
disasm: Return values


Unfortunately selector hashes don’t include the return value, so none of the 4byte databases include return types.

Questions:

  1. How do we detect whether a function has a return value at all?
  2. If it does, can we do anything to guess the type or size?

What we have:

  • Function selectors with instruction pointers
  • Boundaries for selectors’ functions (they seem to be assembled contiguously based on a few anecdotal examinations).

Updated challenges:

  • Old Solidity (e.g. WETH compiled with 0.4.x) assembles functions with simple return macros, so those are fairly easily detectable by looking back for RETURN from the end of each selector function’s boundary.
  • Modern Solidity assembles returns through chains of helper branches that prepare the data. I can’t think of a way to resolve these in a ~single pass. Anyone have ideas?
    • One of the helper branches is a STOP branch, which shouldn’t be too hard to find in isolation (basically JUMPDEST STOP, sometimes there are multiples, not sure why). Could we just use the absence of a STOP or JUMP to a STOP offset as an indicator whether there is a return value of some kind?
  • In either case, I’m having trouble finding a reliable pattern for extracting the size of the return values, even in the old-Solidity simple case.
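The detection sketched above, as an added example that is not part of this issue or the project's own code: a small linear-sweep EVM disassembler, selector recovery from the `PUSH4 <sel> EQ PUSHn <dest> JUMPI` dispatcher pattern, contiguous per-selector windows, and the RETURN/STOP heuristic. It goes one step beyond the simple case by following a direct `PUSHn <dest> JUMP` at the end of a window and treating a `JUMPDEST STOP` target as "no return value"; anything else it jumps into is reported as unresolved rather than guessed. Size extraction only handles the constant-operand return macro (`PUSH size PUSH offset RETURN`, or the `SWAP1` variant). The bytecode, its three selectors (0x11111111, 0x22222222, 0x33333333) and the function names are all constructed for this example.

```python
"""Minimal EVM disassembler plus the RETURN/STOP return-value heuristic.

Added example for illustration; not the project's code. SAMPLE_CODE is
hand-assembled for this example and its selectors are made-up placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Enough opcode names for the constructed sample; anything else prints as UNKNOWN_xx.
OPCODES = {
    0x00: "STOP", 0x01: "ADD", 0x14: "EQ", 0x1C: "SHR", 0x33: "CALLER",
    0x34: "CALLVALUE", 0x35: "CALLDATALOAD", 0x50: "POP", 0x51: "MLOAD",
    0x52: "MSTORE", 0x54: "SLOAD", 0x55: "SSTORE", 0x56: "JUMP",
    0x57: "JUMPI", 0x5B: "JUMPDEST", 0x5F: "PUSH0", 0x80: "DUP1",
    0x90: "SWAP1", 0xF3: "RETURN", 0xFD: "REVERT",
}


@dataclass
class Insn:
    pc: int
    name: str
    imm: Optional[int] = None  # immediate of PUSH1..PUSH32, else None


def disassemble(code: bytes) -> list:
    """Linear sweep; PUSH immediates are skipped so they are never decoded as opcodes."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:  # PUSH1..PUSH32 carry 1..32 immediate bytes
            n = op - 0x5F
            imm = code[pc + 1:pc + 1 + n].ljust(n, b"\x00")  # EVM zero-pads a truncated PUSH
            insns.append(Insn(pc, f"PUSH{n}", int.from_bytes(imm, "big")))
            pc += 1 + n
        else:
            insns.append(Insn(pc, OPCODES.get(op, f"UNKNOWN_{op:02X}")))
            pc += 1
    return insns


def find_selectors(insns: list) -> dict:
    """Selector -> entry pc, from the dispatcher arm PUSH4 <sel> EQ PUSHn <dest> JUMPI."""
    targets = {}
    for i in range(len(insns) - 3):
        a, b, c, d = insns[i:i + 4]
        if a.name == "PUSH4" and b.name == "EQ" and c.name.startswith("PUSH") and d.name == "JUMPI":
            targets[a.imm] = c.imm
    return targets


def function_windows(insns: list, targets: dict) -> dict:
    """One window per selector, [entry, next entry), on the issue's contiguity assumption."""
    entries = sorted(set(targets.values()))
    windows = {}
    for sel, entry in targets.items():
        later = [e for e in entries if e > entry]
        end = later[0] if later else float("inf")
        windows[sel] = [i for i in insns if entry <= i.pc < end]
    return windows


def _immediate_return_size(window: list, k: int):
    """Size operand of the RETURN at window[k] when it was pushed as a constant, else None."""
    if k >= 2 and window[k - 1].name.startswith("PUSH") and window[k - 2].name.startswith("PUSH"):
        return window[k - 2].imm  # PUSH size, PUSH offset, RETURN
    if (k >= 3 and window[k - 1].name == "SWAP1"
            and window[k - 2].name.startswith("PUSH") and window[k - 3].name.startswith("PUSH")):
        return window[k - 2].imm  # PUSH offset, PUSH size, SWAP1, RETURN
    return None


def classify(window: list, insns: list) -> tuple:
    """(has_return_value, size). True/False when the window ends in RETURN, STOP, or a direct
    JUMP to a `JUMPDEST STOP` block; (None, None) when it tails into an unresolved helper chain."""
    index = {i.pc: n for n, i in enumerate(insns)}
    for k in range(len(window) - 1, -1, -1):
        ins = window[k]
        if ins.name == "STOP":
            return False, None
        if ins.name == "RETURN":
            return True, _immediate_return_size(window, k)
        if ins.name == "JUMP":
            if k >= 1 and window[k - 1].name.startswith("PUSH"):
                t = index.get(window[k - 1].imm)
                if (t is not None and insns[t].name == "JUMPDEST"
                        and t + 1 < len(insns) and insns[t + 1].name == "STOP"):
                    return False, None
            return None, None  # jumps into a helper chain this single pass cannot resolve
    return None, None


def analyze(code: bytes) -> dict:
    insns = disassemble(code)
    windows = function_windows(insns, find_selectors(insns))
    return {sel: classify(win, insns) for sel, win in windows.items()}


# Constructed bytecode: dispatcher, a shared STOP helper, then three function bodies.
SAMPLE_CODE = bytes.fromhex(
    "600035" "60e01c"                       # selector = calldata[0:4]
    "80" "6311111111" "14" "602a" "57"      # arm 1 -> 0x2a
    "80" "6322222222" "14" "6036" "57"      # arm 2 -> 0x36
    "80" "6333333333" "14" "603c" "57"      # arm 3 -> 0x3c
    "600080fd"                              # fallthrough: REVERT(0, 0)
    "5b00"                                  # 0x28: shared `JUMPDEST STOP` helper block
    "5b60005460005260206000f3"              # 0x2a: SLOAD slot 0, MSTORE at 0, RETURN(0, 0x20)
    "5b3360015500"                          # 0x36: SSTORE, inline STOP (no return value)
    "5b3460025560" "2856"                   # 0x3c: SSTORE, then JUMP to the STOP helper
)

if __name__ == "__main__":
    for ins in disassemble(SAMPLE_CODE):
        print(f"{ins.pc:04x}: {ins.name}" + (f" 0x{ins.imm:x}" if ins.imm is not None else ""))
    for sel, (has_ret, size) in analyze(SAMPLE_CODE).items():
        print(f"selector 0x{sel:08x}: has_return={has_ret} size={size}")
```

A recovered size of 32 says nothing about the static type, for the reason noted in the thread: ABI encoding pads an address to a full 32-byte word, so it is indistinguishable from a uint256 by size alone.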

Issue Analytics

  • State: open
  • Created a year ago
  • Reactions: 2
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

2 reactions
shazow commented, Nov 4, 2022

Started a WIP PR in #14, here are the vibes so far (from PR):

Still in the research phase, trying to find a way to detect output sizes but that’s looking harder than I hoped.

It looks like modern solidity wraps most outputs through a chain of jumps that prepares the data. It’s going to be quite hard to do this with a single-pass static analysis.

Older solidity (e.g. WETH contract with v0.4.x) does a simpler return macro per function window, those aren’t hard to detect but extracting sizing reliably still seems hard.

Also I thought it’d be easier to detect address type outputs because they’re 20 bytes rather than the usual 32, but I forgot that things get padded so it still ends up being 32 bytes.

I probably need to sleep on this in case there’s other clever solutions but not looking great for single-pass static analysis right now. 😅

1 reaction
shazow commented, Nov 4, 2022

Updated the current state and challenges in the issue description, going to pass it around to some folks to see if anyone else has ideas. Feel free to re-share. 😃

