Verify Rust Standard Library - Challenge 11: Safety of Methods for Numeric Primitive Types (#985)

This PR adds infrastructure for verify-rust-std
([docs](https://model-checking.github.io/verify-rust-std/) /
[github](https://github.com/model-checking/verify-rust-std/))
challenges. challenges and implements [Challenge 11: Safety of Methods
for Numeric
Primitives](https://model-checking.github.io/verify-rust-std/challenges/0011-floats-ints.html):

- Proof harnesses verifying correctness under preconditions (symbolic
inputs)
- Fail harnesses verifying UB detection when preconditions are violated,
with expected output
   files
  - All verify-rust-std proofs run with `--terminate-on-thunk`
  - K simplification lemmas added for shift mask identities

Part 3 (floats) is blocked: KMIR lacks float value support. Harnesses
exist in to_int_unchecked-fail.rs and should be moved to
to_int_unchecked.rs once passing.

Progress

Part 1 - Unsafe Integer Methods (`i8`–`i128`, `u8`–`u128`). Proofs for
soundness and proofs catching UB:
- [x] `unchecked_add`
- [x] `unchecked_sub`
- [x] `unchecked_mul`
- [x] `unchecked_shl`
- [x] `unchecked_shr`
- [x] `unchecked_neg` (signed only)


Part 2 - Safe API Verification. Proofs for soundness:
- [x] `wrapping_shl` (`i8`–`i128`, `u8`–`u128`)
- [x] `wrapping_shr` (`i8`–`i128`, `u8`–`u128`)
- [x] `widening_mul` (`u8`–`u64`)
- [x] `carrying_mul` (`u8`–`u64`)

Part 3 — Float to Integer Conversion: 
- [ ] `to_int_unchecked` (`f16`, `f32`, `f64`, `f128`) See "Floats"
section below

### Floats
#995 added preliminary float support for KMIR, however due to conflicts
with expected behaviours with floats in the [Solana equivalance proof
harness'](https://github.com/runtimeverification/solana-token/tree/proofs/specs/shared)
they have since been reverted. Concrete and symbolic floats will be
revisited in future work.

For contributors: The haskell backend does not contain a float module
and will fail for any float hooks. This means that symbolic floats or
any float expression that is not able to be rewritten by the booster
backend or simplified / executed by the LLVM backend will fail. While
verification of floats as mapping to real numbers remains open research,
bitvector verification is well defined and would be sufficient to solve
this verification problem. If A. a Float.hs module was added to the
haskell-backend, and B. the z3 dependency was connected to solve queries
such as this with bitvectors, then I believe this challenge is
achievable.

Author: dkcumming

.github/workflows/test.yml

@@ -74,8 +74,12 @@ jobs:
             test-args: '-k "test_prove and not test_prove_termination"'
             parallel: 6
             timeout: 150
+          - name: 'Verify Rust Std'
+            test-args: '-k test_verify_rust_std'
+            parallel: 6
+            timeout: 60
           - name: 'Remainder'
-            test-args: '-k "not llvm and not test_run_smir_random and not test_exec_smir and not test_prove_termination and not test_prove"'
+            test-args: '-k "not llvm and not test_run_smir_random and not test_exec_smir and not test_prove_termination and not test_prove and not test_verify_rust_std"'
             parallel: 6
             timeout: 60
     steps:

Makefile

@@ -56,6 +56,10 @@ test-integration: stable-mir-json build
 	$(UV_RUN) pytest $(TOP_DIR)/kmir/src/tests/integration --maxfail=1 --verbose \
 			--durations=0 --numprocesses=$(PARALLEL) --dist=worksteal $(TEST_ARGS)
 
+test-verify-rust-std: stable-mir-json build
+	$(UV_RUN) pytest $(TOP_DIR)/kmir/src/tests/integration/test_integration.py::test_verify_rust_std --maxfail=1 --verbose \
+			--durations=0 --numprocesses=$(PARALLEL) --dist=worksteal $(TEST_ARGS)
+
 .PHONY: test-stable-mir-ui
 test-stable-mir-ui: stable-mir-json build
 	@test -n "$(RUST_DIR_ROOT)" || (echo "RUST_DIR_ROOT is required. Example: RUST_DIR_ROOT=/path/to/rust make test-stable-mir-ui"; exit 2)

kmir/src/kmir/kdist/mir-semantics/lemmas/kmir-lemmas.md

@@ -163,6 +163,17 @@ power of two but the semantics will always operate with these particular ones.
   rule VAL &Int bitmask128 => VAL requires 0 <=Int VAL andBool VAL <=Int bitmask128 [simplification, preserves-definedness, smt-lemma]
 ```
 
+Shift operations like `wrapping_shl` mask the shift amount with `BITS - 1` (e.g., `rhs & 7` for `u8`).
+When the shift amount is already known to be less than `BITS`, the mask is a no-op.
+
+```k
+  rule VAL &Int 7   => VAL requires 0 <=Int VAL andBool VAL <Int 8   [simplification, preserves-definedness, smt-lemma]
+  rule VAL &Int 15  => VAL requires 0 <=Int VAL andBool VAL <Int 16  [simplification, preserves-definedness, smt-lemma]
+  rule VAL &Int 31  => VAL requires 0 <=Int VAL andBool VAL <Int 32  [simplification, preserves-definedness, smt-lemma]
+  rule VAL &Int 63  => VAL requires 0 <=Int VAL andBool VAL <Int 64  [simplification, preserves-definedness, smt-lemma]
+  rule VAL &Int 127 => VAL requires 0 <=Int VAL andBool VAL <Int 128 [simplification, preserves-definedness, smt-lemma]
+```
+
 Repeated bit-masking can be simplified in an even more general way:
 
 ```k

kmir/src/tests/integration/data/verify-rust-std/0011-floats-ints/README.md

@@ -0,0 +1,41 @@
+# Challenge 0011: Safety of Methods for Numeric Primitive Types
+
+Tests for [verify-rust-std challenge 0011](https://model-checking.github.io/verify-rust-std/challenges/0011-floats-ints.html), which verifies the safety of public unsafe methods for floats and integers in `core::num`.
+
+## Part 1: Unsafe Integer Methods
+
+All types: i8, i16, i32, i64, i128, u8, u16, u32, u64, u128
+
+- [x] `unchecked_add`
+- [x] `unchecked_sub`
+- [x] `unchecked_mul`
+- [x] `unchecked_shl`
+- [x] `unchecked_shr`
+
+Signed only: i8, i16, i32, i64, i128
+
+- [x] `unchecked_neg`
+
+## Part 2: Safe API Verification
+
+All types: i8, i16, i32, i64, i128, u8, u16, u32, u64, u128
+
+- [x] `wrapping_shl`
+- [x] `wrapping_shr`
+
+Unsigned only: u8, u16, u32, u64
+
+- [x] `widening_mul`
+- [x] `carrying_mul`
+
+## Part 3: Float to Integer Conversion
+
+TODO: Currently floats are unsupported. The required harnesses are stored in
+`to_int_unchecked-fail.txt` (renamed from `.rs` to exclude from tests). Once
+float support is added, this file should be renamed to `to_int_unchecked.rs`
+and tests that demonstrate KMIR catching `UB` should be added to
+`to_int_unchecked-fail.rs`.
+
+Types: f16, f32, f64, f128
+
+- [ ] `to_int_unchecked`

kmir/src/tests/integration/data/verify-rust-std/0011-floats-ints/carrying_mul.rs

@@ -0,0 +1,36 @@
+#![feature(bigint_helper_methods)]
+
+fn main() {
+    carrying_mul_u8(0, 0, 0);
+    carrying_mul_u16(0, 0, 0);
+    carrying_mul_u32(0, 0, 0);
+    carrying_mul_u64(0, 0, 0);
+}
+
+fn carrying_mul_u8(a: u8, b: u8, c: u8) {
+    let (lo, hi) = a.carrying_mul(b, c);
+    let expected = (a as u16) * (b as u16) + (c as u16);
+    assert!(lo == (expected as u8));
+    assert!(hi == ((expected >> u8::BITS) as u8));
+}
+
+fn carrying_mul_u16(a: u16, b: u16, c: u16) {
+    let (lo, hi) = a.carrying_mul(b, c);
+    let expected = (a as u32) * (b as u32) + (c as u32);
+    assert!(lo == (expected as u16));
+    assert!(hi == ((expected >> u16::BITS) as u16));
+}
+
+fn carrying_mul_u32(a: u32, b: u32, c: u32) {
+    let (lo, hi) = a.carrying_mul(b, c);
+    let expected = (a as u64) * (b as u64) + (c as u64);
+    assert!(lo == (expected as u32));
+    assert!(hi == ((expected >> u32::BITS) as u32));
+}
+
+fn carrying_mul_u64(a: u64, b: u64, c: u64) {
+    let (lo, hi) = a.carrying_mul(b, c);
+    let expected = (a as u128) * (b as u128) + (c as u128);
+    assert!(lo == (expected as u64));
+    assert!(hi == ((expected >> u64::BITS) as u64));
+}

kmir/src/tests/integration/data/verify-rust-std/0011-floats-ints/show/unchecked_add-fail.unchecked_add_i128.expected

@@ -0,0 +1,34 @@
+
+┌─ 1 (root, init)
+│   #execTerminator ( terminator ( ... kind: terminatorKindCall ( ... func: operandC
+│   span: 0
+│
+│  (56 steps)
+├─ 3
+│   #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 128 , true ) , Intege
+│   span: 301
+┃
+┃ (1 step)
+┣━━┓
+┃  │
+┃  ├─ 4
+┃  │   Integer ( truncate ( ARG_INT1:Int +Int ARG_INT2:Int , 128 , Signed ) , 128 , tru
+┃  │   span: 301
+┃  │
+┃  │  (70 steps)
+┃  ├─ 6 (terminal)
+┃  │   #EndProgram ~> .K
+┃  │
+┃  ┊  constraint: true
+┃  ┊  subst: ...
+┃  └─ 2 (leaf, target, terminal)
+┃      #EndProgram ~> .K
+┃
+┗━━┓
+   │
+   └─ 5 (leaf, terminal)
+       thunk ( #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 128 , true )
+       span: 301
+
+
+

kmir/src/tests/integration/data/verify-rust-std/0011-floats-ints/show/unchecked_add-fail.unchecked_add_i16.expected

@@ -0,0 +1,34 @@
+
+┌─ 1 (root, init)
+│   #execTerminator ( terminator ( ... kind: terminatorKindCall ( ... func: operandC
+│   span: 0
+│
+│  (56 steps)
+├─ 3
+│   #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 16 , true ) , Integer
+│   span: 115
+┃
+┃ (1 step)
+┣━━┓
+┃  │
+┃  ├─ 4
+┃  │   Integer ( truncate ( ARG_INT1:Int +Int ARG_INT2:Int , 16 , Signed ) , 16 , true
+┃  │   span: 115
+┃  │
+┃  │  (70 steps)
+┃  ├─ 6 (terminal)
+┃  │   #EndProgram ~> .K
+┃  │
+┃  ┊  constraint: true
+┃  ┊  subst: ...
+┃  └─ 2 (leaf, target, terminal)
+┃      #EndProgram ~> .K
+┃
+┗━━┓
+   │
+   └─ 5 (leaf, terminal)
+       thunk ( #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 16 , true ) ,
+       span: 115
+
+
+

kmir/src/tests/integration/data/verify-rust-std/0011-floats-ints/show/unchecked_add-fail.unchecked_add_i32.expected

@@ -0,0 +1,34 @@
+
+┌─ 1 (root, init)
+│   #execTerminator ( terminator ( ... kind: terminatorKindCall ( ... func: operandC
+│   span: 0
+│
+│  (56 steps)
+├─ 3
+│   #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 32 , true ) , Integer
+│   span: 146
+┃
+┃ (1 step)
+┣━━┓
+┃  │
+┃  ├─ 4
+┃  │   Integer ( truncate ( ARG_INT1:Int +Int ARG_INT2:Int , 32 , Signed ) , 32 , true
+┃  │   span: 146
+┃  │
+┃  │  (70 steps)
+┃  ├─ 6 (terminal)
+┃  │   #EndProgram ~> .K
+┃  │
+┃  ┊  constraint: true
+┃  ┊  subst: ...
+┃  └─ 2 (leaf, target, terminal)
+┃      #EndProgram ~> .K
+┃
+┗━━┓
+   │
+   └─ 5 (leaf, terminal)
+       thunk ( #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 32 , true ) ,
+       span: 146
+
+
+

kmir/src/tests/integration/data/verify-rust-std/0011-floats-ints/show/unchecked_add-fail.unchecked_add_i64.expected

@@ -0,0 +1,34 @@
+
+┌─ 1 (root, init)
+│   #execTerminator ( terminator ( ... kind: terminatorKindCall ( ... func: operandC
+│   span: 0
+│
+│  (56 steps)
+├─ 3
+│   #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 64 , true ) , Integer
+│   span: 177
+┃
+┃ (1 step)
+┣━━┓
+┃  │
+┃  ├─ 4
+┃  │   Integer ( truncate ( ARG_INT1:Int +Int ARG_INT2:Int , 64 , Signed ) , 64 , true
+┃  │   span: 177
+┃  │
+┃  │  (70 steps)
+┃  ├─ 6 (terminal)
+┃  │   #EndProgram ~> .K
+┃  │
+┃  ┊  constraint: true
+┃  ┊  subst: ...
+┃  └─ 2 (leaf, target, terminal)
+┃      #EndProgram ~> .K
+┃
+┗━━┓
+   │
+   └─ 5 (leaf, terminal)
+       thunk ( #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 64 , true ) ,
+       span: 177
+
+
+

kmir/src/tests/integration/data/verify-rust-std/0011-floats-ints/show/unchecked_add-fail.unchecked_add_i8.expected

@@ -0,0 +1,34 @@
+
+┌─ 1 (root, init)
+│   #execTerminator ( terminator ( ... kind: terminatorKindCall ( ... func: operandC
+│   span: 0
+│
+│  (56 steps)
+├─ 3
+│   #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 8 , true ) , Integer
+│   span: 53
+┃
+┃ (1 step)
+┣━━┓
+┃  │
+┃  ├─ 4
+┃  │   Integer ( truncate ( ARG_INT1:Int +Int ARG_INT2:Int , 8 , Signed ) , 8 , true )
+┃  │   span: 53
+┃  │
+┃  │  (70 steps)
+┃  ├─ 6 (terminal)
+┃  │   #EndProgram ~> .K
+┃  │
+┃  ┊  constraint: true
+┃  ┊  subst: ...
+┃  └─ 2 (leaf, target, terminal)
+┃      #EndProgram ~> .K
+┃
+┗━━┓
+   │
+   └─ 5 (leaf, terminal)
+       thunk ( #applyBinOp ( binOpAddUnchecked , Integer ( ARG_INT1:Int , 8 , true ) ,
+       span: 53
+
+
+