Out-Of-Range Signals
Detector Type:
Summary and Usage
The Out-Of-Range Signals (OORS) detector analyzes patterns of computation and constraint generation to estimate the expected ranges of intermediate values (e.g., if a value is part of a byte decomposition, it should lie within [0, 255]). These expected ranges are then compared against the actual ranges enforced by constraints. If the expected range is narrower than the enforced range, values may fall "out of range," leaving them underconstrained and potentially introducing bugs or vulnerabilities.
Usage
Coming soon.
Configuration Options
Coming soon.
Example and Explanation
- Zirgen
Coming soon.
Usage Example
- Zirgen
Coming soon.
Limitations
- This detector uses LLZK’s intraprocedural range analysis to infer expected intervals. Any inaccuracies in this analysis (e.g., when constraints are applied indirectly in other parts of the circuit) may result in false positives.
- This detector only recognizes a specific set of patterns to infer likely intervals. It will not detect out-of-range errors for computation patterns that are highly circuit- or application-specific.
How to Assess Severity
If confirmed as a true positive, a finding from the OORS detector indicates a severe issue. Underconstrained values may allow multiple different proofs to yield the same output, undermining the integrity of the circuit.