diff --git a/tests/expected/function-contract/modifies/mistake_condition_return.expected b/tests/expected/function-contract/modifies/mistake_condition_return.expected new file mode 100644 index 000000000000..ad1cbf4f72d2 --- /dev/null +++ b/tests/expected/function-contract/modifies/mistake_condition_return.expected @@ -0,0 +1,3 @@ +Failed Checks: assertion failed: res == 100 + +VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/modifies/mistake_condition_return.rs b/tests/expected/function-contract/modifies/mistake_condition_return.rs new file mode 100644 index 000000000000..b2d6ad6a8a55 --- /dev/null +++ b/tests/expected/function-contract/modifies/mistake_condition_return.rs @@ -0,0 +1,39 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Provide an example where users might get confuse on how to constrain +//! the return value of functions when writing function contracts. +//! In this case, users must remember that when using contracts as +//! verified stubs, the return value will be havoced. To retrict the return +//! value of a function, users may use the `result` keyword in their +//! ensures clauses. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +// In this case, one may think that by assuming `*ptr == 100`, automatically +// we can assume the return value of this function will also be equal to 100. +// However, contract instrumentation will create a separate non-deterministic +// value to return in this function that can only be constrained by using the +// `result` keyword. Thus the correct condition would be +// `#[kani::ensures(|result| result == 100)]`. +#[kani::ensures(|result| *ptr == 100)] +fn modify(ptr: &mut u32) -> u32 { + *ptr += 1; + *ptr +} + +fn use_modify(ptr: &mut u32) { + *ptr = 99; + let res = modify(ptr); + // This assertion won't hold because the return + // value of `modify` is unconstrained. + assert!(res == 100); +} + +#[kani::proof] +#[kani::stub_verified(modify)] +fn harness() { + let mut i = kani::any(); + use_modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/refcell_fixme.rs b/tests/expected/function-contract/modifies/refcell_fixme.rs index 8ae9cb390eb7..9cfac8777959 100644 --- a/tests/expected/function-contract/modifies/refcell_fixme.rs +++ b/tests/expected/function-contract/modifies/refcell_fixme.rs @@ -1,3 +1,5 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT use std::cell::RefCell; use std::ops::Deref; diff --git a/tests/expected/function-contract/modifies/simple_only_verification.expected b/tests/expected/function-contract/modifies/simple_only_verification.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/simple_only_verification.rs b/tests/expected/function-contract/modifies/simple_only_verification.rs new file mode 100644 index 000000000000..34d625485817 --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that is possible to use `modifies` clause for verifciation, but not stubbing. +//! Using contracts as verified stubs require users to ensure the type of any object in +//! the modifies clause (including return types) to implement `kani::Arbitrary`. +//! This requirement is not necessary if the contract is only used for verification. + +#[kani::requires(*ptr < 100)] +#[kani::modifies(ptr)] +fn modify(ptr: &mut u32) -> &'static str { + *ptr += 1; + let msg: &'static str = "done"; + msg +} + +#[kani::proof_for_contract(modify)] +fn harness() { + let mut i = kani::any_where(|x| *x < 100); + modify(&mut i); +} diff --git a/tests/expected/function-contract/modifies/simple_only_verification_modifies.expected b/tests/expected/function-contract/modifies/simple_only_verification_modifies.expected new file mode 100644 index 000000000000..34c886c358cb --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification_modifies.expected @@ -0,0 +1 @@ +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/simple_only_verification_modifies.rs b/tests/expected/function-contract/modifies/simple_only_verification_modifies.rs new file mode 100644 index 000000000000..4988dcb69c56 --- /dev/null +++ b/tests/expected/function-contract/modifies/simple_only_verification_modifies.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts + +//! Check that is possible to use `modifies` clause for verification, but not stubbing. +//! Here, we cover the case when the modifies clause contains references to function +//! parameters of generic types. Noticed that here the type T is not annotated with +//! `kani::Arbitrary` since this is no longer a requirement if the contract is only +//! use for verification. + +pub mod contracts { + #[kani::modifies(x)] + #[kani::modifies(y)] + pub fn swap(x: &mut T, y: &mut T) { + core::mem::swap(x, y) + } +} + +mod verify { + use super::*; + + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_primitive() { + let mut x: u8 = kani::any(); + let mut y: u8 = kani::any(); + contracts::swap(&mut x, &mut y) + } +} diff --git a/tests/expected/function-contract/modifies/unique_arguments.rs b/tests/expected/function-contract/modifies/unique_arguments.rs index 396ba4c5b036..ea4502bde2ad 100644 --- a/tests/expected/function-contract/modifies/unique_arguments.rs +++ b/tests/expected/function-contract/modifies/unique_arguments.rs @@ -4,8 +4,8 @@ #[kani::modifies(a)] #[kani::modifies(b)] -#[kani::ensures(*a == 1)] -#[kani::ensures(*b == 2)] +#[kani::ensures(|result| *a == 1)] +#[kani::ensures(|result| *b == 2)] fn two_pointers(a: &mut u32, b: &mut u32) { *a = 1; *b = 2; diff --git a/tests/expected/function-contract/modifies/vec_pass.expected b/tests/expected/function-contract/modifies/vec_pass.expected index d31486f2dcc6..4d5407fdd850 100644 --- a/tests/expected/function-contract/modifies/vec_pass.expected +++ b/tests/expected/function-contract/modifies/vec_pass.expected @@ -15,6 +15,6 @@ in function modify_replace assertion\ - Status: SUCCESS\ -- Description: "v[0] == src" +- Description: "|result| v[0] == src" VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/modifies/vec_pass.rs b/tests/expected/function-contract/modifies/vec_pass.rs index 1e40a2a08eb7..e3ac28ac3b3d 100644 --- a/tests/expected/function-contract/modifies/vec_pass.rs +++ b/tests/expected/function-contract/modifies/vec_pass.rs @@ -4,7 +4,7 @@ #[kani::requires(v.len() > 0)] #[kani::modifies(&v[0])] -#[kani::ensures(v[0] == src)] +#[kani::ensures(|result| v[0] == src)] fn modify(v: &mut Vec, src: u32) { v[0] = src } diff --git a/tests/expected/function-contract/pattern_use.rs b/tests/expected/function-contract/pattern_use.rs index a51312acd2f0..ead1c1538b4d 100644 --- a/tests/expected/function-contract/pattern_use.rs +++ b/tests/expected/function-contract/pattern_use.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div((dividend, divisor): (u32, u32)) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs b/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs index 3d88fc0926ed..1b3653951ad1 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_const_ptr.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_pointer(t: *const bool) {} #[kani::proof_for_contract(allowed_pointer)] diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs b/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs index 22771f76632d..2c41bf28d741 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_mut_ref.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_mut_ref(t: &mut bool) {} #[kani::proof_for_contract(allowed_mut_ref)] diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs b/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs index e5151396898d..fdab681e0c05 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_mut_return_ref.rs @@ -17,7 +17,7 @@ impl<'a> kani::Arbitrary for ArbitraryPointer<&'a mut bool> { } } -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_mut_return_ref<'a>() -> ArbitraryPointer<&'a mut bool> { ArbitraryPointer(unsafe { &mut B as &'a mut bool }) } diff --git a/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs b/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs index 3dd4145eff9c..cef3e87ee0f2 100644 --- a/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs +++ b/tests/expected/function-contract/prohibit-pointers/allowed_ref.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn allowed_ref(t: &bool) {} #[kani::proof_for_contract(allowed_ref)] diff --git a/tests/expected/function-contract/prohibit-pointers/hidden.expected b/tests/expected/function-contract/prohibit-pointers/hidden.expected index 59e40d5aadc8..34c886c358cb 100644 --- a/tests/expected/function-contract/prohibit-pointers/hidden.expected +++ b/tests/expected/function-contract/prohibit-pointers/hidden.expected @@ -1 +1 @@ -error: This argument contains a mutable pointer (*mut u32). This is prohibited for functions with contracts, as they cannot yet reason about the pointer behavior. +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/prohibit-pointers/hidden.rs b/tests/expected/function-contract/prohibit-pointers/hidden.rs index 9ca23fe6b2e1..1a9b7a475479 100644 --- a/tests/expected/function-contract/prohibit-pointers/hidden.rs +++ b/tests/expected/function-contract/prohibit-pointers/hidden.rs @@ -6,7 +6,7 @@ struct HidesAPointer(*mut u32); -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn hidden_pointer(h: HidesAPointer) {} #[kani::proof_for_contract(hidden_pointer)] diff --git a/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected b/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected index 916854aa3131..34c886c358cb 100644 --- a/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected +++ b/tests/expected/function-contract/prohibit-pointers/plain_pointer.expected @@ -1 +1 @@ -error: This argument contains a mutable pointer (*mut i32). This is prohibited for functions with contracts, as they cannot yet reason about the pointer behavior. +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs b/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs index 24e9d006a9c0..868327e15046 100644 --- a/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs +++ b/tests/expected/function-contract/prohibit-pointers/plain_pointer.rs @@ -4,7 +4,7 @@ #![allow(unreachable_code, unused_variables)] -#[kani::ensures(true)] +#[kani::ensures(|result| true)] fn plain_pointer(t: *mut i32) {} #[kani::proof_for_contract(plain_pointer)] diff --git a/tests/expected/function-contract/prohibit-pointers/return_pointer.expected b/tests/expected/function-contract/prohibit-pointers/return_pointer.expected index 8f3689888d92..34c886c358cb 100644 --- a/tests/expected/function-contract/prohibit-pointers/return_pointer.expected +++ b/tests/expected/function-contract/prohibit-pointers/return_pointer.expected @@ -1 +1 @@ -error: The return contains a pointer (*const usize). This is prohibited for functions with contracts, as they cannot yet reason about the pointer behavior. +VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/prohibit-pointers/return_pointer.rs b/tests/expected/function-contract/prohibit-pointers/return_pointer.rs index fc279667ad13..6314129ddf89 100644 --- a/tests/expected/function-contract/prohibit-pointers/return_pointer.rs +++ b/tests/expected/function-contract/prohibit-pointers/return_pointer.rs @@ -2,24 +2,16 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#![allow(unreachable_code, unused_variables)] - -/// This only exists so I can fake a [`kani::Arbitrary`] instance for `*const -/// usize`. -struct ArbitraryPointer

(P); - -impl kani::Arbitrary for ArbitraryPointer<*const usize> { - fn any() -> Self { - unreachable!() - } -} - -#[kani::ensures(true)] -fn return_pointer() -> ArbitraryPointer<*const usize> { - unreachable!() +#[kani::ensures(|result : &*const usize| unsafe{ **result == *input })] +fn return_pointer(input: *const usize) -> *const usize { + input } #[kani::proof_for_contract(return_pointer)] fn return_ptr_harness() { - return_pointer(); + let input: usize = 10; + let input_ptr = &input as *const usize; + unsafe { + assert!(*(return_pointer(input_ptr)) == input); + } } diff --git a/tests/expected/function-contract/simple_ensures_fail.expected b/tests/expected/function-contract/simple_ensures_fail.expected index 8e9b42d42640..360242d07daf 100644 --- a/tests/expected/function-contract/simple_ensures_fail.expected +++ b/tests/expected/function-contract/simple_ensures_fail.expected @@ -1,8 +1,8 @@ assertion\ - Status: FAILURE\ -- Description: "result == x"\ +- Description: "|result : &u32| *result == x"\ in function max -Failed Checks: result == x +Failed Checks: |result : &u32| *result == x VERIFICATION:- FAILED diff --git a/tests/expected/function-contract/simple_ensures_fail.rs b/tests/expected/function-contract/simple_ensures_fail.rs index 687853612dcc..43521b171ea7 100644 --- a/tests/expected/function-contract/simple_ensures_fail.rs +++ b/tests/expected/function-contract/simple_ensures_fail.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result == x)] +#[kani::ensures(|result : &u32| *result == x)] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/simple_ensures_pass.expected b/tests/expected/function-contract/simple_ensures_pass.expected index 5a7874964413..bdcde74c3bfe 100644 --- a/tests/expected/function-contract/simple_ensures_pass.expected +++ b/tests/expected/function-contract/simple_ensures_pass.expected @@ -1,6 +1,6 @@ assertion\ - Status: SUCCESS\ -- Description: "(result == x) | (result == y)"\ +- Description: "|result : &u32| (*result == x) | (*result == y)"\ in function max VERIFICATION:- SUCCESSFUL diff --git a/tests/expected/function-contract/simple_ensures_pass.rs b/tests/expected/function-contract/simple_ensures_pass.rs index 2d36f5c96e88..7be58fef3b04 100644 --- a/tests/expected/function-contract/simple_ensures_pass.rs +++ b/tests/expected/function-contract/simple_ensures_pass.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures((result == x) | (result == y))] +#[kani::ensures(|result : &u32| (*result == x) | (*result == y))] fn max(x: u32, y: u32) -> u32 { if x > y { x } else { y } } diff --git a/tests/expected/function-contract/simple_replace_fail.rs b/tests/expected/function-contract/simple_replace_fail.rs index 33a531a3aef7..dd448d2cdee6 100644 --- a/tests/expected/function-contract/simple_replace_fail.rs +++ b/tests/expected/function-contract/simple_replace_fail.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts #[kani::requires(divisor != 0)] -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/simple_replace_pass.rs b/tests/expected/function-contract/simple_replace_pass.rs index 0dcc6cd59fe3..7c57cc6a0b7f 100644 --- a/tests/expected/function-contract/simple_replace_pass.rs +++ b/tests/expected/function-contract/simple_replace_pass.rs @@ -3,7 +3,7 @@ // kani-flags: -Zfunction-contracts #[kani::requires(divisor != 0)] -#[kani::ensures(result <= dividend)] +#[kani::ensures(|result : &u32| *result <= dividend)] fn div(dividend: u32, divisor: u32) -> u32 { dividend / divisor } diff --git a/tests/expected/function-contract/type_annotation_needed.rs b/tests/expected/function-contract/type_annotation_needed.rs index 09b20443d47b..5a3b9fbae5b0 100644 --- a/tests/expected/function-contract/type_annotation_needed.rs +++ b/tests/expected/function-contract/type_annotation_needed.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT // kani-flags: -Zfunction-contracts -#[kani::ensures(result.is_some())] +#[kani::ensures(|result : &Option| result.is_some())] fn or_default(opt: Option) -> Option { opt.or(Some(T::default())) } diff --git a/tests/expected/function-contract/valid_ptr.expected b/tests/expected/function-contract/valid_ptr.expected new file mode 100644 index 000000000000..1b62781adaaf --- /dev/null +++ b/tests/expected/function-contract/valid_ptr.expected @@ -0,0 +1,11 @@ +Checking harness pre_condition::harness_invalid_ptr... +Failed Checks: Kani does not support reasoning about pointer to unallocated memory +VERIFICATION:- SUCCESSFUL (encountered one or more panics as expected) + +Checking harness pre_condition::harness_stack_ptr... +VERIFICATION:- SUCCESSFUL + +Checking harness pre_condition::harness_head_ptr... +VERIFICATION:- SUCCESSFUL + +Complete - 3 successfully verified harnesses, 0 failures, 3 total diff --git a/tests/expected/function-contract/valid_ptr.rs b/tests/expected/function-contract/valid_ptr.rs new file mode 100644 index 000000000000..2047a46caf4f --- /dev/null +++ b/tests/expected/function-contract/valid_ptr.rs @@ -0,0 +1,61 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zfunction-contracts -Zmem-predicates + +//! Test that it is sound to use memory predicates inside a contract pre-condition. +//! We cannot validate post-condition yet. This can be done once we fix: +//! + +mod pre_condition { + /// This contract should succeed only if the input is a valid pointer. + #[kani::requires(kani::mem::can_dereference(ptr))] + unsafe fn read_ptr(ptr: *const i32) -> i32 { + *ptr + } + + #[kani::proof_for_contract(read_ptr)] + fn harness_head_ptr() { + let boxed = Box::new(10); + let raw_ptr = Box::into_raw(boxed); + assert_eq!(unsafe { read_ptr(raw_ptr) }, 10); + let _ = unsafe { Box::from_raw(raw_ptr) }; + } + + #[kani::proof_for_contract(read_ptr)] + fn harness_stack_ptr() { + let val = -20; + assert_eq!(unsafe { read_ptr(&val) }, -20); + } + + #[kani::proof_for_contract(read_ptr)] + #[kani::should_panic] + fn harness_invalid_ptr() { + let ptr = std::ptr::NonNull::::dangling().as_ptr(); + assert_eq!(unsafe { read_ptr(ptr) }, -20); + } +} + +/// TODO: Enable once we fix: +#[cfg(not_supported)] +mod post_condition { + + /// This contract should fail since we are creating a dangling pointer. + #[kani::ensures(kani::mem::can_dereference(result.0))] + unsafe fn new_invalid_ptr() -> PtrWrapper { + let var = 'c'; + PtrWrapper(&var as *const _) + } + + #[kani::proof_for_contract(new_invalid_ptr)] + fn harness() { + let _ = unsafe { new_invalid_ptr() }; + } + + struct PtrWrapper(*const T); + + impl kani::Arbitrary for PtrWrapper { + fn any() -> Self { + unreachable!("Do not invoke stubbing") + } + } +} diff --git a/tests/expected/intrinsics/ctpop-ice/ctpop_ice.rs b/tests/expected/intrinsics/ctpop-ice/ctpop_ice.rs deleted file mode 100644 index ea11400e8161..000000000000 --- a/tests/expected/intrinsics/ctpop-ice/ctpop_ice.rs +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Check that we correctly handle type mistmatch when the argument is a ZST type. -//! The compiler crashes today: https://github.com/model-checking/kani/issues/2121 - -#![feature(core_intrinsics)] -use std::intrinsics::ctpop; - -// These shouldn't compile. -#[kani::proof] -pub fn check_zst_ctpop() { - let n = ctpop(()); - assert!(n == ()); -} diff --git a/tests/expected/intrinsics/ctpop-ice/expected b/tests/expected/intrinsics/ctpop-ice/expected deleted file mode 100644 index 1ac989525f36..000000000000 --- a/tests/expected/intrinsics/ctpop-ice/expected +++ /dev/null @@ -1,6 +0,0 @@ -error: Type check failed for intrinsic `ctpop`: Expected integer type, found () - | -12 | let n = ctpop(()); - | ^^^^^^^^^ - -error: aborting due to 1 previous error \ No newline at end of file diff --git a/tests/expected/intrinsics/simd-arith-overflows/main.rs b/tests/expected/intrinsics/simd-arith-overflows/main.rs index 74cfe8ae878f..fc710645fd66 100644 --- a/tests/expected/intrinsics/simd-arith-overflows/main.rs +++ b/tests/expected/intrinsics/simd-arith-overflows/main.rs @@ -2,19 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! This test ensures we detect overflows in SIMD arithmetic operations -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_add, simd_mul, simd_sub}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq, Debug)] pub struct i8x2(i8, i8); -extern "platform-intrinsic" { - fn simd_add(x: T, y: T) -> T; - fn simd_sub(x: T, y: T) -> T; - fn simd_mul(x: T, y: T) -> T; -} - #[kani::proof] fn main() { let a = kani::any(); diff --git a/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs b/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs index f826ae92f3b7..f84cf1d8b9aa 100644 --- a/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs +++ b/tests/expected/intrinsics/simd-cmp-result-type-is-diff-size/main.rs @@ -3,7 +3,8 @@ //! Checks that storing the result of a vector operation in a vector of //! size different to the operands' sizes causes an error. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_eq; #[repr(simd)] #[allow(non_camel_case_types)] @@ -20,14 +21,6 @@ pub struct u64x2(u64, u64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u32x4(u32, u32, u32, u32); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; -} - #[kani::proof] fn main() { let x = u64x2(0, 0); diff --git a/tests/expected/intrinsics/simd-div-div-zero/main.rs b/tests/expected/intrinsics/simd-div-div-zero/main.rs index 4f613e362947..148ae62a252c 100644 --- a/tests/expected/intrinsics/simd-div-div-zero/main.rs +++ b/tests/expected/intrinsics/simd-div-div-zero/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_div` triggers a failure when the divisor is zero. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_div; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_div() { let dividend = kani::any(); diff --git a/tests/expected/intrinsics/simd-div-rem-overflow/main.rs b/tests/expected/intrinsics/simd-div-rem-overflow/main.rs index e7f2e9fbc48f..5f49e7db6154 100644 --- a/tests/expected/intrinsics/simd-div-rem-overflow/main.rs +++ b/tests/expected/intrinsics/simd-div-rem-overflow/main.rs @@ -1,20 +1,15 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// Checks that the `simd_div` and `simd_rem` intrinsics check for integer overflows. - -#![feature(repr_simd, platform_intrinsics)] +//! Checks that the `simd_div` and `simd_rem` intrinsics check for integer overflows. +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_div, simd_rem}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; - fn simd_rem(x: T, y: T) -> T; -} - unsafe fn do_simd_div(dividends: i32x2, divisors: i32x2) -> i32x2 { simd_div(dividends, divisors) } diff --git a/tests/expected/intrinsics/simd-extract-wrong-type/main.rs b/tests/expected/intrinsics/simd-extract-wrong-type/main.rs index 5d32f1ed9de8..b8fb5a3ffc6f 100644 --- a/tests/expected/intrinsics/simd-extract-wrong-type/main.rs +++ b/tests/expected/intrinsics/simd-extract-wrong-type/main.rs @@ -4,17 +4,14 @@ //! This test checks that we emit an error when the return type for //! `simd_extract` has a type different to the first argument's (i.e., the //! vector) base type. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_extract; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_extract(x: T, idx: u32) -> U; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-insert-wrong-type/main.rs b/tests/expected/intrinsics/simd-insert-wrong-type/main.rs index ec2edfc110dd..6c4946a051b6 100644 --- a/tests/expected/intrinsics/simd-insert-wrong-type/main.rs +++ b/tests/expected/intrinsics/simd-insert-wrong-type/main.rs @@ -4,17 +4,14 @@ //! This test checks that we emit an error when the third argument for //! `simd_insert` (the value to be inserted) has a type different to the first //! argument's (i.e., the vector) base type. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_insert; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_insert(x: T, idx: u32, b: U) -> T; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-rem-div-zero/main.rs b/tests/expected/intrinsics/simd-rem-div-zero/main.rs index 715de058154b..4393808ac039 100644 --- a/tests/expected/intrinsics/simd-rem-div-zero/main.rs +++ b/tests/expected/intrinsics/simd-rem-div-zero/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_rem` triggers a failure when the divisor is zero -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_rem; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_rem(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_rem() { let dividend = kani::any(); diff --git a/tests/expected/intrinsics/simd-result-type-is-float/main.rs b/tests/expected/intrinsics/simd-result-type-is-float/main.rs index 18a2152b93c5..01286de9cdd8 100644 --- a/tests/expected/intrinsics/simd-result-type-is-float/main.rs +++ b/tests/expected/intrinsics/simd-result-type-is-float/main.rs @@ -3,7 +3,8 @@ //! Checks that storing the result of a vector comparison in a vector of floats //! causes an error. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_eq; #[repr(simd)] #[allow(non_camel_case_types)] @@ -25,14 +26,6 @@ pub struct u32x4(u32, u32, u32, u32); #[derive(Clone, Copy, PartialEq)] pub struct f32x2(f32, f32); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; -} - #[kani::proof] fn main() { let x = u64x2(0, 0); diff --git a/tests/expected/intrinsics/simd-shl-shift-negative/main.rs b/tests/expected/intrinsics/simd-shl-shift-negative/main.rs index 0c7116b30567..2b7b2a418e19 100644 --- a/tests/expected/intrinsics/simd-shl-shift-negative/main.rs +++ b/tests/expected/intrinsics/simd-shl-shift-negative/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shl` returns a failure if the shift distance is negative. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shl; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shl(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shl() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs b/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs index fff9aadf1900..dada7a5a8b84 100644 --- a/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs +++ b/tests/expected/intrinsics/simd-shl-shift-too-large/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shl` returns a failure if the shift distance is too large. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shl; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shl(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shl() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shr-shift-negative/main.rs b/tests/expected/intrinsics/simd-shr-shift-negative/main.rs index 580f0337db25..dc38955099a2 100644 --- a/tests/expected/intrinsics/simd-shr-shift-negative/main.rs +++ b/tests/expected/intrinsics/simd-shr-shift-negative/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shr` returns a failure if the shift distance is negative. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shr; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shr(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shr() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs b/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs index 3d9cd5e0c919..70ae0ad0da45 100644 --- a/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs +++ b/tests/expected/intrinsics/simd-shr-shift-too-large/main.rs @@ -2,17 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that `simd_shr` returns a failure if the shift distance is too large. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shr; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_shr(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shr() { let value = kani::any(); diff --git a/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs b/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs index d8a4c22de85f..0f7c42d2d46c 100644 --- a/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs +++ b/tests/expected/intrinsics/simd-shuffle-indexes-out/main.rs @@ -3,17 +3,14 @@ //! Checks that `simd_shuffle` triggers an out-of-bounds failure when any of the //! indexes supplied is greater than the combined size of the input vectors. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: U) -> V; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs index 25796f6c22e7..6345f5516101 100644 --- a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs +++ b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-size/main.rs @@ -3,7 +3,8 @@ //! Checks that Kani triggers an error when the result type doesn't have the //! length expected from a `simd_shuffle` call. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,10 +16,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x4(i64, i64, i64, i64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: I) -> U; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs index 6bdadae159f8..81f176700152 100644 --- a/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs +++ b/tests/expected/intrinsics/simd-shuffle-result-type-is-diff-type/main.rs @@ -3,7 +3,8 @@ //! Checks that Kani triggers an error when the result type doesn't have the //! subtype expected from a `simd_shuffle` call. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,10 +16,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq)] pub struct f64x2(f64, f64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: I) -> U; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/expected/issue-2589/issue_2589.expected b/tests/expected/issue-2589/issue_2589.expected index 0352a8933b6d..a753bc7390a0 100644 --- a/tests/expected/issue-2589/issue_2589.expected +++ b/tests/expected/issue-2589/issue_2589.expected @@ -1 +1 @@ -error: Type `std::string::String` does not implement trait `Dummy`. This is likely because `original` is used as a stub but its generic bounds are not being met. +error: Type `std::string::String` does not implement trait `Dummy`. This is likely because `stub` is used as a stub but its generic bounds are not being met. diff --git a/tests/expected/iterator/main.rs b/tests/expected/iterator/main.rs index b1cb4a89cfbf..5cf9402bcb23 100644 --- a/tests/expected/iterator/main.rs +++ b/tests/expected/iterator/main.rs @@ -2,6 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT #[kani::proof] +#[kani::unwind(4)] fn main() { let mut z = 1; for i in 1..4 { diff --git a/tests/expected/offset-wraps-around/main.rs b/tests/expected/offset-wraps-around/main.rs index 62ec6902020b..3e83eacc4c2d 100644 --- a/tests/expected/offset-wraps-around/main.rs +++ b/tests/expected/offset-wraps-around/main.rs @@ -1,4 +1,4 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT // Check that a high offset causes a "wrapping around" behavior in CBMC. diff --git a/tests/expected/ptr_to_ref_cast/expected b/tests/expected/ptr_to_ref_cast/expected new file mode 100644 index 000000000000..1b449911af11 --- /dev/null +++ b/tests/expected/ptr_to_ref_cast/expected @@ -0,0 +1,75 @@ +Checking harness check_zst_deref... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function zst_deref + +VERIFICATION:- FAILED + +Checking harness check_equal_size_deref... + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function equal_size_deref + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function equal_size_deref + +VERIFICATION:- SUCCESSFUL + +Checking harness check_smaller_deref... + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function smaller_deref + +Status: SUCCESS\ +Description: "dereference failure: pointer invalid"\ +in function smaller_deref + +VERIFICATION:- SUCCESSFUL + +Checking harness check_larger_deref_struct... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function larger_deref_struct + +VERIFICATION:- FAILED + +Checking harness check_larger_deref_into_ptr... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function larger_deref_into_ptr + +VERIFICATION:- FAILED + +Checking harness check_larger_deref... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function larger_deref + +VERIFICATION:- FAILED + +Checking harness check_store... + +Status: FAILURE\ +Description: "dereference failure: pointer invalid"\ +in function Store::<'_, 3>::from + +Status: SUCCESS\ +Description: "assertion failed: broken.data.len() == 3"\ +in function check_store + +VERIFICATION:- FAILED + +Summary: +Verification failed for - check_zst_deref +Verification failed for - check_larger_deref_struct +Verification failed for - check_larger_deref_into_ptr +Verification failed for - check_larger_deref +Verification failed for - check_store +Complete - 2 successfully verified harnesses, 5 failures, 7 total. \ No newline at end of file diff --git a/tests/expected/ptr_to_ref_cast/ptr_to_ref_cast.rs b/tests/expected/ptr_to_ref_cast/ptr_to_ref_cast.rs new file mode 100644 index 000000000000..3b713a34d967 --- /dev/null +++ b/tests/expected/ptr_to_ref_cast/ptr_to_ref_cast.rs @@ -0,0 +1,140 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z ptr-to-ref-cast-checks + +//! This test case checks that raw pointer validity is checked before converting it to a reference, e.g., &(*ptr). + +// 1. Original example. + +struct Store<'a, const LEN: usize> { + data: [&'a i128; LEN], +} + +impl<'a, const LEN: usize> Store<'a, LEN> { + pub fn from(var: &i64) -> Self { + let ref1: *const i64 = var; + let ref2: *const i128 = ref1 as *const i128; + unsafe { + Store { data: [&*ref2; LEN] } // ---- THIS LINE SHOULD FAIL + } + } +} + +#[kani::proof] +pub fn check_store() { + let val = 1; + let broken = Store::<3>::from(&val); + assert_eq!(broken.data.len(), 3) +} + +// 2. Make sure the error is raised when casting to a simple type of a larger size. + +pub fn larger_deref(var: &i64) { + let ref1: *const i64 = var; + let ref2: *const i128 = ref1 as *const i128; + let ref3: &i128 = unsafe { &*ref2 }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_larger_deref() { + let var: i64 = kani::any(); + larger_deref(&var); +} + +// 3. Make sure the error is raised when casting to a simple type of a larger size and storing the result in a pointer. + +pub fn larger_deref_into_ptr(var: &i64) { + let ref1: *const i64 = var; + let ref2: *const i128 = ref1 as *const i128; + let ref3: *const i128 = unsafe { &*ref2 }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_larger_deref_into_ptr() { + let var: i64 = kani::any(); + larger_deref_into_ptr(&var); +} + +// 4. Make sure the error is raised when casting to a struct of a larger size. + +#[derive(kani::Arbitrary)] +struct Foo { + a: u8, +} + +#[derive(kani::Arbitrary)] +struct Bar { + a: u8, + b: u64, + c: u64, +} + +pub fn larger_deref_struct(var: &Foo) { + let ref1: *const Foo = var; + let ref2: *const Bar = ref1 as *const Bar; + let ref3: &Bar = unsafe { &*ref2 }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_larger_deref_struct() { + let var: Foo = kani::any(); + larger_deref_struct(&var); +} + +// 5. Make sure the error is not raised if the target size is smaller. + +pub fn smaller_deref(var: &i64, var_struct: &Bar) { + let ref1: *const i64 = var; + let ref2: *const i32 = ref1 as *const i32; + let ref3: &i32 = unsafe { &*ref2 }; + + let ref1_struct: *const Bar = var_struct; + let ref2_struct: *const Foo = ref1_struct as *const Foo; + let ref3_struct: &Foo = unsafe { &*ref2_struct }; +} + +#[kani::proof] +pub fn check_smaller_deref() { + let var: i64 = kani::any(); + let var_struct: Bar = kani::any(); + smaller_deref(&var, &var_struct); +} + +// 6. Make sure the error is not raised if the target size is the same. + +pub fn equal_size_deref(var: &i64, var_struct: &Foo) { + let ref1: *const i64 = var; + let ref2: &i64 = unsafe { &*ref1 }; + + let ref1_struct: *const Foo = var_struct; + let ref2_struct: &Foo = unsafe { &*ref1_struct }; +} + +#[kani::proof] +pub fn check_equal_size_deref() { + let var: i64 = kani::any(); + let var_struct: Foo = kani::any(); + equal_size_deref(&var, &var_struct); +} + +// 7. Make sure the check works with ZSTs. + +#[derive(kani::Arbitrary)] +struct Zero; + +pub fn zst_deref(var_struct: &Foo, var_zst: &Zero) { + let ref1_struct: *const Foo = var_struct; + let ref2_struct: *const Zero = ref1_struct as *const Zero; + let ref3_struct: &Zero = unsafe { &*ref2_struct }; + + let ref1_zst: *const Zero = var_zst; + let ref2_zst: *const Foo = ref1_zst as *const Foo; + let ref3_zst: &Foo = unsafe { &*ref2_zst }; // ---- THIS LINE SHOULD FAIL +} + +#[kani::proof] +pub fn check_zst_deref() { + let var_struct: Foo = kani::any(); + let var_zst: Zero = kani::any(); + zst_deref(&var_struct, &var_zst); +} diff --git a/tests/expected/shadow/uninit_array/expected b/tests/expected/shadow/uninit_array/expected new file mode 100644 index 000000000000..1d5f70698010 --- /dev/null +++ b/tests/expected/shadow/uninit_array/expected @@ -0,0 +1,3 @@ +Failed Checks: assertion failed: SM.get(p) +Verification failed for - check_init_any +Complete - 1 successfully verified harnesses, 1 failures, 2 total. diff --git a/tests/expected/shadow/uninit_array/test.rs b/tests/expected/shadow/uninit_array/test.rs new file mode 100644 index 000000000000..8a9536e5a8e8 --- /dev/null +++ b/tests/expected/shadow/uninit_array/test.rs @@ -0,0 +1,59 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This is a basic test for the shadow memory implementation. +// It checks that shadow memory can be used to track whether a memory location +// is initialized. + +use std::alloc::{alloc, dealloc, Layout}; + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +fn write(ptr: *mut i8, offset: usize, x: i8) { + unsafe { + let p = ptr.offset(offset as isize); + p.write(x); + SM.set(p as *const i8, true); + }; +} + +fn check_init(b: bool) { + // allocate an array of 5 i8's + let layout = Layout::array::(5).unwrap(); + let ptr = unsafe { alloc(layout) as *mut i8 }; + + // unconditionally write to all 5 locations except for the middle element + write(ptr, 0, 0); + write(ptr, 1, 1); + if b { + write(ptr, 2, 2) + }; + write(ptr, 3, 3); + write(ptr, 4, 4); + + // non-deterministically read from any of the elements and assert that: + // 1. The memory location is initialized + // 2. It has the expected value + // This would fail if `b` is false and `index == 2` + let index: usize = kani::any(); + if index < 5 { + unsafe { + let p = ptr.offset(index as isize); + let x = p.read(); + assert!(SM.get(p)); + assert_eq!(x, index as i8); + } + } + unsafe { dealloc(ptr as *mut u8, layout) }; +} + +#[kani::proof] +fn check_init_true() { + check_init(true); +} + +#[kani::proof] +fn check_init_any() { + check_init(kani::any()); +} diff --git a/tests/expected/shadow/unsupported_num_objects/expected b/tests/expected/shadow/unsupported_num_objects/expected new file mode 100644 index 000000000000..da3b5a671969 --- /dev/null +++ b/tests/expected/shadow/unsupported_num_objects/expected @@ -0,0 +1,3 @@ +Failed Checks: The number of objects exceeds the maximum number supported by Kani's shadow memory model (1024) +Verification failed for - check_max_objects_fail +Complete - 1 successfully verified harnesses, 1 failures, 2 total. diff --git a/tests/expected/shadow/unsupported_num_objects/test.rs b/tests/expected/shadow/unsupported_num_objects/test.rs new file mode 100644 index 000000000000..f60d0020e989 --- /dev/null +++ b/tests/expected/shadow/unsupported_num_objects/test.rs @@ -0,0 +1,41 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This test checks the maximum number of objects supported by Kani's shadow +// memory model (currently 1024) + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +fn check_max_objects() { + let mut i = 0; + // A dummy loop that creates `N`` objects. + // After the loop, CBMC's object ID counter should be at `N` + 2: + // - `N` created in the loop + + // - the NULL pointer whose object ID is 0, and + // - the object ID for `i` + while i < N { + let x = i; + assert_eq!(kani::mem::pointer_object(&x as *const usize), i + 2); + i += 1; + } + + // create a new object whose ID is `N` + 2 + let x = 42; + assert_eq!(kani::mem::pointer_object(&x as *const i32), N + 2); + // the following call to `set` would fail if the object ID for `x` exceeds + // the maximum allowed by Kani's shadow memory model + unsafe { + SM.set(&x as *const i32, true); + } +} + +#[kani::proof] +fn check_max_objects_pass() { + check_max_objects::<1021>(); +} + +#[kani::proof] +fn check_max_objects_fail() { + check_max_objects::<1022>(); +} diff --git a/tests/expected/shadow/unsupported_object_size/expected b/tests/expected/shadow/unsupported_object_size/expected new file mode 100644 index 000000000000..a4598b5aac82 --- /dev/null +++ b/tests/expected/shadow/unsupported_object_size/expected @@ -0,0 +1,3 @@ +Failed Checks: The object size exceeds the maximum size supported by Kani's shadow memory model (64) +Verification failed for - check_max_object_size_fail +Complete - 1 successfully verified harnesses, 1 failures, 2 total. diff --git a/tests/expected/shadow/unsupported_object_size/test.rs b/tests/expected/shadow/unsupported_object_size/test.rs new file mode 100644 index 000000000000..d22ff1a6ca41 --- /dev/null +++ b/tests/expected/shadow/unsupported_object_size/test.rs @@ -0,0 +1,29 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Zghost-state + +// This test checks the maximum object size supported by Kani's shadow +// memory model (currently 64) + +static mut SM: kani::shadow::ShadowMem = kani::shadow::ShadowMem::new(false); + +fn check_max_objects() { + let arr: [u8; N] = [0; N]; + let last = &arr[N - 1]; + assert_eq!(kani::mem::pointer_offset(last as *const u8), N - 1); + // the following call to `set_init` would fail if the object offset for + // `last` exceeds the maximum allowed by Kani's shadow memory model + unsafe { + SM.set(last as *const u8, true); + } +} + +#[kani::proof] +fn check_max_object_size_pass() { + check_max_objects::<64>(); +} + +#[kani::proof] +fn check_max_object_size_fail() { + check_max_objects::<65>(); +} diff --git a/tests/expected/slice_c_str/c_str_fixme.rs b/tests/expected/slice_c_str/c_str_fixme.rs index 894746772100..ede6c814e1a0 100644 --- a/tests/expected/slice_c_str/c_str_fixme.rs +++ b/tests/expected/slice_c_str/c_str_fixme.rs @@ -1,3 +1,5 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT #![feature(rustc_private)] #![feature(c_str_literals)] //! FIXME: diff --git a/tests/expected/stubbing-different-sets/stubbing.expected b/tests/expected/stubbing-different-sets/stubbing.expected new file mode 100644 index 000000000000..cf362d974f2e --- /dev/null +++ b/tests/expected/stubbing-different-sets/stubbing.expected @@ -0,0 +1,19 @@ +Checking harness check_indirect_all_identity... +VERIFICATION:- SUCCESSFUL + +Checking harness check_all_identity_2... +VERIFICATION:- SUCCESSFUL + +Checking harness check_all_identity... +VERIFICATION:- SUCCESSFUL + +Checking harness check_decrement_is_increment... +VERIFICATION:- SUCCESSFUL + +Checking harness check_decrement... +VERIFICATION:- SUCCESSFUL + +Checking harness check_identity... +VERIFICATION:- SUCCESSFUL + +Complete - 6 successfully verified harnesses, 0 failures, 6 total. diff --git a/tests/script-based-pre/stubbing_compiler_sessions/stubbing.rs b/tests/expected/stubbing-different-sets/stubbing.rs similarity index 88% rename from tests/script-based-pre/stubbing_compiler_sessions/stubbing.rs rename to tests/expected/stubbing-different-sets/stubbing.rs index cde1902c3558..90905baa5bb6 100644 --- a/tests/script-based-pre/stubbing_compiler_sessions/stubbing.rs +++ b/tests/expected/stubbing-different-sets/stubbing.rs @@ -1,8 +1,8 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Check that Kani handles different sets of stubbing correctly. -// I.e., not correctly replacing the stubs will cause a harness to fail. +// kani-flags: -Z stubbing +//! Check that Kani handles different sets of stubbing correctly. +//! I.e., not correctly replacing the stubs will cause a harness to fail. fn identity(i: i8) -> i8 { i diff --git a/tests/expected/zst/expected b/tests/expected/zst/expected new file mode 100644 index 000000000000..bec891bea92c --- /dev/null +++ b/tests/expected/zst/expected @@ -0,0 +1,4 @@ +Status: FAILURE\ +Description: "dereference failure: pointer NULL" + +VERIFICATION:- FAILED diff --git a/tests/expected/zst/main.rs b/tests/expected/zst/main.rs new file mode 100644 index 000000000000..587e2608c870 --- /dev/null +++ b/tests/expected/zst/main.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This example demonstrates that rustc may choose not to allocate unique locations to ZST objects. +#[repr(C)] +#[derive(Copy, Clone)] +struct Z(i8, i64); + +struct Y; + +#[kani::proof] +fn test_z() -> Z { + let m = Y; + let n = Y; + let zz = Z(1, -1); + + let ptr: *const Z = if &n as *const _ == &m as *const _ { std::ptr::null() } else { &zz }; + unsafe { *ptr } +} diff --git a/tests/kani/Closure/zst_param.rs b/tests/kani/Closure/zst_param.rs index 3eee1e5ac672..7a93619a9e16 100644 --- a/tests/kani/Closure/zst_param.rs +++ b/tests/kani/Closure/zst_param.rs @@ -17,7 +17,8 @@ fn check_zst_param() { let input = kani::any(); let closure = |a: Void, out: usize, b: Void| { kani::cover!(); - assert!(&a as *const Void != &b as *const Void, "Should succeed"); + assert!(&a as *const Void != std::ptr::null(), "Should succeed"); + assert!(&b as *const Void != std::ptr::null(), "Should succeed"); out }; let output = invoke(input, closure); diff --git a/tests/kani/Closure/zst_unwrap.rs b/tests/kani/Closure/zst_unwrap.rs new file mode 100644 index 000000000000..4c755e08abc7 --- /dev/null +++ b/tests/kani/Closure/zst_unwrap.rs @@ -0,0 +1,16 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Test that Kani can properly handle closure to fn ptr when an argument type is Never (`!`). +//! See for more details. +#![feature(never_type)] + +pub struct Foo { + _x: i32, + _never: !, +} + +#[kani::proof] +fn check_unwrap_never() { + let res = Result::::Ok(3); + let _x = res.unwrap_or_else(|_f| 5); +} diff --git a/tests/kani/Coroutines/main.rs b/tests/kani/Coroutines/main.rs index 10d92571aaa6..e059305a6da2 100644 --- a/tests/kani/Coroutines/main.rs +++ b/tests/kani/Coroutines/main.rs @@ -4,13 +4,16 @@ // This tests that coroutines work, even with a non-() resume type. #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] +#[kani::unwind(3)] fn main() { - let mut add_one = |mut resume: u8| { + let mut add_one = #[coroutine] + |mut resume: u8| { loop { resume = yield resume.saturating_add(1); } diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs b/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs index 81036a8f1238..a52f711fa52b 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/conditional-drop.rs @@ -12,6 +12,7 @@ //[nomiropt]compile-flags: -Z mir-opt-level=0 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::pin::Pin; @@ -41,7 +42,8 @@ fn main() { } fn t1() { - let mut a = || { + let mut a = #[coroutine] + || { let b = B; if test() { drop(b); @@ -57,7 +59,8 @@ fn t1() { } fn t2() { - let mut a = || { + let mut a = #[coroutine] + || { let b = B; if test2() { drop(b); diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs b/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs index 6e48b96e1d2a..af8d8a2250a4 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/control-flow.rs @@ -35,32 +35,52 @@ where #[kani::proof] #[kani::unwind(16)] fn main() { - finish(1, || yield); - finish(8, || { - for _ in 0..8 { - yield; - } - }); - finish(1, || { - if true { - yield; - } else { - } - }); - finish(1, || { - if false { - } else { - yield; - } - }); - finish(2, || { - if { - yield; - false - } { - yield; - panic!() - } - yield - }); + finish( + 1, + #[coroutine] + || yield, + ); + finish( + 8, + #[coroutine] + || { + for _ in 0..8 { + yield; + } + }, + ); + finish( + 1, + #[coroutine] + || { + if true { + yield; + } else { + } + }, + ); + finish( + 1, + #[coroutine] + || { + if false { + } else { + yield; + } + }, + ); + finish( + 2, + #[coroutine] + || { + if { + yield; + false + } { + yield; + panic!() + } + yield + }, + ); } diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs b/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs index a6420aca283b..e1de81c9b081 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/env-drop.rs @@ -12,6 +12,7 @@ //[nomiropt]compile-flags: -Z mir-opt-level=0 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::pin::Pin; @@ -36,7 +37,8 @@ fn main() { fn t1() { let b = B; - let mut foo = || { + let mut foo = #[coroutine] + || { yield; drop(b); }; @@ -50,7 +52,8 @@ fn t1() { fn t2() { let b = B; - let mut foo = || { + let mut foo = #[coroutine] + || { yield b; }; @@ -63,7 +66,8 @@ fn t2() { fn t3() { let b = B; - let foo = || { + let foo = #[coroutine] + || { yield; drop(b); }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs b/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs index caa2efec216f..8a9b26262e5d 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/iterator-count.rs @@ -30,6 +30,7 @@ impl + Unpin> Iterator for W { } fn test() -> impl Coroutine<(), Return = (), Yield = u8> + Unpin { + #[coroutine] || { for i in 1..6 { yield i @@ -43,6 +44,7 @@ fn main() { let end = 11; let closure_test = |start| { + #[coroutine] move || { for i in start..end { yield i diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs b/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs index 9bce8679464f..d9aae2e95322 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/live-upvar-across-yield.rs @@ -9,6 +9,7 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::pin::Pin; @@ -16,7 +17,8 @@ use std::pin::Pin; #[kani::proof] fn main() { let b = |_| 3; - let mut a = || { + let mut a = #[coroutine] + || { b(yield); }; Pin::new(&mut a).resume(()); diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs index d63d34427ca6..3c2b9dc16ae1 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals-size.rs @@ -41,6 +41,7 @@ impl Drop for Foo { } fn move_before_yield() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); let _second = first; @@ -52,6 +53,7 @@ fn move_before_yield() -> impl Coroutine { fn noop() {} fn move_before_yield_with_noop() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); noop(); @@ -64,6 +66,7 @@ fn move_before_yield_with_noop() -> impl Coroutine { // Today we don't have NRVO (we allocate space for both `first` and `second`,) // but we can overlap `first` with `_third`. fn overlap_move_points() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); yield; @@ -75,6 +78,7 @@ fn overlap_move_points() -> impl Coroutine { } fn overlap_x_and_y() -> impl Coroutine { + #[coroutine] static || { let x = Foo([0; FOO_SIZE]); yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs index b3b6c4cc6767..6d54a54190e1 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/moved-locals.rs @@ -34,6 +34,7 @@ impl Drop for Foo { } fn move_before_yield() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); let _second = first; @@ -45,6 +46,7 @@ fn move_before_yield() -> impl Coroutine { fn noop() {} fn move_before_yield_with_noop() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); noop(); @@ -57,6 +59,7 @@ fn move_before_yield_with_noop() -> impl Coroutine { // Today we don't have NRVO (we allocate space for both `first` and `second`,) // but we can overlap `first` with `_third`. fn overlap_move_points() -> impl Coroutine { + #[coroutine] static || { let first = Foo([0; FOO_SIZE]); yield; @@ -68,6 +71,7 @@ fn overlap_move_points() -> impl Coroutine { } fn overlap_x_and_y() -> impl Coroutine { + #[coroutine] static || { let x = Foo([0; FOO_SIZE]); yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs b/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs index 0d770380e2b9..8dfd8cdf065c 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/nested-generators.rs @@ -9,14 +9,17 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let _coroutine = || { - let mut sub_coroutine = || { + let _coroutine = #[coroutine] + || { + let mut sub_coroutine = #[coroutine] + || { yield 2; }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs index 5de21166c318..68b0a8589d3c 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator-size.rs @@ -11,6 +11,7 @@ // run-pass #![feature(coroutines)] +#![feature(stmt_expr_attributes)] use std::mem::size_of_val; @@ -19,7 +20,8 @@ fn take(_: T) {} #[kani::proof] fn main() { let x = false; - let gen1 = || { + let gen1 = #[coroutine] + || { yield; take(x); }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs index 170a356fb318..f882459910ec 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/niche-in-generator.rs @@ -11,6 +11,7 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -22,7 +23,8 @@ fn take(_: T) {} #[kani::proof] fn main() { let x = false; - let mut gen1 = || { + let mut gen1 = #[coroutine] + || { yield; take(x); }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs index d22ed53f8b60..d7be6ba706f5 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals-size.rs @@ -9,10 +9,12 @@ // run-pass #![feature(coroutines)] +#![feature(stmt_expr_attributes)] #[kani::proof] fn main() { - let a = || { + let a = #[coroutine] + || { { let w: i32 = 4; yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs index 6033b2f06a99..56ba9d346d33 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/overlap-locals.rs @@ -9,13 +9,15 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let mut a = || { + let mut a = #[coroutine] + || { { let w: i32 = 4; yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs index f59ef260bcda..958c3ea81d22 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg-size.rs @@ -7,6 +7,7 @@ // See GitHub history for details. #![feature(coroutines)] +#![feature(stmt_expr_attributes)] // run-pass @@ -15,7 +16,8 @@ use std::mem::size_of_val; #[kani::proof] fn main() { // Coroutine taking a `Copy`able resume arg. - let gen_copy = |mut x: usize| { + let gen_copy = #[coroutine] + |mut x: usize| { loop { drop(x); x = yield; @@ -23,7 +25,8 @@ fn main() { }; // Coroutine taking a non-`Copy` resume arg. - let gen_move = |mut x: Box| { + let gen_move = #[coroutine] + |mut x: Box| { loop { drop(x); x = yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs index 0c2c87f5eb2e..c514ebf03eb7 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/resume-arg.rs @@ -7,6 +7,7 @@ // See GitHub history for details. #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -18,7 +19,8 @@ use std::mem::size_of_val; #[kani::proof] fn main() { // Coroutine taking a `Copy`able resume arg. - let mut gen_copy = |mut x: usize| { + let mut gen_copy = #[coroutine] + |mut x: usize| { loop { drop(x); x = yield; @@ -26,7 +28,8 @@ fn main() { }; // Coroutine taking a non-`Copy` resume arg. - let mut gen_move = |mut x: Box| { + let mut gen_move = #[coroutine] + |mut x: Box| { loop { drop(x); x = yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs b/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs index 10d4d36223d5..48c07a1a1fe8 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/resume-live-across-yield.rs @@ -9,6 +9,7 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -28,7 +29,8 @@ impl Drop for Dropper { #[kani::proof] #[kani::unwind(16)] fn main() { - let mut g = |mut _d| { + let mut g = #[coroutine] + |mut _d| { _d = yield; _d }; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs b/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs index 85c75bc8147d..cc63b6b21186 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/smoke-resume-args.rs @@ -12,6 +12,7 @@ //[nomiropt]compile-flags: -Z mir-opt-level=0 #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::fmt::Debug; use std::marker::Unpin; @@ -61,7 +62,8 @@ fn expect_drops(expected_drops: usize, f: impl FnOnce() -> T) -> T { #[kani::unwind(8)] fn main() { drain( - &mut |mut b| { + &mut #[coroutine] + |mut b| { while b != 0 { b = yield (b + 1); } @@ -70,21 +72,35 @@ fn main() { vec![(1, Yielded(2)), (-45, Yielded(-44)), (500, Yielded(501)), (0, Complete(-1))], ); - expect_drops(2, || drain(&mut |a| yield a, vec![(DropMe, Yielded(DropMe))])); + expect_drops(2, || { + drain( + &mut #[coroutine] + |a| yield a, + vec![(DropMe, Yielded(DropMe))], + ) + }); expect_drops(6, || { drain( - &mut |a| yield yield a, + &mut #[coroutine] + |a| yield yield a, vec![(DropMe, Yielded(DropMe)), (DropMe, Yielded(DropMe)), (DropMe, Complete(DropMe))], ) }); #[allow(unreachable_code)] - expect_drops(2, || drain(&mut |a| yield return a, vec![(DropMe, Complete(DropMe))])); + expect_drops(2, || { + drain( + &mut #[coroutine] + |a| yield return a, + vec![(DropMe, Complete(DropMe))], + ) + }); expect_drops(2, || { drain( - &mut |a: DropMe| { + &mut #[coroutine] + |a: DropMe| { if false { yield () } else { a } }, vec![(DropMe, Complete(DropMe))], @@ -94,7 +110,8 @@ fn main() { expect_drops(4, || { drain( #[allow(unused_assignments, unused_variables)] - &mut |mut a: DropMe| { + &mut #[coroutine] + |mut a: DropMe| { a = yield; a = yield; a = yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs b/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs index 2b9aa40a06c0..c69513d00d99 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/smoke.rs @@ -15,6 +15,7 @@ // compile-flags: --test #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; @@ -22,7 +23,8 @@ use std::thread; #[kani::proof] fn simple() { - let mut foo = || { + let mut foo = #[coroutine] + || { if false { yield; } @@ -38,7 +40,8 @@ fn simple() { #[kani::unwind(4)] fn return_capture() { let a = String::from("foo"); - let mut foo = || { + let mut foo = #[coroutine] + || { if false { yield; } @@ -53,7 +56,8 @@ fn return_capture() { #[kani::proof] fn simple_yield() { - let mut foo = || { + let mut foo = #[coroutine] + || { yield; }; @@ -71,7 +75,8 @@ fn simple_yield() { #[kani::unwind(4)] fn yield_capture() { let b = String::from("foo"); - let mut foo = || { + let mut foo = #[coroutine] + || { yield b; }; @@ -88,7 +93,8 @@ fn yield_capture() { #[kani::proof] #[kani::unwind(4)] fn simple_yield_value() { - let mut foo = || { + let mut foo = #[coroutine] + || { yield String::from("bar"); return String::from("foo"); }; @@ -107,7 +113,8 @@ fn simple_yield_value() { #[kani::unwind(4)] fn return_after_yield() { let a = String::from("foo"); - let mut foo = || { + let mut foo = #[coroutine] + || { yield; return a; }; @@ -124,43 +131,65 @@ fn return_after_yield() { // This test is useless for Kani fn send_and_sync() { - assert_send_sync(|| yield); - assert_send_sync(|| { - yield String::from("foo"); - }); - assert_send_sync(|| { - yield; - return String::from("foo"); - }); + assert_send_sync( + #[coroutine] + || yield, + ); + assert_send_sync( + #[coroutine] + || { + yield String::from("foo"); + }, + ); + assert_send_sync( + #[coroutine] + || { + yield; + return String::from("foo"); + }, + ); let a = 3; - assert_send_sync(|| { - yield a; - return; - }); + assert_send_sync( + #[coroutine] + || { + yield a; + return; + }, + ); let a = 3; - assert_send_sync(move || { - yield a; - return; - }); + assert_send_sync( + #[coroutine] + move || { + yield a; + return; + }, + ); let a = String::from("a"); - assert_send_sync(|| { - yield; - drop(a); - return; - }); + assert_send_sync( + #[coroutine] + || { + yield; + drop(a); + return; + }, + ); let a = String::from("a"); - assert_send_sync(move || { - yield; - drop(a); - return; - }); + assert_send_sync( + #[coroutine] + move || { + yield; + drop(a); + return; + }, + ); fn assert_send_sync(_: T) {} } // Kani does not support threads, so we cannot run this test: fn send_over_threads() { - let mut foo = || yield; + let mut foo = #[coroutine] + || yield; thread::spawn(move || { match Pin::new(&mut foo).resume(()) { CoroutineState::Yielded(()) => {} @@ -175,7 +204,8 @@ fn send_over_threads() { .unwrap(); let a = String::from("a"); - let mut foo = || yield a; + let mut foo = #[coroutine] + || yield a; thread::spawn(move || { match Pin::new(&mut foo).resume(()) { CoroutineState::Yielded(ref s) if *s == "a" => {} diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs b/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs index 52f89438255a..9b8ca468f9ee 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/static-generator.rs @@ -9,13 +9,15 @@ // run-pass #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::{Coroutine, CoroutineState}; use std::pin::Pin; #[kani::proof] fn main() { - let mut coroutine = static || { + let mut coroutine = #[coroutine] + static || { let a = true; let b = &a; yield; diff --git a/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs b/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs index 5dbf580f5f57..79d6798855ff 100644 --- a/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs +++ b/tests/kani/Coroutines/rustc-coroutine-tests/yield-in-box.rs @@ -10,6 +10,7 @@ // Test that box-statements with yields in them work. #![feature(coroutines, coroutine_trait)] +#![feature(stmt_expr_attributes)] use std::ops::Coroutine; use std::ops::CoroutineState; use std::pin::Pin; @@ -17,6 +18,7 @@ use std::pin::Pin; #[kani::proof] fn main() { let x = 0i32; + #[coroutine] || { //~ WARN unused coroutine that must be used let y = 2u32; @@ -28,7 +30,8 @@ fn main() { } }; - let mut g = |_| Box::new(yield); + let mut g = #[coroutine] + |_| Box::new(yield); assert_eq!(Pin::new(&mut g).resume(1), CoroutineState::Yielded(())); assert_eq!(Pin::new(&mut g).resume(2), CoroutineState::Complete(Box::new(2))); } diff --git a/tests/kani/FatPointers/metadata.rs b/tests/kani/FatPointers/metadata.rs new file mode 100644 index 000000000000..f76798e0f9f4 --- /dev/null +++ b/tests/kani/FatPointers/metadata.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +#![feature(ptr_metadata)] + +struct S { + x: i32, +} + +trait T {} + +impl T for S {} + +#[kani::proof] +fn ptr_metadata() { + assert_eq!(std::ptr::metadata("foo"), 3_usize); + + let s = S { x: 42 }; + let p: &dyn T = &s; + assert_eq!(std::ptr::metadata(p).size_of(), 4_usize); + + let c: char = 'c'; + assert_eq!(std::ptr::metadata(&c), ()); +} diff --git a/tests/kani/FunctionCall/marker_tuple.rs b/tests/kani/FunctionCall/marker_tuple.rs new file mode 100644 index 000000000000..ec8b98a9d640 --- /dev/null +++ b/tests/kani/FunctionCall/marker_tuple.rs @@ -0,0 +1,13 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Test that Kani can properly handle the "rust-call" ABI with an empty tuple. +//! Issue first reported here: + +#![feature(unboxed_closures, tuple_trait)] + +extern "rust-call" fn foo(_: T) {} + +#[kani::proof] +fn main() { + foo(()); +} diff --git a/tests/kani/FunctionCall/type_check.rs b/tests/kani/FunctionCall/type_check.rs new file mode 100644 index 000000000000..6694cabdbb94 --- /dev/null +++ b/tests/kani/FunctionCall/type_check.rs @@ -0,0 +1,31 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Test that Kani can properly handle the ABI of virtual calls with ZST arguments. +//! Issue first reported here: +use std::any::TypeId; +use std::error::Error; +use std::fmt::{Debug, Display, Formatter}; + +struct MyError; + +impl Debug for MyError { + fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { + todo!() + } +} + +impl Display for MyError { + fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { + todo!() + } +} + +impl Error for MyError {} + +#[kani::proof] +fn is_same_error() { + let e = MyError; + let d = &e as &(dyn Error); + assert!(d.is::()); + assert!(!d.is::()); +} diff --git a/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs b/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs index 9e76a55a2cb3..ba482248898c 100644 --- a/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs +++ b/tests/kani/Intrinsics/AlignOfVal/align_of_basic.rs @@ -30,13 +30,13 @@ fn main() { assert!(min_align_of_val(&0i16) == 2); assert!(min_align_of_val(&0i32) == 4); assert!(min_align_of_val(&0i64) == 8); - assert!(min_align_of_val(&0i128) == 8); + assert!(min_align_of_val(&0i128) == 16); assert!(min_align_of_val(&0isize) == 8); assert!(min_align_of_val(&0u8) == 1); assert!(min_align_of_val(&0u16) == 2); assert!(min_align_of_val(&0u32) == 4); assert!(min_align_of_val(&0u64) == 8); - assert!(min_align_of_val(&0u128) == 8); + assert!(min_align_of_val(&0u128) == 16); assert!(min_align_of_val(&0usize) == 8); assert!(min_align_of_val(&0f32) == 4); assert!(min_align_of_val(&0f64) == 8); diff --git a/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs b/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs index e1b3e1dd4491..426f09de1a59 100644 --- a/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs +++ b/tests/kani/Intrinsics/AlignOfVal/align_of_fat_ptr.rs @@ -19,7 +19,7 @@ fn check_align_simple() { let a = A { id: 0 }; let t: &dyn T = &a; #[cfg(target_arch = "x86_64")] - assert_eq!(align_of_val(t), 8); + assert_eq!(align_of_val(t), 16); #[cfg(target_arch = "aarch64")] assert_eq!(align_of_val(t), 16); assert_eq!(align_of_val(&t), 8); diff --git a/tests/kani/Intrinsics/Atomic/Stable/AtomicPtr/main.rs b/tests/kani/Intrinsics/Atomic/Stable/AtomicPtr/main.rs new file mode 100644 index 000000000000..4e9d68619fd7 --- /dev/null +++ b/tests/kani/Intrinsics/Atomic/Stable/AtomicPtr/main.rs @@ -0,0 +1,72 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// Test atomic intrinsics through the stable interface of atomic_ptr. +// Specifically, it checks that Kani correctly handles atomic_ptr's fetch methods, in which the second argument is a pointer type. +// These methods were not correctly handled as explained in https://github.com/model-checking/kani/issues/3042. + +#![feature(strict_provenance_atomic_ptr, strict_provenance)] +use std::sync::atomic::{AtomicPtr, Ordering}; + +#[kani::proof] +fn check_fetch_byte_add() { + let atom = AtomicPtr::::new(core::ptr::null_mut()); + assert_eq!(atom.fetch_byte_add(1, Ordering::Relaxed).addr(), 0); + // Note: in units of bytes, not `size_of::()`. + assert_eq!(atom.load(Ordering::Relaxed).addr(), 1); +} + +#[kani::proof] +fn check_fetch_byte_sub() { + let atom = AtomicPtr::::new(core::ptr::without_provenance_mut(1)); + assert_eq!(atom.fetch_byte_sub(1, Ordering::Relaxed).addr(), 1); + assert_eq!(atom.load(Ordering::Relaxed).addr(), 0); +} + +#[kani::proof] +fn check_fetch_and() { + let pointer = &mut 3i64 as *mut i64; + // A tagged pointer + let atom = AtomicPtr::::new(pointer.map_addr(|a| a | 1)); + assert_eq!(atom.fetch_or(1, Ordering::Relaxed).addr() & 1, 1); + // Untag, and extract the previously tagged pointer. + let untagged = atom.fetch_and(!1, Ordering::Relaxed).map_addr(|a| a & !1); + assert_eq!(untagged, pointer); +} + +#[kani::proof] +fn check_fetch_or() { + let pointer = &mut 3i64 as *mut i64; + + let atom = AtomicPtr::::new(pointer); + // Tag the bottom bit of the pointer. + assert_eq!(atom.fetch_or(1, Ordering::Relaxed).addr() & 1, 0); + // Extract and untag. + let tagged = atom.load(Ordering::Relaxed); + assert_eq!(tagged.addr() & 1, 1); + assert_eq!(tagged.map_addr(|p| p & !1), pointer); +} + +#[kani::proof] +fn check_fetch_update() { + let ptr: *mut _ = &mut 5; + let some_ptr = AtomicPtr::new(ptr); + + let new: *mut _ = &mut 10; + assert_eq!(some_ptr.fetch_update(Ordering::SeqCst, Ordering::SeqCst, |_| None), Err(ptr)); + let result = some_ptr.fetch_update(Ordering::SeqCst, Ordering::SeqCst, |x| { + if x == ptr { Some(new) } else { None } + }); + assert_eq!(result, Ok(ptr)); + assert_eq!(some_ptr.load(Ordering::SeqCst), new); +} + +#[kani::proof] +fn check_fetch_xor() { + let pointer = &mut 3i64 as *mut i64; + let atom = AtomicPtr::::new(pointer); + + // Toggle a tag bit on the pointer. + atom.fetch_xor(1, Ordering::Relaxed); + assert_eq!(atom.load(Ordering::Relaxed).addr() & 1, 1); +} diff --git a/tests/kani/Intrinsics/ConstEval/min_align_of.rs b/tests/kani/Intrinsics/ConstEval/min_align_of.rs index eed572b8dc9f..425f27084076 100644 --- a/tests/kani/Intrinsics/ConstEval/min_align_of.rs +++ b/tests/kani/Intrinsics/ConstEval/min_align_of.rs @@ -19,13 +19,13 @@ fn main() { assert!(min_align_of::() == 2); assert!(min_align_of::() == 4); assert!(min_align_of::() == 8); - assert!(min_align_of::() == 8); + assert!(min_align_of::() == 16); assert!(min_align_of::() == 8); assert!(min_align_of::() == 1); assert!(min_align_of::() == 2); assert!(min_align_of::() == 4); assert!(min_align_of::() == 8); - assert!(min_align_of::() == 8); + assert!(min_align_of::() == 16); assert!(min_align_of::() == 8); assert!(min_align_of::() == 4); assert!(min_align_of::() == 8); diff --git a/tests/kani/Intrinsics/ConstEval/pref_align_of.rs b/tests/kani/Intrinsics/ConstEval/pref_align_of.rs index 22ff342a8198..d495bffef5f8 100644 --- a/tests/kani/Intrinsics/ConstEval/pref_align_of.rs +++ b/tests/kani/Intrinsics/ConstEval/pref_align_of.rs @@ -19,13 +19,13 @@ fn main() { assert!(unsafe { pref_align_of::() } == 2); assert!(unsafe { pref_align_of::() } == 4); assert!(unsafe { pref_align_of::() } == 8); - assert!(unsafe { pref_align_of::() } == 8); + assert!(unsafe { pref_align_of::() } == 16); assert!(unsafe { pref_align_of::() } == 8); assert!(unsafe { pref_align_of::() } == 1); assert!(unsafe { pref_align_of::() } == 2); assert!(unsafe { pref_align_of::() } == 4); assert!(unsafe { pref_align_of::() } == 8); - assert!(unsafe { pref_align_of::() } == 8); + assert!(unsafe { pref_align_of::() } == 16); assert!(unsafe { pref_align_of::() } == 8); assert!(unsafe { pref_align_of::() } == 4); assert!(unsafe { pref_align_of::() } == 8); diff --git a/tests/kani/Intrinsics/Count/ctlz.rs b/tests/kani/Intrinsics/Count/ctlz.rs index 6c709137e5f4..9149b5bc8f54 100644 --- a/tests/kani/Intrinsics/Count/ctlz.rs +++ b/tests/kani/Intrinsics/Count/ctlz.rs @@ -11,7 +11,7 @@ use std::intrinsics::{ctlz, ctlz_nonzero}; // the same for any value macro_rules! test_ctlz { ( $fn_name:ident, $ty:ty ) => { - fn $fn_name(x: $ty) -> $ty { + fn $fn_name(x: $ty) -> u32 { let mut count = 0; let num_bits = <$ty>::BITS; for i in 0..num_bits { diff --git a/tests/kani/Intrinsics/Count/ctpop.rs b/tests/kani/Intrinsics/Count/ctpop.rs index d2eb972f83aa..19d3ac4fd5a6 100644 --- a/tests/kani/Intrinsics/Count/ctpop.rs +++ b/tests/kani/Intrinsics/Count/ctpop.rs @@ -10,7 +10,7 @@ use std::intrinsics::ctpop; // the same for any value macro_rules! test_ctpop { ( $fn_name:ident, $ty:ty ) => { - fn $fn_name(x: $ty) -> $ty { + fn $fn_name(x: $ty) -> u32 { let mut count = 0; let num_bits = <$ty>::BITS; for i in 0..num_bits { diff --git a/tests/kani/Intrinsics/Count/cttz.rs b/tests/kani/Intrinsics/Count/cttz.rs index fa7c5f6a03e5..0429c6efce08 100644 --- a/tests/kani/Intrinsics/Count/cttz.rs +++ b/tests/kani/Intrinsics/Count/cttz.rs @@ -11,7 +11,7 @@ use std::intrinsics::{cttz, cttz_nonzero}; // the same for any value macro_rules! test_cttz { ( $fn_name:ident, $ty:ty ) => { - fn $fn_name(x: $ty) -> $ty { + fn $fn_name(x: $ty) -> u32 { let mut count = 0; let num_bits = <$ty>::BITS; for i in 0..num_bits { diff --git a/tests/kani/Intrinsics/Likely/main.rs b/tests/kani/Intrinsics/Likely/main.rs index 524fbd18ddc8..14643241ef90 100644 --- a/tests/kani/Intrinsics/Likely/main.rs +++ b/tests/kani/Intrinsics/Likely/main.rs @@ -28,9 +28,15 @@ fn check_unlikely(x: i32, y: i32) { } #[kani::proof] -fn main() { +fn check_likely_main() { let x = kani::any(); let y = kani::any(); check_likely(x, y); +} + +#[kani::proof] +fn check_unlikely_main() { + let x = kani::any(); + let y = kani::any(); check_unlikely(x, y); } diff --git a/tests/kani/Intrinsics/Math/Arith/exp.rs b/tests/kani/Intrinsics/Math/Arith/exp.rs new file mode 100644 index 000000000000..4f26fc5b5b96 --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/exp.rs @@ -0,0 +1,24 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `expf32` and `expf64` intrinsics, which in turn invoke +// functions modelled in CBMC's math library. These models use approximations as documented in +// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_exp32() { + let two = 2.0_f32; + let two_sq = std::f32::consts::E * std::f32::consts::E; + let two_exp = two.exp(); + + assert!((two_sq - two_exp).abs() <= 0.192); +} + +#[kani::proof] +fn verify_exp64() { + let two = 2.0_f64; + let two_sq = std::f64::consts::E * std::f64::consts::E; + let two_exp = two.exp(); + + assert!((two_sq - two_exp).abs() <= 0.192); +} diff --git a/tests/kani/Intrinsics/Math/Arith/exp2.rs b/tests/kani/Intrinsics/Math/Arith/exp2.rs new file mode 100644 index 000000000000..91244a383a0a --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/exp2.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `exp2f32` and `exp2f64` intrinsics, which in turn invoke +// functions modelled in CBMC's math library. These models use approximations as documented in +// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_exp2_32() { + let two = 2.0_f32; + let two_two = two.exp2(); + + assert!((two_two - 4.0).abs() <= 0.345); +} + +#[kani::proof] +fn verify_exp2_64() { + let two = 2.0_f64; + let two_two = two.exp2(); + + assert!((two_two - 4.0).abs() <= 0.345); +} diff --git a/tests/kani/Intrinsics/Math/Arith/log.rs b/tests/kani/Intrinsics/Math/Arith/log.rs new file mode 100644 index 000000000000..1185e8ae4d82 --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/log.rs @@ -0,0 +1,22 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `logf32` and `logf64` intrinsics, which in turn invoke +// functions modelled in CBMC's math library. These models use approximations as documented in +// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_logf32() { + let e = std::f32::consts::E; + let e_log = e.ln(); + + assert!((e_log - 1.0).abs() <= 0.058); +} + +#[kani::proof] +fn verify_logf64() { + let e = std::f64::consts::E; + let e_log = e.ln(); + + assert!((e_log - 1.0).abs() <= 0.058); +} diff --git a/tests/kani/Intrinsics/Math/Arith/powf32.rs b/tests/kani/Intrinsics/Math/Arith/powf32.rs new file mode 100644 index 000000000000..f289171b64b8 --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/powf32.rs @@ -0,0 +1,15 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `powf32` intrinsic, which in turn invoke functions modelled in +// CBMC's math library. These models use approximations as documented in CBMC's source code: +// https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +#[kani::proof] +fn verify_pow() { + let x: f32 = kani::any(); + kani::assume(x.is_normal()); + kani::assume(x > 1.0 && x < u16::MAX.into()); + let x2 = x.powf(2.0); + assert!(x2 >= 0.0); +} diff --git a/tests/kani/Intrinsics/Math/Arith/powf64.rs b/tests/kani/Intrinsics/Math/Arith/powf64.rs new file mode 100644 index 000000000000..e80ad777c09a --- /dev/null +++ b/tests/kani/Intrinsics/Math/Arith/powf64.rs @@ -0,0 +1,30 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// This test will trigger use of the `powf64` intrinsic, which in turn invoke functions modelled in +// CBMC's math library. These models use approximations as documented in CBMC's source code: +// https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c. + +pub fn f(a: u64) -> u64 { + const C: f64 = 0.618; + (a as f64).powf(C) as u64 +} + +#[cfg(kani)] +mod verification { + use super::*; + + #[kani::proof] + fn verify_f() { + const LIMIT: u64 = 10; + let x: u64 = kani::any(); + let y: u64 = kani::any(); + // outside these limits our approximation may yield spurious results + kani::assume(x > LIMIT && x < LIMIT * 3); + kani::assume(y > LIMIT && y < LIMIT * 3); + kani::assume(x > y); + let x_ = f(x); + let y_ = f(y); + assert!(x_ >= y_); + } +} diff --git a/tests/kani/Intrinsics/Rotate/rotate_left.rs b/tests/kani/Intrinsics/Rotate/rotate_left.rs index d44ef1347745..eac46f968b03 100644 --- a/tests/kani/Intrinsics/Rotate/rotate_left.rs +++ b/tests/kani/Intrinsics/Rotate/rotate_left.rs @@ -24,7 +24,7 @@ macro_rules! test_rotate_left { let n: u32 = kani::any(); // Limit `n` to `u8::MAX` to avoid overflows kani::assume(n <= u8::MAX as u32); - let y: $ty = rotate_left(x, n as $ty); + let y: $ty = rotate_left(x, n); // Check that the rotation is correct $fn_name(x, y, n); // Check that the stable version returns the same value diff --git a/tests/kani/Intrinsics/Rotate/rotate_right.rs b/tests/kani/Intrinsics/Rotate/rotate_right.rs index 584821e5784f..9b88b1250b2f 100644 --- a/tests/kani/Intrinsics/Rotate/rotate_right.rs +++ b/tests/kani/Intrinsics/Rotate/rotate_right.rs @@ -31,7 +31,7 @@ macro_rules! test_rotate_right { let n: u32 = kani::any(); // Limit `n` to `u8::MAX` to avoid overflows kani::assume(n <= u8::MAX as u32); - let y: $ty = rotate_right(x, n as $ty); + let y: $ty = rotate_right(x, n); // Check that the rotation is correct $fn_name(x, y, n); // Check that the stable version returns the same value diff --git a/tests/kani/Intrinsics/SIMD/Compare/float.rs b/tests/kani/Intrinsics/SIMD/Compare/float.rs index 6d2113beb3a0..cc5765ef226b 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/float.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/float.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that intrinsics for SIMD vectors of signed integers are supported -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::*; #[repr(simd)] #[allow(non_camel_case_types)] @@ -19,17 +20,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq)] pub struct i32x2(i32, i32); -// The predicate type U in the functions below must -// be a SIMD type, otherwise we get a compilation error -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; - fn simd_ne(x: T, y: T) -> U; - fn simd_lt(x: T, y: T) -> U; - fn simd_le(x: T, y: T) -> U; - fn simd_gt(x: T, y: T) -> U; - fn simd_ge(x: T, y: T) -> U; -} - macro_rules! assert_cmp { ($res_cmp: ident, $simd_cmp: ident, $x: expr, $y: expr, $($res: expr),+) => { let $res_cmp: i32x2 = $simd_cmp($x, $y); diff --git a/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs b/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs index cc38ad81864d..d3582057fd00 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/result_type_is_same_size.rs @@ -3,7 +3,8 @@ //! Checks that storing the result of a vector operation in a vector of //! size equal to the operands' sizes works. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_eq; #[repr(simd)] #[allow(non_camel_case_types)] @@ -20,14 +21,6 @@ pub struct u64x2(u64, u64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u32x2(u32, u32); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; -} - #[kani::proof] fn main() { let x = u64x2(0, 0); diff --git a/tests/kani/Intrinsics/SIMD/Compare/signed.rs b/tests/kani/Intrinsics/SIMD/Compare/signed.rs index be93395fd2d9..cfd781fa64c7 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/signed.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/signed.rs @@ -2,26 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that intrinsics for SIMD vectors of signed integers are supported -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::*; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; - fn simd_ne(x: T, y: T) -> U; - fn simd_lt(x: T, y: T) -> U; - fn simd_le(x: T, y: T) -> U; - fn simd_gt(x: T, y: T) -> U; - fn simd_ge(x: T, y: T) -> U; -} - macro_rules! assert_cmp { ($res_cmp: ident, $simd_cmp: ident, $x: expr, $y: expr, $($res: expr),+) => { let $res_cmp: i64x2 = $simd_cmp($x, $y); diff --git a/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs b/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs index d30640f123d2..ee39f750c8a2 100644 --- a/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs +++ b/tests/kani/Intrinsics/SIMD/Compare/unsigned.rs @@ -2,26 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that intrinsics for SIMD vectors of unsigned integers are supported -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::*; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct u64x2(u64, u64); -// From : -// > The type checker ensures that `T` and `U` have the same length, and that -// > `U` is appropriately "boolean"-y. -// This means that `U` is allowed to be `i64` or `u64`, but not `f64`. -extern "platform-intrinsic" { - fn simd_eq(x: T, y: T) -> U; - fn simd_ne(x: T, y: T) -> U; - fn simd_lt(x: T, y: T) -> U; - fn simd_le(x: T, y: T) -> U; - fn simd_gt(x: T, y: T) -> U; - fn simd_ge(x: T, y: T) -> U; -} - macro_rules! assert_cmp { ($res_cmp: ident, $simd_cmp: ident, $x: expr, $y: expr, $($res: expr),+) => { let $res_cmp: u64x2 = $simd_cmp($x, $y); diff --git a/tests/kani/Intrinsics/SIMD/Construction/main.rs b/tests/kani/Intrinsics/SIMD/Construction/main.rs index 6e9116e4dc15..5de3ae20d868 100644 --- a/tests/kani/Intrinsics/SIMD/Construction/main.rs +++ b/tests/kani/Intrinsics/SIMD/Construction/main.rs @@ -3,18 +3,14 @@ //! Checks that the `simd_extract` and `simd_insert` intrinsics are supported //! and return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_extract, simd_insert}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x2(i64, i64); -extern "platform-intrinsic" { - fn simd_extract(x: T, idx: u32) -> U; - fn simd_insert(x: T, idx: u32, b: U) -> T; -} - #[kani::proof] fn main() { let y = i64x2(0, 1); diff --git a/tests/kani/Intrinsics/SIMD/Operators/arith.rs b/tests/kani/Intrinsics/SIMD/Operators/arith.rs index 6af147b826e0..d9f442a659ba 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/arith.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/arith.rs @@ -1,22 +1,16 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -//! This test doesn't work because support for SIMD intrinsics isn't available -//! at the moment in Kani. Support to be added in -//! -#![feature(repr_simd, platform_intrinsics)] +//! Checks that the SIMD intrinsics `simd_add`, `simd_sub` and +//! `simd_mul` are supported and return the expected results. +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_add, simd_mul, simd_sub}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i8x2(i8, i8); -extern "platform-intrinsic" { - fn simd_add(x: T, y: T) -> T; - fn simd_sub(x: T, y: T) -> T; - fn simd_mul(x: T, y: T) -> T; -} - macro_rules! verify_no_overflow { ($cf: ident, $uf: ident) => {{ let a: i8 = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs b/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs index 4d3293264b6e..6992408436b9 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/bitmask.rs @@ -6,16 +6,11 @@ //! This is done by initializing vectors with the contents of 2-member tuples //! with symbolic values. The result of using each of the intrinsics is compared //! against the result of using the associated bitwise operator on the tuples. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] #![feature(generic_const_exprs)] #![feature(portable_simd)] -#![feature(core_intrinsics)] - use std::fmt::Debug; - -extern "platform-intrinsic" { - fn simd_bitmask(x: T) -> U; -} +use std::intrinsics::simd::simd_bitmask; #[repr(simd)] #[derive(Clone, Debug)] diff --git a/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs b/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs index 1041f918123f..fa2cd3c52cd6 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/bitshift.rs @@ -3,7 +3,8 @@ //! Checks that the `simd_shl` and `simd_shr` intrinsics are supported and they //! return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_shl, simd_shr}; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,11 +16,6 @@ pub struct i32x2(i32, i32); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u32x2(u32, u32); -extern "platform-intrinsic" { - fn simd_shl(x: T, y: T) -> T; - fn simd_shr(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_shl() { let value = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs b/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs index aa53bb6ac9ea..b18410088f18 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/bitwise.rs @@ -8,7 +8,8 @@ //! This is done by initializing vectors with the contents of 2-member tuples //! with symbolic values. The result of using each of the intrinsics is compared //! against the result of using the associated bitwise operator on the tuples. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_and, simd_or, simd_xor}; #[repr(simd)] #[allow(non_camel_case_types)] @@ -50,11 +51,6 @@ pub struct u32x2(u32, u32); #[derive(Clone, Copy, PartialEq, Eq)] pub struct u64x2(u64, u64); -extern "platform-intrinsic" { - fn simd_and(x: T, y: T) -> T; - fn simd_or(x: T, y: T) -> T; - fn simd_xor(x: T, y: T) -> T; -} macro_rules! compare_simd_op_with_normal_op { ($simd_op: ident, $normal_op: tt, $simd_type: ident) => { let tup_x: (_,_) = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/division.rs b/tests/kani/Intrinsics/SIMD/Operators/division.rs index 593ac3fdfe7b..e1e8dab39cca 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/division.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/division.rs @@ -3,18 +3,14 @@ //! Checks that the `simd_div` and `simd_rem` intrinsics are supported and they //! return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::{simd_div, simd_rem}; #[repr(simd)] #[allow(non_camel_case_types)] #[derive(Clone, Copy, PartialEq, Eq)] pub struct i32x2(i32, i32); -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; - fn simd_rem(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_div() { let dividend = kani::any(); diff --git a/tests/kani/Intrinsics/SIMD/Operators/division_float.rs b/tests/kani/Intrinsics/SIMD/Operators/division_float.rs index 97ea2e6e7ca7..711b67b87116 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/division_float.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/division_float.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that the `simd_div` intrinsic returns the expected results for floating point numbers. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_div; #[repr(simd)] #[allow(non_camel_case_types)] @@ -19,10 +20,6 @@ impl f32x2 { } } -extern "platform-intrinsic" { - fn simd_div(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_div() { let dividends = f32x2::new_with(|| { diff --git a/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs b/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs index c97e96896bcf..e64498e20242 100644 --- a/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs +++ b/tests/kani/Intrinsics/SIMD/Operators/remainder_float_fixme.rs @@ -2,7 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR MIT //! Checks that the `simd_rem` intrinsic returns the expected results for floating point numbers. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_rem; #[repr(simd)] #[allow(non_camel_case_types)] @@ -19,10 +20,6 @@ impl f32x2 { } } -extern "platform-intrinsic" { - fn simd_rem(x: T, y: T) -> T; -} - #[kani::proof] fn test_simd_rem() { let dividends = f32x2::new_with(|| { diff --git a/tests/kani/Intrinsics/SIMD/Shuffle/main.rs b/tests/kani/Intrinsics/SIMD/Shuffle/main.rs index 6d822a18bdc1..9b6870e40004 100644 --- a/tests/kani/Intrinsics/SIMD/Shuffle/main.rs +++ b/tests/kani/Intrinsics/SIMD/Shuffle/main.rs @@ -3,7 +3,8 @@ //! Checks that `simd_shuffle` and `simd_shuffleN` (where `N` is a length) are //! supported and return the expected results. -#![feature(repr_simd, platform_intrinsics)] +#![feature(repr_simd, core_intrinsics)] +use std::intrinsics::simd::simd_shuffle; #[repr(simd)] #[allow(non_camel_case_types)] @@ -15,10 +16,6 @@ pub struct i64x2(i64, i64); #[derive(Clone, Copy, PartialEq, Eq)] pub struct i64x4(i64, i64, i64, i64); -extern "platform-intrinsic" { - fn simd_shuffle(x: T, y: T, idx: U) -> V; -} - #[kani::proof] fn main() { { diff --git a/tests/kani/Intrinsics/typed_swap.rs b/tests/kani/Intrinsics/typed_swap.rs new file mode 100644 index 000000000000..996784b5181d --- /dev/null +++ b/tests/kani/Intrinsics/typed_swap.rs @@ -0,0 +1,28 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// Check that `typed_swap` yields the expected results. +// https://doc.rust-lang.org/nightly/std/intrinsics/fn.typed_swap.html + +#![feature(core_intrinsics)] +#![allow(internal_features)] + +#[kani::proof] +fn test_typed_swap_u32() { + let mut a: u32 = kani::any(); + let a_before = a; + let mut b: u32 = kani::any(); + let b_before = b; + unsafe { + std::intrinsics::typed_swap(&mut a, &mut b); + } + assert!(b == a_before); + assert!(a == b_before); +} + +#[kani::proof] +pub fn check_swap_unit() { + let mut x: () = kani::any(); + let mut y: () = kani::any(); + std::mem::swap(&mut x, &mut y) +} diff --git a/tests/kani/Invariant/invariant_impls.rs b/tests/kani/Invariant/invariant_impls.rs new file mode 100644 index 000000000000..4f00f4134956 --- /dev/null +++ b/tests/kani/Invariant/invariant_impls.rs @@ -0,0 +1,38 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check the `Invariant` implementations that we include in the Kani library +//! with respect to the underlying type invariants. +extern crate kani; +use kani::Invariant; + +macro_rules! check_safe_type { + ( $type: ty ) => { + let value: $type = kani::any(); + assert!(value.is_safe()); + }; +} + +#[kani::proof] +fn check_safe_impls() { + check_safe_type!(u8); + check_safe_type!(u16); + check_safe_type!(u32); + check_safe_type!(u64); + check_safe_type!(u128); + check_safe_type!(usize); + + check_safe_type!(i8); + check_safe_type!(i16); + check_safe_type!(i32); + check_safe_type!(i64); + check_safe_type!(i128); + check_safe_type!(isize); + + check_safe_type!(f32); + check_safe_type!(f64); + + check_safe_type!(()); + check_safe_type!(bool); + check_safe_type!(char); +} diff --git a/tests/kani/Invariant/percentage.rs b/tests/kani/Invariant/percentage.rs new file mode 100644 index 000000000000..f3976f48e249 --- /dev/null +++ b/tests/kani/Invariant/percentage.rs @@ -0,0 +1,62 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Check that the `Invariant` implementation behaves as expected when used on a +//! custom type. + +extern crate kani; +use kani::Invariant; + +// We use the default `Arbitrary` implementation, which allows values that +// shouldn't be considered safe for the `Percentage` type. +#[derive(kani::Arbitrary)] +struct Percentage(u8); + +impl Percentage { + pub fn try_new(val: u8) -> Result { + if val <= 100 { + Ok(Self(val)) + } else { + Err(String::from("error: invalid percentage value")) + } + } + + pub fn value(&self) -> u8 { + self.0 + } + + pub fn increase(&self, other: u8) -> Percentage { + let amount = self.0 + other; + Percentage::try_new(amount.min(100)).unwrap() + } +} + +impl kani::Invariant for Percentage { + fn is_safe(&self) -> bool { + self.0 <= 100 + } +} + +#[kani::proof] +fn check_assume_safe() { + let percentage: Percentage = kani::any(); + kani::assume(percentage.is_safe()); + assert!(percentage.value() <= 100); +} + +#[kani::proof] +#[kani::should_panic] +fn check_assert_safe() { + let percentage: Percentage = kani::any(); + assert!(percentage.is_safe()); +} + +#[kani::proof] +fn check_increase_safe() { + let percentage: Percentage = kani::any(); + kani::assume(percentage.is_safe()); + let amount = kani::any(); + kani::assume(amount <= 100); + let new_percentage = percentage.increase(amount); + assert!(new_percentage.is_safe()); +} diff --git a/tests/kani/MemPredicates/fat_ptr_validity.rs b/tests/kani/MemPredicates/fat_ptr_validity.rs new file mode 100644 index 000000000000..c4f037f3a646 --- /dev/null +++ b/tests/kani/MemPredicates/fat_ptr_validity.rs @@ -0,0 +1,67 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z mem-predicates +//! Check that Kani's memory predicates work for fat pointers. + +extern crate kani; + +use kani::mem::{can_dereference, can_write}; + +mod valid_access { + use super::*; + #[kani::proof] + pub fn check_valid_dyn_ptr() { + let mut var = 10u8; + let fat_ptr: *mut dyn PartialEq = &mut var as *mut _; + assert!(can_write(fat_ptr)); + } + + #[kani::proof] + pub fn check_valid_slice_ptr() { + let array = ['a', 'b', 'c']; + let slice = &array as *const [char]; + assert!(can_dereference(slice)); + assert_eq!(unsafe { &*slice }[0], 'a'); + assert_eq!(unsafe { &*slice }[2], 'c'); + } + + #[kani::proof] + pub fn check_valid_zst() { + let slice_ptr = Vec::::new().as_slice() as *const [char]; + assert!(can_dereference(slice_ptr)); + + let str_ptr = String::new().as_str() as *const str; + assert!(can_dereference(str_ptr)); + } +} + +mod invalid_access { + use super::*; + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_dyn_ptr() { + let raw_ptr: *const dyn PartialEq = unsafe { new_dead_ptr::(0) }; + assert!(can_dereference(raw_ptr)); + } + + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_slice_ptr() { + let raw_ptr: *const [char] = unsafe { new_dead_ptr::<[char; 2]>(['a', 'b']) }; + assert!(can_dereference(raw_ptr)); + } + + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_slice_len() { + let array = [10usize; 10]; + let invalid: *const [usize; 11] = &array as *const [usize; 10] as *const [usize; 11]; + let ptr: *const [usize] = invalid as *const _; + assert!(can_dereference(ptr)); + } + + unsafe fn new_dead_ptr(val: T) -> *const T { + let local = val; + &local as *const _ + } +} diff --git a/tests/kani/MemPredicates/thin_ptr_validity.rs b/tests/kani/MemPredicates/thin_ptr_validity.rs new file mode 100644 index 000000000000..553c5beab9f8 --- /dev/null +++ b/tests/kani/MemPredicates/thin_ptr_validity.rs @@ -0,0 +1,60 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z mem-predicates +//! Check that Kani's memory predicates work for thin pointers. + +extern crate kani; + +use kani::mem::can_dereference; +use std::ptr::NonNull; + +mod valid_access { + use super::*; + #[kani::proof] + pub fn check_dangling_zst() { + let dangling = NonNull::<()>::dangling().as_ptr(); + assert!(can_dereference(dangling)); + + let vec_ptr = Vec::<()>::new().as_ptr(); + assert!(can_dereference(vec_ptr)); + + let dangling = NonNull::<[char; 0]>::dangling().as_ptr(); + assert!(can_dereference(dangling)); + } + + #[kani::proof] + pub fn check_valid_array() { + let array = ['a', 'b', 'c']; + assert!(can_dereference(&array)); + } +} + +mod invalid_access { + use super::*; + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_ptr() { + let raw_ptr = unsafe { new_dead_ptr::(0) }; + assert!(!can_dereference(raw_ptr)); + } + + #[kani::proof] + #[kani::should_panic] + pub fn check_invalid_array() { + let raw_ptr = unsafe { new_dead_ptr::<[char; 2]>(['a', 'b']) }; + assert!(can_dereference(raw_ptr)); + } + + #[kani::proof] + pub fn check_invalid_zst() { + let raw_ptr: *const [char; 0] = + unsafe { new_dead_ptr::<[char; 2]>(['a', 'b']) } as *const _; + // ZST pointer are always valid + assert!(can_dereference(raw_ptr)); + } + + unsafe fn new_dead_ptr(val: T) -> *const T { + let local = val; + &local as *const _ + } +} diff --git a/tests/kani/Print/no_semicolon.rs b/tests/kani/Print/no_semicolon.rs new file mode 100644 index 000000000000..bee09e628472 --- /dev/null +++ b/tests/kani/Print/no_semicolon.rs @@ -0,0 +1,17 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +// This test checks that the (e)println with no arguments do not require a trailing semicolon + +fn println() { + println!() +} +fn eprintln() { + eprintln!() +} + +#[kani::proof] +fn main() { + println(); + eprintln(); +} diff --git a/tests/kani/SIMD/simd_float_ops_fixme.rs b/tests/kani/SIMD/simd_float_ops_fixme.rs index d258a2119eca..6b53d95d554a 100644 --- a/tests/kani/SIMD/simd_float_ops_fixme.rs +++ b/tests/kani/SIMD/simd_float_ops_fixme.rs @@ -4,14 +4,10 @@ //! Ensure we can handle SIMD defined in the standard library //! FIXME: #![allow(non_camel_case_types)] -#![feature(repr_simd, platform_intrinsics, portable_simd)] +#![feature(repr_simd, core_intrinsics, portable_simd)] +use std::intrinsics::simd::simd_add; use std::simd::f32x4; -extern "platform-intrinsic" { - fn simd_add(x: T, y: T) -> T; - fn simd_eq(x: T, y: T) -> U; -} - #[repr(simd)] #[derive(Clone, PartialEq, kani::Arbitrary)] pub struct f32x2(f32, f32); diff --git a/tests/kani/SizeAndAlignOfDst/main_assert.rs b/tests/kani/SizeAndAlignOfDst/main_assert.rs new file mode 100644 index 000000000000..09f7b1b0c774 --- /dev/null +++ b/tests/kani/SizeAndAlignOfDst/main_assert.rs @@ -0,0 +1,58 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! This is a regression test for size_and_align_of_dst computing the +//! size and alignment of a dynamically-sized type like +//! Arc>. +//! + +/// This test fails on macos but not in other platforms. +/// Thus only enable it for platforms where this shall succeed. +#[cfg(not(target_os = "macos"))] +mod not_macos { + use std::sync::Arc; + use std::sync::Mutex; + + pub trait Subscriber { + fn process(&self); + fn increment(&mut self); + fn get(&self) -> u32; + } + + struct DummySubscriber { + val: u32, + } + + impl DummySubscriber { + fn new() -> Self { + DummySubscriber { val: 0 } + } + } + + impl Subscriber for DummySubscriber { + fn process(&self) {} + fn increment(&mut self) { + self.val = self.val + 1; + } + fn get(&self) -> u32 { + self.val + } + } + + #[kani::proof] + #[kani::unwind(2)] + fn simplified() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let data = s.lock().unwrap(); + assert!(data.get() == 0); + } + + #[kani::proof] + #[kani::unwind(1)] + fn original() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let mut data = s.lock().unwrap(); + data.increment(); + assert!(data.get() == 1); + } +} diff --git a/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs b/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs index 9173eca7db3c..25075bc910d9 100644 --- a/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs +++ b/tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs @@ -8,51 +8,64 @@ //! Arc>. //! We added a simplified version of the original harness from: //! -//! This currently fails due to -//! +//! This currently fails on MacOS instances due to unsupported foreign function: +//! `pthread_mutexattr_init`. -use std::sync::Arc; -use std::sync::Mutex; +#[cfg(target_os = "macos")] +mod macos { + use std::sync::Arc; + use std::sync::Mutex; -pub trait Subscriber { - fn process(&self); - fn increment(&mut self); - fn get(&self) -> u32; -} + pub trait Subscriber { + fn process(&self); + fn increment(&mut self); + fn get(&self) -> u32; + } -struct DummySubscriber { - val: u32, -} + struct DummySubscriber { + val: u32, + } -impl DummySubscriber { - fn new() -> Self { - DummySubscriber { val: 0 } + impl DummySubscriber { + fn new() -> Self { + DummySubscriber { val: 0 } + } } -} -impl Subscriber for DummySubscriber { - fn process(&self) {} - fn increment(&mut self) { - self.val = self.val + 1; + impl Subscriber for DummySubscriber { + fn process(&self) {} + fn increment(&mut self) { + self.val = self.val + 1; + } + fn get(&self) -> u32 { + self.val + } } - fn get(&self) -> u32 { - self.val + + #[kani::proof] + #[kani::unwind(2)] + fn simplified() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let data = s.lock().unwrap(); + assert!(data.get() == 0); } -} -#[kani::proof] -#[kani::unwind(2)] -fn simplified() { - let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); - let data = s.lock().unwrap(); - assert!(data.get() == 0); + #[kani::proof] + #[kani::unwind(1)] + fn original() { + let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); + let mut data = s.lock().unwrap(); + data.increment(); + assert!(data.get() == 1); + } } -#[kani::proof] -#[kani::unwind(1)] -fn original() { - let s: Arc> = Arc::new(Mutex::new(DummySubscriber::new())); - let mut data = s.lock().unwrap(); - data.increment(); - assert!(data.get() == 1); +#[cfg(not(target_os = "macos"))] +mod not_macos { + /// Since this is a fixme test, it must also fail in other platforms. + /// Remove this once we fix the issue above. + #[kani::proof] + fn fail() { + assert!(false); + } } diff --git a/tests/kani/Spurious/storage_fixme.rs b/tests/kani/Spurious/storage_fixme.rs new file mode 100644 index 000000000000..51d13f31bcef --- /dev/null +++ b/tests/kani/Spurious/storage_fixme.rs @@ -0,0 +1,652 @@ +// SPDX-License-Identifier: Apache-2.0 OR MIT +// +// Modifications Copyright Kani Contributors +// See GitHub history for details. + +// Our handling of storage markers causes spurious failures in this test. +// https://github.com/model-checking/kani/issues/3099 +// The code is extracted from the implementation of `BTreeMap` which is where we +// originally saw the spurious failures while trying to enable storage markers +// for `std` in https://github.com/model-checking/kani/pull/3080 + +use std::alloc::Layout; +use std::marker::PhantomData; +use std::mem::ManuallyDrop; + +use std::ptr::{self, NonNull}; + +/// This replaces the value behind the `v` unique reference by calling the +/// relevant function, and returns a result obtained along the way. +/// +/// If a panic occurs in the `change` closure, the entire process will be aborted. +#[inline] +fn replace(v: &mut T, change: impl FnOnce(T) -> (T, R)) -> R { + let value = unsafe { ptr::read(v) }; + let (new_value, ret) = change(value); + unsafe { + ptr::write(v, new_value); + } + ret +} + +const B: usize = 6; +const CAPACITY: usize = 2 * B - 1; + +/// The underlying representation of leaf nodes and part of the representation of internal nodes. +struct LeafNode { + /// We want to be covariant in `K` and `V`. + parent: Option>, + + /// This node's index into the parent node's `edges` array. + /// `*node.parent.edges[node.parent_idx]` should be the same thing as `node`. + /// This is only guaranteed to be initialized when `parent` is non-null. + parent_idx: u16, + + /// The number of keys and values this node stores. + len: u16, +} + +impl LeafNode { + /// Creates a new boxed `LeafNode`. + fn new() -> Box { + Box::new(LeafNode { parent: None, parent_idx: 0, len: 0 }) + } +} + +/// The underlying representation of internal nodes. As with `LeafNode`s, these should be hidden +/// behind `BoxedNode`s to prevent dropping uninitialized keys and values. Any pointer to an +/// `InternalNode` can be directly cast to a pointer to the underlying `LeafNode` portion of the +/// node, allowing code to act on leaf and internal nodes generically without having to even check +/// which of the two a pointer is pointing at. This property is enabled by the use of `repr(C)`. +// gdb_providers.py uses this type name for introspection. +struct InternalNode {} + +// N.B. `NodeRef` is always covariant in `K` and `V`, even when the `BorrowType` +// is `Mut`. This is technically wrong, but cannot result in any unsafety due to +// internal use of `NodeRef` because we stay completely generic over `K` and `V`. +// However, whenever a public type wraps `NodeRef`, make sure that it has the +// correct variance. +/// +/// A reference to a node. +/// +/// This type has a number of parameters that controls how it acts: +/// - `BorrowType`: A dummy type that describes the kind of borrow and carries a lifetime. +/// - When this is `Immut<'a>`, the `NodeRef` acts roughly like `&'a Node`. +/// - When this is `ValMut<'a>`, the `NodeRef` acts roughly like `&'a Node` +/// with respect to keys and tree structure, but also allows many +/// mutable references to values throughout the tree to coexist. +/// - When this is `Mut<'a>`, the `NodeRef` acts roughly like `&'a mut Node`, +/// although insert methods allow a mutable pointer to a value to coexist. +/// - When this is `Owned`, the `NodeRef` acts roughly like `Box`, +/// but does not have a destructor, and must be cleaned up manually. +/// - When this is `Dying`, the `NodeRef` still acts roughly like `Box`, +/// but has methods to destroy the tree bit by bit, and ordinary methods, +/// while not marked as unsafe to call, can invoke UB if called incorrectly. +/// Since any `NodeRef` allows navigating through the tree, `BorrowType` +/// effectively applies to the entire tree, not just to the node itself. +/// - `K` and `V`: These are the types of keys and values stored in the nodes. +/// - `Type`: This can be `Leaf`, `Internal`, or `LeafOrInternal`. When this is +/// `Leaf`, the `NodeRef` points to a leaf node, when this is `Internal` the +/// `NodeRef` points to an internal node, and when this is `LeafOrInternal` the +/// `NodeRef` could be pointing to either type of node. +/// `Type` is named `NodeType` when used outside `NodeRef`. +/// +/// Both `BorrowType` and `NodeType` restrict what methods we implement, to +/// exploit static type safety. There are limitations in the way we can apply +/// such restrictions: +/// - For each type parameter, we can only define a method either generically +/// or for one particular type. For example, we cannot define a method like +/// `into_kv` generically for all `BorrowType`, or once for all types that +/// carry a lifetime, because we want it to return `&'a` references. +/// Therefore, we define it only for the least powerful type `Immut<'a>`. +/// - We cannot get implicit coercion from say `Mut<'a>` to `Immut<'a>`. +/// Therefore, we have to explicitly call `reborrow` on a more powerful +/// `NodeRef` in order to reach a method like `into_kv`. +/// +/// All methods on `NodeRef` that return some kind of reference, either: +/// - Take `self` by value, and return the lifetime carried by `BorrowType`. +/// Sometimes, to invoke such a method, we need to call `reborrow_mut`. +/// - Take `self` by reference, and (implicitly) return that reference's +/// lifetime, instead of the lifetime carried by `BorrowType`. That way, +/// the borrow checker guarantees that the `NodeRef` remains borrowed as long +/// as the returned reference is used. +/// The methods supporting insert bend this rule by returning a raw pointer, +/// i.e., a reference without any lifetime. +struct NodeRef { + /// The number of levels that the node and the level of leaves are apart, a + /// constant of the node that cannot be entirely described by `Type`, and that + /// the node itself does not store. We only need to store the height of the root + /// node, and derive every other node's height from it. + /// Must be zero if `Type` is `Leaf` and non-zero if `Type` is `Internal`. + height: usize, + /// The pointer to the leaf or internal node. The definition of `InternalNode` + /// ensures that the pointer is valid either way. + node: NonNull, + _marker: PhantomData<(BorrowType, Type)>, +} + +/// The root node of an owned tree. +/// +/// Note that this does not have a destructor, and must be cleaned up manually. +type Root = NodeRef; + +impl NodeRef { + fn new_leaf() -> Self { + Self::from_new_leaf(LeafNode::new()) + } + + fn from_new_leaf(leaf: Box) -> Self { + NodeRef { height: 0, node: NonNull::from(Box::leak(leaf)), _marker: PhantomData } + } +} + +impl NodeRef { + /// Unpack a node reference that was packed as `NodeRef::parent`. + fn from_internal(node: NonNull, height: usize) -> Self { + debug_assert!(height > 0); + NodeRef { height, node: node.cast(), _marker: PhantomData } + } +} + +impl NodeRef { + /// Finds the length of the node. This is the number of keys or values. + /// The number of edges is `len() + 1`. + /// Note that, despite being safe, calling this function can have the side effect + /// of invalidating mutable references that unsafe code has created. + fn len(&self) -> usize { + // Crucially, we only access the `len` field here. If BorrowType is marker::ValMut, + // there might be outstanding mutable references to values that we must not invalidate. + unsafe { usize::from((*Self::as_leaf_ptr(self)).len) } + } + + /// Exposes the leaf portion of any leaf or internal node. + /// + /// Returns a raw ptr to avoid invalidating other references to this node. + fn as_leaf_ptr(this: &Self) -> *mut LeafNode { + // The node must be valid for at least the LeafNode portion. + // This is not a reference in the NodeRef type because we don't know if + // it should be unique or shared. + this.node.as_ptr() + } +} + +impl NodeRef { + /// Finds the parent of the current node. Returns `Ok(handle)` if the current + /// node actually has a parent, where `handle` points to the edge of the parent + /// that points to the current node. Returns `Err(self)` if the current node has + /// no parent, giving back the original `NodeRef`. + /// + /// The method name assumes you picture trees with the root node on top. + /// + /// `edge.descend().ascend().unwrap()` and `node.ascend().unwrap().descend()` should + /// both, upon success, do nothing. + fn ascend(self) -> Result, marker::Edge>, Self> { + // We need to use raw pointers to nodes because, if BorrowType is marker::ValMut, + // there might be outstanding mutable references to values that we must not invalidate. + let leaf_ptr: *const _ = Self::as_leaf_ptr(&self); + unsafe { (*leaf_ptr).parent } + .as_ref() + .map(|parent| Handle { + node: NodeRef::from_internal(*parent, self.height + 1), + idx: unsafe { usize::from((*leaf_ptr).parent_idx) }, + _marker: PhantomData, + }) + .ok_or(self) + } + + fn first_edge(self) -> Handle { + unsafe { Handle::new_edge(self, 0) } + } +} + +impl NodeRef { + /// Similar to `ascend`, gets a reference to a node's parent node, but also + /// deallocates the current node in the process. This is unsafe because the + /// current node will still be accessible despite being deallocated. + unsafe fn deallocate_and_ascend( + self, + ) -> Option, marker::Edge>> { + let height = self.height; + let node = self.node; + let ret = self.ascend().ok(); + unsafe { + std::alloc::dealloc( + node.as_ptr() as *mut u8, + if height > 0 { Layout::new::() } else { Layout::new::() }, + ); + } + ret + } +} + +impl<'a, Type> NodeRef, Type> { + /// Borrows exclusive access to the leaf portion of a leaf or internal node. + fn as_leaf_mut(&mut self) -> &mut LeafNode { + let ptr = Self::as_leaf_ptr(self); + // SAFETY: we have exclusive access to the entire node. + unsafe { &mut *ptr } + } +} + +impl<'a, Type> NodeRef, Type> { + /// Borrows exclusive access to the length of the node. + fn len_mut(&mut self) -> &mut u16 { + &mut self.as_leaf_mut().len + } +} + +impl NodeRef { + /// Mutably borrows the owned root node. Unlike `reborrow_mut`, this is safe + /// because the return value cannot be used to destroy the root, and there + /// cannot be other references to the tree. + fn borrow_mut(&mut self) -> NodeRef, Type> { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } + + /// Irreversibly transitions to a reference that permits traversal and offers + /// destructive methods and little else. + fn into_dying(self) -> NodeRef { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } +} + +impl<'a> NodeRef, marker::Leaf> { + /// Adds a key-value pair to the end of the node, and returns + /// a handle to the inserted value. + /// + /// # Safety + /// + /// The returned handle has an unbound lifetime. + unsafe fn push_with_handle<'b>( + &mut self, + ) -> Handle, marker::Leaf>, marker::KV> { + let len = self.len_mut(); + let idx = usize::from(*len); + assert!(idx < CAPACITY); + *len += 1; + unsafe { + Handle::new_kv( + NodeRef { height: self.height, node: self.node, _marker: PhantomData }, + idx, + ) + } + } + + /// Adds a key-value pair to the end of the node, and returns + /// the mutable reference of the inserted value. + fn push(&mut self) -> i32 { + // SAFETY: The unbound handle is no longer accessible. + let _ = unsafe { self.push_with_handle() }; + 0 + } +} + +impl NodeRef { + /// Removes any static information asserting that this node is a `Leaf` node. + fn forget_type(self) -> NodeRef { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } +} + +impl NodeRef { + /// Removes any static information asserting that this node is an `Internal` node. + fn forget_type(self) -> NodeRef { + NodeRef { height: self.height, node: self.node, _marker: PhantomData } + } +} + +impl NodeRef { + /// Checks whether a node is an `Internal` node or a `Leaf` node. + fn force(self) -> ForceResult> { + if self.height == 0 { + ForceResult::Leaf(NodeRef { + height: self.height, + node: self.node, + _marker: PhantomData, + }) + } else { + panic!() + } + } +} + +/// A reference to a specific key-value pair or edge within a node. The `Node` parameter +/// must be a `NodeRef`, while the `Type` can either be `KV` (signifying a handle on a key-value +/// pair) or `Edge` (signifying a handle on an edge). +/// +/// Note that even `Leaf` nodes can have `Edge` handles. Instead of representing a pointer to +/// a child node, these represent the spaces where child pointers would go between the key-value +/// pairs. For example, in a node with length 2, there would be 3 possible edge locations - one +/// to the left of the node, one between the two pairs, and one at the right of the node. +struct Handle { + node: Node, + idx: usize, + _marker: PhantomData, +} + +impl Handle { + /// Retrieves the node that contains the edge or key-value pair this handle points to. + fn into_node(self) -> Node { + self.node + } +} + +impl Handle, marker::KV> { + /// Creates a new handle to a key-value pair in `node`. + /// Unsafe because the caller must ensure that `idx < node.len()`. + unsafe fn new_kv(node: NodeRef, idx: usize) -> Self { + debug_assert!(idx < node.len()); + + Handle { node, idx, _marker: PhantomData } + } + + fn right_edge(self) -> Handle, marker::Edge> { + unsafe { Handle::new_edge(self.node, self.idx + 1) } + } +} + +impl Handle, marker::Edge> { + /// Creates a new handle to an edge in `node`. + /// Unsafe because the caller must ensure that `idx <= node.len()`. + unsafe fn new_edge(node: NodeRef, idx: usize) -> Self { + debug_assert!(idx <= node.len()); + + Handle { node, idx, _marker: PhantomData } + } + + fn right_kv(self) -> Result, marker::KV>, Self> { + if self.idx < self.node.len() { + Ok(unsafe { Handle::new_kv(self.node, self.idx) }) + } else { + Err(self) + } + } +} + +impl Handle, marker::Edge> { + fn forget_node_type(self) -> Handle, marker::Edge> { + unsafe { Handle::new_edge(self.node.forget_type(), self.idx) } + } +} + +impl Handle, marker::Edge> { + fn forget_node_type(self) -> Handle, marker::Edge> { + unsafe { Handle::new_edge(self.node.forget_type(), self.idx) } + } +} + +impl Handle, Type> { + /// Checks whether the underlying node is an `Internal` node or a `Leaf` node. + fn force(self) -> ForceResult, Type>> { + match self.node.force() { + ForceResult::Leaf(node) => { + ForceResult::Leaf(Handle { node, idx: self.idx, _marker: PhantomData }) + } + } + } +} +enum ForceResult { + Leaf(Leaf), +} + +mod marker { + use std::marker::PhantomData; + + pub enum Leaf {} + pub enum Internal {} + pub enum Owned {} + pub enum Dying {} + pub struct Mut<'a>(PhantomData<&'a mut ()>); + + pub trait BorrowType { + /// If node references of this borrow type allow traversing to other + /// nodes in the tree, this constant is set to `true`. It can be used + /// for a compile-time assertion. + const TRAVERSAL_PERMIT: bool = true; + } + impl BorrowType for Owned { + /// Reject traversal, because it isn't needed. Instead traversal + /// happens using the result of `borrow_mut`. + /// By disabling traversal, and only creating new references to roots, + /// we know that every reference of the `Owned` type is to a root node. + const TRAVERSAL_PERMIT: bool = false; + } + impl BorrowType for Dying {} + impl<'a> BorrowType for Mut<'a> {} + + pub enum KV {} + pub enum Edge {} +} + +enum LazyLeafHandle { + Root(NodeRef), // not yet descended + Edge(Handle, marker::Edge>), +} + +// `front` and `back` are always both `None` or both `Some`. +struct LazyLeafRange { + front: Option>, +} + +impl LazyLeafRange { + fn none() -> Self { + LazyLeafRange { front: None } + } +} + +impl LazyLeafRange { + fn take_front(&mut self) -> Option, marker::Edge>> { + match self.front.take()? { + LazyLeafHandle::Root(root) => Some(root.first_leaf_edge()), + LazyLeafHandle::Edge(edge) => Some(edge), + } + } + + #[inline] + unsafe fn deallocating_next_unchecked( + &mut self, + ) -> Handle, marker::KV> { + debug_assert!(self.front.is_some()); + let front = self.init_front().unwrap(); + unsafe { front.deallocating_next_unchecked() } + } + + #[inline] + fn deallocating_end(&mut self) { + if let Some(front) = self.take_front() { + front.deallocating_end() + } + } +} + +impl LazyLeafRange { + fn init_front( + &mut self, + ) -> Option<&mut Handle, marker::Edge>> { + if let Some(LazyLeafHandle::Root(root)) = &self.front { + self.front = Some(LazyLeafHandle::Edge(unsafe { ptr::read(root) }.first_leaf_edge())); + } + match &mut self.front { + None => None, + Some(LazyLeafHandle::Edge(edge)) => Some(edge), + // SAFETY: the code above would have replaced it. + Some(LazyLeafHandle::Root(_)) => panic!(), + } + } +} + +fn full_range( + root1: NodeRef, +) -> LazyLeafRange { + LazyLeafRange { front: Some(LazyLeafHandle::Root(root1)) } +} + +impl NodeRef { + /// Splits a unique reference into a pair of leaf edges delimiting the full range of the tree. + /// The results are non-unique references allowing massively destructive mutation, so must be + /// used with the utmost care. + fn full_range(self) -> LazyLeafRange { + // We duplicate the root NodeRef here -- we will never access it in a way + // that overlaps references obtained from the root. + full_range(self) + } +} + +impl Handle, marker::Edge> { + /// Given a leaf edge handle into a dying tree, returns the next leaf edge + /// on the right side, and the key-value pair in between, if they exist. + /// + /// If the given edge is the last one in a leaf, this method deallocates + /// the leaf, as well as any ancestor nodes whose last edge was reached. + /// This implies that if no more key-value pair follows, the entire tree + /// will have been deallocated and there is nothing left to return. + /// + /// # Safety + /// - The given edge must not have been previously returned by counterpart + /// `deallocating_next_back`. + /// - The returned KV handle is only valid to access the key and value, + /// and only valid until the next call to a `deallocating_` method. + unsafe fn deallocating_next( + self, + ) -> Option<(Self, Handle, marker::KV>)> { + let mut edge = self.forget_node_type(); + loop { + edge = match edge.right_kv() { + Ok(kv) => return Some((unsafe { ptr::read(&kv) }.next_leaf_edge(), kv)), + Err(last_edge) => match unsafe { last_edge.into_node().deallocate_and_ascend() } { + Some(parent_edge) => parent_edge.forget_node_type(), + None => return None, + }, + } + } + } + + /// Deallocates a pile of nodes from the leaf up to the root. + /// This is the only way to deallocate the remainder of a tree after + /// `deallocating_next` and `deallocating_next_back` have been nibbling at + /// both sides of the tree, and have hit the same edge. As it is intended + /// only to be called when all keys and values have been returned, + /// no cleanup is done on any of the keys or values. + fn deallocating_end(self) { + let mut edge = self.forget_node_type(); + while let Some(parent_edge) = unsafe { edge.into_node().deallocate_and_ascend() } { + edge = parent_edge.forget_node_type(); + } + } +} + +impl Handle, marker::Edge> { + /// Moves the leaf edge handle to the next leaf edge and returns the key and value + /// in between, deallocating any node left behind while leaving the corresponding + /// edge in its parent node dangling. + /// + /// # Safety + /// - There must be another KV in the direction travelled. + /// - That KV was not previously returned by counterpart + /// `deallocating_next_back_unchecked` on any copy of the handles + /// being used to traverse the tree. + /// + /// The only safe way to proceed with the updated handle is to compare it, drop it, + /// or call this method or counterpart `deallocating_next_back_unchecked` again. + unsafe fn deallocating_next_unchecked( + &mut self, + ) -> Handle, marker::KV> { + replace(self, |leaf_edge| unsafe { leaf_edge.deallocating_next().unwrap() }) + } +} + +impl NodeRef { + /// Returns the leftmost leaf edge in or underneath a node - in other words, the edge + /// you need first when navigating forward (or last when navigating backward). + #[inline] + fn first_leaf_edge(self) -> Handle, marker::Edge> { + let node = self; + match node.force() { + ForceResult::Leaf(leaf) => return leaf.first_edge(), + } + } +} + +impl Handle, marker::KV> { + /// Returns the leaf edge closest to a KV for forward navigation. + fn next_leaf_edge(self) -> Handle, marker::Edge> { + match self.force() { + ForceResult::Leaf(leaf_kv) => leaf_kv.right_edge(), + } + } +} + +struct Foo { + root: Option, + length: usize, +} + +impl Drop for Foo { + fn drop(&mut self) { + drop(unsafe { core::ptr::read(self) }.into_iter()) + } +} + +impl IntoIterator for Foo { + type Item = (); + type IntoIter = IntoIter; + + fn into_iter(self) -> IntoIter { + let mut me = ManuallyDrop::new(self); + if let Some(root) = me.root.take() { + let full_range = root.into_dying().full_range(); + + IntoIter { range: full_range, length: me.length } + } else { + IntoIter { range: LazyLeafRange::none(), length: 0 } + } + } +} + +impl Drop for IntoIter { + fn drop(&mut self) { + while let Some(_kv) = self.dying_next() {} + } +} + +impl IntoIter { + /// Core of a `next` method returning a dying KV handle, + /// invalidated by further calls to this function and some others. + fn dying_next(&mut self) -> Option, marker::KV>> { + if self.length == 0 { + self.range.deallocating_end(); + None + } else { + self.length -= 1; + Some(unsafe { self.range.deallocating_next_unchecked() }) + } + } +} + +impl Iterator for IntoIter { + type Item = (); + + fn next(&mut self) -> Option<()> { + None + } +} + +/// An owning iterator over the entries of a `BTreeMap`. +/// +/// This `struct` is created by the [`into_iter`] method on [`BTreeMap`] +/// (provided by the [`IntoIterator`] trait). See its documentation for more. +/// +/// [`into_iter`]: IntoIterator::into_iter +struct IntoIter { + range: LazyLeafRange, + length: usize, +} + +#[cfg_attr(kani, kani::proof, kani::unwind(3))] +fn check_storagemarker_btreemap() { + let mut f = Foo { root: None, length: 0 }; + let mut root: NodeRef = NodeRef::new_leaf(); + root.borrow_mut().push(); + f.root = Some(root.forget_type()); + f.length = 1; +} diff --git a/tests/kani/Tuple/tuple_trait.rs b/tests/kani/Tuple/tuple_trait.rs new file mode 100644 index 000000000000..d775b393b0b8 --- /dev/null +++ b/tests/kani/Tuple/tuple_trait.rs @@ -0,0 +1,19 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Tests support for functions declared with "rust-call" ABI and an empty set of arguments. +#![feature(unboxed_closures, tuple_trait)] + +extern "rust-call" fn foo(_: T) -> usize { + static mut COUNTER: usize = 0; + unsafe { + COUNTER += 1; + COUNTER + } +} + +#[kani::proof] +fn main() { + assert_eq!(foo(()), 1); + assert_eq!(foo(()), 2); +} diff --git a/tests/kani/ValidValues/constants.rs b/tests/kani/ValidValues/constants.rs new file mode 100644 index 000000000000..5230e6e5e6cb --- /dev/null +++ b/tests/kani/ValidValues/constants.rs @@ -0,0 +1,40 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when it is reading from a constant. +//! Note that this UB will be removed for `-Z mir-opt-level=2` + +#[kani::proof] +fn transmute_valid_bool() { + let _b = unsafe { std::mem::transmute::(1) }; +} + +#[kani::proof] +fn cast_to_valid_char() { + let _c = unsafe { *(&100u32 as *const u32 as *const char) }; +} + +#[kani::proof] +fn cast_to_valid_offset() { + let val = [100u32, 80u32]; + let _c = unsafe { *(&val as *const [u32; 2] as *const [char; 2]) }; +} + +#[kani::proof] +#[kani::should_panic] +fn transmute_invalid_bool() { + let _b = unsafe { std::mem::transmute::(2) }; +} + +#[kani::proof] +#[kani::should_panic] +fn cast_to_invalid_char() { + let _c = unsafe { *(&u32::MAX as *const u32 as *const char) }; +} + +#[kani::proof] +#[kani::should_panic] +fn cast_to_invalid_offset() { + let val = [100u32, u32::MAX]; + let _c = unsafe { *(&val as *const [u32; 2] as *const [char; 2]) }; +} diff --git a/tests/kani/ValidValues/custom_niche.rs b/tests/kani/ValidValues/custom_niche.rs new file mode 100644 index 000000000000..b282fec3c645 --- /dev/null +++ b/tests/kani/ValidValues/custom_niche.rs @@ -0,0 +1,119 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when using niche attribute for a custom operation. +#![feature(rustc_attrs)] + +use std::mem::size_of; +use std::{mem, ptr}; + +/// A possible implementation for a system of rating that defines niche. +/// A Rating represents the number of stars of a given product (1..=5). +#[rustc_layout_scalar_valid_range_start(1)] +#[rustc_layout_scalar_valid_range_end(5)] +#[derive(Copy, Clone, Debug, PartialEq, Eq)] +pub struct Rating { + stars: u8, +} + +impl kani::Arbitrary for Rating { + fn any() -> Self { + let stars = kani::any_where(|s: &u8| *s >= 1 && *s <= 5); + unsafe { Rating { stars } } + } +} + +impl Rating { + /// Buggy version of new. Note that this still creates an invalid Rating. + /// + /// This is because `then_some` eagerly create the Rating value before assessing the condition. + /// Even though the value is never used, it is still considered UB. + pub fn new(value: u8) -> Option { + (value > 0 && value <= 5).then_some(unsafe { Rating { stars: value } }) + } + + pub unsafe fn new_unchecked(stars: u8) -> Rating { + Rating { stars } + } +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_new_with_ub() { + assert_eq!(Rating::new(10), None); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_unchecked_new_ub() { + let val = kani::any(); + assert_eq!(unsafe { Rating::new_unchecked(val).stars }, val); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_new_with_ub_limits() { + let stars = kani::any_where(|s: &u8| *s == 0 || *s > 5); + let _ = Rating::new(stars); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_dereference() { + let any: u8 = kani::any(); + let _rating: Rating = unsafe { *(&any as *const _ as *const _) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_transmute() { + let any: u8 = kani::any(); + let _rating: Rating = unsafe { mem::transmute(any) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_transmute_copy() { + let any: u8 = kani::any(); + let _rating: Rating = unsafe { mem::transmute_copy(&any) }; +} + +/// This code does not trigger UB, and verification should succeed. +/// +/// FIX-ME: This is not supported today, and we fail due to unsupported check. +#[kani::proof] +#[kani::should_panic] +pub fn check_copy_nonoverlap() { + let stars = kani::any_where(|s: &u8| *s == 0 || *s > 5); + let mut rating: Rating = kani::any(); + unsafe { ptr::copy_nonoverlapping(&stars as *const _ as *const Rating, &mut rating, 1) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_copy_nonoverlap_ub() { + let any: u8 = kani::any(); + let mut rating: Rating = kani::any(); + unsafe { ptr::copy_nonoverlapping(&any as *const _ as *const Rating, &mut rating, 1) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_increment() { + let mut orig: Rating = kani::any(); + unsafe { orig.stars += 1 }; +} + +#[kani::proof] +pub fn check_valid_increment() { + let mut orig: Rating = kani::any(); + kani::assume(orig.stars < 5); + unsafe { orig.stars += 1 }; +} + +/// Check that the compiler relies on valid value range of Rating to implement niche optimization. +#[kani::proof] +pub fn check_niche() { + assert_eq!(size_of::(), size_of::>()); + assert_eq!(size_of::(), size_of::>>()); +} diff --git a/tests/kani/ValidValues/maybe_uninit.rs b/tests/kani/ValidValues/maybe_uninit.rs new file mode 100644 index 000000000000..620ad8ef5ba3 --- /dev/null +++ b/tests/kani/ValidValues/maybe_uninit.rs @@ -0,0 +1,21 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when converting from a maybe uninit(). + +use std::mem::MaybeUninit; +use std::num::NonZeroI64; + +#[kani::proof] +pub fn check_valid_zeroed() { + let maybe = MaybeUninit::zeroed(); + let val: u128 = unsafe { maybe.assume_init() }; + assert_eq!(val, 0); +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_zeroed() { + let maybe = MaybeUninit::zeroed(); + let _val: NonZeroI64 = unsafe { maybe.assume_init() }; +} diff --git a/tests/kani/ValidValues/non_null.rs b/tests/kani/ValidValues/non_null.rs new file mode 100644 index 000000000000..4874b61bf2d0 --- /dev/null +++ b/tests/kani/ValidValues/non_null.rs @@ -0,0 +1,26 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when unsafely writing to NonNull. + +use std::num::NonZeroU8; +use std::ptr::{self, NonNull}; + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_value() { + let _ = unsafe { NonNull::new_unchecked(ptr::null_mut::()) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_value_cfg() { + let nn = unsafe { NonNull::new_unchecked(ptr::null_mut::()) }; + // This should be unreachable. TODO: Make this expected test. + assert_ne!(unsafe { nn.as_ref() }, &10); +} + +#[kani::proof] +pub fn check_valid_dangling() { + let _ = unsafe { NonNull::new_unchecked(4 as *mut u32) }; +} diff --git a/tests/kani/ValidValues/write_bytes.rs b/tests/kani/ValidValues/write_bytes.rs new file mode 100644 index 000000000000..e4f73b1f3479 --- /dev/null +++ b/tests/kani/ValidValues/write_bytes.rs @@ -0,0 +1,21 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks +//! Check that Kani can identify UB when using write_bytes for initializing a variable. +#![feature(core_intrinsics)] + +#[kani::proof] +#[kani::should_panic] +pub fn check_invalid_write() { + let mut val = 'a'; + let ptr = &mut val as *mut char; + // Should fail given that we wrote invalid value to array of char. + unsafe { std::intrinsics::write_bytes(ptr, kani::any(), 1) }; +} + +#[kani::proof] +pub fn check_valid_write() { + let mut val = 10u128; + let ptr = &mut val as *mut _; + unsafe { std::intrinsics::write_bytes(ptr, kani::any(), 1) }; +} diff --git a/tests/kani/ValidValues/write_invalid.rs b/tests/kani/ValidValues/write_invalid.rs new file mode 100644 index 000000000000..05d3705bd69a --- /dev/null +++ b/tests/kani/ValidValues/write_invalid.rs @@ -0,0 +1,37 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +// kani-flags: -Z valid-value-checks + +//! Check that Kani can identify UB after writing an invalid value. +//! Writing invalid bytes is not UB as long as the incorrect value is not read. +//! However, we over-approximate for sake of simplicity and performance. + +use std::num::NonZeroU8; + +#[kani::proof] +#[kani::should_panic] +pub fn write_invalid_bytes_no_ub_with_spurious_cex() { + let mut non_zero: NonZeroU8 = kani::any(); + let dest = &mut non_zero as *mut _; + unsafe { std::intrinsics::write_bytes(dest, 0, 1) }; +} + +#[kani::proof] +#[kani::should_panic] +pub fn write_valid_before_read() { + let mut non_zero: NonZeroU8 = kani::any(); + let mut non_zero_2: NonZeroU8 = kani::any(); + let dest = &mut non_zero as *mut _; + unsafe { std::intrinsics::write_bytes(dest, 0, 1) }; + unsafe { std::intrinsics::write_bytes(dest, non_zero_2.get(), 1) }; + assert_eq!(non_zero, non_zero_2) +} + +#[kani::proof] +#[kani::should_panic] +pub fn read_invalid_is_ub() { + let mut non_zero: NonZeroU8 = kani::any(); + let dest = &mut non_zero as *mut _; + unsafe { std::intrinsics::write_bytes(dest, 0, 1) }; + assert_eq!(non_zero.get(), 0) +} diff --git a/tests/perf/btreeset/insert_any/Cargo.toml b/tests/perf/btreeset/insert_any/Cargo.toml index 41fa0a2db3ba..66d8ecdddeb1 100644 --- a/tests/perf/btreeset/insert_any/Cargo.toml +++ b/tests/perf/btreeset/insert_any/Cargo.toml @@ -9,3 +9,8 @@ edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] + +# Temporarily ignore the handling of storage markers till +# https://github.com/model-checking/kani/issues/3099 is fixed +[package.metadata.kani] +flags = { ignore-locals-lifetime = true, enable-unstable = true } diff --git a/tests/perf/btreeset/insert_multi/Cargo.toml b/tests/perf/btreeset/insert_multi/Cargo.toml index bdd2f4e3528a..44028f8c842d 100644 --- a/tests/perf/btreeset/insert_multi/Cargo.toml +++ b/tests/perf/btreeset/insert_multi/Cargo.toml @@ -9,3 +9,8 @@ edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] + +# Temporarily ignore the handling of storage markers till +# https://github.com/model-checking/kani/issues/3099 is fixed +[package.metadata.kani] +flags = { ignore-locals-lifetime = true, enable-unstable = true } diff --git a/tests/perf/btreeset/insert_same/Cargo.toml b/tests/perf/btreeset/insert_same/Cargo.toml index 0a4e0f7ee037..465119c74fbe 100644 --- a/tests/perf/btreeset/insert_same/Cargo.toml +++ b/tests/perf/btreeset/insert_same/Cargo.toml @@ -9,3 +9,8 @@ edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] + +# Temporarily ignore the handling of storage markers till +# https://github.com/model-checking/kani/issues/3099 is fixed +[package.metadata.kani] +flags = { ignore-locals-lifetime = true, enable-unstable = true } diff --git a/tests/perf/hashset/Cargo.toml b/tests/perf/hashset/Cargo.toml index d0757e11154b..464fba412e6d 100644 --- a/tests/perf/hashset/Cargo.toml +++ b/tests/perf/hashset/Cargo.toml @@ -12,3 +12,8 @@ description = "Verify HashSet basic behavior" [package.metadata.kani.unstable] stubbing = true + +# Temporarily ignore the handling of storage markers till +# https://github.com/model-checking/kani/issues/3099 is fixed +[package.metadata.kani] +flags = { ignore-locals-lifetime = true, enable-unstable = true } diff --git a/tests/perf/hashset/expected b/tests/perf/hashset/expected index 8ba783d580f9..1fbcbbd13c25 100644 --- a/tests/perf/hashset/expected +++ b/tests/perf/hashset/expected @@ -1 +1 @@ -4 successfully verified harnesses, 0 failures, 4 total +3 successfully verified harnesses, 0 failures, 3 total diff --git a/tests/perf/hashset/src/lib.rs b/tests/perf/hashset/src/lib.rs index fb29db5c7ed6..e2f1fc16666a 100644 --- a/tests/perf/hashset/src/lib.rs +++ b/tests/perf/hashset/src/lib.rs @@ -1,11 +1,12 @@ // Copyright Kani Contributors // SPDX-License-Identifier: Apache-2.0 OR MIT -// kani-flags: --enable-stubbing --enable-unstable +// kani-flags: -Z stubbing //! Try to verify HashSet basic behavior. use std::collections::{hash_map::RandomState, HashSet}; use std::mem::{size_of, size_of_val, transmute}; +#[allow(dead_code)] fn concrete_state() -> RandomState { let keys: [u64; 2] = [0, 0]; assert_eq!(size_of_val(&keys), size_of::()); @@ -14,7 +15,7 @@ fn concrete_state() -> RandomState { #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] +#[kani::unwind(5)] #[kani::solver(kissat)] fn check_insert() { let mut set: HashSet = HashSet::default(); @@ -26,41 +27,29 @@ fn check_insert() { #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] +#[kani::unwind(5)] #[kani::solver(kissat)] fn check_contains() { let first = kani::any(); - let mut set: HashSet = HashSet::from([first]); + let set: HashSet = HashSet::from([first]); assert!(set.contains(&first)); } #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] +#[kani::unwind(5)] +#[kani::solver(kissat)] fn check_contains_str() { - let mut set = HashSet::from(["s"]); + let set = HashSet::from(["s"]); assert!(set.contains(&"s")); } -#[kani::proof] -#[kani::stub(RandomState::new, concrete_state)] -#[kani::unwind(2)] -#[kani::solver(kissat)] -fn check_insert_two_concrete() { - let mut set: HashSet = HashSet::default(); - let first = 10; - let second = 20; - set.insert(first); - set.insert(second); - assert_eq!(set.len(), 2); -} - // too slow so don't run in the regression for now #[cfg(slow)] mod slow { #[kani::proof] #[kani::stub(RandomState::new, concrete_state)] - #[kani::unwind(3)] + #[kani::unwind(5)] fn check_insert_two_elements() { let mut set: HashSet = HashSet::default(); let first = kani::any(); @@ -71,4 +60,17 @@ mod slow { if first == second { assert_eq!(set.len(), 1) } else { assert_eq!(set.len(), 2) } } + + #[kani::proof] + #[kani::stub(RandomState::new, concrete_state)] + #[kani::unwind(5)] + #[kani::solver(kissat)] + fn check_insert_two_concrete() { + let mut set: HashSet = HashSet::default(); + let first = 10; + let second = 20; + set.insert(first); + set.insert(second); + assert_eq!(set.len(), 2); + } } diff --git a/tests/perf/overlays/s2n-quic/common/s2n-codec/expected b/tests/perf/overlays/s2n-quic/common/s2n-codec/expected new file mode 100644 index 000000000000..610b05dc4e67 --- /dev/null +++ b/tests/perf/overlays/s2n-quic/common/s2n-codec/expected @@ -0,0 +1 @@ +successfully verified harnesses, 0 failures diff --git a/tests/perf/s2n-quic b/tests/perf/s2n-quic index f1df2d64083e..7495f7b43c27 160000 --- a/tests/perf/s2n-quic +++ b/tests/perf/s2n-quic @@ -1 +1 @@ -Subproject commit f1df2d64083e4d1b0f56dc0a298066fdef062bcb +Subproject commit 7495f7b43c271ebf3d467409c43fc3cc864bdcc6 diff --git a/tests/script-based-pre/build-rs-conditional/Cargo.toml b/tests/script-based-pre/build-rs-conditional/Cargo.toml index 136bae92250e..8f9a7794f325 100644 --- a/tests/script-based-pre/build-rs-conditional/Cargo.toml +++ b/tests/script-based-pre/build-rs-conditional/Cargo.toml @@ -7,3 +7,5 @@ edition = "2021" [dependencies] +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)', 'cfg(kani_host)'] } diff --git a/tests/script-based-pre/build-rs-conditional/build.rs b/tests/script-based-pre/build-rs-conditional/build.rs index 0b083ff95f02..4b13475ec510 100644 --- a/tests/script-based-pre/build-rs-conditional/build.rs +++ b/tests/script-based-pre/build-rs-conditional/build.rs @@ -3,7 +3,7 @@ //! Verify that build scripts can check if they are running under `kani`. fn main() { - if cfg!(kani) { + if cfg!(kani_host) { println!("cargo:rustc-env=RUNNING_KANI=Yes"); } else { println!("cargo:rustc-env=RUNNING_KANI=No"); diff --git a/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml b/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml index c00d0ccc4bdb..99dfd67443f5 100644 --- a/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml +++ b/tests/script-based-pre/cargo_playback_build/sample_crate/Cargo.toml @@ -4,3 +4,6 @@ name = "sample_crate" version = "0.1.0" edition = "2021" + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/cargo_playback_opts/playback_opts.expected b/tests/script-based-pre/cargo_playback_opts/playback_opts.expected index 68b7daa3ee03..b68f0b355029 100644 --- a/tests/script-based-pre/cargo_playback_opts/playback_opts.expected +++ b/tests/script-based-pre/cargo_playback_opts/playback_opts.expected @@ -1,6 +1,6 @@ [TEST] Only codegen test... Executable unittests src/lib.rs [TEST] Only codegen test... - Finished test + Finished `test` [TEST] Executable debug/deps/sample_crate- diff --git a/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml b/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml index c00d0ccc4bdb..99dfd67443f5 100644 --- a/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml +++ b/tests/script-based-pre/cargo_playback_opts/sample_crate/Cargo.toml @@ -4,3 +4,6 @@ name = "sample_crate" version = "0.1.0" edition = "2021" + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml b/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml index 30949391c0c7..5ece6c5e0f60 100644 --- a/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml +++ b/tests/script-based-pre/cargo_playback_target/sample_crate/Cargo.toml @@ -15,3 +15,5 @@ doctest = false name = "bar" doctest = false +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml b/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml index 4a7016cb51ed..39cfab289878 100644 --- a/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml +++ b/tests/script-based-pre/concrete_playback_e2e/sample_crate/Cargo.toml @@ -10,3 +10,6 @@ concrete-playback = "inplace" [package.metadata.kani.unstable] concrete-playback = true + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] } diff --git a/tests/script-based-pre/crate-name/a/src/lib.rs b/tests/script-based-pre/crate-name/a/src/lib.rs new file mode 100644 index 000000000000..bff1d17f864a --- /dev/null +++ b/tests/script-based-pre/crate-name/a/src/lib.rs @@ -0,0 +1,6 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +pub fn add_a(left: usize, right: usize) -> usize { + left + right +} diff --git a/tests/script-based-pre/crate-name/b/src/lib.rs b/tests/script-based-pre/crate-name/b/src/lib.rs new file mode 100644 index 000000000000..5a1a11687fcf --- /dev/null +++ b/tests/script-based-pre/crate-name/b/src/lib.rs @@ -0,0 +1,7 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +extern crate a; + +pub fn add_b(left: usize, right: usize) -> usize { + a::add_a(left, right) +} diff --git a/tests/script-based-pre/crate-name/c/src/lib.rs b/tests/script-based-pre/crate-name/c/src/lib.rs new file mode 100644 index 000000000000..b4dadd69e1be --- /dev/null +++ b/tests/script-based-pre/crate-name/c/src/lib.rs @@ -0,0 +1,8 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +extern crate a; +extern crate b; + +pub fn add_c(left: usize, right: usize) -> usize { + b::add_b(left, right) +} diff --git a/tests/script-based-pre/crate-name/config.yml b/tests/script-based-pre/crate-name/config.yml new file mode 100644 index 000000000000..f022a9c03732 --- /dev/null +++ b/tests/script-based-pre/crate-name/config.yml @@ -0,0 +1,4 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +script: crate-name.sh +expected: crate-name.expected diff --git a/tests/script-based-pre/crate-name/crate-name.expected b/tests/script-based-pre/crate-name/crate-name.expected new file mode 100644 index 000000000000..1a4e02d1ff62 --- /dev/null +++ b/tests/script-based-pre/crate-name/crate-name.expected @@ -0,0 +1 @@ +No proof harnesses (functions with #[kani::proof]) were found to verify. diff --git a/tests/script-based-pre/crate-name/crate-name.sh b/tests/script-based-pre/crate-name/crate-name.sh new file mode 100755 index 000000000000..229cc36938f9 --- /dev/null +++ b/tests/script-based-pre/crate-name/crate-name.sh @@ -0,0 +1,54 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +# This test performs multiple checks focused on crate names. The first steps +# check expected results with the default naming scheme. The remaining ones +# check expected results with the `--crate-name=` feature which allows +# users to specify the crate name used for compilation with standalone `kani`. +set -eu + +check_file_exists() { + local file=$1 + if ! [ -e "${file}" ] + then + echo "error: expected \`${file}\` to have been generated" + exit 1 + fi +} + +# 1. Check expected results with the default naming scheme. +# Note: The assumed crate name is `lib`, so we generate `liblib.rlib`. +kani --only-codegen --keep-temps a/src/lib.rs +check_file_exists a/src/liblib.rlib +check_file_exists a/src/lib.kani-metadata.json +rm a/src/liblib.rlib +rm a/src/lib.kani-metadata.json + +# 2. Check expected results with the default naming scheme, which replaces +# some characters. +# Note: The assumed crate name is `my-code`, so we generate `libmy_code.rlib`. +kani --only-codegen --keep-temps my-code.rs +check_file_exists libmy_code.rlib +check_file_exists my_code.kani-metadata.json + +# 3. Check expected results with the `--crate-name=` feature. This feature +# allows users to specify the crate name used for compilation with standalone +# `kani`, enabling the compilation of multiple dependencies with similar +# names. +# Note: In the example below, compiling without `--crate-name=` would +# result in files named `liblib.rlib` for each dependency. +kani --only-codegen --keep-temps a/src/lib.rs --crate-name="a" +check_file_exists a/src/liba.rlib +check_file_exists a/src/a.kani-metadata.json + +RUSTFLAGS="--extern a=a/src/liba.rlib" kani --only-codegen --keep-temps b/src/lib.rs --crate-name="b" +check_file_exists b/src/libb.rlib +check_file_exists b/src/b.kani-metadata.json + +RUSTFLAGS="--extern b=b/src/libb.rlib --extern a=a/src/liba.rlib" kani c/src/lib.rs + +rm a/src/liba.rlib +rm a/src/a.kani-metadata.json +rm b/src/libb.rlib +rm b/src/b.kani-metadata.json diff --git a/tests/script-based-pre/crate-name/my-code.rs b/tests/script-based-pre/crate-name/my-code.rs new file mode 100644 index 000000000000..bff1d17f864a --- /dev/null +++ b/tests/script-based-pre/crate-name/my-code.rs @@ -0,0 +1,6 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +pub fn add_a(left: usize, right: usize) -> usize { + left + right +} diff --git a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.expected b/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.expected deleted file mode 100644 index 9c6b0f53778f..000000000000 --- a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.expected +++ /dev/null @@ -1,3 +0,0 @@ -Complete - 6 successfully verified harnesses, 0 failures, 6 total. - -Rust compiler sessions: 4 diff --git a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.sh b/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.sh deleted file mode 100755 index 9e4afff0b09c..000000000000 --- a/tests/script-based-pre/stubbing_compiler_sessions/check_compiler_sessions.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT -# -# Checks that the Kani compiler can encode harnesses with the same set of stubs -# in one rustc session. - -set +e - -log_file=output.log - -kani stubbing.rs --enable-unstable --enable-stubbing --verbose >& ${log_file} - -echo "------- Raw output ---------" -cat $log_file -echo "----------------------------" - -# We print the reachability analysis results once for each session. -# This is the only reliable way to get the number of sessions from the compiler. -# The other option would be to use debug comments. -# Ideally, the compiler should only print one set of statistics at the end of its run. -# In that case, we should include number of sessions to those stats. -runs=$(grep -c "Reachability Analysis Result" ${log_file}) -echo "Rust compiler sessions: ${runs}" - -# Cleanup -rm ${log_file} diff --git a/tests/script-based-pre/stubbing_compiler_sessions/config.yml b/tests/script-based-pre/stubbing_compiler_sessions/config.yml deleted file mode 100644 index b1e83ed011c7..000000000000 --- a/tests/script-based-pre/stubbing_compiler_sessions/config.yml +++ /dev/null @@ -1,4 +0,0 @@ -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT -script: check_compiler_sessions.sh -expected: check_compiler_sessions.expected diff --git a/tests/script-based-pre/verify_std_cmd/config.yml b/tests/script-based-pre/verify_std_cmd/config.yml new file mode 100644 index 000000000000..f6e398303b79 --- /dev/null +++ b/tests/script-based-pre/verify_std_cmd/config.yml @@ -0,0 +1,4 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +script: verify_std.sh +expected: verify_std.expected diff --git a/tests/script-based-pre/verify_std_cmd/verify_std.expected b/tests/script-based-pre/verify_std_cmd/verify_std.expected new file mode 100644 index 000000000000..aa30da375dd3 --- /dev/null +++ b/tests/script-based-pre/verify_std_cmd/verify_std.expected @@ -0,0 +1,15 @@ +[TEST] Run kani verify-std + +Checking harness verify::dummy_proof... +VERIFICATION:- SUCCESSFUL + +Checking harness verify::harness... +VERIFICATION:- SUCCESSFUL + +Checking harness verify::check_dummy_read... +VERIFICATION:- SUCCESSFUL + +Checking harness num::verify::check_non_zero... +VERIFICATION:- SUCCESSFUL + +Complete - 4 successfully verified harnesses, 0 failures, 4 total. diff --git a/tests/script-based-pre/verify_std_cmd/verify_std.sh b/tests/script-based-pre/verify_std_cmd/verify_std.sh new file mode 100755 index 000000000000..3253ad29756e --- /dev/null +++ b/tests/script-based-pre/verify_std_cmd/verify_std.sh @@ -0,0 +1,97 @@ +#!/usr/bin/env bash +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT + +# Test `kani verify-std` subcommand. +# 1. Make a copy of the rust standard library. +# 2. Add a few Kani definitions to it + a few harnesses +# 3. Execute Kani + +set +e + +TMP_DIR="tmp_dir" + +rm -rf ${TMP_DIR} +mkdir ${TMP_DIR} + +# Create a custom standard library. +echo "[TEST] Copy standard library from the current toolchain" +SYSROOT=$(rustc --print sysroot) +STD_PATH="${SYSROOT}/lib/rustlib/src/rust/library" +cp -r "${STD_PATH}" "${TMP_DIR}" + +# Insert a small harness in one of the standard library modules. +CORE_CODE=' +#[cfg(kani)] +kani_core::kani_lib!(core); + +#[cfg(kani)] +#[unstable(feature = "kani", issue = "none")] +pub mod verify { + use crate::kani; + + #[kani::proof] + pub fn harness() { + kani::assert(true, "yay"); + } + + #[kani::proof_for_contract(fake_function)] + fn dummy_proof() { + fake_function(true); + } + + /// Add a `rustc_diagnostic_item` to ensure this works. + /// See for more details. + #[kani::requires(x == true)] + #[rustc_diagnostic_item = "fake_function"] + fn fake_function(x: bool) -> bool { + x + } + + #[kani::proof_for_contract(dummy_read)] + fn check_dummy_read() { + let val: char = kani::any(); + assert_eq!(unsafe { dummy_read(&val) }, val); + } + + /// Ensure we can verify constant functions. + #[kani::requires(kani::mem::can_dereference(ptr))] + #[rustc_diagnostic_item = "dummy_read"] + const unsafe fn dummy_read(ptr: *const T) -> T { + *ptr + } +} +' + +STD_CODE=' +#[cfg(kani)] +mod verify { + use core::kani; + #[kani::proof] + fn check_non_zero() { + let orig: u32 = kani::any_raw_inner(); + if let Some(val) = core::num::NonZeroU32::new(orig) { + assert!(orig == val.into()); + } else { + assert!(orig == 0); + }; + } +} +' + +echo "[TEST] Modify library" +echo "${CORE_CODE}" >> ${TMP_DIR}/library/core/src/lib.rs +echo "${STD_CODE}" >> ${TMP_DIR}/library/std/src/num.rs + +# Note: Prepending with sed doesn't work on MacOs the same way it does in linux. +# sed -i '1s/^/#![cfg_attr(kani, feature(kani))]\n/' ${TMP_DIR}/library/std/src/lib.rs +cp ${TMP_DIR}/library/std/src/lib.rs ${TMP_DIR}/std_lib.rs +echo '#![cfg_attr(kani, feature(kani))]' > ${TMP_DIR}/library/std/src/lib.rs +cat ${TMP_DIR}/std_lib.rs >> ${TMP_DIR}/library/std/src/lib.rs + +echo "[TEST] Run kani verify-std" +export RUST_BACKTRACE=1 +kani verify-std -Z unstable-options "${TMP_DIR}/library" --target-dir "${TMP_DIR}/target" -Z function-contracts -Z stubbing + +# Cleanup +rm -r ${TMP_DIR} diff --git a/tests/std-checks/core/Cargo.toml b/tests/std-checks/core/Cargo.toml new file mode 100644 index 000000000000..f6e1645c3a39 --- /dev/null +++ b/tests/std-checks/core/Cargo.toml @@ -0,0 +1,13 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +[package] +name = "verify-core" +version = "0.1.0" +edition = "2021" +description = "This crate contains contracts and harnesses for core library" + +[package.metadata.kani] +unstable = { function-contracts = true, mem-predicates = true, ptr-to-ref-cast-checks = true } + +[package.metadata.kani.flags] +output-format = "terse" diff --git a/tests/std-checks/core/mem.expected b/tests/std-checks/core/mem.expected new file mode 100644 index 000000000000..8a3b89a8f66a --- /dev/null +++ b/tests/std-checks/core/mem.expected @@ -0,0 +1,3 @@ +Summary: +Verification failed for - mem::verify::check_swap_unit +Complete - 3 successfully verified harnesses, 1 failures, 4 total. diff --git a/tests/std-checks/core/ptr.expected b/tests/std-checks/core/ptr.expected new file mode 100644 index 000000000000..43d3bd6baf60 --- /dev/null +++ b/tests/std-checks/core/ptr.expected @@ -0,0 +1,4 @@ +Summary: +Verification failed for - ptr::verify::check_replace_unit +Verification failed for - ptr::verify::check_as_ref_dangling +Complete - 4 successfully verified harnesses, 2 failures, 6 total. diff --git a/tests/std-checks/core/src/lib.rs b/tests/std-checks/core/src/lib.rs new file mode 100644 index 000000000000..f0e5b480a2d2 --- /dev/null +++ b/tests/std-checks/core/src/lib.rs @@ -0,0 +1,9 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! Top file that includes all sub-modules mimicking core structure. + +extern crate kani; + +pub mod mem; +pub mod ptr; diff --git a/tests/std-checks/core/src/mem.rs b/tests/std-checks/core/src/mem.rs new file mode 100644 index 000000000000..4f41d176a73a --- /dev/null +++ b/tests/std-checks/core/src/mem.rs @@ -0,0 +1,73 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Verify a few std::ptr::NonNull functions. + +/// Create wrapper functions to standard library functions that contains their contract. +pub mod contracts { + /// Swaps the values at two mutable locations, without deinitializing either one. + /// + /// TODO: Once history variable has been added, add a post-condition. + /// Also add a function to do a bitwise value comparison between arguments (ignore paddings). + /// + /// ```ignore + /// #[kani::ensures(kani::equals(kani::old(x), y))] + /// #[kani::ensures(kani::equals(kani::old(y), x))] + /// ``` + #[kani::modifies(x)] + #[kani::modifies(y)] + pub fn swap(x: &mut T, y: &mut T) { + std::mem::swap(x, y) + } +} + +#[cfg(kani)] +mod verify { + use super::*; + + /// Use this type to ensure that mem swap does not drop the value. + #[derive(kani::Arbitrary)] + struct CannotDrop { + inner: T, + } + + impl Drop for CannotDrop { + fn drop(&mut self) { + unreachable!("Cannot drop") + } + } + + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_primitive() { + let mut x: u8 = kani::any(); + let mut y: u8 = kani::any(); + contracts::swap(&mut x, &mut y) + } + + /// FIX-ME: Modifies clause fail with pointer to ZST. + /// + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_unit() { + let mut x: () = kani::any(); + let mut y: () = kani::any(); + contracts::swap(&mut x, &mut y) + } + + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_adt_no_drop() { + let mut x: CannotDrop = kani::any(); + let mut y: CannotDrop = kani::any(); + contracts::swap(&mut x, &mut y); + std::mem::forget(x); + std::mem::forget(y); + } + + /// Memory swap logic is optimized according to the size and alignment of a type. + #[kani::proof_for_contract(contracts::swap)] + pub fn check_swap_large_adt_no_drop() { + let mut x: CannotDrop<[u128; 5]> = kani::any(); + let mut y: CannotDrop<[u128; 5]> = kani::any(); + contracts::swap(&mut x, &mut y); + std::mem::forget(x); + std::mem::forget(y); + } +} diff --git a/tests/std-checks/core/src/ptr.rs b/tests/std-checks/core/src/ptr.rs new file mode 100644 index 000000000000..49cf9e168214 --- /dev/null +++ b/tests/std-checks/core/src/ptr.rs @@ -0,0 +1,112 @@ +// Copyright Kani Contributors +// SPDX-License-Identifier: Apache-2.0 OR MIT +//! Add contracts for functions from std::ptr. + +use std::ptr::NonNull; + +/// Create wrapper functions to standard library functions that contains their contract. +pub mod contracts { + use super::*; + use kani::{ensures, implies, mem::*, modifies, requires}; + + #[ensures(|result : &Option>| implies!(ptr.is_null() => result.is_none()))] + #[ensures(|result : &Option>| implies!(!ptr.is_null() => result.is_some()))] + pub fn new(ptr: *mut T) -> Option> { + NonNull::new(ptr) + } + + /// # Safety: + /// When calling this method, you have to ensure that all the following is true: + /// + /// - The pointer must be properly aligned. + /// - It must be “dereferenceable” in the sense defined in the module documentation. + /// - TODO: The pointer must point to an initialized instance of T. + /// - We check for value validity, but not initialization yet. + /// + /// TODO: How to ensure aliasing rules?? + /// You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not + /// necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory + /// the pointer points to must not get mutated (except inside UnsafeCell). + /// Taken from: + #[requires(can_dereference(obj.as_ptr()))] + pub unsafe fn as_ref<'a, T>(obj: &NonNull) -> &'a T { + obj.as_ref() + } + + #[requires(!ptr.is_null())] + pub unsafe fn new_unchecked(ptr: *mut T) -> NonNull { + NonNull::::new_unchecked(ptr) + } + + /// Safety + /// + /// Behavior is undefined if any of the following conditions are violated: + /// - `dst` must be valid for both reads and writes. + /// - `dst` must be properly aligned. + /// - TODO: `dst` must point to a properly initialized value of type `T`. + /// - We check validity but not initialization. + /// + /// Note that even if `T` has size 0, the pointer must be non-null and properly aligned. + #[requires(can_dereference(dst))] + #[modifies(dst)] + pub unsafe fn replace(dst: *mut T, src: T) -> T { + std::ptr::replace(dst, src) + } +} + +#[cfg(kani)] +mod verify { + use super::*; + use kani::cover; + + #[kani::proof_for_contract(contracts::new)] + pub fn check_new() { + let ptr = kani::any::() as *mut (); + let res = contracts::new(ptr); + cover!(res.is_none()); + cover!(res.is_some()); + } + + #[kani::proof_for_contract(contracts::new_unchecked)] + pub fn check_new_unchecked() { + let ptr = kani::any::() as *mut (); + let _ = unsafe { contracts::new_unchecked(ptr) }; + } + + #[kani::proof_for_contract(contracts::as_ref)] + pub fn check_as_ref() { + let ptr = kani::any::>(); + let non_null = NonNull::new(Box::into_raw(ptr)).unwrap(); + let _rf = unsafe { contracts::as_ref(&non_null) }; + } + + #[kani::proof_for_contract(contracts::as_ref)] + #[kani::should_panic] + pub fn check_as_ref_dangling() { + let ptr = kani::any::() as *mut u8; + kani::assume(!ptr.is_null()); + let non_null = NonNull::new(ptr).unwrap(); + let _rf = unsafe { contracts::as_ref(&non_null) }; + } + + /// FIX-ME: Modifies clause fail with pointer to ZST. + /// + #[kani::proof_for_contract(contracts::replace)] + pub fn check_replace_unit() { + check_replace_impl::<()>(); + } + + #[kani::proof_for_contract(contracts::replace)] + pub fn check_replace_char() { + check_replace_impl::(); + } + + fn check_replace_impl() { + let mut dst = T::any(); + let orig = dst.clone(); + let src = T::any(); + let ret = unsafe { contracts::replace(&mut dst, src.clone()) }; + assert_eq!(ret, orig); + assert_eq!(dst, src); + } +} diff --git a/tests/ui/derive-arbitrary/non_arbitrary_param/expected b/tests/ui/derive-arbitrary/non_arbitrary_param/expected index e74643f3bdb6..55f12678cf9a 100644 --- a/tests/ui/derive-arbitrary/non_arbitrary_param/expected +++ b/tests/ui/derive-arbitrary/non_arbitrary_param/expected @@ -1,5 +1,4 @@ error[E0277]: the trait bound `Void: kani::Arbitrary` is not satisfied - -|\ -| let _wrapper: Wrapper = kani::any();\ -| ^^^^^^^^^ the trait `kani::Arbitrary` is not implemented for `Void`\ + |\ +14 | let _wrapper: Wrapper = kani::any();\ + | ^^^^^^^^^^^ the trait `kani::Arbitrary` is not implemented for `Void`, which is required by `Wrapper: kani::Arbitrary`\ diff --git a/tests/ui/stubbing/stubbing-type-validation/expected b/tests/ui/stubbing/stubbing-type-validation/expected index 5c56ad015a79..177375b4f4ba 100644 --- a/tests/ui/stubbing/stubbing-type-validation/expected +++ b/tests/ui/stubbing/stubbing-type-validation/expected @@ -1,8 +1,11 @@ -error: arity mismatch: original function/method `f1` takes 1 argument(s), stub `f2` takes 0 -error: return type differs: stub `g2` has type `i32` where original function/method `g1` has type `bool` -error: type of parameter 1 differs: stub `g2` has type `u32` where original function/method `g1` has type `i32` -error: type of parameter 2 differs: stub `g2` has type `&mut bool` where original function/method `g1` has type `&bool` error: mismatch in the number of generic parameters: original function/method `h1` takes 1 generic parameters(s), stub `h2` takes 2 -error: return type differs: stub `i2` has type `Y` where original function/method `i1` has type `X` -error: type of parameter 1 differs: stub `j2` has type `&X` where original function/method `j1` has type `&Y` -error: aborting due to 7 previous errors \ No newline at end of file + +error: Cannot stub `g1` by `g2`.\ + - Expected return type `bool`, but found `i32`\ + - Expected type `i32` for parameter 2, but found `u32`\ + - Expected type `&bool` for parameter 3, but found `&mut bool`\ + +error: Cannot stub `i1` by `i2`.\ + - Expected return type `X`, but found `Y` + +error: arity mismatch: original function/method `f1` takes 1 argument(s), stub `f2` takes 0 diff --git a/tools/benchcomp/benchcomp/__init__.py b/tools/benchcomp/benchcomp/__init__.py index eedd6ebc1f32..a82e50aae412 100644 --- a/tools/benchcomp/benchcomp/__init__.py +++ b/tools/benchcomp/benchcomp/__init__.py @@ -62,7 +62,16 @@ class ConfigFile(collections.UserDict): anyof: - schema: type: {} -filter: {} +filters: + type: list + default: [] + schema: + type: dict + keysrules: + type: string + allowed: ["command_line"] + valuesrules: + type: string visualize: {} """) diff --git a/tools/benchcomp/benchcomp/cmd_args.py b/tools/benchcomp/benchcomp/cmd_args.py index d8b7e735824f..8dd85f71080b 100644 --- a/tools/benchcomp/benchcomp/cmd_args.py +++ b/tools/benchcomp/benchcomp/cmd_args.py @@ -170,7 +170,13 @@ def _get_args_dict(): }, "filter": { "help": "transform a result by piping it through a program", - "args": [], + "args": [{ + "flags": ["--result-file"], + "metavar": "F", + "default": pathlib.Path("result.yaml"), + "type": pathlib.Path, + "help": "read result from F instead of %(default)s." + }], }, "visualize": { "help": "render a result in various formats", @@ -180,7 +186,7 @@ def _get_args_dict(): "default": pathlib.Path("result.yaml"), "type": pathlib.Path, "help": - "read result from F instead of %(default)s. " + "read result from F instead of %(default)s." }, { "flags": ["--only"], "nargs": "+", @@ -234,6 +240,11 @@ def get(): subparsers = ad["subparsers"].pop("parsers") subs = parser.add_subparsers(**ad["subparsers"]) + + # Add all subcommand-specific flags to the top-level argument parser, + # but only add them once. + flag_set = set() + for subcommand, info in subparsers.items(): args = info.pop("args") subparser = subs.add_parser(name=subcommand, **info) @@ -246,7 +257,9 @@ def get(): for arg in args: flags = arg.pop("flags") subparser.add_argument(*flags, **arg) - if arg not in global_args: + long_flag = flags[-1] + if arg not in global_args and long_flag not in flag_set: + flag_set.add(long_flag) parser.add_argument(*flags, **arg) return parser.parse_args() diff --git a/tools/benchcomp/benchcomp/entry/benchcomp.py b/tools/benchcomp/benchcomp/entry/benchcomp.py index e64f9699b3eb..9b8c1443c01d 100644 --- a/tools/benchcomp/benchcomp/entry/benchcomp.py +++ b/tools/benchcomp/benchcomp/entry/benchcomp.py @@ -16,4 +16,6 @@ def main(args): args.suites_dir = run_result.out_prefix / run_result.out_symlink results = benchcomp.entry.collate.main(args) + results = benchcomp.entry.filter.main(args) + benchcomp.entry.visualize.main(args) diff --git a/tools/benchcomp/benchcomp/entry/filter.py b/tools/benchcomp/benchcomp/entry/filter.py index 8523a198ce6a..c29a1795194b 100644 --- a/tools/benchcomp/benchcomp/entry/filter.py +++ b/tools/benchcomp/benchcomp/entry/filter.py @@ -4,5 +4,91 @@ # Entrypoint for `benchcomp filter` -def main(_): - raise NotImplementedError # TODO +import json +import logging +import pathlib +import subprocess +import sys +import tempfile + +import yaml + + +def main(args): + """Filter the results file by piping it into a list of scripts""" + + with open(args.result_file) as handle: + old_results = yaml.safe_load(handle) + + if "filters" not in args.config: + return old_results + + tmp_root = pathlib.Path(tempfile.gettempdir()) / "benchcomp" / "filter" + tmp_root.mkdir(parents=True, exist_ok=True) + tmpdir = pathlib.Path(tempfile.mkdtemp(dir=str(tmp_root))) + + for idx, filt in enumerate(args.config["filters"]): + with open(args.result_file) as handle: + old_results = yaml.safe_load(handle) + + json_results = json.dumps(old_results, indent=2) + in_file = tmpdir / f"{idx}.in.json" + out_file = tmpdir / f"{idx}.out.json" + cmd_out = _pipe( + filt["command_line"], json_results, in_file, out_file) + + try: + new_results = yaml.safe_load(cmd_out) + except yaml.YAMLError as exc: + logging.exception( + "Filter command '%s' produced invalid YAML. Stdin of" + " the command is saved in %s, stdout is saved in %s.", + filt["command_line"], in_file, out_file) + if hasattr(exc, "problem_mark"): + logging.error( + "Parse error location: line %d, column %d", + exc.problem_mark.line+1, exc.problem_mark.column+1) + sys.exit(1) + + with open(args.result_file, "w") as handle: + yaml.dump(new_results, handle, default_flow_style=False, indent=2) + + return new_results + + +def _pipe(shell_command, in_text, in_file, out_file): + """Pipe `in_text` into `shell_command` and return the output text + + Save the in and out text into files for later inspection if necessary. + """ + + with open(in_file, "w") as handle: + print(in_text, file=handle) + + logging.debug( + "Piping the contents of '%s' into '%s', saving into '%s'", + in_file, shell_command, out_file) + + timeout = 60 + with subprocess.Popen( + shell_command, shell=True, text=True, stdin=subprocess.PIPE, + stdout=subprocess.PIPE) as proc: + try: + out, _ = proc.communicate(input=in_text, timeout=timeout) + except subprocess.TimeoutExpired: + logging.error( + "Filter command failed to terminate after %ds: '%s'", + timeout, shell_command) + sys.exit(1) + + with open(out_file, "w") as handle: + print(out, file=handle) + + if proc.returncode: + logging.error( + "Filter command '%s' exited with code %d. Stdin of" + " the command is saved in %s, stdout is saved in %s.", + shell_command, proc.returncode, in_file, out_file) + sys.exit(1) + + return out diff --git a/tools/benchcomp/benchcomp/entry/run.py b/tools/benchcomp/benchcomp/entry/run.py index a870e7e9a1b0..28457381da2b 100644 --- a/tools/benchcomp/benchcomp/entry/run.py +++ b/tools/benchcomp/benchcomp/entry/run.py @@ -13,6 +13,7 @@ import logging import os import pathlib +import re import shutil import subprocess import typing @@ -53,9 +54,10 @@ def __post_init__(self): else: self.working_copy = pathlib.Path(self.directory) + def __call__(self): - env = dict(os.environ) - env.update(self.env) + update_environment_with = _EnvironmentUpdater() + env = update_environment_with(self.env) if self.copy_benchmarks_dir: shutil.copytree( @@ -128,6 +130,44 @@ def __call__(self): tmp_symlink.rename(self.out_symlink) + +@dataclasses.dataclass +class _EnvironmentUpdater: + """Update the OS environment with keys and values containing variables + + When called, this class returns the operating environment updated with new + keys and values. The values can contain variables of the form '${var_name}'. + The class evaluates those variables using values already in the environment. + """ + + os_environment: dict = dataclasses.field( + default_factory=lambda : dict(os.environ)) + pattern: re.Pattern = re.compile(r"\$\{(\w+?)\}") + + + def _evaluate(self, key, value): + """Evaluate all ${var} in value using self.os_environment""" + old_value = value + + for variable in re.findall(self.pattern, value): + if variable not in self.os_environment: + logging.error( + "Couldn't evaluate ${%s} in the value '%s' for environment " + "variable '%s'. Ensure the environment variable $%s is set", + variable, old_value, key, variable) + sys.exit(1) + value = re.sub( + r"\$\{" + variable + "\}", self.os_environment[variable], value) + return value + + + def __call__(self, new_environment): + ret = dict(self.os_environment) + for key, value in new_environment.items(): + ret[key] = self._evaluate(key, value) + return ret + + def get_default_out_symlink(): return "latest" diff --git a/tools/benchcomp/benchcomp/visualizers/__init__.py b/tools/benchcomp/benchcomp/visualizers/__init__.py index f9987832ad62..865386900639 100644 --- a/tools/benchcomp/benchcomp/visualizers/__init__.py +++ b/tools/benchcomp/benchcomp/visualizers/__init__.py @@ -3,8 +3,10 @@ import dataclasses +import enum import json import logging +import math import subprocess import sys import textwrap @@ -125,11 +127,21 @@ def __call__(self, results): +class Plot(enum.Enum): + """Scatterplot configuration options + """ + OFF = 1 + LINEAR = 2 + LOG = 3 + + + class dump_markdown_results_table: """Print Markdown-formatted tables displaying benchmark results For each metric, this visualization prints out a table of benchmarks, - showing the value of the metric for each variant. + showing the value of the metric for each variant, combined with an optional + scatterplot. The 'out_file' key is mandatory; specify '-' to print to stdout. @@ -145,12 +157,16 @@ class dump_markdown_results_table: particular combinations of values for different variants, such as regressions or performance improvements. + 'scatterplot' takes the values 'off' (default), 'linear' (linearly scaled + axes), or 'log' (logarithmically scaled axes). + Sample configuration: ``` visualize: - type: dump_markdown_results_table out_file: "-" + scatterplot: linear extra_columns: runtime: - column_name: ratio @@ -187,9 +203,10 @@ class dump_markdown_results_table: """ - def __init__(self, out_file, extra_columns=None): + def __init__(self, out_file, extra_columns=None, scatterplot=None): self.get_out_file = benchcomp.Outfile(out_file) self.extra_columns = self._eval_column_text(extra_columns or {}) + self.scatterplot = self._parse_scatterplot_config(scatterplot) @staticmethod @@ -206,12 +223,48 @@ def _eval_column_text(column_spec): return column_spec + @staticmethod + def _parse_scatterplot_config(scatterplot_config_string): + if (scatterplot_config_string is None or + scatterplot_config_string == "off"): + return Plot.OFF + elif scatterplot_config_string == "linear": + return Plot.LINEAR + elif scatterplot_config_string == "log": + return Plot.LOG + else: + logging.error( + "Invalid scatterplot configuration '%s'", + scatterplot_config_string) + sys.exit(1) + + @staticmethod def _get_template(): return textwrap.dedent("""\ {% for metric, benchmarks in d["metrics"].items() %} ## {{ metric }} + {% if scatterplot and metric in d["scaled_metrics"] and d["scaled_variants"][metric]|length == 2 -%} + ```mermaid + %%{init: { "quadrantChart": { "titlePadding": 15, "xAxisLabelPadding": 20, "yAxisLabelPadding": 20, "quadrantLabelFontSize": 0, "pointRadius": 2, "pointLabelFontSize": 2 }, "themeVariables": { "quadrant1Fill": "#FFFFFF", "quadrant2Fill": "#FFFFFF", "quadrant3Fill": "#FFFFFF", "quadrant4Fill": "#FFFFFF", "quadrant1TextFill": "#FFFFFF", "quadrant2TextFill": "#FFFFFF", "quadrant3TextFill": "#FFFFFF", "quadrant4TextFill": "#FFFFFF", "quadrantInternalBorderStrokeFill": "#FFFFFF" } } }%% + quadrantChart + title {{ metric }} + x-axis "{{ d["scaled_variants"][metric][0] }}" + y-axis "{{ d["scaled_variants"][metric][1] }}" + quadrant-1 1 + quadrant-2 2 + quadrant-3 3 + quadrant-4 4 + {%- for bench_name, bench_variants in d["scaled_metrics"][metric]["benchmarks"].items () %} + {% set v0 = bench_variants[d["scaled_variants"][metric][0]] -%} + {% set v1 = bench_variants[d["scaled_variants"][metric][1]] -%} + "{{ bench_name }}": [{{ v0|safe_round(3) }}, {{ v1|safe_round(3) }}] + {%- endfor %} + ``` + Scatterplot axis ranges are {{ d["scaled_metrics"][metric]["min_value"] }} (bottom/left) to {{ d["scaled_metrics"][metric]["max_value"] }} (top/right). + + {% endif -%} | Benchmark | {% for variant in d["variants"][metric] %} {{ variant }} |{% endfor %} | --- |{% for variant in d["variants"][metric] %} --- |{% endfor -%} {% for bench_name, bench_variants in benchmarks.items () %} @@ -222,13 +275,62 @@ def _get_template(): """) + @staticmethod + def _safe_round(value, precision): + try: + return round(value, precision) + except TypeError: + return 0 + + @staticmethod def _get_variant_names(results): return results.values()[0]["variants"] @staticmethod - def _organize_results_into_metrics(results): + def _compute_scaled_metric(data_for_metric, log_scaling): + min_value = math.inf + max_value = -math.inf + for bench, bench_result in data_for_metric.items(): + for variant, variant_result in bench_result.items(): + if isinstance(variant_result, (bool, str)): + return None + if not isinstance(variant_result, (int, float)): + return None + if variant_result < min_value: + min_value = variant_result + if variant_result > max_value: + max_value = variant_result + ret = { + "benchmarks": {bench: {} for bench in data_for_metric.keys()}, + "min_value": "log({})".format(min_value) if log_scaling else min_value, + "max_value": "log({})".format(max_value) if log_scaling else max_value, + } + # 1.0 is not a permissible value for mermaid, so make sure all scaled + # results stay below that by use 0.99 as hard-coded value or + # artificially increasing the range by 10 per cent + if min_value == math.inf or min_value == max_value: + for bench, bench_result in data_for_metric.items(): + ret["benchmarks"][bench] = {variant: 0.99 for variant in bench_result.keys()} + else: + if log_scaling: + min_value = math.log(min_value, 10) + max_value = math.log(max_value, 10) + value_range = max_value - min_value + value_range = value_range * 1.1 + for bench, bench_result in data_for_metric.items(): + for variant, variant_result in bench_result.items(): + if log_scaling: + abs_value = math.log(variant_result, 10) + else: + abs_value = variant_result + ret["benchmarks"][bench][variant] = (abs_value - min_value) / value_range + return ret + + + @staticmethod + def _organize_results_into_metrics(results, log_scaling): ret = {metric: {} for metric in results["metrics"]} for bench, bench_result in results["benchmarks"].items(): for variant, variant_result in bench_result["variants"].items(): @@ -246,7 +348,13 @@ def _organize_results_into_metrics(results): ret[metric][bench] = { variant: variant_result["metrics"][metric] } - return ret + ret_scaled = {} + for metric, bench_result in ret.items(): + scaled = dump_markdown_results_table._compute_scaled_metric( + bench_result, log_scaling) + if scaled is not None: + ret_scaled[metric] = scaled + return (ret, ret_scaled) def _add_extra_columns(self, metrics): @@ -258,7 +366,20 @@ def _add_extra_columns(self, metrics): for bench, variants in benches.items(): tmp_variants = dict(variants) for column in columns: - variants[column["column_name"]] = column["text"](tmp_variants) + if "column_name" not in column: + logging.error( + "A column specification for metric %s did not " + "contain a column_name field. Each column should " + "have a column name and column text", metric) + sys.exit(1) + try: + variants[column["column_name"]] = column["text"](tmp_variants) + except BaseException: + # This may be reached when evaluating the column text + # throws an exception. The column text is written in a + # YAML file and is typically a simple lambda so can't + # contain sophisticated error handling. + variants[column["column_name"]] = "**ERROR**" @staticmethod @@ -271,20 +392,35 @@ def _get_variants(metrics): return ret + @staticmethod + def _get_scaled_variants(metrics): + ret = {} + for metric, entries in metrics.items(): + for bench, variants in entries["benchmarks"].items(): + ret[metric] = list(variants.keys()) + break + return ret + + def __call__(self, results): - metrics = self._organize_results_into_metrics(results) + (metrics, scaled) = self._organize_results_into_metrics( + results, self.scatterplot == Plot.LOG) self._add_extra_columns(metrics) data = { "metrics": metrics, "variants": self._get_variants(metrics), + "scaled_metrics": scaled, + "scaled_variants": self._get_scaled_variants(scaled), } env = jinja2.Environment( loader=jinja2.BaseLoader, autoescape=jinja2.select_autoescape( enabled_extensions=("html"), default_for_string=True)) + env.filters["safe_round"] = self._safe_round template = env.from_string(self._get_template()) - output = template.render(d=data)[:-1] + include_scatterplot = self.scatterplot != Plot.OFF + output = template.render(d=data, scatterplot=include_scatterplot)[:-1] with self.get_out_file() as handle: print(output, file=handle) diff --git a/tools/benchcomp/configs/perf-regression.yaml b/tools/benchcomp/configs/perf-regression.yaml index a0d88e0558db..c938b3dd861f 100644 --- a/tools/benchcomp/configs/perf-regression.yaml +++ b/tools/benchcomp/configs/perf-regression.yaml @@ -33,6 +33,7 @@ visualize: - type: dump_markdown_results_table out_file: '-' + scatterplot: linear extra_columns: # For these two metrics, display the difference between old and new and diff --git a/tools/benchcomp/test/test_regression.py b/tools/benchcomp/test/test_regression.py index 87df67a071cc..ccf2259f7f0b 100644 --- a/tools/benchcomp/test/test_regression.py +++ b/tools/benchcomp/test/test_regression.py @@ -436,6 +436,7 @@ def test_markdown_results_table(self): "visualize": [{ "type": "dump_markdown_results_table", "out_file": "-", + "scatterplot": "linear", "extra_columns": { "runtime": [{ "column_name": "ratio", @@ -461,6 +462,21 @@ def test_markdown_results_table(self): run_bc.stdout, textwrap.dedent(""" ## runtime + ```mermaid + %%{init: { "quadrantChart": { "titlePadding": 15, "xAxisLabelPadding": 20, "yAxisLabelPadding": 20, "quadrantLabelFontSize": 0, "pointRadius": 2, "pointLabelFontSize": 2 }, "themeVariables": { "quadrant1Fill": "#FFFFFF", "quadrant2Fill": "#FFFFFF", "quadrant3Fill": "#FFFFFF", "quadrant4Fill": "#FFFFFF", "quadrant1TextFill": "#FFFFFF", "quadrant2TextFill": "#FFFFFF", "quadrant3TextFill": "#FFFFFF", "quadrant4TextFill": "#FFFFFF", "quadrantInternalBorderStrokeFill": "#FFFFFF" } } }%% + quadrantChart + title runtime + x-axis "variant_1" + y-axis "variant_2" + quadrant-1 1 + quadrant-2 2 + quadrant-3 3 + quadrant-4 4 + "bench_1": [0.0, 0.909] + "bench_2": [0.909, 0.0] + ``` + Scatterplot axis ranges are 5 (bottom/left) to 10 (top/right). + | Benchmark | variant_1 | variant_2 | ratio | | --- | --- | --- | --- | | bench_1 | 5 | 10 | **2.0** | @@ -646,6 +662,135 @@ def test_return_0_on_fail(self): result = yaml.safe_load(handle) + def test_bad_filters(self): + """Ensure that bad filters terminate benchcomp""" + + with tempfile.TemporaryDirectory() as tmp: + run_bc = Benchcomp({ + "variants": { + "variant-1": { + "config": { + "command_line": "true", + "directory": tmp, + "env": {}, + } + }, + }, + "run": { + "suites": { + "suite_1": { + "parser": { + "command": textwrap.dedent("""\ + echo '{ + "benchmarks": { }, + "metrics": { } + }' + """) + }, + "variants": ["variant-1"] + } + } + }, + "filters": [{ + "command_line": "false" + }], + "visualize": [], + }) + run_bc() + self.assertEqual(run_bc.proc.returncode, 1, msg=run_bc.stderr) + + + def test_two_filters(self): + """Ensure that the output can be filtered""" + + with tempfile.TemporaryDirectory() as tmp: + run_bc = Benchcomp({ + "variants": { + "variant-1": { + "config": { + "command_line": "true", + "directory": tmp, + "env": {}, + } + }, + }, + "run": { + "suites": { + "suite_1": { + "parser": { + "command": textwrap.dedent("""\ + echo '{ + "benchmarks": { + "bench-1": { + "variants": { + "variant-1": { + "metrics": { + "runtime": 10, + "memory": 5 + } + } + } + } + }, + "metrics": { + "runtime": {}, + "memory": {}, + } + }' + """) + }, + "variants": ["variant-1"] + } + } + }, + "filters": [{ + "command_line": "sed -e 's/10/20/;s/5/10/'" + }, { + "command_line": """grep '"runtime": 20'""" + }], + "visualize": [], + }) + run_bc() + self.assertEqual(run_bc.proc.returncode, 0, msg=run_bc.stderr) + + + def test_env_expansion(self): + """Ensure that config parser expands '${}' in env key""" + + with tempfile.TemporaryDirectory() as tmp: + run_bc = Benchcomp({ + "variants": { + "env_set": { + "config": { + "command_line": 'echo "$__BENCHCOMP_ENV_VAR" > out', + "directory": tmp, + "env": {"__BENCHCOMP_ENV_VAR": "foo:${PATH}"} + } + }, + }, + "run": { + "suites": { + "suite_1": { + "parser": { + # The word 'bin' typically appears in $PATH, so + # check that what was echoed contains 'bin'. + "command": textwrap.dedent("""\ + grep bin out && grep '^foo:' out && echo '{ + "benchmarks": {}, + "metrics": {} + }' + """) + }, + "variants": ["env_set"] + } + } + }, + "visualize": [], + }) + run_bc() + self.assertEqual(run_bc.proc.returncode, 0, msg=run_bc.stderr) + + def test_env(self): """Ensure that benchcomp reads the 'env' key of variant config""" diff --git a/tools/benchcomp/test/test_unit.py b/tools/benchcomp/test/test_unit.py new file mode 100644 index 000000000000..12320116f217 --- /dev/null +++ b/tools/benchcomp/test/test_unit.py @@ -0,0 +1,66 @@ +# Copyright Kani Contributors +# SPDX-License-Identifier: Apache-2.0 OR MIT +# +# Benchcomp regression testing suite. This suite uses Python's stdlib unittest +# module, but nevertheless actually runs the binary rather than running unit +# tests. + +import unittest +import uuid + +import benchcomp.entry.run + + + +class TestEnvironmentUpdater(unittest.TestCase): + def test_environment_construction(self): + """Test that the default constructor reads the OS environment""" + + update_environment = benchcomp.entry.run._EnvironmentUpdater() + environment = update_environment({}) + self.assertIn("PATH", environment) + + + def test_placeholder_construction(self): + """Test that the placeholder constructor reads the placeholder""" + + key, value = [str(uuid.uuid4()) for _ in range(2)] + update_environment = benchcomp.entry.run._EnvironmentUpdater({ + key: value, + }) + environment = update_environment({}) + self.assertIn(key, environment) + self.assertEqual(environment[key], value) + + + def test_environment_update(self): + """Test that the environment is updated""" + + key, value, update = [str(uuid.uuid4()) for _ in range(3)] + update_environment = benchcomp.entry.run._EnvironmentUpdater({ + key: value, + }) + environment = update_environment({ + key: update + }) + self.assertIn(key, environment) + self.assertEqual(environment[key], update) + + + def test_environment_update_variable(self): + """Test that the environment is updated""" + + old_env = { + "key1": str(uuid.uuid4()), + "key2": str(uuid.uuid4()), + } + + actual_update = "${key2}xxx${key1}" + expected_update = f"{old_env['key2']}xxx{old_env['key1']}" + + update_environment = benchcomp.entry.run._EnvironmentUpdater(old_env) + environment = update_environment({ + "key1": actual_update, + }) + self.assertIn("key1", environment) + self.assertEqual(environment["key1"], expected_update) diff --git a/tools/bookrunner/Cargo.toml b/tools/bookrunner/Cargo.toml deleted file mode 100644 index 6c602ce05fd0..000000000000 --- a/tools/bookrunner/Cargo.toml +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -[package] -name = "bookrunner" -version = "0.1.0" -edition = "2018" -license = "MIT OR Apache-2.0" -publish = false - -[dependencies] -Inflector = "0.11.4" -pulldown-cmark = { version = "0.9", default-features = false } -rustdoc = { path = "librustdoc" } -walkdir = "2.3.2" -serde = { version = "1.0", features = ["derive"] } -serde_json = "1.0" -toml = "0.8" - -[package.metadata.rust-analyzer] -# This package uses rustc crates. -rustc_private=true diff --git a/tools/bookrunner/README.md b/tools/bookrunner/README.md deleted file mode 100644 index 560f2a73c3e4..000000000000 --- a/tools/bookrunner/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Book Runner - -This tool extracts examples from different Rust books, runs Kani on them, and -displays the results in a report. - -Run the following command to build this tool and generate the report: -```bash -./x.py run -i --stage 1 bookrunner -``` diff --git a/tools/bookrunner/configs/books/Rust by Example/Custom Types/Enums/Testcase: linked-list/5.props b/tools/bookrunner/configs/books/Rust by Example/Custom Types/Enums/Testcase: linked-list/5.props deleted file mode 100644 index 1fb5bcc55586..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Custom Types/Enums/Testcase: linked-list/5.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 3 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/22.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/22.props deleted file mode 100644 index 55a4254aa3a2..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/22.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 --object-bits 9 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/39.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/39.props deleted file mode 100644 index 55a4254aa3a2..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/39.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 --object-bits 9 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/5.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/5.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/5.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/54.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/54.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/54.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/69.props b/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/69.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Error handling/Iterating over Results/69.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/102.props b/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/102.props deleted file mode 100644 index 2f4921c863e9..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/102.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 7 diff --git a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/63.props b/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/63.props deleted file mode 100644 index 2f4921c863e9..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Flow of Control/for and range/63.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 7 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Capturing/89.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Capturing/89.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Capturing/89.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Iterator::any/22.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Iterator::any/22.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Iterator::any/22.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/22.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/22.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/22.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/52.props b/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/52.props deleted file mode 100644 index 2f4921c863e9..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Functions/Closures/Examples in std/Searching through iterators/52.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 7 diff --git a/tools/bookrunner/configs/books/Rust by Example/Hello World/Formatted print/Formatting/17.props b/tools/bookrunner/configs/books/Rust by Example/Hello World/Formatted print/Formatting/17.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Hello World/Formatted print/Formatting/17.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/14.props b/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/14.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/14.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/Alternate_custom key types/29.props b/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/Alternate_custom key types/29.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std library types/HashMap/Alternate_custom key types/29.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std library types/Strings/12.props b/tools/bookrunner/configs/books/Rust by Example/Std library types/Strings/12.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std library types/Strings/12.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Channels/7.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Channels/7.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Channels/7.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/File I_O/read lines/9.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/File I_O/read lines/9.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/File I_O/read lines/9.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/8.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/8.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/8.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/Argument parsing/5.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/Argument parsing/5.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Program arguments/Argument parsing/5.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/6.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/6.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/6.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/Testcase: map-reduce/24.props b/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/Testcase: map-reduce/24.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Std misc/Threads/Testcase: map-reduce/24.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/Rust by Example/Traits/Disambiguating overlapping traits/11.props b/tools/bookrunner/configs/books/Rust by Example/Traits/Disambiguating overlapping traits/11.props deleted file mode 100644 index c8d448e9c718..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Traits/Disambiguating overlapping traits/11.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 10 diff --git a/tools/bookrunner/configs/books/Rust by Example/Traits/Iterators/12.props b/tools/bookrunner/configs/books/Rust by Example/Traits/Iterators/12.props deleted file mode 100644 index d55948277f51..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Traits/Iterators/12.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 5 diff --git a/tools/bookrunner/configs/books/Rust by Example/Traits/impl Trait/115.props b/tools/bookrunner/configs/books/Rust by Example/Traits/impl Trait/115.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/Rust by Example/Traits/impl Trait/115.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.diff b/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.diff deleted file mode 100644 index f8eff2a40536..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.diff +++ /dev/null @@ -1,4 +0,0 @@ -- 1 -+ 1 let ok_num = Ok::<_, ()>(5); -+ 2 assert!(!ok_num.is_err()); -+ 4 assert!([2, 4, 6][..] == vec[..]); diff --git a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.props b/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Appendices/Glossary/263.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Attributes/Limits/45.props b/tools/bookrunner/configs/books/The Rust Reference/Attributes/Limits/45.props deleted file mode 100644 index 5fc51f2a8212..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Attributes/Limits/45.props +++ /dev/null @@ -1 +0,0 @@ -// kani-codegen-fail diff --git a/tools/bookrunner/configs/books/The Rust Reference/Linkage/190.props b/tools/bookrunner/configs/books/The Rust Reference/Linkage/190.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Linkage/190.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Patterns/367.props b/tools/bookrunner/configs/books/The Rust Reference/Patterns/367.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Patterns/367.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Loop expressions/133.props b/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Loop expressions/133.props deleted file mode 100644 index a12b6d6b639f..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Loop expressions/133.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 4 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Method call expressions/10.props b/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Method call expressions/10.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Statements and expressions/Expressions/Method call expressions/10.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rust Reference/Type system/Types/113.props b/tools/bookrunner/configs/books/The Rust Reference/Type system/Types/113.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rust Reference/Type system/Types/113.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Rustonomicon/Concurrency/Atomics/198.props b/tools/bookrunner/configs/books/The Rustonomicon/Concurrency/Atomics/198.props deleted file mode 100644 index 41f1f747f90d..000000000000 --- a/tools/bookrunner/configs/books/The Rustonomicon/Concurrency/Atomics/198.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 0 diff --git a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/165.props b/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/165.props deleted file mode 100644 index ef7a7cac2c14..000000000000 --- a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/165.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 3 \ No newline at end of file diff --git a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/28.props b/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/28.props deleted file mode 100644 index f69c62f168c6..000000000000 --- a/tools/bookrunner/configs/books/The Unstable Book/Language Features/generators/28.props +++ /dev/null @@ -1 +0,0 @@ -// kani-flags: --enable-unstable --cbmc-args --unwind 5 \ No newline at end of file diff --git a/tools/bookrunner/librustdoc/Cargo.toml b/tools/bookrunner/librustdoc/Cargo.toml deleted file mode 100644 index f83c6e25803c..000000000000 --- a/tools/bookrunner/librustdoc/Cargo.toml +++ /dev/null @@ -1,26 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 OR MIT -# -# Modifications Copyright Kani Contributors -# See GitHub history for details. -[package] -name = "rustdoc" -version = "0.0.0" -edition = "2021" -license = "MIT OR Apache-2.0" -publish = false - -# From upstream librustdoc: -# https://github.com/rust-lang/rust/tree/master/src/librustdoc -# Upstream crate does not list license but Rust statues: -# Rust is primarily distributed under the terms of both the MIT -# license and the Apache License (Version 2.0), with portions -# covered by various BSD-like licenses. - -[lib] -path = "lib.rs" - -[dependencies] -pulldown-cmark = { version = "0.9", default-features = false } - -[package.metadata.rust-analyzer] -rustc_private = true diff --git a/tools/bookrunner/librustdoc/README.md b/tools/bookrunner/librustdoc/README.md deleted file mode 100644 index 5a5f547068d6..000000000000 --- a/tools/bookrunner/librustdoc/README.md +++ /dev/null @@ -1,3 +0,0 @@ -For more information about how `librustdoc` works, see the [rustc dev guide]. - -[rustc dev guide]: https://rustc-dev-guide.rust-lang.org/rustdoc.html diff --git a/tools/bookrunner/librustdoc/build.rs b/tools/bookrunner/librustdoc/build.rs deleted file mode 100644 index bca0827fbc46..000000000000 --- a/tools/bookrunner/librustdoc/build.rs +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT - -//! Build script that allows us to build this dependency without bootstrap script. -pub(crate) fn main() { - // Hard code nightly configuration to build librustdoc. - println!("cargo:rustc-env=DOC_RUST_LANG_ORG_CHANNEL=nightly"); -} diff --git a/tools/bookrunner/librustdoc/doctest.rs b/tools/bookrunner/librustdoc/doctest.rs deleted file mode 100644 index cf0fdc106e38..000000000000 --- a/tools/bookrunner/librustdoc/doctest.rs +++ /dev/null @@ -1,321 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -use rustc_ast as ast; -use rustc_data_structures::sync::Lrc; -use rustc_driver::DEFAULT_LOCALE_RESOURCES; -use rustc_errors::ColorConfig; -use rustc_span::edition::Edition; -use rustc_span::source_map::SourceMap; -use rustc_span::symbol::sym; -use rustc_span::FileName; - -use std::io::{self}; -use std::str; - -use crate::html::markdown::LangString; - -/// Options that apply to all doctests in a crate or Markdown file (for `rustdoc foo.md`). -#[derive(Clone, Default)] -pub struct GlobalTestOptions { - /// Whether to disable the default `extern crate my_crate;` when creating doctests. - pub(crate) no_crate_inject: bool, - /// Additional crate-level attributes to add to doctests. - pub(crate) attrs: Vec, -} - -/// Transforms a test into code that can be compiled into a Rust binary, and returns the number of -/// lines before the test code begins as well as if the output stream supports colors or not. -pub fn make_test( - s: &str, - crate_name: Option<&str>, - dont_insert_main: bool, - opts: &GlobalTestOptions, - edition: Edition, - test_id: Option<&str>, -) -> (String, usize, bool) { - let (crate_attrs, everything_else, crates) = partition_source(s); - let everything_else = everything_else.trim(); - let mut line_offset = 0; - let mut prog = String::new(); - let mut supports_color = false; - - if opts.attrs.is_empty() { - // If there aren't any attributes supplied by #![doc(test(attr(...)))], then allow some - // lints that are commonly triggered in doctests. The crate-level test attributes are - // commonly used to make tests fail in case they trigger warnings, so having this there in - // that case may cause some tests to pass when they shouldn't have. - prog.push_str("#![allow(unused)]\n"); - line_offset += 1; - } - - // Next, any attributes that came from the crate root via #![doc(test(attr(...)))]. - for attr in &opts.attrs { - prog.push_str(&format!("#![{attr}]\n")); - line_offset += 1; - } - - // Now push any outer attributes from the example, assuming they - // are intended to be crate attributes. - prog.push_str(&crate_attrs); - prog.push_str(&crates); - - // Uses librustc_ast to parse the doctest and find if there's a main fn and the extern - // crate already is included. - let result = rustc_driver::catch_fatal_errors(|| { - rustc_span::create_session_if_not_set_then(edition, |_| { - use rustc_errors::emitter::{Emitter, HumanEmitter}; - use rustc_errors::DiagCtxt; - use rustc_parse::maybe_new_parser_from_source_str; - use rustc_parse::parser::ForceCollect; - use rustc_session::parse::ParseSess; - use rustc_span::source_map::FilePathMapping; - - let filename = FileName::anon_source_code(s); - let source = crates + everything_else; - - // Any errors in parsing should also appear when the doctest is compiled for real, so just - // send all the errors that librustc_ast emits directly into a `Sink` instead of stderr. - let sm = Lrc::new(SourceMap::new(FilePathMapping::empty())); - - let fallback_bundle = - rustc_errors::fallback_fluent_bundle(DEFAULT_LOCALE_RESOURCES.to_vec(), false); - supports_color = HumanEmitter::stderr(ColorConfig::Auto, fallback_bundle.clone()) - .diagnostic_width(Some(80)) - .supports_color(); - - let emitter = HumanEmitter::new(Box::new(io::sink()), fallback_bundle); - - // FIXME(misdreavus): pass `-Z treat-err-as-bug` to the doctest parser - let handler = DiagCtxt::with_emitter(Box::new(emitter)); - let sess = ParseSess::with_dcx(handler, sm); - - let mut found_main = false; - let mut found_extern_crate = crate_name.is_none(); - let mut found_macro = false; - - let mut parser = match maybe_new_parser_from_source_str(&sess, filename, source) { - Ok(p) => p, - Err(_errs) => { - return (found_main, found_extern_crate, found_macro); - } - }; - - loop { - match parser.parse_item(ForceCollect::No) { - Ok(Some(item)) => { - if !found_main { - if let ast::ItemKind::Fn(..) = item.kind { - if item.ident.name == sym::main { - found_main = true; - } - } - } - - if !found_extern_crate { - if let ast::ItemKind::ExternCrate(original) = item.kind { - // This code will never be reached if `crate_name` is none because - // `found_extern_crate` is initialized to `true` if it is none. - let crate_name = crate_name.unwrap(); - - match original { - Some(name) => found_extern_crate = name.as_str() == crate_name, - None => found_extern_crate = item.ident.as_str() == crate_name, - } - } - } - - if !found_macro { - if let ast::ItemKind::MacCall(..) = item.kind { - found_macro = true; - } - } - - if found_main && found_extern_crate { - break; - } - } - Ok(None) => break, - Err(e) => { - e.cancel(); - break; - } - } - - // The supplied slice is only used for diagnostics, - // which are swallowed here anyway. - parser.maybe_consume_incorrect_semicolon(&[]); - } - - // Reset errors so that they won't be reported as compiler bugs when dropping the - // handler. Any errors in the tests will be reported when the test file is compiled, - // Note that we still need to cancel the errors above otherwise `DiagnosticBuilder` - // will panic on drop. - sess.dcx.reset_err_count(); - - (found_main, found_extern_crate, found_macro) - }) - }); - let (already_has_main, already_has_extern_crate, found_macro) = match result { - Ok(result) => result, - Err(_) => { - // If the parser panicked due to a fatal error, pass the test code through unchanged. - // The error will be reported during compilation. - return (s.to_owned(), 0, false); - } - }; - - // If a doctest's `fn main` is being masked by a wrapper macro, the parsing loop above won't - // see it. In that case, run the old text-based scan to see if they at least have a main - // function written inside a macro invocation. See - // https://github.com/rust-lang/rust/issues/56898 - let already_has_main = if found_macro && !already_has_main { - s.lines() - .map(|line| { - let comment = line.find("//"); - if let Some(comment_begins) = comment { &line[0..comment_begins] } else { line } - }) - .any(|code| code.contains("fn main")) - } else { - already_has_main - }; - - // Don't inject `extern crate std` because it's already injected by the - // compiler. - if !already_has_extern_crate && !opts.no_crate_inject && crate_name != Some("std") { - if let Some(crate_name) = crate_name { - // Don't inject `extern crate` if the crate is never used. - // NOTE: this is terribly inaccurate because it doesn't actually - // parse the source, but only has false positives, not false - // negatives. - if s.contains(crate_name) { - prog.push_str(&format!("extern crate r#{crate_name};\n")); - line_offset += 1; - } - } - } - - // FIXME: This code cannot yet handle no_std test cases yet - if dont_insert_main || already_has_main || prog.contains("![no_std]") { - prog.push_str(everything_else); - } else { - let returns_result = everything_else.trim_end().ends_with("(())"); - // Give each doctest main function a unique name. - // This is for example needed for the tooling around `-Z instrument-coverage`. - let inner_fn_name = if let Some(test_id) = test_id { - format!("_doctest_main_{test_id}") - } else { - "_inner".into() - }; - let inner_attr = if test_id.is_some() { "#[allow(non_snake_case)] " } else { "" }; - let (main_pre, main_post) = if returns_result { - ( - format!( - "fn main() {{ {inner_attr}fn {inner_fn_name}() -> Result<(), impl core::fmt::Debug> {{\n" - ), - format!("\n}} {inner_fn_name}().unwrap() }}"), - ) - } else if test_id.is_some() { - ( - format!("fn main() {{ {inner_attr}fn {inner_fn_name}() {{\n"), - format!("\n}} {inner_fn_name}() }}"), - ) - } else { - ("fn main() {\n".into(), "\n}".into()) - }; - // Note on newlines: We insert a line/newline *before*, and *after* - // the doctest and adjust the `line_offset` accordingly. - // In the case of `-Z instrument-coverage`, this means that the generated - // inner `main` function spans from the doctest opening codeblock to the - // closing one. For example - // /// ``` <- start of the inner main - // /// <- code under doctest - // /// ``` <- end of the inner main - line_offset += 1; - - prog.extend([&main_pre, everything_else, &main_post].iter().cloned()); - } - - debug!("final doctest:\n{}", prog); - - (prog, line_offset, supports_color) -} - -// FIXME(aburka): use a real parser to deal with multiline attributes -fn partition_source(s: &str) -> (String, String, String) { - #[derive(Copy, Clone, PartialEq)] - enum PartitionState { - Attrs, - Crates, - Other, - } - let mut state = PartitionState::Attrs; - let mut before = String::new(); - let mut crates = String::new(); - let mut after = String::new(); - - for line in s.lines() { - let trimline = line.trim(); - - // FIXME(misdreavus): if a doc comment is placed on an extern crate statement, it will be - // shunted into "everything else" - match state { - PartitionState::Attrs => { - state = if trimline.starts_with("#![") - || trimline.chars().all(|c| c.is_whitespace()) - || (trimline.starts_with("//") && !trimline.starts_with("///")) - { - PartitionState::Attrs - } else if trimline.starts_with("extern crate") - || trimline.starts_with("#[macro_use] extern crate") - { - PartitionState::Crates - } else { - PartitionState::Other - }; - } - PartitionState::Crates => { - state = if trimline.starts_with("extern crate") - || trimline.starts_with("#[macro_use] extern crate") - || trimline.chars().all(|c| c.is_whitespace()) - || (trimline.starts_with("//") && !trimline.starts_with("///")) - { - PartitionState::Crates - } else { - PartitionState::Other - }; - } - PartitionState::Other => {} - } - - match state { - PartitionState::Attrs => { - before.push_str(line); - before.push('\n'); - } - PartitionState::Crates => { - crates.push_str(line); - crates.push('\n'); - } - PartitionState::Other => { - after.push_str(line); - after.push('\n'); - } - } - } - - debug!("before:\n{}", before); - debug!("crates:\n{}", crates); - debug!("after:\n{}", after); - - (before, after, crates) -} - -pub trait Tester { - fn add_test(&mut self, test: String, config: LangString, line: usize); - fn get_line(&self) -> usize { - 0 - } - fn register_header(&mut self, _name: &str, _level: u32) {} -} diff --git a/tools/bookrunner/librustdoc/html/markdown.rs b/tools/bookrunner/librustdoc/html/markdown.rs deleted file mode 100644 index 85235a5bcc6b..000000000000 --- a/tools/bookrunner/librustdoc/html/markdown.rs +++ /dev/null @@ -1,339 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -//! Markdown formatting for rustdoc. -//! - -use rustc_span::edition::Edition; - -use std::default::Default; -use std::str; -use std::{borrow::Cow, marker::PhantomData}; - -use crate::doctest; - -use pulldown_cmark::{CodeBlockKind, Event, Parser, Tag}; - -#[derive(Copy, Clone, Eq, PartialEq, Debug)] -pub /* via find_testable_code */ enum ErrorCodes { - Yes, - No, -} - -impl ErrorCodes { - pub(crate) fn as_bool(self) -> bool { - match self { - ErrorCodes::Yes => true, - ErrorCodes::No => false, - } - } -} - -/// Controls whether a line will be hidden or shown in HTML output. -/// -/// All lines are used in documentation tests. -enum Line<'a> { - Hidden(&'a str), - Shown(Cow<'a, str>), -} - -impl<'a> Line<'a> { - fn for_code(self) -> Cow<'a, str> { - match self { - Line::Shown(l) => l, - Line::Hidden(l) => Cow::Borrowed(l), - } - } -} - -// FIXME: There is a minor inconsistency here. For lines that start with ##, we -// have no easy way of removing a potential single space after the hashes, which -// is done in the single # case. This inconsistency seems okay, if non-ideal. In -// order to fix it we'd have to iterate to find the first non-# character, and -// then reallocate to remove it; which would make us return a String. -fn map_line(s: &str) -> Line<'_> { - let trimmed = s.trim(); - if trimmed.starts_with("##") { - Line::Shown(Cow::Owned(s.replacen("##", "#", 1))) - } else if let Some(stripped) = trimmed.strip_prefix("# ") { - // # text - Line::Hidden(stripped) - } else if trimmed == "#" { - // We cannot handle '#text' because it could be #[attr]. - Line::Hidden("") - } else { - Line::Shown(Cow::Borrowed(s)) - } -} - -pub fn find_testable_code( - doc: &str, - tests: &mut T, - error_codes: ErrorCodes, - enable_per_target_ignores: bool, - extra_info: Option<&ExtraInfo<'_>>, -) { - let mut parser = Parser::new(doc).into_offset_iter(); - let mut prev_offset = 0; - let mut nb_lines = 0; - let mut register_header = None; - while let Some((event, offset)) = parser.next() { - match event { - Event::Start(Tag::CodeBlock(kind)) => { - let block_info = match kind { - CodeBlockKind::Fenced(ref lang) => { - if lang.is_empty() { - Default::default() - } else { - LangString::parse( - lang, - error_codes, - enable_per_target_ignores, - extra_info, - ) - } - } - CodeBlockKind::Indented => Default::default(), - }; - if !block_info.rust { - continue; - } - - let mut test_s = String::new(); - - while let Some((Event::Text(s), _)) = parser.next() { - test_s.push_str(&s); - } - let text = test_s - .lines() - .map(|l| map_line(l).for_code()) - .collect::>>() - .join("\n"); - - nb_lines += doc[prev_offset..offset.start].lines().count(); - // If there are characters between the preceding line ending and - // this code block, `str::lines` will return an additional line, - // which we subtract here. - if nb_lines != 0 && !&doc[prev_offset..offset.start].ends_with('\n') { - nb_lines -= 1; - } - let line = tests.get_line() + nb_lines + 1; - tests.add_test(text, block_info, line); - prev_offset = offset.start; - } - Event::Start(Tag::Heading(level, _, _)) => { - register_header = Some(level as u32); - } - Event::Text(ref s) if register_header.is_some() => { - let level = register_header.unwrap(); - if s.is_empty() { - tests.register_header("", level); - } else { - tests.register_header(s, level); - } - register_header = None; - } - _ => {} - } - } -} - -// We never pass an actual ExtraInfo, only None for Option -pub struct ExtraInfo<'tcx> { - _unused: PhantomData<&'tcx ()>, -} - -impl<'tcx> ExtraInfo<'tcx> { - fn error_invalid_codeblock_attr(&self, msg: &str, _help: &str) { - unreachable!("{}", msg); - } -} - -#[derive(Eq, PartialEq, Clone, Debug)] -pub struct LangString { - original: String, - pub should_panic: bool, - pub(crate) no_run: bool, - pub ignore: Ignore, - pub(crate) rust: bool, - pub(crate) test_harness: bool, - pub compile_fail: bool, - pub(crate) error_codes: Vec, - pub(crate) allow_fail: bool, - pub edition: Option, -} - -#[derive(Eq, PartialEq, Clone, Debug)] -pub enum Ignore { - All, - None, - Some(Vec), -} - -impl Default for LangString { - fn default() -> Self { - Self { - original: String::new(), - should_panic: false, - no_run: false, - ignore: Ignore::None, - rust: true, - test_harness: false, - compile_fail: false, - error_codes: Vec::new(), - allow_fail: false, - edition: None, - } - } -} - -impl LangString { - fn tokens(string: &str) -> impl Iterator { - // Pandoc, which Rust once used for generating documentation, - // expects lang strings to be surrounded by `{}` and for each token - // to be proceeded by a `.`. Since some of these lang strings are still - // loose in the wild, we strip a pair of surrounding `{}` from the lang - // string and a leading `.` from each token. - - let string = string.trim(); - - let first = string.chars().next(); - let last = string.chars().last(); - - let string = if first == Some('{') && last == Some('}') { - &string[1..string.len() - 1] - } else { - string - }; - - string - .split(|c| c == ',' || c == ' ' || c == '\t') - .map(str::trim) - .map(|token| token.strip_prefix('.').unwrap_or(token)) - .filter(|token| !token.is_empty()) - } - - fn parse( - string: &str, - allow_error_code_check: ErrorCodes, - enable_per_target_ignores: bool, - extra: Option<&ExtraInfo<'_>>, - ) -> LangString { - let allow_error_code_check = allow_error_code_check.as_bool(); - let mut seen_rust_tags = false; - let mut seen_other_tags = false; - let mut data = LangString::default(); - let mut ignores = vec![]; - - data.original = string.to_owned(); - - for token in Self::tokens(string) { - match token { - "should_panic" => { - data.should_panic = true; - seen_rust_tags = !seen_other_tags; - } - "no_run" => { - data.no_run = true; - seen_rust_tags = !seen_other_tags; - } - "ignore" => { - data.ignore = Ignore::All; - seen_rust_tags = !seen_other_tags; - } - x if x.starts_with("ignore-") => { - if enable_per_target_ignores { - ignores.push(x.trim_start_matches("ignore-").to_owned()); - seen_rust_tags = !seen_other_tags; - } - } - "allow_fail" => { - data.allow_fail = true; - seen_rust_tags = !seen_other_tags; - } - "rust" => { - data.rust = true; - seen_rust_tags = true; - } - "test_harness" => { - data.test_harness = true; - seen_rust_tags = !seen_other_tags || seen_rust_tags; - } - "compile_fail" => { - data.compile_fail = true; - seen_rust_tags = !seen_other_tags || seen_rust_tags; - data.no_run = true; - } - x if x.starts_with("edition") => { - data.edition = x[7..].parse::().ok(); - } - x if allow_error_code_check && x.starts_with('E') && x.len() == 5 => { - if x[1..].parse::().is_ok() { - data.error_codes.push(x.to_owned()); - seen_rust_tags = !seen_other_tags || seen_rust_tags; - } else { - seen_other_tags = true; - } - } - x if extra.is_some() => { - let s = x.to_lowercase(); - if let Some((flag, help)) = if s == "compile-fail" - || s == "compile_fail" - || s == "compilefail" - { - Some(( - "compile_fail", - "the code block will either not be tested if not marked as a rust one \ - or won't fail if it compiles successfully", - )) - } else if s == "should-panic" || s == "should_panic" || s == "shouldpanic" { - Some(( - "should_panic", - "the code block will either not be tested if not marked as a rust one \ - or won't fail if it doesn't panic when running", - )) - } else if s == "no-run" || s == "no_run" || s == "norun" { - Some(( - "no_run", - "the code block will either not be tested if not marked as a rust one \ - or will be run (which you might not want)", - )) - } else if s == "allow-fail" || s == "allow_fail" || s == "allowfail" { - Some(( - "allow_fail", - "the code block will either not be tested if not marked as a rust one \ - or will be run (which you might not want)", - )) - } else if s == "test-harness" || s == "test_harness" || s == "testharness" { - Some(( - "test_harness", - "the code block will either not be tested if not marked as a rust one \ - or the code will be wrapped inside a main function", - )) - } else { - None - } { - if let Some(extra) = extra { - extra.error_invalid_codeblock_attr( - &format!("unknown attribute `{x}`. Did you mean `{flag}`?"), - help, - ); - } - } - seen_other_tags = true; - } - _ => seen_other_tags = true, - } - } - - // ignore-foo overrides ignore - if !ignores.is_empty() { - data.ignore = Ignore::Some(ignores); - } - - data.rust &= !seen_other_tags || seen_rust_tags; - - data - } -} diff --git a/tools/bookrunner/librustdoc/html/mod.rs b/tools/bookrunner/librustdoc/html/mod.rs deleted file mode 100644 index bb4c77e39854..000000000000 --- a/tools/bookrunner/librustdoc/html/mod.rs +++ /dev/null @@ -1,6 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -// used by the error-index generator, so it needs to be public -pub mod markdown; diff --git a/tools/bookrunner/librustdoc/lib.rs b/tools/bookrunner/librustdoc/lib.rs deleted file mode 100644 index 68bc77fa14e8..000000000000 --- a/tools/bookrunner/librustdoc/lib.rs +++ /dev/null @@ -1,66 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 OR MIT -// -// Modifications Copyright Kani Contributors -// See GitHub history for details. -#![doc( - html_root_url = "https://doc.rust-lang.org/nightly/", - html_playground_url = "https://play.rust-lang.org/" -)] -#![feature(rustc_private)] -#![feature(array_methods)] -#![feature(assert_matches)] -#![feature(box_patterns)] -#![feature(control_flow_enum)] -#![feature(test)] -#![feature(never_type)] -#![feature(type_ascription)] -#![feature(iter_intersperse)] -#![recursion_limit = "256"] -#![warn(rustc::internal)] -#![allow(clippy::collapsible_if, clippy::collapsible_else_if, clippy::arc_with_non_send_sync)] - -#[macro_use] -extern crate tracing; - -// N.B. these need `extern crate` even in 2018 edition -// because they're loaded implicitly from the sysroot. -// The reason they're loaded from the sysroot is because -// the rustdoc artifacts aren't stored in rustc's cargo target directory. -// So if `rustc` was specified in Cargo.toml, this would spuriously rebuild crates. -// -// Dependencies listed in Cargo.toml do not need `extern crate`. - -extern crate rustc_ast; -extern crate rustc_ast_lowering; -extern crate rustc_ast_pretty; -extern crate rustc_attr; -extern crate rustc_const_eval; -extern crate rustc_data_structures; -extern crate rustc_driver; -extern crate rustc_errors; -extern crate rustc_expand; -extern crate rustc_feature; -extern crate rustc_hir; -extern crate rustc_hir_pretty; -extern crate rustc_index; -extern crate rustc_infer; -extern crate rustc_interface; -extern crate rustc_lexer; -extern crate rustc_lint; -extern crate rustc_lint_defs; -extern crate rustc_macros; -extern crate rustc_metadata; -extern crate rustc_middle; -extern crate rustc_parse; -extern crate rustc_passes; -extern crate rustc_resolve; -extern crate rustc_serialize; -extern crate rustc_session; -extern crate rustc_span; -extern crate rustc_target; -extern crate rustc_trait_selection; -extern crate test; - -pub mod doctest; -// used by the error-index generator, so it needs to be public -pub mod html; diff --git a/tools/bookrunner/print.sh b/tools/bookrunner/print.sh deleted file mode 100755 index 904409ee1c87..000000000000 --- a/tools/bookrunner/print.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -# Copyright Kani Contributors -# SPDX-License-Identifier: Apache-2.0 OR MIT - -# `rustdoc` treats this script as `rustc` and sends code extracted from markdown -# files to stdin of this script. Instead of compiling the code, this scripts -# simply copies the contents of stdin to the location where `rustdoc` caches the -# "compiled" output. - -FILE="$6" -BASE=`basename "$FILE"` -mkdir -p "$BASE" -cp "/dev/stdin" "$FILE" diff --git a/tools/bookrunner/rust-doc/nomicon b/tools/bookrunner/rust-doc/nomicon deleted file mode 160000 index c05c452b3635..000000000000 --- a/tools/bookrunner/rust-doc/nomicon +++ /dev/null @@ -1 +0,0 @@ -Subproject commit c05c452b36358821bf4122f9c418674edd1d713d diff --git a/tools/bookrunner/rust-doc/reference b/tools/bookrunner/rust-doc/reference deleted file mode 160000 index f8ba2f12df60..000000000000 --- a/tools/bookrunner/rust-doc/reference +++ /dev/null @@ -1 +0,0 @@ -Subproject commit f8ba2f12df60ee19b96de24ae5b73af3de8a446b diff --git a/tools/bookrunner/rust-doc/rust-by-example b/tools/bookrunner/rust-doc/rust-by-example deleted file mode 160000 index 43f82530210b..000000000000 --- a/tools/bookrunner/rust-doc/rust-by-example +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 43f82530210b83cf888282b207ed13d5893da9b2 diff --git a/tools/bookrunner/rust-doc/unstable-book/.gitignore b/tools/bookrunner/rust-doc/unstable-book/.gitignore deleted file mode 100644 index 7585238efedf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/.gitignore +++ /dev/null @@ -1 +0,0 @@ -book diff --git a/tools/bookrunner/rust-doc/unstable-book/book.toml b/tools/bookrunner/rust-doc/unstable-book/book.toml deleted file mode 100644 index dfbd8311dae4..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/book.toml +++ /dev/null @@ -1,10 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 OR MIT -# -# Modifications Copyright Kani Contributors -# See GitHub history for details. -[book] -title = "The Rust Unstable Book" -author = "The Rust Community" - -[output.html] -git-repository-url = "https://github.com/rust-lang/rust/tree/master/src/doc/unstable-book" diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags.md deleted file mode 100644 index 43eadb351016..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags.md +++ /dev/null @@ -1 +0,0 @@ -# Compiler flags diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/branch-protection.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/branch-protection.md deleted file mode 100644 index 85403748e1dc..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/branch-protection.md +++ /dev/null @@ -1,18 +0,0 @@ -# `branch-protection` - -This option lets you enable branch authentication instructions on AArch64. -This option is ignored for non-AArch64 architectures. -It takes some combination of the following values, separated by a `,`. - -- `pac-ret` - Enable pointer authentication for non-leaf functions. -- `leaf` - Enable pointer authentication for all functions, including leaf functions. -- `b-key` - Sign return addresses with key B, instead of the default key A. -- `bti` - Enable branch target identification. - -`leaf` and `b-key` are only valid if `pac-ret` was previously specified. -For example, `-Z branch-protection=bti,pac-ret,leaf` is valid, but -`-Z branch-protection=bti,leaf,pac-ret` is not. - -Rust's standard library does not ship with BTI or pointer authentication enabled by default. -In Cargo projects the standard library can be recompiled with pointer authentication using the nightly -[build-std](https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#build-std) feature. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/codegen-backend.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/codegen-backend.md deleted file mode 100644 index 3c0cd32fae17..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/codegen-backend.md +++ /dev/null @@ -1,31 +0,0 @@ -# `codegen-backend` - -The tracking issue for this feature is: [#77933](https://github.com/rust-lang/rust/issues/77933). - ------------------------- - -This feature allows you to specify a path to a dynamic library to use as rustc's -code generation backend at runtime. - -Set the `-Zcodegen-backend=` compiler flag to specify the location of the -backend. The library must be of crate type `dylib` and must contain a function -named `__rustc_codegen_backend` with a signature of `fn() -> Box`. - -## Example -See also the [`hotplug_codegen_backend`](https://github.com/rust-lang/rust/tree/master/src/test/run-make-fulldeps/hotplug_codegen_backend) test -for a full example. - -```rust,ignore (partial-example) -use rustc_codegen_ssa::traits::CodegenBackend; - -struct MyBackend; - -impl CodegenBackend for MyBackend { - // Implement codegen methods -} - -#[no_mangle] -pub fn __rustc_codegen_backend() -> Box { - Box::new(MyBackend) -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/control-flow-guard.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/control-flow-guard.md deleted file mode 100644 index 08c16d95f467..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/control-flow-guard.md +++ /dev/null @@ -1,59 +0,0 @@ -# `control-flow-guard` - -The tracking issue for this feature is: [#68793](https://github.com/rust-lang/rust/issues/68793). - ------------------------- - -The rustc flag `-Z control-flow-guard` enables the Windows [Control Flow Guard](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard) (CFG) platform security feature. - -CFG is an exploit mitigation designed to enforce control-flow integrity for software running on supported [Windows platforms (Windows 8.1 onwards)](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard). Specifically, CFG uses runtime checks to validate the target address of every indirect call/jump before allowing the call to complete. - -During compilation, the compiler identifies all indirect calls/jumps and adds CFG checks. It also emits metadata containing the relative addresses of all address-taken functions. At runtime, if the binary is run on a CFG-aware operating system, the loader uses the CFG metadata to generate a bitmap of the address space and marks those addresses that contain valid targets. On each indirect call, the inserted check determines whether the target address is marked in this bitmap. If the target is not valid, the process is terminated. - -In terms of interoperability: -- Code compiled with CFG enabled can be linked with libraries and object files that are not compiled with CFG. In this case, a CFG-aware linker can identify address-taken functions in the non-CFG libraries. -- Libraries compiled with CFG can linked into non-CFG programs. In this case, the CFG runtime checks in the libraries are not used (i.e. the mitigation is completely disabled). - -CFG functionality is completely implemented in the LLVM backend and is supported for X86 (32-bit and 64-bit), ARM, and Aarch64 targets. The rustc flag adds the relevant LLVM module flags to enable the feature. This flag will be ignored for all non-Windows targets. - - -## When to use Control Flow Guard - -The primary motivation for enabling CFG in Rust is to enhance security when linking against non-Rust code, especially C/C++ code. To achieve full CFG protection, all indirect calls (including any from Rust code) must have the appropriate CFG checks, as added by this flag. CFG can also improve security for Rust code that uses the `unsafe` keyword. - -Another motivation behind CFG is to harden programs against [return-oriented programming (ROP)](https://en.wikipedia.org/wiki/Return-oriented_programming) attacks. CFG disallows an attacker from taking advantage of the program's own instructions while redirecting control flow in unexpected ways. - -## Overhead of Control Flow Guard - -The CFG checks and metadata can potentially increase binary size and runtime overhead. The magnitude of any increase depends on the number and frequency of indirect calls. For example, enabling CFG for the Rust standard library increases binary size by approximately 0.14%. Enabling CFG in the SPEC CPU 2017 Integer Speed benchmark suite (compiled with Clang/LLVM) incurs approximate runtime overheads of between 0% and 8%, with a geometric mean of 2.9%. - - -## Testing Control Flow Guard - -The rustc flag `-Z control-flow-guard=nochecks` instructs LLVM to emit the list of valid call targets without inserting runtime checks. This flag should only be used for testing purposes as it does not provide security enforcement. - - -## Control Flow Guard in libraries - -It is strongly recommended to also enable CFG checks for all linked libraries, including the standard library. - -To enable CFG in the standard library, use the [cargo `-Z build-std` functionality][build-std] to recompile the standard library with the same configuration options as the main program. - -[build-std]: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#build-std - -For example: -```cmd -rustup toolchain install --force nightly -rustup component add rust-src -SET RUSTFLAGS=-Z control-flow-guard -cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc -``` - -```PowerShell -rustup toolchain install --force nightly -rustup component add rust-src -$Env:RUSTFLAGS = "-Z control-flow-guard" -cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc -``` - -Alternatively, if you are building the standard library from source, you can set `control-flow-guard = true` in the config.toml file. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/debug_info_for_profiling.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/debug_info_for_profiling.md deleted file mode 100644 index 44bd3baeeedf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/debug_info_for_profiling.md +++ /dev/null @@ -1,35 +0,0 @@ -# `debug-info-for-profiling - ---- - -## Introduction - -Automatic Feedback Directed Optimization (AFDO) is a method for using sampling -based profiles to guide optimizations. This is contrasted with other methods of -FDO or profile-guided optimization (PGO) which use instrumented profiling. - -Unlike PGO (controlled by the `rustc` flags `-Cprofile-generate` and -`-Cprofile-use`), a binary being profiled does not perform significantly worse, -and thus it's possible to profile binaries used in real workflows and not -necessary to construct artificial workflows. - -## Use - -In order to use AFDO, the target platform must be Linux running on an `x86_64` -architecture with the performance profiler `perf` available. In addition, the -external tool `create_llvm_prof` from [this repository] must be used. - -Given a Rust file `main.rs`, we can produce an optimized binary as follows: - -```shell -rustc -O -Zdebug-info-for-profiling main.rs -o main -perf record -b ./main -create_llvm_prof --binary=main --out=code.prof -rustc -O -Zprofile-sample-use=code.prof main.rs -o main2 -``` - -The `perf` command produces a profile `perf.data`, which is then used by the -`create_llvm_prof` command to create `code.prof`. This final profile is then -used by `rustc` to guide optimizations in producing the binary `main2`. - -[this repository]: https://github.com/google/autofdo diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/emit-stack-sizes.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/emit-stack-sizes.md deleted file mode 100644 index 47f45a0b91f8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/emit-stack-sizes.md +++ /dev/null @@ -1,167 +0,0 @@ -# `emit-stack-sizes` - -The tracking issue for this feature is: [#54192] - -[#54192]: https://github.com/rust-lang/rust/issues/54192 - ------------------------- - -The rustc flag `-Z emit-stack-sizes` makes LLVM emit stack size metadata. - -> **NOTE**: This LLVM feature only supports the ELF object format as of LLVM -> 8.0. Using this flag with targets that use other object formats (e.g. macOS -> and Windows) will result in it being ignored. - -Consider this crate: - -``` -#![crate_type = "lib"] - -use std::ptr; - -pub fn foo() { - // this function doesn't use the stack -} - -pub fn bar() { - let xs = [0u32; 2]; - - // force LLVM to allocate `xs` on the stack - unsafe { ptr::read_volatile(&xs.as_ptr()); } -} -``` - -Using the `-Z emit-stack-sizes` flag produces extra linker sections in the -output *object file*. - -``` console -$ rustc -C opt-level=3 --emit=obj foo.rs - -$ size -A foo.o -foo.o : -section size addr -.text 0 0 -.text._ZN3foo3foo17he211d7b4a3a0c16eE 1 0 -.text._ZN3foo3bar17h1acb594305f70c2eE 22 0 -.note.GNU-stack 0 0 -.eh_frame 72 0 -Total 95 - -$ rustc -C opt-level=3 --emit=obj -Z emit-stack-sizes foo.rs - -$ size -A foo.o -foo.o : -section size addr -.text 0 0 -.text._ZN3foo3foo17he211d7b4a3a0c16eE 1 0 -.stack_sizes 9 0 -.text._ZN3foo3bar17h1acb594305f70c2eE 22 0 -.stack_sizes 9 0 -.note.GNU-stack 0 0 -.eh_frame 72 0 -Total 113 -``` - -As of LLVM 7.0 the data will be written into a section named `.stack_sizes` and -the format is "an array of pairs of function symbol values (pointer size) and -stack sizes (unsigned LEB128)". - -``` console -$ objdump -d foo.o - -foo.o: file format elf64-x86-64 - -Disassembly of section .text._ZN3foo3foo17he211d7b4a3a0c16eE: - -0000000000000000 <_ZN3foo3foo17he211d7b4a3a0c16eE>: - 0: c3 retq - -Disassembly of section .text._ZN3foo3bar17h1acb594305f70c2eE: - -0000000000000000 <_ZN3foo3bar17h1acb594305f70c2eE>: - 0: 48 83 ec 10 sub $0x10,%rsp - 4: 48 8d 44 24 08 lea 0x8(%rsp),%rax - 9: 48 89 04 24 mov %rax,(%rsp) - d: 48 8b 04 24 mov (%rsp),%rax - 11: 48 83 c4 10 add $0x10,%rsp - 15: c3 retq - -$ objdump -s -j .stack_sizes foo.o - -foo.o: file format elf64-x86-64 - -Contents of section .stack_sizes: - 0000 00000000 00000000 00 ......... -Contents of section .stack_sizes: - 0000 00000000 00000000 10 ......... -``` - -It's important to note that linkers will discard this linker section by default. -To preserve the section you can use a linker script like the one shown below. - -``` text -/* file: keep-stack-sizes.x */ -SECTIONS -{ - /* `INFO` makes the section not allocatable so it won't be loaded into memory */ - .stack_sizes (INFO) : - { - KEEP(*(.stack_sizes)); - } -} -``` - -The linker script must be passed to the linker using a rustc flag like `-C -link-arg`. - -``` -// file: src/main.rs -use std::ptr; - -#[inline(never)] -fn main() { - let xs = [0u32; 2]; - - // force LLVM to allocate `xs` on the stack - unsafe { ptr::read_volatile(&xs.as_ptr()); } -} -``` - -``` console -$ RUSTFLAGS="-Z emit-stack-sizes" cargo build --release - -$ size -A target/release/hello | grep stack_sizes || echo section was not found -section was not found - -$ RUSTFLAGS="-Z emit-stack-sizes" cargo rustc --release -- \ - -C link-arg=-Wl,-Tkeep-stack-sizes.x \ - -C link-arg=-N - -$ size -A target/release/hello | grep stack_sizes -.stack_sizes 90 176272 - -$ # non-allocatable section (flags don't contain the "A" (alloc) flag) -$ readelf -S target/release/hello -Section Headers: - [Nr] Name Type Address Offset - Size EntSize Flags Link Info Align -(..) - [1031] .stack_sizes PROGBITS 000000000002b090 0002b0f0 - 000000000000005a 0000000000000000 L 5 0 1 - -$ objdump -s -j .stack_sizes target/release/hello - -target/release/hello: file format elf64-x86-64 - -Contents of section .stack_sizes: - 2b090 c0040000 00000000 08f00400 00000000 ................ - 2b0a0 00080005 00000000 00000810 05000000 ................ - 2b0b0 00000000 20050000 00000000 10400500 .... ........@.. - 2b0c0 00000000 00087005 00000000 00000080 ......p......... - 2b0d0 05000000 00000000 90050000 00000000 ................ - 2b0e0 00a00500 00000000 0000 .......... -``` - -> Author note: I'm not entirely sure why, in *this* case, `-N` is required in -> addition to `-Tkeep-stack-sizes.x`. For example, it's not required when -> producing statically linked files for the ARM Cortex-M architecture. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/extern-location.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/extern-location.md deleted file mode 100644 index 1c80d5426bf7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/extern-location.md +++ /dev/null @@ -1,31 +0,0 @@ -# `extern-location` - -MCP for this feature: [#303] - -[#303]: https://github.com/rust-lang/compiler-team/issues/303 - ------------------------- - -The `unused-extern-crates` lint reports when a crate was specified on the rustc -command-line with `--extern name=path` but no symbols were referenced in it. -This is useful to know, but it's hard to map that back to a specific place a user -or tool could fix (ie, to remove the unused dependency). - -The `--extern-location` flag allows the build system to associate a location with -the `--extern` option, which is then emitted as part of the diagnostics. This location -is abstract and just round-tripped through rustc; the compiler never attempts to -interpret it in any way. - -There are two supported forms of location: a bare string, or a blob of json: -- `--extern-location foo=raw:Makefile:123` would associate the raw string `Makefile:123` -- `--extern-location 'bar=json:{"target":"//my_project:library","dep":"//common:serde"}` would - associate the json structure with `--extern bar=`, indicating which dependency of - which rule introduced the unused extern crate. - -This primarily intended to be used with tooling - for example a linter which can automatically -remove unused dependencies - rather than being directly presented to users. - -`raw` locations are presented as part of the normal rendered diagnostics and included in -the json form. `json` locations are only included in the json form of diagnostics, -as a `tool_metadata` field. For `raw` locations `tool_metadata` is simply a json string, -whereas `json` allows the rustc invoker to fully control its form and content. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/img/llvm-cov-show-01.png b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/img/llvm-cov-show-01.png deleted file mode 100644 index 35f04594347a..000000000000 Binary files a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/img/llvm-cov-show-01.png and /dev/null differ diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/instrument-coverage.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/instrument-coverage.md deleted file mode 100644 index 39eb407269c1..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/instrument-coverage.md +++ /dev/null @@ -1,346 +0,0 @@ -# `instrument-coverage` - -The tracking issue for this feature is: [#79121]. - -[#79121]: https://github.com/rust-lang/rust/issues/79121 - ---- - -## Introduction - -The Rust compiler includes two code coverage implementations: - -- A GCC-compatible, gcov-based coverage implementation, enabled with `-Z profile`, which derives coverage data based on DebugInfo. -- A source-based code coverage implementation, enabled with `-Z instrument-coverage`, which uses LLVM's native, efficient coverage instrumentation to generate very precise coverage data. - -This document describes how to enable and use the LLVM instrumentation-based coverage, via the `-Z instrument-coverage` compiler flag. - -## How it works - -When `-Z instrument-coverage` is enabled, the Rust compiler enhances rust-based libraries and binaries by: - -- Automatically injecting calls to an LLVM intrinsic ([`llvm.instrprof.increment`]), at functions and branches in compiled code, to increment counters when conditional sections of code are executed. -- Embedding additional information in the data section of each library and binary (using the [LLVM Code Coverage Mapping Format] _Version 5_, if compiling with LLVM 12, or _Version 6_, if compiling with LLVM 13 or higher), to define the code regions (start and end positions in the source code) being counted. - -When running a coverage-instrumented program, the counter values are written to a `profraw` file at program termination. LLVM bundles tools that read the counter results, combine those results with the coverage map (embedded in the program binary), and generate coverage reports in multiple formats. - -[`llvm.instrprof.increment`]: https://llvm.org/docs/LangRef.html#llvm-instrprof-increment-intrinsic -[llvm code coverage mapping format]: https://llvm.org/docs/CoverageMappingFormat.html - -> **Note**: `-Z instrument-coverage` also automatically enables `-C symbol-mangling-version=v0` (tracking issue [#60705]). The `v0` symbol mangler is strongly recommended, but be aware that this demangler is also experimental. The `v0` demangler can be overridden by explicitly adding `-Z unstable-options -C symbol-mangling-version=legacy`. - -[#60705]: https://github.com/rust-lang/rust/issues/60705 - -## Enable coverage profiling in the Rust compiler - -Rust's source-based code coverage requires the Rust "profiler runtime". Without it, compiling with `-Z instrument-coverage` generates an error that the profiler runtime is missing. - -The Rust `nightly` distribution channel includes the profiler runtime, by default. - -> **Important**: If you are building the Rust compiler from the source distribution, the profiler runtime is _not_ enabled in the default `config.toml.example`. Edit your `config.toml` file and ensure the `profiler` feature is set it to `true` (either under the `[build]` section, or under the settings for an individual `[target.]`): -> -> ```toml -> # Build the profiler runtime (required when compiling with options that depend -> # on this runtime, such as `-C profile-generate` or `-Z instrument-coverage`). -> profiler = true -> ``` - -### Building the demangler - -LLVM coverage reporting tools generate results that can include function names and other symbol references, and the raw coverage results report symbols using the compiler's "mangled" version of the symbol names, which can be difficult to interpret. To work around this issue, LLVM coverage tools also support a user-specified symbol name demangler. - -One option for a Rust demangler is [`rustfilt`], which can be installed with: - -```shell -cargo install rustfilt -``` - -Another option, if you are building from the Rust compiler source distribution, is to use the `rust-demangler` tool included in the Rust source distribution, which can be built with: - -```shell -$ ./x.py build rust-demangler -``` - -[`rustfilt`]: https://crates.io/crates/rustfilt - -## Compiling with coverage enabled - -Set the `-Z instrument-coverage` compiler flag in order to enable LLVM source-based code coverage profiling. - -The default option generates coverage for all functions, including unused (never called) functions and generics. The compiler flag supports an optional value to tailor this behavior. (See [`-Z instrument-coverage=`](#-z-instrument-coverageoptions), below.) - -With `cargo`, you can instrument your program binary _and_ dependencies at the same time. - -For example (if your project's Cargo.toml builds a binary by default): - -```shell -$ cd your-project -$ cargo clean -$ RUSTFLAGS="-Z instrument-coverage" cargo build -``` - -If `cargo` is not configured to use your `profiler`-enabled version of `rustc`, set the path explicitly via the `RUSTC` environment variable. Here is another example, using a `stage1` build of `rustc` to compile an `example` binary (from the [`json5format`] crate): - -```shell -$ RUSTC=$HOME/rust/build/x86_64-unknown-linux-gnu/stage1/bin/rustc \ - RUSTFLAGS="-Z instrument-coverage" \ - cargo build --example formatjson5 -``` - -> **Note**: that some compiler options, combined with `-Z instrument-coverage`, can produce LLVM IR and/or linked binaries that are incompatible with LLVM coverage maps. For example, coverage requires references to actual functions in LLVM IR. If any covered function is optimized out, the coverage tools may not be able to process the coverage results. If you need to pass additional options, with coverage enabled, test them early, to confirm you will get the coverage results you expect. - -## Running the instrumented binary to generate raw coverage profiling data - -In the previous example, `cargo` generated the coverage-instrumented binary `formatjson5`: - -```shell -$ echo "{some: 'thing'}" | target/debug/examples/formatjson5 - -``` - -```json5 -{ - some: "thing", -} -``` - -After running this program, a new file, `default.profraw`, should be in the current working directory. It's often preferable to set a specific file name or path. You can change the output file using the environment variable `LLVM_PROFILE_FILE`: - -```shell -$ echo "{some: 'thing'}" \ - | LLVM_PROFILE_FILE="formatjson5.profraw" target/debug/examples/formatjson5 - -... -$ ls formatjson5.profraw -formatjson5.profraw -``` - -If `LLVM_PROFILE_FILE` contains a path to a non-existent directory, the missing directory structure will be created. Additionally, the following special pattern strings are rewritten: - -- `%p` - The process ID. -- `%h` - The hostname of the machine running the program. -- `%t` - The value of the TMPDIR environment variable. -- `%Nm` - the instrumented binary’s signature: The runtime creates a pool of N raw profiles, used for on-line profile merging. The runtime takes care of selecting a raw profile from the pool, locking it, and updating it before the program exits. `N` must be between `1` and `9`, and defaults to `1` if omitted (with simply `%m`). -- `%c` - Does not add anything to the filename, but enables a mode (on some platforms, including Darwin) in which profile counter updates are continuously synced to a file. This means that if the instrumented program crashes, or is killed by a signal, perfect coverage information can still be recovered. - -## Installing LLVM coverage tools - -LLVM's supplies two tools—`llvm-profdata` and `llvm-cov`—that process coverage data and generate reports. There are several ways to find and/or install these tools, but note that the coverage mapping data generated by the Rust compiler requires LLVM version 12 or higher. (`llvm-cov --version` typically shows the tool's LLVM version number.): - -- The LLVM tools may be installed (or installable) directly to your OS (such as via `apt-get`, for Linux). -- If you are building the Rust compiler from source, you can optionally use the bundled LLVM tools, built from source. Those tool binaries can typically be found in your build platform directory at something like: `rust/build/x86_64-unknown-linux-gnu/llvm/bin/llvm-*`. -- You can install compatible versions of these tools via `rustup`. - -The `rustup` option is guaranteed to install a compatible version of the LLVM tools, but they can be hard to find. We recommend [`cargo-binutils`], which installs Rust-specific wrappers around these and other LLVM tools, so you can invoke them via `cargo` commands! - -```shell -$ rustup component add llvm-tools-preview -$ cargo install cargo-binutils -$ cargo profdata -- --help # note the additional "--" preceding the tool-specific arguments -``` - -[`cargo-binutils`]: https://crates.io/crates/cargo-binutils - -## Creating coverage reports - -Raw profiles have to be indexed before they can be used to generate coverage reports. This is done using [`llvm-profdata merge`] (or `cargo profdata -- merge`), which can combine multiple raw profiles and index them at the same time: - -```shell -$ llvm-profdata merge -sparse formatjson5.profraw -o formatjson5.profdata -``` - -Finally, the `.profdata` file is used, in combination with the coverage map (from the program binary) to generate coverage reports using [`llvm-cov report`] (or `cargo cov -- report`), for a coverage summaries; and [`llvm-cov show`] (or `cargo cov -- show`), to see detailed coverage of lines and regions (character ranges) overlaid on the original source code. - -These commands have several display and filtering options. For example: - -```shell -$ llvm-cov show -Xdemangler=rustfilt target/debug/examples/formatjson5 \ - -instr-profile=formatjson5.profdata \ - -show-line-counts-or-regions \ - -show-instantiations \ - -name=add_quoted_string -``` - -Screenshot of sample `llvm-cov show` result, for function add_quoted_string -
-
- -Some of the more notable options in this example include: - -- `--Xdemangler=rustfilt` - the command name or path used to demangle Rust symbols (`rustfilt` in the example, but this could also be a path to the `rust-demangler` tool) -- `target/debug/examples/formatjson5` - the instrumented binary (from which to extract the coverage map) -- `--instr-profile=.profdata` - the location of the `.profdata` file created by `llvm-profdata merge` (from the `.profraw` file generated by the instrumented binary) -- `--name=` - to show coverage for a specific function (or, consider using another filter option, such as `--name-regex=`) - -[`llvm-profdata merge`]: https://llvm.org/docs/CommandGuide/llvm-profdata.html#profdata-merge -[`llvm-cov report`]: https://llvm.org/docs/CommandGuide/llvm-cov.html#llvm-cov-report -[`llvm-cov show`]: https://llvm.org/docs/CommandGuide/llvm-cov.html#llvm-cov-show - -> **Note**: Coverage can also be disabled on an individual function by annotating the function with the [`no_coverage` attribute] (which requires the feature flag `#![feature(no_coverage)]`). - -[`no_coverage` attribute]: ../language-features/no-coverage.md - -## Interpreting reports - -There are four statistics tracked in a coverage summary: - -- Function coverage is the percentage of functions that have been executed at least once. A function is considered to be executed if any of its instantiations are executed. -- Instantiation coverage is the percentage of function instantiations that have been executed at least once. Generic functions and functions generated from macros are two kinds of functions that may have multiple instantiations. -- Line coverage is the percentage of code lines that have been executed at least once. Only executable lines within function bodies are considered to be code lines. -- Region coverage is the percentage of code regions that have been executed at least once. A code region may span multiple lines: for example, in a large function body with no control flow. In other cases, a single line can contain multiple code regions: `return x || (y && z)` has countable code regions for `x` (which may resolve the expression, if `x` is `true`), `|| (y && z)` (executed only if `x` was `false`), and `return` (executed in either situation). - -Of these four statistics, function coverage is usually the least granular while region coverage is the most granular. The project-wide totals for each statistic are listed in the summary. - -## Test coverage - -A typical use case for coverage analysis is test coverage. Rust's source-based coverage tools can both measure your tests' code coverage as percentage, and pinpoint functions and branches not tested. - -The following example (using the [`json5format`] crate, for demonstration purposes) show how to generate and analyze coverage results for all tests in a crate. - -Since `cargo test` both builds and runs the tests, we set both the additional `RUSTFLAGS`, to add the `-Z instrument-coverage` flag, and `LLVM_PROFILE_FILE`, to set a custom filename for the raw profiling data generated during the test runs. Since there may be more than one test binary, apply `%m` in the filename pattern. This generates unique names for each test binary. (Otherwise, each executed test binary would overwrite the coverage results from the previous binary.) - -```shell -$ RUSTFLAGS="-Z instrument-coverage" \ - LLVM_PROFILE_FILE="json5format-%m.profraw" \ - cargo test --tests -``` - -Make note of the test binary file paths, displayed after the word "`Running`" in the test output: - -```text - ... - Compiling json5format v0.1.3 ($HOME/json5format) - Finished test [unoptimized + debuginfo] target(s) in 14.60s - - Running target/debug/deps/json5format-fececd4653271682 -running 25 tests -... -test result: ok. 25 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out - - Running target/debug/deps/lib-30768f9c53506dc5 -running 31 tests -... -test result: ok. 31 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out -``` - -You should have one or more `.profraw` files now, one for each test binary. Run the `profdata` tool to merge them: - -```shell -$ cargo profdata -- merge \ - -sparse json5format-*.profraw -o json5format.profdata -``` - -Then run the `cov` tool, with the `profdata` file and all test binaries: - -```shell -$ cargo cov -- report \ - --use-color --ignore-filename-regex='/.cargo/registry' \ - --instr-profile=json5format.profdata \ - --object target/debug/deps/lib-30768f9c53506dc5 \ - --object target/debug/deps/json5format-fececd4653271682 -$ cargo cov -- show \ - --use-color --ignore-filename-regex='/.cargo/registry' \ - --instr-profile=json5format.profdata \ - --object target/debug/deps/lib-30768f9c53506dc5 \ - --object target/debug/deps/json5format-fececd4653271682 \ - --show-instantiations --show-line-counts-or-regions \ - --Xdemangler=rustfilt | less -R -``` - -> **Note**: The command line option `--ignore-filename-regex=/.cargo/registry`, which excludes the sources for dependencies from the coverage results.\_ - -### Tips for listing the binaries automatically - -For `bash` users, one suggested way to automatically complete the `cov` command with the list of binaries is with a command like: - -```bash -$ cargo cov -- report \ - $( \ - for file in \ - $( \ - RUSTFLAGS="-Z instrument-coverage" \ - cargo test --tests --no-run --message-format=json \ - | jq -r "select(.profile.test == true) | .filenames[]" \ - | grep -v dSYM - \ - ); \ - do \ - printf "%s %s " -object $file; \ - done \ - ) \ - --instr-profile=json5format.profdata --summary-only # and/or other options -``` - -Adding `--no-run --message-format=json` to the _same_ `cargo test` command used to run -the tests (including the same environment variables and flags) generates output in a JSON -format that `jq` can easily query. - -The `printf` command takes this list and generates the `--object ` arguments -for each listed test binary. - -### Including doc tests - -The previous examples run `cargo test` with `--tests`, which excludes doc tests.[^79417] - -To include doc tests in the coverage results, drop the `--tests` flag, and apply the -`-Z instrument-coverage` flag, and some doc-test-specific options in the -`RUSTDOCFLAGS` environment variable. (The `cargo profdata` command does not change.) - -```bash -$ RUSTFLAGS="-Z instrument-coverage" \ - RUSTDOCFLAGS="-Z instrument-coverage -Z unstable-options --persist-doctests target/debug/doctestbins" \ - LLVM_PROFILE_FILE="json5format-%m.profraw" \ - cargo test -$ cargo profdata -- merge \ - -sparse json5format-*.profraw -o json5format.profdata -``` - -The `-Z unstable-options --persist-doctests` flag is required, to save the test binaries -(with their coverage maps) for `llvm-cov`. - -```bash -$ cargo cov -- report \ - $( \ - for file in \ - $( \ - RUSTFLAGS="-Z instrument-coverage" \ - RUSTDOCFLAGS="-Z instrument-coverage -Z unstable-options --persist-doctests target/debug/doctestbins" \ - cargo test --no-run --message-format=json \ - | jq -r "select(.profile.test == true) | .filenames[]" \ - | grep -v dSYM - \ - ) \ - target/debug/doctestbins/*/rust_out; \ - do \ - [[ -x $file ]] && printf "%s %s " -object $file; \ - done \ - ) \ - --instr-profile=json5format.profdata --summary-only # and/or other options -``` - -> **Note**: The differences in this `cargo cov` command, compared with the version without -> doc tests, include: - -- The `cargo test ... --no-run` command is updated with the same environment variables - and flags used to _build_ the tests, _including_ the doc tests. (`LLVM_PROFILE_FILE` - is only used when _running_ the tests.) -- The file glob pattern `target/debug/doctestbins/*/rust_out` adds the `rust_out` - binaries generated for doc tests (note, however, that some `rust_out` files may not - be executable binaries). -- `[[ -x $file ]] &&` filters the files passed on to the `printf`, to include only - executable binaries. - -[^79417]: - There is ongoing work to resolve a known issue - [(#79417)](https://github.com/rust-lang/rust/issues/79417) that doc test coverage - generates incorrect source line numbers in `llvm-cov show` results. - -## `-Z instrument-coverage=` - -- `-Z instrument-coverage=all`: Instrument all functions, including unused functions and unused generics. (This is the same as `-Z instrument-coverage`, with no value.) -- `-Z instrument-coverage=except-unused-generics`: Instrument all functions except unused generics. -- `-Z instrument-coverage=except-unused-functions`: Instrument only used (called) functions and instantiated generic functions. -- `-Z instrument-coverage=off`: Do not instrument any functions. (This is the same as simply not including the `-Z instrument-coverage` option.) - -## Other references - -Rust's implementation and workflow for source-based code coverage is based on the same library and tools used to implement [source-based code coverage in Clang]. (This document is partially based on the Clang guide.) - -[source-based code coverage in clang]: https://clang.llvm.org/docs/SourceBasedCodeCoverage.html -[`json5format`]: https://crates.io/crates/json5format diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/location-detail.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/location-detail.md deleted file mode 100644 index 08d937cc2820..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/location-detail.md +++ /dev/null @@ -1,43 +0,0 @@ -# `location-detail` - -The tracking issue for this feature is: [#70580](https://github.com/rust-lang/rust/issues/70580). - ------------------------- - -Option `-Z location-detail=val` controls what location details are tracked when -using `caller_location`. This allows users to control what location details -are printed as part of panic messages, by allowing them to exclude any combination -of filenames, line numbers, and column numbers. This option is intended to provide -users with a way to mitigate the size impact of `#[track_caller]`. - -This option supports a comma separated list of location details to be included. Valid options -within this list are: - -- `file` - the filename of the panic will be included in the panic output -- `line` - the source line of the panic will be included in the panic output -- `column` - the source column of the panic will be included in the panic output - -Any combination of these three options are supported. If this option is not specified, -all three are included by default. - -An example of a panic output when using `-Z location-detail=line`: -```text -panicked at 'Process blink had a fault', :323:0 -``` - -The code size savings from this option are two-fold. First, the `&'static str` values -for each path to a file containing a panic are removed from the binary. For projects -with deep directory structures and many files with panics, this can add up. This category -of savings can only be realized by excluding filenames from the panic output. Second, -savings can be realized by allowing multiple panics to be fused into a single panicking -branch. It is often the case that within a single file, multiple panics with the same -panic message exist -- e.g. two calls to `Option::unwrap()` in a single line, or -two calls to `Result::expect()` on adjacent lines. If column and line information -are included in the `Location` struct passed to the panic handler, these branches cannot -be fused, as the output is different depending on which panic occurs. However if line -and column information is identical for all panics, these branches can be fused, which -can lead to substantial code size savings, especially for small embedded binaries with -many panics. - -The savings from this option are amplified when combined with the use of `-Zbuild-std`, as -otherwise paths for panics within the standard library are still included in your binary. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/move-size-limit.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/move-size-limit.md deleted file mode 100644 index 88f022af2ecf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/move-size-limit.md +++ /dev/null @@ -1,10 +0,0 @@ -# `move_size_limit` - --------------------- - -The `-Zmove-size-limit=N` compiler flag enables `large_assignments` lints which -will warn when moving objects whose size exceeds `N` bytes. - -Lint warns only about moves in functions that participate in code generation. -Consequently it will be ineffective for compiler invocatation that emit -metadata only, i.e., `cargo check` like workflows. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/no-unique-section-names.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/no-unique-section-names.md deleted file mode 100644 index 5c1c7cda7013..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/no-unique-section-names.md +++ /dev/null @@ -1,9 +0,0 @@ -# `no-unique-section-names` - ------------------------- - -This flag currently applies only to ELF-based targets using the LLVM codegen backend. It prevents the generation of unique ELF section names for each separate code and data item when `-Z function-sections` is also in use, which is the default for most targets. This option can reduce the size of object files, and depending on the linker, the final ELF binary as well. - -For example, a function `func` will by default generate a code section called `.text.func`. Normally this is fine because the linker will merge all those `.text.*` sections into a single one in the binary. However, starting with [LLVM 12](https://github.com/llvm/llvm-project/commit/ee5d1a04), the backend will also generate unique section names for exception handling, so you would see a section name of `.gcc_except_table.func` in the object file and potentially in the final ELF binary, which could add significant bloat to programs that contain many functions. - -This flag instructs LLVM to use the same `.text` and `.gcc_except_table` section name for each function, and it is analogous to Clang's `-fno-unique-section-names` option. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile.md deleted file mode 100644 index 71303bfaff20..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile.md +++ /dev/null @@ -1,27 +0,0 @@ -# `profile` - -The tracking issue for this feature is: [#42524](https://github.com/rust-lang/rust/issues/42524). - ------------------------- - -This feature allows the generation of code coverage reports. - -Set the `-Zprofile` compiler flag in order to enable gcov profiling. - -For example: -```Bash -cargo new testgcov --bin -cd testgcov -export RUSTFLAGS="-Zprofile -Ccodegen-units=1 -Copt-level=0 -Clink-dead-code -Coverflow-checks=off -Zpanic_abort_tests -Cpanic=abort" -export CARGO_INCREMENTAL=0 -cargo build -cargo run -``` - -Once you've built and run your program, files with the `gcno` (after build) and `gcda` (after execution) extensions will be created. -You can parse them with [llvm-cov gcov](https://llvm.org/docs/CommandGuide/llvm-cov.html#llvm-cov-gcov) or [grcov](https://github.com/mozilla/grcov). - -Please note that `RUSTFLAGS` by default applies to everything that cargo builds and runs during a build! -When the `--target` flag is explicitly passed to cargo, the `RUSTFLAGS` no longer apply to build scripts and procedural macros. -For more fine-grained control consider passing a `RUSTC_WRAPPER` program to cargo that only adds the profiling flags to -rustc for the specific crates you want to profile. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile_sample_use.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile_sample_use.md deleted file mode 100644 index ce894ce6ac7f..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/profile_sample_use.md +++ /dev/null @@ -1,10 +0,0 @@ -# `profile-sample-use - ---- - -`-Zprofile-sample-use=code.prof` directs `rustc` to use the profile -`code.prof` as a source for Automatic Feedback Directed Optimization (AFDO). -See the documentation of [`-Zdebug-info-for-profiling`] for more information -on using AFDO. - -[`-Zdebug-info-for-profiling`]: debug_info_for_profiling.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/remap-cwd-prefix.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/remap-cwd-prefix.md deleted file mode 100644 index 977d258529f8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/remap-cwd-prefix.md +++ /dev/null @@ -1,24 +0,0 @@ -# `remap-cwd-prefix` - -The tracking issue for this feature is: [#87325](https://github.com/rust-lang/rust/issues/87325). - ------------------------- - -This flag will rewrite absolute paths under the current working directory, -replacing the current working directory prefix with a specified value. - -The given value may be absolute or relative, or empty. This switch takes -precidence over `--remap-path-prefix` in case they would both match a given -path. - -This flag helps to produce deterministic output, by removing the current working -directory from build output, while allowing the command line to be universally -reproducible, such that the same execution will work on all machines, regardless -of build environment. - -## Example -```sh -# This would produce an absolute path to main.rs in build outputs of -# "./main.rs". -rustc -Z remap-cwd-prefix=. main.rs -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/report-time.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/report-time.md deleted file mode 100644 index ac0093f77aec..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/report-time.md +++ /dev/null @@ -1,80 +0,0 @@ -# `report-time` - -The tracking issue for this feature is: [#64888] - -[#64888]: https://github.com/rust-lang/rust/issues/64888 - ------------------------- - -The `report-time` feature adds a possibility to report execution time of the -tests generated via `libtest`. - -This is unstable feature, so you have to provide `-Zunstable-options` to get -this feature working. - -Sample usage command: - -```sh -./test_executable -Zunstable-options --report-time -``` - -Available options: - -```sh ---report-time [plain|colored] - Show execution time of each test. Available values: - plain = do not colorize the execution time (default); - colored = colorize output according to the `color` - parameter value; - Threshold values for colorized output can be - configured via - `RUST_TEST_TIME_UNIT`, `RUST_TEST_TIME_INTEGRATION` - and - `RUST_TEST_TIME_DOCTEST` environment variables. - Expected format of environment variable is - `VARIABLE=WARN_TIME,CRITICAL_TIME`. - Not available for --format=terse ---ensure-time - Treat excess of the test execution time limit as - error. - Threshold values for this option can be configured via - `RUST_TEST_TIME_UNIT`, `RUST_TEST_TIME_INTEGRATION` - and - `RUST_TEST_TIME_DOCTEST` environment variables. - Expected format of environment variable is - `VARIABLE=WARN_TIME,CRITICAL_TIME`. - `CRITICAL_TIME` here means the limit that should not be - exceeded by test. -``` - -Example of the environment variable format: - -```sh -RUST_TEST_TIME_UNIT=100,200 -``` - -where 100 stands for warn time, and 200 stands for critical time. - -## Examples - -```sh -cargo test --tests -- -Zunstable-options --report-time - Finished dev [unoptimized + debuginfo] target(s) in 0.02s - Running target/debug/deps/example-27fb188025bec02c - -running 3 tests -test tests::unit_test_quick ... ok <0.000s> -test tests::unit_test_warn ... ok <0.055s> -test tests::unit_test_critical ... ok <0.110s> - -test result: ok. 3 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out - - Running target/debug/deps/tests-cedb06f6526d15d9 - -running 3 tests -test unit_test_quick ... ok <0.000s> -test unit_test_warn ... ok <0.550s> -test unit_test_critical ... ok <1.100s> - -test result: ok. 3 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/sanitizer.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/sanitizer.md deleted file mode 100644 index d630f4ecb7b2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/sanitizer.md +++ /dev/null @@ -1,594 +0,0 @@ -# `sanitizer` - -The tracking issues for this feature are: - -* [#39699](https://github.com/rust-lang/rust/issues/39699). -* [#89653](https://github.com/rust-lang/rust/issues/89653). - ------------------------- - -This feature allows for use of one of following sanitizers: - -* [AddressSanitizer][clang-asan] a fast memory error detector. -* [ControlFlowIntegrity][clang-cfi] LLVM Control Flow Integrity (CFI) provides - forward-edge control flow protection. -* [HWAddressSanitizer][clang-hwasan] a memory error detector similar to - AddressSanitizer, but based on partial hardware assistance. -* [LeakSanitizer][clang-lsan] a run-time memory leak detector. -* [MemorySanitizer][clang-msan] a detector of uninitialized reads. -* [ThreadSanitizer][clang-tsan] a fast data race detector. - -To enable a sanitizer compile with `-Zsanitizer=address`,`-Zsanitizer=cfi`, -`-Zsanitizer=hwaddress`, `-Zsanitizer=leak`, `-Zsanitizer=memory` or -`-Zsanitizer=thread`. - -# AddressSanitizer - -AddressSanitizer is a memory error detector. It can detect the following types -of bugs: - -* Out of bound accesses to heap, stack and globals -* Use after free -* Use after return (runtime flag `ASAN_OPTIONS=detect_stack_use_after_return=1`) -* Use after scope -* Double-free, invalid free -* Memory leaks - -The memory leak detection is enabled by default on Linux, and can be enabled -with runtime flag `ASAN_OPTIONS=detect_leaks=1` on macOS. - -AddressSanitizer is supported on the following targets: - -* `aarch64-apple-darwin` -* `aarch64-fuchsia` -* `aarch64-unknown-linux-gnu` -* `x86_64-apple-darwin` -* `x86_64-fuchsia` -* `x86_64-unknown-freebsd` -* `x86_64-unknown-linux-gnu` - -AddressSanitizer works with non-instrumented code although it will impede its -ability to detect some bugs. It is not expected to produce false positive -reports. - -## Examples - -Stack buffer overflow: - -```rust -fn main() { - let xs = [0, 1, 2, 3]; - let _y = unsafe { *xs.as_ptr().offset(4) }; -} -``` - -```shell -$ export RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -==37882==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe400e6250 at pc 0x5609a841fb20 bp 0x7ffe400e6210 sp 0x7ffe400e6208 -READ of size 4 at 0x7ffe400e6250 thread T0 - #0 0x5609a841fb1f in example::main::h628ffc6626ed85b2 /.../src/main.rs:3:23 - ... - -Address 0x7ffe400e6250 is located in stack of thread T0 at offset 48 in frame - #0 0x5609a841f8af in example::main::h628ffc6626ed85b2 /.../src/main.rs:1 - - This frame has 1 object(s): - [32, 48) 'xs' (line 2) <== Memory access at offset 48 overflows this variable -HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork - (longjmp and C++ exceptions *are* supported) -SUMMARY: AddressSanitizer: stack-buffer-overflow /.../src/main.rs:3:23 in example::main::h628ffc6626ed85b2 -Shadow bytes around the buggy address: - 0x100048014bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -=>0x100048014c40: 00 00 00 00 f1 f1 f1 f1 00 00[f3]f3 00 00 00 00 - 0x100048014c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100048014c70: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00 - 0x100048014c80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 - 0x100048014c90: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc -==37882==ABORTING -``` - -Use of a stack object after its scope has already ended: - -```rust -static mut P: *mut usize = std::ptr::null_mut(); - -fn main() { - unsafe { - { - let mut x = 0; - P = &mut x; - } - std::ptr::write_volatile(P, 123); - } -} -``` - -```shell -$ export RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -================================================================= -==39249==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc7ed3e1a0 at pc 0x55c98b262a8e bp 0x7ffc7ed3e050 sp 0x7ffc7ed3e048 -WRITE of size 8 at 0x7ffc7ed3e1a0 thread T0 - #0 0x55c98b262a8d in core::ptr::write_volatile::he21f1df5a82f329a /.../src/rust/src/libcore/ptr/mod.rs:1048:5 - #1 0x55c98b262cd2 in example::main::h628ffc6626ed85b2 /.../src/main.rs:9:9 - ... - -Address 0x7ffc7ed3e1a0 is located in stack of thread T0 at offset 32 in frame - #0 0x55c98b262bdf in example::main::h628ffc6626ed85b2 /.../src/main.rs:3 - - This frame has 1 object(s): - [32, 40) 'x' (line 6) <== Memory access at offset 32 is inside this variable -HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork - (longjmp and C++ exceptions *are* supported) -SUMMARY: AddressSanitizer: stack-use-after-scope /.../src/rust/src/libcore/ptr/mod.rs:1048:5 in core::ptr::write_volatile::he21f1df5a82f329a -Shadow bytes around the buggy address: - 0x10000fd9fbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 - 0x10000fd9fc10: f8 f8 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -=>0x10000fd9fc30: f1 f1 f1 f1[f8]f3 f3 f3 00 00 00 00 00 00 00 00 - 0x10000fd9fc40: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 - 0x10000fd9fc50: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc60: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 - 0x10000fd9fc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10000fd9fc80: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc -==39249==ABORTING -``` - -# ControlFlowIntegrity - -The LLVM Control Flow Integrity (CFI) support in the Rust compiler initially -provides forward-edge control flow protection for Rust-compiled code only by -aggregating function pointers in groups identified by their number of arguments. - -Forward-edge control flow protection for C or C++ and Rust -compiled code "mixed -binaries" (i.e., for when C or C++ and Rust -compiled code share the same -virtual address space) will be provided in later work by defining and using -compatible type identifiers (see Type metadata in the design document in the -tracking issue [#89653](https://github.com/rust-lang/rust/issues/89653)). - -LLVM CFI can be enabled with -Zsanitizer=cfi and requires LTO (i.e., -Clto). - -## Example - -```text -#![feature(naked_functions)] - -use std::arch::asm; -use std::mem; - -fn add_one(x: i32) -> i32 { - x + 1 -} - -#[naked] -pub extern "C" fn add_two(x: i32) { - // x + 2 preceeded by a landing pad/nop block - unsafe { - asm!( - " - nop - nop - nop - nop - nop - nop - nop - nop - nop - lea rax, [rdi+2] - ret - ", - options(noreturn) - ); - } -} - -fn do_twice(f: fn(i32) -> i32, arg: i32) -> i32 { - f(arg) + f(arg) -} - -fn main() { - let answer = do_twice(add_one, 5); - - println!("The answer is: {}", answer); - - println!("With CFI enabled, you should not see the next answer"); - let f: fn(i32) -> i32 = unsafe { - // Offsets 0-8 make it land in the landing pad/nop block, and offsets 1-8 are - // invalid branch/call destinations (i.e., within the body of the function). - mem::transmute::<*const u8, fn(i32) -> i32>((add_two as *const u8).offset(5)) - }; - let next_answer = do_twice(f, 5); - - println!("The next answer is: {}", next_answer); -} -``` -Fig. 1. Modified example from the [Advanced Functions and -Closures][rust-book-ch19-05] chapter of the [The Rust Programming -Language][rust-book] book. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -The next answer is: 14 -$ -``` -Fig. 2. Build and execution of the modified example with LLVM CFI disabled. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc -Clto -Zsanitizer=cfi rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -Illegal instruction -$ -``` -Fig. 3. Build and execution of the modified example with LLVM CFI enabled. - -When LLVM CFI is enabled, if there are any attempts to change/hijack control -flow using an indirect branch/call to an invalid destination, the execution is -terminated (see Fig. 3). - -```rust -use std::mem; - -fn add_one(x: i32) -> i32 { - x + 1 -} - -fn add_two(x: i32, _y: i32) -> i32 { - x + 2 -} - -fn do_twice(f: fn(i32) -> i32, arg: i32) -> i32 { - f(arg) + f(arg) -} - -fn main() { - let answer = do_twice(add_one, 5); - - println!("The answer is: {}", answer); - - println!("With CFI enabled, you should not see the next answer"); - let f: fn(i32) -> i32 = - unsafe { mem::transmute::<*const u8, fn(i32) -> i32>(add_two as *const u8) }; - let next_answer = do_twice(f, 5); - - println!("The next answer is: {}", next_answer); -} -``` -Fig. 4. Another modified example from the [Advanced Functions and -Closures][rust-book-ch19-05] chapter of the [The Rust Programming -Language][rust-book] book. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -The next answer is: 14 -$ -``` -Fig. 5. Build and execution of the modified example with LLVM CFI disabled. - -[//]: # (FIXME: Replace with output from cargo using nightly when #89652 is merged) - -```shell -$ rustc -Clto -Zsanitizer=cfi rust_cfi.rs -o rust_cfi -$ ./rust_cfi -The answer is: 12 -With CFI enabled, you should not see the next answer -Illegal instruction -$ -``` -Fig. 6. Build and execution of the modified example with LLVM CFI enabled. - -When LLVM CFI is enabled, if there are any attempts to change/hijack control -flow using an indirect branch/call to a function with different number of -arguments than intended/passed in the call/branch site, the execution is also -terminated (see Fig. 6). - -Forward-edge control flow protection not only by aggregating function pointers -in groups identified by their number of arguments, but also their argument -types, will also be provided in later work by defining and using compatible type -identifiers (see Type metadata in the design document in the tracking -issue [#89653](https://github.com/rust-lang/rust/issues/89653)). - -[rust-book-ch19-05]: https://doc.rust-lang.org/book/ch19-05-advanced-functions-and-closures.html -[rust-book]: https://doc.rust-lang.org/book/title-page.html - -# HWAddressSanitizer - -HWAddressSanitizer is a newer variant of AddressSanitizer that consumes much -less memory. - -HWAddressSanitizer is supported on the following targets: - -* `aarch64-linux-android` -* `aarch64-unknown-linux-gnu` - -HWAddressSanitizer requires `tagged-globals` target feature to instrument -globals. To enable this target feature compile with `-C -target-feature=+tagged-globals` - -## Example - -Heap buffer overflow: - -```rust -fn main() { - let xs = vec![0, 1, 2, 3]; - let _y = unsafe { *xs.as_ptr().offset(4) }; -} -``` - -```shell -$ rustc main.rs -Zsanitizer=hwaddress -C target-feature=+tagged-globals -C -linker=aarch64-linux-gnu-gcc -C link-arg=-fuse-ld=lld --target -aarch64-unknown-linux-gnu -``` - -```shell -$ ./main -==241==ERROR: HWAddressSanitizer: tag-mismatch on address 0xefdeffff0050 at pc 0xaaaae0ae4a98 -READ of size 4 at 0xefdeffff0050 tags: 2c/00 (ptr/mem) in thread T0 - #0 0xaaaae0ae4a94 (/.../main+0x54a94) - ... - -[0xefdeffff0040,0xefdeffff0060) is a small allocated heap chunk; size: 32 offset: 16 -0xefdeffff0050 is located 0 bytes to the right of 16-byte region [0xefdeffff0040,0xefdeffff0050) -allocated here: - #0 0xaaaae0acb80c (/.../main+0x3b80c) - ... - -Thread: T0 0xeffe00002000 stack: [0xffffc28ad000,0xffffc30ad000) sz: 8388608 tls: [0xffffaa10a020,0xffffaa10a7d0) -Memory tags around the buggy address (one tag corresponds to 16 bytes): - 0xfefcefffef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffef90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffefe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefcefffeff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -=>0xfefceffff000: d7 d7 05 00 2c [00] 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0xfefceffff080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -Tags for short granules around the buggy address (one tag corresponds to 16 bytes): - 0xfefcefffeff0: .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. -=>0xfefceffff000: .. .. 8c .. .. [..] .. .. .. .. .. .. .. .. .. .. - 0xfefceffff010: .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. -See https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html#short-granules for a description of short granule tags -Registers where the failure occurred (pc 0xaaaae0ae4a98): - x0 2c00efdeffff0050 x1 0000000000000004 x2 0000000000000004 x3 0000000000000000 - x4 0000fffefc30ac37 x5 000000000000005d x6 00000ffffc30ac37 x7 0000efff00000000 - x8 2c00efdeffff0050 x9 0200efff00000000 x10 0000000000000000 x11 0200efff00000000 - x12 0200effe00000310 x13 0200effe00000310 x14 0000000000000008 x15 5d00ffffc30ac360 - x16 0000aaaae0ad062c x17 0000000000000003 x18 0000000000000001 x19 0000ffffc30ac658 - x20 4e00ffffc30ac6e0 x21 0000aaaae0ac5e10 x22 0000000000000000 x23 0000000000000000 - x24 0000000000000000 x25 0000000000000000 x26 0000000000000000 x27 0000000000000000 - x28 0000000000000000 x29 0000ffffc30ac5a0 x30 0000aaaae0ae4a98 -SUMMARY: HWAddressSanitizer: tag-mismatch (/.../main+0x54a94) -``` - -# LeakSanitizer - -LeakSanitizer is run-time memory leak detector. - -LeakSanitizer is supported on the following targets: - -* `aarch64-apple-darwin` -* `aarch64-unknown-linux-gnu` -* `x86_64-apple-darwin` -* `x86_64-unknown-linux-gnu` - -# MemorySanitizer - -MemorySanitizer is detector of uninitialized reads. - -MemorySanitizer is supported on the following targets: - -* `aarch64-unknown-linux-gnu` -* `x86_64-unknown-freebsd` -* `x86_64-unknown-linux-gnu` - -MemorySanitizer requires all program code to be instrumented. C/C++ dependencies -need to be recompiled using Clang with `-fsanitize=memory` option. Failing to -achieve that will result in false positive reports. - -## Example - -Detecting the use of uninitialized memory. The `-Zbuild-std` flag rebuilds and -instruments the standard library, and is strictly necessary for the correct -operation of the tool. The `-Zsanitizer-memory-track-origins` enables tracking -of the origins of uninitialized memory: - -```rust -use std::mem::MaybeUninit; - -fn main() { - unsafe { - let a = MaybeUninit::<[usize; 4]>::uninit(); - let a = a.assume_init(); - println!("{}", a[2]); - } -} -``` - -```shell -$ export \ - RUSTFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' \ - RUSTDOCFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' -$ cargo clean -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -==9416==WARNING: MemorySanitizer: use-of-uninitialized-value - #0 0x560c04f7488a in core::fmt::num::imp::fmt_u64::haa293b0b098501ca $RUST/build/x86_64-unknown-linux-gnu/stage1/lib/rustlib/src/rust/src/libcore/fmt/num.rs:202:16 -... - Uninitialized value was stored to memory at - #0 0x560c04ae898a in __msan_memcpy.part.0 $RUST/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cc:1558:3 - #1 0x560c04b2bf88 in memory::main::hd2333c1899d997f5 $CWD/src/main.rs:6:16 - - Uninitialized value was created by an allocation of 'a' in the stack frame of function '_ZN6memory4main17hd2333c1899d997f5E' - #0 0x560c04b2bc50 in memory::main::hd2333c1899d997f5 $CWD/src/main.rs:3 -``` - -# ThreadSanitizer - -ThreadSanitizer is a data race detection tool. It is supported on the following -targets: - -* `aarch64-apple-darwin` -* `aarch64-unknown-linux-gnu` -* `x86_64-apple-darwin` -* `x86_64-unknown-freebsd` -* `x86_64-unknown-linux-gnu` - -To work correctly ThreadSanitizer needs to be "aware" of all synchronization -operations in a program. It generally achieves that through combination of -library interception (for example synchronization performed through -`pthread_mutex_lock` / `pthread_mutex_unlock`) and compile time instrumentation -(e.g. atomic operations). Using it without instrumenting all the program code -can lead to false positive reports. - -ThreadSanitizer does not support atomic fences `std::sync::atomic::fence`, -nor synchronization performed using inline assembly code. - -## Example - -```rust -static mut A: usize = 0; - -fn main() { - let t = std::thread::spawn(|| { - unsafe { A += 1 }; - }); - unsafe { A += 1 }; - - t.join().unwrap(); -} -``` - -```shell -$ export RUSTFLAGS=-Zsanitizer=thread RUSTDOCFLAGS=-Zsanitizer=thread -$ cargo run -Zbuild-std --target x86_64-unknown-linux-gnu -================== -WARNING: ThreadSanitizer: data race (pid=10574) - Read of size 8 at 0x5632dfe3d030 by thread T1: - #0 example::main::_$u7b$$u7b$closure$u7d$$u7d$::h23f64b0b2f8c9484 ../src/main.rs:5:18 (example+0x86cec) - ... - - Previous write of size 8 at 0x5632dfe3d030 by main thread: - #0 example::main::h628ffc6626ed85b2 /.../src/main.rs:7:14 (example+0x868c8) - ... - #11 main (example+0x86a1a) - - Location is global 'example::A::h43ac149ddf992709' of size 8 at 0x5632dfe3d030 (example+0x000000bd9030) -``` - -# Instrumentation of external dependencies and std - -The sanitizers to varying degrees work correctly with partially instrumented -code. On the one extreme is LeakSanitizer that doesn't use any compile time -instrumentation, on the other is MemorySanitizer that requires that all program -code to be instrumented (failing to achieve that will inevitably result in -false positives). - -It is strongly recommended to combine sanitizers with recompiled and -instrumented standard library, for example using [cargo `-Zbuild-std` -functionality][build-std]. - -[build-std]: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#build-std - -# Build scripts and procedural macros - -Use of sanitizers together with build scripts and procedural macros is -technically possible, but in almost all cases it would be best avoided. This -is especially true for procedural macros which would require an instrumented -version of rustc. - -In more practical terms when using cargo always remember to pass `--target` -flag, so that rustflags will not be applied to build scripts and procedural -macros. - -# Symbolizing the Reports - -Sanitizers produce symbolized stacktraces when llvm-symbolizer binary is in `PATH`. - -# Additional Information - -* [Sanitizers project page](https://github.com/google/sanitizers/wiki/) -* [AddressSanitizer in Clang][clang-asan] -* [ControlFlowIntegrity in Clang][clang-cfi] -* [HWAddressSanitizer in Clang][clang-hwasan] -* [LeakSanitizer in Clang][clang-lsan] -* [MemorySanitizer in Clang][clang-msan] -* [ThreadSanitizer in Clang][clang-tsan] - -[clang-asan]: https://clang.llvm.org/docs/AddressSanitizer.html -[clang-cfi]: https://clang.llvm.org/docs/ControlFlowIntegrity.html -[clang-hwasan]: https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html -[clang-lsan]: https://clang.llvm.org/docs/LeakSanitizer.html -[clang-msan]: https://clang.llvm.org/docs/MemorySanitizer.html -[clang-tsan]: https://clang.llvm.org/docs/ThreadSanitizer.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile-events.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile-events.md deleted file mode 100644 index 3ce18743be50..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile-events.md +++ /dev/null @@ -1,74 +0,0 @@ -# `self-profile-events` - ---------------------- - -The `-Zself-profile-events` compiler flag controls what events are recorded by the self-profiler when it is enabled via the `-Zself-profile` flag. - -This flag takes a comma delimited list of event types to record. - -For example: - -```console -$ rustc -Zself-profile -Zself-profile-events=default,args -``` - -## Event types - -- `query-provider` - - Traces each query used internally by the compiler. - -- `generic-activity` - - Traces other parts of the compiler not covered by the query system. - -- `query-cache-hit` - - Adds tracing information that records when the in-memory query cache is "hit" and does not need to re-execute a query which has been cached. - - Disabled by default because this significantly increases the trace file size. - -- `query-blocked` - - Tracks time that a query tries to run but is blocked waiting on another thread executing the same query to finish executing. - - Query blocking only occurs when the compiler is built with parallel mode support. - -- `incr-cache-load` - - Tracks time that is spent loading and deserializing query results from the incremental compilation on-disk cache. - -- `query-keys` - - Adds a serialized representation of each query's query key to the tracing data. - - Disabled by default because this significantly increases the trace file size. - -- `function-args` - - Adds additional tracing data to some `generic-activity` events. - - Disabled by default for parity with `query-keys`. - -- `llvm` - - Adds tracing information about LLVM passes and codegeneration. - - Disabled by default because this only works when `-Znew-llvm-pass-manager` is enabled. - -## Event synonyms - -- `none` - - Disables all events. - Equivalent to the self-profiler being disabled. - -- `default` - - The default set of events which stikes a balance between providing detailed tracing data and adding additional overhead to the compilation. - -- `args` - - Equivalent to `query-keys` and `function-args`. - -- `all` - - Enables all events. - -## Examples - -Enable the profiler and capture the default set of events (both invocations are equivalent): - -```console -$ rustc -Zself-profile -$ rustc -Zself-profile -Zself-profile-events=default -``` - -Enable the profiler and capture the default events and their arguments: - -```console -$ rustc -Zself-profile -Zself-profile-events=default,args -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile.md deleted file mode 100644 index 7305141a4271..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/self-profile.md +++ /dev/null @@ -1,47 +0,0 @@ -# `self-profile` - --------------------- - -The `-Zself-profile` compiler flag enables rustc's internal profiler. -When enabled, the compiler will output three binary files in the specified directory (or the current working directory if no directory is specified). -These files can be analyzed by using the tools in the [`measureme`] repository. - -To control the data recorded in the trace files, use the `-Zself-profile-events` flag. - -For example: - -First, run a compilation session and provide the `-Zself-profile` flag: - -```console -$ rustc --crate-name foo -Zself-profile -``` - -This will generate three files in the working directory such as: - -- `foo-1234.events` -- `foo-1234.string_data` -- `foo-1234.string_index` - -Where `foo` is the name of the crate and `1234` is the process id of the rustc process. - -To get a summary of where the compiler is spending its time: - -```console -$ ../measureme/target/release/summarize summarize foo-1234 -``` - -To generate a flamegraph of the same data: - -```console -$ ../measureme/target/release/inferno foo-1234 -``` - -To dump the event data in a Chromium-profiler compatible format: - -```console -$ ../measureme/target/release/crox foo-1234 -``` - -For more information, consult the [`measureme`] documentation. - -[`measureme`]: https://github.com/rust-lang/measureme.git diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/source-based-code-coverage.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/source-based-code-coverage.md deleted file mode 100644 index cb65978e0a07..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/source-based-code-coverage.md +++ /dev/null @@ -1,5 +0,0 @@ -# `source-based-code-coverage` - -See compiler flag [`-Z instrument-coverage`]. - -[`-z instrument-coverage`]: ./instrument-coverage.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/src-hash-algorithm.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/src-hash-algorithm.md deleted file mode 100644 index ff776741b212..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/src-hash-algorithm.md +++ /dev/null @@ -1,11 +0,0 @@ -# `src-hash-algorithm` - -The tracking issue for this feature is: [#70401](https://github.com/rust-lang/rust/issues/70401). - ------------------------- - -The `-Z src-hash-algorithm` compiler flag controls which algorithm is used when hashing each source file. The hash is stored in the debug info and can be used by a debugger to verify the source code matches the executable. - -Supported hash algorithms are: `md5`, `sha1`, and `sha256`. Note that not all hash algorithms are supported by all debug info formats. - -By default, the compiler chooses the hash algorithm based on the target specification. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/temps-dir.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/temps-dir.md deleted file mode 100644 index e25011f71197..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/temps-dir.md +++ /dev/null @@ -1,10 +0,0 @@ -# `temps-dir` - --------------------- - -The `-Ztemps-dir` compiler flag specifies the directory to write the -intermediate files in. If not set, the output directory is used. This option is -useful if you are running more than one instance of `rustc` (e.g. with different -`--crate-type` settings), and you need to make sure they are not overwriting -each other's intermediate files. No files are kept unless `-C save-temps=yes` is -also set. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/tls-model.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/tls-model.md deleted file mode 100644 index 8b19e785c6a5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/tls-model.md +++ /dev/null @@ -1,25 +0,0 @@ -# `tls_model` - -The tracking issue for this feature is: None. - ------------------------- - -Option `-Z tls-model` controls [TLS model](https://www.akkadia.org/drepper/tls.pdf) used to -generate code for accessing `#[thread_local]` `static` items. - -Supported values for this option are: - -- `global-dynamic` - General Dynamic TLS Model (alternatively called Global Dynamic) is the most -general option usable in all circumstances, even if the TLS data is defined in a shared library -loaded at runtime and is accessed from code outside of that library. -This is the default for most targets. -- `local-dynamic` - model usable if the TLS data is only accessed from the shared library or -executable it is defined in. The TLS data may be in a library loaded after startup (via `dlopen`). -- `initial-exec` - model usable if the TLS data is defined in the executable or in a shared library -loaded at program startup. -The TLS data must not be in a library loaded after startup (via `dlopen`). -- `local-exec` - model usable only if the TLS data is defined directly in the executable, -but not in a shared library, and is accessed only from that executable. - -`rustc` and LLVM may use a more optimized model than specified if they know that we are producing -an executable rather than a library, or that the `static` item is private enough. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/unsound-mir-opts.md b/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/unsound-mir-opts.md deleted file mode 100644 index 8e46e227c25b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/compiler-flags/unsound-mir-opts.md +++ /dev/null @@ -1,8 +0,0 @@ -# `unsound-mir-opts` - --------------------- - -The `-Zunsound-mir-opts` compiler flag enables [MIR optimization passes] which can cause unsound behavior. -This flag should only be used by MIR optimization tests in the rustc test suite. - -[MIR optimization passes]: https://rustc-dev-guide.rust-lang.org/mir/optimizations.html diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features.md deleted file mode 100644 index a27514df97d6..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features.md +++ /dev/null @@ -1 +0,0 @@ -# Language features diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-c-cmse-nonsecure-call.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-c-cmse-nonsecure-call.md deleted file mode 100644 index 79a177cb28b1..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-c-cmse-nonsecure-call.md +++ /dev/null @@ -1,88 +0,0 @@ -# `abi_c_cmse_nonsecure_call` - -The tracking issue for this feature is: [#81391] - -[#81391]: https://github.com/rust-lang/rust/issues/81391 - ------------------------- - -The [TrustZone-M -feature](https://developer.arm.com/documentation/100690/latest/) is available -for targets with the Armv8-M architecture profile (`thumbv8m` in their target -name). -LLVM, the Rust compiler and the linker are providing -[support](https://developer.arm.com/documentation/ecm0359818/latest/) for the -TrustZone-M feature. - -One of the things provided, with this unstable feature, is the -`C-cmse-nonsecure-call` function ABI. This ABI is used on function pointers to -non-secure code to mark a non-secure function call (see [section -5.5](https://developer.arm.com/documentation/ecm0359818/latest/) for details). - -With this ABI, the compiler will do the following to perform the call: -* save registers needed after the call to Secure memory -* clear all registers that might contain confidential information -* clear the Least Significant Bit of the function address -* branches using the BLXNS instruction - -To avoid using the non-secure stack, the compiler will constrain the number and -type of parameters/return value. - -The `extern "C-cmse-nonsecure-call"` ABI is otherwise equivalent to the -`extern "C"` ABI. - - - -``` rust,ignore -#![no_std] -#![feature(abi_c_cmse_nonsecure_call)] - -#[no_mangle] -pub fn call_nonsecure_function(addr: usize) -> u32 { - let non_secure_function = - unsafe { core::mem::transmute:: u32>(addr) }; - non_secure_function() -} -``` - -``` text -$ rustc --emit asm --crate-type lib --target thumbv8m.main-none-eabi function.rs - -call_nonsecure_function: - .fnstart - .save {r7, lr} - push {r7, lr} - .setfp r7, sp - mov r7, sp - .pad #16 - sub sp, #16 - str r0, [sp, #12] - ldr r0, [sp, #12] - str r0, [sp, #8] - b .LBB0_1 -.LBB0_1: - ldr r0, [sp, #8] - push.w {r4, r5, r6, r7, r8, r9, r10, r11} - bic r0, r0, #1 - mov r1, r0 - mov r2, r0 - mov r3, r0 - mov r4, r0 - mov r5, r0 - mov r6, r0 - mov r7, r0 - mov r8, r0 - mov r9, r0 - mov r10, r0 - mov r11, r0 - mov r12, r0 - msr apsr_nzcvq, r0 - blxns r0 - pop.w {r4, r5, r6, r7, r8, r9, r10, r11} - str r0, [sp, #4] - b .LBB0_2 -.LBB0_2: - ldr r0, [sp, #4] - add sp, #16 - pop {r7, pc} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-msp430-interrupt.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-msp430-interrupt.md deleted file mode 100644 index b10bc41cb143..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-msp430-interrupt.md +++ /dev/null @@ -1,42 +0,0 @@ -# `abi_msp430_interrupt` - -The tracking issue for this feature is: [#38487] - -[#38487]: https://github.com/rust-lang/rust/issues/38487 - ------------------------- - -In the MSP430 architecture, interrupt handlers have a special calling -convention. You can use the `"msp430-interrupt"` ABI to make the compiler apply -the right calling convention to the interrupt handlers you define. - - - -``` rust,ignore -#![feature(abi_msp430_interrupt)] -#![no_std] - -// Place the interrupt handler at the appropriate memory address -// (Alternatively, you can use `#[used]` and remove `pub` and `#[no_mangle]`) -#[link_section = "__interrupt_vector_10"] -#[no_mangle] -pub static TIM0_VECTOR: extern "msp430-interrupt" fn() = tim0; - -// The interrupt handler -extern "msp430-interrupt" fn tim0() { - // .. -} -``` - -``` text -$ msp430-elf-objdump -CD ./target/msp430/release/app -Disassembly of section __interrupt_vector_10: - -0000fff2 : - fff2: 00 c0 interrupt service routine at 0xc000 - -Disassembly of section .text: - -0000c000 : - c000: 00 13 reti -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-ptx.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-ptx.md deleted file mode 100644 index 0ded3ceeaef2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-ptx.md +++ /dev/null @@ -1,60 +0,0 @@ -# `abi_ptx` - -The tracking issue for this feature is: [#38788] - -[#38788]: https://github.com/rust-lang/rust/issues/38788 - ------------------------- - -When emitting PTX code, all vanilla Rust functions (`fn`) get translated to -"device" functions. These functions are *not* callable from the host via the -CUDA API so a crate with only device functions is not too useful! - -OTOH, "global" functions *can* be called by the host; you can think of them -as the real public API of your crate. To produce a global function use the -`"ptx-kernel"` ABI. - - - -``` rust,ignore -#![feature(abi_ptx)] -#![no_std] - -pub unsafe extern "ptx-kernel" fn global_function() { - device_function(); -} - -pub fn device_function() { - // .. -} -``` - -``` text -$ xargo rustc --target nvptx64-nvidia-cuda --release -- --emit=asm - -$ cat $(find -name '*.s') -// -// Generated by LLVM NVPTX Back-End -// - -.version 3.2 -.target sm_20 -.address_size 64 - - // .globl _ZN6kernel15global_function17h46111ebe6516b382E - -.visible .entry _ZN6kernel15global_function17h46111ebe6516b382E() -{ - - - ret; -} - - // .globl _ZN6kernel15device_function17hd6a0e4993bbf3f78E -.visible .func _ZN6kernel15device_function17hd6a0e4993bbf3f78E() -{ - - - ret; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-thiscall.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-thiscall.md deleted file mode 100644 index 73bc6eacf42c..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/abi-thiscall.md +++ /dev/null @@ -1,12 +0,0 @@ -# `abi_thiscall` - -The tracking issue for this feature is: [#42202] - -[#42202]: https://github.com/rust-lang/rust/issues/42202 - ------------------------- - -The MSVC ABI on x86 Windows uses the `thiscall` calling convention for C++ -instance methods by default; it is identical to the usual (C) calling -convention on x86 Windows except that the first parameter of the method, -the `this` pointer, is passed in the ECX register. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/allocator-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/allocator-internals.md deleted file mode 100644 index 2023d758fe3d..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/allocator-internals.md +++ /dev/null @@ -1,7 +0,0 @@ -# `allocator_internals` - -This feature does not have a tracking issue, it is an unstable implementation -detail of the `global_allocator` feature not intended for use outside the -compiler. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/arbitrary-enum-discriminant.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/arbitrary-enum-discriminant.md deleted file mode 100644 index e0bb782270e2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/arbitrary-enum-discriminant.md +++ /dev/null @@ -1,37 +0,0 @@ -# `arbitrary_enum_discriminant` - -The tracking issue for this feature is: [#60553] - -[#60553]: https://github.com/rust-lang/rust/issues/60553 - ------------------------- - -The `arbitrary_enum_discriminant` feature permits tuple-like and -struct-like enum variants with `#[repr()]` to have explicit discriminants. - -## Examples - -```rust -#![feature(arbitrary_enum_discriminant)] - -#[allow(dead_code)] -#[repr(u8)] -enum Enum { - Unit = 3, - Tuple(u16) = 2, - Struct { - a: u8, - b: u16, - } = 1, -} - -impl Enum { - fn tag(&self) -> u8 { - unsafe { *(self as *const Self as *const u8) } - } -} - -assert_eq!(3, Enum::Unit.tag()); -assert_eq!(2, Enum::Tuple(5).tag()); -assert_eq!(1, Enum::Struct{a: 7, b: 11}.tag()); -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-const.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-const.md deleted file mode 100644 index 1063c23b6dfb..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-const.md +++ /dev/null @@ -1,11 +0,0 @@ -# `asm_const` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature adds a `const ` operand type to `asm!` and `global_asm!`. -- `` must be an integer constant expression. -- The value of the expression is formatted as a string and substituted directly into the asm template string. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-experimental-arch.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-experimental-arch.md deleted file mode 100644 index ec97eaa8b2b5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-experimental-arch.md +++ /dev/null @@ -1,117 +0,0 @@ -# `asm_experimental_arch` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature tracks `asm!` and `global_asm!` support for the following architectures: -- NVPTX -- PowerPC -- Hexagon -- MIPS32r2 and MIPS64r2 -- wasm32 -- BPF -- SPIR-V -- AVR - -## Register classes - -| Architecture | Register class | Registers | LLVM constraint code | -| ------------ | -------------- | ---------------------------------- | -------------------- | -| MIPS | `reg` | `$[2-25]` | `r` | -| MIPS | `freg` | `$f[0-31]` | `f` | -| NVPTX | `reg16` | None\* | `h` | -| NVPTX | `reg32` | None\* | `r` | -| NVPTX | `reg64` | None\* | `l` | -| Hexagon | `reg` | `r[0-28]` | `r` | -| PowerPC | `reg` | `r[0-31]` | `r` | -| PowerPC | `reg_nonzero` | `r[1-31]` | `b` | -| PowerPC | `freg` | `f[0-31]` | `f` | -| PowerPC | `cr` | `cr[0-7]`, `cr` | Only clobbers | -| PowerPC | `xer` | `xer` | Only clobbers | -| wasm32 | `local` | None\* | `r` | -| BPF | `reg` | `r[0-10]` | `r` | -| BPF | `wreg` | `w[0-10]` | `w` | -| AVR | `reg` | `r[2-25]`, `XH`, `XL`, `ZH`, `ZL` | `r` | -| AVR | `reg_upper` | `r[16-25]`, `XH`, `XL`, `ZH`, `ZL` | `d` | -| AVR | `reg_pair` | `r3r2` .. `r25r24`, `X`, `Z` | `r` | -| AVR | `reg_iw` | `r25r24`, `X`, `Z` | `w` | -| AVR | `reg_ptr` | `X`, `Z` | `e` | - -> **Notes**: -> - NVPTX doesn't have a fixed register set, so named registers are not supported. -> -> - WebAssembly doesn't have registers, so named registers are not supported. - -# Register class supported types - -| Architecture | Register class | Target feature | Allowed types | -| ------------ | ------------------------------- | -------------- | --------------------------------------- | -| MIPS32 | `reg` | None | `i8`, `i16`, `i32`, `f32` | -| MIPS32 | `freg` | None | `f32`, `f64` | -| MIPS64 | `reg` | None | `i8`, `i16`, `i32`, `i64`, `f32`, `f64` | -| MIPS64 | `freg` | None | `f32`, `f64` | -| NVPTX | `reg16` | None | `i8`, `i16` | -| NVPTX | `reg32` | None | `i8`, `i16`, `i32`, `f32` | -| NVPTX | `reg64` | None | `i8`, `i16`, `i32`, `f32`, `i64`, `f64` | -| Hexagon | `reg` | None | `i8`, `i16`, `i32`, `f32` | -| PowerPC | `reg` | None | `i8`, `i16`, `i32` | -| PowerPC | `reg_nonzero` | None | `i8`, `i16`, `i32` | -| PowerPC | `freg` | None | `f32`, `f64` | -| PowerPC | `cr` | N/A | Only clobbers | -| PowerPC | `xer` | N/A | Only clobbers | -| wasm32 | `local` | None | `i8` `i16` `i32` `i64` `f32` `f64` | -| BPF | `reg` | None | `i8` `i16` `i32` `i64` | -| BPF | `wreg` | `alu32` | `i8` `i16` `i32` | -| AVR | `reg`, `reg_upper` | None | `i8` | -| AVR | `reg_pair`, `reg_iw`, `reg_ptr` | None | `i16` | - -## Register aliases - -| Architecture | Base register | Aliases | -| ------------ | ------------- | --------- | -| Hexagon | `r29` | `sp` | -| Hexagon | `r30` | `fr` | -| Hexagon | `r31` | `lr` | -| BPF | `r[0-10]` | `w[0-10]` | -| AVR | `XH` | `r27` | -| AVR | `XL` | `r26` | -| AVR | `ZH` | `r31` | -| AVR | `ZL` | `r30` | - -## Unsupported registers - -| Architecture | Unsupported register | Reason | -| ------------ | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| All | `sp` | The stack pointer must be restored to its original value at the end of an asm code block. | -| All | `fr` (Hexagon), `$fp` (MIPS), `Y` (AVR) | The frame pointer cannot be used as an input or output. | -| All | `r19` (Hexagon) | This is used internally by LLVM as a "base pointer" for functions with complex stack frames. | -| MIPS | `$0` or `$zero` | This is a constant zero register which can't be modified. | -| MIPS | `$1` or `$at` | Reserved for assembler. | -| MIPS | `$26`/`$k0`, `$27`/`$k1` | OS-reserved registers. | -| MIPS | `$28`/`$gp` | Global pointer cannot be used as inputs or outputs. | -| MIPS | `$ra` | Return address cannot be used as inputs or outputs. | -| Hexagon | `lr` | This is the link register which cannot be used as an input or output. | -| AVR | `r0`, `r1`, `r1r0` | Due to an issue in LLVM, the `r0` and `r1` registers cannot be used as inputs or outputs. If modified, they must be restored to their original values before the end of the block. | - -## Template modifiers - -| Architecture | Register class | Modifier | Example output | LLVM modifier | -| ------------ | -------------- | -------- | -------------- | ------------- | -| MIPS | `reg` | None | `$2` | None | -| MIPS | `freg` | None | `$f0` | None | -| NVPTX | `reg16` | None | `rs0` | None | -| NVPTX | `reg32` | None | `r0` | None | -| NVPTX | `reg64` | None | `rd0` | None | -| Hexagon | `reg` | None | `r0` | None | -| PowerPC | `reg` | None | `0` | None | -| PowerPC | `reg_nonzero` | None | `3` | `b` | -| PowerPC | `freg` | None | `0` | None | - -# Flags covered by `preserves_flags` - -These flags registers must be restored upon exiting the asm block if the `preserves_flags` option is set: -- AVR - - The status register `SREG`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-sym.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-sym.md deleted file mode 100644 index 7544e20807e9..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-sym.md +++ /dev/null @@ -1,13 +0,0 @@ -# `asm_sym` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature adds a `sym ` operand type to `asm!` and `global_asm!`. -- `` must refer to a `fn` or `static`. -- A mangled symbol name referring to the item is substituted into the asm template string. -- The substituted string does not include any modifiers (e.g. GOT, PLT, relocations, etc). -- `` is allowed to point to a `#[thread_local]` static, in which case the asm code can combine the symbol with relocations (e.g. `@plt`, `@TPOFF`) to read from thread-local data. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-unwind.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-unwind.md deleted file mode 100644 index 414193fe8017..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/asm-unwind.md +++ /dev/null @@ -1,9 +0,0 @@ -# `asm_unwind` - -The tracking issue for this feature is: [#72016] - -[#72016]: https://github.com/rust-lang/rust/issues/72016 - ------------------------- - -This feature adds a `may_unwind` option to `asm!` which allows an `asm` block to unwind stack and be part of the stack unwinding process. This option is only supported by the LLVM backend right now. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/auto-traits.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/auto-traits.md deleted file mode 100644 index f967c11fc4d0..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/auto-traits.md +++ /dev/null @@ -1,106 +0,0 @@ -# `auto_traits` - -The tracking issue for this feature is [#13231] - -[#13231]: https://github.com/rust-lang/rust/issues/13231 - ----- - -The `auto_traits` feature gate allows you to define auto traits. - -Auto traits, like [`Send`] or [`Sync`] in the standard library, are marker traits -that are automatically implemented for every type, unless the type, or a type it contains, -has explicitly opted out via a negative impl. (Negative impls are separately controlled -by the `negative_impls` feature.) - -[`Send`]: https://doc.rust-lang.org/std/marker/trait.Send.html -[`Sync`]: https://doc.rust-lang.org/std/marker/trait.Sync.html - -```rust,ignore (partial-example) -impl !Trait for Type {} -``` - -Example: - -```rust -#![feature(negative_impls)] -#![feature(auto_traits)] - -auto trait Valid {} - -struct True; -struct False; - -impl !Valid for False {} - -struct MaybeValid(T); - -fn must_be_valid(_t: T) { } - -fn main() { - // works - must_be_valid( MaybeValid(True) ); - - // compiler error - trait bound not satisfied - // must_be_valid( MaybeValid(False) ); -} -``` - -## Automatic trait implementations - -When a type is declared as an `auto trait`, we will automatically -create impls for every struct/enum/union, unless an explicit impl is -provided. These automatic impls contain a where clause for each field -of the form `T: AutoTrait`, where `T` is the type of the field and -`AutoTrait` is the auto trait in question. As an example, consider the -struct `List` and the auto trait `Send`: - -```rust -struct List { - data: T, - next: Option>>, -} -``` - -Presuming that there is no explicit impl of `Send` for `List`, the -compiler will supply an automatic impl of the form: - -```rust -struct List { - data: T, - next: Option>>, -} - -unsafe impl Send for List -where - T: Send, // from the field `data` - Option>>: Send, // from the field `next` -{ } -``` - -Explicit impls may be either positive or negative. They take the form: - -```rust,ignore (partial-example) -impl<...> AutoTrait for StructName<..> { } -impl<...> !AutoTrait for StructName<..> { } -``` - -## Coinduction: Auto traits permit cyclic matching - -Unlike ordinary trait matching, auto traits are **coinductive**. This -means, in short, that cycles which occur in trait matching are -considered ok. As an example, consider the recursive struct `List` -introduced in the previous section. In attempting to determine whether -`List: Send`, we would wind up in a cycle: to apply the impl, we must -show that `Option>: Send`, which will in turn require -`Box: Send` and then finally `List: Send` again. Under ordinary -trait matching, this cycle would be an error, but for an auto trait it -is considered a successful match. - -## Items - -Auto traits cannot have any trait items, such as methods or associated types. This ensures that we can generate default implementations. - -## Supertraits - -Auto traits cannot have supertraits. This is for soundness reasons, as the interaction of coinduction with implied bounds is difficult to reconcile. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-patterns.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-patterns.md deleted file mode 100644 index bf0819ec920b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-patterns.md +++ /dev/null @@ -1,32 +0,0 @@ -# `box_patterns` - -The tracking issue for this feature is: [#29641] - -[#29641]: https://github.com/rust-lang/rust/issues/29641 - -See also [`box_syntax`](box-syntax.md) - ------------------------- - -Box patterns let you match on `Box`s: - - -```rust -#![feature(box_patterns)] - -fn main() { - let b = Some(Box::new(5)); - match b { - Some(box n) if n < 0 => { - println!("Box contains negative number {}", n); - }, - Some(box n) if n >= 0 => { - println!("Box contains non-negative number {}", n); - }, - None => { - println!("No box"); - }, - _ => unreachable!() - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-syntax.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-syntax.md deleted file mode 100644 index 9569974d22ca..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/box-syntax.md +++ /dev/null @@ -1,22 +0,0 @@ -# `box_syntax` - -The tracking issue for this feature is: [#49733] - -[#49733]: https://github.com/rust-lang/rust/issues/49733 - -See also [`box_patterns`](box-patterns.md) - ------------------------- - -Currently the only stable way to create a `Box` is via the `Box::new` method. -Also it is not possible in stable Rust to destructure a `Box` in a match -pattern. The unstable `box` keyword can be used to create a `Box`. An example -usage would be: - -```rust -#![feature(box_syntax)] - -fn main() { - let b = box 5; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-unwind.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-unwind.md deleted file mode 100644 index 2801d9b5e777..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-unwind.md +++ /dev/null @@ -1,15 +0,0 @@ -# `c_unwind` - -The tracking issue for this feature is: [#74990] - -[#74990]: https://github.com/rust-lang/rust/issues/74990 - ------------------------- - -Introduces four new ABI strings: "C-unwind", "stdcall-unwind", -"thiscall-unwind", and "system-unwind". These enable unwinding from other -languages (such as C++) into Rust frames and from Rust into other languages. - -See [RFC 2945] for more information. - -[RFC 2945]: https://github.com/rust-lang/rfcs/blob/master/text/2945-c-unwind-abi.md diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-variadic.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-variadic.md deleted file mode 100644 index 9e7968d906fb..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/c-variadic.md +++ /dev/null @@ -1,24 +0,0 @@ -# `c_variadic` - -The tracking issue for this feature is: [#44930] - -[#44930]: https://github.com/rust-lang/rust/issues/44930 - ------------------------- - -The `c_variadic` language feature enables C-variadic functions to be -defined in Rust. The may be called both from within Rust and via FFI. - -## Examples - -```rust -#![feature(c_variadic)] - -pub unsafe extern "C" fn add(n: usize, mut args: ...) -> usize { - let mut sum = 0; - for _ in 0..n { - sum += args.arg::(); - } - sum -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-panic.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-panic.md deleted file mode 100644 index f5b73128ad6c..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-panic.md +++ /dev/null @@ -1,38 +0,0 @@ -# `cfg_panic` - -The tracking issue for this feature is: [#77443] - -[#77443]: https://github.com/rust-lang/rust/issues/77443 - ------------------------- - -The `cfg_panic` feature makes it possible to execute different code -depending on the panic strategy. - -Possible values at the moment are `"unwind"` or `"abort"`, although -it is possible that new panic strategies may be added to Rust in the -future. - -## Examples - -```rust -#![feature(cfg_panic)] - -#[cfg(panic = "unwind")] -fn a() { - // ... -} - -#[cfg(not(panic = "unwind"))] -fn a() { - // ... -} - -fn b() { - if cfg!(panic = "abort") { - // ... - } else { - // ... - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-sanitize.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-sanitize.md deleted file mode 100644 index 3442abf46df8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-sanitize.md +++ /dev/null @@ -1,34 +0,0 @@ -# `cfg_sanitize` - -The tracking issue for this feature is: [#39699] - -[#39699]: https://github.com/rust-lang/rust/issues/39699 - ------------------------- - -The `cfg_sanitize` feature makes it possible to execute different code -depending on whether a particular sanitizer is enabled or not. - -## Examples - -```rust -#![feature(cfg_sanitize)] - -#[cfg(sanitize = "thread")] -fn a() { - // ... -} - -#[cfg(not(sanitize = "thread"))] -fn a() { - // ... -} - -fn b() { - if cfg!(sanitize = "leak") { - // ... - } else { - // ... - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-version.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-version.md deleted file mode 100644 index a6ec42cecba8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cfg-version.md +++ /dev/null @@ -1,35 +0,0 @@ -# `cfg_version` - -The tracking issue for this feature is: [#64796] - -[#64796]: https://github.com/rust-lang/rust/issues/64796 - ------------------------- - -The `cfg_version` feature makes it possible to execute different code -depending on the compiler version. It will return true if the compiler -version is greater than or equal to the specified version. - -## Examples - -```rust -#![feature(cfg_version)] - -#[cfg(version("1.42"))] // 1.42 and above -fn a() { - // ... -} - -#[cfg(not(version("1.42")))] // 1.41 and below -fn a() { - // ... -} - -fn b() { - if cfg!(version("1.42")) { - // ... - } else { - // ... - } -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/closure-track-caller.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/closure-track-caller.md deleted file mode 100644 index c948810d3e5a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/closure-track-caller.md +++ /dev/null @@ -1,12 +0,0 @@ -# `closure_track_caller` - -The tracking issue for this feature is: [#87417] - -[#87417]: https://github.com/rust-lang/rust/issues/87417 - ------------------------- - -Allows using the `#[track_caller]` attribute on closures and generators. -Calls made to the closure or generator will have caller information -available through `std::panic::Location::caller()`, just like using -`#[track_caller]` on a function. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cmse-nonsecure-entry.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/cmse-nonsecure-entry.md deleted file mode 100644 index 338fbc4b2bfc..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/cmse-nonsecure-entry.md +++ /dev/null @@ -1,81 +0,0 @@ -# `cmse_nonsecure_entry` - -The tracking issue for this feature is: [#75835] - -[#75835]: https://github.com/rust-lang/rust/issues/75835 - ------------------------- - -The [TrustZone-M -feature](https://developer.arm.com/documentation/100690/latest/) is available -for targets with the Armv8-M architecture profile (`thumbv8m` in their target -name). -LLVM, the Rust compiler and the linker are providing -[support](https://developer.arm.com/documentation/ecm0359818/latest/) for the -TrustZone-M feature. - -One of the things provided, with this unstable feature, is the -`cmse_nonsecure_entry` attribute. This attribute marks a Secure function as an -entry function (see [section -5.4](https://developer.arm.com/documentation/ecm0359818/latest/) for details). -With this attribute, the compiler will do the following: -* add a special symbol on the function which is the `__acle_se_` prefix and the - standard function name -* constrain the number of parameters to avoid using the Non-Secure stack -* before returning from the function, clear registers that might contain Secure - information -* use the `BXNS` instruction to return - -Because the stack can not be used to pass parameters, there will be compilation -errors if: -* the total size of all parameters is too big (for example more than four 32 - bits integers) -* the entry function is not using a C ABI - -The special symbol `__acle_se_` will be used by the linker to generate a secure -gateway veneer. - - - -``` rust,ignore -#![feature(cmse_nonsecure_entry)] - -#[no_mangle] -#[cmse_nonsecure_entry] -pub extern "C" fn entry_function(input: u32) -> u32 { - input + 6 -} -``` - -``` text -$ rustc --emit obj --crate-type lib --target thumbv8m.main-none-eabi function.rs -$ arm-none-eabi-objdump -D function.o - -00000000 : - 0: b580 push {r7, lr} - 2: 466f mov r7, sp - 4: b082 sub sp, #8 - 6: 9001 str r0, [sp, #4] - 8: 1d81 adds r1, r0, #6 - a: 460a mov r2, r1 - c: 4281 cmp r1, r0 - e: 9200 str r2, [sp, #0] - 10: d30b bcc.n 2a - 12: e7ff b.n 14 - 14: 9800 ldr r0, [sp, #0] - 16: b002 add sp, #8 - 18: e8bd 4080 ldmia.w sp!, {r7, lr} - 1c: 4671 mov r1, lr - 1e: 4672 mov r2, lr - 20: 4673 mov r3, lr - 22: 46f4 mov ip, lr - 24: f38e 8800 msr CPSR_f, lr - 28: 4774 bxns lr - 2a: f240 0000 movw r0, #0 - 2e: f2c0 0000 movt r0, #0 - 32: f240 0200 movw r2, #0 - 36: f2c0 0200 movt r2, #0 - 3a: 211c movs r1, #28 - 3c: f7ff fffe bl 0 <_ZN4core9panicking5panic17h5c028258ca2fb3f5E> - 40: defe udf #254 ; 0xfe -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/compiler-builtins.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/compiler-builtins.md deleted file mode 100644 index 52fac575b6e8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/compiler-builtins.md +++ /dev/null @@ -1,5 +0,0 @@ -# `compiler_builtins` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/const-eval-limit.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/const-eval-limit.md deleted file mode 100644 index df68e83bcac7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/const-eval-limit.md +++ /dev/null @@ -1,7 +0,0 @@ -# `const_eval_limit` - -The tracking issue for this feature is: [#67217] - -[#67217]: https://github.com/rust-lang/rust/issues/67217 - -The `const_eval_limit` allows someone to limit the evaluation steps the CTFE undertakes to evaluate a `const fn`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/crate-visibility-modifier.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/crate-visibility-modifier.md deleted file mode 100644 index b59859dd348e..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/crate-visibility-modifier.md +++ /dev/null @@ -1,20 +0,0 @@ -# `crate_visibility_modifier` - -The tracking issue for this feature is: [#53120] - -[#53120]: https://github.com/rust-lang/rust/issues/53120 - ------ - -The `crate_visibility_modifier` feature allows the `crate` keyword to be used -as a visibility modifier synonymous to `pub(crate)`, indicating that a type -(function, _&c._) is to be visible to the entire enclosing crate, but not to -other crates. - -```rust -#![feature(crate_visibility_modifier)] - -crate struct Foo { - bar: usize, -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/custom-test-frameworks.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/custom-test-frameworks.md deleted file mode 100644 index 53ecac9314d7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/custom-test-frameworks.md +++ /dev/null @@ -1,32 +0,0 @@ -# `custom_test_frameworks` - -The tracking issue for this feature is: [#50297] - -[#50297]: https://github.com/rust-lang/rust/issues/50297 - ------------------------- - -The `custom_test_frameworks` feature allows the use of `#[test_case]` and `#![test_runner]`. -Any function, const, or static can be annotated with `#[test_case]` causing it to be aggregated (like `#[test]`) -and be passed to the test runner determined by the `#![test_runner]` crate attribute. - -```rust -#![feature(custom_test_frameworks)] -#![test_runner(my_runner)] - -fn my_runner(tests: &[&i32]) { - for t in tests { - if **t == 0 { - println!("PASSED"); - } else { - println!("FAILED"); - } - } -} - -#[test_case] -const WILL_PASS: i32 = 0; - -#[test_case] -const WILL_FAIL: i32 = 4; -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-cfg.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-cfg.md deleted file mode 100644 index e75f1aea9922..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-cfg.md +++ /dev/null @@ -1,46 +0,0 @@ -# `doc_cfg` - -The tracking issue for this feature is: [#43781] - ------- - -The `doc_cfg` feature allows an API be documented as only available in some specific platforms. -This attribute has two effects: - -1. In the annotated item's documentation, there will be a message saying "This is supported on - (platform) only". - -2. The item's doc-tests will only run on the specific platform. - -In addition to allowing the use of the `#[doc(cfg)]` attribute, this feature enables the use of a -special conditional compilation flag, `#[cfg(doc)]`, set whenever building documentation on your -crate. - -This feature was introduced as part of PR [#43348] to allow the platform-specific parts of the -standard library be documented. - -```rust -#![feature(doc_cfg)] - -#[cfg(any(windows, doc))] -#[doc(cfg(windows))] -/// The application's icon in the notification area (a.k.a. system tray). -/// -/// # Examples -/// -/// ```no_run -/// extern crate my_awesome_ui_library; -/// use my_awesome_ui_library::current_app; -/// use my_awesome_ui_library::windows::notification; -/// -/// let icon = current_app().get::(); -/// icon.show(); -/// icon.show_message("Hello"); -/// ``` -pub struct Icon { - // ... -} -``` - -[#43781]: https://github.com/rust-lang/rust/issues/43781 -[#43348]: https://github.com/rust-lang/rust/issues/43348 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-masked.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-masked.md deleted file mode 100644 index 609939bfc22f..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-masked.md +++ /dev/null @@ -1,24 +0,0 @@ -# `doc_masked` - -The tracking issue for this feature is: [#44027] - ------ - -The `doc_masked` feature allows a crate to exclude types from a given crate from appearing in lists -of trait implementations. The specifics of the feature are as follows: - -1. When rustdoc encounters an `extern crate` statement annotated with a `#[doc(masked)]` attribute, - it marks the crate as being masked. - -2. When listing traits a given type implements, rustdoc ensures that traits from masked crates are - not emitted into the documentation. - -3. When listing types that implement a given trait, rustdoc ensures that types from masked crates - are not emitted into the documentation. - -This feature was introduced in PR [#44026] to ensure that compiler-internal and -implementation-specific types and traits were not included in the standard library's documentation. -Such types would introduce broken links into the documentation. - -[#44026]: https://github.com/rust-lang/rust/pull/44026 -[#44027]: https://github.com/rust-lang/rust/pull/44027 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-notable-trait.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-notable-trait.md deleted file mode 100644 index dc402ed4253a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/doc-notable-trait.md +++ /dev/null @@ -1,33 +0,0 @@ -# `doc_notable_trait` - -The tracking issue for this feature is: [#45040] - -The `doc_notable_trait` feature allows the use of the `#[doc(notable_trait)]` -attribute, which will display the trait in a "Notable traits" dialog for -functions returning types that implement the trait. For example, this attribute -is applied to the `Iterator`, `Future`, `io::Read`, and `io::Write` traits in -the standard library. - -You can do this on your own traits like so: - -``` -#![feature(doc_notable_trait)] - -#[doc(notable_trait)] -pub trait MyTrait {} - -pub struct MyStruct; -impl MyTrait for MyStruct {} - -/// The docs for this function will have a button that displays a dialog about -/// `MyStruct` implementing `MyTrait`. -pub fn my_fn() -> MyStruct { MyStruct } -``` - -This feature was originally implemented in PR [#45039]. - -See also its documentation in [the rustdoc book][rustdoc-book-notable_trait]. - -[#45040]: https://github.com/rust-lang/rust/issues/45040 -[#45039]: https://github.com/rust-lang/rust/pull/45039 -[rustdoc-book-notable_trait]: ../../rustdoc/unstable-features.html#adding-your-trait-to-the-notable-traits-dialog diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/exclusive-range-pattern.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/exclusive-range-pattern.md deleted file mode 100644 index d26512703f49..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/exclusive-range-pattern.md +++ /dev/null @@ -1,26 +0,0 @@ -# `exclusive_range_pattern` - -The tracking issue for this feature is: [#37854]. - - -[#67264]: https://github.com/rust-lang/rust/issues/67264 -[#37854]: https://github.com/rust-lang/rust/issues/37854 ------ - -The `exclusive_range_pattern` feature allows non-inclusive range -patterns (`0..10`) to be used in appropriate pattern matching -contexts. It also can be combined with `#![feature(half_open_range_patterns]` -to be able to use RangeTo patterns (`..10`). - -It also enabled RangeFrom patterns but that has since been -stabilized. - -```rust -#![feature(exclusive_range_pattern)] - let x = 5; - match x { - 0..10 => println!("single digit"), - 10 => println!("ten isn't part of the above range"), - _ => println!("nor is everything else.") - } -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/explicit-generic-args-with-impl-trait.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/explicit-generic-args-with-impl-trait.md deleted file mode 100644 index 479571d85fe0..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/explicit-generic-args-with-impl-trait.md +++ /dev/null @@ -1,53 +0,0 @@ -# `explicit_generic_args_with_impl_trait` - -The tracking issue for this feature is: [#83701] - -[#83701]: https://github.com/rust-lang/rust/issues/83701 - ------------------------- - -The `explicit_generic_args_with_impl_trait` feature gate lets you specify generic arguments even -when `impl Trait` is used in argument position. - -A simple example is: - -```rust -#![feature(explicit_generic_args_with_impl_trait)] - -fn foo(_f: impl AsRef) {} - -fn main() { - foo::("".to_string()); -} -``` - -This is currently rejected: - -```text -error[E0632]: cannot provide explicit generic arguments when `impl Trait` is used in argument position - --> src/main.rs:6:11 - | -6 | foo::("".to_string()); - | ^^^ explicit generic argument not allowed - -``` - -However it would compile if `explicit_generic_args_with_impl_trait` is enabled. - -Note that the synthetic type parameters from `impl Trait` are still implicit and you -cannot explicitly specify these: - -```rust,compile_fail -#![feature(explicit_generic_args_with_impl_trait)] - -fn foo(_f: impl AsRef) {} -fn bar>(_f: F) {} - -fn main() { - bar::("".to_string()); // Okay - bar::("".to_string()); // Okay - - foo::("".to_string()); // Okay - foo::("".to_string()); // Error, you cannot specify `impl Trait` explicitly -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-const.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-const.md deleted file mode 100644 index 24a304437542..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-const.md +++ /dev/null @@ -1,52 +0,0 @@ -# `ffi_const` - -The tracking issue for this feature is: [#58328] - ------- - -The `#[ffi_const]` attribute applies clang's `const` attribute to foreign -functions declarations. - -That is, `#[ffi_const]` functions shall have no effects except for its return -value, which can only depend on the values of the function parameters, and is -not affected by changes to the observable state of the program. - -Applying the `#[ffi_const]` attribute to a function that violates these -requirements is undefined behaviour. - -This attribute enables Rust to perform common optimizations, like sub-expression -elimination, and it can avoid emitting some calls in repeated invocations of the -function with the same argument values regardless of other operations being -performed in between these functions calls (as opposed to `#[ffi_pure]` -functions). - -## Pitfalls - -A `#[ffi_const]` function can only read global memory that would not affect -its return value for the whole execution of the program (e.g. immutable global -memory). `#[ffi_const]` functions are referentially-transparent and therefore -more strict than `#[ffi_pure]` functions. - -A common pitfall involves applying the `#[ffi_const]` attribute to a -function that reads memory through pointer arguments which do not necessarily -point to immutable global memory. - -A `#[ffi_const]` function that returns unit has no effect on the abstract -machine's state, and a `#[ffi_const]` function cannot be `#[ffi_pure]`. - -A `#[ffi_const]` function must not diverge, neither via a side effect (e.g. a -call to `abort`) nor by infinite loops. - -When translating C headers to Rust FFI, it is worth verifying for which targets -the `const` attribute is enabled in those headers, and using the appropriate -`cfg` macros in the Rust side to match those definitions. While the semantics of -`const` are implemented identically by many C and C++ compilers, e.g., clang, -[GCC], [ARM C/C++ compiler], [IBM ILE C/C++], etc. they are not necessarily -implemented in this way on all of them. It is therefore also worth verifying -that the semantics of the C toolchain used to compile the binary being linked -against are compatible with those of the `#[ffi_const]`. - -[#58328]: https://github.com/rust-lang/rust/issues/58328 -[ARM C/C++ compiler]: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0491c/Cacgigch.html -[GCC]: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-const-function-attribute -[IBM ILE C/C++]: https://www.ibm.com/support/knowledgecenter/fr/ssw_ibm_i_71/rzarg/fn_attrib_const.htm diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-pure.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-pure.md deleted file mode 100644 index 236ccb9f9053..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/ffi-pure.md +++ /dev/null @@ -1,56 +0,0 @@ -# `ffi_pure` - -The tracking issue for this feature is: [#58329] - ------- - -The `#[ffi_pure]` attribute applies clang's `pure` attribute to foreign -functions declarations. - -That is, `#[ffi_pure]` functions shall have no effects except for its return -value, which shall not change across two consecutive function calls with -the same parameters. - -Applying the `#[ffi_pure]` attribute to a function that violates these -requirements is undefined behavior. - -This attribute enables Rust to perform common optimizations, like sub-expression -elimination and loop optimizations. Some common examples of pure functions are -`strlen` or `memcmp`. - -These optimizations are only applicable when the compiler can prove that no -program state observable by the `#[ffi_pure]` function has changed between calls -of the function, which could alter the result. See also the `#[ffi_const]` -attribute, which provides stronger guarantees regarding the allowable behavior -of a function, enabling further optimization. - -## Pitfalls - -A `#[ffi_pure]` function can read global memory through the function -parameters (e.g. pointers), globals, etc. `#[ffi_pure]` functions are not -referentially-transparent, and are therefore more relaxed than `#[ffi_const]` -functions. - -However, accessing global memory through volatile or atomic reads can violate the -requirement that two consecutive function calls shall return the same value. - -A `pure` function that returns unit has no effect on the abstract machine's -state. - -A `#[ffi_pure]` function must not diverge, neither via a side effect (e.g. a -call to `abort`) nor by infinite loops. - -When translating C headers to Rust FFI, it is worth verifying for which targets -the `pure` attribute is enabled in those headers, and using the appropriate -`cfg` macros in the Rust side to match those definitions. While the semantics of -`pure` are implemented identically by many C and C++ compilers, e.g., clang, -[GCC], [ARM C/C++ compiler], [IBM ILE C/C++], etc. they are not necessarily -implemented in this way on all of them. It is therefore also worth verifying -that the semantics of the C toolchain used to compile the binary being linked -against are compatible with those of the `#[ffi_pure]`. - - -[#58329]: https://github.com/rust-lang/rust/issues/58329 -[ARM C/C++ compiler]: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0491c/Cacigdac.html -[GCC]: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute -[IBM ILE C/C++]: https://www.ibm.com/support/knowledgecenter/fr/ssw_ibm_i_71/rzarg/fn_attrib_pure.htm diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/generators.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/generators.md deleted file mode 100644 index 7b865c9c679b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/generators.md +++ /dev/null @@ -1,246 +0,0 @@ -# `generators` - -The tracking issue for this feature is: [#43122] - -[#43122]: https://github.com/rust-lang/rust/issues/43122 - ------------------------- - -The `generators` feature gate in Rust allows you to define generator or -coroutine literals. A generator is a "resumable function" that syntactically -resembles a closure but compiles to much different semantics in the compiler -itself. The primary feature of a generator is that it can be suspended during -execution to be resumed at a later date. Generators use the `yield` keyword to -"return", and then the caller can `resume` a generator to resume execution just -after the `yield` keyword. - -Generators are an extra-unstable feature in the compiler right now. Added in -[RFC 2033] they're mostly intended right now as a information/constraint -gathering phase. The intent is that experimentation can happen on the nightly -compiler before actual stabilization. A further RFC will be required to -stabilize generators/coroutines and will likely contain at least a few small -tweaks to the overall design. - -[RFC 2033]: https://github.com/rust-lang/rfcs/pull/2033 - -A syntactical example of a generator is: - -```rust -#![feature(generators, generator_trait)] - -use std::ops::{Generator, GeneratorState}; -use std::pin::Pin; - -fn main() { - let mut generator = || { - yield 1; - return "foo" - }; - - match Pin::new(&mut generator).resume(()) { - GeneratorState::Yielded(1) => {} - _ => panic!("unexpected value from resume"), - } - match Pin::new(&mut generator).resume(()) { - GeneratorState::Complete("foo") => {} - _ => panic!("unexpected value from resume"), - } -} -``` - -Generators are closure-like literals which can contain a `yield` statement. The -`yield` statement takes an optional expression of a value to yield out of the -generator. All generator literals implement the `Generator` trait in the -`std::ops` module. The `Generator` trait has one main method, `resume`, which -resumes execution of the generator at the previous suspension point. - -An example of the control flow of generators is that the following example -prints all numbers in order: - -```rust -#![feature(generators, generator_trait)] - -use std::ops::Generator; -use std::pin::Pin; - -fn main() { - let mut generator = || { - println!("2"); - yield; - println!("4"); - }; - - println!("1"); - Pin::new(&mut generator).resume(()); - println!("3"); - Pin::new(&mut generator).resume(()); - println!("5"); -} -``` - -At this time the main intended use case of generators is an implementation -primitive for async/await syntax, but generators will likely be extended to -ergonomic implementations of iterators and other primitives in the future. -Feedback on the design and usage is always appreciated! - -### The `Generator` trait - -The `Generator` trait in `std::ops` currently looks like: - -```rust -# #![feature(arbitrary_self_types, generator_trait)] -# use std::ops::GeneratorState; -# use std::pin::Pin; - -pub trait Generator { - type Yield; - type Return; - fn resume(self: Pin<&mut Self>, resume: R) -> GeneratorState; -} -``` - -The `Generator::Yield` type is the type of values that can be yielded with the -`yield` statement. The `Generator::Return` type is the returned type of the -generator. This is typically the last expression in a generator's definition or -any value passed to `return` in a generator. The `resume` function is the entry -point for executing the `Generator` itself. - -The return value of `resume`, `GeneratorState`, looks like: - -```rust -pub enum GeneratorState { - Yielded(Y), - Complete(R), -} -``` - -The `Yielded` variant indicates that the generator can later be resumed. This -corresponds to a `yield` point in a generator. The `Complete` variant indicates -that the generator is complete and cannot be resumed again. Calling `resume` -after a generator has returned `Complete` will likely result in a panic of the -program. - -### Closure-like semantics - -The closure-like syntax for generators alludes to the fact that they also have -closure-like semantics. Namely: - -* When created, a generator executes no code. A closure literal does not - actually execute any of the closure's code on construction, and similarly a - generator literal does not execute any code inside the generator when - constructed. - -* Generators can capture outer variables by reference or by move, and this can - be tweaked with the `move` keyword at the beginning of the closure. Like - closures all generators will have an implicit environment which is inferred by - the compiler. Outer variables can be moved into a generator for use as the - generator progresses. - -* Generator literals produce a value with a unique type which implements the - `std::ops::Generator` trait. This allows actual execution of the generator - through the `Generator::resume` method as well as also naming it in return - types and such. - -* Traits like `Send` and `Sync` are automatically implemented for a `Generator` - depending on the captured variables of the environment. Unlike closures, - generators also depend on variables live across suspension points. This means - that although the ambient environment may be `Send` or `Sync`, the generator - itself may not be due to internal variables live across `yield` points being - not-`Send` or not-`Sync`. Note that generators do - not implement traits like `Copy` or `Clone` automatically. - -* Whenever a generator is dropped it will drop all captured environment - variables. - -### Generators as state machines - -In the compiler, generators are currently compiled as state machines. Each -`yield` expression will correspond to a different state that stores all live -variables over that suspension point. Resumption of a generator will dispatch on -the current state and then execute internally until a `yield` is reached, at -which point all state is saved off in the generator and a value is returned. - -Let's take a look at an example to see what's going on here: - -```rust -#![feature(generators, generator_trait)] - -use std::ops::Generator; -use std::pin::Pin; - -fn main() { - let ret = "foo"; - let mut generator = move || { - yield 1; - return ret - }; - - Pin::new(&mut generator).resume(()); - Pin::new(&mut generator).resume(()); -} -``` - -This generator literal will compile down to something similar to: - -```rust -#![feature(arbitrary_self_types, generators, generator_trait)] - -use std::ops::{Generator, GeneratorState}; -use std::pin::Pin; - -fn main() { - let ret = "foo"; - let mut generator = { - enum __Generator { - Start(&'static str), - Yield1(&'static str), - Done, - } - - impl Generator for __Generator { - type Yield = i32; - type Return = &'static str; - - fn resume(mut self: Pin<&mut Self>, resume: ()) -> GeneratorState { - use std::mem; - match mem::replace(&mut *self, __Generator::Done) { - __Generator::Start(s) => { - *self = __Generator::Yield1(s); - GeneratorState::Yielded(1) - } - - __Generator::Yield1(s) => { - *self = __Generator::Done; - GeneratorState::Complete(s) - } - - __Generator::Done => { - panic!("generator resumed after completion") - } - } - } - } - - __Generator::Start(ret) - }; - - Pin::new(&mut generator).resume(()); - Pin::new(&mut generator).resume(()); -} -``` - -Notably here we can see that the compiler is generating a fresh type, -`__Generator` in this case. This type has a number of states (represented here -as an `enum`) corresponding to each of the conceptual states of the generator. -At the beginning we're closing over our outer variable `foo` and then that -variable is also live over the `yield` point, so it's stored in both states. - -When the generator starts it'll immediately yield 1, but it saves off its state -just before it does so indicating that it has reached the yield point. Upon -resuming again we'll execute the `return ret` which returns the `Complete` -state. - -Here we can also note that the `Done` state, if resumed, panics immediately as -it's invalid to resume a completed generator. It's also worth noting that this -is just a rough desugaring, not a normative specification for what the compiler -does. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/half-open-range-patterns.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/half-open-range-patterns.md deleted file mode 100644 index 3b16dd049ce3..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/half-open-range-patterns.md +++ /dev/null @@ -1,27 +0,0 @@ -# `half_open_range_patterns` - -The tracking issue for this feature is: [#67264] -It is part of the `#![exclusive_range_pattern]` feature, -tracked at [#37854]. - -[#67264]: https://github.com/rust-lang/rust/issues/67264 -[#37854]: https://github.com/rust-lang/rust/issues/37854 ------ - -The `half_open_range_patterns` feature allows RangeTo patterns -(`..10`) to be used in appropriate pattern matching contexts. -This requires also enabling the `exclusive_range_pattern` feature. - -It also enabled RangeFrom patterns but that has since been -stabilized. - -```rust -#![feature(half_open_range_patterns)] -#![feature(exclusive_range_pattern)] - let x = 5; - match x { - ..0 => println!("negative!"), // "RangeTo" pattern. Unstable. - 0 => println!("zero!"), - 1.. => println!("positive!"), // "RangeFrom" pattern. Stable. - } -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/infer-static-outlives-requirements.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/infer-static-outlives-requirements.md deleted file mode 100644 index 5f3f1b4dd8a3..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/infer-static-outlives-requirements.md +++ /dev/null @@ -1,44 +0,0 @@ -# `infer_static_outlives_requirements` - -The tracking issue for this feature is: [#54185] - -[#54185]: https://github.com/rust-lang/rust/issues/54185 - ------------------------- -The `infer_static_outlives_requirements` feature indicates that certain -`'static` outlives requirements can be inferred by the compiler rather than -stating them explicitly. - -Note: It is an accompanying feature to `infer_outlives_requirements`, -which must be enabled to infer outlives requirements. - -For example, currently generic struct definitions that contain -references, require where-clauses of the form T: 'static. By using -this feature the outlives predicates will be inferred, although -they may still be written explicitly. - -```rust,ignore (pseudo-Rust) -struct Foo where U: 'static { // <-- currently required - bar: Bar -} -struct Bar { - x: T, -} -``` - - -## Examples: - -```rust,ignore (pseudo-Rust) -#![feature(infer_outlives_requirements)] -#![feature(infer_static_outlives_requirements)] - -#[rustc_outlives] -// Implicitly infer U: 'static -struct Foo { - bar: Bar -} -struct Bar { - x: T, -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const-pat.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const-pat.md deleted file mode 100644 index 5f0f7547a0a8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const-pat.md +++ /dev/null @@ -1,24 +0,0 @@ -# `inline_const_pat` - -The tracking issue for this feature is: [#76001] - -See also [`inline_const`](inline-const.md) - ------- - -This feature allows you to use inline constant expressions in pattern position: - -```rust -#![feature(inline_const_pat)] - -const fn one() -> i32 { 1 } - -let some_int = 3; -match some_int { - const { 1 + 2 } => println!("Matched 1 + 2"), - const { one() } => println!("Matched const fn returning 1"), - _ => println!("Didn't match anything :("), -} -``` - -[#76001]: https://github.com/rust-lang/rust/issues/76001 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const.md deleted file mode 100644 index 7be70eed6ced..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/inline-const.md +++ /dev/null @@ -1,32 +0,0 @@ -# `inline_const` - -The tracking issue for this feature is: [#76001] - -See also [`inline_const_pat`](inline-const-pat.md) - ------- - -This feature allows you to use inline constant expressions. For example, you can -turn this code: - -```rust -# fn add_one(x: i32) -> i32 { x + 1 } -const MY_COMPUTATION: i32 = 1 + 2 * 3 / 4; - -fn main() { - let x = add_one(MY_COMPUTATION); -} -``` - -into this code: - -```rust -#![feature(inline_const)] - -# fn add_one(x: i32) -> i32 { x + 1 } -fn main() { - let x = add_one(const { 1 + 2 * 3 / 4 }); -} -``` - -[#76001]: https://github.com/rust-lang/rust/issues/76001 diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intra-doc-pointers.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/intra-doc-pointers.md deleted file mode 100644 index fbc83f4b4f48..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intra-doc-pointers.md +++ /dev/null @@ -1,15 +0,0 @@ -# `intra-doc-pointers` - -The tracking issue for this feature is: [#80896] - -[#80896]: https://github.com/rust-lang/rust/issues/80896 - ------------------------- - -Rustdoc does not currently allow disambiguating between `*const` and `*mut`, and -raw pointers in intra-doc links are unstable until it does. - -```rust -#![feature(intra_doc_pointers)] -//! [pointer::add] -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intrinsics.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/intrinsics.md deleted file mode 100644 index a0fb4e743d3f..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/intrinsics.md +++ /dev/null @@ -1,29 +0,0 @@ -# `intrinsics` - -The tracking issue for this feature is: None. - -Intrinsics are never intended to be stable directly, but intrinsics are often -exported in some sort of stable manner. Prefer using the stable interfaces to -the intrinsic directly when you can. - ------------------------- - - -These are imported as if they were FFI functions, with the special -`rust-intrinsic` ABI. For example, if one was in a freestanding -context, but wished to be able to `transmute` between types, and -perform efficient pointer arithmetic, one would import those functions -via a declaration like - -```rust -#![feature(intrinsics)] -# fn main() {} - -extern "rust-intrinsic" { - fn transmute(x: T) -> U; - - fn offset(dst: *const T, offset: isize) -> *const T; -} -``` - -As with any other FFI functions, these are always `unsafe` to call. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/lang-items.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/lang-items.md deleted file mode 100644 index 86bedb51538b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/lang-items.md +++ /dev/null @@ -1,295 +0,0 @@ -# `lang_items` - -The tracking issue for this feature is: None. - ------------------------- - -The `rustc` compiler has certain pluggable operations, that is, -functionality that isn't hard-coded into the language, but is -implemented in libraries, with a special marker to tell the compiler -it exists. The marker is the attribute `#[lang = "..."]` and there are -various different values of `...`, i.e. various different 'lang -items'. - -For example, `Box` pointers require two lang items, one for allocation -and one for deallocation. A freestanding program that uses the `Box` -sugar for dynamic allocations via `malloc` and `free`: - -```rust,ignore (libc-is-finicky) -#![feature(lang_items, box_syntax, start, libc, core_intrinsics, rustc_private)] -#![no_std] -use core::intrinsics; -use core::panic::PanicInfo; - -extern crate libc; - -#[lang = "owned_box"] -pub struct Box(*mut T); - -#[lang = "exchange_malloc"] -unsafe fn allocate(size: usize, _align: usize) -> *mut u8 { - let p = libc::malloc(size as libc::size_t) as *mut u8; - - // Check if `malloc` failed: - if p as usize == 0 { - intrinsics::abort(); - } - - p -} - -#[lang = "box_free"] -unsafe fn box_free(ptr: *mut T) { - libc::free(ptr as *mut libc::c_void) -} - -#[start] -fn main(_argc: isize, _argv: *const *const u8) -> isize { - let _x = box 1; - - 0 -} - -#[lang = "eh_personality"] extern fn rust_eh_personality() {} -#[lang = "panic_impl"] extern fn rust_begin_panic(info: &PanicInfo) -> ! { unsafe { intrinsics::abort() } } -#[no_mangle] pub extern fn rust_eh_register_frames () {} -#[no_mangle] pub extern fn rust_eh_unregister_frames () {} -``` - -Note the use of `abort`: the `exchange_malloc` lang item is assumed to -return a valid pointer, and so needs to do the check internally. - -Other features provided by lang items include: - -- overloadable operators via traits: the traits corresponding to the - `==`, `<`, dereferencing (`*`) and `+` (etc.) operators are all - marked with lang items; those specific four are `eq`, `ord`, - `deref`, and `add` respectively. -- stack unwinding and general failure; the `eh_personality`, - `panic` and `panic_bounds_check` lang items. -- the traits in `std::marker` used to indicate types of - various kinds; lang items `send`, `sync` and `copy`. -- the marker types and variance indicators found in - `std::marker`; lang items `covariant_type`, - `contravariant_lifetime`, etc. - -Lang items are loaded lazily by the compiler; e.g. if one never uses -`Box` then there is no need to define functions for `exchange_malloc` -and `box_free`. `rustc` will emit an error when an item is needed -but not found in the current crate or any that it depends on. - -Most lang items are defined by `libcore`, but if you're trying to build -an executable without the standard library, you'll run into the need -for lang items. The rest of this page focuses on this use-case, even though -lang items are a bit broader than that. - -### Using libc - -In order to build a `#[no_std]` executable we will need libc as a dependency. -We can specify this using our `Cargo.toml` file: - -```toml -[dependencies] -libc = { version = "0.2.14", default-features = false } -``` - -Note that the default features have been disabled. This is a critical step - -**the default features of libc include the standard library and so must be -disabled.** - -### Writing an executable without stdlib - -Controlling the entry point is possible in two ways: the `#[start]` attribute, -or overriding the default shim for the C `main` function with your own. - -The function marked `#[start]` is passed the command line parameters -in the same format as C: - -```rust,ignore (libc-is-finicky) -#![feature(lang_items, core_intrinsics, rustc_private)] -#![feature(start)] -#![no_std] -use core::intrinsics; -use core::panic::PanicInfo; - -// Pull in the system libc library for what crt0.o likely requires. -extern crate libc; - -// Entry point for this program. -#[start] -fn start(_argc: isize, _argv: *const *const u8) -> isize { - 0 -} - -// These functions are used by the compiler, but not -// for a bare-bones hello world. These are normally -// provided by libstd. -#[lang = "eh_personality"] -#[no_mangle] -pub extern fn rust_eh_personality() { -} - -#[lang = "panic_impl"] -#[no_mangle] -pub extern fn rust_begin_panic(info: &PanicInfo) -> ! { - unsafe { intrinsics::abort() } -} -``` - -To override the compiler-inserted `main` shim, one has to disable it -with `#![no_main]` and then create the appropriate symbol with the -correct ABI and the correct name, which requires overriding the -compiler's name mangling too: - -```rust,ignore (libc-is-finicky) -#![feature(lang_items, core_intrinsics, rustc_private)] -#![feature(start)] -#![no_std] -#![no_main] -use core::intrinsics; -use core::panic::PanicInfo; - -// Pull in the system libc library for what crt0.o likely requires. -extern crate libc; - -// Entry point for this program. -#[no_mangle] // ensure that this symbol is called `main` in the output -pub extern fn main(_argc: i32, _argv: *const *const u8) -> i32 { - 0 -} - -// These functions are used by the compiler, but not -// for a bare-bones hello world. These are normally -// provided by libstd. -#[lang = "eh_personality"] -#[no_mangle] -pub extern fn rust_eh_personality() { -} - -#[lang = "panic_impl"] -#[no_mangle] -pub extern fn rust_begin_panic(info: &PanicInfo) -> ! { - unsafe { intrinsics::abort() } -} -``` - -In many cases, you may need to manually link to the `compiler_builtins` crate -when building a `no_std` binary. You may observe this via linker error messages -such as "```undefined reference to `__rust_probestack'```". - -## More about the language items - -The compiler currently makes a few assumptions about symbols which are -available in the executable to call. Normally these functions are provided by -the standard library, but without it you must define your own. These symbols -are called "language items", and they each have an internal name, and then a -signature that an implementation must conform to. - -The first of these functions, `rust_eh_personality`, is used by the failure -mechanisms of the compiler. This is often mapped to GCC's personality function -(see the [libstd implementation][unwind] for more information), but crates -which do not trigger a panic can be assured that this function is never -called. The language item's name is `eh_personality`. - -[unwind]: https://github.com/rust-lang/rust/blob/master/library/panic_unwind/src/gcc.rs - -The second function, `rust_begin_panic`, is also used by the failure mechanisms of the -compiler. When a panic happens, this controls the message that's displayed on -the screen. While the language item's name is `panic_impl`, the symbol name is -`rust_begin_panic`. - -Finally, a `eh_catch_typeinfo` static is needed for certain targets which -implement Rust panics on top of C++ exceptions. - -## List of all language items - -This is a list of all language items in Rust along with where they are located in -the source code. - -- Primitives - - `i8`: `libcore/num/mod.rs` - - `i16`: `libcore/num/mod.rs` - - `i32`: `libcore/num/mod.rs` - - `i64`: `libcore/num/mod.rs` - - `i128`: `libcore/num/mod.rs` - - `isize`: `libcore/num/mod.rs` - - `u8`: `libcore/num/mod.rs` - - `u16`: `libcore/num/mod.rs` - - `u32`: `libcore/num/mod.rs` - - `u64`: `libcore/num/mod.rs` - - `u128`: `libcore/num/mod.rs` - - `usize`: `libcore/num/mod.rs` - - `f32`: `libstd/f32.rs` - - `f64`: `libstd/f64.rs` - - `char`: `libcore/char.rs` - - `slice`: `liballoc/slice.rs` - - `str`: `liballoc/str.rs` - - `const_ptr`: `libcore/ptr.rs` - - `mut_ptr`: `libcore/ptr.rs` - - `unsafe_cell`: `libcore/cell.rs` -- Runtime - - `start`: `libstd/rt.rs` - - `eh_personality`: `libpanic_unwind/emcc.rs` (EMCC) - - `eh_personality`: `libpanic_unwind/gcc.rs` (GNU) - - `eh_personality`: `libpanic_unwind/seh.rs` (SEH) - - `eh_catch_typeinfo`: `libpanic_unwind/emcc.rs` (EMCC) - - `panic`: `libcore/panicking.rs` - - `panic_bounds_check`: `libcore/panicking.rs` - - `panic_impl`: `libcore/panicking.rs` - - `panic_impl`: `libstd/panicking.rs` -- Allocations - - `owned_box`: `liballoc/boxed.rs` - - `exchange_malloc`: `liballoc/heap.rs` - - `box_free`: `liballoc/heap.rs` -- Operands - - `not`: `libcore/ops/bit.rs` - - `bitand`: `libcore/ops/bit.rs` - - `bitor`: `libcore/ops/bit.rs` - - `bitxor`: `libcore/ops/bit.rs` - - `shl`: `libcore/ops/bit.rs` - - `shr`: `libcore/ops/bit.rs` - - `bitand_assign`: `libcore/ops/bit.rs` - - `bitor_assign`: `libcore/ops/bit.rs` - - `bitxor_assign`: `libcore/ops/bit.rs` - - `shl_assign`: `libcore/ops/bit.rs` - - `shr_assign`: `libcore/ops/bit.rs` - - `deref`: `libcore/ops/deref.rs` - - `deref_mut`: `libcore/ops/deref.rs` - - `index`: `libcore/ops/index.rs` - - `index_mut`: `libcore/ops/index.rs` - - `add`: `libcore/ops/arith.rs` - - `sub`: `libcore/ops/arith.rs` - - `mul`: `libcore/ops/arith.rs` - - `div`: `libcore/ops/arith.rs` - - `rem`: `libcore/ops/arith.rs` - - `neg`: `libcore/ops/arith.rs` - - `add_assign`: `libcore/ops/arith.rs` - - `sub_assign`: `libcore/ops/arith.rs` - - `mul_assign`: `libcore/ops/arith.rs` - - `div_assign`: `libcore/ops/arith.rs` - - `rem_assign`: `libcore/ops/arith.rs` - - `eq`: `libcore/cmp.rs` - - `ord`: `libcore/cmp.rs` -- Functions - - `fn`: `libcore/ops/function.rs` - - `fn_mut`: `libcore/ops/function.rs` - - `fn_once`: `libcore/ops/function.rs` - - `generator_state`: `libcore/ops/generator.rs` - - `generator`: `libcore/ops/generator.rs` -- Other - - `coerce_unsized`: `libcore/ops/unsize.rs` - - `drop`: `libcore/ops/drop.rs` - - `drop_in_place`: `libcore/ptr.rs` - - `clone`: `libcore/clone.rs` - - `copy`: `libcore/marker.rs` - - `send`: `libcore/marker.rs` - - `sized`: `libcore/marker.rs` - - `unsize`: `libcore/marker.rs` - - `sync`: `libcore/marker.rs` - - `phantom_data`: `libcore/marker.rs` - - `discriminant_kind`: `libcore/marker.rs` - - `freeze`: `libcore/marker.rs` - - `debug_trait`: `libcore/fmt/mod.rs` - - `non_zero`: `libcore/nonzero.rs` - - `arc`: `liballoc/sync.rs` - - `rc`: `liballoc/rc.rs` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/link-cfg.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/link-cfg.md deleted file mode 100644 index ee0fd5bf8698..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/link-cfg.md +++ /dev/null @@ -1,5 +0,0 @@ -# `link_cfg` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/marker-trait-attr.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/marker-trait-attr.md deleted file mode 100644 index be350cd61696..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/marker-trait-attr.md +++ /dev/null @@ -1,35 +0,0 @@ -# `marker_trait_attr` - -The tracking issue for this feature is: [#29864] - -[#29864]: https://github.com/rust-lang/rust/issues/29864 - ------------------------- - -Normally, Rust keeps you from adding trait implementations that could -overlap with each other, as it would be ambiguous which to use. This -feature, however, carves out an exception to that rule: a trait can -opt-in to having overlapping implementations, at the cost that those -implementations are not allowed to override anything (and thus the -trait itself cannot have any associated items, as they're pointless -when they'd need to do the same thing for every type anyway). - -```rust -#![feature(marker_trait_attr)] - -#[marker] trait CheapToClone: Clone {} - -impl CheapToClone for T {} - -// These could potentially overlap with the blanket implementation above, -// so are only allowed because CheapToClone is a marker trait. -impl CheapToClone for (T, U) {} -impl CheapToClone for std::ops::Range {} - -fn cheap_clone(t: T) -> T { - t.clone() -} -``` - -This is expected to replace the unstable `overlapping_marker_traits` -feature, which applied to all empty traits (without needing an opt-in). diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/more-qualified-paths.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/more-qualified-paths.md deleted file mode 100644 index 857af577a6cf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/more-qualified-paths.md +++ /dev/null @@ -1,29 +0,0 @@ -# `more_qualified_paths` - -The `more_qualified_paths` feature can be used in order to enable the -use of qualified paths in patterns. - -## Example - -```rust -#![feature(more_qualified_paths)] - -fn main() { - // destructure through a qualified path - let ::Assoc { br } = StructStruct { br: 2 }; -} - -struct StructStruct { - br: i8, -} - -struct Foo; - -trait A { - type Assoc; -} - -impl A for Foo { - type Assoc = StructStruct; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-as-needed.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-as-needed.md deleted file mode 100644 index 1757673612c4..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-as-needed.md +++ /dev/null @@ -1,18 +0,0 @@ -# `native_link_modifiers_as_needed` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_as_needed` feature allows you to use the `as-needed` modifier. - -`as-needed` is only compatible with the `dynamic` and `framework` linking kinds. Using any other kind will result in a compiler error. - -`+as-needed` means that the library will be actually linked only if it satisfies some undefined symbols at the point at which it is specified on the command line, making it similar to static libraries in this regard. - -This modifier translates to `--as-needed` for ld-like linkers, and to `-dead_strip_dylibs` / `-needed_library` / `-needed_framework` for ld64. -The modifier does nothing for linkers that don't support it (e.g. `link.exe`). - -The default for this modifier is unclear, some targets currently specify it as `+as-needed`, some do not. We may want to try making `+as-needed` a default for all targets. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-bundle.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-bundle.md deleted file mode 100644 index ac192cff13a3..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-bundle.md +++ /dev/null @@ -1,19 +0,0 @@ -# `native_link_modifiers_bundle` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_bundle` feature allows you to use the `bundle` modifier. - -Only compatible with the `static` linking kind. Using any other kind will result in a compiler error. - -`+bundle` means objects from the static library are bundled into the produced crate (a rlib, for example) and are used from this crate later during linking of the final binary. - -`-bundle` means the static library is included into the produced rlib "by name" and object files from it are included only during linking of the final binary, the file search by that name is also performed during final linking. - -This modifier is supposed to supersede the `static-nobundle` linking kind defined by [RFC 1717](https://github.com/rust-lang/rfcs/pull/1717). - -The default for this modifier is currently `+bundle`, but it could be changed later on some future edition boundary. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-verbatim.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-verbatim.md deleted file mode 100644 index 02bd87e50956..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-verbatim.md +++ /dev/null @@ -1,20 +0,0 @@ -# `native_link_modifiers_verbatim` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_verbatim` feature allows you to use the `verbatim` modifier. - -`+verbatim` means that rustc itself won't add any target-specified library prefixes or suffixes (like `lib` or `.a`) to the library name, and will try its best to ask for the same thing from the linker. - -For `ld`-like linkers rustc will use the `-l:filename` syntax (note the colon) when passing the library, so the linker won't add any prefixes or suffixes as well. -See [`-l namespec`](https://sourceware.org/binutils/docs/ld/Options.html) in ld documentation for more details. -For linkers not supporting any verbatim modifiers (e.g. `link.exe` or `ld64`) the library name will be passed as is. - -The default for this modifier is `-verbatim`. - -This RFC changes the behavior of `raw-dylib` linking kind specified by [RFC 2627](https://github.com/rust-lang/rfcs/pull/2627). The `.dll` suffix (or other target-specified suffixes for other targets) is now added automatically. -If your DLL doesn't have the `.dll` suffix, it can be specified with `+verbatim`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-whole-archive.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-whole-archive.md deleted file mode 100644 index 4961e88cad1e..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers-whole-archive.md +++ /dev/null @@ -1,18 +0,0 @@ -# `native_link_modifiers_whole_archive` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers_whole_archive` feature allows you to use the `whole-archive` modifier. - -Only compatible with the `static` linking kind. Using any other kind will result in a compiler error. - -`+whole-archive` means that the static library is linked as a whole archive without throwing any object files away. - -This modifier translates to `--whole-archive` for `ld`-like linkers, to `/WHOLEARCHIVE` for `link.exe`, and to `-force_load` for `ld64`. -The modifier does nothing for linkers that don't support it. - -The default for this modifier is `-whole-archive`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers.md deleted file mode 100644 index fc8b57546217..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/native-link-modifiers.md +++ /dev/null @@ -1,11 +0,0 @@ -# `native_link_modifiers` - -The tracking issue for this feature is: [#81490] - -[#81490]: https://github.com/rust-lang/rust/issues/81490 - ------------------------- - -The `native_link_modifiers` feature allows you to use the `modifiers` syntax with the `#[link(..)]` attribute. - -Modifiers are specified as a comma-delimited string with each modifier prefixed with either a `+` or `-` to indicate that the modifier is enabled or disabled, respectively. The last boolean value specified for a given modifier wins. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/negative-impls.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/negative-impls.md deleted file mode 100644 index 151520f0e4ab..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/negative-impls.md +++ /dev/null @@ -1,57 +0,0 @@ -# `negative_impls` - -The tracking issue for this feature is [#68318]. - -[#68318]: https://github.com/rust-lang/rust/issues/68318 - ----- - -With the feature gate `negative_impls`, you can write negative impls as well as positive ones: - -```rust -#![feature(negative_impls)] -trait DerefMut { } -impl !DerefMut for &T { } -``` - -Negative impls indicate a semver guarantee that the given trait will not be implemented for the given types. Negative impls play an additional purpose for auto traits, described below. - -Negative impls have the following characteristics: - -* They do not have any items. -* They must obey the orphan rules as if they were a positive impl. -* They cannot "overlap" with any positive impls. - -## Semver interaction - -It is a breaking change to remove a negative impl. Negative impls are a commitment not to implement the given trait for the named types. - -## Orphan and overlap rules - -Negative impls must obey the same orphan rules as a positive impl. This implies you cannot add a negative impl for types defined in upstream crates and so forth. - -Similarly, negative impls cannot overlap with positive impls, again using the same "overlap" check that we ordinarily use to determine if two impls overlap. (Note that positive impls typically cannot overlap with one another either, except as permitted by specialization.) - -## Interaction with auto traits - -Declaring a negative impl `impl !SomeAutoTrait for SomeType` for an -auto-trait serves two purposes: - -* as with any trait, it declares that `SomeType` will never implement `SomeAutoTrait`; -* it disables the automatic `SomeType: SomeAutoTrait` impl that would otherwise have been generated. - -Note that, at present, there is no way to indicate that a given type -does not implement an auto trait *but that it may do so in the -future*. For ordinary types, this is done by simply not declaring any -impl at all, but that is not an option for auto traits. A workaround -is that one could embed a marker type as one of the fields, where the -marker type is `!AutoTrait`. - -## Immediate uses - -Negative impls are used to declare that `&T: !DerefMut` and `&mut T: !Clone`, as required to fix the soundness of `Pin` described in [#66544](https://github.com/rust-lang/rust/issues/66544). - -This serves two purposes: - -* For proving the correctness of unsafe code, we can use that impl as evidence that no `DerefMut` or `Clone` impl exists. -* It prevents downstream crates from creating such impls. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-coverage.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-coverage.md deleted file mode 100644 index 327cdb39791a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-coverage.md +++ /dev/null @@ -1,30 +0,0 @@ -# `no_coverage` - -The tracking issue for this feature is: [#84605] - -[#84605]: https://github.com/rust-lang/rust/issues/84605 - ---- - -The `no_coverage` attribute can be used to selectively disable coverage -instrumentation in an annotated function. This might be useful to: - -- Avoid instrumentation overhead in a performance critical function -- Avoid generating coverage for a function that is not meant to be executed, - but still target 100% coverage for the rest of the program. - -## Example - -```rust -#![feature(no_coverage)] - -// `foo()` will get coverage instrumentation (by default) -fn foo() { - // ... -} - -#[no_coverage] -fn bar() { - // ... -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-sanitize.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-sanitize.md deleted file mode 100644 index 28c683934d4e..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/no-sanitize.md +++ /dev/null @@ -1,29 +0,0 @@ -# `no_sanitize` - -The tracking issue for this feature is: [#39699] - -[#39699]: https://github.com/rust-lang/rust/issues/39699 - ------------------------- - -The `no_sanitize` attribute can be used to selectively disable sanitizer -instrumentation in an annotated function. This might be useful to: avoid -instrumentation overhead in a performance critical function, or avoid -instrumenting code that contains constructs unsupported by given sanitizer. - -The precise effect of this annotation depends on particular sanitizer in use. -For example, with `no_sanitize(thread)`, the thread sanitizer will no longer -instrument non-atomic store / load operations, but it will instrument atomic -operations to avoid reporting false positives and provide meaning full stack -traces. - -## Examples - -``` rust -#![feature(no_sanitize)] - -#[no_sanitize(address)] -fn foo() { - // ... -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/plugin.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/plugin.md deleted file mode 100644 index 040f46f8b7c7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/plugin.md +++ /dev/null @@ -1,116 +0,0 @@ -# `plugin` - -The tracking issue for this feature is: [#29597] - -[#29597]: https://github.com/rust-lang/rust/issues/29597 - - -This feature is part of "compiler plugins." It will often be used with the -`rustc_private` feature. - ------------------------- - -`rustc` can load compiler plugins, which are user-provided libraries that -extend the compiler's behavior with new lint checks, etc. - -A plugin is a dynamic library crate with a designated *registrar* function that -registers extensions with `rustc`. Other crates can load these extensions using -the crate attribute `#![plugin(...)]`. See the -`rustc_driver::plugin` documentation for more about the -mechanics of defining and loading a plugin. - -In the vast majority of cases, a plugin should *only* be used through -`#![plugin]` and not through an `extern crate` item. Linking a plugin would -pull in all of librustc_ast and librustc as dependencies of your crate. This is -generally unwanted unless you are building another plugin. - -The usual practice is to put compiler plugins in their own crate, separate from -any `macro_rules!` macros or ordinary Rust code meant to be used by consumers -of a library. - -# Lint plugins - -Plugins can extend [Rust's lint -infrastructure](../../reference/attributes/diagnostics.md#lint-check-attributes) with -additional checks for code style, safety, etc. Now let's write a plugin -[`lint-plugin-test.rs`](https://github.com/rust-lang/rust/blob/master/src/test/ui-fulldeps/auxiliary/lint-plugin-test.rs) -that warns about any item named `lintme`. - -```rust,ignore (requires-stage-2) -#![feature(box_syntax, rustc_private)] - -extern crate rustc_ast; - -// Load rustc as a plugin to get macros -extern crate rustc_driver; -#[macro_use] -extern crate rustc_lint; -#[macro_use] -extern crate rustc_session; - -use rustc_driver::plugin::Registry; -use rustc_lint::{EarlyContext, EarlyLintPass, LintArray, LintContext, LintPass}; -use rustc_ast::ast; -declare_lint!(TEST_LINT, Warn, "Warn about items named 'lintme'"); - -declare_lint_pass!(Pass => [TEST_LINT]); - -impl EarlyLintPass for Pass { - fn check_item(&mut self, cx: &EarlyContext, it: &ast::Item) { - if it.ident.name.as_str() == "lintme" { - cx.lint(TEST_LINT, |lint| { - lint.build("item is named 'lintme'").set_span(it.span).emit() - }); - } - } -} - -#[no_mangle] -fn __rustc_plugin_registrar(reg: &mut Registry) { - reg.lint_store.register_lints(&[&TEST_LINT]); - reg.lint_store.register_early_pass(|| box Pass); -} -``` - -Then code like - -```rust,ignore (requires-plugin) -#![feature(plugin)] -#![plugin(lint_plugin_test)] - -fn lintme() { } -``` - -will produce a compiler warning: - -```txt -foo.rs:4:1: 4:16 warning: item is named 'lintme', #[warn(test_lint)] on by default -foo.rs:4 fn lintme() { } - ^~~~~~~~~~~~~~~ -``` - -The components of a lint plugin are: - -* one or more `declare_lint!` invocations, which define static `Lint` structs; - -* a struct holding any state needed by the lint pass (here, none); - -* a `LintPass` - implementation defining how to check each syntax element. A single - `LintPass` may call `span_lint` for several different `Lint`s, but should - register them all through the `get_lints` method. - -Lint passes are syntax traversals, but they run at a late stage of compilation -where type information is available. `rustc`'s [built-in -lints](https://github.com/rust-lang/rust/blob/master/src/librustc_session/lint/builtin.rs) -mostly use the same infrastructure as lint plugins, and provide examples of how -to access type information. - -Lints defined by plugins are controlled by the usual [attributes and compiler -flags](../../reference/attributes/diagnostics.md#lint-check-attributes), e.g. -`#[allow(test_lint)]` or `-A test-lint`. These identifiers are derived from the -first argument to `declare_lint!`, with appropriate case and punctuation -conversion. - -You can run `rustc -W help foo.rs` to see a list of lints known to `rustc`, -including those provided by plugins loaded by `foo.rs`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/profiler-runtime.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/profiler-runtime.md deleted file mode 100644 index aee86f63952a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/profiler-runtime.md +++ /dev/null @@ -1,5 +0,0 @@ -# `profiler_runtime` - -The tracking issue for this feature is: [#42524](https://github.com/rust-lang/rust/issues/42524). - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/raw-dylib.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/raw-dylib.md deleted file mode 100644 index 23fc5b3052d8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/raw-dylib.md +++ /dev/null @@ -1,34 +0,0 @@ -# `raw_dylib` - -The tracking issue for this feature is: [#58713] - -[#58713]: https://github.com/rust-lang/rust/issues/58713 - ------------------------- - -The `raw_dylib` feature allows you to link against the implementations of functions in an `extern` -block without, on Windows, linking against an import library. - -```rust,ignore (partial-example) -#![feature(raw_dylib)] - -#[link(name="library", kind="raw-dylib")] -extern { - fn extern_function(x: i32); -} - -fn main() { - unsafe { - extern_function(14); - } -} -``` - -## Limitations - -Currently, this feature is only supported on `-windows-msvc` targets. Non-Windows platforms don't have import -libraries, and an incompatibility between LLVM and the BFD linker means that it is not currently supported on -`-windows-gnu` targets. - -On the `i686-pc-windows-msvc` target, this feature supports only the `cdecl`, `stdcall`, `system`, and `fastcall` -calling conventions. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/repr128.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/repr128.md deleted file mode 100644 index 146f50ee67b5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/repr128.md +++ /dev/null @@ -1,18 +0,0 @@ -# `repr128` - -The tracking issue for this feature is: [#56071] - -[#56071]: https://github.com/rust-lang/rust/issues/56071 - ------------------------- - -The `repr128` feature adds support for `#[repr(u128)]` on `enum`s. - -```rust -#![feature(repr128)] - -#[repr(u128)] -enum Foo { - Bar(u64), -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/rustc-attrs.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/rustc-attrs.md deleted file mode 100644 index c67b806f06af..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/rustc-attrs.md +++ /dev/null @@ -1,53 +0,0 @@ -# `rustc_attrs` - -This feature has no tracking issue, and is therefore internal to -the compiler, not being intended for general use. - -Note: `rustc_attrs` enables many rustc-internal attributes and this page -only discuss a few of them. - ------------------------- - -The `rustc_attrs` feature allows debugging rustc type layouts by using -`#[rustc_layout(...)]` to debug layout at compile time (it even works -with `cargo check`) as an alternative to `rustc -Z print-type-sizes` -that is way more verbose. - -Options provided by `#[rustc_layout(...)]` are `debug`, `size`, `align`, -`abi`. Note that it only works on sized types without generics. - -## Examples - -```rust,compile_fail -#![feature(rustc_attrs)] - -#[rustc_layout(abi, size)] -pub enum X { - Y(u8, u8, u8), - Z(isize), -} -``` - -When that is compiled, the compiler will error with something like - -```text -error: abi: Aggregate { sized: true } - --> src/lib.rs:4:1 - | -4 | / pub enum T { -5 | | Y(u8, u8, u8), -6 | | Z(isize), -7 | | } - | |_^ - -error: size: Size { raw: 16 } - --> src/lib.rs:4:1 - | -4 | / pub enum T { -5 | | Y(u8, u8, u8), -6 | | Z(isize), -7 | | } - | |_^ - -error: aborting due to 2 previous errors -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-alias.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-alias.md deleted file mode 100644 index f1be053ddc42..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-alias.md +++ /dev/null @@ -1,34 +0,0 @@ -# `trait_alias` - -The tracking issue for this feature is: [#41517] - -[#41517]: https://github.com/rust-lang/rust/issues/41517 - ------------------------- - -The `trait_alias` feature adds support for trait aliases. These allow aliases -to be created for one or more traits (currently just a single regular trait plus -any number of auto-traits), and used wherever traits would normally be used as -either bounds or trait objects. - -```rust -#![feature(trait_alias)] - -trait Foo = std::fmt::Debug + Send; -trait Bar = Foo + Sync; - -// Use trait alias as bound on type parameter. -fn foo(v: &T) { - println!("{:?}", v); -} - -pub fn main() { - foo(&1); - - // Use trait alias for trait objects. - let a: &Bar = &123; - println!("{:?}", a); - let b = Box::new(456) as Box; - println!("{:?}", b); -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-upcasting.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-upcasting.md deleted file mode 100644 index 3697ae38f9d8..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/trait-upcasting.md +++ /dev/null @@ -1,27 +0,0 @@ -# `trait_upcasting` - -The tracking issue for this feature is: [#65991] - -[#65991]: https://github.com/rust-lang/rust/issues/65991 - ------------------------- - -The `trait_upcasting` feature adds support for trait upcasting coercion. This allows a -trait object of type `dyn Bar` to be cast to a trait object of type `dyn Foo` -so long as `Bar: Foo`. - -```rust,edition2018 -#![feature(trait_upcasting)] -#![allow(incomplete_features)] - -trait Foo {} - -trait Bar: Foo {} - -impl Foo for i32 {} - -impl Bar for T {} - -let bar: &dyn Bar = &123; -let foo: &dyn Foo = bar; -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/transparent-unions.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/transparent-unions.md deleted file mode 100644 index 9b39b8971644..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/transparent-unions.md +++ /dev/null @@ -1,83 +0,0 @@ -# `transparent_unions` - -The tracking issue for this feature is [#60405] - -[#60405]: https://github.com/rust-lang/rust/issues/60405 - ----- - -The `transparent_unions` feature allows you mark `union`s as -`#[repr(transparent)]`. A `union` may be `#[repr(transparent)]` in exactly the -same conditions in which a `struct` may be `#[repr(transparent)]` (generally, -this means the `union` must have exactly one non-zero-sized field). Some -concrete illustrations follow. - -```rust -#![feature(transparent_unions)] - -// This union has the same representation as `f32`. -#[repr(transparent)] -union SingleFieldUnion { - field: f32, -} - -// This union has the same representation as `usize`. -#[repr(transparent)] -union MultiFieldUnion { - field: usize, - nothing: (), -} -``` - -For consistency with transparent `struct`s, `union`s must have exactly one -non-zero-sized field. If all fields are zero-sized, the `union` must not be -`#[repr(transparent)]`: - -```rust -#![feature(transparent_unions)] - -// This (non-transparent) union is already valid in stable Rust: -pub union GoodUnion { - pub nothing: (), -} - -// Error: transparent union needs exactly one non-zero-sized field, but has 0 -// #[repr(transparent)] -// pub union BadUnion { -// pub nothing: (), -// } -``` - -The one exception is if the `union` is generic over `T` and has a field of type -`T`, it may be `#[repr(transparent)]` even if `T` is a zero-sized type: - -```rust -#![feature(transparent_unions)] - -// This union has the same representation as `T`. -#[repr(transparent)] -pub union GenericUnion { // Unions with non-`Copy` fields are unstable. - pub field: T, - pub nothing: (), -} - -// This is okay even though `()` is a zero-sized type. -pub const THIS_IS_OKAY: GenericUnion<()> = GenericUnion { field: () }; -``` - -Like transarent `struct`s, a transparent `union` of type `U` has the same -layout, size, and ABI as its single non-ZST field. If it is generic over a type -`T`, and all its fields are ZSTs except for exactly one field of type `T`, then -it has the same layout and ABI as `T` (even if `T` is a ZST when monomorphized). - -Like transparent `struct`s, transparent `union`s are FFI-safe if and only if -their underlying representation type is also FFI-safe. - -A `union` may not be eligible for the same nonnull-style optimizations that a -`struct` or `enum` (with the same fields) are eligible for. Adding -`#[repr(transparent)]` to `union` does not change this. To give a more concrete -example, it is unspecified whether `size_of::()` is equal to -`size_of::>()`, where `T` is a `union` (regardless of whether or not -it is transparent). The Rust compiler is free to perform this optimization if -possible, but is not required to, and different compiler versions may differ in -their application of these optimizations. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/try-blocks.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/try-blocks.md deleted file mode 100644 index e342c260a739..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/try-blocks.md +++ /dev/null @@ -1,30 +0,0 @@ -# `try_blocks` - -The tracking issue for this feature is: [#31436] - -[#31436]: https://github.com/rust-lang/rust/issues/31436 - ------------------------- - -The `try_blocks` feature adds support for `try` blocks. A `try` -block creates a new scope one can use the `?` operator in. - -```rust,edition2018 -#![feature(try_blocks)] - -use std::num::ParseIntError; - -let result: Result = try { - "1".parse::()? - + "2".parse::()? - + "3".parse::()? -}; -assert_eq!(result, Ok(6)); - -let result: Result = try { - "1".parse::()? - + "foo".parse::()? - + "3".parse::()? -}; -assert!(result.is_err()); -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/type-changing-struct-update.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/type-changing-struct-update.md deleted file mode 100644 index 9909cf35b5b5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/type-changing-struct-update.md +++ /dev/null @@ -1,33 +0,0 @@ -# `type_changing_struct_update` - -The tracking issue for this feature is: [#86555] - -[#86555]: https://github.com/rust-lang/rust/issues/86555 - ------------------------- - -This implements [RFC2528]. When turned on, you can create instances of the same struct -that have different generic type or lifetime parameters. - -[RFC2528]: https://github.com/rust-lang/rfcs/blob/master/text/2528-type-changing-struct-update-syntax.md - -```rust -#![allow(unused_variables, dead_code)] -#![feature(type_changing_struct_update)] - -fn main () { - struct Foo { - field1: T, - field2: U, - } - - let base: Foo = Foo { - field1: String::from("hello"), - field2: 1234, - }; - let updated: Foo = Foo { - field1: 3.14, - ..base - }; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unboxed-closures.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/unboxed-closures.md deleted file mode 100644 index e4113d72d091..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unboxed-closures.md +++ /dev/null @@ -1,25 +0,0 @@ -# `unboxed_closures` - -The tracking issue for this feature is [#29625] - -See Also: [`fn_traits`](../library-features/fn-traits.md) - -[#29625]: https://github.com/rust-lang/rust/issues/29625 - ----- - -The `unboxed_closures` feature allows you to write functions using the `"rust-call"` ABI, -required for implementing the [`Fn*`] family of traits. `"rust-call"` functions must have -exactly one (non self) argument, a tuple representing the argument list. - -[`Fn*`]: https://doc.rust-lang.org/std/ops/trait.Fn.html - -```rust -#![feature(unboxed_closures)] - -extern "rust-call" fn add_args(args: (u32, u32)) -> u32 { - args.0 + args.1 -} - -fn main() {} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-locals.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-locals.md deleted file mode 100644 index d5b01a3d6168..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-locals.md +++ /dev/null @@ -1,175 +0,0 @@ -# `unsized_locals` - -The tracking issue for this feature is: [#48055] - -[#48055]: https://github.com/rust-lang/rust/issues/48055 - ------------------------- - -This implements [RFC1909]. When turned on, you can have unsized arguments and locals: - -[RFC1909]: https://github.com/rust-lang/rfcs/blob/master/text/1909-unsized-rvalues.md - -```rust -#![allow(incomplete_features)] -#![feature(unsized_locals, unsized_fn_params)] - -use std::any::Any; - -fn main() { - let x: Box = Box::new(42); - let x: dyn Any = *x; - // ^ unsized local variable - // ^^ unsized temporary - foo(x); -} - -fn foo(_: dyn Any) {} -// ^^^^^^ unsized argument -``` - -The RFC still forbids the following unsized expressions: - -```rust,compile_fail -#![feature(unsized_locals)] - -use std::any::Any; - -struct MyStruct { - content: T, -} - -struct MyTupleStruct(T); - -fn answer() -> Box { - Box::new(42) -} - -fn main() { - // You CANNOT have unsized statics. - static X: dyn Any = *answer(); // ERROR - const Y: dyn Any = *answer(); // ERROR - - // You CANNOT have struct initialized unsized. - MyStruct { content: *answer() }; // ERROR - MyTupleStruct(*answer()); // ERROR - (42, *answer()); // ERROR - - // You CANNOT have unsized return types. - fn my_function() -> dyn Any { *answer() } // ERROR - - // You CAN have unsized local variables... - let mut x: dyn Any = *answer(); // OK - // ...but you CANNOT reassign to them. - x = *answer(); // ERROR - - // You CANNOT even initialize them separately. - let y: dyn Any; // OK - y = *answer(); // ERROR - - // Not mentioned in the RFC, but by-move captured variables are also Sized. - let x: dyn Any = *answer(); - (move || { // ERROR - let y = x; - })(); - - // You CAN create a closure with unsized arguments, - // but you CANNOT call it. - // This is an implementation detail and may be changed in the future. - let f = |x: dyn Any| {}; - f(*answer()); // ERROR -} -``` - -## By-value trait objects - -With this feature, you can have by-value `self` arguments without `Self: Sized` bounds. - -```rust -#![feature(unsized_fn_params)] - -trait Foo { - fn foo(self) {} -} - -impl Foo for T {} - -fn main() { - let slice: Box<[i32]> = Box::new([1, 2, 3]); - <[i32] as Foo>::foo(*slice); -} -``` - -And `Foo` will also be object-safe. - -```rust -#![feature(unsized_fn_params)] - -trait Foo { - fn foo(self) {} -} - -impl Foo for T {} - -fn main () { - let slice: Box = Box::new([1, 2, 3]); - // doesn't compile yet - ::foo(*slice); -} -``` - -One of the objectives of this feature is to allow `Box`. - -## Variable length arrays - -The RFC also describes an extension to the array literal syntax: `[e; dyn n]`. In the syntax, `n` isn't necessarily a constant expression. The array is dynamically allocated on the stack and has the type of `[T]`, instead of `[T; n]`. - -```rust,ignore (not-yet-implemented) -#![feature(unsized_locals)] - -fn mergesort(a: &mut [T]) { - let mut tmp = [T; dyn a.len()]; - // ... -} - -fn main() { - let mut a = [3, 1, 5, 6]; - mergesort(&mut a); - assert_eq!(a, [1, 3, 5, 6]); -} -``` - -VLAs are not implemented yet. The syntax isn't final, either. We may need an alternative syntax for Rust 2015 because, in Rust 2015, expressions like `[e; dyn(1)]` would be ambiguous. One possible alternative proposed in the RFC is `[e; n]`: if `n` captures one or more local variables, then it is considered as `[e; dyn n]`. - -## Advisory on stack usage - -It's advised not to casually use the `#![feature(unsized_locals)]` feature. Typical use-cases are: - -- When you need a by-value trait objects. -- When you really need a fast allocation of small temporary arrays. - -Another pitfall is repetitive allocation and temporaries. Currently the compiler simply extends the stack frame every time it encounters an unsized assignment. So for example, the code - -```rust -#![feature(unsized_locals)] - -fn main() { - let x: Box<[i32]> = Box::new([1, 2, 3, 4, 5]); - let _x = {{{{{{{{{{*x}}}}}}}}}}; -} -``` - -and the code - -```rust -#![feature(unsized_locals)] - -fn main() { - for _ in 0..10 { - let x: Box<[i32]> = Box::new([1, 2, 3, 4, 5]); - let _x = *x; - } -} -``` - -will unnecessarily extend the stack frame. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-tuple-coercion.md b/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-tuple-coercion.md deleted file mode 100644 index 310c8d962948..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/language-features/unsized-tuple-coercion.md +++ /dev/null @@ -1,27 +0,0 @@ -# `unsized_tuple_coercion` - -The tracking issue for this feature is: [#42877] - -[#42877]: https://github.com/rust-lang/rust/issues/42877 - ------------------------- - -This is a part of [RFC0401]. According to the RFC, there should be an implementation like this: - -```rust,ignore (partial-example) -impl<..., T, U: ?Sized> Unsized<(..., U)> for (..., T) where T: Unsized {} -``` - -This implementation is currently gated behind `#[feature(unsized_tuple_coercion)]` to avoid insta-stability. Therefore you can use it like this: - -```rust -#![feature(unsized_tuple_coercion)] - -fn main() { - let x : ([i32; 3], [i32; 3]) = ([1, 2, 3], [4, 5, 6]); - let y : &([i32; 3], [i32]) = &x; - assert_eq!(y.1[0], 4); -} -``` - -[RFC0401]: https://github.com/rust-lang/rfcs/blob/master/text/0401-coercions.md diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features.md deleted file mode 100644 index 9f537e26132b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features.md +++ /dev/null @@ -1 +0,0 @@ -# Library Features diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/allocator-api.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/allocator-api.md deleted file mode 100644 index 9f045ce08a43..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/allocator-api.md +++ /dev/null @@ -1,15 +0,0 @@ -# `allocator_api` - -The tracking issue for this feature is [#32838] - -[#32838]: https://github.com/rust-lang/rust/issues/32838 - ------------------------- - -Sometimes you want the memory for one collection to use a different -allocator than the memory for another collection. In this case, -replacing the global allocator is not a workable option. Instead, -you need to pass in an instance of an `AllocRef` to each collection -for which you want a custom allocator. - -TBD diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-variadic.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-variadic.md deleted file mode 100644 index 77762116e6b1..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-variadic.md +++ /dev/null @@ -1,26 +0,0 @@ -# `c_variadic` - -The tracking issue for this feature is: [#44930] - -[#44930]: https://github.com/rust-lang/rust/issues/44930 - ------------------------- - -The `c_variadic` library feature exposes the `VaList` structure, -Rust's analogue of C's `va_list` type. - -## Examples - -```rust -#![feature(c_variadic)] - -use std::ffi::VaList; - -pub unsafe extern "C" fn vadd(n: usize, mut args: VaList) -> usize { - let mut sum = 0; - for _ in 0..n { - sum += args.arg::(); - } - sum -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-void-variant.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-void-variant.md deleted file mode 100644 index a2fdc9936300..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/c-void-variant.md +++ /dev/null @@ -1,5 +0,0 @@ -# `c_void_variant` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/char-error-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/char-error-internals.md deleted file mode 100644 index 8013b4988e14..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/char-error-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `char_error_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/concat-idents.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/concat-idents.md deleted file mode 100644 index 73f6cfa21787..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/concat-idents.md +++ /dev/null @@ -1,22 +0,0 @@ -# `concat_idents` - -The tracking issue for this feature is: [#29599] - -[#29599]: https://github.com/rust-lang/rust/issues/29599 - ------------------------- - -The `concat_idents` feature adds a macro for concatenating multiple identifiers -into one identifier. - -## Examples - -```rust -#![feature(concat_idents)] - -fn main() { - fn foobar() -> u32 { 23 } - let f = concat_idents!(foo, bar); - assert_eq!(f(), 23); -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-intrinsics.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-intrinsics.md deleted file mode 100644 index 28ad3525ef7a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-intrinsics.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_intrinsics` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-panic.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-panic.md deleted file mode 100644 index c197588404c9..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-panic.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_panic` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-bignum.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-bignum.md deleted file mode 100644 index f85811c545e4..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-bignum.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_private_bignum` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-diy-float.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-diy-float.md deleted file mode 100644 index 8465921d673b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/core-private-diy-float.md +++ /dev/null @@ -1,5 +0,0 @@ -# `core_private_diy_float` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/dec2flt.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/dec2flt.md deleted file mode 100644 index 311ab4adcfd7..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/dec2flt.md +++ /dev/null @@ -1,5 +0,0 @@ -# `dec2flt` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/default-free-fn.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/default-free-fn.md deleted file mode 100644 index d40a27dddf36..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/default-free-fn.md +++ /dev/null @@ -1,47 +0,0 @@ -# `default_free_fn` - -The tracking issue for this feature is: [#73014] - -[#73014]: https://github.com/rust-lang/rust/issues/73014 - ------------------------- - -Adds a free `default()` function to the `std::default` module. This function -just forwards to [`Default::default()`], but may remove repetition of the word -"default" from the call site. - -[`Default::default()`]: https://doc.rust-lang.org/nightly/std/default/trait.Default.html#tymethod.default - -Here is an example: - -```rust -#![feature(default_free_fn)] -use std::default::default; - -#[derive(Default)] -struct AppConfig { - foo: FooConfig, - bar: BarConfig, -} - -#[derive(Default)] -struct FooConfig { - foo: i32, -} - -#[derive(Default)] -struct BarConfig { - bar: f32, - baz: u8, -} - -fn main() { - let options = AppConfig { - foo: default(), - bar: BarConfig { - bar: 10.1, - ..default() - }, - }; -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-clone-copy.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-clone-copy.md deleted file mode 100644 index cc603911cbd2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-clone-copy.md +++ /dev/null @@ -1,5 +0,0 @@ -# `derive_clone_copy` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-eq.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-eq.md deleted file mode 100644 index 68a275f5419d..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/derive-eq.md +++ /dev/null @@ -1,5 +0,0 @@ -# `derive_eq` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd-read.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd-read.md deleted file mode 100644 index e78d4330abfc..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd-read.md +++ /dev/null @@ -1,5 +0,0 @@ -# `fd_read` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd.md deleted file mode 100644 index 0414244285ba..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fd.md +++ /dev/null @@ -1,5 +0,0 @@ -# `fd` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/flt2dec.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/flt2dec.md deleted file mode 100644 index 15e62a3a7dad..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/flt2dec.md +++ /dev/null @@ -1,5 +0,0 @@ -# `flt2dec` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fmt-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fmt-internals.md deleted file mode 100644 index 7cbe3c89a644..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fmt-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `fmt_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fn-traits.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/fn-traits.md deleted file mode 100644 index 29a8aecee6c2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/fn-traits.md +++ /dev/null @@ -1,35 +0,0 @@ -# `fn_traits` - -The tracking issue for this feature is [#29625] - -See Also: [`unboxed_closures`](../language-features/unboxed-closures.md) - -[#29625]: https://github.com/rust-lang/rust/issues/29625 - ----- - -The `fn_traits` feature allows for implementation of the [`Fn*`] traits -for creating custom closure-like types. - -[`Fn*`]: https://doc.rust-lang.org/std/ops/trait.Fn.html - -```rust -#![feature(unboxed_closures)] -#![feature(fn_traits)] - -struct Adder { - a: u32 -} - -impl FnOnce<(u32, )> for Adder { - type Output = u32; - extern "rust-call" fn call_once(self, b: (u32, )) -> Self::Output { - self.a + b.0 - } -} - -fn main() { - let adder = Adder { a: 3 }; - assert_eq!(adder(2), 5); -} -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/int-error-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/int-error-internals.md deleted file mode 100644 index 402e4fa5ef6d..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/int-error-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `int_error_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/internal-output-capture.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/internal-output-capture.md deleted file mode 100644 index 7e1241fce985..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/internal-output-capture.md +++ /dev/null @@ -1,5 +0,0 @@ -# `internal_output_capture` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/is-sorted.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/is-sorted.md deleted file mode 100644 index e3b7dc3b28eb..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/is-sorted.md +++ /dev/null @@ -1,11 +0,0 @@ -# `is_sorted` - -The tracking issue for this feature is: [#53485] - -[#53485]: https://github.com/rust-lang/rust/issues/53485 - ------------------------- - -Add the methods `is_sorted`, `is_sorted_by` and `is_sorted_by_key` to `[T]`; -add the methods `is_sorted`, `is_sorted_by` and `is_sorted_by_key` to -`Iterator`. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-sys-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-sys-internals.md deleted file mode 100644 index 1b53faa8a007..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-sys-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `libstd_sys_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-thread-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-thread-internals.md deleted file mode 100644 index b682d12e7cdd..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/libstd-thread-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `libstd_thread_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/print-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/print-internals.md deleted file mode 100644 index a68557872af5..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/print-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `print_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/profiler-runtime-lib.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/profiler-runtime-lib.md deleted file mode 100644 index a01f1e73ab40..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/profiler-runtime-lib.md +++ /dev/null @@ -1,5 +0,0 @@ -# `profiler_runtime_lib` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/rt.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/rt.md deleted file mode 100644 index 007acc207a65..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/rt.md +++ /dev/null @@ -1,5 +0,0 @@ -# `rt` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/sort-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/sort-internals.md deleted file mode 100644 index 6f2385e53008..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/sort-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `sort_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/str-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/str-internals.md deleted file mode 100644 index af8ef056dbe2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/str-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `str_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/test.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/test.md deleted file mode 100644 index c99584e5fb39..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/test.md +++ /dev/null @@ -1,158 +0,0 @@ -# `test` - -The tracking issue for this feature is: None. - ------------------------- - -The internals of the `test` crate are unstable, behind the `test` flag. The -most widely used part of the `test` crate are benchmark tests, which can test -the performance of your code. Let's make our `src/lib.rs` look like this -(comments elided): - -```rust,no_run -#![feature(test)] - -extern crate test; - -pub fn add_two(a: i32) -> i32 { - a + 2 -} - -#[cfg(test)] -mod tests { - use super::*; - use test::Bencher; - - #[test] - fn it_works() { - assert_eq!(4, add_two(2)); - } - - #[bench] - fn bench_add_two(b: &mut Bencher) { - b.iter(|| add_two(2)); - } -} -``` - -Note the `test` feature gate, which enables this unstable feature. - -We've imported the `test` crate, which contains our benchmarking support. -We have a new function as well, with the `bench` attribute. Unlike regular -tests, which take no arguments, benchmark tests take a `&mut Bencher`. This -`Bencher` provides an `iter` method, which takes a closure. This closure -contains the code we'd like to benchmark. - -We can run benchmark tests with `cargo bench`: - -```bash -$ cargo bench - Compiling adder v0.0.1 (file:///home/steve/tmp/adder) - Running target/release/adder-91b3e234d4ed382a - -running 2 tests -test tests::it_works ... ignored -test tests::bench_add_two ... bench: 1 ns/iter (+/- 0) - -test result: ok. 0 passed; 0 failed; 1 ignored; 1 measured -``` - -Our non-benchmark test was ignored. You may have noticed that `cargo bench` -takes a bit longer than `cargo test`. This is because Rust runs our benchmark -a number of times, and then takes the average. Because we're doing so little -work in this example, we have a `1 ns/iter (+/- 0)`, but this would show -the variance if there was one. - -Advice on writing benchmarks: - - -* Move setup code outside the `iter` loop; only put the part you want to measure inside -* Make the code do "the same thing" on each iteration; do not accumulate or change state -* Make the outer function idempotent too; the benchmark runner is likely to run - it many times -* Make the inner `iter` loop short and fast so benchmark runs are fast and the - calibrator can adjust the run-length at fine resolution -* Make the code in the `iter` loop do something simple, to assist in pinpointing - performance improvements (or regressions) - -## Gotcha: optimizations - -There's another tricky part to writing benchmarks: benchmarks compiled with -optimizations activated can be dramatically changed by the optimizer so that -the benchmark is no longer benchmarking what one expects. For example, the -compiler might recognize that some calculation has no external effects and -remove it entirely. - -```rust,no_run -#![feature(test)] - -extern crate test; -use test::Bencher; - -#[bench] -fn bench_xor_1000_ints(b: &mut Bencher) { - b.iter(|| { - (0..1000).fold(0, |old, new| old ^ new); - }); -} -``` - -gives the following results - -```text -running 1 test -test bench_xor_1000_ints ... bench: 0 ns/iter (+/- 0) - -test result: ok. 0 passed; 0 failed; 0 ignored; 1 measured -``` - -The benchmarking runner offers two ways to avoid this. Either, the closure that -the `iter` method receives can return an arbitrary value which forces the -optimizer to consider the result used and ensures it cannot remove the -computation entirely. This could be done for the example above by adjusting the -`b.iter` call to - -```rust -# struct X; -# impl X { fn iter(&self, _: F) where F: FnMut() -> T {} } let b = X; -b.iter(|| { - // Note lack of `;` (could also use an explicit `return`). - (0..1000).fold(0, |old, new| old ^ new) -}); -``` - -Or, the other option is to call the generic `test::black_box` function, which -is an opaque "black box" to the optimizer and so forces it to consider any -argument as used. - -```rust -#![feature(test)] - -extern crate test; - -# fn main() { -# struct X; -# impl X { fn iter(&self, _: F) where F: FnMut() -> T {} } let b = X; -b.iter(|| { - let n = test::black_box(1000); - - (0..n).fold(0, |a, b| a ^ b) -}) -# } -``` - -Neither of these read or modify the value, and are very cheap for small values. -Larger values can be passed indirectly to reduce overhead (e.g. -`black_box(&huge_struct)`). - -Performing either of the above changes gives the following benchmarking results - -```text -running 1 test -test bench_xor_1000_ints ... bench: 131 ns/iter (+/- 3) - -test result: ok. 0 passed; 0 failed; 0 ignored; 1 measured -``` - -However, the optimizer can still modify a testcase in an undesirable manner -even when using either of the above. diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/thread-local-internals.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/thread-local-internals.md deleted file mode 100644 index e1cdcc339d22..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/thread-local-internals.md +++ /dev/null @@ -1,5 +0,0 @@ -# `thread_local_internals` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/trace-macros.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/trace-macros.md deleted file mode 100644 index 41aa286e69bf..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/trace-macros.md +++ /dev/null @@ -1,39 +0,0 @@ -# `trace_macros` - -The tracking issue for this feature is [#29598]. - -[#29598]: https://github.com/rust-lang/rust/issues/29598 - ------------------------- - -With `trace_macros` you can trace the expansion of macros in your code. - -## Examples - -```rust -#![feature(trace_macros)] - -fn main() { - trace_macros!(true); - println!("Hello, Rust!"); - trace_macros!(false); -} -``` - -The `cargo build` output: - -```txt -note: trace_macro - --> src/main.rs:5:5 - | -5 | println!("Hello, Rust!"); - | ^^^^^^^^^^^^^^^^^^^^^^^^^ - | - = note: expanding `println! { "Hello, Rust!" }` - = note: to `print ! ( concat ! ( "Hello, Rust!" , "\n" ) )` - = note: expanding `print! { concat ! ( "Hello, Rust!" , "\n" ) }` - = note: to `$crate :: io :: _print ( format_args ! ( concat ! ( "Hello, Rust!" , "\n" ) ) - )` - - Finished dev [unoptimized + debuginfo] target(s) in 0.60 secs -``` diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/update-panic-count.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/update-panic-count.md deleted file mode 100644 index d315647ba104..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/update-panic-count.md +++ /dev/null @@ -1,5 +0,0 @@ -# `update_panic_count` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-c.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-c.md deleted file mode 100644 index 3f833eb3d093..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-c.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_c` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-handle.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-handle.md deleted file mode 100644 index f47a8425045b..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-handle.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_handle` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-net.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-net.md deleted file mode 100644 index 174960d4f004..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-net.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_net` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-stdio.md b/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-stdio.md deleted file mode 100644 index 4d361442386a..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/library-features/windows-stdio.md +++ /dev/null @@ -1,5 +0,0 @@ -# `windows_stdio` - -This feature is internal to the Rust compiler and is not intended for general use. - ------------------------- diff --git a/tools/bookrunner/rust-doc/unstable-book/src/the-unstable-book.md b/tools/bookrunner/rust-doc/unstable-book/src/the-unstable-book.md deleted file mode 100644 index 554c52c3c9c2..000000000000 --- a/tools/bookrunner/rust-doc/unstable-book/src/the-unstable-book.md +++ /dev/null @@ -1,22 +0,0 @@ -# The Unstable Book - -Welcome to the Unstable Book! This book consists of a number of chapters, -each one organized by a "feature flag." That is, when using an unstable -feature of Rust, you must use a flag, like this: - -```rust -#![feature(box_syntax)] - -fn main() { - let five = box 5; -} -``` - -The `box_syntax` feature [has a chapter][box] describing how to use it. - -[box]: language-features/box-syntax.md - -Because this documentation relates to unstable features, we make no guarantees -that what is contained here is accurate or up to date. It's developed on a -best-effort basis. Each page will have a link to its tracking issue with the -latest developments; you might want to check those as well. diff --git a/tools/bookrunner/src/bookrunner.rs b/tools/bookrunner/src/bookrunner.rs deleted file mode 100644 index ecce5bd3e779..000000000000 --- a/tools/bookrunner/src/bookrunner.rs +++ /dev/null @@ -1,95 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Data structures representing the book report and their utilities. - -use std::fmt::{Display, Formatter, Result, Write}; - -/// This data structure holds the results of running a test or a suite. -#[derive(Clone, Debug)] -pub struct Node { - pub name: String, - pub num_pass: u32, - pub num_fail: u32, -} - -impl Node { - /// Creates a new test [`Node`]. - pub fn new(name: String, num_pass: u32, num_fail: u32) -> Node { - Node { name, num_pass, num_fail } - } -} - -/// Tree data structure representing a book report. `children` -/// represent sub-tests and sub-suites of the current test suite. This tree -/// structure allows us to collect and display a summary for test results in an -/// organized manner. -#[derive(Clone, Debug)] -pub struct Tree { - pub data: Node, - pub children: Vec, -} - -impl Tree { - /// Creates a new [`Tree`] representing a book report or a part of it. - pub fn new(data: Node, children: Vec) -> Tree { - Tree { data, children } - } - - /// Merges two trees, if their root have equal node names, and returns the - /// merged tree. - pub fn merge(mut l: Tree, r: Tree) -> Option { - if l.data.name != r.data.name { - return None; - } - // For each subtree of `r`... - for cnr in r.children { - // Look for a subtree of `l` with an equal root node name. - let index = l.children.iter().position(|cnl| cnl.data.name == cnr.data.name); - if let Some(index) = index { - // If you find one, merge it with `r`'s subtree. - let cnl = l.children.remove(index); - l.children.insert(index, Tree::merge(cnl, cnr)?); - } else { - // Otherwise, `r`'s subtree is new. So, add it to `l`'s - // list of subtrees. - l.children.push(cnr); - } - } - Some(Tree::new( - Node::new( - l.data.name, - l.data.num_pass + r.data.num_pass, - l.data.num_fail + r.data.num_fail, - ), - l.children, - )) - } - - /// A helper format function that indents each level of the tree. - fn fmt_aux(&self, p: usize, f: &mut Formatter<'_>) -> Result { - // Do not print line numbers. - if self.children.is_empty() { - return Ok(()); - } - // Write `p` spaces into the formatter. - f.write_fmt(format_args!("{:p$}", ""))?; - f.write_str(&self.data.name)?; - if self.data.num_pass > 0 { - f.write_fmt(format_args!(" ✔️ {}", self.data.num_pass))?; - } - if self.data.num_fail > 0 { - f.write_fmt(format_args!(" ❌ {}", self.data.num_fail))?; - } - f.write_char('\n')?; - for cn in &self.children { - cn.fmt_aux(p + 2, f)?; - } - Ok(()) - } -} - -impl Display for Tree { - fn fmt(&self, f: &mut Formatter<'_>) -> Result { - self.fmt_aux(0, f) - } -} diff --git a/tools/bookrunner/src/books.rs b/tools/bookrunner/src/books.rs deleted file mode 100644 index 0e8b8fb8857d..000000000000 --- a/tools/bookrunner/src/books.rs +++ /dev/null @@ -1,571 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Utilities to extract examples from Rust books, run them through Kani, and -//! display their results. - -extern crate rustc_span; - -use crate::{ - bookrunner, - litani::{Litani, LitaniPipeline, LitaniRun}, - util::{self, FailStep, TestProps}, -}; -use inflector::cases::{snakecase::to_snake_case, titlecase::to_title_case}; -use pulldown_cmark::{Event, Parser, Tag}; -use rustc_span::edition::Edition; -use rustdoc::{ - doctest::{make_test, Tester}, - html::markdown::{find_testable_code, ErrorCodes, Ignore, LangString}, -}; -use std::{ - collections::{HashMap, HashSet}, - ffi::OsStr, - fmt::Write, - fs, - io::BufReader, - iter::FromIterator, - path::{Path, PathBuf}, - str::FromStr, -}; -use walkdir::WalkDir; - -// Books may include a `SUMMARY.md` file or not. If they do, the info in -// `SummaryData` is helpful to parse the hierarchy, otherwise we use a -// `DirectoryData` structure - -// Data needed for parsing a book with a summary file -struct SummaryData { - // Path to the summary file - summary_path: PathBuf, - // Line that indicates the start of the summary section - summary_start: String, -} - -// Data needed for parsing book without a summary file -struct DirectoryData { - // Directory to be processed, starting from root of the book - src: PathBuf, - // Directory where the examples extracted from the book should reside - dest: PathBuf, -} - -// Data structure representing a Rust book -struct Book { - // Name of the book - name: String, - // Default Rust edition - default_edition: Edition, - // Data about the summary file - summary_data: Option, - // Data about the source/destination directories - directory_data: Option, - // Path to the `book.toml` file - toml_path: PathBuf, - // The hierarchy map used for example extraction - hierarchy: HashMap, -} - -impl Book { - /// Parse the chapter/section hierarchy and set the default edition - fn parse_hierarchy(&mut self) { - if self.summary_data.is_some() { - assert!(self.directory_data.is_none()); - self.parse_hierarchy_with_summary(); - } else { - assert!(self.directory_data.is_some()); - self.parse_hierarchy_without_summary(); - } - self.default_edition = self.get_rust_edition().unwrap_or(Edition::Edition2015); - } - - /// Parses the chapter/section hierarchy in the markdown file specified by - /// `summary_path` and returns a mapping from markdown files containing rust - /// code to corresponding directories where the extracted rust code should - /// reside. - fn parse_hierarchy_with_summary(&mut self) { - let summary_path = &self.summary_data.as_ref().unwrap().summary_path; - let summary_start = &self.summary_data.as_ref().unwrap().summary_start; - let summary_dir = summary_path.parent().unwrap().to_path_buf(); - let summary = fs::read_to_string(summary_path.clone()).unwrap(); - assert!( - summary.starts_with(summary_start.as_str()), - "Error: The start of {} summary file changed.", - self.name - ); - // Skip the `start` of the summary. - let n = Parser::new(summary_start.as_str()).count(); - let parser = Parser::new(&summary).skip(n); - // Set `self.name` as the root of the hierarchical path. - let mut hierarchy_path: PathBuf = - ["tests", "bookrunner", "books", self.name.as_str()].iter().collect(); - let mut prev_event_is_text_or_code = false; - for event in parser { - match event { - Event::End(Tag::Item) => { - // Pop the current chapter/section from the hierarchy once - // we are done processing it and its subsections. - hierarchy_path.pop(); - prev_event_is_text_or_code = false; - } - Event::End(Tag::Link(_, path, _)) => { - // At the start of the link tag, the hierarchy does not yet - // contain the title of the current chapter/section. So, we wait - // for the end of the link tag before adding the path and - // hierarchy of the current chapter/section to the map. - let mut full_path = summary_dir.clone(); - full_path.extend(path.split('/')); - self.hierarchy.insert(full_path, hierarchy_path.clone()); - prev_event_is_text_or_code = false; - } - Event::Text(text) | Event::Code(text) => { - // Remove characters that are problematic to the file system or - // terminal. - let text = text.replace(&['/', '(', ')', '\''][..], "_"); - // Does the chapter/section title contain normal text and inline - // code? - if prev_event_is_text_or_code { - // If so, we combine them into one hierarchy level. - let prev_text = - hierarchy_path.file_name().unwrap().to_str().unwrap().to_string(); - hierarchy_path.pop(); - hierarchy_path.push(format!("{prev_text}{text}")); - } else { - // If not, add the current title to the hierarchy. - hierarchy_path.push(&text); - } - prev_event_is_text_or_code = true; - } - _ => (), - } - } - } - - /// Parses books that do not have a `SUMMARY.md` file (i.e., a table of - /// contents). We parse them manually and make a "best effort" to make it - /// look like the online version. - fn parse_hierarchy_without_summary(&mut self) { - let directory_data = self.directory_data.as_ref().unwrap(); - let src = &directory_data.src; - let dest = &directory_data.dest; - let mut src_prefix: PathBuf = src.clone(); - let mut dest_prefix: PathBuf = dest.clone(); - for entry in WalkDir::new(&src_prefix) { - let entry = entry.unwrap().into_path(); - // `WalkDir` returns entries in a depth-first fashion. Once we are done - // processing a directory, it will jump to a different child entry of a - // predecessor. To copy examples to the correct location, we need to - // know how far back we jumped and update `dest_prefix` accordingly. - while !entry.starts_with(&src_prefix) { - src_prefix.pop(); - dest_prefix.pop(); - } - if entry.is_dir() { - src_prefix.push(entry.file_name().unwrap()); - // Follow the book's title case format for directories. - dest_prefix.push(to_title_case(entry.file_name().unwrap().to_str().unwrap())); - } else { - // Only process markdown files. - if entry.extension() == Some(OsStr::new("md")) { - let entry_stem = entry.file_stem().unwrap().to_str().unwrap(); - // If a file has the stem name as a sibling directory... - if src_prefix.join(entry.file_stem().unwrap()).exists() { - // Its extracted examples should reside under that - // directory. - self.hierarchy - .insert(entry.clone(), dest_prefix.join(to_title_case(entry_stem))); - } else { - // Otherwise, follow the book's snake case format for files. - self.hierarchy - .insert(entry.clone(), dest_prefix.join(to_snake_case(entry_stem))); - } - } - } - } - } - - // Get the Rust edition from the `book.toml` file - fn get_rust_edition(&self) -> Option { - let file = fs::read_to_string(&self.toml_path).unwrap(); - let toml_data: toml::Value = toml::from_str(&file).unwrap(); - // The Rust edition is specified in the `rust.edition` attribute - let rust_block = toml_data.get("rust")?; - let edition_attr = rust_block.get("edition")?; - let edition_str = edition_attr.as_str()?; - Some(Edition::from_str(edition_str).unwrap()) - } - - /// Extracts examples from the markdown files specified by each key in the given - /// `map`, pre-processes those examples, and saves them in the directory - /// specified by the corresponding value. - fn extract_examples(&self) { - let mut config_paths = get_config_paths(self.name.as_str()); - for (par_from, par_to) in &self.hierarchy { - extract(par_from, par_to, &mut config_paths, self.default_edition); - } - if !config_paths.is_empty() { - panic!( - "Error: The examples corresponding to the following config files \ - were not encountered in the pre-processing step:\n{}This is most \ - likely because the line numbers of the config files are not in \ - sync with the line numbers of the corresponding code blocks in \ - the latest versions of the Rust books. Please update the line \ - numbers of the config files and rerun the program.", - paths_to_string(config_paths) - ); - } - } -} -/// Set up [The Rust Reference](https://doc.rust-lang.org/nightly/reference) -/// book. -fn setup_reference_book() -> Book { - let summary_data = SummaryData { - summary_start: "# The Rust Reference\n\n[Introduction](introduction.md)".to_string(), - summary_path: ["tools", "bookrunner", "rust-doc", "reference", "src", "SUMMARY.md"] - .iter() - .collect(), - }; - Book { - name: "The Rust Reference".to_string(), - summary_data: Some(summary_data), - directory_data: None, - toml_path: ["tools", "bookrunner", "rust-doc", "reference", "book.toml"].iter().collect(), - hierarchy: HashMap::from_iter([( - ["tools", "bookrunner", "rust-doc", "reference", "src", "introduction.md"] - .iter() - .collect(), - ["tests", "bookrunner", "books", "The Rust Reference", "Introduction"].iter().collect(), - )]), - default_edition: Edition::Edition2015, - } -} - -/// Set up [The Rustonomicon](https://doc.rust-lang.org/nightly/nomicon) book. -fn setup_nomicon_book() -> Book { - let summary_data = SummaryData { - summary_path: ["tools", "bookrunner", "rust-doc", "nomicon", "src", "SUMMARY.md"] - .iter() - .collect(), - summary_start: "# Summary\n\n[Introduction](intro.md)".to_string(), - }; - Book { - name: "The Rustonomicon".to_string(), - summary_data: Some(summary_data), - directory_data: None, - toml_path: ["tools", "bookrunner", "rust-doc", "nomicon", "book.toml"].iter().collect(), - hierarchy: HashMap::from_iter([( - ["tools", "bookrunner", "rust-doc", "nomicon", "src", "intro.md"].iter().collect(), - ["tests", "bookrunner", "books", "The Rustonomicon", "Introduction"].iter().collect(), - )]), - default_edition: Edition::Edition2015, - } -} - -/// Set up the -/// [Rust Unstable Book](https://doc.rust-lang.org/beta/unstable-book/). -fn setup_unstable_book() -> Book { - let directory_data = DirectoryData { - src: ["tools", "bookrunner", "rust-doc", "unstable-book", "src"].iter().collect(), - dest: ["tests", "bookrunner", "books", "The Unstable Book"].iter().collect(), - }; - Book { - name: "The Rust Unstable Book".to_string(), - summary_data: None, - directory_data: Some(directory_data), - toml_path: ["tools", "bookrunner", "rust-doc", "unstable-book", "book.toml"] - .iter() - .collect(), - hierarchy: HashMap::new(), - default_edition: Edition::Edition2015, - } -} - -/// Set up the -/// [Rust by Example](https://doc.rust-lang.org/nightly/rust-by-example) book. -fn setup_rust_by_example_book() -> Book { - let summary_data = SummaryData { - summary_path: ["tools", "bookrunner", "rust-doc", "rust-by-example", "src", "SUMMARY.md"] - .iter() - .collect(), - summary_start: "# Summary\n\n[Introduction](index.md)".to_string(), - }; - Book { - name: "Rust by Example".to_string(), - summary_data: Some(summary_data), - directory_data: None, - toml_path: ["tools", "bookrunner", "rust-doc", "rust-by-example", "book.toml"] - .iter() - .collect(), - hierarchy: HashMap::from_iter([( - ["tools", "bookrunner", "rust-doc", "rust-by-example", "src", "index.md"] - .iter() - .collect(), - ["tests", "bookrunner", "books", "Rust by Example", "Introduction"].iter().collect(), - )]), - default_edition: Edition::Edition2015, - } -} - -/// This data structure contains the code and configs of an example in the Rust books. -struct Example { - /// The example code extracted from a codeblock. - code: String, - // Line number of the code block. - line: usize, - // Configurations in the header of the codeblock. - config: LangString, -} - -/// Data structure representing a list of examples. Mainly for implementing the -/// [`Tester`] trait. -struct Examples(Vec); - -impl Tester for Examples { - fn add_test(&mut self, test: String, config: LangString, line: usize) { - if config.ignore != Ignore::All { - self.0.push(Example { code: test, line, config }) - } - } -} - -/// Applies the diff corresponding to `example` with parent `path` (if it exists). -fn apply_diff(path: &Path, example: &mut Example, config_paths: &mut HashSet) { - let config_dir: PathBuf = ["tools", "bookrunner", "configs"].iter().collect(); - let test_dir: PathBuf = ["tests", "bookrunner"].iter().collect(); - // `path` has the following form: - // `tests/bookrunner/books/ - // If `example` has a custom diff file, the path to the diff file will have - // the following form: - // `tools/bookrunner/configs/books//.diff` - // where is the same for both paths. - let mut diff_path = config_dir.join(path.strip_prefix(&test_dir).unwrap()); - diff_path.extend_one(format!("{}.diff", example.line)); - if diff_path.exists() { - config_paths.remove(&diff_path); - let mut code_lines: Vec<_> = example.code.lines().collect(); - let diff = fs::read_to_string(diff_path).unwrap(); - for line in diff.lines() { - // `*.diff` files have a simple format: - // `- ` for removing lines. - // `+ ` for inserting lines. - // Notice that for a series of `+` and `-`, the developer must keep - // track of the changing line numbers. - let mut split = line.splitn(3, ' '); - let symbol = split.next().unwrap(); - let line = split.next().unwrap().parse::().unwrap() - 1; - if symbol == "+" { - let diff = split.next().unwrap(); - code_lines.insert(line, diff); - } else { - code_lines.remove(line); - } - } - example.code = code_lines.join("\n"); - } -} - -/// Prepends example properties in `example.config` to the code in `example.code`. -fn prepend_props(path: &Path, example: &mut Example, config_paths: &mut HashSet) { - let config_dir: PathBuf = ["tools", "bookrunner", "configs"].iter().collect(); - let test_dir: PathBuf = ["tests", "bookrunner"].iter().collect(); - // `path` has the following form: - // `tests/bookrunner/books/ - // If `example` has a custom props file, the path to the props file will - // have the following form: - // `tools/bookrunner/configs/books//.props` - // where is the same for both paths. - let mut props_path = config_dir.join(path.strip_prefix(&test_dir).unwrap()); - props_path.extend_one(format!("{}.props", example.line)); - let mut props = if props_path.exists() { - config_paths.remove(&props_path); - util::parse_test_header(&props_path) - } else { - TestProps::new(path.to_path_buf(), None, Vec::new(), Vec::new()) - }; - // Add edition flag to the example - let edition_year = format!("{}", example.config.edition.unwrap()); - props.rustc_args.push(String::from("--edition")); - props.rustc_args.push(edition_year); - - if props.fail_step.is_none() { - if example.config.compile_fail { - // Most examples with `compile_fail` annotation fail because of - // check errors. This heuristic can be overridden by manually - //specifying the fail step in the corresponding config file. - props.fail_step = Some(FailStep::Check); - } else if example.config.should_panic { - // Kani should catch run-time errors. - props.fail_step = Some(FailStep::Verification); - } - } - example.code = format!("{props}{}", example.code); -} - -/// Extracts examples from the markdown file specified by `par_from`, -/// pre-processes those examples, and saves them in the directory specified by -/// `par_to`. -fn extract( - par_from: &Path, - par_to: &Path, - config_paths: &mut HashSet, - default_edition: Edition, -) { - let code = fs::read_to_string(par_from).unwrap(); - let mut examples = Examples(Vec::new()); - find_testable_code(&code, &mut examples, ErrorCodes::No, false, None); - for mut example in examples.0 { - apply_diff(par_to, &mut example, config_paths); - example.config.edition = Some(example.config.edition.unwrap_or(default_edition)); - example.code = make_test( - &example.code, - None, - false, - &Default::default(), - example.config.edition.unwrap(), - None, - ) - .0; - prepend_props(par_to, &mut example, config_paths); - let rs_path = par_to.join(format!("{}.rs", example.line)); - fs::create_dir_all(rs_path.parent().unwrap()).unwrap(); - fs::write(rs_path, example.code).unwrap(); - } -} - -/// Returns a set of paths to the config files for examples in the Rust books. -fn get_config_paths(book_name: &str) -> HashSet { - let config_dir: PathBuf = - ["tools", "bookrunner", "configs", "books", book_name].iter().collect(); - let mut config_paths = HashSet::new(); - if config_dir.exists() { - for entry in WalkDir::new(config_dir) { - let entry = entry.unwrap().into_path(); - if entry.is_file() { - config_paths.insert(entry); - } - } - } - config_paths -} - -/// Pretty prints the `paths` set. -fn paths_to_string(paths: HashSet) -> String { - let mut f = String::new(); - for path in paths { - f.write_fmt(format_args!(" {:?}\n", path.to_str().unwrap())).unwrap(); - } - f -} - -/// Creates a new [`bookrunner::Tree`] from `path`, and a test `result`. -fn tree_from_path(mut path: Vec, result: bool) -> bookrunner::Tree { - assert!(!path.is_empty(), "Error: `path` must contain at least 1 element."); - let mut tree = bookrunner::Tree::new( - bookrunner::Node::new( - path.pop().unwrap(), - if result { 1 } else { 0 }, - if result { 0 } else { 1 }, - ), - vec![], - ); - for _ in 0..path.len() { - tree = bookrunner::Tree::new( - bookrunner::Node::new(path.pop().unwrap(), tree.data.num_pass, tree.data.num_fail), - vec![tree], - ); - } - tree -} - -/// Parses a `litani` run and generates a bookrunner tree from it -fn parse_litani_output(path: &Path) -> bookrunner::Tree { - let file = fs::File::open(path).unwrap(); - let reader = BufReader::new(file); - let run: LitaniRun = serde_json::from_reader(reader).unwrap(); - let mut tests = - bookrunner::Tree::new(bookrunner::Node::new(String::from("bookrunner"), 0, 0), vec![]); - let pipelines = run.get_pipelines(); - for pipeline in pipelines { - let (ns, l) = parse_log_line(&pipeline); - tests = bookrunner::Tree::merge(tests, tree_from_path(ns, l)).unwrap(); - } - tests -} - -/// Parses a `litani` pipeline and returns a pair containing -/// the path to a test and its result. -fn parse_log_line(pipeline: &LitaniPipeline) -> (Vec, bool) { - let l = pipeline.get_status(); - let name = pipeline.get_name(); - let mut ns: Vec = name.split(&['/', '.'][..]).map(String::from).collect(); - // Remove unnecessary items from the path until "bookrunner" - let dash_index = ns.iter().position(|item| item == "bookrunner").unwrap(); - ns.drain(..dash_index); - // Remove unnecessary "rs" suffix. - ns.pop(); - (ns, l) -} - -/// Format and write a text version of the bookrunner report -fn generate_text_bookrunner(bookrunner: bookrunner::Tree, path: &Path) { - let bookrunner_str = format!( - "# of tests: {}\t✔️ {}\t❌ {}\n{}", - bookrunner.data.num_pass + bookrunner.data.num_fail, - bookrunner.data.num_pass, - bookrunner.data.num_fail, - bookrunner - ); - fs::write(path, bookrunner_str).expect("Error: Unable to write bookrunner results"); -} - -/// Runs examples using Litani build. -fn litani_run_tests() { - let output_prefix: PathBuf = ["build", "output"].iter().collect(); - let output_symlink: PathBuf = output_prefix.join("latest"); - let bookrunner_dir: PathBuf = ["tests", "bookrunner"].iter().collect(); - let stage_names = ["check", "codegen", "verification"]; - - util::add_kani_to_path(); - let mut litani = Litani::init("Book Runner", &stage_names, &output_prefix, &output_symlink); - - // Run all tests under the `tests/bookrunner` directory. - for entry in WalkDir::new(bookrunner_dir) { - let entry = entry.unwrap().into_path(); - if entry.is_file() { - // Ensure that we parse only Rust files by checking their extension - let entry_ext = &entry.extension().and_then(OsStr::to_str); - if let Some("rs") = entry_ext { - let test_props = util::parse_test_header(&entry); - util::add_test_pipeline(&mut litani, &test_props); - } - } - } - litani.run_build(); -} - -/// Extracts examples from the Rust books, run them through Kani, and displays -/// their results in a HTML webpage. -pub fn generate_run() { - let litani_log: PathBuf = ["build", "output", "latest", "run.json"].iter().collect(); - let text_dash: PathBuf = - ["build", "output", "latest", "html", "bookrunner.txt"].iter().collect(); - // Set up books - let books: Vec = vec![ - setup_reference_book(), - setup_nomicon_book(), - setup_unstable_book(), - setup_rust_by_example_book(), - ]; - for mut book in books { - // Parse the chapter/section hierarchy - book.parse_hierarchy(); - // Extract examples, pre-process them, and save them according to the - // parsed hierarchy - book.extract_examples(); - } - // Generate Litani's HTML bookrunner - litani_run_tests(); - // Parse Litani's output - let bookrunner = parse_litani_output(&litani_log); - // Generate text version - generate_text_bookrunner(bookrunner, &text_dash); -} diff --git a/tools/bookrunner/src/litani.rs b/tools/bookrunner/src/litani.rs deleted file mode 100644 index cefe1c4b437e..000000000000 --- a/tools/bookrunner/src/litani.rs +++ /dev/null @@ -1,249 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Utilities to interact with the `Litani` build accumulator. - -use pulldown_cmark::escape::StrWrite; -use serde::Deserialize; -use std::collections::HashMap; -use std::path::Path; -use std::process::{Child, Command}; - -/// Data structure representing a full `litani` run. -/// The same representation is used to represent a run -/// in the `run.json` (cache) file generated by `litani` -/// -/// Deserialization is performed automatically for most -/// attributes in such files, but it may require you to -/// extend it if advanced features are used (e.g., pools) -#[derive(Debug, Deserialize)] -pub struct LitaniRun { - pub aux: Option>, - pub project: String, - pub version: String, - pub version_major: u32, - pub version_minor: u32, - pub version_patch: u32, - pub release_candidate: bool, - pub run_id: String, - pub start_time: String, - pub parallelism: LitaniParalellism, - pub latest_symlink: Option, - pub end_time: String, - pub pipelines: Vec, -} - -impl LitaniRun { - pub fn get_pipelines(self) -> Vec { - self.pipelines - } -} - -#[derive(Debug, Deserialize)] -pub struct LitaniParalellism { - pub trace: Vec, - pub max_paralellism: Option, - pub n_proc: u32, -} - -#[derive(Debug, Deserialize)] -pub struct LitaniTrace { - pub running: u32, - pub finished: u32, - pub total: u32, - pub time: String, -} - -#[derive(Debug, Deserialize)] -pub struct LitaniPipeline { - pub name: String, - pub ci_stages: Vec, - pub url: String, - pub status: String, -} - -impl LitaniPipeline { - pub fn get_name(&self) -> &String { - &self.name - } - - pub fn get_status(&self) -> bool { - match self.status.as_str() { - "fail" => false, - "success" => true, - _ => panic!("pipeline status is not \"fail\" nor \"success\""), - } - } -} - -#[derive(Debug, Deserialize)] -pub struct LitaniStage { - pub jobs: Vec, - pub progress: u32, - pub complete: bool, - pub status: String, - pub url: String, - pub name: String, -} - -// Some attributes in litani's `jobs` are not always included -// or they are null, so we use `Option<...>` to deserialize them -#[derive(Debug, Deserialize)] -pub struct LitaniJob { - pub wrapper_arguments: LitaniWrapperArguments, - pub complete: bool, - pub start_time: Option, - pub timeout_reached: Option, - pub command_return_code: Option, - pub memory_trace: Option>, - pub loaded_outcome_dict: Option>, - pub outcome: Option, - pub wrapper_return_code: Option, - pub stdout: Option>, - pub stderr: Option>, - pub end_time: Option, - pub duration_str: Option, - pub duration: Option, -} - -// Some attributes in litani's `wrapper_arguments` are not always included -// or they are null, so we use `Option<...>` to deserialize them -#[derive(Debug, Deserialize)] -pub struct LitaniWrapperArguments { - pub subcommand: String, - pub verbose: bool, - pub very_verbose: bool, - pub inputs: Vec, - pub command: String, - pub outputs: Option>, - pub pipeline_name: String, - pub ci_stage: String, - pub cwd: Option, - pub timeout: Option, - pub timeout_ok: Option, - pub timeout_ignore: Option, - pub ignore_returns: Option, - pub ok_returns: Vec, - pub outcome_table: Option>, - pub interleave_stdout_stderr: bool, - pub stdout_file: Option, - pub stderr_file: Option, - pub pool: Option, - pub description: String, - pub profile_memory: bool, - pub profile_memory_interval: u32, - pub phony_outputs: Option>, - pub tags: Option, - pub status_file: String, - pub job_id: String, -} - -/// Data structure representing a `Litani` build. -pub struct Litani { - /// A buffer of the `spawn`ed Litani jobs so far. `Litani` takes some time - /// to execute each `add-job` command and executing thousands of them - /// sequentially takes a considerable amount of time. To speed up the - /// execution of those commands, we spawn those commands sequentially (as - /// normal). However, instead of `wait`ing for each process to terminate, - /// we add its handle to a buffer of the `spawn`ed processes and continue - /// with our program. Once we are done adding jobs, we wait for all of them - /// to terminate before we run the `run-build` command. - spawned_commands: Vec, -} - -impl Litani { - /// Sets up a new [`Litani`] run. - pub fn init( - project_name: &str, - stage_names: &[&str], - output_prefix: &Path, - output_symlink: &Path, - ) -> Self { - Command::new("litani") - .args([ - "init", - "--project-name", - project_name, - "--output-prefix", - output_prefix.to_str().unwrap(), - "--output-symlink", - output_symlink.to_str().unwrap(), - "--stages", - ]) - .args(stage_names) - .spawn() - .unwrap() - .wait() - .unwrap(); - Self { spawned_commands: Vec::new() } - } - - /// Adds a single command with its dependencies. - #[allow(clippy::too_many_arguments)] - pub fn add_job( - &mut self, - command: &Command, - inputs: &[&Path], - outputs: &[&Path], - description: &str, - pipeline: &str, - stage: &str, - exit_status: i32, - timeout: u32, - ) { - let mut job = Command::new("litani"); - // The given command may contain additional env vars. Prepend those vars - // to the command before passing it to Litani. - let job_envs: HashMap<_, _> = job.get_envs().collect(); - let mut new_envs = String::new(); - command.get_envs().fold(&mut new_envs, |fmt, (k, v)| { - if !job_envs.contains_key(k) { - fmt.write_fmt(format_args!( - "{}=\"{}\" ", - k.to_str().unwrap(), - v.unwrap().to_str().unwrap() - )) - .unwrap(); - } - fmt - }); - job.args([ - "add-job", - "--command", - &format!("{new_envs}{command:?}"), - "--description", - description, - "--pipeline-name", - pipeline, - "--ci-stage", - stage, - "--ok-returns", - &exit_status.to_string(), - "--timeout", - &timeout.to_string(), - ]); - if !inputs.is_empty() { - job.arg("--inputs").args(inputs); - } - if !outputs.is_empty() { - job.arg("--outputs").args(outputs).arg("--phony-outputs").args(outputs); - } - // Start executing the command, but do not wait for it to terminate. - self.spawned_commands.push(job.spawn().unwrap()); - } - - /// Starts a [`Litani`] run. - pub fn run_build(&mut self) { - // Wait for all spawned processes to terminate. - for command in self.spawned_commands.iter_mut() { - command.wait().unwrap(); - } - self.spawned_commands.clear(); - // Run `run-build` command and wait for it to finish. - Command::new("litani") - .args(["run-build", "--no-pipeline-dep-graph"]) - .spawn() - .unwrap() - .wait() - .unwrap(); - } -} diff --git a/tools/bookrunner/src/main.rs b/tools/bookrunner/src/main.rs deleted file mode 100644 index 65fd9196b365..000000000000 --- a/tools/bookrunner/src/main.rs +++ /dev/null @@ -1,13 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -#![feature(extend_one)] -#![feature(rustc_private)] - -mod bookrunner; -mod books; -mod litani; -mod util; - -fn main() { - books::generate_run(); -} diff --git a/tools/bookrunner/src/util.rs b/tools/bookrunner/src/util.rs deleted file mode 100644 index 542ad70dbc96..000000000000 --- a/tools/bookrunner/src/util.rs +++ /dev/null @@ -1,246 +0,0 @@ -// Copyright Kani Contributors -// SPDX-License-Identifier: Apache-2.0 OR MIT -//! Utilities types and procedures to parse and run tests. -//! -//! TODO: The types and procedures in this modules are similar to the ones in -//! `compiletest`. Consider using `Litani` to run the test suites (see -//! [issue #390](https://github.com/model-checking/kani/issues/390)). - -use crate::litani::Litani; -use std::{ - env, - fmt::{self, Display, Formatter, Write}, - fs::File, - io::{BufRead, BufReader}, - path::{Path, PathBuf}, - process::Command, -}; - -/// Step at which Kani should panic. -#[derive(PartialEq, Eq)] -pub enum FailStep { - /// Kani panics before the codegen step (up to MIR generation). This step - /// runs the same checks on the test code as `cargo check` including syntax, - /// type, name resolution, and borrow checks. - Check, - /// Kani panics at the codegen step because the test code uses unimplemented - /// and/or unsupported features. - Codegen, - /// Kani panics after the codegen step because of verification failures or - /// other CBMC errors. - Verification, -} - -impl Display for FailStep { - fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { - let str = match self { - FailStep::Check => "check", - FailStep::Codegen => "codegen", - FailStep::Verification => "verify", - }; - f.write_str(str) - } -} - -/// Data structure representing properties specific to each test. -pub struct TestProps { - pub path: PathBuf, - /// How far this test should proceed to start failing. - pub fail_step: Option, - /// Extra arguments to pass to `rustc`. - pub rustc_args: Vec, - /// Extra arguments to pass to Kani. - pub kani_args: Vec, -} - -impl TestProps { - /// Creates a new instance of [`TestProps`] for a test. - pub fn new( - path: PathBuf, - fail_step: Option, - rustc_args: Vec, - kani_args: Vec, - ) -> Self { - Self { path, fail_step, rustc_args, kani_args } - } -} - -impl Display for TestProps { - fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { - if let Some(fail_step) = &self.fail_step { - f.write_fmt(format_args!("// kani-{fail_step}-fail\n"))?; - } - if !self.rustc_args.is_empty() { - f.write_str("// compile-flags:")?; - for arg in &self.rustc_args { - f.write_fmt(format_args!(" {arg}"))?; - } - f.write_char('\n')?; - } - if !self.kani_args.is_empty() { - f.write_str("// kani-flags:")?; - for arg in &self.kani_args { - f.write_fmt(format_args!(" {arg}"))?; - } - f.write_char('\n')?; - } - Ok(()) - } -} - -/// Parses strings of the form `kani-*-fail` and returns the step at which Kani is -/// expected to panic. -fn try_parse_fail_step(cur_fail_step: Option, line: &str) -> Option { - let fail_step = if line.contains("kani-check-fail") { - Some(FailStep::Check) - } else if line.contains("kani-codegen-fail") { - Some(FailStep::Codegen) - } else if line.contains("kani-verify-fail") { - Some(FailStep::Verification) - } else { - None - }; - match (cur_fail_step.is_some(), fail_step.is_some()) { - (true, true) => panic!("Error: multiple `kani-*-fail` headers in a single test."), - (false, true) => fail_step, - _ => cur_fail_step, - } -} - -/// Parses strings of the form `-flags: ...` and returns the list of -/// arguments. -fn try_parse_args(cur_args: Vec, name: &str, line: &str) -> Vec { - let name = format!("{name}-flags:"); - let mut split = line.split(&name).skip(1); - let args: Vec = if let Some(rest) = split.next() { - rest.split_whitespace().map(String::from).collect() - } else { - Vec::new() - }; - match (cur_args.is_empty(), args.is_empty()) { - (false, false) => panic!("Error: multiple `{}-flags: ...` headers in a single test.", name), - (true, false) => args, - _ => cur_args, - } -} - -/// Parses and returns the properties in a test file. -pub fn parse_test_header(path: &Path) -> TestProps { - let mut fail_step = None; - let mut rustc_args = Vec::new(); - let mut kani_args = Vec::new(); - let it = BufReader::new(File::open(path).unwrap()); - for line in it.lines() { - let line = line.unwrap(); - let line = line.trim_start(); - if line.is_empty() { - continue; - } - if !line.starts_with("//") { - break; - } - fail_step = try_parse_fail_step(fail_step, line); - rustc_args = try_parse_args(rustc_args, "compile", line); - kani_args = try_parse_args(kani_args, "kani", line); - } - TestProps::new(path.to_path_buf(), fail_step, rustc_args, kani_args) -} - -/// Adds Kani to the current `PATH` environment variable. -pub fn add_kani_to_path() { - let cwd = env::current_dir().unwrap(); - let kani_bin = cwd.join("target").join("kani").join("bin"); - let kani_scripts = cwd.join("scripts"); - env::set_var( - "PATH", - format!("{}:{}:{}", kani_scripts.display(), kani_bin.display(), env::var("PATH").unwrap()), - ); -} - -/// Does Kani catch syntax, type, and borrow errors (if any)? -pub fn add_check_job(litani: &mut Litani, test_props: &TestProps) { - let exit_status = if test_props.fail_step == Some(FailStep::Check) { 1 } else { 0 }; - let mut kani_rustc = Command::new("kani-compiler"); - kani_rustc.args(&test_props.rustc_args).args(["-Z", "no-codegen"]).arg(&test_props.path); - - let mut phony_out = test_props.path.clone(); - phony_out.set_extension("check"); - litani.add_job( - &kani_rustc, - &[&test_props.path], - &[&phony_out], - "Is this valid Rust code?", - test_props.path.to_str().unwrap(), - "check", - exit_status, - 5, - ); -} - -/// Is Kani expected to codegen all the Rust features in the test? -pub fn add_codegen_job(litani: &mut Litani, test_props: &TestProps) { - let exit_status = if test_props.fail_step == Some(FailStep::Codegen) { 1 } else { 0 }; - let mut kani_rustc = Command::new("kani-compiler"); - kani_rustc.args(&test_props.rustc_args).args(["--out-dir", "build/tmp"]).arg(&test_props.path); - - let mut phony_in = test_props.path.clone(); - phony_in.set_extension("check"); - let mut phony_out = test_props.path.clone(); - phony_out.set_extension("codegen"); - litani.add_job( - &kani_rustc, - &[&phony_in], - &[&phony_out], - "Does Kani support all the Rust features used in it?", - test_props.path.to_str().unwrap(), - "codegen", - exit_status, - 10, - ); -} - -// Does verification pass/fail as it is expected to? -pub fn add_verification_job(litani: &mut Litani, test_props: &TestProps) { - let exit_status = if test_props.fail_step == Some(FailStep::Verification) { 10 } else { 0 }; - let mut kani = Command::new("kani"); - // Add `--function main` so we can run these without having to amend them to add `#[kani::proof]`. - // Some of test_props.kani_args will contains `--cbmc-args` so we should always put that last. - kani.arg(&test_props.path) - .args(["--enable-unstable", "--function", "main"]) - .args(&test_props.kani_args); - if !test_props.rustc_args.is_empty() { - kani.env("RUSTFLAGS", test_props.rustc_args.join(" ")); - } - - let mut phony_in = test_props.path.clone(); - phony_in.set_extension("codegen"); - litani.add_job( - &kani, - &[&phony_in], - &[], - "Can Kani reason about it?", - test_props.path.to_str().unwrap(), - "verification", - exit_status, - 60, - ); -} - -/// Creates a new pipeline for the test specified by `path` consisting of 3 -/// jobs/steps: `check`, `codegen`, and `verification`. -pub fn add_test_pipeline(litani: &mut Litani, test_props: &TestProps) { - // The first step ensures that the Rust code in the test compiles (if it is - // expected to). - add_check_job(litani, test_props); - if test_props.fail_step == Some(FailStep::Check) { - return; - } - // The second step ensures that we can codegen the code in the test. - add_codegen_job(litani, test_props); - if test_props.fail_step == Some(FailStep::Codegen) { - return; - } - // The final step ensures that CBMC can verify the code in the test. - // Notice that 10 is the expected error code for verification failure. - add_verification_job(litani, test_props); -} diff --git a/tools/build-kani/Cargo.toml b/tools/build-kani/Cargo.toml index cfaa4a6c48ad..30c2807aa323 100644 --- a/tools/build-kani/Cargo.toml +++ b/tools/build-kani/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "build-kani" -version = "0.45.0" +version = "0.52.0" edition = "2021" description = "Builds Kani, Sysroot and release bundle." license = "MIT OR Apache-2.0" @@ -13,4 +13,4 @@ publish = false anyhow = "1" cargo_metadata = "0.18.0" clap = { version = "4.4.11", features=["derive"] } -which = "5" +which = "6" diff --git a/tools/build-kani/src/main.rs b/tools/build-kani/src/main.rs index b94e951fe178..2c181d69d6e5 100644 --- a/tools/build-kani/src/main.rs +++ b/tools/build-kani/src/main.rs @@ -10,7 +10,7 @@ mod parser; mod sysroot; -use crate::sysroot::{build_bin, build_lib, kani_playback_lib, kani_sysroot_lib}; +use crate::sysroot::{build_bin, build_lib, kani_no_core_lib, kani_playback_lib, kani_sysroot_lib}; use anyhow::{bail, Result}; use clap::Parser; use std::{ffi::OsString, path::Path, process::Command}; @@ -19,7 +19,13 @@ fn main() -> Result<()> { let args = parser::ArgParser::parse(); match args.subcommand { - parser::Commands::BuildDev(build_parser) => build_lib(&build_bin(&build_parser.args)?), + parser::Commands::BuildDev(build_parser) => { + let bin_folder = &build_bin(&build_parser.args)?; + if !build_parser.skip_libs { + build_lib(&bin_folder)?; + } + Ok(()) + } parser::Commands::Bundle(bundle_parser) => { let version_string = bundle_parser.version; let kani_string = format!("kani-{version_string}"); @@ -96,9 +102,11 @@ fn bundle_kani(dir: &Path) -> Result<()> { // 4. Pre-compiled library files cp_dir(&kani_sysroot_lib(), dir)?; cp_dir(&kani_playback_lib().parent().unwrap(), dir)?; + cp_dir(&kani_no_core_lib().parent().unwrap(), dir)?; - // 5. Record the exact toolchain we use + // 5. Record the exact toolchain and rustc version we use std::fs::write(dir.join("rust-toolchain-version"), env!("RUSTUP_TOOLCHAIN"))?; + std::fs::write(dir.join("rustc-version"), get_rustc_version()?)?; // 6. Include a licensing note cp(Path::new("tools/build-kani/license-notes.txt"), dir)?; @@ -181,6 +189,13 @@ fn cp(src: &Path, dst: &Path) -> Result<()> { Ok(()) } +/// Record version of rustc being used to build Kani +fn get_rustc_version() -> Result { + let output = Command::new("rustc").arg("--version").output(); + let rustc_version = String::from_utf8(output.unwrap().stdout)?; + Ok(rustc_version) +} + /// Copy files from `src` to `dst` that respect the given pattern. pub fn cp_files

(src: &Path, dst: &Path, predicate: P) -> Result<()> where diff --git a/tools/build-kani/src/parser.rs b/tools/build-kani/src/parser.rs index 3f9dfa0a1d42..718cbb00bcb4 100644 --- a/tools/build-kani/src/parser.rs +++ b/tools/build-kani/src/parser.rs @@ -17,6 +17,10 @@ pub struct BuildDevParser { /// Arguments to be passed down to cargo when building cargo binaries. #[clap(value_name = "ARG", allow_hyphen_values = true)] pub args: Vec, + /// Do not re-build Kani libraries. Only use this if you know there has been no changes to Kani + /// libraries or the underlying Rust compiler. + #[clap(long)] + pub skip_libs: bool, } #[derive(Args, Debug, Eq, PartialEq)] diff --git a/tools/build-kani/src/sysroot.rs b/tools/build-kani/src/sysroot.rs index 3a6239106826..ca42fea3f441 100644 --- a/tools/build-kani/src/sysroot.rs +++ b/tools/build-kani/src/sysroot.rs @@ -55,16 +55,27 @@ pub fn kani_playback_lib() -> PathBuf { path_buf!(kani_sysroot(), "playback/lib") } +/// Returns the path to where Kani libraries for no_core is kept. +pub fn kani_no_core_lib() -> PathBuf { + path_buf!(kani_sysroot(), "no_core/lib") +} + /// Returns the path to where Kani's pre-compiled binaries are stored. fn kani_sysroot_bin() -> PathBuf { path_buf!(kani_sysroot(), "bin") } +/// Returns the build target +fn build_target() -> &'static str { + env!("TARGET") +} + /// Build the `lib/` folder and `lib-playback/` for the new sysroot. /// - The `lib/` folder contains the sysroot for verification. /// - The `lib-playback/` folder contains the sysroot used for playback. pub fn build_lib(bin_folder: &Path) -> Result<()> { let compiler_path = bin_folder.join("kani-compiler"); + build_no_core_lib(&compiler_path)?; build_verification_lib(&compiler_path)?; build_playback_lib(&compiler_path) } @@ -75,7 +86,9 @@ fn build_verification_lib(compiler_path: &Path) -> Result<()> { let extra_args = ["-Z", "build-std=panic_abort,std,test", "--config", "profile.dev.panic=\"abort\""]; let compiler_args = ["--kani-compiler", "-Cllvm-args=--ignore-global-asm --build-std"]; - build_kani_lib(compiler_path, &kani_sysroot_lib(), &extra_args, &compiler_args) + let packages = ["std", "kani", "kani_macros"]; + let artifacts = build_kani_lib(compiler_path, &packages, &extra_args, &compiler_args)?; + copy_artifacts(&artifacts, &kani_sysroot_lib(), true) } /// Build the `lib-playback/` folder that will be used during counter example playback. @@ -83,26 +96,30 @@ fn build_verification_lib(compiler_path: &Path) -> Result<()> { fn build_playback_lib(compiler_path: &Path) -> Result<()> { let extra_args = ["--features=std/concrete_playback,kani/concrete_playback", "-Z", "build-std=std,test"]; - build_kani_lib(compiler_path, &kani_playback_lib(), &extra_args, &[]) + let packages = ["std", "kani", "kani_macros"]; + let artifacts = build_kani_lib(compiler_path, &packages, &extra_args, &[])?; + copy_artifacts(&artifacts, &kani_playback_lib(), true) +} + +/// Build the no core library folder that will be used during std verification. +fn build_no_core_lib(compiler_path: &Path) -> Result<()> { + let extra_args = ["--features=kani_macros/no_core", "--features=kani_core/no_core"]; + let packages = ["kani_core", "kani_macros"]; + let artifacts = build_kani_lib(compiler_path, &packages, &extra_args, &[])?; + copy_artifacts(&artifacts, &kani_no_core_lib(), false) } fn build_kani_lib( compiler_path: &Path, - output_path: &Path, + packages: &[&str], extra_cargo_args: &[&str], extra_rustc_args: &[&str], -) -> Result<()> { +) -> Result> { // Run cargo build with -Z build-std - let target = env!("TARGET"); + let target = build_target(); let target_dir = env!("KANI_BUILD_LIBS"); let args = [ "build", - "-p", - "std", - "-p", - "kani", - "-p", - "kani_macros", "-Z", "unstable-options", "--target-dir", @@ -124,12 +141,20 @@ fn build_kani_lib( "--message-format", "json-diagnostic-rendered-ansi", ]; - let mut rustc_args = vec!["--cfg=kani", "--cfg=kani_sysroot", "-Z", "always-encode-mir"]; + let mut rustc_args = vec![ + "--cfg=kani", + "--cfg=kani_sysroot", + "-Z", + "always-encode-mir", + "-Z", + "mir-enable-passes=-RemoveStorageMarkers", + ]; rustc_args.extend_from_slice(extra_rustc_args); let mut cmd = Command::new("cargo") .env("CARGO_ENCODED_RUSTFLAGS", rustc_args.join("\x1f")) .env("RUSTC", compiler_path) .args(args) + .args(packages.iter().copied().flat_map(|pkg| ["-p", pkg])) .args(extra_cargo_args) .stdout(Stdio::piped()) .spawn() @@ -145,20 +170,24 @@ fn build_kani_lib( } // Create sysroot folder hierarchy. - copy_artifacts(&artifacts, output_path, target) + Ok(artifacts) } /// Copy all the artifacts to their correct place to generate a valid sysroot. -fn copy_artifacts(artifacts: &[Artifact], sysroot_lib: &Path, target: &str) -> Result<()> { - // Create sysroot folder hierarchy. +fn copy_artifacts(artifacts: &[Artifact], sysroot_lib: &Path, copy_std: bool) -> Result<()> { + // Create sysroot folder. sysroot_lib.exists().then(|| fs::remove_dir_all(sysroot_lib)); - let std_path = path_buf!(&sysroot_lib, "rustlib", target, "lib"); - fs::create_dir_all(&std_path).expect(&format!("Failed to create {std_path:?}")); + fs::create_dir_all(sysroot_lib)?; // Copy Kani libraries into sysroot top folder. copy_libs(&artifacts, &sysroot_lib, &is_kani_lib); + // Copy standard libraries into rustlib//lib/ folder. - copy_libs(&artifacts, &std_path, &is_std_lib); + if copy_std { + let std_path = path_buf!(&sysroot_lib, "rustlib", build_target(), "lib"); + fs::create_dir_all(&std_path).expect(&format!("Failed to create {std_path:?}")); + copy_libs(&artifacts, &std_path, &is_std_lib); + } Ok(()) } @@ -236,11 +265,11 @@ fn build_artifacts(cargo_cmd: &mut Child) -> Vec { /// Extra arguments to be given to `cargo build` while building Kani's binaries. /// Note that the following arguments are always provided: /// ```bash -/// cargo build --bins -Z unstable-options --out-dir $KANI_SYSROOT/bin/ +/// cargo build --bins -Z unstable-options --artifact-dir $KANI_SYSROOT/bin/ /// ``` pub fn build_bin>(extra_args: &[T]) -> Result { let out_dir = kani_sysroot_bin(); - let args = ["--bins", "-Z", "unstable-options", "--out-dir", out_dir.to_str().unwrap()]; + let args = ["--bins", "-Z", "unstable-options", "--artifact-dir", out_dir.to_str().unwrap()]; Command::new("cargo") .arg("build") .args(extra_args) diff --git a/tools/compiletest/src/main.rs b/tools/compiletest/src/main.rs index 5418ad47f7fa..94cbd561aa51 100644 --- a/tools/compiletest/src/main.rs +++ b/tools/compiletest/src/main.rs @@ -388,7 +388,7 @@ fn collect_expected_tests_from_dir( && (file_path.to_str().unwrap().ends_with(".expected") || "expected" == file_path.file_name().unwrap()) { - fs::create_dir_all(&build_dir.join(file_path.file_stem().unwrap())).unwrap(); + fs::create_dir_all(build_dir.join(file_path.file_stem().unwrap())).unwrap(); let paths = TestPaths { file: file_path, relative_dir: relative_dir_path.to_path_buf() }; tests.push(make_test(config, &paths, inputs)); @@ -446,7 +446,7 @@ fn collect_exec_tests_from_dir( } // Create directory for test and add it to the tests to be run - fs::create_dir_all(&build_dir.join(file_path.file_stem().unwrap())).unwrap(); + fs::create_dir_all(build_dir.join(file_path.file_stem().unwrap())).unwrap(); let paths = TestPaths { file: file_path, relative_dir: relative_dir_path.to_path_buf() }; tests.push(make_test(config, &paths, inputs)); } diff --git a/tools/compiletest/src/runtest.rs b/tools/compiletest/src/runtest.rs index ee89c252dc4f..7925ed83e6e5 100644 --- a/tools/compiletest/src/runtest.rs +++ b/tools/compiletest/src/runtest.rs @@ -23,7 +23,6 @@ use std::process::{Command, ExitStatus, Output, Stdio}; use std::str; use serde::{Deserialize, Serialize}; -use serde_yaml; use tracing::*; use wait_timeout::ChildExt;