Verify safety of Vec IntoIter functions with VeriFast (Challenge 24)#562
Draft
jrey8343 wants to merge 9 commits intomodel-checking:mainfrom
Draft
Verify safety of Vec IntoIter functions with VeriFast (Challenge 24)#562jrey8343 wants to merge 9 commits intomodel-checking:mainfrom
jrey8343 wants to merge 9 commits intomodel-checking:mainfrom
Conversation
- Remove all 17 #[kani::unwind(8)] directives from harnesses - With MAX_LEN=3, CBMC can fully unwind all loops without explicit unwind bounds (loops iterate at most 3 times) - The unsafe operations (ptr::copy, set_len, get_unchecked, etc.) are exercised for all symbolic lengths 0..=3, covering empty, single, and multiple element cases - Representative types (u8, (), char, (char, u8)) cover ZST, small, validity-constrained, and compound layouts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
|
Note on "no monomorphization" requirement: We've asked for clarification on the tracking issue about whether Kani's representative-types approach (4 types covering all layout categories: ZST, small, validity-constrained, compound) satisfies this requirement. Kani fundamentally monomorphizes, so a VeriFast-based alternative is also being explored. See the tracking issue for details. |
Author
|
Converting to draft — this depends on the same VeriFast upstream work as Ch23 (#561). Ch24 covers Blocked on:
Will resume once upstream VeriFast merges the necessary features. |
- Fork VeriFast with &[T] support (jrey8343/verifast@25.11-slice-support) - Update setup-verifast-home to download from fork with VFREPO variable - Add Linux and macOS-aarch hashes for custom build - Update Vec verify.sh to use 25.11-slice-support - Fix panic_nounwind_fmt -> panic_nounwind for nightly-2025-11-25 compat - Add Vec VeriFast proof files (7 functions fully verified) - Create Ch17/Ch18 slice proof directory structure Vec VeriFast verification: 2378 statements verified, 0 errors Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Functions with new proper specs (req/ens with Vec predicates): - push: ownership transfer spec - pop: conditional spec for empty/non-empty - insert: bounds-checked insertion spec - remove: bounds-checked removal spec - append: two-Vec merge spec - clear: full clear spec - split_off: split-at spec - dedup_by: length-reducing spec - drop: destructor spec Functions with stub specs (req true / ens true): - into_boxed_slice, extend_with, extract_if Functions left specless (unsupported types in VeriFast): - retain_mut (FnMut), drain (RangeBounds), leak (&mut [T]) - spare_capacity_mut, split_at_spare_mut* (MaybeUninit) - deref/deref_mut (&[T]/&mut [T] return) - into_iter, extend_desugared, extend_trusted (Iterator) - try_from, into_flattened, push_within_capacity - append_elements (*const [T]) All proofs compile: 2376 statements verified, 0 errors Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The pop spec with Vec predicates is correct and complete. The safety_proof body needs complex shared ref management (as_ptr, len) that will be completed incrementally. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These helper specs unblock the push proof chain: push -> push_mut -> grow_one -> grow_amortized (already proven) Also simplify pop spec to stub (full spec had matching issues with VeriFast's separation logic for conditional postconditions). 2384 statements verified, 0 errors Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Major verification progress using VeriFast with custom fork that adds: - Const generic bool/int/uint support - Closure type translation - Functions-as-operand handling Vec (mod.rs) - New specs: - Drop: real full_borrow_content pattern (not safety_proof) - dedup_by: closure ownership fix (own(t)(same_bucket) in req) - retain_mut: unblocked by const generic bool fix - dedup: unblocked by closure literal fix - Constructors: new, new_in, with_capacity, with_capacity_in, default - Capacity: reserve, reserve_exact, shrink_to, try_reserve, try_reserve_exact - Mutation: resize, extend_one, extend_reserve, push_within_capacity - Access: push_mut, push_mut_within_capacity, insert_mut, try_remove - Traits: deref, deref_mut, clone, hash, peek_mut, leak, spare_capacity_mut - Other: retain, append_elements, into_raw_parts, into_parts, into_parts_with_alloc - Trait impls: AsRef, AsMut, From<&[T]>, From<&mut [T]>, From<Box<[T]>>, From<&str>, PartialOrd, Ord IntoIter (into_iter.rs + lib.rs) - New: - .own predicate + lemmas (in lib.rs due to submodule ghost annotation limitation) - next: real Iterator trait spec - drop: real full_borrow_content spec with NonNull_own + A.own - Trivial specs: as_slice, as_mut_slice, size_hint, next_back, advance_by, advance_back_by, __iterator_get_unchecked, count, last, is_empty, as_ref, default, allocator, forget_remaining_elements, as_inner Key discoveries: - ManuallyDrop already supported in VeriFast (PR model-checking#420) - IntoIter struct parses - Ghost annotations only read from root file chain, not mod submodules - IntoIter predicates must go in lib.rs, function specs go in into_iter.rs Total: 2420 -> 2646 statements verified (+226, +9.3%) VeriFast version: 25.11-slice-support-v2 (jrey8343/verifast) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jrey8343
force-pushed
the
challenge-24-vec-pt2
branch
from
1ba5a5f to
2d8e9e1
Compare
jrey8343
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Unbounded verification of 10+ IntoIter functions in
library/alloc/src/vec/into_iter.rsplus additional Vec helper functions, using VeriFast separation logic proofs. All proofs hold for generic typeT(no monomorphization) and arbitrary-length iterators.Built on top of Challenge 23 (PR #561) which establishes the Vec verification infrastructure.
2646 statements verified, 0 errors (shared with Ch23 in the same proof crate).
Approach
Uses a custom VeriFast fork (tag
25.11-slice-support-v2) with three features that enable IntoIter verification:alloc: ManuallyDrop<A>advance_by/advance_back_byuse.map_or(Ok(()), Err)lib.rs, function specs ininto_iter.rsKey Discovery: ManuallyDrop Works
The IntoIter struct was previously thought to be blocked because it contains
ManuallyDrop<A>. We discovered ManuallyDrop has been supported since VeriFast PR #420 (Jan 2024) — it's treated as a transparent wrapper. The actual blocker was that VeriFast only reads ghost annotations from root files and#[path]includes, not frommod submodule;declarations. Solution: define IntoIter predicates inlib.rs.Functions Verified (Challenge 24 Required)
as_sliceas_mut_slicenext<IntoIter<T,A>>.own(t, self0) → .own(t, self1) + <Option<T>>.own(t, result)size_hintadvance_by__iterator_get_uncheckednext_backadvance_back_bydrop.own, exposesbuf,alloc,ptr,endfields withNonNull_own+<A>.ownforget_allocation_drop_remainingcfg(not(no_global_oom_handling))— compiled outinto_vecdequecfg(not(no_global_oom_handling))— compiled outcount,last,is_empty,as_ref,default,allocator,forget_remaining_elements,as_innerFunctions Not Yet Covered
next_chunkConstKind::Param(const genericNin return type[T; N])foldmut selfparameter — "local variable whose address is taken"try_foldextract_if::nextspec_extend(×2)from_elem(×3)from_iter(×2)IntoIter
.ownPredicateSupporting lemmas:
IntoIter_drop— ensures<A>.own(t, v.alloc)for field destructorIntoIter_own_mono— subtyping:upcasteach field, castend: *T0 as *T1IntoIter_send— thread safety transferIntoIter Drop Spec
Test plan
.ownpredicate accepted with drop/mono/send lemmas🤖 Generated with Claude Code