
Feature Request: please add an option to get which inputs allow reaching a specific bytecode address.

Open ytrezq opened this issue 4 years ago • 11 comments

Mythril can generate a call graph. But sometimes, when the call depth is huge, it’s difficult to find which input or input sequence in several transactions allows reaching a given opcode address.

Maybe writing this as an analyser module would be the best thing, but then it would require passing a parameter to modules. Something which, as far as I’m aware, isn’t possible either.

ytrezq avatar Nov 12 '19 03:11 ytrezq

If you want to find a transaction that reaches a specific point in your callgraph it would be easiest to just add assert(false) at the location that you want to reach. Mythril will then generate a transaction that reaches this assertion statement. This ofc doesn't work if you don't have the source code.

JoranHonig avatar Nov 12 '19 11:11 JoranHonig

@JoranHonig : except if the source code isn’t available or for testing low‑level compiler code generation.

ytrezq avatar Nov 13 '19 03:11 ytrezq

> except if the source code isn’t available or for testing low‑level compiler code generation.

In that case you can add an ASSERT_FAIL opcode at that point.

norhh avatar Nov 13 '19 12:11 norhh

@norhh: No. Adding instructions would change all jump addresses in the binary code, which means it’s not possible. In my case, I have only binary code along with its binary call graph… Nothing else.

ytrezq avatar Nov 16 '19 12:11 ytrezq

It should be possible to convert binary code to disassembly and vice versa. So it should be possible to add a new instruction to disassembly and change the other jump addresses in most of the cases by writing a quick program which does that. But yeah it is obviously something pretty irritating to do

norhh avatar Nov 16 '19 13:11 norhh
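
The rewriting step described in the comment above, as an added example that is not part of the original thread or of Mythril's code: it inserts one opcode at an instruction boundary and shifts jump targets, but only for the static `PUSHn <dest>; JUMP/JUMPI` pattern. The function names and the sample bytecode are constructed for illustration.

```python
# Added example (not Mythril code): insert one opcode into EVM bytecode and
# relocate static jump targets. Computed jumps, CODECOPY offsets and PC-relative
# logic also shift and are NOT handled here.
JUMP, JUMPI, JUMPDEST = 0x56, 0x57, 0x5B
INVALID = 0xFE  # EVM's designated invalid instruction (ASSERT_FAIL in the thread)
PUSH1, PUSH32 = 0x60, 0x7F

# Constructed sample: PUSH1 1; PUSH1 7; JUMPI; PUSH1 0x2a; JUMPDEST; STOP
SAMPLE = bytes.fromhex("6001600757602a5b00")


def disassemble(code: bytes):
    """Return [(offset, opcode, immediate_bytes)], skipping over PUSH data."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        width = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        out.append((pc, op, code[pc + 1:pc + 1 + width]))
        pc += 1 + width
    return out


def insert_opcode(code: bytes, at: int, new_op: int = INVALID) -> bytes:
    """Insert new_op before the instruction at offset `at`, fixing static jumps."""
    ins = disassemble(code)
    if at not in {off for off, _, _ in ins}:
        raise ValueError("offset is not an instruction boundary")
    jumpdests = {off for off, op, _ in ins if op == JUMPDEST}
    out = bytearray()
    for i, (off, op, imm) in enumerate(ins):
        if off == at:
            out.append(new_op)
        nxt = ins[i + 1][1] if i + 1 < len(ins) else None
        target = int.from_bytes(imm, "big") if imm else None
        if nxt in (JUMP, JUMPI) and target in jumpdests and target >= at:
            # Destinations at or after the insertion point move by one byte.
            if target + 1 >= 1 << (8 * len(imm)):
                raise ValueError("relocated target no longer fits its PUSH width")
            imm = (target + 1).to_bytes(len(imm), "big")
        out.append(op)
        out += imm
    return bytes(out)


if __name__ == "__main__":
    print(insert_opcode(SAMPLE, 5).hex())
```

A jump whose destination is the insertion offset itself is redirected to the moved JUMPDEST, so the inserted opcode is then only reached by fall-through.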

@norhh: and instead of writing such a program for reorganizing jumps, why not simply add the option to Mythril, for less work and once and for all (without needing to maintain VM-incompatible changes)? The reason for the fired issue would also be the correct one, making it quicker to differentiate added assertions from failed ones.

ytrezq avatar Nov 16 '19 13:11 ytrezq

> why not simply add the option to Mythril for fewer works and once and for

I never said it won't be added. I meant till then you can go for this approach.

norhh avatar Nov 16 '19 14:11 norhh

When I had a need to do something similar to this, what I did was write a simple custom module. That might be the best approach for now.

You can copy much of the logic from an existing module, then add a check if the expected instruction was reached, and report an issue in that case. https://github.com/ConsenSys/mythril/blob/develop/mythril/analysis/modules/exceptions.py#L51

Does that seem like a reasonable solution for now?

nbanmp avatar Nov 18 '19 18:11 nbanmp

@nbanmp: and why not add such a custom module to the codebase, where it becomes active only when a required parameter is passed on the command line?

ytrezq avatar Nov 21 '19 19:11 ytrezq

We could. It's just not a high priority right now. Currently there isn't any logic for passing parameters to analysis modules, so that would also need to be added.

If you (or anyone else) end up writing the module, we'd be happy to merge it in.

nbanmp avatar Nov 21 '19 19:11 nbanmp

> Currently there isn't any logic for passing parameters to analysis modules, so that would also need to be added

I added a Singleton Class named AnalysisArgs() a while back, it can be imported to the analysis modules. (yes! it's a weird method)

norhh avatar Nov 21 '19 19:11 norhh