Enum evmil::Instruction
source · pub enum Instruction {
Show 79 variants
STOP,
ADD,
MUL,
SUB,
DIV,
SDIV,
MOD,
SMOD,
ADDMOD,
MULMOD,
EXP,
SIGNEXTEND,
LT,
GT,
SLT,
SGT,
EQ,
ISZERO,
AND,
OR,
XOR,
NOT,
BYTE,
SHL,
SHR,
SAR,
KECCAK256,
ADDRESS,
BALANCE,
ORIGIN,
CALLER,
CALLVALUE,
CALLDATALOAD,
CALLDATASIZE,
CALLDATACOPY,
CODESIZE,
CODECOPY,
GASPRICE,
EXTCODESIZE,
EXTCODECOPY,
RETURNDATASIZE,
RETURNDATACOPY,
EXTCODEHASH,
BLOCKHASH,
COINBASE,
TIMESTAMP,
NUMBER,
DIFFICULTY,
GASLIMIT,
CHAINID,
SELFBALANCE,
POP,
MLOAD,
MSTORE,
MSTORE8,
SLOAD,
SSTORE,
JUMP,
JUMPI,
PC,
MSIZE,
GAS,
JUMPDEST(usize),
PUSH(Vec<u8>),
PUSHL(usize),
DUP(u8),
SWAP(u8),
LOG(u8),
CREATE,
CALL,
CALLCODE,
RETURN,
DELEGATECALL,
CREATE2,
STATICCALL,
REVERT,
INVALID,
SELFDESTRUCT,
DATA(Vec<u8>),
}
Variants§
STOP
ADD
MUL
SUB
DIV
SDIV
MOD
SMOD
ADDMOD
MULMOD
EXP
SIGNEXTEND
LT
GT
SLT
SGT
EQ
ISZERO
AND
OR
XOR
NOT
BYTE
SHL
SHR
SAR
KECCAK256
ADDRESS
BALANCE
ORIGIN
CALLER
CALLVALUE
CALLDATALOAD
CALLDATASIZE
CALLDATACOPY
CODESIZE
CODECOPY
GASPRICE
EXTCODESIZE
EXTCODECOPY
RETURNDATASIZE
RETURNDATACOPY
EXTCODEHASH
BLOCKHASH
COINBASE
TIMESTAMP
NUMBER
DIFFICULTY
GASLIMIT
CHAINID
SELFBALANCE
POP
MLOAD
MSTORE
MSTORE8
SLOAD
SSTORE
JUMP
JUMPI
PC
MSIZE
GAS
JUMPDEST(usize)
PUSH(Vec<u8>)
PUSHL(usize)
DUP(u8)
SWAP(u8)
LOG(u8)
CREATE
CALL
CALLCODE
RETURN
DELEGATECALL
CREATE2
STATICCALL
REVERT
INVALID
SELFDESTRUCT
DATA(Vec<u8>)
Implementations§
source§impl Instruction
impl Instruction
sourcepub fn fallthru(&self) -> bool
pub fn fallthru(&self) -> bool
Determine whether or not control can continue to the next instruction.
sourcepub fn can_branch(&self) -> bool
pub fn can_branch(&self) -> bool
Determine whether or not this instruction can branch. That
is, whether or not it is a JUMP
or JUMPI
instruction.
Examples found in repository?
294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
pub fn build(mut self) -> Self {
let mut changed = true;
//
while changed {
// Reset indicator
changed = false;
// Iterate blocks in order
for i in 0..self.blocks.len() {
// Sanity check whether block unreachable.
if !self.is_block_reachable(i) { continue; }
// Yes, is reachable so continue.
let blk = &self.blocks[i];
let mut ctx = self.contexts[i].clone();
let mut pc = blk.start;
// println!("BLOCK (start={}, end={}): {:?}", pc, blk.end, i);
// println!("CONTEXT (pc={}): {}", pc, ctx);
// Parse the block
while pc < blk.end {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&self.bytes);
// Check whether a branch is possible
if insn.can_branch() {
// Determine branch target
let target = ctx.peek(0).unwrap();
// Determine branch context
let branch_ctx = ctx.branch(target,&insn);
// Convert target into block ID.
let block_id = self.get_enclosing_block_id(target);
// println!("Branch: target={} (block {})",target,block_id);
// println!("Before merge (pc={}): {}", pc, self.contexts[block_id]);
// Merge in updated state
changed |= self.contexts[block_id].merge(branch_ctx);
// println!("After merge (pc={}): {}", pc, self.contexts[block_id]);
}
// Apply the transfer function!
// print!("{:#08x}: {}",pc,ctx);
ctx = ctx.transfer(&insn);
// println!(" ==>\t{:?}\t==> {}",insn,ctx);
// Next instruction
pc = pc + insn.length(&[]);
}
// Merge state into following block.
if (i+1) < self.blocks.len() {
changed |= self.contexts[i+1].merge(ctx);
}
}
}
self
}
sourcepub fn encode(&self, offsets: &[Offset], bytes: &mut Vec<u8>) -> Result<(), Error>
pub fn encode(&self, offsets: &[Offset], bytes: &mut Vec<u8>) -> Result<(), Error>
Encode an instruction into a byte sequence, assuming a given set of label offsets.
sourcepub fn length(&self, _offsets: &[Offset]) -> usize
pub fn length(&self, _offsets: &[Offset]) -> usize
Determine the length of this instruction (in bytes) assuming a given set of label offsets.
Examples found in repository?
125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
pub fn get_state(&self, loc: usize) -> T {
// Determine enclosing block
let bid = self.get_enclosing_block_id(loc);
let blk = &self.blocks[bid];
let mut ctx = self.contexts[bid].clone();
let mut pc = blk.start;
// Reconstruct state
while pc < loc {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&self.bytes);
// Apply the transfer function!
ctx = ctx.transfer(&insn);
// Next instruction
pc = pc + insn.length(&[]);
}
// Done
ctx
}
/// Get the enclosing block for a given bytecode location.
pub fn get_enclosing_block(&self, pc: usize) -> &Block {
for i in 0..self.blocks.len() {
if self.blocks[i].encloses(pc) {
return &self.blocks[i];
}
}
panic!("invalid bytecode address");
}
/// Determine whether a given block is currently considered
/// reachable or not. Observe the root block (`id=0`) is _always_
/// considered reachable.
pub fn is_block_reachable(&self, id: usize) -> bool {
id == 0 || self.contexts[id].is_reachable()
}
/// Read a slice of bytes from the bytecode program, padding with
/// zeros as necessary.
pub fn read_bytes(&self, start: usize, end: usize) -> Vec<u8> {
let n = self.bytes.len();
if start >= n {
vec![0; end-start]
} else if end > n {
// Determine lower potion
let mut slice = self.bytes[start..n].to_vec();
// Probably a more idiomatic way to do this?
for _i in end .. n { slice.push(0); }
//
slice
} else {
// Easy case
self.bytes[start..end].to_vec()
}
}
/// Refine this disassembly to something (ideally) more precise
/// use a fixed point dataflow analysis. This destroys the
/// original disassembly.
pub fn refine<S>(self) -> Disassembly<'a,S>
where S:AbstractState+From<T> {
let mut contexts = Vec::new();
// Should be able to do this with a map?
for ctx in self.contexts {
contexts.push(S::from(ctx));
}
// Done
Disassembly{bytes: self.bytes, blocks: self.blocks, contexts}
}
/// Flattern the disassembly into a sequence of instructions.
pub fn to_vec(&self) -> Vec<Instruction> {
let mut insns = Vec::new();
// Iterate blocks in order
for i in 0..self.blocks.len() {
let blk = &self.blocks[i];
let ctx = &self.contexts[i];
// Check for reachability
if i == 0 || ctx.is_reachable() {
// Disassemble block
self.disassemble_into(blk,&mut insns);
} else {
// Not reachable, so must be data.
let data = self.read_bytes(blk.start,blk.end);
//
insns.push(DATA(data));
}
}
//
insns
}
// ================================================================
// Helpers
// ================================================================
/// Disassemble a given block into a sequence of instructions.
fn disassemble_into(&self, blk: &Block, insns: &mut Vec<Instruction>) {
let mut pc = blk.start;
// Parse the block
while pc < blk.end {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&self.bytes);
// Increment PC for next instruction
pc = pc + insn.length(&[]);
//
insns.push(insn);
}
}
/// Perform a linear scan splitting out the blocks. This is an
/// over approximation of the truth, as some blocks may turn out
/// to be unreachable (e.g. they are data).
fn scan_blocks(bytes: &[u8]) -> Vec<Block> {
let mut blocks = Vec::new();
// Current position in bytecodes
let mut pc = 0;
// Identifies start of current block.
let mut start = 0;
// Parse the block
while pc < bytes.len() {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&bytes);
// Increment PC for next instruction
pc = pc + insn.length(&[]);
// Check whether terminating instruction
match insn {
JUMPDEST(_) => {
// Determine whether start of this block, or next
// block.
if (pc - 1) != start {
// Start of next block
blocks.push(Block::new(start,pc-1));
start = pc - 1;
}
}
INVALID|JUMP|RETURN|REVERT|STOP => {
blocks.push(Block::new(start,pc));
start = pc;
}
_ => {}
}
}
// Append last block (if necessary)
if start != pc {
blocks.push(Block::new(start,pc));
}
// Done
blocks
}
/// Determine the enclosing block number for a given bytecode
/// address.
fn get_enclosing_block_id(&self, pc: usize) -> usize {
for i in 0..self.blocks.len() {
if self.blocks[i].encloses(pc) {
return i;
}
}
panic!("invalid bytecode address");
}
}
impl<'a,T> Disassembly<'a,T>
where T:AbstractState+fmt::Display {
/// Apply flow analysis to refine the results of this disassembly.
pub fn build(mut self) -> Self {
let mut changed = true;
//
while changed {
// Reset indicator
changed = false;
// Iterate blocks in order
for i in 0..self.blocks.len() {
// Sanity check whether block unreachable.
if !self.is_block_reachable(i) { continue; }
// Yes, is reachable so continue.
let blk = &self.blocks[i];
let mut ctx = self.contexts[i].clone();
let mut pc = blk.start;
// println!("BLOCK (start={}, end={}): {:?}", pc, blk.end, i);
// println!("CONTEXT (pc={}): {}", pc, ctx);
// Parse the block
while pc < blk.end {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&self.bytes);
// Check whether a branch is possible
if insn.can_branch() {
// Determine branch target
let target = ctx.peek(0).unwrap();
// Determine branch context
let branch_ctx = ctx.branch(target,&insn);
// Convert target into block ID.
let block_id = self.get_enclosing_block_id(target);
// println!("Branch: target={} (block {})",target,block_id);
// println!("Before merge (pc={}): {}", pc, self.contexts[block_id]);
// Merge in updated state
changed |= self.contexts[block_id].merge(branch_ctx);
// println!("After merge (pc={}): {}", pc, self.contexts[block_id]);
}
// Apply the transfer function!
// print!("{:#08x}: {}",pc,ctx);
ctx = ctx.transfer(&insn);
// println!(" ==>\t{:?}\t==> {}",insn,ctx);
// Next instruction
pc = pc + insn.length(&[]);
}
// Merge state into following block.
if (i+1) < self.blocks.len() {
changed |= self.contexts[i+1].merge(ctx);
}
}
}
self
}
sourcepub fn opcode(&self, offsets: &[Offset]) -> Result<u8, Error>
pub fn opcode(&self, offsets: &[Offset]) -> Result<u8, Error>
Determine the opcode for a given instruction. In many cases, this is a straightforward mapping. However, in other cases, its slightly more involved as a calculation involving the operands is required.
Examples found in repository?
169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186
pub fn encode(&self, offsets: &[Offset], bytes: &mut Vec<u8>) -> Result<(),Error> {
// Push opcode
bytes.push(self.opcode(&offsets)?);
// Push operands (if applicable)
match self {
Instruction::PUSH(args) => {
bytes.extend(args);
}
Instruction::PUSHL(idx) => {
bytes.extend(offsets[*idx].to_bytes());
}
_ => {
// All other instructions have no operands.
}
}
//
Ok(())
}
sourcepub fn decode(pc: usize, bytes: &[u8]) -> Instruction
pub fn decode(pc: usize, bytes: &[u8]) -> Instruction
Decode the next instruction in a given sequence of bytes.
Observe that this never returns a PUSHL
instruction. This
is because it cannot determine whether a given operand will be
used as a jump destination. A separate analysis is required
to “lift” PUSH
instructions to PUSHL
instructions.
Examples found in repository?
125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
pub fn get_state(&self, loc: usize) -> T {
// Determine enclosing block
let bid = self.get_enclosing_block_id(loc);
let blk = &self.blocks[bid];
let mut ctx = self.contexts[bid].clone();
let mut pc = blk.start;
// Reconstruct state
while pc < loc {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&self.bytes);
// Apply the transfer function!
ctx = ctx.transfer(&insn);
// Next instruction
pc = pc + insn.length(&[]);
}
// Done
ctx
}
/// Get the enclosing block for a given bytecode location.
pub fn get_enclosing_block(&self, pc: usize) -> &Block {
for i in 0..self.blocks.len() {
if self.blocks[i].encloses(pc) {
return &self.blocks[i];
}
}
panic!("invalid bytecode address");
}
/// Determine whether a given block is currently considered
/// reachable or not. Observe the root block (`id=0`) is _always_
/// considered reachable.
pub fn is_block_reachable(&self, id: usize) -> bool {
id == 0 || self.contexts[id].is_reachable()
}
/// Read a slice of bytes from the bytecode program, padding with
/// zeros as necessary.
pub fn read_bytes(&self, start: usize, end: usize) -> Vec<u8> {
let n = self.bytes.len();
if start >= n {
vec![0; end-start]
} else if end > n {
// Determine lower potion
let mut slice = self.bytes[start..n].to_vec();
// Probably a more idiomatic way to do this?
for _i in end .. n { slice.push(0); }
//
slice
} else {
// Easy case
self.bytes[start..end].to_vec()
}
}
/// Refine this disassembly to something (ideally) more precise
/// use a fixed point dataflow analysis. This destroys the
/// original disassembly.
pub fn refine<S>(self) -> Disassembly<'a,S>
where S:AbstractState+From<T> {
let mut contexts = Vec::new();
// Should be able to do this with a map?
for ctx in self.contexts {
contexts.push(S::from(ctx));
}
// Done
Disassembly{bytes: self.bytes, blocks: self.blocks, contexts}
}
/// Flattern the disassembly into a sequence of instructions.
pub fn to_vec(&self) -> Vec<Instruction> {
let mut insns = Vec::new();
// Iterate blocks in order
for i in 0..self.blocks.len() {
let blk = &self.blocks[i];
let ctx = &self.contexts[i];
// Check for reachability
if i == 0 || ctx.is_reachable() {
// Disassemble block
self.disassemble_into(blk,&mut insns);
} else {
// Not reachable, so must be data.
let data = self.read_bytes(blk.start,blk.end);
//
insns.push(DATA(data));
}
}
//
insns
}
// ================================================================
// Helpers
// ================================================================
/// Disassemble a given block into a sequence of instructions.
fn disassemble_into(&self, blk: &Block, insns: &mut Vec<Instruction>) {
let mut pc = blk.start;
// Parse the block
while pc < blk.end {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&self.bytes);
// Increment PC for next instruction
pc = pc + insn.length(&[]);
//
insns.push(insn);
}
}
/// Perform a linear scan splitting out the blocks. This is an
/// over approximation of the truth, as some blocks may turn out
/// to be unreachable (e.g. they are data).
fn scan_blocks(bytes: &[u8]) -> Vec<Block> {
let mut blocks = Vec::new();
// Current position in bytecodes
let mut pc = 0;
// Identifies start of current block.
let mut start = 0;
// Parse the block
while pc < bytes.len() {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&bytes);
// Increment PC for next instruction
pc = pc + insn.length(&[]);
// Check whether terminating instruction
match insn {
JUMPDEST(_) => {
// Determine whether start of this block, or next
// block.
if (pc - 1) != start {
// Start of next block
blocks.push(Block::new(start,pc-1));
start = pc - 1;
}
}
INVALID|JUMP|RETURN|REVERT|STOP => {
blocks.push(Block::new(start,pc));
start = pc;
}
_ => {}
}
}
// Append last block (if necessary)
if start != pc {
blocks.push(Block::new(start,pc));
}
// Done
blocks
}
/// Determine the enclosing block number for a given bytecode
/// address.
fn get_enclosing_block_id(&self, pc: usize) -> usize {
for i in 0..self.blocks.len() {
if self.blocks[i].encloses(pc) {
return i;
}
}
panic!("invalid bytecode address");
}
}
impl<'a,T> Disassembly<'a,T>
where T:AbstractState+fmt::Display {
/// Apply flow analysis to refine the results of this disassembly.
pub fn build(mut self) -> Self {
let mut changed = true;
//
while changed {
// Reset indicator
changed = false;
// Iterate blocks in order
for i in 0..self.blocks.len() {
// Sanity check whether block unreachable.
if !self.is_block_reachable(i) { continue; }
// Yes, is reachable so continue.
let blk = &self.blocks[i];
let mut ctx = self.contexts[i].clone();
let mut pc = blk.start;
// println!("BLOCK (start={}, end={}): {:?}", pc, blk.end, i);
// println!("CONTEXT (pc={}): {}", pc, ctx);
// Parse the block
while pc < blk.end {
// Decode instruction at the current position
let insn = Instruction::decode(pc,&self.bytes);
// Check whether a branch is possible
if insn.can_branch() {
// Determine branch target
let target = ctx.peek(0).unwrap();
// Determine branch context
let branch_ctx = ctx.branch(target,&insn);
// Convert target into block ID.
let block_id = self.get_enclosing_block_id(target);
// println!("Branch: target={} (block {})",target,block_id);
// println!("Before merge (pc={}): {}", pc, self.contexts[block_id]);
// Merge in updated state
changed |= self.contexts[block_id].merge(branch_ctx);
// println!("After merge (pc={}): {}", pc, self.contexts[block_id]);
}
// Apply the transfer function!
// print!("{:#08x}: {}",pc,ctx);
ctx = ctx.transfer(&insn);
// println!(" ==>\t{:?}\t==> {}",insn,ctx);
// Next instruction
pc = pc + insn.length(&[]);
}
// Merge state into following block.
if (i+1) < self.blocks.len() {
changed |= self.contexts[i+1].merge(ctx);
}
}
}
self
}
Trait Implementations§
source§impl Debug for Instruction
impl Debug for Instruction
source§impl Display for Instruction
impl Display for Instruction
source§impl PartialEq<Instruction> for Instruction
impl PartialEq<Instruction> for Instruction
source§fn eq(&self, other: &Instruction) -> bool
fn eq(&self, other: &Instruction) -> bool
self
and other
values to be equal, and is used
by ==
.