hw-sw-contracts/revizor

How to capture the violated inputs

Closed this issue · 2 comments

npbhoang commented

Hi,

I have been playing with Revizor for a while, it works great!
I noticed that when a violation is spotted, Revizor halts and as a result of this, the latest generated.asm stores the violated test case.

My question: Is there any config option, arguments to capture also the pair or collection of violated inputs? If not, how would I capture these inputs and store them?

--

Right now, what I did to capture these inputs is to poke into the source code, at the part right after the violation is detected, print all the inputs to files, that is calling my function below:

    def log_violation(self, violation):
        name = 'violation'
        measurements = violation.measurements
        for i,ms in enumerate(measurements):
            with open("cex/" + str(i) + name + ".seed.in", "w") as f:
                f.write(str(ms.input_.seed))
            with open("cex/" + str(i) + name + ".datasize.in", "w") as f:
                f.write(str(ms.input_.data_size))
            with open("cex/" + str(i) + name + ".registerstart.in", "w") as f:
                f.write(str(ms.input_.register_start))

Many thanks in advance!

OleksiiOleksenko commented

Hi,

First, Revizor does not necessarily stop on violation. You can use --nonstop, and it will store the test case in violation<TIMESTAMP>.asm and continue fuzzing. You might want to use it in combination with -w, see docs.

Second, the sequence of generated inputs to the test case is determined by the seed value, set by the input_gen_seed config option. If you set it to a non-zero value, it will be used for all test cases, which means that all test cases will be executed with the same sequence of inputs.

The exact inputs that caused a contract violation will be printed when a violation is detected. E.g., the following violation was caused by the inputs number 14, 34, 54, ...:

================================ Violations detected ==========================
  Contract trace (hash):

    0110111001111010001100011110111100111011011110110011001111100110
  Hardware traces:
   Inputs [14]:
    ^_________^_____________^^______________________________________
   Inputs [34, 54, 74, 94] (+ 0 ):
    ^_____^_________________^^______________________________________

Finally, if you really need to store all inputs and the seed value is no sufficient, a more appropriate place would be store_test_case. Right now it's invoked only in the --nonstop mode, but it can be easily changed.

Hope it helps.

npbhoang commented

Thank you, Oleksii.

Your comments help me a lot.
I got it now.

Cheers,
-- Hoang.