unchecked multiplication and shift right

rajathkotyal · rajathkotyal · commit bbd75f7189ba · 2024-09-23T13:01:33.000-07:00
diff --git a/library/core/src/num/int_macros.rs b/library/core/src/num/int_macros.rs
@@ -817,6 +817,8 @@ macro_rules! int_impl {
                       without modifying the original"]
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
+        #[requires(!self.overflowing_mul(rhs).1)]
+        #[ensures(|ret| *ret >= $SelfT::MIN && *ret <= $SelfT::MAX)]
         pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self {
             assert_unsafe_precondition!(
                 check_language_ub,
@@ -1423,8 +1425,10 @@ macro_rules! int_impl {
         #[must_use = "this returns the result of the operation, \
                       without modifying the original"]
         #[rustc_const_unstable(feature = "unchecked_shifts", issue = "85122")]
-        #[inline(always)]
+        #[inline(always)]0
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
+        #[requires(rhs < <$ActualT>::BITS)] // i.e. requires the right hand side of the shift (rhs) to be less than the number of bits in the type. This prevents undefined behavior.
+        #[ensures(|ret| *ret >= $SelfT::MIN && *ret <= $SelfT::MAX)] // ensures result is within range after bit shift
         pub const unsafe fn unchecked_shr(self, rhs: u32) -> Self {
             assert_unsafe_precondition!(
                 check_language_ub,
diff --git a/library/core/src/num/mod.rs b/library/core/src/num/mod.rs
@@ -1703,4 +1703,232 @@ mod verify {
             num1.unchecked_add(num2);
         }
     }
+
+    // `unchecked_mul` proofs
+    //
+    // Target types:
+    // i{8,16,32,64,128} and u{8,16,32,64,128} -- 10 types in total
+    //
+    // Target Files : src/num/int_macros.rs , src/num/uint_macros.rs
+    //
+    // Target contracts :
+    // #[requires(!self.overflowing_mul(rhs).1)]
+    // #[ensures(|ret| *ret >= $SelfT::MIN && *ret <= $SelfT::MAX)]
+    //
+    // Target function definition:
+    // pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self
+
+    #[kani::proof_for_contract(i8::unchecked_mul)]
+    pub fn check_unchecked_mul_i8() {
+        let num1: i8 = kani::any::<i8>();
+        let num2: i8 = kani::any::<i8>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(i16::unchecked_mul)]
+    pub fn check_unchecked_mul_i16() {
+        let num1: i16 = kani::any::<i16>();
+        let num2: i16 = kani::any::<i16>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(i32::unchecked_mul)]
+    pub fn check_unchecked_mul_i32() {
+        let num1: i32 = kani::any::<i32>();
+        let num2: i32 = kani::any::<i32>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(i64::unchecked_mul)]
+    pub fn check_unchecked_mul_i64() {
+        let num1: i64 = kani::any::<i64>();
+        let num2: i64 = kani::any::<i64>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(i128::unchecked_mul)]
+    pub fn check_unchecked_mul_i128() {
+        let num1: i128 = kani::any::<i128>();
+        let num2: i128 = kani::any::<i128>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(u8::unchecked_mul)]
+    pub fn check_unchecked_mul_u8() {
+        let num1: u8 = kani::any::<u8>();
+        let num2: u8 = kani::any::<u8>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(u16::unchecked_mul)]
+    pub fn check_unchecked_mul_u16() {
+        let num1: u16 = kani::any::<u16>();
+        let num2: u16 = kani::any::<u16>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(u32::unchecked_mul)]
+    pub fn check_unchecked_mul_u32() {
+        let num1: u32 = kani::any::<u32>();
+        let num2: u32 = kani::any::<u32>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(u64::unchecked_mul)]
+    pub fn check_unchecked_mul_u64() {
+        let num1: u64 = kani::any::<u64>();
+        let num2: u64 = kani::any::<u64>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    #[kani::proof_for_contract(u128::unchecked_mul)]
+    pub fn check_unchecked_mul_u128() {
+        let num1: u128 = kani::any::<u128>();
+        let num2: u128 = kani::any::<u128>();
+
+        unsafe {
+            num1.unchecked_mul(num2);
+        }
+    }
+
+    // `unchecked_shr` proofs
+    //
+    // Target types:
+    // i{8,16,32,64,128} and u{8,16,32,64,128} -- 10 types in total
+    //
+    // Target Files : src/num/int_macros.rs , src/num/uint_macros.rs
+    //
+    // Target contracts:
+    // #[requires(rhs < <$ActualT>::BITS)]
+    // #[ensures(|ret| *ret >= $SelfT::MIN && *ret <= $SelfT::MAX)]
+    //
+    // Target function:
+    // pub const unsafe fn unchecked_shr(self, rhs: u32) -> Self
+
+    #[kani::proof_for_contract(i8::unchecked_shr)]
+    pub fn check_unchecked_shr_i8() {
+        let num: i8 = kani::any::<i8>();
+        let shift: u32 = kani::any::<u32>() % i8::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(i16::unchecked_shr)]
+    pub fn check_unchecked_shr_i16() {
+        let num: i16 = kani::any::<i16>();
+        let shift: u32 = kani::any::<u32>() % i16::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(i32::unchecked_shr)]
+    pub fn check_unchecked_shr_i32() {
+        let num: i32 = kani::any::<i32>();
+        let shift: u32 = kani::any::<u32>() % i32::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(i64::unchecked_shr)]
+    pub fn check_unchecked_shr_i64() {
+        let num: i64 = kani::any::<i64>();
+        let shift: u32 = kani::any::<u32>() % i64::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(i128::unchecked_shr)]
+    pub fn check_unchecked_shr_i128() {
+        let num: i128 = kani::any::<i128>();
+        let shift: u32 = kani::any::<u32>() % i128::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(u8::unchecked_shr)]
+    pub fn check_unchecked_shr_u8() {
+        let num: u8 = kani::any::<u8>();
+        let shift: u32 = kani::any::<u32>() % u8::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(u16::unchecked_shr)]
+    pub fn check_unchecked_shr_u16() {
+        let num: u16 = kani::any::<u16>();
+        let shift: u32 = kani::any::<u32>() % u16::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(u32::unchecked_shr)]
+    pub fn check_unchecked_shr_u32() {
+        let num: u32 = kani::any::<u32>();
+        let shift: u32 = kani::any::<u32>() % u32::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(u64::unchecked_shr)]
+    pub fn check_unchecked_shr_u64() {
+        let num: u64 = kani::any::<u64>();
+        let shift: u32 = kani::any::<u32>() % u64::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
+
+    #[kani::proof_for_contract(u128::unchecked_shr)]
+    pub fn check_unchecked_shr_u128() {
+        let num: u128 = kani::any::<u128>();
+        let shift: u32 = kani::any::<u32>() % u128::BITS;
+
+        unsafe {
+            num.unchecked_shr(shift);
+        }
+    }
 }
diff --git a/library/core/src/num/uint_macros.rs b/library/core/src/num/uint_macros.rs
@@ -909,6 +909,8 @@ macro_rules! uint_impl {
                       without modifying the original"]
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
+        #[requires(!self.overflowing_mul(rhs).1)]
+        #[ensures(|ret| *ret >= $SelfT::MIN && *ret <= $SelfT::MAX)]
         pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self {
             assert_unsafe_precondition!(
                 check_language_ub,
@@ -1614,6 +1616,8 @@ macro_rules! uint_impl {
         #[rustc_const_unstable(feature = "unchecked_shifts", issue = "85122")]
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
+        #[requires(rhs < <$ActualT>::BITS)]// i.e. requires the right hand side of the shift (rhs) to be less than the number of bits in the type. This prevents undefined behavior.
+        #[ensures(|ret| *ret >= $SelfT::MIN && *ret <= $SelfT::MAX)] // ensures result is within range after bit shift
         pub const unsafe fn unchecked_shr(self, rhs: u32) -> Self {
             assert_unsafe_precondition!(
                 check_language_ub,
