Contract requirement not respected #3370

celinval · 2024-07-22T20:57:21Z

I tried this code:

// indirect.rs
extern crate kani;

use std::convert::TryFrom;

/// Constrain `val` to be a valid character.
#[kani::requires(u32::from(_char) == val)]
#[kani::ensures(|res| *res == _char)]
pub fn indirect_assumption(val: u32, _char: char) -> char {
    char::try_from(val).unwrap()
}

mod verify {
    use super::*;
    use kani::Arbitrary;

    #[kani::proof_for_contract(indirect_assumption)]
    fn check_indirect_contract() {
        indirect_assumption(kani::any(), kani::any());
    }

    /// This harness that encodes the pre-condition using`kani::assume` succeeds
    #[kani::proof]
    fn check_indirect() {
        let val = kani::any();
        let c = kani::any();
        kani::assume(u32::from(c) == val);
        indirect_assumption(val, c);
    }
}

using the following command line invocation:

kani indirect.rs -Z function-contracts

with Kani version: 0.53.0-dev

I expected to see this happen: Verification should succeed

Instead, this happened: Verification failed.

Failed Checks: This is a placeholder message; Kani doesn't support message formatted at runtime
 File: "/home/ubuntu/.rustup/toolchains/nightly-2024-07-18-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/result.rs", line 1679, in std::result::unwrap_failed

The text was updated successfully, but these errors were encountered:

celinval · 2024-07-22T21:08:06Z

Note that this contract also fails:

#[kani::requires(char::try_from(val) == Ok(_char))]
#[kani::ensures(|res| *res == _char)]
pub fn indirect_assumption(val: u32, _char: char) -> char {
    char::try_from(val).unwrap()
}

but this one succeeds 🤯

#[kani::requires(char::try_from(val).is_ok())] // ** New requires **
#[kani::requires(char::try_from(val) == Ok(_char))]
#[kani::ensures(|res| *res == _char)]
pub fn indirect_assumption(val: u32, _char: char) -> char {
    char::try_from(val).unwrap()
}

carolynzech · 2024-10-18T16:18:53Z

Verification succeeds in Kani v0.56. git bisect revealed that #3305 fixed the issue. @celinval I can go ahead and close, but I see you have an open PR for fixme tests that references this issue, so wanted to loop you in first. (It doesn't seem like #3305 was meant to fix this problem, so I can do some investigation as to why it did if we think it's worth it).

celinval · 2024-10-18T21:09:26Z

Do you mind updating the PR and changing the test to no longer be fixme test? We can close this once we merge the PR to avoid any future regression

I'm adding a few fix-me tests that I bumped into while working on #3363. Most of them will be fixed by #3363, except the one related to #3370. The original PR is already quite large, so I decided to just push all of these as fixme tests for now. This is now ready for review! By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. --------- Co-authored-by: Felipe R. Monteiro <felisous@amazon.com> Co-authored-by: Zyad Hassan <88045115+zhassan-aws@users.noreply.github.com> Co-authored-by: Carolyn Zech <cmzech@amazon.com>

celinval added the [C] Bug This is a bug. Something isn't working. label Jul 22, 2024

celinval added this to the Function Contracts milestone Jul 22, 2024

celinval mentioned this issue Jul 26, 2024

Add regular & fixme tests for function contracts #3371

Merged

tautschnig added the Z-Contracts Issue related to code contracts label Aug 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Contract requirement not respected #3370

Contract requirement not respected #3370

celinval commented Jul 22, 2024

celinval commented Jul 22, 2024

carolynzech commented Oct 18, 2024

celinval commented Oct 18, 2024

Contract requirement not respected #3370

Contract requirement not respected #3370

Comments

celinval commented Jul 22, 2024

celinval commented Jul 22, 2024

carolynzech commented Oct 18, 2024

celinval commented Oct 18, 2024