Skip to content

NonZero (unchecked_mul & unchecked_add) Proof for Contracts #338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 45 commits into
base: main
Choose a base branch
from
Open

NonZero (unchecked_mul & unchecked_add) Proof for Contracts #338

Changes from all commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
dffe30b
Initial proof/contract/harness for nonzero:
aa-luna Sep 20, 2024
daf1576
Bytewise comparision (new_unchecked contract)
SahithiMV Oct 6, 2024
21ae29e
Removed kani assumes removed from proof_for_contract
aa-luna Oct 8, 2024
4241687
Macros for data types
SahithiMV Oct 13, 2024
801f9a4
Adding i32 and isize
SahithiMV Oct 13, 2024
eafef0b
Pull Request fixes
aa-luna Oct 20, 2024
3015feb
Pull Request fixes
aa-luna Oct 21, 2024
ce918f8
Update library/core/src/num/nonzero.rs
MooniniteErr Oct 27, 2024
2304fad
Update library/core/src/num/nonzero.rs
MooniniteErr Oct 27, 2024
14a50e2
Update library/core/src/num/nonzero.rs
aa-luna Oct 27, 2024
acef65a
Update library/core/src/num/nonzero.rs
aa-luna Oct 27, 2024
4d3efd1
Update library/core/src/num/nonzero.rs
aa-luna Oct 27, 2024
7bc64eb
doc: add explanations for const function attribute
aa-luna Nov 3, 2024
82ff59c
Merge branch 'main' into main
aa-luna Nov 8, 2024
4ce34b5
Merge branch 'main' into main
aa-luna Nov 9, 2024
f81aa80
Merge branch 'model-checking:main' into main
aa-luna Nov 12, 2024
b2b534b
Merge branch 'model-checking:main' into main
aa-luna Nov 16, 2024
dcbf4f5
Merge branch 'model-checking:main' into unchecked_mull_add
aa-luna Nov 24, 2024
d67be7e
Unchecked Add and Mul: Init
SahithiMV Nov 24, 2024
36e75be
Unchecked Mul and Add: Adding Macros & cleanup
SahithiMV Nov 26, 2024
4f945c8
Fixes
SahithiMV Dec 9, 2024
fb30e98
Merge remote-tracking branch 'origin/main' into unchecked_mull_add
tautschnig Apr 23, 2025
71e57fa
Apply suggestions
tautschnig Apr 23, 2025
fcfd000
Arrange lines
tautschnig Apr 23, 2025
7603984
Add contract to from_mut_unchecked
tautschnig Apr 23, 2025
6dab042
Fix syntax error, naming
tautschnig Apr 23, 2025
06fad10
Disable what does not currently compile
tautschnig Apr 23, 2025
d8e3977
Proof target names
tautschnig Apr 23, 2025
014a44e
Contracts lookup, again
tautschnig Apr 23, 2025
0a7a3c6
Lookup, once more
tautschnig Apr 24, 2025
fb8ad3e
rustfmt
tautschnig Apr 24, 2025
0c0318f
Merge remote-tracking branch 'origin/main' into unchecked_mull_add
tautschnig Apr 24, 2025
3b69e21
rustfmt 2
tautschnig Apr 24, 2025
8bd1151
Remove stray space
tautschnig Apr 24, 2025
233c41c
Update library/core/src/num/nonzero.rs
tautschnig Apr 28, 2025
d21fdf2
Update library/core/src/num/nonzero.rs
tautschnig Apr 28, 2025
5f13ef4
Update library/core/src/num/nonzero.rs
tautschnig Apr 28, 2025
36030a8
Update library/core/src/num/nonzero.rs
tautschnig Apr 28, 2025
1c5b394
Update library/core/src/num/nonzero.rs
tautschnig Apr 28, 2025
f2667db
Merge remote-tracking branch 'origin/main' into unchecked_mull_add
tautschnig Apr 29, 2025
ebfd876
Remove from_mut_unchecked contract/harnesses (commented out)
tautschnig Apr 29, 2025
cc23429
Merge remote-tracking branch 'tautschnig/unchecked_mull_add' into unc…
tautschnig Apr 29, 2025
2e6ccae
Adjust target lookup
tautschnig Apr 30, 2025
cd7db54
Merge branch 'main' into unchecked_mull_add
tautschnig May 20, 2025
f67539e
Add comment
tautschnig May 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
315 changes: 315 additions & 0 deletions library/core/src/num/nonzero.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1115,6 +1115,12 @@ macro_rules! nonzero_integer {
#[must_use = "this returns the result of the operation, \
without modifying the original"]
#[inline]
#[requires({
self.get().checked_mul(other.get()).is_some()
})]
#[ensures(|result: &Self| {
self.get().checked_mul(other.get()).is_some_and(|product| product == result.get())
})]
pub const unsafe fn unchecked_mul(self, other: Self) -> Self {
// SAFETY: The caller ensures there is no overflow.
unsafe { Self::new_unchecked(self.get().unchecked_mul(other.get())) }
Expand Down Expand Up @@ -1517,6 +1523,13 @@ macro_rules! nonzero_integer_signedness_dependent_methods {
#[must_use = "this returns the result of the operation, \
without modifying the original"]
#[inline]
#[requires({
self.get().checked_add(other).is_some()
})]
#[ensures(|result: &Self| {
// Postcondition: the result matches the expected addition
self.get().checked_add(other).is_some_and(|sum| sum == result.get())
})]
pub const unsafe fn unchecked_add(self, other: $Int) -> Self {
// SAFETY: The caller ensures there is no overflow.
unsafe { Self::new_unchecked(self.get().unchecked_add(other)) }
Expand Down Expand Up @@ -2578,4 +2591,306 @@ mod verify {
nonzero_check_clamp_panic!(core::num::NonZeroU64, nonzero_check_clamp_panic_for_u64);
nonzero_check_clamp_panic!(core::num::NonZeroU128, nonzero_check_clamp_panic_for_u128);
nonzero_check_clamp_panic!(core::num::NonZeroUsize, nonzero_check_clamp_panic_for_usize);

macro_rules! check_mul_unchecked_small {
($t:ty, $nonzero_type:ty, $nonzero_check_unchecked_mul_for:ident) => {
#[kani::proof_for_contract(NonZero::<$t>::unchecked_mul)]
pub fn $nonzero_check_unchecked_mul_for() {
let x: $nonzero_type = kani::any();
let y: $nonzero_type = kani::any();

unsafe {
x.unchecked_mul(y);
}
}
};
}

// Use for NonZero what already worked well for general numeric types (see num/mod.rs)
macro_rules! check_mul_unchecked_intervals {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am curious how this interval trick works for 16 and 32-bit int types (without smt backend?), and how did you pick those interval? Could you please add some comments here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is effectively a copy of what was previously introduced in #96 for the types without non-zero restriction by @rajath-mk. Comment added. I believe this trick works for it triggers Boolean constraint propagation (of leading zeros), thereby reducing the size of multiplier circuits.

($t:ty, $nonzero_type:ty, $nonzero_check_mul_for:ident, $min:expr, $max:expr) => {
#[kani::proof_for_contract(NonZero::<$t>::unchecked_mul)]
pub fn $nonzero_check_mul_for() {
let x = kani::any::<$t>();
let y = kani::any::<$t>();

kani::assume(x != 0 && x >= $min && x <= $max);
kani::assume(y != 0 && y >= $min && y <= $max);

let x = <$nonzero_type>::new(x).unwrap();
let y = <$nonzero_type>::new(y).unwrap();

unsafe {
x.unchecked_mul(y);
}
}
};
}

//Calls for i32
check_mul_unchecked_intervals!(
i32,
NonZeroI32,
check_mul_i32_small,
NonZeroI32::new(-10i32).unwrap().into(),
NonZeroI32::new(10i32).unwrap().into()
);
check_mul_unchecked_intervals!(
i32,
NonZeroI32,
check_mul_i32_large_pos,
NonZeroI32::new(i32::MAX - 1000i32).unwrap().into(),
NonZeroI32::new(i32::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
i32,
NonZeroI32,
check_mul_i32_large_neg,
NonZeroI32::new(i32::MIN + 1000i32).unwrap().into(),
NonZeroI32::new(i32::MIN + 1).unwrap().into()
);
check_mul_unchecked_intervals!(
i32,
NonZeroI32,
check_mul_i32_edge_pos,
NonZeroI32::new(i32::MAX / 2).unwrap().into(),
NonZeroI32::new(i32::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
i32,
NonZeroI32,
check_mul_i32_edge_neg,
NonZeroI32::new(i32::MIN / 2).unwrap().into(),
NonZeroI32::new(i32::MIN + 1).unwrap().into()
);

//Calls for i64
check_mul_unchecked_intervals!(
i64,
NonZeroI64,
check_mul_i64_small,
NonZeroI64::new(-10i64).unwrap().into(),
NonZeroI64::new(10i64).unwrap().into()
);
check_mul_unchecked_intervals!(
i64,
NonZeroI64,
check_mul_i64_large_pos,
NonZeroI64::new(i64::MAX - 1000i64).unwrap().into(),
NonZeroI64::new(i64::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
i64,
NonZeroI64,
check_mul_i64_large_neg,
NonZeroI64::new(i64::MIN + 1000i64).unwrap().into(),
NonZeroI64::new(i64::MIN + 1).unwrap().into()
);
check_mul_unchecked_intervals!(
i64,
NonZeroI64,
check_mul_i64_edge_pos,
NonZeroI64::new(i64::MAX / 2).unwrap().into(),
NonZeroI64::new(i64::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
i64,
NonZeroI64,
check_mul_i64_edge_neg,
NonZeroI64::new(i64::MIN / 2).unwrap().into(),
NonZeroI64::new(i64::MIN + 1).unwrap().into()
);

//calls for i128
check_mul_unchecked_intervals!(
i128,
NonZeroI128,
check_mul_i128_small,
NonZeroI128::new(-10i128).unwrap().into(),
NonZeroI128::new(10i128).unwrap().into()
);
check_mul_unchecked_intervals!(
i128,
NonZeroI128,
check_mul_i128_large_pos,
NonZeroI128::new(i128::MAX - 1000i128).unwrap().into(),
NonZeroI128::new(i128::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
i128,
NonZeroI128,
check_mul_i128_large_neg,
NonZeroI128::new(i128::MIN + 1000i128).unwrap().into(),
NonZeroI128::new(i128::MIN + 1).unwrap().into()
);
check_mul_unchecked_intervals!(
i128,
NonZeroI128,
check_mul_i128_edge_pos,
NonZeroI128::new(i128::MAX / 2).unwrap().into(),
NonZeroI128::new(i128::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
i128,
NonZeroI128,
check_mul_i128_edge_neg,
NonZeroI128::new(i128::MIN / 2).unwrap().into(),
NonZeroI128::new(i128::MIN + 1).unwrap().into()
);

//calls for isize
check_mul_unchecked_intervals!(
isize,
NonZeroIsize,
check_mul_isize_small,
NonZeroIsize::new(-10isize).unwrap().into(),
NonZeroIsize::new(10isize).unwrap().into()
);
check_mul_unchecked_intervals!(
isize,
NonZeroIsize,
check_mul_isize_large_pos,
NonZeroIsize::new(isize::MAX - 1000isize).unwrap().into(),
NonZeroIsize::new(isize::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
isize,
NonZeroIsize,
check_mul_isize_large_neg,
NonZeroIsize::new(isize::MIN + 1000isize).unwrap().into(),
NonZeroIsize::new(isize::MIN + 1).unwrap().into()
);
check_mul_unchecked_intervals!(
isize,
NonZeroIsize,
check_mul_isize_edge_pos,
NonZeroIsize::new(isize::MAX / 2).unwrap().into(),
NonZeroIsize::new(isize::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
isize,
NonZeroIsize,
check_mul_isize_edge_neg,
NonZeroIsize::new(isize::MIN / 2).unwrap().into(),
NonZeroIsize::new(isize::MIN + 1).unwrap().into()
);

//calls for u32
check_mul_unchecked_intervals!(
u32,
NonZeroU32,
check_mul_u32_small,
NonZeroU32::new(1u32).unwrap().into(),
NonZeroU32::new(10u32).unwrap().into()
);
check_mul_unchecked_intervals!(
u32,
NonZeroU32,
check_mul_u32_large,
NonZeroU32::new(u32::MAX - 1000u32).unwrap().into(),
NonZeroU32::new(u32::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
u32,
NonZeroU32,
check_mul_u32_edge,
NonZeroU32::new(u32::MAX / 2).unwrap().into(),
NonZeroU32::new(u32::MAX).unwrap().into()
);

//calls for u64
check_mul_unchecked_intervals!(
u64,
NonZeroU64,
check_mul_u64_small,
NonZeroU64::new(1u64).unwrap().into(),
NonZeroU64::new(10u64).unwrap().into()
);
check_mul_unchecked_intervals!(
u64,
NonZeroU64,
check_mul_u64_large,
NonZeroU64::new(u64::MAX - 1000u64).unwrap().into(),
NonZeroU64::new(u64::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
u64,
NonZeroU64,
check_mul_u64_edge,
NonZeroU64::new(u64::MAX / 2).unwrap().into(),
NonZeroU64::new(u64::MAX).unwrap().into()
);

//calls for u128
check_mul_unchecked_intervals!(
u128,
NonZeroU128,
check_mul_u128_small,
NonZeroU128::new(1u128).unwrap().into(),
NonZeroU128::new(10u128).unwrap().into()
);
check_mul_unchecked_intervals!(
u128,
NonZeroU128,
check_mul_u128_large,
NonZeroU128::new(u128::MAX - 1000u128).unwrap().into(),
NonZeroU128::new(u128::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
u128,
NonZeroU128,
check_mul_u128_edge,
NonZeroU128::new(u128::MAX / 2).unwrap().into(),
NonZeroU128::new(u128::MAX).unwrap().into()
);

//calls for usize
check_mul_unchecked_intervals!(
usize,
NonZeroUsize,
check_mul_usize_small,
NonZeroUsize::new(1usize).unwrap().into(),
NonZeroUsize::new(10usize).unwrap().into()
);
check_mul_unchecked_intervals!(
usize,
NonZeroUsize,
check_mul_usize_large,
NonZeroUsize::new(usize::MAX - 1000usize).unwrap().into(),
NonZeroUsize::new(usize::MAX).unwrap().into()
);
check_mul_unchecked_intervals!(
usize,
NonZeroUsize,
check_mul_usize_edge,
NonZeroUsize::new(usize::MAX / 2).unwrap().into(),
NonZeroUsize::new(usize::MAX).unwrap().into()
);

//calls for i8, i16, u8, u16
check_mul_unchecked_small!(i8, NonZeroI8, nonzero_check_mul_for_i8);
check_mul_unchecked_small!(i16, NonZeroI16, nonzero_check_mul_for_i16);
check_mul_unchecked_small!(u8, NonZeroU8, nonzero_check_mul_for_u8);
check_mul_unchecked_small!(u16, NonZeroU16, nonzero_check_mul_for_u16);

macro_rules! nonzero_check_add {
($t:ty, $nonzero_type:ty, $nonzero_check_unchecked_add_for:ident) => {
#[kani::proof_for_contract(NonZero::<$t>::unchecked_add)]
pub fn $nonzero_check_unchecked_add_for() {
let x: $nonzero_type = kani::any();
let y: $t = kani::any();

unsafe {
x.unchecked_add(y);
}
}
};
}

nonzero_check_add!(u8, core::num::NonZeroU8, nonzero_check_unchecked_add_for_u8);
nonzero_check_add!(u16, core::num::NonZeroU16, nonzero_check_unchecked_add_for_u16);
nonzero_check_add!(u32, core::num::NonZeroU32, nonzero_check_unchecked_add_for_u32);
nonzero_check_add!(u64, core::num::NonZeroU64, nonzero_check_unchecked_add_for_u64);
nonzero_check_add!(u128, core::num::NonZeroU128, nonzero_check_unchecked_add_for_u128);
nonzero_check_add!(usize, core::num::NonZeroUsize, nonzero_check_unchecked_add_for_usize);
}
Loading