feat: Fuzzer for noir programs

Cargo.toml

@@ -13,6 +13,7 @@ members = [
     # Crates related to tooling built on top of the Noir compiler
     "tooling/lsp",
     "tooling/debugger",
+    "tooling/greybox_fuzzer",
     "tooling/fuzzer",
     "tooling/nargo",
     "tooling/nargo_fmt",
@@ -75,6 +76,7 @@ noirc_frontend = { path = "compiler/noirc_frontend" }
 noirc_printable_type = { path = "compiler/noirc_printable_type" }
 
 # Noir tooling workspace dependencies
+noir_greybox_fuzzer = { path = "tooling/greybox_fuzzer" }
 noir_fuzzer = { path = "tooling/fuzzer" }
 nargo = { path = "tooling/nargo" }
 nargo_fmt = { path = "tooling/nargo_fmt" }

acvm-repo/acvm/src/pwg/brillig.rs

@@ -11,7 +11,9 @@ use acir::{
     AcirField,
 };
 use acvm_blackbox_solver::BlackBoxFunctionSolver;
-use brillig_vm::{BrilligProfilingSamples, FailureReason, MemoryValue, VMStatus, VM};
+use brillig_vm::{
+    BranchToFeatureMap, BrilligProfilingSamples, FailureReason, MemoryValue, VMStatus, VM,
+};
 use serde::{Deserialize, Serialize};
 
 use crate::{pwg::OpcodeNotSolvable, OpcodeResolutionError};
@@ -67,6 +69,7 @@ impl<'b, B: BlackBoxFunctionSolver<F>, F: AcirField> BrilligSolver<'b, F, B> {
         acir_index: usize,
         brillig_function_id: BrilligFunctionId,
         profiling_active: bool,
+        with_branch_to_feature_map: Option<&BranchToFeatureMap>,
     ) -> Result<Self, OpcodeResolutionError<F>> {
         let vm = Self::setup_brillig_vm(
             initial_witness,
@@ -75,6 +78,7 @@ impl<'b, B: BlackBoxFunctionSolver<F>, F: AcirField> BrilligSolver<'b, F, B> {
             brillig_bytecode,
             bb_solver,
             profiling_active,
+            with_branch_to_feature_map,
         )?;
         Ok(Self { vm, acir_index, function_id: brillig_function_id })
     }
@@ -86,6 +90,7 @@ impl<'b, B: BlackBoxFunctionSolver<F>, F: AcirField> BrilligSolver<'b, F, B> {
         brillig_bytecode: &'b [BrilligOpcode<F>],
         bb_solver: &'b B,
         profiling_active: bool,
+        with_branch_to_feature_map: Option<&BranchToFeatureMap>,
     ) -> Result<VM<'b, F, B>, OpcodeResolutionError<F>> {
         // Set input values
         let mut calldata: Vec<F> = Vec::new();
@@ -133,7 +138,14 @@ impl<'b, B: BlackBoxFunctionSolver<F>, F: AcirField> BrilligSolver<'b, F, B> {
 
         // Instantiate a Brillig VM given the solved calldata
         // along with the Brillig bytecode.
-        let vm = VM::new(calldata, brillig_bytecode, vec![], bb_solver, profiling_active);
+        let vm = VM::new(
+            calldata,
+            brillig_bytecode,
+            vec![],
+            bb_solver,
+            profiling_active,
+            with_branch_to_feature_map,
+        );
         Ok(vm)
     }
 
@@ -149,6 +161,10 @@ impl<'b, B: BlackBoxFunctionSolver<F>, F: AcirField> BrilligSolver<'b, F, B> {
         self.vm.get_call_stack()
     }
 
+    pub fn get_fuzzing_trace(&self) -> Vec<u32> {
+        self.vm.get_fuzzing_trace()
+    }
+
     pub(crate) fn solve(&mut self) -> Result<BrilligSolverStatus<F>, OpcodeResolutionError<F>> {
         let status = self.vm.process_opcodes();
         self.handle_vm_status(status)

acvm-repo/acvm/src/pwg/mod.rs

@@ -16,6 +16,7 @@
     AcirField, BlackBoxFunc,
 };
 use acvm_blackbox_solver::BlackBoxResolutionError;
+use brillig_vm::BranchToFeatureMap;
 
 use self::{
     arithmetic::ExpressionSolver, blackbox::bigint::AcvmBigIntSolver, memory_op::MemoryOpSolver,
@@ -55,7 +56,7 @@
     RequiresForeignCall(ForeignCallWaitInfo<F>),
 
     /// The ACVM has encountered a request for an ACIR [call][acir::circuit::Opcode]
     /// to execute a separate ACVM instance. The result of the ACIR call must be passd back to the ACVM.
     ///
     /// Once this is done, the ACVM can be restarted to solve the remaining opcodes.
     RequiresAcirCall(AcirCallWaitInfo<F>),
@@ -209,6 +210,14 @@
     profiling_active: bool,
 
     profiling_samples: ProfilingSamples,
+
+    // Whether we need to trace brillig execution for fuzzing
+    brillig_fuzzing_active: bool,
+
+    // Brillig branch to feature map
+    brillig_branch_to_feature_map: Option<&'a BranchToFeatureMap>,
+
+    brillig_fuzzing_trace: Option<Vec<u32>>,
 }
 
 impl<'a, F: AcirField, B: BlackBoxFunctionSolver<F>> ACVM<'a, F, B> {
@@ -236,6 +245,9 @@
             assertion_payloads,
             profiling_active: false,
             profiling_samples: Vec::new(),
+            brillig_fuzzing_active: false,
+            brillig_branch_to_feature_map: None,
+            brillig_fuzzing_trace: None,
         }
     }
 
@@ -244,6 +256,24 @@
         self.profiling_active = profiling_active;
     }
 
+    // Enable brillig fuzzing
+    pub fn with_brillig_fuzzing(
+        &mut self,
+        brillig_fuzzing_active: bool,
+        brillig_branch_to_feature_map: Option<&'a BranchToFeatureMap>,
+    ) {
+        self.brillig_fuzzing_active = brillig_fuzzing_active;
+        if brillig_fuzzing_active {
+            self.brillig_branch_to_feature_map = brillig_branch_to_feature_map;
+        } else {
+            self.brillig_branch_to_feature_map = None;
+        }
+    }
+
+    pub fn get_brillig_fuzzing_trace(&self) -> Option<Vec<u32>> {
+        self.brillig_fuzzing_trace.clone()
+    }
+
     /// Returns a reference to the current state of the ACVM's [`WitnessMap`].
     ///
     /// Once execution has completed, the witness map can be extracted using [`ACVM::finalize`]
@@ -510,10 +540,16 @@
                 self.instruction_pointer,
                 *id,
                 self.profiling_active,
+                self.brillig_branch_to_feature_map,
             )?,
         };
 
-        let result = solver.solve()?;
+        let result = solver.solve().map_err(|err| {
+            if self.brillig_fuzzing_active {
+                self.brillig_fuzzing_trace = Some((&solver).get_fuzzing_trace())
+            };
+            err
+        })?;
 
         match result {
             BrilligSolverStatus::ForeignCallWait(foreign_call) => {
@@ -525,6 +561,9 @@
                 unreachable!("Brillig solver still in progress")
             }
             BrilligSolverStatus::Finished => {
+                if self.brillig_fuzzing_active {
+                    self.brillig_fuzzing_trace = Some(solver.get_fuzzing_trace())
+                }
                 // Write execution outputs
                 if self.profiling_active {
                     let profiling_info =
@@ -586,6 +625,7 @@
             self.instruction_pointer,
             *id,
             self.profiling_active,
+            self.brillig_branch_to_feature_map,
         );
         match solver {
             Ok(solver) => StepResult::IntoBrillig(solver),