From 8e6b2122db0bb8122b0fca199b5f69896c6df7bc Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <tautschn@amazon.com>
Date: Thu, 17 Oct 2024 13:22:00 +0200
Subject: [PATCH 1/6] Add safety preconditions to
 alloc/src/collections/binary_heap/mod.rs

This diff adds `#[requires(...)]` attributes to the unsafe functions, translating the "SAFETY:" comments into code contracts. These contracts specify the preconditions that must be met for the function to be safely called.
---
 .../alloc/src/collections/binary_heap/mod.rs  | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/library/alloc/src/collections/binary_heap/mod.rs b/library/alloc/src/collections/binary_heap/mod.rs
index fe9f1010d327c..0f3579d540749 100644
--- a/library/alloc/src/collections/binary_heap/mod.rs
+++ b/library/alloc/src/collections/binary_heap/mod.rs
@@ -143,6 +143,11 @@
 #![allow(missing_docs)]
 #![stable(feature = "rust1", since = "1.0.0")]
 
+use safety::requires;
+#[cfg(kani)]
+#[unstable(feature="kani", issue="none")]
+use core::kani;
+
 use core::alloc::Allocator;
 use core::iter::{FusedIterator, InPlaceIterable, SourceIter, TrustedFused, TrustedLen};
 use core::mem::{self, swap, ManuallyDrop};
@@ -672,6 +677,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     /// # Safety
     ///
     /// The caller must guarantee that `pos < self.len()`.
+    #[requires(pos < self.len())]
     unsafe fn sift_up(&mut self, start: usize, pos: usize) -> usize {
         // Take out the value at `pos` and create a hole.
         // SAFETY: The caller guarantees that pos < self.len()
@@ -701,6 +707,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     /// # Safety
     ///
     /// The caller must guarantee that `pos < end <= self.len()`.
+    #[requires(pos < end && end <= self.len())]
     unsafe fn sift_down_range(&mut self, pos: usize, end: usize) {
         // SAFETY: The caller guarantees that pos < end <= self.len().
         let mut hole = unsafe { Hole::new(&mut self.data, pos) };
@@ -741,6 +748,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     /// # Safety
     ///
     /// The caller must guarantee that `pos < self.len()`.
+    #[requires(pos < self.len())]
     unsafe fn sift_down(&mut self, pos: usize) {
         let len = self.len();
         // SAFETY: pos < len is guaranteed by the caller and
@@ -757,6 +765,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     /// # Safety
     ///
     /// The caller must guarantee that `pos < self.len()`.
+    #[requires(pos < self.len())]
     unsafe fn sift_down_to_bottom(&mut self, mut pos: usize) {
         let end = self.len();
         let start = pos;
@@ -1897,3 +1906,37 @@ impl<'a, T: 'a + Ord + Copy, A: Allocator> Extend<&'a T> for BinaryHeap<T, A> {
         self.reserve(additional);
     }
 }
+
+#[cfg(kani)]
+#[unstable(feature="kani", issue="none")]
+mod verify {
+    use super::*;
+
+    // unsafe fn sift_up(&mut self, start: usize, pos: usize) -> usize
+    #[kani::proof_for_contract(impl<T::sift_up)]
+    pub fn check_sift_up() {
+        let obj : impl<T = kani::any();
+        let _ = obj.sift_up(kani::any(), kani::any());
+    }
+
+    // unsafe fn sift_down_range(&mut self, pos: usize, end: usize)
+    #[kani::proof_for_contract(impl<T::sift_down_range)]
+    pub fn check_sift_down_range() {
+        let obj : impl<T = kani::any();
+        let _ = obj.sift_down_range(kani::any(), kani::any());
+    }
+
+    // unsafe fn sift_down(&mut self, pos: usize)
+    #[kani::proof_for_contract(impl<T::sift_down)]
+    pub fn check_sift_down() {
+        let obj : impl<T = kani::any();
+        let _ = obj.sift_down(kani::any());
+    }
+
+    // unsafe fn sift_down_to_bottom(&mut self, mut pos: usize)
+    #[kani::proof_for_contract(impl<T::sift_down_to_bottom)]
+    pub fn check_sift_down_to_bottom() {
+        let obj : impl<T = kani::any();
+        let _ = obj.sift_down_to_bottom(kani::any());
+    }
+}

From 7e7b50b04c3eb7d92410cc20b758b513004a5c79 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <tautschn@amazon.com>
Date: Thu, 17 Oct 2024 12:31:53 +0000
Subject: [PATCH 2/6] Add safety dependency to alloc and std crates

Just as previously done for core: this will enable future use of
`safety::{ensures,requires}` in those crates.
---
 library/alloc/Cargo.toml | 1 +
 library/std/Cargo.toml   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/library/alloc/Cargo.toml b/library/alloc/Cargo.toml
index 1bd4434d4f7e9..7911be6579f4e 100644
--- a/library/alloc/Cargo.toml
+++ b/library/alloc/Cargo.toml
@@ -11,6 +11,7 @@ edition = "2021"
 [dependencies]
 core = { path = "../core" }
 compiler_builtins = { version = "0.1.123", features = ['rustc-dep-of-std'] }
+safety = { path = "../contracts/safety" }
 
 [dev-dependencies]
 rand = { version = "0.8.5", default-features = false, features = ["alloc"] }
diff --git a/library/std/Cargo.toml b/library/std/Cargo.toml
index e20fe9feff114..2d75324261318 100644
--- a/library/std/Cargo.toml
+++ b/library/std/Cargo.toml
@@ -26,6 +26,7 @@ hashbrown = { version = "0.14", default-features = false, features = [
 std_detect = { path = "../stdarch/crates/std_detect", default-features = false, features = [
     'rustc-dep-of-std',
 ] }
+safety = { path = "../contracts/safety" }
 
 # Dependencies of the `backtrace` crate
 rustc-demangle = { version = "0.1.24", features = ['rustc-dep-of-std'] }

From 806ea2ab1566e1ad3086b9631202871a90ddf529 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <tautschn@amazon.com>
Date: Thu, 17 Oct 2024 13:02:41 +0000
Subject: [PATCH 3/6] fixup! Add safety dependency to alloc and std crates

---
 library/alloc/src/lib.rs | 1 +
 library/std/src/lib.rs   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/library/alloc/src/lib.rs b/library/alloc/src/lib.rs
index 7aaa4e73df72c..00eaeee3b84e0 100644
--- a/library/alloc/src/lib.rs
+++ b/library/alloc/src/lib.rs
@@ -130,6 +130,7 @@
 #![feature(inplace_iteration)]
 #![feature(iter_advance_by)]
 #![feature(iter_next_chunk)]
+#![feature(kani)]
 #![feature(layout_for_ptr)]
 #![feature(local_waker)]
 #![feature(maybe_uninit_slice)]
diff --git a/library/std/src/lib.rs b/library/std/src/lib.rs
index 60969af3e8541..14195eba48522 100644
--- a/library/std/src/lib.rs
+++ b/library/std/src/lib.rs
@@ -269,6 +269,7 @@
 #![cfg_attr(any(windows, target_os = "uefi"), feature(round_char_boundary))]
 #![cfg_attr(target_family = "wasm", feature(stdarch_wasm_atomic_wait))]
 #![cfg_attr(target_arch = "wasm64", feature(simd_wasm64))]
+#![feature(kani)]
 //
 // Language features:
 // tidy-alphabetical-start

From c2b65cf4244467e058a3f6ae78c702fc2eea33ad Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <tautschn@amazon.com>
Date: Thu, 17 Oct 2024 13:38:46 +0000
Subject: [PATCH 4/6] fixup! Add safety dependency to alloc and std crates

---
 library/alloc/src/lib.rs | 2 +-
 library/std/src/lib.rs   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/alloc/src/lib.rs b/library/alloc/src/lib.rs
index 00eaeee3b84e0..d28c5a29df2b9 100644
--- a/library/alloc/src/lib.rs
+++ b/library/alloc/src/lib.rs
@@ -91,6 +91,7 @@
 //
 // Library features:
 // tidy-alphabetical-start
+#![cfg_attr(kani, feature(kani))]
 #![cfg_attr(not(no_global_oom_handling), feature(const_alloc_error))]
 #![cfg_attr(not(no_global_oom_handling), feature(const_btree_len))]
 #![feature(alloc_layout_extra)]
@@ -130,7 +131,6 @@
 #![feature(inplace_iteration)]
 #![feature(iter_advance_by)]
 #![feature(iter_next_chunk)]
-#![feature(kani)]
 #![feature(layout_for_ptr)]
 #![feature(local_waker)]
 #![feature(maybe_uninit_slice)]
diff --git a/library/std/src/lib.rs b/library/std/src/lib.rs
index 14195eba48522..3121ee8be8722 100644
--- a/library/std/src/lib.rs
+++ b/library/std/src/lib.rs
@@ -269,7 +269,7 @@
 #![cfg_attr(any(windows, target_os = "uefi"), feature(round_char_boundary))]
 #![cfg_attr(target_family = "wasm", feature(stdarch_wasm_atomic_wait))]
 #![cfg_attr(target_arch = "wasm64", feature(simd_wasm64))]
-#![feature(kani)]
+#![cfg_attr(kani, feature(kani))]
 //
 // Language features:
 // tidy-alphabetical-start

From 2ca4ee76093933f734183289ac0ac85e40e358db Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <tautschn@amazon.com>
Date: Thu, 17 Oct 2024 15:10:12 +0000
Subject: [PATCH 5/6] Fix harnesses

---
 .../alloc/src/collections/binary_heap/mod.rs  | 40 +++++++++++++------
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/library/alloc/src/collections/binary_heap/mod.rs b/library/alloc/src/collections/binary_heap/mod.rs
index 0f3579d540749..a9d6d16ca02c0 100644
--- a/library/alloc/src/collections/binary_heap/mod.rs
+++ b/library/alloc/src/collections/binary_heap/mod.rs
@@ -1913,30 +1913,46 @@ mod verify {
     use super::*;
 
     // unsafe fn sift_up(&mut self, start: usize, pos: usize) -> usize
-    #[kani::proof_for_contract(impl<T::sift_up)]
+    #[kani::proof_for_contract(BinaryHeap<T, A>::sift_up)]
     pub fn check_sift_up() {
-        let obj : impl<T = kani::any();
-        let _ = obj.sift_up(kani::any(), kani::any());
+        // TODO: this isn't exactly an arbitrary heap
+        let mut heap = BinaryHeap::new_in(Global);
+        heap.push(kani::any::<usize>());
+        unsafe {
+            let _ = heap.sift_up(kani::any(), kani::any());
+        }
     }
 
     // unsafe fn sift_down_range(&mut self, pos: usize, end: usize)
-    #[kani::proof_for_contract(impl<T::sift_down_range)]
+    #[kani::proof_for_contract(BinaryHeap<T, A>::sift_down_range)]
     pub fn check_sift_down_range() {
-        let obj : impl<T = kani::any();
-        let _ = obj.sift_down_range(kani::any(), kani::any());
+        // TODO: this isn't exactly an arbitrary heap
+        let mut heap = BinaryHeap::new_in(Global);
+        heap.push(kani::any::<usize>());
+        unsafe {
+            let _ = heap.sift_down_range(kani::any(), kani::any());
+        }
     }
 
     // unsafe fn sift_down(&mut self, pos: usize)
-    #[kani::proof_for_contract(impl<T::sift_down)]
+    #[kani::proof_for_contract(BinaryHeap<T, A>::sift_down)]
     pub fn check_sift_down() {
-        let obj : impl<T = kani::any();
-        let _ = obj.sift_down(kani::any());
+        // TODO: this isn't exactly an arbitrary heap
+        let mut heap = BinaryHeap::new_in(Global);
+        heap.push(kani::any::<usize>());
+        unsafe {
+            let _ = heap.sift_down(kani::any());
+        }
     }
 
     // unsafe fn sift_down_to_bottom(&mut self, mut pos: usize)
-    #[kani::proof_for_contract(impl<T::sift_down_to_bottom)]
+    #[kani::proof_for_contract(BinaryHeap<T, A>::sift_down_to_bottom)]
     pub fn check_sift_down_to_bottom() {
-        let obj : impl<T = kani::any();
-        let _ = obj.sift_down_to_bottom(kani::any());
+        // TODO: this isn't exactly an arbitrary heap
+        let mut heap = BinaryHeap::new_in(Global);
+        heap.push(kani::any::<usize>());
+        unsafe {
+            let _ = heap.sift_down_to_bottom(kani::any());
+        }
     }
 }

From 027385aae84244de98f3778c8b1cbcf4fceb90f9 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <tautschn@amazon.com>
Date: Fri, 18 Oct 2024 15:40:22 +0000
Subject: [PATCH 6/6] Add annotations required by Kani

---
 .../alloc/src/collections/binary_heap/mod.rs  | 30 ++++++++++++-------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/library/alloc/src/collections/binary_heap/mod.rs b/library/alloc/src/collections/binary_heap/mod.rs
index a9d6d16ca02c0..c6ae674e329df 100644
--- a/library/alloc/src/collections/binary_heap/mod.rs
+++ b/library/alloc/src/collections/binary_heap/mod.rs
@@ -678,6 +678,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     ///
     /// The caller must guarantee that `pos < self.len()`.
     #[requires(pos < self.len())]
+    #[cfg_attr(kani, kani::modifies(self.data.as_ptr()))]
     unsafe fn sift_up(&mut self, start: usize, pos: usize) -> usize {
         // Take out the value at `pos` and create a hole.
         // SAFETY: The caller guarantees that pos < self.len()
@@ -708,6 +709,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     ///
     /// The caller must guarantee that `pos < end <= self.len()`.
     #[requires(pos < end && end <= self.len())]
+    #[cfg_attr(kani, kani::modifies(self.data.as_ptr()))]
     unsafe fn sift_down_range(&mut self, pos: usize, end: usize) {
         // SAFETY: The caller guarantees that pos < end <= self.len().
         let mut hole = unsafe { Hole::new(&mut self.data, pos) };
@@ -749,6 +751,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     ///
     /// The caller must guarantee that `pos < self.len()`.
     #[requires(pos < self.len())]
+    #[cfg_attr(kani, kani::modifies(self.data.as_ptr()))]
     unsafe fn sift_down(&mut self, pos: usize) {
         let len = self.len();
         // SAFETY: pos < len is guaranteed by the caller and
@@ -766,6 +769,7 @@ impl<T: Ord, A: Allocator> BinaryHeap<T, A> {
     ///
     /// The caller must guarantee that `pos < self.len()`.
     #[requires(pos < self.len())]
+    #[cfg_attr(kani, kani::modifies(self.data.as_ptr()))]
     unsafe fn sift_down_to_bottom(&mut self, mut pos: usize) {
         let end = self.len();
         let start = pos;
@@ -1912,19 +1916,23 @@ impl<'a, T: 'a + Ord + Copy, A: Allocator> Extend<&'a T> for BinaryHeap<T, A> {
 mod verify {
     use super::*;
 
-    // unsafe fn sift_up(&mut self, start: usize, pos: usize) -> usize
-    #[kani::proof_for_contract(BinaryHeap<T, A>::sift_up)]
-    pub fn check_sift_up() {
-        // TODO: this isn't exactly an arbitrary heap
-        let mut heap = BinaryHeap::new_in(Global);
-        heap.push(kani::any::<usize>());
-        unsafe {
-            let _ = heap.sift_up(kani::any(), kani::any());
-        }
-    }
+    // TODO: Kani reports as failing property "Only a single top-level call", which does not
+    // obviously make sense. Requires investigation.
+    // // unsafe fn sift_up(&mut self, start: usize, pos: usize) -> usize
+    // #[kani::proof_for_contract(BinaryHeap<T, A>::sift_up)]
+    // #[kani::unwind(1)]
+    // pub fn check_sift_up() {
+    //     // TODO: this isn't exactly an arbitrary heap
+    //     let mut heap = BinaryHeap::new_in(Global);
+    //     heap.push(kani::any::<usize>());
+    //     unsafe {
+    //         let _ = heap.sift_up(kani::any(), kani::any());
+    //     }
+    // }
 
     // unsafe fn sift_down_range(&mut self, pos: usize, end: usize)
     #[kani::proof_for_contract(BinaryHeap<T, A>::sift_down_range)]
+    #[kani::unwind(1)]
     pub fn check_sift_down_range() {
         // TODO: this isn't exactly an arbitrary heap
         let mut heap = BinaryHeap::new_in(Global);
@@ -1936,6 +1944,7 @@ mod verify {
 
     // unsafe fn sift_down(&mut self, pos: usize)
     #[kani::proof_for_contract(BinaryHeap<T, A>::sift_down)]
+    #[kani::unwind(1)]
     pub fn check_sift_down() {
         // TODO: this isn't exactly an arbitrary heap
         let mut heap = BinaryHeap::new_in(Global);
@@ -1947,6 +1956,7 @@ mod verify {
 
     // unsafe fn sift_down_to_bottom(&mut self, mut pos: usize)
     #[kani::proof_for_contract(BinaryHeap<T, A>::sift_down_to_bottom)]
+    #[kani::unwind(1)]
     pub fn check_sift_down_to_bottom() {
         // TODO: this isn't exactly an arbitrary heap
         let mut heap = BinaryHeap::new_in(Global);