Skip to content

Reworked symbolic execution code#1394

Merged
elopez merged 80 commits intocrytic:masterfrom
gustavo-grieco:fixed-sym-exec
Aug 6, 2025
Merged

Reworked symbolic execution code#1394
elopez merged 80 commits intocrytic:masterfrom
gustavo-grieco:fixed-sym-exec

Conversation

@gustavo-grieco
Copy link
Copy Markdown
Collaborator

@gustavo-grieco gustavo-grieco commented Jul 8, 2025

This PR brings a good number of important changes to the symbolic execution code:

  • It removes the concolic execution: this code should be moved to hevm directly, since it is too hard to maintain from our side, and we don´t know exactly when it is useful.
  • It adds a new type of test result: unsolvable. This new value is used to signal that a symbolic exploration finished to review all possible states without any counter example to trigger an assertion failure.
  • It improves the full symbolic execution of a single transaction, as this seems to be the best approach to explore the code using symbolic execution, some notable changes:
    • A corpus is shuffled before selecting a sequence for the symbolic exploration
    • Bitwulza is the new default smt solver, but other solvers can be selected
    • Support for handling symbolic block.number and block.timestamp
    • Support for avoiding doing symbolic exploration for useless (e.g. no arguments) or unsupported inputs (e.g. dynamic arguments)
    • Two modes for using symbolic execution: verification mode (stateless) and exploration (fuzzing+sym-exec)
    • Two strategies are used for introducing symbolic transactions in the exploration mode: (1) a random transaction is inserted at a random position and (2) the last transaction of a sequence is symbolized.
    • Support for RPC query when doing symbolic exploration (including cache that will be queried but not updated)
    • Added some more tests for symbolic execution (verification mode)
    • The symbolic execution mode is moved into its own directory

Some unrelated changes included in this PR:

  • Removed etheno related code (obsolete)
  • Removed tests related with gas usage (covered by hevm per opcode) and self-destruction (no longer relevant in the current fork)
  • Removed usage of very old solc version in the tests

Known issues:

  • UI needs to be adapted in verification mode since the symbolic worker is busy and it can block the refresh of the UI. Text mode is advised.
  • There is a detection to some cases where hevm produces a counter example, but it is not reproduced correctly. This is a bug that will be eventually solved upstream, but if we manage to detect a counter example that does not increase coverage (e.g. reached an assertion), echidna will trigger a failure so it can be reported upstream. This detection is not perfect, and there cases where it does not properly work.

gustavo-grieco and others added 30 commits April 14, 2025 20:48
@gustavo-grieco
removed etheno support
99f9ce5
@gustavo-grieco
removed tstore_test.sol
5f9c8a0
@gustavo-grieco
fix hlint
ec55378
@gustavo-grieco
removed old solc versions, use 0.8.x only instead
05be755
@gustavo-grieco
fixed harvey test
922884a
@gustavo-grieco
removed unusued import
cf76f78
@gustavo-grieco
Merge pull request #1 from gustavo-grieco/reduced-ci-tests
bd36c5d 
removed old solc versions, use 0.8.x only instead
@gustavo-grieco
started to fix symexec using latest hevm
192f485
@gustavo-grieco
added RPC support for symbolic execution + some clean up
378d919
@gustavo-grieco
added missing file
40ac39e
@gustavo-grieco
better constraints for block timestamp and number
3722f22
@gustavo-grieco
improved and simplified symexec code
c5ed685
@gustavo-grieco
removed useless code
81ca9ef
@gustavo-grieco
removed useless code
c2bc3bd
@gustavo-grieco
removed useless code
354bd50
@gustavo-grieco
hlint fixes
2738c0e
@gustavo-grieco
some test fixes
76d51ab
@gustavo-grieco
increase the number of random symbolic transaction if the corpus is e…
b10f807 
…mpty
@gustavo-grieco
fixed typos
fb6338a
@gustavo-grieco
added comments on why we only take one method from the shuffle list w…
8521841 
…hen doing symbolic exploration
@gustavo-grieco
fix flake.nix revision
cb34d9b
@gustavo-grieco
fixes
f934990
@gustavo-grieco
Merge branch 'master' into fixed-sym-exec
dafacd3
@gustavo-grieco
merge with master
8ea397a
@gustavo-grieco
enable NIXPKGS_ALLOW_BROKEN
08819cc
@gustavo-grieco
add impure flag
05cb48d
@gustavo-grieco
allow user to select smt solver
78a909e
@gustavo-grieco
use slither to filter functions with assert, if any
53c3bc7
@gustavo-grieco
started adding full verification mode for stateless campaigns
63df7e9
@gustavo-grieco
some stuff working
d98439b
@gustavo-grieco
Copy link
Copy Markdown
Collaborator Author

gustavo-grieco commented Jul 23, 2025

It seems that the latest merge broke it: https://github.com/crytic/echidna/actions/runs/16471079633/job/46560187173?pr=1394#step:14:34 😅

elopez
elopez reviewed Aug 3, 2025
View reviewed changes
elopez
elopez reviewed Aug 5, 2025
View reviewed changes
@elopez elopez merged commit c267104 into crytic:master Aug 6, 2025
21 of 22 checks passed
@gustavo-grieco gustavo-grieco deleted the fixed-sym-exec branch September 14, 2025 17:26
@BrewTestBot BrewTestBot mentioned this pull request Dec 15, 2025
Merged
datradito pushed a commit to datradito/echidna-mcp that referenced this pull request Dec 29, 2025
@gustavo-grieco
Reworked symbolic execution code (crytic#1394)
eb87bc2 
* removed old solc versions, use 0.8.x only instead

* fixed harvey test

* started to fix symexec using latest hevm

* added RPC support for symbolic execution + some clean up

* better constraints for block timestamp and number

* improved and simplified symexec code

* removed useless code

* some test fixes

* increase the number of random symbolic transaction if the corpus is empty

* added comments on why we only take one method from the shuffle list when doing symbolic exploration

* allow user to select smt solver

* use slither to filter functions with assert, if any

* started adding full verification mode for stateless campaigns

* refactored tons of code

* improved code for exploration/verification

* finished implementation and get back to hevm master

* fixed issue in addBlockConstraints and upgraded hevm

* disable debug mode when using interactive mode

* corrected array size in symbolic output

* fix decoding of negative numbers

* simplified code for decoding of negative numbers

* removed initialize field from default

* use verification mode for sym-assert test

* added some basic verification tests

* make the harvey test more reliable

* simplified exploration code and added shrinking

* added new test for exploration mode (but disabled so far)

* worker related refactoring code to allow other parts of the codebase to send events

* make sure symExecTarget is used to select methods

* keccak preimage support enabled

* reduced code duplication

* added documentation

* use new types in Types/Config.hs

* removed killed-related files
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@elopez elopez elopez approved these changes

@arcz arcz Awaiting requested review from arcz arcz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gustavo-grieco @elopez