Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
tx.fuzzer.cpp
Go to the documentation of this file.
1#include <cstdint>
2#include <string>
3
9
10using namespace bb::avm2::fuzzer;
11using namespace bb::avm2::simulation;
12
13// Extra counters to guide libfuzzer towards inputs with more enqueued calls.
14// Index 0 = 1 call, index 1 = 2 calls, etc. When an input has N enqueued calls,
15// we increment counter[N-1], signaling new coverage to libfuzzer.
16constexpr size_t MAX_ENQUEUED_CALLS_COUNTER = 32;
17__attribute__((section("__libfuzzer_extra_counters"))) uint8_t enqueued_calls_counter[MAX_ENQUEUED_CALLS_COUNTER];
18
19// Counters for tracking transaction effects to guide libfuzzer.
20__attribute__((section(
21 "__libfuzzer_extra_counters"))) uint8_t public_data_writes_counter[MAX_TOTAL_PUBLIC_DATA_UPDATE_REQUESTS_PER_TX];
22__attribute__((section("__libfuzzer_extra_counters"))) uint8_t note_hashes_counter[MAX_NOTE_HASHES_PER_TX];
23__attribute__((section("__libfuzzer_extra_counters"))) uint8_t nullifiers_counter[MAX_NULLIFIERS_PER_TX];
24__attribute__((section("__libfuzzer_extra_counters"))) uint8_t l2_to_l1_msgs_counter[MAX_L2_TO_L1_MSGS_PER_TX];
25
26// Public logs use logarithmic bucketing due to large range
27constexpr size_t MAX_PUBLIC_LOGS_COUNTER = 16;
28__attribute__((section("__libfuzzer_extra_counters"))) uint8_t public_logs_counter[MAX_PUBLIC_LOGS_COUNTER];
29
30namespace {
31
32void update_effects_counters(const SimulatorResult& result)
33{
34 const auto& tx_effect = result.public_tx_effect;
35
36 size_t public_data_writes_size = tx_effect.public_data_writes.size();
37 if (public_data_writes_size > 0) {
38 if (public_data_writes_size > MAX_TOTAL_PUBLIC_DATA_UPDATE_REQUESTS_PER_TX) {
39 throw std::runtime_error(
40 "Should be unreachable: generated " + std::to_string(public_data_writes_size) +
41 " public data writes, max: " + std::to_string(MAX_TOTAL_PUBLIC_DATA_UPDATE_REQUESTS_PER_TX));
42 }
43 public_data_writes_counter[public_data_writes_size - 1]++;
44 }
45
46 size_t note_hashes_size = tx_effect.note_hashes.size();
47 if (note_hashes_size > 0) {
48 if (note_hashes_size > MAX_NOTE_HASHES_PER_TX) {
49 throw std::runtime_error("Should be unreachable: generated " + std::to_string(note_hashes_size) +
50 " note hashes, max: " + std::to_string(MAX_NOTE_HASHES_PER_TX));
51 }
52 note_hashes_counter[note_hashes_size - 1]++;
53 }
54
55 size_t nullifiers_size = tx_effect.nullifiers.size();
56 if (nullifiers_size > 0) {
57 if (nullifiers_size > MAX_NULLIFIERS_PER_TX) {
58 throw std::runtime_error("Should be unreachable: generated " + std::to_string(nullifiers_size) +
59 " nullifiers, max: " + std::to_string(MAX_NULLIFIERS_PER_TX));
60 }
61 nullifiers_counter[nullifiers_size - 1]++;
62 }
63
64 size_t l2_to_l1_size = tx_effect.l2_to_l1_msgs.size();
65 if (l2_to_l1_size > 0) {
66 if (l2_to_l1_size > MAX_L2_TO_L1_MSGS_PER_TX) {
67 throw std::runtime_error("Should be unreachable: generated " + std::to_string(l2_to_l1_size) +
68 " L2-to-L1 messages, max: " + std::to_string(MAX_L2_TO_L1_MSGS_PER_TX));
69 }
70 l2_to_l1_msgs_counter[l2_to_l1_size - 1]++;
71 }
72
73 // Public logs: calculate total field count across all logs.
74 // Each log contributes 2 header fields (length + contract_address) plus data fields.
75 uint32_t logs_field_count = 0;
76 for (const auto& log : tx_effect.public_logs) {
77 logs_field_count += 2 + static_cast<uint32_t>(log.fields.size());
78 }
79 if (logs_field_count > 0) {
80 uint8_t bucket = static_cast<uint8_t>(31 - std::countl_zero(logs_field_count));
81 if (bucket >= MAX_PUBLIC_LOGS_COUNTER) {
82 throw std::runtime_error("Should be unreachable: generated " + std::to_string(logs_field_count) +
83 " fields, max log2(count): " + std::to_string(MAX_PUBLIC_LOGS_COUNTER));
84 }
85 public_logs_counter[bucket]++;
86 }
87}
88
89} // namespace
90
91extern "C" int LLVMFuzzerInitialize(int*, char***)
92{
93 // Zero all counters
94 memset(enqueued_calls_counter, 0, sizeof(enqueued_calls_counter));
95 memset(public_data_writes_counter, 0, sizeof(public_data_writes_counter));
96 memset(note_hashes_counter, 0, sizeof(note_hashes_counter));
97 memset(nullifiers_counter, 0, sizeof(nullifiers_counter));
98 memset(l2_to_l1_msgs_counter, 0, sizeof(l2_to_l1_msgs_counter));
99 memset(public_logs_counter, 0, sizeof(public_logs_counter));
100
102 return 0;
103}
104
105extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* serialized_fuzzer_data,
106 size_t serialized_fuzzer_data_size,
107 size_t max_size,
108 unsigned int seed)
109{
110 // Haven't thought much about the lifecycle of this in the tx fuzzer. Maybe we want it in the serialized data?
111 // Or we can regenerate from the serialized data.
113 return mutate_tx_data(context, serialized_fuzzer_data, serialized_fuzzer_data_size, max_size, seed);
114}
115
116extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
117{
120 ws_mgr->fork();
121
123
124 FuzzerTxData tx_data;
125 try {
126 msgpack::unpack((reinterpret_cast<const char*>(data)), size).get().convert(tx_data);
127 } catch (const std::exception& e) {
128 fuzz_info("Failed to deserialize input in TestOneInput, using default. Exception: ", e.what());
130 }
131
132 // Signal coverage for number of enqueued calls to guide fuzzer towards more calls
133 size_t num_calls = tx_data.tx.setup_enqueued_calls.size() + tx_data.tx.app_logic_enqueued_calls.size();
134 if (num_calls > 0 && num_calls <= MAX_ENQUEUED_CALLS_COUNTER) {
135 enqueued_calls_counter[num_calls - 1]++;
136 }
137
138 // Setup contracts and fund fee payer
140 fund_fee_payer(*ws_mgr, tx_data.tx);
141
142 auto simulation_result = fuzz_tx(*ws_mgr, contract_db, tx_data);
143 update_effects_counters(simulation_result);
145
146 return 0;
147}
#define fuzz_info(...)
Definition constants.hpp:51
#define MAX_TOTAL_PUBLIC_DATA_UPDATE_REQUESTS_PER_TX
#define MAX_L2_TO_L1_MSGS_PER_TX
#define MAX_NOTE_HASHES_PER_TX
#define MAX_NULLIFIERS_PER_TX
StrictMock< MockContractDB > contract_db
static FuzzerWorldStateManager * getInstance()
Definition dbs.hpp:80
world_state::WorldStateRevision fork()
Definition dbs.cpp:211
FuzzerWorldStateManager * ws_mgr
Definition fuzz.test.cpp:15
SimulatorResult fuzz_tx(FuzzerWorldStateManager &ws_mgr, FuzzerContractDB &contract_db, FuzzerTxData &tx_data)
Run the C++ simulator on a full transaction containing multiple enqueued calls.
void setup_fuzzer_state(FuzzerWorldStateManager &ws_mgr, FuzzerContractDB &contract_db, const FuzzerTxData &tx_data)
size_t mutate_tx_data(FuzzerContext &context, uint8_t *serialized_fuzzer_data, size_t serialized_fuzzer_data_size, size_t max_size, unsigned int seed)
FuzzerTxData create_default_tx_data(std::mt19937_64 &rng, FuzzerContext &context)
void fund_fee_payer(FuzzerWorldStateManager &ws_mgr, const Tx &tx)
AVM range check gadget for witness generation.
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::string to_string(bb::avm2::ValueTag tag)
std::byte * data
PublicTxEffect public_tx_effect
Definition simulator.hpp:20
std::vector< PublicDataWrite > public_data_writes
Definition avm_io.hpp:543
std::vector< PublicCallRequestWithCalldata > setup_enqueued_calls
Definition avm_io.hpp:339
std::vector< PublicCallRequestWithCalldata > app_logic_enqueued_calls
Definition avm_io.hpp:340
constexpr size_t MAX_ENQUEUED_CALLS_COUNTER
Definition tx.fuzzer.cpp:16
__attribute__((section("__libfuzzer_extra_counters"))) uint8_t enqueued_calls_counter[MAX_ENQUEUED_CALLS_COUNTER]
int LLVMFuzzerInitialize(int *, char ***)
Definition tx.fuzzer.cpp:91
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
constexpr size_t MAX_PUBLIC_LOGS_COUNTER
Definition tx.fuzzer.cpp:27
size_t LLVMFuzzerCustomMutator(uint8_t *serialized_fuzzer_data, size_t serialized_fuzzer_data_size, size_t max_size, unsigned int seed)