Skip to content

perf(forge): parallelize stateless fuzzing #12713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DaniPopes wants to merge 90 commits into
base: master
Choose a base branch
from
Open

perf(forge): parallelize stateless fuzzing #12713

DaniPopes wants to merge 90 commits into from
+1,257 −467

Conversation

@DaniPopes
Copy link
Member

@DaniPopes DaniPopes commented Dec 2, 2025

Closes #8898.

Continuation of #11769 + #11842. See these PRs for more details.

@yash-atreya
feat(evm): SharedCorpus for multiple worker threads
0f2c0ae
@yash-atreya
use SharedCorpus + CorpusWorker in InvariantExecutor
c7d9e60
@yash-atreya
remove CorpusManager
0aceb16
@yash-atreya
feat: Master-Worker corpus basic setup
41944cd
@yash-atreya
worker_dir + last_sync_timestamp fields. Write corpus to worker/corpus
2bb34c4
@yash-atreya
feat: export worker corpus to master and import from sync dir
089f30b
@yash-atreya
fix: deser as tx_seq in import
5cdff64
@yash-atreya
feat: calibrate - update the in_memory_corpus + history_map for entri…
488d09d 
…es that provided in new coverage
@yash-atreya
docs
cdfb4fc
@yash-atreya
feat: distribute corpus from master to workers
d4200e4
@yash-atreya
sync
e9d8d3c
@yash-atreya
cleanup: remove MasterCorpus
312225b
@yash-atreya
integrate WorkerCorpus in existing sequential impls of fuzz and invar…
8a477d3 
…iants
@yash-atreya
cleanup: remove SharedCorpus and CorpusWorker
5ddc908
@yash-atreya
feat(types): SharedFuzzState and FuzzWorker
35f46b0
@yash-atreya
basic run_worker in FuzzExecutor
431cc06
@yash-atreya
rename found_counterexample to found_failure in SharedFuzzState and s…
e4c6060 
…tore the workers id that found the failure
@yash-atreya
feat: track total_rejects in SharedFuzzState
40263fd
@yash-atreya
shared_state.increment_runs + only worker0 replays persisted failure …
d1990ec 
…and corpus
@yash-atreya
feat: basic staggered corpus sync in run_worker
ed234d8
@yash-atreya
feat: parallelize fuzz runs + aggregate results
67c96a7
@yash-atreya
fix: derive seeds per worker
0cdccd9
@yash-atreya
fix: only increment runs for success cases + try_increment_runs atomi…
f7310d0 
…cally to prevent going over max_runs
@yash-atreya
fix: run only 1 worker if replaying persisted failure
e5b00bc
@yash-atreya
fix: timed campaigns - introduce per worker timer
1d6363b
@yash-atreya
fix: flaky try_increment_runs
dde52cc
@yash-atreya
fix: expect_emit_test_should_fail - identify events only using cache …
63ca2bf 
…when not in tokio
@yash-atreya
fix: expect_emit_tests_should_fail
1aa39ed
@yash-atreya
fix: timer should be global to fit as many runs as possible
349b5ee
@yash-atreya
fix: worker_runs = config.runs/ num_workers
33a294c
@DaniPopes DaniPopes added Cmd-forge-test Command: forge test T-perf Type: performance labels Dec 10, 2025
0xalpharush
0xalpharush reviewed Dec 10, 2025
View reviewed changes
crates/evm/evm/src/executors/corpus.rs

let corpus_entry = CorpusEntry::new_existing(tx_seq.to_vec(), entry.path.clone())?;
self.in_memory_corpus.push(corpus_entry);
}
Copy link
Contributor

@0xalpharush 0xalpharush Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this rm corpus files that didn't bring new coverage?

Copy link
Member Author

@DaniPopes DaniPopes Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

0xalpharush
0xalpharush reviewed Dec 10, 2025
View reviewed changes
crates/evm/evm/src/executors/corpus.rs
/// Syncs and calibrates the in memory corpus and updates the history_map if new coverage is
/// found from the corpus findings of other workers.
#[instrument(skip_all)]
fn calibrate(
Copy link
Contributor

@0xalpharush 0xalpharush Dec 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From #11769 (comment)

AFL ++ stores a bit map of the history_map (1-byte hitcount -> bool indicating hit) for each input and then uses this bit map to make sure it doesn't eject an entry that is unique (this would mean updating is_favored to mean it contributes a unique bit to the bitmap).

I think here we need to add a minimize step that finds the smallest set of inputs that cover the intersection of all the edges. Really, a worker should replace the in-memory corpus element if we find a smaller sequence or it finds one sequence that is the super set of N sequences. This would apply to both while fuzzing (prior to exporting to master) and also while syncing (master has a smaller seq.)

grandizzy
grandizzy reviewed Dec 11, 2025
View reviewed changes
Copy link
Collaborator

@grandizzy grandizzy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you, left some initial thoughts, still going through / test

crates/evm/evm/src/executors/fuzz/mod.rs Outdated
};
/// Determines the number of workers to run.
fn num_workers(&self) -> usize {
rayon::current_num_threads()
Copy link
Collaborator

@grandizzy grandizzy Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we make this a config so we could set number of workers per test? and maybe default to 1 to preserve current behavior?

Copy link
Member Author

@DaniPopes DaniPopes Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like threads to be a configurable value other than CLI -jX. this is an implementation detail and any weird behavior should be tackled in the implementation not with a config that disables it

Copy link
Member Author

@DaniPopes DaniPopes Dec 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for example adding a minimum runs per worker f90ee86

crates/evm/evm/src/executors/corpus.rs
//!
//! ## Workflow
//!
//! - Each worker maintains its own local corpus with entries stored as JSON files
Copy link
Collaborator

@grandizzy grandizzy Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you see any issue if we implement the workers sync mechanism with an in-memory database / notify channel instead files and dump on disk only the interesting corpus like we do now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@grandizzy grandizzy grandizzy left review comments

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

@zerosnacks zerosnacks Awaiting requested review from zerosnacks zerosnacks is a code owner

@onbjerg onbjerg Awaiting requested review from onbjerg onbjerg is a code owner

@0xrusowsky 0xrusowsky Awaiting requested review from 0xrusowsky 0xrusowsky is a code owner

+1 more reviewer

@0xalpharush 0xalpharush 0xalpharush left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@DaniPopes DaniPopes

Labels

Cmd-forge-test Command: forge test T-perf Type: performance

Projects

Foundry
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

forge test doesn't utilize all available threads for fuzzing/invariants

5 participants

@DaniPopes @grandizzy @0xalpharush @yash-atreya