Skip to content

Users should be able to create contracts suitable for verification but not stubbing #2997

@celinval

Description

@celinval

Requested feature: Enable contract verification for functions that Kani cannot use as stub today.
Use case: Verification of functions that return types that do not implement Arbitrary.
Link to relevant documentation (Rust reference, Nomicon, RFC):

Test case:

impl<T> NonNull<T> {
    pub unsafe fn as_ref<'a>(&self) -> &'a T { /* body */ }

Context

Kani today automatically synthesize the contract into a verification wrapper and a stub. The stub, however, rely on the fact that the return value, and the target for the modifies clauses, to implement Arbitrary trait. Thus, writing a simple contract for the example above would fail to compile.

Possible solution

As discussed with @JustusAdam, one possible solution is to create a new intrinsic for Kani, which tries to instantiate kani::any() for the return / modifies type. If the instantiation fails, we can trigger a compilation error. This will only fails if a harness tries to instantiate the generated stub.

Metadata

Metadata

Assignees

Labels

[C] Feature / EnhancementA new feature request or enhancement to an existing feature.

Type

No type

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions