Fuzzing tests for SSZ

2020-05-19 20:48:52 +03:00 · 2020-05-19 20:48:52 +03:00 · 52c3ebf631
parent 30f84224a4
commit 52c3ebf631
11 changed files with 108 additions and 1 deletions
--- a/scripts/run_ssz_fuzzing_test.nims
+++ b/scripts/run_ssz_fuzzing_test.nims
@ -0,0 +1,46 @@
+import os except dirExists
+import strformat, confutils
+
+const
+  gitRoot = thisDir() / ".."
+  fixturesDir = gitRoot / "vendor" / "nim-eth2-scenarios" / "tests-v0.11.2" / "mainnet" / "phase0" / "ssz_static"
+
+  fuzzingTestsDir = gitRoot / "tests" / "fuzzing"
+  fuzzingCorpusesDir = fuzzingTestsDir / "corpus"
+
+  fuzzNims = gitRoot / "vendor" / "nim-testutils" / "testutils" / "fuzzing" / "fuzz.nims"
+
+type
+  FuzzerKind = enum
+    libFuzzer
+    afl
+
+cli do (testname {.argument.}: string,
+        fuzzer = libFuzzer):
+
+  if not dirExists(fixturesDir):
+    echo "Please run `make test` first in order to download the official ETH2 test vectors"
+    quit 1
+
+  if not dirExists(fixturesDir / testname):
+    echo testname, " is not a recognized SSZ type name (type names are case-sensitive)"
+    quit 1
+
+  let corpusDir = fuzzingCorpusesDir / testname
+
+  rmDir corpusDir
+  mkDir corpusDir
+
+  var inputIdx = 0
+  template nextInputName: string =
+    inc inputIdx
+    "input" & $inputIdx
+
+  for file in walkDirRec(fixturesDir / testname):
+    if splitFile(file).ext == ".ssz":
+      # TODO Can we create hard links here?
+      cpFile file, corpusDir / nextInputName()
+
+  let testProgram = fuzzingTestsDir / &"ssz_decode_{testname}.nim"
+
+  exec &"""nim "{fuzzNims}" "{fuzzer}" "{testProgram}" "{corpusDir}"  """
--- a/tests/fuzzing/.gitignore
+++ b/tests/fuzzing/.gitignore
@ -0,0 +1,2 @@
+corpus/
+
--- a/tests/fuzzing/ssz_decode_Attestation.nim
+++ b/tests/fuzzing/ssz_decode_Attestation.nim
@ -0,0 +1,4 @@
+import ssz_fuzzing
+
+sszFuzzingTest Attestation
+
--- a/tests/fuzzing/ssz_decode_AttesterSlashing.nim
+++ b/tests/fuzzing/ssz_decode_AttesterSlashing.nim
@ -0,0 +1,4 @@
+import ssz_fuzzing
+
+sszFuzzingTest AttesterSlashing
+
--- a/tests/fuzzing/ssz_decode_BeaconState.nim
+++ b/tests/fuzzing/ssz_decode_BeaconState.nim
@ -0,0 +1,4 @@
+import ssz_fuzzing
+
+sszFuzzingTest BeaconState
+
--- a/tests/fuzzing/ssz_decode_ProposerSlashing.nim
+++ b/tests/fuzzing/ssz_decode_ProposerSlashing.nim
@ -0,0 +1,4 @@
+import ssz_fuzzing
+
+sszFuzzingTest ProposerSlashing
+
--- a/tests/fuzzing/ssz_decode_SignedAggregateAndProof.nim
+++ b/tests/fuzzing/ssz_decode_SignedAggregateAndProof.nim
@ -0,0 +1,4 @@
+import ssz_fuzzing
+
+sszFuzzingTest SignedAggregateAndProof
+
--- a/tests/fuzzing/ssz_decode_SignedBeaconBlock.nim
+++ b/tests/fuzzing/ssz_decode_SignedBeaconBlock.nim
@ -0,0 +1,4 @@
+import ssz_fuzzing
+
+sszFuzzingTest SignedBeaconBlock
+
--- a/tests/fuzzing/ssz_decode_VoluntaryExit.nim
+++ b/tests/fuzzing/ssz_decode_VoluntaryExit.nim
@ -0,0 +1,4 @@
+import ssz_fuzzing
+
+sszFuzzingTest SignedVoluntaryExit
+
--- a/tests/fuzzing/ssz_fuzzing.nim
+++ b/tests/fuzzing/ssz_fuzzing.nim
@ -0,0 +1,31 @@
+import
+  testutils/fuzzing, faststreams/inputs,
+  ../../beacon_chain/ssz,
+  ../../beacon_chain/spec/[datatypes, crypto, digest, datatypes]
+
+export
+  ssz, datatypes, crypto, digest, fuzzing
+
+template sszFuzzingTest*(T: type) =
+  test:
+    block:
+      let input = unsafeMemoryInput(payload)
+      let decoded = try: input.readValue(SSZ, T)
+                    except SSZError: break
+
+      if input.len.get > 0:
+        # Some unconsumed input remained, this is not a valid test case
+        break
+
+      let reEncoded = SSZ.encode(decoded)
+
+      if payload != reEncoded:
+        echo "Payload with len = ", payload.len
+        echo payload
+        echo "Re-encoided payload with len = ", reEncoded.len
+        echo reEncoded
+
+        echo repr(decoded)
+
+        doAssert false
+
--- a/vendor/nim-testutils
+++ b/vendor/nim-testutils
@ -1 +1 @@
-Subproject commit 4edb4c9ae41f8f6fc7489dca63d1d9f5a48e37cd
+Subproject commit e508aea59f6d4699c6e237a6935a5ff785c8c50d