Persist and replay fuzz failure

Author: grandizzy

crates/evm/evm/src/executors/fuzz/mod.rs

@@ -79,10 +79,12 @@ impl FuzzedExecutor {
     /// If `should_fail` is set to `true`, then it will stop only when there's a success
     /// test case.
     ///
-    /// Returns a list of all the consumed gas and calldata of every fuzz case
+    /// Returns a list of all the consumed gas and calldata of every fuzz case.
+    #[warn(clippy::too_many_arguments)]
     pub fn fuzz(
         &mut self,
         func: &Function,
+        persisted_input: &mut Option<BaseCounterExample>,
         fuzz_fixtures: &FuzzFixtures,
         deployed_libs: &[Address],
         address: Address,
@@ -116,57 +118,64 @@ impl FuzzedExecutor {
         let mut runs = 0;
         let mut rejects = 0;
         let mut run_failure = None;
+
         'stop: while continue_campaign(runs) {
-            let Ok(strategy) = strategy.new_tree(&mut self.runner) else {
-                run_failure = Some(TestCaseError::fail("no input generated to call fuzzed target"));
-                break 'stop;
-            };
+            // If we have a persisted counterexample, then replay it first and do not increment run.
+            let input = if let Some(persisted) = persisted_input.take() {
+                persisted.calldata
+            } else {
+                // If running with progress, then increment current run.
+                if let Some(progress) = progress {
+                    progress.inc(1);
+                };
 
-            // If running with progress then increment current run.
-            if let Some(progress) = progress {
-                progress.inc(1);
-            };
+                runs += 1;
 
-            match self.single_fuzz(address, strategy.current()) {
-                Ok(fuzz_outcome) => {
-                    match fuzz_outcome {
-                        FuzzOutcome::Case(case) => {
-                            let mut data = execution_data.borrow_mut();
-                            data.gas_by_case.push((case.case.gas, case.case.stipend));
+                let Ok(strategy) = strategy.new_tree(&mut self.runner) else {
+                    run_failure =
+                        Some(TestCaseError::fail("no input generated to call fuzzed target"));
+                    break 'stop;
+                };
+                strategy.current()
+            };
 
-                            if data.first_case.is_none() {
-                                data.first_case.replace(case.case);
-                            }
+            match self.single_fuzz(address, input) {
+                Ok(fuzz_outcome) => match fuzz_outcome {
+                    FuzzOutcome::Case(case) => {
+                        let mut data = execution_data.borrow_mut();
+                        data.gas_by_case.push((case.case.gas, case.case.stipend));
 
-                            if let Some(call_traces) = case.traces {
-                                if data.traces.len() == max_traces_to_collect {
-                                    data.traces.pop();
-                                }
-                                data.traces.push(call_traces);
-                                data.breakpoints.replace(case.breakpoints);
-                            }
+                        if data.first_case.is_none() {
+                            data.first_case.replace(case.case);
+                        }
 
-                            if show_logs {
-                                data.logs.extend(case.logs);
+                        if let Some(call_traces) = case.traces {
+                            if data.traces.len() == max_traces_to_collect {
+                                data.traces.pop();
                             }
-
-                            HitMaps::merge_opt(&mut data.coverage, case.coverage);
-                            data.deprecated_cheatcodes = case.deprecated_cheatcodes;
+                            data.traces.push(call_traces);
+                            data.breakpoints.replace(case.breakpoints);
                         }
-                        FuzzOutcome::CounterExample(CounterExampleOutcome {
-                            exit_reason: status,
-                            counterexample: outcome,
-                            ..
-                        }) => {
-                            let reason = rd.maybe_decode(&outcome.1.result, status);
-                            execution_data.borrow_mut().logs.extend(outcome.1.logs.clone());
-                            execution_data.borrow_mut().counterexample = outcome;
-                            // HACK: we have to use an empty string here to denote `None`.
-                            run_failure = Some(TestCaseError::fail(reason.unwrap_or_default()));
-                            break 'stop;
+
+                        if show_logs {
+                            data.logs.extend(case.logs);
                         }
+
+                        HitMaps::merge_opt(&mut data.coverage, case.coverage);
+                        data.deprecated_cheatcodes = case.deprecated_cheatcodes;
                     }
-                }
+                    FuzzOutcome::CounterExample(CounterExampleOutcome {
+                        exit_reason: status,
+                        counterexample: outcome,
+                        ..
+                    }) => {
+                        let reason = rd.maybe_decode(&outcome.1.result, status);
+                        execution_data.borrow_mut().logs.extend(outcome.1.logs.clone());
+                        execution_data.borrow_mut().counterexample = outcome;
+                        run_failure = Some(TestCaseError::fail(reason.unwrap_or_default()));
+                        break 'stop;
+                    }
+                },
                 Err(err) => {
                     match err {
                         TestCaseError::Fail(_) => {
@@ -188,8 +197,6 @@ impl FuzzedExecutor {
                     }
                 }
             }
-
-            runs += 1;
         }
 
         let fuzz_result = execution_data.into_inner();

crates/forge/src/runner.rs

@@ -13,7 +13,7 @@ use alloy_primitives::{Address, Bytes, U256, address, map::HashMap};
 use eyre::Result;
 use foundry_common::{TestFunctionExt, TestFunctionKind, contracts::ContractsByAddress};
 use foundry_compilers::utils::canonicalized;
-use foundry_config::{Config, InvariantConfig};
+use foundry_config::Config;
 use foundry_evm::{
     constants::CALLER,
     decode::RevertDecoder,
@@ -31,9 +31,7 @@ use foundry_evm::{
     traces::{TraceKind, TraceMode, load_contracts},
 };
 use itertools::Itertools;
-use proptest::test_runner::{
-    FailurePersistence, FileFailurePersistence, RngAlgorithm, TestError, TestRng, TestRunner,
-};
+use proptest::test_runner::{RngAlgorithm, TestError, TestRng, TestRunner};
 use rayon::prelude::*;
 use serde::{Deserialize, Serialize};
 use std::{
@@ -726,8 +724,8 @@ impl<'a> FunctionRunner<'a> {
             abi: &self.cr.contract.abi,
         };
 
-        let (failure_dir, failure_file) = invariant_failure_paths(
-            invariant_config,
+        let (failure_dir, failure_file) = test_failure_paths(
+            invariant_config.failure_persist_dir.clone().unwrap(),
             self.cr.name,
             &invariant_contract.invariant_function.name,
         );
@@ -929,17 +927,40 @@ impl<'a> FunctionRunner<'a> {
             fuzz_config.runs,
         );
 
+        let (failure_dir, failure_file) = test_failure_paths(
+            fuzz_config.failure_persist_dir.clone().unwrap(),
+            self.cr.name,
+            &func.name,
+        );
+
+        // Load persisted counterexample, if any.
+        let mut failed_input =
+            foundry_common::fs::read_json_file::<BaseCounterExample>(failure_file.as_path()).ok();
+
         // Run fuzz test.
         let mut fuzzed_executor =
             FuzzedExecutor::new(self.executor.into_owned(), runner, self.tcfg.sender, fuzz_config);
         let result = fuzzed_executor.fuzz(
             func,
+            &mut failed_input,
             &self.setup.fuzz_fixtures,
             &self.setup.deployed_libs,
             self.address,
             &self.cr.mcr.revert_decoder,
             progress.as_ref(),
         );
+
+        // Record counterexample.
+        if let Some(CounterExample::Single(counterexample)) = &result.counterexample {
+            if let Err(err) = foundry_common::fs::create_dir_all(failure_dir) {
+                error!(%err, "Failed to create fuzz failure dir");
+            } else if let Err(err) =
+                foundry_common::fs::write_json_file(failure_file.as_path(), counterexample)
+            {
+                error!(%err, "Failed to record call sequence");
+            }
+        }
+
         self.result.fuzz_result(result);
         self.result
     }
@@ -995,40 +1016,21 @@ impl<'a> FunctionRunner<'a> {
 
     fn fuzz_runner(&self) -> TestRunner {
         let config = &self.config.fuzz;
-        let failure_persist_path = config
-            .failure_persist_dir
-            .as_ref()
-            .unwrap()
-            .join(config.failure_persist_file.as_ref().unwrap())
-            .into_os_string()
-            .into_string()
-            .unwrap();
-        fuzzer_with_cases(
-            config.seed,
-            config.runs,
-            config.max_test_rejects,
-            Some(Box::new(FileFailurePersistence::Direct(failure_persist_path.leak()))),
-        )
+        fuzzer_with_cases(config.seed, config.runs, config.max_test_rejects)
     }
 
     fn invariant_runner(&self) -> TestRunner {
         let config = &self.config.invariant;
-        fuzzer_with_cases(self.config.fuzz.seed, config.runs, config.max_assume_rejects, None)
+        fuzzer_with_cases(self.config.fuzz.seed, config.runs, config.max_assume_rejects)
     }
 
     fn clone_executor(&self) -> Executor {
         self.executor.clone().into_owned()
     }
 }
 
-fn fuzzer_with_cases(
-    seed: Option<U256>,
-    cases: u32,
-    max_global_rejects: u32,
-    file_failure_persistence: Option<Box<dyn FailurePersistence>>,
-) -> TestRunner {
+fn fuzzer_with_cases(seed: Option<U256>, cases: u32, max_global_rejects: u32) -> TestRunner {
     let config = proptest::test_runner::Config {
-        failure_persistence: file_failure_persistence,
         cases,
         max_global_rejects,
         // Disable proptest shrink: for fuzz tests we provide single counterexample,
@@ -1077,18 +1079,13 @@ fn persisted_call_sequence(path: &Path, bytecode: &Bytes) -> Option<Vec<BaseCoun
     )
 }
 
-/// Helper functions to return canonicalized invariant failure paths.
-fn invariant_failure_paths(
-    config: &InvariantConfig,
+/// Helper functions to return canonicalized test failure paths.
+fn test_failure_paths(
+    persist_dir: PathBuf,
     contract_name: &str,
     invariant_name: &str,
 ) -> (PathBuf, PathBuf) {
-    let dir = config
-        .failure_persist_dir
-        .clone()
-        .unwrap()
-        .join("failures")
-        .join(contract_name.split(':').next_back().unwrap());
+    let dir = persist_dir.join("failures").join(contract_name.split(':').next_back().unwrap());
     let dir = canonicalized(dir);
     let file = canonicalized(dir.join(invariant_name));
     (dir, file)