def print_analysis_result(analyzed_contract): """ Print the analysis result """ result = '' for block in analyzed_contract.blocks: label = block.label if label is not None: result += ':label{}\n'.format(label) offset = block.offset for instruction in block.instructions: op = instruction.op name = instruction.name if opcodes.is_push(op): arg = instruction.arg result += '{:#x}\t{} {:#x}\n'.format(offset, name, arg) elif name == 'JUMPI' or name == 'JUMP': result += '{:#x}\t{} '.format(offset, name) source_instruction_set = instruction.source[0] for pointer in source_instruction_set: source_instruction = analyze.get_instruction(pointer) target_label = analyzed_contract.jump_destination[ source_instruction.arg].label result += ':label{} '.format(target_label) result = result[:-1] + '\n' else: result += '{:#x}\t{}\n'.format(offset, name) offset += opcodes.operand_size(op) + 1 result += '\n' print(result)
def relocating(contr, relocate, bytecode): """ Relocate target addresses """ instrs = contr.instructions sources = relocate.sources destinations = relocate.destinations for pc, off in sources.items(): instr = instrs[pc] op = instr.op arg = instr.arg # Update PUSH's opcode addr = destinations[arg] size = opcodes.operand_size(op) if addr is None: raise ValueError( 'Invalid target address. addr: {:#x}, source: {:#x}'.format( arg, pc)) if addr > 0xff and size == 1: instr.op = 0x61 instr.name = 'PUSH2' return False # Update PUSH's operand and bytecode instr.arg = addr bytecode[off + 1:off + size + 1] = bytearray( addr.to_bytes(size, byteorder='big')) return True
def get_instruction_offset(pointer): """ Get the instruction offset form the instruction pointer """ offset = pointer.block.offset for i in range(pointer.index): size = opcodes.operand_size(pointer.block.instructions[i].op) offset += size + 1 return offset
def instruction_to_bytecode(instr): """ Convert instruction to bytecode """ op = instr.op evm = bytearray(op.to_bytes(1, byteorder='big')) if opcodes.is_push(op): arg = instr.arg size = opcodes.operand_size(op) evm += bytearray(arg.to_bytes(size, byteorder='big')) return evm
def initialize(evm): """ Initialize the analysis, disassemble the bytecode and construct basic blocks """ contract = Contract() current_block = BasicBlock(0) i = 0 while i < len(evm): op = evm[i] if op not in opcodes.opcodes.keys(): raise KeyError('Invalid op. op: {:#x}, offset: {:#x}'.format( op, i)) name = opcodes.opcodes[op][0] size = opcodes.operand_size(op) if size != 0: arg = int.from_bytes(evm[i + 1:i + 1 + size], byteorder='big') else: arg = None if name == 'JUMPDEST': if len(current_block.instructions) > 0: contract.blocks.append(current_block) new_block = BasicBlock(i) current_block.next = new_block current_block = new_block current_block.offset += 1 contract.jump_destination[i] = current_block else: instruction = Instruction(op, name, arg) current_block.instructions.append(instruction) if (name == 'JUMP' or name == 'JUMPI' or name == 'RETURN' or name == 'SUICIDE' or name == 'STOP' or name == 'REVERT'): contract.blocks.append(current_block) new_block = BasicBlock(i + 1) current_block.next = new_block current_block = new_block i += size + 1 if len(current_block.instructions ) > 0 or current_block.offset in contract.jump_destination.keys(): contract.blocks.append(current_block) else: contract.blocks[-1].next = None return contract
def init_relocation_table(contr, relocate): """ Initialize relocation table """ instrs = contr.instructions sources = relocate.sources reloc_tbl = set() for pc, off in sources.items(): instr = instrs[pc] op = instr.op arg = instr.arg size = opcodes.operand_size(op) reloc_tbl.add(JumpPush(off, arg, size)) return reloc_tbl
def advance(state): """ Execute next block abstractly and advance the current state """ contract = state.contract block = state.next_block pc = state.next_block.offset stack = state.stack.copy() update_block_source(block, stack, len(stack)) for index, instruction in enumerate(state.next_block.instructions): op = instruction.op name = instruction.name old_stack = stack.copy() ins = opcodes.opcodes[op][1] operands = [] for i in range(ins): operand = stack.pop(0) operands.append(operand) update_instruction_source(instruction, operands, ins) if name == 'STOP' or name == 'RETURN' or name == 'REVERT' or name == 'SUICIDE': return [] elif opcodes.is_push(op): stack.insert(0, InstructionPointer(state.next_block, index)) elif opcodes.is_dup(op): old_stack.insert(0, operands[-1]) stack = old_stack elif opcodes.is_swap(op): tmp = old_stack[0] old_stack[0] = old_stack[ins - 1] old_stack[ins - 1] = tmp stack = old_stack elif name == 'JUMP': source_instruction = get_instruction(operands[0]) if not opcodes.is_push(source_instruction.op): raise TypeError( 'Error resolving JUMP address. pc: {:#x}, source: {:#x}'. format(pc, get_instruction_offset(operands[0]))) if source_instruction.arg not in contract.jump_destination.keys(): raise KeyError( 'Invalid JUMP address. pc: {:#x}, source: {:#x}, addr: {:#x}' .format(pc, get_instruction_offset(operands[0]), source_instruction.arg)) return [ State(contract, contract.jump_destination[source_instruction.arg], stack) ] elif name == 'JUMPI': source_instruction = get_instruction(operands[0]) if not opcodes.is_push(source_instruction.op): raise ValueError( 'Error resolving JUMP address. pc: {:#x}, source: {:#x}'. format(pc, get_instruction_offset(operands[0]))) if source_instruction.arg not in contract.jump_destination.keys(): raise KeyError( 'Invalid JUMP address. pc: {:#x}, source: {:#x}, addr: {:#x}' .format(pc, get_instruction_offset(operands[0]), source_instruction.arg)) ret = [ State(contract, contract.jump_destination[source_instruction.arg], stack) ] if state.next_block.next is not None: ret.append(State(contract, state.next_block.next, stack)) return ret else: outs = opcodes.opcodes[op][2] for i in range(outs): stack.insert(0, InstructionPointer(state.next_block, index)) if len(stack) > 1024: log.critical('Stack overflow. pc: {:#x}'.format(pc)) return [] size = opcodes.operand_size(op) pc += size + 1 if state.next_block.next is not None: return [State(contract, state.next_block.next, stack)] else: return []
def initialize(evm): """ Initialize contract analysis, disassemble EVM bytecode, construct basic blocks, create DFG and CFG """ contr = Contract() dfg = DiGraph() # Data Flow Graph cfg = DiGraph() # Control Flow Graph cur_blk = BasicBlock(0) pc = 0 while pc < len(evm): op = evm[pc] if op not in opcodes.listing: raise KeyError('Invalid op. op: {:#x}, offset: {:#x}'.format(op, pc)) name = opcodes.listing[op][0] size = opcodes.operand_size(op) if size != 0: arg = int.from_bytes(evm[pc + 1:pc + 1 + size], byteorder='big') else: arg = None instr = Instruction(op, name, arg) if name == 'JUMPDEST': if len(cur_blk.instructions) > 0: contr.blocks.append(cur_blk) # Add CFG nodes, representing basic blocks cfg.graph.add_node(cur_blk.offset, blk=cur_blk) new_blk = BasicBlock(pc) cur_blk.next = new_blk cur_blk = new_blk cur_blk.offset += 1 contr.jump_destination[pc] = cur_blk contr.instructions[pc] = instr else: cur_blk.instructions.append(instr) contr.instructions[pc] = instr if opcodes.is_swap(op) or opcodes.is_dup(op): # Omit SWAP and DUP from IDG pass elif (name == 'JUMP' or name == 'JUMPI' or name == 'STOP' or name == 'RETURN' or name == 'REVERT' or name == 'INVALID' or name == 'SUICIDE'): contr.blocks.append(cur_blk) # Add CFG nodes, representing basic blocks cfg.graph.add_node(cur_blk.offset, blk=cur_blk) new_blk = BasicBlock(pc + 1) cur_blk.next = new_blk cur_blk = new_blk # Add DFG nodes, representing instructions dfg.graph.add_node(pc, instr=instr) else: # Add DFG nodes, representing instructions dfg.graph.add_node(pc, instr=instr) pc += size + 1 if len(cur_blk.instructions) > 0 or cur_blk.offset - 1 in contr.jump_destination: contr.blocks.append(cur_blk) # Add CFG nodes, representing basic blocks cfg.graph.add_node(cur_blk.offset, blk=cur_blk) else: contr.blocks[-1].next = None return contr, dfg, cfg
def advance(elm): """ Execute next block abstractly and advance current state """ global contr global trace global relocate stat = elm.state blk = stat.next_block pc = blk.offset stack = stat.stack.copy() memory = stat.memory.copy() storage = stat.storage.copy() sequence = stat.sequence.copy() # Mark current state as executed elm.executed = True for instr in blk.instructions: op = instr.op name = instr.name old_stack = stack.copy() ins = opcodes.listing[op][1] if ins > len(stack): raise RuntimeError('Stack underflow. pc: {:#x}'.format(pc)) operands = [] for i in range(ins): operand = stack.pop(0) operands.append(operand) backtrack_instruction_sources(pc, instr, operands, ins) # Trace executed instructions from CALL to SSTORE, omit JUMPDEST, SWAP and DUP if name != 'JUMPDEST' and not opcodes.is_swap(op) and not opcodes.is_dup(op): for off in sequence: sequence[off].add(pc) if name == 'STOP' or name == 'SUICIDE': # Current block is NOT revert block return False elif name == 'INVALID': # Current block is revert block return True elif name == 'ADD': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, (op0 + op1) & TT256M1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SUB': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, (op0 - op1) & TT256M1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'MUL': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, (op0 * op1) & TT256M1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'DIV': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 0 if op1 == 0 else op0 // op1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'MOD': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 0 if op1 == 0 else op0 % op1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SDIV': op0 = convert_to_signed(operands[0].value) op1 = convert_to_signed(operands[1].value) if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 0 if op1 == 0 else (abs(op0) // abs(op1) * (-1 if op0 * op1 < 0 else 1)) & TT256M1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SMOD': op0 = convert_to_signed(operands[0].value) op1 = convert_to_signed(operands[1].value) if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 0 if op1 == 0 else (abs(op0) % abs(op1) * (-1 if op0 < 0 else 1)) & TT256M1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'ADDMOD': op0 = operands[0].value op1 = operands[1].value op2 = operands[2].value if op0 is not None and op1 is not None and op2 is not None: stack.insert(0, OperandStackElement(pc, instr, (op0 + op1) % op2 if op2 else 0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'MULMOD': op0 = operands[0].value op1 = operands[1].value op2 = operands[2].value if op0 is not None and op1 is not None and op2 is not None: stack.insert(0, OperandStackElement(pc, instr, (op0 * op1) % op2 if op2 else 0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'EXP': base = operands[0].value exponent = operands[1].value if base is not None and exponent is not None: stack.insert(0, OperandStackElement(pc, instr, pow(base, exponent, TT256))) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SIGNEXTEND': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: if op0 <= 31: test_bit = op0 * 8 + 7 if op1 & (1 << test_bit): stack.insert(0, OperandStackElement(pc, instr, op1 | (TT256 - (1 << test_bit)))) else: stack.insert(0, OperandStackElement(pc, instr, op1 & ((1 << test_bit) - 1))) else: stack.insert(0, OperandStackElement(pc, instr, op1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'LT': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 1 if op0 < op1 else 0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'GT': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 1 if op0 > op1 else 0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SLT': op0 = convert_to_signed(operands[0].value) op1 = convert_to_signed(operands[1].value) if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 1 if op0 < op1 else 0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SGT': op0 = convert_to_signed(operands[0].value) op1 = convert_to_signed(operands[1].value) if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 1 if op0 > op1 else 0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'EQ': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, 1 if op0 == op1 else 0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'ISZERO': op0 = operands[0].value if op0 is not None: stack.insert(0, OperandStackElement(pc, instr, 0 if op0 else 1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'AND': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: if op0 == 0xffffffff: stack.insert(0, OperandStackElement(pc, instr, op0 & op1, operands[1].source)) elif op1 == 0xffffffff: stack.insert(0, OperandStackElement(pc, instr, op0 & op1, operands[0].source)) else: stack.insert(0, OperandStackElement(pc, instr, op0 & op1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'OR': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, op0 | op1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'XOR': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: stack.insert(0, OperandStackElement(pc, instr, op0 ^ op1)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'NOT': op0 = operands[0].value if op0 is not None: stack.insert(0, OperandStackElement(pc, instr, TT256M1 - op0)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'BYTE': op0 = operands[0].value op1 = operands[1].value if op0 is not None and op1 is not None: if op0 >= 32: stack.insert(0, OperandStackElement(pc, instr, 0)) else: stack.insert(0, OperandStackElement(pc, instr, (op1 // 256 ** (31 - op0)) % 256)) else: stack.insert(0, OperandStackElement(pc, instr)) elif name == 'RETURN': address = operands[0].value size = operands[1].value # Resolve read address and read size, record memory dependencies if address is not None and size is not None: for i in range(size): if address + i in memory: instr.dependence.update(memory[address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) # Current block is NOT revert block return False elif name == 'REVERT': address = operands[0].value size = operands[1].value # Resolve read address and read size, record memory dependencies if address is not None and size is not None: for i in range(size): if address + i in memory: instr.dependence.update(memory[address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) # Current block is revert block return True elif opcodes.is_push(op): stack.insert(0, OperandStackElement(pc, instr, instr.arg, pc)) elif opcodes.is_dup(op): old_stack.insert(0, operands[-1]) stack = old_stack elif opcodes.is_swap(op): tmp = old_stack[0] old_stack[0] = old_stack[ins - 1] old_stack[ins - 1] = tmp stack = old_stack elif name == 'JUMP': src_pc = operands[0].source dst_pc = operands[0].value if src_pc is None or dst_pc is None: raise ValueError('Error resolving JUMP address. pc: {:#x}, source: {:#x}' .format(pc, operands[0].pc)) if dst_pc not in contr.jump_destination: # Current block is revert block return True else: dst_blk = contr.jump_destination[dst_pc] # Construct relocation table relocate.sources[src_pc] = None relocate.destinations[dst_pc] = None # Add CFG edges, representing control flow dependencies between basic blocks cfg.graph.add_edge(blk.offset, dst_blk.offset, type='JUMP') # Update number of return values to wait elm.num += 1 return [State(dst_blk, stack, memory, storage, sequence)] elif name == 'JUMPI': src_pc = operands[0].source dst_pc = operands[0].value if src_pc is None or dst_pc is None: raise ValueError('Error resolving JUMPI address. pc: {:#x}, source: {:#x}' .format(pc, operands[0].pc)) ret = [] if dst_pc in contr.jump_destination: dst_blk = contr.jump_destination[dst_pc] # Construct relocation table relocate.sources[src_pc] = None relocate.destinations[dst_pc] = None # Add CFG edges, representing control flow dependencies between basic blocks cfg.graph.add_edge(blk.offset, dst_blk.offset, type='JUMPI') # Update number of return values to wait elm.num += 1 ret.append(State(dst_blk, stack, memory, storage, sequence)) if blk.next is not None: # Add CFG edges, representing control flow dependencies between basic blocks cfg.graph.add_edge(blk.offset, blk.next.offset, type='JUMPI') # Update number of return values to wait elm.num += 1 ret.append(State(blk.next, stack, memory, storage, sequence)) if not ret: # Current block is revert block return True else: return ret elif name == 'SHA3': address = operands[0].value size = operands[1].value # Resolve read address and read size, record memory dependencies if address is not None and size is not None: for i in range(size): if address + i in memory: instr.dependence.update(memory[address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) stack.insert(0, OperandStackElement(pc, instr)) elif name == 'LOG0' or name == 'LOG1' or name == 'LOG2' or name == 'LOG3' or name == 'LOG4': address = operands[0].value size = operands[1].value # Resolve read address and read size, record memory dependencies if address is not None and size is not None: for i in range(size): if address + i in memory: instr.dependence.update(memory[address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) elif name == 'MLOAD': address = operands[0].value # Resolve read address, record memory dependencies if address is not None: for i in range(32): if address + i in memory: instr.dependence.update(memory[address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) stack.insert(0, OperandStackElement(pc, instr)) elif name == 'CREATE': address = operands[0].value size = operands[1].value # Resolve read address and read size, record memory dependencies if address is not None and size is not None: for i in range(size): if address + i in memory: instr.dependence.update(memory[address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) stack.insert(0, OperandStackElement(pc, instr)) elif name == 'MSTORE': address = operands[0].value # Resolve write address, label memory if address is not None: for i in range(32): if address + i not in memory: memory[address + i] = set() instr.overwrite.update(memory[address + i]) memory[address + i].add(pc) # Can not resolve write address, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) elif name == 'MSTORE8': address = operands[0].value # Resolve write address, label memory if address is not None: if address not in memory: memory[address] = set() instr.overwrite.update(memory[address]) memory[address].add(pc) # Can not resolve write address, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) elif name == 'CALLDATACOPY' or name == 'RETURNDATACOPY': address = operands[0].value size = operands[2].value # Resolve write address and write size, label memory if address is not None and size is not None: for i in range(size): if address + i not in memory: memory[address + i] = set() instr.overwrite.update(memory[address + i]) memory[address + i].add(pc) # Can not resolve write address or write size, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) elif name == 'CODECOPY': address = operands[0].value size = operands[2].value src_pc = operands[1].source dst_pc = operands[1].value if src_pc is None or dst_pc is None: raise ValueError('Error resolving CODECOPY address. pc: {:#x}, source: {:#x}' .format(pc, operands[1].pc)) # Construct relocation table relocate.sources[src_pc] = None relocate.destinations[dst_pc] = None # Resolve write address and write size, label memory if address is not None and size is not None: for i in range(size): if address + i not in memory: memory[address + i] = set() instr.overwrite.update(memory[address + i]) memory[address + i].add(pc) # Can not resolve write address or write size, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) elif name == 'EXTCODECOPY': address = operands[1].value size = operands[3].value # Resolve write address and write size, label memory if address is not None and size is not None: for i in range(size): if address + i not in memory: memory[address + i] = set() instr.overwrite.update(memory[address + i]) memory[address + i].add(pc) # Can not resolve write address or write size, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) elif name == 'CALL': # Start tracing executed instructions from CALL to SSTORE if pc not in sequence: sequence[pc] = set() read_address = operands[3].value read_size = operands[4].value # Resolve read address and read size, record memory dependencies if read_address is not None and read_size is not None: for i in range(read_size): if read_address + i in memory: instr.dependence.update(memory[read_address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) write_address = operands[5].value write_size = operands[6].value # Resolve write address and write size, label memory if write_address is not None and write_size is not None: for i in range(write_size): if write_address + i not in memory: memory[write_address + i] = set() instr.overwrite.update(memory[write_address + i]) memory[write_address + i].add(pc) # Can not resolve write address or write size, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) stack.insert(0, OperandStackElement(pc, instr)) elif name == 'CALLCODE': read_address = operands[3].value read_size = operands[4].value # Resolve read address and read size, record memory dependencies if read_address is not None and read_size is not None: for i in range(read_size): if read_address + i in memory: instr.dependence.update(memory[read_address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) write_address = operands[5].value write_size = operands[6].value # Resolve write address and write size, label memory if write_address is not None and write_size is not None: for i in range(write_size): if write_address + i not in memory: memory[write_address + i] = set() instr.overwrite.update(memory[write_address + i]) memory[write_address + i].add(pc) # Can not resolve write address or write size, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) stack.insert(0, OperandStackElement(pc, instr)) elif name == 'DELEGATECALL' or name == 'STATICCALL': read_address = operands[2].value read_size = operands[3].value # Resolve read address and read size, record memory dependencies if read_address is not None and read_size is not None: for i in range(read_size): if read_address + i in memory: instr.dependence.update(memory[read_address + i]) if 'all' in memory: instr.dependence.update(memory['all']) # Can not resolve read address or read size, record all possible memory dependencies else: for addr in memory: instr.dependence.update(memory[addr]) write_address = operands[4].value write_size = operands[5].value # Resolve write address and write size, label memory if write_address is not None and write_size is not None: for i in range(write_size): if write_address + i not in memory: memory[write_address + i] = set() instr.overwrite.update(memory[write_address + i]) memory[write_address + i].add(pc) # Can not resolve write address or write size, label all possible addresses else: if 'all' not in memory: memory['all'] = set() for addr in memory: instr.overwrite.update(memory[addr]) memory['all'].add(pc) stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SLOAD': address = operands[0].value # Resolve read address, record storage dependencies if address is not None: if address in storage: instr.dependence.update(storage[address]) if 'all' in storage: instr.dependence.update(storage['all']) # Can not resolve read address, record all possible storage dependencies else: for addr in storage: instr.dependence.update(storage[addr]) stack.insert(0, OperandStackElement(pc, instr)) elif name == 'SSTORE': # End tracing executed instructions from CALL to SSTORE for off in sequence: if (off, pc) not in trace: trace[(off, pc)] = set() trace[(off, pc)].update(sequence[off]) address = operands[0].value # Resolve write address, label storage if address is not None: if address not in storage: storage[address] = set() instr.overwrite.update(storage[address]) storage[address].add(pc) # Can not resolve write address, label all possible addresses else: if 'all' not in storage: storage['all'] = set() for addr in storage: instr.overwrite.update(storage[addr]) storage['all'].add(pc) else: outs = opcodes.listing[op][2] for i in range(outs): stack.insert(0, OperandStackElement(pc, instr)) if len(stack) > MAX_DEPTH: raise RuntimeError('Stack overflow. pc: {:#x}'.format(pc)) size = opcodes.operand_size(op) pc += size + 1 if blk.next is not None: # Add CFG edges, representing control flow dependencies between basic blocks cfg.graph.add_edge(blk.offset, blk.next.offset, type='SEQUENTIAL') # Update number of return values to wait elm.num += 1 return [State(stat.next_block.next, stack, memory, storage, sequence)] else: # Current block is NOT revert block return False