Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kani crashes when handling code related to AtomicPtr #3042

Closed
jaisnan opened this issue Feb 22, 2024 · 4 comments · Fixed by #3047
Closed

Kani crashes when handling code related to AtomicPtr #3042

jaisnan opened this issue Feb 22, 2024 · 4 comments · Fixed by #3047
Assignees
@qinheping
Labels
[C] Bug This is a bug. Something isn't working.

Comments

@jaisnan
Copy link
Contributor

jaisnan commented Feb 22, 2024

Caught by the M1 regression, Kani seems to crash when handling harness that use atomic pointers.

Here is a minimal example that causes the crash, in both linux and mac versions of Kani

#![feature(strict_provenance_atomic_ptr, strict_provenance)]
use std::sync::atomic::{AtomicPtr, Ordering};

#[kani::proof]
fn check_fetch_byte() {
    let atom = AtomicPtr::<i64>::new(core::ptr::invalid_mut(1));
    assert_eq!(atom.fetch_byte_sub(1, Ordering::Relaxed).addr(), 1);
    assert_eq!(atom.load(Ordering::Relaxed).addr(), 0);
}

This is the crash

Kani Rust Verifier 0.42.0 (standalone)
thread 'rustc' panicked at cprover_bindings/src/goto_program/stmt.rs:170:9:
assertion `left == right` failed: Error: assign statement with unequal types lhs Pointer { typ: Signedbv { width: 64 } } rhs CInteger(SSizeT)
  left: Pointer { typ: Signedbv { width: 64 } }
 right: CInteger(SSizeT)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Kani unexpectedly panicked during compilation.
Please file an issue here: https://github.com/model-checking/kani/issues/new?labels=bug&template=bug_report.md

[Kani] current codegen item: codegen_function: std::sync::atomic::atomic_sub::<*mut i64>
_RINvNtNtCslE7LfYgGyNS_4core4sync6atomic10atomic_subOxECsgohT1pLHQU2_4main
[Kani] current codegen location: Loc { file: "./.rustup/toolchains/nightly-2023-11-28-aarch64-apple-darwin/lib/rustlib/src/rust/library/core/src/sync/atomic.rs", function: None, start_line: 3334, start_col: Some(1), end_line: 3334, end_col: Some(73) }
error: ./.kani/kani-0.42.0/bin/kani-compiler exited with status exit status: 101

using the following command line invocation:

kani main.rs

with Kani version: 0.46.0, 0.45.0, 0.42.0 (and possible older versions).
@jaisnan jaisnan added the [C] Bug This is a bug. Something isn't working. label Feb 22, 2024
@jaisnan
Copy link
Contributor Author

jaisnan commented Feb 22, 2024

Found by @zhassan-aws , this seems to be the change commit in rust that likely caused the panic: rust-lang/rust@b17491c

@celinval
Copy link
Contributor

FYI, the test case was based on the test here: https://doc.rust-lang.org/std/sync/atomic/struct.AtomicPtr.html#method.fetch_byte_sub

@celinval
Copy link
Contributor

Hi @qinheping, did you make any progress in this issue? I would be fantastic if we could fix the M1 job sooner rather than later. Let me know if you have any questions.

@qinheping
Copy link
Contributor

The atomic intrinsics such us atomic_xsub_relaxed allow arguments of the type (*mut *mut T, *mut T) while it is not supported in Kani codegen_atomic_binop. An minimal example to reproduce the issue:

#![feature(core_intrinsics)]
use std::intrinsics::{
    atomic_xsub_relaxed
};


#[kani::proof]
fn main() {
    let mut a = 1 as u8;

    let mut ptr: *mut u8 = &mut a;
    let ptr_ptr: *mut *mut u8 = &mut ptr;

    unsafe {
        let x = atomic_xsub_relaxed(ptr_ptr, ptr);

    }
}

We might need to also support such arguments in https://github.com/model-checking/kani/blob/main/kani-compiler/src/codegen_cprover_gotoc/codegen/intrinsic.rs#L243

qinheping added a commit to qinheping/kani that referenced this issue Feb 28, 2024
@qinheping
Fix codegen_atomic_binop for atomic_ptr
7fa9cce 
Fetch functions of atomic_ptr calls atomic intrinsics functions with pointer-type arguments (invalid_mut), which will cause typecheck failures.
The change in this commit add support of pointer-type arguments into codegen_atomic_binop to fix the issue.
The new codegen_atomic_binop will cast pointer arguments to size_t, apply op on them, and then cast the op result back to the pointer type.

Fix the issue model-checking#3042.
@qinheping qinheping mentioned this issue Feb 28, 2024
Merged
adpaco-aws added a commit that referenced this issue Feb 29, 2024
@qinheping @adpaco-aws @zhassan-aws
Fix codegen_atomic_binop for atomic_ptr (#3047)
73b4c47 
Fetch functions of `atomic_ptr` calls atomic intrinsic functions with
pointer-type arguments (`invalid_mut`), which will cause typecheck
failures. The change in this commit add support of pointer-type
arguments into `codegen_atomic_binop` to fix the issue. The new
`codegen_atomic_binop` will cast pointer arguments to `size_t`, apply op
on them, and then cast the op result back to the pointer type.

The new test include all fetch functions of `atomic_ptr` except for
`fetch_ptr_add` and `fetch_ptr_sub`, which do not call intrinsic
functions.

Resolves #3042.

---------

Co-authored-by: Adrian Palacios <[email protected]>
Co-authored-by: Zyad Hassan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@qinheping qinheping

Labels
[C] Bug This is a bug. Something isn't working.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix codegen_atomic_binop for atomic_ptr qinheping/kani
3 participants
@qinheping @celinval @jaisnan