d-xo
commented
1 year ago I think a hybrid fuzzing mode will be extremely powerful. The dream setup I've always had in my head is as follows:
- summarize the contract under test
- try to get models that can hit every branch
- use any models as seeds for a dictionary
- fuzz by evaluating the summary directly (this should be a lot faster than actually running the evm), use standard mutation heuristics on the seed in the dictionary. Fallback to direct evm execution for
Partialbranches (perhaps even givePartialnodes enough data to be able to directly resume execution in a full interpreter).
steps 2,3, and 4 can be run in parallel. I am fairly confident that this approach would be very competitive with the best available evm fuzzers (even with the perf hit that we pay for using haskell).
Original Idea (already implemented)
There are some hard cases where running concrete execution for a little bit will get us a win. For example:
In the benchmark suite https://github.com/eth-sc-comp/benchmarks/ will take forever for an SMT solver to deal with, but a fuzzer should find a counterexample in <1s.
This sounds like a hack, and in some sense it is, but I can very easily see this being helpful to the users. The perceived utility of HEVM would be higher, and that's all that matters.
We could even run a thread that just does fuzzing, while the other threads do the symbolic interpretation, etc.
Follow-ups
The original idea as per above has been implemented already, see
Fuzz.hs. However, as detailed below by d-xo, there are a number of significant improvements that can be done that could improve the performance in very significant ways.