See Invariants.t.sol and Handler.t.sol for the code that reproduces the bug.
It should only call public functions inside the handler contract, but seems to randomly attempt direct calls to functions inside systems, which should not happen during such a testing campaign, and which will obviously fail.
Weirdly, under some specific conditions, this doesn't happen at all.
See the last 3 calls in the screenshot:
handler_incrementCounteris called successfully;handler_incrementCounteris called successfully;- a direct call with
calldata=0xd09de08a(which is the selector forincrement()) is made, which reverts.
The first two calls are expected (through the handler), but the third one is absolutely not.