Unwind Attribute without Python Changes

[jaisnan]

Description of changes:

Adds Unwind Attribute without Python Changes. The kani-metadata.json file now has the following structure

{
    "proof_harnesses": [
        {
            "pretty_name": "harness",
            "mangled_name": "harness",
            "original_file": "/home/ubuntu/kani/tests/cargo-kani/simple-unwind-annotation/src/main.rs",
            "original_line": "17",
            "unwind_value": 10
        },
        {
            "pretty_name": "harness_2",
            "mangled_name": "harness_2",
            "original_file": "/home/ubuntu/kani/tests/cargo-kani/simple-unwind-annotation/src/main.rs",
            "original_line": "26",
            "unwind_value": null
        }
    ]
}

Given that the rust library looks like -

#[kani::proof]
#[kani::unwind(10)]
fn harness() {
...
}

#[kani::proof]
fn harness_2() {
...
}

Update - The PR has been updated to include handling for the following scenarios, all of which produce user errors which point to suggestions on how to fix the attribute.

#[kani::proof]
#[kani::unwind(10,5)]
fn harness_3() {
...
}

#[kani::unwind(8)]
fn harness_4() {
...
}

#[kani::proof]
#[kani::proof]
fn harness_5() {
...
}

#[kani::proof(some, argument2)]
fn harness_6() {
...
}

Resolved issues:

Resolves - partly #600 and #689.

Call-outs:

The scripting needs to parse the metadata file and apply the unwind value to the target function.

Testing:

• How is this change tested? Somewhat

• Is this a refactor change? No

Checklist

• Each commit message has a non-empty body, explaining why the change was made
• Methods or procedures are documented
• Regression or unit tests are included, or existing tests cover the modified code
• My PR is restricted to a single feature or bugfix

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

[adpaco-aws]

Unwinding values should be part of the harness metadata and not a separate struct. For me it is okay to keep it a struct (not just a u32 value) since long term we want to support unwinding values for individual loops in addition to this one.

[jaisnan]

Updated the PR as per suggestions.

[adpaco-aws]

These cases do not seem to overlap so I am not sure why you are using if-then-else statements here. I would also recommend handling them in small functions if possible.

[jaisnan]

They do overlap as it's necessary to check to how many proof attributes have been declared per harness and depending on the number, there's different handling that needs to happen. The entire function has a single purpose so it didn't seem necessary to factor it out into smaller functions.

[celinval]

@jaisnan, if I understand this code correctly, you are trying to restrict any other kani attribute to things that are tagged with the proof attribute, right?

If that is the case, I would recommend to change this to have something like the following structure:

        let attrs: kani_attributes(self.tcx.get_attrs(instance.def_id()));  // BTreeMap<&str, &rustc_ast::Attribute>
        if attrs.contains_key("proof") {
            // Handle attributes here.
        } else {
            if attrs.len() > 0 {
                // Warning: We currently only support attributes on proof harnesses. The attribute {} will be ignored.
            }
        }

[jaisnan]

So, I am trying to restrict it to kani attribute but also use count information for each of the attributes.

I think using a BTreeMap would prevent us from checking if there are duplicate attributes in the same harness or not. If someone calls two unwind annotations then, the last one is going to be read and parsed if we use a BTreeMap I think.

We ideally should not just check if a key exists but also how many instances of them. Maybe I can use a multimap? https://docs.rs/btreemultimap/latest/btreemultimap/ ? I think using two vectors and a match statement serves these purposes well enough. If we add more options as attributes, we'd just have to expand the match statement and add a handler and that's it.

[celinval]

Let's talk offline about this one. There are other things we can go to simplify the code.

[adpaco-aws]

I thought we agreed having a specific struct for unwind data where this would be an optional value. Also, Option<u32> should be enough.

[jaisnan]

A struct didn't seem necessary for now as we're just targeting a default value for the entire harness. The struct and related changes will be added with the changes to map each loop to it's own harness.

[celinval]

Maybe create a type alias here that we can extend later.

type UnwindMetadata = usize;

[jaisnan]

do we wantusize or u32/64. Doesnt usize tie the limit of the unwind value to the target architecture?

[celinval]

I suggested usize because that's usually used to restrict structure sizes, but in practice, I highly doubt someone is going to use a large unwind parameter. So u32 is fine too.

[tedinski]

IMO stay an integer. Any future unwinding information (e.g. unwindset) can be provided in separate fields. We're never going to change unwind_value because it's just the thing we pass to cbmc as --unwind and that's it.

[celinval]

CBMC supports min and max unwind notation as well. But I do agree that if we are going to add a type, we should also change this to unwind.

Since min / max is an obvious extension here, maybe we should just add the struct and encode this as a map right away.

[tedinski]

I don't know why any future support for those wouldn't just add an unwind_max_value as well. There doesn't seem to be a value to nesting it. We control the producer (kani-compiler) and consumer (cargo-kani) of this structure, so if it's looks like a mistake later, we can just fix it. So simplest choice seems best to me.

But I don't feel strongly about it.

[adpaco-aws]

Why is this commented code included? If there is a reason to, add a comment explaining why.

[celinval]

Can we change these to be UI tests that we ensure that Kani prints the correct error message?

[jaisnan]

sure

[celinval]

Thanks for doing this! I have a few suggestions to clean the code a bit. Let me know if you disagree with any of them. :)

[celinval]

When do we expect to hit this else? Should we trigger an error?

[jaisnan]

When neither proof or any other attributes are used. This function handle_kanitool_attributes is called on all instances in codegen_function so raising an error might break a lot of cases. Hence, the empty handling.

[celinval]

Please, either remove the else or add a comment to explain what cases it is covering.

[jaisnan]

Sure

[celinval]

@jaisnan, if I understand this code correctly, you are trying to restrict any other kani attribute to things that are tagged with the proof attribute, right?

If that is the case, I would recommend to change this to have something like the following structure:

        let attrs: kani_attributes(self.tcx.get_attrs(instance.def_id()));  // BTreeMap<&str, &rustc_ast::Attribute>
        if attrs.contains_key("proof") {
            // Handle attributes here.
        } else {
            if attrs.len() > 0 {
                // Warning: We currently only support attributes on proof harnesses. The attribute {} will be ignored.
            }
        }

[celinval]

Can we change these to be UI tests that we ensure that Kani prints the correct error message?

[celinval]

maybe this should return Option<&str> since we keep converting it to &str.

[jaisnan]

Returning Option<&str> would return a dangling pointer as the original string would be destroyed once the function returns. We need to return an Owned String so I don't think we can replace the return type.
Reference - https://stackoverflow.com/questions/43079077/proper-way-to-return-a-new-string-in-rust

[celinval]

Indeed, I didn't notice that you changed the code to join the segments. For the original code, the return value would have the same lifetime as the argument attr.

BTW, why did you change it? This code might actually be doing the wrong thing. I.e., let's say you have the following attribute:

#[kanitool::type::sub_type]

I believe that you are going to return the string typesub_type.

[jaisnan]

Maybe so, but I don't see the need to modify it to potential future attributes when there's no clear consensus on what attributes we're planning on supporting. Imo we can always change this later to adapt to future annotations.

Let me check about the scenario you've posted however.

[celinval]

Talked offline, this is no longer needed. Going to revert the change.

[celinval]

BTW, shouldn't this be a boolean?

[jaisnan]

We need to maintain a count of the instances apart from the attributes themselves, hence vectors.

[celinval]

Here are some notes from our chat.

[celinval]

Reduce this to warning.

[celinval]

unwind comment in the generic function.

[celinval]

Anyway, not a biggie. Let's move on.

[celinval]

Talked offline, this is no longer needed. Going to revert the change.

[jaisnan]

1. Removed no_mangle
2. Refactored the parsing into functions, added utility functions
3. Added documentation for all user cases
4. Added a test to check failure of harness assert instead of main.

[tedinski]

Almost there!

[tedinski]

was this necessary?

[tedinski]

Doc-comments in Rust use 3 /s not 2, check all your function comments for this.

[tedinski]

Naming suggestion: don't put the type into the name really.

IMO, these names are clearer as "all_attributes" "proof_attributes" "other_attributes".

[tedinski]

There's a very common programming convention to write functions like:

fn foo() {
  if error condition {
    // bail, whatever
  }
  if other error {
    // bail
  }
  // etc
  // no errors:
  the conventional, expected case.
}

So try that. Spot errors, raise them and return. Then just unconditionally create_proof_harness at the end of the function (no need for any empty else). By following the convention, functions are usually a lot easier to read (if only because people expect it)

[jaisnan]

For the no-op case, can we now early return with the empty parenthesis?

[tedinski]

Function doc comment needs updating. Also, we should rename this, maybe. "default_kanitool_proof" maybe?

[tedinski]

Same suggestion as previous comment on handling errors, then the expected case.

[jaisnan]

Going to wrap the behavior with a match statement.

[tedinski]

Good call. But we might want to span_err instead of assert.

[tedinski]

Rename partition_kanitool_attributes maybe?

Second suggestion: try improving the doc-comment enough that all the comments in the body aren't necessary anymore. This function is small enough this is possible and would very likely be an improvement.

[tedinski]

unnecessary if

[tedinski]

maybe we could error or warn?

[tedinski]

FYI: this isn't testing your code, you'd have to write kanitool:: for that

[tedinski]

typo

[tedinski]

Assuming CI passes, looks largely good. Maybe one last typo.

addressed changes requested