fix(invariant): call override strategy panic (foundry-rs#7469)

grandizzy · web-flow · commit 9d2125b013cb · 2024-03-22T14:29:29.000+01:00
* fix(invariant): override call strat panic

* Add test
diff --git a/crates/evm/fuzz/src/strategies/invariants.rs b/crates/evm/fuzz/src/strategies/invariants.rs
@@ -25,7 +25,17 @@ pub fn override_call_strat(
     .prop_flat_map(move |target_address| {
         let fuzz_state = fuzz_state.clone();
         let calldata_fuzz_config = calldata_fuzz_config.clone();
-        let (_, abi, functions) = &contracts.lock()[&target_address];
+
+        let contracts = &contracts.lock();
+        let (_, abi, functions) = contracts.get(&target_address).unwrap_or({
+            // Choose a random contract if target selected by lazy strategy is not in fuzz run
+            // identified contracts. This can happen when contract is created in `setUp` call
+            // but is not included in targetContracts.
+            let rand_index = rand::thread_rng().gen_range(0..contracts.iter().len());
+            let (_, contract_specs) = contracts.iter().nth(rand_index).unwrap();
+            contract_specs
+        });
+
         let func = select_random_function(abi, functions);
         func.prop_flat_map(move |func| {
             fuzz_contract_with_calldata(&fuzz_state, &calldata_fuzz_config, target_address, func)
diff --git a/crates/forge/tests/it/invariant.rs b/crates/forge/tests/it/invariant.rs
@@ -153,6 +153,7 @@ async fn test_invariant() {
 async fn test_invariant_override() {
     let filter = Filter::new(".*", ".*", ".*fuzz/invariant/common/InvariantReentrancy.t.sol");
     let mut runner = TEST_DATA_DEFAULT.runner();
+    runner.test_options.invariant.fail_on_revert = false;
     runner.test_options.invariant.call_override = true;
     let results = runner.test_collect(&filter);
 
diff --git a/testdata/default/fuzz/invariant/common/InvariantReentrancy.t.sol b/testdata/default/fuzz/invariant/common/InvariantReentrancy.t.sol
@@ -5,7 +5,9 @@ import "ds-test/test.sol";
 
 contract Malicious {
     function world() public {
-        // Does not matter, since it will get overridden.
+        // add code so contract is accounted as valid sender
+        // see https://github.com/foundry-rs/foundry/issues/4245
+        payable(msg.sender).transfer(1);
     }
 }
 
@@ -39,6 +41,14 @@ contract InvariantReentrancy is DSTest {
         vuln = new Vulnerable(address(mal));
     }
 
+    // do not include `mal` in identified contracts
+    // see https://github.com/foundry-rs/foundry/issues/4245
+    function targetContracts() public view returns (address[] memory) {
+        address[] memory targets = new address[](1);
+        targets[0] = address(vuln);
+        return targets;
+    }
+
     function invariantNotStolen() public {
         require(vuln.stolen() == false, "stolen");
     }

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,9 @@ import "ds-test/test.sol";`
`5`	`5`
`6`	`6`	`contract Malicious {`
`7`	`7`	`function world() public {`
`8`		`- // Does not matter, since it will get overridden.`
	`8`	`+ // add code so contract is accounted as valid sender`
	`9`	`+ // see https://github.com/foundry-rs/foundry/issues/4245`
	`10`	`+ payable(msg.sender).transfer(1);`
`9`	`11`	`}`
`10`	`12`	`}`
`11`	`13`
`@@ -39,6 +41,14 @@ contract InvariantReentrancy is DSTest {`
`39`	`41`	`vuln = new Vulnerable(address(mal));`
`40`	`42`	`}`
`41`	`43`
	`44`	+ // do not include `mal` in identified contracts
	`45`	`+ // see https://github.com/foundry-rs/foundry/issues/4245`
	`46`	`+ function targetContracts() public view returns (address[] memory) {`
	`47`	`+ address[] memory targets = new address[](1);`
	`48`	`+ targets[0] = address(vuln);`
	`49`	`+ return targets;`
	`50`	`+ }`
	`51`	`+`
`42`	`52`	`function invariantNotStolen() public {`
`43`	`53`	`require(vuln.stolen() == false, "stolen");`
`44`	`54`	`}`