Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kani internal panic when calling somehwat complex library path with no symbolic inputs #3312

Closed
aaronjeline opened this issue Jul 1, 2024 · 6 comments · Fixed by #3448
Closed

Kani internal panic when calling somehwat complex library path with no symbolic inputs #3312

aaronjeline opened this issue Jul 1, 2024 · 6 comments · Fixed by #3448
Assignees
@celinval
Labels
[C] Bug This is a bug. Something isn't working. [F] Crash Kani crashed T-User Tag user issues / requests

Comments

@aaronjeline
Copy link

I tried this code:

    #[kani::proof]
    #[kani::unwind(101)]
    fn safe_indexing() {
        let args_len: usize = kani::any();
        kani::assume(args_len < 100);
        let mut args: Vec<i32> = vec![];
        for _ in 0..args_len {
            args.push(kani::any());
        }
        let name = "foo".parse().unwrap();

        // All we care is that this doesn't panic
        let _ = CedarValueJson::extract_arg(&args, &name);
    }

Where .parse() is created a value of type Name from cedar-policy-core

using the following command line invocation:

cargo kani

with Kani version:

I expected to see this happen: either proof succeeds or fails

Instead, this happened:

error: internal compiler error: Kani unexpectedly panicked at panicked at cprover_bindings/src/goto_program/stmt.rs:172:9:
                                assertion `left == right` failed: Error: assign statement with unequal types lhs StructTag("tag-refstr") rhs Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }
                                  left: StructTag("tag-refstr")
                                 right: Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }.

thread 'rustc' panicked at cprover_bindings/src/goto_program/stmt.rs:172:9:
assertion `left == right` failed: Error: assign statement with unequal types lhs StructTag("tag-refstr") rhs Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }
  left: StructTag("tag-refstr")
 right: Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Kani unexpectedly panicked during compilation.
Please file an issue here: https://github.com/model-checking/kani/issues/new?labels=bug&template=bug_report.md

[Kani] current codegen item: codegen_function: std::ptr::from_raw_parts::<str>
_RINvNtNtCscBmSNMcqgUz_4core3ptr8metadata14from_raw_partseECs9jBWyIwnR1b_14regex_automata
[Kani] current codegen location: Loc { file: "/github/home/.rustup/toolchains/nightly-2024-05-28-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/metadata.rs", function: None, start_line: 113, start_col: Some(1), end_line: 116, end_col: Some(14) }
error: could not compile `cedar-policy-core` (lib); 8 warnings emitted
error: Failed to compile `cedar_policy_core` due to an internal compiler error.: error: internal compiler error: Kani unexpectedly panicked at panicked at cprover_bindings/src/goto_program/stmt.rs:172:9:
                                assertion `left == right` failed: Error: assign statement with unequal types lhs StructTag("tag-refstr") rhs Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }
                                  left: StructTag("tag-refstr")
                                 right: Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }.
@aaronjeline aaronjeline added the [C] Bug This is a bug. Something isn't working. label Jul 1, 2024
@adpaco-aws
Copy link
Contributor

Hi @aaronjeline , thanks for opening this issue! Do you recall in which scope were you defining the safe_indexing harness? Or a branch that allows me to directly reproduce the issue?

@adpaco-aws adpaco-aws added [F] Crash Kani crashed T-User Tag user issues / requests labels Jul 1, 2024
@aaronjeline
Copy link
Author

Yes. I managed to minimize the test case:

    #[kani::proof]
    fn foo() {
        smol_str::SmolStr::new("foo");
    }

Causes:

error: could not compile `cedar-policy-core` (lib); 7 warnings emitted
error: Failed to compile `cedar_policy_core` due to an internal compiler error.: error: internal compiler error: Kani unexpectedly panicked at panicked at cprover_bindings/src/goto_program/stmt.rs:172:9:
                                assertion `left == right` failed: Error: assign statement with unequal types lhs StructTag("tag-refstr") rhs Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }
                                  left: StructTag("tag-refstr")
                                 right: Pointer { typ: FlexibleArray { typ: Unsignedbv { width: 8 } } }.

@aaronjeline
Copy link
Author

(Note that Name uses smolstr internally)

@adpaco-aws
Copy link
Contributor

I see, this test did indeed crash for me too. Thank you for submitting this reproducer!

@celinval celinval self-assigned this Jul 24, 2024
@celinval
Copy link
Contributor

celinval commented Aug 16, 2024
edited
Loading

This seems to happen due to casting *const str <-> *const u8 that happens inside byte_sub. Here is a tiny reproducer:

#![feature(set_ptr_value)]

#[kani::proof]
fn check_cast() {
    let data = "hello";
    let ptr = data as *const str;
    // This cast is done inside byte_sub
    let _ = ptr.cast::<u8>().with_metadata_of(ptr);
}

@celinval celinval mentioned this issue Aug 17, 2024
Merged
@celinval
Copy link
Contributor

I tried this code:

    #[kani::proof]
    #[kani::unwind(101)]
    fn safe_indexing() {
        let args_len: usize = kani::any();
        kani::assume(args_len < 100);
        let mut args: Vec<i32> = vec![];
        for _ in 0..args_len {
            args.push(kani::any());
        }
        let name = "foo".parse().unwrap();

        // All we care is that this doesn't panic
        let _ = CedarValueJson::extract_arg(&args, &name);
    }

@aaronjeline I created a fix, but I couldn't verify it with your original example, since it fails to find the extract_args function.

github-merge-queue bot pushed a commit that referenced this issue Aug 23, 2024
@celinval
Fix ICE due to mishandling of Aggregate rvalue for raw pointers to `s…
7a28667 
…tr` (#3448)

We were missing a match arm for the case where a raw pointer to a string
slice was created from a thin pointer and the string size.

Resolves #3312 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@celinval celinval

Labels
[C] Bug This is a bug. Something isn't working. [F] Crash Kani crashed T-User Tag user issues / requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix ICE due to mishandling of Aggregate rvalue for raw pointers to str celinval/kani-dev
3 participants
@aaronjeline @celinval @adpaco-aws