Barretenberg
The ZK-SNARK library at the core of Aztec
calldata.fuzzer.cpp File Reference


Classes

struct  CalldataFuzzerInstance
 
struct  CalldataFuzzerInput
 

Typedefs

using calldata_rel = bb::avm2::calldata< FF >
 
using calldata_hashing_rel = bb::avm2::calldata_hashing< FF >
 

Functions

 __attribute__ ((section("__libfuzzer_extra_counters"))) uint8_t num_events
 
void mutate_calldata_instance (CalldataFuzzerInput &input, std::mt19937 rng)
 
std::vector< std::vector< FF > > generate_calldata_values (const CalldataFuzzerInput &input)
 
size_t LLVMFuzzerCustomMutator (uint8_t *data, size_t size, size_t max_size, unsigned int seed)
 
int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 

Variables

const int max_num_events = 20
 
const int max_calldata_fields = 20
 
const uint8_t default_calldata_fields = 16
 

Typedef Documentation

◆ calldata_hashing_rel

◆ calldata_rel

Definition at line 40 of file calldata.fuzzer.cpp.

Function Documentation

◆ __attribute__()

__attribute__ ((section("__libfuzzer_extra_counters"))) uint8_t num_events

◆ generate_calldata_values()

std::vector< std::vector< FF > > generate_calldata_values (const CalldataFuzzerInput &input)

Definition at line 194 of file calldata.fuzzer.cpp.

◆ LLVMFuzzerCustomMutator()

size_t LLVMFuzzerCustomMutator (uint8_t *data, size_t size, size_t max_size, unsigned int seed)

Mutation choices:

We have a nested CalldataFuzzerInput struct. The top level configures:

  • starting context id (this will increment for each calldata instance)
  • number of events (i.e. number of calldata instances to retrieve and hash)
  • array of initial values (as in the memory gadget fuzzer, an array of fields to generate values from)

Then for each event, we have a CalldataFuzzerInstance which configures:

  • number of calldata fields
  • selection encoding (as in the memory gadget fuzzer, configures generation of calldata values from the parent initial values)
  • mutation (a choice of test case for this calldata instance):
    • 0: do nothing to the calldata and emit as is
    • 1: modify this calldata to be a copy of another instance
    • 2: clear this calldata, so we emit an empty calldata array

Every call to this custom mutator mutates one of:

  • 0: starting context id
  • 1: number of events
  • 2: a single initial value
  • 3: a single calldata instance

If case 3 is chosen, one calldata instance is selected and one of the following is mutated for it:

  • 0: mutation (choice of test case for this one calldata instance)
  • 1: number of fields
  • 3: selection encoding (how to generate the calldata fields)

This scheme may be too nested and granular: with the initial-values approach it is relatively slow to reach the case where the fields of a calldata instance actually change, so it may be better to move to something like mutate_calldata_vec rather than rely on initial values.

Definition at line 235 of file calldata.fuzzer.cpp.
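A compact model of the mutator structure described above, added here as an illustration and not taken from Barretenberg's calldata.fuzzer.cpp. The struct layouts, FF as a plain 64-bit word, the copy_from field and the selection-encoding rule are assumptions; the nested choice tree and the three per-instance test cases follow the doc comment.

```cpp
#include <cstdint>
#include <random>
#include <vector>
// Assumed stand-ins: FF is a machine word and struct fields are modelled on the doc comment.
using FF = uint64_t;
constexpr int max_num_events = 20, max_calldata_fields = 20;
constexpr uint8_t default_calldata_fields = 16;
struct CalldataFuzzerInstance {
    uint8_t num_fields = default_calldata_fields;
    uint32_t selection = 0; // selection encoding: which parent initial values to draw from
    uint8_t mutation = 0;   // 0: emit as is, 1: copy of another instance, 2: clear
    uint8_t copy_from = 0;  // assumed extra field: source instance index for mutation 1
};
struct CalldataFuzzerInput {
    uint32_t start_context_id = 0;
    uint8_t num_events = 1;
    std::vector<FF> initial_values; // parent pool that every instance draws its fields from
    std::vector<CalldataFuzzerInstance> instances;
};
// One step of the nested choice tree: top-level target 0..3; for 3, pick an instance and one of its knobs.
void mutate_calldata_input(CalldataFuzzerInput& in, std::mt19937& rng) {
    switch (rng() % 4) {
    case 0: in.start_context_id = rng(); break;
    case 1: in.num_events = 1 + rng() % max_num_events; in.instances.resize(in.num_events); break;
    case 2: if (!in.initial_values.empty()) in.initial_values[rng() % in.initial_values.size()] = rng(); break;
    default: {
        if (in.instances.empty()) break;
        auto& inst = in.instances[rng() % in.instances.size()];
        switch (rng() % 3) {
        case 0: inst.mutation = rng() % 3; inst.copy_from = rng() % in.instances.size(); break;
        case 1: inst.num_fields = rng() % (max_calldata_fields + 1); break;
        default: inst.selection = rng(); break;
        }
    }
    }
}
// Expand the structured input into one calldata array per event, applying the per-instance test case.
std::vector<std::vector<FF>> generate_calldata_values(const CalldataFuzzerInput& in) {
    const size_t n = in.num_events, pool = in.initial_values.size();
    std::vector<std::vector<FF>> out(n);
    for (size_t i = 0; i < n; ++i) {
        const auto& inst = in.instances[i];
        if (inst.mutation == 2) continue;                                                 // case 2: empty array
        const auto& src = inst.mutation == 1 ? in.instances[inst.copy_from % n] : inst;  // case 1: copy another
        for (uint8_t f = 0; f < src.num_fields && pool > 0; ++f)  // assumed encoding: field f = pool[(sel + f) mod size]
            out[i].push_back(in.initial_values[(src.selection + f) % pool]);
    }
    return out;
}
```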

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)

Definition at line 326 of file calldata.fuzzer.cpp.

◆ mutate_calldata_instance()

void mutate_calldata_instance (CalldataFuzzerInput &input, std::mt19937 rng)

Definition at line 160 of file calldata.fuzzer.cpp.

Variable Documentation

◆ default_calldata_fields

const uint8_t default_calldata_fields = 16

Definition at line 60 of file calldata.fuzzer.cpp.

◆ max_calldata_fields

const int max_calldata_fields = 20

Definition at line 59 of file calldata.fuzzer.cpp.

◆ max_num_events

const int max_num_events = 20

Definition at line 58 of file calldata.fuzzer.cpp.