
Using AST to seed the fuzzer dictionary

Open MiloTruck opened this issue 8 months ago • 1 comments

Component

Forge

Describe the feature you would like

Currently, the fuzzer fails to break this very simple test case:

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

contract Hash is Test {
    // The only input that breaks this assertion is v == "hello".
    function testHash(bytes memory v) external {
        assert(keccak256(v) != keccak256("hello"));
    }
}
```

My understanding is that the dictionary is seeded using PUSH values from bytecode, so it will not find any constants that are "optimized away" by the compiler. For the example above, keccak256("hello") becomes a PUSH32 with its keccak256 hash in bytecode, as shown below:

PUSH32 1c8aff950685c2ed4bc3174f3472287b56d9517b9c948127319a09a7a36deac8

As a result, the dictionary will never have "hello".

From what I know, Echidna/Medusa seed their dictionary using outputs from slither, so they do not struggle with this case. It may be beneficial for Foundry to perform some form of AST analysis before fuzzing (in this case, it would just be collecting all literals and constants).

Additional context

No response

MiloTruck avatar Apr 02 '25 11:04 MiloTruck
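An added example, not Foundry's or solar's code, of the literal-collection step proposed above: it walks a hand-constructed solc-style JSON AST fragment for the `keccak256(v) != keccak256("hello")` assertion, collects every string and number Literal as a dictionary entry, and includes a small keccak256 so the reader can confirm that hashing the collected "hello" gives exactly the PUSH32 constant shown in the issue, which is all a bytecode scan sees.

```python
# Illustrative only: seed a fuzz dictionary from the AST rather than from bytecode PUSH values.
RC = [0x1, 0x8082, 0x800000000000808a, 0x8000000080008000, 0x808b, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8a, 0x88, 0x80008009, 0x8000000a,
      0x8000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003, 0x8000000000008002,
      0x8000000000000080, 0x800a, 0x800000008000000a, 0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def keccak_f(A):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, indexed A[x + 5*y]."""
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF
    for rc in RC:
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A, B = [A[i] ^ D[i % 5] for i in range(25)], [0] * 25  # theta
        for i in range(25):  # rho + pi: B[y, 2x+3y] = rol(A[x, y], r[x, y])
            B[i // 5 + 5 * ((2 * (i % 5) + 3 * (i // 5)) % 5)] = rol(A[i], ROT[i % 5][i // 5])
        A = [B[i] ^ (~B[(i + 1) % 5 + 5 * (i // 5)] & B[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        A[0] ^= rc  # iota
    return A

def keccak256(data: bytes) -> bytes:
    """Ethereum keccak256: rate 136 bytes, original Keccak 0x01 padding (not SHA3-256's 0x06)."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    A = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            A[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_f(A)
    return b"".join(A[i].to_bytes(8, "little") for i in range(4))

# Constructed solc-style AST for `keccak256(v) != keccak256("hello")` (not real compiler output).
AST = {"nodeType": "BinaryOperation", "operator": "!=",
       "leftExpression": {"nodeType": "FunctionCall", "expression": {"nodeType": "Identifier", "name": "keccak256"},
                          "arguments": [{"nodeType": "Identifier", "name": "v"}]},
       "rightExpression": {"nodeType": "FunctionCall", "expression": {"nodeType": "Identifier", "name": "keccak256"},
                           "arguments": [{"nodeType": "Literal", "kind": "string", "value": "hello"}]}}

def collect_literals(node, out=None):
    """Recursively gather string/number Literal nodes as byte strings for the fuzz dictionary."""
    out = set() if out is None else out
    if isinstance(node, dict):
        if node.get("nodeType") == "Literal" and node.get("kind") in ("string", "number"):
            v = node["value"]  # numbers are decimal or 0x-prefixed hex in the AST
            out.add(v.encode() if node["kind"] == "string" else int(v, 0).to_bytes(32, "big"))
        for child in node.values():
            collect_literals(child, out)
    elif isinstance(node, list):
        for child in node:
            collect_literals(child, out)
    return out
```

Hashing the collected `b"hello"` reproduces the PUSH32 value from the issue, so the bytecode holds only the hash and the dictionary entry must come from the AST.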

thank you, makes sense, should be nicely handled with solar

grandizzy avatar Apr 02 '25 12:04 grandizzy

waiting on #11307 to implement

0xrusowsky avatar Aug 19 '25 07:08 0xrusowsky

waiting on https://github.com/foundry-rs/foundry/pull/11612 to be merged, so that I can use the new analysis feature which exposes solar's compiler instance

0xrusowsky avatar Oct 05 '25 14:10 0xrusowsky