feat: Refactor assumeNot* std cheats
#407
Conversation
Sabnock01
changed the title
vm address from assumeNoPrecompilesvm address from assumeNoPrecompiles
src/StdCheats.sol
Outdated
| @@ -228,7 +228,7 @@ abstract contract StdCheatsSafe { | |||
| // address), but the same rationale for excluding them applies so we include those too. | |||
|
|
|||
| // These should be present on all EVM-compatible chains. | |||
| vm.assume(addr < address(0x1) || addr > address(0x9)); | |||
| vm.assume((addr < address(0x1) || addr > address(0x9)) && addr != address(vm)); | |||
There was a problem hiding this comment.
Should we also exclude the console.log address here, which is 0x000000000000000000636F6e736F6c652e6c6f67?
Though, both vm and console aren't technically precompiles in the sense meant by this function, so perhaps we should instead go with something like this:
enum AddressType {
ZeroAddress,
Precompiles
Payable
NonPayable
ForgeAddresses
...whatever else
}
function assumeAddressIsNot(AddressType addressType) internal { ... }
function assumeAddressIsNot(AddressType addressType1, AddressType addressType2) internal { ... }
// repeat for length of the enumThe latter would be my preference because it scales better and provides a consistent UX for all address types. There's some decisions though, e.g. is the default test contract address part of the ForgreAddresses type, with the vm and console address, or should it be a separate type that we split into ForgePrecompiles and ForgeAddresses or something like that
There was a problem hiding this comment.
I like this approach much better. Will rework.
There was a problem hiding this comment.
Wrote impl's for both the array and overloaded versions. Prefer the array version personally. Less code and easier to test. Either one is fine though.
Two questions though:
- How do you propose to assert that an address is payable vs nonpayable and why include those in the enum exactly? Not positive if there's an optimal way to do this other than doing
callon the address with somemsg.valueand checkingsuccess. - In both impl's, I have functions for each enum type that I check against in
assumeAddressIsNotbut both this and the overloaded version fail with too manyvm.assumerejects when using a fuzz test.
What do you think of this method of testing where instead of calling assumeAddressIsNot all the derivative functions are called?
function testAssumeAddressIsNot(address addr) external {
assumeNoZeroAddress(addr);
assumeNoPrecompiles(addr, getChain("optimism_goerli").chainId);
assumeNoForgeAddresses(addr);
assertTrue(addr != address(0));
assertTrue(
addr < address(1) || (addr > address(9) && addr < address(0x4200000000000000000000000000000000000000))
|| addr > address(0x4200000000000000000000000000000000000800)
);
assertTrue(addr != 0x7109709ECfa91a80626fF3989D68f67F5b1DD12D && addr != 0x000000000000000000636F6e736F6c652e6c6f67);
}There was a problem hiding this comment.
Prefer the array version personally. Less code and easier to test
How is the UX with the array version? Main reason I though overloads would be better is:
// This seems like good UX for devs
assumeAddressIsNot(1, 2, 3);
// This seems like bad UX (using a uint instead of enum for brevity in this example)
uint[] memory x = new uint[](3);
x[0] = 1;
x[1] = 2;
x[2] = 3;
assumeAddressIsNot(x);How do you propose to assert that an address is payable vs nonpayable and why include those in the enum exactly? Not positive if there's an optimal way to do this other than doing
callon the address with somemsg.valueand checkingsuccess.
In the forge-std assumePayable method we just check success on a zero value call. But on second thought I'm not sure if our tests are sufficiently robust, e.g. if a contract has a non-payable fallback and no receive, that contract is not payable, and I think our assumePayable would wrongly return true.
Better way is probably what you said, specifically:
- Return true if address has no code
- Otherwise, ensure recipient's current ETH balance is less than maxUint, deal 1 wei to test contract, send it to recipient and check success, reset test contract and recipient balances to their original values.
In both impl's, I have functions for each enum type that I check against in
assumeAddressIsNotbut both this and the overloaded version fail with too manyvm.assumerejects when using a fuzz test. What do you think of this method of testing where instead of callingassumeAddressIsNotall the derivative functions are called?
If it helps, we can raise the assume limit for that test only using the inline config approach. I think the most robust way would be something like the below, so if a new address type is added it's automatically tested
function testAssumeAddressIsNot(address addr) external {
for (uint8 i = 0; i < type(AddressType).max; i++) {
assumeAddressIsNot(AddressType(i));
}
assertTrue(addr != address(0));
assertTrue(
addr < address(1) || (addr > address(9) && addr < address(0x4200000000000000000000000000000000000000))
|| addr > address(0x4200000000000000000000000000000000000800)
);
assertTrue(addr != 0x7109709ECfa91a80626fF3989D68f67F5b1DD12D && addr != 0x000000000000000000636F6e736F6c652e6c6f67);
}There was a problem hiding this comment.
Did not know of in-line config!
Also UX is certainly worse with the array impl but it's less code for StdCheats.sol is what I meant. But on second thought, we needn't concern ourselves about that so I am in favor of the overloaded one.
Few more q's if you don't mind:
- That for loop is valid Solidity? Don't think there's a built-in way to get the length of an enum and it doesn't seem to work in either my forge test or chisel.
PayableandNonPayableare mutually exclusive right, so we wouldn't need to iterate through the whole enum but instead n - 1?- You still have to provide the address itself as an argument to
assumeAddressIsNotright? That's the wayassumeNoBlacklisted,assumeNoPrecompiles, andassumePayableare.
There was a problem hiding this comment.
That for loop is valid Solidity? Don't think there's a built-in way to get the length of an enum and it doesn't seem to work in either my forge test or chisel.
Hm it should work, see the solidity docs:
Using
type(NameOfEnum).minandtype(NameOfEnum).maxyou can get the smallest and respectively largest value of the given enum.
PayableandNonPayableare mutually exclusive right, so we wouldn't need to iterate through the whole enum but instead n - 1?
Ah good point. So maybe we put payable/nonpayable as indexes 0 and 1 in the enum, then we have:
- main test that iterates through indicies 2-n for the non-mutually-exclusive cases
- second test for payable
- third test for nonpayable
Wdyt of that? This way new values added to the end of the enum are automatically tested
You still have to provide the address itself as an argument to
assumeAddressIsNotright? That's the wayassumeNoBlacklisted,assumeNoPrecompiles, andassumePayableare.
Oops yes, sorry forgot to include that 😅
There was a problem hiding this comment.
type(AddressType).max as it turns out returns an enum so it's trivial enough just to cast to uint8.
And I like the testing structure though even when setting max_fuzz_rejects to some absurdly high number like 10_000_000 which takes several minutes to complete, a fuzz test on assumeNoNonPayable still fails with too many rejects. Separately, was not able to get the in-line config to work for this even though it's documented. Will open issue.
So for both assumeNoPayable and assumeNonPayable I went with modified versions of the old test for the now deprecated assumePayable.
Latest impl pushed.
There was a problem hiding this comment.
Awesome sounds great, thanks! Lmk if this is ready for review or if you still have changes left—will be tied up today/tomorrow but should be able to review this thursday
There was a problem hiding this comment.
It's ready for review!
Sabnock01
changed the title
vm address from assumeNoPrecompilesassumeNot* std cheats
Cool. I like all of these suggestions. It's a big PR to be fair. |
|
Let me know what you make of these adjustments. |
|
This looks great, thanks a lot @Sabnock01! I pushed one commit with a few small tweaks, lmk if you have any feedback/objections there, and afterwards I'll merge |
These are good. Should have caught more of them honestly but was a pleasure working with you on this one. |
|
Likewise, thanks for the quality PR! '🙌 I'll be putting out a new forge-std release with this shortly |
There was a breaking change introduced in `forge-std` at foundry-rs/forge-std#407 which breaks compilation of `Rln.t.sol` with `[email protected]`. This commit updates the dependency to v1.6.0 and adjusts the test source such that it successfully compiles. Another way to go about this would've been to just stick with `v1.5.6.` and ensuring installation of that version. However, I've decided to update the dependency to the latest stable version instead.
There was a breaking change in foundry-rs/forge-std#407 which renamed `assumeNoPrecompiles()` to `assumeNotPrecompile`.
There was a breaking change introduced in `forge-std` at foundry-rs/forge-std#407 which breaks compilation of `Rln.t.sol` with `[email protected]`. This commit updates the dependency to v1.6.0 and adjusts the test source such that it successfully compiles. Another way to go about this would've been to just stick with `v1.5.6.` and ensuring installation of that version. However, I've decided to update the dependency to the latest stable version instead.
There was a breaking change in foundry-rs/forge-std#407 which renamed `assumeNoPrecompiles()` to `assumeNotPrecompile`.
Excludes the
vmaddress0x7109709ECfa91a80626fF3989D68f67F5b1DD12Dfrom theassumeNoPrecompilescheat code.Resolves #405
Note that
address(vm)is used instead ofaddress(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D)(such as intestAssumePayable) so that it fits squarely into the current implementation of the cheat code and respective test with minimal confusion. Open to changing this though.