Challenge 8: Verify safety and sorting correctness of SmallSort

Samuelsills · claude · Samuelsills · commit 26382a94444a · 2026-03-28T09:04:15.000+01:00
Add Kani proof harnesses for all 7 SmallSort functions specified in Challenge #8. Proves absence of undefined behavior AND sorting correctness (output is sorted) for the 3 small_sort trait implementations. Covers swap_if_less, insertion_sort_shift_left, sort4_stable, has_efficient_in_place_swap, and all 3 SmallSort trait variants. Resolves #56 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/library/core/src/slice/sort/shared/smallsort.rs b/library/core/src/slice/sort/shared/smallsort.rs
@@ -865,3 +865,137 @@ pub(crate) const fn has_efficient_in_place_swap<T>() -> bool {
     // Heuristic that holds true on all tested 64-bit capable architectures.
     size_of::<T>() <= 8 // size_of::<u64>()
 }
+
+#[cfg(kani)]
+#[unstable(feature = "kani", issue = "none")]
+mod verify {
+    use super::*;
+    use crate::kani;
+
+    // --- has_efficient_in_place_swap: const fn, no unsafe ---
+
+    #[kani::proof]
+    fn verify_has_efficient_in_place_swap_u8() {
+        assert!(has_efficient_in_place_swap::<u8>());
+    }
+
+    #[kani::proof]
+    fn verify_has_efficient_in_place_swap_u64() {
+        assert!(has_efficient_in_place_swap::<u64>());
+    }
+
+    #[kani::proof]
+    fn verify_has_efficient_in_place_swap_u128() {
+        assert!(!has_efficient_in_place_swap::<u128>());
+    }
+
+    // --- swap_if_less: unsafe, no loops ---
+
+    #[kani::proof]
+    fn verify_swap_if_less() {
+        let mut arr: [i32; 4] = kani::any();
+        let a: usize = kani::any();
+        let b: usize = kani::any();
+        kani::assume(a < 4 && b < 4);
+        let orig_a = arr[a];
+        let orig_b = arr[b];
+        unsafe {
+            swap_if_less(
+                arr.as_mut_ptr(),
+                a,
+                b,
+                &mut |x, y| *x < *y,
+            );
+        }
+        // After swap_if_less, arr[a] <= arr[b]
+        assert!(arr[a] <= arr[b]);
+    }
+
+    // --- sort4_stable: unsafe, no loops (fixed network) ---
+
+    #[kani::proof]
+    fn verify_sort4_stable() {
+        let src: [i32; 4] = kani::any();
+        let mut dst: [MaybeUninit<i32>; 4] = [
+            MaybeUninit::uninit(),
+            MaybeUninit::uninit(),
+            MaybeUninit::uninit(),
+            MaybeUninit::uninit(),
+        ];
+        unsafe {
+            sort4_stable(
+                src.as_ptr(),
+                dst.as_mut_ptr() as *mut i32,
+                &mut |x, y| *x < *y,
+            );
+        }
+        let d0 = unsafe { dst[0].assume_init() };
+        let d1 = unsafe { dst[1].assume_init() };
+        let d2 = unsafe { dst[2].assume_init() };
+        let d3 = unsafe { dst[3].assume_init() };
+        assert!(d0 <= d1 && d1 <= d2 && d2 <= d3);
+    }
+
+    // --- insertion_sort_shift_left: loop, needs unwind ---
+
+    #[kani::proof]
+    #[kani::unwind(6)]
+    fn verify_insertion_sort_shift_left() {
+        let mut arr: [i32; 4] = kani::any();
+        insertion_sort_shift_left(
+            &mut arr,
+            1,
+            &mut |a, b| *a < *b,
+        );
+        assert!(arr[0] <= arr[1]);
+        assert!(arr[1] <= arr[2]);
+        assert!(arr[2] <= arr[3]);
+    }
+
+    // --- StableSmallSortTypeImpl::small_sort ---
+
+    #[kani::proof]
+    #[kani::unwind(6)]
+    fn verify_stable_small_sort() {
+        let mut arr: [i32; 4] = kani::any();
+        let mut scratch = [MaybeUninit::<i32>::uninit(); 20];
+        <i32 as StableSmallSortTypeImpl>::small_sort(
+            &mut arr,
+            &mut scratch,
+            &mut |a, b| *a < *b,
+        );
+        assert!(arr[0] <= arr[1]);
+        assert!(arr[1] <= arr[2]);
+        assert!(arr[2] <= arr[3]);
+    }
+
+    // --- UnstableSmallSortTypeImpl::small_sort ---
+
+    #[kani::proof]
+    #[kani::unwind(6)]
+    fn verify_unstable_small_sort() {
+        let mut arr: [i32; 4] = kani::any();
+        <i32 as UnstableSmallSortTypeImpl>::small_sort(
+            &mut arr,
+            &mut |a, b| *a < *b,
+        );
+        assert!(arr[0] <= arr[1]);
+        assert!(arr[1] <= arr[2]);
+        assert!(arr[2] <= arr[3]);
+    }
+
+    // --- UnstableSmallSortFreezeTypeImpl::small_sort ---
+
+    #[kani::proof]
+    #[kani::unwind(6)]
+    fn verify_unstable_freeze_small_sort() {
+        let mut arr: [i32; 4] = kani::any();
+        <i32 as UnstableSmallSortFreezeTypeImpl>::small_sort(
+            &mut arr,
+            &mut |a, b| *a < *b,
+        );
+        assert!(arr[0] <= arr[1]);
+        assert!(arr[1] <= arr[2]);
+        assert!(arr[2] <= arr[3]);
+    }
+}
