GitBross Home Explore Help
Register Sign In
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 2c5194f3f1
Branches Tags
openzeppelin-co...
/
certora
/
specs
/
Initializable.spec

Initializable.spec 8.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215 
  1. //// ## Verification of `Initializable`
    2. 

  2. //// 
    3. 

  3. //// `Initializable` is a contract used to make constructors for upgradable
    4. 

  4. //// contracts. This is accomplished by applying the `initializer` modifier to any
    5. 

  5. //// function that serves as a constructor, which makes this function only
    6. 

  6. //// callable once. The secondary modifier `reinitializer` allows for upgrades
    7. 

  7. //// that should run at most once after the contract is upgraded.
    8. 

  8. ////     
    9. 

  9. //// 
    10. 

  10. //// ### Assumptions and Simplifications
    11. 

  11. //// We assume `initializer()` and `reinitializer(1)` are equivalent if they
    12. 

  12. //// both guarantee `_initialized` to be set to 1 after a successful call. This
    13. 

  13. //// allows us to use `reinitializer(n)` as a general version that also handles
    14. 

  14. //// the regular `initialzer` case.
    15. 

  15. ////     
    16. 

  16. //// #### Harnessing
    17. 

  17. //// Two harness versions were implemented, a simple flat contract, and a
    18. 

  18. //// Multi-inheriting contract. The two versions together help us ensure there are
    19. 

  19. //// No unexpected results because of different implementations. `Initializable` can
    20. 

  20. //// Be used in many different ways but we believe these 2 cases provide good
    21. 

  21. //// Coverage for all cases. In both harnesses we use getter functions for
    22. 

  22. //// `_initialized` and `_initializing` and implement  `initializer` and
    23. 

  23. //// `reinitializer` functions that use their respective modifiers. We also
    24. 

  24. //// Implement some versioned functions that are only callable in specific
    25. 

  25. //// Versions of the contract to mimic upgrading contracts.
    26. 

  26. ////     
    27. 

  27. //// #### Munging
    28. 

  28. //// Variables `_initialized` and `_initializing` were changed to have internal
    29. 

  29. //// visibility to be harnessable.
    30. 

  30.     
    31. 

  31. methods {
    32. 

  32.     initialize(uint256, uint256, uint256) envfree
    33. 

  33.     reinitialize(uint256, uint256, uint256, uint8) envfree
    34. 

  34.     initialized() returns uint8 envfree
    35. 

  35.     initializing() returns bool envfree
    36. 

  36.     thisIsContract() returns bool envfree
    37. 

  37. 

  38.     returnsV1() returns uint256 envfree
    39. 

  39.     returnsVN(uint8) returns uint256 envfree
    40. 

  40.     returnsAV1() returns uint256 envfree
    41. 

  41.     returnsAVN(uint8) returns uint256 envfree
    42. 

  42.     returnsBV1() returns uint256 envfree
    43. 

  43.     returnsBVN(uint8) returns uint256 envfree
    44. 

  44.     a() returns uint256 envfree
    45. 

  45.     b() returns uint256 envfree
    46. 

  46.     val() returns uint256 envfree
    47. 

  47. }
    48. 

  48. 

  49. 

  50. ////////////////////////////////////////////////////////////////////////////////
    51. 

  51. //// #### Definitions                                                       ////
    52. 

  52. ////////////////////////////////////////////////////////////////////////////////
    53. 

  53. 

  54. //// ***`isUninitialized:`*** A contract's `_initialized` variable is equal to 0.
    55. 

  55. definition isUninitialized() returns bool = initialized() == 0;
    56. 

  56. 

  57. //// ***`isInitialized:`*** A contract's `_initialized` variable is greater than 0.
    58. 

  58. definition isInitialized() returns bool = initialized() > 0;
    59. 

  59. 

  60. //// ***`isInitializedOnce:`*** A contract's `_initialized` variable is equal to 1.
    61. 

  61. definition isInitializedOnce() returns bool = initialized() == 1;
    62. 

  62. 

  63. //// ***`isReinitialized:`*** A contract's `_initialized` variable is greater than 1.    
    64. 

  64. definition isReinitialized() returns bool = initialized() > 1;
    65. 

  65. 

  66. //// ***`isDisabled:`*** A contract's `_initialized` variable is equal to 255.
    67. 

  67. definition isDisabled() returns bool = initialized() == 255;
    68. 

  68. 

  69. 

  70. //////////////////////////////////////////////////////////////////////////////
    71. 

  71. //// ### Properties                                ///////////////////////////
    72. 

  72. //////////////////////////////////////////////////////////////////////////////
    73. 

  73. 

  74. //////////////////////////////////////////////////////////////////////////////
    75. 

  75. // Invariants                            /////////////////////////////////////
    76. 

  76. //////////////////////////////////////////////////////////////////////////////
    77. 

  77. 

  78. /// A contract must only ever be in an initializing state while in the middle
    79. 

  79. /// of a transaction execution.
    80. 

  80. invariant notInitializing()
    81. 

  81.     !initializing()
    82. 

  82. 

  83. 

  84. //////////////////////////////////////////////////////////////////////////////
    85. 

  85. // Rules                                 /////////////////////////////////////
    86. 

  86. //////////////////////////////////////////////////////////////////////////////
    87. 

  87. 

  88. /// @title Only initialized once
    89. 

  89. /// @notice An initializable contract with a function that inherits the
    90. 

  90. ///         initializer modifier must be initializable only once
    91. 

  91. rule initOnce() {
    92. 

  92.     uint256 val; uint256 a; uint256 b;
    93. 

  93. 

  94.     require isInitialized();
    95. 

  95.     initialize@withrevert(val, a, b);
    96. 

  96.     assert lastReverted, "contract must only be initialized once";
    97. 

  97. }
    98. 

  98. 

  99. /// Successfully calling reinitialize() with a version value of 1 must result
    100. 

  100. /// in `_initialized` being set to 1.
    101. 

  101. rule reinitializeEffects {
    102. 

  102.     uint256 val; uint256 a; uint256 b;
    103. 

  103. 

  104.     reinitialize(val, a, b, 1);
    105. 

  105. 

  106.     assert isInitializedOnce(), "reinitialize(1) must set _initialized to 1";
    107. 

  107. }
    108. 

  108. 

  109. /// Successfully calling `initialize()` must result in `_initialized` being set to 1.
    110. 

  110. /// @dev We assume `initialize()` and `reinitialize(1)` are equivalent if this rule
    111. 

  111. ///      and the [above rule][#reinitializeEffects] both pass.
    112. 

  112. rule initializeEffects {
    113. 

  113.     uint256 val; uint256 a; uint256 b;
    114. 

  114. 

  115.     initialize(val, a, b);
    116. 

  116. 

  117.     assert isInitializedOnce(), "initialize() must set _initialized to 1";
    118. 

  118. }
    119. 

  119. 

  120. /// A disabled initializable contract must always stay disabled.
    121. 

  121. rule disabledStaysDisabled(method f) {
    122. 

  122.     env e; calldataarg args; 
    123. 

  123. 

  124.     bool disabledBefore = isDisabled();
    125. 

  125.     f(e, args);
    126. 

  126.     bool disabledAfter = isDisabled();
    127. 

  127. 

  128.     assert disabledBefore => disabledAfter, "a disabled initializer must stay disabled";
    129. 

  129. }
    130. 

  130. 

  131. /// The variable `_initialized` must not decrease.
    132. 

  132. rule increasingInitialized(method f) {
    133. 

  133.     env e; calldataarg args;
    134. 

  134. 

  135.     uint8 initBefore = initialized();
    136. 

  136.     f(e, args);
    137. 

  137.     uint8 initAfter = initialized();
    138. 

  138.     assert initBefore <= initAfter, "_initialized must only increase";
    139. 

  139. }
    140. 

  140. 

  141. /// If `reinitialize(...)` was called successfully, then the variable
    142. 

  142. /// `_initialized` must increase.
    143. 

  143. /// @title Reinitialize increases `init`
    144. 

  144. rule reinitializeIncreasesInit {
    145. 

  145.     uint256 val; uint8 n; uint256 a; uint256 b;
    146. 

  146. 

  147.     uint8 initBefore = initialized();
    148. 

  148.     reinitialize(val, a, b, n);
    149. 

  149.     uint8 initAfter = initialized();
    150. 

  150. 

  151.     assert initAfter > initBefore, "calling reinitialize must increase _initialized";
    152. 

  152. }
    153. 

  153. 

  154. /// `reinitialize(n)` must be callable if the contract is not in an
    155. 

  155. /// `_initializing` state and `n` is greater than `_initialized` and less than
    156. 

  156. /// 255
    157. 

  157. rule reinitializeLiveness {
    158. 

  158.     uint256 val; uint8 n; uint256 a; uint256 b;
    159. 

  159. 

  160.     requireInvariant notInitializing();
    161. 

  161.     uint8 initVal = initialized();
    162. 

  162.     reinitialize@withrevert(val, a, b, n);
    163. 

  163. 

  164.     assert n > initVal => !lastReverted, "reinitialize(n) call must succeed if n was greater than _initialized";
    165. 

  165. }
    166. 

  166. 

  167. /// If `reinitialize(n)` was called successfully then `n` was greater than
    168. 

  168. /// `_initialized`.
    169. 

  169. rule reinitializeRule {
    170. 

  170.     uint256 val; uint8 n; uint256 a; uint256 b;
    171. 

  171. 

  172.     uint8 initBefore = initialized();
    173. 

  173.     reinitialize(val, a, b, n);
    174. 

  174. 

  175.     assert n > initBefore;
    176. 

  176. }
    177. 

  177. 

  178. /// Functions implemented in the parent contract that require `_initialized` to
    179. 

  179. /// be a certain value are only callable when it is that value. 
    180. 

  180. /// @title Reinitialize version check parent
    181. 

  181. rule reinitVersionCheckParent {
    182. 

  182.     uint8 n;
    183. 

  183. 

  184.     returnsVN(n);
    185. 

  185.     assert initialized() == n, "parent contract's version n functions must only be callable in version n";
    186. 

  186. }
    187. 

  187. 

  188. /// Functions implemented in the child contract that require `_initialized` to
    189. 

  189. /// be a certain value are only callable when it is that value.
    190. 

  190. /// @title Reinitialize version check child
    191. 

  191. rule reinitVersionCheckChild {
    192. 

  192.     uint8 n;
    193. 

  193. 

  194.     returnsAVN(n);
    195. 

  195.     assert initialized() == n, "child contract's version n functions must only be callable in version n";
    196. 

  196. }
    197. 

  197. 

  198. /// Functions implemented in the grandchild contract that require `_initialized`
    199. 

  199. /// to be a certain value are only callable when it is that value.
    200. 

  200. /// @title Reinitialize version check grandchild
    201. 

  201. rule reinitVersionCheckGrandchild {
    202. 

  202.     uint8 n;
    203. 

  203. 

  204.     returnsBVN(n);
    205. 

  205.     assert initialized() == n, "gransdchild contract's version n functions must only be callable in version n";
    206. 

  206. }
    207. 

  207. 

  208. /// Calling parent initializer function must initialize all child contracts.
    209. 

  209. rule inheritanceCheck {
    210. 

  210.     uint256 val; uint8 n; uint256 a; uint256 b;
    211. 

  211. 

  212.     reinitialize(val, a, b, n);
    213. 

  213.     assert val() == val && a() == a && b() == b, "all child contract values must be initialized";
    214. 

  214. }
    215. 

  215.