Open
Description
Description
Consider the following Solidity source c.sol:
// SPDX-License-Identifier: UNLICENCED
pragma solidity 0.4.26;
// pragma solidity 0.8.25;
contract c {
int256 num = 2**255 - 1;
// int248 num = 2**247 - 1;
// uint256 num = 2**256 - 1;
// uint248 num = 2**248 - 1;
function t() public payable {
num = num + 5;
// num = num * 5;
}
}These are 16 source files (2 compilers, 4 types, 2 operations).
solc 0.4.26
Running the commands
./myth a c.sol
./myth a -c `solc --bin c.sol | tail -1`yields
| + | * | |
|---|---|---|
| int256 | no issues | OVERFLOW |
| int248 | no issues | no issues |
| uint256 | OVERFLOW | OVERFLOW |
| uint248 | no issues | no issues |
The command
./myth a --bin-runtime -c `solc --bin-runtime c.sol | tail -1`yields no issues for all variants (probably to be expected), whereas
./myth a --bin-runtime --unconstrained-storage -c `solc --bin-runtime c.sol | tail -1`yields
| + | * | |
|---|---|---|
| int256 | OVERFLOW | OVERFLOW |
| int248 | OVERFLOW | OVERFLOW |
| uint256 | OVERFLOW | OVERFLOW |
| uint248 | no issues | no issues |
solc 0.8.25
For this compiler version, the two tables from above look like
| + | * | |
|---|---|---|
| int256 | no issues | no issues |
| int248 | no issues | no issues |
| uint256 | no issues | no issues |
| uint248 | no issues | no issues |
| + | * | |
|---|---|---|
| int256 | OVERFLOW | OVERFLOW |
| int248 | OVERFLOW | OVERFLOW |
| uint256 | no issues | no issues |
| uint248 | no issues | no issues |
Expected behavior
I'd expected Mythril to detect overflows more consistently, maybe just for (u)int256 and not for (u)int248 (if it is not able to infer the smaller type size), or just for addition and not multiplication, but not this patchwork.
Environment
Mythril: 0.24.8
Python: 3.10.12
Solc: 0.4.26+commit.4563c3fc.Linux.g++ / 0.8.25+commit.b61c2a91.Linux.g++
OS: Ubuntu Linux 22.04