Enable powf*, exp*, log* intrinsics (#2996)

CBMC provides approximating implementations of these. Resolves: #2966
model-checking · Feb 7, 2024 · f08a3e9 · f08a3e9
1 parent 129375f
commit f08a3e9
Show file tree

Hide file tree

Showing 7 changed files with 129 additions and 16 deletions.
diff --git a/docs/src/rust-feature-support/intrinsics.md b/docs/src/rust-feature-support/intrinsics.md
@@ -148,10 +148,10 @@ cttz_nonzero | Yes | |
 discriminant_value | Yes | |
 drop_in_place | No | |
 exact_div | Yes | |
-exp2f32 | No | |
-exp2f64 | No | |
-expf32 | No | |
-expf64 | No | |
+exp2f32 | Partial | Results are overapproximated |
+exp2f64 | Partial | Results are overapproximated |
+expf32 | Partial | Results are overapproximated |
+expf64 | Partial | Results are overapproximated |
 fabsf32 | Yes | |
 fabsf64 | Yes | |
 fadd_fast | Yes | |
@@ -170,8 +170,8 @@ log10f32 | No | |
 log10f64 | No | |
 log2f32 | No | |
 log2f64 | No | |
-logf32 | No | |
-logf64 | No | |
+logf32 | Partial | Results are overapproximated |
+logf64 | Partial | Results are overapproximated |
 maxnumf32 | Yes | |
 maxnumf64 | Yes | |
 min_align_of | Yes | |
@@ -185,8 +185,8 @@ nearbyintf64 | Yes | |
 needs_drop | Yes | |
 nontemporal_store | No | |
 offset | Partial | Doesn't check [all UB conditions](https://doc.rust-lang.org/std/primitive.pointer.html#safety-2) |
-powf32 | No | |
-powf64 | No | |
+powf32 | Partial | Results are overapproximated |
+powf64 | Partial | Results are overapproximated |
 powif32 | No | |
 powif64 | No | |
 pref_align_of | Yes | |

diff --git a/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs b/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs
@@ -420,10 +420,10 @@ impl<'tcx> GotocCtx<'tcx> {
  self.codegen_expr_to_place_stable(place, e)
  }
  "exact_div" => self.codegen_exact_div(fargs, place, loc),
- "exp2f32" => unstable_codegen!(codegen_simple_intrinsic!(Exp2f)),
- "exp2f64" => unstable_codegen!(codegen_simple_intrinsic!(Exp2)),
- "expf32" => unstable_codegen!(codegen_simple_intrinsic!(Expf)),
- "expf64" => unstable_codegen!(codegen_simple_intrinsic!(Exp)),
+ "exp2f32" => codegen_simple_intrinsic!(Exp2f),
+ "exp2f64" => codegen_simple_intrinsic!(Exp2),
+ "expf32" => codegen_simple_intrinsic!(Expf),
+ "expf64" => codegen_simple_intrinsic!(Exp),
  "fabsf32" => codegen_simple_intrinsic!(Fabsf),
  "fabsf64" => codegen_simple_intrinsic!(Fabs),
  "fadd_fast" => {
@@ -456,8 +456,8 @@ impl<'tcx> GotocCtx<'tcx> {
  "log10f64" => unstable_codegen!(codegen_simple_intrinsic!(Log10)),
  "log2f32" => unstable_codegen!(codegen_simple_intrinsic!(Log2f)),
  "log2f64" => unstable_codegen!(codegen_simple_intrinsic!(Log2)),
- "logf32" => unstable_codegen!(codegen_simple_intrinsic!(Logf)),
- "logf64" => unstable_codegen!(codegen_simple_intrinsic!(Log)),
+ "logf32" => codegen_simple_intrinsic!(Logf),
+ "logf64" => codegen_simple_intrinsic!(Log),
  "maxnumf32" => codegen_simple_intrinsic!(Fmaxf),
  "maxnumf64" => codegen_simple_intrinsic!(Fmax),
  "min_align_of" => codegen_intrinsic_const!(),
@@ -474,8 +474,8 @@ impl<'tcx> GotocCtx<'tcx> {
  "offset" => unreachable!(
  "Expected `core::intrinsics::unreachable` to be handled by `BinOp::OffSet`"
  ),
- "powf32" => unstable_codegen!(codegen_simple_intrinsic!(Powf)),
- "powf64" => unstable_codegen!(codegen_simple_intrinsic!(Pow)),
+ "powf32" => codegen_simple_intrinsic!(Powf),
+ "powf64" => codegen_simple_intrinsic!(Pow),
  "powif32" => unstable_codegen!(codegen_simple_intrinsic!(Powif)),
  "powif64" => unstable_codegen!(codegen_simple_intrinsic!(Powi)),
  "pref_align_of" => codegen_intrinsic_const!(),

diff --git a/tests/kani/Intrinsics/Math/Arith/exp.rs b/tests/kani/Intrinsics/Math/Arith/exp.rs
@@ -0,0 +1,24 @@
+// Copyright Kani Contributors
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+//
+// This test will trigger use of the `expf32` and `expf64` intrinsics, which in turn invoke
+// functions modelled in CBMC's math library. These models use approximations as documented in
+// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c.
+
+#[kani::proof]
+fn verify_exp32() {
+ let two = 2.0_f32;
+ let two_sq = std::f32::consts::E * std::f32::consts::E;
+ let two_exp = two.exp();
+
+ assert!((two_sq - two_exp).abs() <= 0.192);
+}
+
+#[kani::proof]
+fn verify_exp64() {
+ let two = 2.0_f64;
+ let two_sq = std::f64::consts::E * std::f64::consts::E;
+ let two_exp = two.exp();
+
+ assert!((two_sq - two_exp).abs() <= 0.192);
+}
diff --git a/tests/kani/Intrinsics/Math/Arith/exp2.rs b/tests/kani/Intrinsics/Math/Arith/exp2.rs
@@ -0,0 +1,22 @@
+// Copyright Kani Contributors
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+//
+// This test will trigger use of the `exp2f32` and `exp2f64` intrinsics, which in turn invoke
+// functions modelled in CBMC's math library. These models use approximations as documented in
+// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c.
+
+#[kani::proof]
+fn verify_exp2_32() {
+ let two = 2.0_f32;
+ let two_two = two.exp2();
+
+ assert!((two_two - 4.0).abs() <= 0.345);
+}
+
+#[kani::proof]
+fn verify_exp2_64() {
+ let two = 2.0_f64;
+ let two_two = two.exp2();
+
+ assert!((two_two - 4.0).abs() <= 0.345);
+}
diff --git a/tests/kani/Intrinsics/Math/Arith/log.rs b/tests/kani/Intrinsics/Math/Arith/log.rs
@@ -0,0 +1,22 @@
+// Copyright Kani Contributors
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+//
+// This test will trigger use of the `logf32` and `logf64` intrinsics, which in turn invoke
+// functions modelled in CBMC's math library. These models use approximations as documented in
+// CBMC's source code: https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c.
+
+#[kani::proof]
+fn verify_logf32() {
+ let e = std::f32::consts::E;
+ let e_log = e.ln();
+
+ assert!((e_log - 1.0).abs() <= 0.058);
+}
+
+#[kani::proof]
+fn verify_logf64() {
+ let e = std::f64::consts::E;
+ let e_log = e.ln();
+
+ assert!((e_log - 1.0).abs() <= 0.058);
+}
diff --git a/tests/kani/Intrinsics/Math/Arith/powf32.rs b/tests/kani/Intrinsics/Math/Arith/powf32.rs
@@ -0,0 +1,15 @@
+// Copyright Kani Contributors
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+//
+// This test will trigger use of the `powf32` intrinsic, which in turn invoke functions modelled in
+// CBMC's math library. These models use approximations as documented in CBMC's source code:
+// https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c.
+
+#[kani::proof]
+fn verify_pow() {
+ let x: f32 = kani::any();
+ kani::assume(x.is_normal());
+ kani::assume(x > 1.0 && x < u16::MAX.into());
+ let x2 = x.powf(2.0);
+ assert!(x2 >= 0.0);
+}
diff --git a/tests/kani/Intrinsics/Math/Arith/powf64.rs b/tests/kani/Intrinsics/Math/Arith/powf64.rs
@@ -0,0 +1,30 @@
+// Copyright Kani Contributors
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+//
+// This test will trigger use of the `powf64` intrinsic, which in turn invoke functions modelled in
+// CBMC's math library. These models use approximations as documented in CBMC's source code:
+// https://github.com/diffblue/cbmc/blob/develop/src/ansi-c/library/math.c.
+
+pub fn f(a: u64) -> u64 {
+ const C: f64 = 0.618;
+ (a as f64).powf(C) as u64
+}
+
+#[cfg(kani)]
+mod verification {
+ use super::*;
+
+ #[kani::proof]
+ fn verify_f() {
+ const LIMIT: u64 = 10;
+ let x: u64 = kani::any();
+ let y: u64 = kani::any();
+ // outside these limits our approximation may yield spurious results
+ kani::assume(x > LIMIT && x < LIMIT * 3);
+ kani::assume(y > LIMIT && y < LIMIT * 3);
+ kani::assume(x > y);
+ let x_ = f(x);
+ let y_ = f(y);
+ assert!(x_ >= y_);
+ }
+}