-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add safety preconditions to alloc/src/alloc.rs #118
base: main
Are you sure you want to change the base?
Add safety preconditions to alloc/src/alloc.rs #118
Conversation
These changes add code contracts in the form of `#[requires(...)]` attributes to various methods in the `Global` allocator implementation. These contracts ensure that the safety conditions mentioned in the comments are explicitly stated as preconditions for the functions.
Just as previously done for core: this will enable future use of `safety::{ensures,requires}` in those crates.
How does one do contracts for traits? kani complains that it cannot find any of the contracts that have been added to functions in |
AFAIK, this is currently not supported: model-checking/kani#1997 We have a test that is disabled till support is added: https://github.com/model-checking/kani/blob/main/tests/expected/function-contract/trait_impls/methods.rs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think all these contracts are missing information about the pointer allocation. The pointer needs to be allocated for the given size for all these operations to be safe.
Also, CI is failing.
#[requires(layout.size() == 0 || layout.align() != 0)] | ||
#[requires(ptr.as_ptr() as usize % layout.align() == 0)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
don't we need to require that the pointer is actually allocated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We actually need an even stronger precondition (and Kani correctly detects this via the grow_impl
harness): we'd need to express that ptr
either points to a ZST (that's doable) or is a valid heap allocation (I don't know how we could currently express this).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We would need ghost state. 😄
Yes, see #118 (comment). |
#[requires(new_layout.size() >= old_layout.size())] | ||
#[requires(old_layout.size() == 0 || old_layout.align() != 0)] | ||
#[requires(new_layout.size() == 0 || new_layout.align() != 0)] | ||
#[requires(ptr.as_ptr() as usize % old_layout.align() == 0)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#[requires(ptr.as_ptr() as usize % old_layout.align() == 0)] | |
#[requires(ptr.as_ptr().addr() % old_layout.align() == 0)] |
#[requires(new_layout.size() >= old_layout.size())] | ||
#[requires(old_layout.size() == 0 || old_layout.align() != 0)] | ||
#[requires(new_layout.size() == 0 || new_layout.align() != 0)] | ||
#[requires(ptr.as_ptr() as usize % old_layout.align() == 0)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#[requires(ptr.as_ptr() as usize % old_layout.align() == 0)] | |
#[requires(ptr.as_ptr().addr() % old_layout.align() == 0)] |
#[requires(new_layout.size() >= old_layout.size())] | ||
#[requires(old_layout.size() == 0 || old_layout.align() != 0)] | ||
#[requires(new_layout.size() == 0 || new_layout.align() != 0)] | ||
#[requires(ptr.as_ptr() as usize % old_layout.align() == 0)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#[requires(ptr.as_ptr() as usize % old_layout.align() == 0)] | |
#[requires(ptr.as_ptr().addr() % old_layout.align() == 0)] |
These changes add code contracts in the form of
#[requires(...)]
attributes to various methods in theGlobal
allocator implementation. These contracts ensure that the safety conditions mentioned in the comments are explicitly stated as preconditions for the functions.