ethereum / execution-specs

Specification for the Execution Layer. Tracking network upgrades.
Creative Commons Zero v1.0 Universal

fuzzing flaw, `london` #910

Closed holiman closed 3 months ago

holiman commented 3 months ago

When eels executes DIFFICULTY on a London fork, it takes the env.currentRandom value from the statetest, not env.currentDifficulty. See difference in stack contents:

prev:           both: {"depth":1,"pc":23,"gas":7978897,"op":68,"opName":"DIFFICULTY","stack":["0x87","0xad","0x80","0x59","0x1a","0x7"]}
diff:    gethbatch-0: {"depth":1,"pc":24,"gas":7978895,"op":18,"opName":"SLT","stack":["0xad","0x80","0x59","0x1a","0x7","0x20000"]}
diff:    eelsbatch-0: {"depth":1,"pc":24,"gas":7978895,"op":18,"opName":"SLT","stack":["0xad","0x80","0x59","0x1a","0x7","0x200000"]}

Example testcase:

{
  "00000119-mixed-0": {
    "env": {
      "currentCoinbase": "b94f5374fce5edbc8e2a8697c15331677e6ebf0b",
      "currentDifficulty": "0x200000",
      "currentRandom": "0x0000000000000000000000000000000000000000000000000000000000020000",
      "currentGasLimit": "0x26e1f476fe1e22",
      "currentNumber": "0x1",
      "currentTimestamp": "0x3e8",
      "previousHash": "0x044852b2a670ade5407e78fb2863c51de9fcb96542a07186fe3aeda6bb8a116d",
      "currentBaseFee": "0x10"
    },
    "pre": {
      "0x00000000000000000000000000000000000000f1": {
        "code": "0x608760ad60806059601a607560f406646174fe176b3d08441251887644883a34607e390a327d6b7c00619a131106673d1c6e69f4449c12405370877019047b3a3ef0591a65107f3c90973c6e6591316e7d7f07120b396b81421764f48b0113500b68749d7
e693b4283799032118619640a377bfe776312136a377f423a521009860b648902f3453f7778a1051d1070458513301b8784099b3881818d626f3f8436f27b3a3671506d18178b56f06552539a70958b36337d91988d7547770511199d1569667654751757583751323f847c981a7
79aa059867c41478c701b6c41010a6bf06d05906a011306117a7f726e9419f40a13561c519a181d740a5b786d7c686791f54754311c605b508f433b6c6d908d5231969e0961801d00641192855237673159993869fa3f7914660a56597d7e6d1c166bf36a1677418c93095b06078
1688497374590426c30047f5a6f0a82010a3859f4580a20923433625a3f8e73f43992fe7e8a77087b1179a01b7e19694030523034744175121299637d7001516e7f8790415704396a5a1c527473468b15727a32513d727d577661793084118bff331b68008e75728b9356759b924
3ff599b7d453e398344f486781c4387f469013f753247fe797a3f6486187a7a441a73fd9b793af4368410750340196b14027b633f6d8557547c14418d0784953058f36a709e457c3190309c7c390158179d34578a019043fd751912843c3b3c91fd09353bf1310468006d1794616
b90363010f01156521837889b1d625648857ea0575883200b2080541c7b9c701c6f3654a1483f107018904139fd388c47708d7f8100579e3283488475fa44145858327272993ef497421ba1125273134386206957703f7a1b5a899d7f6676a1465248718d76a09003a46d9b05175
271a21d44539f17881c6e7e606a43a437143b9b880b8f406e04476d6e306a720a856f761b3907774367fa03101d3b753c08994199f3071b193f6439356c684658489800ff92883f827c5413f23075358c753445570b7c060a56670994111947a17b411cfe483590817562426b9d1
388956743429b057c577144710019637e3c624462100b9744876f113004367ba40b89577f9f0263427e6a6c8da1fd418c558b65f563066a717a190a078962670132a44002408ba3698d147dff50588d8d1b3a6290885858928fa209355b753190f58562189b085946a305819b0b6
47f306710a35666723b386d8507118c18647f61478c7867a3a389573c79350af25a38920666736b559ff46245399372190b84f550829682857ba443395b461d0445011106163274579e673102003d5513430432528b6d3041378b73588f7d748316345a795a48679f0387327d758
b081548967e9550040b031412413e50526d79149506979c6a7d6269416a3a76f05a449a8e7293301280177e",
        "storage": {
          "0x0000000000000000000000000000000000000000000000000000000000000001": "0x0000000000000000000000000000000000000000000000000000000000000010",
          "0x0000000000000000000000000000000000000000000000000000000000000002": "0x0000000000000000000000000000000000000000000000000000000000000008",
          "0x0000000000000000000000000000000000000000000000000000000000000004": "0x000000000000000000000000000000000000000000000000000000000000000e",
          "0x0000000000000000000000000000000000000000000000000000000000000005": "0x000000000000000000000000000000000000000000000000000000000000000c",
          "0x0000000000000000000000000000000000000000000000000000000000000006": "0x0000000000000000000000000000000000000000000000000000000000000007"
        },
        "balance": "0x0",
        "nonce": "0x0"
      },
      "0xa94f5374fce5edbc8e2a8697c15331677e6ebf0b": {
        "code": "0x",
        "storage": {},
        "balance": "0xffffffffff",
        "nonce": "0x0"
      }
    },
    "transaction": {
      "gasPrice": "0x10",
      "nonce": "0x0",
      "to": "0x00000000000000000000000000000000000000f1",
      "data": [
        "0x22f4993d"
      ],
      "gasLimit": [
        "0x7a1200"
      ],
      "value": [
        "0xd2"
      ],
      "sender": "0xa94f5374fce5edbc8e2a8697c15331677e6ebf0b",
      "secretKey": "0x45a915e4d060149eb4365960e6a7a45f334393093061116b197e3240065ff2d8"
    },
    "out": "0x",
    "post": {
      "London": [
        {
          "hash": "0x0000000000000000000000000000000000000000000000000000000000000000",
          "logs": "0x0000000000000000000000000000000000000000000000000000000000000000",
          "indexes": {
            "data": 0,
            "gas": 0,
            "value": 0
          }
        }
      ]
    }
  }
}

holiman commented 3 months ago

It's fine btw if you decide not to fix this, I don't usually fuzz older forks, so I can just keep to fuzzing post-merge forks where this is not a problem

SamWilsn commented 3 months ago

Getting old forks correct is pretty important for us!

gurukamath commented 3 months ago

@holiman I see from the trace comparisons that eels (eelsbatch-0) is loading 0x200000 for the DIFFICULTY which is also the value provided by currentDifficulty in the env

"currentDifficulty": "0x200000"

holiman commented 3 months ago

Right! The flaw is with the other clients! Hah!
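
Added example (not part of the thread, and not code from goevmlab or execution-specs): a triage helper that takes the trace lines and `env` values quoted in the issue, recovers the value each client pushed for DIFFICULTY, and maps it back to the `env` field it came from. The function names and the `EXPECTED` table are assumptions of this example; the table encodes that opcode 0x44 returns the block difficulty before the Merge and PREVRANDAO (EIP-4399) afterwards.

```python
import json

# "env" values from the testcase in the issue (currentRandom is the same
# 32-byte value, written compactly here).
ENV = {
    "currentDifficulty": "0x200000",
    "currentRandom": "0x" + "00" * 29 + "020000",
}

# Trace lines copied from the issue: the DIFFICULTY step, then the next step per client.
PREV = '{"depth":1,"pc":23,"gas":7978897,"op":68,"opName":"DIFFICULTY","stack":["0x87","0xad","0x80","0x59","0x1a","0x7"]}'
NEXT = {
    "gethbatch-0": '{"depth":1,"pc":24,"gas":7978895,"op":18,"opName":"SLT","stack":["0xad","0x80","0x59","0x1a","0x7","0x20000"]}',
    "eelsbatch-0": '{"depth":1,"pc":24,"gas":7978895,"op":18,"opName":"SLT","stack":["0xad","0x80","0x59","0x1a","0x7","0x200000"]}',
}

# Assumption of this example: which env field opcode 0x44 must read per fork.
EXPECTED = {"London": "currentDifficulty", "Paris": "currentRandom"}


def pushed_by_difficulty(prev_line, next_line):
    """Return the integer that DIFFICULTY left on top of the stack."""
    prev, nxt = json.loads(prev_line), json.loads(next_line)
    if prev["opName"] != "DIFFICULTY" or nxt["pc"] != prev["pc"] + 1:
        raise ValueError("not a DIFFICULTY step followed by its successor")
    # The stack is listed top-last; the quoted lines show a fixed-size window,
    # so accept either the full previous stack or the window shifted by one.
    if nxt["stack"][:-1] not in (prev["stack"], prev["stack"][1:]):
        raise ValueError("stack below the pushed item changed unexpectedly")
    return int(nxt["stack"][-1], 16)


def source_fields(value, env):
    """Names of the env fields whose numeric value equals the pushed value."""
    return sorted(name for name, raw in env.items() if int(raw, 16) == value)


def classify():
    """Map each client label to the env field(s) its DIFFICULTY result matches."""
    return {c: source_fields(pushed_by_difficulty(PREV, line), ENV) for c, line in NEXT.items()}


def deviating(fork):
    """Client labels whose pushed value does not come from the expected field."""
    return sorted(c for c, fields in classify().items() if EXPECTED[fork] not in fields)


if __name__ == "__main__":
    print(classify(), deviating("London"))
```

Giving `currentDifficulty` and `currentRandom` distinct values, as this testcase does, is what makes the attribution unambiguous; if a generated test sets both to the same number, `source_fields` returns both names and the divergence cannot be detected at all.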