SMTChecker: Fix analysis for selected contracts

Previously, when a contract was selected for analysis, the analysis was
incorrect.
There were two issues. First, the contracts in the same file were
considered as entry points even though they were not selected for
analysis.
Second, the contracts in a different file were mostly ignored, resulting
in unsoundness when an external call was made to such a contract in
trusted mode.

The solution to the above problems is to always create representation of all
contracts (in case they are called from the selected contract), but
create verification targets only for the selected contracts.

Author: blishko

Changelog.md

@@ -7,6 +7,7 @@ Compiler Features:
 
 
 Bugfixes:
+* SMTChecker: Fix incorrect analysis when only a subset of contracts is selected with `--model-checker-contracts`.
 
 
 ### 0.8.29 (2025-03-12)

libsolidity/formal/BMC.cpp

@@ -1068,7 +1068,7 @@ void BMC::addVerificationTarget(
 	Expression const* _expression
 )
 {
-	if (!m_settings.targets.has(_type) || (m_currentContract && !shouldAnalyze(*m_currentContract)))
+	if (!m_settings.targets.has(_type) || (m_currentContract && !shouldAnalyzeVerificationTargetsFor(*m_currentContract)))
 		return;
 
 	BMCVerificationTarget target{

libsolidity/formal/CHC.cpp

@@ -89,7 +89,7 @@ void CHC::analyze(SourceUnit const& _source)
 			" If you wish to use Eldarica, please enable Eldarica only."
 		);
 
-	if (!shouldAnalyze(_source))
+	if (!shouldAnalyzeVerificationTargetsFor(_source))
 		return;
 
 	resetSourceAnalysis();
@@ -131,7 +131,7 @@ std::vector<std::string> CHC::unhandledQueries() const
 
 bool CHC::visit(ContractDefinition const& _contract)
 {
-	if (!shouldAnalyze(_contract))
+	if (!shouldEncode(_contract))
 		return false;
 
 	// Raises UnimplementedFeatureError in the presence of transient storage variables
@@ -152,7 +152,7 @@ bool CHC::visit(ContractDefinition const& _contract)
 
 void CHC::endVisit(ContractDefinition const& _contract)
 {
-	if (!shouldAnalyze(_contract))
+	if (!shouldEncode(_contract))
 		return;
 
 	for (auto base: _contract.annotation().linearizedBaseContracts)
@@ -239,15 +239,14 @@ void CHC::endVisit(ContractDefinition const& _contract)
 	setCurrentBlock(*m_constructorSummaries.at(&_contract));
 
 	solAssert(&_contract == m_currentContract, "");
-	if (shouldAnalyze(_contract))
-	{
-		auto constructor = _contract.constructor();
-		auto txConstraints = state().txTypeConstraints();
-		if (!constructor || !constructor->isPayable())
-			txConstraints = txConstraints && state().txNonPayableConstraint();
+	smtAssert(shouldEncode(_contract));
+	auto constructor = _contract.constructor();
+	auto txConstraints = state().txTypeConstraints();
+	if (!constructor || !constructor->isPayable())
+		txConstraints = txConstraints && state().txNonPayableConstraint();
+	connectBlocks(m_currentBlock, interface(), txConstraints && errorFlag().currentValue() == 0);
+	if (shouldAnalyzeVerificationTargetsFor(_contract))
 		m_queryPlaceholders[&_contract].push_back({txConstraints, errorFlag().currentValue(), m_currentBlock});
-		connectBlocks(m_currentBlock, interface(), txConstraints && errorFlag().currentValue() == 0);
-	}
 
 	solAssert(m_scopes.back() == &_contract, "");
 	m_scopes.pop_back();
@@ -338,7 +337,7 @@ void CHC::endVisit(FunctionDefinition const& _function)
 		!_function.isConstructor() &&
 		_function.isPublic() &&
 		contractFunctions(*m_currentContract).count(&_function) &&
-		shouldAnalyze(*m_currentContract)
+		shouldEncode(*m_currentContract)
 	)
 	{
 		defineExternalFunctionInterface(_function, *m_currentContract);
@@ -349,8 +348,9 @@ void CHC::endVisit(FunctionDefinition const& _function)
 		auto ifacePre = smt::interfacePre(*m_interfaces.at(m_currentContract), *m_currentContract, m_context);
 		auto sum = externalSummary(_function);
 
-		m_queryPlaceholders[&_function].push_back({sum, errorFlag().currentValue(), ifacePre});
 		connectBlocks(ifacePre, interface(), sum && errorFlag().currentValue() == 0);
+		if (shouldAnalyzeVerificationTargetsFor(*m_currentContract))
+			m_queryPlaceholders[&_function].push_back({sum, errorFlag().currentValue(), ifacePre});
 	}
 
 	m_currentFunction = nullptr;

libsolidity/formal/ModelCheckerSettings.cpp

@@ -123,7 +123,7 @@ std::optional<ModelCheckerContracts> ModelCheckerContracts::fromString(std::stri
 	{
 		auto&& names = sourceContract | ranges::views::split(':') | ranges::to<std::vector<std::string>>();
 		if (names.size() != 2 || names.at(0).empty() || names.at(1).empty())
-			return {};
+			return std::nullopt;
 		chosen[names.at(0)].insert(names.at(1));
 	}
 

libsolidity/formal/SMTEncoder.cpp

@@ -1092,19 +1092,24 @@ void SMTEncoder::visitPublicGetter(FunctionCall const& _funCall)
 	}
 }
 
-bool SMTEncoder::shouldAnalyze(SourceUnit const& _source) const
+bool SMTEncoder::shouldEncode(ContractDefinition const& _contract) const
+{
+	return _contract.canBeDeployed();
+}
+
+bool SMTEncoder::shouldAnalyzeVerificationTargetsFor(SourceUnit const& _source) const
 {
 	return m_settings.contracts.isDefault() ||
 		m_settings.contracts.has(*_source.annotation().path);
 }
 
-bool SMTEncoder::shouldAnalyze(ContractDefinition const& _contract) const
+bool SMTEncoder::shouldAnalyzeVerificationTargetsFor(ContractDefinition const& _contract) const
 {
-	if (!_contract.canBeDeployed())
+	if (!shouldEncode(_contract))
 		return false;
 
 	return m_settings.contracts.isDefault() ||
-		m_settings.contracts.has(_contract.sourceUnitName());
+		m_settings.contracts.has(_contract.sourceUnitName(), _contract.name());
 }
 
 void SMTEncoder::visitTypeConversion(FunctionCall const& _funCall)

libsolidity/formal/SMTEncoder.h

@@ -238,11 +238,12 @@ class SMTEncoder: public ASTConstVisitor
 	void visitFunctionIdentifier(Identifier const& _identifier);
 	virtual void visitPublicGetter(FunctionCall const& _funCall);
 
-	/// @returns true if @param _contract is set for analysis in the settings
-	/// and it is not abstract.
-	bool shouldAnalyze(ContractDefinition const& _contract) const;
-	/// @returns true if @param _source is set for analysis in the settings.
-	bool shouldAnalyze(SourceUnit const& _source) const;
+	/// @returns true if symbolic representation of @param _contract is required for verification
+	bool shouldEncode(ContractDefinition const& _contract) const;
+	/// @returns true if the verification targets of @param _contract are actually selected for verification
+	bool shouldAnalyzeVerificationTargetsFor(ContractDefinition const& _contract) const;
+	/// @returns true if we should descend into @param _source to look for contracts that should be verified
+	bool shouldAnalyzeVerificationTargetsFor(SourceUnit const& _source) const;
 
 	/// @returns the state variable returned by a public getter if
 	/// @a _expr is a call to a public getter,

test/cmdlineTests/model_checker_contracts_inexistent_contract/err

@@ -1,27 +1 @@
 Warning: Requested contract "C" does not exist in source "model_checker_contracts_inexistent_contract/input.sol".
-
-Warning: CHC: Assertion violation happens here.
-Counterexample:
-
-x = 0
-
-Transaction trace:
-B.constructor()
-B.f(0)
- --> model_checker_contracts_inexistent_contract/input.sol:5:3:
-  |
-5 | 		assert(x > 0);
-  | 		^^^^^^^^^^^^^
-
-Warning: CHC: Assertion violation happens here.
-Counterexample:
-
-y = 0
-
-Transaction trace:
-A.constructor()
-A.g(0)
-  --> model_checker_contracts_inexistent_contract/input.sol:10:3:
-   |
-10 | 		assert(y > 0);
-   | 		^^^^^^^^^^^^^

test/cmdlineTests/model_checker_contracts_only_one/err

@@ -4,7 +4,7 @@ Counterexample:
 x = 0
 
 Transaction trace:
-B.constructor()
+A.constructor()
 B.f(0)
  --> model_checker_contracts_only_one/input.sol:5:3:
   |

test/cmdlineTests/standard_model_checker_contracts_inexistent_contract/output.json

@@ -9,72 +9,6 @@
             "message": "Requested contract \"C\" does not exist in source \"Source\".",
             "severity": "warning",
             "type": "Warning"
-        },
-        {
-            "component": "general",
-            "errorCode": "6328",
-            "formattedMessage": "Warning: CHC: Assertion violation happens here.
-Counterexample:
-
-y = 0
-
-Transaction trace:
-B.constructor()
-B.g(0)
- --> Source:5:7:
-  |
-5 | \t\t\t\t\t\tassert(y > 0);
-  | \t\t\t\t\t\t^^^^^^^^^^^^^
-
-",
-            "message": "CHC: Assertion violation happens here.
-Counterexample:
-
-y = 0
-
-Transaction trace:
-B.constructor()
-B.g(0)",
-            "severity": "warning",
-            "sourceLocation": {
-                "end": 137,
-                "file": "Source",
-                "start": 124
-            },
-            "type": "Warning"
-        },
-        {
-            "component": "general",
-            "errorCode": "6328",
-            "formattedMessage": "Warning: CHC: Assertion violation happens here.
-Counterexample:
-
-x = 0
-
-Transaction trace:
-A.constructor()
-A.f(0)
-  --> Source:10:7:
-   |
-10 | \t\t\t\t\t\tassert(x > 0);
-   | \t\t\t\t\t\t^^^^^^^^^^^^^
-
-",
-            "message": "CHC: Assertion violation happens here.
-Counterexample:
-
-x = 0
-
-Transaction trace:
-A.constructor()
-A.f(0)",
-            "severity": "warning",
-            "sourceLocation": {
-                "end": 231,
-                "file": "Source",
-                "start": 218
-            },
-            "type": "Warning"
         }
     ],
     "sources": {

test/cmdlineTests/standard_model_checker_contracts_multi_source/output.json

@@ -9,7 +9,7 @@ Counterexample:
 y = 0
 
 Transaction trace:
-B.constructor()
+A.constructor()
 B.g(0)
  --> Source:5:7:
   |
@@ -23,7 +23,7 @@ Counterexample:
 y = 0
 
 Transaction trace:
-B.constructor()
+A.constructor()
 B.g(0)",
             "severity": "warning",
             "sourceLocation": {