You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We were wondering about Kani's default behaviour with respect to pre and postconditions.
In modular verification, when we encounter a function call, we would normally want to guarantee (assert) its precondition and assume its postcondition (e.g., if a function f1() that we're verifying calls another function f2() that has a contract, we would want to guarantee f2()'s preconditions just prior to the call, and assume its postconditions right after the call). This is currently possible in Kani via stubbing (#[kani::stub_verified(f2)]).
What we were wondering in particular is whether, in the situation where we are calling f2() from f1() (where f1() would be a #[kani::proof] for instance), it would be better for Kani to assert the preconditions and assume the postconditions of f2(), as it currently would if we were stubbing f2(). It seems that the current default behaviour in the absence of a #[kani::stub_verified] is to symbolically execute f2() (via inlining). We suspect that stubbing could be a better default behaviour (to leverage assume/guarantee reasoning and to support recursion), but are wondering what the thought process here is.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Hi,
We were wondering about Kani's default behaviour with respect to pre and postconditions.
In modular verification, when we encounter a function call, we would normally want to guarantee (assert) its precondition and assume its postcondition (e.g., if a function
f1()that we're verifying calls another functionf2()that has a contract, we would want to guaranteef2()'s preconditions just prior to the call, and assume its postconditions right after the call). This is currently possible in Kani via stubbing (#[kani::stub_verified(f2)]).What we were wondering in particular is whether, in the situation where we are calling
f2()fromf1()(wheref1()would be a#[kani::proof]for instance), it would be better for Kani to assert the preconditions and assume the postconditions off2(), as it currently would if we were stubbingf2(). It seems that the current default behaviour in the absence of a#[kani::stub_verified]is to symbolically executef2()(via inlining). We suspect that stubbing could be a better default behaviour (to leverage assume/guarantee reasoning and to support recursion), but are wondering what the thought process here is.Thanks!
Beta Was this translation helpful? Give feedback.
All reactions