Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Collision in address is "possible" as per hevm, even though it's not #549

Open
zoep opened this issue Sep 5, 2024 · 2 comments
Open

Collision in address is "possible" as per hevm, even though it's not #549

zoep opened this issue Sep 5, 2024 · 2 comments
Assignees
@msooseth
Labels
bug Something isn't working in progress

Comments

@zoep
Copy link
Collaborator

zoep commented Sep 5, 2024

Should hevm enforce freshness conditions on newly created symbolic addresses?

I am working with this example:

contract A {
    uint public x;

    constructor ()  {
	x = 42;
    }
}

contract B {

    A a1;
    A a2;

    constructor() {
	a1 = new A();
	a2 = new A();
	assert (address(a1) != address(a2));
    }
}

running hevm symbolic --sig "B()" --code <the-creation-code> returns

Discovered the following counterexamples:

Calldata:
  0x32e7c5bf

Storage:
  Addr SymAddr "entrypoint": [(0x0,0x0),(0x1,0x0)]
  Addr SymAddr "miner": []
  Addr SymAddr "origin": []

Transaction Context:
  TxValue: 0x0

the same happens with --initial-storage Empty.

Removing the assertion results in QED.
@msooseth msooseth changed the title Should hevm be able to prove this? Collision in address is "possible" as per hevm, even though it's not Sep 9, 2024
@ethereum ethereum deleted a comment from zoep Sep 9, 2024
@msooseth msooseth added the bug Something isn't working label Sep 9, 2024
@msooseth
Copy link
Collaborator

msooseth commented Sep 9, 2024

Aliasing bug

@msooseth
Copy link
Collaborator

Yay this should be fixed with #641

Took me a looooooong time. But got there eventually.

$ solc --bin --optimize stuff.sol  
======= stuff.sol:A =======
Binary:
6080604052348015600e575f80fd5b50602a5f55607980601e5f395ff3fe6080604052348015600e575f80fd5b50600436106026575f3560e01c80630c55699c14602a575b5f80fd5b60315f5481565b60405190815260200160405180910390f3fea2646970667358221220a28109598464f5c9a677254859396694964348a7b5228bedfd9cf318169566f564736f6c634300081a0033

======= stuff.sol:B =======
Binary:
6080604052348015600e575f80fd5b5060405160199060a6565b604051809103905ff0801580156031573d5f803e3d5ffd5b505f80546001600160a01b0319166001600160a01b0392909216919091179055604051605b9060a6565b604051809103905ff0801580156073573d5f803e3d5ffd5b50600180546001600160a01b0319166001600160a01b039283169081179091555f549091160360a25760a260b2565b60c6565b60978061011083390190565b634e487b7160e01b5f52600160045260245ffd5b603e806100d25f395ff3fe60806040525f80fdfea2646970667358221220daa692e74d5328af58dc112e8f317e1421d86a6068b92f39db243be6059c4b0b64736f6c634300081a00336080604052348015600e575f80fd5b50602a5f55607980601e5f395ff3fe6080604052348015600e575f80fd5b50600436106026575f3560e01c80630c55699c14602a575b5f80fd5b60315f5481565b60405190815260200160405180910390f3fea2646970667358221220a28109598464f5c9a677254859396694964348a7b5228bedfd9cf318169566f564736f6c634300081a0033

Then:

cabal run exe:hevm symbolic -- --sig "B()" --code "6080604052348015600e575f80fd5b5060405160199060a6565b604051809103905ff0801580156031573d5f803e3d5ffd5b505f80546001600160a01b0319166001600160a01b0392909216919091179055604051605b9060a6565b604051809103905ff0801580156073573d5f803e3d5ffd5b50600180546001600160a01b0319166001600160a01b039283169081179091555f549091160360a25760a260b2565b60c6565b60978061011083390190565b634e487b7160e01b5f52600160045260245ffd5b603e806100d25f395ff3fe60806040525f80fdfea2646970667358221220daa692e74d5328af58dc112e8f317e1421d86a6068b92f39db243be6059c4b0b64736f6c634300081a00336080604052348015600e575f80fd5b50602a5f55607980601e5f395ff3fe6080604052348015600e575f80fd5b50600436106026575f3560e01c80630c55699c14602a575b5f80fd5b60315f5481565b60405190815260200160405180910390f3fea2646970667358221220a28109598464f5c9a677254859396694964348a7b5228bedfd9cf318169566f564736f6c634300081a0033"

QED: No reachable property violations discovered

Without the PR:

cabal run exe:hevm symbolic -- --sig "B()" --code "6080604052348015600e575f80fd5b5060405160199060a6565b604051809103905ff0801580156031573d5f803e3d5ffd5b505f80546001600160a01b0319166001600160a01b0392909216919091179055604051605b9060a6565b604051809103905ff0801580156073573d5f803e3d5ffd5b50600180546001600160a01b0319166001600160a01b039283169081179091555f549091160360a25760a260b2565b60c6565b60978061011083390190565b634e487b7160e01b5f52600160045260245ffd5b603e806100d25f395ff3fe60806040525f80fdfea2646970667358221220daa692e74d5328af58dc112e8f317e1421d86a6068b92f39db243be6059c4b0b64736f6c634300081a00336080604052348015600e575f80fd5b50602a5f55607980601e5f395ff3fe6080604052348015600e575f80fd5b50600436106026575f3560e01c80630c55699c14602a575b5f80fd5b60315f5481565b60405190815260200160405180910390f3fea2646970667358221220a28109598464f5c9a677254859396694964348a7b5228bedfd9cf318169566f564736f6c634300081a0033"

Discovered the following 1 counterexample(s):

Calldata:
  0x32e7c5bf
Storage:
  Addr SymAddr "entrypoint": [(0x0,0x0)]
  Addr SymAddr "miner": []
  Addr SymAddr "origin": []
Transaction Context:
  TxValue: 0x0
Addrs:
  SymAddr "freshSymAddr1": 0xFFfFfFffFFfffFFfFFfFFFFFffFFFffffFfFFFfF
  SymAddr "freshSymAddr2": 0xFFfFfFffFFfffFFfFFfFFFFFffFFFffffFfFFFfF

@msooseth msooseth self-assigned this Jan 28, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@msooseth msooseth

Labels
bug Something isn't working in progress
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zoep @msooseth