Summary
In 🐍 snekmate, I run symbolic execution nightly tests in the CI based on halmos (latest master version) using the Yices SMT solver version 2.6.4:
3 days ago the nightly tests started failing since they were running out of time (i.e. beyond the standard 3hrs GitHub threshold):
After careful (and time-consuming lol) investigation, I was able to find the issue. I updated 4 days ago to the latest forge-std master commit c7be2a3. After running and testing the CI for hours, the following commit introduces the "regression": 276ccaa.
So what's the underlying problem? Specifically, my ERC1155TestHalmos test contract and its test testHalmosAssertNoBackdoor is running out of time. You can see the usage of assertLe and assertGe here:
for (uint256 i = 0; i < tokenIds.length; i++) {
assertLe(erc1155.balanceOf(caller, tokenIds[i]), oldBalanceCaller[i]);
assertGe(erc1155.balanceOf(other, tokenIds[i]), oldBalanceOther[i]);
}But also the test testHalmosSafeTransferFrom struggles since I use assertEq here:
if (from != to) {
assertEq(newBalanceFrom, oldBalanceFrom - amounts[0]);
assertEq(newBalanceTo, oldBalanceTo + amounts[0]);
} else {
assertEq(newBalanceFrom, oldBalanceFrom);
assertEq(newBalanceTo, oldBalanceTo);
}
assertEq(newBalanceOther, oldBalanceOther);The commit 276ccaa (and the refactor later 349b909) introduce additional branching conditions which produce a path explosion. I'm not a formal verification expert, so I can't explain exactly why, but you can see the tests here:
There are 2 ways forward for me in the current status quo:
- Pin an older
forge-std version -> not sustainable
- Directly use
vm.assertGe and vm.assertLe -> ugly solution
I'm not sure if you are open to reconsider this change, but it's important to understand that such small optimisation changes can have breaking impacts downstream.
Summary
In 🐍 snekmate, I run symbolic execution nightly tests in the CI based on
halmos(latest master version) using the Yices SMT solver version2.6.4:3 days ago the nightly tests started failing since they were running out of time (i.e. beyond the standard 3hrs GitHub threshold):
After careful (and time-consuming lol) investigation, I was able to find the issue. I updated 4 days ago to the latest
forge-stdmaster commit c7be2a3. After running and testing the CI for hours, the following commit introduces the "regression": 276ccaa.So what's the underlying problem? Specifically, my
ERC1155TestHalmostest contract and its testtestHalmosAssertNoBackdooris running out of time. You can see the usage ofassertLeandassertGehere:But also the test
testHalmosSafeTransferFromstruggles since I useassertEqhere:The commit 276ccaa (and the refactor later 349b909) introduce additional branching conditions which produce a path explosion. I'm not a formal verification expert, so I can't explain exactly why, but you can see the tests here:
There are 2 ways forward for me in the current status quo:
forge-stdversion -> not sustainablevm.assertGeandvm.assertLe-> ugly solutionI'm not sure if you are open to reconsider this change, but it's important to understand that such small optimisation changes can have breaking impacts downstream.