feat(fuzz): ast-seeded dictionary

[0xrusowsky]

Motivation

closes #10233

Solution

1. leverage solar::sema::Compiler to collect all relevant AST literals found in the sources (excluding libs and scripts) and seed the FuzzerDictionary with them at initialization.
2. modify the strategies to source from a new pool of values (AST literals), when available
3. modify the string strategy to not always generate random strings, but also source from the string literals pool

TODO

• fix unit tests, as they expect different amount of runs to break --> however it is better to get feedback on the impl before fixing all tests, and having to fix them again later

Future improvements

• explore literal value folding as suggested in: feat(fuzz): ast-seeded dictionary #12015 (comment). Tracked on a separate issue: feat(fuzz): impl constant folding for typical expressions #12044
• use HIR rather than AST to figure out the type of the numeric literals, so that we can minimize dict size

PR Checklist

• Added Tests
• Added Documentation
• Breaking changes

[0xrusowsky]

arbitrary value, we could change it if you are opinionated.

[grandizzy]

IMO better to keep this simpler and just insert / reuse the existing fuzz dict samples - insert_sample_values which stores values by type and use them during fuzz runs instead having new strategy / weights and ast_values. We probably need to make the samples limit configurable and bump the default value

foundry/crates/evm/fuzz/src/strategies/state.rs

Lines 374 to 377 in 020d515

	/// Insert sample values that are reused across multiple runs.
	/// The number of samples is limited to invariant run depth.
	/// If collected samples limit is reached then values are inserted as regular values.
	pub fn insert_sample_values(

[0xalpharush]

Not blocking but I would recommend implementing constant folding to some degree i.e. evaluate 2 * 2 ether, evaluate bytes32 IMPLEMENTATION_SLOT = bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1);, evaluate uint(-2). Arguably, solar will need this and the code could live there

See crytic/echidna#636

[grandizzy]

Not blocking but I would recommend implementing constant folding to some degree i.e. evaluate 2 * 2 ether, perform the keccack hash of a string, evaluate uint(-2).

See crytic/echidna#636

thanks! One thing here - this means we should collect from tests too which we don't do in PR, is this correct?

[0xalpharush]

AFAIK neither Echidna or slither's printer filters tests out. I think not including forge-std makes sense.

Also, I am not sure how the push/pop/log dictionary is managed currently in Foundry, but I think Echidna will always keep the constant pool around and eject the dynamically collected values after running a full sequence. For example, a user's balance that is emitted in one run may help within the same sequence but probably unlikely to help in a totally unrelated sequence.

[grandizzy]

AFAIK neither Echidna or slither's printer filters tests out. I think not including forge-std makes sense.

👍 @0xrusowsky let's include too

Also, I am not sure how the push/pop/log dictionary is managed currently in Foundry, but I think Echidna will always keep the constant pool around and eject the dynamically collected values after running a full sequence. For example, a user's balance that is emitted in one run may help within the same sequence but probably unlikely to help in a totally unrelated sequence.

• The push / pop dictionary + db addresses / storage values are populated when test starts and used across all runs, without being evicted.
  These are defined as
  

  foundry/crates/evm/fuzz/src/strategies/state.rs

  Lines 129 to 134 in b823ae0

  	/// Number of state values initially collected from db.
  	/// Used to revert new collected values at the end of each run.
  	db_state_values: usize,
  	/// Number of address values initially collected from db.
  	/// Used to revert new collected addresses at the end of each run.
  	db_addresses: usize,

  
  and collected when dict is created
  

  foundry/crates/evm/fuzz/src/strategies/state.rs

  Lines 52 to 54 in b823ae0

  	// Create fuzz dictionary and insert values from db state.
  	let mut dictionary = FuzzDictionary::new(config);
  	dictionary.insert_db_values(accs);

• We also maintain a dict of so called sample values, dynamically collected from logs, return values & state changes of runs up to a limit (set rn to the test depth) - these are also reused across all runs
  

  foundry/crates/evm/fuzz/src/strategies/state.rs

  Lines 135 to 136 in b823ae0

  	/// Sample typed values that are collected from call result and used across invariant runs.
  	sample_values: HashMap<DynSolType, B256IndexSet>,

• Then there are the regular values dynamically collected from runs that are not shared between runs
  

  foundry/crates/evm/fuzz/src/strategies/state.rs

  Lines 123 to 124 in b823ae0

  	/// Collected state values.
  	state_values: B256IndexSet,

Please let us know if you see any redundant data / ways to improve the dict. Thank you!

[0xrusowsky]

^ note that AST literals are injected into sample_values

[0xrusowsky]

Not blocking but I would recommend implementing constant folding to some degree i.e. evaluate 2 * 2 ether, evaluate bytes32 IMPLEMENTATION_SLOT = bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1);, evaluate uint(-2). Arguably, solar will need this and the code could live there

See crytic/echidna#636

thanks for the advise! will be tackled next on a follow-up PR:

• feat(fuzz): impl constant folding for typical expressions #12044

[grandizzy]

thank you, looks good! left some comments / nits, pls check

[grandizzy]

IMO this should follow the sample rules, we already have logic / bias to select them

https://github.com/foundry-rs/foundry/pull/12015/files#diff-d37d278bbc4bfc5240900ba4963f1a0f562f98808670ca692658aed9e0fdf624R128-R130

maybe we could reuse same and return DynSolValues from ast analyzed String / bytes here?

[0xrusowsky]

wdym exactly?

bias is a randomly generated bool (50-50) but allocating 50% to ast seeded literals feels like a lot (before it was 0-100).

my idea was that by using Index we can allocate a smaller pct to AST string literals, but we are already using them (30% of the time)

[0xrusowsky]

moved to bool::weighted as suggested in #12015 (comment)

[grandizzy]

good catch, need to make some more tests to see how this affects overall perf

[DaniPopes]

you can use bool::weighted

[0xrusowsky]

9a05ffb (#12015)

[DaniPopes]

i'd prefer making it even lazier by cloning the compiler into the dictionary, and having OnceLock on the values. for tests you can call .set on the OnceLock and otherwise if let Some() = compiler { values.get_or_init(|| ) } else { None }

I guess it's a bit more complex because of the rwlock but you get the point, we want to initialize only when a value is requested

[0xrusowsky]

addressed in e7d3159 (#12015)

some impl notes:

• compiler is cloned into LiteralsDictionary, which has OnceLock<LiteralMaps> (as requested)
• because of the RwLock limitations, i kinda used a two-stage lazy init:
  1. AST traversal is deferred until first access via samples(), ast_strings(), or ast_bytes(), which trigger the oncelock
  2. merging literals into sample_values is deferred until first runtime sample insertion via seed_samples()
     • before merging: samples() returns AST literals directly (runtime samples are empty)
     • after merging: samples() returns from unified sample_values

the trade-off is some memory overhead from keeping LiteralsDictionary alive vs avoiding O(n) AST traversal unless fuzzer actually needs samples

[DaniPopes]

dont need to clear cache