You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
//! Converting a raw pointer to a reference should trigger UB if the metadata is not valid.#![feature(set_ptr_value)]// Generate invalid fat pointer by incrementing the pointer address without adjusting the metadata.#[kani::proof]fncheck_invalid_read(){let data = "hello";let ptr = data as*conststr;// This should trigger UB since the metadata does not get adjusted.let val = unsafe{&*ptr.byte_add(1)};assert_eq!(val.len(), data.len());}// Generate invalid fat pointer by combining the metadata.#[kani::proof]fncheck_with_metadata(){let short = [0u32;2];let long = [0u32;10];let ptr = &short as*const[u32];// This should trigger UB since the slice is not valid for the new length.let fake_long = unsafe{&*ptr.with_metadata_of(&long)};assert_eq!(fake_long.len(), long.len());}
using the following command line invocation:
kani invalid_fat_reference.rs
with Kani version: 0.54.0-dev
I expected to see this happen: Both harnesses should fail due to UB. Note that both cases fail in MIRI.
Instead, this happened: Verification succeeds
The text was updated successfully, but these errors were encountered:
Actually, Kani does find an error with the version of check_with_metadata described in the issue. But if you replace the array by a string slice, verification succeeds. 😮
#[kani::proof]fncheck_with_metadata(){let short = "sh";let long = "longer";let ptr = short as*conststr;// This should trigger UB since the slice is not valid for the new length.let fake_long = unsafe{&*ptr.with_metadata_of(long)};assert_eq!(fake_long.len(), long.len());}
…and str's (#3513)
As pointed out in #3498, validity checks for pointer to reference casts
(added in #3221) were not instrumented in the case of fat pointers (e.g.
array and string slices). This PR extends the instrumentation of
validity checks to handle those cases.
Resolves#3498
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.
---------
Co-authored-by: Celina G. Val <celinval@amazon.com>
I tried this code:
using the following command line invocation:
with Kani version: 0.54.0-dev
I expected to see this happen: Both harnesses should fail due to UB. Note that both cases fail in MIRI.
Instead, this happened: Verification succeeds
The text was updated successfully, but these errors were encountered: