Fix two infinite loops in codegen (#1779)

smoelius · web-flow · commit c6db2acc8a39 · 2025-05-11T20:13:33.000+01:00
This PR fixes infinite lops in the reaching definitions and dead storage code. The two added test files are based on ones from Solidity: - https://github.com/ethereum/solidity/blob/develop/test/libsolidity/smtCheckerTests/loops/do_while_break_2.sol - https://github.com/ethereum/solidity/blob/develop/test/libsolidity/smtCheckerTests/loops/do_while_break_2_fail.sol If you add `dbg!(block_no)` between the next two lines and run Solang on either of the test files, you will find that a block is visited repeatedly: https://github.com/hyperledger-solang/solang/blob/279ee911260d74c78acace41d753c5376a7e942e/src/codegen/reaching_definitions.rs#L56-L57 If you fix that infinite loop and add `dbg!(block_no)` between the next two lines, you will again find that a block is visited repeatedly: https://github.com/hyperledger-solang/solang/blob/279ee911260d74c78acace41d753c5376a7e942e/src/codegen/dead_storage.rs#L109-L110 In both cases, the problem appears to be that edges are added to the `blocks_todo` queue unconditionally. My understanding of these algorithms is that they try to iterate to a fixpoint. Hence, I changed each loop so that: - a flag records whether a _state change_ has occurred - at the end of each loop iteration, the edge is added to the queue only if the flag is set Furthermore, I analyzed each loop to try to determine what constitutes a state change. On this point, I invite scrutiny. Nits are welcome on anything, though. Signed-off-by: Samuel Moelius <sam@moeli.us>
diff --git a/src/codegen/dead_storage.rs b/src/codegen/dead_storage.rs
@@ -141,11 +141,11 @@ fn reaching_definitions(cfg: &mut ControlFlowGraph) -> (Vec<Vec<Vec<Transfer>>>,
         );
 
         for edge in cfg.blocks[block_no].successors() {
+            let mut changed = false;
+
             if !block_vars.contains_key(&edge) {
-                blocks_todo.insert(edge);
-                block_vars.insert(edge, vec![vars.clone()]);
+                changed |= block_vars.insert(edge, vec![vars.clone()]).is_none();
             } else if block_vars[&edge][0] != vars {
-                blocks_todo.insert(edge);
                 let block_vars = block_vars
                     .get_mut(&edge)
                     .expect("block vars must contain edge");
@@ -155,20 +155,26 @@ fn reaching_definitions(cfg: &mut ControlFlowGraph) -> (Vec<Vec<Vec<Transfer>>>,
                         for (incoming_def, storage) in defs {
                             if !entry.contains_key(incoming_def) {
                                 entry.insert(*incoming_def, storage.clone());
+                                changed = true;
                             }
                         }
                     } else {
-                        block_vars[0].vars.insert(*var_no, defs.clone());
+                        changed |= block_vars[0].vars.insert(*var_no, defs.clone()).is_none();
                     }
                 }
 
                 // merge storage stores
                 for store in &vars.stores {
                     if !block_vars[0].stores.iter().any(|(def, _)| *def == store.0) {
                         block_vars[0].stores.push(store.clone());
+                        changed = true;
                     }
                 }
             }
+
+            if changed {
+                blocks_todo.insert(edge);
+            }
         }
     }
 
diff --git a/src/codegen/reaching_definitions.rs b/src/codegen/reaching_definitions.rs
@@ -65,30 +65,42 @@ pub fn find(cfg: &mut ControlFlowGraph) {
 
         for edge in cfg.blocks[block_no].successors() {
             if cfg.blocks[edge].defs != vars {
-                blocks_todo.insert(edge);
+                let mut changed = false;
+
                 // merge incoming set
                 for (var_no, defs) in &vars {
                     if let Some(entry) = cfg.blocks[edge].defs.get_mut(var_no) {
                         for (incoming_def, incoming_modified) in defs {
                             if let Some(e) = entry.get_mut(incoming_def) {
-                                *e |= *incoming_modified;
+                                if !*e && *incoming_modified {
+                                    *e = true;
+                                    changed = true;
+                                }
                             } else {
-                                entry.insert(*incoming_def, *incoming_modified);
+                                changed |=
+                                    entry.insert(*incoming_def, *incoming_modified).is_none();
                             }
                         }
                     } else {
-                        cfg.blocks[edge].defs.insert(*var_no, defs.clone());
+                        changed |= cfg.blocks[edge]
+                            .defs
+                            .insert(*var_no, defs.clone())
+                            .is_none();
                     }
 
                     // If a definition from a block executed later reaches this block,
                     // this is a loop. This is an analysis we use later at the
                     // common subexpression elimination.
                     for (incoming_def, _) in defs {
                         if incoming_def.block_no >= edge {
-                            cfg.blocks[edge].loop_reaching_variables.insert(*var_no);
+                            changed |= cfg.blocks[edge].loop_reaching_variables.insert(*var_no);
                         }
                     }
                 }
+
+                if changed {
+                    blocks_todo.insert(edge);
+                }
             }
         }
     }
diff --git a/tests/codegen_testcases/solidity/do_while_break_2.sol b/tests/codegen_testcases/solidity/do_while_break_2.sol
@@ -0,0 +1,24 @@
+// RUN: --target polkadot --emit cfg
+
+contract C {
+	// CHECK: C::function::f
+	function f() public pure {
+		uint a = 0;
+		while (true) {
+			do {
+				break;
+				a = 2;
+			} while (true);
+			a = 1;
+			break;
+		}
+		assert(a == 1);
+	}
+}
+// ====
+// SMTEngine: all
+// SMTSolvers: z3
+// ----
+// Warning 5740: (95-100): Unreachable code.
+// Warning 5740: (114-118): Unreachable code.
+// Info 1391: CHC: 1 verification condition(s) proved safe! Enable the model checker option "show proved safe" to see all of them.
diff --git a/tests/codegen_testcases/solidity/do_while_break_2_fail.sol b/tests/codegen_testcases/solidity/do_while_break_2_fail.sol
@@ -0,0 +1,24 @@
+// RUN: --target polkadot --emit cfg
+
+contract C {
+	// CHECK: C::function::f
+	function f() public pure {
+		uint a = 0;
+		while (true) {
+			do {
+				break;
+				a = 2;
+			} while (true);
+			a = 1;
+			break;
+		}
+		assert(a == 2);
+	}
+}
+// ====
+// SMTEngine: all
+// SMTSolvers: z3
+// ----
+// Warning 5740: (95-100): Unreachable code.
+// Warning 5740: (114-118): Unreachable code.
+// Warning 6328: (147-161): CHC: Assertion violation happens here.\nCounterexample:\n\na = 1\n\nTransaction trace:\nC.constructor()\nC.f()

Original file line number	Diff line number	Diff line change
`@@ -141,11 +141,11 @@ fn reaching_definitions(cfg: &mut ControlFlowGraph) -> (Vec<Vec<Vec<Transfer>>>,`
`141`	`141`	`);`
`142`	`142`
`143`	`143`	`for edge in cfg.blocks[block_no].successors() {`
	`144`	`+ let mut changed = false;`
	`145`	`+`
`144`	`146`	`if !block_vars.contains_key(&edge) {`
`145`		`- blocks_todo.insert(edge);`
`146`		`- block_vars.insert(edge, vec![vars.clone()]);`
	`147`	`+ changed \|= block_vars.insert(edge, vec![vars.clone()]).is_none();`
`147`	`148`	`} else if block_vars[&edge][0] != vars {`
`148`		`- blocks_todo.insert(edge);`
`149`	`149`	`let block_vars = block_vars`
`150`	`150`	`.get_mut(&edge)`
`151`	`151`	`.expect("block vars must contain edge");`
`@@ -155,20 +155,26 @@ fn reaching_definitions(cfg: &mut ControlFlowGraph) -> (Vec<Vec<Vec<Transfer>>>,`
`155`	`155`	`for (incoming_def, storage) in defs {`
`156`	`156`	`if !entry.contains_key(incoming_def) {`
`157`	`157`	`entry.insert(*incoming_def, storage.clone());`
	`158`	`+ changed = true;`
`158`	`159`	`}`
`159`	`160`	`}`
`160`	`161`	`} else {`
`161`		`- block_vars[0].vars.insert(*var_no, defs.clone());`
	`162`	`+ changed \|= block_vars[0].vars.insert(*var_no, defs.clone()).is_none();`
`162`	`163`	`}`
`163`	`164`	`}`
`164`	`165`
`165`	`166`	`// merge storage stores`
`166`	`167`	`for store in &vars.stores {`
`167`	`168`	`if !block_vars[0].stores.iter().any(\|(def, _)\| *def == store.0) {`
`168`	`169`	`block_vars[0].stores.push(store.clone());`
	`170`	`+ changed = true;`
`169`	`171`	`}`
`170`	`172`	`}`
`171`	`173`	`}`
	`174`	`+`
	`175`	`+ if changed {`
	`176`	`+ blocks_todo.insert(edge);`
	`177`	`+ }`
`172`	`178`	`}`
`173`	`179`	`}`
`174`	`180`
Original file line number	Diff line number	Diff line change
`@@ -65,30 +65,42 @@ pub fn find(cfg: &mut ControlFlowGraph) {`
`65`	`65`
`66`	`66`	`for edge in cfg.blocks[block_no].successors() {`
`67`	`67`	`if cfg.blocks[edge].defs != vars {`
`68`		`- blocks_todo.insert(edge);`
	`68`	`+ let mut changed = false;`
	`69`	`+`
`69`	`70`	`// merge incoming set`
`70`	`71`	`for (var_no, defs) in &vars {`
`71`	`72`	`if let Some(entry) = cfg.blocks[edge].defs.get_mut(var_no) {`
`72`	`73`	`for (incoming_def, incoming_modified) in defs {`
`73`	`74`	`if let Some(e) = entry.get_mut(incoming_def) {`
`74`		`- e \|= incoming_modified;`
	`75`	`+ if !e && incoming_modified {`
	`76`	`+ *e = true;`
	`77`	`+ changed = true;`
	`78`	`+ }`
`75`	`79`	`} else {`
`76`		`- entry.insert(incoming_def, incoming_modified);`
	`80`	`+ changed \|=`
	`81`	`+ entry.insert(incoming_def, incoming_modified).is_none();`
`77`	`82`	`}`
`78`	`83`	`}`
`79`	`84`	`} else {`
`80`		`- cfg.blocks[edge].defs.insert(*var_no, defs.clone());`
	`85`	`+ changed \|= cfg.blocks[edge]`
	`86`	`+ .defs`
	`87`	`+ .insert(*var_no, defs.clone())`
	`88`	`+ .is_none();`
`81`	`89`	`}`
`82`	`90`
`83`	`91`	`// If a definition from a block executed later reaches this block,`
`84`	`92`	`// this is a loop. This is an analysis we use later at the`
`85`	`93`	`// common subexpression elimination.`
`86`	`94`	`for (incoming_def, _) in defs {`
`87`	`95`	`if incoming_def.block_no >= edge {`
`88`		`- cfg.blocks[edge].loop_reaching_variables.insert(*var_no);`
	`96`	`+ changed \|= cfg.blocks[edge].loop_reaching_variables.insert(*var_no);`
`89`	`97`	`}`
`90`	`98`	`}`
`91`	`99`	`}`
	`100`	`+`
	`101`	`+ if changed {`
	`102`	`+ blocks_todo.insert(edge);`
	`103`	`+ }`
`92`	`104`	`}`
`93`	`105`	`}`
`94`	`106`	`}`