Adversarial Arbitrary values for fuzzing #1052
Comments
|
Another unexpected but probably possible case: BytesN that actually has > N bytes. |
|
soroban-env has checks for object validity now that should make it impossible to create invalid objects. |
|
soroban-env now also rejects bad tags |
github-merge-queue bot
pushed a commit
that referenced
this issue
Oct 26, 2023
### What When fuzzing, sometimes generate vecs and maps with elements of the wrong type. These types are generated 1 in every 1000 iterations. ### Why It's a weird case that is possible for contracts to hit in production, so should be generated during fuzzing. Part of #1052 ### Known limitations None.
|
Done. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What problem does your feature solve?
In #957 I mentioned that the
Arbitraryimpls for contract types never generate "adversarial" values.The Soroban type system allows for
Vals to have various states that are unexpected but representable. The fuzzing infrastructure doesn't generate these.What would you like to see?
Vals with bad tagsThese are no longer allowed by the runtime.
If a fuzz tests asks for a raw
Valtype then we should sometimes give them one with a bogus tag.Vecs and maps with heterogeneous element typesDone.
The Rust wrappers around vecs and maps are not fully recursively typechecked when created - individual element accesses may fail due to dynamic typing errors.
When arbitrary vecs and maps are requested we should occasionally return ones where the keys and/or values are not the expected type but a random type.
Object types with invalid referencesThese are no longer allowed by the runtime.
For any of the possible object types (the ones that aren't encoded directly in the 64-bit rawval), we should sometimes provide a broken value; a good tag, but a reference that doesn't exist. I believe these are representable within the typed Rust wrappers around the various object kinds, and will produce errors at access-time.
Object types that are shared referencesThese are not actually possible. Soroban values are immutable.
Any object type might be a shared and mutable reference in the Soroban type system. This is something that would likely be unexpected to Rust programmers.
It would be desirable that, for any object types, the
Arbitraryimplementation returns the exact same reference as in a previous invocation, creating shared object references within the contract.This is a pretty tough thing to do because it requires remembering the state of previous
Arbitraryinvocations. We would need to do this inside ourSorobanArbitraryimplementations, probably by stashing away previous objects in some private location inEnv, then pulling them back out and returning them.Deeply nested vecs and mapsI don't think this is worth doing. It would be rare code that would be rare code that would actually fail to this type, and the inevitable impact would be stack overflow and transaction failure.
This probably only makes sense for arbitrary
Vals - typed vectors and maps can't be arbitrarily-deeply recursive. So deeply-nested containers may not be so useful for finding real bugs - it will only matter if a contract is attempting to fully and recursively interpretValtypes, which would be an ambitious thing for a contract to do.But we could provide deeply nested vecs and maps when a
Valis requested.BytesN with more than N bytes.I don't think this is worth doing. It's possible to construct unsafely, and probably possible to transmit between contracts, but the constructor from Val to BytesN will always fail and terminate the transaction.
These may be possible.
What alternatives are there?
Don't do any of these.
The text was updated successfully, but these errors were encountered: