Keccak256 abstract semantics

Author: VincenzoArceri

evm-testcases/cfs/keccak256/keccak.sol

@@ -0,0 +1,3 @@
+PUSH1 0x20
+PUSH1 0x00
+SHA3

evm-testcases/cfs/keccak256/report.json

@@ -0,0 +1,38 @@
+{
+  "warnings" : [ ],
+  "files" : [ "report.json", "untyped_program.evm-testcases_cfs_keccak256_keccak.sol().json" ],
+  "info" : {
+    "cfgs" : "1",
+    "duration" : "420ms",
+    "end" : "2025-05-10T23:18:33.632+02:00",
+    "expressions" : "2",
+    "files" : "1",
+    "globals" : "0",
+    "members" : "1",
+    "programs" : "1",
+    "start" : "2025-05-10T23:18:33.212+02:00",
+    "statements" : "3",
+    "units" : "0",
+    "version" : "0.1",
+    "warnings" : "0"
+  },
+  "configuration" : {
+    "analysisGraphs" : "NONE",
+    "descendingPhaseType" : "NONE",
+    "dumpForcesUnwinding" : "false",
+    "fixpointWorkingSet" : "DuplicateFreeFIFOWorkingSet",
+    "glbThreshold" : "5",
+    "hotspots" : "unset",
+    "jsonOutput" : "true",
+    "openCallPolicy" : "WorstCasePolicy",
+    "optimize" : "false",
+    "recursionWideningThreshold" : "5",
+    "semanticChecks" : "JumpSolver",
+    "serializeInputs" : "false",
+    "serializeResults" : "true",
+    "syntacticChecks" : "",
+    "useWideningPoints" : "false",
+    "wideningThreshold" : "5",
+    "workdir" : "evm-outputs/cfs/keccak256"
+  }
+}

evm-testcases/cfs/keccak256/untyped_program.evm-testcases_cfs_keccak256_keccak.sol().json

@@ -0,0 +1,107 @@
+{
+	"name": "untyped program::evm-testcases/cfs/keccak256/keccak.sol()",
+	"description": null,
+	"nodes": [
+		{
+			"id": 0,
+			"subNodes": [
+				1
+			],
+			"text": "PUSH1 0x20"
+		},
+		{
+			"id": 1,
+			"text": "0x20"
+		},
+		{
+			"id": 2,
+			"subNodes": [
+				3
+			],
+			"text": "PUSH1 0x00"
+		},
+		{
+			"id": 3,
+			"text": "0x00"
+		},
+		{
+			"id": 4,
+			"text": "SHA3"
+		}
+	],
+	"edges": [
+		{
+			"sourceId": 0,
+			"destId": 2,
+			"kind": "SequentialEdge"
+		},
+		{
+			"sourceId": 2,
+			"destId": 4,
+			"kind": "SequentialEdge"
+		}
+	],
+	"descriptions": [
+		{
+			"nodeId": 0,
+			"description": {
+				"expressions": [
+					"push \"0x20\""
+				],
+				"state": {
+					"heap": "monolith",
+					"type": "#TOP#",
+					"value": "{ stacks: [[_|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, 32]], memory: EMPTY, storage: #TOP# }"
+				}
+			}
+		},
+		{
+			"nodeId": 1,
+			"description": {
+				"expressions": [
+					"\"0x20\""
+				],
+				"state": "#TOP#"
+			}
+		},
+		{
+			"nodeId": 2,
+			"description": {
+				"expressions": [
+					"push \"0x00\""
+				],
+				"state": {
+					"heap": "monolith",
+					"type": "#TOP#",
+					"value": "{ stacks: [[_|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, 32, 0]], memory: EMPTY, storage: #TOP# }"
+				}
+			}
+		},
+		{
+			"nodeId": 3,
+			"description": {
+				"expressions": [
+					"\"0x00\""
+				],
+				"state": {
+					"heap": "monolith",
+					"type": "#TOP#",
+					"value": "{ stacks: [[_|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, 32]], memory: EMPTY, storage: #TOP# }"
+				}
+			}
+		},
+		{
+			"nodeId": 4,
+			"description": {
+				"expressions": [
+					"sha3 1"
+				],
+				"state": {
+					"heap": "monolith",
+					"type": "#TOP#",
+					"value": "{ stacks: [[_|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, _|_, 18569430475105882587588266137607568536673111973893317399460219858819262702947]], memory: EMPTY, storage: #TOP# }"
+				}
+			}
+		}
+	]
+}

src/main/java/it/unipr/analysis/AbstractMemory.java

@@ -57,7 +57,8 @@ public AbstractMemory mstore(StackElement offset, StackElement e) {
 		}
 
 		if (offset.compareTo(new StackElement(Number.MAX_INT)) >= 0) {
-			log.warn("Offset is greater than max int representation, ignoring mstore with offset {}, value {}.", offset, e);
+			log.warn("Offset is greater than max int representation, ignoring mstore with offset {}, value {}.", offset,
+					e);
 			return AbstractMemory.BOTTOM; // fake path
 		}
 
@@ -86,12 +87,14 @@ public AbstractMemory mstore8(StackElement offset, StackElement value) {
 		}
 
 		if (offset.compareTo(new StackElement(MAX_MEMORY_SIZE)) >= 0) {
-			log.warn("Offset or value are greater than max memory size, ignoring mstore8 with offset {} and value {}.", offset, value);
+			log.warn("Offset or value are greater than max memory size, ignoring mstore8 with offset {} and value {}.",
+					offset, value);
 			return AbstractMemory.BOTTOM;
 		}
 
 		if (offset.compareTo(new StackElement(Number.MAX_INT)) >= 0) {
-			log.warn("Offset is greater than max int representation, ignoring mstore8 with offset {} and value {}.", offset, value);
+			log.warn("Offset is greater than max int representation, ignoring mstore8 with offset {} and value {}.",
+					offset, value);
 			return AbstractMemory.BOTTOM; // fake path
 		}
 
@@ -130,24 +133,36 @@ public StackElement mload(StackElement offset) {
 
 	public AbstractMemory mcopy(StackElement destOffset, StackElement srcOffset, StackElement length) {
 		if (length.compareTo(new StackElement(MAX_MEMORY_SIZE)) >= 0) {
-			log.warn("length is greater than max memory size, ignoring mcopy with destOffset {}, srcOffset {}, length {}.", destOffset, srcOffset, length);
+			log.warn(
+					"length is greater than max memory size, ignoring mcopy with destOffset {}, srcOffset {}, length {}.",
+					destOffset, srcOffset, length);
 			return AbstractMemory.TOP;
 		} else if (destOffset.compareTo(new StackElement(MAX_MEMORY_SIZE)) >= 0) {
-			log.warn("destOffset is greater than max memory size, ignoring mcopy with destOffset {}, srcOffset {}, length {}.", destOffset, srcOffset, length);
+			log.warn(
+					"destOffset is greater than max memory size, ignoring mcopy with destOffset {}, srcOffset {}, length {}.",
+					destOffset, srcOffset, length);
 			return AbstractMemory.TOP;
 		} else if (srcOffset.compareTo(new StackElement(MAX_MEMORY_SIZE)) >= 0) {
-			log.warn("srcOffset is greater than max memory size, ignoring mcopy with destOffset {}, srcOffset {}, length {}.", destOffset, srcOffset, length);
+			log.warn(
+					"srcOffset is greater than max memory size, ignoring mcopy with destOffset {}, srcOffset {}, length {}.",
+					destOffset, srcOffset, length);
 			return AbstractMemory.TOP;
 		}
 
 		if (destOffset.compareTo(new StackElement(Number.MAX_INT)) >= 0) {
-			log.warn("destOffset is greater than max int representation, ignoring mcopy with destOffset {}, srcOffset {}, length {}.", destOffset, srcOffset, length);
+			log.warn(
+					"destOffset is greater than max int representation, ignoring mcopy with destOffset {}, srcOffset {}, length {}.",
+					destOffset, srcOffset, length);
 			return AbstractMemory.BOTTOM; // fake path
 		} else if (srcOffset.compareTo(new StackElement(Number.MAX_INT)) >= 0) {
-			log.warn("srcOffset is greater than max int representation, ignoring mcopy with destOffset {}, srcOffset {}, length {}.", destOffset, srcOffset, length);
+			log.warn(
+					"srcOffset is greater than max int representation, ignoring mcopy with destOffset {}, srcOffset {}, length {}.",
+					destOffset, srcOffset, length);
 			return AbstractMemory.BOTTOM; // fake path
 		} else if (length.compareTo(new StackElement(Number.MAX_INT)) >= 0) {
-			log.warn("length is greater than max int representation, ignoring mcopy with destOffset {}, srcOffset {}, length {}.", destOffset, srcOffset, length);
+			log.warn(
+					"length is greater than max int representation, ignoring mcopy with destOffset {}, srcOffset {}, length {}.",
+					destOffset, srcOffset, length);
 			return AbstractMemory.BOTTOM; // fake path
 		}
 
@@ -369,10 +384,30 @@ public static void fill(AbstractByte[] bytes, byte value) {
 		}
 	}
 
-	private static boolean isUnknown(AbstractByte[] bytes) {
+	public static boolean isUnknown(AbstractByte[] bytes) {
 		for (int i = 0; i < 32; i++)
 			if (bytes[i].isTop())
 				return true;
 		return false;
 	}
+
+	public byte[] readBytes(int offset, int length) {
+		if (offset < 0 || length < 0)
+			throw new IllegalArgumentException("Negative offset or length");
+		if (offset + length > MAX_MEMORY_SIZE)
+			throw new IllegalArgumentException(
+					"Read exceeds maximum memory size: " + (offset + length));
+
+		AbstractByte[] backing = ensureCapacity(offset + length);
+
+		byte[] out = new byte[length];
+		for (int i = 0; i < length; i++) {
+			AbstractByte b = backing[offset + i];
+			// Treat TOP/unknown as 0x00
+			if (b.isTop())
+				return null;
+			out[i] = b.isTop() ? (byte) 0 : b.getValue();
+		}
+		return out;
+	}
 }

src/main/java/it/unipr/analysis/AbstractStack.java

@@ -267,24 +267,15 @@ public void push(StackElement element) {
 	 * @return the element at the top of the stack before popping
 	 */
 	public StackElement pop() {
-
 		int topIndex = (tail - 1 + STACK_LIMIT) % STACK_LIMIT;
-		StackElement popped = circularArray[topIndex];
-
-		// Shift
+		StackElement poppedElement = circularArray[topIndex];
+		StackElement oldBottom = circularArray[head];
+		// rotate head back to shift everything up
 		head = (head - 1 + STACK_LIMIT) % STACK_LIMIT;
-		int bottomIndex = head;
-		int secondLogicalIndex = (head + 1) % STACK_LIMIT;
-
-		if (circularArray[secondLogicalIndex].isTop())
-			circularArray[bottomIndex] = StackElement.TOP;
-		else
-			circularArray[bottomIndex] = StackElement.BOTTOM;
-
-		tail = (head + STACK_LIMIT) % STACK_LIMIT;
-		circularArray[topIndex] = StackElement.BOTTOM;
-
-		return popped;
+		// tail follows head (stack remains “full” in structure)
+		tail = head;
+		circularArray[head] = oldBottom.isBottom() ? StackElement.BOTTOM : StackElement.TOP;
+		return poppedElement;
 	}
 
 	/**
@@ -431,31 +422,4 @@ private StackElement[] toLogicalArray() {
 			logical[i] = circularArray[(head + i) % STACK_LIMIT];
 		return logical;
 	}
-	
-	public static void main(String[] args) {
-	    AbstractStack.setStackLimit(3);
-
-	    // Stack2: [4, 5, 6], head=0, tail=0 → logico: [4, 5, 6]
-	    AbstractStack stack2 = new AbstractStack();
-	    stack2.push(new StackElement(4));
-	    stack2.push(new StackElement(5));
-	    stack2.push(new StackElement(6));
-	    stack2.head = 0;
-	    stack2.tail = 0;
-	    System.out.println("Stack2: " + stack2);
-
-	    /*Test2 - array fisicamente diversi ma logicamente uguali*/
-	    System.out.println("********** Test 2 ********** ");
-	    // Stack3: [1, 2, 3], head=1, tail=1 → logico: [2, 3, 1]
-	    AbstractStack stack3 = new AbstractStack();
-	    stack3.head = 1;
-	    stack3.tail = 1;
-	    System.out.println("Stack3: " + stack3);
-	    stack3.push(new StackElement(4));
-	    System.out.println("Stack3: " + stack3);
-	    stack3.push(new StackElement(5));
-	    System.out.println("Stack3: " + stack3);
-	    stack3.push(new StackElement(6));
-	    System.out.println("Stack3: " + stack3);
-	}
 }

src/main/java/it/unipr/analysis/Number.java

@@ -247,6 +247,7 @@ public Number not() {
 	 * Computes the modulo of this number by another number.
 	 *
 	 * @param other the number to divide by
+	 * 
 	 * @return the result as a {@code Number}
 	 */
 	public Number modulo(Number other) {

src/main/java/it/unipr/analysis/StackElement.java

@@ -7,8 +7,6 @@
 import it.unive.lisa.util.representation.StructuredRepresentation;
 import java.math.BigInteger;
 import java.util.Objects;
-import java.util.Stack;
-
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 

src/test/java/it/unipr/analysis/cron/semantics/EVMAbstractSemanticsTest.java

@@ -97,13 +97,13 @@ public void testMstore() throws AnalysisSetupException, IOException {
 		CronConfiguration conf = createConfiguration("cfs", "mstore", "mstore_eth.sol", false);
 		perform(conf);
 	}
-	
+
 	@Test
 	public void testMstore2() throws AnalysisSetupException, IOException {
 		CronConfiguration conf = createConfiguration("cfs", "mstore2", "mstore_eth.sol", false);
 		perform(conf);
 	}
-	
+
 	@Test
 	public void testMstore3() throws AnalysisSetupException, IOException {
 		CronConfiguration conf = createConfiguration("cfs", "mstore3", "mstore_eth.sol", false);
@@ -122,6 +122,12 @@ public void testLT() throws AnalysisSetupException, IOException {
 		perform(conf);
 	}
 
+	@Test
+	public void testKeccak256() throws AnalysisSetupException, IOException {
+		CronConfiguration conf = createConfiguration("cfs", "keccak256", "keccak.sol", false);
+		perform(conf);
+	}
+
 	/**
 	 * All the items in the final stack must be 1
 	 */