@AztecBot AztecBot commented Jan 15, 2026

BEGIN_COMMIT_OVERRIDE
feat(avm): contract instance mutation (#19499)
fix(avm): Fix note hash exists fuzzing (#19616)
fix(avm): Build trace on coverage prover runs (#19627)
chore(avm): Use PC alias type consistently (#19625)
feat(avm): mutate global gas fees and timestamp (#19500)
docs: avm docs (#19603)
fix(avm): Increase chances of fuzzer finding limits (#19656)
fix(avm)!: de-risk memory injection attacks (#19620)
fix(avm): Fix TS ECC add infinity handling (#19657)
fix(avm): Fix jumpif in fuzzer (#19655)
feat(avm): protocol contract mutations (#19586)
chore(avm): analyze fuzzer corpus distribution (#19614)
feat(avm): fuzzer treats enqueued call size as coverage (#19615)
refactor(avm): Refactor calldata copy and return data copy fuzzing (#19666)
feat(avm): boundary values for mutations (#19617)
END_COMMIT_OVERRIDE

Mutations for contract instances

Now we allow prefilling the tree with some note hashes and we notify
instruction generation with existing note hashes (prefill +
nonrevertible inserted)

@ludamad ludamad left a comment

🤖 Auto-approved

@AztecBot AztecBot added this pull request to the merge queue Jan 15, 2026
@AztecBot

🤖 Auto-merge enabled after 4 hours of inactivity. This PR will be merged automatically once all checks pass.

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 15, 2026
@jeanmon jeanmon requested a review from Maddiaa0 as a code owner January 16, 2026 11:27
sirasistant and others added 14 commits January 16, 2026 12:41
Fuzzer revealed issues in infinity handling in ts

Protocol contract mutations turned out to be much more complex. Might've
been easier to implement a hardcoded set.

We need to ensure we re-validate the enqueued calls whenever we mutate
the protocol contracts since we could have invalidated some addresses.

Note: The TS simulation required a change to match the cpp simulator

Running `./run_fuzzer.sh analyze` outputs some statistics about the
current tx corpus

```
Corpus directory: ../src/barretenberg/avm_fuzzer/corpus/tx

Files processed: 836
Files failed: 0
Total input programs: 6408

=== Opcode Histogram ===
SET_32             :    48847  ########################################
SET_8              :    23209  ###################
SET_16             :    11977  ##########
SET_FF             :     6527  #####
RETURN             :     6510  #####
SET_64             :     4418  ####
SET_128            :     1743  #
GETENVVAR_16       :      614  #
SUCCESSCOPY        :      538
RETURNDATACOPY     :      522
RETURNDATASIZE     :      522
XOR_8              :      498
POSEIDON2PERM      :      471
SSTORE             :      459
EMITNOTEHASH       :      453
SENDL2TOL1MSG      :      448
CALLDATACOPY       :      434
SUB_16             :      398
ADD_8              :      392
OR_8               :      389
XOR_16             :      378
TORADIXBE          :      374
EMITUNENCRYPTEDLOG :      366
DIV_8              :      363
SUB_8              :      360
AND_8              :      358
OR_16              :      352
GETCONTRACTINSTANCE:      351
MUL_8              :      333
MUL_16             :      318
FDIV_8             :      296
ADD_16             :      291
DIV_16             :      282
SLOAD              :      276
AND_16             :      274
ECADD              :      241
NOT_8              :      238
EMITNULLIFIER      :      231
JUMP_32            :      213
KECCAKF1600        :      209
CAST_8             :      189
STATICCALL         :      187
SHA256COMPRESSION  :      187
CAST_16            :      186
NOT_16             :      181
NULLIFIEREXISTS    :      171
MOV_8              :      158
MOV_16             :      151
SHR_16             :      142
EQ_16              :      138
CALL               :      134
SHL_16             :      130
JUMPI_32           :      125
FDIV_16            :      122
LT_16              :      120
LT_8               :      111
LTE_16             :      105
LTE_8              :      105
SHL_8              :      102
L1TOL2MSGEXISTS    :      100
EQ_8               :       93
SHR_8              :       92
DEBUGLOG           :       60
INTERNALRETURN     :       25
INTERNALCALL       :       25
NOTEHASHEXISTS     :       14
REVERT_16          :       13

=== Opcode Statistics ===
Total instructions: 118639
Unique opcodes used: 67/68
Missing opcodes (1): REVERT_8
Most common: SET_32 (48847)
Least common: REVERT_16 (13)

=== Enqueued Calls Statistics ===

Setup Calls:
  Mean: 0.28, Median: 0.00, Mode: 0
  Histogram: 0(638) 1(178) 2(10) 3(6) 4(3) 5(1)

App Logic Calls:
  Mean: 1.09, Median: 1.00, Mode: 1
  Histogram: 1(789) 2(32) 3(7) 4(6) 5(2)

Teardown Calls:
  Mean: 0.09, Median: 0.00, Mode: 0
  Histogram: 0(761) 1(75)

Multi-Phase Transactions:
  Txs with calls in multiple phases: 249
  Txs with setup + app_logic only: 174
  Txs with setup + teardown only: 0
  Txs with app_logic + teardown only: 51
  Txs with all three phases: 24
```

Incentivise the fuzzer to make more enqueued calls during each run by
rewarding it with coverage progress

Some Claude-suggested boundary conditions for the fuzzer

AztecBot commented Jan 16, 2026

Flakey Tests

🤖 says: This CI run detected 1 tests that failed, but were tolerated due to a .test_patterns.yml entry.

FLAKED (http://ci.aztec-labs.com/bf1e0cf6ae1b1da5): yarn-project/end-to-end/scripts/run_test.sh simple src/e2e_epochs/epochs_invalidate_block.parallel.test.ts "committee member invalidates a block if proposer does not come through" (96s) (code: 1) group:e2e-p2p-epoch-flakes (Ilyas Ridhuan: feat(avm): boundary values for mutations (#19617))

@AztecBot

🤖 Auto-merge enabled after 4 hours of inactivity. This PR will be merged automatically once all checks pass.

@AztecBot AztecBot enabled auto-merge January 16, 2026 20:14