| 15 Jan 2024 |
 dxo | hm, I'm getting "failed to generate a model" for this too:
function prove_assert_false() public pure {
assert(false);
}
| 19:29:50 |
| dxo | Running functions: ['\''src%unsafe%1tx-abstract%AssertFalse.prove_assert_false()'\'']
PROOF FAILED: src%unsafe%1tx-abstract%AssertFalse.prove_assert_false():0
1 Failure nodes. (0 pending and 1 failing)
Failing nodes:
Node id: 5
Failure reason:
Implication check failed, the following is the remaining implication:
( ( { true #Equals 0 <=Int CALLER_ID:Int }
#And ( { true #Equals 0 <=Int ORIGIN_ID:Int }
#And ( { true #Equals 0 <=Int NUMBER_CELL:Int }
#And ( { true #Equals CALLER_ID:Int <Int pow160 }
#And ( { true #Equals ORIGIN_ID:Int <Int pow160 }
#And { true #Equals NUMBER_CELL:Int <=Int maxSInt256 } ) ) ) ) ) #Implies { true #Equals foundry_success ( ... statusCode: EVMC_REVERT , failed: #lookup ( .Map , 46308022326495007027972728677917914892729792999299745830475596687180801507328 ) , revertExpected: false , opcodeExpected: false , recordEventExpected: false , eventExpected: false ) } )
Path condition:
#Top
Failed to generate a model.
| 19:30:22 |
| dxo | Maybe I'm trying to force the tool into a sort of awkward ideology for it? | 19:32:07 |
| dxo | Like it doesn't really have such a strong distinction between "this can never be proven" and "I don't know if this is safe or not"? | 19:32:29 |
 ehildenb | It should be generating models, so that seems like an issue. | 19:35:01 |
| ehildenb | But yes, it doesn't distinct really between those cases. | 19:35:21 |
| dxo | right | 19:39:45 |
| dxo | I think I’m going to claim that a proof of unsafety requires a cex and classify all “Failed to generate a model” as “unknown” | 19:40:20 |
| dxo | do you know of any examples where it can produce a model? or like some example output of a model? Just so I can write a regex that can detect if it has managed to produce a model? | 19:41:35 |
| ehildenb | Well, lemme file a bug report for the team, and then we can figure out what's going on. | 20:13:57 |
| 16 Jan 2024 |
|  palinatolmach joined the room. | 05:59:25 |
| palinatolmach | In reply to @xvwx:matrix.dapp.org.uk
do you know of any examples where it can produce a model? or like some example output of a model? Just so I can write a regex that can detect if it has managed to produce a model? Hey @dxo! Thanks for all your work on the benchmark repo and integrating Kontrol there!
To produce a model, you can execute the same prove_sub_comm(uint x, uint y) test you've been using:
function prove_sub_comm(uint x, uint y) public pure {
unchecked {
assert(x - y == y - x);
}
}
but please add a --counterexample-information option to kontrol prove:
❯ kontrol prove --match-test prove_sub_comm --counterexample-information
...
Failing nodes:
Node id: 11
Failure reason:
Implication check failed, the following is the remaining implication:
( ( { true #Equals 0 <=Int CALLER_ID:Int }
#And ( { true #Equals 0 <=Int ORIGIN_ID:Int }
#And ( { true #Equals 0 <=Int NUMBER_CELL:Int }
#And ( { true #Equals 0 <=Int VV0_x_114b9705:Int }
#And ( { true #Equals 0 <=Int VV1_y_114b9705:Int }
#And ( { true #Equals CALLER_ID:Int <Int pow160 }
#And ( { true #Equals ORIGIN_ID:Int <Int pow160 }
#And ( { true #Equals NUMBER_CELL:Int <=Int maxSInt256 }
#And ( { true #Equals VV0_x_114b9705:Int <Int pow256 }
#And ( { true #Equals VV1_y_114b9705:Int <Int pow256 }
#And #Not ( { chop ( ( VV0_x_114b9705:Int -Int VV1_y_114b9705:Int ) ) #Equals chop ( ( VV1_y_114b9705:Int -Int VV0_x_114b9705:Int ) ) } ) ) ) ) ) ) ) ) ) ) ) #Implies { true #Equals foundry_success ( ... statusCode: EVMC_REVERT , failed: #lookup ( .Map , 46308022326495007027972728677917914892729792999299745830475596687180801507328 ) , revertExpected: false , opcodeExpected: false , recordEventExpected: false , eventExpected: false ) } )
Path condition:
{ true #Equals ( notBool chop ( ( VV0_x_114b9705:Int -Int VV1_y_114b9705:Int ) ) ==Int chop ( ( VV1_y_114b9705:Int -Int VV0_x_114b9705:Int ) ) ) }
Model:
NUMBER_CELL = 0
VV1_y_114b9705 = maxUInt256
ORIGIN_ID = maxUInt160
CALLER_ID = 0
VV0_x_114b9705 = 57896044618658097711785492504343953926634992332820282019728792003956564819966
| 06:35:54 |
| palinatolmach | We'll turn CEX generation on by default today; right now, we are not generating counterexamples unless the --counterexample-information flag is provided, but the absence of the generated model still makes its way into the output. And we'll handle empty model separately too, so that it doesn't get reported as a failure. Thanks for submitting those issues! | 06:41:02 |
| palinatolmach | In reply to @xvwx:matrix.dapp.org.uk
do you know of any examples where it can produce a model? or like some example output of a model? Just so I can write a regex that can detect if it has managed to produce a model? * Hey dxo ! Thanks for all your work on the benchmark repo and integrating Kontrol there!
To produce a model, you can execute the same prove_sub_comm(uint x, uint y) test you've been using:
function prove_sub_comm(uint x, uint y) public pure {
unchecked {
assert(x - y == y - x);
}
}
but please add a --counterexample-information option to kontrol prove:
❯ kontrol prove --match-test prove_sub_comm --counterexample-information
...
Failing nodes:
Node id: 11
Failure reason:
Implication check failed, the following is the remaining implication:
( ( { true #Equals 0 <=Int CALLER_ID:Int }
#And ( { true #Equals 0 <=Int ORIGIN_ID:Int }
#And ( { true #Equals 0 <=Int NUMBER_CELL:Int }
#And ( { true #Equals 0 <=Int VV0_x_114b9705:Int }
#And ( { true #Equals 0 <=Int VV1_y_114b9705:Int }
#And ( { true #Equals CALLER_ID:Int <Int pow160 }
#And ( { true #Equals ORIGIN_ID:Int <Int pow160 }
#And ( { true #Equals NUMBER_CELL:Int <=Int maxSInt256 }
#And ( { true #Equals VV0_x_114b9705:Int <Int pow256 }
#And ( { true #Equals VV1_y_114b9705:Int <Int pow256 }
#And #Not ( { chop ( ( VV0_x_114b9705:Int -Int VV1_y_114b9705:Int ) ) #Equals chop ( ( VV1_y_114b9705:Int -Int VV0_x_114b9705:Int ) ) } ) ) ) ) ) ) ) ) ) ) ) #Implies { true #Equals foundry_success ( ... statusCode: EVMC_REVERT , failed: #lookup ( .Map , 46308022326495007027972728677917914892729792999299745830475596687180801507328 ) , revertExpected: false , opcodeExpected: false , recordEventExpected: false , eventExpected: false ) } )
Path condition:
{ true #Equals ( notBool chop ( ( VV0_x_114b9705:Int -Int VV1_y_114b9705:Int ) ) ==Int chop ( ( VV1_y_114b9705:Int -Int VV0_x_114b9705:Int ) ) ) }
Model:
NUMBER_CELL = 0
VV1_y_114b9705 = maxUInt256
ORIGIN_ID = maxUInt160
CALLER_ID = 0
VV0_x_114b9705 = 57896044618658097711785492504343953926634992332820282019728792003956564819966
| 06:41:35 |
| palinatolmach | ehildenb also suggested that we assign separate exit codes to results such as "test failed, counterexample generated" and "test failed, unable to generate a counterexample". dxo are there any specific exit codes we can use to make it easier for you to analyze results and integrate them into the benchmark? | 06:43:59 |
| palinatolmach | * We'll turn CEX generation on by default today; right now, we are not generating counterexamples unless the --counterexample-information flag is provided, but the absence of the generated model still makes its way into the output. And we'll handle empty model separately too, so that it doesn't get reported as a failure (UPD: it's actually fixed by enabling counterexample generation too). Thanks for submitting those issues! | 07:51:19 |
| dxo | ah nice | 10:41:16 |
| dxo | thanks a lot! | 10:41:17 |
| dxo | right now the benchmarks classifies test execution results into safe/unsafe/unknown, so having some way to easily figure out how to classify a invocation of kontrol prove into one of those three would be awesome | 10:42:52 |
| dxo | I've been meaning to add some like --benchmark-output flag or smth to hevm for a while which would output just like result:safe or smth | 10:43:32 |
| dxo | having special exit codes is a good idea actually | 10:43:43 |
| dxo | maybe that's better | 10:43:45 |
| dxo | Is there a way to tell kontrol to start with a fully abstract storage? | 10:45:38 |
| dxo | Redacted or Malformed Event | 10:50:55 |
| palinatolmach | Thank you! Let me check what our existing exit code are, and I'll let you know which ones we'll be using to distinguish between unsafe and unknown! | 11:17:30 |
| palinatolmach | In reply to @xvwx:matrix.dapp.org.uk
Is there a way to tell kontrol to start with a fully abstract storage? We have a cheatcode for that, but it's contract-specific. You can install cheatcodes as a forge library in your project:
forge install runtimeverification/kontrol-cheatcodes
and then use it as follows:
function testSymbolicStorage(uint256 slot) public {
address addr = 0xEA674fdDe714fd979de3EdF0F56AA9716B898ec8;
kevm.symbolicStorage(addr);
// the storage for addr is symbolic
// ...
}
| 11:22:38 |
| palinatolmach | In reply to @xvwx:matrix.dapp.org.uk
Is there a way to tell kontrol to start with a fully abstract storage? * We have a cheatcode for that, but it's contract-specific. You can install cheatcodes as a forge library in your project:
forge install runtimeverification/kontrol-cheatcodes
and then use it as follows:
function testSymbolicStorage(uint256 slot) public {
address addr = 0xEA674fdDe714fd979de3EdF0F56AA9716B898ec8;
kevm.symbolicStorage(addr);
// the storage for addr is symbolic
// ...
}
| 11:22:47 |
| palinatolmach | dxo: looks like we'll need a bit more time to agree on the exit code convention, but the counterexample generation fix is ready, and we just have to wait a bit for the PR to go through — I'll send you a message tomorrow once it's published! | 15:29:52 |
| dxo | awesome | 15:48:21 |
| dxo | thanks a lot <3 | 15:48:23 |
