Open
Description
Component
Forge
Describe the feature you would like
Currently, the fuzzer fails to break this very simple test case:

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

contract Hash is Test {
    // The fuzzer has to produce v == "hello" to make this assertion fail.
    // solc folds keccak256("hello") into a single PUSH32 constant, so the
    // literal "hello" never appears in the bytecode.
    function testHash(bytes memory v) external {
        assert(keccak256(v) != keccak256("hello"));
    }
}
```
My understanding is the dictionary is seeded using PUSH values from bytecode; therefore, it will not find any constants that are "optimized away" by the compiler. For the example above, `keccak256("hello")` becomes a `PUSH32` with its keccak256 hash in bytecode, as shown below:

```
PUSH32 1c8aff950685c2ed4bc3174f3472287b56d9517b9c948127319a09a7a36deac8
```
As a result, the dictionary will never have "hello".
From what I know, Echidna/Medusa seed their dictionary using outputs from slither, so they do not struggle with this case. It may be beneficial for Foundry to perform some form of AST analysis before fuzzing (in this case, it would just be collecting all literals and constants).
Additional context
No response
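As an added illustration (not Foundry's own code) of the seeding behaviour described in the issue: a linear sweep over EVM bytecode that collects every PUSHn immediate, which is all a PUSH-seeded dictionary can ever see. The bytecode below is constructed by hand, with the PUSH32 from the disassembly above pasted in, rather than compiled from the test contract.

```python
# Added example, not Foundry code: build a fuzz dictionary from PUSH
# immediates, the way the issue says Forge seeds it, and show why the
# literal "hello" can never end up in it.

# keccak256("hello"), taken from the PUSH32 in the disassembly above.
KECCAK_HELLO = bytes.fromhex(
    "1c8aff950685c2ed4bc3174f3472287b56d9517b9c948127319a09a7a36deac8"
)

# Constructed bytecode (not compiled output). Opcodes, in order:
#   PUSH1 0x80, PUSH1 0x40, MSTORE          (typical free-memory-pointer prologue)
#   PUSH32 <keccak256("hello")>, EQ         (the folded constant being compared)
#   PUSH0, PUSH2 0xffff                     (PUSH0 has no immediate; PUSH2 has two)
SAMPLE_CODE = (
    bytes.fromhex("6080604052")
    + b"\x7f" + KECCAK_HELLO
    + bytes.fromhex("14")
    + bytes.fromhex("5f")
    + bytes.fromhex("61ffff")
)


def push_dictionary(code: bytes) -> set[bytes]:
    """Collect every PUSH1..PUSH32 immediate from `code`.

    Every EVM opcode is one byte, except PUSH1..PUSH32 (0x60..0x7f), which
    carry 1..32 immediate bytes. PUSH0 (0x5f) carries none. A push that
    runs past the end of the code (e.g. inside trailing metadata) is skipped.
    """
    consts: set[bytes] = set()
    pc = 0
    while pc < len(code):
        op = code[pc]
        pc += 1
        if 0x60 <= op <= 0x7F:
            n = op - 0x5F
            imm = code[pc:pc + n]
            pc += n
            if len(imm) == n:
                consts.add(imm)
    return consts


if __name__ == "__main__":
    d = push_dictionary(SAMPLE_CODE)
    print("hash present:", KECCAK_HELLO in d)   # True
    print('"hello" present:', b"hello" in d)      # False
```

The dictionary contains the 32-byte hash but not the five-byte preimage, so a mutation step that splices dictionary entries into `v` can never produce the input the assertion needs.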
Metadata
Status: In Progress