Verify safety of NonZero operations (Challenge 12)#544
Open
jrey8343 wants to merge 4 commits intomodel-checking:mainfrom
Open
Verify safety of NonZero operations (Challenge 12)#544jrey8343 wants to merge 4 commits intomodel-checking:mainfrom
jrey8343 wants to merge 4 commits intomodel-checking:mainfrom
Conversation
Add verification harnesses for all remaining NonZero functions: bit operations (count_ones, swap_bytes, reverse_bits, rotate_left, rotate_right), byte order (from_be, from_le, to_be, to_le), bitor (all 3 impls), checked/saturating arithmetic (checked_mul, saturating_mul, checked_add, saturating_add, checked_pow, saturating_pow), power of two (checked_next_power_of_two), midpoint, isqrt, signed operations (neg, abs, checked_abs, overflowing_abs, saturating_abs, wrapping_abs, unsigned_abs, checked_neg, overflowing_neg, wrapping_neg), and from_mut. Remove trivial loop_invariant(true) annotations from primitive checked_pow that caused CBMC assigns check interference with NonZero::new_unchecked verification. Total: 385 harnesses pass (376 new + 9 existing).
The 128-bit saturating_pow harnesses with unbounded u32 exponents hit CBMC's 10-minute timeout because 128-bit bitvector multiplication is extremely expensive. Add a dedicated macro that constrains exp <= 10 with unwind(5), sufficient to cover both the non-saturating and saturating code paths while keeping verification tractable.
…sion Same fix as saturating_pow_128: use a dedicated macro with exp <= 10 and #[kani::unwind(5)] for the 128-bit checked_pow harnesses.
jrey8343
force-pushed
the
challenge-12-nonzero
branch
from
d41f3ea to
9d26114
Compare
Author
|
CI is passing — ready for review. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves #71 (Challenge 12: Safety of NonZero)
Adds 376 new Kani verification harnesses for all remaining NonZero functions specified in the challenge, covering:
count_ones,swap_bytes,reverse_bits,rotate_left,rotate_right(12 types each)from_be,from_le,to_be,to_le(12 types each)NonZero|NonZero,NonZero|T,T|NonZero(12 types each)checked_mul,saturating_mul,checked_add,saturating_add(unsigned-only for add)checked_pow,saturating_pow(12 types each)checked_next_power_of_two,midpoint,isqrtneg,abs,checked_abs,overflowing_abs,saturating_abs,wrapping_abs,unsigned_abs,checked_neg,overflowing_neg,wrapping_negfrom_mutChanges
library/core/src/num/nonzero.rs: 376 new verification harnesses inmod verifylibrary/core/src/num/uint_macros.rs: Remove trivial#[safety::loop_invariant(true)]fromchecked_powthat caused CBMC assigns check interference withNonZero::new_uncheckedverificationlibrary/core/src/num/int_macros.rs: Same loop_invariant removal for signed typesVerification
All 385 harnesses pass (376 new + 9 existing):
Run with: