virtio-queue: kani proofs for virtio queue #363

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

priyasiddharth wants to merge 2 commits into rust-vmm:main from priyasiddharth:main

Contributor

priyasiddharth commented Sep 15, 2025

Summary of the PR

This PR adds new Kani proofs for virtio queue mainly around notification logic.

Requirements

Before submitting your PR, please make sure you addressed the following
requirements:

All commits in this PR have Signed-Off-By trailers (with
git commit -s), and the commit message has max 60 characters for the
summary and max 75 characters for each description line.
All added/changed functionality has a corresponding unit/integration
test.
All added/changed public-facing functionality has entries in the "Upcoming
Release" section of CHANGELOG.md (if no such section exists, please create one).
Any newly added unsafe code is properly documented.

priyasiddharth requested review from alexandruag, andreeaflorescu, jiangliu, slp, stsquad, epilys and stefano-garzarella as code owners

September 15, 2025 13:57

priyasiddharth added 2 commits

September 15, 2025 10:23


          virtio-queue: handle more cases for needs_notification proof

4a8b048

This simplifies the logic for the existing need_notification proof
and makes it more general accounting for both when notification is
needed and when it is not.

Signed-off-by: Siddharth Priya <[email protected]>


          virtio-queue: additional proofs around notification logic

24dc553

1. Verify enable_notification logic
2. Verify when driver should send notification to device
3. Verify when driver should not send notification to device
4. Verify that set_next_used method actually changes the next_used field in memory

Signed-off-by: Siddharth Priya <[email protected]>

priyasiddharth force-pushed the main branch from edd1731 to 24dc553 Compare

September 15, 2025 14:27

Contributor Author

priyasiddharth commented Sep 15, 2025

@MatiasVara FYI

epilys changed the title ~~virtio-queue: kani proofs for vritio queue~~ virtio-queue: kani proofs for virtio queue

stefano-garzarella reviewed

View reviewed changes

virtio-queue/src/queue/verification.rs

    
                  let ProofContext { mut queue, memory } = kani::any();

                  let result = queue.set_notification(&memory, false /* disable notification */);

                  if !queue.event_idx_enabled {

                      // Check for Sec 2.7.10

Member

stefano-garzarella Sep 24, 2025

Sec, should be Spec right?

Also the test doc talks about Specification (VirtIO 1.3, Section 2.7.7: "Used Buffer Notification Suppression") what 2.7.10 is? Is related to virtio 1.3?

Please be more verbose with that references.

Contributor

MatiasVara Sep 24, 2025

I think here you could add that Section 2.7.10 of the Virtio spec explains how the device can indicates to the driver that notifications are not required when adding buffers into the avail right.

virtio-queue/src/queue/verification.rs

    
                  }

              }

              /// # Specification (VirtIO 1.3, Section 2.7.7.2: "Device Requirements: Used Buffer Notification Suppression")

Member

stefano-garzarella Sep 24, 2025

The commit 4a8b048 description is not really clear to me.

It seems now this function don't test only the suppression, so should we update this documentation?

Contributor

MatiasVara Sep 24, 2025

I think the proof is testing both w/wo suppression. I think the comment should only mention about the notification.

stefano-garzarella reviewed

View reviewed changes

virtio-queue/src/queue/verification.rs

    
                  mem: &M,

                  order: Ordering,

              ) -> Result<u16, Error> {

                  // This can not overflow an u64 since it is working with relatively small numbers compar

Member

stefano-garzarella Sep 24, 2025

Suggested change

      
                // This can not overflow an u64 since it is working with relatively small numbers compar
          
                // This can not overflow an u64 since it is working with relatively small numbers compared

MatiasVara reviewed

View reviewed changes

virtio-queue/src/queue/verification.rs

    
                  //   - true, if there are pending entries in the `idx` field of the

                  //     avail ring

                  //   - false, if there are no pending entries in the `idx` field of the

                  // avail ring The check for pending entries is done by comparing the

Contributor

MatiasVara Sep 24, 2025

Suggested change

      
                // avail ring The check for pending entries is done by comparing the
          
                // avail ring. The check for pending entries is done by comparing the

MatiasVara reviewed

View reviewed changes

virtio-queue/src/queue/verification.rs

    
                  mem.load::<u16>(queue.used_ring, order)

                      .map(u16::from_le)

                      .map_err(Error::GuestMemory)

              }

Contributor

MatiasVara Sep 24, 2025

Suggested change

MatiasVara reviewed

View reviewed changes

virtio-queue/src/queue/verification.rs

    
              #[kani::unwind(0)]

              fn verify_set_notification_false() {

                  let ProofContext { mut queue, memory } = kani::any();

                  let result = queue.set_notification(&memory, false /* disable notification */);

Contributor

MatiasVara Sep 24, 2025 •

edited

Loading

Can't we use kany::any to cover the potential values of the second parameter of set_notification()? This would prevent having two proofs.

MatiasVara reviewed

View reviewed changes

virtio-queue/src/queue/verification.rs

    
              /// This proof checks that:

              /// - If there are pending entries in the avail ring (avail_idx != next_avail),

              ///   `enable_notification` returns true.

              /// - If there are no pending entries (avail_idx == next_avail), it returns false.

Contributor

MatiasVara Sep 24, 2025 •

edited

Loading

I think VirtIO 1.3, Section 2.7.6.1 states that avail_idx is always >= than next_avail. Although, it is correct that enable_notification() checks only if they are different.

Contributor

MatiasVara commented Sep 24, 2025

In overall, LGTM! but I think you have to improve the commit msgs first. For example in 4a8b048, I would explain exactly how this commit handles more. Similarly in 24dc553, I would state in the commit msg what is the expected result of the method for what we are adding the proof.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

stefano-garzarella stefano-garzarella left review comments

alexandruag Awaiting requested review from alexandruag alexandruag is a code owner

andreeaflorescu Awaiting requested review from andreeaflorescu andreeaflorescu is a code owner

jiangliu Awaiting requested review from jiangliu jiangliu is a code owner

slp Awaiting requested review from slp slp is a code owner

stsquad Awaiting requested review from stsquad stsquad is a code owner

epilys Awaiting requested review from epilys epilys is a code owner

+1 more reviewer

MatiasVara MatiasVara left review comments

At least 2 approving reviews are required to merge this pull request.

Labels

None yet