Commit Graph

715 Commits

Author SHA1 Message Date
Nikola Matic
d0a5556fd0 Purge using namespace from libsolidity/formal 2023-08-15 14:40:27 +02:00
Pawel Gebal
6574c10f25 SMTChecker: Visit the condition in for and while loops after loop is unrolled 2023-08-03 13:36:41 +02:00
Pawel Gebal
db5baebff8 SMTChecker fix: Do not unroll loop after it completes 2023-07-26 16:31:03 +02:00
Martin Blicha
3599c8c6b9 SMTChecker: Fix generation of smtlib scripts
When both CHC and BMC engines are used, the type of state variable
changes when trusted mode for external calls is used. This is because in
CHC engine, trusted mode means we pack more information into the
symbolic state. In BMC this type is always simple.

However, if BMC is run after CHC, in the current code state variables
are reset (and their declaration dumped into SMT-LIB script) before BMC
resets the type of the state variable.

The proposed solution is to simply reset the variable type before the
first variable of this type is created.
2023-06-30 15:57:51 +02:00
Pawel Gebal
826fd90dcf Fix error in SMTChecker: Use rich indentifier instead of external identifier to ecnode member access to functions 2023-06-23 15:24:55 +02:00
Pawel Gebal
d4be1d9c2f Add --print-smt flag to output SMTChecker SMTLIB code 2023-06-16 14:04:07 +02:00
Pawel Gebal
f15b826431 Add optional bounds to unroll loops in BMC model checker 2023-06-02 18:32:38 +02:00
Leo
a0933fa80a
Merge pull request #14276 from ethereum/smtchecker-fix-ice
SMTChecker: External function call with struct member is not getter
2023-05-30 13:46:35 +02:00
Martin Blicha
8ca453f82e SMTChecker: External function call with struct member is not getter
if a struct has a member that is a function pointer with `external`
attribute, and such a member is called, it is currently incorrectly
treated as a public getter in SMTEncoder.

The proposed fix is to make SMTEncoder::publicGetter more strict in
deciding whether an expression is a public getter.
The added condition, that the access happens on a state variable, is
exactly what is checked later with an assertion that is currently
failing.
2023-05-26 14:23:45 +02:00
Martin Blicha
b0419da654 [SMTChecker] Remember verification targets from trusted external calls
Previously, we did not remember trusted external calls for later phase
when we compute possible verification targets for each function.
This led to false negative in cases where verification target can be
violated, but not by calling a public function directly, but only when
it is called as an external function from other function.

The added test cases witnesses this behaviour. The underflow in
`dec` cannot happen in any other way except what the `dec` is called
from `f`.

The same problem did not occur when the functions are called internally,
because for such cases, we have already been remembering these calls in
the callgraph in the CHC engine.
2023-05-26 13:03:44 +02:00
Leo Alt
678461e828 Fix encoding of side-effects inside if and conditional statements in the BMC engine 2023-05-11 16:44:09 +02:00
Martin Blicha
12bca24774 [SMTChecker] Use path condition when creating CHC targets
Without path condition, verification targets created inside ternary
operator ignore the condition of the operator inside the branches.
This led to false positives.

Further updates:

- Function calls should consider the conditions under which they are
called, otherwise the analysis may report false positives.
The fix proposed here is to add the current path condition to the edge
that propagates error from a function call.

- Increment error index after function call

This is necessary for the analysis of the ternary operator to work
correctly. No information should leak from a function call inside a
ternary operator in the first branch to the second branch, including
whether or not an error would have occured in the first branch.

However, for the execution that continues after the function call,
we still need to ensure that under the current path condition
the error has not occurred in that function call.

It would be better to isolate the analysis of the branches to separate
clauses, but I do not see an easy way for that now. In this way, even
though the function call in first branch is included in the clause of
the second branch, no information leaks.

- Additonal test for ternary operator

This tests the behaviour of SMTChecker on ternary operator with function
calls inside both branches. Specifically, it tests that SMTChecker
successfully detects a violation of a verification target in the second
branch when the same target is present also in the first branch, but
there it cannot be triggered because of the operator's condition.
2023-04-21 18:56:34 +02:00
Leo Alt
aacbe72079 group unsupported warnings 2023-03-15 17:06:06 +01:00
Leo Alt
21c0f78650 Report safe properties in BMC and CHC 2023-03-09 14:59:32 +01:00
Kamil Śliwak
5b5e853ea0 Warn about missing user-defined operator support in SMTChecker 2023-02-22 00:39:25 +01:00
Leo Alt
db9c11a2a5 fix abstract nondet exception 2023-02-08 16:59:37 +01:00
Leo Alt
8d91ccf028 [SMTChecker] Add a new trusted mode which assumes that code that is
available at compile time is trusted.
2023-02-06 17:02:33 +01:00
Rodrigo Q. Saramago
feba4de509
Add paris constraints to SMTChecker
Co-authored-by: Daniel <daniel@ekpyron.org>
Co-authored-by: Kamil Śliwak <kamil.sliwak@codepoets.it>
Co-authored-by: Leo <leo@ethereum.org>
2023-01-31 11:03:04 +01:00
wechman
64a4f32bc2 Consistent terminology for attached/bound functions 2022-12-07 19:31:41 +01:00
Leo Alt
77698f8108 Fix internal error when deleting struct member of function type 2022-11-30 12:47:32 +01:00
Leo Alt
608b424afc Fix internal error when using user defined value types as mapping indices or struct members. 2022-11-29 13:04:01 +01:00
Leo Alt
07870d0318 Fix internal error in assignment chains that also assign to fully qualified state variables (, for example), where the contract expression is a tuble. 2022-11-28 18:45:50 +01:00
Leo Alt
a5dab6181c Fix internal error when the abstract-nondet SMTChecker natspec annotation is used with a wrong option multiple times for the same function 2022-11-28 16:59:35 +01:00
Leo Alt
9a8dd4242f Fix SMTChecker bug when a public library function is called internally by an internal library function, which in turn is called internally by a contract. 2022-11-28 13:07:18 +01:00
Leo Alt
24df40de9a Allow running Eldarica from the command line 2022-11-22 21:16:45 +01:00
Marenz
f7cc29bec1 Add std:: qualifier to move() calls 2022-08-30 11:12:15 +02:00
Leo Alt
75d08ea924 Check early if solvers are available. 2022-05-11 20:02:31 +02:00
Leo Alt
f9fa76c9d3 smt encode call 2022-04-11 12:19:41 +02:00
Daniel Kirchner
0f1a63c3fa Fix import directive visits in type checker and view pure checker. 2022-03-14 14:53:06 +01:00
Tyler
047034544e Merge branch 'develop' of github.com:tfire/solidity into fix/remove-namespace-ast-annotations 2022-03-09 18:55:22 -05:00
Tyler
519e1c9402 Specify namespaces
Fix references into solidity::util
2022-03-08 00:09:17 -05:00
wechman
52dfccca98 Replace all locale-dependent operations with locale-agnostic counterparts 2022-03-07 17:23:08 +01:00
nishant-sachdeva
cc6344c03c Changed instaces of isByteArrayOrString() to isByteArray() where it's only supposed to return a True for Bytes Type 2022-02-02 17:05:26 +05:30
nishant-sachdeva
9043621747 Changed occurences of isByteArray() to isByteArrayOrString(). The idea
is to, in a future commit, replace such occurences of
isByteArrayOrString() which are required to return True only for Bytes
type with a new isByteArray() function.
2022-02-02 14:19:58 +05:30
Leo Alt
fb8c138b8b Do not analyze unecessary contracts 2021-12-24 19:36:32 +01:00
Marenz
7a96953e78 Implement typechecked abi.encodeCall() 2021-12-16 17:35:58 +01:00
Leo Alt
316be7206f Fix soundness of storage/memory pointers that were not erasing enough knowledge 2021-12-14 12:02:18 +01:00
Leo Alt
16535aae32 Fix ICE when unsafe targets are solved more than once and the cex is different 2021-12-03 00:21:38 +01:00
Leo Alt
dff280cadc Fix ICE in CHC when using gas in the function options 2021-11-03 15:40:54 +01:00
Leo Alt
e40cf92b1d [SMTChecker] Merge all entry points for a target 2021-11-03 11:12:58 +01:00
Leo Alt
37215ffcfd Add SMTCheckerTest isoltest option to ignore invariants 2021-10-26 11:30:30 +02:00
Leo Alt
d419c30ca6 Add errorCode list to invariants report 2021-10-26 11:30:30 +02:00
Leo Alt
49e7627bd3 Use invariants in CHC 2021-10-26 11:30:30 +02:00
Leo Alt
bc90533c93 Add invariants to ModelCheckerSettings 2021-10-26 11:30:30 +02:00
Leo Alt
d554824f70 Add Invariants which traverses the proof and collects invariants for the given predicates 2021-10-26 11:30:30 +02:00
Leo Alt
9bcd2c18e4 Add expression substitution to Predicate 2021-10-26 11:30:30 +02:00
Leo Alt
ce72d7cd26 Add ExpressionFormatter which translates an smtutil::Expression into a Solidity-like expression string 2021-10-26 11:30:30 +02:00
tcoyvwac
ba0c09e082
Prefer make_unique over new 2021-10-15 19:46:47 +02:00
Leo Alt
4c2b661eaa [SMTChecker] Report values for block, msg and tx variables in counterexamples 2021-10-05 15:19:10 +02:00
Leo Alt
d81ebe97c3 Fix magic access 2021-10-01 12:57:06 +02:00