Fuzzer for stack optimiser/code generator.

.circleci/config.yml

@@ -90,6 +90,7 @@ defaults:
         - test/tools/ossfuzz/const_opt_ossfuzz
         - test/tools/ossfuzz/solc_mutator_ossfuzz
         - test/tools/ossfuzz/solc_ossfuzz
+        - test/tools/ossfuzz/stack_reuse_codegen_ossfuzz
         - test/tools/ossfuzz/strictasm_assembly_ossfuzz
         - test/tools/ossfuzz/strictasm_diff_ossfuzz
         - test/tools/ossfuzz/strictasm_opt_ossfuzz

test/EVMHost.cpp

@@ -140,6 +140,8 @@ void EVMHost::reset()
 {
 	accounts.clear();
 	m_currentAddress = {};
+	// Clear self destruct records
+	recorded_selfdestructs.clear();
 
 	// Mark all precompiled contracts as existing. Existing here means to have a balance (as per EIP-161).
 	// NOTE: keep this in sync with `EVMHost::call` below.
@@ -164,6 +166,8 @@ void EVMHost::selfdestruct(const evmc::address& _addr, const evmc::address& _ben
 	evmc::uint256be balance = accounts[_addr].balance;
 	accounts.erase(_addr);
 	accounts[_beneficiary].balance = balance;
+	// Record self destructs
+	recorded_selfdestructs.push_back({_addr, _beneficiary});
 }
 
 evmc::result EVMHost::call(evmc_message const& _message) noexcept
@@ -768,6 +772,13 @@ void EVMHost::print_all_storage(ostringstream& _os)
 	}
 }
 
+void EVMHost::print_storage_at(evmc::address const& _addr, ostringstream& _os)
+{
+	for (auto const& [slot, value]: get_address_storage(_addr))
+		if (get_storage(_addr, slot))
+			_os << convertFromEVMC(slot) << ": " << convertFromEVMC(value.value) << endl;
+}
+
 StorageMap const& EVMHost::get_address_storage(evmc::address const& _addr)
 {
 	assertThrow(account_exists(_addr), Exception, "Account does not exist.");

test/EVMHost.h

@@ -64,6 +64,9 @@ public:
 	/// Prints contents of storage at all addresses in host to @param _os.
 	void print_all_storage(std::ostringstream& _os);
 
+	/// Prints contents of storage at @param _addr to @param _os.
+	void print_storage_at(evmc::address const& _addr, std::ostringstream& _os);
+
 	/// @returns contents of storage at @param _addr.
 	std::unordered_map<evmc::bytes32, evmc::storage_value> const& get_address_storage(evmc::address const& _addr);
 

test/tools/ossfuzz/CMakeLists.txt

@@ -15,6 +15,7 @@ if (OSSFUZZ)
             yul_proto_ossfuzz
             yul_proto_diff_ossfuzz
             yul_proto_diff_custom_mutate_ossfuzz
+            stack_reuse_codegen_ossfuzz
     )
 
     add_custom_target(ossfuzz_abiv2)
@@ -107,6 +108,32 @@ if (OSSFUZZ)
     set_target_properties(yul_proto_diff_custom_mutate_ossfuzz PROPERTIES LINK_FLAGS ${LIB_FUZZING_ENGINE})
     target_compile_options(yul_proto_diff_custom_mutate_ossfuzz PUBLIC ${COMPILE_OPTIONS} -Wno-sign-conversion -Wno-suggest-destructor-override -Wno-inconsistent-missing-destructor-override)
 
+    add_executable(stack_reuse_codegen_ossfuzz
+            StackReuseCodegenFuzzer.cpp
+            protoToYul.cpp
+            yulProto.pb.cc
+            ../../EVMHost.cpp
+            YulEvmoneInterface.cpp
+    )
+    target_include_directories(stack_reuse_codegen_ossfuzz PRIVATE /usr/include/libprotobuf-mutator)
+    target_link_libraries(stack_reuse_codegen_ossfuzz PRIVATE yul
+            evmc
+            evmone-standalone
+            yulInterpreter
+            protobuf-mutator-libfuzzer.a
+            protobuf-mutator.a
+            protobuf.a
+            )
+    set_target_properties(stack_reuse_codegen_ossfuzz PROPERTIES LINK_FLAGS ${LIB_FUZZING_ENGINE})
+    target_compile_options(stack_reuse_codegen_ossfuzz PUBLIC
+            ${COMPILE_OPTIONS}
+            -Wno-sign-conversion
+            -Wno-inconsistent-missing-destructor-override
+            -Wno-unused-parameter
+            -Wno-zero-length-array
+            -Wno-suggest-destructor-override
+    )
+
     add_executable(abiv2_proto_ossfuzz
             ../../EVMHost.cpp
             abiV2ProtoFuzzer.cpp

test/tools/ossfuzz/StackReuseCodegenFuzzer.cpp

@@ -0,0 +1,146 @@
+/*
+    This file is part of solidity.
+
+    solidity is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    solidity is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <test/tools/ossfuzz/yulProto.pb.h>
+#include <test/tools/ossfuzz/protoToYul.h>
+
+#include <test/EVMHost.h>
+
+#include <test/tools/ossfuzz/YulEvmoneInterface.h>
+
+#include <libyul/Exceptions.h>
+
+#include <libyul/backends/evm/EVMCodeTransform.h>
+#include <libyul/backends/evm/EVMDialect.h>
+
+#include <libevmasm/Instruction.h>
+
+#include <liblangutil/EVMVersion.h>
+
+#include <evmone/evmone.h>
+
+#include <src/libfuzzer/libfuzzer_macro.h>
+
+#include <fstream>
+
+using namespace solidity;
+using namespace solidity::test;
+using namespace solidity::test::fuzzer;
+using namespace solidity::yul;
+using namespace solidity::yul::test;
+using namespace solidity::yul::test::yul_fuzzer;
+using namespace solidity::langutil;
+using namespace std;
+
+static evmc::VM evmone = evmc::VM{evmc_create_evmone()};
+
+DEFINE_PROTO_FUZZER(Program const& _input)
+{
+	bool filterStatefulInstructions = true;
+	bool filterUnboundedLoops = true;
+	ProtoConverter converter(
+		filterStatefulInstructions,
+		filterUnboundedLoops
+	);
+	string yul_source = converter.programToString(_input);
+	// Fuzzer also fuzzes the EVM version field.
+	langutil::EVMVersion version = converter.version();
+	EVMHost hostContext(version, evmone);
+	hostContext.reset();
+
+	if (const char* dump_path = getenv("PROTO_FUZZER_DUMP_PATH"))
+	{
+		ofstream of(dump_path);
+		of.write(yul_source.data(), static_cast<streamsize>(yul_source.size()));
+	}
+
+	// Do not proceed with tests that are too large. 1200 is an arbitrary
+	// threshold.
+	if (yul_source.size() > 1200)
+		return;
+
+	YulStringRepository::reset();
+
+	solidity::frontend::OptimiserSettings settings = solidity::frontend::OptimiserSettings::full();
+	settings.runYulOptimiser = false;
+	settings.optimizeStackAllocation = false;
+	bytes unoptimisedByteCode;
+	try
+	{
+		unoptimisedByteCode = YulAssembler{version, settings, yul_source}.assemble();
+	}
+	catch (solidity::yul::StackTooDeepError const&)
+	{
+		return;
+	}
+
+	evmc::result deployResult = YulEvmoneUtility{}.deployCode(unoptimisedByteCode, hostContext);
+	if (deployResult.status_code != EVMC_SUCCESS)
+		return;
+	auto callMessage = YulEvmoneUtility{}.callMessage(deployResult.create_address);
+	evmc::result callResult = hostContext.call(callMessage);
+	// If the fuzzer synthesized input does not contain the revert opcode which
+	// we lazily check by string find, the EVM call should not revert.
+	bool noRevertInSource = yul_source.find("revert") == string::npos;
+	if (noRevertInSource)
+		solAssert(
+			callResult.status_code != EVMC_REVERT,
+			"SolidityEvmoneInterface: EVM One reverted"
+		);
+	// Out of gas errors are problematic because it is possible that the
+	// optimizer makes them go away, making EVM state impossible to
+	// compare in general.
+	if (callResult.status_code == EVMC_OUT_OF_GAS)
+		return;
+
+	if (YulEvmoneUtility{}.checkSelfDestructs(hostContext, deployResult.create_address))
+		return;
+	ostringstream unoptimizedStorage;
+	hostContext.print_storage_at(deployResult.create_address, unoptimizedStorage);
+
+	settings.runYulOptimiser = true;
+	settings.optimizeStackAllocation = true;
+	bytes optimisedByteCode;
+	try
+	{
+		optimisedByteCode = YulAssembler{version, settings, yul_source}.assemble();
+	}
+	catch (solidity::yul::StackTooDeepError const&)
+	{
+		return;
+	}
+	evmc::result deployResultOpt = YulEvmoneUtility{}.deployCode(optimisedByteCode, hostContext);
+	solAssert(
+		deployResultOpt.status_code == EVMC_SUCCESS,
+		"Evmone: Optimized contract creation failed"
+	);
+	auto callMessageOpt = YulEvmoneUtility{}.callMessage(deployResultOpt.create_address);
+	evmc::result callResultOpt = hostContext.call(callMessageOpt);
+	if (noRevertInSource)
+		solAssert(
+			callResultOpt.status_code != EVMC_REVERT,
+			"SolidityEvmoneInterface: EVM One reverted"
+		);
+	if (YulEvmoneUtility{}.checkSelfDestructs(hostContext, deployResultOpt.create_address))
+		return;
+	ostringstream optimizedStorage;
+	hostContext.print_storage_at(deployResultOpt.create_address, optimizedStorage);
+	solAssert(
+		unoptimizedStorage.str() == optimizedStorage.str(),
+		"Storage of unoptimised and optimised stack reused code do not match."
+	);
+}

test/tools/ossfuzz/YulEvmoneInterface.cpp

@@ -0,0 +1,89 @@
+/*
+    This file is part of solidity.
+
+    solidity is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    solidity is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <test/tools/ossfuzz/YulEvmoneInterface.h>
+
+#include <libyul/Exceptions.h>
+
+using namespace solidity;
+using namespace solidity::test::fuzzer;
+using namespace solidity::yul;
+
+bytes YulAssembler::assemble()
+{
+	if (
+		!m_stack.parseAndAnalyze("source", m_yulProgram) ||
+		!m_stack.parserResult()->code ||
+		!m_stack.parserResult()->analysisInfo ||
+		!langutil::Error::containsOnlyWarnings(m_stack.errors())
+	)
+		yulAssert(false, "Yul program could not be parsed successfully.");
+
+	if (m_optimiseYul)
+		m_stack.optimize();
+	return m_stack.assemble(AssemblyStack::Machine::EVM).bytecode->bytecode;
+}
+
+evmc::result YulEvmoneUtility::deployCode(bytes const& _input, EVMHost& _host)
+{
+	// Zero initialize all message fields
+	evmc_message msg = {};
+	// Gas available (value of type int64_t) is set to its maximum value
+	msg.gas = std::numeric_limits<int64_t>::max();
+	solAssert(
+		_input.size() <= 0xffff,
+		"Deployed byte code is larger than the permissible 65535 bytes."
+	);
+	uint8_t inputSizeHigher = static_cast<uint8_t>(_input.size() >> 8);
+	uint8_t inputSizeLower = _input.size() & 0xff;
+	/*
+	 * CODESIZE
+	 * PUSH0 0xc
+	 * PUSH0 0x0
+	 * CODECOPY
+	 * PUSH1 <INPUTSIZE>
+	 * PUSH0 0x0
+	 * RETURN
+	 */
+	bytes deployCode = bytes{
+		0x38, 0x60, 0x0c, 0x60, 0x00, 0x39, 0x61,
+		inputSizeHigher, inputSizeLower,
+		0x60, 0x00, 0xf3
+	} + _input;
+	msg.input_data = deployCode.data();
+	msg.input_size = deployCode.size();
+	msg.kind = EVMC_CREATE;
+	return _host.call(msg);
+}
+
+evmc_message YulEvmoneUtility::callMessage(evmc_address _address)
+{
+	evmc_message call = {};
+	call.gas = std::numeric_limits<int64_t>::max();
+	call.destination = _address;
+	call.kind = EVMC_CALL;
+	return call;
+}
+
+bool YulEvmoneUtility::checkSelfDestructs(EVMHost& _host, evmc_address _address)
+{
+	for (auto const& selfDestructRecord: _host.recorded_selfdestructs)
+		if (selfDestructRecord.selfdestructed == _address)
+			return true;
+	return false;
+}
+

test/tools/ossfuzz/YulEvmoneInterface.h

@@ -0,0 +1,61 @@
+/*
+    This file is part of solidity.
+
+    solidity is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    solidity is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with solidity.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#pragma once
+
+#include <test/EVMHost.h>
+
+#include <libyul/AssemblyStack.h>
+
+#include <libsolidity/interface/OptimiserSettings.h>
+
+namespace solidity::test::fuzzer
+{
+class YulAssembler
+{
+public:
+	YulAssembler(
+		langutil::EVMVersion _version,
+		solidity::frontend::OptimiserSettings _optSettings,
+		std::string const& _yulSource
+	):
+		m_stack(
+			_version,
+			solidity::yul::AssemblyStack::Language::StrictAssembly,
+			_optSettings
+		),
+		m_yulProgram(_yulSource),
+		m_optimiseYul(_optSettings.runYulOptimiser)
+	{}
+	solidity::bytes assemble();
+private:
+	solidity::yul::AssemblyStack m_stack;
+	std::string m_yulProgram;
+	bool m_optimiseYul;
+};
+
+struct YulEvmoneUtility
+{
+	/// @returns the result of deploying bytecode @param _input on @param _host.
+	static evmc::result deployCode(solidity::bytes const& _input, EVMHost& _host);
+	/// @returns call message to be sent to @param _address.
+	static evmc_message callMessage(evmc_address _address);
+	/// @returns true if @param _address is in the list of self destructed
+	/// accounts, false otherwise.
+	static bool checkSelfDestructs(EVMHost& _host, evmc_address _address);
+};
+}