Skip to content

Commit

Permalink
Merge branch 'master' into dev/reversion-metrics
Browse files Browse the repository at this point in the history
  • Loading branch information
bsamuels453 authored Sep 9, 2024
2 parents 65786b7 + 7816944 commit d243328
Show file tree
Hide file tree
Showing 16 changed files with 199 additions and 77 deletions.
19 changes: 18 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
`medusa` is a cross-platform [go-ethereum](https://github.com/ethereum/go-ethereum/)-based smart contract fuzzer inspired by [Echidna](https://github.com/crytic/echidna).
It provides parallelized fuzz testing of smart contracts through CLI, or its Go API that allows custom user-extended testing methodology.

**Disclaimer**: Please note that `medusa` is an **experimental** smart contract fuzzer. Currently, it should _not_ be adopted into production systems. We intend for `medusa` to reach the same capabilities and maturity that Echidna has. Until then, be careful using `medusa` as your primary smart contract fuzz testing solution. Additionally, please be aware that the Go-level testing API is still **under development** and is subject to breaking changes.
**Disclaimer**: The Go-level testing API is still **under development** and is subject to breaking changes.

## Features

Expand All @@ -29,6 +29,23 @@ cd docs
mdbook serve
```

## Install

MacOS users can install the latest release of `medusa` using Homebrew:

```shell

brew install medusa
```

The master branch can be installed using the following command:

```shell
brew install --HEAD medusa
```

For more information on building from source or obtaining binaries for Windows and Linux, please refer to the [installation guide](./docs/src/getting_started/installation.md).

## Contributing

For information about how to contribute to this project, check out the [CONTRIBUTING](./CONTRIBUTING.md) guidelines.
Expand Down
3 changes: 3 additions & 0 deletions chain/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ type TestChainConfig struct {
// CheatCodeConfig indicates the configuration for EVM cheat codes to use.
CheatCodeConfig CheatCodeConfig `json:"cheatCodes"`

// SkipAccountChecks skips account pre-checks like nonce validation and disallowing non-EOA tx senders (this is done in eth_call, for instance).
SkipAccountChecks bool `json:"skipAccountChecks"`

// ContractAddressOverrides describes contracts that are going to be deployed at deterministic addresses
ContractAddressOverrides map[common.Hash]common.Address `json:"contractAddressOverrides,omitempty"`
}
Expand Down
1 change: 1 addition & 0 deletions chain/config/config_defaults.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ func DefaultTestChainConfig() (*TestChainConfig, error) {
CheatCodesEnabled: true,
EnableFFI: false,
},
SkipAccountChecks: true,
}

// Return the generated configuration.
Expand Down
2 changes: 1 addition & 1 deletion chain/test_chain_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -539,7 +539,7 @@ func TestChainCloning(t *testing.T) {
})
}

// TestCallSequenceReplayMatchSimple creates a TestChain, sends some messages to it, then creates another chain which
// TestChainCallSequenceReplayMatchSimple creates a TestChain, sends some messages to it, then creates another chain which
// it replays the same sequence on. It ensures that the ending state is the same.
// Note: this does not set block timestamps or other data that might be non-deterministic.
// This does not test replaying with a previous call sequence with different timestamps, etc. It expects the TestChain
Expand Down
6 changes: 6 additions & 0 deletions docs/src/project_configuration/chain_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,12 @@ The chain configuration defines the parameters for setting up `medusa`'s underly
- > 🚩 Setting `codeSizeCheckDisabled` to `false` is not recommended since it complicates the fuzz testing process.
- **Default**: `true`

### `skipAccountChecks`

- **Type**: Boolean
- **Description**: If `true`, account-related checks (nonce validation, transaction origin must be an EOA) are disabled in `go-ethereum`.
- **Default**: `true`

## Cheatcode Configuration

### `cheatCodesEnabled`
Expand Down
9 changes: 7 additions & 2 deletions docs/src/static/medusa.json
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,12 @@
"workerResetLimit": 50,
"timeout": 0,
"testLimit": 0,
"shrinkLimit": 5000,
"callSequenceLength": 100,
"corpusDirectory": "",
"coverageEnabled": true,
"targetContracts": [],
"predeployedContracts": {},
"targetContractsBalances": [],
"constructorArgs": {},
"deployerAddress": "0x30000",
Expand Down Expand Up @@ -45,14 +47,17 @@
"optimizationTesting": {
"enabled": true,
"testPrefixes": ["optimize_"]
}
},
"targetFunctionSignatures": [],
"excludeFunctionSignatures": []
},
"chainConfig": {
"codeSizeCheckDisabled": true,
"cheatCodes": {
"cheatCodesEnabled": true,
"enableFFI": false
}
},
"skipAccountChecks": true
}
},
"compilation": {
Expand Down
2 changes: 1 addition & 1 deletion fuzzing/calls/call_sequence_execution.go
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ func ExecuteCallSequence(chain *chain.TestChain, callSequence CallSequence) (Cal
return ExecuteCallSequenceIteratively(chain, fetchElementFunc, nil)
}

// ExecuteCallSequenceWithTracer attaches an executiontracer.ExecutionTracer to ExecuteCallSequenceIteratively and attaches execution traces to the call sequence elements.
// ExecuteCallSequenceWithExecutionTracer attaches an executiontracer.ExecutionTracer to ExecuteCallSequenceIteratively and attaches execution traces to the call sequence elements.
func ExecuteCallSequenceWithExecutionTracer(testChain *chain.TestChain, contractDefinitions contracts.Contracts, callSequence CallSequence, verboseTracing bool) (CallSequence, error) {
// Create a new execution tracer
executionTracer := executiontracer.NewExecutionTracer(contractDefinitions, testChain.CheatCodeContracts())
Expand Down
155 changes: 99 additions & 56 deletions fuzzing/corpus/corpus.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,13 @@ import (
"bytes"
"fmt"
"math/big"
"os"
"path/filepath"
"sync"
"time"

"github.com/crytic/medusa/utils"

"github.com/crytic/medusa/chain"
"github.com/crytic/medusa/fuzzing/calls"
"github.com/crytic/medusa/fuzzing/coverage"
Expand All @@ -30,13 +33,8 @@ type Corpus struct {
// coverageMaps describes the total code coverage known to be achieved across all corpus call sequences.
coverageMaps *coverage.CoverageMaps

// mutableSequenceFiles represents a corpus directory with files which describe call sequences that should
// be used for mutations.
mutableSequenceFiles *corpusDirectory[calls.CallSequence]

// immutableSequenceFiles represents a corpus directory with files which describe call sequences that should not be
// used for mutations.
immutableSequenceFiles *corpusDirectory[calls.CallSequence]
// callSequenceFiles represents a corpus directory with files that should be used for mutations.
callSequenceFiles *corpusDirectory[calls.CallSequence]

// testResultSequenceFiles represents a corpus directory with files which describe call sequences that were flagged
// to be saved by a test case provider. These are not used in mutations.
Expand Down Expand Up @@ -66,25 +64,25 @@ func NewCorpus(corpusDirectory string) (*Corpus, error) {
corpus := &Corpus{
storageDirectory: corpusDirectory,
coverageMaps: coverage.NewCoverageMaps(),
mutableSequenceFiles: newCorpusDirectory[calls.CallSequence](""),
immutableSequenceFiles: newCorpusDirectory[calls.CallSequence](""),
callSequenceFiles: newCorpusDirectory[calls.CallSequence](""),
testResultSequenceFiles: newCorpusDirectory[calls.CallSequence](""),
unexecutedCallSequences: make([]calls.CallSequence, 0),
logger: logging.GlobalLogger.NewSubLogger("module", "corpus"),
}

// If we have a corpus directory set, parse our call sequences.
if corpus.storageDirectory != "" {
// Read mutable call sequences.
corpus.mutableSequenceFiles.path = filepath.Join(corpus.storageDirectory, "call_sequences", "mutable")
err = corpus.mutableSequenceFiles.readFiles("*.json")
// Migrate the legacy corpus structure
// Note that it is important to call this first since we want to move all the call sequence files before reading
// them into the corpus
err = corpus.migrateLegacyCorpus()
if err != nil {
return nil, err
}

// Read immutable call sequences.
corpus.immutableSequenceFiles.path = filepath.Join(corpus.storageDirectory, "call_sequences", "immutable")
err = corpus.immutableSequenceFiles.readFiles("*.json")
// Read call sequences.
corpus.callSequenceFiles.path = filepath.Join(corpus.storageDirectory, "call_sequences")
err = corpus.callSequenceFiles.readFiles("*.json")
if err != nil {
return nil, err
}
Expand All @@ -100,26 +98,90 @@ func NewCorpus(corpusDirectory string) (*Corpus, error) {
return corpus, nil
}

// migrateLegacyCorpus is used to read in the legacy corpus standard where call sequences were stored in two separate
// directories (mutable/immutable).
func (c *Corpus) migrateLegacyCorpus() error {
// Check to see if the mutable and/or the immutable directories exist
callSequencePath := filepath.Join(c.storageDirectory, "call_sequences")
mutablePath := filepath.Join(c.storageDirectory, "call_sequences", "mutable")
immutablePath := filepath.Join(c.storageDirectory, "call_sequences", "immutable")

// Only return an error if the error is something other than "filepath does not exist"
mutableDirInfo, err := os.Stat(mutablePath)
if err != nil && !os.IsNotExist(err) {
return err
}
immutableDirInfo, err := os.Stat(immutablePath)
if err != nil && !os.IsNotExist(err) {
return err
}

// Return early if these directories do not exist
if mutableDirInfo == nil && immutableDirInfo == nil {
return nil
}

// Now, we need to notify the user that we have detected a legacy structure
c.logger.Info("Migrating legacy corpus")

// If the mutable directory exists, read in all the files and add them to the call sequence files
if mutableDirInfo != nil {
// Discover all corpus files in the given directory.
filePaths, err := filepath.Glob(filepath.Join(mutablePath, "*.json"))
if err != nil {
return err
}

// Move each file from the mutable directory to the parent call_sequences directory
for _, filePath := range filePaths {
err = utils.MoveFile(filePath, filepath.Join(callSequencePath, filepath.Base(filePath)))
if err != nil {
return err
}
}

// Delete the mutable directory
err = utils.DeleteDirectory(mutablePath)
if err != nil {
return err
}
}

// If the immutable directory exists, read in all the files and add them to the call sequence files
if immutableDirInfo != nil {
// Discover all corpus files in the given directory.
filePaths, err := filepath.Glob(filepath.Join(immutablePath, "*.json"))
if err != nil {
return err
}

// Move each file from the immutable directory to the parent call_sequences directory
for _, filePath := range filePaths {
err = utils.MoveFile(filePath, filepath.Join(callSequencePath, filepath.Base(filePath)))
if err != nil {
return err
}
}

// Delete the immutable directory
err = utils.DeleteDirectory(immutablePath)
if err != nil {
return err
}
}

return nil
}

// CoverageMaps exposes coverage details for all call sequences known to the corpus.
func (c *Corpus) CoverageMaps() *coverage.CoverageMaps {
return c.coverageMaps
}

// CallSequenceEntryCount returns the total number of call sequences entries in the corpus, based on the provided filter
// flags. Some call sequences may not be valid for use if they fail validation when initializing the corpus.
// Returns the count of the requested call sequence entries.
func (c *Corpus) CallSequenceEntryCount(mutable bool, immutable bool, testResults bool) int {
count := 0
if mutable {
count += len(c.mutableSequenceFiles.files)
}
if immutable {
count += len(c.immutableSequenceFiles.files)
}
if testResults {
count += len(c.testResultSequenceFiles.files)
}
return count
// CallSequenceEntryCount returns the total number of call sequences that increased coverage and also any test results
// that led to a failure.
func (c *Corpus) CallSequenceEntryCount() (int, int) {
return len(c.callSequenceFiles.files), len(c.testResultSequenceFiles.files)
}

// ActiveMutableSequenceCount returns the count of call sequences recorded in the corpus which have been validated
Expand Down Expand Up @@ -302,18 +364,13 @@ func (c *Corpus) Initialize(baseTestChain *chain.TestChain, contractDefinitions
return 0, 0, err
}

err = c.initializeSequences(c.mutableSequenceFiles, testChain, deployedContracts, true)
if err != nil {
return 0, 0, err
}

err = c.initializeSequences(c.immutableSequenceFiles, testChain, deployedContracts, false)
err = c.initializeSequences(c.callSequenceFiles, testChain, deployedContracts, true)
if err != nil {
return 0, 0, err
}

// Calculate corpus health metrics
corpusSequencesTotal := len(c.mutableSequenceFiles.files) + len(c.immutableSequenceFiles.files) + len(c.testResultSequenceFiles.files)
corpusSequencesTotal := len(c.callSequenceFiles.files) + len(c.testResultSequenceFiles.files)
corpusSequencesActive := len(c.unexecutedCallSequences)

return corpusSequencesActive, corpusSequencesTotal, nil
Expand Down Expand Up @@ -411,17 +468,9 @@ func (c *Corpus) CheckSequenceCoverageAndUpdate(callSequence calls.CallSequence,
}

// If we had an increase in non-reverted or reverted coverage, we save the sequence.
// Note: We only want to save the sequence once. We're most interested if it can be used for mutations first.
if coverageUpdated {
// If we achieved new non-reverting coverage, save this sequence for mutation purposes.
err = c.addCallSequence(c.mutableSequenceFiles, callSequence, true, mutationChooserWeight, flushImmediately)
if err != nil {
return err
}
} else if revertedCoverageUpdated {
// If we did not achieve new successful coverage, but achieved an increase in reverted coverage, save this
// sequence for non-mutation purposes.
err = c.addCallSequence(c.immutableSequenceFiles, callSequence, false, mutationChooserWeight, flushImmediately)
if coverageUpdated || revertedCoverageUpdated {
// If we achieved new coverage, save this sequence for mutation purposes.
err = c.addCallSequence(c.callSequenceFiles, callSequence, true, mutationChooserWeight, flushImmediately)
if err != nil {
return err
}
Expand Down Expand Up @@ -470,8 +519,8 @@ func (c *Corpus) Flush() error {
c.callSequencesLock.Lock()
defer c.callSequencesLock.Unlock()

// Write mutation target call sequences.
err := c.mutableSequenceFiles.writeFiles()
// Write all coverage-increasing call sequences.
err := c.callSequenceFiles.writeFiles()
if err != nil {
return err
}
Expand All @@ -482,11 +531,5 @@ func (c *Corpus) Flush() error {
return err
}

// Write other call sequences.
err = c.immutableSequenceFiles.writeFiles()
if err != nil {
return err
}

return nil
}
Loading

0 comments on commit d243328

Please sign in to comment.