Documentation
¶
Index ¶
- type CleanInvalidSequencesResult
- type CleanResult
- type Corpus
- func (c *Corpus) ActiveMutableSequenceCount() int
- func (c *Corpus) AddTestResultCallSequence(callSequence calls.CallSequence, mutationChooserWeight *big.Int, ...) error
- func (c *Corpus) CallSequenceEntryCount() (int, int)
- func (c *Corpus) CheckSequenceCoverageAndUpdate(callSequence calls.CallSequence, mutationChooserWeight *big.Int, ...) error
- func (c *Corpus) CleanInvalidSequences(ctx context.Context, testChain *chain.TestChain, ...) (*CleanInvalidSequencesResult, error)
- func (c *Corpus) CoverageMaps() *coverage.CoverageMaps
- func (c *Corpus) Flush() error
- func (c *Corpus) IncrementValid()
- func (c *Corpus) Initialize(baseTestChain *chain.TestChain, contractDefinitions contracts.Contracts) error
- func (c *Corpus) InitializingCorpus() bool
- func (c *Corpus) MarkCallSequenceForMutation(sequence calls.CallSequence, mutationChooserWeight *big.Int) error
- func (c *Corpus) PruneSequences(ctx context.Context, chain *chain.TestChain) (int, error)
- func (c *Corpus) RandomMutationTargetSequence() (calls.CallSequence, error)
- func (c *Corpus) UnexecutedCallSequence() *calls.CallSequence
- func (c *Corpus) ValidCallSequences() uint64
- type CorpusCleaner
- type CorpusPruner
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CleanInvalidSequencesResult ¶ added in v1.5.0
type CleanInvalidSequencesResult struct {
// TotalSequences is the total number of sequences in the corpus before cleaning.
TotalSequences int
// ValidSequences is the number of sequences that were successfully executed.
ValidSequences int
// InvalidSequences is the list of filenames that were invalid and removed (or would be removed
// in dry-run mode).
InvalidSequences []string
}
CleanInvalidSequencesResult contains the results of cleaning invalid sequences from the corpus.
type CleanResult ¶ added in v1.5.0
type CleanResult struct {
// TotalSequences is the total number of sequences in the corpus before cleaning.
TotalSequences int
// ValidSequences is the number of sequences that executed successfully.
ValidSequences int
// InvalidSequences is the list of filenames that were invalid.
InvalidSequences []string
}
CleanResult contains the results of a corpus cleaning operation.
type Corpus ¶
type Corpus struct {
// contains filtered or unexported fields
}
Corpus describes an archive of fuzzer-generated artifacts used to further fuzzing efforts. These artifacts are reusable across fuzzer runs. Changes to the fuzzer/chain configuration or definitions within smart contracts may create incompatibilities with corpus items.
func NewCorpus ¶
NewCorpus initializes a new Corpus object, reading artifacts from the provided directory and preparing in-memory state required for fuzzing. If the directory refers to an empty path, artifacts will not be persistently stored.
func (*Corpus) ActiveMutableSequenceCount ¶ added in v0.1.1
ActiveMutableSequenceCount returns the count of call sequences recorded in the corpus which have been validated after Corpus initialization and are ready for use in mutations.
func (*Corpus) AddTestResultCallSequence ¶ added in v0.1.1
func (c *Corpus) AddTestResultCallSequence(callSequence calls.CallSequence, mutationChooserWeight *big.Int, flushImmediately bool) error
AddTestResultCallSequence adds a call sequence recorded to the corpus due to a test case provider flagging it to be recorded. Returns an error, if one occurs.
func (*Corpus) CallSequenceEntryCount ¶ added in v0.1.1
CallSequenceEntryCount returns the total number of call sequences that increased coverage and also any test results that led to a failure.
func (*Corpus) CheckSequenceCoverageAndUpdate ¶ added in v0.1.1
func (c *Corpus) CheckSequenceCoverageAndUpdate(callSequence calls.CallSequence, mutationChooserWeight *big.Int, flushImmediately bool) error
CheckSequenceCoverageAndUpdate checks if the most recent call executed in the provided call sequence achieved coverage the Corpus did not with any of its call sequences. If it did, the call sequence is added to the corpus and the Corpus coverage maps are updated accordingly. Returns an error if one occurs.
func (*Corpus) CleanInvalidSequences ¶ added in v1.5.0
func (c *Corpus) CleanInvalidSequences( ctx context.Context, testChain *chain.TestChain, deployedContracts map[common.Address]*contracts.Contract, ) (*CleanInvalidSequencesResult, error)
CleanInvalidSequences validates each call sequence in the corpus by attempting to execute it on the provided test chain. Sequences that fail to execute (due to contract resolution failures, ABI mismatches, or execution errors) are considered invalid and removed from disk.
The deployedContracts map should contain the contracts deployed on the test chain, mapping addresses to their contract definitions.
Returns a CleanInvalidSequencesResult containing statistics about the cleaning operation, or an error if one occurs.
func (*Corpus) CoverageMaps ¶
func (c *Corpus) CoverageMaps() *coverage.CoverageMaps
CoverageMaps exposes coverage details for all call sequences known to the corpus.
func (*Corpus) IncrementValid ¶ added in v1.4.0
func (c *Corpus) IncrementValid()
IncrementValid increments the valid call sequences counter.
func (*Corpus) Initialize ¶
func (c *Corpus) Initialize(baseTestChain *chain.TestChain, contractDefinitions contracts.Contracts) error
Initialize initializes the in-memory corpus state but does not actually replay any of the sequences stored in the corpus. It seeds coverage information from the post-setup chain while enqueueing all persisted sequences for execution. The fuzzer workers will concurrently execute all the sequences stored in the corpus before actually starting the fuzzing campaign.
func (*Corpus) InitializingCorpus ¶ added in v1.4.0
InitializingCorpus returns true if the corpus is still initializing, false otherwise.
func (*Corpus) MarkCallSequenceForMutation ¶ added in v1.4.0
func (c *Corpus) MarkCallSequenceForMutation(sequence calls.CallSequence, mutationChooserWeight *big.Int) error
MarkCallSequenceForMutation records that a call sequence in the corpus has been successfully executed and can be used for mutations.
func (*Corpus) PruneSequences ¶ added in v1.3.0
PruneSequences removes unnecessary entries from the corpus. It does this by:
- Initialize a blank coverage map tmpMap
- Grab all sequences in the corpus
- Randomize the order
- For each transaction, see whether it adds anything new to tmpMap. If it does, add the new coverage and continue. If it doesn't, remove it from the corpus.
By doing this, we hope to find a smaller set of txn sequences that still preserves our current coverage. PruneSequences takes a chain.TestChain parameter used to run transactions. It returns an int indicating the number of sequences removed from the corpus, and an error if any occurred.
func (*Corpus) RandomMutationTargetSequence ¶ added in v0.1.1
func (c *Corpus) RandomMutationTargetSequence() (calls.CallSequence, error)
RandomMutationTargetSequence returns a weighted random call sequence from the Corpus, or an error if one occurs.
func (*Corpus) UnexecutedCallSequence ¶
func (c *Corpus) UnexecutedCallSequence() *calls.CallSequence
UnexecutedCallSequence returns a call sequence loaded from disk which has not yet been returned by this method. It is intended to be used by the fuzzer to run all un-executed call sequences (without mutations) to check for test failures. If a call sequence is returned, it will not be returned by this method again. Returns a call sequence loaded from disk which has not yet been executed, to check for test failures. If all sequences in the corpus have been executed, this will return nil.
func (*Corpus) ValidCallSequences ¶ added in v1.4.0
ValidCallSequences returns the number of valid call sequences in the corpus. Note that this value is only accurate right after corpus initialization.
type CorpusCleaner ¶ added in v1.5.0
type CorpusCleaner struct {
// contains filtered or unexported fields
}
CorpusCleaner provides functionality to clean invalid sequences from a corpus. It follows the same pattern as CorpusPruner by not depending on the Fuzzer type.
func NewCorpusCleaner ¶ added in v1.5.0
func NewCorpusCleaner(corpus *Corpus, logger *logging.Logger) *CorpusCleaner
NewCorpusCleaner creates a new CorpusCleaner.
func (*CorpusCleaner) Clean ¶ added in v1.5.0
func (cc *CorpusCleaner) Clean( ctx context.Context, testChain *chain.TestChain, deployedContracts map[common.Address]*contracts.Contract, ) (*CleanResult, error)
Clean validates call sequences using the provided test chain and deployed contracts. Sequences that fail to execute are removed from disk. Returns the cleaning results and any error encountered.
type CorpusPruner ¶ added in v1.3.0
type CorpusPruner struct {
// contains filtered or unexported fields
}
CorpusPruner is a job that runs every `PruneFrequency` minutes. It removes unnecessary items from the corpus by calling `Corpus.PruneSequences`.
func NewCorpusPruner ¶ added in v1.3.0
func NewCorpusPruner(enabled bool, pruneFrequency uint64, logger *logging.Logger) *CorpusPruner
NewCorpusPruner creates a new CorpusPruner.
func (*CorpusPruner) Start ¶ added in v1.3.0
func (cp *CorpusPruner) Start(ctx context.Context, corpus *Corpus, baseTestChain *chain.TestChain) error
Start takes a context, a corpus to prune, and a base chain in a setup state ready for testing. It clones the base chain, then prunes the corpus every `PruneFrequency` minutes. This runs until ctx cancels the operation. Returns an error if one occurred.
Source Files