Support for inductively verifying contracts of recursive functions #2809
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JustusAdam
changed the title
JustusAdam
added
the
[C] Feature / Enhancement
|
BTW, I have the following pre-commit hook to avoid all the whitespace issues: #!/usr/bin/env bash
# Copyright Kani Contributors
# SPDX-License-Identifier: Apache-2.0 OR MIT
set -e
# source: https://github.com/awslabs/git-secrets
git secrets --pre_commit_hook -- "$@"
TOP_DIR=$(git rev-parse --show-toplevel)
check_rust_style() {
pushd ${TOP_DIR}
./scripts/kani-fmt.sh --check
cargo clippy --all -- -D warnings
popd
}
check_rust_style |
zhassan-aws
reviewed
Oct 9, 2023
Co-authored-by: Zyad Hassan <88045115+zhassan-aws@users.noreply.github.com>
zhassan-aws
reviewed
Oct 10, 2023
|
Hmm, my formatting was wrong even though I ran |
zhassan-aws
reviewed
Oct 11, 2023
zhassan-aws
approved these changes
Oct 11, 2023
There was a problem hiding this comment.
Thanks @JustusAdam! It's great to be able to support recursive functions!
Thanks. Yeah I'll do that. |
zhassan-aws
reviewed
Oct 17, 2023
Co-authored-by: Zyad Hassan <88045115+zhassan-aws@users.noreply.github.com>
zhassan-aws
approved these changes
Oct 17, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support for verifying the contracts of recursive functions inductively.
The idea is quite simple. We use a global variable to track whether we're reentering a function and depending on that value we either continue with checking the contract or assume the hypothesis by using its replacement.
The precise mechanism that I implemented is explained in the documentation here
Resolves #2724
Open Question: to facilitate induction the return type of the function must implement
kani::Arbitrary. Since we can't discriminate between recursive and non-recursive functions in the proc-macro this means that this applies to all functions with contracts, not just recursive ones. This may be an unacceptable restriction. We could consider making inductive verification explicit with an annotation like#[kani::inductive]or conversely make inductive the default and let users opt-out with#[kani::no_inductive]. This is now tracked in #2823I had to remove the names of the functions in which the messages occur in the test cases, since they are now generated, hard to read names
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.