(WIP) migrate move_vm_stack to TraceState

Cargo.toml

@@ -46,7 +46,7 @@ rand_core_sui = {version = "0.6.4", package = "rand_core"}
 rand_core_libafl = {version = "0.9", package = "rand_core"}
 const-hex = "1.14.1"
 serde_json_any_key = "2.0.0"
-pprof = { version = "0.15"}
+pprof = { version = "0.15", features = ["frame-pointer"]}
 z3 = "0.16"
 z3-sys = "0.9.10"
 tempfile = "3"
@@ -61,34 +61,33 @@ tonic = "0.14"
 url = "2.5.7"
 
 # Sui dependencies
-move-binary-format = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-trace-format = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-package = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-compiler = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-disassembler = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-ir-types = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-core-types = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-vm-types = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-vm-stack = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-vm-runtime = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz", features = ["tracing", "testing"]}
-move-model = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-move-stackless-bytecode = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-move-build = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-json-rpc-types = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-types = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-package-management = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-sdk = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-config = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-storage = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-snapshot = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-core = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-sui-execution = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz", features = ["testing"]}
-shared-crypto = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
-# sui-adapter-v2 = {git = "https://github.com/wtdcode/sui", branch = "v1.60.1-fuzz"}
+move-binary-format = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-trace-format = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-package = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-compiler = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-disassembler = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-ir-types = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-core-types = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-vm-types = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-vm-runtime = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz", features = ["tracing"]}
+move-model = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+move-stackless-bytecode = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-move-build = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-json-rpc-types = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-types = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-package-management = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-sdk = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-config = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-storage = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-snapshot = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-core = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+sui-execution = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+shared-crypto = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
+# sui-adapter-v2 = {git = "https://github.com/wtdcode/sui", branch = "v1.65.2-fuzz"}
 
-sui-rpc = { git = "https://github.com/MystenLabs/sui-rust-sdk.git", rev = "fb62af78b30f5dc64eeaec0094ab95b5ce5b7ce2" }
-sui-sdk-types =  { git = "https://github.com/MystenLabs/sui-rust-sdk.git", rev = "fb62af78b30f5dc64eeaec0094ab95b5ce5b7ce2" }
-fastcrypto = { git = "https://github.com/MystenLabs/fastcrypto", rev = "09f86974195ec85d8aae386b1909d341d3ccfe52"} # sui use git dependency =/
+sui-rpc = { git = "https://github.com/MystenLabs/sui-rust-sdk.git", rev = "aef7655b45dcf3747281456f4999542dc52f6af6" }
+sui-sdk-types =  { git = "https://github.com/MystenLabs/sui-rust-sdk.git", rev = "aef7655b45dcf3747281456f4999542dc52f6af6" }
+fastcrypto = { git = "https://github.com/MystenLabs/fastcrypto", rev = "d2e2d13be3e550745739144e2a090b9675e4ffcb"} # sui use git dependency =/
 
 # move-stackless-bytecode = {path = "../sui/external-crates/move/crates/move-stackless-bytecode"}
 # move-model = {path = "../sui/external-crates/move/crates/move-model"}
@@ -100,7 +99,6 @@ fastcrypto = { git = "https://github.com/MystenLabs/fastcrypto", rev = "09f86974
 # move-ir-types = {path = "../sui/external-crates/move/crates/move-ir-types"}
 # move-core-types = {path = "../sui/external-crates/move/crates/move-core-types"}
 # move-vm-types = {path = "../sui/external-crates/move/crates/move-vm-types"}
-# move-vm-stack = {path = "../sui/external-crates/move/crates/move-vm-stack"}
 # move-vm-runtime = {path = "../sui/external-crates/move/crates/move-vm-runtime", features = ["tracing", "testing"]}
 # sui-move-build = {path = "../sui/crates/sui-move-build"}
 # sui-json-rpc-types = {path = "../sui/crates/sui-json-rpc-types"}
@@ -128,4 +126,4 @@ movy-static-analysis = {version = "0.0.1", default-features = false, path = "cra
 
 
 [profile.dev.build-override]
-opt-level = 3
+opt-level = 3

crates/movy-fuzz/Cargo.toml

@@ -38,7 +38,6 @@ move-core-types = {workspace = true}
 move-model = {workspace = true}
 move-stackless-bytecode = {workspace = true}
 move-trace-format = {workspace = true}
-move-vm-stack = {workspace = true}
 move-vm-types = {workspace = true}
 sui-types = {workspace = true}
 sui-json-rpc-types = {workspace = true}

crates/movy-fuzz/src/executor.rs

@@ -10,6 +10,7 @@ use libafl_bolts::tuples::{Handle, MatchNameRef, RefIndexable};
 use log::trace;
 use movy_replay::{
     db::{ObjectStoreInfo, ObjectStoreMintObject},
+    event::{ModuleProvider, NotifierTracer},
     exec::{ExecutionTracedResults, SuiExecutor},
     tracer::{concolic::ConcolicState, fuzz::SuiFuzzTracer, op::Log, oracle::SuiGeneralOracle},
 };
@@ -18,6 +19,8 @@ use movy_types::{
     input::{FunctionIdent, MoveAddress},
     oracle::{Event, OracleFinding},
 };
+use move_core_types::account_address::AccountAddress;
+use movy_types::error::MovyError;
 use serde::{Deserialize, Serialize};
 use sui_types::{
     effects::TransactionEffectsAPI,
@@ -33,6 +36,51 @@ use crate::{
 
 pub const CODE_OBSERVER_NAME: &str = "code_observer";
 
+pub struct FuzzModuleProvider<'a, E> {
+    env: &'a E,
+}
+
+impl<'a, E> FuzzModuleProvider<'a, E>
+where
+    E: ObjectStore,
+{
+    pub fn new(env: &'a E) -> Self {
+        Self { env }
+    }
+}
+
+impl<'a, E> ModuleProvider for FuzzModuleProvider<'a, E>
+where
+    E: ObjectStore,
+{
+    fn get_module(
+        &mut self,
+        address: AccountAddress,
+        name: &str,
+    ) -> Result<Option<move_binary_format::CompiledModule>, MovyError> {
+        use sui_types::base_types::ObjectID;
+
+        let db = self.env;
+        let package_id = ObjectID::from(address);
+
+        let package_obj = match db.get_object(&package_id) {
+            Some(obj) => obj,
+            None => return Ok(None),
+        };
+
+        if let Some(pkg) = package_obj.data.try_as_package() {
+            for (module_name, bytes) in pkg.serialized_module_map() {
+                if module_name.as_str() == name {
+                    let module = move_binary_format::CompiledModule::deserialize_with_defaults(bytes)?;
+                    return Ok(Some(module));
+                }
+            }
+        }
+
+        Ok(None)
+    }
+}
+
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct ExecutionExtraOutcome {
     pub logs: BTreeMap<FunctionIdent, Vec<Log>>,
@@ -92,6 +140,7 @@ impl<T, OT, RT, I, S> HasObservers for SuiFuzzExecutor<T, OT, RT, I, S> {
 impl<EM, Z, T, OT, RT, I, S, E> Executor<EM, I, S, Z> for SuiFuzzExecutor<T, OT, RT, I, S>
 where
     T: ObjectStore + BackingStore + ObjectSuiStoreCommit + ObjectStoreMintObject + ObjectStoreInfo,
+    E: ObjectStore,
     OT: ObserversTuple<I, S>,
     RT: for<'a> SuiGeneralOracle<CachedStore<&'a T>, S>,
     I: MoveInput,
@@ -127,8 +176,16 @@ where
         trace!("Executing input: {}", input.sequence());
         state.executions_mut().add_assign(1);
         let gas_id = state.fuzz_state().gas_id;
-        let tracer = SuiFuzzTracer::new(&mut self.ob, state, &mut self.oracles, CODE_OBSERVER_NAME);
-
+        let provider = FuzzModuleProvider::new(&self.executor.db);
+        let tracer = NotifierTracer::with_provider(
+            SuiFuzzTracer::new(
+                &mut self.ob,
+                state,
+                &mut self.oracles,
+                CODE_OBSERVER_NAME,
+            ),
+            provider,
+        );
         let result = self.executor.run_ptb_with_gas(
             input.sequence().to_ptb()?,
             epoch,
@@ -146,6 +203,7 @@ where
 
         let mut trace_outcome = tracer
             .expect("tracer should be present when tracing is enabled")
+            .into_inner()
             .outcome();
 
         trace!("Execution finished with status: {:?}", effects.status());

crates/movy-fuzz/src/oracles/sui/bool_judgement.rs

@@ -1,6 +1,5 @@
 use move_binary_format::file_format::Bytecode;
 use move_trace_format::format::TraceEvent;
-use move_vm_stack::Stack;
 use serde_json::json;
 use sui_types::effects::TransactionEffects;
 use z3::{
@@ -11,6 +10,7 @@ use z3::{
 use movy_replay::tracer::{
     concolic::{ConcolicState, SymbolValue},
     oracle::SuiGeneralOracle,
+    trace::TraceState,
 };
 use movy_types::{
     error::MovyError,
@@ -36,13 +36,13 @@ impl<T, S> SuiGeneralOracle<T, S> for BoolJudgementOracle {
     fn event(
         &mut self,
         event: &TraceEvent,
-        _stack: Option<&Stack>,
+        _trace_state: &TraceState,
         symbol_stack: &ConcolicState,
         current_function: Option<&movy_types::input::FunctionIdent>,
         _state: &mut S,
     ) -> Result<Vec<OracleFinding>, MovyError> {
         match event {
-            TraceEvent::BeforeInstruction {
+            TraceEvent::Instruction {
                 pc, instruction, ..
             } => {
                 let stack_syms = &symbol_stack.stack;

crates/movy-fuzz/src/oracles/sui/infinite_loop.rs

@@ -2,12 +2,12 @@ use std::collections::BTreeMap;
 
 use move_binary_format::file_format::Bytecode;
 use move_trace_format::format::TraceEvent;
-use move_vm_stack::Stack;
 use serde_json::json;
 
 use movy_replay::tracer::{
     concolic::{ConcolicState, SymbolValue},
     oracle::SuiGeneralOracle,
+    trace::TraceState,
 };
 use movy_types::{
     error::MovyError,
@@ -38,7 +38,7 @@ impl<T, S> SuiGeneralOracle<T, S> for InfiniteLoopOracle {
     fn event(
         &mut self,
         event: &TraceEvent,
-        _stack: Option<&Stack>,
+        _trace_state: &TraceState,
         symbol_stack: &ConcolicState,
         current_function: Option<&movy_types::input::FunctionIdent>,
         _state: &mut S,
@@ -49,7 +49,7 @@ impl<T, S> SuiGeneralOracle<T, S> for InfiniteLoopOracle {
                 let key = hash_to_u64(&key);
                 self.branch_counts.remove(&key);
             }
-            TraceEvent::BeforeInstruction {
+            TraceEvent::Instruction {
                 pc, instruction, ..
             } => {
                 match instruction {

crates/movy-fuzz/src/oracles/sui/overflow.rs

@@ -1,12 +1,12 @@
 use move_binary_format::file_format::Bytecode;
 use move_core_types::u256::U256;
-use move_trace_format::format::TraceEvent;
-use move_vm_stack::Stack;
+use move_trace_format::format::{TraceEvent, TraceValue};
 use serde_json::json;
 
 use movy_replay::tracer::{
     concolic::{ConcolicState, value_bitwidth, value_to_u256},
     oracle::SuiGeneralOracle,
+    trace::TraceState,
 };
 use movy_types::{
     error::MovyError,
@@ -19,7 +19,7 @@ use sui_types::effects::TransactionEffects;
 pub struct OverflowOracle;
 
 /// Count the number of significant bits in the concrete value (0 => 0 bits).
-fn value_sig_bits(v: &move_vm_types::values::Value) -> u32 {
+fn value_sig_bits(v: &TraceValue) -> u32 {
     let as_u256 = value_to_u256(v);
     if as_u256 == U256::zero() {
         0
@@ -41,27 +41,24 @@ impl<T, S> SuiGeneralOracle<T, S> for OverflowOracle {
     fn event(
         &mut self,
         event: &TraceEvent,
-        stack: Option<&Stack>,
+        trace_state: &TraceState,
         _symbol_stack: &ConcolicState,
         current_function: Option<&movy_types::input::FunctionIdent>,
         _state: &mut S,
     ) -> Result<Vec<OracleFinding>, MovyError> {
         match event {
-            TraceEvent::BeforeInstruction {
+            TraceEvent::Instruction {
                 pc, instruction, ..
             } => {
                 if !matches!(instruction, Bytecode::Shl) {
                     return Ok(vec![]);
                 }
-                let stack = match stack {
-                    Some(s) => s,
-                    None => return Ok(vec![]),
-                };
-                let Ok(vals_iter) = stack.last_n(2) else {
+                let stack = &trace_state.operand_stack;
+                if stack.len() < 2 {
                     return Ok(vec![]);
-                };
-                let vals: Vec<_> = vals_iter.collect();
-                let (lhs, rhs) = (vals[0], vals[1]);
+                }
+                let lhs = &stack[stack.len() - 2];
+                let rhs = &stack[stack.len() - 1];
                 let lhs_width_bits = value_bitwidth(lhs); // type width (u8/u16/...)
                 let lhs_sig_bits = value_sig_bits(lhs); // actual significant bits of the value
                 let rhs_bits = value_to_u256(rhs);

crates/movy-fuzz/src/oracles/sui/precision_loss.rs

@@ -1,10 +1,10 @@
 use move_trace_format::format::TraceEvent;
-use move_vm_stack::Stack;
 use serde_json::json;
 
 use movy_replay::tracer::{
     concolic::{ConcolicState, SymbolValue},
     oracle::SuiGeneralOracle,
+    trace::TraceState,
 };
 use movy_types::{error::MovyError, input::MoveSequence, oracle::OracleFinding};
 use sui_types::effects::TransactionEffects;
@@ -26,13 +26,13 @@ impl<T, S> SuiGeneralOracle<T, S> for PrecisionLossOracle {
     fn event(
         &mut self,
         event: &TraceEvent,
-        _stack: Option<&Stack>,
+        _trace_state: &TraceState,
         symbol_stack: &ConcolicState,
         current_function: Option<&movy_types::input::FunctionIdent>,
         _state: &mut S,
     ) -> Result<Vec<OracleFinding>, MovyError> {
         match event {
-            TraceEvent::BeforeInstruction {
+            TraceEvent::Instruction {
                 pc, instruction, ..
             } => {
                 let loss = match instruction {

crates/movy-fuzz/src/oracles/sui/proceeds.rs

@@ -4,10 +4,9 @@ use std::{
 };
 
 use log::debug;
-use move_trace_format::format::TraceEvent;
-use move_vm_stack::Stack;
+use move_trace_format::{format::TraceEvent};
 
-use movy_replay::tracer::{concolic::ConcolicState, oracle::SuiGeneralOracle};
+use movy_replay::tracer::{concolic::ConcolicState, oracle::SuiGeneralOracle, trace::TraceState};
 use movy_types::{
     error::MovyError,
     input::{InputArgument, MoveSequence, SuiObjectInputArgument},
@@ -216,7 +215,7 @@ where
     fn event(
         &mut self,
         _event: &TraceEvent,
-        _stack: Option<&Stack>,
+        _trace_state: &TraceState,
         _symbol_stack: &ConcolicState,
         _current_function: Option<&movy_types::input::FunctionIdent>,
         _state: &mut S,