The Weakening Lemma is formalized over FS configurations $\langle \beta, \sigma, e \rangle$. To prove it, we first prove the same lemma on its projections on $\beta$ (Lemma 10), $\sigma$ (Lemma 11), and $e$ (Lemma 12). In the proofs that follow, let $\Gamma' = \Gamma \cdot \Delta$.
E.2.1 Weakening of $\beta$
Here we prove the projection of the Weakening lemma on the first component of $\langle \beta, \sigma, e \rangle$, namely $\beta$.
Lemma 10 (Weakening of $\beta$).
Let $\Gamma \vdash \beta$ be a derivable judgment, and let $\Delta$ be such that $\mathit{dom}(\Gamma) \cap \mathit{dom}(\Delta) = \emptyset$. Then $\Gamma \cdot \Delta \vdash \beta$ can be derived, and its derivation has the same height as the previous one.
Proof. We prove this lemma by induction on the height of the derivation of the judgment $\Gamma \vdash \beta$.
Base case. This case corresponds to the axiom EMPTYBLOCKCHAIN in Section 6.3. The height of the derivation is 1 and $\beta = \emptyset$, that is, $\Gamma \vdash_1 \emptyset$. Since $\emptyset$ is well-formed regardless of $\Gamma$, also $\Gamma' \vdash_1 \emptyset$ holds.
Inductive cases. Given a judgment $J$ whose derivation has height $k+1$, we proceed by cases on the last rule used to derive $J$. We assume the lemma for judgments with height at most $k$ and prove it for those with height $k+1$.
• VARIABLE. In this case $J = \Gamma \vdash_{k+1} \beta \cdot [x \mapsto v]$ was derived from $\Gamma \vdash_k \beta$, $\Gamma \vdash_k x : T$, and $\Gamma \vdash_k v : T$, where $x \notin \mathit{dom}(\beta)$. By inductive hypothesis, the judgments $\Gamma' \vdash_k \beta$, $\Gamma' \vdash_k x : T$, and $\Gamma' \vdash_k v : T$ are also derivable. Applying VARIABLE we can thus derive $\Gamma' \vdash_{k+1} \beta \cdot [x \mapsto v]$, which is what we wanted to prove.
• CONTRACT. In this case $J = \Gamma \vdash_{k+1} \beta \cdot [(c, a) \mapsto (C, \tilde{s} : \tilde{v}, n)]$ was derived from $\Gamma \vdash_k \beta$, $\Gamma \vdash_k c : C$, $\Gamma \vdash_k a : \mathsf{address}$, $\Gamma \vdash_k n : \mathsf{uint}$, and $\Gamma \vdash_k \tilde{v} : \tilde{T}$, where $(c, a) \notin \mathit{dom}(\beta)$ and $sv(C) = \tilde{T}\,\tilde{s}$. By inductive hypothesis, the judgments $\Gamma' \vdash_k \beta$, $\Gamma' \vdash_k c : C$, $\Gamma' \vdash_k a : \mathsf{address}$, $\Gamma' \vdash_k n : \mathsf{uint}$, and $\Gamma' \vdash_k \tilde{v} : \tilde{T}$ are also derivable. Applying CONTRACT we can thus derive $\Gamma' \vdash_{k+1} \beta \cdot [(c, a) \mapsto (C, \tilde{s} : \tilde{v}, n)]$, which is what we wanted to prove.
E.2.2 Weakening of $\sigma$
Here we prove the projection of the Weakening lemma on the second component of $\langle \beta, \sigma, e \rangle$, namely $\sigma$.
Lemma 11 (Weakening of $\sigma$).
Let $\Gamma \vdash \sigma$ be a derivable judgment, and let $\Delta$ be such that $\mathit{dom}(\Gamma) \cap \mathit{dom}(\Delta) = \emptyset$. Then $\Gamma \cdot \Delta \vdash \sigma$ can be derived, and its derivation has the same height as the previous one.
Proof. We prove this lemma by induction on the height of the derivation of the judgment $\Gamma \vdash \sigma$.
Base case. Rule CALLSTACK in Section 6.3 has, as its base case, the well-formedness of $\beta$, proven by Lemma 10.
Inductive case. Let the judgment $\Gamma \vdash \sigma \cdot a$ have height $k+1$. We assume the lemma for judgments with height at most $k$ and prove it for those with height at most $k+1$.
$\Gamma \vdash_{k+1} \sigma \cdot a$ was derived from $\Gamma \vdash_k \sigma$ and $\Gamma \vdash_k a : \mathsf{address}$. By inductive hypothesis we can derive $\Gamma' \vdash_k \sigma$ and $\Gamma' \vdash_k a : \mathsf{address}$, and applying CALLSTACK we obtain a derivation of $\Gamma' \vdash_{k+1} \sigma \cdot a$.
E.2.3 Weakening of $e$
Here we prove the projection of the Weakening lemma on the third component of $\langle \beta, \sigma, e \rangle$, namely $e$.
Lemma 12 (Weakening of $e$).
Let $\Gamma \vdash e : T$ be a derivable judgment, and let $\Delta$ be such that $\mathit{dom}(\Gamma) \cap \mathit{dom}(\Delta) = \emptyset$. Then $\Gamma \cdot \Delta \vdash e : T$ can be derived, and its derivation has the same height as the previous one.
Proof. We prove this lemma by induction on the height of the derivation of the judgment $\Gamma \vdash e : T$.
Base cases. These cases correspond to the axioms in Section 6.3. The height of these derivations is always 1.
• REF. The judgment is $\Gamma \vdash c : C$. From Case 9 of Lemma 2 we know that $c : C \in \Gamma$. We defined $\Gamma'$ as $\Gamma \cdot \Delta$, so $c : C \in \Gamma \Rightarrow c : C \in \Gamma'$. Hence, $\Gamma' \vdash c : C$ is derivable.
• VAR. The judgment is $\Gamma \vdash x : T$. From Case 10 of Lemma 2 we know that $x : T \in \Gamma$. We defined $\Gamma'$ as $\Gamma \cdot \Delta$, so $x : T \in \Gamma \Rightarrow x : T \in \Gamma'$. Hence, $\Gamma' \vdash x : T$ is derivable.
• TRUE. The judgment is $\Gamma \vdash \mathsf{true} : \mathsf{bool}$. From Case 1 of Lemma 2 we know that this judgment is derivable with height 1 regardless of $\Gamma$, and so is $\Gamma' \vdash \mathsf{true} : \mathsf{bool}$.
• FALSE. The judgment is $\Gamma \vdash \mathsf{false} : \mathsf{bool}$. From Case 2 of Lemma 2 we know that this judgment is derivable with height 1 regardless of $\Gamma$, and so is $\Gamma' \vdash \mathsf{false} : \mathsf{bool}$.
• NAT. The judgment is $\Gamma \vdash n : \mathsf{uint}$. From Case 3 of Lemma 2 we know that this judgment is derivable with height 1 whenever $n \in \mathbb{N}^+$, regardless of $\Gamma$, and so is $\Gamma' \vdash n : \mathsf{uint}$.
• ADDRESS. The judgment is $\Gamma \vdash a : \mathsf{address}$. From Case 6 of Lemma 2 we know that $a : \mathsf{address} \in \Gamma$. We defined $\Gamma'$ as $\Gamma \cdot \Delta$, so $a : \mathsf{address} \in \Gamma \Rightarrow a : \mathsf{address} \in \Gamma'$. Hence, $\Gamma' \vdash a : \mathsf{address}$ is derivable.
• UNIT. The judgment is $\Gamma \vdash u : \mathsf{unit}$. From Case 4 of Lemma 2 we know that this judgment is derivable with height 1 regardless of $\Gamma$, and so is $\Gamma' \vdash u : \mathsf{unit}$.
• REVERT. The judgment is $\Gamma \vdash \mathsf{revert} : T$. This judgment is derivable with height 1 regardless of $\Gamma$, and so is $\Gamma' \vdash \mathsf{revert} : T$.
Inductive cases. Given a judgment $J$ whose derivation has height $k+1$, we proceed by cases on the last rule used to derive $J$. We assume the lemma for judgments with height at most $k$ and prove it for those with height $k+1$.
• FUN. In this case $J = \Gamma \vdash_{k+1} c.f : \tilde{T}_1 \to T_2$ was derived from the judgment $\Gamma \vdash_k c : C$ with the premise $\mathit{ftype}(C, f) = \tilde{T}_1 \to T_2$. We can apply the inductive hypothesis to conclude that $\Gamma' \vdash_k c : C$ is derivable. Since the premise $\mathit{ftype}(C, f) = \tilde{T}_1 \to T_2$ is still valid, applying FUN we conclude that $\Gamma' \vdash_{k+1} c.f : \tilde{T}_1 \to T_2$ is also derivable.
• MAPPING. In this case $J = \Gamma \vdash_{k+1} M : \mathsf{mapping}(T_1 \Rightarrow T_2)$ was derived from $\Gamma \vdash_k \tilde{k} : \tilde{T}_1$ and $\Gamma \vdash_k \tilde{v} : \tilde{T}_2$. By inductive hypothesis, $\Gamma' \vdash_k \tilde{k} : \tilde{T}_1$ and $\Gamma' \vdash_k \tilde{v} : \tilde{T}_2$ can also be derived. Hence, applying MAPPING we obtain a derivation of $\Gamma' \vdash_{k+1} M : \mathsf{mapping}(T_1 \Rightarrow T_2)$.
• BAL. In this case $J = \Gamma \vdash_{k+1} \mathsf{balance}(e) : \mathsf{uint}$ was derived from $\Gamma \vdash_k e : \mathsf{address}$. By inductive hypothesis, $\Gamma' \vdash_k e : \mathsf{address}$ is derivable. We then apply BAL to conclude that the judgment $\Gamma' \vdash_{k+1} \mathsf{balance}(e) : \mathsf{uint}$ can be derived.
• ADDR. In this case $J = \Gamma \vdash_{k+1} \mathsf{address}(e) : \mathsf{address}$ was derived from $\Gamma \vdash_k e : C$. By inductive hypothesis, $\Gamma' \vdash_k e : C$ is derivable. We then apply ADDR to conclude that the judgment $\Gamma' \vdash_{k+1} \mathsf{address}(e) : \mathsf{address}$ can be derived, too.
• RETURN. In this case $J = \Gamma \vdash_{k+1} \mathsf{return}\ e : T$ was derived from $\Gamma \vdash_k e : T$. By inductive hypothesis, $\Gamma' \vdash_k e : T$ is derivable. We then apply RETURN to conclude that the judgment $\Gamma' \vdash_{k+1} \mathsf{return}\ e : T$ can be derived, too.
• IF. In this case $J = \Gamma \vdash_{k+1} \mathsf{if}\ e_1\ \mathsf{then}\ e_2\ \mathsf{else}\ e_3 : T$ was derived from $\Gamma \vdash_k e_1 : \mathsf{bool}$, $\Gamma \vdash_k e_2 : T$, and $\Gamma \vdash_k e_3 : T$. We can thus apply the inductive hypothesis and conclude that $\Gamma' \vdash_k e_1 : \mathsf{bool}$, $\Gamma' \vdash_k e_2 : T$, and $\Gamma' \vdash_k e_3 : T$ are all derivable. We then apply IF to derive $\Gamma' \vdash_{k+1} \mathsf{if}\ e_1\ \mathsf{then}\ e_2\ \mathsf{else}\ e_3 : T$.
• SEQ. In this case $J = \Gamma \vdash_{k+1} e_1; e_2 : T_2$ was derived from $\Gamma \vdash_k e_1 : T_1$ and $\Gamma \vdash_k e_2 : T_2$. By inductive hypothesis, these "smaller" judgments are also derivable under $\Gamma'$ without any change in height, that is, $\Gamma' \vdash_k e_1 : T_1$ and $\Gamma' \vdash_k e_2 : T_2$. Applying SEQ we obtain a derivation of $\Gamma' \vdash_{k+1} e_1; e_2 : T_2$.
• DECL. In this case $J = \Gamma \vdash_{k+1} T_1\ x = e_1; e_2 : T_2$ was derived from $\Gamma \vdash_k e_1 : T_1$ and $\Gamma, x : T_1 \vdash_k e_2 : T_2$. To the former we can apply the inductive hypothesis and conclude that $\Gamma' \vdash_k e_1 : T_1$ is derivable. To the latter, on the contrary, we cannot apply the inductive hypothesis directly, since its context is $\Gamma, x : T_1$ and not $\Gamma$. Still, we know there exists a derivation of height $k$ for this judgment, otherwise $J$ would not be derivable, which would contradict our assumption that $J$ has a valid derivation of height $k+1$. Hence it comes from another judgment $J'$ with a derivation of height $k-1$, to which one of the rules defined in Section 6.3 was applied as the last step. We can now apply the inductive hypothesis to $J'$, taking $\Gamma, x : T_1$ as the context, and conclude that $\Gamma, x : T_1, \Delta \vdash_k e_2 : T_2$ is derivable. Lastly, applying DECL we obtain a derivation of $\Gamma' \vdash_{k+1} T_1\ x = e_1; e_2 : T_2$.
• MAPPSEL. In this case $J = \Gamma \vdash_{k+1} e_1[e_2] : T_2$ was derived from $\Gamma \vdash_k e_1 : \mathsf{mapping}(T_1 \Rightarrow T_2)$ and $\Gamma \vdash_k e_2 : T_1$. By inductive hypothesis, the judgments $\Gamma' \vdash_k e_1 : \mathsf{mapping}(T_1 \Rightarrow T_2)$ and $\Gamma' \vdash_k e_2 : T_1$ are also derivable. Applying MAPPSEL we obtain a derivation of $\Gamma' \vdash_{k+1} e_1[e_2] : T_2$.
• STATESEL. In this case $J = \Gamma \vdash_{k+1} e.s_i : T_i$ was derived from $\Gamma \vdash_k e : C$, with the additional premise $s_i \in \tilde{s}$, where $sv(C) = \tilde{T}\,\tilde{s}$. By inductive hypothesis we know that $\Gamma' \vdash_k e : C$ is also derivable. As a final step, applying STATESEL we obtain a derivation of $\Gamma' \vdash_{k+1} e.s_i : T_i$.
• ASS. In this case $J = \Gamma \vdash_{k+1} x = e : T$ was derived from $\Gamma \vdash_k x : T$ and $\Gamma \vdash_k e : T$. By inductive hypothesis we can derive, with the same height, also $\Gamma' \vdash_k x : T$ and $\Gamma' \vdash_k e : T$, and applying ASS we obtain a derivation of $\Gamma' \vdash_{k+1} x = e : T$.
• MAPPASS. In this case $J = \Gamma \vdash_{k+1} e_1[e_2 \to e_3] : \mathsf{mapping}(T_1 \Rightarrow T_2)$ was derived from $\Gamma \vdash_k e_1 : \mathsf{mapping}(T_1 \Rightarrow T_2)$, $\Gamma \vdash_k e_2 : T_1$, and $\Gamma \vdash_k e_3 : T_2$. By inductive hypothesis we can derive, with the same height, also $\Gamma' \vdash_k e_1 : \mathsf{mapping}(T_1 \Rightarrow T_2)$, $\Gamma' \vdash_k e_2 : T_1$, and $\Gamma' \vdash_k e_3 : T_2$, and applying MAPPASS we obtain a derivation of $\Gamma' \vdash_{k+1} e_1[e_2 \to e_3] : \mathsf{mapping}(T_1 \Rightarrow T_2)$.
• STATEASS. In this case $J = \Gamma \vdash_{k+1} e_1.s = e_2 : T$ was derived from $\Gamma \vdash_k e_1.s : T$ and $\Gamma \vdash_k e_2 : T$. By inductive hypothesis we can derive, with the same height, also $\Gamma' \vdash_k e_1.s : T$ and $\Gamma' \vdash_k e_2 : T$, and applying STATEASS we obtain a derivation of $\Gamma' \vdash_{k+1} e_1.s = e_2 : T$.
• NEW. In this case $J = \Gamma \vdash_{k+1} \mathsf{new}\ C.\mathsf{value}(e_0)(\tilde{e}) : C$ was derived from $\Gamma \vdash_k \tilde{e} : \tilde{T}$ and $\Gamma \vdash_k e_0 : \mathsf{uint}$, together with the premise $|\tilde{e}| = |\tilde{s}|$, where $sv(C) = \tilde{T}\,\tilde{s}$. By inductive hypothesis, $\Gamma' \vdash_k \tilde{e} : \tilde{T}$ and $\Gamma' \vdash_k e_0 : \mathsf{uint}$ can be derived. Furthermore, the premise checking the lengths of $\tilde{e}$ and $\tilde{s}$ is still valid, so we can apply NEW to derive $\Gamma' \vdash_{k+1} \mathsf{new}\ C.\mathsf{value}(e_0)(\tilde{e}) : C$.
• CONTRRETR. In this case $J = \Gamma \vdash_{k+1} C(e) : C$ was derived from $\Gamma \vdash_k e : \mathsf{address}$. By inductive hypothesis, $\Gamma' \vdash_k e : \mathsf{address}$ is also derivable; applying CONTRRETR we then obtain a derivation of $\Gamma' \vdash_{k+1} C(e) : C$.
• TRANSFER. In this case $J = \Gamma \vdash_{k+1} e_1.\mathsf{transfer}(e_2) : \mathsf{unit}$ was derived from $\Gamma \vdash_k e_1 : \mathsf{address}$ and $\Gamma \vdash_k e_2 : \mathsf{uint}$. By inductive hypothesis we can derive $\Gamma' \vdash_k e_1 : \mathsf{address}$ and $\Gamma' \vdash_k e_2 : \mathsf{uint}$. We then apply TRANSFER to obtain a derivation of $\Gamma' \vdash_{k+1} e_1.\mathsf{transfer}(e_2) : \mathsf{unit}$.
• CALL. In this case $J = \Gamma \vdash_{k+1} e_1.f.\mathsf{value}(e_2)(\tilde{e}) : T_2$ was derived from $\Gamma \vdash_k e_1 : C$, $\Gamma \vdash_k e_2 : \mathsf{uint}$, and $\Gamma \vdash_k \tilde{e} : \tilde{T}_1$, together with the premises checking the length of the tuple $\tilde{e}$ ($|\tilde{e}| = |\tilde{T}_1|$) and the type of $f$ in $C$ ($\mathit{ftype}(C, f) = \tilde{T}_1 \to T_2$). By inductive hypothesis we can derive $\Gamma' \vdash_k e_1 : C$, $\Gamma' \vdash_k e_2 : \mathsf{uint}$, and $\Gamma' \vdash_k \tilde{e} : \tilde{T}_1$. Furthermore, the other two premises are still valid, and thus we can apply CALL to derive $\Gamma' \vdash_{k+1} e_1.f.\mathsf{value}(e_2)(\tilde{e}) : T_2$.
• CALLTOPLEVEL. In this case $J = \Gamma \vdash_{k+1} e_1.f.\mathsf{value}(e_2).\mathsf{sender}(e_3)(\tilde{e}) : T_2$ was derived from $\Gamma \vdash_k e_3 : \mathsf{address}$ and $\Gamma \vdash_k e_1.f.\mathsf{value}(e_2)(\tilde{e}) : T_2$. By inductive hypothesis, the judgments $\Gamma' \vdash_k e_3 : \mathsf{address}$ and $\Gamma' \vdash_k e_1.f.\mathsf{value}(e_2)(\tilde{e}) : T_2$ are derivable. As a final step we apply CALLTOPLEVEL to derive $\Gamma' \vdash_{k+1} e_1.f.\mathsf{value}(e_2).\mathsf{sender}(e_3)(\tilde{e}) : T_2$.
• CALLVALUE. In this case $J = \Gamma \vdash_{k+1} e_1.\mathsf{value}(e_2)(\tilde{e}) : T_2$ was derived from $\Gamma \vdash_k e_1 : \tilde{T}_1 \to T_2$, $\Gamma \vdash_k e_2 : \mathsf{uint}$, and $\Gamma \vdash_k \tilde{e} : \tilde{T}_1$. There is another premise, checking the length of the tuple $\tilde{e}$ ($|\tilde{e}| = |\tilde{T}_1|$). By inductive hypothesis, the judgments $\Gamma' \vdash_k e_1 : \tilde{T}_1 \to T_2$, $\Gamma' \vdash_k e_2 : \mathsf{uint}$, and $\Gamma' \vdash_k \tilde{e} : \tilde{T}_1$ are derivable. Furthermore, the other premise is still valid, and we can thus apply CALLVALUE to obtain a derivation of $\Gamma' \vdash_{k+1} e_1.\mathsf{value}(e_2)(\tilde{e}) : T_2$.
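As an added illustration of Lemma 12 (constructed here, not part of the paper), the following instance carries the IF case through on a concrete judgment. The context $\Gamma = x : \mathsf{bool}$ and the extension $\Delta = y : \mathsf{uint}$ are assumed; they satisfy $\mathit{dom}(\Gamma) \cap \mathit{dom}(\Delta) = \emptyset$. The leaves are instances of the base cases VAR and NAT above, and the root is one application of IF, so both derivations have height 2.

```latex
% Added example (constructed): Lemma 12 on one concrete judgment.
% Assumed context and extension, with disjoint domains:
\Gamma \triangleq x : \mathsf{bool}, \qquad
\Delta \triangleq y : \mathsf{uint}, \qquad
\Gamma' \triangleq \Gamma \cdot \Delta = x : \mathsf{bool}, y : \mathsf{uint}

% Derivation under Γ. VAR and NAT are axioms (height 1); IF adds one level.
\dfrac{
  \dfrac{x : \mathsf{bool} \in \Gamma}{\Gamma \vdash_1 x : \mathsf{bool}}\ \text{VAR}
  \qquad
  \dfrac{1 \in \mathbb{N}^+}{\Gamma \vdash_1 1 : \mathsf{uint}}\ \text{NAT}
  \qquad
  \dfrac{2 \in \mathbb{N}^+}{\Gamma \vdash_1 2 : \mathsf{uint}}\ \text{NAT}
}{
  \Gamma \vdash_2 \mathsf{if}\ x\ \mathsf{then}\ 1\ \mathsf{else}\ 2 : \mathsf{uint}
}\ \text{IF}

% The same derivation under Γ' = Γ · Δ. Each leaf still holds:
%   x : bool ∈ Γ' because every binding of Γ is also in Γ · Δ (the VAR base case);
%   NAT does not inspect the context at all (the NAT base case).
% No rule application is added or removed, so the height is unchanged (2).
\dfrac{
  \dfrac{x : \mathsf{bool} \in \Gamma'}{\Gamma' \vdash_1 x : \mathsf{bool}}\ \text{VAR}
  \qquad
  \dfrac{1 \in \mathbb{N}^+}{\Gamma' \vdash_1 1 : \mathsf{uint}}\ \text{NAT}
  \qquad
  \dfrac{2 \in \mathbb{N}^+}{\Gamma' \vdash_1 2 : \mathsf{uint}}\ \text{NAT}
}{
  \Gamma' \vdash_2 \mathsf{if}\ x\ \mathsf{then}\ 1\ \mathsf{else}\ 2 : \mathsf{uint}
}\ \text{IF}
```

The second tree is the first one with $\Gamma$ replaced by $\Gamma'$ at every node, which is exactly what the inductive argument produces: the inductive hypothesis rewrites the premises, and the same last rule is reapplied once. Note the role of the side condition: had $\Delta$ instead been $x : \mathsf{uint}$, the domains would overlap, the hypothesis of the lemma would fail, and the lemma would say nothing about $\Gamma \cdot \Delta$.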
E.2.4 Proof of the Lemma
We can now prove Lemma 4.
Lemma 4 (Weakening). Let $\Gamma \vdash \langle \beta, \sigma, e \rangle : T$ be a derivable judgment, and let $\Delta$ be such that $\mathit{dom}(\Gamma) \cap \mathit{dom}(\Delta) = \emptyset$ (i.e. $\Gamma$ and $\Delta$ have no elements in common). Then $\Gamma \cdot \Delta \vdash \langle \beta, \sigma, e \rangle : T$ can be derived, and its derivation has the same height as the previous one.
Proof. By hypothesis $\Gamma \vdash_{k+1} \langle \beta, \sigma, e \rangle : T$; by rule CONFIGURATION this means that $\Gamma \vdash_k \beta$, $\Gamma \vdash_k \sigma$, and $\Gamma \vdash_k e : T$ are also derivable. By Lemmas 10, 11, and 12, respectively, we know that there exist derivations of $\Gamma' \vdash_k \beta$, $\Gamma' \vdash_k \sigma$, and $\Gamma' \vdash_k e : T$. Hence, applying CONFIGURATION to the latter three judgments we can derive $\Gamma' \vdash_{k+1} \langle \beta, \sigma, e \rangle : T$, which is what we wanted to prove.