Merge pull request #5804 from bshastry/fuzz-refactor

ossfuzz: Refactor and share code with afl fuzzer harness
2023-10-03 13:03:40 +00:00 · 2019-01-23 17:30:17 +01:00 · 2019-01-23 17:30:17 +01:00 · 054a6b0487
commit 054a6b0487
parent ea292393a3 24b1de7df0
13 changed files with 377 additions and 218 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -11,6 +11,7 @@ Bugfixes:


 Build System:
+ * Add support for continuous fuzzing via Google oss-fuzz


 ### 0.5.3 (2019-01-22)
--- a/cmake/EthOptions.cmake
+++ b/cmake/EthOptions.cmake
@ -3,6 +3,7 @@ macro(configure_project)

 	# features
 	eth_default_option(COVERAGE OFF)
+	eth_default_option(OSSFUZZ OFF)

 	# components
 	eth_default_option(TESTS ON)
--- a/libdevcore/CommonData.h
+++ b/libdevcore/CommonData.h
@ -334,4 +334,11 @@ bool containerEqual(Container const& _lhs, Container const& _rhs, Compare&& _com
 	return std::equal(std::begin(_lhs), std::end(_lhs), std::begin(_rhs), std::end(_rhs), std::forward<Compare>(_compare));
 }

+inline std::string findAnyOf(std::string const& _haystack, std::vector<std::string> const& _needles)
+{
+	for (std::string const& needle: _needles)
+		if (_haystack.find(needle) != std::string::npos)
+			return needle;
+	return "";
+}
 }
--- a/test/tools/CMakeLists.txt
+++ b/test/tools/CMakeLists.txt
@ -1,4 +1,8 @@
-add_executable(solfuzzer fuzzer.cpp)
+if (OSSFUZZ)
+    add_subdirectory(ossfuzz)
+endif()
+
+add_executable(solfuzzer afl_fuzzer.cpp fuzzer_common.cpp)
 target_link_libraries(solfuzzer PRIVATE libsolc evmasm ${Boost_PROGRAM_OPTIONS_LIBRARIES} ${Boost_SYSTEM_LIBRARIES})

 add_executable(yulopti yulopti.cpp)
--- a/test/tools/afl_fuzzer.cpp
+++ b/test/tools/afl_fuzzer.cpp
@ -0,0 +1,101 @@
+/*
+	This file is part of solidity.
+
+	solidity is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	solidity is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+/**
+ * Executable for use with AFL <http://lcamtuf.coredump.cx/afl>.
+ */
+
+#include <test/tools/fuzzer_common.h>
+#include <boost/program_options.hpp>
+
+using namespace std;
+using namespace dev;
+using namespace dev::eth;
+
+namespace po = boost::program_options;
+
+int main(int argc, char** argv)
+{
+	po::options_description options(
+		R"(solfuzzer, fuzz-testing binary for use with AFL.
+Usage: solfuzzer [Options] < input
+Reads a single source from stdin, compiles it and signals a failure for internal errors.
+
+Allowed options)",
+		po::options_description::m_default_line_length,
+		po::options_description::m_default_line_length - 23);
+	options.add_options()
+		("help", "Show this help screen.")
+		("quiet", "Only output errors.")
+		(
+			"standard-json",
+			"Test via the standard-json interface, i.e. "
+			"input is expected to be JSON-encoded instead of "
+			"plain source file."
+		)
+		(
+			"const-opt",
+			"Run the constant optimizer instead of compiling. "
+			"Expects a binary string of up to 32 bytes on stdin."
+		)
+		(
+			"input-file",
+			po::value<string>(),
+			"input file"
+		)
+		(
+			"without-optimizer",
+			"Run without optimizations. Cannot be used together with standard-json."
+		);
+
+	// All positional options should be interpreted as input files
+	po::positional_options_description filesPositions;
+	filesPositions.add("input-file", 1);
+	bool quiet = false;
+
+	po::variables_map arguments;
+	try
+	{
+		po::command_line_parser cmdLineParser(argc, argv);
+		cmdLineParser.options(options).positional(filesPositions);
+		po::store(cmdLineParser.run(), arguments);
+	}
+	catch (po::error const& _exception)
+	{
+		cerr << _exception.what() << endl;
+		return 1;
+	}
+
+	string input;
+	if (arguments.count("input-file"))
+		input = readFileAsString(arguments["input-file"].as<string>());
+	else
+		input = readStandardInput();
+
+	if (arguments.count("quiet"))
+		quiet = true;
+
+	if (arguments.count("help"))
+		cout << options;
+	else if (arguments.count("const-opt"))
+		FuzzerUtil::testConstantOptimizer(input, quiet);
+	else if (arguments.count("standard-json"))
+		FuzzerUtil::testStandardCompiler(input, quiet);
+	else
+		FuzzerUtil::testCompiler(input, !arguments.count("without-optimizer"), quiet);
+
+	return 0;
+}
--- a/test/tools/fuzzer.cpp
+++ b/test/tools/fuzzer.cpp
@ -1,217 +0,0 @@
-/*
-	This file is part of solidity.
-
-	solidity is free software: you can redistribute it and/or modify
-	it under the terms of the GNU General Public License as published by
-	the Free Software Foundation, either version 3 of the License, or
-	(at your option) any later version.
-
-	solidity is distributed in the hope that it will be useful,
-	but WITHOUT ANY WARRANTY; without even the implied warranty of
-	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-	GNU General Public License for more details.
-
-	You should have received a copy of the GNU General Public License
-	along with solidity.  If not, see <http://www.gnu.org/licenses/>.
-*/
-/**
- * Executable for use with AFL <http://lcamtuf.coredump.cx/afl>.
- */
-
-#include <libdevcore/CommonIO.h>
-#include <libevmasm/Assembly.h>
-#include <libevmasm/ConstantOptimiser.h>
-#include <libsolc/libsolc.h>
-
-#include <libdevcore/JSON.h>
-
-#include <boost/program_options.hpp>
-
-#include <string>
-#include <sstream>
-#include <iostream>
-
-using namespace std;
-using namespace dev;
-using namespace dev::eth;
-namespace po = boost::program_options;
-
-namespace
-{
-
-bool quiet = false;
-
-string contains(string const& _haystack, vector<string> const& _needles)
-{
-	for (string const& needle: _needles)
-		if (_haystack.find(needle) != string::npos)
-			return needle;
-	return "";
-}
-
-void testConstantOptimizer(string const& input)
-{
-	if (!quiet)
-		cout << "Testing constant optimizer" << endl;
-	vector<u256> numbers;
-	stringstream sin(input);
-
-	while (!sin.eof())
-	{
-		h256 data;
-		sin.read(reinterpret_cast<char*>(data.data()), 32);
-		numbers.push_back(u256(data));
-	}
-	if (!quiet)
-		cout << "Got " << numbers.size() << " inputs:" << endl;
-
-	Assembly assembly;
-	for (u256 const& n: numbers)
-	{
-		if (!quiet)
-			cout << n << endl;
-		assembly.append(n);
-	}
-	for (bool isCreation: {false, true})
-	{
-		for (unsigned runs: {1, 2, 3, 20, 40, 100, 200, 400, 1000})
-		{
-			ConstantOptimisationMethod::optimiseConstants(
-				isCreation,
-				runs,
-				EVMVersion{},
-				assembly,
-				const_cast<AssemblyItems&>(assembly.items())
-			);
-		}
-	}
-}
-
-void runCompiler(string input)
-{
-	string outputString(solidity_compile(input.c_str(), nullptr));
-	Json::Value output;
-	if (!jsonParseStrict(outputString, output))
-	{
-		cout << "Compiler produced invalid JSON output." << endl;
-		abort();
-	}
-	if (output.isMember("errors"))
-		for (auto const& error: output["errors"])
-		{
-			string invalid = contains(error["type"].asString(), vector<string>{
-				"Exception",
-				"InternalCompilerError"
-			});
-			if (!invalid.empty())
-			{
-				cout << "Invalid error: \"" << error["type"].asString() << "\"" << endl;
-				abort();
-			}
-		}
-}
-
-void testStandardCompiler(string const& input)
-{
-	if (!quiet)
-		cout << "Testing compiler via JSON interface." << endl;
-
-	runCompiler(input);
-}
-
-void testCompiler(string const& input, bool optimize)
-{
-	if (!quiet)
-		cout << "Testing compiler " << (optimize ? "with" : "without") << " optimizer." << endl;
-
-	Json::Value config = Json::objectValue;
-	config["language"] = "Solidity";
-	config["sources"] = Json::objectValue;
-	config["sources"][""] = Json::objectValue;
-	config["sources"][""]["content"] = input;
-	config["settings"] = Json::objectValue;
-	config["settings"]["optimizer"] = Json::objectValue;
-	config["settings"]["optimizer"]["enabled"] = optimize;
-	config["settings"]["optimizer"]["runs"] = 200;
-
-	// Enable all SourceUnit-level outputs.
-	config["settings"]["outputSelection"]["*"][""][0] = "*";
-	// Enable all Contract-level outputs.
-	config["settings"]["outputSelection"]["*"]["*"][0] = "*";
-
-	runCompiler(jsonCompactPrint(config));
-}
-
-}
-
-int main(int argc, char** argv)
-{
-	po::options_description options(
-		R"(solfuzzer, fuzz-testing binary for use with AFL.
-Usage: solfuzzer [Options] < input
-Reads a single source from stdin, compiles it and signals a failure for internal errors.
-
-Allowed options)",
-		po::options_description::m_default_line_length,
-		po::options_description::m_default_line_length - 23);
-	options.add_options()
-		("help", "Show this help screen.")
-		("quiet", "Only output errors.")
-		(
-			"standard-json",
-			"Test via the standard-json interface, i.e. "
-			"input is expected to be JSON-encoded instead of "
-			"plain source file."
-		)
-		(
-			"const-opt",
-			"Run the constant optimizer instead of compiling. "
-			"Expects a binary string of up to 32 bytes on stdin."
-		)
-		(
-			"input-file",
-			po::value<string>(),
-			"input file"
-		)
-		(
-			"without-optimizer",
-			"Run without optimizations. Cannot be used together with standard-json."
-		);
-
-	// All positional options should be interpreted as input files
-	po::positional_options_description filesPositions;
-	filesPositions.add("input-file", 1);
-
-	po::variables_map arguments;
-	try
-	{
-		po::command_line_parser cmdLineParser(argc, argv);
-		cmdLineParser.options(options).positional(filesPositions);
-		po::store(cmdLineParser.run(), arguments);
-	}
-	catch (po::error const& _exception)
-	{
-		cerr << _exception.what() << endl;
-		return 1;
-	}
-
-	string input;
-	if (arguments.count("input-file"))
-		input = readFileAsString(arguments["input-file"].as<string>());
-	else
-		input = readStandardInput();
-
-	if (arguments.count("quiet"))
-		quiet = true;
-
-	if (arguments.count("help"))
-		cout << options;
-	else if (arguments.count("const-opt"))
-		testConstantOptimizer(input);
-	else if (arguments.count("standard-json"))
-		testStandardCompiler(input);
-	else
-		testCompiler(input, !arguments.count("without-optimizer"));
-
-	return 0;
-}
--- a/test/tools/fuzzer_common.cpp
+++ b/test/tools/fuzzer_common.cpp
@ -0,0 +1,114 @@
+/*
+	This file is part of solidity.
+
+	solidity is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	solidity is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <test/tools/fuzzer_common.h>
+#include <libdevcore/CommonData.h>
+
+using namespace std;
+using namespace dev;
+using namespace dev::eth;
+
+void FuzzerUtil::runCompiler(string _input)
+{
+	string outputString(solidity_compile(_input.c_str(), nullptr));
+	Json::Value output;
+	if (!jsonParseStrict(outputString, output))
+	{
+		cout << "Compiler produced invalid JSON output." << endl;
+		abort();
+	}
+	if (output.isMember("errors"))
+		for (auto const& error: output["errors"])
+		{
+			string invalid = findAnyOf(error["type"].asString(), vector<string>{
+					"Exception",
+					"InternalCompilerError"
+			});
+			if (!invalid.empty())
+			{
+				cout << "Invalid error: \"" << error["type"].asString() << "\"" << endl;
+				abort();
+			}
+		}
+}
+
+void FuzzerUtil::testCompiler(string const& _input, bool _optimize, bool _quiet)
+{
+	if (!_quiet)
+		cout << "Testing compiler " << (_optimize ? "with" : "without") << " optimizer." << endl;
+
+	Json::Value config = Json::objectValue;
+	config["language"] = "Solidity";
+	config["sources"] = Json::objectValue;
+	config["sources"][""] = Json::objectValue;
+	config["sources"][""]["content"] = _input;
+	config["settings"] = Json::objectValue;
+	config["settings"]["optimizer"] = Json::objectValue;
+	config["settings"]["optimizer"]["enabled"] = _optimize;
+	config["settings"]["optimizer"]["runs"] = 200;
+
+	// Enable all SourceUnit-level outputs.
+	config["settings"]["outputSelection"]["*"][""][0] = "*";
+	// Enable all Contract-level outputs.
+	config["settings"]["outputSelection"]["*"]["*"][0] = "*";
+
+	runCompiler(jsonCompactPrint(config));
+}
+
+void FuzzerUtil::testConstantOptimizer(string const& _input, bool _quiet)
+{
+	if (!_quiet)
+		cout << "Testing constant optimizer" << endl;
+	vector<u256> numbers;
+	stringstream sin(_input);
+
+	while (!sin.eof())
+	{
+		h256 data;
+		sin.read(reinterpret_cast<char *>(data.data()), 32);
+		numbers.push_back(u256(data));
+	}
+	if (!_quiet)
+		cout << "Got " << numbers.size() << " inputs:" << endl;
+
+	Assembly assembly;
+	for (u256 const& n: numbers)
+	{
+		if (!_quiet)
+			cout << n << endl;
+		assembly.append(n);
+	}
+	for (bool isCreation: {false, true})
+		for (unsigned runs: {1, 2, 3, 20, 40, 100, 200, 400, 1000})
+		{
+			ConstantOptimisationMethod::optimiseConstants(
+					isCreation,
+					runs,
+					EVMVersion{},
+					assembly,
+					const_cast<AssemblyItems &>(assembly.items())
+			);
+		}
+}
+
+void FuzzerUtil::testStandardCompiler(string const& _input, bool _quiet)
+{
+	if (!_quiet)
+		cout << "Testing compiler via JSON interface." << endl;
+
+	runCompiler(_input);
+}
--- a/test/tools/fuzzer_common.h
+++ b/test/tools/fuzzer_common.h
@ -0,0 +1,35 @@
+/*
+	This file is part of solidity.
+
+	solidity is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	solidity is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <libdevcore/CommonIO.h>
+#include <libevmasm/Assembly.h>
+#include <libsolc/libsolc.h>
+#include <libevmasm/ConstantOptimiser.h>
+
+#include <libdevcore/JSON.h>
+
+#include <string>
+#include <sstream>
+#include <iostream>
+
+struct FuzzerUtil
+{
+	static void runCompiler(std::string _input);
+	static void testCompiler(std::string const& _input, bool _optimize, bool quiet);
+	static void testConstantOptimizer(std::string const& _input, bool _quiet);
+	static void testStandardCompiler(std::string const& _input, bool _quiet);
+};
--- a/test/tools/ossfuzz/CMakeLists.txt
+++ b/test/tools/ossfuzz/CMakeLists.txt
@ -0,0 +1,12 @@
+add_custom_target(ossfuzz)
+add_dependencies(ossfuzz solc_opt_ossfuzz solc_noopt_ossfuzz const_opt_ossfuzz)
+
+#[[FuzzingEngine.a is provided by oss-fuzz's Dockerized build environment]]
+add_executable(solc_opt_ossfuzz solc_opt_ossfuzz.cpp ../fuzzer_common.cpp)
+target_link_libraries(solc_opt_ossfuzz PRIVATE libsolc evmasm FuzzingEngine.a)
+
+add_executable(solc_noopt_ossfuzz solc_noopt_ossfuzz.cpp ../fuzzer_common.cpp)
+target_link_libraries(solc_noopt_ossfuzz PRIVATE libsolc evmasm FuzzingEngine.a)
+
+add_executable(const_opt_ossfuzz const_opt_ossfuzz.cpp ../fuzzer_common.cpp)
+target_link_libraries(const_opt_ossfuzz PRIVATE libsolc evmasm FuzzingEngine.a)
--- a/test/tools/ossfuzz/README.md
+++ b/test/tools/ossfuzz/README.md
@ -0,0 +1,20 @@
+## Intro
+
+[oss-fuzz][1] is Google's fuzzing infrastructure that performs continuous fuzzing. What this means is that, each and every upstream commit is automatically fetched by the infrastructure and fuzzed.
+
+## What does this directory contain?
+
+To help oss-fuzz do this, we (as project maintainers) need to provide the following:
+
+- test harnesses: C/C++ tests that define the `LLVMFuzzerTestOneInput` API. This determines what is to be fuzz tested.
+- build infrastructure: (c)make targets per fuzzing binary. Fuzzing requires coverage and memory instrumentation of the code to be fuzzed.
+
+## What is libFuzzingEngine.a?
+
+`libFuzzingEngine.a` is an oss-fuzz-related dependency. It is present in the Dockerized environment in which Solidity's oss-fuzz code will be built.
+
+## Is this directory relevant for routine Solidity CI builds?
+
+No. This is the reason why the `add_subdirectory(ossfuzz)` cmake directive is nested under the `if (OSSFUZZ)` predicate. `OSSFUZZ` is a solidity-wide cmake option that is invoked by the ossfuzz solidity-builder-bot in order to compile solidity fuzzer binaries.
+
+[1]: https://github.com/google/oss-fuzz
--- a/test/tools/ossfuzz/const_opt_ossfuzz.cpp
+++ b/test/tools/ossfuzz/const_opt_ossfuzz.cpp
@ -0,0 +1,27 @@
+/*
+	This file is part of solidity.
+
+	solidity is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	solidity is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <test/tools/fuzzer_common.h>
+
+using namespace std;
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t const* _data, size_t _size)
+{
+	string input(reinterpret_cast<char const*>(_data), _size);
+	FuzzerUtil::testConstantOptimizer(input, true);
+	return 0;
+}
--- a/test/tools/ossfuzz/solc_noopt_ossfuzz.cpp
+++ b/test/tools/ossfuzz/solc_noopt_ossfuzz.cpp
@ -0,0 +1,27 @@
+/*
+	This file is part of solidity.
+
+	solidity is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	solidity is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <test/tools/fuzzer_common.h>
+
+using namespace std;
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t const* _data, size_t _size)
+{
+	string input(reinterpret_cast<char const*>(_data), _size);
+	FuzzerUtil::testCompiler(input, /*optimize=*/false, /*quiet=*/true);
+	return 0;
+}
--- a/test/tools/ossfuzz/solc_opt_ossfuzz.cpp
+++ b/test/tools/ossfuzz/solc_opt_ossfuzz.cpp
@ -0,0 +1,27 @@
+/*
+	This file is part of solidity.
+
+	solidity is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	solidity is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <test/tools/fuzzer_common.h>
+
+using namespace std;
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t const* _data, size_t _size)
+{
+	string input(reinterpret_cast<char const*>(_data), _size);
+	FuzzerUtil::testCompiler(input, /*optimize=*/true, /*quiet=*/true);
+	return 0;
+}