def signed_gt(op1, op2, state):
v1, v2, t1, t2 = int_unif(op1, op2, state)
if t1.signed == t2.signed:
return claripy.SGT(v1, v2) if t1.signed else claripy.UGT(v1, v2)
return claripy.If(claripy.SLT(v1 if t1.signed else v2, 0), not t1.signed, v1 > v2)
def _op_generic_StoU_saturation(self, value, min_value, max_value): #pylint:disable=no-self-use
"""
Return unsigned saturated BV from signed BV.
Min and max value should be unsigned.
"""
return claripy.If(
claripy.SGT(value, max_value), max_value,
claripy.If(claripy.SLT(value, min_value), min_value, value))
def claripy_ast_from_ail_condition(self, condition) -> claripy.ast.Base:
# Unpack a condition all the way to the leaves
if isinstance(condition, claripy.ast.Base): # pylint:disable=isinstance-second-argument-not-valid-type
return condition
def _op_with_unified_size(op, conv, operand0, operand1):
# ensure operand1 is of the same size as operand0
if isinstance(operand1, ailment.Expr.Const):
# amazing - we do the eazy thing here
return op(conv(operand0), operand1.value)
if operand1.bits == operand0.bits:
return op(conv(operand0), conv(operand1))
# extension is required
assert operand1.bits < operand0.bits
operand1 = ailment.Expr.Convert(None, operand1.bits, operand0.bits, False, operand1)
return op(conv(operand0), conv(operand1))
_mapping = {
'LogicalAnd': lambda expr, conv: claripy.And(conv(expr.operands[0]), conv(expr.operands[1])),
'LogicalOr': lambda expr, conv: claripy.Or(conv(expr.operands[0]), conv(expr.operands[1])),
'CmpEQ': lambda expr, conv: conv(expr.operands[0]) == conv(expr.operands[1]),
'CmpNE': lambda expr, conv: conv(expr.operands[0]) != conv(expr.operands[1]),
'CmpLE': lambda expr, conv: conv(expr.operands[0]) <= conv(expr.operands[1]),
'CmpLEs': lambda expr, conv: claripy.SLE(conv(expr.operands[0]), conv(expr.operands[1])),
'CmpLT': lambda expr, conv: conv(expr.operands[0]) < conv(expr.operands[1]),
'CmpLTs': lambda expr, conv: claripy.SLT(conv(expr.operands[0]), conv(expr.operands[1])),
'CmpGE': lambda expr, conv: conv(expr.operands[0]) >= conv(expr.operands[1]),
'CmpGEs': lambda expr, conv: claripy.SGE(conv(expr.operands[0]), conv(expr.operands[1])),
'CmpGT': lambda expr, conv: conv(expr.operands[0]) > conv(expr.operands[1]),
'CmpGTs': lambda expr, conv: claripy.SGT(conv(expr.operands[0]), conv(expr.operands[1])),
'Add': lambda expr, conv: conv(expr.operands[0]) + conv(expr.operands[1]),
'Sub': lambda expr, conv: conv(expr.operands[0]) - conv(expr.operands[1]),
'Mul': lambda expr, conv: conv(expr.operands[0]) * conv(expr.operands[1]),
'Not': lambda expr, conv: claripy.Not(conv(expr.operand)),
'Xor': lambda expr, conv: conv(expr.operands[0]) ^ conv(expr.operands[1]),
'And': lambda expr, conv: conv(expr.operands[0]) & conv(expr.operands[1]),
'Or': lambda expr, conv: conv(expr.operands[0]) | conv(expr.operands[1]),
'Shr': lambda expr, conv: _op_with_unified_size(claripy.LShR, conv, expr.operands[0], expr.operands[1]),
'Shl': lambda expr, conv: _op_with_unified_size(operator.lshift, conv, expr.operands[0], expr.operands[1]),
'Sar': lambda expr, conv: _op_with_unified_size(operator.rshift, conv, expr.operands[0], expr.operands[1]),
}
if isinstance(condition, (ailment.Expr.Load, ailment.Expr.DirtyExpression, ailment.Expr.BasePointerOffset,
ailment.Expr.ITE, ailment.Stmt.Call)):
var = claripy.BVS('ailexpr_%s' % repr(condition), condition.bits, explicit_name=True)
self._condition_mapping[var.args[0]] = condition
return var
elif isinstance(condition, ailment.Expr.Register):
var = claripy.BVS('ailexpr_%s-%d' % (repr(condition), condition.idx), condition.bits, explicit_name=True)
self._condition_mapping[var.args[0]] = condition
return var
elif isinstance(condition, ailment.Expr.Convert):
# convert is special. if it generates a 1-bit variable, it should be treated as a BVS
if condition.to_bits == 1:
var_ = self.claripy_ast_from_ail_condition(condition.operands[0])
name = 'ailcond_Conv(%d->%d, %s)' % (condition.from_bits, condition.to_bits, repr(var_))
var = claripy.BoolS(name, explicit_name=True)
else:
var_ = self.claripy_ast_from_ail_condition(condition.operands[0])
name = 'ailexpr_Conv(%d->%d, %s)' % (condition.from_bits, condition.to_bits, repr(var_))
var = claripy.BVS(name, condition.to_bits, explicit_name=True)
self._condition_mapping[var.args[0]] = condition
return var
elif isinstance(condition, ailment.Expr.Const):
var = claripy.BVV(condition.value, condition.bits)
return var
elif isinstance(condition, ailment.Expr.Tmp):
l.warning("Left-over ailment.Tmp variable %s.", condition)
if condition.bits == 1:
var = claripy.BoolV('ailtmp_%d' % condition.tmp_idx)
else:
var = claripy.BVS('ailtmp_%d' % condition.tmp_idx, condition.bits, explicit_name=True)
self._condition_mapping[var.args[0]] = condition
return var
lambda_expr = _mapping.get(condition.verbose_op, None)
if lambda_expr is None:
raise NotImplementedError("Unsupported AIL expression operation %s. Consider implementing." % condition.op)
r = lambda_expr(condition, self.claripy_ast_from_ail_condition)
if r is NotImplemented:
r = claripy.BVS("ailexpr_%r" % condition, condition.bits, explicit_name=True)
self._condition_mapping[r.args[0]] = condition
else:
# don't lose tags
r = r.annotate(TagsAnnotation(**condition.tags))
return r
def _runtime_unify(self,
state,
one,
two,
stack_frame=False,
overwrite=True):
"""
decide if one and two need to be unified, if so add a 'UNIFY' tag
:param state: The analysis state that holds intermediate results
:param one: The first value to unify
:param two: The second value to unify
:param stack_frame: If we're only allowed to look at offsets in front of the pointer
:param overwrite: Whether to use the semantics that one is "overwriting" two
"""
one_ty = self.ty_backend.convert(one).ty
two_ty = self.ty_backend.convert(two).ty
# if both of them are pointers!!! this gets very tricky
if type(one_ty) is type(two_ty) is sim_type.SimTypePointer:
one_subty = one_ty.pts_to
two_subty = two_ty.pts_to
one_offset = one_ty.offset
two_offset = two_ty.offset
if one_offset.symbolic or two_offset.symbolic:
import ipdb
ipdb.set_trace()
print('yikes! (jesus christ)')
if one_subty is two_subty:
if one_offset is not two_subty:
import ipdb
ipdb.set_trace()
print('yikes? (arrays maybe. recursion probably)')
else:
import ipdb
ipdb.set_trace()
print('yikes. (no object identity but yes equality)')
# these are two different structures that we might have to unify.
# possible cases:
# - two structures are actually the same structure.
# - two stack frames. flag tells us this. only deal with the argument parts
# - a structure is present in another structure
# TODO: do some type checking on the two structs to make sure we're not making
# a huge mistake!!!
else:
if claripy.is_true(
one_offset == two_offset) and claripy.is_true(
one_offset == 0):
self.pass_results.append(('UNIFY', (one, two)))
elif stack_frame:
for ckey, _ in two_subty.offsets.iteritems():
offset = ckey.ast
if not claripy.is_true(claripy.SGT(offset, 0)):
continue
two_value = state.memory.load(
two + offset,
size=state.arch.bytes,
inspect=False,
endness=state.arch.memory_endness)
one_value = state.memory.load(
one + offset,
size=state.arch.bytes,
inspect=False,
endness=state.arch.memory_endness)
# one last edge case consideration: if one_value doesn't have a source
# (since we disabled inspect, this might happen)
# we should manually give it a source since this is something we know
one_value_ty = self.ty_backend.convert(one_value).ty
if type(one_value_ty) is not sim_type.SimTypePointer and \
len(one_value_ty.label) == 0:
one_value = one_value.annotate(
TypeAnnotation(
sim_type.SimTypeTop(
label=[ValueSource(two_subty, offset)
])))
self._runtime_unify(state, one_value, two_value)
else:
import ipdb
ipdb.set_trace()
# look through the structs and check offset by offset
# do we want to check in the initial state or elsewhere?
# think we should check in the current state. everything from the initial state wil be there still?
print('okay??')
# when only one of them is a pointer!
# if a source is available we should toss it to SOURCE, she'll just drop the other in!
# if a source is not available, wait. eventually one will be available :)
elif type(two_ty) is sim_type.SimTypePointer:
if len(one_ty.label) > 0:
if len(one_ty.label) > 1:
import ipdb
ipdb.set_trace()
print('????????????')
self.pass_results.append(('SOURCE', one_ty.label[0]))
# this is where overwrite semantics comes into play.
# if one overwrites two, then we can't mark two as a pointer just because 1 is a pointer.
# otherwise, this is the same as the previous case I guess?
# I'm not sure what good this does
elif type(one_ty) is sim_type.SimTypePointer:
import ipdb
ipdb.set_trace()
if not overwrite:
if len(two_ty.label) > 0:
if len(two_ty.label) > 1:
import ipdb
ipdb.set_trace()
print('????????????')
self.pass_results.append(('SOURCE', two_ty.label[0]))
# If neither of them are pointers bail out. this is not a general type inference :)
else:
pass
def constrain_variables(self, func, solver, stack):
self.offsets = self.funcdata[func.addr]
self.bounds_marked = set()
self.stack = stack
self.solver = solver
# do some sanity checking first
top = min(self.offsets)
for addr in stack.addr_list:
if addr < top:
raise Exception("Provided vars miss an access (off the top!)")
base_addr = addr
while base_addr not in self.offsets:
base_addr -= 1
this_offset = addr - base_addr
if this_offset >= self.offsets[base_addr][0]:
raise Exception(
"Provided vars miss an access (between the cracks!)")
i = 0
while i < len(stack.addr_list):
addr = stack.addr_list[i]
if addr in self.offsets:
if i != 0 and self.offsets[stack.addr_list[
i - 1]][0] + stack.addr_list[i - 1] > addr:
raise Exception("Provided vars have an overlap!")
i += 1
continue
stack.merge_up(i)
# standard stuff
stack.alloc_op.apply_constraints(solver)
solver.add(stack.alloc_op.symval == -stack.sym_size)
for op in stack.dealloc_ops:
op.apply_constraints(solver)
solver.add(op.symval == 0)
solver.add(stack.sym_size % stack.arch.bytes == 0)
solver.add(claripy.SGE(stack.sym_size, stack.conc_size))
stack.unsafe_constraints.append(
claripy.SGT(stack.sym_size, stack.conc_size))
stack.unsafe_constraints.append(
claripy.SGE(stack.sym_size, stack.conc_size * 2))
stack.unsafe_constraints.append(
claripy.SLT(stack.sym_size, stack.conc_size * 3))
# loop through variables, add the important constraints!
i = 0
while i < len(stack.addr_list):
addr = stack.addr_list[i]
var = stack.variables[addr]
var.size = self.offsets[addr][0]
fix = self.offsets[addr][1]
if fix == 'TOP':
var.special_top = True
elif fix == 'BOTTOM':
var.special_bottom = True
align = self.offsets[addr][2]
if align != 1:
solver.add(var.sym_addr % align == 0)
var.sym_link(
solver,
stack) # this hooks up the constrains to actual immediates
# also the top/bottom fixing happens in there
if i != 0:
prev_var = stack.variables[stack.addr_list[i - 1]]
self.mark_boundaries(prev_var, var)
if i != len(stack.addr_list) - 1:
next_var = stack.variables[stack.addr_list[i + 1]]
self.mark_boundaries(var, next_var)
# ew. ew ew ew ew ew ew!!!
diff = next_var.conc_addr - var.conc_addr
solver.add(claripy.SLT(var.sym_addr, var.sym_addr + diff))
if i == 0:
solver.add(claripy.SLE(-stack.sym_size, var.sym_addr))
i += 1
def claripy_ast_from_ail_condition(self, condition):
# Unpack a condition all the way to the leaves
if isinstance(condition, claripy.ast.Base):
return condition
_mapping = {
'LogicalAnd':
lambda expr, conv: claripy.And(conv(expr.operands[0]),
conv(expr.operands[1])),
'LogicalOr':
lambda expr, conv: claripy.Or(conv(expr.operands[0]),
conv(expr.operands[1])),
'CmpEQ':
lambda expr, conv: conv(expr.operands[0]) == conv(expr.operands[1]
),
'CmpNE':
lambda expr, conv: conv(expr.operands[0]) != conv(expr.operands[1]
),
'CmpLE':
lambda expr, conv: conv(expr.operands[0]) <= conv(expr.operands[1]
),
'CmpLEs':
lambda expr, conv: claripy.SLE(conv(expr.operands[0]),
conv(expr.operands[1])),
'CmpLT':
lambda expr, conv: conv(expr.operands[0]) < conv(expr.operands[1]),
'CmpLTs':
lambda expr, conv: claripy.SLT(conv(expr.operands[0]),
conv(expr.operands[1])),
'CmpGE':
lambda expr, conv: conv(expr.operands[0]) >= conv(expr.operands[1]
),
'CmpGEs':
lambda expr, conv: claripy.SGE(conv(expr.operands[0]),
conv(expr.operands[1])),
'CmpGT':
lambda expr, conv: conv(expr.operands[0]) > conv(expr.operands[1]),
'CmpGTs':
lambda expr, conv: claripy.SGT(conv(expr.operands[0]),
conv(expr.operands[1])),
'Add':
lambda expr, conv: conv(expr.operands[0]) + conv(expr.operands[1]),
'Sub':
lambda expr, conv: conv(expr.operands[0]) - conv(expr.operands[1]),
'Not':
lambda expr, conv: claripy.Not(conv(expr.operand)),
'Xor':
lambda expr, conv: conv(expr.operands[0]) ^ conv(expr.operands[1]),
'And':
lambda expr, conv: conv(expr.operands[0]) & conv(expr.operands[1]),
'Or':
lambda expr, conv: conv(expr.operands[0]) | conv(expr.operands[1]),
'Shr':
lambda expr, conv: claripy.LShR(conv(expr.operands[0]), expr.
operands[1].value)
}
if isinstance(condition,
(ailment.Expr.Load, ailment.Expr.DirtyExpression,
ailment.Expr.BasePointerOffset)):
var = claripy.BVS('ailexpr_%s' % repr(condition),
condition.bits,
explicit_name=True)
self._condition_mapping[var] = condition
return var
elif isinstance(condition, ailment.Expr.Register):
var = claripy.BVS('ailexpr_%s-%d' %
(repr(condition), condition.idx),
condition.bits,
explicit_name=True)
self._condition_mapping[var] = condition
return var
elif isinstance(condition, ailment.Expr.Convert):
# convert is special. if it generates a 1-bit variable, it should be treated as a BVS
if condition.to_bits == 1:
var_ = self.claripy_ast_from_ail_condition(
condition.operands[0])
name = 'ailcond_Conv(%d->%d, %s)' % (
condition.from_bits, condition.to_bits, repr(var_))
var = claripy.BoolS(name, explicit_name=True)
else:
var_ = self.claripy_ast_from_ail_condition(
condition.operands[0])
name = 'ailexpr_Conv(%d->%d, %s)' % (
condition.from_bits, condition.to_bits, repr(var_))
var = claripy.BVS(name, condition.to_bits, explicit_name=True)
self._condition_mapping[var] = condition
return var
elif isinstance(condition, ailment.Expr.Const):
var = claripy.BVV(condition.value, condition.bits)
return var
elif isinstance(condition, ailment.Expr.Tmp):
l.warning("Left-over ailment.Tmp variable %s.", condition)
if condition.bits == 1:
var = claripy.BoolV('ailtmp_%d' % condition.tmp_idx)
else:
var = claripy.BVS('ailtmp_%d' % condition.tmp_idx,
condition.bits)
self._condition_mapping[var] = condition
return var
lambda_expr = _mapping.get(condition.verbose_op, None)
if lambda_expr is None:
raise NotImplementedError(
"Unsupported AIL expression operation %s. Consider implementing."
% condition.op)
r = lambda_expr(condition, self.claripy_ast_from_ail_condition)
if r is NotImplemented:
r = claripy.BVS("ailexpr_%r" % condition,
condition.bits,
explicit_name=True)
self._condition_mapping[r] = condition
return r
def exec_branch(self, state): # pylint:disable=invalid-name
"""Execute forward from a state, queuing new states if needed."""
logger.debug("Constraints: %s", state.solver.constraints)
def solution(variable):
"""Returns the solution. There must be one or we fail."""
solutions = state.solver.eval(variable, 2)
if len(solutions) > 1:
raise MultipleSolutionsError(
"Multiple solutions for %s (%#x)" %
(variable, self.code[state.pc]))
solution = solutions[0]
return solution if isinstance(solution,
numbers.Number) else solution.value
self.code.pc = state.pc
while True:
if state.pc >= len(self.code):
return True
op = self.code[state.pc]
self.code.pc += 1
self.coverage[state.pc] += 1
logger.debug("NEW STEP")
logger.debug("Memory: %s", state.memory)
logger.debug("Stack: %s", state.stack)
logger.debug("PC: %i, %#x", state.pc, op)
assert self.code.pc == state.pc + 1
assert isinstance(op, numbers.Number)
assert all(
isinstance(i, claripy.ast.base.BV) for i in
state.stack), "The stack musty only contains claripy BV's"
# Trivial operations first
if not self.code.is_valid_opcode(state.pc):
raise utils.CodeError("Trying to execute PUSH data")
elif op == 254: # INVALID opcode
raise utils.CodeError("designed INVALID opcode")
elif op == opcode_values.JUMPDEST:
pass
elif op == opcode_values.ADD:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(s0 + s1)
elif op == opcode_values.SUB:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(s0 - s1)
elif op == opcode_values.MUL:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(s0 * s1)
elif op == opcode_values.DIV:
# We need to use claripy.LShR instead of a division if possible,
# because the solver is bad dealing with divisions, better
# with shifts. And we need shifts to handle the solidity ABI
# for function selection.
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1) # pylint:disable=invalid-name
except MultipleSolutionsError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0 / s1))
else:
if s1 == 0:
state.stack_push(BVV_0)
elif s1 == 1:
state.stack_push(s0)
elif s1 & (s1 - 1) == 0:
exp = int(math.log(s1, 2))
state.stack_push(s0.LShR(exp))
else:
state.stack_push(s0 / s1)
elif op == opcode_values.SDIV:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1)
except MultipleSolutionsError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0.SDiv(s1)))
else:
state.stack_push(BVV_0 if s1 == 0 else s0.SDiv(s1))
elif op == opcode_values.MOD:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1)
except MultipleSolutionsError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0 % s1))
else:
state.stack_push(BVV_0 if s1 == 0 else s0 % s1)
elif op == opcode_values.SMOD:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1)
except MultipleSolutionsError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0.SMod(s1)))
else:
state.stack_push(BVV_0 if s1 == 0 else s0.SMod(s1))
elif op == opcode_values.ADDMOD:
s0, s1, s2 = state.stack_pop(), state.stack_pop(
), state.stack_pop()
try:
s2 = solution(s2)
except MultipleSolutionsError:
state.stack_push(claripy.If(s2 == 0, BVV_0,
(s0 + s1) % s2))
else:
state.stack_push(BVV_0 if s2 == 0 else (s0 + s1) % s2)
elif op == opcode_values.MULMOD:
s0, s1, s2 = state.stack_pop(), state.stack_pop(
), state.stack_pop()
try:
s2 = solution(s2)
except MultipleSolutionsError:
state.stack_push(claripy.If(s2 == 0, BVV_0,
(s0 * s1) % s2))
else:
state.stack_push(BVV_0 if s2 == 0 else (s0 * s1) % s2)
elif op == opcode_values.SHL:
shift, value = state.stack_pop(), state.stack_pop()
state.stack_push(value << shift)
elif op == opcode_values.SHR:
shift, value = state.stack_pop(), state.stack_pop()
state.stack_push(value.LShR(shift))
elif op == opcode_values.SAR:
shift, value = state.stack_pop(), state.stack_pop()
state.stack_push(claripy.RotateRight(value, shift))
elif op == opcode_values.EXP:
base, exponent = state.stack_pop(), state.stack_pop()
base_sol = solution(base)
if base_sol == 2:
state.stack_push(1 << exponent)
else:
try:
exponent_sol = solution(exponent)
except MultipleSolutionsError:
state.stack_push(exponent) # restore stack
state.stack_push(base)
self.add_for_fuzzing(state, exponent,
EXP_EXPONENT_FUZZ)
return False
else:
state.stack_push(
claripy.BVV(base_sol**exponent_sol, 256))
elif op == opcode_values.LT:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(bool_to_bv(claripy.ULT(s0, s1)))
elif op == opcode_values.GT:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(bool_to_bv(claripy.UGT(s0, s1)))
elif op == opcode_values.SLT:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(bool_to_bv(claripy.SLT(s0, s1)))
elif op == opcode_values.SGT:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(bool_to_bv(claripy.SGT(s0, s1)))
elif op == opcode_values.SIGNEXTEND:
# TODO: Use Claripy's SignExt that should do exactly that.
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
# s0 is the number of bits. s1 the number we want to extend.
s0 = solution(s0)
if s0 <= 31:
sign_bit = 1 << (s0 * 8 + 7)
state.stack_push(
claripy.If(
s1 & sign_bit == 0,
s1 & (sign_bit - 1),
s1 | ((1 << 256) - sign_bit),
))
else:
state.stack_push(s1)
elif op == opcode_values.EQ:
s0, s1 = state.stack_pop(), state.stack_pop()
state.stack_push(bool_to_bv(s0 == s1))
elif op == opcode_values.ISZERO:
state.stack_push(bool_to_bv(state.stack_pop() == BVV_0))
elif op == opcode_values.AND:
s0, s1 = state.stack_pop(), state.stack_pop()
state.stack_push(s0 & s1)
elif op == opcode_values.OR:
s0, s1 = state.stack_pop(), state.stack_pop()
state.stack_push(s0 | s1)
elif op == opcode_values.XOR:
s0, s1 = state.stack_pop(), state.stack_pop()
state.stack_push(s0 ^ s1)
elif op == opcode_values.NOT:
state.stack_push(~state.stack_pop())
elif op == opcode_values.BYTE:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(
s1.LShR(claripy.If(s0 > 31, 32, 31 - s0) * 8) & 0xFF)
elif op == opcode_values.PC:
state.stack_push(bvv(state.pc))
elif op == opcode_values.GAS:
state.stack_push(state.env.gas)
elif op == opcode_values.ADDRESS:
state.stack_push(state.env.address)
elif op == opcode_values.BALANCE:
addr = solution(state.stack_pop())
if addr != solution(state.env.address):
raise utils.InterpreterError(
state,
"Can only query balance of the current contract for now"
)
state.stack_push(state.env.balance)
elif op == opcode_values.ORIGIN:
state.stack_push(state.env.origin)
elif op == opcode_values.CALLER:
state.stack_push(state.env.caller)
elif op == opcode_values.CALLVALUE:
state.stack_push(state.env.value)
elif op == opcode_values.BLOCKHASH:
block_num = state.stack_pop()
if block_num not in state.env.block_hashes:
state.env.block_hashes[block_num] = claripy.BVS(
"blockhash[%s]" % block_num, 256)
state.stack_push(state.env.block_hashes[block_num])
elif op == opcode_values.TIMESTAMP:
state.stack_push(state.env.block_timestamp)
elif op == opcode_values.NUMBER:
state.stack_push(state.env.block_number)
elif op == opcode_values.COINBASE:
state.stack_push(state.env.coinbase)
elif op == opcode_values.DIFFICULTY:
state.stack_push(state.env.difficulty)
elif op == opcode_values.POP:
state.stack_pop()
elif op == opcode_values.JUMP:
addr = solution(state.stack_pop())
if addr >= len(self.code
) or self.code[addr] != opcode_values.JUMPDEST:
raise utils.CodeError("Invalid jump (%i)" % addr)
state.pc = addr
self.add_branch(state)
return False
elif op == opcode_values.JUMPI:
addr, condition = solution(
state.stack_pop()), state.stack_pop()
state_false = state.copy()
state.solver.add(condition != BVV_0)
state_false.solver.add(condition == BVV_0)
state_false.pc += 1
self.add_branch(state_false)
state.pc = addr
if (state.pc >= len(self.code)
or self.code[state.pc] != opcode_values.JUMPDEST):
raise utils.CodeError("Invalid jump (%i)" % (state.pc - 1))
self.add_branch(state)
return False
elif opcode_values.PUSH1 <= op <= opcode_values.PUSH32:
pushnum = op - opcode_values.PUSH1 + 1
raw_value = self.code.read(pushnum)
state.pc += pushnum
state.stack_push(
bvv(int.from_bytes(raw_value, byteorder="big")))
elif opcode_values.DUP1 <= op <= opcode_values.DUP16:
depth = op - opcode_values.DUP1 + 1
state.stack_push(state.stack[-depth])
elif opcode_values.SWAP1 <= op <= opcode_values.SWAP16:
depth = op - opcode_values.SWAP1 + 1
temp = state.stack[-depth - 1]
state.stack[-depth - 1] = state.stack[-1]
state.stack[-1] = temp
elif opcode_values.LOG0 <= op <= opcode_values.LOG4:
depth = op - opcode_values.LOG0
mstart, msz = (state.stack_pop(), state.stack_pop())
topics = [state.stack_pop() for x in range(depth)]
elif op == opcode_values.SHA3:
start, length = solution(state.stack_pop()), solution(
state.stack_pop())
memory = state.memory.read(start, length)
state.stack_push(Sha3(memory))
elif op == opcode_values.STOP:
return True
elif op == opcode_values.RETURN:
return True
elif op == opcode_values.CALLDATALOAD:
index = state.stack_pop()
try:
index_sol = solution(index)
except MultipleSolutionsError:
state.stack_push(index) # restore the stack
self.add_for_fuzzing(state, index, CALLDATALOAD_INDEX_FUZZ)
return False
state.stack_push(state.env.calldata.read(index_sol, 32))
elif op == opcode_values.CALLDATASIZE:
state.stack_push(state.env.calldata_size)
elif op == opcode_values.CALLDATACOPY:
old_state = state.copy()
mstart, dstart, size = (
state.stack_pop(),
state.stack_pop(),
state.stack_pop(),
)
mstart, dstart = solution(mstart), solution(dstart)
try:
size = solution(size)
except MultipleSolutionsError:
self.add_for_fuzzing(old_state, size,
CALLDATACOPY_SIZE_FUZZ)
return False
state.memory.copy_from(state.env.calldata, mstart, dstart,
size)
elif op == opcode_values.CODESIZE:
state.stack_push(bvv(len(self.code)))
elif op == opcode_values.EXTCODESIZE:
addr = state.stack_pop()
if (addr == state.env.address).is_true():
state.stack_push(bvv(len(self.code)))
else:
# TODO: Improve that... It's clearly not constraining enough.
state.stack_push(claripy.BVS("EXTCODESIZE[%s]" % addr,
256))
elif op == opcode_values.EXTCODECOPY:
old_state = state.copy()
addr = state.stack_pop()
mem_start = solution(state.stack_pop())
code_start = solution(state.stack_pop())
size = state.stack_pop()
try:
size = solution(size)
except MultipleSolutionsError:
# TODO: Fuzz.
# self.add_for_fuzzing(old_state, size, [])
# return False
raise
state.memory.write(
mem_start,
size,
claripy.BVS("EXTCODE[%s from %s]" % (addr, code_start),
size * 8),
)
elif op == opcode_values.CODECOPY:
mem_start, code_start, size = [
solution(state.stack_pop()) for _ in range(3)
]
for i in range(size):
if code_start + i < len(state.env.code):
state.memory.write(
mem_start + i,
1,
claripy.BVV(state.env.code[code_start + i], 8),
)
else:
state.memory.write(mem_start + i, 1, claripy.BVV(0, 8))
elif op == opcode_values.MLOAD:
index = solution(state.stack_pop())
state.stack_push(state.memory.read(index, 32))
elif op == opcode_values.MSTORE:
index, value = solution(state.stack_pop()), state.stack_pop()
state.memory.write(index, 32, value)
elif op == opcode_values.MSTORE8:
index, value = solution(state.stack_pop()), state.stack_pop()
state.memory.write(index, 1, value[7:0])
elif op == opcode_values.MSIZE:
state.stack_push(bvv(state.memory.size()))
elif op == opcode_values.SLOAD:
state.pc += 1
key = state.stack_pop()
for w_key, w_value in state.storage_written.items():
read_written = [w_key == key]
if state.solver.satisfiable(
extra_constraints=read_written):
new_state = state.copy()
new_state.solver.add(read_written)
new_state.stack_push(w_value)
self.add_branch(new_state)
state.solver.add(w_key != key)
if state.solver.satisfiable():
assert key not in state.storage_written
if key not in state.storage_read:
state.storage_read[key] = claripy.BVS(
"storage[%s]" % key, 256)
state.stack_push(state.storage_read[key])
self.add_branch(state)
return
elif op == opcode_values.SSTORE:
state.pc += 1
key = state.stack_pop()
value = state.stack_pop()
for w_key, w_value in state.storage_written.items():
read_written = [w_key == key]
if state.solver.satisfiable(
extra_constraints=read_written):
new_state = state.copy()
new_state.solver.add(read_written)
new_state.storage_written[w_key] = value
self.add_branch(new_state)
state.solver.add(w_key != key)
if state.solver.satisfiable():
assert key not in state.storage_written
state.storage_written[key] = value
self.add_branch(state)
return
elif op == opcode_values.CALL:
state.pc += 1
# pylint:disable=unused-variable
gas, to_, value, meminstart, meminsz, memoutstart, memoutsz = (
state.stack_pop() for _ in range(7))
# First possibility: the call fails
# (always possible with a call stack big enough)
state_fail = state.copy()
state_fail.stack_push(BVV_0)
self.add_branch(state_fail)
# Second possibility: success.
state.calls.append((memoutsz, memoutstart, meminsz, meminstart,
value, to_, gas))
memoutsz = solution(memoutsz)
if memoutsz != 0:
# If we expect some output, let's constraint the call to
# be to a contract that we do control. Otherwise it could
# return anything...
state.solver.add(to_[159:0] == utils.DEFAULT_CALLER[159:0])
memoutstart = solution(memoutstart)
state.memory.write(
memoutstart,
memoutsz,
claripy.BVS("CALL_RETURN[%s]" % to_, memoutsz * 8),
)
state.stack_push(BVV_1)
self.add_branch(state)
return False
elif op == opcode_values.DELEGATECALL:
state.pc += 1
# pylint:disable=unused-variable
gas, to_, meminstart, meminsz, memoutstart, memoutsz = (
state.stack_pop() for _ in range(6))
# First possibility: the call fails
# (always possible with a call stack big enough)
state_fail = state.copy()
state_fail.stack_push(BVV_0)
self.add_branch(state_fail)
# If the call is to a specific contract we don't control,
# don't assume it could return anything, or even be successful.
# So we say we need to be able to call an arbitrary contract.
state.solver.add(to_[159:0] == utils.DEFAULT_CALLER[159:0])
# Second possibility: success.
state.calls.append(
(memoutsz, memoutstart, meminsz, meminstart, to_, gas))
memoutsz = solution(memoutsz)
if memoutsz != 0:
memoutstart = solution(memoutstart)
state.memory.write(
memoutstart,
memoutsz,
claripy.BVS("DELEGATECALL_RETURN[%s]" % to_,
memoutsz * 8),
)
state.stack_push(BVV_1)
self.add_branch(state)
return False
elif op == opcode_values.RETURNDATASIZE:
state.stack_push(claripy.BVS("RETURNDATASIZE", 256))
elif op == opcode_values.RETURNDATACOPY:
old_state = state.copy()
mem_start_position = solution(state.stack_pop())
returndata_start_position = solution(state.stack_pop())
size = state.stack_pop()
try:
size = solution(size)
except MultipleSolutionsError:
self.add_for_fuzzing(old_state, size,
RETURNDATACOPY_SIZE_FUZZ)
return False
state.memory.write(mem_start_position, size,
claripy.BVS("RETURNDATACOPY", size * 8))
elif op == opcode_values.SELFDESTRUCT:
state.selfdestruct_to = state.stack[-1]
return True
elif op == opcode_values.REVERT:
return False
else:
raise utils.InterpreterError(state, "Unknown opcode %#x" % op)
state.pc += 1
def exec_branch(self, state): # pylint:disable=invalid-name
"""Execute forward from a state, queuing new states if needed."""
logger.debug("Constraints: %s", state.solver.constraints)
def solution(variable):
"""Returns the solution. There must be one or we fail."""
solutions = state.solver.eval(variable, 2)
if len(solutions) > 1:
raise ValueError("Ambiguous solution for %s (%s)" %
(variable, self.code[state.pc]))
solution = solutions[0]
return solution if isinstance(solution,
numbers.Number) else solution.value
state.score += 1
self.code.pc = state.pc
while True:
if state.pc >= len(self.code):
return True
op = self.code.next()
self.coverage[state.pc] += 1
logger.debug("NEW STEP")
logger.debug("Memory: %s", state.memory)
logger.debug("Stack: %s", state.stack)
logger.debug("PC: %i, %s", state.pc, op)
assert self.code.pc == state.pc + 1
assert isinstance(op, numbers.Number)
assert all(
hasattr(i, "symbolic") for i in
state.stack), "The stack musty only contains claripy BV's"
# Trivial operations first
if not self.code.is_valid_opcode(state.pc):
raise utils.CodeError("Trying to execute PUSH data")
elif op == 254: # INVALID opcode
raise utils.CodeError("designed INVALID opcode")
elif op == opcode_values.JUMPDEST:
pass
elif op == opcode_values.ADD:
s0, s1 = (
not_bool(state.stack_pop()),
not_bool(state.stack_pop()),
) # pylint:disable=invalid-name
state.stack_push(s0 + s1)
elif op == opcode_values.SUB:
s0, s1 = (
not_bool(state.stack_pop()),
not_bool(state.stack_pop()),
) # pylint:disable=invalid-name
state.stack_push(s0 - s1)
elif op == opcode_values.MUL:
s0, s1 = (
not_bool(state.stack_pop()),
not_bool(state.stack_pop()),
) # pylint:disable=invalid-name
state.stack_push(s0 * s1)
elif op == opcode_values.DIV:
# We need to use claripy.LShR instead of a division if possible,
# because the solver is bad dealing with divisions, better
# with shifts. And we need shifts to handle the solidity ABI
# for function selection.
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1) # pylint:disable=invalid-name
except ValueError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0 / s1))
else:
if s1 == 0:
state.stack_push(BVV_0)
elif s1 == 1:
state.stack_push(s0)
elif s1 & (s1 - 1) == 0:
exp = int(math.log(s1, 2))
state.stack_push(s0.LShR(exp))
else:
state.stack_push(s0 / s1)
elif op == opcode_values.SDIV:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1)
except ValueError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0.SDiv(s1)))
else:
state.stack_push(BVV_0 if s1 == 0 else s0.SDiv(s1))
elif op == opcode_values.MOD:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1)
except ValueError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0 % s1))
else:
state.stack_push(BVV_0 if s1 == 0 else s0 % s1)
elif op == opcode_values.SMOD:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
try:
s1 = solution(s1)
except ValueError:
state.stack_push(claripy.If(s1 == 0, BVV_0, s0.SMod(s1)))
else:
state.stack_push(BVV_0 if s1 == 0 else s0.SMod(s1))
elif op == opcode_values.ADDMOD:
s0, s1, s2 = state.stack_pop(), state.stack_pop(
), state.stack_pop()
try:
s2 = solution(s2)
except ValueError:
state.stack_push(claripy.If(s2 == 0, BVV_0,
(s0 + s1) % s2))
else:
state.stack_push(BVV_0 if s2 == 0 else (s0 + s1) % s2)
elif op == opcode_values.MULMOD:
s0, s1, s2 = state.stack_pop(), state.stack_pop(
), state.stack_pop()
try:
s2 = solution(s2)
except ValueError:
state.stack_push(claripy.If(s2 == 0, BVV_0,
(s0 * s1) % s2))
else:
state.stack_push(BVV_0 if s2 == 0 else (s0 * s1) % s2)
elif op == opcode_values.EXP:
base, exponent = solution(state.stack_pop()), state.stack_pop()
if base == 2:
state.stack_push(1 << exponent)
else:
exponent = solution(exponent)
state.stack_push(claripy.BVV(base**exponent, 256))
elif op == opcode_values.LT:
s0, s1 = (
not_bool(state.stack_pop()),
not_bool(state.stack_pop()),
) # pylint:disable=invalid-name
state.stack_push(claripy.ULT(s0, s1))
elif op == opcode_values.GT:
s0, s1 = (
not_bool(state.stack_pop()),
not_bool(state.stack_pop()),
) # pylint:disable=invalid-name
state.stack_push(claripy.UGT(s0, s1))
elif op == opcode_values.SLT:
s0, s1 = (
not_bool(state.stack_pop()),
not_bool(state.stack_pop()),
) # pylint:disable=invalid-name
state.stack_push(claripy.SLT(s0, s1))
elif op == opcode_values.SGT:
s0, s1 = (
not_bool(state.stack_pop()),
not_bool(state.stack_pop()),
) # pylint:disable=invalid-name
state.stack_push(claripy.SGT(s0, s1))
elif op == opcode_values.SIGNEXTEND:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
# s0 is the number of bits. s1 the number we want to extend.
s0 = solution(s0)
if s0 <= 31:
sign_bit = 1 << (s0 * 8 + 7)
state.stack_push(
claripy.If(
s1 & sign_bit == 0,
s1 & (sign_bit - 1),
s1 | ((1 << 256) - sign_bit),
))
else:
state.stack_push(s1)
elif op == opcode_values.EQ:
s0, s1 = state.stack_pop(), state.stack_pop()
if isinstance(s0, claripy.ast.Bool) and isinstance(
s1, claripy.ast.Bool):
state.stack_push(s0 == s1)
else:
state.stack_push(not_bool(s0) == not_bool(s1))
elif op == opcode_values.ISZERO:
condition = state.stack_pop()
if isinstance(condition, claripy.ast.Bool):
state.stack_push(claripy.Not(condition))
else:
state.stack_push(condition == BVV_0)
elif op == opcode_values.AND:
s0, s1 = make_consistent(state.stack_pop(), state.stack_pop())
if isinstance(s0, claripy.ast.Bool) and isinstance(
s1, claripy.ast.Bool):
state.stack_push(s0 and s1)
else:
state.stack_push(s0 & s1)
elif op == opcode_values.OR:
s0, s1 = make_consistent(state.stack_pop(), state.stack_pop())
if isinstance(s0, claripy.ast.Bool) and isinstance(
s1, claripy.ast.Bool):
state.stack_push(s0 or s1)
else:
state.stack_push(s0 | s1)
elif op == opcode_values.XOR:
s0, s1 = make_consistent(state.stack_pop(), state.stack_pop())
state.stack_push(s0 ^ s1)
elif op == opcode_values.NOT:
state.stack_push(~state.stack_pop())
elif op == opcode_values.BYTE:
s0, s1 = (
state.stack_pop(),
state.stack_pop(),
) # pylint:disable=invalid-name
state.stack_push(
s1.LShR(claripy.If(s0 > 31, 32, 31 - s0) * 8) & 0xFF)
elif op == opcode_values.PC:
state.stack_push(bvv(state.pc))
elif op == opcode_values.GAS:
state.stack_push(state.env.gas)
elif op == opcode_values.ADDRESS:
state.stack_push(state.env.address)
elif op == opcode_values.BALANCE:
addr = solution(state.stack_pop())
if addr != solution(state.env.address):
raise utils.InterpreterError(
state,
"Can only query balance of the current contract for now"
)
state.stack_push(state.env.balance)
elif op == opcode_values.ORIGIN:
state.stack_push(state.env.origin)
elif op == opcode_values.CALLER:
state.stack_push(state.env.caller)
elif op == opcode_values.CALLVALUE:
state.stack_push(state.env.value)
elif op == opcode_values.BLOCKHASH:
block_num = state.stack_pop()
if block_num not in state.env.block_hashes:
state.env.block_hashes[block_num] = claripy.BVS(
"blockhash[%s]" % block_num, 256)
state.stack_push(state.env.block_hashes[block_num])
elif op == opcode_values.TIMESTAMP:
state.stack_push(state.env.block_timestamp)
elif op == opcode_values.NUMBER:
state.stack_push(state.env.block_number)
elif op == opcode_values.COINBASE:
state.stack_push(state.env.coinbase)
elif op == opcode_values.DIFFICULTY:
state.stack_push(state.env.difficulty)
elif op == opcode_values.POP:
state.stack_pop()
elif op == opcode_values.JUMP:
addr = solution(state.stack_pop())
if addr >= len(self.code
) or self.code[addr] != opcode_values.JUMPDEST:
raise utils.CodeError("Invalid jump (%i)" % addr)
state.pc = addr
self.add_branch(state)
return False
elif op == opcode_values.JUMPI:
addr, condition = solution(
state.stack_pop()), state.stack_pop()
state_false = state.copy()
if isinstance(condition, claripy.ast.Bool):
state.solver.add(condition)
state_false.solver.add(claripy.Not(condition))
else:
state.solver.add(condition != 0)
state_false.solver.add(condition == 0)
state_false.pc += 1
self.add_branch(state_false)
state.pc = addr
if (state.pc >= len(self.code)
or self.code[state.pc] != opcode_values.JUMPDEST):
raise utils.CodeError("Invalid jump (%i)" % (state.pc - 1))
self.add_branch(state)
return False
elif opcode_values.PUSH1 <= op <= opcode_values.PUSH32:
pushnum = op - opcode_values.PUSH1 + 1
raw_value = self.code.read(pushnum)
state.pc += pushnum
state.stack_push(
bvv(int.from_bytes(raw_value, byteorder="big")))
elif opcode_values.DUP1 <= op <= opcode_values.DUP16:
depth = op - opcode_values.DUP1 + 1
state.stack_push(state.stack[-depth])
elif opcode_values.SWAP1 <= op <= opcode_values.SWAP16:
depth = op - opcode_values.SWAP1 + 1
temp = state.stack[-depth - 1]
state.stack[-depth - 1] = state.stack[-1]
state.stack[-1] = temp
elif opcode_values.LOG0 <= op <= opcode_values.LOG4:
depth = op - opcode_values.LOG0
mstart, msz = (state.stack_pop(), state.stack_pop())
topics = [state.stack_pop() for x in range(depth)]
elif op == opcode_values.SHA3:
start, length = solution(state.stack_pop()), solution(
state.stack_pop())
memory = state.memory.read(start, length)
state.stack_push(Sha3(memory))
elif op == opcode_values.STOP:
return True
elif op == opcode_values.RETURN:
return True
elif op == opcode_values.CALLDATALOAD:
indexes = state.stack_pop()
try:
index = solution(indexes)
except ValueError: # Multiple solutions, let's fuzz.
state.stack_push(indexes) # restore the stack
self.add_for_fuzzing(state, indexes, CALLDATASIZE_FUZZ)
return False
state.solver.add(state.env.calldata_size >= index + 32)
state.stack_push(state.env.calldata.read(index, 32))
elif op == opcode_values.CALLDATASIZE:
state.stack_push(state.env.calldata_size)
elif op == opcode_values.CALLDATACOPY:
old_state = state.copy()
mstart, dstart, size = (
state.stack_pop(),
state.stack_pop(),
state.stack_pop(),
)
mstart, dstart = solution(mstart), solution(dstart)
try:
size = solution(size)
except ValueError:
self.add_for_fuzzing(old_state, size, CALLDATASIZE_FUZZ)
return False
state.memory.copy_from(state.env.calldata, mstart, dstart,
size)
state.solver.add(state.env.calldata_size >= dstart + size)
elif op == opcode_values.CODESIZE:
state.stack_push(bvv(len(self.code)))
elif op == opcode_values.EXTCODESIZE:
addr = state.stack_pop()
if (addr == state.env.address).is_true():
state.stack_push(bvv(len(self.code)))
else:
# TODO: Improve that... It's clearly not constraining enough.
state.stack_push(claripy.BVS("EXTCODESIZE[%s]" % addr,
256))
elif op == opcode_values.CODECOPY:
mem_start, code_start, size = [
solution(state.stack_pop()) for _ in range(3)
]
for i in range(size):
if code_start + i < len(state.env.code):
state.memory.write(
mem_start + i,
1,
claripy.BVV(state.env.code[code_start + i], 8),
)
else:
state.memory.write(mem_start + i, 1, claripy.BVV(0, 8))
elif op == opcode_values.MLOAD:
index = solution(state.stack_pop())
state.stack_push(state.memory.read(index, 32))
elif op == opcode_values.MSTORE:
index, value = solution(state.stack_pop()), not_bool(
state.stack_pop())
state.memory.write(index, 32, value)
elif op == opcode_values.MSTORE8:
index, value = solution(state.stack_pop()), not_bool(
state.stack_pop())
state.memory.write(index, 1, value[7:0])
elif op == opcode_values.MSIZE:
state.stack_push(bvv(state.memory.size()))
elif op == opcode_values.SLOAD:
# TODO: This is inaccurate, because the storage can change
# in a single transaction.
# See commit d98cab834f8f359f01ef805256d179f5529ebe30.
key = state.stack_pop()
if key in state.storage_written:
state.stack_push(state.storage_written[key])
else:
if key not in state.storage_read:
state.storage_read[key] = claripy.BVS(
"storage[%s]" % key, 256)
state.stack_push(state.storage_read[key])
elif op == opcode_values.SSTORE:
# TODO: This is inaccurate, because the storage can change
# in a single transaction.
# See commit d98cab834f8f359f01ef805256d179f5529ebe30.
key = state.stack_pop()
value = state.stack_pop()
state.storage_written[key] = value
elif op == opcode_values.CALL:
state.pc += 1
# First possibility: the call fails
# (always possible with a call stack big enough)
state_fail = state.copy()
state_fail.stack_push(claripy.BoolV(False))
self.add_branch(state_fail)
# Second possibility: success.
state.calls.append(state.stack[-7:])
# pylint:disable=unused-variable
gas, to_, value, meminstart, meminsz, memoutstart, memoutsz = (
state.stack_pop() for _ in range(7))
if solution(memoutsz) != 0:
raise utils.InterpreterError(state,
"CALL seems to return data")
if solution(meminsz) != 0:
raise utils.InterpreterError(state,
"CALL seems to take data")
state.stack_push(claripy.BoolV(True))
self.add_branch(state)
return False
elif op == opcode_values.SELFDESTRUCT:
state.selfdestruct_to = state.stack[-1]
return True
elif op == opcode_values.REVERT:
return False
else:
raise utils.InterpreterError(state, "Unknown opcode %s" % op)
state.pc += 1
def __init__(self):
build_tree({
"id": 1,
"block": "B1",
"children": [
{
"id": 2,
"block": "B2",
"children": []
},
{
"id": 3,
"block": "B4",
"children": []
}
]
}, TreePrunerTests.t1, 0)
TreePrunerTests.l1 = build_identity_dict({"B1", "B2", "B4"})
build_tree({
"id": 9,
"block": "B7",
"children": [
{
"id": 1,
"block": "B5",
"children": [
{
"id": 2,
"block": "B3",
"children": [
{
"id": 4,
"block": "B2",
"children": []
},
{
"id": 5,
"block": "B1",
"children": [
{
"id": 6,
"block": "B6",
"children": []
}
]
}
]
},
{
"id": 3,
"block": "B4",
"children": [
{
"id": 7,
"block": "B3",
"children": [
{
"id": 8,
"block": "B1",
"children": []
}
]
},
{
"id": 11,
"block": "B8",
"children": []
}
]
}
]
},
{
"id": 10,
"block": "B9",
"children": []
}
]
}, TreePrunerTests.t2, 0)
TreePrunerTests.l2 = build_identity_dict({"B1", "B2", "B3", "B4", "B5", "B6", "B7", "B8", "B9"})
build_tree({
"id": 1,
"block": "B1",
"children": [
{
"id": 2,
"block": "B2",
"children": []
},
{
"id": 3,
"block": "B1",
"children": [
{
"id": 4,
"block": "B2",
"children": []
},
{
"id": 5,
"block": "B1",
"children": [
{
"id": 6,
"block": "B2",
"children": []
},
{
"id": 7,
"block": "B1",
"children": [
{
"id": 8,
"block": "B2",
"children": []
},
{
"id": 9,
"block": "B1",
"children": []
}
]
}
]
}
]
}
]
}, TreePrunerTests.t3, 0)
TreePrunerTests.l3 = build_identity_dict({"B1", "B2"})
s1 = claripy.BVS('s1', 32)
build_tree({
"id": 1,
"block": "B1",
"children": [
{
"id": 2,
"block": "B2",
"children": [],
"constraints": [
claripy.SGT(s1, 0)
]
},
{
"id": 3,
"block": "B4",
"children": [],
"constraints": [
claripy.SLE(s1, 0)
]
}
]
}, TreePrunerTests.t4, 0)
TreePrunerTests.l4 = build_identity_dict({"B1", "B2", "B4"})
TreePrunerTests.s4 = {
's1': Symbol('s1', '', s1, 1, "", "UNKNOWN")
}
build_tree({
"id": 1,
"block": "B1",
"children": [
{
"id": 2,
"block": "B3",
"constraints": [
claripy.SLE(s1, 10)
],
"children": []
},
{
"id": 3,
"block": "B2",
"constraints": [
claripy.SGT(s1, 10)
],
"children": [
{
"id": 4,
"block": "B4",
"constraints": [
claripy.SGT(s1, 10),
claripy.SLE(s1, 20)
],
"children": []
},
{
"id": 5,
"block": "B5",
"constraints": [
claripy.SGT(s1, 20)
],
"children": []
}
]
}
]
}, TreePrunerTests.t5, 0)
TreePrunerTests.l5 = build_identity_dict({"B1", "B2", "B3", "B4", "B5"})
TreePrunerTests.s5 = {
's1': Symbol('s1', '', s1, 1, "", "UNKNOWN")
}
build_tree({
"id": 1,
"block": "B1",
"children": [
{
"id": 2,
"block": "B2",
"children": []
},
{
"id": 3,
"block": "B1",
"children": [
{
"id": 4,
"block": "B2",
"children": []
},
{
"id": 5,
"block": "B1",
"children": [
{
"id": 6,
"block": "B2",
"children": []
},
{
"id": 7,
"block": "B1",
"children": [
{
"id": 8,
"block": "B2",
"children": []
},
{
"id": 9,
"block": "B1",
"children": []
}
]
}
]
}
]
}
]
}, TreePrunerTests.t6, 0)
TreePrunerTests.l6 = build_identity_dict({"B1", "B2"})
