Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix a soundness issue that could be triggered by calling ensures fres… #5248

Merged
merged 5 commits into from
Mar 27, 2024
Merged

Fix a soundness issue that could be triggered by calling ensures fres… #5248

merged 5 commits into from
Mar 27, 2024

Conversation

keyboardDrummer
Copy link
Member

@keyboardDrummer keyboardDrummer commented Mar 25, 2024
edited
Loading

Fixes #4700

Description

Fix a soundness issue that could be triggered by calling ensures fresh in the post-condition of a constructor.

How has this been tested?

Added a littish test

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

@keyboardDrummer keyboardDrummer enabled auto-merge (squash) March 27, 2024 11:31
MikaelMayer
MikaelMayer approved these changes Mar 27, 2024
View reviewed changes
Copy link
Member

@MikaelMayer MikaelMayer left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wonderful! You totally crushed this soundness issue!

Source/DafnyCore/Verifier/BoogieGenerator.cs
}
// for class constructors, the receiver is encoded as an output parameter
Bpl.Formal thVar = new Bpl.Formal(tok, new Bpl.TypedIdent(tok, "this", TrType(receiverType), wh), !(m is Constructor && kind != MethodTranslationKind.SpecWellformedness));
Bpl.Formal thVar = new Bpl.Formal(tok, new Bpl.TypedIdent(tok, "this", TrType(receiverType), wh),
m is not Constructor);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh nice, I see now the soundness issue fix Rustan was talking about. Well done spotting it.

@keyboardDrummer keyboardDrummer merged commit fd15378 into dafny-lang:master Mar 27, 2024
20 checks passed
@keyboardDrummer keyboardDrummer deleted the fix4700 branch March 27, 2024 18:00
@RustanLeino
Copy link
Collaborator

This PR does not completely fix the problem identified by #4700. The PR moves the this parameter from being an in-parameter to being an out-parameter for any Boogie procedure generated from a Dafny constructor. However, it is also necessary to alter the where clause for that parameter.

My comment on #4700 said to remove the $IsAlloc conjunct from that where clause. (This is accomplished by changing the if condition on line 2925 of BoogieGenerator.cs to m is Constructor && kind is MethodTranslationKind.Implementation or MethodTranslationKind.SpecWellformedness.) But more needs to be done.

In my comments on #5136, I said that the entire where clause for this should be removed (for both the Impl$$ procedure and the CheckWellFormed$$ procedure). Instead, the contents of that where clause (which is generated by the GetWhereClause method in the Dafny implementation) should be assumed after the havoc this; that is part of both of these procedures.

So, the full fix of both #4700 and #5136 is to:

  • For the Impl$$ and CheckWellFormed$$ procedures generated for a Dafny constructor:
    • Make the this parameter an out-parameter
    • Do not give a where clause for this this parameter
    • In the assumptions that follow the havoc this; (which occurs in the body of both the procedures), add the assumption $Is(this, Tclass._module.Test()) (which can be obtained by calling GetWhereClause). It's okay if the assumed condition also includes the $IsAlloc condition, but that condition is in effect already assumed in the assumptions after the havoc this;.
  • No change to the Call$$ procedure is necessary. (It's fine and appropriate for it to use this as an out-parameter with a where clause that includes the $IsAlloc conjunct.)

@atomb atomb mentioned this pull request Mar 29, 2024
Open
@keyboardDrummer
Copy link
Member Author

@RustanLeino could you provide a failing test-case, that highlights the changes you describe are still necessary? I trust that your suggestions are correct, but without a test-case I can not validate that, and I'm not sure how to reverse engineer a test-case from what you're describing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MikaelMayer MikaelMayer MikaelMayer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

this is not fresh and fresh in well-formedness
3 participants
@keyboardDrummer @RustanLeino @MikaelMayer