Merge pull request #9451 from ethereum/smt_fix_push_push

[SMTChecker] Fix push().push()
2023-10-03 13:03:40 +00:00 · 2020-07-21 11:40:37 +02:00 · 2020-07-21 11:40:37 +02:00 · e19e4d9db1
commit e19e4d9db1
parent 05d43f9d6b 2c93278719
8 changed files with 104 additions and 1 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -13,6 +13,7 @@ Bugfixes:
 * SMTChecker: Fix internal error when using bitwise operators on fixed bytes type.
 * SMTChecker: Fix internal error when using compound bitwise operator assignments on array indices inside branches.
 * SMTChecker: Fix error in events with indices of type static array.
 * SMTChecker: Fix internal error in sequential storage array pushes (``push().push()`).
 * Type Checker: Fix overload resolution in combination with ``{value: ...}``.
 * Type Checker: Fix internal compiler error related to oversized types.
 * Code Generator: Avoid double cleanup when copying to memory.
--- a/libsolidity/formal/SMTEncoder.cpp
+++ b/libsolidity/formal/SMTEncoder.cpp
@ -1077,7 +1077,7 @@ void SMTEncoder::arrayPush(FunctionCall const& _funCall)
 	m_context.addAssertion(symbArray->length() == oldLength + 1);
 	if (arguments.empty())
-		defineExpr(_funCall, element);
+		defineExpr(_funCall, smtutil::Expression::select(symbArray->elements(), oldLength));
 	arrayPushPopAssign(memberAccess->expression(), symbArray->currentValue());
 }
@ -1119,6 +1119,28 @@ void SMTEncoder::arrayPushPopAssign(Expression const& _expr, smtutil::Expression
 	}
 	else if (auto const* indexAccess = dynamic_cast<IndexAccess const*>(&_expr))
 		arrayIndexAssignment(*indexAccess, _array);
 	else if (auto const* funCall = dynamic_cast<FunctionCall const*>(&_expr))
 	{
 		FunctionType const& funType = dynamic_cast<FunctionType const&>(*funCall->expression().annotation().type);
 		if (funType.kind() == FunctionType::Kind::ArrayPush)
 		{
 			auto memberAccess = dynamic_cast<MemberAccess const*>(&funCall->expression());
 			solAssert(memberAccess, "");
 			auto symbArray = dynamic_pointer_cast<smt::SymbolicArrayVariable>(m_context.expression(memberAccess->expression()));
 			solAssert(symbArray, "");
 			auto oldLength = symbArray->length();
 			auto store = smtutil::Expression::store(
 				symbArray->elements(),
 				symbArray->length() - 1,
 				_array
 			);
 			symbArray->increaseIndex();
 			m_context.addAssertion(symbArray->elements() == store);
 			m_context.addAssertion(symbArray->length() == oldLength);
 			arrayPushPopAssign(memberAccess->expression(), symbArray->currentValue());
 		}
 	}
 	else if (dynamic_cast<MemberAccess const*>(&_expr))
 		m_errorReporter.warning(
 			9599_error,
--- a/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_1.sol
+++ b/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_1.sol
@ -0,0 +1,9 @@
 pragma experimental SMTChecker;
 contract C {
 	int[][] array2d;
 	function l() public {
 		array2d.push().push();
 		assert(array2d.length > 0);
 		assert(array2d[array2d.length - 1].length > 0);
 	}
 }
--- a/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_1_fail.sol
+++ b/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_1_fail.sol
@ -0,0 +1,12 @@
 pragma experimental SMTChecker;
 contract C {
 	int[][] array2d;
 	function l() public {
 		array2d.push().push();
 		assert(array2d.length > 2);
 		assert(array2d[array2d.length - 1].length > 3);
 	}
 }
 // ----
 // Warning 4661: (113-139): Assertion violation happens here
 // Warning 4661: (143-189): Assertion violation happens here
--- a/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_2.sol
+++ b/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_2.sol
@ -0,0 +1,11 @@
 pragma experimental SMTChecker;
 contract C {
 	int[][][] array2d;
 	function l() public {
 		array2d.push().push().push();
 		assert(array2d.length > 0);
 		uint last = array2d[array2d.length - 1].length;
 		assert(last > 0);
 		assert(array2d[array2d.length - 1][last - 1].length > 0);
 	}
 }
--- a/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_2_fail.sol
+++ b/test/libsolidity/smtCheckerTests/array_members/push_push_no_args_2_fail.sol
@ -0,0 +1,15 @@
 pragma experimental SMTChecker;
 contract C {
 	int[][][] array2d;
 	function l() public {
 		array2d.push().push().push();
 		assert(array2d.length > 2);
 		uint last = array2d[array2d.length - 1].length;
 		assert(last > 3);
 		assert(array2d[array2d.length - 1][last - 1].length > 4);
 	}
 }
 // ----
 // Warning 4661: (122-148): Assertion violation happens here
 // Warning 4661: (202-218): Assertion violation happens here
 // Warning 4661: (222-278): Assertion violation happens here
--- a/test/libsolidity/smtCheckerTests/array_members/storage_pointer_push_1.sol
+++ b/test/libsolidity/smtCheckerTests/array_members/storage_pointer_push_1.sol
@ -0,0 +1,18 @@
 pragma experimental SMTChecker;
 contract C {
 	int[][] array2d;
 	function l() public {
 		s().push();
 		// False positive.
 		// Knowledge is erased because `s()` is a storage pointer.
 		assert(array2d[2].length > 0);
 	}
 	function s() internal returns (int[] storage) {
 		array2d.push();
 		array2d.push();
 		array2d.push();
 		return array2d[2];
 	}
 }
 // ----
 // Warning 4661: (184-213): Assertion violation happens here
--- a/test/libsolidity/smtCheckerTests/array_members/storage_pointer_push_1_safe.sol
+++ b/test/libsolidity/smtCheckerTests/array_members/storage_pointer_push_1_safe.sol
@ -0,0 +1,15 @@
 pragma experimental SMTChecker;
 contract C {
 	int[][] array2d;
 	function l() public {
 		s();
 		array2d[2].push();
 		assert(array2d[2].length > 0);
 	}
 	function s() internal returns (int[] storage) {
 		array2d.push();
 		array2d.push();
 		array2d.push();
 		return array2d[2];
 	}
 }