model-checking
diff --git a/‎.github/workflows/verifast-negative.yml
+1-1 b/‎.github/workflows/verifast-negative.yml
+1-1
diff --git a/‎.github/workflows/verifast.yml
+26-1 b/‎.github/workflows/verifast.yml
+26-1
diff --git a/‎doc/src/SUMMARY.md
+3 b/‎doc/src/SUMMARY.md
+3
diff --git a/‎doc/src/challenges/0016-iter.md
+74 b/‎doc/src/challenges/0016-iter.md
+74
diff --git a/‎doc/src/challenges/0017-slice.md
+83 b/‎doc/src/challenges/0017-slice.md
+83
diff --git a/‎doc/src/challenges/0018-slice-iter.md
+138 b/‎doc/src/challenges/0018-slice-iter.md
+138
@@ -42,4 +42,4 @@ jobs:
         run: |
           export PATH=~/verifast-25.02/bin:$PATH
           cd verifast-proofs
-          mysh check-verifast-proofs-negative.mysh
+          bash check-verifast-proofs-negative.sh
@@ -39,4 +39,29 @@ jobs:
         run: |
           export PATH=~/verifast-25.02/bin:$PATH
           cd verifast-proofs
-          mysh check-verifast-proofs.mysh
+          bash check-verifast-proofs.sh
+
+  notify-btj:
+    name: Notify @btj
+    runs-on: ubuntu-latest
+    needs: check-verifast-on-std
+    if: failure()
+    permissions:
+      id-token: write
+    
+    steps:
+      - name: Get GitHub OIDC token
+        id: get_token
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const audience = 'notify-bart-jacobs';
+            return await core.getIDToken(audience);
+          result-encoding: string
+
+      - name: Call notification endpoint
+        run: |
+          curl -X POST "https://verify-rust-std-verifast-monitor.bart-jacobs.workers.dev/" \
+            -H "Authorization: Bearer ${{ steps.get_token.outputs.result }}" \
+            -H "Content-Type: application/json" \
+            -d '{}'
@@ -29,3 +29,6 @@
   - [13: Safety of `CStr`](./challenges/0013-cstr.md)
   - [14: Safety of Primitive Conversions](./challenges/0014-convert-num.md)
   - [15: Contracts and Tests for SIMD Intrinsics](./challenges/0015-intrinsics-simd.md)
+  - [16: Verify the safety of Iterator functions](./challenges/0016-iter.md)
+  - [17: Verify the safety of slice functions](./challenges/0017-slice.md)
+  - [18: Verify the safety of slice iter functions](./challenges/0018-slice-iter-pt1.md)
@@ -0,0 +1,74 @@
+# Challenge 16: Verify the safety of Iterator functions
+
+- **Status:** Open
+- **Tracking Issue:** [#280](https://github.com/model-checking/verify-rust-std/issues/280)
+- **Start date:** *2025-03-07*
+- **End date:** *2025-10-17*
+- **Reward:** *10,000 USD*
+
+-------------------
+
+
+## Goal
+
+Verify the safety of iter functions that are defined in (library/core/src/iter/adapters):
+
+
+
+### Success Criteria
+
+Write and prove the contract for the safety of the following unsafe functions:
+
+| Function | Defined in |
+|---------| ---------|
+|__iterator_get_unchecked| clone.rs|
+|next_unchecked| clone.rs|
+|__iterator_get_unchecked| copied.rs|
+|__iterator_get_unchecked| enumerate.rs|
+|__iterator_get_unchecked | fuse.rs|
+|__iterator_get_unchecked | map.rs|
+|next_unchecked | map.rs|
+|__iterator_get_unchecked | skip.rs|
+|__iterator_get_unchecked | zip.rs|
+|get_unchecked| zip.rs|
+
+Prove the absence of undefined behavior for following safe abstractions:
+
+| Function | Defined in |
+|---------| ---------|
+|next_back_remainder| array_chunks.rs|
+|fold| array_chunks.rs|
+|spec_next_chunk| copied.rs|
+|next_chunk_dropless| filter.rs|
+|next_chunk| filter_map.rs|
+|as_array_ref | map_windows.rs|
+|as_uninit_array_mut | map_windows.rs|
+|push | map_windows.rs|
+|drop | map_windows.rs|
+|original_step | step_by.rs|
+|spec_fold| take.rs|
+|spec_for_each| take.rs|
+|fold| zip.rs|
+|next| zip.rs|
+|nth| zip.rs|
+|next_back| zip.rs|
+|spec_fold| zip.rs|
+
+
+
+The verification must be unbounded---it must hold for slices of arbitrary length.
+
+The verification must hold for generic type `T` (no monomorphization).
+
+### List of UBs
+
+All proofs must automatically ensure the absence of the following undefined behaviors [ref](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
+
+* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
+* Reading from uninitialized memory except for padding or unions.
+* Mutating immutable bytes.
+* Producing an invalid value
+
+
+Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
+in addition to the ones listed above.
@@ -0,0 +1,83 @@
+# Challenge 17: Verify the safety of `slice` functions
+
+- **Status:** Open
+- **Tracking Issue:** [#281](https://github.com/model-checking/verify-rust-std/issues/281)
+- **Start date:** *2025-03-07*
+- **End date:** *2025-10-17*
+- **Reward:** *10000 USD*
+
+-------------------
+
+
+## Goal
+
+Verify the safety of `std::slice` functions in (library/core/src/slice/mod.rs).
+
+
+### Success Criteria
+
+For the following unsafe functions (in library/core/src/slice/mod.rs):
+- Write contracts specifying the safety precondition(s) that the caller must uphold, then
+- Verify that if the caller respects those preconditions, the function does not cause undefined behavior.
+
+| Function |
+|---------|
+|get_unchecked| 
+|get_unchecked_mut| 
+|swap_unchecked| 
+|as_chunks_unchecked| 
+|as_chunks_unchecked_mut| 
+|split_at_unchecked| 
+|split_at_mut_unchecked| 
+|align_to|
+|align_to_mut|
+|get_disjoint_unchecked_mut|
+
+Prove that the following safe abstractions (in library/core/src/slice/mod.rs) do not cause undefined behavior:
+
+| Function |
+|---------|
+|first_chunk| 
+|first_chunk_mut| 
+|split_first_chunk|
+|split_first_chunk_mut| 
+|split_last_chunk|
+|split_last_chunk_mut| 
+|last_chunk| 
+|last_chunk_mut| 
+|reverse| 
+|as_chunks| 
+|as_chunks_mut| 
+|as_rchunks| 
+|split_at_checked| 
+|split_at_mut_checked| 
+|binary_search_by| 
+|partition_dedup_by|
+|rotate_left|
+|rotate_right|
+|copy_from_slice|
+|copy_within|
+|swap_with_slice|
+|as_simd|
+|as_simd_mut|
+|get_disjoint_mut|
+|get_disjoint_check_valid|
+|as_flattened|
+|as_flattened_mut|
+
+The verification must be unbounded---it must hold for slices of arbitrary length.
+
+The verification must hold for generic type `T` (no monomorphization).
+
+### List of UBs
+
+All proofs must automatically ensure the absence of the following undefined behaviors [ref](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
+
+* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
+* Reading from uninitialized memory except for padding or unions.
+* Mutating immutable bytes.
+* Producing an invalid value
+
+
+Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
+in addition to the ones listed above.
@@ -0,0 +1,138 @@
+# Challenge 18: Verify the safety of `slice` iter functions
+
+- **Status:** Open
+- **Tracking Issue:** [#282](https://github.com/model-checking/verify-rust-std/issues/282)
+- **Start date:** *2025-03-07*
+- **End date:** *2025-10-17*
+- **Reward:** *10000 USD*
+
+-------------------
+
+
+## Goal
+**Part 1:**
+Verify the safety of Iterator functions of `std::slice` generated by `iterator!` and `forward_iterator!` macros that are defined in (library/core/src/slice/iter/macros.rs):
+to generate impl for Iter, IterMut, SplitN, SplitNMut, RSplitN, RSplitNMut  in (library/core/src/slice/iter.rs):
+
+```
+iterator! {struct Iter -> *const T, &'a T, const, {/* no mut */}, as_ref, {
+    fn is_sorted_by<F>(self, mut compare: F) -> bool
+    where
+        Self: Sized,
+        F: FnMut(&Self::Item, &Self::Item) -> bool,
+    {
+        self.as_slice().is_sorted_by(|a, b| compare(&a, &b))
+    }
+}}
+
+iterator! {struct IterMut -> *mut T, &'a mut T, mut, {mut}, as_mut, {}}
+
+forward_iterator! { SplitN: T, &'a [T] }
+forward_iterator! { RSplitN: T, &'a [T] }
+forward_iterator! { SplitNMut: T, &'a mut [T] }
+forward_iterator! { RSplitNMut: T, &'a mut [T] }
+```
+
+**Part 2:**
+Verify the safety of Iterator functions of `std::slice` that are defined in (library/core/src/slice/iter.rs).
+
+### Success Criteria
+
+**Part 1:** In (library/core/src/slice/iter/macros.rs)
+
+Prove absence of undefined behaviors of following safe functions that contain unsafe code:
+
+| Function | 
+|---------|
+|make_slice| 
+|len|
+|is_empty|
+|next|
+|size_hint| 
+|count| 
+|nth| 
+|advance_by| 
+|last| 
+|fold| 
+|for_each| 
+|position| 
+|rposition| 
+|next_back| 
+|nth_back| 
+|advance_back_by| 
+
+
+**Part 2:** In (library/core/src/slice/iter.rs)
+
+Write and prove the contract for the safety of the following unsafe functions:
+
+| Function | Impl for |
+|---------| ---------|
+|__iterator_get_unchecked| Windows|
+|__iterator_get_unchecked| Chunks|
+|__iterator_get_unchecked| ChunksMut|
+|__iterator_get_unchecked| ChunksExact|
+|__iterator_get_unchecked| ChunksExact|
+|__iterator_get_unchecked| ArrayChunks|
+|__iterator_get_unchecked| ArrayChunksMut|
+|__iterator_get_unchecked| RChunks|
+|__iterator_get_unchecked| RChunksMut|
+|__iterator_get_unchecked| RChunksExact|
+|__iterator_get_unchecked| RChunksExactMut|
+
+Prove absence of undefined behaviors of following safe functions that contain unsafe code:
+
+| Function | Impl for |
+|---------| ---------|
+|new| Iter|
+|new| IterMut|
+|into_slice| IterMut|
+|as_mut_slice| IterMut|
+|next| Split|
+|next_back| Split|
+|next_back| Chunks|
+|next| ChunksMut|
+|nth| ChunksMut|
+|next_back| ChunksMut|
+|nth_back| ChunksMut|
+|new| ChunksExact|
+|new| ChunksExactMut|
+|next| ChunksExactMut|
+|nth| ChunksExactMut|
+|next_back| ChunksExactMut|
+|nth_back| ChunksExactMut|
+|next| ArrayWindows|
+|nth| ArrayWindows|
+|next_back| ArrayWindows|
+|nth_back| ArrayWindows|
+|next| RChunks|
+|next_back| RChunks|
+|next| RChunksMut|
+|nth| RChunksMut|
+|last| RChunksMut|
+|next_back| RChunksMut|
+|nth_back| RChunksMut|
+|new| RChunksExact|
+|new| RChunksExactMut|
+|next| RChunksExactMut|
+|nth| RChunksExactMut|
+|next_back| RChunksExactMut|
+|nth_back| RChunksExactMut|
+
+
+The verification must be unbounded---it must hold for slices of arbitrary length.
+
+The verification must hold for generic type `T` (no monomorphization).
+
+### List of UBs
+
+All proofs must automatically ensure the absence of the following undefined behaviors [ref](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
+
+* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
+* Reading from uninitialized memory except for padding or unions.
+* Mutating immutable bytes.
+* Producing an invalid value
+
+
+Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
+in addition to the ones listed above.