Understanding gaps between high and low level code
The Certora Prover is analyzing low-level code, such as the EVM bytecode. However, the CVL specification as well as the Rule Report and Call Trace are usually presenting information in terms of the high-level language (e.g., Solidity).
In this document we describe how some of the gaps between the high-level source and the low-level bytecode can affect our understanding of the Prover’s outputs, and recommended solutions.
Loops
Determining the number of needed iterations
The Prover deals with loops by unrolling them a constant number of times (see --loop_iter). Furthermore, it can add an assertion that the number of unrolled iterations was sufficient to fully capture all of the loop’s behavior, which is usually useful in loops that are known to have a constant number of iterations. Otherwise, the user can opt-in to assume the unroll bound was sufficient (see --optimistic_loop).
This approach works well for common simple loops such as:
uint x;
for (uint i = 0; i < 3 ; i++) {
x++;
}
Note
For trivial loops such as the above, the Prover
automatically infers the required number of iterations is 3,
even if a lower --loop_iter is provided.
The natural loop condition determining whether we enter the body of the loop or exit
is clearly i < 3, thus 3 iterations are sufficient to fully unroll the loop and render
the loop condition false.
If --loop_iter 3 is defined, the Prover unrolls the loop 3 times,
and evaluates the loop exit condition one more time (a total of 4 evaluations of the loop exit condition).
The resulting code would behave like the following Solidity snippet:
uint x;
uint i = 0;
if (i < 3) { // iteration #1
i++;
x++;
if (i < 3) { // iteration #2
i++;
x++;
if (i < 3) { // iteration #3
i++;
x++;
assert (i < 3) // exit condition evaluation
// require(i < 3) if `--optimistic_loop` is set
}
}
}
However, for less trivial cases, the definition is not so clear:
uint x; // global state variable
uint i = 0;
while (true) {
x++; // if x overflows, we exit the loop and revert. But is this the loop condition?
if (i >= 3) {
break;
}
i += 1;
}
Running the builtin sanity rule for the above code with --loop_iter of 2 or less
results in sanity violation (can find no paths reaching the end of the loop),
as is expected.
Sanity is passing with --loop_iter 3.
However, running with --loop_iter 3 actually shows 4 loop iterations
in the Call Trace output.
The reason for that is that in cases the Prover cannot detect an exit condition
in the loop’s head, it unrolls one extra time to evaluate a potential exit condition
in the loop’s body.
In our case, the bytecode representation shows that the loop’s head is ending with
a non-conditional jump.
The equivalent Solidity-like version of the unrolled code would look as follows,
(c-style goto and label commands were added for clarity):
uint x; // global state variable
uint i = 0;
// iteration #1
x++;
if (i >= 3) {
goto after_original_while_loop_end;
}
i += 1;
// iteration #2
x++;
if (i >= 3) {
goto after_original_while_loop_end;
}
i += 1;
// iteration #3
x++;
if (i >= 3) {
goto after_original_while_loop_end;
}
i += 1;
// iteration #4
x++;
if (i >= 3) {
goto after_original_while_loop_end;
}
i += 1;
assert(false); // require(false) if `--optimistic_loop` is set
after_original_while_loop_end: ...