Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Base type throws off witness checking #5520

Open
RustanLeino opened this issue Jun 3, 2024 · 0 comments · May be fixed by #5495
Open

Base type throws off witness checking #5520

RustanLeino opened this issue Jun 3, 2024 · 0 comments · May be fixed by #5495
Assignees
@RustanLeino
Labels
during 3: execution of incorrect program An bug in the verifier that allows Dafny to run a program that does not correctly implement its spec kind: bug Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label part: verifier Translation from Dafny to Boogie (translator)

Comments

@RustanLeino
Copy link
Collaborator

Dafny version

4.6.0

Code to produce this issue

type Empty = x: int | false witness *

method OperateOnEmpty(x: Empty)
  ensures false
{
}

type PurportsToBeNonempty = x: Empty | true
  witness 506 // BOGUS: this is not a witness, and yet no error is reported

method Main() {
  var x: PurportsToBeNonempty := *;
  OperateOnEmpty(x);
  print 10 / 0; // boom!
}

Command to run and resulting output

% dafny run test.dfy

Dafny program verifier finished with 3 verified, 0 errors
Unhandled exception. System.DivideByZeroException: Attempted to divide by zero.
   at System.Numerics.BigInteger.op_Division(BigInteger dividend, BigInteger divisor)
   at System.Numerics.BigInteger.Divide(BigInteger dividend, BigInteger divisor)
   at Dafny.Helpers.EuclideanDivision(BigInteger a, BigInteger b)
   at _module.__default._Main(ISequence`1 __noArgsParameter)
   at __CallToMain.<>c__DisplayClass0_0.<Main>b__0()
   at Dafny.Helpers.WithHaltHandling(Action action)
   at __CallToMain.Main(String[] args)

What happened?

The verifier sets up the witness check for PurportsToBeNonempty incorrectly. In particular, it performs the check under the assumption that there is an x: Empty, whereas it should be checking that such an x exists. In more detail, the bug stems from the Boogie where clause given to x. The fix is to remove the where clause and to instead assume x: Empty not for the witness check, but only for the well-formedness check of the constraint.

What type of operating system are you experiencing the problem on?

Mac
@RustanLeino RustanLeino added kind: bug Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label part: verifier Translation from Dafny to Boogie (translator) during 3: execution of incorrect program An bug in the verifier that allows Dafny to run a program that does not correctly implement its spec labels Jun 3, 2024
@RustanLeino RustanLeino self-assigned this Jun 3, 2024
RustanLeino added a commit to RustanLeino/dafny that referenced this issue Jun 3, 2024
@RustanLeino
Add test cases for Issue 5520
ddb1029 
Fixes dafny-lang#5520
@RustanLeino RustanLeino linked a pull request Jun 3, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RustanLeino RustanLeino

Labels
during 3: execution of incorrect program An bug in the verifier that allows Dafny to run a program that does not correctly implement its spec kind: bug Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label part: verifier Translation from Dafny to Boogie (translator)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Allow type parameters on newtypes RustanLeino/dafny
1 participant
@RustanLeino