hevm symbolic does not correctly identify a failing assert, assert(debt == Art * rate), in the counterexample() function of the following MiniVat contract (the runtime bytecode is available here).
counterexample() encodes the sequence of function calls with concrete parameters that lead to the assert violation, so hevm should be able to report it even without using symbolic storage (--storage-model InitialS); however, it doesn't find a violation:
hevm symbolic --code $(<MiniVat/minivat.bin-runtime) --storage-model InitialS
Exploring contract
Simplifying expression
Explored contract (164 branches)
Checking for reachability of 8 potential property violation(s)
QED: No reachable property violations discovered
The violation can only be identified if symbolic storage is enabled (the analysis takes ~8 minutes), even though it shouldn't be necessary. In addition, the generated concrete storage values also seem a bit off (at the end of the function execution, debt == 0, Art == 10 ** 18, and rate == 10 ** 27; at the beginning of the execution, all these values are supposed to be zero):
hevm symbolic --code $(<MiniVat/minivat.bin-runtime)
Exploring contract
Simplifying expression
Explored contract (174 branches)
Checking for reachability of 8 potential property violation(s)
Discovered the following counterexamples:
Calldata:
0xf473c3a6
Storage:
Addr 0xacab: [(0x0,0xffffffffffffffffffffffffffdb00dc7387bbc139a0571a5c25744927240000),
(0x3,0x187396c075c59861067a10040007100004cc0d2498),(0x4,0x0),
(0x20000000000000000000000000000000004,0x47004c8ba6762e2f2feb74f1f96be8874c0968ce9e011718e593610201000000),
(0x800000000000000000000000000000000000000000000000000000000000003,0x18003190008400000022404020a400802440000000180584c599c0000)]
Transaction Context:
CallValue: 0x0
Caller: 0x0
Steps to reproduce:
hevm symbolic --code $(<MiniVat/minivat.bin-runtime) --storage-model InitialS
hevm symbolic --code $(<MiniVat/minivat.bin-runtime)