solidity/libsolidity/formal/BMC.h

230 lines
7.6 KiB
C
Raw Permalink Normal View History

/*
This file is part of solidity.
solidity is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
solidity is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with solidity. If not, see <http://www.gnu.org/licenses/>.
*/
// SPDX-License-Identifier: GPL-3.0
/**
* Class that implements an SMT-based Bounded Model Checker (BMC).
* Traverses the AST such that:
* - Loops are unrolled
* - Internal function calls are inlined
* Creates verification targets for:
* - Underflow/Overflow
* - Constant conditions
* - Assertions
*/
#pragma once
#include <libsolidity/formal/EncodingContext.h>
#include <libsolidity/formal/ModelCheckerSettings.h>
#include <libsolidity/formal/SMTEncoder.h>
#include <libsolidity/interface/ReadFile.h>
2020-05-18 15:42:24 +00:00
#include <libsmtutil/SolverInterface.h>
#include <liblangutil/UniqueErrorReporter.h>
2019-07-04 12:44:10 +00:00
#include <set>
#include <string>
#include <vector>
2019-12-11 16:31:36 +00:00
using solidity::util::h256;
namespace solidity::langutil
{
class ErrorReporter;
2020-05-12 00:29:54 +00:00
struct ErrorId;
struct SourceLocation;
}
2019-12-11 16:31:36 +00:00
namespace solidity::frontend
{
class BMC: public SMTEncoder
{
public:
BMC(
smt::EncodingContext& _context,
langutil::UniqueErrorReporter& _errorReporter,
2023-03-06 13:19:58 +00:00
langutil::UniqueErrorReporter& _unsupportedErrorReporter,
std::map<h256, std::string> const& _smtlib2Responses,
ReadCallback::Callback const& _smtCallback,
ModelCheckerSettings _settings,
2021-07-01 15:28:06 +00:00
langutil::CharStreamProvider const& _charStreamProvider
);
void analyze(SourceUnit const& _sources, std::map<ASTNode const*, std::set<VerificationTargetType>, smt::EncodingContext::IdCompare> _solvedTargets);
/// This is used if the SMT solver is not directly linked into this binary.
/// @returns a list of inputs to the SMT solver that were not part of the argument to
/// the constructor.
std::vector<std::string> unhandledQueries() { return m_interface->unhandledQueries(); }
/// @returns true if _funCall should be inlined, otherwise false.
2021-01-25 17:17:56 +00:00
/// @param _scopeContract The contract that contains the current function being analyzed.
/// @param _contextContract The most derived contract, currently being analyzed.
static bool shouldInlineFunctionCall(
FunctionCall const& _funCall,
ContractDefinition const* _scopeContract,
ContractDefinition const* _contextContract
);
private:
/// AST visitors.
/// Only nodes that lead to verification targets being built
/// or checked are visited.
//@{
bool visit(ContractDefinition const& _node) override;
void endVisit(ContractDefinition const& _node) override;
bool visit(FunctionDefinition const& _node) override;
void endVisit(FunctionDefinition const& _node) override;
bool visit(IfStatement const& _node) override;
bool visit(Conditional const& _node) override;
bool visit(WhileStatement const& _node) override;
bool visit(ForStatement const& _node) override;
void endVisit(UnaryOperation const& _node) override;
void endVisit(FunctionCall const& _node) override;
void endVisit(Return const& _node) override;
bool visit(TryStatement const& _node) override;
bool visit(Break const& _node) override;
bool visit(Continue const& _node) override;
//@}
/// Visitor helpers.
//@{
void visitAssert(FunctionCall const& _funCall);
void visitRequire(FunctionCall const& _funCall);
void visitAddMulMod(FunctionCall const& _funCall) override;
void assignment(smt::SymbolicVariable& _symVar, smtutil::Expression const& _value) override;
/// Visits the FunctionDefinition of the called function
/// if available and inlines the return value.
void inlineFunctionCall(FunctionCall const& _funCall);
/// Inlines if the function call is internal or external to `this`.
/// Erases knowledge about state variables if external.
void internalOrExternalFunctionCall(FunctionCall const& _funCall);
/// Creates underflow/overflow verification targets.
2020-05-19 12:14:46 +00:00
std::pair<smtutil::Expression, smtutil::Expression> arithmeticOperation(
Token _op,
2020-05-19 12:14:46 +00:00
smtutil::Expression const& _left,
smtutil::Expression const& _right,
Type const* _commonType,
Expression const& _expression
) override;
void reset();
2020-05-19 12:14:46 +00:00
std::pair<std::vector<smtutil::Expression>, std::vector<std::string>> modelExpressions();
//@}
/// Verification targets.
//@{
struct BMCVerificationTarget: VerificationTarget
{
Expression const* expression;
std::vector<CallStackEntry> callStack;
2020-05-19 12:14:46 +00:00
std::pair<std::vector<smtutil::Expression>, std::vector<std::string>> modelExpressions;
2023-02-09 16:07:13 +00:00
friend bool operator<(BMCVerificationTarget const& _a, BMCVerificationTarget const& _b)
{
return _a.expression->id() < _b.expression->id();
}
};
2023-02-09 16:07:13 +00:00
std::string targetDescription(BMCVerificationTarget const& _target);
2020-12-16 17:32:34 +00:00
void checkVerificationTargets();
void checkVerificationTarget(BMCVerificationTarget& _target);
void checkConstantCondition(BMCVerificationTarget& _target);
2020-12-16 17:32:34 +00:00
void checkUnderflow(BMCVerificationTarget& _target);
void checkOverflow(BMCVerificationTarget& _target);
void checkDivByZero(BMCVerificationTarget& _target);
void checkBalance(BMCVerificationTarget& _target);
void checkAssert(BMCVerificationTarget& _target);
void addVerificationTarget(
VerificationTargetType _type,
2020-05-19 12:14:46 +00:00
smtutil::Expression const& _value,
Expression const* _expression
);
//@}
/// Solver related.
//@{
/// Check that a condition can be satisfied.
void checkCondition(
2023-02-09 16:07:13 +00:00
BMCVerificationTarget const& _target,
2020-05-19 12:14:46 +00:00
smtutil::Expression _condition,
2020-05-12 00:29:54 +00:00
std::vector<CallStackEntry> const& _callStack,
2020-05-19 12:14:46 +00:00
std::pair<std::vector<smtutil::Expression>, std::vector<std::string>> const& _modelExpressions,
langutil::SourceLocation const& _location,
2020-05-12 00:29:54 +00:00
langutil::ErrorId _errorHappens,
langutil::ErrorId _errorMightHappen,
std::string const& _additionalValueName = "",
2020-05-19 12:14:46 +00:00
smtutil::Expression const* _additionalValue = nullptr
);
/// Checks that a boolean condition is not constant. Do not warn if the expression
/// is a literal constant.
void checkBooleanNotConstant(
Expression const& _condition,
2020-05-19 12:14:46 +00:00
smtutil::Expression const& _constraints,
smtutil::Expression const& _value,
2020-05-12 00:29:54 +00:00
std::vector<CallStackEntry> const& _callStack
);
2020-05-19 12:14:46 +00:00
std::pair<smtutil::CheckResult, std::vector<std::string>>
checkSatisfiableAndGenerateModel(std::vector<smtutil::Expression> const& _expressionsToEvaluate);
2020-05-19 12:14:46 +00:00
smtutil::CheckResult checkSatisfiable();
//@}
smtutil::Expression mergeVariablesFromLoopCheckpoints();
bool isInsideLoop() const;
2020-05-19 12:14:46 +00:00
std::unique_ptr<smtutil::SolverInterface> m_interface;
/// Flags used for better warning messages.
bool m_loopExecutionHappened = false;
bool m_externalFunctionCallHappened = false;
std::vector<BMCVerificationTarget> m_verificationTargets;
2023-02-09 16:07:13 +00:00
/// Targets proved safe by this engine.
std::map<ASTNode const*, std::set<BMCVerificationTarget>, smt::EncodingContext::IdCompare> m_safeTargets;
/// Targets that were already proven before this engine started.
std::map<ASTNode const*, std::set<VerificationTargetType>, smt::EncodingContext::IdCompare> m_solvedTargets;
/// Number of verification conditions that could not be proved.
size_t m_unprovedAmt = 0;
enum class LoopControlKind
{
Continue,
Break
};
// Current path conditions and SSA indices for break or continue statement
struct LoopControl {
LoopControlKind kind;
smtutil::Expression pathConditions;
VariableIndices variableIndices;
};
// Loop control statements for every loop
std::stack<std::vector<LoopControl>> m_loopCheckpoints;
};
}