diff --git a/doc/src/challenges/0026-rc.md b/doc/src/challenges/0026-rc.md new file mode 100644 index 0000000000000..cc05a82c7df11 --- /dev/null +++ b/doc/src/challenges/0026-rc.md @@ -0,0 +1,129 @@ +# Challenge 26: Verify reference-counted Cell implementation + +- **Status:** Open +- **Solution:** *Option field to point to the PR that solved this challenge.* +- **Tracking Issue:** [#382](https://github.com/model-checking/verify-rust-std/issues/382) +- **Start date:** *2025/06/01* +- **End date:** *2025/12/31* +- **Reward:** *5,000 USD* + +------------------- + + +## Goal + +The goal of this challenge is to verify [Rc](https://github.com/rust-lang/rust/blob/master/library/alloc/src/rc.rs) (meaning "Reference counted") and its related [Weak](https://github.com/rust-lang/rust/blob/master/library/alloc/src/rc.rs) implementation. Rc is the library-provided building block that enables safe multiple ownership of data through reference counting for single-threaded cases, as opposed to the usual ownership types used by Rust. A related challenge verifies the Arc implementation, which is atomic multi-threaded. + +## Motivation + +The Rc (for single-threaded code) and Arc (atomic multi-threaded) cell types are widely used in Rust programs to enable shared ownership of data through reference counting. Since shared ownership is generally not permitted by Rust's type system, these implementations use unsafe code to bypass Rust's usual compile-time checks. Verifying the Rust standard library thus fundamentally requires verification of these types. + +## Description + +This challenge verifies a number of Rc methods that encapsulate unsafety, as well as providing contracts for unsafe methods that impose safety conditions on their callers for correct use. + +A key part of the Rc implementation is the Weak struct, which allows keeping a temporary reference to an Rc without creating circular references and without protecting the inner value from being dropped. + +### Assumptions + +Some properties needed for safety are beyond the ability of the Rust type system to express. This is true for all challenges, but we point out some of the properties that are relevant for this challenge. + +* It may be possible to use a new construct analogous to the [can_dereference API](https://model-checking.github.io/kani/crates/doc/kani/mem/fn.can_dereference.html). Our new construct would track that a pointer indeed originates from `into_raw`. + +* It is unclear how to show the reference count is greater than 0 when it is being decremented; the proposed `linked_list` [challenge](0005-linked-list.md) solution does not appear to check list length before performing operations either. + +* Showing that something is initialized, as required by `assume_init`, appears to be beyond the current state of the art for type systems, so it may be impossible to express the full safety property required there. + +### Success Criteria + +All the following pub unsafe functions must be annotated with safety contracts and the contracts have been verified: + +| Function | Location | +|---------|---------| +| Rc,A>::assume_init | alloc::rc | +| Rc<[mem::MaybeUninit],A>::assume_init | alloc::rc | +| Rc::from_raw | alloc::rc | +| Rc::increment_strong_count | alloc::rc | +| Rc::decrement_strong_count | alloc::rc | +| Rc::from_raw_in | alloc::rc | +| Rc::increment_strong_count_in | alloc::rc | +| Rc::decrement_strong_count_in | alloc::rc | +| Rc::get_mut_unchecked | alloc::rc | +| Rc::downcast_unchecked | alloc::rc | +| Weak::from_raw | alloc::rc | +| Weak::from_raw_in | alloc::rc | + +These (not necessarily public) functions contain unsafe code in their bodies but are not themselves marked unsafe. At least 75% of these should be proven unconditionally safe, or safety contracts should be added. + +| Function | Location | +|---------|---------| +| Rc::inner | alloc::rc | +| Rc::into_inner_with_allocator | alloc::rc | +| Rc::new | alloc::rc | +| Rc::new_uninit | alloc::rc | +| Rc::new_zeroed | alloc::rc | +| Rc::try_new | alloc::rc | +| Rc::try_new_uninit | alloc::rc | +| Rc::try_new_zeroed | alloc::rc | +| Rc::pin | alloc::rc | +| Rc::new_uninit_in | alloc::rc | +| Rc::new_zeroed_in | alloc::rc | +| Rc::new_cyclic_in | alloc::rc | +| Rc::try_new_in | alloc::rc | +| Rc::try_new_uninit_in | alloc::rc | +| Rc::try_new_zeroed_in | alloc::rc | +| Rc::pin_in | alloc::rc | +| Rc::try_unwrap | alloc::rc | +| Rc<[T]>::new_uninit_slice | alloc::rc | +| Rc<[T]>::new_zeroed_slice | alloc::rc | +| Rc<[T]>::into_array | alloc::rc | +| Rc<[T],A:Allocator>::new_uninit_slice_in | alloc::rc | +| Rc<[T],A:Allocator>::new_zeroed_slice_in | alloc::rc | +| Rc::into_raw_with_allocator | alloc::rc | +| Rc::as_ptr | alloc::rc | +| Rc::get_mut | alloc::rc | +| Rc::make_mut | alloc::rc | +| Rc::downcast | alloc::rc | +| Rc::from_box_in | alloc::rc | +| RcFromSlice::from_slice | alloc::rc | +| RcFromSlice::from_slice | alloc::rc | +| Drop::drop for Rc | alloc::rc | +| Clone::clone for Rc | alloc::rc | +| Default::default | alloc::rc | +| Default::default | alloc::rc | +| From<&Str>::from | alloc::rc | +| From>::from | alloc::rc | +| From>::from | alloc::rc | +| TryFrom::try_from | alloc::rc | +| ToRcSlice::to_rc_slice | alloc::rc | +| Weak::as_ptr | alloc::rc | +| Weak::into_raw_with_allocator | alloc::rc | +| Weak::upgrade | alloc::rc | +| Weak::inner | alloc::rc | +| Drop::drop for Weak | alloc::rc | +| RcInnerPtr::inc_strong | alloc::rc | +| RcInnerPtr::inc_weak | alloc::rc | +| UniqueRc::into_rc | alloc::rc | +| UniqueRc::downgrade | alloc::rc | +| Deref::deref | alloc::rc | +| DerefMut::deref_mut | alloc::rc | +| Drop::drop for UniqueRc | alloc::rc | +| UniqueRcUninit::new | alloc::rc | +| UniqueRcUninit::data_ptr | alloc::rc | +| Drop::drop for UniqueRcUninit | alloc::rc | + +This list excludes non-public unsafe functions; relevant ones should be called from public unsafe functions. + +For functions taking inputs of generic type 'T', the proofs can be limited to primitive types only. Moreover, for functions taking allocators as input, the proofs can be limited to only the allocators implemented in the standard library (Global/System). + +## List of UBs + +In addition to any properties called out as SAFETY comments in the source code, all proofs must automatically ensure the absence of the following [undefined behaviors](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md): + +* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer. +* Invoking undefined behavior via compiler intrinsics. +* Mutating immutable bytes. +* Producing an invalid value. + +Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md) +in addition to the ones listed above. diff --git a/doc/src/challenges/0027-arc.md b/doc/src/challenges/0027-arc.md new file mode 100644 index 0000000000000..9696f41093614 --- /dev/null +++ b/doc/src/challenges/0027-arc.md @@ -0,0 +1,138 @@ +# Challenge 27: Verify atomically reference-counted Cell implementation + +- **Status:** Open +- **Solution:** *Option field to point to the PR that solved this challenge.* +- **Tracking Issue:** [#383](https://github.com/model-checking/verify-rust-std/issues/383) +- **Start date:** *2025/06/01* +- **End date:** *2025/12/31* +- **Reward:** *5,000 USD* + +------------------- + + +## Goal + +The goal of this challenge is to verify [Arc](https://github.com/rust-lang/rust/blob/master/library/alloc/src/sync.rs) (meaning "Atomically reference counted") and its related [Weak](https://github.com/rust-lang/rust/blob/master/library/alloc/src/sync.rs) implementation. Arc is the library-provided building block that enables safe multiple ownership of data through reference counting for multi-threaded code, as opposed to the usual ownership types used by Rust. The Rc implementation is the subject of a related challenge. + +## Motivation + +The Rc (for single-threaded code) and Arc (atomic multi-threaded) cell types are widely used in Rust programs to enable shared ownership of data through reference counting. Since shared ownership is generally not permitted by Rust's type system, these implementations use unsafe code to bypass Rust's usual compile-time checks. Verifying the Rust standard library thus fundamentally requires verification of these types. + +## Description + +This challenge verifies a number of Arc methods that encapsulate unsafety, as well as providing contracts for unsafe methods that impose safety conditions on their callers for correct use. + +A key part of the Arc implementation is the Weak struct, which allows keeping a temporary reference to an Arc without creating circular references and without protecting the inner value from being dropped. + +### Assumptions + +Some properties needed for safety are beyond the ability of the Rust type system to express. This is true for all challenges, but we point out some of the properties that are relevant for this challenge. + +* It may be possible to use a new construct analogous to the [can_dereference API](https://model-checking.github.io/kani/crates/doc/kani/mem/fn.can_dereference.html). Our new construct would track that a pointer indeed originates from `into_raw`. + +* It is unclear how to show that the reference count is greater than 0 when it is being decremented; the proposed `linked_list` [challenge](0005-linked-list.md) solution does not appear to check list length before performing operations either. + +* Showing that something is initialized, as required by `assume_init`, appears to be beyond the current state of the art for type systems, so it may be impossible to express the full safety property required there. + +### Success Criteria + +All the following pub unsafe functions must be annotated with safety contracts and the contracts have been verified: + +| Function | Location | +|---------|---------| +| Arc,A>::assume_init | alloc::sync | +| Arc<[mem::MaybeUninit],A>::assume_init | alloc::sync | +| Arc::from_raw | alloc::sync | +| Arc::increment_strong_count | alloc::sync | +| Arc::decrement_strong_count | alloc::sync | +| Arc::from_raw_in | alloc::sync | +| Arc::increment_strong_count_in | alloc::sync | +| Arc::decrement_strong_count_in | alloc::sync | +| Arc::get_mut_unchecked | alloc::sync | +| Arc::downcast_unchecked | alloc::sync | +| Weak::from_raw | alloc::sync | +| Weak::from_raw_in | alloc::sync | + +These (not necessarily public) functions contain unsafe code in their bodies but are not themselves marked unsafe. At least 75% of these should be proven unconditionally safe, or safety contracts should be added. + +| Function | Location | +|---------|---------| +| Arc::into_inner_with_allocator | alloc::sync | +| Arc::new | alloc::sync | +| Arc::new_uninit | alloc::sync | +| Arc::new_zeroed | alloc::sync | +| Arc::pin | alloc::sync | +| Arc::try_pin | alloc::sync | +| Arc::try_new | alloc::sync | +| Arc::try_new_uninit | alloc::sync | +| Arc::try_new_zeroed | alloc::sync | +| Arc::new_in | alloc::sync | +| Arc::new_uninit_in | alloc::sync | +| Arc::new_zeroed_in | alloc::sync | +| Arc::new_cyclic_in | alloc::sync | +| Arc::pin_in | alloc::sync | +| Arc::try_pin_in | alloc::sync | +| Arc::try_new_in | alloc::sync | +| Arc::try_new_uninit_in | alloc::sync | +| Arc::try_new_zeroed_in | alloc::sync | +| Arc::try_unwrap | alloc::sync | +| Arc::into_inner | alloc::sync | +| Arc<[T]>::new_uninit_slice | alloc::sync | +| Arc<[T]>::new_zeroed_slice | alloc::sync | +| Arc<[T]>::into_array | alloc::sync | +| Arc<[T],A:Allocator>::new_uninit_slice_in | alloc::sync | +| Arc<[T],A:Allocator>::new_zeroed_slice_in | alloc::sync | +| Arc::into_raw_with_allocator | alloc::sync | +| Arc::as_ptr | alloc::sync | +| Arc::inner | alloc::sync | +| Arc::from_box_in | alloc::sync | +| ArcFromSlice::from_slice | alloc::sync | +| ArcFromSlice::from_slice | alloc::sync | +| Clone::clone for Arc | alloc::sync | +| Arc::make_mut | alloc::sync | +| Arc::get_mut | alloc::sync | +| Drop::drop for Arc | alloc::sync | +| Arc::downcast | alloc::sync | +| Weak::as_ptr | alloc::sync | +| Weak::into_raw_with_allocator | alloc::sync | +| Weak::upgrade | alloc::sync | +| Weak::inner | alloc::sync | +| Drop::drop for Weak | alloc::sync | +| Default::default | alloc::sync | +| Default::default | alloc::sync | +| Default::default | alloc::sync | +| Default<[T]>::default | alloc::sync | +| From<&Str>::from | alloc::sync | +| From>::from | alloc::sync | +| From>::from | alloc::sync | +| TryFrom::try_from | alloc::sync | +| ToArcSlice::to_arc_slice | alloc::sync | +| UniqueArcUninit::new | alloc::sync | +| UniqueArcUninit::data_ptr | alloc::sync | +| Drop::drop for UniqueArcUninit | alloc::sync | +| UniqueArc::into_arc | alloc::sync | +| UniqueArc::downgrade | alloc::sync | +| Deref::deref | alloc::sync | +| DerefMut::deref_mut | alloc::sync | +| Drop::drop for UniqueArc | alloc::sync | + + +This list excludes non-public unsafe functions; relevant ones should be called from public unsafe functions. + +For functions taking inputs of generic type 'T', the proofs can be limited to primitive types o +nly. Moreover, for functions taking allocators as input, the proofs can be limited to only the allocators implemented in the standard library (Global/System). + +Note that solving this challenge will in part require proving an absence of data races from methods using atomic types (in this case Arc). This is also one of the main difficulties of [Challenge 7](0007-atomic-types.md). It's likely that a technique to do this for one challenge could be used for the other, with some adaptation. + +## List of UBs + +In addition to any properties called out as SAFETY comments in the source code, all proofs must automatically ensure the absence of the following [undefined behaviors](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md): + +* Data races. +* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer. +* Invoking undefined behavior via compiler intrinsics. +* Mutating immutable bytes. +* Producing an invalid value. + +Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md) +in addition to the ones listed above.