fuzz: add regression fuzztest for value encoding

Author: apoelstra

.github/workflows/fuzz.yml

@@ -22,6 +22,7 @@ c_rust_merkle,
 decode_natural,
 decode_program,
 parse_human,
+regression_value,
         ]
     steps:
       - name: Checkout Crate

fuzz/Cargo.toml

@@ -14,7 +14,10 @@ path = "fuzz_lib/lib.rs"
 
 [dependencies]
 libfuzzer-sys = "0.4"
-simplicity-lang = { path = "..", features = ["test-utils"] }
+# We shouldn't need an explicit version on the next line, but Andrew's tools
+# choke on it otherwise. See https://github.com/nix-community/crate2nix/issues/373
+simplicity-lang = { path = "..", features = ["test-utils"], version = "0.3.0" }
+old_simplicity = { package = "simplicity-lang", version = "0.3.0" }
 
 [dev-dependencies]
 base64 = "0.22.1"
@@ -56,3 +59,10 @@ path = "fuzz_targets/parse_human.rs"
 test = false
 doc = false
 bench = false
+
+[[bin]]
+name = "regression_value"
+path = "fuzz_targets/regression_value.rs"
+test = false
+doc = false
+bench = false

fuzz/fuzz_lib/lib.rs

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: CC0-1.0
 
 use std::sync::Arc;
+use simplicity::{BitIter, Value};
 use simplicity::types::Final as FinalTy;
 
 /// A wrapper around a buffer which has utilities for extracting various
@@ -91,5 +92,19 @@ impl<'f> Extractor<'f> {
         assert_eq!(result_stack.len(), 1);
         result_stack.pop()
     }
+
+    /// Attempt to yield a value from the fuzzer.
+    pub fn extract_value_padded(&mut self) -> Option<Value> {
+        let ty = self.extract_final_type()?;
+        if ty.bit_width() > 64 * 1024 * 1024 {
+            // little fuzzing value in producing massive values
+            return None;
+        }
+
+        let mut iter = BitIter::new(self.data.iter().copied());
+        let ret = Value::from_padded_bits(&mut iter, &ty).ok()?;
+        self.data = &self.data[iter.n_total_read().div_ceil(8)..];
+        Some(ret)
+    }
 }
 

fuzz/fuzz_targets/regression_value.rs

@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: CC0-1.0
+
+#![cfg_attr(fuzzing, no_main)]
+
+#[cfg(any(fuzzing, test))]
+use std::sync::Arc;
+
+#[cfg(any(fuzzing, test))]
+use simplicity::types::Final;
+#[cfg(any(fuzzing, test))]
+use old_simplicity::{Value as OldValue, types::Final as OldFinal};
+
+#[cfg(any(fuzzing, test))]
+fn convert_ty(new: &Final) -> Option<Arc<OldFinal>> {
+    /// Our stack of tasks describing “what we need to do next.”
+    enum Task<'a> {
+        /// Convert this `Final` into an `OldFinal`.
+        NeedType(&'a Final),
+        Binary {
+            is_sum: bool,
+            dupe: bool,
+        }
+    }
+
+    // We'll push tasks onto this stack until everything is converted.
+    let mut task_stack = vec![Task::NeedType(new)];
+    // As we finish conversion of subtrees, we store them here along with
+    // a count of units. Because the released version of 0.3.0 does not
+    // have any typeskip optimization we need to bail out if there are
+    // too many units, since otherwise we will OOM in from_compact_bits.
+    let mut result_stack: Vec<(usize, Arc<OldFinal>)> = vec![];
+    const MAX_UNITS: usize = 1024 * 1024;
+
+    // Process tasks in LIFO order
+    while let Some(task) = task_stack.pop() {
+        match task {
+            Task::NeedType(final_ty) => {
+                if final_ty.is_unit() {
+                    result_stack.push((1, OldFinal::unit()));
+                } else if let Some((left, right)) = final_ty.as_sum() {
+                    let dupe = Arc::ptr_eq(left, right);
+                    task_stack.push(Task::Binary {
+                        is_sum: true,
+                        dupe,
+                    });
+                    if !dupe {
+                        task_stack.push(Task::NeedType(right));
+                    }
+                    task_stack.push(Task::NeedType(left));
+                } else if let Some((left, right)) = final_ty.as_product() {
+                    let dupe = Arc::ptr_eq(left, right);
+                    task_stack.push(Task::Binary {
+                        is_sum: false,
+                        dupe,
+                    });
+                    if !dupe {
+                        task_stack.push(Task::NeedType(right));
+                    }
+                    task_stack.push(Task::NeedType(left));
+                } else {
+                    unreachable!();
+                }
+            }
+            Task::Binary { is_sum, dupe } => {
+                let right = result_stack.pop().expect("right type missing");
+                let left = if dupe {
+                    (right.0, Arc::clone(&right.1))
+                } else {
+                    result_stack.pop().expect("left type missing")
+                };
+                let new_total = left.0 + right.0;
+                if new_total > MAX_UNITS {
+                    return None;
+                }
+                if is_sum {
+                    result_stack.push((new_total, OldFinal::sum(left.1, right.1)));
+                } else {
+                    result_stack.push((new_total, OldFinal::product(left.1, right.1)));
+                }
+            }
+        }
+    }
+
+    // At the end, we should have exactly one final type.
+    assert_eq!(result_stack.len(), 1, "Internal conversion error");
+    let (_, res) = result_stack.pop().unwrap();
+    Some(res)
+}
+
+#[cfg(any(fuzzing, test))]
+fn do_test(data: &[u8]) {
+    let mut extractor = simplicity_fuzz::Extractor::new(data);
+    let val = match extractor.extract_value_padded() {
+        Some(val) => val,
+        None => return,
+    };
+    let old_ty = match convert_ty(val.ty()) {
+        Some(converted) => converted,
+        None => return,
+    };
+
+    let old_val = OldValue::from_padded_bits(&mut val.iter_padded(), &old_ty).unwrap();
+    assert!(val.iter_compact().eq(old_val.iter_compact()));
+
+    let old_val = OldValue::from_compact_bits(&mut val.iter_compact(), &old_ty).unwrap();
+    assert!(val.iter_compact().eq(old_val.iter_compact()));
+}
+
+#[cfg(fuzzing)]
+libfuzzer_sys::fuzz_target!(|data| do_test(data));
+
+#[cfg(not(fuzzing))]
+fn main() {}
+
+#[cfg(test)]
+mod tests {
+    use base64::Engine;
+
+    #[test]
+    fn duplicate_crash() {
+        let data = base64::prelude::BASE64_STANDARD
+            .decode("Cg==")
+            .expect("base64 should be valid");
+        super::do_test(&data);
+    }
+}

fuzz/generate-files.sh

@@ -25,7 +25,10 @@ path = "fuzz_lib/lib.rs"
 
 [dependencies]
 libfuzzer-sys = "0.4"
-simplicity-lang = { path = "..", features = ["test-utils"] }
+# We shouldn't need an explicit version on the next line, but Andrew's tools
+# choke on it otherwise. See https://github.com/nix-community/crate2nix/issues/373
+simplicity-lang = { path = "..", features = ["test-utils"], version = "0.3.0" }
+old_simplicity = { package = "simplicity-lang", version = "0.3.0" }
 
 [dev-dependencies]
 base64 = "0.22.1"