Skip to content

Document behavior of checked_size_of_raw and is_inbounds #3956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Mar 25, 2025
+34 −1
Merged

Document behavior of checked_size_of_raw and is_inbounds #3956

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
034b883
add documentation for use of isize::MAX
rajath-mk Mar 24, 2025
f075151
add quick test and fix doc spacing
rajath-mk Mar 25, 2025
c0ec0e4
remove extra feature
rajath-mk Mar 25, 2025
b22688a
remove extra feature-1
rajath-mk Mar 25, 2025
81cd403
formatting
rajath-mk Mar 25, 2025
25c63ab
formatting checks
rajath-mk Mar 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion library/kani_core/src/mem.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,10 @@ macro_rules! kani_mem {

/// Compute the size of the val pointed to if it is safe to do so.
///
/// Return `None` if an overflow would occur, or if alignment is not power of two.
/// Returns `None` if:
/// - An overflow occurs during the size computation.
/// - The pointer’s alignment is not a power of two.
/// - The computed size exceeds `isize::MAX` (the maximum safe Rust allocation size).
/// TODO: Optimize this if T is sized.
#[kanitool::fn_marker = "CheckedSizeOfIntrinsic"]
pub fn checked_size_of_raw<T: ?Sized>(ptr: *const T) -> Option<usize> {
Expand Down Expand Up @@ -166,6 +169,14 @@ macro_rules! kani_mem {
/// Checks that `ptr` points to an allocation that can hold data of size calculated from `T`.
///
/// This will panic if `ptr` points to an invalid `non_null`
/// Returns `false` if:
/// - The computed size overflows.
/// - The computed size exceeds `isize::MAX`.
/// - The pointer is null (except for zero-sized types).
/// - The pointer references unallocated memory.
Copy link

@joshlf joshlf Mar 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably also clarify that it doesn't apply for zero-sized types. Per the std::ptr docs:

For memory accesses of size zero, every pointer is valid, including the null pointer.

Copy link
Contributor

@carolynzech carolynzech Apr 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created #3974 to address this

///
/// This function aligns with Rust's memory safety requirements, which restrict valid allocations
/// to sizes no larger than `isize::MAX`.
fn is_inbounds<T: ?Sized>(ptr: *const T) -> bool {
// If size overflows, then pointer cannot be inbounds.
let Some(sz) = checked_size_of_raw(ptr) else { return false };
Expand Down
1 change: 1 addition & 0 deletions tests/expected/MemPredicates/ptr_size_validity.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Complete - 1 successfully verified harnesses, 0 failures, 1 total.
21 changes: 21 additions & 0 deletions tests/expected/MemPredicates/ptr_size_validity.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
// Copyright Kani Contributors
// SPDX-License-Identifier: Apache-2.0 OR MIT
// kani-flags: -Z mem-predicates
#![feature(ptr_metadata)]

extern crate kani;

mod size {
use super::*;

#[kani::proof]
fn verify_checked_size_of_raw_exceeds_isize_max() {
let len_exceeding_isize_max = (isize::MAX as usize) + 1;
let data_ptr: *const [u8] =
core::ptr::from_raw_parts(core::ptr::null::<u8>(), len_exceeding_isize_max);

let size = kani::mem::checked_size_of_raw(data_ptr);

assert!(size.is_none());
}
}
Loading