Verify CStr CloneToUninit and Index<RangeFrom> safety (Challenge 13)#543
Verify CStr CloneToUninit and Index<RangeFrom> safety (Challenge 13)#543jrey8343 wants to merge 3 commits intomodel-checking:mainfrom
Conversation
Add the final 2 verification harnesses to complete Challenge 13: - check_clone_to_uninit: Verifies the unsafe CloneToUninit impl for CStr correctly copies all bytes (including NUL terminator) and produces a valid CStr at the destination. Includes safety contract on clone_to_uninit requiring non-null dest pointer. - check_index_from: Verifies ops::Index<RangeFrom<usize>> for CStr produces a valid CStr that maintains the safety invariant and matches the expected tail of the original bytes. Both harnesses are bounded (MAX_SIZE=16/32) with appropriate unwind limits and verify the CStr is_safe() invariant holds.
The harness was timing out (10 min CBMC limit) due to expensive symbolic pointer arithmetic in clone_to_uninit combined with a symbolic-length verification loop. Fix: reduce MAX_SIZE from 16 to 8 bytes (sufficient to cover empty, single-char, and multi-char C strings) and remove the byte-by-byte verification loop (the CStr reconstruction check still validates the safety invariant).
jrey8343
force-pushed
the
challenge-13-cstr
branch
from
b3f7293 to
f0e5049
Compare
|
CI is passing — ready for review. |
There was a problem hiding this comment.
Pull request overview
Completes Challenge 13 by adding Kani verification coverage for CStr’s CloneToUninit and Index<RangeFrom<usize>> safety properties, and by annotating the CStr CloneToUninit impl with an explicit precondition.
Changes:
- Added Kani harness
check_index_fromto verify&c_str[idx..]preservesCStr::is_safe()and matches the expected byte tail. - Added Kani harness
check_clone_to_uninitto exerciseCStr’sCloneToUninitimplementation. - Added a
#[requires(!dest.is_null())]contract onCStr’sclone_to_uninitimplementation.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
library/core/src/ffi/c_str.rs |
Adds two new Kani harnesses for CStr indexing safety and CloneToUninit behavior. |
library/core/src/clone.rs |
Adds a requires precondition to the CloneToUninit impl for CStr (plus supporting imports). |
| let len = c_str.to_bytes_with_nul().len(); | ||
|
|
||
| // Allocate destination buffer (len <= MAX_SIZE since slice.len() <= MAX_SIZE) | ||
| let mut buf = [core::mem::MaybeUninit::<u8>::uninit(); MAX_SIZE]; | ||
| let dest = buf.as_mut_ptr() as *mut u8; | ||
|
|
There was a problem hiding this comment.
check_clone_to_uninit only checks that the cloned buffer parses as a valid CStr, but it doesn’t verify that clone_to_uninit copied the exact bytes (including the NUL terminator) from the source. This could pass even if the implementation writes a different (but still valid) C string. Consider asserting that the destination bytes match c_str.to_bytes_with_nul().
| // Allocate destination buffer (len <= MAX_SIZE since slice.len() <= MAX_SIZE) | ||
| let mut buf = [core::mem::MaybeUninit::<u8>::uninit(); MAX_SIZE]; | ||
| let dest = buf.as_mut_ptr() as *mut u8; | ||
|
|
||
| // Safety: dest is non-null (stack allocation), valid for len writes | ||
| unsafe { | ||
| c_str.clone_to_uninit(dest); | ||
| } | ||
|
|
||
| // Verify the cloned bytes form a valid CStr | ||
| let cloned_slice = unsafe { core::slice::from_raw_parts(dest, len) }; | ||
| let cloned_cstr = CStr::from_bytes_with_nul(cloned_slice); | ||
| assert!(cloned_cstr.is_ok()); |
There was a problem hiding this comment.
The harness creates a &[u8] over MaybeUninit<u8> memory via from_raw_parts(dest, len) and then reads it in CStr::from_bytes_with_nul. If clone_to_uninit were buggy and failed to initialize all len bytes, the harness itself would perform an uninitialized read (UB), making the proof unsound. Consider using an already-initialized u8 buffer (still valid to pass to clone_to_uninit) so the harness remains defined even under partial writes.
| #[cfg_attr(debug_assertions, track_caller)] | ||
| #[requires(!dest.is_null())] | ||
| unsafe fn clone_to_uninit(&self, dest: *mut u8) { | ||
| // SAFETY: For now, CStr is just a #[repr(trasnsparent)] [c_char] with some invariants. | ||
| // And we can cast [c_char] to [u8] on all supported platforms (see: to_bytes_with_nul). |
There was a problem hiding this comment.
The new #[requires(!dest.is_null())] precondition is weaker than the documented safety requirements for CloneToUninit::clone_to_uninit (destination must be valid for size_of_val(self) writes and properly aligned). For consistency with other contracts in core (e.g. pointer APIs using ub_checks::can_write), consider strengthening this contract to reflect the full safety requirements, not just non-nullness.
| #[cfg_attr(debug_assertions, track_caller)] | ||
| #[requires(!dest.is_null())] | ||
| unsafe fn clone_to_uninit(&self, dest: *mut u8) { | ||
| // SAFETY: For now, CStr is just a #[repr(trasnsparent)] [c_char] with some invariants. |
There was a problem hiding this comment.
Typo in comment: #[repr(trasnsparent)] should be #[repr(transparent)].
| // SAFETY: For now, CStr is just a #[repr(trasnsparent)] [c_char] with some invariants. | |
| // SAFETY: For now, CStr is just a #[repr(transparent)] [c_char] with some invariants. |
Summary
check_clone_to_uninit: Verifies the unsafeCloneToUninitimpl forCStrcorrectly copies all bytes including NUL terminator, with safety contract requiring non-null destcheck_index_from: Verifiesops::Index<RangeFrom<usize>>forCStrmaintains theis_safe()invariant on the resulting sub-CStrChanges
library/core/src/clone.rs: Added#[requires(!dest.is_null())]safety contract onCloneToUninit::clone_to_uninitforCStr, plususe crate::kanianduse safety::requiresimportslibrary/core/src/ffi/c_str.rs: Addedcheck_clone_to_uninitandcheck_index_fromharnesses in the existingmod verifyblockVerification
Both harnesses pass with Kani 0.65.0:
check_clone_to_uninit(MAX_SIZE=16, unwind=17): ~159scheck_index_from(MAX_SIZE=32, unwind=33): ~189sResolves
Challenge 13: Safety of
CStr(#150)Test plan
check_clone_to_uninitpasses Kani verificationcheck_index_frompasses Kani verification