Skip to content

Add panics_if precondition to express panic-freedom #4230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add panics_if precondition to express panic-freedom #4230

wants to merge 1 commit into from

Conversation

tautschnig
Copy link
Member

Implements a solution towards #3567, following up on the RFC discussion in #3893.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@tautschnig
Add panics_if precondition to express panic-freedom
5710b26 
Implements a solution towards model-checking#3567, following up on the RFC discussion
in model-checking#3893.
@tautschnig tautschnig self-assigned this Jul 16, 2025
@github-actions github-actions bot added Z-EndToEndBenchCI Tag a PR to run benchmark CI Z-CompilerBenchCI Tag a PR to run benchmark CI labels Jul 16, 2025
remi-delmas-3000
remi-delmas-3000 requested changes Jul 21, 2025
View reviewed changes
library/kani_macros/src/sysroot/contracts/check.rs
@@ -29,6 +29,12 @@ impl<'a> ContractConditionsHandler<'a> {
#(#body_stmts)*
})
}
ContractConditionsData::PanicsIf { attr } => {
quote!({
kani::assume(!(#attr));
Copy link
Contributor

@remi-delmas-3000 remi-delmas-3000 Jul 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we instead name that clause may_panic_if ? the current encoding checks that the function does not panic when the negation of the condition holds, not that it panics when the condition holds. The function may or may not panic when this condition does not hold.

Suggestion: add two clauses:

  • no_panic_if(P), specifies panic-freedom conditions (passes if function does not panic whenever the condition holds)

    • verified by checking that function does not panic under kani::assume(P);
    • or by checking that when function panics then !P held initially on inputs

  • panic_if(Q): specifies panic conditions (passes if function panics whenever the condition holds)

    • verified by checking that function panics under kani::assume(Q);
      • or by check that when function does not panics then !Q held initially on inputs

  • consistency check: assert!(!P || !Q); (are the conditions disjoint?)

  • completeness check : assert!(P || Q); (are we covering the whole input space?)

  • if both consistency and completeness hold we have a partition of the input domain

@tautschnig tautschnig mentioned this pull request Jul 28, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Jul 30, 2025
@tautschnig
Add unstable option prove-safety-only (#4239)
05b6252 
Compute verification results under the assumption that no panic occurs.
This enables safety verification, i.e., proving the absence of undefined
behavior without being distracted by panics which Kani, otherwise, also
reports as verification failures. #4230 was an efforts towards the same
goal, but required manual annotation of the conditions under which a
panic may occur (and may hide undefined behavior when either the given
specifications are too broad or when undefined behavior arises on a path
to a panic).

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 and MIT licenses.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@remi-delmas-3000 remi-delmas-3000 remi-delmas-3000 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@tautschnig tautschnig

Labels
Z-CompilerBenchCI Tag a PR to run benchmark CI Z-EndToEndBenchCI Tag a PR to run benchmark CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tautschnig @remi-delmas-3000