crytic / medusa

Parallelized, coverage-guided, mutational Solidity smart contract fuzzing, powered by go-ethereum
https://www.trailofbits.com/
GNU Affero General Public License v3.0

Panic triggered during ABI call data packing #294

Closed anishnaik closed 4 months ago

anishnaik commented 4 months ago


```
Dumping error logs...
panic: error while packing call message ABI values: ABI call data packing failed, method definition was not set at runtime

goroutine 85 [running]:
github.com/crytic/medusa/fuzzing/calls.(*CallMessage).Data(0x7f935d3443c8?)
    /home/runner/work/medusa/medusa/fuzzing/calls/call_message.go:141 +0x97
github.com/crytic/medusa/utils.MessageToTransaction({0xf06008, 0xc000210070})
    /home/runner/work/medusa/medusa/utils/message_transaction_utils.go:16 +0x97
github.com/crytic/medusa/fuzzing/calls.CallSequence.Hash({0xc000185400, 0x39, 0x3d5eb970a25c96f9?})
    /home/runner/work/medusa/medusa/fuzzing/calls/call_sequence.go:98 +0x192
github.com/crytic/medusa/fuzzing/corpus.(*Corpus).AddCallSequence(0xc002d2c000, {0xc00d2798b8?, 0x1, 0x1}, 0xc00c1feda0, 0x1)
    /home/runner/work/medusa/medusa/fuzzing/corpus/corpus.go:280 +0x166
github.com/crytic/medusa/fuzzing/corpus.(*Corpus).AddCallSequenceIfCoverageChanged(0xc002d2c000, {0xc00d2798b8?, 0x1, 0x1}, 0x7f935d3443c8?, 0x8?)
    /home/runner/work/medusa/medusa/fuzzing/corpus/corpus.go:347 +0x12b
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testCallSequence.func3({0xc00d2798b8, 0x1, 0x1})
    /home/runner/work/medusa/medusa/fuzzing/fuzzer_worker.go:253 +0x94
github.com/crytic/medusa/fuzzing/calls.ExecuteCallSequenceIteratively(0xc008ece8c0, 0xc008d9fd78, 0xc008d9fdd0)
    /home/runner/work/medusa/medusa/fuzzing/calls/call_sequence_execution.go:120 +0x1f9
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testCallSequence(0xc002fce0f0)
    /home/runner/work/medusa/medusa/fuzzing/fuzzer_worker.go:281 +0x176
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).run(0xc002fce0f0, 0xf04860?)
    /home/runner/work/medusa/medusa/fuzzing/fuzzer_worker.go:496 +0x356
github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop.func1({0x0?, 0xc008b43f50?})
    /home/runner/work/medusa/medusa/fuzzing/fuzzer.go:465 +0x173
created by github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop
    /home/runner/work/medusa/medusa/fuzzing/fuzzer.go:448 +0x24b
make: *** [Makefile:16: mc] Error 2
```
anishnaik commented 4 months ago

This is where the panic gets triggered: https://github.com/crytic/medusa/blob/f5a4a0973c81557447ab2d6986e0644453effc80/fuzzing/calls/call_message_abi_values.go#L90-L94

anishnaik commented 4 months ago

@0xicingdeath + @Xenomega triggering this is rather odd since, if the code has changed, then the corpus element that is being replayed should not be used to generate a call sequence? Ideally, we never hit this error since we don't try to re-run a call to a method that no longer exists in the target code.
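The invariant described in the comment above, as an added illustration that is not medusa's own code: stored corpus sequences are resolved against the live ABI before any worker sees them, a sequence naming a method that no longer exists is disabled, and call-data packing of an unresolved call surfaces as an error instead of a panic. The `ABI`, `CallMessage`, `LoadCorpus` and `Hash` names and the 4-byte selectors are simplified stand-ins constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"errors"
)
// ABI is a constructed stand-in for a contract ABI: method name -> 4-byte selector.
type ABI map[string][]byte
// CallMessage models a stored corpus call; method is set only once resolved against the live ABI.
type CallMessage struct {
	Name   string
	Args   []byte
	method []byte
}
// Data packs calldata; an unresolved method is reported as an error, not a panic.
func (m *CallMessage) Data() ([]byte, error) {
	if m.method == nil {
		return nil, errors.New("ABI call data packing failed, method definition was not set at runtime")
	}
	return append(append([]byte{}, m.method...), m.Args...), nil
}
// LoadCorpus resolves stored sequences against the live ABI and disables any that name a missing method.
func LoadCorpus(abi ABI, stored [][]*CallMessage) (enabled [][]*CallMessage, disabled int) {
next:
	for _, seq := range stored {
		for _, c := range seq {
			sel, ok := abi[c.Name]
			if !ok {
				disabled++ // never handed to the fuzzing workers
				continue next
			}
			c.method = sel
		}
		enabled = append(enabled, seq)
	}
	return enabled, disabled
}

// Hash identifies a sequence by its packed calldata and propagates packing errors.
func Hash(seq []*CallMessage) ([32]byte, error) {
	var packed []byte
	for _, c := range seq {
		d, err := c.Data()
		if err != nil {
			return [32]byte{}, err
		}
		packed = append(packed, d...)
	}
	return sha256.Sum256(packed), nil
}
```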

0xicingdeath commented 4 months ago

This seems to only be happening on Ubuntu, fwiw. (Same code, same corpus, only on the servers)

Not sure if the order here matters, but full(er) logs seem to show that it attempts to replay something from the corpus, creates the workers, starts (?) fuzzing, and then panics.

```
corpus item 'output/medusa-corpus/call_sequences/edfcb27b-e787-40e0-9371-d86d2bfdfefa.json' disabled due to error when replaying it: could not resolve method 'XXX' from the given contract ABI
Creating 20 workers ...
fuzz: elapsed: 0s, call: 0 (0/sec), seq/s: 0, resets/s: 0, cov: 1

Dumping error logs...
panic: error while packing call message ABI values: ABI call data packing failed, method definition was not set at runtime

goroutine 85 [running]:
github.com/crytic/medusa/fuzzing/calls.(*CallMessage).Data(0x7f935d3443c8?)
    /home/runner/work/medusa/medusa/fuzzing/calls/call_message.go:141 +0x97
github.com/crytic/medusa/utils.MessageToTransaction({0xf06008, 0xc000210070})
    /home/runner/work/medusa/medusa/utils/message_transaction_utils.go:16 +0x97
github.com/crytic/medusa/fuzzing/calls.CallSequence.Hash({0xc000185400, 0x39, 0x3d5eb970a25c96f9?})
    /home/runner/work/medusa/medusa/fuzzing/calls/call_sequence.go:98 +0x192
github.com/crytic/medusa/fuzzing/corpus.(*Corpus).AddCallSequence(0xc002d2c000, {0xc00d2798b8?, 0x1, 0x1}, 0xc00c1feda0, 0x1)
    /home/runner/work/medusa/medusa/fuzzing/corpus/corpus.go:280 +0x166
github.com/crytic/medusa/fuzzing/corpus.(*Corpus).AddCallSequenceIfCoverageChanged(0xc002d2c000, {0xc00d2798b8?, 0x1, 0x1}, 0x7f935d3443c8?, 0x8?)
    /home/runner/work/medusa/medusa/fuzzing/corpus/corpus.go:347 +0x12b
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testCallSequence.func3({0xc00d2798b8, 0x1, 0x1})
    /home/runner/work/medusa/medusa/fuzzing/fuzzer_worker.go:253 +0x94
github.com/crytic/medusa/fuzzing/calls.ExecuteCallSequenceIteratively(0xc008ece8c0, 0xc008d9fd78, 0xc008d9fdd0)
    /home/runner/work/medusa/medusa/fuzzing/calls/call_sequence_execution.go:120 +0x1f9
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testCallSequence(0xc002fce0f0)
    /home/runner/work/medusa/medusa/fuzzing/fuzzer_worker.go:281 +0x176
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).run(0xc002fce0f0, 0xf04860?)
    /home/runner/work/medusa/medusa/fuzzing/fuzzer_worker.go:496 +0x356
github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop.func1({0x0?, 0xc008b43f50?})
    /home/runner/work/medusa/medusa/fuzzing/fuzzer.go:465 +0x173
created by github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop
    /home/runner/work/medusa/medusa/fuzzing/fuzzer.go:448 +0x24b
make: *** [Makefile:16: mc] Error 2
```
anishnaik commented 4 months ago

Ah interesting - so the fact that the corpus item was disabled should prevent this panic from being triggered. Will look into it.

0xicingdeath commented 4 months ago

Sorry @anishnaik, FP! Box is running an older version of Medusa.