Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add kani::spawn and an executor to the Kani library #1659

Merged
merged 46 commits into from
Jul 6, 2023
Merged

Add kani::spawn and an executor to the Kani library #1659

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
46 commits
Select commit Hold shift + click to select a range
c95f710
Add kani::spawn and an executor to the Kani library
fzaiser Sep 5, 2022
1e626b8
Add test
fzaiser Sep 9, 2022
13c01b8
Merge branch 'main' into spawn-lib
fzaiser Sep 9, 2022
2006673
Merge branch 'main' into spawn-lib
fzaiser Oct 31, 2022
b36737b
Address review comments
fzaiser Oct 31, 2022
6fe4f8e
Check bound of num_tasks
fzaiser Oct 31, 2022
0d529f6
Improve documentation and remove unnecessary code
fzaiser Nov 1, 2022
7fd9a5b
Merge branch 'main' into spawn-lib
fzaiser Nov 1, 2022
31d8115
Fix clippy
fzaiser Nov 1, 2022
c7f5a73
Introduce enum for scheduling assumption and improve docs
fzaiser Nov 4, 2022
1db9f81
Disable proof harness to improve CI times
fzaiser Nov 4, 2022
f51186a
Merge branch 'main' into spawn-lib
fzaiser Nov 4, 2022
e65595e
Merge branch 'main' into spawn-lib
fzaiser Nov 7, 2022
9ababc9
Remove nondeterministic harness
fzaiser Nov 8, 2022
6f2ad12
Use the exact same code in manual_spawn.rs and spawn.rs to reproduce …
fzaiser Nov 9, 2022
b4b205e
Merge branch 'main' into spawn-lib
fzaiser Dec 16, 2022
4601765
Fix formatting
fzaiser Dec 16, 2022
cf6af18
Fix submodule
fzaiser Dec 16, 2022
7f88bd1
Use vectors instead of arrays
fzaiser Dec 16, 2022
ffe2374
Fix clippy
fzaiser Dec 16, 2022
71e9ab1
Fix test
fzaiser Dec 16, 2022
2806c40
Make the GLOBAL_EXECUTOR an option.
fzaiser Dec 16, 2022
2b44665
Merge branch 'main' into spawn-lib
fzaiser Dec 16, 2022
3c24fe3
Fix test
fzaiser Dec 20, 2022
eb9a260
Merge branch 'main' into spawn-lib
fzaiser Dec 20, 2022
c6c08ed
Merge branch 'main' into spawn-lib
fzaiser Dec 22, 2022
f6eb352
Remove nondeterministic scheduling strategy
fzaiser Dec 23, 2022
269a080
Merge branch 'main' into spawn-lib
fzaiser Dec 23, 2022
d51ccd0
Merge branch 'main' into spawn-lib
fzaiser Feb 13, 2023
333e51a
Select harness using flags instead of commenting
fzaiser Feb 13, 2023
351ee66
Merge branch 'main' into spawn-lib
fzaiser Feb 13, 2023
fdfb45b
Fix test
fzaiser Feb 13, 2023
2e38a6a
Fix test
fzaiser Feb 13, 2023
a24c117
Merge branch 'main' into spawn-lib
fzaiser Feb 14, 2023
54abbe3
Add additional checks to round-robin test
fzaiser Feb 14, 2023
0bbd42a
Remove manual tests
fzaiser Feb 14, 2023
2ac7346
Rename method to `block_on_with_spawn`
fzaiser Feb 15, 2023
07b4330
Merge branch 'main' into spawn-lib
fzaiser Feb 15, 2023
baed1d1
Update doc comments and add a check
fzaiser Feb 15, 2023
bc948a7
Merge branch 'main' into spawn-lib
fzaiser Jun 23, 2023
ff3f99b
Add unstable attributes
fzaiser Jun 23, 2023
e432a1a
Add -Z async-lib flag
fzaiser Jun 23, 2023
1b8ff44
Merge branch 'main' into spawn-lib
fzaiser Jun 25, 2023
407c435
Merge branch 'main' into spawn-lib
fzaiser Jul 5, 2023
00c64d5
Add reason to unstable APIs
celinval Jul 6, 2023
fd477f8
Merge branch 'main' into spawn-lib
celinval Jul 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
216 changes: 216 additions & 0 deletions library/kani/src/futures.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ use std::{
/// Whereas a clever executor like `block_on` in `futures` or `tokio` would interact with the OS scheduler
/// to be woken up when a resource becomes available, this is not supported by Kani.
/// As a consequence, this function completely ignores the waker infrastructure and just polls the given future in a busy loop.
///
/// Note that spawn is not supported with this function. Use [`spawnable_block_on`] if you need it.
// TODO: Give an error if spawn is used in the future passed to this function.
pub fn block_on<T>(mut fut: impl Future<Output = T>) -> T {
let waker = unsafe { Waker::from_raw(NOOP_RAW_WAKER) };
let cx = &mut Context::from_waker(&waker);
Expand All @@ -41,3 +44,216 @@ const NOOP_RAW_WAKER: RawWaker = {

RawWaker::new(std::ptr::null(), &RawWakerVTable::new(clone_waker, noop, noop, noop))
};

static mut EXECUTOR: Scheduler = Scheduler::new();
const MAX_TASKS: usize = 16;
fzaiser marked this conversation as resolved.
Show resolved Hide resolved

type BoxFuture = Pin<Box<dyn Future<Output = ()> + Sync + 'static>>;

/// Allows to parameterize how the scheduler picks the next task to poll in `spawnable_block_on`
pub trait SchedulingStrategy {
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
/// Picks the next task to be scheduled whenever the scheduler needs to pick a task to run next, and whether it can be assumed that the picked task is still running
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
///
/// Tasks are numbered `0..num_tasks`.
/// For example, if pick_task(4) returns (2, true) than it picked the task with index 2 and allows Kani to `assume` that this task is still running.
/// This is useful if the task is chosen nondeterministicall (`kani::any()`) and allows the verifier to discard useless execution branches (such as polling a completed task again).
fn pick_task(&mut self, num_tasks: usize) -> (usize, bool);
}

impl<F: FnMut(usize) -> usize> SchedulingStrategy for F {
#[inline]
fn pick_task(&mut self, num_tasks: usize) -> (usize, bool) {
(self(num_tasks), false)
}
}

/// Keeps cycling through the tasks in a deterministic order
#[derive(Default)]
pub struct RoundRobin {
index: usize,
}

impl SchedulingStrategy for RoundRobin {
#[inline]
fn pick_task(&mut self, num_tasks: usize) -> (usize, bool) {
self.index = (self.index + 1) % num_tasks;
(self.index, false)
}
}

/// Picks the next task nondeterministically
#[derive(Default)]
pub struct NondeterministicScheduling;

impl SchedulingStrategy for NondeterministicScheduling {
#[cfg(kani)]
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
fn pick_task(&mut self, num_tasks: usize) -> (usize, bool) {
let index = crate::any();
crate::assume(index < num_tasks);
(index, true)
}

#[cfg(not(kani))]
fn pick_task(&mut self, _num_tasks: usize) -> (usize, bool) {
panic!("Nondeterministic scheduling is only available when running Kani.")
}
}

/// A restricted form of nondeterministic scheduling to have some fairness.
///
/// Each task has a counter that is increased when it is scheduled.
/// If a task has reached a provided limit, it cannot be scheduled anymore until all other tasks have reached the limit too,
/// at which point all the counters are reset to zero.
pub struct NondetFairScheduling {
counters: [u8; MAX_TASKS],
limit: u8,
}

impl NondetFairScheduling {
#[inline]
pub fn new(limit: u8) -> Self {
Self { counters: [limit; MAX_TASKS], limit }
}
}

impl SchedulingPlan for NondetFairScheduling {
#[cfg(kani)]
fn pick_task(&mut self, num_tasks: usize) -> (usize, bool) {
if self.counters[0..num_tasks] == [0; MAX_TASKS][0..num_tasks] {
self.counters = [self.limit; MAX_TASKS];
}
let index = kani::any();
kani::assume(index < num_tasks);
kani::assume(self.counters[index] > 0);
self.counters[index] -= 1;
(index, true)
}

#[cfg(not(kani))]
fn pick_task(&mut self, _num_tasks: usize) -> (usize, bool) {
panic!("Nondeterministic scheduling is only available when running Kani.")
}
}

pub(crate) struct Scheduler {
/// Using a Vec instead of an array makes the runtime jump from 40s to almost 10min if using Vec::with_capacity and leads to out of memory with Vec::new (even with 64 GB RAM).
tasks: [Option<BoxFuture>; MAX_TASKS],
num_tasks: usize,
num_running: usize,
}

impl Scheduler {
/// Creates a scheduler with an empty task list
#[inline]
pub(crate) const fn new() -> Scheduler {
const INIT: Option<BoxFuture> = None;
Scheduler { tasks: [INIT; MAX_TASKS], num_tasks: 0, num_running: 0 }
}

/// Adds a future to the scheduler's task list, returning a JoinHandle
#[inline] // to work around linking issue
pub(crate) fn spawn<F: Future<Output = ()> + Sync + 'static>(&mut self, fut: F) -> JoinHandle {
let index = self.num_tasks;
self.tasks[index] = Some(Box::pin(fut));
self.num_tasks += 1;
self.num_running += 1;
JoinHandle { index }
}

/// Runs the scheduler with the given scheduling plan until all tasks have completed
#[inline] // to work around linking issue
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
fn run(&mut self, mut scheduling_plan: impl SchedulingStrategy) {
let waker = unsafe { Waker::from_raw(NOOP_RAW_WAKER) };
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
let cx = &mut Context::from_waker(&waker);
while self.num_running > 0 {
let (index, can_assume_running) = scheduling_plan.pick_task(self.num_tasks);
let task = &mut self.tasks[index];
if let Some(fut) = task.as_mut() {
match fut.as_mut().poll(cx) {
std::task::Poll::Ready(()) => {
self.num_running -= 1;
let _prev = std::mem::replace(task, None);
}
std::task::Poll::Pending => (),
}
} else if can_assume_running {
crate::assume(false); // useful so that we can assume that a nondeterministically picked task is still running
}
}
}

/// Polls the given future and the tasks it may spawn until all of them complete
#[inline] // to work around linking issue
fn block_on<F: Future<Output = ()> + Sync + 'static>(
&mut self,
fut: F,
scheduling_plan: impl SchedulingStrategy,
) {
self.spawn(fut);
self.run(scheduling_plan);
}
}

/// Result of spawning a task.
///
/// If you `.await` a JoinHandle, this will wait for the spawned task to complete.
pub struct JoinHandle {
index: usize,
}

impl Future for JoinHandle {
type Output = ();

fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> std::task::Poll<Self::Output> {
if unsafe { EXECUTOR.tasks[self.index].is_some() } {
std::task::Poll::Pending
} else {
cx.waker().wake_by_ref(); // For completeness. But Kani currently ignores wakers.
std::task::Poll::Ready(())
}
}
}

#[inline] // to work around linking issue
pub fn spawn<F: Future<Output = ()> + Sync + 'static>(fut: F) -> JoinHandle {
unsafe { EXECUTOR.spawn(fut) }
}

/// Polls the given future and the tasks it may spawn until all of them complete
///
/// Contrary to [`block_on`], this allows `spawn`ing other futures
#[inline] // to work around linking issue
pub fn spawnable_block_on<F: Future<Output = ()> + Sync + 'static>(
fut: F,
scheduling_plan: impl SchedulingStrategy,
) {
unsafe {
EXECUTOR.block_on(fut, scheduling_plan);
}
}

/// Suspends execution of the current future, to allow the scheduler to poll another future
///
/// Specifically, it returns a future that
#[inline] // to work around linking issue
pub fn yield_now() -> impl Future<Output = ()> {
struct YieldNow {
yielded: bool,
}

impl Future for YieldNow {
type Output = ();

fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> std::task::Poll<Self::Output> {
if self.yielded {
cx.waker().wake_by_ref(); // For completeness. But Kani currently ignores wakers.
std::task::Poll::Ready(())
} else {
self.yielded = true;
std::task::Poll::Pending
}
}
}

YieldNow { yielded: false }
}
4 changes: 3 additions & 1 deletion library/kani/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,9 @@ pub mod vec;
pub use arbitrary::Arbitrary;
#[cfg(feature = "concrete_playback")]
pub use concrete_playback::concrete_playback_run;
pub use futures::block_on;
pub use futures::{
block_on, spawn, spawnable_block_on, yield_now, NondeterministicScheduling, RoundRobin,
};

/// Creates an assumption that will be valid after this statement run. Note that the assumption
/// will only be applied for paths that follow the assumption. If the assumption doesn't hold, the
Expand Down
49 changes: 49 additions & 0 deletions tests/kani/AsyncAwait/spawn.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
// Copyright Kani Contributors
// SPDX-License-Identifier: Apache-2.0 OR MIT
//
// compile-flags: --edition 2018

//! This file tests the executor and spawn infrastructure from the Kani library.

use std::sync::{
atomic::{AtomicI64, Ordering},
Arc,
};

#[kani::proof]
#[kani::unwind(4)]
fn deterministic_schedule() {
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
let x = Arc::new(AtomicI64::new(0)); // Surprisingly, Arc verified faster than Rc
let x2 = x.clone();
spawnable_block_on(
async move {
let x3 = x2.clone();
spawn(async move {
x3.fetch_add(1, Ordering::Relaxed);
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
});
yield_now().await;
x2.fetch_add(1, Ordering::Relaxed);
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
},
RoundRobin::default(),
fzaiser marked this conversation as resolved.
Show resolved Hide resolved
);
assert_eq!(x.load(Ordering::Relaxed), 2);
}

#[kani::proof]
#[kani::unwind(4)]
fn nondeterministic_schedule() {
let x = Arc::new(AtomicI64::new(0)); // Surprisingly, Arc verified faster than Rc
let x2 = x.clone();
spawnable_block_on(
async move {
let x3 = x2.clone();
spawn(async move {
x3.fetch_add(1, Ordering::Relaxed);
});
yield_now().await;
x2.fetch_add(1, Ordering::Relaxed);
},
NondetFairScheduling::new(2),
);
assert_eq!(x.load(Ordering::Relaxed), 2);
}