crytic · anishnaik · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024
@@ -7,6 +7,7 @@
     "callSequenceLength": 100,
     "corpusDirectory": "",
     "coverageEnabled": true,
+    "experimentalValueGenerationEnabled": true,
     "targetContracts": [],
     "targetContractsBalances": [],
     "constructorArgs": {},

@@ -142,6 +142,10 @@ type TestingConfig struct {
 	// OptimizationTesting describes the configuration used for optimization testing.
 	OptimizationTesting OptimizationTestingConfig `json:"optimizationTesting"`
 
+	// ExperimentalValueGenerationEnabled describes the configuration used for testing of collection
+	// and addition of interesting values found during EVM execution to base value set
+	ExperimentalValueGenerationEnabled bool `json:"experimentalValueGenerationEnabled"`
+
 	// TargetFunctionSignatures is a list function signatures call the fuzzer should exclusively target by omitting calls to other signatures.
 	// The signatures should specify the contract name and signature in the ABI format like `Contract.func(uint256,bytes32)`.
 	TargetFunctionSignatures []string `json:"targetFunctionSignatures"`

@@ -64,6 +64,7 @@ func GetDefaultProjectConfig(platform string) (*ProjectConfig, error) {
 				TraceAll:                     false,
 				TargetFunctionSignatures:     []string{},
 				ExcludeFunctionSignatures:    []string{},
+				ExperimentalValueGenerationEnabled: false,
 				AssertionTesting: AssertionTestingConfig{
 					Enabled:         true,
 					TestViewMethods: false,

@@ -1,11 +1,11 @@
 package executiontracer
 
 import (
+	"github.com/crytic/medusa/utils"
 	"math/big"
 
 	"github.com/crytic/medusa/chain"
 	"github.com/crytic/medusa/fuzzing/contracts"
-	"github.com/crytic/medusa/utils"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/core"
 	"github.com/ethereum/go-ethereum/core/state"

@@ -936,3 +936,59 @@ func TestExcludeFunctionSignatures(t *testing.T) {
 			}
 		}})
 }
+
+// TestExperimentalValueGeneration runs tests to ensure whether interesting values collected
+// during EVM execution is added to the base value set. In addition, it makes sure that the base value set is reset to
+// default after the end of each call sequence execution
+func TestExperimentalValueGeneration(t *testing.T) {
+	filePaths := []string{
+		"testdata/contracts/valuegeneration_tracing/event_and_return_value_emission.sol",
+	}
+
+	for _, filePath := range filePaths {
+		runFuzzerTest(t, &fuzzerSolcFileTest{
+			filePath: filePath,
+			configUpdates: func(config *config.ProjectConfig) {
+				config.Fuzzing.TargetContracts = []string{"TestContract"}
+				config.Fuzzing.TestLimit = 500
+				config.Fuzzing.Testing.PropertyTesting.Enabled = false
+				config.Fuzzing.Testing.OptimizationTesting.Enabled = false
+				config.Fuzzing.Workers = 1
+				config.Fuzzing.Testing.ExperimentalValueGenerationEnabled = true
+			},
+			method: func(f *fuzzerTestContext) {
+				valueSet := f.fuzzer.baseValueSet
+				f.fuzzer.Events.WorkerCreated.Subscribe(func(event FuzzerWorkerCreatedEvent) error {
+					event.Worker.Events.FuzzerWorkerChainSetup.Subscribe(func(event FuzzerWorkerChainSetupEvent) error {
+						event.Worker.chain.Events.PendingBlockAddedTx.Subscribe(func(event chain.PendingBlockAddedTxEvent) error {
+							if valueGenerationResults, ok := event.Block.MessageResults[event.TransactionIndex-1].AdditionalResults["ValueGenerationTracerResults"].([]any); ok {
+								f.fuzzer.workers[0].valueSet.Add(valueGenerationResults)
+								res := experimentalValuesAddedToBaseValueSet(f, valueGenerationResults)
+								assert.True(t, res)
+							}
+							// just check if these values are added to value set
+							//msgResult[event.TransactionIndex].AdditionalResults
+							// make sure to use CallSequenceTested event to see if the base value set
+							// is reset at the end of each sequence
+							//fmt.Printf("MsgResult: %v\n", msgResult[event.TransactionIndex].AdditionalResults)
+							return nil
+						})
+						// This will make sure that the base value set is reset after the end of execution of each
+						// call sequence
+						event.Worker.Events.CallSequenceTested.Subscribe(func(event FuzzerWorkerCallSequenceTestedEvent) error {
+							sequenceValueSet := f.fuzzer.baseValueSet
+							assert.EqualValues(t, valueSet, sequenceValueSet)
+							return nil
+						})
+						return nil
+					})
+					return nil
+				})
+				err := f.fuzzer.Start()
+
+				assert.NoError(t, err)
+
+			},
+		})
+	}
+}
diff --git a/fuzzing/fuzzer_test_methods_test.go b/fuzzing/fuzzer_test_methods_test.go
@@ -1,6 +1,8 @@
 package fuzzing
 
 import (
+	"github.com/ethereum/go-ethereum/common"
+	"math/big"
 	"testing"
 
 	"github.com/crytic/medusa/compilation"
@@ -111,3 +113,32 @@ func expectEventEmitted[T any](f *fuzzerTestContext, eventEmitter *events.EventE
 		assert.Greater(f.t, f.eventCounter[eventType], 0, "Event was not emitted at all")
 	})
 }
+
+// experimentalValuesAddedToBaseValueSet will ensure whether collected EVM values during execution of the current
+// transaction is added to the base value set
+func experimentalValuesAddedToBaseValueSet(f *fuzzerTestContext, valueGenerationResults any) bool {
+	var allAdded bool
+	currentValueSet := f.fuzzer.workers[0].valueSet
+	if valGenResults, ok := valueGenerationResults.([]any); ok {
+		for _, eventOrReturnValues := range valGenResults {
+			if values, ok := eventOrReturnValues.([]any); ok {
+				for _, value := range values {
+					switch v := value.(type) {
+					case *big.Int:
+						allAdded = currentValueSet.ContainsInteger(v)
+					case common.Address:
+						allAdded = currentValueSet.ContainsAddress(v)
+					case string:
+						allAdded = currentValueSet.ContainsString(v)
+					case []byte:
+						allAdded = currentValueSet.ContainsBytes(v)
+					default:
+						// TODO(Sanan): A byte array with just one element is considered as default, fix.
+						continue
+					}
+				}
+			}
+		}
+	}
+	return allAdded
+}
@@ -2,6 +2,7 @@ package fuzzing
 
 import (
 	"fmt"
+	"github.com/crytic/medusa/fuzzing/valuegenerationtracer"
 	"math/big"
 	"math/rand"
 
@@ -29,6 +30,10 @@ type FuzzerWorker struct {
 	// coverageTracer describes the tracer used to collect coverage maps during fuzzing campaigns.
 	coverageTracer *coverage.CoverageTracer
 
+	// valueGenerationTracer represents the structure that is used for collecting "interesting" values during EVM
+	// execution, such as emitted event and return values of executed functions in one sequence.
+	valueGenerationTracer *valuegenerationtracer.ValueGenerationTracer
+
 	// testingBaseBlockNumber refers to the block number at which all contracts for testing have been deployed, prior
 	// to any fuzzing activity. This block number is reverted to after testing each call sequence to reset state.
 	testingBaseBlockNumber uint64
@@ -260,12 +265,21 @@ func (fw *FuzzerWorker) updateMethods() {
 // deployed in the Chain.
 // Returns the length of the call sequence tested, any requests for call sequence shrinking, or an error if one occurs.
 func (fw *FuzzerWorker) testNextCallSequence() (calls.CallSequence, []ShrinkCallSequenceRequest, error) {
+	// Copy the existing value set if experimental value generation is enabled
+	var originalValueSet *valuegeneration.ValueSet
+	if fw.fuzzer.config.Fuzzing.Testing.ExperimentalValueGenerationEnabled {
+		originalValueSet = fw.valueSet.Clone()
+	}
 	// After testing the sequence, we'll want to rollback changes to reset our testing state.
 	var err error
 	defer func() {
 		if err == nil {
 			err = fw.chain.RevertToBlockNumber(fw.testingBaseBlockNumber)
 		}
+		// Reset the value set if experimental value generation is enabled
+		if fw.fuzzer.config.Fuzzing.Testing.ExperimentalValueGenerationEnabled {
+			fw.valueSet = originalValueSet
+		}
 	}()
 
 	// Initialize a new sequence within our sequence generator.
@@ -294,6 +308,16 @@ func (fw *FuzzerWorker) testNextCallSequence() (calls.CallSequence, []ShrinkCall
 			return true, err
 		}
 
+		// Add event and return values to the value set if experimental value generation is enabled
+		if fw.fuzzer.config.Fuzzing.Testing.ExperimentalValueGenerationEnabled {
+			lastExecutedSequenceElement := currentlyExecutedSequence[len(currentlyExecutedSequence)-1]
+
+			if values, ok := lastExecutedSequenceElement.ChainReference.MessageResults().AdditionalResults["ValueGenerationTracerResults"].([]any); ok {
+				fw.valueSet.Add(values)
+			}
+
+		}
+
 		// Loop through each test function, signal our worker tested a call, and collect any requests to shrink
 		// this call sequence.
 		for _, callSequenceTestFunc := range fw.fuzzer.Hooks.CallSequenceTestFuncs {
@@ -557,6 +581,13 @@ func (fw *FuzzerWorker) run(baseTestChain *chain.TestChain) (bool, error) {
 			fw.coverageTracer = coverage.NewCoverageTracer()
 			initializedChain.AddTracer(fw.coverageTracer.NativeTracer(), true, false)
 		}
+
+		// If we enabled experimental value generation, create a tracer to collect interesting values during EVM
+		// execution and connect it to the chain
+		if fw.fuzzer.config.Fuzzing.Testing.ExperimentalValueGenerationEnabled {
+			fw.valueGenerationTracer = valuegenerationtracer.NewValueGenerationTracer(fw.fuzzer.contractDefinitions)
+			initializedChain.AddTracer(fw.valueGenerationTracer.NativeTracer(), true, false)
+		}
 		return nil
 	})
 

@@ -2,12 +2,11 @@ package fuzzing
 
 import (
 	"fmt"
-	"math/big"
-
 	"github.com/crytic/medusa/fuzzing/calls"
 	"github.com/crytic/medusa/fuzzing/valuegeneration"
 	"github.com/crytic/medusa/utils"
 	"github.com/crytic/medusa/utils/randomutils"
+	"math/big"
 )
 
 // CallSequenceGenerator generates call sequences iteratively per element, for use in fuzzing campaigns. It is attached
@@ -164,6 +163,13 @@ func NewCallSequenceGenerator(worker *FuzzerWorker, config *CallSequenceGenerato
 			},
 			new(big.Int).SetUint64(config.RandomMutatedCorpusTailWeight),
 		),
+		randomutils.NewWeightedRandomChoice(
+			CallSequenceGeneratorMutationStrategy{
+				CallSequenceGeneratorFunc: callSeqGenFuncDuplicateAtRandom,
+				PrefetchModifyCallFunc:    prefetchModifyCallFuncMutate,
+			},
+			new(big.Int).SetUint64(config.RandomMutatedCorpusTailWeight),
+		),
 		randomutils.NewWeightedRandomChoice(
 			CallSequenceGeneratorMutationStrategy{
 				CallSequenceGeneratorFunc: callSeqGenFuncSpliceAtRandom,
@@ -368,6 +374,22 @@ func callSeqGenFuncCorpusTail(sequenceGenerator *CallSequenceGenerator, sequence
 	return nil
 }
 
+// callSeqGenFuncDuplicateAtRandom is a CallSequenceGeneratorFunc which prepares a CallSequenceGenerator to generate a sequence
+// which duplicates a call sequence element at index N and inserts it at N+1
+// if random index is len(sequence)-1, it inserts the duplicated call sequence element at N-1
+func callSeqGenFuncDuplicateAtRandom(sequenceGenerator *CallSequenceGenerator, sequence calls.CallSequence) error {
+	randIndex := sequenceGenerator.worker.randomProvider.Intn(len(sequence))
+	duplicatedElement := sequence[randIndex]
+
+	if randIndex == len(sequence)-1 {
+		sequence[randIndex-1] = duplicatedElement
+	} else {
+		sequence[randIndex+1] = duplicatedElement
+	}
+
+	return nil
+}
+
 // callSeqGenFuncSpliceAtRandom is a CallSequenceGeneratorFunc which prepares a CallSequenceGenerator to generate a
 // sequence which is based off of two corpus call sequence entries, from which a random length head and tail are
 // respectively sliced and joined together.

@@ -0,0 +1,47 @@
+pragma solidity ^0.8.0;
+
+contract AnotherContract {
+    // This function returns a variety of values that need to be captured in the value set
+    function testAnotherFunction(uint256 x) public pure returns (uint256, int256, string memory, address, bytes memory, bytes4) {
+        // Fix the values we want to return
+        uint256 myUint = 3;
+        int256 myInt = 4;
+        string memory myStr = "another string";
+        address myAddr = address(0x5678);
+        bytes memory myBytes = "another byte array";
+        bytes4 fixedBytes = "word";
+
+        return (myUint, myInt, myStr, myAddr, myBytes, fixedBytes);
+    }
+}
+
+contract TestContract {
+    AnotherContract public anotherContract;
+
+    event EventValues(uint indexed myUint, int myInt, string myStr, address myAddr, bytes myBytes, bytes4 fixedBytes);
+
+    // Deploy AnotherContract within the TestContract
+    constructor() {
+        anotherContract = new AnotherContract();
+    }
+
+    function testFunction(uint x) public {
+        // Fix the values we want to emit
+        uint256 myUint = 1;
+        int256 myInt = 2;
+        string memory myStr = "string";
+        address myAddr = address(0x1234);
+        bytes memory myBytes = "byte array";
+        bytes4 fixedBytes = "byte";
+
+        // Call an external contract
+        anotherContract.testAnotherFunction(x);
+
+        // Emit an event in this call frame
+        emit EventValues(myUint, myInt, myStr, myAddr, myBytes, fixedBytes);
+
+        // ASSERTION: We always fail when you call this function.
+        assert(false);
+
+    }
+}
@@ -172,3 +172,22 @@ func (vs *ValueSet) RemoveBytes(b []byte) {
 
 	delete(vs.bytes, hashStr)
 }
+
+// Add adds one or more values. Note the values could be any primitive type (integer, address, string, bytes)
+func (vs *ValueSet) Add(values []any) {
+	// Iterate across each value and assert on its type
+	for _, value := range values {
+		switch v := value.(type) {
+		case *big.Int:
+			vs.AddInteger(v)
+		case common.Address:
+			vs.AddAddress(v)
+		case string:
+			vs.AddString(v)
+		case []byte:
+			vs.AddBytes(v)
+		default:
+			continue
+		}
+	}
+}