Fix fuzz (#475)

* Fix fuzz

* Build fuzz in ci

Author: mohanson

.github/workflows/develop.yml

@@ -197,3 +197,13 @@ jobs:
         shell: pwsh
         run: |
           make ci-asm
+
+  linux-fuzz:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Build fuzz
+        run: |
+          sudo apt install device-tree-compiler
+          cargo install cargo-fuzz
+          cargo +nightly fuzz build

fuzz/Cargo.toml

@@ -3,7 +3,7 @@ name = "ckb-vm-fuzz"
 version = "0.1.0"
 authors = ["Nervos Core Dev <dev@nervos.org>"]
 publish = false
-edition = "2018"
+edition = "2024"
 
 [package.metadata]
 cargo-fuzz = true

fuzz/fuzz_targets/asm.rs

@@ -1,16 +1,18 @@
 #![no_main]
 use ckb_vm::cost_model::constant_cycles;
-use ckb_vm::machine::asm::{AsmCoreMachine, AsmMachine};
+use ckb_vm::machine::asm::{AsmCoreMachine, AsmDefaultMachineBuilder, AsmMachine};
 use ckb_vm::machine::trace::TraceMachine;
-use ckb_vm::machine::{DefaultCoreMachine, DefaultMachineBuilder, SupportMachine, VERSION2};
+use ckb_vm::machine::{
+    DefaultCoreMachine, DefaultMachineRunner, RustDefaultMachineBuilder, SupportMachine, VERSION2,
+};
 use ckb_vm::memory::sparse::SparseMemory;
 use ckb_vm::memory::wxorx::WXorXMemory;
 use ckb_vm::{Bytes, Error, ISA_A, ISA_B, ISA_IMC, ISA_MOP};
 use libfuzzer_sys::fuzz_target;
 
 fn run_asm(data: &[u8]) -> Result<(i8, u64), Error> {
     let asm_core = AsmCoreMachine::new(ISA_IMC | ISA_A | ISA_B | ISA_MOP, VERSION2, 200_000);
-    let core = DefaultMachineBuilder::<Box<AsmCoreMachine>>::new(asm_core)
+    let core = AsmDefaultMachineBuilder::new(asm_core)
         .instruction_cycle_func(Box::new(constant_cycles))
         .build();
     let mut machine = AsmMachine::new(core);
@@ -22,15 +24,13 @@ fn run_asm(data: &[u8]) -> Result<(i8, u64), Error> {
 }
 
 fn run_int(data: &[u8]) -> Result<(i8, u64), Error> {
-    let machine_memory = WXorXMemory::new(SparseMemory::<u64>::default());
-    let machine_core = DefaultCoreMachine::new_with_memory(
+    let machine_core = DefaultCoreMachine::<u64, WXorXMemory<SparseMemory<u64>>>::new(
         ISA_IMC | ISA_A | ISA_B | ISA_MOP,
         VERSION2,
         200_000,
-        machine_memory,
     );
     let mut machine = TraceMachine::new(
-        DefaultMachineBuilder::new(machine_core)
+        RustDefaultMachineBuilder::new(machine_core)
             .instruction_cycle_func(Box::new(constant_cycles))
             .build(),
     );

fuzz/fuzz_targets/interpreter.rs

@@ -1,22 +1,20 @@
 #![no_main]
 use ckb_vm::cost_model::constant_cycles;
 use ckb_vm::machine::trace::TraceMachine;
-use ckb_vm::machine::{DefaultCoreMachine, DefaultMachineBuilder, SupportMachine, VERSION2};
+use ckb_vm::machine::{DefaultCoreMachine, RustDefaultMachineBuilder, SupportMachine, VERSION2};
 use ckb_vm::memory::sparse::SparseMemory;
 use ckb_vm::memory::wxorx::WXorXMemory;
-use ckb_vm::{Bytes, Error, ISA_A, ISA_B, ISA_IMC, ISA_MOP};
+use ckb_vm::{Bytes, DefaultMachineRunner, Error, ISA_A, ISA_B, ISA_IMC, ISA_MOP};
 use libfuzzer_sys::fuzz_target;
 
 fn run(data: &[u8]) -> Result<(i8, u64), Error> {
-    let machine_memory = WXorXMemory::new(SparseMemory::<u64>::default());
-    let machine_core = DefaultCoreMachine::new_with_memory(
+    let machine_core = DefaultCoreMachine::<u64, WXorXMemory<SparseMemory<u64>>>::new(
         ISA_IMC | ISA_A | ISA_B | ISA_MOP,
         VERSION2,
         200_000,
-        machine_memory,
     );
     let mut machine = TraceMachine::new(
-        DefaultMachineBuilder::new(machine_core)
+        RustDefaultMachineBuilder::new(machine_core)
             .instruction_cycle_func(Box::new(constant_cycles))
             .build(),
     );

fuzz/fuzz_targets/isa_a.rs

@@ -1,5 +1,5 @@
 #![no_main]
-use ckb_vm::{CoreMachine, Memory};
+use ckb_vm::{CoreMachine, Memory, SupportMachine};
 use libfuzzer_sys::fuzz_target;
 use spike_sys::Spike;
 use std::collections::VecDeque;
@@ -34,13 +34,17 @@ fuzz_target!(|data: [u8; 512]| {
     let ckb_vm_isa = ckb_vm::ISA_IMC | ckb_vm::ISA_A | ckb_vm::ISA_B;
     let ckb_vm_version = ckb_vm::machine::VERSION2;
     let mut ckb_vm_int =
-        ckb_vm::DefaultMachineBuilder::new(ckb_vm::DefaultCoreMachine::<
+        ckb_vm::RustDefaultMachineBuilder::new(ckb_vm::DefaultCoreMachine::<
             u64,
             ckb_vm::SparseMemory<u64>,
         >::new(ckb_vm_isa, ckb_vm_version, u64::MAX))
         .build();
-    let mut ckb_vm_asm = ckb_vm::DefaultMachineBuilder::new(
-        ckb_vm::machine::asm::AsmCoreMachine::new(ckb_vm_isa, ckb_vm_version, u64::MAX),
+    let mut ckb_vm_asm = ckb_vm::machine::asm::AsmDefaultMachineBuilder::new(
+        <ckb_vm::machine::asm::AsmCoreMachine as SupportMachine>::new(
+            ckb_vm_isa,
+            ckb_vm_version,
+            u64::MAX,
+        ),
     )
     .build();
     let insts: [u32; 18] = [

fuzz/fuzz_targets/isa_b.rs

@@ -1,5 +1,5 @@
 #![no_main]
-use ckb_vm::CoreMachine;
+use ckb_vm::{CoreMachine, SupportMachine};
 use libfuzzer_sys::fuzz_target;
 use spike_sys::Spike;
 use std::collections::VecDeque;
@@ -40,13 +40,17 @@ fuzz_target!(|data: [u8; 512]| {
     let ckb_vm_isa = ckb_vm::ISA_IMC | ckb_vm::ISA_A | ckb_vm::ISA_B;
     let ckb_vm_version = ckb_vm::machine::VERSION2;
     let mut ckb_vm_int =
-        ckb_vm::DefaultMachineBuilder::new(ckb_vm::DefaultCoreMachine::<
+        ckb_vm::RustDefaultMachineBuilder::new(ckb_vm::DefaultCoreMachine::<
             u64,
             ckb_vm::SparseMemory<u64>,
         >::new(ckb_vm_isa, ckb_vm_version, u64::MAX))
         .build();
-    let mut ckb_vm_asm = ckb_vm::DefaultMachineBuilder::new(
-        ckb_vm::machine::asm::AsmCoreMachine::new(ckb_vm_isa, ckb_vm_version, u64::MAX),
+    let mut ckb_vm_asm = ckb_vm::machine::asm::AsmDefaultMachineBuilder::new(
+        <ckb_vm::machine::asm::AsmCoreMachine as SupportMachine>::new(
+            ckb_vm_isa,
+            ckb_vm_version,
+            u64::MAX,
+        ),
     )
     .build();
 

fuzz/fuzz_targets/snapshot.rs

@@ -1,15 +1,15 @@
 #![no_main]
 use ckb_vm::cost_model::constant_cycles;
-use ckb_vm::machine::asm::{AsmCoreMachine, AsmMachine};
-use ckb_vm::machine::{DefaultMachineBuilder, VERSION2};
+use ckb_vm::machine::VERSION2;
+use ckb_vm::machine::asm::{AsmCoreMachine, AsmDefaultMachineBuilder, AsmMachine};
 use ckb_vm::snapshot;
-use ckb_vm::{Bytes, Error, SupportMachine, ISA_A, ISA_B, ISA_IMC, ISA_MOP};
+use ckb_vm::{Bytes, DefaultMachineRunner, Error, ISA_A, ISA_B, ISA_IMC, ISA_MOP, SupportMachine};
 use libfuzzer_sys::fuzz_target;
 
 fuzz_target!(|data: &[u8]| {
     let mut machine1 = {
         let asm_core = AsmCoreMachine::new(ISA_IMC | ISA_A | ISA_B | ISA_MOP, VERSION2, 200_000);
-        let machine = DefaultMachineBuilder::<Box<AsmCoreMachine>>::new(asm_core)
+        let machine = AsmDefaultMachineBuilder::new(asm_core)
             .instruction_cycle_func(Box::new(constant_cycles))
             .build();
         AsmMachine::new(machine)
@@ -27,7 +27,7 @@ fuzz_target!(|data: &[u8]| {
     let mut machine2 = {
         let asm_core =
             AsmCoreMachine::new(ISA_IMC | ISA_A | ISA_B | ISA_MOP, VERSION2, half_cycles);
-        let machine = DefaultMachineBuilder::<Box<AsmCoreMachine>>::new(asm_core)
+        let machine = AsmDefaultMachineBuilder::new(asm_core)
             .instruction_cycle_func(Box::new(constant_cycles))
             .build();
         AsmMachine::new(machine)
@@ -40,7 +40,7 @@ fuzz_target!(|data: &[u8]| {
     let mut machine3 = {
         let asm_core =
             AsmCoreMachine::new(ISA_IMC | ISA_A | ISA_B | ISA_MOP, VERSION2, half_cycles);
-        let machine = DefaultMachineBuilder::<Box<AsmCoreMachine>>::new(asm_core)
+        let machine = AsmDefaultMachineBuilder::new(asm_core)
             .instruction_cycle_func(Box::new(constant_cycles))
             .build();
         AsmMachine::new(machine)

fuzz/fuzz_targets/snapshot2.rs

@@ -1,11 +1,12 @@
 #![no_main]
 use ckb_vm::{
+    Bytes, CoreMachine, DEFAULT_MEMORY_SIZE, ISA_A, ISA_B, ISA_IMC, ISA_MOP, Memory,
+    RISCV_PAGESIZE, SupportMachine,
     elf::{LoadingAction, ProgramMetadata},
     machine::VERSION2,
-    memory::{round_page_down, round_page_up, FLAG_EXECUTABLE, FLAG_FREEZED},
+    machine::asm::{AsmDefaultMachine, AsmDefaultMachineBuilder},
+    memory::{FLAG_EXECUTABLE, FLAG_FREEZED, round_page_down, round_page_up},
     snapshot2::{DataSource, Snapshot2Context},
-    Bytes, CoreMachine, DefaultMachine, DefaultMachineBuilder, Memory, DEFAULT_MEMORY_SIZE, ISA_A,
-    ISA_B, ISA_IMC, ISA_MOP, RISCV_PAGESIZE,
 };
 use ckb_vm_definitions::asm::AsmCoreMachine;
 use libfuzzer_sys::fuzz_target;
@@ -63,10 +64,10 @@ impl DataSource<u32> for DummyData {
     }
 }
 
-fn build_machine() -> DefaultMachine<Box<AsmCoreMachine>> {
+fn build_machine() -> AsmDefaultMachine {
     let isa = ISA_IMC | ISA_A | ISA_B | ISA_MOP;
-    let core_machine = AsmCoreMachine::new(isa, VERSION2, u64::MAX);
-    DefaultMachineBuilder::new(core_machine).build()
+    let core_machine = <AsmCoreMachine as SupportMachine>::new(isa.into(), VERSION2, u64::MAX);
+    AsmDefaultMachineBuilder::new(core_machine).build()
 }
 
 fuzz_target!(|data: [u8; 96]| {