-
Notifications
You must be signed in to change notification settings - Fork 36
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #61 from Certora/liav/CERT-5336-V7-Examples
Liav/cert 5336 v7 examples
- Loading branch information
Showing
23 changed files
with
236 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
// SPDX-License-Identifier: AGPL-3.0-only | ||
|
||
pragma solidity >=0.8.0; | ||
|
||
|
||
contract Fibonacci { | ||
function fibonacci(uint32 i) external returns (uint32) { | ||
if(i == 1 || i == 2) { | ||
return 1; | ||
} | ||
return this.fibonacci(i- 1) + this.fibonacci(i - 2); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
methods { | ||
function fibonacci(uint32) external returns (uint32) envfree; | ||
} | ||
|
||
rule fibonacciMonotonicallyIncreasing { | ||
uint32 i1; | ||
uint32 i2; | ||
|
||
assert i2 > i1 => fibonacci(i2) >= fibonacci(i1); | ||
} | ||
|
||
rule fifthFibonacciElementIsFive { | ||
assert fibonacci(5) == 5; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{ | ||
"files": [ | ||
"Helpers/Fibonacci.sol" | ||
], | ||
"verify": "Fibonacci:Helpers/Fibonacci.spec", | ||
// Specify the allowed number of recursion calls. | ||
"contract_recursion_limit": "5", | ||
|
||
"rule": ["fifthFibonacciElementIsFive"] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
{ | ||
"files": [ | ||
"Helpers/Fibonacci.sol" | ||
], | ||
"verify": "Fibonacci:Helpers/Fibonacci.spec", | ||
// Turn on optimistic contract recursion. | ||
"optimistic_contract_recursion": true, | ||
|
||
"contract_recursion_limit": "1", | ||
"rule": ["fibonacciMonotonicallyIncreasing"] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
{ | ||
"files": [ | ||
"../CVLByExample/Structs/BankAccounts/Bank.sol" | ||
], | ||
"verify": "Bank:../CVLByExample/Storage/certora/specs/storage.spec", | ||
//Allow going to contract fallback function on unresolved. | ||
"optimistic_fallback": true, | ||
|
||
"optimistic_loop": true, | ||
"loop_iter": "3", | ||
"multi_assert_check": true, | ||
"rule_sanity": "basic", | ||
"solc_allow_path": "../" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,33 @@ | ||
This directory provides a precise ghost summary for the function `sqrRoot`. Certora team has proven the code obeys the property. | ||
# Summarizing a Square Root Function | ||
|
||
To run this spec: | ||
In this example we'll try to prove that adding liquidity to a certain protocol is monotonic. But there is a problem, | ||
the protocol computes some square roots as part of it's calculations. | ||
|
||
```certoraRun.py runSqrRoot.conf``` | ||
Run the following spec: | ||
```certoraRun runUnsummarizedSqrRoot.conf``` | ||
[A report of this run](https://prover.certora.com/output/15800/305a18aa989940d0857e3c928d26dd46?anonymousKey=1f2dd488f9d710622ae9757f27c84642f7d43e45) | ||
|
||
[A report of this run](https://prover.certora.com/output/15800/2846cde0b56a45c3ab044868e95cc7fd?anonymousKey=e509c40a5d1ee37bf7a3b95f5a672f40ee4abd41) | ||
As you can see, the prover timed out trying to prove the rule. This is due to the nature of the complex math square root operation. | ||
In order to solve this timeout, we can try using a feature of the prover that will automatically use NONDET summarizations for | ||
difficult* internal functions. | ||
To enable this option you can add the flag `--auto_nondet_difficult_internal_funcs`, it is already included in the following conf. | ||
|
||
Run it using: | ||
```certoraRun runAutoSummarizedSqrRoot.conf``` | ||
[A report of this run](https://prover.certora.com/output/15800/2c57a7956db04b09b309fa6220dfa2d9?anonymousKey=719eaa90c86e6c73c6f2af637b5921a5b063d47a) | ||
|
||
(*The prover calculates a difficulty score using various attributes of the functions.) | ||
|
||
The timeout was solved and we got a counter example to the rule. If you'll look closely at the counter example you'll notice that | ||
it seems wrong. This is because as we mentioned above, we used a NONDET summarization for the `sqrRoot` function, which is an integral part of the liquidity calculation, instead of actually calculating the square root. | ||
|
||
What we can do, is use a smarter hand-crafted summarization. The spec `SummarizedSqrRoot.conf` contains a precise ghost summary for the function `sqrRoot`. The Certora team has proven the summarization is indeed equal to a square root operation. | ||
|
||
To run this spec use: | ||
|
||
```certoraRun.py runSummarizedSqrRoot.conf``` | ||
[A report of this run](https://prover.certora.com/output/15800/b91e56bd9fab47e69ab023e94b168ed3?anonymousKey=136f48b482a96179742e755d4c644e69abb1595e) | ||
|
||
Now the rule is passing and we successfully proven the monotonicity property. | ||
|
||
|
File renamed without changes.
12 changes: 12 additions & 0 deletions
12
CVLByExample/Summarization/GhostSummary/SqrRoot/runAutoSummarizedSqrRoot.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{ | ||
"files": [ | ||
"contracts/SqrRoot.sol", | ||
], | ||
"verify": "SqrRoot:specs/UnsummarizedSqrRoot.spec", | ||
"msg": "Unsummarized sqrt proof", | ||
"rule_sanity": "basic", | ||
"optimistic_loop": true, | ||
"loop_iter": "7", | ||
"auto_nondet_difficult_internal_funcs": true, | ||
"auto_nondet_minimal_difficulty": "8" | ||
} |
8 changes: 0 additions & 8 deletions
8
CVLByExample/Summarization/GhostSummary/SqrRoot/runSqrRoot.conf
This file was deleted.
Oops, something went wrong.
10 changes: 10 additions & 0 deletions
10
CVLByExample/Summarization/GhostSummary/SqrRoot/runSummarizedSqrRoot.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{ | ||
"files": [ | ||
"contracts/SqrRoot.sol", | ||
], | ||
"verify": "SqrRoot:specs/SummarizedSqrRoot.spec", | ||
"msg": "Unsummarized sqrt proof", | ||
"rule_sanity": "basic", | ||
"optimistic_loop": true, | ||
"loop_iter": "7" | ||
} |
10 changes: 10 additions & 0 deletions
10
CVLByExample/Summarization/GhostSummary/SqrRoot/runUnsummarizedSqrRoot.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{ | ||
"files": [ | ||
"contracts/SqrRoot.sol", | ||
], | ||
"verify": "SqrRoot:specs/UnsummarizedSqrRoot.spec", | ||
"msg": "Unsummarized sqrt proof", | ||
"rule_sanity": "basic", | ||
"optimistic_loop": true, | ||
"loop_iter": "7" | ||
} |
3 changes: 2 additions & 1 deletion
3
...ization/GhostSummary/SqrRoot/SqrRoot.spec → ...mary/SqrRoot/specs/SummarizedSqrRoot.spec
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9 changes: 9 additions & 0 deletions
9
CVLByExample/Summarization/GhostSummary/SqrRoot/specs/UnsummarizedSqrRoot.spec
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
rule addLiquidityMonotonicity(uint256 amount0, uint256 amount1, uint256 amount2, uint256 amount3) { | ||
env e; | ||
storage initStorage = lastStorage; | ||
uint256 firstAdd = addLiquidity(e, amount0, amount1); | ||
uint256 secondAdd = addLiquidity(e, amount2, amount3) at initStorage; | ||
assert ((amount0 <= amount2 || amount1 <= amount3) => | ||
(firstAdd <= secondAdd), | ||
"addLiquidity is not monotonic"); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# What happens when a function has both exact and wildcard summarizations? | ||
|
||
When a function matches a wildcard summarization but also has an exact summarization, the exact summarization is used to summarize | ||
this function. We will demonstrate such case using a simple example. | ||
|
||
We have 2 very simple contracts: `A` (in `A.sol`) and `B` (in `B.sol`). | ||
`A` holds a reference to `B` and has a simple function `callAFunc` that call the function `toBeSummarized` from B and returns it. | ||
The function toBeSummarized just returns 0. | ||
|
||
The spec `WildcardVsExact.spec` defines 2 different summarizations: | ||
* A wildcard summarization that will match a `toBeSummarized()` signature from any contract in the scene. This summarization returns 5. | ||
* An exact summarization to `B.toBeSummarized()` that returns 7. | ||
|
||
The spec also include 2 simple rules: `isFive` and `isSeven` that asserts that `callAFunc` returns 5 and 7 respectively. | ||
|
||
Run this spec via | ||
```certoraRun runWildcardVsExact.conf``` | ||
|
||
[The report of this run](https://prover.certora.com/output/15800/cbdf895a0130407e9997def721834bc3?anonymousKey=ae82616d3ac4a4b608bd41d5c6d1a6b0e1bbe836) | ||
|
||
As you can see `isFive` fails because the wildcard summarization was not used. But `isSeven` passes because the exact summarization was used | ||
instead of calling the actual function that would have returned 0. |
13 changes: 13 additions & 0 deletions
13
CVLByExample/Summarization/WildcardVsExact/contracts/A.sol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
// SPDX-License-Identifier: AGPL-3.0-only | ||
pragma solidity >=0.8.0; | ||
|
||
import "./B.sol"; | ||
|
||
contract A { | ||
|
||
B public other; | ||
|
||
function callAFunc() external returns (uint256) { | ||
return other.toBeSummarized(); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
// SPDX-License-Identifier: AGPL-3.0-only | ||
pragma solidity >=0.8.0; | ||
|
||
contract B { | ||
function toBeSummarized() external returns (uint256) { | ||
return 0; | ||
} | ||
} |
11 changes: 11 additions & 0 deletions
11
CVLByExample/Summarization/WildcardVsExact/runWilcardVsExact.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
{ | ||
"files": [ | ||
"contracts/A.sol", | ||
"contracts/B.sol" | ||
], | ||
"link": [ | ||
"A:other=B" | ||
], | ||
"verify": "A:specs/WildcardVsExact.spec", | ||
"msg": "Wildcard summary vs exact summary" | ||
} |
15 changes: 15 additions & 0 deletions
15
CVLByExample/Summarization/WildcardVsExact/specs/WildcardVsExact.spec
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
using B as B; | ||
|
||
methods { | ||
function callAFunc() external returns (uint256) envfree; | ||
function _.toBeSummarized() external => ALWAYS(5) ALL; | ||
function B.toBeSummarized() external returns(uint256) => ALWAYS(7) ALL; | ||
} | ||
|
||
rule isFive { | ||
assert callAFunc() == 5; | ||
} | ||
|
||
rule isSeven { | ||
assert callAFunc() == 7; | ||
} |