
New exploration stopping condition

Open feliam opened this issue 5 years ago • 0 comments

Rather than stopping when the last tx has not uncovered any new code at any of the explored states, stop when each state on its own did not find any new code.

What?

Consider this example:

contract MotivatingExample {
    event Log(string);
    int stateA = 0;
    int stateB = 0;
    function f(int input) public {
        stateA = input;
    }
    function g() public {
        stateB = stateA;
    }
    function h() payable public {
        if (stateB == 61) {
            emit Log("Bug found");
        }
    }
}

You need a trace with f()-g()-h() to emit the bug log. Though in the first explored tx Manticore will fork and explore f(), g(), and h(), all in different states, hitting most of the code. Then in the second tx no new coverage would be found and the third tx will never be tried, iff you used the global coverage stopping condition.

This adds a way to stop only when no state made any progress in its own world. Clearly a longer process.

feliam, Aug 27 '20 20:08
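The two stopping conditions described in the issue, compared on a toy model of MotivatingExample. This is an added example, not Manticore code and not part of the original issue: `SYM`, `State`, `step` and `explore` are hypothetical names, no solver is involved, the fork inside h() is collapsed into one successor, and the per-state policy is assumed to drop any state whose last tx covered nothing new for that state.

```python
from typing import NamedTuple

SYM = "sym"  # stands for f()'s caller-chosen (symbolic) argument

class State(NamedTuple):
    a: object          # stateA: 0 or SYM
    b: object          # stateB: 0 or SYM
    seen: frozenset    # code blocks covered on this state's own path

def step(s, fn):
    """Apply one tx; return (stateA, stateB, blocks covered)."""
    if fn == "f":
        return SYM, s.b, {"f"}
    if fn == "g":
        return s.a, s.a, {"g"}
    # h: the "Bug found" branch is feasible only if stateB can equal 61
    blocks = {"h", "h:bug"} if s.b == SYM else {"h"}
    return s.a, s.b, blocks

def explore(per_state, max_tx=8):
    """Return (bug_found, tx_rounds_run, tx_executions)."""
    states, covered, runs = [State(0, 0, frozenset())], set(), 0
    for n in range(1, max_tx + 1):
        successors, progressed, round_cov = [], [], set()
        for s in states:
            for fn in "fgh":
                a, b, blocks = step(s, fn)
                runs += 1
                round_cov |= blocks
                child = State(a, b, s.seen | blocks)
                successors.append(child)
                if not blocks <= s.seen:   # new code for this state
                    progressed.append(child)
        global_new = not round_cov <= covered
        covered |= round_cov
        if per_state:
            states = progressed            # stop once no state progressed
            if not states:
                break
        else:
            states = successors            # stop once the round found nothing
            if not global_new:
                break
    return "h:bug" in covered, n, runs

if __name__ == "__main__":
    print("global coverage:", explore(per_state=False))
    print("per-state      :", explore(per_state=True))
```

In this model the global condition gives up after the second tx without reaching the log, while the per-state condition reaches it through f()-g()-h() at the cost of more tx executions.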