Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify the analysis technique used by Kani #2195

Merged
merged 1 commit into from
Feb 14, 2023

Conversation

tautschnig
Copy link
Member

We use model checking - make clear what its limitations are when talking about what we may be able to prove.

Description of changes:

Clarification of what Kani is in our documentation.

Resolved issues:

n/a

Related RFC:

n/a

Call-outs:

n/a

Testing:

n/a

Checklist

  • Each commit message has a non-empty body, explaining why the change was made
  • n/a Methods or procedures are documented
  • n/a Regression or unit tests are included, or existing tests cover the modified code
  • My PR is restricted to a single feature or bugfix

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@tautschnig tautschnig requested a review from a team as a code owner February 7, 2023 10:43
docs/src/getting-started.md Outdated Show resolved Hide resolved
docs/src/getting-started.md Outdated Show resolved Hide resolved
Kani is particularly useful for verifying unsafe code in Rust, where many of the Rust’s usual guarantees are no longer checked by the compiler.
Some example properties you can prove with Kani include memory safety properties (e.g., null pointer dereferences, use-after-free, etc.), the absence of certain runtime errors (i.e., index out of bounds, panics), and the absence of some types of unexpected behavior (e.g., arithmetic overflows).
Kani can also prove custom properties provided in the form of user-specified assertions.
Many of these properties are undecidable in the general case.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel this is a bit too heavy for the getting started section. I suggest we move it to the the comparison with other tools section or paraphrase it a bit, e.g.:

Kani may not be able to solve all properties, in which case it may not terminate or may run out of memory.
Otherwise, Kani will either prove the property, or find a trace that leads to the violation of the property (e.g. the failure of an assertion).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to moving this to a different section. I was also wondering if we should call out here that the proof is under some constraints and add a link to the limitations section.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to moving it.

This paragraph should focus on what Kani can do, as opposed to what it cannot do. All tools have their limitations and it's OK with me to explain it in other sections, but we should keep it brief in order to keep readers engaged.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have removed the mention of "undecidable," and generalised the link to the Limitations section so as not to link into just a subsection.

Kani is particularly useful for verifying unsafe code in Rust, where many of the Rust’s usual guarantees are no longer checked by the compiler.
Some example properties you can prove with Kani include memory safety properties (e.g., null pointer dereferences, use-after-free, etc.), the absence of certain runtime errors (i.e., index out of bounds, panics), and the absence of some types of unexpected behavior (e.g., arithmetic overflows).
Kani can also prove custom properties provided in the form of user-specified assertions.
Many of these properties are undecidable in the general case.
As Kani uses model checking, Kani will either prove the property, disprove the
property (with a counterexample), or may run out of resources.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
property (with a counterexample), or may run out of resources.
property (providing you with a trace showing what input led to the property violation), or may run out of resources.

I wonder if "trace" is more familiar to the reader than "counterexample"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't mind counterexample, since we are talking about what not how. Trace is one way of representing a counterexample. We also offer the concrete playback in which case the counterexample will be represented as a unit test.

Copy link
Contributor

@jaisnan jaisnan Feb 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I like counterexample but not as a technical word, just as a phrase i.e disprove the property (with the example that fails the proof) or may run out of resources. Too many technical words in a page causes reading fatigue imo.

Copy link
Contributor

@zhassan-aws zhassan-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A small typo. Otherwise looks good.

@@ -1,9 +1,11 @@
# Getting started

Kani is an open-source verification tool that uses automated reasoning to analyze Rust programs.
Kani is an open-source verification tool that uses [model checking](./tool-comparison.md) analyze Rust programs.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Kani is an open-source verification tool that uses [model checking](./tool-comparison.md) analyze Rust programs.
Kani is an open-source verification tool that uses [model checking](./tool-comparison.md) to analyze Rust programs.

We use model checking - make clear what its limitations are when talking
about what we may be able to prove.
@tautschnig tautschnig merged commit 9439a54 into model-checking:main Feb 14, 2023
@tautschnig tautschnig deleted the wording branch February 14, 2023 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants