Skip to content

Verify safety of slice iterator functions with Kani (Challenge 18)#560

Draft
jrey8343 wants to merge 1 commit intomodel-checking:mainfrom
jrey8343:challenge-18-slice-iter
Draft

Verify safety of slice iterator functions with Kani (Challenge 18)#560
jrey8343 wants to merge 1 commit intomodel-checking:mainfrom
jrey8343:challenge-18-slice-iter

Conversation

@jrey8343
Copy link

@jrey8343 jrey8343 commented Mar 15, 2026
edited
Loading

Summary

52 Kani proof harnesses verifying safety of slice iterator functions in library/core/src/slice/iter.rs and iter/macros.rs, covering Part 1 (macro-generated functions) and Part 2 (direct iterator implementations).

Part 1: Macro Functions (Iter/IterMut)

Function Iter IterMut
next
next_back
nth
nth_back
advance_by
advance_back_by
len
is_empty
size_hint
count
fold
for_each
position
rposition
last

Part 2: Iterator Type Functions

Type Functions Covered
Iter new, clone, default, as_slice, as_ref, post_inc_start, pre_dec_end, next_back_unchecked
IterMut new, into_slice, as_mut_slice
Split next, next_back
Chunks next, next_back, __iterator_get_unchecked
ChunksMut next, nth, next_back, nth_back, __iterator_get_unchecked
ChunksExact new, __iterator_get_unchecked
ChunksExactMut next, nth, next_back, nth_back
RChunks next, next_back, __iterator_get_unchecked
RChunksMut next, nth, last, next_back, nth_back, __iterator_get_unchecked
RChunksExact new, __iterator_get_unchecked
RChunksExactMut next, nth, next_back, nth_back, __iterator_get_unchecked
ArrayWindows next, next_back (N=1,2,4), nth, nth_back (N=2,4)
Windows __iterator_get_unchecked

Verification approach

  • Symbolic inputs via kani::any() and kani::slice::any_slice_of_array
  • Arbitrary subslice construction with nondeterministic bounds
  • Concrete closures for predicate-based iterators (Split)
  • Monomorphized const generics for ArrayWindows (N=1,2,4)
  • Iter safety invariant checked via iter.is_safe() assertions

Test plan

  • Kani CI: All 52 harnesses pass via kani verify-std
  • No changes to runtime logic
  • Existing Iter harnesses (18) continue to pass

🤖 Generated with Claude Code

@jrey8343 jrey8343 requested a review from a team as a code owner March 15, 2026 20:37
@jrey8343
Copy link
Author

jrey8343 commented Mar 15, 2026

Note on "no monomorphization" requirement: We've asked for clarification on the tracking issue about whether Kani's representative-types approach (4 types covering all layout categories: ZST, small, validity-constrained, compound) satisfies this requirement. Kani fundamentally monomorphizes, so a VeriFast-based alternative is also being explored. See the tracking issue for details.

@jrey8343 jrey8343 marked this pull request as draft March 15, 2026 22:04
@jrey8343
Copy link
Author

jrey8343 commented Mar 15, 2026

Update on "generic T" requirement:

Same status as #559 — awaiting committee guidance on #281 re: representative types, and pursuing VeriFast &[T] support upstream (verifast/verifast#1001) for full generic-T coverage via separation logic.

Converting to draft until the path forward is clear.

@jrey8343 @claude
Verify safety of slice iterator functions with Kani (Challenge 18)
7a49318 
52 Kani proof harnesses covering iterator types across
library/core/src/slice/iter.rs and iter/macros.rs:

## Iter (existing 18 harnesses, extended)
- new, clone, count, default, as_slice, as_ref
- next, next_back, nth, nth_back, advance_by, advance_back_by
- is_empty, len, size_hint
- post_inc_start, pre_dec_end, next_back_unchecked (unsafe)
- Verified with: (), u8, char, (char, u8)

## IterMut (5 new harnesses)
- new, into_slice, as_mut_slice, next, next_back

## Split (2 new harnesses)
- next, next_back (with concrete predicate)

## Chunks (3 new harnesses)
- next, next_back, __iterator_get_unchecked

## ChunksMut (4 new harnesses)
- next, nth, next_back, nth_back

## ChunksExact / ChunksExactMut (5 new harnesses)
- new (ChunksExact), next/nth/next_back/nth_back (ChunksExactMut)

## RChunks / RChunksMut (7 new harnesses)
- next, next_back (RChunks)
- next, nth, last, next_back, nth_back (RChunksMut)

## RChunksExact / RChunksExactMut (5 new harnesses)
- new (RChunksExact)
- next, nth, next_back, nth_back (RChunksExactMut)

## ArrayWindows (5 new harnesses, const generic)
- next/next_back (N=1,2,4), nth/nth_back (N=2,4)

## Windows (1 new harness)
- __iterator_get_unchecked

## __iterator_get_unchecked (6 new harnesses)
- ChunksMut, ChunksExact, RChunks, RChunksMut, RChunksExact, RChunksExactMut

## Macro functions: fold, for_each, position, rposition (7 new harnesses)
- Iter: fold, for_each, position, rposition
- IterMut: fold, for_each, position

Resolves model-checking#282

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jrey8343 jrey8343 force-pushed the challenge-18-slice-iter branch from 0255442 to 7a49318 Compare March 17, 2026 22:40
@jrey8343 jrey8343 changed the title Verify safety of slice iterator functions (Challenge 18) Verify safety of slice iterator functions with Kani (Challenge 18) Mar 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jrey8343