feat(avm): protocol contractg mutations (#19586)

Protocol contract mutations turned out to be much more complex. Might've
been easier to implement a hardcoded set.

We need to ensure we re-validate the enqueued calls whenever we mutate
the protocol contracts since we could have invalidated some addresses.

Note: The TS simulation required a change to match the cpp simulator

Author: IlyasRidhuan

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/fuzz.cpp

@@ -44,16 +44,26 @@ SimulatorResult fuzz_against_ts_simulator(FuzzerData& fuzzer_data, FuzzerContext
 
     try {
         ws_mgr->checkpoint();
-        cpp_result =
-            cpp_simulator.simulate(*ws_mgr, contract_db, tx, globals, /*public_data_writes=*/{}, /*note_hashes=*/{});
+        cpp_result = cpp_simulator.simulate(*ws_mgr,
+                                            contract_db,
+                                            tx,
+                                            globals,
+                                            /*public_data_writes=*/{},
+                                            /*note_hashes=*/{},
+                                            /*protocol_contracts=*/{});
         ws_mgr->revert();
     } catch (const std::exception& e) {
         throw std::runtime_error(std::string("CppSimulator threw an exception: ") + e.what());
     }
 
     ws_mgr->checkpoint();
-    auto js_result =
-        js_simulator->simulate(*ws_mgr, contract_db, tx, globals, /*public_data_writes=*/{}, /*note_hashes=*/{});
+    auto js_result = js_simulator->simulate(*ws_mgr,
+                                            contract_db,
+                                            tx,
+                                            globals,
+                                            /*public_data_writes=*/{},
+                                            /*note_hashes=*/{},
+                                            /*protocol_contracts=*/{});
 
     context.reset();
 

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/fuzz.test.cpp

@@ -65,7 +65,13 @@ class FuzzTest : public ::testing::Test {
         auto cpp_simulator = CppSimulator();
         auto globals = create_default_globals();
 
-        auto result = cpp_simulator.simulate(*ws_mgr, contract_db, tx, globals, /*public_data_writes=*/{}, {});
+        auto result = cpp_simulator.simulate(*ws_mgr,
+                                             contract_db,
+                                             tx,
+                                             globals,
+                                             /*public_data_writes=*/{},
+                                             /*note_hashes=*/{},
+                                             /*protocol_contracts=*/{});
 
         ws_mgr->revert();
 

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/simulator.cpp

@@ -39,7 +39,8 @@ std::string serialize_simulation_request(
     const GlobalVariables& globals,
     const FuzzerContractDB& contract_db,
     const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
-    const std::vector<FF>& note_hashes)
+    const std::vector<FF>& note_hashes,
+    const ProtocolContracts& protocol_contracts)
 {
     // Build vectors from contract_db
     std::vector<ContractClass> classes_vec = contract_db.get_contract_classes();
@@ -54,6 +55,7 @@ std::string serialize_simulation_request(
         .contract_instances = std::move(instances_vec),
         .public_data_writes = public_data_writes,
         .note_hashes = note_hashes,
+        .protocol_contracts = protocol_contracts,
     };
 
     auto [buffer, size] = msgpack_encode_buffer(request);
@@ -83,7 +85,8 @@ SimulatorResult CppSimulator::simulate(
     const Tx& tx,
     const GlobalVariables& globals,
     [[maybe_unused]] const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
-    [[maybe_unused]] const std::vector<FF>& note_hashes)
+    [[maybe_unused]] const std::vector<FF>& note_hashes,
+    const ProtocolContracts& protocol_contracts)
 {
     // Note: public_data_writes and note_hashes are already applied to C++ world state in setup_fuzzer_state
 
@@ -96,8 +99,6 @@ SimulatorResult CppSimulator::simulate(
         },
     };
 
-    ProtocolContracts protocol_contracts{};
-
     WorldState& ws = ws_mgr.get_world_state();
     WorldStateRevision ws_rev = ws_mgr.get_current_revision();
 
@@ -157,9 +158,11 @@ SimulatorResult JsSimulator::simulate(
     const Tx& tx,
     const GlobalVariables& globals,
     const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
-    const std::vector<FF>& note_hashes)
+    const std::vector<FF>& note_hashes,
+    const ProtocolContracts& protocol_contracts)
 {
-    std::string serialized = serialize_simulation_request(tx, globals, contract_db, public_data_writes, note_hashes);
+    std::string serialized =
+        serialize_simulation_request(tx, globals, contract_db, public_data_writes, note_hashes, protocol_contracts);
 
     // Send the request
     process.write_line(serialized);

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/simulator.hpp

@@ -29,6 +29,8 @@ struct FuzzerSimulationRequest {
     std::vector<bb::crypto::merkle_tree::PublicDataLeafValue> public_data_writes;
     // Note hashes to be applied before simulation
     std::vector<FF> note_hashes;
+    // Protocol contracts mapping (canonical address index -> derived address)
+    ProtocolContracts protocol_contracts;
 
     MSGPACK_CAMEL_CASE_FIELDS(ws_data_dir,
                               ws_map_size_kb,
@@ -37,7 +39,8 @@ struct FuzzerSimulationRequest {
                               contract_classes,
                               contract_instances,
                               public_data_writes,
-                              note_hashes);
+                              note_hashes,
+                              protocol_contracts);
 };
 
 struct SimulatorResult {
@@ -63,7 +66,8 @@ class Simulator {
         const Tx& tx,
         const GlobalVariables& globals,
         const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
-        const std::vector<FF>& note_hashes) = 0;
+        const std::vector<FF>& note_hashes,
+        const ProtocolContracts& protocol_contracts) = 0;
 };
 
 /// @brief uses barretenberg/vm2 to simulate the bytecode
@@ -74,7 +78,8 @@ class CppSimulator : public Simulator {
                              const Tx& tx,
                              const GlobalVariables& globals,
                              const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
-                             const std::vector<FF>& note_hashes) override;
+                             const std::vector<FF>& note_hashes,
+                             const ProtocolContracts& protocol_contracts) override;
 };
 
 /// @brief uses the yarn-project/simulator to simulate the bytecode
@@ -101,7 +106,8 @@ class JsSimulator : public Simulator {
                              const Tx& tx,
                              const GlobalVariables& globals,
                              const std::vector<bb::crypto::merkle_tree::PublicDataLeafValue>& public_data_writes,
-                             const std::vector<FF>& note_hashes) override;
+                             const std::vector<FF>& note_hashes,
+                             const ProtocolContracts& protocol_contracts) override;
 };
 
 GlobalVariables create_default_globals();

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzzer_lib.cpp

@@ -15,6 +15,7 @@
 #include "barretenberg/avm_fuzzer/mutations/basic_types/uint64_t.hpp"
 #include "barretenberg/avm_fuzzer/mutations/configuration.hpp"
 #include "barretenberg/avm_fuzzer/mutations/fuzzer_data.hpp"
+#include "barretenberg/avm_fuzzer/mutations/protocol_contracts.hpp"
 #include "barretenberg/avm_fuzzer/mutations/tx_data.hpp"
 #include "barretenberg/avm_fuzzer/mutations/tx_types/gas.hpp"
 #include "barretenberg/common/log.hpp"
@@ -49,6 +50,22 @@ void setup_fuzzer_state(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contr
         contract_db.add_contract_instance(contract_address, contract_instance);
     }
 
+    // For protocol contracts, also add instances keyed by canonical address (1-11).
+    // This is needed because protocol contracts are looked up by canonical address,
+    // but the derived address in protocol_contracts.derived_addresses maps to the actual instance.
+    for (size_t i = 0; i < tx_data.protocol_contracts.derived_addresses.size(); ++i) {
+        const auto& derived_address = tx_data.protocol_contracts.derived_addresses[i];
+        if (!derived_address.is_zero()) {
+            // Canonical address is index + 1 (addresses 1-11 map to indices 0-10)
+            AztecAddress canonical_address(static_cast<uint256_t>(i + 1));
+            // Find the instance for this derived address and also add it by canonical address
+            auto maybe_instance = contract_db.get_contract_instance(derived_address);
+            if (maybe_instance.has_value()) {
+                contract_db.add_contract_instance(canonical_address, maybe_instance.value());
+            }
+        }
+    }
+
     // Register contract addresses in the world state
     for (const auto& addr : tx_data.contract_addresses) {
         ws_mgr.register_contract_address(addr);
@@ -85,8 +102,13 @@ SimulatorResult fuzz_tx(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contr
 
     try {
         ws_mgr.checkpoint();
-        cpp_result = cpp_simulator.simulate(
-            ws_mgr, contract_db, tx_data.tx, tx_data.global_variables, tx_data.public_data_writes, tx_data.note_hashes);
+        cpp_result = cpp_simulator.simulate(ws_mgr,
+                                            contract_db,
+                                            tx_data.tx,
+                                            tx_data.global_variables,
+                                            tx_data.public_data_writes,
+                                            tx_data.note_hashes,
+                                            tx_data.protocol_contracts);
         fuzz_info("CppSimulator completed without exception");
         fuzz_info("CppSimulator result: ", cpp_result);
         ws_mgr.revert();
@@ -102,8 +124,13 @@ SimulatorResult fuzz_tx(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contr
     }
 
     ws_mgr.checkpoint();
-    auto js_result = js_simulator->simulate(
-        ws_mgr, contract_db, tx_data.tx, tx_data.global_variables, tx_data.public_data_writes, tx_data.note_hashes);
+    auto js_result = js_simulator->simulate(ws_mgr,
+                                            contract_db,
+                                            tx_data.tx,
+                                            tx_data.global_variables,
+                                            tx_data.public_data_writes,
+                                            tx_data.note_hashes,
+                                            tx_data.protocol_contracts);
 
     // If the results do not match
     if (!compare_simulator_results(cpp_result, js_result)) {
@@ -126,7 +153,7 @@ SimulatorResult fuzz_tx(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contr
 /// @throws An exception if simulation results differ or check_circuit fails
 int fuzz_prover(FuzzerWorldStateManager& ws_mgr, FuzzerContractDB& contract_db, FuzzerTxData& tx_data)
 {
-    ProtocolContracts protocol_contracts{};
+    ProtocolContracts& protocol_contracts = tx_data.protocol_contracts;
     WorldState& ws = ws_mgr.get_world_state();
     WorldStateRevision ws_rev = ws_mgr.get_current_revision();
     AvmSimulationHelper helper;
@@ -369,14 +396,21 @@ size_t mutate_tx_data(FuzzerContext& context,
         // This is just mutating the gas values and timestamp
         mutate_uint64_t(tx_data.global_variables.timestamp, rng, BASIC_UINT64_T_MUTATION_CONFIGURATION);
         mutate_gas_fees(tx_data.global_variables.gas_fees, rng);
-        // This must be less than or equal to the tx max fees per gas
-        tx_data.global_variables.gas_fees.fee_per_da_gas = std::min(
-            tx_data.global_variables.gas_fees.fee_per_da_gas, tx_data.tx.gas_settings.max_fees_per_gas.fee_per_da_gas);
-        tx_data.global_variables.gas_fees.fee_per_l2_gas = std::min(
-            tx_data.global_variables.gas_fees.fee_per_l2_gas, tx_data.tx.gas_settings.max_fees_per_gas.fee_per_l2_gas);
         break;
-        // case TxDataMutationType::ProtocolContractsMutation:
-        // break;
+    case FuzzerTxDataMutationType::ProtocolContractsMutation:
+        mutate_protocol_contracts(tx_data.protocol_contracts, tx_data.tx, tx_data.contract_addresses, rng);
+        break;
+    }
+
+    // Clear any protocol contract derived addresses that reference addresses no longer in the contract set.
+    // This can happen when mutations (e.g., ContractClassMutation, ContractInstanceMutation) change contract addresses.
+    // Must run AFTER all mutations since some mutations modify contract_addresses.
+    std::unordered_set<AztecAddress> valid_addresses(tx_data.contract_addresses.begin(),
+                                                     tx_data.contract_addresses.end());
+    for (auto& derived_address : tx_data.protocol_contracts.derived_addresses) {
+        if (!derived_address.is_zero() && !valid_addresses.contains(derived_address)) {
+            derived_address = AztecAddress(0);
+        }
     }
 
     // todo: do we need to ensure this or are should we able to process 0 enqueued calls?
@@ -393,6 +427,13 @@ size_t mutate_tx_data(FuzzerContext& context,
                                            .calldata = calldata });
     }
 
+    // Ensure global gas_fees <= max_fees_per_gas (required for compute_effective_gas_fees)
+    // This must run after ANY mutation since TxMutation can reduce max_fees_per_gas
+    tx_data.global_variables.gas_fees.fee_per_da_gas = std::min(
+        tx_data.global_variables.gas_fees.fee_per_da_gas, tx_data.tx.gas_settings.max_fees_per_gas.fee_per_da_gas);
+    tx_data.global_variables.gas_fees.fee_per_l2_gas = std::min(
+        tx_data.global_variables.gas_fees.fee_per_l2_gas, tx_data.tx.gas_settings.max_fees_per_gas.fee_per_l2_gas);
+
     // Compute effective gas fees matching TS computeEffectiveGasFees
     // This must be done after any mutation that could affect gas settings or global variables
     tx_data.tx.effective_gas_fees =

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzzer_lib.hpp

@@ -66,17 +66,18 @@ enum class FuzzerTxDataMutationType : uint8_t {
     ContractClassMutation,
     ContractInstanceMutation,
     GlobalVariablesMutation,
-    // ProtocolContractsMutation
+    ProtocolContractsMutation
 };
 
-using FuzzerTxDataMutationConfig = WeightedSelectionConfig<FuzzerTxDataMutationType, 5>;
+using FuzzerTxDataMutationConfig = WeightedSelectionConfig<FuzzerTxDataMutationType, 6>;
 
 constexpr FuzzerTxDataMutationConfig FUZZER_TX_DATA_MUTATION_CONFIGURATION = FuzzerTxDataMutationConfig({
     { FuzzerTxDataMutationType::TxMutation, 10 },
     { FuzzerTxDataMutationType::BytecodeMutation, 1 },
     { FuzzerTxDataMutationType::ContractClassMutation, 1 },
     { FuzzerTxDataMutationType::ContractInstanceMutation, 1 },
     { FuzzerTxDataMutationType::GlobalVariablesMutation, 4 },
+    { FuzzerTxDataMutationType::ProtocolContractsMutation, 4 },
 });
 
 // Build bytecode and contract artifacts from fuzzer data

barretenberg/cpp/src/barretenberg/avm_fuzzer/mutations/protocol_contracts.cpp

@@ -0,0 +1,79 @@
+#include "barretenberg/avm_fuzzer/mutations/protocol_contracts.hpp"
+
+#include "barretenberg/vm2/common/aztec_constants.hpp"
+#include "barretenberg/vm2/common/aztec_types.hpp"
+
+namespace bb::avm2::fuzzer {
+
+namespace {
+
+void update_enqueued_calls_for_protocol_contract(Tx& tx,
+                                                 const AztecAddress& prev_address,
+                                                 const AztecAddress& new_address)
+{
+    // Update setup_enqueued_calls
+    for (auto& call : tx.setup_enqueued_calls) {
+        if (call.request.contract_address == prev_address) {
+            call.request.contract_address = new_address;
+        }
+    }
+    // Update app_logic_enqueued_calls
+    for (auto& call : tx.app_logic_enqueued_calls) {
+        if (call.request.contract_address == prev_address) {
+            call.request.contract_address = new_address;
+        }
+    }
+    // Update teardown_enqueued_call
+    if (tx.teardown_enqueued_call.has_value() && tx.teardown_enqueued_call->request.contract_address == prev_address) {
+        tx.teardown_enqueued_call->request.contract_address = new_address;
+    }
+}
+
+} // namespace
+
+void mutate_protocol_contracts(ProtocolContracts& protocol_contracts,
+                               Tx& tx,
+                               const std::vector<AztecAddress>& contract_addresses,
+                               std::mt19937_64& rng)
+{
+    if (contract_addresses.empty()) {
+        return;
+    }
+
+    auto choice = PROTOCOL_CONTRACTS_MUTATION_CONFIGURATION.select(rng);
+    switch (choice) {
+    case ProtocolContractsMutationOptions::Mutate: {
+        // Pick a random index and add a protocol contract
+        auto protocol_contract_index = std::uniform_int_distribution<size_t>(0, MAX_PROTOCOL_CONTRACTS - 1)(rng);
+        auto contract_address_index = std::uniform_int_distribution<size_t>(0, contract_addresses.size() - 1)(rng);
+
+        AztecAddress derived_address = contract_addresses[contract_address_index];
+        protocol_contracts.derived_addresses[protocol_contract_index] = derived_address;
+
+        // The index of the protocol contracts array maps to canonical address.
+        // Add 1 because canonical addresses are 1-indexed
+        AztecAddress canonical_address(static_cast<uint256_t>(protocol_contract_index + 1));
+
+        // todo(ilyas): there should be a more efficient way to do this
+        // Update any enqueued calls that reference the derived address to now use the canonical address
+        update_enqueued_calls_for_protocol_contract(
+            tx, /*prev_address=*/derived_address, /*new_address=*/canonical_address);
+        break;
+    }
+    case ProtocolContractsMutationOptions::Remove: {
+        // Pick an index, and zero it out, removing the protocol contract. It may already be zero but the fuzzer should
+        // figure out better mutations
+        size_t idx = std::uniform_int_distribution<size_t>(0, MAX_PROTOCOL_CONTRACTS - 1)(rng);
+        AztecAddress canonical_address(static_cast<uint256_t>(idx + 1));
+        AztecAddress derived_address = protocol_contracts.derived_addresses[idx];
+        // Update any enqueued calls that reference the canonical address to use the derived address
+        update_enqueued_calls_for_protocol_contract(
+            tx, /*prev_address=*/canonical_address, /*new_address=*/derived_address);
+        // Set the derived address to zero
+        protocol_contracts.derived_addresses[idx] = AztecAddress(0);
+        break;
+    }
+    }
+}
+
+} // namespace bb::avm2::fuzzer

barretenberg/cpp/src/barretenberg/avm_fuzzer/mutations/protocol_contracts.hpp

@@ -0,0 +1,28 @@
+#pragma once
+
+#include "barretenberg/avm_fuzzer/common/weighted_selection.hpp"
+#include "barretenberg/vm2/common/avm_io.hpp"
+#include "barretenberg/vm2/common/aztec_types.hpp"
+
+#include <random>
+
+namespace bb::avm2::fuzzer {
+
+enum class ProtocolContractsMutationOptions : uint8_t {
+    Mutate,
+    Remove,
+};
+
+using ProtocolContractsMutationConfig = WeightedSelectionConfig<ProtocolContractsMutationOptions, 2>;
+
+constexpr ProtocolContractsMutationConfig PROTOCOL_CONTRACTS_MUTATION_CONFIGURATION = ProtocolContractsMutationConfig({
+    { ProtocolContractsMutationOptions::Mutate, 3 },
+    { ProtocolContractsMutationOptions::Remove, 1 },
+});
+
+void mutate_protocol_contracts(bb::avm2::ProtocolContracts& protocol_contracts,
+                               bb::avm2::Tx& tx,
+                               const std::vector<AztecAddress>& contract_addresses,
+                               std::mt19937_64& rng);
+
+} // namespace bb::avm2::fuzzer