State merging (#973)

Minimal proof of concept for merging branches in symbolic execution.
---------

Co-authored-by: Mate Soos <[email protected]>

Author: gustavo-grieco

CHANGELOG.md

@@ -11,6 +11,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - New opcode: CLZ
 - Support for `--early-abort` flag that aborts symbolic execution as soon as a counterexample is found
 - Support for `vm.etch(address, bytecode)` cheatcode to set the code of a contract at a given address
+- State merging via speculative execution of both branches of a JUMPI, joining the
+  resulting states whenever possible. Amount of speculative execution is
+  controlled via `merge-max-budget`
 
 ## Changed
 - `AbiFunction` and `AbiBytes` parser is now more strict

cli/cli.hs

@@ -101,6 +101,7 @@ data CommonOptions = CommonOptions
   , onlyDeployed  ::Bool
   , cacheDir      ::Maybe String
   , earlyAbort    ::Bool
+  , mergeMaxBudget :: Int
   }
 
 commonOptions :: Parser CommonOptions
@@ -131,6 +132,7 @@ commonOptions = CommonOptions
   <*> (switch $ long "only-deployed" <> help "When trying to resolve unknown addresses, only use addresses of deployed contracts")
   <*> (optional $ strOption $ long "cache-dir" <> help "Directory to save and load RPC cache")
   <*> (switch $  long "early-abort" <> help "Stop exploration immediately upon finding the first counterexample")
+  <*> (option auto $ long "merge-max-budget" <> showDefault <> value 100 <> help "Max instructions for speculative merge exploration during path merging")
 
 data CommonExecOptions = CommonExecOptions
   { address       ::Maybe Addr
@@ -374,6 +376,7 @@ main = do
         , simp = Prelude.not cOpts.noSimplify
         , onlyDeployed = cOpts.onlyDeployed
         , earlyAbort = cOpts.earlyAbort
+        , mergeMaxBudget = cOpts.mergeMaxBudget
         } }
 
 

hevm.cabal

@@ -113,6 +113,7 @@ library
     EVM.Traversals,
     EVM.CSE,
     EVM.Keccak,
+    EVM.Merge,
     EVM.Transaction,
     EVM.Types,
     EVM.UnitTest,

src/EVM.hs

@@ -16,6 +16,7 @@ import EVM.Expr (readStorage, concStoreContains, writeStorage, readByte, readWor
 import EVM.Expr qualified as Expr
 import EVM.FeeSchedule (FeeSchedule (..))
 import EVM.FeeSchedule qualified as Fees (feeSchedule)
+import EVM.Merge qualified as Merge
 import EVM.Op
 import EVM.Precompiled qualified
 import EVM.Solidity
@@ -198,6 +199,7 @@ makeVm o = do
     , exploreDepth = 0
     , keccakPreImgs = fromList []
     , pathsVisited = mempty
+    , mergeState = defaultMergeState
     }
     where
     env = Env
@@ -867,14 +869,39 @@ exec1 conf = do
 
         OpJumpi -> {-# SCC "OpJumpi" #-}
           case stk of
-            x:y:xs -> forceConcreteLimitSz x 2 "JUMPI: symbolic jumpdest" $ \x' ->
+            x:cond:xs -> forceConcreteLimitSz x 2 "JUMPI: symbolic jumpdest" $ \maybeTarget ->
               burn g_high $
                 let jump :: Bool -> EVM t ()
                     jump False = assign' (#state % #stack) xs >> next
-                    jump _    = case tryInto x' of
+                    jump _    = case tryInto maybeTarget of
                       Left _ -> vmError BadJumpDestination
-                      Right i -> checkJump i xs
-                in branch conf.maxDepth y jump
+                      Right jumpTarget -> checkJump jumpTarget xs
+                    -- For Symbolic execution, try forward-jump merge first
+                    symbolicMerge :: EVM Symbolic ()
+                    symbolicMerge = case tryInto maybeTarget of
+                      Left _ ->
+                        -- Invalid destination - but we only error if we try to jump
+                        -- Use branch to decide based on condition
+                        branch conf.maxDepth cond $ \case
+                          False -> assign' (#state % #stack) xs >> next
+                          True -> vmError BadJumpDestination
+                      Right jumpTarget -> do
+                        -- Check if we're already in merge mode (speculative execution)
+                        ms <- use #mergeState
+                        if ms.msActive then
+                          -- Inside speculation: nested branch, bail out
+                          -- This will cause speculateLoop to return Nothing
+                          assign #result $ Just $ VMFailure BadJumpDestination
+                        else do
+                          merged <- Merge.tryMergeForwardJump conf (exec1 conf) vm.state.pc jumpTarget cond xs
+                          unless merged $ do
+                            let jumpSym :: Bool -> EVM Symbolic ()
+                                jumpSym False = assign' (#state % #stack) xs >> next
+                                jumpSym _    = checkJump jumpTarget xs
+                            branch conf.maxDepth cond jumpSym
+                in case eqT @t @Symbolic of
+                     Just Refl -> symbolicMerge
+                     Nothing -> branch conf.maxDepth cond jump
             _ -> underrun
 
         OpPc -> {-# SCC "OpPc" #-}

src/EVM/Effects.hs

@@ -47,6 +47,7 @@ data Config = Config
   , simp             :: Bool
   , onlyDeployed     :: Bool
   , earlyAbort       :: Bool
+  , mergeMaxBudget   :: Int        -- ^ Max instructions for speculative merge exploration
   }
   deriving (Show, Eq)
 
@@ -67,6 +68,7 @@ defaultConfig = Config
   , simp = True
   , onlyDeployed = False
   , earlyAbort = False
+  , mergeMaxBudget = 100
   }
 
 -- Write to the console

src/EVM/Expr.hs

@@ -1057,6 +1057,13 @@ simplifyNoLitToKeccak e = untilFixpoint (mapExpr go) e
     go (IsZero (Xor x y)) = eq x y
     go (IsZero a) = iszero a
 
+    -- ITE (if-then-else) simplification for path merging
+    go (ITE (Lit 0) _ f) = f
+    go (ITE (Lit _) t _) = t
+    go (ITE _ t f) | t == f = t
+    go (ITE c (ITE c' a _) d) | c == c' = ITE c a d -- nested same condition in then
+    go (ITE c a (ITE c' _ d)) | c == c' = ITE c a d -- nested same condition in else
+
     -- syntactic Eq reduction
     go (Eq (Lit a) (Lit b))
       | a == b = Lit 1

src/EVM/Format.hs

@@ -655,6 +655,7 @@ formatExpr = go
       Eq a b -> fmt "Eq" [a, b]
       EqByte a b -> fmt "EqByte" [a, b]
       IsZero a -> fmt "IsZero" [a]
+      ITE c t el -> fmt "ITE" [c, t, el]
 
       And a b -> fmt "And" [a, b]
       Or a b -> fmt "Or" [a, b]

src/EVM/Merge.hs

@@ -0,0 +1,142 @@
+{-# LANGUAGE DataKinds #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+
+-- | State merging for symbolic execution
+--
+-- This module provides functions for merging execution paths during symbolic
+-- execution. Instead of forking on every JUMPI, we can speculatively execute
+-- both paths and merge them using ITE (If-Then-Else) expressions when:
+--
+-- 1. Both paths converge to the same PC (forward jump pattern)
+-- 2. Neither path has side effects (storage, memory, logs unchanged)
+-- 3. Both paths have the same stack depth
+--
+-- This reduces path explosion from 2^N to linear in many common patterns.
+
+module EVM.Merge
+  ( tryMergeForwardJump
+  ) where
+
+import Control.Monad (when)
+import Control.Monad.State.Strict (get, put)
+import Debug.Trace (traceM)
+import Optics.Core
+import Optics.State
+
+import EVM.Effects (Config(..))
+import EVM.Expr qualified as Expr
+import EVM.Types
+
+-- | Execute instructions speculatively until target PC is reached or
+-- we hit budget limit/SMT query/RPC call/revert/error.
+speculateLoopOuter
+  :: Config
+  -> EVM Symbolic ()  -- ^ Single-step executor
+  -> Int              -- ^ Target PC
+  -> EVM Symbolic (Maybe (VM Symbolic))
+speculateLoopOuter conf exec1Step targetPC = do
+    -- Initialize merge state for this speculation
+    let budget = conf.mergeMaxBudget
+    modifying #mergeState $ \ms -> ms { msActive = True , msRemainingBudget = budget }
+    res <- speculateLoop conf exec1Step targetPC
+    -- Reset merge state
+    assign #mergeState defaultMergeState
+    pure res
+
+-- | Inner loop for speculative execution with budget tracking
+speculateLoop
+  :: Config
+  -> EVM Symbolic ()  -- ^ Single-step executor
+  -> Int              -- ^ Target PC
+  -> EVM Symbolic (Maybe (VM Symbolic))
+speculateLoop conf exec1Step targetPC = do
+    ms <- use #mergeState
+    if ms.msRemainingBudget <= 0
+      then pure Nothing  -- Budget exhausted
+      else do
+        pc <- use (#state % #pc)
+        result <- use #result
+        case result of
+          Just _ -> pure Nothing  -- Hit RPC call/revert/SMT query/etc.
+          Nothing
+            | pc == targetPC -> Just <$> get  -- Reached target
+            | otherwise -> do
+                -- Decrement budget and execute one instruction
+                modifying #mergeState $ \s -> s { msRemainingBudget = subtract 1 s.msRemainingBudget }
+                exec1Step
+                speculateLoop conf exec1Step targetPC
+
+-- | Try to merge a forward jump (skip block pattern) for Symbolic execution
+-- Returns True if merge succeeded, False if we should fall back to forking
+-- SOUNDNESS: Both paths (jump and fall-through) must converge to the same PC,
+-- have the same stack depth, and have no side effects. Only then can we merge.
+tryMergeForwardJump
+  :: Config
+  -> EVM Symbolic ()  -- ^ Single-step executor
+  -> Int              -- ^ Current PC
+  -> Int              -- ^ Jump target PC
+  -> Expr EWord       -- ^ Branch condition
+  -> [Expr EWord]     -- ^ Stack after popping JUMPI args
+  -> EVM Symbolic Bool
+tryMergeForwardJump conf exec1Step currentPC jumpTarget cond stackAfterPop = do
+  -- Only handle forward jumps (skip block pattern)
+  if jumpTarget <= currentPC
+  then pure False  -- Not a forward jump
+  else do
+    vm0 <- get
+
+    -- Skip merge if memory is mutable (ConcreteMemory)
+    case vm0.state.memory of
+      ConcreteMemory _ -> pure False
+      SymbolicMemory _ -> do
+        -- True branch (jump taken): Just sets PC to target, no execution needed
+        let trueStack = stackAfterPop  -- Stack after popping JUMPI args
+
+        -- False branch (fall through): Execute until we reach jump target
+        assign' (#state % #stack) stackAfterPop
+        modifying' (#state % #pc) (+ 1)  -- Move past JUMPI
+        maybeVmFalse <- speculateLoopOuter conf exec1Step jumpTarget
+
+        case maybeVmFalse of
+          Nothing -> put vm0 >> pure False -- can't merge: EVM error, SMT/RPC query, over-budget
+          Just vmFalse -> do
+            let falseStack = vmFalse.state.stack
+                soundnessOK = checkNoSideEffects vm0 vmFalse
+
+            -- Check merge conditions: same stack depth AND no side effects
+            if length trueStack == length falseStack && soundnessOK
+              then do
+                -- Merge stacks using ITE expressions, simplifying to prevent growth
+                let condSimp = Expr.simplify cond
+                    mergeExpr t f = Expr.simplify $ ITE condSimp t f
+                    mergedStack = zipWith mergeExpr trueStack falseStack
+                -- Use vm0 as base and update only PC and stack
+                when conf.debug $ traceM $
+                  "Merged forward jump to PC: " <> show jumpTarget <> " from PC: " <> show currentPC
+                put vm0
+                assign (#state % #pc) jumpTarget
+                assign (#state % #stack) mergedStack
+                assign #result Nothing
+                assign (#mergeState % #msActive) False
+                pure True
+              else put vm0 >> pure False -- can't merge: stack depth or state differs
+
+-- | Check that execution had no side effects (storage, memory, logs, etc.)
+checkNoSideEffects :: VM Symbolic -> VM Symbolic -> Bool
+checkNoSideEffects vm0 vmAfter =
+  let memoryUnchanged = case (vm0.state.memory, vmAfter.state.memory) of
+        (SymbolicMemory m1, SymbolicMemory m2) -> m1 == m2
+        _ -> False
+      memorySizeUnchanged = vm0.state.memorySize == vmAfter.state.memorySize
+      returndataUnchanged = vm0.state.returndata == vmAfter.state.returndata
+      storageUnchanged = vm0.env.contracts == vmAfter.env.contracts
+      logsUnchanged = vm0.logs == vmAfter.logs
+      constraintsUnchanged = vm0.constraints == vmAfter.constraints
+      keccakUnchanged = vm0.keccakPreImgs == vmAfter.keccakPreImgs
+      freshVarUnchanged = vm0.freshVar == vmAfter.freshVar
+      framesUnchanged = length vm0.frames == length vmAfter.frames
+      subStateUnchanged = vm0.tx.subState == vmAfter.tx.subState
+  in memoryUnchanged && memorySizeUnchanged && returndataUnchanged
+     && storageUnchanged && logsUnchanged && constraintsUnchanged
+     && keccakUnchanged && freshVarUnchanged
+     && framesUnchanged && subStateUnchanged

src/EVM/SMT.hs

@@ -476,6 +476,11 @@ exprToSMT = \case
   IsZero a -> do
     cond <- op2 "=" a (Lit 0)
     pure $ "(ite " <> cond `sp` one `sp` zero <> ")"
+  ITE c t f -> do
+    condEnc <- exprToSMT c
+    thenEnc <- exprToSMT t
+    elseEnc <- exprToSMT f
+    pure $ "(ite (distinct " <> condEnc `sp` zero <> ") " <> thenEnc `sp` elseEnc <> ")"
   And a b -> op2 "bvand" a b
   Or a b -> op2 "bvor" a b
   Xor a b -> op2 "bvxor" a b

src/EVM/Traversals.hs

@@ -123,6 +123,7 @@ foldExpr f acc expr = acc <> (go expr)
       e@(SGT a b) -> f e <> (go a) <> (go b)
       e@(Eq a b) -> f e <> (go a) <> (go b)
       e@(IsZero a) -> f e <> (go a)
+      e@(ITE c t el) -> f e <> (go c) <> (go t) <> (go el)
 
       -- bits
 
@@ -449,6 +450,11 @@ mapExprM f expr = case expr of
   IsZero a -> do
     a' <- mapExprM f a
     f (IsZero a')
+  ITE c t el -> do
+    c' <- mapExprM f c
+    t' <- mapExprM f t
+    el' <- mapExprM f el
+    f (ITE c' t' el')
 
   -- bits