foundry-rs · grandizzy · Oct 22, 2025 · Oct 8, 2025 · Oct 8, 2025 · Oct 9, 2025
@@ -80,6 +80,11 @@ pub struct FuzzDictionaryConfig {
     /// Once the fuzzer exceeds this limit, it will start evicting random entries
     #[serde(deserialize_with = "crate::deserialize_usize_or_max")]
     pub max_fuzz_dictionary_values: usize,
+    /// How many literal values to seed from the AST, at most.
+    ///
+    /// This value is independent from the max amount of addresses and values.
+    #[serde(deserialize_with = "crate::deserialize_usize_or_max")]
+    pub max_fuzz_dictionary_literals: usize,
 }
 
 impl Default for FuzzDictionaryConfig {
@@ -90,8 +95,10 @@ impl Default for FuzzDictionaryConfig {
             include_push_bytes: true,
             // limit this to 300MB
             max_fuzz_dictionary_addresses: (300 * 1024 * 1024) / 20,
+            // limit this to 300MB
+            max_fuzz_dictionary_values: (300 * 1024 * 1024) / 20,
             // limit this to 200MB
-            max_fuzz_dictionary_values: (200 * 1024 * 1024) / 32,
+            max_fuzz_dictionary_literals: (200 * 1024 * 1024) / 32,
         }
     }
 }

@@ -362,13 +362,23 @@ impl FuzzedExecutor {
 
     /// Stores fuzz state for use with [fuzz_calldata_from_state]
     pub fn build_fuzz_state(&self, deployed_libs: &[Address]) -> EvmFuzzState {
+        let inspector = self.executor.inspector();
+
         if let Some(fork_db) = self.executor.backend().active_fork_db() {
-            EvmFuzzState::new(fork_db, self.config.dictionary, deployed_libs)
+            EvmFuzzState::new(
+                fork_db,
+                self.config.dictionary,
+                deployed_libs,
+                inspector.analysis.as_ref(),
+                inspector.paths_config(),
+            )
         } else {
             EvmFuzzState::new(
                 self.executor.backend().mem_db(),
                 self.config.dictionary,
                 deployed_libs,
+                inspector.analysis.as_ref(),
+                inspector.paths_config(),
             )
         }
     }

@@ -566,10 +566,13 @@ impl<'a> InvariantExecutor<'a> {
             self.select_contracts_and_senders(invariant_contract.address)?;
 
         // Stores fuzz state for use with [fuzz_calldata_from_state].
+        let inspector = self.executor.inspector();
         let fuzz_state = EvmFuzzState::new(
             self.executor.backend().mem_db(),
             self.config.dictionary,
             deployed_libs,
+            inspector.analysis.as_ref(),
+            inspector.paths_config(),
         );
 
         // Creates the invariant strategy.

@@ -8,6 +8,7 @@ use alloy_primitives::{
     map::{AddressHashMap, HashMap},
 };
 use foundry_cheatcodes::{CheatcodeAnalysis, CheatcodesExecutor, Wallets};
+use foundry_compilers::ProjectPathsConfig;
 use foundry_evm_core::{
     ContextExt, Env, InspectorExt,
     backend::{DatabaseExt, JournaledState},
@@ -209,6 +210,7 @@ impl InspectorStackBuilder {
             let mut cheatcodes = Cheatcodes::new(config);
             // Set analysis capabilities if they are provided
             if let Some(analysis) = analysis {
+                stack.set_analysis(analysis.clone());
                 cheatcodes.set_analysis(CheatcodeAnalysis::new(analysis));
             }
             // Set wallets if they are provided
@@ -308,11 +310,20 @@ pub struct InspectorStack {
     pub inner: InspectorStackInner,
 }
 
+impl InspectorStack {
+    pub fn paths_config(&self) -> Option<&ProjectPathsConfig> {
+        self.cheatcodes.as_ref().map(|c| &c.config.paths)
+    }
+}
+
 /// All used inpectors besides [Cheatcodes].
 ///
 /// See [`InspectorStack`].
 #[derive(Default, Clone, Debug)]
 pub struct InspectorStackInner {
+    /// Solar compiler instance, to grant syntactic and semantic analysis capabilities.
+    pub analysis: Option<Arc<solar::sema::Compiler>>,
+
     // Inspectors.
     // These are boxed to reduce the size of the struct and slightly improve performance of the
     // `if let Some` checks.
@@ -388,6 +399,12 @@ impl InspectorStack {
         });
     }
 
+    /// Set the solar compiler instance.
+    #[inline]
+    pub fn set_analysis(&mut self, analysis: Arc<solar::sema::Compiler>) {
+        self.analysis = Some(analysis);
+    }
+
     /// Set variables from an environment for the relevant inspectors.
     #[inline]
     pub fn set_env(&mut self, env: &Env) {

@@ -21,6 +21,8 @@ foundry-evm-core.workspace = true
 foundry-evm-coverage.workspace = true
 foundry-evm-traces.workspace = true
 
+solar.workspace = true
+
 alloy-dyn-abi = { workspace = true, features = ["arbitrary", "eip712"] }
 alloy-json-abi.workspace = true
 alloy-primitives = { workspace = true, features = [

@@ -28,6 +28,7 @@ pub use error::FuzzError;
 
 pub mod invariant;
 pub mod strategies;
+pub use strategies::LiteralMaps;
 
 mod inspector;
 pub use inspector::Fuzzer;

@@ -11,7 +11,7 @@ mod calldata;
 pub use calldata::{fuzz_calldata, fuzz_calldata_from_state};
 
 mod state;
-pub use state::EvmFuzzState;
+pub use state::{EvmFuzzState, LiteralMaps};
 
 mod invariants;
 pub use invariants::{fuzz_contract_with_calldata, invariant_strat, override_call_strat};

@@ -170,27 +170,74 @@ pub fn fuzz_param_from_state(
             })
             .boxed(),
         DynSolType::Bool => DynSolValue::type_strategy(param).boxed(),
-        DynSolType::String => DynSolValue::type_strategy(param)
-            .prop_map(move |value| {
-                DynSolValue::String(
-                    value.as_str().unwrap().trim().trim_end_matches('\0').to_string(),
-                )
-            })
-            .boxed(),
+        DynSolType::String => {
+            let state_clone = state.clone();
+            (any::<prop::sample::Index>(), any::<prop::sample::Index>())
+                .prop_flat_map(move |(use_ast_index, select_index)| {
+                    let dict = state_clone.dictionary_read();
+
+                    // AST string literals available: use 30/70 allocation
+                    let ast_strings = dict.ast_strings();
+                    if !ast_strings.is_empty() && use_ast_index.index(10) < 3 {
+                        let s = &ast_strings.as_slice()[select_index.index(ast_strings.len())];
+                        return Just(DynSolValue::String(s.clone())).boxed();
+                    }
+
+                    // Fallback to random string generation
+                    DynSolValue::type_strategy(&DynSolType::String)
+                        .prop_map(|value| {
+                            DynSolValue::String(
+                                value.as_str().unwrap().trim().trim_end_matches('\0').to_string(),
+                            )
+                        })
+                        .boxed()
+                })
+                .boxed()
+        }
         DynSolType::Bytes => {
-            value().prop_map(move |value| DynSolValue::Bytes(value.0.into())).boxed()
+            let state_clone = state.clone();
+            (value(), any::<prop::sample::Index>(), any::<prop::sample::Index>())
+                .prop_map(move |(word, use_ast_index, select_index)| {
+                    let dict = state_clone.dictionary_read();
+
+                    // Try string literals as bytes (10% chance)
+                    let ast_strings = dict.ast_strings();
+                    if !ast_strings.is_empty() && use_ast_index.index(10) < 1 {
+                        let s = &ast_strings.as_slice()[select_index.index(ast_strings.len())];
+                        return DynSolValue::Bytes(s.as_bytes().to_vec());
+                    }
+
+                    // Prefer hex literals (20% chance)
+                    let ast_bytes = dict.ast_bytes();
+                    if !ast_bytes.is_empty() && use_ast_index.index(10) < 3 {
+                        let bytes = &ast_bytes.as_slice()[select_index.index(ast_bytes.len())];
+                        return DynSolValue::Bytes(bytes.to_vec());
+                    }
+
+                    // Fallback to the generated word from the dictionary (70% chance)
+                    DynSolValue::Bytes(word.0.into())
+                })
+                .boxed()
         }
         DynSolType::Int(n @ 8..=256) => match n / 8 {
             32 => value()
                 .prop_map(move |value| DynSolValue::Int(I256::from_raw(value.into()), 256))
                 .boxed(),
             1..=31 => value()
                 .prop_map(move |value| {
-                    // Generate a uintN in the correct range, then shift it to the range of intN
-                    // by subtracting 2^(N-1)
-                    let uint = U256::from_be_bytes(value.0) % U256::from(1).wrapping_shl(n);
-                    let max_int_plus1 = U256::from(1).wrapping_shl(n - 1);
-                    let num = I256::from_raw(uint.wrapping_sub(max_int_plus1));
+                    // Extract lower N bits
+                    let uint_n = U256::from_be_bytes(value.0) % U256::from(1).wrapping_shl(n);
+                    // Interpret as signed int (two's complement) --> check sign bit (bit N-1).
+                    let sign_bit = U256::from(1) << (n - 1);
+                    let num = if uint_n >= sign_bit {
+                        // Negative number in two's complement
+                        let modulus = U256::from(1) << n;
+                        I256::from_raw(uint_n.wrapping_sub(modulus))
+                    } else {
+                        // Positive number
+                        I256::from_raw(uint_n)
+                    };
+
                     DynSolValue::Int(num, n)
                 })
                 .boxed(),
@@ -379,16 +426,18 @@ mod tests {
         FuzzFixtures,
         strategies::{EvmFuzzState, fuzz_calldata, fuzz_calldata_from_state},
     };
+    use alloy_primitives::B256;
     use foundry_common::abi::get_func;
     use foundry_config::FuzzDictionaryConfig;
     use revm::database::{CacheDB, EmptyDB};
+    use std::collections::HashSet;
 
     #[test]
     fn can_fuzz_array() {
         let f = "testArray(uint64[2] calldata values)";
         let func = get_func(f).unwrap();
         let db = CacheDB::new(EmptyDB::default());
-        let state = EvmFuzzState::new(&db, FuzzDictionaryConfig::default(), &[]);
+        let state = EvmFuzzState::new(&db, FuzzDictionaryConfig::default(), &[], None, None);
         let strategy = proptest::prop_oneof![
             60 => fuzz_calldata(func.clone(), &FuzzFixtures::default()),
             40 => fuzz_calldata_from_state(func, &state),
@@ -397,4 +446,63 @@ mod tests {
         let mut runner = proptest::test_runner::TestRunner::new(cfg);
         let _ = runner.run(&strategy, |_| Ok(()));
     }
+
+    #[test]
+    fn can_fuzz_string_and_bytes_with_ast_literals_and_hashes() {
+        use super::fuzz_param_from_state;
+        use crate::strategies::state::LiteralMaps;
+        use alloy_dyn_abi::DynSolType;
+        use alloy_primitives::keccak256;
+        use proptest::strategy::Strategy;
+
+        // Seed dict with string values and their hashes --> mimic `CheatcodeAnalysis` behavior.
+        let mut literals = LiteralMaps::default();
+        literals.strings.insert("hello".to_string());
+        literals.strings.insert("world".to_string());
+        literals.words.entry(DynSolType::FixedBytes(32)).or_default().insert(keccak256("hello"));
+        literals.words.entry(DynSolType::FixedBytes(32)).or_default().insert(keccak256("world"));
+
+        let db = CacheDB::new(EmptyDB::default());
+        let state = EvmFuzzState::new(&db, FuzzDictionaryConfig::default(), &[], None, None);
+        state.seed_literals(literals);
+
+        let cfg = proptest::test_runner::Config { failure_persistence: None, ..Default::default() };
+        let mut runner = proptest::test_runner::TestRunner::new(cfg);
+
+        // Verify strategies generates the seeded AST literals
+        let mut generated_bytes = HashSet::new();
+        let mut generated_hashes = HashSet::new();
+        let mut generated_strings = HashSet::new();
+        let bytes_strategy = fuzz_param_from_state(&DynSolType::Bytes, &state);
+        let string_strategy = fuzz_param_from_state(&DynSolType::String, &state);
+        let bytes32_strategy = fuzz_param_from_state(&DynSolType::FixedBytes(32), &state);
+
+        for _ in 0..256 {
+            let tree = bytes_strategy.new_tree(&mut runner).unwrap();
+            if let Some(bytes) = tree.current().as_bytes()
+                && let Ok(s) = std::str::from_utf8(bytes)
+            {
+                generated_bytes.insert(s.to_string());
+            }
+
+            let tree = string_strategy.new_tree(&mut runner).unwrap();
+            if let Some(s) = tree.current().as_str() {
+                generated_strings.insert(s.to_string());
+            }
+
+            let tree = bytes32_strategy.new_tree(&mut runner).unwrap();
+            if let Some((bytes, size)) = tree.current().as_fixed_bytes()
+                && size == 32
+            {
+                generated_hashes.insert(B256::from_slice(bytes));
+            }
+        }
+
+        assert!(generated_bytes.contains("hello"));
+        assert!(generated_bytes.contains("world"));
+        assert!(generated_strings.contains("hello"));
+        assert!(generated_strings.contains("world"));
+        assert!(generated_hashes.contains(&keccak256("hello")));
+        assert!(generated_hashes.contains(&keccak256("world")));
+    }
 }