feat(avm): avm fuzzer bytecode mutation

Author: IlyasRidhuan

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/fuzz.cpp

@@ -45,14 +45,14 @@ SimulatorResult fuzz_against_ts_simulator(FuzzerData& fuzzer_data)
 
     try {
         ws_mgr->checkpoint();
-        cpp_result = cpp_simulator.simulate(*ws_mgr, contract_db, tx);
+        cpp_result = cpp_simulator.simulate(*ws_mgr, contract_db, tx, /*public_data_writes=*/{});
         ws_mgr->revert();
     } catch (const std::exception& e) {
         throw std::runtime_error(std::string("CppSimulator threw an exception: ") + e.what());
     }
 
     ws_mgr->checkpoint();
-    auto js_result = js_simulator->simulate(*ws_mgr, contract_db, tx);
+    auto js_result = js_simulator->simulate(*ws_mgr, contract_db, tx, /*public_data_writes=*/{});
 
     ContractDBProxy::reset_instance();
 

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/fuzz.test.cpp

@@ -49,7 +49,7 @@ SimulatorResult simulate_with_default_tx(std::vector<uint8_t>& bytecode, std::ve
 
     ws_mgr->checkpoint();
     try {
-        auto result = cpp_simulator.simulate(*ws_mgr, contract_db, tx);
+        auto result = cpp_simulator.simulate(*ws_mgr, contract_db, tx, /*public_data_writes=*/empty_writes);
         ws_mgr->revert();
         ws_mgr->reset_world_state();
         return result;

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/simulator.cpp

@@ -30,10 +30,12 @@ using namespace bb::avm2::simulation;
 using namespace bb::avm2::fuzzer;
 using namespace bb::world_state;
 
-// Helper function to serialize simulation request via
-std::string serialize_simulation_request(const Tx& tx,
-                                         const GlobalVariables& globals,
-                                         const FuzzerContractDB& contract_db)
+// Helper function to serialize simulation request via msgpack
+std::string serialize_simulation_request(
+    const Tx& tx,
+    const GlobalVariables& globals,
+    const FuzzerContractDB& contract_db,
+    const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes)
 {
     // Build vectors from contract_db
     std::vector<ContractClass> classes_vec = contract_db.get_contract_classes();
@@ -46,6 +48,7 @@ std::string serialize_simulation_request(const Tx& tx,
         .globals = globals,
         .contract_classes = std::move(classes_vec),
         .contract_instances = std::move(instances_vec),
+        .public_data_writes = public_data_writes,
     };
 
     auto [buffer, size] = msgpack_encode_buffer(request);
@@ -69,10 +72,13 @@ GlobalVariables create_default_globals()
     };
 }
 
-SimulatorResult CppSimulator::simulate(fuzzer::FuzzerWorldStateManager& ws_mgr,
-                                       fuzzer::FuzzerContractDB& contract_db,
-                                       const Tx& tx)
+SimulatorResult CppSimulator::simulate(
+    fuzzer::FuzzerWorldStateManager& ws_mgr,
+    fuzzer::FuzzerContractDB& contract_db,
+    const Tx& tx,
+    [[maybe_unused]] const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes)
 {
+    // Note: public_data_writes are already applied to C++ world state in setup_fuzzer_state
 
     const PublicSimulatorConfig config{
         .skip_fee_enforcement = false,
@@ -137,13 +143,15 @@ void JsSimulator::initialize(std::string& simulator_path)
     instance = new JsSimulator(simulator_path);
 }
 
-SimulatorResult JsSimulator::simulate([[maybe_unused]] fuzzer::FuzzerWorldStateManager& ws_mgr,
-                                      fuzzer::FuzzerContractDB& contract_db,
-                                      const Tx& tx)
+SimulatorResult JsSimulator::simulate(
+    [[maybe_unused]] fuzzer::FuzzerWorldStateManager& ws_mgr,
+    fuzzer::FuzzerContractDB& contract_db,
+    const Tx& tx,
+    const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes)
 {
     auto globals = create_default_globals();
 
-    std::string serialized = serialize_simulation_request(tx, globals, contract_db);
+    std::string serialized = serialize_simulation_request(tx, globals, contract_db, public_data_writes);
 
     // Send the request
     process.write_line(serialized);

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/simulator.hpp

@@ -4,6 +4,7 @@
 
 #include "barretenberg/avm_fuzzer/common/interfaces/dbs.hpp"
 #include "barretenberg/avm_fuzzer/common/process.hpp"
+#include "barretenberg/crypto/merkle_tree/indexed_tree/indexed_leaf.hpp"
 #include "barretenberg/vm2/common/avm_io.hpp"
 #include "barretenberg/vm2/common/aztec_types.hpp"
 #include "barretenberg/vm2/common/field.hpp"
@@ -24,8 +25,11 @@ struct FuzzerSimulationRequest {
     std::vector<ContractClass> contract_classes;
     // Having addresses here avoids doing re-work in TS.
     std::vector<std::pair<AztecAddress, ContractInstance>> contract_instances;
+    // Public data tree writes to apply before simulation (e.g., for bytecode upgrades)
+    std::vector<bb::crypto::merkle_tree::PublicDataLeafValue> public_data_writes;
 
-    MSGPACK_CAMEL_CASE_FIELDS(ws_data_dir, ws_map_size_kb, tx, globals, contract_classes, contract_instances);
+    MSGPACK_CAMEL_CASE_FIELDS(
+        ws_data_dir, ws_map_size_kb, tx, globals, contract_classes, contract_instances, public_data_writes);
 };
 
 struct SimulatorResult {
@@ -45,17 +49,21 @@ class Simulator {
     Simulator(Simulator&&) = delete;
     Simulator& operator=(Simulator&&) = delete;
     Simulator() = default;
-    virtual SimulatorResult simulate(fuzzer::FuzzerWorldStateManager& ws_mgr,
-                                     fuzzer::FuzzerContractDB& contract_db,
-                                     const Tx& tx) = 0;
+    virtual SimulatorResult simulate(
+        fuzzer::FuzzerWorldStateManager& ws_mgr,
+        fuzzer::FuzzerContractDB& contract_db,
+        const Tx& tx,
+        const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes) = 0;
 };
 
 /// @brief uses barretenberg/vm2 to simulate the bytecode
 class CppSimulator : public Simulator {
   public:
-    SimulatorResult simulate(fuzzer::FuzzerWorldStateManager& ws_mgr,
-                             fuzzer::FuzzerContractDB& contract_db,
-                             const Tx& tx) override;
+    SimulatorResult simulate(
+        fuzzer::FuzzerWorldStateManager& ws_mgr,
+        fuzzer::FuzzerContractDB& contract_db,
+        const Tx& tx,
+        const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes) override;
 };
 
 /// @brief uses the yarn-project/simulator to simulate the bytecode
@@ -77,9 +85,11 @@ class JsSimulator : public Simulator {
     static JsSimulator* getInstance();
     static void initialize(std::string& simulator_path);
 
-    SimulatorResult simulate(fuzzer::FuzzerWorldStateManager& ws_mgr,
-                             fuzzer::FuzzerContractDB& contract_db,
-                             const Tx& tx) override;
+    SimulatorResult simulate(
+        fuzzer::FuzzerWorldStateManager& ws_mgr,
+        fuzzer::FuzzerContractDB& contract_db,
+        const Tx& tx,
+        const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes) override;
 };
 
 GlobalVariables create_default_globals();

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzzer_lib.cpp

@@ -25,14 +25,22 @@ using namespace bb::avm2::fuzzer;
 using namespace bb::avm2::simulation;
 using namespace bb::world_state;
 
+extern size_t LLVMFuzzerMutate(uint8_t* Data, size_t Size, size_t MaxSize);
+
 void setup_fuzzer_state(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contract_db, const FuzzerTxData& tx_data)
 {
     // Add all contract classes and instances to the contract DB
+    // There may be more classes than instances because of the possibility of mutated bytecodes that are used in
+    // upgrades - these are not directly instantiated
     for (size_t i = 0; i < tx_data.contract_classes.size(); ++i) {
         const auto& contract_class = tx_data.contract_classes[i];
+        contract_db.add_contract_class(contract_class.id, contract_class);
+    }
+
+    // Add contract instances to the contract DB
+    for (size_t i = 0; i < tx_data.contract_instances.size(); ++i) {
         const auto& contract_instance = tx_data.contract_instances[i];
         auto contract_address = tx_data.contract_addresses[i];
-        contract_db.add_contract_class(contract_class.id, contract_class);
         contract_db.add_contract_instance(contract_address, contract_instance);
     }
 
@@ -44,6 +52,15 @@ void setup_fuzzer_state(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contr
             ws_mgr.register_contract_address(addr);
         }
     }
+
+    // Apply public data tree writes (e.g., for contract instance upgrades)
+    if (!tx_data.public_data_writes.empty()) {
+        auto& ws = ws_mgr.get_world_state();
+        auto fork_id = ws_mgr.get_current_revision().forkId;
+        for (const auto& write : tx_data.public_data_writes) {
+            ws.update_public_data(write, fork_id);
+        }
+    }
 }
 
 void fund_fee_payer(FuzzerWorldStateManager& ws_mgr, const Tx& tx)
@@ -69,7 +86,7 @@ SimulatorResult fuzz_tx(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contr
 
     try {
         ws_mgr.checkpoint();
-        cpp_result = cpp_simulator.simulate(ws_mgr, contract_db, tx_data.tx);
+        cpp_result = cpp_simulator.simulate(ws_mgr, contract_db, tx_data.tx, tx_data.public_data_writes);
         ws_mgr.revert();
     } catch (const std::exception& e) {
         fuzz_info("CppSimulator threw an exception: ", e.what());
@@ -83,7 +100,7 @@ SimulatorResult fuzz_tx(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contr
     }
 
     ws_mgr.checkpoint();
-    auto js_result = js_simulator->simulate(ws_mgr, contract_db, tx_data.tx);
+    auto js_result = js_simulator->simulate(ws_mgr, contract_db, tx_data.tx, tx_data.public_data_writes);
 
     // If the results do not match
     if (!compare_simulator_results(cpp_result, js_result)) {
@@ -270,6 +287,7 @@ size_t mutate_tx_data(uint8_t* serialized_fuzzer_data,
     tx_data.contract_classes.clear();
     tx_data.contract_instances.clear();
     tx_data.contract_addresses.clear();
+    tx_data.public_data_writes.clear();
     std::vector<AztecAddress> contract_addresses;
 
     for (auto& fuzzer_data : tx_data.input_programs) {
@@ -297,17 +315,21 @@ size_t mutate_tx_data(uint8_t* serialized_fuzzer_data,
     }
 
     // Select mutation type (weighted against bytecode mutations) -- todo
-    auto mutation_type = std::uniform_int_distribution<uint8_t>(0, 0);
-    TxDataMutationType mutation_choice = static_cast<TxDataMutationType>(mutation_type(rng));
+    FuzzerTxDataMutationType mutation_choice = FUZZER_TX_DATA_MUTATION_CONFIGURATION.select(rng);
 
     switch (mutation_choice) {
-    case TxDataMutationType::TxMutation:
+    case FuzzerTxDataMutationType::TxMutation:
         mutate_tx(tx_data.tx, contract_addresses, rng);
         break;
-        // case TxDataMutationType::BytecodeMutation:
-        //     // todo: Maybe here we can do some direct mutations on the bytecode
-        //     // Mutations here are likely to cause immediate failure
-        //     break;
+    case FuzzerTxDataMutationType::BytecodeMutation: {
+        // Mutate bytecode and append public data writes for world state setup
+        mutate_bytecode(tx_data.contract_classes,
+                        tx_data.contract_instances,
+                        tx_data.contract_addresses,
+                        tx_data.public_data_writes,
+                        rng);
+        break;
+    }
         // case TxDataMutationType::ContractClassMutation:
         //     // Mutations here are likely to cause immediate failure
         //     break;

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzzer_lib.hpp

@@ -8,6 +8,9 @@
 #include "barretenberg/avm_fuzzer/common/interfaces/dbs.hpp"
 #include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_data.hpp"
 #include "barretenberg/avm_fuzzer/fuzz_lib/simulator.hpp"
+#include "barretenberg/avm_fuzzer/mutations/bytecode.hpp"
+#include "barretenberg/avm_fuzzer/mutations/tx_data.hpp"
+#include "barretenberg/crypto/merkle_tree/indexed_tree/indexed_leaf.hpp"
 #include "barretenberg/serialize/msgpack_impl.hpp"
 #include "barretenberg/vm2/common/avm_io.hpp"
 #include "barretenberg/vm2/common/aztec_types.hpp"
@@ -27,13 +30,17 @@ struct FuzzerTxData {
     GlobalVariables global_variables;
     ProtocolContracts protocol_contracts;
 
+    // Public data tree writes to be applied during state setup (e.g., for bytecode upgrades)
+    std::vector<bb::crypto::merkle_tree::PublicDataLeafValue> public_data_writes;
+
     MSGPACK_FIELDS(input_programs,
                    contract_classes,
                    contract_instances,
                    contract_addresses,
                    tx,
                    global_variables,
-                   protocol_contracts);
+                   protocol_contracts,
+                   public_data_writes);
 };
 
 inline std::ostream& operator<<(std::ostream& os, const FuzzerTxData& data)
@@ -49,16 +56,22 @@ using Bytecode = std::vector<uint8_t>;
 using ContractArtifacts = std::tuple<Bytecode, ContractClass, ContractInstance>;
 
 // Mutation configuration
-enum class TxDataMutationType : uint8_t {
+enum class FuzzerTxDataMutationType : uint8_t {
     TxMutation,
-    // todo: implement other mutation types
-    // BytecodeMutation,
+    BytecodeMutation,
     // ContractClassMutation,
     // ContractInstanceMutation,
     // GlobalVariablesMutation,
     // ProtocolContractsMutation
 };
 
+using FuzzerTxDataMutationConfig = WeightedSelectionConfig<FuzzerTxDataMutationType, 2>;
+
+constexpr FuzzerTxDataMutationConfig FUZZER_TX_DATA_MUTATION_CONFIGURATION = FuzzerTxDataMutationConfig({
+    { FuzzerTxDataMutationType::TxMutation, 10 },
+    { FuzzerTxDataMutationType::BytecodeMutation, 1 },
+});
+
 // Build bytecode and contract artifacts from fuzzer data
 ContractArtifacts build_bytecode_and_artifacts(FuzzerData& fuzzer_data);
 

barretenberg/cpp/src/barretenberg/avm_fuzzer/mutations/bytecode.cpp

@@ -0,0 +1,80 @@
+#include "barretenberg/avm_fuzzer/mutations/bytecode.hpp"
+
+#include "barretenberg/crypto/poseidon2/poseidon2.hpp"
+#include "barretenberg/vm2/common/aztec_constants.hpp"
+#include "barretenberg/vm2/simulation/lib/contract_crypto.hpp"
+
+extern "C" size_t LLVMFuzzerMutate(uint8_t* Data, size_t Size, size_t MaxSize);
+
+namespace bb::avm2::fuzzer {
+
+void mutate_bytecode(std::vector<ContractClass>& contract_classes,
+                     std::vector<ContractInstance>& contract_instances,
+                     const std::vector<AztecAddress>& contract_addresses,
+                     std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
+                     std::mt19937_64& rng)
+{
+    using Poseidon2 = crypto::Poseidon2<crypto::Poseidon2Bn254ScalarFieldParams>;
+
+    // Skip if no contracts to mutate
+    if (contract_classes.empty()) {
+        return;
+    }
+
+    // Select a random contract
+    size_t idx = std::uniform_int_distribution<size_t>(0, contract_classes.size() - 1)(rng);
+
+    ContractClass& klass = contract_classes[idx];
+    ContractInstance& instance = contract_instances[idx];
+    AztecAddress address = contract_addresses[idx];
+
+    // Copy bytecode and mutate it, we allow the default byte-wise fuzzing strategy to modify the
+    // bytecode, including expanding or shrinking it.
+    std::vector<uint8_t> bytecode = klass.packed_bytecode;
+    size_t original_size = bytecode.size();
+    size_t max_size = original_size * 2; // Allow growth up to 2x original size
+    // We have to resize before calling LLVMFuzzerMutate to ensure there's enough space without writing OOB
+    // We have to resize after so that the vector's metadata is correct
+    // LLVMFuzzerMutate is a C function that operates on raw pointers
+    bytecode.resize(max_size);
+    size_t new_size = LLVMFuzzerMutate(bytecode.data(), original_size, max_size);
+    bytecode.resize(new_size); // We need to resize here in case it shrunk
+
+    // Compute new bytecode commitment and class ID
+    FF new_bytecode_commitment = simulation::compute_public_bytecode_commitment(bytecode);
+    FF new_class_id = simulation::compute_contract_class_id(
+        klass.artifact_hash, klass.private_functions_root, new_bytecode_commitment);
+
+    // Store original class ID before modifications
+    FF original_class_id = instance.original_contract_class_id;
+
+    // Copy into NEW contract class with updated bytecode and id, we don't modify the existing one in case
+    // other instances refer to it
+    ContractClass new_class = klass;
+    new_class.id = new_class_id;
+    new_class.packed_bytecode = std::move(bytecode);
+
+    // Update instance's current class ID to point to the newly upgraded-to class
+    instance.current_contract_class_id = new_class_id;
+
+    // Add the new contract class to the vector (for serialization to TS)
+    contract_classes.push_back(new_class);
+
+    // Compute public data tree writes for UpdateCheck to pass
+    FF delayed_public_mutable_slot = Poseidon2::hash({ FF(UPDATED_CLASS_IDS_SLOT), address });
+
+    // Build preimage
+    FF metadata = 0; // The lower 32 bits are the timestamp_of_change, we set to 0 so it has "taken effect"
+    FF hash = Poseidon2::hash({ metadata, original_class_id, new_class_id });
+
+    std::array<FF, 4> values = { metadata, original_class_id, new_class_id, hash };
+
+    for (size_t i = 0; i < 4; i++) {
+        FF storage_slot = delayed_public_mutable_slot + i;
+        FF leaf_slot = Poseidon2::hash(
+            { FF(DOM_SEP__PUBLIC_LEAF_INDEX), FF(CONTRACT_INSTANCE_REGISTRY_CONTRACT_ADDRESS), storage_slot });
+        public_data_writes.push_back(bb::crypto::merkle_tree::PublicDataLeafValue{ leaf_slot, values[i] });
+    }
+}
+
+} // namespace bb::avm2::fuzzer

barretenberg/cpp/src/barretenberg/avm_fuzzer/mutations/bytecode.hpp

@@ -0,0 +1,16 @@
+#pragma once
+
+#include "barretenberg/crypto/merkle_tree/indexed_tree/indexed_leaf.hpp"
+#include "barretenberg/vm2/common/aztec_types.hpp"
+#include <random>
+#include <vector>
+
+namespace bb::avm2::fuzzer {
+
+void mutate_bytecode(std::vector<ContractClass>& contract_classes,
+                     std::vector<ContractInstance>& contract_instances,
+                     const std::vector<AztecAddress>& contract_addresses,
+                     std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
+                     std::mt19937_64& rng);
+
+} // namespace bb::avm2::fuzzer