Limit uint to u64::MAX for fuzz tests (#507)

Author: smiasojed

crates/config/src/fuzz.rs

@@ -32,6 +32,12 @@ pub struct FuzzConfig {
     pub show_logs: bool,
     /// Optional timeout (in seconds) for each property test
     pub timeout: Option<u32>,
+    /// Maximum value for fuzzed integers, used to simulate smaller integer types.
+    /// When set, unsigned integers are clamped to [0, max_fuzz_int] and signed integers
+    /// are clamped to [-(max_fuzz_int+1), max_fuzz_int] to match real signed type ranges.
+    /// Useful for Polkadot compatibility where balances are u128.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub max_fuzz_int: Option<U256>,
 }
 
 impl Default for FuzzConfig {
@@ -47,6 +53,7 @@ impl Default for FuzzConfig {
             failure_persist_file: None,
             show_logs: false,
             timeout: None,
+            max_fuzz_int: None,
         }
     }
 }

crates/config/src/invariant.rs

@@ -1,6 +1,7 @@
 //! Configuration for invariant testing
 
 use crate::fuzz::FuzzDictionaryConfig;
+use alloy_primitives::U256;
 use serde::{Deserialize, Serialize};
 use std::path::PathBuf;
 
@@ -45,6 +46,12 @@ pub struct InvariantConfig {
     pub show_solidity: bool,
     /// Whether to collect and display edge coverage metrics.
     pub show_edge_coverage: bool,
+    /// Maximum value for fuzzed integers, used to simulate smaller integer types.
+    /// When set, unsigned integers are clamped to [0, max_fuzz_int] and signed integers
+    /// are clamped to [-(max_fuzz_int+1), max_fuzz_int] to match real signed type ranges.
+    /// Used for Polkadot compatibility where balances are u128.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub max_fuzz_int: Option<U256>,
 }
 
 impl Default for InvariantConfig {
@@ -67,6 +74,7 @@ impl Default for InvariantConfig {
             timeout: None,
             show_solidity: false,
             show_edge_coverage: false,
+            max_fuzz_int: None,
         }
     }
 }
@@ -92,6 +100,7 @@ impl InvariantConfig {
             timeout: None,
             show_solidity: false,
             show_edge_coverage: false,
+            max_fuzz_int: None,
         }
     }
 }

crates/evm/evm/src/executors/fuzz/mod.rs

@@ -90,9 +90,10 @@ impl FuzzedExecutor {
         let execution_data = RefCell::new(FuzzTestData::default());
         let state = self.build_fuzz_state(deployed_libs);
         let dictionary_weight = self.config.dictionary.dictionary_weight.min(100);
+        let max_fuzz_int = self.config.max_fuzz_int;
         let strategy = proptest::prop_oneof![
-            100 - dictionary_weight => fuzz_calldata(func.clone(), fuzz_fixtures),
-            dictionary_weight => fuzz_calldata_from_state(func.clone(), &state),
+            100 - dictionary_weight => fuzz_calldata(func.clone(), fuzz_fixtures, max_fuzz_int),
+            dictionary_weight => fuzz_calldata_from_state(func.clone(), &state, max_fuzz_int),
         ];
         // We want to collect at least one trace which will be displayed to user.
         let max_traces_to_collect = std::cmp::max(1, self.config.gas_report_samples) as usize;

crates/evm/evm/src/executors/invariant/corpus.rs

@@ -152,6 +152,9 @@ pub struct TxCorpusManager {
     failed_replays: usize,
     // Corpus metrics.
     pub(crate) metrics: CorpusMetrics,
+    // Maximum value for fuzzed integers, used to simulate smaller integer types.
+    // Unsigned: [0, max], Signed: [-(max+1), max].
+    max_fuzz_int: Option<U256>,
 }
 
 impl TxCorpusManager {
@@ -176,6 +179,7 @@ impl TxCorpusManager {
         let corpus_gzip = invariant_config.corpus_gzip;
         let corpus_min_mutations = invariant_config.corpus_min_mutations;
         let corpus_min_size = invariant_config.corpus_min_size;
+        let max_fuzz_int = invariant_config.max_fuzz_int;
         let mut failed_replays = 0;
 
         // Early return if corpus dir / coverage guided fuzzing not configured.
@@ -191,6 +195,7 @@ impl TxCorpusManager {
                 current_mutated: None,
                 failed_replays,
                 metrics: CorpusMetrics::default(),
+                max_fuzz_int,
             });
         };
 
@@ -273,6 +278,7 @@ impl TxCorpusManager {
             current_mutated: None,
             failed_replays,
             metrics,
+            max_fuzz_int,
         })
     }
 
@@ -495,10 +501,12 @@ impl TxCorpusManager {
                                 .expect("fuzzed_artifacts returned wrong sig");
                             // For now, only new inputs are generated, no existing inputs are
                             // mutated.
+                            let max_fuzz_int = self.max_fuzz_int;
                             let mut gen_input = |input: &alloy_json_abi::Param| {
                                 fuzz_param_from_state(
                                     &input.selector_type().parse().unwrap(),
                                     &test.fuzz_state,
+                                    max_fuzz_int,
                                 )
                                 .new_tree(test_runner)
                                 .expect("Could not generate case")

crates/evm/evm/src/executors/invariant/mod.rs

@@ -597,6 +597,7 @@ impl<'a> InvariantExecutor<'a> {
             targeted_contracts.clone(),
             self.config.dictionary.dictionary_weight,
             fuzz_fixtures.clone(),
+            self.config.max_fuzz_int,
         )
         .no_shrink();
 
@@ -614,6 +615,7 @@ impl<'a> InvariantExecutor<'a> {
                     targeted_contracts.clone(),
                     target_contract_ref.clone(),
                     fuzz_fixtures.clone(),
+                    self.config.max_fuzz_int,
                 ),
                 target_contract_ref,
             ));

crates/evm/fuzz/src/strategies/calldata.rs

@@ -4,14 +4,15 @@ use crate::{
 };
 use alloy_dyn_abi::JsonAbiExt;
 use alloy_json_abi::Function;
-use alloy_primitives::Bytes;
+use alloy_primitives::{Bytes, U256};
 use proptest::prelude::Strategy;
 
 /// Given a function, it returns a strategy which generates valid calldata
 /// for that function's input types, following declared test fixtures.
 pub fn fuzz_calldata(
     func: Function,
     fuzz_fixtures: &FuzzFixtures,
+    max_fuzz_int: Option<U256>,
 ) -> impl Strategy<Value = Bytes> + use<> {
     // We need to compose all the strategies generated for each parameter in all
     // possible combinations, accounting any parameter declared fixture
@@ -23,6 +24,7 @@ pub fn fuzz_calldata(
                 &input.selector_type().parse().unwrap(),
                 fuzz_fixtures.param_fixtures(&input.name),
                 &input.name,
+                max_fuzz_int,
             )
         })
         .collect::<Vec<_>>();
@@ -43,11 +45,14 @@ pub fn fuzz_calldata(
 pub fn fuzz_calldata_from_state(
     func: Function,
     state: &EvmFuzzState,
+    max_fuzz_int: Option<U256>,
 ) -> impl Strategy<Value = Bytes> + use<> {
     let strats = func
         .inputs
         .iter()
-        .map(|input| fuzz_param_from_state(&input.selector_type().parse().unwrap(), state))
+        .map(|input| {
+            fuzz_param_from_state(&input.selector_type().parse().unwrap(), state, max_fuzz_int)
+        })
         .collect::<Vec<_>>();
     strats
         .prop_map(move |values| {
@@ -83,7 +88,7 @@ mod tests {
         );
 
         let expected = function.abi_encode_input(&[address_fixture]).unwrap();
-        let strategy = fuzz_calldata(function, &FuzzFixtures::new(fixtures));
+        let strategy = fuzz_calldata(function, &FuzzFixtures::new(fixtures), None);
         let _ = strategy.prop_map(move |fuzzed| {
             assert_eq!(expected, fuzzed);
         });

crates/evm/fuzz/src/strategies/int.rs

@@ -6,6 +6,20 @@ use proptest::{
     test_runner::TestRunner,
 };
 
+/// Clamps a signed integer to the range [-(max+1), max] to match real signed type ranges.
+/// For example, i128 range is [-2^127, 2^127-1], not [-2^127+1, 2^127-1].
+pub fn clamp(value: I256, max: U256) -> I256 {
+    let max_i256 = I256::from_raw(max);
+    let min_i256 = I256::overflowing_from_sign_and_abs(Sign::Negative, max + U256::from(1)).0;
+    if value > max_i256 {
+        max_i256
+    } else if value < min_i256 {
+        min_i256
+    } else {
+        value
+    }
+}
+
 /// Value tree for signed ints (up to int256).
 pub struct IntValueTree {
     /// Lower base (by absolute value)
@@ -103,28 +117,40 @@ pub struct IntStrategy {
     fixtures_weight: usize,
     /// The weight for purely random values
     random_weight: usize,
+    /// Optional maximum value for generated integers, used to simulate smaller signed types.
+    /// When set, generated values will be clamped to [-(max_value+1), max_value] to match
+    /// real signed integer type ranges (e.g., i128 range is [-2^127, 2^127-1]).
+    max_value: Option<U256>,
 }
 
 impl IntStrategy {
     /// Create a new strategy.
-    /// #Arguments
-    /// * `bits` - Size of uint in bits
+    /// # Arguments
+    /// * `bits` - Size of int in bits
     /// * `fixtures` - A set of fixed values to be generated (according to fixtures weight)
-    pub fn new(bits: usize, fixtures: Option<&[DynSolValue]>) -> Self {
+    /// * `max_value` - Optional maximum value to simulate smaller signed types. Values will be
+    ///   clamped to [-(max_value+1), max_value].
+    pub fn new(bits: usize, fixtures: Option<&[DynSolValue]>, max_value: Option<U256>) -> Self {
         Self {
             bits,
             fixtures: Vec::from(fixtures.unwrap_or_default()),
             edge_weight: 10usize,
             fixtures_weight: 40usize,
             random_weight: 50usize,
+            max_value,
         }
     }
 
+    fn effective_max(&self) -> U256 {
+        let type_max: U256 = (U256::from(1) << (self.bits - 1)) - U256::from(1);
+        self.max_value.map(|m| type_max.min(m)).unwrap_or(type_max)
+    }
+
     fn generate_edge_tree(&self, runner: &mut TestRunner) -> NewTree<Self> {
         let rng = runner.rng();
 
         let offset = I256::from_raw(U256::from(rng.random_range(0..4)));
-        let umax: U256 = (U256::from(1) << (self.bits - 1)) - U256::from(1);
+        let umax = self.effective_max();
         // Choose if we want values around min, -0, +0, or max
         let kind = rng.random_range(0..4);
         let start = match kind {
@@ -136,7 +162,7 @@ impl IntStrategy {
             3 => I256::overflowing_from_sign_and_abs(Sign::Positive, umax).0 - offset,
             _ => unreachable!(),
         };
-        Ok(IntValueTree::new(start, false))
+        Ok(IntValueTree::new(clamp(start, self.effective_max()), false))
     }
 
     fn generate_fixtures_tree(&self, runner: &mut TestRunner) -> NewTree<Self> {
@@ -150,7 +176,7 @@ impl IntStrategy {
         if let Some(int_fixture) = fixture.as_int()
             && int_fixture.1 == self.bits
         {
-            return Ok(IntValueTree::new(int_fixture.0, false));
+            return Ok(IntValueTree::new(clamp(int_fixture.0, self.effective_max()), false));
         }
 
         // If fixture is not a valid type, raise error and generate random value.
@@ -195,7 +221,7 @@ impl IntStrategy {
         let sign = if rng.random::<bool>() { Sign::Positive } else { Sign::Negative };
         let (start, _) = I256::overflowing_from_sign_and_abs(sign, U256::from_limbs(inner));
 
-        Ok(IntValueTree::new(start, false))
+        Ok(IntValueTree::new(clamp(start, self.effective_max()), false))
     }
 }
 

crates/evm/fuzz/src/strategies/invariants.rs

@@ -5,7 +5,7 @@ use crate::{
     strategies::{EvmFuzzState, fuzz_calldata_from_state, fuzz_param},
 };
 use alloy_json_abi::Function;
-use alloy_primitives::Address;
+use alloy_primitives::{Address, U256};
 use parking_lot::RwLock;
 use proptest::prelude::*;
 use rand::seq::IteratorRandom;
@@ -17,6 +17,7 @@ pub fn override_call_strat(
     contracts: FuzzRunIdentifiedContracts,
     target: Arc<RwLock<Address>>,
     fuzz_fixtures: FuzzFixtures,
+    max_fuzz_int: Option<U256>,
 ) -> impl Strategy<Value = CallDetails> + Send + Sync + 'static {
     let contracts_ref = contracts.targets.clone();
     proptest::prop_oneof![
@@ -41,7 +42,13 @@ pub fn override_call_strat(
         };
 
         func.prop_flat_map(move |func| {
-            fuzz_contract_with_calldata(&fuzz_state, &fuzz_fixtures, target_address, func)
+            fuzz_contract_with_calldata(
+                &fuzz_state,
+                &fuzz_fixtures,
+                target_address,
+                func,
+                max_fuzz_int,
+            )
         })
     })
 }
@@ -62,19 +69,22 @@ pub fn invariant_strat(
     contracts: FuzzRunIdentifiedContracts,
     dictionary_weight: u32,
     fuzz_fixtures: FuzzFixtures,
+    max_fuzz_int: Option<U256>,
 ) -> impl Strategy<Value = BasicTxDetails> {
     let senders = Rc::new(senders);
     any::<prop::sample::Selector>()
         .prop_flat_map(move |selector| {
             let contracts = contracts.targets.lock();
             let functions = contracts.fuzzed_functions();
             let (target_address, target_function) = selector.select(functions);
-            let sender = select_random_sender(&fuzz_state, senders.clone(), dictionary_weight);
+            let sender =
+                select_random_sender(&fuzz_state, senders.clone(), dictionary_weight, max_fuzz_int);
             let call_details = fuzz_contract_with_calldata(
                 &fuzz_state,
                 &fuzz_fixtures,
                 *target_address,
                 target_function.clone(),
+                max_fuzz_int,
             );
             (sender, call_details)
         })
@@ -88,14 +98,15 @@ fn select_random_sender(
     fuzz_state: &EvmFuzzState,
     senders: Rc<SenderFilters>,
     dictionary_weight: u32,
+    max_fuzz_int: Option<U256>,
 ) -> impl Strategy<Value = Address> + use<> {
     if !senders.targeted.is_empty() {
         any::<prop::sample::Index>().prop_map(move |index| *index.get(&senders.targeted)).boxed()
     } else {
         assert!(dictionary_weight <= 100, "dictionary_weight must be <= 100");
         proptest::prop_oneof![
-            100 - dictionary_weight => fuzz_param(&alloy_dyn_abi::DynSolType::Address),
-            dictionary_weight => fuzz_param_from_state(&alloy_dyn_abi::DynSolType::Address, fuzz_state),
+            100 - dictionary_weight => fuzz_param(&alloy_dyn_abi::DynSolType::Address, max_fuzz_int),
+            dictionary_weight => fuzz_param_from_state(&alloy_dyn_abi::DynSolType::Address, fuzz_state, max_fuzz_int),
         ]
         .prop_map(move |addr| {
             let mut addr = addr.as_address().unwrap();
@@ -122,13 +133,14 @@ pub fn fuzz_contract_with_calldata(
     fuzz_fixtures: &FuzzFixtures,
     target: Address,
     func: Function,
+    max_fuzz_int: Option<U256>,
 ) -> impl Strategy<Value = CallDetails> + use<> {
     // We need to compose all the strategies generated for each parameter in all possible
     // combinations.
     // `prop_oneof!` / `TupleUnion` `Arc`s for cheap cloning.
     prop_oneof![
-        60 => fuzz_calldata(func.clone(), fuzz_fixtures),
-        40 => fuzz_calldata_from_state(func, fuzz_state),
+        60 => fuzz_calldata(func.clone(), fuzz_fixtures, max_fuzz_int),
+        40 => fuzz_calldata_from_state(func, fuzz_state, max_fuzz_int),
     ]
     .prop_map(move |calldata| {
         trace!(input=?calldata);

crates/evm/fuzz/src/strategies/mod.rs

@@ -1,5 +1,5 @@
 mod int;
-pub use int::IntStrategy;
+pub use int::{IntStrategy, clamp};
 
 mod uint;
 pub use uint::UintStrategy;