Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add loop contracts and harness for BinaryHeap::sift_up #129

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Add loop contracts and harness for BinaryHeap::sift_up #129

wants to merge 3 commits into from

Conversation

qinheping
Copy link

This proof is blocked as CBMC couldn't infer the loop modifies hole.pos. We need to add support of loop modifies or improve CBMC's inference algorithm.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@qinheping qinheping changed the title Add loop contracts and harness for BinaryHeap::sift_up Add loop contracts and harness for BinaryHeap::sift_up Oct 22, 2024
@tautschnig
Copy link
Member

This proof is blocked as CBMC couldn't infer the loop modifies hole.pos. We need to add support of loop modifies or improve CBMC's inference algorithm.

Would adding a kani::modifies for the containing function do the trick? At least in CBMC we inherit the assigns set from the encompassing context if there isn't one. See https://github.com/model-checking/verify-rust-std/pull/120/files (which covers the very same file, but doesn't use loop invariants so is way more limited).

celinval
celinval reviewed Oct 23, 2024
View reviewed changes
library/alloc/src/collections/binary_heap/mod.rs
unsafe fn sift_up(&mut self, start: usize, pos: usize) -> usize {
// Take out the value at `pos` and create a hole.
// SAFETY: The caller guarantees that pos < self.len()
let mut hole = unsafe { Hole::new(&mut self.data, pos) };

#[cfg_attr(kani, kani::loop_invariant(hole.pos() <= pos))]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please loop invariants to the safety crate for now and use that instead?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@celinval celinval celinval left review comments

@tautschnig tautschnig tautschnig left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@qinheping @tautschnig @celinval