UNKNOWN INSTRUCTION: SHL
mrx23dot opened this issue · 2 comments
Running latest Oyente on contract:
https://etherscan.io/address/0xe681f80966a8b1ffadecf8068bd6f99034791c95#code

extracted binary via etherscan API: `0xe681f80966a8b1ffadecf8068bd6f99034791c95.txt`

Many other contracts pass this way.

cmd:

```sh
docker start oyente_cont && docker exec -i oyente_cont python /oyente/oyente/oyente.py --compilation-error --depthlimit 4 --looplimit 100 -s 0xe681f80966a8b1ffadecf8068bd6f99034791c95.txt -b
```

fails with

```
WARNING:root:You are using evm version 1.8.2. The supported version is 1.7.3
WARNING:root:You are using solc version 0.4.21, The latest supported version is 0.4.19
incomplete push instruction at 522
INFO:symExec: ============ Results ===========
Traceback (most recent call last):
  File "/oyente/oyente/oyente.py", line 221, in <module>
    main()
  File "/oyente/oyente/oyente.py", line 210, in main
    exit_code = analyze_bytecode()
  File "/oyente/oyente/oyente.py", line 72, in analyze_bytecode
    result, exit_code = symExec.run(disasm_file=inp['disasm_file'])
  File "/oyente/oyente/symExec.py", line 2457, in run
    analyze()
  File "/oyente/oyente/symExec.py", line 2440, in analyze
    run_build_cfg_and_analyze(timeout_cb=timeout_cb)
  File "/oyente/oyente/symExec.py", line 2397, in run_build_cfg_and_analyze
    build_cfg_and_analyze()
  File "/oyente/oyente/symExec.py", line 228, in build_cfg_and_analyze
    full_sym_exec()  # jump targets are constructed on the fly
  File "/oyente/oyente/symExec.py", line 547, in full_sym_exec
    return sym_exec_block(params, 0, 0, 0, -1, 'fallback')
  File "/oyente/oyente/symExec.py", line 612, in sym_exec_block
    sym_exec_ins(params, block, instr, func_call, current_func_name)
  File "/oyente/oyente/symExec.py", line 2054, in sym_exec_ins
    raise Exception('UNKNOWN INSTRUCTION: ' + opcode)
Exception: UNKNOWN INSTRUCTION: SHL
```
Was compiled with v0.7.6+commit.7338295f according to etherscan
Oyente was designed before the fork Byzantium (block 7,280,000 on the main chain, 28 Feb 2019) that introduced the instruction `SHL`, and apparently has never been upgraded with the semantics of newer instructions. Oyente does not handle the operations `SHR`, `SAR`, `EXTCODEHASH`, `CHAINID`, `SELFBALANCE`, `BASEFEE` and `CREATE2` (same or later fork). Oyente even uses the opcode for `CREATE2` internally for a different purpose.

Not being able to handle `SHL` is particularly painful, as this instruction appears, for quite some time now, near the beginning of every bytecode generated by the Solidity compiler, to dissect the call data to obtain the four-byte signature of the called method.
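Reference semantics for the shift instructions the reply says Oyente lacks (`SHL`, `SHR`, `SAR` as specified in EIP-145), together with the call-data selector idiom it mentions, as an added Python example that is not Oyente's code. The `step` executor hook, its list-based stack with the top element last, and the helper names are assumptions made for illustration.

```python
# Added example, not Oyente's code: EIP-145 shift semantics and the
# four-byte selector idiom that puts SHR near the start of Solidity bytecode.
MASK = (1 << 256) - 1  # every EVM word is a 256-bit unsigned integer

def shl(shift: int, value: int) -> int:
    """SHL: value << shift truncated to 256 bits; shift >= 256 gives 0."""
    return (value << shift) & MASK if shift < 256 else 0

def shr(shift: int, value: int) -> int:
    """SHR: logical right shift; shift >= 256 gives 0."""
    return value >> shift if shift < 256 else 0

def sar(shift: int, value: int) -> int:
    """SAR: arithmetic right shift, reading value as two's complement."""
    signed = value - (1 << 256) if value >> 255 else value
    if shift >= 256:  # result is nothing but copies of the sign bit
        return MASK if signed < 0 else 0
    return (signed >> shift) & MASK

# Hypothetical executor hook (assumption): stack is a list, top of stack last.
# The EVM pops the shift amount first and the value second.
SHIFT_OPS = {"SHL": shl, "SHR": shr, "SAR": sar}

def step(opcode: str, stack: list) -> list:
    """Apply one shift opcode to a copy of the stack and return the result."""
    if opcode not in SHIFT_OPS:
        raise Exception("UNKNOWN INSTRUCTION: " + opcode)  # the failure above
    stack = list(stack)
    shift, value = stack.pop(), stack.pop()
    stack.append(SHIFT_OPS[opcode](shift, value))
    return stack

def calldataload0(calldata: bytes) -> int:
    """CALLDATALOAD(0): first 32 bytes of call data, zero-padded on the right."""
    return int.from_bytes(calldata[:32].ljust(32, b"\0"), "big")

def selector_shift(calldata: bytes) -> int:
    """CALLDATALOAD(0), PUSH1 0xe0, SHR: the idiom described in the reply."""
    return step("SHR", [calldataload0(calldata), 0xE0])[-1]

def selector_div(calldata: bytes) -> int:
    """Pre-Constantinople equivalent without SHR: divide by 2**224."""
    return calldataload0(calldata) // (1 << 224)
```

Both selector functions yield the same four-byte value, which is why a tool that only knows the `DIV` form breaks the moment the compiler switches to `SHR`.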
Thanks for the detailed answer!