def test_CONCAT(self):
solver = self.solver
cs = ConstraintSet()
a = cs.new_bitvec(16)
b = cs.new_bitvec(8)
c = cs.new_bitvec(8)
cs.add(b == 0x41)
cs.add(c == 0x42)
cs.add(a == Operators.CONCAT(a.size, b, c))
self.assertTrue(solver.check(cs))
self.assertEqual(solver.get_value(cs, a), Operators.CONCAT(a.size, 0x41, 0x42))
def test_arithmetic_simplify_extract(self):
cs = ConstraintSet()
arr = cs.new_array(name='MEM')
a = cs.new_bitvec(32, name='VARA')
b = Operators.CONCAT(32, Operators.EXTRACT(a, 24, 8),
Operators.EXTRACT(a, 16, 8),
Operators.EXTRACT(a, 8, 8),
Operators.EXTRACT(a, 0, 8))
self.assertEqual(
translate_to_smtlib(b),
'(concat ((_ extract 31 24) VARA) ((_ extract 23 16) VARA) ((_ extract 15 8) VARA) ((_ extract 7 0) VARA))'
)
self.assertEqual(translate_to_smtlib(simplify(b)), 'VARA')
c = Operators.CONCAT(16, Operators.EXTRACT(a, 16, 8),
Operators.EXTRACT(a, 8, 8))
self.assertEqual(
translate_to_smtlib(c),
'(concat ((_ extract 23 16) VARA) ((_ extract 15 8) VARA))')
self.assertEqual(translate_to_smtlib(simplify(c)),
'((_ extract 23 8) VARA)')
with open('overflow.sol') as f:
source_code = f.read()
# Generate the accounts
user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0)
#First add won't overflow uint256 representation
value_0 = m.make_symbolic_value()
contract_account.add(value_0, caller=user_account)
#Potential overflow
value_1 = m.make_symbolic_value()
contract_account.add(value_1, caller=user_account)
contract_account.sellerBalance(caller=user_account)
for state in m.running_states:
# Check if input0 > sellerBalance
# last_return is the data returned
last_return = state.platform.transactions[-1].return_data
# retrieve last_return and input0 in a similar format
last_return = Operators.CONCAT(256, *last_return)
state.constrain(Operators.UGT(value_0, last_return))
if solver.check(state.constraints):
print("Overflow found! see {}".format(m.workspace))
m.generate_testcase(state, 'OverflowFound')
# Generate the accounts
user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0)
#First add won't overflow uint256 representation
contract_account.add(m.SValue, caller=user_account)
#Potential overflow
contract_account.add(m.SValue, caller=user_account)
contract_account.sellerBalance(caller=user_account)
for state in m.running_states:
# Check if input0 > sellerBalance
# last_return is the data returned
last_return = state.platform.last_return_data
# First input (first call to add)
input0 = state.input_symbols[0]
# retrieve last_return and input0 in a similar format
last_return = Operators.CONCAT(256, *last_return)
# starts at 4 to skip function id
input0 = Operators.CONCAT(256, *input0[4:36])
state.constrain(input0 > last_return)
if solver.check(state.constraints):
print "Overflow found! see %s" % m.workspace
m.generate_testcase(state, 'OverflowFound')
def get_return_data(tx):
assert isinstance(tx, Transaction)
r = tx.return_data
if isinstance(r, str):
r = list(map(ord, r))
return Operators.CONCAT(256, *r)
'''
# Initiate the accounts
user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0)
# Call f(a), with a symbolic value
contract_account.f(m.SValue, caller=user_account)
## Check if an execution ends with a REVERT or INVALID
for state in m.terminated_states:
last_tx = state.platform.transactions[-1]
if last_tx.result in ['REVERT', 'INVALID']:
# return the first symbolic input
input0 = state.input_symbols[0]
# skip the function id, and extract the 32 bytes corresponding to the first parameter
input0 = Operators.CONCAT(256, *input0[4:36])
# we do not consider the path were a == 65
state.constrain(input0 != 65)
if not solver.check(state.constraints):
print "Error found in infeasible path"
continue
print "Error found in f() execution (see %s)" % m.workspace
m.generate_testcase(state, 'BugFound')
