feat(invariant): gas-envelope fuzzing via invariant.gas_fuzz

[grandizzy]

OSS-185

Motivation

Foundry's invariant runner currently treats tx.gas_limit and tx.gasprice
as fixed environmental constants. Bugs that only surface when an inner call
runs out of gas — swallowed-OOG state corruption, single-selector gas DoS,
half-applied multi-step writes — are unreachable from the invariant
harness today.

This PR adds a single opt-in flag, invariant.gas_fuzz, that turns on:

1. Per-call tx.gas_limit randomization via a razor-power-law sampler
   centered on the observed natural cost of each (target, selector).
2. Per-call tx.gasprice randomization (calibration-free).
3. Per-selector peak-gas tracking + a colored "Max Gas" column in
   the metrics table, with thresholds tied to the configured block gas
   limit.

The strategy deliberately starves calls just below their observed natural
cost so user invariants about post-conditions catch the divergence when the
sub-step OOGs but the outer call proceeds.

UX changes

New config (default: false, no behavior change for existing tests)

[invariant]
gas_fuzz = true

Setting gas_fuzz = true implicitly enables the metrics table display
(independent of show_metrics) because the "Max Gas" column is the
primary surface for the feature.

New metrics column (only when gas_fuzz = true)

Max Gas is appended to the existing Calls | Reverts | Discards table.
Cell color is driven by the share of the block gas limit consumed by a
single call:

Color	Threshold	Meaning
cyan	< 25% of block gas limit	safe
yellow	≥ 25%	warning — investigate
red	≥ 50%	DoS risk — single tx eats the block

New JSON fields (omitted when zero)

InvariantMetrics gains max_gas: u64 and max_gas_sequence: Vec<BasicTxDetails> so --json consumers can pipe peak gas + a
reproducer sequence into dashboards.

How the sampler works

crates/evm/fuzz/src/strategies/gas_sampler.rs:

• GasObservations: campaign-scoped (target, selector) -> max gas_used
  tracker, Arc<RwLock<HashMap>>.
• sample_gas_limit — razor-power-law (k=4):
  • 15% natural (no override; also keeps the observation tracker honest).
  • 80% in [50% · max, max) biased toward max.
  • 5% in [10% · max, 30% · max) for griefing / DoS paths.
  • Floors at 50k gas; skips selectors whose observed max is < 100k.
• sample_gas_price — 40% zero / 40% [1, 1e10) / 20% [1e10, 1e12) wei.

Only natural-gas runs (no override) feed the observation tracker, so
truncated-OOG gas_used doesn't poison the running max.

Comparison with Echidna and Medusa

Note: the genuinely new bit is the adaptive, campaign-scoped
(target, selector) → max gas_used observation feeding a razor-power-law
sampler in [50%, 100%) of natural cost — i.e. driving execution into
the OOG razor on purpose. Both Echidna and Medusa expose only static
gas-limit configuration; Echidna additionally randomizes gas price up to
a static cap, but neither adapts gas to per-selector behaviour or
persists per-call gas in the corpus for replay.

Capability	Foundry (this PR)	Echidna	Medusa
Per-call tx.gas_limit randomization	✅ adaptive razor-power-law sampler centered on observed per-(target,selector) peak	❌ static configured tx gas limit	❌ static configured blockGasLimit / transactionGasLimit
Per-call tx.gasprice randomization	✅ 40/40/20, calibration-free, persisted in CallDetails for replay	✅ random gas price up to static maxGasprice cap; not adaptive, not persisted per-call for replay	❌
Per-selector peak-gas tracking	✅ "Max Gas" column (per (target,selector), campaign-scoped, color-coded)	⚠️ historical estimateGas was experimental and removed in 2.2.7	⚠️ available in traces, not aggregated
Actively drives execution to the OOG razor	✅ (the point of this PR)	❌ (passive observer)	❌ (passive observer)
Catches swallowed-OOG state-corruption bugs	✅	❌ unless full tx reverts	❌ unless full tx reverts

[0xalpharush]

Can you post results of a bench run?

[grandizzy]

Benchmark: 1h Aave v4 SCFuzzBench, PR #14902 gas_fuzz overhead check

Comparing throughput, coverage, and bug discovery across configurations on the Recon-Fuzz/aave-v4-scfuzzbench suite (forge test --mc CryticToFoundry, FOUNDRY_INVARIANT_TIMEOUT=3600, all runs on the same host).

Methodology note

After #14844 merged "Group invariant campaigns by test contract", a single forge test --mc CryticToFoundry invocation now runs one merged campaign covering all 10 invariants instead of 10 independent campaigns. To recover comparable CPU effort (~10 CPU-hours/run), runs fan out 10 parallel forge processes, each in its own scratch copy. To control for cross-seed variance, the OFF-mode comparison was run twice with two disjoint seed sets (42–51 and 52–61).

aave-v4-scfuzzbench commit: e54577dc1. PR head: 4661bf390.

Throughput & coverage

Run	seeds	total txs	tx/s agg	edges (avg/seed)	peak RSS
#14853 hash+depth (old, ref)	—	32.16M	8938 per-stream	371–409	4.19 GB (single proc)
master 0659e1dbc	42–51	30.92M	8594	~375	1.35 GB/seed
master 0659e1dbc	52–61	30.56M	8494	~370	1.35 GB/seed
PR #14902 gas_fuzz=OFF	42–51	29.45M	8188	~375	1.33 GB/seed
PR #14902 gas_fuzz=OFF	52–61	28.47M	7915	~370	1.33 GB/seed
PR #14902 gas_fuzz=ON	42–51	30.45M	8464	~442	1.35 GB/seed

Paired Δ vs master on identical seeds: −4.7% (42–51), −6.8% (52–61). Average ~−5.8% throughput regression on the OFF default path.

Bugs found (union of [FAIL] lines across seeds)

Run	seeds	invariants	handlers	total
#14853 hash+depth	—	5	3	8
master	42–51	4	4	8
master	52–61	3	3	6
PR gas_fuzz=OFF	42–51	5	4	9
PR gas_fuzz=OFF	52–61	4	5	9
PR gas_fuzz=ON	42–51	3	3	6

Cross-batch variance is substantial on master (8 → 6) and on OFF (9 → 9). The bug deltas should be read as PR finds more bugs reliably across both batches in OFF mode, not as a precise count.

Max Gas distribution (gas_fuzz=ON, seed42 representative)

Top-10 selectors by observed Max Gas:

Selector	Calls	Reverts	Max Gas
iSpoke_borrow	153,762	150,269 (97.7%)	581,631
iAaveOracle_setPrice	213,164	67,067 (31.5%)	548,424
iSpoke_withdraw_ASSERTION_WITHDRAW_DOS	146,769	141,050	497,974
iSpoke_updateUserDynamicConfig	132,692	10,019	418,545
iSpoke_updateUserRiskPremium	122,980	9,995	412,155
iSpoke_setUsingAsCollateral	170,449	28,049	410,520
iSpoke_supply_ASSERTION_SUPPLY_DOS	140,840	78,945	404,025
iHub_mintFeeShares_ASSERTION_MINT_FEE_SHARES_PPS_CHANGE	135,250	123,286	363,248
iSpoke_repay_ASSERTION_REPAY_DOS	112,087	111,571	343,610
iHub_setInterestRateData	131,475	120,318	313,611

Two selectors registered Max Gas = 0 (zero successful execution):

Selector	Calls	Reverts
iHub_updateAssetConfig	144,742	144,742 (100%)
iSpoke_liquidationCall_ASSERTION_LIQUIDATION_CALL_DOS	158,244	158,244 (100%)

Both are scfuzzbench harness artifacts, not foundry issues:

• iSpoke_liquidationCall_*_DOS uses a try { ... } catch { require(false) } pattern by design — every call enters the catch and discards.
• iHub_updateAssetConfig is an asAdmin config-mutation handler whose InterestRateData struct input isn't being generated in a valid shape.

The Max Gas column surfacing these is a useful side benefit of the feature.

Findings

1. gas_fuzz=ON delivers a large coverage uplift. Edges jump to ~442 avg (vs ~375 OFF — +18%), aggregate throughput rises +3.4% over OFF. Per-process peak RSS unchanged.

2. OFF-mode regression is real and reproduces on two seed sets. Average ~−5.8% throughput vs master on the default path. An earlier revision (9301b445b) widened CallDetails by two Option<u64> (+32 bytes), copied into every BasicTxDetails. Commit 4661bf390 boxes the overrides behind Option<Box<GasOverrides>> (8 bytes inline, niche-optimized, allocation-free when OFF, JSON shape preserved via serde(flatten)). That recovered the per-tx-layout portion of the regression; a residual ~5% gap remains and is mode-agnostic (ON mode shows the same magnitude drop vs the pre-fix ON measurement), suggesting a campaign-scoped cost rather than per-tx. Initial bisection toward record_metrics was inconclusive — the residual source has not been localized.

3. Bug-finding is consistently better on the PR. OFF mode hit 9 unique bugs across both seed batches (42–51 and 52–61) vs master's 8 / 6. Both v1 and v2 variants of totalBorrowedLessThanSupplied plus all 4 handlers landed in both PR batches. Caveat: the PR changes RNG consumption order, so "seed 42" explores a different campaign in PR vs master — part of the bug delta may be sampling artifact rather than search-quality improvement. The trend is consistent across two seed sets, which is suggestive but not statistically tight.

4. gas_fuzz=ON finds 6 unique bugs — fewer than OFF's 9. ON misses invariant_totalBorrowedLessThanSupplied_v1, _v2, and iSpoke_repay_ASSERTION_REPAY_DOS — all "deep state" bugs requiring multi-call setup chains. The wider gas envelope trades depth for breadth: more code paths attempted (+18% edges), fewer deep sequences completed before OOG. This reproduces identically on the boxed-fix binary, so it's a behavior of the gas-envelope sampling itself, not the plumbing. Worth a follow-up to understand whether the new distribution is hiding these bugs or just pushing their discovery threshold past 1h.

5. The Max Gas column delivers value beyond bug-finding. Surfaces two handlers producing zero successful executions — a harness-quality signal invisible from Calls/Reverts/Discards alone.

Conclusion

The feature delivers a substantial coverage uplift (+18% edges) and consistent bug-finding gains on the suite tested, with the cost of a ~5% throughput regression on the default OFF path. The OFF-mode per-tx layout cost has been diagnosed and fixed in 4661bf390; a residual campaign-scoped ~5% gap remains unattributed and affects both modes equally. Recommended path: merge with the opt-in flag as drafted (no behavioral surprise for existing users), file the residual gap and the ON-mode v1/v2 starvation as follow-ups.

[0xalpharush]

The feature delivers a substantial coverage uplift (+18% edges)

Would be nice to know specifically the area of code that is covered using lcov-diff

My suggestion would to do a 2nd experiment, setting gaslimit to 2^24 (https://eips.ethereum.org/EIPS/eip-7825) by default, and adding a mutator that does rng.range(tx.gaslimit/2, tx.gaslimit*2).max( 2^24). If we can avoid calibration and having an additional config w/o perf hit, I think that'd be simpler.

[grandizzy]

My suggestion would to do a 2nd experiment, setting gaslimit to 2^24 (https://eips.ethereum.org/EIPS/eip-7825) by default, and adding a mutator that does rng.range(tx.gaslimit/2, tx.gaslimit*2).max( 2^24). If we can avoid calibration and having an additional config w/o perf hit, I think that'd be simpler.

@0xalpharush pls check 1e08588 and comparison below, looks much cleaner

Benchmarks — this PR vs master

Workload: scfuzzbench, 10 parallel 1h forge test runs per seed (--fuzz-seed N), aggregated per seed batch.

run	mode	total txs	agg tx/s	avg edges	unique bugs
master 0659e1dbc, seeds 42–51	n/a	30.92M	8594	~375	8
master 0659e1dbc, seeds 52–61	n/a	30.56M	8494	~370	6
this PR HEAD, seeds 42–51	ON	27.98M	7777	~372	9
this PR HEAD, seeds 52–61	ON	28.45M	7910	~371	6

unique bugs = cumulative invariant + handler bugs surfaced across the 10 seeds in the batch.

Findings

1. Bug discovery. PR ON beats master on seeds 42–51 (9 vs 8) and matches master on seeds 52–61 (6 vs 6).
2. Throughput. PR ON is −9.5% on 42–51 and −6.9% on 52–61 vs master — well inside the per-seed-batch noise seen in the master rows themselves.
3. Edge coverage. PR ON sits in master's range (~371–372 vs ~370–375).
4. gas_fuzz=OFF path. The design adds no campaign-scoped state, no per-call heap allocation, and no extra fields on CallDetails beyond a single Option<u64>, so the OFF path is the same hot path as master and was not re-measured.

Conclusion

A single-knob design: when invariant.gas_fuzz=true, each call's tx.gas_limit is drawn uniformly in [2^24, 2^25). No per-(target, selector) state, no calibration, no gas_price envelope, no boxed override struct — CallDetails carries one extra Option<u64> gas_limit field. Same or better bug discovery than master, no OFF-mode regression.

[mablr]

lgtm !

pending @0xalpharush :)

[mablr]

gas_fuzz never stamps generated calls with a sampled gas limit. invariant_strat receives config, but here we return always CallDetails { ..., gas_limit: None }, and sample_gas_limit is only referenced by its unit test. As written, enabling invariant.gas_fuzz adds reporting, but does not randomize tx.gaslimit(). Let's thread config.gas_fuzz into the call-details strategy and set Some(sample_gas_limit(...)) only when enabled?