Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't write contracts for functions that return mutable references to input arguments #3764

Open
carolynzech opened this issue Dec 6, 2024 · 0 comments
Open

Can't write contracts for functions that return mutable references to input arguments #3764

carolynzech opened this issue Dec 6, 2024 · 0 comments
Labels
[C] Bug This is a bug. Something isn't working.
Milestone
Function Contracts

Comments

@carolynzech
Copy link
Contributor

I tried this code:

#[kani::requires(*val != 0)]
unsafe fn foo(val: &mut u8) -> &mut u8 {
    val
}

#[kani::proof]
fn harness() {
    let mut x: u8 = kani::any();
    unsafe { foo(&mut x) };
}

using the following command line invocation:

cargo kani

with Kani version: 0.56

I expected to see this happen: verification success

Instead, this happened:

error: captured variable cannot escape `FnMut` closure body
  --> src/lib.rs:12:5
   |
11 | unsafe fn foo(val: &mut u8) -> &mut u8 {
   |               ---              - inferred to be a `FnMut` closure
   |               |
   |               variable defined here
12 |     val
   |     ^^^
   |     |
   |     returns a reference to a captured variable which escapes the closure body
   |     variable captured here
   |
   = note: `FnMut` closures only have access to their captured variables while they are executing...
   = note: ...therefore, they cannot allow references to captured variables to escape

error: captured variable cannot escape `FnMut` closure body
  --> src/lib.rs:10:1
   |
10 | #[kani::requires(*val != 0)]
   | ^^^^^^^^^^^^^^^^^^---^^^^^^^
   | |                 |
   | |                 variable captured here
   | returns a reference to a captured variable which escapes the closure body
11 | unsafe fn foo(val: &mut u8) -> &mut u8 {
   |               ---              - inferred to be a `FnMut` closure
   |               |
   |               variable defined here
   |
   = note: `FnMut` closures only have access to their captured variables while they are executing...
   = note: ...therefore, they cannot allow references to captured variables to escape
   = note: this error originates in the attribute macro `kani::requires` (in Nightly builds, run with -Z macro-backtrace for more info)

This is a minimal reproducer of a problem encountered trying to write contracts for NonZero::from_mut_unchecked, which has this function signature:

pub unsafe fn from_mut_unchecked(n: &mut T) -> &mut Self
@carolynzech carolynzech added the [C] Bug This is a bug. Something isn't working. label Dec 6, 2024
@carolynzech carolynzech added this to the Function Contracts milestone Dec 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
[C] Bug This is a bug. Something isn't working.
Projects
None yet
Milestone
Function Contracts
Development

No branches or pull requests
1 participant
@carolynzech