While we're moving (almost) everything stable by default now,
fuzzing still requires nightly.
Since stable is now the default, we need to add "+nightly" to
various fuzzing commands.
clippy linting at the workspace level for all crates
Configure all workspaces to use lints from the top-level Cargo.toml
file
Add example lints that the project could configure to improve security
and reliability.
Configure lints to warn level. Using deny level makes other binaries
fail to compile if even one of them has a failure.
No lints are added in this commit. Future changes can enable and fix
lints.
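An added illustration of the workspace-level lint inheritance described above; this is not the project's actual configuration. The member paths and the particular lint names are assumptions, and the levels are kept at `warn` for the reason the commit gives (a `deny` in one crate breaks the build of every binary in the workspace). Workspace lint inheritance needs Cargo 1.74 or newer.

```toml
# --- <workspace root>/Cargo.toml ---
[workspace]
# assumed member list; the real workspace has more crates
members = ["bin/zkas", "fuzz"]

# Lints defined once here and inherited by every member that opts in.
[workspace.lints.rust]
unsafe_code = "warn"      # surface every `unsafe` block in review
missing_docs = "warn"

[workspace.lints.clippy]
# Restriction-group lints that catch panics and silent truncation,
# which matter for a parser/decoder that fuzzing will feed hostile input.
unwrap_used = "warn"
expect_used = "warn"
panic = "warn"
indexing_slicing = "warn"
arithmetic_side_effects = "warn"
cast_possible_truncation = "warn"

# --- <each member>/Cargo.toml, e.g. bin/zkas/Cargo.toml ---
# Opt the crate in to the workspace lint table instead of its own list.
[lints]
workspace = true
```

Run `cargo clippy --workspace --all-targets` from the root to see the warnings for every crate at once; a member without the `[lints] workspace = true` stanza is silently left out.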
Libfuzzer has more capabilities to provide a helpful code coverage
report for fuzz testing. (Or at least it has better documentation.)
This commit copies the zkas-compile harness from honggfuzz into libfuzzer.
It also includes instructions for generating coverage reports.
Create a fuzz harness to test the ./zkas binary compilation process. The
whole pipeline is tested: Lexer, Parser, Compiler, Analyzer. This is
performed by copying the relevant code from bin/zkas/src/main.rs.
Testing the entire pipeline like this is not very efficient in terms of
fuzzing cycles but on the other hand it is a quick-and-dirty way to find
results. It also benefits from testing the actual inputs to the binary
in the way it's expecting, rather than checking each of the components
in a piecemeal way using interfaces that aren't expected to be exposed
anyway.
DarkFi's VarInt struct is meant to be equivalent to the one used by BTC.
Most of the source code is extremely similar. This commit adds very
basic tests to ensure equivalence between DarkFi's implementation and
the one used by the BTC crate.
The tests included here are quite basic. Future work can expand on
the testing done on the deserialized values.
This harness can also be used as a guide or template for future
differential fuzzing.
* fuzz: Add honggfuzz
- Added honggfuzz in fuzz2/ (alongside libfuzzer in fuzz/)
- Created convenience script for fuzzing binary decoder
- Created a script to convert inputs that cause crashes into arrays so
that they can be used in unit tests
* Create honggfuzz as subdirectory of fuzz/
- Reorg so that honggfuzz is under fuzz/ instead of in a separate
sibling-level directory fuzz2
- Update fuzz/README.md to make it explicit that it covers libfuzzer
Note: `cargo fuzz`/libfuzzer seems to insist that its folder exists at
`$REPO/fuzz/` so that's the reason for this particular folder structure.
---------
Co-authored-by: y <y>
Add more documentation to fuzz/README.md, especially when it comes to
interpreting out-of-memory issues.
Co-authored-by: y <y>
Co-authored-by: parazyd <parazyd@users.noreply.github.com>
Use artifacts/ rather than corpus/ to track fuzz inputs. corpus appears
to be a temporary directory that will be modified when minimizing test
cases using commands like `cargo fuzz cmin` or `cargo fuzz tmin`. For
this reason it's not suitable for long-term storage and is likely to
make the git commit-staging process very messy.
This input caused an out-of-memory bug. I haven't figured out why yet
but it's good to keep this in the corpus for future testing.
Something interesting: the fuzzer brute-forced the MAGIC BYTES for the
binary on its own! This file is a good starting point for future fuzzing
because it contains the magic bytes: subsequent runs can start from here
instead of needing to "find" the magic bytes via brute forcing every
time.
- Inform devs how to build an organized and useful corpora based on the
results of fuzz testing.
- Modify .gitignore to allow corpus/ tracking. Note: files in corpus/
should not be blindly committed but selectively added based on
usefulness.
- Add emptyfile to zkas-decoder corpus because it caused a panic