Skip to content

Conversation

@SahithiMV
Copy link

Working on #71 (Safety of NonZero)

We are looking for feedback on our proof_for_contracts for unchecked_mul and unchecked_add.
This is the initial logic; we will add a macro to extrapolate for data types.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@SahithiMV SahithiMV requested a review from a team as a code owner November 24, 2024 22:57
@carolynzech carolynzech self-assigned this Nov 25, 2024
@tautschnig tautschnig assigned SahithiMV and unassigned carolynzech Nov 27, 2024
@SahithiMV
Copy link
Author

@carolynzech Can you please review the changes?


macro_rules! nonzero_check_add {
($t:ty, $nonzero_type:ty, $nonzero_check_unchecked_add_for:ident) => {
#[kani::proof_for_contract(<$t>::unchecked_add)]

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#[kani::proof_for_contract(<$t>::unchecked_add)]
#[kani::proof_for_contract(<$nonzero_type>::unchecked_add)]

Comment on lines +2355 to +2359
let x: $nonzero_type = kani::any();
let y: $nonzero_type = kani::any();

unsafe {
x.get().unchecked_add(y.get());

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let x: $nonzero_type = kani::any();
let y: $nonzero_type = kani::any();
unsafe {
x.get().unchecked_add(y.get());
let x: $nonzero_type = kani::any();
let y: $t = kani::any();
unsafe {
x.unchecked_add(y);

See the documentation for unchecked_add -- self (x, in this case) should be a NonZero, and other (y) should be a primitive type. (Calling get on x gets its primitive type, so this harness as of now calls the primitive type's unchecked_add instead of the NonZero version.

@carolynzech
Copy link

carolynzech commented Dec 11, 2024

Hi @SahithiMV,

I did some debugging to figure out why Kani was failing on these new versions of the contracts. Turns out it's a Kani bug. See this issue: model-checking/kani#3773. This happens because of the phenomenon I described in the issue: Kani picks the first implementation that it finds when it resolves the function name inside the proof_for_contract attribute. In the case of your unchecked_add harness, for example, it happens to find the one for u8, so when you actually invoke the unchecked_add macro on u8, everything works fine, but it doesn't work for the other types.

In other words, you can think about it as Kani replacing this:

#[kani::proof_for_contract(NonZero::unchecked_add)]

with this:

#[kani::proof_for_contract(NonZero::<u8>::unchecked_add)]

every time, which of course only makes sense if your harness happens to call unchecked_add on u8s.

So in terms of what this means for you: you should still be able to write the contracts, even if they won't successfully verify because of this issue. So please get your harnesses to a place where they only fail because of this issue. That way, we can merge your contracts unchanged once we fix the issue on our end. (You can tell if it's the same issue by seeing if the error message is the same).

Please let me know if there's anything I can clarify, or if I can help further writing the harnesses.

@tautschnig
Copy link
Member

@SahithiMV Would you be able to take another look at this PR? We have now updated Kani to a version that includes the fix for model-checking/kani#3773.

@tautschnig
Copy link
Member

Work continues in #338.

@tautschnig tautschnig closed this Apr 23, 2025
github-merge-queue bot pushed a commit that referenced this pull request Jun 14, 2025
Towards #71 

These are the changes contributed by
[SahithiMV](https://github.com/SahithiMV) in #184 plus the proposed
changes in that PR.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.

---------

Co-authored-by: aaluna <[email protected]>
Co-authored-by: SahithiMV <[email protected]>
Co-authored-by: aaluna <[email protected]>
Co-authored-by: Carolyn Zech <[email protected]>
Co-authored-by: Zyad Hassan <[email protected]>
Co-authored-by: Carolyn Zech <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants