Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add harnesses for safety of primitive conversions #233

Merged
merged 11 commits into from
Feb 11, 2025
Merged

Add harnesses for safety of primitive conversions #233

Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
4b65e21
Add harnesses for safety of primitive conversions
ShoyuVanilla Dec 21, 2024
5851327
Clean up the codes a bit
ShoyuVanilla Dec 23, 2024
9c5889c
Clean the codes a bit
ShoyuVanilla Dec 28, 2024
579a257
Apply reviews
ShoyuVanilla Jan 3, 2025
f719688
Handle some infallible cases
ShoyuVanilla Jan 4, 2025
fa12ca7
fmt
ShoyuVanilla Jan 4, 2025
bd26c0b
fix
ShoyuVanilla Jan 4, 2025
8b1ead2
Remove redundant requirement condition
ShoyuVanilla Jan 8, 2025
5326b61
Simplify harness generations with more macros
ShoyuVanilla Jan 22, 2025
b8bd58b
Fix mistakes and errors
ShoyuVanilla Feb 11, 2025
f3cbade
Supplement comments to the harness generating macros
ShoyuVanilla Feb 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
337 changes: 337 additions & 0 deletions library/core/src/convert/num.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,10 @@
use safety::requires;

#[cfg(kani)]
use crate::kani;
use crate::num::TryFromIntError;
#[allow(unused_imports)]
use crate::ub_checks::float_to_int_in_range;

mod private {
/// This trait being unreachable from outside the crate
Expand All @@ -25,6 +31,9 @@ macro_rules! impl_float_to_int {
#[unstable(feature = "convert_float_to_int", issue = "67057")]
impl FloatToInt<$Int> for $Float {
#[inline]
#[requires(
self.is_finite() && float_to_int_in_range::<$Float, $Int>(self)
)]
unsafe fn to_int_unchecked(self) -> $Int {
// SAFETY: the safety contract must be upheld by the caller.
unsafe { crate::intrinsics::float_to_int_unchecked(self) }
Expand Down Expand Up @@ -540,3 +549,331 @@ impl_nonzero_int_try_from_nonzero_int!(i32 => u8, u16, u32, u64, u128, usize);
impl_nonzero_int_try_from_nonzero_int!(i64 => u8, u16, u32, u64, u128, usize);
impl_nonzero_int_try_from_nonzero_int!(i128 => u8, u16, u32, u64, u128, usize);
impl_nonzero_int_try_from_nonzero_int!(isize => u8, u16, u32, u64, u128, usize);

#[cfg(kani)]
#[unstable(feature = "kani", issue = "none")]
mod verify {
use super::*;

// Generate harnesses for `NonZero::<Large>::from(NonZero<Small>)`.
macro_rules! generate_nonzero_int_from_nonzero_int_harness {
($Small:ty => $Large:ty, $harness:ident) => {
#[kani::proof]
pub fn $harness() {
let x: NonZero<$Small> = kani::any();
let _ = NonZero::<$Large>::from(x);
}
};
}

// This bundles the calls to `generate_nonzero_int_from_nonzero_int_harness`
// macro into segregated namespaces for better organization and usability.
macro_rules! generate_nonzero_int_from_nonzero_int_harnesses {
($ns:ident, $Small:ty => $($Large:tt),+ $(,)?) => {
mod $ns {
use super::*;

$(
mod $Large {
use super::*;

generate_nonzero_int_from_nonzero_int_harness!(
$Small => $Large,
check_nonzero_int_from_nonzero_int
);
}
)+
}
};
}

// non-zero unsigned integer -> non-zero integer, infallible
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_u8,
u8 => u16, u32, u64, u128, usize, i16, i32, i64, i128, isize,
);
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_u16,
u16 => u32, u64, u128, usize, i32, i64, i128,
);
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_u32,
u32 => u64, u128, i64, i128,
);
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_u64,
u64 => u128, i128,
);

// non-zero signed integer -> non-zero signed integer, infallible
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_i8,
i8 => i16, i32, i64, i128, isize,
);
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_i16,
i16 => i32, i64, i128, isize,
);
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_i32,
i32 => i64, i128,
);
generate_nonzero_int_from_nonzero_int_harnesses!(
check_nonzero_int_from_i64,
i64 => i128,
);

// Generates harnesses for `NonZero::<target>::try_from(NonZero<source>)`.
// Since the function may be fallible or infallible depending on `source` and `target`,
// this macro supports generating both cases.
macro_rules! generate_nonzero_int_try_from_nonzero_int_harness {
// Passing two identities - one for pass and one for panic - generates harnesses
// for fallible cases.
($source:ty => $target:ty, $harness_pass:ident, $harness_panic:ident $(,)?) => {
#[kani::proof]
pub fn $harness_pass() {
let x_inner: $source = kani::any_where(|&v| {
(v > 0 && (v as u128) <= (<$target>::MAX as u128))
|| (v < 0 && (v as i128) >= (<$target>::MIN as i128))
});
let x = NonZero::new(x_inner).unwrap();
let _ = NonZero::<$target>::try_from(x).unwrap();
}

#[kani::proof]
#[kani::should_panic]
pub fn $harness_panic() {
let x_inner: $source = kani::any_where(|&v| {
(v > 0 && (v as u128) > (<$target>::MAX as u128))
|| (v < 0 && (v as i128) < (<$target>::MIN as i128))
|| (v == 0)
});
let x = NonZero::new(x_inner).unwrap();
let _ = NonZero::<$target>::try_from(x).unwrap();
}
};
// Passing a single identity generates harnesses for infallible cases.
($source:ty => $target:ty, $harness_infallible:ident $(,)?) => {
#[kani::proof]
pub fn $harness_infallible() {
let x: NonZero<$source> = kani::any();
let _ = NonZero::<$target>::try_from(x).unwrap();
}
};
}

// This bundles the calls to `generate_nonzero_int_try_from_nonzero_int_harness`
// macro into segregated namespaces for better organization and usability.
// Conversions from the source type to the target types inside the first pair
// of square brackets are fallible, while those to the second pairs are
// infallible.
macro_rules! generate_nonzero_int_try_from_nonzero_int_harnesses {
($ns:ident, $source:ty => ([$($target:tt),* $(,)?], [$($infallible:tt),* $(,)?] $(,)?)) => {
mod $ns {
use super::*;

$(
mod $target {
use super::*;

generate_nonzero_int_try_from_nonzero_int_harness!(
$source => $target,
check_nonzero_int_try_from_nonzero_int,
check_nonzero_int_try_from_nonzero_int_should_panic,
);
}
)*
$(
mod $infallible {
use super::*;

generate_nonzero_int_try_from_nonzero_int_harness!(
$source => $infallible,
check_nonzero_int_try_from_nonzero_int_infallible,
);
}
)*
}
};
}

// unsigned non-zero integer -> non-zero integer fallible
#[cfg(any(target_pointer_width = "32", target_pointer_width = "64"))]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u16,
u16 => (
[u8, i8, i16],
[isize],
)
);

#[cfg(target_pointer_width = "16")]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u16,
u16 => (
[u8, i8, i16, isize],
[],
)
);

#[cfg(target_pointer_width = "64")]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u32,
u32 => (
[u8, u16, i8, i16, i32],
[usize, isize],
)
);

#[cfg(target_pointer_width = "32")]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u32,
u32 => (
[u8, u16, i8, i16, i32, isize],
[usize],
)
);

#[cfg(target_pointer_width = "16")]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u32,
u32 => (
[u8, u16, usize, i8, i16, i32, isize],
[],
)
);

#[cfg(target_pointer_width = "64")]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u64,
u64 => (
[u8, u16, u32, i8, i16, i32, i64, isize],
[usize],
)
);

#[cfg(any(target_pointer_width = "16", target_pointer_width = "32"))]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u64,
u64 => (
[u8, u16, u32, usize, i8, i16, i32, i64, isize],
[],
)
);

generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_u128,
u128 => (
[u8, u16, u32, u64, usize, i8, i16, i32, i64, i128, isize],
[],
)
);

// signed non-zero integer -> non-zero integer fallible
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_i8,
i8 => (
[u8, u16, u32, u64, u128, usize],
[],
)
);

generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_i16,
i16 => (
[u8, u16, u32, u64, u128, usize, i8],
[],
)
);

#[cfg(any(target_pointer_width = "32", target_pointer_width = "64"))]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_i32,
i32 => (
[u8, u16, u32, u64, u128, usize, i8, i16],
[isize],
)
);

#[cfg(target_pointer_width = "16")]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_i32,
i32 => (
[u8, u16, u32, u64, u128, usize, i8, i16, isize],
[],
)
);

#[cfg(target_pointer_width = "64")]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_i64,
i64 => (
[u8, u16, u32, u64, u128, usize, i8, i16, i32],
[isize],
)
);

#[cfg(any(target_pointer_width = "16", target_pointer_width = "32"))]
generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_i64,
i64 => (
[u8, u16, u32, u64, u128, usize, i8, i16, i32, isize],
[],
)
);

generate_nonzero_int_try_from_nonzero_int_harnesses!(
check_nonzero_int_try_from_i128,
i128 => (
[u8, u16, u32, u64, u128, usize, i8, i16, i32, i64, isize],
[],
)
);

// Generate harnesses for `<Float as FloatToInt<Int>>::to_int_unchecked(self)`.
macro_rules! generate_float_to_int_harness {
($Float:ty => $Int:ty, $harness:ident) => {
#[kani::proof_for_contract(<$Float>::to_int_unchecked)]
pub fn $harness() {
let x: $Float = kani::any();
let _: $Int = unsafe { x.to_int_unchecked() };
}
};
}

// This bundles the calls to `generate_float_to_int_harness` macro into segregated
// namespaces for better organization and usability.
macro_rules! generate_float_to_int_harnesses {
($ns:ident, $(($Float:tt => $($Int:tt),+ $(,)?)),+ $(,)?) => {
mod $ns {
use super::*;

$(
mod $Float {
use super::*;

$(
mod $Int {
use super::*;

generate_float_to_int_harness!(
$Float => $Int,
check_float_to_int_unchecked
);
}
)+
}
)+
}
};
}

// float -> integer unchecked
generate_float_to_int_harnesses!(
check_f16_to_int_unchecked,
(f16 => u8, u16, u32, u64, u128, usize, i8, i16, i32, i64, i128, isize),
(f32 => u8, u16, u32, u64, u128, usize, i8, i16, i32, i64, i128, isize),
(f64 => u8, u16, u32, u64, u128, usize, i8, i16, i32, i64, i128, isize),
(f128 => u8, u16, u32, u64, u128, usize, i8, i16, i32, i64, i128, isize),
);
}
Loading