hevm-0.53.0: Symbolic EVM Evaluator
Safe HaskellSafe-Inferred
LanguageGHC2021

EVM.SMT

Description

 
Synopsis

Encoding ** ----------------------------------------------------------------------------------

data CexVars Source #

Data that we need to construct a nice counterexample

Constructors

CexVars 

Fields

Instances

Instances details
Monoid CexVars Source # 
Instance details

Defined in EVM.SMT

Methods

mempty :: CexVars #

mappend :: CexVars -> CexVars -> CexVars #

mconcat :: [CexVars] -> CexVars #

Semigroup CexVars Source # 
Instance details

Defined in EVM.SMT

Methods

(<>) :: CexVars -> CexVars -> CexVars #

sconcat :: NonEmpty CexVars -> CexVars #

stimes :: Integral b => b -> CexVars -> CexVars #

Show CexVars Source # 
Instance details

Defined in EVM.SMT

Methods

showsPrec :: Int -> CexVars -> ShowS #

show :: CexVars -> String #

showList :: [CexVars] -> ShowS #

Eq CexVars Source # 
Instance details

Defined in EVM.SMT

Methods

(==) :: CexVars -> CexVars -> Bool #

(/=) :: CexVars -> CexVars -> Bool #

data BufModel Source #

A model for a buffer, either in it's compressed form (for storing parsed models from a solver), or as a bytestring (for presentation to users)

Constructors

Comp CompressedBuf 
Flat ByteString 

Instances

Instances details
Show BufModel Source # 
Instance details

Defined in EVM.SMT

Methods

showsPrec :: Int -> BufModel -> ShowS #

show :: BufModel -> String #

showList :: [BufModel] -> ShowS #

Eq BufModel Source # 
Instance details

Defined in EVM.SMT

Methods

(==) :: BufModel -> BufModel -> Bool #

(/=) :: BufModel -> BufModel -> Bool #

data CompressedBuf Source #

This representation lets us store buffers of arbitrary length without exhausting the available memory, it closely matches the format used by smt-lib when returning models for arrays

Constructors

Base 

Fields

Write 

Fields

Instances

Instances details
Show CompressedBuf Source # 
Instance details

Defined in EVM.SMT

Methods

showsPrec :: Int -> CompressedBuf -> ShowS #

show :: CompressedBuf -> String #

showList :: [CompressedBuf] -> ShowS #

Eq CompressedBuf Source # 
Instance details

Defined in EVM.SMT

Methods

(==) :: CompressedBuf -> CompressedBuf -> Bool #

(/=) :: CompressedBuf -> CompressedBuf -> Bool #

data SMTCex Source #

a final post shrinking cex, buffers here are all represented as concrete bytestrings

Constructors

SMTCex 

Fields

Instances

Instances details
Show SMTCex Source # 
Instance details

Defined in EVM.SMT

Methods

showsPrec :: Int -> SMTCex -> ShowS #

show :: SMTCex -> String #

showList :: [SMTCex] -> ShowS #

Eq SMTCex Source # 
Instance details

Defined in EVM.SMT

Methods

(==) :: SMTCex -> SMTCex -> Bool #

(/=) :: SMTCex -> SMTCex -> Bool #

data RefinementEqs Source #

Used for abstraction-refinement of the SMT formula. Contains assertions that make our query fully precise. These will be added to the assertion stack if we get sat with the abstracted query.

Constructors

RefinementEqs [Builder] [Prop] 

Instances

Instances details
Monoid RefinementEqs Source # 
Instance details

Defined in EVM.SMT

Methods

mempty :: RefinementEqs #

mappend :: RefinementEqs -> RefinementEqs -> RefinementEqs #

mconcat :: [RefinementEqs] -> RefinementEqs #

Semigroup RefinementEqs Source # 
Instance details

Defined in EVM.SMT

Methods

(<>) :: RefinementEqs -> RefinementEqs -> RefinementEqs #

sconcat :: NonEmpty RefinementEqs -> RefinementEqs #

stimes :: Integral b => b -> RefinementEqs -> RefinementEqs #

Show RefinementEqs Source # 
Instance details

Defined in EVM.SMT

Methods

showsPrec :: Int -> RefinementEqs -> ShowS #

show :: RefinementEqs -> String #

showList :: [RefinementEqs] -> ShowS #

Eq RefinementEqs Source # 
Instance details

Defined in EVM.SMT

Methods

(==) :: RefinementEqs -> RefinementEqs -> Bool #

(/=) :: RefinementEqs -> RefinementEqs -> Bool #

flattenBufs :: SMTCex -> Maybe SMTCex Source #

collapse :: BufModel -> Maybe BufModel Source #

Attempts to collapse a compressed buffer representation down to a flattened one

getVar :: SMTCex -> Text -> W256 Source #

data SMT2 Source #

Constructors

SMT2 [Builder] RefinementEqs CexVars [Prop] 

Instances

Instances details
Monoid SMT2 Source # 
Instance details

Defined in EVM.SMT

Methods

mempty :: SMT2 #

mappend :: SMT2 -> SMT2 -> SMT2 #

mconcat :: [SMT2] -> SMT2 #

Semigroup SMT2 Source # 
Instance details

Defined in EVM.SMT

Methods

(<>) :: SMT2 -> SMT2 -> SMT2 #

sconcat :: NonEmpty SMT2 -> SMT2 #

stimes :: Integral b => b -> SMT2 -> SMT2 #

Show SMT2 Source # 
Instance details

Defined in EVM.SMT

Methods

showsPrec :: Int -> SMT2 -> ShowS #

show :: SMT2 -> String #

showList :: [SMT2] -> ShowS #

Eq SMT2 Source # 
Instance details

Defined in EVM.SMT

Methods

(==) :: SMT2 -> SMT2 -> Bool #

(/=) :: SMT2 -> SMT2 -> Bool #

formatSMT2 :: SMT2 -> Text Source #

declareIntermediates :: BufEnv -> StoreEnv -> SMT2 Source #

Reads all intermediate variables from the builder state and produces SMT declaring them as constants

data AbstState Source #

Constructors

AbstState 

Fields

Instances

Instances details
Show AbstState Source # 
Instance details

Defined in EVM.SMT

Methods

showsPrec :: Int -> AbstState -> ShowS #

show :: AbstState -> String #

showList :: [AbstState] -> ShowS #

abstractAwayProps :: Config -> [Prop] -> ([Prop], AbstState) Source #

smt2Line :: Builder -> SMT2 Source #

assertProps :: Config -> [Prop] -> SMT2 Source #

assertPropsNoSimp :: Config -> [Prop] -> SMT2 Source #

referencedAbstractStores :: TraversableTerm a => a -> Set Builder Source #

referencedWAddrs :: TraversableTerm a => a -> Set Builder Source #

referencedBufs :: TraversableTerm a => a -> [Builder] Source #

referencedVars :: TraversableTerm a => a -> [Builder] Source #

referencedFrameContext :: TraversableTerm a => a -> [(Builder, [Prop])] Source #

referencedBlockContext :: TraversableTerm a => a -> [(Builder, [Prop])] Source #

findStorageReads :: Prop -> Map (Expr EAddr, Maybe W256) (Set (Expr EWord)) Source #

This function overapproximates the reads from the abstract storage. Potentially, it can return locations that do not read a slot directly from the abstract store but from subsequent writes on the store (e.g, SLoad addr idx (SStore addr idx val AbstractStore)). However, we expect that most of such reads will have been simplified away.

findBufferAccess :: TraversableTerm a => [a] -> [(Expr EWord, Expr EWord, Expr Buf)] Source #

assertReads :: [Prop] -> BufEnv -> StoreEnv -> [Prop] Source #

Asserts that buffer reads beyond the size of the buffer are equal to zero. Looks for buffer reads in the a list of given predicates and the buffer and storage environments.

discoverMaxReads :: [Prop] -> BufEnv -> StoreEnv -> Map Text (Expr EWord) Source #

Finds the maximum read index for each abstract buffer in the input props

declareBufs :: [Prop] -> BufEnv -> StoreEnv -> SMT2 Source #

Returns an SMT2 object with all buffers referenced from the input props declared, and with the appropriate cex extraction metadata attached

declareVars :: [Builder] -> SMT2 Source #

declareAddrs :: [Builder] -> SMT2 Source #

declareFrameContext :: [(Builder, [Prop])] -> SMT2 Source #

declareAbstractStores :: [Builder] -> SMT2 Source #

declareBlockContext :: [(Builder, [Prop])] -> SMT2 Source #

prelude :: SMT2 Source #

exprToSMT :: Expr a -> Builder Source #

sp :: Builder -> Builder -> Builder Source #

zero :: Builder Source #

one :: Builder Source #

propToSMT :: Prop -> Builder Source #

Helpers ** ---------------------------------------------------------------------------------

copySlice :: Expr EWord -> Expr EWord -> Expr EWord -> Builder -> Builder -> Builder Source #

Stores a region of src into dst

expandExp :: Expr EWord -> W256 -> Builder Source #

Unrolls an exponentiation into a series of multiplications

concatBytes :: [Expr Byte] -> Builder Source #

Concatenates a list of bytes into a larger bitvector

writeBytes :: ByteString -> Expr Buf -> Builder Source #

Concatenates a list of bytes into a larger bitvector

encodeConcreteStore :: Map W256 W256 -> Builder Source #

storeName :: Expr EAddr -> Maybe W256 -> Builder Source #

formatEAddr :: Expr EAddr -> Builder Source #

Cex parsing ** --------------------------------------------------------------------------------

parseAddr :: SpecConstant -> Addr Source #

parseW256 :: SpecConstant -> W256 Source #

parseInteger :: SpecConstant -> Integer Source #

parseW8 :: SpecConstant -> Word8 Source #

parseSC :: (Num a, Eq a) => SpecConstant -> a Source #

parseErr :: Show a => a -> b Source #

parseVar :: Text -> Expr EWord Source #

parseEAddr :: Text -> Expr EAddr Source #

parseBlockCtx :: Text -> Expr EWord Source #

parseTxCtx :: Text -> Expr EWord Source #

getAddrs :: (Text -> Expr EAddr) -> (Text -> IO Text) -> [Text] -> IO (Map (Expr EAddr) Addr) Source #

getVars :: (Text -> Expr EWord) -> (Text -> IO Text) -> [Text] -> IO (Map (Expr EWord) W256) Source #

getOne :: (SpecConstant -> a) -> (Text -> IO Text) -> Map Text a -> Text -> IO (Map Text a) Source #

queryMaxReads :: (Text -> IO Text) -> Map Text (Expr EWord) -> IO (Map Text W256) Source #

Queries the solver for models for each of the expressions representing the max read index for a given buffer

getBufs :: (Text -> IO Text) -> [Text] -> IO (Map (Expr Buf) BufModel) Source #

Gets the initial model for each buffer, these will often be much too large for our purposes

getStore :: (Text -> IO Text) -> Map (Expr EAddr, Maybe W256) (Set (Expr EWord)) -> IO (Map (Expr EAddr) (Map W256 W256)) Source #

Takes a Map containing all reads from a store with an abstract base, as well as the concrete part of the storage prestate and returns a fully concretized storage

queryValue :: (Text -> IO Text) -> Expr EWord -> IO W256 Source #

Ask the solver to give us the concrete value of an arbitrary abstract word

interpretNDArray :: (Map Symbol Term -> Term -> a) -> Map Symbol Term -> Term -> W256 -> a Source #

Interpret an N-dimensional array as a value of type a. Parameterized by an interpretation function for array values.

interpret1DArray :: Map Symbol Term -> Term -> W256 -> W256 Source #

Interpret an 1-dimensional array as a function