refactor: Port fuzz crate to cargo-fuzz

Update and run fuzz/generate.sh. Update lockfiles. Rewrite each fuzz
target to work with cargo-fuzz. Use base 64 to handle crash seeds.

cargo-fuzz has special entry points for its fuzz tests, which is why
every fuzz target is prefixed with #![no_main]. However, this breaks
our unit tests that live inside the same file, presumably because unit
tests need a normal entry point. My solution is conditionally include
the fuzzing code when the `fuzzing` flag is set. Meanwhile, clippy needs
a main function in each target to work, so I conditionally add that too.
Allow the `fuzzing` flag in Cargo.toml because it is nonstandandard.

Author: uncomputable

.github/workflows/fuzz.yml

@@ -23,9 +23,6 @@ decode_program,
 parse_human,
         ]
     steps:
-      - name: Install test dependencies
-        run: sudo apt-get update -y && sudo apt-get install -y binutils-dev libunwind8-dev libcurl4-openssl-dev libelf-dev libdw-dev cmake gcc libiberty-dev
-
       - name: Checkout Crate
         uses: actions/checkout@v4
 
@@ -38,15 +35,18 @@ parse_human,
             fuzz/target
             target
           key: cache-${{ matrix.target }}-${{ hashFiles('**/Cargo.toml','**/Cargo.lock') }}
+
       - name: Install Toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: '1.65.0'
+          toolchain: nightly-2024-07-01
+          components: "llvm-tools-preview"
+
+      - name: Install Dependencies
+        run: cargo update && cargo update -p cc --precise 1.0.83 && cargo install cargo-fuzz
 
       - name: Run Fuzz Target
-        run: |
-          echo "Using RUSTFLAGS $RUSTFLAGS"
-          cd fuzz && cargo update && cargo update -p cc --precise 1.0.83 && ./fuzz.sh "${{ matrix.fuzz_target }}"
+        run: ./fuzz/fuzz.sh "${{ matrix.fuzz_target }}"
 
       - name: Prepare Artifact
         run: echo "${{ matrix.fuzz_target }}" >executed_${{ matrix.fuzz_target }}

Cargo-recent.lock

@@ -11,6 +11,12 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "arbitrary"
+version = "1.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dde20b3d026af13f561bdd0f15edf01fc734f0dafcedbaf42bba506a9517f223"
+
 [[package]]
 name = "arrayvec"
 version = "0.7.6"
@@ -33,6 +39,12 @@ version = "0.21.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"
 
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
 [[package]]
 name = "bech32"
 version = "0.11.0"
@@ -117,6 +129,8 @@ version = "1.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c3d1b2e905a3a7b00a6141adb0e4c0bb941d11caf55349d863942a1cc44e3c9"
 dependencies = [
+ "jobserver",
+ "libc",
  "shlex",
 ]
 
@@ -173,14 +187,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3011d1213f159867b13cfd6ac92d2cd5f1345762c63be3554e84092d85a50bbd"
 
 [[package]]
-name = "honggfuzz"
-version = "0.5.56"
+name = "jobserver"
+version = "0.1.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7c76b6234c13c9ea73946d1379d33186151148e0da231506b964b44f3d023505"
+checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
 dependencies = [
- "lazy_static",
- "memmap2",
- "rustc_version",
+ "libc",
 ]
 
 [[package]]
@@ -193,18 +205,22 @@ dependencies = [
  "wasm-bindgen",
 ]
 
-[[package]]
-name = "lazy_static"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
-
 [[package]]
 name = "libc"
 version = "0.2.169"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
 
+[[package]]
+name = "libfuzzer-sys"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf78f52d400cf2d84a3a973a78a592b4adc535739e0a5597a0da6f0c357adc75"
+dependencies = [
+ "arbitrary",
+ "cc",
+]
+
 [[package]]
 name = "log"
 version = "0.4.25"
@@ -217,15 +233,6 @@ version = "2.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
 
-[[package]]
-name = "memmap2"
-version = "0.9.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd3f7eed9d3848f8b98834af67102b720745c4ec028fcd0aa0239277e7de374f"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "miniscript"
 version = "12.3.0"
@@ -328,15 +335,6 @@ version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
-[[package]]
-name = "rustc_version"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
-dependencies = [
- "semver",
-]
-
 [[package]]
 name = "santiago"
 version = "1.3.1"
@@ -390,12 +388,6 @@ dependencies = [
  "secp256k1-sys",
 ]
 
-[[package]]
-name = "semver"
-version = "1.0.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f79dfe2d285b0488816f30e700a7438c5a73d816b5b7d3ac72fbc48b0d185e03"
-
 [[package]]
 name = "serde"
 version = "1.0.217"
@@ -426,15 +418,16 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
 name = "simpcli"
 version = "0.3.0"
 dependencies = [
- "base64",
+ "base64 0.21.7",
  "simplicity-lang",
 ]
 
 [[package]]
 name = "simplicity-fuzz"
 version = "0.0.1"
 dependencies = [
- "honggfuzz",
+ "base64 0.22.1",
+ "libfuzzer-sys",
  "simplicity-lang",
 ]
 

fuzz/Cargo.toml

@@ -10,21 +10,39 @@ publish = false
 cargo-fuzz = true
 
 [dependencies]
-honggfuzz = { version = "0.5.55", default-features = false }
+libfuzzer-sys = "0.4"
 simplicity-lang = { path = "..", features = ["test-utils"] }
 
+[dev-dependencies]
+base64 = "0.22.1"
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }
+
 [[bin]]
 name = "c_rust_merkle"
 path = "fuzz_targets/c_rust_merkle.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "decode_natural"
 path = "fuzz_targets/decode_natural.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "decode_program"
 path = "fuzz_targets/decode_program.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "parse_human"
 path = "fuzz_targets/parse_human.rs"
+test = false
+doc = false
+bench = false

fuzz/fuzz_targets/c_rust_merkle.rs

@@ -1,13 +1,14 @@
 // SPDX-License-Identifier: CC0-1.0
 
-use honggfuzz::fuzz;
-
-use simplicity::ffi::tests::{ffi::SimplicityErr, run_program, TestUpTo};
-use simplicity::hashes::sha256::Midstate;
-use simplicity::jet::Elements;
-use simplicity::{BitIter, RedeemNode};
+#![cfg_attr(fuzzing, no_main)]
 
+#[cfg(any(fuzzing, test))]
 fn do_test(data: &[u8]) {
+    use simplicity::ffi::tests::{ffi::SimplicityErr, run_program, TestUpTo};
+    use simplicity::hashes::sha256::Midstate;
+    use simplicity::jet::Elements;
+    use simplicity::{BitIter, RedeemNode};
+
     // To decode the program length, we first try decoding the program using
     // `decode_expression` which will not error on a length check. Alternately
     // we could decode using RedeemNode::decode and then extract the length
@@ -54,37 +55,21 @@ fn do_test(data: &[u8]) {
     }
 }
 
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+#[cfg(fuzzing)]
+libfuzzer_sys::fuzz_target!(|data| do_test(data));
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 #[cfg(test)]
 mod tests {
-    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
-        let mut b = 0;
-        for (idx, c) in hex.as_bytes().iter().enumerate() {
-            b <<= 4;
-            match *c {
-                b'A'..=b'F' => b |= c - b'A' + 10,
-                b'a'..=b'f' => b |= c - b'a' + 10,
-                b'0'..=b'9' => b |= c - b'0',
-                _ => panic!("Bad hex"),
-            }
-            if (idx & 1) == 1 {
-                out.push(b);
-                b = 0;
-            }
-        }
-    }
+    use base64::Engine;
 
     #[test]
     fn duplicate_crash() {
-        let mut a = Vec::new();
-        extend_vec_from_hex("ffffff0000010080800000000000380000001adfc7040000000000000000000007fffffffffffffe1000000000000000000001555600000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff0300000000000000000000000000000000000000000000000000008000000000000000ffffffffffffff7f00000000000000ffffff151515111515155555555555d6eeffffff00", &mut a);
-        super::do_test(&a);
+        let data = base64::prelude::BASE64_STANDARD
+            .decode("Cg==")
+            .expect("base64 should be valid");
+        super::do_test(&data);
     }
 }

fuzz/fuzz_targets/decode_natural.rs

@@ -1,11 +1,12 @@
 // SPDX-License-Identifier: CC0-1.0
 
-use honggfuzz::fuzz;
-
-use simplicity::encode_natural;
-use simplicity::{BitIter, BitWriter};
+#![cfg_attr(fuzzing, no_main)]
 
+#[cfg(any(fuzzing, test))]
 fn do_test(data: &[u8]) {
+    use simplicity::encode_natural;
+    use simplicity::{BitIter, BitWriter};
+
     let mut iter = BitIter::new(data.iter().cloned());
 
     if let Ok(natural) = iter.read_natural(None) {
@@ -28,37 +29,21 @@ fn do_test(data: &[u8]) {
     }
 }
 
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+#[cfg(fuzzing)]
+libfuzzer_sys::fuzz_target!(|data| do_test(data));
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 #[cfg(test)]
 mod tests {
-    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
-        let mut b = 0;
-        for (idx, c) in hex.as_bytes().iter().enumerate() {
-            b <<= 4;
-            match *c {
-                b'A'..=b'F' => b |= c - b'A' + 10,
-                b'a'..=b'f' => b |= c - b'a' + 10,
-                b'0'..=b'9' => b |= c - b'0',
-                _ => panic!("Bad hex"),
-            }
-            if (idx & 1) == 1 {
-                out.push(b);
-                b = 0;
-            }
-        }
-    }
+    use base64::Engine;
 
     #[test]
     fn duplicate_crash() {
-        let mut a = Vec::new();
-        extend_vec_from_hex("00000", &mut a);
-        super::do_test(&a);
+        let data = base64::prelude::BASE64_STANDARD
+            .decode("Cg==")
+            .expect("base64 should be valid");
+        super::do_test(&data);
     }
 }