Skip to content

Commit 96f50da

Browse files
celinvalcelinval
committed
Address some of the feedback
 - Changed the example. - Improved text. - Removed restriction on unstable opt-out.
1 parent 5185c04 commit 96f50da

2 files changed

Lines changed: 27 additions & 15 deletions

File tree

rfc/src/SUMMARY.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,4 +16,4 @@
1616
- [0008-line-coverage](rfcs/0008-line-coverage.md)
1717
- [0009-function-contracts](rfcs/0009-function-contracts.md)
1818
- [0010-quantifiers](rfcs/0010-quantifiers.md)
19-
- [0011-rust-ub-checks](rfcs/0011-rust-ub-checks)
19+
- [0011-rust-ub-checks](rfcs/0011-rust-ub-checks.md)

rfc/src/rfcs/0011-rust-ub-checks.md

Lines changed: 26 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
- **Feature Name:** Rust UB Checks (`rust-ub-checks`)
22
- **Feature Request Issue:** [#3089](https://github.com/model-checking/kani/issues/3089)
3-
- **RFC PR:** [#XXXX](https://github.com/model-checking/kani/pull/3091)
4-
- **Status:** Under Review
3+
- **RFC PR:** [#3091](https://github.com/model-checking/kani/pull/3091)
4+
- **Status:** Unstable
55
- **Version:** 0
66
- **Proof-of-concept:**
77

@@ -24,11 +24,21 @@ detected undefined behavior.
2424

2525
For simplicity, we propose that all undefined behavior checks are modelled as assert-assume pairs.
2626
We propose that the status of all passing assertions that may be affected by this check to be displayed as
27-
UNDETERMINED if one or more UB checks fail. [^all-passing]
27+
`UNDETERMINED` if one or more UB checks fail.
28+
For simplicity, Kani currently over-approximate this set by marking all passing assertions as `UNDETERMINED`.
29+
Future pruning of this set can be done with further analysis, but it should not affect soundness.
2830

29-
All failing assertions should have their status preserved, unless the UB check is implemented using "demonic"
30-
non-determinism, such as CBMC's deallocated check.
31-
See [0010-rust-ub-checks.md#open-questions] for alternatives to be considered.
31+
All failing assertions will have their status preserved.
32+
This may create spurious counter examples for cases where the failing UB check is implemented using "demonic"
33+
non-determinism.[^demonic]
34+
35+
[^demonic]: Some UB checks implementation use one tracker with non-deterministic assignment to track the
36+
status of different objects.
37+
This implementation relies on the fact that an assertion will fail if there is at least one possible
38+
assignment to its tracker that violates the assertion.
39+
Picking an assignment that fails can be seen as choosing the worst possible action, known as demonic nondeterminism.
40+
41+
See [Open questions section](0010-rust-ub-checks.md#open-questions) for alternatives to be considered.
3242

3343
### Concrete playback of UB checks
3444

@@ -47,11 +57,12 @@ invalid write:
4757
#[kani::proof]
4858
fn buggy_code() {
4959
let mut value: bool = false;
60+
let ptr: *mut bool = &mut value as *mut _;
61+
let mut_ref = &mut value;
5062
unsafe {
51-
let ptr: *mut u8 = &mut value as *mut _ as *mut u8;
52-
*ptr = 8; // This assignment does not cause UB...
63+
*ptr = true; // This assignment is safe if `mut_ref` is never used!
5364
}
54-
assert!(value); // ...but this read triggers UB! ⚠️
65+
assert!(!*mut_ref); // This triggers UB ⚠️!
5566
}
5667
```
5768

@@ -69,7 +80,7 @@ In those cases, Kani check must be explicit about this failure being an over-app
6980
For that, we propose that the check message is clear about this limitation, and potentially its status
7081
(see [0010-rust-ub-checks.md#open-questions]).
7182

72-
### Opt-out a class of UB checks
83+
### Opt-out of a class of UB checks
7384

7485
Undefined behavior checks that have been stabilized should be added by default by Kani.
7586
However, Kani should provide a fine-grained control for users to choose which checks to disable.
@@ -91,8 +102,8 @@ fn harness() {}
91102

92103
Where `CHECK_NAMES` is a list of check category names in snake case, such as `memory_safety`, `valid_values`.
93104

94-
For checks that are unstable, Kani should support both opt-out mechanisms.
95-
These checks shall be included by default if their respective unstable flag are passed, i.e., `-Z[CHECK-NAME]`
105+
For checks that are unstable, they should only be included if their respective unstable flag are passed, i.e.,
106+
`-Z [CHECK-NAME]`.
96107

97108
## Software Design
98109

@@ -167,9 +178,10 @@ I.e.: It may impact the status of a previously passing harness if a new check fa
167178
- Another possibility would be to add a `unreachable!()` statement at the end of the test case with a message
168179
explaining why the statement should be unreachable.
169180
- Should we deprecate the `--no-default-checks` and all `--[CHECK-NAME]-checks` checks.
181+
- Should we add an attribute that allows us to opt-out some UB checks for a function or some code block?
182+
- I think we should at least consider adding that option for `kani` library code.
183+
- We've been adding more logic that is used by UB checks, and we may want to skip some checks for them.
170184

171185
## Out of scope / Future Improvements
172186

173187
- **List enabled checks:** Kani could include a command that list all the categories of undefined behaviors supported.
174-
175-
[^all-passing]: For simplicity, we currently over-approximate this by marking all passing assertions as UNDETERMINED.

0 commit comments

Comments
 (0)