Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add harnesses for all functions in Alignment #42

Merged
merged 15 commits into from
Aug 20, 2024
Merged

Add harnesses for all functions in Alignment #42

Changes from 9 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
44824f1
Add harness for Alignment::new_unchecked
tautschnig Jul 23, 2024
25c9cca
Combine requires clauses to avoid spurious overflow error
tautschnig Jul 23, 2024
e795a44
Add harnesses for all Alignment public functions
tautschnig Jul 24, 2024
9c1738c
Add more clauses per feedback
tautschnig Aug 5, 2024
7fdbc77
Add ensures where possible
tautschnig Aug 8, 2024
a91dcad
Merge remote-tracking branch 'origin/main' into align-harness
tautschnig Aug 8, 2024
79f2d79
Merge remote-tracking branch 'origin/main' into align-harness
tautschnig Aug 16, 2024
16f40c7
Try to use Arbitrary
tautschnig Aug 16, 2024
729fbc0
Revert "Try to use Arbitrary"
tautschnig Aug 16, 2024
a480419
Merge remote-tracking branch 'origin/main' into align-harness
tautschnig Aug 20, 2024
974be23
Reapply "Try to use Arbitrary"
tautschnig Aug 20, 2024
c08b98d
Consistently use kani::any
tautschnig Aug 20, 2024
fe4ba88
Add contract to of<T>
tautschnig Aug 20, 2024
69e7594
Fixup submodules
tautschnig Aug 20, 2024
4d4a211
Merge branch 'main' into align-harness
tautschnig Aug 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 80 additions & 3 deletions library/core/src/ptr/alignment.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use safety::requires;
use safety::{ensures, requires};
use crate::num::NonZero;
#[cfg(debug_assertions)]
use crate::ub_checks::assert_unsafe_precondition;
Expand Down Expand Up @@ -60,6 +60,8 @@ impl Alignment {
#[unstable(feature = "ptr_alignment_type", issue = "102070")]
#[rustc_const_unstable(feature = "ptr_alignment_type", issue = "102070")]
#[inline]
#[ensures(|result| align.is_power_of_two() == result.is_some())]
#[ensures(|result| result.is_none() || result.unwrap().as_usize() == align)]
pub const fn new(align: usize) -> Option<Self> {
if align.is_power_of_two() {
// SAFETY: Just checked it only has one bit set
Expand All @@ -80,8 +82,9 @@ impl Alignment {
#[unstable(feature = "ptr_alignment_type", issue = "102070")]
#[rustc_const_unstable(feature = "ptr_alignment_type", issue = "102070")]
#[inline]
#[requires(align > 0)]
#[requires((align & (align - 1)) == 0)]
#[requires(align > 0 && (align & (align - 1)) == 0)]
#[ensures(|result| result.as_usize() == align)]
#[ensures(|result| result.as_usize().is_power_of_two())]
pub const unsafe fn new_unchecked(align: usize) -> Self {
#[cfg(debug_assertions)]
assert_unsafe_precondition!(
Expand All @@ -99,6 +102,7 @@ impl Alignment {
#[unstable(feature = "ptr_alignment_type", issue = "102070")]
#[rustc_const_unstable(feature = "ptr_alignment_type", issue = "102070")]
#[inline]
#[ensures(|result| result.is_power_of_two())]
pub const fn as_usize(self) -> usize {
self.0 as usize
}
Expand All @@ -107,6 +111,8 @@ impl Alignment {
#[unstable(feature = "ptr_alignment_type", issue = "102070")]
#[rustc_const_unstable(feature = "ptr_alignment_type", issue = "102070")]
#[inline]
#[ensures(|result| result.get().is_power_of_two())]
#[ensures(|result| result.get() == self.as_usize())]
pub const fn as_nonzero(self) -> NonZero<usize> {
// SAFETY: All the discriminants are non-zero.
unsafe { NonZero::new_unchecked(self.as_usize()) }
Expand All @@ -128,6 +134,9 @@ impl Alignment {
#[unstable(feature = "ptr_alignment_type", issue = "102070")]
#[rustc_const_unstable(feature = "ptr_alignment_type", issue = "102070")]
#[inline]
#[requires(self.as_usize().is_power_of_two())]
#[ensures(|result| (*result as usize) < mem::size_of::<usize>() * 8)]
#[ensures(|result| 1usize << *result == self.as_usize())]
tautschnig marked this conversation as resolved.
Show resolved Hide resolved
pub const fn log2(self) -> u32 {
self.as_nonzero().trailing_zeros()
}
Expand Down Expand Up @@ -158,6 +167,9 @@ impl Alignment {
#[unstable(feature = "ptr_alignment_type", issue = "102070")]
#[rustc_const_unstable(feature = "ptr_alignment_type", issue = "102070")]
#[inline]
#[ensures(|result| *result > 0)]
#[ensures(|result| *result == !(self.as_usize() -1))]
tautschnig marked this conversation as resolved.
Show resolved Hide resolved
#[ensures(|result| self.as_usize() & *result == self.as_usize())]
pub const fn mask(self) -> usize {
// SAFETY: The alignment is always nonzero, and therefore decrementing won't overflow.
!(unsafe { self.as_usize().unchecked_sub(1) })
Expand Down Expand Up @@ -370,3 +382,68 @@ enum AlignmentEnum {
_Align1Shl62 = 1 << 62,
_Align1Shl63 = 1 << 63,
}

#[cfg(kani)]
#[unstable(feature="kani", issue="none")]
mod verify {
use super::*;

// pub const fn of<T>() -> Self
#[kani::proof]
pub fn check_of_i32() {
let alignment = Alignment::of::<i32>();
assert!(alignment.as_usize().is_power_of_two());
tautschnig marked this conversation as resolved.
Show resolved Hide resolved
}

// pub const fn new(align: usize) -> Option<Self>
#[kani::proof_for_contract(Alignment::new)]
pub fn check_new() {
let a = kani::any::<usize>();
let _ = Alignment::new(a);
}

// pub const unsafe fn new_unchecked(align: usize) -> Self
#[kani::proof_for_contract(Alignment::new_unchecked)]
pub fn check_new_unchecked() {
let a = kani::any::<usize>();
unsafe {
let _ = Alignment::new_unchecked(a);
}
}

// pub const fn as_usize(self) -> usize
#[kani::proof_for_contract(Alignment::as_usize)]
pub fn check_as_usize() {
let a = kani::any::<usize>();
if let Some(alignment) = Alignment::new(a) {
assert_eq!(alignment.as_usize(), a);
celinval marked this conversation as resolved.
Show resolved Hide resolved
}
}

// pub const fn as_nonzero(self) -> NonZero<usize>
#[kani::proof_for_contract(Alignment::as_nonzero)]
pub fn check_as_nonzero() {
let a = kani::any::<usize>();
if let Some(alignment) = Alignment::new(a) {
let _ = alignment.as_nonzero();
}
}

// pub const fn log2(self) -> u32
#[kani::proof_for_contract(Alignment::log2)]
pub fn check_log2() {
let a = kani::any::<usize>();
if let Some(alignment) = Alignment::new(a) {
let _ = alignment.log2();
}
}

// pub const fn mask(self) -> usize
#[kani::proof_for_contract(Alignment::mask)]
pub fn check_mask() {
let a = kani::any::<usize>();
if let Some(alignment) = Alignment::new(a) {
let _ = alignment.mask();
}
}
}
Loading