-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kani misses out of bounds index for get_unchecked
with raw pointer to slice
#3707
Comments
This can be reproduced without #[kani::proof]
fn out_of_bounds_get_unchecked() {
const ARR_SIZE: usize = 10;
let mut arr: [i32; ARR_SIZE] = kani::any();
let ptr = std::ptr::slice_from_raw_parts_mut(
arr.as_mut_ptr(),
ARR_SIZE,
);
unsafe {
let _ = ptr.get_unchecked_mut(100);
}
}
|
get_unchecked
get_unchecked
with slice_from_raw_parts
pointer
This doesn't seem related to slice_from_raw_parts though.
|
@celinval I'm confused -- this example also calls |
oops... wrong copy and paste. #[kani::proof]
fn out_of_bounds_get_unchecked() {
const ARR_SIZE: usize = 10;
let mut arr: [i32; ARR_SIZE] = kani::any();
let ptr = &mut arr as *mut _;
unsafe {
let i = ptr.get_unchecked_mut(100);
}
} |
get_unchecked
with slice_from_raw_parts
pointerget_unchecked
with raw pointer to slice
I believe the issue here is similar to #1233. We had disabled bounds checks in some intrinsics a long time ago because the semantics were still up in the air when handling offset operations with count 0 and dangling pointers. However, the behavior is well defined, and we need enable those bounds checks again. In the implementation of |
I've confirmed that #3755 fixed this. The tests in that PR are already quite robust, so I don't think we need to add another one just for this particular example. |
I tried this code:
with Kani version: 0.56.0
I expected to see this happen: Verification failed because the index is out of bounds
Instead, this happened: Verification succeeded
The text was updated successfully, but these errors were encountered: