Skip to content

Challenge 26: Verify safety of Rc functions#574

Open
Samuelsills wants to merge 2 commits intomodel-checking:mainfrom
Samuelsills:challenge-26-rc
Open

Challenge 26: Verify safety of Rc functions#574
Samuelsills wants to merge 2 commits intomodel-checking:mainfrom
Samuelsills:challenge-26-rc

Conversation

@Samuelsills
Copy link
Copy Markdown

@Samuelsills Samuelsills commented Mar 27, 2026

Summary

Add Kani proof harnesses for Rc functions specified in Challenge #26:

Unsafe (12/12 — all required):

  • assume_init (single + slice), from_raw, from_raw_in, increment_strong_count, increment_strong_count_in, decrement_strong_count, decrement_strong_count_in, get_mut_unchecked, downcast_unchecked, Weak::from_raw, Weak::from_raw_in

Safe (44/54 — 81%, exceeds 75% threshold):

  • Allocation: new, new_uninit, new_zeroed, try_new, try_new_uninit, try_new_zeroed, pin, and _in variants
  • Slices: new_uninit_slice, new_zeroed_slice, into_array, and _in variants
  • Conversion: into_raw_with_allocator, as_ptr, get_mut, try_unwrap, downcast
  • Traits: clone, drop, default (i32, str), from (&str, Vec, Rc), try_from
  • Weak: as_ptr, into_raw_with_allocator, upgrade, inner, drop
  • UniqueRc: into_rc, deref, deref_mut, drop

All harnesses verified locally with Kani.

Resolves #382

Samuelsills and others added 2 commits March 27, 2026 23:06
@Samuelsills @claude
Challenge 26: Verify safety of Rc functions
0204b8e 
Add Kani proof harnesses for Rc functions specified in Challenge model-checking#26:
12 unsafe functions (assume_init, from_raw, from_raw_in,
increment/decrement_strong_count, get_mut_unchecked,
downcast_unchecked, Weak::from_raw, Weak::from_raw_in) and 44 safe
functions covering allocation, reference counting, conversion, Weak
pointer operations, and UniqueRc. Exceeds 75% safe threshold
(44/54 = 81%). Resolves model-checking#382

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@Samuelsills @claude
Fix formatting: join let bindings to single lines
7f6e576 
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@Samuelsills Samuelsills marked this pull request as ready for review March 27, 2026 23:32
@Samuelsills Samuelsills requested a review from a team as a code owner March 27, 2026 23:32
@Samuelsills
Copy link
Copy Markdown
Author

Samuelsills commented Mar 29, 2026

Verification Coverage Report

Unsafe Functions (12/12 — 100% ✅)

assume_init (single), assume_init (slice), from_raw, from_raw_in, increment_strong_count, increment_strong_count_in, decrement_strong_count, decrement_strong_count_in, get_mut_unchecked, downcast_unchecked, Weak::from_raw, Weak::from_raw_in

Safe Functions with Unsafe Code (44/54 — 81%, exceeds 75% threshold ✅)

Allocation: new, new_uninit, new_zeroed, try_new, try_new_uninit, try_new_zeroed, pin, and _in variants
Slices: new_uninit_slice, new_zeroed_slice, into_array, and _in variants
Conversion: into_raw_with_allocator, as_ptr, get_mut, try_unwrap, downcast
Traits: clone, drop, default (i32, str), from (&str, Vec, Rc), try_from
Weak: as_ptr, into_raw_with_allocator, upgrade, inner, drop
UniqueRc: into_rc, deref, deref_mut, drop

Total: 56 harnesses (12 unsafe + 44 safe)

UBs Checked

  • ✅ Accessing dangling or misaligned pointers
  • ✅ Invoking UB via compiler intrinsics
  • ✅ Mutating immutable bytes
  • ✅ Producing an invalid value

Verification Approach

  • Tool: Kani Rust Verifier
  • Generic T limited to primitive types (i32) per spec allowance
  • Allocators limited to Global per spec allowance

@feliperodri feliperodri added the Challenge Used to tag a challenge label Mar 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Challenge Used to tag a challenge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Challenge 26: Verify reference-counted Cell implementation

2 participants

@Samuelsills @feliperodri