-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kani does not flag out-of-bounds dereference with kani::vec::any_vec
#2759
Comments
This unsoundness is similar to the one reported in #1009. |
Adding |
It should actually be possible to remove the unsafe part of Current impl: pub fn any_vec<T, const MAX_LENGTH: usize>() -> Vec<T>
where
T: Arbitrary,
[(); std::mem::size_of::<[T; MAX_LENGTH]>()]:,
{
let mut v = exact_vec::<T, MAX_LENGTH>();
let real_length: usize = any();
assume(real_length <= MAX_LENGTH);
unsafe { v.set_len(real_length) };
v
} Proposed impl: pub fn any_vec<T, const MAX_LENGTH: usize>() -> Vec<T>
where
T: Arbitrary,
[(); std::mem::size_of::<[T; MAX_LENGTH]>()]:,
{
let mut v = exact_vec::<T, MAX_LENGTH>();
let real_length: usize = any();
assume(real_length <= MAX_LENGTH);
v.truncate(real_length);
v.shrink_to(real_length)
v
} Again only tested with the code from the first post in this issue. |
Thanks @arctic-alpaca. The diff that I was going to propose is doing exactly that: $ git diff
diff --git a/library/kani/src/vec.rs b/library/kani/src/vec.rs
index 5deb90d0ec1..4df6fafe457 100644
--- a/library/kani/src/vec.rs
+++ b/library/kani/src/vec.rs
@@ -11,7 +11,8 @@ pub fn any_vec<T, const MAX_LENGTH: usize>() -> Vec<T>
let mut v = exact_vec::<T, MAX_LENGTH>();
let real_length: usize = any();
assume(real_length <= MAX_LENGTH);
- unsafe { v.set_len(real_length) };
+ v.truncate(real_length);
+ v.shrink_to_fit();
v
} |
I tried this code:
using the following command line invocation:
with Kani version: 7136495
I expected to see this happen: Kani flags the out-of-bounds pointer dereference.
Instead, this happened: Verification is successful.
The text was updated successfully, but these errors were encountered: