Merge pull request #100 from morpho-dao/test/certora-3

QGarchery · web-flow · commit 8c19f7d84b8e · 2023-01-02T18:09:34.000+01:00
Certora verification of the DLL
diff --git a/.gitignore b/.gitignore
@@ -33,3 +33,10 @@ yarn-error.log*
 # test
 /test-ts/output-tree-structure.txt
 *.ansi
+
+#certora
+certora/munged-simple/*
+certora/munged-fifo/*
+.certora*
+last_conf*
+certora_debug_log.txt
diff --git a/certora/applyHarnessFIFO.patch b/certora/applyHarnessFIFO.patch
@@ -0,0 +1,150 @@
+diff -ruN DoubleLinkedList.sol DoubleLinkedList.sol
+--- DoubleLinkedList.sol	2022-12-16 20:15:34.039800632 +0100
++++ DoubleLinkedList.sol	2022-12-16 20:33:41.874106437 +0100
+@@ -18,6 +18,8 @@
+         mapping(address => Account) accounts;
+         address head;
+         address tail;
++        address insertedBefore; // HARNESS: address of the account before which the account was inserted at last insertion.
++        address insertedAfter; // HARNESS: address of the account after which the account was inserted at last insertion.
+     }
+ 
+     /// ERRORS ///
+@@ -106,18 +108,22 @@
+ 
+         uint256 numberOfIterations;
+         address next = _list.head; // If not added at the end of the list `_id` will be inserted before `next`.
++        _list.insertedAfter = address(0); // HARNESS
+ 
+         while (
+             numberOfIterations < _maxIterations &&
+             next != address(0) &&
+             _list.accounts[next].value >= _value
+         ) {
++            _list.insertedAfter = next; // HARNESS
+             next = _list.accounts[next].next;
+             unchecked {
+                 ++numberOfIterations;
+             }
+         }
+ 
++        _list.insertedBefore = next; // HARNESS
++
+         // Account is not the new tail.
+         if (numberOfIterations < _maxIterations && next != address(0)) {
+             // Account is the new head.
+diff -ruN MockDLL.sol MockDLL.sol
+--- MockDLL.sol	1970-01-01 01:00:00.000000000 +0100
++++ MockDLL.sol	2022-12-16 20:35:27.432652652 +0100
+@@ -0,0 +1,111 @@
++// SPDX-License-Identifier: GNU AGPLv3
++pragma solidity ^0.8.0;
++
++import "./DoubleLinkedList.sol";
++
++contract MockDLL {
++    using DoubleLinkedList for DoubleLinkedList.List;
++
++    // VERIFICATION INTERFACE
++
++    DoubleLinkedList.List public dll;
++
++    uint256 public maxIterations;
++
++    uint256 internal dummy_state_variable;
++
++    function dummy_state_modifying_function() public {
++        // to fix a CVL error when only one function is accessible
++        dummy_state_variable = 1;
++    }
++
++    function getValueOf(address _id) public view returns (uint256) {
++        return dll.getValueOf(_id);
++    }
++
++    function getHead() public view returns (address) {
++        return dll.getHead();
++    }
++
++    function getTail() public view returns (address) {
++        return dll.getTail();
++    }
++
++    function getNext(address _id) public view returns (address) {
++        return dll.getNext(_id);
++    }
++
++    function getPrev(address _id) public view returns (address) {
++        return dll.getPrev(_id);
++    }
++
++    function remove(address _id) public {
++        dll.remove(_id);
++    }
++
++    function insertSorted(
++        address _id,
++        uint256 _value,
++        uint256 _maxIterations
++    ) public {
++        dll.insertSorted(_id, _value, _maxIterations);
++    }
++
++    // SPECIFICATION HELPERS
++
++    function getInsertedAfter() public view returns (address) {
++        return dll.insertedAfter;
++    }
++
++    function getInsertedBefore() public view returns (address) {
++        return dll.insertedBefore;
++    }
++
++    function getLength() public view returns (uint256) {
++        uint256 len;
++        for (address current = getHead(); current != address(0); current = getNext(current)) len++;
++        return len;
++    }
++
++    function linkBetween(address _start, address _end) internal view returns (bool, address) {
++        if (_start == _end) return (true, address(0));
++        for (uint256 maxIter = getLength(); maxIter > 0; maxIter--) {
++            address next = getNext(_start);
++            if (next == _end) return (true, _start);
++            _start = next;
++        }
++        return (false, address(0));
++    }
++
++    function isForwardLinkedBetween(address _start, address _end) public view returns (bool ret) {
++        (ret, ) = linkBetween(_start, _end);
++    }
++
++    function getPreceding(address _end) public view returns (address last) {
++        (, last) = linkBetween(getHead(), _end);
++    }
++
++    function greaterThanUpTo(
++        uint256 _value,
++        address _to,
++        uint256 _maxIter
++    ) public view returns (bool) {
++        address from = getHead();
++        for (; _maxIter > 0; _maxIter--) {
++            if (from == _to) return true;
++            if (getValueOf(from) < _value) return false;
++            from = getNext(from);
++        }
++        return true;
++    }
++
++    function lenUpTo(address _to) public view returns (uint256) {
++        uint256 maxIter = getLength();
++        address from = getHead();
++        for (; maxIter > 0; maxIter--) {
++            if (from == _to) break;
++            from = getNext(from);
++        }
++        return getLength() - maxIter;
++    }
++}
diff --git a/certora/applyHarnessSimple.patch b/certora/applyHarnessSimple.patch
@@ -0,0 +1,149 @@
+diff -ruN DoubleLinkedList.sol DoubleLinkedList.sol
+--- DoubleLinkedList.sol	2022-10-25 18:11:24.798784245 +0200
++++ DoubleLinkedList.sol	2022-11-11 11:24:29.066289033 +0100
+@@ -18,6 +18,8 @@
+         mapping(address => Account) accounts;
+         address head;
+         address tail;
++        address insertedBefore; // HARNESS: address of the account before which the account was inserted at last insertion.
++        address insertedAfter; // HARNESS: address of the account after which the account was inserted at last insertion.
+     }
+ 
+     /// ERRORS ///
+@@ -93,33 +95,27 @@
+     /// @param _list The list to search in.
+     /// @param _id The address of the account.
+     /// @param _value The value of the account.
+-    /// @param _maxIterations The max number of iterations.
+     function insertSorted(
+         List storage _list,
+         address _id,
+-        uint256 _value,
+-        uint256 _maxIterations
++        uint256 _value
+     ) internal {
+         if (_value == 0) revert ValueIsZero();
+         if (_id == address(0)) revert AddressIsZero();
+         if (_list.accounts[_id].value != 0) revert AccountAlreadyInserted();
+ 
+-        uint256 numberOfIterations;
+-        address next = _list.head; // If not added at the end of the list `_id` will be inserted before `next`.
++        _list.insertedAfter = address(0);
++        address next = _list.head; // `_id` will be inserted before `next`.
+ 
+-        while (
+-            numberOfIterations < _maxIterations &&
+-            next != address(0) &&
+-            _list.accounts[next].value >= _value
+-        ) {
++        while (next != address(0) && _list.accounts[next].value >= _value) {
++            _list.insertedAfter = next;
+             next = _list.accounts[next].next;
+-            unchecked {
+-                ++numberOfIterations;
+-            }
+         }
+ 
++        _list.insertedBefore = next;
++
+         // Account is not the new tail.
+-        if (numberOfIterations < _maxIterations && next != address(0)) {
++        if (next != address(0)) {
+             // Account is the new head.
+             if (next == _list.head) {
+                 _list.accounts[_id] = Account({prev: address(0), next: next, value: _value});
+diff -ruN MockDLL.sol MockDLL.sol
+--- MockDLL.sol	1970-01-01 01:00:00.000000000 +0100
++++ MockDLL.sol	2022-11-11 11:27:17.368989154 +0100
+@@ -0,0 +1,91 @@
++// SPDX-License-Identifier: GNU AGPLv3
++pragma solidity ^0.8.0;
++
++import "./DoubleLinkedList.sol";
++
++contract MockDLL {
++    using DoubleLinkedList for DoubleLinkedList.List;
++
++    // VERIFICATION INTERFACE
++
++    DoubleLinkedList.List public dll;
++
++    uint256 internal dummy_state_variable;
++
++    function dummy_state_modifying_function() public {
++        // to fix a CVL error when only one function is accessible
++        dummy_state_variable = 1;
++    }
++
++    function getValueOf(address _id) public view returns (uint256) {
++        return dll.getValueOf(_id);
++    }
++
++    function getHead() public view returns (address) {
++        return dll.getHead();
++    }
++
++    function getTail() public view returns (address) {
++        return dll.getTail();
++    }
++
++    function getNext(address _id) public view returns (address) {
++        return dll.getNext(_id);
++    }
++
++    function getPrev(address _id) public view returns (address) {
++        return dll.getPrev(_id);
++    }
++
++    function remove(address _id) public {
++        dll.remove(_id);
++    }
++
++    function insertSorted(address _id, uint256 _value) public {
++        dll.insertSorted(_id, _value);
++    }
++
++    // SPECIFICATION HELPERS
++
++    function getInsertedAfter() public view returns (address) {
++        return dll.insertedAfter;
++    }
++
++    function getInsertedBefore() public view returns (address) {
++        return dll.insertedBefore;
++    }
++
++    function getLength() internal view returns (uint256) {
++        uint256 len;
++        for (address current = getHead(); current != address(0); current = getNext(current)) len++;
++        return len;
++    }
++
++    function linkBetween(address _start, address _end) internal view returns (bool, address) {
++        if (_start == _end) return (true, address(0));
++        for (uint256 maxIter = getLength(); maxIter > 0; maxIter--) {
++            address next = getNext(_start);
++            if (next == _end) return (true, _start);
++            _start = next;
++        }
++        return (false, address(0));
++    }
++
++    function isForwardLinkedBetween(address _start, address _end) public view returns (bool ret) {
++        (ret, ) = linkBetween(_start, _end);
++    }
++
++    function getPreceding(address _end) public view returns (address last) {
++        (, last) = linkBetween(getHead(), _end);
++    }
++
++    function isDecrSortedFrom(address _start) public view returns (bool) {
++        for (uint256 maxIter = getLength(); maxIter > 0; maxIter--) {
++            address next = getNext(_start);
++            if (next == address(0)) return true;
++            if (getValueOf(_start) < getValueOf(next)) return false;
++            _start = getNext(_start);
++        }
++        return true;
++    }
++}
diff --git a/certora/makefile b/certora/makefile
@@ -0,0 +1,23 @@
+help:
+	@echo "usage: two possible munging, either simple DLL of DLL with FIFO"
+
+munged-simple: $(wildcard ../src/*.sol) applyHarnessSimple.patch
+	@rm -rf munged-simple
+	@cp -r ../src munged-simple
+	@patch -p0 -d munged-simple < applyHarnessSimple.patch
+
+record-simple:
+	diff -ruN ../contracts munged-simple | sed 's+\.\./src/++g' | sed 's+munged-simple/++g' > applyHarnessSimple.patch
+
+munged-fifo: $(wildcard ../src/*.sol) applyHarnessFIFO.patch
+	@rm -rf munged-fifo
+	@cp -r ../src munged-fifo
+	@patch -p0 -d munged-fifo < applyHarnessFIFO.patch
+
+record-fifo:
+	diff -ruN ../src munged-fifo | sed 's+\.\./src/++g' | sed 's+munged-fifo/++g' > applyHarnessFIFO.patch
+
+clean:
+	rm -rf munged-simple munged-fifo
+
+.PHONY: help clean # do not add munged here, as it is useful to protect munged edits
diff --git a/certora/scripts/dll-fifo.sh b/certora/scripts/dll-fifo.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+make -C certora munged-fifo
+
+certoraRun \
+    certora/munged-fifo/MockDLL.sol \
+    --verify MockDLL:certora/specs/dll-fifo.spec \
+    --loop_iter 4 \
+    --optimistic_loop \
+    --send_only \
+    --msg "FIFO DLL verification" \
+    --staging \
+    $@
diff --git a/certora/scripts/dll-simple.sh b/certora/scripts/dll-simple.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+make -C certora munged-simple
+
+certoraRun \
+    certora/munged-simple/MockDLL.sol \
+    --verify MockDLL:certora/specs/dll-simple.spec \
+    --loop_iter 7 \
+    --optimistic_loop \
+    --send_only \
+    --msg "Simple DLL verification" \
+    --staging \
+    $@
diff --git a/certora/scripts/sanity-fifo.sh b/certora/scripts/sanity-fifo.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+make -C certora munged-fifo
+
+certoraRun \
+    certora/munged-fifo/MockDLL.sol \
+    --verify MockDLL:certora/specs/sanity.spec \
+    --loop_iter 7 \
+    --optimistic_loop \
+    --send_only \
+    --staging \
+    --msg "FIFO DLL sanity" \
+    $@
diff --git a/certora/scripts/sanity-simple.sh b/certora/scripts/sanity-simple.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+make -C certora munged-simple
+
+certoraRun \
+    certora/munged-simple/MockDLL.sol \
+    --verify MockDLL:certora/specs/sanity.spec \
+    --loop_iter 7 \
+    --optimistic_loop \
+    --send_only \
+    --staging \
+    --msg "Simple DLL sanity" \
+    $@
diff --git a/certora/specs/dll-fifo.spec b/certora/specs/dll-fifo.spec
diff --git a/certora/specs/dll-simple.spec b/certora/specs/dll-simple.spec
diff --git a/certora/specs/sanity.spec b/certora/specs/sanity.spec
diff --git a/src/DoubleLinkedList.sol b/src/DoubleLinkedList.sol
