Skip to content

Commit 7b857e9

Browse files
gregorymakodzebagregorymakodzeba
authored
Update kmir.md
Added description clarifying KMIR's approach to handling undefined behavior (UB) in Rust’s MIR. This section explains KMIR’s refusal-to-execute strategy and how UB is handled during symbolic execution to ensure soundness guarantees.
1 parent 3818143 commit 7b857e9

1 file changed

Lines changed: 17 additions & 4 deletions

File tree

doc/src/tools/kmir.md

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -44,10 +44,23 @@ Using the K semantics of Stable MIR, the KMIR execution of an entire Rust
4444
program represented as Stable MIR breaks down to a series of configuration
4545
rewrites that compute data held in local variables, and the program may either
4646
terminate normally or reach an exception or construct with undefined behaviour,
47-
which terminates the execution abnormally. Programs modelled in K Framework can
48-
be executed _symbolically_, i.e., operating on abstract input which is not fully
49-
specified but characterised by _path conditions_ (e.g., that an integer variable
50-
holds an unknown but non-negative value).
47+
which terminates the execution abnormally. KMIR is designed to provide sound
48+
assurances about undefined behavior (UB) in Rust’s MIR. Rather than statically
49+
over‑approximating or flagging UB at every unsafe block, KMIR models the full
50+
MIR semantics, including UB transitions, use a **refusal-to-execute** strategy.
51+
This means that if symbolic execution reaches a MIR instruction and cannot prove
52+
that executing it would not result in UB (e.g., an out-of-bounds pointer dereference
53+
or an unchecked arithmetic overflow), execution halts in a `UB DETECTED` state.
54+
This state cannot be unified with a valid target state in the proof, so the proof
55+
fails. KMIR systematically explores all feasible paths under the user-supplied
56+
preconditions. Only when **every** path terminates without hitting UB *and*
57+
satisfies the target property does KMIR declare the program UB-free (and correct
58+
for the property). This ensures that any “no UB” claim holds under the sole assumption
59+
that KMIR’s implementation is correct.
60+
61+
Programs modelled in K Framework can be executed _symbolically_, i.e., operating
62+
on abstract input which is not fully specified but characterized by _path conditions_
63+
(e.g., that an integer variable holds an unknown but non-negative value).
5164

5265
K (and thus KMIR) verifies program correctness by performing an
5366
_all-path-reachability proof_ using the symbolic execution engine and verifier

0 commit comments

Comments
 (0)