Skip to content

Commit 8aa96d3

Browse files
joshlfjoshlf
authored
[byte_slice] Add Kani proofs (#2451)
gherrit-pr-id: Ide939969b8d0c3bc117aa9f1dba06e6d570f262f
1 parent 855c237 commit 8aa96d3

File tree

3 files changed

+46
-3
lines changed

3 files changed

+46
-3
lines changed

.github/workflows/ci.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -595,7 +595,7 @@ jobs:
595595
args: "--package zerocopy --features __internal_use_only_features_that_work_on_stable --output-format=terse -Zfunction-contracts --randomize-layout --memory-safety-checks --overflow-checks --undefined-function-checks --unwinding-checks"
596596
# This version is automatically rolled by
597597
# `roll-pinned-toolchain-versions.yml`.
598-
kani-version: 0.55.0
598+
kani-version: 0.60.0
599599

600600
# NEON intrinsics are currently broken on big-endian platforms. [1] This test ensures
601601
# that we don't accidentally attempt to compile these intrinsics on such platforms. We

src/byte_slice.rs

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -353,3 +353,46 @@ unsafe impl SplitByteSlice for cell::RefMut<'_, [u8]> {
353353
})
354354
}
355355
}
356+
357+
#[cfg(kani)]
358+
mod proofs {
359+
use super::*;
360+
361+
fn any_vec() -> Vec<u8> {
362+
let len = kani::any();
363+
kani::assume(len <= isize::MAX as usize);
364+
vec![0u8; len]
365+
}
366+
367+
#[kani::proof]
368+
fn prove_split_at_unchecked() {
369+
let v = any_vec();
370+
let slc = v.as_slice();
371+
let mid = kani::any();
372+
kani::assume(mid <= slc.len());
373+
let (l, r) = unsafe { slc.split_at_unchecked(mid) };
374+
assert_eq!(l.len() + r.len(), slc.len());
375+
376+
let slc: *const _ = slc;
377+
let l: *const _ = l;
378+
let r: *const _ = r;
379+
380+
assert_eq!(slc.cast::<u8>(), l.cast::<u8>());
381+
assert_eq!(unsafe { slc.cast::<u8>().add(mid) }, r.cast::<u8>());
382+
383+
let mut v = any_vec();
384+
let slc = v.as_mut_slice();
385+
let len = slc.len();
386+
let mid = kani::any();
387+
kani::assume(mid <= slc.len());
388+
let (l, r) = unsafe { slc.split_at_unchecked(mid) };
389+
assert_eq!(l.len() + r.len(), len);
390+
391+
let l: *mut _ = l;
392+
let r: *mut _ = r;
393+
let slc: *mut _ = slc;
394+
395+
assert_eq!(slc.cast::<u8>(), l.cast::<u8>());
396+
assert_eq!(unsafe { slc.cast::<u8>().add(mid) }, r.cast::<u8>());
397+
}
398+
}

src/lib.rs

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -302,7 +302,7 @@
302302
clippy::arithmetic_side_effects,
303303
clippy::indexing_slicing,
304304
))]
305-
#![cfg_attr(not(any(test, feature = "std")), no_std)]
305+
#![cfg_attr(not(any(test, kani, feature = "std")), no_std)]
306306
#![cfg_attr(
307307
all(feature = "simd-nightly", any(target_arch = "x86", target_arch = "x86_64")),
308308
feature(stdarch_x86_avx512)
@@ -377,7 +377,7 @@ use std::io;
377377

378378
use crate::pointer::invariant::{self, BecauseExclusive};
379379

380-
#[cfg(any(feature = "alloc", test))]
380+
#[cfg(any(feature = "alloc", test, kani))]
381381
extern crate alloc;
382382
#[cfg(any(feature = "alloc", test))]
383383
use alloc::{boxed::Box, vec::Vec};

0 commit comments

Comments
 (0)