Merge branch 'main' into sync-2025-11-25

feliperodri · web-flow · commit 0825fd107b50 · 2026-03-08T21:22:38.000-04:00
diff --git a/.github/workflows/kani-metrics.yml b/.github/workflows/kani-metrics.yml
@@ -11,6 +11,9 @@ defaults:
 
 jobs:
   update-kani-metrics:
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.repository == 'model-checking/verify-rust-std'
     runs-on: ubuntu-latest
     
diff --git a/.github/workflows/update-subtree.yml b/.github/workflows/update-subtree.yml
@@ -11,6 +11,9 @@ defaults:
 
 jobs:
   update-subtree-library:
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.repository == 'model-checking/verify-rust-std'
     # Changing the host platform may alter the libgit2 version as used by
     # splitsh-lite, which will require changing the version of git2go.
diff --git a/doc/src/challenges/0028-flt2dec.md b/doc/src/challenges/0028-flt2dec.md
@@ -0,0 +1,55 @@
+# Challenge 28: Verify float to decimal conversion module
+
+- **Status:** *Open*
+- **Solution:** *Option field to point to the PR that solved this challenge.*
+- **Tracking Issue:** [#524](https://github.com/model-checking/verify-rust-std/issues/524)
+- **Start date:** *2026/01/01*
+- **End date:** *2026/08/31*
+- **Reward:** *5,000 USD*
+
+-------------------
+
+
+## Goal
+
+The goal of this challenge is to verify the [flt2dec](https://doc.rust-lang.org/src/core/num/flt2dec/mod.rs.html) module, which provides functions for converting floating point numbers to decimals. To do this, it implements both the Dragon and Grisu families of algorithms.
+
+## Motivation
+
+Given that converting floats to decimals correctly is a relatively costly operation, the standard library’s flt2dec module employs unsafe code to enable performance-enhancing operations that are otherwise not allowed in safe Rust (e.g., lifetime laundering to get around borrow-checker restrictions). Functions from this module are primarily invoked whenever attempting to represent floats in a human-readable format, making this a potentially highly-used module.
+
+## Description
+
+All of the functions targeted in this challenge are safe functions whose bodies contain unsafe code. This challenge is thus centered around proving well-encapsulation, which here mainly means showing that calls to variants of assume_init() are only performed on fully-initialized structures, and that the lifetime laundering does not cause undefined behaviour.
+
+### Success Criteria
+
+The following functions contain unsafe code in their bodies but are not themselves marked unsafe. All of these should be proven unconditionally safe, or safety contracts should be added:
+
+| Function | Location |
+|---------|---------|
+| `digits_to_dec_str` | `flt2dec` |
+| `digits_to_exp_str` | `flt2dec` |
+| `to_shortest_str` | `flt2dec` |
+| `to_shortest_exp_str` | `flt2dec` |
+| `to_exact_exp_str` | `flt2dec` |
+| `to_exact_fixed_str` | `flt2dec` |
+| `format_shortest_opt` | `flt2dec::strategy::grisu` |
+| `format_shortest` | `flt2dec::strategy::grisu` |
+| `format_exact_opt` | `flt2dec::strategy::grisu` |
+| `format_exact` | `flt2dec::strategy::grisu` |
+| `format_shortest` | `flt2dec::strategy::dragon` |
+| `format_exact` | `flt2dec::strategy::dragon` |
+
+For functions taking inputs of generic type 'T', the proofs can be limited to primitive types only.
+
+*List of UBs*
+
+In addition to any properties called out as SAFETY comments in the source code, all proofs must automatically ensure the absence of the following [undefined behaviors](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
+* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
+* Invoking undefined behavior via compiler intrinsics.
+* Mutating immutable bytes.
+* Producing an invalid value.
+
+Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
+in addition to the ones listed above.
diff --git a/doc/src/challenges/0029-boxed.md b/doc/src/challenges/0029-boxed.md
@@ -0,0 +1,99 @@
+# Challenge 29: Safety of boxed
+
+- **Status:** *Open*
+- **Solution:** *Option field to point to the PR that solved this challenge.*
+- **Tracking Issue:** [#526](https://github.com/model-checking/verify-rust-std/issues/526)
+- **Start date:** *2026/01/01*
+- **End date:** *2026/12/31*
+- **Reward:** *15,000 USD*
+
+-------------------
+
+
+## Goal
+
+The goal of this challenge is to verify the [boxed](https://doc.rust-lang.org/std/boxed/index.html) module, which implements the Box family of types (which includes Box and other related types such as ThinBox). A Box is a type of smart pointer that points to a uniquely-owned heap allocation for arbitrary types.
+
+## Motivation
+
+A Box allows the storage of data on the heap rather than the stack. This has several applications, a common [example](https://doc.rust-lang.org/book/ch15-01-box.html#enabling-recursive-types-with-boxes) being for using dynamically-sized types in contexts requiring an exact size (e.g., recursive types). While this type is useful and diverse in its applications, it also extensively uses unsafe code, meaning it is important to verify that this module is free of undefined behaviour.
+
+### Success Criteria
+
+All the following unsafe functions must be annotated with safety contracts and the contracts have been verified:
+
+| Function | Location |
+|---------|---------|
+| `Box<mem::MaybeUninit<T>, A>::assume_init`  | `alloc::boxed`  |
+| `Box<[mem::MaybeUninit<T>], A>::assume_init`  | `alloc::boxed`  |
+| `Box<T>::from_raw`  |  `alloc::boxed`  |
+| `Box<T>::from_non_null`   |  `alloc::boxed`  |
+| `Box<T, A>::from_raw_in`  |  `alloc::boxed`  |
+| `Box<T, A>::from_non_null_in`   | `alloc::boxed`   |
+| `<dyn Error>::downcast_unchecked`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send>::downcast_unchecked`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send + Sync>::downcast_unchecked`  |  `alloc::boxed::convert`  |
+
+The following functions contain unsafe code in their bodies but are not themselves marked unsafe. At least 75% of these should be proven unconditionally safe, or safety contracts should be added:
+
+| Function | Location |
+|---------|---------|
+| `Box<T, A>::new_in`  |  `alloc::boxed`  |
+| `Box<T, A>::try_new_in`  |  `alloc::boxed`  |
+| `Box<T, A>::try_new_uninit_in`  |  `alloc::boxed`  |
+| `Box<T, A>::try_new_zeroed_in` |  `alloc::boxed`  |
+| `Box<T, A>::into_boxed_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::new_uninit_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::new_zeroed_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::try_new_uninit_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::try_new_zeroed_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::into_array` |  `alloc::boxed`  |
+| `Box<T, A>::new_uninit_slice_in` |  `alloc::boxed` |
+| `Box<T, A>::new_zeroed_slice_in` |  `alloc::boxed`  |
+| `Box<T, A>::try_new_uninit_slice_in` |  `alloc::boxed`  |
+| `Box<T, A>::try_new_zeroed_slice_in` |  `alloc::boxed`  |
+| `Box<mem::MaybeUninit<T>, A>::write` |  `alloc::boxed`  |
+| `Box<T>::into_non_null` |  `alloc::boxed`  |
+| `Box<T, A>::into_raw_with_allocator` |  `alloc::boxed`  |
+| `Box<T, A>::into_non_null_with_allocator` |  `alloc::boxed`  |
+| `Box<T, A>::into_unique` |  `alloc::boxed`  |
+| `Box<T, A>::leak` |  `alloc::boxed`  |
+| `Box<T, A>::into_pin` |  `alloc::boxed`  |
+| `<Box<T, A> as Drop>::drop` |  `alloc::boxed`  |
+| `<Box<T> as Default>::default` |  `alloc::boxed`  |
+| `<Box<str> as Default>::default` |  `alloc::boxed`  |
+| `<Box<T, A> as Clone>::clone` |  `alloc::boxed`  |
+| `<Box<str> as Clone>::clone` |  `alloc::boxed`  |
+| `<Box<[T]> as BoxFromSlice<T>>::from_slice`  |  `alloc::boxed::convert`  |
+| `<Box<str> as From<&str>>::from`  |  `alloc::boxed::convert`  |
+| `<Box<[u8], A> as From<Box<str, A>>>::from`  |  `alloc::boxed::convert`  |
+| `<Box<[T; N]> as TryFrom<Box<[T]>>>::try_from` |  `alloc::boxed::convert`  |
+| `<Box<[T; N]> as TryFrom<Box<T>>>::try_from`  |  `alloc::boxed::convert`  |
+| `Box<dyn Any, A>::downcast` |  `alloc::boxed::convert`  |
+| `Box<dyn Any + Send, A>::downcast`  |  `alloc::boxed::convert`  |
+| `Box<dyn Any + Send + Sync, A>::downcast`  |  `alloc::boxed::convert`  |
+| `<dyn Error>::downcast`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send>::downcast`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send + Sync>::downcast`  |  `alloc::boxed::convert`  |
+| `<ThinBox<T> as Deref>::deref`  | `alloc::boxed::thin`   |
+| `<ThinBox<T> as DerefMut>::deref_mut`  | `alloc::boxed::thin`   |
+| `<ThinBox<T> as Drop>::drop`  | `alloc::boxed::thin`   |
+| `ThinBox<T>::meta`  | `alloc::boxed::thin`   |
+| `ThinBox<T>::with_header`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::new`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::try_new`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::new_unsize_zst`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::header`  | `alloc::boxed::thin`   |
+
+For functions taking inputs of generic type 'T', the proofs can be limited to primitive types only.
+
+*List of UBs*
+
+In addition to any properties called out as SAFETY comments in the source code, all proofs must automatically ensure the absence of the following [undefined behaviors](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
+* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
+* Invoking undefined behavior via compiler intrinsics.
+* Mutating immutable bytes.
+* Producing an invalid value.
+
+Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
+in addition to the ones listed above.
diff --git a/scripts/kani-std-analysis/metrics-data-core.json b/scripts/kani-std-analysis/metrics-data-core.json
@@ -930,6 +930,94 @@
       "verified_safe_fns_under_contract": 112,
       "verified_safe_fns_with_loop_under_contract": 1,
       "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-02-08",
+      "total_unsafe_fns": 7166,
+      "total_unsafe_fns_with_loop": 22,
+      "total_safe_abstractions": 1899,
+      "total_safe_abstractions_with_loop": 90,
+      "total_safe_fns": 16120,
+      "total_safe_fns_with_loop": 783,
+      "unsafe_fns_under_contract": 290,
+      "unsafe_fns_with_loop_under_contract": 3,
+      "verified_unsafe_fns_under_contract": 254,
+      "verified_unsafe_fns_with_loop_under_contract": 1,
+      "safe_abstractions_under_contract": 77,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 77,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 115,
+      "safe_fns_with_loop_under_contract": 1,
+      "verified_safe_fns_under_contract": 112,
+      "verified_safe_fns_with_loop_under_contract": 1,
+      "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-02-15",
+      "total_unsafe_fns": 7166,
+      "total_unsafe_fns_with_loop": 22,
+      "total_safe_abstractions": 1899,
+      "total_safe_abstractions_with_loop": 90,
+      "total_safe_fns": 16120,
+      "total_safe_fns_with_loop": 783,
+      "unsafe_fns_under_contract": 290,
+      "unsafe_fns_with_loop_under_contract": 3,
+      "verified_unsafe_fns_under_contract": 254,
+      "verified_unsafe_fns_with_loop_under_contract": 1,
+      "safe_abstractions_under_contract": 77,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 77,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 115,
+      "safe_fns_with_loop_under_contract": 1,
+      "verified_safe_fns_under_contract": 112,
+      "verified_safe_fns_with_loop_under_contract": 1,
+      "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-02-22",
+      "total_unsafe_fns": 7166,
+      "total_unsafe_fns_with_loop": 22,
+      "total_safe_abstractions": 1899,
+      "total_safe_abstractions_with_loop": 90,
+      "total_safe_fns": 16120,
+      "total_safe_fns_with_loop": 783,
+      "unsafe_fns_under_contract": 290,
+      "unsafe_fns_with_loop_under_contract": 3,
+      "verified_unsafe_fns_under_contract": 254,
+      "verified_unsafe_fns_with_loop_under_contract": 1,
+      "safe_abstractions_under_contract": 77,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 77,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 115,
+      "safe_fns_with_loop_under_contract": 1,
+      "verified_safe_fns_under_contract": 112,
+      "verified_safe_fns_with_loop_under_contract": 1,
+      "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-03-01",
+      "total_unsafe_fns": 7166,
+      "total_unsafe_fns_with_loop": 22,
+      "total_safe_abstractions": 1899,
+      "total_safe_abstractions_with_loop": 90,
+      "total_safe_fns": 16120,
+      "total_safe_fns_with_loop": 783,
+      "unsafe_fns_under_contract": 290,
+      "unsafe_fns_with_loop_under_contract": 3,
+      "verified_unsafe_fns_under_contract": 254,
+      "verified_unsafe_fns_with_loop_under_contract": 1,
+      "safe_abstractions_under_contract": 77,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 77,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 115,
+      "safe_fns_with_loop_under_contract": 1,
+      "verified_safe_fns_under_contract": 112,
+      "verified_safe_fns_with_loop_under_contract": 1,
+      "total_functions_under_contract_all_crates": 424
     }
   ]
 }
diff --git a/scripts/kani-std-analysis/metrics-data-std.json b/scripts/kani-std-analysis/metrics-data-std.json
@@ -813,6 +813,94 @@
       "verified_safe_fns_under_contract": 0,
       "verified_safe_fns_with_loop_under_contract": 0,
       "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-02-08",
+      "total_unsafe_fns": 183,
+      "total_unsafe_fns_with_loop": 12,
+      "total_safe_abstractions": 517,
+      "total_safe_abstractions_with_loop": 44,
+      "total_safe_fns": 4133,
+      "total_safe_fns_with_loop": 186,
+      "unsafe_fns_under_contract": 10,
+      "unsafe_fns_with_loop_under_contract": 1,
+      "verified_unsafe_fns_under_contract": 7,
+      "verified_unsafe_fns_with_loop_under_contract": 0,
+      "safe_abstractions_under_contract": 0,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 0,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 0,
+      "safe_fns_with_loop_under_contract": 0,
+      "verified_safe_fns_under_contract": 0,
+      "verified_safe_fns_with_loop_under_contract": 0,
+      "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-02-15",
+      "total_unsafe_fns": 183,
+      "total_unsafe_fns_with_loop": 12,
+      "total_safe_abstractions": 517,
+      "total_safe_abstractions_with_loop": 44,
+      "total_safe_fns": 4133,
+      "total_safe_fns_with_loop": 186,
+      "unsafe_fns_under_contract": 10,
+      "unsafe_fns_with_loop_under_contract": 1,
+      "verified_unsafe_fns_under_contract": 7,
+      "verified_unsafe_fns_with_loop_under_contract": 0,
+      "safe_abstractions_under_contract": 0,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 0,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 0,
+      "safe_fns_with_loop_under_contract": 0,
+      "verified_safe_fns_under_contract": 0,
+      "verified_safe_fns_with_loop_under_contract": 0,
+      "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-02-22",
+      "total_unsafe_fns": 183,
+      "total_unsafe_fns_with_loop": 12,
+      "total_safe_abstractions": 517,
+      "total_safe_abstractions_with_loop": 44,
+      "total_safe_fns": 4133,
+      "total_safe_fns_with_loop": 186,
+      "unsafe_fns_under_contract": 10,
+      "unsafe_fns_with_loop_under_contract": 1,
+      "verified_unsafe_fns_under_contract": 7,
+      "verified_unsafe_fns_with_loop_under_contract": 0,
+      "safe_abstractions_under_contract": 0,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 0,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 0,
+      "safe_fns_with_loop_under_contract": 0,
+      "verified_safe_fns_under_contract": 0,
+      "verified_safe_fns_with_loop_under_contract": 0,
+      "total_functions_under_contract_all_crates": 424
+    },
+    {
+      "date": "2026-03-01",
+      "total_unsafe_fns": 183,
+      "total_unsafe_fns_with_loop": 12,
+      "total_safe_abstractions": 517,
+      "total_safe_abstractions_with_loop": 44,
+      "total_safe_fns": 4133,
+      "total_safe_fns_with_loop": 186,
+      "unsafe_fns_under_contract": 10,
+      "unsafe_fns_with_loop_under_contract": 1,
+      "verified_unsafe_fns_under_contract": 7,
+      "verified_unsafe_fns_with_loop_under_contract": 0,
+      "safe_abstractions_under_contract": 0,
+      "safe_abstractions_with_loop_under_contract": 0,
+      "verified_safe_abstractions_under_contract": 0,
+      "verified_safe_abstractions_with_loop_under_contract": 0,
+      "safe_fns_under_contract": 0,
+      "safe_fns_with_loop_under_contract": 0,
+      "verified_safe_fns_under_contract": 0,
+      "verified_safe_fns_with_loop_under_contract": 0,
+      "total_functions_under_contract_all_crates": 424
     }
   ]
 }
