Smartian
how to obtain line number information
Hi,
If Solidity source code of a contract is available, how can I obtain line number information from Smartian's bug detection results?
For example, if I run the command:
dotnet build/Smartian.dll fuzz -p examples/bc/SC.bin -a examples/abi/SC.abi -t 2 -o .
Smartian outputs the following log:
...
[00:00:00:01] Tx#3 found SuicidalContract at b50
[00:00:00:01] [*] Save bug seed id-00000-SC_00001:
...
In the above, what does b50 mean? How can I know that b50 matches line 139?
Hi, Smartian runs on EVM bytecode, so it cannot report the bug location as a source line number.
In Smartian's output log, b50 is the address of the EVM bytecode instruction (i.e., the program counter).
Therefore, some manual analysis is needed to compare Smartian against source-based tools. For example, on our B1 benchmark (see our artifact repository), we identified and recorded the bug locations both at source level and bytecode level: ground truth. This way, we can decide whether source-based tools and Smartian are reporting the same bug or not.
Thanks for your reply.
I am still wondering how the manual analysis is conducted.
If possible, could you explain in more detail using the example below? https://github.com/SoftSec-KAIST/Smartian/blame/main/examples/bc/SC.bin
Or, could you recommend some useful references?
Thanks for your time!
I'm sorry, I thought I had already answered this issue. Although it's late, here is some more information.
We manually analyzed the EVM bytecode to figure out the correspondence between the buggy line number (at source level) and the buggy address (of the EVM instruction). While you can use any tool you prefer for this, we internally used the CFG visualizer built into B2R2, which we used as our front-end. It allows us to navigate the CFG of EVM bytecode as shown in the screenshot below.
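For readers who do have the Solidity source, there is a semi-automatic alternative to the manual CFG inspection described in the two answers above: the `b50`-style address is a program counter, and if you recompile the same source with `solc --combined-json bin-runtime,srcmap-runtime`, solc's source map ties every instruction to a byte range in the source. The script below is an added example written for this thread; it is not Smartian code, not from the B2R2 workflow the maintainers describe, and not tied to the real `SC.bin`. It assumes the logged address is hexadecimal and refers to the deployed (runtime) bytecode, and all inputs (log line, contract, bytecode, source map) are constructed toys whose offsets were computed by hand.

```python
"""Map a program counter from a Smartian log line back to a Solidity line.

Added example for this thread, not Smartian's own code: Smartian only reports
the bytecode address. Assumes the address is hex and refers to the runtime
bytecode, and that you compiled the same source with
    solc --combined-json bin-runtime,srcmap-runtime SC.sol
so bytecode and source map line up instruction for instruction.
"""
import re

PUSH1, PUSH32 = 0x60, 0x7F

# Constructed log line in the format shown in the thread.
LOG_LINE = "[00:00:00:01] Tx#3 found SuicidalContract at b50"

# Constructed toy contract; all offsets below are computed from this exact text.
SOURCE = (
    "contract SC {\n"                       # offsets  0..13
    "    function kill() public {\n"        # offsets 14..42
    "        selfdestruct(msg.sender);\n"   # offsets 43..76
    "    }\n"                               # offsets 77..82
    "}"                                     # offset  83
)
# Constructed, hand-assembled runtime bytecode (not real solc output):
#   pc 0: PUSH1 0x80   pc 2: PUSH1 0x40   pc 4: MSTORE
#   pc 5: JUMPDEST     pc 6: CALLER       pc 7: SELFDESTRUCT
RUNTIME_CODE = bytes.fromhex("60806040525b33ff")
# Constructed source map in solc's compressed "s:l:f:j" format, one entry per
# instruction; empty entries/fields repeat the previous value.
SRCMAP_RUNTIME = "0:84:0:-;;;18:64:0:-;51:24:0:-;51:24:0:-"


def parse_smartian_log(line):
    """Extract (bug_name, pc) from a 'found <Bug> at <hex pc>' log line."""
    m = re.search(r"found (\w+) at ([0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("no bug report in line: " + line)
    return m.group(1), int(m.group(2), 16)


def disassemble(code):
    """Return [(pc, opcode, push_data)]. PUSHn carries n immediate bytes, so
    the instruction index differs from the pc; source maps are per instruction."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        size = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        insns.append((pc, op, code[pc + 1:pc + 1 + size]))
        pc += 1 + size
    return insns


def instruction_index(pc, insns):
    """Index of the instruction starting at pc, or None if pc falls inside
    PUSH immediate data or past the end of the code."""
    for i, (ipc, _, _) in enumerate(insns):
        if ipc == pc:
            return i
    return None


def parse_srcmap(srcmap):
    """Expand the compressed map into (start, length, file_index) tuples."""
    entries, prev = [], [0, 0, 0]
    for item in srcmap.split(";"):
        cur = prev[:]
        for i, field in enumerate(item.split(":")[:3]):
            if field != "":
                cur[i] = int(field)
        entries.append(tuple(cur))
        prev = cur
    return entries


def pc_to_line(pc, code, srcmap, source):
    """Return (line_number, source_snippet) for pc, or None when the
    instruction is compiler-generated (solc uses file index -1 for that)."""
    idx = instruction_index(pc, disassemble(code))
    if idx is None:
        raise ValueError("pc %#x is not an instruction boundary" % pc)
    entries = parse_srcmap(srcmap)
    if idx >= len(entries):
        raise ValueError("source map has fewer entries than instructions")
    start, length, file_idx = entries[idx]
    if file_idx < 0:
        return None
    return source.count("\n", 0, start) + 1, source[start:start + length]


if __name__ == "__main__":
    bug, pc = parse_smartian_log(LOG_LINE)
    print(bug, "reported at pc %#x" % pc)
    # The toy bytecode has no pc 0xb50; look up its SELFDESTRUCT at pc 7 instead.
    print("pc 7 ->", pc_to_line(7, RUNTIME_CODE, SRCMAP_RUNTIME, SOURCE))
```

The two things that usually go wrong when doing this by hand are handled explicitly: the source map is indexed by instruction number, not by pc, so PUSH immediates must be skipped during disassembly, and an address that lands inside PUSH data is rejected rather than silently mapped to a neighbouring instruction. Whether Smartian's address refers to the creation or the runtime bytecode is something to confirm against the `.bin` you fuzzed before trusting the result; this example assumes runtime code.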