
Commit 4917e8d

feat(bls): adding fuzz test for bls (#249)
This is moved from [this PR](ChainSafe/blst-z#59). to run the fuzzing: (If you are on Linux) e.g., 1. `sudo apt install afl++` 2. cd `test/fuzz` 3. `zig build run-bls_public_key` (If you are using MacOs) 1. `brew install afl++` 2. cd `test/fuzz` 3. follow the instruction in this [session](https://github.com/jeffoodchain/lodestar-z/blob/jeff/fuzz-test/test/fuzz/README.md#on-macos). 4. run `zig build run-bls_public_key` you could see the following dashboard running in your terminal ```bash AFL ++4.09c {default} (...64d672b6e452d6305a3425b7e2487cb/public_key) [fast] ┌─ process timing ────────────────────────────────────┬─ overall results ────┐ │ run time : 0 days, 0 hrs, 0 min, 8 sec │ cycles done : 20 │ │ last new find : 0 days, 0 hrs, 0 min, 8 sec │ corpus count : 14 │ │last saved crash : none seen yet │saved crashes : 0 │ │ last saved hang : none seen yet │ saved hangs : 0 │ ├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤ │ now processing : 2.197 (14.3%) │ map density : 0.17% / 0.48% │ │ runs timed out : 0 (0.00%) │ count coverage : 2.89 bits/tuple │ ├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤ │ now trying : splice 10 │ favored items : 10 (71.43%) │ │ stage execs : 85/86 (98.84%) │ new edges on : 10 (71.43%) │ │ total execs : 424k │ total crashes : 0 (0 saved) │ │ exec speed : 52.7k/sec │ total tmouts : 0 (0 saved) │ ├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤ │ bit flips : disabled (default, enable with -D) │ levels : 2 │ │ byte flips : disabled (default, enable with -D) │ pending : 0 │ │ arithmetics : disabled (default, enable with -D) │ pend fav : 0 │ │ known ints : disabled (default, enable with -D) │ own finds : 7 │ │ dictionary : n/a │ imported : 0 │ │havoc/splice : 7/180k, 0/244k │ stability : 100.00% │ │py/custom/rq : unused, unused, unused, unused ├───────────────────────┘ │ trim/eff : 5.20%/170, disabled │ [cpu000: 31%] └─ strategy: explore ────────── 
state: started :-) ──┘ ``` --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
1 parent f684a9f commit 4917e8d


83 files changed

+604
-37
lines changed



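--- a/pkg/afl++/build.zig
+++ b/pkg/afl++/build.zig
@@ -7,6 +7,7 @@ const std = @import("std");
 pub fn addInstrumentedExe(
     b: *std.Build,
     obj: *std.Build.Step.Compile,
+    extra_libs: []const *std.Build.Step.Compile,
 ) std.Build.LazyPath {
     // Force the build system to produce the binary artifact even though we
     // only consume the LLVM bitcode below. Without this, the dependency
@@ -27,6 +28,9 @@ pub fn addInstrumentedExe(
     const fuzz_exe = afl_cc.addOutputFileArg(obj.name);
     afl_cc.addFileArg(pkg.path("afl.c"));
     afl_cc.addFileArg(obj.getEmittedLlvmBc());
+    for (extra_libs) |lib| {
+        afl_cc.addFileArg(lib.getEmittedBin());
+    }
     return fuzz_exe;
 }
 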
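Review bot: The new `extra_libs` parameter of `addInstrumentedExe` has no doc comment, and the second hunk shows it matters how it is used: each artifact's emitted binary is appended to the afl-cc command after the instrumented bitcode, so these libraries are presumably linked as prebuilt objects rather than being recompiled by afl-cc, which means edges inside them are not visible to the fuzzer's coverage map. A comment above the parameter such as `/// Prebuilt artifacts (e.g. static libraries) appended to the afl-cc link line after the instrumented bitcode; they are linked as-is and are not instrumented.` would make that trade-off explicit to callers. Placing the libraries after the bitcode is also the order a single-pass linker needs to resolve the bitcode's undefined symbols, so the loop should stay where it is and a one-line `// libraries must follow the bitcode so the linker can resolve its symbols` above it would prevent a future reorder. The body of `addInstrumentedExe` between the two hunks is outside this view.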

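--- a/test/fuzz/.gitignore
+++ b/test/fuzz/.gitignore
@@ -3,6 +3,7 @@ zig-cache/
 .zig-cache/
 output/
 afl-out/
+*.log
 
 # Spec-extracted seeds (regenerate with: zig build extract-corpus)
 corpus/*-initial/spec-*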

test/fuzz/README.md

Lines changed: 71 additions & 4 deletions

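--- a/test/fuzz/build.zig
+++ b/test/fuzz/build.zig
@@ -10,6 +10,11 @@ pub fn build(b: *std.Build) void {
         .optimize = optimize,
     });
 
+    const dep_blst = b.dependency("blst", .{
+        .optimize = optimize,
+        .target = target,
+    });
+
     const dep_snappy = b.dependency("snappy", .{
         .target = target,
         .optimize = optimize,
@@ -43,15 +48,16 @@ pub fn build(b: *std.Build) void {
 
     const Fuzzer = struct {
         name: []const u8,
+        extra_libs: []const *std.Build.Step.Compile = &.{},
 
         /// Returns the corpus directory path for this fuzzer.
         /// Change the suffix to switch between -cmin and -initial.
-        fn corpus(comptime self: @This()) []const u8 {
-            return "corpus/" ++ self.name ++ "-cmin";
+        fn corpus(self: @This(), bb: *std.Build) []const u8 {
+            return bb.fmt("corpus/{s}-cmin", .{self.name});
         }
 
-        fn source(comptime self: @This()) []const u8 {
-            return "src/fuzz_" ++ self.name ++ ".zig";
+        fn source(self: @This(), bb: *std.Build) []const u8 {
+            return bb.fmt("src/fuzz_{s}.zig", .{self.name});
         }
     };
 
@@ -62,6 +68,10 @@ pub fn build(b: *std.Build) void {
         .{ .name = "ssz_bytelist" },
         .{ .name = "ssz_containers" },
         .{ .name = "ssz_lists" },
+        .{ .name = "bls_public_key", .extra_libs = &.{dep_blst.artifact("blst")} },
+        .{ .name = "bls_signature", .extra_libs = &.{dep_blst.artifact("blst")} },
+        .{ .name = "bls_aggregate_pk", .extra_libs = &.{dep_blst.artifact("blst")} },
+        .{ .name = "bls_aggregate_sig", .extra_libs = &.{dep_blst.artifact("blst")} },
     };
 
     inline for (fuzzers) |fuzzer| {
@@ -71,11 +81,12 @@ pub fn build(b: *std.Build) void {
         );
 
         const lib_mod = b.createModule(.{
-            .root_source_file = b.path(fuzzer.source()),
+            .root_source_file = b.path(fuzzer.source(b)),
             .target = target,
             .optimize = optimize,
         });
         lib_mod.addImport("ssz", lodestar_z.module("ssz"));
+        lib_mod.addImport("bls", lodestar_z.module("bls"));
         lib_mod.addImport(
             "consensus_types",
             lodestar_z.module("consensus_types"),
@@ -90,7 +101,7 @@ pub fn build(b: *std.Build) void {
         lib.root_module.stack_check = false;
         lib.root_module.fuzz = true;
 
-        const exe = afl.addInstrumentedExe(b, lib);
+        const exe = afl.addInstrumentedExe(b, lib, fuzzer.extra_libs);
         const mkdir = b.addSystemCommand(&.{
             "mkdir", "-p",
         });
@@ -100,15 +111,15 @@ pub fn build(b: *std.Build) void {
         const run = afl.addFuzzerRun(
             b,
             exe,
-            b.path(fuzzer.corpus()),
+            b.path(fuzzer.corpus(b)),
             b.path(b.fmt("afl-out/{s}", .{fuzzer.name})),
         );
         run.step.dependOn(&mkdir.step);
         run_step.dependOn(&run.step);
 
         const install = b.addInstallBinFile(
             exe,
-            "fuzz-" ++ fuzzer.name,
+            b.fmt("fuzz-{s}", .{fuzzer.name}),
         );
         b.getInstallStep().dependOn(&install.step);
     }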
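Review bot: `inline for (fuzzers) |fuzzer| {` at the end of the third hunk no longer has a reason to be comptime-unrolled: the comptime `++` concatenations on `self` that required it are replaced by `bb.fmt` in the second hunk, and every remaining use of `fuzzer` in these hunks (`fuzzer.source(b)`, `fuzzer.corpus(b)`, `fuzzer.extra_libs`, `fuzzer.name` inside `b.fmt`) is a runtime access. A plain `for (fuzzers) |fuzzer| {` keeps the same build graph with one loop body instead of a copy per entry, unless some use of `fuzzer` outside these hunks still needs a comptime value. Separately, the fourth hunk adds `lib_mod.addImport("bls", lodestar_z.module("bls"));` for every harness, so the ssz fuzzers now also pull in the bls module; that is harmless for the build but if the import is meant to be per-harness it could be gated the same way `extra_libs` is.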

test/fuzz/build.zig.zon

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@
44
.fingerprint = 0xa5f5892cc2169277,
55
.minimum_zig_version = "0.14.1",
66
.dependencies = .{
7+
.blst = .{
8+
.url = "git+https://github.com/ChainSafe/blst.zig#98868a621ea921ec7dd7c1a4057bc2947586ed3c",
9+
.hash = "blst_zig-0.0.0-cnAxzu0IAABK3ChhGISQMEe6PaX6x8Z8yOtYsp63xh54",
10+
},
711
.lodestar_z = .{ .path = "../../" },
812
.afl = .{ .path = "../../pkg/afl++" },
913
.snappy = .{

test/fuzz/corpus/bls_aggregate_pk-cmin/id:000001,time:0,execs:0,orig:spec-agg-pk-0050

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
��Ѱ�ٻ�y���O�"�Ĩs��dO6������� weM|������?�Zġ5��gm��`ؑ�_��(�^^���4��u�pzڳ� jjX���=!���b�íQML妵w�@=2���&]ѐ���)�ז:��r��xTo�=!���b�íQML妵w�@=2���&]ѐ���)�ז:��r��xTo
