new command

Author: gustavo-grieco

lib/Echidna/Agent/Fuzzer.hs

@@ -16,6 +16,8 @@ import Control.Monad.Trans (lift)
 import Control.Monad.IO.Class (MonadIO)
 import System.Random (mkStdGen)
 import Data.IORef (IORef, writeIORef, readIORef, atomicModifyIORef')
+import Data.Text (Text)
+import EVM.ABI (AbiValue)
 import Data.Map (Map)
 import qualified Data.Map as Map
 import System.Directory (getCurrentDirectory)
@@ -197,9 +199,12 @@ fuzzerLoop callback vm testLimit bus = do
                putStrLn $ "Fuzzer " ++ show workerId ++ ": dumped LCOV coverage."
             pure ()
        Just (WrappedMessage _ (ToFuzzer tid (PrioritizeFunction funcName))) -> do
+          -- Deprecated
+          pure ()
+       Just (WrappedMessage _ (ToFuzzer tid (FuzzTransaction funcName args))) -> do
           workerId <- gets (.workerId)
           when (tid == workerId) $ do
-             modify' $ \s -> s { prioritizedFunctions = funcName : s.prioritizedFunctions }
+             modify' $ \s -> s { prioritizedFunctions = (funcName, args) : s.prioritizedFunctions }
              pure ()
        Just (WrappedMessage _ (ToFuzzer tid ClearPrioritization)) -> do
           workerId <- gets (.workerId)

lib/Echidna/MCP.hs

@@ -57,11 +57,11 @@ inspectCorpusTransactionsTool args env _ _ = do
   let corpusList = Set.toList c
       startIndex = (page - 1) * pageSize
       pageItems = take pageSize $ drop startIndex corpusList
-      
-      ppSequence (i, txs) = 
+
+      ppSequence (i, txs) =
         printf "Sequence (value: %d):\n%s" i (unlines $ map (ppTx Map.empty) txs)
 
-  return $ if null pageItems 
+  return $ if null pageItems
            then "No more transactions found."
            else intercalate "\n" (map ppSequence pageItems)
     where
@@ -81,12 +81,28 @@ splitOn c s = case break (== c) s of
                                            (_:r) -> splitOn c r
 
 parseArg :: String -> Maybe AbiValue
-parseArg s = 
+parseArg s =
    let s' = trim s
    in if "0x" `isPrefixOf` s'
       then AbiAddress . fromIntegral <$> (readMaybe s' :: Maybe Integer)
       else AbiUInt 256 . fromIntegral <$> (readMaybe s' :: Maybe Integer)
 
+parseFuzzArg :: String -> Maybe (Maybe AbiValue)
+parseFuzzArg s =
+   let s' = trim s
+   in if s' == "?"
+      then Just Nothing
+      else Just <$> parseArg s'
+
+parseFuzzCall :: String -> Maybe (Text, [Maybe AbiValue])
+parseFuzzCall s = do
+   let (fname, rest) = break (== '(') s
+   if null rest then Nothing else do
+     let argsS = take (length rest - 2) (drop 1 rest) -- remove parens
+     let argParts = if all isSpace argsS then [] else splitOn ',' argsS
+     args <- mapM parseFuzzArg argParts
+     return (pack fname, args)
+
 parseCall :: String -> Maybe (String, [AbiValue])
 parseCall s = do
    let (fname, rest) = break (== '(') s
@@ -126,10 +142,10 @@ injectTransactionTool args env bus _ = do
               Just p -> Data.Maybe.fromMaybe 0 (readMaybe (unpack p))
               Nothing -> 0
       txStr = maybe "" unpack (lookup "transaction" args)
-  
+
   c <- readIORef env.corpusRef
   let corpusList = Set.toList c
-  
+
   if idx < 0 || idx >= length corpusList
     then return "Error: Invalid sequence index."
     else do
@@ -139,16 +155,16 @@ injectTransactionTool args env bus _ = do
         else do
           let contextTx = case originalSeq of
                             [] -> Nothing
-                            (x:xs) -> Just (if pos > 0 && pos <= length (x:xs) 
-                                            then (x:xs) !! (pos - 1) 
+                            (x:xs) -> Just (if pos > 0 && pos <= length (x:xs)
+                                            then (x:xs) !! (pos - 1)
                                             else x)
           case parseTx contextTx txStr of
             Nothing -> return "Error: Failed to parse transaction string."
             Just newTx -> do
                let newSeq = take pos originalSeq ++ [newTx]
                replyVar <- newEmptyTMVarIO
                atomically $ writeTChan bus (WrappedMessage AIId (ToFuzzer 0 (ExecuteSequence newSeq (Just replyVar))))
-               
+
                -- Wait for reply
                found <- atomically $ takeTMVar replyVar
                if found
@@ -163,13 +179,16 @@ dumpLcovTool _ env _ _ = do
   filename <- saveLcovHook env dir env.sourceCache contracts
   return $ "Dumped LCOV coverage to " ++ filename
 
--- | Implementation of prioritize_function tool
-prioritizeFunctionTool :: ToolExecution
-prioritizeFunctionTool args env bus _ = do
-  let msg = Data.Maybe.fromMaybe "" (lookup "function" args)
-  let nWorkers = getNFuzzWorkers env.cfg.campaignConf
-  mapM_ (\i -> atomically $ writeTChan bus (WrappedMessage AIId (ToFuzzer i (PrioritizeFunction (unpack msg))))) [0 .. nWorkers - 1]
-  return $ printf "Requested prioritization of function '%s' on %d fuzzers" (unpack msg) nWorkers
+-- | Implementation of fuzz_transaction tool
+fuzzTransactionTool :: ToolExecution
+fuzzTransactionTool args env bus _ = do
+  let txStr = Data.Maybe.fromMaybe "" (lookup "transaction" args)
+  case parseFuzzCall (unpack txStr) of
+    Nothing -> return "Error: Failed to parse transaction string."
+    Just (fname, fuzzArgs) -> do
+      let nWorkers = getNFuzzWorkers env.cfg.campaignConf
+      mapM_ (\i -> atomically $ writeTChan bus (WrappedMessage AIId (ToFuzzer i (FuzzTransaction fname fuzzArgs)))) [0 .. nWorkers - 1]
+      return $ printf "Requested fuzzing of transaction '%s' on %d fuzzers" (unpack txStr) nWorkers
 
 -- | Implementation of clear_priorities tool
 clearPrioritiesTool :: ToolExecution
@@ -182,7 +201,11 @@ clearPrioritiesTool _ env bus _ = do
 readLogsTool :: ToolExecution
 readLogsTool _ _ _ logsRef = do
   logs <- readIORef logsRef
-  return $ unpack $ T.unlines $ reverse logs
+  -- Get last 100 logs
+  -- logs is [Newest, ..., Oldest]
+  -- We want to take the 100 newest, and show them in chronological order
+  let logsToShow = reverse $ take 100 logs
+  return $ unpack $ T.unlines $ logsToShow
 
 -- | Implementation of show_coverage tool
 showCoverageTool :: ToolExecution
@@ -235,7 +258,7 @@ availableTools =
   , Tool "inspect_corpus_transactions" "Browse the corpus transactions" inspectCorpusTransactionsTool
   , Tool "inject_transaction" "Inject a transaction into a sequence and execute it" injectTransactionTool
   , Tool "dump_lcov" "Dump coverage in LCOV format" dumpLcovTool
-  , Tool "prioritize_function" "Prioritize a function for fuzzing" prioritizeFunctionTool
+  , Tool "fuzz_transaction" "Fuzz a transaction with optional concrete arguments" fuzzTransactionTool
   , Tool "clear_priorities" "Clear the function prioritization list" clearPrioritiesTool
   , Tool "read_logs" "Read the last 100 log messages" readLogsTool
   , Tool "show_coverage" "Show coverage report for a particular contract" showCoverageTool
@@ -254,7 +277,7 @@ runMCPServer env port logsRef = do
     let serverInfo = McpServerInfo
             { serverName = "Echidna MCP Server"
             , serverVersion = "1.0.0"
-            , serverInstructions = "Echidna Agent Interface. Available tools: read_corpus, inspect_corpus_transactions, dump_lcov, prioritize_function, clear_priorities, read_logs, show_coverage"
+            , serverInstructions = "Echidna Agent Interface. Available tools: read_corpus, inspect_corpus_transactions, dump_lcov, fuzz_transaction, clear_priorities, read_logs, show_coverage"
             }
 
     let mkToolDefinition :: Tool -> ToolDefinition
@@ -267,7 +290,7 @@ runMCPServer env port logsRef = do
                     , required = ["page"]
                     }
                 "inject_transaction" -> InputSchemaDefinitionObject
-                    { properties = 
+                    { properties =
                         [ ("sequence_index", InputSchemaDefinitionProperty "string" "The index of the sequence in the corpus")
                         , ("position", InputSchemaDefinitionProperty "string" "The position to insert the transaction at")
                         , ("transaction", InputSchemaDefinitionProperty "string" "The transaction string (e.g. 'func(arg1, arg2)')")
@@ -278,9 +301,9 @@ runMCPServer env port logsRef = do
                     { properties = []
                     , required = []
                     }
-                "prioritize_function" -> InputSchemaDefinitionObject
-                    { properties = [("function", InputSchemaDefinitionProperty "string" "The name of the function to prioritize")]
-                    , required = ["function"]
+                "fuzz_transaction" -> InputSchemaDefinitionObject
+                    { properties = [("transaction", InputSchemaDefinitionProperty "string" "The transaction string (e.g. 'func(arg1, ?, arg3)')")]
+                    , required = ["transaction"]
                     }
                 "clear_priorities" -> InputSchemaDefinitionObject
                     { properties = []

lib/Echidna/Transaction.hs

@@ -3,7 +3,7 @@
 
 module Echidna.Transaction where
 
-import Control.Monad (join, when)
+import Control.Monad (join, when, zipWithM)
 import Control.Monad.IO.Class (MonadIO, liftIO)
 import Control.Monad.Random.Strict (MonadRandom, getRandom, getRandomR, uniform)
 import Control.Monad.Reader (MonadReader, ask)
@@ -14,7 +14,6 @@ import Data.Map (Map, toList)
 import Data.Maybe (catMaybes)
 import Data.Set (Set)
 import Data.Set qualified as Set
-import qualified Data.Text as T
 import Data.Vector qualified as V
 import Optics.Core
 import Optics.State.Operators
@@ -68,28 +67,46 @@ genTx world deployedContracts = do
   let txConf = env.cfg.txConf
   genDict <- gets (.genDict)
   prioritized <- gets (.prioritizedFunctions)
-  let prioritizedTxt = map T.pack prioritized
   sigMap <- getSignatures world.highSignatureMap world.lowSignatureMap
   sender <- rElem' world.senders
   contractAList <- liftIO $ mapM (toContractA env sigMap) (toList deployedContracts)
   let allContracts = catMaybes contractAList
-  (dstAddr, dstAbis) <- if null prioritizedTxt
-    then rElem' $ Set.fromList allContracts
+
+  (dstAddr, solCall) <- if null prioritized
+    then do
+      (addr, sigs) <- rElem' $ Set.fromList allContracts
+      call <- genInteractionsM genDict sigs
+      pure (addr, call)
     else do
-      let isPrioritized n = any (`T.isInfixOf` n) prioritizedTxt
-      let prioritizedContracts = filter (\(_, sigs) -> any (\(n,_) -> isPrioritized n) sigs) allContracts
       usePrioritized <- (<= (0.9 :: Double)) <$> getRandom
-      if usePrioritized && not (null prioritizedContracts)
+      if usePrioritized
         then do
-           (addr, sigs) <- rElem' $ Set.fromList prioritizedContracts
-           -- Filter sigs to only prioritized ones
-           let pSigs = NE.filter (\(n, _) -> isPrioritized n) sigs
-           case NE.nonEmpty pSigs of
-             Just pSigsNE -> pure (addr, pSigsNE)
-             Nothing -> pure (addr, sigs) -- Should not happen
-        else rElem' $ Set.fromList allContracts
+           (pName, pArgs) <- rElem (NE.fromList prioritized)
+           -- Find contracts containing this function with matching arity
+           let isMatch (_, sigs) = any (\(n, ts) -> n == pName && length ts == length pArgs) sigs
+               matchingContracts = filter isMatch allContracts
+
+           if null matchingContracts
+             then do
+                (addr, sigs) <- rElem' $ Set.fromList allContracts
+                call <- genInteractionsM genDict sigs
+                pure (addr, call)
+             else do
+               (addr, sigs) <- rElem' $ Set.fromList matchingContracts
+               -- Pick the matching signature
+               let matchingSigs = NE.filter (\(n, ts) -> n == pName && length ts == length pArgs) sigs
+               (name, types) <- rElem (NE.fromList matchingSigs)
+
+               -- Generate arguments
+               let genArg (Just val) _ = pure val
+                   genArg Nothing t = genAbiValueM' genDict name 0 t
 
-  solCall <- genInteractionsM genDict dstAbis
+               vals <- zipWithM genArg pArgs types
+               pure (addr, (name, vals))
+        else do
+           (addr, sigs) <- rElem' $ Set.fromList allContracts
+           call <- genInteractionsM genDict sigs
+           pure (addr, call)
   value <- genValue txConf.maxValue genDict.dictValues world.payableSigs solCall
   ts <- (,) <$> genDelay txConf.maxTimeDelay genDict.dictValues
             <*> genDelay txConf.maxBlockDelay genDict.dictValues

lib/Echidna/Types/Campaign.hs

@@ -6,6 +6,7 @@ import Data.Word (Word8, Word16)
 import GHC.Conc (numCapabilities)
 
 import EVM.Solvers (Solver(..))
+import EVM.ABI (AbiValue)
 
 import Echidna.ABI (GenDict, emptyDict)
 import Echidna.Types
@@ -86,7 +87,7 @@ data WorkerState = WorkerState
   , runningThreads :: [ThreadId]
     -- ^ Extra threads currently being run,
     --   aside from the main worker thread
-  , prioritizedFunctions :: ![String]
+  , prioritizedFunctions :: ![(Text, [Maybe AbiValue])]
     -- ^ Functions to prioritize during fuzzing
   }
 

lib/Echidna/Types/InterWorker.hs

@@ -3,6 +3,7 @@ module Echidna.Types.InterWorker where
 import Control.Concurrent.STM
 import Data.Text (Text)
 
+import EVM.ABI (AbiValue)
 import Echidna.Types.Tx (Tx)
 import Echidna.Types.Test (EchidnaTest)
 
@@ -14,14 +15,16 @@ data AgentId = FuzzerId Int | SymbolicId | AIId
 data FuzzerCmd
   = DumpLcov
   | SolutionFound [Tx]
-  | PrioritizeFunction String
+  | PrioritizeFunction String -- Deprecated
+  | FuzzTransaction Text [Maybe AbiValue]
   | ClearPrioritization
   | ExecuteSequence [Tx] (Maybe (TMVar Bool))
 
 instance Show FuzzerCmd where
   show DumpLcov = "DumpLcov"
   show (SolutionFound txs) = "SolutionFound " ++ show txs
   show (PrioritizeFunction s) = "PrioritizeFunction " ++ show s
+  show (FuzzTransaction s args) = "FuzzTransaction " ++ show s ++ " " ++ show args
   show ClearPrioritization = "ClearPrioritization"
   show (ExecuteSequence txs _) = "ExecuteSequence " ++ show txs
 

lib/Echidna/UI.hs

@@ -185,7 +185,7 @@ ui vm dict initialCorpus cliSelectedContract = do
 
       let forwardEvent ev = do
             msg <- runReaderT (ppLogLine vm ev) env
-            liftIO $ atomicModifyIORef' logBuffer (\logs -> (take 100 (pack msg : logs), ()))
+            liftIO $ atomicModifyIORef' logBuffer (\logs -> (pack msg : logs, ()))
             putStrLn msg
       uiEventsForwarderStopVar <- spawnListener forwardEvent