Avoid undefined behavior in AnySlice::new() (rust-lang#2288)

feliperodri · web-flow · commit 4b925fd3a412 · 2023-03-09T20:35:42.000Z
Signed-off-by: Felipe R. Monteiro &lt;felisous@amazon.com&gt;
diff --git a/library/kani/src/slice.rs b/library/kani/src/slice.rs
@@ -71,7 +71,7 @@ impl<T, const MAX_SLICE_LENGTH: usize> AnySlice<T, MAX_SLICE_LENGTH> {
             //         *(ptr as *mut T).add(i) = any();
             //     }
             while i < any_slice.slice_len && i < MAX_SLICE_LENGTH {
-                *any_slice.ptr.add(i) = any();
+                std::ptr::write(any_slice.ptr.add(i), any());
                 i += 1;
             }
         }
diff --git a/tests/kani/Slice/slice-drop.rs b/tests/kani/Slice/slice-drop.rs
@@ -0,0 +1,25 @@
+// Copyright Kani Contributors
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+
+// Assigning to a memory location via pointer dereferencing causes Drop::drop to be called for the location to which the pointer points.
+// Here, kani::Arbitrary implementation for MyStruct deterministically sets MyStruct.0 to 1.
+// We check whether AnySlice will properly initialize memory making the assertion in drop() to pass.
+
+struct MyStruct(i32);
+
+impl Drop for MyStruct {
+    fn drop(&mut self) {
+        assert!(self.0 == 1);
+    }
+}
+
+impl kani::Arbitrary for MyStruct {
+    fn any() -> Self {
+        MyStruct(1)
+    }
+}
+
+#[kani::proof]
+fn my_proof() {
+    let my_slice = kani::slice::any_slice::<MyStruct, 1>();
+}

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ impl<T, const MAX_SLICE_LENGTH: usize> AnySlice<T, MAX_SLICE_LENGTH> {`
`71`	`71`	`// (ptr as mut T).add(i) = any();`
`72`	`72`	`// }`
`73`	`73`	`while i < any_slice.slice_len && i < MAX_SLICE_LENGTH {`
`74`		`- *any_slice.ptr.add(i) = any();`
	`74`	`+ std::ptr::write(any_slice.ptr.add(i), any());`
`75`	`75`	`i += 1;`
`76`	`76`	`}`
`77`	`77`	`}`