Add runnable state generation

aptos-labs · Nov 11, 2024 · 22ca773 · 22ca773
1 parent fa17451
commit 22ca773
Show file tree

Hide file tree

Showing 16 changed files with 338 additions and 68 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/testsuite/fuzzer/Cargo.toml b/testsuite/fuzzer/Cargo.toml
@@ -7,6 +7,13 @@ license = { workspace = true }
 [dependencies]
 aptos-framework = { workspace = true }
 aptos-types = { workspace = true }
+arbitrary = { workspace = true }
+base64 = "0.21.7"
 bcs = { workspace = true }
 clap = "4.5.20"
-move-core-types = { workspace = true }
+csv = "1.3.0"
+dearbitrary = { version = "1.0.4", features = ["derive"] }
+hex = "0.4.3"
+move-binary-format = { workspace = true, features = ["fuzzing"] }
+move-core-types = { workspace = true, features = ["fuzzing"] }
+sha2 = { workspace = true }
diff --git a/testsuite/fuzzer/README.md b/testsuite/fuzzer/README.md
@@ -115,6 +115,15 @@ When building in the OSS-Fuzz environment, `fuzz.sh` will place the corpus archi
 - **Error Handling:** Implement robust error handling to intercept crashes or unwanted/unexpected behavior.
 - **Performance Optimization:** Optimize for performance to enable more iterations and deeper fuzzing.
 
+## Generate Corpora
+Some fuzzers operate better if a good initial corpus is provided. In order to generate the corpus, utilities are available via `./fuzz.sh block-builder`. Once a corpus is obtained, to feed it to fuzzers running on OSS-Fuzz, building a ZIP archive with a specific name is required: `$FUZZERNAME_seed_corpus.zip`. Upload it to a publicly accessible cloud, e.g., GCP Bucket or S3; avoid GDrive. Obtain a public link and add it to the `CORPUS_ZIPS` array in `fuzz.sh`. It will automatically be downloaded and used inside Google's infrastructure.
+### Aptos-VM Publish & Run
+`./fuzz.sh block-builder generate_runnable_state /tmp/modules.csv /tmp/Modules`
+The CSV file is structured as follows:  
+- Column 1: Module name  
+- Column 2: Module address  
+- Column 3: Base64-encoded bytecode of the module
+
 ## References
 - [Rust Fuzz Book](https://rust-fuzz.github.io/book/)
 - [Google OSS-Fuzz](https://google.github.io/oss-fuzz/)

diff --git a/testsuite/fuzzer/fuzz.sh b/testsuite/fuzzer/fuzz.sh
@@ -77,7 +77,7 @@ function usage() {
         *)
             echo "Usage: $0 <add|block-builder|build|build-oss-fuzz|coverage|clean-coverage|flamegraph|list|run|debug|test>"
             echo "    add               adds a new fuzz target"
-            echo "    block-build       blocks the build command"
+            echo "    block-builder     runs rust tool to hel build fuzzers"
             echo "    build             builds fuzz targets"
             echo "    build-oss-fuzz    builds fuzz targets for oss-fuzz"
             echo "    coverage          generates coverage for a fuzz target"
@@ -320,7 +320,7 @@ case "$1" in
     ;;
   "block-builder")
     shift
-    block-build "$@"
+    block-builder "$@"
     ;;
   "build")
     shift

diff --git a/testsuite/fuzzer/fuzz/fuzz_targets/move/aptosvm_publish_and_run.rs b/testsuite/fuzzer/fuzz/fuzz_targets/move/aptosvm_publish_and_run.rs
@@ -51,7 +51,7 @@ static TP: Lazy<Arc<rayon::ThreadPool>> = Lazy::new(|| {
 
 const MAX_TYPE_PARAMETER_VALUE: u16 = 64 / 4 * 16; // third_party/move/move-bytecode-verifier/src/signature_v2.rs#L1306-L1312
 
-const EXECUTION_TIME_GAS_RATIO: u8 = 35;
+const EXECUTION_TIME_GAS_RATIO: u8 = 50;
 
 fn check_for_invariant_violation_vmerror(e: VMError) {
     if e.status_type() == StatusType::InvariantViolation
@@ -94,7 +94,7 @@ fn run_case(mut input: RunnableState) -> Result<(), Corpus> {
     filter_modules(&input)?;
 
     let verifier_config = VerifierConfig::production();
-    let deserializer_config = DeserializerConfig::default();
+    let deserializer_config = DeserializerConfig::new(8, 255);
 
     for m in input.dep_modules.iter_mut() {
         // m.metadata = vec![]; // we could optimize metadata to only contain aptos metadata

diff --git a/testsuite/fuzzer/src/main.rs b/testsuite/fuzzer/src/main.rs
@@ -17,7 +17,23 @@ fn main() {
                         .help("Path to the module source")
                         .required(true)
                         .index(1),
-                ),
+                )
+        )
+        .subcommand(
+            Command::new("generate_runnable_state")
+                .about("Generates a runnable state from a Move module and its metadata.")
+                .arg(
+                    Arg::new("csv_path")
+                        .help("Path to a csv containing b64 encode modules in third coulmn")
+                        .required(true)
+                        .index(1),
+                )
+                .arg(
+                    Arg::new("destination_path")
+                    .help("Path to write the runnable state to")
+                    .required(true)
+                    .index(2),
+                )
         )
         // Add more subcommands or arguments here
         .get_matches();
@@ -34,6 +50,18 @@ fn main() {
                 println!("Module compiled successfully.");
             }
         },
+        Some(("generate_runnable_state", sub_m)) => {
+            let csv_path = sub_m.get_one::<String>("csv_path").unwrap();
+            let destination_path = sub_m.get_one::<String>("destination_path").unwrap();
+
+            // Call the function with the provided arguments
+            if let Err(e) = utils::cli::generate_runnable_state(csv_path, destination_path) {
+                eprintln!("Error generating runnable state: {}", e);
+                std::process::exit(1);
+            } else {
+                println!("Runnable state generated successfully.");
+            }
+        },
         // Handle other subcommands or default behavior
         _ => {
             println!("No valid subcommand was used. Use --help for more information.");