Merge pull request #10623 from ethereum/smt_const_expr

[SMTChecker] Apply const eval to arithmetic binary expressions
This commit is contained in:
chriseth 2020-12-16 15:39:16 +01:00 committed by GitHub
commit 7338295fee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 67 additions and 13 deletions

View File

@ -11,6 +11,7 @@ Language Features:
Compiler Features:
* Build System: Optionally support dynamic loading of Z3 and use that mechanism for Linux release builds.
* Code Generator: Avoid memory allocation for default value if it is not used.
* SMTChecker: Apply constant evaluation on binary arithmetic expressions.
* SMTChecker: Create underflow and overflow verification targets for increment/decrement in the CHC engine.
* SMTChecker: Report struct values in counterexamples from CHC engine.
* SMTChecker: Support early returns in the CHC engine.

View File

@ -22,6 +22,8 @@
#include <libsolidity/formal/SymbolicState.h>
#include <libsolidity/formal/SymbolicTypes.h>
#include <libsolidity/analysis/ConstantEvaluator.h>
#include <libsmtutil/SMTPortfolio.h>
#include <libsmtutil/Helpers.h>
@ -600,7 +602,8 @@ bool SMTEncoder::visit(BinaryOperation const& _op)
void SMTEncoder::endVisit(BinaryOperation const& _op)
{
if (_op.annotation().type->category() == Type::Category::RationalNumber)
/// If _op is const evaluated the RationalNumber shortcut was taken.
if (isConstant(_op))
return;
if (TokenTraits::isBooleanOp(_op.getOperator()))
return;
@ -1628,17 +1631,17 @@ void SMTEncoder::defineGlobalVariable(string const& _name, Expression const& _ex
bool SMTEncoder::shortcutRationalNumber(Expression const& _expr)
{
if (_expr.annotation().type->category() == Type::Category::RationalNumber)
{
auto rationalType = dynamic_cast<RationalNumberType const*>(_expr.annotation().type);
solAssert(rationalType, "");
if (rationalType->isNegative())
defineExpr(_expr, smtutil::Expression(u2s(rationalType->literalValue(nullptr))));
else
defineExpr(_expr, smtutil::Expression(rationalType->literalValue(nullptr)));
return true;
}
return false;
auto type = isConstant(_expr);
if (!type)
return false;
solAssert(type->category() == Type::Category::RationalNumber, "");
auto const& rationalType = dynamic_cast<RationalNumberType const&>(*type);
if (rationalType.isNegative())
defineExpr(_expr, smtutil::Expression(u2s(rationalType.literalValue(nullptr))));
else
defineExpr(_expr, smtutil::Expression(rationalType.literalValue(nullptr)));
return true;
}
void SMTEncoder::arithmeticOperation(BinaryOperation const& _op)
@ -2660,6 +2663,22 @@ map<ContractDefinition const*, vector<ASTPointer<frontend::Expression>>> SMTEnco
return baseArgs;
}
TypePointer SMTEncoder::isConstant(Expression const& _expr)
{
if (
auto type = _expr.annotation().type;
type->category() == Type::Category::RationalNumber
)
return type;
// _expr may not be constant evaluable.
// In that case we ignore any warnings emitted by the constant evaluator,
// as it will return nullptr in case of failure.
ErrorList l;
ErrorReporter e(l);
return ConstantEvaluator(e).evaluate(_expr);
}
void SMTEncoder::createReturnedExpressions(FunctionCall const& _funCall)
{
FunctionDefinition const* funDef = functionCallToDefinition(_funCall);

View File

@ -83,6 +83,10 @@ public:
/// @returns the arguments for each base constructor call in the hierarchy of @a _contract.
std::map<ContractDefinition const*, std::vector<ASTPointer<frontend::Expression>>> baseArguments(ContractDefinition const& _contract);
/// @returns a valid RationalNumberType pointer if _expr has type
/// RationalNumberType or can be const evaluated, and nullptr otherwise.
static TypePointer isConstant(Expression const& _expr);
protected:
// TODO: Check that we do not have concurrent reads and writes to a variable,
// because the order of expression evaluation is undefined

View File

@ -50,7 +50,9 @@ contract MyConc{
}
}
// ====
// SMTIgnoreCex: yes
// ----
// Warning 2519: (773-792): This declaration shadows an existing declaration.
// Warning 2018: (1009-1086): Function state mutability can be restricted to view
// Warning 4984: (985-1002): CHC: Overflow (resulting value larger than 2**256 - 1) happens here.\nCounterexample:\nA = 1, should_be_constant = 0, should_be_constant_2 = 2, not_constant = 0, not_constant_2 = 115792089237316195423570985008687907853269984665640564039457584007913129639926, not_constant_3 = 0\n\nTransaction trace:\nconstructor()
// Warning 4984: (985-1002): CHC: Overflow (resulting value larger than 2**256 - 1) happens here.

View File

@ -0,0 +1,15 @@
pragma experimental SMTChecker;
contract C {
uint constant x = 2;
uint constant y = x ** 10;
function f() public view {
assert(y == 2 ** 10);
assert(y == 1024);
assert(y == 14); // should fail
}
}
// ----
// Warning 2018: (98-206): Function state mutability can be restricted to pure
// Warning 6328: (172-187): CHC: Assertion violation happens here.\nCounterexample:\nx = 2, y = 1024\n\n\n\nTransaction trace:\nconstructor()\nState: x = 2, y = 1024\nf()

View File

@ -0,0 +1,13 @@
pragma experimental SMTChecker;
contract C {
uint constant DEPOSIT_CONTRACT_TREE_DEPTH = 32;
uint constant MAX_DEPOSIT_COUNT = 2**DEPOSIT_CONTRACT_TREE_DEPTH - 1;
function f() public pure {
assert(DEPOSIT_CONTRACT_TREE_DEPTH == 32);
assert(MAX_DEPOSIT_COUNT == 4294967295);
assert(MAX_DEPOSIT_COUNT == 2); // should fail
}
}
// ----
// Warning 6328: (284-314): CHC: Assertion violation happens here.\nCounterexample:\nDEPOSIT_CONTRACT_TREE_DEPTH = 32, MAX_DEPOSIT_COUNT = 4294967295\n\n\n\nTransaction trace:\nconstructor()\nState: DEPOSIT_CONTRACT_TREE_DEPTH = 32, MAX_DEPOSIT_COUNT = 4294967295\nf()