[FUZZER] Multiple utils and library refactor, fuzzers (#15176)

Cargo.toml

@@ -589,6 +589,7 @@ ethnum = "1.5.0"
 event-listener = "2.5.3"
 evm = { version = "0.33.1", features = ["tracing"] }
 evm-runtime = { version = "0.33.0", features = ["tracing"] }
+dearbitrary = { version = "1.0.4", features = ["derive"] }
 fail = "0.5.0"
 ff = { version = "0.13", features = ["derive"] }
 field_count = "0.1.1"

testsuite/fuzzer/Cargo.toml

@@ -5,3 +5,15 @@ edition = "2021"
 license = { workspace = true }
 
 [dependencies]
+aptos-framework = { workspace = true }
+aptos-types = { workspace = true }
+arbitrary = { workspace = true }
+base64 = "0.21.7"
+bcs = { workspace = true }
+clap = "4.5.20"
+csv = "1.3.0"
+dearbitrary = { workspace = true }
+hex = "0.4.3"
+move-binary-format = { workspace = true, features = ["fuzzing"] }
+move-core-types = { workspace = true, features = ["fuzzing"] }
+sha2 = { workspace = true }

testsuite/fuzzer/README.md

@@ -12,7 +12,10 @@ The script includes several functions to manage and execute fuzz tests:
     ```bash
     ./fuzz.sh add <fuzz_target_name>
     ```
-
+- `block-builder`: Run rust utility to build fuzzers.
+    ```bash
+    ./fuzz.sh block-builder <utility> [args]
+    ```
 - `build`: Build specified fuzz targets or all targets.
     ```bash
     ./fuzz.sh build <fuzz_target|all> [target_dir]
@@ -22,7 +25,22 @@ The script includes several functions to manage and execute fuzz tests:
     ```bash
     ./fuzz.sh build-oss-fuzz <target_dir>
     ```
-
+- `coverage`: Generates coverage report in HTML format
+    ```bash
+    ./fuzz.sh coverage <fuzz_target>
+    ```
+- `coverage-cleanup`:
+    ```bash
+    ./fuzz.sh clean-coverage <fuzz_target|all>
+    ```
+- `degub`: Run fuzzer with GDB and pass test_case as input
+    ```bash
+    ./fuzz.sh debug <fuzz_target> <test_case>
+    ```
+- `flamegraph`: Generates flamegraph report (might requires addition setups on the os)
+    ```
+    ./fuzz.sh flamegraph <fuzz_target> <test_case>
+    ```
 - `list`: List all existing fuzz targets.
     ```bash
     ./fuzz.sh list
@@ -97,6 +115,15 @@ When building in the OSS-Fuzz environment, `fuzz.sh` will place the corpus archi
 - **Error Handling:** Implement robust error handling to intercept crashes or unwanted/unexpected behavior.
 - **Performance Optimization:** Optimize for performance to enable more iterations and deeper fuzzing.
 
+## Generate Corpora
+Some fuzzers operate better if a good initial corpus is provided. In order to generate the corpus, utilities are available via `./fuzz.sh block-builder`. Once a corpus is obtained, to feed it to fuzzers running on OSS-Fuzz, building a ZIP archive with a specific name is required: `$FUZZERNAME_seed_corpus.zip`. Upload it to a publicly accessible cloud, e.g., GCP Bucket or S3; avoid GDrive. Obtain a public link and add it to the `CORPUS_ZIPS` array in `fuzz.sh`. It will automatically be downloaded and used inside Google's infrastructure.
+### Aptos-VM Publish & Run
+`./fuzz.sh block-builder generate_runnable_state /tmp/modules.csv /tmp/Modules`
+The CSV file is structured as follows:  
+- Column 1: Module name  
+- Column 2: Module address  
+- Column 3: Base64-encoded bytecode of the module
+
 ## References
 - [Rust Fuzz Book](https://rust-fuzz.github.io/book/)
 - [Google OSS-Fuzz](https://google.github.io/oss-fuzz/)

testsuite/fuzzer/data/.gitignore

@@ -0,0 +1 @@
+*/build

testsuite/fuzzer/data/install-federated-jwks/Move.toml

@@ -0,0 +1,16 @@
+[package]
+name = "install-federated-jwks"
+version = "1.0.0"
+authors = []
+
+[addresses]
+named_addr = "0xFED"
+
+[dev-addresses]
+
+[dependencies.AptosFramework]
+git = "https://github.com/aptos-labs/aptos-core.git"
+rev = "mainnet"
+subdir = "aptos-move/framework/aptos-framework"
+
+[dev-dependencies]

testsuite/fuzzer/data/install-federated-jwks/sources/install_federated_jwks.move

@@ -0,0 +1,19 @@
+script {
+    use aptos_framework::jwks;
+    use std::string::utf8;
+    fun main(account: &signer) {{
+        let iss = b"test.oidc.provider";
+        let kid = utf8(b"RSA");
+        let alg = utf8(b"RS256");
+        let e = utf8(b"AQAB");
+        let n = utf8(b"6S7asUuzq5Q_3U9rbs-PkDVIdjgmtgWreG5qWPsC9xXZKiMV1AiV9LXyqQsAYpCqEDM3XbfmZqGb48yLhb_XqZaKgSYaC_h2DjM7lgrIQAp9902Rr8fUmLN2ivr5tnLxUUOnMOc2SQtr9dgzTONYW5Zu3PwyvAWk5D6ueIUhLtYzpcB-etoNdL3Ir2746KIy_VUsDwAM7dhrqSK8U2xFCGlau4ikOTtvzDownAMHMrfE7q1B6WZQDAQlBmxRQsyKln5DIsKv6xauNsHRgBAKctUxZG8M4QJIx3S6Aughd3RZC4Ca5Ae9fd8L8mlNYBCrQhOZ7dS0f4at4arlLcajtw");
+        jwks::update_federated_jwk_set(
+            account,
+            iss,
+            vector[kid],
+            vector[alg],
+            vector[e],
+            vector[n]
+        );
+    }}
+}

testsuite/fuzzer/fuzz.sh

@@ -2,6 +2,9 @@
 
 export RUSTFLAGS="${RUSTFLAGS} --cfg tokio_unstable"
 export EXTRAFLAGS="-Ztarget-applies-to-host -Zhost-config"
+# Nightly version control
+# Pin nightly-2024-02-12 because of https://github.com/google/oss-fuzz/issues/11626
+NIGHTLY_VERSION="nightly-2024-02-12"
 
 # GDRIVE format https://docs.google.com/uc?export=download&id=DOCID
 CORPUS_ZIPS=("https://storage.googleapis.com/aptos-core-corpora/move_aptosvm_publish_and_run_seed_corpus.zip" "https://storage.googleapis.com/aptos-core-corpora/move_aptosvm_publish_seed_corpus.zip")
@@ -16,9 +19,6 @@ function error() {
 }
 
 function cargo_fuzz() {
-    # Nightly version control
-    # Pin nightly-2024-02-12 because of https://github.com/google/oss-fuzz/issues/11626
-    NIGHTLY_VERSION="nightly-2024-02-12"
     rustup install $NIGHTLY_VERSION
     if [ -z "$1" ]; then
         error "error using cargo()"
@@ -28,11 +28,25 @@ function cargo_fuzz() {
     $cargo_fuzz_cmd $EXTRAFLAGS $@
 }
 
+function cargo_local() {
+    rustup install $NIGHTLY_VERSION
+    if [ -z "$1" ]; then
+        error "error using cargo()"
+    fi
+    cargo_cmd="cargo "+$NIGHTLY_VERSION" $1"
+    shift
+    $cargo_cmd $EXTRAFLAGS $@
+}
+
 function usage() {
     case "$1" in
         "add")
             echo "Usage: $0 add <fuzz_target>"
             ;;
+        "block-builder")
+            #echo "Usage: $0 block-builder <command> [argumetns]"
+            cargo_local run --quiet -- --help
+            ;;
         "build")
             echo "Usage: $0 build <fuzz_target|all> [target_dir]"
             ;;
@@ -61,8 +75,9 @@ function usage() {
             echo "Usage: $0 test"
             ;;
         *)
-            echo "Usage: $0 <build|build-oss-fuzz|coverage|clean-coverage|flamegraph|list|run|debug|test>"
+            echo "Usage: $0 <add|block-builder|build|build-oss-fuzz|coverage|clean-coverage|flamegraph|list|run|debug|test>"
             echo "    add               adds a new fuzz target"
+            echo "    block-builder     runs rust tool to hel build fuzzers"
             echo "    build             builds fuzz targets"
             echo "    build-oss-fuzz    builds fuzz targets for oss-fuzz"
             echo "    coverage          generates coverage for a fuzz target"
@@ -77,6 +92,16 @@ function usage() {
     exit 1
 }
 
+function block-builder() {
+    if [ -z "$1" ]; then
+        usage block-builder
+    fi
+    command=$1
+    shift
+    cargo_local run --quiet -- $command $@
+    exit 0
+}
+
 function build() {
     if [ -z "$1" ]; then
         usage build
@@ -217,14 +242,9 @@ function flamegraph() {
         error "$testcase does not exist"
     fi
     info "Generating flamegraph for $fuzz_target with $testcase"
-    # find the binary
-    binary=$(find ./target -name $fuzz_target -type f -perm /111)
-    if [ -z "$binary" ]; then
-        error "Could not find binary for $fuzz_target. Run `./fuzz.sh build $fuzz_target` first"
-    fi
     # run the binary with cargo-flamegraph
     time=$(date +%s)
-    cargo flamegraph -o "${fuzz_target}_${time}.svg" --bin "$binary" "$testcase -- -runs=1"
+    cargo flamegraph -o "${fuzz_target}_${time}.svg" --root -p="fuzzer-fuzz" --bin="$fuzz_target" -- "$testcase" "-- -runs=1"
 }
 
 function run() {
@@ -298,6 +318,10 @@ case "$1" in
     shift
     add "$@"
     ;;
+  "block-builder")
+    shift
+    block-builder "$@"
+    ;;
   "build")
     shift
     build "$@"

testsuite/fuzzer/fuzz/Cargo.toml

@@ -15,6 +15,7 @@ aptos-language-e2e-tests = { workspace = true, features = ["fuzzing"] }
 aptos-types = { workspace = true, features = ["fuzzing"] }
 aptos-vm = { workspace = true }
 arbitrary = { workspace = true, features = ["derive"] }
+base64 = { workspace = true }
 bcs = { workspace = true }
 libfuzzer-sys = "0.4"
 move-binary-format = { workspace = true, features = ["fuzzing"] }
@@ -23,12 +24,10 @@ move-core-types = { workspace = true, features = ["fuzzing"] }
 move-vm-types = { workspace = true, features = ["fuzzing"] }
 once_cell = { workspace = true }
 rayon = { workspace = true }
+ring = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 
-[features]
-disabled = []
-
 [[bin]]
 name = "move_bytecode_verifier_code_unit"
 path = "fuzz_targets/move/bytecode_verifier_code_unit.rs"
@@ -41,6 +40,30 @@ path = "fuzz_targets/move/bytecode_verifier_mixed.rs"
 test = false
 doc = false
 
+[[bin]]
+name = "move_value_deserialize"
+path = "fuzz_targets/move/value_deserialize.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "move_move_value_deserialize"
+path = "fuzz_targets/move/move_value_deserialize.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "move_move_value_decorate"
+path = "fuzz_targets/move/move_value_decorate.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "signed_transaction_deserialize"
+path = "fuzz_targets/signed_transaction_deserialize.rs"
+test = false
+doc = false
+
 [[bin]]
 name = "move_aptosvm_publish_and_run"
 path = "fuzz_targets/move/aptosvm_publish_and_run.rs"
@@ -58,30 +81,3 @@ name = "move_aptosvm_authenticators"
 path = "fuzz_targets/move/aptosvm_authenticators.rs"
 test = false
 doc = false
-
-#[[bin]]#name = "move_value_deserialize"
-#path = "fuzz_targets/move/value_deserialize.rs"
-#test = false
-#doc = false
-#required-features = ["disabled"]
-
-#[[bin]]
-#name = "move_move_value_deserialize"
-#path = "fuzz_targets/move/move_value_deserialize.rs"
-#test = false
-#doc = false
-#required-features = ["disabled"]
-
-#[[bin]]
-#name = "move_move_value_decorate"
-#path = "fuzz_targets/move/move_value_decorate.rs"
-#test = false
-#doc = false
-#required-features = ["disabled"]
-
-#[[bin]]
-#name = "signed_transaction_deserialize"
-#path = "fuzz_targets/signed_transaction_deserialize.rs"
-#test = false
-#doc = false
-#required-features = ["disabled"]