From 4cac45dc4aa7561781015d37dadde3431b915cd3 Mon Sep 17 00:00:00 2001
From: Bhargava Shastry
Date: Tue, 29 Jan 2019 12:54:21 +0100
Subject: [PATCH] Add fuzzer config files for oss-fuzz and a solidity fuzzing dictionary. Update ossfuzz README.md.
---
 test/tools/ossfuzz/README.md | 8 +
 .../ossfuzz/config/solc_noopt_ossfuzz.options | 2 +
 .../ossfuzz/config/solc_opt_ossfuzz.options | 2 +
 test/tools/ossfuzz/config/solidity.dict | 213 ++++++++++++++++++
 4 files changed, 225 insertions(+)
 create mode 100644 test/tools/ossfuzz/config/solc_noopt_ossfuzz.options
 create mode 100644 test/tools/ossfuzz/config/solc_opt_ossfuzz.options
 create mode 100644 test/tools/ossfuzz/config/solidity.dict
diff --git a/test/tools/ossfuzz/README.md b/test/tools/ossfuzz/README.md
index eb75f822a..70469513c 100644
--- a/test/tools/ossfuzz/README.md
+++ b/test/tools/ossfuzz/README.md
@@ -8,6 +8,14 @@ To help oss-fuzz do this, we (as project maintainers) need to provide the follow - test harnesses: C/C++ tests that define the `LLVMFuzzerTestOneInput` API. This determines what is to be fuzz tested. - build infrastructure: (c)make targets per fuzzing binary. Fuzzing requires coverage and memory instrumentation of the code to be fuzzed. +- configuration files: These are files with the `.options` extension that are parsed by oss-fuzz. The only option that we use currently is the `dictionary` option that asks the fuzzing engines behind oss-fuzz to use the specified dictionary. The specified dictionary happens to be `solidity.dict.` + +`solidity.dict` contains Solidity-specific syntactical tokens that are more likely to guide the fuzzer towards generating parseable and varied Solidity input. + +To be consistent and aid better evaluation of the utility of the fuzzing dictionary, we stick to the following rules-of-thumb: + - Full tokens such as `block.number` are preceded and followed by a whitespace + - Incomplete tokens including function calls such as `msg.sender.send()` are abbreviated `.send(` to provide some leeway to the fuzzer to sythesize variants such as `address(this).send()` + - Language keywords are suffixed by a whitespace with the exception of those that end a line of code such as `break;` and `continue;` ## What is libFuzzingEngine.a? diff --git a/test/tools/ossfuzz/config/solc_noopt_ossfuzz.options b/test/tools/ossfuzz/config/solc_noopt_ossfuzz.options new file mode 100644 index 000000000..d596157f5 --- /dev/null +++ b/test/tools/ossfuzz/config/solc_noopt_ossfuzz.options @@ -0,0 +1,2 @@ +[libfuzzer] +dict = solidity.dict diff --git a/test/tools/ossfuzz/config/solc_opt_ossfuzz.options b/test/tools/ossfuzz/config/solc_opt_ossfuzz.options new file mode 100644 index 000000000..d596157f5 --- /dev/null +++ b/test/tools/ossfuzz/config/solc_opt_ossfuzz.options @@ -0,0 +1,2 @@ +[libfuzzer] +dict = solidity.dict 
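Review bot: The option key written in both new `.options` files is `dict = solidity.dict`, but the README text added in the same commit tells maintainers that "the only option that we use currently is the `dictionary` option"; the two names should agree, and since the libFuzzer flag is `-dict`, the README wording is the one to change, e.g. `The only option that we use currently is the \`dict\` option ...`. The same two-line content appears in both `solc_noopt_ossfuzz.options` and `solc_opt_ossfuzz.options`, so one note covers both hunks. The value is a bare file name, which presumably relies on the build script copying `solidity.dict` next to the fuzzer binaries in the oss-fuzz output directory; that step is not part of this patch, so it is worth confirming, because a missing dictionary file makes libFuzzer fail at startup rather than silently fuzz without it. A sentence in the README stating where the `.options` files and the dictionary must end up would make that dependency explicit.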
diff --git a/test/tools/ossfuzz/config/solidity.dict b/test/tools/ossfuzz/config/solidity.dict
new file mode 100644
index 000000000..5ff5318e4
--- /dev/null
+++ b/test/tools/ossfuzz/config/solidity.dict
@@ -0,0 +1,213 @@
+" address(this).balance "
+" block.coinbase "
+" block.difficulty "
+" block.gaslimit "
+" block.number "
+" block.timestamp "
+" days "
+" ether "
+" finney "
+" gasleft() "
+" hours "
+" minutes "
+" msg.data "
+" msg.gas "
+" msg.sender "
+" msg.sig "
+" msg.value "
+" now "
+" seconds "
+" szabo "
+" tx.gasprice "
+" tx.origin "
+" weeks "
+" wei "
+" years "
+"!="
+"%"
+"&"
+"("
+")"
+"*"
+"**"
+"+"
+"++"
+"-"
+"--"
+".balance"
+".call("
+".callcode("
+".creationCode"
+".delegatecall("
+".gas("
+".kill("
+".length"
+".pop();"
+".push("
+".runtimeCode"
+".send("
+".staticcall("
+".transfer("
+".value"
+"/"
+"//"
+"0**0"
+"1.1"
+"2e10"
+":="
+";"
+"<"
+"<<"
+"<="
+"=="
+">"
+">="
+">>"
+"[a, b, c]"
+"\\udead"
+"\\xff"
+"^"
+"abi.encode("
+"abi.encodePacked("
+"abi.encodeWithSelector("
+"abi.encodeWithSignature("
+"add("
+"addmod("
+"address(this).call("
+"address(this).callcode("
+"address(this).delegatecall("
+"address(this).send("
+"address(this).transfer("
+"anonymous"
+"assembly { "
+"assert("
+"block.blockhash("
+"bool "
+"break;"
+"byte "
+"bytes("
+"bytes1 "
+"bytes10 "
+"bytes11 "
+"bytes12 "
+"bytes13 "
+"bytes14 "
+"bytes15 "
+"bytes16 "
+"bytes17 "
+"bytes18 "
+"bytes19 "
+"bytes2 "
+"bytes20 "
+"bytes21 "
+"bytes22 "
+"bytes23 "
+"bytes24 "
+"bytes25 "
+"bytes26 "
+"bytes27 "
+"bytes28 "
+"bytes29 "
+"bytes3 "
+"bytes30 "
+"bytes32 "
+"bytes4 "
+"bytes5 "
+"bytes6 "
+"bytes7 "
+"bytes8 "
+"bytes9 "
+"constant "
+"constructor "
+"continue;"
+"contract "
+"delete "
+"do "
+"ecrecover("
+"else "
+"emit a("
+"enum B { "
+"event e("
+"external "
+"false "
+"fixed "
+"fixed128x128 "
+"for (a=0;a<2;a++) "
+"function bid() public payable { "
+"hex\"001122FF\""
+"if "
+"int "
+"int x = -2**255;"
+"int256 "
+"int8 "
+"interface i { "
+"internal "
+"is "
+"keccak256("
+"keccak256.gas("
+"keccak256.value("
+"let x := "
+"library l { "
+"log0("
+"log1("
+"log2("
+"log3("
+"log4("
+"mapping("
+"memory m = "
+"modifier onlySeller() { "
+"mulmod("
+"new "
+"payable "
+"pragma experimental ABIEncoderV2;"
+"pragma experimental SMTChecker;"
+"pragma solidity >=0.4.0;"
+"pragma solidity ^90.90.0"
+"public "
+"pure "
+"require("
+"require(msg.sender == 0,\"\""
+"return "
+"returns ("
+"revert("
+"ripemd160("
+"ripemd160.gas("
+"ripemd160.value("
+"self"
+"selfdestruct("
+"sha256("
+"sha256.gas("
+"sha256.value("
+"sha3("
+"storage sto = "
+"string memory str = "
+"string storage str = "
+"struct V { "
+"suicide("
+"super "
+"switch "
+"this"
+"throw "
+"true "
+"try "
+"type("
+"ufixed "
+"ufixed128x128 "
+"uint "
+"uint256 "
+"uint8 "
+"uint[] "
+"uint[][5] "
+"using "
+"var "
+"view "
+"while "
+"x % y"
+"x * 2**y"
+"x / 2**y"
+"x << y"
+"{ uint x; }"
+"{"
+"|"
+"}"
+"~"
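Review bot: The fixed-size byte types run from `"bytes1 "` through `"bytes32 "` but skip `bytes31`, so that one width is never offered to the fuzzer; add the entry `"bytes31 "` between `"bytes30 "` and `"bytes32 "` to keep the sequence complete. A few entries also break the whitespace rule the README in this same commit lays down: `"this"`, `"self"` and `"anonymous"` carry no surrounding or trailing space while `" now "`, `"super "` and `"payable "` do, which makes the dictionary harder to evaluate against its own stated convention — `"anonymous "` and `" this "` would match the rule, and `self` is not a Solidity keyword, so that entry may be a leftover from `selfdestruct(`. Finally, `"pragma solidity ^90.90.0"` is the only pragma without a trailing `;`; if the intent is to exercise an unsatisfiable version pragma, a trailing comment in the commit message or README saying so would stop a later maintainer from "fixing" it, and if not, it should read `"pragma solidity ^90.90.0;"`.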