mirror of
https://github.com/ethereum/solidity
synced 2023-10-03 13:03:40 +00:00
Add verification target for empty pop
This commit is contained in:
parent
d4d26c02e4
commit
2435ab938c
@ -98,17 +98,45 @@ void CHC::analyze(SourceUnit const& _source)
|
|||||||
|
|
||||||
for (auto const& [scope, target]: m_verificationTargets)
|
for (auto const& [scope, target]: m_verificationTargets)
|
||||||
{
|
{
|
||||||
auto assertions = transactionAssertions(scope);
|
if (target.type == VerificationTarget::Type::Assert)
|
||||||
for (auto const* assertion: assertions)
|
|
||||||
{
|
{
|
||||||
|
auto assertions = transactionAssertions(scope);
|
||||||
|
for (auto const* assertion: assertions)
|
||||||
|
{
|
||||||
|
createErrorBlock();
|
||||||
|
connectBlocks(target.value, error(), target.constraints && (target.errorId == assertion->id()));
|
||||||
|
auto [result, model] = query(error(), assertion->location());
|
||||||
|
// This should be fine but it's a bug in the old compiler
|
||||||
|
(void)model;
|
||||||
|
if (result == smt::CheckResult::UNSATISFIABLE)
|
||||||
|
m_safeAssertions.insert(assertion);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (target.type == VerificationTarget::Type::PopEmptyArray)
|
||||||
|
{
|
||||||
|
solAssert(dynamic_cast<FunctionCall const*>(scope), "");
|
||||||
createErrorBlock();
|
createErrorBlock();
|
||||||
connectBlocks(target.value, error(), target.constraints && (target.errorId == assertion->id()));
|
connectBlocks(target.value, error(), target.constraints && (target.errorId == scope->id()));
|
||||||
auto [result, model] = query(error(), assertion->location());
|
auto [result, model] = query(error(), scope->location());
|
||||||
// This should be fine but it's a bug in the old compiler
|
// This should be fine but it's a bug in the old compiler
|
||||||
(void)model;
|
(void)model;
|
||||||
if (result == smt::CheckResult::UNSATISFIABLE)
|
if (result != smt::CheckResult::UNSATISFIABLE)
|
||||||
m_safeAssertions.insert(assertion);
|
{
|
||||||
|
string msg = "Empty array \"pop\" ";
|
||||||
|
if (result == smt::CheckResult::SATISFIABLE)
|
||||||
|
msg += "detected here.";
|
||||||
|
else
|
||||||
|
msg += "might happen here.";
|
||||||
|
m_unsafeTargets.insert(scope);
|
||||||
|
m_outerErrorReporter.warning(
|
||||||
|
2529_error,
|
||||||
|
scope->location(),
|
||||||
|
msg
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
solAssert(false, "");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -161,7 +189,7 @@ void CHC::endVisit(ContractDefinition const& _contract)
|
|||||||
auto stateExprs = vector<smt::Expression>{m_error.currentValue()} + currentStateVariables();
|
auto stateExprs = vector<smt::Expression>{m_error.currentValue()} + currentStateVariables();
|
||||||
setCurrentBlock(*m_constructorSummaryPredicate, &stateExprs);
|
setCurrentBlock(*m_constructorSummaryPredicate, &stateExprs);
|
||||||
|
|
||||||
addVerificationTarget(m_currentContract, m_currentBlock, smt::Expression(true), m_error.currentValue());
|
addAssertVerificationTarget(m_currentContract, m_currentBlock, smt::Expression(true), m_error.currentValue());
|
||||||
connectBlocks(m_currentBlock, interface(), m_error.currentValue() == 0);
|
connectBlocks(m_currentBlock, interface(), m_error.currentValue() == 0);
|
||||||
|
|
||||||
SMTEncoder::endVisit(_contract);
|
SMTEncoder::endVisit(_contract);
|
||||||
@ -256,7 +284,7 @@ void CHC::endVisit(FunctionDefinition const& _function)
|
|||||||
|
|
||||||
if (_function.isPublic())
|
if (_function.isPublic())
|
||||||
{
|
{
|
||||||
addVerificationTarget(&_function, m_currentBlock, sum, assertionError);
|
addAssertVerificationTarget(&_function, m_currentBlock, sum, assertionError);
|
||||||
connectBlocks(m_currentBlock, iface, sum && (assertionError == 0));
|
connectBlocks(m_currentBlock, iface, sum && (assertionError == 0));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -556,10 +584,34 @@ void CHC::unknownFunctionCall(FunctionCall const&)
|
|||||||
m_unknownFunctionCallSeen = true;
|
m_unknownFunctionCallSeen = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void CHC::makeArrayPopVerificationTarget(FunctionCall const& _arrayPop)
|
||||||
|
{
|
||||||
|
FunctionType const& funType = dynamic_cast<FunctionType const&>(*_arrayPop.expression().annotation().type);
|
||||||
|
solAssert(funType.kind() == FunctionType::Kind::ArrayPop, "");
|
||||||
|
|
||||||
|
auto memberAccess = dynamic_cast<MemberAccess const*>(&_arrayPop.expression());
|
||||||
|
solAssert(memberAccess, "");
|
||||||
|
auto symbArray = dynamic_pointer_cast<smt::SymbolicArrayVariable>(m_context.expression(memberAccess->expression()));
|
||||||
|
solAssert(symbArray, "");
|
||||||
|
|
||||||
|
auto previousError = m_error.currentValue();
|
||||||
|
m_error.increaseIndex();
|
||||||
|
|
||||||
|
addArrayPopVerificationTarget(&_arrayPop, m_error.currentValue());
|
||||||
|
connectBlocks(
|
||||||
|
m_currentBlock,
|
||||||
|
m_currentFunction->isConstructor() ? summary(*m_currentContract) : summary(*m_currentFunction),
|
||||||
|
currentPathConditions() && symbArray->length() <= 0 && m_error.currentValue() == _arrayPop.id()
|
||||||
|
);
|
||||||
|
|
||||||
|
m_context.addAssertion(m_error.currentValue() == previousError);
|
||||||
|
}
|
||||||
|
|
||||||
void CHC::resetSourceAnalysis()
|
void CHC::resetSourceAnalysis()
|
||||||
{
|
{
|
||||||
m_verificationTargets.clear();
|
m_verificationTargets.clear();
|
||||||
m_safeAssertions.clear();
|
m_safeAssertions.clear();
|
||||||
|
m_unsafeTargets.clear();
|
||||||
m_functionAssertions.clear();
|
m_functionAssertions.clear();
|
||||||
m_callGraph.clear();
|
m_callGraph.clear();
|
||||||
m_summaries.clear();
|
m_summaries.clear();
|
||||||
@ -974,9 +1026,35 @@ pair<smt::CheckResult, vector<string>> CHC::query(smt::Expression const& _query,
|
|||||||
return {result, values};
|
return {result, values};
|
||||||
}
|
}
|
||||||
|
|
||||||
void CHC::addVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId)
|
void CHC::addVerificationTarget(
|
||||||
|
ASTNode const* _scope,
|
||||||
|
VerificationTarget::Type _type,
|
||||||
|
smt::Expression _from,
|
||||||
|
smt::Expression _constraints,
|
||||||
|
smt::Expression _errorId
|
||||||
|
)
|
||||||
{
|
{
|
||||||
m_verificationTargets.emplace(_scope, CHCVerificationTarget{{VerificationTarget::Type::Assert, _from, _constraints}, _errorId});
|
m_verificationTargets.emplace(_scope, CHCVerificationTarget{{_type, _from, _constraints}, _errorId});
|
||||||
|
}
|
||||||
|
|
||||||
|
void CHC::addAssertVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId)
|
||||||
|
{
|
||||||
|
addVerificationTarget(_scope, VerificationTarget::Type::Assert, _from, _constraints, _errorId);
|
||||||
|
}
|
||||||
|
|
||||||
|
void CHC::addArrayPopVerificationTarget(ASTNode const* _scope, smt::Expression _errorId)
|
||||||
|
{
|
||||||
|
solAssert(m_currentContract, "");
|
||||||
|
solAssert(m_currentFunction, "");
|
||||||
|
|
||||||
|
if (m_currentFunction->isConstructor())
|
||||||
|
addVerificationTarget(_scope, VerificationTarget::Type::PopEmptyArray, summary(*m_currentContract), smt::Expression(true), _errorId);
|
||||||
|
else
|
||||||
|
{
|
||||||
|
auto iface = (*m_interfaces.at(m_currentContract))(initialStateVariables());
|
||||||
|
auto sum = summary(*m_currentFunction);
|
||||||
|
addVerificationTarget(_scope, VerificationTarget::Type::PopEmptyArray, iface, sum, _errorId);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
string CHC::uniquePrefix()
|
string CHC::uniquePrefix()
|
||||||
|
@ -78,6 +78,7 @@ private:
|
|||||||
void visitAssert(FunctionCall const& _funCall);
|
void visitAssert(FunctionCall const& _funCall);
|
||||||
void internalFunctionCall(FunctionCall const& _funCall);
|
void internalFunctionCall(FunctionCall const& _funCall);
|
||||||
void unknownFunctionCall(FunctionCall const& _funCall);
|
void unknownFunctionCall(FunctionCall const& _funCall);
|
||||||
|
void makeArrayPopVerificationTarget(FunctionCall const& _arrayPop) override;
|
||||||
//@}
|
//@}
|
||||||
|
|
||||||
struct IdCompare
|
struct IdCompare
|
||||||
@ -182,7 +183,9 @@ private:
|
|||||||
/// @returns <false, model> otherwise.
|
/// @returns <false, model> otherwise.
|
||||||
std::pair<smt::CheckResult, std::vector<std::string>> query(smt::Expression const& _query, langutil::SourceLocation const& _location);
|
std::pair<smt::CheckResult, std::vector<std::string>> query(smt::Expression const& _query, langutil::SourceLocation const& _location);
|
||||||
|
|
||||||
void addVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId);
|
void addVerificationTarget(ASTNode const* _scope, VerificationTarget::Type _type, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId);
|
||||||
|
void addAssertVerificationTarget(ASTNode const* _scope, smt::Expression _from, smt::Expression _constraints, smt::Expression _errorId);
|
||||||
|
void addArrayPopVerificationTarget(ASTNode const* _scope, smt::Expression _errorId);
|
||||||
//@}
|
//@}
|
||||||
|
|
||||||
/// Misc.
|
/// Misc.
|
||||||
@ -245,6 +248,8 @@ private:
|
|||||||
|
|
||||||
/// Assertions proven safe.
|
/// Assertions proven safe.
|
||||||
std::set<Expression const*> m_safeAssertions;
|
std::set<Expression const*> m_safeAssertions;
|
||||||
|
/// Targets proven unsafe.
|
||||||
|
std::set<ASTNode const*> m_unsafeTargets;
|
||||||
//@}
|
//@}
|
||||||
|
|
||||||
/// Control-flow.
|
/// Control-flow.
|
||||||
|
@ -1115,8 +1115,13 @@ void SMTEncoder::arrayPop(FunctionCall const& _funCall)
|
|||||||
solAssert(memberAccess, "");
|
solAssert(memberAccess, "");
|
||||||
auto symbArray = dynamic_pointer_cast<smt::SymbolicArrayVariable>(m_context.expression(memberAccess->expression()));
|
auto symbArray = dynamic_pointer_cast<smt::SymbolicArrayVariable>(m_context.expression(memberAccess->expression()));
|
||||||
solAssert(symbArray, "");
|
solAssert(symbArray, "");
|
||||||
|
|
||||||
|
makeArrayPopVerificationTarget(_funCall);
|
||||||
|
|
||||||
auto oldElements = symbArray->elements();
|
auto oldElements = symbArray->elements();
|
||||||
auto oldLength = symbArray->length();
|
auto oldLength = symbArray->length();
|
||||||
|
m_context.addAssertion(oldLength > 0);
|
||||||
|
|
||||||
symbArray->increaseIndex();
|
symbArray->increaseIndex();
|
||||||
m_context.addAssertion(symbArray->elements() == oldElements);
|
m_context.addAssertion(symbArray->elements() == oldElements);
|
||||||
auto newLength = smt::Expression::ite(
|
auto newLength = smt::Expression::ite(
|
||||||
@ -1124,7 +1129,7 @@ void SMTEncoder::arrayPop(FunctionCall const& _funCall)
|
|||||||
smt::maxValue(*TypeProvider::uint256()),
|
smt::maxValue(*TypeProvider::uint256()),
|
||||||
oldLength - 1
|
oldLength - 1
|
||||||
);
|
);
|
||||||
m_context.addAssertion(symbArray->length() == newLength);
|
m_context.addAssertion(symbArray->length() == oldLength - 1);
|
||||||
|
|
||||||
arrayPushPopAssign(memberAccess->expression(), symbArray->currentValue());
|
arrayPushPopAssign(memberAccess->expression(), symbArray->currentValue());
|
||||||
}
|
}
|
||||||
|
@ -140,6 +140,9 @@ protected:
|
|||||||
void arrayPush(FunctionCall const& _funCall);
|
void arrayPush(FunctionCall const& _funCall);
|
||||||
void arrayPop(FunctionCall const& _funCall);
|
void arrayPop(FunctionCall const& _funCall);
|
||||||
void arrayPushPopAssign(Expression const& _expr, smt::Expression const& _array);
|
void arrayPushPopAssign(Expression const& _expr, smt::Expression const& _array);
|
||||||
|
/// Allows BMC and CHC to create verification targets for popping
|
||||||
|
/// an empty array.
|
||||||
|
virtual void makeArrayPopVerificationTarget(FunctionCall const&) {}
|
||||||
|
|
||||||
/// Division expression in the given type. Requires special treatment because
|
/// Division expression in the given type. Requires special treatment because
|
||||||
/// of rounding for signed division.
|
/// of rounding for signed division.
|
||||||
@ -244,7 +247,7 @@ protected:
|
|||||||
|
|
||||||
struct VerificationTarget
|
struct VerificationTarget
|
||||||
{
|
{
|
||||||
enum class Type { ConstantCondition, Underflow, Overflow, UnderOverflow, DivByZero, Balance, Assert } type;
|
enum class Type { ConstantCondition, Underflow, Overflow, UnderOverflow, DivByZero, Balance, Assert, PopEmptyArray } type;
|
||||||
smt::Expression value;
|
smt::Expression value;
|
||||||
smt::Expression constraints;
|
smt::Expression constraints;
|
||||||
};
|
};
|
||||||
|
@ -0,0 +1,9 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
function f() public {
|
||||||
|
a.push();
|
||||||
|
a.pop();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,10 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
function f() public {
|
||||||
|
a.pop();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// ----
|
||||||
|
// Warning: (82-89): Empty array "pop" detected here.
|
@ -0,0 +1,10 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[][] a;
|
||||||
|
function f() public {
|
||||||
|
a.push();
|
||||||
|
a[0].push();
|
||||||
|
a[0].pop();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,10 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[][] a;
|
||||||
|
function f() public {
|
||||||
|
a.push();
|
||||||
|
a[0].push();
|
||||||
|
a[1].pop();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,9 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
constructor() public {
|
||||||
|
a.push();
|
||||||
|
a.pop();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,8 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
constructor() public {
|
||||||
|
a.pop();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,11 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
function f(uint l) public {
|
||||||
|
for (uint i = 0; i < l; ++i) {
|
||||||
|
a.push();
|
||||||
|
a.pop();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,12 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
function f(uint l) public {
|
||||||
|
for (uint i = 0; i < l; ++i) {
|
||||||
|
a.push();
|
||||||
|
a.pop();
|
||||||
|
}
|
||||||
|
a.pop();
|
||||||
|
}
|
||||||
|
}
|
@ -3,10 +3,7 @@ pragma experimental SMTChecker;
|
|||||||
contract C {
|
contract C {
|
||||||
uint[][] a;
|
uint[][] a;
|
||||||
function f(uint[] memory x, uint y) public {
|
function f(uint[] memory x, uint y) public {
|
||||||
require(a.length < 100000);
|
|
||||||
a.push(x);
|
a.push(x);
|
||||||
assert(a[a.length - 1][0] == x[0]);
|
|
||||||
require(a[0].length < 100000);
|
|
||||||
a[0].push(y);
|
a[0].push(y);
|
||||||
assert(a[0][a[0].length - 1] == y);
|
assert(a[0][a[0].length - 1] == y);
|
||||||
}
|
}
|
@ -0,0 +1,11 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[][] a;
|
||||||
|
function f(uint[] memory x, uint y) public {
|
||||||
|
a.push(x);
|
||||||
|
a[0].push(y);
|
||||||
|
a[0].pop();
|
||||||
|
assert(a[0][a[0].length - 1] == y);
|
||||||
|
}
|
||||||
|
}
|
@ -3,7 +3,6 @@ pragma experimental SMTChecker;
|
|||||||
contract C {
|
contract C {
|
||||||
uint[] a;
|
uint[] a;
|
||||||
function f(uint x) public {
|
function f(uint x) public {
|
||||||
require(a.length < 100000);
|
|
||||||
a.push(x);
|
a.push(x);
|
||||||
assert(a[a.length - 1] == x);
|
assert(a[a.length - 1] == x);
|
||||||
}
|
}
|
@ -8,4 +8,3 @@ contract C {
|
|||||||
assert(x[0] == 42);
|
assert(x[0] == 42);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// ----
|
|
||||||
|
@ -11,5 +11,3 @@ contract C {
|
|||||||
assert(x[0] == 42);
|
assert(x[0] == 42);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// ----
|
|
||||||
|
@ -0,0 +1,10 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[][] a;
|
||||||
|
function f() public {
|
||||||
|
a.push();
|
||||||
|
a[0].push();
|
||||||
|
assert(a[a.length - 1][0] == 0);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,10 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[][] a;
|
||||||
|
function f() public {
|
||||||
|
a.push();
|
||||||
|
a[0].push();
|
||||||
|
assert(a[a.length - 1][0] == 100);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,9 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
function f() public {
|
||||||
|
a.push();
|
||||||
|
assert(a[a.length - 1] == 0);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,9 @@
|
|||||||
|
pragma experimental SMTChecker;
|
||||||
|
|
||||||
|
contract C {
|
||||||
|
uint[] a;
|
||||||
|
function f() public {
|
||||||
|
a.push();
|
||||||
|
assert(a[a.length - 1] == 100);
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user