How to use function contracts on generic functions?

[joshlf]

Are there any recommendations on how to use function contracts on generic functions? Consider this unsound contract:

#[kani::ensures(|r| r == 0)]
fn foo<T>() -> usize {
    1 / mem::size_of::<T>()
}

#[kani::proof_for_contract(foo)]
fn prove_foo() {
    foo::<u8>();
}

foo will divide by zero when size_of::<T>() == 0. However, to my knowledge, Kani has no way of proving statements of the form "for all T, ...". Thus, there's no way to exhaustively cover the space of possible invocations of foo - we can only test with a representative set of types, which is not truly exhaustive, and thus doesn't 100% convince us that our contract is sound.

Is there a way to handle this problem, or should we just avoid using contracts (or at least avoid using ensures - requires are still fine) on generic functions?

[remi-delmas-3000]

Hi, indeed Kani can only analyze monomorphic code for now, so you'd have to instantiate the proof harness with concrete types for every type of interest in some codebase.

If you are a library author and are providing foo<T> for other people to use, you can also provide the a type-parametric harness that clients of you API can instantiate in their own code base, once the finite set of types with which foo is used is known. kind of like rustc defers the monomorphisation of generic code until enough is known about the types, the monomorphisation and checking of the contract can be deferred until enough is known about the type parameters.

[carolynzech]

To add on to what @remi-delmas-3000 said -- we've been writing contracts on generic functions in our effort to verify the standard library, and we often use macros to make writing the harnesses over a representative set of types a bit less painful (see an example). But you're correct that this doesn't solve the fundamental problem of getting a truly exhaustive set.

[joshlf]

Okay that's what I expected, thanks for the clarification!