Feat/coverage guided fuzzing #10190
Feat/coverage guided fuzzing #10190
Conversation
| error!(%err, "Failed to create invariant corpus dir"); | ||
| } else if let Err(err) = foundry_common::fs::write_json_file( | ||
| corpus_dir.join(timestamp).as_path(), | ||
| ¤t_run.inputs.clone(), |
There was a problem hiding this comment.
Ideally we'd have the ABI sig here and not have to call from_invariant_call all of the time to recover it
| @@ -315,6 +320,7 @@ impl<'a> InvariantExecutor<'a> { | |||
| setup_contracts, | |||
| project_contracts, | |||
| artifact_filters: ArtifactFilters::default(), | |||
| history_map: RefCell::new(vec![0u8; COVERAGE_MAP_SIZE]), | |||
There was a problem hiding this comment.
The corpus should probably be ran on startup and populate this from run_invariant_test
There was a problem hiding this comment.
I think we can move this under InvariantTestData
which is part of InvariantTest execution data
foundry/crates/evm/evm/src/executors/invariant/mod.rs
Lines 151 to 152 in 8e2a4c4
that is created / populated on prepare_test
foundry/crates/evm/evm/src/executors/invariant/mod.rs
Lines 509 to 517 in 8e2a4c4
There was a problem hiding this comment.
Ig if the corpus can't be shared globally, this may make sense.
| // TODO expose config and add tests | ||
| // splice | ||
| 0 => { | ||
| let start1 = rng.gen_range(0..one.len()); |
There was a problem hiding this comment.
there's an edge case here when generated start1 is the same as end1 and start2 as end2. This will result in an empty new_seq which will then panic when performing runs in initial_seq[0].clone(),
let mut current_run = InvariantTestRun::new(
initial_seq[0].clone(),
// Before each run, we must reset the backend state.
self.executor.clone(),
self.config.depth as usize,
);should we maybe just test if for empty and if it is empty then fallback into proptest strategy new tree?
if !new_seq.is_empty() {
return new_seq;
}
| let item = &tx[item_idx]; | ||
| for i in start..end { | ||
| new_seq[i] = item.clone(); | ||
| } |
There was a problem hiding this comment.
do we want to return the new_seq here too or not needed?
| .current(), | ||
| ); | ||
| // dictionary if initial seq isn't `depth` long. | ||
| if current_run.depth as usize > initial_seq.len().saturating_sub(1) { |
There was a problem hiding this comment.
we should apply this logic for discarded inputs as well, otherwise the corpus will get stuck at the same discarded sequence and won't advance (invariant::test_invariant_assume_does_not_revert test failure)
if discarded || (current_run.depth as usize > initial_seq.len().saturating_sub(1)) {
grandizzy
force-pushed
the
feat/coverage-guided-fuzzing
branch
from
abb95de to
3f148eb
Compare
grandizzy
force-pushed
the
feat/coverage-guided-fuzzing
branch
from
3f148eb to
e7a878f
Compare
|
b7f09d8 operated under the assumption that the libafl function updated the history map, but it doesn't. So we either need to revert back to the other way or iterate over the history map and set every index to the "classified" hitcount when there's new coverage |
I think reverting and using the other way should work here, do you see any big disadvantages using one or another? |
|
Mainly perf considerations... But it can wait and we avoid taking a dep on libafl |
Motivation
Right now, all it does is store "interesting" call sequences for invariant mode in a corpus but they aren't mutated or replayed.
Solution
PR Checklist