solidity/test/tools/ossfuzz
chriseth 192946c1ba
Merge pull request #7413 from ethereum/ossfuzz-link-correctly
Link ossfuzz targets with -fsanitize=fuzzer instead of libFuzzingEngine
2019-09-12 20:22:53 +02:00
| File | Last commit | Date |
|---|---|---|
| config | Adds oss-fuzz harnesses to fuzz AssemblyStack API calls for parsing/optimizing StrictAssembly and generating EVM bytecode. | 2019-03-20 16:06:45 +01:00 |
| abiV2FuzzerCommon.cpp | Add evmc and host interface implementation. Modify fuzzer harness to make use of evmc host/vm. | 2019-07-17 10:55:33 +02:00 |
| abiV2FuzzerCommon.h | Updated evmc to version tracked by evmone v0.1.0 | 2019-07-17 14:24:27 +02:00 |
| abiV2Proto.proto | Test low level calls with correct and incorrect encodings | 2019-08-06 09:43:55 +02:00 |
| abiV2ProtoFuzzer.cpp | Use evmone for testing. | 2019-08-08 17:35:44 +02:00 |
| CMakeLists.txt | Link ossfuzz targets with -fsanitize=fuzzer instead of libFuzzingEngine supplied by docker image | 2019-09-12 11:26:05 +02:00 |
| const_opt_ossfuzz.cpp | Reduce input file size for solc and constant optimizer fuzzers. | 2019-03-06 11:35:22 +01:00 |
| protoToAbiV2.cpp | Abiv2 proto fuzzer: Crop at least 32 bytes if last dynamically encoded parameter is right padded | 2019-09-09 10:07:30 +02:00 |
| protoToAbiV2.h | Abiv2 proto fuzzer: Crop at least 32 bytes if last dynamically encoded parameter is right padded | 2019-09-09 10:07:30 +02:00 |
| protoToYul.cpp | Pseudo-randomly choose object/data identifier that is in scope | 2019-09-11 10:57:54 +02:00 |
| protoToYul.h | Pseudo-randomly choose object/data identifier that is in scope | 2019-09-11 10:57:54 +02:00 |
| README.md | Add fuzzer config files for oss-fuzz and a solidity fuzzing dictionary. | 2019-02-04 15:58:41 +01:00 |
| solc_noopt_ossfuzz.cpp | Reduce input file size for solc and constant optimizer fuzzers. | 2019-03-06 11:35:22 +01:00 |
| solc_opt_ossfuzz.cpp | Reduce input file size for solc and constant optimizer fuzzers. | 2019-03-06 11:35:22 +01:00 |
| strictasm_assembly_ossfuzz.cpp | Reset Yul string repository before each compilation. | 2019-05-28 13:12:39 +02:00 |
| strictasm_diff_ossfuzz.cpp | Reset Yul string repository before each compilation. | 2019-05-28 13:12:39 +02:00 |
| strictasm_opt_ossfuzz.cpp | Reset Yul string repository before each compilation. | 2019-05-28 13:12:39 +02:00 |
| yulFuzzerCommon.cpp | Change interpreter memory to be non-contiguous. | 2019-09-02 13:51:47 +02:00 |
| yulFuzzerCommon.h | Change interpreter memory to be non-contiguous. | 2019-09-02 13:51:47 +02:00 |
| yulOptimizerFuzzDictionary.h | Do not create duplicate case statements | 2019-08-26 12:44:06 +02:00 |
| yulProto_diff_ossfuzz.cpp | Add object access builtin functions | 2019-09-11 10:57:54 +02:00 |
| yulProto.proto | Pseudo-randomly choose object/data identifier that is in scope | 2019-09-11 10:57:54 +02:00 |
| yulProtoFuzzer.cpp | Reset Yul string repository before each compilation. | 2019-05-28 13:12:39 +02:00 |

Intro

oss-fuzz is Google's continuous fuzzing infrastructure: each upstream commit is automatically fetched by the infrastructure and fuzzed.

What does this directory contain?

To help oss-fuzz do this, we (as project maintainers) need to provide the following:

  • test harnesses: C/C++ tests that implement the LLVMFuzzerTestOneInput entry point. The harness determines what is fuzz tested.
  • build infrastructure: (c)make targets, one per fuzzing binary. Fuzzing requires coverage and memory instrumentation of the code under test.
  • configuration files: files with the .options extension that oss-fuzz parses. The only option we currently use is the dictionary option, which tells the fuzzing engines behind oss-fuzz to use the specified dictionary, solidity.dict.

solidity.dict contains Solidity-specific syntactical tokens that are more likely to guide the fuzzer towards generating parseable and varied Solidity input.

To be consistent and aid better evaluation of the utility of the fuzzing dictionary, we stick to the following rules-of-thumb:

  • Full tokens such as block.number are preceded and followed by a whitespace character
  • Incomplete tokens, including function calls such as msg.sender.send(), are abbreviated to .send( to give the fuzzer some leeway to synthesize variants such as address(this).send()
  • Language keywords are suffixed by a whitespace character, with the exception of those that end a line of code, such as break; and continue;

What is libFuzzingEngine.a?

libFuzzingEngine.a is an oss-fuzz-related dependency. It is present in the Dockerized environment in which Solidity's oss-fuzz code will be built.

Is this directory relevant for routine Solidity CI builds?

No. That is why the add_subdirectory(ossfuzz) cmake directive is nested under the if (OSSFUZZ) predicate. OSSFUZZ is a solidity-wide cmake option that the ossfuzz solidity-builder-bot enables in order to compile the solidity fuzzer binaries.