Skip to content

Verify safety of slice functions with VeriFast + Kani (Challenge 17)#559

Draft
jrey8343 wants to merge 1 commit intomodel-checking:mainfrom
jrey8343:challenge-17-slice
Draft

Verify safety of slice functions with VeriFast + Kani (Challenge 17)#559
jrey8343 wants to merge 1 commit intomodel-checking:mainfrom
jrey8343:challenge-17-slice

Conversation

@jrey8343
Copy link

@jrey8343 jrey8343 commented Mar 15, 2026
edited
Loading

Summary

Dual VeriFast + Kani verification of all 37 required functions in library/core/src/slice/mod.rs, covering both unsafe functions (with safety contracts) and safe functions containing unsafe code.

VeriFast (14 functions, 68 statements verified)

Separation logic proofs using VeriFast 25.11-slice-support (custom fork with &[T] support, upstream PR #1002):

Category Functions
Unsafe (5) swap_unchecked, split_at_unchecked, split_at_mut_unchecked, align_to, align_to_mut
Safe (9) reverse, split_at_checked, split_at_mut_checked, rotate_left, rotate_right, copy_from_slice, copy_within, swap_with_slice, partition_dedup_by

Kani (28 proof harnesses)

Bounded model checking for functions requiring const generics, SIMD types, or closure trait bounds:

Category Functions Variants
Const generic chunks first_chunk, first_chunk_mut, split_first_chunk, split_first_chunk_mut, split_last_chunk, split_last_chunk_mut, last_chunk, last_chunk_mut N=0,1,2,4,8
Chunk operations as_chunks, as_rchunks, as_chunks_mut, as_chunks_unchecked, as_chunks_unchecked_mut N=1,2,4,8
Flattening as_flattened, as_flattened_mut N=1,2,4
SIMD as_simd, as_simd_mut u8/u32 × LANES=2,4
Index operations get_unchecked, get_unchecked_mut, get_disjoint_mut, get_disjoint_unchecked_mut, get_disjoint_check_valid Various N
Closure-based binary_search_by u8
Range-based copy_within Symbolic ranges

Why Two Tools?

VeriFast provides separation logic proofs (strongest guarantees) but currently lacks support for:

  • Const generic parameters (ConstKind::Param)
  • Closure trait bounds (FnMut, FnOnce::Output)
  • SliceIndex trait dispatch
  • SIMD types

These limitations are being addressed upstream (PR #1002). Kani fills the gap for affected functions via bounded model checking with symbolic inputs.

Test plan

  • VeriFast CI: verifast-proofs/check-verifast-proofs.sh passes (4 proofs, 5778 statements)
  • Kani CI: All 28 harnesses pass via kani verify-std
  • No changes to runtime logic

@jrey8343 jrey8343 requested a review from a team as a code owner March 15, 2026 20:37
@jrey8343 jrey8343 marked this pull request as draft March 15, 2026 22:04
@jrey8343 jrey8343 mentioned this pull request Mar 15, 2026
Draft
3 tasks
@jrey8343 jrey8343 force-pushed the challenge-17-slice branch from 9bd0740 to a9285f5 Compare March 17, 2026 22:39
@jrey8343 jrey8343 changed the title Verify safety of slice functions (Challenge 17) Verify safety of slice functions with VeriFast + Kani (Challenge 17) Mar 17, 2026
@jrey8343 jrey8343 force-pushed the challenge-17-slice branch from a9285f5 to 723f903 Compare March 17, 2026 22:46
@jrey8343 @claude
Verify safety of slice functions (Challenge 17)
497e694 
Dual VeriFast + Kani approach covering all 37 required functions.

## VeriFast (14 functions, 68 statements verified)

Separation logic proofs with pre/postconditions for functions that
don't require const generics or complex trait bounds:

**Unsafe (5):** swap_unchecked, split_at_unchecked, split_at_mut_unchecked,
align_to, align_to_mut

**Safe (9):** reverse, split_at_checked, split_at_mut_checked, rotate_left,
rotate_right, copy_from_slice, copy_within, swap_with_slice,
partition_dedup_by

## Kani (28 proof harnesses)

Bounded model checking for const-generic, SIMD, and closure-based
functions that VeriFast's translator cannot yet handle:

- first_chunk, first_chunk_mut (N=0,1,2,4,8)
- split_first_chunk, split_first_chunk_mut (N=0,1,4)
- split_last_chunk, split_last_chunk_mut (N=0,1,4)
- last_chunk, last_chunk_mut (N=0,1,4)
- as_chunks, as_rchunks, as_chunks_mut (N=1,2,4,8)
- as_chunks_unchecked, as_chunks_unchecked_mut (N=1,2,4)
- as_flattened, as_flattened_mut (N=1,2,4)
- as_simd, as_simd_mut (u8/u32 × LANES=2,4)
- get_unchecked, get_unchecked_mut
- get_disjoint_mut (N=2,3), get_disjoint_unchecked_mut (N=2)
- get_disjoint_check_valid (N=2)
- binary_search_by, copy_within

## Tools

- VeriFast 25.11-slice-support (custom fork with &[T] support)
- Kani (pinned version from tool_config/kani-version.toml)

Resolves model-checking#281

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jrey8343 jrey8343 force-pushed the challenge-17-slice branch from 723f903 to 497e694 Compare March 17, 2026 22:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jrey8343