refactor: drop world_state from AVM fuzzer harness

The fuzzer no longer hands a shared on-disk lmdb between the C++ and TS
differential simulators. The C++ FuzzerWorldStateManager now seeds only an
in-memory MemoryMerkleDB (genesis 128), and the TS simulator self-bootstraps a
fresh NativeWorldStateService.tmp() per process. Both produce an identical
genesis by construction (same 128 nullifier/public-data prefill and
header-generator point), so the shared database is unnecessary.

- FuzzerWorldStateManager: remove the world_state::WorldState member; setup
  methods apply only to the in-memory DB; fork() re-seeds the DB and
  checkpoint/commit/revert/reset_world_state become no-ops.
- Drop wsDataDir/wsMapSizeKb from the serialized FuzzerSimulationRequest on
  both sides.
- Remove world_state from the avm_fuzzer CMake dependencies.

Author: charlielye

barretenberg/cpp/src/barretenberg/avm_fuzzer/CMakeLists.txt

@@ -30,7 +30,7 @@ if(FUZZING_AVM)
         TEST_SOURCE_FILES ${TEST_SOURCE_FILES}
         BENCH_SOURCE_FILES ${BENCH_SOURCE_FILES}
         FUZZERS_SOURCE_FILES ${FUZZERS_SOURCE_FILES}
-        DEPENDENCIES vm2 world_state
+        DEPENDENCIES vm2
     )
 
     # Add the harness subdirectory which will create the alu_fuzzer target

barretenberg/cpp/src/barretenberg/avm_fuzzer/common/interfaces/dbs.cpp

@@ -14,7 +14,6 @@
 
 using namespace bb::avm2::simulation;
 using Poseidon2 = bb::crypto::Poseidon2<bb::crypto::Poseidon2Bn254ScalarFieldParams>;
-using namespace bb::world_state;
 
 namespace bb::avm2::fuzzer {
 
@@ -185,57 +184,25 @@ FuzzerWorldStateManager* FuzzerWorldStateManager::instance = nullptr;
 
 void FuzzerWorldStateManager::initialize_world_state()
 {
-    std::unordered_map<simulation::MerkleTreeId, uint32_t> tree_heights{
-        { simulation::MerkleTreeId::NULLIFIER_TREE, NULLIFIER_TREE_HEIGHT },
-        { simulation::MerkleTreeId::NOTE_HASH_TREE, NOTE_HASH_TREE_HEIGHT },
-        { simulation::MerkleTreeId::PUBLIC_DATA_TREE, PUBLIC_DATA_TREE_HEIGHT },
-        { simulation::MerkleTreeId::L1_TO_L2_MESSAGE_TREE, L1_TO_L2_MSG_TREE_HEIGHT },
-        { simulation::MerkleTreeId::ARCHIVE, ARCHIVE_HEIGHT },
-    };
-    std::unordered_map<simulation::MerkleTreeId, index_t> tree_prefill{
-        { simulation::MerkleTreeId::NULLIFIER_TREE, 128 },
-        { simulation::MerkleTreeId::PUBLIC_DATA_TREE, 128 },
-    };
-    uint32_t initial_header_generator_point = 2064783670; // DomainSeparator.BLOCK_HEADER_HASH
-    ws = std::make_unique<world_state::WorldState>(
-        /*thread_pool_size=*/4, DATA_DIR, MAP_SIZE_KB, tree_heights, tree_prefill, initial_header_generator_point);
-
     mem_db = std::make_unique<simulation::MemoryMerkleDB>(
         /*nullifier_tree_prefill=*/128, /*public_data_tree_prefill=*/128);
-
-    fork_ids.push(ws->create_fork(std::nullopt));
-}
-
-WorldStateRevision FuzzerWorldStateManager::get_current_revision() const
-{
-    return WorldStateRevision{ .forkId = fork_ids.top(), .includeUncommitted = true };
 }
 
-WorldStateRevision FuzzerWorldStateManager::fork()
+void FuzzerWorldStateManager::fork()
 {
-    auto fork_id = ws->create_fork(std::nullopt);
-    fork_ids.push(fork_id);
-    // The fuzzer forks once per transaction before applying genesis state, so reset the mirror DB to a
-    // fresh genesis here. This keeps it in lockstep with the freshly-forked world state.
+    // The fuzzer forks once per transaction before applying genesis state, so reset the in-memory DB to a
+    // fresh genesis here. This keeps each input starting from the same state.
     mem_db =
         std::make_unique<simulation::MemoryMerkleDB>(/*nullifier_tree_prefill=*/128, /*public_data_tree_prefill=*/128);
-    return WorldStateRevision{ .forkId = fork_id, .includeUncommitted = true };
-}
-void FuzzerWorldStateManager::reset_world_state()
-{
-    // We keep the initial fork, so pop until only one remains
-    while (fork_ids.size() != 1) {
-        ws->delete_fork(fork_ids.top());
-        fork_ids.pop();
-    }
 }
+
+void FuzzerWorldStateManager::reset_world_state() {}
+
 void FuzzerWorldStateManager::register_contract_address(const AztecAddress& contract_address)
 {
     NullifierLeafValue contract_nullifier =
         unconstrained_silo_nullifier(CONTRACT_INSTANCE_REGISTRY_CONTRACT_ADDRESS, contract_address);
     fuzz_info("Registering contract address in world state: ", contract_nullifier.nullifier);
-    auto fork_id = fork_ids.top();
-    ws->insert_indexed_leaves<NullifierLeafValue>(MerkleTreeId::NULLIFIER_TREE, { contract_nullifier }, fork_id);
     mem_db->insert_indexed_leaves_nullifier_tree(contract_nullifier);
 }
 
@@ -248,28 +215,18 @@ void FuzzerWorldStateManager::write_fee_payer_balance(const AztecAddress& fee_pa
         Poseidon2::hash({ DOM_SEP__PUBLIC_STORAGE_MAP_SLOT, FEE_JUICE_BALANCES_SLOT, fee_payer });
     FF leaf_slot = Poseidon2::hash({ DOM_SEP__PUBLIC_LEAF_SLOT, FF(FEE_JUICE_ADDRESS), fee_juice_balance_slot });
 
-    // Write to public data tree using current fork
-    auto fork_id = fork_ids.top();
-    ws->update_public_data(PublicDataLeafValue(leaf_slot, balance), fork_id);
     mem_db->insert_indexed_leaves_public_data_tree(PublicDataLeafValue(leaf_slot, balance));
 }
 
 void FuzzerWorldStateManager::public_data_write(const bb::crypto::merkle_tree::PublicDataLeafValue& public_data)
 {
-    auto fork_id = fork_ids.top();
-    ws->update_public_data(public_data, fork_id);
     mem_db->insert_indexed_leaves_public_data_tree(public_data);
 }
 
 void FuzzerWorldStateManager::append_note_hashes(const std::vector<FF>& note_hashes)
 {
-    auto fork_id = fork_ids.top();
-
     uint64_t padding_leaves = MAX_NOTE_HASHES_PER_TX - (note_hashes.size() % MAX_NOTE_HASHES_PER_TX);
 
-    ws->append_leaves(MerkleTreeId::NOTE_HASH_TREE, note_hashes, fork_id);
-    ws->append_leaves(MerkleTreeId::NOTE_HASH_TREE, std::vector<FF>(padding_leaves, FF(0)), fork_id);
-
     mem_db->append_leaves(simulation::MerkleTreeId::NOTE_HASH_TREE, note_hashes);
     mem_db->append_leaves(simulation::MerkleTreeId::NOTE_HASH_TREE, std::vector<FF>(padding_leaves, FF(0)));
 }

barretenberg/cpp/src/barretenberg/avm_fuzzer/common/interfaces/dbs.hpp

@@ -3,11 +3,10 @@
 #include <memory>
 #include <stack>
 
+#include "barretenberg/crypto/merkle_tree/indexed_tree/indexed_leaf.hpp"
 #include "barretenberg/vm2/common/aztec_types.hpp"
 #include "barretenberg/vm2/simulation/interfaces/db.hpp"
 #include "barretenberg/vm2/simulation/lib/memory_merkle_db.hpp"
-#include "barretenberg/world_state/types.hpp"
-#include "barretenberg/world_state/world_state.hpp"
 
 namespace bb::avm2::fuzzer {
 
@@ -56,19 +55,13 @@ class FuzzerContractDB : public simulation::ContractDBInterface {
     std::stack<Checkpoint> checkpoints;
 };
 
-// Set up and manage a world state for the fuzzer, the plan is to use this to set up different world states
-// This is a bit of hack since we need to access the world state in both cpp and ts. Normally, ws is instantiated
-// inside ts and we use napi to access it from cpp, but for the fuzzer we want to instantiate it in cpp and access it
-// from ts. The simplest way is to use the same database files from both cpp and ts, this is fine for now since we know
-// only one thing will be writing to it at a time.
-// FIXME(ilyas): This won't work with multiple concurrent fuzzing processes, but that's ok for now.
+// Seeds and manages the genesis state the fuzzer simulates against.
+// The C++ simulator runs against copies of the in-memory MemoryMerkleDB seeded here, and the TS
+// differential simulator self-bootstraps an identical genesis (a fresh NativeWorldStateService) on its
+// side. Both sides use the same 128 nullifier/public-data tree prefill and header-generator point, so the
+// genesis states match by construction without any shared on-disk database.
 class FuzzerWorldStateManager {
   public:
-    // Shared constants for C++ and TypeScript to use the same database
-    // Note: TypeScript expects trees in {DATA_DIR}/world_state/, so we include that subdirectory
-    static constexpr const char* DATA_DIR = "/tmp/avm_fuzzer_ws/world_state";
-    static constexpr uint64_t MAP_SIZE_KB = 10240; // 10 MB
-
     // Static instance management (similar to JsSimulator pattern)
     static void initialize()
     {
@@ -92,33 +85,29 @@ class FuzzerWorldStateManager {
     void public_data_write(const bb::crypto::merkle_tree::PublicDataLeafValue& public_data);
     void append_note_hashes(const std::vector<FF>& note_hashes);
 
-    world_state::WorldStateRevision get_current_revision() const;
-    world_state::WorldStateRevision fork();
-    world_state::WorldState& get_world_state() { return *ws; }
+    // Re-seeds the in-memory merkle DB to a fresh genesis. The fuzzer calls this once per transaction
+    // (before applying that transaction's genesis state) so each input starts from the same state.
+    void fork();
 
-    // The in-memory merkle DB mirrors every genesis mutation applied to the (file-backed) world state.
-    // The C++ simulator runs against a copy of this DB (so the genesis state is preserved across the
-    // fast and hint-collecting simulations), while the TS simulator reads the world state from disk.
+    // The in-memory merkle DB holds the genesis state plus every mutation applied for the current
+    // transaction. The C++ simulator runs against a copy of this DB so the genesis state is preserved
+    // across the fast and hint-collecting simulations.
     const simulation::MemoryMerkleDB& get_memory_merkle_db() const { return *mem_db; }
 
-    void checkpoint() { ws->checkpoint(fork_ids.top()); }
-
-    void commit() { ws->commit_checkpoint(fork_ids.top()); }
-
-    void revert() { ws->revert_checkpoint(fork_ids.top()); }
+    // The C++ simulators run against copies of mem_db and never mutate the seed, so the WorldState
+    // checkpoint/commit/revert dance is no longer needed. Kept as no-ops to preserve the call sites.
+    void checkpoint() {}
 
-    static const char* get_data_dir() { return DATA_DIR; }
+    void commit() {}
 
-    static uint64_t get_map_size_kb() { return MAP_SIZE_KB; }
+    void revert() {}
 
   private:
     static FuzzerWorldStateManager* instance;
 
     void initialize_world_state();
 
-    std::unique_ptr<world_state::WorldState> ws;
     std::unique_ptr<simulation::MemoryMerkleDB> mem_db;
-    std::stack<uint64_t> fork_ids;
 };
 
 } // namespace bb::avm2::fuzzer

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/simulator.cpp

@@ -22,14 +22,11 @@
 #include "barretenberg/vm2/simulation/lib/contract_crypto.hpp"
 #include "barretenberg/vm2/simulation/lib/serialization.hpp"
 #include "barretenberg/vm2/simulation_helper.hpp"
-#include "barretenberg/world_state/types.hpp"
-#include "barretenberg/world_state/world_state.hpp"
 
 using bb::avm2::GlobalVariables;
 using namespace bb::avm2;
 using namespace bb::avm2::simulation;
 using namespace bb::avm2::fuzzer;
-using namespace bb::world_state;
 
 constexpr auto MAX_RETURN_DATA_SIZE_IN_FIELDS = 1024;
 
@@ -47,8 +44,6 @@ std::string serialize_simulation_request(
     std::vector<std::pair<AztecAddress, ContractInstance>> instances_vec = contract_db.get_contract_instances();
 
     FuzzerSimulationRequest request{
-        .ws_data_dir = FuzzerWorldStateManager::get_data_dir(),
-        .ws_map_size_kb = FuzzerWorldStateManager::get_map_size_kb(),
         .tx = tx,
         .globals = globals,
         .contract_classes = std::move(classes_vec),

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzz_lib/simulator.hpp

@@ -18,8 +18,6 @@ using namespace bb::avm2;
  * Contains all data needed for the TS simulator to execute a transaction.
  */
 struct FuzzerSimulationRequest {
-    std::string ws_data_dir;
-    uint64_t ws_map_size_kb;
     Tx tx;
     GlobalVariables globals;
     std::vector<ContractClass> contract_classes;
@@ -32,15 +30,8 @@ struct FuzzerSimulationRequest {
     // Protocol contracts mapping (canonical address index -> derived address)
     ProtocolContracts protocol_contracts;
 
-    MSGPACK_CAMEL_CASE_FIELDS(ws_data_dir,
-                              ws_map_size_kb,
-                              tx,
-                              globals,
-                              contract_classes,
-                              contract_instances,
-                              public_data_writes,
-                              note_hashes,
-                              protocol_contracts);
+    MSGPACK_CAMEL_CASE_FIELDS(
+        tx, globals, contract_classes, contract_instances, public_data_writes, note_hashes, protocol_contracts);
 };
 
 struct SimulatorResult {

barretenberg/cpp/src/barretenberg/avm_fuzzer/fuzzer_lib.cpp

@@ -27,9 +27,9 @@
 #include "barretenberg/vm2/tooling/stats.hpp"
 #include "barretenberg/vm2/tracegen_helper.hpp"
 
+using namespace bb;
 using namespace bb::avm2::fuzzer;
 using namespace bb::avm2::simulation;
-using namespace bb::world_state;
 
 extern size_t LLVMFuzzerMutate(uint8_t* Data, size_t Size, size_t MaxSize);
 

yarn-project/simulator/src/public/fuzzing/avm_fuzzer_simulator.ts

@@ -44,8 +44,6 @@ import { PublicTxSimulator } from '../public_tx_simulator/public_tx_simulator.js
  */
 export class FuzzerSimulationRequest {
   constructor(
-    public readonly wsDataDir: string,
-    public readonly wsMapSizeKb: number,
     public readonly tx: AvmTxHint,
     public readonly globals: GlobalVariables,
     public readonly contractClasses: any[], // Raw, processed by addContractClassFromCpp
@@ -60,8 +58,6 @@ export class FuzzerSimulationRequest {
       return obj;
     }
     return new FuzzerSimulationRequest(
-      obj.wsDataDir,
-      obj.wsMapSizeKb,
       AvmTxHint.fromPlainObject(obj.tx),
       GlobalVariables.fromPlainObject(obj.globals),
       obj.contractClasses,

yarn-project/simulator/src/public/fuzzing/avm_simulator_bin.ts

@@ -1,5 +1,4 @@
 import { Fr } from '@aztec/foundation/curves/bn254';
-import { EthAddress } from '@aztec/foundation/eth-address';
 import {
   AvmCircuitPublicInputs,
   type AvmTxHint,
@@ -27,31 +26,18 @@ function writeOutput(data: string): Promise<void> {
   });
 }
 
-// This cache holds opened world states to avoid reopening them for each invocation.
-// It's a map so that in the future we could support multiple world states (if we had multiple fuzzers).
-const worldStateCache = new Map<string, NativeWorldStateService>();
+// The fuzzer self-bootstraps its own world state instead of reading a shared on-disk database written by
+// the C++ side. A fresh NativeWorldStateService produces a genesis identical to the C++ MemoryMerkleDB by
+// construction (same 128 nullifier/public-data tree prefill and header-generator point), and the dynamic
+// state is applied per-input below. The instance is opened once and reused across inputs; each input forks
+// from it (in AvmFuzzerSimulator.create).
+let worldStatePromise: Promise<NativeWorldStateService> | undefined;
 
-async function openExistingWorldState(dataDir: string, mapSizeKb: number): Promise<NativeWorldStateService> {
-  const cached = worldStateCache.get(dataDir);
-  if (cached) {
-    return cached;
-  }
-
-  const ws = await NativeWorldStateService.new(EthAddress.ZERO, dataDir, {
-    archiveTreeMapSizeKb: mapSizeKb,
-    nullifierTreeMapSizeKb: mapSizeKb,
-    noteHashTreeMapSizeKb: mapSizeKb,
-    messageTreeMapSizeKb: mapSizeKb,
-    publicDataTreeMapSizeKb: mapSizeKb,
-  });
-
-  worldStateCache.set(dataDir, ws);
-  return ws;
+function getWorldState(): Promise<NativeWorldStateService> {
+  return (worldStatePromise ??= NativeWorldStateService.tmp());
 }
 
 async function simulateWithFuzzer(
-  dataDir: string,
-  mapSizeKb: number,
   txHint: AvmTxHint,
   globals: GlobalVariables,
   rawContractClasses: any[], // Replace these when we are moving contract classes to TS
@@ -66,7 +52,7 @@ async function simulateWithFuzzer(
   publicInputs: AvmCircuitPublicInputs;
   publicTxEffect: PublicTxEffect;
 }> {
-  const worldStateService = await openExistingWorldState(dataDir, mapSizeKb);
+  const worldStateService = await getWorldState();
 
   const simulator = await AvmFuzzerSimulator.create(worldStateService, globals, protocolContracts);
 
@@ -110,8 +96,6 @@ async function execute(base64Line: string): Promise<void> {
 
     // Run the TS simulation
     const result = await simulateWithFuzzer(
-      request.wsDataDir,
-      request.wsMapSizeKb,
       request.tx,
       request.globals,
       request.contractClasses,