[Spec] Added specs for module aggregator & aggregator_factory & optional_aggregator & staking_config & version & event & guid & timestamp #5653
Conversation
0xOutOfGas
requested review from
junkil-park,
davidiw,
movekevin and
wrwg
as code owners
| @@ -6,20 +6,24 @@ spec aptos_framework::aggregator { | |||
| spec add { | |||
| // TODO: temporary mockup. | |||
| pragma opaque; | |||
| aborts_if false; | |||
There was a problem hiding this comment.
This native function can actually abort. Please refer to the comment in aggregator.move. (cc: @georgemitenkov )
There was a problem hiding this comment.
Remove aborts if false does not affect the validation.
There was a problem hiding this comment.
Remove aborts if false does not affect the validation.
I didn't get this. Could you elaborate what you mean?
According the comment in aggregator.move, this function "Aborts on overflowing the limit."
| } | ||
|
|
||
| spec sub { | ||
| // TODO: temporary mockup. | ||
| pragma opaque; | ||
| aborts_if false; |
There was a problem hiding this comment.
Same as the above. This native function can actually abort. Please refer to the comment in aggregator.move.
There was a problem hiding this comment.
What is updated?
According to the comment in the code, this function "Aborts on going below zero.".
There was a problem hiding this comment.
The specs of add and sub have been redone.
| } | ||
|
|
||
| spec read { | ||
| // TODO: temporary mockup. | ||
| pragma opaque; | ||
| aborts_if false; |
There was a problem hiding this comment.
@georgemitenkov , can there be any cases where read and destroy may potentially abort?
There was a problem hiding this comment.
destroy never aborts, and so should read. Say you have an aggregator with an overflow limit of 10. And some transaction does this:
a = Aggregator(limit=10) // actual storage value is 5 already, but this transaction doesn't know
a.add(7)
a.read() // aborts the transaction since we read 5+7 > 10
So technically read aborts because it checks if previous deltas made sense. At the same time,
a = Aggregator(limit=10) // actual storage value is 5 already, but this transaction doesn't know
a.add(7)
equally aborts because at the end of the transaction we check if it should have been aborted (e.g. in sequential execution this means read the value, in parallel execution it is a bit more convoluted).
So, in my opinion, this shows that read never aborts, but rather catches an abort in add/sub. Not sure how you would qualify this for the prover?
There was a problem hiding this comment.
Looking at native implementation, we can abort if aggregator value is not found in storage, do we count this is as well? Technically should never happen...
There was a problem hiding this comment.
@georgemitenkov @junkil-park read never aborts. But destroy indeed abort.
┌─ aptos-framework/sources/aggregator/optional_aggregator.move:105:9
│
105 │ aggregator::destroy(aggregator);
│ ------------------------------- abort happened here with code 0x0
│
= at aptos-framework/sources/aggregator/optional_aggregator.move:100: switch_to_integer_and_zero_out
= optional_aggregator =
= &optional_aggregator.OptionalAggregator{
= aggregator =
= option.Option{
= vec =
= vector{
= aggregator.Aggregator{
= handle = 0x6784,
= key = 0x18be,
= limit = 18467u128}}},
= integer = option.Option{vec = vector{}}}
= at aptos-framework/sources/aggregator/optional_aggregator.move:103: destroy_optional_integer
= at <internal>:1
= at aptos-framework/sources/aggregator/optional_aggregator.move:103: destroy_optional_integer
= optional_aggregator =
= &optional_aggregator.OptionalAggregator{
= aggregator = option.Option{vec = vector{}},
= integer = option.Option{vec = vector{}}}
= aggregator =
= aggregator.Aggregator{
= handle = 0x6784,
= key = 0x18be,
= limit = 18467u128}
= at aptos-framework/sources/aggregator/optional_aggregator.move:104: destroy_optional_integer
= at aptos-framework/sources/aggregator/aggregator.move:80: limit
= aggregator =
= aggregator.Aggregator{
= handle = 0x6784,
= key = 0x18be,
= limit = 18467u128}
= at aptos-framework/sources/aggregator/aggregator.move:81: limit
= result = 18467u128
= at aptos-framework/sources/aggregator/aggregator.move:82: limit
= limit = 18467u128
= at aptos-framework/sources/aggregator/optional_aggregator.move:105: switch_to_integer_and_zero_out
= at <internal>:1
= at aptos-framework/sources/aggregator/optional_aggregator.move:105: switch_to_integer_and_zero_out
= ABORTED
{
"Error": "Move Prover failed: exiting with verification errors"
}
There was a problem hiding this comment.
@qpb8023 I am a bit confused with the error log and the inputs that lead to abort -- why there is a line ...optional_aggregator.move:103: destroy_optional_integer?
Is it possible to reproduce an error? This abort is not expected.
There was a problem hiding this comment.
'not implemented: Not yet supported constant vector type: Vector(Primitive(U64))'
This seems a separate issue. Do you still have the same problem when using the latest move-cli?
There was a problem hiding this comment.
@junkil-park The code you gave will still abort. By using the latest move cli.
There was a problem hiding this comment.
@rahxephon89, we support the constant vector type like Vector(Primitive(U64)), right?
There was a problem hiding this comment.
Just to unblock this PR from the constant vector issue, can you use this spec and proceed?
spec destroy(aggregator: Aggregator) {
pragma opaque;
// TODO: this aborts_if condition is a temporary mockup, which needs to be refined.
aborts_if false;
}
There was a problem hiding this comment.
@junkil-park I have solved this.
| aborts_if exists<SetVersionCapability>(@aptos_framework); | ||
| } | ||
|
|
||
| /// Only for test |
There was a problem hiding this comment.
Test functions don't need to be specified. Could you remove this spec?
There was a problem hiding this comment.
we add spec for initialize_for_test and set verify = false, because we opened aborts_if_is_strict in spec module, if we remove spec for initialize_for_test, prover will not let it pass.
spec aptos_framework::version {
spec module {
pragma verify = true;
pragma aborts_if_is_strict;
}
Two solutions from us:
1 keep the spec and add a comment like "no need to add spec for test functions, just because the module turns on aborts_if_is_strict".(which we preferred)
2 remove the spec, and turn aborts_if_is_strict to false.
There was a problem hiding this comment.
OK. The current way looks fine.
|
There is a CI check failure: https://github.com/aptos-labs/aptos-core/actions/runs/3645474643/jobs/6155656855#step:6:864. I am not sure why. Could you try to rebase it and regenerate the doc ( |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
✅ Forge suite
|
✅ Forge suite
|
…nal_aggregator & staking_config & version & event & guid & timestamp (aptos-labs#5653) * add aggregator_factory & optional_aggregator.move spec * Updated specs for module event & guid & timestamp & staking_config & version. * Documentation updated. * add ensures for sub_integer & add_integer function * replace tab to spaces * remove add & sub aborts_if false * update aggregator.spec.move * remove version.move test fun spec * make fun initialize_for_test verify false * [spec] added comments for test functions * Updated aggregator.move spec Co-authored-by: tiutiutiu <qiu971009@gmail.com> Co-authored-by: yoyoping <zhangping_ymd@outlook.com>
Description
This is a part of spec work for Aptos Framework from MoveBit, we updated below files/modules in this PR:
Test Plan