crytic / medusa

Parallelized, coverage-guided, mutational Solidity smart contract fuzzing, powered by go-ethereum
https://www.trailofbits.com/
GNU Affero General Public License v3.0

Crash on "coverageEnabled": true #299

Closed algobotishere closed 4 months ago

algobotishere commented 4 months ago

With the default

"coverageEnabled": true

I got this error:

⇾ Reading the configuration file at: script/echidna/medusa.json
⇾ Compiling targets with crytic-compile
⇾ Creating 10 workers...
⇾ fuzz: elapsed: 0s, calls: 0 (0/sec), seq/s: 0, coverage: 0
panic: runtime error: index out of range [11517] with length 11517

goroutine 84 [running]:
github.com/crytic/medusa/fuzzing/coverage.(*CoverageMapBytecodeData).update(...)
        /Users/user/folder/folder/medusa/fuzzing/coverage/coverage_maps.go:352
github.com/crytic/medusa/fuzzing/coverage.(*ContractCoverageMap).update(0x100935e00?, 0xc009bb1d70?)
        /Users/user/folder/folder/medusa/fuzzing/coverage/coverage_maps.go:281 +0x11c
github.com/crytic/medusa/fuzzing/coverage.(*CoverageMaps).Update(0xc009b74960, 0xc00c29b7c0?)
        /Users/user/folder/folder/medusa/fuzzing/coverage/coverage_maps.go:154 +0x351
github.com/crytic/medusa/fuzzing/corpus.(*Corpus).CheckSequenceCoverageAndUpdate(0xc000378000, {0xc00c0d8bc0?, 0x6, 0x8}, 0x1000113a8?, 0x40?)
        /Users/user/folder/folder/medusa/fuzzing/corpus/corpus.go:395 +0xf8
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testNextCallSequence.func3({0xc00c0d8bc0, 0x6, 0x8})
        /Users/user/folder/folder/medusa/fuzzing/fuzzer_worker.go:276 +0x94
github.com/crytic/medusa/fuzzing/calls.ExecuteCallSequenceIteratively(0xc00aade640, 0xc00aad1d78, 0xc00aad1dd0)
        /Users/user/folder/folder/medusa/fuzzing/calls/call_sequence_execution.go:120 +0x1f9
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testNextCallSequence(0xc0035dc000)
        /Users/user/folder/folder/medusa/fuzzing/fuzzer_worker.go:304 +0x176
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).run(0xc0035dc000, 0x100b70940?)
        /Users/user/folder/folder/medusa/fuzzing/fuzzer_worker.go:570 +0x356
github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop.func1({0x0?, 0xc009bb1ec0?})
        /Users/user/folder/folder/medusa/fuzzing/fuzzer.go:542 +0x173
created by github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop
        /Users/user/folder/folder/medusa/fuzzing/fuzzer.go:525 +0x2d1

Full params:

{
  "fuzzing": {
    "workers": 10,
    "workerResetLimit": 50,
    "timeout": 0,
    "testLimit": 0,
    "callSequenceLength": 100,
    "corpusDirectory": "corpusMedusa",
    "coverageEnabled": false,
    "deploymentOrder": ["Tests"],
    "constructorArgs": {},
    "deployerAddress": "0x30000",
    "senderAddresses": ["0x10000", "0x20000"],
    "blockNumberDelayMax": 60480,
    "blockTimestampDelayMax": 604800,
    "blockGasLimit": 125000000,
    "transactionGasLimit": 12500000,
    "testing": {
      "stopOnFailedTest": true,
      "stopOnFailedContractMatching": true,
      "stopOnNoTests": true,
      "testAllContracts": false,
      "traceAll": false,
      "assertionTesting": {
        "enabled": true,
        "testViewMethods": false,
        "assertionModes": {
          "failOnCompilerInsertedPanic": false,
          "failOnAssertion": true,
          "failOnArithmeticUnderflow": false,
          "failOnDivideByZero": false,
          "failOnEnumTypeConversionOutOfBounds": false,
          "failOnIncorrectStorageAccess": false,
          "failOnPopEmptyArray": false,
          "failOnOutOfBoundsArrayAccess": false,
          "failOnAllocateTooMuchMemory": false,
          "failOnCallUninitializedVariable": false
        }
      },
      "propertyTesting": {
        "enabled": false,
        "testPrefixes": ["fuzz_"]
      },
      "optimizationTesting": {
        "enabled": false,
        "testPrefixes": ["optimize_"]
      }
    },
    "chainConfig": {
      "codeSizeCheckDisabled": true,
      "cheatCodes": {
        "cheatCodesEnabled": true,
        "enableFFI": false
      }
    }
  },
  "compilation": {
    "platform": "crytic-compile",
    "platformConfig": {
      "target": "./../../",
      "solcVersion": "",
      "exportDirectory": "",
      "args": ["--solc-remaps", "@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts/"]
    }
  },
  "logging": {
    "level": "info",
    "logDirectory": ""
  }
}

I was trying to rebuild from source; the only thing that helps is "coverageEnabled": false.
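The panic above has the shape "index out of range [n] with length n": a coverage map sized to the bytecode length is indexed with a program counter equal to that length. One way this can happen in an EVM tracer is that go-ethereum fetches an implicit STOP when the pc runs off the end of the code and still reports that pc to the tracer. The following is an added illustration with a hypothetical CoverageMap type (not medusa's CoverageMapBytecodeData, and not a statement of this issue's actual root cause, which the maintainer tracks in #231); it shows the unchecked update that panics beside a bounds-checked one.

```go
package main

import "fmt"

// Hypothetical coverage map (not medusa's CoverageMapBytecodeData): one hit
// flag per byte of a contract's runtime bytecode.
type CoverageMap struct {
	Hits []bool
}

func NewCoverageMap(code []byte) *CoverageMap {
	return &CoverageMap{Hits: make([]bool, len(code))}
}

// UpdateUnchecked indexes straight by pc. When a trace reports pc == len(code),
// which is where the EVM executes its implicit STOP after running off the end
// of code, this panics with "index out of range [n] with length n".
func (m *CoverageMap) UpdateUnchecked(pc uint64) {
	m.Hits[pc] = true
}

// Update bounds-checks pc first and reports whether the hit was recorded.
func (m *CoverageMap) Update(pc uint64) bool {
	if pc >= uint64(len(m.Hits)) {
		return false
	}
	m.Hits[pc] = true
	return true
}

// PanicsOnUpdate reports whether UpdateUnchecked panics for pc.
func PanicsOnUpdate(m *CoverageMap, pc uint64) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	m.UpdateUnchecked(pc)
	return false
}

func main() {
	// Constructed 3-byte runtime code: PUSH1 0x01, POP. Executed pcs are 0 and 2,
	// then 3 == len(code) for the implicit STOP.
	code := []byte{0x60, 0x01, 0x50}
	m := NewCoverageMap(code)
	for _, pc := range []uint64{0, 2, 3} {
		if !m.Update(pc) {
			fmt.Printf("pc %d is past the end of %d-byte code, skipped\n", pc, len(code))
		}
	}
	fmt.Println("hits:", m.Hits) // hits: [true false true]
}
```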

anishnaik commented 4 months ago

Hey @algobotishere thanks for reporting this. We actually have this bug reported here as well #231. There is a temporary fix in the dev/no-multi-abi branch but I am still not 100% sure whether it is the best fix or not. Will keep you updated on this.