Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve docs #690

Merged
merged 6 commits into from
Mar 24, 2025
+255 −195
Merged

Improve docs #690

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
901f32a
Update
msooseth Mar 19, 2025
c510d86
More explanation about gas
msooseth Mar 20, 2025
e1c5f58
Update doc/src/equivalence.md
msooseth Mar 20, 2025
c769906
One more dot
msooseth Mar 20, 2025
590ca9b
Adding a new file with common options
msooseth Mar 20, 2025
00c5f6f
Merge branch 'main' into improve-docs
msooseth Mar 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions doc/src/SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,4 @@
- [Symbolic unit execution](./symbolic.md)
- [Equivalence checking](./equivalence.md)
- [Concrete execution](./exec.md)
- [Common options](./common-options.md)
50 changes: 50 additions & 0 deletions doc/src/common-options.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Common options

The subcommands of hevm present a number
of common options. Here, we document these options in detail.

## Maximum Buffer Size, ``--max-buf-size``

The buffers in hevm are limited to a maximum size of 2^N bytes, where N is by
default 64, but adjustable via the `--max-buf-size` flag. This helps to prevent
the system from creating buffers that are too large and would exceed the gas
limit. Limiting this value further to e.g. 20 can help to force the system to
generate counterexamples that are easier to examine and understand.

## Choice of Solver, ``--solver``

hevm can use any SMT solver that supports the AUFBV theory and incremental
solving. Currently, z3, cvc5, and bitwuzla's interfaces are implemented. While
any of these solvers work, we recommend using bitwuzla as it is in general
extremely fast, almost always significantly faster than e.g. z3.

## Number of Solvers, ``--num-solvers``

hevm can run multiple solvers in parallel and will run as many solvers as it
detects the number of CPU cores on the machine. However, in some cases, that
may lead to memory outs, in case the solver happens to get queries that are
memory-intensive. In these cases, the number of solvers can be limited to a a
specific (low) number via the `--num-solvers` flag.

## Promising no reentrancy, ``--promise-no-reent``

hevm can be instructed to assume that no reentrancy will occur during the
execution of the contract. This is currently neccessary to fully explore
certain contracts. This is because value transfer is usually done via a `CALL`,
which can be reentrant. By promising no reentrancy, the system can assume that
no reentrancy will occur and can explore the contract more fully.

## Timeout for SMT queries, ``--smttimeout``

Some queries take too long. With a timeout, we ensure that hevm eventually
terminates. However, endstates where the timeout was reached are considered
inditerminate, and will lead to a `WARNING` in the output. It is worthwhile
trying to switch to a different SMT solver such as bitwuzla, or increasing the
timeout if this happens.

## Loop Iteration Limit, ``--ask-smt-iterations``

Loops in the code cause a challenge to symbolic execution framework. In order
to not run indefinitely, hevm will only explore a certain number of iterations
of a loop before consideing abandoning the exploration of that branch. This
number can be set via the `--ask-smt-iterations` flag.
183 changes: 141 additions & 42 deletions doc/src/equivalence.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,53 +1,152 @@
# `hevm equivalence`

```
Usage: hevm equivalence --code-a TEXT --code-b TEXT [--sig TEXT]
[--arg STRING]... [--calldata TEXT]
[--smttimeout NATURAL] [--max-iterations INTEGER]
[--solver TEXT] [--smtoutput] [--smtdebug] [--debug]
[--trace] [--ask-smt-iterations INTEGER]
[--num-cex-fuzz INTEGER]
[--loop-detection-heuristic LOOPHEURISTIC]
[--abstract-arithmetic] [--abstract-memory]

Available options:
-h,--help Show this help text
--code-a TEXT Bytecode of the first program
--code-b TEXT Bytecode of the second program
--sig TEXT Signature of types to decode / encode
--arg STRING Values to encode
--calldata TEXT Tx: calldata
--smttimeout NATURAL Timeout given to SMT solver in seconds (default: 300)
--max-iterations INTEGER Number of times we may revisit a particular branching
point. Default is 5. Setting to -1 allows infinite looping
--solver TEXT Used SMT solver: z3 (default), cvc5, or bitwuzla
--smtoutput Print verbose smt output
--smtdebug Print smt queries sent to the solver
--debug Debug printing of internal behaviour
--trace Dump trace
--ask-smt-iterations INTEGER
Number of times we may revisit a particular branching
point before we consult the smt solver to check
reachability (default: 1) (default: 1)
--num-cex-fuzz INTEGER Number of fuzzing tries to do to generate a
counterexample (default: 3) (default: 3)
--loop-detection-heuristic LOOPHEURISTIC
Which heuristic should be used to determine if we are
in a loop: StackBased (default) or Naive
(default: StackBased)
```plain
Usage: hevm equivalence [--code-a TEXT] [--code-b TEXT] [--code-a-file STRING]
[--code-b-file STRING] [--sig TEXT] [--arg STRING]...
[--calldata TEXT] [--smttimeout NATURAL]
[--max-iterations INTEGER] [--solver TEXT]
[--num-solvers NATURAL] ...
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does ... mean here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was trying to imply that there are more options... maybe I should remove? I don't want to list them all, I think it's not that useful? What do you think?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not document all the options?
It seems unusual to omit some of them.
Unless you can argue they belong to separate categories, like "for users" and "for developers"?
And you want to list only those important for the users.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, we keep adding some and then not documenting them in the MD docs. I am wondering what' the best thing to do here. Of course I can run --help and copy-paste but I'm not sure that's the best. I am trying to improve the documentation, not make it perfect :D Currently, it's quite out of date. I am not sure what's best. The full --help is also way too verbose and I don't think it's too helpful. They can always run it themselves. What do you think? Should I just copy-paste the --help and then explain the options as it is now (with common-options.md to explain the common ones)?

```

Symbolically execute both the code given in `--code-a` and `--code-b` and try
to prove equivalence between their outputs and storages. Extracting bytecode
from solidity contracts can be done via, e.g.:
to prove equivalence between their outputs and storages. For a full listing of
options, see `hevm equivalence --help`. For common options, see
[here](./common-options.md).

## Simple example usage

```shell
$ solc --bin-runtime "contract1.sol" | tail -n1 > a.bin
$ solc --bin-runtime "contract2.sol" | tail -n1 > b.bin
$ hevm equivalence --code-a-file a.bin --code-b-file b.bin
```
hevm equivalence \
--code-a $(solc --bin-runtime "contract1.sol" | tail -n1) \
--code-b $(solc --bin-runtime "contract2.sol" | tail -n1)
```

## Calldata size limits

If `--sig` is given, calldata is assumed to take the form of the function
given. If `--calldata` is provided, a specific, concrete calldata is used. If
neither is provided, a fully abstract calldata of at most `2**64` byte is
assumed. Note that a `2**64` byte calldata would go over the gas limit, and
hence should cover all meaningful cases.
hence should cover all meaningful cases. You can limit the buffer size via
`--max-buf-size`, which sets the exponent of the size, i.e. 10 would limit the
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we call this option --max-calldata-buf-size?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! Yes, we should. Fixing.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah wait... this actually applies to other buffers too, like here:

symCalldata :: App m => Text -> [AbiType] -> [String] -> Expr Buf -> m (Expr Buf, [Prop])
symCalldata sig typesignature concreteArgs base = do
  conf <- readConfig
  let
    args = concreteArgs <> replicate (length typesignature - length concreteArgs) "<symbolic>"
    mkArg :: AbiType -> String -> Int -> CalldataFragment
    mkArg typ "<symbolic>" n = symAbiArg (T.pack $ "arg" <> show n) typ
    mkArg typ arg _ =
      case makeAbiValue typ arg of
        AbiUInt _ w -> St [] . Lit . into $ w
        AbiInt _ w -> St [] . Lit . unsafeInto $ w
        AbiAddress w -> St [] . Lit . into $ w
        AbiBool w -> St [] . Lit $ if w then 1 else 0
        _ -> internalError "TODO"
    calldatas = zipWith3 mkArg typesignature args [1..]
    (cdBuf, props) = combineFragments calldatas base
    withSelector = writeSelector cdBuf sig
    sizeConstraints
      = (Expr.bufLength withSelector .>= cdLen calldatas)
      .&& (Expr.bufLength withSelector .< (Lit (2 ^ conf.maxBufSize)))

and also the data that an unknown contract sends back to us. We should explain this...

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I am gonna talk about this more in the docs and try to give a better explanation in the --help, too.

calldata to `2**10` bytes.

## What constitutes equivalence

The equivalence checker considers two contracts equivalent if given the
same calldata they:
- return the same value
- have the same storage
- match on the success/failure of the execution
Importantly, logs are *not* considered in the equivalence check. Hence,
it is possible that two contracts are considered equivalent by `hevm equivalence` but
they emit different log items. Furthermore, gas is explicitly not considered,
as in many cases, the point of the equivalence check is to ensure that the
contracts are functionally equivalent, but one of them is more gas efficient.

For example, two contracts that are:

```
PUSH1 3
```

And

```
PUSH1 4
```

Are considered *equivalent*, because they don't put anything in the return
data, are not different in their success/fail attribute, and don't touch
storage. However, these two are considered different:

```
PUSH1 3
PUSH1 0x20
MSTORE
PUSH1 0x40
PUSH1 0x00
RETURN
```

and:


```
PUSH1 4
PUSH1 0x20
MSTORE
PUSH1 0x40
PUSH1 0x00
RETURN
```

Since one of them returns a 3 and the other a 4. We also consider contracts different when
they differ in success/fail. So these two contracts:

```
PUSH1 0x00
PUSH1 0x00
RETURN
```

and:

```
PUSH1 0x00
PUSH1 0x00
REVERT
```

Are considered different, as one of them reverts (i.e. fails) and the other
succeeds.

## Creation code equivalence

If you want to check the equivalence of not just the runtime code, but also the
creation code of two contracts, you can use the `--creation` flag. For example
these two contracts:

```solidity
contract C {
uint private immutable NUMBER;
constructor(uint a) {
NUMBER = 2;
}
function stuff(uint b) public returns (uint256) {
unchecked{return 2+NUMBER+b;}
}
}
```

And:

```solidity
contract C {
uint private immutable NUMBER;
constructor(uint a) {
NUMBER = 4;
}
function stuff(uint b) public returns (uint256) {
unchecked {return NUMBER+b;}
}
}
```

Will compare equal when compared with `--create` flag:

```shell
solc --bin a.sol | tail -n1 > a.bin
solc --bin b.sol | tail -n1 > b.bin
cabal run exe:hevm equivalence -- --code-a-file a.bin --code-b-file b.bin --create
```

Notice that we used `--bin` and not `--bin-runtime` for solc here. Also note that
in case `NUMBER` is declared `public`, the two contracts will not be considered
equivalent, since solidity will generate a getter for `NUMBER`, which will
return 2/4 respectively.

## Further reading

For a tutorial on how to use `hevm equivalence`, see the [equivalence checking
tutorial](symbolic-execution-tutorial.html).
51 changes: 11 additions & 40 deletions doc/src/exec.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,57 +2,28 @@

Run an EVM computation using specified parameters.

```
Usage: hevm exec [--code TEXT] [--calldata TEXT] [--address ADDR]
```plain
Usage: hevm exec [--code TEXT] [--code-file STRING] [--calldata TEXT] [--address ADDR]
[--caller ADDR] [--origin ADDR] [--coinbase ADDR]
[--value W256] [--nonce WORD64] [--gas WORD64] [--number W256]
[--timestamp W256] [--basefee W256] [--priority-fee W256]
[--gaslimit WORD64] [--gasprice W256] [--create]
[--gaslimit WORD64] [--gasprice W256]
[--maxcodesize W256] [--prev-randao W256] [--chainid W256]
[--debug] [--trace] [--rpc TEXT] [--block W256] [--root STRING]
[--project-type PROJECTTYPE]

Available options:
-h,--help Show this help text
--code TEXT Program bytecode
--calldata TEXT Tx: calldata
--address ADDR Tx: address
--caller ADDR Tx: caller
--origin ADDR Tx: origin
--coinbase ADDR Block: coinbase
--value W256 Tx: Eth amount
--nonce WORD64 Nonce of origin
--gas WORD64 Tx: gas amount
--number W256 Block: number
--timestamp W256 Block: timestamp
--basefee W256 Block: base fee
--priority-fee W256 Tx: priority fee
--gaslimit WORD64 Tx: gas limit
--gasprice W256 Tx: gas price
--create Tx: creation
--maxcodesize W256 Block: max code size
--prev-randao W256 Block: prevRandao
--chainid W256 Env: chainId
--debug Debug printing of internal behaviour
--trace Dump trace
--rpc TEXT Fetch state from a remote node
--block W256 Block state is be fetched from
--root STRING Path to project root directory (default: . )
--project-type PROJ Foundry or CombinedJSON project (default: Foundry)
--assertion-type ASSERT Assertions as per Forge or DSTest (default: Forge)
[--trace] [--rpc TEXT] [--block W256] ...
```

Minimum required flags: either you must provide `--code` or you must both pass
`--rpc` and `--address`.
Concretely execute a given EVM bytecode with the specified parameters. Minimum
required flags: either you must provide `--code` or you must both pass `--rpc`
and `--address`. For a full listing of options, see `hevm exec --help`.

If the execution returns an output, it will be written
to stdout. Exit code indicates whether the execution was successful or
errored/reverted.

Simple example usage:
## Simple example usage

```
hevm exec --code 0x647175696e6550383480393834f3 --gas 0xff
```shell
$ hevm exec --code 0x647175696e6550383480393834f3 --gas 0xff
"Return: 0x647175696e6550383480393834f3"
```

Expand All @@ -61,7 +32,7 @@ Virtual Machine will put `0x647175696e6550383480393834f3` in the RETURNDATA.

To execute a mainnet transaction:

```
```shell
# install seth as per
# https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide/seth-guide.md
$ export ETH_RPC_URL=https://mainnet.infura.io/v3/YOUR_API_KEY_HERE
Expand Down
Loading
Loading