Add new features (#1841)

Author: norhh

mythril/analysis/symbolic.py

@@ -24,6 +24,7 @@
     MutationPrunerBuilder,
     DependencyPrunerBuilder,
     CoveragePluginBuilder,
+    CoverageMetricsPluginBuilder,
     CallDepthLimitBuilder,
     InstructionProfilerBuilder,
     SymbolicSummaryPluginBuilder,
@@ -143,6 +144,7 @@ def __init__(
             )
 
         plugin_loader = LaserPluginLoader()
+        plugin_loader.load(CoverageMetricsPluginBuilder())
         if not args.disable_coverage_strategy:
             plugin_loader.load(CoveragePluginBuilder())
         if not args.disable_mutation_pruner:

mythril/concolic/concolic_execution.py

@@ -74,7 +74,6 @@ def concolic_execution(
     :param solver_timeout: Solver timeout
 
     """
-
     init_state, trace = concrete_execution(concrete_data)
     args.solver_timeout = solver_timeout
     output_list = flip_branches(

mythril/concolic/find_trace.py

@@ -12,11 +12,13 @@
 from mythril.laser.ethereum.state.world_state import WorldState
 from mythril.laser.ethereum.state.account import Account
 from mythril.laser.ethereum.time_handler import time_handler
+from mythril.laser.plugin.plugins import TraceFinderBuilder
 from mythril.laser.ethereum.transaction.concolic import execute_transaction
 from mythril.laser.plugin.loader import LaserPluginLoader
 from mythril.laser.smt import Expression, BitVec, symbol_factory
 from mythril.laser.ethereum.transaction.transaction_models import tx_id_manager
 from mythril.plugin.discovery import PluginDiscovery
+from mythril.support.support_args import args
 
 
 def setup_concrete_initial_state(concrete_data: ConcreteData) -> WorldState:
@@ -30,12 +32,11 @@ def setup_concrete_initial_state(concrete_data: ConcreteData) -> WorldState:
         account = Account(address, concrete_storage=True)
         account.code = Disassembly(details["code"][2:])
         account.nonce = details["nonce"]
-        if isinstance(type(details["storage"]), str):
+        if isinstance(details["storage"], str):
             details["storage"] = eval(details["storage"])  # type: ignore
         for key, value in details["storage"].items():
             key_bitvec = symbol_factory.BitVecVal(int(key, 16), 256)
             account.storage[key_bitvec] = symbol_factory.BitVecVal(int(value, 16), 256)
-
         world_state.put_account(account)
         account.set_balance(int(details["balance"], 16))
     return world_state
@@ -47,16 +48,15 @@ def concrete_execution(concrete_data: ConcreteData) -> Tuple[WorldState, List]:
     :param concrete_data: Concrete data
     :return: path trace
     """
+    args.pruning_factor = 1
     tx_id_manager.restart_counter()
     init_state = setup_concrete_initial_state(concrete_data)
     laser_evm = LaserEVM(execution_timeout=1000)
     laser_evm.open_states = [deepcopy(init_state)]
     plugin_loader = LaserPluginLoader()
-    assert PluginDiscovery().is_installed("myth_concolic_execution")
-    trace_plugin = PluginDiscovery().installed_plugins["myth_concolic_execution"]()
+    plugin_loader.load(TraceFinderBuilder())
     time_handler.start_execution(laser_evm.execution_timeout)
 
-    plugin_loader.load(trace_plugin)
     laser_evm.time = datetime.now()
     plugin_loader.instrument_virtual_machine(laser_evm, None)
     for transaction in concrete_data["steps"]:

mythril/interfaces/cli.py

@@ -300,15 +300,14 @@ def main() -> None:
     )
     create_disassemble_parser(disassemble_parser)
 
-    if PluginDiscovery().is_installed("myth_concolic_execution"):
-        concolic_parser = subparsers.add_parser(
-            CONCOLIC_LIST[0],
-            help="Runs concolic execution to flip the desired branches",
-            aliases=CONCOLIC_LIST[1:],
-            parents=[],
-            formatter_class=RawTextHelpFormatter,
-        )
-        create_concolic_parser(concolic_parser)
+    concolic_parser = subparsers.add_parser(
+        CONCOLIC_LIST[0],
+        help="Runs concolic execution to flip the desired branches",
+        aliases=CONCOLIC_LIST[1:],
+        parents=[],
+        formatter_class=RawTextHelpFormatter,
+    )
+    create_concolic_parser(concolic_parser)
 
     foundry_parser = subparsers.add_parser(
         FOUNDRY_LIST[0],

mythril/laser/plugin/plugins/__init__.py

@@ -12,3 +12,5 @@
 from mythril.laser.plugin.plugins.call_depth_limiter import CallDepthLimitBuilder
 from mythril.laser.plugin.plugins.instruction_profiler import InstructionProfilerBuilder
 from mythril.laser.plugin.plugins.summary import SymbolicSummaryPluginBuilder
+from mythril.laser.plugin.plugins.trace import TraceFinderBuilder
+from mythril.laser.plugin.plugins.coverage_metrics import CoverageMetricsPluginBuilder

mythril/laser/plugin/plugins/coverage_metrics/__init__.py

@@ -0,0 +1 @@
+from .metrics_plugin import CoverageMetricsPluginBuilder

mythril/laser/plugin/plugins/coverage_metrics/constants.py

@@ -0,0 +1 @@
+BATCH_OF_STATES = 5

mythril/laser/plugin/plugins/coverage_metrics/coverage_data.py

@@ -0,0 +1,73 @@
+import json
+from typing import Dict, List
+
+from mythril.support.support_utils import get_code_hash
+from mythril.laser.execution_info import ExecutionInfo
+
+
+class InstructionCoverageInfo(ExecutionInfo):
+    def __init__(self):
+        self._instruction_coverage = {}  # type: Dict[str, int]
+
+    def as_dict(self):
+        return dict(instruction_discovery_time=self._instruction_coverage)
+
+    def get_code_instr_hex(self, code: str, instruction: int):
+        code_hash = get_code_hash(code)[2:]
+        instruction_hex = hex(instruction)[2:]
+        return "{}:{}".format(code_hash, instruction_hex)
+
+    def is_covered(self, code: str, instruction: int):
+        code_instr_hex = self.get_code_instr_hex(code, instruction)
+        return code_instr_hex in self._instruction_coverage
+
+    def add_data(self, code: str, instruction: int, discovery_time: int):
+        code_instr_hex = self.get_code_instr_hex(code, instruction)
+        self._instruction_coverage[code_instr_hex] = discovery_time
+
+    def output(self, filename: str):
+        with open(filename, "w") as outfile:
+            json.dump(
+                self._instruction_coverage, default=lambda o: o.__dict__, fp=outfile
+            )
+
+
+class CoverageData:
+    def __init__(
+        self,
+        instructions_covered: int,
+        total_instructions: int,
+        branches_covered: int,
+        tx_id: int,
+        total_branches: int,
+        state_counter: int,
+        code: str,
+        time_elapsed: int,
+    ):
+        self.instructions_covered = instructions_covered
+        self.total_instructions = total_instructions
+        self.branches_covered = branches_covered
+        self.tx_id = tx_id
+        self.total_branches = total_branches
+        self.state_counter = state_counter
+        self.code_hash = get_code_hash(code)[2:]
+        self.time_elapsed = time_elapsed
+
+    def as_dict(self):
+        return self.__dict__
+
+
+class CoverageTimeSeries(ExecutionInfo):
+    def __init__(self):
+        self.coverage = []  # type: List[CoverageData]
+
+    def output(self, filename: str):
+        with open(filename, "w") as outfile:
+            json.dump(self.coverage, default=lambda o: o.__dict__, fp=outfile)
+
+    def as_dict(self):
+        return dict(coverage=self.coverage)
+
+    def add_data(self, *args, **kwargs):
+        cov_data = CoverageData(*args, **kwargs)
+        self.coverage.append(cov_data.as_dict())

mythril/laser/plugin/plugins/coverage_metrics/metrics_plugin.py

@@ -0,0 +1,131 @@
+from mythril.laser.ethereum.svm import LaserEVM
+from mythril.laser.plugin.interface import LaserPlugin
+from mythril.laser.plugin.builder import PluginBuilder
+from mythril.laser.ethereum.state.global_state import GlobalState
+from .coverage_data import (
+    CoverageTimeSeries,
+    InstructionCoverageInfo,
+)
+from .constants import BATCH_OF_STATES
+from typing import Dict, Tuple, List
+
+import time
+import logging
+
+log = logging.getLogger(__name__)
+
+
+class CoverageMetricsPluginBuilder(PluginBuilder):
+    """CoveragePlugin
+    Checks Instruction and branch coverage and puts it to data.json file
+    which appears in the directory in which mythril is run.
+    """
+
+    plugin_default_enabled = True
+    enabled = True
+
+    author = "MythX Development Team"
+    plugin_name = "MythX Coverage Metrics"
+    plugin_license = "All rights reserved."
+    plugin_type = "Laser Plugin"
+    plugin_description = (
+        "This plugin measures coverage throughout symbolic execution,"
+        " reporting it at the end in the MythX coverage format."
+    )
+
+    def __call__(self, *args, **kwargs):
+        """Constructs the plugin"""
+        return LaserCoveragePlugin()
+
+
+class LaserCoveragePlugin(LaserPlugin):
+    def __init__(self):
+        self.instruction_coverage_data = {}  # type: Dict[str, Tuple[int, Dict[bool]]]
+        self.branch_possibilities = {}  # type: Dict[str, Dict[int, List]]
+        self.tx_id = 0
+        self.state_counter = 0
+        self.coverage = CoverageTimeSeries()
+        self.instruction_coverage_info = InstructionCoverageInfo()
+        self.start_time = time.time_ns()
+
+    def initialize(self, symbolic_vm: LaserEVM) -> None:
+        """Initializes the instruction coverage plugin
+
+        Introduces hooks for each instruction
+        :param symbolic_vm: The symbolic virtual machine to initialise  this plugin for
+        """
+        log.info("Initializing coverage metrics plugin")
+
+        self.instruction_coverage_data = {}
+        self.branch_possibilities = {}
+        self.tx_id = 0
+
+        # Add the instruction coverage ExecutionInfo to laser vm for use in reporting
+        symbolic_vm.execution_info.append(self.instruction_coverage_info)
+        symbolic_vm.execution_info.append(self.coverage)
+
+        @symbolic_vm.laser_hook("execute_state")
+        def execute_state_hook(global_state: GlobalState):
+            self._update_instruction_coverage_data(global_state)
+            self._update_branch_coverage_data(global_state)
+            self.state_counter += 1
+            if self.state_counter == BATCH_OF_STATES:
+                self._record_coverage()
+                self.state_counter = 0
+
+        @symbolic_vm.laser_hook("stop_sym_trans")
+        def execute_stop_sym_trans_hook():
+            self.tx_id += 1
+
+        # The following is useful for debugging
+        # @symbolic_vm.laser_hook("stop_sym_exec")
+        # def execute_stop_sym_exec_hook():
+        #     self.coverage.output("coverage_data.json")
+        #     self.instruction_coverage_info.output("instruction_discovery_data.json")
+
+    def _update_instruction_coverage_data(self, global_state: GlobalState):
+        """Records instruction coverage"""
+        code = global_state.environment.code.bytecode
+        if code not in self.instruction_coverage_data.keys():
+            number_of_instructions = len(global_state.environment.code.instruction_list)
+            self.instruction_coverage_data[code] = (number_of_instructions, {})
+        current_instr = global_state.get_current_instruction()["address"]
+        if self.instruction_coverage_info.is_covered(code, current_instr) is False:
+            self.instruction_coverage_info.add_data(
+                code, current_instr, time.time_ns() - self.start_time
+            )
+        self.instruction_coverage_data[code][1][current_instr] = True
+
+    def _update_branch_coverage_data(self, global_state: GlobalState):
+        """Records branch coverage"""
+        code = global_state.environment.code.bytecode
+        if code not in self.branch_possibilities:
+            self.branch_possibilities[code] = {}
+
+        if global_state.get_current_instruction()["opcode"] != "JUMPI":
+            return
+        addr = global_state.get_current_instruction()["address"]
+        jump_addr = global_state.mstate.stack[-1]
+        if jump_addr.symbolic:
+            log.debug("Encountered a symbolic jump, ignoring it for branch coverage")
+            return
+        self.branch_possibilities[code][addr] = [addr + 1, jump_addr.value]
+
+    def _record_coverage(self):
+        for code, code_cov in self.instruction_coverage_data.items():
+            total_branches = 0
+            branches_covered = 0
+            for jumps, branches in self.branch_possibilities[code].items():
+                for branch in branches:
+                    total_branches += 1
+                    branches_covered += branch in code_cov[1]
+            self.coverage.add_data(
+                code=code,
+                instructions_covered=len(code_cov[1]),
+                total_instructions=code_cov[0],
+                branches_covered=branches_covered,
+                tx_id=self.tx_id,
+                total_branches=total_branches,
+                state_counter=self.state_counter,
+                time_elapsed=time.time_ns() - self.start_time,
+            )

mythril/laser/plugin/plugins/trace.py

@@ -0,0 +1,48 @@
+from mythril.laser.plugin.interface import LaserPlugin
+from mythril.laser.plugin.builder import PluginBuilder
+from mythril.laser.ethereum.state.global_state import GlobalState
+from mythril.laser.ethereum.svm import LaserEVM
+from typing import List, Tuple
+
+
+class TraceFinderBuilder(PluginBuilder):
+    name = "trace-finder"
+    plugin_default_enabled = True
+    enabled = True
+
+    author = "MythX Development Team"
+    name = "MythX Trace Finder"
+    plugin_license = "All rights reserved."
+    plugin_type = "Laser Plugin"
+    plugin_version = "0.0.1 "
+    plugin_description = "This plugin merges states after the end of a transaction"
+
+    def __call__(self, *args, **kwargs):
+        return TraceFinder()
+
+
+class TraceFinder(LaserPlugin):
+    def __init__(self):
+        self._reset()
+
+    def _reset(self):
+        self.tx_trace: List[List[Tuple[int, str]]] = []
+
+    def initialize(self, symbolic_vm: LaserEVM):
+        """Initializes Trace Finder
+
+        Introduces hooks during the start of the execution and each execution state
+        :param symbolic_vm:
+        :return:
+        """
+        self._reset()
+
+        @symbolic_vm.laser_hook("start_exec")
+        def start_sym_trans_hook():
+            self.tx_trace.append([])
+
+        @symbolic_vm.laser_hook("execute_state")
+        def trace_jumpi_hook(global_state: GlobalState):
+            self.tx_trace[-1].append(
+                (global_state.mstate.pc, global_state.current_transaction.id)
+            )