Clean up arbitrary pointer

library/core/src/intrinsics.rs

@@ -3616,152 +3616,129 @@ mod verify {
  assert_eq!(x, old_y);
  }
 
- /// Note that in `core` we cannot check allocated pointers.
  #[derive(Copy, Clone, Debug, PartialEq, Eq, kani::Arbitrary)]
- enum PtrKind {
+ enum AllocationStatus {
  /// Dangling pointers
  Dangling,
+ /// Pointer to dead object
+ DeadObj,
  /// Null pointers
  Null,
- /// Stack pointers
- Stack,
- /// Overlapping pointers
- Overlap,
- /// Unaligned pointers
- Unaligned,
- /// Pointer to uninitialized memory
- Uninitialized,
+ /// In bounds pointer (it may be unaligned)
+ InBounds,
+ /// Out of bounds
+ OutBounds,
  }
 
- struct ArbitraryPointers<T> {
- src: *const T,
- dst: *mut T,
- dst_kind: PtrKind,
- src_kind: PtrKind,
+ struct PointerGenerator<T, const BUF_LEN: usize> {
+ // Internal allocation that may be used to generate valid pointers.
+ buf: MaybeUninit<[T; BUF_LEN]>,
  }
 
- impl<T: kani::Arbitrary> ArbitraryPointers<T> {
- const MAX_SIZE_T: usize = 100;
- const SIZE_T: usize = size_of::<T>();
-
- const IS_VALID: () = assert!(Self::SIZE_T < Self::MAX_SIZE_T, "Exceeded supported type size");
-
- fn with_arbitrary<F>(harness: F) where F: FnOnce(ArbitraryPointers<T>) {
+ struct ArbitraryPointer<T> {
+ pub ptr: *mut T,
+ pub status: AllocationStatus,
+ pub is_initialized: bool,
+ }
 
- #[repr(C)]
- struct WithUninit<const SIZE: usize> {
- bytes: [MaybeUninit<u8>; SIZE],
- }
+ impl<T: kani::Arbitrary, const BUF_LEN: usize> PointerGenerator<T, BUF_LEN> {
+ const SZ : usize = BUF_LEN * size_of::<T>();
 
- #[repr(C)]
- #[repr(packed)]
- #[derive(kani::Arbitrary)]
- struct Unaligned<T> {
- first: u8,
- val: T, // If alignment of T > 1, this value will be unaligned but valid otherwise.
+ pub fn new() -> Self {
+ PointerGenerator {
+ buf: MaybeUninit::uninit()
  }
+ }
 
- let mut single = kani::any::<T>();
- let single_ptr = addr_of_mut!(single);
-
- let mut array: [T; 100] = kani::any();
- let array_ptr = addr_of_mut!(array) as *mut T;
+ /// Create another ArbitraryPointer that may have the same precedence as the `other` pointer.
+ ///
+ /// I.e.: Non-deterministically derive a pointer from the given pointer or create a new
+ /// arbitrary pointer.
+ pub fn generate_ptr(&mut self) -> ArbitraryPointer<T> {
+ // Create an arbitrary pointer, but leave `ptr` as unset for now.
+ let mut arbitrary = ArbitraryPointer {
+ ptr: ptr::null_mut::<T>(),
+ is_initialized: false,
+ status: kani::any(),
+ };
 
- let mut unaligned: Unaligned<T> = kani::any();
- let unaligned_ptr = addr_of_mut!(unaligned.val) as *mut T;
+ let buf_ptr = addr_of_mut!(self.buf) as *mut T;
 
- let mut uninit = WithUninit { bytes: [MaybeUninit::zeroed(); Self::MAX_SIZE_T] };
- for i in 0..Self::SIZE_T {
- if kani::any() {
- uninit.bytes[i] = MaybeUninit::uninit();
+ // Offset is used to potentially generate unaligned pointer.
+ let offset = kani::any_where(|b: &usize| *b < size_of::<T>());
+ let ptr = match arbitrary.status {
+ AllocationStatus::Dangling => {
+ crate::ptr::dangling_mut::<T>().wrapping_add(offset)
  }
- }
- let uninit_ptr = &mut uninit as *mut _ as *mut T;
-
- let arbitrary = ArbitraryPointers::from(single_ptr, array_ptr, unaligned_ptr, uninit_ptr);
- harness(arbitrary);
- }
-
- fn from(ptr1: *mut T, ptr2: *mut T, unaligned: *mut T, uninit: *mut T) -> Self {
- let (src_kind, src) = ArbitraryPointers::any(ptr1, ptr2, unaligned, uninit);
- let (dst_kind, dst) = ArbitraryPointers::any(ptr2, ptr1, unaligned, uninit);
- ArbitraryPointers {
- src_kind,
- src,
- dst_kind,
- dst,
- }
- }
-
- fn any(unique: *mut T, overlap: *mut T, unaligned: *mut T, uninit: *mut T) -> (PtrKind, *mut T) {
- let kind = kani::any::<PtrKind>();
- let ptr = match kind {
- PtrKind::Dangling => {
- crate::ptr::dangling_mut::<T>()
+ AllocationStatus::DeadObj => {
+ let mut obj: T = kani::any();
+ &mut obj as *mut _
  }
- PtrKind::Null => {
+ AllocationStatus::Null => {
  crate::ptr::null_mut::<T>()
  }
- PtrKind::Stack => {
- unique
+ AllocationStatus::InBounds => {
+ let pos = kani::any_where(|i: &usize| *i < (BUF_LEN - 1));
+ let ptr: *mut T = buf_ptr.wrapping_add(pos).wrapping_byte_add(offset);
+ if kani::any() {
+ arbitrary.is_initialized = true;
+ // This should be in bounds of arbitrary.alloc.
+ unsafe { ptr.write_unaligned(kani::any()) };
+ }
+ ptr
  }
- PtrKind::Overlap => {
- if kani::any() { unique } else { overlap }
- }
- PtrKind::Unaligned => {
- unaligned
- }
- PtrKind::Uninitialized => {
- uninit
+ AllocationStatus::OutBounds => {
+ if kani::any() {
+ buf_ptr.wrapping_add(BUF_LEN).wrapping_byte_sub(offset)
+ } else {
+ buf_ptr.wrapping_add(BUF_LEN).wrapping_byte_add(offset)
+ }
  }
  };
- (kind, ptr)
+
+ arbitrary
  }
  }
 
- #[kani::proof_for_contract(copy)]
- fn check_copy() {
- ArbitraryPointers::<u32>::with_arbitrary(|arbitrary| {
- // Skip dangling for now since it makes Kani contract panic.
- // Verify this case in a separate harness.
- kani::assume(arbitrary.dst_kind != PtrKind::Dangling);
- kani::assume(arbitrary.src_kind != PtrKind::Dangling);
- unsafe { copy(arbitrary.src, arbitrary.dst, kani::any()) }
- });
- }
 
- /// This harness fails because Kani cannot assume a pointer is valid.
- ///
- /// The specification should ensure the pointers passed are allocated, and this harness should
- /// succeed since `copy` ensures would reject dangling pointers.
- #[cfg(ignore)]
  #[kani::proof_for_contract(copy)]
- fn check_copy_dangling() {
- ArbitraryPointers::<u32>::with_arbitrary(|arbitrary| {
- // Verify the dangling case.
- kani::assume(arbitrary.dst_kind == PtrKind::Dangling || arbitrary.src_kind == PtrKind::Dangling);
- unsafe { copy(arbitrary.src, arbitrary.dst, kani::any()) }
- });
+ fn check_copy() {
+ let mut generator = PointerGenerator::<char, 10>::new();
+ let src = generator.generate_ptr();
+ let dst = if kani::any() {
+ generator.generate_ptr();
+ } else {
+ PointerGenerator::<char, 10>::new().generate_ptr()
+ };
+ // Skip dangling for now since it makes Kani contract panic.
+ kani::assume(src.status != AllocationStatus::Dangling);
+ kani::assume(dst.status != AllocationStatus::Dangling);
+ unsafe { copy(src.ptr, dst.ptr, kani::any()) }
  }
 
  #[kani::proof_for_contract(copy_nonoverlapping)]
  fn check_copy_nonoverlapping() {
- ArbitraryPointers::<u32>::with_arbitrary(|arbitrary| {
- // Skip dangling for now since it makes Kani contract panic.
- // Verify this case in a separate harness.
- kani::assume(arbitrary.dst_kind != PtrKind::Dangling);
- kani::assume(arbitrary.src_kind != PtrKind::Dangling);
- unsafe { copy_nonoverlapping(arbitrary.src, arbitrary.dst, kani::any()) }
- });
+ let mut generator = PointerGenerator::<char, 10>::new();
+ let src = generator.generate_ptr();
+ // Destination may or may not have the same precedence as src.
+ let dst = if kani::any() {
+ generator.generate_ptr();
+ } else {
+ PointerGenerator::<char, 10>::new().generate_ptr()
+ };
+ // Skip dangling for now since it makes Kani contract panic.
+ kani::assume(src.status != AllocationStatus::Dangling);
+ kani::assume(dst.status != AllocationStatus::Dangling);
+ unsafe { copy_nonoverlapping(src.ptr, dst.ptr, kani::any()) }
  }
 
  #[kani::proof_for_contract(write_bytes)]
  fn check_write_bytes() {
- ArbitraryPointers::<u32>::with_arbitrary(|arbitrary| {
-  // Skip dangling for now since it makes Kani contract panic.
-  // Verify this case in a separate harness.
-  kani::assume(arbitrary.dst_kind != PtrKind::Dangling);
-  unsafe { write_bytes(arbitrary.dst, kani::any(), kani::any()) }
- });
+ let mut generator = PointerGenerator::<char, 10>::new();
+ let src = generator.generate_ptr();
+ kani::assume(src.status != AllocationStatus::Dangling);
+ // Skip dangling for now since it makes Kani contract panic.
+ // Verify this case in a separate harness.
+ unsafe { write_bytes(src.ptr, kani::any(), kani::any()) }
  }
 }