Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
instruction.cpp
Go to the documentation of this file.
1#include "barretenberg/avm_fuzzer/mutations/instructions/instruction.hpp"
2
3#include <optional>
4#include <random>
5#include <vector>
6
7#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_context.hpp"
8#include "barretenberg/avm_fuzzer/fuzz_lib/instruction.hpp"
9#include "barretenberg/avm_fuzzer/mutations/basic_types/eth_address.hpp"
10#include "barretenberg/avm_fuzzer/mutations/basic_types/field.hpp"
11#include "barretenberg/avm_fuzzer/mutations/basic_types/memory_tag.hpp"
12#include "barretenberg/avm_fuzzer/mutations/basic_types/uint16_t.hpp"
13#include "barretenberg/avm_fuzzer/mutations/basic_types/uint32_t.hpp"
14#include "barretenberg/avm_fuzzer/mutations/basic_types/uint64_t.hpp"
15#include "barretenberg/avm_fuzzer/mutations/basic_types/uint8_t.hpp"
16#include "barretenberg/avm_fuzzer/mutations/basic_types/uint_mutations.hpp"
17#include "barretenberg/avm_fuzzer/mutations/basic_types/vector.hpp"
18#include "barretenberg/avm_fuzzer/mutations/configuration.hpp"
19#include "barretenberg/vm2/common/field.hpp"
20
21namespace {
22
23// Maximum operand values based on instruction operand size
24constexpr uint32_t MAX_8BIT_OPERAND = 255;
25constexpr uint32_t MAX_16BIT_OPERAND = 65535;
26
27// Helper to generate a SET instruction for a given tag at a given address
28FuzzInstruction generate_set_for_tag(bb::avm2::MemoryTag tag, AddressRef addr, std::mt19937_64& rng)
29{
30 switch (tag) {
31 // We use set 16 for u1 and u8 because using set_8 will limit the address range to 255.
32 case bb::avm2::MemoryTag::U1:
33 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = static_cast<uint8_t>(rng() & 1) };
34 case bb::avm2::MemoryTag::U8:
35 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint8(rng) };
36 case bb::avm2::MemoryTag::U16:
37 return SET_16_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint16(rng) };
38 case bb::avm2::MemoryTag::U32:
39 return SET_32_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint32(rng) };
40 case bb::avm2::MemoryTag::U64:
41 return SET_64_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_uint64(rng) };
42 case bb::avm2::MemoryTag::U128:
43 return SET_128_Instruction{ .value_tag = tag,
44 .result_address = addr,
45 .value_low = generate_random_uint64(rng),
46 .value_high = generate_random_uint64(rng) };
47 case bb::avm2::MemoryTag::FF:
48 default:
49 return SET_FF_Instruction{ .value_tag = tag, .result_address = addr, .value = generate_random_field(rng) };
50 }
51}
52
53uint8_t generate_envvar_type(std::mt19937_64& rng)
54{
55 bool valid_type = std::uniform_int_distribution<int>(0, 9)(rng) != 0;
56
57 if (valid_type) {
58 // 0 -> ADDRESS, 1 -> SENDER, 2 -> TRANSACTIONFEE, 3 -> CHAINID, 4 -> VERSION, 5 -> BLOCKNUMBER, 6 -> TIMESTAMP,
59 // 7 -> MINFEEPERDAGAS, 8 -> MINFEEPERL2GAS, 9 -> ISSTATICCALL, 10 -> L2GASLEFT, 11 -> DAGASLEFT
60 return std::uniform_int_distribution<uint8_t>(0, 11)(rng);
61 } else {
62 return generate_random_uint8(rng);
63 }
64}
65
66std::optional<MemoryTag> get_param_ref_tag(const ParamRef& param)
67{
68 return std::visit(overloaded{ [](const VariableRef& var) -> std::optional<MemoryTag> { return var.tag.value; },
69 [](const AddressRef&) -> std::optional<MemoryTag> { return std::nullopt; } },
70 param);
71}
72
73void sanitize_address_ref(AddressRef& address_ref, uint32_t base_offset, uint32_t max_operand_value)
74{
75
76 // For Direct mode, constrain address to fit in the operand
77 if (address_ref.mode == AddressingMode::Direct) {
78 address_ref.address = address_ref.address % (max_operand_value + 1);
79 }
80 // For Relative mode, we can reach from base_pointer to base_pointer + max_operand_value
81 if (address_ref.mode == AddressingMode::Relative) {
82 address_ref.address = base_offset + (address_ref.address % (max_operand_value + 1));
83 }
84}
85
86uint32_t generate_address(std::mt19937_64& rng)
87{
88 if (std::uniform_int_distribution<int>(0, 19)(rng) == 0) { // 5% chance to generate the highest address
89 return AVM_HIGHEST_MEM_ADDRESS;
90 }
91 return generate_random_uint32(rng);
92}
93
94} // namespace
95
96namespace bb::avm2::fuzzer {
97
98std::vector<FuzzInstruction> InstructionMutator::generate_instruction(std::mt19937_64& rng)
99{
100 InstructionGenerationOptions option = BASIC_INSTRUCTION_GENERATION_CONFIGURATION.select(rng);
101 // forgive me
102 switch (option) {
103 case InstructionGenerationOptions::ADD_8:
104 return generate_alu_with_matching_tags<ADD_8_Instruction>(rng, MAX_8BIT_OPERAND);
105 case InstructionGenerationOptions::SUB_8:
106 return generate_alu_with_matching_tags<SUB_8_Instruction>(rng, MAX_8BIT_OPERAND);
107 case InstructionGenerationOptions::MUL_8:
108 return generate_alu_with_matching_tags<MUL_8_Instruction>(rng, MAX_8BIT_OPERAND);
109 case InstructionGenerationOptions::DIV_8:
110 return generate_alu_with_matching_tags_not_ff<DIV_8_Instruction>(rng, MAX_8BIT_OPERAND);
111 case InstructionGenerationOptions::FDIV_8:
112 return generate_fdiv_instruction(rng, MAX_8BIT_OPERAND);
113 case InstructionGenerationOptions::EQ_8:
114 return { EQ_8_Instruction{ .a_address = generate_variable_ref(rng),
115 .b_address = generate_variable_ref(rng),
116 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
117 case InstructionGenerationOptions::LT_8:
118 return { LT_8_Instruction{ .a_address = generate_variable_ref(rng),
119 .b_address = generate_variable_ref(rng),
120 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
121 case InstructionGenerationOptions::LTE_8:
122 return { LTE_8_Instruction{ .a_address = generate_variable_ref(rng),
123 .b_address = generate_variable_ref(rng),
124 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
125 case InstructionGenerationOptions::AND_8:
126 return generate_alu_with_matching_tags_not_ff<AND_8_Instruction>(rng, MAX_8BIT_OPERAND);
127 case InstructionGenerationOptions::OR_8:
128 return generate_alu_with_matching_tags_not_ff<OR_8_Instruction>(rng, MAX_8BIT_OPERAND);
129 case InstructionGenerationOptions::XOR_8:
130 return generate_alu_with_matching_tags_not_ff<XOR_8_Instruction>(rng, MAX_8BIT_OPERAND);
131 case InstructionGenerationOptions::NOT_8:
132 return { NOT_8_Instruction{ .a_address = generate_variable_ref(rng),
133 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
134 case InstructionGenerationOptions::SHL_8:
135 return { SHL_8_Instruction{ .a_address = generate_variable_ref(rng),
136 .b_address = generate_variable_ref(rng),
137 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
138
139 case InstructionGenerationOptions::SHR_8:
140 return { SHR_8_Instruction{ .a_address = generate_variable_ref(rng),
141 .b_address = generate_variable_ref(rng),
142 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
143 case InstructionGenerationOptions::SET_8:
144 return { SET_8_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
145 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND),
146 .value = generate_random_uint8(rng) } };
147 case InstructionGenerationOptions::SET_16:
148 return { SET_16_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
149 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
150 .value = generate_random_uint16(rng) } };
151 case InstructionGenerationOptions::SET_32:
152 return { SET_32_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
153 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
154 .value = generate_random_uint32(rng) } };
155 case InstructionGenerationOptions::SET_64:
156 return { SET_64_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
157 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
158 .value = generate_random_uint64(rng) } };
159 case InstructionGenerationOptions::SET_128:
160 return { SET_128_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
161 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
162 .value_low = generate_random_uint64(rng),
163 .value_high = generate_random_uint64(rng) } };
164 case InstructionGenerationOptions::SET_FF:
165 return { SET_FF_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
166 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
167 .value = generate_random_field(rng) } };
168 case InstructionGenerationOptions::MOV_8:
169 return { MOV_8_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
170 .src_address = generate_variable_ref(rng),
171 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND) } };
172 case InstructionGenerationOptions::MOV_16:
173 return { MOV_16_Instruction{ .value_tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION),
174 .src_address = generate_variable_ref(rng),
175 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
176 case InstructionGenerationOptions::ADD_16:
177 return generate_alu_with_matching_tags<ADD_16_Instruction>(rng, MAX_16BIT_OPERAND);
178 case InstructionGenerationOptions::SUB_16:
179 return generate_alu_with_matching_tags<SUB_16_Instruction>(rng, MAX_16BIT_OPERAND);
180 case InstructionGenerationOptions::MUL_16:
181 return generate_alu_with_matching_tags<MUL_16_Instruction>(rng, MAX_16BIT_OPERAND);
182 case InstructionGenerationOptions::DIV_16:
183 return generate_alu_with_matching_tags_not_ff<DIV_16_Instruction>(rng, MAX_16BIT_OPERAND);
184 case InstructionGenerationOptions::FDIV_16:
185 return { FDIV_16_Instruction{ .a_address = generate_variable_ref(rng),
186 .b_address = generate_variable_ref(rng),
187 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
188 case InstructionGenerationOptions::EQ_16:
189 return { EQ_16_Instruction{ .a_address = generate_variable_ref(rng),
190 .b_address = generate_variable_ref(rng),
191 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
192 case InstructionGenerationOptions::LT_16:
193 return { LT_16_Instruction{ .a_address = generate_variable_ref(rng),
194 .b_address = generate_variable_ref(rng),
195 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
196 case InstructionGenerationOptions::LTE_16:
197 return { LTE_16_Instruction{ .a_address = generate_variable_ref(rng),
198 .b_address = generate_variable_ref(rng),
199 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
200 case InstructionGenerationOptions::AND_16:
201 return generate_alu_with_matching_tags_not_ff<AND_16_Instruction>(rng, MAX_16BIT_OPERAND);
202 case InstructionGenerationOptions::OR_16:
203 return generate_alu_with_matching_tags_not_ff<OR_16_Instruction>(rng, MAX_16BIT_OPERAND);
204 case InstructionGenerationOptions::XOR_16:
205 return generate_alu_with_matching_tags_not_ff<XOR_16_Instruction>(rng, MAX_16BIT_OPERAND);
206 case InstructionGenerationOptions::NOT_16:
207 return { NOT_16_Instruction{ .a_address = generate_variable_ref(rng),
208 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
209 case InstructionGenerationOptions::SHL_16:
210 return { SHL_16_Instruction{ .a_address = generate_variable_ref(rng),
211 .b_address = generate_variable_ref(rng),
212 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
213 case InstructionGenerationOptions::SHR_16:
214 return { SHR_16_Instruction{ .a_address = generate_variable_ref(rng),
215 .b_address = generate_variable_ref(rng),
216 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
217 case InstructionGenerationOptions::CAST_8:
218 return { CAST_8_Instruction{ .src_address = generate_variable_ref(rng),
219 .result_address = generate_address_ref(rng, MAX_8BIT_OPERAND),
220 .target_tag =
221 generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION) } };
222 case InstructionGenerationOptions::CAST_16:
223 return { CAST_16_Instruction{ .src_address = generate_variable_ref(rng),
224 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
225 .target_tag =
226 generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION) } };
227 case InstructionGenerationOptions::SSTORE:
228 return { SSTORE_Instruction{ .src_address = generate_variable_ref(rng),
229 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
230 .slot = generate_random_field(rng) } };
231 case InstructionGenerationOptions::SLOAD:
232 return generate_sload_instruction(rng);
233 case InstructionGenerationOptions::GETENVVAR:
234 return { GETENVVAR_Instruction{ .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
235 .type = generate_envvar_type(rng) } };
236 case InstructionGenerationOptions::EMITNULLIFIER:
237 return { EMITNULLIFIER_Instruction{ .nullifier_address = generate_variable_ref(rng) } };
238 case InstructionGenerationOptions::NULLIFIEREXISTS:
239 return { NULLIFIEREXISTS_Instruction{ .siloed_nullifier_address = generate_variable_ref(rng),
240 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
241 case InstructionGenerationOptions::L1TOL2MSGEXISTS:
242 return { L1TOL2MSGEXISTS_Instruction{ .msg_hash_address = generate_variable_ref(rng),
243 .leaf_index_address = generate_variable_ref(rng),
244 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
245 case InstructionGenerationOptions::EMITNOTEHASH:
246 return { EMITNOTEHASH_Instruction{ .note_hash_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
247 .note_hash = generate_random_field(rng) } };
248 case InstructionGenerationOptions::NOTEHASHEXISTS:
249 return generate_notehashexists_instruction(rng);
250 case InstructionGenerationOptions::CALLDATACOPY:
251 return generate_calldatacopy_instruction(rng);
252 case InstructionGenerationOptions::SENDL2TOL1MSG:
253 return generate_sendl2tol1msg_instruction(rng);
254 case InstructionGenerationOptions::EMITPUBLICLOG:
255 return generate_emitpubliclog_instruction(rng);
256 case InstructionGenerationOptions::CALL:
257 return generate_call_instruction(rng);
258 case InstructionGenerationOptions::RETURNDATASIZE:
259 return generate_returndatasize_instruction(rng);
260 case InstructionGenerationOptions::RETURNDATACOPY:
261 return generate_returndatacopy_instruction(rng);
262 case InstructionGenerationOptions::GETCONTRACTINSTANCE:
263 return generate_getcontractinstance_instruction(rng);
264 case InstructionGenerationOptions::SUCCESSCOPY:
265 return { SUCCESSCOPY_Instruction{ .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
266 case InstructionGenerationOptions::ECADD:
267 return generate_ecadd_instruction(rng);
268 case InstructionGenerationOptions::POSEIDON2PERM:
269 return { POSEIDON2PERM_Instruction{ .src_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
270 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
271 case InstructionGenerationOptions::KECCAKF1600:
272 return generate_keccakf_instruction(rng);
273 case InstructionGenerationOptions::SHA256COMPRESSION:
274 return generate_sha256compression_instruction(rng);
275 case InstructionGenerationOptions::TORADIXBE:
276 return generate_toradixbe_instruction(rng);
277 case InstructionGenerationOptions::DEBUGLOG:
278 return { { DEBUGLOG_Instruction{ .level_offset = generate_variable_ref(rng),
279 .message_offset = generate_variable_ref(rng),
280 .fields_offset = generate_variable_ref(rng),
281 .fields_size_offset = generate_variable_ref(rng),
282 .message_size = generate_random_uint16(rng) } } };
283 }
284}
285
286void InstructionMutator::mutate_instruction(FuzzInstruction& instruction, std::mt19937_64& rng)
287{
288 std::visit(
289 overloaded{
290 [&rng, this](ADD_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
291 [&rng, this](SUB_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
292 [&rng, this](MUL_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
293 [&rng, this](DIV_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
294 [&rng, this](EQ_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
295 [&rng, this](LT_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
296 [&rng, this](LTE_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
297 [&rng, this](AND_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
298 [&rng, this](OR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
299 [&rng, this](XOR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
300 [&rng, this](SHL_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
301 [&rng, this](SHR_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
302 [&rng, this](SET_8_Instruction& instr) { mutate_set_8_instruction(instr, rng); },
303 [&rng, this](SET_16_Instruction& instr) { mutate_set_16_instruction(instr, rng); },
304 [&rng, this](SET_32_Instruction& instr) { mutate_set_32_instruction(instr, rng); },
305 [&rng, this](SET_64_Instruction& instr) { mutate_set_64_instruction(instr, rng); },
306 [&rng, this](SET_128_Instruction& instr) { mutate_set_128_instruction(instr, rng); },
307 [&rng, this](SET_FF_Instruction& instr) { mutate_set_ff_instruction(instr, rng); },
308 [&rng, this](MOV_8_Instruction& instr) { mutate_mov_8_instruction(instr, rng); },
309 [&rng, this](MOV_16_Instruction& instr) { mutate_mov_16_instruction(instr, rng); },
310 [&rng, this](FDIV_8_Instruction& instr) { mutate_binary_instruction_8(instr, rng); },
311 [&rng, this](NOT_8_Instruction& instr) { mutate_not_8_instruction(instr, rng); },
312 [&rng, this](ADD_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
313 [&rng, this](SUB_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
314 [&rng, this](MUL_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
315 [&rng, this](DIV_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
316 [&rng, this](FDIV_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
317 [&rng, this](EQ_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
318 [&rng, this](LT_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
319 [&rng, this](LTE_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
320 [&rng, this](AND_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
321 [&rng, this](OR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
322 [&rng, this](XOR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
323 [&rng, this](NOT_16_Instruction& instr) { mutate_not_16_instruction(instr, rng); },
324 [&rng, this](SHL_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
325 [&rng, this](SHR_16_Instruction& instr) { mutate_binary_instruction_16(instr, rng); },
326 [&rng, this](CAST_8_Instruction& instr) { mutate_cast_8_instruction(instr, rng); },
327 [&rng, this](CAST_16_Instruction& instr) { mutate_cast_16_instruction(instr, rng); },
328 [&rng, this](SSTORE_Instruction& instr) { mutate_sstore_instruction(instr, rng); },
329 [&rng, this](SLOAD_Instruction& instr) { mutate_sload_instruction(instr, rng); },
330 [&rng, this](GETENVVAR_Instruction& instr) { mutate_getenvvar_instruction(instr, rng); },
331 [&rng, this](EMITNULLIFIER_Instruction& instr) { mutate_emit_nullifier_instruction(instr, rng); },
332 [&rng, this](NULLIFIEREXISTS_Instruction& instr) { mutate_nullifier_exists_instruction(instr, rng); },
333 [&rng, this](L1TOL2MSGEXISTS_Instruction& instr) { mutate_l1tol2msgexists_instruction(instr, rng); },
334 [&rng, this](EMITNOTEHASH_Instruction& instr) { mutate_emit_note_hash_instruction(instr, rng); },
335 [&rng, this](NOTEHASHEXISTS_Instruction& instr) { mutate_note_hash_exists_instruction(instr, rng); },
336 [&rng, this](CALLDATACOPY_Instruction& instr) { mutate_calldatacopy_instruction(instr, rng); },
337 [&rng, this](SENDL2TOL1MSG_Instruction& instr) { mutate_sendl2tol1msg_instruction(instr, rng); },
338 [&rng, this](EMITPUBLICLOG_Instruction& instr) { mutate_emitpubliclog_instruction(instr, rng); },
339 [&rng, this](CALL_Instruction& instr) { mutate_call_instruction(instr, rng); },
340 [&rng, this](RETURNDATASIZE_Instruction& instr) { mutate_returndatasize_instruction(instr, rng); },
341 [&rng, this](RETURNDATACOPY_Instruction& instr) { mutate_returndatacopy_instruction(instr, rng); },
342 [&rng, this](GETCONTRACTINSTANCE_Instruction& instr) {
343 mutate_getcontractinstance_instruction(instr, rng);
344 },
345 [&rng, this](SUCCESSCOPY_Instruction& instr) { mutate_successcopy_instruction(instr, rng); },
346 [&rng, this](ECADD_Instruction& instr) { mutate_ecadd_instruction(instr, rng); },
347 [&rng, this](POSEIDON2PERM_Instruction& instr) { mutate_poseidon2perm_instruction(instr, rng); },
348 [&rng, this](KECCAKF1600_Instruction& instr) { mutate_keccakf1600_instruction(instr, rng); },
349 [&rng, this](SHA256COMPRESSION_Instruction& instr) { mutate_sha256compression_instruction(instr, rng); },
350 [&rng, this](TORADIXBE_Instruction& instr) { mutate_toradixbe_instruction(instr, rng); },
351 [&rng, this](DEBUGLOG_Instruction& instr) { mutate_debuglog_instruction(instr, rng); },
352 [](auto&) { throw std::runtime_error("Unknown instruction"); } },
353 instruction);
354}
355
360
361AddressRef InstructionMutator::generate_address_ref(std::mt19937_64& rng, uint32_t max_operand_value)
362{
363 AddressRef address_ref = AddressRef{ .address = generate_address(rng),
364 .pointer_address_seed = generate_random_uint16(rng),
365 .mode = generate_addressing_mode(rng) };
366 sanitize_address_ref(address_ref, base_offset, max_operand_value);
367 return address_ref;
368}
369
370void InstructionMutator::mutate_address_ref(AddressRef& address, std::mt19937_64& rng, uint32_t max_operand_value)
371{
372 AddressRefMutationOptions option = BASIC_ADDRESS_REF_MUTATION_CONFIGURATION.select(rng);
373 switch (option) {
374 case AddressRefMutationOptions::address:
375 mutate_uint32_t(address.address, rng, BASIC_UINT32_T_MUTATION_CONFIGURATION);
376 break;
377 case AddressRefMutationOptions::pointer_address:
378 mutate_uint16_t(address.pointer_address_seed, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
379 break;
380 case AddressRefMutationOptions::mode:
381 address.mode = generate_addressing_mode(rng);
382 break;
383 }
384 sanitize_address_ref(address, base_offset, max_operand_value);
385}
386
395
397void InstructionMutator::mutate_variable_ref(VariableRef& variable,
398 std::mt19937_64& rng,
399 std::optional<MemoryTag> default_tag)
400{
401 VariableRefMutationOptions option = BASIC_VARIABLE_REF_MUTATION_CONFIGURATION.select(rng);
402 switch (option) {
403 case VariableRefMutationOptions::tag:
404 if (default_tag.has_value()) {
405 mutate_or_default_tag(variable.tag.value, rng, default_tag.value());
406 } else {
407 mutate_memory_tag(variable.tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
408 }
409 break;
410 case VariableRefMutationOptions::index:
411 mutate_uint32_t(variable.index, rng, BASIC_UINT32_T_MUTATION_CONFIGURATION);
412 break;
413 case VariableRefMutationOptions::pointer_address:
414 mutate_uint16_t(variable.pointer_address_seed, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
415 break;
416 case VariableRefMutationOptions::mode:
417 variable.mode = generate_addressing_mode(rng);
418 break;
419 }
420}
421
422std::vector<FuzzInstruction> InstructionMutator::generate_ecadd_instruction(std::mt19937_64& rng)
423{
424 // 80% chance to use backfill (4 out of 5) to increase success rate
425 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
426
427 if (!use_backfill) {
428 // Random mode: use existing memory values (may fail if not valid points on curve)
429 return { ECADD_Instruction{ .p1_x = generate_variable_ref(rng),
430 .p1_y = generate_variable_ref(rng),
431 .p2_x = generate_variable_ref(rng),
432 .p2_y = generate_variable_ref(rng),
433 .result = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
434 }
435
436 // Backfill mode: generate valid points on the Grumpkin curve and SET them
437 // 4 SET instructions (2 points * 4 fields each) + 1 ECADD = 5 instructions
438 std::vector<FuzzInstruction> instructions;
439 instructions.reserve(5);
440
441 // Generate a valid point via scalar multiplication of the generator (always on curve)
442 auto generate_point = [&rng]() {
443 bb::avm2::Fq scalar(generate_random_field(rng));
444 return bb::avm2::EmbeddedCurvePoint::one() * scalar;
445 };
446
447 // Generate SET instructions to backfill a point at the given addresses
448 auto backfill_point = [&instructions](
449 const bb::avm2::EmbeddedCurvePoint& point, AddressRef x_addr, AddressRef y_addr) {
450 instructions.push_back(
451 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = x_addr, .value = point.x() });
452 instructions.push_back(
453 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = y_addr, .value = point.y() });
454 };
455
456 auto p1 = generate_point();
457 auto p2 = generate_point();
458
459 // Generate addresses (SET_FF uses 16-bit, SET_8 uses 8-bit operands)
460 AddressRef p1_x_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
461 AddressRef p1_y_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
462 AddressRef p2_x_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
463 AddressRef p2_y_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
464
465 backfill_point(p1, p1_x_addr, p1_y_addr);
466 backfill_point(p2, p2_x_addr, p2_y_addr);
467
468 instructions.push_back(ECADD_Instruction{ .p1_x = p1_x_addr,
469 .p1_y = p1_y_addr,
470 .p2_x = p2_x_addr,
471 .p2_y = p2_y_addr,
472 .result = generate_address_ref(rng, MAX_16BIT_OPERAND) });
473
474 return instructions;
475}
476
477// Generate binary ALU instruction with optional backfill for matching tagged operands
478template <typename InstructionType>
479std::vector<FuzzInstruction> InstructionMutator::generate_alu_with_matching_tags(std::mt19937_64& rng,
480 uint32_t max_operand)
481{
482 // 80% chance to use backfill (4 out of 5) to increase success rate
483 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
484
485 if (!use_backfill) {
486 return { InstructionType{ .a_address = generate_variable_ref(rng),
487 .b_address = generate_variable_ref(rng),
488 .result_address = generate_address_ref(rng, max_operand) } };
489 }
490
491 auto tag = generate_memory_tag(rng, BASIC_MEMORY_TAG_GENERATION_CONFIGURATION);
492 AddressRef a_addr = generate_address_ref(rng, max_operand);
493 AddressRef b_addr = generate_address_ref(rng, max_operand);
494
495 std::vector<FuzzInstruction> instructions;
496 instructions.push_back(generate_set_for_tag(tag, a_addr, rng));
497 instructions.push_back(generate_set_for_tag(tag, b_addr, rng));
498 instructions.push_back(InstructionType{
499 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
500 return instructions;
501}
502
503// Generate binary ALU instruction with optional backfill for matching non-FF tagged operands
504// Used for bitwise operations (AND, OR, XOR) and integer DIV which don't support FF
505template <typename InstructionType>
506std::vector<FuzzInstruction> InstructionMutator::generate_alu_with_matching_tags_not_ff(std::mt19937_64& rng,
507 uint32_t max_operand)
508{
509 // 80% chance to use backfill (4 out of 5) to increase success rate
510 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
511
512 if (!use_backfill) {
513 return { InstructionType{ .a_address = generate_variable_ref(rng),
514 .b_address = generate_variable_ref(rng),
515 .result_address = generate_address_ref(rng, max_operand) } };
516 }
517
518 // Pick a random non-FF tag (U1, U8, U16, U32, U64, U128)
519 static constexpr std::array<bb::avm2::MemoryTag, 6> int_tags = {
520 bb::avm2::MemoryTag::U1, bb::avm2::MemoryTag::U8, bb::avm2::MemoryTag::U16,
521 bb::avm2::MemoryTag::U32, bb::avm2::MemoryTag::U64, bb::avm2::MemoryTag::U128
522 };
523 auto tag = int_tags[std::uniform_int_distribution<size_t>(0, int_tags.size() - 1)(rng)];
524
525 AddressRef a_addr = generate_address_ref(rng, max_operand);
526 AddressRef b_addr = generate_address_ref(rng, max_operand);
527
528 std::vector<FuzzInstruction> instructions;
529 instructions.push_back(generate_set_for_tag(tag, a_addr, rng));
530 instructions.push_back(generate_set_for_tag(tag, b_addr, rng));
531 instructions.push_back(InstructionType{
532 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
533 return instructions;
534}
535
536std::vector<FuzzInstruction> InstructionMutator::generate_fdiv_instruction(std::mt19937_64& rng, uint32_t max_operand)
537{
538 // 80% chance to use backfill (4 out of 5) to increase success rate
539 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
540
541 if (!use_backfill) {
542 // Random mode: use existing memory values
543 return { FDIV_8_Instruction{ .a_address = generate_variable_ref(rng),
544 .b_address = generate_variable_ref(rng),
545 .result_address = generate_address_ref(rng, max_operand) } };
546 }
547
548 // Backfill mode: generate two non-zero FF values
549 std::vector<FuzzInstruction> instructions;
550 instructions.reserve(3);
551
552 // Generate non-zero field values (avoid division by zero)
553 auto generate_nonzero_field = [&rng]() {
554 bb::avm2::FF value;
555 do {
556 value = generate_random_field(rng);
557 } while (value.is_zero());
558 return value;
559 };
560
561 AddressRef a_addr = generate_address_ref(rng, max_operand);
562 AddressRef b_addr = generate_address_ref(rng, max_operand);
563
564 // SET the dividend (a)
565 instructions.push_back(SET_FF_Instruction{
566 .value_tag = bb::avm2::MemoryTag::FF, .result_address = a_addr, .value = generate_nonzero_field() });
567
568 // SET the divisor (b) - must be non-zero
569 instructions.push_back(SET_FF_Instruction{
570 .value_tag = bb::avm2::MemoryTag::FF, .result_address = b_addr, .value = generate_nonzero_field() });
571
572 // FDIV instruction
573 instructions.push_back(FDIV_8_Instruction{
574 .a_address = a_addr, .b_address = b_addr, .result_address = generate_address_ref(rng, max_operand) });
575
576 return instructions;
577}
578
579std::vector<FuzzInstruction> InstructionMutator::generate_keccakf_instruction(std::mt19937_64& rng)
580{
581 // 80% chance to use backfill (4 out of 5) to increase success rate
582 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
583 if (!use_backfill) {
584 // Random mode
585 return { KECCAKF1600_Instruction{ .src_address = generate_variable_ref(rng),
586 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
587 }
588 // Backfill mode
589 std::vector<FuzzInstruction> instructions;
590
591 // Keccak needs to backfill 25 U64 values, these need be contiguous in memory
592 AddressRef src_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 24);
593 for (size_t i = 0; i < 25; i++) {
594 AddressRef item_address = src_address;
595 item_address.address += static_cast<uint32_t>(i);
596 instructions.push_back(SET_64_Instruction{ .value_tag = bb::avm2::MemoryTag::U64,
597 .result_address = item_address,
598 .value = generate_random_uint64(rng) });
599 }
600 instructions.push_back(KECCAKF1600_Instruction{ .src_address = src_address,
601 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
602 return instructions;
603}
604
605std::vector<FuzzInstruction> InstructionMutator::generate_sha256compression_instruction(std::mt19937_64& rng)
606{
607 // 80% chance to use backfill (4 out of 5) to increase success rate
608 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
609 if (!use_backfill) {
610 // Random mode
611 return { SHA256COMPRESSION_Instruction{ .state_address = generate_variable_ref(rng),
612 .input_address = generate_variable_ref(rng),
613 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
614 }
615 // Backfill mode
616 // SHA256 compression needs 8 U32 values for state and 16 U32 values for input (contiguous)
617 std::vector<FuzzInstruction> instructions;
618 instructions.reserve(8 + 16 + 1);
619
620 // Generate state address (8 contiguous U32 values)
621 AddressRef state_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 7);
622
623 for (size_t i = 0; i < 8; i++) {
624 AddressRef item_address = state_address;
625 item_address.address += static_cast<uint32_t>(i);
626 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
627 .result_address = item_address,
628 .value = generate_random_uint32(rng) });
629 }
630
631 // Generate input address (16 contiguous U32 values)
632 AddressRef input_address = generate_address_ref(rng, MAX_16BIT_OPERAND - 15);
633
634 for (size_t i = 0; i < 16; i++) {
635 AddressRef item_address = input_address;
636 item_address.address += static_cast<uint32_t>(i);
637 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
638 .result_address = item_address,
639 .value = generate_random_uint32(rng) });
640 }
641
642 instructions.push_back(
643 SHA256COMPRESSION_Instruction{ .state_address = state_address,
644 .input_address = input_address,
645 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
646 return instructions;
647}
648
649std::vector<FuzzInstruction> InstructionMutator::generate_toradixbe_instruction(std::mt19937_64& rng)
650{
651 // 80% chance to use backfill (4 out of 5) to increase success rate
652 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
653 if (!use_backfill) {
654 // Random mode
655 return { TORADIXBE_Instruction{ .value_address = generate_variable_ref(rng),
656 .radix_address = generate_variable_ref(rng),
657 .num_limbs_address = generate_variable_ref(rng),
658 .output_bits_address = generate_variable_ref(rng),
659 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
660 .is_output_bits = std::uniform_int_distribution<int>(0, 1)(rng) == 0 } };
661 }
662 // Backfill mode: set up proper typed values
663 // value: FF, radix: U32, num_limbs: U32, output_bits: U1
664 std::vector<FuzzInstruction> instructions;
665 instructions.reserve(5);
666
667 AddressRef value_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
668 AddressRef radix_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
669 AddressRef num_limbs_addr = generate_address_ref(rng, MAX_16BIT_OPERAND);
670 AddressRef output_bits_addr = generate_address_ref(rng, MAX_8BIT_OPERAND);
671
672 // SET the radix (U32) - pick radix between 2 and 256
673 uint32_t radix = std::uniform_int_distribution<uint32_t>(2, 256)(rng);
674 instructions.push_back(
675 SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32, .result_address = radix_addr, .value = radix });
676
677 // SET the output_bits (U1)
678 bool is_output_bits = radix == 2;
679 instructions.push_back(SET_8_Instruction{ .value_tag = bb::avm2::MemoryTag::U1,
680 .result_address = output_bits_addr,
681 .value = static_cast<uint8_t>(is_output_bits ? 1 : 0) });
682
683 // Generate value with num_limbs digits
684 uint32_t num_limbs = std::uniform_int_distribution<uint32_t>(0, 256)(rng);
685 bb::avm2::FF value = 0;
686 bb::avm2::FF exponent = 1;
687 for (uint32_t i = 0; i < num_limbs; i++) {
688 uint32_t digit = std::uniform_int_distribution<uint32_t>(0, radix - 1)(rng);
689 value += bb::avm2::FF(digit) * exponent;
690 exponent *= radix;
691 }
692
693 // 20% chance to truncate - reduce the number of limbs we request or increment the value if we have 0 limbs
694 if (std::uniform_int_distribution<int>(0, 4)(rng) == 0) {
695 if (num_limbs > 0) {
696 num_limbs--;
697 } else {
698 value++;
699 }
700 }
701
702 // SET the num_limbs (U32)
703 instructions.push_back(SET_32_Instruction{
704 .value_tag = bb::avm2::MemoryTag::U32, .result_address = num_limbs_addr, .value = num_limbs });
705
706 // SET the value (FF)
707 instructions.push_back(
708 SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF, .result_address = value_addr, .value = value });
709
710 // TORADIXBE instruction
711 instructions.push_back(TORADIXBE_Instruction{ .value_address = value_addr,
712 .radix_address = radix_addr,
713 .num_limbs_address = num_limbs_addr,
714 .output_bits_address = output_bits_addr,
715 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
716 .is_output_bits = is_output_bits });
717 return instructions;
718}
719
720// A better way in the future is to pass in a vector of possible slots that have been written to,
721// this would allow us to supply external world state info.
722std::vector<FuzzInstruction> InstructionMutator::generate_sload_instruction(std::mt19937_64& rng)
723{
724 // 80% chance to use backfill (4 out of 5) to increase success rate
725 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
726
727 if (!use_backfill) {
728 // Random mode: requires at least one prior SSTORE to have been processed
729 return { SLOAD_Instruction{ .slot_index = generate_random_uint16(rng),
730 .slot_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
731 .contract_address_address = generate_variable_ref(rng),
732 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
733 }
734
735 // Backfill mode: generate SSTORE first to ensure storage_addresses is non-empty
736 // This guarantees SLOAD will find a valid slot (get_slot uses modulo on non-empty vector)
737 std::vector<FuzzInstruction> instructions;
738 instructions.reserve(4);
739
740 AddressRef sstore_src = generate_address_ref(rng, MAX_16BIT_OPERAND);
741
742 // SET a value to store
743 instructions.push_back(SET_FF_Instruction{
744 .value_tag = bb::avm2::MemoryTag::FF, .result_address = sstore_src, .value = generate_random_field(rng) });
745
746 // SSTORE - appends to storage_addresses in memory_manager
747 instructions.push_back(SSTORE_Instruction{ .src_address = sstore_src,
748 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
749 .slot = generate_random_field(rng) });
750
751 // Now set our own contract address
752 AddressRef contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
753 instructions.push_back(
754 GETENVVAR_Instruction{ .result_address = contract_address_address, /* contract address */ .type = 0 });
755
756 // SLOAD - now guaranteed to succeed (storage_addresses not empty, get_slot uses modulo)
757 instructions.push_back(SLOAD_Instruction{ .slot_index = generate_random_uint16(rng),
758 .slot_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
759 .contract_address_address = contract_address_address,
760 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
761
762 return instructions;
763}
764
765std::vector<FuzzInstruction> InstructionMutator::generate_emitpubliclog_instruction(std::mt19937_64& rng)
766{
767 // 80% chance to use backfill (4 out of 5) to increase success rate
768 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
769
770 if (!use_backfill) {
771 return { EMITPUBLICLOG_Instruction{ .log_size_address = generate_variable_ref(rng),
772 .log_values_address = generate_variable_ref(rng) } };
773 }
774
775 uint32_t log_size = std::uniform_int_distribution<uint32_t>(0, FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH)(rng);
776 std::vector<FuzzInstruction> instructions;
777 instructions.reserve(3);
778
779 auto log_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
780 auto log_values_address = generate_address_ref(rng, MAX_16BIT_OPERAND - log_size);
781
782 instructions.push_back(SET_32_Instruction{
783 .value_tag = bb::avm2::MemoryTag::U32, .result_address = log_size_address, .value = log_size });
784
785 // Write one random FF in the log
786 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
787 .result_address = log_values_address,
788 .value = generate_random_field(rng) });
789
790 instructions.push_back(
791 EMITPUBLICLOG_Instruction{ .log_size_address = log_size_address, .log_values_address = log_values_address });
792
793 return instructions;
794}
795
796std::vector<FuzzInstruction> InstructionMutator::generate_call_instruction(std::mt19937_64& rng)
797{
798 // 80% chance to use backfill (4 out of 5) to increase success rate
799 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
800
801 if (!use_backfill) {
802
803 return { CALL_Instruction{ .l2_gas_address = generate_variable_ref(rng),
804 .da_gas_address = generate_variable_ref(rng),
805 .contract_address_address = generate_variable_ref(rng),
806 .calldata_address = generate_variable_ref(rng),
807 .calldata_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
808 .calldata_size = generate_random_uint16(rng),
809 .is_static_call = rng() % 2 == 0 } };
810 }
811
812 std::vector<FuzzInstruction> instructions;
813 instructions.reserve(5);
814
815 auto contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
816 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
817 .result_address = contract_address_address,
818 .value = context.get_contract_address(generate_random_uint16(rng)) });
819
820 auto l2_gas_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
821 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
822 .result_address = l2_gas_address,
823 .value = generate_random_uint32(rng) });
824
825 auto da_gas_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
826 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
827 .result_address = da_gas_address,
828 .value = generate_random_uint32(rng) });
829
830 auto calldata_size = generate_random_uint16(rng);
831 auto calldata_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
832
833 auto calldata_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
834 // Write one random FF in the calldata
835 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
836 .result_address = calldata_address,
837 .value = generate_random_field(rng) });
838
839 instructions.push_back(CALL_Instruction{ .l2_gas_address = l2_gas_address,
840 .da_gas_address = da_gas_address,
841 .contract_address_address = contract_address_address,
842 .calldata_address = calldata_address,
843 .calldata_size_address = calldata_size_address,
844 .calldata_size = calldata_size,
845 .is_static_call = rng() % 2 == 0 });
846
847 return instructions;
848}
849
850std::vector<FuzzInstruction> InstructionMutator::generate_getcontractinstance_instruction(std::mt19937_64& rng)
851{
852 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
853 if (!use_backfill) {
854 return { GETCONTRACTINSTANCE_Instruction{
855 .contract_address_address = generate_variable_ref(rng),
856 .member_enum = generate_random_uint8(rng),
857 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
858 } };
859 }
860
861 std::vector<FuzzInstruction> instructions;
862 instructions.reserve(2);
863
864 auto contract_address_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
865 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
866 .result_address = contract_address_address,
867 .value = context.get_contract_address(generate_random_uint16(rng)) });
868 uint8_t member_enum = std::uniform_int_distribution<uint8_t>(0, 2)(rng);
869
870 instructions.push_back(GETCONTRACTINSTANCE_Instruction{
871 .contract_address_address = contract_address_address,
872 .member_enum = member_enum,
873 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND),
874 });
875
876 return instructions;
877}
878
879std::vector<FuzzInstruction> InstructionMutator::generate_notehashexists_instruction(std::mt19937_64& rng)
880{
881 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
882 if (!use_backfill) {
883 return { NOTEHASHEXISTS_Instruction{ .notehash_address = generate_variable_ref(rng),
884 .leaf_index_address = generate_variable_ref(rng),
885 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
886 }
887 auto existing_note_hash = context.get_existing_note_hash(generate_random_uint16(rng));
888 FF note_hash = existing_note_hash.has_value() ? existing_note_hash.value().first : generate_random_field(rng);
889 uint64_t leaf_index =
890 existing_note_hash.has_value() ? existing_note_hash.value().second : generate_random_uint64(rng);
891 AddressRef note_hash_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
892 AddressRef leaf_index_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
893
894 std::vector<FuzzInstruction> instructions;
895 instructions.reserve(3);
896
897 instructions.push_back(SET_FF_Instruction{
898 .value_tag = bb::avm2::MemoryTag::FF, .result_address = note_hash_address, .value = note_hash });
899 instructions.push_back(SET_64_Instruction{
900 .value_tag = bb::avm2::MemoryTag::U64, .result_address = leaf_index_address, .value = leaf_index });
901
902 instructions.push_back(
903 NOTEHASHEXISTS_Instruction{ .notehash_address = note_hash_address,
904 .leaf_index_address = leaf_index_address,
905 .result_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
906
907 return instructions;
908}
909
910std::vector<FuzzInstruction> InstructionMutator::generate_returndatasize_instruction(std::mt19937_64& rng)
911{
912 return { RETURNDATASIZE_Instruction{ .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
913}
914
915std::vector<FuzzInstruction> InstructionMutator::generate_returndatacopy_instruction(std::mt19937_64& rng)
916{
917 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
918 if (!use_backfill) {
919 return { RETURNDATACOPY_Instruction{ .copy_size_address = generate_variable_ref(rng),
920 .rd_offset_address = generate_variable_ref(rng),
921 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
922 }
923 std::vector<FuzzInstruction> instructions;
924 instructions.reserve(3);
925 auto copy_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
926 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
927 .result_address = copy_size_address,
928 // We generate small sizes so we fail less often due to gas
929 // Mutations might change this to a larger value.
930 .value = generate_random_uint8(rng) });
931
932 auto rd_offset_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
933 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
934 .result_address = rd_offset_address,
935 .value = generate_random_uint8(rng) });
936
937 instructions.push_back(RETURNDATACOPY_Instruction{ .copy_size_address = copy_size_address,
938 .rd_offset_address = rd_offset_address,
939 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
940
941 return instructions;
942}
943
944std::vector<FuzzInstruction> InstructionMutator::generate_calldatacopy_instruction(std::mt19937_64& rng)
945{
946 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
947 if (!use_backfill) {
948 return { CALLDATACOPY_Instruction{ .copy_size_address = generate_variable_ref(rng),
949 .cd_offset_address = generate_variable_ref(rng),
950 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) } };
951 }
952 std::vector<FuzzInstruction> instructions;
953 instructions.reserve(3);
954 auto copy_size_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
955 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
956 .result_address = copy_size_address,
957 // We generate small sizes so we fail less often due to gas
958 // Mutations might change this to a larger value.
959 .value = generate_random_uint8(rng) });
960
961 auto cd_offset_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
962 instructions.push_back(SET_32_Instruction{ .value_tag = bb::avm2::MemoryTag::U32,
963 .result_address = cd_offset_address,
964 .value = generate_random_uint8(rng) });
965
966 instructions.push_back(CALLDATACOPY_Instruction{ .copy_size_address = copy_size_address,
967 .cd_offset_address = cd_offset_address,
968 .dst_address = generate_address_ref(rng, MAX_16BIT_OPERAND) });
969
970 return instructions;
971}
972
973std::vector<FuzzInstruction> InstructionMutator::generate_sendl2tol1msg_instruction(std::mt19937_64& rng)
974{
975 bool use_backfill = std::uniform_int_distribution<int>(0, 4)(rng) != 0;
976 if (!use_backfill) {
977 return { SENDL2TOL1MSG_Instruction{ .recipient_address = generate_variable_ref(rng),
978 .content_address = generate_variable_ref(rng) } };
979 }
980 std::vector<FuzzInstruction> instructions;
981 instructions.reserve(3);
982
983 auto recipient_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
984 instructions.push_back(SET_FF_Instruction{ .value_tag = bb::avm2::MemoryTag::FF,
985 .result_address = recipient_address,
986 .value = generate_random_eth_address(rng) });
987
988 auto content_address = generate_address_ref(rng, MAX_16BIT_OPERAND);
989 instructions.push_back(SET_FF_Instruction{
990 .value_tag = bb::avm2::MemoryTag::FF, .result_address = content_address, .value = generate_random_field(rng) });
991
992 instructions.push_back(
993 SENDL2TOL1MSG_Instruction{ .recipient_address = recipient_address, .content_address = content_address });
994
995 return instructions;
996}
997
998void InstructionMutator::mutate_param_ref(ParamRef& param,
999 std::mt19937_64& rng,
1000 std::optional<MemoryTag> default_tag,
1001 uint32_t max_operand_value)
1002{
1003 std::visit(overloaded{ [&](VariableRef& var) { mutate_variable_ref(var, rng, default_tag); },
1004 [&](AddressRef& addr) { mutate_address_ref(addr, rng, max_operand_value); } },
1005 param);
1006}
1007
1008template <typename BinaryInstructionType>
1009void InstructionMutator::mutate_binary_instruction_8(BinaryInstructionType& instruction, std::mt19937_64& rng)
1010{
1011 BinaryInstruction8MutationOptions option = BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION.select(rng);
1012 switch (option) {
1013 case BinaryInstruction8MutationOptions::a_address:
1014 mutate_param_ref(instruction.a_address, rng, std::nullopt, MAX_8BIT_OPERAND);
1015 break;
1016 case BinaryInstruction8MutationOptions::b_address:
1017 mutate_param_ref(instruction.b_address, rng, get_param_ref_tag(instruction.a_address), MAX_8BIT_OPERAND);
1018 break;
1019 case BinaryInstruction8MutationOptions::result_address:
1020 mutate_address_ref(instruction.result_address, rng, MAX_8BIT_OPERAND);
1021 break;
1022 }
1023}
1024
1025template <typename BinaryInstructionType>
1026void InstructionMutator::mutate_binary_instruction_16(BinaryInstructionType& instruction, std::mt19937_64& rng)
1027{
1028 BinaryInstruction8MutationOptions option = BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION.select(rng);
1029 switch (option) {
1030 case BinaryInstruction8MutationOptions::a_address:
1031 mutate_param_ref(instruction.a_address, rng, std::nullopt, MAX_16BIT_OPERAND);
1032 break;
1033 case BinaryInstruction8MutationOptions::b_address:
1034 mutate_param_ref(instruction.b_address, rng, get_param_ref_tag(instruction.a_address), MAX_16BIT_OPERAND);
1035 break;
1036 case BinaryInstruction8MutationOptions::result_address:
1037 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1038 break;
1039 }
1040}
1041
1054
1070
1086
1102
1118
1137
1153
1154void InstructionMutator::mutate_mov_8_instruction(MOV_8_Instruction& instruction, std::mt19937_64& rng)
1155{
1156 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
1157 switch (choice) {
1158 case 0:
1159 mutate_memory_tag(instruction.value_tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
1160 break;
1161 case 1:
1162 mutate_param_ref(instruction.src_address, rng, std::nullopt, MAX_8BIT_OPERAND);
1163 break;
1164 case 2:
1165 mutate_address_ref(instruction.result_address, rng, MAX_8BIT_OPERAND);
1166 break;
1167 }
1168}
1169
1170void InstructionMutator::mutate_mov_16_instruction(MOV_16_Instruction& instruction, std::mt19937_64& rng)
1171{
1172 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
1173 switch (choice) {
1174 case 0:
1175 mutate_memory_tag(instruction.value_tag.value, rng, BASIC_MEMORY_TAG_MUTATION_CONFIGURATION);
1176 break;
1177 case 1:
1178 mutate_param_ref(instruction.src_address, rng, std::nullopt, MAX_16BIT_OPERAND);
1179 break;
1180 case 2:
1181 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1182 break;
1183 }
1184}
1185
1198
1214
1230
1231void InstructionMutator::mutate_sstore_instruction(SSTORE_Instruction& instruction, std::mt19937_64& rng)
1232{
1233 SStoreMutationOptions option = BASIC_SSTORE_MUTATION_CONFIGURATION.select(rng);
1234 switch (option) {
1235 case SStoreMutationOptions::src_address:
1236 mutate_param_ref(instruction.src_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1237 break;
1238 case SStoreMutationOptions::result_address:
1239 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1240 break;
1241 case SStoreMutationOptions::slot:
1242 mutate_field(instruction.slot, rng, BASIC_FIELD_MUTATION_CONFIGURATION);
1243 break;
1244 }
1245}
1246
1247void InstructionMutator::mutate_sload_instruction(SLOAD_Instruction& instruction, std::mt19937_64& rng)
1248{
1249 SLoadMutationOptions option = BASIC_SLOAD_MUTATION_CONFIGURATION.select(rng);
1250 switch (option) {
1251 case SLoadMutationOptions::slot_index:
1252 mutate_uint16_t(instruction.slot_index, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
1253 break;
1254 case SLoadMutationOptions::slot_address:
1255 mutate_address_ref(instruction.slot_address, rng, MAX_16BIT_OPERAND);
1256 break;
1257 case SLoadMutationOptions::contract_address_address:
1258 mutate_param_ref(instruction.contract_address_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1259 break;
1260 case SLoadMutationOptions::result_address:
1261 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1262 break;
1263 }
1264}
1265
1266void InstructionMutator::mutate_getenvvar_instruction(GETENVVAR_Instruction& instruction, std::mt19937_64& rng)
1267{
1268 GetEnvVarMutationOptions option = BASIC_GETENVVAR_MUTATION_CONFIGURATION.select(rng);
1269 switch (option) {
1270 case GetEnvVarMutationOptions::result_address:
1271 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1272 break;
1273 case GetEnvVarMutationOptions::type:
1274 instruction.type = generate_envvar_type(rng);
1275 break;
1276 }
1277}
1278
1279void InstructionMutator::mutate_emit_nullifier_instruction(EMITNULLIFIER_Instruction& instruction, std::mt19937_64& rng)
1280{
1281 // emitnulifier only has one field
1282
1283 mutate_param_ref(instruction.nullifier_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1284}
1285
1299
1300void InstructionMutator::mutate_l1tol2msgexists_instruction(L1TOL2MSGEXISTS_Instruction& instruction,
1301 std::mt19937_64& rng)
1302{
1303 L1ToL2MsgExistsMutationOptions option = BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION.select(rng);
1304 switch (option) {
1305 case L1ToL2MsgExistsMutationOptions::msg_hash_address:
1306 mutate_param_ref(instruction.msg_hash_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1307 break;
1308 case L1ToL2MsgExistsMutationOptions::leaf_index_address:
1309 mutate_param_ref(instruction.leaf_index_address, rng, MemoryTag::U64, MAX_16BIT_OPERAND);
1310 break;
1311 case L1ToL2MsgExistsMutationOptions::result_address:
1312 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1313 break;
1314 }
1315}
1316
1329void InstructionMutator::mutate_note_hash_exists_instruction(NOTEHASHEXISTS_Instruction& instruction,
1330 std::mt19937_64& rng)
1331{
1332 NoteHashExistsMutationOptions option = BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION.select(rng);
1333 switch (option) {
1334 case NoteHashExistsMutationOptions::notehash_address:
1335 mutate_param_ref(instruction.notehash_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1336 break;
1337 case NoteHashExistsMutationOptions::leaf_index_address:
1338 mutate_param_ref(instruction.leaf_index_address, rng, MemoryTag::U64, MAX_16BIT_OPERAND);
1339 break;
1340 case NoteHashExistsMutationOptions::result_address:
1341 mutate_address_ref(instruction.result_address, rng, MAX_16BIT_OPERAND);
1342 break;
1343 }
1344}
1345
1346void InstructionMutator::mutate_calldatacopy_instruction(CALLDATACOPY_Instruction& instruction, std::mt19937_64& rng)
1347{
1348 CalldataCopyMutationOptions option = BASIC_CALLDATACOPY_MUTATION_CONFIGURATION.select(rng);
1349 switch (option) {
1350 case CalldataCopyMutationOptions::copy_size_address:
1351 mutate_param_ref(instruction.copy_size_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1352 break;
1353 case CalldataCopyMutationOptions::cd_offset_address:
1354 mutate_param_ref(instruction.cd_offset_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1355 break;
1356 case CalldataCopyMutationOptions::dst_address:
1357 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1358 break;
1359 }
1360}
1361
1374
1387
1388void InstructionMutator::mutate_call_instruction(CALL_Instruction& instruction, std::mt19937_64& rng)
1389{
1390 CallMutationOptions option = BASIC_CALL_MUTATION_CONFIGURATION.select(rng);
1391 switch (option) {
1392 case CallMutationOptions::l2_gas_address:
1393 mutate_param_ref(instruction.l2_gas_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1394 break;
1395 case CallMutationOptions::da_gas_address:
1396 mutate_param_ref(instruction.da_gas_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1397 break;
1398 case CallMutationOptions::contract_address_address:
1399 mutate_param_ref(instruction.contract_address_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1400 break;
1401 case CallMutationOptions::calldata_size_address:
1402 mutate_address_ref(instruction.calldata_size_address, rng, MAX_16BIT_OPERAND);
1403 break;
1404 case CallMutationOptions::calldata_size:
1405 mutate_uint16_t(instruction.calldata_size, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
1406 break;
1407 case CallMutationOptions::calldata_address:
1408 mutate_param_ref(instruction.calldata_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1409 break;
1410 case CallMutationOptions::is_static_call:
1411 // with 0.5 probability, set to true, otherwise false
1412 instruction.is_static_call = rng() % 2 == 0;
1413 }
1414}
1415
1421
1422void InstructionMutator::mutate_returndatacopy_instruction(RETURNDATACOPY_Instruction& instruction,
1423 std::mt19937_64& rng)
1424{
1425 ReturndataCopyMutationOptions option = BASIC_RETURNDATACOPY_MUTATION_CONFIGURATION.select(rng);
1426 switch (option) {
1427 case ReturndataCopyMutationOptions::copy_size_address:
1428 mutate_param_ref(instruction.copy_size_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1429 break;
1430 case ReturndataCopyMutationOptions::rd_offset_address:
1431 mutate_param_ref(instruction.rd_offset_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1432 break;
1433 case ReturndataCopyMutationOptions::dst_address:
1434 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1435 break;
1436 }
1437}
1438
1455
1465
1466void InstructionMutator::mutate_ecadd_instruction(ECADD_Instruction& instruction, std::mt19937_64& rng)
1467{
1468 // ECADD has 5 operands, select one to mutate
1469 int choice = std::uniform_int_distribution<int>(0, 4)(rng);
1470 switch (choice) {
1471 case 0:
1472 mutate_param_ref(instruction.p1_x, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1473 break;
1474 case 1:
1475 mutate_param_ref(instruction.p1_y, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1476 break;
1477 case 2:
1478 mutate_param_ref(instruction.p2_x, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1479 break;
1480 case 3:
1481 mutate_param_ref(instruction.p2_y, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1482 break;
1483 case 4:
1484 mutate_address_ref(instruction.result, rng, MAX_16BIT_OPERAND);
1485 break;
1486 }
1487}
1488
1489void InstructionMutator::mutate_poseidon2perm_instruction(POSEIDON2PERM_Instruction& instruction, std::mt19937_64& rng)
1490{
1491 int choice = std::uniform_int_distribution<int>(0, 1)(rng);
1492 switch (choice) {
1493 case 0:
1494 mutate_param_ref(instruction.src_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1495 break;
1496 case 1:
1497 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1498 break;
1499 }
1500}
1501
1502void InstructionMutator::mutate_keccakf1600_instruction(KECCAKF1600_Instruction& instruction, std::mt19937_64& rng)
1503{
1504 int choice = std::uniform_int_distribution<int>(0, 1)(rng);
1505 switch (choice) {
1506 case 0:
1507 mutate_param_ref(instruction.src_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1508 break;
1509 case 1:
1510 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1511 break;
1512 }
1513}
1514
1515void InstructionMutator::mutate_sha256compression_instruction(SHA256COMPRESSION_Instruction& instruction,
1516 std::mt19937_64& rng)
1517{
1518 int choice = std::uniform_int_distribution<int>(0, 2)(rng);
1519 switch (choice) {
1520 case 0:
1521 mutate_param_ref(instruction.state_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1522 break;
1523 case 1:
1524 mutate_param_ref(instruction.input_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1525 break;
1526 case 2:
1527 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1528 break;
1529 }
1530}
1531
1532void InstructionMutator::mutate_toradixbe_instruction(TORADIXBE_Instruction& instruction, std::mt19937_64& rng)
1533{
1534 ToRadixBEMutationOptions option = BASIC_TORADIXBE_MUTATION_CONFIGURATION.select(rng);
1535 switch (option) {
1536 case ToRadixBEMutationOptions::value_address:
1537 mutate_param_ref(instruction.value_address, rng, MemoryTag::FF, MAX_16BIT_OPERAND);
1538 break;
1539 case ToRadixBEMutationOptions::radix_address:
1540 mutate_param_ref(instruction.radix_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1541 break;
1542 case ToRadixBEMutationOptions::num_limbs_address:
1543 mutate_param_ref(instruction.num_limbs_address, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1544 break;
1545 case ToRadixBEMutationOptions::output_bits_address:
1546 mutate_param_ref(instruction.output_bits_address, rng, MemoryTag::U1, MAX_16BIT_OPERAND);
1547 break;
1548 case ToRadixBEMutationOptions::dst_address:
1549 mutate_address_ref(instruction.dst_address, rng, MAX_16BIT_OPERAND);
1550 break;
1551 case ToRadixBEMutationOptions::is_output_bits:
1552 instruction.is_output_bits = !instruction.is_output_bits;
1553 break;
1554 }
1555}
1556
1557void InstructionMutator::mutate_debuglog_instruction(DEBUGLOG_Instruction& instruction, std::mt19937_64& rng)
1558{
1559 DebugLogMutationOptions option = BASIC_DEBUGLOG_MUTATION_CONFIGURATION.select(rng);
1560 switch (option) {
1561 case DebugLogMutationOptions::level_offset:
1562 mutate_param_ref(instruction.level_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1563 break;
1564 case DebugLogMutationOptions::message_offset:
1565 mutate_param_ref(instruction.message_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1566 break;
1567 case DebugLogMutationOptions::fields_offset:
1568 mutate_param_ref(instruction.fields_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1569 break;
1570 case DebugLogMutationOptions::fields_size_offset:
1571 mutate_param_ref(instruction.fields_size_offset, rng, MemoryTag::U32, MAX_16BIT_OPERAND);
1572 break;
1573 case DebugLogMutationOptions::message_size:
1574 mutate_uint16_t(instruction.message_size, rng, BASIC_UINT16_T_MUTATION_CONFIGURATION);
1575 break;
1576 }
1577}
1578
1579} // namespace bb::avm2::fuzzer
FuzzInstruction
::FuzzInstruction FuzzInstruction
Definition avm_differential.fuzzer.cpp:17
generate_random_field
FF generate_random_field(std::mt19937_64 &rng)
Definition field.cpp:25
mutate_field
void mutate_field(bb::avm2::FF &value, std::mt19937_64 &rng, const FieldMutationConfig &config)
Definition field.cpp:99
field.hpp
FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH
#define FLAT_PUBLIC_LOGS_PAYLOAD_LENGTH
Definition aztec_constants.hpp:30
AVM_HIGHEST_MEM_ADDRESS
#define AVM_HIGHEST_MEM_ADDRESS
Definition aztec_constants.hpp:44
WeightedSelectionConfig::select
T select(std::mt19937_64 &rng) const
Definition weighted_selection.hpp:33
bb::avm2::StandardAffinePoint::x
constexpr const BaseField & x() const noexcept
Definition standard_affine_point.hpp:78
bb::avm2::StandardAffinePoint::y
constexpr const BaseField & y() const noexcept
Definition standard_affine_point.hpp:80
bb::avm2::fuzzer::InstructionMutator::generate_getcontractinstance_instruction
std::vector< FuzzInstruction > generate_getcontractinstance_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:850
bb::avm2::fuzzer::InstructionMutator::mutate_set_ff_instruction
void mutate_set_ff_instruction(SET_FF_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1138
bb::avm2::fuzzer::InstructionMutator::mutate_sha256compression_instruction
void mutate_sha256compression_instruction(SHA256COMPRESSION_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1515
bb::avm2::fuzzer::InstructionMutator::mutate_l1tol2msgexists_instruction
void mutate_l1tol2msgexists_instruction(L1TOL2MSGEXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1300
bb::avm2::fuzzer::InstructionMutator::mutate_returndatasize_instruction
void mutate_returndatasize_instruction(RETURNDATASIZE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1416
bb::avm2::fuzzer::InstructionMutator::mutate_emit_note_hash_instruction
void mutate_emit_note_hash_instruction(EMITNOTEHASH_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1317
bb::avm2::fuzzer::InstructionMutator::mutate_set_16_instruction
void mutate_set_16_instruction(SET_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1071
bb::avm2::fuzzer::InstructionMutator::mutate_mov_16_instruction
void mutate_mov_16_instruction(MOV_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1170
bb::avm2::fuzzer::InstructionMutator::mutate_not_8_instruction
void mutate_not_8_instruction(NOT_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1042
bb::avm2::fuzzer::InstructionMutator::mutate_mov_8_instruction
void mutate_mov_8_instruction(MOV_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1154
bb::avm2::fuzzer::InstructionMutator::mutate_binary_instruction_16
void mutate_binary_instruction_16(BinaryInstructionType &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1026
bb::avm2::fuzzer::InstructionMutator::generate_variable_ref
VariableRef generate_variable_ref(std::mt19937_64 &rng)
Definition instruction.cpp:387
bb::avm2::fuzzer::InstructionMutator::generate_alu_with_matching_tags
std::vector< FuzzInstruction > generate_alu_with_matching_tags(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:479
bb::avm2::fuzzer::InstructionMutator::generate_call_instruction
std::vector< FuzzInstruction > generate_call_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:796
bb::avm2::fuzzer::InstructionMutator::generate_fdiv_instruction
std::vector< FuzzInstruction > generate_fdiv_instruction(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:536
bb::avm2::fuzzer::InstructionMutator::mutate_getenvvar_instruction
void mutate_getenvvar_instruction(GETENVVAR_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1266
bb::avm2::fuzzer::InstructionMutator::generate_sload_instruction
std::vector< FuzzInstruction > generate_sload_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:722
bb::avm2::fuzzer::InstructionMutator::generate_toradixbe_instruction
std::vector< FuzzInstruction > generate_toradixbe_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:649
bb::avm2::fuzzer::InstructionMutator::mutate_not_16_instruction
void mutate_not_16_instruction(NOT_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1186
bb::avm2::fuzzer::InstructionMutator::generate_addressing_mode
AddressingMode generate_addressing_mode(std::mt19937_64 &rng)
Definition instruction.cpp:356
bb::avm2::fuzzer::InstructionMutator::mutate_successcopy_instruction
void mutate_successcopy_instruction(SUCCESSCOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1456
bb::avm2::fuzzer::InstructionMutator::mutate_calldatacopy_instruction
void mutate_calldatacopy_instruction(CALLDATACOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1346
bb::avm2::fuzzer::InstructionMutator::mutate_sload_instruction
void mutate_sload_instruction(SLOAD_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1247
bb::avm2::fuzzer::InstructionMutator::mutate_emit_nullifier_instruction
void mutate_emit_nullifier_instruction(EMITNULLIFIER_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1279
bb::avm2::fuzzer::InstructionMutator::generate_keccakf_instruction
std::vector< FuzzInstruction > generate_keccakf_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:579
bb::avm2::fuzzer::InstructionMutator::mutate_sstore_instruction
void mutate_sstore_instruction(SSTORE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1231
bb::avm2::fuzzer::InstructionMutator::mutate_binary_instruction_8
void mutate_binary_instruction_8(BinaryInstructionType &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1009
bb::avm2::fuzzer::InstructionMutator::generate_instruction
std::vector< FuzzInstruction > generate_instruction(std::mt19937_64 &rng)
Generate one instruction and optionally backfill.
Definition instruction.cpp:98
bb::avm2::fuzzer::InstructionMutator::mutate_set_32_instruction
void mutate_set_32_instruction(SET_32_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1087
bb::avm2::fuzzer::InstructionMutator::generate_sendl2tol1msg_instruction
std::vector< FuzzInstruction > generate_sendl2tol1msg_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:973
bb::avm2::fuzzer::InstructionMutator::mutate_sendl2tol1msg_instruction
void mutate_sendl2tol1msg_instruction(SENDL2TOL1MSG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1362
bb::avm2::fuzzer::InstructionMutator::generate_calldatacopy_instruction
std::vector< FuzzInstruction > generate_calldatacopy_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:944
bb::avm2::fuzzer::InstructionMutator::mutate_nullifier_exists_instruction
void mutate_nullifier_exists_instruction(NULLIFIEREXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1286
bb::avm2::fuzzer::InstructionMutator::mutate_note_hash_exists_instruction
void mutate_note_hash_exists_instruction(NOTEHASHEXISTS_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1329
bb::avm2::fuzzer::InstructionMutator::mutate_toradixbe_instruction
void mutate_toradixbe_instruction(TORADIXBE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1532
bb::avm2::fuzzer::InstructionMutator::mutate_call_instruction
void mutate_call_instruction(CALL_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1388
bb::avm2::fuzzer::InstructionMutator::mutate_set_128_instruction
void mutate_set_128_instruction(SET_128_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1119
bb::avm2::fuzzer::InstructionMutator::mutate_instruction
void mutate_instruction(FuzzInstruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:286
bb::avm2::fuzzer::InstructionMutator::generate_returndatacopy_instruction
std::vector< FuzzInstruction > generate_returndatacopy_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:915
bb::avm2::fuzzer::InstructionMutator::mutate_debuglog_instruction
void mutate_debuglog_instruction(DEBUGLOG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1557
bb::avm2::fuzzer::InstructionMutator::mutate_keccakf1600_instruction
void mutate_keccakf1600_instruction(KECCAKF1600_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1502
bb::avm2::fuzzer::InstructionMutator::mutate_address_ref
void mutate_address_ref(AddressRef &address, std::mt19937_64 &rng, uint32_t max_operand_value)
Definition instruction.cpp:370
bb::avm2::fuzzer::InstructionMutator::mutate_variable_ref
void mutate_variable_ref(VariableRef &variable, std::mt19937_64 &rng, std::optional< MemoryTag > default_tag)
Most of the tags will be equal to the default tag.
Definition instruction.cpp:397
bb::avm2::fuzzer::InstructionMutator::mutate_cast_8_instruction
void mutate_cast_8_instruction(CAST_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1199
bb::avm2::fuzzer::InstructionMutator::mutate_set_64_instruction
void mutate_set_64_instruction(SET_64_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1103
bb::avm2::fuzzer::InstructionMutator::mutate_getcontractinstance_instruction
void mutate_getcontractinstance_instruction(GETCONTRACTINSTANCE_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1439
bb::avm2::fuzzer::InstructionMutator::generate_sha256compression_instruction
std::vector< FuzzInstruction > generate_sha256compression_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:605
bb::avm2::fuzzer::InstructionMutator::generate_emitpubliclog_instruction
std::vector< FuzzInstruction > generate_emitpubliclog_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:765
bb::avm2::fuzzer::InstructionMutator::mutate_ecadd_instruction
void mutate_ecadd_instruction(ECADD_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1466
bb::avm2::fuzzer::InstructionMutator::mutate_returndatacopy_instruction
void mutate_returndatacopy_instruction(RETURNDATACOPY_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1422
bb::avm2::fuzzer::InstructionMutator::mutate_cast_16_instruction
void mutate_cast_16_instruction(CAST_16_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1215
bb::avm2::fuzzer::InstructionMutator::mutate_set_8_instruction
void mutate_set_8_instruction(SET_8_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1055
bb::avm2::fuzzer::InstructionMutator::generate_returndatasize_instruction
std::vector< FuzzInstruction > generate_returndatasize_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:910
bb::avm2::fuzzer::InstructionMutator::generate_address_ref
AddressRef generate_address_ref(std::mt19937_64 &rng, uint32_t max_operand_value)
Definition instruction.cpp:361
bb::avm2::fuzzer::InstructionMutator::generate_ecadd_instruction
std::vector< FuzzInstruction > generate_ecadd_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:422
bb::avm2::fuzzer::InstructionMutator::mutate_poseidon2perm_instruction
void mutate_poseidon2perm_instruction(POSEIDON2PERM_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1489
bb::avm2::fuzzer::InstructionMutator::generate_alu_with_matching_tags_not_ff
std::vector< FuzzInstruction > generate_alu_with_matching_tags_not_ff(std::mt19937_64 &rng, uint32_t max_operand)
Definition instruction.cpp:506
bb::avm2::fuzzer::InstructionMutator::mutate_emitpubliclog_instruction
void mutate_emitpubliclog_instruction(EMITPUBLICLOG_Instruction &instruction, std::mt19937_64 &rng)
Definition instruction.cpp:1375
bb::avm2::fuzzer::InstructionMutator::mutate_param_ref
void mutate_param_ref(ParamRef &param, std::mt19937_64 &rng, std::optional< MemoryTag > default_tag, uint32_t max_operand_value)
Definition instruction.cpp:998
bb::avm2::fuzzer::InstructionMutator::generate_notehashexists_instruction
std::vector< FuzzInstruction > generate_notehashexists_instruction(std::mt19937_64 &rng)
Definition instruction.cpp:879
Set32MutationOptions
Set32MutationOptions
Definition configuration.hpp:176
BASIC_SET_128_MUTATION_CONFIGURATION
constexpr Set128MutationConfig BASIC_SET_128_MUTATION_CONFIGURATION
Definition configuration.hpp:200
BASIC_ADDRESS_REF_MUTATION_CONFIGURATION
constexpr AddressRefMutationConfig BASIC_ADDRESS_REF_MUTATION_CONFIGURATION
Definition configuration.hpp:129
Set64MutationOptions
Set64MutationOptions
Definition configuration.hpp:186
BASIC_SLOAD_MUTATION_CONFIGURATION
constexpr SLoadMutationConfig BASIC_SLOAD_MUTATION_CONFIGURATION
Definition configuration.hpp:367
BASIC_GETENVVAR_MUTATION_CONFIGURATION
constexpr GetEnvVarMutationConfig BASIC_GETENVVAR_MUTATION_CONFIGURATION
Definition configuration.hpp:377
BASIC_SET_16_MUTATION_CONFIGURATION
constexpr Set16MutationConfig BASIC_SET_16_MUTATION_CONFIGURATION
Definition configuration.hpp:170
L1ToL2MsgExistsMutationOptions
L1ToL2MsgExistsMutationOptions
Definition configuration.hpp:390
ReturndataCopyMutationOptions
ReturndataCopyMutationOptions
Definition configuration.hpp:466
BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION
constexpr NoteHashExistsMutationConfig BASIC_NOTEHASHEXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:410
NoteHashExistsMutationOptions
NoteHashExistsMutationOptions
Definition configuration.hpp:407
BASIC_TORADIXBE_MUTATION_CONFIGURATION
constexpr ToRadixBEMutationConfig BASIC_TORADIXBE_MUTATION_CONFIGURATION
Definition configuration.hpp:502
EmitPublicLogMutationOptions
EmitPublicLogMutationOptions
Definition configuration.hpp:437
BASIC_SET_64_MUTATION_CONFIGURATION
constexpr Set64MutationConfig BASIC_SET_64_MUTATION_CONFIGURATION
Definition configuration.hpp:190
EmitNoteHashMutationOptions
EmitNoteHashMutationOptions
Definition configuration.hpp:399
CallMutationOptions
CallMutationOptions
Definition configuration.hpp:445
SetFFMutationOptions
SetFFMutationOptions
Definition configuration.hpp:207
BASIC_MEMORY_TAG_GENERATION_CONFIGURATION
constexpr MemoryTagGenerationConfig BASIC_MEMORY_TAG_GENERATION_CONFIGURATION
Definition configuration.hpp:96
SuccessCopyMutationOptions
SuccessCopyMutationOptions
Definition configuration.hpp:485
BASIC_DEBUGLOG_MUTATION_CONFIGURATION
constexpr DebugLogMutationConfig BASIC_DEBUGLOG_MUTATION_CONFIGURATION
Definition configuration.hpp:514
BASIC_UINT64_T_MUTATION_CONFIGURATION
constexpr Uint64MutationConfig BASIC_UINT64_T_MUTATION_CONFIGURATION
Definition configuration.hpp:62
Set8MutationOptions
Set8MutationOptions
Definition configuration.hpp:156
Set16MutationOptions
Set16MutationOptions
Definition configuration.hpp:166
BASIC_CALLDATACOPY_MUTATION_CONFIGURATION
constexpr CalldataCopyMutationConfig BASIC_CALLDATACOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:423
BASIC_GETCONTRACTINSTANCE_MUTATION_CONFIGURATION
constexpr GetContractInstanceMutationConfig BASIC_GETCONTRACTINSTANCE_MUTATION_CONFIGURATION
Definition configuration.hpp:478
InstructionGenerationOptions
InstructionGenerationOptions
Definition configuration.hpp:227
BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION
constexpr L1ToL2MsgExistsMutationConfig BASIC_L1TOL2MSGEXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:393
BASIC_UINT32_T_MUTATION_CONFIGURATION
constexpr Uint32MutationConfig BASIC_UINT32_T_MUTATION_CONFIGURATION
Definition configuration.hpp:54
BASIC_UNARY_INSTRUCTION_8_MUTATION_CONFIGURATION
constexpr UnaryInstruction8MutationConfig BASIC_UNARY_INSTRUCTION_8_MUTATION_CONFIGURATION
Definition configuration.hpp:139
SStoreMutationOptions
SStoreMutationOptions
Definition configuration.hpp:355
BASIC_SET_FF_MUTATION_CONFIGURATION
constexpr SetFFMutationConfig BASIC_SET_FF_MUTATION_CONFIGURATION
Definition configuration.hpp:211
BASIC_SET_32_MUTATION_CONFIGURATION
constexpr Set32MutationConfig BASIC_SET_32_MUTATION_CONFIGURATION
Definition configuration.hpp:180
BASIC_FIELD_MUTATION_CONFIGURATION
constexpr FieldMutationConfig BASIC_FIELD_MUTATION_CONFIGURATION
Definition configuration.hpp:84
UnaryInstruction8MutationOptions
UnaryInstruction8MutationOptions
Definition configuration.hpp:135
BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION
constexpr BinaryInstruction8MutationConfig BASIC_BINARY_INSTRUCTION_8_MUTATION_CONFIGURATION
Definition configuration.hpp:149
BASIC_UINT16_T_MUTATION_CONFIGURATION
constexpr Uint16MutationConfig BASIC_UINT16_T_MUTATION_CONFIGURATION
Definition configuration.hpp:46
BASIC_SSTORE_MUTATION_CONFIGURATION
constexpr SStoreMutationConfig BASIC_SSTORE_MUTATION_CONFIGURATION
Definition configuration.hpp:358
CalldataCopyMutationOptions
CalldataCopyMutationOptions
Definition configuration.hpp:416
BASIC_NULLIFIER_EXISTS_MUTATION_CONFIGURATION
constexpr NullifierExistsMutationConfig BASIC_NULLIFIER_EXISTS_MUTATION_CONFIGURATION
Definition configuration.hpp:385
BASIC_CALL_MUTATION_CONFIGURATION
constexpr CallMutationConfig BASIC_CALL_MUTATION_CONFIGURATION
Definition configuration.hpp:456
BASIC_SENDL2TOL1MSG_MUTATION_CONFIGURATION
constexpr SendL2ToL1MsgMutationConfig BASIC_SENDL2TOL1MSG_MUTATION_CONFIGURATION
Definition configuration.hpp:432
BASIC_VARIABLE_REF_MUTATION_CONFIGURATION
constexpr VariableRefMutationConfig BASIC_VARIABLE_REF_MUTATION_CONFIGURATION
Definition configuration.hpp:120
Set128MutationOptions
Set128MutationOptions
Definition configuration.hpp:196
BASIC_EMITNOTEHASH_MUTATION_CONFIGURATION
constexpr EmitNoteHashMutationConfig BASIC_EMITNOTEHASH_MUTATION_CONFIGURATION
Definition configuration.hpp:402
ToRadixBEMutationOptions
ToRadixBEMutationOptions
Definition configuration.hpp:492
BASIC_MEMORY_TAG_MUTATION_CONFIGURATION
constexpr MemoryTagMutationConfig BASIC_MEMORY_TAG_MUTATION_CONFIGURATION
Definition configuration.hpp:108
SLoadMutationOptions
SLoadMutationOptions
Definition configuration.hpp:364
BASIC_UINT8_T_MUTATION_CONFIGURATION
constexpr Uint8MutationConfig BASIC_UINT8_T_MUTATION_CONFIGURATION
Definition configuration.hpp:38
VariableRefMutationOptions
VariableRefMutationOptions
Definition configuration.hpp:118
BASIC_INSTRUCTION_GENERATION_CONFIGURATION
constexpr InstructionGenerationConfig BASIC_INSTRUCTION_GENERATION_CONFIGURATION
Definition configuration.hpp:292
BASIC_SUCCESSCOPY_MUTATION_CONFIGURATION
constexpr SuccessCopyMutationConfig BASIC_SUCCESSCOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:488
GetContractInstanceMutationOptions
GetContractInstanceMutationOptions
Definition configuration.hpp:475
GetEnvVarMutationOptions
GetEnvVarMutationOptions
Definition configuration.hpp:374
DebugLogMutationOptions
DebugLogMutationOptions
Definition configuration.hpp:511
AddressRefMutationOptions
AddressRefMutationOptions
Definition configuration.hpp:127
BinaryInstruction8MutationOptions
BinaryInstruction8MutationOptions
Definition configuration.hpp:145
SendL2ToL1MsgMutationOptions
SendL2ToL1MsgMutationOptions
Definition configuration.hpp:429
BASIC_SET_8_MUTATION_CONFIGURATION
constexpr Set8MutationConfig BASIC_SET_8_MUTATION_CONFIGURATION
Definition configuration.hpp:160
BASIC_EMITPUBLICLOG_MUTATION_CONFIGURATION
constexpr EmitPublicLogMutationConfig BASIC_EMITPUBLICLOG_MUTATION_CONFIGURATION
Definition configuration.hpp:440
BASIC_RETURNDATACOPY_MUTATION_CONFIGURATION
constexpr ReturndataCopyMutationConfig BASIC_RETURNDATACOPY_MUTATION_CONFIGURATION
Definition configuration.hpp:469
NullifierExistsMutationOptions
NullifierExistsMutationOptions
Definition configuration.hpp:382
value
FF value
Definition indexed_tree_check.test.cpp:69
generate_random_eth_address
EthAddress generate_random_eth_address(std::mt19937_64 &rng)
Definition eth_address.cpp:18
eth_address.hpp
instruction.hpp
AddressingMode
AddressingMode
Definition instruction.hpp:50
AddressingMode::Relative
@ Relative
AddressingMode::Direct
@ Direct
ParamRef
std::variant< VariableRef, AddressRef > ParamRef
Definition instruction.hpp:124
fuzzer_context.hpp
instruction
Instruction instruction
Definition gas_tracker.test.cpp:33
generate_memory_tag
MemoryTag generate_memory_tag(std::mt19937_64 &rng, const MemoryTagGenerationConfig &config)
Definition memory_tag.cpp:8
mutate_or_default_tag
void mutate_or_default_tag(MemoryTag &value, std::mt19937_64 &rng, MemoryTag default_tag, double probability=0.1)
Mutate the memory tag or set to the chosen tag with a given probability.
Definition memory_tag.cpp:57
mutate_memory_tag
void mutate_memory_tag(MemoryTag &value, std::mt19937_64 &rng, const MemoryTagMutationConfig &config)
Definition memory_tag.cpp:29
memory_tag.hpp
bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10
bb::avm2::Fq
AvmFlavorSettings::G1::Fq Fq
Definition field.hpp:11
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
ADD_16_Instruction
mem[result_offset] = mem[a_address] + mem[b_address] (16-bit)
Definition instruction.hpp:323
ADD_8_Instruction
mem[result_offset] = mem[a_address] + mem[b_address]
Definition instruction.hpp:149
AND_16_Instruction
mem[result_offset] = mem[a_address] & mem[b_address] (16-bit)
Definition instruction.hpp:386
AND_8_Instruction
mem[result_offset] = mem[a_address] & mem[b_address]
Definition instruction.hpp:212
AddressRef::mode
AddressingModeWrapper mode
Definition instruction.hpp:120
AddressRef::address
uint32_t address
Definition instruction.hpp:114
CALL_Instruction
Definition instruction.hpp:529
CALL_Instruction::l2_gas_address
ParamRef l2_gas_address
Definition instruction.hpp:530
CALLDATACOPY_Instruction
Definition instruction.hpp:510
CALLDATACOPY_Instruction::copy_size_address
ParamRef copy_size_address
Definition instruction.hpp:511
CAST_16_Instruction
CAST_16: cast mem[src_offset_index] to target_tag and store at dst_offset.
Definition instruction.hpp:441
CAST_16_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:443
CAST_8_Instruction
CAST_8: cast mem[src_offset_index] to target_tag and store at dst_offset.
Definition instruction.hpp:432
CAST_8_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:434
DEBUGLOG_Instruction
Definition instruction.hpp:621
DEBUGLOG_Instruction::level_offset
ParamRef level_offset
Definition instruction.hpp:622
DIV_16_Instruction
mem[result_offset] = mem[a_address] / mem[b_address] (16-bit)
Definition instruction.hpp:347
DIV_8_Instruction
mem[result_offset] = mem[a_address] / mem[b_address]
Definition instruction.hpp:173
ECADD_Instruction
Definition instruction.hpp:573
ECADD_Instruction::p1_x
ParamRef p1_x
Definition instruction.hpp:574
EMITNOTEHASH_Instruction
EMITNOTEHASH: M[note_hash_offset] = note_hash; emit note hash to the note hash tree.
Definition instruction.hpp:497
EMITNOTEHASH_Instruction::note_hash_address
AddressRef note_hash_address
Definition instruction.hpp:498
EMITNULLIFIER_Instruction
EMITNULIFIER: inserts new nullifier to the nullifier tree.
Definition instruction.hpp:474
EMITNULLIFIER_Instruction::nullifier_address
ParamRef nullifier_address
Definition instruction.hpp:475
EMITPUBLICLOG_Instruction
Definition instruction.hpp:523
EMITPUBLICLOG_Instruction::log_size_address
ParamRef log_size_address
Definition instruction.hpp:524
EQ_16_Instruction
mem[result_offset] = mem[a_address] == mem[b_address] (16-bit)
Definition instruction.hpp:362
EQ_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:363
EQ_8_Instruction
mem[result_offset] = mem[a_address] == mem[b_address]
Definition instruction.hpp:188
EQ_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:189
FDIV_16_Instruction
Definition instruction.hpp:354
FDIV_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:355
FDIV_8_Instruction
Definition instruction.hpp:180
FDIV_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:181
GETCONTRACTINSTANCE_Instruction
Definition instruction.hpp:561
GETCONTRACTINSTANCE_Instruction::contract_address_address
ParamRef contract_address_address
Definition instruction.hpp:562
GETENVVAR_Instruction
GETENVVAR: M[result_offset] = getenvvar(type)
Definition instruction.hpp:467
GETENVVAR_Instruction::result_address
AddressRef result_address
Definition instruction.hpp:468
KECCAKF1600_Instruction
KECCAKF1600: Perform Keccak-f[1600] permutation on 25 U64 values M[dst_address:dst_address+25] = kecc...
Definition instruction.hpp:592
KECCAKF1600_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:593
L1TOL2MSGEXISTS_Instruction
L1TOL2MSGEXISTS: Check if a L1 to L2 message exists M[result_address] = L1TOL2MSGEXISTS(M[msg_hash_ad...
Definition instruction.hpp:489
L1TOL2MSGEXISTS_Instruction::msg_hash_address
ParamRef msg_hash_address
Definition instruction.hpp:490
LT_16_Instruction
mem[result_offset] = mem[a_address] < mem[b_address] (16-bit)
Definition instruction.hpp:370
LT_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:371
LT_8_Instruction
mem[result_offset] = mem[a_address] < mem[b_address]
Definition instruction.hpp:196
LT_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:197
LTE_16_Instruction
mem[result_offset] = mem[a_address] <= mem[b_address] (16-bit)
Definition instruction.hpp:378
LTE_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:379
LTE_8_Instruction
mem[result_offset] = mem[a_address] <= mem[b_address]
Definition instruction.hpp:204
LTE_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:205
MOV_16_Instruction
MOV_16 instruction: mem[dst_offset] = mem[src_offset].
Definition instruction.hpp:315
MOV_16_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:316
MOV_8_Instruction
MOV_8 instruction: mem[dst_offset] = mem[src_offset].
Definition instruction.hpp:307
MOV_8_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:308
MUL_16_Instruction
mem[result_offset] = mem[a_address] * mem[b_address] (16-bit)
Definition instruction.hpp:339
MUL_8_Instruction
mem[result_offset] = mem[a_address] * mem[b_address]
Definition instruction.hpp:165
NOT_16_Instruction
Definition instruction.hpp:409
NOT_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:410
NOT_8_Instruction
Definition instruction.hpp:235
NOT_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:236
NOTEHASHEXISTS_Instruction
Definition instruction.hpp:503
NOTEHASHEXISTS_Instruction::notehash_address
ParamRef notehash_address
Definition instruction.hpp:504
NULLIFIEREXISTS_Instruction
NULLIFIEREXISTS: checks if a siloed nullifier exists in the nullifier tree M[result_address] = NULLIF...
Definition instruction.hpp:481
NULLIFIEREXISTS_Instruction::siloed_nullifier_address
ParamRef siloed_nullifier_address
Definition instruction.hpp:482
OR_16_Instruction
mem[result_offset] = mem[a_address] | mem[b_address] (16-bit)
Definition instruction.hpp:394
OR_8_Instruction
mem[result_offset] = mem[a_address] | mem[b_address]
Definition instruction.hpp:220
POSEIDON2PERM_Instruction
POSEIDON2PERM: Perform Poseidon2 permutation on 4 FF values M[dst_address:dst_address+4] = poseidon2_...
Definition instruction.hpp:584
POSEIDON2PERM_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:585
RETURNDATACOPY_Instruction
Definition instruction.hpp:553
RETURNDATACOPY_Instruction::copy_size_address
ParamRef copy_size_address
Definition instruction.hpp:554
RETURNDATASIZE_Instruction
Definition instruction.hpp:548
RETURNDATASIZE_Instruction::dst_address
AddressRef dst_address
Definition instruction.hpp:549
SENDL2TOL1MSG_Instruction
Definition instruction.hpp:517
SENDL2TOL1MSG_Instruction::recipient_address
ParamRef recipient_address
Definition instruction.hpp:518
SET_128_Instruction
SET_128 instruction.
Definition instruction.hpp:290
SET_128_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:291
SET_16_Instruction
SET_16 instruction.
Definition instruction.hpp:266
SET_16_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:267
SET_32_Instruction
SET_32 instruction.
Definition instruction.hpp:274
SET_32_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:275
SET_64_Instruction
SET_64 instruction.
Definition instruction.hpp:282
SET_64_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:283
SET_8_Instruction
SET_8 instruction.
Definition instruction.hpp:258
SET_8_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:259
SET_FF_Instruction
SET_FF instruction.
Definition instruction.hpp:299
SET_FF_Instruction::value_tag
MemoryTagWrapper value_tag
Definition instruction.hpp:300
SHA256COMPRESSION_Instruction
SHA256COMPRESSION: Perform SHA256 compression M[dst_address:dst_address+8] = sha256_compression(M[sta...
Definition instruction.hpp:601
SHA256COMPRESSION_Instruction::state_address
ParamRef state_address
Definition instruction.hpp:602
SHL_16_Instruction
mem[result_offset] = mem[a_address] << mem[b_address] (16-bit)
Definition instruction.hpp:416
SHL_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:417
SHL_8_Instruction
mem[result_offset] = mem[a_address] << mem[b_address]
Definition instruction.hpp:242
SHL_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:243
SHR_16_Instruction
mem[result_offset] = mem[a_address] >> mem[b_address] (16-bit)
Definition instruction.hpp:424
SHR_16_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:425
SHR_8_Instruction
mem[result_offset] = mem[a_address] >> mem[b_address]
Definition instruction.hpp:250
SHR_8_Instruction::a_address
ParamRef a_address
Definition instruction.hpp:251
SLOAD_Instruction
SLOAD: M[slot_offset] = slot; M[result_offset] = S[M[slotOffset]].
Definition instruction.hpp:458
SLOAD_Instruction::slot_index
uint16_t slot_index
Definition instruction.hpp:459
SSTORE_Instruction
SSTORE: M[slot_offset_index] = slot; S[M[slotOffset]] = M[srcOffset].
Definition instruction.hpp:450
SSTORE_Instruction::src_address
ParamRef src_address
Definition instruction.hpp:451
SUB_16_Instruction
mem[result_offset] = mem[a_address] - mem[b_address] (16-bit)
Definition instruction.hpp:331
SUB_8_Instruction
mem[result_offset] = mem[a_address] - mem[b_address]
Definition instruction.hpp:157
SUCCESSCOPY_Instruction
Definition instruction.hpp:568
SUCCESSCOPY_Instruction::dst_address
AddressRef dst_address
Definition instruction.hpp:569
TORADIXBE_Instruction
TORADIXBE: Convert a field element to a vector of limbs in big-endian radix representation M[dst_addr...
Definition instruction.hpp:610
TORADIXBE_Instruction::value_address
ParamRef value_address
Definition instruction.hpp:611
VariableRef::mode
AddressingModeWrapper mode
Definition instruction.hpp:108
VariableRef::index
uint32_t index
Index of the variable in the memory_manager.stored_variables map.
Definition instruction.hpp:102
VariableRef::tag
MemoryTagWrapper tag
Definition instruction.hpp:100
VariableRef::pointer_address_seed
uint16_t pointer_address_seed
A seed for the generation of the pointer address Used for Indirect/IndirectRelative modes only.
Definition instruction.hpp:106
XOR_16_Instruction
mem[result_offset] = mem[a_address] ^ mem[b_address] (16-bit)
Definition instruction.hpp:402
XOR_8_Instruction
mem[result_offset] = mem[a_address] ^ mem[b_address]
Definition instruction.hpp:228
bb::field::is_zero
BB_INLINE constexpr bool is_zero() const noexcept
Definition field_impl.hpp:778
mutate_uint16_t
void mutate_uint16_t(uint16_t &value, std::mt19937_64 &rng, const Uint16MutationConfig &config)
Definition uint16_t.cpp:4
uint16_t.hpp
mutate_uint32_t
void mutate_uint32_t(uint32_t &value, std::mt19937_64 &rng, const Uint32MutationConfig &config)
Definition uint32_t.cpp:4
uint32_t.hpp
mutate_uint64_t
void mutate_uint64_t(uint64_t &value, std::mt19937_64 &rng, const Uint64MutationConfig &config)
Definition uint64_t.cpp:4
uint64_t.hpp
mutate_uint8_t
void mutate_uint8_t(uint8_t &value, std::mt19937_64 &rng, const Uint8MutationConfig &config)
Definition uint8_t.cpp:4
uint8_t.hpp
uint_mutations.hpp
generate_random_uint64
uint64_t generate_random_uint64(std::mt19937_64 &rng)
Definition uint_mutations.hpp:240
generate_random_uint32
uint32_t generate_random_uint32(std::mt19937_64 &rng)
Definition uint_mutations.hpp:235
generate_random_uint16
uint16_t generate_random_uint16(std::mt19937_64 &rng)
Definition uint_mutations.hpp:230
generate_random_uint8
uint8_t generate_random_uint8(std::mt19937_64 &rng)
Definition uint_mutations.hpp:225