Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(invariant): support fuzz with random msg.value #8644

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions crates/evm/evm/src/executors/invariant/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -314,15 +314,17 @@ impl<'a> InvariantExecutor<'a> {
let tx = current_run.inputs.last().ok_or_else(|| {
TestCaseError::fail("No input generated to call fuzzed target.")
})?;

if current_run.executor.get_balance(tx.sender)? < tx.value {
current_run.executor.set_balance(tx.sender, tx.value)?;
}
// Execute call from the randomly generated sequence and commit state changes.
let call_result = current_run
.executor
.transact_raw(
tx.sender,
tx.call_details.target,
tx.call_details.calldata.clone(),
U256::ZERO,
tx.value,
)
.map_err(|e| {
TestCaseError::fail(format!("Could not make raw evm call: {e}"))
Expand Down
7 changes: 5 additions & 2 deletions crates/evm/evm/src/executors/invariant/replay.rs
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ use foundry_evm_traces::{load_contracts, TraceKind, TraceMode, Traces};
use indicatif::ProgressBar;
use parking_lot::RwLock;
use proptest::test_runner::TestError;
use revm::primitives::U256;
use std::sync::Arc;

/// Replays a call sequence for collecting logs and traces.
Expand All @@ -41,11 +40,14 @@ pub fn replay_run(

// Replay each call from the sequence, collect logs, traces and coverage.
for tx in inputs {
if executor.get_balance(tx.sender)? < tx.value {
executor.set_balance(tx.sender, tx.value)?;
}
let call_result = executor.transact_raw(
tx.sender,
tx.call_details.target,
tx.call_details.calldata.clone(),
U256::ZERO,
tx.value,
)?;
logs.extend(call_result.logs);
traces.push((TraceKind::Execution, call_result.traces.clone().unwrap()));
Expand All @@ -66,6 +68,7 @@ pub fn replay_run(
tx.sender,
tx.call_details.target,
&tx.call_details.calldata,
tx.value,
&ided_contracts,
call_result.traces,
));
Expand Down
7 changes: 5 additions & 2 deletions crates/evm/evm/src/executors/invariant/shrink.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ use crate::executors::{
},
Executor,
};
use alloy_primitives::{Address, Bytes, U256};
use alloy_primitives::{Address, Bytes};
use foundry_evm_fuzz::invariant::BasicTxDetails;
use indicatif::ProgressBar;
use proptest::bits::{BitSetLike, VarBitSet};
Expand Down Expand Up @@ -153,11 +153,14 @@ pub fn check_sequence(
// Apply the call sequence.
for call_index in sequence {
let tx = &calls[call_index];
if executor.get_balance(tx.sender)? < tx.value {
executor.set_balance(tx.sender, tx.value)?;
}
let call_result = executor.transact_raw(
tx.sender,
tx.call_details.target,
tx.call_details.calldata.clone(),
U256::ZERO,
tx.value,
)?;
if call_result.reverted && fail_on_revert {
// Candidate sequence fails test.
Expand Down
5 changes: 3 additions & 2 deletions crates/evm/fuzz/src/invariant/call_override.rs
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use super::{BasicTxDetails, CallDetails};
use alloy_primitives::Address;
use alloy_primitives::{Address, U256};
use parking_lot::{Mutex, RwLock};
use proptest::{
option::weighted,
Expand Down Expand Up @@ -75,12 +75,13 @@ impl RandomCallGenerator {
*self.target_reference.write() = original_caller;

// `original_caller` has a 80% chance of being the `new_target`.
// TODO: Support msg.value > 0 for call_override
let choice = self
.strategy
.new_tree(&mut self.runner.lock())
.unwrap()
.current()
.map(|call_details| BasicTxDetails { sender, call_details });
.map(|call_details| BasicTxDetails { sender, call_details, value: U256::ZERO });

self.last_sequence.write().push(choice.clone());
choice
Expand Down
4 changes: 3 additions & 1 deletion crates/evm/fuzz/src/invariant/mod.rs
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use alloy_json_abi::{Function, JsonAbi};
use alloy_primitives::{Address, Bytes, Selector};
use alloy_primitives::{Address, Bytes, Selector, U256};
use itertools::Either;
use parking_lot::Mutex;
use std::{collections::BTreeMap, sync::Arc};
Expand Down Expand Up @@ -205,6 +205,8 @@ pub struct BasicTxDetails {
pub sender: Address,
// Transaction call details.
pub call_details: CallDetails,
// Transaction value.
pub value: U256,
}

/// Call details of a transaction generated to fuzz invariant target.
Expand Down
19 changes: 16 additions & 3 deletions crates/evm/fuzz/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
extern crate tracing;

use alloy_dyn_abi::{DynSolValue, JsonAbiExt};
use alloy_primitives::{Address, Bytes, Log};
use alloy_primitives::{Address, Bytes, Log, U256};
use foundry_common::{calc, contracts::ContractsByAddress, evm::Breakpoints};
use foundry_evm_coverage::HitMaps;
use foundry_evm_traces::CallTraceArena;
Expand Down Expand Up @@ -44,6 +44,8 @@ pub struct BaseCounterExample {
pub addr: Option<Address>,
/// The data to provide
pub calldata: Bytes,
/// The number of wei sent
pub value: Option<U256>,
/// Contract name if it exists
pub contract_name: Option<String>,
/// Function signature if it exists
Expand All @@ -61,9 +63,11 @@ impl BaseCounterExample {
sender: Address,
addr: Address,
bytes: &Bytes,
value: U256,
contracts: &ContractsByAddress,
traces: Option<CallTraceArena>,
) -> Self {
let value = if value == U256::ZERO { None } else { Some(value) };
if let Some((name, abi)) = &contracts.get(&addr) {
if let Some(func) = abi.functions().find(|f| f.selector() == bytes[..4]) {
// skip the function selector when decoding
Expand All @@ -72,6 +76,7 @@ impl BaseCounterExample {
sender: Some(sender),
addr: Some(addr),
calldata: bytes.clone(),
value,
contract_name: Some(name.clone()),
signature: Some(func.signature()),
args: Some(
Expand All @@ -87,6 +92,7 @@ impl BaseCounterExample {
sender: Some(sender),
addr: Some(addr),
calldata: bytes.clone(),
value,
contract_name: None,
signature: None,
args: None,
Expand All @@ -104,6 +110,7 @@ impl BaseCounterExample {
sender: None,
addr: None,
calldata: bytes,
value: None,
contract_name: None,
signature: None,
args: Some(foundry_common::fmt::format_tokens(&args).format(", ").to_string()),
Expand Down Expand Up @@ -133,9 +140,15 @@ impl fmt::Display for BaseCounterExample {
}

if let Some(args) = &self.args {
write!(f, " args=[{args}]")
write!(f, " args=[{args}]")?
} else {
write!(f, " args=[]")
write!(f, " args=[]")?
}

if let Some(value) = &self.value {
write!(f, " value=[{value}]")
} else {
write!(f, "")
}
}
}
Expand Down
30 changes: 26 additions & 4 deletions crates/evm/fuzz/src/strategies/invariants.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ use crate::{
strategies::{fuzz_calldata_from_state, fuzz_param, EvmFuzzState},
FuzzFixtures,
};
use alloy_json_abi::Function;
use alloy_primitives::Address;
use alloy_json_abi::{Function, StateMutability};
use alloy_primitives::{Address, U256};
use parking_lot::RwLock;
use proptest::prelude::*;
use rand::seq::IteratorRandom;
Expand Down Expand Up @@ -70,15 +70,16 @@ pub fn invariant_strat(
let functions = contracts.fuzzed_functions();
let (target_address, target_function) = selector.select(functions);
let sender = select_random_sender(&fuzz_state, senders.clone(), dictionary_weight);
let value = select_random_msg_value(&fuzz_state, dictionary_weight, target_function);
let call_details = fuzz_contract_with_calldata(
&fuzz_state,
&fuzz_fixtures,
*target_address,
target_function.clone(),
);
(sender, call_details)
(sender, call_details, value)
})
.prop_map(|(sender, call_details)| BasicTxDetails { sender, call_details })
.prop_map(|(sender, call_details, value)| BasicTxDetails { sender, call_details, value })
}

/// Strategy to select a sender address:
Expand All @@ -104,6 +105,27 @@ fn select_random_sender(
}
}

/// Strategy to select a msg.value:
/// * If the target function is not payable, the msg.value is zero.
/// * If the target function is payable, the msg.value either a random number or
/// * from the dictionary.
fn select_random_msg_value(
fuzz_state: &EvmFuzzState,
dictionary_weight: u32,
func: &Function,
) -> impl Strategy<Value = U256> {
if func.state_mutability != StateMutability::Payable {
(0..1).prop_map(move |_value| U256::ZERO).boxed()
} else {
assert!(dictionary_weight <= 100, "dictionary_weight must be <= 100");
proptest::prop_oneof![
100 - dictionary_weight => fuzz_param(&alloy_dyn_abi::DynSolType::Uint(96)),
dictionary_weight => fuzz_param_from_state(&alloy_dyn_abi::DynSolType::Uint(96), fuzz_state),
]
.prop_map(move |value| value.as_uint().unwrap().0).boxed()
}
}

/// Given a function, it returns a proptest strategy which generates valid abi-encoded calldata
/// for that function's input types.
pub fn fuzz_contract_with_calldata(
Expand Down
1 change: 1 addition & 0 deletions crates/forge/src/runner.rs
Original file line number Diff line number Diff line change
Expand Up @@ -508,6 +508,7 @@ impl<'a> ContractRunner<'a> {
target: seq.addr.unwrap_or_default(),
calldata: seq.calldata.clone(),
},
value: seq.value.unwrap_or(U256::ZERO),
})
.collect::<Vec<BasicTxDetails>>();
if let Ok((success, replayed_entirely)) = check_sequence(
Expand Down
21 changes: 20 additions & 1 deletion crates/forge/tests/it/invariant.rs
Original file line number Diff line number Diff line change
Expand Up @@ -588,6 +588,25 @@ async fn test_invariant_scrape_values() {
);
}

#[tokio::test(flavor = "multi_thread")]
async fn test_invariant_msg_value() {
let filter = Filter::new(".*", ".*", ".*fuzz/invariant/common/InvariantMsgValue.t.sol");
let results = TEST_DATA_DEFAULT.runner().test_collect(&filter);
assert_multiple(
&results,
BTreeMap::from([(
"default/fuzz/invariant/common/InvariantMsgValue.t.sol:InvariantMsgValue",
vec![(
"invariant_msg_value_not_found()",
false,
Some("revert: CBA with 2,msg.value>0.1234,0 found".into()),
None,
None,
)],
)]),
);
}

#[tokio::test(flavor = "multi_thread")]
async fn test_invariant_roll_fork_handler() {
let filter = Filter::new(".*", ".*", ".*fuzz/invariant/common/InvariantRollFork.t.sol");
Expand Down Expand Up @@ -672,7 +691,7 @@ async fn test_invariant_selectors_weight() {
let mut runner = TEST_DATA_DEFAULT.runner();
runner.test_options.fuzz.seed = Some(U256::from(119u32));
runner.test_options.invariant.runs = 1;
runner.test_options.invariant.depth = 10;
runner.test_options.invariant.depth = 5000;
let results = runner.test_collect(&filter);
assert_multiple(
&results,
Expand Down
35 changes: 35 additions & 0 deletions testdata/default/fuzz/invariant/common/InvariantMsgValue.t.sol
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
// SPDX-License-Identifier: MIT OR Apache-2.0
pragma solidity ^0.8.13;

import "ds-test/test.sol";

contract Pay {
uint256 private counter;
bool public found; // CBA with 2,msg.value>0.1234,0

function A(uint8 x) external {
if (counter == 2 && x == 0) found = true;
else counter = 0;
}
function B() external payable {
if (counter == 1 && msg.value > 0.1234 ether) counter++;
else counter = 0;
}
function C(uint8 x) external {
if (counter == 0 && x == 2) counter++;
}
}

contract InvariantMsgValue is DSTest {
Pay target;

function setUp() public {
target = new Pay();
}

/// forge-config: default.invariant.runs = 2000
function invariant_msg_value_not_found() public view {
require(!target.found(), "CBA with 2,msg.value>0.1234,0 found");
}
}

Original file line number Diff line number Diff line change
Expand Up @@ -45,11 +45,19 @@ contract InvariantSelectorsWeightTest is DSTest {

function afterInvariant() public {
// selector hits uniformly distributed, see https://github.com/foundry-rs/foundry/issues/2986
assertEq(handlerOne.hit1(), 2);
assertEq(handlerTwo.hit2(), 2);
assertEq(handlerTwo.hit3(), 3);
assertEq(handlerTwo.hit4(), 1);
assertEq(handlerTwo.hit5(), 2);
uint256[5] memory hits =
[handlerOne.hit1(), handlerTwo.hit2(), handlerTwo.hit3(), handlerTwo.hit4(), handlerTwo.hit5()];

uint256 hits_sum;
for (uint256 i = 0; i < hits.length; i++) {
hits_sum += hits[i];
}
uint256 average = (hits_sum) / hits.length;
for (uint256 i = 0; i < hits.length; i++) {
uint256 delta = average > hits[i] ? average - hits[i] : hits[i] - average;
uint256 delta_scaled = delta * 100 / average;
require(delta_scaled <= 10, "Selectors Delta > 10%");
}
}

function invariant_selectors_weight() public view {}
Expand Down
Loading