more abi mutations

Author: grandizzy

crates/evm/evm/src/executors/corpus.rs

@@ -7,7 +7,7 @@ use foundry_config::FuzzCorpusConfig;
 use foundry_evm_fuzz::{
     BasicTxDetails,
     invariant::FuzzRunIdentifiedContracts,
-    strategies::{EvmFuzzState, fuzz_param_from_state},
+    strategies::{EvmFuzzState, mutate_param_value},
 };
 use proptest::{
     prelude::{Just, Rng, Strategy},
@@ -608,31 +608,33 @@ impl CorpusManager {
         test_runner: &mut TestRunner,
         fuzz_state: &EvmFuzzState,
     ) -> eyre::Result<()> {
-        let rng = test_runner.rng();
-        let mut arg_mutation_rounds = rng.random_range(0..=function.inputs.len()).max(1);
+        // let rng = test_runner.rng();
+        let mut arg_mutation_rounds =
+            test_runner.rng().random_range(0..=function.inputs.len()).max(1);
         let round_arg_idx: Vec<usize> = if function.inputs.len() <= 1 {
             vec![0]
         } else {
-            (0..arg_mutation_rounds).map(|_| rng.random_range(0..function.inputs.len())).collect()
+            (0..arg_mutation_rounds)
+                .map(|_| test_runner.rng().random_range(0..function.inputs.len()))
+                .collect()
         };
         let mut prev_inputs = function
             .abi_decode_input(&tx.call_details.calldata[4..])
             .map_err(|err| eyre!("failed to load previous inputs: {err}"))?;
 
-        // For now, only new inputs are generated, no existing inputs are
-        // mutated.
-        let mut gen_input = |input: &alloy_json_abi::Param| {
-            fuzz_param_from_state(&input.selector_type().parse().unwrap(), fuzz_state)
-                .new_tree(test_runner)
-                .expect("Could not generate case")
-                .current()
-        };
-
         while arg_mutation_rounds > 0 {
             let idx = round_arg_idx[arg_mutation_rounds - 1];
-            let input = &function.inputs.get(idx).expect("Could not get input to mutate");
-            let new_input = gen_input(input);
-            prev_inputs[idx] = new_input;
+            prev_inputs[idx] = mutate_param_value(
+                &function
+                    .inputs
+                    .get(idx)
+                    .expect("Could not get input to mutate")
+                    .selector_type()
+                    .parse()?,
+                prev_inputs[idx].clone(),
+                test_runner,
+                fuzz_state,
+            );
             arg_mutation_rounds -= 1;
         }
 

crates/evm/fuzz/src/strategies/mod.rs

@@ -5,7 +5,7 @@ mod uint;
 pub use uint::UintStrategy;
 
 mod param;
-pub use param::{fuzz_param, fuzz_param_from_state, fuzz_param_with_fixtures};
+pub use param::{fuzz_param, fuzz_param_from_state, fuzz_param_with_fixtures, mutate_param_value};
 
 mod calldata;
 pub use calldata::{fuzz_calldata, fuzz_calldata_from_state};

crates/evm/fuzz/src/strategies/param.rs

@@ -1,7 +1,7 @@
 use super::state::EvmFuzzState;
 use alloy_dyn_abi::{DynSolType, DynSolValue};
 use alloy_primitives::{Address, B256, I256, U256};
-use proptest::prelude::*;
+use proptest::{prelude::*, test_runner::TestRunner};
 use rand::{SeedableRng, rngs::StdRng};
 
 /// The max length of arrays we fuzz for is 256.
@@ -104,6 +104,65 @@ fn fuzz_param_inner(
     }
 }
 
+/// Mutates the current value of a given a parameter type and value.
+/// TODO: add more mutations, see https://github.com/fuzzland/ityfuzz/blob/master/src/mutation_utils.rs#L449-L452
+/// for static args,
+pub fn mutate_param_value(
+    param: &DynSolType,
+    value: DynSolValue,
+    test_runner: &mut TestRunner,
+    state: &EvmFuzzState,
+) -> DynSolValue {
+    let new_value = |param: &DynSolType, test_runner: &mut TestRunner| {
+        fuzz_param_from_state(param, state)
+            .new_tree(test_runner)
+            .expect("Could not generate case")
+            .current()
+    };
+
+    match value {
+        // flip boolean value
+        DynSolValue::Bool(val) => DynSolValue::Bool(!val),
+        // Uint: increment, decrement or generate new value from state.
+        DynSolValue::Uint(val, size) => match test_runner.rng().random_range(0..=2) {
+            0 => DynSolValue::Uint(val.saturating_add(U256::ONE), size),
+            1 => DynSolValue::Uint(val.saturating_sub(U256::ONE), size),
+            _ => new_value(param, test_runner),
+        },
+        // Int: increment, decrement or generate new value from state.
+        DynSolValue::Int(val, size) => match test_runner.rng().random_range(0..=2) {
+            0 => DynSolValue::Int(val.saturating_add(I256::ONE), size),
+            1 => DynSolValue::Int(val.saturating_sub(I256::ONE), size),
+            _ => new_value(param, test_runner),
+        },
+        DynSolValue::Array(mut values) => {
+            if values.is_empty() {
+                return new_value(param, test_runner);
+            }
+
+            let DynSolType::Array(param_type) = param else { return new_value(param, test_runner) };
+
+            match test_runner.rng().random_range(0..=2) {
+                // Decrease array size by removing a random element.
+                0 => {
+                    values.remove(test_runner.rng().random_range(0..values.len()));
+                }
+                // Increase array size.
+                1 => values.push(new_value(param_type, test_runner)),
+                // Mutate array element.
+                _ => {
+                    let id_to_mutate = test_runner.rng().random_range(0..values.len());
+                    let val = values.get(id_to_mutate).unwrap();
+                    let new_value = mutate_param_value(param_type, val.clone(), test_runner, state);
+                    values[id_to_mutate] = new_value;
+                }
+            };
+            DynSolValue::Array(values)
+        }
+        _ => new_value(param, test_runner),
+    }
+}
+
 /// Given a parameter type, returns a strategy for generating values for that type, given some EVM
 /// fuzz state.
 ///