Barretenberg: src/barretenberg/avm_fuzzer/fuzzer_lib.hpp Source File

#pragma once


#include <cstdint>

#include <random>

#include <tuple>

#include <vector>


#include "barretenberg/avm_fuzzer/common/interfaces/dbs.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_context.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_data.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/simulator.hpp"

#include "barretenberg/serialize/msgpack_impl.hpp"

#include "barretenberg/vm2/common/avm_io.hpp"

#include "barretenberg/vm2/common/aztec_types.hpp"


// A transaction with multiple enqueued calls and tx-level parameters

// Almost identical to the fast simulation input


struct FuzzerTxData {

    // Enqueued calls data

    std::vector<FuzzerData> input_programs;

    // These are the contract classes and instances that will be registered to addresses in the WS

    // The contract addresses may contain duplicates if multiple contracts derive to the same address

    std::vector<ContractClass> contract_classes;

    std::vector<ContractInstance> contract_instances;

    std::vector<AztecAddress> contract_addresses;


    Tx tx; // This tx has placeholders for enqueued calls, they will be filled in during fuzzing

    GlobalVariables global_variables;

    ProtocolContracts protocol_contracts;


    MSGPACK_FIELDS(input_programs,

                   contract_classes,

                   contract_instances,

                   contract_addresses,

                   tx,

                   global_variables,

                   protocol_contracts);

};


inline std::ostream& operator<<(std::ostream& os, const FuzzerTxData& data)

{

    os << "FuzzerTxData { "

       << "\n  tx: " << data.tx << ","

       << "\n  global_variables: " << data.global_variables << ","

       << "\n  protocol_contracts: " << data.protocol_contracts << "\n}";

    return os;

}


using Bytecode = std::vector<uint8_t>;

using ContractArtifacts = std::tuple<Bytecode, ContractClass, ContractInstance>;

using FuzzerContext = bb::avm2::fuzzer::FuzzerContext;


// Mutation configuration


enum class TxDataMutationType : uint8_t {

    TxMutation,

    // todo: implement other mutation types

    // BytecodeMutation,

    // ContractClassMutation,

    // ContractInstanceMutation,

    // GlobalVariablesMutation,

    // ProtocolContractsMutation

};


// Build bytecode and contract artifacts from fuzzer data

ContractArtifacts build_bytecode_and_artifacts(FuzzerData& fuzzer_data);


// Create a default FuzzerTxData with sensible defaults

FuzzerTxData create_default_tx_data(std::mt19937_64& rng, const FuzzerContext& context);

FuzzerTxData create_default_tx_data(const FuzzerContext& context);


// Setup fuzzer state: register contracts and addresses in the world state

void setup_fuzzer_state(bb::avm2::fuzzer::FuzzerWorldStateManager& ws_mgr,

                        bb::avm2::fuzzer::FuzzerContractDB& contract_db,

                        const FuzzerTxData& tx_data);


// Fund the fee payer with enough balance for the transaction

void fund_fee_payer(bb::avm2::fuzzer::FuzzerWorldStateManager& ws_mgr, const Tx& tx);


// Run the differential fuzzer comparing CPP vs JS simulator

SimulatorResult fuzz_tx(bb::avm2::fuzzer::FuzzerWorldStateManager& ws_mgr,

                        bb::avm2::fuzzer::FuzzerContractDB& contract_db,

                        FuzzerTxData& tx_data);


// Run the prover fuzzer: fast simulation, hint collection, comparison, and check_circuit

// Returns 0 on success, -1 if the input should be rejected

int fuzz_prover(bb::avm2::fuzzer::FuzzerWorldStateManager& ws_mgr,

                bb::avm2::fuzzer::FuzzerContractDB& contract_db,

                FuzzerTxData& tx_data);


// Common custom mutator logic shared between fuzzers

// Returns the new size of the mutated data, or 0 if mutation failed

size_t mutate_tx_data(FuzzerContext& context,

                      uint8_t* serialized_fuzzer_data,

                      size_t serialized_fuzzer_data_size,

                      size_t max_size,

                      unsigned int seed);


bool compare_cpp_simulator_results(const std::vector<TxSimulationResult>& results);

avm_io.hpp

aztec_types.hpp

contract_db
StrictMock< MockContractDB > contract_db
Definition bytecode_manager.test.cpp:48

bb::avm2::context
Definition context.hpp:37

bb::avm2::fuzzer::FuzzerContext
Definition fuzzer_context.hpp:15

bb::avm2::fuzzer::FuzzerContractDB
Definition dbs.hpp:13

bb::avm2::fuzzer::FuzzerWorldStateManager
Definition dbs.hpp:64

bb::avm2::tx
Definition tx.hpp:36

data
const std::vector< MemoryValue > data
Definition data_copy.test.cpp:70

dbs.hpp

ws_mgr
FuzzerWorldStateManager * ws_mgr
Definition fuzz.test.cpp:16

fuzzer_data.hpp

fuzzer_context.hpp

setup_fuzzer_state
void setup_fuzzer_state(bb::avm2::fuzzer::FuzzerWorldStateManager &ws_mgr, bb::avm2::fuzzer::FuzzerContractDB &contract_db, const FuzzerTxData &tx_data)
Definition fuzzer_lib.cpp:27

fund_fee_payer
void fund_fee_payer(bb::avm2::fuzzer::FuzzerWorldStateManager &ws_mgr, const Tx &tx)
Definition fuzzer_lib.cpp:48

create_default_tx_data
FuzzerTxData create_default_tx_data(std::mt19937_64 &rng, const FuzzerContext &context)
Definition fuzzer_lib.cpp:188

fuzz_tx
SimulatorResult fuzz_tx(bb::avm2::fuzzer::FuzzerWorldStateManager &ws_mgr, bb::avm2::fuzzer::FuzzerContractDB &contract_db, FuzzerTxData &tx_data)
Fuzz CPP vs JS simulator with a full transaction containing multiple enqueued calls.
Definition fuzzer_lib.cpp:62

build_bytecode_and_artifacts
ContractArtifacts build_bytecode_and_artifacts(FuzzerData &fuzzer_data)
Definition fuzzer_lib.cpp:214

operator<<
std::ostream & operator<<(std::ostream &os, const FuzzerTxData &data)
Definition fuzzer_lib.hpp:40

TxDataMutationType
TxDataMutationType
Definition fuzzer_lib.hpp:54

TxDataMutationType::TxMutation
@ TxMutation

ContractArtifacts
std::tuple< Bytecode, ContractClass, ContractInstance > ContractArtifacts
Definition fuzzer_lib.hpp:50

mutate_tx_data
size_t mutate_tx_data(FuzzerContext &context, uint8_t *serialized_fuzzer_data, size_t serialized_fuzzer_data_size, size_t max_size, unsigned int seed)
Definition fuzzer_lib.cpp:246

fuzz_prover
int fuzz_prover(bb::avm2::fuzzer::FuzzerWorldStateManager &ws_mgr, bb::avm2::fuzzer::FuzzerContractDB &contract_db, FuzzerTxData &tx_data)
Run the prover fuzzer: fast simulation, hint collection, comparison, and check_circuit.
Definition fuzzer_lib.cpp:106

Bytecode
std::vector< uint8_t > Bytecode
Definition fuzzer_lib.hpp:49

compare_cpp_simulator_results
bool compare_cpp_simulator_results(const std::vector< TxSimulationResult > &results)
Definition fuzzer_comparison_helper.cpp:46

msgpack_impl.hpp

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

simulator.hpp

FuzzerData
describes the data which will be used for fuzzing Should contain instructions, calldata,...
Definition fuzzer_data.hpp:12

FuzzerTxData
Definition fuzzer_lib.hpp:18

FuzzerTxData::contract_addresses
std::vector< AztecAddress > contract_addresses
Definition fuzzer_lib.hpp:25

FuzzerTxData::protocol_contracts
ProtocolContracts protocol_contracts
Definition fuzzer_lib.hpp:29

FuzzerTxData::contract_classes
std::vector< ContractClass > contract_classes
Definition fuzzer_lib.hpp:23

FuzzerTxData::input_programs
std::vector< FuzzerData > input_programs
Definition fuzzer_lib.hpp:20

FuzzerTxData::tx
Tx tx
Definition fuzzer_lib.hpp:27

FuzzerTxData::MSGPACK_FIELDS
MSGPACK_FIELDS(input_programs, contract_classes, contract_instances, contract_addresses, tx, global_variables, protocol_contracts)

FuzzerTxData::contract_instances
std::vector< ContractInstance > contract_instances
Definition fuzzer_lib.hpp:24

FuzzerTxData::global_variables
GlobalVariables global_variables
Definition fuzzer_lib.hpp:28

SimulatorResult
Definition simulator.hpp:31

bb::avm2::GlobalVariables
Definition aztec_types.hpp:466

bb::avm2::ProtocolContracts
Definition aztec_types.hpp:588

bb::avm2::Tx
Definition avm_io.hpp:329