virtio-queue: add verify_add_used and stub memory region

[priyasiddharth]

Summary of the PR

virtio-queue: add verification for add_used operation

Kani proofs like verify_add_used do not finish in practical time if we use the production memory region. So we implement a stub region with a simple vector backing it. This will help subsequent proofs work and also enable stateful proofs.

Note that unsafe code is added only for StubRegion that will run in Kani.
Kani verifies all unsafe accesses do not cause undefined behaviour (in the context of unit proof execution).

Requirements

Before submitting your PR, please make sure you addressed the following
requirements:

• All commits in this PR have Signed-Off-By trailers (with
  git commit -s), and the commit message has max 60 characters for the
  summary and max 75 characters for each description line.
• All added/changed functionality has a corresponding unit/integration
  test.
• All added/changed public-facing functionality has entries in the "Upcoming
  Release" section of CHANGELOG.md (if no such section exists, please create one).
• Any newly added unsafe code is properly documented.

[MatiasVara]

LGTM!

[stefano-garzarella]

Please for the commit description, follow the style of other commits, using the crate as prefix, something like this:

virtio-queue: add unit proof for add_used method (sec 2.8.22)

[stefano-garzarella]

I'd split this patch in 2 patches, one where you introduce StubRegion (explaining why we need to do that) using it in the existing proofs and another patch where you add the new proof.

[MatiasVara]

I can add that we needed to rely on a StubRegion otherwise Kani won't finish if GuestRegionMmap is used. I agree that this needs to be explained.

[priyasiddharth]

done

[stefano-garzarella]

@priyasiddharth I meant 2 patches in this PR, why removing the other changes from this PR?

[priyasiddharth]

fixed

[MatiasVara]

I think section 2.8 is for packed virtqueues whereas here we are only dealing with split virtqueues. I think the section should be 2.7.14 (see https://docs.oasis-open.org/virtio/virtio/v1.3/csd01/virtio-v1.3-csd01.html#x1-7100014)

[MatiasVara]

Also, I could not find what the spec says about using a descriptor id that is out of bonds. I think that the spec may let the implementation decide that.

[MatiasVara]

I think what we try to enforce here is 2.7.8.2 Device Requirements: The Virtqueue Used Ring. I think we may need a comment like in firecraker in which we state all the things we do not verify, e.g., the order in which the used-ring indexes are updated.

[priyasiddharth]

We are not enforcing any of the following in the current proof therefore I don't think 2.7.8.2 applies:

1. The device MUST set len prior to updating the used idx.
2. The device MUST write at least len bytes to descriptor, beginning at the first device-writable buffer, prior to updating the used idx.
3. The device MAY write more than len bytes to descriptor. Note: There are potential error cases where a device might not know what parts of the buffers have been written. This is why len is permitted to be an underestimate: that’s preferable to the driver believing that uninitialized memory has been overwritten when it has not.

[MatiasVara]

I think this last sentence is not part of the specification. There is no requirement about what to do when the index in the descriptor is out of bonds. I think it is a decision of the implementation what to do in this case.

[priyasiddharth]

closing as not relevant to this PR

[stefano-garzarella]

@priyasiddharth this means that we will lose all the comments of that code, so we need to review again the same changes. Why you removed that changes completely from this PR?

Maybe I was unclear, but I meant just to split the changes in multiple patches but still in the same PR.

[priyasiddharth]

Ok I will add it back. I interpreted the word patch to mean different PRs but perhaps you meant commit: #346 (comment)

[stefano-garzarella]

@priyasiddharth sorry, just to be clear, in my mind commit = patch + description.
PR (or series) is a set of commits/patches.

[priyasiddharth]

I clarified in the function doc

[MatiasVara]

I think different that the proof in firecraker (see https://sourcegraph.com/github.com/firecracker-microvm/firecracker/-/blob/src/vmm/src/devices/virtio/queue.rs?L982) we are checking that the memory values has not changed, right?

[priyasiddharth]

I don't understand the link. But to answer your question, firecracker proof does not check guestmemory (because of path explosion), we add this extra check cause kani seems to be able to handle it.