Disable floating-point overflow checks #3620
Comments
|
I inserted my own const F32_BOUND: f32 = 1e3;
fn add_f32(a: f32, b: f32) -> f32 {
#[cfg(kani)]
{
kani::assume(a.abs() < F32_BOUND);
kani::assume(b.abs() < F32_BOUND);
}
a + b
}
fn mul_f32(a: f32, b: f32) -> f32 {
#[cfg(kani)]
{
kani::assume(a.abs() < F32_BOUND);
kani::assume(b.abs() < F32_BOUND);
}
a * b
}It can be also just |
|
Hi @cospectrum. The #[kani::proof]
fn check_overflow() {
let x: f32 = kani::any();
let y: f32 = kani::any();
let z: f32 = x + y;
if x == 0.0 {
assert!(y.is_nan() || z == y);
} else if y == 0.0 {
assert!(x.is_nan() || z == x);
}
}the overflow and NaN checks fail: but verification is successful with |
|
@zhassan-aws I saw this flag. But I guess it also disables overflow checking for other types (like i32), which I don't want. |
|
@cospectrum It actually doesn't disable overflow checking for other types: $ cat of.rs
#[kani::proof]
fn check_overflow() {
let x: u8 = kani::any();
let y: u8 = kani::any();
let z = x + y;
}
$ kani of.rs --no-overflow-checks
...
SUMMARY:
** 1 of 1 failed
Failed Checks: attempt to add with overflow
File: "of.rs", line 5, in check_overflowWe need to update the help/option name to clarify this. |
|
Why haven't we removed float overflow checks in the first place? I see that #3162 was never merged. @feliperodri? |
|
Good point. I forgot about #3162. If overflow in these operations is not UB, then Kani shouldn't perform them by default. |
|
TBH, I'm not even convinced we should offer an option to perform them. |
Is there a way to specifically disable the floating-point overflow checks?
I only want to ignore the following errors (and nothing else):
If it's not possible, is there a way to implement custom
add/mulfunctions to make kani happy? Any tips.The text was updated successfully, but these errors were encountered: