solidity/test/libsolidity/smtCheckerTests/operators/ternary_operator_3.sol
Martin Blicha 12bca24774 [SMTChecker] Use path condition when creating CHC targets
Without path condition, verification targets created inside ternary
operator ignore the condition of the operator inside the branches.
This led to false positives.

Further updates:

- Function calls should consider the conditions under which they are
called, otherwise the analysis may report false positives.
The fix proposed here is to add the current path condition to the edge
that propagates error from a function call.

- Increment error index after function call

This is necessary for the analysis of the ternary operator to work
correctly. No information should leak from a function call inside a
ternary operator in the first branch to the second branch, including
whether or not an error would have occured in the first branch.

However, for the execution that continues after the function call,
we still need to ensure that under the current path condition
the error has not occurred in that function call.

It would be better to isolate the analysis of the branches to separate
clauses, but I do not see an easy way for that now. In this way, even
though the function call in first branch is included in the clause of
the second branch, no information leaks.

- Additonal test for ternary operator

This tests the behaviour of SMTChecker on ternary operator with function
calls inside both branches. Specifically, it tests that SMTChecker
successfully detects a violation of a verification target in the second
branch when the same target is present also in the first branch, but
there it cannot be triggered because of the operator's condition.
2023-04-21 18:56:34 +02:00

32 lines
483 B
Solidity

abstract contract D {
function d() external virtual returns (uint);
}
contract C {
D d;
uint v;
bool guard = true;
function inc() public {
++v;
}
function dec() public {
if (guard) return;
--v;
}
function f() public returns (uint) {
guard = false;
uint ret = v > 0 ? d.d() : 0;
guard = true;
return ret;
}
}
// ====
// SMTEngine: chc
// SMTTargets: underflow
// ----
// Warning 3944: (206-209): CHC: Underflow (resulting value less than 0) happens here.