crytic / medusa

Parallelized, coverage-guided, mutational Solidity smart contract fuzzing, powered by go-ethereum
https://www.trailofbits.com/
GNU Affero General Public License v3.0

Crash while fuzzing math libs #389

Open mario-eth opened 4 days ago

mario-eth commented 4 days ago

Hello,

It seems I'm running into an issue while fuzzing some math functions:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1 pc=0x606ad5]

goroutine 6031 [running]:
math/big.nat.cmp({0xc007a93018?, 0x1?, 0xc006e4f648?}, {0x0?, 0x1?, 0xc0060b2878?})
        math/big/nat.go:163 +0x35
math/big.(*Int).Cmp(0xc006e4f8c0, 0xc0060a5360?)
        math/big/int.go:382 +0x5d
github.com/crytic/medusa/utils.ConstrainIntegerToBounds(0xc006e4f8c0, 0xc0060a5380, 0xc0060a5360)
        github.com/crytic/medusa/utils/integer_utils.go:22 +0x150
github.com/crytic/medusa/utils.ConstrainIntegerToBitLength(0xc006e4f8c0, 0x10?, 0x0?)
        github.com/crytic/medusa/utils/integer_utils.go:49 +0x2d
github.com/crytic/medusa/fuzzing/valuegeneration.(*RandomValueGenerator).GenerateInteger(0xc0041fa330, 0x0, 0x40)
        github.com/crytic/medusa/fuzzing/valuegeneration/generator_random.go:137 +0xd8
github.com/crytic/medusa/fuzzing/valuegeneration.(*MutationalValueGenerator).mutateIntegerInternal(0xc0075ecbe8, 0x0, 0x0, 0x40)
        github.com/crytic/medusa/fuzzing/valuegeneration/generator_mutational.go:152 +0x137
github.com/crytic/medusa/fuzzing/valuegeneration.(*MutationalValueGenerator).GenerateInteger(0x0?, 0x0?, 0xc000000100?)
        github.com/crytic/medusa/fuzzing/valuegeneration/generator_mutational.go:471 +0x1a
github.com/crytic/medusa/fuzzing.(*CallSequenceGenerator).generateNewElement(0xc0063baa00)
        github.com/crytic/medusa/fuzzing/fuzzer_worker_sequence_generator.go:313 +0x3a5
github.com/crytic/medusa/fuzzing.(*CallSequenceGenerator).PopSequenceElement(0xc0063baa00)
        github.com/crytic/medusa/fuzzing/fuzzer_worker_sequence_generator.go:248 +0x7c
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testNextCallSequence.func2(0xc003665900?)
        github.com/crytic/medusa/fuzzing/fuzzer_worker.go:268 +0x1b
github.com/crytic/medusa/fuzzing/calls.ExecuteCallSequenceIteratively(0xc0009ddb80, 0xc006e4fdb0, 0xc006e4fd98)
        github.com/crytic/medusa/fuzzing/calls/call_sequence_execution.go:40 +0xb6
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testNextCallSequence(0xc003cc8100)
        github.com/crytic/medusa/fuzzing/fuzzer_worker.go:305 +0x167
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).run(0xc003cc8100, 0xf4a620?)
        github.com/crytic/medusa/fuzzing/fuzzer_worker.go:603 +0x3e5
github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop.func1({0x0?, 0xc002e6a450?})
        github.com/crytic/medusa/fuzzing/fuzzer.go:572 +0x169
created by github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop in goroutine 1
        github.com/crytic/medusa/fuzzing/fuzzer.go:555 +0x1d3

Any idea why, or how I can figure out why it crashes?

Thank you.

ggrieco-tob commented 4 days ago

Hi!

Which version of medusa are you using? Also, do you have a sample of Solidity code to reproduce the issue?

mario-eth commented 4 days ago

medusa version 0.1.3

Unfortunately I cannot share the code here because I am not sure which one fails.

Mostly it is math operations in assembly.

ggrieco-tob commented 4 days ago

Can you re-test using medusa from the latest git revision?