cerc-io/solidity
16
0
Fork 0
mirror of https://github.com/ethereum/solidity synced 2023-10-03 13:03:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add verification target for empty pop

Browse Source
This commit is contained in:
Leonardo Alt 2020-05-17 23:21:08 +02:00
parent d4d26c02e4
commit 2435ab938c
21 changed files with 232 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
libsolidity/formal/CHC.cpp
View File

@ -98,17 +98,45 @@ void CHC::analyze(SourceUnit const& _source)
for (auto const& [scope, target]: m_verificationTargets)
{
auto assertions = transactionAssertions(scope);
for (auto const* assertion: assertions)
if (target.type == VerificationTarget::Type::Assert)
{
auto assertions = transactionAssertions(scope);
for (auto const* assertion: assertions)
{
createErrorBlock();
connectBlocks(target.value, error(), target.constraints && (target.errorId == assertion->id()));
auto [result, model] = query(error(), assertion->location());
// This should be fine but it's a bug in the old compiler
(void)model;
if (result == smt::CheckResult::UNSATISFIABLE)
m_safeAssertions.insert(assertion);
}
}
else if (target.type == VerificationTarget::Type::PopEmptyArray)
{
solAssert(dynamic_cast<FunctionCall const*>(scope), "");
createErrorBlock();
connectBlocks(target.value, error(), target.constraints && (target.errorId == assertion->id()));
auto [result, model] = query(error(), assertion->location());
connectBlocks(target.value, error(), target.constraints && (target.errorId == scope->id()));
auto [result, model] = query(error(), scope->location());
// This should be fine but it's a bug in the old compiler
(void)model;
if (result == smt::CheckResult::UNSATISFIABLE)
m_safeAssertions.insert(assertion);
if (result != smt::CheckResult::UNSATISFIABLE)
{
string msg = "Empty array \"pop\" ";
if (result == smt::CheckResult::SATISFIABLE)
msg += "detected here.";
else
msg += "might happen here.";
m_unsafeTargets.insert(scope);
m_outerErrorReporter.warning(
2529_error,
scope->location(),
msg
);
}
}
else
solAssert(false, "");
}
}
@ -161,7 +189,7 @@ void CHC::endVisit(ContractDefinition const& _contract)
auto stateExprs = vector<smt::Expression>{m_error.currentValue()} + currentStateVariables();
setCurrentBlock(*m_constructorSummaryPredicate, &stateExprs);
addVerificationTarget(m_currentContract, m_currentBlock, smt::Expression(true), m_error.currentValue());
addAssertVerificationTarget(m_currentContract, m_currentBlock, smt::Expression(true), m_error.currentValue());
connectBlocks(m_currentBlock, interface(), m_error.currentValue() == 0);
SMTEncoder::endVisit(_contract);
@ -256,7 +284,7 @@ void CHC::endVisit(FunctionDefinition const& _function)
if (_function.isPublic())
{
addVerificationTarget(&_function, m_currentBlock, sum, assertionError);
addAssertVerificationTarget(&_function, m_currentBlock, sum, assertionError);
connectBlocks(m_currentBlock, iface, sum && (assertionError == 0));
}
}
@ -556,10 +584,34 @@ void CHC::unknownFunctionCall(FunctionCall const&)
m_unknownFunctionCallSeen = true;
}
void CHC::makeArrayPopVerificationTarget(FunctionCall const& _arrayPop)
{
FunctionType const& funType = dynamic_cast<FunctionType const&>(*_arrayPop.expression().annotation().type);
solAssert(funType.kind() == FunctionType::Kind::ArrayPop, "");
auto memberAccess = dynamic_cast<MemberAccess const*>(&_arrayPop.expression());
solAssert(memberAccess, "");
auto symbArray = dynamic_pointer_cast<smt::SymbolicArrayVariable>(m_context.expression(memberAccess->expression()));
solAssert(symbArray, "");
auto previousError = m_error.currentValue();
m_error.increaseIndex();
addArrayPopVerificationTarget(&_arrayPop, m_error.currentValue());
connectBlocks(
m_currentBlock,
m_currentFunction->isConstructor() ? summary(*m_currentContract) : summary(*m_currentFunction),
currentPathConditions() && symbArray->length() <= 0 && m_error.currentValue() == _arrayPop.id()
);
m_context.addAssertion(m_error.currentValue() == previousError);
}
void CHC::resetSourceAnalysis()
{
m_verificationTargets.clear();
m_safeAssertions.clear();
m_unsafeTargets.clear();
m_functionAssertions.clear();
m_callGraph.clear();
m_summaries.clear();
@ -974,9 +1026,35 @@ pair<smt::CheckResult, vector<string>> CHC::query(smt::Expression const& _query,
return {result, values};
}
void CHC::addVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId)
void CHC::addVerificationTarget(
ASTNode const* _scope,
VerificationTarget::Type _type,
smt::Expression _from,
smt::Expression _constraints,
smt::Expression _errorId
)
{
m_verificationTargets.emplace(_scope, CHCVerificationTarget{{VerificationTarget::Type::Assert, _from, _constraints}, _errorId});
m_verificationTargets.emplace(_scope, CHCVerificationTarget{{_type, _from, _constraints}, _errorId});
}
void CHC::addAssertVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId)
{
addVerificationTarget(_scope, VerificationTarget::Type::Assert, _from, _constraints, _errorId);
}
void CHC::addArrayPopVerificationTarget(ASTNode const* _scope, smt::Expression _errorId)
{
solAssert(m_currentContract, "");
solAssert(m_currentFunction, "");
if (m_currentFunction->isConstructor())
addVerificationTarget(_scope, VerificationTarget::Type::PopEmptyArray, summary(*m_currentContract), smt::Expression(true), _errorId);
else
{
auto iface = (*m_interfaces.at(m_currentContract))(initialStateVariables());
auto sum = summary(*m_currentFunction);
addVerificationTarget(_scope, VerificationTarget::Type::PopEmptyArray, iface, sum, _errorId);
}
}
string CHC::uniquePrefix()

7
libsolidity/formal/CHC.h
View File

@ -78,6 +78,7 @@ private:
void visitAssert(FunctionCall const& _funCall);
void internalFunctionCall(FunctionCall const& _funCall);
void unknownFunctionCall(FunctionCall const& _funCall);
void makeArrayPopVerificationTarget(FunctionCall const& _arrayPop) override;
//@}
struct IdCompare
@ -182,7 +183,9 @@ private:
/// @returns <false, model> otherwise.
std::pair<smt::CheckResult, std::vector<std::string>> query(smt::Expression const& _query, langutil::SourceLocation const& _location);
void addVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId);
void addVerificationTarget(ASTNode const* _scope, VerificationTarget::Type _type, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId);
void addAssertVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId);
void addArrayPopVerificationTarget(ASTNode const* _scope, smt::Expression _errorId);
//@}
/// Misc.
@ -245,6 +248,8 @@ private:
/// Assertions proven safe.
std::set<Expression const*> m_safeAssertions;
/// Targets proven unsafe.
std::set<ASTNode const*> m_unsafeTargets;
//@}
/// Control-flow.

7
libsolidity/formal/SMTEncoder.cpp
View File

@ -1115,8 +1115,13 @@ void SMTEncoder::arrayPop(FunctionCall const& _funCall)
solAssert(memberAccess, "");
auto symbArray = dynamic_pointer_cast<smt::SymbolicArrayVariable>(m_context.expression(memberAccess->expression()));
solAssert(symbArray, "");
makeArrayPopVerificationTarget(_funCall);
auto oldElements = symbArray->elements();
auto oldLength = symbArray->length();
m_context.addAssertion(oldLength > 0);
symbArray->increaseIndex();
m_context.addAssertion(symbArray->elements() == oldElements);
auto newLength = smt::Expression::ite(
@ -1124,7 +1129,7 @@ void SMTEncoder::arrayPop(FunctionCall const& _funCall)
smt::maxValue(*TypeProvider::uint256()),
oldLength - 1
);
m_context.addAssertion(symbArray->length() == newLength);
m_context.addAssertion(symbArray->length() == oldLength - 1);
arrayPushPopAssign(memberAccess->expression(), symbArray->currentValue());
}

5
libsolidity/formal/SMTEncoder.h
View File

@ -140,6 +140,9 @@ protected:
void arrayPush(FunctionCall const& _funCall);
void arrayPop(FunctionCall const& _funCall);
void arrayPushPopAssign(Expression const& _expr, smt::Expression const& _array);
/// Allows BMC and CHC to create verification targets for popping
/// an empty array.
virtual void makeArrayPopVerificationTarget(FunctionCall const&) {}
/// Division expression in the given type. Requires special treatment because
/// of rounding for signed division.
@ -244,7 +247,7 @@ protected:
struct VerificationTarget
{
enum class Type { ConstantCondition, Underflow, Overflow, UnderOverflow, DivByZero, Balance, Assert } type;
enum class Type { ConstantCondition, Underflow, Overflow, UnderOverflow, DivByZero, Balance, Assert, PopEmptyArray } type;
smt::Expression value;
smt::Expression constraints;
};

9
test/libsolidity/smtCheckerTests/array_members/pop_1_safe.sol Normal file
View File

@ -0,0 +1,9 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
function f() public {
a.push();
a.pop();
}
}

10
test/libsolidity/smtCheckerTests/array_members/pop_1_unsafe.sol Normal file
View File

@ -0,0 +1,10 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
function f() public {
a.pop();
}
}
// ----
// Warning: (82-89): Empty array "pop" detected here.

10
test/libsolidity/smtCheckerTests/array_members/pop_2d_safe.sol Normal file
View File

@ -0,0 +1,10 @@
pragma experimental SMTChecker;
contract C {
uint[][] a;
function f() public {
a.push();
a[0].push();
a[0].pop();
}
}

10
test/libsolidity/smtCheckerTests/array_members/pop_2d_unsafe.sol Normal file
View File

@ -0,0 +1,10 @@
pragma experimental SMTChecker;
contract C {
uint[][] a;
function f() public {
a.push();
a[0].push();
a[1].pop();
}
}

9
test/libsolidity/smtCheckerTests/array_members/pop_constructor_safe.sol Normal file
View File

@ -0,0 +1,9 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
constructor() public {
a.push();
a.pop();
}
}

8
test/libsolidity/smtCheckerTests/array_members/pop_constructor_unsafe.sol Normal file
View File

@ -0,0 +1,8 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
constructor() public {
a.pop();
}
}

11
test/libsolidity/smtCheckerTests/array_members/pop_loop_safe.sol Normal file
View File

@ -0,0 +1,11 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
function f(uint l) public {
for (uint i = 0; i < l; ++i) {
a.push();
a.pop();
}
}
}

12
test/libsolidity/smtCheckerTests/array_members/pop_loop_unsafe.sol Normal file
View File

@ -0,0 +1,12 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
function f(uint l) public {
for (uint i = 0; i < l; ++i) {
a.push();
a.pop();
}
a.pop();
}
}

3
test/libsolidity/smtCheckerTests/array_members/push_2d.sol → test/libsolidity/smtCheckerTests/array_members/push_2d_arg_1_safe.sol
View File

@ -3,10 +3,7 @@ pragma experimental SMTChecker;
contract C {
uint[][] a;
function f(uint[] memory x, uint y) public {
require(a.length < 100000);
a.push(x);
assert(a[a.length - 1][0] == x[0]);
require(a[0].length < 100000);
a[0].push(y);
assert(a[0][a[0].length - 1] == y);
}

11
test/libsolidity/smtCheckerTests/array_members/push_2d_arg_1_unsafe.sol Normal file
View File

@ -0,0 +1,11 @@
pragma experimental SMTChecker;
contract C {
uint[][] a;
function f(uint[] memory x, uint y) public {
a.push(x);
a[0].push(y);
a[0].pop();
assert(a[0][a[0].length - 1] == y);
}
}

1
test/libsolidity/smtCheckerTests/array_members/push.sol → test/libsolidity/smtCheckerTests/array_members/push_arg_1.sol
View File

@ -3,7 +3,6 @@ pragma experimental SMTChecker;
contract C {
uint[] a;
function f(uint x) public {
require(a.length < 100000);
a.push(x);
assert(a[a.length - 1] == x);
}

1
test/libsolidity/smtCheckerTests/array_members/push_overflow_1_safe_no_overflow_assumption.sol
View File

@ -8,4 +8,3 @@ contract C {
assert(x[0] == 42);
}
}
// ----

2
test/libsolidity/smtCheckerTests/array_members/push_overflow_2_safe_no_overflow_assumption.sol
View File

@ -11,5 +11,3 @@ contract C {
assert(x[0] == 42);
}
}
// ----

10
test/libsolidity/smtCheckerTests/array_members/push_zero_2d_safe.sol Normal file
View File

@ -0,0 +1,10 @@
pragma experimental SMTChecker;
contract C {
uint[][] a;
function f() public {
a.push();
a[0].push();
assert(a[a.length - 1][0] == 0);
}
}

10
test/libsolidity/smtCheckerTests/array_members/push_zero_2d_unsafe.sol Normal file
View File

@ -0,0 +1,10 @@
pragma experimental SMTChecker;
contract C {
uint[][] a;
function f() public {
a.push();
a[0].push();
assert(a[a.length - 1][0] == 100);
}
}

9
test/libsolidity/smtCheckerTests/array_members/push_zero_safe.sol Normal file
View File

@ -0,0 +1,9 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
function f() public {
a.push();
assert(a[a.length - 1] == 0);
}
}

9
test/libsolidity/smtCheckerTests/array_members/push_zero_unsafe.sol Normal file
View File

@ -0,0 +1,9 @@
pragma experimental SMTChecker;
contract C {
uint[] a;
function f() public {
a.push();
assert(a[a.length - 1] == 100);
}
}