Reject mutual recursion with #[kani::recursion]#4580
Merged
feliperodri merged 1 commit intomodel-checking:mainfrom Apr 22, 2026
Merged
Reject mutual recursion with #[kani::recursion]#4580feliperodri merged 1 commit intomodel-checking:mainfrom
#[kani::recursion]#4580feliperodri merged 1 commit intomodel-checking:mainfrom
Conversation
feliperodri
added
[C] Feature / Enhancement
github-actions
Bot
added
Z-EndToEndBenchCI
feliperodri
force-pushed
the
warn-mutual-recursion-contracts
branch
2 times, most recently
from
1c1e669 to
5b1c860
Compare
|
Should this be a warn or an error? |
rajath-mk
approved these changes
Apr 22, 2026
feliperodri
force-pushed
the
warn-mutual-recursion-contracts
branch
from
5b1c860 to
00c4ba2
Compare
feliperodri
changed the title
#[kani::recursion]#[kani::recursion]
feliperodri
force-pushed
the
warn-mutual-recursion-contracts
branch
3 times, most recently
from
5cd7305 to
0208e77
Compare
…recursion] The per-function REENTRY mechanism used by #[kani::recursion] only handles direct recursion (f calls f) soundly. For mutual recursion (f calls g, g calls f), the REENTRY flag for g is never set, so g's body executes fully instead of being replaced by its contract. This is a silent soundness gap — no error or warning was emitted. This change adds check_mutual_recursion() in the contract transform pass. When a function with #[kani::recursion] is being processed in RecursiveCheck mode, we scan its MIR body for calls to other functions that also have contracts AND #[kani::recursion]. For each such callee, we check if the callee's body calls back to the original function. If so, we emit a span_warn pointing at the call site. We require both has_contract() and has_recursion() on the callee because if the callee has a contract but no #[kani::recursion], Kani replaces the call with the contract abstraction — no mutual recursion occurs. Limitations: - Only detects one level of indirection (f->g->f), not deeper chains. - Reports only the first mutual-recursive callee per function. Includes a test case (mutual_recursion_unsound.rs) with two mutually recursive functions that triggers the warning.
feliperodri
force-pushed
the
warn-mutual-recursion-contracts
branch
from
0208e77 to
e1ccef1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Emit a compilation error when a function with
#[kani::recursion]is involved in mutual recursion. The per-function REENTRY mechanism only handles direct recursion soundly since mutual recursion silently produces unsound verification results.Contributes to #3316, #3273.
Problem
The
#[kani::recursion]attribute uses a per-function REENTRY flag to detect when a function calls itself, replacing the recursive call with the function's contract. For mutual recursion (fcallsg,gcallsf), the REENTRY flag forgis never set when verifyingf's contract, sog's body executes fully instead of being replaced by its contract. Verification succeeds but the result is meaningless — a silent soundness gap.Solution
check_mutual_recursion()in the contract transform pass scans the MIR body of functions inRecursiveCheckmode for calls to other functions that also have#[kani::recursion]and a contract. For each such callee, it checks if the callee's body calls back to the original function. If so, it emits aspan_err(not a warning) because the result would be unsound.This is an error rather than a warning because soundness violations should not be silently ignorable.
Limitations
Example error
Testing
mutual_recursion_unsound.rs— two mutually recursive functions (mutual_a↔mutual_b) with contracts and#[kani::recursion], verifying the error is emitted.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.