feat: merge-train/avm (#19142)

BEGIN_COMMIT_OVERRIDE
fix(avm)!: emit unencrypted log memory underflow (#19076)
feat(avm_fuzzing): external calls (#19055)
feat: avm allow and ignore list for fuzzer preset (#19088)
feat(avm): seeding of fuzzer fee payer balance (#19089)
END_COMMIT_OVERRIDE

Author: jeanmon

barretenberg/cpp/cmake/fuzzing-avm-allowlist.txt

@@ -0,0 +1,2 @@
+# Instrument vm2
+src:*/vm2/*

barretenberg/cpp/cmake/fuzzing-avm-ignorelist.txt

@@ -0,0 +1,9 @@
+# Fuzzer instrumentation blocklist for AVM fuzzing
+# These directories contain heavy constraint/circuit code that we don't want instrumented
+# Format: src:<pattern> to match source files
+
+# Exclude constraining code (circuit constraint generation)
+src:*barretenberg/vm2/constraining/*
+
+# Exclude generated code (auto-generated circuit definitions)
+src:*barretenberg/vm2/generated/*

barretenberg/cpp/cmake/module.cmake

@@ -91,6 +91,14 @@ function(barretenberg_module_with_sources MODULE_NAME)
                 PRIVATE
                 -fsanitize=fuzzer-no-link
             )
+            if(FUZZING_AVM)
+                target_compile_options(
+                    ${MODULE_NAME}_objects
+                    PRIVATE
+                    -fsanitize-coverage-allowlist=${CMAKE_SOURCE_DIR}/cmake/fuzzing-avm-allowlist.txt
+                    -fsanitize-coverage-ignorelist=${CMAKE_SOURCE_DIR}/cmake/fuzzing-avm-ignorelist.txt
+                )
+            endif()
         endif()
 
         # enable msgpack downloading via dependency (solves race condition)

barretenberg/cpp/pil/vm2/opcodes/emit_unencrypted_log.pil

@@ -123,14 +123,14 @@ namespace emit_unencrypted_log;
     pol commit error_out_of_bounds; // Constrained to be boolean by the lookup into gt. (provided that start == 1).
 
     // TODO: Column needed until we support constants in lookups
-    pol commit max_mem_addr;
-    start * (max_mem_addr - constants.AVM_HIGHEST_MEM_ADDRESS) = 0;
+    pol commit max_mem_size;
+    start * (max_mem_size - constants.AVM_MEMORY_SIZE) = 0;
 
-    pol commit end_log_address;
-    start * (log_address + log_size - 1 - end_log_address) = 0;
+    pol commit end_log_address_upper_bound;
+    start * (log_address + log_size - end_log_address_upper_bound) = 0;
 
     #[CHECK_MEMORY_OUT_OF_BOUNDS]
-    start { end_log_address, max_mem_addr, error_out_of_bounds }
+    start { end_log_address_upper_bound, max_mem_size, error_out_of_bounds }
     in
     gt.sel_others { gt.input_a, gt.input_b, gt.res };
 

barretenberg/cpp/src/barretenberg/avm_fuzzer/CMakeLists.txt

@@ -1,4 +1,4 @@
-if(AVM AND FUZZING)
+if(FUZZING_AVM)
     # Collect source files, excluding the harness subdirectory to avoid duplicate targets
     file(GLOB_RECURSE SOURCE_FILES
         "${CMAKE_CURRENT_SOURCE_DIR}/*.cpp"

…c/barretenberg/avm_fuzzer/avm.fuzzer.cpp …g/avm_fuzzer/avm_differential.fuzzer.cppbarretenberg/cpp/src/barretenberg/avm_fuzzer/avm.fuzzer.cpp renamed to barretenberg/cpp/src/barretenberg/avm_fuzzer/avm_differential.fuzzer.cpp barretenberg/cpp/src/barretenberg/avm_fuzzer/avm.fuzzer.cpp renamed to barretenberg/cpp/src/barretenberg/avm_fuzzer/avm_differential.fuzzer.cpp

@@ -5,6 +5,8 @@
 #include <vector>
 
 #include "barretenberg/avm_fuzzer/common/interfaces/dbs.hpp"
+#include "barretenberg/avm_fuzzer/fuzz_lib/constants.hpp"
+#include "barretenberg/avm_fuzzer/fuzz_lib/contract_db_proxy.hpp"
 #include "barretenberg/avm_fuzzer/fuzz_lib/control_flow.hpp"
 #include "barretenberg/avm_fuzzer/fuzz_lib/fuzz.hpp"
 #include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_data.hpp"
@@ -40,7 +42,7 @@ SimulatorResult fuzz(const uint8_t* buffer, size_t size)
 
     FuzzerWorldStateManager* ws_mgr = FuzzerWorldStateManager::getInstance();
     ws_mgr->fork();
-    auto res = fuzz(deserialized_data);
+    auto res = fuzz_against_ts_simulator(deserialized_data);
     ws_mgr->reset_world_state();
 
     return res;

barretenberg/cpp/src/barretenberg/avm_fuzzer/common/interfaces/dbs.cpp

@@ -5,9 +5,12 @@
 
 #include "barretenberg/common/throw_or_abort.hpp"
 #include "barretenberg/crypto/merkle_tree/indexed_tree/indexed_leaf.hpp"
+#include "barretenberg/crypto/poseidon2/poseidon2.hpp"
+#include "barretenberg/vm2/common/aztec_constants.hpp"
 #include "barretenberg/vm2/common/aztec_types.hpp"
 
 using namespace bb::avm2::simulation;
+using Poseidon2 = bb::crypto::Poseidon2<bb::crypto::Poseidon2Bn254ScalarFieldParams>;
 using namespace bb::crypto::merkle_tree;
 using namespace bb::world_state;
 
@@ -237,11 +240,13 @@ void FuzzerContractDB::add_contracts(const ContractDeploymentData& contract_depl
 void FuzzerContractDB::add_contract_class(const ContractClassId& class_id, const ContractClass& contract_class)
 {
     contract_classes[class_id] = contract_class;
+    contract_classes_vector.push_back(contract_class);
 }
 
 void FuzzerContractDB::add_contract_instance(const AztecAddress& address, const ContractInstance& contract_instance)
 {
     contract_instances[address] = contract_instance;
+    contract_instances_vector.push_back({ address, contract_instance });
 }
 
 // Based on fromLogs in yarn-project/protocol-contracts/src/class-registry/contract_class_published_event.ts
@@ -378,4 +383,18 @@ void FuzzerWorldStateManager::register_contract_address(const AztecAddress& cont
     ws->insert_indexed_leaves<NullifierLeafValue>(MerkleTreeId::NULLIFIER_TREE, { contract_nullifier }, fork_id);
 }
 
+void FuzzerWorldStateManager::write_fee_payer_balance(const AztecAddress& fee_payer, const FF& balance)
+{
+    if (fee_payer == 0) {
+        return;
+    }
+    FF fee_juice_balance_slot = Poseidon2::hash({ FEE_JUICE_BALANCES_SLOT, fee_payer });
+    FF leaf_slot =
+        Poseidon2::hash({ GENERATOR_INDEX__PUBLIC_LEAF_INDEX, FF(FEE_JUICE_ADDRESS), fee_juice_balance_slot });
+
+    // Write to public data tree using current fork
+    auto fork_id = fork_ids.top();
+    ws->update_public_data(PublicDataLeafValue(leaf_slot, balance), fork_id);
+}
+
 } // namespace bb::avm2::fuzzer

barretenberg/cpp/src/barretenberg/avm_fuzzer/common/interfaces/dbs.hpp

@@ -83,10 +83,10 @@ class FuzzerContractDB : public simulation::ContractDBInterface {
     void revert_checkpoint() override;
 
     // Getters for serialization
-    const std::unordered_map<ContractClassId, ContractClass>& get_contract_classes() const { return contract_classes; }
-    const std::unordered_map<AztecAddress, ContractInstance>& get_contract_instances() const
+    const std::vector<ContractClass>& get_contract_classes() const { return contract_classes_vector; }
+    const std::vector<std::pair<AztecAddress, ContractInstance>>& get_contract_instances() const
     {
-        return contract_instances;
+        return contract_instances_vector;
     }
 
   private:
@@ -96,6 +96,10 @@ class FuzzerContractDB : public simulation::ContractDBInterface {
     std::unordered_map<ContractClassId, ContractClass> contract_classes;
     std::unordered_map<AztecAddress, ContractInstance> contract_instances;
 
+    // Used for serialization keeping track of the order of the contracts and instances
+    std::vector<ContractClass> contract_classes_vector;
+    std::vector<std::pair<AztecAddress, ContractInstance>> contract_instances_vector;
+
     struct Checkpoint {
         std::unordered_map<ContractClassId, ContractClass> contract_classes;
         std::unordered_map<AztecAddress, ContractInstance> contract_instances;
@@ -135,6 +139,7 @@ class FuzzerWorldStateManager {
 
     void reset_world_state();
     void register_contract_address(const AztecAddress& contract_address);
+    void write_fee_payer_balance(const AztecAddress& fee_payer, const FF& balance);
 
     world_state::WorldStateRevision get_current_revision() const;
     world_state::WorldStateRevision fork();

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/constants.hpp

@@ -18,10 +18,10 @@ const FF SLOT_NUMBER = 1;
 const uint64_t TIMESTAMP = 1000000;
 const EthAddress COINBASE = EthAddress{ 0 };
 const AztecAddress FEE_RECIPIENT = AztecAddress{ 0 };
-const uint128_t FEE_PER_DA_GAS = 1;
-const uint128_t FEE_PER_L2_GAS = 1;
+constexpr uint128_t FEE_PER_DA_GAS = 1;
+constexpr uint128_t FEE_PER_L2_GAS = 1;
 const std::string TRANSACTION_HASH = "0xdeadbeef";
-const GasFees EFFECTIVE_GAS_FEES = GasFees{ .fee_per_da_gas = 0, .fee_per_l2_gas = 0 };
+constexpr GasFees EFFECTIVE_GAS_FEES = GasFees{ .fee_per_da_gas = FEE_PER_DA_GAS, .fee_per_l2_gas = FEE_PER_L2_GAS };
 const FF FIRST_NULLIFIER = FF("0x00000000000000000000000000000000000000000000000000000000deadbeef");
 const std::vector<FF> NON_REVERTIBLE_ACCUMULATED_DATA_NULLIFIERS = { FIRST_NULLIFIER };
 const std::vector<FF> NON_REVERTIBLE_ACCUMULATED_DATA_NOTE_HASHES = {};
@@ -49,3 +49,10 @@ inline void fuzz_info_(std::function<std::string()> func)
 }
 
 #define fuzz_info(...) fuzz_info_([&]() { return format(__VA_ARGS__); })
+
+// =========== Pre defined functions ===========
+// Taken from ADD_8 test in fuzz.test.cpp
+const std::vector<uint8_t> ADD_8_BYTECODE = { 39, 0,  0, 2, 5, 39, 0, 1, 2,  2, 0, 0, 0, 1,
+                                              2,  40, 0, 0, 5, 4,  0, 1, 59, 0, 0, 5, 0, 2 };
+
+const std::vector<std::vector<uint8_t>> PREDEFINED_FUNCTIONS = { ADD_8_BYTECODE };

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/contract_db_proxy.cpp

@@ -0,0 +1,145 @@
+#include "barretenberg/avm_fuzzer/fuzz_lib/contract_db_proxy.hpp"
+
+#include "barretenberg/avm_fuzzer/common/interfaces/dbs.hpp"
+#include "barretenberg/avm_fuzzer/fuzz_lib/constants.hpp"
+#include "barretenberg/avm_fuzzer/fuzz_lib/control_flow.hpp"
+#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_data.hpp"
+#include "barretenberg/avm_fuzzer/fuzz_lib/simulator.hpp"
+#include "barretenberg/common/log.hpp"
+#include "barretenberg/vm2/simulation/lib/contract_crypto.hpp"
+
+using namespace bb::avm2::fuzzer;
+
+// Temp Helper function to create a default contract class from bytecode
+ContractClass create_default_class(const std::vector<uint8_t>& bytecode)
+{
+    // This isn't strictly needed for pure simulation, but if we want to re-use inputs in proving we need valid
+    // commitment
+    auto bytecode_commitment = simulation::compute_public_bytecode_commitment(bytecode);
+    auto class_id =
+        simulation::compute_contract_class_id(/*artifact_hash=*/0, /*private_fn_root=*/0, bytecode_commitment);
+    return ContractClass{
+        .id = class_id,
+        .artifact_hash = 0,
+        .private_functions_root = 0,
+        .packed_bytecode = bytecode,
+    };
+}
+
+// Temp Helper function to create a default contract instance from a class ID
+ContractInstance create_default_instance(const ContractClassId& class_id)
+{
+    return ContractInstance{
+        .salt = 0,
+        .deployer = MSG_SENDER,
+        .current_contract_class_id = class_id,
+        .original_contract_class_id = class_id,
+        .initialization_hash = 0,
+        .public_keys = PublicKeys{},
+    };
+}
+
+// Temp Helper function to compute contract address from instance
+AztecAddress compute_contract_address(const ContractInstance& instance)
+{
+    // This isn't strictly needed for pure simulation, but if we want to re-use inputs in proving we need valid
+    // addresses
+    return simulation::compute_contract_address(instance);
+}
+
+// Creates a default transaction that the single app logic enqueued call can be inserted into
+Tx create_default_tx(const AztecAddress& contract_address,
+                     const AztecAddress& sender_address,
+                     const std::vector<FF>& calldata,
+                     [[maybe_unused]] const FF& transaction_fee,
+                     bool is_static_call,
+                     const Gas& gas_limit)
+{
+    return Tx{
+        .hash = TRANSACTION_HASH,
+        .gas_settings = GasSettings{
+            .gas_limits = gas_limit,
+            .max_fees_per_gas = GasFees{ .fee_per_da_gas = FEE_PER_DA_GAS, .fee_per_l2_gas = FEE_PER_L2_GAS },
+        },
+        .effective_gas_fees = EFFECTIVE_GAS_FEES,
+        .non_revertible_accumulated_data = AccumulatedData{
+            .note_hashes = NON_REVERTIBLE_ACCUMULATED_DATA_NOTE_HASHES,
+            // This nullifier is needed to make the nonces for note hashes and expected by simulation_helper
+            .nullifiers = NON_REVERTIBLE_ACCUMULATED_DATA_NULLIFIERS,
+            .l2_to_l1_messages = NON_REVERTIBLE_ACCUMULATED_DATA_L2_TO_L1_MESSAGES,
+        },
+        .revertible_accumulated_data = AccumulatedData{
+            .note_hashes = REVERTIBLE_ACCUMULATED_DATA_NOTE_HASHES,
+            .nullifiers = REVERTIBLE_ACCUMULATED_DATA_NULLIFIERS,
+            .l2_to_l1_messages = REVERTIBLE_ACCUMULATED_DATA_L2_TO_L1_MESSAGES,
+        },
+        .setup_enqueued_calls = SETUP_ENQUEUED_CALLS,
+        .app_logic_enqueued_calls = {
+            PublicCallRequestWithCalldata{
+                .request = PublicCallRequest{
+                    .msg_sender = MSG_SENDER,
+                    .contract_address = contract_address,
+                    .is_static_call = is_static_call,
+                    .calldata_hash = 0,
+                },
+                .calldata = calldata,
+            },
+        },
+        .teardown_enqueued_call = TEARDOWN_ENQUEUED_CALLS,
+        .gas_used_by_private = GAS_USED_BY_PRIVATE,
+        .fee_payer = sender_address,
+    };
+}
+
+namespace bb::avm2::fuzzer {
+
+ContractDBProxy* ContractDBProxy::instance = nullptr;
+
+ContractDBProxy::ContractDBProxy()
+{
+    contract_db = new FuzzerContractDB();
+}
+
+ContractDBProxy* ContractDBProxy::get_instance()
+{
+    if (instance == nullptr) {
+        instance = new ContractDBProxy();
+    }
+    return instance;
+}
+
+FF ContractDBProxy::register_contract_from_bytecode(const std::vector<uint8_t>& bytecode)
+{
+    if (instance == nullptr) {
+        instance = new ContractDBProxy();
+    }
+    auto default_class = create_default_class(bytecode);
+    auto default_instance = create_default_instance(default_class.id);
+    auto contract_address = simulation::compute_contract_address(default_instance);
+    instance->contract_db->add_contract_class(default_class.id, default_class);
+    instance->contract_db->add_contract_instance(contract_address, default_instance);
+    instance->registered_contract_addresses.push_back(contract_address);
+
+    FuzzerWorldStateManager::getInstance()->register_contract_address(contract_address);
+    return contract_address;
+}
+
+FF ContractDBProxy::get_function_address(size_t index)
+{
+    if (instance == nullptr) {
+        instance = new ContractDBProxy();
+    }
+    if (instance->registered_contract_addresses.size() < 1) {
+        return FF::zero();
+    }
+    return instance->registered_contract_addresses[index % (instance->registered_contract_addresses.size())];
+}
+
+void ContractDBProxy::reset_instance()
+{
+    if (instance != nullptr) {
+        delete instance;
+        instance = new ContractDBProxy();
+    }
+}
+} // namespace bb::avm2::fuzzer