Merge pull request #9706 from ethereum/smt_fix_tuple_lvalue

[SMTChecker] Fix unary operator on lvalue tuple
This commit is contained in:
Leonardo 2020-09-01 10:37:24 +02:00 committed by GitHub
commit c9ca1d1814
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 61 additions and 28 deletions

View File

@ -20,6 +20,7 @@ Bugfixes:
* SMTChecker: Fix internal error in BMC function inlining. * SMTChecker: Fix internal error in BMC function inlining.
* SMTChecker: Fix internal error on array implicit conversion. * SMTChecker: Fix internal error on array implicit conversion.
* SMTChecker: Fix internal error on fixed bytes index access. * SMTChecker: Fix internal error on fixed bytes index access.
* SMTChecker: Fix internal error on lvalue unary operators with tuples.
* SMTChecker: Fix soundness of array ``pop``. * SMTChecker: Fix soundness of array ``pop``.
* References Resolver: Fix internal bug when using constructor for library. * References Resolver: Fix internal bug when using constructor for library.
* Yul Optimizer: Make function inlining order more resilient to whether or not unrelated source files are present. * Yul Optimizer: Make function inlining order more resilient to whether or not unrelated source files are present.

View File

@ -49,9 +49,7 @@ public:
// Z3 "basic resources" limit. // Z3 "basic resources" limit.
// This is used to make the runs more deterministic and platform/machine independent. // This is used to make the runs more deterministic and platform/machine independent.
// The tests start failing for Z3 with less than 10000000, static int const resourceLimit = 12500000;
// so using double that.
static int const resourceLimit = 20000000;
private: private:
void declareFunction(std::string const& _name, Sort const& _sort); void declareFunction(std::string const& _name, Sort const& _sort);

View File

@ -463,12 +463,14 @@ void SMTEncoder::endVisit(UnaryOperation const& _op)
createExpr(_op); createExpr(_op);
auto const* subExpr = innermostTuple(_op.subExpression());
switch (_op.getOperator()) switch (_op.getOperator())
{ {
case Token::Not: // ! case Token::Not: // !
{ {
solAssert(smt::isBool(_op.annotation().type->category()), ""); solAssert(smt::isBool(_op.annotation().type->category()), "");
defineExpr(_op, !expr(_op.subExpression())); defineExpr(_op, !expr(*subExpr));
break; break;
} }
case Token::Inc: // ++ (pre- or postfix) case Token::Inc: // ++ (pre- or postfix)
@ -476,8 +478,8 @@ void SMTEncoder::endVisit(UnaryOperation const& _op)
{ {
auto cat = _op.annotation().type->category(); auto cat = _op.annotation().type->category();
solAssert(smt::isInteger(cat) || smt::isFixedPoint(cat), ""); solAssert(smt::isInteger(cat) || smt::isFixedPoint(cat), "");
solAssert(_op.subExpression().annotation().willBeWrittenTo, ""); solAssert(subExpr->annotation().willBeWrittenTo, "");
if (auto identifier = dynamic_cast<Identifier const*>(&_op.subExpression())) if (auto identifier = dynamic_cast<Identifier const*>(subExpr))
{ {
auto decl = identifierToVariable(*identifier); auto decl = identifierToVariable(*identifier);
solAssert(decl, ""); solAssert(decl, "");
@ -486,12 +488,12 @@ void SMTEncoder::endVisit(UnaryOperation const& _op)
defineExpr(_op, _op.isPrefixOperation() ? newValue : innerValue); defineExpr(_op, _op.isPrefixOperation() ? newValue : innerValue);
assignment(*decl, newValue); assignment(*decl, newValue);
} }
else if (dynamic_cast<IndexAccess const*>(&_op.subExpression())) else if (dynamic_cast<IndexAccess const*>(subExpr))
{ {
auto innerValue = expr(_op.subExpression()); auto innerValue = expr(*subExpr);
auto newValue = _op.getOperator() == Token::Inc ? innerValue + 1 : innerValue - 1; auto newValue = _op.getOperator() == Token::Inc ? innerValue + 1 : innerValue - 1;
defineExpr(_op, _op.isPrefixOperation() ? newValue : innerValue); defineExpr(_op, _op.isPrefixOperation() ? newValue : innerValue);
arrayIndexAssignment(_op.subExpression(), newValue); arrayIndexAssignment(*subExpr, newValue);
} }
else else
m_errorReporter.warning( m_errorReporter.warning(
@ -504,25 +506,24 @@ void SMTEncoder::endVisit(UnaryOperation const& _op)
} }
case Token::Sub: // - case Token::Sub: // -
{ {
defineExpr(_op, 0 - expr(_op.subExpression())); defineExpr(_op, 0 - expr(*subExpr));
break; break;
} }
case Token::Delete: case Token::Delete:
{ {
auto const& subExpr = _op.subExpression(); if (auto decl = identifierToVariable(*subExpr))
if (auto decl = identifierToVariable(subExpr))
{ {
m_context.newValue(*decl); m_context.newValue(*decl);
m_context.setZeroValue(*decl); m_context.setZeroValue(*decl);
} }
else else
{ {
solAssert(m_context.knownExpression(subExpr), ""); solAssert(m_context.knownExpression(*subExpr), "");
auto const& symbVar = m_context.expression(subExpr); auto const& symbVar = m_context.expression(*subExpr);
symbVar->increaseIndex(); symbVar->increaseIndex();
m_context.setZeroValue(*symbVar); m_context.setZeroValue(*symbVar);
if (dynamic_cast<IndexAccess const*>(&_op.subExpression())) if (dynamic_cast<IndexAccess const*>(subExpr))
arrayIndexAssignment(_op.subExpression(), symbVar->currentValue()); arrayIndexAssignment(*subExpr, symbVar->currentValue());
else else
m_errorReporter.warning( m_errorReporter.warning(
2683_error, 2683_error,
@ -1122,9 +1123,7 @@ void SMTEncoder::arrayPop(FunctionCall const& _funCall)
void SMTEncoder::arrayPushPopAssign(Expression const& _expr, smtutil::Expression const& _array) void SMTEncoder::arrayPushPopAssign(Expression const& _expr, smtutil::Expression const& _array)
{ {
Expression const* expr = &_expr; Expression const* expr = innermostTuple(_expr);
if (auto const* tupleExpr = dynamic_cast<TupleExpression const*>(expr))
expr = innermostTuple(*tupleExpr);
if (auto const* id = dynamic_cast<Identifier const*>(expr)) if (auto const* id = dynamic_cast<Identifier const*>(expr))
{ {
@ -1461,9 +1460,7 @@ void SMTEncoder::assignment(
"Tuple assignments should be handled by tupleAssignment." "Tuple assignments should be handled by tupleAssignment."
); );
Expression const* left = &_left; Expression const* left = innermostTuple(_left);
if (auto const* tuple = dynamic_cast<TupleExpression const*>(left))
left = innermostTuple(*tuple);
if (!smt::isSupportedType(_type->category())) if (!smt::isSupportedType(_type->category()))
{ {
@ -1491,7 +1488,7 @@ void SMTEncoder::assignment(
void SMTEncoder::tupleAssignment(Expression const& _left, Expression const& _right) void SMTEncoder::tupleAssignment(Expression const& _left, Expression const& _right)
{ {
auto lTuple = dynamic_cast<TupleExpression const*>(innermostTuple(dynamic_cast<TupleExpression const&>(_left))); auto lTuple = dynamic_cast<TupleExpression const*>(innermostTuple(_left));
solAssert(lTuple, ""); solAssert(lTuple, "");
auto const& lComponents = lTuple->components(); auto const& lComponents = lTuple->components();
@ -1917,10 +1914,12 @@ Expression const* SMTEncoder::leftmostBase(IndexAccess const& _indexAccess)
return base; return base;
} }
Expression const* SMTEncoder::innermostTuple(TupleExpression const& _tuple) Expression const* SMTEncoder::innermostTuple(Expression const& _expr)
{ {
solAssert(!_tuple.isInlineArray(), ""); auto const* tuple = dynamic_cast<TupleExpression const*>(&_expr);
TupleExpression const* tuple = &_tuple; if (!tuple || tuple->isInlineArray())
return &_expr;
Expression const* expr = tuple; Expression const* expr = tuple;
while (tuple && !tuple->isInlineArray() && tuple->components().size() == 1) while (tuple && !tuple->isInlineArray() && tuple->components().size() == 1)
{ {

View File

@ -54,8 +54,9 @@ public:
/// @returns the leftmost identifier in a multi-d IndexAccess. /// @returns the leftmost identifier in a multi-d IndexAccess.
static Expression const* leftmostBase(IndexAccess const& _indexAccess); static Expression const* leftmostBase(IndexAccess const& _indexAccess);
/// @returns the innermost element in a chain of 1-tuples. /// @returns the innermost element in a chain of 1-tuples if applicable,
static Expression const* innermostTuple(TupleExpression const& _tuple); /// otherwise _expr.
static Expression const* innermostTuple(Expression const& _expr);
/// @returns the FunctionDefinition of a FunctionCall /// @returns the FunctionDefinition of a FunctionCall
/// if possible or nullptr. /// if possible or nullptr.

View File

@ -0,0 +1,11 @@
pragma experimental SMTChecker;
contract C {
function f(bool b) public pure {
uint x;
if (b) ++(x);
if (b) --(x);
if (b) delete(b);
assert(x == 0);
assert(!b);
}
}

View File

@ -0,0 +1,11 @@
pragma experimental SMTChecker;
contract C {
function f(bool b) public pure {
uint x;
if (b) ++((((((x))))));
if (b) --((((((x))))));
if (b) delete((((((b))))));
assert(x == 0);
assert(!b);
}
}

View File

@ -0,0 +1,12 @@
pragma experimental SMTChecker;
contract C {
function f(bool b) public pure {
uint x;
if (b) ++(x);
else x += 1;
assert(x == 1);
assert(!b);
}
}
// ----
// Warning 6328: (140-150): Assertion violation happens here