feat: add vm asm fuzzer

Author: 0xdeafbeef

Cargo.toml

@@ -39,6 +39,7 @@ tracing = "0.1"
 tracing-subscriber = "0.3"
 tracing-test = "0.2"
 
+everscale-asm = { git = "https://github.com/broxus/everscale-asm.git", rev = "bbd284a72676300c89ab074bd39cd91fde21d597" }
 everscale-asm-macros = { git = "https://github.com/broxus/everscale-asm.git", rev = "bbd284a72676300c89ab074bd39cd91fde21d597" }
 
 tycho-vm = { path = "./vm" }

fuzz/Cargo.toml

@@ -14,6 +14,20 @@ test = false
 doc = false
 bench = false
 
+[[bin]]
+name = "vm_asm"
+path = "fuzz_targets/vm_asm.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "vm_opcode"
+path = "fuzz_targets/vm_opcode_fuzz.rs"
+test = false
+doc = false
+bench = false
+
 [[bin]]
 name = "action_phase_real"
 path = "fuzz_targets/action_phase_real.rs"
@@ -34,3 +48,5 @@ everscale-types = { workspace = true, features = ["arbitrary", "base64"] }
 libfuzzer-sys = { workspace = true }
 tycho-executor = { path = "../executor" }
 tycho-vm = { path = "../vm", features = ["arbitrary"] }
+everscale-asm = { workspace = true }
+num-bigint = "0.4.6"

fuzz/fuzz_targets/vm_asm.rs

@@ -0,0 +1,28 @@
+#![no_main]
+
+use everscale_asm::Code;
+use libfuzzer_sys::{fuzz_target, Corpus};
+use tycho_vm::{CustomSmcInfo, GasParams, SafeRc, VmState};
+
+fuzz_target!(|code: String| -> Corpus {
+    if !code.chars().all(|c| c.is_ascii_graphic() || c == ' ') {
+        return Corpus::Reject;
+    }
+
+    let code = match Code::assemble(&code) {
+        Ok(code) => code,
+        Err(_) => return Corpus::Reject,
+    };
+
+    let mut vm = VmState::builder()
+        .with_code(code)
+        .with_smc_info(CustomSmcInfo {
+            version: VmState::DEFAULT_VERSION,
+            c7: SafeRc::new(Vec::new()),
+        })
+        .with_gas(GasParams::getter())
+        .build();
+
+    _ = vm.run();
+    Corpus::Keep
+});

fuzz/fuzz_targets/vm_opcode_fuzz.rs

@@ -0,0 +1,91 @@
+#![no_main]
+
+use arbitrary::Arbitrary;
+use everscale_types::arbitrary::OrdinaryCell;
+use everscale_types::cell::CellBuilder;
+use libfuzzer_sys::{fuzz_target, Corpus};
+use num_bigint::BigInt;
+use tycho_vm::{CustomSmcInfo, GasParams, RcStackValue, SafeRc, Stack, Tuple, VmState};
+
+#[derive(Debug, Arbitrary)]
+enum ArbitraryStackValue {
+    Null,
+    Int(BigInt),
+    NaN,
+    Cell(OrdinaryCell),
+    EmptyBuilder,
+    Tuple(Vec<ArbitraryStackValue>),
+}
+
+fn arbitrary_to_rc(item: ArbitraryStackValue) -> Option<RcStackValue> {
+    Some(match item {
+        ArbitraryStackValue::Null => Stack::make_null(),
+        ArbitraryStackValue::Int(val) if val.bits() <= 256 => SafeRc::new_dyn_value(val),
+        ArbitraryStackValue::NaN => Stack::make_nan(),
+        ArbitraryStackValue::Cell(OrdinaryCell(cell)) => SafeRc::new_dyn_value(cell),
+        ArbitraryStackValue::EmptyBuilder => SafeRc::new_dyn_value(CellBuilder::new()),
+        ArbitraryStackValue::Tuple(items) => {
+            let tuple_items: Tuple = items
+                .into_iter()
+                .map(arbitrary_to_rc)
+                .collect::<Option<Vec<_>>>()?;
+            SafeRc::new_dyn_value(tuple_items)
+        }
+        ArbitraryStackValue::Int(_) => return None,
+    })
+}
+
+#[derive(Debug, Arbitrary)]
+struct Input {
+    code: OrdinaryCell,
+    initial_stack_items: Vec<ArbitraryStackValue>,
+    c7_items: Vec<ArbitraryStackValue>,
+}
+
+const MAX_ITEMS: usize = 32;
+
+fuzz_target!(|input: Input| -> Corpus {
+    if input.initial_stack_items.len() > MAX_ITEMS {
+        return Corpus::Reject;
+    }
+
+    if input.c7_items.len() > MAX_ITEMS {
+        return Corpus::Reject;
+    }
+
+    let OrdinaryCell(code) = input.code;
+
+    let stack_items: Option<Vec<RcStackValue>> = input
+        .initial_stack_items
+        .into_iter()
+        .map(arbitrary_to_rc)
+        .collect();
+
+    let stack_items = match stack_items {
+        Some(items) => items,
+        None => return Corpus::Reject,
+    };
+
+    let c7_rc_items: Option<Vec<RcStackValue>> =
+        input.c7_items.into_iter().map(arbitrary_to_rc).collect();
+    let c7_rc_items = match c7_rc_items {
+        Some(items) => items,
+        None => return Corpus::Reject,
+    };
+
+    let stack = Stack::with_items(stack_items);
+
+    let mut vm = VmState::builder()
+        .with_code(code)
+        .with_raw_stack(stack.into())
+        .with_smc_info(CustomSmcInfo {
+            version: VmState::DEFAULT_VERSION,
+            c7: SafeRc::new(c7_rc_items),
+        })
+        .with_gas(GasParams::getter())
+        .build();
+
+    let _ = vm.run();
+
+    Corpus::Keep
+});