Contract implementation is unsafe and may trigger UB #3293

celinval · 2024-06-25T20:15:46Z

Looking at the kani::internal::Pointer implementation for *mut T:

Lines 59 to 63 in 1491dd6

    
           impl<'a, T> Pointer<'a> for *mut T { 
        
               type Inner = T; 
        
               unsafe fn decouple_lifetime(&self) -> &'a Self::Inner { 
        
                   &**self as &'a T 
        
               }

This can trigger UB if the location pointed by *mut T does not contain a valid value of type T since it is converting it to a &T.
Converting *const T into &mut T and *mut T to &mut T is also unsafe, and may break aliasing rules.

The text was updated successfully, but these errors were encountered:

celinval · 2024-07-22T18:38:58Z

Note that #3363 removes the decouple_lifetime function, but untracked_deref function is still unsafe and my cause UB for arguments that are dropped inside the function.

I was wondering if we can use something similar to Prusti's snapshots: https://viperproject.github.io/prusti-dev/dev-guide/encoding/types-snap.html to replace untracked_deref.

celinval added the [C] Bug This is a bug. Something isn't working. label Jun 25, 2024

feliperodri added this to the Function Contracts milestone Jun 26, 2024

pi314mm mentioned this issue Jul 9, 2024

Function Contracts: Modify Slices #3295

Merged

tautschnig added the Z-Contracts Issue related to code contracts label Aug 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Contract implementation is unsafe and may trigger UB #3293

Contract implementation is unsafe and may trigger UB #3293

celinval commented Jun 25, 2024

celinval commented Jul 22, 2024

Contract implementation is unsafe and may trigger UB #3293

Contract implementation is unsafe and may trigger UB #3293

Comments

celinval commented Jun 25, 2024

celinval commented Jul 22, 2024