Barretenberg: src/barretenberg/avm_fuzzer/avm_differential.fuzzer.cpp Source File

#include <iomanip>

#include <iostream>

#include <random>

#include <string>

#include <vector>


#include "barretenberg/avm_fuzzer/common/interfaces/dbs.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/constants.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/control_flow.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/fuzz.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_context.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/fuzzer_data.hpp"

#include "barretenberg/avm_fuzzer/fuzz_lib/simulator.hpp"

#include "barretenberg/avm_fuzzer/mutations/fuzzer_data.hpp"

#include "barretenberg/serialize/msgpack_impl.hpp"


using FuzzInstruction = ::FuzzInstruction;

using namespace bb::avm2::fuzzer;


namespace {


FuzzerContext create_context_with_predefined_functions()

{

    FuzzerContext context;


    // Register predefined functions

    for (const auto& function : PREDEFINED_FUNCTIONS) {

        context.register_contract_from_bytecode(function);

    }


    return context;

}


} // namespace


extern "C" int LLVMFuzzerInitialize(int*, char***)

{

    const char* simulator_path = std::getenv("AVM_SIMULATOR_BIN");

    if (simulator_path == nullptr) {

        throw std::runtime_error("AVM_SIMULATOR_BIN is not set");

    }

    std::string simulator_path_str(simulator_path);

    JsSimulator::initialize(simulator_path_str);

    FuzzerWorldStateManager::initialize();

    return 0;

}


SimulatorResult fuzz(const uint8_t* buffer, size_t size)

{

    FuzzerData deserialized_data;

    try {

        msgpack::unpack((reinterpret_cast<const char*>(buffer)), size).get().convert(deserialized_data);

    } catch (const std::exception& e) {

        deserialized_data = FuzzerData();

    }


    FuzzerWorldStateManager* ws_mgr = FuzzerWorldStateManager::getInstance();

    ws_mgr->fork();

    auto context = create_context_with_predefined_functions();

    auto res = fuzz_against_ts_simulator(deserialized_data, context);

    ws_mgr->reset_world_state();


    return res;

}


extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* serialized_fuzzer_data,

                                          size_t serialized_fuzzer_data_size,

                                          size_t max_size,

                                          unsigned int seed)

{

    auto context = create_context_with_predefined_functions();

    auto rng = std::mt19937_64(seed);

    FuzzerData deserialized_data;

    try {

        msgpack::unpack((reinterpret_cast<const char*>(serialized_fuzzer_data)), serialized_fuzzer_data_size)

            .get()

            .convert(deserialized_data);

    } catch (const std::exception& e) {

        deserialized_data = FuzzerData();

    }

    mutate_fuzzer_data(deserialized_data, rng, context);

    auto [mutated_serialized_fuzzer_data, mutated_serialized_fuzzer_data_size] =

        msgpack_encode_buffer(deserialized_data);

    if (mutated_serialized_fuzzer_data_size > max_size) {

        delete[] mutated_serialized_fuzzer_data;

        return 0;

    }


    memcpy(serialized_fuzzer_data, mutated_serialized_fuzzer_data, mutated_serialized_fuzzer_data_size);

    delete[] mutated_serialized_fuzzer_data;


    return mutated_serialized_fuzzer_data_size;

}


extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)

{

    fuzz(data, size);

    return 0;

}


LLVMFuzzerInitialize
int LLVMFuzzerInitialize(int *, char ***)
Definition avm_differential.fuzzer.cpp:38

LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition avm_differential.fuzzer.cpp:97

FuzzInstruction
::FuzzInstruction FuzzInstruction
Definition avm_differential.fuzzer.cpp:17

fuzz
SimulatorResult fuzz(const uint8_t *buffer, size_t size)
Definition avm_differential.fuzzer.cpp:50

LLVMFuzzerCustomMutator
size_t LLVMFuzzerCustomMutator(uint8_t *serialized_fuzzer_data, size_t serialized_fuzzer_data_size, size_t max_size, unsigned int seed)
Definition avm_differential.fuzzer.cpp:68

constants.hpp

PREDEFINED_FUNCTIONS
const std::vector< std::vector< uint8_t > > PREDEFINED_FUNCTIONS
Definition constants.hpp:67

JsSimulator::initialize
static void initialize(std::string &simulator_path)
Definition simulator.cpp:138

bb::avm2::context
Definition context.hpp:37

bb::avm2::fuzzer::FuzzerContext
Definition fuzzer_context.hpp:15

bb::avm2::fuzzer::FuzzerWorldStateManager
Definition dbs.hpp:64

bb::avm2::fuzzer::FuzzerWorldStateManager::reset_world_state
void reset_world_state()
Definition dbs.cpp:210

bb::avm2::fuzzer::FuzzerWorldStateManager::initialize
static void initialize()
Definition dbs.hpp:72

bb::avm2::fuzzer::FuzzerWorldStateManager::getInstance
static FuzzerWorldStateManager * getInstance()
Definition dbs.hpp:80

bb::avm2::fuzzer::FuzzerWorldStateManager::fork
world_state::WorldStateRevision fork()
Definition dbs.cpp:204

data
const std::vector< MemoryValue > data
Definition data_copy.test.cpp:70

control_flow.hpp

dbs.hpp

buffer
uint8_t buffer[RANDOM_BUFFER_SIZE]
Definition engine.cpp:34

fuzz_against_ts_simulator
SimulatorResult fuzz_against_ts_simulator(FuzzerData &fuzzer_data, FuzzerContext &context)
fuzz CPP vs JS simulator with the given fuzzer data
Definition fuzz.cpp:14

fuzz.hpp

ws_mgr
FuzzerWorldStateManager * ws_mgr
Definition fuzz.test.cpp:16

fuzzer_data.hpp

fuzzer_context.hpp

msgpack_impl.hpp

msgpack_encode_buffer
std::pair< uint8_t *, size_t > msgpack_encode_buffer(auto &&obj, uint8_t *scratch_buf=nullptr, size_t scratch_size=0)
Definition msgpack_impl.hpp:28

fuzzer_data.hpp

bb::avm2::fuzzer
Definition dbs.cpp:19

bb::avm2::fuzzer::mutate_fuzzer_data
void mutate_fuzzer_data(FuzzerData &fuzzer_data, std::mt19937_64 &rng, const FuzzerContext &context)
Definition fuzzer_data.cpp:17

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

simulator.hpp

FuzzerData
describes the data which will be used for fuzzing Should contain instructions, calldata,...
Definition fuzzer_data.hpp:12

SimulatorResult
Definition simulator.hpp:31