Challenge 11: Safety of Methods for Numeric Primitive Types
- Status: Open
- Tracking Issue: #59
- Start date: 2024-08-20
- End date: 2024-12-10
Goal
Verify the safety of public unsafe methods for floats and integers in core::num.
To find the documentation for these methods, navigate first to the core::num documentation, then click on the appropriate primitive type in the left-side menu bar. For example, for i8::unchecked_add, click on i8.
Success Criteria
Part 1: Unsafe Integer Methods
Prove the absence of arithmetic overflow/underflow and undefined behavior in the following methods for each of the listed integer types, given that their safety preconditions are satisfied:
| Method | Integer Types |
|---|---|
unchecked_add | i8, i16, i32, i64, i128, u8, u16, u32, u64, u128 |
unchecked_sub | i8, i16, i32, i64, i128, u8, u16, u32, u64, u128 |
unchecked_mul | i8, i16, i32, i64, i128, u8, u16, u32, u64, u128 |
unchecked_shl | i8, i16, i32, i64, i128, u8, u16, u32, u64, u128 |
unchecked_shr | i8, i16, i32, i64, i128, u8, u16, u32, u64, u128 |
unchecked_neg | i8, i16, i32, i64, i128 |
Part 2: Safe API Verification
Now, verify some of the safe APIs that leverage the unsafe integer methods from Part 1. Verify the absence of arithmetic overflow/underflow and undefined behavior of the following methods for each of the listed integer types:
| Method | Integer Types |
|---|---|
wrapping_shl | i8, i16, i32, i64, i128, u8, u16, u32, u64, u128 |
wrapping_shr | i8, i16, i32, i64, i128, u8, u16, u32, u64, u128 |
widening_mul | u8, u16, u32, u64 |
carrying_mul | u8, u16, u32, u64 |
Part 3: Float to Integer Conversion
Verify the absence of arithmetic overflow/underflow and undefined behavior in to_int_unchecked for f16, f32, f64, and f128.
List of UBs
In addition to any properties called out as SAFETY comments in the source code, all proofs must automatically ensure the absence of the following undefined behaviors:
- Invoking undefined behavior via compiler intrinsics.
- Reading from uninitialized memory.
- Mutating immutable bytes.
- Producing an invalid value.
Note: All solutions to verification challenges need to satisfy the criteria established in the challenge book in addition to the ones listed above.