Merge branch 'master' into dependabot/go_modules/go.etcd.io/bbolt-1.4.3

Author: anishnaik

.github/workflows/ci.yml

@@ -105,7 +105,7 @@ jobs:
 
     steps:
       - name: Download binaries
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           pattern: medusa-*
           merge-multiple: true

Dockerfile

@@ -1,5 +1,5 @@
 ## medusa build process
-FROM golang:1.23 AS medusa
+FROM golang:1.24 AS medusa
 
 WORKDIR /src
 COPY . /src/medusa/

fuzzing/corpus/corpus.go

@@ -3,11 +3,12 @@ package corpus
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/crytic/medusa/utils"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
+
+	"github.com/crytic/medusa/utils"
 )
 
 // corpusFile represents corpus data and its state on the filesystem.
@@ -176,7 +177,7 @@ func (cd *corpusDirectory[T]) writeFiles() error {
 			// Write the JSON encoded data.
 			err = os.WriteFile(filePath, jsonEncodedData, os.ModePerm)
 			if err != nil {
-				return fmt.Errorf("An error occurred while writing corpus data to file: %v\n", err)
+				return fmt.Errorf("an error occurred while writing corpus data to file: %v", err)
 			}
 
 			// Update our written to disk status.

fuzzing/corpus/corpus_files.go

@@ -814,6 +814,7 @@ func (f *Fuzzer) spawnWorkersLoop(baseTestChain *chain.TestChain) error {
 			if err == nil && workerCreatedErr != nil {
 				err = workerCreatedErr
 			}
+
 			if err == nil {
 				// Publish an event indicating we created a worker.
 				workerCreatedErr = f.Events.WorkerCreated.Publish(FuzzerWorkerCreatedEvent{Worker: worker})
@@ -894,13 +895,6 @@ func (f *Fuzzer) Start() error {
 		f.ctx, f.ctxCancelFunc = context.WithTimeout(f.ctx, time.Duration(f.config.Fuzzing.Timeout)*time.Second)
 	}
 
-	// Set up the corpus
-	f.logger.Info("Initializing corpus")
-	f.corpus, err = corpus.NewCorpus(f.config.Fuzzing.CorpusDirectory)
-	if err != nil {
-		f.logger.Error("Failed to create the corpus", err)
-		return err
-	}
 	// Start the revert reporter
 	f.revertReporter.Start(f.ctx)
 
@@ -933,28 +927,25 @@ func (f *Fuzzer) Start() error {
 	}
 	f.logger.Info("Finished setting up test chain")
 
-	// Initialize our coverage maps by measuring the coverage we get from the corpus.
-	var corpusActiveSequences, corpusTotalSequences int
-	if totalCallSequences, testResults := f.corpus.CallSequenceEntryCount(); totalCallSequences > 0 || testResults > 0 {
-		f.logger.Info("Running call sequences in the corpus")
-	}
-	startTime := time.Now()
-	corpusActiveSequences, corpusTotalSequences, err = f.corpus.Initialize(baseTestChain, f.contractDefinitions)
-	if corpusTotalSequences > 0 {
-		f.logger.Info("Finished running call sequences in the corpus in ", time.Since(startTime).Round(time.Second))
+	// Create and initialize the corpus
+	f.logger.Info("Creating corpus...")
+	f.corpus, err = corpus.NewCorpus(f.config.Fuzzing.CorpusDirectory)
+	if err != nil {
+		f.logger.Error("Failed to create the corpus", err)
+		return err
 	}
+	err = f.corpus.Initialize(baseTestChain, f.contractDefinitions)
 	if err != nil {
 		f.logger.Error("Failed to initialize the corpus", err)
 		return err
 	}
 
-	// Log corpus health statistics, if we have any existing sequences.
-	if corpusTotalSequences > 0 {
-		f.logger.Info(
-			colors.Bold, "corpus: ", colors.Reset,
-			"health: ", colors.Bold, int(float32(corpusActiveSequences)/float32(corpusTotalSequences)*100.0), "%", colors.Reset, ", ",
-			"sequences: ", colors.Bold, corpusTotalSequences, " (", corpusActiveSequences, " valid, ", corpusTotalSequences-corpusActiveSequences, " invalid)", colors.Reset,
-		)
+	// Log that we will initialize corpus if there are any call sequences or test results
+	if totalCallSequences, testResults := f.corpus.CallSequenceEntryCount(); totalCallSequences > 0 || testResults > 0 {
+		f.logger.Info("Initializing corpus...")
+
+		// Monitor corpus initialization
+		go f.monitorCorpusInitialization()
 	}
 
 	// Start the corpus pruner.
@@ -1081,6 +1072,45 @@ func (f *Fuzzer) Terminate() {
 	}
 }
 
+// monitorCorpusInitialization monitors the corpus initialization process and logs the corpus health when it is complete.
+// This goroutine is short-lived and exits when the corpus is initialized.
+func (f *Fuzzer) monitorCorpusInitialization() {
+	// There is nothing to do if there are no corpus elements or unexecuted call sequences
+	totalSequences, totalTestResults := f.corpus.CallSequenceEntryCount()
+	if !f.corpus.InitializingCorpus() || totalSequences == 0 || totalTestResults == 0 {
+		return
+	}
+
+	// Capture an approximate start time
+	startTime := time.Now()
+	for !utils.CheckContextDone(f.ctx) && !utils.CheckContextDone(f.emergencyCtx) {
+		// Go to sleep if corpus is still initializing
+		if f.corpus.InitializingCorpus() {
+			time.Sleep(200 * time.Millisecond)
+			continue
+		}
+
+		// Calculate the necessary variables for corpus health
+		totalSequences, totalTestResults := f.corpus.CallSequenceEntryCount()
+		totalCorpusEntries := totalSequences + totalTestResults
+		validSequences := f.corpus.ValidCallSequences()
+		invalidSequences := int(totalSequences - int(validSequences))
+
+		// Log how much time it took to initialize the corpus
+		f.logger.Info("Finished running call sequences in the corpus in ", time.Since(startTime).Round(time.Second))
+
+		// Log the overall corpus health
+		f.logger.Info(
+			colors.Bold, "corpus: ", colors.Reset,
+			"health: ", colors.Bold, int(float32(validSequences)/float32(totalCorpusEntries)*100), "%", colors.Reset, ", ",
+			"sequences: ", colors.Bold, totalCorpusEntries, " (", validSequences, " valid, ", invalidSequences, " invalid)", colors.Reset,
+		)
+
+		// Now we can exit the goroutine
+		break
+	}
+}
+
 // printMetricsLoop prints metrics to the console in a loop until ctx signals a stopped operation.
 func (f *Fuzzer) printMetricsLoop() {
 	// Define our start time

fuzzing/fuzzer.go

@@ -259,10 +259,46 @@ func (fw *FuzzerWorker) updateMethods() {
 	}
 }
 
+// bindCorpusElement ensures that the de-serialized corpus element is ready for runtime use.
+// The index for the element is provided and the base sequence used for execution is updated in-place.
+// It resolves the contract definition and ABI metadata needed for runtime execution. If the function
+// returns an error, the call sequence/corpus item is marked as invalid and will not be used for mutations.
+func (fw *FuzzerWorker) bindCorpusElement(currentIndex int) error {
+	// Guard clause
+	if currentIndex >= len(fw.sequenceGenerator.baseSequence) {
+		return nil
+	}
+
+	// Obtain the corpus element
+	element := fw.sequenceGenerator.baseSequence[currentIndex]
+
+	// If it is a contract creation, there is nothing to do.
+	if element.Call.To == nil {
+		return nil
+	}
+
+	contractDefinition, ok := fw.deployedContracts[*element.Call.To]
+	if !ok {
+		return fmt.Errorf("contract at address %v could not be resolved", element.Call.To.String())
+	}
+	element.Contract = contractDefinition
+
+	// Next, if our sequence element uses ABI values to produce call data, our deserialized data is not yet
+	// sufficient for runtime use, until we use it to resolve runtime references.
+	if abiValues := element.Call.DataAbiValues; abiValues != nil {
+		// Resolve the ABI values.
+		if err := abiValues.Resolve(contractDefinition.CompiledContract().Abi); err != nil {
+			return fmt.Errorf("error resolving method in contract '%v': %v", element.Contract.Name(), err)
+		}
+	}
+
+	return nil
+}
+
 // testNextCallSequence tests a call message sequence against the underlying FuzzerWorker's Chain and calls every
 // CallSequenceTestFunc registered with the parent Fuzzer to update any test results. If any call message in the
 // sequence is nil, a call message will be created in its place, targeting a state changing method of a contract
-// deployed in the Chain.
+// deployed in the Chain. Note that this function also replays the corpus call sequences before entering the main fuzzing loop.
 // Returns any requests for call sequence shrinking or an error if one occurs.
 func (fw *FuzzerWorker) testNextCallSequence() ([]ShrinkCallSequenceRequest, error) {
 	// We will make a copy of the worker's base value set so that we can rollback to it at the end of the call sequence
@@ -290,6 +326,17 @@ func (fw *FuzzerWorker) testNextCallSequence() ([]ShrinkCallSequenceRequest, err
 
 	// Our "fetch next call" method will generate new calls as needed, if we are generating a new sequence.
 	fetchElementFunc := func(currentIndex int) (*calls.CallSequenceElement, error) {
+		// We need to prepare the corpus element for runtime execution if we are replaying a corpus sequence
+		if !isNewSequence {
+			err := fw.bindCorpusElement(currentIndex)
+
+			// We will separately capture the error and log that the corpus element is disabled
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// Now, we are ready to fetch the next element from the sequence generator
 		return fw.sequenceGenerator.PopSequenceElement()
 	}
 
@@ -340,10 +387,16 @@ func (fw *FuzzerWorker) testNextCallSequence() ([]ShrinkCallSequenceRequest, err
 	}
 
 	// Execute our call sequence.
-	_, err = calls.ExecuteCallSequenceIteratively(fw.chain, fetchElementFunc, executionCheckFunc)
+	var executedSequence calls.CallSequence
+	executedSequence, err = calls.ExecuteCallSequenceIteratively(fw.chain, fetchElementFunc, executionCheckFunc)
 
 	// If we encountered an error, report it.
 	if err != nil {
+		// If a corpus element fails to execute, log it (in debug mode) and exit the function early
+		if !isNewSequence {
+			fw.fuzzer.logger.Debug("[Worker ", fw.workerIndex, "] corpus element has been disabled due to an error:", err)
+			return nil, nil
+		}
 		return nil, err
 	}
 
@@ -352,7 +405,17 @@ func (fw *FuzzerWorker) testNextCallSequence() ([]ShrinkCallSequenceRequest, err
 		return nil, nil
 	}
 
-	// If this was not a new call sequence, indicate not to save the shrunken result to the corpus again.
+	// We successfully executed a corpus element
+	if !isNewSequence {
+		fw.fuzzer.corpus.IncrementValid()
+		// If there are no shrink requests that means this is not a test result call sequence, so we can mark it for mutation.
+		if len(shrinkCallSequenceRequests) == 0 {
+			// We don't really want an error here to stop fuzzing, so we ignore it.
+			_ = fw.fuzzer.corpus.MarkCallSequenceForMutation(executedSequence, big.NewInt(1))
+		}
+	}
+
+	// We don't want to save shrink results from corpus sequences since we already did.
 	if !isNewSequence {
 		for i := 0; i < len(fw.shrinkCallSequenceRequests); i++ {
 			shrinkCallSequenceRequests[i].RecordResultInCorpus = false

fuzzing/fuzzer_worker.go

@@ -262,8 +262,11 @@ func (g *CallSequenceGenerator) PopSequenceElement() (*calls.CallSequenceElement
 		}
 	}
 
-	// Update the element with the current nonce for the associated chain.
-	element.Call.FillFromTestChainProperties(g.worker.chain)
+	// Update the element with the current nonce for the associated chain only if we are not replaying a corpus sequence.
+	// TODO: This feels a little hacky
+	if !g.worker.fuzzer.corpus.InitializingCorpus() {
+		element.Call.FillFromTestChainProperties(g.worker.chain)
+	}
 
 	// Update our base sequence, advance our position, and return the processed element from this round.
 	g.baseSequence[g.fetchIndex] = element

fuzzing/fuzzer_worker_sequence_generator.go

@@ -12,8 +12,8 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/rs/zerolog v1.34.0
 	github.com/shopspring/decimal v1.4.0
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
+	github.com/spf13/cobra v1.10.1
+	github.com/spf13/pflag v1.0.9
 	github.com/stretchr/testify v1.11.1
 	go.etcd.io/bbolt v1.4.3
 	golang.org/x/crypto v0.43.0

go.mod

@@ -182,10 +182,10 @@ github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKl
 github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=