Skip to content

verify add_used operation using guestmemory stubs #346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

verify add_used operation using guestmemory stubs #346

wants to merge 5 commits into from

Conversation

priyasiddharth
Copy link

Summary of the PR

We need to stub out or provide fake implementation for GuestMemory read/write operations since they are too expensive for kani to execute as-is.

This problem was faces by firekracker also and solved by using a fake impl (link).

in vmm-virtio GuestMemory is hardcoded to use the default impl (link) so it is not easy to fake it. There are a few options i see.

  1. conditionally compile a fake version of Bytes trait for GuestMemory for kani - needs changes to vm-memory crate
  2. All vm-virtio functions use GuestMemory in production and FakeGuestMemory in kani - needs changes to vm-virtio to conditionally compile and use the right GuestMemory
  3. Use per unit-proof stubbing provided by kani

This PR provides the third option. However, 1 or 2 maybe a better engineering solution. Looking for inputs.

Requirements

Before submitting your PR, please make sure you addressed the following
requirements:

  • All commits in this PR have Signed-Off-By trailers (with
    git commit -s), and the commit message has max 60 characters for the
    summary and max 75 characters for each description line.
  • All added/changed functionality has a corresponding unit/integration
    test.
  • All added/changed public-facing functionality has entries in the "Upcoming
    Release" section of CHANGELOG.md (if no such section exists, please create one).
  • Any newly added unsafe code is properly documented.

@priyasiddharth
Copy link
Author

@roypat Hi Patrick,
I am looking for some guidance on how best to fake GuestMemory read/writes for kani. The PR contains a detailed description of the problem. Hoping you can help.

thanks
Siddharth

priyasiddharth
priyasiddharth commented Jun 19, 2025
View reviewed changes
MatiasVara
MatiasVara reviewed Jun 26, 2025
View reviewed changes
MatiasVara and others added 4 commits July 25, 2025 14:17
@MatiasVara @priyasiddharth
Add proof for conformance to 2.7.7.2 section
f730282 
Add the verify_spec_2_7_7_2() proof to verify that the implementation of
queue satisfies 2.7.7.2 requirement. The proof relies on whether the
EVENT_IDX feature has been negotiated. Conversely with
`test_needs_notification()` test, this proof `tests` for all possible
values of the queue structure.

Signed-off-by: Matias Ezequiel Vara Larsen <[email protected]>
Signed-off-by: Siddharth Priya <[email protected]>
@MatiasVara @priyasiddharth
Add proof for conformance to 2.7.7.2 section
57e3370 
Add the verify_spec_2_7_7_2() proof to verify that the implementation of
queue satisfies 2.7.7.2 requirement. The proof relies on whether the
EVENT_IDX feature has been negotiated. Conversely with
`test_needs_notification()` test, this proof `tests` for all possible
values of the queue structure.

Signed-off-by: Matias Ezequiel Vara Larsen <[email protected]>
@priyasiddharth
feat(kani): stub out guest memory methods for add_used
65306ea 
GuestMemory trait brings in Bytes trait and therefore hardcodes impl for write_obj and store methods.
This does not work well with Kani which now has to process these methods symbolically.
The solution is to provide NOP impl for these methods.
My current solution is to use kani stub macro to replace these methods by local stubs.
Another solution can be to provide the proof writer a way to construct GuestMemory such that they can stub out methods as needed.

Signed-off-by: Siddharth Priya <[email protected]>
@priyasiddharth
wip
0c15f3d
@priyasiddharth priyasiddharth force-pushed the verify_add_used branch 3 times, most recently from 25784f9 to 96d3228 Compare July 29, 2025 14:35
MatiasVara
MatiasVara reviewed Jul 31, 2025
View reviewed changes
virtio-queue/src/queue/verification.rs
} else {
assert_eq!(queue.next_used, used_idx);

// Ideally, here we would want to actually read the relevant values from memory and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this comment is true in firecraker but is it still valid in the rust-vmm implementation?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MatiasVara MatiasVara MatiasVara left review comments

@roypat roypat roypat left review comments

@alexandruag alexandruag Awaiting requested review from alexandruag alexandruag will be requested when the pull request is marked ready for review alexandruag is a code owner

@andreeaflorescu andreeaflorescu Awaiting requested review from andreeaflorescu andreeaflorescu will be requested when the pull request is marked ready for review andreeaflorescu is a code owner

@jiangliu jiangliu Awaiting requested review from jiangliu jiangliu will be requested when the pull request is marked ready for review jiangliu is a code owner

@slp slp Awaiting requested review from slp slp will be requested when the pull request is marked ready for review slp is a code owner

@stsquad stsquad Awaiting requested review from stsquad stsquad will be requested when the pull request is marked ready for review stsquad is a code owner

@epilys epilys Awaiting requested review from epilys epilys will be requested when the pull request is marked ready for review epilys is a code owner

@stefano-garzarella stefano-garzarella Awaiting requested review from stefano-garzarella stefano-garzarella will be requested when the pull request is marked ready for review stefano-garzarella is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@priyasiddharth @MatiasVara @roypat