logos-blockchain/lez-fuzzing
1
0
Fork 0
mirror of https://github.com/logos-blockchain/lez-fuzzing.git synced 2026-06-07 11:39:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: AFL CI workflow

Browse Source
This commit is contained in:
Roman 2026-05-25 13:06:53 +08:00
parent d1e9ea8e3d
commit aefb30f369
No known key found for this signature in database
GPG Key ID: 583BDF43C238B83E
1 changed files with 95 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
.github/workflows/fuzz-afl.yml vendored
View File

@ -4,36 +4,62 @@ on:
schedule: schedule:
- cron: "0 2 * * *" # nightly at 02:00 UTC - cron: "0 2 * * *" # nightly at 02:00 UTC
workflow_dispatch: # manual trigger workflow_dispatch: # manual trigger
push:
branches:
- feat-add-afl-fuzzing
env: env:
RISC0_DEV_MODE: "1" RISC0_DEV_MODE: "1"
jobs: jobs:
# ──────────────────────────────────────────────────────────────────────────── # ────────────────────────────────────────────────────────────────────────────
# afl-smoke — 120-second campaign for 7 priority targets # afl-smoke — 120-second campaign for all 15 targets
# ──────────────────────────────────────────────────────────────────────────── # ────────────────────────────────────────────────────────────────────────────
afl-smoke: afl-smoke:
name: "AFL++ smoke — ${{ matrix.target }}" name: "AFL++ smoke — ${{ matrix.target }}"
runs-on: ubuntu-latest runs-on: ubuntu-latest
container:
image: aflplusplus/aflplusplus:v4.40c permissions:
contents: read
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
target: target:
- fuzz_transaction_decoding
- fuzz_encoding_roundtrip
- fuzz_state_serialization
- fuzz_stateless_verification
- fuzz_state_transition
- fuzz_apply_state_diff_split_path - fuzz_apply_state_diff_split_path
- fuzz_block_verification
- fuzz_encoding_roundtrip
- fuzz_multi_block_state_sequence
- fuzz_program_deployment_lifecycle
- fuzz_replay_prevention
- fuzz_sequencer_vs_replayer - fuzz_sequencer_vs_replayer
- fuzz_signature_verification
- fuzz_state_diff_computation
- fuzz_state_serialization
- fuzz_state_transition
- fuzz_stateless_verification
- fuzz_transaction_decoding
- fuzz_validate_execute_consistency
- fuzz_witness_set_verification
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install AFL++ v4.40c from source
run: |
sudo apt-get update -q
sudo apt-get install -y \
build-essential python3-dev automake cmake \
flex bison libglib2.0-dev libpixman-1-dev \
python3-setuptools ninja-build
git clone --depth 1 --branch v4.40c \
https://github.com/AFLplusplus/AFLplusplus /tmp/aflplusplus
cd /tmp/aflplusplus
make distrib
sudo make install
afl-fuzz --version
- name: Install Rust (stable) - name: Install Rust (stable)
uses: dtolnay/rust-toolchain@stable uses: dtolnay/rust-toolchain@stable
@ -50,61 +76,49 @@ jobs:
- name: Build fuzz target - name: Build fuzz target
run: | run: |
cd fuzz && cargo afl build \ cargo afl build \
--manifest-path fuzz/Cargo.toml \
--no-default-features \ --no-default-features \
--features fuzzer-afl \ --features fuzzer-afl \
--release \ --release \
--bin ${{ matrix.target }} --bin ${{ matrix.target }}
- name: Create corpus directories - name: Prepare seed corpus
run: |
mkdir -p corpus/libfuzz/${{ matrix.target }}
mkdir -p corpus/afl/${{ matrix.target }}
- name: Run AFL++ for 120 seconds
run: |
mkdir -p afl-output/${{ matrix.target }}
timeout 120 \
afl-fuzz \
-i corpus/libfuzz/${{ matrix.target }} \
-o afl-output/${{ matrix.target }} \
-- fuzz/target/release/${{ matrix.target }} \
|| true # timeout exit code 124 is expected
- name: Sync queue entries to AFL corpus
run: | run: |
TARGET="${{ matrix.target }}" TARGET="${{ matrix.target }}"
DEST="corpus/afl/${TARGET}" SEEDS="afl-seeds/${TARGET}"
mkdir -p "$DEST" mkdir -p "$SEEDS"
count=0 # Merge checked-in libFuzzer corpus and accumulated AFL corpus
for instance_dir in afl-output/${TARGET}/*/; do for src in corpus/libfuzz/${TARGET} corpus/afl/${TARGET}; do
QUEUE="${instance_dir}queue" [ -d "$src" ] || continue
[ -d "$QUEUE" ] || continue for f in "$src"/*; do
for f in "$QUEUE"/id:*; do
[ -f "$f" ] || continue [ -f "$f" ] || continue
HASH=$(sha1sum "$f" | cut -d' ' -f1) cp -n "$f" "$SEEDS/" 2>/dev/null || true
DEST_FILE="${DEST}/${HASH}"
if [ ! -f "$DEST_FILE" ]; then
cp "$f" "$DEST_FILE"
count=$((count + 1))
fi
done done
done done
echo "Synced ${count} new input(s) to ${DEST}" # Guarantee at least one seed so afl-fuzz does not abort
if [ -z "$(ls -A "$SEEDS")" ]; then
echo -n "seed" > "$SEEDS/default_seed"
fi
echo "Seed inputs: $(ls "$SEEDS" | wc -l)"
- name: Open corpus PR (if new inputs found) - name: Run AFL++ for 120 seconds
uses: peter-evans/create-pull-request@v6 env:
with: AFL_SKIP_CPUFREQ: "1"
commit-message: "chore: add AFL++ corpus entries for ${{ matrix.target }}" AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: "1"
title: "AFL++ corpus update — ${{ matrix.target }}" run: |
body: | TARGET="${{ matrix.target }}"
Automated corpus update from the nightly AFL++ smoke run. mkdir -p afl-output/${TARGET}
Target: `${{ matrix.target }}` timeout 120 \
branch: "afl-corpus/${{ matrix.target }}" afl-fuzz \
add-paths: "corpus/afl/${{ matrix.target }}/" -i afl-seeds/${TARGET} \
delete-branch: true -o afl-output/${TARGET} \
-- fuzz/target/release/${TARGET}
rc=$?
# 124 = SIGALRM from timeout (expected); 0 = clean exit; anything else is a real failure
[ $rc -eq 0 ] || [ $rc -eq 124 ] || exit $rc
- name: Upload crashes and hangs artifact - name: Upload crashes, hangs, and queue artifact
if: always() if: always()
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:
@ -112,10 +126,11 @@ jobs:
path: | path: |
afl-output/${{ matrix.target }}/*/crashes/ afl-output/${{ matrix.target }}/*/crashes/
afl-output/${{ matrix.target }}/*/hangs/ afl-output/${{ matrix.target }}/*/hangs/
afl-output/${{ matrix.target }}/*/queue/
if-no-files-found: ignore if-no-files-found: ignore
# ──────────────────────────────────────────────────────────────────────────── # ────────────────────────────────────────────────────────────────────────────
# afl-coverage — LLVM coverage report for 3 key targets # afl-coverage — LLVM coverage report for all 15 targets
# ──────────────────────────────────────────────────────────────────────────── # ────────────────────────────────────────────────────────────────────────────
afl-coverage: afl-coverage:
name: "AFL++ coverage — ${{ matrix.target }}" name: "AFL++ coverage — ${{ matrix.target }}"
@ -126,9 +141,21 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
target: target:
- fuzz_state_transition
- fuzz_sequencer_vs_replayer
- fuzz_apply_state_diff_split_path - fuzz_apply_state_diff_split_path
- fuzz_block_verification
- fuzz_encoding_roundtrip
- fuzz_multi_block_state_sequence
- fuzz_program_deployment_lifecycle
- fuzz_replay_prevention
- fuzz_sequencer_vs_replayer
- fuzz_signature_verification
- fuzz_state_diff_computation
- fuzz_state_serialization
- fuzz_state_transition
- fuzz_stateless_verification
- fuzz_transaction_decoding
- fuzz_validate_execute_consistency
- fuzz_witness_set_verification
steps: steps:
- name: Checkout repository - name: Checkout repository
@ -139,15 +166,12 @@ jobs:
with: with:
components: llvm-tools-preview components: llvm-tools-preview
- name: Install cargo-afl
run: cargo install cargo-afl --locked
- name: Download smoke findings for ${{ matrix.target }} - name: Download smoke findings for ${{ matrix.target }}
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
with: with:
name: afl-findings-${{ matrix.target }} name: afl-findings-${{ matrix.target }}
path: afl-output/${{ matrix.target }} path: afl-output/${{ matrix.target }}
continue-on-error: true # no crashes/hangs is fine continue-on-error: true # no crashes/hangs/queue is fine
- name: Build with LLVM instrumented coverage - name: Build with LLVM instrumented coverage
env: env:
@ -170,13 +194,20 @@ jobs:
idx=0 idx=0
# libFuzzer corpus (checked-in) # libFuzzer corpus (checked-in)
for f in corpus/libfuzz/${TARGET}/id:* corpus/libfuzz/${TARGET}/*; do for f in corpus/libfuzz/${TARGET}/*; do
[ -f "$f" ] || continue [ -f "$f" ] || continue
LLVM_PROFILE_FILE="${PROFRAW_DIR}/${idx}.profraw" "$BINARY" < "$f" 2>/dev/null || true LLVM_PROFILE_FILE="${PROFRAW_DIR}/${idx}.profraw" "$BINARY" < "$f" 2>/dev/null || true
idx=$((idx + 1)) idx=$((idx + 1))
done done
# AFL++ queue entries (if available from the smoke job) # AFL corpus (checked-in, accumulated from prior runs)
for f in corpus/afl/${TARGET}/*; do
[ -f "$f" ] || continue
LLVM_PROFILE_FILE="${PROFRAW_DIR}/${idx}.profraw" "$BINARY" < "$f" 2>/dev/null || true
idx=$((idx + 1))
done
# AFL++ queue entries from today's smoke run (downloaded artifact)
for instance_dir in afl-output/${TARGET}/*/; do for instance_dir in afl-output/${TARGET}/*/; do
QUEUE="${instance_dir}queue" QUEUE="${instance_dir}queue"
[ -d "$QUEUE" ] || continue [ -d "$QUEUE" ] || continue
@ -193,13 +224,14 @@ jobs:
TARGET="${{ matrix.target }}" TARGET="${{ matrix.target }}"
PROFRAW_DIR="coverage/afl/${TARGET}/profraw" PROFRAW_DIR="coverage/afl/${TARGET}/profraw"
PROFDATA="coverage/afl/${TARGET}/merged.profdata" PROFDATA="coverage/afl/${TARGET}/merged.profdata"
LLVM_PROFDATA="$(rustup which llvm-profdata)"
shopt -s nullglob shopt -s nullglob
files=("${PROFRAW_DIR}"/*.profraw) files=("${PROFRAW_DIR}"/*.profraw)
if [ ${#files[@]} -eq 0 ]; then if [ ${#files[@]} -eq 0 ]; then
echo "No .profraw files found — skipping merge." echo "No .profraw files found — skipping merge."
exit 0 exit 0
fi fi
llvm-profdata merge -sparse "${files[@]}" -o "$PROFDATA" "$LLVM_PROFDATA" merge -sparse "${files[@]}" -o "$PROFDATA"
- name: Generate HTML coverage report - name: Generate HTML coverage report
run: | run: |
@ -207,12 +239,13 @@ jobs:
BINARY="fuzz/target/release/${TARGET}" BINARY="fuzz/target/release/${TARGET}"
PROFDATA="coverage/afl/${TARGET}/merged.profdata" PROFDATA="coverage/afl/${TARGET}/merged.profdata"
HTML_DIR="coverage/afl/${TARGET}/html" HTML_DIR="coverage/afl/${TARGET}/html"
LLVM_COV="$(rustup which llvm-cov)"
if [ ! -f "$PROFDATA" ]; then if [ ! -f "$PROFDATA" ]; then
echo "No profdata — skipping HTML report." echo "No profdata — skipping HTML report."
exit 0 exit 0
fi fi
mkdir -p "$HTML_DIR" mkdir -p "$HTML_DIR"
llvm-cov show \ "$LLVM_COV" show \
"$BINARY" \ "$BINARY" \
--instr-profile="$PROFDATA" \ --instr-profile="$PROFDATA" \
--format=html \ --format=html \