EVM failure modes

The possible result states of a VM

The state of a stepwise EVM execution

Queries halt execution until resolved through RPC calls or SMT queries

Alias for the type of e.g. exec1.

The possible return values of a SMT query

The possible return values of a `is unique` SMT query

The cache is data that can be persisted for efficiency: any expensive query that is constant at least within a block.

A way to specify an initial VM state

An entry in the VM's "call/create stack"

Call/create info

The "registers" of the VM along with memory and data stack

The state that spans a whole transaction

The "accrued substate" across a transaction

A contract is either in creation (running its "constructor") or post-creation, and code in these two modes is treated differently by instructions like EXTCODEHASH, so we distinguish these two code types.

The definition follows the structure of code output by solc. We need to use some heuristics here to deal with symbolic data regions that may be present in the bytecode since the fully abstract case is impractical:

• initcode has concrete code, followed by an abstract data "section"
• runtimecode has a fixed length, but may contain fixed size symbolic regions (due to immutable)

hopefully we do not have to deal with dynamic immutable before we get a real data section...

We have two variants here to optimize the fully concrete case. ConcreteRuntimeCode just wraps a ByteString SymbolicRuntimeCode is a fixed length vector of potentially symbolic bytes, which lets us handle symbolic pushdata (e.g. from immutable variables in solidity).

A contract can either have concrete or symbolic storage depending on what type of execution we are doing data Storage = Concrete (Map Word Expr EWord) | Symbolic [(Expr EWord, Expr EWord)] (SArray (WordN 256) (WordN 256)) deriving (Show)

The state of a contract

When doing symbolic execution, we have three different ways to model the storage of contracts. This determines not only the initial contract storage model but also how RPC or state fetched contracts will be modeled.

Various environmental data

Data about the block

An "external" view of a contract's bytecode, appropriate for e.g. EXTCODEHASH.

Initialize empty contract with given code

Update program counter

Executes the EVM one step

Checks a *CALL for failure; OOG, too many callframes, memory access etc.

Construct RPC Query and halt execution until resolved

Loads the selected contract as the current contract to execute

Burn gas, failing if insufficient gas is available

returns a wrapped boolean- if true, this address has been touched before in the txn (warm gas cost as in EIP 2929) otherwise cold

returns a wrapped boolean- if true, this slot has been touched before in the txn (warm gas cost as in EIP 2929) otherwise cold

We don't wanna introduce the machinery needed to sign with a random nonce, so we just use the same nonce every time (420). This is obviusly very insecure, but fine for testing purposes.

Replace a contract's code, like when CREATE returns from the constructor code.

A stack frame can be popped in three ways.

This function defines how to pop the current stack frame in either of the ways specified by FrameResult.

It also handles the case when the current stack frame is the only one; in this case, we set the final _result of the VM execution.

The length of the code ignoring any constructor args. This represents the region that can contain executable opcodes

The length of the code including any constructor args. This can return an abstract value