
Add a few examples of using shadow memory to check initialization of slices #3237

Merged
merged 7 commits into from
Jul 16, 2024

Conversation

zhassan-aws
Contributor

@zhassan-aws zhassan-aws commented Jun 6, 2024

A follow-up on #3200: use the API to check that slices produced by some slice operations that internally use unsafe are properly initialized.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@zhassan-aws zhassan-aws requested a review from a team as a code owner June 6, 2024 23:59
@artemagvanian
Contributor

Nice! Those are interesting examples, although I am a bit confused about the semantics of the checks.

Right now, the only thing that is actually checked is that the underlying memory of the slices points to the same memory objects that were previously tagged as initialized. In other words, if the methods under verification somehow deinitialized the memory or allocated and initialized new memory, the checks wouldn't catch it.

Maybe we should add some comments explaining the limitations of the checks?

@zhassan-aws
Contributor Author

Thanks for taking a look @artemagvanian.

Right now, the only thing that is actually checked is that the underlying memory of the slices points to the same memory objects that were previously tagged as initialized.

Correct. The purpose of the tests is to check that those unsafe methods do not mess up the start/end of the slices produced in a way that makes them go out of bounds of the original arrays/slices.

In other words, if the methods under verification somehow deinitialized the memory or allocated and initialized new memory, the checks wouldn't catch it.

Correct. The proper way to check for such cases is what you did in #3264. The main purpose of the tests in this PR is to demonstrate a possible usage of the shadow memory APIs. They're not really verifying those methods. I can add a comment that clarifies that.
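The semantics discussed in this exchange, as an added illustration in plain Rust (not the PR's own tests and not Kani's `kani::shadow` API): a constructed byte-granular shadow map records which addresses were tagged as initialized, slices produced by `split_at` and `chunks` are checked to lie within the tagged region, and a freshly allocated copy shows the limitation that the check tracks provenance and bounds, not whether the bytes themselves are currently initialized.

```rust
use std::collections::HashSet;

/// Constructed stand-in for a shadow memory of initialization bits: one flag
/// per byte address. Assumption for this example only, not Kani's shadow API.
struct ShadowInit {
    tagged: HashSet<usize>,
}

impl ShadowInit {
    fn new() -> Self {
        ShadowInit { tagged: HashSet::new() }
    }

    /// Tag every byte underlying `s` as initialized.
    fn tag_slice<T>(&mut self, s: &[T]) {
        let start = s.as_ptr() as usize;
        self.tagged.extend(start..start + std::mem::size_of_val(s));
    }

    /// The check the PR's tests perform: every byte of `s` must lie in memory
    /// that was tagged earlier. This only detects slices whose start/end ran
    /// outside the original object; it says nothing about later writes.
    fn is_tagged<T>(&self, s: &[T]) -> bool {
        let start = s.as_ptr() as usize;
        (start..start + std::mem::size_of_val(s)).all(|a| self.tagged.contains(&a))
    }
}

/// Tag `arr`, split it (an operation that uses unsafe internally), and report
/// whether each half stayed inside the tagged region.
fn split_stays_in_bounds(arr: &[u32], mid: usize) -> (bool, bool) {
    let mut sm = ShadowInit::new();
    sm.tag_slice(arr);
    let (lo, hi) = arr.split_at(mid);
    (sm.is_tagged(lo), sm.is_tagged(hi))
}

/// Same check over every chunk produced by `chunks`, including the short tail.
fn chunks_stay_in_bounds(arr: &[u32], n: usize) -> bool {
    let mut sm = ShadowInit::new();
    sm.tag_slice(arr);
    arr.chunks(n).all(|c| sm.is_tagged(c))
}

/// The limitation raised in review: a slice living in newly allocated memory
/// is fully initialized, yet the check fails because that memory was never
/// tagged. Expects a non-empty `arr` so the copy has a distinct address range.
fn fresh_allocation_is_untagged(arr: &[u32]) -> bool {
    let mut sm = ShadowInit::new();
    sm.tag_slice(arr);
    let copy: Vec<u32> = arr.to_vec();
    !sm.is_tagged(&copy)
}
```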

@zhassan-aws
Contributor Author

@artemagvanian I added clarifying comments in those tests.

Contributor

@artemagvanian artemagvanian left a comment


Looks good to me!

@zhassan-aws zhassan-aws enabled auto-merge (squash) July 16, 2024 23:26
@zhassan-aws zhassan-aws merged commit 053f45c into model-checking:main Jul 16, 2024
25 checks passed
@zhassan-aws zhassan-aws deleted the slice-init-shadow branch July 16, 2024 23:58