Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check for pointer validity when casting raw pointer to reference. #2975

Closed
celinval opened this issue Jan 15, 2024 · 1 comment · Fixed by #3221
Closed

Check for pointer validity when casting raw pointer to reference. #2975

celinval opened this issue Jan 15, 2024 · 1 comment · Fixed by #3221
Assignees
@artemagvanian
Labels
[C] Feature / Enhancement A new feature request or enhancement to an existing feature. [E] Unsupported UB Undefined behavior that Kani does not detect T-High Priority Tag issues that have high priority Z-Kani Compiler Issues that require some changes to the compiler

Comments

@celinval
Copy link
Contributor

celinval commented Jan 15, 2024
edited
Loading

Requested feature: Kani should automatically check if a raw pointer is valid before any conversion to a reference, strengthening the verification of unsafe code.
Use case: This will help enable modular verification of safe abstractions. Kani detects invalid memory access only when the reference or dangling pointer is used.
Link to relevant documentation (Rust reference, Nomicon, RFC):

Test case:

struct Store<'a, const LEN: usize> {
    data: [&'a i128; LEN],
}

impl<'a, const LEN: usize> Store<'a, LEN> {
    pub fn from(var: &i64) -> Self {
        let ref1: *const i64 = var;
        let ref2: *const i128 = ref1 as *const i128;
        unsafe {
            Store { data: [&*ref2; LEN] }  // ---- THIS LINE SHOULD FAIL
        }
    }
}

#[cfg_attr(kani, kani::proof)]
#[cfg_attr(not(kani), test)]
pub fn check_store() {
    let val = 1;
    let broken = Store::<3>::from(&val);
    assert_eq!(broken.data.len(), 3)
}

Note: The harness above succeeds under playground run (version 1.75.0), and with Kani, but it correctly fails under MIRI.
@celinval celinval added T-High Priority Tag issues that have high priority [C] Feature / Enhancement A new feature request or enhancement to an existing feature. [E] Unsupported UB Undefined behavior that Kani does not detect labels Jan 15, 2024
@celinval
Copy link
Contributor Author

I.e.: The pointer is not dangling and the allocation size is greater or equal to the reference type.

@celinval celinval added the Z-Kani Compiler Issues that require some changes to the compiler label Jan 15, 2024
@celinval celinval self-assigned this Feb 29, 2024
@celinval celinval assigned artemagvanian and unassigned celinval May 28, 2024
@artemagvanian artemagvanian mentioned this issue Jun 3, 2024
Merged
artemagvanian added a commit that referenced this issue Jun 7, 2024
@artemagvanian
Inject pointer validity check when casting raw pointers to references (
ffcb5ad 
…#3221)

Resolves #2975

This PR makes Kani able to check if a raw pointer is valid before
casting it to a reference.

To check for the pointer validity when casting it to a reference, inject
asserting `__CPROVER_r_ok(ptr, sz)` into places where a raw pointer is
dereferenced and a reference is immediately taken.

Since this check seems to cause some of the CIs to run out of memory, it
is only enabled under `-Z ptr-to-ref-cast-checks` flag.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.
@celinval celinval mentioned this issue Sep 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@artemagvanian artemagvanian

Labels
[C] Feature / Enhancement A new feature request or enhancement to an existing feature. [E] Unsupported UB Undefined behavior that Kani does not detect T-High Priority Tag issues that have high priority Z-Kani Compiler Issues that require some changes to the compiler
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Inject pointer validity check when casting raw pointers to references artemagvanian/kani
2 participants
@artemagvanian @celinval