feat(bls): adding fuzz test for bls (#249)

This is moved from [this
PR](ChainSafe/blst-z#59).

to run the fuzzing: 
(If you are on Linux)
e.g.,
1. `sudo apt install afl++`
2. cd `test/fuzz`
3. `zig build run-bls_public_key`

(If you are using MacOs)
1. `brew install afl++`
2. cd `test/fuzz`
3. follow the instruction in this
[session](https://github.com/jeffoodchain/lodestar-z/blob/jeff/fuzz-test/test/fuzz/README.md#on-macos).
4. run `zig build run-bls_public_key`

you could see the following dashboard running in your terminal

```bash
AFL ++4.09c {default} (...64d672b6e452d6305a3425b7e2487cb/public_key) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│        run time : 0 days, 0 hrs, 0 min, 8 sec       │  cycles done : 20    │
│   last new find : 0 days, 0 hrs, 0 min, 8 sec       │ corpus count : 14    │
│last saved crash : none seen yet                     │saved crashes : 0     │
│ last saved hang : none seen yet                     │  saved hangs : 0     │
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│  now processing : 2.197 (14.3%)      │    map density : 0.17% / 0.48%      │
│  runs timed out : 0 (0.00%)          │ count coverage : 2.89 bits/tuple    │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│  now trying : splice 10              │ favored items : 10 (71.43%)         │
│ stage execs : 85/86 (98.84%)         │  new edges on : 10 (71.43%)         │
│ total execs : 424k                   │ total crashes : 0 (0 saved)         │
│  exec speed : 52.7k/sec              │  total tmouts : 0 (0 saved)         │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│   bit flips : disabled (default, enable with -D)   │    levels : 2         │
│  byte flips : disabled (default, enable with -D)   │   pending : 0         │
│ arithmetics : disabled (default, enable with -D)   │  pend fav : 0         │
│  known ints : disabled (default, enable with -D)   │ own finds : 7         │
│  dictionary : n/a                                  │  imported : 0         │
│havoc/splice : 7/180k, 0/244k                       │ stability : 100.00%   │
│py/custom/rq : unused, unused, unused, unused       ├───────────────────────┘
│    trim/eff : 5.20%/170, disabled                  │          [cpu000: 31%]
└─ strategy: explore ────────── state: started :-) ──┘

```

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: jeffoodchain

pkg/afl++/build.zig

@@ -7,6 +7,7 @@ const std = @import("std");
 pub fn addInstrumentedExe(
     b: *std.Build,
     obj: *std.Build.Step.Compile,
+    extra_libs: []const *std.Build.Step.Compile,
 ) std.Build.LazyPath {
     // Force the build system to produce the binary artifact even though we
     // only consume the LLVM bitcode below. Without this, the dependency
@@ -27,6 +28,9 @@ pub fn addInstrumentedExe(
     const fuzz_exe = afl_cc.addOutputFileArg(obj.name);
     afl_cc.addFileArg(pkg.path("afl.c"));
     afl_cc.addFileArg(obj.getEmittedLlvmBc());
+    for (extra_libs) |lib| {
+        afl_cc.addFileArg(lib.getEmittedBin());
+    }
     return fuzz_exe;
 }
 

test/fuzz/.gitignore

@@ -3,6 +3,7 @@ zig-cache/
 .zig-cache/
 output/
 afl-out/
+*.log
 
 # Spec-extracted seeds (regenerate with: zig build extract-corpus)
 corpus/*-initial/spec-*

test/fuzz/README.md

@@ -10,6 +10,11 @@ pub fn build(b: *std.Build) void {
         .optimize = optimize,
     });
 
+    const dep_blst = b.dependency("blst", .{
+        .optimize = optimize,
+        .target = target,
+    });
+
     const dep_snappy = b.dependency("snappy", .{
         .target = target,
         .optimize = optimize,
@@ -43,15 +48,16 @@ pub fn build(b: *std.Build) void {
 
     const Fuzzer = struct {
         name: []const u8,
+        extra_libs: []const *std.Build.Step.Compile = &.{},
 
         /// Returns the corpus directory path for this fuzzer.
         /// Change the suffix to switch between -cmin and -initial.
-        fn corpus(comptime self: @This()) []const u8 {
-            return "corpus/" ++ self.name ++ "-cmin";
+        fn corpus(self: @This(), bb: *std.Build) []const u8 {
+            return bb.fmt("corpus/{s}-cmin", .{self.name});
         }
 
-        fn source(comptime self: @This()) []const u8 {
-            return "src/fuzz_" ++ self.name ++ ".zig";
+        fn source(self: @This(), bb: *std.Build) []const u8 {
+            return bb.fmt("src/fuzz_{s}.zig", .{self.name});
         }
     };
 
@@ -62,6 +68,10 @@ pub fn build(b: *std.Build) void {
         .{ .name = "ssz_bytelist" },
         .{ .name = "ssz_containers" },
         .{ .name = "ssz_lists" },
+        .{ .name = "bls_public_key", .extra_libs = &.{dep_blst.artifact("blst")} },
+        .{ .name = "bls_signature", .extra_libs = &.{dep_blst.artifact("blst")} },
+        .{ .name = "bls_aggregate_pk", .extra_libs = &.{dep_blst.artifact("blst")} },
+        .{ .name = "bls_aggregate_sig", .extra_libs = &.{dep_blst.artifact("blst")} },
     };
 
     inline for (fuzzers) |fuzzer| {
@@ -71,11 +81,12 @@ pub fn build(b: *std.Build) void {
         );
 
         const lib_mod = b.createModule(.{
-            .root_source_file = b.path(fuzzer.source()),
+            .root_source_file = b.path(fuzzer.source(b)),
             .target = target,
             .optimize = optimize,
         });
         lib_mod.addImport("ssz", lodestar_z.module("ssz"));
+        lib_mod.addImport("bls", lodestar_z.module("bls"));
         lib_mod.addImport(
             "consensus_types",
             lodestar_z.module("consensus_types"),
@@ -90,7 +101,7 @@ pub fn build(b: *std.Build) void {
         lib.root_module.stack_check = false;
         lib.root_module.fuzz = true;
 
-        const exe = afl.addInstrumentedExe(b, lib);
+        const exe = afl.addInstrumentedExe(b, lib, fuzzer.extra_libs);
         const mkdir = b.addSystemCommand(&.{
             "mkdir", "-p",
         });
@@ -100,15 +111,15 @@ pub fn build(b: *std.Build) void {
         const run = afl.addFuzzerRun(
             b,
             exe,
-            b.path(fuzzer.corpus()),
+            b.path(fuzzer.corpus(b)),
             b.path(b.fmt("afl-out/{s}", .{fuzzer.name})),
         );
         run.step.dependOn(&mkdir.step);
         run_step.dependOn(&run.step);
 
         const install = b.addInstallBinFile(
             exe,
-            "fuzz-" ++ fuzzer.name,
+            b.fmt("fuzz-{s}", .{fuzzer.name}),
         );
         b.getInstallStep().dependOn(&install.step);
     }

test/fuzz/build.zig

@@ -4,6 +4,10 @@
     .fingerprint = 0xa5f5892cc2169277,
     .minimum_zig_version = "0.14.1",
     .dependencies = .{
+        .blst = .{
+            .url = "git+https://github.com/ChainSafe/blst.zig#98868a621ea921ec7dd7c1a4057bc2947586ed3c",
+            .hash = "blst_zig-0.0.0-cnAxzu0IAABK3ChhGISQMEe6PaX6x8Z8yOtYsp63xh54",
+        },
         .lodestar_z = .{ .path = "../../" },
         .afl = .{ .path = "../../pkg/afl++" },
         .snappy = .{

test/fuzz/build.zig.zon

@@ -0,0 +1 @@
+��Ѱ�ٻ�y���O�"�Ĩs��dO6�������weM|�����
�?�Zġ5��gm��`ؑ�_��(�^^���4��u�pzڳ�jjX���=!���b�íQML妵w�@=2���&]ѐ���)�ז:��r��xTo�=!���b�íQML妵w�@=2���&]ѐ���)�ז:��r��xTo