Add Kani proofs for MacroStateGuard pointer lifecycle (#313) #381

Draft
leynos wants to merge 1 commit into main from issue-313-kani-macro-state-guard

Conversation

leynos (Owner) commented Jun 13, 2026
Summary

Closes #313

Adds the four Kani proofs requested as a follow-up to #288, verifying the unsafe pointer lifecycle and thread-safety markers behind manifest macro caching.

Changes

  • src/manifest/jinja_macros/cache.rs:
    • extract the Box::into_raw / NonNull::new_unchecked / Box::from_raw dance into payload-agnostic helpers heap_leak_non_null / reclaim_heap_non_null, used verbatim by MacroStateGuard::new and its Drop so the proofs cover the real code;
    • a #[cfg(kani)] module with macro_state_guard_ptr_is_non_null, macro_state_guard_drop_is_safe, macro_instance_is_send, macro_instance_is_sync;
    • extend the MacroInstance::new SAFETY comment to state the precondition and reference the proofs by name.
  • Cargo.toml: register cfg(kani) under [lints.rust] (unexpected_cfgs check-cfg) so ordinary builds do not flag the gated proofs.
  • docs/developers-guide.md: refresh the formal-verification section to record that the first proof harnesses now exist.

Modelling note

Captured<'static> / State cannot be constructed or unwound by Kani, so (as the issue permits) the pointer proofs exercise the real helpers over a small Kani-constructible stand-in payload; the verified unsafe operations are independent of the payload type beyond its being non-zero-sized. The Send/Sync proofs assert the marker traits on the real MacroInstance.

Validation

  • rg '#\[kani::proof\]' src/manifest/jinja_macros/cache.rs → 4
  • Kani 0.67.0 (pinned): 4 successfully verified harnesses, 0 failures (run locally; CI kani-smoke validates independently).
  • make check-fmt / make markdownlint / make lint / make test — pass (37 suites; proofs gated out of ordinary builds).

🤖 Generated with Claude Code

`MacroInstance::new` transmutes a `Captured` to `Captured<'static>`,
and `MacroStateGuard` stores it as a `NonNull<Captured<'static>>` while
being declared `Send + Sync`. Neither the pointer lifecycle nor the
thread-safety markers had formal verification.

Extract the raw-pointer dance into payload-agnostic helpers,
`heap_leak_non_null` and `reclaim_heap_non_null`, which
`MacroStateGuard::new` and its `Drop` now use verbatim. Add a
`#[cfg(kani)]` module with four proofs:

- `macro_state_guard_ptr_is_non_null` — the leaked pointer is non-null
  and dereferences to the stored value;
- `macro_state_guard_drop_is_safe` — the Box → raw → Box round-trip
  neither leaks nor double-frees;
- `macro_instance_is_send` / `macro_instance_is_sync` — compile-time
  assertions of the marker traits.

`Captured`/`State` are too complex for Kani to construct, so the
pointer proofs run the real helpers over a small Kani-constructible
stand-in payload (the unsafe operations are independent of payload
type beyond non-zero size). Register `cfg(kani)` in `Cargo.toml` so
ordinary builds do not flag the gated module, extend the
`MacroInstance::new` SAFETY comment to reference the proofs by name,
and refresh the formal-verification section of the developers' guide.

Verified locally with Kani 0.67.0: 4 harnesses, 0 failures.
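To make the round-trip described above concrete, here is an added stand-alone Rust sketch. It is not the code from #381: `heap_leak_non_null` and `reclaim_heap_non_null` are assumed implementations of the helpers the description names, and `Guard`, `DropCounter`, `drops_after_roundtrip` and the harness names are hypothetical stand-ins for `MacroStateGuard` and the four proofs. The payload is a small Kani-constructible type, exactly as the modelling note suggests, and a drop counter lets the same round-trip be observed under plain `cargo test`.

```rust
use std::ptr::NonNull;
use std::sync::atomic::{AtomicUsize, Ordering};

/// Move `value` to the heap and return a pointer the caller now owns.
/// Assumed helper, modelled on the `heap_leak_non_null` named in the PR.
fn heap_leak_non_null<T>(value: T) -> NonNull<T> {
    let raw = Box::into_raw(Box::new(value));
    // SAFETY: `Box::into_raw` never yields a null pointer.
    unsafe { NonNull::new_unchecked(raw) }
}

/// Take back ownership of an allocation made by `heap_leak_non_null`.
///
/// # Safety
/// `ptr` must come from `heap_leak_non_null` and must not have been reclaimed
/// already; a second call on the same pointer would be a double free.
unsafe fn reclaim_heap_non_null<T>(ptr: NonNull<T>) -> Box<T> {
    Box::from_raw(ptr.as_ptr())
}

/// Hypothetical stand-in for `MacroStateGuard`: owns one leaked payload and
/// reclaims it exactly once in `Drop`.
struct Guard<T> {
    ptr: NonNull<T>,
}

impl<T> Guard<T> {
    fn new(value: T) -> Self {
        Self { ptr: heap_leak_non_null(value) }
    }

    fn get(&self) -> &T {
        // SAFETY: only `Drop` reclaims `ptr`, and `&self` proves it has not run.
        unsafe { self.ptr.as_ref() }
    }
}

impl<T> Drop for Guard<T> {
    fn drop(&mut self) {
        // SAFETY: `ptr` came from `heap_leak_non_null` in `new` and this is
        // the single reclaim, so there is neither a leak nor a double free.
        drop(unsafe { reclaim_heap_non_null(self.ptr) });
    }
}

// `NonNull<T>` is neither Send nor Sync. The guard owns `T` exclusively, like
// a `Box<T>`, so it can soundly inherit the payload's markers.
unsafe impl<T: Send> Send for Guard<T> {}
unsafe impl<T: Sync> Sync for Guard<T> {}

/// Compile-time marker check, the same shape as the Send/Sync proofs.
fn assert_send_sync<T: Send + Sync>() {}

fn guard_is_send_sync() -> bool {
    assert_send_sync::<Guard<u64>>();
    true
}

/// Constructed payload that counts its own drops, so the round-trip is
/// observable without Kani: exactly 1 drop means no leak and no double free.
static DROPS: AtomicUsize = AtomicUsize::new(0);
struct DropCounter;
impl Drop for DropCounter {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

/// Leak a payload into a guard, drop the guard, and report how many payload
/// drops ran.
fn drops_after_roundtrip() -> usize {
    let before = DROPS.load(Ordering::SeqCst);
    let guard = Guard::new(DropCounter);
    drop(guard);
    DROPS.load(Ordering::SeqCst) - before
}

#[cfg(kani)]
mod proofs {
    use super::*;

    #[kani::proof]
    fn guard_ptr_is_non_null() {
        let value: u64 = kani::any();
        let guard = Guard::new(value);
        assert!(!guard.ptr.as_ptr().is_null());
        assert_eq!(*guard.get(), value);
    }

    #[kani::proof]
    fn guard_drop_is_safe() {
        // Kani's memory-safety checks fail the harness on an invalid or
        // double free during the Box -> raw -> Box round-trip.
        let guard = Guard::new(kani::any::<u64>());
        drop(guard);
    }
}

fn main() {
    println!("payload drops after round-trip: {}", drops_after_roundtrip());
    println!("Guard<u64> is Send + Sync: {}", guard_is_send_sync());
}
```

Under ordinary `cargo build` the `proofs` module is compiled out; registering the cfg in `Cargo.toml` with `[lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(kani)'] }` keeps the `unexpected_cfgs` lint quiet, which is the registration the PR describes. `cargo kani` then runs the two harnesses over every `u64` payload value rather than a single sample.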
coderabbitai Bot (Contributor) commented Jun 13, 2026
Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Run configuration: Organization UI; review profile: ASSERTIVE; plan: Pro Plus; run ID: 02bdd53b-ebaf-4853-9fb8-fccb8b0e19ac.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

sourcery-ai Bot (Contributor) left a comment

Sorry @leynos, you have reached your weekly rate limit of 2500000 diff characters.

Please try again later or upgrade to continue using Sourcery


Development

Successfully merging this pull request may close these issues.

Add Kani formal verification for MacroStateGuard in src/manifest/jinja_macros/cache.rs