Merge branch 'model-checking:main' into rapx-verify-std

Author: DiuDiu777

.github/workflows/flux.yml

@@ -8,8 +8,8 @@ on:
     branches: [main]
 
 env:
-  FIXPOINT_VERSION: "556104ba5508891c357b0bdf819ce706e93d9349"
-  FLUX_VERSION: "f5e57bec353e2eb3550d2b7ba086462264dfa290"
+  FLUX_VERSION: "6b080b32801f923bfb590ac48e729de38f829f21"
+  FIXPOINT_VERSION: "nightly-10-15-2025"
 
 jobs:
   check-flux-on-core:
@@ -25,27 +25,22 @@ jobs:
           echo ~/.cargo/bin >> $GITHUB_PATH
           echo ~/.local/bin >> $GITHUB_PATH
 
-      - name: Cache fixpoint
-        uses: actions/cache@v4
-        id: cache-fixpoint
-        with:
-          path: ~/.local/bin/fixpoint
-          key: fixpoint-bin-${{ runner.os }}-${{ env.FIXPOINT_VERSION }}
+      - name: Download and install fixpoint
+        run: |
+          set -e
+          NAME="fixpoint-x86_64-linux-gnu.tar.gz"
+          URL="https://github.com/ucsd-progsys/liquid-fixpoint/releases/download/${FIXPOINT_VERSION}/${NAME}"
 
-      - name: Install Haskell
-        if: steps.cache-fixpoint.outputs.cache-hit != 'true'
-        uses: haskell-actions/setup@v2.7.0
-        with:
-          enable-stack: true
-          stack-version: "2.15.7"
+          echo "Downloading from $URL"
+          curl -fsSL --retry 3 -o "$NAME" "$URL"
 
-      - name: Install fixpoint
-        if: steps.cache-fixpoint.outputs.cache-hit != 'true'
-        run: |
-          git clone https://github.com/ucsd-progsys/liquid-fixpoint.git
-          cd liquid-fixpoint
-          git checkout $FIXPOINT_VERSION
-          stack install --fast --flag liquid-fixpoint:-link-z3-as-a-library
+          echo "Extracting archive"
+          tar -xzf "$NAME"
+          mkdir -p ~/.local/bin
+          cp fixpoint ~/.local/bin/fixpoint
+
+          echo "Cleaning up"
+          rm -f "$NAME"
 
       - name: Install Z3
         uses: cda-tum/setup-z3@v1.6.1

.github/workflows/kani-metrics.yml

@@ -11,6 +11,9 @@ defaults:
 
 jobs:
   update-kani-metrics:
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.repository == 'model-checking/verify-rust-std'
     runs-on: ubuntu-latest
 

.github/workflows/update-subtree.yml

@@ -11,6 +11,9 @@ defaults:
 
 jobs:
   update-subtree-library:
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.repository == 'model-checking/verify-rust-std'
     # Changing the host platform may alter the libgit2 version as used by
     # splitsh-lite, which will require changing the version of git2go.
@@ -214,16 +217,12 @@ jobs:
 
         # Try to automatically patch the VeriFast proofs
         pushd verifast-proofs
-        if bash ./patch-verifast-proofs.sh; then
-          if ! git diff --quiet; then
-            git -c user.name=gitbot -c user.email=git@bot \
-              commit . -m "Update VeriFast proofs"
-          else
-            # The original files have not changed; no updates to the VeriFast proofs are necessary.
-            true
-          fi
+        ./patch-verifast-proofs.sh
+        if ! git diff --quiet; then
+          git -c user.name=gitbot -c user.email=git@bot \
+            commit . -m "Update VeriFast proofs"
         else
-          # Patching the VeriFast proofs failed; requires manual intervention.
+          # The original files have not changed; no updates to the VeriFast proofs are necessary.
           true
         fi
         popd

.github/workflows/verifast-negative.yml

@@ -27,19 +27,5 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@v4
 
-      - name: Install VeriFast
-        run: |
-          cd ~
-          curl -OL https://github.com/verifast/verifast/releases/download/25.07/verifast-25.07-linux.tar.gz
-          # https://github.com/verifast/verifast/attestations/8998468
-          echo '48d2c53b4a6e4ba6bf03bd6303dbd92a02bfb896253c06266b29739c78bad23b  verifast-25.07-linux.tar.gz' | shasum -a 256 -c
-          tar xf verifast-25.07-linux.tar.gz
-
-      - name: Install the Rust toolchain used by VeriFast
-        run: rustup toolchain install nightly-2025-04-09
-
       - name: Run VeriFast Verification
-        run: |
-          export PATH=~/verifast-25.07/bin:$PATH
-          cd verifast-proofs
-          bash check-verifast-proofs-negative.sh
+        run: verifast-proofs/check-verifast-proofs-negative.sh

.github/workflows/verifast.yml

@@ -24,22 +24,8 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@v4
 
-      - name: Install VeriFast
-        run: |
-          cd ~
-          curl -OL https://github.com/verifast/verifast/releases/download/25.07/verifast-25.07-linux.tar.gz
-          # https://github.com/verifast/verifast/attestations/8998468
-          echo '48d2c53b4a6e4ba6bf03bd6303dbd92a02bfb896253c06266b29739c78bad23b  verifast-25.07-linux.tar.gz' | shasum -a 256 -c
-          tar xf verifast-25.07-linux.tar.gz
-
-      - name: Install the Rust toolchain used by VeriFast
-        run: rustup toolchain install nightly-2025-04-09
-
       - name: Run VeriFast Verification
-        run: |
-          export PATH=~/verifast-25.07/bin:$PATH
-          cd verifast-proofs
-          bash check-verifast-proofs.sh
+        run: verifast-proofs/check-verifast-proofs.sh
 
   notify-btj:
     name: Notify @btj

doc/src/challenges/0028-flt2dec.md

@@ -0,0 +1,55 @@
+# Challenge 28: Verify float to decimal conversion module
+
+- **Status:** *Open*
+- **Solution:** *Option field to point to the PR that solved this challenge.*
+- **Tracking Issue:** [#524](https://github.com/model-checking/verify-rust-std/issues/524)
+- **Start date:** *2026/01/01*
+- **End date:** *2026/08/31*
+- **Reward:** *5,000 USD*
+
+-------------------
+
+
+## Goal
+
+The goal of this challenge is to verify the [flt2dec](https://doc.rust-lang.org/src/core/num/flt2dec/mod.rs.html) module, which provides functions for converting floating point numbers to decimals. To do this, it implements both the Dragon and Grisu families of algorithms.
+
+## Motivation
+
+Given that converting floats to decimals correctly is a relatively costly operation, the standard library’s flt2dec module employs unsafe code to enable performance-enhancing operations that are otherwise not allowed in safe Rust (e.g., lifetime laundering to get around borrow-checker restrictions). Functions from this module are primarily invoked whenever attempting to represent floats in a human-readable format, making this a potentially highly-used module.
+
+## Description
+
+All of the functions targeted in this challenge are safe functions whose bodies contain unsafe code. This challenge is thus centered around proving well-encapsulation, which here mainly means showing that calls to variants of assume_init() are only performed on fully-initialized structures, and that the lifetime laundering does not cause undefined behaviour.
+
+### Success Criteria
+
+The following functions contain unsafe code in their bodies but are not themselves marked unsafe. All of these should be proven unconditionally safe, or safety contracts should be added:
+
+| Function | Location |
+|---------|---------|
+| `digits_to_dec_str` | `flt2dec` |
+| `digits_to_exp_str` | `flt2dec` |
+| `to_shortest_str` | `flt2dec` |
+| `to_shortest_exp_str` | `flt2dec` |
+| `to_exact_exp_str` | `flt2dec` |
+| `to_exact_fixed_str` | `flt2dec` |
+| `format_shortest_opt` | `flt2dec::strategy::grisu` |
+| `format_shortest` | `flt2dec::strategy::grisu` |
+| `format_exact_opt` | `flt2dec::strategy::grisu` |
+| `format_exact` | `flt2dec::strategy::grisu` |
+| `format_shortest` | `flt2dec::strategy::dragon` |
+| `format_exact` | `flt2dec::strategy::dragon` |
+
+For functions taking inputs of generic type 'T', the proofs can be limited to primitive types only.
+
+*List of UBs*
+
+In addition to any properties called out as SAFETY comments in the source code, all proofs must automatically ensure the absence of the following [undefined behaviors](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
+* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
+* Invoking undefined behavior via compiler intrinsics.
+* Mutating immutable bytes.
+* Producing an invalid value.
+
+Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
+in addition to the ones listed above.

doc/src/challenges/0029-boxed.md

@@ -0,0 +1,99 @@
+# Challenge 29: Safety of boxed
+
+- **Status:** *Open*
+- **Solution:** *Option field to point to the PR that solved this challenge.*
+- **Tracking Issue:** [#526](https://github.com/model-checking/verify-rust-std/issues/526)
+- **Start date:** *2026/01/01*
+- **End date:** *2026/12/31*
+- **Reward:** *15,000 USD*
+
+-------------------
+
+
+## Goal
+
+The goal of this challenge is to verify the [boxed](https://doc.rust-lang.org/std/boxed/index.html) module, which implements the Box family of types (which includes Box and other related types such as ThinBox). A Box is a type of smart pointer that points to a uniquely-owned heap allocation for arbitrary types.
+
+## Motivation
+
+A Box allows the storage of data on the heap rather than the stack. This has several applications, a common [example](https://doc.rust-lang.org/book/ch15-01-box.html#enabling-recursive-types-with-boxes) being for using dynamically-sized types in contexts requiring an exact size (e.g., recursive types). While this type is useful and diverse in its applications, it also extensively uses unsafe code, meaning it is important to verify that this module is free of undefined behaviour.
+
+### Success Criteria
+
+All the following unsafe functions must be annotated with safety contracts and the contracts have been verified:
+
+| Function | Location |
+|---------|---------|
+| `Box<mem::MaybeUninit<T>, A>::assume_init`  | `alloc::boxed`  |
+| `Box<[mem::MaybeUninit<T>], A>::assume_init`  | `alloc::boxed`  |
+| `Box<T>::from_raw`  |  `alloc::boxed`  |
+| `Box<T>::from_non_null`   |  `alloc::boxed`  |
+| `Box<T, A>::from_raw_in`  |  `alloc::boxed`  |
+| `Box<T, A>::from_non_null_in`   | `alloc::boxed`   |
+| `<dyn Error>::downcast_unchecked`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send>::downcast_unchecked`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send + Sync>::downcast_unchecked`  |  `alloc::boxed::convert`  |
+
+The following functions contain unsafe code in their bodies but are not themselves marked unsafe. At least 75% of these should be proven unconditionally safe, or safety contracts should be added:
+
+| Function | Location |
+|---------|---------|
+| `Box<T, A>::new_in`  |  `alloc::boxed`  |
+| `Box<T, A>::try_new_in`  |  `alloc::boxed`  |
+| `Box<T, A>::try_new_uninit_in`  |  `alloc::boxed`  |
+| `Box<T, A>::try_new_zeroed_in` |  `alloc::boxed`  |
+| `Box<T, A>::into_boxed_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::new_uninit_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::new_zeroed_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::try_new_uninit_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::try_new_zeroed_slice`  |  `alloc::boxed`  |
+| `Box<[T]>::into_array` |  `alloc::boxed`  |
+| `Box<T, A>::new_uninit_slice_in` |  `alloc::boxed` |
+| `Box<T, A>::new_zeroed_slice_in` |  `alloc::boxed`  |
+| `Box<T, A>::try_new_uninit_slice_in` |  `alloc::boxed`  |
+| `Box<T, A>::try_new_zeroed_slice_in` |  `alloc::boxed`  |
+| `Box<mem::MaybeUninit<T>, A>::write` |  `alloc::boxed`  |
+| `Box<T>::into_non_null` |  `alloc::boxed`  |
+| `Box<T, A>::into_raw_with_allocator` |  `alloc::boxed`  |
+| `Box<T, A>::into_non_null_with_allocator` |  `alloc::boxed`  |
+| `Box<T, A>::into_unique` |  `alloc::boxed`  |
+| `Box<T, A>::leak` |  `alloc::boxed`  |
+| `Box<T, A>::into_pin` |  `alloc::boxed`  |
+| `<Box<T, A> as Drop>::drop` |  `alloc::boxed`  |
+| `<Box<T> as Default>::default` |  `alloc::boxed`  |
+| `<Box<str> as Default>::default` |  `alloc::boxed`  |
+| `<Box<T, A> as Clone>::clone` |  `alloc::boxed`  |
+| `<Box<str> as Clone>::clone` |  `alloc::boxed`  |
+| `<Box<[T]> as BoxFromSlice<T>>::from_slice`  |  `alloc::boxed::convert`  |
+| `<Box<str> as From<&str>>::from`  |  `alloc::boxed::convert`  |
+| `<Box<[u8], A> as From<Box<str, A>>>::from`  |  `alloc::boxed::convert`  |
+| `<Box<[T; N]> as TryFrom<Box<[T]>>>::try_from` |  `alloc::boxed::convert`  |
+| `<Box<[T; N]> as TryFrom<Box<T>>>::try_from`  |  `alloc::boxed::convert`  |
+| `Box<dyn Any, A>::downcast` |  `alloc::boxed::convert`  |
+| `Box<dyn Any + Send, A>::downcast`  |  `alloc::boxed::convert`  |
+| `Box<dyn Any + Send + Sync, A>::downcast`  |  `alloc::boxed::convert`  |
+| `<dyn Error>::downcast`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send>::downcast`  |  `alloc::boxed::convert`  |
+| `<dyn Error + Send + Sync>::downcast`  |  `alloc::boxed::convert`  |
+| `<ThinBox<T> as Deref>::deref`  | `alloc::boxed::thin`   |
+| `<ThinBox<T> as DerefMut>::deref_mut`  | `alloc::boxed::thin`   |
+| `<ThinBox<T> as Drop>::drop`  | `alloc::boxed::thin`   |
+| `ThinBox<T>::meta`  | `alloc::boxed::thin`   |
+| `ThinBox<T>::with_header`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::new`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::try_new`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::new_unsize_zst`  | `alloc::boxed::thin`   |
+| `WithHeader<H>::header`  | `alloc::boxed::thin`   |
+
+For functions taking inputs of generic type 'T', the proofs can be limited to primitive types only.
+
+*List of UBs*
+
+In addition to any properties called out as SAFETY comments in the source code, all proofs must automatically ensure the absence of the following [undefined behaviors](https://github.com/rust-lang/reference/blob/142b2ed77d33f37a9973772bd95e6144ed9dce43/src/behavior-considered-undefined.md):
+* Accessing (loading from or storing to) a place that is dangling or based on a misaligned pointer.
+* Invoking undefined behavior via compiler intrinsics.
+* Mutating immutable bytes.
+* Producing an invalid value.
+
+Note: All solutions to verification challenges need to satisfy the criteria established in the [challenge book](../general-rules.md)
+in addition to the ones listed above.

library/Cargo.lock

@@ -23,8 +23,6 @@ safety = { path = "../contracts/safety" }
 compiler-builtins-mem = ['compiler_builtins/mem']
 compiler-builtins-c = ["compiler_builtins/c"]
 compiler-builtins-no-f16-f128 = ["compiler_builtins/no-f16-f128"]
-# Make panics and failed asserts immediately abort without formatting any message
-panic_immediate_abort = ["core/panic_immediate_abort"]
 # Choose algorithms that are optimized for binary size instead of runtime performance
 optimize_for_size = ["core/optimize_for_size"]
 

library/alloc/Cargo.toml

@@ -408,12 +408,12 @@ pub const fn handle_alloc_error(layout: Layout) -> ! {
         }
     }
 
-    #[cfg(not(feature = "panic_immediate_abort"))]
+    #[cfg(not(panic = "immediate-abort"))]
     {
         core::intrinsics::const_eval_select((layout,), ct_error, rt_error)
     }
 
-    #[cfg(feature = "panic_immediate_abort")]
+    #[cfg(panic = "immediate-abort")]
     ct_error(layout)
 }