fix ABI resolution issue and use in mutations issue

Author: anishnaik

fuzzing/corpus/corpus.go

@@ -28,6 +28,12 @@ import (
 // Corpus describes an archive of fuzzer-generated artifacts used to further fuzzing efforts. These artifacts are
 // reusable across fuzzer runs. Changes to the fuzzer/chain configuration or definitions within smart contracts
 // may create incompatibilities with corpus items.
+// warmupSequence tracks a stored corpus entry and whether it should rejoin the mutation chooser after replay.
+type warmupSequence struct {
+	sequence       calls.CallSequence
+	useInMutations bool
+}
+
 type Corpus struct {
 	// storageDirectory describes the directory to save corpus callSequenceFiles within.
 	storageDirectory string
@@ -45,7 +51,7 @@ type Corpus struct {
 	// unexecutedCallSequences defines the callSequences which have not yet been executed by the fuzzer. As each item
 	// is selected for execution by the fuzzer on startup, it is removed. This way, all call sequences loaded from disk
 	// are executed to check for test failures.
-	unexecutedCallSequences []calls.CallSequence
+	unexecutedCallSequences []warmupSequence
 
 	// mutationTargetSequenceChooser is a provider that allows for weighted random selection of callSequences. If a
 	// call sequence was not found to be compatible with this run, it is not added to the chooser.
@@ -68,7 +74,7 @@ func NewCorpus(corpusDirectory string) (*Corpus, error) {
 		coverageMaps:            coverage.NewCoverageMaps(),
 		callSequenceFiles:       newCorpusDirectory[calls.CallSequence](""),
 		testResultSequenceFiles: newCorpusDirectory[calls.CallSequence](""),
-		unexecutedCallSequences: make([]calls.CallSequence, 0),
+		unexecutedCallSequences: make([]warmupSequence, 0),
 		logger:                  logging.GlobalLogger.NewSubLogger("module", "corpus"),
 	}
 
@@ -511,17 +517,23 @@ func (c *Corpus) CheckSequenceCoverageAndUpdate(callSequence calls.CallSequence,
 // MarkSequenceValidated records that a call sequence loaded from disk has been successfully replayed by a worker.
 // The sequence is cloned, stripped of runtime metadata, and registered with the mutation chooser so it can participate
 // in future mutations.
-func (c *Corpus) MarkSequenceValidated(sequence calls.CallSequence, mutationChooserWeight *big.Int) error {
+func (c *Corpus) MarkSequenceValidated(sequence calls.CallSequence, mutationChooserWeight *big.Int, useInMutations bool) error {
 	if mutationChooserWeight == nil {
 		mutationChooserWeight = big.NewInt(1)
 	}
 
+	c.callSequencesLock.Lock()
+	defer c.callSequencesLock.Unlock()
+
+	if !useInMutations {
+		return nil
+	}
+
 	clonedSequence, err := sequence.Clone()
 	if err != nil {
 		return err
 	}
 
-	// Strip runtime-only references that should not persist in the corpus chooser.
 	for _, element := range clonedSequence {
 		if element == nil {
 			continue
@@ -530,9 +542,6 @@ func (c *Corpus) MarkSequenceValidated(sequence calls.CallSequence, mutationChoo
 		element.ExecutionTrace = nil
 	}
 
-	c.callSequencesLock.Lock()
-	defer c.callSequencesLock.Unlock()
-
 	if c.mutationTargetSequenceChooser == nil {
 		c.mutationTargetSequenceChooser = randomutils.NewWeightedRandomChooser[calls.CallSequence]()
 	}
@@ -599,12 +608,18 @@ func (c *Corpus) PrepareForWarmup(baseTestChain *chain.TestChain, contractDefini
 	totalSequences := len(c.callSequenceFiles.files) + len(c.testResultSequenceFiles.files)
 
 	c.callSequencesLock.Lock()
-	c.unexecutedCallSequences = make([]calls.CallSequence, 0, totalSequences)
+	c.unexecutedCallSequences = make([]warmupSequence, 0, totalSequences)
 	for _, sequenceFileData := range c.testResultSequenceFiles.files {
-		c.unexecutedCallSequences = append(c.unexecutedCallSequences, sequenceFileData.data)
+		c.unexecutedCallSequences = append(c.unexecutedCallSequences, warmupSequence{
+			sequence:       sequenceFileData.data,
+			useInMutations: false,
+		})
 	}
 	for _, sequenceFileData := range c.callSequenceFiles.files {
-		c.unexecutedCallSequences = append(c.unexecutedCallSequences, sequenceFileData.data)
+		c.unexecutedCallSequences = append(c.unexecutedCallSequences, warmupSequence{
+			sequence:       sequenceFileData.data,
+			useInMutations: true,
+		})
 	}
 	activeSequences := len(c.unexecutedCallSequences)
 	c.callSequencesLock.Unlock()
@@ -617,11 +632,11 @@ func (c *Corpus) PrepareForWarmup(baseTestChain *chain.TestChain, contractDefini
 // failures. If a call sequence is returned, it will not be returned by this method again.
 // Returns a call sequence loaded from disk which has not yet been executed, to check for test failures. If all
 // sequences in the corpus have been executed, this will return nil.
-func (c *Corpus) UnexecutedCallSequence() *calls.CallSequence {
+func (c *Corpus) UnexecutedCallSequence() (*calls.CallSequence, bool) {
 	// Prior to thread locking, if we have no un-executed call sequences, quit.
 	// This is a speed optimization, as thread locking on a central component affects performance.
 	if len(c.unexecutedCallSequences) == 0 {
-		return nil
+		return nil, false
 	}
 
 	// Acquire a thread lock for the duration of this method.
@@ -631,15 +646,15 @@ func (c *Corpus) UnexecutedCallSequence() *calls.CallSequence {
 	// Check that we have an item now that the thread is locked. This must be performed again as an item could've
 	// been removed between time of check (the prior exit condition) and time of use (thread locked operations).
 	if len(c.unexecutedCallSequences) == 0 {
-		return nil
+		return nil, false
 	}
 
 	// Otherwise obtain the first item and remove it from the slice.
 	firstSequence := c.unexecutedCallSequences[0]
 	c.unexecutedCallSequences = c.unexecutedCallSequences[1:]
 
 	// Return the first sequence
-	return &firstSequence
+	return &firstSequence.sequence, firstSequence.useInMutations
 }
 
 // Flush writes corpus changes to disk. Returns an error if one occurs.

fuzzing/fuzzer_worker.go

@@ -259,16 +259,34 @@ func (fw *FuzzerWorker) updateMethods() {
 	}
 }
 
-// bindContractsForSequence ensures each call sequence element references the deployed contract known to the worker.
-func (fw *FuzzerWorker) bindContractsForSequence(sequence calls.CallSequence) {
+// bindContractsForSequence ensures each call sequence element references the deployed contract known to the worker and
+// resolves ABI metadata needed for serialization.
+func (fw *FuzzerWorker) bindContractsForSequence(sequence calls.CallSequence) error {
 	for _, element := range sequence {
-		if element == nil || element.Call == nil || element.Call.To == nil {
+		if element == nil || element.Call == nil {
 			continue
 		}
-		if contractDefinition, ok := fw.deployedContracts[*element.Call.To]; ok {
-			element.Contract = contractDefinition
+		// Deployments have no target address, so there is no contract to resolve.
+		if element.Call.To == nil {
+			continue
+		}
+
+		contractDefinition, ok := fw.deployedContracts[*element.Call.To]
+		if !ok {
+			return fmt.Errorf("contract at address %s is not registered with worker %d", element.Call.To.String(), fw.workerIndex)
+		}
+
+		element.Contract = contractDefinition
+
+		if abiValues := element.Call.DataAbiValues; abiValues != nil {
+			if abiValues.Method == nil {
+				if err := abiValues.Resolve(contractDefinition.CompiledContract().Abi); err != nil {
+					return fmt.Errorf("failed to resolve ABI for contract %s: %w", contractDefinition.Name(), err)
+				}
+			}
 		}
 	}
+	return nil
 }
 
 // testNextCallSequence tests a call message sequence against the underlying FuzzerWorker's Chain and calls every
@@ -297,8 +315,12 @@ func (fw *FuzzerWorker) testNextCallSequence() ([]ShrinkCallSequenceRequest, err
 		return nil, err
 	}
 	isWarmupSequence := fw.sequenceGenerator.LastSequenceFromWarmup()
+	warmupUseInMutations := fw.sequenceGenerator.WarmupSequenceUseInMutations()
 	if isWarmupSequence {
-		fw.bindContractsForSequence(fw.sequenceGenerator.CurrentSequence())
+		if err = fw.bindContractsForSequence(fw.sequenceGenerator.CurrentSequence()); err != nil {
+			fw.fuzzer.logger.Debug("[Worker ", fw.workerIndex, "] Skipping warmup sequence: ", err)
+			return nil, nil
+		}
 	}
 
 	// Define our shrink requests we'll collect during execution.
@@ -371,7 +393,7 @@ func (fw *FuzzerWorker) testNextCallSequence() ([]ShrinkCallSequenceRequest, err
 
 	// If this was not a new call sequence, indicate not to save the shrunken result to the corpus again.
 	if isWarmupSequence && len(shrinkCallSequenceRequests) == 0 && len(executedSequence) > 0 {
-		err = fw.fuzzer.corpus.MarkSequenceValidated(executedSequence, fw.getNewCorpusCallSequenceWeight())
+		err = fw.fuzzer.corpus.MarkSequenceValidated(executedSequence, fw.getNewCorpusCallSequenceWeight(), warmupUseInMutations)
 		if err != nil {
 			return nil, err
 		}

fuzzing/fuzzer_worker_sequence_generator.go

@@ -29,6 +29,9 @@ type CallSequenceGenerator struct {
 	// lastSequenceFromWarmup indicates whether the most recent sequence originated from the corpus warmup queue.
 	lastSequenceFromWarmup bool
 
+	// warmupSequenceUseInMutations indicates whether the current warmup sequence should be added to the mutation chooser.
+	warmupSequenceUseInMutations bool
+
 	// fetchIndex describes the current position in the baseSequence which defines the next element to be mutated and
 	// returned when calling PopSequenceElement.
 	fetchIndex int
@@ -197,13 +200,15 @@ func (g *CallSequenceGenerator) InitializeNextSequence() (bool, error) {
 	g.fetchIndex = 0
 	g.prefetchModifyCallFunc = nil
 	g.lastSequenceFromWarmup = false
+	g.warmupSequenceUseInMutations = false
 
 	// Check if there are any previously un-executed corpus call sequences. If there are, the fuzzer should execute
 	// those first.
-	unexecutedSequence := g.worker.fuzzer.corpus.UnexecutedCallSequence()
+	unexecutedSequence, useInMutations := g.worker.fuzzer.corpus.UnexecutedCallSequence()
 	if unexecutedSequence != nil {
 		g.baseSequence = *unexecutedSequence
 		g.lastSequenceFromWarmup = true
+		g.warmupSequenceUseInMutations = useInMutations
 		return false, nil
 	}
 
@@ -243,6 +248,11 @@ func (g *CallSequenceGenerator) LastSequenceFromWarmup() bool {
 	return g.lastSequenceFromWarmup
 }
 
+// WarmupSequenceUseInMutations indicates whether the current warmup sequence should be added to the mutation chooser.
+func (g *CallSequenceGenerator) WarmupSequenceUseInMutations() bool {
+	return g.warmupSequenceUseInMutations
+}
+
 // CurrentSequence returns the base sequence currently managed by the generator.
 func (g *CallSequenceGenerator) CurrentSequence() calls.CallSequence {
 	return g.baseSequence