@@ -6,7 +6,7 @@ This guide explains how to run formal verification for the p-token Solana progra
66
77## Architecture
88
9- After the merge of ` dc/test-hack ` branch, the codebase uses conditional compilation to separate production and verification code:
9+ The codebase uses conditional compilation to separate production and verification code:
1010
1111- ** Production code** : ` src/entrypoint.rs ` - Used for normal builds
1212- ** Verification code** : ` src/entrypoint-runtime-verification.rs ` - Used when ` runtime-verification ` feature is enabled
@@ -19,10 +19,32 @@ Cheatcode functions are markers used by the formal verification tools to inject
1919fn cheatcode_is_account (_ : & AccountInfo ) {}
2020fn cheatcode_is_mint (_ : & AccountInfo ) {}
2121fn cheatcode_is_rent (_ : & AccountInfo ) {}
22- fn cheatcode_is_multisig (_ : & AccountInfo ) {} // Currently unsupported and behind feature flag "multisig"
22+ fn cheatcode_is_multisig (_ : & AccountInfo ) {} // Currently unsupported
2323```
2424
25- These functions are no-ops at runtime but provide type hints to the verification tools.
25+ These functions are no-ops at runtime but set up data required for the verification.
26+
27+ ### Assumptions implemented in cheat codes
28+
29+ * Calling ` cheatcode_is_{account,mint,multisig,rent} ` asserts that the ` Account ` pointed-to by ` AccountInfo `
30+ is followed in memory by the respective data structure, ` state::account::Account ` , ` state::mint::Mint ` ,
31+ ` state::multisig::Multisig ` , or ` sysvars::rent::Rent ` .
32+ * The cheat codes will set the data length (` data_len ` ) of the ` AccountInfo ` to the correct value for the underlying object:
33+ | Object | ` data_len ` |
34+ | --------- | ---------- |
35+ | Account | 165 |
36+ | Mint | 82 |
37+ | Rent | 17 |
38+ | Multisig | 355 |
39+ * For the ` Rent ` sysvar, the proofs make additional assumptions to avoid overflows and imprecise ` Float ` computation:
40+ - The ` lamports_per_byteyear ` is assumed to be less than ` 2^32 ` (to avoid overflows during rent computation).
41+ - The ` exemption_threshold ` is fixed to value ` 2.0 ` (default). This means that computations will be performed in ` u64 ` .
42+ - The ` burn_percent ` value is assumed to be between 0 and 100 (to avoid underflows during rent computation).
43+ * Access to the data structure is provided by intercepting the following Rust functions:
44+ - ` AccountInfo::borrow_data_unchecked ` and ` AccountInfo::borrow_mut_data_unchecked `
45+ - ` Transmutable::load_unchecked ` and ` Transmutable::load_mut_unchecked ` for the instances ` Account ` , ` Mint ` , ` Multisig `
46+ - ` sysvars::rent::Rent::from_bytes_unchecked ` and ` sysvars::rent::Rent::get `
47+ and replacing their function body execution by an effect that provides the desired access (read-only or mutable).
2648
2749## Running Verification
2850
@@ -56,10 +78,7 @@ cd test-properties
5678./run-verification.sh -t 600 test_process_transfer
5779
5880# With custom prove-rs options
59- ./run-verification.sh -o " --max-iterations 50 --max-depth 300"
60-
61- # With multisig feature enabled
62- ./run-verification.sh --multisig test_process_transfer
81+ ./run-verification.sh -o " --max-iterations 50 --max-depth 200"
6382```
6483
6584## Test Functions
@@ -69,21 +88,12 @@ All test functions are located in `src/entrypoint-runtime-verification.rs` and f
6988- Each function has cheatcode calls at the beginning to mark account types
7089- Functions use fixed-size arrays for formal verification compatibility
7190
72- ## Feature Flags
73-
74- ### runtime-verification
91+ ## Feature Flag ` runtime-verification `
7592Required for all verification tests. Enables the verification-specific entrypoint (entrypoint-runtime-verification.rs) and test functions.
7693
77- ### multisig (optional)
78- Enables cheat codes for all Owner / Authority accounts to be ` Multisig ` (by default these are ` Account ` ). When enabled:
79- - Owner / Authority accounts are instantiated as ` Multisig ` with symbolic arguments via ` cheatcode_is_multisig ` (TODO: not implemented yet)
80- - ` Multisig ` -specific validation logic is included in proof harnesses
81-
82- Use ` --multisig ` flag with run-verification.sh to enable this feature.
83-
8494## Available Tests
8595
86- See ` tests .md` for the complete list of available test functions and their current status .
96+ See ` proofs .md` for the complete list of available test functions.
8797
8898## Troubleshooting
8999
@@ -96,14 +106,7 @@ If you get errors about the entrypoint module not being found, ensure you're bui
96106cargo build --features runtime-verification
97107```
98108
99- ### Multisig Support
100- To enable multisig account validation in verification tests, use both features:
101- ``` bash
102- cargo build --features " runtime-verification,multisig"
103- ```
104-
105109## Notes
106110
107- - The verification process can take significant time (20+ minutes per test)
108- - Default settings: max-depth 200, max-iterations 30, timeout 1200s
109- - Results are stored in ` artefacts/proof/ ` directory
111+ - Default settings: max-depth 2000, max-iterations 500, timeout 1h
112+ - Results are stored in ` artefacts/proof-SHA1-SHA2/ ` directory, where ` SHA1 ` and ` SHA2 ` indicate the version of ` solana-token ` and ` mir-semantics ` used.
0 commit comments