Skip to content

Commit 02a7a8c

Browse files
thanhnguyen-awstautschnigcarolynzech
authored
Add Challenges 20 21 22 for str Pattern and iter (#266)
This PR adds: - Challenge 20 21: for functions in str::pattern.rs - Challenge 22: for functions in str::iter.rs Resolves #ISSUE-NUMBER By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. --------- Co-authored-by: Michael Tautschnig <[email protected]> Co-authored-by: Carolyn Zech <[email protected]> Co-authored-by: Michael Tautschnig <[email protected]>
1 parent 38f4c41 commit 02a7a8c

File tree

4 files changed

+270
-0
lines changed

4 files changed

+270
-0
lines changed

doc/src/SUMMARY.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,3 +32,6 @@
3232
- [16: Verify the safety of Iterator functions](./challenges/0016-iter.md)
3333
- [17: Verify the safety of slice functions](./challenges/0017-slice.md)
3434
- [18: Verify the safety of slice iter functions](./challenges/0018-slice-iter.md)
35+
- [20: Verify the safety of char-related functions in str::pattern](./challenges/0020-str-pattern-pt1.md)
36+
- [21: Verify the safety of substring-related functions in str::pattern](./challenges/0021-str-pattern-pt2.md)
37+
- [22: Verify the safety of str iter functions](./challenges/0022-str-iter.md)
Lines changed: 103 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,103 @@
1+
# Challenge 20: Verify the safety of char-related functions in str::pattern
2+
3+
- **Status:** Open
4+
- **Tracking Issue:** [#277](https://github.com/model-checking/verify-rust-std/issues/277)
5+
- **Start date:** *2025-03-07*
6+
- **End date:** *2025-10-17*
7+
- **Reward:** *25000 USD*
8+
9+
-------------------
10+
## Goal
11+
Verify the safety of char-related `Searcher` methods in `str::pattern`.
12+
13+
## Motivation
14+
15+
String and `str` types are widely used in Rust programs, so it is important that their associated functions do not cause undefined behavior.
16+
17+
## Description
18+
19+
The following str library functions are generic over the `Pattern` trait (https://doc.rust-lang.org/std/str/pattern/trait.Pattern.html):
20+
- `contains`
21+
- `starts_with`
22+
- `ends_with`
23+
- `find`
24+
- `rfind`
25+
- `split`
26+
- `split_inclusive`
27+
- `rsplit`
28+
- `split_terminator`
29+
- `rsplit_terminator`
30+
- `splitn`
31+
- `rsplitn`
32+
- `split_once`
33+
- `rsplit_once`
34+
- `rmatches`
35+
- `match_indices`
36+
- `rmatch_indices`
37+
- `trim_matches`
38+
- `trim_start_matches`
39+
- `strip_prefix`
40+
- `strip_suffix`
41+
- `trim_end_matches`
42+
These functions accept a pattern as input, then call [into_searcher](https://doc.rust-lang.org/std/str/pattern/trait.Pattern.html#tymethod.into_searcher) to create a [Searcher](https://doc.rust-lang.org/std/str/pattern/trait.Pattern.html#associatedtype.Searcher) for the pattern. They use this `Searcher` to perform their desired operations (split, find, etc.).
43+
Those functions are implemented in (library/core/src/str/mod.rs), but the core of them are the searching algorithms which are implemented in (library/core/src/str/pattern.rs).
44+
45+
### Assumptions
46+
47+
**Important note:** for this challenge, you can assume:
48+
1. The safety and functional correctness of all functions in `slice` module.
49+
2. That all functions in (library/core/src/str/validations.rs) are functionally correct (consistent with the UTF-8 encoding description in https://en.wikipedia.org/wiki/UTF-8).
50+
3. That all the Searchers in (library/core/src/str/iter.rs) are created by the into_searcher(_, haystack) with haystack being a valid UTF-8 string (str). You can assume any UTF-8 string property of haystack.
51+
52+
Verify the safety of the functions in (library/core/src/str/pattern.rs) listed in the next section.
53+
54+
The safety properties we are targeting are:
55+
1. No undefined behavior occurs after the Searcher is created.
56+
2. The impls of unsafe traits `Searcher` and `ReverseSearcher` satisfy the SAFETY condition stated in the file:
57+
```
58+
/// The trait is marked unsafe because the indices returned by the
59+
/// [`next()`][Searcher::next] methods are required to lie on valid utf8
60+
/// boundaries in the haystack. This enables consumers of this trait to
61+
/// slice the haystack without additional runtime checks.
62+
```
63+
This property should hold for next_back() of `ReverseSearcher` too.
64+
65+
66+
### Success Criteria
67+
68+
Verify the safety of the following functions in (library/core/src/str/pattern.rs) :
69+
- `next`
70+
- `next_match`
71+
- `next_back`
72+
- `next_match_back`
73+
- `next_reject`
74+
- `next_back_reject`
75+
for the following `Searcher`s:
76+
- `CharSearcher`
77+
- `MultiCharEqSearcher`
78+
- `CharArraySearcher`
79+
- `CharArrayRefSearcher`
80+
- `CharSliceSearcher`
81+
- `CharPredicateSearcher`
82+
83+
The verification is considered successful if for each `Searcher` above, you can specify a condition (a "type invariant") `C` and prove that:
84+
1. If the `Searcher` is created from any valid UTF-8 haystack, it satisfies `C`.
85+
2. If the `Searcher` satisfies `C`, it ensures the two safety properties mentioned in the previous section.
86+
3. If the `Searcher` satisfies `C`, after it calls any function above and gets modified, it still satisfies `C`.
87+
88+
Furthermore, you must prove the absence of undefined behaviors listed in the next section.
89+
90+
The verification must be unbounded---it must hold for inputs of arbitrary size.
91+
92+
### List of UBs
93+
94+
All proofs must automatically ensure the absence of the following undefined behaviors [ref](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
95+
96+
* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
97+
* Reading from uninitialized memory except for padding or unions.
98+
* Mutating immutable bytes.
99+
* Producing an invalid value
100+
101+
102+
Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
103+
in addition to the ones listed above.
Lines changed: 97 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,97 @@
1+
# Challenge 21: Verify the safety of substring-related functions in str::pattern
2+
3+
- **Status:** Open
4+
- **Tracking Issue:** [#278](https://github.com/model-checking/verify-rust-std/issues/278)
5+
- **Start date:** *2025-03-07*
6+
- **End date:** *2025-10-17*
7+
- **Reward:** *25000 USD*
8+
9+
-------------------
10+
## Goal
11+
Verify the safety of `StrSearcher` implementation in `str::pattern`.
12+
13+
## Motivation
14+
15+
String and `str` types are widely used in Rust programs, so it is important that their associated functions do not cause undefined behavior.
16+
17+
## Description
18+
19+
The following str library functions are generic over the `Pattern` trait (https://doc.rust-lang.org/std/str/pattern/trait.Pattern.html):
20+
- `contains`
21+
- `starts_with`
22+
- `ends_with`
23+
- `find`
24+
- `rfind`
25+
- `split`
26+
- `split_inclusive`
27+
- `rsplit`
28+
- `split_terminator`
29+
- `rsplit_terminator`
30+
- `splitn`
31+
- `rsplitn`
32+
- `split_once`
33+
- `rsplit_once`
34+
- `rmatches`
35+
- `match_indices`
36+
- `rmatch_indices`
37+
- `trim_matches`
38+
- `trim_start_matches`
39+
- `strip_prefix`
40+
- `strip_suffix`
41+
- `trim_end_matches`
42+
These functions accept a pattern as input, then call [into_searcher](https://doc.rust-lang.org/std/str/pattern/trait.Pattern.html#tymethod.into_searcher) to create a [Searcher](https://doc.rust-lang.org/std/str/pattern/trait.Pattern.html#associatedtype.Searcher) for the pattern. They use this `Searcher` to perform their desired operations (split, find, etc.).
43+
Those functions are implemented in (library/core/src/str/mod.rs), but the core of them are the searching algorithms which are implemented in (library/core/src/str/pattern.rs).
44+
45+
### Assumptions
46+
47+
**Important note:** for this challenge, you can assume:
48+
1. The safety and functional correctness of all functions in `slice` module.
49+
2. That all functions in (library/core/src/str/validations.rs) are functionally correct (consistent with the UTF8 encoding description in https://en.wikipedia.org/wiki/UTF-8).
50+
3. That all the Searchers in (library/core/src/str/iter.rs) are created by the into_searcher(_, haystack) with haystack is a valid utf8 string (str). You can assume any utf8 string property of haystack.
51+
52+
Verify the safety of the functions in (library/core/src/str/pattern.rs) listed in the next section.
53+
54+
The safety properties we are targeting are:
55+
1. There is no UB happens when calling the functions after the Searcher is created.
56+
2. The impls of unsafe traits `Searcher` and `ReverseSearcher` satisfies the SAFETY condition stated in the file:
57+
```
58+
/// The trait is marked unsafe because the indices returned by the
59+
/// [`next()`][Searcher::next] methods are required to lie on valid utf8
60+
/// boundaries in the haystack. This enables consumers of this trait to
61+
/// slice the haystack without additional runtime checks.
62+
```
63+
This property should hold for next_back() of `ReverseSearcher` too.
64+
65+
66+
67+
### Success Criteria
68+
69+
Verify the safety of the following `StrSearcher` functions in (library/core/src/str/pattern.rs):
70+
- `next`
71+
- `next_match`
72+
- `next_back`
73+
- `next_match_back`
74+
- `next_reject`
75+
- `next_back_reject`
76+
77+
The verification is considered successful if you can specify a condition (a "type invariant") `C` and prove that:
78+
1. If the `StrSearcher` is created from any valid UTF-8 haystack, it satisfies `C`.
79+
2. If the `StrSearcher` satisfies `C`, it ensures the two safety properties mentioned in the previous section.
80+
3. If the `StrSearcher` satisfies `C`, after it calls any function above and gets modified, it still satisfies `C`.
81+
82+
Furthermore, you must prove the absence of undefined behaviors listed in the next section.
83+
84+
The verification must be unbounded---it must hold for inputs of arbitrary size.
85+
86+
### List of UBs
87+
88+
All proofs must automatically ensure the absence of the following undefined behaviors [ref](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
89+
90+
* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
91+
* Reading from uninitialized memory except for padding or unions.
92+
* Mutating immutable bytes.
93+
* Producing an invalid value
94+
95+
96+
Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
97+
in addition to the ones listed above.

doc/src/challenges/0022-str-iter.md

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
# Challenge 22: Verify the safety of `str` iter functions
2+
3+
- **Status:** Open
4+
- **Tracking Issue:** [#279](https://github.com/model-checking/verify-rust-std/issues/279)
5+
- **Start date:** *2025-03-07*
6+
- **End date:** *2025-10-17*
7+
- **Reward:** *10000*
8+
9+
-------------------
10+
11+
12+
## Goal
13+
14+
Verify the safety of [`std::str`] functions that are defined in (library/core/src/str/iter.rs):
15+
16+
## Motivation
17+
18+
String and `str` types are widely used in Rust programs, so it is important that their associated functions do not cause undefined behavior.
19+
## Description
20+
21+
**Important note:** for this challenge, you can assume:
22+
1. The safety and functional correctness of all functions in `slice` module.
23+
2. The safety and functional correctness of all functions in (library/core/src/str/pattern.rs).
24+
3. That all functions in (library/core/src/str/validations.rs) are functionally correct (consistent with the UTF-8 encoding description in https://en.wikipedia.org/wiki/UTF-8).
25+
4. That all the Iterators in (library/core/src/str/iter.rs) are derived from a valid UTF-8 string (str) (You can assume any property of valid UTF-8 encoded string).
26+
27+
28+
### Success Criteria
29+
30+
Prove the safety of the following safe functions that contain unsafe code:
31+
32+
33+
| Function | Impl for |
34+
|---------| ---------|
35+
|next| Chars|
36+
|advance_by| Chars|
37+
|next_back| Chars|
38+
|as_str| Chars|
39+
|get_end| SplitInternal|
40+
|next| SplitInternal|
41+
|next_inclusive| SplitInternal|
42+
|next_match_back| SplitInternal|
43+
|next_back_inclusive| SplitInternal|
44+
|remainder| SplitInternal|
45+
|next| MatchIndicesInternal|
46+
|next_back| MatchIndicesInternal|
47+
|next| MatchesInternal|
48+
|next_back| MatchesInternal|
49+
|remainder| SplitAsciiWhitespace|
50+
51+
Write and prove the safety contract for this unsafe function `__iterator_get_unchecked`
52+
53+
The verification must be unbounded---it must hold for str of arbitrary length.
54+
55+
56+
### List of UBs
57+
58+
All proofs must automatically ensure the absence of the following undefined behaviors [ref](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
59+
60+
* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
61+
* Reading from uninitialized memory except for padding or unions.
62+
* Mutating immutable bytes.
63+
* Producing an invalid value
64+
65+
66+
Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
67+
in addition to the ones listed above.

0 commit comments

Comments
 (0)