RFC for cover ctatement

[zhassan-aws]

Description of changes:

An RFC for adding a new cover API to Kani.

A rendered version can be found here.

Resolved issues:

Resolves #1905

Related RFC:

Optional #ISSUE-NUMBER.

Call-outs:

Testing:

• How is this change tested?

• Is this a refactor change?

Checklist

• Each commit message has a non-empty body, explaining why the change was made
• Methods or procedures are documented
• Regression or unit tests are included, or existing tests cover the modified code
• My PR is restricted to a single feature or bugfix

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

[celinval]

Awesome! I have 2 questions about UX:

1. What will be the Description: of a cover statement?
2. What about the summary message?

[celinval]

What about UNDETERMINED?

[zhassan-aws]

Added a sentence to clarify.

[celinval]

What about COVERED and UNREACHABLE?

[zhassan-aws]

That was my original plan, but rethinking about it, it makes sense to consider an unsatisfiable cover a verification failure, in which case SUCCESS and FAILURE would fit well with the current summary, i.e. the summary line would include the failure in the ** 1 of 15 failed line.

If we were to add separate results, e.g. SATISFIABLE/UNSATISFIABLE or COVERED/UNCOVERABLE, the summary would be

** 0 of 15 failed (1 unsatisfiable)
VERIFICATION:- FAILED

which might be less clear.

[celinval]

I think SUCCESS and FAILURE are rather confusing today, so I was hoping to avoid that for covers. I'm OK with leaving as is for now though. @tedinski are you thinking about improving these statuses as part of #1690?

[celinval]

+1

[aaronbembenek-aws]

Not for this RFC, but food for thought: How could we help users debug cases where a cover statement is not coverable? I suppose this would be similar to helping users understand why a program is in fact safe (i.e., why no bad state is reachable).

[celinval]

Would it make sense to add a message now?

[zhassan-aws]

I debated this a bit. If we make the message a required part of the basic cover API, then the user may end up doing lots of kani::cover(c, "") or kani::cover(c, None), so it seems desirable to not make the message a mandatory argument. The alternatives are:

1. Add a separate function that takes a custom message.
2. Make cover a macro instead of a function, similar to the assert macro.

Thoughts?

[celinval]

I like the idea of adding the function and the macro. The function takes a str and the macro generates one using the user expression if no message was provided.

[zhassan-aws]

Done

[tedinski]

IMO we need better results here. There's three cases:

1. Success: reachable, satisfiable
2. Failure: reachable, not satisfiable
3. Failure: unreachable

I think it's very important for debugging to distinguish these.

[zhassan-aws]

That's a good point! This would require that we generate a "cover current location" check for every cover property the user writes. I'll add that.

[zhassan-aws]

Done

[adpaco-aws]

While I agree it's an important detail for debugging, I think this would complicate our verification output by adding another "status". Perhaps it would be simpler to just generate two checks for each cover statement, one for satisfiability and another one for reachability.

[tedinski]

Please comment on the ability to deprecate the current expect_fail. I think we could deprecate and replace this with cover, right?

[zhassan-aws]

Good point. I'll add that.

[zhassan-aws]

Done

[camshaft]

How does this all work with with linker slicing and multiple harnesses? Say for example I have the following code

fn my_function() {
    kani::cover!(true):
}

#[kani::proof]
fn proof_a() {
    // Calls my function 
    my_function();
}

#[kani::proof]
fn proof_b() {
    // Doesn't call my function - the cover isn't reachable from this proof. 
    // Should it fail?
}

For proof_b I imagine it's possible to want two different answers to if it should fail or not, depending on what you're trying to accomplish.

On the one hand, if I know proof_b will never call my_function, then I definitely don't want it to fail because they're unrelated. If it failed that would mean that I need to include every single cover statement in every single proof in the codebase.

On the other hand, what if I want to make sure that my_function is always reachable by proof_b? Let's say my_function is some critical code that must be called at some point in relation to another function. proof_b would pass and the only way I would know it's proving what I think it's proving is doing an audit of the properties output. And even if you see it at the time of writing the proof, there could be a change in the future where it's no longer reachable but the proof still passes.

[zhassan-aws]

Good questions @camshaft!

I would expect cover properties to be primarily used within proof harnesses since cover is only interpreted by Kani. But in the example you gave, the cover property won't fail for proof_b because slicing (more specifically CBMC's --drop-unused-functions) is applied to each harness separately, so the cover property won't be checked for proof_b.

But if a function is not "obviously" unused, e.g.:

fn my_function() {
    kani::cover!(true):
}

fn foo(x: bool) {
    if x {
        my_function();
    }
}

#[kani::proof]
fn proof_a() {
    my_function(true);
}

#[kani::proof]
fn proof_b() {
    my_function(false);
}

The cover property will fail for proof_b.

[aaronbembenek-aws]

Good questions @camshaft!

I would expect cover properties to be primarily used within proof harnesses since cover is only interpreted by Kani. But in the example you gave, the cover property won't fail for proof_b because slicing (more specifically CBMC's --drop-unused-functions) is applied to each harness separately, so the cover property won't be checked for proof_b.

But if a function is not "obviously" unused, e.g.:

fn my_function() {
    kani::cover!(true):
}

fn foo(x: bool) {
    if x {
        my_function();
    }
}

#[kani::proof]
fn proof_a() {
    my_function(true);
}

#[kani::proof]
fn proof_b() {
    my_function(false);
}

The cover property will fail for proof_b.

Hm, this is sort of tricky. For example, what if CBMC changed the way it does program slicing? That could change whether a proof harness passes or fails, right? If so, that behavior strikes me as surprising.

Maybe we could restrict kani::cover to be only in harnesses. Or alternatively we could add another argument to kani::cover identifying the harnesses it is applicable to, and make sure that CBMC considers the relevant code to be reachable when handling those harnesses.

[camshaft]

Yes this is a bit tricky. These cover! statements should ideally be properties of a particular proof, not the general code base. And I think that's OK as long as we document this aspect.

As a side note, this got me thinking about how to reason about coverage of a program in relation to its inputs. I wrote up a quick sketch of what it could look like: https://gist.github.com/camshaft/9cc5e93c1bfdf96ec7dddfd1264a8b5d

[celinval]

I don't know if we should limit cover statements to only be used inside a harness although I do agree that the current behavior would be rather cryptic. Ideally, we should report all properties that were dropped by CBMC as unreachable, and that should be the case for assertions and cover statements.

This discussion made me wonder if we should really fail the verification because a cover statement.

[adpaco-aws]

Something that isn't clear to me after reading this section is how cover is different from assert. If my understanding is correct, assert checks a condition, while cover checks a condition AND ensures that the statement itself is reachable.

If we agree on that, then the "can" in this sentence should be "will" instead.

[camshaft]

I think conceptually they are similar. assert says this condition must hold for all executions. cover says this condition must hold for at least one execution.

[adpaco-aws]

While I agree it's an important detail for debugging, I think this would complicate our verification output by adding another "status". Perhaps it would be simpler to just generate two checks for each cover statement, one for satisfiability and another one for reachability.

[zhassan-aws]

Good discussion. How about we make an unsatisfiable cover property non-failing by default, but add an option, e.g. --fail-uncoverable that makes it a failure?

[zhassan-aws]

Good discussion. How about we make an unsatisfiable cover property non-failing by default, but add an option, e.g. --fail-uncoverable that makes it a failure?

Updated RFC to reflect this discussion.

[celinval]

Since this is a macro, could we just allow users to do kani::cover!()?

[zhassan-aws]

Good idea! I'll update the RFC.

[zhassan-aws]

Done.

[celinval]

Impact overall verification results

[zhassan-aws]

What I meant is that they won't cause an otherwise successful verification run to fail (i.e. if all normal checks are passing). Should I clarify the sentence a bit, or did you mean something else?

[celinval]

I think it's OK

[celinval]

Is this part of the RFC or open questions?

[zhassan-aws]

I'll move it to the open questions.

[zhassan-aws]

Done.

[celinval]

I'm OK with the initial proposal. I think we can tune it as we try it out. Please don't forget to get a second approval.

Thanks!

[adpaco-aws]

My main concern with the current proposal is the fact that unsatisfiable/unreachable cover statements don't affect overall verification results, leading to surprises later. An alternative is to switch the proposal so the option becomes --allow-uncoverable instead (think of it as a sign-off from the user).

However, there's no way to know if that's what we want at the moment, let's get an initial version out and see where it goes from here.

[adpaco-aws]

Just a few suggestions in this paragraph:

1. "statements" (1st occurrence) -> "statement"
2. Dots at the end of each sentence.
3. Maybe use cover condition `<cond>` ?

[zhassan-aws]

Fixed the first two.

For the third, I changed it to:

cover condition: cond

to mimic the assert message:

assertion failed: 1 + 1 == 3

I hope this is OK.

[adpaco-aws]

Point 3 in my previous comment (use cover condition `<cond>` ) also applies here, because otherwise you end up with "" at the end.