Challenge 18: Verify the safety of slice iter functions
- Status: Open
- Tracking Issue: #282
- Start date: 2025-03-07
- End date: 2025-10-17
- Reward: 10000 USD
Goal
Part 1:
Verify the safety of Iterator functions of std::slice generated by iterator! and forward_iterator! macros that are defined in (library/core/src/slice/iter/macros.rs):
to generate impl for Iter, IterMut, SplitN, SplitNMut, RSplitN, RSplitNMut in (library/core/src/slice/iter.rs):
iterator! {struct Iter -> *const T, &'a T, const, {/* no mut */}, as_ref, {
fn is_sorted_by<F>(self, mut compare: F) -> bool
where
Self: Sized,
F: FnMut(&Self::Item, &Self::Item) -> bool,
{
self.as_slice().is_sorted_by(|a, b| compare(&a, &b))
}
}}
iterator! {struct IterMut -> *mut T, &'a mut T, mut, {mut}, as_mut, {}}
forward_iterator! { SplitN: T, &'a [T] }
forward_iterator! { RSplitN: T, &'a [T] }
forward_iterator! { SplitNMut: T, &'a mut [T] }
forward_iterator! { RSplitNMut: T, &'a mut [T] }
Part 2:
Verify the safety of Iterator functions of std::slice that are defined in (library/core/src/slice/iter.rs).
Success Criteria
Part 1: In (library/core/src/slice/iter/macros.rs)
Prove absence of undefined behaviors of following safe functions that contain unsafe code:
| Function |
|---|
| make_slice |
| len |
| is_empty |
| next |
| size_hint |
| count |
| nth |
| advance_by |
| last |
| fold |
| for_each |
| position |
| rposition |
| next_back |
| nth_back |
| advance_back_by |
Part 2: In (library/core/src/slice/iter.rs)
Write and prove the contract for the safety of the following unsafe functions:
| Function | Impl for |
|---|---|
| __iterator_get_unchecked | Windows |
| __iterator_get_unchecked | Chunks |
| __iterator_get_unchecked | ChunksMut |
| __iterator_get_unchecked | ChunksExact |
| __iterator_get_unchecked | ChunksExact |
| __iterator_get_unchecked | ArrayChunks |
| __iterator_get_unchecked | ArrayChunksMut |
| __iterator_get_unchecked | RChunks |
| __iterator_get_unchecked | RChunksMut |
| __iterator_get_unchecked | RChunksExact |
| __iterator_get_unchecked | RChunksExactMut |
Prove absence of undefined behaviors of following safe functions that contain unsafe code:
| Function | Impl for |
|---|---|
| new | Iter |
| new | IterMut |
| into_slice | IterMut |
| as_mut_slice | IterMut |
| next | Split |
| next_back | Split |
| next_back | Chunks |
| next | ChunksMut |
| nth | ChunksMut |
| next_back | ChunksMut |
| nth_back | ChunksMut |
| new | ChunksExact |
| new | ChunksExactMut |
| next | ChunksExactMut |
| nth | ChunksExactMut |
| next_back | ChunksExactMut |
| nth_back | ChunksExactMut |
| next | ArrayWindows |
| nth | ArrayWindows |
| next_back | ArrayWindows |
| nth_back | ArrayWindows |
| next | RChunks |
| next_back | RChunks |
| next | RChunksMut |
| nth | RChunksMut |
| last | RChunksMut |
| next_back | RChunksMut |
| nth_back | RChunksMut |
| new | RChunksExact |
| new | RChunksExactMut |
| next | RChunksExactMut |
| nth | RChunksExactMut |
| next_back | RChunksExactMut |
| nth_back | RChunksExactMut |
The verification must be unbounded---it must hold for slices of arbitrary length.
The verification must hold for generic type T (no monomorphization).
List of UBs
All proofs must automatically ensure the absence of the following undefined behaviors ref:
- Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
- Reading from uninitialized memory except for padding or unions.
- Mutating immutable bytes.
- Producing an invalid value
Note: All solutions to verification challenges need to satisfy the criteria established in the challenge book in addition to the ones listed above.