def handle_jumps(self, trace, line, condition):
    """Handle a control-flow opcode by appending successor ``Node``s to ``trace``.

    ``line`` is ``(pc, opcode, ...)``; ``condition`` is the path condition under
    which this line is reached and is carried into the ``Node`` built for an
    unconditional ``jump``.  For ``jumpi`` two nodes are built from the same
    snapshot of the stack: the taken branch (``safe=False``, constrained by the
    popped condition) and the fall-through branch at
    ``self.loader.next_line(i)`` (``safe=True``, constrained by its negation).

    NOTE(review): this listing ends inside the ``jumpi`` branch — the code that
    records the ``jumpi`` split in ``trace`` (and the handling of the other
    opcodes named in the ``--explain`` tuple) is not visible here.
    """
    i, op = line[0], line[1]
    stack = self.stack
    # With --explain, echo the stack and the instruction into the trace output.
    if '--explain' in sys.argv and op in ('jump', 'jumpi', 'selfdestruct', 'stop', 'return', 'invalid', 'assert_fail', 'revert'):
        trace.append(C.asm(f' {stack}'))
        trace.append('')
        trace.append(f'[{line[0]}] {C.asm(op)}')
    if op == 'jump':
        # Unconditional jump: one successor, inheriting the current path condition.
        target = stack.pop()
        n = Node(self, start=target, safe=False, stack=tuple(self.stack.stack), condition=condition)
        trace.append(('jump', n))
        return trace
    if op == 'jumpi':
        target = stack.pop()
        if_condition = simplify_bool(stack.pop())
        # Both successors start from the same stack snapshot.
        tuple_stack = tuple(self.stack.stack)
        n_true = Node(self, start=target, safe=False, stack=tuple_stack, condition=if_condition)
        n_false = Node(self, start=self.loader.next_line(i), safe=True, stack=tuple_stack, condition=is_zero(if_condition))
        if self.just_fdests:
            # NOTE(review): the `~` operator with `int:fx_hash` / `:is_cd` is not
            # standard Python; it reads like a pattern-match preprocessor dialect
            # (an `eq` of a constant selector against calldata at offset 0).
            # Confirm how this file is loaded before editing these two tests.
            if if_condition ~ ('eq', int:fx_hash, :is_cd) and str(('cd', 0)) in str(is_cd):
                n_true.trace=[('funccall', fx_hash, target)]
            if if_condition ~ ('eq', :is_cd, int:fx_hash) and str(('cd', 0)) in str(is_cd):
                n_true.trace=[('funccall', fx_hash, target)]
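def apply_stack(self, ret, line):
    """Symbolically execute one non-control-flow EVM instruction.

    Args:
        self: VM state.  Reads and writes ``self.stack``, ``self.counter``
            (fresh ``_N`` variable names), ``self.call_len`` and reads
            ``self.loader.binary``.
        ret: trace list that receives side-effect records (``setvar``,
            ``setmem``, ``store``, ``log`` and call records) and, when
            ``--verbose`` or ``--explain`` is on ``sys.argv``, colourised
            asm lines.
        line: ``(pc, opcode[, immediate])`` as produced by the loader.

    Returns:
        None.  Results are pushed onto ``self.stack`` and appended to ``ret``.

    Raises:
        AssertionError: if ``line`` carries a control-flow opcode (those belong
            to ``handle_jumps``) or if the stack height change does not match
            ``opcode_dict.stack_diffs[op]``.
        KeyError: from ``opcode_dict.stack_diffs`` for an opcode the dispatcher
            does not know (such an opcode falls through untouched).
    """
    word_mask = 2**256 - 1  # every concrete EVM word is 256 bits wide

    def trace(exp, *format_args):
        # Best-effort debug echo: str(exp) of a symbolic tuple may contain
        # braces that str.format() rejects, so logging must never abort
        # execution.  The record itself is always appended.
        try:
            logger.debug("Trace: %s", str(exp).format(*format_args))
        except Exception:
            pass
        if isinstance(exp, str):
            ret.append(exp.format(*format_args))
        else:
            ret.append(exp)

    def split_call_args(arg_start, arg_len):
        # Return (selector, params) for a call's argument memory range:
        # no args -> (None, None); selector only -> (selector, 0);
        # otherwise the selector plus the remaining arg_len - 4 bytes.
        if arg_len == 0:
            return None, None
        fname = mem_load(arg_start, 4)
        if arg_len == 4:
            return fname, 0
        return fname, mem_load(add_op(arg_start, 4), sub_op(arg_len, 4))

    stack = self.stack
    op = line[1]
    previous_len = stack.len()

    if "--verbose" in sys.argv or "--explain" in sys.argv:
        trace(C.asm(" " + str(stack)))
        trace("")
        if "push" not in op and "dup" not in op and "swap" not in op:
            trace("[{}] {}", line[0], C.asm(op))
        elif isinstance(line[2], str):
            trace("[{}] {} {}", line[0], C.asm(op), C.asm(" ”" + line[2] + "”"))
        elif line[2] > 0x1000000000:
            # large immediates (addresses, selectors, masks) read better as hex
            trace("[{}] {} {}", line[0], C.asm(op), C.asm(hex(line[2])))
        else:
            trace("[{}] {} {}", line[0], C.asm(op), C.asm(str(line[2])))

    # Immediate operand for push/dup/swap; 0 when the line has none.
    param = line[2] if len(line) > 2 else 0

    if op in ("exp", "and", "eq", "div", "lt", "gt", "slt", "sgt", "mod", "xor", "signextend", "smod", "sdiv"):
        stack.append(arithmetic.eval((op, stack.pop(), stack.pop())))
    elif op[:4] == "push":
        stack.append(param)
    elif op == "pop":
        stack.pop()
    elif op == "dup":
        stack.dup(param)
    elif op == "mul":
        stack.append(mul_op(stack.pop(), stack.pop()))
    elif op == "or":
        stack.append(or_op(stack.pop(), stack.pop()))
    elif op == "add":
        stack.append(add_op(stack.pop(), stack.pop()))
    elif op == "sub":
        left = stack.pop()
        right = stack.pop()
        if type(left) == int and type(right) == int:
            stack.append(arithmetic.sub(left, right))
        else:
            stack.append(sub_op(left, right))
    elif op in ("mulmod", "addmod"):
        # both are recorded under the 'mulmod' tag
        stack.append(("mulmod", stack.pop(), stack.pop(), stack.pop()))
    elif op == "shl":
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # EVM: a shift of 256 or more yields 0; otherwise the result wraps
            # to 256 bits.  The guard also keeps an attacker-chosen huge shift
            # count in bytecode from making Python build an enormous int.
            stack.append(0 if off >= 256 else (exp << off) & word_mask)
        else:
            stack.append(mask_op(exp, shl=off))
    elif op == "shr":
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # EVM: a shift of 256 or more yields 0.
            stack.append(0 if off >= 256 else exp >> off)
        else:
            stack.append(mask_op(exp, offset=minus_op(off), shr=off))
    elif op == "sar":
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            sign = exp & (1 << 255)
            if off >= 256:
                # shifting out the whole word leaves only the replicated sign bit
                stack.append(word_mask if sign else 0)
            else:
                shifted = exp >> off
                if sign:
                    # replicate the sign into exactly the top `off` bits;
                    # `(2**256 - 1) << (256 - off)` would also set bits above
                    # bit 255 and produce a value wider than an EVM word
                    shifted |= ((1 << off) - 1) << (256 - off)
                stack.append(shifted)
        else:
            # FIXME: This won't give the right result...
            stack.append(mask_op(exp, offset=minus_op(off), shr=off))
    elif op in ("not", "iszero"):
        stack.append((op, stack.pop()))
    elif op == "sha3":
        p = stack.pop()
        n = stack.pop()
        res = mem_load(p, n)
        # hash results get a fresh variable so later uses share one definition
        self.counter += 1
        vname = f"_{self.counter}"
        trace(("setvar", vname, ("sha3", res)))
        stack.append(("var", vname))
    elif op == "calldataload":
        stack.append(("cd", stack.pop()))
    elif op == "byte":
        val = stack.pop()
        num = stack.pop()
        off = sub_op(256, to_bytes(num))
        stack.append(mask_op(val, 8, off, shr=off))
    elif op == "selfbalance":
        stack.append(("balance", "address"))
    elif op == "balance":
        addr = stack.pop()
        # a 160-bit mask around an address is just the address
        if opcode(addr) == "mask_shl" and addr[:4] == ("mask_shl", 160, 0, 0):
            stack.append(("balance", addr[4]))
        else:
            stack.append(("balance", addr))
    elif op == "swap":
        stack.swap(param)
    elif op[:3] == "log":
        p = stack.pop()
        s = stack.pop()
        # opcode is 'log0'..'log4'; the digit is the topic count
        topics = [stack.pop() for _ in range(int(op[3]))]
        trace(("log", mem_load(p, s)) + tuple(topics))
    elif op == "sload":
        sloc = stack.pop()
        stack.append(("storage", 256, 0, sloc))
    elif op == "sstore":
        sloc = stack.pop()
        val = stack.pop()
        trace(("store", 256, 0, sloc, val))
    elif op == "mload":
        memloc = stack.pop()
        self.counter += 1
        vname = f"_{self.counter}"
        trace(("setvar", vname, ("mem", ("range", memloc, 32))))
        stack.append(("var", vname))
    elif op == "mstore":
        memloc = stack.pop()
        val = stack.pop()
        trace(("setmem", ("range", memloc, 32), val))
    elif op == "mstore8":
        memloc = stack.pop()
        val = stack.pop()
        trace(("setmem", ("range", memloc, 8), val))
    elif op == "extcodecopy":
        addr = stack.pop()
        mem_pos = stack.pop()
        code_pos = stack.pop()
        data_len = stack.pop()
        trace(("setmem", ("range", mem_pos, data_len), ("extcodecopy", addr, ("range", code_pos, data_len))))
    elif op == "codecopy":
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        if type(call_pos) is int and type(data_len) is int and call_pos + data_len < len(self.loader.binary):
            # Concrete copy of the contract's own bytes: fold them into one int.
            # NOTE(review): the indices run binary[call_pos - 1 .. call_pos + data_len - 2];
            # the -1 is kept as-is (presumably matching how loader.binary is indexed).
            # With call_pos == 0 the first index is -1, which Python resolves to
            # the last byte instead of raising — confirm against the loader.
            res = 0
            for i in range(call_pos - 1, call_pos + data_len - 1):
                res = res << 8
                res += self.loader.binary[i]  # this breaks with out of range for some contracts
                # may be because we're usually getting compiled code binary
                # and not runtime binary
            trace(("setmem", ("range", mem_pos, data_len), res))  # ('bytes', data_len, res)))
        else:
            trace(("setmem", ("range", mem_pos, data_len), ("code.data", call_pos, data_len)))
    elif op == "codesize":
        stack.append(len(self.loader.binary))
    elif op == "calldatacopy":
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        if data_len != 0:
            call_data = ("call.data", call_pos, data_len)
            # call_data = mask_op(('call.data', bits(add_op(data_len, call_pos))), size=bits(data_len), shl=bits(call_pos))
            trace(("setmem", ("range", mem_pos, data_len), call_data))
    elif op == "returndatacopy":
        mem_pos = stack.pop()
        ret_pos = stack.pop()
        data_len = stack.pop()
        if data_len != 0:
            return_data = ("ext_call.return_data", ret_pos, data_len)
            # return_data = mask_op(('ext_call.return_data', bits(add_op(data_len, ret_pos))), size=bits(data_len), shl=bits(ret_pos))
            trace(("setmem", ("range", mem_pos, data_len), return_data))
    elif op in ("call", "staticcall"):
        self.handle_call(op, trace)
    elif op == "delegatecall":
        gas = stack.pop()
        addr = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        fname, fparams = split_call_args(arg_start, arg_len)
        trace(("delegatecall", gas, addr, fname, fparams))
        self.call_len = ret_len
        stack.append("delegate.return_code")
        if ret_len != 0:
            trace(("setmem", ("range", ret_start, ret_len), ("delegate.return_data", 0, ret_len)))
    elif op == "callcode":
        gas = stack.pop()
        addr = stack.pop()
        value = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        fname, fparams = split_call_args(arg_start, arg_len)
        trace(("callcode", gas, addr, value, fname, fparams))
        self.call_len = ret_len
        stack.append("callcode.return_code")
        if ret_len != 0:
            trace(("setmem", ("range", ret_start, ret_len), ("callcode.return_data", 0, ret_len)))
    elif op == "create":
        wei, mem_start, mem_len = stack.pop(), stack.pop(), stack.pop()
        code = mem_load(mem_start, mem_len)
        trace(("create", wei, code))
        stack.append("create.new_address")
    elif op == "create2":
        wei, mem_start, mem_len, salt = stack.pop(), stack.pop(), stack.pop(), stack.pop()
        trace(("create2", wei, ("mem", ("range", mem_start, mem_len)), salt))
        stack.append("create2.new_address")
    elif op == "pc":
        stack.append(line[0])
    elif op == "msize":
        self.counter += 1
        vname = f"_{self.counter}"
        trace(("setvar", vname, "msize"))
        stack.append(("var", vname))
    elif op in ("extcodesize", "extcodehash", "blockhash"):
        stack.append((op, stack.pop()))
    elif op in ("callvalue", "caller", "address", "number", "gas", "origin", "timestamp", "chainid", "difficulty", "gasprice", "coinbase", "gaslimit", "calldatasize", "returndatasize"):
        # environment reads are kept symbolic under the opcode's own name
        stack.append(op)
    else:
        # TODO: Maybe raise an error directly?
        # Control-flow opcodes belong to handle_jumps.  Explicit raise (not
        # `assert`) so the check survives `python -O`; any other unknown
        # opcode falls through to the stack-diff check below.
        if op in ("jump", "jumpi", "revert", "return", "stop", "jumpdest", "UNKNOWN"):
            raise AssertionError(f"control-flow opcode {op} passed to apply_stack")

    # Every handler must move the stack height by the opcode's documented
    # delta; a mismatch means a handler popped or pushed the wrong count.
    actual_diff = stack.len() - previous_len
    expected_diff = opcode_dict.stack_diffs[op]
    if actual_diff != expected_diff:
        logger.error("line: %s", line)
        logger.error("stack: %s", stack)
        logger.error("expected %s, got %s stack diff", expected_diff, actual_diff)
        raise AssertionError(f"opcode {op} not processed correctly")

    stack.cleanup()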
def handle_jumps(self, trace, line, condition):
    """Handle a control-flow opcode by appending successor ``Node``s to ``trace``.

    ``line`` is ``(pc, opcode, ...)``; ``condition`` is the path condition under
    which this line is reached and is carried into the ``Node`` built for an
    unconditional ``jump``.  For ``jumpi`` two nodes are built from the same
    snapshot of the stack: the taken branch (``safe=False``, constrained by the
    popped condition) and the fall-through branch at
    ``self.loader.next_line(i)`` (``safe=True``, constrained by its negation).

    NOTE(review): this listing ends inside the ``jumpi`` branch — the code that
    records the ``jumpi`` split in ``trace`` (and the handling of the other
    opcodes named in the tuples below) is not visible here.
    """
    i, op = line[0], line[1]
    stack = self.stack
    # With --explain, echo the stack and the instruction into the trace output.
    if "--explain" in sys.argv and op in ("jump", "jumpi", "selfdestruct", "stop", "return", "invalid", "assert_fail", "revert"):
        trace.append(C.asm(f" {stack}"))
        trace.append("")
        trace.append(f"[{line[0]}] {C.asm(op)}")
    if op in ("jump", "jumpi", "selfdestruct", "stop", "return", "invalid", "assert_fail", "revert"):
        logger.debug("[%s] %s", i, op)
    if op == "jump":
        # Unconditional jump: one successor, inheriting the current path condition.
        target = stack.pop()
        n = Node(self, start=target, safe=False, stack=tuple(self.stack.stack), condition=condition)
        trace.append(("jump", n))
        return trace
    elif op == "jumpi":
        target = stack.pop()
        if_condition = simplify_bool(stack.pop())
        # Both successors start from the same stack snapshot.
        tuple_stack = tuple(self.stack.stack)
        n_true = Node(self, start=target, safe=False, stack=tuple_stack, condition=if_condition)
        n_false = Node(self, start=self.loader.next_line(i), safe=True, stack=tuple_stack, condition=is_zero(if_condition))
        if self.just_fdests:
            # Function-dispatch detection: an `eq` between an int constant and an
            # expression mentioning calldata at offset 0 (the selector), in either
            # operand order, marks the taken branch as a call to that selector.
            # `match` is presumably the project's pattern helper binding the
            # ":name" slots as attributes of its result — confirm.
            if ((m := match(if_condition, ("eq", ":fx_hash", ":is_cd"))) and str(("cd", 0)) in str(m.is_cd) and isinstance(m.fx_hash, int)):
                n_true.trace = [("funccall", m.fx_hash, target, tuple_stack)]
            if ((m := match(if_condition, ("eq", ":is_cd", ":fx_hash"))) and str(("cd", 0)) in str(m.is_cd) and isinstance(m.fx_hash, int)):
                n_true.trace = [("funccall", m.fx_hash, target, tuple_stack)]
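def apply_stack(self, ret, line):
    """Symbolically execute one non-control-flow EVM instruction.

    Args:
        self: VM state.  Reads and writes ``self.stack``, ``self.counter``
            (fresh ``_N`` variable names), ``self.call_len`` and reads
            ``self.loader.binary``.
        ret: trace list that receives side-effect records (``setvar``,
            ``setmem``, ``store``, ``log`` and call records) and, when
            ``--verbose`` or ``--explain`` is on ``sys.argv``, colourised
            asm lines.
        line: ``(pc, opcode[, immediate])`` as produced by the loader.

    Returns:
        None.  Results are pushed onto ``self.stack`` and appended to ``ret``.

    Raises:
        AssertionError: if ``line`` carries a control-flow opcode (those belong
            to ``handle_jumps``) or if the stack height change does not match
            ``opcode_dict.stack_diffs[op]``.
        KeyError: from ``opcode_dict.stack_diffs`` for an opcode the dispatcher
            does not know (such an opcode falls through untouched).
    """
    word_mask = 2**256 - 1  # every concrete EVM word is 256 bits wide

    def trace(exp, *format_args):
        # Debug echo only under --verbose: str(exp) of a symbolic tuple can
        # contain braces that str.format() rejects (e.g. it broke on
        # 0x00a159d41a5bc12dce2f8AcA8e5BB5Beb8F6ABc8.update).  The record
        # itself is always appended.
        if '--verbose' in sys.argv:
            logger.debug("Trace: %s", str(exp).format(*format_args))
        if isinstance(exp, str):
            ret.append(exp.format(*format_args))
        else:
            ret.append(exp)

    def split_call_args(arg_start, arg_len):
        # Return (selector, params) for a call's argument memory range:
        # no args -> (None, None); selector only -> (selector, 0);
        # otherwise the selector plus the remaining arg_len - 4 bytes.
        if arg_len == 0:
            return None, None
        fname = mem_load(arg_start, 4)
        if arg_len == 4:
            return fname, 0
        return fname, mem_load(add_op(arg_start, 4), sub_op(arg_len, 4))

    stack = self.stack
    op = line[1]
    previous_len = stack.len()

    if '--verbose' in sys.argv or '--explain' in sys.argv:
        trace(C.asm(' ' + str(stack)))
        trace('')
        if "push" not in op and "dup" not in op and "swap" not in op:
            trace('[{}] {}', line[0], C.asm(op))
        elif isinstance(line[2], str):
            trace('[{}] {} {}', line[0], C.asm(op), C.asm(" ”" + line[2] + "”"))
        elif line[2] > 0x1000000000:
            # large immediates (addresses, selectors, masks) read better as hex
            trace('[{}] {} {}', line[0], C.asm(op), C.asm(hex(line[2])))
        else:
            trace('[{}] {} {}', line[0], C.asm(op), C.asm(str(line[2])))

    # Control-flow opcodes belong to handle_jumps.  Explicit raise (not
    # `assert`) so the check survives `python -O`.
    if op in ('jump', 'jumpi', 'revert', 'return', 'stop', 'jumpdest'):
        raise AssertionError(f"control-flow opcode {op} passed to apply_stack")

    # Immediate operand for push/dup/swap; 0 when the line has none.
    param = line[2] if len(line) > 2 else 0

    if op in ('exp', 'and', 'eq', 'div', 'lt', 'gt', 'slt', 'sgt', 'mod', 'xor', 'signextend', 'smod', 'sdiv'):
        stack.append(arithmetic.eval((op, stack.pop(), stack.pop())))
    elif op in ('mulmod', 'addmod'):
        # both are recorded under the 'mulmod' tag
        stack.append(('mulmod', stack.pop(), stack.pop(), stack.pop()))
    elif op == 'mul':
        stack.append(mul_op(stack.pop(), stack.pop()))
    elif op == 'or':
        stack.append(or_op(stack.pop(), stack.pop()))
    elif op == 'shl':
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # EVM: a shift of 256 or more yields 0; otherwise the result wraps
            # to 256 bits.  The guard also keeps an attacker-chosen huge shift
            # count in bytecode from making Python build an enormous int.
            stack.append(0 if off >= 256 else (exp << off) & word_mask)
        else:
            stack.append(mask_op(exp, shl=off))
    elif op == 'shr':
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # EVM: a shift of 256 or more yields 0.
            stack.append(0 if off >= 256 else exp >> off)
        else:
            stack.append(mask_op(exp, offset=minus_op(off), shr=off))
    elif op == 'add':
        stack.append(add_op(stack.pop(), stack.pop()))
    elif op == 'sub':
        left = stack.pop()
        right = stack.pop()
        if type(left) == int and type(right) == int:
            stack.append(arithmetic.sub(left, right))
        else:
            stack.append(sub_op(left, right))
    elif op in ('not', 'iszero'):
        stack.append((op, stack.pop()))
    elif op == 'sha3':
        p = stack.pop()
        n = stack.pop()
        res = mem_load(p, n)
        # hash results get a fresh variable so later uses share one definition
        self.counter += 1
        vname = f'_{self.counter}'
        trace(('setvar', vname, ('sha3', res)))
        stack.append(('var', vname))
    elif op == 'calldataload':
        stack.append(('cd', stack.pop()))
    elif op == 'byte':
        val = stack.pop()
        num = stack.pop()
        off = sub_op(256, to_bytes(num))
        stack.append(mask_op(val, 8, off, shr=off))
    elif op == 'balance':
        addr = stack.pop()
        # a 160-bit mask around an address is just the address
        if opcode(addr) == 'mask_shl' and addr[:4] == ('mask_shl', 160, 0, 0):
            stack.append(('balance', addr[4]))
        else:
            stack.append(('balance', addr))
    elif op == 'swap':
        stack.swap(param)
    elif op[:3] == 'log':
        p = stack.pop()
        s = stack.pop()
        # opcode is 'log0'..'log4'; the digit is the topic count
        topics = [stack.pop() for _ in range(int(op[3]))]
        trace(('log', mem_load(p, s)) + tuple(topics))
    elif op == 'sload':
        sloc = stack.pop()
        stack.append(('storage', 256, 0, sloc))
    elif op == 'sstore':
        sloc = stack.pop()
        val = stack.pop()
        trace(('store', 256, 0, sloc, val))
    elif op == 'mload':
        # the loaded value is only recorded symbolically via setvar; the
        # former unused `mem_load(memloc)` call was dropped
        memloc = stack.pop()
        self.counter += 1
        vname = f'_{self.counter}'
        trace(('setvar', vname, ('mem', ('range', memloc, 32))))
        stack.append(('var', vname))
    elif op == 'mstore':
        memloc = stack.pop()
        val = stack.pop()
        trace(('setmem', ('range', memloc, 32), val))
    elif op == 'mstore8':
        memloc = stack.pop()
        val = stack.pop()
        trace(('setmem', ('range', memloc, 8), val))
    elif op == 'extcodecopy':
        addr = stack.pop()
        mem_pos = stack.pop()
        code_pos = stack.pop()
        data_len = stack.pop()
        trace(('setmem', ('range', mem_pos, data_len), ('extcodecopy', addr, ('range', code_pos, data_len))))
    elif op == 'codecopy':
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        if type(call_pos) is int and type(data_len) is int and call_pos + data_len < len(self.loader.binary):
            # Concrete copy of the contract's own bytes: fold them into one int.
            # NOTE(review): the indices run binary[call_pos - 1 .. call_pos + data_len - 2];
            # the -1 is kept as-is (presumably matching how loader.binary is indexed).
            # With call_pos == 0 the first index is -1, which Python resolves to
            # the last byte instead of raising — confirm against the loader.
            res = 0
            for i in range(call_pos - 1, call_pos + data_len - 1):
                res = res << 8
                res += self.loader.binary[i]  # this breaks with out of range for some contracts
                # may be because we're usually getting compiled code binary
                # and not runtime binary
            trace(('setmem', ('range', mem_pos, data_len), res))  # ('bytes', data_len, res)))
        else:
            trace(('setmem', ('range', mem_pos, data_len), ('code.data', call_pos, data_len)))
    elif op == 'codesize':
        stack.append(len(self.loader.binary))
    elif op == 'calldatacopy':
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        if data_len != 0:
            call_data = ('call.data', call_pos, data_len)
            # call_data = mask_op(('call.data', bits(add_op(data_len, call_pos))), size=bits(data_len), shl=bits(call_pos))
            trace(('setmem', ('range', mem_pos, data_len), call_data))
    elif op == 'returndatacopy':
        mem_pos = stack.pop()
        ret_pos = stack.pop()
        data_len = stack.pop()
        if data_len != 0:
            return_data = ('ext_call.return_data', ret_pos, data_len)
            # return_data = mask_op(('ext_call.return_data', bits(add_op(data_len, ret_pos))), size=bits(data_len), shl=bits(ret_pos))
            trace(('setmem', ('range', mem_pos, data_len), return_data))
    elif op in ('call', 'staticcall'):
        self.handle_call(op, trace)
    elif op == 'delegatecall':
        gas = stack.pop()
        addr = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        fname, fparams = split_call_args(arg_start, arg_len)
        trace(('delegatecall', gas, addr, fname, fparams))
        self.call_len = ret_len
        stack.append('delegate.return_code')
        if ret_len != 0:
            trace(('setmem', ('range', ret_start, ret_len), ('delegate.return_data', 0, ret_len)))
    elif op == 'callcode':
        gas = stack.pop()
        addr = stack.pop()
        value = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        fname, fparams = split_call_args(arg_start, arg_len)
        trace(('callcode', gas, addr, value, fname, fparams))
        self.call_len = ret_len
        stack.append('callcode.return_code')
        if ret_len != 0:
            trace(('setmem', ('range', ret_start, ret_len), ('callcode.return_data', 0, ret_len)))
    elif op == 'create':
        wei, mem_start, mem_len = stack.pop(), stack.pop(), stack.pop()
        code = mem_load(mem_start, mem_len)
        trace(('create', wei, code))
        stack.append('create.new_address')
    elif op == 'create2':
        wei, mem_start, mem_len, salt = stack.pop(), stack.pop(), stack.pop(), stack.pop()
        trace(('create2', wei, ('mem', ('range', mem_start, mem_len)), salt))
        stack.append('create2.new_address')
    elif op[:4] == 'push':
        stack.append(param)
    elif op == 'pc':
        stack.append(line[0])
    elif op == 'pop':
        stack.pop()
    elif op == 'dup':
        stack.dup(param)
    elif op == 'msize':
        self.counter += 1
        vname = f'_{self.counter}'
        trace(('setvar', vname, 'msize'))
        stack.append(('var', vname))
    elif op in ('extcodesize', 'extcodehash', 'blockhash'):
        stack.append((op, stack.pop()))
    elif op in ('callvalue', 'caller', 'address', 'number', 'gas', 'origin', 'timestamp', 'difficulty', 'gasprice', 'coinbase', 'gaslimit', 'calldatasize', 'returndatasize'):
        # environment reads are kept symbolic under the opcode's own name
        stack.append(op)

    # Every handler must move the stack height by the opcode's documented
    # delta; a mismatch means a handler popped or pushed the wrong count.
    # (The error log previously referenced an undefined `org_len`, so the
    # mismatch path died with NameError instead of the intended message.)
    actual_diff = stack.len() - previous_len
    expected_diff = opcode_dict.stack_diffs[op]
    if actual_diff != expected_diff:
        logger.error('line: %s', line)
        logger.error('stack: %s', stack)
        logger.error('expected %s, got %s stack diff', expected_diff, actual_diff)
        raise AssertionError(f'opcode {op} not processed correctly')

    stack.cleanup()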