
@nivcertora

No description provided.

@nivcertora nivcertora requested a review from liav-certora July 6, 2025 09:49
@nivcertora nivcertora self-assigned this Jul 6, 2025
@nivcertora nivcertora changed the base branch from master to cli-beta July 6, 2025 09:49
@nivcertora nivcertora requested review from nd-certora and yoav-el-certora and removed request for liav-certora July 6, 2025 10:44
@yoav-el-certora yoav-el-certora requested a review from johspaeth July 7, 2025 08:32
@johspaeth johspaeth left a comment
Minor nits and questions - looks OK to me.

Comment on lines 23 to 25
// invariant version is getting SANITY_FAILURE using the below rule instead
// invariant lockStatusDontChange()
// !contract_lock_status;
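Review bot: the commented-out invariant keeps only the generic tag SANITY_FAILURE and no pointer to the failing run, so a reader cannot tell which sanity check fired (vacuity, trivial postcondition) or reproduce it. Either record the job link and the concrete failure next to these lines, or drop the dead lines and keep just the replacement rule; a spec that ships with a disabled invariant and no recorded cause will draw the same question on every future review.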
Which sanity failure did you receive on this invariant?

I couldn't find a link to a failing job here:
https://certora.atlassian.net/browse/CERT-9252

Would also like to know what was wrong with the invariant; it looks ok and we still want such invariants. Do you have a link to the original spec with the sanity failures?

I reverted the change by Niv and made this invariant work again.

The issue here is (or was) that there is a hook on tload/tstore within the constructor, and the hooks call out to an external Solidity function of the same contract, which isn't allowed within the constructor (the contract hasn't been created yet). In my fix, I removed all calls that are applied in the hook and changed the accesses to constants that are declared in CVL. This is the only solution I could find here.


/**
An internal step check to verify that our ghost works as expected, it should mirror the number of accounts.
Once the sload is defined, this invariant becomes a tautology
Once the sload is defined, this invariant becomes a tautology

Is sload defined nowadays, so is this why we see the sanity failure for the trivial postcondition of the invariant?

After reviewing, I suggest we indeed remove this invariant as it fails on SANITY due to the tautology check.

@@ -1,14 +1,11 @@
invariant isUnlocked(env e)
getLock(e) == 0;
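Review bot: the visible lines show `invariant isUnlocked(env e) getLock(e) == 0;` with no `filtered` clause, although the header `@@ -1,14 +1,11 @@` says the block lost three lines. If functions guarded by `onlyLocked` are excluded to avoid vacuity, the filter belongs in this invariant with a one-line comment saying why, not only in the PR discussion; and once they are filtered, this invariant says nothing about how those functions handle the lock, so that behaviour needs its own rule.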

What was the sanity failure? We prefer the invariant, as the requireInvariant is safer.

The issue here was that a few functions (repay, borrow, callback) use a modifier onlyLocked that contradicts the actual invariant and causes vacuity. I filtered them out for this invariant.

@johspaeth johspaeth left a comment
@nd-certora @yoav-el-certora please re-review.

  1. The issue with lockStatusDontChange was that a hook in the constructor called an external method on the same contract - this causes vacuity, as the contract doesn't exist yet. This is also not allowed in Solidity itself.
  2. I added a new function changeLock which shows that the invariant fails for lockStatusDontChange. This is expected, @yoav-el-certora. Please update output.json accordingly.
  3. For isUnlocked a filter for a few functions was needed.


"solc": "solc8.24",
"solc_evm_version": "cancun"
"solc_evm_version": "cancun",
"prover_args": ["-enableStorageSplitting false"]
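Review bot: the added `prover_args` entry `-enableStorageSplitting false` is a prover-wide switch, and nothing next to it records why it is needed. Since the reason is the hook type (ALL_TLOAD/ALL_TSTORE on the constant `Mutexer.CONTRACT_LOCK` slot are not compatible with storage splitting), say so in the example's README or spec header, so a later reader can tell whether a config carries the flag because of the hook type or because of a storage-analysis failure of the kind mentioned in this thread, and does not copy it into configs where neither applies.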
This was needed here as we got storage splitting failures otherwise. @christiane-certora do you know if this is expected here?

The contract defines a constant slot via keccak256("Mutexer.CONTRACT_LOCK"), and the spec then uses alltload/alltstore.

If the contract uses ALLTLOAD or ALLTSTORE, you should get an error that storage splitting must be disabled, these hook types are not compatible with it (same as the non-transient versions of them).

So should we instead rather use TLOAD and TSTORE here directly (now that we support them)?

It looks like we could, yeah, although the currently used way of course also still works.

But maybe it is not so bad to leave this example, since there are still a lot of patterns with transient storage where we will fail the storage analysis (when the slot accessed is just a parameter, typically), so in that case it could be useful to still see how it can be worked with without.

Comment on lines +20 to +24
uint256 key = CONTRACT_LOCK;
assembly {
value := tload(key)
}
return value == Mutex.Locked;
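Review bot: lines +20 to +24 repeat the raw `tload(key)` assembly because `_tload()` is private in the parent contract and cannot be called here. Rather than duplicating the assembly in an example that people will copy, make `_tload`/`_tstore` `internal` in the parent (or read the lock through `getLock()`), so the contract reads the slot through one code path and the copy cannot drift from the helper it mirrors.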
This should actually be _tload() which is private in the parent contract and cannot be called here.
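For readers following the thread, here is an added illustration (my own code, not the example in this PR or the repository's Mutexer) of the transient-storage mutex pattern the comments describe: a constant slot derived from keccak256("Mutexer.CONTRACT_LOCK"), private _tload/_tstore helpers, a lock modifier and an onlyLocked modifier, and a getLock view for the spec. Only the names Mutexer, Mutex.Locked, CONTRACT_LOCK, _tload, onlyLocked, getLock, borrow, repay and callback come from the thread; the Pool contract, the IBorrower interface, the execute entry point, the lock modifier and all function bodies are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tload/tstore need solc >= 0.8.24 compiled for EVM version cancun

// Added illustration for this review thread, not the repository's example code.
// Names from the discussion: Mutexer, Mutex.Locked, CONTRACT_LOCK, _tload,
// onlyLocked, getLock, borrow, repay, callback. Everything else is assumed.
abstract contract Mutexer {
    enum Mutex { Unlocked, Locked }

    // Constant transient-storage slot, as the thread describes. keccak256 of a
    // string literal is a compile-time expression, so this is a true constant.
    uint256 internal constant CONTRACT_LOCK = uint256(keccak256("Mutexer.CONTRACT_LOCK"));

    // Private helpers: a child contract cannot call these, which is why the
    // reviewed snippet had to repeat the assembly instead of calling _tload().
    function _tload(uint256 key) private view returns (uint256 value) {
        assembly { value := tload(key) }
    }

    function _tstore(uint256 key, uint256 value) private {
        assembly { tstore(key, value) }
    }

    // Hold the lock for the duration of the call. Transient storage is wiped
    // when the transaction ends, so a revert cannot leave the lock stuck.
    modifier lock() {
        require(_tload(CONTRACT_LOCK) == uint256(Mutex.Unlocked), "Mutexer: reentrant call");
        _tstore(CONTRACT_LOCK, uint256(Mutex.Locked));
        _;
        _tstore(CONTRACT_LOCK, uint256(Mutex.Unlocked));
    }

    // Callable only while some lock()-guarded function is on the call stack.
    // Every function under this modifier starts in state Locked, so a global
    // "getLock() == 0" invariant is vacuous for it unless it is filtered out.
    modifier onlyLocked() {
        require(_tload(CONTRACT_LOCK) == uint256(Mutex.Locked), "Mutexer: not locked");
        _;
    }

    // Exposed for the spec: 0 == Unlocked, 1 == Locked.
    function getLock() external view returns (uint256) {
        return _tload(CONTRACT_LOCK);
    }
}

// Assumed callback interface implemented by the caller of execute().
interface IBorrower {
    function callback() external;
}

// Assumed pool: one locked entry point, inner operations only while locked.
contract Pool is Mutexer {
    mapping(address => uint256) public debt;

    // Single entry point: take the lock, hand control to the caller, and check
    // that everything borrowed inside the callback was repaid before returning.
    function execute() external lock {
        IBorrower(msg.sender).callback(); // a nested execute() from here reverts
        require(debt[msg.sender] == 0, "Pool: not repaid");
    }

    // Only reachable from inside callback(), i.e. while execute() holds the lock.
    function borrow(uint256 amount) external onlyLocked {
        debt[msg.sender] += amount;
    }

    function repay(uint256 amount) external onlyLocked {
        debt[msg.sender] -= amount;
    }
}
```

The two review points map directly onto this layout. Because `_tload` is private, a subclass that wants to read the slot has to repeat the assembly or go through `getLock()`, which is the duplication the comment above objects to. And every function under `onlyLocked` begins with the slot already set to `Mutex.Locked`, so an invariant asserting `getLock(e) == 0` is vacuous for `borrow`, `repay` and `callback` unless they are filtered, after which their lock handling is no longer covered by that invariant and needs a rule of its own. Nothing here touches the slot in the constructor, which matters for the hook issue raised earlier in the thread: a CVL hook that fires during construction cannot call back into the contract's external functions.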

@johspaeth johspaeth requested a review from nd-certora July 18, 2025 07:03
@yoav-el-certora

Assigning @johspaeth (or someone from his team) to complete and merge this Example.

@johspaeth

johspaeth commented Jul 24, 2025

> Assigning @johspaeth (or someone from his team) to complete and merge this Example.

@yoav-el-certora This is done, can you approve so that I can merge?

@yoav-el-certora

> Assigning @johspaeth (or someone from his team) to complete and merge this Example.
>
> @yoav-el-certora This is done, can you approve so that I can merge?

I think it'll be better if @nd-certora or @shoham-certora can approve this one. (As this is the process we were doing before)

@johspaeth johspaeth self-requested a review August 4, 2025 06:39
@johspaeth johspaeth merged commit 1e72326 into cli-beta Aug 4, 2025
yoav-el-certora added a commit that referenced this pull request Aug 11, 2025
* Add an example on how to reason about events in CVL (#174)

* 7.26.0 Release (#163)

* Niv/cert 8248 revert example (#155)

* CERT 8248 Add Revert Example

* Update README

* Address Christiane review

* Update example based on Nurit Review

* Clean

* Update config.yml (#160)

Co-authored-by: yoav-el-certora <122207807+yoav-el-certora@users.noreply.github.com>

* Example ready

* christiane cr

* Code reviews

---------

Co-authored-by: Niv vaknin <122722245+nivcertora@users.noreply.github.com>
Co-authored-by: liav-certora <114004726+liav-certora@users.noreply.github.com>
Co-authored-by: liav-certora <liav@certora.com>

* Bug fixed

* Add an example on how to reason about events in CVL

* Addressing code reviews

* Addressing Christiane's CR

* Issue with merge resolution

* Revert "Bug fixed"

This reverts commit 33b87b9.

* Reverse incorrect change after merge

---------

Co-authored-by: yoav-el-certora <122207807+yoav-el-certora@users.noreply.github.com>
Co-authored-by: Niv vaknin <122722245+nivcertora@users.noreply.github.com>
Co-authored-by: liav-certora <114004726+liav-certora@users.noreply.github.com>
Co-authored-by: liav-certora <liav@certora.com>
Co-authored-by: Otakar <Otakar@certora.com>

* Removed Process from conf file

* Removed send_only from conf file

* add a simple example with a transient field and hooks and direct storage accesses on it

* remove rule sanity

Co-authored-by: Johannes Späth <johspaeth@users.noreply.github.com>

* remove ambiguity

* CERT 8687 Realistic example (#167)

* CERT 8687 Realistic example

* fix spec, sanity issue

* fix

* require invariant example

* Update README

* Update CVLByExample/Invariant/RequireInvariantArray/README.md

* Addressing Nurit's CR

---------

Co-authored-by: Nurit Dor <57101353+nd-certora@users.noreply.github.com>
Co-authored-by: Johannes Späth <johspaeth@users.noreply.github.com>
Co-authored-by: Johannes Spaeth <johannes@certora.com>

* Re routing example (#180)

* Re routing example

* Updating example

---------

Co-authored-by: Johannes Spaeth <johannes@certora.com>

* Niv/fix sanity failure (#183)

* Fix some of the sanity failure

* Fixing specification to not have sanity failures

runFullPool.conf -> https://vaas-stg.certora.com/output/53900/a7ab7f221da84eb4accea1c95e936803?anonymousKey=e063b8e60bae944b4a9d0d0431999b5bd4b578ea
runBroken.con -> https://vaas-stg.certora.com/output/53900/c85b8c49fec24d32ac0de00043d7ddd6?anonymousKey=a6c585f91d010a7c13f1c6d8935143b894a0c05d

* Updates to spec

* Self-Review

---------

Co-authored-by: Johannes Spaeth <johannes@certora.com>
Co-authored-by: yoav-el-certora <122207807+yoav-el-certora@users.noreply.github.com>

* Added fixes to breaking changes (#190)

* foundry toml

* comment

* branch

* branch

* branch

* Add an example for internal function calls (#191)

* add an example for internal function calls

* Update CVLByExample/InternalFunctionsFromCVL/README.md

Co-authored-by: Johannes Späth <johspaeth@users.noreply.github.com>

---------

Co-authored-by: Johannes Späth <johspaeth@users.noreply.github.com>

* Added foundry installation to CI (#194)

---------

Co-authored-by: Johannes Späth <johspaeth@users.noreply.github.com>
Co-authored-by: Niv vaknin <122722245+nivcertora@users.noreply.github.com>
Co-authored-by: liav-certora <114004726+liav-certora@users.noreply.github.com>
Co-authored-by: liav-certora <liav@certora.com>
Co-authored-by: Otakar <Otakar@certora.com>
Co-authored-by: Christiane Goltz <christiane@certora.com>
Co-authored-by: Nurit Dor <57101353+nd-certora@users.noreply.github.com>
Co-authored-by: Johannes Spaeth <johannes@certora.com>
Co-authored-by: rahav <rahav@certora.com>
Co-authored-by: Rahav <103361134+rahav-certora@users.noreply.github.com>
Co-authored-by: Naftali Goldstein <44599898+naftali-g@users.noreply.github.com>