def testBasicMigration(self):
solver = Z3Solver.instance()
cs1 = ConstraintSet()
cs2 = ConstraintSet()
var1 = cs1.new_bitvec(32, "var")
var2 = cs2.new_bitvec(32, "var")
cs1.add(Operators.ULT(var1, 3)) # var1 can be 0, 1, 2
# make a migration map dict
migration_map1 = {}
# this expression is composed with variables of both cs
expression = var1 > var2
migrated_expression = cs1.migrate(expression, migration_map1)
cs1.add(migrated_expression)
expression = var2 > 0
migrated_expression = cs1.migrate(expression, migration_map1)
cs1.add(migrated_expression)
self.assertItemsEqual(solver.get_all_values(cs1, var1),
[2]) # should only be [2]
"""
Race condition on Reserve buy and sell allows one to steal ethers
"""
import sys
from collections import namedtuple
from manticore.ethereum import ManticoreEVM
from manticore.utils import config
from manticore.ethereum.abi import ABI
#from manticore.core.smtlib import solver
from manticore.core.smtlib.solver import Z3Solver
solver = Z3Solver.instance()
from initialize_market import initialize
from constants import ONE_ETH
consts = config.get_group("evm")
consts.oog = "ignore"
Account = namedtuple('Account', ['name', 'account', 'initial_supply'])
################ Helpers #######################
def init_user(m, market, name, initial_balance):
user_account = m.create_account(balance=initial_balance)
print(f"[+] Creating a {name} account {hex(user_account.address)}")
market.ether_token_contract.deposit(value=initial_balance,
caller=user_account)
def constraints_are_sat(cons):
"Whether constraints are sat"
return Z3Solver.instance().check(constraints_to_constraintset(cons))
def setUp(self):
self.solver = Z3Solver.instance()
def test_ConstraintsForking(self):
solver = Z3Solver.instance()
import pickle
cs = ConstraintSet()
# make free 32bit bitvectors
x = cs.new_bitvec(8)
y = cs.new_bitvec(8)
# linear relation
# cs.add(x+y*5 == 0)
# Fork and divide in quadrants
saved_up = None
saved_up_right = None
saved_up_left = None
saved_down = None
saved_down_right = None
saved_down_left = None
with cs as cs_up:
cs_up.add(y.uge(0x80))
self.assertItemsEqual(solver.get_all_values(cs_up, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up, y),
range(0x80, 0x100))
saved_up = pickle_dumps((x, y, cs_up))
self.assertItemsEqual(solver.get_all_values(cs_up, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up, y),
range(0x80, 0x100))
with cs_up as cs_up_right:
cs_up_right.add(x.uge(0x80))
saved_up_right = pickle_dumps((x, y, cs_up_right))
self.assertItemsEqual(solver.get_all_values(cs_up_right, x),
range(0x80, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up_right, y),
range(0x80, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up, y),
range(0x80, 0x100))
with cs_up as cs_up_left:
cs_up_left.add(x.ult(0x80))
saved_up_left = pickle_dumps((x, y, cs_up_left))
self.assertItemsEqual(solver.get_all_values(cs_up_left, x),
range(0, 0x80))
self.assertItemsEqual(solver.get_all_values(cs_up_left, y),
range(0x80, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up, y),
range(0x80, 0x100))
with cs as cs_down:
cs_down.add(y.ult(0x80))
self.assertItemsEqual(solver.get_all_values(cs_down, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_down, y),
range(0, 0x80))
saved_down = pickle_dumps((x, y, cs_down))
self.assertItemsEqual(solver.get_all_values(cs_down, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_down, y),
range(0, 0x80))
with cs_down as cs_down_right:
cs_down_right.add(x.uge(0x80))
saved_down_right = pickle_dumps((x, y, cs_down_right))
self.assertItemsEqual(solver.get_all_values(cs_down_right, x),
range(0x80, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_down_right, y),
range(0, 0x80))
self.assertItemsEqual(solver.get_all_values(cs_down, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_down, y),
range(0, 0x80))
with cs_down as cs_down_left:
cs_down_left.add(x.ult(0x80))
saved_down_left = pickle_dumps((x, y, cs_down_left))
self.assertItemsEqual(solver.get_all_values(cs_down_left, x),
range(0, 0x80))
self.assertItemsEqual(solver.get_all_values(cs_down_left, y),
range(0, 0x80))
self.assertItemsEqual(solver.get_all_values(cs_down, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_down, y),
range(0, 0x80))
x, y, cs_up = pickle.loads(saved_up)
self.assertItemsEqual(solver.get_all_values(cs_up, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up, y),
range(0x80, 0x100))
x, y, cs_up_right = pickle.loads(saved_up_right)
self.assertItemsEqual(solver.get_all_values(cs_up_right, x),
range(0x80, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_up_right, y),
range(0x80, 0x100))
x, y, cs_up_left = pickle.loads(saved_up_left)
self.assertItemsEqual(solver.get_all_values(cs_up_left, x),
range(0x00, 0x80))
self.assertItemsEqual(solver.get_all_values(cs_up_left, y),
range(0x80, 0x100))
x, y, cs_down = pickle.loads(saved_down)
self.assertItemsEqual(solver.get_all_values(cs_down, x),
range(0x0, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_down, y),
range(0x0, 0x80))
x, y, cs_down_right = pickle.loads(saved_down_right)
self.assertItemsEqual(solver.get_all_values(cs_down_right, x),
range(0x80, 0x100))
self.assertItemsEqual(solver.get_all_values(cs_down_right, y),
range(0x00, 0x80))
x, y, cs_down_left = pickle.loads(saved_down_left)
self.assertItemsEqual(solver.get_all_values(cs_down_left, x),
range(0x00, 0x80))
self.assertItemsEqual(solver.get_all_values(cs_down_left, y),
range(0x00, 0x80))
def test_related_to(self):
import gzip
import pickle, sys
filename = os.path.abspath(
os.path.join(DIRPATH, "data", "ErrRelated.pkl.gz"))
# A constraint set and a contraint caught in the act of making related_to fail
constraints, constraint = pickle.loads(
gzip.open(filename, "rb").read())
Z3Solver.instance().can_be_true.cache_clear()
ground_truth = Z3Solver.instance().can_be_true(constraints, constraint)
self.assertEqual(ground_truth, False)
Z3Solver.instance().can_be_true.cache_clear()
self.assertEqual(
ground_truth,
Z3Solver.instance().can_be_true(
constraints.related_to(constraints), constraint),
)
# Replace
new_constraint = Operators.UGE(
Operators.SEXTEND(BitVecConstant(256, 0x1A), 256, 512) *
BitVecConstant(512, 1),
0x00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000,
)
self.assertEqual(translate_to_smtlib(constraint),
translate_to_smtlib(new_constraint))
Z3Solver.instance().can_be_true.cache_clear()
self.assertEqual(
ground_truth,
Z3Solver.instance().can_be_true(constraints, new_constraint))
Z3Solver.instance().can_be_true.cache_clear()
self.assertEqual(
ground_truth,
Z3Solver.instance().can_be_true(
constraints.related_to(new_constraint), new_constraint),
)