trailofbits/manticore

Assertion failure: assert value.size == self.size when gas is ignored

Open

#1493 opened on Jul 22, 2019

View on GitHub
 (1 comment) (0 reactions) (1 assignee)Python (3,469 stars) (481 forks)batch import
ethereumhelp wantedpriority-high

Description

OS / Environment

Ubuntu 18.04

Manticore version

cc7811b10d9ce4f5c3444ebceff16b3ed2753f21

Python version

Python 3.6

Summary of the problem

Manticode crashes with an assertion failure when gas computation is ignored.

Step to reproduce the behavior

Use this solidity contract:

contract C {
  function hash(string x) public returns (bytes32) {
    return(keccak256(x));
  }
}

with manticore:

$ manticore bug.sol  --txlimit 1 --evm.oog ignore

Expected behavior

It should should not crash. It's unclear how to proceed with the symbolic exploration since manticore will waste resourced exploring the keccak256 code. Maybe a warning saying that such path will not be explored?

Actual behavior

2019-07-22 10:24:54,158: [15617] m.main:INFO: Registered plugins: DetectReentrancyAdvanced, DetectSuicidal, DetectUnusedRetVal, DetectInvalid, DetectUninitializedMemory, DetectIntegerOverflow, DetectEnvInstruction, DetectExternalCallAndLeak, DetectDelegatecall, DetectReentrancySimple, DetectUninitializedStorage
2019-07-22 10:24:54,158: [15617] m.main:INFO: Beginning analysis
2019-07-22 10:24:54,163: [15617] m.e.manticore:INFO: Starting symbolic create contract
2019-07-22 10:24:54,710: [15617] m.e.manticore:INFO: Starting symbolic transaction: 0
2019-07-22 10:25:10,260: [15916] m.c.worker:ERROR: Exception in state 0: AssertionError()
Traceback (most recent call last):
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/core/worker.py", line 121, in run
    current_state.execute()
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/ethereum/state.py", line 6, in execute
    return self._platform.execute()
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/platforms/evm.py", line 2684, in execute
    self.current_vm.execute()
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/platforms/evm.py", line 1210, in execute
    last_pc, last_gas, instruction, arguments, fee, allocated = self._checkpoint()
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/platforms/evm.py", line 1106, in _checkpoint
    fee = self._calculate_gas(*arguments)
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/platforms/evm.py", line 1079, in _calculate_gas
    return current.fee + implementation(*arguments)
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/platforms/evm.py", line 1533, in SHA3_gas
    return GSHA3WORD * (ceil32(size) // 32) + memfee
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/core/smtlib/expression.py", line 295, in __add__
    return BitVecAdd(self, self.cast(other))
  File "/home/gustavo/.local/lib/python3.6/site-packages/manticore-0.3.0-py3.6.egg/manticore/core/smtlib/expression.py", line 284, in cast
    assert value.size == self.size
AssertionError
 
2019-07-22 10:25:10,346: [15617] m.e.manticore:INFO: 0 alive states, 3 terminated states
2019-07-22 10:25:10,378: [16754] m.c.manticore:INFO: Generated testcase No. 0 - RETURN(1 txs)
2019-07-22 10:25:10,383: [16755] m.c.manticore:INFO: Generated testcase No. 1 - REVERT(2 txs)
2019-07-22 10:25:10,387: [16757] m.c.manticore:INFO: Generated testcase No. 2 - REVERT(2 txs)
2019-07-22 10:25:10,417: [16760] m.c.manticore:INFO: Generated testcase No. 3 - RETURN(1 txs)

Contributor guide

Tech stack
python
Domain
backend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
PythonManticore basicsEVM gas calculation
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Investigate the assertion failure in manticore/platforms/evm.py in the SHA3 gas function (line 1533) when gas is ignored ( evm.oog ignore). The issue arises from a size mismatch in BitVec operations in expression.py line 295. Reproduce the crash with the provided Solidity contract. Determine whether the fix should adjust the gas calculation to avoid the assertion, or handle the ignore case by skipping the gas calculation entirely. Check if there is an existing PR or discussion (though none visible).