Fuzz fixes (#1249)

This contains the results of a few days of both reproducing and fixing fuzz bugs and also hacking on the fuzzer: 1. Fixes #1203 which was a somewhat subtle budget-error-escalation bug the fuzzer found. 2. Fixes a couple other instances of that pattern. 3. Fixes a fuzzer-found instance of a frame invariant corruption. 4. Moves the machinery the fuzzer needs from tests/utils (which was guarded by `cfg(test)` so inaccessible to `testutils` and guards it with `cfg(feature="testutils")` 5. Removes the duplicate code in the fuzzer lib and instead uses host testutils 6. Extends testutils to record the storage map and then switch to enforcing, rather than manually building the enforcing map 7. Removes the other non-expr fuzz case, it's redundant. 8. Adds some scaffolding for fuzz debugging. 9. Adds support for passing arguments to the fuzzer to enable access to storage and cross-contract calls. 10. Fix the thing where we rebuild every time due to build.rs not being conservative enough
stellar · Nov 27, 2023 · 8265384 · 8265384
1 parent bb55c40
commit 8265384
Show file tree

Hide file tree

Showing 34 changed files with 375 additions and 474 deletions.
diff --git a/soroban-env-common/build.rs b/soroban-env-common/build.rs
@@ -1,3 +1,4 @@
 pub fn main() {
+    println!("cargo:rerun-if-changed=build.rs");
     crate_git_revision::init();
 }
diff --git a/soroban-env-host/build.rs b/soroban-env-host/build.rs
@@ -1,4 +1,5 @@
 fn main() {
+    println!("cargo:rerun-if-changed=build.rs");
     let opt_level = std::env::var("OPT_LEVEL").unwrap_or_else(|_| "0".to_string());
     if opt_level != "0" {
         println!("cargo:rustc-cfg=opt_build");

diff --git a/soroban-env-host/fuzz/.vscode/launch.json b/soroban-env-host/fuzz/.vscode/launch.json
@@ -0,0 +1,19 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "type": "lldb",
+            "request": "launch",
+            "name": "Debug fuzz artifact",
+            "program": "${workspaceFolder}/target/x86_64-unknown-linux-gnu/debug/expr",
+            "args": [
+                "-artifact_prefix=${workspaceFolder}/artifacts/expr/",
+                "artifacts/expr/crash-7b18da95a61f3f9e45457852fd98c958d49fe603"
+            ],
+            "cwd": "${workspaceFolder}"
+        }
+    ]
+}
diff --git a/soroban-env-host/fuzz/Cargo.lock b/soroban-env-host/fuzz/Cargo.lock
diff --git a/soroban-env-host/fuzz/Cargo.toml b/soroban-env-host/fuzz/Cargo.toml
@@ -12,7 +12,6 @@ libfuzzer-sys = "0.4"
 arbitrary = { version = "1.3.0", features = ["derive"] }
 soroban-env-host = { path = "..", features = ["testutils"]}
 soroban-synth-wasm = { path = "../../soroban-synth-wasm", features = ["testutils"]}
-sha2 = "0.10.0"
 
 # Prevent this from interfering with workspaces
 [workspace]
@@ -21,12 +20,6 @@ members = ["."]
 [profile.release]
 debug = 1
 
-[[bin]]
-name = "log_from_linear_memory"
-path = "fuzz_targets/log_from_linear_memory.rs"
-test = false
-doc = false
-
 [[bin]]
 name = "expr"
 path = "fuzz_targets/expr.rs"

diff --git a/soroban-env-host/fuzz/Makefile b/soroban-env-host/fuzz/Makefile
@@ -0,0 +1,15 @@
+fuzz-fast-stable-no-sanitizer:
+	cargo fuzz run expr --release --sanitizer none -j $$(nproc)
+
+fuzz-debug-stable-no-sanitizer:
+	cargo fuzz run expr --dev --sanitizer none
+
+fuzz-slow-nightly-with-sanitizer:
+	cargo +nightly fuzz run expr --release -j $$(nproc)
+
+clean:
+	rm -rf target
+	rm -rf corpus/* artifacts/*
+
+reset:
+	rm -rf corpus/* artifacts/*