Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
instruction.cpp
Go to the documentation of this file.
1#include "barretenberg/avm_fuzzer/mutations/instructions/instruction.hpp"
2
3#include <optional>
4#include <random>
5#include <vector>
6
7#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_context.hpp"
8#include "barretenberg/avm_fuzzer/fuzz_lib/instruction.hpp"
9#include "barretenberg/avm_fuzzer/mutations/basic_types/eth_address.hpp"
10#include "barretenberg/avm_fuzzer/mutations/basic_types/field.hpp"
11#include "barretenberg/avm_fuzzer/mutations/basic_types/memory_tag.hpp"
12#include "barretenberg/avm_fuzzer/mutations/basic_types/uint16_t.hpp"
13#include "barretenberg/avm_fuzzer/mutations/basic_types/uint32_t.hpp"
14#include "barretenberg/avm_fuzzer/mutations/basic_types/uint64_t.hpp"
15#include "barretenberg/avm_fuzzer/mutations/basic_types/uint8_t.hpp"
16#include "barretenberg/avm_fuzzer/mutations/basic_types/uint_mutations.hpp"
17#include "barretenberg/avm_fuzzer/mutations/basic_types/vector.hpp"
18#include "barretenberg/avm_fuzzer/mutations/configuration.hpp"
19#include "barretenberg/vm2/common/field.hpp"
20
21namespace {
22
23// Maximum operand values based on instruction operand size
24constexpr uint32_t MAX_8BIT_OPERAND = 255;
25constexpr uint32_t MAX_16BIT_OPERAND = 65535;
26
27// Helper to generate a SET instruction for a given tag at a given address
28FuzzInstruction generate_set_for_tag(bb::avm2::MemoryTag tag, AddressRef addr, std::mt19937_64& rng)
29{
30 switch (tag) {
31 // We use set 16 for u1 and u8 because using set_8 will limit the address range to 255.
32 case bb::avm2::MemoryTag::U1:
33 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = static_cast<uint8_t>(rng() & 1) };
34 case bb::avm2::MemoryTag::U8:
35 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint8(rng) };
36 case bb::avm2::MemoryTag::U16:
37 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint16(rng) };
38 case bb::avm2::MemoryTag::U32:
39 return SET_32_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint32(rng) };
40 case bb::avm2::MemoryTag::U64:
41 return SET_64_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint64(rng) };
42 case bb::avm2::MemoryTag::U128:
43 return SET_128_Instruction{ .value_tag = tag,
44 .result_address = addr,
45 .value_low = generate_random_uint64(rng),
46 .value_high = generate_random_uint64(rng) };
47 case bb::avm2::MemoryTag::FF:
48 default:
49 return SET_FF_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_field(rng) };
50 }
51}
52
53uint8_t generate_envvar_type(std::mt19937_64& rng)
54{
55 bool valid_type = std::uniform_int_distribution<int>(0, 9)(rng) != 0;
56
57 if (valid_type) {
58 // 0 -> ADDRESS, 1 -> SENDER, 2 -> TRANSACTIONFEE, 3 -> CHAINID, 4 -> VERSION, 5 -> BLOCKNUMBER, 6 -> TIMESTAMP,
59 // 7 -> MINFEEPERDAGAS, 8 -> MINFEEPERL2GAS, 9 -> ISSTATICCALL, 10 -> L2GASLEFT, 11 -> DAGASLEFT
60 return std::uniform_int_distribution<uint8_t>(0, 11)(rng);
61 } else {
62 return generate_random_uint8(rng);
63 }
64}
65
66std::optional<MemoryTag> get_param_ref_tag(const ParamRef& param)
67{
68 return std::visit(overloaded{ [](const VariableRef& var) -> std::optional<MemoryTag> { return var.tag.value; },
69 [](const AddressRef&) -> std::optional<MemoryTag> { return std::nullopt; } },
70 param);
71}
72
73void sanitize_address_ref(AddressRef& address_ref, uint32_t base_offset, uint32_t max_operand_value)
74{
75
76 // For Direct mode, constrain address to fit in the operand
77 if (address_ref.mode == AddressingMode::Direct) {
78 address_ref.address = address_ref.address % (max_operand_value + 1);
79 }
80 // For Relative mode, we can reach from base_pointer to base_pointer + max_operand_value
81 if (address_ref.mode == AddressingMode::Relative) {
82 address_ref.address = base_offset + (address_ref.address % (max_operand_value + 1));
83 }
84}
85
86uint32_t generate_address(std::mt19937_64& rng)
87{
88 if (std::uniform_int_distribution<int>(0, 19)(rng) == 0) { // 5% chance to generate the highest address
89 return AVM_HIGHEST_MEM_ADDRESS;
90 }
91 return generate_random_uint32(rng);
92}
93
94} // namespace
95
96namespace bb::avm2::fuzzer {
97
98std::vector<FuzzInstruction> InstructionMutator::generate_instruction(std::mt19937_64& rng)
99{
100 InstructionGenerationOptions option = BASIC_INSTRUCTION_GENERATION_CONFIGURATION.select(rng);
101 // forgive me
102 switch (option) {
103 case InstructionGenerationOptions::ADD_8:
104 return generate_alu_with_matching_tags<ADD_8_Instruction>(rng, MAX_8BIT_OPERAND);
105 case InstructionGenerationOptions::SUB_8:
106 return generate_alu_with_matching_tags<SUB_8_Instruction>(rng, MAX_8BIT_OPERAND);
107 case InstructionGenerationOptions::MUL_8:
108 return generate_alu_with_matching_tags<MUL_8_Instruction>(rng, MAX_8BIT_OPERAND);
109 case InstructionGenerationOptions::DIV_8:
110 return generate_alu_with_matching_tags_not_ff<DIV_8_Instruction>(rng, MAX_8BIT_OPERAND);
111 case InstructionGenerationOptions::FDIV_8:
112 return generate_fdiv_instruction(rng, MAX_8BIT_OPERAND);
113 case InstructionGenerationOptions::EQ_8:
114 return { EQ_8_Instruction{ .a_address = generate_variable_ref(rng),
115 .b_address = generate_variable_ref(rng),
116 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
117 case InstructionGenerationOptions::LT_8:
118 return { LT_8_Instruction{ .a_address = generate_variable_ref(rng),
119 .b_address = generate_variable_ref(rng),
120 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
121 case InstructionGenerationOptions::LTE_8:
122 return { LTE_8_Instruction{ .a_address = generate_variable_ref(rng),
123 .b_address = generate_variable_ref(rng),
124 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
125 case InstructionGenerationOptions::AND_8:
126 return generate_alu_with_matching_tags_not_ff<AND_8_Instruction>(rng, MAX_8BIT_OPERAND);
127 case InstructionGenerationOptions::OR_8:
128 return generate_alu_with_matching_tags_not_ff<OR_8_Instruction>(rng, MAX_8BIT_OPERAND);
129 case InstructionGenerationOptions::XOR_8:
130 return generate_alu_with_matching_tags_not_ff<XOR_8_Instruction>(rng, MAX_8BIT_OPERAND);
131 case InstructionGenerationOptions::NOT_8:
132 return { NOT_8_Instruction{ .a_address = generate_variable_ref(rng),
133 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
134 case InstructionGenerationOptions::SHL_8:
135 return { SHL_8_Instruction{ .a_address = generate_variable_ref(rng),
136 .b_address = generate_variable_ref(rng),
137 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
138
139 case InstructionGenerationOptions::SHR_8:
140 return { SHR_8_Instruction{ .a_address = generate_variable_ref(rng),
141 .b_address = generate_variable_ref(rng),
142 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
143 case InstructionGenerationOptions::SET_8:
144 return { SET_8_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
145 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND),
146 .value = generate_random_uint8(rng) } };
147 case InstructionGenerationOptions::SET_16:
148 return { SET_16_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
149 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
150 .value = generate_random_uint16(rng) } };
151 case InstructionGenerationOptions::SET_32:
152 return { SET_32_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
153 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
154 .value = generate_random_uint32(rng) } };
155 case InstructionGenerationOptions::SET_64:
156 return { SET_64_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
157 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
158 .value = generate_random_uint64(rng) } };
159 case InstructionGenerationOptions::SET_128:
160 return { SET_128_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
161 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
162 .value_low = generate_random_uint64(rng),
163 .value_high = generate_random_uint64(rng) } };
164 case InstructionGenerationOptions::SET_FF:
165 return { SET_FF_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
166 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
167 .value = generate_random_field(rng) } };
168 case InstructionGenerationOptions::MOV_8:
169 return { MOV_8_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
170 .src_address = generate_variable_ref(rng),
171 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
172 case InstructionGenerationOptions::MOV_16:
173 return { MOV_16_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
174 .src_address = generate_variable_ref(rng),
175 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
176 case InstructionGenerationOptions::ADD_16:
177 return generate_alu_with_matching_tags<ADD_16_Instruction>(rng, MAX_16BIT_OPERAND);
178 case InstructionGenerationOptions::SUB_16:
179 return generate_alu_with_matching_tags<SUB_16_Instruction>(rng, MAX_16BIT_OPERAND);
180 case InstructionGenerationOptions::MUL_16:
181 return generate_alu_with_matching_tags<MUL_16_Instruction>(rng, MAX_16BIT_OPERAND);
182 case InstructionGenerationOptions::DIV_16:
183 return generate_alu_with_matching_tags_not_ff<DIV_16_Instruction>(rng, MAX_16BIT_OPERAND);
184 case InstructionGenerationOptions::FDIV_16:
185 return { FDIV_16_Instruction{ .a_address = generate_variable_ref(rng),
186 .b_address = generate_variable_ref(rng),
187 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
188 case InstructionGenerationOptions::EQ_16:
189 return { EQ_16_Instruction{ .a_address = generate_variable_ref(rng),
190 .b_address = generate_variable_ref(rng),
191 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
192 case InstructionGenerationOptions::LT_16:
193 return { LT_16_Instruction{ .a_address = generate_variable_ref(rng),
194 .b_address = generate_variable_ref(rng),
195 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
196 case InstructionGenerationOptions::LTE_16:
197 return { LTE_16_Instruction{ .a_address = generate_variable_ref(rng),
198 .b_address = generate_variable_ref(rng),
199 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
200 case InstructionGenerationOptions::AND_16:
201 return generate_alu_with_matching_tags_not_ff<AND_16_Instruction>(rng, MAX_16BIT_OPERAND);
202 case InstructionGenerationOptions::OR_16:
203 return generate_alu_with_matching_tags_not_ff<OR_16_Instruction>(rng, MAX_16BIT_OPERAND);
204 case InstructionGenerationOptions::XOR_16:
205 return generate_alu_with_matching_tags_not_ff<XOR_16_Instruction>(rng, MAX_16BIT_OPERAND);
206 case InstructionGenerationOptions::NOT_16:
207 return { NOT_16_Instruction{ .a_address = generate_variable_ref(rng),
208 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
209 case InstructionGenerationOptions::SHL_16:
210 return { SHL_16_Instruction{ .a_address = generate_variable_ref(rng),
211 .b_address = generate_variable_ref(rng),
212 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
213 case InstructionGenerationOptions::SHR_16:
214 return { SHR_16_Instruction{ .a_address = generate_variable_ref(rng),
215 .b_address = generate_variable_ref(rng),
216 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
217 case InstructionGenerationOptions::CAST_8:
218 return { CAST_8_Instruction{ .src_address = generate_variable_ref(rng),
219 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND),
220 .target_tag =
221 generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION) } };
222 case InstructionGenerationOptions::CAST_16:
223 return { CAST_16_Instruction{ .src_address = generate_variable_ref(rng),
224 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
225 .target_tag =
226 generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION) } };
227 case InstructionGenerationOptions::SSTORE:
228 return { SSTORE_Instruction{ .src_address = generate_variable_ref(rng),
229 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
230 .slot = generate_random_field(rng) } };
231 case InstructionGenerationOptions::SLOAD:
232 return generate_sload_instruction(rng);
233 case InstructionGenerationOptions::GETENVVAR:
234 return { GETENVVAR_Instruction{ .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
235 .type = generate_envvar_type(rng) } };
236 case InstructionGenerationOptions::EMITNULLIFIER:
237 return { EMITNULLIFIER_Instruction{ .nullifier_address = generate_variable_ref(rng) } };
238 case InstructionGenerationOptions::NULLIFIEREXISTS:
239 return { NULLIFIEREXISTS_Instruction{ .siloed_nullifier_address = generate_variable_ref(rng),
240 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
241 case InstructionGenerationOptions::L1TOL2MSGEXISTS:
242 return { L1TOL2MSGEXISTS_Instruction{ .msg_hash_address = generate_variable_ref(rng),
243 .leaf_index_address = generate_variable_ref(rng),
244 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
245 case InstructionGenerationOptions::EMITNOTEHASH:
246 return { EMITNOTEHASH_Instruction{ .note_hash_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
247 .note_hash = generate_random_field(rng) } };
248 case InstructionGenerationOptions::NOTEHASHEXISTS:
249 return generate_notehashexists_instruction(rng);
250 case InstructionGenerationOptions::CALLDATACOPY:
251 return generate_calldatacopy_instruction(rng);
252 case InstructionGenerationOptions::SENDL2TOL1MSG:
253 return generate_sendl2tol1msg_instruction(rng);
254 case InstructionGenerationOptions::EMITPUBLICLOG:
255 return generate_emitpubliclog_instruction(rng);
256 case InstructionGenerationOptions::CALL:
257 return generate_call_instruction(rng);
258 case InstructionGenerationOptions::RETURNDATASIZE:
259 return generate_returndatasize_instruction(rng);
260 case InstructionGenerationOptions::RETURNDATACOPY:
261 return generate_returndatacopy_instruction(rng);
262 case InstructionGenerationOptions::GETCONTRACTINSTANCE:
263 return generate_getcontractinstance_instruction(rng);
264 case InstructionGenerationOptions::SUCCESSCOPY:
265 return { SUCCESSCOPY_Instruction{ .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
266 case InstructionGenerationOptions::ECADD:
267 return generate_ecadd_instruction(rng);
268 case InstructionGenerationOptions::POSEIDON2PERM:
269 return { POSEIDON2PERM_Instruction{ .src_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
270 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
271 case InstructionGenerationOptions::KECCAKF1600:
272 return generate_keccakf_instruction(rng);
273 case InstructionGenerationOptions::SHA256COMPRESSION:
274 return generate_sha256compression_instruction(rng);
275 case InstructionGenerationOptions::TORADIXBE:
276 return generate_toradixbe_instruction(rng);
277 case InstructionGenerationOptions::DEBUGLOG:
278 return { { DEBUGLOG_Instruction{ .level_offset = generate_variable_ref(rng),
279 .message_offset = generate_variable_ref(rng),
280 .fields_offset = generate_variable_ref(rng),
281 .fields_size_offset = generate_variable_ref(rng),
282 .message_size = generate_random_uint16(rng) } } };
283 }
284}
285
286void InstructionMutator::mutate_instruction(FuzzInstruction& instruction, std::mt19937_64& rng)
287{
288 std::visit(
289 overloaded{
290 [&rng, this](ADD_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
291 [&rng, this](SUB_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
292 [&rng, this](MUL_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
293 [&rng, this](DIV_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
294 [&rng, this](EQ_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
295 [&rng, this](LT_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
296 [&rng, this](LTE_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
297 [&rng, this](AND_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
298 [&rng, this](OR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
299 [&rng, this](XOR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
300 [&rng, this](SHL_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
301 [&rng, this](SHR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
302 [&rng, this](SET_8_Instruction& instr) { mutate_set_8_instruction(instr, rng); },
303 [&rng, this](SET_16_Instruction& instr) { mutate_set_16_instruction(instr, rng); },
304 [&rng, this](SET_32_Instruction& instr) { mutate_set_32_instruction(instr, rng); },
305 [&rng, this](SET_64_Instruction& instr) { mutate_set_64_instruction(instr, rng); },
306 [&rng, this](SET_128_Instruction& instr) { mutate_set_128_instruction(instr, rng); },
307 [&rng, this](SET_FF_Instruction& instr) { mutate_set_ff_instruction(instr, rng); },
308 [&rng, this](MOV_8_Instruction& instr) { mutate_mov_8_instruction(instr, rng); },
309 [&rng, this](MOV_16_Instruction& instr) { mutate_mov_16_instruction(instr, rng); },
310 [&rng, this](FDIV_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
311 [&rng, this](NOT_8_Instruction& instr) { mutate_not_8_instruction(instr, rng); },
312 [&rng, this](ADD_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
313 [&rng, this](SUB_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
314 [&rng, this](MUL_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
315 [&rng, this](DIV_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
316 [&rng, this](FDIV_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
317 [&rng, this](EQ_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
318 [&rng, this](LT_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
319 [&rng, this](LTE_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
320 [&rng, this](AND_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
321 [&rng, this](OR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
322 [&rng, this](XOR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
323 [&rng, this](NOT_16_Instruction& instr) { mutate_not_16_instruction(instr, rng); },
324 [&rng, this](SHL_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
325 [&rng, this](SHR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
326 [&rng, this](CAST_8_Instruction& instr) { mutate_cast_8_instruction(instr, rng); },
327 [&rng, this](CAST_16_Instruction& instr) { mutate_cast_16_instruction(instr, rng); },
328 [&rng, this](SSTORE_Instruction& instr) { mutate_sstore_instruction(instr, rng); },
329 [&rng, this](SLOAD_Instruction& instr) { mutate_sload_instruction(instr, rng); },
330 [&rng, this](GETENVVAR_Instruction& instr) { mutate_getenvvar_instruction(instr, rng); },
331 [&rng, this](EMITNULLIFIER_Instruction& instr) { mutate_emit_nullifier_instruction(instr, rng); },
332 [&rng, this](NULLIFIEREXISTS_Instruction& instr) { mutate_nullifier_exists_instruction(instr, rng); },
333 [&rng, this](L1TOL2MSGEXISTS_Instruction& instr) { mutate_l1tol2msgexists_instruction(instr, rng); },
334 [&rng, this](EMITNOTEHASH_Instruction& instr) { mutate_emit_note_hash_instruction(instr, rng); },
335 [&rng, this](NOTEHASHEXISTS_Instruction& instr) { mutate_note_hash_exists_instruction(instr, rng); },
336 [&rng, this](CALLDATACOPY_Instruction& instr) { mutate_calldatacopy_instruction(instr, rng); },
337 [&rng, this](SENDL2TOL1MSG_Instruction& instr) { mutate_sendl2tol1msg_instruction(instr, rng); },
338 [&rng, this](EMITPUBLICLOG_Instruction& instr) { mutate_emitpubliclog_instruction(instr, rng); },
339 [&rng, this](CALL_Instruction& instr) { mutate_call_instruction(instr, rng); },
340 [&rng, this](RETURNDATASIZE_Instruction& instr) { mutate_returndatasize_instruction(instr, rng); },
341 [&rng, this](RETURNDATACOPY_Instruction& instr) { mutate_returndatacopy_instruction(instr, rng); },
342 [&rng, this](GETCONTRACTINSTANCE_Instruction& instr) {
343 mutate_getcontractinstance_instruction(instr, rng);
344 },
345 [&rng, this](SUCCESSCOPY_Instruction& instr) { mutate_successcopy_instruction(instr, rng); },
346 [&rng, this](ECADD_Instruction& instr) { mutate_ecadd_instruction(instr, rng); },
347 [&rng, this](POSEIDON2PERM_Instruction& instr) { mutate_poseidon2perm_instruction(instr, rng); },
348 [&rng, this](KECCAKF1600_Instruction& instr) { mutate_keccakf1600_instruction(instr, rng); },
349 [&rng, this](SHA256COMPRESSION_Instruction& instr) { mutate_sha256compression_instruction(instr, rng); },
350 [&rng, this](TORADIXBE_Instruction& instr) { mutate_toradixbe_instruction(instr, rng); },
351 [&rng, this](DEBUGLOG_Instruction& instr) { mutate_debuglog_instruction(instr, rng); },
352 [](auto&) { throw std::runtime_error("Unknown instruction"); } },
353 instruction);
354}
355
360
361AddressRef InstructionMutator::generate_address_ref(std::mt19937_64& rng, uint32_t max_operand_value)
362{
363 AddressRef address_ref = AddressRef{ .address = generate_address(rng),
364 .pointer_address_seed = generate_random_uint16(rng),
365 .mode = generate_addressing_mode(rng) };
366 sanitize_address_ref(address_ref, base_offset, max_operand_value);
367 return address_ref;
368}
369
370void InstructionMutator::mutate_address_ref(AddressRef& address, std::mt19937_64& rng, uint32_t max_operand_value)
371{
372 AddressRefMutationOptions option = BASIC_ADDRESS_REF_MUTATION_CONFIGURATION.select(rng);
373 switch (option) {
374 case AddressRefMutationOptions::address:
375 mutate_uint32_t(address.address, rng, BASIC_UINT32_T_MUTATION_CONFIGURATION);
376 break;
377 case AddressRefMutationOptions::pointer_address:
378 mutate_uint16_t(address.pointer_address_seed, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
379 break;
380 case AddressRefMutationOptions::mode:
381 address.mode = generate_addressing_mode(rng);
382 break;
383 }
384 sanitize_address_ref(address, base_offset, max_operand_value);
385}
386
395
397void InstructionMutator::mutate_variable_ref(VariableRef& variable,
398 std::mt19937_64& rng,
399 std::optional<MemoryTag> default_tag)
400{
401 VariableRefMutationOptions option = BASIC_VARIABLE_REF_MUTATION_CONFIGURATION.select(rng);
402 switch (option) {
403 case VariableRefMutationOptions::tag:
404 if (default_tag.has_value()) {
405 mutate_or_default_tag(variable.tag.value, rng, default_tag.value());
406 } else {
407 mutate_memory_tag(variable.tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
408 }
409 break;
410 case VariableRefMutationOptions::index:
411 mutate_uint32_t(variable.index, rng, BASIC_UINT32_T_MUTATION_CONFIGURATION);
412 break;
413 case VariableRefMutationOptions::pointer_address:
414 mutate_uint16_t(variable.pointer_address_seed, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
415 break;
416 case VariableRefMutationOptions::mode:
417 variable.mode = generate_addressing_mode(rng);
418 break;
419 }
420}
421
422std::vector<FuzzInstruction> InstructionMutator::generate_ecadd_instruction(std::mt19937_64& rng)
423{
424 // 80% chance to use backfill (4 out of 5) to increase success rate
425 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
426
427 if (!use_backfill) {
428 // Random mode: use existing memory values (may fail if not valid points on curve)
429 return { ECADD_Instruction{ .p1_x = generate_variable_ref(rng),
430 .p1_y = generate_variable_ref(rng),
431 .p1_infinite = generate_variable_ref(rng),
432 .p2_x = generate_variable_ref(rng),
433 .p2_y = generate_variable_ref(rng),
434 .p2_infinite = generate_variable_ref(rng),
435 .result = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
436 }
437
438 // Backfill mode: generate valid points on the Grumpkin curve and SET them
439 // 6 SET instructions (2 points * 3 fields each) + 1 ECADD = 7 instructions
440 std::vector<FuzzInstruction> instructions;
441 instructions.reserve(7);
442
443 // Generate a valid point via scalar multiplication of the generator (always on curve)
444 auto generate_point = [&rng]() {
445 bb::avm2::Fq scalar(generate_random_field(rng));
446 return bb::avm2::EmbeddedCurvePoint::one() * scalar;
447 };
448
449 // Generate SET instructions to backfill a point at the given addresses
450 auto backfill_point = [&instructions](const bb::avm2::EmbeddedCurvePoint& point,
451 AddressRef x_addr,
452 AddressRef y_addr,
453 AddressRef inf_addr) {
454 instructions.push_back(
455 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = x_addr, .value = point.x() });
456 instructions.push_back(
457 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = y_addr, .value = point.y() });
458 instructions.push_back(SET_8_Instruction{ .value_tag = bb::avm2::MemoryTag::U1,
459 .result_address = inf_addr,
460 .value = static_cast<uint8_t>(point.is_infinity() ? 1 : 0) });
461 };
462
463 auto p1 = generate_point();
464 auto p2 = generate_point();
465
466 // Generate addresses (SET_FF uses 16-bit, SET_8 uses 8-bit operands)
467 AddressRef p1_x_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
468 AddressRef p1_y_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
469 AddressRef p1_inf_addr = generate_address_ref(rng, MAX_8BIT_OPERAND);
470 AddressRef p2_x_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
471 AddressRef p2_y_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
472 AddressRef p2_inf_addr = generate_address_ref(rng, MAX_8BIT_OPERAND);
473
474 backfill_point(p1, p1_x_addr, p1_y_addr, p1_inf_addr);
475 backfill_point(p2, p2_x_addr, p2_y_addr, p2_inf_addr);
476
477 instructions.push_back(ECADD_Instruction{ .p1_x = p1_x_addr,
478 .p1_y = p1_y_addr,
479 .p1_infinite = p1_inf_addr,
480 .p2_x = p2_x_addr,
481 .p2_y = p2_y_addr,
482 .p2_infinite = p2_inf_addr,
483 .result = generate_address_ref(rng, MAX_16BIT_OPERAND) });
484
485 return instructions;
486}
487
488// Generate binary ALU instruction with optional backfill for matching tagged operands
489template <typename InstructionType>
490std::vector<FuzzInstruction> InstructionMutator::generate_alu_with_matching_tags(std::mt19937_64& rng,
491 uint32_t max_operand)
492{
493 // 80% chance to use backfill (4 out of 5) to increase success rate
494 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
495
496 if (!use_backfill) {
497 return { InstructionType{ .a_address = generate_variable_ref(rng),
498 .b_address = generate_variable_ref(rng),
499 .result_address = generate_address_ref(rng, max_operand) } };
500 }
501
502 auto tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION);
503 AddressRef a_addr = generate_address_ref(rng, max_operand);
504 AddressRef b_addr = generate_address_ref(rng, max_operand);
505
506 std::vector<FuzzInstruction> instructions;
507 instructions.push_back(generate_set_for_tag(tag, a_addr, rng));
508 instructions.push_back(generate_set_for_tag(tag, b_addr, rng));
509 instructions.push_back(InstructionType{
510 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
511 return instructions;
512}
513
514// Generate binary ALU instruction with optional backfill for matching non-FF tagged operands
515// Used for bitwise operations (AND, OR, XOR) and integer DIV which don't support FF
516template <typename InstructionType>
517std::vector<FuzzInstruction> InstructionMutator::generate_alu_with_matching_tags_not_ff(std::mt19937_64& rng,
518 uint32_t max_operand)
519{
520 // 80% chance to use backfill (4 out of 5) to increase success rate
521 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
522
523 if (!use_backfill) {
524 return { InstructionType{ .a_address = generate_variable_ref(rng),
525 .b_address = generate_variable_ref(rng),
526 .result_address = generate_address_ref(rng, max_operand) } };
527 }
528
529 // Pick a random non-FF tag (U1, U8, U16, U32, U64, U128)
530 static constexpr std::array<bb::avm2::MemoryTag, 6> int_tags = {
531 bb::avm2::MemoryTag::U1, bb::avm2::MemoryTag::U8, bb::avm2::MemoryTag::U16,
532 bb::avm2::MemoryTag::U32, bb::avm2::MemoryTag::U64, bb::avm2::MemoryTag::U128
533 };
534 auto tag = int_tags[std::uniform_int_distribution<size_t>(0, int_tags.size() - 1)(rng)];
535
536 AddressRef a_addr = generate_address_ref(rng, max_operand);
537 AddressRef b_addr = generate_address_ref(rng, max_operand);
538
539 std::vector<FuzzInstruction> instructions;
540 instructions.push_back(generate_set_for_tag(tag, a_addr, rng));
541 instructions.push_back(generate_set_for_tag(tag, b_addr, rng));
542 instructions.push_back(InstructionType{
543 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
544 return instructions;
545}
546
547std::vector<FuzzInstruction> InstructionMutator::generate_fdiv_instruction(std::mt19937_64& rng, uint32_t max_operand)
548{
549 // 80% chance to use backfill (4 out of 5) to increase success rate
550 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
551
552 if (!use_backfill) {
553 // Random mode: use existing memory values
554 return { FDIV_8_Instruction{ .a_address = generate_variable_ref(rng),
555 .b_address = generate_variable_ref(rng),
556 .result_address = generate_address_ref(rng, max_operand) } };
557 }
558
559 // Backfill mode: generate two non-zero FF values
560 std::vector<FuzzInstruction> instructions;
561 instructions.reserve(3);
562
563 // Generate non-zero field values (avoid division by zero)
564 auto generate_nonzero_field = [&rng]() {
565 bb::avm2::FF value;
566 do {
567 value = generate_random_field(rng);
568 } while (value.is_zero());
569 return value;
570 };
571
572 AddressRef a_addr = generate_address_ref(rng, max_operand);
573 AddressRef b_addr = generate_address_ref(rng, max_operand);
574
575 // SET the dividend (a)
576 instructions.push_back(SET_FF_Instruction{
577 .value_tag = bb::avm2::MemoryTag::FF, .result_address = a_addr, .value = generate_nonzero_field() });
578
579 // SET the divisor (b) - must be non-zero
580 instructions.push_back(SET_FF_Instruction{
581 .value_tag = bb::avm2::MemoryTag::FF, .result_address = b_addr, .value = generate_nonzero_field() });
582
583 // FDIV instruction
584 instructions.push_back(FDIV_8_Instruction{
585 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
586
587 return instructions;
588}
589
590std::vector<FuzzInstruction> InstructionMutator::generate_keccakf_instruction(std::mt19937_64& rng)
591{
592 // 80% chance to use backfill (4 out of 5) to increase success rate
593 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
594 if (!use_backfill) {
595 // Random mode
596 return { KECCAKF1600_Instruction{ .src_address = generate_variable_ref(rng),
597 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
598 }
599 // Backfill mode
600 std::vector<FuzzInstruction> instructions;
601
602 // Keccak needs to backfill 25 U64 values, these need be contiguous in memory
603 AddressRef src_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 24);
604 for (size_t i = 0; i < 25; i++) {
605 AddressRef item_address = src_address;
606 item_address.address += static_cast<uint32_t>(i);
607 instructions.push_back(SET_64_Instruction{ .value_tag = bb::avm2::MemoryTag::U64,
608 .result_address = item_address,
609 .value = generate_random_uint64(rng) });
610 }
611 instructions.push_back(KECCAKF1600_Instruction{ .src_address = src_address,
612 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
613 return instructions;
614}
615
616std::vector<FuzzInstruction> InstructionMutator::generate_sha256compression_instruction(std::mt19937_64& rng)
617{
618 // 80% chance to use backfill (4 out of 5) to increase success rate
619 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
620 if (!use_backfill) {
621 // Random mode
622 return { SHA256COMPRESSION_Instruction{ .state_address = generate_variable_ref(rng),
623 .input_address = generate_variable_ref(rng),
624 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
625 }
626 // Backfill mode
627 // SHA256 compression needs 8 U32 values for state and 16 U32 values for input (contiguous)
628 std::vector<FuzzInstruction> instructions;
629 instructions.reserve(8 + 16 + 1);
630
631 // Generate state address (8 contiguous U32 values)
632 AddressRef state_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 7);
633
634 for (size_t i = 0; i < 8; i++) {
635 AddressRef item_address = state_address;
636 item_address.address += static_cast<uint32_t>(i);
637 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
638 .result_address = item_address,
639 .value = generate_random_uint32(rng) });
640 }
641
642 // Generate input address (16 contiguous U32 values)
643 AddressRef input_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 15);
644
645 for (size_t i = 0; i < 16; i++) {
646 AddressRef item_address = input_address;
647 item_address.address += static_cast<uint32_t>(i);
648 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
649 .result_address = item_address,
650 .value = generate_random_uint32(rng) });
651 }
652
653 instructions.push_back(
654 SHA256COMPRESSION_Instruction{ .state_address = state_address,
655 .input_address = input_address,
656 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
657 return instructions;
658}
659
660std::vector<FuzzInstruction> InstructionMutator::generate_toradixbe_instruction(std::mt19937_64& rng)
661{
662 // 80% chance to use backfill (4 out of 5) to increase success rate
663 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
664 if (!use_backfill) {
665 // Random mode
666 return { TORADIXBE_Instruction{ .value_address = generate_variable_ref(rng),
667 .radix_address = generate_variable_ref(rng),
668 .num_limbs_address = generate_variable_ref(rng),
669 .output_bits_address = generate_variable_ref(rng),
670 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
671 .is_output_bits = std::uniform_int_distribution<int>(0, 1)(rng) == 0 } };
672 }
673 // Backfill mode: set up proper typed values
674 // value: FF, radix: U32, num_limbs: U32, output_bits: U1
675 std::vector<FuzzInstruction> instructions;
676 instructions.reserve(5);
677
678 AddressRef value_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
679 AddressRef radix_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
680 AddressRef num_limbs_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
681 AddressRef output_bits_addr = generate_address_ref(rng, MAX_8BIT_OPERAND);
682
683 // SET the radix (U32) - pick radix between 2 and 256
684 uint32_t radix = std::uniform_int_distribution<uint32_t>(2, 256)(rng);
685 instructions.push_back(
686 SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32, .result_address = radix_addr, .value = radix });
687
688 // SET the output_bits (U1)
689 bool is_output_bits = radix == 2;
690 instructions.push_back(SET_8_Instruction{ .value_tag = bb::avm2::MemoryTag::U1,
691 .result_address = output_bits_addr,
692 .value = static_cast<uint8_t>(is_output_bits ? 1 : 0) });
693
694 // Generate value with num_limbs digits
695 uint32_t num_limbs = std::uniform_int_distribution<uint32_t>(0, 256)(rng);
696 bb::avm2::FF value = 0;
697 bb::avm2::FF exponent = 1;
698 for (uint32_t i = 0; i < num_limbs; i++) {
699 uint32_t digit = std::uniform_int_distribution<uint32_t>(0, radix - 1)(rng);
700 value += bb::avm2::FF(digit) * exponent;
701 exponent *= radix;
702 }
703
704 // 20% chance to truncate - reduce the number of limbs we request or increment the value if we have 0 limbs
705 if (std::uniform_int_distribution<int>(0, 4)(rng) == 0) {
706 if (num_limbs > 0) {
707 num_limbs--;
708 } else {
709 value++;
710 }
711 }
712
713 // SET the num_limbs (U32)
714 instructions.push_back(SET_32_Instruction{
715 .value_tag = bb::avm2::MemoryTag::U32, .result_address = num_limbs_addr, .value = num_limbs });
716
717 // SET the value (FF)
718 instructions.push_back(
719 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = value_addr, .value = value });
720
721 // TORADIXBE instruction
722 instructions.push_back(TORADIXBE_Instruction{ .value_address = value_addr,
723 .radix_address = radix_addr,
724 .num_limbs_address = num_limbs_addr,
725 .output_bits_address = output_bits_addr,
726 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
727 .is_output_bits = is_output_bits });
728 return instructions;
729}
730
731// A better way in the future is to pass in a vector of possible slots that have been written to,
732// this would allow us to supply external world state info.
733std::vector<FuzzInstruction> InstructionMutator::generate_sload_instruction(std::mt19937_64& rng)
734{
735 // 80% chance to use backfill (4 out of 5) to increase success rate
736 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
737
738 if (!use_backfill) {
739 // Random mode: requires at least one prior SSTORE to have been processed
740 return { SLOAD_Instruction{ .slot_index = generate_random_uint16(rng),
741 .slot_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
742 .contract_address_address = generate_variable_ref(rng),
743 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
744 }
745
746 // Backfill mode: generate SSTORE first to ensure storage_addresses is non-empty
747 // This guarantees SLOAD will find a valid slot (get_slot uses modulo on non-empty vector)
748 std::vector<FuzzInstruction> instructions;
749 instructions.reserve(4);
750
751 AddressRef sstore_src = generate_address_ref(rng, MAX_16BIT_OPERAND);
752
753 // SET a value to store
754 instructions.push_back(SET_FF_Instruction{
755 .value_tag = bb::avm2::MemoryTag::FF, .result_address = sstore_src, .value = generate_random_field(rng) });
756
757 // SSTORE - appends to storage_addresses in memory_manager
758 instructions.push_back(SSTORE_Instruction{ .src_address = sstore_src,
759 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
760 .slot = generate_random_field(rng) });
761
762 // Now set our own contract address
763 AddressRef contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
764 instructions.push_back(
765 GETENVVAR_Instruction{ .result_address = contract_address_address, /* contract address */ .type = 0 });
766
767 // SLOAD - now guaranteed to succeed (storage_addresses not empty, get_slot uses modulo)
768 instructions.push_back(SLOAD_Instruction{ .slot_index = generate_random_uint16(rng),
769 .slot_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
770 .contract_address_address = contract_address_address,
771 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
772
773 return instructions;
774}
775
776std::vector<FuzzInstruction> InstructionMutator::generate_emitpubliclog_instruction(std::mt19937_64& rng)
777{
778 // 80% chance to use backfill (4 out of 5) to increase success rate
779 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
780
781 if (!use_backfill) {
782 return { EMITPUBLICLOG_Instruction{ .log_size_address = generate_variable_ref(rng),
783 .log_values_address = generate_variable_ref(rng) } };
784 }
785
786 uint32_t log_size = std::uniform_int_distribution<uint32_t>(0, FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH)(rng);
787 std::vector<FuzzInstruction> instructions;
788 instructions.reserve(3);
789
790 auto log_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
791 auto log_values_address = generate_address_ref(rng, MAX_16BIT_OPERAND - log_size);
792
793 instructions.push_back(SET_32_Instruction{
794 .value_tag = bb::avm2::MemoryTag::U32, .result_address = log_size_address, .value = log_size });
795
796 // Write one random FF in the log
797 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
798 .result_address = log_values_address,
799 .value = generate_random_field(rng) });
800
801 instructions.push_back(
802 EMITPUBLICLOG_Instruction{ .log_size_address = log_size_address, .log_values_address = log_values_address });
803
804 return instructions;
805}
806
807std::vector<FuzzInstruction> InstructionMutator::generate_call_instruction(std::mt19937_64& rng)
808{
809 // 80% chance to use backfill (4 out of 5) to increase success rate
810 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
811
812 if (!use_backfill) {
813
814 return { CALL_Instruction{ .l2_gas_address = generate_variable_ref(rng),
815 .da_gas_address = generate_variable_ref(rng),
816 .contract_address_address = generate_variable_ref(rng),
817 .calldata_address = generate_variable_ref(rng),
818 .calldata_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
819 .calldata_size = generate_random_uint16(rng),
820 .is_static_call = rng() % 2 == 0 } };
821 }
822
823 std::vector<FuzzInstruction> instructions;
824 instructions.reserve(5);
825
826 auto contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
827 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
828 .result_address = contract_address_address,
829 .value = context.get_contract_address(generate_random_uint16(rng)) });
830
831 auto l2_gas_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
832 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
833 .result_address = l2_gas_address,
834 .value = generate_random_uint32(rng) });
835
836 auto da_gas_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
837 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
838 .result_address = da_gas_address,
839 .value = generate_random_uint32(rng) });
840
841 auto calldata_size = generate_random_uint16(rng);
842 auto calldata_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
843
844 auto calldata_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
845 // Write one random FF in the calldata
846 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
847 .result_address = calldata_address,
848 .value = generate_random_field(rng) });
849
850 instructions.push_back(CALL_Instruction{ .l2_gas_address = l2_gas_address,
851 .da_gas_address = da_gas_address,
852 .contract_address_address = contract_address_address,
853 .calldata_address = calldata_address,
854 .calldata_size_address = calldata_size_address,
855 .calldata_size = calldata_size,
856 .is_static_call = rng() % 2 == 0 });
857
858 return instructions;
859}
860
861std::vector<FuzzInstruction> InstructionMutator::generate_getcontractinstance_instruction(std::mt19937_64& rng)
862{
863 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
864 if (!use_backfill) {
865 return { GETCONTRACTINSTANCE_Instruction{
866 .contract_address_address = generate_variable_ref(rng),
867 .member_enum = generate_random_uint8(rng),
868 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
869 } };
870 }
871
872 std::vector<FuzzInstruction> instructions;
873 instructions.reserve(2);
874
875 auto contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
876 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
877 .result_address = contract_address_address,
878 .value = context.get_contract_address(generate_random_uint16(rng)) });
879 uint8_t member_enum = std::uniform_int_distribution<uint8_t>(0, 2)(rng);
880
881 instructions.push_back(GETCONTRACTINSTANCE_Instruction{
882 .contract_address_address = contract_address_address,
883 .member_enum = member_enum,
884 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
885 });
886
887 return instructions;
888}
889
890std::vector<FuzzInstruction> InstructionMutator::generate_notehashexists_instruction(std::mt19937_64& rng)
891{
892 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
893 if (!use_backfill) {
894 return { NOTEHASHEXISTS_Instruction{ .notehash_address = generate_variable_ref(rng),
895 .leaf_index_address = generate_variable_ref(rng),
896 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
897 }
898 auto existing_note_hash = context.get_existing_note_hash(generate_random_uint16(rng));
899 FF note_hash = existing_note_hash.has_value() ? existing_note_hash.value().first : generate_random_field(rng);
900 uint64_t leaf_index =
901 existing_note_hash.has_value() ? existing_note_hash.value().second : generate_random_uint64(rng);
902 AddressRef note_hash_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
903 AddressRef leaf_index_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
904
905 std::vector<FuzzInstruction> instructions;
906 instructions.reserve(3);
907
908 instructions.push_back(SET_FF_Instruction{
909 .value_tag = bb::avm2::MemoryTag::FF, .result_address = note_hash_address, .value = note_hash });
910 instructions.push_back(SET_64_Instruction{
911 .value_tag = bb::avm2::MemoryTag::U64, .result_address = leaf_index_address, .value = leaf_index });
912
913 instructions.push_back(
914 NOTEHASHEXISTS_Instruction{ .notehash_address = note_hash_address,
915 .leaf_index_address = leaf_index_address,
916 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
917
918 return instructions;
919}
920
921std::vector<FuzzInstruction> InstructionMutator::generate_returndatasize_instruction(std::mt19937_64& rng)
922{
923 return { RETURNDATASIZE_Instruction{ .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
924}
925
926std::vector<FuzzInstruction> InstructionMutator::generate_returndatacopy_instruction(std::mt19937_64& rng)
927{
928 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
929 if (!use_backfill) {
930 return { RETURNDATACOPY_Instruction{ .copy_size_address = generate_variable_ref(rng),
931 .rd_offset_address = generate_variable_ref(rng),
932 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
933 }
934 std::vector<FuzzInstruction> instructions;
935 instructions.reserve(3);
936 auto copy_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
937 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
938 .result_address = copy_size_address,
939 // We generate small sizes so we fail less often due to gas
940 // Mutations might change this to a larger value.
941 .value = generate_random_uint8(rng) });
942
943 auto rd_offset_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
944 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
945 .result_address = rd_offset_address,
946 .value = generate_random_uint8(rng) });
947
948 instructions.push_back(RETURNDATACOPY_Instruction{ .copy_size_address = copy_size_address,
949 .rd_offset_address = rd_offset_address,
950 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
951
952 return instructions;
953}
954
955std::vector<FuzzInstruction> InstructionMutator::generate_calldatacopy_instruction(std::mt19937_64& rng)
956{
957 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
958 if (!use_backfill) {
959 return { CALLDATACOPY_Instruction{ .copy_size_address = generate_variable_ref(rng),
960 .cd_offset_address = generate_variable_ref(rng),
961 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
962 }
963 std::vector<FuzzInstruction> instructions;
964 instructions.reserve(3);
965 auto copy_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
966 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
967 .result_address = copy_size_address,
968 // We generate small sizes so we fail less often due to gas
969 // Mutations might change this to a larger value.
970 .value = generate_random_uint8(rng) });
971
972 auto cd_offset_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
973 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
974 .result_address = cd_offset_address,
975 .value = generate_random_uint8(rng) });
976
977 instructions.push_back(CALLDATACOPY_Instruction{ .copy_size_address = copy_size_address,
978 .cd_offset_address = cd_offset_address,
979 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
980
981 return instructions;
982}
983
984std::vector<FuzzInstruction> InstructionMutator::generate_sendl2tol1msg_instruction(std::mt19937_64& rng)
985{
986 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
987 if (!use_backfill) {
988 return { SENDL2TOL1MSG_Instruction{ .recipient_address = generate_variable_ref(rng),
989 .content_address = generate_variable_ref(rng) } };
990 }
991 std::vector<FuzzInstruction> instructions;
992 instructions.reserve(3);
993
994 auto recipient_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
995 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
996 .result_address = recipient_address,
997 .value = generate_random_eth_address(rng) });
998
999 auto content_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
1000 instructions.push_back(SET_FF_Instruction{
1001 .value_tag = bb::avm2::MemoryTag::FF, .result_address = content_address, .value = generate_random_field(rng) });
1002
1003 instructions.push_back(
1004 SENDL2TOL1MSG_Instruction{ .recipient_address = recipient_address, .content_address = content_address });
1005
1006 return instructions;
1007}
1008
1009void InstructionMutator::mutate_param_ref(ParamRef& param,
1010 std::mt19937_64& rng,
1011 std::optional<MemoryTag> default_tag,
1012 uint32_t max_operand_value)
1013{
1014 std::visit(overloaded{ [&](VariableRef& var) { mutate_variable_ref(var, rng, default_tag); },
1015 [&](AddressRef& addr) { mutate_address_ref(addr, rng, max_operand_value); } },
1016 param);
1017}
1018
1019template <typename BinaryInstructionType>
1020void InstructionMutator::mutate_binary_instruction_8(BinaryInstructionType& instruction, std::mt19937_64& rng)
1021{
1022 BinaryInstruction8MutationOptions option = BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION.select(rng);
1023 switch (option) {
1024 case BinaryInstruction8MutationOptions::a_address:
1025 mutate_param_ref(instruction.a_address, rng, std::nullopt, MAX_8BIT_OPERAND);
1026 break;
1027 case BinaryInstruction8MutationOptions::b_address:
1028 mutate_param_ref(instruction.b_address, rng, get_param_ref_tag(instruction.a_address), MAX_8BIT_OPERAND);
1029 break;
1030 case BinaryInstruction8MutationOptions::result_address:
1031 mutate_address_ref(instruction.result_address, rng, MAX_8BIT_OPERAND);
1032 break;
1033 }
1034}
1035
1036template <typename BinaryInstructionType>
1037void InstructionMutator::mutate_binary_instruction_16(BinaryInstructionType& instruction, std::mt19937_64& rng)
1038{
1039 BinaryInstruction8MutationOptions option = BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION.select(rng);
1040 switch (option) {
1041 case BinaryInstruction8MutationOptions::a_address:
1042 mutate_param_ref(instruction.a_address, rng, std::nullopt, MAX_16BIT_OPERAND);
1043 break;
1044 case BinaryInstruction8MutationOptions::b_address:
1045 mutate_param_ref(instruction.b_address, rng, get_param_ref_tag(instruction.a_address), MAX_16BIT_OPERAND);
1046 break;
1047 case BinaryInstruction8MutationOptions::result_address:
1048 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1049 break;
1050 }
1051}
1052
1065
1081
1097
1113
1129
1148
1164
1165void InstructionMutator::mutate_mov_8_instruction(MOV_8_Instruction& instruction, std::mt19937_64& rng)
1166{
1167 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
1168 switch (choice) {
1169 case 0:
1170 mutate_memory_tag(instruction.value_tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
1171 break;
1172 case 1:
1173 mutate_param_ref(instruction.src_address, rng, std::nullopt, MAX_8BIT_OPERAND);
1174 break;
1175 case 2:
1176 mutate_address_ref(instruction.result_address, rng, MAX_8BIT_OPERAND);
1177 break;
1178 }
1179}
1180
1181void InstructionMutator::mutate_mov_16_instruction(MOV_16_Instruction& instruction, std::mt19937_64& rng)
1182{
1183 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
1184 switch (choice) {
1185 case 0:
1186 mutate_memory_tag(instruction.value_tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
1187 break;
1188 case 1:
1189 mutate_param_ref(instruction.src_address, rng, std::nullopt, MAX_16BIT_OPERAND);
1190 break;
1191 case 2:
1192 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1193 break;
1194 }
1195}
1196
1209
1225
1241
1242void InstructionMutator::mutate_sstore_instruction(SSTORE_Instruction& instruction, std::mt19937_64& rng)
1243{
1244 SStoreMutationOptions option = BASIC_SSTORE_MUTATION_CONFIGURATION.select(rng);
1245 switch (option) {
1246 case SStoreMutationOptions::src_address:
1247 mutate_param_ref(instruction.src_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1248 break;
1249 case SStoreMutationOptions::result_address:
1250 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1251 break;
1252 case SStoreMutationOptions::slot:
1253 mutate_field(instruction.slot, rng, BASIC_FIELD_MUTATION_CONFIGURATION);
1254 break;
1255 }
1256}
1257
1258void InstructionMutator::mutate_sload_instruction(SLOAD_Instruction& instruction, std::mt19937_64& rng)
1259{
1260 SLoadMutationOptions option = BASIC_SLOAD_MUTATION_CONFIGURATION.select(rng);
1261 switch (option) {
1262 case SLoadMutationOptions::slot_index:
1263 mutate_uint16_t(instruction.slot_index, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
1264 break;
1265 case SLoadMutationOptions::slot_address:
1266 mutate_address_ref(instruction.slot_address, rng, MAX_16BIT_OPERAND);
1267 break;
1268 case SLoadMutationOptions::contract_address_address:
1269 mutate_param_ref(instruction.contract_address_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1270 break;
1271 case SLoadMutationOptions::result_address:
1272 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1273 break;
1274 }
1275}
1276
1277void InstructionMutator::mutate_getenvvar_instruction(GETENVVAR_Instruction& instruction, std::mt19937_64& rng)
1278{
1279 GetEnvVarMutationOptions option = BASIC_GETENVVAR_MUTATION_CONFIGURATION.select(rng);
1280 switch (option) {
1281 case GetEnvVarMutationOptions::result_address:
1282 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1283 break;
1284 case GetEnvVarMutationOptions::type:
1285 instruction.type = generate_envvar_type(rng);
1286 break;
1287 }
1288}
1289
1290void InstructionMutator::mutate_emit_nullifier_instruction(EMITNULLIFIER_Instruction& instruction, std::mt19937_64& rng)
1291{
1292 // emitnulifier only has one field
1293
1294 mutate_param_ref(instruction.nullifier_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1295}
1296
1310
1311void InstructionMutator::mutate_l1tol2msgexists_instruction(L1TOL2MSGEXISTS_Instruction& instruction,
1312 std::mt19937_64& rng)
1313{
1314 L1ToL2MsgExistsMutationOptions option = BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION.select(rng);
1315 switch (option) {
1316 case L1ToL2MsgExistsMutationOptions::msg_hash_address:
1317 mutate_param_ref(instruction.msg_hash_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1318 break;
1319 case L1ToL2MsgExistsMutationOptions::leaf_index_address:
1320 mutate_param_ref(instruction.leaf_index_address, rng, MemoryTag::U64, MAX_16BIT_OPERAND);
1321 break;
1322 case L1ToL2MsgExistsMutationOptions::result_address:
1323 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1324 break;
1325 }
1326}
1327
1340void InstructionMutator::mutate_note_hash_exists_instruction(NOTEHASHEXISTS_Instruction& instruction,
1341 std::mt19937_64& rng)
1342{
1343 NoteHashExistsMutationOptions option = BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION.select(rng);
1344 switch (option) {
1345 case NoteHashExistsMutationOptions::notehash_address:
1346 mutate_param_ref(instruction.notehash_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1347 break;
1348 case NoteHashExistsMutationOptions::leaf_index_address:
1349 mutate_param_ref(instruction.leaf_index_address, rng, MemoryTag::U64, MAX_16BIT_OPERAND);
1350 break;
1351 case NoteHashExistsMutationOptions::result_address:
1352 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1353 break;
1354 }
1355}
1356
1357void InstructionMutator::mutate_calldatacopy_instruction(CALLDATACOPY_Instruction& instruction, std::mt19937_64& rng)
1358{
1359 CalldataCopyMutationOptions option = BASIC_CALLDATACOPY_MUTATION_CONFIGURATION.select(rng);
1360 switch (option) {
1361 case CalldataCopyMutationOptions::copy_size_address:
1362 mutate_param_ref(instruction.copy_size_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1363 break;
1364 case CalldataCopyMutationOptions::cd_offset_address:
1365 mutate_param_ref(instruction.cd_offset_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1366 break;
1367 case CalldataCopyMutationOptions::dst_address:
1368 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1369 break;
1370 }
1371}
1372
1385
1398
1399void InstructionMutator::mutate_call_instruction(CALL_Instruction& instruction, std::mt19937_64& rng)
1400{
1401 CallMutationOptions option = BASIC_CALL_MUTATION_CONFIGURATION.select(rng);
1402 switch (option) {
1403 case CallMutationOptions::l2_gas_address:
1404 mutate_param_ref(instruction.l2_gas_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1405 break;
1406 case CallMutationOptions::da_gas_address:
1407 mutate_param_ref(instruction.da_gas_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1408 break;
1409 case CallMutationOptions::contract_address_address:
1410 mutate_param_ref(instruction.contract_address_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1411 break;
1412 case CallMutationOptions::calldata_size_address:
1413 mutate_address_ref(instruction.calldata_size_address, rng, MAX_16BIT_OPERAND);
1414 break;
1415 case CallMutationOptions::calldata_size:
1416 mutate_uint16_t(instruction.calldata_size, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
1417 break;
1418 case CallMutationOptions::calldata_address:
1419 mutate_param_ref(instruction.calldata_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1420 break;
1421 case CallMutationOptions::is_static_call:
1422 // with 0.5 probability, set to true, otherwise false
1423 instruction.is_static_call = rng() % 2 == 0;
1424 }
1425}
1426
1432
1433void InstructionMutator::mutate_returndatacopy_instruction(RETURNDATACOPY_Instruction& instruction,
1434 std::mt19937_64& rng)
1435{
1436 ReturndataCopyMutationOptions option = BASIC_RETURNDATACOPY_MUTATION_CONFIGURATION.select(rng);
1437 switch (option) {
1438 case ReturndataCopyMutationOptions::copy_size_address:
1439 mutate_param_ref(instruction.copy_size_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1440 break;
1441 case ReturndataCopyMutationOptions::rd_offset_address:
1442 mutate_param_ref(instruction.rd_offset_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1443 break;
1444 case ReturndataCopyMutationOptions::dst_address:
1445 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1446 break;
1447 }
1448}
1449
1466
1476
1477void InstructionMutator::mutate_ecadd_instruction(ECADD_Instruction& instruction, std::mt19937_64& rng)
1478{
1479 // ECADD has 7 operands, select one to mutate
1480 int choice = std::uniform_int_distribution<int>(0, 6)(rng);
1481 switch (choice) {
1482 case 0:
1483 mutate_param_ref(instruction.p1_x, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1484 break;
1485 case 1:
1486 mutate_param_ref(instruction.p1_y, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1487 break;
1488 case 2:
1489 mutate_param_ref(instruction.p1_infinite, rng, MemoryTag::U1, MAX_16BIT_OPERAND);
1490 break;
1491 case 3:
1492 mutate_param_ref(instruction.p2_x, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1493 break;
1494 case 4:
1495 mutate_param_ref(instruction.p2_y, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1496 break;
1497 case 5:
1498 mutate_param_ref(instruction.p2_infinite, rng, MemoryTag::U1, MAX_16BIT_OPERAND);
1499 break;
1500 case 6:
1501 mutate_address_ref(instruction.result, rng, MAX_16BIT_OPERAND);
1502 break;
1503 }
1504}
1505
1506void InstructionMutator::mutate_poseidon2perm_instruction(POSEIDON2PERM_Instruction& instruction, std::mt19937_64& rng)
1507{
1508 int choice = std::uniform_int_distribution<int>(0, 1)(rng);
1509 switch (choice) {
1510 case 0:
1511 mutate_param_ref(instruction.src_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1512 break;
1513 case 1:
1514 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1515 break;
1516 }
1517}
1518
1519void InstructionMutator::mutate_keccakf1600_instruction(KECCAKF1600_Instruction& instruction, std::mt19937_64& rng)
1520{
1521 int choice = std::uniform_int_distribution<int>(0, 1)(rng);
1522 switch (choice) {
1523 case 0:
1524 mutate_param_ref(instruction.src_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1525 break;
1526 case 1:
1527 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1528 break;
1529 }
1530}
1531
1532void InstructionMutator::mutate_sha256compression_instruction(SHA256COMPRESSION_Instruction& instruction,
1533 std::mt19937_64& rng)
1534{
1535 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
1536 switch (choice) {
1537 case 0:
1538 mutate_param_ref(instruction.state_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1539 break;
1540 case 1:
1541 mutate_param_ref(instruction.input_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1542 break;
1543 case 2:
1544 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1545 break;
1546 }
1547}
1548
1549void InstructionMutator::mutate_toradixbe_instruction(TORADIXBE_Instruction& instruction, std::mt19937_64& rng)
1550{
1551 ToRadixBEMutationOptions option = BASIC_TORADIXBE_MUTATION_CONFIGURATION.select(rng);
1552 switch (option) {
1553 case ToRadixBEMutationOptions::value_address:
1554 mutate_param_ref(instruction.value_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1555 break;
1556 case ToRadixBEMutationOptions::radix_address:
1557 mutate_param_ref(instruction.radix_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1558 break;
1559 case ToRadixBEMutationOptions::num_limbs_address:
1560 mutate_param_ref(instruction.num_limbs_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1561 break;
1562 case ToRadixBEMutationOptions::output_bits_address:
1563 mutate_param_ref(instruction.output_bits_address, rng, MemoryTag::U1, MAX_16BIT_OPERAND);
1564 break;
1565 case ToRadixBEMutationOptions::dst_address:
1566 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1567 break;
1568 case ToRadixBEMutationOptions::is_output_bits:
1569 instruction.is_output_bits = !instruction.is_output_bits;
1570 break;
1571 }
1572}
1573
1574void InstructionMutator::mutate_debuglog_instruction(DEBUGLOG_Instruction& instruction, std::mt19937_64& rng)
1575{
1576 DebugLogMutationOptions option = BASIC_DEBUGLOG_MUTATION_CONFIGURATION.select(rng);
1577 switch (option) {
1578 case DebugLogMutationOptions::level_offset:
1579 mutate_param_ref(instruction.level_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1580 break;
1581 case DebugLogMutationOptions::message_offset:
1582 mutate_param_ref(instruction.message_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1583 break;
1584 case DebugLogMutationOptions::fields_offset:
1585 mutate_param_ref(instruction.fields_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1586 break;
1587 case DebugLogMutationOptions::fields_size_offset:
1588 mutate_param_ref(instruction.fields_size_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1589 break;
1590 case DebugLogMutationOptions::message_size:
1591 mutate_uint16_t(instruction.message_size, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
1592 break;
1593 }
1594}
1595
1596} // namespace bb::avm2::fuzzer
FuzzInstruction
::FuzzInstruction FuzzInstruction
Definition avm_differential.fuzzer.cpp:17
generate_random_field
FF generate_random_field(std::mt19937_64 &rng)
Definition field.cpp:25
mutate_field
void mutate_field(bb::avm2::FF &value, std::mt19937_64 &rng, const FieldMutationConfig &config)
Definition field.cpp:99
field.hpp
FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH
#define FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH
Definition aztec_constants.hpp:33
AVM_HIGHEST_MEM_ADDRESS
#define AVM_HIGHEST_MEM_ADDRESS
Definition aztec_constants.hpp:47
WeightedSelectionConfig::select
T select(std::mt19937_64 &rng) const
Definition weighted_selection.hpp:33
bb::avm2::StandardAffinePoint::is_infinity
constexpr bool is_infinity() const noexcept
Definition standard_affine_point.hpp:73
bb::avm2::StandardAffinePoint::x
constexpr const BaseField & x() const noexcept
Definition standard_affine_point.hpp:79
bb::avm2::StandardAffinePoint::y
constexpr const BaseField & y() const noexcept
Definition standard_affine_point.hpp:81
bb::avm2::fuzzer::InstructionMutator::generate_getcontractinstance_instruction
std::vector< FuzzInstruction > generate_getcontractinstance_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:861
bb::avm2::fuzzer::InstructionMutator::mutate_set_ff_instruction
void mutate_set_ff_instruction(SET_FF_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1149
bb::avm2::fuzzer::InstructionMutator::mutate_sha256compression_instruction
void mutate_sha256compression_instruction(SHA256COMPRESSION_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1532
bb::avm2::fuzzer::InstructionMutator::mutate_l1tol2msgexists_instruction
void mutate_l1tol2msgexists_instruction(L1TOL2MSGEXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1311
bb::avm2::fuzzer::InstructionMutator::mutate_returndatasize_instruction
void mutate_returndatasize_instruction(RETURNDATASIZE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1427
bb::avm2::fuzzer::InstructionMutator::mutate_emit_note_hash_instruction
void mutate_emit_note_hash_instruction(EMITNOTEHASH_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1328
bb::avm2::fuzzer::InstructionMutator::mutate_set_16_instruction
void mutate_set_16_instruction(SET_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1082
bb::avm2::fuzzer::InstructionMutator::mutate_mov_16_instruction
void mutate_mov_16_instruction(MOV_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1181
bb::avm2::fuzzer::InstructionMutator::mutate_not_8_instruction
void mutate_not_8_instruction(NOT_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1053
bb::avm2::fuzzer::InstructionMutator::mutate_mov_8_instruction
void mutate_mov_8_instruction(MOV_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1165
bb::avm2::fuzzer::InstructionMutator::mutate_binary_instruction_16
void mutate_binary_instruction_16(BinaryInstructionType &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1037
bb::avm2::fuzzer::InstructionMutator::generate_variable_ref
VariableRef generate_variable_ref(std::mt19937_64 &rng)
Definition instruction.cpp:387
bb::avm2::fuzzer::InstructionMutator::generate_alu_with_matching_tags
std::vector< FuzzInstruction > generate_alu_with_matching_tags(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:490
bb::avm2::fuzzer::InstructionMutator::generate_call_instruction
std::vector< FuzzInstruction > generate_call_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:807
bb::avm2::fuzzer::InstructionMutator::generate_fdiv_instruction
std::vector< FuzzInstruction > generate_fdiv_instruction(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:547
bb::avm2::fuzzer::InstructionMutator::mutate_getenvvar_instruction
void mutate_getenvvar_instruction(GETENVVAR_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1277
bb::avm2::fuzzer::InstructionMutator::generate_sload_instruction
std::vector< FuzzInstruction > generate_sload_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:733
bb::avm2::fuzzer::InstructionMutator::generate_toradixbe_instruction
std::vector< FuzzInstruction > generate_toradixbe_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:660
bb::avm2::fuzzer::InstructionMutator::mutate_not_16_instruction
void mutate_not_16_instruction(NOT_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1197
bb::avm2::fuzzer::InstructionMutator::generate_addressing_mode
AddressingMode generate_addressing_mode(std::mt19937_64 &rng)
Definition instruction.cpp:356
bb::avm2::fuzzer::InstructionMutator::mutate_successcopy_instruction
void mutate_successcopy_instruction(SUCCESSCOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1467
bb::avm2::fuzzer::InstructionMutator::mutate_calldatacopy_instruction
void mutate_calldatacopy_instruction(CALLDATACOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1357
bb::avm2::fuzzer::InstructionMutator::mutate_sload_instruction
void mutate_sload_instruction(SLOAD_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1258
bb::avm2::fuzzer::InstructionMutator::mutate_emit_nullifier_instruction
void mutate_emit_nullifier_instruction(EMITNULLIFIER_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1290
bb::avm2::fuzzer::InstructionMutator::generate_keccakf_instruction
std::vector< FuzzInstruction > generate_keccakf_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:590
bb::avm2::fuzzer::InstructionMutator::mutate_sstore_instruction
void mutate_sstore_instruction(SSTORE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1242
bb::avm2::fuzzer::InstructionMutator::mutate_binary_instruction_8
void mutate_binary_instruction_8(BinaryInstructionType &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1020
bb::avm2::fuzzer::InstructionMutator::generate_instruction
std::vector< FuzzInstruction > generate_instruction(std::mt19937_64 &rng)
Generate one instruction and optionally backfill.
Definition instruction.cpp:98
bb::avm2::fuzzer::InstructionMutator::mutate_set_32_instruction
void mutate_set_32_instruction(SET_32_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1098
bb::avm2::fuzzer::InstructionMutator::generate_sendl2tol1msg_instruction
std::vector< FuzzInstruction > generate_sendl2tol1msg_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:984
bb::avm2::fuzzer::InstructionMutator::mutate_sendl2tol1msg_instruction
void mutate_sendl2tol1msg_instruction(SENDL2TOL1MSG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1373
bb::avm2::fuzzer::InstructionMutator::generate_calldatacopy_instruction
std::vector< FuzzInstruction > generate_calldatacopy_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:955
bb::avm2::fuzzer::InstructionMutator::mutate_nullifier_exists_instruction
void mutate_nullifier_exists_instruction(NULLIFIEREXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1297
bb::avm2::fuzzer::InstructionMutator::mutate_note_hash_exists_instruction
void mutate_note_hash_exists_instruction(NOTEHASHEXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1340
bb::avm2::fuzzer::InstructionMutator::mutate_toradixbe_instruction
void mutate_toradixbe_instruction(TORADIXBE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1549
bb::avm2::fuzzer::InstructionMutator::mutate_call_instruction
void mutate_call_instruction(CALL_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1399
bb::avm2::fuzzer::InstructionMutator::mutate_set_128_instruction
void mutate_set_128_instruction(SET_128_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1130
bb::avm2::fuzzer::InstructionMutator::mutate_instruction
void mutate_instruction(FuzzInstruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:286
bb::avm2::fuzzer::InstructionMutator::generate_returndatacopy_instruction
std::vector< FuzzInstruction > generate_returndatacopy_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:926
bb::avm2::fuzzer::InstructionMutator::mutate_debuglog_instruction
void mutate_debuglog_instruction(DEBUGLOG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1574
bb::avm2::fuzzer::InstructionMutator::mutate_keccakf1600_instruction
void mutate_keccakf1600_instruction(KECCAKF1600_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1519
bb::avm2::fuzzer::InstructionMutator::mutate_address_ref
void mutate_address_ref(AddressRef &address, std::mt19937_64 &rng, uint32_t max_operand_value)
Definition instruction.cpp:370
bb::avm2::fuzzer::InstructionMutator::mutate_variable_ref
void mutate_variable_ref(VariableRef &variable, std::mt19937_64 &rng, std::optional< MemoryTag > default_tag)
Most of the tags will be equal to the default tag.
Definition instruction.cpp:397
bb::avm2::fuzzer::InstructionMutator::mutate_cast_8_instruction
void mutate_cast_8_instruction(CAST_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1210
bb::avm2::fuzzer::InstructionMutator::mutate_set_64_instruction
void mutate_set_64_instruction(SET_64_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1114
bb::avm2::fuzzer::InstructionMutator::mutate_getcontractinstance_instruction
void mutate_getcontractinstance_instruction(GETCONTRACTINSTANCE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1450
bb::avm2::fuzzer::InstructionMutator::generate_sha256compression_instruction
std::vector< FuzzInstruction > generate_sha256compression_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:616
bb::avm2::fuzzer::InstructionMutator::generate_emitpubliclog_instruction
std::vector< FuzzInstruction > generate_emitpubliclog_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:776
bb::avm2::fuzzer::InstructionMutator::mutate_ecadd_instruction
void mutate_ecadd_instruction(ECADD_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1477
bb::avm2::fuzzer::InstructionMutator::mutate_returndatacopy_instruction
void mutate_returndatacopy_instruction(RETURNDATACOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1433
bb::avm2::fuzzer::InstructionMutator::mutate_cast_16_instruction
void mutate_cast_16_instruction(CAST_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1226
bb::avm2::fuzzer::InstructionMutator::mutate_set_8_instruction
void mutate_set_8_instruction(SET_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1066
bb::avm2::fuzzer::InstructionMutator::generate_returndatasize_instruction
std::vector< FuzzInstruction > generate_returndatasize_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:921
bb::avm2::fuzzer::InstructionMutator::generate_address_ref
AddressRef generate_address_ref(std::mt19937_64 &rng, uint32_t max_operand_value)
Definition instruction.cpp:361
bb::avm2::fuzzer::InstructionMutator::generate_ecadd_instruction
std::vector< FuzzInstruction > generate_ecadd_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:422
bb::avm2::fuzzer::InstructionMutator::mutate_poseidon2perm_instruction
void mutate_poseidon2perm_instruction(POSEIDON2PERM_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1506
bb::avm2::fuzzer::InstructionMutator::generate_alu_with_matching_tags_not_ff
std::vector< FuzzInstruction > generate_alu_with_matching_tags_not_ff(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:517
bb::avm2::fuzzer::InstructionMutator::mutate_emitpubliclog_instruction
void mutate_emitpubliclog_instruction(EMITPUBLICLOG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1386
bb::avm2::fuzzer::InstructionMutator::mutate_param_ref
void mutate_param_ref(ParamRef &param, std::mt19937_64 &rng, std::optional< MemoryTag > default_tag, uint32_t max_operand_value)
Definition instruction.cpp:1009
bb::avm2::fuzzer::InstructionMutator::generate_notehashexists_instruction
std::vector< FuzzInstruction > generate_notehashexists_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:890
Set32MutationOptions
Set32MutationOptions
Definition configuration.hpp:176
BASIC_SET_128_MUTATION_CONFIGURATION
constexpr Set128MutationConfig BASIC_SET_128_MUTATION_CONFIGURATION
Definition configuration.hpp:200
BASIC_ADDRESS_REF_MUTATION_CONFIGURATION
constexpr AddressRefMutationConfig BASIC_ADDRESS_REF_MUTATION_CONFIGURATION
Definition configuration.hpp:129
Set64MutationOptions
Set64MutationOptions
Definition configuration.hpp:186
BASIC_SLOAD_MUTATION_CONFIGURATION
constexpr SLoadMutationConfig BASIC_SLOAD_MUTATION_CONFIGURATION
Definition configuration.hpp:367
BASIC_GETENVVAR_MUTATION_CONFIGURATION
constexpr GetEnvVarMutationConfig BASIC_GETENVVAR_MUTATION_CONFIGURATION
Definition configuration.hpp:377
BASIC_SET_16_MUTATION_CONFIGURATION
constexpr Set16MutationConfig BASIC_SET_16_MUTATION_CONFIGURATION
Definition configuration.hpp:170
L1ToL2MsgExistsMutationOptions
L1ToL2MsgExistsMutationOptions
Definition configuration.hpp:390
ReturndataCopyMutationOptions
ReturndataCopyMutationOptions
Definition configuration.hpp:466
BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION
constexpr NoteHashExistsMutationConfig BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:410
NoteHashExistsMutationOptions
NoteHashExistsMutationOptions
Definition configuration.hpp:407
BASIC_TORADIXBE_MUTATION_CONFIGURATION
constexpr ToRadixBEMutationConfig BASIC_TORADIXBE_MUTATION_CONFIGURATION
Definition configuration.hpp:502
EmitPublicLogMutationOptions
EmitPublicLogMutationOptions
Definition configuration.hpp:437
BASIC_SET_64_MUTATION_CONFIGURATION
constexpr Set64MutationConfig BASIC_SET_64_MUTATION_CONFIGURATION
Definition configuration.hpp:190
EmitNoteHashMutationOptions
EmitNoteHashMutationOptions
Definition configuration.hpp:399
CallMutationOptions
CallMutationOptions
Definition configuration.hpp:445
SetFFMutationOptions
SetFFMutationOptions
Definition configuration.hpp:207
BASIC_MEMORY_TAG_GENERATION_CONFIGURATION
constexpr MemoryTagGenerationConfig BASIC_MEMORY_TAG_GENERATION_CONFIGURATION
Definition configuration.hpp:96
SuccessCopyMutationOptions
SuccessCopyMutationOptions
Definition configuration.hpp:485
BASIC_DEBUGLOG_MUTATION_CONFIGURATION
constexpr DebugLogMutationConfig BASIC_DEBUGLOG_MUTATION_CONFIGURATION
Definition configuration.hpp:514
BASIC_UINT64_T_MUTATION_CONFIGURATION
constexpr Uint64MutationConfig BASIC_UINT64_T_MUTATION_CONFIGURATION
Definition configuration.hpp:62
Set8MutationOptions
Set8MutationOptions
Definition configuration.hpp:156
Set16MutationOptions
Set16MutationOptions
Definition configuration.hpp:166
BASIC_CALLDATACOPY_MUTATION_CONFIGURATION
constexpr CalldataCopyMutationConfig BASIC_CALLDATACOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:423
BASIC_GETCONTRACTINSTANCE_MUTATION_CONFIGURATION
constexpr GetContractInstanceMutationConfig BASIC_GETCONTRACTINSTANCE_MUTATION_CONFIGURATION
Definition configuration.hpp:478
InstructionGenerationOptions
InstructionGenerationOptions
Definition configuration.hpp:227
BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION
constexpr L1ToL2MsgExistsMutationConfig BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:393
BASIC_UINT32_T_MUTATION_CONFIGURATION
constexpr Uint32MutationConfig BASIC_UINT32_T_MUTATION_CONFIGURATION
Definition configuration.hpp:54
BASIC_UNARY_INSTRUCTION_8_MUTATION_CONFIGURATION
constexpr UnaryInstruction8MutationConfig BASIC_UNARY_INSTRUCTION_8_MUTATION_CONFIGURATION
Definition configuration.hpp:139
SStoreMutationOptions
SStoreMutationOptions
Definition configuration.hpp:355
BASIC_SET_FF_MUTATION_CONFIGURATION
constexpr SetFFMutationConfig BASIC_SET_FF_MUTATION_CONFIGURATION
Definition configuration.hpp:211
BASIC_SET_32_MUTATION_CONFIGURATION
constexpr Set32MutationConfig BASIC_SET_32_MUTATION_CONFIGURATION
Definition configuration.hpp:180
BASIC_FIELD_MUTATION_CONFIGURATION
constexpr FieldMutationConfig BASIC_FIELD_MUTATION_CONFIGURATION
Definition configuration.hpp:84
UnaryInstruction8MutationOptions
UnaryInstruction8MutationOptions
Definition configuration.hpp:135
BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION
constexpr BinaryInstruction8MutationConfig BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION
Definition configuration.hpp:149
BASIC_UINT16_T_MUTATION_CONFIGURATION
constexpr Uint16MutationConfig BASIC_UINT16_T_MUTATION_CONFIGURATION
Definition configuration.hpp:46
BASIC_SSTORE_MUTATION_CONFIGURATION
constexpr SStoreMutationConfig BASIC_SSTORE_MUTATION_CONFIGURATION
Definition configuration.hpp:358
CalldataCopyMutationOptions
CalldataCopyMutationOptions
Definition configuration.hpp:416
BASIC_NULLIFIER_EXISTS_MUTATION_CONFIGURATION
constexpr NullifierExistsMutationConfig BASIC_NULLIFIER_EXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:385
BASIC_CALL_MUTATION_CONFIGURATION
constexpr CallMutationConfig BASIC_CALL_MUTATION_CONFIGURATION
Definition configuration.hpp:456
BASIC_SENDL2TOL1MSG_MUTATION_CONFIGURATION
constexpr SendL2ToL1MsgMutationConfig BASIC_SENDL2TOL1MSG_MUTATION_CONFIGURATION
Definition configuration.hpp:432
BASIC_VARIABLE_REF_MUTATION_CONFIGURATION
constexpr VariableRefMutationConfig BASIC_VARIABLE_REF_MUTATION_CONFIGURATION
Definition configuration.hpp:120
Set128MutationOptions
Set128MutationOptions
Definition configuration.hpp:196
BASIC_EMITNOTEHASH_MUTATION_CONFIGURATION
constexpr EmitNoteHashMutationConfig BASIC_EMITNOTEHASH_MUTATION_CONFIGURATION
Definition configuration.hpp:402
ToRadixBEMutationOptions
ToRadixBEMutationOptions
Definition configuration.hpp:492
BASIC_MEMORY_TAG_MUTATION_CONFIGURATION
constexpr MemoryTagMutationConfig BASIC_MEMORY_TAG_MUTATION_CONFIGURATION
Definition configuration.hpp:108
SLoadMutationOptions
SLoadMutationOptions
Definition configuration.hpp:364
BASIC_UINT8_T_MUTATION_CONFIGURATION
constexpr Uint8MutationConfig BASIC_UINT8_T_MUTATION_CONFIGURATION
Definition configuration.hpp:38
VariableRefMutationOptions
VariableRefMutationOptions
Definition configuration.hpp:118
BASIC_INSTRUCTION_GENERATION_CONFIGURATION
constexpr InstructionGenerationConfig BASIC_INSTRUCTION_GENERATION_CONFIGURATION
Definition configuration.hpp:292
BASIC_SUCCESSCOPY_MUTATION_CONFIGURATION
constexpr SuccessCopyMutationConfig BASIC_SUCCESSCOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:488
GetContractInstanceMutationOptions
GetContractInstanceMutationOptions
Definition configuration.hpp:475
GetEnvVarMutationOptions
GetEnvVarMutationOptions
Definition configuration.hpp:374
DebugLogMutationOptions
DebugLogMutationOptions
Definition configuration.hpp:511
AddressRefMutationOptions
AddressRefMutationOptions
Definition configuration.hpp:127
BinaryInstruction8MutationOptions
BinaryInstruction8MutationOptions
Definition configuration.hpp:145
SendL2ToL1MsgMutationOptions
SendL2ToL1MsgMutationOptions
Definition configuration.hpp:429
BASIC_SET_8_MUTATION_CONFIGURATION
constexpr Set8MutationConfig BASIC_SET_8_MUTATION_CONFIGURATION
Definition configuration.hpp:160
BASIC_EMITPUBLICLOG_MUTATION_CONFIGURATION
constexpr EmitPublicLogMutationConfig BASIC_EMITPUBLICLOG_MUTATION_CONFIGURATION
Definition configuration.hpp:440
BASIC_RETURNDATACOPY_MUTATION_CONFIGURATION
constexpr ReturndataCopyMutationConfig BASIC_RETURNDATACOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:469
NullifierExistsMutationOptions
NullifierExistsMutationOptions
Definition configuration.hpp:382
value
FF value
Definition indexed_tree_check.test.cpp:67
generate_random_eth_address
EthAddress generate_random_eth_address(std::mt19937_64 &rng)
Definition eth_address.cpp:18
eth_address.hpp
instruction.hpp
AddressingMode
AddressingMode
Definition instruction.hpp:50
AddressingMode::Relative
@ Relative
AddressingMode::Direct
@ Direct
ParamRef
std::variant< VariableRef, AddressRef > ParamRef
Definition instruction.hpp:124
fuzzer_context.hpp
instruction
Instruction instruction
Definition gas_tracker.test.cpp:33
generate_memory_tag
MemoryTag generate_memory_tag(std::mt19937_64 &rng, const MemoryTagGenerationConfig &config)
Definition memory_tag.cpp:8
mutate_or_default_tag
void mutate_or_default_tag(MemoryTag &value, std::mt19937_64 &rng, MemoryTag default_tag, double probability=0.1)
Mutate the memory tag or set to the chosen tag with a given probability.
Definition memory_tag.cpp:57
mutate_memory_tag
void mutate_memory_tag(MemoryTag &value, std::mt19937_64 &rng, const MemoryTagMutationConfig &config)
Definition memory_tag.cpp:29
memory_tag.hpp
bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10
bb::avm2::Fq
AvmFlavorSettings::G1::Fq Fq
Definition field.hpp:11
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
ADD_16_Instruction
mem[result_offset] = mem[a_address] + mem[b_address] (16-bit)
Definition instruction.hpp:323
ADD_8_Instruction
mem[result_offset] = mem[a_address] + mem[b_address]
Definition instruction.hpp:149
AND_16_Instruction
mem[result_offset] = mem[a_address] & mem[b_address] (16-bit)
Definition instruction.hpp:386
AND_8_Instruction
mem[result_offset] = mem[a_address] & mem[b_address]
Definition instruction.hpp:212
AddressRef::mode
AddressingModeWrapper mode
Definition instruction.hpp:120
AddressRef::address
uint32_t address
Definition instruction.hpp:114
CALL_Instruction
Definition instruction.hpp:529
CALL_Instruction::l2_gas_address
ParamRef l2_gas_address
Definition instruction.hpp:530
CALLDATACOPY_Instruction
Definition instruction.hpp:510
CALLDATACOPY_Instruction::copy_size_address
ParamRef copy_size_address
Definition instruction.hpp:511
CAST_16_Instruction
CAST_16: cast mem[src_offset_index] to target_tag and store at dst_offset.
Definition instruction.hpp:441
CAST_16_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:443
CAST_8_Instruction
CAST_8: cast mem[src_offset_index] to target_tag and store at dst_offset.
Definition instruction.hpp:432
CAST_8_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:434
DEBUGLOG_Instruction
Definition instruction.hpp:622
DEBUGLOG_Instruction::level_offset
ParamRef level_offset
Definition instruction.hpp:623
DIV_16_Instruction
mem[result_offset] = mem[a_address] / mem[b_address] (16-bit)
Definition instruction.hpp:347
DIV_8_Instruction
mem[result_offset] = mem[a_address] / mem[b_address]
Definition instruction.hpp:173
ECADD_Instruction
Definition instruction.hpp:573
ECADD_Instruction::p1_x
ParamRef p1_x
Definition instruction.hpp:574
EMITNOTEHASH_Instruction
EMITNOTEHASH: M[note_hash_offset] = note_hash; emit note hash to the note hash tree.
Definition instruction.hpp:497
EMITNOTEHASH_Instruction::note_hash_address
AddressRef note_hash_address
Definition instruction.hpp:498
EMITNULLIFIER_Instruction
EMITNULIFIER: inserts new nullifier to the nullifier tree.
Definition instruction.hpp:474
EMITNULLIFIER_Instruction::nullifier_address
ParamRef nullifier_address
Definition instruction.hpp:475
EMITPUBLICLOG_Instruction
Definition instruction.hpp:523
EMITPUBLICLOG_Instruction::log_size_address
ParamRef log_size_address
Definition instruction.hpp:524
EQ_16_Instruction
mem[result_offset] = mem[a_address] == mem[b_address] (16-bit)
Definition instruction.hpp:362
EQ_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:363
EQ_8_Instruction
mem[result_offset] = mem[a_address] == mem[b_address]
Definition instruction.hpp:188
EQ_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:189
FDIV_16_Instruction
Definition instruction.hpp:354
FDIV_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:355
FDIV_8_Instruction
Definition instruction.hpp:180
FDIV_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:181
GETCONTRACTINSTANCE_Instruction
Definition instruction.hpp:561
GETCONTRACTINSTANCE_Instruction::contract_address_address
ParamRef contract_address_address
Definition instruction.hpp:562
GETENVVAR_Instruction
GETENVVAR: M[result_offset] = getenvvar(type)
Definition instruction.hpp:467
GETENVVAR_Instruction::result_address
AddressRef result_address
Definition instruction.hpp:468
KECCAKF1600_Instruction
KECCAKF1600: Perform Keccak-f[1600] permutation on 25 U64 values M[dst_address:dst_address+25] = kecc...
Definition instruction.hpp:594
KECCAKF1600_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:595
L1TOL2MSGEXISTS_Instruction
L1TOL2MSGEXISTS: Check if a L1 to L2 message exists M[result_address] = L1TOL2MSGEXISTS(M[msg_hash_ad...
Definition instruction.hpp:489
L1TOL2MSGEXISTS_Instruction::msg_hash_address
ParamRef msg_hash_address
Definition instruction.hpp:490
LT_16_Instruction
mem[result_offset] = mem[a_address] < mem[b_address] (16-bit)
Definition instruction.hpp:370
LT_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:371
LT_8_Instruction
mem[result_offset] = mem[a_address] < mem[b_address]
Definition instruction.hpp:196
LT_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:197
LTE_16_Instruction
mem[result_offset] = mem[a_address] <= mem[b_address] (16-bit)
Definition instruction.hpp:378
LTE_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:379
LTE_8_Instruction
mem[result_offset] = mem[a_address] <= mem[b_address]
Definition instruction.hpp:204
LTE_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:205
MOV_16_Instruction
MOV_16 instruction: mem[dst_offset] = mem[src_offset].
Definition instruction.hpp:315
MOV_16_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:316
MOV_8_Instruction
MOV_8 instruction: mem[dst_offset] = mem[src_offset].
Definition instruction.hpp:307
MOV_8_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:308
MUL_16_Instruction
mem[result_offset] = mem[a_address] * mem[b_address] (16-bit)
Definition instruction.hpp:339
MUL_8_Instruction
mem[result_offset] = mem[a_address] * mem[b_address]
Definition instruction.hpp:165
NOT_16_Instruction
Definition instruction.hpp:409
NOT_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:410
NOT_8_Instruction
Definition instruction.hpp:235
NOT_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:236
NOTEHASHEXISTS_Instruction
Definition instruction.hpp:503
NOTEHASHEXISTS_Instruction::notehash_address
ParamRef notehash_address
Definition instruction.hpp:504
NULLIFIEREXISTS_Instruction
NULLIFIEREXISTS: checks if a siloed nullifier exists in the nullifier tree M[result_address] = NULLIF...
Definition instruction.hpp:481
NULLIFIEREXISTS_Instruction::siloed_nullifier_address
ParamRef siloed_nullifier_address
Definition instruction.hpp:482
OR_16_Instruction
mem[result_offset] = mem[a_address] | mem[b_address] (16-bit)
Definition instruction.hpp:394
OR_8_Instruction
mem[result_offset] = mem[a_address] | mem[b_address]
Definition instruction.hpp:220
POSEIDON2PERM_Instruction
POSEIDON2PERM: Perform Poseidon2 permutation on 4 FF values M[dst_address:dst_address+4] = poseidon2_...
Definition instruction.hpp:586
POSEIDON2PERM_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:587
RETURNDATACOPY_Instruction
Definition instruction.hpp:553
RETURNDATACOPY_Instruction::copy_size_address
ParamRef copy_size_address
Definition instruction.hpp:554
RETURNDATASIZE_Instruction
Definition instruction.hpp:548
RETURNDATASIZE_Instruction::dst_address
AddressRef dst_address
Definition instruction.hpp:549
SENDL2TOL1MSG_Instruction
Definition instruction.hpp:517
SENDL2TOL1MSG_Instruction::recipient_address
ParamRef recipient_address
Definition instruction.hpp:518
SET_128_Instruction
SET_128 instruction.
Definition instruction.hpp:290
SET_128_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:291
SET_16_Instruction
SET_16 instruction.
Definition instruction.hpp:266
SET_16_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:267
SET_32_Instruction
SET_32 instruction.
Definition instruction.hpp:274
SET_32_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:275
SET_64_Instruction
SET_64 instruction.
Definition instruction.hpp:282
SET_64_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:283
SET_8_Instruction
SET_8 instruction.
Definition instruction.hpp:258
SET_8_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:259
SET_FF_Instruction
SET_FF instruction.
Definition instruction.hpp:299
SET_FF_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:300
SHA256COMPRESSION_Instruction
SHA256COMPRESSION: Perform SHA256 compression M[dst_address:dst_address+8] = sha256_compression(M[sta...
Definition instruction.hpp:603
SHA256COMPRESSION_Instruction::state_address
ParamRef state_address
Definition instruction.hpp:604
SHL_16_Instruction
mem[result_offset] = mem[a_address] << mem[b_address] (16-bit)
Definition instruction.hpp:416
SHL_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:417
SHL_8_Instruction
mem[result_offset] = mem[a_address] << mem[b_address]
Definition instruction.hpp:242
SHL_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:243
SHR_16_Instruction
mem[result_offset] = mem[a_address] >> mem[b_address] (16-bit)
Definition instruction.hpp:424
SHR_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:425
SHR_8_Instruction
mem[result_offset] = mem[a_address] >> mem[b_address]
Definition instruction.hpp:250
SHR_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:251
SLOAD_Instruction
SLOAD: M[slot_offset] = slot; M[result_offset] = S[M[slotOffset]].
Definition instruction.hpp:458
SLOAD_Instruction::slot_index
uint16_t slot_index
Definition instruction.hpp:459
SSTORE_Instruction
SSTORE: M[slot_offset_index] = slot; S[M[slotOffset]] = M[srcOffset].
Definition instruction.hpp:450
SSTORE_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:451
SUB_16_Instruction
mem[result_offset] = mem[a_address] - mem[b_address] (16-bit)
Definition instruction.hpp:331
SUB_8_Instruction
mem[result_offset] = mem[a_address] - mem[b_address]
Definition instruction.hpp:157
SUCCESSCOPY_Instruction
Definition instruction.hpp:568
SUCCESSCOPY_Instruction::dst_address
AddressRef dst_address
Definition instruction.hpp:569
TORADIXBE_Instruction
TORADIXBE: Convert a field element to a vector of limbs in big-endian radix representation M[dst_addr...
Definition instruction.hpp:612
TORADIXBE_Instruction::value_address
ParamRef value_address
Definition instruction.hpp:613
VariableRef::mode
AddressingModeWrapper mode
Definition instruction.hpp:108
VariableRef::index
uint32_t index
Index of the variable in the memory_manager.stored_variables map.
Definition instruction.hpp:102
VariableRef::tag
MemoryTagWrapper tag
Definition instruction.hpp:100
VariableRef::pointer_address_seed
uint16_t pointer_address_seed
A seed for the generation of the pointer address Used for Indirect/IndirectRelative modes only.
Definition instruction.hpp:106
XOR_16_Instruction
mem[result_offset] = mem[a_address] ^ mem[b_address] (16-bit)
Definition instruction.hpp:402
XOR_8_Instruction
mem[result_offset] = mem[a_address] ^ mem[b_address]
Definition instruction.hpp:228
bb::field::is_zero
BB_INLINE constexpr bool is_zero() const noexcept
Definition field_impl.hpp:764
mutate_uint16_t
void mutate_uint16_t(uint16_t &value, std::mt19937_64 &rng, const Uint16MutationConfig &config)
Definition uint16_t.cpp:4
uint16_t.hpp
mutate_uint32_t
void mutate_uint32_t(uint32_t &value, std::mt19937_64 &rng, const Uint32MutationConfig &config)
Definition uint32_t.cpp:4
uint32_t.hpp
mutate_uint64_t
void mutate_uint64_t(uint64_t &value, std::mt19937_64 &rng, const Uint64MutationConfig &config)
Definition uint64_t.cpp:4
uint64_t.hpp
mutate_uint8_t
void mutate_uint8_t(uint8_t &value, std::mt19937_64 &rng, const Uint8MutationConfig &config)
Definition uint8_t.cpp:4
uint8_t.hpp
uint_mutations.hpp
generate_random_uint64
uint64_t generate_random_uint64(std::mt19937_64 &rng)
Definition uint_mutations.hpp:240
generate_random_uint32
uint32_t generate_random_uint32(std::mt19937_64 &rng)
Definition uint_mutations.hpp:235
generate_random_uint16
uint16_t generate_random_uint16(std::mt19937_64 &rng)
Definition uint_mutations.hpp:230
generate_random_uint8
uint8_t generate_random_uint8(std::mt19937_64 &rng)
Definition uint_mutations.hpp:225