-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add symbolic execution #1216
Add symbolic execution #1216
Conversation
This is great!. I have some suggestions, but this first needs some testing. Btw, I think this code will not work as expected when |
Some UI improvements we need (as simple textual events):
|
Yeah, it won't be able to call any contracts aside from the "main one" |
A few small additional improvements:
|
438152a
to
6ad6d70
Compare
|
104cefa
to
f6ba713
Compare
Also added config options for setting the |
Could this be used to lower the memory consumption? |
Yep, although it only affects memory consumption of symbolic execution, not the fuzz workers |
Co-authored-by: Ben Siraphob <bensiraphob@gmail.com> Co-authored-by: Sam Alws <sam.alws@trailofbits.com>
This PR on hevm may resolve the issues on Windows ethereum/hevm#484 |
I've ran some tests and it is using a LOT less memory with the default config now. function testSymExec(uint256 magicNumber) public {
if (magicNumber == 1256984789498465878979846549849854654984)
t(false, "you found the magic number");
} What is a good approach to test the symexec itself? I've tried the above code but it does not break this in a couple of minutes. Update: I should have been a bit more patient. It breaks both with and without symexec enabled in ~10 minutes. |
Related note here: I'm working on implementing concolic execution, which should significantly lower the memory usage & runtime when executing on functions with a lot of branches (I kept running into this issue when testing this PR). I should have a proof-of-concept available in a day or two. Most of the code for concolic execution will be shared with the code from this PR, so any bug you find here will probably also be a bug in the concolic version. |
@ your test example: It shouldn't take that long to find the test case, unless there's other functions in the contract that it tries executing first |
Thanks @elopez ! |
Just pushed a commit adding support for concolic execution. It works, but:
Any testing done on both the symexec and concolic execution features is appreciated :) |
db6e1a8
to
f14a603
Compare
@elopez confirmed that your hevm PR fixes tests on windows |
Fixed up the todos, now all that's left is:
|
I think this looks almost ready to go. We need to:
flip runReaderT defaultEnv $ withSolvers Z3 (fromIntegral conf.campaignConf.symExecNSolvers) timeout $ \solvers -> do
threadId <- liftIO $ forkIO $ flip runReaderT defaultEnv $ do
res <- forM methods $ \method -> do
+ liftIO $ print method
let
fetcher = concOrSymFetcher tx solvers rpcInfo
dst = conf.solConf.contractAddr
@@ -92,8 +93,11 @@ exploreContract conf contract tx vm = do
& #env % #contracts .~ (Map.union vmSym'.env.contracts vm.env.contracts)
-- TODO we might want to switch vm's state.baseState value to to AbstractBase eventually.
-- Doing so might mess up concolic execution.
+ liftIO $ putStrLn $ "Building path conditions"
exprInter <- interpret fetcher maxIters askSmtIters Naive vm' runExpr
- models <- liftIO $ mapConcurrently (checkSat solvers) $ manipulateExprInter isConc exprInter
+ let sats = manipulateExprInter isConc exprInter
+ liftIO $ putStrLn $ "Number of expressions:" ++ show (length sats)
+ models <- liftIO $ mapConcurrently (checkSat solvers) sats It is very useful to know which transaction is explored, but let's make sure the printing looks correct since it is ugly here 😅
|
Hi, I want to try out the new features, I'm currently using Echidna version 2.2.3 and encountering issues. It seems that some options are not supported yet ? Warning: unused option: symExec
Warning: unused option: symExecAskSMTIters
Warning: unused option: symExecConcolic
Warning: unused option: symExecMaxIters
Warning: unused option: symExecNSolvers
Warning: unused option: symExecTargets
Warning: unused option: symExecTimeout Maybe it's for the next release ? |
Correct. You can download one of the latest builds here (scroll down) Or manually build the latest |
This PR is a continuation of #1030 and #1175. It adds a
symExec
configuration option which enables an extra symbolic execution worker, which runs alongside the existing fuzzing workers. This should allow for bugs which require very specific inputs to be caught more easily (seetests/solidity/symbolic/sym.sol
for a fairly contrived example). Symbolic execution is mostly implemented by hevm; the bulk of this PR has to do with calling hevm's symbolic executor in the right way, and spawning a new worker to do this.The sym exec worker runs at startup using the initial corpus, and also runs whenever a fuzz worker finds new coverage. It uses a queue to keep track of this. When the queue is empty, the worker is in a sleep mode waiting for more events to come in.
This PR also adds
symExecTimeout
andsymExecNSolvers
configuration options which allow for choosing the timeout and number of sym exec solvers (i.e. Z3 instances, I think). It's unclear what a good default value for these would be, so I just picked something that looks right (30 and 1, respectively).This is meant to be an experimental feature, and this PR shouldn't affect users unless they explicitly enable
symExec
. It is turned off by default.