feat(invariant): fuzz with values from events and return values

crates/evm/evm/src/executors/invariant/error.rs

@@ -173,7 +173,7 @@ impl FailedInvariantCaseData {
  set_up_inner_replay(&mut executor, &self.inner_sequence);
 
  // Replay each call from the sequence until we break the invariant.
- for (sender, (addr, bytes)) in calls.iter() {
+ for (sender, (addr, bytes, _, _)) in calls.iter() {
  let call_result =
  executor.call_raw_committing(*sender, *addr, bytes.clone(), U256::ZERO)?;
 
@@ -241,7 +241,7 @@ impl FailedInvariantCaseData {
  }
 
  for (seq_idx, call_index) in new_sequence.iter().enumerate() {
- let (sender, (addr, bytes)) = &calls[*call_index];
+ let (sender, (addr, bytes, _, _)) = &calls[*call_index];
 
  executor.call_raw_committing(*sender, *addr, bytes.clone(), U256::ZERO)?;
 

crates/evm/evm/src/executors/invariant/funcs.rs

@@ -85,7 +85,7 @@ pub fn replay_run(
  // set_up_inner_replay(&mut executor, &inputs);
 
  // Replay each call from the sequence until we break the invariant.
- for (sender, (addr, bytes)) in inputs.iter() {
+ for (sender, (addr, bytes, _, _)) in inputs.iter() {
  let call_result =
  executor.call_raw_committing(*sender, *addr, bytes.clone(), U256::ZERO)?;
 

crates/evm/evm/src/executors/invariant/mod.rs

@@ -2,6 +2,7 @@ use crate::{
  executors::{Executor, RawCallResult},
  inspectors::Fuzzer,
 };
+use alloy_json_abi::{Function, JsonAbi};
 use alloy_primitives::{Address, FixedBytes, U256};
 use alloy_sol_types::{sol, SolCall};
 use eyre::{eyre, ContextCompat, Result};
@@ -220,7 +221,8 @@ impl<'a> InvariantExecutor<'a> {
  let mut assume_rejects_counter = 0;
 
  while current_run < self.config.depth {
- let (sender, (address, calldata)) = inputs.last().expect("no input generated");
+ let (sender, (address, calldata, func, abi)) =
+ inputs.last().expect("no input generated");
 
  // Executes the call from the randomly generated sequence.
  let call_result = if self.config.preserve_state {
@@ -247,7 +249,17 @@ impl<'a> InvariantExecutor<'a> {
  let mut state_changeset =
  call_result.state_changeset.to_owned().expect("no changesets");
 
- collect_data(&mut state_changeset, sender, &call_result, &fuzz_state);
+ if !&call_result.reverted {
+ collect_data(
+ &mut state_changeset,
+ sender,
+ func,
+ abi,
+ &call_result,
+ &fuzz_state,
+ self.config.depth,
+ );
+ }
 
  // Collect created contracts and add to fuzz targets only if targeted contracts
  // are updatable.
@@ -666,8 +678,11 @@ impl<'a> InvariantExecutor<'a> {
 fn collect_data(
  state_changeset: &mut HashMap<Address, revm::primitives::Account>,
  sender: &Address,
+ function: &Option<Function>,
+ abi: &JsonAbi,
  call_result: &RawCallResult,
  fuzz_state: &EvmFuzzState,
+ run_depth: u32,
 ) {
  // Verify it has no code.
  let mut has_code = false;
@@ -682,7 +697,14 @@ fn collect_data(
  sender_changeset = state_changeset.remove(sender);
  }
 
- fuzz_state.collect_state_from_call(&call_result.logs, &*state_changeset);
+ fuzz_state.collect_state_from_call(
+ function,
+ abi,
+ &call_result.result,
+ &call_result.logs,
+ &*state_changeset,
+ run_depth,
+ );
 
  // Re-add changes
  if let Some(changed) = sender_changeset {

crates/evm/fuzz/src/inspector.rs

@@ -82,7 +82,7 @@ impl Fuzzer {
  !call_generator.used
  {
  // There's only a 30% chance that an override happens.
- if let Some((sender, (contract, input))) =
+ if let Some((sender, (contract, input, _, _))) =
  call_generator.next(call.context.caller, call.contract)
  {
  *call.input = input.0;

crates/evm/fuzz/src/invariant/call_override.rs

@@ -1,4 +1,5 @@
-use super::BasicTxDetails;
+use super::{BasicTxDetails, CallDetails};
+use alloy_json_abi::{Function, JsonAbi};
 use alloy_primitives::{Address, Bytes};
 use parking_lot::{Mutex, RwLock};
 use proptest::{
@@ -17,7 +18,7 @@ pub struct RandomCallGenerator {
  /// Runner that will generate the call from the strategy.
  pub runner: Arc<Mutex<TestRunner>>,
  /// Strategy to be used to generate calls from `target_reference`.
- pub strategy: SBoxedStrategy<Option<(Address, Bytes)>>,
+ pub strategy: SBoxedStrategy<Option<CallDetails>>,
  /// Reference to which contract we want a fuzzed calldata from.
  pub target_reference: Arc<RwLock<Address>>,
  /// Flag to know if a call has been overridden. Don't allow nesting for now.
@@ -33,7 +34,7 @@ impl RandomCallGenerator {
  pub fn new(
  test_address: Address,
  runner: TestRunner,
- strategy: SBoxedStrategy<(Address, Bytes)>,
+ strategy: SBoxedStrategy<(Address, Bytes, Option<Function>, JsonAbi)>,
  target_reference: Arc<RwLock<Address>>,
  ) -> Self {
  let strategy = weighted(0.9, strategy).sboxed();
@@ -77,12 +78,9 @@ impl RandomCallGenerator {
  *self.target_reference.write() = original_caller;
 
  // `original_caller` has a 80% chance of being the `new_target`.
- let choice = self
- .strategy
- .new_tree(&mut self.runner.lock())
- .unwrap()
- .current()
- .map(|(new_target, calldata)| (new_caller, (new_target, calldata)));
+ let choice = self.strategy.new_tree(&mut self.runner.lock()).unwrap().current().map(
+ |(new_target, calldata, func, abi)| (new_caller, (new_target, calldata, func, abi)),
+ );
 
  self.last_sequence.write().push(choice.clone());
  choice

crates/evm/fuzz/src/invariant/mod.rs

@@ -28,8 +28,14 @@ impl FuzzRunIdentifiedContracts {
  }
 }
 
-/// (Sender, (TargetContract, Calldata))
-pub type BasicTxDetails = (Address, (Address, Bytes));
+/// (Sender, CallDetails)
+/// TODO: replace type with struct
+pub type BasicTxDetails = (Address, CallDetails);
+
+/// (TargetContractAddress, Calldata, Function, TargetContractAbi)
+/// Function and contract abi are used for collecting sample values from result and logs.
+/// Function is set for calls that returns values.
+pub type CallDetails = (Address, Bytes, Option<Function>, JsonAbi);
 
 /// Test contract which is testing its invariants.
 #[derive(Clone, Debug)]

crates/evm/fuzz/src/strategies/invariants.rs

@@ -15,7 +15,7 @@ pub fn override_call_strat(
  contracts: FuzzRunIdentifiedContracts,
  target: Arc<RwLock<Address>>,
  calldata_fuzz_config: CalldataFuzzDictionary,
-) -> SBoxedStrategy<(Address, Bytes)> {
+) -> SBoxedStrategy<(Address, Bytes, Option<Function>, JsonAbi)> {
  let contracts_ref = contracts.targets.clone();
  proptest::prop_oneof![
  80 => proptest::strategy::LazyJust::new(move || *target.read()),
@@ -26,7 +26,7 @@ pub fn override_call_strat(
  let fuzz_state = fuzz_state.clone();
  let calldata_fuzz_config = calldata_fuzz_config.clone();
 
- let func = {
+ let (func, abi) = {
  let contracts = contracts.targets.lock();
  let (_, abi, functions) = contracts.get(&target_address).unwrap_or_else(|| {
  // Choose a random contract if target selected by lazy strategy is not in fuzz run
@@ -36,11 +36,17 @@ pub fn override_call_strat(
  let (_, contract_specs) = contracts.iter().nth(rand_index).unwrap();
  contract_specs
  });
- select_random_function(abi, functions)
+ (select_random_function(abi, functions), abi.clone())
  };
 
  func.prop_flat_map(move |func| {
- fuzz_contract_with_calldata(&fuzz_state, &calldata_fuzz_config, target_address, func)
+ fuzz_contract_with_calldata(
+ &fuzz_state,
+ &calldata_fuzz_config,
+ target_address,
+ func,
+ abi.clone(),
+ )
  })
  })
  .sboxed()
@@ -80,23 +86,28 @@ fn generate_call(
  let senders = Rc::new(senders);
  any::<prop::sample::Selector>()
  .prop_flat_map(move |selector| {
- let (contract, func) = {
+ let (contract, func, abi) = {
  let contracts = contracts.targets.lock();
  let contracts =
  contracts.iter().filter(|(_, (_, abi, _))| !abi.functions.is_empty());
  let (&contract, (_, abi, functions)) = selector.select(contracts);
 
  let func = select_random_function(abi, functions);
- (contract, func)
+ (contract, func, abi.clone())
  };
 
  let senders = senders.clone();
  let fuzz_state = fuzz_state.clone();
  let calldata_fuzz_config = calldata_fuzz_config.clone();
  func.prop_flat_map(move |func| {
  let sender = select_random_sender(&fuzz_state, senders.clone(), dictionary_weight);
- let contract =
- fuzz_contract_with_calldata(&fuzz_state, &calldata_fuzz_config, contract, func);
+ let contract = fuzz_contract_with_calldata(
+ &fuzz_state,
+ &calldata_fuzz_config,
+ contract,
+ func,
+ abi.clone(),
+ );
  (sender, contract)
  })
  })
@@ -167,17 +178,23 @@ pub fn fuzz_contract_with_calldata(
  calldata_fuzz_config: &CalldataFuzzDictionary,
  contract: Address,
  func: Function,
-) -> impl Strategy<Value = (Address, Bytes)> {
+ contract_abi: JsonAbi,
+) -> impl Strategy<Value = (Address, Bytes, Option<Function>, JsonAbi)> {
  // We need to compose all the strategies generated for each parameter in all possible
  // combinations.
  // `prop_oneof!` / `TupleUnion` `Arc`s for cheap cloning.
  #[allow(clippy::arc_with_non_send_sync)]
  prop_oneof![
  60 => fuzz_calldata_with_config(func.clone(), Some(calldata_fuzz_config)),
- 40 => fuzz_calldata_from_state(func, fuzz_state),
+ 40 => fuzz_calldata_from_state(func.clone(), fuzz_state),
  ]
  .prop_map(move |calldata| {
  trace!(input=?calldata);
- (contract, calldata)
+ if !func.outputs.is_empty() {
+ // If function has outputs then return it for decoding result.
+ (contract, calldata, Some(func.clone()), contract_abi.clone())
+ } else {
+ (contract, calldata, None, contract_abi.clone())
+ }
  })
 }

crates/evm/fuzz/src/strategies/param.rs

@@ -87,10 +87,21 @@ pub fn fuzz_param_from_state(
  // Value strategy that uses the state.
  let value = || {
  let state = state.clone();
+ let param = param.clone();
  // Use `Index` instead of `Selector` to not iterate over the entire dictionary.
  any::<prop::sample::Index>().prop_map(move |index| {
  let state = state.dictionary_read();
- let values = state.values();
+ let bias = rand::thread_rng().gen_range(0..100);
+ let values = match bias {
+ x if x < 50 => {
+ if let Some(sample_values) = state.samples(param.clone()) {
+ sample_values
+ } else {
+ state.values()
+ }
+ }
+ _ => state.values(),
+ };
  let index = index.index(values.len());
  *values.iter().nth(index).unwrap()
  })