incorrect instruction list of the contract account #1772

Open
qiana0223 opened this issue May 30, 2023 · 6 comments

@qiana0223

Description

On a contract that only has a constructor and a fallback function, there is a huge coverage gap between normal execution and debugging mode.
Normal execution has 1.45% coverage while debugging has 98% code coverage.

In normal execution: [screenshot of the coverage output]

In debugging mode: [screenshot of the coverage output]

I have observed that in a message call transaction, the instruction list has abnormal instructions.

How to Reproduce

1. Execute this contract normally in the default setting.
2. Execute this contract in debugging mode.

The code of the contract:

```solidity
pragma solidity ^0.5.3;

contract Proxy {
    address internal masterCopy;

    constructor(address _masterCopy)
        public
    {
        require(_masterCopy != address(0), "Invalid master copy address provided");
        masterCopy = _masterCopy;
    }

    function ()
        external
        payable
    {
        assembly {
            let masterCopy := and(sload(0), 0xffffffffffffffffffffffffffffffffffffffff)
            if eq(calldataload(0), 0xa619486e00000000000000000000000000000000000000000000000000000000) {
                mstore(0, masterCopy)
                return(0, 0x20)
            }
            calldatacopy(0, 0, calldatasize())
            let success := delegatecall(gas, masterCopy, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if eq(success, 0) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
```

@norhh
Collaborator

norhh commented May 31, 2023

Can you elaborate on the difference between normal execution and debugging mode? Do you mean `myth analyze file.sol` vs `myth -v4 analyze file.sol`?

@norhh
Collaborator

norhh commented May 31, 2023

Although the two bytecodes in your images are different, the one with the lowest coverage corresponds to the creation bytecode, which is constructor + runtime bytecode. You can't cover runtime bytecode during creation, and 1.45% corresponds to the coverage of the creation bytecode over creation + runtime bytecode, hence it is low. The one with 98% code coverage is the runtime bytecode's coverage during the runtime symbolic execution of the contract.

@qiana0223
Author

I run Mythril in the PyCharm IDE. I explicitly added print statements in coverage_plugin.py to print the coverage. The parameters given to myth.py in PyCharm are: `analyze path_to_solidity:contract_name`.

Normal execution just means running myth.py by clicking the Run button.
In debugging mode, I just add some breakpoints, then run myth.py by clicking the Debug button.

1.45% is not the coverage of the contract creation code. The contract creation code's coverage is 65.98%.

@norhh
Collaborator

norhh commented Jun 1, 2023

From what I have checked,
`08c379a000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000024496e76616c6964206d617374657220636f707920616464726573732070726f766964656400000000000000000000000000000000000000000000000000000000`
is a concrete instantiation of the contract located at the masterCopy address. This occurs because the bytecode is not instantiated for the address and hence is unknown.
This bytecode is inexecutable, hence the low coverage.
Almost all bytecodes start with a PUSH, which is not the case with the above bytecode. All bytecodes compiled with solc start with a PUSH followed by a DUP. The above is invalid because it starts with an instruction that pops from the stack, which is empty.
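To make the point above concrete, here is an added example (not code from the issue thread or from Mythril) that decodes the quoted blob as an ABI-encoded `Error(string)` revert payload and checks what its first byte would do if it were run as EVM code. The hex fields are copied from the comment above; the trailing zero padding is rebuilt as standard 32-byte ABI alignment, and the opcode table is a small hand-written subset.

```python
from __future__ import annotations

# Blob from the comment above, split into its ABI fields (padding rebuilt as 32-byte alignment).
REVERT_BLOB = bytes.fromhex(
    "08c379a0"                      # 4-byte selector of Error(string)
    + "00" * 31 + "20"              # word 1: offset of the string data (0x20)
    + "00" * 31 + "24"              # word 2: string length (0x24 = 36 bytes)
    + "496e76616c6964206d617374657220636f707920616464726573732070726f7669646564"
    + "00" * 28                     # pad the 36 message bytes up to a full 64
)
ERROR_STRING_SELECTOR = bytes.fromhex("08c379a0")  # keccak256("Error(string)")[:4]

# (mnemonic, stack inputs) for the opcodes this check needs to name; a subset of the EVM table.
OPCODE_POPS = {
    0x00: ("STOP", 0), 0x08: ("ADDMOD", 3), 0x52: ("MSTORE", 2), 0x5b: ("JUMPDEST", 0),
    **{0x60 + n: (f"PUSH{n + 1}", 0) for n in range(32)},
}

def decode_error_string(data: bytes) -> str | None:
    """Decode an ABI-encoded Error(string) payload; return None if `data` is not one."""
    if len(data) < 4 + 64 or data[:4] != ERROR_STRING_SELECTOR:
        return None
    body = data[4:]
    offset = int.from_bytes(body[:32], "big")
    if offset + 32 > len(body):
        return None
    length = int.from_bytes(body[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(body):
        return None
    return body[start:start + length].decode("utf-8", errors="replace")

def first_opcode(code: bytes) -> tuple[str, int]:
    """Return (mnemonic, number of stack items popped) for the first instruction of `code`."""
    if not code:
        return ("<empty>", 0)
    return OPCODE_POPS.get(code[0], (f"UNKNOWN(0x{code[0]:02x})", 0))

def is_executable_start(code: bytes) -> bool:
    """False when the first instruction would pop from the empty initial stack."""
    return first_opcode(code)[1] == 0

if __name__ == "__main__":
    print(decode_error_string(REVERT_BLOB))                  # the require() message from Proxy
    print(first_opcode(REVERT_BLOB), is_executable_start(REVERT_BLOB))  # 0x08 = ADDMOD pops 3
    print(is_executable_start(bytes.fromhex("6080604052")))  # typical solc prologue: PUSH1 0x80 PUSH1 0x40 MSTORE
```

The blob is therefore the revert data produced by the constructor's `require`, not code that could be deployed at `masterCopy`, which is why symbolic execution over it covers almost nothing.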

@qiana0223
Author

Thank you for the explanation!
I have another question: why is the bytecode not instantiated for this contract?

@norhh
Collaborator

norhh commented Jun 3, 2023

You can look at the code. The variable masterCopy, which stores the address of the contract, is accepted as an argument from the constructor. It is unknown what code the address masterCopy holds.
