hevm-0.50.4: Ethereum virtual machine evaluator
Safe HaskellSafe-Inferred
LanguageGHC2021

EVM.SymExec

Synopsis

Documentation

data Sig Source #

A method name, and the (ordered) types of it's arguments

Constructors

Sig Text [AbiType] 

data ProofResult a b c Source #

Constructors

Qed a 
Cex b 
Timeout c 

Instances

Instances details
(Show a, Show b, Show c) => Show (ProofResult a b c) Source # 
Instance details

Defined in EVM.SymExec

Methods

showsPrec :: Int -> ProofResult a b c -> ShowS #

show :: ProofResult a b c -> String #

showList :: [ProofResult a b c] -> ShowS #

(Eq a, Eq b, Eq c) => Eq (ProofResult a b c) Source # 
Instance details

Defined in EVM.SymExec

Methods

(==) :: ProofResult a b c -> ProofResult a b c -> Bool #

(/=) :: ProofResult a b c -> ProofResult a b c -> Bool #

type VerifyResult = ProofResult () (Expr End, SMTCex) (Expr End) Source #

type EquivResult = ProofResult () SMTCex () Source #

isTimeout :: ProofResult a b c -> Bool Source #

isCex :: ProofResult a b c -> Bool Source #

isQed :: ProofResult a b c -> Bool Source #

data VeriOpts Source #

Constructors

VeriOpts 

Fields

Instances

Instances details
Show VeriOpts Source # 
Instance details

Defined in EVM.SymExec

Methods

showsPrec :: Int -> VeriOpts -> ShowS #

show :: VeriOpts -> String #

showList :: [VeriOpts] -> ShowS #

Eq VeriOpts Source # 
Instance details

Defined in EVM.SymExec

Methods

(==) :: VeriOpts -> VeriOpts -> Bool #

(/=) :: VeriOpts -> VeriOpts -> Bool #

defaultVeriOpts :: VeriOpts Source #

rpcVeriOpts :: (BlockNumber, Text) -> VeriOpts Source #

debugVeriOpts :: VeriOpts Source #

extractCex :: VerifyResult -> Maybe (Expr End, SMTCex) Source #

inRange :: Int -> Expr EWord -> Prop Source #

bool :: Expr EWord -> Prop Source #

symAbiArg :: Text -> AbiType -> CalldataFragment Source #

Abstract calldata argument generation

data CalldataFragment Source #

Constructors

St [Prop] (Expr EWord) 
Dy [Prop] (Expr EWord) (Expr Buf) 
Comp [CalldataFragment] 

Instances

Instances details
Show CalldataFragment Source # 
Instance details

Defined in EVM.SymExec

Methods

showsPrec :: Int -> CalldataFragment -> ShowS #

show :: CalldataFragment -> String #

showList :: [CalldataFragment] -> ShowS #

Eq CalldataFragment Source # 
Instance details

Defined in EVM.SymExec

Methods

(==) :: CalldataFragment -> CalldataFragment -> Bool #

(/=) :: CalldataFragment -> CalldataFragment -> Bool #

symCalldata :: Text -> [AbiType] -> [String] -> Expr Buf -> (Expr Buf, [Prop]) Source #

Generates calldata matching given type signature, optionally specialized with concrete arguments. Any argument given as "symbolic" or omitted at the tail of the list are kept symbolic.

cdLen :: [CalldataFragment] -> Expr EWord Source #

writeSelector :: Expr Buf -> Text -> Expr Buf Source #

combineFragments :: [CalldataFragment] -> Expr Buf -> (Expr Buf, [Prop]) Source #

abstractVM :: (Expr Buf, [Prop]) -> ByteString -> Maybe Precondition -> StorageModel -> VM Source #

loadSymVM :: ContractCode -> Expr Storage -> Expr EWord -> Expr EWord -> Expr Buf -> [Prop] -> VM Source #

interpret :: Fetcher -> Maybe Integer -> Maybe Integer -> Stepper (Expr End) -> StateT VM IO (Expr End) Source #

Interpreter which explores all paths at branching points. returns an Expr representing the possible executions

maxIterationsReached :: VM -> Maybe Integer -> Maybe Bool Source #

type Precondition = VM -> Prop Source #

type Postcondition = VM -> Expr End -> Prop Source #

checkAssert :: SolverGroup -> [Word256] -> ByteString -> Maybe Sig -> [String] -> VeriOpts -> IO (Expr End, [VerifyResult]) Source #

checkAssertions :: [Word256] -> Postcondition Source #

Checks if an assertion violation has been encountered

hevm recognises the following as an assertion violation:

  1. the invalid opcode (0xfe) (solc < 0.8)
  2. a revert with a reason of the form `abi.encodeWithSelector("Panic(uint256)", code)`, where code is one of the following (solc >= 0.8): - 0x00: Used for generic compiler inserted panics. - 0x01: If you call assert with an argument that evaluates to false. - 0x11: If an arithmetic operation results in underflow or overflow outside of an unchecked { ... } block. - 0x12; If you divide or modulo by zero (e.g. 5 / 0 or 23 % 0). - 0x21: If you convert a value that is too big or negative into an enum type. - 0x22: If you access a storage byte array that is incorrectly encoded. - 0x31: If you call .pop() on an empty array. - 0x32: If you access an array, bytesN or an array slice at an out-of-bounds or negative index (i.e. x[i] where i >= x.length or i < 0). - 0x41: If you allocate too much memory or create an array that is too large. - 0x51: If you call a zero-initialized variable of internal function type.

see: https://docs.soliditylang.org/en/v0.8.6/control-structures.html?highlight=Panic#panic-via-assert-and-error-via-require

defaultPanicCodes :: [Word256] Source #

By default hevm checks for all assertions except those which result from arithmetic overflow

allPanicCodes :: [Word256] Source #

panicMsg :: Word256 -> ByteString Source #

Produces the revert message for solc >=0.8 assertion violations

mkCalldata :: Maybe Sig -> [String] -> (Expr Buf, [Prop]) Source #

Builds a buffer representing calldata from the provided method description and concrete arguments

verifyContract :: SolverGroup -> ByteString -> Maybe Sig -> [String] -> VeriOpts -> StorageModel -> Maybe Precondition -> Maybe Postcondition -> IO (Expr End, [VerifyResult]) Source #

pruneDeadPaths :: [VM] -> [VM] Source #

runExpr :: Stepper (Expr End) Source #

Stepper that parses the result of Stepper.runFully into an Expr End

flattenExpr :: Expr End -> [([Prop], Expr End)] Source #

Converts a given top level expr into a list of final states and the associated path conditions for each state

reachable :: SolverGroup -> Expr End -> IO ([SMT2], Expr End) Source #

Strips unreachable branches from a given expr Returns a list of executed SMT queries alongside the reduced expression for debugging purposes Note that the reduced expression loses information relative to the original one if jump conditions are removed. This restriction can be removed once Expr supports attaching knowledge to AST nodes. Although this algorithm currently parallelizes nicely, it does not exploit the incremental nature of the task at hand. Introducing support for incremental queries might let us go even faster here. TODO: handle errors properly

evalProp :: Prop -> Prop Source #

Evaluate the provided proposition down to its most concrete result

extractProps :: Expr End -> [Prop] Source #

Extract contraints stored in Expr End nodes

verify :: SolverGroup -> VeriOpts -> VM -> Maybe Postcondition -> IO (Expr End, [VerifyResult]) Source #

Symbolically execute the VM and check all endstates against the postcondition, if available.

type UnsatCache = TVar [Set Prop] Source #

equivalenceCheck :: SolverGroup -> ByteString -> ByteString -> VeriOpts -> (Expr Buf, [Prop]) -> IO [EquivResult] Source #

Compares two contract runtimes for trace equivalence by running two VMs and comparing the end states.

We do this by asking the solver to find a common input for each pair of endstates that satisfies the path conditions for both sides and produces a differing output. If we can find such an input, then we have a clear equivalence break, and since we run this check for every pair of end states, the check is exhaustive.

both' :: (a -> b) -> (a, a) -> (b, b) Source #

produceModels :: SolverGroup -> Expr End -> IO [(Expr End, CheckSatResult)] Source #

showModel :: Expr Buf -> (Expr End, CheckSatResult) -> IO () Source #

formatCex :: Expr Buf -> SMTCex -> Text Source #

subModel :: SMTCex -> Expr a -> Expr a Source #

Takes a buffer and a Cex and replaces all abstract values in the buf with concrete ones from the Cex