Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
instruction.cpp
Go to the documentation of this file.
1#include "barretenberg/avm_fuzzer/fuzz_lib/instruction.hpp"
2
3#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_context.hpp"
4#include "barretenberg/avm_fuzzer/mutations/basic_types/field.hpp"
5#include "barretenberg/avm_fuzzer/mutations/basic_types/memory_tag.hpp"
6#include "barretenberg/avm_fuzzer/mutations/basic_types/uint16_t.hpp"
7#include "barretenberg/avm_fuzzer/mutations/basic_types/uint32_t.hpp"
8#include "barretenberg/avm_fuzzer/mutations/basic_types/uint64_t.hpp"
9#include "barretenberg/avm_fuzzer/mutations/basic_types/uint8_t.hpp"
10#include "barretenberg/avm_fuzzer/mutations/basic_types/vector.hpp"
11#include "barretenberg/avm_fuzzer/mutations/configuration.hpp"
12#include "barretenberg/vm2/common/field.hpp"
13#include <optional>
14
19
20VariableRef generate_variable_ref(std::mt19937_64& rng)
21{
22 auto tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION);
23 auto index = generate_random_uint32(rng);
24 auto pointer_address = generate_random_uint16(rng);
25 auto base_offset = generate_random_uint32(rng);
26 auto mode = generate_addressing_mode(rng);
27 return VariableRef{ .tag = tag,
28 .index = index,
29 .pointer_address_seed = pointer_address,
30 .base_offset_seed = base_offset,
31 .mode = mode };
32}
33
34// Maximum operand values based on instruction operand size
35constexpr uint32_t MAX_8BIT_OPERAND = 255;
36constexpr uint32_t MAX_16BIT_OPERAND = 65535;
37
38AddressRef generate_address_ref(std::mt19937_64& rng, uint32_t max_operand_value)
39{
40 auto address = generate_random_uint32(rng);
41 auto pointer_address = generate_random_uint16(rng);
42 auto base_offset = generate_random_uint32(rng);
43 auto mode = generate_addressing_mode(rng);
44 // For Direct mode, constrain address to fit in the operand
45 if (mode == AddressingMode::Direct) {
46 address = address % (max_operand_value + 1);
47 }
48 return AddressRef{
49 .address = address, .pointer_address_seed = pointer_address, .base_offset_seed = base_offset, .mode = mode
50 };
51}
52
53std::vector<FuzzInstruction> generate_ecadd_instruction(std::mt19937_64& rng)
54{
55 // 80% chance to use backfill (4 out of 5) to increase success rate
56 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
57
58 if (!use_backfill) {
59 // Random mode: use existing memory values (may fail if not valid points on curve)
60 return { ECADD_Instruction{ .p1_x = generate_variable_ref(rng),
61 .p1_y = generate_variable_ref(rng),
62 .p1_infinite = generate_variable_ref(rng),
63 .p2_x = generate_variable_ref(rng),
64 .p2_y = generate_variable_ref(rng),
65 .p2_infinite = generate_variable_ref(rng),
66 .result = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
67 }
68
69 // Backfill mode: generate valid points on the Grumpkin curve and SET them
70 // 6 SET instructions (2 points * 3 fields each) + 1 ECADD = 7 instructions
71 std::vector<FuzzInstruction> instructions;
72 instructions.reserve(7);
73
74 // Generate a valid point via scalar multiplication of the generator (always on curve)
75 auto generate_point = [&rng]() {
76 bb::avm2::Fq scalar(generate_random_field(rng));
77 return bb::avm2::EmbeddedCurvePoint::one() * scalar;
78 };
79
80 // Generate SET instructions to backfill a point at the given addresses
81 auto backfill_point = [&instructions](const bb::avm2::EmbeddedCurvePoint& point,
82 AddressRef x_addr,
83 AddressRef y_addr,
84 AddressRef inf_addr) {
85 instructions.push_back(
86 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = x_addr, .value = point.x() });
87 instructions.push_back(
88 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = y_addr, .value = point.y() });
89 instructions.push_back(SET_8_Instruction{ .value_tag = bb::avm2::MemoryTag::U1,
90 .result_address = inf_addr,
91 .value = static_cast<uint8_t>(point.is_infinity() ? 1 : 0) });
92 };
93
94 auto p1 = generate_point();
95 auto p2 = generate_point();
96
97 // Generate addresses (SET_FF uses 16-bit, SET_8 uses 8-bit operands)
98 AddressRef p1_x_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
99 AddressRef p1_y_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
100 AddressRef p1_inf_addr = generate_address_ref(rng, MAX_8BIT_OPERAND);
101 AddressRef p2_x_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
102 AddressRef p2_y_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
103 AddressRef p2_inf_addr = generate_address_ref(rng, MAX_8BIT_OPERAND);
104
105 backfill_point(p1, p1_x_addr, p1_y_addr, p1_inf_addr);
106 backfill_point(p2, p2_x_addr, p2_y_addr, p2_inf_addr);
107
108 instructions.push_back(ECADD_Instruction{ .p1_x = p1_x_addr,
109 .p1_y = p1_y_addr,
110 .p1_infinite = p1_inf_addr,
111 .p2_x = p2_x_addr,
112 .p2_y = p2_y_addr,
113 .p2_infinite = p2_inf_addr,
114 .result = generate_address_ref(rng, MAX_16BIT_OPERAND) });
115
116 return instructions;
117}
118
119// Helper to generate a SET instruction for a given tag at a given address
120FuzzInstruction generate_set_for_tag(bb::avm2::MemoryTag tag, AddressRef addr, std::mt19937_64& rng)
121{
122 switch (tag) {
123 // We use set 16 for u1 and u8 because using set_8 will limit the address range to 255.
124 case bb::avm2::MemoryTag::U1:
125 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = static_cast<uint8_t>(rng() & 1) };
126 case bb::avm2::MemoryTag::U8:
127 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint8(rng) };
128 case bb::avm2::MemoryTag::U16:
129 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint16(rng) };
130 case bb::avm2::MemoryTag::U32:
131 return SET_32_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint32(rng) };
132 case bb::avm2::MemoryTag::U64:
133 return SET_64_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint64(rng) };
134 case bb::avm2::MemoryTag::U128:
135 return SET_128_Instruction{ .value_tag = tag,
136 .result_address = addr,
137 .value_low = generate_random_uint64(rng),
138 .value_high = generate_random_uint64(rng) };
139 case bb::avm2::MemoryTag::FF:
140 default:
141 return SET_FF_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_field(rng) };
142 }
143}
144
145// Generate binary ALU instruction with optional backfill for matching tagged operands
146template <typename InstructionType>
147std::vector<FuzzInstruction> generate_alu_with_matching_tags(std::mt19937_64& rng, uint32_t max_operand)
148{
149 // 80% chance to use backfill (4 out of 5) to increase success rate
150 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
151
152 if (!use_backfill) {
153 return { InstructionType{ .a_address = generate_variable_ref(rng),
154 .b_address = generate_variable_ref(rng),
155 .result_address = generate_address_ref(rng, max_operand) } };
156 }
157
158 auto tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION);
159 AddressRef a_addr = generate_address_ref(rng, max_operand);
160 AddressRef b_addr = generate_address_ref(rng, max_operand);
161
162 std::vector<FuzzInstruction> instructions;
163 instructions.push_back(generate_set_for_tag(tag, a_addr, rng));
164 instructions.push_back(generate_set_for_tag(tag, b_addr, rng));
165 instructions.push_back(InstructionType{
166 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
167 return instructions;
168}
169
170// Generate binary ALU instruction with optional backfill for matching non-FF tagged operands
171// Used for bitwise operations (AND, OR, XOR) and integer DIV which don't support FF
172template <typename InstructionType>
173std::vector<FuzzInstruction> generate_alu_with_matching_tags_not_ff(std::mt19937_64& rng, uint32_t max_operand)
174{
175 // 80% chance to use backfill (4 out of 5) to increase success rate
176 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
177
178 if (!use_backfill) {
179 return { InstructionType{ .a_address = generate_variable_ref(rng),
180 .b_address = generate_variable_ref(rng),
181 .result_address = generate_address_ref(rng, max_operand) } };
182 }
183
184 // Pick a random non-FF tag (U1, U8, U16, U32, U64, U128)
185 static constexpr std::array<bb::avm2::MemoryTag, 6> int_tags = {
186 bb::avm2::MemoryTag::U1, bb::avm2::MemoryTag::U8, bb::avm2::MemoryTag::U16,
187 bb::avm2::MemoryTag::U32, bb::avm2::MemoryTag::U64, bb::avm2::MemoryTag::U128
188 };
189 auto tag = int_tags[std::uniform_int_distribution<size_t>(0, int_tags.size() - 1)(rng)];
190
191 AddressRef a_addr = generate_address_ref(rng, max_operand);
192 AddressRef b_addr = generate_address_ref(rng, max_operand);
193
194 std::vector<FuzzInstruction> instructions;
195 instructions.push_back(generate_set_for_tag(tag, a_addr, rng));
196 instructions.push_back(generate_set_for_tag(tag, b_addr, rng));
197 instructions.push_back(InstructionType{
198 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
199 return instructions;
200}
201
202std::vector<FuzzInstruction> generate_fdiv_instruction(std::mt19937_64& rng, uint32_t max_operand)
203{
204 // 80% chance to use backfill (4 out of 5) to increase success rate
205 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
206
207 if (!use_backfill) {
208 // Random mode: use existing memory values
209 return { FDIV_8_Instruction{ .a_address = generate_variable_ref(rng),
210 .b_address = generate_variable_ref(rng),
211 .result_address = generate_address_ref(rng, max_operand) } };
212 }
213
214 // Backfill mode: generate two non-zero FF values
215 std::vector<FuzzInstruction> instructions;
216 instructions.reserve(3);
217
218 // Generate non-zero field values (avoid division by zero)
219 auto generate_nonzero_field = [&rng]() {
220 bb::avm2::FF value;
221 do {
222 value = generate_random_field(rng);
223 } while (value.is_zero());
224 return value;
225 };
226
227 AddressRef a_addr = generate_address_ref(rng, max_operand);
228 AddressRef b_addr = generate_address_ref(rng, max_operand);
229
230 // SET the dividend (a)
231 instructions.push_back(SET_FF_Instruction{
232 .value_tag = bb::avm2::MemoryTag::FF, .result_address = a_addr, .value = generate_nonzero_field() });
233
234 // SET the divisor (b) - must be non-zero
235 instructions.push_back(SET_FF_Instruction{
236 .value_tag = bb::avm2::MemoryTag::FF, .result_address = b_addr, .value = generate_nonzero_field() });
237
238 // FDIV instruction
239 instructions.push_back(FDIV_8_Instruction{
240 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
241
242 return instructions;
243}
244
245std::vector<FuzzInstruction> generate_keccakf_instruction(std::mt19937_64& rng)
246{
247 // 80% chance to use backfill (4 out of 5) to increase success rate
248 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
249 if (!use_backfill) {
250 // Random mode
251 return { KECCAKF1600_Instruction{ .src_address = generate_variable_ref(rng),
252 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
253 }
254 // Backfill mode
255 std::vector<FuzzInstruction> instructions;
256
257 // Keccak needs to backfill 25 U64 values, these need be contiguous in memory
258 AddressRef src_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 24);
259 for (size_t i = 0; i < 25; i++) {
260 AddressRef item_address = src_address;
261 item_address.address += static_cast<uint32_t>(i);
262 instructions.push_back(SET_64_Instruction{ .value_tag = bb::avm2::MemoryTag::U64,
263 .result_address = item_address,
264 .value = generate_random_uint64(rng) });
265 }
266 instructions.push_back(KECCAKF1600_Instruction{ .src_address = src_address,
267 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
268 return instructions;
269}
270
271std::vector<FuzzInstruction> generate_sha256compression_instruction(std::mt19937_64& rng)
272{
273 // 80% chance to use backfill (4 out of 5) to increase success rate
274 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
275 if (!use_backfill) {
276 // Random mode
277 return { SHA256COMPRESSION_Instruction{ .state_address = generate_variable_ref(rng),
278 .input_address = generate_variable_ref(rng),
279 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
280 }
281 // Backfill mode
282 // SHA256 compression needs 8 U32 values for state and 16 U32 values for input (contiguous)
283 std::vector<FuzzInstruction> instructions;
284 instructions.reserve(8 + 16 + 1);
285
286 // Generate state address (8 contiguous U32 values)
287 AddressRef state_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 7);
288
289 for (size_t i = 0; i < 8; i++) {
290 AddressRef item_address = state_address;
291 item_address.address += static_cast<uint32_t>(i);
292 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
293 .result_address = item_address,
294 .value = generate_random_uint32(rng) });
295 }
296
297 // Generate input address (16 contiguous U32 values)
298 AddressRef input_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 15);
299
300 for (size_t i = 0; i < 16; i++) {
301 AddressRef item_address = input_address;
302 item_address.address += static_cast<uint32_t>(i);
303 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
304 .result_address = item_address,
305 .value = generate_random_uint32(rng) });
306 }
307
308 instructions.push_back(
309 SHA256COMPRESSION_Instruction{ .state_address = state_address,
310 .input_address = input_address,
311 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
312 return instructions;
313}
314
315std::vector<FuzzInstruction> generate_toradixbe_instruction(std::mt19937_64& rng)
316{
317 // 80% chance to use backfill (4 out of 5) to increase success rate
318 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
319 if (!use_backfill) {
320 // Random mode
321 return { TORADIXBE_Instruction{ .value_address = generate_variable_ref(rng),
322 .radix_address = generate_variable_ref(rng),
323 .num_limbs_address = generate_variable_ref(rng),
324 .output_bits_address = generate_variable_ref(rng),
325 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
326 .is_output_bits = std::uniform_int_distribution<int>(0, 1)(rng) == 0 } };
327 }
328 // Backfill mode: set up proper typed values
329 // value: FF, radix: U32, num_limbs: U32, output_bits: U1
330 std::vector<FuzzInstruction> instructions;
331 instructions.reserve(5);
332
333 AddressRef value_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
334 AddressRef radix_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
335 AddressRef num_limbs_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
336 AddressRef output_bits_addr = generate_address_ref(rng, MAX_8BIT_OPERAND);
337
338 // SET the radix (U32) - pick radix between 2 and 256
339 uint32_t radix = std::uniform_int_distribution<uint32_t>(2, 256)(rng);
340 instructions.push_back(
341 SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32, .result_address = radix_addr, .value = radix });
342
343 // SET the output_bits (U1)
344 bool is_output_bits = radix == 2;
345 instructions.push_back(SET_8_Instruction{ .value_tag = bb::avm2::MemoryTag::U1,
346 .result_address = output_bits_addr,
347 .value = static_cast<uint8_t>(is_output_bits ? 1 : 0) });
348
349 // Generate value with num_limbs digits
350 uint32_t num_limbs = std::uniform_int_distribution<uint32_t>(1, 256)(rng);
351 bb::avm2::FF value = 0;
352 bb::avm2::FF exponent = 1;
353 for (uint32_t i = 0; i < num_limbs; i++) {
354 uint32_t digit = std::uniform_int_distribution<uint32_t>(0, radix - 1)(rng);
355 value += bb::avm2::FF(digit) * exponent;
356 exponent *= radix;
357 }
358
359 // 20% chance to truncate - reduce the number of limbs we request
360 if (std::uniform_int_distribution<int>(0, 4)(rng) == 0) {
361 num_limbs--;
362 }
363
364 // SET the num_limbs (U32)
365 instructions.push_back(SET_32_Instruction{
366 .value_tag = bb::avm2::MemoryTag::U32, .result_address = num_limbs_addr, .value = num_limbs });
367
368 // SET the value (FF)
369 instructions.push_back(
370 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = value_addr, .value = value });
371
372 // TORADIXBE instruction
373 instructions.push_back(TORADIXBE_Instruction{ .value_address = value_addr,
374 .radix_address = radix_addr,
375 .num_limbs_address = num_limbs_addr,
376 .output_bits_address = output_bits_addr,
377 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
378 .is_output_bits = is_output_bits });
379 return instructions;
380}
381
382// A better way in the future is to pass in a vector of possible slots that have been written to,
383// this would allow us to supply external world state info.
384std::vector<FuzzInstruction> generate_sload_instruction(std::mt19937_64& rng)
385{
386 // 80% chance to use backfill (4 out of 5) to increase success rate
387 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
388
389 if (!use_backfill) {
390 // Random mode: requires at least one prior SSTORE to have been processed
391 return { SLOAD_Instruction{ .slot_index = generate_random_uint16(rng),
392 .slot_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
393 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
394 }
395
396 // Backfill mode: generate SSTORE first to ensure storage_addresses is non-empty
397 // This guarantees SLOAD will find a valid slot (get_slot uses modulo on non-empty vector)
398 std::vector<FuzzInstruction> instructions;
399 instructions.reserve(3);
400
401 AddressRef sstore_src = generate_address_ref(rng, MAX_16BIT_OPERAND);
402
403 // SET a value to store
404 instructions.push_back(SET_FF_Instruction{
405 .value_tag = bb::avm2::MemoryTag::FF, .result_address = sstore_src, .value = generate_random_field(rng) });
406
407 // SSTORE - appends to storage_addresses in memory_manager
408 instructions.push_back(SSTORE_Instruction{ .src_address = sstore_src,
409 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
410 .slot = generate_random_field(rng) });
411
412 // SLOAD - now guaranteed to succeed (storage_addresses not empty, get_slot uses modulo)
413 instructions.push_back(SLOAD_Instruction{ .slot_index = generate_random_uint16(rng),
414 .slot_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
415 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
416
417 return instructions;
418}
419
420std::vector<FuzzInstruction> generate_emitunencryptedlog_instruction(std::mt19937_64& rng)
421{
422 // 80% chance to use backfill (4 out of 5) to increase success rate
423 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
424
425 if (!use_backfill) {
426 return { EMITUNENCRYPTEDLOG_Instruction{ .log_size_address = generate_variable_ref(rng),
427 .log_values_address = generate_variable_ref(rng) } };
428 }
429
430 uint32_t log_size = std::uniform_int_distribution<uint32_t>(0, FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH)(rng);
431 std::vector<FuzzInstruction> instructions;
432 instructions.reserve(3);
433
434 auto log_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
435 auto log_values_address = generate_address_ref(rng, MAX_16BIT_OPERAND - log_size);
436
437 instructions.push_back(SET_32_Instruction{
438 .value_tag = bb::avm2::MemoryTag::U32, .result_address = log_size_address, .value = log_size });
439
440 // Write one random FF in the log
441 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
442 .result_address = log_values_address,
443 .value = generate_random_field(rng) });
444
445 instructions.push_back(EMITUNENCRYPTEDLOG_Instruction{ .log_size_address = log_size_address,
446 .log_values_address = log_values_address });
447
448 return instructions;
449}
450
451std::vector<FuzzInstruction> generate_call_instruction(std::mt19937_64& rng,
452 const bb::avm2::fuzzer::FuzzerContext& context)
453{
454 // 80% chance to use backfill (4 out of 5) to increase success rate
455 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
456
457 if (!use_backfill) {
458
459 return { CALL_Instruction{ .l2_gas_address = generate_variable_ref(rng),
460 .da_gas_address = generate_variable_ref(rng),
461 .contract_address_address = generate_variable_ref(rng),
462 .calldata_address = generate_variable_ref(rng),
463 .calldata_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
464 .calldata_size = generate_random_uint16(rng),
465 .is_static_call = rng() % 2 == 0 } };
466 }
467
468 std::vector<FuzzInstruction> instructions;
469 instructions.reserve(5);
470
471 auto contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
472 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
473 .result_address = contract_address_address,
474 .value = context.get_contract_address(generate_random_uint16(rng)) });
475
476 auto l2_gas_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
477 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
478 .result_address = l2_gas_address,
479 .value = generate_random_uint32(rng) });
480
481 auto da_gas_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
482 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
483 .result_address = da_gas_address,
484 .value = generate_random_uint32(rng) });
485
486 auto calldata_size = generate_random_uint16(rng);
487 auto calldata_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
488
489 auto calldata_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
490 // Write one random FF in the calldata
491 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
492 .result_address = calldata_address,
493 .value = generate_random_field(rng) });
494
495 instructions.push_back(CALL_Instruction{ .l2_gas_address = l2_gas_address,
496 .da_gas_address = da_gas_address,
497 .contract_address_address = contract_address_address,
498 .calldata_address = calldata_address,
499 .calldata_size_address = calldata_size_address,
500 .calldata_size = calldata_size,
501 .is_static_call = rng() % 2 == 0 });
502
503 return instructions;
504}
505
506std::vector<FuzzInstruction> generate_getcontractinstance_instruction(std::mt19937_64& rng,
507 const bb::avm2::fuzzer::FuzzerContext& context)
508{
509 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
510 if (!use_backfill) {
511 return { GETCONTRACTINSTANCE_Instruction{
512 .contract_address_address = generate_variable_ref(rng),
513 .member_enum = generate_random_uint8(rng),
514 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
515 } };
516 }
517
518 std::vector<FuzzInstruction> instructions;
519 instructions.reserve(2);
520
521 auto contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
522 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
523 .result_address = contract_address_address,
524 .value = context.get_contract_address(generate_random_uint16(rng)) });
525 uint8_t member_enum = std::uniform_int_distribution<uint8_t>(0, 2)(rng);
526
527 instructions.push_back(GETCONTRACTINSTANCE_Instruction{
528 .contract_address_address = contract_address_address,
529 .member_enum = member_enum,
530 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
531 });
532
533 return instructions;
534}
535
536namespace bb::avm2::fuzzer {
537std::vector<FuzzInstruction> generate_instruction(std::mt19937_64& rng, const FuzzerContext& context)
538{
539 InstructionGenerationOptions option = BASIC_INSTRUCTION_GENERATION_CONFIGURATION.select(rng);
540 // forgive me
541 switch (option) {
542 case InstructionGenerationOptions::ADD_8:
543 return generate_alu_with_matching_tags<ADD_8_Instruction>(rng, MAX_8BIT_OPERAND);
544 case InstructionGenerationOptions::SUB_8:
545 return generate_alu_with_matching_tags<SUB_8_Instruction>(rng, MAX_8BIT_OPERAND);
546 case InstructionGenerationOptions::MUL_8:
547 return generate_alu_with_matching_tags<MUL_8_Instruction>(rng, MAX_8BIT_OPERAND);
548 case InstructionGenerationOptions::DIV_8:
549 return generate_alu_with_matching_tags_not_ff<DIV_8_Instruction>(rng, MAX_8BIT_OPERAND);
550 case InstructionGenerationOptions::FDIV_8:
551 return generate_fdiv_instruction(rng, MAX_8BIT_OPERAND);
552 case InstructionGenerationOptions::EQ_8:
553 return { EQ_8_Instruction{ .a_address = generate_variable_ref(rng),
554 .b_address = generate_variable_ref(rng),
555 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
556 case InstructionGenerationOptions::LT_8:
557 return { LT_8_Instruction{ .a_address = generate_variable_ref(rng),
558 .b_address = generate_variable_ref(rng),
559 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
560 case InstructionGenerationOptions::LTE_8:
561 return { LTE_8_Instruction{ .a_address = generate_variable_ref(rng),
562 .b_address = generate_variable_ref(rng),
563 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
564 case InstructionGenerationOptions::AND_8:
565 return generate_alu_with_matching_tags_not_ff<AND_8_Instruction>(rng, MAX_8BIT_OPERAND);
566 case InstructionGenerationOptions::OR_8:
567 return generate_alu_with_matching_tags_not_ff<OR_8_Instruction>(rng, MAX_8BIT_OPERAND);
568 case InstructionGenerationOptions::XOR_8:
569 return generate_alu_with_matching_tags_not_ff<XOR_8_Instruction>(rng, MAX_8BIT_OPERAND);
570 case InstructionGenerationOptions::NOT_8:
571 return { NOT_8_Instruction{ .a_address = generate_variable_ref(rng),
572 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
573 case InstructionGenerationOptions::SHL_8:
574 return { SHL_8_Instruction{ .a_address = generate_variable_ref(rng),
575 .b_address = generate_variable_ref(rng),
576 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
577
578 case InstructionGenerationOptions::SHR_8:
579 return { SHR_8_Instruction{ .a_address = generate_variable_ref(rng),
580 .b_address = generate_variable_ref(rng),
581 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
582 case InstructionGenerationOptions::SET_8:
583 return { SET_8_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
584 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND),
585 .value = generate_random_uint8(rng) } };
586 case InstructionGenerationOptions::SET_16:
587 return { SET_16_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
588 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
589 .value = generate_random_uint16(rng) } };
590 case InstructionGenerationOptions::SET_32:
591 return { SET_32_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
592 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
593 .value = generate_random_uint32(rng) } };
594 case InstructionGenerationOptions::SET_64:
595 return { SET_64_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
596 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
597 .value = generate_random_uint64(rng) } };
598 case InstructionGenerationOptions::SET_128:
599 return { SET_128_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
600 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
601 .value_low = generate_random_uint64(rng),
602 .value_high = generate_random_uint64(rng) } };
603 case InstructionGenerationOptions::SET_FF:
604 return { SET_FF_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
605 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
606 .value = generate_random_field(rng) } };
607 case InstructionGenerationOptions::MOV_8:
608 return { MOV_8_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
609 .src_address = generate_variable_ref(rng),
610 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
611 case InstructionGenerationOptions::MOV_16:
612 return { MOV_16_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
613 .src_address = generate_variable_ref(rng),
614 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
615 case InstructionGenerationOptions::ADD_16:
616 return generate_alu_with_matching_tags<ADD_16_Instruction>(rng, MAX_16BIT_OPERAND);
617 case InstructionGenerationOptions::SUB_16:
618 return generate_alu_with_matching_tags<SUB_16_Instruction>(rng, MAX_16BIT_OPERAND);
619 case InstructionGenerationOptions::MUL_16:
620 return generate_alu_with_matching_tags<MUL_16_Instruction>(rng, MAX_16BIT_OPERAND);
621 case InstructionGenerationOptions::DIV_16:
622 return generate_alu_with_matching_tags_not_ff<DIV_16_Instruction>(rng, MAX_16BIT_OPERAND);
623 case InstructionGenerationOptions::FDIV_16:
624 return { FDIV_16_Instruction{ .a_address = generate_variable_ref(rng),
625 .b_address = generate_variable_ref(rng),
626 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
627 case InstructionGenerationOptions::EQ_16:
628 return { EQ_16_Instruction{ .a_address = generate_variable_ref(rng),
629 .b_address = generate_variable_ref(rng),
630 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
631 case InstructionGenerationOptions::LT_16:
632 return { LT_16_Instruction{ .a_address = generate_variable_ref(rng),
633 .b_address = generate_variable_ref(rng),
634 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
635 case InstructionGenerationOptions::LTE_16:
636 return { LTE_16_Instruction{ .a_address = generate_variable_ref(rng),
637 .b_address = generate_variable_ref(rng),
638 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
639 case InstructionGenerationOptions::AND_16:
640 return generate_alu_with_matching_tags_not_ff<AND_16_Instruction>(rng, MAX_16BIT_OPERAND);
641 case InstructionGenerationOptions::OR_16:
642 return generate_alu_with_matching_tags_not_ff<OR_16_Instruction>(rng, MAX_16BIT_OPERAND);
643 case InstructionGenerationOptions::XOR_16:
644 return generate_alu_with_matching_tags_not_ff<XOR_16_Instruction>(rng, MAX_16BIT_OPERAND);
645 case InstructionGenerationOptions::NOT_16:
646 return { NOT_16_Instruction{ .a_address = generate_variable_ref(rng),
647 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
648 case InstructionGenerationOptions::SHL_16:
649 return { SHL_16_Instruction{ .a_address = generate_variable_ref(rng),
650 .b_address = generate_variable_ref(rng),
651 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
652 case InstructionGenerationOptions::SHR_16:
653 return { SHR_16_Instruction{ .a_address = generate_variable_ref(rng),
654 .b_address = generate_variable_ref(rng),
655 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
656 case InstructionGenerationOptions::CAST_8:
657 return { CAST_8_Instruction{ .src_address = generate_variable_ref(rng),
658 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND),
659 .target_tag =
660 generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION) } };
661 case InstructionGenerationOptions::CAST_16:
662 return { CAST_16_Instruction{ .src_address = generate_variable_ref(rng),
663 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
664 .target_tag =
665 generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION) } };
666 case InstructionGenerationOptions::SSTORE:
667 return { SSTORE_Instruction{ .src_address = generate_variable_ref(rng),
668 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
669 .slot = generate_random_field(rng) } };
670 case InstructionGenerationOptions::SLOAD:
671 return generate_sload_instruction(rng);
672 case InstructionGenerationOptions::GETENVVAR:
673 return { GETENVVAR_Instruction{ .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
674 .type = generate_random_uint8(rng) } };
675 case InstructionGenerationOptions::EMITNULLIFIER:
676 return { EMITNULLIFIER_Instruction{ .nullifier_address = generate_variable_ref(rng) } };
677 case InstructionGenerationOptions::NULLIFIEREXISTS:
678 return { NULLIFIEREXISTS_Instruction{ .nullifier_address = generate_variable_ref(rng),
679 .contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
680 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
681 case InstructionGenerationOptions::L1TOL2MSGEXISTS:
682 return { L1TOL2MSGEXISTS_Instruction{ .msg_hash_address = generate_variable_ref(rng),
683 .leaf_index_address = generate_variable_ref(rng),
684 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
685 case InstructionGenerationOptions::EMITNOTEHASH:
686 return { EMITNOTEHASH_Instruction{ .note_hash_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
687 .note_hash = generate_random_field(rng) } };
688 case InstructionGenerationOptions::NOTEHASHEXISTS:
689 return { NOTEHASHEXISTS_Instruction{ .notehash_index = generate_random_uint16(rng),
690 .notehash_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
691 .leaf_index_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
692 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
693 case InstructionGenerationOptions::CALLDATACOPY:
694 return { CALLDATACOPY_Instruction{ .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
695 .copy_size = generate_random_uint8(rng),
696 .copy_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
697 .cd_start = generate_random_uint16(rng),
698 .cd_start_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
699 case InstructionGenerationOptions::SENDL2TOL1MSG:
700 return { SENDL2TOL1MSG_Instruction{ .recipient = generate_random_field(rng),
701 .recipient_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
702 .content = generate_random_field(rng),
703 .content_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
704 case InstructionGenerationOptions::EMITUNENCRYPTEDLOG:
705 return generate_emitunencryptedlog_instruction(rng);
706 case InstructionGenerationOptions::CALL:
707 return generate_call_instruction(rng, context);
708 case InstructionGenerationOptions::RETURNDATASIZE_WITH_RETURNDATACOPY:
709 return { RETURNDATASIZE_WITH_RETURNDATACOPY_Instruction{ .copy_size_offset = generate_random_uint16(rng),
710 .dst_address = generate_random_uint16(rng),
711 .rd_start_offset = generate_random_uint16(rng) } };
712 case InstructionGenerationOptions::GETCONTRACTINSTANCE:
713 return generate_getcontractinstance_instruction(rng, context);
714 case InstructionGenerationOptions::SUCCESSCOPY:
715 return { SUCCESSCOPY_Instruction{ .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
716 case InstructionGenerationOptions::ECADD:
717 return generate_ecadd_instruction(rng);
718 case InstructionGenerationOptions::POSEIDON2PERM:
719 return { POSEIDON2PERM_Instruction{ .src_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
720 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
721 case InstructionGenerationOptions::KECCAKF1600:
722 return generate_keccakf_instruction(rng);
723 case InstructionGenerationOptions::SHA256COMPRESSION:
724 return generate_sha256compression_instruction(rng);
725 case InstructionGenerationOptions::TORADIXBE:
726 return generate_toradixbe_instruction(rng);
727 }
728}
755
756void mutate_address_ref(AddressRef& address, std::mt19937_64& rng, uint32_t max_operand_value)
757{
758 AddressRefMutationOptions option = BASIC_ADDRESS_REF_MUTATION_CONFIGURATION.select(rng);
759 switch (option) {
760 case AddressRefMutationOptions::address:
761 mutate_uint32_t(address.address, rng, BASIC_UINT32_T_MUTATION_CONFIGURATION);
762 // Constrain address for Direct mode
763 if (address.mode == AddressingMode::Direct) {
764 address.address = address.address % (max_operand_value + 1);
765 }
766 break;
767 case AddressRefMutationOptions::pointer_address:
768 mutate_uint16_t(address.pointer_address_seed, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
769 break;
770 case AddressRefMutationOptions::base_offset:
771 mutate_uint32_t(address.base_offset_seed, rng, BASIC_UINT32_T_MUTATION_CONFIGURATION);
772 break;
773 case AddressRefMutationOptions::mode:
774 address.mode = generate_addressing_mode(rng);
775 // Constrain address if mode changed to Direct
776 if (address.mode == AddressingMode::Direct) {
777 address.address = address.address % (max_operand_value + 1);
778 }
779 break;
780 }
781}
782
783void mutate_param_ref(ParamRef& param,
784 std::mt19937_64& rng,
785 std::optional<MemoryTag> default_tag,
786 uint32_t max_operand_value)
787{
788 std::visit(overloaded{ [&](VariableRef& var) { mutate_variable_ref(var, rng, default_tag); },
789 [&](AddressRef& addr) { mutate_address_ref(addr, rng, max_operand_value); } },
790 param);
791}
792
793std::optional<MemoryTag> get_param_ref_tag(const ParamRef& param)
794{
795 return std::visit(overloaded{ [](const VariableRef& var) -> std::optional<MemoryTag> { return var.tag.value; },
796 [](const AddressRef&) -> std::optional<MemoryTag> { return std::nullopt; } },
797 param);
798}
799
800template <typename BinaryInstructionType>
816
817template <typename BinaryInstructionType>
833
846
862
878
894
910
929
945
946void mutate_mov_8_instruction(MOV_8_Instruction& instruction, std::mt19937_64& rng)
947{
948 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
949 switch (choice) {
950 case 0:
951 mutate_memory_tag(instruction.value_tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
952 break;
953 case 1:
954 mutate_param_ref(instruction.src_address, rng, std::nullopt, MAX_8BIT_OPERAND);
955 break;
956 case 2:
957 mutate_address_ref(instruction.result_address, rng, MAX_8BIT_OPERAND);
958 break;
959 }
960}
961
962void mutate_mov_16_instruction(MOV_16_Instruction& instruction, std::mt19937_64& rng)
963{
964 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
965 switch (choice) {
966 case 0:
967 mutate_memory_tag(instruction.value_tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
968 break;
969 case 1:
970 mutate_param_ref(instruction.src_address, rng, std::nullopt, MAX_16BIT_OPERAND);
971 break;
972 case 2:
973 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
974 break;
975 }
976}
977
990
1006
1022
1038
1054
1067
1068void mutate_emit_nullifier_instruction(EMITNULLIFIER_Instruction& instruction, std::mt19937_64& rng)
1069{
1070 // emitnulifier only has one field
1071
1072 mutate_param_ref(instruction.nullifier_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1073}
1074
1090
1106
1137
1159
1178
1191
1192void mutate_call_instruction(CALL_Instruction& instruction, std::mt19937_64& rng)
1193{
1194 CallMutationOptions option = BASIC_CALL_MUTATION_CONFIGURATION.select(rng);
1195 switch (option) {
1196 case CallMutationOptions::l2_gas_address:
1197 mutate_param_ref(instruction.l2_gas_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1198 break;
1199 case CallMutationOptions::da_gas_address:
1200 mutate_param_ref(instruction.da_gas_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1201 break;
1202 case CallMutationOptions::contract_address_address:
1203 mutate_param_ref(instruction.contract_address_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1204 break;
1205 case CallMutationOptions::calldata_size_address:
1206 mutate_address_ref(instruction.calldata_size_address, rng, MAX_16BIT_OPERAND);
1207 break;
1208 case CallMutationOptions::calldata_size:
1209 mutate_uint16_t(instruction.calldata_size, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
1210 break;
1211 case CallMutationOptions::calldata_address:
1212 mutate_param_ref(instruction.calldata_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1213 break;
1214 case CallMutationOptions::is_static_call:
1215 // with 0.5 probability, set to true, otherwise false
1216 instruction.is_static_call = rng() % 2 == 0;
1217 }
1218}
1219
1237
1253
1263
1264void mutate_ecadd_instruction(ECADD_Instruction& instruction, std::mt19937_64& rng)
1265{
1266 // ECADD has 7 operands, select one to mutate
1267 int choice = std::uniform_int_distribution<int>(0, 6)(rng);
1268 switch (choice) {
1269 case 0:
1270 mutate_param_ref(instruction.p1_x, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1271 break;
1272 case 1:
1273 mutate_param_ref(instruction.p1_y, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1274 break;
1275 case 2:
1276 mutate_param_ref(instruction.p1_infinite, rng, MemoryTag::U1, MAX_16BIT_OPERAND);
1277 break;
1278 case 3:
1279 mutate_param_ref(instruction.p2_x, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1280 break;
1281 case 4:
1282 mutate_param_ref(instruction.p2_y, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1283 break;
1284 case 5:
1285 mutate_param_ref(instruction.p2_infinite, rng, MemoryTag::U1, MAX_16BIT_OPERAND);
1286 break;
1287 case 6:
1288 mutate_address_ref(instruction.result, rng, MAX_16BIT_OPERAND);
1289 break;
1290 }
1291}
1292
1293void mutate_poseidon2perm_instruction(POSEIDON2PERM_Instruction& instruction, std::mt19937_64& rng)
1294{
1295 int choice = std::uniform_int_distribution<int>(0, 1)(rng);
1296 switch (choice) {
1297 case 0:
1298 mutate_param_ref(instruction.src_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1299 break;
1300 case 1:
1301 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1302 break;
1303 }
1304}
1305
1306void mutate_keccakf1600_instruction(KECCAKF1600_Instruction& instruction, std::mt19937_64& rng)
1307{
1308 int choice = std::uniform_int_distribution<int>(0, 1)(rng);
1309 switch (choice) {
1310 case 0:
1311 mutate_param_ref(instruction.src_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1312 break;
1313 case 1:
1314 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1315 break;
1316 }
1317}
1318
1319void mutate_sha256compression_instruction(SHA256COMPRESSION_Instruction& instruction, std::mt19937_64& rng)
1320{
1321 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
1322 switch (choice) {
1323 case 0:
1324 mutate_param_ref(instruction.state_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1325 break;
1326 case 1:
1327 mutate_param_ref(instruction.input_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1328 break;
1329 case 2:
1330 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1331 break;
1332 }
1333}
1334
1359
1360void mutate_instruction(FuzzInstruction& instruction,
1361 std::mt19937_64& rng,
1362 [[maybe_unused]] const FuzzerContext& context)
1363{
1364 std::visit(
1365 overloaded{
1366 [&rng](ADD_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1367 [&rng](SUB_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1368 [&rng](MUL_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1369 [&rng](DIV_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1370 [&rng](EQ_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1371 [&rng](LT_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1372 [&rng](LTE_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1373 [&rng](AND_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1374 [&rng](OR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1375 [&rng](XOR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1376 [&rng](SHL_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1377 [&rng](SHR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1378 [&rng](SET_8_Instruction& instr) { mutate_set_8_instruction(instr, rng); },
1379 [&rng](SET_16_Instruction& instr) { mutate_set_16_instruction(instr, rng); },
1380 [&rng](SET_32_Instruction& instr) { mutate_set_32_instruction(instr, rng); },
1381 [&rng](SET_64_Instruction& instr) { mutate_set_64_instruction(instr, rng); },
1382 [&rng](SET_128_Instruction& instr) { mutate_set_128_instruction(instr, rng); },
1383 [&rng](SET_FF_Instruction& instr) { mutate_set_ff_instruction(instr, rng); },
1384 [&rng](MOV_8_Instruction& instr) { mutate_mov_8_instruction(instr, rng); },
1385 [&rng](MOV_16_Instruction& instr) { mutate_mov_16_instruction(instr, rng); },
1386 [&rng](FDIV_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
1387 [&rng](NOT_8_Instruction& instr) { mutate_not_8_instruction(instr, rng); },
1388 [&rng](ADD_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1389 [&rng](SUB_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1390 [&rng](MUL_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1391 [&rng](DIV_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1392 [&rng](FDIV_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1393 [&rng](EQ_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1394 [&rng](LT_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1395 [&rng](LTE_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1396 [&rng](AND_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1397 [&rng](OR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1398 [&rng](XOR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1399 [&rng](NOT_16_Instruction& instr) { mutate_not_16_instruction(instr, rng); },
1400 [&rng](SHL_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1401 [&rng](SHR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
1402 [&rng](CAST_8_Instruction& instr) { mutate_cast_8_instruction(instr, rng); },
1403 [&rng](CAST_16_Instruction& instr) { mutate_cast_16_instruction(instr, rng); },
1404 [&rng](SSTORE_Instruction& instr) { mutate_sstore_instruction(instr, rng); },
1405 [&rng](SLOAD_Instruction& instr) { mutate_sload_instruction(instr, rng); },
1406 [&rng](GETENVVAR_Instruction& instr) { mutate_getenvvar_instruction(instr, rng); },
1407 [&rng](EMITNULLIFIER_Instruction& instr) { mutate_emit_nullifier_instruction(instr, rng); },
1408 [&rng](NULLIFIEREXISTS_Instruction& instr) { mutate_nullifier_exists_instruction(instr, rng); },
1409 [&rng](L1TOL2MSGEXISTS_Instruction& instr) { mutate_l1tol2msgexists_instruction(instr, rng); },
1410 [&rng](EMITNOTEHASH_Instruction& instr) { mutate_emit_note_hash_instruction(instr, rng); },
1411 [&rng](NOTEHASHEXISTS_Instruction& instr) { mutate_note_hash_exists_instruction(instr, rng); },
1412 [&rng](CALLDATACOPY_Instruction& instr) { mutate_calldatacopy_instruction(instr, rng); },
1413 [&rng](SENDL2TOL1MSG_Instruction& instr) { mutate_sendl2tol1msg_instruction(instr, rng); },
1414 [&rng](EMITUNENCRYPTEDLOG_Instruction& instr) { mutate_emitunencryptedlog_instruction(instr, rng); },
1415 [&rng](CALL_Instruction& instr) { mutate_call_instruction(instr, rng); },
1416 [&rng](RETURNDATASIZE_WITH_RETURNDATACOPY_Instruction& instr) {
1417 mutate_returndatasize_with_returndatacopy_instruction(instr, rng);
1418 },
1419 [&rng](GETCONTRACTINSTANCE_Instruction& instr) { mutate_getcontractinstance_instruction(instr, rng); },
1420 [&rng](SUCCESSCOPY_Instruction& instr) { mutate_successcopy_instruction(instr, rng); },
1421 [&rng](ECADD_Instruction& instr) { mutate_ecadd_instruction(instr, rng); },
1422 [&rng](POSEIDON2PERM_Instruction& instr) { mutate_poseidon2perm_instruction(instr, rng); },
1423 [&rng](KECCAKF1600_Instruction& instr) { mutate_keccakf1600_instruction(instr, rng); },
1424 [&rng](SHA256COMPRESSION_Instruction& instr) { mutate_sha256compression_instruction(instr, rng); },
1425 [&rng](TORADIXBE_Instruction& instr) { mutate_toradixbe_instruction(instr, rng); },
1426 [](auto&) { throw std::runtime_error("Unknown instruction"); } },
1427 instruction);
1428}
1429
1430} // namespace bb::avm2::fuzzer
FuzzInstruction
::FuzzInstruction FuzzInstruction
Definition avm_differential.fuzzer.cpp:17
generate_random_field
FF generate_random_field(std::mt19937_64 &rng)
Definition field.cpp:23
mutate_field
void mutate_field(bb::avm2::FF &value, std::mt19937_64 &rng, const FieldMutationConfig &config)
Definition field.cpp:54
field.hpp
FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH
#define FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH
Definition aztec_constants.hpp:31
WeightedSelectionConfig::select
T select(std::mt19937_64 &rng) const
Definition weighted_selection.hpp:33
bb::avm2::StandardAffinePoint::is_infinity
constexpr bool is_infinity() const noexcept
Definition standard_affine_point.hpp:68
bb::avm2::StandardAffinePoint::x
constexpr const BaseField & x() const noexcept
Definition standard_affine_point.hpp:74
bb::avm2::StandardAffinePoint::y
constexpr const BaseField & y() const noexcept
Definition standard_affine_point.hpp:76
Set32MutationOptions
Set32MutationOptions
Definition configuration.hpp:168
BASIC_SET_128_MUTATION_CONFIGURATION
constexpr Set128MutationConfig BASIC_SET_128_MUTATION_CONFIGURATION
Definition configuration.hpp:192
BASIC_ADDRESS_REF_MUTATION_CONFIGURATION
constexpr AddressRefMutationConfig BASIC_ADDRESS_REF_MUTATION_CONFIGURATION
Definition configuration.hpp:120
Set64MutationOptions
Set64MutationOptions
Definition configuration.hpp:178
BASIC_SLOAD_MUTATION_CONFIGURATION
constexpr SLoadMutationConfig BASIC_SLOAD_MUTATION_CONFIGURATION
Definition configuration.hpp:355
BASIC_GETENVVAR_MUTATION_CONFIGURATION
constexpr GetEnvVarMutationConfig BASIC_GETENVVAR_MUTATION_CONFIGURATION
Definition configuration.hpp:364
BASIC_SET_16_MUTATION_CONFIGURATION
constexpr Set16MutationConfig BASIC_SET_16_MUTATION_CONFIGURATION
Definition configuration.hpp:162
L1ToL2MsgExistsMutationOptions
L1ToL2MsgExistsMutationOptions
Definition configuration.hpp:378
BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION
constexpr NoteHashExistsMutationConfig BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:398
NoteHashExistsMutationOptions
NoteHashExistsMutationOptions
Definition configuration.hpp:395
BASIC_TORADIXBE_MUTATION_CONFIGURATION
constexpr ToRadixBEMutationConfig BASIC_TORADIXBE_MUTATION_CONFIGURATION
Definition configuration.hpp:494
BASIC_SET_64_MUTATION_CONFIGURATION
constexpr Set64MutationConfig BASIC_SET_64_MUTATION_CONFIGURATION
Definition configuration.hpp:182
EmitNoteHashMutationOptions
EmitNoteHashMutationOptions
Definition configuration.hpp:387
CallMutationOptions
CallMutationOptions
Definition configuration.hpp:435
SetFFMutationOptions
SetFFMutationOptions
Definition configuration.hpp:199
BASIC_MEMORY_TAG_GENERATION_CONFIGURATION
constexpr MemoryTagGenerationConfig BASIC_MEMORY_TAG_GENERATION_CONFIGURATION
Definition configuration.hpp:86
BASIC_RETURNDATASIZE_WITH_RETURNDATACOPY_MUTATION_CONFIGURATION
constexpr ReturndatasizeWithReturndatacopyMutationConfig BASIC_RETURNDATASIZE_WITH_RETURNDATACOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:461
SuccessCopyMutationOptions
SuccessCopyMutationOptions
Definition configuration.hpp:477
BASIC_UINT64_T_MUTATION_CONFIGURATION
constexpr Uint64MutationConfig BASIC_UINT64_T_MUTATION_CONFIGURATION
Definition configuration.hpp:57
Set8MutationOptions
Set8MutationOptions
Definition configuration.hpp:148
Set16MutationOptions
Set16MutationOptions
Definition configuration.hpp:158
BASIC_CALLDATACOPY_MUTATION_CONFIGURATION
constexpr CalldataCopyMutationConfig BASIC_CALLDATACOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:408
BASIC_GETCONTRACTINSTANCE_MUTATION_CONFIGURATION
constexpr GetContractInstanceMutationConfig BASIC_GETCONTRACTINSTANCE_MUTATION_CONFIGURATION
Definition configuration.hpp:470
InstructionGenerationOptions
InstructionGenerationOptions
Definition configuration.hpp:219
BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION
constexpr L1ToL2MsgExistsMutationConfig BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:381
BASIC_UINT32_T_MUTATION_CONFIGURATION
constexpr Uint32MutationConfig BASIC_UINT32_T_MUTATION_CONFIGURATION
Definition configuration.hpp:50
BASIC_UNARY_INSTRUCTION_8_MUTATION_CONFIGURATION
constexpr UnaryInstruction8MutationConfig BASIC_UNARY_INSTRUCTION_8_MUTATION_CONFIGURATION
Definition configuration.hpp:131
ReturndatasizeWithReturndatacopyMutationOptions
ReturndatasizeWithReturndatacopyMutationOptions
Definition configuration.hpp:456
SStoreMutationOptions
SStoreMutationOptions
Definition configuration.hpp:343
BASIC_SET_FF_MUTATION_CONFIGURATION
constexpr SetFFMutationConfig BASIC_SET_FF_MUTATION_CONFIGURATION
Definition configuration.hpp:203
BASIC_SET_32_MUTATION_CONFIGURATION
constexpr Set32MutationConfig BASIC_SET_32_MUTATION_CONFIGURATION
Definition configuration.hpp:172
BASIC_FIELD_MUTATION_CONFIGURATION
constexpr FieldMutationConfig BASIC_FIELD_MUTATION_CONFIGURATION
Definition configuration.hpp:75
UnaryInstruction8MutationOptions
UnaryInstruction8MutationOptions
Definition configuration.hpp:127
BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION
constexpr BinaryInstruction8MutationConfig BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION
Definition configuration.hpp:141
BASIC_UINT16_T_MUTATION_CONFIGURATION
constexpr Uint16MutationConfig BASIC_UINT16_T_MUTATION_CONFIGURATION
Definition configuration.hpp:43
BASIC_SSTORE_MUTATION_CONFIGURATION
constexpr SStoreMutationConfig BASIC_SSTORE_MUTATION_CONFIGURATION
Definition configuration.hpp:346
CalldataCopyMutationOptions
CalldataCopyMutationOptions
Definition configuration.hpp:405
EmitUnencryptedLogMutationOptions
EmitUnencryptedLogMutationOptions
Definition configuration.hpp:426
BASIC_NULLIFIER_EXISTS_MUTATION_CONFIGURATION
constexpr NullifierExistsMutationConfig BASIC_NULLIFIER_EXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:372
BASIC_EMITUNENCRYPTEDLOG_MUTATION_CONFIGURATION
constexpr EmitUnencryptedLogMutationConfig BASIC_EMITUNENCRYPTEDLOG_MUTATION_CONFIGURATION
Definition configuration.hpp:429
BASIC_CALL_MUTATION_CONFIGURATION
constexpr CallMutationConfig BASIC_CALL_MUTATION_CONFIGURATION
Definition configuration.hpp:446
BASIC_SENDL2TOL1MSG_MUTATION_CONFIGURATION
constexpr SendL2ToL1MsgMutationConfig BASIC_SENDL2TOL1MSG_MUTATION_CONFIGURATION
Definition configuration.hpp:419
BASIC_VARIABLE_REF_MUTATION_CONFIGURATION
constexpr VariableRefMutationConfig BASIC_VARIABLE_REF_MUTATION_CONFIGURATION
Definition configuration.hpp:110
Set128MutationOptions
Set128MutationOptions
Definition configuration.hpp:188
BASIC_EMITNOTEHASH_MUTATION_CONFIGURATION
constexpr EmitNoteHashMutationConfig BASIC_EMITNOTEHASH_MUTATION_CONFIGURATION
Definition configuration.hpp:390
ToRadixBEMutationOptions
ToRadixBEMutationOptions
Definition configuration.hpp:484
BASIC_MEMORY_TAG_MUTATION_CONFIGURATION
constexpr MemoryTagMutationConfig BASIC_MEMORY_TAG_MUTATION_CONFIGURATION
Definition configuration.hpp:98
SLoadMutationOptions
SLoadMutationOptions
Definition configuration.hpp:352
BASIC_UINT8_T_MUTATION_CONFIGURATION
constexpr Uint8MutationConfig BASIC_UINT8_T_MUTATION_CONFIGURATION
Definition configuration.hpp:36
VariableRefMutationOptions
VariableRefMutationOptions
Definition configuration.hpp:108
BASIC_INSTRUCTION_GENERATION_CONFIGURATION
constexpr InstructionGenerationConfig BASIC_INSTRUCTION_GENERATION_CONFIGURATION
Definition configuration.hpp:282
BASIC_SUCCESSCOPY_MUTATION_CONFIGURATION
constexpr SuccessCopyMutationConfig BASIC_SUCCESSCOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:480
GetContractInstanceMutationOptions
GetContractInstanceMutationOptions
Definition configuration.hpp:467
GetEnvVarMutationOptions
GetEnvVarMutationOptions
Definition configuration.hpp:361
AddressRefMutationOptions
AddressRefMutationOptions
Definition configuration.hpp:118
BinaryInstruction8MutationOptions
BinaryInstruction8MutationOptions
Definition configuration.hpp:137
SendL2ToL1MsgMutationOptions
SendL2ToL1MsgMutationOptions
Definition configuration.hpp:416
BASIC_SET_8_MUTATION_CONFIGURATION
constexpr Set8MutationConfig BASIC_SET_8_MUTATION_CONFIGURATION
Definition configuration.hpp:152
NullifierExistsMutationOptions
NullifierExistsMutationOptions
Definition configuration.hpp:369
context
StrictMock< MockContext > context
Definition data_copy.test.cpp:59
instruction.hpp
overloaded
overloaded(Ts...) -> overloaded< Ts... >
AddressingMode
AddressingMode
Definition instruction.hpp:50
AddressingMode::Direct
@ Direct
ParamRef
std::variant< VariableRef, AddressRef > ParamRef
Definition instruction.hpp:132
fuzzer_context.hpp
instruction
Instruction instruction
Definition gas_tracker.test.cpp:33
generate_sha256compression_instruction
std::vector< FuzzInstruction > generate_sha256compression_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:271
generate_variable_ref
VariableRef generate_variable_ref(std::mt19937_64 &rng)
Definition instruction.cpp:20
generate_call_instruction
std::vector< FuzzInstruction > generate_call_instruction(std::mt19937_64 &rng, const bb::avm2::fuzzer::FuzzerContext &context)
Definition instruction.cpp:451
generate_alu_with_matching_tags_not_ff
std::vector< FuzzInstruction > generate_alu_with_matching_tags_not_ff(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:173
generate_addressing_mode
AddressingMode generate_addressing_mode(std::mt19937_64 &rng)
Definition instruction.cpp:15
generate_alu_with_matching_tags
std::vector< FuzzInstruction > generate_alu_with_matching_tags(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:147
generate_sload_instruction
std::vector< FuzzInstruction > generate_sload_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:384
generate_ecadd_instruction
std::vector< FuzzInstruction > generate_ecadd_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:53
generate_keccakf_instruction
std::vector< FuzzInstruction > generate_keccakf_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:245
generate_toradixbe_instruction
std::vector< FuzzInstruction > generate_toradixbe_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:315
generate_fdiv_instruction
std::vector< FuzzInstruction > generate_fdiv_instruction(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:202
MAX_8BIT_OPERAND
constexpr uint32_t MAX_8BIT_OPERAND
Definition instruction.cpp:35
generate_set_for_tag
FuzzInstruction generate_set_for_tag(bb::avm2::MemoryTag tag, AddressRef addr, std::mt19937_64 &rng)
Definition instruction.cpp:120
MAX_16BIT_OPERAND
constexpr uint32_t MAX_16BIT_OPERAND
Definition instruction.cpp:36
generate_getcontractinstance_instruction
std::vector< FuzzInstruction > generate_getcontractinstance_instruction(std::mt19937_64 &rng, const bb::avm2::fuzzer::FuzzerContext &context)
Definition instruction.cpp:506
generate_emitunencryptedlog_instruction
std::vector< FuzzInstruction > generate_emitunencryptedlog_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:420
generate_address_ref
AddressRef generate_address_ref(std::mt19937_64 &rng, uint32_t max_operand_value)
Definition instruction.cpp:38
generate_memory_tag
MemoryTag generate_memory_tag(std::mt19937_64 &rng, const MemoryTagGenerationConfig &config)
Definition memory_tag.cpp:8
mutate_or_default_tag
void mutate_or_default_tag(MemoryTag &value, std::mt19937_64 &rng, MemoryTag default_tag, double probability=0.1)
Mutate the memory tag or set to the chosen tag with a given probability.
Definition memory_tag.cpp:57
mutate_memory_tag
void mutate_memory_tag(MemoryTag &value, std::mt19937_64 &rng, const MemoryTagMutationConfig &config)
Definition memory_tag.cpp:29
memory_tag.hpp
bb::avm2::fuzzer::mutate_variable_ref
void mutate_variable_ref(VariableRef &variable, std::mt19937_64 &rng, std::optional< MemoryTag > default_tag)
Most of the tags will be equal to the default tag.
Definition instruction.cpp:730
bb::avm2::fuzzer::mutate_l1tol2msgexists_instruction
void mutate_l1tol2msgexists_instruction(L1TOL2MSGEXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1091
bb::avm2::fuzzer::mutate_poseidon2perm_instruction
void mutate_poseidon2perm_instruction(POSEIDON2PERM_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1293
bb::avm2::fuzzer::mutate_keccakf1600_instruction
void mutate_keccakf1600_instruction(KECCAKF1600_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1306
bb::avm2::fuzzer::mutate_not_16_instruction
void mutate_not_16_instruction(NOT_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:978
bb::avm2::fuzzer::mutate_call_instruction
void mutate_call_instruction(CALL_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1192
bb::avm2::fuzzer::mutate_cast_16_instruction
void mutate_cast_16_instruction(CAST_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1007
bb::avm2::fuzzer::mutate_emit_note_hash_instruction
void mutate_emit_note_hash_instruction(EMITNOTEHASH_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1107
bb::avm2::fuzzer::get_param_ref_tag
std::optional< MemoryTag > get_param_ref_tag(const ParamRef &param)
Definition instruction.cpp:793
bb::avm2::fuzzer::mutate_nullifier_exists_instruction
void mutate_nullifier_exists_instruction(NULLIFIEREXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1075
bb::avm2::fuzzer::mutate_set_16_instruction
void mutate_set_16_instruction(SET_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:863
bb::avm2::fuzzer::mutate_instruction
void mutate_instruction(FuzzInstruction &instruction, std::mt19937_64 &rng, const FuzzerContext &context)
Definition instruction.cpp:1360
bb::avm2::fuzzer::mutate_sload_instruction
void mutate_sload_instruction(SLOAD_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1039
bb::avm2::fuzzer::mutate_sstore_instruction
void mutate_sstore_instruction(SSTORE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1023
bb::avm2::fuzzer::mutate_calldatacopy_instruction
void mutate_calldatacopy_instruction(CALLDATACOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1138
bb::avm2::fuzzer::mutate_getenvvar_instruction
void mutate_getenvvar_instruction(GETENVVAR_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1055
bb::avm2::fuzzer::mutate_address_ref
void mutate_address_ref(AddressRef &address, std::mt19937_64 &rng, uint32_t max_operand_value)
Definition instruction.cpp:756
bb::avm2::fuzzer::mutate_returndatasize_with_returndatacopy_instruction
void mutate_returndatasize_with_returndatacopy_instruction(RETURNDATASIZE_WITH_RETURNDATACOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1220
bb::avm2::fuzzer::mutate_ecadd_instruction
void mutate_ecadd_instruction(ECADD_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1264
bb::avm2::fuzzer::mutate_set_32_instruction
void mutate_set_32_instruction(SET_32_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:879
bb::avm2::fuzzer::mutate_note_hash_exists_instruction
void mutate_note_hash_exists_instruction(NOTEHASHEXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1119
bb::avm2::fuzzer::mutate_set_128_instruction
void mutate_set_128_instruction(SET_128_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:911
bb::avm2::fuzzer::mutate_mov_8_instruction
void mutate_mov_8_instruction(MOV_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:946
bb::avm2::fuzzer::mutate_emitunencryptedlog_instruction
void mutate_emitunencryptedlog_instruction(EMITUNENCRYPTEDLOG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1179
bb::avm2::fuzzer::mutate_toradixbe_instruction
void mutate_toradixbe_instruction(TORADIXBE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1335
bb::avm2::fuzzer::mutate_not_8_instruction
void mutate_not_8_instruction(NOT_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:834
bb::avm2::fuzzer::mutate_binary_instruction_8
void mutate_binary_instruction_8(BinaryInstructionType &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:801
bb::avm2::fuzzer::mutate_set_ff_instruction
void mutate_set_ff_instruction(SET_FF_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:930
bb::avm2::fuzzer::generate_instruction
std::vector< FuzzInstruction > generate_instruction(std::mt19937_64 &rng, const FuzzerContext &context)
Generate one instruction and optionally backfill.
Definition instruction.cpp:537
bb::avm2::fuzzer::mutate_set_64_instruction
void mutate_set_64_instruction(SET_64_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:895
bb::avm2::fuzzer::mutate_emit_nullifier_instruction
void mutate_emit_nullifier_instruction(EMITNULLIFIER_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1068
bb::avm2::fuzzer::mutate_getcontractinstance_instruction
void mutate_getcontractinstance_instruction(GETCONTRACTINSTANCE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1238
bb::avm2::fuzzer::mutate_binary_instruction_16
void mutate_binary_instruction_16(BinaryInstructionType &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:818
bb::avm2::fuzzer::mutate_mov_16_instruction
void mutate_mov_16_instruction(MOV_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:962
bb::avm2::fuzzer::mutate_sha256compression_instruction
void mutate_sha256compression_instruction(SHA256COMPRESSION_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1319
bb::avm2::fuzzer::mutate_set_8_instruction
void mutate_set_8_instruction(SET_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:847
bb::avm2::fuzzer::mutate_cast_8_instruction
void mutate_cast_8_instruction(CAST_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:991
bb::avm2::fuzzer::mutate_successcopy_instruction
void mutate_successcopy_instruction(SUCCESSCOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1254
bb::avm2::fuzzer::mutate_sendl2tol1msg_instruction
void mutate_sendl2tol1msg_instruction(SENDL2TOL1MSG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1160
bb::avm2::fuzzer::mutate_param_ref
void mutate_param_ref(ParamRef &param, std::mt19937_64 &rng, std::optional< MemoryTag > default_tag, uint32_t max_operand_value)
Definition instruction.cpp:783
bb::avm2::Fq
AvmFlavorSettings::G1::Fq Fq
Definition field.hpp:11
bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
value
FF value
Definition public_data_tree.test.cpp:97
ADD_16_Instruction
mem[result_offset] = mem[a_address] + mem[b_address] (16-bit)
Definition instruction.hpp:320
ADD_8_Instruction
mem[result_offset] = mem[a_address] + mem[b_address]
Definition instruction.hpp:146
AND_16_Instruction
mem[result_offset] = mem[a_address] & mem[b_address] (16-bit)
Definition instruction.hpp:383
AND_8_Instruction
mem[result_offset] = mem[a_address] & mem[b_address]
Definition instruction.hpp:209
AddressRef::address
uint32_t address
Definition instruction.hpp:118
CALL_Instruction
Definition instruction.hpp:546
CALL_Instruction::l2_gas_address
ParamRef l2_gas_address
Definition instruction.hpp:547
CALLDATACOPY_Instruction
CALLDATACOPY: M[dstOffset:dstOffset+M[copySizeOffset]] = calldata[M[cdStartOffset]:M[cdStartOffset]+M...
Definition instruction.hpp:523
CALLDATACOPY_Instruction::dst_address
AddressRef dst_address
Definition instruction.hpp:524
CAST_16_Instruction
CAST_16: cast mem[src_offset_index] to target_tag and store at dst_offset.
Definition instruction.hpp:438
CAST_16_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:440
CAST_8_Instruction
CAST_8: cast mem[src_offset_index] to target_tag and store at dst_offset.
Definition instruction.hpp:429
CAST_8_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:431
DIV_16_Instruction
mem[result_offset] = mem[a_address] / mem[b_address] (16-bit)
Definition instruction.hpp:344
DIV_8_Instruction
mem[result_offset] = mem[a_address] / mem[b_address]
Definition instruction.hpp:170
ECADD_Instruction
Definition instruction.hpp:590
ECADD_Instruction::p1_x
ParamRef p1_x
Definition instruction.hpp:591
EMITNOTEHASH_Instruction
EMITNOTEHASH: M[note_hash_offset] = note_hash; emit note hash to the note hash tree.
Definition instruction.hpp:498
EMITNOTEHASH_Instruction::note_hash_address
AddressRef note_hash_address
Definition instruction.hpp:499
EMITNULLIFIER_Instruction
EMITNULIFIER: inserts new nullifier to the nullifier tree.
Definition instruction.hpp:473
EMITNULLIFIER_Instruction::nullifier_address
ParamRef nullifier_address
Definition instruction.hpp:474
EMITUNENCRYPTEDLOG_Instruction
Definition instruction.hpp:540
EMITUNENCRYPTEDLOG_Instruction::log_size_address
ParamRef log_size_address
Definition instruction.hpp:541
EQ_16_Instruction
mem[result_offset] = mem[a_address] == mem[b_address] (16-bit)
Definition instruction.hpp:359
EQ_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:360
EQ_8_Instruction
mem[result_offset] = mem[a_address] == mem[b_address]
Definition instruction.hpp:185
EQ_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:186
FDIV_16_Instruction
Definition instruction.hpp:351
FDIV_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:352
FDIV_8_Instruction
Definition instruction.hpp:177
FDIV_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:178
GETCONTRACTINSTANCE_Instruction
Definition instruction.hpp:578
GETCONTRACTINSTANCE_Instruction::contract_address_address
ParamRef contract_address_address
Definition instruction.hpp:579
GETENVVAR_Instruction
GETENVVAR: M[result_offset] = getenvvar(type)
Definition instruction.hpp:463
GETENVVAR_Instruction::result_address
AddressRef result_address
Definition instruction.hpp:464
KECCAKF1600_Instruction
KECCAKF1600: Perform Keccak-f[1600] permutation on 25 U64 values M[dst_address:dst_address+25] = kecc...
Definition instruction.hpp:611
KECCAKF1600_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:612
L1TOL2MSGEXISTS_Instruction
L1TOL2MSGEXISTS: Check if a L1 to L2 message exists M[result_address] = L1TOL2MSGEXISTS(M[msg_hash_ad...
Definition instruction.hpp:490
L1TOL2MSGEXISTS_Instruction::msg_hash_address
ParamRef msg_hash_address
Definition instruction.hpp:491
LT_16_Instruction
mem[result_offset] = mem[a_address] < mem[b_address] (16-bit)
Definition instruction.hpp:367
LT_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:368
LT_8_Instruction
mem[result_offset] = mem[a_address] < mem[b_address]
Definition instruction.hpp:193
LT_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:194
LTE_16_Instruction
mem[result_offset] = mem[a_address] <= mem[b_address] (16-bit)
Definition instruction.hpp:375
LTE_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:376
LTE_8_Instruction
mem[result_offset] = mem[a_address] <= mem[b_address]
Definition instruction.hpp:201
LTE_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:202
MOV_16_Instruction
MOV_16 instruction: mem[dst_offset] = mem[src_offset].
Definition instruction.hpp:312
MOV_16_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:313
MOV_8_Instruction
MOV_8 instruction: mem[dst_offset] = mem[src_offset].
Definition instruction.hpp:304
MOV_8_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:305
MUL_16_Instruction
mem[result_offset] = mem[a_address] * mem[b_address] (16-bit)
Definition instruction.hpp:336
MUL_8_Instruction
mem[result_offset] = mem[a_address] * mem[b_address]
Definition instruction.hpp:162
NOT_16_Instruction
Definition instruction.hpp:406
NOT_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:407
NOT_8_Instruction
Definition instruction.hpp:232
NOT_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:233
NOTEHASHEXISTS_Instruction
NOTEHASHEXISTS: M[result_offset] = NOTEHASHEXISTS(M[notehash_offset], M[leaf_index_offset]) len = len...
Definition instruction.hpp:509
NOTEHASHEXISTS_Instruction::notehash_index
uint16_t notehash_index
Definition instruction.hpp:511
NULLIFIEREXISTS_Instruction
NULLIFIEREXISTS: checks if nullifier exists in the nullifier tree Gets contract's address by GETENVVA...
Definition instruction.hpp:481
NULLIFIEREXISTS_Instruction::nullifier_address
ParamRef nullifier_address
Definition instruction.hpp:482
OR_16_Instruction
mem[result_offset] = mem[a_address] | mem[b_address] (16-bit)
Definition instruction.hpp:391
OR_8_Instruction
mem[result_offset] = mem[a_address] | mem[b_address]
Definition instruction.hpp:217
POSEIDON2PERM_Instruction
POSEIDON2PERM: Perform Poseidon2 permutation on 4 FF values M[dst_address:dst_address+4] = poseidon2_...
Definition instruction.hpp:603
POSEIDON2PERM_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:604
RETURNDATASIZE_WITH_RETURNDATACOPY_Instruction
: RETURNDATASIZE + RETURNDATACOPY:
Definition instruction.hpp:570
RETURNDATASIZE_WITH_RETURNDATACOPY_Instruction::copy_size_offset
uint16_t copy_size_offset
Definition instruction.hpp:571
SENDL2TOL1MSG_Instruction
Definition instruction.hpp:532
SENDL2TOL1MSG_Instruction::recipient
bb::avm2::FF recipient
Definition instruction.hpp:533
SET_128_Instruction
SET_128 instruction.
Definition instruction.hpp:287
SET_128_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:288
SET_16_Instruction
SET_16 instruction.
Definition instruction.hpp:263
SET_16_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:264
SET_32_Instruction
SET_32 instruction.
Definition instruction.hpp:271
SET_32_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:272
SET_64_Instruction
SET_64 instruction.
Definition instruction.hpp:279
SET_64_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:280
SET_8_Instruction
SET_8 instruction.
Definition instruction.hpp:255
SET_8_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:256
SET_FF_Instruction
SET_FF instruction.
Definition instruction.hpp:296
SET_FF_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:297
SHA256COMPRESSION_Instruction
SHA256COMPRESSION: Perform SHA256 compression M[dst_address:dst_address+8] = sha256_compression(M[sta...
Definition instruction.hpp:620
SHA256COMPRESSION_Instruction::state_address
ParamRef state_address
Definition instruction.hpp:621
SHL_16_Instruction
mem[result_offset] = mem[a_address] << mem[b_address] (16-bit)
Definition instruction.hpp:413
SHL_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:414
SHL_8_Instruction
mem[result_offset] = mem[a_address] << mem[b_address]
Definition instruction.hpp:239
SHL_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:240
SHR_16_Instruction
mem[result_offset] = mem[a_address] >> mem[b_address] (16-bit)
Definition instruction.hpp:421
SHR_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:422
SHR_8_Instruction
mem[result_offset] = mem[a_address] >> mem[b_address]
Definition instruction.hpp:247
SHR_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:248
SLOAD_Instruction
SLOAD: M[slot_offset] = slot; M[result_offset] = S[M[slotOffset]].
Definition instruction.hpp:455
SLOAD_Instruction::slot_index
uint16_t slot_index
Definition instruction.hpp:456
SSTORE_Instruction
SSTORE: M[slot_offset_index] = slot; S[M[slotOffset]] = M[srcOffset].
Definition instruction.hpp:447
SSTORE_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:448
SUB_16_Instruction
mem[result_offset] = mem[a_address] - mem[b_address] (16-bit)
Definition instruction.hpp:328
SUB_8_Instruction
mem[result_offset] = mem[a_address] - mem[b_address]
Definition instruction.hpp:154
SUCCESSCOPY_Instruction
Definition instruction.hpp:585
SUCCESSCOPY_Instruction::dst_address
AddressRef dst_address
Definition instruction.hpp:586
TORADIXBE_Instruction
TORADIXBE: Convert a field element to a vector of limbs in big-endian radix representation M[dst_addr...
Definition instruction.hpp:629
TORADIXBE_Instruction::value_address
ParamRef value_address
Definition instruction.hpp:630
VariableRef::mode
AddressingModeWrapper mode
Definition instruction.hpp:112
VariableRef::base_offset_seed
uint32_t base_offset_seed
A seed for the generation of the base offset Used for Relative/IndirectRelative modes only Sets M[0] ...
Definition instruction.hpp:111
VariableRef::index
uint32_t index
Index of the variable in the memory_manager.stored_variables map.
Definition instruction.hpp:102
VariableRef::tag
MemoryTagWrapper tag
Definition instruction.hpp:100
VariableRef::pointer_address_seed
uint16_t pointer_address_seed
A seed for the generation of the pointer address Used for Indirect/IndirectRelative modes only.
Definition instruction.hpp:106
XOR_16_Instruction
mem[result_offset] = mem[a_address] ^ mem[b_address] (16-bit)
Definition instruction.hpp:399
XOR_8_Instruction
mem[result_offset] = mem[a_address] ^ mem[b_address]
Definition instruction.hpp:225
bb::field::is_zero
BB_INLINE constexpr bool is_zero() const noexcept
Definition field_impl.hpp:658
mutate_uint16_t
void mutate_uint16_t(uint16_t &value, std::mt19937_64 &rng, const Uint16MutationConfig &config)
Definition uint16_t.cpp:4
uint16_t.hpp
mutate_uint32_t
void mutate_uint32_t(uint32_t &value, std::mt19937_64 &rng, const Uint32MutationConfig &config)
Definition uint32_t.cpp:4
uint32_t.hpp
mutate_uint64_t
void mutate_uint64_t(uint64_t &value, std::mt19937_64 &rng, const Uint64MutationConfig &config)
Definition uint64_t.cpp:4
uint64_t.hpp
mutate_uint8_t
void mutate_uint8_t(uint8_t &value, std::mt19937_64 &rng, const Uint8MutationConfig &config)
Definition uint8_t.cpp:4
uint8_t.hpp
generate_random_uint64
uint64_t generate_random_uint64(std::mt19937_64 &rng)
Definition uint_mutations.hpp:140
generate_random_uint32
uint32_t generate_random_uint32(std::mt19937_64 &rng)
Definition uint_mutations.hpp:135
generate_random_uint16
uint16_t generate_random_uint16(std::mt19937_64 &rng)
Definition uint_mutations.hpp:130
generate_random_uint8
uint8_t generate_random_uint8(std::mt19937_64 &rng)
Definition uint_mutations.hpp:125